csla: LEMMA val2(node(stv)). = 1 IMPLIES. COUNTLOGIC(stv,ldn,fn). = make_triple(ADDl(count(stv)),. BOOLF(bit2(0,fn)),. NEXTNODE(node(stv),fn,double(stv)).
e....----"--
NASA
Technical
Memorandum
AVSCOM Technical
Memorandum
100669 88-B-017
HARDWARE PROOFS USING EHDM AND THE RSRE VERIFICATION METHODOLOGY
(_ASA-IE-lOObtg) &EL TE_ ES_E |_ASA)
90
EJEEhAEE VEE]_]CA_]CE _
EECGFS USING BE_ECDCLCG¥ CSCL
N89-I_002 EBD_ 09E
3/6 2
Ricky W. Butler
Jon A. Sjogren
December
1988
Nalional Aeronautics and Space Admznlslrahon Langley Research Center Hampton, Virginia 23665-5225
US
ARMY_
AVIATION SYSTEMS AVIATION
COMMAND R&T ACTWITY
TABLE
INTRODUCTION SUMMARY
THE
RSRE
HARDWARE
Definition Mapping
to
SIX-BIT
of
Automata
Top-Level
Specification
of
PROOFS
cir
................
.......................
..........................
6
...........................
7
Circuit-Spec
to Silicon
24
........................
25
..................................................
Between
Major
State
Proof
Between
Block
Diagram
Level
N-BIT
WORDS
and
Major
Machine
Spec
Spec
Spec
and
State and
Machine
Block
Circuit-Level
Spec
Model
OF
FORMAL
....................................................
PROOFS
Introduction
to
Proving
P[oofs
.....
26
...
31
Spec
Spec
SPECIFICATION
.......
.....................................
in EHDM
•
35 36 40
...............................
40 41
..............................................
......................................................
43
.......................................................
44
THEORY
45
REFERENCES APPENDIX
A
APPENDIX
B SUGGESTIONS
Definition
of
OF
the
GENERAL FOR Values
Definitional
Axioms
Improvement
to P[oof
C
17
21
Proof
APPENDIX
ii
........................
...........................................
Top
CONCLUSIONS
2
21
Between
of
2
......................................
Proof
Status
2
.........................................
CIRCUIT
Cnt6
Translation
COUNTER
SPECIFICATION
SPECIFICATION OF
METHODOLOGY
Finite-state
the
SPECIFICATION Listing
OF
AUTOMATA of
DIAGRAM
INFORMAL
VERIFICATION
SPECIFICATION
FINITE-STATE
BLOCK
CONTENTS
.....................................................
OF
TOP-LEVEL
OF
FULL
LISTING
WORDS
...............................
IMPROVING of
EHDM
a Type
........................
............................
........................................... Instantiator OF
INCLUDING
PROOFS
50 5O
.............................
SPECIFICATIONS
50
.......
52 54
INTRODUCTION Recently NASA,Langley Research Center and the Royal Signals and Radar Establishment (RSRE)have initiated a joint research program in formal verification of life-critical systems. The first phase of this work involves a critical assessment of the RSREwork on the VIPERmicroprocessor. The VIPER was designed by RSREresearchers specifically for life-critical applications and was subjected to a formal proof of correctness. The proof methodology is based on a hierarchical specification of the system design. This methodology was first illustrated on a 6-bit counter by RSREin the RSREMemorandum 3832 entitled "Hardware Proofs using LCF-LSMand ELLA" by W. J. Cullyer and C. H. Pygott (ref. i.) In this paper, the RSREapproach to hardware verification is studied in the context of a different specification language -- Revised Special developed by SRI International (ref. 2). The reason the methodology is explored via a different specification language is twofold: (i) to expose any weaknessesin the methodology due to the specification language LCF-LSM,and (2) to explore the feasibility of using EHDM(EnhancedHierarchical Design Methodology) for hardware verification using the RSREmethodology. In this paper RSRE's6-bit counter example is re-specified in Revised Special. In the RSREreport, the proofs between the levels of the hierarchical specification were accomplished by hand. In this report, the proofs are performed using the EHDM(EnhancedHierarchical Design Methodology) theorem proving system. The paper makesa comparison between the LCF-LSMand Revised Special languages. The viability of the RSREmethodology is discussed. Particular attention is given to the feasibility of using their methodology in concert
with
the
EHDM
SUMMARY
The
RSRE
specification.
approach The
tools.
OF
RSRE
HARDWARE
to verification formal
hierarchy
VERIFICATION
is based consists
on of
METHODOLOGY
the the
(i) Functional (2) Finite-state (3) Block (4)
Circuit
model model
automata
use
of
following
hierarchical four
levels:
The proof between level (i) and (2) establish that the finite automata of level (2) implements all of the functions of the top level. The top level consists of axioms which define the output of the circuitry in response to inputs without any details of the steps that are performed to accomplish the computation. Thus, the top level is essentially the definition of a mathematical function. The second level decomposesthe function into sequences of steps which can accomplish the overall functionality. The sequencesof steps are defined by a finite-automata model. Proof that level (I) follows from (2) is accomplished by enumerating all possible sequences that the finite automata can perform and demonstrating that these accomplish the function of level (i). At level (2) the computation performed by each transition of the finite automata is specified by a mathematical (sub)function. The details of how each of
these
subfunctions
specifies of
an
how
electronic
establishes the
level
(3)
In last
ELLA
in
the
proofs
the
RSRE was
each
hierarchy between
of
of
each
work
the
the
either source,
be
levels
first
the
bit
control
until
level
are
(2)
between of
(2)
between (3)
level
(2)
are
level
model
is
(3).
Level
accomplished
level
level
proof
level
proof
was
used
and
in terms
(3)
properly (3)
(3)
and
correctly
computed
by
(4) implemented
proved
by
its
incremented signal.
levels
(ref.
3.)
The
specified third
specification.
to
be
in
between
levels
(3)
the
(2 ) and and
in
level
The
theorems
(2 ) and
between
were
LCF-LSM.
was
also
properties level
(4) are
specified
at each
below
(3 ) are
The
it.
level
The
accomplished
accomplished
by
the
exhaustion".
SPECIFICATION
RSRE
a six-bit at
three
LCF-LSM
(1 ) and
"intelligent
retained or
the
in the
in ELLA
to
must
The
example
methodology
specified
proof
subfunctions
"block"
TOP-LEVEL
The
of
The
Finally,
specified
in addition
analytically. method
subfunctions
diagram.
is not
gates.
level
in
the
structure.
that
logic
of
computed
block
that
establishes with
each
are
to
OF
illustrate
counter.
The
their
counter
current
value,
loaded
once
twice
depending
The
or
informal
SIX-BIT
specification
COUNTER
specification/verification holds
with on
a value
a new the
for
value
value
the
of
counter
"count"
which
from
an
external
"func",
a two-
is
is
func
=
0
Do
func
_
1
Load
func
-
2
Increment
"count":
3
Increment
"count"
func-
In
the
RSRE
this
written
hierarchical
"count"
"count"
report
specification
from
more
specifications formal
twice:
as
where the
presented
Specification
The each
result
the
input,
count
:= count
+ 1
i.e.
count
:= count
+ 2
is of
successive of
"loadin"
i.e.
design
in Revised of
parallel
specification
in LCF-LSM.
detail are
unchanged a 6-bit
informal
specification
introduces
The
nothing:
design
translated the
into
counter
level
in
decisions.
a
formal
is documented
the
by
hierarchy
In
this
Special
is:
paper
these
Special.
counter
in Revised
cnt6: MODULE USING words THEORY states:
TYPE
word6: word2:
TYPE TYPE
state:
VAR
is word[6] is word[2] states
loadin,w: VARword6 func: VARword2 val2:function[word2 val6:function[word6 mw6: function[int
->
-> int] -> int] word6]
is val[2] is val[6] is mw[6]
cnt: function[states -> word6] exec cnt: function[states,word6,word2 ready: function[states -> bool] addl
->
-> word6] == -> word6: IF val6(w) = 63 THEN ELSE mw6(val6(w)+l)
states]
mod64:function[word6 ( LAMBDAw
mw6(0)
END ) ready_ax: counter
ax: -
_D
cnt6
AXIOM AXIOM
ready(state)
IMPLIES
ready(exec_cnt(state,loadin,func)
ready(state) IMPLIES cnt(exec cnt(state,loadin,func)) IF val2(func) = 0 THEN cnt(state) ELSIF val2(func) = 1 THEN loadin ELSIF val2(func) = 2 THEN addl mod64(cnt(state)) ELSE addl mod64(addl mod64(cnt(state))) END
) =
a
It is unnecessary to present details about Revised Special, since the above specification can be understood with a little explanation. (This is probably the best way to be introduced to a formal specification language -- by way of example. ) The first line assigns the name"cnt6" to the specification. The second line indicates that an external module "words" will be used in this module. This will be explained in more detail in the following discussion. The next three lines which follow the THEORY keyword define three "types" -"states", "word6", and "word2". These types will be used to distinguish logic variables which represent the state (or "count") of the machine, 6-bit words, and 2-bit words, respectively. Types serve the samefunction in the formal specification language as in a programming language -- they enable the automatic system to detect user errors. The first type "state" is uninterpreted, that is, there is no domain of values or any meaning associated with it. At this level of abstraction it represents the state of the machine, but details about what constitutes the state of the machine are not specified. The two types, "word6" and "word2" are equated to word[6] and word[2] by the "is" clause. They represent the domain of 6-bit words and 2-bit words. N-bit words are used to specify an N-bit transmission lines which can be interpreted as integers or as ordered sets of boolean module
values.
The
"words"
which
"SPECIFICATION define are
four
OF logic
mathematical
defined.
The
properties
of
the
is discussed
N-BIT
of
The
next
- "state",
variables, meaning
in detail
WORDS".
variables
generic
not these
type
in the three
"w"
variables)
functions
are
section
lines
"loadin",
program
word[N]
of
defined
in
entitled the
specification
and
"func".
Next,
seven
(Note.
These
functions
are
are:
val2:
maps
an unsigned
2-bit
word
to
its
positive
integer
equivalent
val6:
maps
an
6-bit
word
to
its
positive
integer
equivalent
mw6:
maps
a positive
cnt:
returns of
exec
cnt:
the
maps
unsigned
the
integer
value
of
into
the
the
an unsigned
6-bit
counter
6-bit
when
word
applied
to
the
"state"
machine
the
state
of
the
machine
to
its
new
state
when
the
counter
"executed" ready:
when
applied
only
if the
the
next
to
the
machine
"func".
state
of
is
the
This
in
the
function
machine
ready
returns
state,
is necessary
i.e.
"true" ready
since
the
if and to
receive
execution
is
of the counter is not instantaneous. There are intermediate states in the machine. It is important to prove that when the counter is executed (i.e. via exec cnt) the machine is returned to
addl
The
where
property
was
mod64:
first
adds
three
"words". lower
a state
The
levels
The behavior
last
part
of
the of
"exec
transforms
"state",
are
the
and
in
to
are
the
the RSRE
input.
(Note.
This
work).
functions
defined
in the
in more
detail
module (formally)
at
hierarchy.
first
provides axiom
the
function
"exec
state
the
counter
in
thus
defines
the
and
func
axioms
expresses
of
of
the
two
in terms
"func"
next
word
elaborated
specification
counter
"loadin",
equated
The
receive
to a 6-bit
functions
counter.
properties cnt"
the
to
considered
specification
of
the
ready
(modulo-64)
three
the
is
not
functions
of
last
1
it
which
most
the
important
cnt".
response
define
to
The the
"execution"
of
function
inputs the
counter:
Ioadin
oLJ _R
OOLErER
state
exec_cnt:
state
OOUNTER
At
this
--
the
level
The is the
of
value
of
is
ready.
machine
function ready
--"
state
cnt:
for
machine
abstraction, the
counter, The
value
"ready"
returns
input.
The
is
the
ready,
an
integer
of
the
the
of
the
machine
between
0 and
counter
a boolean
execution
then
state
of
counter
COURt
is
returned
variable the
63,
only and
by
indicating
counter
will
has
operate
two
whether
the
function
whether
is defined correctly
properties
by
the
"exec
and
the
the "cnt". machine cnt". state
If of
the counter will be updated according to the "counter ax" axiom. If the value of func is 0 (i.e. val2(func) is 0), then the value of the counter remains the same (i.e. cnt(state) -- the original state). If the value of "func" is i, then of
the
value
"func"
one is
is
must
of 2,
the
then
consider
currently
at
counter the
the 63 -
is
value
case
changed
of
where
1111112
the
, it
arithmetic.
The
"addl
modulo-64
arithmetic.
