1. Tutorial
Formal Methods for Hardware Verification: Overview and Application to VHDL
Carlos Delgado Kloos, Peter T. Breuer
Universidad Politécnica de Madrid
<{cdk,ptb}@dit.upm.es>
VHDL Forum for CAD in Europe – Nantes, 24 April 1995
2. Introduction: Outline
⋆ Formal Hardware Verification Approaches
  ⋆ Theorem Proving
  ⋆ Model Checking
⋆ Formal Reasoning with VHDL
  ⋆ Semantics
  ⋆ Logic
  ⋆ Algebra
3. Motivation: Citation
“If you are faced by
a difficulty or a controversy in science,
an ounce of algebra is worth a ton of verbal argument.”
J.B.S. Haldane
4. Motivation: Bryant's comparison
Simulate a 256-bit RAM exhaustively
⇒ about 10^80 possible combinations of input and state.
⋆ use all the matter in the galaxy to build computers (10^17 kg)
⋆ let each computer have the mass of an electron (10^-30 kg)
⋆ let each computer simulate 10^12 cases per second
⋆ start the simulation at the time of the Big Bang (10^10 years ago)
By now we would have simulated 0.05% of all cases.
5. Motivation: Pentium
The top ten reasons to buy a PENTIUM machine:
10. Your current computer is too accurate.
9. You want to get into the Guinness book as
“Owner of Most Expensive Paperweight”.
8. Math errors add zest to life.
7. You need an alibi for the I.R.S.
6. You want to see what all the fuss is about.
5. You’ve always wondered what it would be like to be a plaintiﬀ.
4. The “Intel Inside” logo matches your decor perfectly.
3. You no longer have to worry about CPU overheating.
2. You got a great deal from JPL.
1. It’ll probably work.
6. Motivation: Trends
⋆ systems are growing larger
⋆ systems are growing more complex
⋆ design teams are growing larger
⋆ time to market is getting more critical
7. Theorem proving: Classification
Systems that manipulate an object language
⋆ Term rewrite systems
⋆ Transformational systems
⋆ Theorem provers
There is a convergence of these kinds of systems
8. Theorem proving: Theorem provers
Systems that help to prove theorems
⋆ Proof checkers
a posteriori check (e.g. MIZAR)
⋆ Proof assistants
user-guided proof, strategies can be defined, forward and backward proof
(e.g. LCF, HOL, Isabelle, Veritas+)
⋆ Automatic theorem provers
(e.g. Nqthm)
9. Theorem proving: Comparison
⋆ Degree of interaction
⋆ Object language: underlying logic
⋆ Meta language: command language
⋆ Kinds of proofs
⋆ Proof management
10. Theorem proving: Nqthm
The Boyer-Moore Theorem Prover
⋆ Quantifier-free first-order classical logic with equality
(free variables are implicitly universally quantified)
11. Theorem proving: The LCF family
LCF = Logic for Computable Functions
⋆ Stanford LCF: proof checker with fixed commands (Scott 71–72)
⋆ Edinburgh LCF: metalanguage: ML, object language: PPλ (Milner 75–79)
⋆ Cambridge LCF: metalanguage: Standard ML, object language: PPλ (improved) (Paulson 84)
⋆ Göteborg LCF: supports Martin-Löf's type theory (Petersson 82)
⋆ Cambridge HOL: metalanguage: ML, object language: Higher-Order Logic (Gordon 80–)
12. Theorem proving: LCF-related provers
⋆ Veritas: metalanguage: Miranda, object language: Higher-Order Intuitionistic Logic (Hanna, Daeche 85–)
⋆ Isabelle: metalanguage: ML, object language: parametrisable (Paulson 86–)
⋆ Lambda: metalanguage: Poly/ML, object language: Higher-Order Polymorphic Predicate Calculus of Partial Terms, interfaced to a CAD system
13. Theorem proving: Theory
A formal logic consists of
⋆ a notation (a set of well-formed formulas)
⋆ a finite set of axioms
⋆ a finite set of inference rules
A formal proof is a sequence of well-formed formulas f_1, f_2, ..., f_n
such that for all i
⋆ f_i is an axiom, or
⋆ f_i can be derived from the earlier formulas {f_1, f_2, ..., f_(i-1)} using an inference rule
14. Theorem proving: HOL expressions
The expressions in HOL can be:
⋆ constants: 1 : num, + : num -> num -> num
⋆ variables: x : num, x : num -> bool
⋆ abstractions: λx.(λy. x+y)
⋆ applications: ((λx.(λy. x+y)) 1) 2
15. Theorem proving: HOL types
The types in HOL can be:
⋆ atomic types: bool, num
⋆ compound types: num * bool, num -> num -> num
⋆ polymorphic types: 'a -> 'b, ('a -> bool) -> bool
16. Theorem proving: HOL
The object language HOL comprises
⋆ typed λ-calculus (functions, including higher-order ones)
⋆ polymorphic objects (parametric polymorphism)
⋆ higher-order logic (quantifiers over values, predicates, etc.)
It can be manipulated from the metalanguage ML (which is quite similar).
17. Theorem proving: Axioms
There are only 5 axioms in HOL: 4 for the theory of bool
⋆ ⊢ ∀t. (t = T) ∨ (t = F)
⋆ ⊢ ∀t1 t2. (t1 ⇒ t2) ⇒ (t2 ⇒ t1) ⇒ (t1 = t2)
⋆ ⊢ ∀t. (λx. t x) = t
⋆ ⊢ ∀P x. P x ⇒ P(ε P)
and one for the theory of ind
⋆ ⊢ ∃f. ONE_ONE f ∧ ¬ONTO f
18. Theorem proving: Inference rules
There are only 8 primitive inference rules:
⋆ ASSUME:     {t} ⊢ t
⋆ REFL:       ⊢ t = t
⋆ BETA_CONV:  ⊢ (λx.t1) t2 = t1[t2/x]
⋆ MP:         from Γ1 ⊢ t1 ⇒ t2 and Γ2 ⊢ t1 infer Γ1 ∪ Γ2 ⊢ t2
⋆ ABS:        from Γ ⊢ t1 = t2 infer Γ ⊢ (λx.t1) = (λx.t2)   (side condition: x not free in Γ)
⋆ DISCH:      from Γ ⊢ t2 infer Γ − {t1} ⊢ t1 ⇒ t2
⋆ SUBST:      from Γ1 ⊢ t1 = t2 and Γ2 ⊢ t[t1] infer Γ1 ∪ Γ2 ⊢ t[t2]
⋆ INST_TYPE:  from Γ ⊢ t infer Γ ⊢ t[σ1, ..., σn / 'a1, ..., 'an]   (instantiation of type variables)
19. Theorem proving: Theories
All information (types, constants, axioms, theorems, etc.)
is hierarchically structured in theories:
⋆ pairs
⋆ natural numbers
⋆ lists
⋆ primitive recursion
⋆ arithmetic
⋆ trees
⋆ etc.
20. Theorem proving: Proof styles
There are essentially two ways to proceed:
⋆ Forward proof:
(primitive or derived) inference rules are applied to axioms or already proved theorems until the desired theorem is obtained
⋆ Backward proof:
a goal (a sequent to be proved as a theorem) is successively decomposed into subgoals, until only already proved theorems remain
21. Theorem proving: Example (J. Joyce)
[Figure: AND gate built from a NAND gate (inputs i1, i2, internal wire x) feeding a NOT gate (output o1)]
⋆ specify behavioural models for NAND and NOT
⋆ specify intended behaviour of AND
⋆ specify implementation of AND in terms of NAND and NOT
⋆ prove that implementation satisﬁes intended behaviour for AND
22. Theorem proving: Example (Specs)
Behaviours:
⊢def NAND(i1,i2,o1) ≡ o1 = ¬(i1∧i2)
⊢def NOT(i1,o1) ≡ o1 = ¬ i1
⊢def ANDspec(i1,i2,o1) ≡ o1 = i1∧i2
Structure:
⊢def ANDimpl(i1,i2,o1) ≡ ∃x. NAND(i1,i2,x) ∧ NOT(x,o1)
23. Theorem proving: Example (Correctness)
⋆ Strong correctness
ANDimpl(i1,i2,o1) ≡ ANDspec(i1,i2,o1)
⋆ Weaker correctness
ANDimpl(i1,i2,o1) ⇒ ANDspec(i1,i2,o1)
24. Theorem proving: Example (Proof)
1) ANDimpl(i1,i2,o1) {initial formula, taken as an assumption}
2) ∃x. NAND(i1,i2,x) ∧ NOT(x,o1) {def ANDimpl}
3) NAND(i1,i2,x) ∧ NOT(x,o1) {strip off ∃x: choose a witness x}
4) NAND(i1,i2,x) {left conjunct of 3)}
5) x = ¬(i1∧i2) {def NAND}
6) NOT(x,o1) {right conjunct of 3)}
7) o1 = ¬x {def NOT}
8) o1 = ¬(¬(i1∧i2)) {subst. 5) in 7)}
9) o1 = i1∧i2 {simplify ¬¬t = t}
10) ANDspec(i1,i2,o1) {def ANDspec}
11) ANDimpl(i1,i2,o1) ⇒ ANDspec(i1,i2,o1) {discharge assumption 1)}
This establishes the weaker correctness result of slide 23; strong correctness additionally needs the converse implication.
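Because the specifications of slide 22 are relations over Boolean ports, the two correctness notions of slide 23 can also be checked by exhaustive enumeration before (or after) the HOL proof is attempted. The Python below is an added example, not code from the tutorial or from HOL: it encodes NAND, NOT, ANDspec and ANDimpl as Python predicates (the internal wire x is existentially quantified, as in the definition), compares implementation and specification in both directions, and reports counterexamples. The `AND_impl_shorted` structure is a hypothetical faulty variant introduced here, not one from the slides, to show why implication-only correctness is not enough on its own.

```python
from itertools import product

# Behavioural models from slide 22, written as relations over port values.
def NAND(i1, i2, o1):
    return o1 == (not (i1 and i2))

def NOT(i1, o1):
    return o1 == (not i1)

def AND_spec(i1, i2, o1):
    return o1 == (i1 and i2)

# Structural model: the internal wire x is existentially quantified, exactly as in
#   ANDimpl(i1,i2,o1) == EXISTS x. NAND(i1,i2,x) AND NOT(x,o1)
def AND_impl(i1, i2, o1):
    return any(NAND(i1, i2, x) and NOT(x, o1) for x in (False, True))

# Hypothetical faulty structure (not from the slides): the internal wire x is also
# shorted to i1, so the circuit is only consistent for a few input combinations.
def AND_impl_shorted(i1, i2, o1):
    return any(NAND(i1, i2, x) and NOT(x, o1) and x == i1 for x in (False, True))

def correctness(impl, spec, ports=3):
    """Exhaustively compare impl and spec over every Boolean assignment of the ports.

    Returns (weak, strong, impl_not_spec, spec_not_impl):
      weak   -- forall ports. impl => spec   (slide 23's weaker correctness)
      strong -- forall ports. impl <=> spec  (slide 23's strong correctness)
    The two lists are the counterexample assignments for each direction.
    """
    impl_not_spec, spec_not_impl = [], []
    for assignment in product((False, True), repeat=ports):
        i, s = impl(*assignment), spec(*assignment)
        if i and not s:
            impl_not_spec.append(assignment)
        if s and not i:
            spec_not_impl.append(assignment)
    weak = not impl_not_spec
    strong = weak and not spec_not_impl
    return weak, strong, impl_not_spec, spec_not_impl

if __name__ == "__main__":
    for name, impl in (("ANDimpl", AND_impl), ("ANDimpl_shorted", AND_impl_shorted)):
        weak, strong, _, missing = correctness(impl, AND_spec)
        print(f"{name}: weak={weak} strong={strong} spec behaviours not implemented={missing}")
```

For the real structure both directions hold. For the shorted one, impl ⇒ spec still holds, because the single port assignment the faulty circuit admits happens to agree with the specification, while three behaviours the specification requires are not implemented at all. An implementation relation that is inconsistent, or nearly so, passes the weaker criterion vacuously; that is the case the equivalence form of correctness is there to catch.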
25. Theorem proving: Pros
⋆ generality
⋆ flexibility
⋆ expressiveness
⋆ exploitation of regularity, hierarchy and abstraction
⋆ proof security
⋆ user extensibility
26. Theorem proving: Cons
⋆ long learning curve
⋆ large expertise needed
⋆ requires deep knowledge of mathematics and logic
⋆ tedious proofs
27. Theorem proving: Achievements
Several microprocessors have been verified
⋆ FM8501 (Nqthm, Warren Hunt, Univ. Texas, 1986)
⋆ Viper (HOL, Avra Cohn, Univ. Cambridge, 1988)
⋆ Tamarack-3 (HOL, Jeff Joyce, Univ. Cambridge, 1989)
⋆ AVM–1 (HOL, Phil Windley, Univ. California, Davis, 1990)
28. Theorem proving: The future
⋆ higher temporal complexity (pipelines, asynchronous systems, real-time)
⋆ higher data complexity (IEEE floating point standard, ...)
⋆ higher-level specifications (hardware/software verification, ...)
⋆ verification of classes of designs (microprocessor families, ...)
⋆ verification of an ATM network (Fairisle)
⋆ TkHolWorkbench (a GUI for HOL)
⋆ BDDs in HOL
⋆ HOL 2000 initiative
⋆ several logic embeddings (CCS, TLA, Unity, Noden, ...)
29. Theorem proving: More info about Nqthm
⋆ Computational Logic Inc.
1717 W. 6th St., Suite 290
Austin, TX 78703-4776, USA
⋆ <SoftwareRequest@cli.com>
http://www.cli.com/
⋆ R.S. Boyer, J.S. Moore: A Computational Logic Handbook,
Academic Press 1988
30. Theorem proving: More info about HOL
⋆ Cambridge Univ. Computer Laboratory
Pembroke Street, GB–Cambridge CB2 3QG, England (UK)
⋆ Sara Kalvala <sk@cl.cam.ac.uk>
http://www.comlab.ox.ac.uk/archive/formalmethods/hol.html (info)
http://lal.cs.byu.edu/lal/gettinghol.html (tool)
⋆ M. Gordon, T. Melham (eds.): Introduction to HOL: A Theorem Proving Environment for Higher Order Logic, Cambridge University Press, 1993
⋆ 8th International Workshop on Higher Order Logic Theorem Proving and its Applications, Utah, September 11–14, 1995
31. Theorem proving: More info about LAMBDA
⋆ LAMBDA: Logic and Mathematics Behind Design Automation
⋆ Abstract Hardware Ltd.
The Howell Building, Brunel University Science Park
GB–Uxbridge UB8 3PH, England (UK)
⋆ <lambda@ahl.co.uk>
32. Model checking: Model of Computation
⋆ Finite-state systems are modelled by labelled state-transition graphs (Kripke structures)
⋆ Given an initial state, the structure can be unwound into an infinite tree (the computation tree), whose paths represent the possible behaviours
⋆ A temporal logic is used to express properties of behaviours
⋆ Verification is carried out by exhaustive search of the state space
⋆ To speed up verification, efficient representation techniques based on binary decision diagrams are used
33. Model checking: Temporal Logics
⋆ In a linear temporal logic, the operators describe events along a single computation path
⋆ In a branching temporal logic, the operators describe events along several computation paths
⋆ path quantifiers:
A f (f holds on every path), E f (f holds on some path)
⋆ linear-time operators:
X f (f holds at the next instant)
F f (f holds sometime in the future)
G f (f holds globally, i.e. at every future instant)
f U g (f holds until g holds)
34. Model checking: CTL: theory
Every atomic proposition is a CTL formula.
If f and g are CTL formulae, then so are
¬f (not f)
f ∧ g (f and g)
AX f (on all paths, f holds in the next state)
EX f (on some path, f holds in the next state)
AF f (on all paths, f holds eventually)
EF f (on some path, f holds eventually)
AG f (on all paths, f holds in every state)
EG f (on some path, f holds in every state)
A(f U g) (on all paths, f holds until g holds)
E(f U g) (on some path, f holds until g holds)
35. Model checking: CTL: some operators
[Figure: computation trees illustrating M, s ⊨ AF x; M, s ⊨ EF x; M, s ⊨ EG x]
36. Model checking: CTL: examples
⋆ AG(EF greenNS): from every reachable state it is always possible to get to the greenNS state (of a traffic light) [liveness property]
⋆ AG(¬(greenNS ∧ greenEW)): greenNS and greenEW never hold together (both lights green) [safety property]
⋆ AG(req ⇒ AF ack): whenever a request occurs, it will eventually be acknowledged
⋆ EF(started ∧ ¬ready): it is possible to get to a state where started holds but ready does not
37. Model checking: Model Checking Problem
⋆ Let M be the Kripke structure representing the behaviour of a system,
⋆ let f be a temporal logic formula representing a property to check,
⋆ the objective is to find all states s of M that satisfy the formula f: M, s ⊨ f
⋆ in fact, there exist very efficient algorithms for the logic CTL (Clarke, Emerson and Sistla, ACM TOPLAS 8:2, 1986)
⋆ complexity linear in the size of M and of f
38. Model checking: Model Checking Algorithm
[Figure: worked labelling of a Kripke structure for the question M, s0 ⊨ EG a ∧ AF b?]
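The labelling algorithm the figure illustrates is short enough to write down in full. The Python below is an added example, not the tutorial's own code and not a production checker: it implements CTL model checking by fixpoint computation over an explicit Kripke structure (EX, EU and EG as primitives, the other operators by the standard dualities), then runs the traffic-light and request/acknowledge properties of slide 36 on two small models constructed here for the purpose. The `HANDSHAKE` model contains a deliberate starvation loop so that a property fails and the failing states are reported, which is the "counterexamples" advantage listed on slide 43.

```python
def pre_exists(R, T):
    """States with at least one successor in T: the semantics of EX."""
    return {s for s, succ in R.items() if succ & T}

def sat(S, R, L, f):
    """Set of states of the Kripke structure (S, R, L) satisfying CTL formula f.

    Formulas are nested tuples: ('true',), ('p', name), ('not', f), ('and', f, g),
    ('or', f, g), ('imp', f, g), ('EX', f), ('EU', f, g), ('EG', f) and the derived
    ('AX', f), ('EF', f), ('AF', f), ('AG', f), ('AU', f, g).
    """
    op = f[0]
    if op == 'true':
        return set(S)
    if op == 'p':
        return {s for s in S if f[1] in L[s]}
    if op == 'not':
        return S - sat(S, R, L, f[1])
    if op == 'and':
        return sat(S, R, L, f[1]) & sat(S, R, L, f[2])
    if op == 'or':
        return sat(S, R, L, f[1]) | sat(S, R, L, f[2])
    if op == 'imp':
        return (S - sat(S, R, L, f[1])) | sat(S, R, L, f[2])
    if op == 'EX':
        return pre_exists(R, sat(S, R, L, f[1]))
    if op == 'EU':                      # least fixpoint of Z = g | (f & EX Z)
        F, G = sat(S, R, L, f[1]), sat(S, R, L, f[2])
        Z = set()
        while True:
            Z_next = G | (F & pre_exists(R, Z))
            if Z_next == Z:
                return Z
            Z = Z_next
    if op == 'EG':                      # greatest fixpoint of Z = f & EX Z
        F = sat(S, R, L, f[1])
        Z = set(S)
        while True:
            Z_next = F & pre_exists(R, Z)
            if Z_next == Z:
                return Z
            Z = Z_next
    # Derived operators via the usual dualities (sound because R is total).
    if op == 'AX':
        return S - pre_exists(R, S - sat(S, R, L, f[1]))
    if op == 'EF':
        return sat(S, R, L, ('EU', ('true',), f[1]))
    if op == 'AG':
        return S - sat(S, R, L, ('EF', ('not', f[1])))
    if op == 'AF':
        return S - sat(S, R, L, ('EG', ('not', f[1])))
    if op == 'AU':                      # A(f U g) = not (E(not g U (not f & not g)) or EG not g)
        nf, ng = ('not', f[1]), ('not', f[2])
        return S - sat(S, R, L, ('or', ('EU', ng, ('and', nf, ng)), ('EG', ng)))
    raise ValueError(f"unknown operator {op!r}")

def kripke(transitions, labels):
    """Build (S, R, L) from an edge list and a state -> set-of-propositions map."""
    S = set(labels)
    R = {s: set() for s in S}
    for a, b in transitions:
        R[a].add(b)
    assert all(R[s] for s in S), "Kripke structures need a total transition relation"
    return S, R, {s: set(props) for s, props in labels.items()}

def check(model, f, s0):
    """Does M, s0 |= f?  Also returns the states where f fails, as a crude counterexample."""
    S, _, _ = model
    good = sat(*model, f)
    return s0 in good, S - good

# Constructed traffic light: north-south and east-west cycle through green and yellow.
TRAFFIC = kripke(
    [('gNS', 'gNS'), ('gNS', 'yNS'), ('yNS', 'gEW'), ('gEW', 'gEW'), ('gEW', 'yEW'), ('yEW', 'gNS')],
    {'gNS': {'greenNS'}, 'yNS': {'yellowNS'}, 'gEW': {'greenEW'}, 'yEW': {'yellowEW'}})
LIVE = ('AG', ('EF', ('p', 'greenNS')))
SAFE = ('AG', ('not', ('and', ('p', 'greenNS'), ('p', 'greenEW'))))

# Constructed request/acknowledge handshake with a starvation bug: the 'req' state
# may loop on itself forever, so a request need never be acknowledged.
HANDSHAKE = kripke(
    [('idle', 'idle'), ('idle', 'req'), ('req', 'req'), ('req', 'ack'), ('ack', 'idle')],
    {'idle': set(), 'req': {'req'}, 'ack': {'ack'}})
HANDSHAKE_FIXED = kripke(
    [('idle', 'idle'), ('idle', 'req'), ('req', 'ack'), ('ack', 'idle')],
    {'idle': set(), 'req': {'req'}, 'ack': {'ack'}})
RESPONSIVE = ('AG', ('imp', ('p', 'req'), ('AF', ('p', 'ack'))))

if __name__ == "__main__":
    print("traffic liveness:", check(TRAFFIC, LIVE, 'gNS'))
    print("traffic safety:  ", check(TRAFFIC, SAFE, 'gNS'))
    print("handshake buggy: ", check(HANDSHAKE, RESPONSIVE, 'idle'))
    print("handshake fixed: ", check(HANDSHAKE_FIXED, RESPONSIVE, 'idle'))
```

Each recursive call visits every state a bounded number of times per fixpoint iteration, which is where the linear-in-|M|·|f| bound of slide 37 comes from; the explicit sets are what symbolic model checking (slide 42) replaces with OBDDs.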
39. Model checking: OBDDs
DAG representation of Boolean functions
40. Model checking: OBDDs
The importance of the variable ordering
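The effect of the ordering can be measured on a toy package. The Python below is an added example, not code from the tutorial or from any BDD library: a minimal reduced ordered BDD manager with a unique table and the Shannon-expansion `apply` of Bryant's 1986 paper. It builds f = (x1 ∧ y1) ∨ (x2 ∧ y2) ∨ ... ∨ (xn ∧ yn) under two variable orderings and counts the nodes (2n when each x_i is adjacent to its y_i, 2^(n+1) − 2 when all the x's precede all the y's), and shows that canonicity turns an equivalence check into a comparison of node identifiers.

```python
OPS = {'and': lambda a, b: a and b, 'or': lambda a, b: a or b, 'xor': lambda a, b: a != b}

class BDD:
    """Minimal reduced ordered BDD manager. Node ids are ints; 0 and 1 are the terminals."""

    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}   # variable -> position in the ordering
        self.nodes = {0: None, 1: None}                     # id -> (var, low, high)
        self.unique = {}                                    # (var, low, high) -> id
        self.cache = {}                                     # (op, f, g) -> id

    def mk(self, var, low, high):
        """Return the unique node testing var with the given children, applying both
        reduction rules: drop redundant tests and share isomorphic subgraphs."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def cofactors(self, f, v):
        """(f|v=0, f|v=1); f does not depend on v unless v is its root variable."""
        if f > 1 and self.nodes[f][0] == v:
            return self.nodes[f][1], self.nodes[f][2]
        return f, f

    def apply(self, op, f, g):
        """Bryant's apply: Shannon-expand both operands on the topmost variable."""
        key = (op, f, g)
        if key in self.cache:
            return self.cache[key]
        if f <= 1 and g <= 1:
            result = int(OPS[op](bool(f), bool(g)))
        else:
            vf = self.nodes[f][0] if f > 1 else None
            vg = self.nodes[g][0] if g > 1 else None
            if vg is None or (vf is not None and self.level[vf] <= self.level[vg]):
                top = vf
            else:
                top = vg
            f0, f1 = self.cofactors(f, top)
            g0, g1 = self.cofactors(g, top)
            result = self.mk(top, self.apply(op, f0, g0), self.apply(op, f1, g1))
        self.cache[key] = result
        return result

    def AND(self, f, g): return self.apply('and', f, g)
    def OR(self, f, g): return self.apply('or', f, g)
    def NOT(self, f): return self.apply('xor', f, 1)

    def size(self, f):
        """Number of non-terminal nodes reachable from f."""
        seen, stack = set(), [f]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)

    def evaluate(self, f, env):
        while f > 1:
            v, low, high = self.nodes[f]
            f = high if env[v] else low
        return bool(f)

def pairwise_or(bdd, n):
    """f_n = (x1 & y1) | (x2 & y2) | ... | (xn & yn)."""
    f = 0
    for i in range(1, n + 1):
        f = bdd.OR(f, bdd.AND(bdd.var(f"x{i}"), bdd.var(f"y{i}")))
    return f

def interleaved(n):
    return [v for i in range(1, n + 1) for v in (f"x{i}", f"y{i}")]

def separated(n):
    return [f"x{i}" for i in range(1, n + 1)] + [f"y{i}" for i in range(1, n + 1)]

def size_under(order, n):
    bdd = BDD(order)
    return bdd.size(pairwise_or(bdd, n))

def demorgan_is_identity(bdd, a, b):
    """Canonicity: a | b and not(not a & not b) are the same node, no truth table needed."""
    return bdd.OR(a, b) == bdd.NOT(bdd.AND(bdd.NOT(a), bdd.NOT(b)))

if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"n={n}: interleaved {size_under(interleaved(n), n)} nodes, "
              f"separated {size_under(separated(n), n)} nodes")
```

The same function costs 6 nodes under one ordering and 14 under the other at n = 3, and the gap doubles with every extra pair; finding a good ordering is in general hard, which is why real packages rely on heuristics and dynamic reordering.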
41. Model checking: OBDDs
⋆ S. Akers: Binary Decision Diagrams, IEEE Trans. Computers C-27:6, June 1978
⋆ R. Bryant: Graph-Based Algorithms for Boolean Function Manipulation, IEEE Trans. Computers C-35:8, August 1986
42. Model checking: Symbolic Model Checking
⋆ Representing state-transition graphs with OBDDs
⋆ The transition relation can be seen as a Boolean formula T(v_1, ..., v_n, v'_1, ..., v'_n), where (v_1, ..., v_n) represents the current state and (v'_1, ..., v'_n) the next state
⋆ T is represented by an OBDD.
43. Model checking: Pros
⋆ decision procedure completely automated: no proofs!
⋆ fast
⋆ counterexamples are produced when a property fails
⋆ symbolic techniques make very large numbers of states tractable
44. Model checking: Cons
⋆ the specification is an enumeration of desired properties
⋆ completeness problem: have enough properties been stated?
⋆ state explosion problem
⋆ large data paths can introduce many states
⋆ no way of taking advantage of parametrisation: each instance must be checked separately
⋆ temporal formulas can be difficult to understand
45. Model checking: Achievements
⋆ Formal verification of the IEEE Futurebus+ cache consistency protocol
(precise model defined, bugs found) Clarke et al. 93
46. Model checking: Some references
⋆ J. Burch, E. Clarke, et al.: Symbolic Model Checking: 10^20 States and Beyond, Conf. Logic in Computer Science 1990.
⋆ O. Coudert, J.C. Madre, C. Berthet: Verifying Temporal Properties of Sequential Machines without Building their State Diagram, DIMACS Worksh. Computer-Aided Verification, June 1990
⋆ Th. Filkorn: A Method for Symbolic Verification of Synchronous Circuits, CHDL'91, April 1991
47. Conclusion: Other approaches
⋆ Symbolic trajectory evaluation
similar to conventional simulation, but considers symbols rather than actual values
VOSS, COSMOS
⋆ Automata-based systems
COSPAN
⋆ Tautology checkers
checking of combinational circuits
TACHE
48. Conclusion: Combining approaches
⋆ HOL with a model checker
⋆ HOL with COSMOS [Bryant, Seger]
⋆ HOL with VOSS [Joyce, Seger]
⋆ embedding VHDL in HOL [van Tassel, Kropf]
⋆ a VHDL simulator in ACL2 [Boyer, Hunt]
⋆ interfacing HOL to GENESIL (silicon compiler) [Rushby]
⋆ Prevail calling Nqthm or Tache [Borrione, Pierre]
49. Conclusion: Conclusions
⋆ the ﬁeld of formal methods is old
⋆ ﬁrst breakthroughs obtained recently
⋆ still primarily academic work
⋆ increasing interest of industry (Siemens, Bull, some CAD vendors)
⋆ still a long way to go
50. Conclusion: Citation
“It is now a well-established phenomenon
that what is highly abstract
for a generation of mathematicians
is just commonplace for the next one.”
J. Dieudonné
51. Semantics: Classical VHDL simulation
A VHDL signal is associated with a driver.
[Figure: a driver as a time line of the signal's values at future times 0, 1, 2, 3, 4, ...]
VHDL signal assignments write to the driver.
VHDL wait statements read the driver and suspend execution of the process until a time determined by the evolving condition of the driver.
52. Semantics: Example 1
Initial driver.
[Figure: driver before the assignment, values of the signal at times 0, 1, 2, 3, 4, ...]
X <= transport 1.0 after 3 ns;
Driver is altered.
[Figure: driver after the assignment, with the new value scheduled from 3 ns on]
53. Semantics: Example 2
Initial driver.
[Figure: driver before the wait, values of the signal at times 0, 1, 2, 3, 4, ...]
wait until X = 1;
Final driver:
[Figure: driver after the wait, unchanged, with the current time advanced]
Driver is essentially unaltered, but time has moved on.
54. Semantics: Semantics of VHDL
VHDL statements relate:
1. an old driver set to a new driver set;
2. an old current timepoint to a new current timepoint;
3. a previous history to an extended history.
H × DS × T ↔ H × DS × T
The combination of history plus driver set is called a ‘world line’.
WL × T ↔ WL × T
55. Semantics: Example 3
X <= transport 1.0 after 2 ns;
[Figure: initial world line (X = 0 at T = 0, 1, 2, 3, ...) and final world line (X = 1 from T = 3 on) for the assignment executed at current time T = 1; the current timepoint is T = 1 on both sides]
⋆ A transport assignment relates two world lines and two current timepoints.
⋆ The timepoint has to be the same either side, because the statement takes no physical time to execute.
56. Semantics: Example 4
wait until X = 1;
[Figure: initial and final world lines for the wait; the values of X coincide on both sides, while the current timepoint advances from T = 1 to the time at which X = 1 holds]
⋆ A wait statement relates two world lines with the same signal values – for the signals of the controlling process.
⋆ Other signals may differ in any way possible.
⋆ But time moves on.
57. Semantics: Example 5
X <= 1 after 2 ns; wait until X = 1;
[Figure: initial, intermediate and final world lines: the assignment at T = 1 produces the intermediate world line with X = 1 from T = 3, and the wait then advances the current timepoint to T = 3]
⋆ Two statements in sequence compose via relational composition.
58. Semantics: Process semantics
A process relates:
⋆ an initial world line to a final world line.
Note that:
⋆ the initial timepoint is zero; the final timepoint is ∞
⋆ the body of the process repeats ad infinitum.
59. Semantics: A simple oscillator circuit
[Figure: the process body drawn as a loop: X <= not X after 2 ns, then wait on X]
process
begin
  X <= transport not X after 2 ns;
  wait on X;
end process;
60. Semantics: Example 6
X <= not X after 2 ns; wait on X;
[Figure: initial, intermediate and final world lines for one execution of the oscillator body starting at T = 1: the assignment schedules X = 1 from T = 3, and the wait then moves the current timepoint on to T = 3]
61. Semantics: Example 7
process
begin
  X <= transport not X after 2 ns;
  wait on X;
end process;
[Figure: world lines across two successive executions of the oscillator body, T = 1 to T = 5: each execution schedules the opposite value of X two time units later and waits for it, so X alternates every 2 ns]
62. Semantics: Time and processes
A process relates the initial world line with T = 0 and the ultimate world line with T = ∞, but we are interested in what happens before then.
A logical treatment will require two kinds of logic:
⋆ execution until termination;
⋆ execution until suspension.
Suspension corresponds to looking at intermediate world lines.
Pressing ‘Ctrl-Z’.
64. Semantics: Processes and parallelism
⋆ Processes in parallel have the semantics of the intersection of relations.
⋆ They have to agree on how world lines change and how long the change takes.
⋆ Knowledge of the driver set, history, and time are all shared ‘instantaneously’ between processes.
65. Semantics: A simple follower circuit
[Figure: the process body drawn as a loop: wait on X, then Y <= X after 1 ns]
process
begin
  wait on X;
  Y <= transport X after 1 ns;
end process;
66. Semantics: Oscillator and follower in parallel
[Figure: the two process bodies drawn as loops side by side]
process
begin
  X <= not X after 2 ns;
  wait on X;
end process;

process
begin
  wait on X;
  Y <= X after 1 ns;
end process;
67. Semantics: Example 8
X <= not X after 2 ns; wait on X   ||   wait on X; Y <= X after 1 ns
[Figure: initial, intermediate and final world lines for the oscillator and follower evaluated in parallel: X alternates every 2 ns, and Y follows each change of X one time unit later]
68. Semantics: A useful theorem
⋆ Take the ultimate world line and feed it back into a process as its initial world line: the same world line comes out again.
⋆ So, look for invariant world lines.
⋆ Especially helpful when calculating for parallel processes.
⋆ A world line developed by process 1 can be used as a background against which process 2 is evaluated.
69. Logic: Plan
⋆ Insert predicative assertions and timing information in the gaps between VHDL statements.
⋆ Predicates contain temporal modalities: “it will rain tomorrow”.
⋆ ⊙(x = 1) means “x = 1 will hold in the next instant”. This is the same as ⊙x = 1.
⋆ x = ⊙x means “x will not change in the next instant”; x ≠ ⊙x means “x will change in the next instant”.
⋆ Timed pre- and post-assertions {p, t1} s {q, t2} across statements s are connected via a formal programming logic of triples.
70. Logic: Meaning
The Hoare triple
Sρ : {P, T1} a {Q, T2}
means:
if a begins to execute at time T1 and condition P holds at that time, then if it finishes at time T2, Q will hold at that time.
This is the logic of termination, denoted by S.
71. Logic: Example 9
Look at the oscillator process using the logic of termination.
{X = ⊙X, T}
X <= transport (not X) after 2 ns ;
{X = ⊙X ≠ ⊙^2 X = ⊙^3 X, T}
wait on X ;
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X, T+2}
The final condition (X has been stable and now will be stable with a different value) has been forced by the initial condition (X is momentarily stable).
Note that the initial condition is re-established as the second part of the final condition.
72. Logic: Meaning
The Hoare triple
S′ρ : {P, T1} a {Q, T2}
means:
if a begins to execute at time T1 and condition P holds at that time, then if it is suspended at time T2, Q will hold at that time.
This is the logic of suspension, denoted by S′.
73. Logic: Example 10
Now look using the logic of suspension. Suspension can only happen in a blocked wait statement; everything else takes zero time.
Start with the condition established under the logic of termination.
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X, T}
X <= transport (not X) after 2 ns ;
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X ≠ ⊙^2 X = ⊙^3 X, T}
wait on X ;
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X, T} ∨
{⊙^-2 X ≠ ⊙^-1 X = X ≠ ⊙X, T+1}
The final condition is that X either has just changed or is just about to change.
74. Logic: Process logic
A process never terminates; it can only be suspended.
Suspension occurs within the process body, after some non-negative number of executions of the body to termination.
75. Logic: Example 11
Each oscillator cycle takes 2 ns. At this time, termination establishes and thereafter re-establishes the condition:
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X, T}
and then suspension sets up
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X, T} ∨ {⊙^-2 X ≠ ⊙^-1 X = X ≠ ⊙X, T+1}
76. Logic: The use of a useful theorem
{⊙^-2 X = ⊙^-1 X ≠ X = ⊙X ∧ even(T)} ∨ {⊙^-2 X ≠ ⊙^-1 X = X ≠ ⊙X ∧ odd(T)}
is an invariant of the oscillator process body under the termination and suspension semantics.
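Slides 51 to 68 describe the relational world-line semantics, and slides 72 to 77 claim an invariant of the oscillator under it; both can be exercised mechanically. The Python below is an added example, not the tutorial's own code: it represents a world line as a map from signal to its value at each discrete time step, executes a process body against it, evaluates parallel processes by iterating to an invariant world line as the useful theorem of slide 68 suggests, and finally reads the ⊙ modalities of the logic off the resulting world line to check slide 77's invariant at every time point. The 1 ns time grid and the finite horizon `H` are simplifying assumptions of this example, not features of VHDL, and the zero-time-loop check is this example's guard against a process body with no wait statement.

```python
from copy import deepcopy

H = 12  # horizon in ns (assumption of this example: the world line is a finite prefix)

# Statement constructors for the VHDL subset used in the slides.
def transport(sig, fn, delay):          # sig <= transport fn(world line, now) after delay
    return ('transport', sig, fn, delay)

def wait_on(sig):                       # wait on sig
    return ('wait_on', sig)

def wait_for(n):                        # wait for n ns
    return ('wait_for', n)

def run_process(body, wl, horizon=H):
    """Relate an initial world line to the final one reached by repeating `body`.

    A world line is {signal: [value at t=0, value at t=1, ...]}. Assignments rewrite
    the future of their own signal; waits move the current time-point on; the process
    is left suspended once no further event can wake it within the horizon.
    """
    wl = deepcopy(wl)
    t = 0
    while True:
        t_at_start = t
        for stmt in body:
            if stmt[0] == 'transport':
                _, sig, fn, delay = stmt
                value = fn(wl, t)
                for k in range(t + delay, horizon):      # transport: the whole future is overwritten
                    wl[sig][k] = value
            elif stmt[0] == 'wait_on':
                sig = stmt[1]
                event = next((k for k in range(t + 1, horizon) if wl[sig][k] != wl[sig][k - 1]), None)
                if event is None:
                    return wl                              # suspended for the rest of the horizon
                t = event
            elif stmt[0] == 'wait_for':
                t += stmt[1]
                if t >= horizon:
                    return wl
        if t == t_at_start:
            raise RuntimeError("process body never suspends: it would loop in zero time")

def run_parallel(bodies, wl, horizon=H, rounds=20):
    """Parallel composition as intersection of relations: evaluate each process against
    the world line developed by the others until the world line is invariant under all."""
    for _ in range(rounds):
        candidate = wl
        for body in bodies:
            candidate = run_process(body, candidate, horizon)
        if candidate == wl:
            return wl
        wl = candidate
    raise RuntimeError("no invariant world line found within the round limit")

OSCILLATOR = [transport('X', lambda wl, t: 1 - wl['X'][t], 2), wait_on('X')]   # X <= not X after 2 ns; wait on X
FOLLOWER = [wait_on('X'), transport('Y', lambda wl, t: wl['X'][t], 1)]         # wait on X; Y <= X after 1 ns

def oscillator_and_follower(horizon=H):
    """Slide 67's example 8: both processes from an all-zero initial world line."""
    initial = {'X': [0] * horizon, 'Y': [0] * horizon}
    return run_parallel([OSCILLATOR, FOLLOWER], initial, horizon)

def never_suspends(body, horizon=H):
    """True if `body` would loop in zero time (a process without a wait hangs the simulation)."""
    try:
        run_process(body, {'X': [0] * horizon, 'Y': [0] * horizon}, horizon)
        return False
    except RuntimeError:
        return True

# The logic's temporal modalities, read off a world line.
def modal(wl, sig, t, k):
    """Value of ⊙^k sig at time t; k = -1 is the previous instant, k = 1 the next."""
    return wl[sig][t + k]

def oscillator_invariant(wl, t):
    """Slide 77: at even T, X has just changed and stays (⊙^-2X = ⊙^-1X ≠ X = ⊙X);
    at odd T, X is about to change (⊙^-2X ≠ ⊙^-1X = X ≠ ⊙X)."""
    m = lambda k: modal(wl, 'X', t, k)
    if t % 2 == 0:
        return m(-2) == m(-1) != m(0) == m(1)
    return m(-2) != m(-1) == m(0) != m(1)

def invariant_holds(wl, horizon=H):
    """Check the invariant at every time-point where all four modalities are defined."""
    return all(oscillator_invariant(wl, t) for t in range(2, horizon - 1))

if __name__ == "__main__":
    final = oscillator_and_follower()
    print("X:", final['X'])
    print("Y:", final['Y'])
    print("invariant holds:", invariant_holds(final))
```

Feeding the invariant world line back through either process alone returns it unchanged, which is the theorem of slide 68 in executable form; the invariant of slide 77 holds at every interior time point of the oscillator's world line.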
77. Logic: Logical Rules
We reason by deriving one Hoare triple of the programming logic from earlier derived Hoare triples.
The rules of reasoning take the form
    top
  --------  [condition]
   bottom
in which the bottom may be derived from the top when the condition holds. Several hypotheses may appear:
  top1  top2  top3 ...
  ---------------------  [condition]
         bottom
or none:
  --------  [condition]
   bottom
in which case the rule represents an axiom.
78. Logic: The S-logic for termination – seq
  [∀T ∈ [T1, T2]]   Sρ : {P, T1} a {Q_A(T), T}     Sρ : {Q_B(T), T} b {R, T2}
  -----------------------------------------------------------------------  [Q_A → Q_B]   (1)
                        Sρ : {P, T1} a ; b {R, T2}
If a sequence a;b runs to termination between times T1 and T2, then it does so by running a from T1 to termination at some intermediate time T, then running b to termination at T2.
79. Logic: Example 12
Take two consecutive signal assignments, each delayed by 1 ns.
After the second, it will be the case that x is planned to be equal to 2 next.
  Sx : {true, 3} x <= 1 after 1ns {⊙x = 1, 3}     Sx : {true, 3} x <= 2 after 1ns {⊙x = 2, 3}
  ---------------------------------------------------------------------------------------
       Sx : {true, 3} x <= 1 after 1ns ; x <= 2 after 1ns {⊙x = 2, 3}
The precondition for the second assignment is true, so it does not matter what condition the first statement sets up.
80. Logic: Example 13
Waiting for 1 ns makes the things that are promised to happen next happen.
  Sx : {⊙x = 1, 3} null {⊙x = 1, 3}
  ---------------------------------------
  Sx : {⊙x = 1, 3} wait for 1 {x = 1, 4}
Waiting for 2 ns is waiting for 1 ns twice.
  Sx : {⊙x = 1, 3} wait for 1 ; wait for 1 {⊙^-1 x = 1, 5}
  ---------------------------------------------------------
  Sx : {⊙x = 1, 3} wait for 2 {⊙^-1 x = 1, 5}
81. Logic: The S-logic for termination – wait for
  Sρ : {⊙P, T1} null {⊙Q, T2 − 1}
  ---------------------------------
  Sρ : {P, T1} wait for 1 {Q, T2}

  Sρ : {P, T1} wait for 1 ; wait for n {Q, T2}
  --------------------------------------------   (2)
  Sρ : {P, T1} wait for n + 1 {Q, T2}
A wait for 1 ns will terminate (in 1 ns). The (local) conditions that hold then are those that are promised to hold now.
Longer waits are sequences of shorter ones.
82. Logic: The S-logic for termination – wait on
A wait on can be viewed as a loop:
wait on x = do wait for 1ns while x = ⊙^-1 x
  Sρ : {P ∧ x = ⊙x, T1} wait for 1 ; wait on x {Q, T2}     Sρ : {P ∧ x ≠ ⊙x, T1} wait for 1 {Q, T2}
  ---------------------------------------------------------------------------------------------   (3)
                          Sρ : {P, T1} wait on x {Q, T2}
To run a wait to termination between times T1 and T2, either the waited-on variable is about to change, in which case we do a wait for 1 ns and terminate at T2 = T1 + 1, or it isn't, in which case we have to wait for 1 ns and then wait longer.
83. Logic: The S-logic for termination – if
This logic requires us to be able to get to a desired postcondition along either path down an if. In each branch we can assume the appropriate extra precondition.
  Sρ : {P ∧ c, T1} b1 {Q, T2}     Sρ : {P ∧ ¬c, T1} b0 {Q, T2}
  ----------------------------------------------------------   (4)
      Sρ : {P, T1} if c then b1 else b0 {Q, T2}
Example:
  Sxy : {true ∧ x = 0, 4} y <= 1 after 1ns {y = 0, 4}     Sxy : {true ∧ x ≠ 0, 4} y <= 2 after 1ns {y = 0, 4}
  ------------------------------------------------------------------------------------------------------
      Sxy : {true, 4} if x = 0 then y <= 1 after 1ns else y <= 2 after 1ns {y = 0, 4}
84. Logic: The S-logic for termination – while
While loops can be read as sequences of if branches.
while c do b = if c then (b ; while c do b) else null
  Sρ : {P ∧ c, T1} b ; while c do b {Q, T2}     Sρ : {P ∧ ¬c, T1} null {Q, T2}
  -------------------------------------------------------------------------   (5)
      Sρ : {P, T1} while c do b {Q, T2}
Example:
  Sx : {true ∧ x = 0, 4} wait on x ; while x = 0 do wait on x {x ≠ 0, 5}     Sx : {true ∧ x ≠ 0, 4} null {x ≠ 0, 5}
  ------------------------------------------------------------------------------------------------------
      Sx : {true, 4} while x = 0 do wait on x {x ≠ 0, 5}
85. Logic: The S-logic for termination – null
The simplest things are the hardest!
A null command won't execute over a non-zero time, so anything we care to say about this (impossible) situation is valid.
  --------------------------------   [T1 ≠ T2]   (6)
  Sρ : {P, T1} null {Q, T2}
Over a zero time interval, a null command does nothing, so getting from precondition P to postcondition Q requires that P entails Q at that time.
  -----------------------------   [⊙T(P → Q), i.e. P → Q holds at time T]   (7)
  Sρ : {P, T} null {Q, T}
86. Logic: The S′-logic for suspension – seq
  [∀T ∈ [T1, T2]]   Sρ : {P, T1} a {Q_T, T}     S′ρ : {Q_T, T} b {R, T2}          S′ρ : {P, T1} a {R, T2}
  ----------------------------------------------------------------------------------------------   (8)
                                   S′ρ : {P, T1} a ; b {R, T2}
If a sequence a;b runs to suspension between times T1 and T2, then it does so by either
1. running a from T1 to suspension at T2, or
2. running a to completion at some intermediate time T, then running b to suspension at T2.
87. Logic: Other parts of the S′-logic for suspension
The sequence logic of suspension is the only part that refers back to the termination logic.
In general, suspension logic is simpler than termination logic.
⋆ Many constructs cannot suspend at all, so have no rules for reasoning about suspensions!
NULL and signal assignment are examples of constructs that cannot suspend. WHILE loops can only suspend in the body.
⋆ WAIT statements cannot exit under suspension logic. They have to be suspended strictly before they exit.
88. Logic: The S′-logic for suspension – wait for
  -----------------------------------   [⊙T(P → Q)]   (9)
  S′ρ : {P, T} wait for 1 {Q, T}
Example:
  S′x : {x = 1, 3} wait for 1 {x ≠ 0, 3}   [⊙3(x = 1 → x ≠ 0)]
89. Logic: Summary
The logic used here is weak in the sense that if we prove
S′ : {P, T1} foo {Q, T2}
then we have not proved that statement foo will suspend at time T2.
We have proved that if it is suspended at time T2, then condition Q will hold then.
(Ditto for termination.)
But processes can be suspended at any time. So the logic is always applicable.
90. Logic: Conclusion
Logic is useful for reasoning about the properties of VHDL descriptions.
91. Algebra: Another approach
Another approach to VHDL is to construct a process algebra.
An algebra is a set of equations asserting behavioural equivalences between different code fragments.
For example:
x <= 2 after 3ns; x <= 1 after 2ns   =   x <= 1 after 2ns
(the second assignment deletes the transaction the first had scheduled for a later time, under both transport and inertial delay)
The algebra can be used to prove or disprove equivalences between different formulations.
92. Algebra: Synthesis
The algebra has a “pure” component that refers only to events and processes, and a “code” component that contains only VHDL.
Generally, algebra expressions are mixed (impure).
A pure process-algebra description can be represented as a state transition diagram.
The diagram can be transformed step by step via the algebraic laws into VHDL code.
What comes out is code that implements the state transition diagram.
93. Algebra: State transition diagram for follower
[Figure: state transition diagram with states PQ and RS; edges PQ→PQ labelled Y!0 X?0, PQ→RS labelled Y!0 X?1, RS→RS labelled Y!1 X?1, RS→PQ labelled Y!1 X?0]
Entry = Y!0 X?0 PQ
PQ = Y!0 X?0 PQ | Y!0 X?1 RS
RS = Y!1 X?1 RS | Y!1 X?0 PQ
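As an added example of the synthesis direction, not the tutorial's own tool, the Python below takes the follower's pure description (the equations above, as a table of output event, input event and continuation per state), checks that it is well formed, interprets it on an input sequence, and emits a VHDL process with the same transition structure. The VHDL template it produces (an enumeration type for the states, a `case` on the state, the output assignment, a `wait on` for the input, a `case` on the input value) is this example's choice of target code, not the refinement calculus of the slides, and the `1 ns` output delay is an assumed parameter.

```python
# Slide 93's follower as a transition table: state -> [(output event, input event, next state)].
FOLLOWER = {
    'PQ': [('Y!0', 'X?0', 'PQ'), ('Y!0', 'X?1', 'RS')],
    'RS': [('Y!1', 'X?1', 'RS'), ('Y!1', 'X?0', 'PQ')],
}
FOLLOWER_ENTRY = 'PQ'

def parse_event(event):
    """'Y!0' -> ('Y', '!', '0') is an output event; 'X?1' -> ('X', '?', '1') an input event."""
    sep = '!' if '!' in event else '?'
    signal, value = event.split(sep)
    return signal, sep, value

def well_formed(table, entry):
    """Each state emits a single output value, reads each input value at most once
    (deterministic choice), and every continuation names a state of the table."""
    if entry not in table:
        return False
    for branches in table.values():
        outputs = {parse_event(o) for o, _, _ in branches}
        inputs = [parse_event(i) for _, i, _ in branches]
        if len(outputs) != 1 or len(inputs) != len(set(inputs)):
            return False
        if any(nxt not in table for _, _, nxt in branches):
            return False
    return True

def interpret(table, entry, inputs):
    """Run the pure description on a sequence of input values, returning the outputs."""
    state, outputs = entry, []
    for x in inputs:
        branches = table[state]
        outputs.append(parse_event(branches[0][0])[2])        # every branch emits the same output
        here, state = state, next((nxt for _, i, nxt in branches if parse_event(i)[2] == str(x)), None)
        if state is None:
            raise ValueError(f"no branch for input {x!r} in state {here}")
    return outputs

def to_vhdl(table, entry, delay='1 ns'):
    """Emit the table as a VHDL process: emit the output, wait for the input, branch."""
    states = [entry] + [s for s in table if s != entry]
    lines = [f"type state_t is ({', '.join(states)});", "", "process",
             f"  variable state : state_t := {entry};", "begin", "  case state is"]
    for s in states:
        branches = table[s]
        out_sig, _, out_val = parse_event(branches[0][0])
        in_sig = parse_event(branches[0][1])[0]
        lines += [f"    when {s} =>",
                  f"      {out_sig} <= '{out_val}' after {delay};",
                  f"      wait on {in_sig};",
                  f"      case {in_sig} is"]
        for _, i, nxt in branches:
            lines.append(f"        when '{parse_event(i)[2]}' => state := {nxt};")
        lines += ["        when others => null;", "      end case;"]
    lines += ["  end case;", "end process;"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(interpret(FOLLOWER, FOLLOWER_ENTRY, [0, 1, 1, 0, 0]))
    print(to_vhdl(FOLLOWER, FOLLOWER_ENTRY))
```

Interpreting the table on the input sequence 0, 1, 1, 0, 0 yields the outputs 0, 0, 1, 1, 0: Y reproduces X one step late, which is the follower's behaviour on slide 65. The well-formedness check is the place where a nondeterministic or dangling diagram is rejected before any code is generated.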
94. Algebra: Code/diagram equivalence
[Figure: state transition diagram for an oscillator on signal C, with edges labelled C!0 and C!1, transformed step by step through equal intermediate forms into the code below]
a = C <= not C after 1ns; wait on C; a
95. Algebra: Summary
Algebras make reasoning about VHDL programs via equalities possible.
The transformation can go in both directions.
We are beginning to find that algebra/transition diagram specifications are useful starting points for the synthesis of VHDL code.
The VHDL code can be formally derived by a calculus of refinement from the initial diagram.
96. Conclusion: Conclusion
Formal methods allow VHDL to be handled in ways that correspond to classical activities, but based on secure foundations.