# Hardware/Software Partitioning in Verilog \*

Qin Shengchao<sup>1</sup>, He Jifeng<sup>2\*\*</sup>, Qiu Zongyan<sup>1</sup>, and Zhang Naixiao<sup>1</sup>

<sup>1</sup> School of Mathematical Sciences Peking University, Beijing, 100871, China qinshc@pubms.pku.edu.cn, {zyqiu, naixiao}@pku.edu.cn <sup>2</sup> United Nations University International Institute for Software Technology UNU/IIST, P.O.Box 3058, Macau hjf@iist.unu.edu

Abstract. We propose in this paper an algebraic approach to hardware/software partitioning in Verilog HDL. We explore a collection of algebraic laws for Verilog programs, from which we design a set of syntaxbased algebraic rules to conduct hardware/software partitioning. The cospecification language and the target hardware and software description languages are specific subsets of Verilog, which brings forth our successful verification for the correctness of the partitioning process by algebra of Verilog. Facilitated by Verilog's rich features, we have also successfully studied hw/sw partitioning for environment-driven systems.

Keywords. Verilog, algebraic laws, hardware/software co-design, hard-ware/software partitioning

## 1 Introduction

The design of a complex software product like a nuclear reactor control system is ideally decomposed into a progression of related phases. It starts with an investigation of the properties and behaviours of the process evolving within its environment, and an analysis of requirement for its safety performance. From these is derived a specification of the electronic or program-centred components of the system. The project then may go through a series of design phases, ending in a program expressed in a high level language. After translation into a machine code of the chosen computer, it is executed at high speed by electronic circuity. In order to achieve the time performance required by the customer, additional application-specific hardware devices may be needed to embed the computer into the system which it controls.

With chip size reaching one million transistors, the complexity of VLSI algorithms is approaching that of software algorithms. However, the design methods for circuits resemble the low level machine language programming methods. Selecting individual gates and registers in a circuit like selecting individual machine instruction in a program. State transition diagrams are like flowcharts.

<sup>\*</sup> Partially supported by NNSFC No. 60173003

<sup>\*\*</sup> On leave from Software Engineering Institute of East China Normal University

These methods may have been adequate for small circuit design when they were introduced, but they are not adequate for circuits that perform complicated algorithms. Industry interest in the formal verification of embedded systems is gaining ground since an error in a widely used hardware device can have significant repercussions on the stock value of the company concerned. In principle, proof of correctness of a digital device can always be achieved by making a comparison of the behavioural description of the circuit with its specification. But for a large system this would be impossiblly laborious. What we need is a useful collection of proven equations and other theorems, which can be used to calculate, manipulate and transform the specification formulae to the product.

Hardware/software co-design is a design technique which delivers computer systems comprising hardware and software components. A critical phase of the co-design process is to partition a specification into hardware and software. This paper proposes a partitioning method whose correctness is verified using algebraic laws developed for the Verilog hardware description language. One of advantages of this approach lies in that it ensures the correctness of the partitioning process. Moreover, it optimises the underlying target architecture, and facilitates the reuse of hardware devices.

The algebraic approach advocated in this paper to verify the correctness of the partitioning process has been successfully employed in the **ProCoS** project on "Provably Correct systems". The original **ProCoS** project [5] concentrated almost exclusively on the verification of standard compiler of a high-level programming language based on Occam down to a microprocessor based on Transputer [4]. Sampaio showed how to reduce the compiler design task to one of program transformation; his formal framework is a procedural language and its algebraic laws [13]. Towards the end of the first phase of the project, Ian Page *et al* made rapid advance in the development of hardware compilation technique using an Occam-like language targeted towards Field Programmable Gate Arrays [10], and He Jifeng *et al* provided a formal verification of the hardware compilation scheme within the algebra of Occam programs [3].

Recently, some works have suggested the use of formal methods for the partitioning process [14, 12]. In [14], Silva *et al* provide a formal strategy for carrying out the splitting phase automatically, and present an algebraic proof for its correctness. However, the splitting phase delivers a large number of simple processes, and leaves the hard task of clustering these processes into hardware and software components to the clustering phase and the joining phase. Furthermore, additional channels and local variables introduced in the splitting phase to accommodate huge number of parallel processes actually increase the data flow between the hardware and software components. In [12], Qin *et al* propose an algebraic approach to partition a specification into hardware and software in one step and as well verify the correctness of their partition process. However, their approach is based on algebraic laws of the high level communicating language Occam, which leaves rather a long way to pass in hardware/software co-synthesis phase, since the partition results also enjoy a high level form. In this paper, the above-mentioned long way has been shortened by adopting Verilog as our partition language.

The remainder of this paper is organised as follows. Section 2 introduces Verilog HDL and explores some useful algebraic laws. Section 3 describes our partitioning strategy. We propose our co-specification language and target hardware and software architectures in section 4. Afterwards, we investigate our partition process in detail in section 5 by designing a collection of proved syntax-based partitioning rules. A simple conclusion is followed in section 6.

## 2 Verilog and Its Algebraic Laws

Modern hardware design typically uses a hardware description language (HDL) to express designs at various levels of abstraction. A HDL is a high level programming language with usual programming constructs, such as assignments, conditionals and iterations, and appropriate extensions for real-time, concurrency and data structures suitable for modelling hardware.

Verilog is a HDL that has been standardized and widely used in industry ([8]). Verilog programs can exhibit a rich variety of behaviours, including eventdriven computation and shared-variable concurrency. In our hardware/software partitioning process, the non-trivial subset of Verilog we adopt contains the following categories of syntactic elements.

1. A Verilog program can be a sequential process or a program paralleled by several sequential processes, with or without local variable declaration.

 $P ::= S \mid P \parallel P \mid var x \bullet P$ 

2. A sequential process in Verilog can be any of the forms as follows.

$$\begin{split} S &::= PC(\text{primitive command}) \mid S; S \text{ (sequential composition)} \\ \mid \textit{if } b \, S \, \textit{else } S \text{ (conditional)} \mid \textit{while } b \, S \text{ (iteration)} \\ \mid (g \, S) [\![ \dots ]\!] (g \, S) \text{ (guarded choice)} \mid \textit{always } S \text{ (infinite loop)} \\ \mid \textit{case } (e) (pt \, S) \dots (pt \, S) \text{ (switch statement)} \end{split}$$

where

To facilitate algebraic reasoning, the language is enriched with

- assignment event @(v := e)

- general guarded choice construct  $(g_1 P_1) [\ldots ] (g_n P_n)$
- non-deterministic choice  $P \sqcap Q$

Although it is reported that Verilog has been much more widely used in industry than VHDL([1]), the formal semantics of Verilog has not been fully studied. He and Zhu ([6, 17]) explore an operational and a denotational semantics for Verilog and investigate some algebraic laws from them. Zhu, Bowen and He ([15, 16]) establish formal consistency between above-mentioned two presentations. Iyoda and He ([9]) successfully apply simple algebraic laws of Verilog to hardware synthesis process. Recently, He has explored a collection of algebraic laws for Verilog, by which a well-formed Verilog program can be transformed into head normal forms ([2]). In the following, we investigate some algebraic laws for Verilog, which will play a fundamental role in our hardware/software partitioning process.

