Anvil: A General-Purpose Timing-Safe Hardware Description Language
Jason Zhijingcheng Yu, Aditya Ranjan Jha, Umang Mathur, Trevor E. Carlson, Prateek Saxena
TL;DR
Anvil addresses pervasive timing hazards in hardware design by introducing a general-purpose HDL with a novel static type system that enforces timing safety across registers and signals. It models timing via events, lifetimes, and an event graph, allowing dynamic timing behaviors to be expressed while maintaining compile-time guarantees and safe module composition through timing contracts. The language provides channel-based communication, explicit timing control, and a formal safety framework, and it compiles to SystemVerilog with modest area and power overheads. Empirical evaluation across latency-sensitive components demonstrates practical viability, integration with SV projects, and no additional cycle latency. The work shows timing safety need not come at the cost of expressiveness, enabling safer, more reliable hardware design flows.
Abstract
Expressing hardware designs using hardware description languages (HDLs) routinely involves using stateless signals whose values change according to their underlying registers. Unintended behaviours can arise when the stored values in these underlying registers are mutated while their dependent signals are expected to remain constant across multiple cycles. Such timing hazards are common because, with a few exceptions, existing HDLs lack abstractions for values that remain unchanged over multiple clock cycles, delegating this responsibility to hardware designers. Designers must then carefully decide whether a value should remain unchanged, sometimes even across hardware modules. This paper proposes Anvil, an HDL which statically prevents timing hazards with a novel type system. Anvil is the only HDL we know of that guarantees timing safety, i.e., absence of timing hazards, without sacrificing expressiveness for cycle-level timing control or dynamic timing behaviours. Unlike many HLS languages that abstract away the differences between registers and signals, Anvil's type system exposes them fully while capturing the timing relationships between register value mutations and signal usages to enforce timing safety. This, in turn, enables safe composition of communicating hardware modules by static enforcement of timing contracts that encode timing constraints on shared signals. Such timing contracts can be specified parametric on abstract time points that can vary during run-time, allowing the type system to statically express dynamic timing behaviour. We have implemented Anvil and successfully used it to implement key timing-sensitive modules, comparing them against open-source SystemVerilog counterparts to demonstrate the practicality and expressiveness of the generated hardware.