

**THÈSE POUR OBTENIR LE GRADE DE DOCTEUR  
DE L'UNIVERSITÉ DE MONTPELLIER**

**En Informatique**

**École doctorale : Information, Structures, Systèmes**

**Unité de recherche LIRMM**

**Vérification d'une méthodologie pour la conception de systèmes  
numériques critiques**

**Présenté par Vincent IAMPIETRO**

**Le Date de la soutenance**

**Sous la direction de David Delahaye  
et David Andreu**

**Devant le jury composé de**

|                               |               |
|-------------------------------|---------------|
| [Nom Prénom], [Titre], [Labo] | [Statut jury] |
| [Nom Prénom], [Titre], [Labo] | [Statut jury] |
| [Nom Prénom], [Titre], [Labo] | [Statut jury] |



**UNIVERSITÉ  
DE MONTPELLIER**



## *Acknowledgements*

The acknowledgments and the people to thank go here, don't forget to include your project advisor...



# Contents

|                                                                                |            |
|--------------------------------------------------------------------------------|------------|
| <b>Acknowledgements</b>                                                        | <b>iii</b> |
| <b>1 <math>\mathcal{H}</math>-VHDL: a target hardware description language</b> | <b>1</b>   |
| 1.1 Presentation of the VHDL language . . . . .                                | 1          |
| 1.2 Choosing a formal semantics for VHDL . . . . .                             | 1          |
| 1.3 Abstract syntax for $\mathcal{H}$ -VHDL . . . . .                          | 1          |
| 1.3.1 Design declaration . . . . .                                             | 1          |
| 1.3.2 Concurrent statements . . . . .                                          | 2          |
| Process statement . . . . .                                                    | 2          |
| Component instantiation statement . . . . .                                    | 2          |
| 1.3.3 Sequential statements . . . . .                                          | 3          |
| 1.3.4 Expressions, names and types. . . . .                                    | 3          |
| 1.3.5 Examples of $\mathcal{H}$ -VHDL abstract syntax . . . . .                | 4          |
| 1.4 Preliminary definitions . . . . .                                          | 6          |
| 1.4.1 Semantic domains . . . . .                                               | 6          |
| 1.4.2 Elaborated design and design state . . . . .                             | 6          |
| 1.5 Elaboration rules . . . . .                                                | 8          |
| 1.5.1 Design elaboration . . . . .                                             | 9          |
| 1.5.2 Generic clause elaboration . . . . .                                     | 10         |
| 1.5.3 Port clause elaboration . . . . .                                        | 11         |
| 1.5.4 Architecture declarative part elaboration. . . . .                       | 11         |
| 1.5.5 Type indication elaboration. . . . .                                     | 12         |
| 1.5.6 Behavior elaboration . . . . .                                           | 13         |
| Elaboration of concurrent statements . . . . .                                 | 13         |
| Process elaboration. . . . .                                                   | 13         |
| Process declarative part elaboration. . . . .                                  | 14         |
| Component instantiation elaboration. . . . .                                   | 14         |
| 1.5.7 Implicit default value. . . . .                                          | 15         |
| 1.5.8 Typing relation. . . . .                                                 | 15         |
| 1.5.9 Static expressions. . . . .                                              | 16         |
| Locally static expressions. . . . .                                            | 16         |
| Globally static expressions. . . . .                                           | 16         |
| 1.5.10 Valid port map. . . . .                                                 | 16         |
| 1.5.11 Valid sequential statements. . . . .                                    | 19         |
| Well-typed signal assignment. . . . .                                          | 20         |
| Well-typed variable assignment. . . . .                                        | 20         |

|                                                                     |           |
|---------------------------------------------------------------------|-----------|
| Well-typed if statements . . . . .                                  | 20        |
| Well-typed loop statement . . . . .                                 | 21        |
| Well-typed rising and falling edge blocks . . . . .                 | 21        |
| Well-typed rst blocks . . . . .                                     | 21        |
| Well-typed null statement . . . . .                                 | 21        |
| <b>1.6 Simulation rules . . . . .</b>                               | <b>21</b> |
| <b>1.6.1 Full Simulation . . . . .</b>                              | <b>21</b> |
| <b>1.6.2 Simulation loop. . . . .</b>                               | <b>23</b> |
| <b>1.6.3 Simulation cycle. . . . .</b>                              | <b>23</b> |
| <b>1.6.4 Initialization rules . . . . .</b>                         | <b>24</b> |
| Evaluation of a process statement . . . . .                         | 24        |
| Evaluation of a component instantiation statement . . . . .         | 24        |
| Evaluation of the composition of concurrent statements . . . . .    | 25        |
| <b>1.6.5 Clock phases rules . . . . .</b>                           | <b>25</b> |
| Evaluation of a process statement . . . . .                         | 25        |
| Evaluation of a component instantiation statement . . . . .         | 26        |
| Evaluation of the composition of concurrent statements . . . . .    | 27        |
| <b>1.6.6 Stabilization rules . . . . .</b>                          | <b>27</b> |
| Evaluation of a process statement . . . . .                         | 27        |
| Evaluation of a component instantiation statement . . . . .         | 28        |
| Evaluation of the composition of concurrent statements . . . . .    | 28        |
| <b>1.6.7 Evaluation of input and output port maps . . . . .</b>     | <b>28</b> |
| <b>1.6.8 Evaluation of sequential statements . . . . .</b>          | <b>30</b> |
| Signal assignment statement . . . . .                               | 30        |
| Variable assignment statement . . . . .                             | 30        |
| If statement . . . . .                                              | 31        |
| Loop statement . . . . .                                            | 31        |
| Rising and falling edge block statements . . . . .                  | 31        |
| Rst block statement . . . . .                                       | 32        |
| Composition of sequential statements and null statement . . . . .   | 32        |
| <b>1.6.9 Evaluation of expressions . . . . .</b>                    | <b>32</b> |
| <b>A The place design in concrete and abstract VHDL syntax</b>      | <b>35</b> |
| <b>B The transition design in concrete and abstract VHDL syntax</b> | <b>39</b> |
| <b>Bibliography</b>                                                 | <b>43</b> |

# List of Figures



# List of Tables

|                                                                |   |
|----------------------------------------------------------------|---|
| 1.1 The <i>type</i> and <i>value</i> semantical types. . . . . | 6 |
|----------------------------------------------------------------|---|



# List of Abbreviations

|              |                                                                   |
|--------------|-------------------------------------------------------------------|
| <b>SITPN</b> | Synchronously executed Interpreted Time Petri Net with priorities |
| <b>VHDL</b>  | Very high speed integrated circuit Hardware Description Language  |
| <b>PCI</b>   | Place Component Instance                                          |
| <b>TCI</b>   | Transition Component Instance                                     |
| <b>GPL</b>   | Generic Programming Language                                      |
| <b>HDL</b>   | Hardware Description Language                                     |
| <b>LRM</b>   | Language Reference Manual                                         |



*For/Dedicated to/To my...*



## Chapter 1

# $\mathcal{H}$ -VHDL: a target hardware description language

- Make a remark on the notation of design states, e.g.  $\mathcal{E}''$  refers to the set of events of design state  $\sigma''$  when there is no ambiguity.
- Two points of view to consider the semantics of VHDL: simulation or synthesis. Simulation described in the LRM; synthesis, problem is that there are no standard, unlike Verilog (cite Verilog standard synthesis semantics).

### 1.1 Presentation of the VHDL language

### 1.2 Choosing a formal semantics for VHDL

### 1.3 Abstract syntax for $\mathcal{H}$ -VHDL

In this section, we describe the abstract syntax of  $\mathcal{H}$ -VHDL, the subset of VHDL covering all the constructs present in the generated  $\mathcal{H}$ -VHDL programs. Terminals of the language will be written in typewriter font, or will be enclosed in simple quotes for symbols with no typewriter representation. The  $a^*$  denotes a possibly empty repetition of the element  $a$ ; the  $a^+$  denotes a non-empty repetition of  $a$ .

#### 1.3.1 Design declaration

As in [5], we define the *design* construct in the  $\mathcal{H}$ -VHDL's abstract syntax which has no equivalent in the concrete syntax of VHDL.

```

design ::= design ide ida gens ports sigs cs
gens   ::= gdecl*
ports  ::= pdecl*
sig    ::= sdecl*
```

```

gdecl ::= (ide, τ, e)
pdecl ::= ((in | out), ida, τ)
sdecl ::= (id, τ)

```

In the above entry,  $\text{id}_e$  indicates the entity identifier and  $\text{id}_a$  the architecture identifier of the declared design. The  $\text{gens}$  entry corresponds to the generic clause, i.e. the declaration list for the generic constants of the design. A generic constant is declared via the  $\text{gdecl}$  entry; it generic constant declaration is a triplet composed of a generic constant identifier, a type indication and an expression denoting its default value. The  $\text{ports}$  entry holds the declaration of the input and output ports of the design. A port declaration (i.e. the  $\text{pdecl}$  entry) is a triplet composed of a port type, i.e.  $\text{in}$  or  $\text{out}$ , a port identifier, and a type indication. The  $\text{signals}$  entry is the list declaring the internal signals of the design. An internal signal declaration entry (i.e.  $\text{sdecl}$ ) is a couple composed of a signal identifier and a type indication. The  $\text{cs}$  entry represents the concurrent statements composing the behavior of the design.

### 1.3.2 Concurrent statements

```
cs ::= psstmt | cistmt | cs || cs | null
```

In  $\mathcal{H}$ -VHDL, two kinds of concurrent statements are available to describe the behavior of a design: process statements, represented by the  $\text{psstmt}$  entry, and component instantiation statements, represented by the  $\text{cistmt}$  entry. Concurrent statements are composable through the  $\parallel$  operator. We add the  $\text{null}$  statement to help represent empty behaviors.

#### Process statement

```

psstmt ::= process (idp, sl, vars, ss)
sl      ::= id*
vars    ::= vdecl*
vdecl   ::= (id, τ)

```

A process statement declares a sensitivity, i.e. the  $\text{sl}$  entry, which is a list of signal identifiers. In order to be well-formed, the signals of a sensitivity list must be either internal signals or input ports of the design. The process possibly declares a set internal variables, i.e. the  $\text{vars}$  entry. A variable declaration entry is a couple composed of a variable identifier and a type indication. The  $\text{ss}$  entry represents the sequence of statements composing the body of the process, i.e. the part that will be executed during the simulation.

#### Component instantiation statement

The identifier  $\text{id}_c$  represents the name of component instance. Identifier  $\text{id}_e$  points out the name of the design, i.e. the entity identifier, being instantiated here. The  $\text{gmap}$  entry describes the list of associations between generic constant identifiers and expressions. The  $\text{ipmap}$  entry is the

---

```

cistmt ::= comp (idc, ide, gmap, ipmap, opmap)
gmap ::= assocg*
ipmap ::= associp*
opmap ::= assocop*
assocg ::= (id, e)
associp ::= (name, e)
assocop ::= (id, (name | open)) | (id(e), name)

```

list of associations between input port identifiers (or indexed identifiers) and expressions. The opmap entry is the list of associations between output port identifiers (or indexed identifiers) and signal names, or the open keyword. Associating the open keyword with an output port identifier in an output port pmap indicates that the port is not connected.

### 1.3.3 Sequential statements

```

ss ::= name <= e | name := e | if (e) ss [ss] | for (id, e, e) ss
      | falling ss | rising ss | rst ss ss' | ss; ss | null

```

The ss entry defines the sequential statements that compose the body of processes. The signal assignment statement is represented with the  $\Leftarrow$  operator; the variable assignment statement with the  $:$ = operator. Among the control flow statements, the falling statement (resp. rising ss) declares a block of sequential statements to be executed only at the falling edge (resp. rising edge) of the clock signal (see Section 1.6.5). Also, the rst statement declares two blocks, the first one must be executed during the initialization phase of the simulation; otherwise, the second one is executed (see Section 1.6.4).

### 1.3.4 Expressions, names and types.

```

e ::= e and e | e or e | not e | e = e | e ≠ e
      | e < e | e <= e | e > e | e >= e | e + e | e - e
      | name | natural | boolean | (e+)

```

```

name ::= id | id( e )
boolean ::= true | false
τ ::= boolean | natural (e, e) | array (τ, e, e)

```

The expression entry declares a set of operators over Boolean expressions, and natural numbers expressions. The natural non-terminal represents the set of natural numbers ( $\mathbb{N}$ ). The id non-terminal represents the set of identifiers, comparable to the set of strings, or any infinitely enumerable set. In what follows, identifiers will be enclosed in double quotes at the time of their declaration, and they will appear without double quotes when used in expressions.

### 1.3.5 Examples of $\mathcal{H}$ -VHDL abstract syntax

Listing 1.1 gives the translation in abstract  $\mathcal{H}$ -VHDL syntax of the declarative part of the transition design presented in Listings ?? and ?? in concrete VHDL syntax.

```

1  design "transition" "transition_architecture"
2    -- Generic clause
3    (("transition_type", natural(0, 2), 0),
4     ("input_arcs_number", natural(0, NATMAX), 1),
5     ("conditions_number", natural(0, NATMAX), 1),
6     ("maximal_time_counter", natural(0, NATMAX), 1))
7
8    -- Port clause
9    ((in, "input_conditions", array(boolean, 0, conditions_number-1)),
10   (in, "time_A_value", natural(0, maximal_time_counter)),
11   (in, "time_B_value", natural(0, maximal_time_counter)),
12   (in, "input_arcs_valid", array(boolean, 0, input_arcs_number-1)),
13   (in, "reinit_time", array(boolean, 0, input_arcs_number-1)),
14   (in, "priority_authorizations", array(boolean, 0, input_arcs_number-1)),
15   (out, "fired", boolean))
16
17    -- Internal signals
18    (("s_condition_combination", boolean),
19     ("s_enabled", boolean),
20     ...
21     ("s_time_counter", natural(0, maximal_time_counter)))
22
23    -- Concurrent statements
24    CS

```

LISTING 1.1: The transition design's declarative parts in abstract  $\mathcal{H}$ -VHDL syntax.

In Listing 1.1, the type indication of the “`transition_type`” generic constant has been transformed from the `temporal_t` enumeration type to the `natural(0, 2)` type. The `temporal_t` enumeration type, defined through the three values {`NOT_TEMPORAL`, `TEMPORAL_A_A`, `TEMPORAL_A_B`}, is naturally transformed into a natural range. This transformation is only valid because the `temporal_t` type is only defined and used in the transition design which has a static behavior. Also, the `std_logic` type defined in the VHDL Std Logic 1164 library [4] is transformed into the Boolean type, and the `std_logic_vector` is transformed into the array of Booleans type. This transformation is valid because, in the transition and place designs and also in the generated designs, we are only referring to the values ‘0’ and ‘1’ among all the values enumerated by the `std_logic` type (see [4, p. 2]). Also, note that the `clock` and `reset_n` input ports declared in the port clause of the transition design are removed in the hvhdl version. In the  $\mathcal{H}$ -VHDL abstract syntax, the if statements that were testing the value of the `clock` and the `reset_n` signals have been turned into specific sequential statements (i.e `rst`, `falling` and `rising` blocks). Thus, we don't need the `clock` and `reset_n` signals in the port declaration list anymore.

