System Description
Aspects as Syntactic Sugar

Jens Brandt and Klaus Schneider
Reactive Systems Group
Department of Computer Science
University of Kaiserslautern
http://rsg.informatik.uni-kl.de

Abstract

Many different system description and specification languages are used in modern design flows to emphasize different aspects like modular architecture, multi-threaded behavior, abstract action-oriented behavior, and the desired temporal properties. However, the use of many specialized languages complicates the development of seamless and robust design flows. In this paper, we show that synchronous languages are powerful enough to capture the mentioned aspects of system descriptions as simple syntactic sugar. In particular, we show how hardware structures, multi-threaded and action-oriented programs as well as property specification languages can be incorporated in a synchronous programming language so that a single core language with a powerful compiler can handle all design descriptions in a consistent way.

1 Introduction

Many embedded systems are heterogeneous in the sense that they consist of parts that are currently developed by totally different design flows and languages. The most relevant distinction is thereby the partition into application-specific hardware and software. Different hardware architectures like DSPs or standard microprocessors also require different ways for the implementation of the software part, which often implies the use of specialized languages and compilers. Various levels of abstraction make use of different modeling paradigms like action-oriented or multi-threaded system behavior. Moreover, specialized languages are used to describe the desired functional and temporal properties for the simulation and verification phases. The set of languages used in modern system design therefore includes languages like system description languages as UML [30], System-C [28], and SystemVerilog [2], hardware description languages like VHDL [41] and Verilog [27], property specification languages like PSL [1], and of course, traditional programming languages like C.

However, the plethora of languages currently used in many design flows is simply unmanageable. Depending on many tools and licenses requires to update designs almost all the time, which makes the overall design process inefficient. Moreover, it is a big disadvantage that specialized languages force the designer to already think about a later realization (in software or hardware), which makes late design changes concerning the hardware-software partitioning or even weaker modifications of the architecture practically impossible. Specialized languages like Accellera’s property specification language PSL [2] became moreover very complicated languages. However, the most difficult problem that results from the use of so many languages is that the underlying models of the languages do not always match: For example, hardware description languages mostly rely on an event based simulation, while software programs mostly rely on a sequential uniprocessor execution, and property specifications consider formal models like transition systems.

For this reason, we propose in this paper a unified approach that focuses on a single programming paradigm. This consolidation is the result of many bad experiences made with complex design flows. To this end, we propose the synchronous programming paradigm [3], since synchronous languages have already proved to be able to generate both application-specific hardware and software from the same synchronous program. Moreover, the underlying semantics match with the models used in formal verification like model checking.

However, synchronous languages currently do not offer much support for the specification of temporal specifications. Usually, observers are written as synchronous programs that are then run in parallel with the system and report whether something bad has happened. Compilers for synchronous languages are able to traverse the state space and check whether such a situation can happen, so that checking safety properties is already comfortably embedded in synchronous programming environments. However, checking more complex specifications like liveness, different kinds of fairness, or even assume-guarantee reasoning is not yet available in commercial tools.

Based on the Esterel language, we developed our own experimental language called Quartz and implemented an entire tool framework called Averest for this language. The current version of Averest that is available under www.avorest.org can be used to translate synchronous programs to hardware (netlists given in VHDL or Verilog) or software (programs written in C) [38, 39], and to verify given specifications written in temporal logics like LTL, CTL, and even in the full $\mu$-calculus [37]. In this paper, we present the new version of Averest that is currently in an experimental status, and therefore not yet publically available. During the development of this version, we also discussed additional special syntactic means to describe the modular architecture of a system, and also more powerful specifications to support development processes based
on refinement techniques. However, having considered many languages and approaches, we came to the conclusion that most of these aspects can be implemented without much effort as simple syntactic sugar on top of our existing language.

This paper therefore demonstrates the expressive power of the synchronous programming model in that we show how different aspects like the description of the modular architecture, complex properties as given by \( \omega \)-regular properties similar to PSL and assume-guarantee reasoning can be incorporated in a synchronous language. In particular, we show that regular expressions and temporal logics can be easily translated to even more readable synchronous programs. Besides the better readability of the specification, the main advantage is the possibility to use existing tools for synchronous languages to simulate, verify, and debug the specified properties as well as the program. Moreover, all translations to hardware and software already offered by compilers for synchronous languages can still be used for hardware-software codegen.

