Decomposition of Sequential Behavior Using Interface Specification and Complementation

Decomposition of system behavior along functional boundaries into interacting sequential components is a key step in top-down system design. In this paper, we present sequential decomposition, a method for factoring sequential components from a system specification based on interface specifications of the components. The resulting components can be independently synthesized, or realized using off-the-shelf components. We introduce interface specification language (ISL), based on finite-state machine semantics, to specify the input/output behavior of synchronous sub-systems. A component is factored from a system by embedding an implementation of the complement of its interface into the system description. The composition of a machine with its complement is shown to be isomorphic to the machine, and the composition of a machine with an implementation of its component is shown to be a safe interaction. We apply sequential decomposition to a non-trivial example, a special-purpose computer with Scheme programming language primitives as its instructions.

1. INTRODUCTION ecomposition of system specifications for com- puter-aided system design is an active topic in synthesis research.As Gajski points out, system synthe- sis by design partitioning and interface synthesis must be explored to make synthesis viable for large designs ].Synthesis of systems with complex control structures into designs with "monolithic" control units can result in unwieldy implementations.A design tool should have the flexibility to let a designer decompose a system into suitable components with explicit synchronization and value communication.Synthesis of these decomposed components with register transfer level specifications can then be accomplished by high-level synthesis techniques.
Derivation is a formalization of synthesis with more emphasis on "correct construction" than on design auto- mation.Our tools constitute a set of transformations that are used to engineer an implementation from a specifi- cation, with each transformation accumulating informa- tion about the implementation.In a functional frame- work, a transformation called system factorization [2]   was used earlier to extract functional components having naive interactions with the surrounding system.As a generalization of system factorization, we have devel- oped sequential decomposition which uses a finite state machine model to decompose system descriptions into interacting sequential machines [3, 4].
We introduce Interface specification language (ISL), to describe the interaction of a machine with its environ- ment, orthogonal to its functional behavior.An extensive presentation of the language is given in [3].The comple- ment of a machine specifies the behavior of its environ- ment.We define implementation relations over ma- chines.Decomposition is accomplished by encapsulating parts of a system at the algorithm, process, or operation level of granularity into an abstract component with a specified interface.An implementation of its complement is then embedded as the interface "stub" in the original system description.
A composition operation is defined on the machines to model the synchronous interaction between machines.It is shown that a machine composed with its complement results is a closed machine that is isomorphic to the original.It is also shown that a machine composed with an implementation of its complement results in a safe interaction, meaning that the machines can complete an interaction protocol and reach their respective final states.

