tools or translated from a hardware description language such as VHDL. [6]. Verification is nothing ..... This isan example of the temporal abstraction going on ...
3rd
NASA
Symposium
on VLSI
Design
10.1.1
1991
Formal Specification High Speed CMOS
of a Correlator
P. J. Windley Department
of Computer
Science
University
of Idaho
Moscow,
ID 83843
208.885.6501 Abstract: The
The
formal
specification
a clear,
1
gives
the
unambiguous
of a high
high-level
description
speed
CMOS
behavior
of the
correlator
of the
high-level
is presented.
correlator
and
architecture
provides
of the
device.
Introduction.
The
use
of formal
the
most
important
specification result
for communication writers,
and,
firm
foundation
has
the
perhaps
potential
This correlator, and
which
is capable
Formal
VLSI
devices
unambiguously
tured
also
take
place.
as
providing
well
CMOS
spectrometer,
be used technical
provide
This
a
analysis
a basis
correlator
for
contains
[2]. The 32 channels
rather
of abstraction [4].
the than
Verification.
The
[8]. Generally,
behavioral
expected
behavior
imperative,
giving
we need
specification
of the
device.
a clear
at least
is written The
relationship
in
behavioral between
the
outputs.
CAD
describes,
again
specification
can
tools
or translated
using be
logic,
derived
from
how
from
a hardware
the
circuit
design
is put
to-
information
description
cap-
language
such
[6].
Verification models.
structure.
levels
specification
structural
by conventional
as
can
engineers,
specifications can
Perhaps
that
test
of a high-speed
and
describes and
the
errors
in a space-born
at many
specification
Ideally,
as VHDL
properties.
to be used
is declarative
structural
gether.
design
desired
benefits.
behavior
engineers, design
reduce
many
design's Formal
circuit
specification
has
at 25MHz.
a structural
state,
of the
customers.
Specification
current
The
is designed
and
specification inputs,
formal
circuits
production
of the
has
can be specified
a behavioral and
the
of sampling
2
logic
design
presents
description
analysis
significantly
the
VLSI
engineers,
importantly,
which
to that
paper
design
most
upon
in designing
is a clear
among
demonstrating
tural
specification
is nothing Ideally,
This
with
the
used
to analytically
more
we would
analysis,
aid of mechanical
which
than like
a mathematical to show
is a type
verification
demonstrate
selected
that
analysis the
of symbolic tools
[5].
behavioral
These
of the
behavioral
intended
behavior
simulation,
can
mathematical
properties
and
follows
be
done
models
for a computer
struc-
from
the
by hand
or
can
be
also
system.
10-.1.2
3
A Brief
To formally
introduction
modei
hardware
to HOL.
and
to develop
T_his prevents on which the
proofs from containing - logical work is b_sed are sound. Due
q_anfiflcation
over
a typed
lambda
this project _ype
sets
due
calculus
brief
user
base
description HOL
[5:t]
Church
developed about
theore
on
and
thus
permitting
functions
HOL is not a fully
Several
built-in
and trees. logic
rules
that
allow
HOL system
logic
was selected
for
and polymorphic
support,
and
In this
section
at
Um_'versity
a growing
we will provide
a
proofs
Rv.WRITE_'rAc or deflnition,
ables
from
equivalent, A proof
of theorems
that
follow
using
terms.
to
support
rewrites
of a goal, show
management
larger
for rewriting
which
we should
but
and
0V.ILTAC which
front
These
introduction
that
system
they
that
imply
keeps
each
track
says
of higher-
the eight
of derived system
rules
that
Calculus
Examples
as
of tactics
previously
univerS_y
basic
inference
has
for Predicate
to some
sums,
them.
not only
proof.
unnecessary
contribute
products,
from
HOL
rules
according
that
checker,
the basis
body
The
directed
IgQ_TAC which
form
contain
steps.
goal
a goal
and
rules
also a large
elimination
removes
predicates
a proof
numbers,
number
of tactics
orem
individuals, that
logic,
for
in allowing
over
features
axioms
logic.
Although
be used
logic
simply
several
on the five
to proceed
rules
has
than
build
higher-order
it can
quantification
is more
HOL
booleans,
for higher-order
[3].
to be described.
but
extremes.