The
meaning
simple.
If
the
val6(cnt(state)) 0
(i.e.
value
) is
mw(6)
of
--
the
Thus,
value
the
"func"
=
the
value
of
the
then
plus
addl
If
63, 6-bit
counter
for
of
one
2 the
of
second
"func"
the
axiom,
counter
function the
(i.e. value
This adds
"addl
value
a single whose
0).
of
the
is
0).
Of
course,
(i.e.
if
the
counter
is
captured
by
variable
in
concept
a word6
state
the
counter
specification
(i.e.
turn-over
Otherwise,
the it
mw6(val6(cnt(state))+l) of
value
I.
function
will
the
by
1 to
nod64"
increment value
over"
If
counter
is
just
to
the
).l
becomes
mod64(cnt(state))
is
3,
addl
The
of
"loadin".
incremented
"turns
becomes
nod64"
value
is
counter
current
word
the
counter
next
modulo-64
is
the
to
"ready
returns
then
mod64(addl
ax", the
a double
is performed:
mod64(cnt(state)))
expresses
counter
increment
to
a
the
concept
ready
that
state,
if
a
complete
it was
execution
originally
ready.
THE
The
six-bit
counter
abstraction.
The
specification
in
later
specification
4 states
named
The
is
"addl
concept being
=
x
int
->
2the x +i :
start
is The
x*x+l)
.
-)
be
is
and
"fetch"
automata called
referred
"load"
to
finite shown
at
the as
this
EHDM'
followed
by by
the
by
s
LAMBDA
indicates the
the
finite-state
figure
consists i.
The
type For f :
notation. that
formal of
example, functionl
a
The function
arguments the
the ->
is to
function
int
of
major-state
automata in
level
state.
using
provided. defined
is
The
"LAMBDA"
followed is
is
paper.
defined
is
body formally
but
"inc2",
kayword
keyword
symbol
function's would
hierarchy
this
in the
function
This The
Finally, f (x)
in the
SPECIFICATION
a finite-state
documents,
"incl",
intuitive.
defined.
function.
RSRE
as
throughout
to
mo464" i_
level
"fetch",
assumed
AUTOMATA
is defined
second
automata
machine
FINITE-STATE
the
result. integer int)
=
function (LAMBDA
of
fun¢*O
fetch
load
inc 1
inc 2
Figure
It is also
necessary
not
mathematically
specification.
i.
only map
These
Diagram
to describe the
more
issues
are
Definition
The
finite
state
"triples".
2
constitutes used the
for
The an
other
section
Modules programming specifications.
model first
N-bit
called
serve
module
designs.
"FORMAL
the language
same
they
finite-state
addressed
in
two
provides
The
OF
onto
a
N-BIT
this
definition
--
"words"
definition
is generic
as
The
they
do and
and
of
and
is described
WORDS".
Speczal the
but
sections.
modules
formal
"words"
Revised
two
formally,
Automata
module
module
facilitate
automata
next
external
specification
in
the
Finite-state
using
automata
specification
SPECIFICATION
purpose --
this
"words"
This
finite-state
abstract
of
is defined
word.
hardware
of
what
can
be
in detail
theory
in re-use
of
a of
in
N-bit
words
can
similar
be
used
MAPPING
by
"importing"
clause.
This
the
module
"words"
module
defines
the
via
a USING
following
clause
or
the
functions:
/ val:
maps
an
mw:
maps
unsigned
bit:
returns
These N,
the
functions
the
(i.e.
number
N-bit
are of
to an
integer
to
contents
defined
bits
declaration
word
of
unsigned
integer
an
word
a specified
in a
bit
in
"parameterized"
in a word).
in a USING
N-bit
Thus,
clause),
for
there
a word
module
each are
(i.e.
parameterized
"instantiation"
three
of
different
the
by module
functions.
For
example,
USING
words[2],
defines
two
bit[2],
val[6],
The
module
triple
has
"second", via
the
types
--
three
and
wordI6]--
the
concept
defines
components
which
An
can
ordered
make_triple.
the
following
The axiom
"state"
(count,
of
the
double,
of
be
six
in
finite-state
an
functions
"ordered
accessed
triple
Makemtriple ax: AXIOM x -- firstTmake triple(x, y, z)) AND y = second(make triple(x, AND z = third(make_triple(x,
The
and
--
val[2],
mw[2],
3
ordered
bit[6].
"third".
function by
word[2]
mw[6],
"triples"
and
described
words[6]
the
with
is created
relationship
triple". the
from
between
triples
The
functions individual
these
"first", components
functions
is
module:
y, z)) y, z))
machine
is
designated
counter,
a number
by
an
ordered
between
0 and
triple:
node)
where count
=
double= node
3
Mathematicians
=
the current inclusive a boolean increment indicates
typically
value
of
the
variable which is true if is to be performed at which node the machine
use
the
notation
8
(x,y,z)
and is
only
if
a double
currently
located
to
a
define
triple.
63
This triple
is defined formally as follows:
USINGtriples[word[6],bool,word[2]] statevector: count: double: node:
The
TYPE
function[ function[ function[
first
line
parameterized where bool
the and
by
first the
boolean,
and
a 2-bit
accessed
via
the
function. response
NEXT:
This
to
function
was
4 lines.
function
defined
as
Thus
individual
finite
maps
follows
readability
names
components and
are
"func"
and
->
the
EHDM
synonyms
when
the
function
are
defined
was
using
defined
the
--
of
of is
of
are is
of
type
the
exported an
triples
from
alternate
a 6-bitword,
the
triple
can
a be
"node".
defined
"statevector"
in
which
statevector
"double",
was
component
components
automata
the
code
the
module
in a theory
second
enhance
following
"count",
the
to
results
the
To
The
to
by
the
the
new
NEXT
"statevector"
"loadin":
statevector]
original
version:
function[statevector,word6,word2 -> statevector] (LAMBDA stv,ldn,fn -> statevector: IF val2(node(stv)) = 0 THEN FETCH(count(stv),double(stv),idn,fn) ELSIF val2(node(stv)) = 1 THEN INCl(count(stv),double(stv),idn,fn) ELSIF val2(node(stv)) = 2 THEN INC2(count(stv),double(stv),idn, ELSE LOAD(count(stv),double(stv),idn,fn) END
Unfortunately,
In
word[6],
function[statevector,word6,word2
NEXT:
4
--
triples. This
given
the
The
function
2-bit
type
next
word.
of
of
word[2]"
are
with
functions
NEXT
the
names
"triple"
theory
is word[2].
in the
transitions The
of
component
module
word6 ] is first bool ] is second word2 ] is third 4
generic
is
alternate
-> -> ->
bool,
component
type
allowed
the
"word[6],
the
The
for
statevector statevector statevector
third
"triples"
name
triple
imports
specification, the
is
in this
keyword
"is"
=
fn)
manner,
the
EHDM
theorem
in
prover
required
consequently
NEXT0
defined
ax:
NEXT1
AXIOM
ax:
NEXT2
AXIOM
ax:
NEXT3
excessive
AXIOM
ax:
AXIOM
By
defining
the
be
directed
to
is defined the
in
using
(i.e.,
proving
using
properties
of
"NEXT"
were
axioms:
(sty ),idn, fn )
= =
1 IMPLIES INCl(count(stv),double(stv)
,Idn,fn)
val2(node(stv)) NEXT(stv,ldn,fn)
= 2 IMPLIES = INC2(count(stv),double(stv)
,idn,fn)
val2(node(stv)) NEXT( sty, Idn, fn)
= 3 IMPLIES = LOAD( count(stY),
find terms of the
the
the
the
in a more
of
four
INCI,
level
CPU
implements
time.
and
functionality
the of
These proofs
the
INC2,
in
form
top_Level
functions required
5
of
were only
a
is captured
idn, fn)
theorem
prover
The
LOAD,
all
this
the
counter
the
manner.
Originally
However,
double(sty),
axioms,
efficient
subfunctions
syntax.
this
definitions
using
specification.
LAMBDA
that
of NEXT
proof
of
"axiomatic"
total
The
val2(node(stv)) NEXT(stv,ldn,fn)
amounts
The
time.
val2(node(stv)) = 0 IMPLIES NEXT (stv, idn, fn ) = FETCH (count (stv ),double
exhorbitant
"Finite
of
4 separate
properties
readability
defined
amounts
and
the the
function
FETCH
formal
enhance were
proofs
required
redefined
in
to
NEXT
subfunctions
spec)
few
could
using
minutes the
to
complete.
function
automata":
Finite
automata:
function[ statevector,word6,word2 -> statevector ] = (LAMBDA svt, idn, fn-> statevector: IF val2(fn) = 0 THEN NEXT( svt, idn, fn) ELSIF val2(fn) = 3 THEN NEXT(NEXT(NEXT(svt,ldn,fn), idn,fn ),idn,fn ELSE NEXT(NEXT(svt,ldn,fn), idn,fn )
)
END)
One which
could is
Although "human"
easily equivalent
defining prover
function can be
is used drasticly
citing
the
prove to
--
functions
the i.e.
that the
the function
subfunctions one must
in a reduced.
formula
whose
The
former
specification defined by
with explicitly
axioms cite
being proved reduction
eKpansion
is
i0
in
these
increases the axiom
--, the proving
relevant
defines four
amount time to
the
a axioms.
function
the work whenever of comes proof.
proving by
of
the the time
only
6
This function defines the sequenceof calls of "NEXT"which accomplish each function. This function represents a "spanning tree" of the graph shown in figure 2.
Figure 2. - Spanning Tree for Finite-Automata If
"Finite
"fetch"
Automata" is defined properly,
node
specified
The
to
statements.
(In
requires
constant "cnt6"
the
completion
of
the
Mapping
the
function
of the
the
the
higher
the
that
RSRE
level report
a mapping
module
following
to
being
be
Top-Level
of
following
cnt,
will
as well
as
be
returned
performing
to
the
the
the
exec
functions
cnt,
were
are
connections
provided
mapped
uninterpreted
Specification
abstraction
for
(i.e. type
states
The
counter
function.
mappings
EHDM
at
the
defined:
ready:
ii
was
between
every
the
made
higher
defined:
using models
uninterpreted level
EHDM
mapping
were type
informal). and
specification).
every In
These are "mapped" in module "cnt6 fa" as follows: cnt6.states:
TYPEFROMstatevector
cnt6.cnt:
function[statevector
cnt6.exec
cnt:
cnt6.ready:
prefix
The
"cnt6"
function
component
indicates "cnt"
accessor
function
"exec
The
"cnt6"
function
"ready"
automata
cnt6.ready:
cnt"
need
for
this
designed
return
machine
for
the
This
next
was
now
counter to the
input.
property
sty
function
not
The with
RSRE
report
respect
examined
does
impact
of
is executing
by
built
concept
on
"loadin" "func" samples clock
the
"loadin"
them. u
one
The clock
lists
lines finite tick
changes
the
in
automata
the
if and
the
interaction
"loadin"
time
exit
the
but
of
an
not
correctly
it
the
while
is
ready
circuit.
from
which
be driven
finite
the
The the
report
The
lists
of
of values the by
automata.
counter
finite
conditions".
sequences points
of
"loadin".
samples
to
that
specification.
Issues
the
)
where
nature
Timing
countable
12
true
fetchnode
"count"
and
of
returns
is possible
LCF-LSM
is assumed
transition
=
and
the
for
"Finite_automata".
"fetchnode",
automata
at
abbreviation
=
"func"
"func"
contain
that
correct
define in
finite
function
"sequential"
and
mapped.
"triples".
