# Π-Ware: An Embedded Hardware Description Language using Dependent Types

Author: João Paulo Pizani Flor

<joaopizani@uu.nl>

Supervisor: Wouter Swierstra

<w.s.swierstra@uu.nl>

Department of Information and Computing Sciences
Utrecht University

Monday 25<sup>th</sup> August, 2014


### Table of Contents

- Background: Hardware Design, Functional Hardware, DTP
- Research Question: Question, Method
- DTP / Agda: Big picture, Agda
- Π-Ware: Syntax, Semantics, Proofs
- Conclusions: Limitations, Future work



## Hardware design is hard(er)

- Strict(er) correctness requirements
  - You can't simply update a full-custom chip after production
    - Intel FDIV
  - Expensive verification / validation (up to 50% of development costs)
- Low-level details (more) important
  - Layout / area
  - Power consumption / fault tolerance



## Hardware design is growing

- Moore's law will still apply for some time
  - We can keep packing more transistors into the same silicon area
- **But** optimizations in CPUs display diminishing returns
  - Thus, more algorithms directly in hardware



## Hardware Description Languages

- All started in the 1980s
- De facto industry standards: VHDL and Verilog
- Were intended for *simulation*, not modelling or synthesis
  - Unsynthesizable constructs
  - Widely variable tool support



## Functional Programming

- Easier to *reason* about program properties
- Inherently *parallel* and *stateless* semantics
  - In contrast to imperative programming



## Functional Hardware Description

- A functional program describes a circuit
- Several functional Hardware Description Languages (HDLs) during the 1980s
  - For example, $\mu$FP [Sheeran, 1984]
- Later, embedded hardware Domain-Specific Languages (DSLs)
  - For example, Lava (Haskell) [Bjesse et al., 1998]



#### Embedded DSLs for Hardware

- Lava
- Limitations
  - Low-level types
  - Not guaranteeing size match



Dependently-Typed Programming (DTP) is a programming technique...



### Research Question

"What are the improvements that DTP can bring to hardware design?"




## Methodology

- Develop a hardware DSL, embedded in a dependently-typed language (Agda)
  - Called **Π-Ware**
  - Allowing simulation, synthesis and verification



- Types can depend on values
  - Example: data Vec (α : Set) : ℕ → Set where ...
  - Compare with Haskell (GADT style): data List :: \* -> \* where ...
- Types of arguments can depend on values of previous arguments
  - Ensure a "safe" domain
  - take : $(m : \mathbb{N}) \to \text{Vec } \alpha \ (m+n) \to \text{Vec } \alpha \ m$



- Type checking requires *evaluation* of functions
  - We want Vec Bool (2 + 2) to unify with Vec Bool 4
- Consequence: all functions must be total
- The termination checker ensures this (heuristically)
  - Structurally-decreasing recursion

This passes the check:

```
add : ℕ → ℕ → ℕ
add zero     y = y
add (suc x') y = suc (add x' y)
```

This does not:

```
silly : ℕ → ℕ
silly zero     = zero
silly (suc n') = silly ⌊ n' /2⌋
```




- Dependent pattern matching can *rule out* impossible cases
  - Classic example: safe head function

```
head : Vec α (suc n) → α
head (x ∷ xs) = x
```

- The **only** constructor returning Vec α (suc n) is _∷_



## Dependent types as logic

- Programming language / Theorem prover
  - Types as propositions, terms as proofs [Wadler, 2014]
- Example:
  - Given the relation:

```
data _≤_ : ℕ → ℕ → Set where
  z≤n : ∀ {n} → zero ≤ n
  s≤s : ∀ {m n} → m ≤ n → suc m ≤ suc n
```

Proposition:

```
twoLEQFour : 2 ≤ 4
```

Proof:

```
twoLEQFour = s≤s (s≤s z≤n)

-- the same term with the type of each subterm made explicit
s≤s (s≤s (z≤n : 0 ≤ 2) : 1 ≤ 3) : 2 ≤ 4
```


## Agda syntax for Haskell programmers

- Liberal identifier lexing (Unicode everywhere)
  - a≡b+c is a valid identifier, a ≡ b + c an expression
  - Actually used in Agda's standard library
  - And in Π-Ware: ℂ, ⟦ c ⟧, ⇓, ⇑
- Mixfix notation
  - _[_]≔_ is the vector update function: v [ # 3 ] ≔ true
  - _[_]≔_ v (# 3) true ⇔ v [ # 3 ] ≔ true
- Almost nothing built-in
  - _+_ : ℕ → ℕ → ℕ is defined in Data.Nat
  - if_then_else_ : Bool → α → α → α is defined in Data.Bool


## Agda syntax for Haskell programmers

- Implicit arguments
  - Don't have to be passed if Agda can infer them
  - Syntax: ε : {α : Set} → Vec α zero
- "For all" syntax: ∀ n ⟺ (n : _)
  - Where _ means: infer this type (based on the other arguments)
  - Example: ∀ n → zero ≤ n, where data _≤_ : ℕ → ℕ → Set
- It's common to combine both:
  - ∀ {α n} → Vec α (suc n) → α ⟺ {α : _} {n : _} → Vec α (suc n) → α


#### Low-level circuits

- Structural representation
- Untyped but sized

```
data ℂ' : ℕ → ℕ → Set
data ℂ' where
  Nil       : ℂ' zero zero
  Gate      : (g# : Gates#) → ℂ' (|in| g#) (|out| g#)
  Plug      : ∀ {i o} → (f : Fin o → Fin i) → ℂ' i o
  DelayLoop : (c : ℂ' (i + l) (o + l)) {comb' c} → ℂ' i o
```



#### Atoms

- How to carry values of an Agda type in *one* wire
- Defined by the Atomic type class in PiWare.Atom

```
record Atomic : Set₁ where
  field
    Atom      : Set
    |Atom|-1  : ℕ
    n→atom    : Fin (suc |Atom|-1) → Atom
    atom→n    : Atom → Fin (suc |Atom|-1)
    inv-left  : ∀ i → atom→n (n→atom i) ≡ i
    inv-right : ∀ a → n→atom (atom→n a) ≡ a

  |Atom| = suc |Atom|-1
  Atom#  = Fin |Atom|
```



#### Atomic instances

- Examples of types that can be Atomic
  - Bool, std_logic, other multi-valued logics
  - Predefined in the library: PiWare.Atom.Bool
- First, define how many atoms we are interested in

```
|B|-1 = 1
|B| = suc |B|-1
```

- Friendlier names for the indices (elements of Fin 2)

```
pattern False# = Fz
pattern True#  = Fs Fz
```



## Atomic instance (Bool)

- Bijection between $\{n \in \mathbb{N} \mid n < 2\}$ (Fin 2) and Bool

```
n→B = λ { False# → false; True# → true }
B→n = λ { false → False#; true → True# }
```

- Proof that n→B and B→n are inverses

```
inv-left-B  = λ { False# → refl; True# → refl }
inv-right-B = λ { false → refl; true → refl }
```

- With all pieces at hand, we construct the instance

```
Atomic-B = record { Atom      = B
                  ; |Atom|-1  = |B|-1
                  ; n→atom    = n→B
                  ; atom→n    = B→n
                  ; inv-left  = inv-left-B
                  ; inv-right = inv-right-B }
```


#### Gates

- Circuits are parameterized by a collection of *fundamental gates*
- Examples:
  - {NOT, AND, OR} (BoolTrio)
  - {NAND}
  - Arithmetic, crypto, etc.
- The definition of what it means to be such a collection is in PiWare.Gates.Gates



### The Gates type class

```
W : ℕ → Set
W = Vec Atom

record Gates : Set where
  field
    |Gates|    : ℕ
    |in| |out| : Fin |Gates| → ℕ
    spec       : (g : Fin |Gates|) → (W (|in| g) → W (|out| g))

  Gates# = Fin |Gates|
```



#### Gates instances

- Example: PiWare.Gates.BoolTrio
- First, how many gates there are in the library: |BoolTrio| = 5
- Then the friendlier names for the indices

```
pattern FalseConst# = Fz
pattern TrueConst#  = Fs Fz
pattern Not#        = Fs (Fs Fz)
pattern And#        = Fs (Fs (Fs Fz))
pattern Or#         = Fs (Fs (Fs (Fs Fz)))
```



## Gates instance (BoolTrio)

- Defining the *interfaces* of the gates

```
|in| FalseConst# = 0
|in| TrueConst#  = 0
|in| Not#        = 1
|in| And#        = 2
|in| Or#         = 2

|out| _ = 1
```

- And the specification function for each gate

```
spec-false _           = [ false ]
spec-true  _           = [ true ]
spec-not   (x ∷ ε)     = [ not x ]
spec-and   (x ∷ y ∷ ε) = [ x ∧ y ]
spec-or    (x ∷ y ∷ ε) = [ x ∨ y ]
```



## Gates instance (BoolTrio)

- Mapping each gate index to its respective specification

```
specs-BoolTrio FalseConst# = spec-false
specs-BoolTrio TrueConst#  = spec-true
specs-BoolTrio Not#        = spec-not
specs-BoolTrio And#        = spec-and
specs-BoolTrio Or#         = spec-or
```

- With all pieces at hand, we construct the instance


### High-level circuits

- The user is not supposed to describe circuits at the low level (ℂ')
- The high-level circuit type (ℂ) allows for typed circuit interfaces
  - The input and output indices are Agda types

```
data ℂ (α β : Set) {i j : ℕ} : Set where
  Mkℂ : ⦃ sα : ⇓W⇑ α {i} ⦄ ⦃ sβ : ⇓W⇑ β {j} ⦄
      → ℂ' i j → ℂ α β {i} {j}
```

- Mkℂ takes:
  - A low-level description (ℂ')
  - Information on how to synthesize elements of α and β
    - Passed as instance arguments


## Synthesizable

- ⇓W⇑ type class (pronounced Synthesizable)
  - Describes how to *synthesize* a given Agda type (α)
  - Two fields: from an element of α to a word, and back

```
record ⇓W⇑ (α : Set) {i : ℕ} : Set where
  constructor ⇓W⇑[_,_]
  field
    ⇓ : α → W i
    ⇑ : W i → α
```


## ⇓W⇑ instances

- Any finite type can have such an instance
- Predefined in the library: Bool; ×; ⊎; Vec
- Example: instance for products (×)

```
⇓W⇑-× : ⦃ sα : ⇓W⇑ α {i} ⦄ ⦃ sβ : ⇓W⇑ β {j} ⦄ → ⇓W⇑ (α × β)
⇓W⇑-× = ⇓W⇑[ down , up ]
  where down : (α × β) → W (i + j)
        down (a , b) = (⇓ a) ++ (⇓ b)

        up : W (i + j) → (α × β)
        up w with splitAt i w
        up .(⇓a ++ ⇓b) | ⇓a , ⇓b , refl = ⇑ ⇓a , ⇑ ⇓b
```




## Synthesizable

- Both fields ⇓ and ⇑ should be inverses of each other




#### Circuit semantics

- Synthesis semantics: produce a netlist
  - Tool integration / implement in FPGA or ASIC
- Simulation semantics: execute a circuit
  - Given a circuit model and inputs, calculate the outputs
- Other semantics possible:
  - Timing analysis, power estimation, etc.
  - This possibility guided Π-Ware's development




### Synthesis semantics

- Netlist: digraph with *gates* as nodes and *buses* as edges
- Netlist interface of each low-level constructor (premise above the conclusion):

$$\mathsf{Nil} : \mathbb{C}\ 0\ 0$$

$$\frac{f : \mathsf{Fin}\ o \to \mathsf{Fin}\ i}{\mathsf{Plug}\ f : \mathbb{C}\ i\ o}$$

$$\frac{g\# : \mathsf{Gates\#}}{\mathsf{Gate}\ g\# : \mathbb{C}\ (\mathsf{ins}\ g\#)\ (\mathsf{outs}\ g\#)}$$

$$\frac{c : \mathbb{C}\ (i+l)\ (o+l)}{\mathsf{DelayLoop}\ c : \mathbb{C}\ i\ o}$$

[Figure: netlist drawings of Nil and of Gate g#, with ins g# input buses and outs g# output buses]




## Synthesis semantics

$$\frac{c_1 : \mathbb{C}\ i\ m \qquad c_2 : \mathbb{C}\ m\ o}{c_1 \ggg c_2 : \mathbb{C}\ i\ o}$$

$$\frac{c_1 : \mathbb{C}\ i_1\ o_1 \qquad c_2 : \mathbb{C}\ i_2\ o_2}{c_1 \;\|\; c_2 : \mathbb{C}\ (i_1 + i_2)\ (o_1 + o_2)}$$

$$\frac{c_1 : \mathbb{C}\ i_1\ o \qquad c_2 : \mathbb{C}\ i_2\ o}{c_1 \;|{+}'\; c_2 : \mathbb{C}\ (1 + (i_1 \sqcup i_2))\ o}$$








### Synthesis semantics

#### Missing "pieces":

- Adapt Atomic
  - New field: a VHDLTypeDecl
    - Such as: type ident is (elem1, elem2);
    - Enumerations, integers (ranges), records
  - New field: atomVHDL : Atom# → VHDLExpr
- Adapt Gates
  - For each gate, a corresponding VHDLEntity
  - netlist : (g# : Gates#) → VHDLEntity (|in| g#) (|out| g#)
    - The VHDL entity has the interface of the corresponding gate




### Simulation semantics

- Two levels of abstraction
  - High-level simulation (⟦_⟧) for high-level circuits (ℂ)
  - Low-level simulation (⟦_⟧') for low-level circuits (ℂ')
- Two kinds of simulation
  - Combinational simulation (⟦_⟧) for stateless circuits
  - Sequential simulation (⟦_⟧*) for stateful circuits
- High level defined in terms of low level




# Combinational simulation (excerpt)

```
⟦_⟧' : ∀ {i o} → (c : ℂ' i o) {p : comb' c} → (W i → W o)
⟦ Nil ⟧'                 = const ε
⟦ Gate g# ⟧'             = spec g#
⟦ Plug p ⟧'              = plugOutputs p
⟦ DelayLoop c ⟧' {()} v
⟦ c₁ ⟫' c₂ ⟧' {p₁ , p₂}  = ⟦ c₂ ⟧' {p₂} ∘ ⟦ c₁ ⟧' {p₁}
⟦ _|+'_ {i₁} c₁ c₂ ⟧' {p₁ , p₂} =
    [ ⟦ c₁ ⟧' {p₁} , ⟦ c₂ ⟧' {p₂} ]′ ∘ untag {i₁}
```

#### Remarks:

- A proof is required that c is combinational
- The Gate case uses the specification function
- The DelayLoop case can be discharged (absurd pattern: a DelayLoop is never combinational)






# Sequential simulation

- Inputs and outputs become Streams
  - ℂ' i o ⟹ Stream (W i) → Stream (W o)
  - Stream: infinite list
- We can't write a recursive evaluation function over Streams
  - The sum case needs Stream (α ⊎ β) → Stream α × Stream β
    - What if there are no lefts (or rights)?
- A stream function is not an accurate model for hardware
  - A function of type (Stream α → Stream β) can "look ahead"
  - For example, tail (x₀ ∷ x₁ ∷ x₂ ∷ xs) = x₁ ∷ x₂ ∷ xs




# Causal stream functions

Solution: sequential simulation using causal stream functions. Some definitions:

- Causal context: past + present values

```
Γc : (α : Set) → Set
Γc α = α × List α
```

- Causal stream function: produces **one** (current) output

```
_⇒c_ : (α β : Set) → Set
α ⇒c β = Γc α → β
```




# Causal sequential simulation

Core sequential simulation function (⟦_⟧c):

- Nil, Gate and Plug cases use combinational simulation
- DelayLoop calls a recursive helper (delay)
- Example structural case: _⟫_ (sequence)
  - The context of ⟦ c₁ ⟧c is the context of the whole compound
  - The context of ⟦ c₂ ⟧c is the past and present *outputs* of c₁




# Sequential simulation

- We can then "run" the step-by-step function to produce a whole Stream
  - Idea from "The Essence of Dataflow Programming" [Uustalu and Vene, 2005]

```
runc' : (α ⇒c β) → (Γc α × Stream α) → Stream β
runc' f ((x⁰ , x⁻) , (x¹ ∷ x⁺)) =
  f (x⁰ , x⁻) ∷ ♯ runc' f ((x¹ , x⁰ ∷ x⁻) , ♭ x⁺)

runc : (α ⇒c β) → (Stream α → Stream β)
runc f (x⁰ ∷ x⁺) = runc' f ((x⁰ , []) , ♭ x⁺)
```

- Obtaining the stream-based simulation function:

```
⟦_⟧*' : ∀ {i o} → ℂ' i o → (Stream (W i) → Stream (W o))
⟦_⟧*' = runc ∘ ⟦_⟧c
```


# Properties of circuits

- Tests and proofs about circuits depend on the *semantics*
  - We focused on the functional simulation semantics
  - Other possibilities (gate count, critical path, etc.)
- Very simple sample circuit to illustrate: XOR




# Sample circuit: XOR

```
⊻ℂ : ℂ (B × B) B
⊻ℂ = pFork×
     ⟫ (¬ℂ || idℂ ⟫ ∧ℂ) || (idℂ || ¬ℂ ⟫ ∧ℂ)
     ⟫ ∨ℂ
```




# Specification of XOR

- To define correctness we need a specification function
  - Listing all possibilities (truth table)
  - Based on pre-existing functions (standard library)
- Truth table

```
⊻ℂ-spec-table : (B × B) → B
⊻ℂ-spec-table (false , false) = false
⊻ℂ-spec-table (false , true ) = true
⊻ℂ-spec-table (true  , false) = true
⊻ℂ-spec-table (true  , true ) = false
```


# Proof of XOR (truth table)

```
⊻ℂ-proof-table : ∀ a b → ⟦ ⊻ℂ ⟧ (a , b) ≡ ⊻ℂ-spec-table (a , b)
⊻ℂ-proof-table false false = refl
⊻ℂ-proof-table false true  = refl
⊻ℂ-proof-table true  false = refl
⊻ℂ-proof-table true  true  = refl
```

- Proof by case analysis
  - Could be automated (reflection)


# Specification of XOR

- Based on (_xor_) from Data.Bool

```
_xor_ : B → B → B
true  xor b = not b
false xor b = b
```

- Adapted interface to match ⊻ℂ exactly

```
⊻ℂ-spec-subfunc : (B × B) → B
⊻ℂ-spec-subfunc = uncurry′ _xor_
```




# Proof of XOR (pre-existing)

- Proof based on ⊻ℂ-spec-subfunc

```
⊻ℂ-proof-subfunc : ∀ a b → ⟦ ⊻ℂ ⟧ (a , b) ≡ ⊻ℂ-spec-subfunc (a , b)
```

- Need a lemma to complete the proof
  - The circuit is defined using {NOT, AND, OR}
  - xor is defined directly by pattern matching

```
⊻ℂ-xor-equiv : ∀ a b → (not a ∧ b) ∨ (a ∧ not b) ≡ a xor b
```



### Circuit "families"

- We can also prove properties of circuit "families"
- Example: an AND gate with a generic number of inputs

```
andN' : ∀ n → ℂ' n 1
andN' zero    = ⊤ℂ'
andN' (suc n) = idℂ' ||' andN' n ⟫' ∧ℂ'
```

- Example proof: when all inputs are high, the output is high
  - For any number of inputs
  - Proof by induction on n (number of inputs)




### Problems

- This proof is done at the *low level*

```
proof-andN' : ∀ n → ⟦ andN' n ⟧' (replicate true) ≡ [ true ]
proof-andN' zero    = refl
proof-andN' (suc n) = cong (spec-and ∘ (_∷_ true)) (proof-andN' n)
```

- Still problems with inductive proofs at the high level
  - Guess: the definitions of ℂ and ⟦_⟧ prevent goal reduction
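The BoolTrio gates, the sized low-level combinators, the combinational simulation and the two proofs above (⊻ℂ-proof-table by case analysis, proof-andN' by induction) modelled together in Python, as an added example that is not Π-Ware's own code. gate, plug, seq, par, simulate, and_n and the check functions are our names; the size checks that Agda's index types perform statically are done here at construction time, and the andN' property is checked for a finite range of n rather than proved for all n.

```python
from dataclasses import dataclass
from typing import Callable

# Added example, not Π-Ware's code: a Python model of the low-level circuit
# language ℂ' over the BoolTrio gates, with the combinational simulation ⟦_⟧'
# and the XOR / andN' checks from the slides. All names here are ours.

Word = tuple[bool, ...]  # W i = Vec Atom i, with Atom = Bool

# BoolTrio: gate name -> (|in|, |out|, spec), mirroring the slides' instance
BOOL_TRIO: dict[str, tuple[int, int, Callable[[Word], Word]]] = {
    "FalseConst": (0, 1, lambda w: (False,)),
    "TrueConst":  (0, 1, lambda w: (True,)),
    "Not":        (1, 1, lambda w: (not w[0],)),
    "And":        (2, 1, lambda w: (w[0] and w[1],)),
    "Or":         (2, 1, lambda w: (w[0] or w[1],)),
}

@dataclass(frozen=True)
class Circuit:
    """ℂ' i o: a sized combinational circuit together with its simulation."""
    i: int                       # number of input wires
    o: int                       # number of output wires
    sim: Callable[[Word], Word]  # ⟦_⟧' for this circuit

def gate(name: str) -> Circuit:
    """Gate g#: interface and behaviour come from the gate library."""
    ins, outs, spec = BOOL_TRIO[name]
    return Circuit(ins, outs, spec)

def plug(i: int, o: int, f: Callable[[int], int]) -> Circuit:
    """Plug f with f : Fin o → Fin i: output k is wired to input f(k)."""
    if any(not 0 <= f(k) < i for k in range(o)):
        raise TypeError("plug function must map every output to an input")
    return Circuit(i, o, lambda w: tuple(w[f(k)] for k in range(o)))

def seq(c1: Circuit, c2: Circuit) -> Circuit:
    """c1 ⟫ c2: sizes must agree, as the indices of ℂ' force in Agda."""
    if c1.o != c2.i:
        raise TypeError(f"cannot sequence {c1.o} outputs into {c2.i} inputs")
    return Circuit(c1.i, c2.o, lambda w: c2.sim(c1.sim(w)))

def par(c1: Circuit, c2: Circuit) -> Circuit:
    """c1 || c2 : ℂ' (i1 + i2) (o1 + o2); the input word is split at i1."""
    return Circuit(c1.i + c2.i, c1.o + c2.o,
                   lambda w: c1.sim(w[:c1.i]) + c2.sim(w[c1.i:]))

def simulate(c: Circuit, w: Word) -> Word:
    """Run ⟦ c ⟧' on a word; the length check stands in for Agda's type check."""
    if len(w) != c.i:
        raise TypeError(f"word of length {len(w)} fed to a {c.i}-input circuit")
    return c.sim(w)

def id_c(n: int) -> Circuit:
    """idℂ': the identity plug on n wires."""
    return plug(n, n, lambda k: k)

# pFork×: duplicate the pair (a, b) into (a, b, a, b)
p_fork_x = plug(2, 4, lambda k: k % 2)

# ⊻ℂ from the slides: pFork× ⟫ (¬ℂ || idℂ ⟫ ∧ℂ) || (idℂ || ¬ℂ ⟫ ∧ℂ) ⟫ ∨ℂ
xor_circuit = seq(seq(p_fork_x,
                      par(seq(par(gate("Not"), id_c(1)), gate("And")),
                          seq(par(id_c(1), gate("Not")), gate("And")))),
                  gate("Or"))

def xor_spec_table(a: bool, b: bool) -> bool:
    """⊻ℂ-spec-table: the truth table used as the specification."""
    return {(False, False): False, (False, True): True,
            (True, False): True, (True, True): False}[(a, b)]

def proof_xor_table() -> bool:
    """⊻ℂ-proof-table by case analysis: each of the four cases must be refl."""
    return all(simulate(xor_circuit, (a, b)) == (xor_spec_table(a, b),)
               for a in (False, True) for b in (False, True))

def and_n(n: int) -> Circuit:
    """andN': the AND family; andN' 0 is the true constant, andN' (suc n) is
    idℂ' ||' andN' n ⟫' ∧ℂ'."""
    if n == 0:
        return gate("TrueConst")
    return seq(par(id_c(1), and_n(n - 1)), gate("And"))

def check_and_n_all_high(up_to: int) -> bool:
    """Finite check of proof-andN' (a proof by induction in Agda): with all
    inputs high the output is high, here tested for n = 0 .. up_to."""
    return all(simulate(and_n(n), (True,) * n) == (True,)
               for n in range(up_to + 1))
```

Feeding a mismatched word or sequencing circuits of different widths raises TypeError, which is the runtime counterpart of the size mismatch that Lava could not rule out and that ℂ' rejects at type-checking time.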




# Sequential proofs

- Example of a sequential circuit: a register

Respective Π-Ware circuit description:

```
reg : ℂ (B × B) B
reg = delayℂ (arr ⟫ mux2to1ℂ)
  where arr = (⇑⇓ℂ || idℂ) ⟫ ALRℂ ⟫ (idℂ || ⇑⇓ℂ)
```


# Register example

- Example (test case) of register behaviour

```
loads inputs : Stream Bool
loads  = true ∷ ♯ (true ∷ ♯ (false ∷ ♯ repeat false))
inputs = true ∷ ♯ (false ∷ ♯ (true ∷ ♯ repeat false))

actual   = take 42 (⟦ reg ⟧* (zipWith _,_ inputs loads))
test-reg = actual ≡ true ∷ false ∷ replicate false
```
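The causal-context definitions (Γc, _⇒c_, runc), the sequencing rule for ⟦_⟧c and the register test case above, as an added Python example that is not Π-Ware's code. runc, delay_step, seq_causal, reg_step and register_test are our names; streams are Python iterators, and the register is written directly as a causal step function rather than built from the delayℂ, ALRℂ and mux2to1ℂ combinators.

```python
from itertools import chain, islice, repeat
from typing import Callable, Iterable, Iterator, TypeVar

# Added example, not Π-Ware's code: the causal-context machinery of the slides
# (Γc, _⇒c_, runc) modelled in Python, plus the register test case. Streams
# are Python iterators; all names here are ours.

A = TypeVar("A")
B = TypeVar("B")
CausalCtx = tuple[A, list[A]]        # Γc α = α × List α, past most-recent-first
CausalFn = Callable[[CausalCtx], B]  # α ⇒c β = Γc α → β

def runc(f: CausalFn, xs: Iterable[A]) -> Iterator[B]:
    """runc: lift a causal step function to Stream α → Stream β.

    runc' f ((x⁰ , x⁻) , (x¹ ∷ x⁺)) = f (x⁰ , x⁻) ∷ runc' f ((x¹ , x⁰ ∷ x⁻) , x⁺)
    The step function only sees the present value and the past, so unlike an
    arbitrary Stream α → Stream β function it cannot look ahead.
    """
    ctx = None
    for x in xs:
        ctx = (x, []) if ctx is None else (x, [ctx[0]] + ctx[1])
        yield f(ctx)

def delay_step(ctx: CausalCtx) -> bool:
    """A one-cycle delay: emit the previous input, false before the first cycle."""
    _present, past = ctx
    return past[0] if past else False

def seq_causal(f: CausalFn, g: CausalFn) -> CausalFn:
    """c₁ ⟫ c₂ on causal functions, as on the slides: the context handed to c₂
    is the past and present *outputs* of c₁, each recomputed from c₁'s context
    at that earlier point in time."""
    def h(ctx: CausalCtx):
        present, past = ctx
        history = [present] + past              # c₁'s inputs, present first
        outs = [f((history[k], history[k + 1:])) for k in range(len(history))]
        return g((outs[0], outs[1:]))
    return h

def reg_step(ctx: CausalCtx) -> bool:
    """The register as a causal function over (input, load) pairs: while load
    is high the output follows the input, otherwise it holds the last loaded
    value (false before any load). Walking back through the context replaces
    the recursion over the DelayLoop state."""
    present, past = ctx
    for x, load in chain([present], past):
        if load:
            return x
    return False

def register_test(n: int = 42) -> list[bool]:
    """The slides' test-reg: loads = true, true, false, ...; inputs = true,
    false, true, ...; expected output true ∷ false ∷ replicate false."""
    loads = chain([True, True, False], repeat(False))
    inputs = chain([True, False, True], repeat(False))
    return list(islice(runc(reg_step, zip(inputs, loads)), n))
```

Composing delay_step with itself through seq_causal yields a two-cycle delay, which shows the sequencing rule reproducing the expected structural behaviour without any look-ahead.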




# Summary

▶ Π-Ware is...




### Current limitations

- Problem with proofs (definition of ⟦_⟧)
- Proofs on (infinite) Streams
- Bla




### Future work

▶ Proof by reflection for finite cases




# Thank you!

# Questions?

Made possible by:

Utrechts Universiteitsfonds







### References

- Bjesse, P., Claessen, K., Sheeran, M., and Singh, S. (1998). Lava: hardware design in Haskell. SIGPLAN Not., 34(1):174–184.
- Sheeran, M. (1984). MuFP, a language for VLSI design. In Proceedings of the 1984 ACM Symposium on LISP and Functional Programming, LFP '84, pages 104–112, New York, NY, USA. ACM.
- Uustalu, T. and Vene, V. (2005). The essence of dataflow programming. In Proceedings of the Third Asian Conference on Programming Languages and Systems, APLAS'05, pages 2–18, Berlin, Heidelberg. Springer-Verlag.
- Wadler, P. (2014). Propositions as types. Unpublished note, http://homepages.inf.ed.ac.uk/wadler/papers/propositions-as-types/propositions-as-types.pdf.