Before presenting algebraic laws, we define a triggering predicate as follows.

**Definition 1.** Given an event control eg, we define those simple events that enable eg as follows.

$$E(eg) =_{df} \begin{cases} \{\uparrow x\}, & \text{if } eg = @(\uparrow x) \\ \{\downarrow x\}, & \text{if } eg = @(\downarrow x) \\ \{\uparrow x, \downarrow x\}, & \text{if } eg = @(\sim x) \\ E(eg_1) \cup E(eg_2), & \text{if } eg = eg_1 \text{ or } eg_2 \\ E(eg_1) \cap E(eg_2), & \text{if } eg = eg_1 \text{ and } eg_2 \\ E(eg_1) \setminus E(eg_2), & \text{if } eg = eg_1 \text{ and } \neg eg_2 \end{cases}$$

Given an output event  $\rightarrow \eta$ , and an event control eg, we adopt a triggering predicate, denoted as  $\eta \sim eg$ , to describe the condition under which the former enables the later.

$$\eta \rightsquigarrow eg =_{df} E(@(\eta)) \subseteq E(eg)$$

and adopt the predicate,  $\eta \rightsquigarrow eg$ , to denote the condition when the former cannot trigger the later.

$$\eta \rightsquigarrow eg =_{df} E(@(\eta)) \cap E(eg) = \emptyset$$

By this definition, now we can define the well-formedness of guarded choice constructs.

**Definition 2.** A guarded choice  $[]_{i \in I} g_i P_i$  is well-formed iff all its input guards are disjoint, i.e., for any input guards  $g_k$ ,  $g_l$  from  $\{g_i \mid i \in I\}$ , if  $E(g_k) \cap E(g_l) \neq \emptyset$ , then  $g_k = g_l$ , and  $P_k$  and  $P_l$  are exactly the same process.  $\Box$ 

All guarded choice constructs are well-formed in later discussions.

Now, we explore a collection of useful algebraic laws for Verilog programs.

Successive assignments to the same variable can be combined to a single one. (assgn-1) v := e; v := f = v := f[e/v]

In an assignment to a list of variables, the order of variables is irrelative. (assgn-2) u, v := e, f = v, u := f, e

Variables not occured on the left side of an assignment remain unchanged during the assignment.

 $(assgn-3) \ u := e \ = \ u, \ v := e, \ v$ 

skip does not change the value of any variable.

(assgn-4) skip = v := v

Sequential composition is associative, and has left zero *chaos*. It distributes backward over conditional, internal and external choices.

(seq-1) (P;Q); R = P; (Q;R)

- (seq-2) chaos; P = chaos
- $(seq-3) \ (P \sqcap Q); R = (P; R) \sqcap (Q; R)$
- (seq-4) (if b P else Q); R = if b (P; R) else (Q; R)

$$(seq-5) ( []_{i \in I} (g_i Q_i)); R = []_{i \in I} (g_i (Q_i; R))$$

By the following law, we can transform a sequential composition of an output event and a guarded choice into a guarded process (g P), where output guard g will no longer fire guards of P.

(seq-6) Let  $S = [\!]_{i \in I} (g_i P_i)$ , and g is the disjunction of all input guards of S. (1)  $\rightarrow n: S = \begin{cases} \rightarrow \eta S & \text{if } \eta \rightsquigarrow g; \end{cases}$ 

(1): 
$$\neg \eta, \beta = \big( \rightarrow \eta P_k \text{ if } \eta \rightsquigarrow g_k \text{ for some } k \in I.$$

 $\begin{array}{ll} (2). & (x < f)_{\perp}; @(x := f); S = \\ & \left\{ \begin{array}{ll} (x < f)_{\perp}; @(x := f) \, S & \text{if } \uparrow x \rightsquigarrow g; \\ (x < f)_{\perp}; @(x := f) \, P_k & \text{if } \uparrow x \rightsquigarrow g_k \text{ for some } k \in I. \end{array} \right. \end{array}$ 

(3). 
$$(x > f)_{\perp}; @(x := f); S =$$
  

$$\begin{cases} (x > f)_{\perp}; @(x := f) S & \text{if } \uparrow x \rightsquigarrow g; \\ (x > f)_{\perp}; @(x := f) P_k & \text{if } \uparrow x \rightsquigarrow g_k \text{ for some } k \in I. \end{cases}$$

(4). 
$$(x = f)_{\perp}; @(x := f); S = (x = f)_{\perp}; @(x := x) S$$

where  $b_{\perp}$  is an assertion defined as *if b skip else chaos* ([7]).

For a general guarded choice G, we can also transform it by this law into a guarded choice  $\|_{i \in I} (g_i P_i)$ , where no output guard in  $\{g_i \mid i \in I\}$  will enable any guards of the process following it. Without loss of generality, from now on, we assume all guarded choices meet this property.

Assignment distributes forward over conditional.  $(cond-1) \ v := e; (if \ b(v) \ P \ else \ Q) = if \ b(e) \ (v := e; P) \ else \ (v := e; Q)$ Iteration is subject to the fixed point theorem.  $(iter-1) \ while \ b \ P = if \ b(P; while \ b \ P) \ else \ skip$ Non-deterministic choice is idempotent, symmetric and associative.

(nond-1)  $P \sqcap P = P$ 

 $(nond-2) P \sqcap Q = Q \sqcap P$ 

 $(nond-3) P \sqcap (Q \sqcap R) = (P \sqcap Q) \sqcap R$ 

Parallel operator is symmetric and associative, and has *chaos* as zero.

(par-1) P || Q = Q || P(par-2) P || (Q || R) = (P || Q) || R(par-3) chaos || P = chaos

Local variable declaration enjoys the following laws.

 $(lvar-1) var x \bullet (x := e) = skip$ 

 $(lvar-2) var x \bullet (P \lhd b \triangleright Q) = (var x \bullet P) \lhd b \triangleright (var x \bullet Q)$ , provided x is not free in b.