It
the
"hoisting
contain
per
bool]
RSRE
being
"fetchnode":
namely
the
)
is an
function at
return
formally
type
clear.
state,
called
that
These
becomes
in the
changes
a method
values. and
not
a
are
which
the
statevector]
fetchnode
node(stv)
Interface
to asynchronous
the
by
->
captures
External
to
-> bool:
could
captured
of
located
proper
This
"count"
is mapped
is currently
=
functions
"first"
function[statevector
improperly the
to
is mapped
(LAMBDA
The
"cnt6"
function
"cnt6"
the
that
is mapped
The
if
->
function[statevector -> bool] = (LAMBDA stv -> bool: node(sty)
"cnt6."
only
is count
function[statevector,word6,word2 is Finite automata
The
first
-> word6]
automata method
"func" which
finite
is and the
automata
a synchronous Thus,
the
calls
to "NEXT"are triggered by the synchronous clock. The analysis given in the RSREreport indicates how to match the values in the list with the execution of the counter. Since it is possible that the value of "func" or "loadin" can change over time, this must be accounted for in the specification. In the "cnt6 fa" specification above it is implicitly assumedthat the values do not change until the counter has returned to the "fetchnode" state. This is implied by the fact that all of the calls to "NEXT"in the function "Finite automata", use the samevalues of "idn" and "fn" (i.e. the parameters which correspond to "loadin" and "func" in the top spec). For example, NEXT(NEXT(NEXT(svt,ldn,fn), idn,fn
),idn,fn
)
If this assumption is not valid, the specification could be generalized by defining a list of "func" and "loadin" signal values: clocktime:
TYPEis int
funcsigs: function[clocktime -> word2] loadinsigs: function[clocktime -> word6] These functions "map" the synchronous clock time to the values of "func" and "loadin" at those times. It is necessary to assumethat the values of "func" and "loadin" are "stable" at the time that the finite automata samples them. In order to relate the behavior of the finite automata over time to these input values it is necessary to extend the definition
of state to include time:
(count, double, node, clk) The first current automata
USING
three
components
time,
i.e.
thus
far.
the
are
number
Formally,
as
before.
of
clock
pulses
we
would
have:
quads[word6,bool,word2,nat]
statevector:
TYPE
The
is quad
13
fourth which
component have
been
indicates sent
to
the
the
count:
function[ function[ function[ function[
double: node: clk:
Function
"NEXT"
value
clk.
of
NEXT0
ax:
statevector-> statevector-> statevector-> statevector->
and For
AXIOM
its
subfunctions
would
have
to
be modified
to
increment
the
example,
val2(node(stv))
NKXT(stv,ldn,fn) =
word6 ] is first bool ] is second word2 ] is third word2 ] ] is fourth
=
=
IF val2(fn)
0 IMPLIES
FETCH(count(stv),double(stv),clk(stv),idn,fn)
z 0 THEN
make_quad(count(stv),BOOLF(bit2(0,fn)),fetchnode,clk(stv)+l) ELSIF val2(fn) = 1 THEN make_quad(count(stv),BOOLF(bit2(0,fn)),loadnode,clk(stv)+l) ELSE make_quad(count(stv),BOOLF(bit2(O,fn)),inclnode,clk(stv)+l) END The
net
result
definition clock
of
would
be
to
formally
"Finite_automata"
to
connect the
sequence
of
NEXT(svt,loadinsigs[l], loadinsigs[2],
loadinsigs[3],
The
cnt6_fa
cnt6
arguments func
of and
"NEXT" loadin
in the values
over
time:
NEXT(NEXT(
The
the
fa:
MAPPING
specification
cnt6
excluding
funcsigs[l]),
funcsigs[2]),
funcsigs[3])
fa
Specification
the
proofs
is:
MODULE cnt6
ONTO
words,
triples[word[6],bool,word[2J],bsignal
THEORY
(* word2: word6:
create TYPE TYPE
some
abbreviations
is word[2] is word[6]
mw2: function[int mw6: function[int val2:function[word2 val6:function[word6 bit2: function[int,
-> word2] is mw[2] -> word6] is mw[6] -> int] is val[2] -> int] is val[6] word2 -> signalval]
14
is bit[2]
*)
statevector:
TYPEis triple
count: function[statevector -> word6] is first double: function[statevector,-> bool] is second node: function[statevector -> word2] is third BOOLF:function[signalval (*
-> bool] is signal_to bool define
logic
constants
define
logic
variables
define
functions
*)
fetc_node: word2 = mw2(0) inclnode: word2 = mw2(1) inc2node: word2 = mw2(2) loadnode: word2 = mw2(3) undef svt: statevector
(*
*)
svt: VAR statevector ct, idn, w: VAR word6 fn: VAR word2 dbl,b: VAR bool (*
ADD1:function[word6 -> word6] == (LAMBDA w -> word6: IF val6(w) = 63 THEN mw6(0)
*)
ELSE
mw6(val6(w)+l)
END ) INCI: function[word6,bool,word6,word2 INCI ax: AXIOM INCl(ct, dbl, idn,
fn)
-> =
statevector]
IF dbl THEN make_triple(ADDl(ct),BOOLF(bit2(0,fn)),inc2node) ELSE make_triple(ADDl(ct),BOOLF(bit2(0,fn)),fetchnode) END INC2:function[word6,bool,word6,word2 INC2 ax: AXIOM INC2(ct, dbl, idn,
fn)
-> =
statevector]
make_triple(ADDl(ct),BOOLF(bit2(0,fn)),fetchnode) LOAD: function[word6,bool,word6,word2 LOAD ax: AXIOM LOAD(ct, dbl, Idn,
fn)
-> =
statevector]
make_triple(idn,BOOLF(bit2(0,fn)),fetchnode) FETCH: function[word6,bool,word6,word2 -> statevector] FETCH ax: AXIOM FETCH(ct, dbl, idn, fn)= IF val2(fn) = 0 THEN make triple(ct,BOOLF(bit2(0,fn)),fetchnode) ELSIF val2(fn) = 1 THEN make_triple(ct,BOOLF(bit2(0,fn)),loadnode) ELSE make_triple(ct,BOOLF(bit2(0,fn)),inclnode) END
15
NEXT:
function[statevector,wo[d6,word2
->
statevector]
(* NEXT
ax:
AXIOM
NEXT(svt,ldn,fn) = IF val2(node(svt)) = 0 THEN FETCH(count(svt),double(svt),idn,fn) ELSIF val2(node(svt)) = 1 THEN INCl(count(svt),double(svt),Idn,fn) ELSIF val2(node(svt)) = 2 THEN INC2(count(svt),double(svt),idn,fn) ELSIF val2(node(svt)) = 3 THEN LOAD(count(svt),double(svt),Idn, ELSE undef svt END
fn)
*) NEXT0
NEXT1
ax:
ax:
AXIOM
AXIOM
val2(node(svt)) NEXT(svt,ldn,fn)
0 IMPLIES =
FETCH(count(svt),double(svt),idn,fn)
val2(node(svt)) NEXT(svt,ldn,fn)
=
1 IMPLIES
=
INCl(count(svt),double(svt),idn,fn) 2 IMPLIES INC2(count(svt),double(svt),idn,fn)
NEXT2
ax:
AXIOM
val2(node(svt)) NEXT(svt,ldn,fn)
= =
NEXT3
ax: AXIOM
val2(node(svt)) NEXT(svt,ldn,fn)
= 3 IMPLIES = LOAD(count(svt),double(svt),idn,fn)
Finite
automata:
function[statevector,word6,word2 -> statevector] (LAMBDA svt, Idn, fn -> statevector: IF val2(fn) = 0 THEN NEXT(svt,ldn,fn) ELSIF val2(fn) = 3 THEN NEXT(NEXT(NEXT(svt,ldn,fn), idn, fn ), Idn,fn ) ELSE NEXT(NEXT(svt,ldn,fn), idn,fn )
I
END (*
Mapping
cnt6.states:
TYPE
to Top
FROM
function[statevector
cnt6.exec
cnt:
END
cnt6
Level
Spec
in Module
*)
cnt6
statevector
cnt6.cnt:
cnt6.ready:
)
-> word6]
is
count
function[statevector,word6,word2 is Finite automata
function[statevector -> bool] = (LAMBDA svt -> bool: node(svt)
fa
16
->
=
statevector]
fetchnode
)
Strengthening
The
top-level
"ready"
is
is never satisfy
specification
true,
ready the
the
i.e.
when
satisfies
defines
it
the
Top-Level
is
the
ready
operation
for
specification
Specification
input.
But,
above.
The
function[statevector
->
bool]
=
following
property
reset_ready_ax:
would
AXIOM
preclude
NOT
property
be
counter
to
this
ready(state)
to
precludes
"func=0" in,
if
"fetchnode".
If the
is
then
a
true,
"func=0"
trivial
solutions
diagram level second (ref
the
the
system
The
lower
Exhaustion"
In
of
was
level
(ref.
the the
the
that
mappings
would
statevector]
= 0
IMPLIES
i.e.,
is the
RSRE
would
satisfied
at
with
by
the
of
third RSRE in
"func=0"
state
level
between
these
The
description
in
the
does
"inclnode"
not
and
"inc2node"
complicated
property
in two
in also
implementation:
4.)
17
hierarchy
language the
)
hardware
done
between using
--
the
block
spec
was
the
LCF-LSM. design
theoretically
connection was
the
block-diagram
formal
diagram
it will
to
RSRE
state
SPECIFICATION
work
the
which
implementation
transition more
)
regardless
"executed"
following
block
informal.
circuit
reset,
counter
is
func
is located
DIAGRAM
specified
connection
specifications the
following
cnt(state,loadin,func)
counter
The
and
describes
description 3.)
implementation
AXIOM and func = 0 IMPLIES cnt(exec cnt(state,loadin,func),loadin,func)
specification. of
a
counter
BLOCK
section
exec
as
the
command.
eventually_ready_ax: NOT ready(state) ready( exec
This
when
implementations:
and
Unfortunately,
property.
"double(state)" response
define
is currently
returned
satisfy
would
->
trivial
ready(
the
an
counter
FALSE
cnt6.states: TYPE cnt6.cnt: function[statevector -> word6] cnt6.exec cnt: function[statevector,word6,word2
This
the
specification:
cnt6.ready:
The
of
created
language
a
ELLA
equivalent
the the
They
lowest
ELLA
method
specification of
"Intelligent
and
This specification figure 3.
Ioadln
describes the system as a block diagram illustrated
count
node
doul_e
in
func
l,oo,__,oo_ooJ 1.o,.oooi I-o_.1 t,_ ,|
l_t q"t4
"'ch'o_o_n' F I lalCfl
counl
finite
automata
is
3. -
internal
stored
by
explicitly that not
an be
could theorem
state
latches
variables which
implementation
be
checked,
as
l I '.'_'o,_.
node
by
the
which
erroneous it
is not
the
(i.e.
following
count,
their
RSRE
to
by
RSRE
the
clear
node
and
how
store
prover.
18
these
could
be
subcircuits):
NEXTNODE
clock
are
variables
assumed
ticks.
Consequently,
methodology.
this
(or
double)
between
methodology.
failed
blocks
INCCON
values
Countloglc
Specification
MPLXCON
maintain in
double
Diagram
MULTIPLEX
formalized
detected
Block
implemented
INCLOGIC
The
for
node
Figure
The
i
_
it in
Although detected
by
to
This is
be is
possible
latches
would
informally an
not
automatic
this
The cnt6 blk specification
without proofs is:
cnt6 blk: MODULE MAPPING cnt6 fa ONTOwords,triples[word[6],bool,word[2]],bsignal THEORY define
(*
word2: word6:
TYPE TYPE
-> word2] is mw[2] -> int] is val[2] word2 -> signalval] -> word6] is mw[6] -> int] is val[6] word6 -> signalval]
function[signalval
statevector:
TYPE
fetchnode: inclnode: inc2node: loadnode:
*)
'words'
->
bool]
is
is
bit[2]
is
bit[6]
signal
to
bool
is triple
logic
(*
for
is word[2] is word[6]
mw2: function[int val2:function[word2 bit2: function[int, mw6: function[int val6:function[word6 bit6: function[int, BOOLF:
abbreviations
constants
defined
in
cnt6
fa
word2 = mw2(0) word2 = mw2(1) word2 = mw2(2) word2 = mw2(3) define
sty: VAR statevector ct,incout,loadin: VAR noinc: VAR bool nd,func: VARword2
logic
*)
variables
word6
dbl: VARbool mplxsel: (*
INCLOGIC: INCLOGIC
MULTIPLEX: MULTIPLEX
VAR
bool define
*)
functions
function[word6,bool -> word6] ax: AXIOM INCLOGIC(ct,noinc) = IF noinc THEN ct ELSE ADDI(ct) END
function[word6,word6,bool -> word6] ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) IF mplxsel THEN_incout ELSE loadin END
19
=
MPLXCON:
function[word2 (LAMBDA nd->
INCCON:
function[word2 (LAMBDA nd->
NEXTNODE:
-> bool] = bool: NOT (val2(nd) -> bool] = bool: (val2(nd)
function[word2,word2,bool
=
= 0)
->
3)
)
)
word2]
(* NEXTNODE
ax:
AXIOM NEXTNODE(nd,func,dbl) = IF val2(nd) = 0 THEN IF val2(func) = 0 THEN fetchnode ELSIF val2(func) = 1 THEN loadnode ELSE inclnode END ELSIF val2(nd) = i THEN IF dbl THEN inc2node ELSE fetchnode END ELSE fetchnode END
*) NEXTNODE0
ax:
AXIOM val2(nd) - 0 IMPLIES NEXTNODE(nd,func,dbl) = IF val2(func) = 0 THEN fetchnode ELSIF val2(func) = 1 THEN loadnode ELSE inclnode END
NEXEI
ax:
AXIOM val2(nd) = _DE(nd,func,dbl)
1 IMPLIES = IF dbl THEN inc2node ELSE fetchnode END
NEXTNODE2a3
ax:
AXIOM val2(nd) = 2 or NEXTNODE(nd,func,dbl)
val2(nd) = 3 IMPLIES = fetchnode
C_IC:
function[statevector,word6,word2 (LAMBDA sty, loadin, func
->
-> statevector] statevector:
=
make_triple(MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv)) loadin, MPLXCON(node(stv)) ), BOOLF(bit2(0,func)), NF_JCPNODE(node(stv),func,double(stv))
cnt6 END
fa.NEXT:
cnt6
function[statevector,word6,word2
blk
2O
->
statevector]
i
)
= COUNTLOGIC
SPECIFICATION
In
this
elements defined
--
NAND2,
in the
included, been
section
none
the
6-bit
counter
INV,
XNOR,
etc.