Listing 1.2 presents the translation in  $\mathcal{H}$ -VHDL abstract syntax of the two of the processes presented in Listing ??.

```

1  process ("condition_evaluation",("input_conditions"),
2          ("v_internal_condition",boolean)),
3      v_internal_condition :=  $\top$ ;
4      (for ("i",0,conditions_number - 1)
5          (v_internal_condition := v_internal_conditions and input_conditions(i)));
6      s_condition_combination  $\Leftarrow$  v_internal_condition
7      ) ||
8  process ("firable",("clk"), $\emptyset$ ,
9          rst (s_firable  $\Leftarrow$   $\perp$ )
10         (falling (s_firable  $\Leftarrow$  s_firing_condition))
11     )

```

LISTING 1.2: The condition\_evaluation and firable processes in  $\mathcal{H}$ -VHDL abstract syntax. The two processes are defined in the behavior of the transition design.

In Listing 1.2, inner blocks of sequential statements are enclosed between parentheses to ease the reading, albeit parentheses are not part of the  $\mathcal{H}$ -VHDL syntax. The body of the firable process gives an example of the use of a `rst` block and a `falling` block. One can see, from the comparison of Listing ?? and 1.2, that a `rst ss ss'` statement is the translation of the concrete VHDL statement `if reset_n = '0' then ss else ss' endif;`. Comparing the same listings, a `falling ss` statement is the translation of the concrete VHDL statement `if falling_edge(clock) then ss end if;`.

Listing 1.3 shows the translation in  $\mathcal{H}$ -VHDL abstract syntax of the component instantiation statement laid out in Listing ??.

```

1  comp (idt, "transition",
2      -- Generic map
3      (transition_type  $\Rightarrow$  0,
4       input_arcs_number  $\Rightarrow$  1,
5       conditions_number  $\Rightarrow$  1,
6       maximal_time_counter  $\Rightarrow$  1),
7      -- Input port map
8      (time_A_value  $\Rightarrow$  0,
9       time_B_value  $\Rightarrow$  0,
10      input_conditions(0)  $\Rightarrow$  id0,
11      input_arcs_valid(0)  $\Rightarrow$  id1,
12      priority_authorizations(0)  $\Rightarrow$   $\top$ ,
13      reinit_time(0)  $\Rightarrow$  id2),
14      -- Output port map
15      (fired  $\Rightarrow$  id3)

```

LISTING 1.3: An example of instantiation of the transition design in  $\mathcal{H}$ -VHDL abstract syntax.

The statement of Listing 1.3 is almost similar to the one of Listing ?? . The NOT\_TEMPORAL value associated to the transition\_type constant is turned into 0 (remember the temporal\_t enumeration type is transformed into a natural range).

## 1.4 Preliminary definitions

### 1.4.1 Semantic domains

Let  $id$  denote the set of identifiers in the semantic domain. We write  $prefix\text{-}id$  to denote arbitrary subsets of the  $id$  set. The  $type$  and  $value$  semantical types are defined as follows:

```

 $type ::= \text{bool} \mid \text{nat}(\text{nat},\text{nat}) \mid \text{array } (type,\text{nat},\text{nat})$ 
 $value ::= \text{bool} \mid \text{nat} \mid \text{array}$ 
 $\text{bool} ::= \text{'T'} \mid \text{'L'}$ 
 $\text{nat} ::= 0 \mid 1 \mid \dots \mid \text{NATMAX}$ 
 $\text{array} ::= (\text{value}^+)$ 

```

TABLE 1.1: The  $type$  and  $value$  semantical types.

In Table 1.1, the  $type$  type is in any way similar to the  $\tau$  entry of the abstract syntax, however, all constraint bounds in the  $\text{nat}$  and  $\text{array}$  types have been evaluated to natural numbers. NATMAX denotes the maximum value for a natural number. The NATMAX value depends on the implementation of the VHDL language; NATMAX must at least be equal to  $2^{31} - 1$ . Note that the  $array$  value contains at least one value as an array's index range contains at least one index (that is index 0).

**Notation 1** (Partial functions). *Here, we present our notations pertaining to partial functions:*

- *The  $\rightarrowtail$  arrow denotes a partial function.*
- *The  $\rightarrow$  denotes an application (i.e, a total function).*
- *For all  $f \in A \rightarrowtail B$ ,  $x \in f$  states that  $x$  is in the domain of function  $f$ .*
- *For all  $f \in A \rightarrowtail B$  and  $g \in A \rightarrowtail C$ ,  $f \subseteq g$  states that the domain of  $f$  is a subset of the domain of  $g$ .*
- *For all  $X \subset A$  and  $f \in A \rightarrowtail B$ ,  $X \subseteq f$  states that  $X$  is a subset of the domain of  $f$ .*

### 1.4.2 Elaborated design and design state

Now, let us define the structure of an elaborated design which is a structure bound to a given  $\mathcal{H}$ -VHDL design and to a design store, i.e a global environment mapping identifiers to  $\mathcal{H}$ -VHDL designs. Only the designs referenced into the global design store can be instantiated as component instances in the behavior of a given design. The elaborated design structure is built

during the elaboration phase (see Section 1.5). Then, the elaborated design will act as a runtime environment in the expression of the simulation rules. Let  $ElDesign(d, \mathcal{D})$  be the set of the elaborated designs for a given  $\mathcal{H}$ -VHDL design  $d$  and a design store  $\mathcal{D}$ . An elaborated design is a composite environment built out of multiple sub-environments. Each sub-environment is a table, represented as a partial function, mapping identifiers of a certain category of constructs (e.g, input port identifiers) to their declaration information (e.g, type indication for input ports). We represent an elaborated design as a record where the fields are the sub-environments. An elaborated design is defined as follows:

**Definition 1** (Elaborated Design). *For a given  $\mathcal{H}$ -VHDL design  $d \in \text{design}$  s.t.  $d = \text{design id}_a \text{ gens ports sigs behavior}$  and a given design store  $\mathcal{D} \in \text{entity-id} \rightarrow \text{design}$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D})$  is a record  $\langle Gens, Ins, Outs, Sigs, Ps, Comps \rangle$  where:*

- $Gens \in \text{generic-id} \rightarrow (\text{type} \times \text{value})$  where  $\text{generic-id} = \{id \mid (id, \tau, e) \in \text{gens}\}$ , is the partial function yielding the type and the value of generic constants.
- $Ins \in \text{input-id} \rightarrow \text{type}$  where  $\text{input-id} = \{id \mid (\text{in}, id, \tau) \in \text{ports}\}$ , is the partial function yielding the type of input ports.
- $Outs \in \text{output-id} \rightarrow \text{type}$  where  $\text{output-id} = \{id \mid (\text{out}, id, \tau) \in \text{ports}\}$ , the partial function yielding the type of output ports.
- $Sigs \in \text{declared-signal-id} \rightarrow \text{type}$  where  $\text{declared-signal-id} = \{id \mid (id, \tau) \in \text{sigs}\}$ , the partial function yielding the type of declared signals.
- $Ps \in \text{process-id} \rightarrow (\text{variable-id}(id_p) \rightarrow (\text{type} \times \text{value}))$  where  $\text{process-id} = \{id_p \mid \text{process}(id_p, sl, vars, ss) \in \text{behavior}\}$ , the partial function associating processes to their local environment. Local environments are functions mapping local variable identifiers to their corresponding type and value. Therefore, each set of local variable identifiers  $\text{variable-id}(id_p)$  depends on the process identifier (represented by  $id_p$ ) passed as the first argument of the  $Ps$  function.
- $Comps \in \text{component-id} \rightarrow ElDesign(d_e, \mathcal{D})$ , where  $\text{component-id} = \{id_c \mid \text{comp}(id_c, id_e, gm, ipm, opm) \in \text{behavior}\}$ , the partial function mapping component instance ids to their elaborated design version. The set  $ElDesign(d_e, \mathcal{D})$  depends on the design  $d_e$  from which the component identifier  $id_c$ , passed as the first argument of the  $Comps$  function, is an instance. Design  $d_e$  is retrieved from the design store  $\mathcal{D}$  s.t.  $d_e = \mathcal{D}(id_e)$ .

We assume that there are no overlapping between the identifiers of the sub-environments (i.e, an identifier belongs to at most one sub-environment). When there is no ambiguity, we write  $\Delta(x)$  to denote the value returned for identifier  $x$ , where  $x$  is looked up in the appropriate field of  $\Delta$ . We write  $x \in \Delta$  to state that identifier  $x$  is defined in one of  $\Delta$ 's fields. We note  $\Delta(x) \leftarrow v$  the overriding of the value associated to identifier  $x$  with value  $v$  in the appropriate field of  $\Delta$ ,  $\Delta \cup (x, v)$  to note the addition the mapping from identifier  $x$  to value  $v$  in the appropriate field of  $\Delta$ , that assuming  $x \notin \Delta$ . We write  $x \in \mathcal{F}(\Delta)$ , where  $\mathcal{F}$  is a field of  $\Delta$ , when more precision is needed regarding the lookup of identifier  $x$  in the record  $\Delta$ .

Let  $\Sigma(\Delta)$  be the set of design states for a given elaborated design  $\Delta$ . A design state of  $\Delta$  is defined as follows:

**Definition 2** (Design state). A *design state*  $\sigma \in \Sigma(\Delta)$ , for a given design  $d \in \text{design}$ , a given design store  $\mathcal{D}$  and an elaborated design  $\Delta \in \text{ElDesign}(d, \mathcal{D})$ , is a record  $\langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle$  where:

- $\mathcal{S} \in \text{signal-id} \rightarrow \text{value}$ , the partial function yielding the current values of the design's signals (ports and declared signals).
- $\mathcal{C} \in \text{component-id} \rightarrow \Sigma(\Delta_c)$ , the partial function yielding the current state of design's component instances, where  $\Delta_c = \Delta(id_c)$  and  $id_c \in \text{component-id}$  is the component identifier passed to function  $C$ .
- $\mathcal{E} \subseteq \text{signal-id} \sqcup \text{component-id}$ , the set of signal and component instance identifiers that generated an event at the considered design state.

The *signal-id* subset is the disjoint union of *input-id*, *output-id* and *declared-signal-id*. We use  $\sigma(id)$  to denote the value associated to an identifier in the signal store  $\mathcal{S}$  or in the component store  $\mathcal{C}$  fields. When there is no ambiguity, we write  $id \in \sigma$  to state that an identifier is defined in either the signal store  $\mathcal{S}$  or the component store  $\mathcal{C}$  fields. Also, when there is no ambiguity, we rely on indices or exponents to qualify the signal store, the component instance store and the set of events of a given design state. For instance,  $\mathcal{C}_0$  denotes the component instance store of design state  $\sigma_0$ , and  $\mathcal{E}'$  denotes the set of events of design state  $\sigma'$ , etc.

**Notation 2** (No events design state). For a given  $\mathcal{H}$ -VHDL design  $d$ , a design store  $\mathcal{D}$ , and an elaborated design  $\Delta \in \text{ElDesign}(d, \mathcal{D})$ , the function  $\text{NoEv} \in \Sigma(\Delta) \rightarrow \Sigma(\Delta)$  returns a design state similar to the one passed in parameter only with an empty set of events. I.e, for all design state  $\sigma \in \Sigma(\Delta)$  s.t.  $\sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle$ ,  $\text{NoEv}(\sigma) = \langle \mathcal{S}, \mathcal{C}, \emptyset \rangle$ .

## 1.5 Elaboration rules

The goal of the elaboration phase is to build an elaborated design  $\Delta$  along with a *default* state  $\sigma_e$ , out of a  $\mathcal{H}$ -VHDL design  $d$ . The elaboration relation also covers type-checking operations for the declarative and behavioral parts of design  $d$ . Even though the elaboration of a design is described in the LRM, the formalization of this phase has been performed in few works only [1, 2, 5], and never in a setting that covers both syntactical well-formedness and type-checking of the designs. We are interested in the formalization of the elaboration phase because we are interested in the *well-formedness* of the programs generated by the HILECOP transformation. Here, the term well-formedness refers to a syntactically valid design, w.r.t. the syntactic rules of the VHDL language, and to a well-typed design, w.r.t. the typing rules defined in the LRM. Formalizing the elaboration phase is also a way to define how the runtime environment and the runtime state of the simulation are built. For now, we haven't tackle down the proof that the  $\mathcal{H}$ -VHDL designs generated by HILECOP are elaborable, i.e. syntactically well-formed and well-typed. As explained in Chapter ??, this task is foreseen in our work perspectives. Contrary to what is prescribed in the LRM [3, p. 166], we are not dealing with the transformation of the component instantiation statements into block statements in our formalization of the elaboration phase. We prefer to preserve the hierarchical structure of the design (i.e. its

composite structure) during its elaboration. We argue that dealing with component instantiation statements instead of block statements does not complexify the semantics of the  $\mathcal{H}$ -VHDL simulation rules.

In the following sections describing the elaboration and the simulation rules of the  $\mathcal{H}$ -VHDL semantics, the green frames adds explanations about the premises of the rules and the ref frames brings explanations about the side conditions of the rules.