(lvar-3) If x is not free in Q, then

(1)  $var x \bullet Q = Q$ (2)  $(var x \bullet P); Q = var x \bullet (P; Q)$ (3)  $Q; (var x \bullet P) = var x \bullet (Q; P)$ 

 $(3) \ Q, (var \ x \bullet I) = var \ x \bullet (Q, I)$  $(4) \ (var \ x \bullet P) \parallel Q = var \ x \bullet (P \parallel Q)$ 

 $(lvar-4) var v \bullet (\rightarrow \eta_v P) = var v \bullet (skip; P)$ 

 $(lvar-5) var u \bullet (var v \bullet P) = var v \bullet (var u \bullet P)$ 

We will denote  $var x \bullet var y \bullet \ldots \bullet var z$  as  $var x, y, \ldots, z$ .

The following is a set of expansion laws which enables us to convert a parallel process into a guarded choice. We assume that

 $G_{1} = []_{i \in I}(g_{i} Q_{i}) \qquad G_{2} = []_{j \in J}(h_{j} R_{j})$  $G_{3} = []_{k \in K}(e_{v_{k}} P_{k}) \qquad G_{4} = []_{l \in L}(e_{u_{l}} T_{l})$ 

where all  $g_i$  and  $h_j$  are input guards (like  $@(\eta)$ ); all  $e_{v_k}$  and  $e_{u_l}$  are respectively output events with respect to variables  $v_k$  and  $u_l$  (like  $\rightarrow \eta$  or @(x := f)).

$$\begin{array}{l} (\textit{par-4}) \ (x := e; G_1) \parallel (y := f; G_2) \ = \ (@(x := e) \ (G_1 \parallel (y := f; G_2))) \parallel \\ (@(y := f) \ ((x := e; G_1) \parallel G_2)) \end{array}$$

 $(par-5) G_1 \parallel (y := f; G_2) = (@(y := f)(G_1 \parallel G_2)) \parallel \parallel_{i \in I} g_i (Q_i \parallel (y := f; G_2))$  $(par-6) \text{Let } q =_{df} or_{i \in I} g_i, h =_{df} or_{i \in I} h_i, \text{then}$ 

$$\begin{array}{l} par-b) \text{ Let } g =_{df} \quad or_{i \in I} \ g_i, \ h =_{df} \quad or_{j \in J} \ h_j, \text{ then} \\ (G_1 \, \| \, G_3) \, \| \ (G_2 \, \| \, G_4) = & \|_{i \in I} \ ((g_i \ and \neg h) \ (Q_i \, \| \ (G_2 \, \| \, G_4)) \, \| \\ & \|_{j \in J} \ ((h_j \ and \neg g) \ ((G_1 \, \| \, G_3) \, \| \ R_j)) \, \| \\ & \|_{i \in I, j \in J} \ ((g_i \ and \ h_j) \ (Q_i \, \| \ R_j)) \, \| \\ & \|_{k \in K, j \in J_k \sim k_k} \rightarrow h_j \ (e_{v_k} \ (P_k \, \| \ R_j)) \, \| \\ & \|_{i \in I, l \in L, e_{v_k} \rightsquigarrow h_j} \ (e_{v_k} \ (P_k \, \| \ G_2 \, \| \, G_4))) \, \| \\ & \|_{i \in I, l \in L, e_{u_l} \rightsquigarrow g_i} \ (e_{u_l} \ (Q_i \, \| \ T_l)) \, \| \\ & \|_{l \in L, e_{u_l} \rightsquigarrow g} \ (e_{u_l} \ (G_1 \, \| \, G_3) \, \| \ T_l)) \end{array}$$

(par-7) An assignment thread is involved.

$$\begin{array}{l} (1) \ (x:=e) \parallel (y:=f) \ = \ (@(x:=e) \ (y:=f)) \ \| \ (@(y:=f) \ (x:=e)) \\ (2) \ (x:=e) \parallel G_2 \ = \ (@(x:=e) \ G_2) \ \| \ \|_{j \in J} \ (h_j \ ((x:=e) \parallel R_j)) \end{array}$$

The parallel operator is disjunctive.  $(par-8) (P \sqcap Q) \parallel R = (P \parallel R) \sqcap (Q \parallel R)$ 

In some special case, the parallel operator distributes over conditional. (par-9) var  $v_1, \ldots, v_n \bullet ((if \ b \ S_1 \ else \ S_2) \parallel G) =$   $var v_1, \ldots, v_n \bullet (if \ b \ (S_1 \parallel G) \ else \ (S_2 \parallel G)),$ 

provided guards in G are either event controls with respect to variables in  $\{v_1, \ldots, v_n\}$  or time-delay guards.

Time-delay guards are involved in the following law. (*par-10*) Let  $\Delta_1 > \Delta_2 > 0$ ,  $\Delta > 0$ .

 $(1). \ (\#\Delta S) \| G_3 = G_3$   $(2). \ (G_1 \| \#\Delta_1 S) \| \ (G_2 \| \#\Delta_2 T) = \\ \|_{i \in I} \ ((g_i \ and \neg h) \ (Q_i \| \ (G_2 \| \#\Delta_2 T)) \| \\ \|_{j \in J} \ ((h_j \ and \neg g) \ ((G_1 \| \#\Delta_1 S) \| R_j)) \| \\ \|_{i \in I, j \in J} \ ((g_i \ and \ h_j) \ (Q_i \| R_j)) \| \\ \| \#\Delta_2 \ ((\#(\Delta_1 - \Delta_2) S) \| T)$   $(3). \ (G_1 \| \#\Delta S) \| \ (G_2 \| \#\Delta T) = \\ \|_{i \in I} \ ((g_i \ and \ \neg h) \ (Q_i \| \ (G_2 \| \#\Delta T)) \|$ 

$$\begin{bmatrix} i \in I & (G_i \text{ and } \neg g) & ((G_1 \parallel \# \Delta S) \parallel R_j)) \parallel \\ \parallel_{j \in J} & ((h_j \text{ and } \neg g) & ((G_1 \parallel \# \Delta S) \parallel R_j)) \parallel \\ \parallel_{i \in I, j \in J} & ((g_i \text{ and } h_j) & (Q_i \parallel R_j)) \parallel \\ \parallel \# \Delta & (S \parallel T) \end{bmatrix}$$

The guarded choice is idempotent, symmetric and associative. (guard-1)  $G_1 \parallel G_1 = G_1$ 

 $(guard-2) G_1 \parallel G_2 = G_2 \parallel G_1$ 

 $(guard-3) \ (g_1 \ Q_1) \ [ \ ((g_2 \ Q_2) \ [ \ (g_3 \ Q_3)) \ = \ ((g_1 \ Q_1) \ [ \ (g_2 \ Q_2)) \ [ \ (g_3 \ Q_3) \ (g_3 \$ 

(guard-4) var  $v \bullet ((@(\eta_v) P) || G_1) = var v \bullet G_1$ 

The construct always S executes S forever.

 $(always-1) \ always S = S; always S$ 

From the operational semantics of Verilog ([6]), we know the fact that skip is not a left zero of sequential composition in general cases, because it might filter some signal. Hereby, the following inequation is obvious.

