Formal verification of a microcoded VIPER microprocessor using HOL by Windley, Philip et al.
NASA Contractor Report 4489
Formal Verification of a Microcoded
VIPER Microprocessor Using HOL
Karl Levitt, Tejkumar Arora,
Tony Leung, Sara Kalvala,
This document was generated in support of NASA contract NAS 1-18586, Design and Validation of Digital
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 3. Task 3 is associated
with formal verification of embedded systems.
The formal verification of a microprocessor involves demonstrating that a specification of the
microprocessor is satisfied by its implementation. The specification is usually a formal description of the
microprocessor's instructions. Any more concrete description of the microprocessor can suffice for the
implementation, but it has become the practice for the implementation to represent the major electronic
blocks that constitute the microprocessor (ALU, registers, latches, memory, etc), hence the name electronic
block model. Although not necessarily routinely, a realization of the electronic block can be checked by
simulation or other testing methods.
A particular microprocessor of interest is Viper, designed by the Royal Signals and Radar Establishment,
UK (RSRE) for critical applications. An initial successful proof of Viper (by Avra Cohn) was of its major
state model. However, what was verified is considered to be too abstract for an implementation. A
subsequent effort was undertaken by Cohn to verify Viper's electronic block model. Both of these efforts
made use of the HOL (the Cambridge Higher Order Logic) theorem prover. This latter proof was not
completed, mostly because it became too time consuming.
Our view of the incomplete proof of Viper is that the jump in abstraction between the electronic block
model and the specification is too great. By introducing intermediate levels between the two extreme
models, the overall proof becomes one of establishing more but simpler proofs. Windley, in a recent U. C.
Davis PhD thesis showed that the levels can be represented as interpreters, each of which models an
abstraction of a microprocessor. For example, one of the levels is an interpreter for the execution of
microinstructions. To further simplify the proof effort, Windley developed a theory of generic interpreters--
a notation that is sufficiently powerful to represent a large class of interpreters. The interpreter theory has
been formalized using generic theories in HOL for use in specifying and verifying microprocessors. The
generic interpreter theory formally defines an interpreter and generates a correctness theorem for the generic
model stating what it means, in general, for an instance of the interpreter to be correctly implemented.
To demonstrate the effectiveness of this theory on a real microprocessor instruction set, this report presents
our results on applying the generic interpreter methodology to Viper. We redesigned Viper as a hierarchy of
five interpreters, each of which is an instance of the generic interpreter. The top level specifies the Viper
instruction set, and the lowest is of the abstraction of the conventional electronic block model, but one that
implements a microinstruction interpreter.
In this report we discuss our design of the microcoded machine that realizes the Viper instruction set, and
our verification of this machine. The design and most of the verification was carried out in 1 person-year
by two Master's students with no previous background in formal methods. We also discuss features of the
original Viper design that our verification effort does not consider.
The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center,
Hampton, Virginia.
The work was accomplished at Boeing Military Airplanes, Seattle, Washington, and the University of
California, Davis, California. Personnel responsible for the work include:
Boeing Military Airplanes:
D. Gangsaas, Responsible Manager
T. M. Richardson, Program Manager
G. C. Cohen, Principal Investigator
University of California:
1.0 INTRODUCTION ........ 1
1.1 VIPER ........ 3
1.2 Abstraction ........ 5
1.2.1 Hierarchical Decomposition ........ 5
1.2.2 Generic Interpreters ........ 6
1.3 What we have accomplished vis-a-vis VIPER ........ 7
1.4 Notation and Conventions ........ 9
1.5 Chapter Summaries ........ 9
2.0 RELATED MICROPROCESSOR VERIFICATION EFFORTS ........ 11
2.1 Tamarack ........ 12
2.2 FM8501 ........ 12
2.3 VIPER ........ 13
2.4 SECD ........ 15
2.5 Comparison ........ 15
3.0 THE FIVE-LEVEL STRUCTURE OF OUR VIPER IMPLEMENTATION ........ 17
3.1 VIPER Instruction Level ........ 18
3.2 The Macro Level ........ 19
3.3 Micro Level ........ 21
3.4 Phase Level ........ 22
3.5 Electronic Block Level ........ 23
3.5.1 The Data Path ........ 23
3.5.2 The Control Unit ........ 25
4.0 PROOF METHODOLOGY ........ 29
4.1 Abstract operations ........ 29
4.2 Verification Using an Abstract Interpreter Model ........ 31
4.3 Hierarchical proof ........ 33
5.0 MACRO LEVEL SPECIFICATION AND PROOF OF MICRO LEVEL ........ 37
5.1 Instantiation of the interpreter ........ 37
5.2 Example specification ........ 40
5.3 Proof obligations and example proof ........ 41
6.0 MICROCODE SPECIFICATION AND PROOF OF PHASE LEVEL ........ 43
6.1 Instantiating the generic interpreter ........ 43
6.2 Specification of microinstructions ........ 43
6.3 Proof obligations ........ 46
7.0 PHASE SPECIFICATION, BLOCK SPECIFICATION AND PROOF ........ 47
7.1 Description of the phases ........ 47
7.2 Description of block level ........ 52
7.3 Proof of the Block level ........ 52
8.0 MACRO LEVEL CORRESPONDENCE TO RSRE SPECIFICATION ........ 57
8.1 Introduction ........ 57
8.2 Methodology ........ 57
8.3 Defining the instructions ........ 58
8.4 Proof of SHLB ........ 61
8.5 Definition of the Decoder ........ 66
APPENDIX A: DESCRIPTION OF HOL ........ 73
APPENDIX B: INTERPRETER THEORY AND ABSTRACT FUNCTIONS ........ 77
APPENDIX C: VIPER LEVEL SPECIFICATION ........ 89
APPENDIX D: MACRO LEVEL SPECIFICATION ........ 111
APPENDIX E: MICRO LEVEL SPECIFICATION ........ 157
APPENDIX F: MICROCODE ........ 231
APPENDIX G: SAMPLE MACRO TO MICRO LEVEL PROOF ........ 237
APPENDIX H: PHASE LEVEL SPECIFICATION ........ 247
APPENDIX I: ELECTRONIC BLOCK LEVEL ........ 267
1.2-1 A microprocessor specification can be decomposed hierarchically ........ 6
3.1-1 VIPER Instruction Format ........ 18
3.3-1 Microinstruction sequence for SHLS ........ 22
3.5-1 Electronic Block Model ........ 24
3.5-2 Microinstruction Format ........ 25
4.1-1 Abstract representation of operations ........ 30
4.1-2 Using an abstract representation ........ 31
4.2-1 Abstract representation of a processor ........ 31
4.2-2 Specification of the interpreter ........ 32
4.2-3 Implementation of the interpreter ........ 32
4.2-4 Obligations of the interpreter model ........ 33
4.2-5 Intermediate lemma in final proof ........ 34
4.2-6 Correctness of the interpreter ........ 34
5.1-1 Macro-level viewed as an interpreter ........ 37
5.1-2 Macro-instruction list ........ 38
5.1-3 State as viewed by macro-instructions ........ 38
5.1-4 Obligation for macro-instructions ........ 39
5.2-1 The write_reg function ........ 40
5.2-2 Example macro-instruction ........ 40
5.3-1 Function to generate goals ........ 41
5.3-2 Proof of SHLB instruction ........ 42
6.1-1 Micro level interpreter in terms of the generic interpreter ........ 44
6.2-1 State as viewed by microinstructions ........ 44
6.2-2 Example microcode ........ 45
6.3-1 Correctness of microinstructions ........ 45
6.3-2 Correctness of the micro level ........ 46
7.1-1 State manipulated by phase and EBM levels ........ 48
7.1-2 Description of first phase ........ 48
7.1-3 Description of second phase ........ 49
7.1-4 Third phase ........ 50
7.1-5 Third phase, continuation ........ 51
7.2-1 Register with enable input ........ 52
7.2-2 Data path ........ 53
7.3-1 Instantiating generic interpreter at phase level ........ 54
7.3-2 Tactic for proving individual phases ........ 54
7.3-3 Proof of correctness of phase level ........ 55
8.2-1 VIPER's NEXT function ........ 59
8.2-2 Goal for the verification step ........ 59
8.4-1 Goal for proof of SHLB ........ 61
8.4-2 Lemmas for cases of DSF ........ 62
8.4-3 Tactics in proof of SHLB ........ 62
8.4-4 Lemmas with properties of VIPER level ........ 63
8.4-5 Error cases in VIPER specification ........ 65
3.2-2 Decoding operand fields ........ 21
A-1 HOL Infix Operators ........ 74
A-2 HOL Binders ........ 5
1.0 INTRODUCTION
Computers are being used with increasing frequency in areas where the correct implementation
of the computer hardware is critical. These include:
• Safety-critical applications where the computer is directly involved in the control of systems
that protect human life. A flight control system on an aircraft or the control system in a
nuclear power plant are examples of this type of application.
• Security-critical applications where the computer is used to process information that is
economically or politically sensitive. Many computers used in government or industry fall into
this category to one degree or another.
• Mass-produced consumer goods where the computer is an integral part of the product and
a mistake in the design or implementation could result in product recalls costing enormous
amounts of money.
In these and other applications it is vital that the computer system be correct.
There are two complementary approaches to computer correctness: fault tolerance and fault
exclusion. The former, usually achieved through designs with redundant computing elements, is
most useful in handling dynamic faults occurring during system operation, due to component failure
or other unexpected events. The latter is a static process intended to remove errors in design and
implementation before the computer system is in service.
Testing is an example of a fault exclusion technique. Testing can be divided into two distinct
kinds: implementational testing, which is used to verify that a physical device is fabricated correctly,
and functional testing, which is used to verify that a design functions as the designer intended.
Because it is impossible to exhaustively test a computer system, formal verification is an attractive
alternative to functional testing.
Formal verification requires at least two descriptions of a system: one of its implementation
and one of its specification. Correctness is shown by demonstrating through mathematical proof
that the former implies the latter. Although verification can be carried out using pencil and paper,
the detail associated with the verification of realistic systems would overwhelm even the most
patient human prover. Moreover, humans, being fallible, are likely to accept erroneous proofs as
theorems. An alternative is the use of theorem proving programs. Such mechanical theorem provers
range from proof generators that attempt to create a proof with minimal human assistance to proof
checkers that check a human-created proof. We used the HOL (Cambridge Higher Order Logic)
theorem prover for our work. HOL's style of proof is closer to that of a proof checker than a proof
generator, but HOL can be programmed to also provide significant automation in the creation of
proofs.
Although through verification a computer system can, in principle, be demonstrated to contain
no design errors, verification cannot in practice be guaranteed to achieve such a goal. First of all,
the specification might not represent what the user wants of the system; in other words, the creation
of the specification from informal requirements can introduce errors. Second, what is being verified,
the implementation, is an abstraction of the physical device that comprises the microprocessor; the
physical device might not correspond to the implementation, possibly due to errors introduced in
the fabrication process. Third, verification, even with the assistance of mechanical theorem provers,
is difficult and extremely human intensive; it might be impossible to complete the verification of
complex systems.
Verification methodology has held the promise of correct programs for many years. However,
it has been mostly impractical for large programs. In recent years, there has been interest in
microprocessor verification. Although large programs are beyond the capability of the current
verification technology, the verification of commercial microprocessors should be realistic. Our
justifications for being optimistic about microprocessor verification are as follows:
• The specification for a microprocessor is not difficult to produce, largely expressing the
functional behavior of each instruction.
• The implementation for many microprocessors is conceptually straightforward, largely in-
volving iterative structures (such as registers) and control logic to resolve the many different
cases. The algorithms represented by the implementation, even for arithmetic, are usually
extremely simple compared with those associated with programs.
However, the detail involved in microprocessor proofs rapidly becomes staggering. This was
the experience of Avra Cohn in attempting to verify the VIPER microprocessor.
1.1 VIPER
VIPER was designed by RSRE (ref. 1) in the mid-1980's. Not intended by its designers to
push the envelope of microprocessor design, VIPER was designed to be simple and verifiable. For
example, VIPER does not contain a stack or (user and privileged) modes, nor does it support
interrupts. The first was excluded because it invites a programming practice that can lead to
runtime errors, and the third because it was thought to be a feature difficult to verify. We have not
seen comments on the second, but we conjecture that VIPER would not be used in any applications
requiring multitasking.
Of interest to us here are the attempts to verify VIPER, in particular (ref. 2). The top-level
specification defines the NEXT state as a function of the current state and the current instruction.
The elements of the state are main memory, five registers, and a few status bits--abstracting away
a large fraction of the state that comprises the implementation. The implementation, called the
electronic block model, is described in terms of logical blocks such as an ALU, registers, flip-flops,
multiplexors, etc. Both the specification and the electronic block model were provided to Cohn
by RSRE. The proof was to demonstrate that the electronic block model implies the specification;
HOL was used in the proof process.
Cohn's work remains a significant contribution, having formalized the electronic block model
in HOL and having developed a methodology and many lemmas that could be used to carry out the
proof. However, the proof was not completed. As it progressed, it became clear that approximately
1 person-week was required to prove the implementation of each of the 122 cases in the specification.
a. RSRE's specification is extremely unstructured; essentially it is almost totally non-orthogonal.
Although not conceptually difficult, the specification is still long--three pages of HOL logic.
The specification is quite a bit more unstructured than what one would expect of the
instruction set architecture for a computer with the instruction set power of VIPER.
b. Although not particularly complicated as compared with state-of-the-art commercial
microprocessors, the implementation is still quite long. It occupies approximately seven pages of
HOL logic. If this were a program being verified, by all measures it would be of nontrivial
length.
c. Further elaborating on (b), the jump in abstraction between the specification and the
electronic block model is too large to be carried out in one step.
d. There is insufficient support in HOL for the kinds of low-level reasoning associated with words,
bit strings, etc.
It is item (c) that is of particular concern to us. In starting out on our work, we conjectured that
through intermediate abstractions the proof effort required for VIPER could be simplified to the
point where it would be realistic. It is still necessary to verify the lowest level of abstraction, defined
in seven pages of HOL logic, ultimately with respect to the highest level of abstraction, occupying
three pages of specification representing 128 cases. However, if the next to the lowest level of
abstraction has fewer cases, the lowest level will be easier to verify. Similarly, if the next-to-highest
level of abstraction is shorter, it will be relatively easy to verify with respect to the specification.
The handcrafting of levels of abstraction is what is needed to simplify the verification of complex
systems. In creating these abstractions, there will be tradeoffs among the number of cases, the size
of the abstraction's specifications, and the jump in data abstraction between adjacent abstractions.
As discussed later, the specification of the electronic block model of our VIPER machine
is simpler than that of Cohn's, with respect to omitted details not pertinent to our proof. For
example, we do not specify in detail the logic of the ALU; instead it is declared to perform one of
32 unspecified functions. This incompleteness, of course, appears at all levels, including the top
level. As noted by Brock and Hunt (ref. 3) with respect to a similar but less glaring weakness in
the RSRE specifications of VIPER, the top-level specification does not permit proofs of programs
that depend on the semantics of these operations to be carried out. However, the incompleteness
in the electronic block model is not relevant to the main purpose of our verification effort: to verify
that the sequence of actions at the electronic block model assures (among many other things) that
the correct ALU control lines are asserted with respect to the instructions under execution.
VIPER has many more features that make it suitable for use in safety-critical applications,
but are not modeled at the top level. These include input signals for resetting the machine, single-
stepping it, forcing the machine into an error state and extending read/write cycles. Output
signals are also provided to indicate the state of the STOP and B flags, and whether the machine
is currently fetching or executing an instruction. VIPER also incorporates a time-out facility in its
interaction with the memory.
Because these features are inconsequential to the top-level specification, however, they can
safely be ignored in the block-level specification, i.e. the implementation. However, for the purpose
of verification with respect to the top-level instructions, certain assumptions about the behavior
of these signals must be made. For example, the reset signal is assumed to be false throughout
the execution of an instruction and the STOP flag is assumed to be false at the beginning of an
instruction. In addition, a simple memory model in which memory responds in a fixed and known
number of cycles is being assumed, although the design of VIPER supports more complex memory
protocols.
1.2 ABSTRACTION.
Viewing a complex program as a hierarchy of abstractions is a well-known approach to
simplifying the verification of such a system. Programming languages such as Ada provide syntactic
units (i.e., modules) for defining abstractions; of course, it is the programmer's responsibility to
create modules that will simplify the design and, if it is relevant, the verification.
To facilitate the use of abstraction in the design and verification of microprocessors, Windley
(ref. 4) formalized the concept of interpreters.
1.2.1 HIERARCHICAL DECOMPOSITION.
As mentioned above, verification requires at least two formal descriptions of the computer
system: one behavioral, B, and one structural, S. Verification consists of showing through formal
proof techniques that
S ⇒ B
One need not be limited, of course, to one level of abstraction. Supposing that B1 through
Bn represent increasingly abstract specifications of the system's behavior, one could verify its
correctness by proving
S ⇒ B1 ⇒ ... ⇒ Bn
Figure 1.2-1 shows how this principle can be applied to the specification of a microprogrammed
microprocessor. At the bottom of the hierarchy is the usual structural specification of the electronic
block model.
[Figure 1.2-1: A microprocessor specification can be decomposed hierarchically. Levels, top to bottom: Macro Level Specification, Micro Level Specification, Phase Level Specification, Electronic Block Model.]
This specification describes the computer's implementation--for our purpose, the connections
among its various components. At the top is the behavioral specification corresponding to the
programmer's model of the microprocessor. In between these are two additional abstraction levels:
one for the microcode interpreter and one specifying the phase (or subcycle) behavior. Our VIPER
design has two macro levels: the topmost is the RSRE specification and the next lower specifies an
orthogonal instruction set containing 20 instructions.
Hierarchical decomposition plays an important role in the methodology for verifying
microprocessors. The use of a hierarchical decomposition can lead to significant reductions in the amount
of effort used to structure and complete a correctness proof.
1.2.2 GENERIC INTERPRETERS.
With one exception, each of the levels in the specification hierarchy shown in Figure 1.2-1
has the same structure. The bottom-level specification is a structural description, but the other
specifications all share a common structure. Each of the abstract behavioral descriptions can be
specified using an interpreter model. However, the level in our hierarchy that corresponds to the
RSRE instruction set does not fit exactly our interpreter model.
Perhaps the most distinguishing feature of an interpreter is that it has a flat control structure.
One of n instructions is chosen based on the current state. The chosen instruction operates on
the state and the cycle begins anew. There are a large number of interesting computer systems
that have a flat control structure: microprocessors, operating systems, language interpreters, and
editors are a few.
Since each of the behavioral descriptions in the specification hierarchy is similar, we would
prefer to develop a general model of an interpreter and use this model in our specification rather
than treating each level in the hierarchy separately.
As we will demonstrate, a generic interpreter specification consists of a number of parts:
abstract state, instructions, selectors for instructions, mapping to next lower state, description of
implementation, etc. To verify the instantiation of a generic interpreter involves the verification of
obligations, the most difficult of which is that each instruction is correctly implemented.
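The generic interpreter of this section and the S ⇒ B obligation of Section 1.2.1, modelled in Python as an added example (constructed for this rewrite, not code from the report or from Windley's HOL theories). `Interpreter` captures the flat control structure shared by every level, and `verify_instance` states the instantiation obligation for a constructed macro/micro pair: the micro level, run for the cycles that implement the selected macro instruction and then abstracted, must equal one step of the macro specification. The 4-bit datapath, the opcodes SHL and ADD, the register names and the microcode ROM are all assumptions; the check is exhaustive over the small state space, standing in for the HOL proof.

```python
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, Dict, Hashable, Iterable, List, Tuple

WIDTH = 4                    # constructed 4-bit datapath, small enough to enumerate fully
MASK = (1 << WIDTH) - 1


class Interpreter:
    """Flat control structure shared by every level of the hierarchy:
    select one instruction from the state via `key`, apply it, repeat."""

    def __init__(self, instrs: Dict[Hashable, Callable], key: Callable[[object], Hashable]):
        self.instrs = instrs
        self.key = key

    def step(self, s):
        return self.instrs[self.key(s)](s)

    def run(self, s, n: int):
        for _ in range(n):
            s = self.step(s)
        return s


def verify_instance(upper: Interpreter, lower: Interpreter, abstract: Callable,
                    cycles: Callable[[object], int], lower_states: Iterable) -> List[Tuple]:
    """The instantiation obligation: for every lower-level state at an instruction
    boundary, running `lower` for the cycles that implement the selected upper-level
    instruction and then abstracting equals one `upper` step on the abstracted state.
    Returns the counterexamples; an empty list means the obligation holds."""
    bad = []
    for s in lower_states:
        via_impl = abstract(lower.run(s, cycles(s)))
        via_spec = upper.step(abstract(s))
        if via_impl != via_spec:
            bad.append((s, via_impl, via_spec))
    return bad


# ---- Macro level (behavioral spec). Opcode and register names are constructed. ----
@dataclass(frozen=True)
class MacroState:
    ir: str      # opcode of the current instruction: "SHL" or "ADD"
    acc: int     # accumulator
    x: int       # second operand register
    b: bool      # carry-out flag


def macro_shl(s: MacroState) -> MacroState:
    v = s.acc << 1
    return replace(s, acc=v & MASK, b=bool(v >> WIDTH))


def macro_add(s: MacroState) -> MacroState:
    v = s.acc + s.x
    return replace(s, acc=v & MASK, b=bool(v >> WIDTH))


MACRO = Interpreter({"SHL": macro_shl, "ADD": macro_add}, key=lambda s: s.ir)


# ---- Micro level (implementation): extra state and a linear, loop-free microcode ROM ----
@dataclass(frozen=True)
class MicroState:
    ir: str
    acc: int
    x: int
    b: bool
    tmp: int     # scratch register invisible at the macro level
    mpc: int     # micro program counter; 0 marks a macro-instruction boundary


def u_tmp_from_acc(m): return replace(m, tmp=m.acc, mpc=m.mpc + 1)
def u_tmp_from_x(m):   return replace(m, tmp=m.x, mpc=m.mpc + 1)


def u_acc_plus_tmp(m):                       # last microinstruction: mpc back to 0
    v = m.acc + m.tmp
    return replace(m, acc=v & MASK, b=bool(v >> WIDTH), mpc=0)


def u_acc_plus_tmp_no_flag(m):               # deliberately wrong: forgets the carry flag
    return replace(m, acc=(m.acc + m.tmp) & MASK, mpc=0)


MICROCODE = {                # (opcode, mpc) -> microinstruction
    ("SHL", 0): u_tmp_from_acc, ("SHL", 1): u_acc_plus_tmp,   # acc + acc == acc << 1
    ("ADD", 0): u_tmp_from_x,   ("ADD", 1): u_acc_plus_tmp,
}
BUGGY_MICROCODE = {**MICROCODE, ("SHL", 1): u_acc_plus_tmp_no_flag}


def abstract(m: MicroState) -> MacroState:   # drop micro-only state (tmp, mpc)
    return MacroState(m.ir, m.acc, m.x, m.b)


def cycles(m: MicroState) -> int:            # micro steps that implement m.ir
    return sum(1 for (op, _) in MICROCODE if op == m.ir)


def boundary_states() -> Iterable[MicroState]:
    regs = range(1 << WIDTH)
    for ir, acc, x, b, tmp in product(("SHL", "ADD"), regs, regs, (False, True), regs):
        yield MicroState(ir, acc, x, b, tmp, 0)


def check(microcode=MICROCODE) -> List[Tuple]:
    micro = Interpreter(microcode, key=lambda m: (m.ir, m.mpc))
    return verify_instance(MACRO, micro, abstract, cycles, boundary_states())


if __name__ == "__main__":
    print("correct microcode: counterexamples =", len(check()))
    print("buggy microcode:   counterexamples =", len(check(BUGGY_MICROCODE)))
```

With the correct ROM the obligation holds for every boundary state; the ROM that drops the carry flag fails in exactly the SHL states where the flag should change, which is the kind of sequencing error the report's proof is designed to expose.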
1.3 WHAT WE HAVE ACCOMPLISHED VIS-A-VIS VIPER
Our goal was to show that through the use of the generic interpreter methodology a
microprocessor as complex as VIPER could be verified. Since VIPER was not designed as a hierarchy
of interpreters, the RSRE VIPER design could not be verified using this methodology. Hence, we
designed a microprocessor that would realize the VIPER instruction set as specified by RSRE. The
design is in terms of the five levels of abstraction, as follows:
a. The top level is, with a few minor simplifications, the RSRE specification. In the RSRE
specification, all functions (with the exception of a few arithmetic functions) are defined; in
our specification some functions (such as the comparison of two words) are uninterpreted.
As indicated previously, the exact meaning of functions used to define the instructions is
not relevant to a proof that shows that the appropriate ALU signals are asserted for each
instruction, and operands are fetched from and stored to the specified locations.
b. The next level down is the macro level specification (the top level of figure 1.2-1), providing
20 instructions. This level, as opposed to the RSRE specification, represents the VIPER
instruction set in terms of comparatively few instructions with orthogonal fields. It is
emphasized that this level is equivalent in power to the RSRE specification, but of course, having
a different format, the instructions of this level would not execute VIPER programs. It was
necessary to demonstrate that this level realizes the RSRE specification at level (a).
c. The third level is the micro level, providing approximately 100 microinstructions. Each macro
instruction is implemented as a linear (loop-free) sequence of a subset of the microinstructions.
The microcode is in effect the data of this level.
d. The next level down is the phase level, which implements each micro-instruction in a sequence
of 3 phases.
e. The lowest level is the Electronic Block Model level, which consists of the control structure
and datapaths to implement each of the phases.
Our experience to date has convinced us that the generic methodology has simplified the
proof effort by half, as compared with Cohn's experience. Furthermore, the use of hierarchical
abstractions has permitted us to divide up the proof. Most of the proof was accomplished by two
Master's students, each student verifying 2 levels.
As Cohn has noted, it is important to clearly state what has been and what has not been
verified.
Our proof demonstrates that the Electronic Block Model we have designed implements the
RSRE instruction set. It is important to note that the ALU is a component of the Electronic
Block Model. But having just specifications for the ALU, and not an implementation, means that
we are not verifying that the ALU, when stimulated with signals that are assumed to cause it
to add two numbers, actually does carry out the add operation. Of course, we could carry out
the verification down to the gate level--and verify the ALU, decoders, flip-flops, registers--and the
other components taken as primitives of the Electronic Block Model. Such proofs are within current
verification capabilities and in fact have been performed routinely by many verification teams.
When all is said and done, our verification shows the following: For each instruction of the
RSRE specifications, the Electronic Block Model causes the proper sequencing of actions to take
place; the operands are fetched from the right place (registers or memory), the results are stored
in the right place, and the right signals are asserted on the primitive functional units (such as the
ALU). Since there are many ways the Electronic Block Model could sequence activities (most of
them incorrect), what is verified is far from trivial.
1.4 NOTATION AND CONVENTIONS.
Our notation will be that of standard logic with a few extensions:
• Terms in the logic will be written in typewriter font.
• Conjunction, disjunction, negation, implication, universal quantification, existential
quantification, and lambda abstraction use the usual symbols: ∧, ∨, ¬, ⟹, ∀, ∃, and λ, respectively.
• We use a conditional operator that is written a → b | c, meaning "if a, then b, else c."
• Definitions will be denoted with a pre-pended ⊢def.
• Terms that have been formally proven in the logic will be pre-pended with ⊢.
Other notations and logical expressions will be explained as they are used.
1.5 CHAPTER SUMMARIES.
Chapter 2 compares VIPER to other microprocessors that have been verified. Our Macro level
shows that VIPER can be viewed as a microprocessor with approximately 20 instructions--about
the same as several other microprocessors that have been verified. However, VIPER's imple-
mentation complexity was reflected in the size of its microcode, i.e. approximately three times
the complexity of other microprocessors considered for verification. The additional complexity is
mostly due to error conditions.
Chapter 3 presents our design for the VIPER microprocessor, with the discussion organized
according to the five levels of interpreters identified.
Chapter 4 reviews the hierarchical methodology employed in the verification. Excluding the
top and bottom levels, each level in the hierarchy is a generic interpreter, which is instantiated to
include the instructions supported by the interpreter, a unique key assigned to each instruction,
the state space of the interpreter and its implementing interpreter, a mapping between these state
spaces, and a description of the implementation. Once instantiated, an interpreter can be verified--
showing that the implementation implies the specification for each instruction in the specification.
Chapters 5, 6, 7, and 8 highlight the verification effort. We discuss the specifications for each
of the five interpreters and present in detail the verification of the shift-left instruction through the
five levels.
Chapter 9 presents our conclusions and recommendations for future work. Particularly rel-
evant are the recommendations for providing additional automation in the HOL system and the
need for faster theorem proving engines. Although VIPER is a significant challenge to the current
verification technology, it is still a rather impoverished microprocessor. Of interest, then, is scal-
ability of the verification we and others working on microprocessor verification are pursuing: the
prospects for verifying designs that are more complex than VIPER by an order of magnitude.
The 10 appendices include a brief description of the HOL logic (Appendix A) and the HOL
listings of the five interpreters and the ML code that constitutes the verification. We have included
the complete listings to allow the dedicated reader the opportunity to check our proof, to improve
it through the use of better tactics, to extend the design with new features, or to translate the
specifications into a different logic.
2.0 RELATED MICROPROCESSOR VERIFICATION EFFORTS
There have been numerous efforts to verify microprocessors. Many of these have used the
same implicit behavioral model. We will first describe this implicit model and then describe the
microprocessor verifications that use it.
In general, the model uses a state transition system to describe the microprocessor. The
microprocessor specification has four important parts:
a. A representation of the state, S. This representation varies depending on the verification
system being used.
b. A set of state transition functions, J, denoting the behavior of the individual instructions of
the microprocessor. Each of these functions takes the state defined in step (a) as an argument
and returns the state updated in some meaningful way.
c. A selection function, N, that selects a function from the set J according to the current state.
d. A predicate, I, relating the state at time t + 1 to the state at time t by means of J and N.
In some cases, the individual state transition functions, J, and the selection function, N, are
combined to form one large state transition function. Also, a functional specification would use a
function for part (d) instead of a predicate. The specifications, however, are largely the same.
After the microprocessor has been specified, we can verify that a machine description, M,
implements it by showing
$\forall s \in S.\ M(s) \Rightarrow I(s).$
That is, I has the same effect on the state, s, that M does. This theorem is typically shown by
case analysis on the instructions in J by establishing the following lemma:
$\forall j \in J.\ M(s) \Rightarrow (\forall t : \mathit{time}.\ C(j, s, t) \Rightarrow s(t + n_j) = j(s(t)))$
where C is a predicate expressing the conditions for instruction j's selection, s(t) is the state at
time t, and nj is the number of cycles that it takes to execute j. This lemma says that if an
instruction j is selected, then applying j to the current state yields the state that results by letting
the implementing interpreter M run for n_j cycles. We call this lemma the instruction correctness
lemma.
The remaining parts of this section describe microprocessor verifications where some variation
of this general model was used.
2.1 TAMARACK
Tamarack is a small microcoded microprocessor that has been verified by Jeffrey Joyce at the
University of Cambridge. Joyce has verified Tamarack to the transistor level using HOL and has
fabricated an 8-bit version of the design in CMOS. In addition to verifying the microprocessor,
Joyce has also verified a compiler for Tamarack (ref. 5).
Tamarack is a 16-bit computer with a 13-bit address space. The computer has 8 instructions:
halt, jump, jump if zero, add, subtract, load, store, and skip (or no operation). The architecture has
an accumulator and a program counter visible to the assembly language programmer in addition
to the memory. The computer is implemented in microcode and has a single bus connecting each
of the blocks in the electronic block model. The microstore is 32 microwords long.
Tamarack is based on a computer designed and verified using the LCF-LSM system (a precursor
to HOL) by Mike Gordon (ref. 6). Daniel Weise verified Gordon's design using a Lisp-based system
called Silica Pithecus (ref. 7) and Harry Barrow verified it using a system called VERIFY (ref. 8),
making this the most widely verified microcomputer design.
The specification and verification of Tamarack corresponds closely to the general model devel-
oped at the beginning of this section. The macro-level specification denotes what each instruction
does and ties the descriptions of each instruction together with a predicate stating the relation
between the state at time t and time t + 1.
The verification of Tamarack is enlightening since it has been performed many times with
many different verification systems and using many levels of abstraction. Tamarack is, however,
small, and research is underway to discover methods for scaling the Tamarack experience to larger
microprocessors, including those with larger instruction sets and support for operating systems.
2.2 FM8501.
FM8501 is a microprocessor designed and verified by Warren Hunt using the Boyer-Moore
theorem prover (ref. 9). The architecture has a register file containing eight, 16-bit registers, a
64K-byte memory space, 26 instructions, and four memory addressing modes. FM8501 models
memory as an asynchronous process. The implementation is microcoded and has a microstore of
16 microwords.
The specification of FM8501 consists of two recursive functions: one for the behavioral spec-
ification and one for the implementation. The functions recurse at each clock cycle, computing a
new state. Time and the asynchronous inputs to the CPU are modeled by an oracle. The oracle
is represented by a list; it is this list that the specifications recurse on. Time is represented by the
current position of the recursive specification in the list. Each member of the list gives whatever
asynchronous inputs may exist at that time. The proof shows the equivalence of the two recursive
functions using an abstract (uninterpreted) oracle function.
Crocker et al re-verified FM8501 using a specification written in ISPS in the SDVS verification
system (ref. 10). The re-verification is significant because the work used no part of Hunt's work
directly and thus represents an independent verification of the design using a different verification
system.
On the surface, the verification of FM8501 appears quite different than the verification of
Tamarack, but in fact, they are very similar. The methods of specification for the top-level can be
seen as an instance of the general model presented at the beginning of this section. The verification,
even though done on a functional specification in a first-order system, uses a form of the
instruction correctness lemma to show that the electronic block model implements the top-level
specification.
2.3 VIPER.
VIPER was designed by Britain's Royal Signals and Radar Establishment (RSRE) at Malvern
to provide a formally verified microprocessor for use in safety-critical applications. VIPER's de-
signers chose not to include a stack and interrupts, anticipating that they might lead to difficulties
in the verification. The machine was designed to halt on errors and raise an external exception.
The fabrication was carried out by two separate manufacturers and is commercially available.
VIPER has a 20-bit program counter, a 32-bit general purpose accumulator, and two 32-
bit index registers. VIPER has a single instruction format that allows the user to select a source
register, one of four memory addressing modes, one of eight destinations, whether or not to compare,
and one of sixteen ALU functions. In addition to the fields just mentioned, each instruction contains
a 20-bit address. The VIPER design is described in detail in (ref. 1). The implementation is
hardwired instead of being microcoded.
The combination of fields in the instruction format (excluding source and destination selections)
yields 122 different instruction cases. Our analysis of the VIPER design (ref. 11) has characterized
the VIPER instruction set using only 20 instructions. As we will see, this is an important distinction
that bears on the difficulty of verifying VIPER, and motivated us to include a new macro level in
our design.
VIPER is the first microprocessor intended for commercial use where formal verification was
attempted. Again, the verification was not completed. While VIPER is significantly simpler than
today's general purpose microprocessors, its verification provides a benchmark on the state-of-the-
art in microprocessor verification.
The specification of VIPER attendant to previous proof efforts (by RSRE and others) is hier-
archical, although the levels do not have the uniform structure of our specification. The top-level
specification of VIPER developed by RSRE is similar in style to that of Tamarack (ref. 5). The next
level of the specification is called the major-state machine and is a description of VIPER's major
states. The next level in the specification is the electronic block model. The top two levels were
specified first in LCF-LSM and later in HOL. The electronic block model was specified in HOL.
Below the electronic block model the circuit was described using a hardware description language
called ELLA and verified by "intelligent exhaustive simulation" (ref. 12).
A paper-and-pencil proof of correctness between the top-level of VIPER and the major-state
machine was performed by RSRE. Because of the complexity of the lower-level (electronic block
model to major state machine) proof, RSRE did not attempt a hand proof of this level. RSRE
contracted with Avra Cohn at Cambridge University to formalize the top-level proof and perform
the lower-level proof. Cohn describes her formal verification of the major-state machine with
respect to the top-level specification in (ref. 13).
Cohn decided to forego the proof of the top-level correspondence in trying to verify the elec-
tronic block model since the major-state level specification and the electronic block model yielded
dissimilar structures under cases analysis. Instead, she attempted to show a direct correspondence
between the top-level and the electronic block model (ref. 14). Cohn's proof of this level remains
incomplete because of the large case explosion that occurred and the size of the proofs in each of
the cases. This is not to say that the proof could not be completed.
From Cohn's experience with VIPER, it seems clear that abstraction is critical in dealing with
the large case explosion that occurs in these kinds of proofs. The major-state machine did provide
a level of abstraction between the top-level and the electronic block model, but it appears to be
the wrong one. In addition, Cohn had almost no access to VIPER's designers and thus had little or
no help in deciphering and understanding the mostly informal specification of the electronic block
model.
2.4 SECD.
Brian Graham et al at the University of Calgary have undertaken the implementation and
verification of the SECD machine (ref. 15). The SECD machine is an abstract Lisp machine
invented by Landin to reduce lambda expressions (ref. 16). The variant of SECD implemented
by Graham is described in (ref. 17). Graham's work is part of a larger effort at the University of
Calgary to verify a complete system including a LispKit compiler as well as the SECD chip.
The architecture has four registers, called S, E, C, and D. The S register holds a stack pointer,
the E register holds a pointer to the environment, the C register functions as a program counter,
and D points to a stack used to dump the state of the machine. There are approximately 20
instructions and the implementation is microcoded.
The remarkable thing about the SECD proof is that even though the architecture is specialized,
the specifications and proofs are done in a manner very similar to the proofs of the more conventional
architectures described in the last three sections. The behavioral model corresponds to the general
model described at the beginning of this section. The top-level specification is based on state
transitions and the description of the electronic block model is a predicate-based circuit description
similar to both (ref. 5) and (ref. 14). The garbage-collection mechanism is implemented in hardware,
and the proof was done without taking it into account. Work is in progress on a second proof that
verifies the garbage-collection hardware and a second implementation.
2.5 COMPARISON.
Table 2.5-1 summarizes the designs of the four microprocessors presented in this section. The
table, like all such tabulations, cannot hope to capture all of the important characteristics of the
microprocessors, but the data presented does provide some basis for judging relative complexities.
                  Tamarack   FM8501     VIPER    SECD
User Registers    2          8          4        4
Instructions      8          26         20       21
Microcoded        yes        yes        no       yes
Microstore size   32 words   16 words   N/A      512 words
Interrupts        yes        no         no       no
Memory Model      async      async      sync     sync
Word Width        16-bit     16-bit     32-bit   32-bit
Memory Size       8K         64K        1M       16K
Table 2.5-1: Comparison of verified microprocessors
3.0 THE FIVE-LEVEL STRUCTURE OF OUR VIPER IMPLEMENTATION
The proof of correctness of the VIPER microprocessor requires that the formal description
of VIPER's implementation (down to the Electronic Block Model - EBM) implies the formal
description of VIPER's high-level specification. Due to the complexity and expense of proving this
directly, however, the original VIPER verification was never completed (ref. 18).
In order to simplify the proof effort so that it could be accomplished in a reasonable time, we
described the specification and implementation of VIPER in the form of a hierarchy of abstract
interpreters, as described in Chapter 1. Instead of directly relating the high-level specification
and implementation descriptions, the high-level specification can be related to an intermediate and
less-abstract interpreter, which can be related to a lower-level interpreter, and so on down to the
implementation. Each lower-level interpreter can be said to implement the interpreter above it in
the hierarchy. Although the number of theorems that must be proved increases, the theorems are
typically simpler, and the overall proof effort is greatly reduced.
The following sections describe the architecture of each of the hierarchical levels and summarize
the proof strategy used to verify VIPER. The hierarchical decomposition approach uses five levels:
a. VIPER instruction level--The RSRE specification. This is what the assembly-language pro-
grammer sees.
b. Macro Level--The high-level VIPER specification as an interpreter; it consists of 20 instruc-
tions.
c. Micro Level--The microcode level. Each high-level instruction is implemented by a series of
microinstructions, which constitute the specification at this level.
d. Phase Level--This level decomposes the interpretation of a single microinstruction into the
parallel execution of a set of elementary operations.
e. Electronic Block Level--The "implementation" level of the microprocessor, described in terms
of blocks such as the registers and the ALU.
Figure 3.1-1: VIPER Instruction Format
3.1 VIPER INSTRUCTION LEVEL
VIPER's high-level architecture consists of three general-purpose 32-bit registers (called A,
X and Y), a 20-bit program counter (called P), and a single-bit boolean register (B) that holds
the results of comparison instructions. The registers X and Y are normally referred to as "index
registers" because they are most commonly used for address indexing, although they can also be
used as general purpose registers. There is also a STOP flag that is not accessible to a programmer,
but indicates an error condition in the machine. Any illegal operation, arithmetic overflow or
computation of an illegal address causes the STOP flag to be set.
A memory address is 20 bits, but the memory itself has 32-bit words. The address space is
divided into a memory space and a peripheral space each addressed by 20 bits. The distinction
between the two is made by an extra memory/I/O bit. Only the least significant 20 bits of the
program counter are meaningful, and loading a '1' into any of the top 12 bits will cause the machine
to halt (viz., the STOP flag becomes true).
An instruction word is 32 bits long and consists of an operation code in the most significant
12 bits plus a 20-bit address. The address field is also used as an offset or constant by some
instructions. The opcode is further subdivided as shown in Figure 3.1-1.
The opcode subfields are not orthogonal and are interdependent in an intricate way. Briefly,
these fields have the following function:
rf: A 2-bit source register selector for the computation (A, X, Y or P).
mf: A 2-bit memory address control field that indicates the mode of fetching the operand from
memory (literal addressing, content addressing or offset addressing (offset X or Y)).
df: A 3-bit destination selector for an ALU computation (registers, memory space or I/O space).
cf: A 1-bit flag that indicates whether or not the instruction is a comparison.
ff: A 4-bit function selector to indicate which comparison (if instruction is a comparison) or which
computation is to be done by the ALU.
The specifications for this level are given in Appendix C.
3.2 THE MACRO LEVEL
Although the 12 opcode bits allow 4096 possible instructions, many of the combinations have
redundant subfields, or represent impossible conditions, so that there are only 122 unique possi-
bilities. We have split the 122 cases into 20 instructions. The operations that are supported by
these instructions fall into six categories: shifts, comparisons, arithmetic and logical operations,
procedure calls, memory read/writes and input/output instructions. The complete instruction set
is listed in Table 3.2-1, with the meaning of the operand fields explained in Table 3.2-2. The HOL
definitions for the entire macro-level are in Appendix D.
The SHLS instruction is one of 20 instructions in our macro level. If the stop field is set,
there is no state change. The new value for the program counter is computed by adding 1 to the
current value. If the address is invalid, the stop field is set. Otherwise, the register to be shifted
is determined, and the shift performed. Finally, the shifted result is written to the appropriate
register and the overflow bit is set if appropriate.
The specification is described in more detail in Section 5.2. To verify that the macro-level
realizes the VIPER instruction level it is necessary to map each of the 20 macroinstructions to the
12 opcode bits of the VIPER level. A decoder function is introduced that maps the 12 opcode bits
into a 5 bit instruction field (for 20 instructions) and (nearly) orthogonal fields corresponding to
source register select (2 bits), memory mode select (2 bits) and destination register select (2 bits).
NOOP      dreg, sreg        No operation
SHRS      dreg, sreg        dreg := sreg shifted right (copy sign bit)
SHRB      dreg, sreg        dreg := sreg shifted right through B
                            dreg := sreg shifted left through B
                            compare sreg and m, depending on ff
                            dreg := sreg + m; B := carry
ADDS      dreg, sreg, m     dreg := sreg + m; STOP := overflow
SUBB      dreg, sreg, m     dreg := sreg - m; B := borrow
SUBS      dreg, sreg, m     dreg := sreg - m; STOP := overflow
NEG       dreg, m           dreg := -m
ANDM      dreg, sreg, m     dreg := sreg AND m
NOR       dreg, sreg, m     dreg := sreg NOR m
XOR       dreg, sreg, m     dreg := sreg XOR m
ANDMBAR   dreg, sreg, m     dreg := sreg AND m-complement
CALL      m                 Y := P; P := m
WRITEMEM  sreg, addr        mem[addr] := sreg
READMEM   dreg, mem         dreg := m (from memory space)
WRITEIO   sreg, addr        io[addr] := sreg
READIO    dreg, mem         dreg := m (from io space)
Table 3.2-1: VIPER macroinstructions
sreg = source register (one of A, X, Y, P)
dreg = destination register (one of A, X, Y, P)
STOP = flag which indicates machine has stopped
B    = flag set by comparison operators and if overflow occurs
addr = tail     if mf=1
       tail+X   if mf=2
       tail+Y   if mf=3
Table 3.2-2: Decoding operand fields
3.3 MICRO LEVEL
Our proof of VIPER is based on a micro-coded design in order to be able to specify VIPER as a
hierarchy of interpreters using the paradigm described in (ref. 4). As a result, we are able to take
advantage of the proof simplification afforded by this method.
Each macro level instruction is implemented by a series of microinstructions. The microcode
execution traces for each macro instruction are presented in Appendix F. For example, the mi-
croinstruction trace for the SHLS instruction is illustrated in Figure 3.3-1.
The microprogram that implements the SHLS instruction uses 10 of the approximately 100
microinstructions supported by the micro level. Many instructions use the same microinstruc-
tions, e.g., for fetching instructions, incrementing the program counter, etc. The microinstruction
AXY_WRITE assures that the destination register is one of a, x, y. For this instruction, the
destination cannot be the program counter. The microinstruction SHLS_ul performs the actual
shift and the write to the destination register.
A symbolic description of the VIPER microinstructions and the specification of the entire
micro level are given in Appendix E. The microinstruction format is described in Section 3.5.2.
Cycle   uCode       uLoc   Comment
t       fetch_u1    0      fetch macro instruction
t + 1   fetch_u2    1      increment pc
t + 2   fetch_u3    2      invalid address (> 20 bits)?
t + 3   fetch_u4    3      ir := macro instruction
t + 4   jmp_reqm    4      require memory?
t + 5   jmp_opc     5      jump to noop+instruction number
t + 6   AXY_WRITE   10     destination must be register A, X or Y
t + 7   SHLS_u1     11     shls operation
t + 8   NO_OVL      12     result must not overflow
t + 9   NOOP        13     jump to fetch next macro instruction
Figure 3.3-1: Microinstruction sequence for SHLS
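The instruction correctness lemma of Section 2 and the SHLS sequence of Figure 3.3-1, worked through as an added simulation (not code from the report or from the HOL listings): a macro-level specification j(s) of SHLS, a micro-level interpreter M that executes one microinstruction per cycle, and a check that for each start state satisfying the selection condition C, running M for n_j = 10 cycles reaches the state j gives. The instruction-word field positions, the ff value taken to denote SHLS and the micro-ROM addresses are constructed for this model; the widths and the order of the stop checks follow Sections 3.1 to 3.5 and Figure 3.3-1.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple

MASK32 = (1 << 32) - 1
MASK20 = (1 << 20) - 1
N_SHLS = 10                 # n_j: the ten cycles of Figure 3.3-1
REGS = ("A", "X", "Y", "P")
SHLS_FF = 0b1110            # constructed: the ff value that denotes SHLS in this model

@dataclass(frozen=True)
class MacroState:           # the programmer-visible (macro-level) state
    regs: Dict[str, int]    # A, X, Y: 32 bits; P: 20 significant bits
    b: bool                 # B flag
    stop: bool              # STOP flag
    mem: Dict[int, int]     # 32-bit words at 20-bit addresses

@dataclass(frozen=True)
class MicroState:           # the implementing (micro-level) interpreter's state
    macro: MacroState
    din: int                # data-in register
    ir: int                 # instruction register
    ovl: bool               # ALU overflow bit
    mpc: int                # microprogram counter

def decode(ir: int) -> Tuple[str, str, bool]:
    # constructed layout: rf bits 31..30, df bits 27..25, cf bit 24, ff bits 23..20
    sreg, dreg = REGS[(ir >> 30) & 3], REGS[(ir >> 25) & 3]   # register destinations only
    is_shls = ((ir >> 24) & 1) == 0 and ((ir >> 20) & 0xF) == SHLS_FF
    return sreg, dreg, is_shls

def shls_spec(s: MacroState) -> MacroState:
    """j(s): the macro-level specification of SHLS (Section 3.2)."""
    if s.stop:                                   # a stopped machine does not change
        return s
    sreg, dreg, _ = decode(s.mem[s.regs["P"] & MASK20])
    regs = dict(s.regs, P=s.regs["P"] + 1)
    if regs["P"] >> 20 or dreg == "P":           # invalid address, or P as destination
        return replace(s, regs=regs, stop=True)
    src = regs[sreg]
    regs[dreg] = (src << 1) & MASK32
    return replace(s, regs=regs, stop=bool(src >> 31))   # STOP on overflow (msb shifted out)

def _m(u: MicroState, mpc: int, **kw) -> MicroState:   # update macro fields, set next uLoc
    return replace(u, mpc=mpc, macro=replace(u.macro, **kw))

def shls_u1(u: MicroState) -> MicroState:
    """aluctl 1110: res := r << 1, overflow := msb; the result is written to dreg."""
    sreg, dreg, _ = decode(u.ir)
    regs = dict(u.macro.regs)
    src = regs[sreg]
    regs[dreg] = (src << 1) & MASK32
    return replace(_m(u, 12, regs=regs), ovl=bool(src >> 31))

MICRO_ROM = {  # uLoc -> microinstruction effect; names and order as in Figure 3.3-1
    0: lambda u: replace(u, mpc=1, din=u.macro.mem[u.macro.regs["P"] & MASK20]),  # fetch_u1
    1: lambda u: _m(u, 2, regs=dict(u.macro.regs, P=u.macro.regs["P"] + 1)),      # fetch_u2: pc + 1
    2: lambda u: _m(u, 3, stop=bool(u.macro.regs["P"] >> 20)),   # fetch_u3: invalid address? (seqctl 101)
    3: lambda u: replace(u, mpc=4, ir=u.din),                    # fetch_u4: ir := macro instruction
    4: lambda u: replace(u, mpc=5),                              # jmp_reqm: SHLS needs no memory operand
    5: lambda u: replace(u, mpc=10),                             # jmp_opc: SHLS block placed at 10
    10: lambda u: _m(u, 11, stop=decode(u.ir)[1] == "P"),        # AXY_WRITE: destination must be A, X or Y
    11: shls_u1,                                                 # SHLS_u1: the shift itself
    12: lambda u: _m(u, 13, stop=u.ovl),                         # NO_OVL: stop on overflow (seqctl 100)
    13: lambda u: replace(u, mpc=0),                             # NOOP: back to the fetch sequence
}

def step(u: MicroState) -> MicroState:
    """One cycle of M; as at the phase level, a stopped machine makes no state change."""
    return u if u.macro.stop else MICRO_ROM[u.mpc](u)

def selected(u: MicroState) -> bool:
    """C(j, s, t): M is at the start of a fetch and the word at P decodes as SHLS."""
    return u.mpc == 0 and decode(u.macro.mem[u.macro.regs["P"] & MASK20])[2]

def final_state(u0: MicroState) -> MacroState:
    """s(t + n_j) seen through the abstraction map (here simply the macro component)."""
    for _ in range(N_SHLS):
        u0 = step(u0)
    return u0.macro

def instruction_correct(u0: MicroState) -> bool:
    """One instance of the lemma: C(j, s, t) implies s(t + n_j) = j(s(t))."""
    return selected(u0) and final_state(u0) == shls_spec(u0.macro)

def shls_word(sreg: str, dreg: str) -> int:   # constructed SHLS word in decode()'s layout
    return (REGS.index(sreg) << 30) | (REGS.index(dreg) << 25) | (SHLS_FF << 20)

def make_state(a: int, p: int, dreg: str = "X", stop: bool = False) -> MicroState:
    """Constructed start state: 'SHLS dreg, A' stored at address p, register A holding a."""
    mem = {p & MASK20: shls_word("A", dreg)}
    macro = MacroState({"A": a, "X": 0, "Y": 0, "P": p}, False, stop, mem)
    return MicroState(macro, din=0, ir=0, ovl=False, mpc=0)

def check_cases() -> Dict[str, bool]:
    """The normal path and each error path of the SHLS sequence."""
    return {"shift": instruction_correct(make_state(3, 0x100)),
            "overflow": instruction_correct(make_state(0x8000_0000, 0x100)),
            "dest_is_P": instruction_correct(make_state(7, 0x100, dreg="P")),
            "bad_address": instruction_correct(make_state(7, MASK20)),
            "already_stopped": instruction_correct(make_state(7, 0x100, stop=True))}
```

The equality is over the whole macro state, so a micro-level register written in the wrong cycle or a stop check in the wrong order shows up as a failing case.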
3.4 PHASE LEVEL
The phase level, although it is the lowest level interpreter in the hierarchy, is more properly
considered to be equivalent to the EBM level, rather than an abstraction of it. In particular, the
phase and EBM levels share the same state and clock. Each phase in the system clock is associated
with an instruction in the phase-level interpreter. The inputs to the phase-level interpreter consist
of a bit-translation of the microinstructions defined for the micro level. In this way, the phase-level
interpreter implements the micro-level interpreter.
Each microcycle (the time it takes to complete a single microinstruction) is composed of three
phase cycles. The specification for the phase level, in Appendix H, has a separate definition for
each of the phase cycles. The events that occur during each phase are described in Section 3.5.2.
The result at the first of three phases can be described in a simple way. At this level the
state consists of a list of general-purpose registers (including a, x, y, p and others), registers
to hold temporary results, the current instruction, data in, and data out to memory (or I/O),
the memory, b and stop bits, the memory address register and a result register for the ALU, the
microprogram counter, the microinstruction register, the micro-ROM contents, 2 latches, and phase
bits (to indicate the current and next phases). If the stop bit is set there is no state change, except
to indicate there is no next phase. Otherwise, the contents of the micro-ROM as defined by the
microprogram are fetched and control proceeds to phase 2. The other phases are similar, but much
more complex, due to the complexity of the steps performed.
3.5 ELECTRONIC BLOCK LEVEL
The Electronic Block Model of VIPER used in the proof differs from the original RSRE design
in several ways. Unlike the original design, the block model is microcoded to enable the use of
the hierarchical decomposition proof method. The external interface is also different from that of
the RSRE design in that it does not include certain input and output signals that have no effect
with regard to the top-level specification. These signals were also ignored in Cohn's proof effort
(ref. 18). Our VIPER Electronic Block Model is shown in Figure 3.5-1 and the EBM specification
is in Appendix I.
3.5.1 THE DATA PATH
The datapath consists of the registers at the phase level in addition to a few others (M, ONE
and INS) that are used as internal scratchpad registers. INS is the instruction register, M is a
temporary register used in operand computation and ONE holds the numerical constant '1'. Each
of the programmer-accessible registers can output its contents onto the internal bus labeled r and
the other registers can output contents onto the m bus. The least-significant 20 bits of P and INS
can also be output to the MAR input bus. These registers can be loaded with either the ALU result
or the word fetched from memory (DIN).
The m and the r buses feed into a 32-bit ALU that performs functions depending on the values
of aluctl (the ALU control signal from each microinstruction), ff and the B flag. The overflow
and result of an operation are fed into both the register block and the micro-sequencing logic unit,
which sets the STOP flag when an invalid result is generated in some contexts.
To communicate with memory, there is a 20-bit memory address register MAR, and two 32-bit
data registers DIN and DOUT. The MAR can be loaded in parallel with an ALU operation. The MAR
and DIN registers are loaded only if the r signal is set, and DOUT is loaded only if the w signal is set.
The instruction decoder unit takes in 12 bits of opcode from the INS register and the B flag,
and sets the STOP flag if the opcode is illegal. Otherwise, it generates a condensed opcode. It
also generates a signal reqm that denotes whether or not the instruction requires computation of
an operand. This information is used by the microcode for branching purposes.
Figure 3.5-1: Electronic Block Model
Figure 3.5-2: Microinstruction Format
The STOP flag is set by both the instruction decoder and the micro-sequencing logic units.
This is due to the fact that the machine could halt for two reasons: illegal instruction format
(static error cases) and illegal operations during instruction execution (dynamic error cases). More
precisely, the static errors caught are:
• Unused opcode.
• A Call instruction without the P register as the destination.
• P register as the destination for certain instructions.
• A Write instruction without an address operand.
while the dynamic errors that cause the machine to go to a stop state are:
• Value of P register overflows 20 bits after incrementing.
• The address after indexing overflows 20 bits.
• Overflow on ADDS instruction.
• Overflow on SUBS instruction.
• Overflow on SHLS instruction.
• P register as the destination and value overflows 20 bits.
3.5.2 THE CONTROL UNIT
In this section, we will explain the part of the block model that generates signals for the Data
Path section.
Microinstruction Format A microinstruction is 31 bits long. Its format is as shown in Fig-
ure 3.5-2. The interpretation of the microinstruction fields is given below.
maddr: address in the microcode, 7 bits
seqctl: 3 control lines for the micro-sequencing logic:
(000) stay idle
(001) if reqm=true then mc := true; jaddr := maddr+mf[0..1]
(010) mc := true; jaddr := opc[0..4] + maddr
(011) mc := true; jaddr := maddr
(100) if overflow=true then stop := true
(101) if (msb 12 bits of res has a 1) then stop := true
(110) if ((df[0..2]=3 or 4 or 5) ∨ (msb 12 bits of res has a 1)) then stop := true
(111) if (df[0..2]=4 or 6) then stop := true
aluctl: 4 control lines for the ALU, interpreted as:
(0000) res := m
(0001) res := r
(0010) B := COMPARE(ff, r, m, b)
(0011) res := -m
(0100) res := r+m; B := carry
(0101) res := r+m
(0110) res := r-m; B := borrow
(0111) res := r-m
(1000) res := r XOR m
(1001) res := r AND m
(1010) res := r NOR m
(1011) res := r AND NOT m
(1100) res := r >> 1, copy sign bit
(1101) res := r >> 1, shift through B
(1110) res := r << 1, overflow := msb
(1111) res := r << 1, shift through B
dec_ctl: control line to disable/enable the stop output of the instruction decoder
r: read signal
w: write signal
io: read/write from io (if true) or memory (if false)
rfc: MUXR control line to decide which of rf/mrf is used to select source register
dfc: MUXD control line to decide which of df/mdf is used to select destination of alu result
de: data enable, to enable data from memory to be written into reg block
re: res enable, to enable the ALU output to be written into reg block
adrs: address select, to select one of P/ADDR as the address
ds: data select, to select one of M/INS as destination of data from mem/io
ms: m select, to select one of M/ONE/ADDR to come out on the m bus
Microinstruction Specification A symbolic description of the VIPER microcode and the spec-
ification for the micro level are given in Appendix E. As an example, consider the microinstruction
number 19: SHLS_u2, the microinstruction that carries out the shift-left operation once the registers
have been determined.
The state relevant to the microinstruction is that of the micro level, in particular the list of
general purpose registers, the temporary (m), instruction, data input and data output registers, the
memory, the overflow and stop bits, the memory address register, the (ALU) result register, the
microprogram counter, and the reset bit. The RSF field determines the source field--the register
whose contents are to be shifted. Assuming the stop bit is not set, the register determined by
the DSF field receives the shifted contents of the source register, and the microprogram counter is
incremented. All other state variables are unaffected.
Microinstruction Timing Each microcycle is composed of three phase cycles, and the net effect
of a microinstruction is an accumulation of the effects of the three phases in sequence. Briefly, the events
during each of the phases are as follows:
a. Load the next microinstruction to be executed into the microinstruction register MIR.
b. Gate the register values into the MLATCH, RLATCH. Load MAR with P or ADDR if r (read signal)
is true. Load DOUT if w (write signal) is true. Set the STOP flag if either of the two stop
conditions is true.
c. Load DIN with the value from n|emory if the read signal is true. Load the ALU result of data
from memory into the register bh)ck. Load MPC with the _ddress of the next microinstruction.
Load RES and 0VL with the AInU result and ALU overttow, respectively.
Microinstruction Sequencing The address of the next microinstruction is either MPC ÷ 1 or
jaddr, which is coml)uted by the micro-sequencing logic depending on all its inputs. The manner




The basis of this verification is the use of a package in HOL for abstract representation of functions and also a generic model for interpreters based on Windley's thesis. These two methodologies provide a way to separate critical control aspects from implementation-level details of concrete data operations. Each of these applications of abstract representations is explained before describing details of the verification of our VIPER design.
4.1 ABSTRACT OPERATIONS
The primitive functions performed by the machine and used in the specification of higher-level actions are defined as abstract operations. The HOL specification of these operations is shown in Figure 4.1-1. In particular, one may note that the operations are typed using type variables instead of concrete types (i.e. *wordn instead of wordn).
Abstract functions are packaged together into abstract representations, which makes such "definitions" possible. Each abstract function can only appear once in any one theory, and the abstract representation can be accessed through the name of any of the functions defined in it. The type rep_ty given in Figure 4.1-2 is populated by all instances of the abstract representation defined in Figure 4.1-1. Any one function in an abstract representation can be used to key into a particular set of functions; in this case the function opcode is defined in Figure 4.1-1 and is used as a key in Figure 4.1-2. The universally quantified variable rep represents all possible instantiations for the set of abstract functions. The abstraction structure then becomes a parameter for all the other specifications that depend on these functions.
In our work, the functions of this abstract structure are given no meaning other than that illustrated in Figure 4.1-1. For example, all we say about add is that it maps two *wordn's into a *wordn. At all levels of the hierarchy add has only this meaning. Although not relevant to our proof, the exact meaning of add could be specified and shown to be correctly realized by an implementation of the ALU. This definition of add is reflected up to the instruction-level specification, and then assembly language programs referring to add could be verified.
new_theory 'aux_def';;
let abs_rep = new_abstract_representation [
% ALU functions %
% negation %
('neg', ":(*wordn -> *wordn) ")
% addition without carry %
('add', ":(*wordn # *wordn -> *wordn) ")
...
% SHIFTER functions %
% shift left through b %
('shlb', ":(*wordn # bool -> *wordn) ")
% Coercion functions %
% numeric value of n-bit word %
('val', ":(*wordn -> num) ")
...
% Test functions %
% see if address is valid %
('valid_address', ":(*wordn -> bool) ")
% decoder %
('decode', ":((*opcode # bool) -> (bool # bt5 # bool)) ")
...
% Subranging functions %
% opcode portion of word %
('opcode', ":(*wordn -> *opcode) ")
...
% Memory functions %
% fetch a word from memory %
('fetch', ":((*memory # *address) -> *wordn) ")
];;
close_theory();;
Figure 4.1-1: Abstract representation of operations
new_parent 'aux_def';;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let load_m = new_definition('load_m',
"! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(ir:*wordn) (ram:*memory) .
load_m rep (a, x, y, p, ir, ram) =
Figure 4.1-2: Using an abstract representation












Figure 4.2-1: Abstract representation of a processor
4.2 VERIFICATION USING AN ABSTRACT INTERPRETER MODEL
The abstraction mechanism illustrated above is used not only to define the basic operations performed by the machine but also to model an "abstract" interpreter, or a general model for a processor that performs any given set of instructions. All the proofs of correctness of this abstract model of a processor are completed; thus all that is needed is to show that the specification and the implementation correspond to the same instantiation of the generic processor. These follow from the verification of a small set of proof obligations.
The components of an abstract interpreter are specified as shown in Figure 4.2-1. The complete specification is given in Appendix B. At any time, the pair (state, environment) selects a unique instruction to be executed next, through a given key. Each instruction provides a mapping from (state, environment) to state. The implementation (IMPL) is described as a predicate characterizing the state and environment values associated with the lower (implementation) level.
The abstraction specified by cpu_abs is used in the definition of two properties. INTERP, given
let I_rep_ty = abstract_type 'gen_I' 'key';;
let INTERP_def = new_definition
('INTERP',
"! (rep:'I_rep_ty) (s:time->*state) (e:time->*env) .
INTERP rep s e =
!t:time.
let n = (key rep (select rep (s t) (e t))) in (
s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
);;
Figure 4.2-2: Specification of the interpreter





IMPL_IMP rep s' e' inst =
(Impl (rep:'I_rep_ty) s' e') ==>
(!t:time.
let s = (\t. (substate rep (s' t))) in
let e = (\t. (subenv rep (e' t))) in
let c = (cycles rep (select rep (s t) (e t))) in (
(select rep (s t) (e t) = (FST inst)) /\
(count rep (s' t) (e' t) = (start rep)) ==>
((SND inst) (s t) (e t) = (s (t + c))) /\
(count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
);;
Figure 4.2-3: Implementation of the interpreter
in Figure 4.2-2, denotes the fact that the state at the next cycle (s (t + 1)) must be the same as that specified by the instruction (SND (EL n (inst_list rep))), where the instruction itself is chosen by some function of the state and environment (select rep (s t) (e t)).
The other important property is represented by IMPL_IMP, shown in Figure 4.2-3. This function defines a function which, given the opcode of an instruction, asserts that if inst is the instruction currently selected, then after allowing the number of cycles necessary for the implementation to execute this instruction, the state is that specified by the instruction.
These two properties represent the semantics of an interpreter, one dealing with the state function and the other dealing with the meaning of each instruction. One step in the verification of a processor is to show that, if all the instructions are implemented correctly, then the next-state









(key (rep:'I_rep_ty) k) < (LENGTH (inst_list rep))"
k = (FST (EL (key (rep:'I_rep_ty) k) (inst_list rep)))"
Figure 4.2-4: Obligations of the interpreter model
To obtain the proof of correctness of the interpreter, one must first fulfill the necessary theory obligations, displayed in Figure 4.2-4.
The first of these theory obligations refers to a property to be maintained for each of the instructions. This property states that each instruction is implemented correctly. This is the most significant of the obligations as it is the most difficult to satisfy. The other two obligations relate to the ordering of the instructions, and to the fact that each opcode maps to a particular instruction.
Once all the proof obligations are discharged, the rest of the proof is completed automatically, by using the above properties as lemmas. For example, Figure 4.2-5 shows how a simplified version of IMPL_IMP is used in proving an intermediate lemma; in the code shown in Figure 4.2-6 we may observe how this lemma is used in the final proof of correctness of the processor--that the property INTERP (see Figure 4.2-2) holds at all times.
The use of the interpreter model thus becomes clear: the human verifier will "only" need to be concerned with the proof of each instruction and a few additional properties about the list structure of the instructions (the opcode); the interpreter model then combines all these proofs into a final proof of correctness for the processor.
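The generic interpreter and its proof obligations, as an added example in Python that is not part of the report: the role names (inst_list, key, select, cycles, substate, count, start) follow Figures 4.2-1 to 4.2-4, but the two-level machine, its three instructions INC, DBL and NOP, their cycle counts and the microcode are constructed here. impl_imp is the first obligation of Figure 4.2-4 for one start state, list_obligations covers the other two, and abstract_trace with interp replays the time shift of Figure 4.2-6 to show that once the obligations hold for every instruction the INTERP property of Figure 4.2-2 follows for the whole run. A deliberately defective microcode (micro_step_buggy) shows the first obligation catching the error. The environment is assumed identical at both levels (the report's I parameter), so no subenv is modelled.

```python
# Added example (not the report's HOL): a toy instance of the generic interpreter.
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

Env = Tuple[str, ...]          # environment: the program, one opcode per address


@dataclass(frozen=True)
class MacroState:              # abstract-level state
    acc: int
    pc: int


@dataclass(frozen=True)
class MicroState:              # implementation-level state: a scratch register
    acc: int                   # and a micro program counter are added
    pc: int
    tmp: int
    mpc: int


# inst_list: (opcode, semantics) pairs; each semantics maps (state, env) -> state
def inc(s: MacroState, e: Env) -> MacroState:
    return MacroState(s.acc + 1, s.pc + 1)

def dbl(s: MacroState, e: Env) -> MacroState:
    return MacroState(2 * s.acc, s.pc + 1)

def nop(s: MacroState, e: Env) -> MacroState:
    return MacroState(s.acc, s.pc + 1)

INST_LIST: List[Tuple[str, Callable[[MacroState, Env], MacroState]]] = [
    ("INC", inc), ("DBL", dbl), ("NOP", nop)]
KEY = {"INC": 0, "DBL": 1, "NOP": 2}       # key: opcode -> index into inst_list
CYCLES = {"INC": 2, "DBL": 3, "NOP": 1}    # cycles: micro cycles per instruction
START = 0                                   # start: mpc value between instructions


def select(s: MacroState, e: Env) -> str:   # the instruction to execute next
    return e[s.pc]

def substate(s: MicroState) -> MacroState:  # the part of the micro state the macro level sees
    return MacroState(s.acc, s.pc)

def count(s: MicroState, e: Env) -> int:    # how far the implementation is into an instruction
    return s.mpc


def micro_step(s: MicroState, e: Env) -> MicroState:
    """One micro cycle of the constructed implementation."""
    op = e[s.pc]
    if op == "INC":
        if s.mpc == 0:
            return replace(s, tmp=s.acc, mpc=1)
        return MicroState(s.tmp + 1, s.pc + 1, s.tmp, START)
    if op == "DBL":
        if s.mpc == 0:
            return replace(s, tmp=s.acc, mpc=1)
        if s.mpc == 1:
            return replace(s, tmp=s.tmp + s.acc, mpc=2)
        return MicroState(s.tmp, s.pc + 1, s.tmp, START)
    return MicroState(s.acc, s.pc + 1, s.tmp, START)     # NOP

def micro_step_buggy(s: MicroState, e: Env) -> MicroState:
    """Same microcode with a deliberate defect: DBL's second cycle adds 1, not acc."""
    if e[s.pc] == "DBL" and s.mpc == 1:
        return replace(s, tmp=s.tmp + 1, mpc=2)
    return micro_step(s, e)

def run(step, s: MicroState, e: Env, n: int) -> MicroState:
    for _ in range(n):
        s = step(s, e)
    return s


def impl_imp(step, s0: MicroState, e: Env) -> bool:
    """IMPL_IMP (Figure 4.2-3) for the instruction selected in start state s0: after
    cycles(inst) micro cycles the abstract substate is what the instruction's
    semantics specify, and the implementation is back at start."""
    assert count(s0, e) == START
    op = select(substate(s0), e)
    spec = INST_LIST[KEY[op]][1]
    s1 = run(step, s0, e, CYCLES[op])
    return substate(s1) == spec(substate(s0), e) and count(s1, e) == START

def list_obligations() -> bool:
    """Second and third obligations of Figure 4.2-4: every key indexes the list,
    and the entry it indexes carries that very opcode."""
    return all(KEY[op] < len(INST_LIST) and INST_LIST[KEY[op]][0] == op
               for op, _ in INST_LIST)

def abstract_trace(step, s0: MicroState, e: Env, n_instr: int) -> List[MacroState]:
    """The time shift of Figure 4.2-6: sample the micro trace only at the instants
    where count = start, which yields the macro-level state function s."""
    trace, s = [substate(s0)], s0
    for _ in range(n_instr):
        s = run(step, s, e, CYCLES[select(substate(s), e)])
        trace.append(substate(s))
    return trace

def interp(trace: List[MacroState], e: Env) -> bool:
    """INTERP (Figure 4.2-2): s(t+1) = (SND (EL n inst_list)) (s t) (e t) for all t."""
    return all(INST_LIST[KEY[select(trace[t], e)]][1](trace[t], e) == trace[t + 1]
               for t in range(len(trace) - 1))
```

With the program ("INC", "DBL", "NOP", "DBL") and the start state MicroState(3, 0, 0, 0), impl_imp holds for each instruction under micro_step and the sampled trace satisfies interp; under micro_step_buggy the obligation for DBL fails and so does interp, which is the division of labour the text describes: the human proves one lemma per instruction, the model assembles them.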
4.3 HIERARCHICAL PROOF
Even when using the interpreter model to organize the proof effort, the verification of the
RSRE VIPER micro-processor still involved a large number of cases to be verified, each of them
quite complex. As explained previously, we have solved this problem by designing the architecture
of the processor as a five-level hierarchy.
let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
(([],
"let s = (\t:time .(substate rep (s' t))) and
e = (\t:time .(subenv rep (e' t))) in (
(Impl (rep:'I_rep_ty)) s' e' ==>
(!t:time .
(count rep (s' t) (e' t) = (start rep)) ==>
((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
(SND (EL (key rep (select rep (s t) (e t)))
(inst_list rep))) (s t) (e t))))"),
EXPAND_LET_TAC
THEN REPEAT STRIP_TAC
THEN POP_ASSUM_LIST (\asl .
let asl' =
map (PURE_REWRITE_RULE [EVERY_EL;IMPL_IMP_EXPANDED]) asl in
MAP_EVERY ASSUME_TAC
THEN ..........
THEN FIRST_ASSUM (ACCEPT_TAC o SYM_RULE)
Figure 4.2-5: Intermediate lemma in final proof
let IMPL_I_CORRECT = prove_thm
('IMPL_I_CORRECT',
"let s = (\t:time .(substate rep (s' t))) and
e = (\t:time .(subenv rep (e' t))) in (
(Impl rep) s' e' /\
((count (rep:'I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
let f = time_shift (\st env. (cycles rep (select rep st env))) s e in







Figure 4.2-6: Correctness of the interpreter
The interpreter model is used for all the proof levels. For example, at one level we consider the instantiation of the interpreter where the instruction list consists of the macro-instructions and the implementation is given by the micro-code. At another level, there is the instantiation with the instruction set being the micro-instructions and the implementation consisting of the phase-level description of the architecture.
The next sections describe proofs of the various levels in more detail. Each of these proofs consists of specifying the instruction set and the implementation, proving all the numerous lemmas--one for each instruction--that constitute the proof obligations, and then instantiating the proofs of correspondence for that level.
Chapter 5 presents the specification of the macro level (the second from the top in our five level hierarchy) in more detail than given in Chapter 3. Proof obligations are generated that relate to showing that the macro specification is correctly realized by the micro-level specification (including the microcode).
Chapter 6 presents the specification of the micro level and the proof that it is correctly realized by the phase-level specification.
Chapter 7 presents the specifications of the phase and electronic-block levels and proof of correspondence.
Finally, Chapter 8 presents the proof of the macro level with respect to the RSRE specification.




5.0 MACRO LEVEL SPECIFICATION AND PROOF OF MICRO LEVEL
5.1 INSTANTIATION OF THE INTERPRETER
The macro-level view of VIPER is mapped to the interpreter model through the definition given in Figure 5.1-1.
The first parameter of INTERP is the set of macroinstructions macro_inst_list. The machine is specified by the action of 20 instructions, listed in Figure 5.1-2. The instruction NOOP_M is repeated so as to fill the opcode space up to 32 instructions. Each of these instructions is defined according to its effect on the state of the micro-level machine, defined in Figure 5.1-3. In the macro level, the processor state consists of the four data registers a, x, y, and p, the (overloaded) overflow flag register b, the stop signal, and the memory. Each instruction is specified as a function from a state to another state. The effect of an instruction on the state also depends on the reset signal, which is set by external processes and, thus, is not a part of the state under consideration.
Other parameters for instantiating the generic interpreter are:
• Opcode and Opc_Val: functions to select the macro-level opcode from the macro state and to instantiate the key, i.e. to index into the instruction list.
• MacroLevelCycles: a function that maps each instruction to the number of minor (i.e. micro) cycles necessary to complete the execution of the instruction; this number corresponds to the number of micro-instructions necessary to implement each macro-instruction.
• Micro_state_to_Macro_state: a function that indicates which parts of the micro-level state
let Macro_Int_def = new_definition
('Macro_Int_def',
"! (rep:'rep_ty) (s:time->'macro_state) (e:time->'macro_env) .
Macro_Int rep s e =
INTERP
(macro_inst_list rep, Opc_Val, Opcode rep,
MacroLevelCycles, Micro_state_to_Macro_state rep,
(I:'micro_env->'macro_env), Micro_I rep,
GetMPC, ^FETCH_ADDR, @x:one. F) s e"
);;
Figure 5.1-1: Macro-level viewed as an interpreter



























((F,T,T,T,T),ABS_ENV (SUB0 rep));
((T,F,F,F,F),ABS_ENV (XOR rep));
((T,F,F,F,T),ABS_ENV (AND rep));
((T,F,F,T,F),ABS_ENV (NOR rep));




Figure 5. I-2: Macro-instruction list
let macro_state =
":(*wordn#*wordn#*wordn#*wordn#bool#bool#*memory)";;
% a x y p b stop ram %
let macro_env = ":(bool)";;
Figure 5.1-3: State as viewed by macro-instructions
let Macro_Int_IMPL_IMPL_DEF = new_definition
('Macro_Int_IMPL_IMPL_DEF',
"! (rep:'rep_ty) s' e' .
Macro_Int_IMPL_IMP rep s' e' =
IMPL_IMP
(macro_inst_list rep,
Opc_Val, Opcode rep, MacroLevelCycles,
Micro_state_to_Macro_state rep, (I:'micro_env->'macro_env),
Micro_I rep,
GetMPC, ^FETCH_ADDR, @x:one.F) s' e'"
);;
Figure 5.1-4: Obligation for macro-instructions
are visible at the micro-level.
• I: the identity function, which signifies that the environment visible to the macro-level is identical to the one visible to the micro-level.
• Micro_I: the implementation, which is the (micro level) interpreter which executes the microcode, shown in Figure 6.1-1.
• GetMPC: a function that selects the micro-program counter from the state--the variable at the micro level that holds the current microinstruction.
• the start address: the opcode that signals the beginning of every micro-level execution.
Comparing these parameters to the abstract parameters used in the specification of the abstract interpreter illustrated in Figure 4.2-1 provides an illustration of how the abstraction mechanism works.
Once we have an instantiation of the generic interpreter, the next step is to satisfy the proof obligations, the heart of which is to prove that each macro-instruction is implemented correctly by the corresponding sequence of micro-instructions. In Figure 5.1-4 we can observe the instantiation of the function IMPL_IMP (see Figure 4.2-3) for this interpreter; note that even though the opcode does not appear in this instantiation, IMPL_IMP is a function that takes an extra numerical argument.
let write_reg = new_definition('write_reg',
"! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool).
write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb) =
let dsfValue = (DSF rep ir) in
((dsfValue = (F,F,F)) => (value, x, y, p, newb, stop, ram) |
((dsfValue = (F,F,T)) => (a, value, y, p, newb, stop, ram) |
((dsfValue = (F,T,F)) => (a, x, value, p, newb, stop, ram) |
(a, x, y, p, b, T, ram))))");;
Figure 5.2-1: The write_reg function
let SHLB = new_definition('SHLB',
"! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (stop:bool) (ram:*memory) .
SHLB rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let ldr = (load_r rep (a, x, y, newp, ir)) in
let result = (shlb rep (ldr, b)) in
let newb = (bitn rep ldr) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, newb)
))))");;
Figure 5.2-2: Example macro-instruction
5.2 EXAMPLE SPECIFICATION
The macro-instructions are specified in terms of auxiliary functions, one of which is shown in Figure 5.2-1. The write_reg function defines which destination register is selected based on the DSF field.
The machine instruction for "shift left using the b register" is specified as shown in Figure 5.2-2. Given a particular state, the definition characterizes the state after the instruction is executed. The machine can already be in a stop state, in which case it will continue to be in that state. It will reach a stop state if the address of the next instruction (obtained by incrementing the program counter) is illegal. In all other cases, the machine will compute the result of applying the shlb abstract function to the contents of ldr, storing the result in the appropriate register and storing the bit shifted out into the b register.
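The abstract-representation idea of Section 4.1 applied to the SHLB specification above, as an added Python example that is not the report's HOL: Rep plays the role of rep in Figures 4.1-1 and 5.2-2, with add, shlb, bitn, valid_address, address, fetch, DSF and RSF as parameters rather than fixed operations, so the same write_reg and SHLB definitions run unchanged for different instantiations and both stop cases of the text are exercised. The word widths, the memory size, the instruction-word layout (RSF in bits 0-1, DSF in bits 2-4), the meaning of load_r (which Figure 5.2-2 uses but does not define) and the sample memory are all assumptions made here.

```python
# Added example (not the report's HOL): SHLB of Figures 5.2-1/5.2-2 over an
# abstract representation, so one specification runs for any word width.
from dataclasses import dataclass
from typing import Dict, Tuple

MacroState = Tuple[int, int, int, int, bool, bool, Dict[int, int]]   # a x y p b stop ram


@dataclass(frozen=True)
class Rep:
    """One instantiation of the abstract representation of Figure 4.1-1.
    Only the operations SHLB needs are included; n and mem_size are assumptions."""
    n: int            # word width in bits
    mem_size: int     # number of valid addresses

    def wordn(self, k: int) -> int:            # coerce a number to an n-bit word
        return k & ((1 << self.n) - 1)

    def add(self, a: int, b: int) -> int:      # addition without carry
        return self.wordn(a + b)

    def shlb(self, w: int, b: bool) -> int:    # shift left, b entering at bit 0
        return self.wordn((w << 1) | int(b))

    def bitn(self, w: int) -> bool:            # the top bit, which shlb shifts out
        return bool((w >> (self.n - 1)) & 1)

    def valid_address(self, w: int) -> bool:
        return w < self.mem_size

    def address(self, w: int) -> int:          # address portion of a word (identity here)
        return w

    def fetch(self, ram: Dict[int, int], addr: int) -> int:
        return ram.get(addr, 0)

    # constructed instruction-word layout: bits 0-1 = RSF, bits 2-4 = DSF
    def rsf(self, ir: int) -> int:
        return ir & 0b11

    def dsf(self, ir: int) -> int:
        return (ir >> 2) & 0b111


def write_reg(rep: Rep, a, x, y, p, b, stop, ir, ram, value, newb) -> MacroState:
    """Figure 5.2-1: DSF picks a, x or y as destination; any other code stops
    the machine and leaves b unchanged."""
    dsf = rep.dsf(ir)
    if dsf == 0:
        return (value, x, y, p, newb, stop, ram)
    if dsf == 1:
        return (a, value, y, p, newb, stop, ram)
    if dsf == 2:
        return (a, x, value, p, newb, stop, ram)
    return (a, x, y, p, b, True, ram)


def load_r(rep: Rep, a, x, y, p, ir) -> int:
    """Source register selected by RSF (assumed meaning of the report's load_r)."""
    return (a, x, y, p)[rep.rsf(ir)]


def SHLB(rep: Rep, state: MacroState) -> MacroState:
    """Figure 5.2-2: shift left through b, with the two stop cases of the text."""
    a, x, y, p, b, stop, ram = state
    if stop:
        return state                          # already stopped: stay stopped
    newp = rep.add(p, rep.wordn(1))
    if not rep.valid_address(newp):
        return (a, x, y, newp, b, True, ram)  # next instruction address illegal
    ir = rep.fetch(ram, rep.address(p))
    ldr = load_r(rep, a, x, y, newp, ir)
    return write_reg(rep, a, x, y, newp, b, False, ir, ram,
                     rep.shlb(ldr, b), rep.bitn(ldr))
```

Running SHLB on the same state under Rep(8, 64) and Rep(16, 64) gives different numeric results (the shifted-out bit depends on the width) from one unchanged specification, which is the point of leaving add, shlb and bitn abstract: the proof about SHLB never needs their definitions.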
let MK_INST_CORRECT_GOAL n =




(m ins din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address)
(res:time->*wordn) (mpc:time->bt7) (reset_e:time->bool).
(REG_LIST_LENGTH rep /\
DECODE_M_CORRECTLY_IMP rep) ==>
(Macro_Int_IMPL_IMP rep
(\t. (reg t,m t,ins t,din t,dout t, ram t,b t,stop t,
ovl t, mar t, res t, mpc t))
(\t. reset_e t) ^inst)";;
Figure 5.3-1: Function to generate goals
5.3 PROOF OBLIGATIONS AND EXAMPLE PROOF
In this section we describe the theorem that, when proved, asserts that the machine instructions are correctly implemented by the micro-code, and show how this theorem is proved. The proof consists primarily in showing that each of the 20 macro-instructions is implemented by its microprogram. The microcode appears in Appendix F.
An action to be repeated many times is the generation of goals: one for every macroinstruction. The goals are generated using the function given in Figure 5.3-1, repeatedly for each of the macroinstructions. (The argument for the function is the opcode: thus the function is iterated for all values from 0 to 19.)
The proof of the SHLB instruction is sketched in Figure 5.3-2. The opcode for SHLB is 3. The tactic FETCH_INST_TAC "simplifies" the goal by evaluating the results of fetching the instruction. Once the instruction is fetched and decoded, two cases arise: if the write to the destination register results in an exception condition then the machine stops; if not then the operation terminates successfully.
The proof may appear to be simple, but each of the tactics applied is very long and involved. FETCH_INST_TAC generalizes many steps needed in the proof:
• it specializes Macro_Int_IMPL_IMP_LEMMA to the appropriate macro-instruction,
• creates and proves the subgoal that the instruction has been decoded correctly,
• considers the number of cycles necessary for finishing each instruction,
• considers the case in which the machine is already in a stop state,
set_goal( MK_INST_CORRECT_GOAL 3 );;
expand( FETCH_INST_TAC 3








Figure 5.3-2: Proof of SHLB instruction
• or goes into stop state due to an addressing exception.
The subgoal that remains is to prove the specific sequence of micro-instructions for the given instruction.
All the symbolic execution steps also involve manipulating the time aspects, and controlling the number of assumptions generated by resolution and rewriting tactics. These steps involve several layers of tactics, all of which are applied on each of the twenty goals (one for each instruction).
The proof for the other (19) instructions is similar to that of Figure 5.3-2. Each proof involves the tactic FETCH_INST_TAC and REWRITE_TAC, but tactics that deal with symbolic execution of the microcode and disposition of normal and error cases are a function of the instruction class in question. Thus, there are specialized tactics for addition, reading and writing memory, I/O, etc.
6.0 MICROCODE SPECIFICATION AND PROOF OF PHASE LEVEL
6.1 INSTANTIATING THE GENERIC INTERPRETER
The micro level of VIPER is also an instance of the generic interpreter, with the instruction list consisting of the microinstructions and the implementation being represented by the phase-level representation. The instantiation is given in Figure 6.1-1. It is useful to compare this instantiation with the one illustrated in Figure 5.1-1. The arguments of both are analogous.
6.2 SPECIFICATION OF MICROINSTRUCTIONS
The microinstructions operate on a more detailed state than the macro-instructions, as shown in Figure 6.2-1. Here, the four registers visible to the macro-instructions are modeled as a list of registers instead of a tuple. The other registers are: a temporary register m, the instruction register ir, and two memory data registers (for datain and dataout). Two boolean types represent the values of the b flag and the stop signal, while the other one is the internal overflow signal. The memory address register is of type *address. The (temporary) value returned from the ALU is stored in the res register. The value of the microprogram counter is of type bt7. The reset signal is also visible.
The sequence of microinstructions needed to implement the SHLB macroinstruction is given in Appendix F: the first five cycles are used to fetch the macro-instruction, an optional memory fetch is performed (using up to seven additional cycles) and then four microinstructions specific to SHLB are executed.
One of the four microinstructions (SHLB_u2) called in the execution of SHLB is specified in Figure 6.2-2. This microinstruction, with opcode of 21, stores the value obtained by a left shift into the appropriate register, assuming the stop bit is not set.
let Micro_I_def = new_definition
('Micro_I_def',
"! (rep:'rep_ty) (s:time->'micro_state) (e:time->'micro_env) .









(GetPhaseClock:'Phase_state -> 'Phase_env -> triple),
PhaseClockBegin, @x:one.F) s e"
);;
let Micro_I_IMPL_IMPL_DEF = new_definition
('Micro_I_IMPL_IMPL_DEF',
"! (rep:'rep_ty) (s:time->'Phase_state) (e:time->'Phase_env) .









(GetPhaseClock:'Phase_state -> 'Phase_env -> triple),
PhaseClockBegin, @x:one. F) s e"
);;
Figure 6.1-1: Micro-level interpreter in terms of the generic interpreter
let micro_state =
":(((*wordn)list)#*wordn#*wordn#*wordn#*wordn#*memory
% a, x, y, p m ins din dout ram %
#bool#bool#bool#*address#*wordn#bt7)";;
% b stop ovl mar res mpc %
let micro_env = ":(bool)";;
Figure 6.2-1: State as viewed by microinstructions
let SHLB_u2 = new_definition
('SHLB_u2',
"!(rep:'rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHLB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let sval = shlb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) sval, m, ins, din, dout, ram,
bitn rep (EL (bt2_val(RSF rep ins)) regs), F, F, mar, sval,
add_bt7 mpc 1)"
);;
Figure 6.2-2: Example microcode




let MK_IMPL_IMP_GOAL n =




(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (rlatch mlatch:time->*wordn)
(ph1 ph2 ph3:time->bool) (reset:time->bool).
(!t.
(stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
(ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
(ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\




(regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
rlatch t, mlatch t, ph1 t, ph2 t, ph3 t))
(reset t)) ^inst";;
let IMPL_IMP_TAC n =
let inst = term_list_el n
(snd(dest_eq(
snd(dest_forall(concl micro_inst_list))))) in
let thm = el (n+1) instructions in
let find_Phase_I_term tm = (
let ((x,y),z) = ((dest_comb # I)
(dest_comb tm)) in
(x = "Phase_I (rep:'rep_ty)")) ? false in (
REPEAT STRIP_TAC
THEN SUBST_TAC [SPEC inst Micro_IMPL_IMP_LEMMA]
THEN .......
) ;;





















"(\t. ( regs t, mreg $, insreg t, din t, dou_ t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t,
mir t, urom, rlatch t, mlatch t, ph1 t,
ph2 t, ph3 t)):time->'phase_state")
]
'MICRO';;
let correct_lemma = snd(hd theorem_list);;






ONCE_REWRITE_RULE [SYM_RULE Micro_I_def] correct_lemma))))
);;
Figure 6.3-2: Correctness of the micro level
6.3 PROOF OBLIGATIONS
As in the proof of the macro level, the correct implementation of each of the microinstructions must be proved. Here the number of lemmas needed is even larger than for the macro level--128 cases, corresponding to the 128 microinstructions--however all of them are appreciably simpler. The process is repeated for each of the opcodes, as shown in Figure 6.3-1.
A single tactic (IMPL_IMP_TAC), when instantiated with the microinstruction number, suffices to prove each of the 128 cases.
Once the proof obligations are met, the correctness lemma follows automatically. The proof, where the lemmas and instantiations are used to obtain the final theorem of correctness for this lemma, is shown in Figure 6.3-2.
7.0 PHASE SPECIFICATION, BLOCK SPECIFICATION AND PROOF
7.1 DESCRIPTION OF THE PHASES
Both the phase description and the block model manipulate the same state variables, given in Figure 7.1-1. Note the correspondence between this view and the structure represented in Figure 3.5-1. Also note the variables introduced here (mir, urom, rlatch, etc.) not required in the micro-level specification.
The actions specified by each of the microinstructions are executed in three phases, each of which affects different subsets of the state variables. In the first phase the value of the microinstruction register is set by fetching the appropriate microinstruction from the micro-rom, as indicated by the value in the micro-program counter. This can be observed in the specification of phase_one_def given in Figure 7.1-2.
In the second phase, the micro-instruction is decoded; if the microinstruction calls for a 'read' or a 'write' operation the (source or destination) address is fetched into the mar. In the case of a 'write' the value to be written out is placed in dout. New values are also obtained for the two inputs for the ALU: rlatch and mlatch. The HOL definition for the second phase is given in Figure 7.1-3.
The destinations and other addresses are also checked for exceptions: in cases where any of the micro-operations are invalid, the stop signal is set and the processor does not execute the third phase; in other cases the machine is ready to run the third phase.
In the third phase the result computed by the ALU is stored in the appropriate register, and the address of the next microinstruction is computed and loaded into mpc, as shown in Figures 7.1-4 and 7.1-5. The changes made during this phase are to the registers, the m register, the instruction register, the datain latch (in the case of a 'read' instruction), the memory in the case of a 'write', the flag b, the overflow indicator, the result from ALU, the mpc, and several others.
The three phases together, then, indicate the steps needed to execute a micro-instruction. Each of the 128 instructions takes three phases.
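The three phases of a microcycle (the timing list a/b/c of the micro-level description earlier on this page and Figures 7.1-2 to 7.1-5) for the single microinstruction SHLB_u2 of Figure 6.2-2, as an added Python example that is not the report's HOL. It keeps only the state fields SHLB_u2 touches and checks the micro-to-phase obligation that three phases from a start state equal one step of the micro-level specification (impl_matches_spec), including the already-stopped case; for an instruction word whose DSF names no register the second phase raises stop and the third phase does not run, as the text describes. The word width, the microinstruction encoding, the micro-rom address used for SHLB_u2, FETCH_ADDR = 0 and the instruction-word layout are assumptions made here.

```python
# Added example (not the report's HOL): three-phase execution of SHLB_u2
# checked against its micro-level specification.
from dataclasses import dataclass, replace
from typing import Dict, Tuple

N = 8                                  # word width (assumption)
MASK = (1 << N) - 1
FETCH_ADDR = 0                         # micro-rom address of the fetch sequence (assumption,
                                       # matching phase_one loading zeros into mpc on stop)


@dataclass(frozen=True)
class Mir:                             # the microinstruction fields this example uses
    aluctl: str                        # only "shlb" is implemented here
    re: bool                           # res enable: write the ALU output to the reg block
    seqctl: str                        # "next": next address is MPC + 1


@dataclass(frozen=True)
class PhaseState:                      # the subset of Figure 7.1-1 that SHLB_u2 touches
    regs: Tuple[int, ...]              # a, x, y, p
    ins: int                           # instruction register
    b: bool
    stop: bool
    ovl: bool
    res: int
    mpc: int
    mir: Mir
    rlatch: int
    ph1: bool
    ph2: bool
    ph3: bool


UROM: Dict[int, Mir] = {19: Mir("shlb", True, "next")}   # constructed micro-rom

def rsf(ins: int) -> int:              # source register field, 2 bits (constructed layout)
    return ins & 0b11

def dsf(ins: int) -> int:              # destination field, 3 bits: 0-3 = regs, 7 = invalid
    return (ins >> 2) & 0b111

def shlb(w: int, b: bool) -> int:
    return ((w << 1) | int(b)) & MASK

def bitn(w: int) -> bool:              # the bit shlb shifts out
    return bool((w >> (N - 1)) & 1)

def update_reg(regs, i, v):
    return tuple(v if j == i else r for j, r in enumerate(regs))


def phase_one(s: PhaseState) -> PhaseState:
    """Phase a / Figure 7.1-2: load MIR from the micro-rom at MPC. A stopped
    machine stays stopped, resets MPC and raises no further phase."""
    if s.stop:
        return replace(s, mpc=FETCH_ADDR, ph1=False, ph2=False, ph3=False)
    return replace(s, mir=UROM[s.mpc], ph1=False, ph2=True, ph3=False)

def phase_two(s: PhaseState) -> PhaseState:
    """Phase b / Figure 7.1-3: gate the source register into RLATCH and evaluate
    the stop condition modelled here (DSF names no register); ph3 only if not stopped."""
    bad = dsf(s.ins) == 7
    return replace(s, rlatch=s.regs[rsf(s.ins)], stop=bad,
                   ph1=False, ph2=False, ph3=not bad)

def phase_three(s: PhaseState) -> PhaseState:
    """Phase c / Figures 7.1-4, 7.1-5: write the ALU result to the register block,
    latch RES and the shifted-out bit into b, and advance MPC."""
    result = shlb(s.rlatch, s.b) if s.mir.aluctl == "shlb" else s.rlatch
    regs = update_reg(s.regs, dsf(s.ins), result) if s.mir.re else s.regs
    mpc = s.mpc + 1 if s.mir.seqctl == "next" else s.mpc
    return replace(s, regs=regs, b=bitn(s.rlatch), ovl=False, res=result, mpc=mpc,
                   ph1=True, ph2=False, ph3=False)

def run_microcycle(s: PhaseState) -> PhaseState:
    """One micro cycle: the three phases in sequence, each gated by its phase signal."""
    s = phase_one(s)
    if s.ph2:
        s = phase_two(s)
    if s.ph3:
        s = phase_three(s)
    return s


def micro_view(s: PhaseState) -> tuple:
    """The micro-level state (Figure 6.2-1) as seen through the phase state."""
    return (s.regs, s.ins, s.b, s.stop, s.ovl, s.res, s.mpc)

def SHLB_u2_spec(s: PhaseState) -> tuple:
    """Micro-level specification after Figure 6.2-2, restricted to the fields above."""
    src = s.regs[rsf(s.ins)]
    sval = shlb(src, s.b)
    if s.stop:
        return (s.regs, s.ins, s.b, True, s.ovl, s.res, FETCH_ADDR)
    return (update_reg(s.regs, dsf(s.ins), sval), s.ins, bitn(src), False, False, sval, s.mpc + 1)

def impl_matches_spec(s: PhaseState) -> bool:
    """Micro-to-phase IMPL_IMP for SHLB_u2: three phases equal one micro step.
    Holds when DSF addresses a register; for DSF = 7 phase two stops instead."""
    return micro_view(run_microcycle(s)) == SHLB_u2_spec(s)

def sample_state(ins: int, stop: bool = False) -> PhaseState:
    """A constructed start state: SHLB_u2 about to execute, a = 0b10100001."""
    return PhaseState(regs=(0b10100001, 5, 6, 7), ins=ins, b=True, stop=stop, ovl=True,
                      res=0, mpc=19, mir=Mir("shlb", True, "next"), rlatch=0,
                      ph1=True, ph2=False, ph3=False)
```

sample_state(0b00100) selects a as source and x as destination: after one microcycle x holds the shifted value, b holds the bit shifted out of a, ovl is cleared and mpc has advanced, exactly what SHLB_u2_spec gives; sample_state(0b11100) has DSF = 7, so phase two sets stop, ph3 stays false and the registers and mpc are untouched.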
let Phase_state =
":(*wordn)list # % regs %
(*wordn # % mreg %
(*wordn # % insreg %
(*wordn # % din %
(*wordn # % dout %
(*memory # % ram %
(bool # % b %
(bool # % stop %
(bool # % ovl %
(*address # % mar %
(*wordn # % res %
(bt7 # % mpc %
(ucode # % mir %
((num -> ucode) # % urom %
(*wordn # % rlatch %
(*wordn # % mlatch %
(bool # % phase1 %
(bool # bool)))))))))))))))))";; % phase2, phase3 %
let Phase_env = ":bool";;
Figure 7.1-1: State manipulated by phase and block levels
let phase_one_def = new_definition
('phase_one_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_one rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl,
mar, res, mpc, mir, urom, rlatch, mlatch, ph1, ph2,
ph3) (reset) =
stop => (regs, mreg, insreg, din, dout, ram, b, T, ovl, mar, res,
(F,F,F,F,F,F,F), mir, urom, rlatch, mlatch, F, F, F) |
(regs, mreg, insreg, din, dout, ram, b, F, ovl, mar, res,
mpc, urom (bt7_val mpc), urom, rlatch, mlatch, F, T, F)"
);;
Figure 7.1-2: Description of first phase
let phase_two_def = new_definition
('phase_two_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_two rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl,
mar, res, mpc, mir, urom, rlatch, mlatch, ph1, ph2,
ph3) (reset) =
(regs,mreg,insreg,din,
%.... new dout .... %
(W mir => EL (bt2_val(Rfc mir => (Mrf mir)
| RSF rep insreg)) regs
| dout),
ram,b,
%.... new stop .... %
((FST(decode rep(opcode rep insreg,b)) /\ (Dec_ctl mir))
\/ ((Seqctl mir = (F,F,T))
/\ (((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,F))
\/
((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,T)))
/\ ((MSF rep insreg) = (F,F)))
\/ (Seqctl mir = T,F,F) /\ ovl \/ ..........
\/ (DSF rep insreg = (T,T,T)))),
ovl,
%.... new mar .... %
((R mir \/ W mir) => (Adrs mir => address rep insreg
| address rep (EL p_reg regs))
| mar),
res, mpc, mir, urom,
%.... new rlatch .... %
EL (bt2_val (Rfc mir => (Mrf mir)
| RSF rep insreg)) regs,
%.... new mlatch .... %
((Ms mir = F,F) => mreg
| ((Ms mir = F,T) => wordn rep 1
| pad rep (address rep
insreg))),
F,F,
%-- whether to go to phase three or not --%
~((FST(decode rep(opcode rep insreg,b))
/\ (Dec_ctl mir)) \/ ...........
\/ (DSF rep insreg = (T,T,T))))
)");;
Figure 7.1-3: Description of second phase
let phase_three_def = new_definition
('phase_three_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_three rep(regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
((Re mir =>
((Dfc mir /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
regs |
update_reg regs
(Dfc mir => (Mdf mir) | DSF rep insreg) b
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
rlatch |
((Aluctl mir = F,F,T,T) =>
neg rep mlatch |
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
add rep(rlatch,mlatch) | ...........
(Ds mir => mreg | din) |
((Re mir /\ Dfc mir /\
((bt3_val(Dfc mir =>(Mdf mir) | DSF rep insreg))=6)) =>
...... ((Aluctl mir = T,T,T,F) =>
(Ds mir => din | insreg) |
((Re mir /\ Dfc mir /\
((bt3_val(Dfc mir =>(Mdf mir) | DSF rep insreg))=7)) =>
join rep (opcode rep insreg, address rep
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
...... shl rep rlatch |
shlb rep(rlatch,b)))))))))))))) |
insreg) ),
(R mir => (Io mir => fetchio rep(ram,mar) | fetch rep(ram,mar)) | din),
dout,
(W mir=>(Io mir=>storeio rep(ram,mar,dout) |store rep(ram,mar,dout))| ram),
Figure 7.1-4: Third phase
((Aluctl mir = F,F,T,F) =>
bcmp rep(rlatch,mlatch,b,FSF rep insreg) |
..... ((Aluctl mir = T,T,T,T) => bitn rep rlatch | b))))),
F,
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
aovfl rep(rlatch,mlatch,add rep(rlatch,mlatch)) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sovfl rep (rlatch,mlatch,sub rep(rlatch,mlatch)) |
((Aluctl mir = T,T,T,F) => bitn rep rlatch | F))),
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
...... shl rep rlatch |
shlb rep(rlatch,b))))))))))))),
...((Seqctl mir = F,T,T) => Maddr mir | (F,F,F,F,F,F,F)))) |
bt7_ival((bt7_val mpc) + 1)),
mir,urom,rlatch,mlatch,T,F,F)"
Figure 7.1-5: Third phase, continuation
51
let REG_EN_SPEC = new_definition
('REG_EN_SPEC',
"! set clk (in:time->*wordn) out .
REG_EN_SPEC set clk in out =
!t:time. out (t+1) = ((set t) /\ (clk t)) => in t |
out t"
);;
Figure 7.2-1: Register with enable input
7.2 DESCRIPTION OF BLOCK LEVEL
The block level is the lowest level of description in this verification, and consists of components
such as the ALU, registers, flip-flops, etc. Proofs of each of the components are straightforward,
although gate-level realizations can also be checked by testing. Small components, such as the
register in Figure 7.2-1, are specified by their behavior. These are used in the structural specification
of larger components such as the datapath, as shown in Figure 7.2-2. The components are linked
by existentially quantified variables, which represent the internal lines of the implementation. This
specification formalizes the block structure depicted in Figure 3.5-1.
7.3 PROOF OF THE BLOCK LEVEL
This proof also involves instantiating the generic interpreter model, as in the previous two
levels. The instantiation is illustrated in Figure 7.3-1.
To establish the first theory obligation, we prove that Phase_I_IMPL_IMP applies to each of
the three phases. The proof is relatively simple, though it involves many rewrites and manipulation
of long descriptions; the basic tactic used in all three proofs is shown in Figure 7.3-2.
The first obligation follows very easily from the proof of each of the lemmas. The other two
obligations are also relatively straightforward, as we have to reason about a list of only three
instructions. The proof is also made simpler because the two levels share the same clock, and they
observe an identical state and environment. The final proof of correctness at this level is shown in
Figure 7.3-3.
let DATAPATH = new_definition
('DATAPATH',
"! (rep:'rep_ty) (din dout rlatch mlatch res mreg insreg:time->*wordn)
(b ovl reqm stop msl_stop ph2 ph3 rd wr io dfc din_en result_en
addr_sel din_sel:time->bool)
(mar:time->*address) (opc:time->bt5) (regs:time->(*wordn)list)
(r_sel m_sel:time->bt2) (rft mft:bt2) (result_sel mdf:time->bt3)
(dft:bt3) (ram:time->*memory) (aluctl:time->bt4)
(dec_ctl reset:time->bool).
DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop msl_stop
ph2 ph3 regs mreg insreg rft mft dft ram rd wr io mdf dfc aluctl
dec_ctl r_sel result_sel din_en result_en addr_sel din_sel
m_sel reset =
!t:time.
? din_i mar_i rlatch_i mlatch_i result alu_ovl alu_b ir dec_stop.
((rft = RSF rep (insreg t)) /\
(mft = MSF rep (insreg t)) /\
(dft = DSF rep (insreg t)) /\
(REGISTER_BLOCK rep result din ph3 r_sel result_sel din_en result_en
addr_sel din_sel m_sel mar_i ir rlatch_i mlatch_i regs mreg insreg
dfc mdf b) /\
(MAR_SPEC (\t. ((rd t) \/ (wr t))) ph2 mar_i mar) /\
(REG_EN_SPEC rd ph3 din_i din) /\
(REG_EN_SPEC wr ph2 rlatch_i dout) /\
(EXT_INTERFACE rep rd wr io ph3 mar dout din_i ram) /\
(REG_SPEC mlatch_i ph2 mlatch) /\
(REG_SPEC rlatch_i ph2 rlatch) /\
(ALU_SPEC rep (rlatch t) (mlatch t) (result t) (alu_ovl t) (b t)
(alu_b t) (aluctl t) (FSF rep (insreg t))) /\
(REG_SPEC result ph3 res) /\
(FF_SPEC alu_ovl ph3 ovl) /\
(FF_SPEC alu_b ph3 b) /\
(INSDEC_SPEC rep (ir t) (b t) (dec_ctl t) (dec_stop t) (opc t)
(reqm t)) /\
(STOP_SPEC stop dec_stop msl_stop ph2))"
);;
Figure 7.2-2: Data path
let Phase_I_def = new_definition
('Phase_I_def',
"! (rep:'rep_ty) (s:time->'Phase_state) (e:time->'Phase_env)











EBM_Start, @x:one. F) s e"
);;
let Phase_I_IMPL_IMP_DEF = new_definition
('Phase_I_IMPL_IMP_DEF',
"! (rep:'rep_ty) s' e'











EBM_Start, @x:one. F) s' e'"
);;










THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl));;




















"(\t:time. (regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, urom,
rlatch t, mlatch t, ph1 t,
ph2 t, ph3 t)):time->'EBM_state");
]
'PHASE';;






(ONCE_REWRITE_RULE [SYM_RULE Phase_I_def] correct_lemma)))))
);;
Figure 7.3-3: Proof of correctness of phase level

8.0 MACRO LEVEL CORRESPONDENCE TO RSRE SPECIFICATION
8.1 INTRODUCTION
This section describes the verification of our macro level with respect to the level that defines
the VIPER instructions. The VIPER instruction level, as specified by RSRE, is not in the format
of our generic interpreter. Hence we are employing a style of proof here different from that used in
the other levels.
In general terms, the verification described in this section involves showing that each possible
opcode in the VIPER level is realized by one of the 20 instructions at the macro level with suitable
values for the three fields: source register select, destination register select, and memory mode
select. The opcode is a 12-bit field, thus there are 2^12 different values possible for the opcode. An
abstract decoder is assumed, which maps the 12 opcode bits of the VIPER level to an instruction
and to the three selection fields at the macro level.
The VIPER level is divided up into cases, each of which (with a few exceptions) corresponds
to one of the 20 macroinstructions. Then it is shown that these cases cover the 2^12 possible values
for the VIPER-level opcode fields.
8.2 METHODOLOGY
The NEXT function, as shown in Figure 8.2-1, is the heart of the VIPER instruction specification.
The NEXT definition is primarily a decoding tree, which determines the subsequent state based on
the current values in the VIPER registers and memory. For instance, if the 'comp' flag is set, the
machine will execute a compare operation. If a write operation is requested, VIPER will attempt
to execute a write operation.
Even though there are different fields in the instruction register, namely DSF, CSF, FSF, and
MSF, the interpretations of these fields are not independent of each other. For example, MSF
is usually used to decide which addressing mode the processor will use to access memory, unless
FSF is (T,T,F,F), in which case MSF will be used to decide which shift operation the machine will
execute. This lack of orthogonality complicates the verification with respect to the NEXT function
because the verifier must "walk through" the decoding tree for each combination of DSF, CSF,
and MSF and determine the behavior of each instruction. This lack of orthogonality complicated
Cohn's proof.
This definition cannot serve as the top level in the interpreter hierarchy, as we have defined
interpreters. An orthogonal instruction set has to be derived and used as the macro level--the top
level in the abstract interpreter hierarchy. Furthermore, to prove our implementation of VIPER,
we also have to prove that our macro level is equivalent to the NEXT state definition as defined
by RSRE and used by Cohn.
The proof methodology is as follows. To define the top level in our hierarchy--the RSRE
level--first we define an interpreter using the RSRE definition of the NEXT state function of
Figure 8.2-1, referred to as cohn_NEXT:
|-def ! (rep:'rep_ty) (s:time->'macro_state) (e:time->'macro_env) .
cohn_Int rep s e =
(!t.
s(t+1) = cohn_NEXT rep (s t))
Then the goal to be proved is illustrated in Figure 8.2-2. It expresses the desired property
that for all possible states visible at the macro and VIPER levels, characterized by the combination
of (a, x, y, p, b, stop, ram), the macro interpreter yields the same next state as the RSRE level
characterized by the NEXT function.
To minimize the cases we have to consider, we start with a decoder for the interpreter. The
decoder in the interpreter is responsible for determining from the state 7-tuple the correct instruction
for the macro level. For each major case that the decoder generates, we define an instruction to
handle that case. For instance, if the CSF bit is set, the decoder should select the CMP instruction--a
bit compare. If the DSF field is (T,T,T) and the CSF bit is not set, the decoder should select the
WRITEIO instruction. Thus the somewhat ill-structured VIPER instruction set is mapped to an
orthogonal set. The cases for the decoder and the corresponding instructions are listed in Appendix
J.
8.3 DEFINING THE INSTRUCTIONS
The macro-level instructions can be divided conveniently into five classes of instructions. The
first class includes instructions that do not access memory. This class includes the shift instructions,
of which there are four: SHR, SHL, SHRB, SHLB, for right and left shifts using or not using the b
register. There are four cases for each shift instruction, corresponding to the four source registers
(a, x, y, p), as specified by the DSF field. The load_r function performs this selection.
NEXT (ram, p, a, x, y, b, stop) =
(stop => (ram, p, a, x, y, b, T) |
((noinc \/ illegaladdr) \/ ((illegalcl \/ illegalsp)
\/ (illegalonp \/ illegalwr)) =>
(ram, newp, a, x, y, b, T) |
(comp => (ram, newp, a, x, y, COMPARE(fsf, source,
MEMREAD(ram, msf, addr, x, y, io, F), b), F) |
(writeop => (MEMWRITE(ram, source, msf, addr, x, y, io),
newp, a, x, y, b, F) |
(skip => (ram, newp, a, x, y, b, F) |
let m = MEMREAD(ram, msf, addr, x, y, io, NILM(dsf, csf, fsf)) in
let aluout = ALU(fsf, msf, dsf, source, m, b) in
((dr = 0) => (ram, newp, VALUE aluout, x, y,
BVAL aluout, SVAL aluout) |
((dr = 1) => (ram, newp, a, VALUE aluout, y,
BVAL aluout, SVAL aluout) |
((dr = 2) => (ram, newp, a, x, VALUE aluout,
BVAL aluout, SVAL aluout) |
(call => (ram, TRIM32TO20(VALUE aluout), a, x,
INCP32 p, BVAL aluout, SVAL aluout) |
(ram, TRIM32TO20(VALUE aluout), a, x, y,
BVAL aluout, SVAL aluout)))))))))))
Figure 8.2-1: The RSRE NEXT function
set_goal([],
"! (rep:'rep_ty) (a:time->*wordn) (x:time->*wordn) (y:time->*wordn)
(p:time->*wordn) (b:time->bool) (stop:time->bool)
(ram:time->*memory) (t:time) .
(! (ram':*memory) (p':*wordn) .
((address rep (pad rep (address rep
(fetch rep (ram', address rep p')))))
= address rep (fetch rep (ram', address rep p')))))
==>
((Macro_Int rep (\t. ((a t), (x t), (y t), (p t), (b t), (stop t),
(fetch rep ((ram t), address rep (p t))),
(ram t))) (\t.(reset t))) =
(cohn_Int rep (\t. ((a t), (x t), (y t), (p t), (b t), (stop t),
(fetch rep ((ram t), address rep (p t))),
(ram t))) (\t.(reset t))))");;
Figure 8.2-2: Goal for the verification step
The second class of instructions are those that write to memory: WRITEM and WRITEIO. There
are 16 subcases for the WRITEM instruction, corresponding to the possible selections of source and
destination registers. The proof entails reasoning about 4 subcases for each of the 4 instructions.
The above two classes of instructions do not require any memory read. The third set of
instructions are those that read memory, wherein the result cannot be used to modify the p register.
These instructions are: ADDB, SUBB, NEG, XOR, AND, NOR, ANDMBAR, and READIO.
There are four cases of memory load and six cases of output writes (three valid and three
invalid), yielding a total of 24 subcases for each of these instructions. The memory reads can be
generalized so there are only six subcases to be proved for each such instruction.
The fourth set of instructions is similar to the third set, but they involve writing to the p
register, in effect achieving a jump or a goto. The specific instructions are: CALL, READM, ADDS,
and SUBO.
The specification for CALL is basically the same as the ADDB instruction except for some
minor difference in write_preg. Similar to the ADDB instruction, there are six subcases for each
of these instructions.
The last class of instruction is what we call the compare instruction. We have decided to have
an abstract function bcmp representing all sixteen cases of compare. The bcmp function appears at
all levels, including the block level. The memory load is generalized so there is only one case to
prove for the compare instruction.
set_goal([],
"! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
((~(CSF rep (fetch rep (ram, (address rep p)))) /\
(~(DSF rep (fetch rep (ram, (address rep p))) = (T,T,F))) /\
(~(DSF rep (fetch rep (ram, address rep p)) = (T,T,T))) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
(MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
(SHLB rep (a, x, y, p, b, stop, ram) =
cohn_NEXT rep (a, x, y, p, b, stop, ram)))");;
Figure 8.4-1: Goal for proof of SHLB
8.4 PROOF OF SHLB
As in the previous sections, we have chosen SHLB to illustrate the proof methodology. First
we identify the conditions on the VIPER-level state under which SHLB is selected, namely:
¬CSF ∧
¬(DSF = (T, T, T) ∨ DSF = (T, T, F)) ∧
¬((DSF = (T, F, T) ∧ ¬b) ∨ (DSF = (T, F, F) ∧ b)) ∧
¬FSF = (F, F, F, T) ∧
FSF = (T, T, F, F) ∧ (MSF = (T, T))
Hence, the goal for the verification of SHLB can be written as in Figure 8.4-1. The goal states
that if the conditions for invoking the SHLB instruction are satisfied then the effects of the SHLB
instruction on the macro state are identical to those specified by the NEXT function. As a lemma
we have proved that the register selected at the macro level and the VIPER level is the same:
! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
(cohn_REG rep (RSF rep (fetch rep (ram, address rep p)), a, x, y,
add rep (p, wordn rep 1))) =
(load_r rep (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p)))
We also have decomposed the NEXT definition into cases corresponding to each DSF value,
as illustrated in Figure 8.4-2. Thus we can rewrite the NEXT definition much faster in our proof.
There are six states for the DSF so six such theorems are required.
We now dispose of simple cases (e.g., stop, invalid new program counter after increment) by
using the tactic illustrated in Figure 8.4-3.
! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool) (stop:bool) (ram:*memory).
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,F,F)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
(cohn_VALUE aluout, x, y, newp,
cohn_BVAL aluout, cohn_SVAL aluout,
ram))))








THEN ASM_CASES_TAC "~(valid_address (rep:'rep_ty)
(add rep (p, wordn rep 1))):bool");;
e (IMP_RES_TAC (EXPAND_LET_RULE cohn_noinc)
THEN ASM_REWRITE_TAC[]
THEN ASM_REWRITE_TAC[]);;
e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
[el 19 asl] (el 1 asl)))
THEN ASM_REWRITE_TAC[]);;
Figure 8.4-3: Tactics in proof of SHLB
! (rep:'rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
(cohn_ALU rep (fsf, msf, dsf, r, m, b)
= (shlb rep (r, b), (bitn rep r), pwrite))))
! (rep:'rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
(cohn_VALUE aluout = (shlb rep (r, b)))))
! (rep:'rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
(cohn_BVAL aluout = (bitn rep r))))
Figure 8.4-4: Lemmas with properties of VIPER level
Next we step through the DSF cases by first considering DSF = (F, F, F). We must identify
the values for (cohn_VALUE aluout), (cohn_BVAL aluout), and (cohn_SVAL aluout). The
theorems displayed in Figure 8.4-4 characterize the values required in the proof.
By specializing the above theorems, and under the condition that the goal preconditions hold
and DSF = (F, F, F), we can now prove that the macro and VIPER levels are identical for this
value of DSF.
The cases for DSF = (F, F, T) and (F, T, F) can be proven using the same tactic. For
DSF = (F, T, T), (T, F, F), or (T, F, T), the proofs are simpler since for each case an error
condition is generated, which causes execution to stop.
These error conditions are expressed with respect to the macro level by the following theorem:
|- write_reg_illegalpdest_aux =
! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool).
(((DSF rep ir) = (F,T,T)) \/
((DSF rep ir) = (T,F,F)) \/
((DSF rep ir) = (T,F,T)))
==>
(write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb)
= (a, x, y, p, b, T, ram))
and specializing it for SHLB:
|- illegal_shlb = (SPECL ["rep:'rep_ty";
"a:*wordn";
"x:*wordn"; "y:*wordn";
"add (rep:'rep_ty) (p, wordn rep 1)";
"b:bool"; "F";




(a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))), b)";
"b:bool"]
write_reg_illegalpdest_aux);;
In the VIPER level the error conditions corresponding to DSF = (F, T, T), (T, F, F), and
(T, F, T) are expressed by the theorem in Figure 8.4-5. Hence the proofs of equivalence for the
cases resulting in errors consist of rewriting the goals using the tactic shown in Figure 8.4-6.
We now have proved the goal that the macro level correctly implements the shift-left behavior
at the VIPER instruction level:
|- ! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
((~(CSF rep (fetch rep (ram, (address rep p)))) /\
(~(DSF rep (fetch rep (ram, (address rep p))) = (T,T,F))) /\
(~(DSF rep (fetch rep (ram, address rep p)) = (T,T,T))) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
(MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
(SHLB rep (a, x, y, p, b, stop, ram) =
cohn_NEXT rep (a, x, y, p, b, stop, ram)))
! (rep:'rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,T,T)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
(a, x, y, newp, b, T, ram))))
Figure 8.4-5: Error cases in VIPER specification




THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;








THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;
Figure 8.4-6: Tactic used in proof of SHLB
8.5 DEFINITION OF THE DECODER
It was mentioned above that the mapping from the 12-bit opcode field of the VIPER level to
the 20 orthogonal instructions of the macro level is effected by a decoder. We have specified the
decoder in terms of 24 cases, corresponding to the 20 instructions in the macro level, 3 error cases,
and an extra case for the NOOP instruction. To complete the verification of the macro level it
is shown that the cases associated with the macro-level instructions are exactly the preconditions
for these instructions. Also, it is shown that the cases cover all the possible values for the VIPER
opcode field. The cases for the decoder are given in Appendix J.
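The decoder-case check of sections 8.2 and 8.5 and the SHLB step of section 8.4, as an added Python model that is not code from the report (the report's own artifacts are the HOL definitions and proofs above). It assumes the 12-bit field layout, 32-bit words, that bitn selects the top bit, and the RSF/DSF register encodings, none of which the report states; only the four decoder cases the text names are modelled, so the coverage count is deliberately partial while the disjointness check is the one the report's methodology requires.

```python
# Added example, not code from the report: a Python model of the VIPER
# opcode fields, of the "decoder into orthogonal cases" check of
# sections 8.2-8.5, and of the SHLB step of section 8.4 including its
# illegal p-destination error cases. Assumptions (not given in the report):
# the field layout in fields(), 32-bit words, bitn = top bit, and the
# RSF/DSF register encodings used in shlb_step().

T, F = True, False
WORD_BITS = 32                        # assumed word width
WORD_MASK = (1 << WORD_BITS) - 1

def make_opcode(rsf, dsf, msf, fsf, csf):
    """Pack the fields into a 12-bit opcode, most significant field first."""
    op = 0
    for bit in list(rsf) + list(dsf) + list(msf) + list(fsf) + [csf]:
        op = (op << 1) | int(bit)
    return op

def fields(op):
    """Split a 12-bit opcode into (rsf, dsf, msf, fsf, csf); assumed layout:
    rsf = bits 11-10, dsf = 9-7, msf = 6-5, fsf = 4-1, csf = bit 0."""
    bits = [bool((op >> (11 - i)) & 1) for i in range(12)]
    return (tuple(bits[0:2]), tuple(bits[2:5]), tuple(bits[5:7]),
            tuple(bits[7:11]), bits[11])

# Decoder cases as the report's text describes them: CSF set -> CMP;
# DSF = (T,T,T) with CSF clear -> WRITEIO; FSF = (T,T,F,F) selects the
# shift group, where MSF picks the shift and MSF = (T,T) is SHLB.
def is_cmp(op):
    return fields(op)[4]

def is_writeio(op):
    _, dsf, _, _, csf = fields(op)
    return (not csf) and dsf == (T, T, T)

def is_shift_group(op):
    _, dsf, _, fsf, csf = fields(op)
    return (not csf) and dsf not in ((T, T, T), (T, T, F)) and fsf == (T, T, F, F)

def is_shlb(op):
    return is_shift_group(op) and fields(op)[2] == (T, T)

def is_other_shift(op):
    return is_shift_group(op) and fields(op)[2] != (T, T)

CASES = {"CMP": is_cmp, "WRITEIO": is_writeio,
         "SHLB": is_shlb, "SHIFT_OTHER": is_other_shift}

def decode(op):
    """Names of every modelled decoder case that claims this opcode."""
    return [name for name, pred in CASES.items() if pred(op)]

def coverage_report():
    """Walk all 2^12 opcodes: per-case counts, how many opcodes more than
    one case claims (must be 0 for an orthogonal decoder), and how many
    no case claims (non-zero here: only 4 of the report's 24 cases)."""
    counts = {name: 0 for name in CASES}
    overlapping = uncovered = 0
    for op in range(1 << 12):
        hits = decode(op)
        for name in hits:
            counts[name] += 1
        if len(hits) > 1:
            overlapping += 1
        if not hits:
            uncovered += 1
    return {"counts": counts, "overlapping": overlapping, "uncovered": uncovered}

def shlb(r, b):
    """shlb rep (r, b): shift left one place, shifting b into bit 0."""
    return ((r << 1) | int(b)) & WORD_MASK

def bitn(r):
    """bitn rep r: the bit shifted out, assumed to be the top bit."""
    return bool((r >> (WORD_BITS - 1)) & 1)

def shlb_step(state, op):
    """One macro-level SHLB on state = dict(a, x, y, p, b, stop, ram), following
    cohn_NEXT / write_reg as section 8.4 describes them: a stopped machine stays
    stopped; p is always incremented; DSF 0/1/2 write a/x/y and the b flag;
    DSF (F,T,T), (T,F,F), (T,F,T) are illegal p-destinations and set stop."""
    if not is_shlb(op):
        raise ValueError("opcode does not select SHLB")
    if state["stop"]:
        return dict(state, stop=True)
    rsf, dsf, _, _, _ = fields(op)
    newp = (state["p"] + 1) & WORD_MASK
    src = {(F, F): "a", (F, T): "x", (T, F): "y", (T, T): "p"}[rsf]  # assumed RSF coding
    r = newp if src == "p" else state[src]        # load_r sees the incremented p
    new = dict(state, p=newp)
    if dsf in ((F, T, T), (T, F, F), (T, F, T)):
        return dict(new, stop=True)               # error case: registers unchanged
    dest = {(F, F, F): "a", (F, F, T): "x", (F, T, F): "y"}[dsf]  # assumed DSF coding
    new[dest] = shlb(r, state["b"])
    new["b"] = bitn(r)
    new["stop"] = False
    return new
```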
9.0 CONCLUSIONS
This task was initiated because previous attempts to verify the design of the VIPER micropro-
cessor using mechanical theorem provers were not completed. Since Cohn's incomplete verification
effort was published in its entirety, we had the opportunity to attempt to determine why it was so
difficult to complete. One reason is the large jump in abstraction between the instruction specifica-
tion and the implementation. The second reason is the complexity of the specification itself. Many
machines have clearly identified instructions with orthogonal fields to define addressing modes,
register selection, etc. This is not the case for the VIPER architecture. Thus, although the in-
struction architecture is not complex, 122 unique cases must be separately considered in verifying
the implementation. Each of the cases considered in Cohn's VIPER verification effort required
approximately one person-week to complete.
Based on the success Windley achieved using a hierarchical methodology to verify a simpler
microprocessor (AVM-1), we decided to apply the methodology to the VIPER processor. Windley's
methodology depends on viewing the design of a microprocessor as a hierarchy of interpreters, the
topmost providing the abstraction of the instructions accessible to the assembly language program-
mer and the lowest the implementation that is to be verified. A reasonable choice for the lowest
level is an abstraction of the microprocessor that consists of its blocks such as the ALU, registers
and latches; the original proof effort for the VIPER processor used this as the level to be verified
and referred to it as the electronic block model. Among the choices for intermediate levels using
the Windley methodology is an interpreter of microinstructions, which captures the decision that
the microprocessor is microcoded.
The VIPER design is not microcoded, because the designers concluded that a hardwired design
is faster than one where the control is achieved through microprograms. Moreover, the VIPER
design does not suggest any convenient levels other than the instruction level and the electronic
block model. Consequently, the Windley methodology could not be applied to the VIPER design.
What our verification effort is concerned with is a microcoded design that we developed to realize
the VIPER instruction set; the electronic block model of our design is approximately equivalent in
complexity to that of RSRE's design.
To address the issue of the complexity of the specification, we introduced a level below the
VIPER instruction level, which provides the same functionality but in terms of 20 orthogonal
instructions. Of course VIPER programs will not run on this 20-instruction level, so it remained to
show the equivalence of this new level with the VIPER instruction-set level. Our design consisted
of 5 levels and entailed the verification of the four lowest of these.
Our verification demonstrates the following: Corresponding to a VIPER object program in-
struction occupying the 12-bit opcode field, the logic of the electronic-block model is such that the
correct ALU function will be invoked, the arguments (if any) will be drawn from the correct register
and main memory locations, the results (if any) will be stored in the correct register (and flag bit)
or main memory location, and the program counter will be correctly updated (incremented by one
or set to the correct jump address). Since our design is microcoded, the proof entails (among many
other things) showing that the microprogram corresponding to each instruction is correct.
What the verification does not guarantee is important to disclose:
• Our specification of the electronic block model does not capture the semantics of the low-
level functions, such as add, shift-left, xor, etc. These functions are not defined. Hence, it is
not possible to use our specifications to reason about the computations of assembly language
programs. We could have easily provided a semantics for these functions as a specification to
be verified of an implementation more concrete than the electronic-block model. We decided
not to provide such a specification, as our main goal was to verify the control logic of the
microprocessor. This was also a criticism of Cohn's specification, but Cohn's comes closer
than ours in capturing the semantics of the operations.
• Emphasizing what was indicated above, we have not verified an implementation more concrete
than the electronic-block model, such as a gate-level implementation. It is not clear that
verification is the most cost-effective approach to checking gate-level descriptions.
• For simplicity we have assumed a single compare function. The VIPER processor has 16
compare instructions, but the logic to realize these differs in only trivial ways.
• The VIPER processor has external control lines, such as a reset button. The RSRE specifi-
cation does not consider these lines, nor do we.
• Our specification (similar to RSRE's) does not deal with how long an instruction takes to
execute. Handling timing specifications is feasible, but would severely complicate the verifi-
cation. Again, other techniques are better suited to reasoning about timing for the relatively
simple control logic that the VIPER processor employs.
• We have assumed that the main memory responds essentially instantaneously to read or write
requests. VIPER can support an asynchronous interaction between the processing unit and
main memory. Techniques are known for modeling such an interaction, but we did not use
them here.
• Main memory is assumed to be a black box. It is certainly feasible to consider a less abstract
model of memory, such as one that models the decoder, sense lines, etc. Again, verification
is not the best approach to reason about the details of a memory system.
Our major goal was to determine if the verification of such a hierarchical design is simpler
than the verification of a flat design, such as VIPER. Furthermore, we wanted to determine if any
gain is achieved through introduction of an orthogonal instruction set. The most difficult aspect
of the Cohn verification effort was the consideration of the 122 cases that are part of the RSRE
specification. Of course, our verification had to face these same 122 cases, but the objects being
verified with respect to these cases are much "closer" to the specification than was the case for
Cohn's proof. Having completed the verification we conclude that the methodology can simplify
microprocessor verification efforts.
A second goal was to determine if, through the use of the hierarchical methodology and a
previous successful verification effort of a simpler microprocessor, the verification of a larger micro-
processor would be less of a tour de force than has been the experience with previous verification
efforts. Towards this goal, the main contributors of the project team were two Master-level stu-
dents, with skills in logic but no previous experience with formal methods or mechanical theorem
provers. Moreover, the proof effort was divided up - each student assuming responsibility for two
levels. Although each of the students completed his task, their work did not compose. Each student
made assumptions about the micro level, but in a few instances without communicating them
to the other. In the end, these changes required most of the proof to be redone - and in the absence
of those who carried out the initial proof. If the communication between the human provers had
been better, much grief would have been avoided.
A third goal was to determine if, through the use of special-purpose HOL tactics, the proof
could have been accomplished with less human intervention. (HOL is mostly a proof checker,
as compared with the Boyer-Moore theorem prover. Excessive human intervention is avoided
through the employment of tactics that match the expressions being reasoned about.) Towards
this goal, we developed a few symbolic execution tactics intended to cover the actions associated
with the implementation of an instruction, e.g., a microinstruction, phase instruction, or macro level
instruction. At the lowest levels, special-purpose symbolic execution tactics worked perfectly, in
effect handling all cases. At the upper levels we were less successful, requiring hand-crafted tactics
corresponding to each instruction class (shift, write memory, arithmetic, etc). At the highest level
(proof of macro to RSRE specification), we were able to reuse very few tactics, a statement about
the irregularity of the VIPER instruction set.
A final goal was to determine the effectiveness of HOL for a large proof effort. The proof
was completed, but it was painful. The experience of HOL users has been that human proof time
vastly exceeds HOL's processing time. This was not our experience with this proof. We generated
expressions that sometimes consumed hours of processing time to reason about.
Additional issues to be studied include:
• The scalability of the proof effort. Our team would not have been willing to tackle a micro-
processor an order of magnitude more complex than the VIPER architecture. The discovery
of tactics that handle most cases would, of course, simplify the human effort.
• Reasoning about changes. Most of the HOL processing time and a large fraction of the human
time was devoted to redoing proofs subsequent to design changes. Identifying those parts of
a proof that need not be redone would have saved vast effort.
• The role of a simulator to discover "obvious" errors. We designed the microprocessor, but
never tested it. Hence, the verification effort detected errors that would have been discovered
with the most rudimentary of tests. Not having access to a CAD system with a design
simulator for HOL specifications, we should have written a simulator in ML.
• The role of correctness-preserving transformations to transform a verified micro-coded design
into a more efficient hardwired design.
Further work is needed before it can be concluded that larger microprocessors can be verified
and that the hierarchical interpreter theory offers benefits in such efforts. Work underway at Boeing
on the verification of a fault-tolerant processor gives promise of another data point. Clearly, the
interpreter theory organizes the proof, but still the number of cases that the verifier must consider
is staggering. There are too many cases to be handled individually. Hand-crafted tactics can be
constructed to allow the HOL system to process many cases in one shot, but we discovered that
the performance of the theorem prover was dismal. The use of special Boolean decision packages
should be of considerable help.
REFERENCES
1. W. Cullyer, "Implementing Safety-Critical Systems: the Viper Microprocessor," memo 411-87,
Royal Signals and Radar Establishment, 1987.
2. A. Cohn, "A Proof of Correctness of the VIPER Microprocessor: the First Level," VLSI
Specification, Verification and Synthesis, G. Birtwistle and P. Subrahmanyam, eds., 1988.
3. B. Brock and W. Hunt, "Report on the Formal Specification and Partial Verification of the
VIPER Microprocessor," Contractor Report 187540, NASA Langley Research Center, 1991.
4. P. J. Windley, "The Formal Verification of Generic Interpreters," Ph.D Thesis, 1990.
5. J. Joyce, "Formal Verification and Implementation of a Microprocessor," in VLSI Specification,
Verification and Synthesis (G. Birtwistle and P. Subrahmanyam, eds.), Kluwer Academic
Publishers, 1988.
6. M. Gordon, "Proving a Computer Correct," Tech. Rep. 41, Computer Lab, University of
Cambridge, 1983.
7. D. Weise, Formal Multi-level Hierarchical Verification of Synchronous MOS VLSI Circuits.
PhD thesis, Massachusetts Institute of Technology, 1986.
8. H. G. Barrow, "Verify: A Program for Proving Correctness of Digital Hardware Designs,"
Artificial Intelligence, vol. 24, 1984.
9. W. Hunt, "FM8501: A Verified Microprocessor," Tech. Rep. ICSCA-CMP-47, University of
Texas at Austin, 1985.
10. S. Crocker, E. Cohen, S. Landauer, and H. Orman, "Reverification of a Microprocessor," in
Proceedings of the Symposium on Security and Privacy, IEEE, 1988.
11. T. Arora, "The Formal Verification of the VIPER Processor: EBM to Microcode Level,"
Master's thesis, University of California, Davis, 1990.
12. C. Pygott, "Formal Proof of Correspondence Between a Hardware Module and its Gate-level
Implementation," memo 85012, Royal Signals and Radar Establishment, 1985.
13. A. Cohn, "A Proof of Correctness of the Viper Microprocessor: the First Level," in VLSI
Specification, Verification and Synthesis (G. Birtwistle and P. Subrahmanyam, eds.), Kluwer
Academic Publishers, 1988.
14. A. Cohn, "Correctness Properties of the Viper Block Model: the Second Level," in Current
Trends in Hardware Verification and Automated Theorem Proving (G. Birtwistle and P.
Subrahmanyam, eds.), Springer-Verlag, 1989.
15. B. T. Graham, The SECD Microprocessor, A Verification Case Study. Kluwer International
Series in Engineering and Computer Science, Boston: Kluwer Academic Publishers, 1992.
16. P. Landin, "The Mechanical Evaluation of Expressions," Computer Journal, vol. 6, no. 4, 1964.
17. P. Henderson, Functional Programming: Application and Implementation. Prentice-Hall
International, 1980.
18. A. Cohn, "A Proof of Correctness of the VIPER Microprocessor: the Second Level," University
of Cambridge Computer Laboratory Technical Report, 1989.
19. M. Gordon, "Proving a Computer Correct," Tech. Rep. 41, Computer Lab, University of
Cambridge, 1983.
20. M. Gordon, "HOL: a proof generating system for higher-order logic," in VLSI Specification,
Verification and Synthesis, Kluwer Academic Press, 1988.
21. A. Church, "A Formulation of the Simple Theory of Types," Journal of Symbolic Logic, vol. 5,
no. 1, 1940.
22. M. Gordon, R. Milner, and C. Wadsworth, Edinburgh LCF: A Mechanized Logic of
Computation. Springer-Verlag, 1979.
23. R. L. Constable et al., Implementing Mathematics with the Nuprl Proof Development System.
Prentice-Hall, 1986.
Appendix A: DESCRIPTION OF HOL
HOL is a general theorem-proving system developed at the University of Cambridge (ref. 19, 20) that
is based on Church's theory of simple types, or higher-order logic (ref. 21). Church developed
higher-order logic as a foundation for mathematics, but it can be used for describing and reasoning about
computational systems of all kinds. Higher-order logic is similar to the more familiar predicate
logic, but allows quantification over predicates and functions, not just variables, allowing more
general systems to be described.
HOL grew out of Robin Milner's LCF theorem prover (ref. 22) and is similar to other LCF
progeny such as NUPRL (ref. 23). Because HOL is the theorem-proving environment used in the
body of this work, we will describe it in more detail.
HOL's proof style can be tailored to the individual user, but most users find it convenient to
work in a goal-directed fashion. HOL is a tactic-based theorem prover. A tactic breaks a goal into
one or more subgoals and provides a justification for the goal reduction in the form of an inference
rule. Tactics perform tasks such as induction, rewriting, and case analysis. At the same time,
HOL allows forward inference, and many proofs are a combination of both forward and backward
proof styles. Any theorem-proving strategy a user employs in connection with HOL is checked for
soundness: a tactic whose justification does not actually derive the goal from its subgoals cannot
produce a theorem, so an incorrect proof cannot be accepted. This guarantees only that a theorem
follows from the axioms and definitions; it says nothing about whether the specification that was
proved is the one that was intended.
HOL provides the user with a metalanguage, ML, for programming and extending the theorem
prover. Using ML, tactics can be put together to form more powerful tactics, new tactics can be
written, and theorems can be combined into new theories for later use. The metalanguage makes
the HOL verification system extremely flexible.
In HOL, all proofs, even tactic-based proofs, are eventually reduced to the application of
inference rules. Most nontrivial proofs require large numbers of inferences. Proofs of large devices
such as microprocessors can take many millions of inference steps. In a proof containing millions
of steps, what kind of confidence do we have that the proof is correct? One of the most important
features of HOL is that it is secure, meaning that new theorems can only be created in a controlled
manner. HOL is based on five primitive axioms and eight primitive inference rules. All high-level
inference rules and tactics do their work through some combination of the primitive inference rules.
Because the entire proof can be reduced to one using only eight primitive inference rules and five
primitive axioms, an independent proof-checking program could check the proof syntactically.
The object language of HOL is described in this section. We will discuss HOL's terms and
types.
Terms. All HOL expressions are made up of terms. There are four kinds of terms in HOL:
variables, constants, function applications, and abstractions (lambda expressions). Variables and
constants are denoted by any sequence of letters, digits, underlines, and primes starting with a
letter. Constants are distinguished in the logic; any identifier that is not a distinguished constant
is taken to be a variable. Constants and variables can have any finite arity, not just 0, and, thus,
can represent functions as well.
Function application is denoted by juxtaposition, resulting in a prefix syntax. Thus, a term of
the form "t1 t2" is an application of the operator t1 to the operand t2. The term's value is the
result of applying t1 to t2.
An abstraction denotes a function and has the form "λ x. t". An abstraction "λ x. t" has
two parts: the bound variable x and the body of the abstraction t. It represents a function, f,
such that "f(x) = t". For example, "λ y. 2*y" denotes a function on numbers which doubles its
argument.
Constants can belong to two special syntactic classes. Constants of arity 2 can be declared
to be infix. Infix operators are written "rand1 op rand2" instead of in the usual prefix form:
"op rand1 rand2". Table A-1 shows several of HOL's built-in infix operators.
Constants can also belong to another special class called binders. A familiar example of a
binder is ∀. If c is a binder, then the term "c x. t" (where x is a variable) is written as shorthand
for the application of c to the abstraction "λ x. t". Table A-2 shows HOL's built-in binders.
Table A-2. HOL's built-in binders: the universal quantifier ("for all x, t"), the existential
quantifier ("there exists an x such that t"), and the choice operator ("choose an x such that t is true").
In addition to the infix constants and binders, HOL has a conditional statement that is written
a → b | c, meaning "if a, then b, else c."
Types. HOL is strongly typed to avoid Russell's paradox and others like it. Russell's paradox
occurs in a higher order logic when one can define a predicate that leads to a contradiction.
Specifically, suppose that we define P as P(x) = ¬x(x) where ¬ denotes negation. P is true when its
argument applied to itself is false. Applying P to itself leads to a contradiction since P(P) = ¬P(P)
(i.e., true = false). This kind of paradox can be prevented by typing since, in a typed system,
the type of P would never allow it to be applied to itself.
Every term in HOL is typed according to the following recursive rules:
a. Each constant or variable has a fixed type.
b. If x has type α and t has type β, the abstraction λ x. t has the type (α → β).
c. If t has the type (α → β) and u has the type α, the application t u has the type β.
Types in HOL are built from type variables and type operators. Type variables are denoted by
a sequence of asterisks (*) followed by a (possibly empty) sequence of letters and digits. Thus, *,
***, and *ab2 are all valid type variables. All type variables are universally quantified implicitly,
yielding type polymorphic expressions.
Type operators construct new types from existing types. Each type operator has a name
(denoted by a sequence of letters and digits beginning with a letter) and an arity. If σ1,...,σn are
types and op is a type operator of arity n, then (σ1,...,σn)op is a type. Note that type operators
are postfix while normal function application is prefix or infix. A type operator of arity 0 is a type
constant.
HOL has several built-in types which are listed in table A-3. The type operators bool,
ind, and fun are primitive. HOL has a special syntax that allows (*,**)prod to be written
as (* # **), (*,**)sum to be written as (* + **), and (*,**)fun to be written as (* -> **).
Table A-3. HOL's built-in type operators: (*)list, lists of type *; (*,**)prod, products of * and **;
(*,**)sum, coproducts of * and **; (*,**)fun, functions from * to **.
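As an added illustration (not part of the report), the following Python implements the three typing rules a-c above for HOL-style terms, with type variables written as runs of asterisks, postfix type operators, and the fun operator printed in HOL's (* -> **) syntax. Unification with an occurs check is the mechanism by which the rules reject the Russell predicate: typing x x forces x to have both type * and type (* -> **). The term constructors, the checker and the names doubler, apply_fn and russell are mine; the page does not show HOL's own type inference.

```python
from dataclasses import dataclass

# ---- types: a type variable, or a type operator applied postfix to argument types ----
@dataclass(frozen=True)
class TyVar:
    name: str                       # HOL style: *, **, ***, *ab2
    def __str__(self):
        return self.name

@dataclass(frozen=True)
class TyOp:
    op: str                         # bool, num, fun, prod, ...; arity 0 is a type constant
    args: tuple = ()
    def __str__(self):
        if self.op == "fun":        # HOL's special syntax for (*,**)fun
            return f"({self.args[0]} -> {self.args[1]})"
        return f"({','.join(map(str, self.args))}){self.op}" if self.args else self.op

BOOL, NUM = TyOp("bool"), TyOp("num")
def fun(a, b):
    return TyOp("fun", (a, b))

# ---- terms: the four kinds of HOL term ----
@dataclass
class Var: name: str
@dataclass
class Const: name: str; ty: object
@dataclass
class App: f: object; x: object
@dataclass
class Abs: var: str; body: object

class IllTyped(Exception):
    pass

class Checker:
    def __init__(self):
        self.subst = {}             # solved type variables
        self.free = {}              # types of free variables
        self.n = 0

    def fresh(self):
        self.n += 1
        return TyVar("*" * self.n)

    def resolve(self, t):
        while isinstance(t, TyVar) and t in self.subst:
            t = self.subst[t]
        if isinstance(t, TyOp):
            return TyOp(t.op, tuple(self.resolve(a) for a in t.args))
        return t

    def occurs(self, v, t):
        t = self.resolve(t)
        return t == v or (isinstance(t, TyOp) and any(self.occurs(v, a) for a in t.args))

    def unify(self, a, b):
        a, b = self.resolve(a), self.resolve(b)
        if a == b:
            return
        if isinstance(a, TyVar):
            if self.occurs(a, b):   # a type variable cannot equal a type built from itself
                raise IllTyped(f"occurs check: {a} in {b}")
            self.subst[a] = b
            return
        if isinstance(b, TyVar):
            return self.unify(b, a)
        if a.op != b.op or len(a.args) != len(b.args):
            raise IllTyped(f"cannot unify {a} with {b}")
        for x, y in zip(a.args, b.args):
            self.unify(x, y)

    def infer(self, term, env):
        if isinstance(term, Const):                       # rule a: a constant has a fixed type
            return term.ty
        if isinstance(term, Var):                         # rule a: a variable has a fixed type
            return env[term.name] if term.name in env else self.free.setdefault(term.name, self.fresh())
        if isinstance(term, Abs):                         # rule b: x:alpha, t:beta ==> \x. t : alpha -> beta
            alpha = self.fresh()
            beta = self.infer(term.body, {**env, term.var: alpha})
            return fun(alpha, beta)
        tf, tx = self.infer(term.f, env), self.infer(term.x, env)   # rule c: t : alpha -> beta, u : alpha
        beta = self.fresh()
        self.unify(tf, fun(tx, beta))                     # ==> t u : beta
        return beta

def type_of(term):
    """Printed principal type of a term; raises IllTyped if rules a-c cannot be satisfied."""
    c = Checker()
    return str(c.resolve(c.infer(term, {})))

NEG = Const("~", fun(BOOL, BOOL))
TIMES = Const("*", fun(NUM, fun(NUM, NUM)))   # curried form of the infix constant *
TWO = Const("2", NUM)

def doubler():
    """The text's \\y. 2*y: a function on numbers."""
    return type_of(Abs("y", App(App(TIMES, TWO), Var("y"))))

def apply_fn():
    """\\f. \\x. f x: type variables are implicitly universal, so the result is polymorphic."""
    return type_of(Abs("f", Abs("x", App(Var("f"), Var("x")))))

def russell():
    """P = \\x. ~(x x): the self application x x needs x : * and x : * -> ** at once."""
    try:
        return type_of(Abs("x", App(NEG, App(Var("x"), Var("x")))))
    except IllTyped as e:
        return f"ill-typed: {e}"
```

type_of(doubler's term) prints (num -> num); the Russell term is rejected at the occurs check, which is exactly the point the paragraph makes: no type can be assigned to P, so P(P) is not even a well-formed term.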
The Proof System.
HOL is not an automated theorem prover but is more than simply a proof checker, falling
somewhere between these two extremes. HOL has several features that contribute to its use as a
verification environment:
a. Several built-in theories, including booleans, individuals, numbers, products, sums, lists, and
trees. These theories contain the five axioms that form the basis of higher order logic as well
as a large number of theorems that follow from them.
b. Rules of inference for higher order logic. These rules contain not only the eight basic rules
of inference from higher order logic, but also a large body of derived inference rules that
allow proofs to proceed using larger steps. The HOL system has rules that implement the
standard introduction and elimination rules for Predicate Calculus as well as specialized rules
for rewriting terms.
c. A collection of tactics. Examples of tactics include: REWRITE_TAC which rewrites a goal
according to some previously proven theorem or definition; GEN_TAC which removes unnecessary
universally quantified variables from the front of terms; and EQ_TAC which says that to show
two things are equivalent, we should show that they imply each other.
d. A proof management system that keeps track of the state of an interactive proof session.
e. A metalanguage, ML, for programming and extending the theorem prover. Using the
metalanguage, tactics can be put together to form more powerful tactics, new tactics can be written,
and theorems can be aggregated to form new theories for later use. The metalanguage makes
the verification system extremely flexible.
Appendix B: INTERPRETER THEORY AND ABSTRACT FUNCTIONS
File: def_aux.ml
Description: Defines generic functions used in subsequent Viper
specifications.
set_search_path (search_path() @ lib_dir_list);;
loadf 'abstract';;
new_theory 'aux_def';;
new_parent 'tuple';;
new_type_abbrev('time',":num");;
let abs_rep = new_abstract_representation [
% ALU functions %
% negation %
('neg', ":(*wordn -> *wordn)");
% addition without carry %
('add', ":(*wordn # *w0rdn -> *wordn)");
% predicate carry for addc %
('addp', ":(*wordn # *wordn # *wordn) -> bool");
% overflow predicate for add %
('aovfl', ":(*wordn # *wordn # *wordn) -> bool");
% subtract %
('sub', ":(*wordn # *wordn) -> *wordn");
% carry predicate for sub %
('subp', ":(*wordn # *wordn # *wordn) -> bool");
% overflow predicate for sub %
('sovfl', ":(*wordn # *wordn # *wordn) -> bool");
% bitwise xor %
('bxor', ":(*wordn # *wordn -> *wordn)");
% bitwise and %










% bitwise nor %
('bnor', ":(*wordn # *wordn -> *wordn)");
% bitwise not %
('bnot', ":(*wordn -> *wordn)");
% bitwise or %
('bor', ":(bool # bool -> bool)");
% SHIFTER functions %
% shift right, copy sign bit %
('shr', ":(*wordn -> *wordn)");
% shift left %
('shl', ":(*wordn -> *wordn)");
% shift right thru b %
('shrb', ":(*wordn # bool -> *wordn)");
% shift left thru b %
('shlb', ":(*wordn # bool -> *wordn)");
% Coercion functions %
% numeric value of n-bit word %
('val', ":(*wordn -> num)");
% wordn representation of number %
('wordn', ":(num -> *wordn)");
% address part of a word %





% address converting to a word %
('pad', ":(*address -> *wordn)");
% combine msb opcode bits and lsb address bits to wordn %
('join', ":((*opcode # *address) -> *wordn)");
% Test functions %
% see if address is valid %
('valid_address', ":(*wordn -> bool)");
% decoder %
('decode', ":((*opcode # bool) -> (bool # bt5 # bool))");
% Compare function %
% cmp two words depending on code %
('bcmp', ":(*wordn # *wordn # bool # bt4 -> bool)");
% Subranging functions %
% opcode portion of word %
('opcode', ":(*wordn -> *opcode)");
% retrieve bit0 of a *wordn %
('bit0', ":(*wordn -> bool)");
% retrieve bitn of a *wordn %
('bitn', ":(*wordn -> bool)");
% retrieve rsf of a *wordn %
('RSF', ":(*wordn -> bt2)");
% retrieve msf of a *wordn %
('MSF', ":(*wordn -> bt2)");
% retrieve dsf of a *wordn %
('DSF', ":(*wordn -> bt3)");
% retrieve csf of a *wordn %
('CSF', ":(*wordn -> bool)");
% retrieve fsf of a *wordn %
('FSF', ":(*wordn -> bt4)");
% Memory functions %
% fetch a word from memory %
('fetch', ":((*memory # *address) -> *wordn)");
% store a word in memory %
('store', ":((*memory # *address # *wordn) -> *memory)");
% fetch a word from io -- memory mapped io %
('fetchio', ":((*memory # *address) -> *wordn)");
% store a word in io -- memory mapped io %










Author: (c) P. J. Windley 1990
Date: 09 JAN 90
Modified: 14 FEB 90
Description:
Defines a generic interpreter used in subsequent specifications.
The interpreter is proven to be correct under certain obligations.
The interpreter in this file is synchronous.












('subenv', ":*env' -> *env")





make_inst_thms cpu_abs;;
let I_rep_ty = abstract_type 'gen_I' 'key';;
let INTERP_def = new_definition
('INTERP',
"! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
INTERP rep s e =
!t:time.
let n = (key rep (select rep (s t) (e t))) in (
s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
);;
let INTERP_DEF_EXPANDED = EXPAND_LET_RULE INTERP_def;;
%<




"(FIND x [] = 0) /\
(FIND x (CONS h t) =
(x = h) => 0 | 1 + (FIND x t))";;
letrec pos x l =
null l => 0 |
(x = (hd l)) => 1 | (1 + (pos x (tl l)));;
>%





IMPL_IMP rep s' e' inst =
(Impl (rep:^I_rep_ty) s' e') ==>
(!t:time'.
let s = (\t. (substate rep (s' t))) in
let e = (\t. (subenv rep (e' t))) in
let c = (cycles rep (select rep (s t) (e t))) in (
(select rep (s t) (e t) = (FST inst)) /\
(count rep (s' t) (e' t) = (start rep)) ==>
((SND inst) (s t) (e t) = (s (t + c))) /\
(count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
);;
let IMPL_IMP_EXPANDED = EXPAND_LET_RULE impl_imp_def;;
new_theory_obligations
[
"EVERY (IMPL_IMP (rep:^I_rep_ty) (s':time'->*state') (e':time'->*env'))
(inst_list rep)";
"!k:*key. (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))";
"!k:*key. k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
];;
let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
(([],
"let s = (\t:time .(substate rep (s' t))) and
e = (\t:time .(subenv rep (e' t))) in (
(Impl (rep:^I_rep_ty)) s' e' ==>
(!t:time'.
(count rep (s' t) (e' t) = (start rep)) ==>
((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
(SND (EL (key rep (select rep (s t) (e t)))
(inst_list rep))) (s t) (e t))))"),
EXPAND_LET_TAC
THEN REPEAT STRIP_TAC
THEN POP_ASSUM_LIST (\asl .
let asl' =







(subenv rep (e' t))))" thm) ?
(SPEC "(select (rep:^I_rep_ty)
(substate rep (s' t))
(subenv rep (e' t)))" thm) ?
thm) asl'))
THEN RES_TAC
THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] (SPEC "t:time'" thm)))
THEN RES_TAC
THEN FIRST_ASSUM (ACCEPT_TAC o SYM_RULE)
);;
let IMPL_NEXTSTATE_LEMMA_EXPANDED = EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA;;
let time_shift = new_prim_rec_definition
('time_shift',
"(time_shift f (s:time->*state) (e:time->*env) 0 = 0) /\
(time_shift f s e (SUC n) = (
let t = (time_shift f s e n) in
t + (f (s t) (e t))))"
);;
let I_CLOCK_LEMMA = TAC_PROOF
(([],
"let s = (\t:time .(substate rep (s' t))) and
e = (\t:time .(subenv rep (e' t))) in (
(Impl rep) s' e' /\
((count rep) (s' 0) (e' 0) = (start rep)) ==>
!t. let t_impl =
(time_shift (\st env. (cycles rep (select rep st env))) s e t) in





THEN REWRITE_TAC [time_shift; o_DEF; LET_DEF]
THEN (FIRST_ASSUM ACCEPT_TAC ORELSE ALL_TAC)
THEN POP_ASSUM (\thm. ASSUME_TAC
(CONV_RULE (TOP_DEPTH_CONV BETA_CONV)
(ONCE_REWRITE_RULE [o_DEF] thm)))
THEN BETA_TAC
THEN POP_ASSUM_LIST (\asl .
let asl' =









(\st env. cycles rep(select rep st env))
(\t'. substate rep(s' t'))





(\st env. cycles rep(select rep st env))
(\t'. substate rep(s' t'))





(\st env. cycles rep(select rep st env))
(\t'. substate rep(s' t'))




(\st env. cycles rep(select rep st env))
(\t'. substate rep(s' t'))
(\t'. subenv rep (e' t')) t))))" thm) ?
thm) asl'))
THEN RES_TAC
THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE []
(SPEC "(time_shift
(\st env. cycles (rep:^I_rep_ty) (select rep st env))
(\t'. substate rep(s' t'))
(\t'. subenv rep (e' t')) t):time'" thm)))
THEN RES_TAC
);;
let I_CLOCK_LEMMA_EXPANDED = EXPAND_LET_RULE I_CLOCK_LEMMA;;
let IMPL_I_CORRECT = prove_thm
('IMPL_I_CORRECT',
"let s = (\t:time .(substate rep (s' t))) and
e = (\t:time .(subenv rep (e' t))) in (
(Impl rep) s' e' /\
((count (rep:^I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
let f = time_shift (\st env. (cycles rep (select rep st env))) s e in










[EXPAND_LET_RULE (REWRITE_RULE [ADD1] time_shift)]
THEN BETA_TAC
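To make the interpreter theory of this appendix concrete, here is an added Python model (mine, not the report's ML) of INTERP, the IMPL_IMP obligation, time_shift and the statement of IMPL_I_CORRECT, instantiated with a constructed three-instruction 4-bit accumulator machine and a microcoded implementation of it in which instructions take one, two or three micro-cycles. The instruction set, the microcode, the program and every name below are assumptions made for the example; none of it is Viper. check_obligations runs the implementation from every start state with count = start, which is the rudimentary simulator-style test the conclusions say would have caught obvious errors before any proof was attempted.

```python
from itertools import product

WIDTH = 16                                   # 4-bit data words (constructed example)
ADDI, NEG, JZ = 0, 1, 2                      # the instruction keys (*key)

# Program memory is the environment e; it is the same at every time.
# Constructed: (opcode, operand) pairs.
PROG = ((ADDI, 5), (NEG, 0), (JZ, 4), (ADDI, 1), (JZ, 0))

# ---- interpreter level (INTERP): state = (acc, pc) ----
def spec_addi(s, e):
    acc, pc = s
    return ((acc + e[pc][1]) % WIDTH, (pc + 1) % len(e))

def spec_neg(s, e):
    acc, pc = s
    return ((-acc) % WIDTH, (pc + 1) % len(e))

def spec_jz(s, e):
    acc, pc = s
    return (acc, e[pc][1] if acc == 0 else (pc + 1) % len(e))

INST_LIST = [(ADDI, spec_addi), (NEG, spec_neg), (JZ, spec_jz)]  # inst_list rep: (key, next-state fn)
def key(k):        return k                                      # key rep: *key -> index into inst_list
def select(s, e):  return e[s[1]][0]                             # select rep: key of the word at pc
def cycles(k):     return {ADDI: 2, NEG: 1, JZ: 3}[k]            # cycles rep: micro-cycles per instruction

def interp_step(s, e):
    """INTERP rep s e: s(t+1) = SND (EL (key rep (select rep (s t) (e t))) (inst_list rep)) (s t) (e t)."""
    return INST_LIST[key(select(s, e))][1](s, e)

# ---- implementation level (Impl): state' = (acc, pc, mpc, tmp), one micro-cycle per step ----
START = 0
def count(sp, ep):  return sp[2]               # count rep: the micro-program counter
def substate(sp):   return (sp[0], sp[1])      # substate rep: abstraction to the interpreter state
def subenv(ep):     return ep                  # subenv rep: the environment is shared unchanged

def impl_step(sp, ep):
    acc, pc, mpc, tmp = sp
    op, arg = ep[pc]
    if op == ADDI:                                   # fetch the operand, then add it
        return (acc, pc, 1, arg) if mpc == 0 else ((acc + tmp) % WIDTH, (pc + 1) % len(ep), 0, tmp)
    if op == NEG:                                    # a single micro-cycle
        return ((-acc) % WIDTH, (pc + 1) % len(ep), 0, tmp)
    if mpc == 0:                                     # JZ: fetch the target
        return (acc, pc, 1, arg)
    if mpc == 1:                                     # JZ: resolve the branch into tmp
        return (acc, pc, 2, tmp if acc == 0 else (pc + 1) % len(ep))
    return (acc, tmp, 0, tmp)                        # JZ: commit the new pc

def run_impl(sp, ep, n):
    for _ in range(n):
        sp = impl_step(sp, ep)
    return sp

def time_shift(f, s, e, n):
    """time_shift f s e 0 = 0;  time_shift f s e (SUC n) = t + f (s t) (e t) where t = time_shift f s e n.
    s and e are the abstracted implementation traces, so t is implementation time."""
    t = 0
    for _ in range(n):
        t = t + f(s(t), e(t))
    return t

def check_obligations(ep=PROG):
    """The three new_theory_obligations, checked exhaustively for this instance."""
    for k, _ in INST_LIST:
        assert key(k) < len(INST_LIST)                          # !k. key rep k < LENGTH (inst_list rep)
        assert k == INST_LIST[key(k)][0]                        # !k. k = FST (EL (key rep k) (inst_list rep))
    for acc, pc, tmp in product(range(WIDTH), range(len(ep)), range(WIDTH)):
        sp = (acc, pc, START, tmp)                              # every state with count = start
        s, e = substate(sp), subenv(ep)
        k = select(s, e)
        sp2 = run_impl(sp, ep, cycles(k))
        # IMPL_IMP for the selected instruction: its spec step equals the substate
        # after cycles(k) micro-cycles, and count is back at start
        assert substate(sp2) == INST_LIST[key(k)][1](s, e) and count(sp2, ep) == START
    return True

def impl_time(sp0, n, ep=PROG):
    """f n = time_shift (\\st env. cycles rep (select rep st env)) s e n, for s and e abstracted from sp0."""
    s = lambda t: substate(run_impl(sp0, ep, t))
    e = lambda t: subenv(ep)
    return time_shift(lambda st, env: cycles(select(st, env)), s, e, n)

def check_correctness(sp0, steps=20, ep=PROG):
    """IMPL_I_CORRECT: with Impl and count (s' 0) (e' 0) = start, the abstracted trace sampled at
    the implementation times f t satisfies INTERP, i.e. s (f (t+1)) is the selected instruction
    applied to s (f t) and e (f t)."""
    assert count(sp0, ep) == START
    s = lambda t: substate(run_impl(sp0, ep, t))
    e = lambda t: subenv(ep)
    return all(s(impl_time(sp0, t + 1, ep)) ==
               interp_step(s(impl_time(sp0, t, ep)), e(impl_time(sp0, t, ep)))
               for t in range(steps))
```

If the microcode is wrong (for instance, if the JZ commit step took the target without the mpc = 1 resolution), check_obligations fails on the first offending start state, which names the case the HOL proof of IMPL_IMP would have had to handle. The exhaustive sweep is affordable only because this state space is tiny; for a real word width the three obligations, proved once per instruction, are what replace it.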






Description: Prove auxiliary theorems used in subsequent proofs.
system '/bin/rm aux_thms.th';;
new_theory 'aux_thms';;
let SET_EL_DEF = new_prim_rec_definition
('SET_EL_DEF',
"(SET_EL 0 (lst:(*)list) x = (CONS x (TL lst))) /\
(SET_EL (SUC n) lst x = (CONS (HD lst) (SET_EL n (TL lst) x)))"
);;
let SET_EL = prove_thm
('SET_EL',
"! h t x .
(SET_EL 0 (CONS h t) x = (CONS x t)) /\




let EL_SET_EL = prove_thm
('EL_SET_EL',
"! x n lst . EL n (SET_EL n lst x) = x",
GEN_TAC
THEN INDUCT_TAC
THEN REWRITE_TAC [SET_EL_DEF; EL; CONS; TL; HD]
THEN LIST_INDUCT_TAC
THENL [








Description: Defines a new type 'triple' with members ONE, TWO,
THREE. Used to instantiate *key in the EBM to Phase
level proof of Viper.
................................................................
system '/bin/rm -f threeval.th';;
new_theory 'threeval';;
let triple = define_type 'triple' 'triple = ONE | TWO | THREE';;
let y = prove_constructors_distinct triple;;
let triple_induct = prove_induction_thm triple;;
let triple_cases = prove_cases_thm triple_induct;;
let triple_value = new_definition(
'triple_value',
"!x:triple. triple_value x = (x=ONE) => 0 |
(x=TWO) => 1 |
2"
);;
let triple_VALUE_LEMMA = prove_thm
('triple_VALUE_LEMMA',
"(triple_value ONE = 0) /\ (triple_value TWO = 1)
/\ (triple_value THREE = 2)",
REWRITE_TAC[triple_value] THEN
STRIP_ASSUME_TAC y THEN
ASSUM_LIST(\asl. REWRITE_TAC[NOT_EQ_SYM (el 1 asl); NOT_EQ_SYM (el 2 asl);
NOT_EQ_SYM (el 3 asl)])
);;
let triple_LENGTH_LEMMA = prove_thm
('triple_LENGTH_LEMMA',
"! x:triple (l1 l2 l3:*). triple_value x < (LENGTH [l1; l2; l3])",














Appendix C: VIPER LEVEL SPECIFICATION
%
Prove that the macro level ==> cohn level
%
system '/bin/rm cohn_eqvaux.th';;






let rep_ty = abstract_type 'aux_def' 'opcode';;
let cohn_REG = definition 'cohn_viper' 'cohn_REG';;
let cohn_INVALID = definition 'cohn_viper' 'cohn_INVALID';;
let write_reg = EXPAND_LET_RULE (definition 'macro_def' 'write_reg');;
let load_r = EXPAND_LET_RULE (definition 'macro_def' 'load_r');;
let cohn_NEXT = definition 'cohn_viper' 'cohn_NEXT';;
let cohn_NEXT_expanded = EXPAND_LET_RULE cohn_NEXT;;
% register loads are eqv %
let reg_eqv = prove_thm
('reg_eqv',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
(cohn_REG rep (RSF rep(fetch rep(ram,address rep p)),a,x,y,
add rep(p,wordn rep 1))) =
(load_r rep (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p)))",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC [cohn_REG; load_r]
THEN REPEAT (COND_CASES_TAC THEN ASM_REWRITE_TAC[PAIR_EQ]));;
% cohn_stop %
let cohn_stop = prove_thm (
'cohn_stop',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (stop:bool) (ram:*memory) .
stop ==>
(cohn_NEXT rep (a, x, y, p, b, stop, ram)




% cohn_noinc %
let cohn_noinc = prove_thm
('cohn_noinc',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let newp = (add rep (p, (wordn rep 1))) in
(((~valid_address rep newp) /\
(~stop)) ==>
(cohn_NEXT rep (a, x, y, p, b, stop, ram)




THEN ASM_REWRITE_TAC [cohn_NEXT_expanded; cohn_INVALID]);;
% write_reg_illegalpdest_aux %
let write_reg_illegalpdest_aux = prove_thm
('write_reg_illegalpdest_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ir:*wordn) (ram:*memory)
(value:*wordn) (newb:bool).
(((DSF rep ir) = (F,T,T)) \/
((DSF rep ir) = (T,F,F)) \/
((DSF rep ir) = (T,F,T))) ==>
(write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb)
= (a, x, y, p, b, T, ram))",
REPEAT GEN_TAC THEN STRIP_TAC THEN
ASM_REWRITE_TAC[write_reg; PAIR_EQ]);;
let THREE_TUPLE_VALUE_LEMMA = theorem 'tuple' 'THREE_TUPLE_VALUE_LEMMA';;
let three_tuple_value_lemma = (SPECL ["b:bt3"] THREE_TUPLE_VALUE_LEMMA);;




((~(b = (F,F,F))) /\
(~(b = (F,F,T))) /\
(~(b = (F,T,F))) /\
(~(b = (F,T,T))) /\
(~(b = (T,F,F))) /\
(~(b = (T,T,F))) /\
(~(b = (T,T,T))))
==> (b = (T,F,T))",
REPEAT GEN_TAC
THEN STRIP_TAC
THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 1 asl);
(el 2 asl); (el 3 asl);
(el 4 asl); (el 5 asl);
(el 6 asl); (el 7 asl)]
three_tuple_value_lemma))
THEN ASM_REWRITE_TAC[]);;
let TWO_TUPLE_VALUE_LEMMA = theorem 'tuple' 'TWO_TUPLE_VALUE_LEMMA';;
let two_tuple_value_lemma = (SPECL ["b:bt2"] TWO_TUPLE_VALUE_LEMMA);;
let bt2_remaining_lemma = prove_thm
('bt2_remaining_lemma',
"! (b:bt2) .
((~(b = (F,F))) /\
(~(b = (F,T))) /\
(~(b = (T,F))))
==> (b = (T,T))",
REPEAT GEN_TAC
THEN STRIP_TAC
THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE [(el 1 asl);





University of California, Davis
Prove that the macro level ==> cohn level
%
system '/bin/rm cohn_TTFF_aux.th';;







let rep_ty = abstract_type 'aux_def' 'opcode';;
let cohn_ALU = EXPAND_LET_RULE (definition 'cohn_viper' 'cohn_ALU');;
let cohn_SVAL = definition 'cohn_viper' 'cohn_SVAL';;
let cohn_BVAL = definition 'cohn_viper' 'cohn_BVAL';;
let cohn_VALUE = definition 'cohn_viper' 'cohn_VALUE';;
let cohn_INVALID = definition 'cohn_viper' 'cohn_INVALID';;
let cohn_ILLEGALCALL = definition 'cohn_viper' 'cohn_ILLEGALCALL';;
let cohn_SPAREFUNC = definition 'cohn_viper' 'cohn_SPAREFUNC';;
let cohn_ILLEGALPDEST = definition 'cohn_viper' 'cohn_ILLEGALPDEST';;
let cohn_WRITE = definition 'cohn_viper' 'cohn_WRITE';;
let cohn_ILLEGALWRITE = definition 'cohn_viper' 'cohn_ILLEGALWRITE';;
let cohn_NILM = definition 'cohn_viper' 'cohn_NILM';;
let cohn_NOOP = definition 'cohn_viper' 'cohn_NOOP';;
let cohn_REG = definition 'cohn_viper' 'cohn_REG';;
let write_reg = EXPAND_LET_RULE (definition 'macro_def' 'write_reg');;
let load_r = EXPAND_LET_RULE (definition 'macro_def' 'load_r');;
let cohn_NEXT = definition 'cohn_viper' 'cohn_NEXT';;
let cohn_NEXT_expanded = EXPAND_LET_RULE cohn_NEXT;;
let write_reg = EXPAND_LET_RULE (definition 'macro_def' 'write_reg');;
% cohn_WRITE_TTFF %
let cohn_WRITE_TTFF = prove_thm
('cohn_WRITE_TTFF',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
(~(((DSF rep (fetch rep (ram, address rep p))) = (T,T,T)) \/
((DSF rep (fetch rep (ram, address rep p))) = (T,T,F)))) ==>
(cohn_WRITE rep (DSF rep (fetch rep (ram, address rep p)),




THEN ASM_REWRITE_TAC [cohn_WRITE; PAIR_EQ]);;
% cohn_illegalcall_TTFF %
let cohn_illegalcall_TTFF = prove_thm
('cohn_illegalcall_TTFF',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
(((FSF rep (fetch rep (ram, address rep p))) = (T,T,F,F))
==> ((cohn_ILLEGALCALL rep
((DSF rep (fetch rep (ram, address rep p))),
(CSF rep (fetch rep (ram, address rep p))),
(FSF rep (fetch rep (ram, address rep p))))) = F))",
REPEAT GEN_TAC
THEN STRIP_TAC
THEN ASM_REWRITE_TAC[cohn_ILLEGALCALL; PAIR_EQ]);;
let cohn_NILM_TTFF = prove_thm
('cohn_NILM_TTFF',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
((~(CSF rep (fetch rep (ram, address rep p)))) /\
(~(DSF rep(fetch rep(ram,address rep p)) = T,T,T)) /\
(~(DSF rep(fetch rep(ram,address rep p)) = T,T,F)) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)))
==> (cohn_NILM rep ((DSF rep (fetch rep (ram, address rep p))),
(CSF rep
(fetch rep (ram, address rep p))),






let cohn_sparefunc_TTFF = prove_thm
('cohn_sparefunc_TTFF',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool).
((((FSF rep (fetch rep (ram, address rep p))) = (T,T,F,F)) ==>
(cohn_SPAREFUNC rep (
(DSF rep (fetch rep (ram, address rep p))),
(CSF rep (fetch rep (ram, address rep p))),




THEN ASM_REWRITE_TAC[cohn_SPAREFUNC; PAIR_EQ]);;
% cohn_ILLEGALWRITE_TTFF %
let cohn_ILLEGALWRITE_TTFF = prove_thm
('cohn_ILLEGALWRITE_TTFF',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
(~(((DSF rep (fetch rep (ram, address rep p))) = (T,T,T)) \/
((DSF rep (fetch rep (ram, address rep p))) = (T,T,F)))) ==>
(cohn_ILLEGALWRITE rep (DSF rep
(fetch rep (ram, address rep p)),
(CSF rep (fetch rep (ram, address rep p))),
(MSF rep (fetch rep (ram, address rep p))))
= F)",




let cohn_illegalpdest_TTFF_ill = prove_thm
('cohn_illegalpdest_TTFF_ill',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
((~CSF rep (fetch rep (ram, address rep p))) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
((DSF rep (fetch rep (ram, address rep p)) = (F,T,T)) \/
(DSF rep (fetch rep (ram, address rep p)) = (T,F,F)) \/
(DSF rep (fetch rep (ram, address rep p)) = (T,F,T))))
==> ((cohn_ILLEGALPDEST rep (DSF rep
(fetch rep (ram, address rep p)),
CSF rep (fetch rep (ram, address rep p)),




THEN ASM_REWRITE_TAC[PAIR_EQ; cohn_ILLEGALPDEST]);;
% cohn_illegalpdest_TTFF_pass %
let cohn_illegalpdest_TTFF_pass = prove_thm
('cohn_illegalpdest_TTFF_pass',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (ram:*memory) .
((~CSF rep (fetch rep (ram, address rep p))) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
((DSF rep (fetch rep (ram, address rep p)) = (F,F,F)) \/
(DSF rep (fetch rep (ram, address rep p)) = (F,F,T)) \/
(DSF rep (fetch rep (ram, address rep p)) = (F,T,F))))
==> ((cohn_ILLEGALPDEST rep (DSF rep (fetch rep
(ram, address rep p)),
CSF rep (fetch rep (ram, address rep p)),





let cohn_TTFF_FFF_aux = prove_thm
('cohn_TTFF_FFF_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,F,F)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
(cohn_VALUE aluout, x, y, newp,















cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
cohn_SPAREFUNC;
PAIR_EQ]));;
let cohn_TTFF_FFT_aux = prove_thm
('cohn_TTFF_FFT_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,F,T)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
(a, cohn_VALUE aluout, y, newp,















cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
cohn_SPAREFUNC;
PAIR_EQ]));;
let cohn_TTFF_FTF_aux = prove_thm
('cohn_TTFF_FTF_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,T,F)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
(a, x, cohn_VALUE aluout, newp,















cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
cohn_SPAREFUNC;
PAIR_EQ]));;
let cohn_TTFF_FTT_aux = prove_thm
('cohn_TTFF_FTT_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (F,T,T)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =






THEN IMP_RES_TAC cohn_illegalcall_TTFF
THEN IMP_RES_TAC cohn_NILM_TTFF
THEN IMP_RES_TAC cohn_ILLEGALWRITE_TTFF
THEN IMP_RES_TAC cohn_WRITE_TTFF
THEN IMP_RES_TAC cohn_illegalpdest_TTFF_ill
THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
THEN IMP_RES_TAC cohn_sparefunc_TTFF
THEN ASM_REWRITE_TAC [
cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
cohn_SPAREFUNC;
PAIR_EQ]));;
let cohn_TTFF_TFF_aux = prove_thm
('cohn_TTFF_TFF_aux',
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (T,F,F)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =
























cohn_NOOP; cohn_INVALID; cohn_WRITE; cohn_ILLEGALWRITE;
cohn_SPAREFUNC;
PAIR_EQ]));;
let cohn_TTFF_TFT_aux = prove_thm
(`cohn_TTFF_TFT_aux`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
(dsf = (T,F,T)) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, F, ram) =


























THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
THEN IMP_RES_TAC cohn_sparefunc_TTFF
THEN ASM_REWRITE_TAC [




let cohn_TTFF_aux = prove_thm
(`cohn_TTFF_aux`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn)
(p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
(let fsf = (FSF rep (fetch rep (ram, address rep p))) in
let dsf = (DSF rep (fetch rep (ram, address rep p))) in
let msf = (MSF rep (fetch rep (ram, address rep p))) in
let rsf = (RSF rep (fetch rep (ram, address rep p))) in
let csf = (CSF rep (fetch rep (ram, address rep p))) in
let addr = (address rep (fetch rep (ram, address rep p))) in
let newp = (add rep (p, wordn rep 1)) in
let io = ((cohn_OUTPUT rep (dsf, csf)) \/
(cohn_INPUT rep (dsf, csf, fsf))) in
let r = cohn_REG rep (rsf, a, x, y, newp) in
let m = cohn_MEMREAD rep (ram, msf, addr, x,
y, io, cohn_NILM rep (dsf, csf, fsf)) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in
let newp = (add rep (p, wordn rep 1)) in
(((~stop) /\
(~csf) /\
(valid_address rep newp) /\
(~(dsf = (T,T,T))) /\
(~(dsf = (T,T,F))) /\
((dsf = (F,F,F)) \/
(dsf = (F,F,T)) \/
(dsf = (F,T,F)) \/
(dsf = (F,T,T)) \/
(dsf = (T,F,F)) \/
(dsf = (T,F,T))) /\
(fsf = (T,T,F,F))) ==>
(cohn_NEXT rep (a, x, y, p, b, stop, ram) =
((dsf = (F,F,F))
=> (cohn_VALUE aluout, x, y, newp,
cohn_BVAL aluout, cohn_SVAL aluout,
ram) |
((dsf = (F,F,T))
=> (a, cohn_VALUE aluout, y, newp,
cohn_BVAL aluout, cohn_SVAL aluout,
ram) |
((dsf = (F,T,F))
=> (a, x, cohn_VALUE aluout, newp,
cohn_BVAL aluout, cohn_SVAL aluout,
ram) |










THEN IMP_RES_TAC cohn_illegalpdest_TTFF_pass
THEN IMP_RES_TAC cohn_sparefunc_TTFF
THEN ASM_REWRITE_TAC [





University of California, Davis
Prove that the macro level ==> cohn level
%
system `/bin/rm cohn_shlb.th`;;









let rep_ty = abstract_type `aux_def` `opcode`;;
let cohn_ALU = EXPAND_LET_RULE (definition `cohn_viper` `cohn_ALU`);;
let cohn_SVAL = definition `cohn_viper` `cohn_SVAL`;;
let cohn_BVAL = definition `cohn_viper` `cohn_BVAL`;;
let cohn_VALUE = definition `cohn_viper` `cohn_VALUE`;;
let cohn_INVALID = definition `cohn_viper` `cohn_INVALID`;;
let cohn_ILLEGALCALL = definition `cohn_viper` `cohn_ILLEGALCALL`;;
let cohn_SPAREFUNC = definition `cohn_viper` `cohn_SPAREFUNC`;;
let cohn_ILLEGALPDEST = definition `cohn_viper` `cohn_ILLEGALPDEST`;;
let cohn_WRITE = definition `cohn_viper` `cohn_WRITE`;;
let cohn_ILLEGALWRITE = definition `cohn_viper` `cohn_ILLEGALWRITE`;;
let cohn_NILM = definition `cohn_viper` `cohn_NILM`;;
let cohn_NOOP = definition `cohn_viper` `cohn_NOOP`;;
let cohn_REG = definition `cohn_viper` `cohn_REG`;;
let bt3_remaining_lemma = theorem `cohn_eqvaux` `bt3_remaining_lemma`;;
let reg_eqv = theorem `cohn_eqvaux` `reg_eqv`;;
let cohn_stop = theorem `cohn_eqvaux` `cohn_stop`;;
let cohn_noinc = theorem `cohn_eqvaux` `cohn_noinc`;;
let SHLB = definition `macro_def` `SHLB`;;
let write_reg = EXPAND_LET_RULE (definition `macro_def` `write_reg`);;
let load_r = EXPAND_LET_RULE (definition `macro_def` `load_r`);;
let write_reg_illegalpdest_aux =
theorem `cohn_eqvaux` `write_reg_illegalpdest_aux`;;
% cohn_ALU_TTFF_TT %
let cohn_ALU_TTFF_TT = prove_thm
(`cohn_ALU_TTFF_TT`,
"! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
(cohn_ALU rep (fsf, msf, dsf, r, m, b)






let cohn_ALU_TTFF_TT_VALUE = prove_thm
(`cohn_ALU_TTFF_TT_VALUE`,
"! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in




THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
THEN ASM_REWRITE_TAC [cohn_VALUE]);;
% cohn_ALU_TTFF_TT_BVAL %
let cohn_ALU_TTFF_TT_BVAL = prove_thm
(`cohn_ALU_TTFF_TT_BVAL`,
"! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in




THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
THEN ASM_REWRITE_TAC [cohn_BVAL]);;
% cohn_ALU_TTFF_TT_SVAL %
let cohn_ALU_TTFF_TT_SVAL = prove_thm
(`cohn_ALU_TTFF_TT_SVAL`,
"! (rep:^rep_ty) (fsf:bt4) (msf:bt2)
(dsf:bt3) (r:*wordn) (m:*wordn) (b:bool) .
(((fsf = (T,T,F,F)) /\ (msf = (T,T))) ==>
(let pwrite = ((dsf = (F,T,T)) \/ ((dsf = (T,F,F)) \/
(dsf = (T,F,T)))) in
let aluout = cohn_ALU rep (fsf, msf, dsf, r, m, b) in




THEN IMP_RES_TAC (EXPAND_LET_RULE cohn_ALU_TTFF_TT)
THEN ASM_REWRITE_TAC [cohn_SVAL]);;
let cohn_ALU_TTFF_TT_FFF_SVAL_aux
= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep







= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
(fetch rep (ram, address rep p)), x, y,






= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep





cohn_ALU_TTFF_TT_VALUE));;
let cohn_ALU_TTFF_TT_FFT_SVAL_aux
= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep








(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
(fetch rep (ram, address rep p)), x, y,






= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,F,T)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep





cohn_ALU_TTFF_TT_VALUE));;
let cohn_ALU_TTFF_TT_FTF_SVAL_aux
= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep





cohn_ALU_TTFF_TT_SVAL));;
let cohn_ALU_TTFF_TT_FTF_BVAL_aux
= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep





cohn_ALU_TTFF_TT_BVAL));;
let cohn_ALU_TTFF_TT_FTF_VALUE_aux
= EXPAND_LET_RULE (REWRITE_RULE [PAIR_EQ]
(SPECL ["rep:^rep_ty"; "(T,T,F,F)"; "(T,T)"; "(F,T,F)";
"load_r (rep:^rep_ty) (a, x, y, add rep (p, wordn rep 1),
fetch rep (ram, address rep p))";
"cohn_MEMREAD (rep:^rep_ty) (ram, (T,T), address rep
(fetch rep (ram, address rep p)), x, y,





let illegal_shlb = (SPECL ["rep:^rep_ty";
"a:*wordn";
"x:*wordn"; "y:*wordn";
"add (rep:^rep_ty) (p, wordn rep 1)";
"b:bool"; "F";
"fetch (rep:^rep_ty) (ram, address rep p)";
"ram:*memory";
"shlb (rep:^rep_ty)
((load_r rep
(a,x,y,add rep(p,wordn rep 1),
fetch rep(ram,address rep p))), b)";
"b:bool"]
write_reg_illegalpdest_aux);;
let dsf_remain = (SPEC "(DSF (rep:^rep_ty)
(fetch rep (ram, address rep p))):bt3"
bt3_remaining_lemma);;
let cohn_TTFF_FFF_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_FFF_aux`);;
let cohn_TTFF_FFT_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_FFT_aux`);;
let cohn_TTFF_FTF_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_FTF_aux`);;
let cohn_TTFF_FTT_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_FTT_aux`);;
let cohn_TTFF_TFF_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_TFF_aux`);;
let cohn_TTFF_TFT_aux_expanded = EXPAND_LET_RULE
(theorem `cohn_TTFF_aux` `cohn_TTFF_TFT_aux`);;
% shlb %
set_goal([],
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
((~(CSF rep (fetch rep (ram, (address rep p)))) /\
(~(DSF rep (fetch rep (ram, (address rep p)))=(T,T,F))) /\
(~(DSF rep (fetch rep (ram, address rep p))=(T,T,T))) /\
(FSF rep (fetch rep (ram, address rep p)) = (T,T,F,F)) /\
(MSF rep (fetch rep (ram, address rep p)) = (T,T))) ==>
(SHLB rep (a, x, y, p, b, stop, ram) =
















rep (p, wordn rep 1))):bool");;
e (IMP_RES_TAC (EXPAND_LET_RULE cohn_noinc)
THEN ASM_REWRITE_TAC[]
THEN ASM_REWRITE_TAC[]);;
e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
[el 19 asl] (el 1 asl)))
THEN ASM_REWRITE_TAC[]);;
e (ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE
[] (el 1 asl))));;






reg_eqv; write_reg; PAIR_EQ]);;














reg_eqv; write_reg; PAIR_EQ]);;




THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;








THEN ASM_REWRITE_TAC [reg_eqv; write_reg; PAIR_EQ]);;
Appendix D: MACRO LEVEL SPECIFICATION
File: def_ucode.ml
Description: Defines the selectors for fields of a microinstruction










let Maddr = new_definition
(`Maddr`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Maddr (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = ua"
);;
let Seqctl = new_definition
(`Seqctl`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)




let Aluctl = new_definition
(`Aluctl`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Aluctl (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = actl"
);;
let Dec_ctl = new_definition
(`Dec_ctl`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Dec_ctl (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = decctl"
);;
let R = new_definition
(`R`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
R (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = rd"
);;
let W = new_definition
(`W`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
W (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = wr"
);;
let Io = new_definition
(`Io`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Io (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = inout"
);;
let Mrf = new_definition
(`Mrf`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Mrf (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = urf"
);;
let Mdf = new_definition
(`Mdf`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Mdf (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = udf"
);;
let Rfc = new_definition
(`Rfc`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Rfc (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = rfctl"
);;
let Dfc = new_definition
(`Dfc`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Dfc (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = dfctl"
);;
let De = new_definition
(`De`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
De (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = den"
);;
let Re = new_definition
(`Re`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Re (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = ren"
);;
let Adrs = new_definition
(`Adrs`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Adrs (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = asel"
);;
let Ds = new_definition
(`Ds`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Ds (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),
(den,ren), (asel,dsel,msel)) = dsel"
);;
let Ms = new_definition
(`Ms`,
"!(rd wr inout decctl rfctl dfctl den ren asel dsel:bool)
(urf msel:bt2) (sctl udf:bt3) (actl:bt4) (ua:bt7).
Ms (ua,(sctl,actl),decctl,(rd,wr,inout),(urf,udf,rfctl,dfctl),




%The Macro level of Viper
University of California, Davis
Viper's macro level
modifications
- changed formatting and reordered opnds to add rep
- SUBS changed to SUBO
- changed write_preg so that if skip, stop is set to F
- changed SHL to use ovflw = bitn rep idr
- added expanded defns for load_m, load_r, etc
%
system `/bin/rm macro_def.th`;;




let rep_ty = abstract_type `aux_def` `opcode`;;
let load_m = new_definition(`load_m`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(ir:*wordn) (ram:*memory) .
load_m rep (a, x, y, p, ir, ram) =
let msfValue = (MSF rep ir) in
let tmp = (address rep ir) in
let addr = (pad rep tmp) in
((msfValue = (F,F)) => (F, addr) |
((msfValue = (F,T)) => (F, (fetch rep (ram, (address rep addr)))) |
((msfValue = (T,F)) => (let t = (add rep (x, addr)) in
((valid_address rep t) =>
(F, fetch rep (ram, (address rep t))) |
(T, addr))) |
(let t = (add rep (y, addr)) in
((valid_address rep t) =>
(F, (fetch rep (ram, (address rep t)))) |
(T, addr))))))");;
save_thm(`load_m_expanded`, EXPAND_LET_RULE load_m);;
let load_io = new_definition(`load_io`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(ir:*wordn) (ram:*memory) .
load_io rep (a, x, y, p, ir, ram) =
let msfValue = (MSF rep ir) in
let tmp = (address rep ir) in
let addr = (pad rep tmp) in
((msfValue = (F,F)) => (F, addr) |
((msfValue = (F,T)) => (F, (fetchio rep (ram, (address rep addr)))) |
((msfValue = (T,F)) => (let t = (add rep (x, addr)) in
((valid_address rep t) =>
(F, fetchio rep (ram, (address rep t))) |
(T, addr))) |
(let t = (add rep (y, addr)) in
((valid_address rep t) =>
(F, (fetchio rep (ram, (address rep t)))) |
(T, addr))))))");;
save_thm(`load_io_expanded`, EXPAND_LET_RULE load_io);;
let load_r = new_definition(`load_r`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(ir:*wordn) .
load_r rep (a, x, y, p, ir) =
let rsfValue = (RSF rep ir) in
((rsfValue = (F,F)) => a |
((rsfValue = (F,T)) => x |
((rsfValue = (T,F)) => y |
p)))");;
save_thm(`load_r_expanded`, EXPAND_LET_RULE load_r);;
let write_reg = new_definition(`write_reg`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) (newb:bool).
write_reg rep (a, x, y, p, b, stop, ir, ram, value, newb) =
let dsfValue = (DSF rep ir) in
((dsfValue = (F,F,F)) => (value, x, y, p, newb, stop, ram) |
((dsfValue = (F,F,T)) => (a, value, y, p, newb, stop, ram) |
((dsfValue = (F,T,F)) => (a, x, value, p, newb, stop, ram) |
(a, x, y, p, b, T, ram))))");;








let write_preg = new_definition(`write_preg`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ir:*wordn) (ram:*memory) (value:*wordn) .
write_preg rep (a, x, y, p, b, stop, ir, ram, value) =
let dsfValue = (DSF rep ir) in
let call = ((CSF rep ir) = (F)) /\ ((FSF rep ir) = (F,F,F,T)) in
((dsfValue = (F,F,F)) => (value, x, y, p, b, stop, ram) |
((dsfValue = (F,F,T)) => (a, value, y, p, b, stop, ram) |
((dsfValue = (F,T,F)) => (a, x, value, p, b, stop, ram) |
((dsfValue = (T,T,F)) => (a, x, y, p, b, T, ram) |
((dsfValue = (T,T,T)) => (a, x, y, p, b, T, ram) |
((((dsfValue = (T,F,F)) /\ ~b) \/
((dsfValue = (T,F,T)) /\ b)) => (a, x, y, p, b, F, ram) |
x, p, value, b, ((~(valid_address rep value)) \/ stop),
b:bool)




let CMP = new_definition(`CMP`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
CMP rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idr = (load_r rep (a, x, y, newp, ir)) in
let idm = (SND m) in
let fsf = (FSF rep ir) in




let NEG = new_definition(`NEG`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (stop:bool) (ram:*memory) .
NEG rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let result = (neg rep idm) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;
%
Add without overflow detection.
%
let ADDB = new_definition(`ADDB`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (stop:bool) (ram:*memory) .
ADDB rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (add rep (idr, idm)) in % get result, addition with carry %
let carry = (addp rep (idr, idm, result)) in % get carry %
write_reg rep (a, x, y, newp, b, F, ir, ram, result, carry)))))))");;
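The definitions of load_m, load_r, write_reg and ADDB above share one shape: propagate stop, check that the incremented p is still a valid address, decode the operand fields, and trap every illegal condition (index outside the address space, illegal destination register) by setting stop instead of writing a register. The Python below is an added illustration of that shape, not the report's HOL text and not code from the Viper project. It assumes 32-bit words, 20-bit addresses and a constructed packing of the rsf/msf/dsf fields into an instruction word; the report's RSF/MSF/DSF selectors are abstract, so nothing here is a claim about Viper's real instruction layout. Unwritten memory locations read as zero, another assumption of the model.

```python
"""Executable model of the macro-level instruction shape in macro_def.ml.

Added illustration, not the report's HOL.  Assumptions (not taken from the
page): 32-bit words, 20-bit addresses, and a constructed packing of the
rsf/msf/dsf fields into an instruction word.
"""
from typing import Dict, NamedTuple, Tuple

WORD_BITS, ADDR_BITS = 32, 20                  # assumed widths
WORD_MASK = (1 << WORD_BITS) - 1
ADDR_MASK = (1 << ADDR_BITS) - 1


class State(NamedTuple):                       # the 7-tuple (a, x, y, p, b, stop, ram)
    a: int
    x: int
    y: int
    p: int
    b: bool
    stop: bool
    ram: Dict[int, int]


# Constructed packing: addr in bits 0-19, dsf 20-22, msf 23-24, rsf 25-26.
def mk_instr(rsf: int, msf: int, dsf: int, addr: int) -> int:
    return (rsf << 25) | (msf << 23) | (dsf << 20) | (addr & ADDR_MASK)


def RSF(ir: int) -> int: return (ir >> 25) & 3       # stands in for 'RSF rep ir'
def MSF(ir: int) -> int: return (ir >> 23) & 3       # 'MSF rep ir'
def DSF(ir: int) -> int: return (ir >> 20) & 7       # 'DSF rep ir'
def address(ir: int) -> int: return ir & ADDR_MASK   # 'address rep' padded to a word


def valid_address(w: int) -> bool:               # 'valid_address rep w'
    return 0 <= w <= ADDR_MASK


def fetch(ram: Dict[int, int], addr: int) -> int:
    return ram.get(addr & ADDR_MASK, 0)          # unwritten locations read as 0 (assumption)


def load_r(a, x, y, p, ir) -> int:               # rsf: 00=a, 01=x, 10=y, 11=p
    return (a, x, y, p)[RSF(ir)]


def load_m(a, x, y, p, ir, ram) -> Tuple[bool, int]:
    """Return (invalid, operand), the same pair load_m yields in the HOL."""
    addr, msf = address(ir), MSF(ir)
    if msf == 0:                                 # literal operand
        return (False, addr)
    if msf == 1:                                 # direct memory operand
        return (False, fetch(ram, addr))
    t = ((x if msf == 2 else y) + addr) & WORD_MASK   # x- or y-indexed
    if valid_address(t):
        return (False, fetch(ram, t))
    return (True, addr)                          # index left the address space


def write_reg(a, x, y, p, b, stop, ir, ram, value, newb) -> State:
    dsf = DSF(ir)
    if dsf == 0:
        return State(value, x, y, p, newb, stop, ram)
    if dsf == 1:
        return State(a, value, y, p, newb, stop, ram)
    if dsf == 2:
        return State(a, x, value, p, newb, stop, ram)
    return State(a, x, y, p, b, True, ram)       # any other destination: stop


def ADDB(st: State) -> State:
    """Add without overflow detection; the carry goes into b."""
    a, x, y, p, b, stop, ram = st
    if stop:                                     # a stopped machine stays stopped
        return st
    newp = (p + 1) & WORD_MASK
    if not valid_address(newp):                  # p ran off the end of memory
        return State(a, x, y, newp, b, True, ram)
    ir = fetch(ram, p)
    invalid, idm = load_m(a, x, y, newp, ir, ram)
    if invalid:                                  # invalid memory load
        return State(a, x, y, newp, b, True, ram)
    idr = load_r(a, x, y, newp, ir)
    total = idr + idm
    result, carry = total & WORD_MASK, total > WORD_MASK   # 'addp rep (idr, idm, result)'
    return write_reg(a, x, y, newp, b, False, ir, ram, result, carry)


def run_demo() -> list:
    """Constructed three-instruction program; returns the successive states."""
    ram = {0: mk_instr(rsf=0, msf=1, dsf=1, addr=0x100),   # x := a + mem[0x100]
           1: mk_instr(rsf=1, msf=2, dsf=0, addr=0x200),   # a := x + mem[x + 0x200]
           2: mk_instr(rsf=0, msf=0, dsf=5, addr=7),       # illegal dsf -> stop
           0x100: 0xFFFFFFFF, 0x200: 5}
    states = [State(a=1, x=0, y=0, p=0, b=False, stop=False, ram=ram)]
    for _ in range(4):
        states.append(ADDB(states[-1]))
    return states
```

In run_demo the first add wraps (1 + 0xFFFFFFFF), so b receives the carry; the third instruction names a destination that write_reg does not accept, so the machine stops with its registers unchanged and every later ADDB returns the state untouched. Driving ADDB with p at the last valid address, or with an indexed operand whose sum leaves the 20-bit space, takes the two remaining stop paths.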
%
Add with overflow detection.
%
let ADDS = new_definition(`ADDS`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
ADDS rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (add rep (idr, idm)) in
let ovflw = (aovfl rep (idr, idm, result)) in % detect overflow %
write_preg rep (a, x, y, newp, b, ovflw, ir, ram, result)))))))");;
%
Subtract without overflow detection.
%
let SUBB = new_definition(`SUBB`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn)
(b:bool) (stop:bool) (ram:*memory) .
SUBB rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (sub rep (idr, idm)) in
let carry = (subp rep (idr, idm, result)) in % detect carry %
write_reg rep (a, x, y, newp, b, F, ir, ram, result, carry)))))))");;
%
Subtract with overflow detection
%
let SUBO = new_definition(`SUBO`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool) (stop:bool) (ram:*memory) .
SUBO rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (sub rep (idr, idm)) in
let ovflw = (sovfl rep (idr, idm, result)) in % overflow detection %
write_preg rep (a, x, y, newp, b, ovflw, ir, ram, result)))))))");;
%
Exclusive OR between two operands
%
let XOR = new_definition(`XOR`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
XOR rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (bxor rep (idr, idm)) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;
%
And between two operands
%
let AND = new_definition(`AND`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
AND rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (band rep (idr, idm)) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;
%
NOR between two operands
%
let NOR = new_definition(`NOR`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
NOR rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (bnor rep (idr, idm)) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;
%
ANDMBAR between two operands
%
let ANDMBAR = new_definition(`ANDMBAR`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
ANDMBAR rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (band rep (idr, bnot rep idm)) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))))");;
%
Shift right, copy sign bit
%
let SHR = new_definition(`SHR`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
SHR rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (shr rep idr) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, b)))))");;
%
Shift right through b
%
let SHRB = new_definition(`SHRB`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
SHRB rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (shrb rep (idr, b)) in
let newb = (bit0 rep idr) in




"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
SHL rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (shl rep idr) in
% let ovflw = (aovfl rep (idr, idr, result)) in %
let ovflw = (bitn rep idr) in
write_reg rep (a, x, y, newp, b, ovflw, ir, ram, result, b)))))");;
%
Shift left through b
%
let SHLB = new_definition(`SHLB`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
SHLB rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let result = (shlb rep (idr, b)) in
let newb = (bitn rep idr) in
write_reg rep (a, x, y, newp, b, F, ir, ram, result, newb)))))");;
let CALL = new_definition(`CALL`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
CALL rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
let idr = (load_r rep (a, x, y, newp, ir)) in
let dsf = (DSF rep ir) in
(a, x, newp, idm, b, (~(valid_address rep idm)), ram)))))))");;
% was: write_preg rep(a, x, y, newp, b, F, ir, ram, idm)))))))");; %
let READM = new_definition(`READM`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
READM rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_m rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
write_preg rep (a, x, y, newp, b, F, ir, ram, idm)))))))");;
let READIO = new_definition(`READIO`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
READIO rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let m = (load_io rep (a, x, y, newp, ir, ram)) in
((FST m) => % invalid memory load %
(a, x, y, newp, b, T, ram) |
(let idm = (SND m) in
write_reg rep (a, x, y, newp, b, F, ir, ram, idm, b)))))))");;
let WRITEIO = new_definition(`WRITEIO`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
WRITEIO rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let value = load_r rep (a, x, y, newp, ir) in
let msfValue = (MSF rep ir) in
let addr = (address rep ir) in
((msfValue = (F,F)) => (a, x, y, newp, b, T, ram) |
((msfValue = (F,T)) =>
(a, x, y, newp, b, F, (storeio rep (ram, addr, value))) |
((msfValue = (T,F)) => (let t = (add rep (x, (pad rep addr))) in
((valid_address rep t) =>
(a, x, y, newp, b, F, (storeio rep(ram,(address rep t), value))) |
(a, x, y, newp, b, T, ram))) |
(let t = (add rep (y, (pad rep addr))) in
((valid_address rep t) =>
(a, x, y, newp, b, F, (storeio rep(ram,(address rep t), value))) |
(a, x, y, newp, b, T, ram))))))))))");;
let WRITEM = new_definition(`WRITEM`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
WRITEM rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(let ir = (fetch rep (ram, address rep p)) in
let value = load_r rep (a, x, y, newp, ir) in
let msfValue = (MSF rep ir) in
let addr = (address rep ir) in
((msfValue = (F,F)) => (a, x, y, newp, b, T, ram) | % msf = 00 %
((msfValue = (F,T)) =>
(a, x, y, newp, b, F, (store rep (ram, addr, value))) |
((msfValue = (T,F)) => (let t = (add rep (x, (pad rep addr))) in
((valid_address rep t) =>
(a, x, y, newp, b, F, (store rep(ram,(address rep t), value))) |
(a, x, y, newp, b, T, ram))) |
(let t = (add rep (y, (pad rep addr))) in
((valid_address rep t) =>
(a, x, y, newp, b, F, (store rep(ram,(address rep t), value))) |
(a, x, y, newp, b, T, ram))))))))))");;
let NOOP_M = new_definition(`NOOP_M`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) .
NOOP_M rep (a, x, y, p, b, stop, ram) =
(stop => (a, x, y, p, b, stop, ram) |
(let newp = (add rep (p, wordn rep 1)) in
((~valid_address rep newp) =>
(a, x, y, newp, b, T, ram) |
(a, x, y, add rep (p, (wordn rep 1)), b, F, ram))))");;
let macro_state = ":((*wordn)#(*wordn)#(*wordn)#(*wordn)#bool#bool#(*memory))";;
let macro_env = ":(bool)";;
%
ABS_ENV takes a function of type (macro_state -> macro_state)
and creates a function of type (macro_state -> macro_env -> macro_state).
The purpose of this function is to make the functions defining the
instructions have the right type for use in the instruction list.
%
let ABS_ENV = new_definition
(`ABS_ENV`,
"! (f:^macro_state->^macro_state) (x:^macro_state) (y:^macro_env) .
ABS_ENV f x y = f x"
);;



































































% return the key based on the state %
let Opcode = new_definition
(`Opcode`,
"! (rep:^rep_ty) (a:*wordn) (x:*wordn) (y:*wordn) (p:*wordn) (b:bool)
(stop:bool) (ram:*memory) (reset:bool) .
Opcode rep (a, x, y, p, b, stop, ram) reset =
(FST (SND (decode rep ((opcode rep
(fetch rep (ram, address rep p))), b))))");;
% Opc_Val will be used to instantiate key in mk_macro.ml %












let REG_LIST_LENGTH = new_definition
('REG_LIST_LENGTH',
"REG_LIST_LENGTH (rep:^rep_ty) =




THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
THEN REWRITE_TAC[LENGTH_CONS]
THEN DISCH_TAC
THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( rev (CONJUNCTS thm )))
THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm )
THENL
[ALL_TAC ;
POP_ASSUM(\thm. DISJ_CASES_TAC thm )
]
THEN POP_ASSUM(\theCase.
POP_ASSUM(\thm. ASSUME_TAC( REWRITE_RULE[theCase] thm))
THEN REWRITE_TAC [theCase] )
THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm )
THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( rev(CONJUNCTS thm) ))
THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm )
THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( rev(CONJUNCTS thm) ))
THEN POP_ASSUM(\thm. CHOOSE_THEN CHOOSE_TAC thm )
THEN POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( rev(CONJUNCTS thm) ))
THEN ASM_REWRITE_TAC []
THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
THEN REWRITE_TAC [EL;SET_EL;HD;TL];;
Run time: 76.5s
Intermediate theorems generated: 4412
.....................................
let INDEP_A_UPDATE = prove_thm('INDEP_A_UPDATE',
"!(n:num) (l:*wordn list) (z:*wordn).
( ((n = x_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )
==> ((EL n (SET_EL a_reg l z) ) = EL n l)",
EL_SET_EL_TAC );;
let INDEP_X_UPDATE = prove_thm('INDEP_X_UPDATE',
"!(n:num) (l:*wordn list) (z:*wordn) .
( ((n = a_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )
==> ((EL n (SET_EL x_reg l z) ) = EL n l)",
EL_SET_EL_TAC );;
let INDEP_Y_UPDATE = prove_thm('INDEP_Y_UPDATE',
"! (n:num) (l:*wordn list) (z:*wordn).
( ((n = a_reg) \/ (n = x_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )
==> ((EL n (SET_EL y_reg l z) ) = EL n l)",
EL_SET_EL_TAC );;
let INDEP_P_UPDATE = prove_thm('INDEP_P_UPDATE',
"!(n:num) (l:*wordn list) (z:*wordn) .
( ((n = a_reg) \/ (n = x_reg) \/ (n = y_reg)) /\
(LENGTH l = p_reg) )




let LISTa_CORRECT = prove_thm('LISTa_CORRECT',
"!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
(EL a_reg (update_reg l (F,T,T) (b (t:num))
(add (rep:^rep_ty) (EL p_reg l, wordn rep 1)) ) =






(SPECL ["a_reg"; "l:(*wordn) list";
"(add (rep:^rep_ty)(EL p_reg l,wordn rep 1))"]
INDEP_P_UPDATE ) )
THEN ASM_REWRITE_TAC [] );;
let LISTx_CORRECT = prove_thm('LISTx_CORRECT',
"!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
(EL x_reg (update_reg l (F,T,T) (b (t:num))
(add (rep:^rep_ty) (EL p_reg l, wordn rep 1)) ) =




THEN IMP_RES_TAC (REWRITE_RULE []
(SPECL ["x_reg"; "l:(*wordn) list";
"(add (rep:^rep_ty)(EL p_reg l,wordn rep 1))"]
INDEP_P_UPDATE ) )
THEN ASM_REWRITE_TAC [] );;
let LISTy_CORRECT = prove_thm('LISTy_CORRECT',
"!(l:(*wordn) list) b t. (LENGTH l = p_reg) ==>
(EL y_reg (update_reg l (F,T,T) (b (t:num))
(add (rep:^rep_ty) (EL p_reg l, wordn rep 1)) ) =
EL y_reg l )",
REPEAT GEN_TAC
THEN DISCH_TAC
THEN REWRITE_TAC [update_reg;PAIR_EQ]
THEN IMP_RES_TAC (REWRITE_RULE []
(SPECL ["y_reg"; "l:(*wordn) list";
"(add (rep:^rep_ty)(EL p_reg l,wordn rep 1))"]
INDEP_P_UPDATE ) )
THEN ASM_REWRITE_TAC [] );;
map (delete_cache o fst) (cached_theories());;
Use this to generate goals for correct instantiation (implementation) proofs.
** This redefines the one in mk_mac_7 **
.............................................................................
let MK_INST_CORRECT_GOAL n =
let inst = term_list_el n
(snd(dest_eq(
snd(dest_forall(concl macro_inst_list))))) in
"!(rep:^rep_ty) (regs:time->(*wordn)list) (m ins din dout:time->*wordn)






(\t. (reg t,m t,ins t,din t,dout t, ram t,b t,stop t,ovl t, mar t,
res t, mpc t))
(\t. reset_e t) ^inst)";;
let int_to_term = ((C o curry) mk_const ":num") o string_of_int and
term_to_int = (int_of_string o fst o dest_const);;
let sum_to_term x y = int_to_term (x+y);;
let sumTerm x y =




mk_const( (string_of_int x), mk_type('num',[]))),
mk_const( (string_of_int y), mk_type('num',[])));;
let t_plus_term y =





mk_const( (string_of_int y), mk_type('num',[])));;
let sumTHM x y =
REWRITE_RULE [
(REWRITE_RULE [ADD_CLAUSES;
SYM_RULE((TOP_DEPTH_CONV num_CONV) (sum_to_term x y ) )]
((TOP_DEPTH_CONV num_CONV) (sumTerm x y) ))]
(SPECL ["t"; int_to_term x; int_to_term y] (SYM_RULE ADD_ASSOC));;
let T_DIFF_TAC x y =
REWRITE_TAC [SPECL ["t";x;y] (SYM_RULE ADD_ASSOC)]
THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
THEN REWRITE_TAC [ADD_CLAUSES];;
set_goal([],"(t+3)+4 = t+7");;





let T2 = prove_thm ('T2', "!t. (t + 1) + 1 = t + 2", PLUS_ONE_TAC "2" );;
let T3 = prove_thm ('T3', "!t. (t + 2) + 1 = t + 3", PLUS_ONE_TAC "3" );;
let T4 = prove_thm ('T4', "!t. (t + 3) + 1 = t + 4", PLUS_ONE_TAC "4" );;
let T5 = prove_thm ('T5', "!t. (t + 4) + 1 = t + 5", PLUS_ONE_TAC "5" );;
let T6 = prove_thm ('T6', "!t. (t + 5) + 1 = t + 6", PLUS_ONE_TAC "6" );;
let T7 = prove_thm ('T7', "!t. (t + 6) + 1 = t + 7", PLUS_ONE_TAC "7" );;
let T8 = prove_thm ('T8', "!t. (t + 7) + 1 = t + 8", PLUS_ONE_TAC "8" );;
let T9 = prove_thm ('T9', "!t. (t + 8) + 1 = t + 9", PLUS_ONE_TAC "9" );;
let T10 = prove_thm ('T10', "!t. (t + 9) + 1 = t + 10", PLUS_ONE_TAC "10" );;
let T11 = prove_thm ('T11', "!t. (t + 10) + 1 = t + 11", PLUS_ONE_TAC "11" );;
let T12 = prove_thm ('T12', "!t. (t + 11) + 1 = t + 12", PLUS_ONE_TAC "12" );;
let T13 = prove_thm ('T13', "!t. (t + 12) + 1 = t + 13", PLUS_ONE_TAC "13" );;
let T14 = prove_thm ('T14', "!t. (t + 13) + 1 = t + 14", PLUS_ONE_TAC "14" );;
let T15 = prove_thm ('T15', "!t. (t + 14) + 1 = t + 15", PLUS_ONE_TAC "15" );;
let T16 = prove_thm ('T16', "!t. (t + 15) + 1 = t + 16", PLUS_ONE_TAC "16" );;
let T17 = prove_thm ('T17', "!t. (t + 16) + 1 = t + 17", PLUS_ONE_TAC "17" );;
let T18 = prove_thm ('T18', "!t. (t + 17) + 1 = t + 18", PLUS_ONE_TAC "18" );;
let T_THMS = [T2;T2;T3;T4;T5;T6;T7;T8;T9;T10;T11;T12;T13;T14;T15;T16;T17;T18];;
Define the relationship between selectors op and address and the
constructor join




address rep(ad) ))) = opcode rep(fet)");;




address rep(ad) ))) = address rep(ad)");;





address rep(ad) ))) = DSF rep(fet)");;




address rep(ad) ))) = MSF rep(fet)");;
let address_pad_address = mk_thm([], "!w.
(address (rep:^rep_ty) (pad rep (address rep(w)))) =
address rep( w )");;




address rep(ad) ))) = FSF rep(fet)");;
NORMAL_SYMB_EXEC takes as arguments a microinstruction to expand
and one of the "T" theorems from above
should append _TAC to the name
let NORMAL_SYMB_EXEC n T =
IMP_RES_TAC (el n Micro_Int_Inst_list)
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thml.
% note that thm thml are not used %
MAP_EVERY ASSUME_TAC (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;T;op_join_op;address_join_address;
DSF_join_op;RSF_join_op;address_pad_address]
@ (subtract asl[(el 1 asl)])) (el 1 asl)) ))))
THEN NORMAL_POP_ASSUM_TAC ;;
NEXT_SYMB_EXEC_TAC determines what the next microinstruction
expansion should be based on the mpc (on top of assumption stack).
It then invokes NORMAL_SYMB_EXEC passing one of the T_THMS.
(term_to_int(bt_val_func(snd(dest_eq(snd(dest_thm( (el 1 asl)))))))+1) t);;
................................................................
let mpc_from_thm thm =
(term_to_int (bt_val_func(snd(dest_eq(snd(dest_thm( thm ) ) ) )) ) ) ;;
let NEXT_SYMB_EXEC_TAC theTime =
let t = (el theTime T_THMS) in
ASSUM_LIST(\asl. NORMAL_SYMB_EXEC (mpc_from_thm (el 1 asl)+1) t);;
% CASES_NEXT_SYMB_EXEC_TAC may be outdated %
let CASES_NEXT_SYMB_EXEC_TAC theTime theCond =
let t = (el theTime T_THMS) in
ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el 1 asl)+1) Micro_Int_Inst_list))
THEN ASM_CASES_TAC theCond
THEN ASSUM_LIST (\asl. POP_ASSUM(\keep.
POP_ASSUM(\thm. POP_ASSUM(\thml.
% note that thm thml are not used %
MAP_EVERY ASSUME_TAC ( [keep] @ (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;t] @ (subtract asl[thm])) thm) ))))))
THEN NORMAL_POP_ASSUM_TAC ;;
The following definitions help remove unneeded theorems from the assertion
list. After using NORMAL_SYMB_EXEC, there are many theorems from the
previous step that can be eliminated.
The tactic DELETE_USTEP_TAC expects a number argument and removes all
theorems from the assumption list corresponding to that time.
is_at_time_of 2 "foo(t+1):bool = false";;
(is_at_time_of 1 "foo(t+1) = false") = false;;
(is_at_time_of 1 "~foo(t+1)") = true;;
let is_at_time_of utime tok =
if( is_eq tok)
then (let l = lhs(tok) in
then
% mar(t+1) %
if( is_comb l )
then (let r = rand(l) in % (t+1) %
if( is_comb r )
then (let op = rator(r) in
if( op = "+ t")
then (if (rand(r) = int_to_term(utime) )













else (if (is_neg tok)
then ( let tk = dest_neg(tok) in
if( is_comb tk )





if( is_comb r )
then (let op = rator(r) in
if( op = "+ t")









let FIND_ASSUMS f asl = (filter(f o concl) asl);;
let DELETE_USTEP_TAC when =
POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC (
(rev(subtract asl (FIND_ASSUMS (is_at_time_of when) asl) )) ));;
This function returns the nth term in a "pair". It was defined to
help pull out a case split from inside the state (e.g. valid addressing)
................................................................
letrec pair_el n p =
if ( n = 1) then
if( is_pair p ) then fst(dest_pair(p)) else p
else pair_el (n-1) (snd(dest_pair(p)));;
The following tactic converts an assumption like
[ "mpc(t + 6) = bt7_ival(6 + (bt5_val(F,F,F,F,F)))" ]
to:
[ "mpc(t + 6) = F,F,F,F,T,T,F" ]
It is a modified version of NORMAL_POP_ASSUM_TAC
(who picked that tactic name anyway? :-) )
let JMPOPC_POP_ASSUM_TAC =
POP_ASSUM (\thm. ASSUME_TAC (
CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
CONV_RULE DEC_ADD_CONV (
% DEC_ADD_CONV broken for "0 + 1" %
PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
CONV_RULE (ONCE_DEPTH_CONV bt5_val_CONV) (
REWRITE_RULE [add_bt7] thm))))));;
map (delete_cache o fst) (cached_theories());;
let FETCH_INST_TAC n = % set up everything for all proofs? %
let thm = el (n+1) macro_defn_list in (
let inst_lemma = EXPAND_LET_RULE thm
and inst = term_list_el n
(snd(dest_eq(
snd(dest_forall(concl macro_inst_list))))) in (
REPEAT GEN_TAC
THEN STRIP_TAC
THEN SUBST_TAC [SPEC inst Macro_Int_IMPL_IMP_LEMMA]
THEN ASM_REWRITE_TAC [inst_lemma;ABS_ENV] ))
THEN STRIP_TAC % don't use REPEAT STRIP_TAC! %
THEN STRIP_TAC
THEN STRIP_TAC
THEN % specialize the LISTx assumptions but preserve the assumption order %
POP_ASSUM_LIST(\asl.
ASSUME_TAC (el 5 asl)










THEN ASSUME_TAC (el 4 asl) THEN ASSUME_TAC (el 3 asl)
THEN ASSUME_TAC (el 2 asl) THEN ASSUME_TAC (el 1 asl) )
THEN ASSUM_LIST (\asl. ASSUME_TAC (REWRITE_RULE[(el 2 asl);PAIR_EQ]
(EXPAND_LET_RULE (SPECL
["fetch (rep:^rep_ty) (ram (t:num),
address rep (EL p_reg (reg (t:num)))):*wordn";
"(b (t:num)):bool"]
(PURE_REWRITE_RULE[DECODE_M_CORRECTLY_IMP] (el 4 asl))))))
THEN ASSUM_LIST(\asl. ASSUME_TAC (REWRITE_RULE[(el 3 asl);PAIR_EQ] (SPEC
(fst(dest_eq(snd(dest_thm(el 3 asl))))) MacroLevelCycles)))
THEN ASM_REWRITE_TAC[]
% take care of stop case %
THEN ASM_CASES_TAC "(stop (t:num)):bool"
THEN ASSUM_LIST(\asl. REWRITE_TAC [el 1 asl] )
THENL [ % subgoal 1 (stop t) %
ASSUM_LIST(\asl. IMP_RES_TAC
(SPECL [(snd(dest_eq(snd(dest_thm(el 2 asl)))));"t:num"] stop_thm))
THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC
(CONJUNCTS (REWRITE_RULE [PAIR_EQ] (el 1 asl))))
THEN ASM_REWRITE_TAC[PAIR_EQ]
; % subgoal 2 ~stop t %
NORMAL_SYMB_EXEC 1 T2 % T2 here is a placeholder %
THEN NORMAL_SYMB_EXEC 2 T2
THEN COND_CASES_TAC
THENL [ % subgoal 2.1 ~valid_address %
NORMAL_SYMB_EXEC 3 T3
% The processor is now stopped due to an addressing exception %
% specialize and rewrite stop_thm show nothing will change %
THEN ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE
[(el 5 asl);(el 43 asl);(el 1 asl)] (SPECL [(int_to_term
((term_to_int (snd(dest_eq(snd(dest_thm
(REWRITE_RULE [PAIR_EQ] (el 39 asl)))))))-3) );
"(t+3):num"] stop_thm) ))
THEN ASSUM_LIST(\asl. (POP_ASSUM(\thm.
(MAP_EVERY ASSUME_TAC (CONJUNCTS (REWRITE_RULE
([PAIR_EQ; (sumTHM 3
((term_to_int(snd(dest_eq(snd(dest_thm
(el 40 asl) )))))-3))
] @ (subtract asl[(el 1 asl)])) (el 1 asl)) )) )))
THEN ASM_REWRITE_TAC [PAIR_EQ]
THEN REWRITE_TAC [update_reg; PAIR_EQ;EL_SET_EL]
; % subgoal 2.2 valid_address %
POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [] thm))
THEN NORMAL_SYMB_EXEC 3 T3
THEN DELETE_USTEP_TAC 1 THEN DELETE_USTEP_TAC 2
]];;
map (delete_cache o fst) (cached_theories());;
let INDEP_REG_TAC aReg INDEP_THM =
ASSUM_LIST(\asl. REWRITE_TAC
[(REWRITE_RULE [( SPEC "(update_reg(reg (t:num))(F,T,T)
(add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"
(REWRITE_RULE [REG_LIST_LENGTH] (last asl)) )]
(SPECL [aReg; "(update_reg(reg (t:num))(F,T,T)
(add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))" ] INDEP_THM))]);;
% |- EL 1 = EL x_reg %
let ELX = AP_TERM "EL:num->((*wordn)list->*wordn)" (SYM X);;
% |- SET_EL 1 = SET_EL x_reg %
let SET_ELX = AP_TERM "SET_EL:num->((*wordn)list -> (*wordn -> (*wordn)list))"
(SYM X);;
let THREE_TUPLE_CASES_ASSOC = prove_thm('THREE_TUPLE_CASES_ASSOC',
"!b.
((((b = T,T,T) \/ (b = F,T,T)) \/ (b = T,F,T) \/ (b = F,F,T)) \/
((b = T,T,F) \/ (b = F,T,F)) \/
(b = T,F,F) \/
(b = F,F,F))
= ( (b = F,F,F) \/
(b = F,F,T) \/
(b = F,T,F) \/
(b = F,T,T) \/
(b = T,F,F) \/
(b = T,F,T) \/
(b = T,T,F) \/
(b = T,T,T) )",
GEN_TAC
THEN ASM_CASES_TAC "(b = F,F,F)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = F,F,T)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = F,T,F)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = F,T,T)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = T,F,F)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = T,F,T)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = T,T,F)"
THENL[ ALL_TAC; ASM_CASES_TAC "(b = T,T,T)"
]]]]]]]
THEN ASM_REWRITE_TAC [OR_CLAUSES;PAIR_EQ]
);;
let THREE_TUPLE_VALUE_ASSOC_LEMMA = prove_thm('THREE_TUPLE_VALUE_ASSOC_LEMMA',
"!b. (b = F,F,F) \/
(b = F,F,T) \/
(b = F,T,F) \/
(b = F,T,T) \/
(b = T,F,F) \/
(b = T,F,T) \/
(b = T,T,F) \/
(b = T,T,T)",
GEN_TAC
THEN SUBST_TAC [SYM (SPEC "b" THREE_TUPLE_CASES_ASSOC)]
THEN REWRITE_TAC[(SPEC "b" THREE_TUPLE_VALUE_LEMMA)] );;
let THREE_TUPLE_IMP1 = prove_thm('THREE_TUPLE_IMP1',
"!b. ((b = F,F,F) \/
(b = F,F,T) \/
(b = F,T,F) )
==> ~((b = F,T,T) \/
(b = T,F,F) \/
(b = T,F,T) \/




THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
THEN (POP_ASSUM(\thm. DISJ_CASES_TAC thm) ORELSE ALL_TAC)
THEN ASM_REWRITE_TAC [PAIR_EQ]
);;
let RSF_CASES = SPEC
"(RSF (rep:^rep_ty)(fetch rep(ram t,address rep(EL p_reg(reg t)))))"
TWO_TUPLE_VALUE_LEMMA;;
let DSF_CASES = SPEC
"(DSF (rep:^rep_ty)(fetch rep(ram t,address rep(EL p_reg(reg t)))))"
THREE_TUPLE_VALUE_ASSOC_LEMMA;;
let AXY_DSF_CASES =
"~((DSF (rep:^rep_ty)(fetch rep(ram t,address rep(EL p_reg(reg t)))) = F,F,F)
\/ (DSF rep(fetch rep(ram t,address rep(EL p_reg(reg t)))) = F,F,T)
\/ (DSF rep(fetch rep(ram t,address rep(EL p_reg(reg t)))) = F,T,F))";;
let AXY_IMP1 = (SPEC




DISJ_CASES_TAC RSF_CASES % cond on RSF - 4 subgoals proved %
THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
THEN % rewrite (reg t+10) with the conditions and asl %
ASSUM_LIST(\asl. let regsVal = (el 14 asl) in ASSUME_TAC(
REWRITE_RULE [PAIR_EQ;bt3_val;(SYM A);(SYM Y);(SYM P);ELX;SET_ELX]
(ONCE_REWRITE_RULE[update_reg]
(REWRITE_RULE ( (subtract asl[regsVal]) @
[bt2_val;bt3_val;(SYM A);(SYM Y);(SYM P)]) regsVal ))) )
THEN ASM_REWRITE_TAC [PAIR_EQ;EL_SET_EL];;
let ELP_SET_ELP = TAC_PROOF (([], "!(newVal:*wordn) b.
(EL p_reg (update_reg (reg (t:num)) (F,T,T) b newVal)) = newVal"),
REPEAT GEN_TAC
THEN REWRITE_TAC[update_reg;bt3_val;(SYM P);EL_SET_EL;PAIR_EQ] );;
let EL_COND_THM = TAC_PROOF (([], "!(regs:*wordn list) sel.
(EL( (sel = F,F) => a_reg |
(sel = F,T) => x_reg |
(sel = T,F) => y_reg |
p_reg ) regs ) =
((sel = F,F) => EL a_reg regs |
(sel = F,T) => EL x_reg regs |
(sel = T,F) => EL y_reg regs |










SPECL ["(update_reg((reg (t:num)):*wordn list)(F,T,T)(b t)
(add (rep:^rep_ty)(EL p_reg(reg t),wordn rep 1)))";
"(RSF (rep:^rep_ty)(fetch rep(ram (t:num),
address rep(EL p_reg(reg t)))))"]
EL_COND_THM;;
let bt2_reg_def = REWRITE_RULE [(SYM A);(SYM X);(SYM Y);(SYM P)] bt2_val_def;;
let INDEP_A_UPDATE1 = prove_thm('INDEP_A_UPDATE1',
"!(l:*wordn list) (n:num) (z:*wordn).
( ((n = x_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )
==> ((EL n (SET_EL a_reg l z) ) = EL n l)",
EL_SET_EL_TAC );;
let INDEP_X_UPDATE1 = prove_thm('INDEP_X_UPDATE1',
"!(l:*wordn list) (n:num) (z:*wordn).
( ((n = a_reg) \/ (n = y_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )
==> ((EL n (SET_EL x_reg l z) ) = EL n l)",
EL_SET_EL_TAC );;
let INDEP_Y_UPDATE1 = prove_thm('INDEP_Y_UPDATE1',
"!(l:*wordn list) (n:num) (z:*wordn).
( ((n = a_reg) \/ (n = x_reg) \/ (n = p_reg)) /\
(LENGTH l = p_reg) )





let INDEPENDENCE_TAC UPDATE_THM = % 325.6s %
ASSUM_LIST(\asl. ASSUME_TAC(
(REWRITE_RULE [( SPEC "(update_reg(reg (t:num))(F,T,T)(b t)
(add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"
(REWRITE_RULE [REG_LIST_LENGTH] (last asl)) )]
(SPECL ["(update_reg(reg (t:num))(F,T,T)(b t)
(add rep(EL p_reg(reg t),wordn (rep:^rep_ty) 1)))"] UPDATE_THM ))))
THEN POP_ASSUM(\thm. REWRITE_TAC [ELP_SET_ELP;
(REWRITE_RULE[](SPEC "a_reg" thm ));
(REWRITE_RULE[](SPEC "x_reg" thm ));
(REWRITE_RULE[](SPEC "y_reg" thm ));
(REWRITE_RULE[](SPEC "p_reg" thm ))] );;
let EXPAND_REG_TAC = % 235.0s %
ASSUM_LIST(\asl. let regsVal = (el 13 asl) in ASSUME_TAC(
REWRITE_RULE [PAIR_EQ;bt3_val;(SYM A);(SYM Y);(SYM P);ELX;SET_ELX;
bt2_reg_def;SPECl_EL_COND_THM;ELP_SET_ELP]
(ONCE_REWRITE_RULE[update_reg]
(REWRITE_RULE ( (subtract asl[regsVal]) @
[bt2_val;bt3_val;(SYM A);(SYM Y);(SYM P)]) regsVal ))) );;
let EXPAND_B_TAC = % 235.0s %
ASSUM_LIST(\asl. let bVal = (el 8 asl) in ASSUME_TAC(
REWRITE_RULE [PAIR_EQ;bt3_val;(SYM A);(SYM Y);(SYM P);ELX;SET_ELX;
bt2_reg_def;EL_COND_THM;ELP_SET_ELP]
(REWRITE_RULE ( (subtract asl[bVal]) @
[bt2_val;bt3_val;(SYM A);(SYM Y);(SYM P)]) bVal )));;
let EXPAND_COND_TAC thmNum =
ASSUM_LIST(\asl. let thm = (el thmNum asl) in ASSUME_TAC(
REWRITE_RULE [PAIR_EQ;bt3_val;(SYM A);(SYM Y);(SYM P);ELX;SET_ELX;
bt2_reg_def;EL_COND_THM;ELP_SET_ELP]
(REWRITE_RULE ( (subtract asl[thm]) @
[bt2_val;bt3_val;(SYM A);(SYM Y);(SYM P)]) thm )) );;
let FETCH_OPERAND_CASES_TAC =
NORMAL_SYMB_EXEC 4 T4 THEN DELETE_USTEP_TAC 3
THEN NORMAL_SYMB_EXEC 5 T5 THEN DELETE_USTEP_TAC 4
THEN REWRITE_TAC [load_m_expanded; write_reg_expanded; load_r_expanded;
write_preg_expanded]
% construct MSF cases %
THEN ASSUM_LIST(\asl. ASSUME_TAC ( SPEC (snd(dest_comb(snd(dest_comb(snd(
dest_comb(rhs(snd(dest_thm((el 1 asl)))))))))))
TWO_TUPLE_VALUE_LEMMA))
THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm)
THEN POP_ASSUM(\thm. DISJ_CASES_TAC thm);;
let FIND_ASSUM f asl = hd(filter(f o concl) asl);;
let MSF_CASE_MPC_REWRITE_TAC =
ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE [(el 1 asl);bt2_val]
(el 2 asl)))
THEN POP_ASSUM (\thm. ASSUME_TAC (
CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
CONV_RULE DEC_ADD_CONV (
% DEC_ADD_CONV broken for "0 + 1" %
PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] ( thm)))));;
let MSF_FT_FF_FETCH_TAC =










THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
THEN NEXT_SYMB_EXEC_TAC 8 THEN DELETE_USTEP_TAC 7
THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
THEN NEXT_SYMB_EXEC_TAC 12
THEN JMPOPC_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 11;;
let SYMB_EXEC_ASSUM_TAC mpcAsm theTimeThm =
ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el mpcAsm asl)+1) Micro_Int_Inst_list))
THEN POP_ASSUM(\thm. POP_ASSUM(\thml. ASSUM_LIST(\asl. ASSUME_TAC(
(REWRITE_RULE ([theTimeThm] @ asl) thm )))));;
let SYMB_EXEC_ASSUM_TAC1 mpcAsm theTimeThm =
ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el mpcAsm asl)+1) Micro_Int_Inst_list))
THEN POP_ASSUM(\thm. POP_ASSUM(\thml. ASSUM_LIST(\asl.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE(
[PAIR_EQ;theTimeThm;DSF_join_op;op_join_op;address_join_address;
address_pad_address] @ asl) thm) )))));;
% The processor is now stopped due to an addressing exception %
% specialize and rewrite stop_thm show nothing will change %
let EXTEND_STOP_TAC when M_I_thm =
ASSUM_LIST(\asl.
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 1 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (el when asl) ))))) in
ASSUME_TAC( REWRITE_RULE [ (el 1 asl); (el 5 asl) ; (el M_I_thm asl);
(sumTHM curTime (endTime-curTime)) ]
(SPECL[(int_to_term(endTime - curTime)); (t_plus_term curTime)]
stop_thm) ) )






















ASSUM_LIST(\asl. REWRITE_TAC[(el 1 asl);PAIR_EQ] ) % 2567.8s %
THEN MSF_CASE_MPC_REWRITE_TAC
THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
THEN NEXT_SYMB_EXEC_TAC 8 THEN DELETE_USTEP_TAC 7
THEN SYMB_EXEC_ASSUM_TAC 1 T9
% case split based on valid address %
THEN ASSUM_LIST (\asl. ASM_CASES_TAC ( (fst(dest_cond
(pair_el 9 (snd(dest_eq(snd(dest_thm(el 1 asl)))))) )) ))
THENL
[ % .................. ~valid address .......... %
POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
( [theCase] @ (CONJUNCTS
(REWRITE_RULE [PAIR_EQ; theCase] thm) )))))
THEN DELETE_USTEP_TAC 8
THEN ASSUM_LIST(\asl. ASSUME_TAC % (el 13 asl) is valid_address ... %
(REWRITE_R ULE [PAIR_EQ;update_reg] (el 13 asl)) )
THEN ASM_REWRITE_TAC [PAIR_EQ]
% The processor is now stopped due to an addressing exception %
% specialize and rewrite stop_thm show nothing will change %
THEN ASSUM_LIST(\asl.
let MLC tok = (rator(lhs(tok))) = "MacroLevelCycles" ? false in
let endTimeThm = (FIND_ASSUM MLC asl) in
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 2 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (endTimeThm)))))) in
ASSUME_TAC(REWRITE_RULE (asl@[ (sumTHM curTime (endTime-curTime))])
(SPECL [(int_to_term (endTime - curTime )); (t_plus_term curTime)]
stop_thm) ) )
THEN POP_ASSUM(\thm. REWRITE_TAC [(REWRITE_RULE [PAIR_EQ] thm)] )
THEN ASM_REWRITE_TAC []
THEN REWRITE_TAC [ELP_SET_ELP]
; % ..................... now the valid address case ............. %
POP_ASSUM(\thm. ASSUME_TAC ( REWRITE_RULE [] thm ))








( [theCase] @ (CONJUNCTS(REWRITE_RULE[PAIR_EQ;theCase]thm) )))))
THEN ASSUM_LIST(\asl. REWRITE_TAC[(el 13 asl)] )
THEN NORMAL_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 8
THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
THEN NEXT_SYMB_EXEC_TAC 12
THEN JMPOPC_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 11];;
let MSF_TT_FETCH_TAC =
ASSUM_LIST(\asl. REWRITE_TAC[(el 1 asl);PAIR_EQ] ) % 2567.8s %
THEN MSF_CASE_MPC_REWRITE_TAC
THEN NEXT_SYMB_EXEC_TAC 6 THEN DELETE_USTEP_TAC 5
THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
THEN SYMB_EXEC_ASSUM_TAC 1 T8
% case split based on valid address %
THEN ASSUM_LIST (\asl. ASM_CASES_TAC ( (fst(dest_cond
(pair_el 9 (snd(dest_eq(snd(dest_thm(el 1 asl)))))) )) ))
THENL
[ % .................. ~valid address .......... %
POP_ASSUM(\theCase. POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC (
( [theCase] @ (CONJUNCTS
(REWRITE_RULE [PAIR_EQ; theCase] thm) )))))
THEN DELETE_USTEP_TAC 7
THEN ASSUM_LIST(\asl. ASSUME_TAC % (el 13 asl) is valid_address ... %
(REWRITE_RULE [PAIR_EQ;update_reg] (el 13 asl))
THEN ASM_REWRITE_TAC [PAIR_EQ]
% The processor is now stopped due to an addressing exception %
% specialize and rewrite stop_thm show nothing will change %
THEN ASSUM_LIST(\asl.
let MLC tok = (rator(lhs(tok))) = "MacroLevelCycles" ? false in
let endTimeThm = (FIND_ASSUM MLC asl) in
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 2 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (endTimeThm)))))) in
ASSUME_TAC(REWRITE_RULE (asl@[ (sumTHM curTime (endTime-curTime))])
(SPECL [(int_to_term (endTime - curTime )); (t_plus_term curTime)]
stop_thm) ) )
THEN POP_ASSUM(\thm. REWRITE_TAC [(REWRITE_RULE [PAIR_EQ] thm)] )
THEN ASM_REWRITE_TAC []
THEN REWRITE_TAC [ELP_SET_ELP]
; % ..................... now the valid address case ............. %
POP_ASSUM(\thm. ASSUME_TAC ( REWRITE_RULE [] thm ))









( [theCase] @ (CONJUNCTS(REWRITE_RULE[PAIR_EQ;theCase]thm))))))
THEN ASSUM_LIST(\asl. REWRITE_TAC[(el 13 asl)] )
THEN NORMAL_POP_ASSUM_TAC THEN DELETE_USTEP_TAC 7
THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
THEN NEXT_SYMB_EXEC_TAC 11 THEN DELETE_USTEP_TAC 10
THEN NEXT_SYMB_EXEC_TAC 12









let rep_ty = abstract_type 'aux_def' 'opcode';;
let ABS_ENV = definition 'macro_def' 'ABS_ENV';;
let Opcode = definition 'macro_def' 'Opcode';;
let Opc_Val = definition 'macro_def' 'Opc_Val';;
let Macro_Int_IMPL_IMP = theorem 'mac_I' 'Macro_Int_IMPL_IMP';;
let Micro_state_to_Macro_state = definition 'mac_I'
'Micro_state_to_Macro_state';;
let macro_inst_list = definition 'macro_def' 'macro_inst_list';;
let GetMPC = definition 'micro_def' 'GetMPC';;
let add_bt7 = definition 'micro_def' 'add_bt7';;
let Next = definition 'time_abs' 'Next';;
let Micro_I = theorem 'micro_aux' 'Micro_I';;
let MacroLevelCycles = definition 'mac_I' 'MacroLevelCycles';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
let macro_state = ":(*wordn#*wordn#*wordn#*wordn#bool#bool#*wordn#*memory)";;
% a x y p b stop ir ram %
let macro_env = ":(bool)";;
let micro_state = ":(((*wordn)list)#*wordn#*wordn#
*wordn#*wordn#*memory#bool#bool#bool#*address#*wordn#bt7)";;
let micro_env = ":(bool)";;
let load_macro_inst = (\x. definition 'macro_def' x);;
let macro_defn_list = map load_macro_inst
['NOOP_M'; 'SHR'; 'SHRB'; 'SHLB'; 'SHL';
'CMP'; 'WRITEM'; 'WRITEIO'; 'NEG'; 'CALL';
'READIO'; 'READM'; 'ADDB'; 'ADDS'; 'SUBB';
'SUBS'; 'XOR'; 'AND'; 'NOR'; 'ANDMBAR';
'NOOP_M'; 'NOOP_M'; 'NOOP_M'; 'NOOP_M'; 'NOOP_M';
'NOOP_M'; 'NOOP_M'; 'NOOP_M'; 'NOOP_M'; 'NOOP_M';
'NOOP_M'; 'NOOP_M'];;
let load_micro_inst = (\x. theorem 'micro_def' x);;
let Micro_state_to_Macro_state = definition 'mac_I' 'Micro_state_to_Macro_state';;





CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) sum_Axiom));;
Some ML functions for the inference rules that follow.
................................................................
let last l = (el (length l) l);;
letrec term_list_el n l = (
let tm_hd x = rand(fst(dest_comb x)) and
tm_tl x = snd(dest_comb x) in
if (n = 0) then tm_hd l else
term_list_el (n-1) (tm_tl l)) ?
failwith 'term_list_el';;
This is insecure for right now. If anyone is seriously concerned
that this isn't right, I'll do it over.
................................................................
let EL_CONV tm = (
let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
let n_int = term_to_int n in
mk_thm([],"^tm = ^(term_list_el n_int l)")) ?
failwith 'EL_CONV';;
EL_CONV "EL 3 [0;1;2;3;4;5]";;
let is_SND_termt =





let SND_CONV t =
if is_SND_term t then
let op,pr = dest_comb t in






let ADD_ASSOC_CONV t =
let op1,[t1;t2] = strip_comb t
in
let op2,[t3;t4] = strip_comb t2
in
if op1 = "$+" & op2 = "$+"
then SPECL[t1;t3;t4]ADD_ASSOC
else fail;;
% INV_ADD_ASSOC_CONV "(a+b)+c" --> |- (a+b)+c = a+(b+c) %
let INV_ADD_ASSOC = (GEN_ALL o SYM o SPEC_ALL) ADD_ASSOC;;
let INV_ADD_ASSOC_CONV t =
let op1,[t1;t2] = strip_comb t
in
let op2,[t3;t4] = strip_comb t1
in
if op1 = "$+" & op2 = "$+"
then SPECL[t3;t4;t2] INV_ADD_ASSOC
else fail;;
let inv_num_CONV n = (
let x,y = dest_comb n in
let y_inc = int_to_term ((term_to_int y) + 1) in
if not(x = "SUC") then fail else
SYM_RULE (num_CONV y_inc))
? failwith 'inv_num_CONV';;
let instructions = map load_micro_inst
['FETCH_u1'; 'FETCH_u2' ; 'FETCH_u3' ; 'FETCH_u4' ;
'JMP_reqm' ; 'JMP_opc' ; 'NOOP' ; 'SHRS_u1' ;
'SHRB_u1' ; 'SHLB_u1' ; 'AXY_WRITE' ; 'SHLS_u1' ;
'NO_OVL' ; 'NOOP' ; 'AXY_WRITE' ; 'SHRS_u2' ;
'NOOP' ; 'AXY_WRITE' ; 'SHRB_u2' ; 'NOOP' ;
'AXY_WRITE' ; 'SHLB_u2' ; 'NOOP' ; 'MF0_u1' ;
'MF1_u1' ;
'MF2_u1' ; MF _ul ; 'MF3_u2' ; 'FETCH_u3' ;
,MF _ -, _
_u_ ; MF3_u5 ; CMF3_u6w1' ; _MF3_ulw4' ;
M 3_u6 ; MF3_u4 _ • CMF3_uSw3 _ • _MF3_u6 _ ;
'MF3_u1' ; 'MF2_u3' ; 'FETCH_u3' ; 'MF3_u4' ;
'MF3_u5' ; 'MF3_u6' ; 'COMPARE_u1' ; 'WRITEMEM_u1' ;
'WRITEIO_u1' ; 'NEG_u1' ; 'CALL_u1' ; 'READIO_u1' ;
'READM_IM_u1' ; 'ADDB_u1' ; 'ADDS_u1' ; 'SUBB_u1' ;
'SUBS_u1' ; 'XOR_u1' ; 'AND_u1' ; 'NOR_u1' ;
'ANDMBAR_u1' ; 'NOOP' ; 'COMPARE_u2' ; 'NOOP' ;
'WRITEMEM_u2' ; 'NOOP' ; 'WRITEIO_u2' ; 'NOOP' ;
'AXY_WRITE' ; 'NEGATE_u2' ; 'NOOP' ; 'CALL_u2' ;
'CALL_u3' ; 'FETCH_u3' ; 'NOOP' ; 'READIO_u2' ;
CMF ....o_u_ , 'READIO_u4 _ ; NOOP _ ; 'READIO_u4 _ ;
'CK_VALID_PC' ; 'NOOP' ; 'ADDB_u2' ; 'NOOP' ;
'ADDS_u2' ; 'CK_VALID_PC' ; 'NO_OVL' ; 'NOOP' ;
'SUBB_u2' ;
'NOOP' ; 'SUBS_u2' ; 'CK_VALID_PC' ; 'NO_OVL' ;
'NOOP' ;
'XOR_u2' ; 'NOOP' ; 'AND_u2' ; 'NOOP' ;
'NOR_u2' ; 'NOOP' ; 'wait_4' ; 'wait_3' ;
'wait_2' ; 'wait_1' ; 'MF3_u6' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ];;
let micro_inst_list = definition 'micro_def' 'micro_inst_list';;
let OFFSET = "4";;
Using MK_Micro_Int_Inst_LEMMA, we can prove a lemma of the form
|- Micro_Int
rep
(\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
(\t. (int_e t,reset_e t)) ==>
(!t.
(mpc t = F,F,T,F,T,T) ==>
(reg(t + 1),psw(t + 1),pc(t + 1),mem(t + 1),ivec(t + 1),ir(t + 1),
mar(t + 1),mbr(t + 1),mpc(t + 1) =
ST_u1
rep
(reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,F,F,T,F,T,T)
(int_e t,reset_e t)))
for every microinstruction, by simply giving its position in the
list. Mapping the inference rule onto a list of integers from 0
to 127 yields a list of lemmas for each micro instruction. The





"(\t. (reg t,m t, ins t, din t, dout t, ram t, b t, stop t, ovl t,
mar t, res t, mpc t)):time->^micro_state";
"(\t. (reset_e t)):time->^micro_env"] Micro_I));;
let MK_Micro_Int_Inst_LEMMA inst =
let tp = mk_n_tuple_from_int 7 inst in
let mpc_term = "mpc t = ^tp" in
DISCH_ALL (
GEN "t" (
GEN "t" (



"ins t :*wordn" ;
"din t :*wordn" ;
"dout t :*wordn" ;
"ram t :*memory" ;







"reset_e t:bool"] (el (inst+1) instructions)] (
CONV_RULE (DEPTH_CONV SND_CONV) (
CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
SUBS [bt7_val_CONV "bt7_val ^tp"] (





(\t. reg t,m t, ins t, din t, dout t, ram t, b t, stop t, ovl t,
mar t, res t, mpc t)
(\t. reset_e t)"))))))))));;
let mk_num_list n =
letrec mk_num_list_aux n m =
if n = m then [m] else
(n . (mk_num_list_aux (n+1) m)) in
mk_num_list_aux 0 n;;
%
MODIFY FOR A TEST
let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 32);;
%
let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 127);;
%
correct up to here
%
Normalize top assumption (get rid of add_bt7)
................................................................
let NORMAL_POP_ASSUM_TAC =
POP_ASSUM (\thm. ASSUME_TAC (
CONV_RULE (ONCE_DEPTH_CONV bt7_ival_CONV) (
CONV_RULE DEC_ADD_CONV (
% DEC_ADD_CONV broken for "0 + 1" %
PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
CONV_RULE (ONCE_DEPTH_CONV bt7_val_CONV) (
REWRITE_RULE [add_bt7] thm))))));;
let RANGE_LEMMA = TAC_PROOF
(([],
"!t1 t2 (mpc:time->bt7) x .
(!t'. t1 < t' /\ t' < t2 ==> ~(mpc t' = x)) /\
~(mpc t2 = x) ==>
(!t'. t1 < t' /\ t' < (t2 + 1) ==> ~(mpc t' = x))"),
REPEAT STRIP_TAC
THEN ASSUM_LIST (\asl. ASSUME_TAC (
SPEC "t':time" (el 5 asl)))
THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
REWRITE_RULE [SYM_RULE ADD1;LESS_THM] (el 3 asl)))
THENL [
ASSUM_LIST (\asl. ASSUME_TAC (














REWRITE_RULE [Opcode;Opc_Val; GetMPC; Micro_state_to_Macro_state;Next] (
BETA_RULE (
SPECL ["rep:^rep_ty";
"(\t. (reg t,m t,ins t,din t,dout t, ram t,b t,stop t,ovl t, mar t, res t, mpc t))
:time->^micro_state" ;
"(\t. (reset_e t)):time->^micro_env"] Macro_Int_IMPL_IMP)));;
let (INST_LOOP_TAC tm_init):tactic =
let is_begin thm =
snd(dest_eq thm) = FETCH_ADDR in
let tuple_val thm =
term_to_int(bt_val_func(snd(dest_eq thm))) in
letrec INST_LOOP_TAC_AUX tm ((asl,w):goal) =
let INST_TAC n =
IMP_RES_TAC (el n Micro_Int_Inst_list) THEN
ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC
(CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (el 1 x)))) in
let n = (tuple_val (el 1 asl)) + 1 in
let gl,p = INST_TAC n (asl,w) in
let (asl',w') = (hd gl) in
let gll,pl = split (
if (is_begin (el 1 asl')) then
map (EXISTS_TAC tm) gl else
map (INST_LOOP_TAC_AUX "(^tm)+1") gl) in
(flat gll,(p o mapshape(map length gll)pl)) in
INST_LOOP_TAC_AUX "(^tm_init + 1)";;
let DECODE_M_CORRECTLY_IMP = new_definition
('DECODE_M_CORRECTLY_IMP',
"DECODE_M_CORRECTLY_IMP (rep:^rep_ty) =
! (ins:*wordn) (b:bool) .
let ins_dec = (decode rep (opcode rep ins, b)) in
let opc = (FST (SND ins_dec)) in
let mem_req = (SND (SND ins_dec)) in




(opc = (F,F,F,T,T)) \/
(opc = (F,F,T,F,F))) => ((mem_req = F) /\ (dec_stop = F)) |
((opc = (T,T,T,T,T)) => ((mem_req = F) /\ (dec_stop = T)) |
((mem_req = T) /\ (dec_stop = F))))");;
let MX_INST_CORRECT_GOAL n =
let inst = term_list_el n
(snd(dest_eq(
snd(dest_forall(concl macro_inst_list))))) in
"!(rep:^rep_ty) (regs:time->(*wordn)list) (m ins din dout:time->*wordn) (ram:time->*memory)




(\t. (reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,mar t,res t,mpc t))
(\t. reset_e t) ^inst)";;
let stop_thm = prove_thm ('stop_thm',
"! (n:num) (t:num).
((Micro_I (rep:^rep_ty)
(\t. reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,
mar t,res t,mpc t)
(\t. reset_e t) /\
(stop t)) /\
(mpc t = (F,F,F,F,F,F,F))) ==>
(reg(t + n),m(t + n),ins(t + n),din(t + n),dout(t + n),ram(t + n),
b(t+n),stop(t+n),ovl(t+n),mar(t+n),res(t+n),mpc(t+n) =
(reg t,m t,ins t,din t,dout t,ram t,b t,stop t,ovl t,mar t,res t,
mpc t))",
INDUCT_TAC THENL [REWRITE_TAC [ADD_CLAUSES];
(GEN_TAC
THEN STRIP_TAC
THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (CONJUNCTS
(REWRITE_RULE [(el 1 asl);(el 2 asl);
(el 3 asl);PAIR_EQ] (SPEC "t:time" (el 4 asl)))))
THEN PURE_REWRITE_TAC[ADD1]
THEN PURE_ONCE_REWRITE_TAC[ADD_ASSOC]
THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC
(CONJUNCTS (REWRITE_RULE [(el 8 asl);PAIR_EQ] (el 2 asl))))
THEN ASM_REWRITE_TAC[])]);;
map (delete_cache o fst) (cached_theories());;
let T_PLUS_7_LEMMA = TAC_PROOF
(([], "! t. t + 7 = (((((((t+1)+1)+1)+1)+1)+1)+1)"),
GEN_TAC




Appendix E: MICRO LEVEL SPECIFICATION
File: ucode_aux.ml
Description: Defines the ML functions and constants necessary to describe
the microinstructions. This file is loaded by several files
that draft theories.
Modified by ETS:
Includes new wait microinstruction labels
Removed seq control case stop_ovl_ill_pdest
This case can be simulated by using
stop_ovl and stop_ill_pdest.
Added stop_pcwrite.
set_search_path (search_path() @ lib_dir_list);;
system '/bin/rm ucode_aux.th';;
new_theory 'ucode_aux';;
map new_parent ['tuple'; 'decimal'];;
%...............................................................
The functional representation of a microinstruction:
(address, seq_alu_ctl(seq, alu), dec_ctl(sig), mem(op),
srcdst(rfc, dfc, rfsel, dfsel), enable(copy), select(addrout, datain, mout))
The possible values of the various arguments are as follows: (X = don't care)
address - symbol / X7
seq - idle / mjmp / opcjmp / jmp / stop_ovl / stop_ill_addr /
stop_ill_pdest / stop_pcwrite
alu - mthro (or idle) / rthro / compare / negate / add_bcarry /
add / sub_bcarry / sub / xor / and / nor / and_not /
shr_s / shr_b / shl_s / shl_b
sig - inhibit / allow
op - idle / rio / rmem / wio / wmem
rfc - inst_rf (or X) / m_rf
dfc - inst_df (or X) / m_df
rfsel - regA (or X) / regX / regY / regP
dfsel - regA (or X) / regX / regY / regP / regM / regADDR
copy - none / data / res / both
addrout - p (or X) / addr
datain - m (or X) / ins
mout - m (or X) / one / addr
...............................................................%
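The field encoders that ucode_aux.ml defines below (seq_ctl, alu_ctl, dec_ctl, mem, rf, df, enable, whichm) turn the symbolic microinstruction above into a tuple of booleans that becomes one word of the microcode ROM, and the header of ucode_def.ml further down warns that its label table must be kept in step with the one in ucode_aux.ml. The following Python model is an added example, not code from the report; it reproduces the encodings exactly as the page states them, assembles two of the page's ROM words, and cross-checks two excerpted label tables. The last two fields of select() are an assumption, because the page's definition of select is truncated, and the sample tables are excerpts from the page, not complete copies.

```python
"""Added example (not from the report's HOL sources): a Python model of the
field encoders in ucode_aux.ml.  Builds a ROM word in the page's field
order and cross-checks the label tables the page says must agree.  The two
trailing select() fields are an assumption (the page's select is cut off)."""
from typing import Dict, List, Tuple

Bits = Tuple[bool, ...]
F, T = False, True
X = "X"  # don't care: encoded like the first alternative of its field

SEQ_CTL: Dict[str, Bits] = {
    "idle": (F, F, F), "mjmp": (F, F, T), "opcjmp": (F, T, F), "jmp": (F, T, T),
    "stop_ovl": (T, F, F), "stop_ill_addr": (T, F, T),
    "stop_ill_pdest": (T, T, F), "stop_pcwrite": (T, T, T)}
# alu_ctl is the 4-bit binary index of the operation in this order (mthro = idle = 0).
ALU_OPS: List[str] = ["mthro", "rthro", "compare", "negate", "add_bcarry", "add",
                      "sub_bcarry", "sub", "xor", "and", "nor", "and_not",
                      "shr_s", "shr_b", "shl_s", "shl_b"]
MEM_CTL = {"idle": (F, F, F), "rio": (T, F, T), "rmem": (T, F, F),
           "wio": (F, T, T), "wmem": (F, T, F)}
RF_SEL = {"regA": (F, F), "regX": (F, T), "regY": (T, F), "regP": (T, T)}
DF_SEL = {"regA": (F, F, F), "regX": (F, F, T), "regY": (F, T, F), "regP": (F, T, T),
          "regM": (T, T, F), "regADDR": (T, T, T)}
ENABLE = {"none": (F, F), "data": (T, F), "res": (F, T), "both": (T, T)}
WHICHM = {"m": (F, F), "one": (F, T), "addr": (T, F)}

def field(table: Dict[str, Bits], key: str, default: str) -> Bits:
    """Encode a symbolic field value, mapping X to the field's default."""
    return table[default if key == X else key]

def flag(cond: bool) -> Bits:
    return (T,) if cond else (F,)

def encode(address: Bits, seq, alu, sig, op, rfc, dfc, rfsel, dfsel,
           copy, addrout, datain, mout) -> Bits:
    """Assemble one 31-bit ROM word: address, seq_alu_ctl, dec_ctl, mem,
    srcdst, enable, select, in the page's order."""
    alu_index = 0 if alu in (X, "idle") else ALU_OPS.index(alu)
    alu_code = tuple(bool((alu_index >> (3 - i)) & 1) for i in range(4))
    return (address
            + field(SEQ_CTL, seq, "idle") + alu_code
            + flag(sig == "allow")                  # dec_ctl: inhibit = F, allow = T
            + field(MEM_CTL, op, "idle")
            + field(RF_SEL, rfsel, "regA") + field(DF_SEL, dfsel, "regA")
            + flag(rfc == "m_rf") + flag(dfc == "m_df")
            + field(ENABLE, copy, "none")
            + flag(addrout == "addr")
            + flag(datain == "ins")                 # assumed: page's select() is cut off here
            + field(WHICHM, mout, "m"))

def bits_of(s: str) -> Bits:
    """'FFTF...' -> tuple of bools, mirroring the page's (F,T,...) notation."""
    return tuple(c == "T" for c in s)

X7 = bits_of("FFFFFFF")

def fetch_u1_word() -> Bits:
    """FETCH_u1_mc from the page: sequencer idle, read memory at p."""
    return encode(X7, "idle", "idle", "inhibit", "rmem", X, X, X, X, "none", "p", X, X)

def and_u2_word() -> Bits:
    """AND_u2_mc from the page: ALU ands; the sequencer is told to stop
    if the result would be written to the program counter."""
    return encode(X7, "stop_pcwrite", "and", "inhibit", "idle",
                  "inst_rf", "inst_df", X, X, "res", X, X, "m")

# Label tables excerpted from the page: ucode_def.ml labels and the
# micro_def.ml *_addr constants, names normalised to the ucode_def spelling.
UCODE_DEF_LABELS = {
    "fetch": "FFFFFFF", "noop": "FFFFTTF", "shrs1": "FFFTTTF", "shrb1": "FFTFFFT",
    "shlb1": "FFTFTFF", "mf0": "FFTFTTT", "mf01": "FTFFFFF", "compare1": "FTTTFTT",
    "writemem1": "FTTTTFT", "writeio1": "FTTTTTT", "neg1": "TFFFFFT", "call1": "TFFFTFF",
    "readio1": "TFFTFFF", "readmem1": "TFFTTFF", "addb1": "TFFTTTT", "adds1": "TFTFFFT",
    "subb1": "TFTFTFT", "subs1": "TFTFTTT", "xor1": "TFTTFTT", "and1": "TFTTTFT",
    "nor1": "TFTTTTT", "wait_0": "TTFFTFT", "wait_1": "TTFFTFF", "wait_2": "TTFFFTT",
    "wait_3": "TTFFFTF", "wait_4": "TTFFFFT"}
MICRO_DEF_ADDRS = {
    "fetch": "FFFFFFF", "noop": "FFFFTTF", "shrs1": "FFFTTTF", "shrb1": "FFTFFFT",
    "shlb1": "FFTFTFF", "mf0": "FFTFTTT", "mf01": "FTFFFFF", "compare1": "FTTTFTT",
    "writemem1": "FTTTTFT", "writeio1": "FTTTTTT", "neg1": "TFFFFFT", "call1": "TFFFTFF",
    "readio1": "TFFTFFF", "readmem1": "TFFTTFF", "addb1": "TFFTTTT", "adds1": "TFTFFFT",
    "subb1": "TFTFTFT", "subs1": "TFTFTTT", "xor1": "TFTTFTT", "and1": "TFTTTFT",
    "nor1": "TFTTTTT", "wait_0": "TTFFTFT", "wait_1": "TTFFTFF", "wait_2": "TTFFFTT",
    "wait_3": "TTFFFTF", "wait_4": "TTFFFFT"}

def label_mismatches(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Labels whose address differs between the tables, or that only one defines."""
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def duplicate_addresses(table: Dict[str, str]) -> List[str]:
    """Labels sharing a ROM address with an earlier label.  X7 is left out on
    purpose: it is the don't-care address, not a jump target."""
    seen: Dict[str, str] = {}
    return sorted(n for n, addr in table.items()
                  if addr in seen or seen.setdefault(addr, n) != n)

if __name__ == "__main__":
    print(label_mismatches(UCODE_DEF_LABELS, MICRO_DEF_ADDRS), duplicate_addresses(UCODE_DEF_LABELS))
```

The two checks are the ones a reviewer of a microcode change would run first: a label moved in one file but not the other sends a jump to the wrong ROM word, and two labels on one address make the sequencer's target ambiguous. Both excerpted tables agree on the page, so the example reports no mismatch and no duplicate.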
%...............................................................
Definition of labels in microcode
...............................................................%
let X7 = "(F,F,F,F,F,F,F)";;
let fetch = "(F,F,F,F,F,F,F)";;
let noop = "(F,F,F,F,T,T,F)";;
let shrs1 = "(F,F,F,T,T,T,F)";;
let shrb1 = "(F,F,T,F,F,F,T)";;
let shlb1 = "(F,F,T,F,T,F,F)";;
let mf0 = "(F,F,T,F,T,T,T)";;
let mf01 = "(F,T,F,F,F,F,F)";;
let mf11 = "(F,T,F,F,F,T,F)";;
let mf21 = "(F,T,F,F,T,F,T)";;
let base = "(F,T,F,F,T,T,F)";;
let compare1 = "(F,T,T,T,T,F,F)";;
let writemem1 = "(F,T,T,T,T,F,T)";;
let writeio1 = "(F,T,T,T,T,T,T)";;
let neg1 = "(T,F,F,F,F,F,T)";;
let call1 = "(T,F,F,F,T,F,F)";;
let readio1 = "(T,F,F,T,F,F,F)";;
let readmem1 = "(T,F,F,T,T,F,F)";;
let addb1 = "(T,F,F,T,T,T,T)";;
let adds1 = "(T,F,T,F,F,F,T)";;
let subb1 = "(T,F,T,F,T,F,T)";;
let subs1 = "(T,F,T,F,T,T,T)";;
let xor1 = "(T,F,T,T,F,T,T)";;
let and1 = "(T,F,T,T,T,F,T)";;
let nor1 = "(T,F,T,T,T,T,T)";;
let wait_1 = "(T,T,F,F,T,F,F)";;
let wait_2 = "(T,T,F,F,F,T,T)";;
let wait_3 = "(T,T,F,F,F,T,F)";;
let wait_4 = "(T,T,F,F,F,F,T)";;
let X = 0;; % .... don't care ...... %
let idle = 0;; % ....... idle ........ %
%...............................................................
Definition of control signals for microsequencing logic
...............................................................%
% idle = 0 %
let mjmp = 1;;
let opcjmp = 2;;
let jmp = 3;;
let stop_ovl = 4;;
let stop_ill_addr = 5;;
let stop_ill_pdest = 6;;
let stop_pcwrite = 7;;
let seq_ctl x =
(x = idle) => "(F, F, F)" |
(x = mjmp) => "(F, F, T)" |
(x = opcjmp) => "(F, T, F)" |
(x = jmp) => "(F, T, T)" |
(x = stop_ovl) => "(T, F, F)" |
(x = stop_ill_addr) => "(T, F, T)" |
(x = stop_ill_pdest) => "(T, T, F)" |
"(T, T, T)";;
%...............................................................
Definition of control signals for alu
...............................................................%
% idle = 0 %
let mthro = 0;;
let rthro = 1;;
let compare = 2;;
let negate = 3;;
let add_bcarry = 4;;
let add = 5;;
let sub_bcarry = 6;;
let sub = 7;;
let xor = 8;;
let and = 9;;
let nor = 10;;
let and_not = 11;;
let shr_s = 12;;
let shr_b = 13;;
let shl_s = 14;;
let shl_b = 15;;
let alu_ctl x =
(x = idle) => "(F, F, F, F)" |
(x = mthro) => "(F, F, F, F)" |
(x = rthro) => "(F, F, F, T)" |
(x = compare) => "(F, F, T, F)" |
(x = negate) => "(F, F, T, T)" |
(x = add_bcarry) => "(F, T, F, F)" |
(x = add) => "(F, T, F, T)" |
(x = sub_bcarry) => "(F, T, T, F)" |
(x = sub) => "(F, T, T, T)" |
(x = xor) => "(T, F, F, F)" |
(x = and) => "(T, F, F, T)" |
(x = nor) => "(T, F, T, F)" |
(x = and_not) => "(T, F, T, T)" |
(x = shr_s) => "(T, T, F, F)" |
(x = shr_b) => "(T, T, F, T)" |
(x = shl_s) => "(T, T, T, F)" |
"(T, T, T, T)";;
let seq_alu_ctl (seq, alu) =
"(^(seq_ctl seq), ^(alu_ctl alu))";;
let inhibit = "F";;
let allow = "T";;
let dec_ctl (sig) = "^sig";;
let rio = 1;;
let rmem = 2;;
let wio = 3;;
let wmem = 4;;
let mem (op) =
(op = idle) => "(F,F,F)" |
(op = rio) => "(T,F,T)" |
(op = rmem) => "(T,F,F)" |
(op = wio) => "(F,T,T)" |
"(F,T,F)";;
let regA = 0;;
let regX = 1;;
let regY = 2;;
let regP = 3;;
let regM = 6;;
let regADDR = 7;;
let inst_rf = 0;;
let m_rf = 1;;
let inst_df = 0;;
let m_df = 1;;
let rf x =
((x = regA) or (x = X)) => "(F, F)" |
(x = regX) => "(F, T)" |
(x = regY) => "(T, F)" |
"(T, T)";;
let df x =
((x = regA) or (x = X)) => "(F, F, F)" |
(x = regX) => "(F, F, T)" |
(x = regY) => "(F, T, F)" |
(x = regP) => "(F, T, T)" |
(x = regM) => "(T, T, F)" |
(x = regADDR) => "(T, T, T)" |
"(F, T, T)";; % P register %
let srcdst (rfc, dfc, rfsel, dfsel) =
"(^(rf rfsel), ^(df dfsel),
^((rfc = m_rf) => "T" | "F"),
^((dfc = m_df) => "T" | "F"))";;
let none = 0;;
let data = 1;;
let res = 2;;
let both = 3;;
let enable (x) =
(x = none) => "(F, F)" |
(x = data) => "(T, F)" |
(x = res) => "(F, T)" |
"(T, T)";;
let p = 0;;
let m = 0;;
let ins = 1;;
let one = 1;;
let addr = 2;;
let whichm x =
(x = m) => "(F, F)" |
(x = one) => "(F, T)" |
(x = addr) => "(T, F)" |
"(T, T)";;
let select (addrout, datain, mout) =
"(^((addrout = addr) => "T" | "F"),




Description: Defines the microinstructions and microrom for the
micro-level.
Modifications by ETS
Include new wait, NO_PC_WRITE and CK_VALID_PC, NO_OVL microinstructions.
Replaced SHLS_u3_mc with NO_OVL fby CK_VALID_PC
Logical operations' semantics now stop on write to pc
Reorganized microcode slightly
NO_PC_WRITE changed to AXY_WRITE (i/o space and memory also invalid)
...............................................................%





If you change these addresses, change the list in ucode_aux.ml
as well.
let wait_0 = "(T,T,F,F,T,F,T)";; % is not in ucode_aux.ml %
%...............................................................
Definition of labels in microcode
...............................................................%
let X7 = "(F,F,F,F,F,F,F)";;
let fetch = "(F,F,F,F,F,F,F)";;
let noop = "(F,F,F,F,T,T,F)";;
let shrs1 = "(F,F,F,T,T,T,F)";;
let shrb1 = "(F,F,T,F,F,F,T)";;
let shlb1 = "(F,F,T,F,T,F,F)";;
let mf0 = "(F,F,T,F,T,T,T)";;
let mf01 = "(F,T,F,F,F,F,F)";;




let compare1 = "(F,T,T,T,F,T,T)";;
let writemem1 = "(F,T,T,T,T,F,T)";;
let writeio1 = "(F,T,T,T,T,T,T)";;
let neg1 = "(T,F,F,F,F,F,T)";;
let call1 = "(T,F,F,F,T,F,F)";;
let readio1 = "(T,F,F,T,F,F,F)";;
let readmem1 = "(T,F,F,T,T,F,F)";;
let addb1 = "(T,F,F,T,T,T,T)";;
let adds1 = "(T,F,T,F,F,F,T)";;
let subb1 = "(T,F,T,F,T,F,T)";;
let subs1 = "(T,F,T,F,T,T,T)";;
let xor1 = "(T,F,T,T,F,T,T)";;
let and1 = "(T,F,T,T,T,F,T)";;
let nor1 = "(T,F,T,T,T,T,T)";;
let wait_0 = "(T,T,F,F,T,F,T)";;
let wait_1 = "(T,T,F,F,T,F,F)";;
let wait_2 = "(T,T,F,F,F,T,T)";;
let wait_3 = "(T,T,F,F,F,T,F)";;
let wait_4 = "(T,T,F,F,F,F,T)";;
%--- added by ETS ---%
let AXY_WRITE_mc = new_definition
('AXY_WRITE_mc',
"AXY_WRITE_mc =





let CK_VALID_PC_mc = new_definition
('CK_VALID_PC_mc',
"CK_VALID_PC_mc =
(^X7, ^(seq_alu_ctl(stop_ill_pdest, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)),
^(select(X,X,X)))"
);;
let NO_OVL_mc = new_definition
('NO_OVL_mc',
"NO_OVL_mc =




%...... old stuff ........%
let FETCH_u1_mc = new_definition
('FETCH_u1_mc',
"FETCH_u1_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
^(mem(rmem)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(p,X,X)))"
);;






^(enable(res)), ^(select(X, X, one)))"
);;
let FETCH_u3_mc = new_definition
('FETCH_u3_mc',
"FETCH_u3_mc =




let FETCH_u4_mc = new_definition
('FETCH_u4_mc',
"FETCH_u4_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(idle)),












(^noop, ^(seq_alu_ctl(opcjmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let NOOP_mc = new_definition
('NOOP_mc',
"NOOP_mc =
(^fetch, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SHRS_u1_mc = new_definition
('SHRS_u1_mc',
"SHRS_u1_mc =
(^shrs1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SHRB_u1_mc = new_definition
('SHRB_u1_mc',
"SHRB_u1_mc =
(^shrb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SHLS_u1_mc = new_definition
('SHLS_u1_mc',
"SHLS_u1_mc =
(^X7, ^(seq_alu_ctl(idle, shl_s)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
);;




(^shlb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SHLB_u2_mc = new_definition
('SHLB_u2_mc',
"SHLB_u2_mc =
(^X7, ^(seq_alu_ctl(idle, shl_b)), ^(dec_ctl(inhibit)),
^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
);;
let SHRS_u2_mc = new_definition
('SHRS_u2_mc',
"SHRS_u2_mc =
(^X7, ^(seq_alu_ctl(idle, shr_s)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
);;
let SHRB_u2_mc = new_definition
('SHRB_u2_mc',
"SHRB_u2_mc =
(^X7, ^(seq_alu_ctl(idle, shr_b)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, X)))"
);;
let MF0_u1_mc = new_definition
('MF0_u1_mc',
"MF0_u1_mc =
(^mf01, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let MF1_u1_mc = new_definition
('MF1_u1_mc',
"MF1_u1_mc =
(^mf11, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let MF2_u1_mc = new_definition
('MF2_u1_mc',
"MF2_u1_mc =
(^mf21, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let MF3_u1_mc = new_definition
('MF3_u1_mc',
"MF3_u1_mc =
(^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,m_df,X,regM)), ^(enable(res)), ^(select(X, X, addr)))"
);;
let MF3_u2_mc = new_definition
('MF3_u2_mc',
"MF3_u2_mc =
(^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(m_rf,m_df,regY,regADDR)), ^(enable(res)), ^(select(X, X, m)))"
);;
let MF3_u4_mc = new_definition
('MF3_u4_mc',
"MF3_u4_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
^(mem(rmem)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
);;
let MF3_u5_mc = new_definition
('MF3_u5_mc',
"MF3_u5_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(data)), ^(select(X, m, X)))"



^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let MF2_u3_mc = new_definition
('MF2_u3_mc',
"MF2_u3_mc =
(^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(m_rf,m_df,regX,regADDR)), ^(enable(res)), ^(select(X, X, m)))"
);;




^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;



^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;



^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let NEG_u1_mc = new_definition
('NEG_u1_mc',
"NEG_u1_mc =
(^neg1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let CALL_u1_mc = new_definition
('CALL_u1_mc',
"CALL_u1_mc =
(^call1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;



^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;



^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;




(^addb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let ADDS_u1_mc = new_definition
('ADDS_u1_mc',
"ADDS_u1_mc =
(^adds1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SUBB_u1_mc = new_definition
('SUBB_u1_mc',
"SUBB_u1_mc =
(^subb1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let SUBS_u1_mc = new_definition
('SUBS_u1_mc',
"SUBS_u1_mc =
(^subs1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let XOR_u1_mc = new_definition
('XOR_u1_mc',
"XOR_u1_mc =




, ^(enable(none)), ^(select(X, X, X)))"
);;
let AND_u1_mc = new_definition
('AND_u1_mc',
"AND_u1_mc =
(^and1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let NOR_u1_mc = new_definition
('NOR_u1_mc',
"NOR_u1_mc =
(^nor1, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;




(^X7, ^(seq_alu_ctl(stop_pcwrite, and_not)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let COMPARE_u2_mc = new_definition
('COMPARE_u2_mc',
"COMPARE_u2_mc =
(^X7, ^(seq_alu_ctl(idle, compare)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(X, X, m)))"
);;
let WRITEMEM_u2_mc = new_definition
('WRITEMEM_u2_mc',
"WRITEMEM_u2_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(wmem)),
^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
);;
let WRITEIO_u2_mc = new_definition
('WRITEIO_u2_mc',
"WRITEIO_u2_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)), ^(mem(wio)),
^(srcdst(inst_rf,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
);;
let NEGATE_u2_mc = new_definition
('NEGATE_u2_mc',
"NEGATE_u2_mc =
(^X7, ^(seq_alu_ctl(idle, negate)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let CALL_u2_mc = new_definition
('CALL_u2_mc',
"CALL_u2_mc =
(^X7, ^(seq_alu_ctl(idle, rthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(m_rf,m_df,regP,regY)), ^(enable(res)), ^(select(X, X, X)))"
);;
let CALL_u3_mc = new_definition
('CALL_u3_mc',
"CALL_u3_mc =
(^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,m_df,X,regP)), ^(enable(res)), ^(select(X, X, m)))"
);;




(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
^(mem(rio)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(addr, X, X)))"
);;




^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let READMEM_u2_mc = new_definition
('READMEM_u2_mc',
"READMEM_u2_mc =
(^X7, ^(seq_alu_ctl(idle, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;




^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let ADDS_u2_mc = new_definition
('ADDS_u2_mc',
"ADDS_u2_mc =
(^X7, ^(seq_alu_ctl(idle, add)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;












(^X7, ^(seq_alu_ctl(idle, sub)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let XOR_u2_mc = new_definition
('XOR_u2_mc',
"XOR_u2_mc =





let AND_u2_mc = new_definition
('AND_u2_mc',
"AND_u2_mc =
(^X7, ^(seq_alu_ctl(stop_pcwrite, and)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
let NOR_u2_mc = new_definition
('NOR_u2_mc',
"NOR_u2_mc =
(^X7, ^(seq_alu_ctl(stop_pcwrite, nor)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(inst_rf,inst_df,X,X)), ^(enable(res)), ^(select(X, X, m)))"
);;
%...............................................................
The following were added to pad out fetches so that
the synchronous interpreter model could be used
...............................................................%
let MF3_u6w1_mc = new_definition
('MF3_u6w1_mc',
"MF3_u6w1_mc =
(^wait_0, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
let MF3_u1w4_mc = new_definition
('MF3_u1w4_mc',
"MF3_u1w4_mc =
(^wait_4, ^(seq_alu_ctl(jmp, mthro)), ^(dec_ctl(inhibit)), ^(mem(idle)),
^(srcdst(X,m_df,X,regM)), ^(enable(res)), ^(select(X, X, addr)))"
);;




(^wait_3, ^(seq_alu_ctl(jmp, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(data)), ^(select(X, m, X)))"
);;
let WAIT_mc = new_definition
('WAIT_mc',
"WAIT_mc =
(^X7, ^(seq_alu_ctl(idle, idle)), ^(dec_ctl(inhibit)),
^(mem(idle)), ^(srcdst(X,X,X,X)), ^(enable(none)), ^(select(X, X, X)))"
);;
%...............................................................
This list must contain the microinstructions that implement the
behavior in the definition micro_inst_list defined in def_micro.ml.
...............................................................%
let micro_rom = new_definition
('micro_rom',







































































































































SUBS [FETCH_u1_mc; FETCH_u2_mc; FETCH_u3_mc; FETCH_u4_mc; JMP_reqm_mc;
JMP_opc_mc; NOOP_mc; SHRS_u1_mc; SHRB_u1_mc; SHLS_u1_mc; SHLB_u1_mc;
SHRS_u2_mc; SHRB_u2_mc; MF0_u1_mc; MF3_u6w1_mc;
MF1_u1_mc; MF2_u1_mc; MF3_u1_mc; MF3_u2_mc; MF3_u4_mc; MF3_u5_mc;
MF3_u6_mc; MF2_u3_mc; COMPARE_u1_mc; WRITEMEM_u1_mc; WRITEIO_u1_mc;
NEG_u1_mc; CALL_u1_mc; READIO_u1_mc; READMEM_u1_mc; ADDB_u1_mc;
ADDS_u1_mc; SUBB_u1_mc; SUBS_u1_mc; XOR_u1_mc; AND_u1_mc; NOR_u1_mc;
ANDMBAR_u1_mc; COMPARE_u2_mc; WRITEMEM_u2_mc; WRITEIO_u2_mc;
NEGATE_u2_mc; CALL_u2_mc; CALL_u3_mc; READIO_u2_mc; READIO_u4_mc;
ADDB_u2_mc; ADDS_u2_mc; SUBB_u2_mc; SUBS_u2_mc; XOR_u2_mc; AND_u2_mc;







Description: Defines the behavioral description of the micro
interpreter level
Modified by Tony Leung to add wait states to memory fetches to patch
up instruction micro cycles.
Modified by ETS to include AXY_WR and CK_VAL_PC microinstructions
...............................................................%
set_search_path (search_path() @ lib_dir_list);;
loadf 'abstract';;
system '/bin/rm micro_def.th';;
new_theory 'micro_def';;
map new_parent ['tuple'; 'aux_def'; 'regs_def'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let add_bt7 = new_definition
('add_bt7',
"! x y .
add_bt7 x y =
bt7_ival ((bt7_val x) + y)"
);;
' aux_thms ( ] ; ;
let FETCH_addr = "(F,F,F,F,F,F,F)";;
let NOOP_addr = "(F,F,F,F,T,T,F)";;
let SHRS1_addr = "(F,F,F,T,T,T,F)";;
let SHRB1_addr = "(F,F,T,F,F,F,T)";;
let SHLB1_addr = "(F,F,T,F,T,F,F)";;
let MF0_addr = "(F,F,T,F,T,T,T)";;
let MF01_addr = "(F,T,F,F,F,F,F)";;
let MF11_addr = "(F,T,F,F,F,T,F)";;
let MF21_addr = "(F,T,F,F,T,F,T)";;
let BASE_addr = "(F,T,F,F,T,T,F)";;
let COMPARE1_addr = "(F,T,T,T,F,T,T)";;
let WRITEMEM1_addr = "(F,T,T,T,T,F,T)";;
let WRITEIO1_addr = "(F,T,T,T,T,T,T)";;
let NEG1_addr = "(T,F,F,F,F,F,T)";;
let CALL1_addr = "(T,F,F,F,T,F,F)";;
let READIO1_addr = "(T,F,F,T,F,F,F)";;
let READMEM1_addr = "(T,F,F,T,T,F,F)";;
let ADDB1_addr = "(T,F,F,T,T,T,T)";;
let ADDS1_addr = "(T,F,T,F,F,F,T)";;
let SUBB1_addr = "(T,F,T,F,T,F,T)";;
let SUBS1_addr = "(T,F,T,F,T,T,T)";;
let XOR1_addr = "(T,F,T,T,F,T,T)";;
let AND1_addr = "(T,F,T,T,T,F,T)";;
let NOR1_addr = "(T,F,T,T,T,T,T)";;
let wait_0_addr = "(T,T,F,F,T,F,T)";;
let wait_1_addr = "(T,T,F,F,T,F,F)";;
let wait_2_addr = "(T,T,F,F,F,T,T)";;
let wait_3_addr = "(T,T,F,F,F,T,F)";;
let wait_4_addr = "(T,T,F,F,F,F,T)";;
%...............................................................
Micro instruction 57: ANDMBAR - destreg := r /\ ~m
...............................................................%
let ANDMBAR_u1 = new_definition
('ANDMBAR_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
ANDMBAR_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
let randmbar = band rep ((EL (bt2_val(RSF rep ins)) regs),bnot rep m) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b randmbar),
m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | randmbar),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1) )"
% (update_reg regs (DSF rep ins) b randmbar,m,ins, din, dout, ram,
b, new_stop, F, mar, randmbar, add_bt7 mpc 1)" %
);;
save_thm('ANDMBAR_u1',EXPAND_LET_RULE ANDMBAR_u1);;
%...............................................................
Micro instruction 0: get instn from mem[pc]
...............................................................%
let FETCH_u1 = new_definition
('FETCH_u1_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
FETCH_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let paddr = address rep (EL p_reg regs) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, fetch rep (ram, paddr), dout, ram, b, F, F,
paddr, m, add_bt7 mpc 1)"
);;
save_thm('FETCH_u1',EXPAND_LET_RULE FETCH_u1);;
%...............................................................
Micro instruction 1: increment p
...............................................................%
let FETCH_u2 = new_definition
('FETCH_u2_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
FETCH_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let newp = add rep ((EL p_reg regs), (wordn rep 1)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (F,T,T) b newp, m, ins, din, dout, ram, b,
F, aovfl rep ((EL p_reg regs), (wordn rep 1), newp),
mar, newp, add_bt7 mpc 1)"
);;
save_thm('FETCH_u2',EXPAND_LET_RULE FETCH_u2);;
%...............................................................
Micro instruction 2: check if (p+1) is valid
...............................................................%
let FETCH_u3 = new_definition
('FETCH_u3_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
FETCH_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ~(valid_address rep res) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar, (new_stop => res | m),
(new_stop => (F,F,F,F,F,F,F) | (add_bt7 mpc 1)))"
);;
save_thm('FETCH_u3',EXPAND_LET_RULE FETCH_u3);;
%...............................................................
Micro instruction 3: read instruction into ins register
...............................................................%
let FETCH_u4 = new_definition
('FETCH_u4_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
FETCH_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, din, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
);;
save_thm('FETCH_u4',EXPAND_LET_RULE FETCH_u4);;
%...............................................................
Micro instruction 4: jmp on reqm
...............................................................%
let JMP_reqm = new_definition
('JMP_reqm',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
JMP_reqm rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let ins_dec = (decode rep (opcode rep ins, b)) in
let new_stop =
(FST ins_dec \/ ( ( (FST(SND(ins_dec)) = (F,F,T,T,F)) \/
(FST(SND(ins_dec)) = (F,F,T,T,T)))
/\ ((MSF rep ins) = (F,F)) )) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | m),
(new_stop => (F,F,F,F,F,F,F) |
SND (SND ins_dec) => add_bt7 ^MF0_addr (bt2_val(MSF rep ins)) |
add_bt7 mpc 1))"
);;
save_thm('JMP_reqm',EXPAND_LET_RULE JMP_reqm);;
%...............................................................
Micro instruction 5: jmp to (noop+opc)
...............................................................%
let JMP_opc = new_definition
('JMP_opc',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
JMP_opc rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7
^NOOP_addr (bt5_val (FST (SND (decode rep (opcode rep ins,b))))))"
);;
save_thm('JMP_opc',EXPAND_LET_RULE JMP_opc);;
%...............................................................
Micro instruction 6: NOOP - goto fetch
...............................................................%
let NOOP = new_definition
('NOOP',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NOOP rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^FETCH_addr)"
);;
save_thm('NOOP',EXPAND_LET_RULE NOOP);;
%...............................................................
Micro instruction 7: SHRS - goto shrs1
...............................................................%
let SHRS_u1 = new_definition
('SHRS_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHRS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHRS1_addr)"
);;
save_thm('SHRS_u1',EXPAND_LET_RULE SHRS_u1);;
%...............................................................
Micro instruction 8: SHRB - goto shrb1
...............................................................%
let SHRB_u1 = new_definition
('SHRB_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHRB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHRB1_addr)"
);;
save_thm('SHRB_u1',EXPAND_LET_RULE SHRB_u1);;
%...............................................................
Micro instruction 9: SHLB - goto shlb1
...............................................................%
let SHLB_u1 = new_definition
('SHLB_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHLB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SHLB1_addr)"
);;
save_thm('SHLB_u1',EXPAND_LET_RULE SHLB_u1);;
%...............................................................
Micro instruction 10: AXY_WRITE - check if dest != a, x or y
...............................................................%
let AXY_WRITE = new_definition
('AXY_WRITE',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
AXY_WRITE rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc)(reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | m),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
);;
save_thm('AXY_WRITE',EXPAND_LET_RULE AXY_WRITE);;
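Every microinstruction in micro_def.ml opens with the same guard: if stop is already set, the only change is that mpc is forced back to FETCH_addr, and the checking microinstructions (FETCH_u3 testing valid_address on the incremented p, AXY_WRITE testing the destination field, NO_OVL testing ovl) raise stop instead of writing their result. stop_thm earlier in the appendix states the consequence: once stop holds with mpc at FETCH_addr, the state at t+n equals the state at t for every n. The Python model below is an added example, not the report's HOL text; it encodes that guard and two of the checks and exercises the stop_thm property by simulation. ram is left out of the modelled state, and the address space, the register-file layout (p as register 3, as FETCH_u2's update_reg regs (F,T,T) indicates) and the bit positions of DSF in the instruction word are assumptions of the model.

```python
"""Added example (not from the report's HOL text): a Python model of the
fail-stop convention in micro_def.ml.  Models FETCH_u3 (stop unless p+1,
held in res, is a valid address) and AXY_WRITE (stop unless the destination
is A, X or Y) and checks the property stop_thm states: once stop is set with
mpc at FETCH_addr, further steps change nothing.  ram is omitted; address
space, register layout and DSF bit positions are assumptions."""
from dataclasses import dataclass, replace
from typing import Callable, Tuple

FETCH_ADDR = 0          # the page's (F,F,F,F,F,F,F)
ADDR_SPACE = 64         # assumption: valid addresses are 0 .. 63
P_REG = 3               # p is register 3: FETCH_u2 writes it via update_reg regs (F,T,T)

@dataclass(frozen=True)
class MicroState:
    regs: Tuple[int, int, int, int]   # A, X, Y, P
    m: int
    ins: int
    din: int
    dout: int
    b: bool
    stop: bool
    ovl: bool
    mar: int
    res: int
    mpc: int

def dsf(ins: int) -> int:
    """Destination field; assumption: bits 5..3 of the instruction word."""
    return (ins >> 3) & 7

def valid_address(a: int) -> bool:
    return 0 <= a < ADDR_SPACE

def add_bt7(mpc: int, k: int) -> int:
    """7-bit microprogram-counter arithmetic (the page's add_bt7)."""
    return (mpc + k) % 128

def guarded(s: MicroState, new_stop: bool, res_if_go: int) -> MicroState:
    """Common tail of a checking microinstruction: on a failed check stop is
    raised, ovl and res are kept and mpc is sent to FETCH_addr; otherwise
    ovl is cleared, res takes the new value and mpc advances."""
    return replace(s, stop=new_stop,
                   ovl=s.ovl if new_stop else False,
                   res=s.res if new_stop else res_if_go,
                   mpc=FETCH_ADDR if new_stop else add_bt7(s.mpc, 1))

def fetch_u3(s: MicroState) -> MicroState:
    """Micro instruction 2: p+1 (computed into res by FETCH_u2) must be valid."""
    return guarded(s, not valid_address(s.res), s.m)

def axy_write(s: MicroState) -> MicroState:
    """Micro instruction 10: a destination of P (3) or 4..7 stops the machine."""
    return guarded(s, dsf(s.ins) in (3, 4, 5, 6, 7), s.m)

Micro = Callable[[MicroState], MicroState]

def step(s: MicroState, micro: Micro) -> MicroState:
    """Every microinstruction starts with the same guard: a stopped machine
    stays stopped and its mpc is forced to FETCH_addr; nothing else moves."""
    if s.stop:
        return replace(s, stop=True, mpc=FETCH_ADDR)
    return micro(s)

def run(s: MicroState, micro: Micro, n: int) -> MicroState:
    for _ in range(n):
        s = step(s, micro)
    return s

def frozen_once_stopped(s: MicroState, micro: Micro, n: int) -> bool:
    """stop_thm checked by simulation: with stop set and mpc = FETCH_addr,
    the state after n steps equals the state now."""
    assert s.stop and s.mpc == FETCH_ADDR
    return run(s, micro, n) == s

def demo_state(ins: int, res: int) -> MicroState:
    """Constructed sample state (not taken from the page)."""
    return MicroState(regs=(1, 2, 3, 4), m=9, ins=ins, din=0, dout=0,
                      b=False, stop=False, ovl=True, mar=0, res=res, mpc=10)

if __name__ == "__main__":
    halted = axy_write(demo_state(ins=3 << 3, res=5))   # DSF = 3 selects P
    print(halted.stop, halted.mpc, frozen_once_stopped(halted, fetch_u3, 7))
```

The model makes the design rule visible: a failed check never produces a partial write, because the register file, m and mar are untouched on the stop path, and the guard at the top of every microinstruction is what turns a single stop into a permanent halt at FETCH_addr.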
%...............................................................
Micro instruction 11: SHLS - destreg := shifted value
...............................................................%
let SHLS_u1 = new_definition
('SHLS_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHLS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let sval = shl rep (EL (bt2_val(RSF rep ins)) regs) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b sval,m,ins, din, dout, ram, b,





let NO_OVL = new_definition
('NO_OVL',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NO_OVL rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc)(reset) =
let new_stop = ( ovl ) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, ovl, ovl, mar,
(ovl => res | m),
(ovl => (F,F,F,F,F,F,F) | add_bt7 mpc 1))"
);;
save_thm('NO_OVL',EXPAND_LET_RULE NO_OVL);;
%...............................................................
Micro instruction 15: SHRS - destreg := shifted value
...............................................................%
let SHRS_u2 = new_definition
('SHRS_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHRS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b
(shr rep (EL (bt2_val(RSF rep ins)) regs)),
m, ins, din, dout, ram, b, F, F,




let SHRB_u2 = new_definition
('SHRB_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SHRB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let sval = shrb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b sval, m, ins, din, dout, ram,




Micro instruction 19: - goto fetch (NOOP)
let SHLB_u2 = new_definition
('SHLB_u2 _ ,
"!(rep:'rep_ty) (regs:(_wordn)list) (m ins din dout:_wordn) (ram:.memory)
(b stop ovl:bool) (mar:.add/-ess) (res:_wordn) (mpc:bt?)
(reset:bool).
SHLB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let sval = shlb rep ((EL (bt2_val(RSF rep ins)) regs), b) in
stop => (regs.m,ins.din,dout.r_n,b,T.ovl,mar,res,'FETCH_addr) I
(update_reg regs (DSF rep ins) b sval, m, ins. din, dout, ram,
187
);;
bitn rep (EL(bt2.val(RSFrep ins)) regs),F, F, mar,sval,
add_bt?mpcI)"
save_thm('SHLB_u2',EXPAND_LET_RULESHLB_u2);;
Microinstruction 22: - gotofetch (NOOP)
Microinstruction 23: fetch m: MF=O - go¢o mr01
................................................................
let MF0_u1 = new_definition
('MF0_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF0_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^MF01_addr)"
);;
save_thm('MF0_u1',EXPAND_LET_RULE MF0_u1);;
Micro instruction 24: fetch m : MF=1 - goto mf11
................................................................
let MF1_u1 = new_definition
('MF1_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF1_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^MF11_addr)"
);;
save_thm('MF1_u1',EXPAND_LET_RULE MF1_u1);;
Micro instruction 25: fetch m : MF=2 - goto mf21
................................................................
let MF2_u1 = new_definition
('MF2_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF2_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^MF21_addr)"
);;
save_thm('MF2_u1',EXPAND_LET_RULE MF2_u1);;
Micro instruction 26: fetch m : MF=3 - M := addr
................................................................
let MF3_u1 = new_definition
('MF3_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, pad rep (address rep ins), ins, din, dout, ram, b, F, F,
mar, pad rep (address rep ins), add_bt7 mpc 1)"
);;
save_thm('MF3_u1',EXPAND_LET_RULE MF3_u1);;
Micro instruction 27: fetch m : MF=3 - addr := m + y
................................................................
let MF3_u2 = new_definition
('MF3_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let mplusy = add rep ((EL y_reg regs),m) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, join rep (opcode rep ins, address rep mplusy), din,
dout, ram, b, F, aovfl rep ((EL y_reg regs), m, mplusy),
mar, mplusy, add_bt7 mpc 1)"
);;
save_thm('MF3_u2',EXPAND_LET_RULE MF3_u2);;
Micro instruction 28: fetch m : MF=3 - check if addr > 20 bits (FETCH_u3)
................................................................
Micro instruction 29: fetch m : MF=3 - get word from mem(addr)
................................................................
let MF3_u4 = new_definition
('MF3_u4_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, fetch rep (ram, address rep ins), dout, ram,
b, F, F, address rep ins, m, add_bt7 mpc 1)"
);;
save_thm('MF3_u4',EXPAND_LET_RULE MF3_u4);;
Micro instruction 30: fetch m : MF=3 - read word into m register
................................................................
let MF3_u5 = new_definition
('MF3_u5_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u5 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, din, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
);;
save_thm('MF3_u5',EXPAND_LET_RULE MF3_u5);;
Micro instruction 31: fetch m : MF=3 - goto base+opc wait 1 cycle
................................................................
let MF3_u6w1 = new_definition
('MF3_u6w1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u6w1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




Micro instruction 32: fetch m : MF=0 - M := addr wait 4 cycles
................................................................
let MF3_u1w4 = new_definition
('MF3_u1w4',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u1w4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, pad rep (address rep ins), ins, din, dout, ram, b, F, F,
mar, pad rep (address rep ins), ^wait_4_addr)"
);;
save_thm('MF3_u1w4',EXPAND_LET_RULE MF3_u1w4);;
Micro instruction 33: fetch m : MF=0 - goto base+opc (MF3_u6)
................................................................
Micro instruction 34: fetch m : MF=1 - get word from mem(addr) (MF3_u4)
................................................................
Micro instruction 35: fetch m : MF=1 - read word into m register wait 3 cycles
................................................................
let MF3_u5w3 = new_definition
('MF3_u5w3_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u5w3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, din, ins, din, dout, ram, b, F, F, mar, m, ^wait_3_addr)"
);;
save_thm('MF3_u5w3',EXPAND_LET_RULE MF3_u5w3);;
Micro instruction 36: fetch m : MF=1 - goto base+opc (MF3_u6)
................................................................
Micro instruction 38: fetch m : MF=2 - addr := m + x
................................................................
let MF2_u3 = new_definition
('MF2_u3',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF2_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let mplusx = add rep ((EL x_reg regs),m) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, join rep (opcode rep ins, address rep mplusx), din,
dout, ram, b, F, aovfl rep ((EL x_reg regs), m, mplusx),
mar, mplusx, add_bt7 mpc 1)"
);;
save_thm('MF2_u3',EXPAND_LET_RULE MF2_u3);;
Micro instruction 39: fetch m : MF=2 - check if addr > 20 bits (FETCH_u3)
................................................................
Micro instruction 40: fetch m : MF=2 - get word from mem(addr) (MF3_u4)
................................................................
Micro instruction 41: fetch m : MF=2 - read word into m register (MF3_u5)
................................................................
Micro instruction 43: COMPARE - goto compare1
................................................................
let COMPARE_u1 = new_definition
('COMPARE_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
COMPARE_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




Micro instruction 44: WRITEMEM - goto writemem1
................................................................
let WRITEMEM_u1 = new_definition
('WRITEMEM_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
WRITEMEM_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^WRITEMEM1_addr)"
);;
save_thm('WRITEMEM_u1',EXPAND_LET_RULE WRITEMEM_u1);;
Micro instruction 45: WRITEIO - goto writeio1
................................................................
let WRITEIO_u1 = new_definition
('WRITEIO_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
WRITEIO_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^WRITEIO1_addr)"
);;
save_thm('WRITEIO_u1',EXPAND_LET_RULE WRITEIO_u1);;
Micro instruction 46: NEG - goto neg1
................................................................
let NEG_u1 = new_definition
('NEG_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NEG_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




Micro instruction 47: CALL - goto call1
................................................................
let CALL_u1 = new_definition
('CALL_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
CALL_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^CALL1_addr)"
);;
save_thm('CALL_u1',EXPAND_LET_RULE CALL_u1);;
Micro instruction 48: READIO - goto readio1
................................................................
let READIO_u1 = new_definition
('READIO_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
READIO_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^READIO1_addr)"
);;
save_thm('READIO_u1',EXPAND_LET_RULE READIO_u1);;
Micro instruction 49: READMEM - goto readmem1
................................................................
let READMEM_u1 = new_definition
('READMEM_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
READMEM_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




Micro instruction 50: ADDB - goto addb1
................................................................
let ADDB_u1 = new_definition
('ADDB_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
ADDB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^ADDB1_addr)"
);;
save_thm('ADDB_u1',EXPAND_LET_RULE ADDB_u1);;
Micro instruction 51: ADDS - goto adds1
................................................................
let ADDS_u1 = new_definition
('ADDS_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
ADDS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^ADDS1_addr)"
);;
save_thm('ADDS_u1',EXPAND_LET_RULE ADDS_u1);;
Micro instruction 52: SUBB - goto subb1
................................................................
let SUBB_u1 = new_definition
('SUBB_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SUBB_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SUBB1_addr)"
);;
save_thm('SUBB_u1',EXPAND_LET_RULE SUBB_u1);;
Micro instruction 53: SUBS - goto subs1
................................................................
let SUBS_u1 = new_definition
('SUBS_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SUBS_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^SUBS1_addr)"
);;
save_thm('SUBS_u1',EXPAND_LET_RULE SUBS_u1);;
Micro instruction 54: XOR - goto xor1
................................................................
let XOR_u1 = new_definition
('XOR_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
XOR_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^XOR1_addr)"
);;
save_thm('XOR_u1',EXPAND_LET_RULE XOR_u1);;
Micro instruction 55: AND - goto and1
................................................................
let AND_u1 = new_definition
('AND_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
AND_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




let NOR_u1 = new_definition
('NOR_u1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NOR_u1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, ^NOR1_addr)"
);;
save_thm('NOR_u1',EXPAND_LET_RULE NOR_u1);;
Micro instruction 58: ANDMBAR - goto fetch (NOOP)
Micro instruction 59: COMPARE - b := compare(r,m)
................................................................
let COMPARE_u2 = new_definition
('COMPARE_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
COMPARE_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram,
bcmp rep ((EL (bt2_val(RSF rep ins)) regs),m,b,FSF rep ins), F,
F, mar, m, add_bt7 mpc 1)"
);;
save_thm('COMPARE_u2',EXPAND_LET_RULE COMPARE_u2);;
Micro instruction 61: WRITEMEM - write r to address ins[0..19] in memory
................................................................
let WRITEMEM_u2 = new_definition
('WRITEMEM_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
WRITEMEM_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, EL (bt2_val(RSF rep ins)) regs,
store rep (ram, address rep ins, EL (bt2_val(RSF rep ins)) regs),
b, F, F, address rep ins, m, add_bt7 mpc 1)"
);;
save_thm('WRITEMEM_u2',EXPAND_LET_RULE WRITEMEM_u2);;
Micro instruction 63: WRITEIO - write r to address ins[0..19] in io
................................................................
let WRITEIO_u2 = new_definition
('WRITEIO_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
WRITEIO_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, EL (bt2_val(RSF rep ins)) regs,
storeio rep (ram, address rep ins,
EL (bt2_val(RSF rep ins)) regs),
b, F, F, address rep ins, m, add_bt7 mpc 1)"
);;
save_thm('WRITEIO_u2',EXPAND_LET_RULE WRITEIO_u2);;
Micro instruction 66: NEGATE - destreg := -m
................................................................
let NEGATE_u2 = new_definition
('NEGATE_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NEGATE_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b (neg rep m), m, ins, din, dout,
ram, b, F, F, mar, (neg rep m), add_bt7 mpc 1)"
);;
save_thm('NEGATE_u2',EXPAND_LET_RULE NEGATE_u2);;
Micro instruction 67: NEGATE - goto fetch (NOOP)
Micro instruction 68: CALL - y := p
................................................................
let CALL_u2 = new_definition
('CALL_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
CALL_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (F,T,F) b (EL p_reg regs), m, ins, din, dout,
ram, b, F, F, mar, (EL p_reg regs), add_bt7 mpc 1)"
);;
save_thm('CALL_u2',EXPAND_LET_RULE CALL_u2);;
Micro instruction 69: CALL - p := m
................................................................
let CALL_u3 = new_definition
('CALL_u3',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
CALL_u3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (F,T,T) b m, m, ins, din, dout, ram, b, F, F,
mar, m, add_bt7 mpc 1)"
);;
save_thm('CALL_u3',EXPAND_LET_RULE CALL_u3);;
Micro instruction 70: CALL - check msb 12 bits of res (FETCH_u3)
Micro instruction 72: READIO - get word from io(addr)
................................................................
let READIO_u2 = new_definition
('READIO_u2_def',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
READIO_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, fetchio rep (ram, address rep ins), dout, ram,
b, F, F, address rep ins, m, add_bt7 mpc 1)"
);;
save_thm('READIO_u2',EXPAND_LET_RULE READIO_u2);;
Micro instruction 73: READIO - read word into m register (MF3_u5)
................................................................
Micro instruction 74: READIO - destreg := m
READIO_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b m, m, ins, din, dout,
ram, b, F, F, mar, m, add_bt7 mpc 1)"
................................................................
let READIO_u4 = new_definition
('READIO_u4',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
READIO_u4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b m),
m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | m),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1) )"
);;
save_thm('READIO_u4',EXPAND_LET_RULE READIO_u4);;
................................................................
Micro instruction 75: READIO - goto fetch (NOOP)
................................................................
................................................................
Micro instruction 76: READMEM - destreg := m (READIO_u4)
................................................................
let READMEM_u2 = new_definition
('READMEM_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
READMEM_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b m, m, ins, din, dout,




Micro instruction 77: READMEM - check if dest=p /\ result > 20 bits
This used to be SHLB_u2
................................................................
let CK_VALID_PC = new_definition
('CK_VALID_PC',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
CK_VALID_PC rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = (((DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T)) ) \/
(~(((DSF rep ins = (T,F,F)) /\ ~b) \/
((DSF rep ins = (T,F,T)) /\ b) ) /\
((DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T))) /\
~(valid_address rep res) )) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | m),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1)) "
);;
save_thm('CK_VALID_PC',EXPAND_LET_RULE CK_VALID_PC);;
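An executable model of the stop-gated pattern that READIO_u4 (micro instruction 74) and CK_VALID_PC (micro instruction 77) share, added here as an illustration in Python; it is not part of the report's HOL sources. It assumes 32-bit words, 20-bit addresses, ^FETCH_addr = 0, register order A, X, Y, P for EL 0..3, and takes the meaning of the DSF codes from the new_stop predicate above.

```python
from dataclasses import dataclass, replace
from typing import NamedTuple, Tuple

WORD_BITS = 32     # assumed width of *wordn (Viper words)
ADDR_BITS = 20     # addresses are 20 bits: "check msb 12 bits of res"
MPC_BITS = 7       # mpc : bt7
FETCH_ADDR = 0     # assumed value of ^FETCH_addr (mpc of the fetch microinstruction)

class Ins(NamedTuple):
    """Only the instruction fields these microinstructions read:
    DSF (3-bit destination select) and RSF (2-bit source register select)."""
    dsf: int
    rsf: int

@dataclass(frozen=True)
class MicroState:
    """The 12-tuple (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc)."""
    regs: Tuple[int, int, int, int]   # EL 0..3 assumed to be A, X, Y, P
    m: int
    ins: Ins
    din: int
    dout: int
    ram: dict
    b: bool
    stop: bool
    ovl: bool
    mar: int
    res: int
    mpc: int

def valid_address(w: int) -> bool:
    """valid_address rep res: a word whose top WORD_BITS - ADDR_BITS bits are clear."""
    return 0 <= w < (1 << WORD_BITS) and (w >> ADDR_BITS) == 0

def add_bt7(mpc: int, k: int) -> int:
    """add_bt7: 7-bit wrap-around increment of the microprogram counter."""
    return (mpc + k) % (1 << MPC_BITS)

def update_reg(regs, d: int, b: bool, val: int):
    """update_reg regs (DSF rep ins) b val.  Codes 0..3 write A, X, Y, P;
    4 and 5 are conditional P writes whose skip cases, read off the
    CK_VALID_PC predicate, are (4, ~b) and (5, b); 6 and 7 write nothing."""
    r = list(regs)
    if d <= 3:
        r[d] = val
    elif (d == 4 and b) or (d == 5 and not b):
        r[3] = val
    return tuple(r)

def stopped(s: MicroState) -> MicroState:
    """The `stop => (...,T,...,^FETCH_addr)` arm every microinstruction shares:
    a stopped machine keeps its state and only ever returns to fetch, still stopped."""
    return replace(s, stop=True, mpc=FETCH_ADDR)

def readio_u4(s: MicroState) -> MicroState:
    """Micro instruction 74: destreg := m.  Any destination other than A, X, Y
    raises new_stop, and the register write is suppressed in that case."""
    if s.stop:
        return stopped(s)
    new_stop = s.ins.dsf in (3, 4, 5, 6, 7)
    return replace(
        s,
        regs=s.regs if new_stop else update_reg(s.regs, s.ins.dsf, s.b, s.m),
        stop=new_stop,
        ovl=s.ovl if new_stop else False,
        res=s.res if new_stop else s.m,
        mpc=0 if new_stop else add_bt7(s.mpc, 1),
    )

def ck_valid_pc_new_stop(d: int, b: bool, res: int) -> bool:
    """The new_stop predicate of CK_VALID_PC, term by term."""
    illegal_dest = d in (6, 7)                               # (T,T,F) \/ (T,T,T)
    write_skipped = (d == 4 and not b) or (d == 5 and b)     # the negated disjunction
    p_dest = d in (3, 4, 5)                                  # (F,T,T) \/ (T,F,F) \/ (T,F,T)
    return illegal_dest or (not write_skipped and p_dest and not valid_address(res))

def ck_valid_pc(s: MicroState) -> MicroState:
    """Micro instruction 77: the previous microinstruction already wrote res to
    its destination; stop now if that made P an address wider than 20 bits."""
    if s.stop:
        return stopped(s)
    new_stop = ck_valid_pc_new_stop(s.ins.dsf, s.b, s.res)
    return replace(
        s,
        stop=new_stop,
        ovl=s.ovl if new_stop else False,
        res=s.res if new_stop else s.m,
        mpc=0 if new_stop else add_bt7(s.mpc, 1),
    )

def sample_state(dsf: int, b: bool = False, res: int = 0, stop: bool = False) -> MicroState:
    """Constructed sample state (not from the report): m = 0x1234, P = 0x100, mpc = 0x4C."""
    return MicroState(regs=(0, 0, 0, 0x100), m=0x1234, ins=Ins(dsf, 0), din=0, dout=0,
                      ram={}, b=b, stop=stop, ovl=False, mar=0, res=res, mpc=0x4C)
```

Once `stop` is set the machine never leaves the stopped arm, which is the fail-stop property the NO_OVL and CK_VALID_PC microinstructions are there to enforce.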
Micro instruction 79: ADDB - destreg := r+m; b:=carry
................................................................
let ADDB_u2 = new_definition
('ADDB_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
ADDB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let rplusm = (add rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b rplusm),
m, ins, din, dout, ram,
(new_stop => b |
addp rep ((EL (bt2_val(RSF rep ins)) regs),m,rplusm)),
new_stop,
(new_stop => ovl |
aovfl rep ((EL (bt2_val(RSF rep ins)) regs), m, rplusm)),
mar,
(new_stop => res | rplusm),




Micro instruction 80: ADDB - goto fetch (NOOP)
Micro instruction 81: ADDS - destreg := r+m
................................................................
let ADDS_u2 = new_definition
('ADDS_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
ADDS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let rplusm = (add rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b rplusm, m, ins, din, dout, ram,
b, F, aovfl rep ((EL (bt2_val(RSF rep ins)) regs), m, rplusm),
mar, rplusm, add_bt7 mpc 1)"
);;
save_thm('ADDS_u2',EXPAND_LET_RULE ADDS_u2);;
Micro instruction 85: SUBB - destreg := r-m; b:=borrow
................................................................
let SUBB_u2 = new_definition
('SUBB_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SUBB_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let rminusm = (sub rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b rminusm),
m, ins, din, dout, ram,
(new_stop => b |
subp rep ((EL (bt2_val(RSF rep ins)) regs),m,rminusm)),
new_stop,
(new_stop => ovl |
sovfl rep ((EL (bt2_val(RSF rep ins)) regs), m, rminusm)),
mar,
(new_stop => res | rminusm),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1) )"
);;
save_thm('SUBB_u2',EXPAND_LET_RULE SUBB_u2);;
Micro instruction 87: SUBS - destreg := r-m
................................................................
let SUBS_u2 = new_definition
('SUBS_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
SUBS_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let rminusm = (sub rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(update_reg regs (DSF rep ins) b rminusm, m, ins, din, dout, ram,
b, F, sovfl rep ((EL (bt2_val(RSF rep ins)) regs), m, rminusm),
mar, rminusm, add_bt7 mpc 1)"
);;
save_thm('SUBS_u2',EXPAND_LET_RULE SUBS_u2);;
Micro instruction 89: NO_OVL
Micro instruction 91: XOR - destreg := r XOR m
................................................................
let XOR_u2 = new_definition
('XOR_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
XOR_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
let rxorm = (bxor rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b rxorm),
m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | rxorm),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1) )"
);;
save_thm('XOR_u2',EXPAND_LET_RULE XOR_u2);;
Micro instruction 93: AND - destreg := r AND m
................................................................
let AND_u2 = new_definition
('AND_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
AND_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
let randm = (band rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b randm),
m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | randm),
(new_stop => (F,F,F,F,F,F,F) | add_bt7 mpc 1) )"
);;
save_thm('AND_u2',EXPAND_LET_RULE AND_u2);;
Micro instruction 95: NOR - destreg := r NOR m
................................................................
let NOR_u2 = new_definition
('NOR_u2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
NOR_u2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
let new_stop = ( (DSF rep ins = (F,T,T)) \/
(DSF rep ins = (T,F,F)) \/
(DSF rep ins = (T,F,T)) \/
(DSF rep ins = (T,T,F)) \/
(DSF rep ins = (T,T,T))) in
let rnorm = (bnor rep ((EL (bt2_val(RSF rep ins)) regs),m)) in
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
( (new_stop => regs | update_reg regs (DSF rep ins) b rnorm),
m, ins, din, dout, ram, b, new_stop,
(new_stop => ovl | F), mar,
(new_stop => res | rnorm),




Micro instruction 96: NOR - goto fetch (NOOP)
Micro instruction 97: wait 4 cycles
................................................................
let wait_4 = new_definition
('wait_4',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
wait_4 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
);;
save_thm('wait_4',EXPAND_LET_RULE wait_4);;
Micro instruction 98: wait 3 cycles
................................................................
let wait_3 = new_definition
('wait_3',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
wait_3 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m, add_bt7 mpc 1)"
);;
save_thm('wait_3',EXPAND_LET_RULE wait_3);;
Micro instruction 99: wait 2 cycles
................................................................
let wait_2 = new_definition
('wait_2',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
wait_2 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




Micro instruction 100: wait 1 cycle
................................................................
let wait_1 = new_definition
('wait_1',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
wait_1 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |




let MF3_u6 = new_definition
('MF3_u6',
"!(rep:^rep_ty) (regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
MF3_u6 rep (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) =
stop => (regs,m,ins,din,dout,ram,b,T,ovl,mar,res,^FETCH_addr) |
(regs, m, ins, din, dout, ram, b, F, F, mar, m,
add_bt7 ^BASE_addr
(bt5_val (FST (SND (decode rep (opcode rep ins, b))))))"
);;
save_thm('MF3_u6',EXPAND_LET_RULE MF3_u6);;
Micro instructions 102-127 : NOOP
let microstate = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
*memory#bool#bool#bool#*address#*wordn#bt7)";;
let micro_env = ":bool";;
The micro_inst_list will be used to instantiate inst_list in
mk_micro.ml.
................................................................
let micro_inst_list = new_definition
('micro_inst_list',











((F,F,F,T,F,F,F) (SHRB_u1 rep));
((F,F,F,T,F,F,T) (SHLB_u1 rep));
((F,F,F,T,F,T,F) (AXY_WRITE rep));
((F,F,F,T,F,T,T) (SHLS_u1 rep));













((F,F,T,T,F,F,T) (MF2_u1 rep));
((F,F,T,T,F,T,F) (MF3_u1 rep));
((F,F,T,T,F,T,T) (MF3_u2 rep));
((F,F,T,T,T,F,F) (FETCH_u3 rep));


















































































































































Select MPC from state. This is used to instantiate gen_I.th.
................................................................
let GetMPC = new_definition
('GetMPC',
"!(regs:(*wordn)list) (m ins din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7)
(reset:bool).
GetMPC (regs,m,ins,din,dout,ram,b,stop,ovl,mar,res,mpc) (reset) = mpc"
);;
Give # of phase level cycles for each microinstruction
................................................................
let PhaseCycles = new_definition
('PhaseCycles',





Description: Defines the micro level interpreter in terms of the
definitions in micro_def.th, phase.th, and gen_I.th.
Proves the lemmas for each microinstruction and
saves them.
Modified by ETS to include AXY_WRITE and CK_VAL_PC
set_search_path (search_path() @ lib_dir_list);;
loadf 'abstract';;
% this definition isn't in abstract yet %
let TAC_PROOF : (goal # tactic) -> thm =
set_fail_prefix 'TAC_PROOF'
(\(g,tac).
let new_g = ((fst g) @ theory_obligation_list, snd g) in
let gl,p = tac new_g in

















let load_micro_inst = (\x. theorem 'micro_def' x);;
let instructions = map load_micro_inst
['FETCH_u1' ; 'FETCH_u2' ; 'FETCH_u3' ; 'FETCH_u4' ;
'JMP_reqm' ; 'JMP_opc' ; 'NOOP' ; 'SHRS_u1' ;
'SHRB_u1' ; 'SHLB_u1' ; 'AXY_WRITE' ; 'SHLS_u1' ;
'NO_OVL' ; 'NOOP' ; 'AXY_WRITE' ; 'SHRS_u2' ;
'NOOP' ; 'AXY_WRITE' ; 'SHRB_u2' ; 'NOOP' ;
'AXY_WRITE' ; 'SHLB_u2' ; 'NOOP' ; 'MF0_u1' ;
'MF1_u1' ;
'MF2_u1' ; 'MF3_u1' ; 'MF3_u2' ; 'FETCH_u3' ;
'MF3_u4' ; 'MF3_u5' ; 'MF3_u6w1' ; 'MF3_u1w4' ;
'MF3_u6' ; 'MF3_u4' ; 'MF3_u5w3' ; 'MF3_u6' ;
'MF3_u1' ; 'MF2_u3' ; 'FETCH_u3' ; 'MF3_u4' ;
'MF3_u5' ; 'MF3_u6' ; 'COMPARE_u1' ; 'WRITEMEM_u1' ;
'WRITEIO_u1' ; 'NEG_u1' ; 'CALL_u1' ; 'READIO_u1' ;
'READMEM_u1' ; 'ADDB_u1' ; 'ADDS_u1' ; 'SUBB_u1' ;
'SUBS_u1' ; 'XOR_u1' ; 'AND_u1' ; 'NOR_u1' ;
'ANDMBAR_u1' ; 'NOOP' ; 'COMPARE_u2' ; 'NOOP' ;
'WRITEMEM_u2' ; 'NOOP' ; 'WRITEIO_u2' ; 'NOOP' ;
'AXY_WRITE' ; 'NEGATE_u2' ; 'NOOP' ; 'CALL_u2' ;
'CALL_u3' ; 'FETCH_u3' ; 'NOOP' ; 'READIO_u2' ;
'MF3_u5' ; 'READIO_u4' ; 'NOOP' ; 'READMEM_u2' ;
'CK_VALID_PC' ; 'NOOP' ; 'ADDB_u2' ; 'NOOP' ;
'ADDS_u2' ; 'CK_VALID_PC' ; 'NO_OVL' ; 'NOOP' ;
'SUBB_u2' ;
'NOOP' ; 'SUBS_u2' ; 'CK_VALID_PC' ; 'NO_OVL' ;
'NOOP' ;
'XOR_u2' ; 'NOOP' ; 'AND_u2' ; 'NOOP' ;
'NOR_u2' ; 'NOOP' ; 'wait_4' ; 'wait_3' ;
'wait_2' ; 'wait_1' ; 'MF3_u6' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ; 'NOOP' ; 'NOOP' ; 'NOOP' ;
'NOOP' ];;
let micro_inst_list = definition 'micro_def' 'micro_inst_list';;
let GetMPC = definition 'micro_def' 'GetMPC';;




let load_phase_inst = (\x. definition 'phase_def' x);;
let phases = map load_phase_inst
['phase_one_def';'phase_two_def';'phase_three_def'];;
let PhaseClockBegin = definition 'phase_def' 'PhaseClockBegin';;
let Phase_Substate = definition 'phase_def' 'Phase_Substate';;
let GetPhaseClock = definition 'phase_def' 'GetPhaseClock';;
let Phase_I = theorem 'phase' 'PHASE_I';;
let cond3_def = definition 'phase' 'cond3_def';;
let cond3_lemma = theorem 'phase' 'cond3_lemma';;
let micro_rom_expanded = theorem 'uinst' 'micro_rom_expanded';;
let A = definition 'regs_def' 'A';;
let X = definition 'regs_def' 'X';;
let Y = definition 'regs_def' 'Y';;




let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
let micro_state = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
*memory#bool#bool#bool#*address#*wordn#bt7)";;
let micro_env = ":bool";;
let Phase_state =
":(*wordn)list # *wordn # *wordn # *wordn # *wordn # *memory # bool #
bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) #
*wordn # *wordn # bool # bool # bool";;
let Phase_env = ":bool";;
................................................................
Intermediate theorem needed for rewriting
let ZERO_NEQ_SUC = theorem 'micro_aux' 'ZERO_NEQ_SUC';;
................................................................
let ZERO_NEQ_SUC = prove_thm(
'ZERO_NEQ_SUC',
"!n. ~(0 = SUC n)",
GEN_TAC THEN REWRITE_TAC[REWRITE_RULE[LESS_0]
(SPECL ["0"; "SUC n"] LESS_NOT_EQ)]
);;
Define the micro level interpreter in terms of the generic
interpreter definition.
let Micro_I_def = definition 'micro_aux' 'Micro_I_def';;
let Micro_I = theorem 'micro_aux' 'Micro_I';;
let Micro_I_IMPL_IMPL_DEF = definition 'micro_aux' 'Micro_I_IMPL_IMPL_DEF';;
................................................................
let Micro_I_def = new_definition
('Micro_I_def',
"! (rep:'rep_ty) (s:time->'micro_state) (e:time->'micro_env) .









(GetPhaseClock:'Phase_state -> 'Phase_env -> triple),
PhaseClockBegin, (\x:one. F) s e"
);;





(instantiate_abstract_definition 'gen_I' 'INTERP' Micro_I_def)))
);;
let Micro_I_IMPL_IMPL_DEF = new_definition
('Micro_I_IMPL_IMPL_DEF',
"! (rep:'rep_ty) (s:time->'Phase_state) (e:time->'Phase_env) .




(GetMPC:'micro_state -> 'micro_env -> bt7),
(PhaseCycles:bt7->num),
(Phase_Substate:'Phase_state -> 'micro_state),
(I:'Phase_env -> 'micro_env),
Phase_I rep,
(GetPhaseClock:'Phase_state -> 'Phase_env -> triple),












map (delete_cache o fst) (cached_theories());;
Some ML functions for the inference rules that follow.
................................................................
letrec term_list_el n l = (
let tm_hd x = rand(fst(dest_comb x)) and
tm_tl x = snd(dest_comb x) in
if (n = 0) then tm_hd l else
term_list_el (n-1) (tm_tl l)) ?
failwith 'term_list_el';;
This is insecure for right now (EL_CONV builds its result with mk_thm,
so the equation is asserted rather than proved), but it is reasonably
simple.
................................................................
let EL_CONV tm = (
let ((c,n),l) = ((dest_comb#I) o dest_comb) tm in
let n_int = term_to_int n in
mk_thm([],"^tm = ^(term_list_el n_int l)")) ?
failwith 'EL_CONV';;
Some other nice conversions
................................................................
let is_SND_term t =
if is_comb t then
fst(dest_const(fst(strip_comb t))) = 'SND'
else
false;;
let SND_CONV t =
if is_SND_term t then
let op,pr = dest_comb t in
let op,[t1;t2] = strip_comb pr in
SPECL [t1;t2] (
INST_TYPE [((type_of t1),":*");
((type_of t2),":**")] SND)
else
failwith 'SND_CONV';;
let TPLUS3LEMMA = TAC_PROOF
(([],
"!t. (t+3) = (((t + 1) + 1) + 1)"),
STRIP_TAC THEN







"(\t.(regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
rlatch t, mlatch t, ph1 t,ph2 t, ph3 t)):time->'Phase_state";
"(\t. (reset t)):time->'Phase_env"] Phase_I));;
let MK_Phase_I_Inst_LEMMA inst =
let clk_term =
((inst = 1) => "stop t = T" |
(inst = 2) => "ph1 t = T" |
(inst = 3) => "ph2 t = T" |
"ph3 t = T") in
let clk_lemma =
REWRITE_RULE [] (




"!t. (stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
(ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
(ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\






"regs t :(*wordn)list" ;
"mreg t :*wordn" ;
"insreg t :*wordn";
"din t :*wordn" ;
"dout t :*wordn" ;
"ram t:*memory";
"b t :bool" ;
((inst=1) => "T" | "F");
"ovl t:bool";




"micro_rom :num->ucode" ;





"reset t:bool"] (el ((inst=1) => inst | (inst-1)) phases)] (
CONV_RULE (DEPTH_CONV SND_CONV) (
CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
REWRITE_RULE [triple_VALUE_LEMMA] (SUBS[ASSUME clk_term] (
REWRITE_RULE (CONJUNCTS (clk_lemma)) (
SPEC_ALL (
SUBS [Phase_I_SPEC] (
ASSUME
"Phase_I (rep:'rep_ty)
(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
rlatch t, mlatch t, ph1 t, ph2 t, ph3 t))
(\t. (reset t))"))))))))))));;







"(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
rlatch t, mlatch t, ph1 t,
ph2 t, ph3 t)):time->'Phase_state";
"(\t. (reset t)):time->'Phase_env"]
Micro_I_IMPL_IMP));;
let MK_IMPL_IMP_GOAL n =




(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (rlatch mlatch:time->*wordn)
(ph1 ph2 ph3:time->bool) (reset:time->bool).
(!t.
(stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
(ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
(ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
(ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)) ==>
Micro_I_IMPL_IMP rep
(\t. (regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, micro_rom,
rlatch t, mlatch t, ph1 t, ph2 t, ph3 t))
(\t. (reset t)) ^inst";;
let SPEC_SELECTOR x thm =
let inst = snd(dest_eq x) in
let (addr,seqalu,dec,mem,srcdst,en,sel) =
(I # (I # (I # (I # (I # dest_pair))))) (
(I # (I # (I # (I # dest_pair)))) (
(I # (I # (I # dest_pair))) (
(I # (I # dest_pair)) (
(I # dest_pair) (
(dest_pair inst)))))) in
let (seq,alu) = (dest_pair seqalu) in
let (r,w,io) =
(I # dest_pair) (
(dest_pair mem)) in
let (mrf, mdf, rfc,dfc) =
(I # (I # dest_pair)) (
(I # dest_pair) (
(dest_pair srcdst))) in
let (de,re) = dest_pair en in
let (adrs,ds,ms) =
(I # dest_pair) (
(dest_pair sel)) in
SPECL [r;w;io;dec;rfc;dfc;de;re;adrs;ds;mrf;ms;seq;mdf;alu;addr] thm;;
let SPEC_ALL_SELECTORS x =
map (SPEC_SELECTOR x)
[Maddr;Seqctl;Aluctl;Dec_ctl;R;W;Io;Mrf;Mdf;Rfc;Dfc;De;Re;Adrs;Ds;Ms];;
map (delete_cache o fst) (cached_theories());;
let IMPL_IMP_TAC n =
let inst = term_list_el n
(snd(dest_eq(
snd(dest_forall(concl micro_inst_list))))) in
let thm = el (n+1) instructions in
let find_Phase_I_term tm = (
let ((x,y),z) = ((dest_comb # I)
(dest_comb tm)) in
(x = "Phase_I (rep:'rep_ty)")) ? false in (
REPEAT STRIP_TAC
THEN SUBST_TAC [SPEC inst Micro_IMPL_IMP_LEMMA]
THEN REWRITE_TAC [thm]
THEN SUBST_TAC[A;X;Y;P]
THEN STRIP_TAC THEN STRIP_TAC THEN STRIP_TAC
THEN POP_ASSUM(\thm. STRIP_ASSUME_TAC (MULTI_MP
(CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
(REWRITE_RULE[cond3_def] cond3_lemma))) thm))
THEN COND_CASES_TAC
THEN POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE[] thm))
THENL [
ASSUM_LIST(\asl. ASSUME_TAC (
REWRITE_RULE[(el 1 asl); (el 2 asl); (el 3 asl)]
(SPEC_ALL (el 6 asl))))
THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (
(\y. MP y (el 2 x)) (
SPEC "t:time" (
(\y. MP y (el 7 x)) (
MATCH_MP (el 1 Phase_I_Inst_list)
(hd (filter (find_Phase_I_term o concl) x)))))))))
THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (
(\y. MP y (el 11 x)) (
SPEC "t+1" (
(\y. MP y (el 25 x)) (
MATCH_MP (el 1 Phase_I_Inst_list)
(hd (filter (find_Phase_I_term o concl) x)) )))))))
THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (
(\y. MP y (el 11 x)) (
SPEC "(t+1)+1" (
(\y. MP y (el 43 x)) (
MATCH_MP (el 1 Phase_I_Inst_list)




REWRITE_RULE[(el 1 asl); (el 2 asl); (el 3 asl)]
(SPEC_ALL (el 6 asl))))
THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (
SUBS [CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
SPEC (int_to_term n) micro_rom_expanded)] (
CONV_RULE (ONCE_DEPTH_CONV bt7_val_CONV) (
SUBS [el 5 x] (
(\y. MP y (el 1 x)) (
SPEC "t:time" (
(\y. MP y (el 7 x)) (
MATCH_MP (el 2 Phase_I_Inst_list)
(hd (filter (find_Phase_I_term o concl) x))))))))))))
THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
CONJUNCTS (
REWRITE_RULE [PAIR_EQ] (
SUBS (SPEC_ALL_SELECTORS (concl (el 6 x))) (
SUBS [el 6 x] (
(\y. MP y (el 2 x)) (
SPEC "t+1" (
(\y. MP y (el 25 x)) (
MATCH_MP (el 3 Phase_I_Inst_list)
(hd (filter (find_Phase_I_term o concl) x)) )))))))))
THEN ASSUM_LIST (\x. if is_eq(concl(el 1 x))
then
( let (lhs, rhs) = dest_eq(concl(el 11 x)) in
(ASM_CASES_TAC rhs THENL [
POP_ASSUM (\thm.
(ASSUM_LIST (\x. ASSUME_TAC (REWRITE_RULE x thm))) THEN
ASSUME_TAC thm) THEN
ASSUM_LIST (\x. ASSUME_TAC





(\y. MP y (el 1 x)) (
SPEC "(t+1)+1" (
(\y. MP y (el 46 x)) (
MATCH_MP (el 1 Phase_I_Inst_list)
(hd (filter
(find_Phase_I_term o concl) x)) )))))))) THEN
PURE_ONCE_REWRITE_TAC[TPLUS3LEMMA] THEN
ASM_REWRITE_TAC [] ;
POP_ASSUM (\thm. ASSUME_TAC( REWRITE_RULE[] thm))THEN
POP_ASSUM (\thm.
(ASSUM_LIST (\x. ASSUME_TAC (REWRITE_RULE x thm))) THEN
ASSUME_TAC thm) THEN
ASSUM_LIST (\x. ASSUME_TAC





SUBS (SPEC_ALL_SELECTORS (concl (el 9 x))) (
SUBS [el 9 x] (
(\y. MP y (el 1 x)) (
SPEC "(t+1)+1" (
(\y. MP y (el 46 x)) (
MATCH_MP (el 4 Phase_I_Inst_list)
(hd (filter





THEN ASSUM_LIST(\asl. ASSUME_TAC (
ONCE_REWRITE_RULE [DE_MORGAN_THM] (el 22 asl)))








SUBS (SPEC_ALL_SELECTORS (concl (el 6 x))) (
SUBS [el 6 x] (
(\y. MP y (el 1 x)) (
SPEC "(t+1)+1" (
(\y. MP y (el 43 x)) (
MATCH_MP (el 4 Phase_I_Inst_list)
(hd (filter (find_Phase_I_term o concl) x)) ))))))))
THEN PURE_ONCE_REWRITE_TAC[TPLUS3LEMMA] THEN
ASM_REWRITE_TAC [] THEN
REWRITE_TAC[P; bt2_val; bt3_val] THEN
CONV_TAC (TOP_DEPTH_CONV num_CONV) THEN
REWRITE_TAC [ZERO_NEQ_SUC; NOT_SUC; INV_SUC_EQ; add_bt7] ))
]);;




let SAVE_INST_LEMMA n =
let name = (concat 'INST_' (string_of_int n)) in
save_thm(name,PROVE_IMPL_IMP_LEMMA n);;
map (delete_cache o fst) (cached_theories());;
letrec mk_num_list n m =
if n = m then [m] else
(n . (mk_num_list (n+1) m));;
The microinstructions will be proved and the resulting
theorems will be saved. The theorem for microinstruction n
will be saved under the name INST_n
.............................................
map SAVE_INST_LEMMA (mk_num_list 0 15);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 16 31);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 32 47);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 48 63);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 64 79);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 80 95);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 96 111);;
map (delete_cache o fst) (cached_theories());;
map SAVE_INST_LEMMA (mk_num_list 112 127);;




Description: Uses the individual correctness lemmas for each
micro instruction from micro_aux.th to prove the
instruction correctness lemma and complete the
Phase to Micro level proof.
set_search_path (search_path() @ lib_dir_list);;
loadf 'abstract';;
% this definition isn't in abstract yet %
let TAC_PROOF : (goal # tactic) -> thm =
set_fail_prefix 'TAC_PROOF'
(\(g,tac).
let new_g = ((fst g) @ theory_obligation_list,snd g) in
let gl,p = tac new_g in









map new_parent ['micro_aux'; 'threeval'];;
load_definitions 'threeval';;
load_theorems 'threeval';;
map (delete_cache o fst) (cached_theories());;
let mk_inst_list n =
letrec mk_inst_list_aux n m =
let thm x = (theorem 'micro_aux' (concat 'INST_' (string_of_int x)))
in
if n = m then [thm m] else
((thm n) . (mk_inst_list_aux (n+1) m)) in
mk_inst_list_aux 0 n;;
let inst_lemma_list = (mk_inst_list 127);;
let Micro_I_def = definition 'micro_aux' 'Micro_I_def';;
let Micro_I = theorem 'micro_aux' 'Micro_I';;
let Micro_I_IMPL_IMPL_DEF = definition 'micro_aux' 'Micro_I_IMPL_IMPL_DEF';;
let Micro_I_IMPL_IMP =
let Micro_I_EXT =
CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Micro_I_IMPL_IMPL_DEF in







let micro_inst_list = definition 'micro_def' 'micro_inst_list';;
let micro_rom = definition 'uinst' 'micro_rom';;
map (delete_cache o fst) (cached_theories());;
let Phase_Substate = definition 'phase_def' 'Phase_Substate';;
let GetPhaseClock = definition 'phase_def' 'GetPhaseClock';;
let PhaseClockBegin = definition 'phase_def' 'PhaseClockBegin';;
let Phase_I = theorem 'phase' 'PHASE_I';;
................................................................
Load abstract type definitions.
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
Define type terms for the state and env.
................................................................
let micro_state = ":((*wordn)list#*wordn#*wordn#*wordn#*wordn#
*memory#bool#bool#bool#*address#*wordn#bt7)";;
let micro_env = ":bool";;
let phase_state =
":(*wordn)list # *wordn # *wordn # *wordn # *wordn # *memory # bool #
bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) #
*wordn # *wordn # bool # bool # bool";;
let phase_env = ":bool";;
map (delete_cache o fst) (cached_theories());;
................................................................
Some ML functions for the inference rules that follow.
................................................................
letrec term_list_el n l = (
let tm_hd x = rand(fst(dest_comb x)) and
tm_tl x = snd(dest_comb x) in
if (n = 0) then tm_hd l else
term_list_el (n-1) (tm_tl l)) ?
failwith 'term_list_el';;
This is insecure for right now, but it is reasonably simple.
................................................................
let EL_CONV tm = (
let ((c,n),l) = ((dest_comb#I) o dest_comb) tm in
let n_int = term_to_int n in
mk_thm([],"^tm = ^(term_list_el n_int l)")) ?
failwith 'EL_CONV';;
The first obligation of the abstract interpreter theory
................................................................
let Micro_I_CORRECT_LEMMA_AUX = TAC_PROOF
(([],
"!(rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
(rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
(reset:time->bool).
(!t.
(stop t ==> ~ph1 t /\ ~ph2 t /\ ~ph3 t) /\
(ph1 t = ~stop t /\ ~ph2 t /\ ~ph3 t) /\
(ph2 t = ~stop t /\ ~ph1 t /\ ~ph3 t) /\
(ph3 t = ~stop t /\ ~ph1 t /\ ~ph2 t)) ==>
EVERY (Micro_I_IMPL_IMP rep
(\t.
(regs t,mreg t,insreg t,din t,dout t,ram t,b t,stop t,
ovl t,mar t, res t,mpc t,mir t,micro_rom,rlatch t,mlatch t,
ph1 t,ph2 t,ph3 t))




THEN POP_ASSUM (\asl. MP_TAC asl)
THENL (map MATCH_ACCEPT_TAC inst_lemma_list)
);;










"! mpc. bt7_val mpc < (LENGTH (micro_inst_list (rep:'rep_ty)))"),
REPEAT GEN_TAC
THEN REWRITE_TAC [micro_inst_list;LENGTH]
THEN STRUCT_CASES_TAC (SPEC "mpc:bt7" SEVEN_TUPLE_VALUE_LEMMA)
THEN CONV_TAC (DEPTH_CONV bt7_val_CONV)
THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
THEN REWRITE_TAC [LESS_0;LESS_MONO_EQ]
);;
save_thm('Micro_I_LENGTH_LEMMA',Micro_I_LENGTH_LEMMA);;
map (delete_cache o fst) (cached_theories());;
let Micro_I_ORDER_LEMMA = TAC_PROOF
(([],
"!mpc:bt7 . mpc = (FST (EL (bt7_val mpc)
(micro_inst_list (rep:'rep_ty))))"),
REPEAT GEN_TAC
THEN SUBST_TAC [SPEC "rep:'rep_ty" micro_inst_list]
THEN STRUCT_CASES_TAC (SPEC "mpc:bt7" SEVEN_TUPLE_VALUE_LEMMA)
THEN CONV_TAC (ONCE_DEPTH_CONV bt7_val_CONV)
THEN CONV_TAC (ONCE_DEPTH_CONV EL_CONV)
THEN REWRITE_TAC []
);;
let Micro_I_ORDER_LEMMA = mk_thm([],
"!mpc:bt7 . mpc = (FST (EL (bt7_val mpc) (micro_inst_list (rep:'rep_ty))))"
);;
save_thm('Micro_I_ORDER_LEMMA',Micro_I_ORDER_LEMMA);;
map (delete_cache o fst) (cached_theories());;
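The two lemmas just proved state that every 7-bit micro program counter indexes inside micro_inst_list (LENGTH) and that the entry found at position bt7_val mpc is keyed by mpc itself (ORDER); together they are what lets the micro level interpreter dispatch by position without ever reading a mismatched entry. The Python model below is an added example, not code from the report: it replays both checks over the microinstruction names transcribed from the instructions list of the micro_aux listing above. The names bt7_of_int, bt7_val, micro_inst_list, length_lemma_holds, order_lemma_holds and misordered are chosen for this example, and bt7_val is assumed to read the tuple most-significant bit first, which is the ordering that pairs (F,F,F,T,F,F,F) with SHRB_u1 in micro_inst_list.

```python
"""Model of the LENGTH and ORDER lemmas about micro_inst_list (an added
example, not code from the report)."""

# Microinstruction names in micro-ROM order, transcribed from the
# `instructions` list of the micro_aux listing; list position = mpc value.
MICRO_ROM_NAMES = (
    "FETCH_u1 FETCH_u2 FETCH_u3 FETCH_u4 JMP_reqm JMP_opc NOOP SHRS_u1 "
    "SHRB_u1 SHLB_u1 AXY_WRITE SHLS_u1 NO_OVL NOOP AXY_WRITE SHRS_u2 "
    "NOOP AXY_WRITE SHRB_u2 NOOP AXY_WRITE SHLB_u2 NOOP MF0_u1 "
    "MF1_u1 MF2_u1 MF3_u1 MF3_u2 FETCH_u3 MF3_u4 MF3_u5 MF3_u6w1 "
    "MF3_u1w4 MF3_u6 MF3_u4 MF3_u5w3 MF3_u6 MF3_u1 MF2_u3 FETCH_u3 "
    "MF3_u4 MF3_u5 MF3_u6 COMPARE_u1 WRITEMEM_u1 WRITEIO_u1 NEG_u1 CALL_u1 "
    "READIO_u1 READMEM_u1 ADDB_u1 ADDS_u1 SUBB_u1 SUBS_u1 XOR_u1 AND_u1 "
    "NOR_u1 ANDMBAR_u1 NOOP COMPARE_u2 NOOP WRITEMEM_u2 NOOP WRITEIO_u2 "
    "NOOP AXY_WRITE NEGATE_u2 NOOP CALL_u2 CALL_u3 FETCH_u3 NOOP "
    "READIO_u2 MF3_u5 READIO_u4 NOOP READMEM_u2 CK_VALID_PC NOOP ADDB_u2 "
    "NOOP ADDS_u2 CK_VALID_PC NO_OVL NOOP SUBB_u2 NOOP SUBS_u2 "
    "CK_VALID_PC NO_OVL NOOP XOR_u2 NOOP AND_u2 NOOP NOR_u2 "
    "NOOP wait_4 wait_3 wait_2 wait_1 MF3_u6"
).split() + ["NOOP"] * 26   # unused ROM locations 102..127 are NOOP


def bt7_of_int(n):
    """7-tuple of booleans for 0 <= n < 128, most significant bit first
    (assumed ordering; it pairs (F,F,F,T,F,F,F) with SHRB_u1 as above)."""
    if not 0 <= n < 128:
        raise ValueError("mpc value out of range: %r" % (n,))
    return tuple(bool((n >> (6 - i)) & 1) for i in range(7))


def bt7_val(bits):
    """Inverse of bt7_of_int: the number a bt7 tuple denotes."""
    value = 0
    for bit in bits:
        value = (value << 1) | int(bit)
    return value


def micro_inst_list():
    """The (mpc, microinstruction) pairs, each keyed by its own position."""
    return [(bt7_of_int(i), name) for i, name in enumerate(MICRO_ROM_NAMES)]


def length_lemma_holds(table):
    """Micro_I_LENGTH_LEMMA: every bt7 value indexes inside the table."""
    return all(bt7_val(mpc) < len(table) for mpc in map(bt7_of_int, range(128)))


def order_lemma_holds(table):
    """Micro_I_ORDER_LEMMA: FST (EL (bt7_val mpc) table) = mpc for all mpc."""
    return length_lemma_holds(table) and all(
        table[bt7_val(mpc)][0] == mpc for mpc in map(bt7_of_int, range(128)))


def misordered(table, i, j):
    """Copy of the table with entries i and j swapped (a transcription slip)."""
    copy = list(table)
    copy[i], copy[j] = copy[j], copy[i]
    return copy


if __name__ == "__main__":
    rom = micro_inst_list()
    print("entries:", len(rom), "length lemma:", length_lemma_holds(rom),
          "order lemma:", order_lemma_holds(rom))
    print("after swapping entries 8 and 9, order lemma:",
          order_lemma_holds(misordered(rom, 8, 9)))
```

The misordered helper shows what the ORDER lemma catches: a table whose keys and positions disagree still passes the LENGTH check, and a version of the lemma asserted with mk_thm (as in the second definition above) would accept it silently, whereas the TAC_PROOF version fails on the mismatched case.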
















("s':time->'state",
"(\t. ( regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t,
mir t, urom, rlatch t, mlatch t, ph1 t,
ph2 t, ph3 t)):time->'phase_state")
let correct_lemma = snd(hd theorem_list);;












Cycle   uCode      uLoc   Comment
t       fetch_u1   0      fetch macro instruction
t + 1   fetch_u2   1      increment pc
t + 2   fetch_u3   2      invalid address (> 20 bits)?
t + 3   fetch_u4   3      ir <- macro instruction
t + 4   jmp_reqm   4      require memory?

If no memory fetch is required

t + 5   jmp_opc    5      jump to noop+instruction number

If a memory fetch is required

Addressing mode: IMMEDIATE
Cycle   uCode      uLoc   Comment
t + 5   MF0_u1     23     jump to immediate addr mode fetch
t + 6   MF3_u1w4   32     jump to wait 4
t + 7   wait4      97     idle
t + 8   wait3      98     idle
t + 9   wait2      99     idle
t + 10  wait1      100    idle





t + 5   MF1_u1     24     jump to indirect addr mode fetch
t + 6   MF3_u4     34     get word from memory
t + 7   MF3_u5w3   35
t + 8   wait3      98     idle
t + 9   wait2      99     idle
t + 10  wait1      100    idle
t + 11  MF3_u6     101    jump to base+instruction number

Addressing mode: INDEXED with x
Cycle   uCode      uLoc   Comment
t + 5   MF2_u1     25     jump to indexed-x addr mode fetch
t + 6   MF3_u1     37     m <- instruction operand
t + 7   MF2_u2     38     addr <- m + x
t + 8   fetch_u3   39     invalid address (> 20 bits)?
t + 9   MF3_u4     40     get word from memory
t + 10  MF3_u5     41     read word into m
t + 11  MF3_u6     42     jump to base+instruction number

Addressing mode: INDEXED with y
Cycle   uCode      uLoc   Comment
t + 5   MF3_u1     26     m <- instruction operand
t + 6   MF3_u2     27     addr <- m + y
t + 7   fetch_u3   28     invalid address (> 20 bits)?
t + 8   MF3_u4     29     get word from memory
t + 9   MF3_u5     30     read word into m
t + 10  MF3_u6w1   31     jump to wait_0 (MF3_u6)
t + 11  MF3_u6     101







Instruction: NOOP # 0
uLoc Comment














destination must be register A, X or Y
shr operation













jump to shrb code
destination must be register A, X or Y
shrb operation













jump to shlb code
destination must be register A, X or Y
shlb operation













destination must be register A, X or Y
shls operation
result must not overflow












jump to compare code
compare operation











jump to writem code
write r to address











jump to writeio code
write r to address













jump to neg code
destination must be register A,X or Y
jump to fetch next macro instruction
Instruction: CALL # 9
Cycle   uCode        uLoc   Comment
t + 12  call_u1      47
t + 13  call_u2      68
t + 14  call_u3      69
t + 15  fetch_u3     70














        NOOP         75     jump to fetch next macro instruction
Instruction: READM # 11
Cycle   uCode        uLoc   Comment
t + 12  readmem_u1   49
t + 13  readio_u4    76
t + 14  CK_VALID_PC  77
t + 15  NOOP         78     jump to fetch next macro instruction
Instruction: ADDB # 12
Cycle   uCode        uLoc   Comment
t + 12  ADDB_u1      50
t + 13  ADDB_u2      79
t + 14  NOOP         80     jump to fetch next macro instruction
Instruction: ADDS # 13
Cycle   uCode        uLoc   Comment
t + 12  ADDS_u1      51
t + 13  ADDS_u2      81
t + 14  CK_VALID_PC  82
t + 15  NO_OVL       83









        NOOP         86     jump to fetch next macro instruction
Instruction: SUBS # 15
Cycle   uCode        uLoc   Comment
t + 12  SUBS_u1      53
t + 13  SUBS_u2      87
t + 14  CK_VALID_PC  88
t + 15  NO_OVL       89































Instruction: ANDMBAR # 19
uCode        uLoc   Comment
ANDMBAR_u1   57
NOOP         58     jump to fetch next macro instruction
Appendix G: SAMPLE MACRO TO MICRO LEVEL PROOF
let SHIFT_SYMB_EXEC1_TAC =
NORMAL_SYMB_EXEC 4 T4 THEN DELETE_USTEP_TAC 3
THEN NORMAL_SYMB_EXEC 5 T5 THEN DELETE_USTEP_TAC 4
THEN NORMAL_SYMB_EXEC 6 T6 THEN DELETE_USTEP_TAC 5
THEN JMPOPC_POP_ASSUM_TAC
THEN NEXT_SYMB_EXEC_TAC 7 THEN DELETE_USTEP_TAC 6
THEN ASM_CASES_TAC AXY_DSF_CASES
THEN POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [DE_MORGAN_THM] thm ));;
let SHIFT_BAD_DEST_TAC =
ASSUM_LIST(\asl. ASSUME_TAC(
REWRITE_RULE (CONJUNCTS(el 1 asl)) DSF_CASES))
THEN ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el 3 asl)+1) Micro_Int_Inst_list))
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thm1.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;T8] @ (subtract asl[thm])) thm) )))))
THEN DELETE_USTEP_TAC 7
% The processor is now stopped due to an addressing exception;
specialize and rewrite stop_thm to show nothing will change %
THEN ASSUM_LIST(\asl.
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 1 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (el 17 asl) ))))) in
ASSUME_TAC( REWRITE_RULE [ (el 1 asl); (el 5 asl) ; (el 21 asl);
(sumTHM curTime (endTime-curTime)) ]
(SPECL [(int_to_term (endTime - curTime )); (t_plus_term curTime)]
stop_thm) ) )
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ] @ (subtract asl[thm])) thm) ))))
THEN DELETE_USTEP_TAC 8
THEN ASM_REWRITE_TAC [PAIR_EQ]
THEN REWRITE_TAC [update_reg; PAIR_EQ;EL_SET_EL];;
let SHIFT_GOOD_DEST_TAC1 =
ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE[(el 1 asl)] AXY_IMP1 ))
THEN ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el 3 asl)+1) Micro_Int_Inst_list))
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thm1.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;T8] @ (subtract asl[thm])) thm) )))))
THEN NORMAL_POP_ASSUM_TAC
THEN DELETE_USTEP_TAC 7
THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9;;
let SHIFT_GOOD_DEST_TAC2 =










[ INDEPENDENCE_TAC INDEP_X_UPDATE1 ;
INDEPENDENCE_TAC INDEP_Y_UPDATE1 ]
]
THEN ASM_REWRITE_TAC [] ;;
let SHIFTB_GOOD_DEST_TAC =














































Run time: 14550.3s (combined steps)














Intermediate theorems generated: 73834
Intermediate theorems generated: 20909
Intermediate theorems generated: 28525
Intermediate theorems generated: 26480
Intermediate theorems generated: 29003
Intermediate theorems generated: 115876









Intermediate theorems generated: 67117
Intermediate theorems generated: 3905
Intermediate theorems generated: 28853
Intermediate theorems generated: 23540
Intermediate theorems generated: 29521
Intermediate theorems generated: 95274
Run time: 3337.4s/55.6m thms generated: 248210 74thms/sec
Run time: 3259.9s Intermediate theorems generated: 248202
map (delete_cache o fst) (cached_theories());;


















Intermediate theorems generated: 69555
Intermediate theorems generated: 5828
Intermediate theorems generated: 28853
Intermediate theorems generated: 31757
Intermediate theorems generated: 114624
Run time: 3749.3s/62.5m thms generated 250617 67thms/sec
map (delete_cache o fst) (cached_theories());;














Intermediate theorems generated: 103886
Intermediate theorems generated: 25436
Intermediate theorems generated: 146380
Run time: 4113.7/68.7m thms generated 275702 67thms/sec
........................................................................
map (delete_cache o fst) (cached_theories());;












The microcode for this instruction is different than the other




Intermediate theorems generated: 106432
Intermediate theorems generated: 28460
Intermediate theorems generated: 40518
attempt 2:
Run time: 1205.8s Intermediate theorems generated: 98349
Run time: 374.1s Intermediate theorems generated: 24716
Run time: 550.9s Intermediate theorems generated: 40518
Run time: 1893.9s Intermediate theorems generated: 130991
Run time: 24.2s Intermediate theorems generated: 706
Run time: 33.1s Intermediate theorems generated: 706
Run time: 78.3s Intermediate theorems generated: 838
Run time: 1972.3s Intermediate theorems generated: 136632
map (delete_cache o fst) (cached_theories());;










NORMAL_SYMB_EXEC 4 T4 THEN DELETE_USTEP_TAC 3
NORMAL_SYMB_EXEC 5 T5 THEN DELETE_USTEP_TAC 4
NORMAL_SYMB_EXEC 6 T6 THEN DELETE_USTEP_TAC 5
JMPOPC_POP_ASSUM_TAC
ASM_CASES_TAC AXY_DSF_CASES
POP_ASSUM(\thm. ASSUME_TAC (REWRITE_RULE [DE_MORGAN_THM] thm ))
% variation on SHIFT_BAD_DEST_TAC %
e( ASSUM_LIST(\asl. ASSUME_TAC(
REWRITE_RULE (CONJUNCTS(el 1 asl)) DSF_CASES))
THEN ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el 3 asl)+1) Micro_Int_Inst_list))
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thm1.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;T7] @ (subtract asl[thm])) thm) )))))
THEN DELETE_USTEP_TAC 6
% The processor is now stopped due to an addressing exception;
specialize and rewrite stop_thm to show nothing will change %
THEN ASSUM_LIST(\asl.
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 1 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (el 17 asl) ))))) in
ASSUME_TAC( REWRITE_RULE [ (el 1 asl); (el 5 asl) ; (el 21 asl);
(sumTHM curTime (endTime-curTime)) ]
(SPECL [(int_to_term (endTime - curTime )); (t_plus_term curTime)]
stop_thm) ) )
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ] @ (subtract asl[thm])) thm) ))))
THEN DELETE_USTEP_TAC 7
THEN % rewrite with address case





e( ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE[(el 1 asl)] AXY_IMP1 ))
THEN ASSUM_LIST(\asl.
IMP_RES_TAC (el (mpc_from_thm (el 3 asl)+1) Micro_Int_Inst_list))
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm. POP_ASSUM(\thm1.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ;T7] @ (subtract asl[thm])) thm) )))))
THEN NORMAL_POP_ASSUM_TAC
THEN DELETE_USTEP_TAC 6
THEN NEXT_SYMB_EXEC_TAC 8 THEN DELETE_USTEP_TAC 7
THEN NEXT_SYMB_EXEC_TAC 9 THEN DELETE_USTEP_TAC 8
THEN ASM_CASES_TAC
"(bitn (rep:'rep_ty)(EL (bt2_val
(RSF rep(fetch rep(ram (t:num),address rep(EL p_reg(reg t))))))
(update_reg(reg t)(F,T,T)(b t)(add rep(EL p_reg(reg t),wordn rep 1)))))"
);;
% ...... overflow case .......... %
e( POP_ASSUM(\thm1. POP_ASSUM(\thm2.
(ASSUME_TAC thm1 )
THEN ASSUME_TAC( REWRITE_RULE [thm1] thm2) ))
THEN ASSUM_LIST(\asl.
let curTime = (term_to_int
(rand(rand(fst( dest_eq(snd(dest_thm(el 1 asl))))))) ) in
let endTime =
(term_to_int (snd(dest_eq(snd(dest_thm (el 18 asl) ))))) in
ASSUME_TAC( REWRITE_RULE[(el 1 asl) ; (el 6 asl) ; (el 2 asl) ; (el 22 asl) ;
(sumTHM curTime (endTime-curTime)) ]
(SPECL [(int_to_term (endTime- curTime )); (t_plus_term curTime)]
stop_thm) ) )
THEN ASSUM_LIST (\asl. POP_ASSUM(\thm.
MAP_EVERY ASSUME_TAC ( (CONJUNCTS (REWRITE_RULE
([PAIR_EQ] @ (subtract asl[thm])) thm) ))))
THEN DELETE_USTEP_TAC 9
% from SHIFT_GOOD_DEST_TAC2 %
THEN ASSUM_LIST(\asl. DISJ_CASES_TAC (el 15 asl) )
THENL [ EXPAND_REG_TAC





THEN EXPAND_COND_TAC 15
THEN ASM_REWRITE_TAC [PAIR_EQ;EL_SET_EL]
THENL





THEN POP_ASSUM(\thm. (ASSUM_LIST(\asl. REWRITE_TAC
[(REWRITE_RULE ([update_reg] @ asl) thm)] )))
);;
% ...... no overflow case .......... %
e( POP_ASSUM(\thm1. POP_ASSUM(\thm2.
(ASSUME_TAC thm1 )
THEN ASSUME_TAC( REWRITE_RULE [thm1] thm2) ))
THEN NEXT_SYMB_EXEC_TAC 10 THEN DELETE_USTEP_TAC 9
% from SHIFT_GOOD_DEST_TAC2 %
THEN ASSUM_LIST(\asl. DISJ_CASES_TAC (el 15 asl) )
THENL [ EXPAND_REG_TAC














THEN POP_ASSUM(\thm. (ASSUM_LIST(\asl. REWRITE_TAC




Appendix H: PHASE LEVEL SPECIFICATION
File: def_phase.ml
Description: Defines the behavioral description of the phase level
interpreter.
Modified by ETS to reflect block changes.




map new_parent ['aux_def';'tuple'; 'regs_def'; 'ucode_def'; 'threeval'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
Denotational descriptions of phase level instructions.
................................................................
let phase_one_def = new_definition
('phase_one_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_one rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
stop => (regs, mreg, insreg, din, dout, ram, b, T, ovl, mar, res,
(F,F,F,F,F,F,F), mir, urom, rlatch, mlatch, F, F, F) |
(regs, mreg, insreg, din, dout, ram, b, F, ovl, mar, res,
mpc, urom (bt7_val mpc), urom, rlatch, mlatch, F, T, F) "
);;
let phase_two_def = new_definition
('phase_two_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_two rep (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
(regs,mreg,insreg,din,
(W mir => EL (bt2_val(Rfc mir => (Mrf mir) | RSF rep insreg))regs | dout),
ram,b,
((FST(decode rep(opcode rep insreg,b)) /\ (Dec_ctl mir)) \/
((Seqctl mir = (F,F,T))
/\ (((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,F)) \/
((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,T)))
/\ ((MSF rep insreg) = (F,F)) ) \/
(Seqctl mir = T,F,F) /\ ovl \/
(Seqctl mir = T,F,T) /\ ~valid_address rep res \/
(Seqctl mir = T,T,F) /\
( ((DSF rep insreg = (T,T,F)) \/ (DSF rep insreg = (T,T,T))) \/
(~(( (DSF rep insreg = (T,F,F)) /\ ~b) \/
( (DSF rep insreg = (T,F,T)) /\ b) ) /\
((DSF rep insreg = (F,T,T)) \/
(DSF rep insreg = (T,F,F)) \/
(DSF rep insreg = (T,F,T))) /\
~valid_address rep res )) \/
(Seqctl mir = T,T,T) /\
((DSF rep insreg = (F,T,T)) \/
(DSF rep insreg = (T,F,F)) \/
(DSF rep insreg = (T,F,T)) \/
(DSF rep insreg = (T,T,F)) \/
(DSF rep insreg = (T,T,T)) )),
ovl,
((R mir \/ W mir) =>
(Adrs mir => address rep insreg |
address rep(EL p_reg regs))|mar),
res,mpc,mir,urom,
EL (bt2_val(Rfc mir => (Mrf mir) | RSF rep insreg)) regs,
((Ms mir = F,F) => mreg |
((Ms mir = F,T) => wordn rep 1 | pad rep(address rep insreg))),
F,F,
~((FST(decode rep(opcode rep insreg,b)) /\ (Dec_ctl mir)) \/
((Seqctl mir = (F,F,T))
/\ (((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,F)) \/
((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,T)))
/\ ((MSF rep insreg) = (F,F)) ) \/
(Seqctl mir = T,F,F) /\ ovl \/
(Seqctl mir = T,F,T) /\ ~valid_address rep res \/
(Seqctl mir = T,T,F) /\
( ((DSF rep insreg = (T,T,F)) \/ (DSF rep insreg = (T,T,T))) \/
(~(( (DSF rep insreg = (T,F,F)) /\ ~b) \/
( (DSF rep insreg = (T,F,T)) /\ b) ) /\
((DSF rep insreg = (F,T,T)) \/
(DSF rep insreg = (T,F,F)) \/
(DSF rep insreg = (T,F,T))) /\
~valid_address rep res )) \/
(Seqctl mir = T,T,T) /\
((DSF rep insreg = (F,T,T)) \/
(DSF rep insreg = (T,F,F)) \/
(DSF rep insreg = (T,F,T)) \/
(DSF rep insreg = (T,T,F)) \/
(DSF rep insreg = (T,T,T)) )))"
);;
has let definitions, takes a long time to load, so replaced
it by HOL-expanded definition.
................................................................
let rselect = bt2_val((Rfc mir) => (Mrf mir) | RSF rep insreg) in
let r_out = (EL rselect regs) in
let new_dout = ((W mir) => r_out | dout) in
let bad_res = ~(valid_address rep res) in
let df = (DSF rep insreg) in
let pdest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))) in
let skip = ((df=(T,F,F)) /\ ~b) \/ ((df=(T,F,T)) /\ b ) in
let bad_rdest = ((df=(T,T,F)) \/ (df=(T,T,T))) in
let bad_dest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))
\/ (df=(T,T,F)) \/ (df=(T,T,T)))
in
let seq_case4 = ((Seqctl mir) = (T,F,F)) in
let seq_case5 = ((Seqctl mir) = (T,F,T)) in
let seq_case6 = ((Seqctl mir) = (T,T,F)) in
let seq_case7 = ((Seqctl mir) = (T,T,T)) in
let msl_stop = ((seq_case4 /\ ovl) \/
(seq_case5 /\ bad_res) \/
(seq_case6 /\ (bad_rdest \/
(~skip /\ pdest /\ bad_res))) \/
(seq_case7 /\ bad_dest)) in







let adr_out = ((Adrs mir) => (address rep insreg) |
(address rep (EL p_reg regs))) in
let new_mar = (((R mir) \/ (W mir)) => adr_out | mar) in
let new_rlatch = r_out in
let new_mlatch = (((Ms mir) = (F,F)) => mreg |
((Ms mir) = (F,T)) => (wordn rep 1) |
(pad rep (address rep insreg))) in
(regs, mreg, insreg, din, new_dout, ram, b, new_stop, ovl, new_mar,
res, mpc, mir, urom, new_rlatch, new_mlatch, F, F, ~new_stop)"
let phase_three_def = new_definition
('phase_three_def',
"! (rep:'rep_ty) (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
phase_three rep(regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
((Re mir =>
((Dfc mir /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
regs |
update_reg regs
(Dfc mir => (Mdf mir) | DSF rep insreg) b
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
rlatch |
((Aluctl mir = F,F,T,T) =>
neg rep mlatch |
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
add rep(rlatch,mlatch) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sub rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,F) =>
bxor rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,T) =>
band rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,F) =>
bnor rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,T) =>
band rep(rlatch,bnot rep mlatch) |
((Aluctl mir = T,T,F,F) =>
shr rep rlatch |
((Aluctl mir = T,T,F,T) =>
shrb rep(rlatch,b) |
((Aluctl mir = T,T,T,F) =>




(Ds mir => mreg | din) |
((Re mir /\ Dfc mir /\
((bt3_val(Dfc mir => (Mdf mir) | DSF rep insreg)) = 6)) =>
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
rlatch |
((Aluctl mir = F,F,T,T) =>
neg rep mlatch |
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
add rep(rlatch,mlatch) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sub rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,F) =>
bxor rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,T) =>
band rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,F) =>
bnor rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,T) =>
band rep(rlatch,bnot rep mlatch) |
((Aluctl mir = T,T,F,F) =>
shr rep rlatch |
((Aluctl mir = T,T,F,T) =>
shrb rep(rlatch,b) |
((Aluctl mir = T,T,T,F) =>




(Ds mir => din | insreg) |
((Re mir /\ Dfc mir /\
((bt3_val(Dfc mir => (Mdf mir) | DSF rep insreg)) = 7)) =>
join rep (opcode rep insreg, address rep
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
rlatch |
((Aluctl mir = F,F,T,T) =>
neg rep mlatch |
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
add rep(rlatch,mlatch) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sub rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,F) =>
bxor rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,T) =>
band rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,F) =>
bnor rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,T) =>
band rep(rlatch,bnot rep mlatch) |
((Aluctl mir = T,T,F,F) =>
shr rep rlatch |
((Aluctl mir = T,T,F,T) =>
shrb rep(rlatch,b) |
((Aluctl mir = T,T,T,F) =>
shl rep rlatch |
shlb rep(rlatch,b)))))))))))))) |
insreg) ),
(R mir => (Io mir => fetchio rep(ram,mar) | fetch rep(ram,mar)) | din),
dout,
(W mir => (Io mir => storeio rep(ram,mar,dout) | store rep(ram,mar,dout)) | ram),
((Aluctl mir = F,F,T,F) =>
bcmp rep(rlatch,mlatch,b,FSF rep insreg) |
((Aluctl mir = F,T,F,F) =>
addp rep(rlatch,mlatch,add rep(rlatch,mlatch)) |
((Aluctl mir = F,T,T,F) =>
subp rep(rlatch,mlatch,sub rep(rlatch,mlatch)) |
((Aluctl mir = T,T,F,T) =>
bit0 rep rlatch |
((Aluctl mir = T,T,T,T) => bitn rep rlatch | b))))),
F,
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
aovfl rep(rlatch,mlatch,add rep(rlatch,mlatch)) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sovfl rep (rlatch,mlatch,sub rep(rlatch,mlatch)) |
((Aluctl mir = T,T,T,F) => bitn rep rlatch | F))),
mar,
(((Aluctl mir = F,F,F,F) \/ (Aluctl mir = F,F,T,F)) =>
mlatch |
((Aluctl mir = F,F,F,T) =>
rlatch |
((Aluctl mir = F,F,T,T) =>
neg rep mlatch |
(((Aluctl mir = F,T,F,F) \/ (Aluctl mir = F,T,F,T)) =>
add rep(rlatch,mlatch) |
(((Aluctl mir = F,T,T,F) \/ (Aluctl mir = F,T,T,T)) =>
sub rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,F) =>
bxor rep(rlatch,mlatch) |
((Aluctl mir = T,F,F,T) =>
band rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,F) =>
bnor rep(rlatch,mlatch) |
((Aluctl mir = T,F,T,T) =>
band rep(rlatch,bnot rep mlatch) |
((Aluctl mir = T,T,F,F) =>
shr rep rlatch |
((Aluctl mir = T,T,F,T) =>
shrb rep(rlatch,b) |
((Aluctl mir = T,T,T,F) =>
shl rep rlatch |
shlb rep(rlatch,b))))))))))))),
(((Seqctl mir = F,F,T) /\ SND(SND(decode rep(opcode rep insreg,b))) \/
(Seqctl mir = F,T,F) \/
(Seqctl mir = F,T,T)) =>
(((Seqctl mir = F,F,T)
/\ ~( (((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,F)) \/
((FST(SND(decode rep(opcode rep insreg,b)))) = (F,F,T,T,T)))
/\ ((MSF rep insreg) = (F,F)))
/\ SND(SND(decode rep(opcode rep insreg,b)))
) =>
bt7_ival((bt7_val(Maddr mir)) + (bt2_val(MSF rep insreg))) |
((Seqctl mir = F,T,F) =>
bt7_ival
((bt7_val(Maddr mir)) +
(bt5_val(FST(SND(decode rep(opcode rep insreg,b)))))) |
((Seqctl mir = F,T,T) => Maddr mir | (F,F,F,F,F,F,F)))) |
bt7_ival((bt7_val mpc) + 1)),
mir,urom,rlatch,mlatch,T,F,F)"
);;
has let definitions, takes a long time to load, so replaced
let alu_case0 = ((Aluctl mir) = (F,F,F,F)) in
let alu_case1 = ((Aluctl mir) = (F,F,F,T)) in
let alu_case2 = ((Aluctl mir) = (F,F,T,F)) in
let alu_case3 = ((Aluctl mir) = (F,F,T,T)) in
let alu_case4 = ((Aluctl mir) = (F,T,F,F)) in
let alu_case5 = ((Aluctl mir) = (F,T,F,T)) in
let alu_case6 = ((Aluctl mir) = (F,T,T,F)) in
let alu_case7 = ((Aluctl mir) = (F,T,T,T)) in
let alu_case8 = ((Aluctl mir) = (T,F,F,F)) in
let alu_case9 = ((Aluctl mir) = (T,F,F,T)) in
let alu_case10 = ((Aluctl mir) = (T,F,T,F)) in
let alu_case11 = ((Aluctl mir) = (T,F,T,T)) in
let alu_case12 = ((Aluctl mir) = (T,T,F,F)) in
let alu_case13 = ((Aluctl mir) = (T,T,F,T)) in
let alu_case14 = ((Aluctl mir) = (T,T,T,F)) in
let alu_case15 = ((Aluctl mir) = (T,T,T,T)) in
let sum = (add rep (rlatch,mlatch)) in
let diff = (sub rep (rlatch,mlatch)) in
let result = (((alu_case0) \/ (alu_case2)) => mlatch |
alu_case1 => rlatch |
alu_case3 => (neg rep mlatch) |
(alu_case4 \/ alu_case5) => sum |
(alu_case6 \/ alu_case7) => diff |
alu_case8 => (bxor rep (rlatch, mlatch)) |
alu_case9 => (band rep (rlatch, mlatch)) |
alu_case10 => (bnor rep (rlatch, mlatch)) |
alu_case11 => (band rep (rlatch, bnot rep mlatch)) |
alu_case12 => (shr rep rlatch) |
alu_case13 => (shrb rep (rlatch, b)) |
alu_case14 => (shl rep rlatch) |
(shlb rep (rlatch, b))) in
let w_reg = ((Dfc mir) => (Mdf mir) | DSF rep insreg) in
let new_regs =
((Re mir) =>
(((Dfc mir) /\ ((Mdf mir = (T,T,F)) \/ (Mdf mir = (T,T,T)))) =>
regs |
update_reg regs w_reg b result) |
regs) in
let new_mreg =
( (De mir) => ((Ds mir) => mreg | din) |
(((Re mir) /\ (Dfc mir) /\ (bt3_val(w_reg) = 6)) =>
result | mreg) ) in
let new_insreg =
( (De mir) => ((Ds mir) => din | insreg) |
(((Re mir) /\ (Dfc mir) /\ (bt3_val(w_reg) = 7)) =>
(join rep (opcode rep insreg, address rep result)) |
insreg) ) in
let new_din = ((R mir) => ((Io mir) => fetchio rep (ram, mar) |
fetch rep (ram, mar)) |
din) in
let new_ram = ((W mir) => ((Io mir) => storeio rep (ram, mar, dout) |
store rep (ram, mar, dout)) |
ram) in
let new_b = (alu_case2 =>
(bcmp rep (rlatch, mlatch, b, FSF rep insreg)) |
alu_case4 => (addp rep (rlatch, mlatch, sum)) |
alu_case6 => (subp rep (rlatch, mlatch, diff)) |
alu_case13 => (bit0 rep rlatch) |
alu_case15 => (bitn rep rlatch) |
b ) in
let new_ovl = ((alu_case4 \/ alu_case5) =>
(aovfl rep (rlatch, mlatch, sum)) |
(alu_case6 \/ alu_case7) =>
(sovfl rep (rlatch, mlatch, diff)) |
alu_case14 => (bitn rep rlatch) |
F) in
let new_res = result in
let seq_case1 = ((Seqctl mir) = (F,F,T)) in
let seq_case2 = ((Seqctl mir) = (F,T,F)) in
let seq_case3 = ((Seqctl mir) = (F,T,T)) in
let reqm = (SND(SND(decode rep (opcode rep insreg, b)))) in
let opc = (FST(SND(decode rep (opcode rep insreg, b)))) in
let jaddr = ((seq_case1 /\ reqm) =>
(bt7_ival ((bt7_val (Maddr mir)) + (bt2_val (MSF rep insreg)))) |
seq_case2 =>
(bt7_ival ((bt7_val (Maddr mir)) + (bt5_val opc))) |
seq_case3 => (Maddr mir) |
(F,F,F,F,F,F,F)) in
let muxmc = ((seq_case1 /\ reqm) \/ seq_case2 \/ seq_case3) in
let new_mpc = (muxmc => jaddr | bt7_ival (bt7_val mpc + 1)) in
(new_regs, new_mreg, new_insreg, new_din, dout, new_ram, new_b, F,
new_ovl, mar, new_res, new_mpc, mir, urom, rlatch, mlatch, T, F, F)"
................................................................
Selector function on phase level state for the phase level
counter.
................................................................
let GetPhaseClock = new_definition
('GetPhaseClock',
"! (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
GetPhaseClock (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar,
res, mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
(ph2 => TWO |
ph3 => THREE |
ONE)"
);;
Gives the number of EBM cycles to implement one phase level
cycle.
................................................................
let PhaseLevelCycles = new_definition
('PhaseLevelCycles',
"! t:triple.
PhaseLevelCycles t = 1"
);;




let Phase_Substate = new_definition
('Phase_Substate',
"! (regs:(*wordn)list) (mreg insreg din dout:*wordn)
(ram:*memory) (b stop ovl:bool) (mar:*address) (res:*wordn)
(mpc:bt7) (mir:ucode) (urom:num->ucode) (rlatch mlatch:*wordn)
(ph1 ph2 ph3:bool) (reset:bool).
Phase_Substate (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar,




'I' serves as the substate function since the state
of the phase level is equivalent to the phase of the EBM.
'I' also serves as the subenv function since the set of external
lines in the phase level is the same as the set of external





Description: Defines the phase level interpreter in terms of the
definitions in block_def.th, phase_def.th, and gen_I.th.
Proves the lemmas meeting the theory obligations for the
abstract theory gen_I.th and instantiates a proof of the
phase level in terms of the EBM.
................................................................







let time_shift = definition 'gen_I' 'time_shift';;
let GetPhaseClock = definition 'phase_def' 'GetPhaseClock';;
let PhaseLevelCycles = definition 'phase_def' 'PhaseLevelCycles';;
let phase_one_def = definition 'phase_def' 'phase_one_def';;
let phase_two_def = definition 'phase_def' 'phase_two_def';;
let phase_three_def = definition 'phase_def' 'phase_three_def';;
let GetEBMClock = definition 'block_def' 'GetEBMClock';;
let EBM_Start = definition 'block_def' 'EBM_Start';;
let EBM_expanded = theorem 'block_def' 'EBM_expanded';;
loadf 'tuple';;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
let Phase_state =
":(*wordn)list # *wordn # *wordn # *wordn # *wordn # *memory # bool #
bool # bool # *address # *wordn # bt7 # ucode # (num -> ucode) #
*wordn # *wordn # bool # bool # bool";;
let Phase_env = ":bool";;
let EBM_state = Phase_state;;
let EBM_env = Phase_env;;
let phase_three_expanded =
EXPAND_LET_RULE phase_three_def;;
Define the phase level interpreter in terms of the generic
interpreter definition.
................................................................
let Phase_I_def = new_definition
('Phase_I_def',
"! (rep:'rep_ty) (s:time->'Phase_state) (e:time->'Phase_env) .











EBM_Start, @x:one. F) s e"
);;
let PHASE_I = save_thm
('PHASE_I',
BETA_RULE (EXPAND_LET_RULE
(instantiate_abstract_definition 'gen_I' 'INTERP' Phase_I_def)));;
let Phase_I_IMPL_IMP_DEF = new_definition
('Phase_I_IMPL_IMP_DEF',
"! (rep:'rep_ty) s' e'.
Phase_I_IMPL_IMP rep s' e' =
IMPL_IMP
([ONE,phase_one rep;
TWO,phase_two rep;
THREE,phase_three rep],
triple_value,
(GetPhaseClock:'Phase_state -> 'Phase_env -> triple),
(PhaseLevelCycles:triple->num),
(I:'EBM_state->'Phase_state),
(I:'EBM_env->'Phase_env), EBM rep,
(GetEBMClock:'EBM_state->'EBM_env->bool),




CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Phase_I_IMPL_IMP_DEF in
(REWRITE_RULE [I_THM] (BETA_RULE (EXPAND_LET_RULE
(instantiate_abstract_definition
'gen_I' 'IMPL_IMP' Phase_I_EXT))));;
We need to establish the first theory obligation for the abstract
theory for a generic interpreter. First, we
will prove Phase_I_IMPL_IMP applies to each of the phases and
then use these results to establish that Phase_I_IMPL_IMP applies
to EVERY instruction (i.e. the first theory obligation).
................................................................
A lemma needed for rewriting
let cond3_def = new_definition
('cond3_def',
"!c1 c2 . cond3_def c1 c2 =
(c1 => TWO |
c2 => THREE |
ONE)"
);;
let xx = prove_constructors_distinct triple;;
let cond3_lemma = prove_thm
('cond3_lemma',
"! c1 c2 . (((cond3_def c1 c2 = TWO) ==> c1) /\
((cond3_def c1 c2 = THREE) ==> c2) /\
((cond3_def c1 c2 = ONE) ==> (~c1 /\ ~c2)))",
REPEAT GEN_TAC THEN REWRITE_TAC[cond3_def] THEN
MAP_EVERY BOOL_CASES_TAC ["c1:bool"; "c2:bool"]
THEN REWRITE_TAC[PAIR_EQ] THEN REWRITE_TAC (CONJUNCTS xx) THEN
REWRITE_TAC
[NOT_EQ_SYM(hd(CONJUNCTS xx)); NOT_EQ_SYM(hd(tl(CONJUNCTS xx)));
NOT_EQ_SYM(hd(tl(tl(CONJUNCTS xx))))]
);;
let COND_NULL_LEMMA = TAC_PROOF
(([], "! b (c:*).

















THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl));;
let PHASE_ONE_EBM_LEMMA = TAC_PROOF
(([],
"!(rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)




(regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,




THEN POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
(CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
(REWRITE_RULE [cond3_def] cond3_lemma))) thm))
THEN COND_CASES_TAC




(REWRITE_RULE [el 1 asl] (el 13 asl))) THEN
POP_ASSUM_LIST (\asl. (MAP_EVERY
(CHECK_ASSUME_TAC o (REWRITE_RULE




(REWRITE_RULE [(el 1 asl); (el 2 asl); (el 3 asl)]
(el 12 asl))) THEN
POP_ASSUM_LIST (\asl. (MAP_EVERY
(CHECK_ASSUME_TAC o (REWRITE_RULE




let PHASE_TWO_EBM_LEMMA = TAC_PROOF
(([],
"!(rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
(rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
(reset:time->bool).
Phase_I_IMPL_IMP rep
(\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,






POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
(CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
(REWRITE_RULE [cond3_def] cond3_lemma))) thm)) THEN
ASSUM_LIST (\asl. STRIP_ASSUME_TAC
(REWRITE_RULE [el 1 asl] (el 9 asl))) THEN
POP_ASSUM_LIST (\asl. (MAP_EVERY
(CHECK_ASSUME_TAC o (REWRITE_RULE




let PHASE_THREE_EBM_LEMMA = TAC_PROOF
(([],
"!(rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
(rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
(reset:time->bool).
Phase_I_IMPL_IMP rep
(\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,





POP_ASSUM (\thm. STRIP_ASSUME_TAC (MULTI_MP
(CONJUNCTS (SPECL ["(ph2 t):bool"; "(ph3 t):bool"]
(REWRITE_RULE [cond3_def] cond3_lemma))) thm)) THEN
ASSUM_LIST (\asl. STRIP_ASSUME_TAC
(REWRITE_RULE [el 1 asl] (el 8 asl))) THEN
POP_ASSUM_LIST (\asl. (MAP_EVERY
(CHECK_ASSUME_TAC o (REWRITE_RULE
[(el 1 asl); (el 2 asl); (el 3 asl); (el 4 asl)])) asl)) THEN
ASSUM_LIST (\asl. REWRITE_TAC [SYM
(REWRITE_RULE [el 4 asl] (el 8 asl))]) THEN
POP_ASSUM_LIST (\asl. MAP_EVERY (\thm.
let rat = ((fst o dest_var o rator o fst o dest_eq)
(concl thm) ? 'xxx') and
ran = ((fst o dest_var o rand o fst o dest_eq)
(concl thm) ? 'xxx') in
if ((mem rat (words 'result')) & (mem ran (words ctc)))




BOOL_CASES_TAC "R(mir t):bool" THEN REWRITE_TAC[]
);;
The first obligation of the abstract interpreter theory
................................................................
let Phase_I_EVERY_IMPL_IMP = TAC_PROOF
(([],
"!(rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
(rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
(reset:time->bool).
EVERY (Phase_I_IMPL_IMP rep
(\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,













let Phase_I_EVERY_LEMMA = (SPEC_ALL
(PURE_ONCE_REWRITE_RULE [Phase_I_IMPL_IMP_DEF] Phase_I_EVERY_IMPL_IMP));;
................................................................
The second obligation of the abstract interpreter theory
................................................................
let Phase_I_LENGTH_LEMMA = TAC_PROOF
(([],






The third obligation of the abstract interpreter theory
................................................................
let triple_cases = prove_cases_thm (prove_induction_thm triple);;
let Phase_I_KEY_LEMMA = TAC_PROOF
(([],




THEN STRUCT_CASES_TAC (SPEC "k:triple" triple_cases)
THEN REWRITE_TAC (CONJUNCTS triple_VALUE_LEMMA)
























"(\t:time. (regs t, mreg t, insreg t, din t, dout t, ram t,
b t, stop t, ovl t, mar t, res t, mpc t, mir t, urom,
rlatch t, mlatch t, ph1 t,
ph2 t, ph3 t)):time->'EBM_state");
]
'PHASE';;
Timeshift doesn't mean anything at this level since they share
a clock.
................................................................
let TIME_SHIFT_DEGENERATE_LEMMA = TAC_PROOF
(([],
"!(s:time->'Phase_state) (e:time->'Phase_env).
time_shift(\st env. PhaseLevelCycles (GetPhaseClock st env)) s e = I"),
REPEAT GEN_TAC
THEN CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
THEN INDUCT_TAC
THEN ONCE_REWRITE_TAC [EXPAND_LET_RULE time_shift]
THEN ASM_REWRITE_TAC [I_THM;PhaseLevelCycles;GetPhaseClock;o_DEF;ADD1]
);;
let correct_lemma = snd(hd theorem_list);;












Appendix h ELECTRONIC BLOCK LEVEL
File: def_regs.ml
Description: Register file definitions
................................................................
set_search_path (search_path() @ lib_dir_list);;
system '/bin/rm regs_def.th';;
new_theory 'regs_def';;
map new_parent ['aux_def'; 'aux_thms'];;
.............................................................................
Define selectors for register file
.............................................................................
let A = new_definition ('A',"a_reg = 0");;
let X = new_definition ('X',"x_reg = 1");;
let Y = new_definition ('Y',"y_reg = 2");;
let P = new_definition ('P',"p_reg = 3");;
.............................................................................
Define mutators for the register file
.............................................................................
let update_reg = new_definition
('update_reg',
"! (registers:(*wordn)list) (n:bt3) b value.
update_reg registers n b value =
(((n=(F,F,F)) \/ (n=(F,F,T)) \/ (n=(F,T,F))) =>
SET_EL (bt3_val n) registers value |
((n=(F,T,T)) =>
SET_EL p_reg registers value |
((((n=(T,F,F)) /\ b) \/ ((n=(T,F,T)) /\ ~b))) =>






Description: Defines the behavioral description of the electronic block
model.
Modified by ETS:
The sequence control logic now recognizes the
stop case where the pc, io space or is the target
but, it is not valid.
7/17 the register block now also receives the b flag value which must
be passed to update_reg. The datapath was changed accordingly.
the msl also receives b and control unit, ebm




map new_parent ['regs_def'; 'ucode_def'; 'tuple'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let GND = new_definition
('GND',
"! out . GND out = (out = F)"
);;
Mux which selects one of source register selects from instn and microinstn
................................................................
let MUXR_SPEC = new_definition
('MUXR_SPEC',
"! ctl (a:bt2) b c .
MUXR_SPEC ctl a b c =
c = (ctl => a | b)"
);;
Mux which selects one of destination register selects from instn and microinstn
................................................................
let MUXD_SPEC = new_definition
('MUXD_SPEC',
"! ctl (a:bt3) b c .
MUXD_SPEC ctl a b c =
c = (ctl => a | b)"
);;
Mux which selects addresses of next microinstruction
................................................................
let MUXM_SPEC = new_definition
('MUXM_SPEC',
"! ctl (a:bt7) b c .
MUXM_SPEC ctl a b c =
c = (ctl => a | b)"
);;
let REG_SPEC = new_definition
('REG_SPEC',
"! (i:time->*wordn) ld out .
REG_SPEC i ld out =




Flipflop (1-bit register) (B)
................................................................
let FF_SPEC = new_definition
('FF_SPEC',
"! (in:time->bool) (ld:time->bool) (q:time->bool) .
FF_SPEC in ld q =
! t:num . q(t+1) = ((ld t) => in t | q t)"
);;
Register with enable input - *wordn (DIN, DOUT)
let REG_EN_SPEC = new_definition
('REG_EN_SPEC',
"! set clk (in:time->*wordn) out .
REG_EN_SPEC set clk in out =
!t:time. out (t+1) = ((set t) /\ (clk t)) => in t | out t"
);;
let MAR_SPEC = new_definition
('MAR_SPEC',
"! set clk (in:time->*address) out .
MAR_SPEC set clk in out =
!t:time. out (t+1) = ((set t) /\ (clk t)) => in t | out t"
);;
PHASE CLOCK
let PHASE_CLOCK_SPEC = new_definition
('PHASE_CLOCK_SPEC',
"! dis p1 p2 p3.
PHASE_CLOCK_SPEC dis p1 p2 p3 =
!t:time. (dis t ==> ~(p1 t) /\ ~(p2 t) /\ ~(p3 t)) /\
(p1 t = ~(dis t) /\ ~(p2 t) /\ ~(p3 t)) /\
(p2 t = ~(dis t) /\ ~(p1 t) /\ ~(p3 t)) /\
(p3 t = ~(dis t) /\ ~(p1 t) /\ ~(p2 t)) /\
(p1 (t+1) = (p3 t)) /\
(p2 (t+1) = (p1 t)) /\
(p3 (t+1) = ((p2 t) => ~(dis (t+1)) | F))"
% there would be a race here, but it can be gotten rid of
by feeding this block with the unstrobed "stop" right out
of the STOP unit. It makes NO difference at the spec level %
);;
STOP unit
let STOP_SPEC = new_definition
('STOP_SPEC',
"! out in1 in2 strobe.
STOP_SPEC out in1 in2 strobe =
!t:time. out (t+1) = (strobe t) => ((in1 t) \/ (in2 t)) | out t"
);;
MPC unit
let MPC_SPEC = new_definition
('MPC_SPEC',
"! dis strobe (in:time->bt7) out.
MPC_SPEC dis strobe in out =
!t:time. (out (t+1) = (strobe t) => in t |






let INSDEC_SPEC = new_definition
('INSDEC_SPEC',
"! (rep:'rep_ty) (opcin:*opcode) (b enable stop reqm:bool) (opcout:bt5).
INSDEC_SPEC rep opcin b enable stop opcout reqm =
(stop = (FST (decode rep (opcin, b))) /\ enable) /\
(opcout = FST (SND (decode rep (opcin, b)))) /\





let MSL_SPEC = new_definition
('MSL_SPEC',
"! (rep:'rep_ty) (res:*wordn) (b ovl reqm:bool) (opc:bt5) (df seqctl:bt3)
(mf:bt2) (mc stop:bool) (maddr jaddr:bt7).
MSL_SPEC rep maddr seqctl res b ovl df mf reqm opc stop jaddr mc =
let case1 = (seqctl = (F,F,T)) in
let case2 = (seqctl = (F,T,F)) in
let case3 = (seqctl = (F,T,T)) in
let case4 = (seqctl = (T,F,F)) in
let case5 = (seqctl = (T,F,T)) in
let case6 = (seqctl = (T,T,F)) in
let case7 = (seqctl = (T,T,T)) in
let bad_res = ~(valid_address rep res) in
let pdest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))) in
let skip = ((df=(T,F,F)) /\ ~b) \/ ((df=(T,F,T)) /\ b ) in
let bad_rdest = ((df=(T,T,F)) \/ (df=(T,T,T))) in
let bad_dest = ((df=(F,T,T)) \/ (df=(T,F,F)) \/ (df=(T,F,T))
\/ (df=(T,T,F)) \/ (df=(T,T,T))) in
let bad_write = (((opc = (F,F,T,T,F)) \/ (opc = (F,F,T,T,T))) /\
(mf = (F,F))) in
((stop =
((case1 /\ bad_write) \/
(case4 /\ ovl) \/
(case5 /\ bad_res) \/
(case6 /\ (bad_rdest \/
(~skip /\ pdest /\ bad_res))) \/
(case7 /\ bad_dest)))
/\
(jaddr = ((case1 /\ ~bad_write /\ reqm)
=> (bt7_ival ((bt7_val maddr) + (bt2_val mf))) |
case2 => (bt7_ival ((bt7_val maddr) + (bt5_val opc))) |
case3 => maddr |
(F,F,F,F,F,F,F)))
/\
(mc = ((case1 /\ reqm) \/ case2 \/ case3))))"
);;
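The MSL_SPEC above, as an added executable Python model (not code from the report): it evaluates the stop, jaddr and mc conjuncts for concrete inputs so the stop cases (overflow, invalid result written to the PC, bad destination) can be exercised directly. Assumptions not on the page: bt7_ival wraps modulo 2^7, valid_address is passed in by the caller since the HOL version leaves it abstract in rep, and the demo uses a constructed 20-bit address space.

```python
# Added example: executable model of the MSL_SPEC microsequencer logic.
# Bit tuples are MSB first, matching the HOL btN tuples (T,F,...).
from typing import Callable, Dict, Tuple

T, F = True, False
Bits = Tuple[bool, ...]


def bt_val(bits: Bits) -> int:
    """bt2_val / bt5_val / bt7_val: MSB-first bit tuple to a number."""
    value = 0
    for bit in bits:
        value = (value << 1) | int(bit)
    return value


def bt7_ival(n: int) -> Bits:
    """Inverse of bt7_val; wraps modulo 2**7 (assumption, not on the page)."""
    n %= 1 << 7
    return tuple(bool((n >> (6 - i)) & 1) for i in range(7))


def msl_spec(maddr: Bits, seqctl: Bits, res: int, b: bool, ovl: bool,
             df: Bits, mf: Bits, reqm: bool, opc: Bits,
             valid_address: Callable[[int], bool]) -> Tuple[bool, Bits, bool]:
    """Return (stop, jaddr, mc), the three conjuncts of MSL_SPEC."""
    case = bt_val(seqctl)                      # seqctl cases 1..7
    case1, case2, case3 = case == 1, case == 2, case == 3
    case4, case5, case6, case7 = case == 4, case == 5, case == 6, case == 7
    bad_res = not valid_address(res)
    # DSF values 3,4,5 target the program counter (4 and 5 conditionally on b)
    pdest = df in ((F, T, T), (T, F, F), (T, F, T))
    skip = (df == (T, F, F) and not b) or (df == (T, F, T) and b)
    bad_rdest = df in ((T, T, F), (T, T, T))
    bad_dest = pdest or bad_rdest               # df in 3..7
    bad_write = opc in ((F, F, T, T, F), (F, F, T, T, T)) and mf == (F, F)
    stop = ((case1 and bad_write) or
            (case4 and ovl) or
            (case5 and bad_res) or
            (case6 and (bad_rdest or (not skip and pdest and bad_res))) or
            (case7 and bad_dest))
    if case1 and not bad_write and reqm:
        jaddr = bt7_ival(bt_val(maddr) + bt_val(mf))
    elif case2:
        jaddr = bt7_ival(bt_val(maddr) + bt_val(opc))
    elif case3:
        jaddr = maddr
    else:
        jaddr = (F,) * 7
    mc = (case1 and reqm) or case2 or case3
    return stop, jaddr, mc


def valid_20bit(addr: int) -> bool:
    """Constructed stand-in for valid_address: a 20-bit address space."""
    return 0 <= addr < (1 << 20)


MADDR16 = bt7_ival(16)          # constructed microaddress for the demo
NOP_OPC = (F,) * 5              # constructed opcode that is not a bad_write


def demo() -> Dict[str, Tuple[bool, Bits, bool]]:
    """Exercise the stop and jump cases with constructed inputs."""
    out = {}
    # seqctl=6, DSF=3 (write P): result outside the address space -> stop
    out["pc_bad"] = msl_spec(MADDR16, (T, T, F), 1 << 20, F, F,
                             (F, T, T), (F, F), F, NOP_OPC, valid_20bit)
    # same result, but DSF=4 with b=F skips the write -> no stop
    out["pc_skip"] = msl_spec(MADDR16, (T, T, F), 1 << 20, F, F,
                              (T, F, F), (F, F), F, NOP_OPC, valid_20bit)
    # seqctl=1 with a memory request and mf=2: jump to maddr + 2
    out["req"] = msl_spec(MADDR16, (F, F, T), 0, F, F,
                          (F, F, F), (T, F), T, NOP_OPC, valid_20bit)
    # seqctl=4 with the overflow flag set -> stop
    out["ovl"] = msl_spec(MADDR16, (T, F, F), 0, F, T,
                          (F, F, F), (F, F), F, NOP_OPC, valid_20bit)
    return out


if __name__ == "__main__":
    for name, (stop, jaddr, mc) in demo().items():
        print(f"{name}: stop={stop} jaddr={bt_val(jaddr)} mc={mc}")
```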
ALU
let ALU_SPEC = new_definition
('ALU_SPEC',
"! (rep:'rep_ty) (r m result:*wordn) (ovl inb outb:bool) (aluctl ff:bt4).
ALU_SPEC rep r m result ovl inb outb aluctl ff =
let case0 = (aluctl = (F,F,F,F)) in
let case1 = (aluctl = (F,F,F,T)) in
let case2 = (aluctl = (F,F,T,F)) in
let case3 = (aluctl = (F,F,T,T)) in
let case4 = (aluctl = (F,T,F,F)) in
let case5 = (aluctl = (F,T,F,T)) in
let case6 = (aluctl = (F,T,T,F)) in
let case7 = (aluctl = (F,T,T,T)) in
let case8 = (aluctl = (T,F,F,F)) in
let case9 = (aluctl = (T,F,F,T)) in
let case10 = (aluctl = (T,F,T,F)) in
let case11 = (aluctl = (T,F,T,T)) in
let case12 = (aluctl = (T,T,F,F)) in
let case13 = (aluctl = (T,T,F,T)) in
let case14 = (aluctl = (T,T,T,F)) in
let case15 = (aluctl = (T,T,T,T)) in
let sum = (add rep (r,m)) in
let diff = (sub rep (r,m)) in
((outb = ( case2 => (bcmp rep (r, m, inb, ff)) |
case4 => (addp rep (r, m, sum)) |
case6 => (subp rep (r, m, diff)) |
case13 => (bit0 rep r) |
case15 => (bitn rep r) |
inb ))
/\
(ovl = ( (case4 \/ case5) => (aovfl rep (r, m, sum)) |
(case6 \/ case7) => (sovfl rep (r, m, diff)) |
case14 => (bitn rep r) |
F ))
/\
(result = (((case0) \/ (case2)) => m |
case1 => r |
case3 => (neg rep m) |
(case4 \/ case5) => sum |
(case6 \/ case7) => diff |
case8 => (bxor rep (r, m)) |
case9 => (band rep (r, m)) |
case10 => (bnor rep (r, m)) |
case11 => (band rep (r, bnot rep m)) |
case12 => (shr rep r) |
case13 => (shrb rep (r, inb)) |
case14 => (shl rep r) |





let REGISTER_BLOCK = new_definition
('REGISTER_BLOCK',
"! (rep:'rep_ty) (regs:time->(*wordn)list) strobe din_en result_en din_sel
addr_sel (mreg insreg result din r m:time->*wordn) (r_sel m_sel:time->bt2)
(result_sel mdf:time->bt3) (mar:time->*address) (ir:time->*opcode) dfc
(b:time->bool) .
REGISTER_BLOCK rep result din strobe r_sel result_sel din_en result_en
addr_sel din_sel m_sel mar ir r m regs mreg insreg dfc mdf b =
!t:time.
((regs (t+1) =
(((strobe t) /\ (result_en t)) =>
(((dfc t) /\ ((mdf t = (T,T,F)) \/ (mdf t = (T,T,T)))) =>
regs t |




( (din_en t) => ((din_sel t) => (mreg t) | (din t)) |
(((result_en t) /\ (dfc t) /\ (bt3_val(result_sel t) = 6)) =>




( (din_en t) => ((din_sel t) => (din t) | (insreg t)) |
(((result_en t) /\ (dfc t) /\ (bt3_val(result_sel t) = 7)) =>




(EL (bt2_val (r_sel t)) (regs t))) /\
(m t =
( ((m_sel t) = (F,F)) => (mreg t) |
((m_sel t) = (F,T)) => (wordn rep 1) |
(pad rep (address rep (insreg t))))) /\
(ir t =
(opcode rep (insreg t))) /\
(mar t =
(addr_sel t => (address rep (insreg t)) |
(address rep (EL p_reg (regs t))))))"
);;
let EXT_INTERFACE = new_definition
('EXT_INTERFACE',
"! (rep:'rep_ty) rd wr io strobe addr w_data r_data ram.
EXT_INTERFACE rep rd wr io strobe addr w_data r_data ram =
!t:time .
(ram (t+1) =
(((wr t) /\ (strobe t)) =>
(io t => storeio rep (ram t, addr t, w_data t) |
store rep (ram t, addr t, w_data t)) |
ram t)) /\
(r_data t =
(((rd t) /\ (strobe t)) =>
(io t => fetchio rep (ram t, addr t) |
fetch rep (ram t, addr t)) |
(wordn rep 0)))"
% actually 0 can be replaced by ARB. 0 is chosen for simplicity %
);;
let CONTROL_UNIT = new_definition
('CONTROL_UNIT',
"! (rep:'rep_ty) (mpc:time->bt7)
(ph1 ph2 ph3 stop reqm msl_stop b ovl r w io dfc de re adrs
ds:time->bool) (rs:time->bt2) (rft mft:bt2) (ress mdf:time->bt3)
(dft:bt3) (opc:time->bt5) (res:time->*wordn) (mir:time->ucode)
(aluctl:time->bt4) (dec_ctl:time->bool)
(urom:(time->num->ucode)) (reset:time->bool).
CONTROL_UNIT rep mpc ph1 ph2 ph3 stop rft mft dft reqm opc msl_stop res
b ovl mir aluctl dec_ctl r w io mdf dfc rs ress de re adrs ds
ms urom (reset) =
! t:time.
? maddr seqctl jaddr mc muxm_o mrf rfc.
((MSL_SPEC rep (maddr t) (seqctl t) (res t) (b t) (ovl t) dft mft
(reqm t) (opc t) (msl_stop t) (jaddr t) (mc t) )
/\





(MUXM_SPEC (mc t) (jaddr t) (bt7_ival ((bt7_val (mpc t)) + 1)) (muxm_o t))
/\
(MPC_SPEC stop ph3 muxm_o mpc)
/\
(mir (t+1) = (ph1 t) => urom t (bt7_val (mpc t)) | mir t)
/\
(maddr t = (Maddr (mir t))) /\
(seqctl t = (Seqctl (mir t))) /\
(aluctl t = (Aluctl (mir t))) /\
(dec_ctl t = (Dec_ctl (mir t))) /\
(r t = (R (mir t))) /\
(w t = (W (mir t))) /\
(io t = (Io (mir t))) /\
(mrf t = (Mrf (mir t))) /\
(mdf t = (Mdf (mir t))) /\
(rfc t = (Rfc (mir t))) /\
(dfc t = (Dfc (mir t))) /\
(de t = (De (mir t))) /\
(re t = (Re (mir t))) /\
(adrs t = (Adrs (mir t))) /\
(ds t = (Ds (mir t))) /\
(ms t = (Ms (mir t))) /\
(MUXR_SPEC (rfc t) (mrf t) (rft) (rs t)) /\
(MUXD_SPEC (dfc t) (mdf t) (dft) (ress t)))"
);;
let DATAPATH = new_definition
('DATAPATH',
"! (rep:'rep_ty) (din dout rlatch mlatch res mreg insreg:time->*wordn)
(b ovl reqm stop msl_stop ph2 ph3 rd wr io dfc din_en result_en
addr_sel din_sel:time->bool)
(mar:time->*address) (opc:time->bt5) (regs:time->(*wordn)list)
(r_sel m_sel:time->bt2) (rft mft:bt2) (result_sel mdf:time->bt3)
(dft:bt3) (ram:time->*memory) (aluctl:time->bt4)
(dec_ctl reset:time->bool).
DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop msl_stop
ph2 ph3 regs mreg insreg rft mft dft ram rd wr io mdf dfc aluctl
dec_ctl r_sel result_sel din_en result_en addr_sel din_sel
m_sel reset =
!t:time.
? din_i mar_i rlatch_i mlatch_i result alu_ovl alu_b ir dec_stop.
((rft = RSF rep (insreg t)) /\
(mft = MSF rep (insreg t)) /\
(dft = DSF rep (insreg t)) /\
(REGISTER_BLOCK rep result din ph3 r_sel result_sel din_en result_en









(MAR_SPEC (\t. ((rd t) \/ (wr t))) ph2 mar_i mar)
/\
(REG_EN_SPEC rd ph3 din_i din)
/\
(REG_EN_SPEC wr ph2 rlatch_i dout)
/\
(EXT_INTERFACE rep rd wr io ph3 mar dout din_i ram)
/\
(REG_SPEC mlatch_i ph2 mlatch)
/\
(REG_SPEC rlatch_i ph2 rlatch)
/\
(ALU_SPEC rep (rlatch t) (mlatch t) (result t) (alu_ovl t) (b t)
(alu_b t) (aluctl t) (FSF rep (insreg t)))
/\
(REG_SPEC result ph3 res)
/\
(FF_SPEC alu_ovl ph3 ovl)
/\
(FF_SPEC alu_b ph3 b)
/\
(INSDEC_SPEC rep (ir t) (b t) (dec_ctl t) (dec_stop t) (opc t) (reqm t))
/\
(STOP_SPEC stop dec_stop msl_stop ph2))"
);;
Define State and selector functions for s:time->'EBM_state
................................................................
let EBM_state =
":(*wordn)list # % regs %
(*wordn # % mreg %
(*wordn # % insreg %
(*wordn # % din %
(*wordn # % dout %
(*memory # % ram %
(bool # % b %
(bool # % stop %
(bool # % ovl %
(*address # % mar %
(*wordn # % res %
(bt7 # % mpc %
(ucode # % mir %
((num -> ucode) # % urom %
(*wordn # % rlatch %
(*wordn # % mlatch %
(bool # % phase1 %
(bool # bool)))))))))))))))))";; % phase2, phase3 %
let RegsS = new_definition
('RegsS',
"!(t:time) (s:time->'EBM_state) .
RegsS s t = FST(s t)"
);;




(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
RegsS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = regs"),
REPEAT GEN_TAC





let MregS = new_definition
('MregS',
"!(t:time) (s:time->'EBM_state) .
MregS s t = FST(SND(s t))"
);;
let MregS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
MregS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = mreg"),
REPEAT GEN_TAC





let InsregS = new_definition
('InsregS',
"!(t:time) (s:time->'EBM_state) .
InsregS s t = FST(SND(SND(s t)))"
);;




(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
InsregS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = insreg"),
REPEAT GEN_TAC





let DinS = new_definition
('DinS',
"!(t:time) (s:time->'EBM_state) .
DinS s t = FST(SND(SND(SND(s t))))"
);;
let DinS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
DinS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = din"),
REPEAT GEN_TAC





let DoutS = new_definition
('DoutS',
"!(t:time) (s:time->'EBM_state) .
DoutS s t = FST(SND(SND(SND(SND(s t)))))"
);;
let DoutS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
DoutS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = dout"),
REPEAT GEN_TAC





let RamS = new_definition
('RamS',
"!(t:time) (s:time->'EBM_state) .
RamS s t = FST(SND(SND(SND(SND(SND(s t))))))"
);;
let RamS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
RamS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = ram"),
REPEAT GEN_TAC





let BS = new_definition
('BS',
"!(t:time) (s:time->'EBM_state) .
BS s t = FST(SND(SND(SND(SND(SND(SND(s t)))))))"
);;
let BS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
BS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = b"),
REPEAT GEN_TAC





let StopS = new_definition
('StopS',
"!(t:time) (s:time->'EBM_state) .
StopS s t = FST(SND(SND(SND(SND(SND(SND(SND(s t))))))))"
);;
let StopS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
StopS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = stop"),
REPEAT GEN_TAC





let OvlS = new_definition
('OvlS',
"!(t:time) (s:time->'EBM_state) .
OvlS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))"
);;
let OvlS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
OvlS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = ovl"),
REPEAT GEN_TAC





let MarS = new_definition
('MarS',
"!(t:time) (s:time->'EBM_state) .
MarS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))"
);;
let MarS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
MarS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = mar"),
REPEAT GEN_TAC





let ResS = new_definition
('ResS',
"!(t:time) (s:time->'EBM_state) .
ResS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))"
);;
let ResS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
ResS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = res"),
REPEAT GEN_TAC





let MpcS = new_definition
('MpcS',
"!(t:time) (s:time->'EBM_state) .
MpcS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))"
);;
let MpcS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
MpcS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = mpc"),
REPEAT GEN_TAC





let MirS = new_definition
('MirS',
"!(t:time) (s:time->'EBM_state) .
MirS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))))"
);;
let MirS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
MirS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = mir"),
REPEAT GEN_TAC





let UromS = new_definition
('UromS',
"!(t:time) (s:time->'EBM_state) .
UromS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))))"
);;
let UromS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
UromS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = (\t:time. urom)"),
REPEAT GEN_TAC





let RlatchS = new_definition
('RlatchS',
"!(t:time) (s:time->'EBM_state) .
RlatchS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
);;
let RlatchS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
RlatchS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = rlatch"),
REPEAT GEN_TAC





let MlatchS = new_definition
('MlatchS',
"!(t:time) (s:time->'EBM_state) .
MlatchS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))))))"
);;
let MlatchS = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
MlatchS (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = mlatch"),
REPEAT GEN_TAC





let Ph1S = new_definition
('Ph1S',
"!(t:time) (s:time->'EBM_state) .
Ph1S s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))))))))))"
);;
let Ph1S = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
Ph1S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = ph1"),
REPEAT GEN_TAC





let Ph2S = new_definition
('Ph2S',
"!(t:time) (s:time->'EBM_state) .
Ph2S s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))))))))"
);;
let Ph2S = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
Ph2S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = ph2"),
REPEAT GEN_TAC




let Ph3S = new_definition
('Ph3S',
"!(t:time) (s:time->'EBM_state) .
Ph3S s t = SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(SND(s t))))))))))))))))))"
);;
let Ph3S = TAC_PROOF
(([],
"! (t:time) (regs:time->(*wordn)list)
(mreg insreg din dout res rlatch mlatch:time->*wordn)
(ram:time->*memory) (b stop ovl ph1 ph2 ph3:time->bool)
(mar:time->*address) (mpc:time->bt7) (mir:time->ucode)
(urom:num->ucode).
Ph3S (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t)) = ph3"),
REPEAT GEN_TAC





let EBM_env = ":bool";;
let ResetE = new_definition
('ResetE',
"! (t:time) (e:time->'EBM_env) .
ResetE e t = e t"
);;
let ResetE = TAC_PROOF
(([],
"! (t:time) (reset:time->bool) .
ResetE (\t. reset t) = reset"),
REPEAT GEN_TAC






Define Electronic Block Model
................................................................
let EBM_def = new_definition
('EBM_def',
"! (rep:'rep_ty) (s:time->'EBM_state) (e:time->'EBM_env) .
EBM rep s e =
? opc reqm msl_stop rf mf df rd wr io mdf dfc aluctl dec_ctl
r_sel result_sel din_en result_en addr_sel din_sel m_sel.
(DATAPATH rep (DinS s) (DoutS s) (BS s) (MarS s) (RlatchS s)
(MlatchS s) (ResS s) (OvlS s) opc reqm (StopS s) msl_stop
(Ph2S s) (Ph3S s) (RegsS s) (MregS s) (InsregS s) rf mf df (RamS s)
rd wr io mdf dfc aluctl dec_ctl r_sel result_sel din_en
result_en addr_sel din_sel m_sel (ResetE e)) /\
(CONTROL_UNIT rep (MpcS s) (Ph1S s) (Ph2S s) (Ph3S s) (StopS s) rf mf
df reqm opc msl_stop (ResS s) (BS s) (OvlS s) (MirS s) aluctl dec_ctl
rd wr io mdf dfc r_sel result_sel din_en result_en addr_sel din_sel
m_sel (UromS s) (ResetE e))"
);;
let EBM = prove_thm
('EBM',
"! (rep:'rep_ty) (regs:time->(*wordn)list)
(mreg insreg din dout:time->*wordn) (ram:time->*memory)
(b stop ovl:time->bool) (mar:time->*address) (res:time->*wordn)
(mpc:time->bt7) (mir:time->ucode) (urom:num->ucode)
(rlatch mlatch:time->*wordn) (ph1 ph2 ph3:time->bool)
(reset:time->bool).
EBM rep (\t. (regs t, mreg t, insreg t, din t, dout t, ram t, b t, stop t,
ovl t, mar t, res t, mpc t, mir t, urom, rlatch t, mlatch t,
ph1 t, ph2 t, ph3 t))
(\t. (reset t)) =
? opc reqm msl_stop rf mf df rd wr io mdf dfc aluctl dec_ctl
r_sel result_sel din_en result_en addr_sel din_sel m_sel.
(DATAPATH rep din dout b mar rlatch mlatch res ovl opc reqm stop
msl_stop ph2 ph3 regs mreg insreg rf mf df ram rd wr io mdf dfc
aluctl dec_ctl r_sel result_sel din_en result_en addr_sel
din_sel m_sel reset) /\
(CONTROL_UNIT rep mpc ph1 ph2 ph3 stop rf mf df reqm
opc msl_stop res b ovl mir aluctl dec_ctl rd wr io mdf dfc r_sel
result_sel din_en result_en addr_sel din_sel m_sel (\t:time. urom)
reset)",
REWRITE_TAC [RegsS; MregS; InsregS; DinS; DoutS; RamS; BS; StopS;
OvlS; MarS; ResS; MpcS; MirS; UromS; RlatchS; MlatchS;
Ph1S; Ph2S; Ph3S; ResetE; EBM_def]
);;










MPC_SPEC; INSDEC_SPEC; (EXPAND_LET_RULE MSL_SPEC);
(EXPAND_LET_RULE ALU_SPEC); EXT_INTERFACE]
(SPEC_ALL EBM)))
Define a function that maps EBM state to the EBM counter.
................................................................
let GetEBMClock = new_definition
('GetEBMClock',
"! (regs:(*wordn)list) (mreg insreg din dout:*wordn) (ram:*memory)
(b stop ovl:bool) (mar:*address) (res:*wordn) (mpc:bt7) (mir:ucode)
(urom:num->ucode) (rlatch mlatch:*wordn) (ph1 ph2 ph3:bool) (reset:bool).
GetEBMClock (regs, mreg, insreg, din, dout, ram, b, stop, ovl, mar, res,
mpc, mir, urom, rlatch, mlatch, ph1, ph2, ph3) (reset) =
@x:bool.F"
);;
let EBM_Start = new_definition
('EBM_Start',





Appendix J: INSTRUCTION DECODER

~CSF /\ DSF = (T, T, T)
3. writem
~CSF /\ DSF = (T, T, F)
4. noop
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
(DSF = (T, F, F) /\ ~b)
5. noop
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
(DSF = (T, F, T) /\ b)
6. call
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
FSF = (F, F, F, T)
7. neg
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, F, F, F)
8. readio
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\

~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, F, T, T)
10. addb
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, T, F, F)
11. adds
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, T, F, T)
12. subb
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, T, T, F)
13. subs
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (F, T, T, T)
14. xor
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, F, F, F)
15. and
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, F, F, T)
16. nor
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, F, T, F)
17. andmbar
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, F, T, T)
18. shr
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, F, F) /\ (MSF = (F, F))
19. shrb
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, F, F) /\ (MSF = (F, T))
20. shl
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, F, F) /\ (MSF = (T, F))
21. shlb
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\

~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, F, T)
23. error
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, T, F)
24. error
~CSF /\
~(DSF = (T, T, T) \/ DSF = (T, T, F)) /\
~((DSF = (T, F, T) /\ ~b) \/ (DSF = (T, F, F) /\ b)) /\
~FSF = (F, F, F, T) /\
FSF = (T, T, T, T)
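A decoder written as a list of guarded cases like the one above can be checked mechanically for the two properties a verifier cares about: no two guards fire on the same input, and together they cover every field value. The Python below is an added example, not part of the report; it transcribes the guards exactly as printed (items 1, 8, 9, 21 and 22 are omitted because their guard or mnemonic is cut off on the page, and item 2's mnemonic lies outside this excerpt) and, enumerating all field values, finds that items 4 and 5 as printed overlap with every item from 6 onward while the two (DSF, b) combinations that items 6 onward exclude match no case at all. Field widths (CSF 1 bit, DSF 3, FSF 4, MSF 2, b 1) are read off the tuples in the listing.

```python
from itertools import product

T, F = True, False

# Guards transcribed from the Appendix J listing exactly as printed. Items whose
# guard or mnemonic is cut off on the page (1, 8, 9, 21, 22) are left out.
def _base(csf, dsf):
    # prefix of items 4 onward: ~CSF /\ ~(DSF = (T,T,T) \/ DSF = (T,T,F))
    return not csf and dsf not in ((T, T, T), (T, T, F))

def _excl(dsf, b):
    # term of items 6 onward: ~((DSF = (T,F,T) /\ ~b) \/ (DSF = (T,F,F) /\ b))
    return not ((dsf == (T, F, T) and not b) or (dsf == (T, F, F) and b))

def _alu(fsf_val, msf_val=None):
    # items 7 onward: ~FSF = (F,F,F,T) /\ FSF = fsf_val [/\ MSF = msf_val]
    def guard(csf, dsf, fsf, msf, b):
        return (_base(csf, dsf) and _excl(dsf, b) and fsf != (F, F, F, T)
                and fsf == fsf_val and (msf_val is None or msf == msf_val))
    return guard

CASES = [  # (item number, mnemonic, guard over (CSF, DSF, FSF, MSF, b))
    (2, "(mnemonic not in excerpt)", lambda c, d, f, m, b: not c and d == (T, T, T)),
    (3, "writem", lambda c, d, f, m, b: not c and d == (T, T, F)),
    (4, "noop", lambda c, d, f, m, b: _base(c, d) and d == (T, F, F) and not b),
    (5, "noop", lambda c, d, f, m, b: _base(c, d) and d == (T, F, T) and b),
    (6, "call", lambda c, d, f, m, b: _base(c, d) and _excl(d, b) and f == (F, F, F, T)),
    (7, "neg", _alu((F, F, F, F))),
    (10, "addb", _alu((F, T, F, F))), (11, "adds", _alu((F, T, F, T))),
    (12, "subb", _alu((F, T, T, F))), (13, "subs", _alu((F, T, T, T))),
    (14, "xor", _alu((T, F, F, F))), (15, "and", _alu((T, F, F, T))),
    (16, "nor", _alu((T, F, T, F))), (17, "andmbar", _alu((T, F, T, T))),
    (18, "shr", _alu((T, T, F, F), (F, F))), (19, "shrb", _alu((T, T, F, F), (F, T))),
    (20, "shl", _alu((T, T, F, F), (T, F))),
    (23, "error", _alu((T, T, T, F))), (24, "error", _alu((T, T, T, T))),
]

def all_inputs():
    """Every assignment to the fields: CSF (1 bit), DSF (3), FSF (4), MSF (2), b (1)."""
    bits = (T, F)
    return product(bits, product(bits, repeat=3), product(bits, repeat=4),
                   product(bits, repeat=2), bits)

def matches(inp):
    """Item numbers whose guard accepts the input tuple (csf, dsf, fsf, msf, b)."""
    return [n for n, _, guard in CASES if guard(*inp)]

def overlapping_pairs():
    """Item pairs that both fire on some input; a sound decoder has none."""
    pairs = set()
    for inp in all_inputs():
        m = matches(inp)
        pairs.update((m[i], m[j]) for i in range(len(m)) for j in range(i + 1, len(m)))
    return sorted(pairs)

def unmatched_count():
    """Inputs accepted by no transcribed guard (the omitted items' codes among them)."""
    return sum(1 for inp in all_inputs() if not matches(inp))
```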
REPORT DOCUMENTATION PAGE
Form Approved OMB No. 0704-0188
1. AGENCY USE ONLY (Leave blank)    2. REPORT DATE    3. REPORT TYPE AND DATES COVERED
                                    February 1993     Contractor Report
4. TITLE AND SUBTITLE











7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Boeing Defense and Space Group
Military Airplanes Division
P.O. Box 3707, M/S 4C-70
Seattle, WA 98124-2207
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)









10. SPONSORING / MONITORING
AGENCY REPORT NUMBER
NASA CR-4489
Levitt, Arora, Leung, Kalvala, Schubert, Windley, and Heckman: University of
California, Davis, CA; Cohen: Boeing Defense & Space Group, Seattle, WA.
Langley Technical Monitor: Sally C. Johnson




RSRE and members of the Hardware Verification Group at Cambridge University
conducted a joint effort to prove the correspondence between the electronic
block model and the top level specification of Viper. Unfortunately, the proof
became too complex and unmanageable within the given time and funding constraints,
and is thus incomplete as at the date of this report.
This report describes an independent attempt to use the HOL mechanical verifier
to verify Viper. Deriving from recent results in hardware verification research
at UC Davis, the approach has been to redesign the electronic block model to make
it microcoded and to structure the proof in a series of decreasingly abstract
interpreter levels, the lowest being the electronic block level. The highest level
is the RSRE Viper instruction set. Owing to the new approach and some results on
the proof of generic interpreters as applied to simple microprocessors, this attempt











Phase to Micro Level




18. SECURITY CLASSIFICATION OF THIS PAGE    19. SECURITY CLASSIFICATION OF ABSTRACT    20. LIMITATION OF ABSTRACT
Unclassified
Standard Form 298 (Rev. 2-89)
NASA-Langley, 1993

