




NASA Contractor Report 189698
Formal Design Specification of a Processor
Interface Unit
David A Fura















SPECIFICATION OF A PROCESSOR
INTERFACE UNIT (Boeing Military
Airplane Development)
N93-1253_3






This document was generated in support of NASA contract NAS 1-18586, Design and Validation of Digital
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 9. Task 9 is concerned
with the formal specification of a processor interface unit.
This report describes the formal specification of the design for a processor interface unit using the HOL
methodology. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded
system under development at the Boeing High Technology Center. It provides the opportunity to investigate
the specification and verification of a real-world component within a commercially-developed fault-tolerant
computer.
The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center,
Hampton, Virginia.
The work was accomplished at the Boeing Company, Seattle, Washington and the University of Idaho,
Moscow, Idaho. Personnel responsible for the work include:
Boeing Military Airplanes:
D. Gangsaas, Responsible Manager
T. M. Richardson, Program Manager
Boeing High Technology Center:
Gerald C. Cohen, Principal Investigator
David A. Fura, Researcher
University of Idaho:




1.1 Informal PIU Description
1.1.1 PMM Initialization
1.1.2 CPU Accesses to Memory
1.1.2.1 To Local Memory
1.1.2.2 To Internal Register File
1.1.2.3 To the C_Bus
1.1.3 C_Bus Accesses to Memory
1.1.4 Timers and Interrupts
1.2 Specification Overview





Formal Microprocessor Modeling
2.2.1 Microprocessor Specification
2.2.2 Microprocessor Verification
2.3 A Formal Model of Interpreters
2.3.1 Abstract Theories
2.3.2 Temporal Abstraction
2.3.3 The Abstract Representation
2.3.4 The Theory Obligations
2.3.5 Abstract Theorems
2.3.5.1 Defining the Interpreter
2.3.5.2 Induction on Interpreters
2.3.5.3 The Implementation is Live
2.3.5.4 The Correctness Statement
2.3.5.5 Composing Interpreters Hierarchically
2.4 Parallel Composition
2.5 Conclusion
Design Specification














Component Descriptions




CTR Datapath Block
ICR Datapath Block
CR Datapath Block
SR Datapath Block
Finite-State Machines
Block Diagram Descriptions
3.1.2.1 P_Port Structure
3.1.2.2 M_Port Structure
3.1.2.3 R_Port Structure
3.1.2.4 C_Port Structure






3.1.2.5 SU_Cont Structure
3.2 Port Phase-Level Behavior
3.3 Port Clock-Level Behavior
3.4 PIU Port-Level Structure
3.5 PIU Clock-Level Behavior
Models for Transaction Specification
4.1 Introduction
4.2 Abstract Views
4.3 Representing Transaction Systems
4.4 Preliminary Transaction Model Design
4.4.1 The Transaction Model
4.4.1.1 Ports
4.4.1.2 State
4.4.1.3 Transactions
4.4.1.4 Operation
4.4.2 Development Plan and Comments
4.5 Conclusions
Towards an Integrated Simulation/Verification Environment
5.1 New Datatypes in HOL
5.1.1 Arrays
5.1.2 N-Bit Words
5.2 An Example in M
5.3 An Example in HOL
Conclusions
References
ML Source for Component Specifications
ML Source for the Gate-Level Specification of the PIU Ports
B.1 P_Port Specification
B.2 M_Port Specification
B.3 R_Port Specification
B.4 C_Port Specification
B.5 SU_Cont Specification
ML Source for the Phase-Level Specification of the PIU Ports
C.1 P_Port Specification
C.2 M_Port Specification
C.3 R_Port Specification
C.4 C_Port Specification
C.5 SU_Cont Specification
ML Source for the Clock-Level Specification of the PIU Ports
D.1 P_Port Specification
D.2 M_Port Specification
D.3 R_Port Specification
D.4 C_Port Specification
D.5 SU_Cont Specification
E ML Source for the PIU Block-Level Specification
F ML Source for the PIU Clock-Level Specification
List of Figures
1.1 Block Diagram of the Processor-Memory Module (PMM)
1.2 Major Blocks of the Processor Interface Unit (PIU)
1.3 PIU Specification Hierarchy
2.1 A Hierarchy of Interpreters


























Two Series Latches Clocked by the Same Phase
Interval Representations
Example D Flip-Flop Constructed With Latches
Functional Block Diagram of a Counter
Functional Block Diagram of the CTR Datapath Block
Functional Block Diagram of the ICR Datapath Block
Functional Block Diagram of the CR Datapath Block
Functional Block Diagram of the SR Datapath Block
Functional Block Diagram for Finite-State Machines
P_Port Top-Level Block Diagram
Block Diagram of P_Port Datapath
Block Diagram of P_Port Controller
M_Port Top-Level Block Diagram
Block Diagram of the M_Port Datapath
Block Diagram of the M_Port Controller
R_Port Top-Level Block Diagram
Block Diagram of Register File Controller
Block Diagram of the Timer Interrupt Block
Block Diagram of the Register Interrupt Block
C_Port Top-Level Block Diagram
Block Diagram of the C_Port Datapath
Block Diagram of the C_Port Controller (Part A)
Block Diagram of the C_Port Controller (Part B)
Block Diagram of the Startup Controller PIU-Port Interface
Block Diagram of the Startup Controller CPU Interface
4.1 The View from the CPU
4.2 View from the Memory
4.3 View from the Network
4.4 Abstraction Views for the PIU
4.5 Modeling the Buses in a Computer System using Tuple Space




1.1 R_Port Register Definitions
2.1 The abstract functions and their types for the generic interpreter model




This report describes work to formally specify the requirements and design of a processor interface unit
(PIU), a single-chip subsystem providing memory-interface, bus-interface, and additional support services
for a commercial microprocessor within a fault-tolerant computer system. This system, the Fault-Tolerant
Embedded Processor (FTEP), is targeted towards applications in avionics and space requiring extremely
high levels of mission reliability, extended maintenance-free operation, or both. The need for high-quality
design assurance in such applications is an undisputed fact, given the disastrous consequences that even a
single design flaw can produce. Thus, the further development and application of formal methods to
fault-tolerant systems is of critical importance as these systems see increasing use in modern society.
The work described in this report is but a first step towards developing a provably correct fault-tolerant
computing platform for application to real commercial and military systems. Beyond the PIU verification
task that follows this work, future formal methods targets include at least two additional application-specific
integrated circuits (ASICs) and the operating system software for the FTEP system. It is expected that the
lessons learned in this PIU effort will influence the future design and modeling of these components to
facilitate their subsequent verification.
This report contains five major sections following this introduction, as well as several appendices
containing the PIU design specification in its full detail. Section 2 describes the generic interpreter theory used
to formally specify portions of the PIU design. This theory builds on previous NASA-funded work
described in [Win90], with important extensions in the handling of interpreter outputs to support subsystem
composition.
Section 3 explains the PIU design specification at a high level to facilitate the understanding of the
formal models contained in the appendices. The specification itself was written using the HOL
theorem-proving system developed at the University of Cambridge, England [Gor88].
Section 4 describes our progress in developing a transaction-based modeling approach for specifying
the PIU requirements. A number of modeling candidates were investigated and a preferred approach was
identified for formalization in HOL.
Section 5 describes our initial efforts at integrating our hardware design and verification environments
into a single framework. A prototype M-to-HOL translator was developed and was used to translate the PIU
behavioral specifications initially written in the simulation language M.
Section 6 contains a concluding discussion.
Before leaving this section, we first present an informal description of the PIU, including both its
structure and an overview of its behavior. Following this we introduce the specification hierarchy developed for
the PIU.
1.1 Informal PIU Description
The PIU is a single-chip subsystem providing memory-interface, bus-interface, and additional support
services within the Processor-Memory Module (PMM) of the FTEP system. The PIU's position within the
PMM structure is shown in Figure 1.1. A PMM, itself a single block within an FTEP Core, interconnects
three internal PMM subsystems: the local processors, the local memory, and the Core Bus (C_Bus)
interface.
The PMM processors (CPU0 and CPU1) are arranged in a cold-sparing configuration to enhance
long-life operation. Only one processor is active during a given mission, with the choice of active processor
determined during initialization. The spare processor is disabled by the PIU through assertion of the processor's
cpu_reset input. For the first implementation of the PMM, described in this report, Intel 80960MC
microprocessors are used for the local processors. They communicate with the PIU using the L_Bus bus protocol
of the 80960.
Processor programs and data are stored in local electrically-erasable programmable read-only memory
(EEPROM) and static random access memory (SRAM), respectively. Memory accesses are initiated by
either the local processor or an external block acting as C_Bus master. In either case the PIU provides the
memory interface. The features provided by the PIU include memory error correction, memory locking to
implement atomic read-modify-write operations, byte accesses, and block accesses of up to 64 words.
EEPROM and SRAM memory capacity in the first implementation is 1 MB (megabyte) of actual
information storage each, implemented within seven 256Kx8-bit memory chips each. A (7,4) Hamming code
provides single-bit error correction on memory reads.
The PIU also provides processor support features such as timers and interrupt control. Two 64-bit timers
can be set by the processor to provide either timekeeping or watchdog functions. Processor interrupts are
generated within the PIU under two conditions. One condition is a timer time-out; the other is a write
operation to a specially designated PIU register by either the local processor or C_Bus master.
The reset and clock signals shown at the top of Figure 1.1 are produced by the Fault-Tolerant Clock Unit
(FTCU), not shown here. The pmm_reset signal is sent only to the PIU to allow it greater control over the
local processors. For example, the PIU uses this signal to enter its initialization mode, during which it
activates the processor reset signals. All of the PIU input signals produced by the FTCU are synchronized with
those in the PIUs in redundant PMMs of a fault-tolerant FTEP core.
The structure of the PIU itself is shown in Figure 1.2. The Processor Port (P_Port), C_Bus Port
(C_Port), and Memory Port (M_Port) implement the communication protocols for the L_Bus, C_Bus, and
M_Bus, respectively. The M_Port also implements (7,4) Hamming encoding and decoding on writes and
reads, respectively, to the local memory, and the C_Port implements single-bit parity encoding and decoding
for C_Bus transfers.







Figure 1.1: Block Diagram of the Processor-Memory Module (PMM).
The Register Port (R_Port) is the fourth, and final, port residing on the PIU's Internal Bus (I_Bus). It
contains a state machine, counters, and various command and status registers used by the local processor to
implement timers and interrupts.
The Start-up Controller (SU_Cont) implements the PMM initialization sequence. After it has concluded
initialization, control is turned over to the other ports with the SU_Cont continuing operation in a
background mode. The SU_Cont is not physically located on the I_Bus; however, for convenience, we will
sometimes refer to it as one of the five PIU ports.
Behaviorally, the PIU functionality can be divided into four categories: (1) PMM initialization, (2)
local-processor memory accesses, (3) C_Bus memory accesses, and (4) timers and interrupts.
1.1.1 PMM Initialization
The PIU controls the PMM initialization sequence. After receiving a synchronous pmm_reset signal
from the FTCU, the PIU initiates the testing of the two local processors (or CPUs). Based on the test results,











Figure 1.2: Major Blocks of the Processor Interface Unit (PIU).
other CPU. During the initialization, the PIU also maintains the inter-PMM synchronization that is initially
established by the FTCUs.
The PIU initiates CPU self-test via the CPU reset signals that it controls. To begin the initialization
sequence, the PIU resets CPU0, which then goes through a two-phase (Intel 80960) testing process of its
own. In the first phase the CPU executes a 47,000-cycle self-test procedure; in the second phase the CPU
reads the first eight words of local memory (via the PIU) and performs a check-sum test. If either of these
tests fails, the CPU's failure0_ pin remains asserted; otherwise it is deasserted.
After the CPU self-test is completed, the CPU executes a software-based test using a program and the
prior-mission fault status stored in local memory. At preselected points in this program the CPU updates
PIU registers in a prespecified manner. At the end of this program, the PIU compares the modified PIU
register values against their expected values. This acceptance test is the final major test of CPU functionality
during initialization.
At the same time that CPU0 is being tested, the PIU isolates CPU1 by asserting its cpu1_reset input.
Once the testing of CPU0 is completed, the roles are reversed. After both CPUs have been tested, the PIU
selects one to be active for the upcoming mission. The selection algorithm makes use of the CPU failure
signal outputs and the acceptance-test results: if CPU0 is ok then it is selected, otherwise if CPU1 is ok then
it is selected, otherwise neither one is selected. Once the selection is made, the selected CPU is reset again
and begins normal operation. The PIU isolates the other CPU by keeping its reset active.
An important PIU requirement is to maintain clock-level synchronization between redundant PMMs,
yet accommodate possible nondeterminism within the PMM initialization sequences. Before the PMM
initialization begins, the redundant PMM clocks are synchronized by the FTCUs, and pmm_reset signals are
delivered to the PIUs synchronously across all PMMs. Synchronization is maintained by establishing
maximum time durations for each phase of the initialization and having each PMM use the entire duration. The
PIUs enforce these phase boundaries and thus guarantee that each PMM leaves its initialization on precisely
the same clock cycle.
1.1.2 CPU Accesses to Memory
The PIU controls CPU reads and writes to the local memory, the internal PIU registers, and global
memory.
1.1.2.1 To Local Memory
The PIU implements error-correction code (ECC) encoding and decoding and supports atomic memory
operations, byte accesses, and 2-, 3-, and 4-word block transfers.
On writes to the local memory, the PIU encodes the 32-bit data words using a single-error-correction
(7,4) Hamming code. The 56-bit encoded words are stored such that each 7-bit word (there are eight of
these) is spread among the seven 256Kx8-bit memory chips. On reads, the decoding process implemented
within the PIU masks all faults affecting one of the seven bits of each code word. Entire memory-chip
failures are thus handled.
Atomic memory accesses, the atomic add and atomic modify instructions of the Intel 80960 instruction
set, are supported by the PIU. During these operations the PIU prevents the C_Bus from gaining access to
the local memory. The PIU uses the lock signal provided by the CPU during these operations.
Byte accesses to the local memory are supported by the PIU. Reads are implemented in a
straightforward way. Writes are implemented using a read-modify-write operation that reencodes the entire 32-bit data
word.
Byte accesses of up to four words are also supported to implement cache refilling within the CPU.
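The local-memory encoding described above, as an added C model that is not code from the report: it bit-slices eight (7,4) Hamming codewords across seven byte-wide chips, decodes with single-error correction, and performs a byte write as a read-modify-write. The parity-bit positions inside a codeword, the mapping of nibbles and chips to bit positions, and all type and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* One memory address as seen across the seven x8 chips. */
typedef struct { uint8_t chip[7]; } mem_word;

/* Hamming(7,4) encode of one nibble. Assumed layout (not given in the report):
 * codeword positions 1..7 = p1 p2 d1 p3 d2 d3 d4, position i held in bit i-1. */
uint8_t ham74_encode(uint8_t n)
{
    uint8_t d1 = n & 1, d2 = (n >> 1) & 1, d3 = (n >> 2) & 1, d4 = (n >> 3) & 1;
    uint8_t p1 = d1 ^ d2 ^ d4;              /* covers positions 1,3,5,7 */
    uint8_t p2 = d1 ^ d3 ^ d4;              /* covers positions 2,3,6,7 */
    uint8_t p3 = d2 ^ d3 ^ d4;              /* covers positions 4,5,6,7 */
    return (uint8_t)(p1 | (p2 << 1) | (d1 << 2) | (p3 << 3) |
                     (d2 << 4) | (d3 << 5) | (d4 << 6));
}

/* Decode one codeword; the syndrome is the XOR of the positions of all set bits
 * and, when non-zero, names the position to flip. */
uint8_t ham74_decode(uint8_t cw, int *corrected)
{
    uint8_t syn = 0;
    for (int pos = 1; pos <= 7; pos++)
        if ((cw >> (pos - 1)) & 1)
            syn ^= (uint8_t)pos;
    if (syn)
        cw ^= (uint8_t)(1u << (syn - 1));
    if (corrected)
        *corrected = (syn != 0);
    return (uint8_t)(((cw >> 2) & 1) | (((cw >> 4) & 1) << 1) |
                     (((cw >> 5) & 1) << 2) | (((cw >> 6) & 1) << 3));
}

/* Assumed slicing: chip c stores bit c of every codeword; bit k of that chip's
 * byte belongs to codeword k (nibble k of the 32-bit word). */
mem_word piu_encode(uint32_t data)
{
    mem_word w = {{0}};
    for (int k = 0; k < 8; k++) {
        uint8_t cw = ham74_encode((uint8_t)((data >> (4 * k)) & 0xF));
        for (int c = 0; c < 7; c++)
            w.chip[c] |= (uint8_t)(((cw >> c) & 1) << k);
    }
    return w;
}

/* Returns the corrected word; *fixed gets one bit per codeword that was corrected. */
uint32_t piu_decode(const mem_word *w, unsigned *fixed)
{
    uint32_t data = 0;
    unsigned mask = 0;
    for (int k = 0; k < 8; k++) {
        uint8_t cw = 0;
        int corr = 0;
        for (int c = 0; c < 7; c++)
            cw |= (uint8_t)(((w->chip[c] >> k) & 1) << c);
        data |= (uint32_t)ham74_decode(cw, &corr) << (4 * k);
        if (corr)
            mask |= 1u << k;
    }
    if (fixed)
        *fixed = mask;
    return data;
}

/* Byte write as read-modify-write: decode (correcting), merge, re-encode all 32 bits. */
void piu_write_byte(mem_word *w, unsigned lane, uint8_t b)
{
    uint32_t word = piu_decode(w, NULL);
    word = (word & ~(0xFFu << (8 * lane))) | ((uint32_t)b << (8 * lane));
    *w = piu_encode(word);
}

int main(void)
{
    unsigned fixed;
    uint32_t got;
    mem_word w = piu_encode(0xDEADBEEFu);    /* constructed sample word */

    w.chip[3] ^= 0xFF;                       /* one whole chip returns bad data */
    got = piu_decode(&w, &fixed);
    printf("one chip bad : %08X, corrected mask %02X\n", (unsigned)got, fixed);

    w.chip[0] ^= 0xFF;                       /* a second chip fails as well */
    got = piu_decode(&w, &fixed);
    printf("two chips bad: %08X, corrected mask %02X\n", (unsigned)got, fixed);
    return 0;
}
```

With two failed chips every codeword carries a double error, which a single-error-correcting code miscorrects: the decoder returns wrong data and reports it as a successful correction.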
1.1.2.2 To Internal Register File
The PIU supports atomic accesses and 2-, 3-, and 4-word block transfers to and from its internal
registers within the R_Port. Byte accesses are not supported, nor is the data encoded before being stored. Table
1.1 shows the R_Port register definitions.
The Interrupt Control Register (ICR) supports memory-mapped interrupts to the local processor. The
register is divided into four fields. The first two contain the interrupt settings and mask bits for int0_, in bits
0 through 7 and 8 through 15, respectively. A logic-1 in both a set location and the associated mask location
signifies an active interrupt, which if enabled (external to the R_Port) will generate an active int0_ signal to
the processor. Bits 16 through 31 are used in a corresponding way for int3_.
The ICR contents are updated in two different ways. A write to register address 0 implements a
logical-AND operation on the new value and the old register contents, while a write to address 1 implements a
logical-OR operation. These two operations implement the resetting and setting of register bits, respectively. A
read to either of these addresses returns the current register value.
The General Control Register (GCR) and Communication Control Register (CCR) provide control bits
to the internal PIU and the C_Bus, respectively. The GCR bits include the start-up software counter enable
(used for the acceptance test discussed earlier), R_Port counter configuration control bits, and
parity-error-latch reset bits. The CCR contains the message header for the next C_Bus transaction. Either of these
registers can be written to or read from by the local processor.
The Status Register (SR) holds status information produced internally to the PIU. This includes
start-up error-detection status, local-memory and C_Bus error-detection status, start-up controller state, and the
last C_Bus slave-status report. This register is read-only.
Register addresses 8 through 11 are used to load new counter values to the 32-bit counters 0 through 3,
respectively. These load values can be read by the local processor using the same addresses. Register
addresses 12 through 15 are read-only locations containing the current value of the four counters.
The four counters are combined to form two 64-bit counters which can be configured in a variety of
ways via control bits in the GCR. The choices include enabled vs. disabled counting, enabled vs. disabled
interrupting on overflow, and reloading vs. count-continuation on overflow. Counters 0 and 1 together
support timer interrupts using the int1 interrupt line; counters 2 and 3 use int2.
Table 1.1: R_Port Register Definitions.
Register Address    Contents
0                   Interrupt Control Register (ICR) reset
1                   ICR set
2                   General Control Register (GCR)
3                   Communication Control Register (CCR)
4                   Status Register (SR)
8                   Counter 0 in
9                   Counter 1 in
10                  Counter 2 in
11                  Counter 3 in
12                  Counter 0 out
13                  Counter 1 out
14                  Counter 2 out
15                  Counter 3 out
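The register behaviour described in this subsection and in Table 1.1, as an added C model that is not code from the report: AND-on-write at address 0, OR-on-write at address 1, read-only status and counter-output locations, and the set-and-mask rule for an active interrupt. Rejecting writes to read-only or unlisted addresses, and placing the int3_ set and mask fields at bits 16-23 and 24-31, are assumptions; the type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Register addresses from Table 1.1. */
enum { ICR_RESET = 0, ICR_SET = 1, GCR = 2, CCR = 3, SR = 4 };

typedef struct {
    uint32_t icr, gcr, ccr, sr;
    uint32_t ctr_in[4];    /* load values, addresses 8..11                */
    uint32_t ctr_out[4];   /* current counts, addresses 12..15, read-only */
} rport_t;

/* Bus write. Returns 0 if accepted, -1 if the address is read-only or not
 * listed in Table 1.1 (assumed behaviour: the write is dropped). */
int rport_write(rport_t *r, unsigned addr, uint32_t v)
{
    switch (addr) {
    case ICR_RESET: r->icr &= v; return 0;   /* 0 bits in v clear ICR bits */
    case ICR_SET:   r->icr |= v; return 0;   /* 1 bits in v set ICR bits   */
    case GCR:       r->gcr = v;  return 0;
    case CCR:       r->ccr = v;  return 0;
    case 8: case 9: case 10: case 11:
        r->ctr_in[addr - 8] = v;
        return 0;
    default:
        return -1;                           /* SR, counter outputs, unlisted */
    }
}

/* Bus read. Addresses 0 and 1 both return the current ICR value. */
int rport_read(const rport_t *r, unsigned addr, uint32_t *out)
{
    switch (addr) {
    case ICR_RESET: case ICR_SET: *out = r->icr; return 0;
    case GCR: *out = r->gcr; return 0;
    case CCR: *out = r->ccr; return 0;
    case SR:  *out = r->sr;  return 0;
    case 8: case 9: case 10: case 11:
        *out = r->ctr_in[addr - 8];
        return 0;
    case 12: case 13: case 14: case 15:
        *out = r->ctr_out[addr - 12];
        return 0;
    default:
        return -1;
    }
}

/* Active sources for one interrupt line: a source is active only when both its
 * set bit and its mask bit are 1. upper == 0 selects the int0_ fields
 * (bits 0-7 set, 8-15 mask); upper != 0 selects the int3_ fields (assumed to be
 * bits 16-23 set, 24-31 mask). */
uint8_t icr_active(uint32_t icr, int upper)
{
    uint32_t half = upper ? (icr >> 16) : icr;
    return (uint8_t)(half & (half >> 8));
}

int main(void)
{
    rport_t r = {0};

    rport_write(&r, ICR_SET, 0x0000FF00u);      /* unmask all int0_ sources    */
    rport_write(&r, ICR_SET, 0x00000004u);      /* raise int0_ source 2        */
    printf("int0_ active sources: %02X\n", (unsigned)icr_active(r.icr, 0));

    /* Acknowledge source 2 with one write: every bit except bit 2 is 1, so no
     * other set or mask bit is disturbed and no prior read is needed. */
    rport_write(&r, ICR_RESET, ~0x00000004u);
    printf("after reset write   : %02X\n", (unsigned)icr_active(r.icr, 0));

    printf("write to SR accepted: %s\n",
           rport_write(&r, SR, 0xFFFFFFFFu) == 0 ? "yes" : "no");
    return 0;
}
```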
1.1.2.3 To the C_Bus
The upper 2 GB (gigabytes) of the CPU address space is reserved for external memory and input/output
(I/O). The PIU routes CPU memory accesses at these addresses to the C_Bus. It implements the C_Bus
protocol, parity encoding and decoding of data, and support for atomic memory operations, byte transfers, and
2-, 3-, and 4-word block transfers.
The PIU implements the C_Bus communication protocol. This includes all arbitration actions and
necessary handshaking.
On writes to the C_Bus the PIU encodes each byte of data using a single-error-detection parity code.
Data arriving over the C_Bus is likewise decoded.
Atomic memory operations are supported by the PIU. Once the PIU acquires the C_Bus it doesn't
relinquish it until the atomic operation is completed. The PIU again makes use of the CPU lock signal to know
when to do this.
Byte transfers and 2-, 3-, and 4-word transfers are handled in a straightforward manner.
1.1.3 C_Bus Accesses to Memory
The PIU controls C_Bus reads and writes to local memory and the PIU register file. All of the support
features described earlier for the CPU-initiated transfers are supported here as well. The C_Bus (i.e., the
processing unit of an external block) has priority over the CPU for local memory accesses. The PIU holds
off the local CPU using the CPU hold_ input signal. The PIU supports block transfers as large as 64 words
over the C_Bus.
1.1.4 Timers and Interrupts
As explained above, the PIU contains two 64-bit counters and an interrupt control register. The counters
can be used to implement timed interrupts as well as a real-time clock. The timed interrupts can be pro-
grammed to provide either a single-shot interrupt or repeated, periodic interrupts.
The interrupt register is a memory-mapped register used to implement 16 possible interrupts. These
interrupts can be initiated by either the active local processor or an external C_Bus master.
1.2 Specification Overview
Figure 1.3 shows the specification hierarchy developed for the PIU. In constructing this hierarchy much
emphasis was placed on maintaining compatibility with existing formal specification methods, particularly
the generic interpreter theory described in Section 2. The resulting hierarchy reflects this emphasis, partic-
ularly in the lower levels where many of the techniques described in [Win90] are used.
Consistent with established hierarchical specification methods, the levels in the hierarchy of Figure 1.3
are abstractions of the levels below them. Four types of abstraction are used here. Temporal abstraction
relates time at a particular level to the time at lower levels; each unit of time at the higher level corresponds
to multiple time units at the lower level. Data abstraction relates the states of two levels, with the higher
level state being a function (typically a subset) of the state at the lower level. In behavioral abstraction, a
structural description at the lower level, defined using the physical interconnection of components or sub-
systems, is replaced by a purely behavioral description at the higher level. Structural abstraction (or com-
position) combines subsystems defined at one level to form a higher level.
At the bottom of the PIU specification hierarchy is the gate-level description. This is a structural
description derived from the lowest-level detailed design developed by the PIU design team. The chip lay-
out is obtained directly from this level using silicon compilation techniques that are not within the scope of
the specification and subsequent verification tasks. Components at the gate level include individual logic
gates, latches, counters, and finite-state machines. This level is comparable to the electronic block model
(EBM) level of [Win90].
The phase-level behavioral description for each of the five PIU ports is a behavioral abstraction of each
corresponding gate level. This level is comparable to the phase level used in [Win90]. The specification at
this level consists of an instruction set containing two instructions, one for phase A and one for phase B,
defining the state transition and outputs generated during each phase.
The clock-level behavioral description for the PIU ports uses a time interval of an entire clock period
rather than a single phase (temporal abstraction), and the state is a subset of the phase-level state (data
abstraction). Only a single instruction is defined for each port, specifying the state change and outputs of the
port occurring during its execution. This level is comparable to the microinstruction level of [Win90] and

Figure 1.3: PIU Specification Hierarchy.

The port-level structure is a structural composition of the five individual clock-level port specifications.
The port composition is based on the established method of forming a logical conjunction of the individual
port descriptions.
The clock-level behavioral description for the PIU is a behavioral abstraction of the structural descrip-
tion at the PIU port level, providing a clock-level description for the entire chip. This level is comparable to
the microinstruction level referred to above, an important difference being in the approach to instruction
decoding: here no decoding is used, resulting in a single instruction compared to the many microinstruc-
tions in [Win90], for example.
The transaction-style behavioral description is the topmost level in the PIU hierarchy providing a con-
cise and easy-to-understand definition of PIU behavior. Whereas the lower five levels of the hierarchy rep-
resent the PIU design and were developed bottom-up, the transaction level specifies the PIU requirements.
In this role as human interface the transaction level must address modeling problems not faced at the lower
levels.
Three important problems unique to the transaction level are: (1) independently-initiated concurrent
behavior, (2) multiple sequential outputs, and (3) shared state. Because of these, hardware modeling
approaches used within the HOL community to date are inadequate for transaction-level modeling. Section
4 describes these problems in more detail and explains our progress in developing a transaction-level model
suitable for the PIU.
2 Generic Interpreter Theory
This section describes the generic interpreter theory used to model portions of the PIU. The work
described in this section grew out of efforts to model microprocessors and thus the model discusses micro-
processor specification and verification heavily. We have discovered that the model is useful for describing
other hardware devices as well, and, in particular, we have found it to be well-suited for specifying the PIU
design. The generic interpreter theory is described more fully in [Win90].
2.1 Introduction.
The formal specification and verification of microprocessors has received much attention. Indeed, sev-
eral verified microprocessors have been presented in the literature. This section presents an abstract model
that describes a large class of hardware devices, including microprocessors and other devices with a single
major control point. The model is called a generic interpreter and the theory contains important theorems
about it.
We have formalized the interpreter model in the HOL theorem proving system [Gor88,Gog88]. The for-
mal model can be instantiated inside the system and serves as a framework for writing device specifications
and verifying them. This framework clearly states what definitions must be made to specify the device and
which lemmas must be established to complete the verification. After the user has defined the components
of the hardware device model and proven the necessary lemmas about them, individual theorems from the
abstract theory can be instantiated to provide concrete theorems about the actual device being verified.
The model that we have defined has proven useful in specifying and verifying several microprocessors
[Win90,Aro90]. The model is not, however, limited to microprocessors only. Recent work has shown that
the model can be used in specifying other hardware devices as well [Win91]. Because the model was orig-
inally developed for microprocessor modeling, however, much of the terminology in the model (e.g.,
instruction set) is influenced by microprocessor terminology. We have kept it even though more general ter-
minology might be better in some cases.
The model we have defined differs from other formal descriptions of state machines (such as Loewen-
stein's model in [Low89]) by including the data and temporal abstractions that are important in specifying
and verifying microprocessors in the formalization.
2.2 Formal Microprocessor Modeling.
There have been numerous efforts to formally model microprocessors. At the time this project was
begun the best known of these included Jeff Joyce's Tamarack microprocessor [Joy89], Warren Hunt's
FM8501 and FM9001 microprocessors [Hun87, Hun92], and Avra Cohn's verification of VIPER [Coh88].
Tamarack is a simple microprocessor with only 8 instructions. FM8501 is larger (roughly the size of a PDP-
11), but has not been implemented; FM9001 is a 32-bit version that is being verified and implemented.
VIPER is the first microprocessor intended for commercial use where formal verification was used. How-
ever, the verification has not been completed because of the large case explosion that occurred and the size
of the proofs in each of the cases. Recent work on hierarchical specification [Win88], coupled with the work
presented here, has overcome this problem; microprocessors significantly more complicated than VIPER
are now within the realm of formal treatment.
2.2.1 Microprocessor Specification.
The specifications for the microprocessors mentioned above appear very different on the surface; in fact,
the specifications of FM8501 and FM9001 are even in a different language. On closer inspection, however,
each uses the same implicit behavioral model. In general, the model uses a state transition system to describe
the microprocessor. A microprocessor specification has four important parts:
1. A representation of the state, S.
2. A set of state transition functions, J, denoting the behavior of the individual instructions of the micro-
processor. Each of these functions takes the state defined in step (1) as an argument and returns the state
updated in some meaningful way.
3. A selection function, N, that selects a function from the set J according to the current state.
4. A predicate, I, relating the state at time t+1 to the state at time t by means of J and N.
In some cases, the individual state transition functions, J, and the selection function, N, are combined
to form one large state transition function. Also, a functional specification would use a function for part (4)
instead of a predicate. The general form, however, is the same.
2.2.2 Microprocessor Verification.
Just as most microprocessor specifications are similar, so too are their verifications. After the micropro-
cessor has been specified, we can verify that a machine description, M, implements the specification, I, for
some state, s, by showing:
∀s ∈ S. (M(s) ⇒ I(s))
That is, we show that I has the same effect on the state, s, as M does. This theorem is typically shown by
case analysis on the instructions in J by establishing the following lemma:
∀(j ∈ J). M(s) ⇒ (∀t. C(j,s,t) ⇒ (s(t + n_j) = j(s(t))))
where C is a predicate expressing the conditions for instruction j's selection, s(t) is the state at time t, and n_j
is the number of cycles that it takes to execute j. This lemma says that if an instruction j is selected, then
applying j to the current state yields the state that results by letting the implementing interpreter M run for
n_j cycles. We call this lemma the instruction correctness lemma.
2.3 A Formal Model of Interpreters.
An interpreter is a computing structure with one control point. One of the many available instructions
is chosen at this control point based on the current state and inputs. The state is then processed by this
instruction and the cycle begins again.
In general, a microprocessor specification can consist of many abstraction levels. Every level except the
bottom specification (which is the structural specification) can be modeled as an interpreter. A hierarchical
approach to specification and verification has been shown to significantly reduce the amount of effort
required to complete the verification of a microprocessor [Win88].
Figure 2.1 shows a generalized hierarchy of interpreters. Note that each communicates with the state
and environment, although most interpreters see only an abstraction of the state. An interpreter sends
instructions to the interpreter below it and communicates (mostly timing) information to the interpreter
above it.
2.3.1 Abstract Theories.
A theory is a set of types, definitions, constants, axioms and parent theories. Logics are extended "by

Figure 2.1: A Hierarchy of Interpreters.

in the theory are undefined inside the theory except for their syntax and a loose algebraic specification of
their semantics. Group theory is an example of an abstract theory. The multiplication operator is undefined
except for its syntax (a binary operator on type ":group") and a loose semantics given by the axioms of group
theory.
Abstract theories are useful because they provide proofs about abstract structures that can be used to
reason about specific instances of the structure. In groups, for example, after showing that addition over the
integers satisfies the axioms of group theory, we can use the theorems from group theory to reason about
addition on the integers.
An abstract theory consists of three parts:
1. An abstract representation of the uninterpreted constants and types in the theory. The abstract repre-
sentation contains a set of abstract operations and a set of abstract objects. (These are sometimes called
uninterpreted constants and uninterpreted types.)
2. A set of theory obligations defining relationships between members of the abstract representation. Inside
the theory, the obligations represent axiomatic knowledge concerning the abstract representation. Out-
side the theory, the obligations represent the criteria that a concrete representation must meet if it is to
be used to instantiate the abstract theory.
3. A collection of abstract theorems. The theorems are generally based on the theory obligations and can
stand alone only after the theory obligations have been met.
To instantiate an abstract theory, the concrete representation must meet the syntactic requirements of the
abstract representation as well as the semantic requirements of the theory obligations. If the syntactic and
semantic requirements are met, then the instantiation provides a collection of concrete theorems about the
new representation.
There are several specification and verification systems that support abstract theories. Some, such as
OBJ [Gog88] and EHDM [SRI88], offer explicit support. HOL, the verification environment used for the
research reported here, does not explicitly support abstract theories; however, HOL's metalanguage, ML,
combined with higher-order logic, provides a framework for implementing abstract theories [Win90a] in a
manner that does not degrade the trustworthiness of the theorem prover.
2.3.2 Temporal Abstraction
Before we can discuss the formal model, we must describe the temporal abstraction that it uses. The
development follows that of [Joy89,Mel88,Her88].
In general, different levels in the interpreter hierarchy will have different views of time. We use tempo-
ral abstraction to produce a function that maps time at one level to time at another. Figure 2.2 shows a tem-
poral abstraction function F. The circles represent clock ticks. The number of clock ticks required at the
implementing level to produce one clock tick at the implemented level is irregular.
The predicate, G, is true whenever there is a valid abstraction from the lower level to the upper level.
We can define a generic temporal abstraction function in terms of G. In a microprocessor specification, G is
usually a predicate indicating when the lower level interpreter is at the beginning of its cycle -- a condition
that is easy to test.
We will use a function Temp_Abs as our temporal abstraction function. The function is defined recur-
sively so that (Temp_Abs g 0) is the first time that the predicate g is true and (Temp_Abs g (n+1)) is the next
time after time n when g is true. We will not develop the details of the temporal abstraction function here,
but refer the interested reader to the references given above and [Win90].
2.3.3 The Abstract Representation
We specify the abstract representation by defining a list of abstract objects and operations. Table 2.1
shows the operations and their types. We must emphasize that the representation is abstract and, therefore,
the objects and operations have no definitions. The descriptions that follow are what we intend for the rep-
resentation to mean. The representation is purely syntactic, however.
The following abstract types are used in the representation.
• :*state represents the state.
• :*env represents the environment.
• :*out represents the outputs.
• :*key is a type containing all of the keys. Keys are used to select instructions. For example, the opcodes
form the keys in the top-level specification of a microprocessor.

Figure 2.2: The Temporal Abstraction Functions F and G.

Table 2.1: The abstract functions and their types for the generic interpreter model.
Operation      Type
instructions   ":*key->(*state->*env->*state)"
select         ":*state->*env->*key"
output         ":*key->(*state->*env->*out)"
substate       ":*state'->*state"
subenv         ":*env'->*env"
subout         ":*out'->*out"
Impl           ":(time'->*state')->(time'->*env')->bool"
count          ":*state'->*env'->*key'"
start          ":*key'"
We add primes to the types to indicate that they represent state, time, etc. at the implementing rather than
the implemented level of the hierarchy.
The abstract representation can be broken into two parts. The first contains those operations concerned
with the interpreter.
• instructions is the instruction set. The set is represented by a function from a key to a state transition
function.
• select picks a key based on the present state and environment.
• output is a set of output functions. The set is represented by a function from a key to a function that pro-
duces output for a given state and environment.
• substate is the state abstraction function for the interpreter. The substate function is used to hide the vis-
ible state in the interpreter.
• subenv is the environment abstraction.
• subout is the output abstraction.
Because we want to prove correctness results about the interpreter, we must have an implementation.
The second part of the abstract representation contains three functions that provide the necessary abstract
definitions for the implementation.
• Impl is the abstract implementation. We could have chosen to make this function more concrete, but do-
ing so would have required that every implementation have some pre-chosen structure. Thus, we say
nothing about it except to define its type.
• count is analogous to select except it operates at the implementing level.
• start denotes the beginning of the implementation clock cycle.
We will ensure that count periodically reaches start as part of the synchronization process.
2.3.4 The Theory Obligations
Proving that the implementation implies the interpreter definition is typically done by case analysis on
the instructions; we show that when the conditions for an instruction's selection are right, the instruction is
implied by the implementation. We call this the instruction correctness lemma.
The predicate INSTRUCTION_CORRECT expresses the conditions that we require in the instruction
correctness lemma: 1
|-def INSTRUCTION_CORRECT gi s' e' inst =
  (Impl gi s' e') ==>
  (!t:time'.
    let s t = (substate gi (s' t)) in
    let e t = (subenv gi (e' t)) in
    let f t = (count gi (s' t) (e' t) = (start gi)) in
    let k = (select gi (s t) (e t)) in
    ((inst = (instructions gi k)) ∧ (f t) ==>
      ?c. Next f (t, t+c) ∧ (inst (s t) (e t) = (s (t+c)))))
INSTRUCTION_CORRECT operates on a single instruction inst. The implementation implies that for
every time, t, if inst is selected and the implementation's counter is at the beginning, then there is a time c
cycles in the future such that applying the instruction to the current state yields the same state change that
the implementation does in c cycles.
INSTRUCTION_CORRECT is a good example of the kind of information that is captured in the generic
model. Previous microprocessor verifications created this lemma, or one similar to it, in a largely ad hoc
manner.
Because our model has outputs as well as inputs (the environment), we must also assume something
about the output in order to establish correctness. The predicate OUTPUT_CORRECT expresses the condi-
tions that we require in the output correctness lemma:
|-def OUTPUT_CORRECT gi s' e' p' k =
  (Impl gi s' e' p') ==>
  (!t:time'.
    let s t = (substate gi (s' t)) in
    let e t = (subenv gi (e' t)) in
    let p t = (subout gi (p' t)) in
    let f t = (count gi (s' t) (e' t) = (start gi)) in
    ((count gi (s' t) (e' t) = (start gi)) ∧
     (select gi (s t) (e t) = k) ==>
       (p t = (output gi k) (s t) (e t))))
1. The HOL code in this report is shown using the HOL convention of representing universal quantification,
existential quantification, implication, conjunction, disjunction, and negation by the symbols !, ?, ==>, ∧, ∨,
and ~, respectively. The form "e1 => e2 | e3" represents "if e1 then e2 else e3."
Using INSTRUCTION_CORRECT and OUTPUT_CORRECT we can define the theory obligations in our
model. The theory obligations are given as a predicate on an abstract representation gi:
|-def GI gi =
  (!s' e' p' k. INSTRUCTION_CORRECT gi s' e' p' k) ∧
  (!s' e' p' k. OUTPUT_CORRECT gi s' e' p' k)
The predicate says that every instruction in the instruction set satisfies the predicate INSTRUCTION_CORRECT
and every output function satisfies the conditions set forth in OUTPUT_CORRECT.
2.3.5 Abstract Theorems
Using the abstract representation and the theory obligations, many useful theorems pertaining to inter-
preters can be established on the generic structure.
2.3.5.1 Defining the Interpreter
One of the important parts of the collection of abstract theorems is the definition of a generic interpreter.
The definition is based on functions from the abstract representation.
|-def INTERP gi s e p =
  !t:time.
    let k = (select gi (s t) (e t)) in
    (s (t+1) = (instructions gi k) (s t) (e t)) ∧
    (p t = (output gi k) (s t) (e t))
The specification of an interpreter is a predicate relating the contents of the state stream at time t+1 to the
contents of the state stream at time t. The relationship is defined using the functions from the abstract rep-
resentation. The definition also uses the currently selected output function to denote the current output.
2.3.5.2 Induction on Interpreters
The definition of the interpreter sets up a relation between the state at t and t+1. Sometimes it is useful
to have a more explicit statement regarding induction. The following theorem, which follows from the def-
inition of the interpreter given in Section 2.3.5.1, defines induction on an interpreter:
|- !Q. INTERP gi s e p ==>
  (Q (s 0) ∧
   !t. let inst = (instructions gi (select gi (s t) (e t))) in
       Q (s t) ==> Q (inst (s t) (e t))) ==>
  !t. Q (s t)
The theorem states that for any arbitrary predicate on states, Q, if Q is true of the state at time 0, and when
Q is true of the state at time t, it follows that it's also true of the state returned by the current instruction,
then Q is true of every state.
We note that even though this theorem looks fairly simple, and indeed is quite easy to show in the
generic theory, the theorem will eventually be instantiated with the entire denotational description of the
semantics of a particular instruction set and will be quite involved. The same admonition holds for each of
the theorems and definitions presented in this section.
15
2.3.5.3 The Implementation is Live
Using the theory obligations, we can prove that the implementation is live. By live we mean that if the
implementation starts at the beginning of its cycle, then there is a time in the future when the implementation
will be at the beginning of its cycle again. That is, we show that the device will not go into an infinite loop.
|- Impl gi s' e' ==>
  (!t. (count gi (s' t) (e' t) = start gi) ==>
    (?n. Next (λt. count gi (s' t) (e' t) = start gi) (t, t+n)))
Next P (t1, t2) says that t2 is the next time after t1 when P is true.
2.3.5.4 The Correctness Statement
The correctness result can be proven from the definition of the interpreter and the theory obligations:
|- let s t = (substate gi (s' t)) and
       e t = (subenv gi (e' t)) and
       p t = (subout gi (p' t)) and
       f t = (count gi (s' t) (e' t) = (start gi)) in
   let abs = (Temp_ABS f) in
   (Impl gi s' e' p') ∧
   (?t. f t) ==>
   (INTERP gi) (s o abs) (e o abs) (p o abs)
In the correctness statement, s', e', and p' are the state, environment, and output streams in the imple-
mentation. The terms (s o abs), (e o abs), and (p o abs) are the state, environment, and output streams for
the interpreter defined in the model. They are data and temporal abstractions of s', e', and p'. The correctness
statement says that if the implementation is valid on its state, environment, and output streams and there is




In [Win88], we show that hierarchical decomposition makes the verification of large microprocessors
practical. To support this decomposition, the generic interpreter model contains a theorem about composing
generic interpreters hierarchically.
|- (INTERP gi1 = Impl gi2) ∧
   (select gi1 = count gi2) ==>
   !(s":time->*state") (e":time->*env") (p":time->*out").
   let s' t = (substate gi1 (s" t)) and
       e' t = (subenv gi1 (e" t)) and
       p' t = (subout gi1 (p" t)) and
       f t = (count gi1 (s" t) (e" t) = start gi1) in
   let s t = (substate gi2 (s' t)) and
       e t = (subenv gi2 (e' t)) and
       p t = (subout gi2 (p' t)) and
       g t = (select gi1 (s' t) (e' t) = start gi2) in
   let abs1 = (Temp_ABS f) in
   let abs2 = abs1 o (Temp_ABS (g o abs1)) in
   (Impl gi1 s" e" p") ∧
   (?t. f t) ==>
   (?t. (g o abs1) t) ==>
   INTERP gi2 (s o abs2) (e o abs2) (p o abs2)
This theorem states that if gi1 and gi2 are generic interpreters and they are connected such that the inter-
preter definition of gi1 is the implementation of gi2, then the implementation of gi1 implies the interpret-
er definition of gi2.
This important theorem captures the temporal and data abstraction required to compose two interpreters.
This theorem is a good example of the utility of abstract theories in hardware verification. This theorem is
tedious to prove and were it not contained in the abstract theory, it would have to be proven numerous times
in the course of a single microprocessor verification.
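The definitions of Sections 2.3.2 through 2.3.5.4 can be exercised on a bounded trace. The following Python model is an added example, not part of the report or its HOL theories: the toy accumulator machine, its opcodes, cycle counts and the latch flag are assumptions made for illustration, subenv and subout are taken to be the identity, and a finite trace stands in for the infinite streams.

```python
MASK = 0xFF

# Implemented level (hypothetical toy machine): the state is an 8-bit
# accumulator, the environment is (opcode, operand), the key is the opcode.
INSTRUCTIONS = {                  # instructions : key -> (state -> env -> state)
    "NOP": lambda s, e: s,
    "ADD": lambda s, e: (s + e[1]) & MASK,
    "DBL": lambda s, e: (2 * s) & MASK,
}
OUTPUT = {k: (lambda s, e: s == 0) for k in INSTRUCTIONS}   # zero flag

def select(s, e):                 # select : state -> env -> key
    return e[0]

# Implementing level: state' = (acc, cnt, op, arg), where cnt counts the
# clock cycles left in the current instruction. subenv/subout are identity.
CYCLES = {"NOP": 1, "ADD": 2, "DBL": 3}
START = 0                         # start : key'

def count(s1, e1):                # count : state' -> env' -> key'
    return s1[1]

def substate(s1):                 # substate : state' -> state
    return s1[0]

def impl_step(s1, e1, latch=True):
    """One clock cycle of the implementation.

    latch=False models a design error: the operand is taken from the live
    input when the result is committed instead of from the latched copy."""
    acc, cnt, op, arg = s1
    if cnt == START:              # beginning of the cycle: latch the request
        op, arg = e1
        cnt = CYCLES[op]
    cnt -= 1
    if cnt == START:              # last cycle: commit the result
        acc = INSTRUCTIONS[op](acc, (op, arg if latch else e1[1]))
    return (acc, cnt, op, arg)

def run_impl(env1, latch=True):
    """Return the implementation streams (s', p') for the input stream e'."""
    s1 = [(0, START, "NOP", 0)]
    for e1 in env1[:-1]:
        s1.append(impl_step(s1[-1], e1, latch))
    return s1, [s[0] == 0 for s in s1]

def temp_abs(g, n, horizon):
    """Temp_Abs g 0 is the first time g holds; Temp_Abs g (n+1) is the next
    time after Temp_Abs g n at which g holds (None if beyond the trace)."""
    prev = -1 if n == 0 else temp_abs(g, n - 1, horizon)
    if prev is None:
        return None
    return next((t for t in range(prev + 1, horizon) if g(t)), None)

def abstract(env1, latch=True):
    """Data and temporal abstraction: (ticks, s o abs, e o abs, p o abs)."""
    s1, p1 = run_impl(env1, latch)
    f = lambda t: count(s1[t], env1[t]) == START
    ticks, n = [], 0
    while True:
        t = temp_abs(f, n, len(s1))
        if t is None:
            break
        ticks.append(t)
        n += 1
    return (ticks, [substate(s1[t]) for t in ticks],
            [env1[t] for t in ticks], [p1[t] for t in ticks])

def first_interp_violation(env1, latch=True):
    """Check INTERP on the abstracted streams; return the first abstract time
    at which it fails, or None if it holds for the whole trace."""
    ticks, s, e, p = abstract(env1, latch)
    for t in range(len(ticks) - 1):
        k = select(s[t], e[t])
        if (s[t + 1] != INSTRUCTIONS[k](s[t], e[t])
                or p[t] != OUTPUT[k](s[t], e[t])):
            return t
    return None

# Constructed input stream; the environment changes while an instruction runs.
SAMPLE_ENV = [("ADD", 5), ("NOP", 0), ("DBL", 0), ("ADD", 9),
              ("NOP", 0), ("NOP", 0), ("ADD", 1), ("NOP", 0)]

if __name__ == "__main__":
    print("abstraction times  :", abstract(SAMPLE_ENV)[0])
    print("correct design     :", first_interp_violation(SAMPLE_ENV))
    print("operand not latched:", first_interp_violation(SAMPLE_ENV, latch=False))
```

The abstraction times are irregularly spaced because the opcodes take different cycle counts, and the unlatched variant fails INTERP at the first ADD because the input changes between the start and the commit cycle.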
2.4 Parallel Composition
Our eventual goal is to use the work that is described in Section 4 to show how a set of interpreters can
be composed with each other in parallel. This goal is significantly different from the theorem described in
Section 2.3.5.5. In hierarchical composition, the implementation of one interpreter model is the interpreter
from the other. In parallel composition, the two interpreters share a behavioral specification (i.e., interpreter
definition), and the implementation is two or more interpreters linked together. The interpreters can be
linked by shared state, common input, common output, and connections between the interpreters' inputs and
outputs.
Undoubtedly, as our theory of composition matures, the generic interpreter theory will change. The
advantage of generic theories is that these changes can be made more easily in the generic theory than they
can in a specific definition of a VLSI device.
2.5 Conclusion
This section has described the generic interpreter model. The theory isolates the temporal and data
abstractions of the proof inside the abstract theory. The theory also contains several important theorems
about the abstract representation. These theorems are true of every instantiation of the abstract representa-
tion that meets the theory obligations.
The theory has many important benefits:
• The generic model structures the proof by stating explicitly which definitions must be made (one for each
of the members of the abstract representation) and which lemmas need to be proven about these defini-
tions (namely, the theory obligation). This is a substantial improvement over previous microprocessor
verifications where these decisions were made on an ad hoc basis.
• The generic model insulates users of the model from complex proofs about the data and temporal ab-
stractions. These proofs are done once and then made available to the user by instantiation.
• The use of a generic interpreter model for specifying and verifying microprocessors provides a method-
ological approach. Making specification and verification methodological is an important step in turning
what has been primarily a research activity into an engineering activity.
3 Design Specification
This section describes the lower five levels of the PIU specification hierarchy (Figure 1.3), which con-
stitute the design specification. The discussion proceeds bottom-up, beginning with the gate-level specifi-
cation of individual ports and finishing up with the clock-level specification for the entire PIU.
The gate-level specification, described in Section 3.1, corresponds to the lowest-level design imple-
mented by the PIU design team. Below this level a silicon compiler provides the translation to the mask lay-
out used for chip fabrication. The specification effort described in this report is not concerned with this
translation, which currently falls within the domain of the tool vendor -- Mentor Graphics Corporation.
A set of detailed-design schematics was produced by the design team as part of the design process.
Unfortunately they are not suitable for this report because, in printed form, many are too small to be under-
stood. Because of this we created our own set of schematics, included in Section 3.1, to accompany the HOL
specifications located within the appendices. These schematics are provided as aids to understanding only,
since, due to time constraints in developing them, they are not complete nor are they fully accurate.
Sections 3.2 through 3.5 describe, in order, the phase-level specifications for the five ports, the clock-
level specifications for the five ports, the port-level structural specification, and the clock-level specification
for the entire PIU.
3.1 Gate-Level Structure
The gate-level specifications for the five PIU ports use the structural definition style described in
[Gor86] and in use throughout the HOL community. Within each port, each component, or block, has its
behavior specified in the form of a predicate; in essence, the block behavior is defined to be the relationship
between inputs, outputs, and internal states that results in the predicate's being true. The behavior of the
composition of these blocks is defined as the logical conjunction of the individual block predicates. Exis-
tentially quantified variables are used for the block interconnections internal to the port-level composition.
The gate-level specification for the PIU is much too unwieldy for a detailed coverage in these pages.
This section therefore provides only a high-level explanation of the PIU's operation and the HOL models
that represent it. References will be made to the appropriate sections of the appendices for the full details.
We begin in Section 3.1.1 with a description of the components used in the PIU design. Fortunately, the
design uses only a small subset of the component types available in the silicon compiler library, ranging in
complexity from individual logic gates to medium-scale integration (MSI) datapath elements and finite-state
machines. Section 3.1.2 explains how the components are combined to form the five PIU ports.
3.1.1 Component Descriptions
The HOL models for elementary logic gates follow closely the previous work in this area and we say
little about this subject. Modeling sequential logic is more interesting however: Previous sequential models
generally depict even the most elementary components as edge-sensitive devices -- a flip-flop perspective.
However, in the design tool used for the PIU, the elementary sequential component is not edge-sensitive,
but rather the level-sensitive latch. Flip-flops are higher order components, consisting of two or more
latches. As explained below, the level-sensitive components used in the PIU require a different modeling
approach.
3.1.1.1 Combinational Logic
The PIU specification requires only a few inverters, AND and OR gates, and buffers from the compo-
nent library. The specification style used for these components follows that of earlier work and is demon-
strated in the AND-gate definition shown here. The theory gates_def in Appendix A contains the complete
HOL source for these components.
|- AND3_SPEC a b c z = ∀ t:time. z t = (a t) ∧ (b t) ∧ (c t)
3.1.1.2 Latches
The HOL definitions for the latches used in the PIU design are contained in the theory latches_def in
Appendix A. In this section we describe the modeling of a simple D latch as an explanation of the HOL
models.
The following definition of a D latch demonstrates the specification style that we use for PIU latches.
This specification states that the next state q_state (t+1) equals the input d_in t if the clock clk_in t is active,
otherwise it equals its current value q_state t. The latch output q_out t equals the new state.
DLAT_SPEC d_in clk_in q_state q_out =
  ∀ t:time.
    (q_state (t+1) = (clk_in t) => d_in t | q_state t) ∧
    (q_out t = q_state (t+1))
Latch behavior is being expressed here as a finite-state machine (FSM), using both a next-state function
and an output function. Previous latch models in HOL, where the next-state function was also used for out-
puts, failed to faithfully represent true latch behavior. To demonstrate why this is true, Figure 3.1(a) shows
an example circuit where two latches, in series, are clocked with the same phase of the system clock. To our
knowledge, scenarios such as this have not been considered in prior verification work; however, we cannot
dismiss them since they occur within the PIU design. Actually, such combinations might be expected in any
standard-cell approach to chip design where designers work with predefined cells containing a multitude of
latches in fixed locations. There are places in the PIU design, for example, where avoiding these combina-
tions would actually require a more complicated design.
The circuit in Figure 3.1(a) would be incorrectly modeled if latch models containing only the next-state
function of DLAT_SPEC were used. This is demonstrated in the HOL code segments of Figure 3.1(b), defin-
ing first the behavior of the implementation, including the next state of latch L2 derived from this behavior,
followed by a reasonable specification for its required behavior.
The behavior of the implementation (IMP) is a standard composition of individual latch behaviors. The
key observation here is that the value of z at time t+1 depends on signal values at time t-1 (e.g., a (t-1)).
However, as expressed in the model of required behavior (REQ), in reality the circuit of Figure 3.1(a), when
viewing the signal z, behaves no differently than a single A-clocked latch does (aside from propagation
delay differences not expressed at this level). Therefore, the value of z (t+1) should be a function of signal
values at time t, not t-1. Note that for the general case of N series, same-phase latches, we would have z (t+1)
as a function of signals at time (t-N-1); clearly this is not what we want. We note that the source of this prob-
lem is the level-sensitive nature of latches, which results in cascaded latches behaving very much like com-
binational logic; this is not true of edge-sensitive components such as flip-flops.
Revisiting fundamental FSM definitions suggests ways to solve this latch modeling problem. In autom-





IMP = (b (t+1) = phase_A t => a t | b t) ∧

      (phase_A (t-1) => a (t-1) | b (t-1)) |
      z t
REQ = (b (t+1) = phase_A t => a t | b t) ∧
      (z (t+1) = phase_A t => a t | z t)
(b) Relationship between next z and current values, using standard latch model.
Figure 3.1: Two Series Latches Clocked by the Same Phase.
the present-state and present-inputs. Figure 3.2(a) is a pictorial representation of this where the present and
next times are denoted by t and t+1, respectively. Figure 3.2(b) shows an alternative approach where the
inputs and outputs use the time index of the next-state.
In models of synchronous systems such as FSMs, lower-level issues such as propagation delay are not
represented. For a latch, whose time interval is a single clock phase, the present- and next-states correspond
to the states at exactly the beginning and end of the phase, respectively. All present-inputs can similarly be
assumed to arrive at either the phase beginning or end. Present-outputs are defined in terms of the present-
state and -inputs, and are assumed to be transmitted with zero delay. Of course, in reality an input is a
present-input only if it satisfies the setup and hold times of the latch with respect to the falling edge (the end)
of the clock phase; state changes and output transmissions have propagation delay as well.
With this view of FSM behavior, it is clear that for a formal latch model to be composable in all clocking
scenarios it must use the same time index for both its present-inputs and -outputs. This is necessary to permit
signal propagation through series-connected, same-phase latches in zero time. In a latch model using only
a single FSM next-state function, this function must play the role of the output function as well; thus, the
time index of the current-output is t+1. If the standard interval representation of Figure 3.2(a) is used, then












Figure 3.2: Interval Representations.
tions are to either use the alternative interval representation of Figure 3.2(b) or else use a second FSM func-
tion for the output, matching its time index to that of the input.
We mention the first solution, using the alternative interval representation, only to point it out as a can-
didate for future consideration. We currently prefer the second approach, expressed in the model
DLAT_SPEC above, since it is consistent with the generic interpreter model described in Section 2.
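The series-latch problem of Figure 3.1 and the DLAT_SPEC remedy can be checked by simulation. The following Python sketch is an added example, not part of the report or its HOL theories; the function names and the constructed input traces are assumptions made for the illustration, and it allows a chain of n same-phase latches rather than only the two of Figure 3.1.

```python
"""Two-phase latch models: why series same-phase latches need an output function.

Added illustration; the traces at the bottom are constructed sample inputs.
"""
from typing import List, Optional, Sequence, Tuple

Trace = List[bool]


def latch_next_state_only(d: Sequence[bool], clk: Sequence[bool],
                          init: bool = False) -> Trace:
    """Earlier modeling style: one signal q is both the state and the output.

        q (t+1) = clk t => d t | q t

    Returns q[0..T] where T = len(clk).
    """
    q = [init]
    for t, active in enumerate(clk):
        q.append(d[t] if active else q[t])
    return q


def latch_dlat_spec(d: Sequence[bool], clk: Sequence[bool],
                    init: bool = False) -> Tuple[Trace, Trace]:
    """DLAT_SPEC style: separate next-state and output functions.

        q_state (t+1) = clk t => d t | q_state t
        q_out t       = q_state (t+1)

    Returns (q_state[0..T], q_out[0..T-1]).
    """
    q_state = [init]
    for t, active in enumerate(clk):
        q_state.append(d[t] if active else q_state[t])
    return q_state, q_state[1:]


def chain_next_state_only(a: Sequence[bool], clk: Sequence[bool],
                          n: int = 2, init: bool = False) -> Trace:
    """n latches in series on one clock phase; each latch reads the previous q."""
    if n < 1:
        raise ValueError("need at least one latch")
    sig: Trace = list(a)
    for _ in range(n):
        sig = latch_next_state_only(sig, clk, init)
    return sig


def chain_dlat_spec(a: Sequence[bool], clk: Sequence[bool],
                    n: int = 2, init: bool = False) -> Trace:
    """Same circuit built from DLAT_SPEC latches; returns the last latch's q_state."""
    if n < 1:
        raise ValueError("need at least one latch")
    sig: Trace = list(a)
    state: Trace = []
    for _ in range(n):
        # Each latch is driven by the previous latch's q_out, which carries
        # the same time index as that latch's input.
        state, sig = latch_dlat_spec(sig, clk, init)
    return state


def required(a: Sequence[bool], clk: Sequence[bool], init: bool = False) -> Trace:
    """REQ for signal z: z (t+1) = phase_A t => a t | z t (a single latch)."""
    return latch_next_state_only(a, clk, init)


def first_mismatch(x: Sequence[bool], y: Sequence[bool]) -> Optional[int]:
    """Index of the first time step where two traces differ, or None."""
    for t, (u, v) in enumerate(zip(x, y)):
        if u != v:
            return t
    return None


# Constructed input: phase_A is active on even time steps of a two-phase clock.
PHASE_A = [True, False, True, False, True, False]
A_IN = [True, True, False, False, True, True]


def compare(n: int = 2) -> dict:
    """First time step at which each model departs from REQ (None = never)."""
    req = required(A_IN, PHASE_A)
    return {
        "next_state_only": first_mismatch(chain_next_state_only(A_IN, PHASE_A, n), req),
        "dlat_spec": first_mismatch(chain_dlat_spec(A_IN, PHASE_A, n), req),
    }


if __name__ == "__main__":
    for n in (2, 3):
        print(n, compare(n))
```

On the constructed traces the next-state-only composition departs from REQ at the first time step after reset, while the DLAT_SPEC composition tracks REQ for every chain length tried.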
3.1.1.3 Flip-Flops
HOL definitions for the flip-flops used in the PIU design are contained in the theory ffs_def of Appendix
A. In this section we describe the modeling of a simple D flip-flop as an explanation of the HOL models.
Flip-flops are built out of latches as in the example phase-A-clocked D flip-flop shown in Figure 3.3. In
this model inputs arriving at the flip-flop during phase B are latched on the falling edge of B. The new flip-
flop output is available at the beginning of phase A and remains stable for an entire clock period. From an
edge-triggered point of view this flip-flop is seen to be clocked on the rising edge of phase A.
It is an interesting side note that in discussions with the PIU designers it became clear that their view of
flip-flop behavior is somewhat different from the perspective that we employ. For example, if asked to
choose which of the two latches in the flip-flop model of Figure 3.3 represents the true state of the flip-flop,
the designers say latch L2 and we say L1. This difference is easy to understand given the modeling environ-
ments that each group uses, and it turns out that the FSM-based specification approach embodied in Figure
3.3(b) provides a perspective to help reconcile these two viewpoints.
The PIU designers view latch L2 as the important one because it is the only one directly visible to them
during simulation. All flip-flop changes occur on the rising edge of L2's clock (phase A) and the flip-flop is
stable otherwise. From this perspective the purpose of latch L1 is only to ensure the edge-triggered nature
of the flip-flop by restricting possible flip-flop output values to those inputs arriving before phase A rises.
As formal verifiers we view L1 as the important latch because it is clocked by phase B, the last phase in
the clock cycle. This is important when we make the jump in abstraction from the phase level to the clock
level and wish to eliminate one of the two state variables associated with these latches (data abstraction). As
a general rule it is best to keep the latch with the most up-to-date state among the candidates for elimination,
otherwise updated state will not be carried forward to the next clock cycle when the model is symbolically
executed. From this perspective latch L1 contains the essential state of the flip-flop of Figure 3.3 and L2
serves only to control the time at which the new flip-flop state is made externally visible.





(a) Functional block diagram.
|- DFF_SPEC d_in phase_A stateA stateB q_out =
   ∀ t:time.
     (stateB (t+1) = ¬(phase_A t) => d_in t | stateB t) ∧
     (stateA (t+1) = (phase_A t) => stateB t | stateA t) ∧
     (q_out t = stateA (t+1))
(b) HOL representation.
Figure 3.3: Example D Flip-Flop Constructed With Latches.
embed the behavior of the phase-A latch within the flip-flop output. This FSM-based approach is also com-
patible with the PIU designer perspective if we take a commonly-used black box view of fundamental com-
ponents such as flip-flops. In such an approach, only the inputs and outputs of these components are visible
to an outside observer during simulation -- the internal state is hidden.
3.1.1.4 Counters
Counters are implemented as flip-flops surrounded by increment/decrement and selection logic. All of
the counters used in the PIU design are functionally of the form of the example in Figure 3.4; increment-
ing is performed within the output stage rather than the input stage. The HOL source for all PIU counters is
contained in the theory counters_def of Appendix A.
The inputs ld_in and up_in control the operation of this counter. If ld_in is active then the input d_in is
loaded into the counter, otherwise the current value, incremented or nonincremented according to the up_in
input, is reloaded. The input up_in also controls the value output by the counter.
3.1.1.5 CTR Datapath Block
The PIU R_Port contains two 64-bit counters implemented using a total of four 32-bit CTR datapath
blocks. The CTR datapath blocks are themselves built from lower-level components of the compiler library,
but we treat them as primitives here since they are used directly in the R_Port specification. The HOL source
for the CTR datapath block is contained in the theory datapaths_def of Appendix A.
Figure 3.5 shows the functionality of the CTR datapath block. It behaves much like the counter of the




Figure 3.5: Functional Block Diagram of the CTR Datapath Block.
Of the 11 latches in this model, the one best representing the counter value is L4, holding the value ctr.
Latch L2 contains the load-input, controlling whether a new value is loaded or the updated counter value is
reloaded. Latches L1 and L8 hold these two values, respectively. Latches L5 and L6 hold values controlling
the incrementer itself. For the top half of the 64-bit counters, L6 contains the carry-in from the lower half.
Latch L7 holds the carry-out from the counter. Latches L9 and L10 implement a flip-flop holding the updated
counter value for possible output. The two latches L3 and L11 control the writing of latch values onto Bus_A,
from the input side and output side, respectively.
3.1.1.6 ICR Datapath Block
The R_Port contains a single Interrupt Control Register (ICR) implementing memory-mapped inter-
rupts for the local processor. The HOL source for this block is located in the theory datapaths_def of Appen-
dix A.
Figure 3.6 shows a functional block diagram of this block. The true ICR value is located in the flip-flop
implemented by latches L4 and L5. The flip-flop implemented by L1 and L2 holds the ICR value fed back
using Bus_A. Latch L3 holds a mask-adjustment value that resets or sets individual mask bits according to
the value of input icr_select. Latch L6 controls the writing of values onto Bus_A either as part of an ICR










Figure 3.6: Functional Block Diagram of the ICR Datapath Block.
3.1.1.7 CR Datapath Block
The R_Port contains two control registers (CRs), called GCR (for General Control Register) and CCR
(for Communications Control Register). The HOL source for the CR datapath block is located in the theory
datapaths_def of Appendix A.
Figure 3.7 shows a functional block diagram of the CR datapath block. In comparison with the previous
two datapath blocks, this one is relatively simple, containing a single latch (L1) to hold a loaded 32-bit value
and a latch (L2) to control the writing of this value onto Bus_A. The second output port, always enabled,











Figure 3.7: Functional Block Diagram of the CR Datapath Block.
3.1.1.8 SR Datapath Block
The R_Port contains a single Status Register (SR) that may be read by an external processor. The HOL
source for the SR datapath block is located with the previous datapath blocks in the theory datapaths_def of
Appendix A.
Figure 3.8 shows a functional block diagram of this datapath block. Inputs provided by several sub-
systems of the PIU are collected and stored in latch L1; latch L2 controls the writing onto Bus_A.
3.1.1.9 Finite-State Machines
Finite-state machine (FSM) modules are used in every PIU port to control the sequencing of port oper-
ations. Each FSM module has the structure shown in Figure 3.9. FSM inputs are loaded during phase B, as
is the fed back present-state. Combinational logic implements the next-state and output functions, whose










Figure 3.8: Functional Block Diagram for the SR Datapath Block.
3.1.2 Block Diagram Descriptions
To simplify the PIU specification task, we augmented the set of compiler-library components just
described with several logic-blocks built of more-primitive components. Two guidelines were followed in
constructing these superblocks. First, instances of multilevel logic were converted into equivalent behav-
ioral descriptions. Secondly, memory elements holding multibit words were sometimes grouped into single
blocks to facilitate modeling with our array-access functions. Together, these steps greatly decreased the
number of components in the gate-level description of the PIU with a risk of introducing modeling error that








Figure 3.9: Functional Block Diagram for Finite-State Machines.
Creating superblocks also has the beneficial side effect of simplifying our description of the five PIU
ports. Even so, the complexity of the resulting specification remains formidable and a fully-detailed pic-
torial description of the PIU structure is beyond the scope of this report. The HOL descriptions in Appendix
B should be considered the gate-level specification for the five PIU ports; the descriptions in this section are
intended only to provide insight so that the HOL is more easily understood. Although considerable care has
gone into the construction of these descriptions, they are not complete and contain minor inaccuracies as
well.
The ports are described in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont, in the following
five subsections.
3.1.2.1 P_Port Structure
The top-level block diagram of the P_Port, shown in Figure 3.10, describes the partitioning of the




Figure 3.10: P_Port Top-Level Block Diagram.
The P_Port Datapath, shown in Figure 3.11, consists mainly of latches to hold L_Bus-sourced informa-
tion and tristate buffers for driving the L_Bus and I_Bus. Read from top to bottom, the latch contents
are: 32-bit data, the 26 least significant address bits, the most significant address bit, the 4-bit byte enables,
and the write/read bit, all sourced by the local processor. All control signals are provided by the P_Port Con-
troller.
The P_Port Controller is shown in Figure 3.12. The FSM block implements the I_Bus protocol and sup-
ports atomic memory accesses by the local processor. The other blocks support the FSM by encoding infor-
mation received from the two adjacent buses and by handling some of the control-signal generation.
The Req_Inputs block implements the setting and resetting of the P_rqt latch, based on new-transaction
requests and transaction-completed messages received from the L_Bus and I_Bus, respectively. An active
high P_rqt indicates a pending or in-progress L_Bus transaction.
The Ctr_Logic block keeps track of the number of words remaining in the current transaction so that the














Figure 3.11: Block Diagram of P_Port Datapath.
The Lock_Inputs block and associated latches provide support for handling atomic operations. The
P_lock_ latch holds the most recent valid lock signal provided by the local processor. The FSM implements
memory locking by locking the I_Bus.
3.1.2.2 M_Port Structure
The top-level structure of the M_Port is shown in Figure 3.13. It has the same form as the P_Port, con-
taining a single datapath block and a single controller block. These are described further in the two figures
following Figure 3.13.
Figure 3.14 shows the structure of the M_Port datapath. On the left is the interface to the M_Bus. The
EDAC_Decode_Logic block performs a Hamming decode on the 56-bit data received from the M_Bus,
while the Enc_Out_Logic block encodes 32-bit data for writing onto the M_Bus.
The Read_Latches block stores the 32-bit decoded data word read from memory. The Mux_Out_Logic
block selects bytes from this stored value or else the word currently on the I_Bus for writing onto the









Figure 3.12: Block Diagram of the P_Port Controller.














Figure 3.14: Block Diagram of the M_Port Datapath.
The M_Port controller is shown in Figure 3.15. The left side of the figure is the I_Bus interface. The
SE_Logic block determines whether a memory access is to SRAM memory or to EEPROM memory, based
on the memory address. It drives the appropriate chip-select signal based on this determination.
The WR_Logic block determines whether a memory access is a read or write and provides this informa-
tion to the rest of the M_Port. The Addr_Ctr block and BE_Logic block store the memory address and byte
enables, respectively, for the word being accessed.
The Rdy_Logic, Ctr_Logic, and Srdy_Logic blocks together implement most of the I_Bus protocol for
the M_Port, which consists mainly of controlling the value of the I_srdy_ signal transmitted back to the
I_Bus master. The 2-bit counter in Ctr_Logic implements variable wait-states for the SRAM and EEPROM
memory.
The FSM block provides high-level control of the memory interface. It sequences through a series of
states, depending on the type of memory transaction, and provides output signals mainly used by the Ena-
ble_Logic block to implement the control of the M_Port datapath. The FSM also directly controls bus
enabling for the I_Bus.
The MemparityIn_Logic block and its associated latch store the error status for memory accesses. The
















Figure 3.15: Block Diagram of the M_Port Controller.
3.1.2.3 R_Port Structure
The R_Port top-level block diagram is shown in Figure 3.16. Of the five major blocks shown there three
are described further in the figures that follow Figure 3.16. The Register File block is not broken down fur-
ther since it consists entirely of the datapath blocks described in Sections 3.1.1.5 through 3.1.1.8. There are
four CTR blocks implementing two 64-bit counters, one ICR block, two CR blocks implementing the GCR
and CCR, and one SR block.
The Bus Interface block represents the multiple tristate buffers that potentially drive the Bus_A node of
the R_Port. This block is similar to the approach used to model buses described in [Joy90].
The Register File Controller is shown in Figure 3.17. The Wr_Lat block determines whether a register
access is a read or write and provides this information to the rest of the R_Port. The FSM block is a simple
3-state state machine providing high-level control of the register accesses and I_Bus interface. The RW_Sigs
block encodes the FSM output to implement this control.
The Reg_Sel_Ctr block contains a 4-bit counter holding the register number for the current access. The
R_srdy_del_ latch value is used to increment the counter on multiword accesses. The Reg_File_Ctl block
decodes the register address to create most of the control signals needed by the register file.
Figure 3.16: R_Port Top-Level Block Diagram
The Timer Interrupt Block is shown in Figure 3.18. It consists of two identical sub-blocks, each imple-
menting the interrupt logic for one of the two 64-bit counters.
The latches R_c01_cout and R_c23_cout hold the carry-out values of the two counters. The Ctr_Int_Logic
blocks use this information and several bits of the GCR to determine whether the timer interrupts


















Figure 3.18: Block Diagram of the Timer Interrupt Block.
Figure 3.19 shows the structure of the Register Interrupt Block. The And_Tree block receives the 32-bit
ICR value, consisting of 16 interrupt-set bits and 16 mask bits. Half of these bits are dedicated to interrupt
Int0_ and half to Int3_. If an interrupt-set bit and its associated mask bit are simultaneously active-high, then








Figure 3.19: Block Diagram of the Register Interrupt Block.
3.1.2.4 C_Port Structure
The C_Port top-level structure is shown in Figure 3.20, minus the complicated external interfaces. The
C_Port controller is divided into two subunits because of its large size. Because we could not identify a log-
ical partitioning, we simply divided the existing schematic down the center, creating a left half and a right
half, controllers A and B, respectively.






















Figure 3.21: Block Diagram of the C_Port Datapath.
between the I_Bus and the C_Bus. The Parity_Decode_Logic block decodes the 18-bit parity-encoded data
received from the C_Bus data lines. It outputs 16-bit data and a single-bit error-detection flag.
The CB_In_Latches block stores the messages received from the C_Bus. This information consists of
transaction header information, address, and data. The BE_Out_Logic block outputs the byte enables onto
the I_Bus. The CB_Out_Logic block parity-encodes data for transmission onto the C_Bus.
On the left side of the figure, the Grant_Logic block implements the C_Bus arbitration. The
Addressed_Logic block determines whether this PIU is being addressed by the C_Bus master. The
D_Writes_Logic block determines whether this PIU is an active channel or not; if not then it prohibits mem-
ory accesses using the Disable_writes output. The Parity_Signal_Inputs block controls the setting and reset-
ting of the C_parity latch, whose output, CB_parity, is transmitted to the R_Port SR.
Part (A) of the C_Port controller is shown in Figure 3.22. The two state machines: Master FSM and
Slave FSM, implement the C_Bus protocol from the master and slave perspectives, respectively. The Srdy
FSM controls the enabling of I_Bus slave signals transmitted by the C_Port.
The Last_Logic block and the latches holding C_lock_in_ and C_last_in_ preprocess the I_lock_ and
I_last_ I_Bus signals received from the P_Port. The Hold_Logic block and the latches holding C_last_out_
and C_hold_ process the I_last_ and I_hold_ signals transmitted over the I_Bus. The Cout_Sel_Logic block
determines which 16-bit word is to be transmitted over the C_Bus and provides selection signals to the data-





Figure 3.22: Block Diagram of the C_Port Controller (Part A).
Figure 3.23 shows part (B) of the C_Port controller. The DP_Ctls PLA block converts output signals
from both the master and slave state machines of part (A) into control signals for the datapath. The latches
at the output of this block, as well as the Cout_.l_Le_Logic block, provide further processing for the datap-
ath, primarily to control the enabling of the datapath latches.
The CBss_Out_Logic block and the CBms_Out_Logic block determine the master-status and slave-sta-
tus, respectively, for C_Bus transactions. The SrdyIn_Logic block decodes the slave-status input from the
C_Bus to determine whether the slave is ready for the next transaction.
The Rdy_Logic block, the ISrdy_Out_Logic block, and intervening latches implement the generation
and transmission of the I_srdy_ signal to the I_Bus. The ladEn_Logic block controls the enabling for
address and data transmissions over the I_Bus.
The Pe_Cnt_Logic block controls the enabling of parity-error counting within the datapath.









Figure 3.23: Block Diagram of the C_Port Controller (Part B).
3.1.2.5 SU_Cont Structure
The SU_Cont structure is divided into the two subsections shown in Figures 3.24 and 3.25. The first
figure shows mainly the blocks that interact with the other ports within the PIU, while the second shows
mainly those that interface with the local processor.
The FSM block in Figure 3.24 controls the initialization process. It sequences through states that suc-
cessively reset and test CPU0, reset and test CPU1, then select and initialize the active mission processor.
It uses the output of the 18-bit counter block, via the Muxes block, to control its time duration in many of
its states. The Delay_In block processes the input signals for the counter block.
The Dis_Int_Out block determines and then transmits reset signals and various disable signals to the
other ports.
The blocks Scnt_In, Scnt_In1, the 3-bit counter block, and the intervening latches support the software-
based acceptance test of each processor. The output S_Soft_Cnt contains the number of instances that the
local processor writes a specific pattern to the General Control Register in the R_Port. If not equal to a spe-











Figure 3.24: Block Diagram of the Startup Controller PIU-Port Interface.
Figure 3.25 shows the SU_Cont blocks that interact mainly with the local processor. The Cpu_Ok block
and the Fail_In block together control the loading of four latches holding failure-status information. The
Cpu_Ok block uses the S_Soft_Cnt signal just discussed and the Failure_ signals from the local processors.
The latch outputs are transmitted to the R_Port where they are stored in the Status Register.
The Bad_Cpu_In block controls the loading of two latches holding processed failure status of the two
local processors. These latch outputs are used, together with FSM block outputs, in the misc logic block to
control the loading of two other latches. These latch outputs are used to maintain the local processors in a
reset or nonreset state, as appropriate.
3.2 Port Phase-Level Behavior
The phase-level specification for each PIU port is a behavioral abstraction of the corresponding gate-
level structure. Each port is defined in terms of a 2-instruction instruction set, corresponding to the behavior
occurring during each of the two clock phases. Each instruction is itself represented using two functions,
defining the next-state transition and the output. Consistent with the generic interpreter model, the states and
outputs for the ports are represented as n-tuples.


















Figure 3.25: Block Diagram of the Startup Controller CPU Interface.
Appendix C contains the HOL phase-level specification. The ports are presented in the order: P_Port,
M_Port, R_Port, C_Port, and SU_Cont, in Sections C.1 through C.5, respectively. Within each section the
next-state function for phase A is presented first, followed by the output function for phase A, and the next-
state and output functions for phase B.
3.3 Port Clock-Level Behavior
The clock-level specification for each PIU port is both a temporal abstraction and a data abstraction of
the corresponding phase-level specification. Here the unit of time is an entire 2-phase clock period, rather
than a single phase. Data abstraction is achieved by eliminating state variables representing certain latch val-
ues. Usually the eliminated latches are part of edge-triggered devices, such as flip-flops and counters, and
are clocked on phase A.
In contrast to the phase level, where the choice of instruction set is dictated by the number of clock
phases, the choice at the clock level is much more subjective. For example, only a single instruction is really
necessary to capture the behavior of the ports. This would provide the most concise description of behavior
at the cost of providing the least understandable description. At the opposite extreme, the ports could be
specified using an instruction set with millions of very simple and easy-to-understand instructions. How-
ever, verifying such a large instruction set would be infeasible, as would the mere goal of trying to print their
descriptions.
Instruction sets provide the human interface to state-transition system behavior. Their existence implies
an instruction selection capability such as that provided by the select function of the generic interpreter
model. Often this functionality is referred to as instruction decoding, and the proper choice of this function
(i.e., of the instruction set itself) is important for any specification attempting to provide a human-under-
standable yet concise description of behavior.
By their very nature, microprocessor instruction sets at the macro and microcode levels must be
straightforward to specify since they provide the programming interface for the microprocessor. However,
since the PIU was never intended to be programmed, nor is it microcoded, (clock-level) instruction set ele-
gance received little consideration from the PIU design team. As a result, a clock-level instruction set for
each port in which each instruction specifies a single well-defined action would require many tens of indi-
vidual port-level instructions. The composition of these port-level instructions would require many tens or
hundreds of PIU-level instructions, requiring many thousands of pages to even print; verifying these instruc-
tions would be an enormous undertaking.
Based on these considerations, we have abandoned our earlier efforts to define human-friendly instruc-
tion sets at the clock level. Instead we have opted for practicality and we specify clock-level behavior using
a single instruction for each port. Each port instruction has two parts -- a next-state function and an output
function, defining the next state and output under all operating conditions. Sections D.1 through D.5 of
Appendix D contain the HOL specification for this level.
3.4 PIU Port-Level Structure
The PIU port-level structure is a structural composition of the five clock-level port specifications. We
have used the standard approach to structural composition in which component-defining predicates are log-
ically ANDed to form the composite behavior. Existentially-quantified variables are used for component
outputs remaining internal to the composed system. Appendix E contains the HOL specification for this
level.
3.5 PIU Clock-Level Behavior
Appendix F contains the HOL specification for the PIU clock-level behavior. As with the individual
ports, the clock-level behavior of the entire PIU is represented using only a single instruction consisting of
a next-state function and an output function.
4 Models for Transaction Specification
This section describes the work undertaken to determine the most appropriate model for specifying the
top level of the Processor Interface Unit (PIU).
4.1 Introduction
To complete the specification of the PIU, a top-level specification of the required behavior of the PIU
must be written. This behavioral model should describe the actions of the device with respect to its environ-
ment and internal state.
The PIU is essentially a bus controller. However, there are some differences: the PIU contains special
features for fault tolerance and dependability, such as an encoding of words sent to memory for error cor-
rection and the ability to select between two processors depending on the results of a power-on self test.
Our goal is to model each of the concurrent portions of the PIU individually using an interpreter (as dis-
cussed in Section 2) and to show that a composition of these interpreters entails the behavior of a more
abstract model. At first, we believed that the composite behavior of the PIU could be described using the
interpreter model as well. However, we found that the high-level behavior of a device such as the PIU is
not easily modeled as an interpreter.
An interpreter is a computational device with one major control point. That is, one of a set of instruc-
tions is chosen based on the current state and that instruction is used to process the state; following the exe-
cution of the instruction, the process begins anew. While interpreters describe many interesting devices, the
model is too restrictive to describe the PIU.
There are at least three aspects of the intended behavior of the PIU that make it difficult to describe using
existing techniques:
• The feature of a bus controller that causes the greatest difficulty in using an interpreter model to describe
it is its concurrency---a bus controller does many things at once. For example, most bus controllers con-
tain timers that, in conjunction with an on-board interrupt controller, can interrupt the CPU. These timers
operate concurrently with other portions of the bus controller, such as memory and network operations.
• A typical top-level specification of the PIU might include the memory subsystem because this corre-
sponds to the CPU's view of the PIU (see the next section for a more complete discussion of this). This
shared state between the PIU and other devices makes description using an interpreter model difficult.
• The outputs of the PIU do not correspond on a one-to-one basis with the inputs; there is a many-to-one
relationship between the outputs and inputs. The interpreter model assumes that the output at a particular
time is described by a function on the current state and environment. The PIU may make several outputs
in sequence because of a single input request (a block memory read request is a good example).
In exploring possible models for use in describing the behavior of hardware devices such as bus con-
trollers, we were concerned with the following issues:
• The notation and semantics should be amenable to embedding and automation in an automatic theorem
prover such as HOL.
• The model and notation should be sufficiently general to allow a large number of interesting devices to
be described.
• The model and notation should be sufficiently defined to allow a rich set of theorems to be proven about
it in isolation of any particular application.
4.2 Abstract Views
Figure 4.1: The view from the CPU.
Before exploring specific notations for describing the PIU, we consider some of the features of the PIU
that make its behavioral specification interesting. These abstract views contribute to the understanding
necessary to specify its operation. In general, the behavior of the PIU can be looked on as a combination of
behaviors from different viewpoints: that of the CPU, the network, and the memory. In order to simplify the
discussion that follows, we will ignore certain behaviors of the PIU. In particular, we will assume that the
start-up processor is finished and that the PIU is in steady-state operation.
Figure 4.1 shows the abstract view of the PIU from the CPU. In this view, the CPU sees the combination
of the PIU, Network, and Memory (PNM) as a monolithic address space. Similarly, interrupt signals can be
viewed as coming to the CPU from this abstract object rather than the individual components.
In the CPU view, when the CPU issues a read request to the PNM, the PNM responds with the informa-
tion located at the virtual address given by the CPU. The actual location of the requested data, that is,
whether it resides in local memory, remote memory, or a register in the PIU, is abstracted away. Similarly,
when the CPU issues a write request, it does not know whether the request will update local memory, remote
memory, or a register in the PIU.
Of course, inside the CPU view, the PIU either responds to requests from the CPU itself, or by issuing
other requests to the network or the memory. Specifying what requests the PIU makes to other devices in
response to a request from the CPU can be viewed as a specification of the implementation of the PNM.
Another way of viewing these requests is that they will be specified in the other views of the system. The
latter is the method we employ.
Figure 4.2 shows the view from the memory. The memory can be viewed as a processor, albeit a simple
one. In the memory view, the PIU/CPU/Network abstraction (PCN) makes memory read and write requests
and the memory responds appropriately. Because the memory device is simple, it makes no requests of the
PCN itself, but only responds to requests.
The fact that some of these requests originated with the CPU and others with other hosts on the network
is abstracted away. Inside the PCN abstraction, of course, the requests to the memory are originating with
the CPU or the network and after some processing by the PIU (such as error correction encoding and
decoding) are being passed on. The relationship between requests from the CPU and the network do not
necessarily correspond on a one-to-one basis with the requests sent to the memory. A single request from the
CPU may result in many requests to the memory.
Figure 4.2: View from the Memory.
Figure 4.3 shows the view of the PIU from the perspective of the network. In this view, the PIU, mem-
ory, and CPU are abstracted into a single object (PMC). This is, perhaps, the most complex abstraction. The
network makes requests of the PMC and the PMC makes requests of the network. These requests are pri-
marily memory read and write requests.
The problem with the views presented in Figures 4.1-4.3 is that the abstractions include the behavior of
the CPU, network, and memory. Our goal is to specify the behavior of the PIU independent of the devices
to which it is connected. Each of these views can be thought of as a specification of the abstract interface to
one portion of the PIU. As Figure 4.4 shows, we can superimpose the specifications on one another. The
union of the PNM, PCN, and PMC specify the behavior of the entire unit. Their intersection, denoted by the
shaded area, is meant to represent the behavior that is specific to the PIU.





Figure 4.4: Abstraction Views for the PIU.
While we feel that this is a good way to think about the behavior of the PIU in abstract, we are not con-
vinced that it is an appropriate method of specifying the behavior of the PIU. Before such a decision can be
made, we will need to do further work. Primarily, we would like to attempt to model the specification of a
small device in this way and evaluate the specification for readability and ease of use in verification.
4.3 Representing Transaction Systems
The last section discussed the specification of the abstract interfaces of the PIU, but ignored the details
about how those specifications would be written. We talked abstractly about transactions between the PIU
and other system components, but the question remains of how to represent those transactions.
One of the difficulties of representing the PIU was touched upon in the last section. If we were only
faced with the problem of representing a transaction system such as the PNM (PIU, network, and memory
abstraction), the problem would be much simpler. The model would consist of a set of response functions
associated with incoming transactions. For each incoming transaction, the response function would update
the state of the system and generate an outgoing response based on the current value of the state.
In the model shown in Figure 4.4, the PIU is not a transaction system, but a transaction translation sys-
tem. The PIU cannot generate a response until it issues requests of its own and receives answers to those
requests. In addition, there may be state internal to the PIU that needs to be updated and affects the response.
The ultimate goal of the work presented in this report is not to just specify the PIU, but to verify that
specification against a lower-level specification. This goal creates several criteria that limit our choice of
notation for the behavioral specification:
1. The notation must be capable of specifying concurrent operations of the PIU.
2. The notation must be capable of describing the PIU independent of the other devices to which it might
be attached (i.e., the state of those devices should not be a necessary part of the PIU specification).
3. The notation must allow a many-to-one relationship between outputs and inputs.
4. The final specification must be concise and readable. We would like to be able to look at the specification
and capture some overall feeling for what it means. Without this level of abstraction, it is very difficult
to determine whether the specification is correct or not.
5. The notation must have, or be amenable to building, a collection of theorems about it so that we can rea-
son about the specification and its relationship to the lower-level implementations.
6. The notation must be mechanizable and, since our verification system of choice is HOL, be representable
in the HOL logic.
There are a number of candidate notations:
1. We could attempt to represent the transactions in HOL without resorting to any specific notation (i.e.,
raw HOL). We consider the generic interpreter theory (GIT) to be a representation of one kind of
computational object in raw HOL. The use of raw HOL to represent transactions implies that we would build
a model similar to the GIT, but capturing the abstractions envisioned in the previous section.
The advantages of this approach are that the model is likely to be tailored to the structure of the PIU more
closely than with the other approaches. This means that the meaning of the specification may be clearer.
Our experience with the GIT has shown us that abstract models built in HOL can be a fruitful avenue of
exploration because they yield a great deal of information to aid in understanding the structure at hand.
These models lend a structure to the specification and verification task that is usually not there otherwise;
the model states explicitly what definitions must be made to complete the specification and which lem-
mas need to be proven to complete the verification.
The disadvantages of using raw HOL are that the model of a transaction system would have to be built
and useful theorems about this model would have to be proven. This task is usually more easily done
when at least one concrete specification of the type being modeled has been built. This prototype
specification serves to guide the model development.
2. We could use temporal logic. The primary benefit of temporal logic is that transactions entail describing
and reasoning about actions that will occur in the future because of something that occurs now. For ex-
ample, when the CPU sends a memory read transaction to the PIU, this creates an obligation in the PIU
to respond to the request in the future. In between receiving the request and answering it, the PIU would
engage in a number of transactions with the network, memory, or both.
The primary advantage of temporal logic is that there has been much work in the area and it has been
successfully used to model hardware devices in other specification efforts.
The disadvantage is that it is as general as any other general purpose logic and thus, while expressive,
would not serve to structure the specification.
3. We could use a well-developed process algebra [Hen88, Hoa85, Mil89a, Mil89b, Mil89c]. Milner
[Mil89a] presents a calculus of communicating concurrent processes called CCS; CCS is perhaps the
best known process algebra. In process algebras, the specification concentrates on the communication
between processes. The specification of the PIU would entail a specification of the events that occur and
the events that follow from them.
There are several advantages to using a process algebra. Process algebras are well understood and there
are several popular ones from which to choose. This implies that there are also a great many theories
developed and ready for use in a proof effort. To the extent that deduction rules and theorems about the
process algebra can be mechanized in HOL, the job of proving properties of the specification will be
eased. Indeed, several of the most popular process algebras have been mechanized in HOL and are avail-
able for use [Sch91, Cam89, Mel91]. These mechanizations are in various states, so the amount of effort
in using one is difficult to predict.
The disadvantages are similar to those of temporal logics. We fear that the specification will be largely
free-form because of the generality of the specification language and thus not structure the problem
enough to make the specification and verification methodical.
4. We could use a formal model of a coordination language such as LINDA [But91] to model the actions
of the system. In this model, the PIU, CPU, memory, and network are modeled as communicating in a
common area called tuple space. Figure 4.5 shows how this would look. In this model, the PIU writes to
and reads from tuple space along with the other devices in the system. We can think of tuple space as an
abstract model of the bus.
We have given considerable thought to this option. The advantage of this option is that the model is gen-
eral and seems to be useful for describing ensembles of coordinated processes. The disadvantage is that
the model is not yet fully formalized (not to mention mechanized), and thus there would be considerable
work before we could begin using the model. Also, we consider this model to be better suited to describing
interactions between system components (however they are specified) rather than specifying the
components themselves. Thus, we plan to pursue the formalization of LINDA as a model for composing
specifications, rather than for the specifications themselves.
Overall, we believe that approach (1) has the most promise and meets the criteria that we outlined above.
We do, however, recognize that there is a rich body of research surrounding process algebras and thus will
draw on that wherever possible. Indeed, much as the GIT looks similar to a state machine, but has specific
features designed to specify and verify microprocessors, our transaction model will look similar to existing
process algebras but have features specific to specifying and verifying hardware devices such as the PIU.
4.4 Preliminary Transaction Model Design
This section discusses some preliminary design concepts for the transaction model and gives our devel-
opment plans.
4.4.1 The Transaction Model
Our preliminary transaction model contains elements common to other behavioral models, augmented
by features targeting transaction-level behavior.
Figure 4.5: Modeling the Buses in a Computer System using Tuple Space.
4.4.1.1 Ports
A transaction system has a number of ports. The system will receive requests on input ports, send
requests on output ports and communicate data on data ports. Our model will have an alphabet of port names
that can be used to identify ports uniquely.
4.4.1.2 State
The transaction system will have internal state. This state will be represented in a concrete object as a
tuple, but in the model will be represented abstractly.
4.4.1.3 Transaction
A transaction will be a triple consisting of an identifying request (taken from an alphabet of possible
requests), a state transition function used to update the state, and a set of port-request function pairs repre-
senting the requests to be sent and the ports to issue them on in response to the transaction request. The
request functions use the current state and values on the data ports to generate a request.
4.4.1.4 Operation
The model will be driven by request events. The model will consist of a set of transactions for each input
port. The set represents the legal requests on that port. For each input port, the model will, in parallel, read
a request, find the appropriate transaction in its transaction set, and use that transaction to update the state
and issue requests on output ports.
4.4.2 Development Plan and Comments
We plan to refine the preliminary concepts outlined above as follows:
1. Build a functional program in ML of the behavior of the PIU based on the model presented above. The
program will allow us to exercise the model and determine where there are problems. We chose ML since
it is close to the syntax of HOL and will be readily converted into HOL when we are satisfied with it.
2. The program built in the previous step will be specific to the PIU. Our plan is to generalize that program
into an abstract model of transaction systems. We plan to use the results of the experiments in the previ-
ous step to guide a formalization of the general model in HOL. Careful design of the abstraction in the
program will make this task easier. Provided that the results of the experiments yield favorable results,
we do not anticipate formalization to be a large effort.
3. After the model has been formalized, we will need to use it to assess its utility and determine what lem-
mas need to be proven in the abstract theory to enable effective reasoning in the concrete model. There
is no way to determine what these theories will be until the model is used the first time.
4. As the model is used, there will undoubtedly be refinements and extensions. Our experience with the
generic interpreter theory has shown that refining and extending abstract theories is not an arduous task
and we anticipate that the same will be true of the new model.
There are several areas that may lead to difficulties:
• The model specifies each input port separately (in the spirit of the abstract views of Section 4.2). There
will have to be coordination between ports due to shared state and output ports. The network port and
the CPU port cannot both issue requests of the memory port simultaneously. This, of course, is also a
restriction in the design. Our problem is not what coordination to perform, since that exists in the PIU
already, but how to represent such coordination in the model. We hope that process algebras will give us
some guidance.
• The state is shared and thus may be updated by several ports at once (provided that such updating does
not cause interference). We hope that partial specifications of the changes, represented by predicates
rather than functions, will solve this problem.
• We have ignored the start-up operation of the PIU in our model. We do not believe that this is a problem
since the start-up portion of the chip operates in sequence with the rest of the PIU components. We can
model the start-up portion using an interpreter or transaction system (whichever is more appropriate) and
choose the behavior of the start-up device or the PIU device depending on the current state.
• The PIU has a number of on-board clocks that serve as interrupt timers. We hope that they can be mod-
eled using the concepts presented in this chapter by looking at the external clock port as another input
port with its own set of transactions. One of those transactions will trigger interrupts when the state is
correct.
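The preliminary transaction model of Section 4.4.1 and the port-coordination difficulty listed above, as an added example in Python (not the ML program the report plans, and not the authors' code). The port names, request names, counters, address arithmetic and the rule that rejects a step in which two input ports drive the same output port or change the same state field are assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]      # concrete stand-in for the model's abstract state
Data = Dict[str, int]       # values currently on the data ports
Request = Tuple[str, int]   # constructed request format: (name, address)


@dataclass(frozen=True)
class Transaction:
    """The triple of 4.4.1.3: request, state transition, (port, request fn) pairs."""
    request: str
    next_state: Callable[[State, Data], State]
    outputs: Tuple[Tuple[str, Callable[[State, Data], Request]], ...]


class CoordinationError(Exception):
    """Two input ports interfered on an output port or on a state field."""


class TransactionSystem:
    def __init__(self, state: State, table: Dict[str, List[Transaction]]):
        self.state = dict(state)
        # One transaction set per input port: the legal requests on that port.
        self.table = {p: {t.request: t for t in ts} for p, ts in table.items()}

    def step(self, arriving: Dict[str, str], data: Data) -> List[Tuple[str, Request]]:
        """Serve one request per input port; all ports see the same starting state."""
        issued: List[Tuple[str, Request]] = []
        port_owner: Dict[str, str] = {}    # output port -> input port driving it
        field_owner: Dict[str, str] = {}   # state field -> input port writing it
        new_state = dict(self.state)
        for in_port in sorted(arriving):
            legal = self.table.get(in_port, {})
            if arriving[in_port] not in legal:
                raise ValueError(f"illegal request on port {in_port}")
            txn = legal[arriving[in_port]]
            for out_port, make_request in txn.outputs:
                if port_owner.setdefault(out_port, in_port) != in_port:
                    raise CoordinationError(
                        f"{port_owner[out_port]} and {in_port} both drive {out_port}")
                issued.append((out_port, make_request(self.state, data)))
            proposed = txn.next_state(dict(self.state), data)
            for field, value in proposed.items():
                if value == self.state.get(field):
                    continue                # this port leaves the field alone
                if field_owner.setdefault(field, in_port) != in_port:
                    raise CoordinationError(
                        f"{field_owner[field]} and {in_port} both write {field}")
                new_state[field] = value
        self.state = new_state              # commit only if no interference
        return issued


BLOCK_WORDS = 4   # constructed block size


def _bump(field: str) -> Callable[[State, Data], State]:
    """State transition that counts one more request in `field`."""
    return lambda state, data: {**state, field: state[field] + 1}


def _mem_read(offset: int) -> Callable[[State, Data], Request]:
    """Request function: read the word at cpu_addr + offset."""
    return lambda state, data: ("read", data["cpu_addr"] + offset)


def build_demo_system() -> TransactionSystem:
    cpu = [
        # One CPU request, BLOCK_WORDS memory requests (many outputs per input).
        Transaction("block_read", _bump("cpu_requests"),
                    tuple(("mem", _mem_read(i)) for i in range(BLOCK_WORDS))),
        # A read of an internal register needs no other device.
        Transaction("reg_read", _bump("cpu_requests"), ()),
    ]
    net = [
        Transaction("remote_write", _bump("net_requests"),
                    (("mem", lambda state, data: ("write", data["net_addr"])),)),
    ]
    return TransactionSystem({"cpu_requests": 0, "net_requests": 0},
                             {"cpu": cpu, "net": net})


def demo():
    system = build_demo_system()
    data = {"cpu_addr": 0x100, "net_addr": 0x200}   # constructed data-port values
    block = system.step({"cpu": "block_read"}, data)
    both = system.step({"cpu": "reg_read", "net": "remote_write"}, data)
    try:
        system.step({"cpu": "block_read", "net": "remote_write"}, data)
        clash = None
    except CoordinationError as err:
        clash = str(err)
    return block, both, clash, system.state


if __name__ == "__main__":
    print(demo())
```

The third step in demo() is rejected as a whole, so neither counter advances: the sketch detects the interference but does not arbitrate it, which is the part the report leaves open.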
4.5 Conclusions
Hardware devices such as the PIU present a unique challenge for behavioral specification. They differ
from interpreters primarily in that there is a large amount of coarse-grained parallelism and they do not
control all the state that they are expected to impact. The overall system (PIU, CPU, network, and memory)
could be modeled as an interpreter, but our desire is to model the PIU independently.
One could just make a laundry list of all the actions that occur and use this as the specification, but the
result would be nearly unreadable for a complex device such as the PIU. Our goal is to create an abstraction
that organizes that behavior so that the specification is readable as well as useful for verification. An unread-
able specification is likely to be wrong.
The research presented here is only a start at the top-level specification of the PIU. We plan the follow-
ing follow-on work:
• The preliminary transaction model must be refined as presented in Section 4.4. The models need to be
tested on the PIU design for utility. Furthermore, the model needs to be formalized in HOL.
• Further work must be done on the composition of our abstract-view approach to behavior. We plan a
further review of the literature for applicable work and a small test study involving a small device with
a simple semantics, but more than one interface, to determine whether composing the abstract behaviors
of the interface is sufficient to represent behavior.
• We intend to pursue the formalization of the LINDA coordination language since it seems a likely can-
didate model for composing the specification of the PIU with the specifications of the CPU, memory,
and network. This composition would be used to implement a more abstract view of the system. This
work does not have consequences for the top-level specification of the PIU itself but may be important
for future compositions.
5 Towards an Integrated Simulation/Verification Environment
This section describes work that links the M hardware description language and the HOL theorem
proving system.
The M hardware description language is part of a simulation and synthesis system from Mentor Graph-
ics Corporation. M is a superset of C with extensions for efficiently describing hardware.
The goal of the work presented in this section was to develop a prototype translator for converting M
descriptions to the equivalent HOL descriptions. We chose to describe the implementation of the PIU in M
for several reasons:
• Engineers working on the project are more comfortable with M descriptions than they are with the logic
of HOL. This is probably because of the similarity of M to imperative programming languages in which
most engineers are schooled.
• M descriptions can be executed. This allows the specifications to be animated, providing a form of sim-
ulation. Engineers can observe the operation of the specification in an effort to judge its correctness.
The translator described here is a prototype tool. We have used the AWK programming language
[Aho88] to construct a parser for the subset of M actually used in the description of the PIU. In addition to
parsing M, the tool generates HOL statements corresponding to the input. The generation is done on an ad
hoc basis--no attempt has been made to describe the semantics of M formally.
The translator between M and HOL is important because a hand translation would be tedious and error
prone. Using a machine translation, even one done informally, provides consistent translations. When an
error in a translation is found, the translator can be corrected and the other translations redone to ensure that
the error does not affect other specifications as well.
Future work may include a more formal translator between M and HOL if we determine that M descrip-
tions are useful. The more formal translator would include a parser built into the HOL theorem prover as
well as a formal semantic description. The translation would be done completely within the theorem prover
for added assurance.
The following section will discuss data types developed for use with the model. We will not discuss the
actual translation process in detail, but we will give a simple example of an M description of a finite state
machine and its equivalent form in HOL as produced by the M-to-HOL translator. The HOL definitions are
intended to be used with the generic interpreter model described in Section 2 of this report.
5.1 New Datatypes in HOL
In order to translate M to HOL, we had to make type definitions in HOL that correspond to the types
used in the M language. Two of the more involved type definitions were arrays and n-bit words.
5.1.1 Arrays
Since M is a superset of C, M descriptions make heavy use of arrays. HOL does not have a built-in array
type, but arrays are easy to model in higher-order logic using functions. In general we treat an array of
objects as a function from the natural numbers to the same objects. There are four basic operations on arrays
in M that needed to be defined in HOL: array indexing, array assignment, array subsetting, and subarray
assignment.
Array Indexing. In M, arrays are indexed using bracket notation. In HOL, since arrays are just func-
tions, arrays are indexed by function application. Thus, the M term x[i] is written in HOL as (x i).
Array Assignment. In M, one can use an indexed array variable as the lvalue in an assignment state-
ment. Logic does not have assignment, so the corresponding definition is functional. We define a function
called ALTER that operates on an array, an index, and a value and returns a new array with the value stored
in the array at the index given. All other values are unchanged. Thus, the M term x[i] = y is written (ALTER
x (i) y) in HOL.
Array Subsetting. In M, one can use a subarray in an expression. The HOL function SUBARRAY serves
the same purpose. Thus, the M term x[15:5] (which represents an 11-element array with location 0 holding
the same value as x[5], location 1 holding the same value as x[6], and so on) would be written in HOL as
SUBARRAY x (15,5).
Subarray Assignment. In M, one can assign arrays to portions of an existing array. The HOL function




N-bit words are defined in M using arrays of booleans. Since we represent arrays as functions, the nat-
ural representation for n-bit words is a function from the natural numbers to the booleans. The theory of n-
bit words that we defined uses this representation and makes definitions that allow the representation to be
usable. There are four kinds of definitions in the n-bit word theory:
1. Definitions that interpret the meaning of an n-bit word.
2. Definitions that create n-bit words with special meanings and give them a name.
3. Definitions that test an n-bit word for a given property.
4. Definitions that operate on n-bit words.
There are two major functions for interpreting n-bit words: VAL and WORDN. VAL returns the numeric
value of an n-bit word. WORDN returns the n-bit word representing a given number.
There are a number of functions for creating special n-bit words. We will not discuss all of them here,
but only give a few examples. SETN returns an n-bit word with all of its bits set. Similarly, RSTN returns
an n-bit word with all of its bits false.
Examples of test predicates include ONES which tests if all the bits in a word are true and ZEROS which
tests if all the bits in a word are false.
Operations on n-bit words implement common boolean and arithmetic operations on n-bit words. For
example, NOTN returns the n-bit complement of a word. INCN returns the n-bit word resulting from adding
1 (modulo n) to its argument.
So far, the theory does not contain many theorems regarding these definitions and their relationship to
one another. These theorems will be proven as necessary.
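The array and n-bit word definitions above, sketched as an added example in Python (not the report's HOL theory): because an array is a function from the natural numbers, ALTER, SUBARRAY and the word operations are ordinary higher-order functions. The explicit width argument n, bit 0 as the least significant bit, INCN wrapping at 2^n, the MALTER behaviour (inferred from how the translator output in Section 5.3 uses it) and the pack_fields helper are assumptions of this sketch.

```python
from typing import Callable, Tuple

Array = Callable[[int], object]   # an array is a function from naturals to values
Word = Callable[[int], bool]      # an n-bit word is an array of booleans


def ALTER(x: Array, i: int, y: object) -> Array:
    """M: x[i] = y. Returns a new array; every other index is unchanged."""
    return lambda k: y if k == i else x(k)


def SUBARRAY(x: Array, bounds: Tuple[int, int]) -> Array:
    """M: x[hi:lo]. Location 0 holds x[lo], location 1 holds x[lo+1], and so on.
    Indices above hi - lo are not meaningful and are simply passed through."""
    hi, lo = bounds
    return lambda k: x(k + lo)


def MALTER(x: Array, bounds: Tuple[int, int], y: Array) -> Array:
    """Subarray assignment (assumed): locations lo..hi take y(0)..y(hi - lo)."""
    hi, lo = bounds
    return lambda k: y(k - lo) if lo <= k <= hi else x(k)


def WORDN(v: int) -> Word:
    """The word representing the number v (bit i is bit i of v)."""
    return lambda i: bool((v >> i) & 1)


def VAL(n: int, w: Word) -> int:
    """Numeric value of the low n bits of w."""
    return sum(1 << i for i in range(n) if w(i))


def SETN(n: int) -> Word:
    return lambda i: i < n                 # all n bits true


def RSTN(n: int) -> Word:
    return lambda i: False                 # all bits false


def ONES(n: int, w: Word) -> bool:
    return all(w(i) for i in range(n))


def ZEROS(n: int, w: Word) -> bool:
    return not any(w(i) for i in range(n))


def NOTN(n: int, w: Word) -> Word:
    return lambda i: (not w(i)) if i < n else False


def INCN(n: int, w: Word) -> Word:
    return WORDN((VAL(n, w) + 1) % (1 << n))


def pack_fields(counter: int, payload: int) -> int:
    """Assemble a 32-bit word field by field, in the style of the I_X update:
    bits 30:29 from the low two bits of counter, bits 28:0 from payload."""
    word = RSTN(32)
    word = MALTER(word, (30, 29), SUBARRAY(WORDN(counter), (1, 0)))
    word = MALTER(word, (28, 0), SUBARRAY(WORDN(payload), (28, 0)))
    return VAL(32, word)


if __name__ == "__main__":
    print(hex(pack_fields(3, 5)))
```

Nothing is ever mutated: each ALTER or MALTER wraps the previous function, which is what lets the same definitions be stated as equations in the logic.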
5.2 An Example in M
The following example shows how a finite state machine is described in M. For brevity, the description
contains only one state, S1; a more realistic description would contain more states, as well as more logic
variables. The example does illustrate some of the features of M that required translation such as logic oper-




Authors: David Fura / Phillip Windley
Date: 13MAR92
Example of M description for translation.
#define V1 1
#define V2 2
MODULE test () {
/* State variables: */
MEMORY LOGIC new_A, A;
MEMORY LOGIC new_B, B;








switch (Decode (Clock)) {
case S1:
new_A = (C == V1) || (C != V2);














5.3 An Example in HOL
The following code represents the translation of the M code in the last section into HOL by the prototype
translator developed for this project. No substantive changes have been made to the text. Except for inden-
tation and spacing, everything is just as the translator produced it.
let V1 = "1";;
let V2 = "2";;
let test_state = "((A, B, C):bool#bool#wordn)";;
let test_inputs = "((Rst, Clock):bool#bool)";;
let test_outputs = "((I_X):wordn)";;
let S1_inst_def = new_definition
(`S1_inst`,
"S1_inst ^test_state ^test_inputs =
let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
let new_B = (C = (WORDN ^V1)) /\ new_A in
let new_C = wr(C, (WORDN 1)) in
(new_A, new_B, new_C)"
);;
let S1_out_def = new_definition
(`S1_out`,
"S1_out ^test_state ^test_inputs =
let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
let new_B = (C = (WORDN ^V1)) /\ new_A in
let new_C = wr(C, (WORDN 1)) in












I_X_30_29 = (SUBARRAY new_C (1,0)) in
I_X_28_0 = new_B
(SUBARRAY new_C (28,0))
(SUBARRAY I_X (28,0)) in
I_X = (MALTER
(MALTER
(MALTER I_X (31,31) I_X_31_31)
(30,29) I_X_30_29)
(28,0) I_X_28_0) in
The translator does a good job of translating most M programs into HOL. The largest limitation on its
use is the simple type analysis that is done. A more thorough type analysis would catch some of the infre-
quent errors, but would have made the translator much more complicated. If a translator based on formal
semantics is constructed, we will overcome this limitation.
6 Conclusions
We have completed the design specification for a processor interface unit (PIU) and identified the mod-
eling approach to be used for the requirements specification. Along the way we have made progress in inte-
grating our hardware design and verification environments into a single unified framework.
In performing this task a number of important conclusions have been reached concerning the state-of-
the-art in formal specification, using HOL, with respect to the demands of real-world hardware systems.
The generic interpreter theory, described in Section 2, was shown to work well in a real-world hardware
application. It is clear that this theory, which was initially funded by NASA in a previous task [Win90], fits
applications well beyond the domain of microprocessors for which it was originally used. Our introduction
of outputs into the theory accommodates the composition of subsystems modeled as interpreters, and
enhances the theory's applicability to future system modeling problems.
Developing the lower five levels of the PIU specification hierarchy, described in Section 3, stretched
existing specification tools and techniques to their limit. To illustrate the size of this modeling problem, the
five phase-level specifications together required equations for 280 state variables and 60 output variables.
The PIU clock-level model caused overflows in three different stacks in the original Lisp implementation
used to build the HOL system.
Because of delays in the PIU design schedule, this task began while the design was still undergoing con-
siderable change. Due to the multiple specification levels and the lack of any significant automation, mod-
ifying our models to reflect these changes required much more effort than that required by the design team,
for example. As a result, the total effort required to complete the design specification was far greater than
necessary. Although previous formal specification and verification efforts appear to have begun only after
the design was finalized, and therefore didn't face this problem, formal methods will be most useful when
they can be applied before a chip is initially fabricated, and thus before the design is finished as well. Based
on this experience it is clear that major improvements are needed in the tools used to develop future design
specifications.
Perhaps our most significant discovery is that current hardware specification approaches, although suit-
able for the lower levels of the PIU specification hierarchy, are inadequate for the topmost level. This moti-
vated us to investigate the alternative modeling techniques described in Section 4, from which we have
defined a preliminary model for use in formalizing a new transaction-based modeling level.
Although not explicitly part of this task's description, we have made progress in integrating our hard-
ware design and verification environments to support this and future work. The M-to-HOL translator,
described in Section 5, performs a nearly-complete translation of suitably-formatted M-language models
into HOL. The utility of this tool was demonstrated by our translation of all the port-level behavioral models
from their definitions in M. Although this translation is not based on a formal semantics for M, it provides
a consistent translation capability that is available for use now. It should have an immediate impact on pro-
ductivity for the next chip specification.
The work presented in this report has made a significant contribution to the specification and verification
of real-world devices, but much remains to be done. In particular, this report has outlined the following
tasks:
1. Before work on the specification of the top level can be completed, the formal model of the transaction
level must be completed. Section 4 gives a more detailed plan for completing this work.
2. The specification hierarchy was outlined in Section 3, but this task did not include the completion of the
specification. In particular, the PIU top-level specification remains to be written.
In addition to the work that must be completed to finish the specification, there are a number of open
questions that have a direct bearing on how this work is used:
1. The proofs of correspondence between levels in the specification hierarchy should be completed. The
specification process itself is useful because it gives designers an abstract view of the device and aids
understanding. The detailed examination entailed in the specification is useful for finding errors. How-
ever, the primary benefit of a formal specification is that it is amenable to analysis.
2. If we intend to use the top-level specification along with specifications of other devices in the PMM,
such as the CPU and memory, to write a specification of the PMM, a model of composition must be de-
veloped. Section 4 recommended a formalization of LINDA as that model, but no work has been done
to explore the feasibility or utility of this method.
3. The translation between M and HOL is being done in a prototype system written in AWK. A more formal
approach, with more confidence in its correctness, would be to embed M in HOL. This would involve
defining the syntax of M (or a reasonable subset) in HOL and then defining a formal semantics of M for
use in the translation. Because the translation would be done by the verification system itself, we could
have increased confidence that the HOL model corresponded to the M model.
7 References
[Aho88] A.V. Aho, B.W. Kernighan, P.J. Weinberger, The AWK Programming Language, Addison-Wesley,
1988.
[Aro90] Tejkumar Arora, The formal verification of the VIPER microprocessor: EBM to microcode level,
Master's thesis, University of California, Davis, 1990.
[But91] P. Butcher, "A Behavioral Semantics for Linda-2," Software Engineering Journal, July 1991.
[Cam89] A. J. Camilleri, "Mechanizing CSP Trace Theory in Higher-Order Logic," Hewlett-Packard
Laboratories, Technical Memorandum HPL-ISC-TM-89-13 I, August 1989.
[Coh88] Avra Cohn, "Correctness properties of the VIPER block model: The second level," University of
Cambridge Computer Laboratory, Technical Report 134, May 1988.
[SRI88] SRI International Computer Science Laboratory, EHDM Specification and Verification System:
User's Guide, Version 4.1, 1988.
[Gor86] M. Gordon, "Why Higher-Order Logic is a good Formalism for Specifying and Verifying Hardware,"
in G.J. Milne and P.A. Subrahmanyam, editors, Formal Aspects of VLSI Design, North-Holland,
1986.
[Gor88] Michael J.C. Gordon, "HOL: A proof generating system for higher-order logic," in G. Birtwistle
and P.A. Subrahmanyam, editors, VLSI Specification, Verification, and Synthesis, Kluwer Academic
Publishers, 1988.
[Gog88] J. Goguen and T. Winkler, "Introducing OBJ3," SRI International, Technical Report SRI-CSL-88-9,
August 1988.
[Hen88] M. Hennessy, Algebraic Theory of Processes, MIT Press, 1988.
[Her88] John Herbert, "Temporal abstraction of digital designs," in G.J. Milne, editor, The Fusion of
Hardware Design and Verification, Proceedings of the IFIP WG 10.2 International Working Conference,
Glasgow, Scotland, North-Holland, 1988.
[Hoa85] C. A. R. Hoare, "Communicating Sequential Processes," Prentice Hall, 1985.
[Hun87] Warren A. Hunt, Jr., "The mechanical verification of a microprocessor design," in D. Borrione,
editor, From HDL Descriptions to Guaranteed Correct Circuit Designs, Elsevier Scientific Publishers,
1987.
[Hun92] Warren A. Hunt, Jr., and Bishop Brock, "A Formal HDL and its use in the FM9001 Verification,"
in C.A.R. Hoare and M.J.C. Gordon, editors, Mechanized Reasoning and Hardware Design, Prentice
Hall, 1992.
[Joy89] Jeffrey J. Joyce, Multi-Level Verification of Microprocessor-Based Systems, PhD thesis, University
of Cambridge, December 1989.
[Koh78] Z. Kohavi, Switching and Finite Automata Theory, McGraw-Hill, 1978.
[Low89] Paul Loewenstein, "Reasoning about state machines in higher-order logic," in M. Leeser and G.
Brown, editors, Workshop on Hardware Specification, Verification, and Synthesis: Mathematical
Aspects, Lecture Notes in Computer Science, Springer-Verlag, 1989.
[Mel88] Thomas Melham, "Abstraction mechanisms for hardware verification," in G. Birtwistle and P. A.
Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, Kluwer Academic Publishers,
1988.
[Mel90] T. F. Melham, "Formalizing Abstraction Mechanisms for Hardware Verification in Higher Order
Logic," University of Cambridge Computer Laboratory, Technical Report 201, August 1990.
[Mel91] T. F. Melham, "A Mechanized Theory of the π-Calculus in HOL," in G. Huet, G. Plotkin, and C.
Jones, editors, Second Annual Workshop on Logical Frameworks, Edinburgh, May 1991.
[Mil89a] R. Milner, Communication and Concurrency, Prentice Hall, 1989.
[Mil89b] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part I," University of
Edinburgh, Laboratory for Foundations of Computer Science, Technical Report ECS-LFCS-89-85,
June 1989.
[Mil89c] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part II," University of
Edinburgh, Laboratory for Foundations of Computer Science, Technical Report ECS-LFCS-89-86,
June 1989.
[Sch91] E.T. Schubert, K. Levitt, G.C. Cohen, "Towards Composition of Verified Hardware Devices,"
NASA Contractor Report 187504, November 1991.
[Win88] Phillip J. Windley, "A hierarchical methodology for the verification of microprogrammed
microprocessors," in Proceedings of the IEEE Symposium on Security and Privacy, May 1990.
[Win90] Phillip J. Windley, The Formal Verification of Generic Interpreters, PhD thesis, University of
California, Davis, Division of Computer Science, June 1990.
[Win90a] Phillip J. Windley, "A poor man's implementation of abstract theories," University of California,
Davis, Division of Computer Science, Technical Report CSE-90-06, 1990.
[Win91] Phillip J. Windley, "The formal specification of a high-speed CMOS correlator," in Proceedings
of the Third Annual IEEE/NASA Symposium on VLSI Design, October 1991.
Appendix A ML Source for Component Specifications.
This appendix contains the HOL models for components used in the gate-level specification for the PIU
ports, as well as auxiliary definitions for n-bit words implemented as arrays and array accessing functions.
File: gates_def.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the combinational logic gates used in the gate-level description of the




map new_parent [`aux_def`];;
let NOT_SPEC = new_definition
(`NOT_SPEC`,
"! a z.
NOT_SPEC a z =
(! t:time. z t = ~a t)"
);;
let AND2_SPEC = new_definition
(`AND2_SPEC`,
"! a b z.
AND2_SPEC a b z =
(! t:time. z t = a t /\ b t)"
);;
let AND3_SPEC = new_definition
(`AND3_SPEC`,
"! a b c z.
AND3_SPEC a b c z =
(! t:time. z t = a t /\ b t /\ c t)"
);;
let OR2_SPEC = new_definition
(`OR2_SPEC`,
"! a b z.
OR2_SPEC a b z =
(! t:time. z t = a t \/ b t)"
);;




OR3_SPEC a b c z =
(! t:time. z t = a t \/ b t \/ c t)"
);;
let NAND2_SPEC = new_definition
(`NAND2_SPEC`,
"! a b z.
NAND2_SPEC a b z =
(! t:time. z t = ~(a t /\ b t))"
);;
let NAND3_SPEC = new_definition
(`NAND3_SPEC`,
"! a b c z.
NAND3_SPEC a b c z =
(! t:time. z t = ~(a t /\ b t /\ c t))"
);;
let BUF_SPEC = new_definition
(`BUF_SPEC`,
"! (a:time->*) z.
BUF_SPEC a z =
(! t:time. z t = a t)"
);;
let TRIBUF_SPEC = new_definition
(`TRIBUF_SPEC`,
"! (a:time->*) e z.
TRIBUF_SPEC a e z =





Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the latches used in the gate-level specification of the FTEP PIU, an ASIC




map new_parent [`aux_def`];;
let DLAT_SPEC = new_definition
(`DLAT_SPEC`,
"! (din:time->bool) clk state qout.
DLAT_SPEC din clk state qout =
! t:time.
(state (t+1) = (clk t) => din t | state t) /\
(qout t = state (t+1))"
);;
let DSLAT_SPEC = new_definition
(`DSLAT_SPEC`,
"! (din:time->bool) set clk state qout.
DSLAT_SPEC din set clk state qout =
! t:time.
(state (t+1) = (clk t) => ((set t) => T | din t) | state t) /\
(qout t = state (t+1))"
);;
let DRLAT_SPEC = new_definition
(`DRLAT_SPEC`,
"! (din:time->bool) rst clk state qout.
DRLAT_SPEC din rst clk state qout =
! t:time.
(state (t+1) = (clk t) => ((rst t) => F | din t) | state t) /\
(qout t = state (t+1))"
);;
let DSRLAT_SPEC = new_definition
(`DSRLAT_SPEC`,
"! (din:time->bool) set rst clk state qout.
DSRLAT_SPEC din set rst clk state qout =
! t:time.
(state (t+1) = (clk t) => ((set t /\ ~rst t) => T |
(~set t /\ rst t) => F |





(qout t = state (t+1))"
);;
let DELAT_SPEC = new_definition
(`DELAT_SPEC`,
"! (din:time->bool) en clk state qout.
DELAT_SPEC din en clk state qout =
! t:time.
(state (t+1) = (clk t /\ en t) => din t | state t) /\
(qout t = state (t+1))"
);;
let DRELAT_SPEC = new_definition
(`DRELAT_SPEC`,
"! (din:time->bool) rst en clk state qout.
DRELAT_SPEC din rst en clk state qout =
! t:time.
(state (t+1) = (clk t /\ en t) => ((rst t) => F | din t) | state t) /\
(qout t = state (t+1))"
);;
let DSELAT_SPEC = new_definition
(`DSELAT_SPEC`,
"! (din:time->bool) set en clk state qout.
DSELAT_SPEC din set en clk state qout =
! t:time.
(state (t+1) = (clk t /\ en t) => ((set t) => T | din t) | state t) /\
(qout t = state (t+1))"
);;
let DSRELAT_SPEC = new_definition
(`DSRELAT_SPEC`,
"! (din:time->bool) set rst en clk state qout.
DSRELAT_SPEC din set rst en clk state qout =
! t:time.
(state (t+1) = (clk t /\ en t) => ((set t /\ ~rst t) => T |
(~set t /\ rst t) => F |




(qout t = state (t+1))"
ARB) I
let DLATn_SPEC = new_definition
(`DLATn_SPEC`,
"! (din:time->wordn) clk state qout.
DLATn_SPEC din clk state qout =
! t:time.
(state (t+1) = (clk t) => din t | state t) /\




Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the flip-flops used in the gate-level specification of the FTEP PIU, an ASIC




map new_parent [`aux_def`];;
% One-bit flip-flop, no set, no reset, no enable. %
let DFF_SPEC = new_definition
(`DFF_SPEC`,
"! (din:time->bool) clk state0 state1 qout.
DFF_SPEC din clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
% One-bit flip-flop, no set, with reset, no enable. %
let DRFF_SPEC = new_definition
(`DRFF_SPEC`,
"! (din:time->bool) rst clk state0 state1 qout.
DRFF_SPEC din rst clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DSFF_SPEC = new_definition
(`DSFF_SPEC`,
"! (din:time->bool) set clk state0 state1 qout.
DSFF_SPEC din set clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DRSFF_SPEC = new_definition
(`DRSFF_SPEC`,
"! (din:time->bool) rst set clk state0 state1 qout.
DRSFF_SPEC din rst set clk state0 state1 qout =
(! t:time. ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DEFF_SPEC = new_definition
(`DEFF_SPEC`,
"! (din:time->bool) en clk state0 state1 qout.
DEFF_SPEC din en clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
(state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
% Multiple-bit flip-flop, no set, no reset, with enable. %
let DEFFn_SPEC = new_definition
(`DEFFn_SPEC`,
"! (din:time->wordn) en clk state0 state1 qout.
DEFFn_SPEC din en clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
(state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DREFF_SPEC = new_definition
(`DREFF_SPEC`,
"! (din:time->bool) en rst clk state0 state1 qout.
DREFF_SPEC din en rst clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
(state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DSEFF_SPEC = new_definition
(`DSEFF_SPEC`,
"! (din:time->bool) en set clk state0 state1 qout.
DSEFF_SPEC din en set clk state0 state1 qout =
(! t:time. (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
(state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
(qout t = state1 (t+1)))"
);;
let DRSEFF_SPEC = new_definition
(`DRSEFF_SPEC`,
"! (din:time->bool) en rst set clk state0 state1 qout.
DRSEFF_SPEC din en rst set clk state0 state1 qout =
(! t:time. ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
(state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\





Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the counters used in the gate-level specification of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.
system `rm counters_def.th`;;
new_theory `counters_def`;;
map new_parent [`aux_def`;`array_def`;`wordn_def`];;
let UPCNT_SPEC = new_definition
(`UPCNT_SPEC`,
"! size (din:time->wordn) ld up clk state0 state1 qout zero.
UPCNT_SPEC size din ld up clk state0 state1 qout zero =
! t:time.
(state0 (t+1) = (~clk t) =>
((ld t) => din t |
(up t) => INCN size (state1 t) | state1 t) |
state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
(zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
);;
let DOWNCNT_SPEC = new_definition
(`DOWNCNT_SPEC`,
"! size (din:time->wordn) ld down clk state0 state1 qout zero.
DOWNCNT_SPEC size din ld down clk state0 state1 qout zero =
! t:time.
(state0 (t+1) = (~clk t) =>
((ld t) => din t |
(down t) => DECN size (state1 t) | state1 t) |
state0 t) /\
(state1 (t+1) = (clk t) => state0 t | state1 t) /\
(qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
(zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
);;
let UPRCNT_SPEC = new_definition
(`UPRCNT_SPEC`,
"! size (din:time->wordn) ld up rst clk state0 state1 qout zero.
UPRCNT_SPEC size din ld up rst clk state0 state1 qout zero =
! t:time.
(state0 (t+1) = (~clk t) =>
((ld t) => din t |
(up t) => INCN size (state1 t) | state1 t) |
state0 t) /\
(state1 (t+1) = (clk t) =>
((rst t) => WORDN 0 | state0 t) |
state1 t) /\
(qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
(zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
);;
let DOWNRCNT_SPEC = new_definition
(`DOWNRCNT_SPEC`,
"! size (din:time->wordn) ld down rst clk state0 state1 qout zero.
DOWNRCNT_SPEC size din ld down rst clk state0 state1 qout zero =
! t:time.
(state0 (t+1) = (~clk t) =>
((ld t) => din t |
(down t) => DECN size (state1 t) | state1 t) |
state0 t) /\
(state1 (t+1) = (clk t) =>
((rst t) => WORDN 0 | state0 t) |
state1 t) /\
(qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\





Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the datapath blocks of the R-Port of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.
system `rm datapaths_def.th`;;
new_theory `datapaths_def`;;
map loadf [`abstract`];;
map new_parent [`aux_def`;`array_def`;`wordn_def`];;
let rep_ty = abstract_type `aux_def` `Andn`;;
let DP_CTR_SPEC = new_definition
(`DP_CTR_SPEC`,
"! clkA clkB (busB_in:time->wordn) cir_wr c_ld cir_rd ce cin csror_ld cor_rd
r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out.
DP_CTR_SPEC clkA clkB busB_in cir_wr c_ld cir_rd ce cin csror_ld cor_rd
r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out =
! t:time.
((clkA t) ==>
((r_ctr_in (t+1) = r_ctr_in t) /\
(r_ctr_mux_sel (t+1) = r_ctr_mux_sel t) /\
(r_ctr_irden (t+1) = r_ctr_irden t) /\
(r_ctr (t+1) = (r_ctr_mux_sel t) => r_ctr_in t | r_ctr_new t) /\
(r_ctr_ce (t+1) = ce t) /\
(r_ctr_cin (t+1) = cin t) /\
(r_ctr_cry (t+1) = r_ctr_cry t) /\
(r_ctr_new (t+1) = r_ctr_new t) /\
(r_ctr_outA (t+1) = r_ctr_new t) /\
(r_ctr_out (t+1) = r_ctr_out t) /\
(r_ctr_orden (t+1) = r_ctr_orden t))) /\
((clkB t) ==>
((r_ctr_in (t+1) = (cir_wr t) => busB_in t | r_ctr_in t) /\
(r_ctr_mux_sel (t+1) = c_ld t) /\
(r_ctr_irden (t+1) = cir_rd t) /\
(r_ctr (t+1) = r_ctr t) /\
(r_ctr_ce (t+1) = r_ctr_ce t) /\
(r_ctr_cin (t+1) = r_ctr_cin t) /\
(r_ctr_cry (t+1) = (r_ctr_ce t) /\ (r_ctr_cin t) /\ ONES 31 (r_ctr t)) /\
(r_ctr_new (t+1) = ((r_ctr_ce t) /\ (r_ctr_cin t)) => INCN 31 (r_ctr t) | r_ctr t) /\
(r_ctr_outA (t+1) = r_ctr_outA t) /\
(r_ctr_out (t+1) = (csror_ld t) => r_ctr_outA t | r_ctr_out t) /\
(r_ctr_orden (t+1) = cor_rd t))) /\
((busA_out1 t = ((r_ctr_irden (t+1)) /\ (clkA t)) => r_ctr_in (t+1) | ARBN) /\
(busA_out2 t = ((r_ctr_orden (t+1)) /\ (clkA t)) => r_ctr_out (t+1) | ARBN) /\
(c_out t = r_ctr_cry (t+1)))"
);;
let DP_ICR_SPEC = new_definition
(`DP_ICR_SPEC`,
"! (rep:^rep_ty) clkA clkB (busA_in:time->wordn) busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd
r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr r_icr_rden
busA_out icr_out.
DP_ICR_SPEC rep clkA clkB busA_in busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd





(r_icr_old (t+1) = r_icr_old t) /\
(r_icr_mask (t+1) = r_icr_mask t) /\
(r_icrA (t+1) = (icr_select t) => Andn rep (r_icr_old t, r_icr_mask t)
| Orn rep (r_icr_old t, r_icr_mask t)) /\
(r_icr (t+1) = r_icr t) /\
(r_icr_rden (t+1) = r_icr_rden t)) /\
((clkB t) ==>
(r_icr_oldA (t+1) = r_icr_oldA t) /\
(r_icr_old (t+1) = (icr_wr_feedback t) => r_icr_oldA t | r_icr_old t) /\
(r_icr_mask (t+1) = (icr_wr t) => busB_in t | r_icr_mask t) /\
(r_icrA (t+1) = r_icrA t) /\
(r_icr (t+1) = (icr_ld t) => r_icrA t | r_icr t) /\
(r_icr_rden (t+1) = icr_rd t)) /\
((busA_out t = ((r_icr_rden (t+1) /\ (clkA t)) => r_icr (t+1) | ARBN)) /\
(icr_out t = r_icr (t+1)))"
);;
% Control register used to build General Control Register (GCR) and Communication Control Register (CCR). %
let DP_CR_SPEC = new_definition
(`DP_CR_SPEC`,
"! clkA clkB (busB_in:time->wordn) cr_wr cr_rd
r_cr r_cr_rden
busA_out cr_out.








(r_cr (t+1) = r_cr t) /\
(r_cr_rden (t+1) = r_cr_rden t)) /\
((clkB t) ==>
(r_cr (t+1) = (cr_wr t) => busB_in t | r_cr t) /\
(r_cr_rden (t+1) = cr_rd t)) /\
((busA_out t = ((r_cr_rden (t+1)) /\ (clkA t)) => r_cr (t+1) | ARBN) /\
(cr_out t = r_cr (t+1)))"
);;
% Status Register Block. %
let DP_SR_SPEC = new_definition
(`DP_SR_SPEC`,
"! clkA clkB (inp:time->wordn) sror_ld sr_rd
r_sr r_sr_rden
busA_out.
DP_SR_SPEC clkA clkB inp sror_ld sr_rd




(r_sr (t+1) = r_sr t) /\
(r_sr_rden (t+1) = r_sr_rden t)) /\
((clkB t) ==>
(r_sr (t+1) = (sror_ld t) => inp t | r_sr t) /\
(r_sr_rden (t+1) = sr_rd t)) /\





Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the buses used in the gate-level specification of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.
system `rm buses_def.th`;;
new_theory `buses_def`;;




% Specification for a conflict-free bus. %
let Bus_CF_12_SPEC = new_definition
(`Bus_CF_12_SPEC`,
"! inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12.
Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 =
! t:time.
(inE1 t) => ~((inE2 t) \/ (inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/
(inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE2 t) => ~((inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/
(inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE3 t) => ~((inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/
(inE11 t) \/ (inE12 t)) |
(inE4 t) => ~((inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/
(inE12 t)) |
(inE5 t) => ~((inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE6 t) => ~((inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE7 t) => ~((inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE8 t) => ~((inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE9 t) => ~((inE10 t) \/ (inE11 t) \/ (inE12 t)) |
(inE10 t) => ~((inE11 t) \/ (inE12 t)) |
(inE11 t) => ~(inE12 t) | T"
);;
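The cascaded conditional in Bus_CF_12_SPEC says that at most one enable is active. The Python model below is an added example, not part of the original report: it evaluates the cascade at a single time step (a simplification of the `! t:time` quantifier), generalises it to any bus width, and checks it exhaustively against a direct "at most one" count. The function names and the three-way result of `bus_out` are assumptions of this model.

```python
from itertools import product


def bus_cf(enables):
    """Cascade from Bus_CF_12_SPEC at one time step, for any number of enables.

    inE1 => ~(inE2 \\/ ... \\/ inEn) | inE2 => ~(inE3 \\/ ...) | ... | T
    """
    for i, en in enumerate(enables):
        if en:
            # First active enable found: every later enable must be low.
            return not any(enables[i + 1:])
    return True  # final "| T" branch: a bus with no driver is conflict-free


def at_most_one(enables):
    """Mutual exclusion stated directly as a count."""
    return sum(1 for en in enables if en) <= 1


def cascade_equals_at_most_one(width=12):
    """Compare both formulations over all 2**width enable vectors."""
    return all(bus_cf(v) == at_most_one(v)
               for v in product((False, True), repeat=width))


def bus_out(data, enables):
    """What Bus_12_1_SPEC allows one to conclude about `out` at one time step.

    ("driven", v)     exactly one enable is high, so out = v
    ("undriven", None) no enable is high, the specification leaves out unconstrained
    ("conflict", None) the conflict-free premise fails, nothing follows about out
    """
    if len(data) != len(enables):
        raise ValueError("one enable per data input is required")
    if not bus_cf(enables):
        return ("conflict", None)
    for value, en in zip(data, enables):
        if en:
            return ("driven", value)
    return ("undriven", None)


if __name__ == "__main__":
    # Constructed sample: twelve data inputs, input 5 enabled.
    data = list(range(100, 112))
    enables = [False] * 12
    enables[4] = True
    print(cascade_equals_at_most_one(12), bus_out(data, enables))
```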
let Bus_12_1_SPEC = new_definition
(`Bus_12_1_SPEC`,
"! (inD1:time->*) inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out.
Bus_12_1_SPEC inD1 inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out =
! t:time.
(Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12) ==>
((inE1 t ==> (out t = inD1 t)) /\
(inE2 t ==> (out t = inD2 t)) /\
(inE3 t ==> (out t = inD3 t)) /\
(inE4 t ==> (out t = inD4 t)) /\
(inE5 t ==> (out t = inD5 t)) /\
(inE6 t ==> (out t = inD6 t)) /\
(inE7 t ==> (out t = inD7 t)) /\
(inE8 t ==> (out t = inD8 t)) /\
(inE9 t ==> (out t = inD9 t)) /\
(inE10 t ==> (out t = inD10 t)) /\
(inE11 t ==> (out t = inD11 t)) /\





"I (in_A:time->*) ouLA ouLB.
Bus1A_SPEC in_A out_A out_B =
! t:time.
(out_A t = in_A t) /\
(out_B t = in_A t)"
);;
let Bus1B_SPEC = new_definition
(`Bus1B_SPEC`,
"! (in_B:time->*) out_A out_B.
Bus1B_SPEC in_B out_A out_B =
! t:time.
(out_A t = in_B (t-1)) /\





Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains auxiliary definitions needed for the gate-level specification of the FTEP PIU, an ASIC










`pfsm_ty = PH | PA | PD | PILL`;;
let pc_state ty = ``:(w_rdn#b_#w_nin#b_#pf_m-ty#b_#b_#b_#b_#b_#w_rdn#b__#b_#b_y_;;
let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let cmfsm_ty_Axiom =
define_type `cmfsm_ty_Axiom`
`cmfsm_ty = CMI | CMR | CMA3 | CMA1 | CMA0 | CMA2 | CMD1 | CMD0
| CMW | CMABT`;;
let csfsm_ty_Axiom =
define_type `csfsm_ty_Axiom`
`csfsm_ty = CSI | CSL | CSA1 | CSA0 | CSAOW | CSALE | CSRR | CSD1 | CSD0 | CSACK | CSABT`;;
let cefsm_ty_Axiom =
define_type `cefsm_ty_Axiom`
`cefsm_ty = CEI | CEE`;;






let cc_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
w_rdn#w_rd_#w_rd_#w_rdn#b___#b___#b___#b___#w_rdn#w_rd_#b__l#b___#w_rd_#b___)__;_




`mfsm_ty = MI | MA | MW | MRR | MR | MBW | MILL`;;
let mc_state_ty = "_(mfsm-ty#b_#b_#b_#b_#w_rdn#b_#b_#w_rdn#w_rdn#b_#b_#b_w_r_n)_;;
let mc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let rfsm_ty_Axiom =
define_type `rfsm_ty_Axiom`
`rfsm_ty = RI | RA | RD`;;




let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
wordn#wordn#wordn#bool#bool#wordn)";;
let rc_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let sfsm_ty_Axiom =
define_type `sfsm_ty_Axiom`
`sfsm_ty = SSTART | SRA | SPF | SCOI | SCOF | ST | SCII |
SCIF | SS | SSTOP | SCS | SN | SO | SILL`;;
let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool)";;
let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;




let GND = new_definition
(`GND`,
"! t:time. GND t = F"
);;








(`Par_Det`, ":(wordn->bool)");
(`Par_Enc`, ":(wordn->wordn)");
(`p_interp`, ":(^pc_state_ty#^pc_env_ty#^pc_out_ty->bool)");
(`c_interp`, ":(^cc_state_ty#^cc_env_ty#^cc_out_ty->bool)");
(`m_interp`, ":(^mc_state_ty#^mc_env_ty#^mc_out_ty->bool)");
(`r_interp`, ":(^rc_state_ty#^rc_env_ty#^rc_out_ty->bool)");
(`s_interp`, ":(^sc_state_ty#^sc_env_ty#^sc_out_ty->bool)")];;
make_inst_thms abs_rep;;




Author: (c) P. J. Windley 1992
Description:
Prove auxiliary theorems about functions so that functions
can be easily used to represent arrays.
Modification History:
24FEB92 -- Original file. Many of the theorems included were
motivated by theorems defined on lists in
list aux.ml.
26FEB92 -- [DAF] Modified order of parameters in calls to
ALTER, MALTER, SUBARRAY to match simulation
language syntax. Added definition of ELEMENT.






% Added 26FEB92 (from PJW). [DAF] %
let SYM_RULE =
(CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
? failwith `SYM_RULE`;;
% Auxiliary array definitions and theorems.
We will use functions to represent arrays. The definition
that follows defines an ALTER function that can be used to set
the nth member of an array. The following lemmas are useful
in reasoning about array operations. %
let ALTER_DEF = new_definition
(`ALTER_DEF`,
"ALTER (f:*->**) n x = (\m. (m = n) => x | (f m))"
);;
let ALTER_THM = prove_thm
(`ALTER_THM`,





% ALTER_EQUAL is similar to the EL_SET_EL lemma for lists. %
let ALTER_EQUAL = prove_thm
(`ALTER_EQUAL`,
"! x n (f:*->**). (ALTER f n x) n = x",
REPEAT GEN_TAC





% ALTER_NONEQUAL is similar to NOT_EL_SET_EL for lists. %
let ALTER_NONEQUAL = prove_thm
(`ALTER_NON_EQUAL`,
"! n m (f:*->**) x.
~(n = m) ==>







% ALTER_COMMUTES is similar to SETEL_SETEL for lists. %
let ALTER_COMMUTE = prove_thm
(`ALTER_COMMUTE`,
"! (d1:*) d2 (f:*->**) (x:**) y.
~(d1 = d2) ==>
((ALTER (ALTER f d2 x) d1 y) =
(ALTER (ALTER f d1 y) d2 x))",
REPEAT GEN_TAC






THEN UNDISCH_TAC "~((d1:*) = d2)"
THEN ASSUM_LIST (\thl. REWRITE_TAC (map SYM_RULE thl))
);;
% Until now, it hasn't mattered what the type of the subscript is
and so the previous lemmas were all general, even though
someone using them to represent arrays would probably be
using numbers as subscripts.
Now, we want to reason about subarrays given as a sequence from
a starting value to an ending value. This presupposes that the
subscripts can be totally ordered. To make life easy, we won't
be that general, but will use numbers as subscripts. %
let SUBARRAY_DEF = new_definition
(`SUBARRAY_DEF`,
"! n m (f:num->*).
SUBARRAY f (m,n) = \x. ((x+n) <= m) => f(x+n) | ARB"
);;
let SUBARRAY_THM = prove_thm
(`SUBARRAY_THM`,
"! n m (f:num->*).
SUBARRAY f (m,n) x = ((x+n) <= m) => f(x+n) | ARB",
REPEAT GEN_TAC
THEN REWRITE_TAC [SUBARRAY_DEF]
THEN BETA_TAC
THEN REFL_TAC
);;
let ELEMENT_DEF = new_definition
(`ELEMENT_DEF`,
"! m (f:num->*).
ELEMENT f (m) = f m"
);;
% MALTER alters multiple values in an array. %
let MALTER_DEF = new_definition
(`MALTER_DEF`,
"! n m f (g:num->*).
MALTER f (m,n) g =
\x. (n <= x /\ x <= m) => g (x-n) | f x"
);;
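An executable model of ALTER, SUBARRAY, ELEMENT and MALTER, added here as an example (it is not part of the original report and is written in Python, not HOL). It checks the ALTER and MALTER theorems stated in this file by enumeration over small arrays and shows the field relocation pattern that Data_Latches_SPEC in Appendix B builds from MALTER and SUBARRAY. Assumptions: `ARB` is a sentinel standing in for HOL's unspecified value, and the conclusion of ALTER_NON_EQUAL, which is cut off on the page, is taken to be `(ALTER f n x) m = f m`.

```python
from itertools import product

ARB = object()  # stand-in for HOL's unspecified constant ARB (modelling assumption)


def ALTER(f, n, x):
    """The array f with index n set to x."""
    return lambda m: x if m == n else f(m)


def SUBARRAY(f, m, n):
    """Elements n..m of f re-indexed from 0; ARB past the end."""
    return lambda x: f(x + n) if x + n <= m else ARB


def ELEMENT(f, m):
    return f(m)


def MALTER(f, m, n, g):
    """Overwrite f[n..m] with g[0..m-n]."""
    return lambda x: g(x - n) if n <= x <= m else f(x)


def same(f, g, size):
    """Pointwise equality on indices 0..size-1."""
    return all(f(i) == g(i) for i in range(size))


def check_laws(size=4, values=(False, True)):
    """Check each theorem for every array of `size` booleans and every index."""
    idx = range(size)
    arrays = [lambda i, t=t: t[i] for t in product(values, repeat=size)]
    ok = dict.fromkeys(["ALTER_EQUAL", "ALTER_NON_EQUAL", "ALTER_COMMUTE",
                        "MALTER_SUBARRAY_IDENT", "MALTER_SUBARRAY_SUBSCRIPT"], True)
    for f in arrays:
        for n, x in product(idx, values):
            if ALTER(f, n, x)(n) != x:
                ok["ALTER_EQUAL"] = False
        for d1, d2, x, y in product(idx, idx, values, values):
            if d1 == d2:
                continue  # both theorems carry the premise ~(d1 = d2)
            if ALTER(f, d1, x)(d2) != f(d2):
                ok["ALTER_NON_EQUAL"] = False  # assumed conclusion, see lead-in
            lhs = ALTER(ALTER(f, d2, x), d1, y)
            rhs = ALTER(ALTER(f, d1, y), d2, x)
            if not same(lhs, rhs, size):
                ok["ALTER_COMMUTE"] = False
        for m, n in product(idx, idx):
            if not same(MALTER(f, m, n, SUBARRAY(f, m, n)), f, size):
                ok["MALTER_SUBARRAY_IDENT"] = False
            for g in arrays:
                h = MALTER(f, m, n, SUBARRAY(g, m, n))
                if any(h(x) != (g(x) if n <= x <= m else f(x)) for x in idx):
                    ok["MALTER_SUBARRAY_SUBSCRIPT"] = False
    return ok


def commute_needs_distinct_indices():
    """Without ~(d1 = d2) the two write orders differ: the last write wins."""
    f = lambda i: 0
    lhs = ALTER(ALTER(f, 2, "x"), 2, "y")
    rhs = ALTER(ALTER(f, 2, "y"), 2, "x")
    return lhs(2), rhs(2)


def relocate_field():
    """Copy g[2..5] into f[0..3], the MALTER/SUBARRAY pairing used for addr_out."""
    f = lambda i: "f%d" % i  # constructed sample arrays
    g = lambda i: "g%d" % i
    h = MALTER(f, 3, 0, SUBARRAY(g, 5, 2))
    return [h(i) for i in range(6)]


if __name__ == "__main__":
    print(check_laws())
    print(commute_needs_distinct_indices(), relocate_field())
```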
let MALTER_THM = prove_thm
(`MALTER_THM`,
"! n m (x:num) g (f:num->*).






let MALTER_SUBARRAY_IDENT = prove_thm
(`MALTER_SUBARRAY_IDENT`,
"! n m (f:num->*). MALTER f (m,n) (SUBARRAY f (m,n)) = f",
REPEAT GEN_TAC




THEN ASM_REWRITE_TAC []
THEN ASSUM_LIST (\thl. MAP_EVERY ASSUME_TAC
(flat (map CONJUNCTS (filter (is_conj o concl) thl))))
THEN IMP_RES_TAC SUB_ADD




let MALTER_SUBARRAY_SUBSCRIPTS = prove_thm
(`MALTER_SUBARRAY_SUBSCRIPT`,
"! n m x (f:num->*) g.
MALTER f (m,n) (SUBARRAY g (m,n)) x =
(n <= x /\ x <= m) => g x | f x",
REPEAT GEN_TAC
THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
THEN REPEAT COND_CASES_TAC
THEN ASM_REWRITE_TAC []
THEN ASSUM_LIST (\thl. MAP_EVERY ASSUME_TAC
(flat (map CONJUNCTS (filter (is_conj o concl) thl))))
THEN IMP_RES_TAC SUB_ADD







Defines a theory of words which contains a definition for
converting between functions from numbers to booleans and
natural numbers and proves various useful theorems about
this definition. This file is based on a theory that was
originally authored by Graham Birtwhistle of the University
of Calgary in 1988.
Authors: (c) Graham Birtwhistle, Phillip Windley, 1988, 1992
Modification History:
28FEB92 -- [PJW] Original file from wordeanl
10MAR92 -- [PJW] Added definition of WORDN.
13MAR92 -- [DAF] Added definitions of bv, SETN, RSTN, GNDN,
NOTN, INCN, DECN, ARBN.
% Removed 13MAR92. [DAF]









% Replaced 13MAR92. [DAF]
map load_parent [`bits`;`num_thms`;`exp`;`array_def`];;
%





let bv = new_definition
(`bv`,
"! (b:bool).
bv b = (b) => 1 | 0"
);;
let VAL = new_prim_rec_definition
(`VAL`,
"(VAL 0 (f:wordn) = bv (f 0))
/\
(VAL (SUC n) f = ((2 EXP (SUC n)) * (bv (f (SUC n)))) + VAL n f)"
);;
let pos_val = new_definition
(`pos_val`,
"! (x:wordn) (y:num).
pos_val x y = (bv (x y)) * (2 EXP y)"
);;
let ONES = new_prim_rec_definition
(`ONES`,
"(ONES 0 a = (a 0))
/\
(ONES (SUC n) a = (a (SUC n)) /\ (ONES n a))
");;
let ZEROS = new_prim_rec_definition
(`ZEROS`,
"(ZEROS 0 a = ~(a 0))
/\
(ZEROS (SUC n) a = ~(a (SUC n)) /\ (ZEROS n a))
");;
% Modified 13MAR92. [DAF]
let WORDN = new_definition
(`WORDN`,




let WORDN = new_definition
(`WORDN`,
"! (x:num). WORDN x = \n. ((x DIV (2 EXP n)) MOD 2 = 1)"
);;
let SETN = new_definition
(`SETN`,
"! (x:num). SETN x = \(n:num). (n <= x) => T | ARB"
);;
% Equivalent to "WORDN 0" but perhaps more convenient %
let RSTN = new_definition
(`RSTN`,
"! (x:num). RSTN x = \(n:num). (n <= x) => F | ARB"
);;
let GNDN = new_definition
(`GNDN`,
"! (x:num) (t:time). GNDN x t = \(n:num). (n <= x) => F | ARB"
);;
let NOTN = new_definition
(`NOTN`,
"! (x:num) (f:wordn). NOTN x f = \(n:num). (n <= x) => ~(f n) | ARB"
);;
let INCN = new_definition
(`INCN`,
"! n f.
INCN n f = (ONES n f) => RSTN n | WORDN ((VAL n f) + 1)"
);;
let DECN = new_definition
(`DECN`,
"! n f.
DECN n f = (ZEROS n f) => SETN n | WORDN ((VAL n f) - 1)"
);;
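A Python model of the word definitions above, added here as an example (not part of the original report), that exercises the wrap-around cases of INCN and DECN and the carry and increment terms of DP_CTR_SPEC. Assumptions: words are Python functions from bit index to bool, `ARB` is a sentinel for HOL's unspecified value, and `ctr_step`, `check_word_laws` and `bits_above_width` are names introduced for this model.

```python
ARB = object()  # stand-in for HOL's unspecified constant ARB (modelling assumption)


def bv(b):
    return 1 if b else 0


def VAL(n, f):
    """Numeric value of bits 0..n of word f (bit 0 least significant)."""
    return sum((2 ** i) * bv(f(i)) for i in range(n + 1))


def ONES(n, a):
    return all(a(i) for i in range(n + 1))


def ZEROS(n, a):
    return all(not a(i) for i in range(n + 1))


def WORDN(x):
    return lambda n: (x // 2 ** n) % 2 == 1


def SETN(x):
    return lambda n: True if n <= x else ARB


def RSTN(x):
    return lambda n: False if n <= x else ARB


def INCN(n, f):
    """Increment modulo 2**(n+1): all ones wraps to RSTN n."""
    return RSTN(n) if ONES(n, f) else WORDN(VAL(n, f) + 1)


def DECN(n, f):
    """Decrement modulo 2**(n+1): all zeros wraps to SETN n."""
    return SETN(n) if ZEROS(n, f) else WORDN(VAL(n, f) - 1)


def ctr_step(n, r_ctr, ce, cin):
    """r_ctr_new and r_ctr_cry as written in the clkB branch of DP_CTR_SPEC."""
    cry = ce and cin and ONES(n, r_ctr)
    new = INCN(n, r_ctr) if (ce and cin) else r_ctr
    return new, cry


def check_word_laws(n=3):
    """Exhaustive check over every (n+1)-bit value."""
    top = 2 ** (n + 1)
    ok = {"roundtrip": True, "inc_mod": True, "dec_mod": True, "carry_iff_wrap": True}
    for x in range(top):
        w = WORDN(x)
        if VAL(n, w) != x:
            ok["roundtrip"] = False
        if VAL(n, INCN(n, w)) != (x + 1) % top:
            ok["inc_mod"] = False
        if VAL(n, DECN(n, w)) != (x - 1) % top:
            ok["dec_mod"] = False
        new, cry = ctr_step(n, w, True, True)
        if cry != (VAL(n, new) == 0):
            ok["carry_iff_wrap"] = False
    return ok


def bits_above_width(n=3):
    """Bit n+1 after a wrapping and a non-wrapping increment.

    The wrapped result comes from RSTN and is ARB above bit n, the other
    comes from WORDN and is False, so this model compares words on bits 0..n only.
    """
    wrapped = INCN(n, WORDN(2 ** (n + 1) - 1))
    plain = INCN(n, WORDN(0))
    return wrapped(n + 1) is ARB, plain(n + 1)


if __name__ == "__main__":
    print(check_word_laws(), bits_above_width())
    new, cry = ctr_step(31, WORDN(0xFFFFFFFF), True, True)
    print(VAL(31, new), cry)
```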
let ARBN = new_definition
(`ARBN`,




% Removed th_s for now 13MAR92. [DAF]
close_theory();;
Appendix B ML Source for the Gate-Level Specification of the PIU Ports.
This appendix contains the HOL models for the gate-level specification for the PIU ports. The ports are
listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.
B.1 P Port Specification
File: p_block.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the gate-level specification of the PIU P-Port, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.
set_search_path (search_path() @ [`/home/titan31dfum/ftep/piu/hol/lib/`]);;
system `rm p_block.th`;;
new_theory `p_block`;;
map new..parent ['gates_def';'latches_def*,'ffLdeP ;'couute__def' ;'aux_def ;'mray_def;'paux_def ];;
let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#num#bool#bool#
pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#num#bool#bool#bool#bool#bool#bool)";;
let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
:^p_state_ty)";;
let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, Lady_)
:^p_env_ty)";;
let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
I tardy_, I_last_, I_hlda_, I_lock_)
:^p_out_ty)";;
let Data_Latches_SPEC = new_definition
('Data_Latches_SPEC',
"! clkA clkB (lad_in:time->(num->bool)) (lbe_in:time->(num->bool)) (lwr_in:time->bool) en_in be_sel
   wr_data addr destl be wr be_n
   data_out addr_out be_out .
 Data_Latches_SPEC clkA clkB lad_in lbe_in lwr_in en_in be_sel
   wr_data addr destl be wr be_n
   data_out addr_out be_out =
 !t:time.
  ((clkA t) ==>
    ((wr_data (t+1) = lad_in t) /\
     (addr (t+1) = (en_in t) => (lad_in t) | (addr t)) /\
     (destl (t+1) = (en_in t) => (ELEMENT (lad_in t) (31)) | (destl t)) /\
     (be (t+1) = (en_in t) => (lbe_in t) | (be t)) /\
     (wr (t+1) = (en_in t) => (lwr_in t) | (wr t)) /\
     (be_n (t+1) = lbe_in t))) /\
  ((clkB t) ==>
    ((wr_data (t+1) = wr_data t) /\
     (addr (t+1) = addr t) /\
     (destl (t+1) = destl t) /\
     (be (t+1) = be t) /\
     (wr (t+1) = wr t) /\
     (be_n (t+1) = be_n t))) /\
  ((data_out t = wr_data (t+1)) /\
   (let od1 = MALTER (addr_out t) (31,27) (be (t+1)) in
   (let od2 = ALTER od1 (26) F in
   (let od3 = MALTER od2 (25,24) (SUBARRAY (addr (t+1)) (1,0)) in
   (let od4 = MALTER od3 (23,0) (SUBARRAY (addr (t+1)) (25,2)) in
   (addr_out t = od4))))) /\
   (be_out t = (be_sel t) => (be (t+1)) | (be_n (t+1))))"
);;
let Req_Inputs_SPEC = new_definition
('Req_Inputs_SPEC',
"! l_ads_ l_den_ (reset_rqt:time->bool) rqt_inS rqt_inR rqt_inE .
 Req_Inputs_SPEC l_ads_ l_den_ reset_rqt rqt_inS rqt_inR rqt_inE =
 !t:time.
  (rqt_inS t = ~(l_ads_ t) /\ (l_den_ t)) /\
  (rqt_inR t = reset_rqt t) /\
  (rqt_inE t = (rqt_inS t) \/ (rqt_inR t))"
);;
%------------------------------------------------------------------------------
 Input logic for P_size counter.
------------------------------------------------------------------------------%
let Ctr_Logic_SPEC = new_definition
('Ctr_Logic_SPEC',
"! clkA clkB l_ad_in load_in down_in zero_cnt
   p_size p_sizeA p_load p_loadA p_down p_downA .
 Ctr_Logic_SPEC clkA clkB l_ad_in load_in down_in zero_cnt





    ((p_sizeA (t+1) = p_size t) /\
     (p_loadA (t+1) = p_load t) /\
     (p_downA (t+1) = p_down t) /\
     (p_size (t+1) = p_size t) /\
     (p_load (t+1) = p_load t) /\
     (p_down (t+1) = p_down t))) /\
  ((clkB t) ==>
    ((p_sizeA (t+1) = p_sizeA t) /\
     (p_loadA (t+1) = p_loadA t) /\
     (p_downA (t+1) = p_downA t) /\
     (p_size (t+1) = (p_loadA t) => SUBARRAY (l_ad_in t) (1,0) |
                     (p_downA t) => DECN 2 (p_sizeA t) |
                     p_sizeA t) /\
     (p_load (t+1) = load_in t) /\
     (p_down (t+1) = down_in t))) /\
  (zero_cnt t = (p_downA t) => (DECN 2 (p_sizeA (t+1)) = (WORDN 0)) | (p_sizeA (t+1) = (WORDN 0)))"
);;
let Scat_Logic_SPEC = new_definition
('Scat_Logic_SPEC',
"! rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
   i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
   fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready .
 Scat_Logic_SPEC rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
   i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
   fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready =
 !t:time.
  (i_ad_data_out_en t = (p_wr t) /\ (fsm_dstate t)) /\
  (l_ad_out_en_ t = (p_wr t) /\ (fsm_dstate t) \/ ~(fsm_hlda_ t) \/ (fsm_astate t)) /\
  (i_rale_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                 (VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                 (fsm_astate t) /\
                 (p_rqt t))) /\
  (i_male_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                 ~(VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                 (fsm_astate t) /\
                 (p_rqt t))) /\
  (i_crqt_ t = ~((ELEMENT (p_addr t) (31)) /\ (p_rqt t))) /\
  (fsm_mrqt t = ~(ELEMENT (p_addr t) (31)) /\ (p_rqt t)) /\
  (fsm_rst t = rst t) /\
  (fsm_sack t = (zero_cnt t) /\ ~(i_srdy_ t) /\ (fsm_dstate t)) /\
  (reset_rqt t = (rst t) \/ (fsm_sack t)) /\





"! rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE .
 Lock_Inputs_SPEC rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE =
 !t:time.
  (lock_inE t = (rst t) \/ (fsm_dstate t)) /\
  (lock_inh_inE t = (rst t) \/ ~(p_male_ t) \/ ~(p_rale_ t))"
);;
let FSM_SPEC = new_definition
('FSM_SPEC',
"! clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
   state rst mrqt sack cgnt_ crqt_ hold_ lock_
   stateA astate dstate hlda_
   astate_out dstate_out hlda_out_ .
 FSM_SPEC clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
   state rst mrqt sack cgnt_ crqt_ hold_ lock_
   stateA astate dstate hlda_
   astate_out dstate_out hlda_out_ =
 !t:time.
  ((clkA t) ==>
    ((state (t+1) = state t) /\
     (rst (t+1) = rst t) /\
     (mrqt (t+1) = mrqt t) /\
     (sack (t+1) = sack t) /\
     (cgnt_ (t+1) = cgnt_ t) /\
     (crqt_ (t+1) = crqt_ t) /\
     (hold_ (t+1) = hold_ t) /\
     (lock_ (t+1) = lock_ t) /\
     (stateA (t+1) =
       ((rst t) => PA |
        (state t = PH) => ((hold_ t) => PA | PH) |
        (state t = PA) => (((mrqt t) \/ ~(cgnt_ t) /\ ~(crqt_ t)) => PD |
                           (((lock_ t) /\ ~(hold_ t)) => PH | PA)) |
        (((sack t) /\ (hold_ t)) => PA |
         ((sack t) /\ ~(hold_ t) /\ ~(lock_ t)) => PA |
         ((sack t) /\ ~(hold_ t) /\ (lock_ t)) => PH | PD))) /\
     (astate (t+1) = (stateA (t+1) = PA)) /\
     (dstate (t+1) = (stateA (t+1) = PD)) /\
     (hlda_ (t+1) = ~(stateA (t+1) = PA)))) /\
  ((clkB t) ==>
    ((state (t+1) = stateA t) /\
     (rst (t+1) = rst_in t) /\
     (mrqt (t+1) = mrqt_in t) /\
     (sack (t+1) = sack_in t) /\
     (cgnt_ (t+1) = cgnt_in_ t) /\
     (crqt_ (t+1) = crqt_in_ t) /\
     (hold_ (t+1) = hold_in_ t) /\
     (lock_ (t+1) = lock_in_ t) /\









let P_Block_SPEC = new_definition
('P_Block_SPEC',
"! (P_fsm_stateA P_fsm_state :time->pfsm_ty)
   (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :time->wordn)
   (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA P_fsm_rst P_fsm_mrqt
    P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load P_down P_lock_
    P_lock_inh_ P_male_ P_rale_ :time->bool)
   (L_ad_in L_be_ I_ad_in :time->wordn)
   (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :time->bool)
   (L_ad_out I_ad_data_out I_ad_addr_out I_be_ :time->wordn)
   (L_ready_ I_rale_ I_male_ I_crqt_ I_cale_ I_mrdy_ I_last_ I_hlda_ I_lock_ :time->bool) .
 P_Block_SPEC (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
               P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
               P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
               P_lock_inh_, P_male_, P_rale_)
              (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
               I_mrdy_, I_last_, I_hlda_, I_lock_) =
 ? fsm_astate fsm_dstate rqt data_out addr_out be_out data_out_en reset_rqt
   rqt_inS rqt_inR rqt_inE rqt_outQ load_in down_in zero_cnt zero_cnt_
   l_ad_out_en_ rale_ male_ fsm_mrqt fsm_rst fsm_sack l_ready i_cgnt
   lock_inE lock_outQ lock_inh_inE lock_inh_outQ p_male_outQ p_rale_outQ lock_outQ_ .
  (Data_Latches_SPEC ClkA ClkB L_ad_in L_be_ L_wr rqt fsm_astate
                     P_wr_data P_addr P_destl P_be_ P_wr P_be_n_
                     data_out addr_out be_out) /\
  (TRIBUF_SPEC data_out data_out_en I_ad_data_out) /\
  (TRIBUF_SPEC addr_out fsm_astate I_ad_addr_out) /\
  (TRIBUF_SPEC be_out I_hlda_ I_be_) /\
  (Req_Inputs_SPEC L_ads_ L_den_ reset_rqt rqt_inS rqt_inR rqt_inE) /\
  (DSRELAT_SPEC GND rqt_inS rqt_inR rqt_inE ClkB P_rqt rqt_outQ) /\
  (NOT_SPEC rqt_outQ reset_rqt) /\
  (Ctr_Logic_SPEC ClkA ClkB L_ad_in load_in down_in zero_cnt
                  P_size P_sizeA P_load P_loadA P_down P_downA) /\
  (Scat_Logic_SPEC Rst fsm_astate fsm_dstate I_hlda_ P_addr P_wr P_rqt zero_cnt I_srdy_
                   data_out_en l_ad_out_en_ rale_ male_ I_crqt_
                   fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready) /\
  (TRIBUF_SPEC rale_ I_hlda_ I_rale_) /\
  (TRIBUF_SPEC male_ I_hlda_ I_male_) /\
  (TRIBUF_SPEC GND I_hlda_ I_mrdy_) /\
  (NOT_SPEC zero_cnt zero_cnt_) /\
  (TRIBUF_SPEC zero_cnt_ I_hlda_ I_last_) /\
  (NOT_SPEC l_ready L_ready_) /\
  (DSELAT_SPEC L_lock_ Rst lock_inE ClkB P_lock_ lock_outQ) /\
  (DSELAT_SPEC L_lock_ Rst lock_inh_inE ClkB P_lock_inh_ lock_inh_outQ) /\
  (Lock_Inputs_SPEC Rst fsm_dstate p_male_outQ p_rale_outQ lock_inE lock_inh_inE) /\
  (DELAT_SPEC male_ fsm_astate ClkB P_male_ p_male_outQ) /\
  (DELAT_SPEC rale_ fsm_astate ClkB P_rale_ p_rale_outQ) /\
  (NOT_SPEC lock_outQ lock_outQ_) /\
  (NAND2_SPEC lock_outQ_ lock_inh_outQ I_lock_) /\
  (NOT_SPEC I_cgnt_ i_cgnt) /\
  (NAND3_SPEC i_cgnt fsm_astate I_hold_ I_cale_) /\
  (BUF_SPEC I_ad_in L_ad_out) /\
  (FSM_SPEC ClkA ClkB fsm_rst fsm_mrqt fsm_sack I_cgnt_ I_crqt_ I_hold_ lock_outQ
            P_fsm_state P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_
            P_fsm_hold_





B.2 M Port Specification
File: m_block.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the gate-level specification of the P-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
................................................................................................................. o_
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm m_block.th';;
new_theory 'm_block';;
loadf 'abstract';;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'maux_def';'aux_def';'array_def';'wordn_def'];;
let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                   mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#
                   bool#bool#wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                 M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                 M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                 M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                :^m_state_ty)";;
let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^m_env_ty)";;
let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              :^m_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let SE_Logic_SPEC = new_definition
('SE_Logic_SPEC',
"! clkA clkB (i_ad:time->wordn) male mem_enable M_se cs_e_ cs_s_ .
 SE_Logic_SPEC clkA clkB i_ad male mem_enable M_se cs_e_ cs_s_ =
 !t:time.
  ((clkA t) ==> ((M_se (t+1) = M_se t))) /\
  ((clkB t) ==> ((M_se (t+1) = (male t) => ELEMENT (i_ad t) (23) | M_se t))) /\
  ((cs_e_ t = ~((mem_enable t) /\ ~(M_se (t+1)))) /\
   (cs_s_ t = ~((mem_enable t) /\ (M_se (t+1)))))"
);;
let WR_Logic_SPEC = new_definition
('WR_Logic_SPEC',
"! clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem .
 WR_Logic_SPEC clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem =
 !t:time.
  ((clkA t) ==> ((M_wr (t+1) = M_wr t))) /\
  ((clkB t) ==> ((M_wr (t+1) = (male t) => ELEMENT (i_ad t) (27) | M_wr t))) /\
  ((wr t = M_wr (t+1)) /\
   (rd_mem t = (mem_enable t) /\ ~(M_wr (t+1))) /\
   (wr_mem t = (mem_enable t) /\ (M_wr (t+1))))"
);;
let Addr_Ctr_SPEC = new_definition
('Addr_Ctr_SPEC',
"! clkA clkB (i_ad:time->wordn) male rdyA M_addr M_addrA addr_out .
 Addr_Ctr_SPEC clkA clkB i_ad male rdyA M_addr M_addrA addr_out =
 !t:time.
  ((clkA t) ==>
    ((M_addr (t+1) = M_addr t) /\
     (M_addrA (t+1) = M_addr t))) /\
  ((clkB t) ==>
    ((M_addr (t+1) = (male t) => (SUBARRAY (i_ad t) (lg,0)) |
                     (rdyA t) => (INCN lg (M_addrA t)) | (M_addrA t)) /\
     (M_addrA (t+1) = M_addrA t))) /\
  (addr_out t = (rdyA t) => (INCN 15 (M_addrA (t+1))) | M_addrA (t+1))"
);;
let BE_Logic_SPEC = new_definition
('BE_Logic_SPEC',
"! clkA clkB (i_be:time->wordn) male srdy wr_mem M_be M_beA be_out ww bw .
 BE_Logic_SPEC clkA clkB i_be male srdy wr_mem M_be M_beA be_out ww bw =
 !t:time.
  ((clkA t) ==>
    ((M_be (t+1) = M_be t) /\
     (M_beA (t+1) = M_be t))) /\
  ((clkB t) ==>
    ((M_be (t+1) = ((male t) \/ (srdy t)) => (i_be t) | (M_be t)) /\
     (M_beA (t+1) = M_beA t))) /\
  ((be_out t = M_beA (t+1)) /\
   (ww t = (wr_mem t) /\ (VAL 3 (M_be (t+1)) = 15)) /\
   (bw t = (wr_mem t) /\ ~(VAL 3 (M_be (t+1)) = 15)))"
);;
let Rdy_Logic_SPEC = new_definition
('Rdy_Logic_SPEC',
"! write read zero_cnt wr_mem rdy .
 Rdy_Logic_SPEC write read zero_cnt wr_mem rdy =
 !t:time.
  (rdy t = (write t) /\ (zero_cnt t) \/ (read t) /\ (zero_cnt t) /\ ~(wr_mem t))"
);;
%------------------------------------------------------------------------------
 Wait state counter logic.
------------------------------------------------------------------------------%
let Ctr_Logic_SPEC = new_definition
('Ctr_Logic_SPEC',
"! clkA clkB in dn ld M_count M_countA zero_cnt .
 Ctr_Logic_SPEC clkA clkB in dn ld M_count M_countA zero_cnt =
 !t:time.
  ((clkA t) ==>
    ((M_count (t+1) = M_count t) /\
     (M_countA (t+1) = M_count t))) /\
  ((clkB t) ==>
    ((M_count (t+1) = (ld t) => ((in t) => (WORDN 1) | (WORDN 2)) |
                      (dn t) => (DECN 1 (M_countA t)) | (M_countA t)) /\
     (M_countA (t+1) = M_countA t))) /\
  (zero_cnt t = (M_countA (t+1) = ((dn t) => (WORDN 1) | (WORDN 0))))"
);;
let Enable_Logic_SPEC = new_definition
('Enable_Logic_SPEC',
"! cs_eeprom_ rd_mem address read write byte_write wwdel
   disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_ .
 Enable_Logic_SPEC cs_eeprom_ rd_mem address read write byte_write wwdel
   disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_ =
 !t:time.
  (oe_ t = ~((rd_mem t) /\ (address t) \/ (read t))) /\




            ~((write t) \/ (byte_write t) \/ (wwdel t))) /\
  (edac_le t = read t) /\
  (mb_wr_en_ t = ~(write t))"
);;
let Srdy_Logic_SPEC = new_definition
('Srdy_Logic_SPEC',
"! wr rdy rdy_outQ srdy_ .
 Srdy_Logic_SPEC wr rdy rdy_outQ srdy_ =
 !t:time.
  srdy_ t = ~((rdy_outQ t) /\ ~(wr t) \/ (rdy t) /\ (wr t))"
);;
let EDAC_Decode_Logic_SPEC = new_definition
('EDAC_Decode_Logic_SPEC',
"! (rep:^rep_ty) (mb_data_in:time->wordn) edac_en data_out detect_out .
 EDAC_Decode_Logic_SPEC rep mb_data_in edac_en data_out detect_out =
 !t:time.
  (data_out t = (edac_en t) => (Ham_Dec rep (mb_data_in t)) | (mb_data_in t)) /\
  (detect_out t = (edac_en t) => (Ham_Det1 rep (mb_data_in t)) | (WORDN 0))"
);;
let Read_Latches_SPEC = new_definition
('Read_Latches_SPEC',
"! (rep:^rep_ty) clkA clkB (data_inD:time->wordn) edac_en edac_le detect_inD detect_inE
   M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ .
 Read_Latches_SPEC rep clkA clkB data_inD edac_en edac_le detect_inD detect_inE
   M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ =
 !t:time.
  ((clkA t) ==>
    ((M_rd_data (t+1) = M_rd_data t) /\
     (M_rd_dataA (t+1) = M_rd_data t) /\
     (M_detect (t+1) = (detect_inE t) => (detect_inD t) | (M_detect t)))) /\
  ((clkB t) ==>
    ((M_rd_data (t+1) = (edac_le t) => (data_inD t) | (M_rd_data t)) /\
     (M_rd_dataA (t+1) = M_rd_data t) /\
     (M_detect (t+1) = M_detect t))) /\
  ((m_data_outQ t = M_rd_dataA (t+1)) /\
   (m_detect_outQ t = Ham_Det2 rep ((M_detect (t+1)), (edac_en t))))"
);;
let Detect_Enable_Logic_SPEC = new_definition
('Detect_Enable_Logic_SPEC',
"! edac_en edac_rd detect_inE .
 Detect_Enable_Logic_SPEC edac_en edac_rd detect_inE =
 !t:time.
  (detect_inE t = (edac_en t) /\ (edac_rd t) \/ ~(edac_rd t))"
);;
%------------------------------------------------------------------------------
 Memory write data multiplexer.
------------------------------------------------------------------------------%
let Mux_Out_Logic_SPEC = new_definition
('Mux_Out_Logic_SPEC',
"! (m_data_outQ:time->wordn) i_ad be mb_data_out .
 Mux_Out_Logic_SPEC m_data_outQ i_ad be mb_data_out =
 !t:time.
  let od1 =




    (MALTER od1 (15,8) ((ELEMENT (be t) (1)) => (SUBARRAY (i_ad t) (15,8))
                         | (SUBARRAY (m_data_outQ t) (15,8))))
  in
  (let od3 =
    (MALTER od2 (23,16) ((ELEMENT (be t) (2)) => (SUBARRAY (i_ad t) (23,16))
                          | (SUBARRAY (m_data_outQ t) (23,16))))
  in
  (let od4 =
    (MALTER od3 (31,24) ((ELEMENT (be t) (3)) => (SUBARRAY (i_ad t) (31,24))
                          | (SUBARRAY (m_data_outQ t) (31,24))))
  in (mb_data_out t = od4))))"
);;
let Enc_Out_Logic_SPEC = new_definition
('Enc_Out_Logic_SPEC',
"! (rep:^rep_ty) (mb_data_out:time->wordn) mb_edata_out .
 Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out =
 !t:time.
  (mb_edata_out t = Ham_Enc rep (mb_data_out t))"
);;
let Memparity_In_Logic_SPEC = new_definition
('Memparity_In_Logic_SPEC',
"! srdy mem_enable detect_outQ rst reset_parity memparity_inS memparity_inR memparity_inE .
 Memparity_In_Logic_SPEC srdy mem_enable detect_outQ rst reset_parity
   memparity_inS memparity_inR memparity_inE =
 !t:time.
  (memparity_inS t = (srdy t) /\ (mem_enable t) /\ (detect_outQ t)) /\
  (memparity_inR t = (rst t) \/ (reset_parity t)) /\
  (memparity_inE t = (memparity_inS t) \/ (memparity_inR t))"
);;
%------------------------------------------------------------------------------
 M-Port controller state machine.
------------------------------------------------------------------------------%
let FSM_SPEC = new_definition
('FSM_SPEC',
"! clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
   state male_ rd bw ww last_ mrdy_ zero_cnt rst
   stateA address read write byte_write mem_enable
   address_out read_out write_out byte_write_out mem_enable_out .
 FSM_SPEC clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
   state male_ rd bw ww last_ mrdy_ zero_cnt rst
   stateA address read write byte_write mem_enable
   address_out read_out write_out byte_write_out mem_enable_out =
 !t:time.
  ((clkA t) ==>
    ((state (t+1) = state t) /\
     (male_ (t+1) = male_ t) /\
     (rd (t+1) = rd t) /\
     (bw (t+1) = bw t) /\
     (ww (t+1) = ww t) /\
     (last_ (t+1) = last_ t) /\
     (mrdy_ (t+1) = mrdy_ t) /\
     (zero_cnt (t+1) = zero_cnt t) /\
     (rst (t+1) = rst t) /\
     (stateA (t+1) =
       ((rst t) => MI |
        (state t = MI) => ((~(male_ t)) => MA | MI) |
        (state t = MA) => ((~(mrdy_ t) /\ (ww t)) => MW |
                           (~(mrdy_ t) /\ ((rd t) \/ (bw t))) => MR | MA) |
        (state t = MR) => (((bw t) /\ (zero_cnt t)) => MBW |
                           ((last_ t) /\ (rd t) /\ (zero_cnt t)) => MA |
                           (~(last_ t) /\ (rd t) /\ (zero_cnt t)) => MRR | MR) |
        (state t = MRR) => MI |
        (state t = MW) => (((zero_cnt t) /\ ~(last_ t)) => MI |
                           ((zero_cnt t) /\ (last_ t)) => MA | MW) |
        MW)) /\
     (address (t+1) = (stateA (t+1) = MA)) /\
     (read (t+1) = (stateA (t+1) = MR)) /\
     (write (t+1) = (stateA (t+1) = MW)) /\
     (byte_write (t+1) = (stateA (t+1) = MBW)) /\
     (mem_enable (t+1) = ~(stateA (t+1) = MI)))) /\
  ((clkB t) ==>
    ((state (t+1) = stateA t) /\
     (male_ (t+1) = male_in_ t) /\
     (rd (t+1) = rd_in t) /\
     (bw (t+1) = bw_in t) /\
     (ww (t+1) = ww_in t) /\
     (last_ (t+1) = last_in_ t) /\
     (mrdy_ (t+1) = mrdy_in_ t) /\
     (zero_cnt (t+1) = zero_cnt_in t) /\
     (rst (t+1) = rst_in t) /\
     (stateA (t+1) = stateA t) /\
     (address (t+1) = address t) /\
     (read (t+1) = read t) /\
     (write (t+1) = write t) /\
     (byte_write (t+1) = byte_write t) /\
     (mem_enable (t+1) = mem_enable t))) /\
  ((address_out t = address (t+1)) /\
   (read_out t = read (t+1)) /\
   (write_out t = write (t+1)) /\
   (byte_write_out t = byte_write (t+1)) /\
   (mem_enable_out t = mem_enable (t+1)))
");;
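The next-state clause of the M-Port FSM_SPEC above can be exercised as a small Python model; this is an added illustration, not part of the report's HOL source. It assumes the OCR-damaged tokens in the listing read as mrdy_, last_ and MA, starts both state latches in MI, and drives stimulus constructed for the example.

```python
"""Executable reading of the M-Port FSM_SPEC next-state clause (added illustration)."""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class St(Enum):
    MI = "MI"
    MA = "MA"
    MR = "MR"
    MRR = "MRR"
    MW = "MW"
    MBW = "MBW"


@dataclass(frozen=True)
class Inputs:
    """Values latched on phase B; names ending in '_' are active low."""
    male_: bool = True
    rd: bool = False
    bw: bool = False
    ww: bool = False
    last_: bool = True
    mrdy_: bool = True
    zero_cnt: bool = False
    rst: bool = False


def next_state(state, i):
    """stateA(t+1) from the clkA clause, branch for branch."""
    if i.rst:
        return St.MI
    if state is St.MI:
        return St.MA if not i.male_ else St.MI
    if state is St.MA:
        if not i.mrdy_ and i.ww:
            return St.MW
        if not i.mrdy_ and (i.rd or i.bw):
            return St.MR
        return St.MA
    if state is St.MR:
        if i.bw and i.zero_cnt:
            return St.MBW
        if i.last_ and i.rd and i.zero_cnt:
            return St.MA
        if not i.last_ and i.rd and i.zero_cnt:
            return St.MRR
        return St.MR
    if state is St.MRR:
        return St.MI
    if state is St.MW:
        if i.zero_cnt and not i.last_:
            return St.MI
        if i.zero_cnt and i.last_:
            return St.MA
        return St.MW
    return St.MW  # only MBW reaches the final default of the conditional


def decode(state_a):
    """Control outputs as the specification derives them from stateA."""
    return {
        "address": state_a is St.MA,
        "read": state_a is St.MR,
        "write": state_a is St.MW,
        "byte_write": state_a is St.MBW,
        "mem_enable": state_a is not St.MI,
    }


def run_trace(cycles):
    """Apply phase B (state := stateA, latch inputs) then phase A per cycle."""
    state_a = St.MI  # assumed initial value; each trace below starts with a reset
    seen = []
    for inputs in cycles:
        state = state_a                       # clkB: state(t+1) = stateA t
        state_a = next_state(state, inputs)   # clkA: stateA(t+1) = f(state, latched inputs)
        seen.append(state_a.value)
    return seen


def all_inputs():
    """Every combination of the eight latched inputs."""
    for bits in product([False, True], repeat=8):
        yield Inputs(*bits)


def reachable(start=St.MI):
    """States reachable from start under any input sequence."""
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for i in all_inputs():
            n = next_state(s, i)
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return seen


# Constructed stimulus: one word write, and one byte write (read, then write).
WORD_WRITE = [Inputs(rst=True), Inputs(male_=False),
              Inputs(mrdy_=False, ww=True),
              Inputs(zero_cnt=True, last_=False)]
BYTE_WRITE = [Inputs(rst=True), Inputs(male_=False),
              Inputs(mrdy_=False, bw=True),
              Inputs(bw=True, zero_cnt=True),
              Inputs(),
              Inputs(zero_cnt=True, last_=False)]

if __name__ == "__main__":
    print(run_trace(WORD_WRITE))
    print(run_trace(BYTE_WRITE))
    print(sorted(s.value for s in reachable()))
```

The byte-write trace shows the read-before-write path MA, MR, MBW, MW that the nested conditional encodes, and the reachability check confirms that the final default branch is taken only from MBW.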
let M_Block_SPEC = new_definition
('M_Block_SPEC',
"! (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
    M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst M_se
    M_wr M_rdy M_wwdel M_parity :(time->bool))
   (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :(time->wordn))
   (M_fsm_stateA M_fsm_state :(time->mfsm_ty))
   (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :(time->bool))
   (I_ad_in I_be_ MB_data_in :(time->wordn))
   (I_srdy_ MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ MB_parity :(time->bool))
   (I_ad_out MB_addr MB_data_out :(time->wordn))
   (rep:^rep_ty) .
 M_Block_SPEC (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
               M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
               M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
               M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
              (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              rep =
 ? male address read write byte_write mem_enable wr rd_mem wr_mem rdy_outQ srdy
   be ww bw zero_cnt rdy count_inDN count_inLD wwdel_inD wwdel_outQ edac_le
   rdy_outQ srdy_ edac_en data_out detect_out data_inD detect_inD detect_inE
   m_data_outQ m_detect_outQ mb_data_out mb_edata_out mb_wr_en_ mb_wr_en
   memparity_inS memparity_inR memparity_inE .
  (NOT_SPEC I_male_ male) /\
  (SE_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_se MB_cs_eeprom_ MB_cs_sram_) /\
  (WR_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_wr wr rd_mem wr_mem) /\
  (Addr_Ctr_SPEC ClkA ClkB I_ad_in male rdy_outQ M_addr M_addrA MB_addr) /\
  (BE_Logic_SPEC ClkA ClkB I_be_ male srdy wr_mem M_be M_beA be ww bw) /\
  (Rdy_Logic_SPEC write read zero_cnt wr_mem rdy) /\
  (Ctr_Logic_SPEC ClkA ClkB MB_cs_eeprom_ count_inDN count_inLD M_count M_countA zero_cnt) /\
  (OR2_SPEC write read count_inDN) /\
  (OR2_SPEC address byte_write count_inLD) /\
  (AND2_SPEC ww address wwdel_inD) /\
  (DLAT_SPEC wwdel_inD ClkB M_wwdel wwdel_outQ) /\
  (Enable_Logic_SPEC MB_cs_eeprom_ rd_mem address read write byte_write wwdel_outQ
                     Disable_eeprom Disable_writes MB_oe_ edac_le MB_we_ mb_wr_en_) /\
  (DFF_SPEC rdy ClkA M_rdy M_rdyA rdy_outQ) /\
  (Srdy_Logic_SPEC wr rdy rdy_outQ srdy_) /\
  (TRIBUF_SPEC srdy_ mem_enable I_srdy_) /\
  (NOT_SPEC srdy_ srdy) /\
  (NOT_SPEC Edac_en_ edac_en) /\
  (EDAC_Decode_Logic_SPEC rep MB_data_in edac_en data_out detect_out) /\
  (Read_Latches_SPEC rep ClkA ClkB data_inD edac_en edac_le detect_inD detect_inE
                     M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ) /\
  (TRIBUF_SPEC m_data_outQ rd_mem I_ad_out) /\
  (Detect_Enable_Logic_SPEC edac_en rd_mem detect_inE) /\
  (Mux_Out_Logic_SPEC m_data_outQ I_ad_in be mb_data_out) /\
  (Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out) /\
  (NOT_SPEC mb_wr_en_ mb_wr_en) /\
  (TRIBUF_SPEC mb_edata_out mb_wr_en MB_data_out) /\
  (Memparity_In_Logic_SPEC srdy mem_enable m_detect_outQ Rst Reset_parity
                           memparity_inS memparity_inR memparity_inE) /\
  (DSRELAT_SPEC GND memparity_inS memparity_inR memparity_inE ClkB
                M_parity MB_parity) /\
  (FSM_SPEC ClkA ClkB I_male_ rd_mem bw ww I_last_ I_mrdy_ zero_cnt Rst
            M_fsm_state M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_
            M_fsm_zero_cnt M_fsm_rst
            M_fsm_stateA M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable




B.3 R Port Specification
File: r_block.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the gate-level specification of the R-Port of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm r_block.th';;
new_theory 'r_block';;
map loadf ['abstract';'buses_def'];;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'datapaths_def';'raux_def';'aux_def';
                'array_def';'wordn_def'];;







let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
                 R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
                 R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
                 R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
                 R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
                 R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
                 R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
                 R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
                 R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
                 R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
                 R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
                 R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
                 R_sr_rden)
                :^r_state_ty)";;
let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                 wordn#wordn#wordn#bool#bool#wordn)";;
let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;
let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let r_out = "((I_ad_out, I_srdy_, Int0, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
%------------------------------------------------------------------------------
 R-Port controller state machine.
------------------------------------------------------------------------------%
let FSM_SPEC = new_definition
('FSM_SPEC',
"! (ClkA:time->bool) ClkB ale_in_ mrdy_in_ last_in_ rst_in
   ale_ mrdy_ last_ rst state
   cntlatch srdy_ (stateA:time->rfsm_ty)
   s0_out s1_out cntlatch_out srdy_out_ .
 FSM_SPEC ClkA ClkB ale_in_ mrdy_in_ last_in_ rst_in
   ale_ mrdy_ last_ rst state
   cntlatch srdy_ stateA
   s0_out s1_out cntlatch_out srdy_out_ =
 !t:time.
  ((ClkA t) ==>
    ((stateA (t+1) = ((rst t) => RI |
                      ((state t) = RI) => ((~ale_ t) => RA | RI) |
                      ((state t) = RA) => ((~mrdy_ t) => RD | RA) |
                      ((~last_ t) => RI | RA))) /\
     (cntlatch (t+1) = ((state t = RI) /\ ~ale_ t)) /\
     (srdy_ (t+1) = ~((state t = RA) /\ ~mrdy_ t)) /\
     (state (t+1) = state t) /\
     (ale_ (t+1) = ale_ t) /\
     (mrdy_ (t+1) = mrdy_ t) /\
     (last_ (t+1) = last_ t) /\
     (rst (t+1) = rst t))) /\
  ((ClkB t) ==>
    ((stateA (t+1) = stateA t) /\
     (cntlatch (t+1) = cntlatch t) /\
     (srdy_ (t+1) = srdy_ t) /\
     (state (t+1) = stateA t) /\
     (ale_ (t+1) = ale_in_ t) /\
     (mrdy_ (t+1) = mrdy_in_ t) /\
     (last_ (t+1) = last_in_ t) /\
     (rst (t+1) = rst_in t))) /\
  ((s0_out (t+1) = (stateA (t+1) = RD)) /\
   (s1_out (t+1) = ((stateA (t+1) = RA) \/ (stateA (t+1) = RD))) /\
   (cntlatch_out t = cntlatch (t+1)) /\
   (srdy_out_ t = srdy_ (t+1)))"
);;
let Wr_Lat_SPEC = new_definition
('Wr_Lat_SPEC',
"! clkB (iad_in:time->wordn) wr_inE r_wr wr_outQ .
 Wr_Lat_SPEC clkB iad_in wr_inE r_wr wr_outQ =
 !t:time.
  ((~(clkB t)) ==> (r_wr (t+1) = r_wr t)) /\
  ((clkB t) ==> (r_wr (t+1) = (wr_inE t) => (ELEMENT (iad_in t) (27)) | r_wr t)) /\
  (wr_outQ t = r_wr (t+1))"
);;
let RW_Sigs_SPEC = new_definition
('RW_Sigs_SPEC',
"! r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en .
 RW_Sigs_SPEC r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en =
 (!t:time.
  (dp_read t = (~r_wr t) /\ ((s0 t) \/ (s1 t))) /\
  (r_write t = (~disable_writes t) /\ (r_wr t) /\ (s0 t) /\ (s1 t)) /\
  (r_read t = (~r_wr t) /\ (~s0 t) /\ (s1 t)) /\
  (icr_rd_en t = (~s0 t) /\ (s1 t)) /\
  (srdy_en t = (s0 t) \/ (s1 t)))"
);;
let Reg_Sel_Ctr_SPEC = new_definition
('Reg_Sel_Ctr_SPEC',
"! clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ .
 Reg_Sel_Ctr_SPEC clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ =
 !t:time.
  ((clkA t) ==>
    ((r_reg_sel (t+1) = r_reg_sel t) /\
     (r_reg_selA (t+1) = r_reg_sel t))) /\
  ((~(clkA t)) ==>
    ((r_reg_sel (t+1) =
       (inL t) => SUBARRAY (iad_in t) (3,0) |
       (~inU_ t) => INCN 3 (r_reg_selA t) | r_reg_selA t) /\
     (r_reg_selA (t+1) = r_reg_selA t))) /\
  (outQ t = (~inU_ t) => INCN 3 (r_reg_selA (t+1)) | r_reg_selA (t+1))"
);;
%------------------------------------------------------------------------------
 Generation logic for register file control signals.
------------------------------------------------------------------------------%
let Reg_File_Ctl_SPEC = new_definition
('Reg_File_Ctl_SPEC',
"! (reg_sel:time->wordn) write read icr_rd_en
   cir_wr01 cir_wr23
   c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
   c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
   icr_wr_feedback icr_select icr_rd
   ccr_wr ccr_rd gcr_wr gcr_rd sr_rd .
 Reg_File_Ctl_SPEC reg_sel write read icr_rd_en
   cir_wr01 cir_wr23
   c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
   c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
   icr_wr_feedback icr_select icr_rd
   ccr_wr ccr_rd gcr_wr gcr_rd sr_rd =
 (!t:time.
  (cir_wr01 t = (write t) /\ (((reg_sel t) = WORDN 8) \/ ((reg_sel t) = WORDN 9))) /\
  (cir_wr23 t = (write t) /\ (((reg_sel t) = WORDN 10) \/ ((reg_sel t) = WORDN 11))) /\
  (c0ir_wr t = (write t) /\ ((reg_sel t) = WORDN 8)) /\
  (c0ir_rd t = (read t) /\ ((reg_sel t) = WORDN 8)) /\
  (c0or_rd t = (read t) /\ ((reg_sel t) = WORDN 12)) /\
  (c1ir_wr t = (write t) /\ ((reg_sel t) = WORDN 9)) /\
  (c1ir_rd t = (read t) /\ ((reg_sel t) = WORDN 9)) /\
  (c1or_rd t = (read t) /\ ((reg_sel t) = WORDN 13)) /\
  (c2ir_wr t = (write t) /\ ((reg_sel t) = WORDN 10)) /\
  (c2ir_rd t = (read t) /\ ((reg_sel t) = WORDN 10)) /\
  (c2or_rd t = (read t) /\ ((reg_sel t) = WORDN 14)) /\
  (c3ir_wr t = (write t) /\ ((reg_sel t) = WORDN 11)) /\
  (c3ir_rd t = (read t) /\ ((reg_sel t) = WORDN 11)) /\
  (c3or_rd t = (read t) /\ ((reg_sel t) = WORDN 15)) /\
  (icr_wr_feedback t = (write t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
  (icr_select t = ~((reg_sel t) = WORDN 1)) /\
  (icr_rd t = (icr_rd_en t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
  (ccr_wr t = (write t) /\ ((reg_sel t) = WORDN 3)) /\
  (ccr_rd t = (read t) /\ ((reg_sel t) = WORDN 3)) /\
  (gcr_wr t = (write t) /\ ((reg_sel t) = WORDN 2)) /\
  (gcr_rd t = (read t) /\ ((reg_sel t) = WORDN 2)) /\
  (sr_rd t = (read t) /\ ((reg_sel t) = WORDN 4)))"
);;
%------------------------------------------------------------------------------
 Input logic for R_int1_en, R_int2_en latches.
------------------------------------------------------------------------------%
let Ctr_Int_Logic_SPEC = new_definition
('Ctr_Int_Logic_SPEC',
"! one_shot interrupt reload cout cout_del cir_wr
   int_en_inR int_en_inS int_en_inE c_ld .
 Ctr_Int_Logic_SPEC one_shot interrupt reload cout cout_del cir_wr
   int_en_inR int_en_inS int_en_inE c_ld =
 (!t:time.
  (int_en_inR t = (one_shot t) /\ (cout_del t) \/ (~interrupt t)) /\
  (int_en_inS t = (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\
  (int_en_inE t = (one_shot t) /\ (cout_del t) \/ (~interrupt t) \/
                  (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\









 And_Tree_SPEC icr out0 out3 =
 (!t:time.

















(0)) /\ (ELEMENT (icr t) (8)) \/
(1)) /\ (ELEMENT (icr t) (9)) \/
(2)) /\ (ELEMENT (icr t) (10)) \/
(3)) /\ (ELEMENT (icr t) (11)) \/
(4)) /\ (ELEMENT (icr t) (12)) \/
(5)) /\ (ELEMENT (icr t) (13)) \/
(6)) /\ (ELEMENT (icr t) (14)) \/
(7)) /\ (ELEMENT (icr t) (15))) /\
(16)) /\ (ELEMENT (icr t) (24)) \/
(17)) /\ (ELEMENT (icr t) (25)) \/
(18)) /\ (ELEMENT (icr t) (26)) \/
(19)) /\ (ELEMENT (icr t) (27)) \/
(20)) /\ (ELEMENT (icr t) (28)) \/
(21)) /\ (ELEMENT (icr t) (29)) \/
(22)) /\ (ELEMENT (icr t) (30)) \/
(23)) /\ (ELEMENT (icr t) (31))))"
);;
let Reg_Int_Logic_SPEC = new_definition
('Reg_Int_Logic_SPEC',
"! int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ .
 Reg_Int_Logic_SPEC int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ =
 (!t:time.
  (int0_ t = ~((int0_en t) /\ (~int0_dis t) /\ (~disable_int t))) /\
  (int3_ t = ~((int3_en t) /\ (~int3_dis t) /\ (~disable_int t))))"
);;
let SR_Inputs_SPEC = new_definition
('SR_Inputs_SPEC',
"! cpu_fail reset_cpu piu_fail pmm_fail s_state
   id channelID cb_parity c_ss mb_parity (sr_inp:time->wordn) .
 SR_Inputs_SPEC cpu_fail reset_cpu piu_fail pmm_fail s_state
   id channelID cb_parity c_ss mb_parity sr_inp =
 !t:time.
  let a1 = (MALTER ARBN (1,0) (cpu_fail t)) in
  let a3 = (MALTER a1 (3,2) (reset_cpu t)) in
  let a5 = (ALTER a3 (8) (piu_fail t)) in
  let a6 = (ALTER a5 (9) (pmm_fail t)) in
  let a7 = (MALTER a6 (15,12) (s_state t)) in
  let a8 = (MALTER a7 (21,16) (id t)) in
  let a9 = (MALTER a8 (23,22) (channelID t)) in
  let a10 = (ALTER a9 (24) (cb_parity t)) in
  let a11 = (MALTER a10 (27,25) (c_ss t)) in
  let a12 = (ALTER a11 (28) (mb_parity t)) in
  (sr_inp t = a12)"
);;
let GCR_Outputs_SPEC = new_definition
('GCR_Outputs_SPEC',
"! (gcr_out:time->wordn)
led reload01 oneshot01 interrupt01 enable01
reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid.
GCR_Outputs_SPEC gcr_out led reload01 oneshot01 interrupt01
enable01 reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid =
!t:time.
(led t = SUBARRAY (gcr_out t) (3,0)) /\
(reload01 t = ELEMENT (gcr_out t) (16)) /\
(oneshot01 t = ELEMENT (gcr_out t) (17)) /\
(interrupt01 t = ELEMENT (gcr_out t) (18)) /\
(enable01 t = ELEMENT (gcr_out t) (19)) /\
(reload23 t = ELEMENT (gcr_out t) (20)) /\
(oneshot23 t = ELEMENT (gcr_out t) (21)) /\
(interrupt23 t = ELEMENT (gcr_out t) (22)) /\
(enable23 t = ELEMENT (gcr_out t) (23)) /\
(reset_error t = ELEMENT (gcr_out t) (24)) /\
(pmm_invalid t = ELEMENT (gcr_out t) (28))"
);;
let Bus_Enab_SPEC = new_definition
('Bus_Enab_SPEC',
"! clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en.
Bus_Enab_SPEC clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en =
!t:time.
(busA_c0_en1 t = (clkA t) /\ (r_ctr0_irden t)) /\
(busA_c0_en2 t = (clkA t) /\ (r_ctr0_orden t)) /\
(busA_c1_en1 t = (clkA t) /\ (r_ctr1_irden t)) /\
(busA_c1_en2 t = (clkA t) /\ (r_ctr1_orden t)) /\
(busA_c2_en1 t = (clkA t) /\ (r_ctr2_irden t)) /\
(busA_c2_en2 t = (clkA t) /\ (r_ctr2_orden t)) /\
(busA_c3_en1 t = (clkA t) /\ (r_ctr3_irden t)) /\
(busA_c3_en2 t = (clkA t) /\ (r_ctr3_orden t)) /\
(busA_icr_en t = (clkA t) /\ (r_icr_rden t)) /\
(busA_ccr_en t = (clkA t) /\ (r_ccr_rden t)) /\
(busA_gcr_en t = (clkA t) /\ (r_gcr_rden t)) /\




let R_Block_SPEC = new_definition
('R_Block_SPEC',
"! (rep:^rep_ty)
(R_fsm_stateA R_fsm_state :time->rfsm_ty)
(R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
R_ccr R_gcr R_sr :time->wordn)
(R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
R_sr_rden :time->bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :time->wordn)
(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
CB_parity MB_parity :time->bool)
(I_ad_out Ccr Led :time->wordn)
(I_srdy_ Int0_ Int1 Int2 Int3_ Reset_error Pmm_invalid :time->bool).
R_Block_SPEC rep
(R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
R_sr_rden)
(ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
(I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid) =
? fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_ srdy_en wr_inE wr_outQ
dp_read r_write r_read icr_rd_en c13or_ld srdy_del_outQ_ reg_sel
ivr_rd_en r_cir_wr01 r_cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd
ccr_wr ccr_rd gcr_wr gcr_rd sr_rd icr_ld c01_cout c01_cout_outQ c01_cout_delA_outQ
c23_cout c23_cout_outQ c23_cout_delA_outQ
oneshot01 interrupt01 reload01 int1_en_inR int1_en_inS int1_en_inE int1_en_outQ c01_ld
oneshot23 interrupt23 reload23 int2_en_inR int2_en_inS int2_en_inE int2_en_outQ c23_ld
enable01 enable23 c0_cout c2_cout ccr_out gcr_out sr_inp
disable_int_ int0_en_inD int0_en_outQ int0_dis_outQ int3_en_inD int3_en_outQ int3_dis_outQ
icr_out BusA BusB_in busA_latch_out
(BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out :time->wordn)
(BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en :time->bool).
(FSM_SPEC ClkA ClkB I_rale_ I_mrdy_ I_last_ Rst
R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_fsm_state
R_fsm_cntlatch R_fsm_srdy_ R_fsm_stateA
fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_) /\
(TRIBUF_SPEC fsm_srdy_ srdy_en I_srdy_) /\
(NOT_SPEC I_rale_ wr_inE) /\
(Wr_Lat_SPEC ClkB I_ad_in wr_inE R_wr wr_outQ) /\
(RW_Sigs_SPEC wr_outQ fsm_s0 fsm_s1 Disable_writes dp_read r_write r_read icr_rd_en srdy_en) /\
(DFF_SPEC fsm_cntlatch ClkA R_cntlatch_del R_cntlatch_delA c13or_ld) /\
(DFF_SPEC fsm_srdy_ ClkA R_srdy_del_ R_srdy_delA_ srdy_del_outQ_) /\
(Reg_Sel_Ctr_SPEC ClkA I_ad_in wr_inE srdy_del_outQ_ R_reg_sel R_reg_selA reg_sel) /\
(Reg_File_Ctl_SPEC reg_sel r_write r_read icr_rd_en
r_cir_wr01 r_cir_wr23
c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
icr_wr_feedback icr_select icr_rd
ccr_wr ccr_rd gcr_wr gcr_rd sr_rd) /\
(DFF_SPEC icr_wr_feedback ClkA R_icr_load R_icr_loadA icr_ld) /\
(DLAT_SPEC c01_cout ClkA R_c01_cout c01_cout_outQ) /\
(DLAT_SPEC c23_cout ClkA R_c23_cout c23_cout_outQ) /\
(DFF_SPEC c01_cout_outQ ClkA R_c01_cout_del R_c01_cout_delA c01_cout_delA_outQ) /\
(DFF_SPEC c23_cout_outQ ClkA R_c23_cout_del R_c23_cout_delA c23_cout_delA_outQ) /\
(Ctr_Int_Logic_SPEC oneshot01 interrupt01 reload01 c01_cout_outQ c01_cout_delA_outQ
r_cir_wr01 int1_en_inR int1_en_inS int1_en_inE c01_ld) /\
(Ctr_Int_Logic_SPEC oneshot23 interrupt23 reload23 c23_cout_outQ c23_cout_delA_outQ
r_cir_wr23 int2_en_inR int2_en_inS int2_en_inE c23_ld) /\
(DSRELAT_SPEC GND int1_en_inS int1_en_inR int1_en_inE ClkB R_int1_en int1_en_outQ) /\
(DSRELAT_SPEC GND int2_en_inS int2_en_inR int2_en_inE ClkB R_int2_en int2_en_outQ) /\
(NOT_SPEC Disable_int disable_int_) /\
(AND3_SPEC c01_cout_outQ int1_en_outQ disable_int_ Int1) /\
(AND3_SPEC c23_cout_outQ int2_en_outQ disable_int_ Int2) /\
(And_Tree_SPEC icr_out int0_en_inD int3_en_inD) /\
(DLAT_SPEC int0_en_inD ClkA R_int0_en int0_en_outQ) /\
(DLAT_SPEC int3_en_inD ClkA R_int3_en int3_en_outQ) /\
(DFF_SPEC int0_en_outQ ClkA R_int0_dis R_int0_disA int0_dis_outQ) /\
(DFF_SPEC int3_en_outQ ClkA R_int3_dis R_int3_disA int3_dis_outQ) /\
(Reg_Int_Logic_SPEC int0_en_outQ int0_dis_outQ int3_en_outQ int3_dis_outQ
Disable_int Int0_ Int3_) /\
(DLATn_SPEC BusA ClkA R_busA_latch busA_latch_out) /\
(TRIBUF_SPEC busA_latch_out dp_read I_ad_out) /\
(BUF_SPEC I_ad_in BusB_in) /\
(DP_CTR_SPEC ClkA ClkB BusB_in c0ir_wr c01_ld c0ir_rd enable01 VDD fsm_cntlatch
c0or_rd R_ctr0_in R_ctr0_mux_sel R_ctr0_irden R_ctr0 R_ctr0_ce R_ctr0_cin
R_ctr0_cry R_ctr0_new R_ctr0_outA R_ctr0_out R_ctr0_orden
BusA_c0_out1 BusA_c0_out2 c0_cout) /\
(DP_CTR_SPEC ClkA ClkB BusB_in c1ir_wr c01_ld c1ir_rd VDD c0_cout c13or_ld
c1or_rd R_ctr1_in R_ctr1_mux_sel R_ctr1_irden R_ctr1 R_ctr1_ce R_ctr1_cin
R_ctr1_cry R_ctr1_new R_ctr1_outA R_ctr1_out R_ctr1_orden
BusA_c1_out1 BusA_c1_out2 c01_cout) /\
(DP_CTR_SPEC ClkA ClkB BusB_in c2ir_wr c23_ld c2ir_rd enable23 VDD fsm_cntlatch
c2or_rd R_ctr2_in R_ctr2_mux_sel R_ctr2_irden R_ctr2 R_ctr2_ce R_ctr2_cin
R_ctr2_cry R_ctr2_new R_ctr2_outA R_ctr2_out R_ctr2_orden
BusA_c2_out1 BusA_c2_out2 c2_cout) /\
(DP_CTR_SPEC ClkA ClkB BusB_in c3ir_wr c23_ld c3ir_rd VDD c2_cout c13or_ld
c3or_rd R_ctr3_in R_ctr3_mux_sel R_ctr3_irden R_ctr3 R_ctr3_ce R_ctr3_cin
R_ctr3_cry R_ctr3_new R_ctr3_outA R_ctr3_out R_ctr3_orden
BusA_c3_out1 BusA_c3_out2 c23_cout) /\
(DP_ICR_SPEC rep ClkA ClkB BusA BusB_in icr_wr_feedback icr_rd icr_select R_icr_loadA icr_rd
R_icr_oldA R_icr_old R_icr_mask R_icrA R_icr R_icr_rden
BusA_icr_out icr_out) /\
(DP_CR_SPEC ClkA ClkB BusB_in ccr_wr ccr_rd R_ccr R_ccr_rden BusA_ccr_out ccr_out) /\
(DP_CR_SPEC ClkA ClkB BusB_in gcr_wr gcr_rd R_gcr R_gcr_rden BusA_gcr_out gcr_out) /\
(GCR_Outputs_SPEC gcr_out Led reload01 oneshot01 interrupt01
enable01 reload23 oneshot23 interrupt23 enable23 Reset_error Pmm_invalid) /\
(SR_Inputs_SPEC Cpu_fail Reset_cpu Piu_fail Pmm_fail S_state
Id ChannelID CB_parity C_ss MB_parity sr_inp) /\
(DP_SR_SPEC ClkA ClkB sr_inp fsm_cntlatch sr_rd R_sr R_sr_rden BusA_sr_out) /\
(Bus_Enab_SPEC ClkA R_ctr0_irden R_ctr0_orden R_ctr1_irden R_ctr1_orden R_ctr2_irden R_ctr2_orden
R_ctr3_irden R_ctr3_orden R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en) /\
(Bus_12_1_SPEC BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out
BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2




B.4 C Port Specification
File: c_block.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the gate-level specification of the C-Port of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.




map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'caux_def';'aux_def';'array_def';'wordn_def'];;
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;










let c_state = "((C_mfsm_stateA,C_mfsm_mabort,C_mfsm_midle,C_mfsm_mrequest,C_mfsm_ma3,C_mfsm_ma2,C_mfsm_ma1,
C_mfsm_ma0,C_mfsm_md1,C_mfsm_md0,C_mfsm_iad_en_m,C_mfsm_m_cout_sel1,C_mfsm_m_cout_sel0,
C_mfsm_ms,C_mfsm_rqt_,C_mfsm_cgnt_,C_mfsm_cm_en,C_mfsm_abort_le_en_,C_mfsm_mparity,
C_sfsm_stateA,C_sfsm_ss,C_sfsm_iad_en_s,C_sfsm_sidle,C_sfsm_slock,C_sfsm_sa1,C_sfsm_sa0,




C_cin_2_leA,C_mrdy_delA_,C_iad_en_s_delA,C_wrdyA,C_rrdyA,C_iad_out,C_a1a0,C_a3a2,
C_mfsm_state,C_mfsm_srdy_en,C_mfsm_D,C_mfsm_grant,C_mfsm_rst,C_mfsm_busy,C_mfsm_write,
C_mfsm_crqt_,C_mfsm_hold_,C_mfsm_last_,C_mfsm_lock_,C_mfsm_ss,C_mfsm_invalid,




C_rrdy,C_parity,C_source,C_data_in,C_iad_in)
:^c_state_ty)";;
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
I_lock_, I_cale_, I_hlda_, I_crqt_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
:^c_env_ty)";;
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
bool#wordn#wordn#wordn#wordn#bool#bool)";;
let c_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
I_ad_out, I_be_out_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
:^c_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let Last_Logic = new_definition
('Last_Logic',
"! rst clkD mfsm_md1 mfsm_mabort last_in_inE.
Last_Logic rst clkD mfsm_md1 mfsm_mabort last_in_inE =
!t:time.
(last_in_inE t = (rst t) \/ ((clkD t) /\ (mfsm_md1 t)) \/ (mfsm_mabort t))"
);;
let Hold_Logic = new_definition
('Hold_Logic',
"! (cb_ms:time->wordn) clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE.
Hold_Logic cb_ms clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE =
!t:time.
(last_out_inS t = sfsm_sa1 t) /\
(last_out_inR t = (clkD t) /\ ((cb_ms t = ^MEND) \/ (cb_ms t = ^MABORT))) /\
(last_out_inE t = (last_out_inS t) \/ (last_out_inR t))"
);;
let Cout_Sel_Logic_SPEC = new_definition
('Cout_Sel_Logic_SPEC',
"! sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 (cout_sel:time->wordn).
Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 cout_sel =
!t:time.
(cout_sel t = ((sfsm_sd0 t) \/ (sfsm_sd1 t))
=> (let a1 = (ALTER (cout_sel t) 0 (sfsm_s_cout_sel0 t))
in (ALTER a1 1 F))
| (let a1 = (ALTER (cout_sel t) 0 (mfsm_m_cout_sel0 t))
in (ALTER a1 1 (mfsm_m_cout_sel1 t))))"
);;
% Generation logic for srdy signal. %
let Srdy_In_Logic_SPEC = new_definition
('Srdy_In_Logic_SPEC',
"! (cb_ss:time->wordn) dfsm_srdy.
Srdy_In_Logic_SPEC cb_ss dfsm_srdy =
!t:time. (dfsm_srdy t = (cb_ss t = ^SRDY))"
);;
let Rdy_Logic_SPEC = new_definition
('Rdy_Logic_SPEC',
"! mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD.
Rdy_Logic_SPEC mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD =
!t:time.
(wrdy_inD t = (srdy t) /\ (write t) /\ (mfsm_md1 t) /\ (clkD t)) /\
(rrdy_inD t = (srdy t) /\ ~(write t) /\ (mfsm_md0 t) /\ (clkD t))"
);;
let ISrdy_Out_Logic_SPEC = new_definition
('ISrdy_Out_Logic_SPEC',
"! wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE.
ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE =
!t:time.
(isrdy_inD t = ~((wrdyA_outQ t) \/ (rrdyA_outQ t) \/ (fsm_mabort t))) /\
(isrdy_inE t = ~(cale_ t) \/ (srdy_en t))"
);;
% Generation logic for CBss_out signal. %
let CBss_Out_Logic_SPEC = new_definition
('CBss_Out_Logic_SPEC',
"! (sfsm_ss:time->wordn) pmm_failure piu_valid cbss_out.
CBss_Out_Logic_SPEC sfsm_ss pmm_failure piu_valid cbss_out =
!t:time.
(cbss_out t = (let a1 = (MALTER (cbss_out t) (1,0) (SUBARRAY (sfsm_ss t) (1,0)))




"! (mfsm_ms:time->wordn) pmm_failure piu_valid cbms_out.
CBms_Out_Logic_SPEC mfsm_ms pmm_failure piu_valid cbms_out =
!t:time.
(cbms_out t = (let a1 = (MALTER (cbms_out t) (1,0) (SUBARRAY (mfsm_ms t) (1,0)))
in (ALTER a1 (2) ((ELEMENT (mfsm_ms t) (2)) /\ ~(pmm_failure t) /\ ~(piu_valid t)))))"
);;
let Cout_1_Le_Logic_SPEC = new_definition
('Cout_1_Le_Logic_SPEC',
"! dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le.
Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le =
!t:time.
(cout_1_le t = ~(dfsm_master t) /\ (dfsm_cout_1_le t) \/ (dfsm_master t) /\ (cout_0_le_del t))"
);;
let Iad_En_Logic_SPEC = new_definition
('Iad_En_Logic_SPEC',
"! mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en.
Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en =
!t:time.
(iad_en t = (mfsm_iad_en_m t) \/ (sfsm_iad_en_s t) \/ (iad_en_s_del t))"
);;
let Pe_Cnt_Logic_SPEC = new_definition
('Pe_Cnt_Logic_SPEC',
"! clkD (sfsm_sparity:time->bool) mfsm_mparity (cb_ss_in:time->wordn) c_pe_cnt.
Pe_Cnt_Logic_SPEC clkD sfsm_sparity mfsm_mparity cb_ss_in c_pe_cnt =
!t:time.
(c_pe_cnt t = (clkD t) /\
(~((sfsm_sparity t) = (mfsm_mparity t)) \/ ((SUBARRAY (cb_ss_in t) (1,0)) = WORDN 0)))"
);;
% Generation logic for c_grant, c_busy signals. %
let Grant_Logic_SPEC = new_definition
('Grant_Logic_SPEC',
"! (id:time->wordn) (rqt_:time->wordn) busy grant.
Grant_Logic_SPEC id rqt_ busy grant =
!t:time.
(busy t = ~(ELEMENT (rqt_ t) (3)) \/ ~(ELEMENT (rqt_ t) (2)) \/ ~(ELEMENT (rqt_ t) (1))) /\
(grant t = ((SUBARRAY (id t) (1,0)) = WORDN 0) /\ ~(ELEMENT (rqt_ t) (0)) \/
((SUBARRAY (id t) (1,0)) = WORDN 1) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) \/
((SUBARRAY (id t) (1,0)) = WORDN 2) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) /\
(ELEMENT (rqt_ t) (2)) \/
((SUBARRAY (id t) (1,0)) = WORDN 3) /\ ~(ELEMENT (rqt_ t) (0)) /\ (ELEMENT (rqt_ t) (1)) /\
(ELEMENT (rqt_ t) (2)) /\ (ELEMENT (rqt_ t) (3)))"
);;
let Addressed_Logic_SPEC = new_definition
('Addressed_Logic_SPEC',
"! (id:time->wordn) (source:time->wordn) addressed.
Addressed_Logic_SPEC id source addressed =
!t:time.
(addressed t = ((ELEMENT (id t) (0)) = (ELEMENT (source t) (10))) /\
((ELEMENT (id t) (1)) = (ELEMENT (source t) (11))) /\
((ELEMENT (id t) (2)) = (ELEMENT (source t) (12))) /\
((ELEMENT (id t) (3)) = (ELEMENT (source t) (13))) /\
((ELEMENT (id t) (4)) = (ELEMENT (source t) (14))) /\
((ELEMENT (id t) (5)) = (ELEMENT (source t) (15))))"
);;
let D_Writes_Logic_SPEC = new_definition
('D_Writes_Logic_SPEC',
"! dfsm_slave (chan_id:time->wordn) (source:time->wordn) disable_writes.
D_Writes_Logic_SPEC dfsm_slave chan_id source disable_writes =
!t:time.
(disable_writes t = (dfsm_slave t) /\ ~((ELEMENT (chan_id t) (0)) /\ (ELEMENT (source t) (6)))
/\ ~((ELEMENT (chan_id t) (1)) /\ (ELEMENT (source t) (7)))
/\ ~((ELEMENT (chan_id t) (2)) /\ (ELEMENT (source t) (8)))
/\ ~((ELEMENT (chan_id t) (3)) /\ (ELEMENT (source t) (9))))"
);;
let Parity_Decode_Logic_SPEC = new_definition
('Parity_Decode_Logic_SPEC',
"! rep cad_in cad_in_dec cad_in_det.
Parity_Decode_Logic_SPEC rep cad_in cad_in_dec cad_in_det =
!t:time.
(cad_in_dec t = (Par_Dec rep (cad_in t))) /\
(cad_in_det t = (Par_Det rep (cad_in t)))"
);;
let Parity_Signal_Inputs_SPEC = new_definition
('Parity_Signal_Inputs_SPEC',
"! rst cad_in_det clkD c_pe_cnt reset_parity
c_parity_inS c_parity_inR c_parity_inE.
Parity_Signal_Inputs_SPEC rst cad_in_det clkD c_pe_cnt reset_parity
c_parity_inS c_parity_inR c_parity_inE =
!t:time.
(c_parity_inS t = (cad_in_det t) /\ (clkD t) /\ (c_pe_cnt t)) /\
(c_parity_inR t = (rst t) \/ (reset_parity t)) /\
(c_parity_inE t = (c_parity_inS t) \/ (c_parity_inR t))"
);;
let CB_In_Latches_SPEC = new_definition
('CB_In_Latches_SPEC',
"! clkA clkB rst (cad_in_dec:time->wordn) cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
(source:time->wordn) (sizewrbe:time->wordn) iad_preout
c_source c_data_in c_sizewrbe c_iad_preout.
CB_In_Latches_SPEC clkA clkB rst cad_in_dec cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
source sizewrbe iad_preout




(c_data_in (t+1) = c_data_in t) /\
(c_sizewrbe (t+1) = c_sizewrbe t) /\
(c_iad_preout (t+1) = (cin_2_le t) => (c_data_in t) | (c_iad_preout t)))) /\
((clkB t) ==>
((c_source (t+1) = (rst t) => WORDN 0 |
(cin_3_le t) => (cad_in_dec t) |
(c_source t)) /\
(c_data_in (t+1) = (rst t) => MALTER (c_data_in t) (31,16) (WORDN 0) |
((cin_1_le t) /\ (~cin_0_le t)) => MALTER (c_data_in t) (31,16) (cad_in_dec t) |
(c_data_in (t+1))) /\
(c_data_in (t+1) = (rst t) => WORDN 0 |
((cin_0_le t) /\ (~cin_1_le t)) => MALTER (c_data_in t) (15,0) (cad_in_dec t) |
(c_data_in (t+1))) /\
(c_sizewrbe (t+1) = (rst t) => WORDN 0 |
(cin_4_le t) => SUBARRAY (c_data_in t) (31,22) |
(c_sizewrbe t)) /\
(c_iad_preout (t+1) = (c_iad_preout t)))) /\
((source t = c_source (t+1)) /\
(sizewrbe t = c_sizewrbe (t+1)) /\
(iad_preout t = c_iad_preout (t+1)))"
);;
let BE_Out_Logic_SPEC = new_definition
('BE_Out_Logic_SPEC',
"! (sizewrbe:time->wordn) hlda be_out.
BE_Out_Logic_SPEC sizewrbe hlda be_out =
!t:time.
((hlda t) ==> (be_out t = SUBARRAY (sizewrbe t) (9,6)))"
);;
let Write_Logic_SPEC = new_definition
('Write_Logic_SPEC',
"! clkA clkB (iad_in:time->wordn) sizewrbe cale_ master_tran C_wr write.
Write_Logic_SPEC clkA clkB iad_in sizewrbe cale_ master_tran C_wr write =
!t:time.
((clkA t) ==> C_wr (t+1) = C_wr t) /\
((clkB t) ==> C_wr (t+1) = (~cale_ t) => (ELEMENT (iad_in t) (27)) | C_wr t) /\
(write t = (master_tran t) => (C_wr (t+1)) | (ELEMENT (sizewrbe t) (5)))"
);;
let CB_Out_Logic_SPEC = new_definition
('CB_Out_Logic_SPEC',
"! rep clkA clkB (iad_in:time->wordn) (ccr:time->wordn) dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
C_iad_in C_a1a0 C_a3a2.
CB_Out_Logic_SPEC rep clkA clkB iad_in ccr dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
C_iad_in C_a1a0 C_a3a2 =
!t:time.
((clkA t) ==>
((C_iad_in (t+1) = C_iad_in t) /\
(C_a1a0 (t+1) = (cout_1_le t) => (C_iad_in t) | (C_a1a0 t)) /\
(C_a3a2 (t+1) = (mfsm_mrequest t) => (ccr t) | (C_a3a2 t)))) /\
((clkB t) ==>
((C_iad_in (t+1) = (dfsm_cout_0_le t) => (iad_in t) | (C_iad_in t)) /\
(C_a1a0 (t+1) = C_a1a0 t) /\
(C_a3a2 (t+1) = C_a3a2 t))) /\
(cad_preout t = ((cout_sel (t+1)) = WORDN 0) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (15,0))) |
((cout_sel (t+1)) = WORDN 1) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (31,16))) |
((cout_sel (t+1)) = WORDN 2) => (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (15,0))) |
(Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (31,16))))"
);;
let C_Block_SPEC = new_definition
('C_Block_SPEC',
"! (C_mfsm_stateA C_mfsm_state :time->cmfsm_ty)
(C_sfsm_stateA C_sfsm_state :time->csfsm_ty)
(C_efsm_stateA C_efsm_state :time->cefsm_ty)
(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
C_source C_data_in C_iad_in :time->wordn)
(C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
C_efsm_srdy_en
C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_rd_srdy C_cout_0_le_delA
C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
C_rrdy C_parity :time->bool)
(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :time->bool)
(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :time->wordn)
(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
Disable_writes CB_parity :time->bool)
(I_ad_out I_be_out_ CB_ms_out CB_ss_out CB_ad_out C_ss_out :time->wordn)
(rep:^rep_ty).
C_Block_SPEC (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en,
C_mfsm_abort_le_en_, C_mfsm_mparity,
C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1,
C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en,
C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_rd_srdy,
C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out,
C_a1a0, C_a3a2,
C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy,
C_mfsm_write, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss,
C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed,
C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss,
C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
I_lock_, I_cale_, I_hlda_, I_crqt_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
I_ad_out, I_be_out_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
rep =
? (grant busy mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_cm_en
mfsm_abort_le_en_ mfsm_mparity sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0
sfsm_sale sfsm_sd1 sfsm_sd0 sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity
efsm_srdy_en dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le
dfsm_cin_4_le dfsm_cout_0_le dfsm_cout_1_le dfsm_cad_en dfsm_male_ dfsm_rale_
dfsm_mrdy_ last_in_inE last_in_outQ lock_in_inE lock_in_outQ clkA_outQ
last_out_inS last_out_inR last_out_inE last_out_outQ sstatus_en_ sidle_del_outQ
mrqt_del_outQ mstatus_en_ dfsm_srdy write wrdy_inD wrdy_outQ rrdy_inD rrdy_outQ
wrdyA_outQ rrdyA_outQ i_srdy_en isrdy_inD isrdy_inE cout_0_le_del_out cin_2_le_out
cout_1_le mrdy_del_out iad_en_s_del_outQ iad_en c_pe_cnt addressed cin_2_le
cad_in_det c_parity_inS c_parity_inR c_parity_inE hlda :time->bool)
(mfsm_ss mfsm_ms sfsm_ss cout_sel cad_in_dec source sizewrbe iad_preout cad_preout :time->wordn).
(OR2_SPEC Rst mfsm_ma1 lock_in_inE) /\
(DRELAT_SPEC I_lock_ Rst lock_in_inE ClkB C_lock_in_ lock_in_outQ) /\
(Last_Logic Rst ClkD mfsm_md1 mfsm_mabort last_in_inE) /\
(DREFF_SPEC I_last_in_ last_in_inE Rst ClkB C_last_inA_ C_last_in_ last_in_outQ) /\
(DEFFn_SPEC mfsm_ss mfsm_abort_le_en_ ClkB C_ssA C_ss C_ss_out) /\
(DFF_SPEC ClkD ClkA C_clkA C_clkAA clkA_outQ) /\
(Hold_Logic CB_ms_in ClkD sfsm_sa1 last_out_inS last_out_inR last_out_inE) /\
(DSRELAT_SPEC GND last_out_inS last_out_inR last_out_inE ClkB C_last_out_ last_out_outQ) /\
(TRIBUF_SPEC last_out_outQ hlda I_last_out_) /\
(OR2_SPEC sfsm_sidle sfsm_sabort sstatus_en_) /\
(DFF_SPEC sfsm_sidle ClkA C_sidle_del C_sidle_delA sidle_del_outQ) /\
(DFF_SPEC mfsm_mrequest ClkA C_mrqt_del C_mrqt_delA mrqt_del_outQ) /\
(Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 cout_sel) /\
(NOT_SPEC mfsm_cm_en mstatus_en_) /\
(DEFF_SPEC sfsm_sidle ClkD ClkA C_hold_ C_holdA_ I_hold_) /\
(Srdy_In_Logic_SPEC CB_ss_in dfsm_srdy) /\
(Rdy_Logic_SPEC mfsm_md0 mfsm_md1 ClkD write dfsm_srdy wrdy_inD rrdy_inD) /\
(DLAT_SPEC wrdy_inD ClkB C_wrdy wrdy_outQ) /\
(DLAT_SPEC rrdy_inD ClkB C_rrdy rrdy_outQ) /\
(DLAT_SPEC wrdy_outQ ClkA C_wrdyA wrdyA_outQ) /\
(DLAT_SPEC rrdy_outQ ClkA C_rrdyA rrdyA_outQ) /\
(ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ mfsm_mabort I_cale_ i_srdy_en isrdy_inD isrdy_inE) /\
(TRIBUF_SPEC isrdy_inD isrdy_inE I_srdy_out_) /\
(CBss_Out_Logic_SPEC sfsm_ss Pmm_failure Piu_invalid CB_ss_out) /\
(DFF_SPEC dfsm_cout_0_le ClkA C_cout_0_le_del C_cout_0_le_delA cout_0_le_del_out) /\
(DFF_SPEC dfsm_cin_0_le ClkA C_cin_2_le C_cin_2_leA cin_2_le_out) /\
(Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del_out dfsm_cout_1_le cout_1_le) /\
(DFF_SPEC dfsm_mrdy_ ClkA C_mrdy_del_ C_mrdy_delA_ mrdy_del_out) /\
(NOT_SPEC I_hlda_ hlda) /\
(TRIBUF_SPEC dfsm_male_ hlda I_male_out_) /\
(TRIBUF_SPEC dfsm_rale_ hlda I_rale_out_) /\
(TRIBUF_SPEC mrdy_del_out hlda I_mrdy_out_) /\
(DEFF_SPEC sfsm_iad_en_s ClkD ClkA C_iad_en_s_del C_iad_en_s_delA iad_en_s_del_outQ) /\
(Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del_outQ iad_en) /\
(CBms_Out_Logic_SPEC mfsm_ms Pmm_failure Piu_invalid CB_ms_out) /\
(Pe_Cnt_Logic_SPEC ClkD sfsm_sparity mfsm_mparity CB_ss_in c_pe_cnt) /\
(Grant_Logic_SPEC Id CB_rqt_in_ busy grant) /\
(Addressed_Logic_SPEC Id C_source addressed) /\
(D_Writes_Logic_SPEC dfsm_slave ChannelID C_source Disable_writes) /\
(Parity_Decode_Logic_SPEC rep CB_ad_in cad_in_dec cad_in_det) /\
(Parity_Signal_Inputs_SPEC Rst cad_in_det ClkD c_pe_cnt Reset_error
c_parity_inS c_parity_inR c_parity_inE) /\
(DSRELAT_SPEC GND c_parity_inS c_parity_inR c_parity_inE ClkB C_parity CB_parity) /\
(CB_In_Latches_SPEC ClkA ClkB Rst cad_in_dec dfsm_cin_0_le dfsm_cin_1_le cin_2_le dfsm_cin_3_le
dfsm_cin_4_le source sizewrbe iad_preout
C_source C_data_in C_sizewrbe C_iad_out) /\
(BE_Out_Logic_SPEC sizewrbe hlda I_be_out_) /\
(TRIBUF_SPEC iad_preout iad_en I_ad_out) /\
(Write_Logic_SPEC ClkA ClkB I_ad_in sizewrbe I_cale_ mfsm_cm_en C_wr write) /\
(CB_Out_Logic_SPEC rep ClkA ClkB I_ad_in Ccr dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
C_iad_in C_a1a0 C_a3a2) /\
(TRIBUF_SPEC cad_preout dfsm_cad_en CB_ad_out) /\
(CMFSM_SPEC ClkA ClkB efsm_srdy_en ClkD grant Rst busy write
I_crqt_ I_hold_ last_in_outQ lock_in_outQ CB_ss_in Piu_invalid
C_mfsm_state C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_ss C_mfsm_invalid
C_mfsm_stateA C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2
C_mfsm_ma1 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1
C_mfsm_m_cout_sel0 C_mfsm_ms C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en
C_mfsm_abort_le_en_ C_mfsm_mparity
mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_ms
CB_rqt_out_ I_cgnt_ mfsm_cm_en mfsm_abort_le_en_ mfsm_mparity) /\
(CSFSM_SPEC ClkA ClkB ClkD grant Rst write addressed I_hlda_ CB_ms_in
C_sfsm_state C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed
C_sfsm_hlda_ C_sfsm_ms C_sfsm_stateA C_sfsm_ss C_sfsm_iad_en_s C_sfsm_sidle
C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack
C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
sfsm_ss sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale
sfsm_sd1 sfsm_sd0 sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity) /\
(CEFSM_SPEC ClkA ClkB I_cale_ I_last_in_ I_male_in_ I_rale_in_ I_srdy_in_ Rst
C_efsm_state C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_efsm_stateA C_efsm_srdy_en efsm_srdy_en) /\
(CDFSM_SPEC dfsm_srdy ClkD clkA_outQ write sizewrbe sfsm_sidle sidle_del_outQ sfsm_slock
sfsm_sa1 sfsm_sa0 sfsm_sale sfsm_sd1 sfsm_sd0 sfsm_sack mfsm_midle mrqt_del_outQ
mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0 mfsm_md1 mfsm_md0 I_cale_ I_srdy_in_
dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le dfsm_cin_4_le






Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the gate-level specification of the startup controller of
the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
set_search_path (search_path () @ ['/home/titan3/dfura/ftep/piu/holflib/']);;
system 'rm s_block.th';;
new_theory 's_block';;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'saux_def';'aux_def';'array_def';'wordn_def'];;




let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
:^s_state_ty)";;
let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
:^s_env_ty)";;
let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
:^s_out_ty)";;
let Scnt_In_SPEC = new_definition
('Scnt_In_SPEC',
"! gcrh gcrl soft_shot_inD soft_cnt_inL.
Scnt_In_SPEC gcrh gcrl soft_shot_inD soft_cnt_inL =





Input logic for S_soft_cnt counter.
let Scnt_In1_SPEC = new_definition
('Scnt_In1_SPEC',
"! soft_shot_outQ soft_shot_del_outQ soft_cnt_inU.
Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU =
(! t:time. (soft_cnt_inU t = soft_shot_outQ t /\ ~soft_shot_del_outQ t))"
);;
let Delay_In_SPEC = new_definition
('Delay_In_SPEC',
"! scpustart delay reset_cnt delay_inR.
Delay_In_SPEC scpustart delay reset_cnt delay_inR =
(! t:time. (delay_inR t = scpustart t /\ (ELEMENT (delay t) (6)) \/ reset_cnt t))"
);;
let Muxes_SPEC = new_definition
('Muxes_SPEC',
"! (delay:time->wordn) test instart_inD delay17.
Muxes_SPEC delay test instart_inD delay17 =
(! t:time. (instart_inD t = (test t) => ELEMENT (delay t) (5) | ELEMENT (delay t) (16)) /\
(delay17 t = (test t) => ELEMENT (delay t) (6) | ELEMENT (delay t) (17)))"
);;
let Dis_Int_Out_SPEC = new_definition
('Dis_Int_Out_SPEC',
"! instart normal delay disable_int_in disable_int_out.
Dis_Int_Out_SPEC instart normal delay disable_int_in disable_int_out =
(! t:time. (disable_int_out t = ~instart t /\ ~(normal t /\ (ELEMENT (delay t) (6)) /\ disable_int_in t)))"
);;
let Bad_Cpu_In_SPEC = new_definition
('Bad_Cpu_In_SPEC',
"! normal operation cpu0_fail cpu1_fail begin
bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE.
Bad_Cpu_In_SPEC normal operation cpu0_fail cpu1_fail begin
bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE =
(! t:time. (bad_cpu0_inS t = begin t) /\
(bad_cpu0_inR t = (normal t \/ operation t) /\ ~cpu0_fail t) /\
(bad_cpu0_inE t = begin t \/ (normal t \/ operation t) /\ ~cpu0_fail t) /\
(bad_cpu1_inS t = begin t) /\
(bad_cpu1_inR t = (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t) /\
(bad_cpu1_inE t = begin t \/ (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t))"
);;
let Cpu_Ok_SPEC = new_definition
('Cpu_Ok_SPEC',
"! soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok.
Cpu_Ok_SPEC soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok =
(! t:time. (cpu0_ok t = ((soft_cnt t) = WORDN 5) /\ cpu0_fail t /\ failure0_ t) /\
(cpu1_ok t = ((soft_cnt t) = WORDN 5) /\ cpu1_fail t /\ failure1_ t))"
);;
let Fail_In_SPEC = new_definition
('Fail_In_SPEC',
"! begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE.
Fail_In_SPEC begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE =
(! t:time. (pmm_fail_inS t = begin t) /\
(pmm_fail_inR t = pmm_fail t) /\
(pmm_fail_inE t = begin t \/ pmm_fail t) /\
(cpu0_fail_inS t = begin t) /\
(cpu0_fail_inR t = bypass t \/ cpu0_ok t) /\
(cpu0_fail_inE t = begin t \/ bypass t \/ cpu0_ok t) /\
(cpu1_fail_inS t = begin t) /\
(cpu1_fail_inR t = bypass t \/ cpu1_ok t) /\
(cpu1_fail_inE t = begin t \/ bypass t \/ cpu1_ok t) /\
(piu_fail_inS t = begin t) /\
(piu_fail_inR t = bypass t \/ piu_fail t) /\






"! clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
state rst delay6 delay17 bothbad bypass
stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out.
FSM_SPEC clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
state rst delay6 delay17 bothbad bypass
stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out =
! t:time.
((clkA t) ==>
((state (t+1) = state t) /\
(rst (t+1) = rst t) /\
(delay6 (t+1) = delay6 t) /\
(delay17 (t+1) = delay17 t) /\
(bothbad (t+1) = bothbad t) /\
(bypass (t+1) = bypass t) /\
(stateA (t+1) =
((rst t) => SSTART |
((state t) = SSTART) => SRA |
((state t) = SRA) => ((delay6 t) => ((bypass t) => SO | SPF) | SRA) |
((state t) = SPF) => SC0I |
((state t) = SC0I) => ((delay17 t) => SC0F | SC0I) |
((state t) = SC0F) => ST |
((state t) = ST) => SC1I |
((state t) = SC1I) => ((delay17 t) => SC1F | SC1I) |
((state t) = SC1F) => SS |
((state t) = SS) => ((bothbad t) => SSTOP | SCS) |
((state t) = SSTOP) => SSTOP |
((state t) = SCS) => ((delay6 t) => SN | SCS) |
((state t) = SN) => ((delay17 t) => SO | SN) | SO)) /\
(sn (t+1) = (stateA (t+1) = SN)) /\
(so (t+1) = (stateA (t+1) = SO)) /\
(srcp (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
(sdi (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
(srp (t+1) = ((stateA (t+1) = SSTART) \/ (stateA (t+1) = SRA) \/ (stateA (t+1) = SC0F) \/
(stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/
(stateA (t+1) = SCS))) /\
(src0 (t+1) = (~(stateA (t+1) = SPF) /\ ~(stateA (t+1) = SC0I))) /\
(src1 (t+1) = (~(stateA (t+1) = ST) /\ ~(stateA (t+1) = SC1I))) /\
(spf (t+1) = (((state t) = SRA) /\ (delay6 t) /\ ~(rst t))) /\
(sc0f (t+1) = (stateA (t+1) = SC0F)) /\
(sc1f (t+1) = (stateA (t+1) = SC1F)) /\
(spmf (t+1) = (stateA (t+1) = SO)) /\
(sb (t+1) = (stateA (t+1) = SSTART)) /\
(src (t+1) = ((stateA (t+1) = SSTART) \/ (((state t) = SRA) /\ (delay6 t)) \/
(stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/
(stateA (t+1) = SS) \/ (((state t) = SCS) /\ (delay6 t)))) /\
(sec (t+1) = ((~(stateA (t+1) = SSTOP) /\ ~(stateA (t+1) = SO)) \/ ((state t) = SN))) /\
(srs (t+1) = ((((state t) = SPF) /\ ~(rst t)) \/ (((state t) = ST) /\ ~(rst t)))) /\
(scs (t+1) = (stateA (t+1) = SCS)))) /\
((clkB t) ==>
((state (t+1) = stateA t) /\
(rst (t+1) = rst_in t) /\
(delay6 (t+1) = ELEMENT (delay_in t) (6)) /\
(delay17 (t+1) = delay17_in t) /\
(bothbad (t+1) = bothbad_in t) /\
(bypass (t+1) = bypass_in t) /\
(sn (t+1) = sn t) /\
(so (t+1) = so t) /\
(srcp (t+1) = srcp t) /\
(sdi (t+1) = sdi t) /\
(srp (t+1) = srp t) /\
(src0 (t+1) = src0 t) /\
(src1 (t+1) = src1 t) /\
(spf (t+1) = spf t) /\
(sc0f (t+1) = sc0f t) /\
(sc1f (t+1) = sc1f t) /\
(spmf (t+1) = spmf t) /\
(sb (t+1) = sb t) /\
(src (t+1) = src t) /\
(sec (t+1) = sec t) /\
(srs (t+1) = srs t) /\
(scs (t+1) = scs t))) /\
((let a0 = (ALTER (stateA_out t) (0)
((stateA (t+1) = SRA) \/ (stateA (t+1) = SPF) \/ (stateA (t+1) = ST) \/
(stateA (t+1) = SC1I) \/ (stateA (t+1) = SCS) \/ (stateA (t+1) = SN) \/
(stateA (t+1) = SO)))
in
(let a1 = (ALTER a0 (1)
((stateA (t+1) = SPF) \/ (stateA (t+1) = SC0I) \/ (stateA (t+1) = SC0F) \/
(stateA (t+1) = ST) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SO)))
in
(let a2 = (ALTER a1 (2)
((stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1I) \/
(stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/
(stateA (t+1) = SCS)))
in
(let a3 = (ALTER a2 (3)
((stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SCS) \/
(stateA (t+1) = SN) \/ (stateA (t+1) = SO)))
in
(stateA_out t = a3))))) /\
(sn_out t = sn (t+1)) /\
(so_out t = so (t+1)) /\
(srcp_out t = srcp (t+1)) /\
(sdi_out t = sdi (t+1)) /\
(srp_out t = srp (t+1)) /\
(src0_out t = src0 (t+1)) /\
(src1_out t = src1 (t+1)) /\
(spf_out t = spf (t+1)) /\
(sc0f_out t = sc0f (t+1)) /\
(sc1f_out t = sc1f (t+1)) /\
(spmf_out t = spmf (t+1)) /\
(sb_out t = sb (t+1)) /\
(src_out t = src (t+1)) /\
(sec_out t = sec (t+1)) /\
(srs_out t = srs (t+1)) /\
(scs_out t = scs (t+1)))
");;
let S_Block_SPEC = new_definition
('S_Block_SPEC',
"! (S_fsm_stateA S_fsm_state :(time->sfsm_ty))
(S_soft_cntA S_delayA S_soft_cnt S_delay :(time->wordn))
(S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs
S_soft_shot S_soft_shot_delA S_instart S_cpu_histA
S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
S_piu_fail S_cpu_hist :(time->bool))
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :(time->bool))
(S_state :(time->wordn))
(Reset_cport Disable_int Reset_piu Reset_cpu0 Reset_cpu1 Cpu_hist Piu_fail Cpu0_fail Cpu1_fail
Pmm_fail :(time->bool)).
S_Block_SPEC (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
(S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail) =
(! t:time.
? fsm_delay17 fsm_bothbad
fsm_sn fsm_so fsm_sdi fsm_src0 fsm_src1 fsm_spf fsm_sc0f fsm_sc1f fsm_spmf fsm_sb
fsm_src fsm_sec fsm_srs fsm_scs NC
soft_shot_inD soft_shot_outQ soft_shot_del_outQ
soft_cnt_inL soft_cnt_inU soft_cnt_inR soft_cnt_outQ
delay_inL delay_inU delay_inR delay_outQ instart_inD instart_outQ
bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE bad_cpu0_outQ reset_cpu0_inD
bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE bad_cpu1_outQ reset_cpu1_inD cpu_hist_inD
cpu0_ok cpu1_ok
pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE.
(Scnt_In_SPEC Gcrh Gcrl soft_shot_inD soft_cnt_inL) /\
(DLAT_SPEC soft_shot_inD ClkA S_soft_shot soft_shot_outQ) /\
(DFF_SPEC soft_shot_outQ ClkA S_soft_shot_del S_soft_shot_delA soft_shot_del_outQ) /\
(Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU) /\
(UPRCNT_SPEC 2 (GNDN 2) soft_cnt_inL soft_cnt_inU soft_cnt_inR ClkA S_soft_cnt S_soft_cntA
soft_cnt_outQ NC) /\
(Delay_In_SPEC fsm_scs delay_outQ fsm_src delay_inR) /\
(UPRCNT_SPEC 17 (GNDN 17) delay_inL delay_inU delay_inR ClkA S_delay S_delayA delay_outQ NC) /\
(Muxes_SPEC delay_outQ Test instart_inD fsm_delay17) /\
(DLAT_SPEC instart_inD ClkA S_instart instart_outQ) /\
(Dis_Int_Out_SPEC instart_outQ fsm_sn delay_outQ fsm_sdi Disable_int) /\
(AND2_SPEC Cpu0_fail Cpu1_fail fsm_bothbad) /\
(Bad_Cpu_In_SPEC fsm_sn fsm_so Cpu0_fail Cpu1_fail fsm_sb
bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE) /\
(DSRELAT_SPEC GND bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE ClkB S_bad_cpu0 bad_cpu0_outQ) /\
(DSRELAT_SPEC GND bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE ClkB S_bad_cpu1 bad_cpu1_outQ) /\
(AND2_SPEC bad_cpu0_outQ fsm_src0 reset_cpu0_inD) /\
(AND2_SPEC bad_cpu1_outQ fsm_src1 reset_cpu1_inD) /\
(DLAT_SPEC reset_cpu0_inD ClkB S_reset_cpu0 Reset_cpu0) /\
(DLAT_SPEC reset_cpu1_inD ClkB S_reset_cpu1 Reset_cpu1) /\
(AND3_SPEC Reset_cpu0 Reset_cpu1 Bypass cpu_hist_inD) /\
(DFF_SPEC cpu_hist_inD ClkB S_cpu_histA S_cpu_hist Cpu_hist) /\
(Fail_In_SPEC fsm_sb fsm_spmf fsm_spf Bypass cpu0_ok cpu1_ok
pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE) /\
(DSRELAT_SPEC GND pmm_fail_inS pmm_fail_inR pmm_fail_inE ClkB S_pmm_fail Pmm_fail) /\
(DSRELAT_SPEC GND cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE ClkB S_cpu0_fail Cpu0_fail) /\
(DSRELAT_SPEC GND cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE ClkB S_cpu1_fail Cpu1_fail) /\
(DSRELAT_SPEC GND piu_fail_inS piu_fail_inR piu_fail_inE ClkB S_piu_fail Piu_fail) /\
(Cpu_Ok_SPEC soft_cnt_outQ fsm_sc0f fsm_sc1f Failure0_ Failure1_ cpu0_ok cpu1_ok) /\
(FSM_SPEC ClkA ClkB Rst delay_outQ fsm_delay17 fsm_bothbad Bypass
S_fsm_state S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
S_fsm_stateA S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1
S_fsm_spf S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs
S_fsm_scs
S_state fsm_sn fsm_so Reset_cport fsm_sdi Reset_piu fsm_src0 fsm_src1 fsm_spf
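
An executable model of the next-state conditional for stateA in FSM_SPEC above, added here as an illustration; it is not part of the report's HOL source. It treats one call as one clkA update over the values latched in the preceding clkB phase and checks the transition relation exhaustively; the function names, the property names and the spelling of the state names with digits 0 and 1 are assumptions of this example.

```python
from itertools import product

# State names as used in the stateA conditional of FSM_SPEC.
STATES = ("SSTART", "SRA", "SPF", "SC0I", "SC0F", "ST", "SC1I", "SC1F",
          "SS", "SSTOP", "SCS", "SN", "SO")
# Latched inputs that the conditional reads.
INPUTS = ("rst", "delay6", "delay17", "bothbad", "bypass")


def next_state(state, rst, delay6, delay17, bothbad, bypass):
    """Value of stateA(t+1) given state(t) and the latched inputs at t."""
    if rst:
        return "SSTART"
    if state == "SSTART":
        return "SRA"
    if state == "SRA":
        return ("SO" if bypass else "SPF") if delay6 else "SRA"
    if state == "SPF":
        return "SC0I"
    if state == "SC0I":
        return "SC0F" if delay17 else "SC0I"
    if state == "SC0F":
        return "ST"
    if state == "ST":
        return "SC1I"
    if state == "SC1I":
        return "SC1F" if delay17 else "SC1I"
    if state == "SC1F":
        return "SS"
    if state == "SS":
        return "SSTOP" if bothbad else "SCS"
    if state == "SSTOP":
        return "SSTOP"
    if state == "SCS":
        return "SN" if delay6 else "SCS"
    if state == "SN":
        return "SO" if delay17 else "SN"
    return "SO"  # final else branch: SO itself and any unlisted value


def all_inputs(**fixed):
    """Every assignment of the inputs, with some of them held at fixed values."""
    free = [name for name in INPUTS if name not in fixed]
    for values in product((False, True), repeat=len(free)):
        yield {**fixed, **dict(zip(free, values))}


def run(steps, state="SSTART"):
    """Apply a sequence of input assignments and return the visited states."""
    trace = [state]
    for inputs in steps:
        state = next_state(state, **inputs)
        trace.append(state)
    return trace


def reachable(start="SSTART", **fixed):
    """States reachable from start when the named inputs are held constant."""
    seen, frontier = {start}, [start]
    while frontier:
        current = frontier.pop()
        for inputs in all_inputs(**fixed):
            nxt = next_state(current, **inputs)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def check_properties():
    """Exhaustive checks over all 13 states x 32 input assignments."""
    every = [(s, i) for s in STATES for i in all_inputs()]
    return {
        # A latched reset forces SSTART from every state.
        "reset_dominates": all(
            next_state(s, **i) == "SSTART" for s, i in every if i["rst"]),
        # Without reset, SSTOP and SO are never left.
        "sstop_absorbing": all(
            next_state("SSTOP", **i) == "SSTOP" for i in all_inputs(rst=False)),
        "so_absorbing": all(
            next_state("SO", **i) == "SO" for i in all_inputs(rst=False)),
        # SSTOP is entered only from SS with bothbad set and no reset.
        "sstop_only_from_ss": all(
            s == "SS" and i["bothbad"] and not i["rst"]
            for s, i in every
            if s != "SSTOP" and next_state(s, **i) == "SSTOP"),
    }


if __name__ == "__main__":
    # Constructed input: both delay taps set, no fault, no bypass.
    quiet = dict(rst=False, delay6=True, delay17=True, bothbad=False, bypass=False)
    print(" -> ".join(run([quiet] * 11)))
    print(check_properties())
    print(sorted(reachable(rst=False, bypass=True)))
```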




Appendix C ML Source for the Phase-Level Specification of the PIU Ports.
This appendix contains the HOL models used in the phase-level specification for the PIU ports. They are
listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.
C.1 P Port Specification
File: p_phase.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the phase-level specification of the P-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator






pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool)";;
let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
:(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool))";;
let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
:(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool))";;
let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
I_mrdy_, I_last_, I_hlda_, I_lock_)
:(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool))";;
let PH_A_inst_def = new_definition
('PH_A_inst',
"! (P_fsm_state P_fsm_stateA :pfsm_ty)
(P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
(P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
(P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
(P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
PH_A_inst (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
let new_P_fsm_stateA =
((P_fsm_rst) => PA |
((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
((P_fsm_state = PA) =>
((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
((P_fsm_state = PD) =>
(((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
let new_P_wr_data = L_ad_in in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_be_n_ = L_be_ in
let new_P_loadA = P_load in
let new_P_downA = P_down in
let new_P_sizeA = P_size in
let new_P_fsm_state = P_fsm_state in
let new_P_fsm_rst = P_fsm_rst in
let new_P_fsm_mrqt = P_fsm_mrqt in
let new_P_fsm_sack = P_fsm_sack in
let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
let new_P_fsm_crqt_ = P_fsm_crqt_ in
let new_P_fsm_hold_ = P_fsm_hold_ in
let new_P_fsm_lock_ = P_fsm_lock_ in
let new_P_rqt = P_rqt in
let new_P_size = P_size in
let new_P_load = P_load in
let new_P_down = P_down in
let new_P_lock_ = P_lock_ in
let new_P_lock_inh_ = P_lock_inh_ in
let new_P_male_ = P_male_ in
let new_P_rale_ = P_rale_ in
(new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_destl,
new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
);;
let PH_A_out_def = new_definition
('PH_A_out',
"! (P_fsm_state P_fsm_stateA :pfsm_ty)
(P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
(P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
(P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
(P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
PH_A_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
let new_P_fsm_stateA =
((P_fsm_rst) => PA |
((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
((P_fsm_state = PA) =>
((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
((P_fsm_state = PD) =>
(((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
let new_P_wr_data = L_ad_in in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_be_n_ = L_be_ in
let new_P_loadA = P_load in
let new_P_downA = P_down in
let new_P_sizeA = P_size in
let new_P_fsm_state = P_fsm_state in
let new_P_fsm_rst = P_fsm_rst in
let new_P_fsm_mrqt = P_fsm_mrqt in
let new_P_fsm_sack = P_fsm_sack in
let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
let new_P_fsm_crqt_ = P_fsm_crqt_ in
let new_P_fsm_hold_ = P_fsm_hold_ in
let new_P_fsm_lock_ = P_fsm_lock_ in
let new_P_rqt = P_rqt in
let new_P_size = P_size in
let new_P_load = P_load in
let new_P_down = P_down in
let new_P_lock_ = P_lock_ in
let new_P_lock_inh_ = P_lock_inh_ in
let new_P_male_ = P_male_ in
let new_P_rale_ = P_rale_ in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ new_P_fsm_dstate) in
let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
let od0 = ARBN in
let od1 = (MALTER od0 (31,27) new_P_be_) in
let od2 = (ALTER od1 (26) F) in
let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
let I_rale_ = ((new_P_fsm_hlda_) =>
~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
let I_male_ = ((new_P_fsm_hlda_) =>
~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
let I_hlda_ = new_P_fsm_hlda_ in
let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
(L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
I_crqt_, L_ad_out)"
);;
let PH_B_inst_def = new_definition
('PH_B_inst',
"! (P_fsm_state P_fsm_stateA :pfsm_ty)
(P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
(P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
(P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
(P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
PH_B_inst (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
let new_P_rqt = ((p_ale /\ ~(p_sack \/ Rst)) => T |
((~p_ale /\ (p_sack \/ Rst)) => F |
((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
let new_P_load = ~new_P_rqt in
let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
let new_P_size = ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
let new_P_male_ = ((P_fsm_astate) =>
~(~P_destl /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((P_fsm_astate) =>
~(~P_destl /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ = ((Rst) => T |
((P_fsm_dstate) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ = ((Rst) => T |
((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let new_P_fsm_state = P_fsm_stateA in
let new_P_fsm_rst = Rst in
let new_P_fsm_mrqt = (~P_destl /\ new_P_rqt) in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = I_cgnt_ in
let new_P_fsm_crqt_ = ~(P_destl /\ new_P_rqt) in
let new_P_fsm_hold_ = I_hold_ in
let new_P_fsm_lock_ = new_P_lock_ in
let new_P_fsm_stateA = P_fsm_stateA in
let new_P_fsm_astate = P_fsm_astate in
let new_P_fsm_dstate = P_fsm_dstate in
let new_P_fsm_hlda_ = P_fsm_hlda_ in
let new_P_wr_data = P_wr_data in
let new_P_addr = P_addr in
let new_P_destl = P_destl in
let new_P_be_ = P_be_ in
let new_P_wr = P_wr in
let new_P_be_n_ = P_be_n_ in
let new_P_sizeA = P_sizeA in
let new_P_loadA = P_loadA in
let new_P_downA = P_downA in
(new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_destl,
new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
);;
let PH_B_out_def = new_definition
('PH_B_out',
"! (P_fsm_state P_fsm_stateA :pfsm_ty)
(P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_destl P_wr P_loadA P_downA :bool)
(P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
(P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
(P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
PH_B_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_destl, P_be_,
P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
P_lock_inh_, P_male_, P_rale_)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
let new_P_rqt = ((p_ale /\ ~(p_sack \/ Rst)) => T |
((~p_ale /\ (p_sack \/ Rst)) => F |
((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
let new_P_load = ~new_P_rqt in
let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
let new_P_size = ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
let new_P_male_ = ((P_fsm_astate) =>
~(~P_destl /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((P_fsm_astate) =>
~(~P_destl /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ = ((Rst) => T |
((P_fsm_dstate) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ = ((Rst) => T |
((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let new_P_fsm_state = P_fsm_stateA in
let new_P_fsm_rst = Rst in
let new_P_fsm_mrqt = (~P_destl /\ new_P_rqt) in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = I_cgnt_ in
let new_P_fsm_crqt_ = ~(P_destl /\ new_P_rqt) in
let new_P_fsm_hold_ = I_hold_ in
let new_P_fsm_lock_ = new_P_lock_ in
let new_P_fsm_stateA = P_fsm_stateA in
let new_P_fsm_astate = P_fsm_astate in
let new_P_fsm_dstate = P_fsm_dstate in
let new_P_fsm_hlda_ = P_fsm_hlda_ in
let new_P_wr_data = P_wr_data in
let new_P_addr = P_addr in
let new_P_destl = P_destl in
let new_P_be_ = P_be_ in
let new_P_wr = P_wr in
let new_P_be_n_ = P_be_n_ in
let new_P_sizeA = P_sizeA in
let new_P_loadA = P_loadA in
let new_P_downA = P_downA in
let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
let od0 = ARBN in
let od1 = MALTER od0 (31,27) new_P_be_ in
let od2 = ALTER od1 (26) F in
let od3 = MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0)) in
let od4 = MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2)) in
let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
let I_rale_ = ((new_P_fsm_hlda_) =>
~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
let I_male_ = ((new_P_fsm_hlda_) =>
~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
let I_hlda_ = new_P_fsm_hlda_ in
let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in





C.2 M Port Specification
File: m_phase.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the phase-level specification of the M-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.




map new_parent ['maux_def';'aux_def';'array_def';'wordn_def'];;
let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
:^m_state_ty)";;
let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
:^m_env_ty)";;
let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
MB_parity)
:^m_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
Next-state definition for Phase-A instruction.
let PH_A_inst_def = new_definition
('PH_A_inst',
"! (M_fsm_stateA M_fsm_state :mfsm_ty)
(M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
(M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool).
PH_A_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
(ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
I_mrdy_, MB_data_in, Edac_en_, Reset_parity) =
let new_M_fsm_stateA =
((M_fsm_rst) => MI |
((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
((M_fsm_state = MA) =>
((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
((M_fsm_state = MR) =>
((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
((M_fsm_state = MRR) => MI |
((M_fsm_state = MW) =>
((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
((M_fsm_state = MBW) => MW | MILL))))))) in
let new_M_fsm_address = (new_M_fsm_stateA = MA) in
let new_M_fsm_read = (new_M_fsm_stateA = MR) in
let new_M_fsm_write = (new_M_fsm_stateA = MW) in
let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
let new_M_addrA = M_addr in
let new_M_beA = M_be in
let new_M_countA = M_count in
let new_M_rdyA = M_rdy in
let new_M_rd_dataA = M_rd_data in
let new_M_fsm_state = M_fsm_state in
let new_M_fsm_male_ = M_fsm_male_ in
let new_M_fsm_rd = M_fsm_rd in
let new_M_fsm_bw = M_fsm_bw in
let new_M_fsm_ww = M_fsm_ww in
let new_M_fsm_last_ = M_fsm_last_ in
let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
let new_M_fsm_rst = M_fsm_rst in
let new_M_se = M_se in
let new_M_wr = M_wr in





let new..M_wwdel = M_wwdel in
let new_M_parity = M_parity in
let new..M_rd_data = M_rd_data in
let new. M_detect = M_detect in
(new_M_fsm_stateA, new_.M_fsm_address, aew_M_f_L.read, new_.M_fsm_write, new_M_fsm_byte_write,
ncw_.IVl_fsm_mem_euable, new..M_addrA, new M_beA, new.._M countA, new_M_rdyA, new_M_rd_dataA,
new_M..fsm_state, new_M_fsm..male_, new_M_fsm_rd, new_.M_fsm..bw, new._l_fsm ww, new_M_fsm_last..,
new M fsm mrdy__ new..M..fsm_ze__cnt, new_M_fsm_rst, new_M_se, new M_wr, new_M_addr, new_M_be,
new_M_count, new_M_.rdy, aew_M_wwdel, newM_parity, new..M__rd_data, new_M_detect)"
);,
let PH_A_out_def = new_definition
('PH_A_out',
"! (M_fsm_stateA M_fsm_state :mfsm_ty)
(M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
(M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
  M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
  M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
(rep:^rep_ty).
PH_A_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
  M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
  M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  rep =
let new_M_fsm_stateA =
  ((M_fsm_rst) => MI |
  ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
  ((M_fsm_state = MA) =>
    ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
    ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
  ((M_fsm_state = MR) =>
    ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
    ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
    ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
  ((M_fsm_state = MRR) => MI |
  ((M_fsm_state = MW) =>
    ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
    ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
  ((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_M_fsm_address = (new_M_fsm_stateA = MA) in
let new_M_fsm_read = (new_M_fsm_stateA = MR) in
let new_M_fsm_write = (new_M_fsm_stateA = MW) in
let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
let new_M_addrA = M_addr in
let new_M_beA = M_be in
let new_M_countA = M_count in
let new_M_rdyA = M_rdy in
let new_M_rd_dataA = M_rd_data in
let new_M_fsm_state = M_fsm_state in
let new_M_fsm_male_ = M_fsm_male_ in
let new_M_fsm_rd = M_fsm_rd in
let new_M_fsm_bw = M_fsm_bw in
let new_M_fsm_ww = M_fsm_ww in
let new_M_fsm_last_ = M_fsm_last_ in
let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
let new_M_fsm_rst = M_fsm_rst in
let new_M_se = M_se in
let new_M_wr = M_wr in
let new_M_addr = M_addr in
let new_M_be = M_be in
let new_M_count = M_count in
let new_M_rdy = M_rdy in
let new_M_wwdel = M_wwdel in
let new_M_parity = M_parity in
let new_M_rd_data = M_rd_data in
let new_M_detect = M_detect in
let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1)))
  \/ (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let mb_data_7_0 =
  ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
let mb_data_15_8 =
  ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
let mb_data_23_16 =
  ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
let mb_data_31_24 =
  ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in




let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom)
  /\ ~Disable_writes
  /\ (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
let MB_oe_ = ~((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
let MB_parity = new_M_parity in
(I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
);;
let PH_B_inst_def = new_definition
('PH_B_inst',
"! (M_fsm_stateA M_fsm_state :mfsm_ty)
(M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
(M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
  M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
  M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
(rep:^rep_ty).
PH_B_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
  M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
  M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  rep =
let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
let new_M_addr =
  ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
  ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
let new_M_count =
  ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
  ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
  \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
  (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
  ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
let new_M_parity =
  ((m_error /\ ~(Rst \/ Reset_parity)) => T |
  ((~m_error /\ (Rst \/ Reset_parity)) => F |
  ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
let new_M_fsm_state = M_fsm_stateA in
let new_M_fsm_male_ = I_male_ in
let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_last_ = I_last_ in
let new_M_fsm_mrdy_ = I_mrdy_ in
let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
let new_M_fsm_rst = Rst in
let new_M_fsm_stateA = M_fsm_stateA in
let new_M_fsm_address = M_fsm_address in
let new_M_fsm_read = M_fsm_read in
let new_M_fsm_write = M_fsm_write in
let new_M_fsm_byte_write = M_fsm_byte_write in
let new_M_fsm_mem_enable = M_fsm_mem_enable in
let new_M_addrA = M_addrA in
let new_M_beA = M_beA in
let new_M_countA = M_countA in
let new_M_rdyA = M_rdyA in
let new_M_rd_dataA = M_rd_dataA in
(new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
  new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
  new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
  new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
  new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
);;
let PH_B_out_def = new_definition
('PH_B_out',
"! (M_fsm_stateA M_fsm_state :mfsm_ty)
(M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
(M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
  M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
  M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
(rep:^rep_ty).
PH_B_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
  M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
  M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  rep =
let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
let new_M_addr =
  ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
  ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
let new_M_count =
  ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
  ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
  \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
  (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
  ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
let new_M_parity =
  ((m_error /\ ~(Rst \/ Reset_parity)) => T |
  ((~m_error /\ (Rst \/ Reset_parity)) => F |
  ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
let new_M_fsm_state = M_fsm_stateA in
let new_M_fsm_male_ = I_male_ in
let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
let new_M_fsm_last_ = I_last_ in
let new_M_fsm_mrdy_ = I_mrdy_ in
let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
let new_M_fsm_rst = Rst in
let new_M_fsm_stateA = M_fsm_stateA in
let new_M_fsm_address = M_fsm_address in
let new_M_fsm_read = M_fsm_read in
let new_M_fsm_write = M_fsm_write in
let new_M_fsm_byte_write = M_fsm_byte_write in
let new_M_fsm_mem_enable = M_fsm_mem_enable in
let new_M_addrA = M_addrA in
let new_M_beA = M_beA in
let new_M_countA = M_countA in
let new_M_rdyA = M_rdyA in
let new_M_rd_dataA = M_rd_dataA in
let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1)))
  \/ (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let mb_data_7_0 =
  ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
let mb_data_15_8 =
  ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
let mb_data_23_16 =
  ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
let mb_data_31_24 =
  ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in




let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom)
  /\ ~Disable_writes
  /\ (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
let MB_oe_ = ~((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
let MB_parity = new_M_parity in
(I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
);;
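The memory-port state machine given by new_M_fsm_stateA in the phase-A definitions above can be explored exhaustively outside HOL. The Python model below is an added example, not part of the report's source: it transcribes only that next-state expression, treats the eight latched M_fsm_* inputs as free booleans (an over-approximation, since the design derives rd, bw and ww from M_wr and M_be), and its function names, dictionary keys and sample trace are this example's own.

```python
from itertools import product

# State names as they appear in the listing (type mfsm_ty); M_ILL is the catch-all.
MI, MA, MR, MRR, MW, MBW, M_ILL = "MI", "MA", "MR", "MRR", "MW", "MBW", "M_ILL"
LEGAL = (MI, MA, MR, MRR, MW, MBW)
INPUTS = ("rst", "male_", "mrdy_", "last_", "rd", "bw", "ww", "zero_cnt")
# Constructed idle input vector: active-low strobes deasserted, nothing requested.
IDLE = dict(rst=False, male_=True, mrdy_=True, last_=True,
            rd=False, bw=False, ww=False, zero_cnt=False)


def next_state(state, rst, male_, mrdy_, last_, rd, bw, ww, zero_cnt):
    """Transcription of new_M_fsm_stateA; arguments mirror the M_fsm_* latches."""
    if rst:
        return MI
    if state == MI:
        return MA if not male_ else MI
    if state == MA:
        if not mrdy_ and ww:
            return MW
        if not mrdy_ and (rd or bw):
            return MR
        return MA
    if state == MR:
        if bw and zero_cnt:
            return MBW
        if last_ and rd and zero_cnt:
            return MA
        if not last_ and rd and zero_cnt:
            return MRR
        return MR
    if state == MRR:
        return MI
    if state == MW:
        if not last_ and zero_cnt:
            return MI
        if last_ and zero_cnt:
            return MA
        return MW
    if state == MBW:
        return MW
    return M_ILL


def decode(state):
    """The five strobes the listing derives from the new state."""
    return {"address": state == MA, "read": state == MR, "write": state == MW,
            "byte_write": state == MBW, "mem_enable": state != MI}


def all_inputs():
    for bits in product((False, True), repeat=len(INPUTS)):
        yield dict(zip(INPUTS, bits))


def successors(state):
    return {next_state(state, **vec) for vec in all_inputs()}


def reachable(start=MI):
    """States reachable from `start` under every input sequence."""
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(successors(s))
    return seen


def closed_over_legal_states():
    """No legal state can step into M_ILL, whatever the inputs are."""
    return all(successors(s) <= set(LEGAL) for s in LEGAL)


def reset_dominates():
    """With rst asserted every state, M_ILL included, goes to MI."""
    return all(next_state(s, **dict(vec, rst=True)) == MI
               for s in LEGAL + (M_ILL,) for vec in all_inputs())


def run(trace, start=MI):
    """Apply a list of partial input vectors (defaults from IDLE); return visited states."""
    states, s = [], start
    for step in trace:
        s = next_state(s, **dict(IDLE, **step))
        states.append(s)
    return states


# Constructed byte-write trace: address, read, byte-merge, write, back to idle.
BYTE_WRITE = [{"male_": False}, {"mrdy_": False, "bw": True},
              {"bw": True, "zero_cnt": True}, {}, {"last_": False, "zero_cnt": True}]

if __name__ == "__main__":
    print("reachable:", sorted(reachable()))
    print("closed:", closed_over_legal_states(), "reset:", reset_dominates())
    print("byte write:", run(BYTE_WRITE))
```

M_ILL is absorbing without reset in this model, so the closure check is what shows it cannot be entered from the six named states.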
C.3 R Port Specification
File: r_phase.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the phase-level specification of the R-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.




map new_parent ['raux_def';'aux_def';'array_def';'wordn_def'];;







let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
  R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
  R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
  R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
  R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
  R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
  R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
  R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
  R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
  R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
  R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
  R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
  R_sr_rden)
  :^r_state_ty)";;
let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
  wordn#wordn#wordn#bool#bool#wordn)";;
let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
  Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
  :^r_env_ty)";;
let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
  :^r_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let PH_A_inst_def = new_definition
('PH_A_inst',
"! (rep:^rep_ty)
(R_fsm_stateA R_fsm_state :rfsm_ty)
(R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
  R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
  R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
  R_ccr R_gcr R_sr :wordn)
(R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
  R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
  R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
  R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
  R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
  R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
  R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
  R_sr_rden :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
  CB_parity MB_parity :bool).
PH_A_inst rep
  (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
  R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
  R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
  R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
  R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
  R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
  R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
  R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
  R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
  R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
  R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
  R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
  R_sr_rden)
  (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
  Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_stateA =
  ((R_fsm_rst) => RI |
  ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
  ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
  ((~R_fsm_last_) => RI | RA)))) in
let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_R_cntlatch_delA = R_cntlatch_del in
let new_R_srdy_delA_ = R_srdy_del_ in
let new_R_reg_selA = R_reg_sel in
let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
let new_R_ctr0_cin = T in
let new_R_ctr0_outA = R_ctr0_new in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_ce = T in
let new_R_ctr1_cin = R_ctr0_cry in
let new_R_ctr1_outA = R_ctr1_new in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
let new_R_ctr2_cin = T in
let new_R_ctr2_outA = R_ctr2_new in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_ce = T in
let new_R_ctr3_cin = R_ctr2_cry in
let new_R_ctr3_outA = R_ctr3_new in
let new_R_icr_loadA = R_icr_load in
let new_R_icr_oldA =
  (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
let new_R_icrA =
  ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
  ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
  ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
  ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
  ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
  ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
  ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
  ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_disA = R_int0_dis in
let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
  ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
  ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
  ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
  ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
  ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
  ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
  ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_disA = R_int3_dis in
let new_R_c01_cout = R_ctr1_cry in
let new_R_c01_cout_delA = R_c01_cout_del in
let new_R_c23_cout = R_ctr3_cry in
let new_R_c23_cout_delA = R_c23_cout_del in
let new_R_busA_latch =
  (((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr |
  ((R_sr_rden) => R_sr | ARBN))))))))))))) in
let new_R_fsm_state = R_fsm_state in
let new_R_fsm_ale_ = R_fsm_ale_ in
let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
let new_R_fsm_last_ = R_fsm_last_ in
let new_R_fsm_rst = R_fsm_rst in
let new_R_int0_dis = R_int0_dis in
let new_R_int3_dis = R_int3_dis in
let new_R_c01_cout_del = R_c01_cout_del in
let new_R_int1_en = R_int1_en in
let new_R_c23_cout_del = R_c23_cout_del in
let new_R_int2_en = R_int2_en in
let new_R_wr = R_wr in
let new_R_cntlatch_del = R_cntlatch_del in
let new_R_srdy_del_ = R_srdy_del_ in
let new_R_reg_sel = R_reg_sel in
let new_R_ctr0_in = R_ctr0_in in
let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
let new_R_ctr0_irden = R_ctr0_irden in
let new_R_ctr0_cry = R_ctr0_cry in
let new_R_ctr0_new = R_ctr0_new in
let new_R_ctr0_out = R_ctr0_out in
let new_R_ctr0_orden = R_ctr0_orden in
let new_R_ctr1_in = R_ctr1_in in
let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
let new_R_ctr1_irden = R_ctr1_irden in
let new_R_ctr1_cry = R_ctr1_cry in
let new_R_ctr1_new = R_ctr1_new in
let new_R_ctr1_out = R_ctr1_out in
let new_R_ctr1_orden = R_ctr1_orden in
let new_R_ctr2_in = R_ctr2_in in
let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
let new_R_ctr2_irden = R_ctr2_irden in
let new_R_ctr2_cry = R_ctr2_cry in
let new_R_ctr2_new = R_ctr2_new in
let new_R_ctr2_out = R_ctr2_out in
let new_R_ctr2_orden = R_ctr2_orden in
let new_R_ctr3_in = R_ctr3_in in
let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
let new_R_ctr3_irden = R_ctr3_irden in
let new_R_ctr3_cry = R_ctr3_cry in
let new_R_ctr3_new = R_ctr3_new in
let new_R_ctr3_out = R_ctr3_out in
let new_R_ctr3_orden = R_ctr3_orden in
let new_R_icr_load = R_icr_load in
let new_R_icr_old = R_icr_old in
let new_R_icr_mask = R_icr_mask in
let new_R_icr = R_icr in
let new_R_icr_rden = R_icr_rden in
let new_R_ccr = R_ccr in
let new_R_ccr_rden = R_ccr_rden in
let new_R_gcr = R_gcr in
let new_R_gcr_rden = R_gcr_rden in
let new_R_sr = R_sr in
let new_R_sr_rden = R_sr_rden in
(new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
  new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
  new_R_cntlatch_delA, new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin,
  new_R_ctr0_outA, new_R_ctr1, new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA, new_R_ctr2,
  new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA, new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin,
  new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA, new_R_busA_latch, new_R_fsm_state,
  new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_int0_dis, new_R_int3_dis,
  new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en, new_R_wr,
  new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel,
  new_R_ctr0_irden, new_R_ctr0_cry, new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in,
  new_R_ctr1_mux_sel, new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out,
  new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry,
  new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel,
  new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out, new_R_ctr3_orden,
  new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr,
  new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
);;
%----------------------------------------------------------------------------
Output definition for Phase-A instruction.
----------------------------------------------------------------------------%
let PH_A_out_def = new_definition
('PH_A_out',
"! (rep:^rep_ty)
(R_fsm_stateA R_fsm_state :rfsm_ty)
(R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
  R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
  R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
  R_ccr R_gcr R_sr :wordn)
(R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
  R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
  R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
  R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
  R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
  R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
  R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
  R_sr_rden :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
  CB_parity MB_parity :bool).
PH_A_out rep
  (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
  R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
  R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
  R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
  R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
  R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
  R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
  R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
  R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
  R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
  R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
  R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
  R_sr_rden)
  (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
  Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_stateA =
  ((R_fsm_rst) => RI |
  ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
  ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
  ((~R_fsm_last_) => RI | RA)))) in
let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_R_cntlatch_delA = R_cntlatch_del in
let new_R_srdy_delA_ = R_srdy_del_ in
let new_R_reg_selA = R_reg_sel in
let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
let new_R_ctr0_cin = T in
let new_R_ctr0_outA = R_ctr0_new in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_ce = T in
let new_R_ctr1_cin = R_ctr0_cry in
let new_R_ctr1_outA = R_ctr1_new in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
let new_R_ctr2_cin = T in
let new_R_ctr2_outA = R_ctr2_new in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_ce = T in
let new_R_ctr3_cin = R_ctr2_cry in
let new_R_ctr3_outA = R_ctr3_new in
let new_R_icr_loadA = R_icr_load in
let new_R_icr_oldA =
  (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
let new_R_icrA =
  ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
  ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
  ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
  ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
  ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
  ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
  ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
  ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_disA = R_int0_dis in
let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
  ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
  ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
  ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
  ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
  ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
  ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
  ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_disA = R_int3_dis in
let new_R_c01_cout = R_ctr1_cry in
let new_R_c01_cout_delA = R_c01_cout_del in
let new_R_c23_cout = R_ctr3_cry in
let new_R_c23_cout_delA = R_c23_cout_del in
let new_R_busA_latch =
  (((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr |
  ((R_sr_rden) => R_sr | ARBN))))))))))))) in
let new_R_fsm_state = R_fsm_state in
let new_R_fsm_ale_ = R_fsm_ale_ in
let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
let new_R_fsm_last_ = R_fsm_last_ in
let new_R_fsm_rst = R_fsm_rst in
let new_R_int0_dis = R_int0_dis in
let new_R_int3_dis = R_int3_dis in
let new_R_c01_cout_del = R_c01_cout_del in
let new_R_int1_en = R_int1_en in
let new_R_c23_cout_del = R_c23_cout_del in
let new_R_int2_en = R_int2_en in
let new_R_wr = R_wr in
let new_R_cntlatch_del = R_cntlatch_del in
let new_R_srdy_del_ = R_srdy_del_ in
let new_R_reg_sel = R_reg_sel in
let new_R_ctr0_in = R_ctr0_in in
let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
let new_R_ctr0_irden = R_ctr0_irden in
let new_R_ctr0_cry = R_ctr0_cry in
let new_R_ctr0_new = R_ctr0_new in
let new_R_ctr0_out = R_ctr0_out in
let new_R_ctr0_orden = R_ctr0_orden in
let new_R_ctr1_in = R_ctr1_in in
let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
let new_R_ctr1_irden = R_ctr1_irden in
let new_R_ctr1_cry = R_ctr1_cry in
let new_R_ctr1_new = R_ctr1_new in
let new_R_ctr1_out = R_ctr1_out in
let new_R_ctr1_orden = R_ctr1_orden in
let new_R_ctr2_in = R_ctr2_in in
let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
let new_R_ctr2_irden = R_ctr2_irden in
let new_R_ctr2_cry = R_ctr2_cry in
let new_R_ctr2_new = R_ctr2_new in
let new_R_ctr2_out = R_ctr2_out in
let new_R_ctr2_orden = R_ctr2_orden in
let new_R_ctr3_in = R_ctr3_in in
let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
let new_R_ctr3_irden = R_ctr3_irden in
let new_R_ctr3_cry = R_ctr3_cry in
let new_R_ctr3_new = R_ctr3_new in
let new_R_ctr3_out = R_ctr3_out in
let new_R_ctr3_orden = R_ctr3_orden in
let new_R_icr_load = R_icr_load in
let new_R_icr_old = R_icr_old in
let new_R_icr_mask = R_icr_mask in
let new_R_icr = R_icr in
let new_R_icr_rden = R_icr_rden in
let new_R_ccr = R_ccr in
let new_R_ccr_rden = R_ccr_rden in
let new_R_gcr = R_gcr in
let new_R_gcr_rden = R_gcr_rden in
let new_R_sr = R_sr in
let new_R_sr_rden = R_sr_rden in
let I_ad_out = ((~new_R_wr /\ ((new_R_fsm_stateA = RA) \/ (new_R_fsm_stateA = RD))) => new_R_busA_latch | ARBN) in
let I_srdy_ = (((new_R_fsm_stateA = RD) \/ ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_ | ARB) in
let Int0_ = ~(new_R_int0_en /\ ~new_R_int0_disA /\ ~Disable_int) in
let Int1 = (new_R_c01_cout /\ new_R_int1_en /\ ~Disable_int) in
let Int2 = (new_R_c23_cout /\ new_R_int2_en /\ ~Disable_int) in
let Int3_ = ~(new_R_int3_en /\ ~new_R_int3_disA /\ ~Disable_int) in
let Ccr = new_R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
(I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);;
%------------------------------------------------------------------------------
Next-state definition for Phase-B instruction.
------------------------------------------------------------------------------%





(R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
R_ccr R_gcr R_sr :wordn)
(R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
R_sr_rden :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
CB_parity MB_parity :bool).
PH_B_inst rep
(R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
R_sr_rden)
(ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_srdy_del_ = R_fsm_srdy_ in
let new_R_reg_sel =
((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
let new_R_cntlatch_del = R_fsm_cntlatch in
let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
let r_write = (~Disable_writes /\ new_R_wr /\ (R_fsm_stateA = RD)) in
let r_read = (~new_R_wr /\ (R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
let new_R_ccr = ((r_write /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_read /\ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_write /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_read /\ (r_reg_sel = (WORDN 2))) in
let new_R_ctr0_in = ((r_write /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
let new_R_ctr0_irden = (r_read /\ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0_new = ((R_ctr0_ce /\ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = (R_ctr0_ce /\ R_ctr0_cin /\ (ONES 31 R_ctr0)) in
let new_R_ctr0_out = ((R_fsm_cntlatch) => R_ctr0_outA | R_ctr0_out) in
let new_R_ctr0_orden = (r_read /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_write /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
let new_R_ctr1_irden = (r_read /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1_new = ((R_ctr1_ce /\ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = (R_ctr1_ce /\ R_ctr1_cin /\ (ONES 31 R_ctr1)) in
let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
let new_R_ctr1_orden = (r_read /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_write /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
let new_R_ctr2_irden = (r_read /\ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2_new = ((R_ctr2_ce /\ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = (R_ctr2_ce /\ R_ctr2_cin /\ (ONES 31 R_ctr2)) in
let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
let new_R_ctr2_orden = (r_read /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_write /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
let new_R_ctr3_irden = (r_read /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3_new = ((R_ctr3_ce /\ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = (R_ctr3_ce /\ R_ctr3_cin /\ (ONES 31 R_ctr3)) in
let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
let new_R_ctr3_orden = (r_read /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
let new_R_icr_mask =
((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
let new_R_icr_rden = ((R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_read /\ (r_reg_sel = (WORDN 4))) in
let new_R_int0_dis = R_int0_en in
let new_R_int3_dis = R_int3_en in
let new_R_c01_cout_del = R_c01_cout in
let new_R_c23_cout_del = R_c23_cout in
let new_R_int1_en =
((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_int2_en =
((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_fsm_state = R_fsm_stateA in
let new_R_fsm_ale_ = I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_ in
let new_R_fsm_last_ = I_last_ in
let new_R_fsm_rst = Rst in
let new_R_fsm_stateA = R_fsm_stateA in
let new_R_fsm_cntlatch = R_fsm_cntlatch in
let new_R_fsm_srdy_ = R_fsm_srdy_ in
let new_R_int0_en = R_int0_en in
let new_R_int0_disA = R_int0_disA in
let new_R_int3_en = R_int3_en in
let new_R_int3_disA = R_int3_disA in
let new_R_c01_cout = R_c01_cout in
let new_R_c01_cout_delA = R_c01_cout_delA in
let new_R_c23_cout = R_c23_cout in
let new_R_c23_cout_delA = R_c23_cout_delA in
let new_R_cntlatch_delA = R_cntlatch_delA in
let new_R_srdy_delA_ = R_srdy_delA_ in
let new_R_reg_selA = R_reg_selA in
let new_R_ctr0 = R_ctr0 in
let new_R_ctr0_ce = R_ctr0_ce in
let new_R_ctr0_cin = R_ctr0_cin in
let new_R_ctr0_outA = R_ctr0_outA in
let new_R_ctr1 = R_ctr1 in
let new_R_ctr1_ce = R_ctr1_ce in
let new_R_ctr1_cin = R_ctr1_cin in
let new_R_ctr1_outA = R_ctr1_outA in
let new_R_ctr2 = R_ctr2 in
let new_R_ctr2_ce = R_ctr2_ce in
let new_R_ctr2_cin = R_ctr2_cin in
let new_R_ctr2_outA = R_ctr2_outA in
let new_R_ctr3 = R_ctr3 in
let new_R_ctr3_ce = R_ctr3_ce in
let new_R_ctr3_cin = R_ctr3_cin in
let new_R_ctr3_outA = R_ctr3_outA in
let new_R_icr_loadA = R_icr_loadA in
let new_R_icr_oldA = R_icr_oldA in
let new_R_icrA = R_icrA in
let new_R_busA_latch = R_busA_latch in
(new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
new_R_cntlatch_delA,
new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA, new_R_ctr1,
new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA,
new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA,
new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst,
new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
new_R_wr,
new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden,
new_R_ctr0_cry, new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel,
new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in,
new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden,
new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out,
new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr,
new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
);;
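The status-register packing (the sr28 ... sr28_0 chain) and the register-select decode (r_write, r_read) of the definition above, as an added Python model that is not part of the report's HOL source. It assumes 32-bit words, takes the ARBN bits as caller-supplied filler, and uses "RA"/"RD" strings and "write:" labels that are hypothetical names.

```python
# Added example: Python model of two pieces of the Phase-B definition above.
# Assumptions (not from the report): words are 32 bits wide, ARBN bits are
# modelled as caller-supplied filler, FSM states are the strings "RA"/"RD",
# and the "write:<reg>" labels are hypothetical names for the write paths.

# Status-register fields in the order the ALTER/MALTER chain applies them.
SR_FIELDS = [  # (input name, high bit, low bit)
    ("MB_parity", 28, 28), ("C_ss", 27, 25), ("CB_parity", 24, 24),
    ("ChannelID", 23, 22), ("Id", 21, 16), ("S_state", 15, 12),
    ("Pmm_fail", 9, 9), ("Piu_fail", 8, 8),
    ("Reset_cpu", 3, 2), ("Cpu_fail", 1, 0),
]

# Constructed sample inputs (not taken from the report).
SAMPLE = {"MB_parity": 1, "C_ss": 5, "CB_parity": 0, "ChannelID": 2, "Id": 42,
          "S_state": 9, "Pmm_fail": 1, "Piu_fail": 0, "Reset_cpu": 1, "Cpu_fail": 3}


def malter(word, hi, lo, value):
    """Model of ALTER/MALTER: overwrite bits hi..lo of word with value."""
    width = hi - lo + 1
    if not 0 <= value < (1 << width):
        raise ValueError(f"{value:#x} does not fit in bits {hi}:{lo}")
    mask = ((1 << width) - 1) << lo
    return (word & ~mask) | (value << lo)


def pack_sr(inputs, arbn=0):
    """Word latched into R_sr when R_fsm_cntlatch is set (sr28_0)."""
    word = arbn & 0xFFFFFFFF
    for name, hi, lo in SR_FIELDS:
        word = malter(word, hi, lo, int(inputs[name]))
    return word


def unpack_sr(word):
    """Split a status word back into the fields the definition drives."""
    return {name: (word >> lo) & ((1 << (hi - lo + 1)) - 1)
            for name, hi, lo in SR_FIELDS}


def sr_defined_mask():
    """Bits the definition drives; every other bit is left to ARBN."""
    mask = 0
    for _, hi, lo in SR_FIELDS:
        mask = malter(mask, hi, lo, (1 << (hi - lo + 1)) - 1)
    return mask


def decode(reg_sel, wr, state, disable_writes):
    """Register-file paths selected for one access, per r_write / r_read."""
    r_write = (not disable_writes) and wr and state == "RD"
    r_read = (not wr) and state == "RA"
    hit = set()
    if r_write:
        if reg_sel in (0, 1):
            hit |= {"write:R_icr_mask", "R_icr_load"}
        elif reg_sel == 2:
            hit.add("write:R_gcr")
        elif reg_sel == 3:
            hit.add("write:R_ccr")
        elif 8 <= reg_sel <= 11:
            hit.add(f"write:R_ctr{reg_sel - 8}_in")
        # reg_sel 4 (status) and 12..15 (counter outputs) have no write path.
    if r_read:
        if reg_sel in (2, 3, 4):
            hit.add({2: "R_gcr_rden", 3: "R_ccr_rden", 4: "R_sr_rden"}[reg_sel])
        elif 8 <= reg_sel <= 11:
            hit.add(f"R_ctr{reg_sel - 8}_irden")
        elif 12 <= reg_sel <= 15:
            hit.add(f"R_ctr{reg_sel - 12}_orden")
    # R_icr_rden is keyed on the RA state alone in both copies of the definition.
    if state == "RA" and reg_sel in (0, 1):
        hit.add("R_icr_rden")
    return hit
```

When comparing status words from two models, compare them under sr_defined_mask(), since the definition leaves the remaining bits unspecified.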




(R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
R_ccr R_gcr R_sr :wordn)
(R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
R_sr_rden :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
CB_parity MB_parity :bool).
PH_B_out rep
(R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
R_sr_rden)
(ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_srdy_del_ = R_fsm_srdy_ in
let new_R_reg_sel =
((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
let new_R_cntlatch_del = R_fsm_cntlatch in
let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
let r_write = (~Disable_writes /\ new_R_wr /\ (R_fsm_stateA = RD)) in
let r_read = (~new_R_wr /\ (R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
let new_R_ccr = ((r_write /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_read /\ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_write /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_read /\ (r_reg_sel = (WORDN 2))) in
let new_R_ctr0_in = ((r_write /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
let new_R_ctr0_irden = (r_read /\ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0_new = ((R_ctr0_ce /\ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = (R_ctr0_ce /\ R_ctr0_cin /\ (ONES 31 R_ctr0)) in
let new_R_ctr0_out = ((R_fsm_cntlatch) => R_ctr0_outA | R_ctr0_out) in
let new_R_ctr0_orden = (r_read /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_write /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
let new_R_ctr1_irden = (r_read /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1_new = ((R_ctr1_ce /\ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = (R_ctr1_ce /\ R_ctr1_cin /\ (ONES 31 R_ctr1)) in
let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
let new_R_ctr1_orden = (r_read /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_write /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
let new_R_ctr2_irden = (r_read /\ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2_new = ((R_ctr2_ce /\ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = (R_ctr2_ce /\ R_ctr2_cin /\ (ONES 31 R_ctr2)) in
let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
let new_R_ctr2_orden = (r_read /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_write /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
let new_R_ctr3_irden = (r_read /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3_new = ((R_ctr3_ce /\ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = (R_ctr3_ce /\ R_ctr3_cin /\ (ONES 31 R_ctr3)) in
let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
let new_R_ctr3_orden = (r_read /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
let new_R_icr_mask =
((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
let new_R_icr_rden = ((R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_read /\ (r_reg_sel = (WORDN 4))) in
let new_R_int0_dis = R_int0_en in
let new_R_int3_dis = R_int3_en in
let new_R_c01_cout_del = R_c01_cout in
let new_R_c23_cout_del = R_c23_cout in
let new_R_int1_en =
((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
/\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_int2_en =
((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
/\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_fsm_state = R_fsm_stateA in
let new_R_fsm_ale_ = I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_ in
let new_R_fsm_last_ = I_last_ in
let new_R_fsm_rst = Rst in
let new_R_fsm_stateA = R_fsm_stateA in
let new_R_fsm_cntlatch = R_fsm_cntlatch in
let new_R_fsm_srdy_ = R_fsm_srdy_ in
let new_R_int0_en = R_int0_en in
let new_R_int0_disA = R_int0_disA in
let new_R_int3_en = R_int3_en in
let new_R_int3_disA = R_int3_disA in
let new_R_c01_cout = R_c01_cout in
let new_R_c01_cout_delA = R_c01_cout_delA in
let new_R_c23_cout = R_c23_cout in
let new_R_c23_cout_delA = R_c23_cout_delA in
let new_R_cntlatch_delA = R_cntlatch_delA in
let new_R_srdy_delA_ = R_srdy_delA_ in
let new_R_reg_selA = R_reg_selA in
let new_R_ctr0 = R_ctr0 in
let new_R_ctr0_ce = R_ctr0_ce in
let new_R_ctr0_cin = R_ctr0_cin in
let new_R_ctr0_outA = R_ctr0_outA in
let new_R_ctr1 = R_ctr1 in
let new_R_ctr1_ce = R_ctr1_ce in
let new_R_ctr1_cin = R_ctr1_cin in
let new_R_ctr1_outA = R_ctr1_outA in
let new_R_ctr2 = R_ctr2 in
let new_R_ctr2_ce = R_ctr2_ce in
let new_R_ctr2_cin = R_ctr2_cin in
let new_R_ctr2_outA = R_ctr2_outA in
let new_R_ctr3 = R_ctr3 in
let new_R_ctr3_ce = R_ctr3_ce in
let new_R_ctr3_cin = R_ctr3_cin in
let new_R_ctr3_outA = R_ctr3_outA in
let new_R_icr_loadA = R_icr_loadA in
let new_R_icr_oldA = R_icr_oldA in
let new_R_icrA = R_icrA in
let new_R_busA_latch = R_busA_latch in
let I_ad_out = ((~new_R_wr /\ ((new_R_fsm_stateA = RA) \/ (new_R_fsm_stateA = RD))) => new_R_busA_latch | ARBN) in
let I_srdy_ = (((new_R_fsm_stateA = RD) \/ ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_ | ARB) in
let Int0_ = ~(new_R_int0_en /\ ~new_R_int0_disA /\ ~Disable_int) in
let Int1 = (new_R_c01_cout /\ new_R_int1_en /\ ~Disable_int) in
let Int2 = (new_R_c23_cout /\ new_R_int2_en /\ ~Disable_int) in
let Int3_ = ~(new_R_int3_en /\ ~new_R_int3_disA /\ ~Disable_int) in
let Ccr = new_R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Pmm_invalid = (ELEMENT new_R_gcr (28)) in




C.4 C Port Specification
File: c_phase.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the phase-level specification of the C-Port of the VFEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.




map new_parent [`caux_def`;`aux_def`;`array_def`;`wordn_def`];;
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;









bool#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#wordn)";;
let c_state = "((C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
C_mfsm_ma1,
C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C_mfsm_m_cout_sel0,
C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity,
C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0,
C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity,
C_efsm_stateA, C_efsm_srdy_en,
C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA,
C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2,
C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
:^c_state_ty)";;
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
I_lock_, I_cale_, I_hlda_, I_crqt_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr,
Reset_error)
:^c_env_ty)";;
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
bool#wordn#wordn#wordn#wordn#bool#bool)";;
let c_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
I_ad_out, I_be_out_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
:^c_out_ty)";;
let rep_ty = abstract_type `aux_def` `Andn`;;
let PH_A_inst_def = new_definition
(`PH_A_inst`,
"! (rep:^rep_ty)
(C_mfsm_stateA C_mfsm_state :cmfsm_ty)
(C_sfsm_stateA C_sfsm_state :csfsm_ty)
(C_efsm_stateA C_efsm_state :cefsm_ty)
(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
C_source C_data_in C_iad_in :wordn)
(C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
C_efsm_srdy_en
C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
C_rrdy C_parity :bool)
(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
Disable_writes CB_parity :bool).
PH_A_inst rep
(C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_mfsm_stateA =
((C_mfsm_rst) => CMI |
((C_mfsm_state = CMI) => (C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~C_mfsm_busy /\ ~C_mfsm_invalid) => CMR | CMI |
((C_mfsm_state = CMR) => (C_mfsm_D /\ C_mfsm_grant /\ C_mfsm_hold_) => CMA3 | CMR |
((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
((C_mfsm_state = CMA1) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
((C_mfsm_state = CMA0) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
((C_mfsm_state = CMA2) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
((C_mfsm_state = CMD1) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
((C_mfsm_state = CMD0) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_mfsm_last_) => CMD1 |
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_last_) => CMW |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
((C_mfsm_state = CMW) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
(C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_mfsm_lock_) => CMI |
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_lock_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
((~C_mfsm_last_) => CMI | CMABT))))))))))) in
let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
\/ ((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
\/ ((new_C_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~C_mfsm_write
/\ C_mfsm_srdy_en)) in
let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA2)) in
let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
\/ (new_C_mfsm_stateA = CMD1)) in
let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1) \/
(new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2) \/
(new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0) \/
(new_C_mfsm_stateA = CMW) \/ (new_C_mfsm_stateA = CMABT))) in
let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) \/ (new_C_mfsm_stateA = CMA0) \/
(new_C_mfsm_stateA = CMA2) \/ (new_C_mfsm_stateA = CMD1) \/
((new_C_mfsm_stateA = CMD0) /\ C_mfsm_last_) \/ (new_C_mfsm_stateA = CMW) \/
(new_C_mfsm_stateA = CMABT))) in
let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_last_) \/
((new_C_mfsm_stateA = CMW) /\ C_mfsm_lock_) \/ (new_C_mfsm_stateA = CMABT))) in
let new_C_mfsm_ms = ms0 in
let new_C_mfsm_rqt_ = ~(~(new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) /\ (~(new_C_mfsm_stateA = CMR))) in
let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) \/ (new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
\/ (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2)
\/ (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0)
\/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0)
\/ (C_mfsm_state = CMA2) \/ (C_mfsm_state = CMD1)) in
let new_C_sfsm_stateA =
((C_sfsm_rst) => CSI |
(C_sfsm_state = CSI) => ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART)
/\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 | CSI) |
(C_sfsm_state = CSL) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 |
(C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ ~C_sfsm_addressed) => CSI |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
(C_sfsm_state = CSA1) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
(C_sfsm_state = CSA0) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
(C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
(C_sfsm_state = CSAOW) =>
((C_sfsm_D A (C._sfsm_ms = ^MRDY) A .-C_sfsm h]da_) => CSALE l
(C_sfsm_D A (C sfsm_ms = ^MABORT)) => CSABT l CSAOW) l
(C_sfsm state = CSALE) =>
((C_sfsm_D A C_sfsm_write A (C__sfsm_ms = ^MRDY)) => CSDI l
(C_sfsm_D A -.C_sfsm_write A (C_sfsm ms = ^MRDY)) => CSRR l
(C_sfsm_D A (C_sfsm_ms = ^MABORT)) => CSABT l CSALE) l
(C_sfsm_state = CSRR) =>
((C_sfsm D A -(C__sfsm_ms = ^MABORT)) => CSD1 l
(C_sfsm_D A (C_sfsm_ms = ^MABORT)) => CSABT ICSRR) I
(C_sfsm_state = CSD 1 ) -->
((C_sfsm_D A (C_sfsm_ms = ^MRDY)) => CSD0 l
(C_sfsm_D A (C_sfsm_ms = ^MABORT)) => CSABT ICSDI) l
(C_sfsm_state = CSD0) =>
((C_sfsm_D A (C_sfsm__ms = AMEND)) --> CSACK I
(C_sfsm_D A (C_sfsm ms = ^MRDY)) --> CSDl I
(C_sfsm D A (C_sfsm ms = ^MABORT)) => CSABT ICSD0) I
(C_sfsm state = CSACK) =>
((C_sfsm_D A (C__sfsm_ms = ^MRDY)) => CSL I
(C_sfsm D A (C_sfsm ms = ^MWAIT)) => CSI I
(C_sfsm_D A (C_sfsm_ms = ^MABORT)) => CSABT I CSACK) I
(C_sfsm_D) => CSI ICSABT) in
let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSABT)))) in
let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
    /\ (~(new_C_sfsm_stateA = CSABT)))) in
let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSAOW) \/
    ((new_C_sfsm_stateA = CSALE) /\ ~C_sfsm_write) \/
    (new_C_sfsm_stateA = CSACK))) in
let new_C_sfsm_ss = ss0 in
let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
    \/ ((new_C_sfsm_stateA = CSALE) /\ C_sfsm_write)
    \/ ((new_C_sfsm_stateA = CSD1) /\ C_sfsm_write /\ (~(C_sfsm_state = CSRR)))
    \/ ((new_C_sfsm_stateA = CSD0) /\ C_sfsm_write)
    \/ ((new_C_sfsm_stateA = CSACK) /\ C_sfsm_write)) in
let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in
let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in
let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in
let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in
let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in
let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in
let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in
let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in
let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sparity = ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
    /\ (~(new_C_sfsm_stateA = CSABT))) in
let new_C_efsm_stateA =
  ((C_efsm_rst) => CEI |
  (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
  ((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) =>
    new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in
let cout_sel1 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel1 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2)) /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in
let new_C_clkAA = C_clkA in
let new_C_sidle_delA = C_sidle_del in
let new_C_mrqt_delA = C_mrqt_del in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (new_C_mfsm_ma3 \/ new_C_mfsm_ma2 \/ new_C_mfsm_ma1 \/
    new_C_mfsm_ma0 \/ new_C_mfsm_md1 \/ new_C_mfsm_md0) in
let c_dfsm_slave = (~new_C_sfsm_sidle /\ ~new_C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD /\ ((new_C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/
    (new_C_sfsm_sa0) \/ (new_C_sfsm_sd0 /\ c_write))) in
let c_dfsm_cin_1_le = (ClkD /\ ((new_C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/
    (new_C_sfsm_sa1) \/ (new_C_sfsm_sd1 /\ c_write))) in
let c_dfsm_cin_3_le = (ClkD /\ (new_C_sfsm_sidle \/ new_C_sfsm_slock)) in
let c_dfsm_cin_4_le = (new_C_clkAA /\ new_C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
    \/ (new_C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
    \/ (new_C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
let c_dfsm_cout_1_le = (new_C_clkAA /\ new_C_sfsm_sd1) in
let c_dfsm_cad_en = ~((new_C_mfsm_ma3) \/ (new_C_mfsm_ma1) \/ (new_C_mfsm_ma0)
    \/ (new_C_mfsm_ma2) \/ (c_write /\ (new_C_mfsm_md1 \/ new_C_mfsm_md0))
    \/ (~c_write /\ (new_C_sfsm_sd1 \/ new_C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(new_C_sfsm_sale /\ (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) /\ new_C_clkAA) in
let c_dfsm_i_rale_ = ~(new_C_sfsm_sale /\ ((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) /\ new_C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (new_C_sfsm_sale \/ new_C_sfsm_sd1))
    \/ (~c_write /\ new_C_clkAA /\ new_C_sfsm_sack)
    \/ (c_write /\ ClkD /\ new_C_sfsm_sd0)) in
let new_C_last_inA_ = I_last_in_ in
let new_C_ssA = CB_ss_in in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_delA = C_cout_0_le_del in
let new_C_cin_2_leA = C_cin_2_le in
let new_C_mrdy_delA_ = C_mrdy_del_ in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdyA = C_wrdy in
let new_C_rrdyA = C_rrdy in
let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in
let new_C_a1a0 =
  (((c_dfsm_master /\ new_C_cout_0_le_delA) \/ (~c_dfsm_master /\ c_dfsm_cout_1_le)) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in
let new_C_mfsm_state = C_mfsm_state in
let new_C_mfsm_srdy_en = C_mfsm_srdy_en in
let new_C_mfsm_D = C_mfsm_D in
let new_C_mfsm_grant = C_mfsm_grant in
let new_C_mfsm_rst = C_mfsm_rst in
let new_C_mfsm_busy = C_mfsm_busy in
let new_C_mfsm_write = C_mfsm_write in
let new_C_mfsm_crqt_ = C_mfsm_crqt_ in
let new_C_mfsm_hold_ = C_mfsm_hold_ in
let new_C_mfsm_last_ = C_mfsm_last_ in
let new_C_mfsm_lock_ = C_mfsm_lock_ in
let new_C_mfsm_ss = C_mfsm_ss in
let new_C_mfsm_invalid = C_mfsm_invalid in
let new_C_sfsm_state = C_sfsm_state in
let new_C_sfsm_D = C_sfsm_D in
let new_C_sfsm_grant = C_sfsm_grant in
let new_C_sfsm_rst = C_sfsm_rst in
let new_C_sfsm_write = C_sfsm_write in
let new_C_sfsm_addressed = C_sfsm_addressed in
let new_C_sfsm_hlda_ = C_sfsm_hlda_ in
let new_C_sfsm_ms = C_sfsm_ms in
let new_C_efsm_state = C_efsm_state in
let new_C_efsm_cale_ = C_efsm_cale_ in
let new_C_efsm_last_ = C_efsm_last_ in
let new_C_efsm_male_ = C_efsm_male_ in
let new_C_efsm_rale_ = C_efsm_rale_ in
let new_C_efsm_srdy_ = C_efsm_srdy_ in
let new_C_efsm_rst = C_efsm_rst in
let new_C_wr = C_wr in
let new_C_sizewrbe = C_sizewrbe in
let new_C_clkA = C_clkA in
let new_C_sidle_del = C_sidle_del in
let new_C_mrqt_del = C_mrqt_del in
let new_C_last_in_ = C_last_in_ in
let new_C_lock_in_ = C_lock_in_ in
let new_C_ss = C_ss in
let new_C_last_out_ = C_last_out_ in
let new_C_hold_ = C_hold_ in
let new_C_cout_0_le_del = C_cout_0_le_del in
let new_C_cin_2_le = C_cin_2_le in
let new_C_mrdy_del_ = C_mrdy_del_ in
let new_C_iad_en_s_del = C_iad_en_s_del in
let new_C_wrdy = C_wrdy in
let new_C_rrdy = C_rrdy in
let new_C_parity = C_parity in
let new_C_source = C_source in
let new_C_data_in = C_data_in in
let new_C_iad_in = C_iad_in in
(new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3,
 new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0,
 new_C_mfsm_iad_en_m,
 new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_,
 new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss,
 new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0,
 new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
 new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA,
 new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_,
 new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA,
 new_C_iad_out, new_C_a1a0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D,
 new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_,
 new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid,
 new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write,
 new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_,
 new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr,
 new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_,
 new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
 new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)"
);;
Output definition for Phase-A instruction.






(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
 C_source C_data_in C_iad_in :wordn)
(C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
 C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
 C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
 C_efsm_srdy_en
 C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
 C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
 C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
 C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
 C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
 C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
 C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
 C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
 C_rrdy C_parity :bool)
(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
 Rst ClkA ClkB ClkD Prom_failure Piu_invalid Reset_error :bool)
(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
 Disable_writes CB_parity :bool).
PH_A_out rep
(C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
 C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
 C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
 C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
 C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
 C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
 C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
 C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
 C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
 C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
 C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
 C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
 C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
 C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
 I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
 ClkD, Id, ChannelID, Prom_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_mfsm_stateA =
  ((C_mfsm_rst) => CMI |
  ((C_mfsm_state = CMI) => (C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~C_mfsm_busy /\ ~C_mfsm_invalid) => CMR | CMI |
  ((C_mfsm_state = CMR) => (C_mfsm_D /\ C_mfsm_grant /\ C_mfsm_hold_) => CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_mfsm_last_) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_last_) => CMW |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
    (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_mfsm_lock_) => CMI |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_lock_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
  ((~C_mfsm_last_) => CMI | CMABT))))))))))) in
let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
    \/ ((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
    \/ ((new_C_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)) in
let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA2)) in
let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
    \/ (new_C_mfsm_stateA = CMD1)) in
let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1) \/
    (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2) \/
    (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0) \/
    (new_C_mfsm_stateA = CMW) \/ (new_C_mfsm_stateA = CMABT))) in
let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) \/ (new_C_mfsm_stateA = CMA0) \/
    (new_C_mfsm_stateA = CMA2) \/ (new_C_mfsm_stateA = CMD1) \/
    ((new_C_mfsm_stateA = CMD0) /\ C_mfsm_last_) \/ (new_C_mfsm_stateA = CMW) \/
    (new_C_mfsm_stateA = CMABT))) in
let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_last_) \/
    ((new_C_mfsm_stateA = CMW) /\ C_mfsm_lock_) \/ (new_C_mfsm_stateA = CMABT))) in
let new_C_mfsm_ms = ms0 in
let new_C_mfsm_rqt_ = ~(~(new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) /\ (~(new_C_mfsm_stateA = CMR))) in
let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) \/ (new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
    \/ (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2)
    \/ (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0)
    \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0)
    \/ (C_mfsm_state = CMA2) \/ (C_mfsm_state = CMD1)) in
let new_C_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
  (C_sfsm_state = CSI) => ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant
      /\ C_sfsm_addressed) => CSA1 | CSI) |
  (C_sfsm_state = CSL) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 |
    (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ ~C_sfsm_addressed) => CSI |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
  (C_sfsm_state = CSA1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
  (C_sfsm_state = CSA0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
    (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSAOW |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
  (C_sfsm_state = CSAOW) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSAOW) |
  (C_sfsm_state = CSALE) =>
    ((C_sfsm_D /\ C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
    (C_sfsm_D /\ ~C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
  (C_sfsm_state = CSRR) =>
    ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
  (C_sfsm_state = CSD1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
  (C_sfsm_state = CSD0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
    (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
  (C_sfsm_state = CSACK) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
    (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
    (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
  (C_sfsm_D) => CSI | CSABT) in
let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSABT)))) in
let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
    /\ (~(new_C_sfsm_stateA = CSABT)))) in
let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSAOW) \/
    ((new_C_sfsm_stateA = CSALE) /\ ~C_sfsm_write) \/
    (new_C_sfsm_stateA = CSACK))) in
let new_C_sfsm_ss = ss0 in
let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
    \/ ((new_C_sfsm_stateA = CSALE) /\ C_sfsm_write)
    \/ ((new_C_sfsm_stateA = CSD1) /\ C_sfsm_write /\ (~(C_sfsm_state = CSRR)))
    \/ ((new_C_sfsm_stateA = CSD0) /\ C_sfsm_write)
    \/ ((new_C_sfsm_stateA = CSACK) /\ C_sfsm_write)) in
let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in
let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in
let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in
let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in
let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in
let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in
let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in
let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in
let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sparity = ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
    /\ (~(new_C_sfsm_stateA = CSABT))) in
let new_C_efsm_stateA =
  ((C_efsm_rst) => CEI |
  (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
  ((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) =>
    new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2)) /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in
let new_C_clkAA = C_clkA in
let new_C_sidle_delA = C_sidle_del in
let new_C_mrqt_delA = C_mrqt_del in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (new_C_mfsm_ma3 \/ new_C_mfsm_ma2 \/ new_C_mfsm_ma1 \/
    new_C_mfsm_ma0 \/ new_C_mfsm_md1 \/ new_C_mfsm_md0) in
let c_dfsm_slave = (~new_C_sfsm_sidle /\ ~new_C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD /\ ((new_C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/
    (new_C_sfsm_sa0) \/ (new_C_sfsm_sd0 /\ c_write))) in
let c_dfsm_cin_1_le = (ClkD /\ ((new_C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/
    (new_C_sfsm_sa1) \/ (new_C_sfsm_sd1 /\ c_write))) in
let c_dfsm_cin_3_le = (ClkD /\ (new_C_sfsm_sidle \/ new_C_sfsm_slock)) in
let c_dfsm_cin_4_le = (new_C_clkAA /\ new_C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
    \/ (new_C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
    \/ (new_C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
let c_dfsm_cout_1_le = (new_C_clkAA /\ new_C_sfsm_sd1) in
let c_dfsm_cad_en = ~((new_C_mfsm_ma3) \/ (new_C_mfsm_ma1) \/ (new_C_mfsm_ma0)
    \/ (new_C_mfsm_ma2) \/ (c_write /\ (new_C_mfsm_md1 \/ new_C_mfsm_md0))
    \/ (~c_write /\ (new_C_sfsm_sd1 \/ new_C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(new_C_sfsm_sale /\ (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) /\ new_C_clkAA) in
let c_dfsm_i_rale_ = ~(new_C_sfsm_sale /\ ((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) /\ new_C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (new_C_sfsm_sale \/ new_C_sfsm_sd1))
    \/ (~c_write /\ new_C_clkAA /\ new_C_sfsm_sack)
    \/ (c_write /\ ClkD /\ new_C_sfsm_sd0)) in
let new_C_last_inA_ = I_last_in_ in
let new_C_ssA = CB_ss_in in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_delA = C_cout_0_le_del in
let new_C_cin_2_leA = C_cin_2_le in
let new_C_mrdy_delA_ = C_mrdy_del_ in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdyA = C_wrdy in
let new_C_rrdyA = C_rrdy in
let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in
let new_C_a1a0 =
  (((c_dfsm_master /\ new_C_cout_0_le_delA) \/ (~c_dfsm_master /\ c_dfsm_cout_1_le)) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in
let new_C_mfsm_state = C_mfsm_state in
let new_C_mfsm_srdy_en = C_mfsm_srdy_en in
let new_C_mfsm_D = C_mfsm_D in
let new_C_mfsm_grant = C_mfsm_grant in
let new_C_mfsm_rst = C_mfsm_rst in
let new_C_mfsm_busy = C_mfsm_busy in
let new_C_mfsm_write = C_mfsm_write in
let new_C_mfsm_crqt_ = C_mfsm_crqt_ in
let new_C_mfsm_hold_ = C_mfsm_hold_ in
let new_C_mfsm_last_ = C_mfsm_last_ in
let new_C_mfsm_lock_ = C_mfsm_lock_ in
let new_C_mfsm_ss = C_mfsm_ss in
let new_C_mfsm_invalid = C_mfsm_invalid in
let new_C_sfsm_state = C_sfsm_state in
let new_C_sfsm_D = C_sfsm_D in
let new_C_sfsm_grant = C_sfsm_grant in
let new_C_sfsm_rst = C_sfsm_rst in
let new_C_sfsm_write = C_sfsm_write in
let new_C_sfsm_addressed = C_sfsm_addressed in
let new_C_sfsm_hlda_ = C_sfsm_hlda_ in
let new_C_sfsm_ms = C_sfsm_ms in
let new_C_efsm_state = C_efsm_state in
let new_C_efsm_cale_ = C_efsm_cale_ in
let new_C_efsm_last_ = C_efsm_last_ in
let new_C_efsm_male_ = C_efsm_male_ in
let new_C_efsm_rale_ = C_efsm_rale_ in
let new_C_efsm_srdy_ = C_efsm_srdy_ in
let new_C_efsm_rst = C_efsm_rst in
let new_C_wr = C_wr in
let new_C_sizewrbe = C_sizewrbe in
let new_C_clkA = C_clkA in
let new_C_sidle_del = C_sidle_del in
let new_C_mrqt_del = C_mrqt_del in
let new_C_last_in_ = C_last_in_ in
let new_C_lock_in_ = C_lock_in_ in
let new_C_ss = C_ss in
let new_C_last_out_ = C_last_out_ in
let new_C_hold_ = C_hold_ in
let new_C_cout_0_le_del = C_cout_0_le_del in
let new_C_cin_2_le = C_cin_2_le in
let new_C_mrdy_del_ = C_mrdy_del_ in
let new_C_iad_en_s_del = C_iad_en_s_del in
let new_C_wrdy = C_wrdy in
let new_C_rrdy = C_rrdy in
let new_C_parity = C_parity in
let new_C_source = C_source in
let new_C_data_in = C_data_in in
let new_C_iad_in = C_iad_in in
let I_cgnt_ = new_C_mfsm_cgnt_ in
let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ | ARB) in
let I_male_out_ = ((~I_hlda_) => c_dfsm_i_male_ | ARB) in
let I_last_out_ = ((~I_hlda_) => new_C_last_out_ | ARB) in
let I_srdy_out_ =
  ((~I_cale_ \/ new_C_efsm_srdy_en) => ~(new_C_wrdyA \/ new_C_rrdyA \/ new_C_mfsm_mabort) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out =
  ((new_C_iad_en_s_delA \/ new_C_mfsm_iad_en_m \/ new_C_sfsm_iad_en_s) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = new_C_mfsm_rqt_ in
let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in
let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) /\ ~Prom_failure /\ ~Piu_invalid)) in
let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 | ARBN) in
let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in
let cbss210 = (ALTER cbss10 (2) ((ELEMENT new_C_sfsm_ss (2)) /\ ~Prom_failure /\ ~Piu_invalid)) in
let CB_ss_out = ((~new_C_sfsm_sidle /\ ~new_C_sfsm_sabort) => cbss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
    ((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (15,0))) |
    ((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (31,16))) |
    ((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) |
    Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) |
    ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = (c_dfsm_slave /\ ~((ChannelID = (WORDN 0)) /\ (ELEMENT new_C_source (6)))
    /\ ~((ChannelID = (WORDN 1)) /\ (ELEMENT new_C_source (7)))
    /\ ~((ChannelID = (WORDN 2)) /\ (ELEMENT new_C_source (8)))
    /\ ~((ChannelID = (WORDN 3)) /\ (ELEMENT new_C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,
 CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
);;
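The slave-FSM next-state function (new_C_sfsm_stateA) from the listing above, transcribed into an executable model and checked by exhaustive enumeration. This is an added example, not part of the report's HOL source; the Python names, the "OTHER" status code and the three checks are assumptions of this example.

```python
from collections import deque
from itertools import product

STATES = ["CSI", "CSL", "CSA1", "CSA0", "CSAOW", "CSALE",
          "CSRR", "CSD1", "CSD0", "CSACK", "CSABT"]
# Master-status codes named in the listing; "OTHER" is an assumed stand-in
# for any encoding the slave FSM does not test for.
MS_CODES = ["MSTART", "MRDY", "MEND", "MWAIT", "MABORT", "OTHER"]
BOOL = (False, True)


def sfsm_next(state, rst, d, ms, grant, addressed, hlda_, write):
    """Next slave state; arguments mirror C_sfsm_rst, C_sfsm_D, C_sfsm_ms,
    C_sfsm_grant, C_sfsm_addressed, C_sfsm_hlda_ and C_sfsm_write."""
    if rst:
        return "CSI"
    abort = d and ms == "MABORT"
    rdy = d and ms == "MRDY"
    if state == "CSI":
        start = d and ms == "MSTART" and not grant and addressed
        return "CSA1" if start else "CSI"
    if state == "CSL":
        if d and ms == "MSTART" and not grant:
            return "CSA1" if addressed else "CSI"
        return "CSABT" if abort else "CSL"
    if state == "CSA1":
        return "CSA0" if rdy else "CSABT" if abort else "CSA1"
    if state == "CSA0":
        if rdy:
            return "CSAOW" if hlda_ else "CSALE"
        return "CSABT" if abort else "CSA0"
    if state == "CSAOW":
        if rdy and not hlda_:
            return "CSALE"
        return "CSABT" if abort else "CSAOW"
    if state == "CSALE":
        if rdy:
            return "CSD1" if write else "CSRR"
        return "CSABT" if abort else "CSALE"
    if state == "CSRR":
        if d and ms != "MABORT":
            return "CSD1"
        return "CSABT" if abort else "CSRR"
    if state == "CSD1":
        return "CSD0" if rdy else "CSABT" if abort else "CSD1"
    if state == "CSD0":
        if d and ms == "MEND":
            return "CSACK"
        return "CSD1" if rdy else "CSABT" if abort else "CSD0"
    if state == "CSACK":
        if rdy:
            return "CSL"
        if d and ms == "MWAIT":
            return "CSI"
        return "CSABT" if abort else "CSACK"
    return "CSI" if d else "CSABT"          # state == CSABT


def inputs(d_values=BOOL):
    """Every input combination with reset deasserted."""
    for d, ms, grant, addressed, hlda_, write in product(
            d_values, MS_CODES, BOOL, BOOL, BOOL, BOOL):
        yield dict(rst=False, d=d, ms=ms, grant=grant,
                   addressed=addressed, hlda_=hlda_, write=write)


def bfs_depths(start="CSI"):
    """Minimum number of steps from `start` to each reachable state."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        s = queue.popleft()
        for i in inputs():
            n = sfsm_next(s, **i)
            if n not in depth:
                depth[n] = depth[s] + 1
                queue.append(n)
    return depth


def abort_violations():
    """Active states where MABORT with D asserted does not lead to CSABT."""
    return [(s, i) for s in STATES if s not in ("CSI", "CSABT")
            for i in inputs(d_values=(True,))
            if i["ms"] == "MABORT" and sfsm_next(s, **i) != "CSABT"]


def hold_violations():
    """States that change while D is deasserted and reset is inactive."""
    return [(s, i) for s in STATES for i in inputs(d_values=(False,))
            if sfsm_next(s, **i) != s]


if __name__ == "__main__":
    print(bfs_depths())
    print(len(abort_violations()), len(hold_violations()))
```

Empty violation lists mean the transcribed table aborts from every active state and only moves when C_sfsm_D is asserted; the same enumeration can be pointed at the master FSM once its table is transcribed the same way.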




(C_sfsm_stateA C_sfsm_state :csfsm_ty)
(C_efsm_stateA C_efsm_state :cefsm_ty)
(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
 C_source C_data_in C_iad_in :wordn)
(C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
 C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
 C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
 C_efsm_srdy_en
 C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
 C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
 C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
 C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
 C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
 C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
 C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
 C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
 C_rrdy C_parity :bool)
(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
 Rst ClkA ClkB ClkD Prom_failure Piu_invalid Reset_error :bool)
(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
 Disable_writes CB_parity :bool).
PH_B_inst rep
(C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
 C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
 C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
 C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
 C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
 C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
 C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
 C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
 C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
 C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
 C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
 C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
 C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
 C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
 I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
 ClkD, Id, ChannelID, Prom_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => ARBN |
    ((C_sfsm_sa0 /\ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 \/ C_sfsm_sd0) =>
    C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 \/ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
        /\ (ELEMENT CB_rqt_in_ (1)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
        /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
        /\ (ELEMENT CB_rqt_in_ (1))
        /\ (ELEMENT CB_rqt_in_ (2))
        /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (C_mfsm_ma3 \/ C_mfsm_ma2 \/ C_mfsm_ma1 \/ C_mfsm_ma0 \/ C_mfsm_md1 \/ C_mfsm_md0) in
let c_dfsm_slave = (~C_sfsm_sidle /\ ~C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD /\ ((C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa0)
    \/ (C_sfsm_sd0 /\ c_write))) in
let c_dfsm_cin_1_le = (ClkD /\ ((C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa1)
    \/ (C_sfsm_sd1 /\ c_write))) in
let c_dfsm_cin_3_le = (ClkD /\ (C_sfsm_sidle \/ C_sfsm_slock)) in
let c_dfsm_cin_4_le = (C_clkAA /\ C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
    \/ (C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
    \/ (C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
let c_dfsm_cout_1_le = (C_clkAA /\ C_sfsm_sd1) in
let c_dfsm_cad_en = ~((C_mfsm_ma3) \/ (C_mfsm_ma1) \/ (C_mfsm_ma0) \/ (C_mfsm_ma2) \/
    (c_write /\ (C_mfsm_md1 \/ C_mfsm_md0)) \/ (~c_write /\ (C_sfsm_sd1 \/ C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(C_sfsm_sale /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkAA) in
let c_dfsm_i_rale_ = ~(C_sfsm_sale /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (C_sfsm_sale \/ C_sfsm_sd1)) \/
    (~c_write /\ C_clkAA /\ C_sfsm_sack) \/ (c_write /\ ClkD /\ C_sfsm_sd0)) in
let new_C_clkA = ClkD in
let new_C_sidle_del = C_sfsm_sidle in
let new_C_mrqt_del = C_mfsm_mrequest in
let new_C_last_in_ = ((Rst) => F |
    ((C_mfsm_mabort \/ C_mfsm_md1 /\ ClkD) => C_last_inA_ | C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
let mend = (CB_ms_in = ^MEND) in
let mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
  ((C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => T |
  ((~C_sfsm_sa1 /\ (ClkD /\ (mend \/ mabort))) => F |
  ((~C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => C_last_out_ | ARB))) in
let new_C_hold_ = C_sfsm_sidle in
let new_C_cout_0_le_del = c_dfsm_cout_0_le in
let new_C_cin_2_le = c_dfsm_cin_0_le in
let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
let new_C_iad_en_s_del = C_sfsm_iad_en_s in
let new_C_wrdy = (c_dfsm_srdy /\ c_write /\ C_mfsm_md1 /\ ClkD) in
let new_C_rrdy = (c_dfsm_srdy /\ ~c_write /\ C_mfsm_md0 /\ ClkD) in
let c_pe = (Par_Det rep CB_ad_in) in
let c_pe_cnt = (ClkD /\ ((~(C_mfsm_mparity = C_sfsm_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
  (((ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => T |
  ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~I_cale_) => F |
  ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => C_parity | ARB))) in
let new_C_source = ((Rst) => (WORDN 0) |
    ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
    ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) |
    (SUBARRAY C_data_in (31,16))))) in
let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
    ((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) |
    (SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in
let new_C_mfsm_state ffiC_mfsm_stateA in
let new C_mfsm_srdy_en ffiC._efsm_srdy_en in
let new_C mfmn D = CIkD in
let uew_C_mfsm_grant = c_grant in
let new_C_mfsm rst = Rst in
let new_C_mfmn_busy ffic_busy in
let new_C_mfsm_write = c_write m
let new_C_mfsm_crqL = I crqt_ in
let new_C mfun_hold_ = C_hokiA_ in
let new_C mfsm_last._ = new_C_last..in_ in
let new_C_mfmn_lock_ = new_C_lock in in
let new C_ndsm_ss = CB ss in in
let uew_C_n_fsm_invalid ffi Piu_mvalid in
let new C_sfsm..state = C_sfsm_state in
let new_C_sfsm_D = CIkD in
let new_C_sfsm_grant ffic_grant in
let new_C_sfsm_rst = Rst in
let new_C_sfsm write = c_write in
let new_C_sfsm_addressed = (Id = (SUBARRAY new C source (15,10))) in
let new C_sfsm_hlda._ = I_hlda._ in
let new_C_sfsm_ms = CB ms in in
let new C efsm state ffiC_efsm_state in
let new_C efitm_cale_ = Lcale_ in
let new_C efsm_last_ = IJast in in
let new C efsm_male._ = I_malein in
let new_C..efsm ra]e_ -- I_rale_in_ in
let new_C efsm srdy_ = Lsrdy_in_ in
let new C efsm_rst ffiRst in
let new_C_mfsm_stateA = C_m.fsm_stateA m
let new C_mfsm mabort = C mfsm_mabort in
let new_C_mfsm_midle = C_.mfsm_midle in
let new C mfsm_mrequest = C_mfsm_mrequest in
166
let new_C_mfsm_ma3 = C_mfsm_ma3 in
let new_C_mfsm_ma2 = C_mfsm_ma2 in
let new_C_mfsm_ma1 = C_mfsm_ma1 in
let new_C_mfsm_ma0 = C_mfsm_ma0 in
let new_C_mfsm_md1 = C_mfsm_md1 in
let new_C_mfsm_md0 = C_mfsm_md0 in
let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in
let new_C_mfsm_m_cout_sel1 = C_mfsm_m_cout_sel1 in
let new_C_mfsm_m_cout_sel0 = C_mfsm_m_cout_sel0 in
let new_C_mfsm_ms = C_mfsm_ms in
let new_C_mfsm_rqt_ = C_mfsm_rqt_ in
let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in
let new_C_mfsm_cm_en = C_mfsm_cm_en in
let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_ in
let new_C_mfsm_mparity = C_mfsm_mparity in
let new_C_sfsm_stateA = C_sfsm_stateA in
let new_C_sfsm_ss = C_sfsm_ss in
let new_C_sfsm_iad_en_s = C_sfsm_iad_en_s in
let new_C_sfsm_sidle = C_sfsm_sidle in
let new_C_sfsm_slock = C_sfsm_slock in
let new_C_sfsm_sa1 = C_sfsm_sa1 in
let new_C_sfsm_sa0 = C_sfsm_sa0 in
let new_C_sfsm_sale = C_sfsm_sale in
let new_C_sfsm_sd1 = C_sfsm_sd1 in
let new_C_sfsm_sd0 = C_sfsm_sd0 in
let new_C_sfsm_sack = C_sfsm_sack in
let new_C_sfsm_sabort = C_sfsm_sabort in
let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in
let new_C_sfsm_sparity = C_sfsm_sparity in
let new_C_efsm_stateA = C_efsm_stateA in
let new_C_efsm_srdy_en = C_efsm_srdy_en in
let new_C_clkAA = C_clkAA in
let new_C_sidle_delA = C_sidle_delA in
let new_C_mrqt_delA = C_mrqt_delA in
let new_C_last_inA_ = C_last_inA_ in
let new_C_ssA = C_ssA in
let new_C_holdA_ = C_holdA_ in
let new_C_cout_0_le_delA = C_cout_0_le_delA in
let new_C_cin_2_leA = C_cin_2_leA in
let new_C_mrdy_delA_ = C_mrdy_delA_ in
let new_C_iad_en_s_delA = C_iad_en_s_delA in
let new_C_wrdyA = C_wrdyA in
let new_C_rrdyA = C_rrdyA in
let new_C_iad_out = C_iad_out in
let new_C_a1a0 = C_a1a0 in
let new_C_a3a2 = C_a3a2 in
(new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3,
new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0,
new_C_mfsm_iad_en_m,
new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_,
new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss,
new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0,
new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA,
new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_,
new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA,
new_C_iad_out, new_C_a1a0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D,
new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_,
new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid,
new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write,
new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_,
new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr,
new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_,
new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)"
);;
%----------------------------------------------------------------------
Output definition for Phase-B instruction.
----------------------------------------------------------------------%




(C_sfsm_stateA C_sfsm_state :csfsm_ty)
(C_efsm_stateA C_efsm_state :cefsm_ty)
(C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
C_source C_data_in C_iad_in :wordn)
(C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
C_efsm_srdy_en
C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
C_rrdy C_parity :bool)
(I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
Rst ClkA ClkB ClkD Prom_failure Piu_invalid Reset_error :bool)
(I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
(I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
Disable_writes CB_parity :bool).
PH_B_out rep
(C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
ClkD, Id, ChannelID, Prom_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => ARBN |
((C_sfsm_sa0 /\ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 \/ C_sfsm_sd0) =>
C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 \/ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1))
/\ (ELEMENT CB_rqt_in_ (2)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1))
/\ (ELEMENT CB_rqt_in_ (2))
/\ (ELEMENT CB_rqt_in_ (3)))) in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (C_mfsm_ma3 \/ C_mfsm_ma2 \/ C_mfsm_ma1 \/ C_mfsm_ma0 \/ C_mfsm_md1 \/ C_mfsm_md0) in
let c_dfsm_slave = (~C_sfsm_sidle /\ ~C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD /\ ((C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa0)
\/ (C_sfsm_sd0 /\ c_write))) in
let c_dfsm_cin_1_le = (ClkD /\ ((C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa1)
\/ (C_sfsm_sd1 /\ c_write))) in
let c_dfsm_cin_3_le = (ClkD /\ (C_sfsm_sidle \/ C_sfsm_slock)) in
let c_dfsm_cin_4_le = (C_clkAA /\ C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
\/ (C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
\/ (C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
let c_dfsm_cout_1_le = (C_clkAA /\ C_sfsm_sd1) in
let c_dfsm_cad_en = ~((C_mfsm_ma3) \/ (C_mfsm_ma1) \/ (C_mfsm_ma0) \/ (C_mfsm_ma2) \/
(c_write /\ (C_mfsm_md1 \/ C_mfsm_md0)) \/ (~c_write /\ (C_sfsm_sd1 \/ C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(C_sfsm_sale /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkAA) in
let c_dfsm_i_rale_ = ~(C_sfsm_sale /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (C_sfsm_sale \/ C_sfsm_sd1)) \/
(~c_write /\ C_clkAA /\ C_sfsm_sack) \/ (c_write /\ ClkD /\ C_sfsm_sd0)) in
let new_C_clkA = ClkD in
let new_C_sidle_del = C_sfsm_sidle in
let new_C_mrqt_del = C_mfsm_mrequest in
let new_C_last_in_ = ((Rst) => F |
((C_mfsm_mabort \/ C_mfsm_md1 /\ ClkD) => C_last_inA_ | C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
let mend = (CB_ms_in = ^MEND) in
let mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
((C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => T |
((~C_sfsm_sa1 /\ (ClkD /\ (mend \/ mabort))) => F |
((~C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => C_last_out_ | ARB))) in
let new_C_hold_ = C_sfsm_sidle in
let new_C_cout_0_le_del = c_dfsm_cout_0_le in
let new_C_cin_2_le = c_dfsm_cin_0_le in
let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
let new_C_iad_en_s_del = C_sfsm_iad_en_s in
let new_C_wrdy = (c_dfsm_srdy /\ c_write /\ C_mfsm_md1 /\ ClkD) in
let new_C_rrdy = (c_dfsm_srdy /\ ~c_write /\ C_mfsm_md0 /\ ClkD) in
let c_pe = (Par_Det rep CB_ad_in) in
let c_pe_cnt = (ClkD /\ ((~(C_mfsm_mparity = C_sfsm_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
(((ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => T |
((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~I_cale_) => F |
((~(ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => C_parity | ARB))) in
let new_C_source = ((Rst) => (WORDN 0) |
((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (31,16))))) in
let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in
let new_C_mfsm_state = C_mfsm_stateA in
let new_C_mfsm_srdy_en = C_efsm_srdy_en in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_grant = c_grant in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_busy = c_busy in
let new_C_mfsm_write = c_write in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = C_holdA_ in
let new_C_mfsm_last_ = new_C_last_in_ in
let new_C_mfsm_lock_ = new_C_lock_in_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = C_sfsm_state in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_grant = c_grant in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_write = c_write in
let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in
let new_C_sfsm_hlda_ = I_hlda_ in










let new_C_mfsm_mabort = C_mfsm_mabort in
let new_C_mfsm_midle = C_mfsm_midle in
let new_C_mfsm_mrequest = C_mfsm_mrequest in
let new_C_mfsm_ma3 = C_mfsm_ma3 in
let new_C_mfsm_ma2 = C_mfsm_ma2 in
let new_C_mfsm_ma1 = C_mfsm_ma1 in
let new_C_mfsm_ma0 = C_mfsm_ma0 in
let new_C_mfsm_md1 = C_mfsm_md1 in
let new_C_mfsm_md0 = C_mfsm_md0 in
let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in
let new_C_mfsm_m_cout_sel1 = C_mfsm_m_cout_sel1 in
let new_C_mfsm_m_cout_sel0 = C_mfsm_m_cout_sel0 in
let new_C_mfsm_ms = C_mfsm_ms in
let new_C_mfsm_rqt_ = C_mfsm_rqt_ in
let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in
let new_C_mfsm_cm_en = C_mfsm_cm_en in
let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_ in
let new_C_mfsm_mparity = C_mfsm_mparity in
let new_C_sfsm_stateA = C_sfsm_stateA in
let new_C_sfsm_ss = C_sfsm_ss in
let new_C_sfsm_iad_en_s = C_sfsm_iad_en_s in
let new_C_sfsm_sidle = C_sfsm_sidle in
let new_C_sfsm_slock = C_sfsm_slock in
let new_C_sfsm_sa1 = C_sfsm_sa1 in
let new_C_sfsm_sa0 = C_sfsm_sa0 in
let new_C_sfsm_sale = C_sfsm_sale in
let new_C_sfsm_sd1 = C_sfsm_sd1 in
let new_C_sfsm_sd0 = C_sfsm_sd0 in
let new_C_sfsm_sack = C_sfsm_sack in
let new_C_sfsm_sabort = C_sfsm_sabort in
let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in
let new_C_sfsm_sparity = C_sfsm_sparity in
let new_C_efsm_stateA = C_efsm_stateA in
let new_C_efsm_srdy_en = C_efsm_srdy_en in
let new_C_clkAA = C_clkAA in
let new_C_sidle_delA = C_sidle_delA in
let new_C_mrqt_delA = C_mrqt_delA in
let new_C_last_inA_ = C_last_inA_ in
let new_C_ssA = C_ssA in
let new_C_holdA_ = C_holdA_ in
let new_C_cout_0_le_delA = C_cout_0_le_delA in
let new_C_cin_2_leA = C_cin_2_leA in
let new_C_mrdy_delA_ = C_mrdy_delA_ in
let new_C_iad_en_s_delA = C_iad_en_s_delA in
let new_C_wrdyA = C_wrdyA in
let new_C_rrdyA = C_rrdyA in
let new_C_iad_out = C_iad_out in
let new_C_a1a0 = C_a1a0 in
let new_C_a3a2 = C_a3a2 in
let I_cgnt_ = new_C_mfsm_cgnt_ in
let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ | ARB) in
let I_male_out_ = ((~I_hlda_) => c_dfsm_i_male_ | ARB) in
let I_last_out_ = ((~I_hlda_) => new_C_last_out_ | ARB) in
let I_srdy_out_ =
((~I_cale_ \/ new_C_efsm_srdy_en) => ~(new_C_wrdyA \/ new_C_rrdyA \/ new_C_mfsm_mabort) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out =
((new_C_iad_en_s_delA \/ new_C_mfsm_iad_en_m \/ new_C_sfsm_iad_en_s) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = new_C_mfsm_rqt_ in
let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in
let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) /\ ~Prom_failure /\ ~Piu_invalid)) in
let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 | ARBN) in
let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in
let cbss210 = (ALTER cbms10 (2) ((ELEMENT new_C_sfsm_ss (2)) /\ ~Prom_failure /\ ~Piu_invalid)) in
let CB_ss_out = ((~new_C_sfsm_sidle /\ ~new_C_sfsm_sabort) => cbss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (15,0))) |
((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (31,16))) |
((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) |
Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) |
ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = (c_dfsm_slave /\ ~((ChannelID = (WORDN 0)) /\ (ELEMENT new_C_source (6)))
/\ ~((ChannelID = (WORDN 1)) /\ (ELEMENT new_C_source (7)))
/\ ~((ChannelID = (WORDN 2)) /\ (ELEMENT new_C_source (8)))
/\ ~((ChannelID = (WORDN 3)) /\ (ELEMENT new_C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,







Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the phase-level specification of the P-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.
.........................................................................................................
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/holflib/']);;
system 'rm s_block.th';;
new_theory 's_block';;
map new_parent ['sanx_def';'aux_def';'array_def';'wordn_def'];;
let s_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#bool#bool#
sfsm_ty#bool#bool#bool#bool#bool#
bool#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
:^s_state_ty)";;
let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
:^s_env_ty)";;
let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
Piu_fail, Cpu0_fail, Cpu1_fail, Prom_fail)
:^s_out_ty)";;
let PH_A_inst_def = new_definition
('PH_A_inst',
"! (S_fsm_stateA S_fsm_state :sfsm_ty)
(S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
(S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
S_cpu_hist S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
PH_A_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let new_S_fsm_stateA =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | SILL)))))))))))))) in
let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
let new_S_fsm_so = (new_S_fsm_stateA = SO) in
let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
\/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
\/ (new_S_fsm_stateA = SCS)) in
let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
\/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
\/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
let new_S_soft_shot = (~Gcrh /\ Gcrl) in
let new_S_soft_shot_delA = S_soft_shot_del in
let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
(INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let new_S_fsm_state = S_fsm_state in
let new_S_fsm_rst = S_fsm_rst in
let new_S_fsm_delay6 = S_fsm_delay6 in
let new_S_fsm_delay17 = S_fsm_delay17 in
let new_S_fsm_bothbad = S_fsm_bothbad in
let new_S_fsm_bypass = S_fsm_bypass in
let new_S_soft_shot_del = S_soft_shot_del in
let new_S_soft_cnt = S_soft_cnt in
let new_S_delay = S_delay in
let new_S_bad_cpu0 = S_bad_cpu0 in
let new_S_bad_cpu1 = S_bad_cpu1 in
let new_S_reset_cpu0 = S_reset_cpu0 in
let new_S_reset_cpu1 = S_reset_cpu1 in
let new_S_pmm_fail = S_pmm_fail in
let new_S_cpu0_fail = S_cpu0_fail in
let new_S_cpu1_fail = S_cpu1_fail in
let new_S_cpu_hist = S_cpu_hist in
let new_S_piu_fail = S_piu_fail in
(new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state,
new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass,
new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0,
new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
);;
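
The startup controller defined above is small enough to check exhaustively. The following Python model is an added example, not part of the report: it mirrors the new_S_fsm_stateA conditional and the ss0..ss3 bit assignments that the Phase-A output definition uses to build S_state, then enumerates every input combination to confirm that SILL is unreachable, that SSTOP and SO are left only by reset, and where the encoding changes more than one bit per step. The Python names and the reading of the scan's SCOI/SCOF/SCII/SCIF as SC0I/SC0F/SC1I/SC1F are assumptions.

```python
from itertools import product

# State names as read from the scanned listing; SCOI/SCOF/SCII/SCIF in the
# scan are taken to be SC0I/SC0F/SC1I/SC1F (assumption, matching sc0f/sc1f).
STATES = ("SSTART", "SRA", "SPF", "SC0I", "SC0F", "ST", "SC1I", "SC1F",
          "SS", "SSTOP", "SCS", "SN", "SO")
ILLEGAL = "SILL"


def next_state(state, rst, delay6, delay17, bothbad, bypass):
    """Python mirror of the nested conditional bound to new_S_fsm_stateA."""
    if rst:
        return "SSTART"
    table = {
        "SSTART": "SRA",
        "SRA": ("SO" if bypass else "SPF") if delay6 else "SRA",
        "SPF": "SC0I",
        "SC0I": "SC0F" if delay17 else "SC0I",
        "SC0F": "ST",
        "ST": "SC1I",
        "SC1I": "SC1F" if delay17 else "SC1I",
        "SC1F": "SS",
        "SS": "SSTOP" if bothbad else "SCS",
        "SSTOP": "SSTOP",
        "SCS": "SN" if delay6 else "SCS",
        "SN": "SO" if delay17 else "SN",
        "SO": "SO",
    }
    return table.get(state, ILLEGAL)


# Bit i of S_state is set when the state is a member of ENCODING_BITS[i];
# the four sets are the disjunctions bound to ss0, ss1, ss2 and ss3.
ENCODING_BITS = (
    {"SS", "SSTOP", "SCS", "SN", "SO"},
    {"SC0F", "ST", "SC1I", "SC1F", "SS", "SSTOP", "SCS"},
    {"SPF", "SC0I", "SC0F", "ST", "SSTOP", "SO"},
    {"SRA", "SPF", "ST", "SC1I", "SCS", "SN", "SO"},
)


def encode(state):
    """4-bit S_state value for a controller state."""
    return sum(1 << bit for bit, members in enumerate(ENCODING_BITS)
               if state in members)


def successors(state):
    """Next states over all (delay6, delay17, bothbad, bypass), reset low."""
    return {next_state(state, False, *bits)
            for bits in product((False, True), repeat=4)}


def reachable(start="SSTART"):
    """States reachable from start without asserting reset."""
    seen, frontier = {start}, [start]
    while frontier:
        for nxt in successors(frontier.pop()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def absorbing():
    """States that no input combination can leave while reset stays low."""
    return {s for s in STATES if successors(s) == {s}}


def multi_bit_steps():
    """Non-reset transitions whose S_state codes differ in more than one bit."""
    return sorted((s, n) for s in STATES for n in successors(s)
                  if n != s and bin(encode(s) ^ encode(n)).count("1") > 1)


if __name__ == "__main__":
    for s in STATES:
        print(f"{s:7s} {encode(s):04b} -> {sorted(successors(s))}")
    print("reachable:", sorted(reachable()))
    print("absorbing without reset:", sorted(absorbing()))
    print("multi-bit steps:", multi_bit_steps())
```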
%----------------------------------------------------------------------
Output definition for Phase-A instruction.
----------------------------------------------------------------------%
let PH_A_out_def = new_definition
('PH_A_out',
"! (S_fsm_stateA S_fsm_state :sfsm_ty)
(S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
(S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
S_cpu_hist S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
PH_A_out (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let new_S_fsm_stateA =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | SILL)))))))))))))) in
let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
let new_S_fsm_so = (new_S_fsm_stateA = SO) in
let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
\/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
\/ (new_S_fsm_stateA = SCS)) in
let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
\/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
\/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
let new_S_soft_shot = (~Gcrh /\ Gcrl) in
let new_S_soft_shot_delA = S_soft_shot_del in
let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
(INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let new_S_fsm_state = S_fsm_state in
let new_S_fsm_rst = S_fsm_rst in
let new_S_fsm_delay6 = S_fsm_delay6 in
let new_S_fsm_delay17 = S_fsm_delay17 in
let new_S_fsm_bothbad = S_fsm_bothbad in
let new_S_fsm_bypass = S_fsm_bypass in
let new_S_soft_shot_del = S_soft_shot_del in
let new_S_soft_cnt = S_soft_cnt in
let new_S_delay = S_delay in
let new_S_bad_cpu0 = S_bad_cpu0 in
let new_S_bad_cpu1 = S_bad_cpu1 in
let new_S_reset_cpu0 = S_reset_cpu0 in
let new_S_reset_cpu1 = S_reset_cpu1 in





let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
\/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
\/ (new_S_fsm_stateA = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F)
\/ (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
\/ (new_S_fsm_stateA = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I)
\/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
\/ (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF)
\/ (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I)
\/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
\/ (new_S_fsm_stateA = SO))) in
let S_state = ss3 in
let Reset_cport = new_S_fsm_srcp in
let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
let Reset_piu = new_S_fsm_srp in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpu1 = new_S_reset_cpu1 in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpu1_fail = new_S_cpu1_fail in
let Prom_fail = new_S_pmm_fail in






"! (S_fsm_stateA S_fsm_state :sfsm_ty)
(S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
(S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
S_cpu_hist S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
PH_B_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let s soft cnt out = ((Ssoft._shot A -S_soft shot delA) => (INCN 2 S soft cotA) I S soft catA) in
let s_delay_out = ((S_fsm_sec) --> (INCN 17 S_delayA) I S_delayA) in
let s._cpuO_ok = (S_fsm_soOf^ FailmeO A (s_soft cat out = (WORDN 5))) in
let s_cpul_ok = (S fsm_sclfA Failurel_ A (s_soft_cat_out = (%VORDN 5))) in
let newS_soft shot del = S_soft_shot in
let new_S_soft-cat = ((..__.,crhA ~Gczl) => (WORDN 0) I s_soft_cat-out) in
let newS_delay = s_delay..out m
let new_S_pmm_fail =
((S_fsm_sb A ~S_fsm_spm0 => T I
((-S_fsm_sh A S_fsm_spmf) => F I
((~S_fsm_sh A ~S_fsm_spmO => S..lmmz_fail I ARB))) in
let new S_cpu0_fail =
((S_fsm_sb A ~(s_cpuO_ok V Bypass)) => T I
((~S_fsm_sb A (s_cpuO_ok V Bypass)) => F I
((-S_fsm..sh A ~(s_cpu0..ok V Bypass)) => S_¢puO_fail I ARB))) in
let new S_cpu l_fail =
((S_fsm_sb A -(s__cpul__ok V Bypass)) => T I
((-S_fsm_sh A (s..cpul_ok V Bypass)) => F I
((-S fsm_sh A -(s_cpul._ok V Bypass)) => S cpul_fail I ARB))) in
let new_S_piu_fail =
((S_fsm_sb A -(S_fsm .spf V Bypass)) => T I
((-S_fsm_sh A (S_fim_spf V Bypass)) => F I
((~S_fsm_sh A ~(S_fsm spf V Bypass)) => S_piu_fail I ARB))) in
let s_ cpuO_select = ((S_flm_so V S_fsm_.so) A -new_S_cpuO_fail) in
let s_cpul_select = ((S_fsm_m V S__fsm_so) A new S ¢puO__fail A ~new_S._cpul_fail) in
let new S bad_cpuO =
((S_fsm_sb A -s_cpu0_seleot) => T I
((~S fsm_sh A s_cpu0_select) => F I
((-S_fsm sb A ~s__cpuO select) => S_bad_cpu01ARB))) in
let new S_bad_cpul --
((S_fsm_sb A -s_cpu l_select) => T I
((-S_fsm_sh A s_cpul_select) => F I
((~S_fsm_sh A ~s_¢pul select) => S bad_cpul IARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
let new_S_cpu_hist = S_cpu_histA in
let new_S_fsm_state = S_fsm_stateA in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let new_S_fsm_stateA = S_fsm_stateA in
let new_S_fsm_sn = S_fsm_sn in
let new_S_fsm_so = S_fsm_so in
let new_S_fsm_srcp = S_fsm_srcp in
let new_S_fsm_sdi = S_fsm_sdi in
let new_S_fsm_srp = S_fsm_srp in
let new_S_fsm_src0 = S_fsm_src0 in
let new_S_fsm_src1 = S_fsm_src1 in
let new_S_fsm_spf = S_fsm_spf in
let new_S_fsm_sc0f = S_fsm_sc0f in
let new_S_fsm_sc1f = S_fsm_sc1f in
let new_S_fsm_spmf = S_fsm_spmf in
let new_S_fsm_sb = S_fsm_sb in
let new_S_fsm_src = S_fsm_src in
let new_S_fsm_sec = S_fsm_sec in
let new_S_fsm_srs = S_fsm_srs in
let new_S_fsm_scs = S_fsm_scs in
let new_S_soft_shot = S_soft_shot in
let new_S_soft_shot_delA = S_soft_shot_delA in
let new_S_soft_cntA = S_soft_cntA in
let new_S_delayA = S_delayA in
let new_S_instart = S_instart in
let new_S_cpu_histA = S_cpu_histA in
(new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
  new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
  new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
  new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state,
  new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass,
  new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0,
  new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
);;
%------------------------------------------------------------------------------
Output definition for Phase-B instruction.
------------------------------------------------------------------------------%
let PH_B_out_def = new_definition
('PH_B_out',
"! (S_fsm_stateA S_fsm_state :sfsm_ty)
(S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
(S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
  S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
  S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
  S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
  S_cpu_hist S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
PH_B_out (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
  S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
  S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
  S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
  S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
  S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
  (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let new_S_soft_shot_del = S_soft_shot in
let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
let new_S_delay = s_delay_out in
let new_S_pmm_fail =
  ((S_fsm_sb /\ ~S_fsm_spmf) => T |
  ((~S_fsm_sb /\ S_fsm_spmf) => F |
  ((~S_fsm_sb /\ ~S_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
  ((S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
  ((~S_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
  ((~S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
  ((S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
  ((~S_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
  ((~S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
  ((S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => T |
  ((~S_fsm_sb /\ (S_fsm_spf \/ Bypass)) => F |
  ((~S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((S_fsm_sn \/ S_fsm_so) /\ ~new_S_cpu0_fail) in
let s_cpu1_select = ((S_fsm_sn \/ S_fsm_so) /\ new_S_cpu0_fail /\ ~new_S_cpu1_fail) in
let new_S_bad_cpu0 =
  ((S_fsm_sb /\ ~s_cpu0_select) => T |
  ((~S_fsm_sb /\ s_cpu0_select) => F |
  ((~S_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
  ((S_fsm_sb /\ ~s_cpu1_select) => T |
  ((~S_fsm_sb /\ s_cpu1_select) => F |
  ((~S_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
let new_S_cpu_hist = S_cpu_histA in
let new_S_fsm_state = S_fsm_stateA in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let new_S_fsm_stateA = S_fsm_stateA in
let new_S_fsm_sn = S_fsm_sn in
let new_S_fsm_so = S_fsm_so in
let new_S_fsm_srcp = S_fsm_srcp in
let new_S_fsm_sdi = S_fsm_sdi in
let new_S_fsm_srp = S_fsm_srp in
let new_S_fsm_src0 = S_fsm_src0 in
let new_S_fsm_src1 = S_fsm_src1 in
let new_S_fsm_spf = S_fsm_spf in
let new_S_fsm_sc0f = S_fsm_sc0f in
let new_S_fsm_sc1f = S_fsm_sc1f in
let new_S_fsm_spmf = S_fsm_spmf in
let new_S_fsm_sb = S_fsm_sb in
let new_S_fsm_src = S_fsm_src in
let new_S_fsm_sec = S_fsm_sec in
let new_S_fsm_srs = S_fsm_srs in
let new_S_fsm_scs = S_fsm_scs in
let new_S_soft_shot = S_soft_shot in
let new_S_soft_shot_delA = S_soft_shot_delA in
let new_S_soft_cntA = S_soft_cntA in
let new_S_delayA = S_delayA in
let new_S_instart = S_instart in
let new_S_cpu_histA = S_cpu_histA in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
  \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
  \/ (new_S_fsm_stateA = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
  \/ (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F)
  \/ (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
  \/ (new_S_fsm_stateA = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I)
  \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
  \/ (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF)
  \/ (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I)
  \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
  \/ (new_S_fsm_stateA = SO))) in
let S_state = ss3 in
let Reset_cport = new_S_fsm_srcp in
let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
let Reset_piu = new_S_fsm_srp in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpu1 = new_S_reset_cpu1 in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpu1_fail = new_S_cpu1_fail in
let Pmm_fail = new_S_pmm_fail in





Appendix D ML Source for the Clock-Level Specification of the PIU Ports.
This appendix contains the HOL models for the clock-level specification for the PIU ports. The ports
are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.
D.1 P Port Specification
%------------------------------------------------------------------------------
File: p_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the P-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm p_clock1.th';;
new_theory 'p_clock1';;
map new_parent ['paux_def';'aux_def';'array_def';'wordn_def'];;
let pc_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool)";;
let pc_state = "((P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
  P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
  :^pc_state_ty)";;
let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
  :^pc_env_ty)";;
let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let pc_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
  I_mrdy_, I_last_, I_hlda_, I_lock_)
  :^pc_out_ty)";;
%------------------------------------------------------------------------------
Next-state definition for EXEC instruction.
------------------------------------------------------------------------------%
let pEXEC_inst_def = new_definition
('pEXEC_inst',
"! (P_fsm_state :pfsm_ty)
(P_addr P_be_ P_size :wordn)
(P_destl P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
  P_lock_inh_ P_male_ P_rale_ :bool)
(L_ad_in L_be_ I_ad_in :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
pEXEC_inst (P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
  P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)




  ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
  ((P_fsm_state = PA) =>
    (((P_rqt /\ ~P_destl) \/ (P_rqt /\ P_destl /\ ~P_fsm_cgnt_)) => PD |
    ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
  ((P_fsm_state = PD) =>
    (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
    ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
  ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
  ((P_down) => (DECN 1 P_size) | P_size)) in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_rqt =
  ((p_ale /\ ~(p_sack \/ Rst)) => T |
  ((~p_ale /\ (p_sack \/ Rst)) => F |
  ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ =
  ((Rst) => T |
  ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
  ((Rst) => T |
  ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let new_P_fsm_rst = Rst in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = I_cgnt_ in
let new_P_fsm_hold_ = I_hold_ in
(new_P_addr, new_P_destl, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
  new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
  new_P_male_, new_P_rale_)"
);;
% Output definition for EXEC instruction. %
let pEXEC_out_def = new_definition
('pEXEC_out',
"! (P_fsm_state :pfsm_ty)
(P_addr P_be_ P_size :wordn)
(P_destl P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
  P_lock_inh_ P_male_ P_rale_ :bool)
(L_ad_in L_be_ I_ad_in :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
pEXEC_out (P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
  P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)




  ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
  ((P_fsm_state = PA) =>
    (((P_rqt /\ ~P_destl) \/ (P_rqt /\ P_destl /\ ~P_fsm_cgnt_)) => PD |
    ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
  ((P_fsm_state = PD) =>
    (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
    ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_destl = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_destl) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
  ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
  ((P_down) => (DECN 1 P_size) | P_size)) in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((new_P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_rqt =
  ((p_ale /\ ~(p_sack \/ Rst)) => T |
  ((~p_ale /\ (p_sack \/ Rst)) => F |
  ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ =
  ((Rst) => T |
  ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
  ((Rst) => T |
  ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let new_P_fsm_rst = Rst in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = I_cgnt_ in
let new_P_fsm_hold_ = I_hold_ in
let L_ad_out = (((~(new_P_fsm_state = PA))
  /\ (~(new_P_fsm_state = PH))
  /\ ~((new_P_fsm_state = PD) /\ new_P_wr)) => I_ad_in | ARBN) in
let L_ready_ = ~(~I_srdy_ /\ (new_P_fsm_state = PD)) in
let od0 = ARBN in
let od1 = (MALTER od0 (31,27) new_P_be_) in
let od2 = (ALTER od1 (26) F) in
let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
let I_ad_addr_out = ((new_P_fsm_state = PA) => od4 | ARBN) in
let I_ad_data_out = (((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in | ARBN) in
let I_be_ = ((~(new_P_fsm_state = PH)) => ((new_P_fsm_state = PA) => new_P_be_ | L_be_) | ARBN) in
let I_rale_ = ((~(new_P_fsm_state = PH)) =>
  ~(~new_P_destl /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA)
    /\ new_P_rqt) | ARB) in
let I_male_ = ((~(new_P_fsm_state = PH)) =>
  ~(~new_P_destl /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA)
    /\ new_P_rqt) | ARB) in
let I_crqt_ = ~(new_P_destl /\ new_P_rqt) in
let I_cale_ = ~(~I_cgnt_ /\ (new_P_fsm_state = PA) /\ I_hold_) in
let I_mrdy_ = ((~(new_P_fsm_state = PH)) => F | ARB) in
let I_last_ = ((~(new_P_fsm_state = PH)) => (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | ARB) in
let I_hlda_ = ~(new_P_fsm_state = PH) in
let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
(L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_, I_mrdy_,
  I_last_, I_hlda_, I_lock_)"
);;
close_theory();;
D.2 M Port Specification
%------------------------------------------------------------------------------
File: m_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the M-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm m_clock1.th';;
new_theory 'm_clock1';;
loadf 'abstract';;
map new_parent ['maux_def';'aux_def';'array_def';'wordn_def'];;
let mc_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let mc_state = "((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
  M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  :^mc_state_ty)";;
let mc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  :^mc_env_ty)";;
let mc_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let mc_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)
  :^mc_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let mEXEC_inst_def = new_definition
('mEXEC_inst',
"! (M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
(rep:^rep_ty).
mEXEC_inst (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
  M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  rep =
let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
  ((M_fsm_rst) => MI |
  ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
  ((M_fsm_state = MA) =>
    ((~M_fsm_mrdy_ /\ m_ww) => MW |
    ((~M_fsm_mrdy_ /\ ((~M_wr /\ (~(M_fsm_state = MI))) \/ m_bw)) => MR | MA)) |
  ((M_fsm_state = MR) =>
    ((m_bw /\ (M_count = (WORDN 0))) => MBW |
    ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
    ((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
  ((M_fsm_state = MRR) => MI |
  ((M_fsm_state = MW) =>
    ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
    ((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
  ((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
let new_M_addr =
  ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
  ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_count =
  (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
  (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
  \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
let m_srdy_ = ~((M_rdy /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
  ((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
    ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
  ((m_error /\ ~(Rst \/ Reset_parity)) => T |
  ((~m_error /\ (Rst \/ Reset_parity)) => F |
  ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
let new_M_fsm_male_ = I_male_ in
let new_M_fsm_last_ = I_last_ in
let new_M_fsm_mrdy_ = I_mrdy_ in
let new_M_fsm_rst = Rst in
(new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count,




%------------------------------------------------------------------------------
Output definition for EXEC instruction.
------------------------------------------------------------------------------%
let mEXEC_out_def = new_definition
('mEXEC_out',
"! (M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_ MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
(rep:^rep_ty).
mEXEC_out (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
  M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
  (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
  rep =
let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
  ((M_fsm_rst) => MI |
  ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
  ((M_fsm_state = MA) =>
    ((~M_fsm_mrdy_ /\ m_ww) => MW |
    ((~M_fsm_mrdy_ /\ ((~M_wr /\ (~(M_fsm_state = MI))) \/ m_bw)) => MR | MA)) |
  ((M_fsm_state = MR) =>
    ((m_bw /\ (M_count = (WORDN 0))) => MBW |
    ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
    ((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
  ((M_fsm_state = MRR) => MI |
  ((M_fsm_state = MW) =>
    ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
    ((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
  ((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
let new_M_addr =
  ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
  ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_count =
  (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
  (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
  \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
let m_srdy_ = ~((M_rdy /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
  ((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
    ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
  ((m_error /\ ~(Rst \/ Reset_parity)) => T |
  ((~m_error /\ (Rst \/ Reset_parity)) => F |
  ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
let new_M_fsm_male_ = I_male_ in
let new_M_fsm_last_ = I_last_ in
let new_M_fsm_mrdy_ = I_mrdy_ in
let new_M_fsm_rst = Rst in
let I_ad_out = ((~new_M_wr /\ (~(new_M_fsm_state = MI))) => M_rd_data | ARBN) in
let I_srdy_ = (((~(new_M_fsm_state = MI))) => m_srdy_ | ARB) in
let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in
let mb_data_7_0 = (((ELEMENT M_be (0))) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY M_rd_data (7,0))) in
let mb_data_15_8 = (((ELEMENT M_be (1))) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY M_rd_data (15,8))) in
let mb_data_23_16 = (((ELEMENT M_be (2))) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY M_rd_data (23,16))) in
let mb_data_31_24 = (((ELEMENT M_be (3))) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY M_rd_data (31,24))) in
let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
  (15,8) mb_data_15_8)
  (23,16) mb_data_23_16)
  (31,24) mb_data_31_24)) in
let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) /\ ~new_M_se) in
let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) /\ new_M_se) in
let MB_we_ = ~((new_M_se \/ ~(~(new_M_fsm_state = MI)) \/ ~Disable_eeprom)
  /\ ~Disable_writes
  /\ ((new_M_fsm_state = MBW) \/ (new_M_fsm_state = MW) \/ new_M_wwdel)) in
let MB_oe_ = ~((~new_M_wr /\ (new_M_fsm_state = MA)) \/ (new_M_fsm_state = MR)) in
let MB_parity = new_M_parity in




D.3 R Port Specification
%------------------------------------------------------------------------------
File: r_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the R-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%









let rc_state = "((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
  R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
  R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
  R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
  R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
  R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
  R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
  R_reg_sel, R_busA_latch)
  :^rc_state_ty)";;
let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
  wordn#wordn#wordn#bool#bool#wordn)";;
let rc_env = "((ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
  Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
  :^rc_env_ty)";;
let rc_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let rc_out = "((I_ad_out, I_srdy_, Int0, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
  :^rc_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let rEXEC_inst_def = new_definition
('rEXEC_inst',
"! (rep :^rep_ty)
(R_fsm_state :rfsm_ty)
(R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
  R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel
  R_busA_latch :wordn)
(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
  R_ctr1_mux_sel
  R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
  R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis
  R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :bool).
rEXEC_inst rep
  (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
  R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
  R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
  R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
  R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
  R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
  R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
  R_reg_sel, R_busA_latch)
  (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
  Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_state =
  ((R_fsm_rst) => RI |
  ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
  ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
  ((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
  ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
  ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let r_writeA = (~Disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
let r_writeB = (~Disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
  ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
    ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
    (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
    ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
  ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
    ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
    (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
    ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in







let new_R_icr_mask =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
let new_R_icr =
  ((R_icr_load) =>
    ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
    R_icr) in
let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                 ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                 ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                 ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                 ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                 ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                 ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                 ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                 ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                 ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                 ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                 ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                 ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                 ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                 ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_R_busA_latch =
  ((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => new_R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr |
  ((R_sr_rden) => R_sr | ARB)))))))))))) in
let new_R_fsm_ale_ = I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_ in
let new_R_fsm_last_ = I_last_ in
let new_R_fsm_rst = Rst in
(new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in,
 new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out,
 new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new,
 new_R_ctr1_cry, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2,
 new_R_ctr2_irden, new_R_ctr2_new, new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in,
 new_R_ctr3_mux_sel, new_R_ctr3, new_R_ctr3_irden, new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out,
 new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr_rden, new_R_icr, new_R_ccr,
 new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden, new_R_int0_dis, new_R_int3_dis,
 new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en, new_R_wr,
 new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch)"
);;




(R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
 R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel
 R_busA_latch :wordn)
(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
 R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
 R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
 R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
 R_srdy_del_ :bool)
(I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
(ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :bool).
rEXEC_out rep
(R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
 R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
 R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
 R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
 R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
 R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
 R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
 R_reg_sel, R_busA_latch)
(ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
 Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_state =
  ((R_fsm_rst) => RI |
  ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
  ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
  ((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
  ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
  ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let r_writeA = (~Disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
let r_writeB = (~Disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
  ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
   ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
   (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
   ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
  ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
   ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
   (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
   ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in







let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
let new_R_icr_mask =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
let new_R_icr =
  ((R_icr_load) =>
    ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
    R_icr) in
let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                 ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                 ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                 ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                 ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                 ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                 ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                 ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                 ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                 ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                 ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                 ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                 ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                 ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                 ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_R_busA_latch =
  ((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => new_R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr |
  ((R_sr_rden) => R_sr | ARB)))))))))))) in
let new_R_fsm_ale_ = I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_ in
let new_R_fsm_last_ = I_last_ in
let new_R_fsm_rst = Rst in
let I_ad_out = ((~R_wr /\ ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD))) => new_R_busA_latch | ARBN) in
let I_srdy_ =
  (((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) /\ (new_R_fsm_state = RD)) |
   ARB) in
let Int0_ = ~(r_int0_en /\ ~R_int0_dis /\ ~Disable_int) in
let Int1 = (R_ctr1_cry /\ new_R_int1_en /\ ~Disable_int) in
let Int2 = (R_ctr3_cry /\ new_R_int2_en /\ ~Disable_int) in
let Int3_ = ~(r_int3_en /\ ~R_int3_dis /\ ~Disable_int) in
let Ccr = R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Prom_invalid = (ELEMENT new_R_gcr (28)) in
(I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Prom_invalid)"
);;
D.4 C Port Specification
File: c_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the C-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm c_clock1.th';;
new_theory 'c_clock1';;
loadf 'abstract';;
map new_parent ['caux_def';'aux_def';'array_def';'wordn_def'];;
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;






let cc_state = "((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                  C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                  C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                  C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                  C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                  C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
                 :^cc_state_ty)";;
let cc_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let cc_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
                I_lock_, I_cale_, I_hlda_, I_crqt_,
                CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
                Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr,
                Reset_error)
               :^cc_env_ty)";;
let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#wordn#bool#bool)";;
let cc_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
                I_ad_out, I_be_out_,
                CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
               :^cc_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
let cEXEC_inst_def = new_definition
  ('cEXEC_inst',
   "! (rep:^rep_ty)
    (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
    (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
    (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
     C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
     C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
     C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
    (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
    (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
     Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool).
cEXEC_inst rep
(C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
 C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
 C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
 C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
 C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
 I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
 Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let c_write = (((~(C_mfsm_state = CMI)) /\ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1))
                                                  /\ (ELEMENT CB_rqt_in_ (2)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1))
                                                  /\ (ELEMENT CB_rqt_in_ (2))
                                                  /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let c_mfsm_stateA =
  ((C_mfsm_rst) => CMI |
  ((C_mfsm_state = CMI) =>
    (C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~c_busy /\ ~C_mfsm_invalid) => CMR | CMI |
  ((C_mfsm_state = CMR) => (C_mfsm_D /\ c_grant /\ C_mfsm_hold_) => CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_last_in_) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_last_in_) => CMW |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
    (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_lock_in_) => CMI |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_lock_in_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
  ((~C_last_in_) => CMI | CMABT))))))))))) in
let c_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
  (C_sfsm_state = CSI) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 | CSI) |
  (C_sfsm_state = CSL) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ ~c_addressed) => CSI |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
  (C_sfsm_state = CSA1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
  (C_sfsm_state = CSA0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
  (C_sfsm_state = CSA0W) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
  (C_sfsm_state = CSALE) =>
    ((C_sfsm_D /\ c_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D /\ ~c_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
  (C_sfsm_state = CSRR) =>
    ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
  (C_sfsm_state = CSD1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
  (C_sfsm_state = CSD0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
     (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
  (C_sfsm_state = CSACK) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
     (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
  (C_sfsm_D) => CSI | CSABT) in
let c_efsm_stateA =
  ((C_efsm_rst) => CEI |
  (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
  ((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
let c_srdy_en = ((c_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) =>
                                   (c_sfsm_stateA = CSD1) |
                                   (c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1)
                                   \/ (c_mfsm_stateA = CMD1))) in
let cout_sel10 = (ALTER cout_sel0 (1) (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) =>
                                   F |
                                   (c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2))) in
let c_cout_sel = cout_sel10 in
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => (WORDN 0) |
     (((c_sfsm_stateA = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(c_mfsm_stateA = CMI)) /\ (~(c_mfsm_stateA = CMR))) =>
     new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_clkA = ClkD in
let new_C_last_in_ = ((Rst) => F |
     (((c_mfsm_stateA = CMABT) \/ (c_mfsm_stateA = CMD1) /\ ClkD) => I_last_in_ |
      C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F |
     ((c_mfsm_stateA = CMA1) => I_lock_ |
      C_lock_in_)) in
let new_C_ss = (((~(c_mfsm_stateA = CMABT)) /\ (~(c_mfsm_stateA = CMI))) => CB_ss_in | C_ss) in
let c_mend = (CB_ms_in = ^MEND) in
let c_mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
  (((c_sfsm_stateA = CSA1) /\ ~(ClkD /\ (c_mend \/ c_mabort))) => T |
  ((~(c_sfsm_stateA = CSA1) /\ (ClkD /\ (c_mend \/ c_mabort))) => F |
  ((~(c_sfsm_stateA = CSA1) /\ ~(ClkD /\ (c_mend \/ c_mabort))) => C_last_out_ | ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMA1)
     \/ (c_mfsm_stateA = CMA0) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)) in
let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
     \/ (c_mfsm_stateA = CMA2)
     \/ (c_new_write /\ ((c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)))
     \/ (~c_new_write /\ ((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)))) in
let new_C_hold_ = (c_sfsm_stateA = CSI) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_del = ((I_cale_) \/ (I_srdy_in_ /\ ~c_new_write)
     \/ ((c_mfsm_stateA = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
     \/ ((c_mfsm_stateA = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = (ClkD /\ (((c_mfsm_stateA = CMD0) /\ c_srdy /\ ~c_new_write) \/
                              ((c_sfsm_stateA = CSA0)) \/
                              ((c_sfsm_stateA = CSD0) /\ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((c_sfsm_stateA = CSALE) \/ (c_sfsm_stateA = CSD1))) \/
                        (~c_new_write /\ C_clkA /\ (c_sfsm_stateA = CSACK)) \/
                        (c_new_write /\ ClkD /\ (c_sfsm_stateA = CSD0))) in
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
     \/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
     \/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
     \/ ((c_sfsm_stateA = CSD0) /\ c_new_write) \/
     ((c_sfsm_stateA = CSACK) /\ c_new_write)) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (c_mfsm_stateA = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (c_mfsm_stateA = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
     \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)
     \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
     \/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSACK)) /\ (~(c_sfsm_stateA = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
  (((ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => T |
  ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ Reset_error) => F |
  ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => C_parity | ARB))) in
let new_C_source =
  ((Rst) => (WORDN 0) |
  ((ClkD /\ ((c_sfsm_stateA = CSI) \/ (c_sfsm_stateA = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
  (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
     ((ClkD /\ (((c_mfsm_stateA = CMD1) /\ c_srdy /\ ~c_new_write) \/
               ((c_sfsm_stateA = CSA1)) \/
               ((c_sfsm_stateA = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
      (SUBARRAY C_data_in (31,16))))) in
let data_in31_0 =
  (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
     ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
      (SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
let new_C_a1a0 =
  (((c_dfsm_master /\ C_cout_0_le_del) \/
    (~c_dfsm_master /\ C_clkA /\ (c_sfsm_stateA = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr | C_a3a2) in
let new_C_mfsm_state = c_mfsm_stateA in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = c_sfsm_stateA in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_hlda_ = I_hlda_ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = I_cale_ in
let new_C_efsm_last_ = I_last_in_ in
let new_C_efsm_male_ = I_male_in_ in
let new_C_efsm_rale_ = I_rale_in_ in
let new_C_efsm_srdy_ = I_srdy_in_ in
let new_C_efsm_rst = Rst in
(C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
 C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_,
 C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_,
 C_ss, C_last_out_, C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del,
 C_iad_en_s_delA, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)"
);;
let cEXEC_out_def = new_definition
  ('cEXEC_out',
   "! (rep:^rep_ty)
    (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
    (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
    (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
     C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
     C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
     C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
    (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
    (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
     Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool).
cEXEC_out rep
(C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
 C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
 C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
 C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
 C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
 I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
 Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let c_write = (((~(C_mfsm_state = CMI)) /\ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1))
                                                  /\ (ELEMENT CB_rqt_in_ (2)))
            \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                  /\ (ELEMENT CB_rqt_in_ (1))
                                                  /\ (ELEMENT CB_rqt_in_ (2))
                                                  /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let c_mfsm_stateA =
  ((C_mfsm_rst) => CMI |
  ((C_mfsm_state = CMI) =>
    (C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~c_busy /\ ~C_mfsm_invalid) => CMR | CMI |
  ((C_mfsm_state = CMR) => (C_mfsm_D /\ c_grant /\ C_mfsm_hold_) => CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_last_in_) => CMD1 |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_last_in_) => CMW |
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
    (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
    (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_lock_in_) => CMI |
    (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_lock_in_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
  ((~C_last_in_) => CMI | CMABT))))))))))) in
let c_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
  (C_sfsm_state = CSI) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 | CSI) |
  (C_sfsm_state = CSL) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ ~c_addressed) => CSI |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
  (C_sfsm_state = CSA1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
  (C_sfsm_state = CSA0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
  (C_sfsm_state = CSA0W) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
  (C_sfsm_state = CSALE) =>
    ((C_sfsm_D /\ c_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D /\ ~c_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
  (C_sfsm_state = CSRR) =>
    ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
  (C_sfsm_state = CSD1) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
  (C_sfsm_state = CSD0) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
     (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
  (C_sfsm_state = CSACK) =>
    ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
     (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
     (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
  (C_sfsm_D) => CSI | CSABT) in
letc_efsm_stateA=
((C_efsm_rst)=> CEI l
(C.efsm_stata= CEI) => ((-C.efsm._cale_)=> CEE JCEI) I
((-C_efsm_last A -C...efsm_srdy_)V ~C_efsm_male_ V .-C._efsmtale..)=> CEIi CEE) in
letc_srdy_en= ((c._efsmstamA = CEE) V (C_efsm_statc= CEE)) in
letcou[..sel0= (ALTER ARBN (0)(((c_sfsmsta_A = CSDI) V (c.sfsmjta_A = CSDO)) =>
(c_sfsm_stateA= CSDI) I
(c_mfsm_stateA= CMA3) V (c_mfsm_stateA= CMAI)
V (c_mfsm_sta_A = CMDI))) in
letcout_sell0= (ALTER cout sel0(I)(((c_sfsmjtaWA = CSDI) V (c_sfsmjtateA = CSD0)) =>
FI
(c..nlfsm_stateA= CMA3) V (c n_sm._stamA = CMA2))) in
letc._cout._sel= cout_sell0in
letnew_C_wr = ((~IcaJe_)=> (ELEMENT I_ad_in(2"/))IC_wr) in
letn©w_C_sizewrbe = ((Rst)=> (WORDN 0) J
(((c_sfsm_smWA = CSA0) A C_clkA) -> (SUBARRAY C datain (31,22))IC_sizewrbe))in
letc new write= (((~(c..mfsm._stateA= CMI)) A (~(c__mfsm__staU_A= CMR))) =>
new C wr I(ELEMENT new C_sizewrlm(5)))in
letnew_C clkA = CIkD in
letnew_C_last_in_= ((Rst)=> F I
(((c._m.fsm_stateA= CMABT) V (c mfsm stateA= CMDI) A CIkD) => I_last._m_I
C lastin_))in
letnew_C_Iock._in_= ((Rs0 => F I
((c__mfsm stateA = CMAI)=> I_lock_ I
C_lock_in_)) in
let new_C ss = (((~(c_mfsm stateA = CMABT)) A (~(c..mfsm. stamA = CMI))) => CB_ ss__in I C_ss) in
]et c_mend = (CB ms._in = ^MEND) in
let c_mabort = (CB ms in = ^MABORT) in
letnew_C_last_out_ =
(((c._sfsm_slateA = CSAI) A -(ClkD A (c._mend V c_maborD)) => T J
((~(c_sfsm stateA -- CSAI) A (ClkD A (c_mend V c mabort))) => F I
((~(c_sfsm stateA = CSA 1) A ~(ClkD A (c_mmd V c._mabort))) => C_.last._out_ IARB))) in
let c s_dy = (CB ss._in = ^SRDY) in
let c_dfsm_master = ((c mfsm_stateA = CMA3) V (c_mf'sm_stateA = CMA2) V (c.jnfsm_stateA = CMAI)
V (c_mfsm_stateA = CMA0) V (c_mfsm_stateA = CMD1) V (c..mfsm_stateA = CMD0)) in
let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) V (c_mfsm_stateA = CMAI) V (c__mfsm_stateA = CMA0)
V (c_mfsm_stateA = CMA2)
\/ (c_new_write /\ ((c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)))
\/ (~c_new_write /\ ((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)))) in
let new_C_hold_ = (c_sfsm_stateA = CSI) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_del = ((I_cale_) \/ (I_srdy_in_ /\ ~c_new_write)
\/ ((c_mfsm_stateA = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
\/ ((c_mfsm_stateA = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = (ClkD /\ (((c_mfsm_stateA = CMD0) /\ c_srdy /\ ~c_new_write) \/
((c_sfsm_stateA = CSA0)) \/
((c_sfsm_stateA = CSD0) /\ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((c_sfsm_stateA = CSALE) \/ (c_sfsm_stateA = CSD1))) \/
(~c_new_write /\ C_clkA /\ (c_sfsm_stateA = CSACK)) \/
(c_new_write /\ ClkD /\ (c_sfsm_stateA = CSD0))) in
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
\/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
\/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
\/ ((c_sfsm_stateA = CSD0) /\ c_new_write) \/
((c_sfsm_stateA = CSACK) /\ c_new_write)) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (c_mfsm_stateA = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (c_mfsm_stateA = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
\/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)
\/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
\/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSACK)) /\ (~(c_sfsm_stateA = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
(((ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => T |
((~(ClkD /\ c_pe /\ c_pe_cnt) /\ Reset_error) => F |
((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => C_parity | ARB))) in
let new_C_source =
((Rst) => (WORDN 0) |
((ClkD /\ ((c_sfsm_stateA = CSI) \/ (c_sfsm_stateA = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
(MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
((ClkD /\ (((c_mfsm_stateA = CMD1) /\ c_srdy /\ ~c_new_write) \/
((c_sfsm_stateA = CSA1)) \/
((c_sfsm_stateA = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (31,16))))) in
let data_in31_0 =
(MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
let new_C_a1a0 =
(((c_dfsm_master /\ C_cout_0_le_del) \/
(~c_dfsm_master /\ C_clkA /\ (c_sfsm_stateA = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr | C_a3a2) in
let new_C_mfsm_state = c_mfsm_stateA in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = c_sfsm_stateA in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_hlda_ = I_hlda_ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = I_cale_ in
let new_C_efsm_last_ = I_last_in_ in
let new_C_efsm_male_ = I_male_in_ in
let new_C_efsm_rale_ = I_rale_in_ in
let new_C_efsm_srdy_ = I_srdy_in_ in
let new_C_efsm_rst = Rst in
let I_cgnt_ = ~(c_mfsm_stateA = CMA3) in
let I_mrdy_out_ = ((~I_hlda_) => C_mrdy_del_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ =
((~I_hlda_) =>
~((c_sfsm_stateA = CSALE) /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkA) | ARB) in
let I_male_out_ =
((~I_hlda_) =>
~((c_sfsm_stateA = CSALE) /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkA) | ARB) in
let I_last_out_ = ((~I_hlda_) => C_last_out_ | ARB) in
let I_srdy_out_ = ((~I_cale_ \/ c_srdy_en) => ~(C_wrdy \/ C_rrdy \/ (c_mfsm_stateA = CMABT)) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out = ((new_C_iad_en_s_delA
\/ ((c_mfsm_stateA = CMD1) /\ ~c_new_write /\ c_srdy_en)
\/ ((c_mfsm_stateA = CMD0) /\ ~c_new_write /\ c_srdy_en)
\/ ((c_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en)
\/ ((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
\/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
\/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
\/ ((c_sfsm_stateA = CSD0) /\ c_new_write)
\/ ((c_sfsm_stateA = CSACK) /\ c_new_write)) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = ~(~(c_mfsm_stateA = CMI)) in
let ms0 = (ALTER ARBN (0) (((c_mfsm_stateA = CMD0) /\ ~C_last_in_) \/
((c_mfsm_stateA = CMW) /\ C_lock_in_) \/
(c_mfsm_stateA = CMABT))) in
let ms10 = (ALTER ms0 (1) (((c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0) \/
(c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/
((c_mfsm_stateA = CMD0) /\ C_last_in_) \/ (c_mfsm_stateA = CMW) \/
(c_mfsm_stateA = CMABT)))) in
let ms210 = (ALTER ms10 (2) (((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/
(c_mfsm_stateA = CMA0) \/ (c_mfsm_stateA = CMA2) \/
(c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0) \/
(c_mfsm_stateA = CMW) \/ (c_mfsm_stateA = CMABT)) /\ ~Pmm_failure /\ ~Piu_invalid))
in
let CB_ms_out = (((~(c_mfsm_stateA = CMI)) /\ (~(c_mfsm_stateA = CMR))) => ms210 | ARBN) in
let ss0 = (ALTER ARBN (0) ((c_sfsm_stateA = CSA0W) \/
((c_sfsm_stateA = CSALE) /\ ~c_new_write) \/
(c_sfsm_stateA = CSACK))) in
let ss10 = (ALTER ss0 (1) ~(c_sfsm_stateA = CSACK)) in
let ss210 = (ALTER ss10 (2) (~Pmm_failure /\ ~Piu_invalid)) in
let CB_ss_out = (((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSABT))) => ss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_a1a0 (15,0)) |
((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUBARRAY new_C_a1a0 (31,16)) |
((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
Par_Enc rep (SUBARRAY new_C_a3a2 (31,16))))) | ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSL)) /\
~((ChannelID = (WORDN 0)) /\ (ELEMENT C_source (6))) /\
~((ChannelID = (WORDN 1)) /\ (ELEMENT C_source (7))) /\
~((ChannelID = (WORDN 2)) /\ (ELEMENT C_source (8))) /\
~((ChannelID = (WORDN 3)) /\ (ELEMENT C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,






Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the startup controller of the
FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator written
by P.J. Windley at the University of Idaho.
....................................................................... .................................




let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_state = "((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
:^sc_state_ty)";;
let sc_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
:^sc_env_ty)";;
let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let sc_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
:^sc_out_ty)";;
....... ..............................................................................................
Next-state definition for EXEC instruction.




(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
sEXEC_inst (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let new_S_fsm_state =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let s_fsm_srcp = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
\/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
let s_soft_cnt_out =
((s_fsm_srs) =>
((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out =
((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
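let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
((s_fsm_sb /\ ~s_fsm_spmf) => T |
((~s_fsm_sb /\ s_fsm_spmf) => F |
((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in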
let new_S_cpu0_fail =
((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
((s_fsm_sb /\ ~s_cpu0_select) => T |
((~s_fsm_sb /\ s_cpu0_select) => F |
((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
((s_fsm_sb /\ ~s_cpu1_select) => T |
((~s_fsm_sb /\ s_cpu1_select) => F |
((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
(new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1,
new_S_reset_cpu0, new_S_reset_cpu1, new_S_cpu_hist, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail,
new_S_piu_fail)"
);;




(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
S_piu_fail :bool)
(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
sEXEC_out (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let new_S_fsm_state =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | SILL)))))))))))))) in
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let s_fsm_srcp = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
\/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
let s_soft_cnt_out =
((s_fsm_srs) =>
((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out =
((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
((s_fsm_sb /\ ~s_fsm_spmf) => T |
((~s_fsm_sb /\ s_fsm_spmf) => F |
((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
((s_fsm_sb /\ ~s_cpu0_select) => T |
((~s_fsm_sb /\ s_cpu0_select) => F |
((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
((s_fsm_sb /\ ~s_cpu1_select) => T |
((~s_fsm_sb /\ s_cpu1_select) => F |
((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
\/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
\/ (new_S_fsm_state = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SC1I) \/ (new_S_fsm_state = SC1F)
\/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
\/ (new_S_fsm_state = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) \/ (new_S_fsm_state = SC0I)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SSTOP) \/ (new_S_fsm_state = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) \/ (new_S_fsm_state = SPF)
\/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1I)
\/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
\/ (new_S_fsm_state = SO))) in
let S_state = ss3 in
let Reset_cport = s_fsm_srcp in
let Disable_int = (~(s_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ s_fsm_sdi
/\ ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in
let Reset_piu = s_fsm_srp in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpu1 = new_S_reset_cpu1 in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpu1_fail = new_S_cpu1_fail in
let Pmm_fail = new_S_pmm_fail in
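
The startup controller's state register, its S_state encoding and its set/hold/ARB latches can be exercised outside HOL. The Python model below is an added illustration, not part of the original report: it transcribes the new_S_fsm_state conditional and the ss0..ss3 ALTER terms from the listing above, the helper names are hypothetical, and ARB is represented as None.

```python
# Added illustration (not from the report): executable model of the startup
# controller FSM. State names and bit memberships are read from the HOL
# listing; function names are hypothetical; ARB is modelled as None.

ILLEGAL = "S_ILL"  # fall-through value of the next-state conditional

# For each S_state bit, the states in which the ALTER term sets that bit.
BIT_SETS = {
    0: {"SS", "SSTOP", "SCS", "SN", "SO"},
    1: {"SC0F", "ST", "SC1I", "SC1F", "SS", "SSTOP", "SCS"},
    2: {"SPF", "SC0I", "SC0F", "ST", "SSTOP", "SO"},
    3: {"SRA", "SPF", "ST", "SC1I", "SCS", "SN", "SO"},
}
STATES = ["SSTART", "SRA", "SPF", "SC0I", "SC0F", "ST", "SC1I", "SC1F",
          "SS", "SSTOP", "SCS", "SN", "SO"]


def encode(state):
    """4-bit S_state value reported for a given FSM state."""
    return sum(1 << bit for bit, members in BIT_SETS.items() if state in members)


def next_state(state, rst, delay6=False, delay17=False, bothbad=False,
               bypass=False):
    """new_S_fsm_state as a function of the latched FSM inputs."""
    if rst:                      # reset dominates every other condition
        return "SSTART"
    table = {
        "SSTART": "SRA",
        "SRA": ("SO" if bypass else "SPF") if delay6 else "SRA",
        "SPF": "SC0I",
        "SC0I": "SC0F" if delay17 else "SC0I",
        "SC0F": "ST",
        "ST": "SC1I",
        "SC1I": "SC1F" if delay17 else "SC1I",
        "SC1F": "SS",
        "SS": "SSTOP" if bothbad else "SCS",
        "SSTOP": "SSTOP",        # absorbing: only reset leaves it
        "SCS": "SN" if delay6 else "SCS",
        "SN": "SO" if delay17 else "SN",
        "SO": "SO",
    }
    return table.get(state, ILLEGAL)


def sr_latch(set_, reset, prev):
    """The T / F / hold / ARB pattern used for the *_fail and bad_cpu bits."""
    if set_ and not reset:
        return True
    if reset and not set_:
        return False
    if not set_ and not reset:
        return prev
    return None                  # both asserted: value left unspecified (ARB)


def trace(cycles, **flags):
    """States visited after one reset cycle followed by `cycles` clocks."""
    state = next_state("SO", rst=True)
    path = [state]
    for _ in range(cycles):
        state = next_state(state, rst=False, **flags)
        path.append(state)
    return path


def bit_flips(path):
    """Number of S_state bits that change on each step of a path."""
    return [bin(encode(a) ^ encode(b)).count("1") for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    normal = trace(11, delay6=True, delay17=True)
    for name, flips in zip(normal, [0] + bit_flips(normal)):
        print(f"{name:7s} S_state={encode(name):04b} bits changed={flips}")
```

With both delay flags held true the model walks SSTART through SO in eleven clocks and every step changes exactly one S_state bit; the bypass shortcut from SRA to SO changes two.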





Appendix E ML Source for the PIU Block-Level Specification.
This appendix contains the HOL model for the PIU block-level structural specification.
File: piu_block.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the block-level specification of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center. At this level
the blocks correspond to the four PIU ports and the startup controller.






system `rm piu_block.th`;;
new_theory `piu_block`;;
loadf `abstract`;;
map new_parent [`aux_def`;`p_clock1`;`c_clock1`;`m_clock1`;`r_clock1`;`s_clock1`];;
let rep_ty = abstract_type `aux_def` `Andn`;;




(P_addr P_be_ P_size :wordn)
(P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
P_lock_inh_ P_male_ P_rale_ :bool)
(C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
(C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
(M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
(R_fsm_state :rfsm_ty)
(R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
R_reg_sel R_busA_latch :wordn)
(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
(S_fsm_state :sfsm_ty)
(S_soft_cnt S_delay :wordn)
(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
(L_ad_in L_be_ :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)




(Bypass Test Failure0_ Failure1_ :bool)
(L_ad_out :wordn)
(L_ready_ :bool)
(CB_ad_out CB_ms_out CB_ss_out :wordn)
(CB_rqt_out_ :bool)
(MB_addr MB_data_out :wordn)
(MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ :bool)
(Led :wordn)
(Int0_ Int1 Int2 Int3_ Cpu_hist :bool).
PIU_Block_SPEC rep
(P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
R_reg_sel, R_busA_latch,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del,
S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail,
S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
MB_data_in, Edac_en_,




CB_ad_out, CB_ms_out, CB_ss_out, CB_rqt_out_,
MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
Int0_, Int1, Int2, Int3_, Led, Cpu_hist) =
? (i_ad i_be_ :wordn)
(i_male_ i_rale_ i_crqt_ i_cgnt_ i_cale_ i_mrdy_ i_srdy_ i_last_ i_hold_ i_hlda_ i_lock_ :bool)
(c_ss :wordn)





(reset_cport disable_int reset_piu reset_cpu0 reset_cpu1 piu_fail pmm_fail cpu0_fail cpu1_fail :bool).
(p_interp rep ((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_),
(ClkA, ClkB, reset_piu, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, i_ad, i_cgnt_, i_hold_, i_srdy_),
(L_ad_out, L_ready_, i_ad, i_ad, i_be_, i_rale_, i_male_, i_crqt_, i_cale_, i_mrdy_, i_last_, i_hlda_, i_lock_))) /\
(c_interp rep ((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2),
(i_ad, i_be_, i_mrdy_, i_rale_, i_male_, i_last_, i_srdy_, i_lock_, i_cale_, i_hlda_, i_crqt_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
reset_cport, ClkA, ClkB, ClkD, Id, ChannelID, pmm_fail, piu_invalid, ccr, reset_error),
(i_cgnt_, i_mrdy_, i_hold_, i_rale_, i_male_, i_last_, i_srdy_, i_ad, i_be_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, c_ss, disable_writes, cb_parity))) /\
(m_interp rep ((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se,
M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect),
(ClkA, ClkB, reset_piu, reset_cport, disable_writes, i_ad, i_male_, i_last_, i_be_,
i_mrdy_, MB_data_in, Edac_en_, reset_error),
(i_ad, i_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, mb_parity))) /\
(r_interp rep ((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
R_reg_sel, R_busA_latch),
(ClkA, reset_piu, i_ad, i_rale_, i_last_, i_be_, i_mrdy_, disable_int, disable_writes,
cpu0_fail, cpu1_fail, reset_cpu0, reset_cpu1, piu_fail, pmm_fail, s_state, Id,
ChannelID, cb_parity, mb_parity, c_ss),
(i_ad, i_srdy_, Int0_, Int1, Int2, Int3_, ccr, Led, reset_error, piu_invalid))) /\
(s_interp rep ((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail),




(s_state, reset_cport, disable_int, reset_piu, reset_cpu0, reset_cpu1, Cpu_hist,
piu_fail, cpu0_fail, cpu1_fail, pmm_fail)))"
Appendix F ML Source for the PIU Clock-Level Specification.
This appendix contains the HOL model for the clock-level specification of the PIU.
File: piu_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992
This file contains the ml source for the clock-level specification of the FTEP PIU, an ASIC
developed by the Embedded Processing Laboratory, Boeing High Technology Center.






system `rm piu_clock1.th`;;
new_theory `piu_clock1`;;
map new_parent [`paux_def`;`caux_def`;`maux_def`;`raux_def`;`saux_def`;`aux_def`;`array_def`;`wordn_def`];;
loadf `abstract`;;
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;















let piu_state = "((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,




C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
R_reg_sel, R_busA_latch,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
:^piu_state_ty)";;




let piu_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
MB_data_in, Edac_en_,
Bypass, Test, Failure0_, Failure1_)
:^piu_env_ty)";;





let piu_out = "((L_ad_out, L_ready_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
Int0_, Int1, Int2, Int3_, Led,
Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
:^piu_out_ty)";;
let rep_ty = abstract_type `aux_def` `Andn`;;




(P_addr P_be_ P_size :wordn)
(P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
P_lock_inh_ P_male_ P_rale_ :bool)
(C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
(C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
(M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
(R_fsm_state :rfsm_ty)
(R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
R_reg_sel R_busA_latch :wordn)
(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
(S_fsm_state :sfsm_ty)
(S_soft_cnt S_delay :wordn)
(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
(L_ad_in L_be_ :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)




(Bypass Test Failure0_ Failure1_ :bool).
piuEXEC_inst rep
(P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
R_reg_sel, R_busA_latch,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del,
S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail,
S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
MB_data_in, Edac_en_,
Bypass, Test, Failure0_, Failure1_) =
let new_P_fsm_state =
((P_fsm_rst) => PA |
((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
((P_fsm_state = PA) =>
(((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
((P_fsm_state = PD) =>
(((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
let c_write = (((~(C_mfsm_state = CMI)) /\ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1))
/\ (ELEMENT CB_rqt_in_ (2)))
\/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
/\ (ELEMENT CB_rqt_in_ (1))
/\ (ELEMENT CB_rqt_in_ (2))
/\ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let new_C_mfsm_state =
((C_mfsm_rst) => CMI |
((C_mfsm_state = CMI) =>
(C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~c_busy /\ ~C_mfsm_invalid) => CMR | CMI |
((C_mfsm_state = CMR) => (C_mfsm_D /\ c_grant /\ C_mfsm_hold_) => CMA3 | CMR |
((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
((C_mfsm_state = CMA1) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
((C_mfsm_state = CMA0) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
((C_mfsm_state = CMA2) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
((C_mfsm_state = CMD1) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
((C_mfsm_state = CMD0) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_last_in_) => CMD1 |
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_last_in_) => CMW |
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
((C_mfsm_state = CMW) =>
(C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
(C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_lock_in_) => CMI |
(C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_lock_in_ /\ ~C_mfsm_crqt_) => CMA3 | CMW |
((~C_last_in_) => CMI | CMABT))))))))))) in
let new_C_sfsm_state =
((C_sfsm_rst) => CSI |
(C_sfsm_state = CSI) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 | CSI) |
(C_sfsm_state = CSL) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 |
(C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ ~c_addressed) => CSI |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
(C_sfsm_state = CSA1) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
(C_sfsm_state = CSA0) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
(C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
(C_sfsm_state = CSA0W) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
(C_sfsm_state = CSALE) =>
((C_sfsm_D /\ c_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
(C_sfsm_D /\ ~c_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
(C_sfsm_state = CSRR) =>
((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
(C_sfsm_state = CSD1) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
(C_sfsm_state = CSD0) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
(C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
(C_sfsm_state = CSACK) =>
((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
(C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
(C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
(C_sfsm_D) => CSI | CSABT) in
let new_C_efsm_state =
((C_efsm_rst) => CEI |
(C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
((M_fsm_rst) => MI |
((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
((M_fsm_state = MA) =>
((~M_fsm_mrdy_ /\ m_ww) => MW |
((~M_fsm_mrdy_ /\ ((~M_wr /\ (~(M_fsm_state = MI))) \/ m_bw)) => MR | MA)) |
((M_fsm_state = MR) =>
((m_bw /\ (M_count = (WORDN 0))) => MBW |
((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
((M_fsm_state = MRR) => MI |
((M_fsm_state = MW) =>
((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_R_fsm_state =
((R_fsm_rst) => RI |
((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_S_fsm_state =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let reset_cport = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let reset_piu = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
\/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ = ~((new_C_mfsm_state = CMA3) /\ (new_P_fsm_state = PA) /\ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) \/ (C_efsm_state = CEE)) in
let new_M_count =
(((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
(((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
\/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~M_wr)) in
let m_srdy_ = ~((M_rdy /\ ~M_wr) \/ (m_rdy /\ M_wr)) in
let i_srdy_ = ((~i_cale_ \/ c_srdy_en) => ~(C_wrdy \/ C_rrdy \/ (new_C_mfsm_state = CMABT)) |
~(new_M_fsm_state = MI) => m_srdy_ |
((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) /\
(new_R_fsm_state = RD)) | ARB) in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_rqt =
((p_ale /\ ~(p_sack \/ reset_piu)) => T |
((~p_ale /\ (p_sack \/ reset_piu)) => F |
((~p_ale /\ ~(p_sack \/ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ =
((reset_piu) => T |
((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
((reset_piu) => T |
((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) |
(((new_C_sfsm_state = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(new_C_mfsm_state = CMI)) /\ (~(new_C_mfsm_state = CMR))) =>
C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in




((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
R_icr) in
let new_R_busA_latch =
((R_ctr0_irden) => R_ctr0_in |
((R_ctr0_orden) => R_ctr0_out |
((R_ctr1_irden) => R_ctr1_in |
((R_ctr1_orden) => R_ctr1_out |
((R_ctr2_irden) => R_ctr2_in |
((R_ctr2_orden) => R_ctr2_out |
((R_ctr3_irden) => R_ctr3_in |
((R_ctr3_orden) => R_ctr3_out |
((R_icr_rden) => new_R_icr |
((R_ccr_rden) => R_ccr |
((R_gcr_rden) => R_gcr |
((R_sr_rden) => R_sr | ARB)))))))))))) in
let i_ad = ((new_P_fsm_state = PA) => pod31_24 |
((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in |
(new_C_iad_en_s_delA \/
((new_C_mfsm_state = CMD1) /\ ~c_new_write /\ c_srdy_en) \/
((new_C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en) \/
((new_C_mfsm_state = CMW) /\ (C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en) \/
((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE))) \/
((new_C_sfsm_state = CSALE) /\ c_new_write) \/
((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR))) \/
((new_C_sfsm_state = CSD0) /\ c_new_write) \/
((new_C_sfsm_state = CSACK) /\ c_new_write)) => new_C_iad_out |
(M_wr /\ ~(new_M_fsm_state = MI)) => M_rd_data |
(~R_wr /\ ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD))) => new_R_busA_latch | ARB) in
let disable_writes = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSL)) /\
~((ChannelID = (WORDN 0)) /\ (ELEMENT C_source (6))) /\
~((ChannelID = (WORDN 1)) /\ (ELEMENT C_source (7))) /\
~((ChannelID = (WORDN 2)) /\ (ELEMENT C_source (8))) /\
~((ChannelID = (WORDN 3)) /\ (ELEMENT C_source (9)))) in
let i_rale_ =
(~(new_P_fsm_state = PH) =>
~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
~((new_C_sfsm_state = CSALE) /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 = (ALTER ARBN (0) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
(new_C_sfsm_state = CSD1) |
(new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1)
\/ (new_C_mfsm_state = CMD1))) in
let c_cout_sel = (ALTER cout_sel0 (1) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
F |
(new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) | C_wr) in
let new_C_clkA = ClkD in
let i_last_ =
(~(new_P_fsm_state = PH) =>
(P_size = ((P_down) => (WORDN 1) | (WORDN 0))) |
C_last_out_) in
let new_C_last_in_ = ((reset_cport) => F |
(((new_C_mfsm_state = CMABT) \/ (new_C_mfsm_state = CMD1) /\ ClkD) => i_last_ |
C_last_in_)) in
let new_C_lock_in_ = ((reset_cport) => F |
((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ /\ new_P_lock_inh_) |
C_lock_in_)) in
let new_C_ss = (((~(new_C_mfsm_state = CMABT)) /\ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
(((new_C_sfsm_state = CSA1) /\ ~(ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => T |
((~(new_C_sfsm_state = CSA1) /\ (ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => F |
((~(new_C_sfsm_state = CSA1) /\ ~(ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => C_last_out_ |
ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMA1)
\/ (new_C_mfsm_state = CMA0) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
\/ (new_C_mfsm_state = CMA2)
\/ (c_new_write /\ ((new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)))
\/ (~c_new_write /\ ((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del = ((i_cale_) \/ (i_srdy_ /\ ~c_new_write)
\/ ((new_C_mfsm_state = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
\/ ((new_C_mfsm_state = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = (ClkD /\ (((new_C_mfsm_state = CMD0) /\ c_srdy /\ ~c_new_write) \/
((new_C_sfsm_state = CSA0)) \/
((new_C_sfsm_state = CSD0) /\ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((new_C_sfsm_state = CSALE) \/ (new_C_sfsm_state = CSD1))) \/
(~c_new_write /\ C_clkA /\ (new_C_sfsm_state = CSACK)) \/
(c_new_write /\ ClkD /\ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE)))
\/ ((new_C_sfsm_state = CSALE) /\ c_new_write)
\/ ((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
\/ ((new_C_sfsm_state = CSD0) /\ c_new_write) \/
((new_C_sfsm_state = CSACK) /\ c_new_write)) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (new_C_mfsm_state = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (new_C_mfsm_state = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
\/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)
\/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
\/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSACK)) /\ (~(new_C_sfsm_state = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
(((ClkD /\ c_pe /\ c_pe_cnt) /\ ~reset_error) => T |
((~(ClkD /\ c_pe /\ c_pe_cnt) /\ reset_error) => F |




((ClkD /\ ((new_C_sfsm_state = CSI) \/ (new_C_sfsm_state = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
(MALTER ARBN (31,16) ((reset_cport) => (WORDN 0) |
((ClkD /\ (((new_C_mfsm_state = CMD1) /\ c_srdy /\ ~c_new_write) \/
((new_C_sfsm_state = CSA1)) \/
((new_C_sfsm_state = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (31,16))))) in
let new_C_data_in =
(MALTER data_in31_16 (15,0) ((reset_cport) => (WORDN 0) |
((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (15,0))))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 =
(((c_dfsm_master /\ C_cout_0_le_del) \/
(~c_dfsm_master /\ C_clkA /\ (new_C_sfsm_state = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ |
(new_P_fsm_state = PD) => L_be_ | SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ =
(~(new_P_fsm_state = PH) =>
~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
~((new_C_sfsm_state = CSALE) /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
let new_M_addr =
((~i_male_) => (SUBARRAY i_ad (18,0)) |
((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_be = ((~i_male_ \/ ~m_srdy_) => (NOTN 3 i_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
((m_error /\ ~(reset_piu \/ reset_error)) => T |
((~m_error /\ (reset_piu \/ reset_error)) => F |
((~m_error /\ ~(reset_piu \/ reset_error)) => M_parity | ARB))) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
((~i_rale_) => (SUBARRAY i_ad (3,0)) |
((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_writeA = (~disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => i_ad | R_ccr) in
let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => i_ad | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => i_ad | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => i_ad | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => i_ad | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
let new_R_icr_mask =
((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => i_ad | R_icr_mask) in
let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_S_soft_shot_del = (~gcrh /\ gcrl) in
let s_soft_cnt_out =
((s_fsm_srs) =>
((gcrl /\ ~gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
((gcrl /\ ~gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~gcrh /\ ~gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out =
((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
((s_fsm_sb /\ ~s_fsm_spmf) => T |
((~s_fsm_sb /\ s_fsm_spmf) => F |
((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
((s_fsm_sb /\ ~s_cpu0_select) => T |
((~s_fsm_sb /\ s_cpu0_select) => F |
((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
((s_fsm_sb /\ ~s_cpu1_select) => T |
((~s_fsm_sb /\ s_cpu1_select) => F |
((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
\/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
\/ (new_S_fsm_state = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SC1I) \/ (new_S_fsm_state = SC1F)
\/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
\/ (new_S_fsm_state = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) \/ (new_S_fsm_state = SC0I)
\/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
\/ (new_S_fsm_state = SSTOP) \/ (new_S_fsm_state = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) \/ (new_S_fsm_state = SPF)
\/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1I)
\/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
\/ (new_S_fsm_state = SO))) in
let s_state = ss3 in
let sr28 = (ALTER ARBN (28) new_M_parity) in
let sr28_25 = (MALTER sr28 (27,25) new_C_ss) in
let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) s_state) in
let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in
let sr28_3 = (ALTER sr28_8 (3) new_S_reset_cpu1) in
let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpu0) in
let sr28_1 = (ALTER sr28_2 (1) new_S_cpu1_fail) in
let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
let new_P_fsm_rst = reset_piu in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in
let new_P_fsm_hold_ = new_C_holdA_ in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = reset_cport in
let new_C_mfsm_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = piu_invalid in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = reset_cport in
let new_C_sfsm_hlda_ = ~(new_P_fsm_state = PH) in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = i_cale_ in
let new_C_efsm_last_ = i_last_ in
let new_C_efsm_male_ = i_male_ in
let new_C_efsm_rale_ = i_rale_ in
let new_C_efsm_srdy_ = i_srdy_ in
let new_C_efsm_rst = reset_cport in
let new_M_fsm_male_ = i_male_ in
let new_M_fsm_last_ = i_last_ in
let new_M_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_M_fsm_rst = reset_piu in
let new_R_fsm_ale_ = i_rale_ in
let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_R_fsm_last_ = i_last_ in
let new_R_fsm_rst = reset_piu in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
(new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
new_P_male_, new_P_rale_,
new_C_mfsm_state, new_C_mfsm_D, new_C_mfsm_rst, new_C_mfsm_crqt_, new_C_mfsm_hold_, new_C_mfsm_ss,
new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_rst, new_C_sfsm_hlda_, new_C_sfsm_ms,
new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_,
new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_last_in_, new_C_lock_in_, new_C_ss,
new_C_last_out_, new_C_hold_, new_C_holdA_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
new_C_iad_en_s_del, new_C_iad_en_s_delA, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in,
new_C_iad_out, new_C_iad_in, new_C_a1a0, new_C_a3a2,
new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count,
new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data,
new_M_detect,
new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in,
new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out,
new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new,
new_R_ctr1_cry,
new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden,
new_R_ctr2_new,
new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3,
new_R_ctr3_irden,
new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load, new_R_icr_old,
new_R_icr_mask,
new_R_icr_rden, new_R_icr, new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden,
new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
new_R_wr,
new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch,
new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1,








(P_addr P_be_ P_size :wordn)
(P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
P_lock_inh_ P_male_ P_rale_ :bool)
(C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
(C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
(M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
(R_fsm_state :rfsm_ty)
(R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
R_reg_sel R_busA_latch :wordn)
(R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
(S_fsm_state :sfsm_ty)
(S_soft_cnt S_delay :wordn)
(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
(L_ad_in L_be_ :wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)




(Bypass Test Failure0_ Failure1_ :bool).
piuEXEC_out rep
(P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
R_reg_sel, R_busA_latch,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del,
S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail,
S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
MB_data_in, Edac_en_,
Bypass, Test, Failure0_, Failure1_) =
let new_P_fsm_state =
((P_fsm_rst) => PA |
((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
((P_fsm_state = PA) =>
(((P_rqt ∧ ~P_dest1) ∨ (P_rqt ∧ P_dest1 ∧ ~P_fsm_cgnt_)) => PD |
((~P_fsm_hold_ ∧ P_lock_) => PH | PA)) |
((P_fsm_state = PD) =>
(((P_fsm_sack ∧ P_fsm_hold_) ∨ (P_fsm_sack ∧ ~P_fsm_hold_ ∧ ~P_lock_)) => PA |
((P_fsm_sack ∧ ~P_fsm_hold_ ∧ P_lock_) => PH | PD)) | P_ILL)))) in
let c_write = (((~(C_mfsm_state = CMI)) ∧ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0))
∧ (ELEMENT CB_rqt_in_ (1)))
∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0))
∧ (ELEMENT CB_rqt_in_ (1))
∧ (ELEMENT CB_rqt_in_ (2)))
∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0))
∧ (ELEMENT CB_rqt_in_ (1))
∧ (ELEMENT CB_rqt_in_ (2))
∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let new_C_mfsm_state =
((C_mfsm_rst) => CMI |
((C_mfsm_state = CMI) =>
(C_mfsm_D ∧ ~C_mfsm_crqt_ ∧ ~c_busy ∧ ~C_mfsm_invalid) => CMR | CMI |
((C_mfsm_state = CMR) => (C_mfsm_D ∧ c_grant ∧ C_mfsm_hold_) => CMA3 | CMR |
((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
((C_mfsm_state = CMA1) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA0 |
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
((C_mfsm_state = CMA0) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA2 |
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
((C_mfsm_state = CMA2) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD1 |
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
((C_mfsm_state = CMD1) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD0 |
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
((C_mfsm_state = CMD0) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ C_last_in_) => CMD1 |
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_last_in_) => CMW |
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
((C_mfsm_state = CMW) =>
(C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT |
(C_mfsm_D ∧ (C_mfsm_ss = ^SACK) ∧ C_lock_in_) => CMI |
(C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_lock_in_ ∧ ~C_mfsm_crqt_) => CMA3 | CMW |
((~C_last_in_) => CMI | CMABT))))))))))) in
let new_C_sfsm_state =
((C_sfsm_rst) => CSI |
(C_sfsm_state = CSI) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 | CSI) |
(C_sfsm_state = CSL) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 |
(C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ ~c_addressed) => CSI |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
(C_sfsm_state = CSA1) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
(C_sfsm_state = CSA0) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
(C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
(C_sfsm_state = CSA0W) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
(C_sfsm_state = CSALE) =>
((C_sfsm_D ∧ c_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
(C_sfsm_D ∧ ~c_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
(C_sfsm_state = CSRR) =>
((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
(C_sfsm_state = CSD1) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
(C_sfsm_state = CSD0) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
(C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
(C_sfsm_state = CSACK) =>
((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
(C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
(C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
(C_sfsm_D) => CSI | CSABT) in
let new_C_efsm_state =
((C_efsm_rst) => CEI |
(C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
((~C_efsm_last_ ∧ ~C_efsm_srdy_) ∨ ~C_efsm_male_ ∨ ~C_efsm_rale_) => CEI | CEE) in
let m_bw = ((~(M_be = (WORDN 15))) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
((M_fsm_rst) => MI |
((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
((M_fsm_state = MA) =>
((~M_fsm_mrdy_ ∧ m_ww) => MW |
((~M_fsm_mrdy_ ∧ ((~M_wr ∧ (~(M_fsm_state = MI))) ∨ m_bw)) => MR | MA)) |
((M_fsm_state = MR) =>
((m_bw ∧ (M_count = (WORDN 0))) => MBW |
((M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MA |
((~M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MRR | MR))) |
((M_fsm_state = MRR) => MI |
((M_fsm_state = MW) =>
((~M_fsm_last_ ∧ (M_count = (WORDN 0))) => MI |
((M_fsm_last_ ∧ (M_count = (WORDN 0))) => MA | MW)) |
((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_R_fsm_state =
((R_fsm_rst) => RI |
((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
let new_S_fsm_state =
((S_fsm_rst) => SSTART |
((S_fsm_state = SSTART) => SRA |
((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
((S_fsm_state = SPF) => SC0I |
((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
((S_fsm_state = SC0F) => ST |
((S_fsm_state = ST) => SC1I |
((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
((S_fsm_state = SC1F) => SS |
((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
((S_fsm_state = SSTOP) => SSTOP |
((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let reset_cport = (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let reset_piu = ((new_S_fsm_state = SSTART) ∨ (new_S_fsm_state = SRA)
∨ (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST)
∨ (new_S_fsm_state = SC1F) ∨ (new_S_fsm_state = SS) ∨ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) ∧ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) ∧ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) ∧ S_fsm_delay6 ∧ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) ∨ ((S_fsm_state = SRA) ∧ S_fsm_delay6)
∨ (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST) ∨ (new_S_fsm_state = SC1F)
∨ (new_S_fsm_state = SS) ∨ ((S_fsm_state = SCS) ∧ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) ∧ (~(new_S_fsm_state = SO))) ∨ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) ∧ ~S_fsm_rst) ∨ ((S_fsm_state = ST) ∧ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ = ~((new_C_mfsm_state = CMA3) ∧ (new_P_fsm_state = PA) ∧ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) ∨ (C_efsm_state = CEE)) in
let new_M_count =
(((new_M_fsm_state = MA) ∨ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
(((new_M_fsm_state = MW) ∨ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) ∧ (new_M_count = (WORDN 0)))
∨ ((new_M_fsm_state = MR) ∧ (new_M_count = (WORDN 0)) ∧ ~M_wr)) in
let m_srdy_ = ~((M_rdy ∧ ~M_wr) ∨ (m_rdy ∧ M_wr)) in
let i_srdy_ = ((~i_cale_ ∨ c_srdy_en) => ~(C_wrdy ∨ C_rrdy ∨ (new_C_mfsm_state = CMABT)) |
~(new_M_fsm_state = MI) => m_srdy_ |
((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) ∧ (new_R_fsm_state = RD)) |
ARB) in
let p_ale = (~L_ads_ ∧ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) ∧ ~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let new_P_rqt =
((p_ale ∧ ~(p_sack ∨ reset_piu)) => T |
((~p_ale ∧ (p_sack ∨ reset_piu)) => F |
((~p_ale ∧ ~(p_sack ∨ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧ new_P_rqt) | P_rale_) in
let new_P_lock_ =
((reset_piu) => T |
((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
((reset_piu) => T |
((~new_P_male_ ∨ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) |
(((new_C_sfsm_state = CSA0) ∧ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(new_C_mfsm_state = CMI)) ∧ (~(new_C_mfsm_state = CMR))) =>
C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in




((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
R_icr) in
let new_R_busA_latch =
((R_ctr0_irden) => R_ctr0_in |
((R_ctr0_orden) => R_ctr0_out |
((R_ctr1_irden) => R_ctr1_in |
((R_ctr1_orden) => R_ctr1_out |
((R_ctr2_irden) => R_ctr2_in |
((R_ctr2_orden) => R_ctr2_out |
((R_ctr3_irden) => R_ctr3_in |
((R_ctr3_orden) => R_ctr3_out |
((R_icr_rden) => new_R_icr |
((R_ccr_rden) => R_ccr |
((R_gcr_rden) => R_gcr |
((R_sr_rden) => R_sr | ARB)))))))))))) in
let i_ad = ((new_P_fsm_state = PA) => pod31_24 |
((new_P_fsm_state = PD) ∧ new_P_wr) => L_ad_in |
(new_C_iad_en_s_delA ∨
((new_C_mfsm_state = CMD1) ∧ ~c_new_write ∧ c_srdy_en) ∨
((new_C_mfsm_state = CMI_) ∧ ~c_new_write ∧ c_srdy_en) ∨
((new_C_mfsm_state = CMW) ∧ (C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en) ∨
((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
((new_C_sfsm_state = CSALE) ∧ c_new_write) ∨
((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR))) ∨
((new_C_sfsm_state = CSD0) ∧ c_new_write) ∨
((new_C_sfsm_state = CSACK) ∧ c_new_write)) => new_C_iad_out |
(M_wr ∧ ~(new_M_fsm_state = MI)) => M_rd_data |
(~R_wr ∧ ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD))) => new_R_busA_latch | ARB) in
let disable_writes = ((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSL)) ∧
~((ChannelID = (WORDN 0)) ∧ (ELEMENT C_source (6))) ∧
~((ChannelID = (WORDN 1)) ∧ (ELEMENT C_source (7))) ∧
~((ChannelID = (WORDN 2)) ∧ (ELEMENT C_source (8))) ∧
~((ChannelID = (WORDN 3)) ∧ (ELEMENT C_source (9)))) in
let i_rale_ =
(~(new_P_fsm_state = PH) =>
~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧ (new_P_fsm_state = PA) ∧ new_P_rqt) |
~((new_C_sfsm_state = CSALE) ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes ∧ new_R_wr ∧ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr ∧ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB ∧ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB ∧ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 = (ALTER ARBN (0) (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
(new_C_sfsm_state = CSD1) |
(new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1)
∨ (new_C_mfsm_state = CMD1))) in
let c_cout_sel = (ALTER cout_sel0 (1) (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
F |
(new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) | C_wr) in
let new_C_clkA = ClkD in
let i_last_ =
(~(new_P_fsm_state = PH) =>
(P_size = ((P_down) => (WORDN 1) | (WORDN 0))) |
C_last_out_) in
let new_C_last_in_ = ((reset_cport) => F |
(((new_C_mfsm_state = CMABT) ∨ (new_C_mfsm_state = CMD1) ∧ ClkD) => i_last_ |
C_last_in_)) in
let new_C_lock_in_ = ((reset_cport) => F |
((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ ∧ new_P_lock_inh_) |
C_lock_in_)) in
let new_C_ss = (((~(new_C_mfsm_state = CMABT)) ∧ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
(((new_C_sfsm_state = CSA1) ∧ ~(ClkD ∧ ((CB_ms_in = ^MEND) ∨ (CB_ms_in = ^MABORT)))) => T |
((~(new_C_sfsm_state = CSA1) ∧ (ClkD ∧ ((CB_ms_in = ^MEND) ∨ (CB_ms_in = ^MABORT)))) => F |
((~(new_C_sfsm_state = CSA1) ∧ ~(ClkD ∧ ((CB_ms_in = ^MEND) ∨ (CB_ms_in = ^MABORT)))) => C_last_out_ |
ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2) ∨ (new_C_mfsm_state = CMA1)
∨ (new_C_mfsm_state = CMA0) ∨ (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0)
∨ (new_C_mfsm_state = CMA2)
∨ (c_new_write ∧ ((new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)))
∨ (~c_new_write ∧ ((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del = ((i_cale_) ∨ (i_srdy_ ∧ ~c_new_write)
∨ ((new_C_mfsm_state = CMA0) ∧ c_srdy ∧ c_new_write ∧ ClkD)
∨ ((new_C_mfsm_state = CMD0) ∧ c_new_write ∧ c_srdy ∧ ClkD)) in
let new_C_cin_2_le = (ClkD ∧ (((new_C_mfsm_state = CMD0) ∧ c_srdy ∧ ~c_new_write) ∨
((new_C_sfsm_state = CSA0)) ∨
((new_C_sfsm_state = CSD0) ∧ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write ∧ ClkD ∧ ((new_C_sfsm_state = CSALE) ∨ (new_C_sfsm_state = CSD1))) ∨
(~c_new_write ∧ C_clkA ∧ (new_C_sfsm_state = CSACK)) ∨
(c_new_write ∧ ClkD ∧ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE)))
∨ ((new_C_sfsm_state = CSALE) ∧ c_new_write)
∨ ((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR)))
∨ ((new_C_sfsm_state = CSD0) ∧ c_new_write) ∨
((new_C_sfsm_state = CSACK) ∧ c_new_write)) in
let new_C_wrdy = (c_srdy ∧ c_new_write ∧ (new_C_mfsm_state = CMD1) ∧ ClkD) in
let new_C_rrdy = (c_srdy ∧ ~c_new_write ∧ (new_C_mfsm_state = CMD0) ∧ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0)
∨ (new_C_mfsm_state = CMA2) ∨ (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)
∨ (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨ (C_mfsm_state = CMA2)
∨ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSACK)) ∧ (~(new_C_sfsm_state = CSABT))) in
let c_pe_cnt = (ClkD ∧ ((~(c_mparity = c_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
(((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => T |
((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ reset_error) => F |
((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => C_parity | ARB))) in
let new_C_source =
((reset_cport) => (WORDN 0) |
((ClkD ∧ ((new_C_sfsm_state = CSI) ∨ (new_C_sfsm_state = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
(MALTER ARBN (31,16) ((reset_cport) => (WORDN 0) |
((ClkD ∧ (((new_C_mfsm_state = CMD1) ∧ c_srdy ∧ ~c_new_write) ∨
((new_C_sfsm_state = CSA1)) ∨
((new_C_sfsm_state = CSD1) ∧ c_new_write))) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (31,16))))) in
let new_C_data_in =
(MALTER data_in31_16 (15,0) ((reset_cport) => (WORDN 0) |
((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
(SUBARRAY C_data_in (15,0))))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 =
(((c_dfsm_master ∧ C_cout_0_le_del) ∨
(~c_dfsm_master ∧ C_clkA ∧ (new_C_sfsm_state = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ |
(new_P_fsm_state = PD) => L_be_ | SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ =
(~(new_P_fsm_state = PH) =>
~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧ (new_P_fsm_state = PA) ∧ new_P_rqt) |
~((new_C_sfsm_state = CSALE) ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
let new_M_addr =
((~i_male_) => (SUBARRAY i_ad (18,0)) |
((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_be = ((~i_male_ ∨ ~m_srdy_) => (NOTN 3 i_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) ∧ new_M_wr ∧ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
((((new_M_fsm_state = MR) ∧ ~new_M_wr) ∨ new_M_wr ∨ (new_M_fsm_state = MI)) =>
((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ ∧ (~(new_M_fsm_state = MI)) ∧ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
((m_error ∧ ~(reset_piu ∨ reset_error)) => T |
((~m_error ∧ (reset_piu ∨ reset_error)) => F |
((~m_error ∧ ~(reset_piu ∨ reset_error)) => M_parity | ARB))) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
((~i_rale_) => (SUBARRAY i_ad (3,0)) |
((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_writeA = (~disable_writes ∧ R_wr ∧ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr ∧ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB ∧ (r_reg_sel = (WORDN 3))) => i_ad | R_ccr) in
let new_R_ccr_rden = (r_readB ∧ (r_reg_sel = (WORDN 3))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
((((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
((((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => T |
((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB ∧ (r_reg_sel = (WORDN 8))) => i_ad | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB ∧ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) ∧ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB ∧ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB ∧ (r_reg_sel = (WORDN 9))) => i_ad | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB ∧ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) ∧ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB ∧ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB ∧ (r_reg_sel = (WORDN 10))) => i_ad | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB ∧ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) ∧ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB ∧ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB ∧ (r_reg_sel = (WORDN 11))) => i_ad | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB ∧ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) ∧ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB ∧ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
let new_R_icr_mask =
((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => i_ad | R_icr_mask) in
let new_R_icr_rden = ((new_R_fsm_state = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let r_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨











((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_S_soft_shot_del = (~gcrh ∧ gcrl) in
let s_soft_cnt_out =
((s_fsm_sn) =>
((gcrl ∧ ~gcrh ∧ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
((gcrl ∧ ~gcrh ∧ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~gcrh ∧ ~gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out =
((s_fsm_src ∨ (s_fsm_scs ∧ (ELEMENT S_delay (6)))) =>
((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f ∧ Failure0_ ∧ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f ∧ Failure1_ ∧ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
((s_fsm_sb ∧ ~s_fsm_spmf) => T |
((~s_fsm_sb ∧ s_fsm_spmf) => F |
((~s_fsm_sb ∧ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
((s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => T |
((~s_fsm_sb ∧ (s_cpu0_ok ∨ Bypass)) => F |
((~s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
((s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => T |
((~s_fsm_sb ∧ (s_cpu1_ok ∨ Bypass)) => F |
((~s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
((s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => T |
((~s_fsm_sb ∧ (s_fsm_spf ∨ Bypass)) => F |
((~s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn ∨ s_fsm_so) ∧ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn ∨ s_fsm_so) ∧ S_cpu0_fail ∧ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
((s_fsm_sb ∧ ~s_cpu0_select) => T |
((~s_fsm_sb ∧ s_cpu0_select) => F |
((~s_fsm_sb ∧ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
((s_fsm_sb ∧ ~s_cpu1_select) => T |
((~s_fsm_sb ∧ s_cpu1_select) => F |
((~s_fsm_sb ∧ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 ∧ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 ∧ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 ∧ S_reset_cpu1 ∧ Bypass) in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) ∨ (new_S_fsm_state = SSTOP)
∨ (new_S_fsm_state = SCS) ∨ (new_S_fsm_state = SN)
∨ (new_S_fsm_state = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST)
∨ (new_S_fsm_state = SC1I) ∨ (new_S_fsm_state = SC1F)
∨ (new_S_fsm_state = SS) ∨ (new_S_fsm_state = SSTOP)
∨ (new_S_fsm_state = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) ∨ (new_S_fsm_state = SC0I)
∨ (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST)
∨ (new_S_fsm_state = SSTOP) ∨ (new_S_fsm_state = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) ∨ (new_S_fsm_state = SPF)
∨ (new_S_fsm_state = ST) ∨ (new_S_fsm_state = SC1I)
∨ (new_S_fsm_state = SCS) ∨ (new_S_fsm_state = SN)
∨ (new_S_fsm_state = SO))) in
let s_state = ss3 in
let sr28 = (ALTER ARBN (28) new_M_parity) in
let sr28_25 = (MALTER sr28 (27,25) new_C_ss) in
let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) s_state) in
let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in
let sr28_3 = (ALTER sr28_8 (3) new_S_reset_cpu1) in
let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpu0) in
let sr28_1 = (ALTER sr28_2 (1) new_S_cpu1_fail) in
let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB ∧ (r_reg_sel = (WORDN 4))) in
let new_P_fsm_rst = reset_piu in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in
let new_P_fsm_hold_ = new_C_holdA_ in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = reset_cport in
let new_C_mfsm_crqt_ = ~(new_P_dest1 ∧ new_P_rqt) in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = piu_invalid in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = reset_cport in
let new_C_sfsm_hlda = ~(new_P_fsm_state = PH) in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = i_cale_ in
let new_C_efsm_last_ = i_last_ in
let new_C_efsm_male_ = i_male_ in
let new_C_efsm_rale_ = i_rale_ in
let new_C_efsm_srdy_ = i_srdy_ in
let new_C_efsm_rst = reset_cport in
let new_M_fsm_male_ = i_male_ in
let new_M_fsm_last_ = i_last_ in
let new_M_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_M_fsm_rst = reset_piu in
let new_R_fsm_ale_ = i_rale_ in
let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_R_fsm_last_ = i_last_ in
let new_R_fsm_rst = reset_piu in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail ∧ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let L_ad_out = (((~(new_P_fsm_state = PA))
∧ (~(new_P_fsm_state = PH))
∧ ~((new_P_fsm_state = PD) ∧ new_P_wr)) => i_ad | ARBN) in
let L_ready_ = ~(~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let CB_rqt_out_ = ~(~(new_C_mfsm_state = CMI)) in
let ms0 = (ALTER ARBN (0) (((new_C_mfsm_state = CMD0) ∧ ~C_last_in_) ∨
((new_C_mfsm_state = CMW) ∧ Clock_in_) ∨
(new_C_mfsm_state = CMABT))) in
let ms10 = (ALTER ms0 (1) (((new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0) ∨
(new_C_mfsm_state = CMA2) ∨ (new_C_mfsm_state = CMD1) ∨
((new_C_mfsm_state = CMD0) ∧ C_last_in_) ∨ (new_C_mfsm_state = CMW) ∨
(new_C_mfsm_state = CMABT)))) in
let ms210 = (ALTER ms10 (2) (((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨
(new_C_mfsm_state = CMA0) ∨ (new_C_mfsm_state = CMA2) ∨
(new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0) ∨
(new_C_mfsm_state = CMW) ∨ (new_C_mfsm_state = CMABT)) ∧
~new_S_pmm_fail ∧ ~(ELEMENT new_R_gcr (28)))) in
let CB_ms_out = (((~(new_C_mfsm_state = CMI)) ∧ (~(new_C_mfsm_state = CMR))) => ms210 | ARBN) in
let ss0 = (ALTER ARBN (0) ((new_C_sfsm_state = CSA0W) ∨
((new_C_sfsm_state = CSALE) ∧ ~c_new_write) ∨
(new_C_sfsm_state = CSACK))) in
let ss10 = (ALTER ss0 (1) ~(new_C_sfsm_state = CSACK)) in
let ss210 = (ALTER ss10 (2) (~new_S_pmm_fail ∧ ~(ELEMENT new_R_gcr (28)))) in
let CB_ss_out = (((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSABT))) => ss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_a1a0 (15,0)) |
((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUBARRAY new_C_a1a0 (31,16)) |
((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
Par_Enc rep (SUBARRAY new_C_a3a2 (31,16))))) | ARBN) in
let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in
let mb_data_7_0 = (((ELEMENT M_be (0))) => (SUBARRAY i_ad (7,0)) | (SUBARRAY M_rd_data (7,0))) in
let mb_data_15_8 = (((ELEMENT M_be (1))) => (SUBARRAY i_ad (15,8)) | (SUBARRAY M_rd_data (15,8))) in
let mb_data_23_16 = (((ELEMENT M_be (2))) => (SUBARRAY i_ad (23,16)) | (SUBARRAY M_rd_data (23,16))) in
let mb_data_31_24 = (((ELEMENT M_be (3))) => (SUBARRAY i_ad (31,24)) | (SUBARRAY M_rd_data (31,24))) in
let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
(15,8) mb_data_15_8)
(23,16) mb_data_23_16)
(31,24) mb_data_31_24)) in
let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) ∧ ~new_M_se) in
let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) ∧ new_M_se) in
let MB_we_ = ~(((new_M_se ∨ ~(new_M_fsm_state = MI)) ∨ ~reset_cport)
∧ ~disable_writes
∧ ((new_M_fsm_state = MBW) ∨ (new_M_fsm_state = MW) ∨ new_M_wwdel)) in
let MB_oe_ = ~((~new_M_wr ∧ (new_M_fsm_state = MA)) ∨ (new_M_fsm_state = MR)) in
let disable_int = (~(s_fsm_sn ∧ (ELEMENT s_delay_out (6))) ∧ s_fsm_sdi
∧ ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in
let Int0_ = ~(r_int0_en ∧ ~R_int0_dis ∧ ~disable_int) in
let Int1 = (R_ctr1_ccy ∧ new_R_int1_en ∧ ~disable_int) in
let Int2 = (R_ctr3_ccy ∧ new_R_int2_en ∧ ~disable_int) in
let Int3_ = ~(r_int3_en ∧ ~R_int3_dis ∧ ~disable_int) in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpu1 = new_S_reset_cpu1 in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpu1_fail = new_S_cpu1_fail in
let Pmm_fail = new_S_pmm_fail in
(L_ad_out, L_ready_,
CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
Int0_, Int1, Int2, Int3_, Led,





REPORT DOCUMENTATION PAGE    OMB No. 0704-0188
1. AGENCY USE ONLY (Leave blank)    2. REPORT DATE    3. REPORT TYPE AND DATES COVERED
November 1, 1992    Contractor Report
4. TITLE AND SUBTITLE    5. FUNDING NUMBERS





7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Boeing Military Airplanes
P.O. Box 3707 M/S 4C-70
Seattle, WA 98124-2207
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)














12a. DISTRIBUTION / AVAILABILITY STATEMENT
Unclassified-Unlimited
Subject Category 60
12b. DISTRIBUTION CODE
13. ABSTRACT (Maximum 200 words)
This report describes work to formally specify the requirements and design
of a processor interface unit (PIU), a single-chip subsystem providing
memory-interface, bus-interface, and additional support services for a commercial
microprocessor within a fault-tolerant computer system. This system, the
Fault-Tolerant Embedded Processor (FTEP), is targeted towards applications
in avionics and space requiring extremely high levels of mission reliability,
extended maintenance-free operation, or both. The need for high-quality design
assurance in such applications is an undisputed fact, given the disastrous
consequences that even a single design flaw can produce. Thus, the further
development and application of formal methods to fault-tolerant systems is












Fault Tolerant Embedded Processor (FTEP)
18. SECURITY CLASSIFICATION OF THIS PAGE    19. SECURITY CLASSIFICATION OF ABSTRACT
Unclassified
15. NUMBER OF PAGES
16. PRICE CODE
A12
20. LIMITATION OF ABSTRACT
Standard Form 298 (Rev. 2-89)