 $@\uparrow v \neq skip; @\uparrow v$ 

The following definition will capture those cases where skip is a left zero of sequential composition.

#### Definition 3 (Event control insensitive).

A process P is event control insensitive if skip; P = P.

**Theorem 1.** The following processes are event control insensitive.

- -x := e, skip, chaos, or #(t);
- $@(x := e), \rightarrow \eta_v;$
- if b P else Q, while b Q, case  $(e) (pt_1 S_1) \dots (pt_n S_n)$ ;

 $- \prod_{i \in I} (g_i Q_i), v := g e$ , where no guards are event controls;

- $P_1; P_2$ , where  $P_1$  is event control insensitive;
- $-P_1 \sqcap P_2, P_1 \parallel P_2$ , where both  $P_1$  and  $P_2$  are event control insensitive;
- always S, where S is event control insensitive;

-  $var v_1, \ldots, v_n \bullet (S_1 \parallel \ldots \parallel S_n)$ , where each  $S_i$  is either event control insensitive, or only guarded by events with respect to variables in  $\{v_1, \ldots, v_n\}$ .

From those basic algebraic laws mentioned above, we investigate the following lemma, which will be very useful in later discussions.

#### Lemma 1. Let

 $P = (@\eta_u P_2), \ Q = (\to \eta_u; @\eta_v Q_2),$ 

suppose sequential programs  $P_1, P_2, Q_1$  are event control insensitive, and variables u, v do not occur in  $P_1$  or  $Q_1$ , then

- (1).  $var u, v \bullet (P \parallel Q) = var u, v \bullet (P_2 \parallel (@\eta_v Q_2))$
- (2).  $var u, v \bullet (P \parallel (Q_1; Q)) = var u, v \bullet (Q_1; (P \parallel Q))$

(3). 
$$var u, v \bullet ((P_1; P) \parallel (Q_1; Q)) = var u, v \bullet ((P_1 \parallel Q_1); (P \parallel Q))$$

*Proof.* The proof is presented in [11].

We introduce an ordering relation between programs before further investigation.

#### Definition 4 (Refinement).

Let P, Q be Verilog processes employing the same set of variables, we say Q is a refinement of P, denoted as  $P \sqsubseteq Q$ , if  $P \sqcap Q = P$  is algebraically provable.

## 3 Partitioning Strategy

This section is devoted to introduce our hardware/software partitioning strategy, which can be described in four steps, see Fig. 1.

- Before conducting the partitioning process, the programmer codes the kernel specification for the system to be designed in our co-specification language, which is a sequential subset of Verilog and will be detailedly explained in next section.
- Then, assisted by program analysis techniques ([12]), the programmer carries out the hardware/software allocation task, i.e., marks out those parts that should be implemented by hardware and divides the variables employed by the kernel specification into two disjoint sets.
- Our hardware/software partitioning algorithm will take such a marked program as input, and deliver as output the corresponding hardware and software kernel specifications. In this step, we design and prove a collection of syntax-based splitting rules, which ensure the correctness of the partitioning process and make computer automatic partitioning possible.



Fig. 1. Hardware/Software Partitioning Strategy

 Afterwards, hardware/software partitioning results for the whole environmentdriven system is derived from the results in the third step.

We successfully propose an algebraic approach to hardware/software partitioning, which ensures the correctness of the hardware/software partitioning process and facilitates the automatic partitioning.

In later sections, we will first investigate our partitioning framework and then explore the algebraic partitioning rules.

## 4 Hardware/Software Partitioning Framework

In this section, we intend to introduce our hardware/software partitioning framework. We propose our co-specification language and investigate the underlying target hardware/software architectures.

The co-specification language we adopt is a sequential subset of Verilog, which comprises the following syntactic elements.

 $S ::= AC \text{ (primitive command)} \mid S; S \text{ (sequential composition)} \\ \mid if b S else S \text{ (conditional)} \mid S \sqcap S \text{ (non-deterministic choice)} \\ \mid while b S \text{ (iteration)} \mid (gS) \| (gS) \text{ (guarded choice)}$ 

where

$$AC ::= v := e | \rightarrow \eta_v | @\eta_v | #\Delta | chaos | (v := e)_n (timing assignment) | \langle S \rangle (specific block)$$

 $\eta_v ::= \ \thicksim v \ | \ \uparrow v \ | \ \downarrow v$ 

The assignment statement with time constraint  $(v := e)_n$  doesn't appear explicitly in Verilog's syntax introduced in section 2, but it is in fact a well-formed Verilog program since

 $(v := e)_n = \sqcap_{0 \le k \le n} (v := \# k e)$ 

Moreover, the block notation in  $\langle S \rangle$  has no semantical meanings.

From the customer's requirements, the programmer can describe the kernel specification for the system to be designed in this co-specification language. After appropriate hardware/software marking and allocation, a marked source program is passed to the partitioning process.

The underlying target hardware and software components from the kernel specification will own specially-chosen forms. We adopt an event-trigger mechanism to synchronise behaviours between hardware and software, and use a shared-variable mechanism to cope with interactions between hardware and software.

The kernel part of the software specification is a member of CP(r, a), a subset of sequential Verilog programs, which is constructed by the following inductive rules.

(1). An event control insensitve sequential process not containing variable r or a;

(2).  $\rightarrow \eta_r; C; @\eta_a$ , where C is a member of CP(r, a) not mentioning r or a;

(3).  $C_1$ ;  $C_2$ , or *if*  $b C_1 else C_2$ , or  $C_1 \sqcap C_2$ , or  $(g_1 C_1) \parallel (g_2 C_2)$ , where  $C_1, C_2, g_1, g_2 \in CP(r, a)$ ;

(4). while bC, where  $C \in CP(r, a)$ .

We introduce another set  $CP_{\varepsilon}(r, a)$  which comprises those processes in CP(r, a) not mentioning variable  $\varepsilon$ .

As mentioned in last section, our splitting task is divided to two steps. Firstly, we design a collection of algebraic rules to refine any source program S (the kernel specification for the system) to its hardware/software decomposition

 $C_0 \parallel D_0$ 

where the software component  $C_0$  is of the form  $(C; \to \eta_{\varepsilon})$ , C is a member of  $CP_{\varepsilon}(r, a)$ , the special event  $\to \eta_{\varepsilon}$  is adopted for the purpose of synchronisation between hardware and software, and the hardware component  $D_0$  is subject to the following equation:

$$D_0 = \mu X \bullet ((@\eta_r M; \to \eta_a; D_0) [(@\eta_\varepsilon skip)))$$

where  $M =_{df} case(id)(p_1 M_1) \dots (p_n M_n)$  is a case construct not containing  $r, a, \varepsilon$ .