ELLA of
language.
the
proofs
OF
is expressed In
the_RSRE
Although between
CIRCUIT
the
this
in
terms
pape[,
this
MAPPINGS
level
and
to the
of
low-level
level
was
"cnt6_blk" block
model
circuit
only
have have
been yet
attempted.
Listing
cnt6
cir:
of
Cnt6
MODULE
--
MAPPING
cir
l
cnt6
blk
ONTO words,
triples,
bsignal
THEORY (*
,)
abbreviations
word2: TYPE is word[2] word6: TYPE is word[6] cntrlsigs: TYPE is triple[bool,bool,word[2]] bit2: bit6:
function[int, function[int,
word2 word6
-> ->
bool] bool]
assign2:function[int,bool,word2 assign6:function[int,bool,word6
b,bl,b2,b3,b4:
-> word2] -> word6] circuit
(*
VAR
is bit[2] is bit[6] is assign[2] is assign[6]
elements
,)
bool
INV: function [bool -> bool] = (LAMBDA b -> bool: not b) NAND2: function [bool, bool -> bool] = (LAMBDA bl,b2 -> bool: not (bl and b2)) NAND3: function [bool, bool, bool -> bool] = (LAMBDA bl,b2,b3 -> bool: not (bl and b2 and b3)) NAND4: function [bool, bool, bool, bool -> bool] = (LAMBDA bl,b2,b3,b4 -> bool: not (bl and b2 and b3 and b4)) XNOR: function [bool, bool -> bool] = (LAMBDA bl,b2 -> bool: not (not bl and b2 or bl and not b2)) NOR/: function [bool, bool -> bool] = (LAMBDA bl,b2 -> bool: not (bl or b2))
(*
logic
variables
i0,ii,i2,i3,i4,i5: VAR bool ibit,lsel,incbit,incsel: VAR bool incout,loadin,cntr: VAR word6
21
,)
mplxsel, noinc, Double: VARbool Node,Func: VARword2 circuit
(*
output
: function (LAMBDA
definition
[bool,bool,bool,bool,bool,bool i0,ii,i2,i3,i4,i5 -> word6:
*) -> word6]
assign6(0,i0, assign6(l,il, assign6(2,i2, assign6(3,i3, assign6(4,i4, assign6(5,i5,newword[6])))))))
bitsel:
MPLEXCIRC: MPLEXCIRC
function[bool,bool,bool,bool -> bool] = (LAMBDA ibit,lsel,incbit,incsel -> bool: NAND2(NAND2(ibit,lsel), NAND2(incbit,incsel))
function[word6,word6,bool ax: AXIOM MPLEXCIRC(incout,
-> word6] loadin, mplxsel)
=
output( bitsel(bit6(0,1oadin),INV(mplxsel),bit6(0,incout),mplxsel), bitsel(bit6(l,loadin),INV(mplxsel) ,bit6(l,incout),mplxsel), ,bit6(2,incout),mplxsel), bitsel(bit6(2,1oadin),INV(mplxsel) bitsel(bit6(3,1oadin),INV(mplxsel) ,bit6(3,incout),mplxsel), bitsel(bit6(4,1oadin),INV(mplxsel) _bit6(4,incout),mplxsel), bitsel(bit6(5,1oadin),INV(mplxsel) ,bit6(5,incout),mplxsel)
) carry4bar:
function[word6,bool -> bool] = (LAMBDA cntr,noinc -> bool: NAND4(INV(noinc),bit6(0,cntr),bit6(l,cntr),bit6(l,cntr))
)
INCCIRC:
function[word6,bool -> word6] = (LAMBDA cntr,noinc -> word6: output( _ XNOR(bit6(0,cntr), noinc), XNOR(bit6(l,cntr), NAND2(INV(noine),bit6(0,cntr)) XNOR(bit6(2,cntr), NAND3(INV(noinc), bit6(0,cntr), bit6(l,cntr) XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ), XNOR(bit6(4,cntr), NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr)
), XNOR(bit6(5,cntr), NAND3(INV(carry4bar(cntr,noinc)), bit6(3,cntr) , bit6(4,cntr) ) )
22
)
), ) ),
)
inccon: function[word2 -> bool]
= (LAMBDANode -> bool: NOR2(bit2(0,Node),bit2(l,Node))
common:function[word2,word2
-> bool] = (LAMBDANode,Func -> bool: NAND3(inccon(Node),INV(bit2(l,Func)),bit2(0,Func))
CONTROLCIR:
function[word2,word2,bool -> cntrlsigs] (LAMBDA Node,Func,Double -> cntrlsigs: maketriple(inccon(Node), NAND2(bit2(0,Node),bit2(l,Node)), assign2(0, NAND2(common(Node,Func), NAND2(inccon(Node),bit2(l,Func))
), assign2(l,NAND2(common(Node,Func), NAND3(Double, bit2(0,Node), INV(bit2(l,Node) newword[2])
) )),
)
(*
Mappings
cnt6
blk.INCLOGIC:
cnt6
blk.MULTIPLEX:
cnt6
blk.INCCON:
to
"cnt6
function[word6,bool
,)
blk"
-> word6]
function[word6,word6,bool
->
=
INCCIRC
word6]
= MPLEXCIRC
function[word2,word2,bool -> bool] = (LAMBDANode,Func,Double -> bool: first(CONTROLCIR(Node,Func,Double))
) cnt6
blk.MPLXCON:
function[word2,word2,bool -> bool] = (LAMBDA Node,Func,Double -> bool: second(CONTROLCIR(Node,Func,Double))
) cnt6
blk.NEXTNODE:
function[word2,word2,bool -> word2] (LAMBDANode,Func,Double -> word2: third(CONTROLCIR(Node,Func,Double))
) END
cnt6
cir
23
=
Translation
of Circuit-Spec
Although the circuit-level level circuit elements, this
level
the
problems
circuit.
uncovering For
There the
example,
BLACK
ale
basic
suppose
BOX:
many
description does
explicitly
to be
interconnections
we
the
have
is defined in terms of only low-
not
element
following
to Sili_:c_n
addressed from
here.
the
circuit
specify
the The
layout
first
functional
of
is
description.
specification
function[bool,bool,bool,bool -> bool] (LAMBDA ii,i2,i3,i4 -> bool: NAND3(XNOR(il,i2), NAND2(XNOR(il,i2), INV(XNOR(i3,i4))) XNOR(i3,i4)
) ) A
brute-force
implementation
of
this
function
would
yield:
iI
_NV
Of course, fo I 1ows:
by
recognizing
common
sub-expressions,
24
NAND2
this
NAND3
could
be
implemented
as
NAND.1
NAND2
INFORMAL
The the
axioms
first more
concept of
maps
a
the
concrete
and
hierarchical
specification
are proved
in
mapped as
specification level
uninterpreted objects
specification level
of
the down
theorems
PROOFS
as
theorems
types
and
lower
level.
(using
depends in
constants
the
The
on the
of
mappings)
of
proving
below
it.
high
level
theory
of
to
idea
level
the
axioms
the
the
the
high
objects
One into
level of
the
lower
there:
zoMs
%, % I I I
Map
I v
AXIOMS
One
must In
the
then the
block
next model
prove two
that
Map(;
sections,
specification
B I , B 2,
h ) and the up
Map(A;)
proofs to
B_,
the
informally.
25
follow
which top
B
from
establish
specification
B l , B 2, the ale
S 3,
connection presented
B 4. from
Proof
There
were
"ready
Thus,
ax:
"counter
"cnt",
axioms
Top
of
Level
the
top
Spec
level
and
Major
spec
State
"cnt6":
Machine
"counter
Spec
ax"
and
ax".
counter
When
two
Between
and in
AXIOM
ax"
ready(state) IMPLIES cnt(exec cnt(state,loadin,func)) IF val2(func) = 0 THEN cnt(state) ELSIF val2(func) = 1 TH_N loadin ELSIF val2(func) = 2 THEN addl mod64(cnt(state)) ELSE addl mod64(addl mod64(cnt(state))) END is mapped
"exec_cnt",
the
lower
down
are
level,
to
the
interpreted the
"counter
next in ax"
level,
terms
of
the
functions
their
mapping
=
"ready", definitions.
is:
counter ax: AXIOM node(state) = fetchnode IMPLIES count(FinTte_automata(state,loadin,func)) = IF val2(func) = 0 THEN count(state) ELSIF val2(func) = 1 THEN loadin ELSIF val2(func) = 2 THEN addl mod64(count(state)) ELSE addl
mod64(addl
mod64(count(state)))
END This basic
First,
must
be
proved
strategy
is
as
a
theorem
to decompose
Case
i:
val2(func)
= 0
Case
2:
val2(func)
=
Case
3:
val2(func)
= 2
Case
4:
val2(func)
= 3
one
each
case
four
cases:
lemma
is proved
is proved
in terms this
theorem
of
the
axioms
into
four
of
"cnt6
fa".
The
cases:
1
which
separately.
simplifies Finally,
26
the
proof
"counter
ax"
of is
the
four
proved
cases. from
Next,
these
Proof
of
a Lemma
stbl:
LEMMA
ready(st)
IMPLIES
val2(node(st))
=
0
-i Proof:
By
definition,
ready(st)
=>
(node(st) = => (node(st)
fetchnode = mw2(0)
) ).
Thus, ready(st) By
the
"val
==>
mw
thm"
ready(st)
==>
val2(node(st)) theorem
of
= val2(mw2(0))
words[2]
val2(node(st))
we
have:
= val2(mw2(0))
=
0
Endproof.
Proof cnt
of 0:
cnt
LEMMA
Proof:
From
cnt(exec
Using
0 ready(state) and val2(func) = 0 IMPLIES cnt(exec cnt(state,loadin,func)) the
definition
of
"exec
cnt(state,loadin,func)) -cnt(NEXT(state,loadin,func),
"NEXT_ax",
the
preceeding
cnt"
and
= cnt(state)
val2(func)=0
we
have:
= loadin,func
lermna,
and
"FETCH_ax"
) we
cnt(exec cnt(state,loadin,func)) = cnt(FETCH(cnt(state) ,doublef(state),loadin,func)
have:
) =
cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),fetchnode) Finally
by
definition
of
"cnt"
cnt(exec cnt(state,loadin,func)) cnt(state)
and
the
"make_triple
=
Endproof.
