

## Specification and verification of a circuit in ACP (revised version)

*Citation for published version (APA):* Baeten, J. C. M., & Vaandrager, F. W. (1988). *Specification and verification of a circuit in ACP (revised version).* (Reports of the programming research group, University of Amsterdam = Rapporten van de vakgroep programmatuur, Universiteit van Amsterdam; Vol. P8821). Universiteit van Amsterdam.

Document status and date: Published: 01/01/1988

#### Document Version:

Publisher's PDF, also known as Version of Record (includes final page, issue and volume numbers)





#### J.C.M. Baeten

Programming Research Group, Department of Mathematics and Computer Science, University of Amsterdam

NIKHEF-K A108, Kruislaan 409, 1098 SJ Amsterdam

P.O. Box 41882, 1009 DB Amsterdam, The Netherlands

tel. +31 20 5922012

#### F.W. Vaandrager

Department of Software Technology, Centre for Mathematics and Computer Science

CWI M337, Kruislaan 413, 1098 SJ Amsterdam

P.O. Box 4079, 1009 AB Amsterdam, The Netherlands

tel. +31 20 5924125

# Specification and verification of a circuit in ACP (revised version)


#### Jos C.M. Baeten

Programming Research Group, University of Amsterdam, P.O.Box 41882, 1009 DB Amsterdam, The Netherlands.

#### Frits W. Vaandrager

Department of Software Technology, Centre for Mathematics and Computer Science, P.O.Box 4079, 1009 AB Amsterdam, The Netherlands.

A simple circuit is specified and verified in the framework of the Algebra of Communicating Processes (ACP). The usefulness of the priority operator for this type of application is demonstrated.

1980 Mathematical Subject Classification (1985 revision): 68M10, 68Q35, 68Q60, 94C99. 1987 CR Categories: B.6.1, B.7.1, F.1.1, F.3.2.

Key words & Phrases: process algebra, concurrency, circuit, interference, priority operator, put mechanism.

Note: Partial support received from the European Communities under ESPRIT contract 432, An Integrated Formal Approach to Industrial Software Development (Meteor).

#### 1. INTRODUCTION.

ACP, the Algebra of Communicating Processes of BERGSTRA & KLOP [BK1, BK2, BK3], is an algebraic framework designed both for the specification and for the verification of concurrent systems. The ACP framework is closely related to MILNER'S CCS [MI] and HOARE'S CSP [H]. In his seminal work [MI], Milner already mentioned hardware description as a possible application area of his calculus. Yet most applications of theories like CCS, CSP and ACP are in fields such as protocol verification, semantics of programming languages and distributed algorithms. Only a group around REM [R] has been working actively on VLSI circuits in the setting of *trace theory*, which is inspired by an early variant of CSP.

The subject of this paper is the specification and verification of a simple circuit in the ACP framework. The description of the circuit we consider here is derived from KALDEWAIJ [K].

In the example we will encounter an interesting application of the priority operator  $\theta$ , introduced in BAETEN, BERGSTRA & KLOP [BBK1]. The application arises because wires in a circuit have a *direction*. If, at one side of the wire, a component takes the initiative to change the value on the wire, this just happens. This means that if we model a circuit in a formalism with synchronous communication, we have to guarantee that whenever one process wants to perform a send-action, corresponding to a change in the value of a wire, the communication partner is always willing to perform the associated read-action. In this report we will show how this fundamental correctness criterion (called *absence of interference*) can be formulated by means of the put mechanism of BERGSTRA [B], using the priority operator. This paper can be viewed as the result of an integration exercise: we tried to incorporate notions from trace theory into the ACP formalism, and moreover investigated whether notions from ACP can be used to enhance the trace theoretic modelling of circuits.

Although we tried to keep this paper as self-contained as possible, this is not an introductory paper on process algebra. For a survey of the ACP formalism we refer the reader to BERGSTRA & KLOP [BK3], or to [BK1], where a comparison with related approaches can also be found.

#### THE ALGEBRA OF COMMUNICATING PROCESSES.

The axiomatic framework in which we present this paper is ACP, the Algebra of Communicating Processes, as described in [BK1, BK3]. Here, we give a brief review of ACP.

Process algebra starts from a finite collection A of given objects, called atomic actions, atoms or steps. These actions are taken to be indivisible, usually have no duration and form the basic building blocks of our systems. The first two compositional operators we consider are  $\cdot$ , denoting sequential composition, and + for alternative composition. If x and y are two processes, then x·y is the process that starts the execution of y after the completion of x, and x+y is the process that chooses either x or y and executes the chosen process. Each time a choice is made, we choose from a set of alternatives. We do not specify whether the choice is made by the process itself, or by the environment. Axioms A1-5 in table 1 below give the laws that + and  $\cdot$  obey. We leave out  $\cdot$  and brackets as in regular algebra, so xy + z means  $(x \cdot y) + z$ .

On intuitive grounds x(y + z) and xy + xz present different mechanisms (because the moment of choice is different), and therefore an axiom x(y + z) = xy + xz is not included.

We have a special constant  $\delta$  denoting deadlock, the acknowledgement of a process that it cannot do anything anymore, the absence of an alternative. Axioms A6,7 give the laws for  $\delta$ . Together, the axioms A1-A7 are referred to as BPA, which stands for Basic Process Algebra.

Next, we have the parallel composition operator  $\parallel$ , called merge. The merge of processes x and y will interleave the actions of x and y, except for the communication actions. In  $x \parallel y$ , we can either do a step from x, or a step from y, or x and y both synchronously perform an action, which together make up a new action, the communication action. This trichotomy is expressed in axiom CM1. Here, we use two auxiliary operators  $\lfloor\!\lfloor$  (left-merge) and  $\mid$  (communication merge). Thus,  $x \lfloor\!\lfloor y$  is  $x \parallel y$ , but with the restriction that the first step comes from x, and  $x \mid y$  is  $x \parallel y$  with a communication step as the first step. Axioms CM2-9 give the laws for  $\lfloor\!\lfloor$  and  $\mid$ . We assume the communication function is given on atomic actions and obeys laws C1-3.

#### EXAMPLES:

$$a \parallel b = a \lfloor\!\lfloor b + b \lfloor\!\lfloor a + a \mid b = ab + ba + a \mid b;$$
$$(ab) \lfloor\!\lfloor c = a(b \parallel c) = a(bc + cb + b \mid c);$$
$$(ab) \mid (cd) = (a \mid c)(b \parallel d) = (a \mid c)(bd + db + b \mid d).$$

Finally, on the left-hand side of table 1 we have the laws for the encapsulation operator  $\partial_H$ . Here H is a set of atoms, and  $\partial_H$  blocks actions from H by renaming them into  $\delta$ . The operator  $\partial_H$  can be used to encapsulate a process, i.e. to block communications with the environment.

#### EXAMPLE:

Suppose  $a \mid b = c$ ,  $c \neq a$ ,  $c \neq b$ ,  $H = \{a, b\}$ , then  $\partial_H(a \parallel b) = \partial_H(ab + ba + a \mid b) = \delta\delta + \delta\delta + c = \delta + \delta + c = c$ .

In the following table we have  $a,b,c \in A \cup \{\delta\}$ , x,y,z are arbitrary processes, and  $H \subseteq A$ .

| $x + y = y + x$ | A1 | $x \parallel y = x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y$ | CM1 |
|---|---|---|---|
| $x + (y + z) = (x + y) + z$ | A2 | $a \lfloor\!\lfloor x = ax$ | CM2 |
| $x + x = x$ | A3 | $ax \lfloor\!\lfloor y = a(x \parallel y)$ | CM3 |
| $(x + y)z = xz + yz$ | A4 | $(x + y) \lfloor\!\lfloor z = x \lfloor\!\lfloor z + y \lfloor\!\lfloor z$ | CM4 |
| $(xy)z = x(yz)$ | A5 | $ax \mid b = (a \mid b)x$ | CM5 |
| $x + \delta = x$ | A6 | $a \mid bx = (a \mid b)x$ | CM6 |
| $\delta x = \delta$ | A7 | $ax \mid by = (a \mid b)(x \parallel y)$ | CM7 |
| | | $(x + y) \mid z = x \mid z + y \mid z$ | CM8 |
| | | $x \mid (y + z) = x \mid y + x \mid z$ | CM9 |
| $\partial_H(a) = a$ if $a \notin H$ | D1 | | |
| $\partial_H(a) = \delta$ if $a \in H$ | D2 | $a \mid b = b \mid a$ | C1 |
| $\partial_H(x + y) = \partial_H(x) + \partial_H(y)$ | D3 | $(a \mid b) \mid c = a \mid (b \mid c)$ | C2 |
| $\partial_H(xy) = \partial_H(x) \cdot \partial_H(y)$ | D4 | $\delta \mid a = \delta$ | C3 |

Table 1. ACP (a,b,c  $\in A \cup \{\delta\}$ ,  $H \subseteq A$ ).

The language ACP can serve to give specifications of systems. However, if we want to do *verifications*, we need an *abstraction* mechanism, for, in order to verify that a given implementation satisfies the required external behavior, we need to abstract from all internal actions of the system. Here, we use the constant  $\tau$  of MILNER [MI] for this purpose, added to the system ACP as expounded in BERGSTRA & KLOP [BK2]. The axiom system ACP<sub> $\tau$ </sub> consists of the axioms of ACP together with the axioms in table 2 below. For more information, we refer to [BK2].

| | T1 | $\tau \lfloor\!\lfloor x = \tau x$ | TM1 |
|---|---|---|---|
| | T2 | $\tau x \lfloor\!\lfloor y = \tau(x \parallel y)$ | TM2 |
| | T3 | $\tau \mid x = \delta$ | TC1 |
| | | $x \mid \tau = \delta$ | TC2 |
| | TI1 | $\tau x \mid y = x \mid y$ | TC3 |
| | TI2 | $x \mid \tau y = x \mid y$ | TC4 |
| | TI3 | | |
| | TI4 | $\partial_H(\tau) = \tau$ | DT |
| | TI5 | | |

Table 2. ACP<sub> $\tau$ </sub> (a  $\in A \cup \{\delta\}$ ,  $I \subseteq A$ ).

#### 2. BASIC ELEMENTS.

A circuit consists of a number of basic elements, connected by wires. On each wire there is either a high voltage (1) or a low voltage (0). The state of the circuit is characterized by the voltages on its wires. In the process algebra modeling we view the basic elements as processes, and with each wire we associate the name of a communication port. For every x from a given set P of port names, the alphabet A contains atomic actions  $sx\uparrow$ ,  $sx\downarrow$ ,  $rx\uparrow$ ,  $rx\downarrow$ ,  $cx\uparrow$  and  $cx\downarrow$ . Communication is defined by  $sx\uparrow | rx\uparrow = cx\uparrow$  and  $sx\downarrow | rx\downarrow = cx\downarrow$ . Whenever an action  $cx\uparrow$  takes place the interpretation is that the voltage on wire x becomes 1, and whenever an action  $cx\downarrow$  takes place, the voltage becomes 0. At a slightly higher level of abstraction, we make no distinction between actions  $cx\uparrow$  and  $cx\downarrow$  (and also not between  $sx\uparrow$  and  $sx\downarrow$ , or  $rx\uparrow$  and  $rx\downarrow$ ), calling both cx. We use symbols x,y,z for the names of ports and symbols p,q,r for voltages.

In the sequel, we describe the basic components inverter, And-element, C-element, and fork.

#### 2.1. THE INVERTER.

The *inverter* has one input wire and one output wire. The output wire always has a different voltage than the input wire. In the initial state, the input wire x has voltage 0, the output wire y voltage 1. The graphical representation is shown in fig. 1.



The inverter is recursively specified as follows:

$$I_{xy}^{0} = rx \uparrow \cdot sy \downarrow \cdot I_{xy}^{1}$$
$$I_{xy}^{1} = rx \downarrow \cdot sy \uparrow \cdot I_{xy}^{0}.$$

Like all other processes that will be associated with basic elements, the process  $I_{xy}^0$  obeys the following two rules.

1. For a given port, the  $\uparrow$  and  $\downarrow$  actions alternate.

The reason for this rule becomes obvious when we look at the interpretations of the  $\uparrow$  and  $\downarrow$  actions. An  $\uparrow$ -action occurs whenever the voltage on the wire becomes 1, whereas a  $\downarrow$ -action occurs whenever the voltage becomes 0. Because we assumed that on each wire the voltage is either 1 or 0, there must always be a  $\downarrow$ -action between two occurrences of an  $\uparrow$ -action: if the voltage is 1, it must become 0 before it can become 1 again. Analogously, there must always be an  $\uparrow$ -action between two occurrences of a  $\downarrow$ -action.

The second rule is less obvious:

2. Actions on input and output ports are never enabled simultaneously.

This means that, for example, we do not have equations for the inverter process of the form  $I_{xy}^{0} = rx \uparrow (sy \downarrow \cdot I_{xy}^{1} + rx \downarrow \cdot I_{xy}^{0}).$ 

When we look at physical inverters, it is of course possible that, in the starting state, the voltage of the input wire becomes 1, and then, before the voltage on the output wire has been changed to 0, immediately becomes 0 again. The problem is that it is not clear what will happen to the voltage of the output wire in situations like this. It might be the case that the voltage changes on the input wire occur so fast that the changes are not propagated through the inverter so that the output voltage remains unchanged. Another possibility is that the voltage changes on the input are somehow kept in memory, so that, sooner or later, both changes will occur on the output wire.

Clearly, it will be very difficult (if not impossible) to model phenomena like this in process algebra. Therefore, we do not take into account the possibility that voltage changes occur on the input ports, if voltage changes on the output ports are possible. If a basic component is placed in an environment that offers premature voltage changes on the input ports, we speak of *interference*. One may say that such circuits are not well-designed. We will say more about interference in section 3.

#### 2.2. THE AND-ELEMENT.

The And-element has two input wires and one output wire. If both inputs have voltage 1 the output will have voltage 1, otherwise the output will have voltage 0. The graphical representation of the And-element is as shown in fig. 2.



The behavior of an And-element with input wires x and y and output wire z will be given by a specification with variables  $A_{xyz}^{pq}$ , where p is the voltage of wire x and q the voltage of wire y. In state  $A_{xyz}^{pq}$ , the voltage of wire z is  $p \cdot q$ .

$$\begin{aligned} A^{00}_{xyz} &= rx \uparrow A^{10}_{xyz} + ry \uparrow A^{01}_{xyz} \\ A^{10}_{xyz} &= rx \downarrow A^{00}_{xyz} + ry \uparrow sz \uparrow A^{11}_{xyz} \\ A^{01}_{xyz} &= rx \uparrow sz \uparrow A^{11}_{xyz} + ry \downarrow A^{00}_{xyz} \\ A^{11}_{xyz} &= rx \downarrow sz \downarrow A^{01}_{xyz} + ry \downarrow sz \downarrow A^{10}_{xyz} \end{aligned}$$

We can incorporate an inverter with an And-element, graphically represented as in fig. 3. We call this element  $A^{10}_{\underline{x}yz}$ .



Such an And-element has the same specification as a regular And-element, with two differences: first, all arrows of actions on port x are reversed; second, when the voltages on wires x,y,z are all 0, it is in initial state  $A_{\underline{x}yz}^{10}$ . Note that the process  $A_{\underline{x}yz}^{10}$  is not exactly the same as the composition of an inverter and an And-element (connected via a port w, so  $\tau_{C} \circ \partial_H(I_{xw}^0 || A_{wyz}^{10})$  with  $H = \{rw\uparrow, rw\downarrow, sw\uparrow, sw\downarrow\}$  and  $C = \{cw\uparrow, cw\downarrow\}$ ) since in the composition, delay can occur in the inverter.

However, the two processes are identical if they operate in an environment that does not offer voltage changes on the input wires in situations where a voltage change on the output side can be expected. This can be expressed formally with the  $\nabla_z$ -operator of section 7.

#### 2.3. THE C-ELEMENT.

The Muller C-element has two input wires and one output wire. After having received an input change on both input wires, it produces a change on the output wire. The graphical representation is shown in fig. 4.



Fig. 4.

The process specification is as follows:

$$C^{0}_{xyz} = (rx \uparrow || ry \uparrow) \cdot sz \uparrow C^{1}_{xyz}$$
$$C^{1}_{xyz} = (rx \downarrow || ry \downarrow) \cdot sz \downarrow \cdot C^{0}_{xyz}$$

We can incorporate an inverter with a C-element, graphically represented as in fig. 5. We call this element  $C^0_{\underline{x}yz}$ .



Such a C-element has the same specification as a regular C-element, with two differences: first, all arrows of actions on port x are reversed; second, when the voltages on wires x,y,z are all 0, it is in initial state  $ry\uparrow \cdot sz\uparrow \cdot C^1_{\underline{x}yz}$ . Observations similar to the ones at the end of 2.2 can be made in this case.

#### 2.4. THE FORK.

The *fork*, graphically denoted by a  $\cdot$  sign, has one input wire and two output wires. It passes the value of the input wire on to the output wires. In EBERGEN [E] essentially the following specification is given for the fork:

$$F^{0}_{xyz}=rx\uparrow (sy\uparrow ||sz\uparrow) \cdot F^{1}_{xyz}$$
$$F^{1}_{xyz}=rx\downarrow (sy\downarrow ||sz\downarrow) \cdot F^{0}_{xyz}$$

In this paper, we will not use forks of this type. This is because, for the correctness of a circuit, we have to make the assumption that the internal forks used to connect the components of the circuit are *isochronic* (see MARTIN [MA]), i.e. the delays in these forks are short enough, compared to the delays in other components, to assume that the outputs of an isochronic fork have the same value at any time. In the process algebra modeling an isochronic fork is just a *wire*:

$$W_{xy}^{0} = rx \uparrow \cdot sy \uparrow \cdot W_{xy}^{1}$$
$$W_{xy}^{1} = rx \downarrow \cdot sy \downarrow \cdot W_{xy}^{0}$$

At the output port of such a wire there are two processes reading. Thus we do not have binary but ternary communication. Up to now communication was defined by  $(x \in P)$ :

 $sx\uparrow | rx\uparrow = cx\uparrow, sx\downarrow | rx\downarrow = cx\downarrow.$ 

For ports  $y \in P$  with ternary communication we want:

 $sy\uparrow | ry\uparrow | ry\uparrow = cy\uparrow, sy\downarrow | ry\downarrow | ry\downarrow = cy\downarrow.$ 

We achieve this by defining the following binary communications:

 $sy\uparrow | ry\uparrow = sry\uparrow, \quad sry\uparrow | ry\uparrow = cy\uparrow, \quad ry\uparrow | ry\uparrow = rry\uparrow, \quad sy\uparrow | rry\uparrow = cy\uparrow,$ 

and similarly for the  $\downarrow$ -actions (of course | is also commutative). The reader may think that defining synchronization in this way makes things more complicated than they actually are. Why not introduce synchronization as in trace theory (see e.g. VAN DE SNEPSCHEUT [S]) or TCSP (see e.g. HOARE [H]), where an arbitrary number of a-actions synchronize into just another a-action? Our motivation for doing it like this is that on the physical level an asymmetry exists between send and read actions. In our view it is important not to abstract too soon from this asymmetry. We will elaborate on this in the next section.

#### 3. ACTIVE VERSUS PASSIVE.

In process algebra there is a symmetry between r- and s-actions. On the physical level such a symmetry is not present, and a distinction between *active* and *passive* actions can be made. A basic component can take the initiative to change the value on an output wire: the component performs an active s-action. If the value on the input wire of a component changes, this component is 'forced' to perform a passive r-action immediately. This means that, talking about circuits, there are problems with the physical interpretation of process expressions where a component wants to do an s-action, but cannot do so because the component on the other end of the wire is not prepared to do the corresponding r-action. As a part of the correctness proof of a circuit we therefore have to show that this *interference* does not occur.

A technique which makes a formal definition of the correctness criterion mentioned above possible is the *put mechanism* as presented in BERGSTRA [B]. Let us briefly review the put mechanism. Suppose that processes S and R are connected by a binary communication port x. The mechanism allows process S to perform an action  $sx\Diamond$  ( $\Diamond$  being either  $\uparrow$  or  $\downarrow$ ). This action can always be performed, regardless of whether or not R is able to receive the message. However, if R happens to be in a state that enables  $rx\Diamond$ , then  $sx\Diamond$  and  $rx\Diamond$  must synchronize into  $cx\Diamond$ . On the other hand, if  $sx\Diamond$  is performed when  $rx\Diamond$  is not enabled then no synchronization will occur.

Let  $<_x$  be the partial ordering on the set of atomic actions defined by  $sx\uparrow <_x cx\uparrow$  and  $sx\downarrow <_x cx\downarrow$ . Then the composition of S and R is given by:

 $\theta_{<x} \circ \partial_{\{rx\}}(S \parallel R).$ 

The operator  $\theta_{<_x}$  gives  $cx\uparrow$  priority over  $sx\uparrow$ , and  $cx\downarrow$  over  $sx\downarrow$ , thus enforcing synchronization whenever possible. The operator  $\theta$  was defined in BAETEN, BERGSTRA & KLOP [BBK1] by means of the system ACP<sub> $\theta$ </sub>, which contains the axioms of ACP together with the axioms in table 3 below. Here, the operator  $\theta$  is parametrised by a given partial ordering <, and  $\triangleleft$  is an auxiliary operator needed to give a finite axiomatisation; intuitively,  $x \triangleleft y$  is x, but with all initial steps blocked that are majorized by an initial step of y.

| $\theta(a) = a$ | $a \triangleleft b = a$ if not $a < b$ |
|---|---|
| $\theta(xy) = \theta(x) \cdot \theta(y)$ | $a \triangleleft b = \delta$ if $a < b$ |
| $\theta(x + y) = \theta(x) \triangleleft y + \theta(y) \triangleleft x$ | $x \triangleleft yz = x \triangleleft y$ |
| | $x \triangleleft (y + z) = (x \triangleleft y) \triangleleft z$ |
| | $xy \triangleleft z = (x \triangleleft z)y$ |
| | $(x + y) \triangleleft z = x \triangleleft z + y \triangleleft z$ |

Table 3. ACP<sub> $\theta$ </sub>.

#### EXAMPLE:

$$\begin{aligned}
\theta_{<_x} \circ \partial_{\{rx\}}(sx\uparrow \parallel a \cdot rx\uparrow) &= \theta_{<_x} \circ \partial_{\{rx\}}(sx\uparrow \cdot a \cdot rx\uparrow + a(sx\uparrow \cdot rx\uparrow + rx\uparrow \cdot sx\uparrow + cx\uparrow) + \delta) = \\
&= \theta_{<_x}(sx\uparrow \cdot a \cdot \delta + a(sx\uparrow \cdot rx\uparrow + \delta + cx\uparrow)) = \\
&= \theta_{<_x}(sx\uparrow \cdot a \cdot \delta) \triangleleft a(sx\uparrow \cdot rx\uparrow + cx\uparrow) + \theta_{<_x}(a(sx\uparrow \cdot rx\uparrow + cx\uparrow)) \triangleleft sx\uparrow \cdot a \cdot \delta = \\
&= sx\uparrow \cdot a \cdot \delta \triangleleft a + a \cdot \theta_{<_x}(sx\uparrow \cdot rx\uparrow + cx\uparrow) \triangleleft sx\uparrow = \\
&= sx\uparrow \cdot a \cdot \delta + a \cdot (\theta_{<_x}(sx\uparrow \cdot rx\uparrow) \triangleleft cx\uparrow + \theta_{<_x}(cx\uparrow) \triangleleft sx\uparrow \cdot rx\uparrow) = \\
&= sx\uparrow \cdot a \cdot \delta + a \cdot (sx\uparrow \cdot rx\uparrow \triangleleft cx\uparrow + cx\uparrow \triangleleft sx\uparrow \cdot rx\uparrow) = \\
&= sx\uparrow \cdot a \cdot \delta + a \cdot (\delta + cx\uparrow) = sx\uparrow \cdot a \cdot \delta + a \cdot cx\uparrow.
\end{aligned}$$

In circuit specifications one can use the put mechanism to model communication between components. Showing that there is no danger of interference in a circuit then comes down to proving that on the internal ports no s-action can take place.

If there is ternary communication at port  $y \in P$ , the situation is a bit more complicated. We encapsulate actions  $ry\Diamond$  and  $rry\Diamond$  (read actions without a synchronizing send action), and impose on A the partial ordering  $<_y$  given by  $sy\uparrow <_y sry\uparrow <_y cy\uparrow$  and  $sy\downarrow <_y sry\downarrow <_y cy\downarrow$  to express that we want to synchronize as much as possible. Absence of interference can now be proven by showing that on internal ports no s-actions or sr-actions can be performed.

Our definition of absence of interference is, in the setting of deterministic processes, equivalent to the definition in EBERGEN [E]. The advantage of our approach, however, is that we can check the absence of interference in a neat way while calculating the transition diagram of a circuit. We do not need a separate round for it.
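The interference check of this section, applied also to the premature-input scenario of section 2.1, as an added example (this is not code from the paper): a small Python explorer that builds θ_< ∘ ∂_H(P1 ∥ ... ∥ Pn) over binary ports with the put mechanism, reproduces the calculation θ_{<x} ∘ ∂_{rx}(sx↑ ∥ a·rx↑) = sx↑·a·δ + a·cx↑ above, and drives the inverter of 2.1 with a four-phase environment and with one that changes x back prematurely. The helper names (seq, inverter, compose, explore, traces) and the state-naming scheme are assumptions of this example.

```python
# Added example (not from the paper): state-space explorer for the circuit
# processes of sections 2 and 3, restricted to binary ports (no sr/rr actions).
# An atomic action is a tuple (kind, port, dir) with kind in {'s', 'r', 'c'};
# a component is a dict  state -> [(action, next_state)].  All helper names
# (s, r, c, seq, inverter, compose, explore, traces) belong to this example.

UP, DN = '\u2191', '\u2193'   # the arrows ↑ and ↓

def s(port, d): return ('s', port, d)
def r(port, d): return ('r', port, d)
def c(port, d): return ('c', port, d)
def fmt(a): return a[0] + a[1] + a[2]            # ('c', 'x', '↑') -> 'cx↑'

def seq(actions, name):
    """Finite process a1·a2·...·an·δ with states name0, name1, ..."""
    st = [f'{name}{i}' for i in range(len(actions) + 1)]
    proc = {st[i]: [(a, st[i + 1])] for i, a in enumerate(actions)}
    proc[st[-1]] = []                            # δ: no further step
    return proc

def inverter(x, y, name='I'):
    """I0 = rx↑·sy↓·I1, I1 = rx↓·sy↑·I0 (section 2.1); initial state name+'0'."""
    return {name + '0': [(r(x, UP), name + '0a')], name + '0a': [(s(y, DN), name + '1')],
            name + '1': [(r(x, DN), name + '1a')], name + '1a': [(s(y, UP), name + '0')]}

def compose(comps, internal):
    """Step function of θ_< ∘ ∂_H(P1 ∥ ... ∥ Pn) with the put mechanism of
    section 3: H = r-actions on internal ports, and θ_< gives cx◇ priority
    over sx◇ (sx◇ <_x cx◇), so a send synchronizes whenever the reader is ready."""
    def moves(g):
        out = []
        for i, st in enumerate(g):
            for a, nxt in comps[i][st]:
                out.append((a, g[:i] + (nxt,) + g[i + 1:]))      # interleaving step
                if a[0] != 's':
                    continue
                for j, st2 in enumerate(g):                       # sx◇ | rx◇ = cx◇
                    for a2, nxt2 in comps[j][st2]:
                        if j != i and a2 == ('r', a[1], a[2]):
                            g2 = list(g)
                            g2[i], g2[j] = nxt, nxt2
                            out.append((c(a[1], a[2]), tuple(g2)))
        out = [m for m in out if not (m[0][0] == 'r' and m[0][1] in internal)]   # ∂_H
        have_c = {(a[1], a[2]) for a, _ in out if a[0] == 'c'}
        return [m for m in out                                                   # θ_<
                if not (m[0][0] == 's' and (m[0][1], m[0][2]) in have_c)]
    return moves

def explore(moves, init, internal):
    """Reachable transition graph plus the interference witnesses: an s-action
    on an internal port that survives θ_<, i.e. its reader was not ready."""
    graph, interference, todo = {}, [], [init]
    while todo:
        g = todo.pop()
        if g in graph:
            continue
        graph[g] = moves(g)
        for a, g2 in graph[g]:
            if a[0] == 's' and a[1] in internal:
                interference.append((g, fmt(a)))
            todo.append(g2)
    return graph, interference

def traces(graph, init, maxlen=6):
    """All traces of length <= maxlen as strings such as 'a cx↑' (sorted)."""
    out, todo = set(), [(init, ())]
    while todo:
        g, tr = todo.pop()
        out.add(' '.join(tr))
        if len(tr) < maxlen:
            todo.extend((g2, tr + (fmt(a),)) for a, g2 in graph[g])
    return sorted(out)

def put_mechanism_example():
    """Section 3: θ_<x ∘ ∂_{rx}(sx↑ ∥ a·rx↑) = sx↑·a·δ + a·cx↑.
    Returns (traces, number of interference witnesses); the summand sx↑·a·δ
    is exactly the unsynchronized send that the check reports."""
    S, R = seq([s('x', UP)], 'S'), seq([('a', '', ''), r('x', UP)], 'R')
    init = ('S0', 'R0')
    graph, interf = explore(compose([S, R], {'x'}), init, {'x'})
    return traces(graph, init), len(interf)

def inverter_in_environment(env_actions):
    """Inverter I_xy driven by a finite environment on ports x (input) and y
    (output); returns (traces, number of interference witnesses)."""
    I, E = inverter('x', 'y'), seq(env_actions, 'E')
    init = ('I0', 'E0')
    graph, interf = explore(compose([I, E], {'x', 'y'}), init, {'x', 'y'})
    return traces(graph, init), len(interf)

if __name__ == '__main__':
    print(put_mechanism_example())
    # four-phase handshake: x↑, wait for y↓, x↓, wait for y↑  -> no interference
    print(inverter_in_environment([s('x', UP), r('y', DN), s('x', DN), r('y', UP)]))
    # premature x↓ before the inverter has answered with y↓  -> interference
    print(inverter_in_environment([s('x', UP), s('x', DN), r('y', DN), r('y', UP)]))
```

In the premature case both the inverter's pending sy↓ and the environment's sx↓ are reported, matching the unanswered sends the text calls interference.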

#### 4. SEMANTICS.

In this paper we employ the axiom system ACP and extensions  $ACP_{\theta}$  and  $ACP_{\tau}$  which all correspond with bisimulation semantics. In BAETEN, BERGSTRA & KLOP [BBK2] it is shown that the operator  $\theta$  is inconsistent with ready and failure semantics. Consequently the combination of  $\theta$  and trace semantics (the semantics in which KALDEWAIJ [K] discussed the circuit we will consider here) is in general inconsistent. However, if one restricts attention to deterministic processes, then the priority operator can be added consistently to trace semantics. Essentially this is because on the domain of deterministic and deadlock-free processes bisimulation semantics and trace semantics coincide (see BAETEN & BERGSTRA [BB]).

Further, we use the *Recursive Definition Principle* (RDP) and the *Recursive Specification Principle* (RSP), that together say that every guarded recursive specification has a unique solution (see [BK3]). All specifications that occur in this paper are guarded.

#### 5. SPECIFICATION.

In order to avoid interference, communication in electrical circuits often takes place following a handshaking protocol. Let a,b be input wires of a given circuit and let  $\overline{a},\overline{b}$  be output wires. For a pair x,y of ports, the four-phase handshaking protocol demands that every pair of consecutive transitions on x and on y takes place on different wires. We are interested in a simple buffer (or semaphore) which follows the four-phase handshaking protocol for the pairs  $a,\overline{a}$  and  $b,\overline{b}$ . This means that on one side of the circuit (the input side), it will perform an action  $ra\uparrow$  followed by an action  $s\overline{a}\uparrow$ . Next, the voltages are changed back again ( $ra\downarrow$  followed by  $s\overline{a}\downarrow$ ). On the other side of the circuit, we get the actions  $s\overline{b}\uparrow$ ,  $rb\uparrow$ ,  $s\overline{b}\downarrow$ ,  $rb\downarrow$ , in this order. Somehow, the buffer we want to construct must work in such a way that the actions on the input side cause the actions on the output side. In the next section, we consider a particular implementation.

#### 6. IMPLEMENTATION.

A proposal for an implementation, from KALDEWAIJ [K], is depicted below. Port names are displayed. Initial voltages are all 0.



Fig. 6.

We now give a corresponding formal description. First we have a collection of port names:

 $P = \{a, \overline{a}, b, \overline{b}, c, d, e, f, g, h\}.$ 

Of these,  $\overline{a}$ , c, e, g are ternary, the others (a, b,  $\overline{b}$ , d, f, h) are binary. Important sets of atomic actions are:

 $H = \{rx\uparrow, rx\downarrow, rrx\uparrow, rrx\downarrow : x = \overline{a}, c, d, e, f, g, h\}$ 

 $I = \{cx\uparrow, cx\downarrow : x = c,d,e,f,g,h\}$ 

(actions rrx $\uparrow$ , rrx $\downarrow$  matter only for ternary ports). Let  $\theta_{<}$  be the priority operator based on the partial ordering on atomic actions given by:

 $sx\uparrow < srx\uparrow < cx\uparrow, sx\downarrow < srx\downarrow < cx\downarrow$  (x  $\in$  P)

(actions  $srx\uparrow$ ,  $srx\downarrow$  matter only for ternary ports).

Then the circuit of fig. 6 is given by:

 $IMPL = \theta_{<} \circ \partial_H(ra\uparrow \cdot sd\uparrow \cdot C^1_{cad} \parallel A^{10}_{edf} \parallel W^0_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}})$ 

Protocol verifications in BERGSTRA & KLOP [BK3] and VAANDRAGER [V] all have the form

 $\tau_{I}(\text{Implementation}) = \text{Specification}.$ 

It seems that for circuits, this type of result cannot be obtained. Implementations can in general perform more sequences of actions at the input and output side than allowed by the specification. For instance, the process IMPL can start with a  $rb\uparrow$ -action.  $\tau_I(IMPL)$  is only equal to SPEC in a *context* (environment) which behaves properly. For a correct behavior of the circuit it is necessary that actions from the environment are not offered too soon. Thus, we want to remove premature read-actions from the process IMPL. In order to formalize this, we need some trace theoretic notions from BAETEN & BERGSTRA [BB].

#### 7. TRACE SETS.

7.1 DEFINITION.  $A^*$  is the set of finite sequences, or traces, of elements of A. The empty sequence is denoted by  $\varepsilon$  and the sequence  $\sigma^* \rho$  is the concatenation of sequences  $\sigma$  and  $\rho$ . The domain T of trace sets is defined by:  $T = \{X \subseteq A^* : \sigma^* \rho \in X \Rightarrow \sigma \in X\}$ 

(trace sets must be prefix closed). On T, we define the operator  $\partial/\partial a$  by (Z  $\in$  T, a  $\in$  A):

 $\partial/\partial a(Z) = \{\sigma \in A^* : a^*\sigma \in Z\}.$ 

Further, we will have need of the deletion operator  $\varepsilon_I$ , that leaves out all elements of I in a trace. Here, I is a set of atomic actions (I  $\subseteq$  A). Note  $\varepsilon_I : A^* \rightarrow A^*$ .

7.2 DEFINITION. We define the restriction of a process to a trace set. If x is a process, and Z a trace set, then  $\nabla_Z(x)$  is the result of disallowing every step in x that will result in a trace outside Z. Axioms for  $\nabla_Z$  are in table 4, on the following page.

The restriction operator can be used to express that the process IMPL must behave in a certain way at the input and output side: all sequences of actions that do not conform to the four-phase handshaking protocol are disallowed. Thus, if  $in = A - \{ra\uparrow, ra\downarrow, sr\overline{a}\uparrow, sr\overline{a}\downarrow\}$ ,  $out = A - \{rb\uparrow, rb\downarrow, s\overline{b}\uparrow, s\overline{b}\downarrow\}$ , we only allow traces in the set

 $Z = \{ \sigma \in A^* : \varepsilon_{in}(\sigma) \text{ is a prefix of } (ra\uparrow\, sr\overline{a}\uparrow\, ra\downarrow\, sr\overline{a}\downarrow)^{\omega},\ \varepsilon_{out}(\sigma) \text{ is a prefix of } (s\overline{b}\uparrow\, rb\uparrow\, s\overline{b}\downarrow\, rb\downarrow)^{\omega} \}.$ 

 $\begin{aligned} \nabla_Z(\delta) &= \delta \\ \nabla_Z(\tau) &= \tau \\ \nabla_Z(\tau x) &= \tau \cdot \nabla_Z(x) \\ \nabla_Z(ax) &= a \cdot \nabla_{\partial/\partial a(Z)}(x) & \text{if } a \in Z \\ \nabla_Z(ax) &= \delta & \text{if } a \notin Z \\ \nabla_Z(x + y) &= \nabla_Z(x) + \nabla_Z(y) \end{aligned}$ 

Table 4. Restriction operator.

We will show in the sequel that the process  $\tau_I \circ \nabla_Z(IMPL)$  does behave like a buffer (the set I was defined in section 6). Notice that since port  $\overline{a}$  is a ternary port, actions  $sr\overline{a}$  occur here, and not actions  $s\overline{a}$ . This difference will become important in the sequel.
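The trace-set machinery of this section, as an added Python example that is not part of the paper: Z is modelled as a prefix-closed membership predicate,  $\partial/\partial a$  and  $\varepsilon_I$  are implemented as defined above, and the restriction operator  $\nabla_Z$  of table 4 is applied to a small constructed process graph that, like IMPL, can start with a premature  $rb\uparrow$ . The graph TOY and its internal actions cd↑, cf↑ are constructed for the example; on traces,  $\tau_I$  appears as deletion of those internal actions.

```python
"""Trace sets and the restriction operator of section 7 (added example, not
code from the paper).  A trace set Z is a prefix-closed membership predicate,
because the handshake trace set is infinite; the process graph TOY and its
internal action names cd↑, cf↑ are constructed for this example."""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Trace = Tuple[str, ...]
TraceSet = Callable[[Trace], bool]                   # prefix-closed trace set
Step = Callable[[object], List[Tuple[str, object]]]  # state -> [(action, next)]
TAU = "τ"

# Four-phase cycles of section 5: the circuit reads a and acknowledges on
# the ternary port ā (hence srā); on the output side it sends b̄, reads b.
IN_CYCLE = ("ra↑", "srā↑", "ra↓", "srā↓")
OUT_CYCLE = ("sb̄↑", "rb↑", "sb̄↓", "rb↓")
INTERNAL = frozenset({"cd↑", "cf↑"})      # plays the role of the set I of section 6
ALPHABET = frozenset(IN_CYCLE) | frozenset(OUT_CYCLE) | INTERNAL


def delete(I: FrozenSet[str], sigma: Trace) -> Trace:
    """eps_I: leave out all elements of I from the trace."""
    return tuple(x for x in sigma if x not in I)


def derivative(a: str, Z: TraceSet) -> TraceSet:
    """d/da(Z) = {sigma : a*sigma in Z}, formed lazily on the predicate."""
    return lambda sigma: Z((a,) + sigma)


def prefixes_of_omega(cycle: Tuple[str, ...]) -> TraceSet:
    """All finite prefixes of cycle^omega; prefix closed by construction."""
    return lambda sigma: all(x == cycle[i % len(cycle)] for i, x in enumerate(sigma))


def handshake_trace_set(alphabet: FrozenSet[str]) -> TraceSet:
    """The set Z of section 7 over the alphabet A: eps_in(sigma) is a prefix
    of IN_CYCLE^omega and eps_out(sigma) a prefix of OUT_CYCLE^omega, with
    in = A - IN_CYCLE and out = A - OUT_CYCLE."""
    in_del, out_del = alphabet - frozenset(IN_CYCLE), alphabet - frozenset(OUT_CYCLE)
    on_a, on_b = prefixes_of_omega(IN_CYCLE), prefixes_of_omega(OUT_CYCLE)
    return lambda sigma: on_a(delete(in_del, sigma)) and on_b(delete(out_del, sigma))


def restrict(step: Step, Z: TraceSet) -> Step:
    """nabla_Z of table 4 on a process graph.  A restricted state is the pair
    (state, current derivative of Z).  A tau-step passes with Z unchanged
    (nabla_Z(tau x) = tau nabla_Z(x)); a visible step a survives, with the
    successor carrying d/da(Z), iff the one-step trace <a> lies in Z, and is
    dropped (delta) otherwise.  Sums distribute, so edges are independent."""
    def rstep(rs):
        s, Zs = rs
        kept = []
        for a, t in step(s):
            if a == TAU:
                kept.append((a, (t, Zs)))
            elif Zs((a,)):
                kept.append((a, (t, derivative(a, Zs))))
        return kept
    return rstep


def traces(step: Step, start, depth: int) -> Set[Trace]:
    """Traces reachable in at most `depth` steps; tau is unobservable."""
    found, frontier = {()}, [((), start)]
    for _ in range(depth):
        frontier = [(sigma if a == TAU else sigma + (a,), t)
                    for sigma, s in frontier for a, t in step(s)]
        found.update(sigma for sigma, _ in frontier)
    return found


# Constructed process graph: the handshake of SPEC, driven through two internal
# communications and one already-abstracted tau-step, plus two premature
# environment actions of the kind IMPL offers (section 6: IMPL can start with
# rb↑).  State "x" stands for the interfering behaviour after such a step.
TOY: Dict[str, List[Tuple[str, str]]] = {
    "0": [("ra↑", "1"), ("rb↑", "x")],          # rb↑ before any input is premature
    "1": [("cd↑", "2"), ("ra↓", "x")],          # ra↓ before the srā↑ acknowledgement too
    "2": [(TAU, "2t")], "2t": [("srā↑", "3")],
    "3": [("ra↓", "4")], "4": [("srā↓", "5")],
    "5": [("cf↑", "6")], "6": [("sb̄↑", "7")],
    "7": [("rb↑", "8")], "8": [("sb̄↓", "9")],
    "9": [("rb↓", "0")],
    "x": [("cd↑", "x"), ("rb↑", "x")],
}
Z_HANDSHAKE = handshake_trace_set(ALPHABET)


def unrestricted_traces(depth: int = 12) -> Set[Trace]:
    return traces(TOY.__getitem__, "0", depth)


def restricted_traces(depth: int = 12) -> Set[Trace]:
    """Traces of nabla_Z(TOY): every premature step has been cut."""
    return traces(restrict(TOY.__getitem__, Z_HANDSHAKE), ("0", Z_HANDSHAKE), depth)
```

Deleting INTERNAL from every surviving trace yields a prefix of the external cycle of SPEC (section 8), which is the trace-level counterpart of applying  $\tau_I$  after  $\nabla_Z$ .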

#### 8. VERIFICATION.

Let the process SPEC be given by the following specification:

 $SPEC = ra\uparrow \cdot SPEC^*$ 

 $SPEC^* = sr\overline{a}\uparrow \cdot ra\downarrow \cdot sr\overline{a}\downarrow \cdot (s\overline{b}\uparrow \cdot rb\uparrow \cdot s\overline{b}\downarrow \cdot rb\downarrow \parallel ra\uparrow) \cdot SPEC^*.$ 

Then the theorem below immediately shows that we have absence of interference.

8.1 THEOREM:  $\tau_I \circ \nabla_Z(IMPL) = SPEC$ .

PROOF: It will be useful to derive the complete transition diagram for process IMPL. This diagram is depicted in fig. 7. In this transition diagram, we have omitted all subtrees of edges that are not allowed by the trace set Z defined in section 7 above. Disallowed edges are drawn grey in the diagram.

For sake of completeness, we give the first part of the calculations that lead to the diagram:

$$\begin{aligned} IMPL &= \theta_{<} \circ \partial_H(ra\uparrow \cdot sd\uparrow \cdot C^1_{cad} \parallel A^{10}_{edf} \parallel W^0_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) = \\ &= ra\uparrow \cdot \theta_{<} \circ \partial_H(sd\uparrow \cdot C^1_{cad} \parallel A^{10}_{edf} \parallel W^0_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) + rb\uparrow \cdot \ldots = \\ &= ra\uparrow \cdot \big( cd\uparrow \cdot \theta_{<} \circ \partial_H(C^1_{cad} \parallel sf\uparrow \cdot A^{11}_{edf} \parallel W^0_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) + rb\uparrow \cdot \ldots \big) + rb\uparrow \cdot \ldots = \\ &= ra\uparrow \cdot \big( cd\uparrow \cdot \big[ cf\uparrow \cdot \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) + ra\downarrow \cdot \ldots + rb\uparrow \cdot \ldots \big] + rb\uparrow \cdot \ldots \big) + rb\uparrow \cdot \ldots = \\ &= ra\uparrow \cdot \big( cd\uparrow \cdot \big[ cf\uparrow \cdot \big\{ sr\overline{a}\uparrow \cdot \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel W^1_{f\overline{a}} \parallel sg\uparrow \cdot W^1_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) + rb\uparrow \cdot \ldots \big\} + \ldots \big] + \ldots \big) + \ldots = \ldots \end{aligned}$$



Fig. 7.

More straightforward calculations lead to the statement of the theorem:

$$\begin{aligned} \tau_I \circ \nabla_Z(IMPL) &= ra\uparrow \cdot \tau \cdot \tau_I \circ \nabla_Z \circ \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) = \\ &= ra\uparrow \cdot \tau_I \circ \nabla_Z \circ \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}), \end{aligned}$$

and for the second equation:

$$\begin{aligned} &\tau_I \circ \nabla_Z \circ \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) = \\ &= sr\overline{a}\uparrow \cdot [ra\downarrow \parallel \tau \cdot \tau \cdot \tau] \cdot \tau \cdot \tau \cdot sr\overline{a}\downarrow \cdot [ra\uparrow \cdot \tau \parallel \tau \cdot s\overline{b}\uparrow \cdot rb\uparrow \cdot \tau \cdot \tau \cdot s\overline{b}\downarrow \cdot rb\downarrow \cdot \tau] \cdot {} \\ &\qquad \cdot \tau_I \circ \nabla_Z \circ \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) = \\ &= sr\overline{a}\uparrow \cdot ra\downarrow \cdot sr\overline{a}\downarrow \cdot [ra\uparrow \parallel s\overline{b}\uparrow \cdot rb\uparrow \cdot s\overline{b}\downarrow \cdot rb\downarrow] \cdot {} \\ &\qquad \cdot \tau_I \circ \nabla_Z \circ \theta_{<} \circ \partial_H(C^1_{cad} \parallel A^{11}_{edf} \parallel s\overline{a}\uparrow \cdot W^1_{f\overline{a}} \parallel W^0_{\overline{a}g} \parallel W^0_{be} \parallel rg\uparrow \cdot sh\uparrow \cdot C^1_{egh} \parallel W^0_{hc} \parallel A^{10}_{gc\overline{b}}) \end{aligned}$$

(using the equation  $\tau x \| y = \tau(x \| y)$ ). This finishes the proof of the theorem.

The theorem we just derived leads us to consider the question in what sense this circuit really implements a buffer, i.e. in what sense the actions on the input side really cause the actions on the output side. It is not the case that all input actions precede all output actions, as we can see from the theorem. But we can reason as follows: of the four actions on the input side, the  $sr\overline{a}\uparrow$  action is the 'real' input action, the acknowledgement that an input has taken place, the confirmation that input has been accepted. The  $ra\uparrow$  action is the offering of the input, and the down actions  $ra\downarrow$  and  $sr\overline{a}\downarrow$  are just re-initializations, to return to the original state of the circuit. On the other hand, we can consider the  $s\overline{b}\uparrow$  action as the 'real' output action. The action  $rb\uparrow$  is the acknowledgement of the environment that an output has been received, and the down actions are again re-initializations. (This choice of which actions constitute the 'real' input and output action coincides with observations of HOOGERWOORD [HOO].)

This leads us to consider the following renaming function:

8.2. DEFINITION. On constants, define the following renaming function buf:

 $buf(sr\overline{a}\uparrow) = input,\quad buf(s\overline{b}\uparrow) = output,$ 

 $buf(ra\uparrow) = buf(ra\downarrow) = buf(sr\overline{a}\downarrow) = buf(rb\uparrow) = buf(rb\downarrow) = buf(s\overline{b}\downarrow) = \tau$ ,

and buf leaves all other constants unchanged. Let  $\rho_{buf}$  be the operator that extends this function to all processes (see BERGSTRA & KLOP [BK3] for the notation; the renaming operators were introduced in BAETEN & BERGSTRA [BB]). Then we have the following theorem.

8.3 THEOREM:  $\rho_{buf}(SPEC) = \tau \cdot input \cdot output \cdot \rho_{buf}(SPEC)$  (a correct specification for a one-bit buffer).

PROOF:

$$\begin{aligned} \rho_{buf}(SPEC) &= \tau \cdot \rho_{buf}(SPEC^*), \text{ and} \\ \rho_{buf}(SPEC^*) &= input \cdot \tau \cdot \tau \cdot (output \cdot \tau \cdot \tau \cdot \tau \parallel \tau) \cdot \rho_{buf}(SPEC^*) = \\ &= input \cdot output \cdot \tau \cdot \rho_{buf}(SPEC^*) = input \cdot output \cdot \rho_{buf}(SPEC). \end{aligned}$$

Now we show how to use theorem 8.1 in a specific context. We take an environment that offers the actions concerned in the right order, e.g. we take the input process IN and the output process OUT given by the following guarded recursive specifications:

 $IN = sa\uparrow \cdot r\overline{a}\uparrow \cdot sa\downarrow \cdot r\overline{a}\downarrow \cdot IN$ 

 $OUT = r\overline{b}\uparrow \cdot sb\uparrow \cdot r\overline{b}\downarrow \cdot sb\downarrow \cdot OUT.$ 

8.4 THEOREM: Let  $H^* = \{ra\uparrow, ra\downarrow, r\overline{a}\uparrow, r\overline{a}\downarrow, rr\overline{a}\uparrow, rr\overline{a}\downarrow, rb\uparrow, rb\downarrow, r\overline{b}\uparrow, r\overline{b}\downarrow\}$ . Then the process  $\tau_I \circ \theta_{<} \circ \partial_{H^*}(IMPL \parallel IN \parallel OUT)$  is given by the following specification:

 $X = ca\uparrow \cdot Y$ 

 $Y = c\overline{a}\uparrow \cdot ca\downarrow \cdot c\overline{a}\downarrow \cdot (c\overline{b}\uparrow \cdot cb\uparrow \cdot c\overline{b}\downarrow \cdot cb\downarrow \parallel ca\uparrow) \cdot Y.$ 

PROOF: Define  $H_a = \{ra\uparrow, ra\downarrow, r\overline{a}\uparrow, r\overline{a}\downarrow, rr\overline{a}\uparrow, rr\overline{a}\downarrow\}$ . With the use of *conditional equations* similar to the ones described in BERGSTRA & KLOP [BK3], we can show

 $\tau_I \circ \theta_{<} \circ \partial_{H^*}(IMPL \parallel IN \parallel OUT) = \tau_I \circ \theta_{<} \circ \partial_{H^*}(\theta_{<} \circ \partial_{H_a}(IMPL \parallel IN) \parallel OUT).$ 

Now consider the process  $\theta_{<} \circ \partial_{H_a}(IMPL \parallel IN)$ . This process has a transition diagram similar to the diagram in fig. 7, with two differences: first, all grey  $ra\diamond$ -edges are removed, and second, all the black a-edges ( $ra\diamond$ ,  $sr\overline{a}\diamond$ ) are changed to communication actions ( $ca\diamond$ ,  $c\overline{a}\diamond$ ); here  $\diamond$  stands for either  $\uparrow$  or  $\downarrow$ . We do not calculate the subprocesses following grey  $rb\diamond$ -actions of this process.

Then, we put this process in the context  $\tau_I \circ \theta_{<} \circ \partial_{H^*}(\ldots \parallel OUT)$ . Now all grey  $rb\diamond$ -actions can be removed, and all black b-edges ( $rb\diamond$ ,  $s\overline{b}\diamond$ ) are changed to communication actions ( $cb\diamond$ ,  $c\overline{b}\diamond$ ).

The proof is finished if we rename all internal actions into  $\tau$ -actions.

Theorem 8.1 is applicable in more contexts. As an example, we will put two copies of the circuit behind each other, and derive a specification for a two-bit buffer. Thus, consider the renaming functions am and  $b\overline{m}$ , where am renames ports a into m, and  $b\overline{m}$  renames ports b into  $\overline{m}$ . To be more specific:

 $am(ra\uparrow) = rm\uparrow,\ am(s\overline{a}\downarrow) = s\overline{m}\downarrow,\ \ldots,\ b\overline{m}(c\overline{b}\downarrow) = cm\downarrow,\ b\overline{m}(rb\uparrow) = r\overline{m}\uparrow,\ \ldots,$  etc.

Now define

 $IMPL_{am} = \rho_{b\overline{m}}(IMPL),\quad IMPL_{mb} = \rho_{am}(IMPL).$ 

Thus,  $IMPL_{am}$  is the buffer with input ports  $a,\overline{a}$  and output ports  $m,\overline{m}$ , and  $IMPL_{mb}$  is the buffer with input ports  $m,\overline{m}$  and output ports  $b,\overline{b}$ .

Now define the sets  $H_m = \{rm\uparrow, rm\downarrow, r\overline{m}\uparrow, r\overline{m}\downarrow, rr\overline{m}\uparrow, rr\overline{m}\downarrow\}$  and  $I_m = \{cm\uparrow, cm\downarrow, c\overline{m}\uparrow, c\overline{m}\downarrow\}$ , and take the priority ordering as usual. Then we link the two buffers together and define

 $SPEC^2 = \tau_{I \cup I_m} \circ \nabla_{Z} \circ \theta_{<} \circ \partial_{H_m}(IMPL_{am} \parallel IMPL_{mb}).$ 

Then we have the following theorem 8.5.

8.5 THEOREM: Process SPEC<sup>2</sup> is the process with the transition diagram depicted in fig. 8. The two nodes marked with a 1 should be identified, as well as the two nodes marked with a 2. (It is easy to give a recursive specification for this process, but that would not be very illuminating.)



PROOF: Of course, we can obtain transition diagrams for  $IMPL_{am}$  and  $IMPL_{mb}$  from fig. 7 by just renaming actions. We must show that all grey actions can be omitted. First,  $IMPL_{mb}$  can undertake no action until it has received an input. Its first input cannot come along b, for that is forbidden by  $\nabla_Z$ . Therefore, the first action of  $IMPL_{mb}$  is the  $rm\uparrow$  communicating with  $sm\uparrow$  of  $IMPL_{am}$ . Then,  $IMPL_{am}$  has already performed 12 or 13 actions, and all grey edges before this point can be disregarded. Now,  $IMPL_{am}$  must wait for an answer of  $IMPL_{mb}$  (or perform an  $ra\uparrow$ -action, and then wait). This comes when  $IMPL_{mb}$  executes  $sr\overline{m}\uparrow$ , and we see that we can omit its grey edges before this point.

Continuing in this fashion, we see we can omit all grey edges, so there is no interference, and what remains is a great quantity of not very interesting calculations.

We get an easier-to-understand specification for the process  $SPEC^2$  if we apply the renaming function buf of 8.2. Then we obtain the following theorem.

8.6 THEOREM: The process  $\rho_{buf}(SPEC^2)$  satisfies the following recursive specification:

 $X_0 = \tau \cdot \text{input} \cdot X_1$ 

 $X_1 = (\text{input} \parallel \text{output}) \cdot X_1.$ 

This is indeed a correct specification for a two-bit buffer.

PROOF: As 8.3.

#### 9. DELAY-INSENSITIVITY.

Central in the theory of circuit design is the notion of **delay-insensitivity**. Intuitively, a circuit is delay-insensitive if its behavior does not depend on delays in wires and switching elements. It seems that there is no general agreement in the literature about the precise definition of the concept. Formal definitions can be found in [U] and [E]. A minimum requirement for a circuit to be delay-insensitive is that it is free of interference. Another property which is usually associated with delay-insensitivity is the **Foam Rubber Wrapper Principle** of [MFR]. This postulate says that the external behavior of a circuit is invariant if the output ports are extended by wires: the circuit is thought of as being wrapped in foam rubber of which the boundaries are flexible and possibly changing (see figure 9).



Fig. 9.

The behavior of the circuit we are dealing with in this paper does not satisfy the Foam Rubber Wrapper Principle. In order to demonstrate this, we extend port  $\overline{a}$  by a wire. A new port  $\overline{m}$  is introduced together with a renaming function transforming actions at  $\overline{a}$  into actions at  $\overline{m}$ :

 $pr(s\overline{a}) = s\overline{m}, pr(sr\overline{a}) = sr\overline{m}.$ 

If  $<'$  is the partial ordering given by  $s\overline{m} <' sr\overline{m} <' c\overline{m}$  and  $H' = \{r\overline{m}, rr\overline{m}\}$ , then the extended circuit is defined by:  $IMPL' = \theta_{<'} \circ \partial_{H'}(W_{\overline{m}\overline{a}} \parallel \rho_{pr}(IMPL)).$ 

Analogously to theorem 8.1, we can derive the following specification for the process  $SPEC' = \tau_I \circ \nabla_Z(IMPL')$ :

 $SPEC' = ra\uparrow \cdot SPEC''$ 

 $SPEC'' = sr\overline{a}\uparrow \cdot ra\downarrow \cdot (s\overline{b}\uparrow \cdot rb\uparrow \cdot s\overline{b}\downarrow \cdot rb\downarrow \parallel sr\overline{a}\downarrow \cdot ra\uparrow) \cdot SPEC''.$ 

Thus, processes SPEC' and SPEC have different external behavior. However, SPEC' is still interference-free and is a correct implementation of a one-bit buffer according to definition 8.2. Thus, while the circuit of this paper does not satisfy the Foam Rubber Wrapper Principle in the strict sense, functional behavior *is* preserved, when we extend the external ports with wires.

In general, it is not possible to give an interference-free implementation of the specification SPEC which satisfies the Foam Rubber Wrapper Principle. The argument for this is simple: the circuit has to perform send-actions at ports  $\overline{a}$  and  $\overline{b}$  right after each other. After having sent a message at  $\overline{a}$ , the circuit does not know whether or not the environment has received this message, due to the unbounded (although finite) delay in the wire. After waiting some time the circuit has to send a message at  $\overline{b}$ , which may arrive too early.

Current research ([E]) suggests that if we have a specification with an interference-free implementation composed of basic elements like wires, forks and C-elements, the output ports which are not tapped satisfy the Foam Rubber Wrapper Principle. As we have seen, this is not true in general for specifications with tapped output wires. Now we can observe that the fact that in specification SPEC  $sr\overline{a}$ -actions occur instead of  $s\overline{a}$ -actions already tells us that port  $\overline{a}$  presumably does not satisfy the Foam Rubber Wrapper Principle. The wire at port  $\overline{a}$  is tapped and therefore the boundary of the circuit is not flexible there.

#### 10. CONCLUSIONS.

For the hierarchical design and verification of a complex circuit it is crucial that we can reason about the circuit in terms of the external behavior (specification) of smaller components of the circuit. We want to abstract from the implementation details of these components. We have seen that it is unwise to abstract from the distinction between send, read and communication actions: keeping that distinction makes it possible to see immediately whether or not our implementation is interference-free, and also makes it possible to identify ports that do not satisfy the Foam Rubber Wrapper Principle.

We used the priority operator  $\theta$  to describe the put mechanism of BERGSTRA [B]. This makes it possible to distinguish active and passive actions, and so we can deal with interference. However, the drawback is that we cannot use the abstraction operator  $\tau_I$  inside the scope of the  $\theta$  operator, as this could destroy the interference information. We can illustrate this with a simple example:

 $\tau_{\{i\}} \circ \theta_{s < c} \circ \partial_{\{r\}}(s \parallel i \cdot r) = s\delta + \tau c$ , which displays interference, while

 $\theta_{s < c} \circ \tau_{\{i\}} \circ \partial_{\{r\}}(s \parallel i \cdot r) = \tau c$  is interference-free.

Thus, we cannot abstract from the internal actions in the scope of the priority operator, which makes modular verification more difficult. Recent research suggests that it may be possible to effect part of the abstraction inside the scope of the priority operator, using a constant which satisfies fewer laws than  $\tau$ , and to do the remainder of the abstraction outside.

#### REFERENCES.

[BB] J.C.M. BAETEN & J.A. BERGSTRA, Global renaming operators in concrete process algebra, report CS-R8521, Centre for Math. and Comp. Sci., Amsterdam 1985. Revised version: report P8709, Programming Research Group, University of Amsterdam 1987. To appear in Inf. & Comp.

[BBK1] J.C.M. BAETEN, J.A. BERGSTRA & J.W. KLOP, Syntax and defining equations for an interrupt mechanism in process algebra, Fund. Inf. IX (2), pp. 127 - 168, 1986.

[BBK2] J.C.M. BAETEN, J.A. BERGSTRA & J.W. KLOP, Ready trace semantics for concrete process algebra with the priority operator, British Comp. Journal 30 (6), pp. 498 - 506, 1987.

[B] J.A. BERGSTRA, Put and get, primitives for synchronous unreliable message passing, report LGPS 3, Dept. of Philosophy, State University of Utrecht, 1985.

[BK1] J.A. BERGSTRA & J.W. KLOP, Process algebra for synchronous communication, Information & Control 60 (1/3), pp. 109-137, 1984.

[BK2] J.A. BERGSTRA & J.W. KLOP, Algebra of communicating systems with abstraction, Theor. Comp. Sci. 37 (1), pp. 77-121, 1985.

[BK3] J.A. BERGSTRA & J.W. KLOP, Process algebra: specification and verification in bisimulation semantics, in: Math. & Comp. Sci. II (M.Hazewinkel, J.K.Lenstra & L.G.L.T.Meertens, eds.), CWI Monographs 4, pp. 61 - 94, North-Holland, Amsterdam 1986.

[E] J.C. EBERGEN, Translating programs into delay-insensitive circuits, Ph.D.Thesis, Technical University Eindhoven, 1987.

[H] C.A.R. HOARE, Communicating sequential processes, Prentice Hall 1985.

[HOO] R. HOOGERWOORD, Some reflections on the implementation of trace structures, Computing Science Notes 86/03, Dept. of Math. & Comp. Sci., Eindhoven University of Technology 1986.

[K] A. KALDEWAIJ, The translation of processes into circuits, in: Proc. PARLE Conf. (Vol. I), (J.W. de Bakker, A.J.Nijman & P.C.Treleaven, eds.), pp. 195 - 212, Springer LNCS 258, 1987.

[MA] A.J. MARTIN, Compiling communicating processes into delay-insensitive VLSI circuits, Distr. Comp. 1, pp. 226 - 234, 1986.

[MI] R. MILNER, A calculus of communicating systems, Springer LNCS 92, 1980.

[MFR] C.E. MOLNAR, T.-P. FANG & F.U. ROSENBERGER, Synthesis of delay-insensitive modules, in: Proc. Chapel Hill Conf. on VLSI (H. Fuchs, ed.), pp. 67-86, Computer Science Press, 1985.

[R] M. REM, Partially ordered computations, with applications to VLSI design, Proc. Found. of Comp. Sci. IV.2 (J.W. de Bakker & J. van Leeuwen, eds.), MC Tract 159, pp. 1 - 44, Mathematical Centre, Amsterdam 1983.

[S] J.L.A. VAN DE SNEPSCHEUT, Trace theory and VLSI design, Springer LNCS 200, 1985.

[U] J.T. UDDING, A formal model for defining and classifying delay-insensitive circuits and systems, Distr. Comp. 1, pp. 197 - 204, 1986.

[V] F.W. VAANDRAGER, Verification of two communication protocols by means of process algebra, report CS-R8608, Centre for Math. and Comp. Sci., Amsterdam 1986.