We denote as  $DP_{\varepsilon}(r, a)$  the set of processes with the same form as  $D_0$ .

To avoid any possible loss of signals at the moment when the fixed point construct (equation) is expanded, we naturally claim that an abstract event only takes place at the moment when there's no other active events at all.

Secondly, for kernel specification S, rather than consider the hardware/software partitioning for S, we deal with the decomposition for the whole system's specification

 $\Psi_f^s(S) =_{df} always (@\eta_s S; \to \eta_f)$ 

which is driven by the environmental process:

 $Env =_{df} always (\rightarrow \eta_s; @\eta_f)$ 

and derive the partitioning of  $\Psi_f^s(S)$  under the environment Env as

 $\Psi_f^s(C) \parallel_{Env} D$ 

where  $P \parallel_{Env} Q =_{df} P \parallel Env \parallel Q$ , and the software component enjoys the form

 $\Psi_f^s(C) =_{df} always (@\eta_s C; \to \eta_f)$ 

where C is a process from CP(r, a),

and the hardware component D is of the form:

 $D =_{df} always (@\eta_r M; \rightarrow \eta_a)$ 

We denote as DP(r, a) the set of processes of the same form as D.

The following theorem ensures the synchronized termination between the kernel hardware and software specifications.

**Theorem 2.**  $(C_1; C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0 = ((C_1; \rightarrow \eta_{\varepsilon}) \parallel D_0); ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0)$ for any  $C_1, C_2$  in  $CP_{\varepsilon}(r, a)$  and  $D_0$  in  $DP_{\varepsilon}(r, a)$ .

*Proof.* By structural induction on  $C_1$ .

**case 1**  $C_1$  is event control insensitive and does not mention r or a.

(1.1)  $C_1$  is an atomic command.  $C_1 = chaos$ , the proof is trivial.  $C_1 = chaos, \text{ the proof is Grand and the$ LHS{Theorem 1}  $= tg((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0)$  $= tg(skip; ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0))$  $\{(par-6), (lvar-4)\}$  $\{(seq-6), (par-6), (guard-4)\}$  $= tg \left( (\rightarrow \eta_{\varepsilon} \parallel D_0); \left( (C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0 \right) \right)$ = RHS $(1.2) C_1 = S_1 \sqcap S_2$ LHS  $\{(seq-3)\}$  $= ((S_1; C_2; \to \eta_{\varepsilon}) \sqcap (S_2; C_2; \to \eta_{\varepsilon})) \parallel D_0$  $\{(par-10)\}$  $= ((S_1; C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0) \sqcap ((S_2; C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0)$ {hypothesis}

 $(1.6) C_1 = S_1; S_2.$ 

(1.6.1)  $S_1$  is a non-deterministic choice or conditional or guarded choice construct, we can respectively convert  $C_1$  to a non-deterministic choice, or conditional or a guarded choice construct by Laws (*seq-3*), (*seq-5*) and (*seq-4*), which are the cases we have dealt with in (1.2), (1.3) and (1.4).

(1.6.2)  $S_1$  is an atomic command. It's trivial when  $S_1$  is *chaos*. We only demonstrate the proof when  $S_1$  is a timing guard tg.

| LHS                                                                                                                                   | $\{(par-6), (guard-4)\}$           |
|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| $= tg\left((S_2; C_2; \to \eta_{\varepsilon}) \parallel D_0\right)$                                                                   | $\{hypothesis\}$                   |
| $= tg\left(\left((S_2; \to \eta_{\varepsilon}) \parallel D_0\right); \left((C_2; \to \eta_{\varepsilon}) \parallel D_0\right)\right)$ | $\{(seq-6), (par-6), (guard-4)\}$  |
| = RHS                                                                                                                                 |                                    |
| (1.6.3) $S_1 = while  b  S$ . Similar to (1.5).                                                                                       |                                    |
| case 2 $C_1 = \rightarrow \eta_r; C; @\eta_a.$                                                                                        |                                    |
| LHS                                                                                                                                   | $\{(par-6), (lvar-4), Theorem 1\}$ |
| $= (C; @\eta_a; C_2; \to \eta_\varepsilon) \parallel (M; \to \eta_a; D_0)$                                                            | $\{Lemma \ 1\}$                    |
| $= (C \parallel M); ((@\eta_a; C_2; \to \eta_\varepsilon) \parallel (\to \eta_a; D_0))$                                               | $\{(par-6), (lvar-4)\}$            |
| $= (C \parallel M); (skip; ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0))$                                                    | $\{(par-6), (lvar-4)\}$            |
|                                                                                                                                       |                                    |

| = | $(C \parallel M); (\rightarrow \eta_{\varepsilon} \parallel D_0); ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0) \qquad \{(par-t) \mid d_{\varepsilon} $ | 5), | (lvar-4), | Theorem 1}      |  |
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----|-----------|-----------------|--|
| = | $(C \parallel M); ((@\eta_a; \to \eta_{\varepsilon}) \parallel (\to \eta_a; D_0)); ((C_2; \to \eta_{\varepsilon}) \parallel D_0)$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 0)  |           | $\{Lemma \ 1\}$ |  |
| = | $((C; @\eta_a; \to \eta_\varepsilon) \parallel (M; \to \eta_a; D_0)); ((C_2; \to \eta_\varepsilon) \parallel D_0)$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |     |           |                 |  |
|   | ${(par-l)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 5), | (lvar-4), | Theorem 1}      |  |
| = | RHS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |     |           |                 |  |
|   | <b>case 3</b> $C_1$ is a composite construct.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |     |           |                 |  |
|   | (3.1) $C_1 = C^0; C^1$ , similar to (1.6).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |     |           |                 |  |
|   | (3.2) $C_1 = C^0 \sqcap C^1$ , similar to (1.2).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |     |           |                 |  |
|   | $(2,2)$ $C_{-}$ = if $hC_{0}^{0}$ alog $C_{1}^{1}$ analogous to $(1,2)$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |     |           |                 |  |

(3.3)  $C_1 = if b C^0 else C^1$ , analogous to (1.3).

(3.4)  $C_1 = []_{i \in I} (g_i C^i)$ , similar to (1.4).

(3.5)  $C_1 = \text{while } b C$ , analogous to (1.5). The following corollary is directly from theorem 2.

**Corollary 1.** Given  $C \in CP_{\varepsilon}(r, a)$  and  $D_0 \in DP_{\varepsilon}(r, a)$ , we have

 $(while \ b \ C; \rightarrow \eta_{\varepsilon}) \parallel D_0 = while \ b \ ((C; \rightarrow \eta_{\varepsilon}) \parallel D_0)$ 

## 5 Hardware/Software Partitioning

This section specifies our hardware/software partitioning process in detail. As mentioned in section 3, the task is divided to two steps: hardware/software partitioning for kernel specification; decomposition of the whole system's specification. The process will be detailedly investigated in the following two subsections.