27
) ax"
we
have:
Proof
cnt
of
i:
cnt
LEMMA
I
ready(state) IMPLIES
and
val2(func)
cnt(exec
cnt(state,
_
1 loadin,
func) ) -
loadin
Proof: cnt(exec
cnt(state,loadin,func))
-
(* NEXT
ax
*)
D
cnt(
NEXT(NEXT(state,loadin,func),
cnt(
NEXT(FETCH(cnt(state)
cnt(
NEXT(
Since
func
VAL2(loadnode)
cnt (LOAD( cnt (make_t double
)) =
,doublef(state),loadin,func)
make_triple(cnt(state) loadin,
(* --
loadin,func
,BOOLF(bit2(0,
)) -
func) ),loadnode)
)) _
3 --
*)
r iple (cnt (state ),BOOLF (bi t2 (0, func ) ),loadnode
f (make
loadin,func)
),
tr iple (cnt (state ),BOOLF (bi t2 (0, func ) ),loadnode ) -
cnt( LOAD( cnt( state ), BOOLF(bit2(0,
func } ),
loadin,func)
) -
cnt(make_triple(loadin,BOOLF(bit2(0,func)),fetchnode) loadin
28'
) =
),
Proof
cnt
of
cnt
2:
2
ready(state) IMPLIES
and
cnt(exec
val2(func)
cnt(state,loadin,
IF val6(cnt(state)) ELSE
- 2
- 63
func))
THEN
mw6(0)
mw6(val6(cnt(state))+l)
END
Proof: cnt(exec
cnt(state,loadin,func))
I
cnt(
NEXT(NEXT(state,loadin,func),
cnt(
NEXT(FETCH(cnt(state)
cnt(
NEXT(
(* NEXT loadin,func
ax
*)
)) -
,doublef(stateT,loadin,func)
77 -
make_triple(cnt(stateT,BOOLF(bit2(0,func77,inclnode7 loadin,func
Since
)) =
VAL2(inclnode)
-
1 ---
*)
cnt(INCl(cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode), doublef(make_triple(cnt(state),BOOLF(bit2(O,func)),inclnode), loadin,func)
) =
cnt(INCl(cnt(state), BOOLF(bit2(0,func), loadin,func) (* --
Since
) -
bit2(0,func)
-
0 =->
BOOLF(bit2(0,func))
=
false
cnt(make_triple(ADDl(cnt(state)),BOOLF(bit2(O,func)),fetchnode)) ADDl(cnt(state)7
I 63
THEN
mw6(0)
ELSE
mw6(val6(cnt(state))+l)
END
Proof
cnt
of
3:
cnt
LEMMA
3
ready(state) IMPLIES
and
val2(func)
=
3
cnt(exec_cnt(state,loadin,func)) IF val6(cnt(state)) ELSIF ELSE
val6(cnt(state))
= 63 =
mw6(val6(cnt(state))+2)
END
29
THEN
*) -
-
IF val6(cnt(state))
---
mw6(1)
62 THEN
mw6(0)
Proof: cnt(exec
cnt(state,loadin,func))
=
(* NEXT
cnt(
NEXT(
NEXT(NEXT(state,loadin,func),
cnt(
NEXT(
NEXT(FETCH(cnt(state) loadin,func)
cnt(
NEXT(
*)
), loadin,func))
=
,doublef(state),loadin,func)),
-
NEXT(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode) loadin,func
(* ---
loadin,func
ax
Since
), loadin,func
VAL2(inclnode)
= 1 ---
)) =
*)
cnt(NEXT( INCl(cnt(make_triple(cnt(state),BOOLF(bit2(O,func)),inclnode), doublef(maketriple(cnt(state),BOOLF(bit2(O,func)),inclnode), loadin,func),loadin,func cnt(NEXT(
) ) =
INCI(cnt(state), BOOLF(bit2(0,func), loadin,func),loadin,func)
(* ---
Since
bit2(0,func)
-
1 -->
) =
BOOLF(bit2(0,func))
- true
---
*)
cnt(NEXT(make_triple(ADDl(cnt(state)),BOOLF(bit2(O,func)),inc2node), loadin,
func)
) =
cnt(INC2(cnt(make_triple(ADDl(cnt(state)),BOOnF(bit2(0,func))
),
doublef(make_triple(ADDl(cnt(state)),BOOLF(bit2(0,func)) loadin,func))
),
=
cnt(INC2(ADDl(cnt(state)), BOOLF(bit2(0,func)), loadin,func
) )
cnt(make_triple(ADDl((ADDl(cnt(state))),BOOLF(bit2(O,func)),fetchnode)
)
ADDl((APDl(cnt(state))) ADDI(IF
val6(ADDl(cnt(state)))
ELSE
IF val6(IF
THEN
mw6(val6(ADDl(cnt(state)))+l)
val6(ADDl(cnt(state)))
ELSE ELSE
= 63
mw6(0) END
= 63
THEN
mw6(val6(ADDl(cnt(state)))+l)
mw6(val6(IF
mw6(0) END)
val6(ADDl(cnt(state))) ELSE
)
- 63
= 63 TH]_
mw6(val6(ADDl(cnt(state)))+l)
END
3O
THEN
mw6(0) END)+1)
mw6(0)
IF val6(cnt(state)) ELSIF
= 63
val6(cnt(state))
ELSE
THEN
= 62
mw6(1)
THEN
mw6(0)
mw6(val6(cnt(state))+2)
_D
Proof
of
the
ready_ax:
cnt6
axioms
AXIOM
counter
ax:
ready(state)
AXIOM
"counter_ax"
follows
from
"val_range_thm"
applied
to
that
only
be
equal
to
"func"
"func"
"counter from
can
ax"
cnt_0,
proved
applies cnt_l,
from
the
Proof
In this the
block
axioms
same
the
the spec
major
)
"cnt_0",
"func". to =
cnt_3,
"cnt
The 0,
"val
1, 2,
3 only. and
i",
"cnt_2",
range
or
3.
Thus,
thm"
Thus
and
val_range_thm[2].
"cnt_3"
is needed
the
counter
func))
ax The
and
to
"ELSE"
=
the
establish
clause
in
follows
directly
axiom
"ready_ax"
is
lemmas.
Between
diagram
of
cnt_2,
section
ready(exec_cnt(state,loadin,func)
ready(state) IMPLIES cnt(exec cnt(state,loadin, IF val2(func) _ 0 THEN cnt(state) ELSIF val2(func) = 1 THEN loadin ELSIF val2(func) = 2 THEN addl mod64(cnt(state)) ELSE addl mod64(addl mod64(cnt(state))) END
-
The
IMPLIES
Major
State
Machine
connection
between
is demonstrated
state
machine
via
model
Spec
the
and
major
informal
must
be
Block
state proof.
proved
as
Model
Spec
machine The
and
following
theorems
Model:
NEXT0
ax: --
AXIOM
val2(node(stv)) NEXT(stv,ldn,fn)
= 0 IMPLIES = FETCH(count(stv),double(stv),Idn,fn)
NEXT1
ax:
AXIOM
val2(node(stv)) NEXT(stv,ldn,fn)
= 1 IMPLIES = INCl(count(stv),double(stv),Idn,fn)
NEXT2
ax:
AXIOM
val2(node(stv)) NEXT(stv,ldn,fn)
= =
2 IMPLIES INC2(count(stv),double(stv),idn,fn)
NEXT3
ax:
AXIOM
val2(node(stv)) NEXT(stv,ldn,fn)
= =
3 IMPLIES LOAD(count(stv),double(stv),idn,fn)
31
model
in
the
Block
The function "NEXT"is mappedonto "COUNTLOGIC" at this level, so each of these axioms must be proved with respect to the "COUNTLOGIC" implementation:
NEXT0ax: AXIOMval2(node(stv)) -
= 0 IMPLIES (stY, idn, fn ) = FETCH( count (sty ),double
_IC
(sty), idn, fn)
Proof: _IC(stv,
[ by
loadin, func) = make__triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, MPLXCON(node(stv))), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
definition
of
INCCON make
and
MPLXCON:
}
triple(MULTIPLEX(INCLOGIC(count(stv), (val2(node(stv)) = loadin, NOT (val2(node(stv)) = 3)), B(X)LF(bit2(0,func)), NEXODE(node(stv),func,double(node))
make_triple(MULTIPLEX(INCLOGIC(count(stv), true ), loadin, true ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) { by
INCLOGIC
ax:
MULTIPLEX
0)
) =
) -
} maketriple(MULTIPLEX(count(stY), loadin, true ), BOOLF(bit2(0,func)), NEXTSK)DE(node(stv),func,double(node))
{ by
) =
ax:
) -
} make
triple(count(sty), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
{ by FETCH ax: } FETCH(cnt(stv),doublef(stv),loadin,
32
func)
=
) -
),
The
last
step
follows
from
the
fact
NEXTNODE(node(stv),func,double(node) {fetchnode, loadnode,
that
val2(node(stv)
) ) is an inclnode }
=
element
that
0 IMPLIES
of
Endproof
NEXT1
ax:
AXIOM
-
val2(node(stv)) = 1 COUNTLOGIC(stv,ldn,fn)
IMPLIES = INCl(count(stv),double(stv),idn,fn)
Proof: C_IC(stv,
loadin,
func)
=
make_triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, MPLXCON(node(stv))), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) { by
definition
of
MPLXCON:
}
make_triple(
{ by
INCLOGIC
ax:
MULTIPLEX
ax:
triple(
INCl
ax:
MULTIPLEX(ADDI(count(stv), loadin, true), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
}
maketriple(
{ by
MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, NOT(val2(node(stv))=3) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) )
} make
{ by
ADDl(count(stv), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
} INCl(cnt(stv),double(stv),loadin,func)
( The
last
) =
step
follows
from
the
fact
that
NEXTNODE(node(stv),func,double(node)) {fetchnode,inc2node)
val2(node(stv) ) is an
Endproof 33
=
element
= 1 of
IMPLIES
that
NEXT2ax: AXIOMval2(node(stv)) COUNTLOGIC( sty,
u 2 IMPLIES idn, fn)
= INC2 (count (sty) ,double(sty),
Idn, fn )
Proof: _IC(stv,
loadin, func) s make_triple( MULTIPLEX(
INCLOGIC( count( sty), INCCON( node(stv) loadin, MPLXCON(node (sty)) ), BOOLF(bit2 (0, func) ), NEXTNODE (node (stv ),func, double (node ) ) ) =
make_triple(
[ by
INCLOGIC_ax:
] make_triple(
[ by MULTIPLEX_ax:
NEXTNODE2a3_ax:
INC2
ax:
ADDl(count(stv), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
] make_triple(
{ by
MULTIPLEX(ADDI(count(stv), loadin, true), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
] make_triple(
[ by
MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, NOT(val2(node(stv))-3) ), BOOLF(bit2(0,func)), NKXTNODE(node(stv),func,double(node)) ) -
ADDl(count(stv)), BOOLF(bit2(0, func)), fetchnode ) =
} INC2(cnt(stv),double(stv),loadin,func)
NEXT3
ax:
AXIOM
val2(node(stv)) C_IC(stv,ldn,fn)
=
= 3 IMPLIES = LOAD(count(stv),double(stv),idn,fn)
34
) ),
_IC(
sty, loadin,
func)
=
make_triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, MPLXCON(node(stv))), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
) =
make_triple(MULTIPLKX(INCLOGlC(count(stv),val2(node(stv))-0), loadin, NOT(val2(node(stv))=3) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
) =
[ by INCLOGIC_ax:] make_triple(MULTIPLEX((count(stv) loadin, NOT(val2(node(stv))=3) BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) by
MULTIPLEX_ax:
),
] loadin, BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node))
make_triple(
m
t
[ by
NEXTNODE2a3_ax:
] loadin, BOOLF(bit2(0,func)), fetchnode ) =
make_triple(
{ by U
_ax: ) LOAD(cnt(stv),double(stv),loadin,func)
Proof
In and
the
the
the
at
advantages
level and
Diagram
the
proof
specification
exhaustion this
Block
methodology,
circuit-level
intelligent proofs
RSRE
Between
(ref. have
disadvantages
and
between
Circuit-Level
the
is accomplished
4) or
notyet
Spec
the been
of
more
recent
attempted.
"NODEN"
35
=
versus
Spec
block-diagram by
the
"NODEN" Future EHDM
specification
method
of
method
(ref
work proof.
will
5).
The
investigate
SPECIFICATION OF N-BIT WORDS A physical row of input in
some
hardware
presented
on N wires
to build as
a
theory
integers,
this
in
theory
has
been
module
devices.
a
which
defined
of
be
course
the
usually
enables
one
manner. is
separate by
to
range
reason
interpreted
integer
values
to be
0 to
2"-i.
about
such
rows
of
such
a
describes
to as
"words"
hardware
often of
section
referred
module
most
are
taken
This
inputs
usable
lines
finite,
N
in a
output
Of
a simple
row
should
is
or
to
a
"N-bit
integers
which
can
It
is
values
theory.
its
In
This reuse.
projects
be
necessary
signal
word".
facilitate
verification
as
theory This
without
modification. It on
a
is necessary
single
used
to
signal
line.
represent values
don't
care,
the
shows
how
signal
values
over
counter
high
the
theory
N-I
If only
user
can
the
declare
and word
the
so the can
consists
is the
"word[N]".
in
one
size
z,
type
of
the
set
of
boolean
RSRE
z, q,
i values
boolean
of N
bits
the
of word words
which
module
bits
to
in
are
will
be
in a USING
true,
was
used.
This
used
in a
clause,
domain
by
other an
terms module
values.
integer of
a generic
exports
specification,
the the
e.g.
identifier is needed,
"word"
can
be
used
instead
then
the
following
using
of word[32]. clause
If more
than
is used:
f
word[16],
A
words [32 ]
type
the
to
Appendix
USINGwords
and
of
false,
needed
these
indexed
word.
are
and not
in
appear
false}
the
were
include
is defined the
for
element
domain
can
{true,
reports,
stand
memory
and
which
values:
i, which
generalized
of
values
unaltered
simpler be
signal
In the
q and
x,
Thus, number
possible
"words".