The outline of the paper is as follows: In the next section, we briefly consider the core of our synchronous language Quartz, which is the input language of our Averest system. In the following sections, we then show how structural descriptions, action-oriented descriptions, and property specifications are easily obtained in Quartz, so that these aspects can all be handled in a unique framework. For this reason, it is very simple to check their equivalence by means of verification or simulation.

2 The Averest System

Averest is a set of tools for specification, verification, and implementation of reactive systems. It includes a compiler for synchronous programs, a symbolic model checker, and a code generator for hardware and/or software synthesis. Further tools for event-based simulation as well as for supervisor synthesis are currently under development. Averest can be used for modeling and verifying finite as well as infinite state systems at various levels of abstraction and with different styles of descriptions. In particular, Averest is not only well-suited for the design of integrated circuits, but also for developing communication protocols, concurrent programs, software in embedded systems, etc.

Systems descriptions for Averest are given in the imperative synchronous programming language Quartz [34–36, 38]. Quartz is an imperative synchronous language that was derived from the Esterel language [5, 6]. The common paradigm of synchronous languages is the perfect synchrony [3, 17], which means that most of the statements are executed as micro steps in zero time. Consumption of time is explicitly programmed by special statements which partition the micro steps into macro steps. In the programmer’s view, all macro steps take the same amount of logical time. Thus, concurrent threads run in lockstep and automatically synchronize at the end of their macro steps. The introduction of micro- and macrosteps is not only a convenient programming model, it is also the key to generate deterministic single-threaded code from multi-threaded synchronous programs. Thus, synchronous programs can be executed on ordinary microcontrollers without complex operating systems. As another advantage, the translation of synchronous programs to hardware circuits is straightforward [4, 33]. Moreover, the formal semantics of synchronous languages makes them particularly attractive for reasoning about program semantics and correctness. Therefore, synchronous languages are well-suited for the design of safety-critical embedded systems that consist of application-specific hardware and software.

In this paper, we mainly focus on the core of the Quartz language that is powerful enough to define many other statements as simple syntactic sugar. This core language consists of the following basic statements:

**Definition 1 [Basic Statements of Quartz]** The set of basic statements of Quartz is the smallest set that satisfies the following rules, provided that \( S, S_1, S_2 \) are also basic statements of Quartz, \( \ell \) is a location variable, \( x \) is an event variable, \( y \) is a state variable, \( \sigma \) is a Boolean expression, and \( \alpha \) is a type:

- nothing (empty statement)
- \( y = \tau \) and \( \text{next}(y) = \tau \) (assignments)
- \( \ell : \text{pause} \) (consumption of time)
- \( \text{if}(\sigma) S_1 \text{ else } S_2 \) (conditional)
- \( S_1 ; S_2 \) (sequential composition)
- \( S_1 \parallel S_2 \) (synchronous concurrency)
- \( \text{do } S \text{ while}(\sigma) \) (iteration)
- \( \text{[weak] suspend } S \text{ when } [\text{immediate}](\sigma) \) (suspension)
- \( \text{[weak] abort } S \text{ when } [\text{immediate}](\sigma) \) (abortion)
- \( \{\alpha \; y : S\} \) (local variable \( y \) with type \( \alpha \))
- \( \text{choose } S_1 \text{ else } S_2 \) (nondeterministic choice)
- \( \text{assume}(\varphi) \) (inline assumption)
- \( \text{assert}(\varphi) \) (inline specification)
- \( \text{name}(\tau_1, \ldots, \tau_n) \) (module instance)

Many other statements can be defined as macro statements, as e.g. the following always statement:

\[
\text{always } S \equiv \text{do } S; \text{pause}; \text{while } \text{true}
\]

In addition to many Esterel statements that can be defined in the above spirit as syntactic sugar, the Quartz language features moreover generic programs (compile time parameters), different forms of concurrency (synchronous, asynchronous, interleaved), explicit nondeterministic choice, fixed bitwidth integers with a complete set of arithmetic operations, arrays, infinite integers and temporal logic specifications.

In Quartz, there are two kinds of (local and output) variables, namely event and state variables. State variables \( y \) are persistent, i.e., they store their current
value until an assignment changes it. Executing a delayed assignment \( \text{next}(y) = \tau \) means to evaluate \( \tau \) in the current macro step (environment) and to assign the obtained value to \( y \) in the following macro step. Immediate assignments update \( y \) in the current macro step and are therefore rather equations than assignments.

