Hardware proofs using EHDM and the RSRE verification methodology by Butler, Ricky W. & Sjogren, Jon A.
e....----"--
NASA Technical Memorandum 100669
AVSCOM Technical Memorandum 88-B-017
HARDWARE PROOFS USING EHDM AND
THE RSRE VERIFICATION METHODOLOGY
(_ASA-IE-lOObtg) EJEEhAEE EECGFS USING EBD_
&EL TE_ ES_E VEE]_]CA_]CE BE_ECDCLCG¥
|_ASA) 90 _ CSCL 09E
3/6 2
N89-I_002
Ricky W. Butler
Jon A. Sjogren
December 1988
Nalional Aeronautics and
Space Admznlslrahon
Langley Research Center
Hampton, Virginia 23665-5225
US ARMY_
AVIATION
SYSTEMS COMMAND
AVIATION R&T ACTWITY
https://ntrs.nasa.gov/search.jsp?R=19890004631 2020-03-20T04:32:53+00:00Z

TABLE OF CONTENTS
INTRODUCTION .....................................................
SUMMARY OF RSRE HARDWARE VERIFICATION METHODOLOGY ................
TOP-LEVEL SPECIFICATION OF SIX-BIT COUNTER .......................
THE FINITE-STATE AUTOMATA SPECIFICATION ..........................
Definition of Finite-state Automata ...........................
Mapping to the Top-Level Specification ........................
BLOCK DIAGRAM SPECIFICATION ......................................
SPECIFICATION OF CIRCUIT .........................................
Listing of Cnt6 cir ...........................................
Translation of Circuit-Spec to Silicon ........................
INFORMAL PROOFS ..................................................
Proof Between Top Level Spec and Major State Machine Spec .....
Proof Between Major State Machine Spec and Block Model Spec ...
Proof Between Block Diagram Spec and Circuit-Level Spec ....... •
SPECIFICATION OF N-BIT WORDS .....................................
FORMAL PROOFS ....................................................
Introduction to Proving in EHDM ...............................
Status of P[oofs ..............................................
CONCLUSIONS ......................................................
REFERENCES .......................................................
APPENDIX A THEORY OF GENERAL WORDS ...............................
APPENDIX B SUGGESTIONS FOR IMPROVING EHDM ........................
Definition of the Values of a Type ............................
Definitional Axioms ...........................................
Improvement to P[oof Instantiator .............................
APPENDIX C FULL LISTING OF SPECIFICATIONS INCLUDING PROOFS .......
2
2
2
6
7
ii
17
21
21
24
25
26
31
35
36
40
40
41
43
44
45
50
50
5O
52
54

INTRODUCTION
Recently NASA,Langley Research Center and the Royal Signals and Radar
Establishment (RSRE)have initiated a joint research program in formal
verification of life-critical systems. The first phase of this work involves a
critical assessment of the RSREwork on the VIPERmicroprocessor. The VIPER
was designed by RSREresearchers specifically for life-critical applications
and was subjected to a formal proof of correctness. The proof methodology is
based on a hierarchical specification of the system design. This methodology
was first illustrated on a 6-bit counter by RSREin the RSREMemorandum3832
entitled "Hardware Proofs using LCF-LSMand ELLA"by W. J. Cullyer and C. H.
Pygott (ref. i.) In this paper, the RSREapproach to hardware verification is
studied in the context of a different specification language -- Revised Special
developed by SRI International (ref. 2). The reason the methodology is
explored via a different specification language is twofold: (i) to expose any
weaknessesin the methodology due to the specification language LCF-LSM,and
(2) to explore the feasibility of using EHDM(EnhancedHierarchical Design
Methodology) for hardware verification using the RSREmethodology.
In this paper RSRE's6-bit counter example is re-specified in Revised
Special. In the RSREreport, the proofs between the levels of the hierarchical
specification were accomplished by hand. In this report, the proofs are
performed using the EHDM(EnhancedHierarchical Design Methodology) theorem
proving system. The paper makesa comparison between the LCF-LSMand Revised
Special languages. The viability of the RSREmethodology is discussed.
Particular attention is given to the feasibility of using their methodology in
concert with the EHDM tools.
SUMMARY OF RSRE HARDWARE VERIFICATION METHODOLOGY
The RSRE approach to verification is based on the use of hierarchical
specification. The formal hierarchy consists of the following four levels:
(i) Functional
(2) Finite-state automata
(3) Block model
(4) Circuit model
The proof between level (i) and (2) establish that the finite automata of
level (2) implements all of the functions of the top level. The top level
consists of axioms which define the output of the circuitry in response to
inputs without any details of the steps that are performed to accomplish the
computation. Thus, the top level is essentially the definition of a
mathematical function. The second level decomposesthe function into sequences
of steps which can accomplish the overall functionality. The sequencesof
steps are defined by a finite-automata model. Proof that level (I) follows
from (2) is accomplished by enumerating all possible sequences that the finite
automata can perform and demonstrating that these accomplish the function of
level (i).
At level (2) the computation performed by each transition of the finite
automata is specified by a mathematical (sub)function. The details of how each
of these subfunctions are computed is not specified until level (3). Level (3)
specifies how each of the subfunctions of level (2) are accomplished in terms
of an electronic block diagram. The proof between level (2) and (3)
establishes that each of the subfunctions of level (2) are properly computed by
the level (3) structure. Finally, the proof between level (3) and (4)
establishes that each "block" in the level (3) model is correctly implemented
with logic gates.
In the RSRE work the first three levels were specified in LCF-LSM. The
last level was specified in ELLA (ref. 3.) The third level was also specified
in ELLA in addition to the LCF-LSM specification. The properties at each level
in the hierarchy must be proved to be theorems in the level below it. The
proofs between levels (1 ) and (2 ) and between (2 ) and (3 ) are accomplished
analytically. The proof between levels (3) and (4) are accomplished by the
method of "intelligent exhaustion".
TOP-LEVEL SPECIFICATION OF SIX-BIT COUNTER
The example used by RSRE to illustrate their specification/verification
methodology was a six-bit counter. The counter holds a value "count" which is
either retained at its current value, loaded with a new value from an external
source, or incremented once or twice depending on the value of "func", a two-
bit control signal. The informal specification for the counter is
func = 0
func _ 1
func - 2
func- 3
Do nothing: "count" unchanged
Load "count" from a 6-bit parallel input, "loadin"
Increment "count": i.e. count := count + 1
Increment "count" twice: i.e. count := count + 2
In the RSRE report this informal specification is translated into a formal
specification written in LCF-LSM. The design of the counter is documented by a
hierarchical specification where each successive level in the hierarchy
introduces more detail as the result of design decisions. In this paper these
specifications are presented in Revised Special.
The formal Specification of the counter in Revised Special is:
cnt6: MODULE
USING words
THEORY
states: TYPE
word6: TYPE is word[6]
word2: TYPE is word[2]
state: VAR states
loadin,w: VARword6
func: VARword2
val2:function[word2 -> int] is val[2]
val6:function[word6 -> int] is val[6]
mw6: function[int -> word6] is mw[6]
cnt: function[states -> word6]
exec cnt: function[states,word6,word2 -> states]
ready: function[states -> bool]
addl mod64:function[word6 -> word6] ==
( LAMBDAw -> word6:
IF val6(w) = 63 THEN mw6(0)
ELSE mw6(val6(w)+l)
END )
ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state,loadin,func) )
counter ax: AXIOM ready(state) IMPLIES cnt(exec cnt(state,loadin,func)) =
- IF val2(func) = 0 THEN cnt(state)
ELSIF val2(func) = 1 THEN loadin
ELSIF val2(func) = 2 THEN
addl mod64(cnt(state))
ELSE
addl mod64(addl mod64(cnt(state)))
END
_D cnt6
It is unnecessary to present details about Revised Special, since the above
specification can be understood with a little explanation. (This is probably
the best way to be introduced to a formal specification language -- by way of
example. ) The first line assigns the name"cnt6" to the specification. The
second line indicates that an external module "words" will be used in this
module. This will be explained in more detail in the following discussion.
The next three lines which follow the THEORYkeyword define three "types" --
"states", "word6", and "word2". These types will be used to distinguish logic
variables which represent the state (or "count") of the machine, 6-bit words,
and 2-bit words, respectively. Types serve the samefunction in the formal
specification language as in a programminglanguage -- they enable the
automatic system to detect user errors.
The first type "state" is uninterpreted, that is, there is no domain of
values or any meaning associated with it. At this level of abstraction it
represents the state of the machine, but details about what constitutes the
state of the machine are not specified. The two types, "word6" and "word2" are
equated to word[6] and word[2] by the "is" clause. They represent the domain
of 6-bit words and 2-bit words. N-bit words are used to specify an N-bit
transmission lines which can be interpreted as integers or as ordered sets of
boolean values. The properties of the generic type word[N] are defined in the
module "words" which is discussed in detail in the section entitled
"SPECIFICATION OF N-BIT WORDS". The next three lines of the specification
define four logic variables - "state", "loadin", "w" and "func". (Note. These
are mathematical variables, not program variables) Next, seven functions are
defined. The meaning of these functions are:
val2:
val6:
mw6:
maps an unsigned 2-bit word to its positive integer equivalent
maps an unsigned 6-bit word to its positive integer equivalent
maps a positive integer into an unsigned 6-bit word
cnt: returns the value of the 6-bit counter when applied to the "state"
of the machine
exec cnt: maps the state of the machine to its new state when the counter is
"executed"
ready: when applied to the state of the machine returns "true" if and
only if the machine is in the ready state, i.e. ready to receive
the next "func". This function is necessary since the execution
of the counter is not instantaneous. There are intermediate
states in the machine. It is important to prove that when the
counter is executed (i.e. via exec cnt) the machine is returned to
a state where it is ready to receive the next input. (Note. This
property was not considered in the RSRE work).
addl mod64: adds 1 (modulo-64) to a 6-bit word
The first three functions are equated to functions defined in the module
"words". The last three functions are elaborated in more detail (formally) at
lower levels of the specification hierarchy.
The last part of the specification provides two axioms which define the
behavior of the counter. The first axiom expresses the most important
properties of the counter in terms of the function "exec cnt". The function
"exec cnt" transforms the state of the counter in response to the inputs
"state", "loadin", and "func" and thus defines the "execution" of the counter:
func Ioadin
oLJ
exec_cnt:
_R
state
OOLErER
state
cnt:
OOUNTER
state
--" COURt
At this level of abstraction, the state of the machine has only two properties
-- the value of the counter, an integer between 0 and 63, and whether the
machine is ready. The value of the counter is returned by the function "cnt".
The function "ready" returns a boolean variable indicating whether the machine
is ready for input. The execution of the counter is defined by "exec cnt". If
the machine is ready, then the counter will operate correctly and the state of
the counter will be updated according to the "counter ax" axiom. If the value
of func is 0 (i.e. val2(func) is 0), then the value of the counter remains the
same(i.e. cnt(state) -- the original state). If the value of "func" is i,
then the value of the counter is changed to the value "loadin". If the value
of "func" is 2, then the value of the counter is incremented by I. Of course,
one must consider the case where the counter "turns over" (i.e. if the counter
is currently at 63 - 1111112 , it next becomes 0). This concept is captured by
modulo-64 arithmetic. The "addl nod64" function adds 1 to a word6 variable in
modulo-64 arithmetic. The meaning of the "addl nod64" function specification
is simple. If the value of the current value of the state (i.e.
val6(cnt(state)) ) is 63, then a single increment will turn-over the counter to
0 (i.e. mw(6) -- the 6-bit word whose value is 0). Otherwise, it is just the
value of the counter plus one (i.e. mw6(val6(cnt(state))+l) ).l
Thus, for "func" = 2 the value of the counter becomes
addl mod64(cnt(state))
If the value of "func" is 3, then a double increment is performed:
addl mod64(addl mod64(cnt(state)))
The second axiom, "ready ax", expresses the concept that a complete execution
of the counter returns the counter to a ready state, if it was originally
ready.
THE FINITE-STATE AUTOMATA SPECIFICATION
The six-bit counter is defined as a finite-state automata at this level of
abstraction. The second level in the hierarchy is called the major-state
specification in later RSRE documents, but is referred to as the finite-state
automata specification throughout this paper. The finite automata consists of
4 states named "fetch", "incl", "inc2", and "load" shown in figure i. The
machine is assumed to start in the "fetch" state.
The "addl mo464" function is defined using EHDM' s LAMBDA notation. The
concept i_ intuitive. The kayword "LAMBDA" indicates that a function is
being defined. This keyword is followed by the formal arguments to the
function. The symbol -) is followed by the type of the function result.
Finally, 2the function's body is provided. For example, the integer function
f (x) = x +i would be formally defined by f : functionl int -> int) = (LAMBDA
x -> int : x*x+l) .
fun¢*O
fetch
inc 1
load
inc 2
Figure i. Diagram of finite-state automata
It is necessary not only to describe this finite-state automata formally, but
also mathematically map the more abstract specification onto this
specification. These issues are addressed in the next two sections.