Related Research
Several researchers have looked at the interface issues involved in system synthesis.Bordello uses timing diagrams to specify the interface of a circuit and synthesis tools to generate the interface automatically [5].While Boriello develops these external interface specifi- cations as a means to guide synthesis, our goal is to use them to guide design decomposition.Yajnik and Ciesiel- ski [6] perform top-down machine decomposition by partitioning outputs and states in state graphs with the objective of performance and area optimization of syn- thesized PLA circuits.Specification at different levels of abstraction and partitioning of control and data flow graphs for synthesis have been considered by Kuehl- mann and Bergamaschi [7] to obtain smaller layouts.Our approach is to enable designers to decompose systems into logically and functionally distinct components and not to use heuristics to partition a design based on layout constraints.
J6wiak et.al [8,9] have developed heuristic methods for simultaneous decompositions of sequential machines into component machines by partitioning the state space, inputs and outputs.The inter-connections between the components are also determined heuristically by analyzing the machine structure.This method can be used to decompose a machine into sub-machines based on vari- ous area and speed constraints, but it does not take into account timing and protocol constraints in a design.
System-level decomposition in the System Architect' s Workbench is accomplished by behavioral transforma- tions 10].Walker and Thomas show transformations on the controller and selector to partition a design into processes.The processes created using their method have a very simple interaction scheme to transfer data values and control signals using message passing.Their ap- proach cannot synthesize components using complex protocols for data transfers and synchronization.
SpecPart [11] partitions algorithm/process grained computations from the SpecChart behavioral specifica- tions.Default protocols are used for interaction between components.The CHOP system-level design partitioner [12] uses task graphs to specify the protocol between every partition.Special purpose hardware units called data-transfer modules are used on both sides of each interaction.Although this method allows for complex protocols and use of off-the-shelf components, the inter- face has to be designed manually and may be expensive in terms of area and performance because of the special purpose modules.
In our approach, parts of a system can be abstracted and the protocol between the components can be incor- porated into the components without using any special- purpose modules and without restrictions on the proto- cols.Components of a system can be independently synthesized, or mapped to off-the-shelf components such as dynamic RAMs and floating-point units by specifying their interface from timing diagrams.
In related formal methods research, Kurshan [13] verifies reactive systems by stepwise reduction and refinement using L-automata with language and process homomorphism.Gopalakrishnan et.al.14] have used an annotated state machine model for bottom-up hardware specification and synthesis in HOP.Drusinsky and Harel have used state-charts for bottom-up hierarchical speci- fication [15] by embedding simpler state machines at a lower level of specification into states at a higher level of specification.The tree of state machines is then synthesized into a network of PLAs.Levin [16] uses a hierarchical automata model for system specification targeted towards a network of PLAs with memory.This method only supports naive interactions between con- stituent automata where one of the automaton is in "operation" and all the others are "waiting for its response".
Clarke et.al [17,18,19] have used a compositional finite state machine model to verify temporal properties of systems using computational tree logic and binary decision diagram based methods.Davie and Milne [20,21] have used constraints on the target architecture and the context of a design in CIRCAL to reduce the complexity of verification.Dill et.al [22] have looked at asynchronous hardware verification using the Murq HDL and verifier to test for deadlocks and invariants.As an alternative to bottom-up verification techniques, our approach facilitates top-down design by factoring se- quential components from designs using transformations.

Outline
The rest of this paper develops a theoretical basis for decomposition of sequential components from system specifications.Section 2 gives a brief introduction to Interface Specification Langage and a finite state ma- chine based semantic model for it.Section 3 describes the environment in which a machine operates, its complement machine.Section 4 gives a construction for composition of machines.The composition operation formalizes the synchronous interaction of machines for given port connections.We define a machine isomor- phism property and prove that a machine composed with its complement results in a closed machine isomorphic to the original.Section 5 defines the implementation and path implementation relations by extending the inclusion relation over port values in machine transitions to states and machines.We also show that a machine composed with a path implementatiori of its complement results in a safe interaction, i.e. the final states of the constituent machines are reachable.
As an example, a scheme machine is used to illustrate the ideas in the paper.The Scheme machine is a special-purpose computer providing the symbolic pro-cessing primitives of the Scheme programming lan- guage.The system includes a processor and a heap with a stop-and-copy garbage collector, an allocator, and a dynamic RAM based memory subsystem.We will use sequential decomposition on a high-level system descrip- tion to derive the interactions between the CPU, alloca- tor, and garbage collector in the system organization shown in Figure 1.

INTERFACE SPECIFICATION LANGUAGE
A definition in Interface Specification Language (ISL) is used to specify the input/output interaction of a machine with its environment.Communication between machines is modeled as values over connected ports.Other forms of communication, such as using buffers or shared storage, must be modeled explicitly.The interface is defined over input and output control ports (CI, CO) and input and output data ports (DL DO).The ports can range over a set of values (V) which includes the don't care value (#).
ISL is built on three kinds of synchronization primi- tives, lock-step, 1-way and 2-way synchronization.The operators sequence (;), choice (!]), interleave (X) and repetition (*) are used to form expressions in the lan- guage.The complement (M) and composition (M IM2)/v operations are discussed in sections 3 and 4. A detailed discussion of ISL syntax is presented in [3].
The BNF-style syntax description of the language is given in Figure 2. A machine is parametrized by the port names occurring in its defining expression.An action consists of a set of values on data ports guarded by certain truth values on control ports.Input actions A denote a set of control inputs guarding data actions.
Similarly, output actions A o denote a set of control outputs guarding data actions.The internal behavior of a machine can be annotated in any expression in the interface description.

