The Synchronous System Description Language PURR*

Thomas Kropf, Jürgen Ruf, Klaus Schneider, and Markus Wild

University of Karlsruhe, Department of Computer Science,
Institute for Computer Design and Fault Tolerance (Prof. D. Schmid),
P.O. Box 6980, 76128 Karlsruhe, Germany,
email: {Thomas.Kropf,Juergen.Ruf,Klaus.Schneider}@informatik.uni-karlsruhe.de,
http://goethe.ira.uka.de/hvg

Abstract This paper presents the new synchronous language PURR, the system description language of the verification system C@S. The language is mainly based on Esterel, but extends it in several ways. These extensions are necessary to model systems at a high level of abstraction that makes state-of-the-art verification techniques applicable. Moreover, our new language directly supports transformational verification: most steps necessary to make a system description suitable for a correctness proof with a certain decision procedure or a theorem prover can be done inside our language, avoiding conflicts occurring from different semantics of different languages.

1 Introduction

The formal verification of systems requires languages to formally model the system implementation and to describe specifications unambiguously. Correctness proofs can then be performed using a calculus or a decision procedure which work on both descriptions. The main emphasis of this paper lies on a new approach to describe and specify systems in a way which is better suited for a formal treatment than existent description languages.

State-of-the-art methods for circuit design are based on hardware description languages such as VHDL [10] or Verilog [16]. Both languages are dedicated to the design and the fast simulation of circuits at various levels of abstraction. However, these languages are less suited for formal verification. First, they both lack of a clear formal semantics. The semantics for these languages have been given in an informal manner that is not always clear and hence lead to discussions about the exact meaning of some constructs. Recently, different formal semantics have been proposed to solve this problem [3]. However, the event-driven simulation oriented semantics of these languages still makes verification difficult and they are less suited to describe systems at higher levels of abstraction.

A completely different approach is based on synchronous languages, which have been developed for the design of reactive embedded systems. In these languages, most statements do not consume time and those statements that do so are explicitly controlled by the user. Moreover, parallel threads run synchronously, i.e. both have the

* This work has been financed by DFG project Automated System Design, SFB358 and also by the priority program 'Design and design methodology of embedded systems'. 
same ‘clocking scheme’. This view of threads simplifies the design of software for microcontrollers as well as hardware design for complex controllers to a large extent.

There are different synchronous languages such as Esterel [2,7] that represents an imperative synchronous language, Lustre [15] a synchronous dataflow language, and graphical synchronous languages such as statecharts [5], Argos [8] or SyncCharts [4].

In contrast to hardware description languages like VHDL or Verilog, these languages have been designed with the application of formal methods in mind. The result have been clear, readable languages with a clean and formal semantics. The statements are as orthogonal as possible to achieve a small and understandable set of grammar rules. Moreover, the synchronous semantic model is excellently suited for the application of verification techniques, in particular for temporal logic model checking.

Hence, synchronous languages are an excellent starting point for a new language dedicated to formal verification. However, each of these languages lacks certain features which are essential for modeling and verifying a wide range of hardware systems as well as real time embedded systems at different levels of abstraction. To keep the advantages of synchronous languages without the restrictions hindering their intended use, our approach is based on defining a new system description and verification language called PURR by smoothly enriching the synchronous imperative language Esterel by the lacking language constructs. We have chosen Esterel as the basis of our approach as this language offers excellent possibilities to describe control dominated systems and there are many tools available for this language.

In the following, we will give a brief overview about our additions and motivate the decisions made. We will then present some aspects of PURR as well as some small examples. In contrast to Esterel, PURR offers the following additional features:

- nondeterminism
- abstract data types with polymorphism and dependent types [14,1]
- generic modules
- special processes for finite state machines and net lists
- critical regions
- formal property specification and analysis with assertions

One of the main differences between Esterel and PURR is the use of nondeterminism in PURR. While traditional synchronous languages enforce deterministic systems, we allow and want to have nondeterminism as this is essential for modeling systems at higher abstraction levels. Consider for example, that a thread of a set of threads wanting to access a shared resource is to be chosen for arbitration. As long as the arbitration is fair and correct, we do not need to know how it actually works and can model the choice nondeterministically. Hence, nondeterminism may arise by various sorts of abstractions. Also, nondeterminism may arise in timing issues: due to abstractions, the delay or computation time of a component may often be determined only to a certain degree of exactness. Such timing behavior is modeled in PURR by timing intervals where the actual transition time is chosen nondeterministically from a specified interval.