Definition of Finite-state Automata
The finite state model is defined using two external modules -- "words" and
"triples". 2 The first module "words" provides a formal definition of what
constitutes an N-bit word. This specification module is generic and can be
used for other hardware designs. The module "words" is described in detail in
the section called "FORMAL SPECIFICATION OF N-BIT WORDS". The theory of N-bit
Modules serve the same purpose in Revised Speczal as they do in a
programming language -- they facilitate the definition and re-use of
specifications.
words can be used by "importing" the "words" module via a USING clause or the
similar MAPPING clause. This module defines the following functions:
/
val: maps an N-bit word to an unsigned integer
mw: maps unsigned integer to an N-bit word
bit: returns the contents of a specified bit in a word
These functions are defined in a "parameterized" module (i.e. parameterized by
N, the number of bits in a word). Thus, for each "instantiation" of the module
(i.e. declaration in a USING clause), there are three different functions. For
example,
USING words[2], words[6]
defines two types -- word[2] and wordI6]-- and six functions -- val[2], mw[2],
bit[2], val[6], mw[6], bit[6].
The module "triples" defines the concept of an "ordered triple". 3 The ordered
triple has three components which can be accessed with the functions "first",
"second", and "third". An ordered triple is created from individual components
via the function make_triple. The relationship between these functions is
described by the following axiom in the triples module:
Makemtriple ax: AXIOM
x -- firstTmake triple(x, y, z))
AND y = second(make triple(x, y, z))
AND z = third(make_triple(x, y, z))
The "state" of the finite-state machine is designated by an ordered triple:
(count, double, node)
where
count = the current value of the counter, a number between 0 and 63
inclusive
double= a boolean variable which is true if and only if a double
increment is to be performed
node = indicates at which node the machine is currently located
3 Mathematicians typically use the notation (x,y,z) to define a triple.
8
This triple is defined formally as follows:
USINGtriples[word[6],bool,word[2]]
statevector: TYPE is triple
count: function[ statevector -> word6 ] is first
double: function[ statevector -> bool ] is second
node: function[ statevector -> word2 ] is third 4
The first line imports the generic theory of triples. The module was
parameterized by "word[6], bool, word[2]" This results in a theory of triples
where the first component is of type word[6], the second component is of type
bool and the third component is word[2]. To enhance readability of the
specification, alternate names are given to the names which are exported from
the "triples" module in the next 4 lines. Thus statevector is an alternate
name for the type "triple" with the following components -- a 6-bitword, a
boolean, and a 2-bit word. The individual components of the triple can be
accessed via the functions -- "count", "double", and "node".
The allowed transitions of the finite automata are defined by the NEXT
function. The NEXT function maps the "statevector" to the new "statevector" in
response to the 2-bit function code "func" and "loadin":
NEXT: function[statevector,word6,word2 -> statevector]
This function was defined as follows in the original version:
NEXT: function[statevector,word6,word2 -> statevector] =
(LAMBDA stv,ldn,fn -> statevector:
IF val2(node(stv)) = 0 THEN
FETCH(count(stv),double(stv),idn,fn)
ELSIF val2(node(stv)) = 1 THEN
INCl(count(stv),double(stv),idn,fn)
ELSIF val2(node(stv)) = 2 THEN
INC2(count(stv),double(stv),idn, fn)
ELSE
LOAD(count(stv),double(stv),idn,fn)
END
Unfortunately, when the function was defined in this manner, the EHDM theorem
4 In EHDM synonyms are defined using the keyword "is"
prover required excessive amounts of time. The properties of "NEXT" were
consequently defined using 4 separate axioms:
NEXT0 ax: AXIOM val2(node(stv)) = 0 IMPLIES
NEXT (stv, idn, fn ) = FETCH (count (stv ),double (sty ),idn, fn )
NEXT1 ax: AXIOM val2(node(stv)) = 1 IMPLIES
NEXT(stv,ldn,fn) = INCl(count(stv),double(stv) ,Idn,fn)
NEXT2 ax: AXIOM val2(node(stv)) = 2 IMPLIES
NEXT(stv,ldn,fn) = INC2(count(stv),double(stv) ,idn,fn)
NEXT3 ax: AXIOM val2(node(stv)) = 3 IMPLIES
NEXT( sty, Idn, fn) = LOAD( count(stY), double(sty), idn, fn)
By defining the properties of NEXT using four axioms, the theorem prover could
be directed to find the proof in a more efficient manner. 5 The function NEXT
is defined in terms of the subfunctions INCI, INC2, LOAD, and FETCH to enhance
the readability of the specification. Originally all of the subfunctions were
defined using the LAMBDA syntax. However, in this form the formal proofs
(i.e., proving that this level implements the top_Level spec) required
exhorbitant amounts of CPU time. These functions were redefined using
"axiomatic" definitions and the proofs required only a few minutes to complete. 6
The total functionality of the counter is captured in the function
"Finite automata":
Finite automata: function[ statevector,word6,word2 -> statevector ] =
(LAMBDA svt, idn, fn-> statevector:
IF val2(fn) = 0 THEN
NEXT( svt, idn, fn)
ELSIF val2(fn) = 3 THEN
NEXT(NEXT(NEXT(svt,ldn,fn), idn,fn ),idn,fn )
ELSE
NEXT(NEXT(svt,ldn,fn), idn,fn )
END)
One could easily prove that the former specification defines a function
which is equivalent to the function defined by these four axioms.
Although defining the subfunctions with axioms increases the work of the
"human" prover -- i.e. one must explicitly cite the axiom whenever the
function is used in a formula being proved --, the amount of proving time
can be drasticly reduced. The reduction in proving time comes by only
citing the functions whose eKpansion is relevant to the proof.
i0
This function defines the sequenceof calls of "NEXT"which accomplish each
function. This function represents a "spanning tree" of the graph shown in
figure 2.
Figure 2. - Spanning Tree for Finite-Automata
If "Finite Automata" is defined properly, the counter will be returned to the
"fetch" node at the completion of the function as well as performing the
specified function.
Mapping to the Top-Level Specification
The mappings to the higher level of abstraction are made using EHDM mapping
statements. (In the RSRE report the connections between models were informal).
EHDM requires that a mapping be provided for every uninterpreted type and every
constant of the module being mapped (i.e. the higher level specification). In
"cnt6" the following uninterpreted type was defined:
states
The following functions were defined:
cnt, exec cnt, ready:
ii
These are "mapped" in module "cnt6 fa" as follows:
cnt6.states: TYPEFROMstatevector
cnt6.cnt: function[statevector -> word6] is count
cnt6.exec cnt: function[statevector,word6,word2 -> statevector]
is Finite automata
cnt6.ready: function[statevector -> bool] =
(LAMBDA stv -> bool: node(sty) = fetchnode )
The "cnt6." prefix indicates that "cnt6" functions are being mapped.
The "cnt6" function "cnt" is mapped to "count" which is an abbreviation for the
first component accessor function "first" of type "triples".
The "cnt6" function "exec cnt" is mapped to the function "Finite_automata".
The "cnt6" function "ready" is mapped by a function that returns true if and
only if the automata is currently located at "fetchnode":
cnt6.ready: function[statevector -> bool] =
(LAMBDA sty -> bool: node(stv) = fetchnode )
The need for this function now becomes clear. It is possible that an
improperly designed counter could return the correct "count" but not correctly
return the machine to the proper state, namely "fetchnode", where it is ready
for the next input. This captures the "sequential" nature of the circuit.
This property was not captured in the RSRE LCF-LSM specification.
External Interface and Timing Issues
The RSRE report does not formally define the interaction of the counter
with respect to asynchronous changes in "func" and "loadin". The report
examined the impact of changes in "func" and "loadin" while the finite automata
is executing by a method called "hoisting the exit conditions". The method is
built on the concept that the finite automata samples from lists of "func" and
"loadin" values. These lists contain countable sequences of values which the
"func" and "loadin" lines contain at the time points which the finite automata
samples them. The finite automata is assumed to be driven by a synchronous
clock u one clock tick per transition of the finite automata. Thus, the calls
12
to "NEXT"are triggered by the synchronous clock. The analysis given in the
RSREreport indicates how to match the values in the list with the execution of
the counter.
Since it is possible that the value of "func" or "loadin" can change over
time, this must be accounted for in the specification. In the "cnt6 fa"
specification above it is implicitly assumedthat the values do not change
until the counter has returned to the "fetchnode" state. This is implied by
the fact that all of the calls to "NEXT"in the function "Finite automata", use
the samevalues of "idn" and "fn" (i.e. the parameters which correspond to
"loadin" and "func" in the top spec). For example,
NEXT(NEXT(NEXT(svt,ldn,fn), idn,fn ),idn,fn )
If this assumption is not valid, the specification could be generalized by
defining a list of "func" and "loadin" signal values:
clocktime: TYPEis int
funcsigs: function[clocktime -> word2]
loadinsigs: function[clocktime -> word6]
These functions "map" the synchronous clock time to the values of "func" and
"loadin" at those times. It is necessary to assumethat the values of "func"
and "loadin" are "stable" at the time that the finite automata samples them.
In order to relate the behavior of the finite automata over time to these
input values it is necessary to extend the definition of state to include time:
(count, double, node, clk)
The first three components are as before. The fourth component indicates the
current time, i.e. the number of clock pulses which have been sent to the
automata thus far. Formally, we would have:
USING quads[word6,bool,word2,nat]
statevector: TYPE is quad
13
count: function[ statevector-> word6 ] is first
double: function[ statevector-> bool ] is second
node: function[ statevector-> word2 ] is third
clk: function[ statevector-> word2 ] ] is fourth
Function "NEXT" and its subfunctions would have to be modified to increment the
value of clk. For example,
NEXT0 ax: AXIOM val2(node(stv)) = 0 IMPLIES
NKXT(stv,ldn,fn) = FETCH(count(stv),double(stv),clk(stv),idn,fn)
= IF val2(fn) z 0 THEN
make_quad(count(stv),BOOLF(bit2(0,fn)),fetchnode,clk(stv)+l)
ELSIF val2(fn) = 1 THEN
make_quad(count(stv),BOOLF(bit2(0,fn)),loadnode,clk(stv)+l)
ELSE
make_quad(count(stv),BOOLF(bit2(O,fn)),inclnode,clk(stv)+l)
END
The net result would be to formally connect the arguments of "NEXT" in the
definition of "Finite_automata" to the sequence of func and loadin values over
clock time:
NEXT(NEXT( NEXT(svt,loadinsigs[l], funcsigs[l]),
loadinsigs[2], funcsigs[2]),
loadinsigs[3], funcsigs[3])
The cnt6 fa Specification
The cnt6_fa specification excluding the proofs is:
cnt6 fa: MODULE
MAPPING cnt6 ONTO words, triples[word[6],bool,word[2J],bsignal
THEORY
(* create some abbreviations
word2: TYPE is word[2]
word6: TYPE is word[6]
mw2: function[int -> word2] is mw[2]
mw6: function[int -> word6] is mw[6]
val2:function[word2 -> int] is val[2]
val6:function[word6 -> int] is val[6]
bit2: function[int, word2 -> signalval] is bit[2]
*)
14
statevector: TYPEis triple
count: function[statevector -> word6] is first
double: function[statevector,-> bool] is second
node: function[statevector -> word2] is third
BOOLF:function[signalval -> bool] is signal_to bool
(* define logic constants
fetc_node: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
undef svt: statevector
(* define logic variables
svt: VAR statevector
ct, idn, w: VAR word6
fn: VAR word2
dbl,b: VAR bool
(* define functions *)
ADD1:function[word6 -> word6] ==
(LAMBDA w -> word6:
IF val6(w) = 63 THEN mw6(0) ELSE mw6(val6(w)+l)
END )
INCI: function[word6,bool,word6,word2 -> statevector]
INCI ax: AXIOM INCl(ct, dbl, idn, fn) =
IF dbl THEN
make_triple(ADDl(ct),BOOLF(bit2(0,fn)),inc2node)
ELSE
make_triple(ADDl(ct),BOOLF(bit2(0,fn)),fetchnode)
END
INC2:function[word6,bool,word6,word2 -> statevector]
INC2 ax: AXIOM INC2(ct, dbl, idn, fn) =
make_triple(ADDl(ct),BOOLF(bit2(0,fn)),fetchnode)
LOAD: function[word6,bool,word6,word2 -> statevector]
LOAD ax: AXIOM LOAD(ct, dbl, Idn, fn) =
make_triple(idn,BOOLF(bit2(0,fn)),fetchnode)
FETCH: function[word6,bool,word6,word2 -> statevector]
FETCH ax: AXIOM FETCH(ct, dbl, idn, fn)=
IF val2(fn) = 0 THEN
make triple(ct,BOOLF(bit2(0,fn)),fetchnode)
ELSIF val2(fn) = 1 THEN
make_triple(ct,BOOLF(bit2(0,fn)),loadnode)
ELSE
make_triple(ct,BOOLF(bit2(0,fn)),inclnode)
END
*)
*)
15
NEXT: function[statevector,wo[d6,word2 -> statevector]
(*
NEXT ax: AXIOM NEXT(svt,ldn,fn) =
IF val2(node(svt)) = 0 THEN
FETCH(count(svt),double(svt),idn,fn)
ELSIF val2(node(svt)) = 1 THEN
INCl(count(svt),double(svt),Idn,fn)
ELSIF val2(node(svt)) = 2 THEN
INC2(count(svt),double(svt),idn,fn)
ELSIF val2(node(svt)) = 3 THEN
LOAD(count(svt),double(svt),Idn, fn)
ELSE
undef svt
END
*)
NEXT0 ax: AXIOM val2(node(svt))
NEXT(svt,ldn,fn)
0 IMPLIES
= FETCH(count(svt),double(svt),idn,fn)
NEXT1 ax: AXIOM val2(node(svt))
NEXT(svt,ldn,fn)
= 1 IMPLIES
= INCl(count(svt),double(svt),idn,fn)
NEXT2 ax: AXIOM val2(node(svt))
NEXT(svt,ldn,fn)
= 2 IMPLIES
= INC2(count(svt),double(svt),idn,fn)
NEXT3 ax: AXIOM val2(node(svt))
NEXT(svt,ldn,fn)
= 3 IMPLIES
= LOAD(count(svt),double(svt),idn,fn)
Finite automata:
I
function[statevector,word6,word2 -> statevector]
(LAMBDA svt, Idn, fn -> statevector:
IF val2(fn) = 0 THEN
NEXT(svt,ldn,fn)
ELSIF val2(fn) = 3 THEN
NEXT(NEXT(NEXT(svt,ldn,fn), idn, fn ),
Idn,fn )
ELSE
NEXT(NEXT(svt,ldn,fn), idn,fn )
END )
(* Mapping to Top Level Spec in Module cnt6 *)
cnt6.states: TYPE FROM statevector
cnt6.cnt: function[statevector -> word6] is count
cnt6.exec cnt: function[statevector,word6,word2 -> statevector]
is Finite automata
cnt6.ready: function[statevector -> bool] =
(LAMBDA svt -> bool: node(svt) = fetchnode )
END cnt6 fa
16
Strengthening the Top-Level Specification
The top-level specification defines the operation of the counter when
"ready" is true, i.e. when it is ready for input. But, an implementation that
is never ready satisfies the specification above. The following mappings would
satisfy the specification:
cnt6.ready: function[statevector -> bool] = FALSE
cnt6.states: TYPE
cnt6.cnt: function[statevector -> word6]
cnt6.exec cnt: function[statevector,word6,word2 -> statevector]
The following property would preclude trivial implementations:
reset_ready_ax: AXIOM NOT ready(state) and func = 0 IMPLIES
ready( exec cnt(state,loadin,func) )
This property would define "func=0" as a reset, i.e., regardless of which state
the counter is currently in, if the counter is "executed" with "func=0" it will
be returned to "fetchnode". Unfortunately, the RSRE implementation does not
satisfy this property. If the counter is located at state "inclnode" and
"double(state)" is true, then the counter would transition to "inc2node" in
response to a "func=0" command. The following more complicated property also
precludes trivial solutions and is satisfied by the RSRE implementation:
eventually_ready_ax: AXIOM
NOT ready(state) and func = 0 IMPLIES
ready( exec cnt(exec cnt(state,loadin,func),loadin,func) )
BLOCK DIAGRAM SPECIFICATION
This section describes the third level in the hierarchy -- the block
diagram specification. In the RSRE work the block-diagram spec was the lowest
level of the system specified in the formal language LCF-LSM. They created a
second description of the block diagram in the hardware design language ELLA
(ref 3.) The connection between these two theoretically equivalent
specifications was informal. The connection between the ELLA specification and
the lower level circuit description was done using the method of "Intelligent
Exhaustion" (ref. 4.)
