# Π-Ware: An Embedded Hardware Description Language using Dependent Types

Author: João Paulo Pizani Flor

<joaopizani@uu.nl>

Supervisor: Wouter Swierstra

<w.s.swierstra@uu.nl>

Department of Information and Computing Sciences
Utrecht University

Tuesday 26<sup>th</sup> August, 2014

## Table of Contents

- Introduction
  - What is Π-Ware
  - Background
- Research Question
  - Question
  - Method
- DTP / Agda
  - Big picture
  - Agda
- Π-Ware
  - Syntax
  - Semantics
  - Proofs
- Conclusions
  - Limitations
  - Future work



## What is Π-Ware

- Π-Ware is a...




## Hardware design is hard(er)

- Strict(er) correctness requirements
  - You can't simply update a full-custom chip after production
    - Intel FDIV bug
  - Expensive verification / validation (up to 50% of development costs)
- Low-level details (more) important
  - Layout / area
  - Power consumption / fault tolerance




## Hardware design is growing

- Moore's law will still apply for some time
  - We can keep packing more transistors into the same silicon area
- **But** optimizations in CPUs display diminishing returns
  - Thus, more algorithms directly in hardware




## Hardware Description Languages

- All started in the 1980s
- De facto industry standards: VHDL and Verilog
- Were intended for *simulation*, not modelling or synthesis
  - Unsynthesizable constructs
  - Widely variable tool support




## Functional Programming

- Easier to reason about program properties
- Inherently parallel and stateless semantics
  - In contrast to imperative programming




## Functional Hardware Description

- A functional program describes a circuit
- Several *functional* Hardware Description Languages (HDLs) during the 1980s
  - For example, μFP [Sheeran, 1984]
- Later, embedded hardware Domain-Specific Languages (DSLs)
  - For example, Lava (Haskell) [Bjesse et al., 1998]




## Embedded DSLs for Hardware

- Lava
  - Simulation / Synthesis / Verification
- Limitations
  - Low-level types
  - No size checks




Dependently-Typed Programming (DTP) is a programming technique...






## Research Question

"What are the improvements that DTP can bring to hardware design?"




## Methodology

- Develop a hardware DSL, embedded in a dependently-typed language (Agda)
  - Called **Π-Ware**
  - allowing simulation, synthesis and verification




- Disclaimer: suspend disbelief in syntax
  - Examples are in Agda
  - Syntax similar to Haskell, details further ahead
- Types can depend on values
  - Example: `data Vec (α : Set) : ℕ → Set where ...`
  - Compare with Haskell (GADT style): `data List :: * -> * where ...`
- Types of arguments can depend on *values of previous* arguments
  - Ensure a "safe" domain
  - `take : (m : ℕ) → Vec α (m + n) → Vec α m`




- Type checking requires *evaluation* of functions
  - We want Vec Bool (2 + 2) to unify with Vec Bool 4
- Consequence: all functions must be total
- Termination checker (heuristics)
  - Structurally-decreasing recursion
  - This passes the check:

```
add : ℕ → ℕ → ℕ
add zero     y = y
add (suc x') y = suc (add x' y)
```

- This does not:

```
silly : ℕ → ℕ
silly zero     = zero
silly (suc n') = silly ⌊ n' /2⌋
```




- Dependent pattern matching can *rule out* impossible cases
  - Classic example: the safe head function

```
head : Vec α (suc n) → α
head (x ∷ xs) = x
```

- The **only** constructor returning Vec α (suc n) is _∷_




## Dependent types as logic

- Programming language / theorem prover
  - Types as propositions, terms as proofs [Wadler, 2014]
- Example:
  - Given the relation:

```
data _≤_ : ℕ → ℕ → Set where
  z≤n : ∀ {n}   → zero ≤ n
  s≤s : ∀ {m n} → m ≤ n → suc m ≤ suc n
```

- Proposition:

```
twoLEQFour : 2 ≤ 4
```

- Proof:

```
twoLEQFour = s≤s (s≤s z≤n)

-- the same term with the type of each subterm made explicit:
s≤s (s≤s (z≤n : 0 ≤ 2) : 1 ≤ 3) : 2 ≤ 4
```






## Agda syntax for Haskell programmers

- Liberal identifier lexing (Unicode everywhere)
  - `a≡b+c` is a valid identifier, `a ≡ b + c` an expression
  - Used a lot in Agda's standard library: ×, ⊎, ∧
  - And in Π-Ware: ℂ, ⟦_⟧, ⇓, ⇑
- Mixfix notation
  - `_[_]≔_` is the vector update function: `v [ # 3 ] ≔ true`
  - `_[_]≔_ v (# 3) true ⇔ v [ # 3 ] ≔ true`
- Almost nothing built-in
  - `_+_ : ℕ → ℕ → ℕ` is defined in Data.Nat
  - `if_then_else_ : Bool → α → α → α` is defined in Data.Bool




## Agda syntax for Haskell programmers

- Implicit arguments
  - Don't have to be passed if Agda can infer them
  - Syntax: `ε : {α : Set} → Vec α zero`
- "For all" syntax: `∀ n ⇔ (n : _)`
  - Where `_` means: infer this type (based on the other arguments)
  - Example, given `data _≤_ : ℕ → ℕ → Set`:
    - `∀ n → zero ≤ n`
- It's common to combine both:
  - `∀ {α n} → Vec α (suc n) → α ⇔ {α : _} {n : _} → Vec α (suc n) → α`




## Low-level circuits

- Structural representation
- Untyped but sized

```
data ℂ' : ℕ → ℕ → Set
data ℂ' where
  Nil       : ℂ' zero zero
  Gate      : (g# : Gates#) → ℂ' (|in| g#) (|out| g#)
  Plug      : ∀ {i o} → (f : Fin o → Fin i) → ℂ' i o
  DelayLoop : (c : ℂ' (i + l) (o + l)) {comb' c} → ℂ' i o
```



## Atoms

- How to carry values of an Agda type in *one* wire
- Defined by the Atomic type class in PiWare.Atom

```
record Atomic : Set₁ where
  field
    Atom      : Set
    |Atom|-1  : ℕ
    n→atom    : Fin (suc |Atom|-1) → Atom
    atom→n    : Atom → Fin (suc |Atom|-1)
    inv-left  : ∀ i → atom→n (n→atom i) ≡ i
    inv-right : ∀ a → n→atom (atom→n a) ≡ a

  |Atom| = suc |Atom|-1
  Atom#  = Fin |Atom|
```




## Atomic instances

- Examples of types that can be Atomic
  - Bool, std_logic, other multi-valued logics
  - Predefined in the library: PiWare.Atom.Bool
- First, define how many atoms we are interested in
  - Need at least 1 (the reason comes later)

```
|B|-1 = 1
|B|   = suc |B|-1
```

- Friendlier names for the indices (elements of Fin 2)

```
pattern False# = Fz
pattern True#  = Fs Fz
```




## Atomic instance (Bool)

- Bijection between {n ∈ ℕ | n < 2} (Fin 2) and Bool

```
n→B = λ { False# → false; True# → true }
B→n = λ { false → False#; true → True# }
```

- Proof that n→B and B→n are inverses

```
inv-left-B  = λ { False# → refl; True# → refl }
inv-right-B = λ { false → refl; true → refl }
```

- With all pieces at hand, we construct the instance

```
Atomic-B = record { Atom      = B
                  ; |Atom|-1  = |B|-1
                  ; n→atom    = n→B
                  ; atom→n    = B→n
                  ; inv-left  = inv-left-B
                  ; inv-right = inv-right-B }
```


## Gates

- Circuits are parameterized by a collection of *fundamental gates*
- Examples:
  - {NOT, AND, OR} (BoolTrio)
  - {NAND}
  - Arithmetic, crypto, etc.
- The definition of what it means to be such a collection is in PiWare.Gates.Gates




## The Gates type class

```
W : ℕ → Set
W = Vec Atom

record Gates : Set where
  field
    |Gates|    : ℕ
    |in| |out| : Fin |Gates| → ℕ
    spec       : (g : Fin |Gates|) → (W (|in| g) → W (|out| g))

  Gates# = Fin |Gates|
```


## Gates instances

- Example: PiWare.Gates.BoolTrio
- First, how many gates are there in the library

```
|BoolTrio| = 5
```

- Then the friendlier names for the indices

```
pattern FalseConst# = Fz
pattern TrueConst#  = Fs Fz
pattern Not#        = Fs (Fs Fz)
pattern And#        = Fs (Fs (Fs Fz))
pattern Or#         = Fs (Fs (Fs (Fs Fz)))
```




## Gates instance (BoolTrio)

- Defining the *interfaces* of the gates

```
|in| FalseConst# = 0
|in| TrueConst#  = 0
|in| Not#        = 1
|in| And#        = 2
|in| Or#         = 2

|out| _ = 1
```

- And the specification function for each gate

```
spec-false _           = [ false ]
spec-true  _           = [ true ]
spec-not   (x ∷ ε)     = [ not x ]
spec-and   (x ∷ y ∷ ε) = [ x ∧ y ]
spec-or    (x ∷ y ∷ ε) = [ x ∨ y ]
```




## Gates instance (BoolTrio)

- Mapping each gate index to its respective specification

```
specs-BoolTrio FalseConst# = spec-false
specs-BoolTrio TrueConst#  = spec-true
specs-BoolTrio Not#        = spec-not
specs-BoolTrio And#        = spec-and
specs-BoolTrio Or#         = spec-or
```

- With all pieces at hand, we construct the instance




## High-level circuits

- The user is not supposed to describe circuits at the low level (ℂ')
- The high-level circuit type (ℂ) allows for typed circuit interfaces
  - Input and output indices are Agda types

```
data ℂ (α β : Set) {i j : ℕ} : Set where
  Mkℂ : ⦃ sα : ⇓W⇑ α {i} ⦄ ⦃ sβ : ⇓W⇑ β {j} ⦄
      → ℂ' i j → ℂ α β {i} {j}
```

- Mkℂ takes:
  - A low-level description (ℂ')
  - Information on how to synthesize elements of α and β
    - Passed as instance arguments (class constraints)




## Synthesizable

- Describes how to synthesize a given Agda type (α)
  - Two fields: from an element of α to a word and back

```
record ⇓W⇑ (α : Set) {i : ℕ} : Set where
  constructor ⇓W⇑[_,_]
  field
    ⇓ : α → W i
    ⇑ : W i → α
```




## ⇓W⇑ instances

- Any finite type can have such an instance
- Predefined in the library: Bool; ×; ⊎; Vec
- Example: instance for products (×)

```
⇓W⇑-× : {sα : ⇓W⇑ α {i}} {sβ : ⇓W⇑ β {j}} → ⇓W⇑ (α × β)
⇓W⇑-× {α} {i} {β} {j} {sα} {sβ} = ⇓W⇑[ down , up ]
  where down : (α × β) → W (i + j)
        down (a , b) = (⇓ a) ++ (⇓ b)

        up : W (i + j) → (α × β)
        up w with splitAt i w
        up .(⇓a ++ ⇓b) | ⇓a , ⇓b , refl = ⇑ ⇓a , ⇑ ⇓b
```




## Synthesizable

- Both fields ⇓ and ⇑ should be inverses of each other




## Circuit semantics

- Synthesis semantics: produce a netlist
  - Tool integration / implement in FPGA or ASIC
- Simulation semantics: execute a circuit
  - Given a circuit model and inputs, calculate the outputs
- Other semantics possible:
  - Timing analysis, power estimation, etc.
  - This possibility guided Π-Ware's development




## Synthesis semantics

- Netlist: digraph with *gates* as nodes and *buses* as edges
- Synthesis semantics: given the netlists of the subcircuits, build their combination

```
Nil : ℂ' 0 0

i o : ℕ    f : Fin o → Fin i
-----------------------------
Plug f : ℂ' i o

g# : Gates#
----------------------------------
Gate g# : ℂ' (|in| g#) (|out| g#)

c : ℂ' (i + l) (o + l)
-----------------------
DelayLoop c : ℂ' i o
```










## Synthesis semantics

```
c₁ : ℂ' i m    c₂ : ℂ' m o
---------------------------
c₁ ⟫' c₂ : ℂ' i o

c₁ : ℂ' i₁ o₁    c₂ : ℂ' i₂ o₂
---------------------------------
c₁ |' c₂ : ℂ' (i₁ + i₂) (o₁ + o₂)

c₁ : ℂ' i₁ o    c₂ : ℂ' i₂ o
---------------------------------
c₁ |+' c₂ : ℂ' (1 + (i₁ ⊔ i₂)) o
```








## Synthesis semantics

#### Missing "pieces":

- Adapt Atomic
  - New field: a VHDLTypeDecl
    - Such as: `type ident is (elem1, elem2);`
    - Enumerations, integers (ranges), records
  - New field: `atomVHDL : Atom# → VHDLExpr`
- Adapt Gates
  - For each gate, a corresponding VHDLEntity
  - `netlist : (g# : Gates#) → VHDLEntity (|in| g#) (|out| g#)`
    - The VHDL entity has the interface of the corresponding gate




## Simulation semantics

- Two levels of abstraction
  - High-level simulation (⟦_⟧) for high-level circuits (ℂ)
  - Low-level simulation (⟦_⟧') for low-level circuits (ℂ')
- Two kinds of simulation
  - Combinational simulation (⟦_⟧) for stateless circuits
  - Sequential simulation (⟦_⟧*) for stateful circuits
- The high level is defined in terms of the low level




## Combinational simulation (excerpt)

```
⟦_⟧' : ∀ {i o} → (c : ℂ' i o) {p : comb' c} → (W i → W o)
⟦ Nil ⟧'                        = const ε
⟦ Gate g# ⟧'                    = spec g#
⟦ Plug p ⟧'                     = plugOutputs p
⟦ DelayLoop c ⟧' {()} v
⟦ c₁ ⟫' c₂ ⟧' {p₁ , p₂}         = ⟦ c₂ ⟧' {p₂} ∘ ⟦ c₁ ⟧' {p₁}
⟦ _|+'_ {i₁} c₁ c₂ ⟧' {p₁ , p₂} =
    [ ⟦ c₁ ⟧' {p₁} , ⟦ c₂ ⟧' {p₂} ]′ ∘ untag {i₁}
```

#### Remarks:

- A proof that c is combinational is required
- The Gate case uses the specification function
- The DelayLoop case can be discharged (absurd pattern: no combinational proof exists)




## Sequential simulation

- Inputs and outputs become Streams
  - ℂ' i o ⟹ Stream (W i) → Stream (W o)
  - Stream: infinite list
- We can't write a recursive evaluation function over Streams
  - The sum case (_|+'_) needs (Stream (α ⊎ β) → Stream α × Stream β)
    - What if there are no lefts (or rights)?
- A stream function is not an accurate model for hardware
  - A function of type (Stream α → Stream β) can "look ahead"
  - For example, tail (x₀ ∷ x₁ ∷ x₂ ∷ xs) = x₁ ∷ x₂ ∷ xs




## Causal stream functions

- Solution: sequential simulation based on a *causal* stream function

#### Some definitions:

- Causal context: past + present values

```
Γc : (α : Set) → Set
Γc α = α × List α
```

- Causal stream function: produces **one** (current) output

```
_⇒c_ : (α β : Set) → Set
α ⇒c β = Γc α → β
```




## Causal sequential simulation

- Core sequential simulation function (the sequence case):

```
⟦ c₁ ⟫' c₂ ⟧c = ⟦ c₂ ⟧c ∘ map⁺ ⟦ c₁ ⟧c ∘ tails⁺
```

- Nil, Gate and Plug cases use combinational simulation
- DelayLoop calls a recursive helper (delay)
- Example structural case: _⟫'_ (sequence)
  - The context of ⟦ c₁ ⟧c is the context of the whole compound
  - The context of ⟦ c₂ ⟧c is the past and present *outputs* of c₁


## Sequential simulation

- We can then "run" the step-by-step function to produce a whole Stream
  - Idea from "The Essence of Dataflow Programming" [Uustalu and Vene, 2005]

```
runc' : (α ⇒c β) → (Γc α × Stream α) → Stream β
runc' f ((x⁰ , x⁻) , (x¹ ∷ x⁺)) =
  f (x⁰ , x⁻) ∷ ♯ runc' f ((x¹ , x⁰ ∷ x⁻) , ♭ x⁺)

runc : (α ⇒c β) → (Stream α → Stream β)
runc f (x⁰ ∷ x⁺) = runc' f ((x⁰ , []) , ♭ x⁺)
```

- Obtaining the stream-based simulation function:

```
⟦_⟧*' : ∀ {i o} → ℂ' i o → (Stream (W i) → Stream (W o))
⟦_⟧*' = runc ∘ ⟦_⟧c
```




## Properties of circuits

- Tests and proofs about circuits depend on the *semantics*
  - We focused on the functional simulation semantics
  - Other possibilities (gate count, critical path, etc.)
- Very simple sample circuit to illustrate: XOR



## Sample circuit: XOR

```
⊻ℂ : ℂ (B × B) B
⊻ℂ = pFork×
   ⟫ ((¬ℂ || idℂ ⟫ ∧ℂ) || (idℂ || ¬ℂ ⟫ ∧ℂ))
   ⟫ ∨ℂ
```




## Specification of XOR

- To define correctness we need a specification function
  - Listing all possibilities (truth table)
  - Based on pre-existing functions (standard library)
- Truth table

```
⊻ℂ-spec-table : (B × B) → B
⊻ℂ-spec-table (false , false) = false
⊻ℂ-spec-table (false , true ) = true
⊻ℂ-spec-table (true  , false) = true
⊻ℂ-spec-table (true  , true ) = false
```




## Proof of XOR (truth table)

- Proof by case analysis
- Could be automated (reflection)

```
⊻ℂ-proof-table : ∀ a b → ⟦ ⊻ℂ ⟧ (a , b) ≡ ⊻ℂ-spec-table (a , b)
⊻ℂ-proof-table false false = refl
⊻ℂ-proof-table false true  = refl
⊻ℂ-proof-table true  false = refl
⊻ℂ-proof-table true  true  = refl
```




## Specification of XOR

- Based on (_xor_) from Data.Bool

```
_xor_ : B → B → B
true  xor b = not b
false xor b = b
```

- Adapted interface to match exactly ⊻ℂ

```
⊻ℂ-spec-subfunc : (B × B) → B
⊻ℂ-spec-subfunc = uncurry′ _xor_
```




## Proof of XOR (pre-existing)

- Proof based on ⊻ℂ-spec-subfunc

```
⊻ℂ-proof-subfunc : ∀ a b → ⟦ ⊻ℂ ⟧ (a , b) ≡ ⊻ℂ-spec-subfunc (a , b)
```

- Need a lemma to complete the proof
  - The circuit is defined using {NOT, AND, OR}
  - xor is defined directly by pattern matching

```
⊻ℂ-xor-equiv : ∀ a b → (not a ∧ b) ∨ (a ∧ not b) ≡ a xor b
```




## Circuit "families"

- We can also prove properties of circuit "families"
- Example: an AND gate definition with a generic number of inputs

```
andN' : ∀ n → ℂ' n 1
andN' zero    = ⊤ℂ'
andN' (suc n) = (idℂ' |' andN' n) ⟫' ∧ℂ'
```

- Example proof: when all inputs are true, the output is true
  - For any number of inputs
  - Proof by induction on n (number of inputs)




## Problems

- This proof is done at the low level

```
proof-andN' : ∀ n → ⟦ andN' n ⟧' (replicate true) ≡ [ true ]
proof-andN' zero    = refl
proof-andN' (suc n) = cong (spec-and ∘ (_∷_ true)) (proof-andN' n)
```

- Still problems with inductive proofs at the high level
  - Guess: the definitions of ℂ and ⟦_⟧ prevent goal reduction
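The low-level circuit type ℂ' i o, the BoolTrio gates, the combinational simulation ⟦_⟧', the ⊻ℂ truth-table check and the andN' family from the slides above, modelled in Python as an added example; this is not the Agda code of the Π-Ware library. The wire-count indices that Agda checks at compile time become construction-time checks that raise a `SizeError`, and the proofs become exhaustive (for ⊻ℂ) or bounded (for andN') checks. The names `Circuit`, `seq`, `par`, `fork2`, `idC` and `SizeError` are this model's own.

```python
"""Python model of Π-Ware's low-level circuits ℂ' i o, the BoolTrio gates and
the combinational simulation ⟦_⟧'.  Added example, not Π-Ware library code: the
wire counts Agda checks at compile time become construction-time SizeError
checks, and the proofs become exhaustive or bounded checks."""
from dataclasses import dataclass
from typing import Callable, Tuple

Word = Tuple[bool, ...]   # W i : a vector of i atoms, here with Atom = Bool

class SizeError(TypeError):
    """Raised where the Agda version would fail to type-check."""

# BoolTrio: (|in|, |out|, spec) for each gate index.
GATES = {
    "FalseConst": (0, 1, lambda w: (False,)),
    "TrueConst":  (0, 1, lambda w: (True,)),
    "Not":        (1, 1, lambda w: (not w[0],)),
    "And":        (2, 1, lambda w: (w[0] and w[1],)),
    "Or":         (2, 1, lambda w: (w[0] or w[1],)),
}

@dataclass(frozen=True)
class Circuit:
    """ℂ' i o: i input wires, o output wires, plus its combinational function."""
    i: int
    o: int
    run: Callable[[Word], Word]

    def __call__(self, w: Word) -> Word:
        if len(w) != self.i:
            raise SizeError(f"expected W {self.i}, got W {len(w)}")
        out = self.run(w)
        assert len(out) == self.o   # invariant maintained by the constructors
        return out

def Gate(name: str) -> Circuit:
    i, o, spec = GATES[name]
    return Circuit(i, o, spec)      # ⟦ Gate g# ⟧' = spec g#

def Plug(i: int, o: int, f: Callable[[int], int]) -> Circuit:
    """Plug f with f : Fin o → Fin i: output k is wired to input f(k)."""
    table = [f(k) for k in range(o)]
    if any(not 0 <= src < i for src in table):
        raise SizeError("plug refers to an input wire that does not exist")
    return Circuit(i, o, lambda w: tuple(w[src] for src in table))

def seq(c1: Circuit, c2: Circuit) -> Circuit:
    """c1 ⟫' c2 : ℂ' i o, only when c1 : ℂ' i m and c2 : ℂ' m o agree on m."""
    if c1.o != c2.i:
        raise SizeError(f"cannot feed {c1.o} wires into {c2.i} inputs")
    return Circuit(c1.i, c2.o, lambda w: c2(c1(w)))

def par(c1: Circuit, c2: Circuit) -> Circuit:
    """c1 |' c2 : ℂ' (i1 + i2) (o1 + o2); the input word is split at i1."""
    return Circuit(c1.i + c2.i, c1.o + c2.o,
                   lambda w: c1(w[:c1.i]) + c2(w[c1.i:]))

def idC(n: int) -> Circuit:
    return Plug(n, n, lambda k: k)

def fork2(n: int) -> Circuit:
    """pFork×: duplicate an n-wire bus, ℂ' n (n + n)."""
    return Plug(n, 2 * n, lambda k: k % n)

NOT, AND, OR = Gate("Not"), Gate("And"), Gate("Or")

# ⊻ℂ as in the deck: fork, then (¬ || id ⟫ ∧) || (id || ¬ ⟫ ∧), then ∨.
XOR = seq(fork2(2),
          seq(par(seq(par(NOT, idC(1)), AND),
                  seq(par(idC(1), NOT), AND)),
              OR))

def xor_spec_table(a: bool, b: bool) -> bool:
    """⊻ℂ-spec-table: the truth table used as specification."""
    return {(False, False): False, (False, True): True,
            (True, False): True, (True, True): False}[(a, b)]

def check_xor() -> bool:
    """⊻ℂ-proof-table as an exhaustive check over the four input words."""
    return all(XOR((a, b)) == (xor_spec_table(a, b),)
               for a in (False, True) for b in (False, True))

def andN(n: int) -> Circuit:
    """andN' n : ℂ' n 1, by recursion on n exactly as in the deck."""
    if n == 0:
        return Gate("TrueConst")
    return seq(par(idC(1), andN(n - 1)), AND)

def check_andN(bound: int) -> bool:
    """proof-andN' for n < bound only; Agda's induction covers every n."""
    return all(andN(n)((True,) * n) == (True,) for n in range(bound))

def ill_sized_rejected() -> bool:
    """ℂ' 2 1 ⟫' ℂ' 2 1 has no type in Agda; here seq raises SizeError."""
    try:
        seq(AND, AND)
    except SizeError:
        return True
    return False
```

`check_xor()` and `check_andN(8)` both return True, and `ill_sized_rejected()` shows the composition ℂ' 2 1 ⟫' ℂ' 2 1 being refused, the runtime counterpart of the type error Agda reports. The bounded check is the point of contrast with the slides: the model can only sample n below a bound, whereas proof-andN' establishes the property for every n by induction.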




## Sequential proofs

- Example of a sequential circuit: a register
- Respective Π-Ware circuit description

```
reg : ℂ (B × B) B
reg = delayℂ (arr ⟫ mux2to1) ⟫ ×ℂ
  where arr = (⇅ℂ || idℂ) ⟫ ALRℂ ⟫ (idℂ || ⇅ℂ)
```


## Register example

- Example (test case) of register behaviour

```
loads inputs : Stream Bool
loads  = true ∷ ♯ (true  ∷ ♯ (false ∷ ♯ repeat false))
inputs = true ∷ ♯ (false ∷ ♯ (true  ∷ ♯ repeat false))

actual = take 42 (⟦ reg ⟧* $ zipWith _,_ inputs loads)

test-reg = actual ≡ true ∷ false ∷ replicate false
```

- Still problems with *infinite* expected vs. actual comparisons
  - Normal Agda equality (_≡_) does not work
  - Need to use bisimilarity
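The causal context Γc, the step-function type _⇒c_, runc and the register test case from the sequential-simulation slides, modelled in Python as an added example; this is not the Agda code of the Π-Ware library. Streams are Python iterators, runc' is unrolled into a generator loop, and the register is modelled directly as a causal step function (out_t = data_t when load_t, otherwise the previous output) with an initial value of False, which is an assumption of this model. The names `register`, `delay`, `lookahead_tail`, `simulate_reg`, `delay_demo` and `take` are this model's own.

```python
"""Python model of Π-Ware's causal sequential semantics: Γc, _⇒c_, runc and the
register test case.  Added example, not Π-Ware library code.  A causal step
function receives (present input, list of past inputs) and yields one output,
so unlike a Stream α → Stream β function it cannot look ahead."""
from itertools import chain, islice, repeat
from typing import Callable, Iterable, Iterator, List, Tuple, TypeVar

A = TypeVar("A")
B = TypeVar("B")
Ctx = Tuple[A, List[A]]        # Γc α = α × List α: x⁰ and x⁻ (most recent first)
Causal = Callable[[Ctx], B]    # α ⇒c β = Γc α → β

def runc(f: Causal, xs: Iterable[A]) -> Iterator[B]:
    """runc: run a causal function over a whole stream.  runc' is unrolled
    into a loop; the Agda version is a corecursive definition guarded by ♯."""
    past: List[A] = []
    for x in xs:
        yield f((x, past))         # f (x⁰ , x⁻)
        past = [x] + past          # next context is (x¹ , x⁰ ∷ x⁻)

def take(n: int, s: Iterable[B]) -> List[B]:
    """take n: a finite prefix is all we can compare, as with the deck's take 42."""
    return list(islice(s, n))

def delay(init: A) -> Causal:
    """The helper behind DelayLoop: output the previous input, init at cycle 0."""
    return lambda ctx: ctx[1][0] if ctx[1] else init

def register(ctx: Ctx) -> bool:
    """Model of the deck's reg : ℂ (B × B) B with inputs (data, load):
    out_t = data_t if load_t else out_{t-1}, with out_{-1} = False
    (the initial value is an assumption of this model)."""
    (data, load), past = ctx
    if load:
        return data
    for p_data, p_load in past:     # most recent first: the last load wins
        if p_load:
            return p_data
    return False

def lookahead_tail(xs: Iterable[A]) -> Iterator[A]:
    """tail as a Stream → Stream function: it must consume x₁ before producing
    its first element, which no causal step function (hence no circuit) can do."""
    it = iter(xs)
    next(it)
    return it

def simulate_reg(n: int) -> List[bool]:
    """The deck's test case, with the two constructed input streams
    loads = true, true, false, false, ... and inputs = true, false, true, false, ..."""
    loads = chain([True, True, False], repeat(False))
    inputs = chain([True, False, True], repeat(False))
    return take(n, runc(register, zip(inputs, loads)))

def delay_demo() -> List[int]:
    """Five cycles of a one-cycle delay initialised to 0 on a constructed stream."""
    return take(5, runc(delay(0), [1, 2, 3, 4, 5]))
```

`simulate_reg(42)` yields the prefix the deck expects, `true ∷ false ∷ replicate false`. The comparison is on a finite prefix, the same `take 42` compromise the slides make before turning to bisimilarity; there is no way to compare two infinite streams for equality by running them. `lookahead_tail` is the function the deck uses to show why a raw Stream → Stream function is the wrong model of hardware: it needs the second element before it can emit anything, while a Γc-based step function only ever sees the present and the past. Note that the context list grows by one element per cycle, so a long simulation costs O(n²) in this naive model; the Agda definition has the same shape.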




## What Π-Ware achieves

- Compare with Lava, Coquet
- Well-typed descriptions (ℂ) at *compile time*
  - Low-level descriptions (ℂ') / netlists are well-sized
- Type safety and totality of simulation due to Agda
- Several design activities in the same language
  - Description (untyped / typed)
  - Simulation
  - Synthesis
  - Verification (inductive families of circuits)




## Current limitations / trade-offs

- Interface of generated netlists is always flat
  - One input, one output

```
entity fullAdd8 is
  port (
    inputs  : in  std_logic_vector(16 downto 0);
    outputs : out std_logic_vector(8 downto 0)
  );
end fullAdd8;
```

- Due to the indices of ℂ' (naturals)
  - Can't distinguish ℂ' 17 9 from ℂ' (1 + 8 + 8) (8 + 1)




## Current limitations / trade-offs

- Proofs on high-level families of circuits
  - Probably due to the definitions of ℂ and ⟦_⟧
- Proofs with infinite comparisons (sequential circuits)




## Future work

- Automatic proof by reflection for finite cases
- Prove properties of the combinators in Agda
  - Algebraic properties
- Automatic generation of ⇓W⇑ (Synthesizable) instances
- More (higher) layers of abstraction




# Thank you!

# Questions?

Made possible by:

Utrechts Universiteitsfonds







## References I

Bjesse, P., Claessen, K., Sheeran, M., and Singh, S. (1998). Lava: hardware design in Haskell. *SIGPLAN Not.*, 34(1):174–184.

Sheeran, M. (1984). MuFP, a language for VLSI design. In *Proceedings of the 1984 ACM Symposium on LISP and Functional Programming*, LFP '84, pages 104–112, New York, NY, USA. ACM.

Uustalu, T. and Vene, V. (2005). The essence of dataflow programming. In *Proceedings of the Third Asian Conference on Programming Languages and Systems*, APLAS'05, pages 2–18, Berlin, Heidelberg. Springer-Verlag.


## References II

Wadler, P. (2014). Propositions as types. Unpublished note, http://homepages.inf.ed.ac.uk/wadler/papers/propositions-as-types/propositions-as-types.pdf