Event variables do not store their values, hence, an assignment \( y = \tau \) to an event variable just gives \( y \) the value \( \tau \) for this moment of time (unless there is another assignment in the next instant with the same value). If no assignment takes place, the value is not stored, instead, a default value is taken. As most events are of Boolean type, we use the statements \( \text{emit } x \) and \( \text{emit } \text{next}(x) \) as macros for \( y = \text{true} \) and \( \text{next}(y) = \text{true} \), respectively.

There is only one basic statement that defines a control flow location, namely the \( \text{pause} \) statement\(^1\). For this reason, we optionally\(^2\) endow \( \text{pause} \) statements with unique Boolean valued \( \text{location variables} \ell \) that are true iff the control is currently at location \( \ell : \text{pause} \).

The semantics of the other statements is essentially the same as in \( \text{Esterel} \). Due to lack of space, we do not describe their semantics in detail, and refer instead to [34–36] and, in particular, to the \( \text{Esterel} \) primer [5], which is an excellent introduction to synchronous programming.

In addition to the above statements, there are many more statements that are, however, simply reduced to the above core language. For example, using oracle inputs with nondeterministic choice, different kinds of concurrency like asynchronous and interleaved concurrency can be easily reduced to synchronous concurrency.

Moreover, \( \text{Quartz} \) supports \emph{generic programming} in that sequences, and parallel statements can be described via compile-time parameters. For example, it is therefore possible to implement a system with \( n \) similar threads or with \( n \)-bit wide variables, or with arrays of length \( n \). Moreover, statements can be given by primitive recursion so that \( n \) if-then-else statements can be nested in each other.

\[ \text{module BehaveDETECT110(event i,&o)} \]
\[ \text{implements SpecDETECT110(i,o)} \]
\[ \text{implement \{ \}
\]
\[ \text{event prv-i, prv-prv-i;}
\]
\[ \text{loop \{ }
\]
\[ \text{if(i) emit \text{next}(prv-i);}
\]
\[ \text{if(prv-i) emit \text{next}(prv-prv-i);}
\]
\[ \text{if(!i&prv-i&prv-prv-i) emit o;}
\]
\[ \text{pause;}
\]
\[ \text{\}} \]

\[ \text{Figure 1: Behavioral Description of a 110-Detector} \]

---

\( ^1 \)To be precise, immediate forms of \( \text{suspend} \) also have this ability.

\( ^2 \)In case the programmer does not provide a location variable, the compiler will automatically generate one.

\( ^3 \)Outputs are distinguished from inputs by prefixing their name with a \& symbol.

3 \textbf{Structural Descriptions}

Structural descriptions emphasize the hierarchy that is obtained by the composition of modules to new modules at the next level of the hierarchy. Structural descriptions are particularly popular in classic hardware design. In \( \text{Quartz} \), module instances can be used as ordinary statements, so that instances can run in sequence or in parallel, and can interact with each other.

\[ \text{module AND(event a,b,&out)} \]
\[ \text{always}
\]
\[ \text{if(a&b) emit out;}
\]
\[ \text{}
\]
\[ \text{module OR(event a,b,&out)} \]
\[ \text{always}
\]
\[ \text{if(a|b) emit out;}
\]
\[ \text{}
\]
\[ \text{module NEG(event a,&out)} \]
\[ \text{always}
\]
\[ \text{if(!a) emit out;}
\]
\[ \text{}
\]
\[ \text{module DFF(event a,&out)} \]
\[ \text{always}
\]
\[ \text{if(a) emit next(out);}
\]

\[ \text{}
\]

\[ \text{Figure 2: Behaviors of Basic Hardware Gates} \]

It is therefore straightforward to describe modular hardware structures by \( \text{Quartz} \) modules. To this end, no special syntax is necessary, all that is required is a restriction to certain statements: \emph{Basic structural modules}, which form the leaves of the hierarchy, are constructed by a behavioral description, i.e. their modules’ bodies contain a \( \text{Quartz} \) statement. Figure 2 shows some simple definitions of basic hardware gates.