### 1.5.1 Design elaboration

Component instances possibly define the behavior of a design. Each component instance declares the entity identifier that points out to the specific design being instantiated. Therefore, for each instantiation, the associated design must be known through the definition of a global design declaration environment called a *design store*. A design store is defined as follows:

**Definition 3** (Design store). *A design store  $\mathcal{D} \in \text{entity-id} \rightarrow \text{design}$  is the partial function mapping design identifiers (i.e. the entity identifier of designs) to their corresponding representation in abstract syntax. As a prerequisite to the elaboration of HILECOP-generated designs (i.e, resulting from the transformation of a SITPN into an  $\mathcal{H}$ -VHDL design), a particular design store  $\mathcal{D}_{\mathcal{H}}$  is defined. Design store  $\mathcal{D}_{\mathcal{H}}$  holds the description of the place and transition designs which full definition in abstract syntax are given in Appendices A and B.*

At the beginning of the elaboration phase, a function  $\mathcal{M}_g \in \text{generic-id} \rightarrow \text{value}$  mapping the top-level design's generic constants to values is passed as an element of the environment. The  $\mathcal{M}_g$  function is referred to as the *dimensioning* function.

$$\begin{array}{c}
 \text{DESIGNELAB} \\
 \Delta_{\emptyset}, \mathcal{M}_g \vdash \text{gens} \xrightarrow{\text{egens}} \Delta \\
 \Delta, \sigma_{\emptyset} \vdash \text{ports} \xrightarrow{\text{eports}} \Delta', \sigma \\
 \Delta', \sigma \vdash \text{sigs} \xrightarrow{\text{esigs}} \Delta'', \sigma' \\
 \hline
 \mathcal{D}, \Delta'', \sigma' \vdash \text{cs} \xrightarrow{\text{ebeh}} \Delta''', \sigma'' \\
 \hline
 \mathcal{D}, \mathcal{M}_g \vdash \text{design id}_e \text{ id}_a \text{ gens ports sigs cs} \xrightarrow{\text{elab}} \Delta''', \sigma'' 
 \end{array}$$

where  $\Delta_{\emptyset}$  denotes an empty elaborated design, that is an elaborated design initialized with empty fields (empty tables). In the same manner,  $\sigma_{\emptyset}$  denotes an empty design state. The effect of the *egens*, *eports*, *esigs* and *ebeh* that respectively deal with the elaboration of the generic constants, the ports, the architecture declarative part and the behavioral part of the design, are explicated in the following sections. To give an example, the elaborated design and the default design state resulting of the elaboration of the transition design for the given dimensioning function  $\mathcal{M}$  are the presented through the following  $\Delta$  and  $\sigma_e$  structures:

$$\mathcal{M} := \{ ("transition\_type", 2), ("input\_conditions", 2), ("input\_arcs\_number", 4) \}$$

$$\begin{aligned} \Delta := & \{ \\ & Gens := \{ ("transition\_type", (\text{nat}(0,2), 2)), \\ & \quad ("input\_conditions", (\text{nat}(0, \text{NATMAX}), 2)) \\ & \quad ("input\_arcs\_number", (\text{nat}(0, \text{NATMAX}), 4)) \\ & \quad ("maximal\_time\_counter", (\text{nat}(0, \text{NATMAX}), 1)))\}, \\ & Ports := \{ ("transition\_type", (\text{nat}(0,2), 2)), \\ & \quad ("input\_conditions", (\text{nat}(0, \text{NATMAX}), 2)) \\ & \quad ("input\_arcs\_number", (\text{nat}(0, \text{NATMAX}), 4)) \\ & \quad ("maximal\_time\_counter", (\text{nat}(0, \text{NATMAX}), 1)))\}, \\ & \} \end{aligned}$$

### 1.5.2 Generic clause elaboration

The  $egens$  relation elaborates a list of generic constant declarations.

#### Premises

- $etyp_{id_g}$  transforms a type indication, specifically attached to a generic constant declaration, into a *type* instance and checks its well-formedness (see Section 1.5.5).
- The  $e$  relation links an expression  $e$  to its value  $v$  in a given context (see Section 1.6.9). The context of evaluation for an expression is composed of a given elaborated design, a given design state, and given local environment. We omit symbols at the left of the thesis when they refer to empty structures. For instance,  $\vdash e \xrightarrow{e} v$  is a notation for  $\Delta_\emptyset, \sigma_\emptyset, \Lambda_\emptyset \vdash e \xrightarrow{e} v$ .
- $SE_l$  states that an expression is *locally static* (see Section 1.5.9).
- $v \in_c T$  and  $\mathcal{M}(id_g) \in_c T$  checks that the default value and the value of yielded by the dimensioning function belongs to the type of the declared generic constant (see Section 1.5.8).

#### Side conditions

The expression  $id_g \in \Delta$  checks that the generic constant identifier  $id_g$  is not already defined in the *Gens* sub-environment of the elaborated design  $\Delta$ .

GENELABDIMEN

$$\frac{\vdash \tau \xrightarrow{etyp_{id_g}} T \quad \vdash e \xrightarrow{e} v \quad SE_l(e) \quad \mathcal{M}(id_g) \in_c T \quad v \in_c T \quad id_g \notin \Delta}{\Delta, \mathcal{M} \vdash (id_g, \tau, e) \xrightarrow{egens} \Delta \cup (id_g, (T, \mathcal{M}(id_g))) \quad id_g \in \mathcal{M}}$$

The GENELABDEFAULT states that the value of declared generic constant is defined by its default value when no value is specified by the dimensioning function  $\mathcal{M}$ .

$$\text{GENELABDEFAULT} \quad \frac{\vdash \tau \xrightarrow{etypg} T \quad \vdash e \xrightarrow{e} v \quad SE_l(e) \quad v \in_c T \quad \text{id}_g \notin \Delta}{\Delta, \mathcal{M} \vdash (\text{id}_g, \tau, e) \xrightarrow{egens} \Delta \cup (id_g, (T, v)) \quad \text{id}_g \notin \mathcal{M}}$$

$$\text{GENELABCOMP} \quad \frac{\Delta, \mathcal{M} \vdash \text{gdecl} \xrightarrow{egens} \Delta' \quad \Delta', \mathcal{M} \vdash \text{gens} \xrightarrow{egens} \Delta''}{\Delta, \mathcal{M} \vdash \text{gdecl, gens} \xrightarrow{egens} \Delta''}$$

### 1.5.3 Port clause elaboration

#### Premises

The *defaultv* relation yields the implicit *default* value for a given type.

$$\text{INPORTELAB} \quad \frac{\Delta \vdash \tau \xrightarrow{etypg} T \quad \Delta \vdash T \xrightarrow{defaultv} v}{\Delta, \sigma \vdash (\text{in}, \text{id}, \tau) \xrightarrow{eports} \Delta \cup (id, T), \sigma \cup (id, v)} \quad \begin{matrix} \text{id} \notin \Delta \\ \text{id} \notin \sigma \end{matrix}$$

$$\text{OUTPORTELAB} \quad \frac{\Delta \vdash \tau \xrightarrow{etypg} T \quad \Delta \vdash T \xrightarrow{defaultv} v}{\Delta, \sigma \vdash (\text{out}, \text{id}, \tau) \xrightarrow{eports} \Delta \cup (id, T), \sigma \cup (id, v)} \quad \begin{matrix} \text{id} \notin \Delta \\ \text{id} \notin \sigma \end{matrix}$$

$$\text{PORTELABCOMP} \quad \frac{\Delta, \sigma \vdash \text{pdecl} \xrightarrow{eports} \Delta', \sigma' \quad \Delta', \sigma' \vdash \text{ports} \xrightarrow{eports} \Delta'', \sigma''}{\Delta, \sigma \vdash \text{pdecl; ports} \xrightarrow{eports} \Delta'', \sigma''}$$

### 1.5.4 Architecture declarative part elaboration.

$$\text{SIGELAB} \quad \frac{\Delta \vdash \tau \xrightarrow{etypg} T \quad \Delta \vdash T \xrightarrow{defaultv} v}{\Delta, \sigma \vdash (\text{id}, \tau) \xrightarrow{esigs} \Delta \cup (id, T), \sigma \cup (id, v)} \quad \begin{matrix} \text{id} \notin \Delta \\ \text{id} \notin \sigma \end{matrix}$$

$$\text{SIGELABCOMP} \quad \frac{\Delta, \sigma \vdash \text{sdecl} \xrightarrow{esigs} \Delta', \sigma' \quad \Delta', \sigma' \vdash \text{sig} \xrightarrow{esigs} \Delta'', \sigma''}{\Delta, \sigma \vdash \text{sdecl; sigs} \xrightarrow{esigs} \Delta'', \sigma''}$$

### 1.5.5 Type indication elaboration.

The *etype* relation checks the well-formedness of a type indication  $\tau$ , and transforms it into a semantical *type* (as defined in Table 1.1). A type indication  $\tau$  is well-formed in the context  $\Delta$  if  $\tau$  denotes the boolean keyword or the nat or array keywords with a *well-formed* constraint, and a well-formed element type in the array case.

$$\begin{array}{c}
 \text{ETYPEBOOL} \qquad \text{ETYPENAT} \\
 \hline
 \frac{}{\Delta \vdash \text{boolean} \xrightarrow{\text{etype}} \text{bool}} \qquad \frac{\Delta \vdash (e, e') \xrightarrow{\text{econstr}} (v, v')}{\Delta \vdash \text{natural}(e, e') \xrightarrow{\text{etype}} \text{nat}(v, v')} \\
 \\ 
 \text{ETYPEARRAY} \\
 \hline
 \frac{\Delta \vdash \tau \xrightarrow{\text{etype}} T \quad \Delta \vdash (e, e') \xrightarrow{\text{econstr}} (v, v')}{\Delta \vdash \text{array}(\tau, e, e') \xrightarrow{\text{etype}} \text{array}(T, v, v')}
 \end{array}$$

The *econstr* relation checks that a constraint is well-formed and evaluates the constraint bounds. A constraint  $c$  is well-formed in the context  $\Delta$  if:

- its bounds are globally static expressions [3, p.36] of the nat type.
- its lower bound value is inferior or equal to its upper bound value.

**Remark 1** (Type of constraints). *As the VHDL language reference stays unclear about the type of range and index constraints [3, p.33], we add the restriction that range and index constraints must have bounds of the nat type (i.e., value of type nat).*

#### Premises

$SE_g$  states that an expression is *globally static* (see 1.5.9).

$$\text{ECONSTR} \\
 \frac{\Delta \vdash SE_g(e) \quad \Delta, \sigma_\emptyset, \Lambda_\emptyset \vdash e \xrightarrow{e} v \quad v \in_c \text{nat}(0, \text{NATMAX}) \quad \Delta \vdash SE_g(e') \quad \Delta, \sigma_\emptyset, \Lambda_\emptyset \vdash e' \xrightarrow{e} v' \quad v' \in_c \text{nat}(0, \text{NATMAX})}{\Delta \vdash (e, e') \xrightarrow{\text{econstr}} (v, v')} \quad v \leq v'$$

When considering a type indication in a generic constant declaration, the definition of well-formedness differs slightly from the general definition. A type indication  $\tau$  associated to a generic constant declaration is well-formed if  $\tau$  denotes the boolean keyword, or the nat keyword with a *well-formed* constraint.

The  $e\text{type}_g$  relation is specially defined to check the well-formedness of a subtype indication associated with a generic constant declaration.

$$\frac{\text{ETYPEGBOOL}}{\vdash \text{boolean} \xrightarrow{e\text{type}} \text{bool}} \quad \frac{\text{ETYPEGNAT} \quad \Delta \vdash (\mathbf{e}, \mathbf{e}') \xrightarrow{e\text{constr}_g} (v, v')} {\vdash \text{natural}(\mathbf{e}, \mathbf{e}') \xrightarrow{e\text{type}} \text{nat}(v, v')}$$

The  $e\text{constr}_g$  relation checks that a *generic* constraint (i.e, a constraint appearing in a type indication associated with a generic constant declaration) is well-formed and evaluates the constraint bounds.

A *generic* constraint  $c$  is well-formed if:

- its bounds are locally static expressions [3, p.36] of the nat type.
- its lower bound value is inferior or equal to its upper bound value.

$$\frac{\text{ECONSTRG} \quad \begin{array}{ll} SE_l(\mathbf{e}) & \Delta_\emptyset, \sigma_\emptyset, \Lambda_\emptyset \vdash \mathbf{e} \xrightarrow{e} v \\ SE_l(\mathbf{e}') & \Delta_\emptyset, \sigma_\emptyset, \Lambda_\emptyset \vdash \mathbf{e}' \xrightarrow{e} v' \end{array} \quad \begin{array}{ll} v \in_c \text{nat}(0, \text{NATMAX}) \\ v' \in_c \text{nat}(0, \text{NATMAX}) \end{array} \quad v \leq v'} {\vdash (\mathbf{e}, \mathbf{e}') \xrightarrow{e\text{constr}_g} (v, v')}$$

## 1.5.6 Behavior elaboration

### Elaboration of concurrent statements

The elaboration of the composition of concurrent statements is performed in a sequential manner.

$$\frac{\text{CSPARELAB} \quad \begin{array}{ll} \mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{ebeh} \Delta', \sigma' & \mathcal{D}, \Delta', \sigma' \vdash \text{cs}' \xrightarrow{ebeh} \Delta'', \sigma'' \end{array}} {\mathcal{D}, \Delta, \sigma \vdash \text{cs} || \text{cs}' \xrightarrow{ebeh} \Delta'', \sigma''} \quad \frac{\text{CSNULLELAB}} {\mathcal{D}, \Delta, \sigma \vdash \text{null} \xrightarrow{ebeh} \Delta, \sigma}$$

**Process elaboration.**

#### Premises

$\text{valid}_{ss}$  states that a sequential statement is well-typed.

### Side conditions

$sl \subseteq Ins(\Delta) \cup Sigs(\Delta)$  indicates that the sensitivity list  $sl$  must only contain signal identifiers that are readable, that is, *input* ports and declared signals.

PSELAB

$$\frac{\Delta, \Lambda_\emptyset \vdash \text{vars} \xrightarrow{evars} \Lambda \quad \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{ss})}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (\text{id}_p, sl, \text{vars}, ss) \xrightarrow{ebeh} \Delta \cup (id_p, \Lambda), \sigma} \quad id_p \notin \Delta \quad sl \subseteq Ins(\Delta) \cup Sigs(\Delta)$$

### Process declarative part elaboration.

The  $evars$  relation builds a local environment out of a process declarative part.

VARELAB

$$\frac{\Delta \vdash \tau \xrightarrow{etyp} T \quad \vdash T \xrightarrow{defaultv} v}{\Delta, \Lambda \vdash (id, \tau) \xrightarrow{evars} \Lambda \cup (id, (T, v))} \quad id \notin \Lambda, id \notin \Delta$$

VARELABCOMP

$$\frac{\Delta, \Lambda \vdash \text{vdecl} \xrightarrow{evars} \Lambda' \quad \Delta, \Lambda' \vdash \text{vars} \xrightarrow{evars} \Lambda''}{\Delta, \Lambda \vdash \text{vdecl, vars} \xrightarrow{evars} \Lambda''}$$

### Component instantiation elaboration.

#### Premises

- The  $emapg$  relation binds a generic map to a function  $M \in id \rightsquigarrow value$  (see definition below).
- $\text{valid}_{ipm}$  (resp.  $\text{valid}_{opm}$ ) states that a in port map (resp. out port map) is valid, i.e well-formed and well-typed (see 1.5.10).

### Side conditions

$M \subseteq Gens(\Delta_c)$  checks that the generic map  $gmap$  contains references to known generic constant identifiers only.