#### 5.1 Syntax-Based Splitting Rules for Kernel Specification

This subsection is meant to design program partitioning rules. We explore a set of splitting rules which demonstrate how to construct hardware and software parts of a program construct from those of its constituents. Meanwhile, we show how to split atomic commands.

We introduce a predicate *Split* which plays a vital role in formalising the splitting rules.

**Definition 5** (Split). Let  $V = \{r, a, \varepsilon, id\}$ . Given a program S in the cospecification language, its hardware/software partition  $((C; \rightarrow \eta_{\varepsilon}), D^0)$  is specified by the following predicate:

 $\begin{array}{l} Split_{V}(S,C,D^{0}) &=_{df} \\ S &\sqsubseteq (C; \rightarrow \eta_{\varepsilon}) \parallel D^{0} \land \\ C \in CP_{\varepsilon}(r,a) \land D^{0} \in DP_{\varepsilon}(r,a) \land \\ V \subseteq Var(C; \rightarrow \eta_{\varepsilon}) \cap Var(D^{0}) \land \\ V \cap OccVar(S) = \emptyset \end{array}$ 

where OccVar(P) denotes the set of variables occured in the program P.

We design two set of syntax-based splitting rules in two different styles: the *bottom-up* style and the *top-down* style. The progammer can choose either of them to conduct hardware/software partitioning.

#### The Bottom-Up Splitting Rules

The *bottom-up* approach builds the hardware component from a marked program in one step before partitioning, i.e., all services the hardware should provide are integrated at the begining. However, it constructs the software component from those of its constituents using the following rules.

Bottom-Up Rule for Sequential Composition

$$\frac{Split_V(S_i, C_i, D^0), i = 1, 2}{Var(S_1) = Var(S_2)}$$
  
$$\frac{Split_V(S_1; S_2, C_1; C_2, D^0)}{Split_V(S_1; S_2, C_1; C_2, D^0)}$$

Proof.  $S_1$ ;  $S_2$ {; is monotonic}  $\sqsubseteq ((C_1; \rightarrow \eta_{\varepsilon}) \parallel D_0); ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0)$  $\{theorem 2\}$  $= (C_1; C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0$ 

## Bottom-Up Rule for Conditional

 $Split_V(S_i, C_i, D^0), i = 1, 2$  $Var(S_1) = Var(S_2)$  $\overline{Split_V(if \ b \ S_1 \ else \ S_2, \ if \ b \ C_1 \ else \ C_2, \ D^0)}$ 

| <i>Proof.</i> if $b S_1 else S_2$                                                                                                   | {conditional is mono.} |
|-------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| $\sqsubseteq if b ((C_1; \rightarrow \eta_{\varepsilon}) \parallel D_0) else ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0)$ | $\{(par-9)\}$          |
| $= (if \ b \ (C_1; \to \eta_{\varepsilon}) \ else \ (C_2; \to \eta_{\varepsilon})) \parallel D_0$                                   | $\{(seq-4)\}$          |
| $= ((if \ b \ C_1 \ else \ C_2); \rightarrow \eta_{\varepsilon}) \parallel D_0$                                                     |                        |

#### Bottom-Up Rule for Non-Deterministic Choice

 $Split_V(S_i, C_i, D^0), i = 1, 2$  $Var(S_1) = Var(S_2)$  $\overline{Split_V(S_1 \sqcap S_2, C_1 \sqcap C_2, D^0)}$ 

| <i>Proof.</i> $S_1 \sqcap S_2$                                                                                   | $\{\sqcap is mono.\}$ |
|------------------------------------------------------------------------------------------------------------------|-----------------------|
| $\sqsubseteq ((C_1; \to \eta_{\varepsilon}) \parallel D_0) \sqcap ((C_2; \to \eta_{\varepsilon}) \parallel D_0)$ | $\{(par-8)\}$         |
| $= ((C_1; \to \eta_{\varepsilon}) \sqcap (C_2; \to \eta_{\varepsilon})) \parallel D_0$                           | $\{(seq-3)\}$         |
| $= ((C_1 \sqcap C_2); \to \eta_{\varepsilon}) \parallel D_0$                                                     |                       |

#### Bottom-Up Rule for Guarded Choice

 $Split_V(S_i, C_i, D^0), i = 1, 2$  $Var(S_1) = Var(S_2)$  $\overline{Split_V((g_1 S_1) \| (g_2 S_2), (g_1 C_1) \| (g_2 C_2), D^0)}$ *Proof.*  $(g_1 \ S_1) [\![(g_2 \ S_2)]\!]$ {[] *is mono.*}  $\sqsubseteq (g_1 ((C_1; \rightarrow \eta_{\varepsilon}) \parallel D_0)) [(g_2 ((C_2; \rightarrow \eta_{\varepsilon}) \parallel D_0))]$  $\{(par-6), (guard-4)\}$  $= ((g_1 (C_1; \to \eta_{\varepsilon})) [ (g_2 (C_2; \to \eta_{\varepsilon}))) | | D_0$  $\{(seq-5)\}$  $= (((g_1 \ C_1) | [(g_2 \ C_2)); \to \eta_{\varepsilon}) | | D_0$ 

**Bottom-Up Rule for Iteration** 

### The Top-Down Splitting Rules

In the *top-down* style, both the hardware and software components of the source program are integrated from those of its constituents.

Before investigating the *top-down* splitting rules, we introduce the notion of *mergable* on hardware components from  $DP_{\varepsilon}(r, a)$ .

First of all, we present a basic rule for hardware augmentation, from which and the *bottom-up* rules in the former section we directly obtain the corresponding *top-down* rules in all cases.

**Rule for Hardware Augmentation** 

 $\frac{Split_V(S, C, D)}{mergable(D, D')}$  $\frac{Split_V(S, C, int(D, D'))}{Split_V(S, C, int(D, D'))}$ 

*Proof.* The proof can be reached in [11].