The
inclusive.
type
the
f, x,
of words
a word
the
impedance,
in EHDM
"N" which
USING
t,
respectively.
0 and
parameter
define
simplicity,
tri-state
Conceptually, between
first
For
range
indeterminate, verify
to
user
must
etc.
cite
This
the
module
length also
of
the word
defines
36
the
explicitly, following
e.g.
word[32],
functions:
one
val(w):
returns the
mw(i):
an N-bit
word
unsigned
integer
"i".
returns
assign(i,b,w):
cab
multiple
one
be
the
abbreviated
of
of
the
the
boolean
of
as
value
of
containing
contents
declaration
declarations
abbreviated,
the
"ith"
value
the
"val",
the
binary
bit
"b"
of
to
"words"
N-bit
word
the
"words"
module,
then
the
of
the
"w"
"ith"
then
and
"w"
representation
module,
"row", "bit"
word
bit
the
of
"w"
above
"assign". function
word
If
there
names
are
cannot
be
e.g. :
valI32](w):
returns
the
unsigned
integer
value
of
the
32-bit
word
"w"
val[12](w):
returns
the
unsigned
integer
value
of
the
12-bit
word
"w"
bit[16](i,w):
The
the
assigns
is only
functions
integer
returns
bit(i,w):
If there
unsigned
returns
the
contents
assign[12](i,b,w):
assigns
"bit"
functions
and
individual
"assign"
bits
of
a N-bit
"b"
of
to
the
enable
word.
the
"ith"
the
These
"ith"
bit
bit
access
of
are
the
the
and
functions
of
16-bit
12-bit
word
modification defined
word
"w"
"w"
of
formally
as
follows:
bitassign:
Thus, the
bit
AXIOM
and
effect
a new one
just
affect
any
in
separately been
in
defined
carefully the
defined
its
the
before bit
a bit
the
value
of
to
retrieved.
bit
It
END
)
other.
The
axiom
has
being
Thus,
be
defined
primitives.
that
is,
is the
a bit
noted
that
each
modified
Otherwise, assigning
should
of
been
retrieved
manner;
terms
insure
which
is
word.
in
each
the
previously
axiomatically
scrutinized
a word
assignment.
the
of
If
a "constructional" terms
terms
from
bits.
new
in
in
bit(i,w)
that
they
Their
other.
Such
inconsistencies
are
assigning
same
value
in
not
as
the
retrieved
a word
does
functions been
must
not are
defined
properties
axioms not
by
the
these
have
defines
have be
introduced
into
specification. This
defined in
as
other
defined
are
of
assigned,
same
0 and i < N) IMPLIES bit(i,assign(k,b,w)) = ( IF k = i THEN b ELSE
retrieving
to one
is the
not
assign
of
value
(i >=
method in
functions
the
of
defining
RSRE
report
that
manipulate
a word using
differs
LCF-LSM.
lists
of
considerably In LCF-LSM
objects.
37
In
the
from there RSRE
the are work,
way
they
specific a word
were builtis
represented by a list primitive functions. In
the
defined
in
top-level terms
to define and
of objects. specification
of modulo-64
functions
which
"row" functions
recursively
as
this
def:
6-bit over
The
counter,
its
integers.
an N-bit
duty.
a word using more
word
"val"
behavior
Thus,
as
an
function
it
is
is necessary
integer.
The
"val"
is defined
follows:
"mw"
-> =
AXIOM
int] IF m - 0 THEN 0 ELSE 2*valm(w,m-l,n) END
+ BOOLVAL(bit(n-m,w))
int] = valm(w,N,N)
function
is defined
mw: function[int -> word] mwm: function[int,int,int mwm
the
"interpret"
perform
val: function[word -> val def: AXIOM val(w)
the
of
arithmetic
valm: function[word,int,int valm def: AXIOM valm(w,m,n)
Similarly,
Thus, they "construct"
->
mwm(v,m,n)
recursively:
word]
= IF m = ELSE
0 THEN
newword
assign(n-m,BOOLVAR(MOD2(v)), mwm(DIVBY2(v),m-l,n)
)
END
The word.
constant It
is defined
accessnew:
The
major
"newword"
AXIOM
theorem
used
formally
bit(k,
of
in
def"
above
represents
an
undefined
as:
newword)
this
"mwm
module
=
f
establishes
that
"val"
and
"mw"
are
functions:
( ii >-
The
specification
words: USING
MODULE[N:
of
ii
WOrd,
< power2(N)
"words"
) IMPLIES
val(mw(ii))
= ii
is:
intl
power 2_th, divby2
EXPORTING WITH
0 AND
newword,
th bit,
assign,
val,
power2_th,divby2_th 38
mw,
mwm,
valm,
bool
to
int
inverse
ASSUMING N_pos: FORMULA N>0 THEORY word: TYPE k,i,ii,m,v,n: VARint w,wl,w2: VARword b: VARbool newword: word assign: function[int, bool, word-> word] bit: function[int, word -> bool ] bitassign:
AXIOM(i >= 0 and i < N) IMPLIES bit(i,assign(k,b,w)) = ( IF
mw: function[int val: function[word
k -
i THEN
b ELSE
bit(i,w)
END
)
-> word] -> int]
mwm: function[int,int,int -> mwm def: AXIOM mwm(v,m,n) = IF m = 0 THEN ELSE assign(n-m,
word] newword BMOD2(v),mwm(DIVBY2(v),m-l,n)
)
END mw
def:
bool
AXIOM
to
mw(ii)
int:
= mwm(ii,N,N)
function[bool (LAMBDA b ->
-> int] = int: IF b THEN
valm: function[word,int,int valm def: AXIOM valm(w,m,n)
val
def:
AXIOM
val(w)
thm:
THEOREM
val_range_thm: val
END
-> int] = IF m = 0 TH_ 0 ELSE 2*valm(w,m-l,n) END
Big mw
bits
thm:
0 END
+ bool
proofs
val(w)
THEOREM val(wl) (FORALL m:
the
int(bit(n-m,w))
*)
( ii >= 0 AND ii < power2(N) IMPLIES val(mw(ii)) = ii
THEOREM
of
to
Theorems
>=
0 and
val(w)
)
< power2(N)
= val(w2) IMPLIES m>=0 AND m- 0) IMPLIES ( IF k = i THEN Bit(i,Assign(k,s,gw))ELSE Bit(i,Assign(k,s,gw))= Bit(i,gw)
the
defined
"bitassign" to distinguish
45
in
the them
boolean from
the
s
words
END
)
theory.
boolean
word
The
functions since EHDMdoes not support overloading of function names. The axiom defines the effect of retrieving a bit from a word which has been modified by assigning a new value to one of its bits. If the bit being retrieved is the sameas the one just assigned, the new value is retrieved. Otherwise, the value retrieved is the sameas before the assignment. It should be noted that these functions are not defined in a "constructional" manner, that is, they have not been defined separately in terms of previously defined primitives. Their properties have been defined axiomatically in terms of each other. Such axioms must be carefully scrutinized to insure that inconsistencies are not introduced into the specification. Next, the functions "val" and "mw" are defined in the general theory of words. The "val" and "row" functions "interpret" the N bits of boolean values as an integer. Consequently they are only defined for general words that contain only values of "t" and "f". They must be defined as partial functions. This is accomplished by defining a function which embedsthe boolean words in the set of general words: embed: function[word-> gword] embedax: AXIOM(i < N and i >= --
Bit(i,embed(w))
There
are
now
words
and
general
the
boolean
two
values
distinct words
types
0) IMPLIES z bool to
-- word
respectively.
with
"t"
and
of
bool_to_signal: function[bool -> (LAMBDA bb -> signalval: IF bb THEN t ELSE f END)
Thus,
the
which
consists
partial
function of
functions
"embed" only
"t"
"Val"
and
maps and
"Mw"
Val: function[gword-> int] Val ax: AXIOM Val(embed(w)) Mw: function[ Mw ax: AXIOM
int -> Mw(ii)
gword
function
words
values.
can
-- which bool
to
represent signal
boolean
associates
"signalval":
signalval]
boolean "f"
and
The
"f"
signal(bit(i,w))
=
to
Using
be defined:
= val(w)
gword] - embed(mw(ii))
46
the the
corresponding "embed"
general
function,
the
word
The
theorems
general
of
words.
Val
Mw
gwords: USING
For
example:
Val(Mw(ii))
The last step word theory.
full
"words"
module
are
thin: THEOREM ( ii >_ 0 AND IMPLIES Val(Mw(ii))
Proof:
The
the
established
ii < power2(N) = ii
in
the
theory
of
)
= Val(embed(mw(ii)) = val(mw(ii) = ii
follows
from
specification
MODULE[N:
easily
of
the
"val
"gwords"
mw
thm"
theorem
of
"words",
the
boolean
follows:
int]
words,power2_th,signal,divby2th
EXPORTING gword, newgword, Valuable, WITH power2th,signal,divby2th
Assign,
Bit
ASSUMING N
pos:
FORMULA
N>0
THEORY abbreviations
(*
word:
TYPE
is
for
words
,)
items
word[N]
assign: function[int, bool, word -> word] bit: function[int, word -> bool] is bit[N] mw: function[int -> word] is mw[N] val: function[word -> int] is val[N] Theory
(*
needed
to
define
is assign[N]
words
,)
functions
gword: TYPE newgword: gword k,i,ii: VAR int w: VARword gw, gw2: VAR gword s: VAR signalval a,b: VAR bool Assign: function[int, signalval, gword Bit: function[int, gword -> signalval] Bit__Assign_ax:
AXIOM
->
gword]
(i < N and i >= 0) IMPLIES ( IF k - i THEN Bit(i,Assign(k,s,gw))ELSE Bit(i,Assign(k,s,gw))= Bit(i,gw)
47
s END
)
accessnew: AXIOMBit(k,newgword) (*
Concepts
-
related
to
= x
interpretation
embed: function[word-> gword] embed ax: AXIOM (i < N and i >= 0) IMPLIES Bit(i,embed(w)) = bool to
of
words
as
integers
......
signal(bit(i,w))
Val : function[gword -> int ] Val ax: AXIOM Val(embed(w)) = val(w) Mw: function[int -> Mw ax: AXIOM Mw(ii) Valuable: Valuable Val
Bit
Mw
gword] = embed(mw(ii))
function[ gword -> bool ] def: AXIOM Valuable(gw2) -
thin: AXIOM
bit thm: --
valuable
mw:
Valuable
(i < N and bit(i,w)
THEOREM
AXIOM
= embed(w))
)
i >= 0) IMPLIES = Assign(i,bool
to
signal(b),embed(w))
Valuable(embed(mw(ii))) Valuable(gw)
=
(_i>=0) and (i < N) IMPLIES (Bit(i,gw) = t or Bit(i,gw)
Val_range_thm:
gw2
i >= 0) IMPLIES _ signal to bool(Bit(i,embed(w)))
THEOREM (i < N and embed(assign(i,b,w))
THEOREM
thm:
w:
( ii >= 0 AND ii < power2(N) IMPLIES Val(Mw(ii)) = ii
THEOREM
Assign_assign_thm:
(EXISTS
Valuable(gw) Val(gw) >=
IMPLIES 0 and Val(gw)
- f))
< power2(N)
PROOF p_Val
Mw
thm:
PROVE
p_Val_range_thm:
Val
PROVE
Mw
thm
FROM
Valrange_thm{gw
Mw ax, Va[_ax{w
bool]
is signal
-> int] = int: IF bb
signal
49
THEN
to
bool
1 ELSE
0 END
)
*)
APPENDIX
SUGGESTIONS
In
the
EHDM
following
subsections,
verification
several
of
distinct
In
it
is necessary
values.
This
type
signalval
- NEW(
EHDM
this
be
properties
IMPROVING
suggeskions
must
of
the
Values
to define
t
done
J f
via
s: VAR
signalval
unique:
AXIOM
t ~-
exhaust:
AXIOM
s m t or
is
proof
one
a need
process Instead
for it
which
takes as
a laborious
detailed
the
on
a finite
number
follows:
specification
f and
t ~=
x and
s - f or
f ~m
of
all
of
the
another
is
often
kind
function[int AXIOM
x
s = x
of
Axioms
"axiom"
necessary
to
in
rewrite
EH_.
->
int]
->
int]
-
(LAMBDA
x ->
F(x)
- x*x
m
50
int:
x'x)
In order
LAMBDAdefinitions
of
function[int
Fax:
improving
J x)
writes:
F:
for
a Type
in LCF-LSM
Definitional
F:
made
TYPE
signalval
axioms.
of
a type
is accomplished
t,f,x:
the
are
needed:
signalval:
There
EHDM
system.
