Formal Specification in VHDL for Hardware Verification

Ralf Reetz (Verysys GmbH, Rudower Chaussee 5, D-12489 Berlin, Germany, ralf@verysys.com)
Klaus Schneider and Thomas Kropf (Institut für Rechnerentwurf und Fehlertoleranz, Universität Karlsruhe, D-76128 Karlsruhe, Germany, Klaus.Schneider@informatik.uni-karlsruhe.de, Thomas.Kropf@informatik.uni-karlsruhe.de)

Abstract

In this paper, we enrich VHDL with new specification constructs intended for hardware verification. Using our extensions, total correctness properties may now be stated, whereas only partial correctness can be expressed using the standard VHDL assert statement. All relevant properties can now be specified in such a way that the designer does not need to use formalisms like temporal logics. As the specifications are independent of a particular formalism, there is no restriction to a particular hardware verification approach.

1 Introduction

As VHDL [1] is an important IEEE standard for describing digital circuits, many commercial design tools are based on this hardware description language. Originally created for simulation, the language has recently also been used for formal verification [2] to ensure the correctness of designs. However, VHDL itself is only intended for describing the implementation of a system for synthesis or simulation. For capturing the system specification, only the assert statement is provided, and its purpose is to simplify the analysis of lengthy simulation results. Due to this original purpose, only simple safety properties can be stated, which is not sufficient for formal hardware verification. For verification, at least additional constructs for specifying liveness and fairness properties are required, to state that some event will actually happen once or infinitely often. Moreover, the environment of the design, reflecting all reasonable inputs to the design, has to be modeled appropriately.
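As an added illustration of the limitation described above (this is not code from the paper or from the FLOWER tool), the following standard VHDL test bench checks a safety property and a bounded-response property of a hypothetical handshake circuit with the built-in assert statement. The unbounded liveness property "every request is eventually acknowledged" has no such formulation, since there is no finite simulation time at which its violation could be reported. The entity tb_handshake, its signals, the design under test and the stimulus are all constructed for this example.

```vhdl
-- Added example, not from the paper: what the standard VHDL assert can
-- and cannot express. Entity, signals, DUT and stimulus are constructed here.
library ieee;
use ieee.std_logic_1164.all;

entity tb_handshake is
end entity tb_handshake;

architecture sim of tb_handshake is
  signal clk : std_logic := '0';
  signal rst : std_logic := '1';
  signal req : std_logic := '0';
  signal ack : std_logic := '0';
begin
  -- Constructed clock with a 10 ns period.
  clk <= not clk after 5 ns;

  -- Hypothetical design under test: acknowledges a request one cycle later.
  dut : process (clk)
  begin
    if rising_edge(clk) then
      if rst = '1' then
        ack <= '0';
      else
        ack <= req;
      end if;
    end if;
  end process dut;

  -- Constructed stimulus: release reset, then raise req for two cycles.
  stim : process
  begin
    wait for 20 ns;
    rst <= '0';
    wait until rising_edge(clk);
    req <= '1';
    wait until rising_edge(clk);
    wait until rising_edge(clk);
    req <= '0';
    wait;
  end process stim;

  -- Safety property, expressible with a concurrent assert: a violation is
  -- observable at one simulation time, so the assert can fail right there.
  no_ack_in_reset : assert not (rst = '1' and ack = '1')
    report "ack raised while in reset"
    severity error;

  -- Bounded response, still expressible: count cycles with a request
  -- pending and fail as soon as the bound is exceeded.
  bounded_response : process (clk)
    variable pending : natural := 0;
  begin
    if rising_edge(clk) then
      if req = '1' and ack = '0' then
        pending := pending + 1;
      else
        pending := 0;
      end if;
      assert pending <= 3
        report "request not acknowledged within 3 cycles"
        severity error;
    end if;
  end process bounded_response;

  -- Unbounded liveness ("every req is eventually acked") cannot be written
  -- with assert: no finite simulation time witnesses its violation, so a
  -- run that never acknowledges passes silently.
end architecture sim;
```

The bounded check only works because a cycle bound was chosen by hand; dropping the bound turns the property into the liveness statement that the paper's additional constructs are meant to capture.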
In this paper, we propose to enrich VHDL with new constructs in such a way that all the necessary specifications can be written directly in a slightly extended VHDL. The extension is based on a verification scenario, called a verification bench, in strong analogy to the usual simulation scenario, known as a test bench. Furthermore, we significantly extend the existing specification capabilities of VHDL: the existing assert statement only allows capturing partial correctness, whereas our extension also allows specifying total correctness of VHDL programs, i.e. the verification of program termination is now possible. We have incorporated the new constructs as part of the tool FLOWER, which is an experimental environment for the formal semantics and verification of VHDL [3]. As we are aware that existing design tools do not support our extensions, means for translating the extended VHDL sources into standard VHDL are given.

The paper is structured as follows. First, we give a brief overview of other approaches to VHDL verification. Then, we present the verification scenario, based on the verification bench, and the new specification constructs with their syntax and semantics. We then give some examples and conclude the paper with some remarks on further directions of research.

2 State of the Art

The basis of all formal approaches to VHDL is a formal semantics of VHDL. Unfortunately, the IEEE standard for VHDL does not provide one, so various approaches to giving a formal semantics to VHDL have been investigated [4, 5, 3]. For brevity and conciseness of the paper, we assume that a formal semantics for VHDL based on transition systems, as presented e.g. in [3], is given and focus only on the semantics of our new constructs.

In general, two approaches to hardware verification can be distinguished: verifying the equivalence of two implementations, and property verification. For the former, standard VHDL is sufficient, as only two implementation descriptions are necessary. Different tools from companies like AHL, CHRYSALIS, VERYSYS etc. are already avail-