Machine Model
The semantics of ISL is based on a finite-state machine model.A machine is a sextuple M (S, T, r, f, P, R, V), where S is the set of states, T is a non-empty set of transitions, r is the reset/start state, f is the final state, P is the set of ports, R is a set of internal registers and V is the domain of values.The set of ports is a union of the sets of control inputs, control outputs, data inputs, and data outputs (P CI t.J CO t.J DI t.J DO).A machine with no input ports is called a closed machine.
The final state of a machine indicates the completion of protocols associated with the machine; it does not indicate termination.There are two kinds of states, transit states and wait states.A transit state has no transitions from the state to itself.A wait state has at least one transition from the state to itself.In state diagrams, wait states are indicated by (D and transit states are identified as . .ports not assigned don't care values by the label The semantics of a definition in ISL is the finite state machine it constructs.A detailed discussion of ISL is presented in [3].

Example--Garbage Collector
In the system shown in Figure 1, consider the interface of the garbage collector.It follows a simple protocol where it waits for collect to be asserted and then after a finite interval asserts gc-active.gc(collect,gc-active)(M) -[; await collect/T; compute gc-active/F,M= garbage-collect(M)]* Scheme

Allocator
Garbage Collector  The ISL specification for the garbage collector is given above.Figure 3 shows the state machine for the garbage collector interface.

COMPLEMENTATION
In a system of interacting sequential components, no single component should be considered in isolation.A component must be specified in relation to its interaction with its surroundings.This interaction is typically specified by control and data signal interfaces.When isolating the single component, it is useful to view this isolation as an interaction between the component and a complement machine that abstracts the behavior of the environment.
Notice then that the complement of a machine should be identical to itself, except with its input and output ports reversed and the internal registers hidden.This might suggest that the notion of complementation is a trivial one, since the interaction of a machine and its complement is already 'fixed'.However, by generalizing the connectivity of input and output ports, or by considering an implementation of the complement machine, the resultant composed machine may exhibit other interest- ing kinds of behavior.
We define a function "gensym" that generates a new input(output) port name for an output(input) port name.Definition 3.2: Given a machine M (S, T, r, f, P, R, V) where P CI U CO UDI UDO, the complement machine (S, , r,f, , tb, V where is a set of new port names, one for each port in P. The set of transitions T {s _ s21s s 2 T and.Rename(2)} where 2(p') Rename (_P)(p') .(p)where p' P is the new port corresponding to p P. The "Rename" function creates an assignment function.gcorresponding to .such that the corresponding complementary ports have the same value.
The complement machine is constructed by creating a complementary set of ports with the same value on corresponding ports.It retains the sets of values, states, reset and final states, but its internal behavior is unspecified.The complement of the garbage collector is shown in Figure 3.