Composed \emph{structural modules} simply consist of a local declaration of the internal variables (wires in the case of hardware circuits), and a parallel execution of the instantiated hardware modules. It might seem to
be wasteful to run a single thread for each hardware gate, but this may not be the case in the generated code: The compiler is able to merge all the loops that are obtained by expansion of the modules, so that a single thread can simulate the gate netlist in software (if wanted). A similar argument holds for hardware code generation, so that the number of location variables is reduced to only one pause statement (all the location variables are easily detected to have the same transition relations, so that the compiler can unify them all).

```plaintext
module DETECT110_Structure(event i, &o) {
    event w1, w2, w3, w4, w5, w6, w7;
    \| AND(i, w7, w2);
    \| DFF(w2, w3);
    \| NEG(w7, w4);
    \| AND(i, w4, w5);
    \| DFF(w5, w6);
    \| OR(w3, w6, w7);
}
```

Figure 3: Structural Implementation of a 110-Detector

An example is shown in Figure 3, where we implemented a hardware circuit for detecting a 110 subsequence in the input stream. As can be seen, structural descriptions are naturally obtained in a synchronous language like Quartz. Moreover, no special treatment is required for the compiler: it is obviously still possible to generate hardware and software from these modules. In case of hardware design, this offers the benefit of a highly efficient simulation at the synchronous level by compiling the obtained C programs individually for the particular design. For hardware synthesis, the compiler essentially generates the gates that have been used in the description. Hence, there is no loss of the hardware structure and neither a loss of efficiency due to the compilation.

4 Action Languages

Action languages are frequently used for modeling software or hardware systems at an abstract level. Examples of action languages are Unity [11], DisCo [22], TLA [23], sublanguages used in UML as well as languages used in model checkers like Murphi [14] or ALF [9].

The general model of computation of these languages is thereby that a program consists of a set of actions that are executed whenever an associated condition holds. In this sense, this computation model is related to the ‘guarded commands’ that were already considered by Dijkstra [12].

The translation of Quartz programs consists of computing also a set of guarded commands [39]: The compiler computes for each assignment $x = \tau$ the guard condition, i.e. the condition that holds iff the assignment is executed. Then, for each variable $x$, the hardware code generation will generate a case construct that checks the different guards and assigns the corresponding right hand sides.

It is therefore straightforward to directly integrate action languages in the Quartz language. The compiler is thereby even simplified, since the conditional actions can be directly used for the intermediate data structures of the compiler. Moreover, it is very simple to implement a given set of conditional actions as a Quartz module: given actions $(\gamma_1, \alpha_1), \ldots, (\gamma_n, \alpha_n)$, we simply use the following module:

```plaintext
module ModuleName() {
    loop {
        if($\gamma_1$) $\alpha_1$;
        \ldots
        if($\gamma_n$) $\alpha_n$;
        pause;
    }
}
```

The above scheme is very simple, but nevertheless very powerful. In particular, the combination of other Quartz statements like parallel execution, abortion, suspension, etc. allows us to capture also complex module transformations like merging of action modules and many others.

5 Property Specification

In this section, we consider the main ingredients of property specifications available in Quartz. Quartz offers additional constructs to specify complex temporal properties that we have to omit due to lack of space. In particular, temporal logics like CTL, LTL, special fragments of CTL* as well as the full $\mu$-calculus can be used for this purpose. In particular, past temporal operators are often very convenient as can be seen even with the simple example given in Figure 4: $s_1$ means that at all points of time $G$ on all computation paths $\alpha$ of the system, $o$ holds iff currently $i$ is false, and $i$ was true at the preceding two points of time. $s_2$ is another temporal specification stating the same property with only future operators. Finally, $s_3$ considers only one implication, and can therefore make use of the CTL logic and its more efficient model checking algorithms.

```plaintext
spec SpecDETECT110(event i, &o) {
    s1 : A G (o <-> !i & PSX (i & PSX i));
    s2 : A G (i & X i & X X !i <-> X X o);
    s3 : A G (i -> A X (i -> A X (!i -> o)));
}
```

Figure 4: Temporal Specification of a 110-Detector

\*see www.omg.org
Besides the possibility to simply list temporal logic specifications as shown in the specification module given in Figure 4, Quartz offers also inline specifications that refer to the corresponding control flow location of the program. These inline specifications are similar to those developed for VHDL in [32]. Moreover, it is possible to make use of regular and \( \omega \)-regular expressions similar to Accellera’s industry standard property specification language PSL. In contrast to PSL, we make use of Quartz statements to replace regular expressions by more readable program statements.

In the remainder of this section, we first present the possibilities of inline specifications and assumptions to support readable specifications as well as assume-guarantee reasoning. Then, we show how regular expressions can be translated to Quartz statements, and finally we briefly discuss similar translations for temporal logics.