17
This specification describes the system as a block diagram illustrated in
figure 3.
Ioadln count node doul_e func
l,oo,__,oo_ooJ1.o,.oooiI-o_.1
q"t4 _
t ,_ ,|l_t i
lalCfl for node"'ch'o_o_n'F I l I '.'_'o,_.
counl node double Countloglc
Figure 3. - Block Diagram Specification
The finite automata is implemented by the following blocks (or subcircuits):
INCLOGIC MULTIPLEX MPLXCON INCCON NEXTNODE
The internal state variables (i.e. count, node and double) are assumed to be
stored by latches which maintain their values between clock ticks. This is not
explicitly formalized in the RSRE methodology. Consequently, it is possible
that an implementation which failed to store these variables in latches would
not be detected as erroneous by the RSRE methodology. Although informally this
could be checked, it is not clear how this could be detected by an automatic
theorem prover.
18
The cnt6 blk specification without proofs is:
cnt6 blk: MODULE
MAPPINGcnt6 fa ONTOwords,triples[word[6],bool,word[2]],bsignal
THEORY
(* define abbreviations for 'words'
word2: TYPE is word[2]
word6: TYPE is word[6]
mw2: function[int -> word2] is mw[2]
val2:function[word2 -> int] is val[2]
bit2: function[int, word2 -> signalval] is bit[2]
mw6: function[int -> word6] is mw[6]
val6:function[word6 -> int] is val[6]
bit6: function[int, word6 -> signalval] is bit[6]
BOOLF: function[signalval -> bool] is signal to bool
statevector: TYPE is triple
(* logic constants defined in cnt6 fa
fetchnode: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
define logic variables
sty: VAR statevector
ct,incout,loadin: VAR word6
noinc: VAR bool
nd,func: VARword2
dbl: VARbool
mplxsel: VAR bool
(* define functions
INCLOGIC: function[word6,bool -> word6]
INCLOGIC ax: AXIOM INCLOGIC(ct,noinc) =
IF noinc THEN ct
ELSE ADDI(ct)
END
*)
*)
*)
MULTIPLEX: function[word6,word6,bool -> word6]
MULTIPLEX ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) =
IF mplxsel THEN_incout
ELSE loadin
END
19
MPLXCON: function[word2 -> bool] =
(LAMBDA nd-> bool: NOT (val2(nd) = 3) )
INCCON: function[word2 -> bool] =
(LAMBDA nd-> bool: (val2(nd) = 0) )
NEXTNODE: function[word2,word2,bool -> word2]
(*
NEXTNODE ax: AXIOM NEXTNODE(nd,func,dbl) =
IF val2(nd) = 0 THEN
IF val2(func) = 0 THEN fetchnode
ELSIF val2(func) = 1 THEN loadnode
ELSE inclnode
END
ELSIF val2(nd) = i THEN
IF dbl THEN inc2node
ELSE fetchnode
END
ELSE
fetchnode
END
*)
NEXTNODE0 ax: AXIOM val2(nd) - 0 IMPLIES
NEXTNODE(nd,func,dbl) =
IF val2(func) = 0 THEN fetchnode
ELSIF val2(func) = 1 THEN loadnode
ELSE inclnode
END
NEXEI ax: AXIOM val2(nd) = 1 IMPLIES
_DE(nd,func,dbl) = IF dbl THEN inc2node
ELSE fetchnode
END
NEXTNODE2a3 ax: AXIOM val2(nd) = 2 or val2(nd) = 3 IMPLIES
NEXTNODE(nd,func,dbl) = fetchnode
C_IC: function[statevector,word6,word2 -> statevector] =
(LAMBDA sty, loadin, func -> statevector:
make_triple(MULTIPLEX(INCLOGIC(count(stv),
INCCON(node(stv))
loadin,
MPLXCON(node(stv)) ),
BOOLF(bit2(0,func)),
NF_JCPNODE(node(stv),func,double(stv)) )
i
cnt6 fa.NEXT: function[statevector,word6,word2 -> statevector] = COUNTLOGIC
END cnt6 blk
2O
SPECIFICATION OF CIRCUIT
In this section the 6-bit counter is expressed in terms of low-level circuit
elements -- NAND2, INV, XNOR, etc. In the_RSRE pape[, this level was only
defined in the ELLA language. Although the MAPPINGS to "cnt6_blk" have been
included, none of the proofs between this level and the block model have yet
been attempted.
Listing of Cnt6 cir
cnt6 cir: MODULE
-- l
MAPPING cnt6 blk ONTO words, triples, bsignal
THEORY
(* abbreviations
word2: TYPE is word[2]
word6: TYPE is word[6]
cntrlsigs: TYPE is triple[bool,bool,word[2]]
bit2: function[int, word2 -> bool] is bit[2]
bit6: function[int, word6 -> bool] is bit[6]
assign2:function[int,bool,word2 -> word2] is assign[2]
assign6:function[int,bool,word6 -> word6] is assign[6]
(* circuit elements
b,bl,b2,b3,b4: VAR bool
INV: function [bool -> bool] = (LAMBDA b -> bool: not b)
NAND2: function [bool, bool -> bool] =
(LAMBDA bl,b2 -> bool: not (bl and b2))
NAND3: function [bool, bool, bool -> bool] =
(LAMBDA bl,b2,b3 -> bool: not (bl and b2 and b3))
NAND4: function [bool, bool, bool, bool -> bool] =
(LAMBDA bl,b2,b3,b4 -> bool: not (bl and b2 and b3 and b4))
XNOR: function [bool, bool -> bool] =
(LAMBDA bl,b2 -> bool: not (not bl and b2 or bl and not b2))
NOR/: function [bool, bool -> bool] =
(LAMBDA bl,b2 -> bool: not (bl or b2))
(* logic variables
i0,ii,i2,i3,i4,i5: VAR bool
ibit,lsel,incbit,incsel: VAR bool
incout,loadin,cntr: VAR word6
,)
,)
,)
21
mplxsel, noinc, Double: VARbool
Node,Func: VARword2
(* circuit definition
output : function [bool,bool,bool,bool,bool,bool -> word6]
(LAMBDA i0,ii,i2,i3,i4,i5 -> word6:
assign6(0,i0,
assign6(l,il,
assign6(2,i2,
assign6(3,i3,
assign6(4,i4,
assign6(5,i5,newword[6])))))))
*)
bitsel: function[bool,bool,bool,bool -> bool] =
(LAMBDA ibit,lsel,incbit,incsel -> bool:
NAND2(NAND2(ibit,lsel), NAND2(incbit,incsel))
MPLEXCIRC: function[word6,word6,bool -> word6]
MPLEXCIRC ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) =
output(
bitsel(bit6(0,1oadin),INV(mplxsel),bit6(0,incout),mplxsel),
bitsel(bit6(l,loadin),INV(mplxsel)
bitsel(bit6(2,1oadin),INV(mplxsel)
bitsel(bit6(3,1oadin),INV(mplxsel)
bitsel(bit6(4,1oadin),INV(mplxsel)
bitsel(bit6(5,1oadin),INV(mplxsel)
)
,bit6(l,incout),mplxsel),
,bit6(2,incout),mplxsel),
,bit6(3,incout),mplxsel),
_bit6(4,incout),mplxsel),
,bit6(5,incout),mplxsel)
carry4bar: function[word6,bool -> bool] =
(LAMBDA cntr,noinc -> bool:
NAND4(INV(noinc),bit6(0,cntr),bit6(l,cntr),bit6(l,cntr))
)
INCCIRC: function[word6,bool -> word6] =
(LAMBDA cntr,noinc -> word6:
output( _
XNOR(bit6(0,cntr), noinc),
XNOR(bit6(l,cntr), NAND2(INV(noine),bit6(0,cntr)) ),
XNOR(bit6(2,cntr),
NAND3(INV(noinc), bit6(0,cntr), bit6(l,cntr) ) ),
XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ),
XNOR(bit6(4,cntr),
NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr) )
),
XNOR(bit6(5,cntr),
NAND3(INV(carry4bar(cntr,noinc)),
bit6(3,cntr) ,
bit6(4,cntr) ) )
)
22
inccon:
common:
function[word2 -> bool] =
(LAMBDANode -> bool:
NOR2(bit2(0,Node),bit2(l,Node))
function[word2,word2 -> bool] =
(LAMBDANode,Func -> bool:
NAND3(inccon(Node),INV(bit2(l,Func)),bit2(0,Func))
CONTROLCIR: function[word2,word2,bool -> cntrlsigs]
(LAMBDA Node,Func,Double -> cntrlsigs:
maketriple(inccon(Node),
NAND2(bit2(0,Node),bit2(l,Node)),
assign2(0, NAND2(common(Node,Func),
NAND2(inccon(Node),bit2(l,Func))
),
assign2(l,NAND2(common(Node,Func),
NAND3(Double,
bit2(0,Node),
INV(bit2(l,Node) ) )),
newword[2])
)
(* Mappings to "cnt6 blk"
cnt6 blk.INCLOGIC: function[word6,bool -> word6] = INCCIRC
cnt6 blk.MULTIPLEX:
cnt6 blk.INCCON:
cnt6 blk.MPLXCON:
cnt6 blk.NEXTNODE:
END cnt6 cir
function[word6,word6,bool -> word6] = MPLEXCIRC
function[word2,word2,bool -> bool] =
(LAMBDANode,Func,Double -> bool:
first(CONTROLCIR(Node,Func,Double))
)
function[word2,word2,bool -> bool] =
(LAMBDA Node,Func,Double -> bool:
second(CONTROLCIR(Node,Func,Double))
)
function[word2,word2,bool -> word2] =
(LAMBDANode,Func,Double -> word2:
third(CONTROLCIR(Node,Func,Double))
)
,)
23
Translation of Circuit-Spec to Sili_:c_n
Although the circuit-level description is defined in terms of only low-
level circuit elements, this level does not explicitly specify the layout of
the circuit. There ale many problems to be addressed here. The first is
uncovering the basic element interconnections from the functional description.