COMPOSITION
The composition operation creates a restricted product machine for a given set of port connections.The com- position operation on machines with respect to a particu- lar connection of their ports is used to construct a machine that behaves as the constituent machines ex- ecuting synchronously.The construction of the com- posed machine is similar to "lock-step cartesian product" in HOP [14].Composition only creates reachable states and transitions starting inductively from the start state.In each inductive step, the transitions in each machine that can "occur synchronously", are used to form a transition in the composed machine.The states that the machines reach after taking these transitions make up a state in the composed machine.This state is then used to compose transitions in the next inductive step of the construction.
Each equivalence class of/I/is called a net.Connecting input ports together creates an input net.All other combinations of port connections create output nets.Definition 4.4: Given machines M (S1, T 1, r 1, fl, P1, R 1, V) and M E ($2, T2, r2, f2, P2, RE, V2)and the net-list A/between P1 and P, the composed machine (M Mz)/v is constructively defined by (S, T, r, f, P, V) where P CI tO CO tO DI tO DO.Each equivalence class N of/1/ forms a port in the composed machine.It is represented as [p] where p N.
CI {N N contains no control output ports } CO {NI N contains at least one control output port } DI {N N contains no data output ports } DO (N N contains at least one data output port } Let-Pl2(P) =-Pl (P) if p P1 72 (P) if p P2 The set of states S and transitions T are constructed by the following inductive schema: 1.The start state of the composed machine r is (rl, r2). 2. The transition (q,s) (q',s') T and (q',s') S is reachable iff: , S i. qq' T lands-4 T2 ii. (q, s) S is reachable iii._#,-P2 are composable, that is, these exists Jl.J2... Jk such that a) care_,tO care_, C U [pj,] where the transition label for the composed machine is" ([fl]) =212(/9 if p care, t.J care_, # otherwise 3. (q, s) is a transit state if either q or s are transit states, otherwise it is a wait state.
If the final states of two interacting machines are reachable then we say that the composition of the two machines is safe.Both the machines must follow a correct protocol to reach their final states.The safety of the composed machine implies that there is some inter- action sequence between its constituent machines that leads to the final state of the composed machine.It does not imply that all possible interactions between the machines will reach the final state.We will prove that the composition of a machine M with its complement in which each port connected to its corresponding renamed port, results in a closed machine isomorphic to M. Theorem 4.1 Given a minimal deterministic machine M (S, T, r, f, P, R, where P CI t3 CO tO DI to DO and its complement machine (S, , r, f, , qb, and A/o is the port map obtained by connecting every port p P with its complementary port p' P. Let M o Then M o is a closed machine isomorphic to M.
[] Proof: The proof follows by induction on the length of the derivation of states and transitions in the construction of M o.The proof is given in the Appendix.
We have shown that a machine composed with its complement results in a closed machine isomorphic to itself.There is a one-to-one mapping between the states and transitions in M and M o.There is not state space explosion in the composed machine.The observable temporal behavior of the composed machine M o is the same as M. The composed machine is closed and self contained.Figure 4 shows the construction of the ma- chine composed using the garbage collector and its complement with every port connected with its com- plementary port.We can see that the composed machine (gc --)/vo is isomorphic to the original machine, and has no input ports.

IMPLEMENTATION
We would now like to explore relations over machines based on their input/output behavior.The sequence of transitions of a machine and the values associated with the ports in the machine for each transition are key to the implementation relations described in this section.Rela- tions over the reset/start states of the machines and the intermediate states along the sequence of transitions are used to describe a strong implementation (if_) relation and a weak path implementation (_Up) relation.
A one-to-one mapping of the ports in M and Ms is the basis for the inclusion relation over transition labels.Let Pl and Pe be ports in Mx and M s respectively.A map P Pe means Pl corresponds to p_ and the values on these ports can be compared.
Definition 5.7: The inclusion relation over transition labels with respect to a port map is defined as: "if1 '2 = for all p care.e,, Pe care.e,_Pl Pe and "l(Pl)-"/72(P2) The binary relation "simulated by" (r-) is a maximal relation over states, S C_ $1 Se, where S, Se are the sets of states in M, M2.Definition 5.8: A relation over states is a simulation relation if sl(r-)se implies: for all S "1 S l, there exists and s' s' [-2 $2 "if2 S' 2 such that_P <-f12 A machine M is implemented by (_) machine M 2 if every state in M is simulated by some state in M s, and the start state of M1 is simulated by the start state of M2.
Let r 1, r e be the start states of M1, Mz.Definition 5.9: The relation M implemented by M E (M ME) holds iff: r l"r 2 and for all s S there exists an s 2 S 2 such that s E s 2.