**Top-Down Rule for Sequential Composition** 

 $\begin{aligned} Split_V(S_i, \ C_i, \ D_i) \\ Var(S_1) &= Var(S_2) \\ \hline mergable(D_1, D_2) \\ \hline Split_V(S_1; S_2, \ C_1; C_2, \ int(D_1, D_2)) \end{aligned}$ 

**Top-Down Rule for Conditional** 

 $\frac{Split_V(S_i, C_i, D_i)}{Var(S_1) = Var(S_2)}$  $\frac{mergable(D_1, D_2)}{Split_V(if \ b \ S_1 \ else \ S_2, \ if \ b \ C_1 \ else \ C_2, \ int(D_1, D_2))}$ 

**Top-Down Rule for Non-Deterministic Choice** 

 $Split_V(S_i, C_i, D_i)$   $Var(S_1) = Var(S_2)$   $mergable(D_1, D_2)$   $\overline{Split_V(S_1 \sqcap S_2, C_1 \sqcap C_2, int(D_1, D_2))}$ 

**Top-Down Rule for Guarded Choice** 

$$\begin{split} Split_V(S_i, \ C_i, \ D_i) \\ Var(S_1) &= Var(S_2) \\ mergable(D_1, D_2) \\ \hline Split_V((g_1 \ S_1) \, \| \ (g_2 \ S_2), \ (g_1 \ C_1) \, \| \ (g_2 \ C_2), \ int(D_1, D_2)) \end{split}$$

The top-down rule for iteration enjoys the exact form with its bottom-up rule.

#### Splitting Atomic Commands

The details for specific blocks' partitioning are similar to discussions in [12].

For the timed assignment  $(v := f(x, c))_n$ , we only concentrate on the cases where both the hardware and software participate in the update of v.

Case 1: f is a busy function, and x is allocated to hardware.

 $Split_B(S = ((v := f(x, c))_n), C, D)$ , where

 $C =_{df} ((id := 1)_0; \rightarrow \eta_r; @\eta_a; (v := ly)_0), and$ 

 $D =_{df} \mu X \bullet ((@\eta_r \ case \ (id) \ (1 \ (ly := f(x, c))_n); \to \eta_a; X) \| (@\eta_\varepsilon \ skip)).$ 

Case 2: f is a busy function, but x is allocated to software.

 $Split_B(S = ((v := f(x, c))_n), C, D)$ , where

 $C =_{df} ((id := 1)_0; (lx := x)_0; \rightarrow \eta_r; @\eta_a; (v := ly)_0), and$ 

 $D =_{df} \mu X \bullet ((@\eta_r \ case \ (id) \ (1 \ (ly := f(lx, c))_n); \to \eta_a; X) [] \ (@\eta_\varepsilon \ skip)).$ 

Case 3: f is not a busy function, but x is allocated to hardware.

 $Split_B(S = ((v := f(x, c))_n), C, D)$ , where

 $C =_{df} ((id := 1)_0; \rightarrow \eta_r; @\eta_a; (v := f(lx, c))_n), and$ 

 $D =_{df} \mu X \bullet ((@\eta_r \ case \ (id) \ (1 \ (lx := x)_0); \rightarrow \eta_a; X) \ \| \ (@\eta_\varepsilon \ skip)).$ 

#### 5.2 Deriving Hw/Sw Partition for an Environment-Driven System

Now we investigate hardware/software partitioning for the whole system. The partitioning process is illustrated in Fig. 2.

As discussed in section 4, suppose the whole system's specification is described by

 $\Psi_f^s(S) =_{df} always (@\eta_s S; \rightarrow \eta_f)$ 

which is driven by environment process

 $Env =_{df} always (\rightarrow \eta_s; @\eta_f)$ 



Fig. 2. Hardware/Software Partition for the Whole System

where S is the kernel specification for the system to be designed, and  $\eta_s$  is the start signal,  $\eta_f$  is the finish signal.

For the kernel specification S, suppose we have obtained its hardware/software decomposition as follows by applying those rules in section 5.1.

 $Split_V(S, C, D)$ 

where  $V = \{r, a, \varepsilon, id\}$ and  $D = \mu X \bullet ((@\eta_r M; \to \eta_a; X) \| (@\eta_\varepsilon skip)).$ 

We design the following rule to generate the partitioning result for the whole system.

## System Partitioning Rule

$$\frac{Split_V(S, C, D)}{Part(\Psi_f^s(S), \Psi_f^s(C), \Psi_a^r(M))}$$

where, predicate *Part* is defined by

$$Part(S, C, D) =_{df} ((S \parallel Env) \sqsubseteq (C \parallel D \parallel Env))$$

and

$$\begin{split} \Psi_u^v(P) &=_{df} always \, (@\eta_v \, P; \to \eta_u), \\ Env &=_{df} always \, (\to \eta_s; @\eta_f). \end{split}$$

*Proof.* We define  $\{always_n(S)\}$  as follows, for all  $n \ge 0$ :

 $always_0(S) =_{df} chaos$  $always_{n+1}(S) =_{df} S; always_n(S)$ 

then by law (always-1), we have

$$always S = \bigsqcup_{n \ge 0} always {}_n(S)$$

Now by continuity of the parallel operator and law (seq-2), we only need to prove, for all  $n \ge 0$ ,

$$(\Psi_f^s(S)_n \parallel Env_n) \sqsubseteq ((\Psi_f^s(C)_n; \to \eta_{\varepsilon}) \parallel D \parallel Env_n)$$

where

$$\begin{split} \Psi_{f}^{s}(P)_{n} &=_{df} always \ _{n}(@\eta_{s} \ P; \rightarrow \eta_{f}) \\ Env_{n} &=_{df} always \ _{n}(\rightarrow \eta_{s}; @\eta_{f}) \end{split}$$

By mathematical induction on n.

(1). Basic step 
$$(n = 0)$$
.  

$$\Psi_{f}^{s}(S)_{0} \parallel Env_{0} \qquad \{(seq-2)\}$$

$$\sqsubseteq (chaos; \rightarrow \eta_{\varepsilon}) \parallel chaos \qquad \{(par-3), (par-1)\}$$

$$= (\Psi_{f}^{s}(C)_{0}; \rightarrow \eta_{\varepsilon}) \parallel D \parallel Env_{0}$$
(2). Inductive step  $(n \rightarrow n + 1)$ .
We first prove, for all  $n \ge 0$ ,

$$(\Psi_f^s(C)_n; \to \eta_\varepsilon) \parallel Env_n = always_n(C); \to \eta_\varepsilon \tag{\dagger}$$

By an induction on n.

n = 0. It's straightforward by law (*par-3*) and (*seq-2*).  $n \rightarrow n+1$ .  $(\Psi_f^s(C)_{n+1}; \rightarrow \eta_{\varepsilon}) \parallel Env_{n+1}$  $\{(par-6), (lvar-4), Theorem 1\}$  $= (C; \to \eta_f; \Psi_f^s(C)_n; \to \eta_\varepsilon) \parallel (@\eta_f; Env_n)$  $\{Lemma \ 1\}$  $= C; ((\rightarrow \eta_f; \Psi_f^s(C)_n; \rightarrow \eta_\varepsilon) \parallel (@\eta_f; Env_n))$  $\{(par-6), (lvar-4), Theorem 1\}$  $= C; ((\Psi_f^s(C)_n; \rightarrow \eta_{\varepsilon}) \parallel Env_n)$ {hypothesis}  $= C; (always_n(C); \rightarrow \eta_{\varepsilon})$  $\{(seq-1)\}$  $= always_{n+1}(C); \rightarrow \eta_{\varepsilon}$ Then, we have  $\Psi_f^s(S)_{n+1} \parallel Env_{n+1}$  $\{(par-6), (lvar-4), Theorem 1\}$ 