Definition
Frequently
FOR
B
_
to
facilitate as
Thus, the theorem prover only expands the definition of F when specifically stated as a premise. This is desirable when the definition is complicated and a proof does not dependupon the particulars of the definition. However, there is a unhappy side-effect of this procedure. There is now an additional axiom which appears at the base of the theory. (See section entitled "Status of Proofs". ) In other words, when one performs a proof analysis, the big theorems you have proved are reported to depend upon a set of axioms. This set now includes all of these "axioms" which are merely definitions of temporary "names". The big result in no sense depends upon these "names". They were used as a convenience. If one would rewrite the module using LAMBDA definitions, it
then
depended
upon
theorem
prover
Perhaps
EHDM
F-ax:
which
the
of
a
have
to have
big
theorem
and
that
AXIOM
f
h:
restricted
the
definitions.
minutes
to
Of
prove
construct,
set
say
of
axioms
course,
the
the
results.
DEFINITION:
form.
" EHDM
constant
simplify
this
currently
of the
the
requires
module
statement
"temporary"
g
+ x =
are
is proved
function[int AXIOM
big_theorem:
"h ax"
a new
and
being of
function.
a mapping mapped."
a big For
every
If one
theorem,
example,
for
one
suppose
should the
f(x*x+x)g(x)
mapped
there.
into What
if
some
concrete
for
form
convenience
in a mapping
the
above
axiom
module was
as:
h ax:
Would
to
x*x
and
big-theorem
written
with
proved
is:
big_theorem:
Suppose
to map
name
than
states
every
name
these
be
w x*x
it
and
could
rather
extended
Manual
type
theorems
include
weeks
f(x)
function
not
not
take be
big
a particular
User's
uninterpreted defines
may could
be
same
would
DEFINITION
must
In
the
it be have
->
h(x)
= x*x
AXIOM
necessary to be
int] + x
h(x)
to
proved
= f(h(x))g(x)
specifically as
a theorem
"map" in
51
the
h
down mapping
to
the
module?
next It
level? is not
Would clear
from
the
User's
manual
exactly
what
must
be
proved
when
doing
hierarchical
mappings. Also
the
level
leads
could
be
fact to a
that
axioms
of
terminology
invented
which
one
nightmare.
conveyed
this
Improvement
The Consider
Proof the
_IC:
Instantiator function
level
proved
It would
to
Proof
sty,
some
(from
loadin,
theorems
nice
if a new
in
the
keyword
very
module
obvious
cnt6
->
func
->
blk)
substitutions. listed
statevector]
below
in
full:
=
statevector:
make_triple(MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv))
I
loadin, MPLXCON(node(stv))
),
BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(stv))
There
is an
NEXTNODE0
axiom
ax:
NEXTNODE0
AXIOM
ax
val2(nd)
which
=
will
NEXTNODE(nd,func,dbl)
ELSIF ELSE
following
lemma
is to
= 0 THEN
val2(func)
as
a premise:
fetchnode
= 1 THEN
inclnode
be
cited
=
END
The
be
0 IMPLIES
IF val2(func)
lower
Instantiator
function[statevector,word6,word2 (LAMBDA
be
as
concept.
"overlooks"
COUNTLOGIC
are
proved:
52
loadnode
)
claa: LEMMAval2(node(stv))
=
0
and
_IC(stv,loadin,func) make
val2(func)
=
0 IMPLIES
=
triple(MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv))
I
loadin, MPLXCON(node(stv))
),
BOOLF(bit2(0,func)), fetchnode)
The
following
p_claa:
proof
PROVE
statement
claa
FROM
does
the
job:
NEXTNODE0_ax{nd
define
(*
states:
TYPE
is val[2] is val[6] is mw[6]
to
represent
of
,)
machine
TYPE define
(_
state:
state
VAR
logic
,)
variables
states
loadin,w: VARword6 func: VARword2 define
(*
properties
of
6-bit
cnt: function[states -> word6] exec cnt: function[states,word6,word2 ready: function[states -> bool] addl
->
-> word6] _-> word6: IF val6(w) = 63 THEN ELSE mw6(val6(w)+l)
counter
*)
states]
mod64:function[word6 ( LAMBDAw
mw6(0)
END ) ready_ax: counter
AXIOM ax:
-
AXIOM
ready(state)
ready(exec_cnt(state,loadin,func)
ready(state) IMPLIES cnt(exec cnt(state,loadin,func)) IF val2(func) - 0 THEN cnt(state) ELSIF val2(func) = i THEN loadin ELSIF val2(func) = 2 TH_ addl mod64(cnt(state)) ELSE add1
END
IMPLIES
mod64(addl
mod64(cnt(state)))
cnt6
54 i
)
words:
MODULE[N:
USING
int]
power2_th,divby2_th
EXPORTING WITH
word,
newword,
bit,
assign,
val,
mw,
mwm,
valm,
bool
bit(i,w)
END
to
int
power2_th,divby2_th
ASSUMING N_pos:
FORMULA
THEORY word:
N>0
TYPE
k,i,ii,m,v,n,h,jj,y: w,wl,w2: VARword a,b: VAR bool newword: word
VAR
int
assign: function[int, bool, word bit: function[int, word -> bool] bitassign:
AXIOM
mw: function[int val: function[word
->
word]
(i >= 0 and i < N) IMPLIES bit(i,assign(k,b,w)) = ( IF k = i THEN b ELSE ->
)
word] -> int]
mwm: function[int,int,int -> mwm def: AXIOM m_n(v,m,n) = IF m = 0 THEN ELSE
word] newword
assign(n-m,BMOD2(v),mwm(DIVBY2(v),m-l,n)
)
END mw
def:
bool
AXIOM
to
int:
mw(ii)
= mwm(ii,N,N)
function[bool (LAMBDA b ->
-> int] = int: IF b THEN
valm: function[word,int,int valm def: AXIOM valm(w,m,n)
val
def:
AXIOM
val(w)
thm:
val_range_thm:
THEOREM
( ii IMPLIES
THEOREM
)
+ bool
to
int(bit(n-m,w))
= valm(w,N,N) Big
mw
0 END
-> int] = IF m = 0 THEN 0 ELSE 2*valm(w,m-l,n) END
(* val
1 ELSE
Theorems
>= 0 AND ii val(mw(ii))
val(w)
*)
< power2(N) _ ii
>- 0 and
55
val(w)
)
< power2(N)
val bits thm: THEOREM val(wl) -- val(w2) IMPLIES (FORALLm: m>=0ANDm bool] zfun ax: AXIOMzfun(n) = (
(n > 0 AND n = IMPLIES valm(mwm(ii,n,n),n,n)
vfun: function[int -> vfun ax: AXIOM vfun(m) --
bool] _ ( (m=0 (valm(w,m,n)
qfun:
bool]
function[int
qfun_ax:
AXIOM
->
qfun(m) = ( (m+l>0 and ii>=0 and valm(mwm(ii,m,n)
twen: function[int->bool] twen ax: AXIOM twen(k) IMPLIES
m0
and
m>=0
(valm(w,m,n) -> bool] valpos(m) =
(m>=O
build: function[int->bool] build ax: AXIOMbuild(k) = (k>=0 -bit(m,wl)-bit(m,w2))
IMPLIES
ii ii
< power2(n) )
and n=0 AND k bool] weir ax: AXIOM weir(m) = ( (m bool] gnu_ax: AXIOM gnu(k) = (k>=0 bit(k+N-m, copz
END)
AND k=0 IMPLIES m bits(m,wl,w2)) = bit(k+N-m,wl))
rang: function[int -> bool] rang_ax: AXIOM rang(m) = (m>=0 and m -0 valm(w,m,N) < power2(m) )
AND
PROOF (* val
val mw
thm:
AXIOM
( ii
>-
0 AND
mwthmTHEOREM ii
< power2(N)
56
) IMPLIES
val(mw(ii))
- ii
*)
inv
axiom:
LEMMA
(*zfun: function[ zfun ax: AXIOM
( n > 0 AND n _ IMPLIES valm(mwm(ii,n,n),n,n)
int -> bool] zfun(n) = ( (n > 0 AND n = IMPLIES valm(mwm(ii,n,n),n,n)
L0:
LE_MMA zfun(0)
LI:
LEMMA
Lla:
LEMMA
( ii
LEMMA LEMMA
LEMMA
L2a:
>- 0 AND
zfun(m)
LEMMA
IMPLIES
(m>=0
and
bool
LEMMA valm(
(*
0 AND ii < power2(n) = ii ) *)
ii < power2(1)
) IMPLIES
MOD2(ii)
_
(m>=0
zfun(m+l) ii>=0)
IMPLIES
valm(mwm(ii,m+l,m+li,m+l,m+l)
-
assign(
to
and
0, BMOD2 ( ii ), mwm( DIVBY2 (ii ),m,m+l ) ) ,m, m+l )+ int(bit(0,assign(0,BMOD2(ii), mwm(DIVBY2 ( ii ),m, m+l ) ) ) )
m+l=0)
IMPLIES
assign( 0, BMOD2(ii), mwm(DIVBY2(ii),m,m+l) valm(mwm(DIVBY2(ii),m,m+l) ,m,m+l)
b20: b21:
LEMMA LEMMA
b2m:
LEMMA(vfun(m)
b2h:
LEMMA
L2d:
) ,m,m+l)
=
LEMMA
IMPLIES
(h>--0) IMPLIES
(m+l>0
vfun(h)
and
ii>=0 and ii < power2(m+l) valm(mwm(DIVBY2(ii),m,m+l) valm(mwm(DIVBY2(ii),m,m)
m0 and ii>_0 and valm(mwm(ii,m,n) LEMMA
)
vfun(0) vfun(1)
LEMMA (m+l>0 and m+l=0) IMPLIES valm(mwm( ii ,m+l ,m+l ) ,m+l ,m+l ) -2*valm( mwm(DIVBY2( ii ) ,m,m+l) ,m,m+l)
d20:
)
ii
vfun: function[int -> bool] vfun ax: AXIOM vfun(m) = ( (m=0 and n=0 and n=0 IMPLIES weir(h)
n - m IMPLIES
1 > 0 IMPLIES
n - m -
(ii>-0 AND m+l > 0 AND ii (DIVBY2(ii) < power2(m))
< power2(m+l))
L2i:
LEMMA
(m>0
zfun(m+l)
(m>-0)
AND
zfun(m))
IMPLIES
IMPLIES
mw
thm:
PROVE
val
IMPLIES
zfun(m) PROVE
(*
p_val
0
(m+l>0 and ii>=0 and m+l word6]
function[statevector -> bool] = (LAMBDA svt -> bool: node(svt)
(*
g2a:
in Module
function[statevector,word6,word2 is Finite automata
(* st,state: VAR states loadin,ld: VARword6 func: VARword2 y,m:
Spec
statevector
cnt6.cnt:
cnt6.ready:
Level
(y
needed
=
LEMMA
>= 0 AND
0: LEMMA
ready(st)
prove
counter
ax
.....