5.1 Inline Assertions and Assumptions

Verifying a system aims at ensuring that the system has exactly the specified behavior. Traditionally, two kinds of specifications can be distinguished: White box specifications may refer to internal states or local variables of a module, while black box specifications only describe the external behavior of a module without referring to internals. In general, black box specifications should be preferred to support a hierarchical reasoning that is independent of a particular implementation. However, a specification may not hold all the time, but only after reaching some point of the computation which is conveniently defined with inline (white box) specifications.

In traditional programming languages, which lack a built-in verification support, programmers are used to employ assertions for this task: They specify a condition that should hold at a particular control flow location by means of assertion statements. Whenever the control flow hits such a statement during the execution of the program, the given condition is checked and the program is aborted if the condition is violated.

Quartz supports both black box and white box specifications by means of assume and assert statements. Like any statement, they can be used at an arbitrary point of a Quartz module and both statements take a list of labelled conditions, where the conditions can be given in the temporal logic LTL. However, their semantics is completely different: Assume statements list conditions that the programmer assumes to hold at the corresponding control flow location, whereas assert statements list conditions that have to be checked at that location. The verification tool trusts the programmer and uses the assumptions to check the other conditions. The task of assume statements is to give the verification tool additional information that can not be derived from the program alone. For example, knowledge about the environment and possible input values or complex mathematical relations can be added in this way. In many cases, it is possible to check the given assumptions if the final context is given by other modules, but some assumptions are directly given by the environment and can therefore not be checked unless a model of the environment is provided.

Of course, assume guarantee reasoning [19, 29, 42] is directly supported by the assume and assert statements. Moreover, statements in a module can be annotated with classical pre-/postconditions and loop invariants [13, 15, 20]. The task of the compiler is the extraction of the given assumptions and proof obligations and their hand-over to a model checker. Additionally, it creates specifications for common program errors: For example, for bitvectors, it is checked whether an overflow occurs due to arithmetic expressions, and for arrays, it is checked that the index expressions remain in the declared bounds.

Assume/assert statements implement a white-box specification. Specification of the black box behavior is achieved by defining an abstract module (an example is shown in Figure 4). The body of an abstract module does not consist of a statement: instead, a list of temporal specification is given that have to be fulfilled by any concrete module that implements the abstract module. The implements clause in the header of a concrete module tells the compiler to set up also proof obligations to check the temporal properties of the referred abstract module. These mechanisms allow us to establish a refinement relation between two modules similar to the B-method [24, 25].

Abstract modules are again only syntactic sugar: In principle, they consist of a sequence of assert statements that list the temporal specifications. For code generation, assume and assert statements are implemented in an observer that will set an error flag in case the property is violated during runtime.

In this way, Quartz allows the programmer the step-wise refinement of a given system. Starting with a pure temporal specification, proceeding with an intermediate action-oriented description, and finally concluding with a behavioral Quartz statement, a programmer can refine a given model of a system so that each refinement step can be proved to be correct. Moreover, as Averest is capable to handle unbounded integers, one can first start with unbounded integers, then one could check how large value may grow to finally determine sufficient bitwidths. Hence, also the data types can be refined during this process.

5.2 Regular Expressions and Finite Automata

In the previous section, we have shown where specifications can be placed in a module, but we left open, which logic is used to write down the formal specifications. Quartz allows one to use temporal logic specifications, in particular, the linear temporal logic LTL and the branching time temporal logic CTL. Moreover, certain fragments of the more powerful logic $\mu$-calculus are considered, and even the full $\mu$-calculus is supported,
which is currently one of the most expressive specification logics [37].

We discussed also the use of Accellera’s property specification language PSL for future versions of Averest, but came to the conclusion that synchronous languages can be used to make such specification much more readable: While PSL also provides LTL and CTL, it additionally considers regular expressions and finite as well as infinite paths in order to support both simulation and verification, respectively.