Of Cambridge
logic
to predicate
also allows
prover
including
the
or higher-order Similar
systems
theorem
a large
collection
the
logic
general
theories
from
as specialized
include
.
it
system.
higher-order
for mathematics,
o1¢all kinds.
these two environment:
These
types,
as a foundation
more
the standard
A large
of simple
logic
theories,
of inference of inference
implement
.
developed
supports
ioca[
that
that the foundations proofs, which include
specifications
ruggec[ness,
higher-order
to derive
rules
well
The
generic
"system
theory
automated
falling somewhere between to its use _s _ verification
Rules
efforts.
logic,
selection.
m pr0ving
higher-order
variables,
order
our
we felt
verification
assures of the
which
attractive
computational-systems over
lists,
a mechanical
a system
its-ava_ab_ty,
Church's
quantification
.
using
proofs,
of HOL.
is based
reasoning
that
facilitate
it a very
of our
mistakes, and to the nature
for higher-order
made
is a general
that
we felt
would
]_¢Urthermore
accuracy
and properties
of objects,
to its support
c0nstructs.
world-wide
proofs
the
wag necessary
and
the
to ensure
proven quanti-fled two
things
thevari-
that
to show
are
state
of an interactive
proof
theorem
Using
other. of the
s_sslon.
o
A metaianguage, the
metalanguage,
tactics use.
ML,
can be written, The
metalanguage
for
tactics
programming can
be put
and theorems makes
the
and together
extending to form
can be aggregated verification
system
the more
to form extremely
prover.
powerful new
tactics,
theories
flexible.
new
for later
3rd NASA
Symposium
on VLSI
Design
Operator
AppIication tl = t2
Meaning
tl,t2 tl
A t2
tl
V t2
tl
tl
_
t2
HOL
are written
for all x,t
3
3x.
t
there
g
¢
t
choose
Table
1 shows
Meaning
a binder
can
In addition is written
data
another
cycle
which
is signaled, datardy
then
"c(_
x.
infix
the line
integration from
the
a word
Readers
The section
goes
cycle
serial interested
by
a space
The int
latched
to
form:
rand1
prefix
called
x.t"
"op
(where
HOL
b, else
binders.
A familiar
x is a variable)
several
to
two
operators rand2".
of HOL's
has
example
of
is written
as
built-in
a conditional
binders.
statement
that
c."
signal
with process
that
a register, data
mode
in additional
detail
are
on
referred
end
to be on the the
specification
the
output
lines.
value
correlator.
of a control
are
stream. period
cleared,
integration
to [2].
of the
from
2-
integration
integration
are
two
stream
other
of the
new
Specification. behavioral
on the
of an
read
the
accepts of one
duration
accumulators with
can be read depending
the
the
is ready
signal
for the
When
design
versions
undelayed
Concurrent
period
serial
the
line.
The
Delayed
continues
control
immediately.
or byte
spectrometer.
of 25MHz.
into
integration
the
belong
usual
2 shows
borne
a maximum
the
are
Correlator presents
can
Infix
binders,
multiplication)
can begin
previous
"c
"if a, then
for at
high
and
which
to be infix.
Design.
a biased
results
term
t is true
be declared
class
Table
constants
are accumulated. is defined
the
t
operators.
special
t)".
[ c, meaning
clocked
(using
products
either
infix
is designed
streams
The
This
b
correlator
data
built-in
belong
that
constants
2 can
of HOL's
Correlator
multiplied
5
-*
The
The bit
a
predefined
of arity
that
Binders
of in the
term
to the
2: HOL
several
an x such
an x such
instead
also
for the
exists
rand2"
is V. If c is a binder,
shorthand
4
are
Constants
op
several
Constants
there
classes.
t 2
Operators
V
system
"randl
Infix
Application Vx. t
x.
and t2
or t2
t 1 implies
1: HOL
Table
syntactic
t2
V
Table
In the
equals
A =:_
special
tl
the pair tl tl and t2
P
Binder
10.1.3
1991
and
chip.
A new
period, Data line.
the
is read
the in
I0.I.4
A
B
rn int
rn byte
IO Interpreter
Figure
1: Architecture
of
consumer
the
correlator
relationship
shows
between
the
the
producer--
INT interpreter
and the
tO interpreter.
The
overall
tecture
architecture
is based
as single
architecture The
on two
instruction with
portion
tion of the variables:
incoming
• acc--A
bank
• sr--A • count--A
state
description
machines
which,
[7]. The interpreters
serving of the
signals
as the
design
shared
is the
is shown along
link between
The
interpreter
in Figure
with
are arranged
INT interpreter.
in 32 channels.
of 32, 4-bit
bank bank
separate
interpreters a register
producer
• dolay--A
of the behavioral
the
1. The
datapath,
archi-
function
in a producer-consumer
the
two
interpreters.
INT performs controls
the
the following
integrastate
accumulators.
of 32, 2-bit
of 32, 24-bit
delay shift
elements.
registers.
bank of 32, 24-bit counters.