For example, suppose we have the following circuit specification
BLACK BOX: function[bool,bool,bool,bool -> bool]
(LAMBDA ii,i2,i3,i4 -> bool:
NAND3(XNOR(il,i2),
NAND2(XNOR(il,i2), INV(XNOR(i3,i4)))
XNOR(i3,i4)
)
)
A brute-force implementation of this function would yield:
iI
_NV
NAND2 NAND3
Of course, by recognizing common sub-expressions, this could be implemented as
fo I1ows:
24
NAND2 NAND.1
INFORMAL PROOFS
The concept of hierarchical specification depends on the idea of proving
the axioms of a specification level as theorems in the level below it. One
first maps the uninterpreted types and constants of the high level theory into
more concrete objects in the lower level. The axioms of the high level
specification are mapped down (using the mappings) to the objects of the lower
level and proved as theorems there:
 zoMs %, %
I
I
I Map
I
v
AXIOMS B I , B 2, B_, B
One must then prove that Map(; h ) and Map(A;) follow from B l , B 2, S 3, B 4.
In the next two sections, the proofs which establish the connection from
the block model specification up to the top specification ale presented
informally.
25
Proof Between Top Level Spec and Major State Machine Spec
There were two axioms of the top level spec "cnt6": "counter ax" and
"ready ax".
counter ax: AXIOM ready(state) IMPLIES cnt(exec cnt(state,loadin,func)) =
IF val2(func) = 0 THEN cnt(state)
ELSIF val2(func) = 1 TH_N loadin
ELSIF val2(func) = 2 THEN
addl mod64(cnt(state))
ELSE
addl mod64(addl mod64(cnt(state)))
END
When "counter ax" is mapped down to the next level, the functions "ready",
"cnt", and "exec_cnt", are interpreted in terms of their mapping definitions.
Thus, in the lower level, the "counter ax" is:
counter ax: AXIOM node(state) = fetchnode IMPLIES
count(FinTte_automata(state,loadin,func)) =
IF val2(func) = 0 THEN count(state)
ELSIF val2(func) = 1 THEN loadin
ELSIF val2(func) = 2 THEN
addl mod64(count(state))
ELSE
addl mod64(addl mod64(count(state)))
END
This must be proved as a theorem in terms of the axioms of "cnt6 fa".
basic strategy is to decompose this theorem into four cases:
The
Case i: val2(func) = 0
Case 2: val2(func) = 1
Case 3: val2(func) = 2
Case 4: val2(func) = 3
First, one lemma is proved which simplifies the proof of the four cases. Next,
each case is proved separately. Finally, "counter ax" is proved from these
four cases:
26
Proof of a Lemma
Proof:
Thus,
stbl: LEMMA ready(st) IMPLIES val2(node(st)) = 0
-i
By definition, ready(st) => (node(st) = fetchnode )
=> (node(st) = mw2(0) ).
ready(st) ==> val2(node(st)) = val2(mw2(0))
By the "val mw thm" theorem of words[2] we have:
ready(st) ==> val2(node(st)) = val2(mw2(0)) = 0
Endproof.
Proof of cnt 0
cnt 0: LEMMA ready(state) and val2(func) = 0
IMPLIES cnt(exec cnt(state,loadin,func)) = cnt(state)
Proof: From the definition of "exec cnt" and val2(func)=0 we have:
cnt(exec cnt(state,loadin,func)) =
-cnt(NEXT(state,loadin,func), loadin,func )
Using "NEXT_ax", the preceeding lermna, and "FETCH_ax" we have:
cnt(exec cnt(state,loadin,func)) =
cnt(FETCH(cnt(state) ,doublef(state),loadin,func) ) =
cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),fetchnode) )
Finally by definition of "cnt" and the "make_triple ax" we have:
cnt(exec cnt(state,loadin,func)) =
cnt(state)
Endproof.
27
Proof of cnt I
cnt i: LEMMA ready(state) and val2(func) _ 1
IMPLIES cnt(exec cnt(state, loadin, func) ) - loadin
Proof:
cnt(exec cnt(state,loadin,func)) - (* NEXT ax *)
D
cnt( NEXT(NEXT(state,loadin,func), loadin,func )) =
cnt( NEXT(FETCH(cnt(state) ,doublef(state),loadin,func) )) -
cnt( NEXT( make_triple(cnt(state) ,BOOLF(bit2(0, func) ),loadnode)
loadin, func )) -
(* -- Since VAL2(loadnode) _ 3 -- *)
cnt (LOAD( cnt (make_t riple (cnt (state ),BOOLF (bi t2 (0, func )),loadnode ),
double f (make tr iple (cnt (state ),BOOLF (bi t2 (0, func )),loadnode ),
loadin,func) ) -
cnt( LOAD( cnt( state ),
BOOLF(bit2(0, func }),
loadin,func) ) -
cnt(make_triple(loadin,BOOLF(bit2(0,func)),fetchnode) ) =
loadin
28'
Proof of cnt 2
cnt 2: ready(state) and val2(func) - 2
IMPLIES cnt(exec cnt(state,loadin, func))
IF val6(cnt(state)) - 63 THEN mw6(0)
ELSE mw6(val6(cnt(state))+l)
END
Proof:
cnt(exec cnt(state,loadin,func)) I (* NEXT ax *)
cnt( NEXT(NEXT(state,loadin,func), loadin,func )) -
cnt( NEXT(FETCH(cnt(state) ,doublef(stateT,loadin,func) 77 -
cnt( NEXT( make_triple(cnt(stateT,BOOLF(bit2(0,func77,inclnode7
loadin,func )) =
Since VAL2(inclnode) - 1 --- *)
cnt(INCl(cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode),
doublef(make_triple(cnt(state),BOOLF(bit2(O,func)),inclnode),
loadin,func) ) =
cnt(INCl(cnt(state),
BOOLF(bit2(0,func),
loadin,func) ) -
(* -- Since bit2(0,func) - 0 =-> BOOLF(bit2(0,func)) = false --- *)
cnt(make_triple(ADDl(cnt(state)),BOOLF(bit2(O,func)),fetchnode)) -
ADDl(cnt(state)7 -
IF val6(cnt(state)) I 63 THEN mw6(0) ELSE mw6(val6(cnt(state))+l)
END
Proof of cnt 3
cnt 3: LEMMA ready(state) and val2(func) = 3
IMPLIES cnt(exec_cnt(state,loadin,func))
IF val6(cnt(state)) = 63 THEN mw6(1)
ELSIF val6(cnt(state)) = 62 THEN mw6(0)
ELSE mw6(val6(cnt(state))+2)
END
29
Proof:
cnt(exec cnt(state,loadin,func))
cnt( NEXT(
cnt( NEXT(
= (* NEXT ax *)
NEXT(NEXT(state,loadin,func), loadin,func ), loadin,func)) =
NEXT(FETCH(cnt(state) ,doublef(state),loadin,func)),
loadin,func) -
cnt( NEXT( NEXT(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode)
loadin,func ), loadin,func )) =
(* --- Since VAL2(inclnode) = 1 --- *)
cnt(NEXT(
INCl(cnt(make_triple(cnt(state),BOOLF(bit2(O,func)),inclnode),
doublef(maketriple(cnt(state),BOOLF(bit2(O,func)),inclnode),
loadin,func),loadin,func ) ) =
cnt(NEXT( INCI(cnt(state),
BOOLF(bit2(0,func),
loadin,func),loadin,func) ) =
(* --- Since bit2(0,func) - 1 --> BOOLF(bit2(0,func)) - true --- *)
cnt(NEXT(make_triple(ADDl(cnt(state)),BOOLF(bit2(O,func)),inc2node),
loadin, func) ) =
cnt(INC2(cnt(make_triple(ADDl(cnt(state)),BOOnF(bit2(0,func)) ),
doublef(make_triple(ADDl(cnt(state)),BOOLF(bit2(0,func)) ),
loadin,func)) =
cnt(INC2(ADDl(cnt(state)),
BOOLF(bit2(0,func)),
loadin,func ) )
cnt(make_triple(ADDl((ADDl(cnt(state))),BOOLF(bit2(O,func)),fetchnode) )
ADDl((APDl(cnt(state)))
ADDI(IF val6(ADDl(cnt(state))) = 63 THEN mw6(0)
ELSE mw6(val6(ADDl(cnt(state)))+l) END )
IF val6(IF val6(ADDl(cnt(state))) = 63 THEN mw6(0)
ELSE mw6(val6(ADDl(cnt(state)))+l) END) - 63 THEN mw6(0)
ELSE mw6(val6(IF val6(ADDl(cnt(state))) = 63 TH]_ mw6(0)
ELSE mw6(val6(ADDl(cnt(state)))+l) END)+1)
END
3O
IF val6(cnt(state)) = 63 THEN mw6(1)
ELSIF val6(cnt(state)) = 62 THEN mw6(0)
ELSE mw6(val6(cnt(state))+2)
_D
Proof of the cnt6 axioms
ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state,loadin,func) )
counter ax: AXIOM ready(state) IMPLIES cnt(exec cnt(state,loadin, func)) =
- IF val2(func) _ 0 THEN cnt(state)
ELSIF val2(func) = 1 THEN loadin
ELSIF val2(func) = 2 THEN
addl mod64(cnt(state))
ELSE
addl mod64(addl mod64(cnt(state)))
END
The "counter_ax" follows from "cnt_0", "cnt i", "cnt_2", and "cnt_3" and the
"val_range_thm" applied to "func". The "val range thm" is needed to establish
that "func" can only be equal to 0, 1, 2, or 3. Thus the "ELSE" clause in
"counter ax" applies to "func" = 3 only. Thus, counter ax follows directly
from cnt_0, cnt_l, cnt_2, cnt_3, and val_range_thm[2]. The axiom "ready_ax" is
proved from the same lemmas.