Regular expressions can also be added to Quartz as syntactic sugar: It is well-known that regular expressions, right- and left-linear grammars, and finite automata in different variants are equivalent to each other [7, 8, 10, 18, 21, 31]. Regular expressions are a very simple, yet powerful formalism to describe languages that are as readable as programs. We believe that a programming approach to specification is more appreciated by programmers and engineers. Towards that end, we will consider a finite fixed set of variables \( V \), that accepts the language \( \text{Lang}(r) \) [8, 10, 18, 21, 31]. It is even possible to compute a symbolic representation of such an automaton in time \( O(|r|) \) of length \( O(|r|) \) [37]. As Quartz programs are also a way to symbolically describe automata, we can directly translate regular expressions to equivalent Quartz statements, which is done by the following function \( Q \):

- \( Q(\emptyset) \equiv \text{assert}(\text{false}) \)
- \( Q(\{\}) \equiv \text{assert}(\text{true}) \)
- \( Q(\varphi) \equiv \text{assert} \varphi ; \text{pause} \)
  - with \( \varphi := (\bigwedge a \in \vartheta a) \land (\bigwedge a \notin \vartheta \neg a) \) for \( \vartheta \subseteq V \)
- \( Q(\alpha \vartheta \beta) \equiv Q(\alpha) \parallel Q(\beta) \)
- \( Q(\alpha + \beta) \equiv \text{choose} Q(\alpha) \text{ else } Q(\beta) \)
- \( Q(\alpha \beta) \equiv Q(\alpha) ; Q(\beta) \)
- \( Q(\alpha^*) \equiv \text{finloop} Q(\alpha) \)
- \( Q(\alpha^+) \equiv \text{loop} Q(\alpha) \)

\text{finloop} is thereby a loop that only finitely often iterates its body statement, but the number of iterations is nondeterministic. Using nondeterministic Quartz statements, it is possible to implement such a loop together with a temporal assertion statement:

\[
\text{finloop } S := \{ \text{event } \ell : \\
\text{choose } \text{emit } \ell \text{ else nothing:} \\
\text{while } \ell (\{ S ; \\
\text{assert } \text{F} \ell ; \\
\text{choose } \text{emit } \ell \text{ else nothing:} \\
\}) \\
\ell : \text{pause;}
\]

Special care has to be taken for instantaneous statements, i.e. for the empty word and the empty language. Moreover, as it is well-known that complement operations are redundant, i.e., every regular expression can be rewritten to eliminate complementation, it follows that we can translate every regular expression to Quartz.

As an example, consider the regular expression \( \{a\} + \{a\} \{b\} \) that describes all infinite words over the alphabet \( \{\}, \{a\}, \{b\}, \{a, b\} \) that does not contain two succeeding occurrences of \( b \). It is translated to the Quartz program given in Figure 5.

5.3 Observers for Temporal Logic

Although Quartz allows one to use full temporal logic formulas\(^2\) as specifications, it is sometimes more convenient to write observers with some reachability or fairness constraints. This is the classic approach that is used in many synchronous programming environments. Moreover, it is straightforward to compute for temporal past properties an equivalent deterministic (!) finite

\(^2\)Full temporal logic includes also past time operators, which makes the logic not more powerful, but exponentially more succinct and in general more readable [16, 26, 37].
loop
    choose {
    assert(a&!b)
    pause;
} else {
    assert(a&!b);
    pause;
    assert(!a&b);
    pause;
}

Figure 5: Quartz program for $\{a\} + \{a\} \{b\}$ω

It is straightforward to implement temporal past operators by means of equivalent Quartz modules that can then be simply called to ‘execute’ the specification.

module PastAlways(event phi, &failure) {
    while(phi) {
        pause;
    }
    emit failure;
}

module PastUntil(event phi,psi, &failure) {

    bool q;
    q = false;
    loop {
        next(q) = psi | phi & q;
        pause;
    }
}

It is well-known how to translate LTL formulas $\varphi$ to equivalent $\omega$-automata $A_\varphi$ (see [37] for further references), and even translations to symbolic automata exist that work in linear time (thus producing linear-sized output). We can also use these algorithms to directly generate nondeterministic Quartz statements with assert statements to capture the fairness requirements that are generated by these translations.

6 Summary and Conclusions

In this paper, we have shown that different aspects of a system can be described with a unique programming paradigm. We use the synchronous programming paradigm to describe modular concurrent systems like hardware gate netlists, action-oriented modules, as well as temporal assertions (even extended by $\omega$-regular expressions) in form of simple syntactic sugar. Hence, synchronous programs may not only serve as realization independent descriptions for either hardware or software; they can also be used as alternatives to complex property specification languages like PSL. In addition to increased readability, the approach offers also simulation and execution of these specifications on different architectures.

References

[16] Gabbay, D., Pnueli, A., Shelah, S., and