# Π-Ware: An Embedded Hardware Description Language using Dependent Types

Author: João Paulo Pizani Flor

<joaopizani@uu.nl>

Supervisor: Wouter Swierstra

<w.s.swierstra@uu.nl>

Department of Information and Computing Sciences
Utrecht University

Sunday 24th August, 2014




### Table of Contents

- Background: Hardware Design, Functional Hardware, DTP
- Research Question: Question, Method
- DTP / Agda: Big picture, Agda
- Π-Ware: Syntax, Semantics, **Proofs**
- Conclusions: Limitations, Future work



## Hardware design is hard(er)

- Strict(er) correctness requirements
  - You can't simply update a full-custom chip after production
    - Intel FDIV
  - Expensive verification / validation (up to 50% of development costs)
- Low-level details (more) important
  - Layout / area
  - Power consumption / fault tolerance




### Hardware design is growing

- Moore's law will still apply for some time
  - We can keep packing more transistors into the same silicon area
- **But** optimizations in CPUs display diminishing returns
  - Thus, more algorithms directly in hardware




### Hardware Description Languages

- All started in the 1980s
- De facto industry standards: VHDL and Verilog
- Were intended for *simulation*, not modelling or synthesis
  - Unsynthesizable constructs
  - Widely variable tool support




### Functional Programming

- Easier to *reason* about program properties
- Inherently *parallel* and *stateless* semantics
  - In contrast to imperative programming




## Functional Hardware Description

- A functional program describes a circuit
- Several functional Hardware Description Languages (HDLs) during the 1980s
  - For example, $\mu$FP [Sheeran, 1984]
- Later, embedded hardware Domain-Specific Languages (DSLs)
  - For example, Lava (Haskell) [Bjesse et al., 1998]




### Embedded DSLs for Hardware

- Lava
- Limitations
  - Low-level types
  - Not guaranteeing size match




Dependently-Typed Programming (DTP) is a programming technique...




### Research Question

"What are the improvements that DTP can bring to hardware design?"




## Methodology

- Develop a hardware DSL, embedded in a dependently-typed language (Agda)
  - Called **Π-Ware**
  - allowing simulation, synthesis and verification




- Types can depend on values
  - Example: data Vec (α : Set) : ℕ → Set where...
  - Compare with Haskell (GADT style):
     data List :: \* -> \* where...
- Types of arguments can depend on values of previous arguments
  - Ensure a "safe" domain
  - take :  $(m : \mathbb{N}) \to \text{Vec } \alpha \ (m+n) \to \text{Vec } \alpha \ m$




- Type checking requires *evaluation* of functions
  - We want Vec Bool (2 + 2) to unify with Vec Bool 4
- Consequence: all functions must be total
- The termination checker ensures this (using heuristics)
  - Structurally-decreasing recursion
    - This passes the check:

```
add : ℕ → ℕ → ℕ
add zero     y = y
add (suc x') y = suc (add x' y)
```

- This does not:

```
silly : ℕ → ℕ
silly zero     = zero
silly (suc n') = silly ⌊ n' /2⌋
```






- Dependent pattern matching can *rule out* impossible cases
  - Classic example: safe head function

```
head : Vec α (suc n) → α
head (x ∷ xs) = x
```

- The **only** constructor returning Vec α (suc n) is \_∷\_




### Dependent types as logic

- Programming language / Theorem prover
  - Types as propositions, terms as proofs [Wadler, 2014]
- Example:
  - Given the relation (drawn triangle):

```
data _≤_ : ℕ → ℕ → Set where
  z≤n : ∀ {n} → zero ≤ n
  s≤s : ∀ {m n} → m ≤ n → suc m ≤ suc n
```

- Proposition:

```
twoLEQFour : 2 ≤ 4
```

- Proof:

```
twoLEQFour = s≤s (s≤s z≤n)
-- Types of the subterms:
-- s≤s (s≤s (z≤n : 0 ≤ 2) : 1 ≤ 3) : 2 ≤ 4
```




### Agda syntax for Haskell programmers

- Liberal identifier lexing (Unicode everywhere)
  - a≡b+c is a valid identifier, a ≡ b + c an expression
  - Actually used in Agda's standard library
  - And in Π-Ware: ℂ, [ c ], ⇓, ⇑
- Mixfix notation
  - \_[\_]≔\_ is the vector update function: v [ # 3 ] ≔ true.
  - \_[\_]≔\_ v (# 3) true ⇔ v [ # 3 ] ≔ true
- Almost nothing built-in
  - \_+\_ : ℕ → ℕ → ℕ defined in Data.Nat
  - if\_then\_else\_ : Bool → α → α → α defined in Data.Bool




## Agda syntax for Haskell programmers

- Implicit arguments
  - Don't have to be passed if Agda can guess them
  - Syntax: $\varepsilon : \{\alpha : \mathsf{Set}\} \to \mathsf{Vec} \ \alpha \ \mathsf{zero}$
- "For all" syntax: $\forall n \iff (n : \_)$
  - Where \_ means: guess this type (based on other args)
  - Example:
    - $\forall n \rightarrow \mathsf{zero} \leq n$
    - data $\_\leq\_ : \mathbb{N} \to \mathbb{N} \to \mathsf{Set}$
- It's common to combine both:
  - $\forall \{\alpha \ n\} \rightarrow \mathsf{Vec} \ \alpha \ (\mathsf{suc} \ n) \rightarrow \alpha \iff \{\alpha : \_\} \{n : \_\} \rightarrow \mathsf{Vec} \ \alpha \ (\mathsf{suc} \ n) \rightarrow \alpha$




### Low-level circuits

- Structural representation
- Untyped but sized

```
data ℂ' : ℕ → ℕ → Set
data ℂ' where
  Nil       : ℂ' zero zero
  Gate      : (g# : Gates#) → ℂ' (|in| g#) (|out| g#)
  Plug      : ∀ {i o} → (f : Fin o → Fin i) → ℂ' i o
  DelayLoop : (c : ℂ' (i + l) (o + l)) {comb' c} → ℂ' i o
```




### **Atoms**

- How to carry values of an Agda type in *one* wire
- Defined by the Atomic type class in PiWare.Atom

```
record Atomic : Set₁ where
  field
    Atom      : Set
    |Atom|-1  : ℕ
    n→atom    : Fin (suc |Atom|-1) → Atom
    atom→n    : Atom → Fin (suc |Atom|-1)
    inv-left  : ∀ i → atom→n (n→atom i) ≡ i
    inv-right : ∀ a → n→atom (atom→n a) ≡ a

  |Atom| = suc |Atom|-1
  Atom#  = Fin |Atom|
```




#### **Atomic instances**

- Examples of types that can be Atomic
  - Bool, std\_logic, other multi-valued logics
  - Predefined in the library: PiWare.Atom.Bool
- First, define how many atoms we are interested in

```
|B|-1 = 1
|B|   = suc |B|-1
```

- Friendlier names for the indices (elements of Fin 2)

```
pattern False# = Fz
pattern True#  = Fs Fz
```




## Atomic instance (Bool)

- Bijection between $\{n \in \mathbb{N} \mid n < 2\}$ (Fin 2) and Bool

```
n→B = λ { False# → false ; True# → true }
B→n = λ { false → False# ; true → True# }
```

- Proof that n→B and B→n are inverses

```
inv-left-B  = λ { False# → refl ; True# → refl }
inv-right-B = λ { false → refl ; true → refl }
```

- With all pieces at hand, we construct the instance
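The pieces above, assembled into a complete module as an added example (not the Π-Ware library's own code). It restates the Atomic record from the Atoms slide; the explicit type signatures, the absurd clauses for Fin 2 and the instance name Atomic-B are assumptions of this example.

```agda
module AtomicBoolExample where

open import Data.Nat using (ℕ; suc)
open import Data.Fin using (Fin) renaming (zero to Fz; suc to Fs)
open import Data.Bool using (Bool; true; false)
open import Relation.Binary.PropositionalEquality using (_≡_; refl)

-- The Atomic record as shown on the "Atoms" slide.
record Atomic : Set₁ where
  field
    Atom      : Set
    |Atom|-1  : ℕ
    n→atom    : Fin (suc |Atom|-1) → Atom
    atom→n    : Atom → Fin (suc |Atom|-1)
    inv-left  : ∀ i → atom→n (n→atom i) ≡ i
    inv-right : ∀ a → n→atom (atom→n a) ≡ a

-- Bool has two atoms, so the predecessor of the count is 1.
|B|-1 : ℕ
|B|-1 = 1

pattern False# = Fz
pattern True#  = Fs Fz

-- The absurd clauses rule out indices ≥ 2, which Fin 2 cannot contain.
n→B : Fin 2 → Bool
n→B False#       = false
n→B True#        = true
n→B (Fs (Fs ()))

B→n : Bool → Fin 2
B→n false = False#
B→n true  = True#

inv-left-B : (i : Fin 2) → B→n (n→B i) ≡ i
inv-left-B False#       = refl
inv-left-B True#        = refl
inv-left-B (Fs (Fs ()))

inv-right-B : (a : Bool) → n→B (B→n a) ≡ a
inv-right-B false = refl
inv-right-B true  = refl

-- Assumed name for the instance; the two proofs make the encoding a checked bijection.
Atomic-B : Atomic
Atomic-B = record
  { Atom      = Bool
  ; |Atom|-1  = |B|-1
  ; n→atom    = n→B
  ; atom→n    = B→n
  ; inv-left  = inv-left-B
  ; inv-right = inv-right-B
  }
```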


### Gates

- Circuits parameterized by a collection of *fundamental gates*
- Examples:
  - {NOT, AND, OR} (BoolTrio)
  - {NAND}
  - Arithmetic, Crypto, etc.
- The definition of what it means to be such a collection is in PiWare.Gates.Gates




### The Gates type class

```
W : ℕ → Set
W = Vec Atom

record Gates : Set where
  field
    |Gates|    : ℕ
    |in| |out| : Fin |Gates| → ℕ
    spec       : (g : Fin |Gates|) → (W (|in| g) → W (|out| g))

  Gates# = Fin |Gates|
```




#### Gates instances

- Example: PiWare.Gates.BoolTrio
- First, how many gates are there in the library

```
|BoolTrio| = 5
```

- Then the friendlier names for the indices

```
pattern FalseConst# = Fz
pattern TrueConst#  = Fs Fz
pattern Not#        = Fs (Fs Fz)
pattern And#        = Fs (Fs (Fs Fz))
pattern Or#         = Fs (Fs (Fs (Fs Fz)))
```




## Gates instance (BoolTrio)

- Defining the *interfaces* of the gates

```
|in| FalseConst# = 0
|in| TrueConst#  = 0
|in| Not#        = 1
|in| And#        = 2
|in| Or#         = 2

|out| _ = 1
```

- And the specification function for each gate

```
spec-false _           = [ false ]
spec-true  _           = [ true ]
spec-not   (x ∷ ε)     = [ not x ]
spec-and   (x ∷ y ∷ ε) = [ x ∧ y ]
spec-or    (x ∷ y ∷ ε) = [ x ∨ y ]
```


## Gates instance (BoolTrio)

- Mapping each gate index to its respective specification

```
specs-BoolTrio FalseConst# = spec-false
specs-BoolTrio TrueConst#  = spec-true
specs-BoolTrio Not#        = spec-not
specs-BoolTrio And#        = spec-and
specs-BoolTrio Or#         = spec-or
```

- With all pieces at hand, we construct the instance

```
BoolTrio : Gates
BoolTrio = record
  { |Gates| = |BoolTrio|
  ; |in|    = |in|
  ; |out|   = |out|
  ; spec    = specs-BoolTrio
  }
```




### High-level circuits

- User is not supposed to describe circuits at low level ($\mathbb{C}'$)
- The high-level circuit type (ℂ) allows for typed circuit interfaces
  - The input and output indices are Agda types

```
data ℂ (α β : Set) {i j : ℕ} : Set where
  Mkℂ : {{ sα : ⇓W⇑ α {i} }} {{ sβ : ⇓W⇑ β {j} }}
      → ℂ' i j → ℂ α β {i} {j}
```

- Mkℂ takes:
  - Low-level description (ℂ')
  - Information on how to synthesize elements of α and β
    - Passed as instance arguments




## Synthesizable

- ⇓W⇑ type class (pronounced Synthesizable)
  - Describes how to *synthesize* a given Agda type ($\alpha$)
  - Two fields: from element of $\alpha$ to a word and back

```
record ⇓W⇑ (α : Set) {i : ℕ} : Set where
  constructor ⇓W⇑[_,_]
  field
    ⇓ : α → W i
    ⇑ : W i → α
```




### ⇓W⇑ instances

- Any *finite* type can have such an instance
- Predefined in the library: Bool; \_×\_; \_⊎\_; Vec
- Example: instance for products (\_×\_)




### Synthesizable

- Both fields ⇓ and ⇑ should be inverses of each other
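An added example (not the Π-Ware library's own code) covering both the product instance mentioned under the ⇓W⇑ instances and the inverse requirement above. It assumes atoms are fixed to Bool, so W is Vec Bool; the names ⇓W⇑-Bool, ⇓W⇑-×, ⇓W⇑-B×B, down-up and up-down are hypothetical, and the round trips are checked only on concrete values, not proved for all inputs.

```agda
module SynthProductExample where

open import Data.Nat using (ℕ; _+_)
open import Data.Bool using (Bool; true; false)
open import Data.Product using (_×_; _,_)
open import Data.Vec using (Vec; []; _∷_; _++_; take; drop)
open import Relation.Binary.PropositionalEquality using (_≡_; refl)

-- Assumption: atoms are fixed to Bool, so a word is a vector of bits.
W : ℕ → Set
W = Vec Bool

-- The ⇓W⇑ record as shown on the "Synthesizable" slide.
record ⇓W⇑ (α : Set) {i : ℕ} : Set where
  constructor ⇓W⇑[_,_]
  field
    ⇓ : α → W i
    ⇑ : W i → α
open ⇓W⇑

-- Bool occupies a word of size 1.
⇓W⇑-Bool : ⇓W⇑ Bool {1}
⇓W⇑-Bool = record { ⇓ = λ b → b ∷ [] ; ⇑ = λ { (b ∷ []) → b } }

-- Products: concatenate the two encodings going down, and split the
-- word at index i going up. The sizes i and j add up in the type.
⇓W⇑-× : ∀ {α β : Set} {i j : ℕ} → ⇓W⇑ α {i} → ⇓W⇑ β {j} → ⇓W⇑ (α × β) {i + j}
⇓W⇑-× {i = i} sα sβ = record
  { ⇓ = λ { (a , b) → ⇓ sα a ++ ⇓ sβ b }
  ; ⇑ = λ w → ⇑ sα (take i w) , ⇑ sβ (drop i w)
  }

-- A pair of Bools is synthesized into a 2-bit word.
⇓W⇑-B×B : ⇓W⇑ (Bool × Bool) {2}
⇓W⇑-B×B = ⇓W⇑-× ⇓W⇑-Bool ⇓W⇑-Bool

-- Round trips on concrete values, checked by normalisation.
down-up : ⇑ ⇓W⇑-B×B (⇓ ⇓W⇑-B×B (true , false)) ≡ (true , false)
down-up = refl

up-down : ⇓ ⇓W⇑-B×B (⇑ ⇓W⇑-B×B (false ∷ true ∷ [])) ≡ false ∷ true ∷ []
up-down = refl
```

Because the word size i + j appears in the type, a product instance whose encodings do not add up to the declared width is rejected by the type checker rather than discovered in simulation.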




### Circuit semantics

- Synthesis semantics: produce a netlist
  - Tool integration / implement in FPGA or ASIC.
- Simulation semantics: execute a circuit.
  - Given circuit model and inputs, calculate outputs
- Other semantics possible:
  - Timing analysis, power estimation, etc.
  - This possibility guided Π-Ware's development




### Synthesis semantics

- Netlist: digraph with *gates* as nodes and *buses* as edges

```
Nil : ℂ 0 0

i o : ℕ    f : Fin o → Fin i
Plug f : ℂ i o

g# : Gate#
Gate g# : ℂ (ins g#) (outs g#)

c : ℂ (i+l) (o+l)
DelayLoop : ℂ i o
```








### Synthesis semantics

```
C₁ : ℂ i m    C₂ : ℂ m o
C₁ ⟫' C₂ : ℂ i o

C₁ : ℂ i₁ o₁    C₂ : ℂ i₂ o₂
C₁ |' C₂ : ℂ (i₁+i₂) (o₁+o₂)

C₁ : ℂ i₁ o    C₂ : ℂ i₂ o
C₁ |+' C₂ : ℂ (1+(i₁ ⊔ i₂)) o
```






### Synthesis semantics

### Missing "pieces":

- Adapt Atomic
  - New field: a VHDLTypeDecl
    - Such as: type ident is (elem1, elem2);
    - Enumerations, integers (ranges), records.
  - New field: atomVHDL : Atom → VHDLExpr
- Adapt Gates
  - For each gate, a corresponding VHDLEntity
  - netlist : (g# : Gates#) → VHDLEntity (|in| g#) (|out| g#)
    - The VHDL entity has the interface of the corresponding gate


### Simulation

- Combinational
- Sequential






## Examples

- AndN




### **Problems**

- Definition of [\_] blocks reduction




### Summary

- Π-Ware is...




### Current limitations

- Problem with proofs (definition of [\_])
- Proofs on (infinite) Streams
- Bla




### Future work

- Proof by reflection for finite cases




Thank you!

Questions?



### References I



Bjesse, P., Claessen, K., Sheeran, M., and Singh, S. (1998). Lava: hardware design in Haskell. SIGPLAN Not., 34(1):174–184.

Sheeran, M. (1984). MuFP, a language for VLSI design. In Proceedings of the 1984 ACM Symposium on LISP and Functional Programming, LFP '84, pages 104–112, New York, NY, USA. ACM.

Wadler, P. (2014). Propositions as types. Unpublished note, http://homepages.inf.ed.ac.uk/wadler/papers/propositions-as-types/propositions-as-types.pdf.