COMPELAB

$$\frac{\mathcal{M}_\emptyset \vdash \text{gmap} \xrightarrow{emapg} M \quad \mathcal{D}, \mathcal{M} \vdash \mathcal{D}(id_e) \xrightarrow{elab} \Delta_c, \sigma_c \quad \Delta, \Delta_c, \sigma \vdash \text{valid}_{ipm}(\text{ipmap}) \quad \Delta, \Delta_c \vdash \text{valid}_{opm}(\text{opmap})}{\mathcal{D}, \Delta, \sigma \vdash \text{comp } (id_c, id_e, gmap, ipmap, opmap) \xrightarrow{ebeh} \Delta \cup (id_c, \Delta_c), \sigma \cup (id_c, \sigma_c)} \quad id_c \notin \Delta, id_c \notin \sigma \quad id_e \in \mathcal{D} \quad M \subseteq Gens(\Delta_c)$$

A port map is a mapping between signals coming from an embedding design ( $\Delta$ ) and ports of an internal component instance ( $\Delta_c$ ). The formal part of an port map entry (i.e, left of the arrow) belongs to the internal component, whereas the actual part (i.e, right of the arrow) refers to the embedding design. Therefore, we need both  $\Delta$  and  $\Delta_c$  to verify if a port map is well-typed leveraging the  $\text{valid}_{pm}$  predicate.

**Remark 2** (Valid generic map). Note that we are not checking the validity of the generic map. In case of an ill-formed generic map, a inconsistent mapping  $\mathcal{M}$  is generated by the  $\text{emapg}$  that will make the elab relation, taking  $\mathcal{M}$  as a parameter, never derivable. Therefore, the elab relation does an implicit validity check on the generic map.

$$\frac{\text{ASSOCGELAB} \quad SE_l(e) \quad \Delta_\emptyset, \sigma_\emptyset, \Lambda_\emptyset \vdash e \xrightarrow{e} v}{\mathcal{M} \vdash \text{id}_g \Rightarrow e \xrightarrow{\text{emapg}} \mathcal{M} \cup (\text{id}_g, v)} \quad \frac{\text{GMAPELABCOMP} \quad \mathcal{M} \vdash \text{assoc}_g \xrightarrow{\text{emapg}} \mathcal{M}' \quad \mathcal{M}' \vdash \text{gmap} \xrightarrow{\text{emapg}} \mathcal{M}''}{\mathcal{M} \vdash \text{assoc}_g, \text{gmap} \xrightarrow{\text{emapg}} \mathcal{M}''}$$

An  $\text{assoc}_g$  entry doesn't allow indexed id in its formal part, due to the restriction of generic constants to scalar types. Note that this restriction is not imposed by the VHDL language reference; it is our stance towards a simplification of the VHDL semantics.

### 1.5.7 Implicit default value.

According to the VHDL reference, when declaring a port, a signal or a variable, these items must receive an implicit default value depending on their types [3, p.61, 64, 173]. The  $\text{defaultv}$  relation determines the default value for a given type.

$$\frac{\text{DEFAULTVBOOL}}{\text{bool} \xrightarrow{\text{defaultv}} \perp} \quad \frac{\text{DEFAULTVCNAT} \quad n \leq m}{\text{nat}(n, m) \xrightarrow{\text{defaultv}} n}$$
  

$$\frac{\text{DEFAULTVCARR} \quad T \xrightarrow{\text{defaultv}} v}{\text{array}(T, n, m) \xrightarrow{\text{defaultv}} \text{create\_array(size, } T, v)}$$

$\text{create\_array(size, } T, v)$  creates an array of size  $\text{size}$ , containing element of type  $T$ , where each element is initialized with the value  $v$ .

### 1.5.8 Typing relation.

$$\frac{\text{ISBOOL}}{b \in \mathbb{B}} \quad \frac{\text{ISCNAT}}{n \in \text{nat}(l, u)} \quad \frac{\text{ARRAY} \quad v_i \in_c T}{\Delta \vdash (v_1, \dots, v_n) \in_c \text{array}(T, l, u)} \quad i = 1, \dots, n \quad n = (u - l) + 1$$

### 1.5.9 Static expressions.

Static expressions are either locally static or globally static.

#### Locally static expressions.

An expression is *locally* static if:

- It is composed of operators and operands of a *scalar* type (i.e, natural or boolean).
- It is a *literal* of a scalar type.

$$\frac{\text{LSENAT}}{SE_l(n)} \quad n \in \mathbb{N} \quad \frac{\text{LSEBOOL}}{SE_l(b)} \quad b \in \mathbb{B} \quad \frac{\text{LSENOT}}{SE_l(\text{not } e)} \quad \frac{\text{LSEBINOP}}{SE_l(e) \quad SE_l(e')} \quad \text{op} \in \{ +, -, =, \neq, <, \leq, >, \geq, \text{and}, \text{or} \}$$

#### Globally static expressions.

An expression is *globally* static in the context  $\Delta$  if:

- It is a generic constant.
- It is an array aggregate composed of globally static expressions.
- It is a locally static expression.

$$\frac{\text{GSELOCAL}}{SE_l(e)} \quad \frac{\text{GSEGEN}}{\Delta \vdash SE_g(id_g)} \quad id_g \in Gens(\Delta) \quad \frac{\text{GSEAGGREGATE}}{\Delta \vdash SE_g((e_1, \dots, e_n))} \quad i = 1, \dots, n$$

### 1.5.10 Valid port map.

The  $\text{valid}_{ipm}$  predicate states that an *in* port map is valid in the context  $\Delta, \Delta_c$ , where  $\Delta$  is the embedding design structure and  $\Delta_c$  denotes the component instance owner of the port map, if:

- All ports defined in  $\Delta_c$  are exactly mapped once in the portmap.
- For each port map entry, the formal and actual part are of the same type.

#### Premises

- $list_{ipm}$  builds a set  $\mathcal{L} \subset id \sqcup (id \times \mathbb{N})$  out of the port map association list.
- $\text{check}_{pm}$  checks the validity of a port map based on the corresponding port list and the set built by the  $list_{ipm}$  relation.

$$\text{VALIDIPM} \quad \frac{\Delta, \Delta_c, \sigma, \mathcal{L}_\emptyset \vdash \text{ipmap} \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L} \quad \text{check}_{\text{pm}}(\text{Ins}(\Delta_c), \mathcal{L})}{\Delta, \Delta_c, \sigma \vdash \text{valid}_{\text{ipm}}(\text{ipmap})}$$

### Side conditions

$\text{id}_p \notin \mathcal{L}$  checks that the port identifier  $\text{id}_p$  is not already mapped.

LISTIPMSIMPLE

$$\frac{\Delta, \sigma \vdash e \xrightarrow{e} v \quad v \in_c T}{\Delta, \Delta_c, \sigma, \mathcal{L} \vdash \text{id}_p \Rightarrow e \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L} \cup \{\text{id}_p\}} \quad \begin{array}{l} \text{id}_p \notin \mathcal{L}, \text{id}_p \in \text{Ins}(\Delta_c) \\ \Delta_c(\text{id}_p) = T \end{array}$$

### Premises

$v_i \in_c \text{nat}(n, m)$  checks that the index value stays in the array bounds.

### Side conditions

$\text{id}_p \notin \mathcal{L}$  and  $(\text{id}_p, v_i) \notin \mathcal{L}$  checks that neither the port identifier  $\text{id}_p$  nor the couple port identifier  $\text{id}_p$  and index  $v_i$  are already mapped.

LISTIPMPARTIAL

$$\frac{SE_l(e_i) \quad \Delta, \sigma \vdash e \xrightarrow{e} v \quad v \in_c T \quad \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m)}{\Delta, \Delta_c, \sigma, \mathcal{L} \vdash \text{id}_p(e_i) \Rightarrow e \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L} \cup \{(\text{id}_p, v_i)\}} \quad \begin{array}{l} \text{id}_p \notin \mathcal{L}, (\text{id}_p, v_i) \notin \mathcal{L} \\ \text{id}_p \in \text{Ins}(\Delta_c) \\ \Delta_c(\text{id}_p) = \text{array}(T, n, m) \end{array}$$

LISTIPMCONS

$$\frac{\Delta, \Delta_c, \sigma, \mathcal{L} \vdash \text{assoc}_{ip} \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L}' \quad \Delta, \Delta_c, \sigma, \mathcal{L}' \vdash \text{ipmap} \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L}''}{\Delta, \Delta_c, \sigma, \mathcal{L} \vdash \text{assoc}_{ip}, \text{ipmap} \xrightarrow{\text{list}_{\text{ipm}}} \mathcal{L}''}$$

The  $\text{check}_{\text{pm}}(Ports, \mathcal{L})$  predicate states that all port identifiers referenced in the domain of  $Ports \in id \rightsquigarrow type$  appear in  $\mathcal{L}$  as a simple identifier, or if the port identifier is of type array,

then all couples  $(id, i)$  must belong to  $\mathcal{L}$ , where  $i$  denotes all indexes of the array range and  $id$ , the port id.

$$\text{check}_{pm}(Ports, \mathcal{L}) \equiv \forall id_p \in \text{dom}(Ports), id_p \in \mathcal{L} \vee (Ports(id_p) = \text{array}(T, n, m) \wedge \forall i \in [n, m], (id_p, i) \in \mathcal{L})$$

The  $\text{valid}_{opm}$  predicate states that an *output* port map is valid in the context  $\Delta, \Delta_c$ , where  $\Delta$  is the embedding design structure and  $\Delta_c$  denotes the component instance owner of the port map, if:

- An output port appears at most once in the output port map.
- Two different output ports cannot be connected to the same signal.
- For each port map entry, the formal and the actual part are of the exact same type (i.e, in the sense of the Leibniz equality).

We allow partially connected output port map; i.e, an output port map where all output ports might not be present in the mapping. Such output ports are open by default.

### Premises

$list_{opm}$  builds two sets  $\mathcal{L}, \mathcal{L}_{ids} \subseteq id \sqcup (id \times \mathbb{N})$  out of the port map opmap.  $\mathcal{L}_{ids}$  is built incrementally to check that there are no multiply-driven signals resulting of the port map connection.

$$\begin{array}{c} \text{VALIDOPM} \\ \hline \Delta, \Delta_c, \mathcal{L}_\emptyset, \mathcal{L}_{ids_\emptyset} \vdash \text{opmap} \xrightarrow{list_{opm}} \mathcal{L}, \mathcal{L}_{ids} \\ \hline \Delta, \Delta_c \vdash \text{valid}_{opm}(\text{opmap}) \end{array}$$

### Side conditions

- $id_p \notin \mathcal{L}$  checks that the port identifier  $id_p$  is not already mapped (i.e, is not already in the formal part of the port map).
- $id_s \notin \mathcal{L}_{ids}$  checks that the signal identifier  $id_s$  is not already mapped (i.e, is not already in the actual part of the port map).
- $\Delta_c(id_p) = \Delta(id_s) = T$  checks that  $id_p$  and  $id_s$  are exactly of the same type.

### LISTOPMSIMPLETOSIMPLE

$$\begin{array}{c} \text{LISTOPMSIMPLETOSIMPLE} \\ \hline \Delta, \Delta_c, \mathcal{L}, \mathcal{L}_{ids} \vdash id_p \Rightarrow id_s \xrightarrow{list_{opm}} \mathcal{L} \cup \{id_p\}, \mathcal{L}_{ids} \cup \{id_s\} \\ \hline \begin{array}{l} id_p \notin \mathcal{L}, id_s \notin \mathcal{L}_{ids} \\ id_p \in \text{Outs}(\Delta_c) \\ id_s \in \text{Sigs}(\Delta) \cup \text{Outs}(\Delta) \\ \Delta_c(id_p) = \Delta(id_s) = T \end{array} \end{array}$$

### Side conditions

$Outs_c(\text{id}_p) = T$  and  $Sigs(\text{id}_s) = \text{array}(T, n, m)$  checks that the type of  $\text{id}_p$  and the type of the elements of  $\text{id}_s$  are the same. Note that  $\text{id}_s$  must denote an array as  $\text{id}_p$  is mapped to one of  $\text{id}_s$ 's partial.

LISTOPMSIMPLETOPARTIAL

$$\frac{SE_l(e_i) \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m)}{\Delta, \Delta_c, \mathcal{L}, \mathcal{L}_{ids} \vdash \text{id}_p \Rightarrow \text{id}_s(e_i) \xrightarrow{list_{opm}} \mathcal{L} \cup \{\text{id}_p\}, \mathcal{L}_{ids} \cup \{(\text{id}_s, v_i)\}}$$

$\text{id}_p \notin \mathcal{L}, \text{id}_s, (\text{id}_s, v_i) \notin \mathcal{L}_{ids}$   
 $\text{id}_p \in Outs(\Delta_c)$   
 $\text{id}_s \in Sigs(\Delta) \cup Outs(\Delta)$   
 $\Delta_c(\text{id}_p) = T$   
 $\Delta(\text{id}_s) = \text{array}(T, n, m)$

LISTOPMSIMPLETOOPEN

$$\frac{}{\Delta, \Delta_c, \mathcal{L}, \mathcal{L}_{ids} \vdash \text{id}_p \Rightarrow \text{open} \xrightarrow{list_{opm}} \mathcal{L} \cup \{\text{id}_p\}, \mathcal{L}_{ids}}$$

$\text{id}_p \notin \mathcal{L}$   
 $\text{id}_p \in Outs(\Delta_c)$

**Remark 3** (Unconnected output port.). We forbid the case where an indexed formal part corresponding to the subelement of a composite output port is unconnected, i.e  $\text{id}_p(e_i) \Rightarrow \text{open}$ , as it could lead to the case where some subelements of a composite output port are connected while others are not (error case in [3, p.7]).

LISTOPMPARTIALTOSIMPLE

$$\frac{SE_l(e_i) \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m)}{\Delta, \Delta_c, \mathcal{L} \vdash \text{id}_p(e_i) \Rightarrow \text{id}_s \xrightarrow{list_{opm}} \mathcal{L} \cup \{(\text{id}_p, v_i)\}, \mathcal{L}_{ids} \cup \{\text{id}_s\}}$$

$\text{id}_p, (\text{id}_p, v_i) \notin \mathcal{L}, \text{id}_s \notin \mathcal{L}_{ids}$   
 $\text{id}_p \in Outs(\Delta_c)$   
 $\text{id}_s \in Sigs(\Delta) \cup Outs(\Delta)$   
 $\Delta_c(\text{id}_p) = \text{array}(T, n, m)$   
 $\Delta(\text{id}_s) = T$

LISTOPMPARTIALTOPARTIAL

$$\frac{\begin{array}{c} SE_l(e'_i) \vdash e'_i \xrightarrow{e} v'_i \quad v'_i \in_c \text{nat}(n', m') \\ SE_l(e_i) \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \end{array}}{\Delta, \Delta_c, \mathcal{L} \vdash \text{id}_p(e_i) \Rightarrow \text{id}_s(e'_i) \xrightarrow{list_{opm}} \mathcal{L} \cup \{(\text{id}_p, v_i)\}, \mathcal{L}_{ids} \cup \{(\text{id}_s, v'_i)\}}$$

$\text{id}_p, (\text{id}_p, v_i) \notin \mathcal{L}, \text{id}_s, (\text{id}_s, v'_i) \notin \mathcal{L}_{ids}$   
 $\text{id}_p \in Outs(\Delta_c)$   
 $\text{id}_s \in Sigs(\Delta) \cup Outs(\Delta)$   
 $\Delta_c(\text{id}_p) = \text{array}(T, n, m)$   
 $\Delta(\text{id}_s) = \text{array}(T, n', m')$

LISTOPMCONS

$$\frac{\Delta, \Delta_c, \mathcal{L}, \mathcal{L}_{ids} \vdash \text{assoc}_{po} \xrightarrow{list_{opm}} \mathcal{L}', \mathcal{L}'_{ids} \quad \Delta, \Delta_c, \mathcal{L}', \mathcal{L}'_{ids} \vdash \text{opmap} \xrightarrow{list_{opm}} \mathcal{L}'', \mathcal{L}''_{ids}}{\Delta, \Delta_c, \mathcal{L}, \mathcal{L}_{ids} \vdash \text{assoc}_{po}, \text{opmap} \xrightarrow{list_{opm}} \mathcal{L}'', \mathcal{L}''_{ids}}$$

### 1.5.11 Valid sequential statements.

The  $\text{valid}_{ss}$  predicate states that a sequential statement is well-typed.