Path Implementation
Each path from the start state to the final state in the complement machine represents a valid sequence of interactions to complete a protocol.A machine can interact with an implementation of any interaction path of its complement machine.Decomposition of a component from a system is accomplished by incorporating the appropriate path implementation of the complement of the component into the description of the rest of the system.
A path implementation of a machine implements one of many protocols of the machine.It is a weaker relation than implementation which implements all protocols in a machine.Consider for example an arithmetic unit which employs different protocols for different operations (e.g.plus and divide).Such a device would have distinct complements for distinct protocols--we call these partial complements path complements because they character- ize different paths through the component's machine.
To define the path implementation relation we must first define the relation path simulates over states.The binary relation path simulates is a maximal relation over states, Sp S $2, where S1, S 2 are the sets of states in the two machines.S Up s2 implies four conditions (Definition 5.10).The intuition behind the first condition is that there are some transitions from both S and s2 that can interact and lead towards completion of the protocol.
The second condition states that all transitions from s and s2 that can interact lead to states in the path simulation relation.This assures us that the machines will always reach states in the path simulation relation.The third condition states that for all transitions with active control inputs from Sl, there is a corresponding transition from sz, with which it can interact and these transitions lead to states in the path simulation relation.The intuition behind the third condition is that all outgoing transitions with valid control inputs from a state must be preserved so that all expected inputs in the state can be captured.Condition four states that, if s is a wait state for a control input, then s2 must also be a wait state for the same control input, or s 2 must lead to a wait state for the same control input.Definition 5.10: A maximal relation over states (Sp C S1 $2) is a path simulation relation if Sl r-p s2 implies: 1. T(s) 4: d implies that there exist transitions s, s z sz such that_# < _P_ and s] ffp sz 1 S 2 2 2. For all transitions s 1.The reset state of M is path simulated by the reset state of M 2 (r Up r2).
2. The final state of M is path simulated by the final state of Me Up f2).
We use a simple example to illustrate path implemen- tation.The complement of a garbage collector cycle is transfoed into a path implementation.As shown in Figure 5, the wait loop labeled is removed from the st state.In the resulting machine, the st state has a transition, coesponding to a transition in , and the tget states for the transitions e also in the path simulation relation.Note that the wait transition in the tget state can not be removed because it has an outgoing transition with an active control input.
We will now show that the interaction between a machine and a path implementation of its complement is safe.This means the machines can complete a protocol from the respective start states to the respective final states, with valid control synchronization and data com- munication at each interaction step.Sequential decom- position involves embedding a path implementation of the complement of a component into the machine from which it is extracted.The theorems in this section provide a formal basis for sequential decomposition.
To prove the above mentioned result we must prove the composability of transition labels in the sequence of interactions between a machine and a path implementa- tion of its complement.Lemma 5.1 lf_P i, _j are transition labels and _# < ., then "ff i' "ff j are composable.
Proof: Proof by induction on the length of the derivation of states in the construction of M (see Appendix).
[] Using theorem 5.1, we can prove that a machine M composed with a path implementation of its complement M2 will result in a safe machine.Since the initial and final states of M M= correspond to initial and final states in M and M2 separately, we can infer from this theorem that a machine and a path implementation of its complement can complete a protocol.We have the following corollary: Theorem 5.2 Given a machine Mx and M2 that is path implemented by the complement of M 1, and a port map/1/  Pz, then M (M M2)A, is safe.
Proof: From the definition of path implementation and complementation, fl if-t, fz implies (fl, fz) is reachable in M, and from the definition ofpath simulation, M is safe. []