Each of these state variables is paramcterized for time and channel number
and has type
:time--4num---_w,where w varies with registerwidth. The specificationfor INT relatesthe state variables at time g + 1 to the their value at time t and the value of the inputs at time t. Fdt]
_tegrate_int
(acc, (a,
delay,
b,
int,
st, rn)
count,
datardy)
=
Vt. let
nextstato
=
(acc
(t+l),
delay
nextstate
(ace
((int
Ca t,
t)
-_
(t+i), t,
delay b t,
integrate
Jr
(t+l),
t, int
sr t,
I dump) count
t,
x'n t))
count
:
(t+l), t,
datardy
( datardy t)
(t+l))
=
3rd NASA
The
Symposium
function
the
nextstate
int
line.
The
individual
of the
b-d,!
shift
integrate (a,
lignal_product
let
new_ace
n
--_
(bt4
ival
nee_delay
n
=
let
nee_count
n
=
is calculated
values
•
the
calculated
state
for
variables.
the
ace,
value
In the
delay,
and
of case
count
(delay
n)
b
in
(
[
(n=O)
n.
-_
a
(si_al_product
are precisely
accn))
] (delay
new_count,
_ _
in
(wordn o) I inc (count n) [ (count n) in
datardy)
described.
a biased
in (n--l))
n, acc n))
st,
by adding
state
for
on the
datardy)
For example,
multipfication
signal to the current value in the same The consumer portion of the circuit following
values
are
count,
mapper
O)
new_delay,
The new values
new
or dump depending
is unchanged.
(signal_product
let
(new_acc,
integrate
-----
(add4
(c_ry4
new (sr)
=
10.1.5
to either
delay, st, int, rn) =
n
1991
produce
register
(ace. b,
let
rn
evaluates
instruction
The
Design
instructions
integrate
Variables.
on VLS[
the
of the
new value
n-delayed
accumulator. is the I0 interpreter.
of the
signal The
n th accumulator
and the
interpreter
undelayed controls
the
variables:
sr--A
bank
of 32, 24-bit
in the
INT interpreter.
shift
registers.
This
is the
same
register
as the
sr
register
t
•
¢ounter--A
• out--A • borw--A The preter. the byte
counter
for counting
16-bit
register
that
latches
state
variable
that
indicates
specification The
read
7-bit
for the
I0 interpreter
cycle,
it can
end
at a time,
it can
dump
the
the
six instructions.
the
read
a word
on the output
is similar
has
data
values whether
I0 interpreter cycle,
output.
The
it can at a time,
to the
output is byte
data
or it can
or work
specification
interpreter
dump
lines.
can from
serial.
of the be reset,
the
do nothing.
output
INT interit can
start
registers
a
!0.1.6
O-dr !
io_:J_t
(s_,
countor,
(byte, Vt
rn,
out,
outck)
bore,
datardy,
bog£n)
=
.
let
nextstate
: Tosot
((rn t) ((datardy
^ bogin
t)
-_
((datardy t) ^
((val
(counter
((datardy
t)
A
(borv
t)
((datacrdy
t)
A _(bore
(st
(t+l),
counter
nextstate
(st
t)
out
t,
rn
The operation of 10 is more
t,
t)
(t+l),
t,
0))
t)
A (outck
counter
(byte
=
A (outck
(t+l), t,
t))
out
bore t,
outck
bore
I
start_road
[
--*
ond_road
j
--_
dump_byte
[
-_
dump_word
J
noop
)
(t+l), t,
datardy
datardy
t,
in
(
(t+l))
=
begin
t)
t))
complicated that the operation of INT. Whenever
the reset
llne is raised, the state is reset as described in the specificationof the reset operation. When
the datardy
line goes high, the interpreter begins a read cycle. When
lineisraised and the datardy
line ishigh, wc dump
value of the borw line. There is a counter so that the correct number are dumped.
When
the outck
either bytes or words depending
on the
of bytes and words
the counter reaches 0 we end the read cycle (by pulling the datardy
line low). Otherwise, wc do nothing. I As an example
_dd
dump_eord
of the instructions in I0, consider the dump_word
(st,
counter,
(byte, lot
nee_counter
let
i
lot
now_out
(st,
The
=
rn, :
(val
out,
outck) (dec
:
begin)
in
in
short
(mr nov_out,
instruction updates
datardy,
: counter)
counter)
nee_counter,
borv,
instruction.
i)
in bore,
datardy,
begin)
the counter by decrementing
the old value. The
value on the
output is determined by 16 most significantbits from the ith shiftregister,where
i is the
value of the counter. The most interestingfeature of the specificationof INT and 10 is that they share state. For example, both specify changes to sr, the variable representing the shift register.INT produces a value that is placed in sr by its dump instruction. I0 uses that value when asked to present the results of the integration on the output lines. Both interpreters also specify changes to datardy, the variable representing whether or not data is ready to bc output. INT sets datardy
when
it has dumped
the the counter into the shift register. 10 resets datardy
when
the contents of
it is done outputting the
data. Readers that
some
end
of the tNote
of this details
specification in the
integration
that count
circuit
period
in INT and
who are ends,
counter
are familiar not there
found
with in the
is an 8 cycle
the
design
may
specification. delay
before
in I0 are two different state variables.
be surprised
For data
instance,
to find after
can be read
the from
3rd NASA
Symposium
on VLSI
the chip (i.e.datardy
Design
1991
10.1.7
goes high). In the specificationshown
above datardy
goes high the
time period afterthe ±nt lineispulled high. This is an example of the temporal abstraction going on between
the circuitlevelsof the specificationand the behavioral specifications
given here.