### Well-typed signal assignment.

WELLTYPEDSIGASSIGN

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T \quad \text{id}_s \in Sigs(\Delta) \cup Outs(\Delta)}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{id}_s \Leftarrow e) \quad \Delta(\text{id}_s) = T}$$

WELLTYPEDIDXSIGASSIGN

$$\frac{\begin{array}{l} \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T \\ \Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \quad \text{id}_s \in Sigs(\Delta) \cup Outs(\Delta) \end{array}}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{id}_s(e_i) \Leftarrow e) \quad \Delta(\text{id}_s) = \text{array}(T, n, m)}$$

### Well-typed variable assignment.

WELLTYPEDVARASSIGN

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T \quad \text{id}_v \in \Lambda}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{id}_v := e) \quad \Lambda(\text{id}_v) = (T, val)}$$

WELLTYPEDIDXVARASSIGN

$$\frac{\begin{array}{l} \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T \\ \Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \quad \text{id}_v \in \Lambda \end{array}}{\Delta, \Lambda \vdash \text{valid}_{ss}(\text{id}_v(e_i) := e) \quad \Lambda(\text{id}_v) = (\text{array}(T, n, m), val)}$$

### Well-typed if statements.

WELLTYPEDIF

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c \text{bool} \quad \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(ss)}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{if } (e) ss)}$$

WELLTYPEDIFELSE

$$\frac{\begin{array}{l} \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(ss) \\ \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c \text{bool} \quad \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(ss') \end{array}}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{if } (e) ss ss')}$$

### Well-typed loop statement.

$$\begin{array}{c}
 \text{WELLTYPEDLOOP} \\
 \dfrac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c \text{nat}(0, \text{NATMAX}) \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e'} v' \quad v' \in_c \text{nat}(0, \text{NATMAX}) \quad \Delta, \sigma, \Lambda' \vdash \text{valid}_{ss}(\text{ss})}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{for } (\text{id}_v, e, e') \text{ ss})} \quad \Lambda' = \Lambda \cup (\text{id}_v, (\text{nat}(v, v'), v))
 \end{array}$$

### Well-typed rising and falling edge blocks

$$\begin{array}{c}
 \text{WELLTYPEDRISING} \qquad \qquad \qquad \text{WELLTYPEDFALLING} \\
 \dfrac{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{ss})}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{rising ss})} \quad \dfrac{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{ss})}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{falling ss})}
 \end{array}$$

### Well-typed rst blocks

$$\begin{array}{c}
 \text{WELLTYPEDRST} \\
 \dfrac{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{ss}) \quad \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{ss}')}{\Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{rst ss ss}')}
 \end{array}$$

### Well-typed null statement

$$\begin{array}{c}
 \text{WELLTYPEDNULL} \\
 \hline
 \Delta, \sigma, \Lambda \vdash \text{valid}_{ss}(\text{null})
 \end{array}$$

## 1.6 Simulation rules

### 1.6.1 Full Simulation

The full simulation process is decomposed in two steps. The first step is the elaboration phase that builds an elaborated version of a  $\mathcal{H}$ -VHDL design along with its default state, and type-checks the design. Previous to the elaboration phase, the top-level design receives a value for each of its generic constant; we refer to it as the *dimensioning* of the top-level design. The second step is the simulation phase that executes the behavioral part of the top-level design starting from an initial state. The simulation is decomposed into simulation cycles. Each simulation cycle is divided in four parts entailed by the *synchronous* execution of  $\mathcal{H}$ -VHDL top-level designs, i.e designs whose behavior depend on a clock signal. The four parts are, first, the execution of concurrent statements responding to the rising edge of the clock signal, then, a phase of signal stabilization followed by the execution of concurrent statements responding to the falling edge of the clock signal, and finally another phase of signal stabilization. At each clock event, the

value of the primary inputs of the design being currently simulated are captured and injected in the simulation; primary inputs receive values from the design environment. Here, the environment is represented by a function mapping input port identifiers to values depending on the current count of simulation cycles and the considered clock event. This leads to the following hypothesis:

**Hypothesis 1** (Stable primary inputs). *The values of primary inputs (i.e, input ports of the top-level design) are captured at each clock event, and therefore are stable (i.e, their values do not change) between two contiguous clock events.*

Hypothesis **Stable primary inputs** arises from the fact that the clock signal sample rate respects the Nyquist-Shannon sampling theorem. Therefore, the sample rate of the design's clock is sufficient to capture all events possibly arising in the environment. We only need to settle the values of the primary inputs at the clock edges.

Also, after each clock event phase follows a signal stabilization phase in the proceedings of a simulation cycle. One more hypothesis is needed here:

**Hypothesis 2** (Stabilization). *All signals have enough time to stabilize during the signal stabilization phase that happens between two clock events.*

As a  $\mathcal{H}$ -VHDL design represents a physical circuit, one can assume that the represented circuit is analyzed former to the simulation. Therefore, one knows exactly how much time is needed to propagate signal values through the longest physical path; as a consequence, a proper clock frequency is set ensuring signal stabilization between two clock events. Thus, Hypothesis **Stabilization** arises from the previous facts.

The *full* simulation relation takes in parameter a top-level design  $d$ , a design store  $\mathcal{D} \in id \rightsquigarrow design$ , an elaborated design  $\Delta \in ElDesign(d)$ , a dimensioning function  $\mathcal{M}_g \in Gens(\Delta) \rightsquigarrow value$ , a primary input environment  $E_p \in (\mathbb{N} \times Clk) \rightarrow (Ins(\Delta) \rightarrow value)$ , a simulation cycle count  $\tau \in \mathbb{N}$ , and a simulation trace  $\theta \in \text{list}(\Sigma(\Delta))$ , corresponding to the list of states yielded by design  $d$  after  $\tau$  simulation cycles. Note that we use the pointed notation to access the behavioral part of design  $d$ , written  $d.cs$ . It is this part of the design that is executed during the simulation, and therefore is passed as a parameter of the initialization and simulation relations.

FULLSIM

$$\frac{\mathcal{D}, \mathcal{M}_g \vdash d \xrightarrow{\text{elab}} \Delta, \sigma \quad \mathcal{D}, \Delta, \sigma \vdash d.cs \xrightarrow{\text{init}} \sigma_0 \quad \mathcal{D}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta}{\mathcal{D}, \Delta, \mathcal{M}_g, E_p, \tau \vdash d \xrightarrow{\text{full}} (\sigma_0 :: \theta)}$$

where:

- $\mathcal{M}_g \in Gens(\Delta) \rightsquigarrow value$ , the function yielding the values of generic constants for a given top-level design, referred to as the *dimensioning* function.
- $E_p \in (\mathbb{N} \times Clk) \rightarrow (ident \rightsquigarrow value)$ , the function yielding a mapping from primary inputs (i.e, input ports of the top-level design) to values at a given simulation cycle count (i.e, the  $\mathbb{N}$  argument), and a given clock event (i.e, the  $Clk$  argument, where  $Clk = \{\uparrow, \downarrow\}$ ).
- $\tau$ , the number of simulation cycles to execute. The value of  $\tau$  is decremented at each clock cycle until it reaches zero (see Section 1.6.2).

### 1.6.2 Simulation loop.

$$\frac{\text{SIMEND}}{\mathcal{D}, E_p, \Delta, 0, \sigma \vdash cs \rightarrow []} \quad \frac{\text{SIMLOOP} \quad \mathcal{D}, E_p, \Delta, \tau, \sigma \vdash cs \xrightarrow{\uparrow\downarrow} \sigma', \sigma'' \quad \mathcal{D}, E_p, \Delta, \tau - 1, \sigma'' \vdash cs \rightarrow \theta}{\mathcal{D}, E_p, \Delta, \tau, \sigma \vdash cs \rightarrow (\sigma' :: \sigma'' :: \theta)} \quad \tau > 0$$

### 1.6.3 Simulation cycle.

To ease the reading of forward simulation rules, we need to introduce two notations.

**Notation 3** (Overriding union). *For all partial function  $f, f' \in X \nrightarrow Y$ ,  $f \overset{\leftarrow}{\cup} f'$  denotes the overriding union of  $f$  and  $f'$  such that  $f \overset{\leftarrow}{\cup} f'(x) = \begin{cases} f'(x) & \text{if } x \in \text{dom}(f') \\ f(x) & \text{otherwise} \end{cases}$*

**Notation 4** (Differentiated intersection domain). *For all partial function  $f, f' \in X \nrightarrow Y$ ,  $f \overset{\neq}{\cap} f'$  denotes the intersection of the domain of  $f$  and  $f'$  for which  $f$  and  $f'$  yields different values. That is,  $f \overset{\neq}{\cap} f' = \{x \in \text{dom}(f) \cap \text{dom}(f') \mid f(x) \neq f'(x)\}$ .*

**Definition 4** (Input port values update). *Given an  $\mathcal{H}$ -VHDL design  $d \in \text{design}$ , a design store  $\mathcal{D} \in id \rightarrow \text{design}$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D})$ , a simulation environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow (\text{Ins}(\Delta) \rightarrow \text{value})$ , let us define the relation expressing the update of the values of the input ports of  $\Delta$  at a given design state  $\sigma \in \Sigma(\Delta)$ , clock cycle count  $\tau \in \mathbb{N}$ , and clock event  $clk \in \{\uparrow, \downarrow\}$ , and thus resulting in a new state  $\sigma_i \in \Sigma(\Delta)$ . The relation is written  $\text{Inject}_{clk}(\sigma, E_p, \tau, \sigma_i)$  and verifies that:  $\sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle$  and  $\sigma_i = \langle \mathcal{S} \overset{\leftarrow}{\cup} E_p(\tau, clk), \mathcal{C}, \mathcal{E} \rangle$ .*

The cycle relation states that the design state  $\sigma''$  is the result of the execution of concurrent statement  $cs$  over one simulation cycle, this starting from state  $\sigma$ . As told in Hypothesis 1, we update the input port values at each clock event. New input port values are coming from the environment  $E_p$ . The updates are made in the definitions of  $\sigma_i$  and  $\sigma'_i$ . These definitions are expressed as side conditions.

$$\frac{\text{SIMCYC} \quad \begin{array}{ll} \mathcal{D}, \Delta, \sigma_i \vdash cs \xrightarrow{\uparrow} \sigma'_i & \mathcal{D}, \Delta, \sigma'_i \vdash cs \rightsquigarrow \sigma' \\ \mathcal{D}, \Delta, \sigma'_i \vdash cs \xrightarrow{\downarrow} \sigma'_i & \mathcal{D}, \Delta, \sigma'_i \vdash cs \rightsquigarrow \sigma'' \end{array} \quad \begin{array}{l} \text{Inject}_{\uparrow}(\sigma, E_p, \tau, \sigma_i) \\ \text{Inject}_{\downarrow}(\sigma', E_p, \tau, \sigma'_i) \end{array}}{\mathcal{D}, E_p, \Delta, \tau, \sigma \vdash cs \xrightarrow{\uparrow\downarrow} \sigma', \sigma''}$$

**Remark 4** (Input ports and signal store). *For a given  $\Delta \in \text{Design}$ ,  $\sigma \in \Sigma(\Delta)$ ,  $E_p \in \mathbb{N} \rightarrow \text{Clk} \rightarrow (\text{Ins}(\Delta) \rightarrow \text{value})$ ,  $\tau \in \mathbb{N}$ ,  $clk \in \text{Clk}$ , we have  $\text{dom}(E_p(\tau, clk)) \subseteq \text{dom}(\mathcal{S})$ , where  $\sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle$ . Indeed, the input ports of  $\Delta$  that constitutes the domain of  $E_p(\tau, clk)$  are a subset of the set of signals. The set of signals constitutes the domain of the signal store of  $\sigma$  (i.e.,  $\mathcal{S}$ ); thus we have  $\text{dom}(E_p(\tau, clk)) \subseteq \text{dom}(\mathcal{S})$ .*

### 1.6.4 Initialization rules

$$\text{INIT} \quad \frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\text{runinit}} \sigma' \quad \mathcal{D}, \Delta, \sigma' \vdash \text{cs} \xrightarrow{\sim} \sigma''}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\text{init}} \sigma''}$$

At the initialization phase, the block of sequential instructions of all processes is executed exactly once (*runinit*), then a stabilization phase follows (*stabilize*). It is during the initialization phase that the first part of `rst` blocks is executed. A block (`rst ss ss'`) is equivalent to (`if (rst = false) then ss else ss'`) where `rst` is a reserved signal identifier. Therefore, when considering a `rst` block, the *runinit* relation executes the `ss` block; at every other moment of the simulation, the `ss'` block is executed. This mimicks the conventional proceeding of a simulation where the `rst` signal (for *reset* signal) is set to false during the initialization (only during the *runinit* phase, not during the stabilization phase), and then is set to true for the rest of the simulation.