• *)
4
= 0 or = 2 or
bit2(0,fn)
to
val2(fn) val2(fn) y < m)
= 1 or = 3 IMPLIES
((y
>=
0 AND
y
< m-l)
OR
= BMOD2(val2(fn))
IMPLIES
val2(node(st))
_ 0
ready(state) and val2(func) = 0 IMPLIES cnt(exec cnt(state,loadin,func)) - cnt(state) AND readyiexec_cnt(state,loadin, func))
71
(y_m-l))
cnt
cnt
i:
2:
ready(state) and IMPLIES cnt(exec AND ready(exec L_@IA
ready(state) and val2(func) = 2 IMPLIES cnt(exec cnt(s£ate,loadin,func)) addl mod_4(cnt(state)) AND
cnt
3: la2@_A
LEPRAs
cla:
clb:
c2b:
=
ready_execcnt(s_ate,loadin,func)) needed
to prove
cnt
1
val2(fn) - 1 IMPLIES NEXT(FETCH(cnt(st),double(st),id,fn), LOAD(cnt(st), BOOLF(bit2(0,fn)), LEMMAs
(*
c2a:
ready[execcnt(state,loadin,func))
*)
ready(st) and val2(fn) = 1 IMPLIES exec cnt(st,ld,fn) = NEXT(FE_(cnt(st),double(st),Id,fn), LHqMA
LEMMA
L_MMA
- loadin
=
ready(state) and val2(func) - 3 IMPLIES cnt(exec cnt(state,loadln,func)) addl mod_4(addl mod64(cnt(state))) AND
(*
val2(func) - 1 cnt(state,loadin, func)) cnt(state,loadin,func))
needed
to prove
cnt
id,fn
id,fn id,fn)
2
) -
*)
ready(st) and val2(fn) - 2 IMPLIES exec cnt(st,ld,fn) = NEXT(FETCH(cnt(st),double(st),id,fn), ready(st) and val2(fn) = 2 IMPLIES NEXT(FETCH(cnt(st),double(st),id,fn),
)
id, fn)
id,fn)
= Id,fn)
NEXT(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), c2c:
c2d:
LEMMA
LE_IMA
c2e: c2f:
ready(st) and val2(fn) = 2 IMPLIES NEXT(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), INCl(cnt(make triple(cnt(st),BOOLF(bit2(O,fn)),inclnode) double(make_triple(cnt(st),BOOLF(bit2(O,fn)),inclnode)), id,fn) ready(st) and val2(fn) = 2 IMPLIES INCl(cnt(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode) double(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), id,fn) INCl(cnt(st),BOOLF(bit2(0,fn)),id, fn) val2(fn)
Lm_MA
- 2
IMPLIES
NOT
BOOLF(bit2(0,fn))
ready(st) and val2(fn) - 2 IMPLIES INCl(cnt(st),BOOLF(bit2(O,fn)),id,fn)
-
make_triple(ADDl(cnt(st)),BOOLF(bit2(O,fn)),fetchnode) (*
LE/@9_
needed
to
prove
cnt_3
72
,)
id, fn) ),
),
c3a:
LEMMA
ready(st) and val2(fn) = 3 IMPLIES exec cnt(st,ld,fn) = NEXT(NEXT(NEXT(st,ld,fn),Id,fn),Id,fn)
c3b:
LEMMA
ready(st) and val2(fn) - 3 IMPLIES NEXT(NEXT(NEXT(st,ld,fn),Id,fn),Id,fn) = NEXT(NEXT(FETCH(cnt(st),double(st),id,fn),id,fn),id,fn)
c3c:
LEMMA
ready(st) and val2(fn)=3 IMPLIES NEXT(NEXT(FETCH(cnt(st),double(st),id,fn),id,fn),id,
fn)
NEXT(NEXT(make_triple(cnt(st), BOOLF(bit2(O,fn)),inclnode), id,fn),id,fn) c3d:
LEMMA
ready(st) and NEXT(NEXT(make
val2(fn) = 3 IMPLIES triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), [d,fn),id,fn)=
NEX(INCl(cnt(make_triple(cnt(st), double(make BOOLF(bit2(U, inclnode)), id,fn),id,fn) c3e:
LEMMA ready(st) and NEXT(INCl(cnt(make
BOOLF(bit2(0,fn)),inclnode)), triple(cnt(st), fn)),
val2(fn) = 3 IMPLIES' triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)),
double(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), Id,fn),id,fn) = NEXT(make triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),inc2node), [d,fn) c3f:
LEMMA ready(st) and val2(fn) = 3 IMPLIES NEXT(make_triple(ADDl(cnt(st)), BOOLF(bit2(0,fn)),inc2node),id,fn)
-
INC2(cnt(make_triple(ADDl(cnt(st)), BOOLF(bit2(0,fn)), inc2node)), double(make_triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)), inc2node)),id,fn) c3g:
LEMMA
c3h:
LEMMA
ready(st) and val2(fn) = 3 IMPLIES INC2(cnt(make triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),inc2node)), doubYe(make_triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)), inc2node)),id,fn) = INC2(ADDl(cnt(st)),BOOLF(bit2(0,fn)),id, fn) ready(st) and val2(fn) = 3 IMPLIES INC2(ADDl(cnt(st)),BOOLF(bit2(0,fn)),id,fn)= make_triple(ADDl(ADDl(cnt(st))),BOOLF(bit2(0,fn)),fetchnode)
c3n:
LEMMA
val2(inclnode)
c3p:
LEMMA
val2(fn)
_
=
1
3 IMPLIES
BOOLF(bit2(0,fn))
73
=
PROOF p__assumingl:
PROVE
p_counter_ax:
p_ready_ax:
words[2].N_pos
PROVE
PROVE
ready_ax FROM cnt 0{func bool] = (LAMBDA b -> bool: not b) [bool, bool-> bool] = bl,b2 -> bool: not (bl and b2)) [bool, bool, bool -> bool] = bl,b2,b3 -> bool: not (bl and b2 and b3)) [bool, bool, bool, bool -> bool ] = bl,b2,b3,b4 -> bool: not (bl and b2 and b3 and b4)) [bool, bool -> bool] = bl,b2 -> bool: not (not bl and b2 or bl and not b2)) [bool, bool -> bool ] = bl,b2 -> bool: not (bl or b2)) logic
(*
.)
variables
i0,ii,i2,i3,i4,i5: VAR bool ibit,lsel,incbit,incsel: VAR bool incout,loadin,cntr: VARword6 mplxsel,noinc,Double: VAR bool Node,Func: VARword2 circuit
(*
output:
function (LAMBDA
,)
definition
[bool,bool,bool,bool,bool,bool i0,ii,i2,i3,i4,i5 -> word6:
->
word6]
=
assign6(0,i0, assign6(l,il, assign6(2,i2, assign6(3,i3, assign6(4,i4, assign6(5,i5,newword[6])))))))
bitsel:
MPLEXCIRC: MPLEXCIRC
function[bool,bool,bool,bool -> bool] = (LAMBDA ibit,lsel,incbit,incsel -> bool: NAND2(NAND2(ibit,lsel), NAND2(incbit,incsel))
function[word6,word6,bool -> word6] ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) output( bitsel(bit6(0,1oadin) ,INV(mplxsel),bit6(0,incout),mplxsel), bitsel(bit6(1,1oadin) ,INV(mplxsel),bit6(l,incout),mplxsel), bitsel(bit6(2,1oadin) ,INV(mplxsel),bit6(2,incout),mplxsel), bitsel(bit6(3,1oadin) ,INV(mplxsel),bit6(3,incout),mplxsel), bitsel(bit6(4,1oadin) ,INV(mplxsel),bit6(4,incout),mplxsel), bitsel(bit6(5,1oadin) ,INV(mplxsel),bit6(5,incout),mplxsel)
) carry4bar:
function[word6,bool -> bool] (LAMBDA cntr,noinc -> bool: NAND4(INV(noinc),bit6(O,cntr),bit6(l,cntr),bit6(l,cntr))
)
84
INCCIRC:function[word6,bool (LAMBDA
cntr,noinc
-> word6]
=
-> word6:
output( XNOR(bit6(0,cntr), noinc), XNOR(bit6(l,cntr), NAND2(INV(noinc),bit6(0,cntr)) XNOR(bit6(2,cntr), NAND3(INV(noinc), bit6(0,cntr), bit6(l,cntr) XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ), XNOR(bit6(4,cntr), NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr)
), )
),
)
), XNOB(bit6(5,cntr), NAND3(INV(carry4bar(cntr,noinc)), bit6(3,cntr) , bit6(4,cntr) )
)
) )
inccon:
function[word2 -> bool] = (LAMBDANode -> bool: NOR2(bit2(0,Node),bit2(l,Node))
common:
function[word2,word2 -> bool] = (LAMBDA Node,Func -> bool: NAND3(inccon(Node),INV(bit2(l,Func)),bit2(0,Func))
CONIROLCIR:
function[word2,word2,bool (LAMBDANode,Func,Double
-> cntrlsigs] -> cntrlsigs:
=
make_triple(inccon(Node), NAND2(bit2(0,Node),bit2(l,Node)), assign2(0, NAND2(common(Node,Func), NAND2(inccon(Node),bit2(l,Func))
), assign2(l,NAND2(common(Node,Func), NAND3(Double, bit2(0,Node), INV(bit2(l,Node) newword[2]) )
(*
Mappings
cnt6
blk.INCLOGIC:
cnt6
blk.MULTIPLEX:
to
"cnt6
function[word6,bool
->
function[word6,word6,bool
(*
85
blk"
) )),
*)
word6] ->
=
INCCIRC
word6]
= MPLEXCIRC
cnt6
blk.INCCON:
function[word2,word2,bool -> bool ] = (LAMBDA Node, Func, Double -> bool: f i r s t (CONTROLC IR (Node, Func, Double
))
)
cnt6
blk.MPLXCGN:
function[word2,word2,bool -> bool] z (LAMBDA Node, Func, Double -> bool: second( CONTROLCIR (Node, Func, Double
))
) *) cnt6
blk.NEXTNODE:
function[word2,word2,bool -> word2] (LAMBDA Node, Func, Double -> word2: third (CONTK_LCIR (Node, Func, Double ) )
) END
cnt6
cir
ineq_.cases:
MODULE
THEORY y,m:
VAR
int
Y 0: THEOREM Y--01: THEO_ Y-S: THEOKEM
(y>-0 AND y-I AND y-0 AND y-0
Y I: THEOREM
(y>-0
AND
y-0
AND
y-0 AND y
int:
i+l)
int]
=
i ->
int:
IF
->
bool]
bool] bool: ->
= IF
(LAMBDA =
(LAMBDA
i>=0
THEN
true
->
bool:
ELSE
false
i-I
ELSE
THEOREM
0 END)
(i>=j))
END
)
bool]
induction: THEOREM (p(First) AND IMPLIES (FORALL d2: geq(d2,First)
int
i,j
i > 0 THEN
THEOREM (FORALL dl: geq(dl,First) IMPLIES (FORALL d3: (geq(d3,First) AND geq(dl,d3) AND d3 ~- dl) p(d3)) IMPLIES p(dl)) IMPLIES (FORALL d2: geq(d2,First) IMPLIES p(d2))
int_induct_by_2:
END
-> i ->
function[int
int_complete:
->
int]
(FORALL dl: p(dl) IMPLIES IMPLIES p(d2) )
(p(First) AND p(next(First)) AND IMPLIES p(next(next(dl))))) IMPLIES (FORALL d2: (geq(d2,First)
inductions
87
IMPLIES
p(next(dl))))
(FORALL IMPLIES
dl:
p(dl)
p(d2)
))
Report
N_,mW #aJoNt_*. _ SNce _41m,_mm, mt 1.
Report
No.
NASA
TM-I00669
4.Titl,
2.
AVSCOM
Documentation Government
Accession
Page 3.
No.
and Subtitle
Hardware
5.
Proofs
Reciplent's
Catalog
No.
TM-88-B-OI7
Using
EHDM
and
the
RSRE
Verification
Report
Date
December
Methodology
1988
6. Performing Organiaation Code
7. Author{.) Ricky
W.
Butler
and
9. Performing Organizat_n NASA
Research
VA
Sjogren
8. Perform|ng Organisation
Report No.
10. Work Unit No.
Center
23665-5225
Joint Research C_nt_r. Hampton,
and
Programs Office/AVRADA, VA 23665-5225
Langley
505-66-21-01
Research
11. Contract
or Grant
No.
Name and Addms
]2. Sppn_rlngAp_y National
A.
Name and Address
Langley
Hampton,
Jon
Aeronautics
Washington,
DC
and
Space
Administration
20546-0001
13. Type of Report
and Period Covered
and U.S.
Army
St.
Aviation
Louis,
MO
Systems
Technical
Command
63120-1798
14. Army Project
Memorandum No.
ILI61102AH45E 15.
Supplementary
Ricky Jon
Notes
W. A.
Butler:
Langley
Sjogren:
Joint
Research
Research
Hampton, 16.
Center,
Programls
Hampton,
Offioe,
Virginia
A_-A%_o(X]M,
Langley
Besear_
VA
Abstract
This paper examines a methodology for hardware verification developed by Royal Signals and Radar Establishment (RSRE) in the context of the SRI International's Enhanced Hierarchical Design Methodology (EHDM) specification/verification system. The methodology utilizes a four-level specification hierarchy with he following levels: functional level, finite automata model, block model, and circuit level. The properties of a level are proved as theorems in the level below it. In this paper, this methodology is applied to a 6-bit counter problem and is critically examined. The specifications are written in EHDM's specification language, Extended Special, and the proofs are improving both the RSRE methodology and the EHDM system.
17. Key W_de(Susl_,ted Verification Proof
Formal
Specification
19.
SecuriW
Proving Verification
Clamf.
Iof
this
Subject
20,
report)
FORM
1(K'8
Statement
Security
CIsu_f.
(of
this
-
OCT
86
For
sale
by
the
National
Technical
Unlimited
Category
pagel
21.
62
No.
of
pages
89
Unclassified
Unc]asstfted NASA
Distribution
Unclassified
Formal
Theorem Hardware
18.
by Authors(s))
Information
Service,
Springfield,
Virginia
22.
Price
A05
22161-2171
Center,