6
The
The
final
them
Top-Level specification
Specification
combines
corr_top
rep
(acc,
delay,
beg£n,
st, rn,
rep
(ace, (a,
(io_int
rep
of the
two
interpreters
and
operates
(st,
specification
and
datardy
reading
of sr
not
For
correctly?
correlator
7
does lines.
can
borw)
outck,
a,
delay,
sr,
counter, rn,
datardy,
out,
b,
(byte_e,
The
count,
counter,
(byte_e, ((integrate_in_
the
specifications
in parallel.
_de]
sr
the
rn))
=
out,
borw,
datardy)
A da_ardy,
begin)
outck)))
explicitly
be answered
int) count,
int,
example,
This
b,
and
answer
questions
regarding
the
do
INT and
It] correctly
coordinate
other
important
questions
regarding
of the
specification.
by analysis
shared
use of the
the
writing
the
and
operation
of
Conclusion.
This
paper
ous
to this
papers
has
such
Deriving
engineer
specification cation of the
the
provides of the
between device.
The
the
behavioral
being
as [2]. These
in English. design
presented
specification
the
descriptions specification
correlator
presented
for a VLSI was
the
design
users
in this paper
on the and
since
documents design
is useful
by unambiguously
is a snapshot
correlator
design.
in design
ambiguous
the design
perspective
and
described
necessarily
by reading
documents customers,
design
were
an interesting
designers,
specification
specification
written,
they
were
and
process.
The
written to the
behavioral
for enhancing
design.
and
talking
communi-
describing
of the
Previ-
documents
the
function
A specification
is
constantly subject to revisionto bring itup to date with current expectation and to correct errors that are part of any written description. Future work will extend the specification in two ways: • We intend eration. that show
to show
that
For example,
the
specification
the analysis
must
exist
between
that
they
are
met.
the
two
meets
will make interpreters
certain
explicit for the
requirements the chip
synchronization to function
for
correct
op-
conditions correctly
and
10.1.8
• We will specify the structural tured in the HDL description specification
implies
level by deriving it from of the circuit. We intend
the architecture
we have
the design information capto show that this structural
described
above.
Acknowledgments This work was 1406. i
sponsored _
by NASA under .... :_
Space
Engineering :
Research
Center
grant
NAGW-
References [1] Albert order
CamiUeri, logic.
Circuit
[2] J.
Canaris
and
and
Tom
editor,
Center
HD£
A high
speed on
of the
Hardware
verification
Descriptions
Publishers,
Symposium
A formulation
Melham.
From
S.cientific
S. Whitaker.
Church.
Logic,
to
using
higher
Guaranteed
Correct
1987. CMOS
VLSI
correlator.
Design,
simple
In NASA
pages
theory
Space
3.3.1-3.3.11,
of types.
Engi.
November
Journal
of Symbolic
5, 1940.
[4] Michael
S.C.
verifying
Gordon.
hardware.
of VLSI
Design,
[5] Michael
S.C.
G. Birtwhist!e Synthesis.
University
[s] Phillip grammed
Why
pages
153-177.
Gordon. and
HOL:
P.A
J. Windley.
IEEE The
of California, J. Windley.
and Elsevier
Press,
Scientific
editors,
editors,
system VLSI
for specifying Formal
and
Aspects
1986. for
higher-order
Specification,
logic.
Verification,
In and
1988. VHDL
Language
Verification Division
A hierarchical
formalism
Publishers,
generating
Standard Formal
is a good
P. A. Subrahmanyam,
A proof
Davis,
microprocessors. 1990.
logic
Subrahmanyam,
Academic
1076-1987.
May
higher-order
In G. J. Mi!ne
Kluwer
Std
[7] PhiUip
Privacy,
Elsevier
Research
[3] Alonzo
Gordon,
In D. Borrione,
Designs.
neering 1990.
[6] IEEE
Mike
of Generic
of Computer
methodology
In Proceedings
Reference
of the
IEEE
1987.
Interpreters.
Science, for
Manual,
the
June
verification
Symposium
PhD
thesis,
1990. of microproon Security
and