#### Evaluation of a process statement

##### Premises

- The *i* flag of the  $ss_i$  relation indicates that all sequential instructions responding to the initialization phase (i.e, `rst` blocks) will be executed.
- The set of events of state  $\sigma$  is emptied ( $NoEv(\sigma)$ ) before the evaluation of the process statement body, and the resulting state is the starting state that will be written through the execution of the process statement body.

$$\text{PSRUNINIT} \quad \frac{\Delta, \sigma, NoEv(\sigma), \Lambda \vdash \text{ss} \xrightarrow{ss_i} \sigma', \Lambda'}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (\text{id}_p, \text{sl}, \text{vars}, \text{ss}) \xrightarrow{\text{runinit}} \sigma'} \quad \Delta(\text{id}_p) = \Lambda$$

#### Evaluation of a component instantiation statement

$$\text{COMPINIT} \quad \frac{\begin{array}{c} \Delta, \Delta_c, \sigma, \sigma_c \vdash i \xrightarrow{\text{mapip}} \sigma'_c \\ \mathcal{D}, \Delta_c, \sigma'_c \vdash \mathcal{D}(\text{id}_e).\text{cs} \xrightarrow{\text{runinit}} \sigma''_c \\ \Delta, \Delta_c, NoEv(\sigma), \sigma''_c \vdash o \xrightarrow{\text{mapop}} \sigma' \end{array} \quad id_e \in \mathcal{D} \quad \Delta(\text{id}_c) = \Delta_c, \sigma(\text{id}_c) = \sigma_c}{\mathcal{D}, \Delta, \sigma \vdash \text{comp } (\text{id}_c, \text{id}_e, g, i, o) \xrightarrow{\text{runinit}} \sigma''} \quad \sigma'' = <\mathcal{S}', \mathcal{C}'(id_c) \leftarrow \sigma''_c, \mathcal{E}' \cup (\mathcal{C} \cap \mathcal{C}')>$$

## Evaluation of the composition of concurrent statements

$$\begin{array}{c}
 \text{PARRUNINIT} \\
 \frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\text{runinit}} \sigma' \quad \mathcal{D}, \Delta, \sigma \vdash \text{cs}' \xrightarrow{\text{runinit}} \sigma''}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} || \text{cs}' \xrightarrow{\text{runinit}} \text{merge}(\sigma, \sigma', \sigma'')} \quad \mathcal{E}' \cap \mathcal{E}'' = \emptyset \\
 \text{NULLRUNINIT} \\
 \frac{}{\Delta, \sigma \vdash \text{null} \xrightarrow{\text{runinit}} \text{NoEv}(\sigma)}
 \end{array}$$

The `merge` function computes a new state based on the original state  $\sigma$ , and the states  $s$  and  $s'$  yielded by the computation of two concurrent statements. In the resulting state, the signal value store  $S_m$  is a function merging together the signal store functions at state  $\sigma$ ,  $s$  and  $s'$ .  $S_m$  yields values from the signal store  $S$  (resp.  $S'$ ) for all signal that belongs to the set of events at state  $s$  (resp.  $s'$ ), and yields values from the original signal store  $S_\sigma$  for all unchanged signals. The same goes for the resulting component instance state store  $C_m$ . The new set of events  $\mathcal{E}_m$  is the union between set of events at state  $s$  and  $s'$ . The `merge` correctly merges the state  $\sigma$  and  $s'$  only if the set of events of  $s$  and  $s'$  are disjoint. Fortunately, the PARRUNINIT rule that calls to the `merge` function defines the condition of disjoint set of events as a side condition.

```

1 Definition merge(o,s,s') :=
2   let o = (S_o,C_o,E_o) in
3   let s = (S,C,E) in
4   let s' = (S',C',E') in
5   let S_m = λ id. if id ∈ E then S(id) else if id ∈ E' then S'(id) else S_o(id)
6   let C_m = λ id. if id ∈ E then C(id) else if id ∈ E' then C'(id) else C_o(id)
7   let E_m = E ∪ E' in (S_m,C_m,E_m).

```

**Remark 5** (No multiply-driven signals). *For all states  $\sigma = (S, C, E)$  and  $\sigma' = (S', C', E')$  resulting from the execution of two concurrent statements  $\text{cs}$  and  $\text{cs}'$ ,  $\mathcal{E} \cap \mathcal{E}' = \emptyset$ . Otherwise, there exists some multiply-driven signals, which are forbidden in our semantics.*

### 1.6.5 Clock phases rules

The following rules express the evaluation of concurrent statements at clock phases, i.e. the  $\uparrow$  and  $\downarrow$  phases. The clock signal, triggering the evaluation of synchronous process statements, is represented by the reserved signal identifier `clk`. Thus, synchronous processes are processes containing the `clk` in their sensitivity list.

#### Evaluation of a process statement

$$\begin{array}{c}
 \text{PsRENOCLK} \\
 \frac{}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (\text{id}_p, \text{sl}, \text{vars}, \text{ss}) \xrightarrow{\uparrow} \sigma} \quad \text{clk} \notin \text{sl}
 \end{array}$$

### Premises

The  $\uparrow$  flag in the  $ss\uparrow$  relation indicates that rising blocks will be executed.

PsRECLK

$$\frac{\Delta, \sigma, NoEv(\sigma), \Lambda \vdash ss \xrightarrow{ss\uparrow} \sigma', \Lambda' \quad \text{clk} \in sl \quad \Delta(id_p) = \Lambda}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (id_p, sl, vars, ss) \xrightarrow{\uparrow} \sigma'} \quad \Delta(id_p) = \Lambda$$

PsFENOCLK

$$\frac{}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (id_p, sl, vars, ss) \xrightarrow{\downarrow} \sigma} \quad \text{clk} \notin sl$$

### Premises

The  $\downarrow$  flag in the  $ss\downarrow$  relation indicates that falling blocks will be executed.

PsFECLK

$$\frac{\Delta, \sigma, NoEv(\sigma), \Lambda \vdash ss \xrightarrow{ss\downarrow} \sigma', \Lambda' \quad \text{clk} \in sl \quad \Delta(id_p) = \Lambda}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (id_p, sl, vars, ss) \xrightarrow{\downarrow} \sigma'} \quad \Delta(id_p) = \Lambda$$

## Evaluation of a component instantiation statement

COMPRE

$$\frac{\begin{array}{c} \Delta, \Delta_c, \sigma, \sigma_c \vdash i \xrightarrow{mapip} \sigma'_c \\ \mathcal{D}, \Delta_c, \sigma'_c \vdash \mathcal{D}(id_e).cs \xrightarrow{\uparrow} \sigma''_c \\ \Delta, \Delta_c, \sigma, \sigma''_c \vdash o \xrightarrow{mapop} \sigma' \end{array} \quad \begin{array}{l} id_e \in \mathcal{D} \\ \Delta(id_c) = \Delta_c, \sigma(id_c) = \sigma_c \end{array}}{\mathcal{D}, \Delta, \sigma \vdash \text{comp } (id_c, id_e, g, i, o) \xrightarrow{\uparrow} \sigma''} \quad \sigma'' = <\mathcal{S}', \mathcal{C}'(id_c) \leftarrow \sigma''_c, \mathcal{E}' \cup (\mathcal{C} \cap \mathcal{C}')>$$

COMPFE

$$\frac{\begin{array}{c} \Delta, \Delta_c, \sigma, \sigma_c \vdash i \xrightarrow{mapip} \sigma'_c \\ \mathcal{D}, \Delta_c, \sigma'_c \vdash \mathcal{D}(id_e).cs \xrightarrow{\downarrow} \sigma''_c \\ \Delta, \Delta_c, \sigma, \sigma''_c \vdash o \xrightarrow{mapop} \sigma' \end{array} \quad \begin{array}{l} id_e \in \mathcal{D} \\ \Delta(id_c) = \Delta_c, \sigma(id_c) = \sigma_c \end{array}}{\mathcal{D}, \Delta, \sigma \vdash \text{comp } (id_c, id_e, g, i, o) \xrightarrow{\downarrow} \sigma''} \quad \sigma'' = <\mathcal{S}', \mathcal{C}'(id_c) \leftarrow \sigma''_c, \mathcal{E}' \cup (\mathcal{C} \cap \mathcal{C}')>$$

### Evaluation of the composition of concurrent statements

PARFE

$$\frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\downarrow} \sigma' \quad \mathcal{D}, \Delta, \sigma \vdash \text{cs}' \xrightarrow{\downarrow} \sigma''}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} || \text{cs}' \xrightarrow{\downarrow} \text{merge}(\sigma, \sigma', \sigma'')} \quad \mathcal{E}' \cap \mathcal{E}'' = \emptyset$$

$$\frac{\text{NULLFE}}{\Delta, \sigma \vdash \text{null} \xrightarrow{\downarrow} \sigma}$$

PARRE

$$\frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\uparrow} \sigma' \quad \mathcal{D}, \Delta, \sigma \vdash \text{cs}' \xrightarrow{\uparrow} \sigma''}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} || \text{cs}' \xrightarrow{\uparrow} \text{merge}(\sigma, \sigma', \sigma'')} \quad \mathcal{E}' \cap \mathcal{E}'' = \emptyset$$

$$\frac{\text{NULLRE}}{\Delta, \sigma \vdash \text{null} \xrightarrow{\uparrow} \sigma}$$

### 1.6.6 Stabilization rules

STABILIZEEND

$$\frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\text{comb}} \sigma}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \rightsquigarrow \sigma} \quad \mathcal{E} = \emptyset$$

STABILIZELOOP

$$\frac{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \xrightarrow{\text{comb}} \sigma' \quad \mathcal{D}, \Delta, \sigma' \vdash \text{cs} \rightsquigarrow \sigma''}{\mathcal{D}, \Delta, \sigma \vdash \text{cs} \rightsquigarrow \sigma''} \quad \mathcal{E} \neq \emptyset \quad \mathcal{E}'' = \emptyset$$

### Evaluation of a process statement

#### Premises

The *c* flag (for *combinational*) on the  $ss_c$  relation indicates that instructions responding to clock events (falling and rising blocks) and instructions executed during the initialization phase only (rst blocks) will not be considered.

PsCOMB

$$\frac{\Delta, \sigma, \text{NoEv}(\sigma), \Lambda \vdash \text{ss} \xrightarrow{ss_c} \sigma', \Lambda'}{\mathcal{D}, \Delta, \sigma \vdash \text{process } (\text{id}_p, \text{sl}, \text{vars}, \text{ss}) \xrightarrow{\text{comb}} \sigma'} \quad \Delta(\text{id}_p) = \Lambda$$

### Evaluation of a component instantiation statement

COMP<sub>COMB</sub>

$$\frac{\begin{array}{c} \Delta, \Delta_c, \sigma, \sigma_c \vdash i \xrightarrow{\text{mapip}} \sigma'_c \\ \mathcal{D}, \Delta_c, \sigma'_c \vdash \mathcal{D}(id_e).cs \xrightarrow{\text{comb}} \sigma''_c \\ \Delta, \Delta_c, \text{NoEv}(\sigma), \sigma''_c \vdash o \xrightarrow{\text{mapop}} \sigma' \end{array}}{\Delta, \Delta, \sigma \vdash \text{comp}(id_c, id_e, g, i, o) \xrightarrow{\text{comb}} \sigma''} \quad \begin{array}{l} id_e \in \mathcal{D} \\ \Delta(id_c) = \Delta_c, \sigma(id_c) = \sigma_c \\ \sigma'' = <\mathcal{S}', \mathcal{C}'(id_c) \leftarrow \sigma''_c, \mathcal{E}' \cup (\mathcal{C} \cap \mathcal{C}')> \end{array}$$

### Evaluation of the composition of concurrent statements

PAR<sub>COMB</sub>

$$\frac{\mathcal{D}, \Delta, \sigma \vdash cs \xrightarrow{\text{comb}} \sigma' \quad \mathcal{D}, \Delta, \sigma \vdash cs' \xrightarrow{\text{comb}} \sigma''}{\mathcal{D}, \Delta, \sigma \vdash cs || cs' \xrightarrow{\text{comb}} \text{merge}(\sigma, \sigma', \sigma'')} \quad \mathcal{E}' \cap \mathcal{E}'' = \emptyset$$

NULL<sub>COMB</sub>

$$\frac{}{\Delta, \sigma \vdash \text{null} \xrightarrow{\downarrow} \text{NoEv}(\sigma)}$$

### 1.6.7 Evaluation of input and output port maps

MAPIPSIMPLE

$$\frac{\Delta, \sigma \vdash e \xrightarrow{e} v \quad v \in_c T}{\Delta, \Delta_c, \sigma, \sigma_c \vdash id_s \Rightarrow e \xrightarrow{\text{mapip}} <\mathcal{S}', \mathcal{C}, \mathcal{E}>} \quad \begin{array}{l} \Delta_c(id_s) = T \\ \sigma_c = <\mathcal{S}, \mathcal{C}, \mathcal{E}> \\ S' = S(id_s) \leftarrow v \end{array}$$

MAPIPPARTIAL

$$\frac{\begin{array}{c} \Delta, \sigma \vdash e \xrightarrow{e} v \quad v \in_c T \\ \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \end{array}}{\Delta, \Delta_c, \sigma, \sigma_c \vdash id_s(e_i) \Rightarrow e \xrightarrow{\text{mapip}} <\mathcal{S}', \mathcal{C}, \mathcal{E}>} \quad \begin{array}{l} \Delta_c(id_s) = \text{array}(T, n, m) \\ \sigma_c = <\mathcal{S}, \mathcal{C}, \mathcal{E}> \\ S' = S(id_s) \leftarrow \text{set\_at}(v, v_i, S(id_s)) \end{array}$$

MAPIPCOMP

$$\frac{\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{assoc}_{ip} \xrightarrow{\text{mapip}} \sigma'_c \quad \Delta, \Delta_c, \sigma, \sigma'_c \vdash \text{ipmap} \xrightarrow{\text{mapip}} \sigma''_c}{\Delta, \Delta_c, \sigma, \sigma_c \vdash \langle \text{assoc}_{ip}, \text{ipmap} \rangle \xrightarrow{\text{mapip}} \sigma''_c}$$

**Remark 6** (Out ports and  $e$ ). We can not use the  $e$  relation to interpret the values of output ports, because output ports are write-only constructs. We append the flag  $o$  to the  $e$  relation (i.e.,  $e_o$ ) to permit the evaluation of output port identifiers as regular signal identifier expressions.