Another major difference between Esterel and PURR is the availability of (polymorphic) abstract data types. Esterel only covers the control of parallel running threads
while data types other than integers, floats, booleans and strings are imported from a ‘host language’ like C. Esterel can be translated afterwards into this host language such that a complete host language program can be created. From the designer’s point of view this is reasonable, since all the heuristics for the code optimization of already existing modern compilers can be used and only the code generation for the control of parallel running threads is left to the Esterel compiler. However, from the verifier’s point of view, this is a serious drawback, since an entire formal verification that should also cover the data manipulations is difficult to perform in such a language ‘mix’. Hence, we decided to extend Esterel by inductive definitions of abstract data types that are suitable for formal verification [9].

Subsequent differences between Esterel and PURR such as generic modules and syntax for directly describing hardware structures at register-transfer and synchronous gate level can be viewed as ‘syntactic sugar’: They do not extend the expressiveness of the language as these constructs could in principle also be expressed in Esterel itself\(^1\). However, as a main topic of \(\text{C@S}\) is the verification of hardware designs, it is convenient to be able to directly describe hardware structures and not to transform them to Esterel constructs. The possibility to describe generic structures allows the use of inductive proof methods to perform correctness proofs (also for abstract data types).

The most verification oriented difference of PURR to any other description language is the possibility to directly add specifications to the modules similar to the language of the SMV model checker [13]. Thus it is not only possible to model the implementation behavior, but also to explicitly state the intended behavior. Thus PURR offers all necessary input to a formal verification, namely implementation and specification descriptions. In contrast to the SMV language, it is possible to give specifications also for submodules. Moreover, PURR allows to specify the behavior of the system environment, i.e. requirements about the external world which have to be fulfilled for a correct system functioning. This directly supports ‘assumption-commitment’ style correctness proofs.

In the same way as specifications, analysis requests are possible. While specifications of a module are either true or false, analysis requests describe problems for which a numeric solution is to be computed, e.g. the length of the shortest path between two states or two sets of states. Up to now, only timing analysis is supported, but there are many other applications, such as structural analysis to think about.

Besides the additional possibilities to model a wide variety of systems at different levels of abstraction, PURR directly reflects the transformation verification methodology of \(\text{C@S}\) [12]: PURR allows to describe the behavior of the very same submodule in different models, e.g. as an algorithmic description, a standard finite state machine or a netlist of simpler modules. Parts of a system may even be described by a set of properties only given e.g. as a temporal logic specification without having an implementation at all. This allows to perform the partitioning and transformation of implementation descriptions in PURR itself. These steps are necessary for the verification of complex

\(^1\) As far as possible, we aim at giving PURR a translational Esterel semantics, i.e. to define additional constructs in terms of Esterel programs such that arbitrary PURR descriptions can be translated into Esterel to use – besides our own verification environment – the available Esterel tools for synthesis and simulation.
systems, especially, if the correctness proof involves the application of decision procedures like model checking. As an example, an algorithmic description using only finite data types may be transformed into a finite state machine representation before it is fed into a model checker. It is only in the very last transformation step where the PURR description is exported in the file and language format of the target prover. Hence it is easily possible to add additional proof systems as backend modules of $\mathcal{C@S}$. It has to be noted also that PURR has been carefully chosen in such a way that (at least the synchronous subset) of VHDL and Verilog can be translated into it. By providing such front ends for $\mathcal{C@S}$ a verification of synchronous hardware designs given in standard hardware description languages is also possible.

2 The Synchronous Language PURR

Due to the space restrictions of this paper it is not possible to present PURR or the $\mathcal{C@S}$ system in detail\(^2\). In the following, we present only the basic ideas concerning abstract data types, and the different types of modules.