Proof Between Major State Machine Spec and Block Model Spec
In this section the connection between the major state machine model and
the block diagram spec is demonstrated via informal proof. The following
axioms of the major state machine model must be proved as theorems in the Block
Model:
NEXT0 ax: AXIOM val2(node(stv)) = 0 IMPLIES
-- NEXT(stv,ldn,fn) = FETCH(count(stv),double(stv),Idn,fn)
NEXT1 ax: AXIOM val2(node(stv)) = 1 IMPLIES
NEXT(stv,ldn,fn) = INCl(count(stv),double(stv),Idn,fn)
NEXT2 ax: AXIOM val2(node(stv)) = 2 IMPLIES
NEXT(stv,ldn,fn) = INC2(count(stv),double(stv),idn,fn)
NEXT3 ax: AXIOM val2(node(stv)) = 3 IMPLIES
NEXT(stv,ldn,fn) = LOAD(count(stv),double(stv),idn,fn)
31
The function "NEXT"is mappedonto "COUNTLOGIC"at this level, so each of these
axioms must be proved with respect to the "COUNTLOGIC"implementation:
NEXT0ax: AXIOMval2(node(stv)) = 0 IMPLIES
- _IC (stY, idn, fn ) = FETCH( count (sty ),double (sty), idn, fn)
Proof:
_IC(stv, loadin, func) =
make__triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
loadin,
MPLXCON(node(stv))),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) =
[ by definition of INCCON and MPLXCON: }
make triple(MULTIPLEX(INCLOGIC(count(stv),
(val2(node(stv)) = 0) ),
loadin,
NOT (val2(node(stv)) = 3)),
B(X)LF(bit2(0,func)),
NEXODE(node(stv),func,double(node)) ) =
make_triple(MULTIPLEX(INCLOGIC(count(stv),
true ),
loadin,
true ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) -
{ by INCLOGIC ax: }
maketriple(MULTIPLEX(count(stY),
loadin,
true ),
BOOLF(bit2(0,func)),
NEXTSK)DE(node(stv),func,double(node)) ) -
{ by MULTIPLEX ax: }
make triple(count(sty),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) -
{ by FETCH ax: }
FETCH(cnt(stv),doublef(stv),loadin, func) =
32
The last step follows from the fact that val2(node(stv) = 0 IMPLIES
NEXTNODE(node(stv),func,double(node) ) ) is an element of
{fetchnode, loadnode, inclnode }
that
Endproof
NEXT1 ax: AXIOM val2(node(stv)) = 1 IMPLIES
- COUNTLOGIC(stv,ldn,fn) = INCl(count(stv),double(stv),idn,fn)
Proof:
C_IC(stv, loadin, func) =
make_triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
loadin,
MPLXCON(node(stv))),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) =
{ by definition of MPLXCON: }
make_triple( MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
loadin,
NOT(val2(node(stv))=3) ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) )
{ by INCLOGIC ax: }
make triple( MULTIPLEX(ADDI(count(stv),
loadin,
true),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
{ by MULTIPLEX ax: }
{ by INCl ax: }
maketriple( ADDl(count(stv),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
( The last step follows from the fact that
NEXTNODE(node(stv),func,double(node))
{fetchnode,inc2node)
Endproof
33
INCl(cnt(stv),double(stv),loadin,func) =
val2(node(stv) = 1
) is an element of
IMPLIES that
NEXT2ax: AXIOMval2(node(stv)) u 2 IMPLIES
- COUNTLOGIC( sty, idn, fn) = INC2 (count (sty) ,double(sty), Idn, fn )
Proof:
_IC(stv, loadin, func) s
make_triple( MULTIPLEX( INCLOGIC( count( sty), INCCON( node(stv) )),
loadin,
MPLXCON(node (sty)) ),
BOOLF(bit2 (0, func) ),
NEXTNODE (node (stv ),func, double (node )) ) =
[ by INCLOGIC_ax: ]
make_triple( MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
loadin,
NOT(val2(node(stv))-3) ),
BOOLF(bit2(0,func)),
NKXTNODE(node(stv),func,double(node)) ) -
make_triple(
[ by MULTIPLEX_ax: ]
MULTIPLEX(ADDI(count(stv),
loadin,
true),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
make_triple( ADDl(count(stv),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
[ by NEXTNODE2a3_ax: ]
make_triple( ADDl(count(stv)),
BOOLF(bit2(0, func)),
fetchnode ) =
{ by INC2 ax: }
INC2(cnt(stv),double(stv),loadin,func) =
NEXT3 ax: AXIOM val2(node(stv)) = 3 IMPLIES
C_IC(stv,ldn,fn) = LOAD(count(stv),double(stv),idn,fn)
34
_IC( sty,
[ by INCLOGIC_ax:
loadin, func) =
make_triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
loadin,
MPLXCON(node(stv))),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) =
make_triple(MULTIPLKX(INCLOGlC(count(stv),val2(node(stv))-0),
loadin,
NOT(val2(node(stv))=3) ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node)) ) =
]
make_triple(MULTIPLEX((count(stv)
loadin,
NOT(val2(node(stv))=3) ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
by MULTIPLEX_ax: ]
make_triple(
[ by NEXTNODE2a3_ax: ]
{ by U  _ax: )
make_triple(
loadin,
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(node))
t
loadin,
BOOLF(bit2(0,func)),
fetchnode ) =
m
LOAD(cnt(stv),double(stv),loadin,func) =
Proof Between Block Diagram Spec and Circuit-Level Spec
In the RSRE methodology, the proof
and the circuit-level specification is
intelligent exhaustion (ref. 4) or the
proofs at this level have notyet been
the advantages
between the block-diagram specification
accomplished by the method of
more recent "NODEN" method (ref 5). The
attempted. Future work will investigate
and disadvantages of "NODEN" versus EHDM proof.
35
SPECIFICATIONOFN-BIT WORDS
A physical row of input or output lines are often interpreted as integers
in some hardware devices. Of course the range of integer values which can be
presented on N wires is finite, usually taken to be 0 to 2"-i. It is necessary
to build a theory which enables one to reason about such rows of signal values
as integers, in a simple manner. This section describes such a theory. In
this theory a row of N inputs is referred to as a "N-bit word". This theory
has been defined in a separate module "words" to facilitate its reuse. This
module should be usable by most hardware verification projects without
modification.
It is necessary to first define the possible signal values which can appear
on a single line. For simplicity, the set of boolean values: {true, false} are
used to represent signal values in "words". In the RSRE reports, the domain of
signal values range over t, f, x, z, q and i, which stand for true, false,
don't care, tri-state high impedance, unaltered memory element and
indeterminate, respectively. The x, z, q, and i values were not needed to
verify the counter in EHDM so the simpler boolean domain was used. Appendix A
shows how the theory of words can be generalized to include these other values.
Conceptually, a word consists of N bits which are indexed by an integer
between 0 and N-I inclusive. Thus, the module is defined in terms of a generic
parameter "N" which is the number of bits in the word. This module exports the
type "word[N]". If only one type of word will be used in a specification, the
user can declare the size of the words in a USING clause, e.g.
USING words [32 ]
and the identifier "word" can be used instead of word[32]. If more than one
word type is needed, then the following using clause is used:
USINGwords
f
and the user must cite the length of the word explicitly, e.g. word[32],
word[16], etc. This module also defines the following functions:
36
val(w): returns the unsigned integer value of the N-bit word "w"
mw(i): returns an N-bit word containing the binary representation of the
unsigned integer "i".
bit(i,w): returns the contents of the "ith" bit of word "w"
assign(i,b,w): assigns the boolean value "b" to the "ith" bit of word "w"
If there is only one declaration of the "words" module, then the above
functions cab be abbreviated as "val", "row", "bit" and "assign". If there are
multiple declarations of the "words" module, then the function names cannot be
abbreviated, e.g. :
valI32](w): returns the unsigned integer value of the 32-bit word "w"
val[12](w): returns the unsigned integer value of the 12-bit word "w"
bit[16](i,w): returns the contents of the "ith" bit of the 16-bit word "w"
assign[12](i,b,w): assigns "b" to the "ith" bit of the 12-bit word "w"
The "bit" and "assign" functions enable the access and modification of
individual bits of a N-bit word. These functions are defined formally as
follows:
bitassign: AXIOM (i >= 0 and i < N) IMPLIES
bit(i,assign(k,b,w)) =
( IF k = i THEN b ELSE bit(i,w) END )
Thus, bit and assign are defined in terms of each other. The axiom defines
the effect of retrieving a bit from a word which has been modified by assigning
a new value to one of its bits. If the bit being retrieved is the same as the
one just assigned, the new value is retrieved. Otherwise, the value retrieved
is the same as before the assignment. Thus, assigning a bit in a word does not
affect any other bit in the word. It should be noted that these functions are
not defined in a "constructional" manner; that is, they have not been defined
separately in terms of previously defined primitives. Their properties have
been defined axiomatically in terms of each other. Such axioms must be
carefully scrutinized to insure that inconsistencies are not introduced into
the specification.
This method of defining a word differs considerably from the way they were
defined in the RSRE report using LCF-LSM. In LCF-LSM there are specific built-
in functions that manipulate lists of objects. In the RSRE work, a word is
37
represented by a list of objects. Thus, they "construct" a word using more
primitive functions.
In the top-level specification of the 6-bit counter, its behavior is
defined in terms of modulo-64 arithmetic over integers. Thus, it is necessary
to define functions which "interpret" an N-bit word as an integer. The "val"
and "row" functions perform this duty. The "val" function is defined
recursively as follows:
valm: function[word,int,int -> int]
valm def: AXIOM valm(w,m,n) = IF m - 0 THEN 0
ELSE 2*valm(w,m-l,n) + BOOLVAL(bit(n-m,w))
END
val: function[word -> int]
val def: AXIOM val(w) = valm(w,N,N)
Similarly, the "mw" function is defined recursively:
mw: function[int -> word]
mwm: function[int,int,int -> word]
mwm def: AXIOM mwm(v,m,n) = IF m = 0 THEN newword
ELSE
assign(n-m,BOOLVAR(MOD2(v)),
mwm(DIVBY2(v),m-l,n) )
END
The constant "newword" used in "mwm def" above represents an undefined
word. It is defined formally as:
accessnew: AXIOM bit(k, newword) = f
The major theorem of this module establishes that "val" and "mw" are inverse
functions:
( ii >- 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) = ii
The specification of "words" is:
words: MODULE[N: intl
USING power 2_th, divby2 th
EXPORTING WOrd, newword, bit, assign, val, mw, mwm, valm, bool to int
WITH power2_th,divby2_th
38
ASSUMING
N_pos: FORMULAN>0
THEORY
word: TYPE
k,i,ii,m,v,n: VARint
w,wl,w2: VARword
b: VARbool
newword: word
assign: function[int, bool, word-> word]
bit: function[int, word -> bool ]
bitassign: AXIOM(i >= 0 and i < N) IMPLIES
bit(i,assign(k,b,w)) =
( IF k - i THEN b ELSE bit(i,w) END )
mw: function[int -> word]
val: function[word -> int]
mwm: function[int,int,int -> word]
mwm def: AXIOM mwm(v,m,n) =
IF m = 0 THEN newword
ELSE
assign(n-m, BMOD2(v),mwm(DIVBY2(v),m-l,n) )
END
mw def: AXIOM mw(ii) = mwm(ii,N,N)
bool to int: function[bool -> int] =
(LAMBDA b -> int: IF b THEN 1 ELSE 0 END )
valm: function[word,int,int -> int]
valm def: AXIOM valm(w,m,n) = IF m = 0 TH_ 0
ELSE 2*valm(w,m-l,n) + bool to int(bit(n-m,w))
END
val def: AXIOM val(w) = valm(w,N,N)
(* Big Theorems *)
val mw thm: THEOREM ( ii >= 0 AND ii < power2(N) )
IMPLIES val(mw(ii)) = ii
val_range_thm: THEOREM val(w) >= 0 and val(w) < power2(N)
val bits thm: THEOREM val(wl) = val(w2) IMPLIES
(FORALL m: m>=0 AND m<N IMPLIES bit(m,wl)=bit(m,w2))
END words
The proofs of the theorems are listed in Appendix C.
39
FORMALPROOFS
In this section a brief overview is given of the formal proofs performed using
the EHDM theorem prover. The automatic theorem prover is used to guarantee
that no errors have been made in the proofs themselves.
Introduction to Proving in EHDM
Proving is accomplished in EHDM by reducing the problem to the decidable
domain of the theorem prover by citing all premises which the theorem depends
upon and "instantiating" the variables of the theorem and premises. To
illustrate this process, the cnt_0 proof will be examined. From the informal
proof (see section entitled "INFORMAL PROOFS") we can see that the theorem
follows from NEXT ax, FETCH ax, stbl, and make triple_ax. The first step to
proving the theorem is to list these premises. Next, the variable names in the
premises must be "matched". This is accomplished by "instantiating" (i.e.
substituting) the variables in the premises with the same names as in the
conclusion. The first premise used was NEXT_ax. NEXT_ax has three variables
which must be "instantiated", namely maj, loadin, and func. v The cnt_0
formula calls the "NEXT" function with arguments "state", "loadin", and "func".
Therefore, these are the values that must be assigned to the "NEXT_ax"
variables. This is done as follows:
maj <- state@C,
loadin <- loadin@C,
func <- func@C
The @C is used to indicate that the names come from the conclusion. (Names
from premise one are designated by @pl, premise two by @P2 and so forth.) This
matching process is done for all of the premises. The formal proof is:
7 Substitutable variables are those that are universally quantified in the
premises and existentially quantified in the conclusion.
40
p_cnt_0: PROVE cnt_0 FROM NEXT_ax{maj <- state@C,
loadin <- loadin@C,
func <- func@C},
FETCH_ax{count <- cnt(state@C),
double <- doublef(state@C),
loadin <- loadin@C,
func <- func@C},
make_triple_ax{x <- cnt(state@C),
y <- BOOLF(bit2(0,func@C)),
z <- fetchnode],
stbl{st <- state@C)
Proof statements are included in the specification module in the last section
which follows the reserved word "PROOF". The module is subjected to the
theorem prover. The prover attempts to prove each of the theorems referenced
by a "PROVE" statement. The prover returns either "PROVED" or "UNPROVED". A
proof trace is supplied by the theorem prover to aid the user in accomplishing
a proof.
Some suggestions for improving the EHDM Theorem Prover are given in
Appendix B.