## MAPOPOpen

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{id}_f \Rightarrow \text{open} \xrightarrow{\text{mapop}} \sigma_c$$

## MAPOPSIMPLETOSIMPLE

$$\Delta_c, \sigma_c \vdash \text{id}_f \xrightarrow{e_o} v \quad v \in_c T \quad \begin{array}{l} \text{id}_a \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(\text{id}_a) = T \end{array}$$

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{id}_f \Rightarrow \text{id}_a \xrightarrow{\text{mapop}} \langle \mathcal{S}', \mathcal{C}, \mathcal{E}' \rangle \quad \begin{array}{l} \sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle \\ \mathcal{S}' = \mathcal{S}(\text{id}_a) \leftarrow v, \mathcal{E}' = \mathcal{E} \cup (\mathcal{S} \neq \mathcal{S}') \end{array}$$

## MAPOPSIMPLETOPARTIAL

$$\begin{array}{c} \vdash e_i \xrightarrow{e} v_i \quad v \in_c T \\ \Delta_c, \sigma_c \vdash \text{id}_f \xrightarrow{e_o} v \quad v_i \in_c \text{nat}(n, m) \end{array} \quad \begin{array}{l} \text{id}_a \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(\text{id}_a) = \text{array}(T, n, m) \\ \sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle \\ \mathcal{S}' = \mathcal{S}(\text{id}_a) \leftarrow \text{set\_at}(v, v_i, \mathcal{S}(\text{id}_a)) \\ \mathcal{E}' = \mathcal{E} \cup (\mathcal{S} \neq \mathcal{S}') \end{array}$$

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{id}_f \Rightarrow \text{id}_a(e_i) \xrightarrow{\text{mapop}} \langle \mathcal{S}', \mathcal{C}, \mathcal{E}' \rangle$$

## MAPOPARTIALTOSIMPLE

$$\Delta_c, \sigma_c \vdash \text{id}_f(e'_i) \xrightarrow{e_o} v \quad v \in_c T \quad \begin{array}{l} \text{id}_a \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(\text{id}_a) = T \end{array}$$

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{id}_f(e'_i) \Rightarrow \text{id}_a \xrightarrow{\text{mapop}} \langle \mathcal{S}', \mathcal{C}, \mathcal{E}' \rangle \quad \begin{array}{l} \sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle \\ \mathcal{S}' = \mathcal{S}(\text{id}_a) \leftarrow v, \mathcal{E}' = \mathcal{E} \cup (\mathcal{S} \neq \mathcal{S}') \end{array}$$

## MAPOPARTIALTOPARTIAL

$$\begin{array}{c} \vdash e_i \xrightarrow{e} v_i \quad v \in_c T \\ \Delta_c, \sigma_c \vdash \text{id}_f(e'_i) \xrightarrow{e_o} v \quad v_i \in_c \text{nat}(n, m) \end{array} \quad \begin{array}{l} \text{id}_a \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(\text{id}_a) = \text{array}(T, n, m) \\ \sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle \\ \mathcal{S}' = \mathcal{S}(\text{id}_a) \leftarrow \text{set\_at}(v, v_i, \mathcal{S}(\text{id}_a)) \\ \mathcal{E}' = \mathcal{E} \cup (\mathcal{S} \neq \mathcal{S}') \end{array}$$

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{id}_f(e'_i) \Rightarrow \text{id}_a(e_i) \xrightarrow{\text{mapop}} \langle \mathcal{S}', \mathcal{C}, \mathcal{E}' \rangle$$

## MAPOPCOMP

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \text{assoc}_{po} \xrightarrow{\text{mapop}} \sigma' \quad \Delta, \Delta_c, \sigma', \sigma_c \vdash \text{opmap} \xrightarrow{\text{mapop}} \sigma''$$

$$\Delta, \Delta_c, \sigma, \sigma_c \vdash \langle \text{assoc}_{po}, \text{opmap} \rangle \xrightarrow{\text{mapop}} \sigma''$$

The  $e_o$  relation is only defined to retrieve the value of out ports from a store signal  $\mathcal{S}$  under a design state  $\sigma = \langle \mathcal{S}, \mathcal{C}, \mathcal{E} \rangle$ .

$$\frac{\text{OUTO}}{\Delta, \sigma \vdash \text{id}_s \xrightarrow{e_o} \sigma(\text{id}_s)} \quad \begin{array}{l} \text{id}_s \in Outs(\Delta) \\ \text{id}_s \in \sigma \end{array}$$

$$\frac{\text{IDXOUTO}}{\vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m)} \quad \begin{array}{l} \text{id}_s \in Outs(\Delta) \\ \text{id}_s \in \sigma \\ \Delta(\text{id}_s) = \text{array}(T, n, m) \\ i = v_i \bmod n \end{array}$$

$$\Delta, \sigma \vdash \text{id}_s(e_i) \xrightarrow{e_o} \text{get\_at}(i, \sigma(\text{id}_s))$$

### 1.6.8 Evaluation of sequential statements

The  $ss$  symbol indicates that the evaluation of the considered sequential statement does not depend on a specific flag (i.e, the  $c$ ,  $i$ ,  $\uparrow$  or  $\downarrow$  flag). In the rules of the  $ss$  relation, a  $ss$  flag is transferred from the conclusion to the premises when an sequential statement is composed of inner sequential blocks.

#### Signal assigment statement

A signal assignment generates a new design state with a modified signal store and a new set of events. Note that there are two states on the left side of the thesis symbol.  $\sigma$  represents the state holding the current values of signals, and  $\sigma_w$  holds the new values of signals (i.e. the *written* state).

##### Premises

The premise  $\mathcal{S}(id_s) \in_c T$  checks that the value associated to signal  $id_s$  in the signal store of  $\sigma$  complies with type  $T$ , where  $T$  is the type associated with signal  $id_s$  in  $\Delta$ .

$$\text{SIGASSIGN} \quad \frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T}{\Delta, \sigma, \sigma_w, \Lambda \vdash id_s \Leftarrow e \xrightarrow{ss} \langle \mathcal{S}'_w, \mathcal{C}_w, \mathcal{E}'_w \rangle, \Lambda} \quad \begin{array}{l} id_s \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(id_s) = T \\ \mathcal{S}'_w = \mathcal{S}_w(id_s) \leftarrow v \\ \mathcal{E}'_w = \mathcal{E}_w \cup (\mathcal{S}_w \setminus \mathcal{S}'_w) \end{array}$$

$$\text{IDXSIGASSIGN} \quad \frac{\begin{array}{c} \Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c T \\ \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v_i \in_c \text{nat}(n, m) \end{array}}{\Delta, \sigma, \sigma_w, \Lambda \vdash id_s(e_i) \Leftarrow e \xrightarrow{ss} \langle \mathcal{S}'_w, \mathcal{C}_w, \mathcal{E}'_w \rangle, \Lambda} \quad \begin{array}{l} id_s \in Sigs(\Delta) \cup Outs(\Delta) \\ \Delta(id_s) = \text{array}(T, n, m) \\ \mathcal{S}'_w = \mathcal{S}_w(id_s) \leftarrow \text{set\_at}(v, v_i, \mathcal{S}_w(id_s)) \\ \mathcal{E}'_w = \mathcal{E}_w \cup (\mathcal{S}_w \setminus \mathcal{S}'_w) \end{array}$$

#### Variable assignment statement

A variable assignment statement modifies the variable values in the local environment.

$$\text{VARASSIGN} \quad \frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T}{\Delta, \sigma, \sigma_w, \Lambda \vdash id_v := e \xrightarrow{ss} \sigma_w, \Lambda(id_v) \leftarrow (T, v)} \quad \begin{array}{l} id_v \in \Lambda \\ \Delta(id_v) = (T, val) \end{array}$$

$$\text{IDXVARASSIGN} \quad \frac{\begin{array}{c} \Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \\ \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad v \in_c T \end{array}}{\Delta, \sigma, \sigma_w, \Lambda \vdash id_v(e_i) := e \xrightarrow{ss} \sigma_w, \Lambda(id_v) \leftarrow (T, \text{set\_at}(v, v_i, val))} \quad \begin{array}{l} id_v \in \Lambda \\ \Delta(id_v) = (\text{array}(T, n, m), val) \end{array}$$

**If statement**

$$\begin{array}{c}
 \text{IF}\top \\
 \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} \top \quad \Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss} \sigma'_w, \Lambda' \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{if } (e) ss \xrightarrow{ss} \sigma'_w, \Lambda'
 \end{array}
 \qquad
 \begin{array}{c}
 \text{IF}\perp \\
 \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} \perp \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{if } (e) ss \xrightarrow{ss} \sigma_w, \Lambda
 \end{array}$$
  

$$\begin{array}{c}
 \text{IFELSE}\top \\
 \Delta, \sigma, \Lambda \vdash e \xrightarrow{\text{expr}} \top \quad \Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss} \sigma'_w, \Lambda' \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{if } (e) ss ss' \xrightarrow{ss} \sigma'_w, \Lambda'
 \end{array}
 \qquad
 \begin{array}{c}
 \text{IFELSE}\perp \\
 \Delta, \sigma, \Lambda \vdash e \xrightarrow{e} \perp \quad \Delta, \sigma, \sigma_w, \Lambda \vdash ss' \xrightarrow{ss} \sigma'_w, \Lambda' \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{if } (e) ss ss' \xrightarrow{ss} \sigma'_w, \Lambda'
 \end{array}$$

**Loop statement**

$$\text{LOOP}\perp \\
 \frac{\Delta, \sigma, \sigma_w, \Lambda_i \vdash ss \xrightarrow{ss} \sigma'_w, \Lambda' \quad \Delta, \sigma, \Lambda_i \vdash \text{id}_v = e' \xrightarrow{e} \perp \quad \Delta, \sigma, \sigma'_w, \Lambda' \vdash \text{for } (\text{id}_v, e, e') ss \xrightarrow{ss} \sigma''_w, \Lambda''}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{for } (\text{id}_v, e, e') ss \xrightarrow{ss} \sigma''_w, \Lambda''}$$

$\text{id}_v \in \Lambda$   
 $\Lambda(\text{id}_v) = (T, \text{val})$   
 $\Lambda_i = \Lambda(\text{id}_v) \leftarrow (T, \text{val} + 1)$

$$\text{LOOP}\top \\
 \frac{\Delta, \sigma, \Lambda_i \vdash \text{id}_v = e' \xrightarrow{e} \top}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{for } (\text{id}_v, e, e') ss \xrightarrow{ss} \sigma_w, \Lambda \setminus (\text{id}_v, \Lambda(\text{id}_v))} \quad \begin{array}{l} \text{id}_v \in \Lambda \\ \Lambda(\text{id}_v) = (T, \text{val}) \\ \Lambda_i = \Lambda(\text{id}_v) \leftarrow (T, \text{val} + 1) \end{array}$$

$$\text{LOOPINIT} \\
 \frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v' \quad \Delta, \sigma, \sigma_w, \Lambda_i \vdash \text{for } (\text{id}_v, e, e') ss \xrightarrow{ss} \sigma'_w, \Lambda' \quad \text{id}_v \notin \Lambda}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{for } (\text{id}_v, e, e') ss \xrightarrow{ss} \sigma'_w, \Lambda'} \quad \Lambda_i = \Lambda \cup (\text{id}_v, (\text{nat}(v, v'), v))$$

**Rising and falling edge block statements**

$$\begin{array}{c}
 \text{RISINGEDGEDEFAULT} \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{rising ss} \xrightarrow{ss_f} \sigma_w, \Lambda
 \end{array}
 \qquad
 \begin{array}{c}
 \text{FALLINGEDGEDEFAULT} \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash \text{falling ss} \xrightarrow{ss_f} \sigma_w, \Lambda
 \end{array}$$

$$\begin{array}{c}
 \text{RISINGEDGEEXEC} \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss_\uparrow} \sigma'_w, \Lambda'
 \end{array}
 \qquad
 \begin{array}{c}
 \text{FALLINGEDGEEXEC} \\
 \hline
 \Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss_\downarrow} \sigma'_w, \Lambda'
 \end{array}$$

## Rst block statement

$$\begin{array}{c} \text{RSTDEFAULT} \\ \frac{\Delta, \sigma, \sigma_w, \Lambda \vdash ss' \xrightarrow{ss_f} \sigma'_w, \Lambda'}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{rst ss} \ x \ x' \xrightarrow{ss_f} \sigma'_w, \Lambda'} \quad f \neq i \\ \text{RSTEXEC} \\ \frac{\Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss_i} \sigma'_w, \Lambda'}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{rst ss} \ x \ x' \xrightarrow{ss_i} \sigma'_w, \Lambda'} \end{array}$$

## Composition of sequential statements and null statement

$$\begin{array}{c} \text{SEQSTMT} \\ \frac{\Delta, \sigma, \sigma_w, \Lambda \vdash ss \xrightarrow{ss} \sigma'_w, \Lambda' \quad \Delta, \sigma, \sigma'_w, \Lambda' \vdash ss' \xrightarrow{ss} \sigma''_w, \Lambda''}{\Delta, \sigma, \sigma_w, \Lambda \vdash ss; ss' \xrightarrow{ss} \sigma''_w, \Lambda''} \quad \text{NULLSTMT} \\ \frac{}{\Delta, \sigma, \sigma_w, \Lambda \vdash \text{null} \xrightarrow{ss} \sigma_w, \Lambda} \end{array}$$

## 1.6.9 Evaluation of expressions

$$\begin{array}{c} \text{NAT} \\ \frac{}{\Delta, \sigma, \Lambda \vdash n \xrightarrow{e} n} \quad n \in \mathbb{N} \\ \text{n} \leq \text{NATMAX} \end{array} \quad \begin{array}{c} \text{FALSE} \\ \frac{}{\Delta, \sigma, \Lambda \vdash \text{false} \xrightarrow{e} \perp} \end{array} \quad \begin{array}{c} \text{TRUE} \\ \frac{}{\Delta, \sigma, \Lambda \vdash \text{true} \xrightarrow{e} \top} \end{array}$$

$$\begin{array}{c} \text{AGGREG} \\ \frac{\Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i}{\Delta, \sigma, \Lambda \vdash (e_1, \dots, e_n) \xrightarrow{e} (v_1, \dots, v_n)} \quad i = 1, \dots, n \end{array}$$

$$\begin{array}{c} \text{SIG} \\ \frac{}{\Delta, \sigma, \Lambda \vdash id_s \xrightarrow{e} \sigma(id_s)} \quad id_s \in Sigs(\Delta) \cup Ins(\Delta) \\ \text{VAR} \\ \frac{}{\Delta, \sigma, \Lambda \vdash id_v \xrightarrow{e} v} \quad id_v \in \Lambda \\ \Lambda(id_v) = (T, v) \end{array}$$

$$\begin{array}{c} \text{IDXSIG} \\ \frac{\begin{array}{c} \text{GEN} \\ \frac{}{\Delta, \sigma, \Lambda \vdash id_g \xrightarrow{e} v} \quad id_g \in Gens(\Delta) \\ \Delta(id_g) = (T, v) \end{array}}{\Delta, \sigma, \Lambda \vdash id_s(e_i) \xrightarrow{e} \text{get\_at}(i, \sigma(id_s))} \quad id_s \in Sigs(\Delta) \cup Ins(\Delta) \\ \Delta(id_s) = \text{array}(T, n, m) \\ i = v_i \bmod n \end{array}$$

$$\begin{array}{c} \text{IDXVAR} \\ \frac{\begin{array}{c} \Delta, \sigma, \Lambda \vdash e_i \xrightarrow{e} v_i \quad v_i \in_c \text{nat}(n, m) \\ id_v \in \Lambda \\ \Lambda(id_v) = (\text{array}(T, n, m), v) \end{array}}{\Delta, \sigma, \Lambda \vdash id_v(e_i) \xrightarrow{e} \text{get\_at}(i, v)} \quad i = v_i \bmod n \end{array}$$

where  $\text{get\_at}(i, a)$  is a function returning the  $i$ -th element of array  $a$ .

