In this paper we present a method of describing digital systems at different levels of temporal and data abstraction. The techniques are particularly suited to modelling the architecture and organisation of microprocessors. Two formal definitions of correctness are defined and compared. The verification process is shown to be reducible to tractable state exploration in both cases. We model digital systems by means of iterated maps. These maps are defined by equations which evolve a system from an initial state by the iterative application of a next-state function. A formal model of time is used in the form of a clock algebra. The correctness of an iterated map, modelling the implementation of a system, is defined by an equation containing abstraction mappings and a functional specification of the system given by an iterated map. Time is related by temporal abstraction maps called retimings. 1 Introduction In this paper we consider a set of general algebraic tools for modelin...

. This article gives a survey on different methods of formal synthesis. We define what we mean by the term formal synthesis and delimit it from the other formal methods that can also be used to guarantee the correctness of an implementation. A possible classification scheme for formal synthesis methods is then introduced, based on which some significant research activities are classified and summarized. We also briefly introduce our own approach towards the formal synthesis of hardware. Finally, we compare these approaches from different points of view. 1 Introduction In everyday use, synthesis means putting together of parts or elements so as to make up a complex whole. However in the circuit design domain, synthesis stands for a stepwise refinement of circuit descriptions from higher levels of abstraction (specifications) to lower ones (implementations), including optimizations within one abstraction level. Synthesis can be performed by hand for small circuits. Nowadays mor...

In this paper, we introduce bounded indirection, a restricted form of pointers, for system specification. Indirection provides a mechanism for compact descriptions of many complex control structures, such as interrupts, continuations, and dynamic connections between machines. We describe three kinds of indirection - state, value and net indirection for use in different aspects of system description. Transformations on indirection representations and methods for synthesizing bounded indirection within the framework of behavior tables are presented. The use of indirection in system specification and synthesis is illustrated using three large examples. 1 Introduction Hardware description languages are widely used as a front-end for synthesis tools. HDLs have evolved from programming languages with many of their features and are extended with additional constructs for hardware specification. Some HDLs are primarily simulation languages with synthesizable subsets, whereas others are primar...

A hardware self-managing heap memory (RCM) for languages like LISP, SMALLTALK, and JAVA has been designed, built, tested and benchmarked. On every pointer write from the processor, reference-counting transactions are performed in real time within this memory, and garbage cells are reused without processor cycles. A processor allocates new nodes simply by reading from a distinguished location in its address space. The memory hardware also incorporates support for off-line, multiprocessing, mark-sweep garbage collection. Performance statistics are presented from a partial implementation of SCHEME over five different memory models and two garbage collection strategies, from main memory (no access to RCM) to a fully operational RCM installed on an external bus. The performance of the RCM memory is more than competitive with main memory.

Design and synthesis of DRAM based memory systems has been a difficult task in high-level system synthesis because of the relatively complex protocols involved. In this paper, we illustrate a method for topdown design of a DRAM memory interface using a transformational approach. Sequential decomposition of the DRAM memory interface entails extraction of a DRAM memory object from a system description that incorporates the read/write protocol and accounts for refresh cycles. We apply sequential decomposition to a non-trivial example, a formally derived realization of the Nqthm FM9001 microprocessor specification [1], called DDD-FM9001 [2]. 1 Introduction Derivation is a formalization of synthesis with more emphasis on "correct construction" than on design automation. Our tools are a set of transformations that are used to engineer an implementation from a specification, with each transformation accumulating information about the implementation. In a functional framework, a transformatio...

The FM9001 is a general-purpose 32-bit microprocessor that was fabricated for Computational Logic, Inc., by LSI Logic, Inc., as an ASIC. Prior to fabrication, the FM9001 netlist was formally and mechanically proved to implement its userlevel specification by Brock and Hunt using the Nqthm theorem prover. In this report, we document our post-fabrication testing of the physical device. The testing included both executing FM9001 machine code and also low-level testing with a Tektronix LV500 chip tester. To date, all tests have confirmed that the FM9001 behaves as formally specified. 1 Introduction The FM9001 is a general purpose CMOS, 32-bit microprocessor that was fabricated for us by LSI Logic in 1991. Prior to fabrication, the netlist design of the FM9001 that we later supplied to LSI Logic was formally proven, using the mechanical theorem prover Nqthm [7, 5], to implement its user-level, i.e., machine-code level, specification. (See the report "The FM9001 Microprocessor Proof" [7] fo...

A major element of codesign is the task of decomposing a design in order to target some of its components to hardware and some to software while maintaining the integrity of the execution model. We illustrate how a previously developed algebraic technique we call system factorization adapts to this notion of decomposition. As an example, we describe how the mechanization of system factorization was used in the formal derivation of an implementation of Hunt's FM9001 microprocessor description using the DDD design derivation system. This case study demonstrates the benefits to system-level design in combining an executable modeling language, its associated formal-reasoning systems, hardware synthesis tools, and a hardware development platform in an integrated prototyping environment. 1 Introduction With the increasing complexity and diversity of applications employing VLSI technology, design environments providing a unified framework for specification, design, and simulation/modeling ar...

In this paper we propose a design strategy that exploits the strengths of different formal approaches to establish a reliable path from a mechanically verified high-level description to a concrete gate-level realization. We demonstrate the use of this approach in the realization of a fault-tolerant clock synchronization circuit. We used the Digital Design Derivation system (DDD) to derive major portion of the design leaving relatively small portions to be verified either by use of a mechanical theorem prover (PVS) or by demonstrating boolean equivalence using Ordered Binary Decision Diagrams. DDD allows the designer to isolate areas of the design space where mechanized proof support can be most effectively applied, while maintaining the overall integrity of the development process. The interface between the different systems has not yet been completely formalized but we believe that our approach will provide an effective design path from high-level specifications to concrete realizatio...

In this paper, we introduce behavior tables, an extension of register transfer tables, as a basis for system representation for reasoning about control, datapath, protocol, and data abstraction facets of system synthesis. The novelty in our approach is that it unifies different aspects of system synthesis and alleviates the need to change bases to reason about different facets of a design. Behavior tables can model indirection in system specification, by allowing names of registers and states to be treated as values. Behavior tables provide an environment for transformational design to derive a formally "correct" implementation from a specification. The emphasis of our work is on design correctness rather than design automation. Herein, we develop implementation relations over different facets of behavior tables. A set of transformations on the different facets of behavior tables, that preserve the implementation relations on the facets, are presented. Behavior tables and the transfor...

We present an analysis and taxonomy of the program transformation processes, identify the transformation domains in software engineering, and consider an operational view to program transformations. The taxonomy is based on the analyzed transformation approaches in HW design, as well as HW/SW co-design systems. Finally, we present a case study: the transformation (packaging, wrapping and customization) of VHDL components with the program modification language Open PROMOL. 1.