Status of Proofs
All of the proofs between the Top Level and the Major-State Level and
Between the Major-state level and the Block Model level have been completed. A
complete listing of the specifications and proofs are given in Appendix C. The
status reports generated by EHDM are listed below:
Proofs Between Top-level and Major-state level
The proof chain is complete
The following formulas were justified only as specific instances
words[&l].N_pos
The axioms and assumptions at the base are:
cnt6 fa.INC2 ax"
cnt6-fa.NEXT_ax"
cnt6-fa.INCl ax'
cnt6--fa.NEXT[ ax"
cnt6--fa.LOADax"
cnt6-fa.NEXT_ ax"
tripYes[&l, &_, &3].make_triple_ax
41
cnt6 fa. FETCHax'
cnt6-fa. NEXT0--ax*
divby2 th. alt-ax*
divby2-th, kill ax"
words[&l ] .valpos ax"
words[&l ]. twen ax"
words[&l ] .mw def
words[ &l ].weTr ax"
divby2 th. tfun-ax"
int in_uctions?int induct_by_2
divvy2 th. ifun ax'-
words [&l ].qfun-ax"
words [&l ].vfun-ax"
divby2 th.DIV ax
divby2-th. B_2 ax
divby2 th.MOD2 ax
words [&l ].bi tassign
words[ &l ].mwm def
words[&l] .zftm ax"
words[ &l ].val _ef
int inductions.int induction
wor_s[&l ].valm def-
words [&l ].rang_-ax"
powe r2_th, powe r2_ax
* denotes the axioms which are merely name definitions (.see section entitled
"Definitional Axioms" in APPENDIX B. The critical axioms are
triples[&l, &2, &3].make_triple_ax
words[ &l ].row def
int inductions.int induct by 2
divSy2 th.DIV ax -
divby2-th. BMOD2_ax
divby2 th.MOD2 ax
words[&l ].bitassign
words[&l] .mwm def
words[ &l ].val def
int inductions.int induction
wor_[s[ &l ].valm def-
powe r2_th, powe?2_ax
Proofs Between Ma_or-state level and Block-model level
The proof chain is complete
The axioms and assumptions at the base are:
cnt6 fa.LOAD ax"
cnt6--blk._DE2a3 ax °
cnt6-fa.INC2 ax" -
cnt6-blk.NEX_DEl ax"
cnt6-fa.INCl ax" -
cnt6--blk.NEX_DE0 ax"
cnt6-fa.FETCH ax" --
42
cnt6 blk.MULTIPLEXax*
cnt6-blk. INCLOGICax'
" denotes the axioms which are merely namedefinitions (see section entitled
"Definitional Axioms" in APPENDIXB.
Status of modules in context
cnt6 cir: Parsed and Typechecked
signal: Parsed and Typechecked
cnt6: Parsed and Typechecked
cnt6 fa: Parsed and Typechecked, 31 proofs, 31 attempted, 31 succeeded
ineq_cases: Parsed and Typechecked, 5 proofs, 5 attempted, 5 succeeded
divby2 th: Parsed and Typechecked, 29 proofs, 29 attempted, 29 succeeded
power2_th: Parsed and Typechecked, 7 proofs, 7 attempted, 7 succeeded
words prf: Parsed
cnt6 51k: Parsed and Typechecked, 14 proofs, 14 attempted, 14 succeeded
bsignal: Parsed and Typechecked
words: Parsed and Typechecked, 58 proofs, 58 attempted, 58 succeeded
int inductions: Parsed and Typechecked
triples: Parsed and Typechecked
CONCLUSIONS
The RSRE methodology appears to be a practical approach to designing and
verifying digital hardware. No major problems have been discovered in the
methodology thus far. The work of this paper has focused on the hierarchical
specification method. Future work will concentrate on the method of
intelligent exhaustion.
There was one property which should be demonstrated about sequential
circuits that was not explicitly dealt with in the RSRE papers -- "readiness"
of the finite state automata. The "readiness" property refers to whether the
finite automata always returns to the fetch state after executing a function.
Although RSRE's hand proofs clearly established this property, the property was
not specified formally.
The RSRE report did not formalize in LCF-LSM the timing behavior of the
counter. Although some timing diagrams were provided and some informal remarks
were made about "hoisting exiting conditions", it is not clear how this
material could be formalized. Although omitting timing details from the LCF-
LSM specifications significantly reduces the complexity of the specifications,
it raises the possibility that certain design errors could go undetected. For
example, if the state variables were not stored in latches (e.g., connected via
direct feedback line), the automatic theorem prover would not report this
43
deficiency. This appears to be an implicit assumption of the overall
methodology which should be more carefully documented. 8
The EHDM system was found to be fully capable of supporting the RSRE
methodology for hardware verification. Two features of the EHDM system were
found to be especially useful -- generic modules and the MAPPING constructs.
The generic module capability provided a convenient method of defining the
theory of words. This stands in contrast to LCF LSM where the "almost
identical" text must be repeated which define "val2", "val6", "va132", etc.
The MAPPING constructs enabled the user to formally connect the levels of the
system hierarchy. This was only accomplished informally in the RSRE report.
REFERENCES
i. Cullyer, W. J. ; and Pygott, C. H. : Hardware Proofs Using LCF-LSM and ELLA,
RSRE Memorandum No. 3832, Royal Signals and Radar Establishment, Sept. 1985
2. F. W. yon Henke; J.S. Crow; R. Lee; J.M. Rushby; R.A. Whitehurst:
The EHDM verification environment: an overview.
Proc. of the llth NBS/NCSC National Computer Security
Conference, Baltimore, October 1988.
3. Morison, J. D.; Peeling N. E.; Thorp T. L. : ELLA: Hardware Description Or
Specification?, Proc. IEEE International Conference CAD-84, Santa Clara,
Nov. 12-15, 1984.
4. Pygott, C. H.: Formal Proof of Correspondence between the specification of
a hardware module and its gate level implementation, RSRE Report No. 85012,
Royal Signals and Radar Establishment, Sept. 1985
5. Pygott, C. H.: NODEN: An Engineering Approach to Hardware Verification,
IFIPS Hardware Verification Conference, July 1988.
A simple program could be wriiten which examines the circuit-level
specification to insure that all feedback paths contain a one clock delay
device (e.g. a latch) .
44
APPENDIXA
THEORYOF GENERAL WORDS
In this section, a general theory of words is developed. This theory
defines the concept of a N-bit word where each bit can take values from a more
general domain than the booleans. Although the theory developed does not
depend upon the specific domain, the following values are of typical interest:
t -- true
f -- false
x -- don't care
q -- unaltered memory element
z -- tristate impedance high
i -- indeterminate
The following specification defines these values
signalval: TYPE
t,f,x,q,z,i: signalval
unique: AXIOM t ~= f and t ~= x and t ~= q and t ~= z and t ~- i and
f ~= x and f ~= q and f ~= z and f ~= i and
x ~= q and x ~= z and x ~= i and
q ~= z and q ~= i and
z ~= i and
ss: VAR signalval
exhaust: AXIOM x = t or x = f or x = x or x = q or x = z or x = i
Since EHDM has no method of defining a new domain of values automatically, the
user must manually define its value and explicitly state the property of
uniqueness and completeness.
The properties of words over the domain of "signalval" are defined in the
same manner as words defined over booleans.
BitAssign: AXIOM (i < N and i >- 0) IMPLIES
( IF k = i THEN Bit(i,Assign(k,s,gw))- s
ELSE Bit(i,Assign(k,s,gw))= Bit(i,gw) END )
This is essentially the same as "bitassign" in the boolean words theory.
function names are capitalized to distinguish them from the boolean word
The
45
functions since EHDMdoes not support overloading of function names. The
axiom defines the effect of retrieving a bit from a word which has been
modified by assigning a new value to one of its bits. If the bit being
retrieved is the sameas the one just assigned, the new value is retrieved.
Otherwise, the value retrieved is the sameas before the assignment. It
should be noted that these functions are not defined in a "constructional"
manner, that is, they have not been defined separately in terms of previously
defined primitives. Their properties have been defined axiomatically in terms
of each other. Suchaxioms must be carefully scrutinized to insure that
inconsistencies are not introduced into the specification.
Next, the functions "val" and "mw" are defined in the general theory of
words. The "val" and "row" functions "interpret" the N bits of boolean values
as an integer. Consequently they are only defined for general words that
contain only values of "t" and "f". They must be defined as partial functions.
This is accomplished by defining a function which embedsthe boolean words in
the set of general words:
embed: function[word-> gword]
embedax: AXIOM(i < N and i >= 0) IMPLIES
-- Bit(i,embed(w)) z bool to signal(bit(i,w))
There are now two distinct types -- word and gword -- which represent boolean
words and general words respectively. The function bool to signal associates
the boolean values with "t" and "f" of "signalval":
bool_to_signal: function[bool -> signalval] =
(LAMBDA bb -> signalval:
IF bb THEN t
ELSE f
END)
Thus, the function "embed" maps boolean words to the corresponding general word
which consists of only "t" and "f" values. Using the "embed" function, the
partial functions "Val" and "Mw" can be defined:
Val: function[gword-> int]
Val ax: AXIOM Val(embed(w)) = val(w)
Mw: function[ int -> gword]
Mw ax: AXIOM Mw(ii) - embed(mw(ii))
46
The theorems of the "words" module are easily established in the theory of
general words. For example:
Val Mw thin: THEOREM ( ii >_ 0 AND ii < power2(N) )
IMPLIES Val(Mw(ii)) = ii
Proof: Val(Mw(ii)) = Val(embed(mw(ii))
= val(mw(ii)
= ii
The last step follows from the "val mw thm" theorem of "words", the boolean
word theory.
The full specification of "gwords" follows:
gwords: MODULE[N: int]
USING words,power2_th,signal,divby2th
EXPORTING gword, newgword, Valuable, Assign, Bit
WITH power2th,signal,divby2th
ASSUMING
N pos: FORMULA N>0
THEORY
(* abbreviations for words items
word: TYPE is word[N]
assign: function[int, bool, word -> word] is assign[N]
bit: function[int, word -> bool] is bit[N]
mw: function[int -> word] is mw[N]
val: function[word -> int] is val[N]
(* Theory needed to define words functions
gword: TYPE
newgword: gword
k,i,ii: VAR int
w: VARword
gw, gw2: VAR gword
s: VAR signalval
a,b: VAR bool
Assign: function[int, signalval, gword -> gword]
Bit: function[int, gword -> signalval]
Bit__Assign_ax: AXIOM (i < N and i >= 0) IMPLIES
( IF k - i THEN Bit(i,Assign(k,s,gw))- s
ELSE Bit(i,Assign(k,s,gw))= Bit(i,gw) END )
,)
,)
47
accessnew: AXIOMBit(k,newgword) = x
(* - Concepts related to interpretation of words as integers ...... *)
embed: function[word-> gword]
embed ax: AXIOM (i < N and i >= 0) IMPLIES
- Bit(i,embed(w)) = bool to signal(bit(i,w))
Val : function[gword -> int ]
Val ax: AXIOM Val(embed(w)) = val(w)
Mw: function[int -> gword]
Mw ax: AXIOM Mw(ii) = embed(mw(ii))
Valuable: function[ gword -> bool ]
Valuable def: AXIOM Valuable(gw2) - (EXISTS w: gw2 = embed(w))
Val Mw thin: AXIOM ( ii >= 0 AND ii < power2(N) )
IMPLIES Val(Mw(ii)) = ii
Bit bit thm: THEOREM (i < N and i >= 0) IMPLIES
-- - bit(i,w) _ signal to bool(Bit(i,embed(w)))
Assign_assign_thm: THEOREM (i < N and i >= 0) IMPLIES
embed(assign(i,b,w)) = Assign(i,bool to signal(b),embed(w))
valuable mw: THEOREM Valuable(embed(mw(ii)))
Valuable thm: THEOREM Valuable(gw) = (_i>=0) and (i < N) IMPLIES
- (Bit(i,gw) = t or Bit(i,gw) - f))
Val_range_thm: AXIOM Valuable(gw) IMPLIES
Val(gw) >= 0 and Val(gw) < power2(N)
PROOF
p_Val Mw thm: PROVE Val Mw thm FROM Mw ax,
Va[_ax{w <- mw(ii)},
val mw thm[N]
p_Val_range_thm: PROVE Valrange_thm{gw <- embed(w@p3)} FROM
Valuable_def{gw2 <- embed(w@P3)],
val_ax{w <- w@P3],
val_range_thm[N]
p_Valuable_mw: PROVE Valuable_mw FROM Valuable_def
p_Bit_bit thm: PROVE Bit bit thm FROM embed ax,
- - - signal to bool ax
p_Assign assign thm: PROVEAssign assign thm FROM
- - - Bit Assign_ax,
embed_ax{w <- assign(i,b,w)}
END gwords
48
signal : MODULE
EXPORTING signalval, t, f, x, (* EQsig, AND3, OR3, NOT3, EQUIV *)
bool to signal, signal to bool, bool to int, BOOLF
(* , int to signal , signal to int *T --
THEORY
signalval: TYPE
t,f,x: signalval
a,b,c: VAR signalval
bb: VAR bool
i: VAR int
unique: AXIOM (t ~- f) and (t ~= x) and (f ~m x)
exhaust: AXIOM a-t OR a=f OR a=x
signal to bool: function[signalval -> bool]
signal-to-boolax: AXIOM signal to bool(t) - true and
signal to bool(_) - false
bool to signal: function[bool -> signalval] -
(LAMBDA bb -> signalval:
IF bb THEN t
ELSE f
END)
BOOLF: function[signalval -> bool] is signal to bool
bool to int: function[bool -> int] =
(LAMBDA bb -> int: IF bb THEN 1 ELSE 0 END )
END signal
49
APPENDIX B
SUGGESTIONS FOR IMPROVING EHDM
In the following subsections, several suggeskions are made for improving the
EHDM verification system.