 $= (S; \to \eta_f; \Psi_f^s(S)_n) \parallel (@\eta_f; Env_n)$ {Lemma 1}  $= S; ((\rightarrow \eta_f; \Psi_f^s(S)_n) \parallel (@\eta_f; Env_n))$  $\{(par-6), (lvar-4), Theorem 1\}$  $= S; (\Psi_f^s(S)_n \parallel Env_n)$ {precondition, ; is mono.}  $\sqsubseteq ((C; \rightarrow \eta_{\varepsilon}) \parallel D); (\Psi_f^s(S)_n \parallel Env_n)$ {hypothesis}  $\sqsubseteq ((C; \to \eta_{\varepsilon}) \parallel D); ((\Psi_f^s(C)_n; \to \eta_{\varepsilon}) \parallel D \parallel Env_n)$  $\{(\dagger)\}$  $= ((C; \to \eta_{\varepsilon}) \parallel D); ((always_n(C); \to \eta_{\varepsilon}) \parallel D)$ {Theorem 2}  $= (always_{n+1}(C); \rightarrow \eta_{\varepsilon}) \parallel D$  $\{(\dagger)\}$  $= (\Psi_f^s(C)_{n+1}; \to \eta_{\varepsilon}) \parallel D \parallel Env_{n+1}$ 

### 6 Conclusion and Future Work

This paper proposes an algebraic approach to hardware/software partitioning in Verilog algebra. Verilog HDL is a hardware description language widely used by industry. Due to its plentiful language features, Verilog can be either used to capture system specification or adopted to specify subsequent designs of distinct levels of abstraction, including RTL design.

We adopt a sequential imperative subset of Verilog as our co-specification language, and allow it to contain time constraints, so as to describe timing specification. We confine target hardware and software specifications in specially chosen subsets of Verilog, and use Verilog's event-trigger mechanism to synchronise behaviours between them. Whereas, communications between hardware and software is based on Verilog's shared variable mechanism, which will facilitate the subsequent hardware/software co-synthesis, and make it possible to adopt bus techniques to implement interactions between hardware and software.

The partitioning process in this paper is rather different from our former approach in [12], where we only dealt with partitioning for a sequential source program. However, this paper not only developes a collection of splitting rules to partition a source program into hardware and software components, but also discuss hardware/software partitioning for the whole system which takes the source program as its kernel specification. The system is specified by Verilog's *always* constructs and its execution is driven by an environment process. Such systems widely exist in our daily life, embedded systems are of this kind. Developing a partitioning rule for such systemes will be very helpful for us to investigate correctness-preserved design of embedded systems.

As parts of future work, we need to consider optimization and reconfiguration of the hardware specification we generate before hardware synthesis. Meanwhile, in order to introduce this algebraic approach to hardware synthesis, we will have to investigate more helpful algebraic laws for Verilog. He *et al* have made noticeable progress ([2, 9]).

### References

- Mike Gordon, "The Semantic Challenge of VERILOG HDL", In *Tenth Annual IEEE Symposium on Logic in Computer Science*, IEEE Computer Society Press, 136-145, 1995. Revised version (April 11, 1996) of the paper published in the proceeding.
- 2. He Jifeng, "An Algebraic Approach to the Verilog Programming", will appear in the proceedings of Lisbon Workshop, 2002.
- He Jifeng, I. Page and J. Bowen, "A Provable Hardware Implementation of Occam", Lecture Notes in Computer Science 711, 693–703, (1993).
- He Jifeng and J. Bowen, "Specification, Verification and Prototyping of an Optimised Compiler", Formal Aspect of Computing 6, 643-658, (1994).
- He Jifeng et al, "Provably Correct Systems", Lecture Notes in Computer Science 863, 288–335, (1994).
- He Jifeng and Zhu Huibiao, "Formalising Verilog", in the proceedings of 7th IEEE International Conference on Electronics, Circuits and Systems (ICECS 2000), IEEE Computer Society Press, pp 412–415, Lebanon, December 2000.

- C.A.R. Hoare and He Jifeng, Unifying Theories of Programming, Prentice Hall, 1998.
- 8. IEEE Computer Society, IEEE Standard Hardware Description Language Based on the VERILOG Hardware Description Language(IEEE std 1364-1995), 1995.
- Juliano Iyoda and He Jifeng, "Towards an Algebraic Synthesis of Verilog", Technical Report 218, UNU/IIST, P.O. Box 3058, Macau, April 2001, appeared in the proceedings of the 2001 International Conference on Engineering of Reconfigurable systems and algorithms (ERSA'2001), Las Vegas, USA, (2001).
- Ian Page and Wayne Luk, "Compiling Occam into FPGAs", in FPGAs, eds., Will Moore and Wayne Luk, 271-283, Abingdon EE&CS books, (1991).
- Qin Shengchao, "An Algebraic Approach to Hardware/Software Partitioning in Hardware/Software Co-Design", Ph.D thesis, School of Mathematical Sciences, Peking University, March, 2002.
- Shengchao Qin and Jifeng He, "Partitioning Program into Hardware and Software", in the proceedings of Eighth Asia-Pacific Software Engineering Conference (APSEC 2001), IEEE Computer Society Press, pp 309–316, Macau, 4-7 December, 2001.
- Augusto Sampaio, "An Algebraic Approach to Compiler Design", World Scientific, (1997).
- L. Silva, A. Sampaio and E. Barros, "A Normal Form Reduction Strategy for Hardware/software Partitioning", Formal Methods Europe (FME) 97, LNCS, 1313, 624-643, (1997).
- 15. Zhu Huibiao, Jonathan P. Bowen and He Jifeng, "From Operational Semantics to Denotational Semantics for Verilog", in the proceedings of 11th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME 2001), Livingston, Scotland, 4-7 September, 2001, Lecture Notes in Computer Science 2144, pp 449–464, Springer-Verlag.
- Zhu Huibiao, Jonathan P. Bowen and He Jifeng, "Deriving Operational Semantics from Denotational Semantics for Verilog", in the proceedings of Eighth Asia-Pacific Software Engineering Conference (APSEC 2001), IEEE Computer Society Press, pp 177–184, Macau, 4-7 December, 2001.
- Zhu Huibiao and He Jifeng, "A DC-based Semantics for Verilog", in the proceedings of the International Conference on Software: Theory and Practice (ICS2000), pp 421–432, Beijing, August 21-24, 2000.