2.1 Abstract Data Types

Abstract data types in PURR are built up by constructors, i.e. the set of values the abstract data type can take is isomorphic to the set of variable free terms build from the constructors $c_1, \ldots, c_n$. Additionally, operators $f_i$ can be defined on the abstract data type by induction on the constructors. The application of the functions $f_i$, as well as the functions on already built-in types such as arithmetic operators on integers and boolean operators on boolean values, does not consume time.

\begin{verbatim}
ABSTYPE list(\alpha) [n: NAT]
CONSTRUCTOR
   NIL : list(\alpha)[0];
   CONS : \alpha\#list(\alpha)[n] \rightarrow list(\alpha)[n + 1];
OPERATOR
   HD : list(\alpha)[n] \rightarrow \alpha;
   TL : list(\alpha)[n] \rightarrow list(\alpha)[(n \oplus 1 : 0)];
   AP : list(\alpha)[n]\#list(\alpha)[m] \rightarrow list(\alpha)[n + m];
EQUATIONS
   HD(CONS(x,y)) := x;
   TL(NIL) := NIL;
   TL(CONS(x,y)) := y;
   AP(NIL,z) := z;
   AP(CONS(x,y),z) := CONS(x,AP(y,z));
END ABSTYPE
\end{verbatim}

\(^2\) An overview of $\mathcal{C@S}$ and the complete grammar of PURR can be found at http://goethe.ira.uka.de/hvg/cats/.

---

2 An overview of $\mathcal{C@S}$ and the complete grammar of PURR can be found at http://goethe.ira.uka.de/hvg/cats/.
As an example, consider the above definition of polymorphic lists of a given length \( n \). All terms of that type are lists, where the members of the lists have type \( \alpha \) and the length of the lists is \( n \). Hence, we support polymorphism, as the use of type variables such as \( \alpha \) is allowed in other types. Each type can be substituted for \( \alpha \) such that these types serve in some way as ‘template types’. Also, we allow dependent types, as a type may depend on other terms. For example, the above type list\(<\alpha>[/n]\) depends on the term variable \( n \) that determines the length of the lists. The usefulness of dependent types for hardware descriptions has be elaborated in [1] and needs not be outlined here. Also, we note without giving further details, that the inductive definition of data types as given above is well suited for a formal treatment, e.g. for correctness proofs by induction (see e.g. [9]).

2.2 Modules in PURR

In general, there are different kinds of modules in PURR that are all described similarly:

```
Module_Sort name [g1 : \gamma_1, \ldots, g_j : \gamma_j](\hat{i}_1 : \alpha_1, \ldots, \hat{i}_m : \alpha_m)  
  \rightarrow (o_1 : \beta_1, \ldots, o_m : \beta_m)
REQUIRES  
  r_1 : \phi_1, \ldots, r_l : \phi_l
Module_Body
SPECIFICATION  
  s_1 : \psi_1, \ldots, s_u : \psi_u
ANALYZE  
  a_1 : \chi_1, \ldots, a_w : \chi_w
End Module_Sort
```

`Module_Sort` is one of FSM, STRUCTURE or PROCESS. The variables \( g_1, \ldots, g_j \) are the generic parameters of the module, \( \hat{i}_1, \ldots, \hat{i}_m \) are the inputs of the module and \( o_1, \ldots, o_m \) are the outputs of the module. \( g_k \) has the type \( \gamma_k \), \( \hat{i}_k \) has the type \( \alpha_k \) and \( o_k \) has the type \( \beta_k \). Available types are integers, booleans, enumeration types, arrays on types, records on types, unions on types and also user-defined abstract data types as shown in the last section.

The difference between the generic parameters \( g_k \) and the inputs \( \hat{i}_k \) is that parameters \( g_k \) do not depend on time while inputs \( \hat{i}_k \) do. Generic parameters are used for defining generic modules, e.g. a module may depend on the bitwidth of its inputs that is then used as generic parameter for the module.

Requirements allow to describe assumptions about the behavior of the environment, but do not affect the behavior of the module. These requirements are used for the verification of the module, as in general the given specifications do only hold when the requirements hold. Also, requirements can be used for code generation as already done in the Esterel compilers.

Requirements as well as specifications of the module can be given in different logics. Currently, temporal logics [6] as CTL, CTL*, LTL and CCTL [11] are considered as well as subsets of first- and higher-order logics to cover specifications on abstract data types.