Definition of the Values of a Type
Frequently it is necessary to define a type which takes on a finite number
of distinct values. This is accomplished in LCF-LSM as follows:
type signalval - NEW( t J f J x)
In EHDM this must be done via a laborious detailed specification of all of the
properties needed:
signalval: TYPE
t,f,x: signalval
s: VAR signalval
unique: AXIOM t ~- f and t ~= x and f ~m x
exhaust: AXIOM s m t or s - f or s = x
Definitional Axioms
There is a need for another kind of "axiom" in EH_. In order to facilitate
the proof process it is often necessary to rewrite LAMBDAdefinitions as
axioms. Instead of
F: function[int -> int] - (LAMBDA x -> int: x'x) _
one writes:
F: function[int -> int]
Fax: AXIOM F(x) - x*x
m
50
Thus, the theorem prover only expands the definition of F when specifically
stated as a premise. This is desirable when the definition is complicated and
a proof does not dependupon the particulars of the definition. However, there
is a unhappy side-effect of this procedure. There is now an additional axiom
which appears at the base of the theory. (See section entitled "Status of
Proofs". ) In other words, whenone performs a proof analysis, the big theorems
you have proved are reported to depend upon a set of axioms. This set now
includes all of these "axioms" which are merely definitions of temporary
"names". The big result in no sense depends upon these "names". They were
used as a convenience. If one would rewrite the module using LAMBDA
definitions, then the same big theorems could be proved and the set of axioms
it depended upon would not include these name definitions. Of course, the
theorem prover may take weeks rather than minutes to prove the results.
Perhaps EHDM could be extended with a new construct, say DEFINITION:
F-ax: DEFINITION f(x) w x*x
which must be of a particular restricted form.
In the User's Manual it states " EHDM currently requires a mapping for every
uninterpreted type and every constant of the module being mapped." If one
defines a function name to simplify the statement of a big theorem, one should
not have to have to map this "temporary" function. For example, suppose the
big theorem is:
big_theorem: AXIOM x*x + x = f(x*x+x)g(x)
Suppose that f and g are mapped into some concrete form in a mapping module
and big-theorem is proved there. What if for convenience the above axiom was
written as:
h: function[int -> int]
h ax: AXIOM h(x) = x*x + x
big_theorem: AXIOM h(x) = f(h(x))g(x)
Would it be necessary to specifically "map" h down to the next level? Would
"h ax" have to be proved as a theorem in the mapping module? It is not clear
51
from the User's manual exactly what must be proved when doing hierarchical
mappings.
Also the fact that axioms of one level are proved as theorems in the lower
level leads to a terminology nightmare. It would be nice if a new keyword
could be invented which conveyed this concept.
Improvement to Proof Instantiator
The Proof Instantiator "overlooks" some very obvious substitutions.
Consider the function COUNTLOGIC (from module cnt6 blk) listed below in full:
_IC: function[statevector,word6,word2 -> statevector] =
(LAMBDA sty, loadin, func -> statevector:
make_triple(MULTIPLEX(INCLOGIC(count(stv),
INCCON(node(stv))
loadin,
MPLXCON(node(stv)) ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(stv)) )
I
There is an axiom NEXTNODE0 ax which will be cited as a premise:
NEXTNODE0 ax: AXIOM val2(nd) = 0 IMPLIES
NEXTNODE(nd,func,dbl) =
IF val2(func) = 0 THEN fetchnode
ELSIF val2(func) = 1 THEN loadnode
ELSE inclnode
END
The following lemma is to be proved:
52
claa: LEMMAval2(node(stv)) = 0 and val2(func) = 0 IMPLIES
_IC(stv,loadin,func) =
make triple(MULTIPLEX(INCLOGIC(count(stv),
INCCON(node(stv))
loadin,
MPLXCON(node(stv)) ),
BOOLF(bit2(0,func)),
fetchnode)
I
The following proof statement does the job:
p_claa: PROVE claa FROM NEXTNODE0_ax{nd <- node(sty),
func <- func,
dbl <- double(stv) }
But the Instantiato[ will not find the instantiations! But, starting with the
conclusion it is obvious that NEXTNODE is called:
NEXTNODE(node(stv),func,double(stv)) )
The only premise stated NEXTNODE0 is of the form:
NEXTNODE(nd,func,dbl) = ...
The required matchings are obvious, and would seem to be easily
automated!
53
A_P_IX C
cnt6: MODULE
USING words
THEORY
FULL LISTING OF SPECIFICATIONS INCLUDING PROOFS
(* ---- define abbreviations for 'words' types and functions .....
word6: T_I_E is word[6]
word2: TYPE is word[2]
,)
val2:function[word2 -> int] is val[2]
val6:function[word6 -> int] is val[6]
mw6: function[int -> word6] is mw[6]
(* define TYPE to represent state of machine ,)
states: TYPE
(_ define logic variables ,)
state: VAR states
loadin,w: VARword6
func: VARword2
(* define properties of 6-bit counter
cnt: function[states -> word6]
exec cnt: function[states,word6,word2 -> states]
ready: function[states -> bool]
addl mod64:function[word6 -> word6] _-
( LAMBDAw -> word6:
IF val6(w) = 63 THEN mw6(0)
ELSE mw6(val6(w)+l)
END )
*)
ready_ax: AXIOM ready(state) IMPLIES ready(exec_cnt(state,loadin,func) )
counter ax: AXIOM ready(state) IMPLIES cnt(exec cnt(state,loadin,func))
- IF val2(func) - 0 THEN cnt(state)
ELSIF val2(func) = i THEN loadin
ELSIF val2(func) = 2 TH_
addl mod64(cnt(state))
ELSE
add1 mod64(addl mod64(cnt(state)))
END cnt6
54
i
words: MODULE[N: int]
USING power2_th,divby2_th
EXPORTING word, newword, bit, assign, val, mw, mwm, valm, bool to int
WITH power2_th,divby2_th
ASSUMING
N_pos: FORMULA N>0
THEORY
word: TYPE
k,i,ii,m,v,n,h,jj,y: VAR int
w,wl,w2: VARword
a,b: VAR bool
newword: word
assign: function[int, bool, word -> word]
bit: function[int, word -> bool]
bitassign: AXIOM (i >= 0 and i < N) IMPLIES
bit(i,assign(k,b,w)) =
( IF k = i THEN b ELSE bit(i,w) END )
mw: function[int -> word]
val: function[word -> int]
mwm: function[int,int,int -> word]
mwm def: AXIOM m_n(v,m,n) =
IF m = 0 THEN newword
ELSE
assign(n-m,BMOD2(v),mwm(DIVBY2(v),m-l,n) )
END
mw def: AXIOM mw(ii) = mwm(ii,N,N)
bool to int: function[bool -> int] =
(LAMBDA b -> int: IF b THEN 1 ELSE 0 END )
valm: function[word,int,int -> int]
valm def: AXIOM valm(w,m,n) = IF m = 0 THEN 0
ELSE 2*valm(w,m-l,n) + bool to int(bit(n-m,w))
END
val def: AXIOM val(w) = valm(w,N,N)
(* Big Theorems *)
val mw thm: THEOREM ( ii >= 0 AND ii < power2(N) )
IMPLIES val(mw(ii)) _ ii
val_range_thm: THEOREM val(w) >- 0 and val(w) < power2(N)
55
val bits thm: THEOREMval(wl) -- val(w2) IMPLIES
(FORALLm: m>=0ANDm<NIMPLIESbit(m,wl)-bit(m,w2))
(* Definition Axioms That Should Be in Proof Section *)
zfun: function[int -> bool]
zfun ax: AXIOMzfun(n) = ( (n > 0 AND n <= N AND ii >= 0 AND ii < power2(n) )
IMPLIES valm(mwm(ii,n,n),n,n) _ ii )
vfun: function[int -> bool]
vfun ax: AXIOM vfun(m) _ ( (m<n and m>=0 and n<=N ) IMPLIES
-- (valm(w,m,n) = valm(assign(0,b,w),m,n)) )
qfun: function[int -> bool]
qfun_ax: AXIOM qfun(m) =
( (m+l>0 and ii>=0 and m<n and ii < power2(m) and n<-N) IMPLIES
valm(mwm(ii,m,n) ,m,n) = valm(mwm(ii,m,n-l) ,m,n-l) )
twen: function[int->bool]
twen ax: AXIOM twen(k) - (k>=0 AND k<NAND valm(wl,N,N) _ valm(w2,N,N)
- IMPLIES valm(wl,N-k,N)-valm(w2,N-k,N))
weir: function[int -> bool]
weir ax: AXIOM weir(m) = (
(m<n and k>0 and m>=0 and n<=N) IMPLIES
(valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)) )
valpos:function[int -> bool]
valpos_ax: AXIOM valpos(m) = (m>=O IMPLIES valm(w,m,n) >=0)
build: function[int->bool]
build ax: AXIOMbuild(k) = (k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
-- bit(m,wl)-bit(m,w2)) IMPLIES valm(wl,k,N) = valm(w2,k,N))
copy m bits: function[int,word,word -> word]
copy-m-bits ax: AXIOM copy m bits(m,wl,w2) =
- - T IF m-0 THEN w_-
ELSE assign(N-m,bit(N-m,wl),copy_m_bits(m-l,wl,w2)) END)
gnu: function[int -> bool]
gnu_ax: AXIOM gnu(k) = (k>=0 AND k<mAND k+N-m>=0 IMPLIES
bit(k+N-m, copz m bits(m,wl,w2)) = bit(k+N-m,wl))
rang: function[int -> bool]
rang_ax: AXIOM rang(m) = (m>=0 and m <= N IMPLIES valm(w,m,N)>-0 AND
valm(w,m,N) < power2(m) )
PROOF
(* val mwthmTHEOREM
val mw thm: AXIOM ( ii >- 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) - ii *)
56
inv axiom: LEMMA ( n > 0 AND n <_ N AND ii >_ 0 AND ii < power2(n) )
IMPLIES valm(mwm(ii,n,n),n,n) = ii
(*zfun: function[ int -> bool]
zfun ax: AXIOM zfun(n) = ( (n > 0 AND n <- N AND ii >= 0 AND ii < power2(n) )
IMPLIES valm(mwm(ii,n,n),n,n) = ii ) *)
(*
(*
*)
L0: LE_MMA zfun(0)
LI: LEMMA zfun(1)
Lla: LEMMA ( ii >- 0 AND ii < power2(1) ) IMPLIES MOD2(ii) _ ii
Lla a: LEMMA MOD2(0) = 0
Lla--b: LEMMA MOD2 (1 ) = 1
L2: LEMMA zfun(m) IMPLIES zfun(m+l)
L2a: LEMMA (m>=0 and ii>=0) IMPLIES valm(mwm(ii,m+l,m+li,m+l,m+l) -