EXAMPLE--SCHEME MACHINE DECOMPOSITION
The Scheme Machine is a special-purpose computer for the Scheme programming language [23].Its instructions provide base primitives that are used by a run-time system to provide scheme primitives.We now consider the decomposition of a high-level behavioral specification of the Scheme machine into a scheme CPU, an allocator, and a garbage collector (as shown in Figure 1), by sequential decomposition of the scheme machine.
A fragment of the state diagram from the behavioral specification of the Scheme machine is shown in Figure 6.State diagrams provide a graphical representation for abstract behavioral specifications [24].
Our first task will be to decompose the allocator from the scheme machine based on its interface specification.The garbage collection procedure is embedded within the allocator interaction (Figure 6) and we factor it into the allocator as an internal procedure.
The ISL specification for the allocator is shown below: Allocator(alloc?, tag, size, avail, read-avail, gc-needed)(M) [await alloc?/T tag/obj-tag, size/obj-size; ((read-avail/T until alloc?/F avail/allocate(obj-tag obj-size M) fl (gc-needed/T until alloc?/FM/gc(M) ))]* gc (M)_ "ava1 / fr-P// FIGURE  The state diagram for the allocator is shown in Figure 7.An implementation of an interaction path of the complement of the allocator can be embedded in the scheme machine, in place of the sequence of transitions for allocation interaction in the scheme machine specification (Figure 6).Since the garbage collection proce- dure is factored into the allocator as an internal procedure, it is not considered in the complement.The source state of the replaced sequence of transitions is merged with the start state of the path implementation [3].
Similarly the target state for the sequence of transitions for allocator interaction is merged with the final state.Figure 8 shows the embedding of a path implementation of the allocator replacing one of the sequence of transi- tions for allocator interaction shown in Figure 6.Assuming that there is a path from the target state to the source state of the replaced sequence of transitions, the resulting scheme machine description is a path implementation of Allocator, since all transitions in the path can be folded into the target state by hiding all names that are not connected with the allocator.The ports in Allocator (alloc?, tag, size, avail, read-avail, gc-needed) are added to the scheme CPU.The next step in the derivation is to factor the garbage collector from the allocator.The path implementation of the garbage collector cycle (Figure 5) is then embedded into the allocator by replacing the transition labeled go(M) (Figure 9).The source state and target state of the replaced sequence of transitions are respectively merged with the start state and final state of the path implemen- tation.The ports in gc (collect, gc-active) are added to the allocator.
We decomposed the Scheme machine into a Scheme CPU and an allocator, and then factored a garbage collector from the allocator.Embedding an implementa- tion of a component into another introduces control synchronization and data communication mechanism between the components for correct interactions between them.The decomposed components cin now be synthesized independently. 7. CONCLUSION Design of a hardware system involves both top-down and bottom-up reasoning.Our emphasis here has been on top-down derivation to promote it as an alternative to the bottom-up verification techniques.Compared to system synthesis methods, derivation allows a designer greater control over system decomposition and the realization of the components, without the use of special-purpose hardware or restrictions on interactions.We start from an initial abstract description of the system and add details to the description in decomposition steps.Decomposition is accomplished by factoring a procedure to a sequential machine that performs the procedure.With each such transformation step the designer extracts a sequential component from the system and incorporates an implementation of the complement of that component's inter- face description into the system.Communication be- tween components is modeled as values over connected ports.Other forms of communication, such as using buffers, shared storage, bidirectionality, must be modeled explicitly.The components in the system can be synthesized independently.
The Scheme machine provided a real example for our decomposition method.We use sequential decomposi- tion to decompose a scheme system into a scheme CPU, an allocator, and a garbage collector with non-trivial interactions between the components.We show that a machine interacting with its complement results is a closed machine that is isomorphic to the original ma- chine, and that a machine interacting with an implementation of its complement results in a safe interaction.

FIGURE
FIGURE

FIGURE 3
FIGURE 3 Garbage collector (a) and its complement (b).

Definition 4 . 5 :
The composed machine (M Mz)/v is considered safe if the state .(f,f2)is reachable, unsafe otherwise.4.1 Machine Isomorphism Definition 4.6: Two machines Mt and M 2 are isomorphic if M and M 2 have isomorphic sets of states and transitions.

FIGURE 4
FIGURE 4 Composition of the garbage collector and its complement.

FIGURE 5
FIGURE 5 Path implementation of complement of gc.

FIGURE 6
FIGURE 6 Fragment from Scheme Machine Specification

FIGURE 8
FIGURE 8 Embedding path implementation of complement of Allocator in Scheme Machine.

FIGURE 9
FIGURE 9 Embedding path implementation of complement of gc in Allocator.