A model and proof technique for verifying hardware compilers for communicating processes

We show how to verify a hardware compiler from communicating processes to both speed-independent and clocked hardware. We present a systematic and modular technique for correctly realizing abstract components in asynchronous or clocked hardware, and use the technique to derive verified asynchronous and synchronous versions of our compiler. Our work is based on a previously verified algorithm that translates a core version of occam called Joy into delay-insensitive handshake circuits. We introduce a trace-based theory of circuit behavior that allows delay-insensitive, speed-independent and clocked behaviors to be described. A novel feature of our theory allows clocked implementations to be related to unclocked specifications. We present a novel technique based on protocol conversion to translate delay-insensitive handshake circuits into specifications for speed-independent or clocked circuits while preserving correctness. We present compilers that translate Joy into four-phase speed-independent circuits and clocked circuits. Finally, we prove that the circuits generated by the compilers are satisfactory realizations of the specifications generated by protocol conversion. Much of the proof was carried out automatically by a tool we wrote for the purpose; the rest involved algebraic manipulation. The principal lesson we learned from this research is that verifying hardware compilers for communicating processes is tractable. We also learned how to structure a hardware compiler for easy verification. The protocol conversion technique can be applied to any compiler that targets handshake components, providing a unified and systematic approach to hardware compiler verification that encompasses asynchronous and clocked circuits.
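The abstract does not spell out how a clocked circuit is related to an unclocked, trace-based specification. The following is an added illustration, not code or notation from the paper, of the general idea in the simplest setting: a single four-phase handshake channel (request `req` driven by the environment, acknowledge `ack` driven by the component) specified as the set of prefixes of (req+ ack+ req- ack-)*, checked by bounded trace inclusion against clocked implementations whose clock events are erased from the observed trace. The signal names, the specific environment model (the environment only makes the move the protocol permits) and the clock-erasure relation are assumptions chosen for the example; the paper's own theory, protocol conversion and tool are not reproduced here.

```python
"""Bounded trace-inclusion check of clocked handshake circuits against an
unclocked four-phase specification.  Added illustration; the modelling
choices (signal names, environment model, clock erasure) are assumptions
for this example and are not taken from the paper."""

# Assumed specification: one four-phase handshake channel.  A trace is a
# tuple of signal transitions; the component is correct (for safety) if
# every trace it can produce is a prefix of repetitions of this cycle.
SPEC_CYCLE = ('req+', 'ack+', 'req-', 'ack-')


def spec_accepts(trace):
    """True iff `trace` is a prefix of (req+ ack+ req- ack-)^*."""
    return all(ev == SPEC_CYCLE[i % 4] for i, ev in enumerate(trace))


def clocked_traces(next_state, output, init, n_cycles):
    """Enumerate the clock-erased traces of a clocked circuit over n_cycles.

    next_state(state, req) -> state   register update at a clock edge
    output(state)          -> ack     combinational output (0 or 1)

    Assumed environment model: between two clock edges the environment
    either does nothing or makes the one move the protocol allows it
    (raise req while req=ack=0, lower req while req=ack=1).  Only signal
    transitions are recorded; clock edges themselves are erased, which
    is how a clocked implementation is compared with an unclocked spec.
    """
    results = set()

    def explore(state, req, ack, trace, cycles_left):
        results.add(trace)
        if cycles_left == 0:
            return
        moves = [(req, trace)]                      # environment idles
        if req == 0 and ack == 0:
            moves.append((1, trace + ('req+',)))    # environment requests
        elif req == 1 and ack == 1:
            moves.append((0, trace + ('req-',)))    # environment releases
        for new_req, t in moves:
            s2 = next_state(state, new_req)         # clock edge
            ack2 = output(s2)
            if ack2 != ack:                         # ack changed: record it
                t = t + ('ack+' if ack2 else 'ack-',)
            explore(s2, new_req, ack2, t, cycles_left - 1)

    explore(init, 0, output(init), (), n_cycles)
    return results


def check(next_state, output, init, n_cycles=6):
    """Return None if every bounded trace of the implementation is accepted
    by the specification, otherwise the shortest violating trace."""
    bad = [t for t in clocked_traces(next_state, output, init, n_cycles)
           if not spec_accepts(t)]
    return min(bad, key=len) if bad else None


# Assumed implementation 1: a single register, ack <= req at each edge.
def reg_next(state, req):
    return req


def reg_out(state):
    return state


# Assumed implementation 2: ack delayed by two clock cycles.  Clock erasure
# makes it indistinguishable from implementation 1 at the trace level.
def delayed_next(state, req):
    return (req, state[0])


def delayed_out(state):
    return state[1]


# Assumed implementation 3 (buggy): asserts ack after the first clock edge
# whether or not a request was made.
def always_ack_next(state, req):
    return 1


if __name__ == '__main__':
    print('register       :', check(reg_next, reg_out, 0))          # None
    print('two-cycle delay:', check(delayed_next, delayed_out, (0, 0)))  # None
    print('always ack     :', check(always_ack_next, reg_out, 0))   # ('ack+',)
```

The bounded check is a safety check only: an implementation that never acknowledges would pass it, since the empty trace and its prefixes are all accepted; relating liveness (every request is eventually acknowledged) needs a stronger notion than prefix inclusion, which is one reason a dedicated theory such as the paper's is needed beyond this toy.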