

Microprocessing and Microprogramming

ELSEVIER Microprocessing and Microprogramming 40 (1994) 909-912

Towards Amalgamating High-Level Synthesis and Proof Systems *

Mats Larsson a,†

a Department of Computer and Information Science, Linköping University, S-581 83 Linköping, Sweden

This paper gives an overview of an ongoing research project on the application of formal methods to high-level synthesis. The key idea is to embed a design representation used in an existing high-level synthesis system in a mechanical proof system. This approach has the following properties: First, we use a design representation proved applicable to high-level synthesis; Second, we can reason about design transformations used in an existing high-level synthesis system; Third, we allow formal reasoning about both control and data; and Fourth, we provide mechanical support for formal reasoning.

1. Introduction

High-level synthesis (HLS) is becoming an increasingly important area in digital system design [12]. This is because production technology has continued to improve during the last decades and the complexity of digital systems has increased accordingly. Due to this ever increasing complexity, a need for computational support to design and reason about digital systems at higher levels of abstraction has emerged. By designing at higher levels of abstraction this complexity can be handled and the design effort, and thereby the design time, can be reduced.

Unfortunately the high-level synthesis systems existing today are not based on sound semantic principles. Research in this area has so far been oriented towards optimizing a qualitative measure of the generated design in terms of area and speed, and the equally important correctness measure has almost entirely been ignored. To solve this problem I propose a method to establish a formal basis for high-level synthesis by embedding a design representation, used in a high-level synthesis system, in a mechanized proof system. This way the correctness of both generated designs and the design system itself can be stated and reasoned about formally with mechanical support.

* This work is supported by The Swedish Institute (SI) and The Swedish Board of Technical Development (NUTEK).

† Presently at: University of Cambridge, Computer Laboratory, New Museums Site, Pembroke Street, CB2 3QG Cambridge, UK.

1.1. Previous work

Camposano has presented a formal definition of the Yorktown Internal Form design representation together with a set of proven transformations that can be used for scheduling and allocation [3].

Corella et al. have defined the semantics of a procedural language, used as input to the IBM HLS system, annotated with timing information [4]. This information is added by back-annotating the original input with the actual schedule implemented by the HLS system. This annotated input is then verified against the synthesised design.

Devadas and Keutzer translate the procedural input into a non-deterministic finite automaton that represents a set of schedules that can be chosen by the synthesis program [5]. Verification of scheduling constraints is then carried out using automata-theoretic algorithms.

Grass et al. have designed a set of formal methods to cope with three different problems they have identified in HLS: module verification, scheduling, and controller synthesis [7]. For each of these problems they use different methods. For module verification they use HOL, for verifying scheduling they use LOTOS, and for controller synthesis they use a model of LOTOS with timing.

Leeser and Wolf have presented an extended FSM model (Behavioural FSM) which permits the use of state transition graphs to model incompletely specified sequential behaviour [9]. High-level synthesis is modelled as the transformation of a behavioural FSM into a completely specified FSM [14]. The transformations can be proved behaviourally correct.

0165-6074/94/$07.00 © 1994 - Elsevier Science B.V. All rights reserved. SSDI 0165-6074(94)00080-8

McFarland and Parker have developed a theory of behavioral expressions and used these to verify transformations in the CMUDA HLS system [11] and in the SAW HLS system [10].

2. The Approach

The approach taken here is to embed the internal design representation of an existing HLS tool in a mechanized proof system. The benefits of such a language embedding approach are manifold; Boulton et al. [2] mention the following:

• provide an unambiguous semantic definition of the notation;

• mechanized support for syntax and type checking;

• a framework for establishing meta-theorems about the notation;

• support formal proofs about programs;

• derivation of proof rules for the notation;

• verification of compilers.

From this we see that having such an embedding we can prove designs generated by the high-level synthesis system correct with respect to the (translated) algorithmic specification. We can also prove the transformations of the design system correct using the same method. With such a set of proved design transformations as base, a formal transformation system, similar to the one described in a forthcoming paper by the author [8], can be implemented.

Such a transformation system has many possible applications. It can for example function as the kernel of a formal high-level synthesis system. Every design synthesised by such a system would be correct by construction.

The approach is generic in the sense that the method can be used for other well-defined design representations for transformational design. A further advantage of the approach is its extendibility. We can define new design transformations to be used in our design system. By proving them correct we do not risk making the system inconsistent. Another use of a formally embedded design representation is to allow symbolic execution of designs.

3. The HLS System

[Figure 1 drawing: a Time Petri Net (control) and a Data Flow Graph (data path) connected by Control Signals and Guard Signals]

Figure 1. The ETPN model

Extended time Petri net (ETPN) is a formal representation model derived from Petri net theory and consisting of separate but related models for control and data path [13]. Control is modelled by a time Petri net with deterministic firing rules and guarded transitions and the data path by a data flow graph with conditional arcs (see Figure 1). There are several restrictions on the control Petri net introduced to avoid specifying systems with ambiguous behaviour. The most important of these are that the Petri net must be:

• well-behaved, i.e. if two subgroups of the data part can be active simultaneously, they must be disjoint;

• safe, i.e. two sets of operations can not be executed on the same data unit at the same time;

• conflict-free, i.e. non-deterministic choice between transitions is not allowed.

A graphical representation of an ETPN descrip- tion can be seen in Figure 2.

[Figure 2 drawing not recoverable from the extracted text]

Figure 2. An ETPN example
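To make the restrictions above concrete, here is a small Python model, added for this edit and not code from the paper or from CAMAD, that checks the conflict-free rule structurally and the safe rule by enumerating the reachable markings of a loop-free control net. The net itself, the encoding of a guard as a (signal, value) pair, and the labelling of each data arc with one controlling place are simplifying assumptions of this example.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
Marking = FrozenSet[str]  # the set of currently marked control places
Guard = Optional[Tuple[str, bool]]  # (data signal, required value); None = unguarded
Trans = Tuple[Set[str], Set[str], Guard]  # (input places, output places, guard)
class ETPN:
    """Simplified ETPN model (an assumption of this example, not CAMAD's format): a control
    net with guarded transitions plus data arcs (src, dst) active while their place is marked."""
    def __init__(self, transitions: Dict[str, Trans], arcs: Dict[str, Set[Tuple[str, str]]]):
        self.t = transitions  # transition name -> (pre-places, post-places, guard)
        self.arcs = arcs      # controlling place -> data-flow arcs it activates

    def conflicts(self) -> List[Tuple[str, str, str]]:
        """Conflict-free rule: transitions sharing an input place must carry opposite guards
        on one signal, otherwise the choice between them is non-deterministic."""
        bad, names = [], sorted(self.t)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                shared, ga, gb = self.t[a][0] & self.t[b][0], self.t[a][2], self.t[b][2]
                if shared and not (ga and gb and ga[0] == gb[0] and ga[1] != gb[1]):
                    bad.append((a, b, min(shared)))
        return bad

    def reachable(self, initial: Marking) -> Set[Marking]:
        """Markings reachable by single firings, ignoring guard values (a conservative
        over-approximation); finite because the control part is assumed loop-free."""
        seen, todo = set(), [initial]
        while todo:
            m = todo.pop()
            if m not in seen:
                seen.add(m)
                todo += [(m - pre) | post for pre, post, _ in self.t.values() if pre <= m]
        return seen

    def unsafe(self, initial: Marking) -> List[Tuple[Marking, str]]:
        """Safe rule: no reachable marking may activate two arcs into the same data unit."""
        bad = []
        for m in self.reachable(initial):
            writers: Dict[str, int] = {}
            for p in m:
                for _, dst in self.arcs.get(p, ()):
                    writers[dst] = writers.get(dst, 0) + 1
            bad += [(m, d) for d, n in writers.items() if n > 1]
        return bad

def example() -> Tuple[list, list]:
    """Constructed net: S0 forks into S1 || S2, which join at S3; a branch on data
    signal c follows. Two violations are planted deliberately so both checks fire."""
    net = ETPN(
        {"t0": ({"S0"}, {"S1", "S2"}, None),
         "t1": ({"S1", "S2"}, {"S3"}, None),
         "t2": ({"S3"}, {"S4"}, ("c", True)),
         "t3": ({"S3"}, {"S5"}, ("c", False)),
         "t4": ({"S3"}, {"S6"}, None)},              # unguarded: choice at S3 is ambiguous
        {"S1": {("a", "r")}, "S2": {("b", "r")}})   # S1 || S2 both drive register r
    return net.conflicts(), net.unsafe(frozenset({"S0"}))
```

Running `example()` reports the unguarded transition t4 as conflicting with t2 and t3 at S3, and the marking {S1, S2} as unsafe because both places drive register r at once.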

This representation model is used as a unified design representation which captures the intermediate designs of the high-level synthesis process, and thus allows the synthesis algorithm to employ an iterative improvement approach to carry out the synthesis task. The basic idea is that once the behavioural specification is translated into the initial design representation, it can be viewed as a primitive implementation. Correctness-preserving transformations can then be used to successively transform the initial design into an efficient implementation. These can be divided into three groups:

• Operation scheduling transformations, e.g. to change the degree of parallelism in the design;

• Data path transformations, e.g. to let operations share resources;

• Control transformations, e.g. to reduce the complexity of the control Petri net.

The CAMAD³ system [13] is an HLS tool designed to work on the ETPN design representation and to implement the outlined transformational synthesis method.

³ Computer Aided Modelling, Analysis, and Design.

4. Embedding ETPN in a Proof System

By embedding a language in a proof system we mean to (re)define it in terms of the notation of the proof system. We have chosen to use the HOL proof assistant [6] as proof system, which means that we will embed ETPN in higher order logic. The motivation for using HOL is that it is a mature and well supported proof system with properties such as safe symbolic reasoning about design objects, safe extensions to the basic logic via definitions, and a programmable interface to the logic. Another reason is that the author has already designed a formal transformation system based on the window inference package in HOL [8] and will build on that experience in this project.

When embedding a language in logic the semantics of this language must be properly captured in the new definition. This is particularly difficult to achieve for languages that are not semantically well-defined. In the case of ETPN the control part has a well-defined semantics derived from Petri net theory whereas it uses an uninterpreted (syntactical) model of the data path. The latter means, for example, that no algebraic reasoning is possible in the current version of ETPN.

We have partitioned the project into three phases:

1. To gain a full understanding of ETPN and its use in HLS;

2. To define a formal theory of ETPN that can be embedded in HOL;

3. To demonstrate the usefulness of the theory by performing proofs or implementing tools.

We are currently in phase 2 and the main problem we encounter here is to go from an uninterpreted to an interpreted model, i.e. to be able to reason about the meaning of a design rather than just manipulate it syntactically. The major tasks that have to be achieved are:

• Defining a data path semantics;

• Defining equivalence explicitly.

The latter issue is perhaps the most difficult one since the scheduling transformations are retiming the design.

To begin with we have restricted ourselves to ETPNs that lack loops in the control part. This restriction is not unrealistic since there are many designs that do not contain (internal) loops. Even so, loop handling will be addressed later on.

5. Conclusions

The idea of embedding a formal model of an internal design representation, designed for use in high-level synthesis, in a proof system is to the best of our knowledge new. It shows great potential in that it supplies mechanical support for reasoning formally about individual designs as well as about the synthesis system and the algorithms implementing it.

The ETPN design representation is particularly well suited for formalization in logic due to its conceptual simplicity and the fact that it is already partly well-defined. The fact that ETPN is a unified design representation, i.e. designed to capture the intermediate designs of the high-level synthesis system, is also an advantage since only one design representation has to be dealt with throughout the high-level synthesis process.

A side-effect of this work is the insight into ETPN that comes from the need to fully understand its semantics. This has already led to ambiguities in the language being discovered.

REFERENCES

1. ACM. Proceedings of the 1991 International Workshop on Formal Methods in VLSI Design, Miami, United States, Jan. 1991.

2. R. J. Boulton, A. D. Gordon, M. J. C. Gordon, J. R. Harrison, J. M. J. Herbert, and J. P. van Tassel. Experience with embedding hardware description languages in HOL. In R. Boute, T. Melham, and V. Stavridou, editors, Proceedings of the Conference on Theorem Provers in Circuit Design: Theory, Practice and Experience, The University of Nijmegen, The Netherlands, June 1992. IFIP, North Holland.

3. R. Camposano. Behavior preserving transformations for high-level synthesis. In Proceedings of Workshop on Hardware Specification, Verification and Synthesis: Mathematical Aspects, Cornell University, Ithaca, New York, United States, 1989. Springer-Verlag.

4. F. Corella, R. Camposano, R. Bergamaschi, and M. Payer. Verification of Synchronous Sequential Circuits Obtained from Algorithmic Specifications. In ACM [1].

5. S. Devadas and K. Keutzer. An Automata-Theoretic Approach to Behavioral Equivalence. In Proceedings of ICCAD 1990, Santa Clara, CA, United States, 1990.

6. M. Gordon and T. Melham, editors. Introduction to HOL. Cambridge University Press, Cambridge, England, Mar. 1993.

7. W. Grass, M. Mutz, and W.-D. Tiedemann. High Level Synthesis based on Formal Methods. In Proceedings of EUROMICRO 94, Liverpool, England, Sep 5-8, 1994. IEEE Computer Society Press.

8. M. Larsson. An Engineering Approach to Formal Digital System Design. In 7th International Conference on Higher Order Logic Theorem Proving and its Applications, Malta, Sep 19-22, 1994. Springer-Verlag. To appear.

9. M. Leeser and W. Wolf. Behavior FSMs for High-Level Verification and Synthesis. In ACM [1].

10. M. McFarland. A practical application of verification to high-level synthesis. In ACM [1].

11. M. C. McFarland and A. C. Parker. An Abstract Model of Behavior for Hardware Descriptions. IEEE Transactions on Computers, C-32(7):621-637, July 1983.

12. M. C. McFarland, A. C. Parker, and R. Camposano. The High-Level Synthesis of Digital Systems. IEEE, 78(2):301-318, Feb. 1990.

13. Z. Peng and K. Kuchcinski. Automated Transformation of Algorithms into Register-Transfer Level Implementations. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 13(2):150-166, Feb. 1994.

14. W. Wolf, A. Takach, C.-Y. Huang, and R. Manno. The Princeton University Behavioral Synthesis System. In Proceedings of the 29th Design Automation Conference, pages 182-187, Anaheim, CA, United States, Jun 8-12, 1992. IEEE Computer Society Press.