NATADD

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v'}{v +_{\mathbb{N}} v' \leq \text{NATMAX}} \quad \Delta, \sigma, \Lambda \vdash e + e' \xrightarrow{e} v +_{\mathbb{N}} v'$$

NATSUB

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v'}{v \geq v'} \quad \Delta, \sigma, \Lambda \vdash e - e' \xrightarrow{e} v -_{\mathbb{N}} v'$$

ORDOP

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v'}{\Delta, \sigma, \Lambda \vdash e \text{ op}_{ordn} e' \xrightarrow{e} v \text{ op}_{ordn} v'} \quad \text{op}_{ordn} \in \{<, \leq, >, \geq\}$$

BOOLBINOOP

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v'}{\Delta, \sigma, \Lambda \vdash e \text{ op}_{bool} e' \xrightarrow{e} v \text{ op}_{\mathbb{B}} v'} \quad \text{op}_{bool} \in \{\text{and}, \text{or}\} \quad \frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v}{\Delta, \sigma, \Lambda \vdash \text{not } e \xrightarrow{e} \neg v} \quad \text{NOTOP}$$

EQOP

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v \quad \Delta, \sigma, \Lambda \vdash e' \xrightarrow{e} v'}{\Delta, \sigma, \Lambda \vdash e = e' \xrightarrow{e} eq(v, v')}$$

DIFFOP

$$\frac{\Delta, \sigma, \Lambda \vdash e = e' \xrightarrow{e} v}{\Delta, \sigma, \Lambda \vdash e \neq e' \xrightarrow{e} \neg v}$$

where  $eq$  is the equality relation established for all types defined in the semantics.

PARENTH

$$\frac{\Delta, \sigma, \Lambda \vdash e \xrightarrow{e} v}{\Delta, \sigma, \Lambda \vdash (e) \xrightarrow{e} v}$$



## Appendix A

# The place design in concrete and abstract VHDL syntax

```

1  entity place is
2    generic(
3      input_arcs_number : natural := 1;
4      output_arcs_number : natural := 1;
5      maximal_marking : natural := 1
6    );
7    port(
8      clock : in std_logic;
9      reset_n : in std_logic;
10     initial_marking : in natural range 0 to maximal_marking;
11     input_arcs_weights : in weight_vector_t(input_arcs_number1 downto 0);
12     output_arcs_types : in arc_vector_t(output_arcs_number1 downto 0);
13     output_arcs_weights : in weight_vector_t(output_arcs_number1 downto 0);
14     input_transitions_fired : in std_logic_vector(input_arcs_number1 downto 0);
15     output_transitions_fired : in std_logic_vector(output_arcs_number1 downto 0);
16     output_arcs_valid : out std_logic_vector(output_arcs_number1 downto 0);
17     priority_authorizations : out std_logic_vector(output_arcs_number1 downto 0);
18     reinit_transitions_time : out std_logic_vector(output_arcs_number1 downto 0);
19     marked : out std_logic
20   );
21 end place;
22
23 architecture place_architecture of place is
24
25   subtype local_weight_t is natural range 0 to maximal_marking;
26
27   signal s_input_token_sum : local_weight_t;
28   signal s_marking : local_weight_t;
29   signal s_output_token_sum : local_weight_t;
30
31 begin
32

```

```

33
34 input_tokens_sum:process(input_arcs_weights, input_transitions_fired)
35   variable v_internal_input_token_sum:local_weight_t;
36 begin
37   v_internal_input_token_sum:=0;
38
39   for i in 0 to input_arcs_number 1 loop
40     if (input_transitions_fired(i) = '1') then
41
42       v_internal_input_token_sum:=v_internal_input_token_sum + input_arcs_weights(i)
43       ;
44
45   end if;
46   end loop;
47
48   s_input_token_sum <= v_internal_input_token_sum;
49 end process input_tokens_sum;
50
51 output_tokens_sum:process(output_arcs_types, output_arcs_weights,
52   output_transitions_fired)
53   variable v_internal_output_token_sum:local_weight_t;
54 begin
55   v_internal_output_token_sum:=0;
56
57   for i in 0 to output_arcs_number 1 loop
58     if (output_transitions_fired(i) = '1' and output_arcs_types(i) = arc_t(BASIC)) then
59       v_internal_output_token_sum:=v_internal_output_token_sum +
60         output_arcs_weights(i);
61     end if;
62   end loop;
63
64   s_output_token_sum <= v_internal_output_token_sum;
65 end process output_tokens_sum;
66
67 marking:process(clock, reset_n, initial_marking)
68 begin
69   if (reset_n = '0') then
70     s_marking <= initial_marking;
71   elsif rising_edge(clock) then
72     s_marking <= s_marking + (s_input_token_sum s_output_token_sum);
73   end if;
74 end process marking;
75
76 determine_marked:process(s_marking)
77 begin
78   if (s_marking = 0) then
79     marked <= '0';

```

```

77     else
78         marked <= '1';
79     end if;
80 end process determine_marked;
81
82 marking_validation_evaluation : process(output_arcs_types, output_arcs_weights,
83                                         s_marking)
83 begin
84     for i in 0 to output_arcs_number 1 loop
85         if (((output_arcs_types(i) = arc_t(BASIC)) or (output_arcs_types(i) = arc_t(TEST)))
86             and (s_marking >= output_arcs_weights(i)))
87             or ((output_arcs_types(i) = arc_t(INHIBITOR)) and (s_marking <
88                   output_arcs_weights(i)))
89         then
90             output_arcs_valid(i) <= '1';
91         else
92             output_arcs_valid(i) <= '0';
93         end if;
94     end loop;
93 end process marking_validation_evaluation;
94
95 priority_evaluation : process(output_arcs_types, output_arcs_weights,
96                               output_transitions_fired, s_marking)
96 variable v_saved_output_token_sum : local_weight_t;
97 begin
98     v_saved_output_token_sum := 0;
99
100    for i in 0 to output_arcs_number 1 loop
101        if (s_marking >= v_saved_output_token_sum + output_arcs_weights(i)) then
102            priority_authorizations(i) <= '1';
103        else
104            priority_authorizations(i) <= '0';
105        end if;
106
107        if ((output_transitions_fired(i) = '1') and (output_arcs_types(i) = arc_t(BASIC)))
108            then
109                v_saved_output_token_sum := v_saved_output_token_sum + output_arcs_weights(i);
110            end if;
111
112    end loop;
112 end process priority_evaluation;
113
114 reinit_transitions_time_evaluation : process(clock, reset_n)
115 begin
116     if (reset_n = '0') then
117         reinit_transitions_time <= (others => '0');
118     elsif rising_edge(clock) then

```

```

119    for i in 0 to output_arcs_number 1 loop
120        if ( (((output_arcs_types(i) = arc_t(BASIC)) or (output_arcs_types(i) = arc_t(TEST)))
121            and (s_marking_s_output_token_sum < output_arcs_weights(i))
122            and (s_output_token_sum > 0))
123            or output_transitions_fired(i) = '1' )
124        then
125            reinit_transitions_time(i) <= '1';
126        else
127            reinit_transitions_time(i) <= '0';
128        end if;
129        end loop;
130    end if;
131    end process reinit_transitions_time_evaluation;
132
133 end place_architecture;

```

LISTING A.1: The place design in concrete VHDL syntax.

## Appendix B

# The transition design in concrete and abstract VHDL syntax

```

1  entity transition is
2    generic(
3      transition_type : transition_t := NOT_TEMPORAL;
4      input_arcs_number : natural := 1;
5      conditions_number : natural := 1;
6      maximal_time_counter : natural := 1
7    );
8    port(
9      clock : in std_logic;
10     reset_n : in std_logic;
11     input_conditions : in std_logic_vector(conditions_number1 downto 0);
12     time_A_value : in natural range 0 to maximal_time_counter;
13     time_B_value : in natural range 0 to maximal_time_counter;
14     input_arcs_valid : in std_logic_vector(input_arcs_number1 downto 0);
15     reinit_time : in std_logic_vector(input_arcs_number1 downto 0);
16     priority_authorizations : in std_logic_vector(input_arcs_number1 downto 0);
17     fired : out std_logic
18   );
19 end transition;
20
21 architecture transition_architecture of transition is
22
23   signal s_condition_combination : std_logic;
24   signal s_enabled : std_logic;
25   signal s_firable : std_logic;
26   signal s_firing_condition : std_logic;
27   signal s_priority_combination : std_logic;
28   signal s_reinit_time_counter : std_logic;
29   signal s_time_counter : natural range 0 to maximal_time_counter;
30
31 begin
32

```

```

33 condition_evaluation: process(input_conditions)
34   variable v_internal_condition: std_logic;
35 begin
36   v_internal_condition := '1';
37
38   for i in 0 to conditions_number 1 loop
39     v_internal_condition := v_internal_condition and input_conditions(i);
40   end loop;
41
42   s_condition_combination <= v_internal_condition;
43 end process condition_evaluation;
44
45 enable_evaluation: process(input_arcs_valid)
46   variable v_internal_enabled: std_logic;
47 begin
48   v_internal_enabled := '1';
49
50   for i in 0 to input_arcs_number 1 loop
51     v_internal_enabled := v_internal_enabled and input_arcs_valid(i);
52   end loop;
53
54   s_enabled <= v_internal_enabled;
55 end process enable_evaluation;
56
57 reinit_time_counter_evaluation: process(reinit_time, s_enabled)
58   variable v_internal_reinit_time_counter: std_logic;
59 begin
60   v_internal_reinit_time_counter := '0';
61
62   for i in 0 to input_arcs_number 1 loop
63     v_internal_reinit_time_counter := v_internal_reinit_time_counter or reinit_time(i)
64     ;
65   end loop;
66
67   s_reinit_time_counter <= v_internal_reinit_time_counter;
68 end process reinit_time_counter_evaluation;
69
70 time_counter: process(reset_n, clock)
71 begin
72   if (reset_n = '0') then
73     s_time_counter <= 0;
74   elsif falling_edge(clock) then
75     if ((s_enabled = '1') and (transition_type /= transition_t(NOT_TEMPORAL))) then
76       if (s_reinit_time_counter = '0') then
77         if (s_time_counter < maximal_time_counter) then
78           s_time_counter <= s_time_counter + 1;
79         end if;
80       end if;
81     end if;
82   end if;
83 end process;

```

```

79      else
80          s_time_counter <= 1;
81      end if;
82      else
83          s_time_counter <= 0;
84      end if;
85      end if;
86  end process time_counter;
87
88  firing_condition_evaluation: process (s_enabled, s_condition_combination,
89                                         s_reinit_time_counter, s_time_counter)
90  begin
91      if ((s_condition_combination = '1')
92          and (s_enabled = '1')
93          and ((transition_type = transition_t(NOT_TEMPORAL))
94
95              or ((transition_type = transition_t(TEMPORAL_A_B))
96                  and (s_reinit_time_counter = '0')
97                  and (s_time_counter >= (time_A_value1))
98                  and (s_time_counter < time_B_value)
99                  and (time_A_value /= 0)
100                 and (time_B_value /= 0)))
101
102              or ((s_reinit_time_counter = '0')
103                  and (time_A_value /= 0)
104                  and ((transition_type = transition_t(TEMPORAL_A_A))
105                      and (s_time_counter = (time_A_value1)))
106                      or ((transition_type = transition_t(TEMPORAL_A_INFINITE))
107                          and (s_time_counter >= (time_A_value1)))
108
109              or ((transition_type /= transition_t(NOT_TEMPORAL))
110                  and (s_reinit_time_counter = '1')
111                  and (time_A_value = 1))
112
113      ) then
114          s_firing_condition <= '1';
115      else
116          s_firing_condition <= '0';
117      end if;
118  end process firing_condition_evaluation;
119
120  priority_authorization_evaluation: process(priority_authorizations)
121      variable v_priority_combination: std_logic;
122  begin
123      v_priority_combination := '1';
124

```

```

125   for i in 0 to input_arcs_number - 1 loop
126     v_priority_combination := v_priority_combination and priority_authorizations(i);
127   end loop;
128
129   s_priority_combination <= v_priority_combination;
130 end process priority_authorization_evaluation;
131
132 firable : process(reset_n, clock)
133 begin
134   if (reset_n = '0') then
135     s_firable <= '0';
136   elsif falling_edge(clock) then
137     s_firable <= s_firing_condition;
138   end if;
139 end process firable;
140
141 fired_evaluation : process (s_firable, s_priority_combination)
142 begin
143   fired <= s_firable and s_priority_combination;
144 end process fired_evaluation;
145
146 end transition_architecture;

```

LISTING B.1: The transition design in concrete VHDL syntax.

# Bibliography

- [1] Dominique Borrione and Ashraf Salem. "Denotational Semantics of a Synchronous VHDL Subset". In: *Formal Methods in System Design* 7.1-2 (Aug. 1995), pp. 53–71. ISSN: 0925-9856, 1572-8102. DOI: [10.1007/BF01383873](https://doi.org/10.1007/BF01383873). URL: <http://link.springer.com/10.1007/BF01383873> (visited on 09/18/2019).
- [2] David Déharbe and Dominique Borrione. "Semantics of a Verification-Oriented Subset of VHDL". In: *Correct Hardware Design and Verification Methods*. Advanced Research Working Conference on Correct Hardware Design and Verification Methods. Springer, Berlin, Heidelberg, Oct. 2, 1995, pp. 293–310. DOI: [10.1007/3-540-60385-9\\_18](https://doi.org/10.1007/3-540-60385-9_18). URL: [https://link.springer.com/chapter/10.1007/3-540-60385-9\\_18](https://link.springer.com/chapter/10.1007/3-540-60385-9_18) (visited on 04/01/2020).
- [3] IEEE Computer Society et al. *IEEE Standard VHDL Language Reference Manual*. New York, N.Y.: Institute of Electrical and Electronics Engineers, 2000. ISBN: 978-0-7381-1948-9 978-0-7381-1949-6. URL: <http://ieeexplore.ieee.org/lpdocs/epic03/standards.htm> (visited on 09/16/2019).
- [4] "IEEE Standard Multivalue Logic System for VHDL Model Interoperability (Std\_logic\_1164)". In: *IEEE Std 1164-1993* (May 1993), pp. 1–24. DOI: [10.1109/IEEESTD.1993.115571](https://doi.org/10.1109/IEEESTD.1993.115571).
- [5] John P. Van Tassel. "An Operational Semantics for a Subset of VHDL". In: *Formal Semantics for VHDL*. Ed. by Carlos Delgado Kloos and Peter T. Breuer. Red. by Jonathan Allen. Vol. 307. Boston, MA: Springer US, 1995, pp. 71–106. ISBN: 978-1-4613-5941-8 978-1-4615-2237-9. DOI: [10.1007/978-1-4615-2237-9\\_4](https://doi.org/10.1007/978-1-4615-2237-9_4). URL: [http://link.springer.com/10.1007/978-1-4615-2237-9\\_4](http://link.springer.com/10.1007/978-1-4615-2237-9_4) (visited on 09/12/2019).