The `Module_Body` depends on the `Module_Sort`. We do not describe the simple cases for FSM and STRUCTURE as these are exactly the same as in the SHDL language as given in [12] (SHDL is a forerunner of PURR). Instead, we describe here the
PROCESS modules. Roughly speaking, processes represent Esterel modules. Given that $\tau$ and $\gamma$ are expressions, $\sigma$ a signal expression, $x$ a (signal) variable, $\alpha$ a type and $S_i$ a statement, the following statements belonging to Esterel are also available in PURR:

1. NOTHING, HALT and PAUSE $\tau$
2. $x := \tau$ and $x := \tau$ AFTER $\gamma$
3. VAR $x := \tau : \alpha$ IN $S$ END
4. SIGNAL $x := \tau : \alpha$ IN $S$ END
5. EMIT $x$ and EMIT $x(\tau)$
6. SUSTAIN $x$ and SUSTAIN $x(\tau)$
7. LOOP $S$ END
8. REPEAT $\tau$ TIMES $S$ END
9. POSITIVE REPEAT $\tau$ TIMES $S$ END
10. IF $\tau$ THEN $S_1$ ELSE $S_2$ END
11. AWAIT $\sigma$
12. ABORT $S_1$ WHEN $\sigma$ END
13. ABORT $S_1$ WHEN $\sigma$ DO $S_2$ END
14. WEAK ABORT $S_1$ WHEN $\sigma$ END
15. WEAK ABORT $S_1$ WHEN $\sigma$ DO $S_2$ END
16. LOOP $S$ EACH $\sigma$
17. EVERY $\sigma$ DO $S$ END
18. SUSPEND $S$ WHEN $\sigma$
19. TRAP $x_1, \ldots, x_n$ IN $S$
   HANDLE $x_1$ DO $S_1$
   $\vdots$
   HANDLE $x_n$ DO $S_n$ END
20. EXIT $x$
21. RUN $m \{\tau_1, \ldots, \tau_n\} (\pi_1, \ldots, \pi_m)$
22. WHILE $\tau$ DO $S$ END
23. $S_1; S_2$
24. $S_1 || S_2$

The meaning of the statements is almost what they say and is, exactly the same as in Esterel. For this reason, a discussion of them is left out here. See e.g. the Esterel Primer\(^3\) for an excellent introduction on Esterel. We have excluded all Esterel statements such as call and exec that have to do with the integration on tasks written in the host language, as PURR has no need for a host language.

In contrast to Esterel, PURR offers the possibility to extend the pause statement by an interval such that it consumes an amount of time units specified by that interval. The actual value of time units to be consumed is chosen nondeterministically of the interval. The pause statement in Esterel does always consume one unit of time. This allows timing nondeterminism.

\(^3\)http://zenon.inria.fr/meije/esterel/.
Another kind of nondeterminism in PURR is given by the \textsc{choose} operator. Given any expression $\Phi(x)$ of type \texttt{boolean}, that depends on a variable $x$ of type $\alpha$, \textsc{choose} $x.\Phi(x)$ represents an element of the type $\alpha$ such that $\Phi(x)$ holds. For example, \textsc{choose} $x.1 \leq x \leq 20$ represents a fixed, but arbitrary number between 1 and 20. Depending on the choice that is done nondeterministically, this choice for $x$ may lead to different computations.

The \texttt{run} statement allows to start the execution already defined module $m$. The parameters $\{\tau_1, \ldots, \tau_n\}$ are thereby instantiations for the generic parameters, while the arguments $(\pi_1, \ldots, \pi_m)$ are time-dependent inputs of the module $m$.

In addition to Esterel statements, PURR offers two further statements: \texttt{region} $x$ $S$ \texttt{end} allows parallel threads to share common data, which then is safely accessed in such a critical region via mutual exclusion. A region $S$ is shared between different threads through its name $x$. Moreover, for any (temporal) logic formula $\psi$, \texttt{assert} $(\ell, \psi)$ is a statement in PURR. These assertion statements make it possible to specify properties which must hold at certain points of the computation flow. It introduces a label $\ell$ to name that control point of the thread and adds the specification that the formula $\varphi$ must hold as that point (hence the specification that always $\ell \rightarrow \varphi$ must hold). The properties $\varphi$ are given in the same way as in specifications, which are described before. This allows to reason about control points and their relationship as given in [17].

3 Conclusions

We have presented PURR a new language targeted at describing and verifying complex systems. It is based to some extent on the synchronous language Esterel, but enriches this by many constructs that are necessary and useful for modeling and verifying reactive systems as e.g. hardware circuits. We have already implemented the core part of \texttt{C@S} in C++ which is responsible for reading and manipulating PURR programs. Also, we have defined a formal semantics which is essentially for a language that is to be used for formal verification. This semantics is the basis for a deep language embedding in the HOL theorem prover that is now in order. Many verification algorithms and decision procedures such as CTL and LTL model checking are also currently integrated into \texttt{C@S}.

References