2*valm( assign( 0, BMOD2 (ii ),
mwm( DIVBY2 (ii ),m,m+l )),m, m+l )+
bool to int(bit(0,assign(0,BMOD2(ii),
mwm(DIVBY2 (ii ),m, m+l ))))
L2b: LEMMA (m>=0 and m+l<=N and ii>=0) IMPLIES
valm( assign( 0, BMOD2(ii), mwm(DIVBY2(ii),m,m+l) ) ,m,m+l) =
valm(mwm(DIVBY2(ii),m,m+l) ,m,m+l)
vfun: function[int -> bool]
vfun ax: AXIOM vfun(m) = ( (m<n and m>=0 and n<=N ) IMPLIES
-- (valm(w,m,n) --valm(assign(0,b,w),m,n)) ) *)
b20: LEMMA vfun(0)
b21: LEMMA vfun(1)
b2m: LEMMA(vfun(m) IMPLIES vfun(m+l))
b2h: LEMMA (h>--0) IMPLIES vfun(h)
L2c: LEMMA (m+l>0 and m+l<=N and ii>=0) IMPLIES
valm(mwm( ii ,m+l ,m+l ),m+l ,m+l ) --
2*valm( mwm(DIVBY2( ii ),m,m+l) ,m,m+l) + MOD2( ii )
L2d: LEMMA (m+l>0 and ii>=0 and ii < power2(m+l) and m+l<-N) IMPLIES
valm(mwm(DIVBY2(ii),m,m+l) ,m,m+l) -
valm(mwm(DIVBY2(ii),m,m) ,m,m)
qfun: function[int -> bool]
qfun_ax: AXIOM qfun(m) =
( (m+l>0 and ii>_0 and m<n and ii < power2(m) and n<-N) IMPLIES
valm(mwm(ii,m,n) ,m,n) _ valm(mwm(ii,m,n-l) ,m,n-l) )
d20: LEMMA qfun(0)
d20 a: LEMMA valm(mwm(ii,0,n),0,n) = valm(mwm(ii,0,n-l),0,n-l)
57
(*
d2m: LEMMA(qfun(m) IMPLIES qfun(m+l))
weir: function[ int -> bool ]
weir ax: AXIOM weir(m) = (
(m<n and k>0 and m>=0 and n<=N) IMPLIES
(valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)) ) *)
d2m i: LEMMA weir(0)
d2m-2: LEMMA weir(m) IMPLIES weir(m+l)
d2m-3: LEMMA h>=0 IMPLIES weir(h)
d2m 4: LEMMA (m<nAND m>=0 AND n<=N) IMPLIES
- (valm(w,m,n) = valm(assign(n-m-l,b,w),m,n))
d2m 5: LEMMA n - m - 1 > 0 IMPLIES n - m - 2 >= 0
d2h: LEMMA (h>=0) IMPLIES qfun(h)
L2e: LEMMA (m+l>0 and ii>=0 and m+l<=N and ii < power2(m+l))
IMPLIES valm(mwm(ii,m+l,m+l),m+l,m+l) =
2*valm(mwm(DIVBY2(ii),m,m) ,m,m) +
MOD2(ii)
L2h: LEF_'_ (ii>-0 AND m+l > 0 AND ii < power2(m+l)) IMPLIES
(DIVBY2(ii) < power2(m))
L2i: LEMMA (m>0 AND zfun(m)) IMPLIES zfun(m+l)
L3: LEMMA (m>-0) IMPLIES zfun(m)
(* PROVE Statements for Val mw thm
p_val mw thm: PROVE val mw thm FROM inv axiom{n <- N},
val def{w <- mwm(ii,N,N)},
mw _ef,
N_pos
piny: PROVE inv_axiom FROM L3{m <- n},
zfun ax,
val _ef{w <- mwm(ii,n,n)],
mw_ef
p_L0: PROVE L0 FROM zfun_ax{n <- 0}
p_Ll: PROVE L1 FROM zfun ax{n <- I},
valm-def{m <- i, n <- I, w <- mwm(ii@Pl,l,l) },
valm-def{m <- 0, n <- i, w <- mwm(ii@Pl,l,l) },
mwm_ef{v <- ii@pl, m <- I, n <- i},
bitassign{i <- 0,k <- 0,
b <- BMOD2(ii@PI),
w <- mwm(DIVBY2(ii@Pl),0,1)},
MOD2 ax{i <- ii@Pl},
N_pos, Lla{ii <- ii@Pl}
*)
58
p_Lla: PROVE Lla FROM Lla a,Lla b,
MOD_ ax{i-<- 0},
power2 ax{i<-l},power2_ax{i<-0},
Y_l{y<Uii}
p_Llaa: PROVE Lla a FROM BMOD2 ax {i <- 0},
-- MOD2 ax{i <- 0},
DIV3x{i <- 0}
p_Llab: PROVE Lla b FROM BMOD2 ax {i <- l},MOD2_ax{i<-l],
- DIV_ax{i <- i}
p_L2: PROVE L2 FROM zfun_ax{n<-m},zfun_ax{n <- m+l},Li,L2i,zfun_ax{n<-l}
p_L2a: PROVE L2a FROM valm def{w <- mwm(ii,m+l,m+l), m <- m+l, n <- m+l},
mwm_ef{v <- ii, m <- m+l, n <- m+l],
bitassign{i <- 0, k <- 0, b <- BMOD2(ii),
w <- mwm(DIVBY2(ii),0,1)],
N_pos
p_L2b: PROVE L2b FROM b2h{h <- m},
vfun_ax{m <- m, n <- m+l, b <- BMOD2(ii),
w <- mwm(DIVBY2(ii),m,m+l) }
p b20: PROVE b20 FROM
vfun ax {m <- 0},
valm-def{m <- 0},
valm_def{m <- 0,w <- assign(0,b@pl,w)]
p_b21: PROVE b21 FROM
vfun ax {m <- i},
valm-def{m <- i},
valm-def{m <- l,w <- assign(0,b@pl,w)},
valm-def[m <- 0},
valm-def{m <- 0,w <- assign(0,b@pl,w)],
bitassign{i <- (n@pl-l),k <- 0}
p_b2m: PROVE b2m FROM
vfun ax,
vfun--ax{m <- m+l},
valm-def{m <- m+l},
valm-def{m <- m+l, w <- assign(0,b@pl,w)},
bitassign{i <- n@pl-m-l, k<- 0}
p_b2h: PROVE b2h FROM b20,
b2m{m<-dl@p3},
int_induction{p <- vfun,
d2 <- h@C}
p_L2c: PROVE L2c FROM L2a,L2b,
bitassign{i <- 0, k <- 0,b <- BMOD2(ii),
w <- mwm(DIVBY2(ii),m,m+l)},
MOD2_ax{i <- ii},
N_pos
59
p_.L2d: PROVE L2d FROM d2h{h <- m},
qfun ax{ii <- DIVBY2(ii@C),n<-m+l},
L2h(_i<-ii@C},DIVBY2g0{ii<-ii@C}
p d20_a: PROVE d20 a FROM valm def{w<- mwm(ii,0,n),m<-0),
- valm_def{w<- mwm(ii,0,n-l),m<-0,n<-n-l]
p d20: PROVE d20 FROM power2_ax{i<-0},
qfun_ax [m <- 0},
d20 a
PRoved2m_5
p_d2m: PIK_VEd2m FROM
qfun_ax,
qfun ax{m <- m+l},
valm-def{w<-mwm(ii@Pl,m+l,n@Pl),m <- m+l],
valm-def{w<-mwm(ii@pl,m+l,n@Pl-l),m <- m+l,n<-n@Pl-l},
mwm_ef{v<-ii@Pl,m<-m+l},
mwm-def{v<-ii@Pl,m<-m+l,n<-n@Pl-l},
L2hTii<-ii@Pl),DIVBY2g0{ii<-ii@Pl},
d2m 4{w<-mwm(DIVBY2(ii@Pl),m,n),b<-BMOD2(ii@Pl)},
qfun ax{ii<-DIVBY2(ii@Pl)},
d2m__{w<-mwm(DIVBY2(ii@Pl),m,n),b<-BMOD2(ii@Pl),
n<-n@Pl-l},
bitassign{i<-n@Pl-m-l,k<-n@Pl-m-l,b<- BMOD2(ii@PI),
w<- mwm(DIVBY2(ii@Pl),m,n@Pl)},
bitassign{i<-n@Pl-m-2,k<-n@Pl-m-2,b<- BMOD2(ii@PI),
w<- mwm(DIVBY2(ii@Pl),m,n@Pl-l) },
d2m 5
p d2m i: PROVE d2m 1 FROM weir ax{m<-0J,valm def{m<-0),
- valm_-def{w<-assign(n-m-k@Pl,b@Pl,w),m<-0}
p_d2m_2: PROVE d2m 2 FROM weir ax,
- valm_def(w<-assign(n-m-l-k@Pl,b@Pl,w),
m<-m+l],
weir ax{m<-m+l,k<-k@Pl,b<-b@Pl},
valm-def{m<-m+l},
weir ax{k<-k@Pl+l,b<-b@Pl],
bitassign{i<-n@Pl-m-l,
k<-n@Pl-m-l-k@Pl,b<-b@Pl}
p_d2m_3:PROVE d2m 3 FROM d2m i,
- d2m_-2{m<-dl@p3),
int_induction{p <- weir,
d2 <- h@C}
p_d2m_4: PROVE d2m4 FROM d2m_3{h<-m},weir_ax{m<-m@C,k<-l}
6O
p_d2h: PROVE d2h FROM d20,
d2m{m<-dl@p3},
int_induction{p <- qfun,
d2 <- h@C}
p_L2e: PROVE L2e FROM L2c,L2d
p_L2h: PROVE L2h FROM power2 ax{i <- m+l},
DIVBY2_2
p_L2i: PROVE L2i FROM zfun ax {n <- m + i, ii <- power2(m@CS + i)},
L2e Tii <- ii@Pl},
zfun ax {n <- m, ii <- DIVBY2(ii@PI)},
DIV MOD thm,
DIVBY2g_ [ii <- ii@Pl},
L2h {ii <- ii@Pl}
p_L3: PROVE L3 FROM L0,
L2{m<-dl@p3},
int_induction{p <- zfun,
d2 <- m@C),
zfun_ax{n <- m+l},
zfun_ax{n <- m}
(*
(*
(* val bits thmTHEOREM
val bits thm: THEOREM val(wl) = val(w2) IMPLIES
(FORALL m: m>=0 AND m<N IMPLIES bit(m,wl)Ibit(m,w2))
Subwords: THEOREM val(wl) = val(w2) IMPLIES
(FORALL m: 0<mAND m<=N IMPLIES valm(wl,m,N) = valm(w2,m,N))
twen: function[int->bool]
twen ax: AXIOM twen(k) = (k>=0 AND k<N AND valm(wl,N,N) = valm(w2,N,N)
IMPLIES valm(wl,N-k,N)-valm(w2,N-k,N))
twO: LEMMA twen(0)
twk: LEMMA twen(k) IMPLIES twen(k+l)
twh: LEMMA h>=0 IMPLIES twen(h)
TI: LEMMA m>0 AND valm(wl,m,N) = valm(w2,m,N) IMPLIES
valm(wl,m-l,N) = valm(w2,m-l,N)
Tlcorol: LEMMA m>0 AND valm(wl,m,N) = valm(w2,m,N) IMPLIES
bool to int(bit(N-m,wl))=bool to int(bit(N-m,w2))
Vl: LEMMAm>0 IMPLIES DIVBY2(valm(w,m,N))= valm(w,m-l,N)
valpos:function[int -> bool]
valpos_ax: AXIOM valpos(m) = (m>_0 IMPLIES valm(w,m,n) >-0)
val0: LEMMAvalpos(0)
valm step: LEMMA valpos(m) IMPLIES valpos(m+l)
valh: LEMMA h>_0 IMPLIES valpos(h)
,)
,)
,)
61
valpos_result: LEMMAm>=0IMPLIES valm(w,m,n)>=0
(, Proof of val_bits_thm Theorem
p_val bits thm: PROVE val bits thm FROM Subwords{m<-N-m@C},
.... Tlcorol{m<-N-m@C}
p_Subwords: PROVE Subwords FROM twh{h<-N-m@C},twen ax(k<-N-m@C},
val_def{w<-wl],val__ef{w<-w2}
p_val0: PROVE val0 FROM valm_def{m<-0},valpos_ax{m<-0}
p_valm: PROVE valm_step FROM valm def{m<-m@C+l},
val0,valpos_ax{m<-m@C},valpos_ax{m<-m@C+l]
p_valh: PROVE valh FROM val0,valm step{m<-dl@P3},
int_induct1_on{p<-valpos,d2<-h@C}
p_valpos: PROVE valpos_result FROM valh{h<-m@C},valpos_ax{m<-m@C}
p_v1:PROVE VI FROM valm def{w<-w@C,m<-m@C,n<-N},
valpos__result{m <- m-l, n<-N},
valm def{w<-w@C,m<-0,n<-N},
DIV__oub{ii <- valm(w,m-l,N)}
p Tl: PROVE T1 FROM Vl{w<-wl@C},Vl{w<-w2@C}
p_Tlcorol: PROVE Tlcorol FROM Tl,valm def{w<-wl,n<-N},
valm_de_{w<-w2,n<-N}
p_tw0: PROVE two FROM twen_ax{k<-0}
p twk: PROVE twk FROM tw0,twen_ax,twenax{k<-k+l},Tl{m<-N-k}
p_twh: PROVE twh FROM two,twk{k<-dl@P3},int_induction{p<-twen,d2<-h@C}
.)
(*
(* Bits enuf THEOREM *)
Bits enuf: THEOREM (FORALL m: m>=0 AND m<N IMPLIES bit(m,wl)=bit(m,w2))
IMPLIES val(wl)=val(w2)
Build: LEMMA k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
bit(m,wl)-bit(m,w2)) IMPLIES valm(wl,k,N) = valm(w2,k,N)
build: function[int->bool]
build ax: AXIOM build(k) = (k>=0 AND (FORALL m: m>-N-k AND m<N IMPLIES
- bit(m,wl)-bit(m,w2)) IMPLIES valm(wl,k,N) = valm(w2,k,N)) *)
bld0: LEMMA build(0)
bldk: LEMMA build(k) IMPLIES build(k+l)
62
bldh: LEMMAh>=0 IMPLIESbuild(h)
(* Proof of Bits enuf Theorem ,)
p_BitS: PROVE Bits_enuf{m<-m@Pl] FROM Build{k<-N},val_def{w<-wl},
valdef{w<-w2},N_pos
p_Build: PROVE Build{m<-m@P2} FROM bldh{h<-k@C],build_ax{k<-k@C}
p_bld0: PROVE bld0 FROM build ax[k<-0},valm def{w<-wl@Pl,m<-0,n<-N},
valm__ef{w<-w2@Pl,m[-0,n<-N}
p_bldk : PROVE bldk FROM bld0,build ax,build ax{k<-k@P2+l,m<-m@P2},
valm def{w_-wl@P2,m_-k@P2+l,n<-N},
valm-def{w<-w2@P2,m<-k@P2+l,n<-N},
buil__ax{k<-k@P2+l,m<-N-k@P2-1}
pbldh: PROVE bldh FROM bld0,bldk{k<-dl@P3},
intinduction{p<-build,d2<-h@C}
(* Copy_wordthm THEOREM
(* copy_mbits: function[int,word,word -> word]
copy_m_bits_ax: AXIOM copy m bits(m,wl,w2) =
( IF m=0 THEN w2
ELSE assign(N-m,bit(N-m,wl),copy_m_bits(m-l,wl,w2)) END)
.)
,)
(*
copy: function[word -> word] =
(LAMBDA wl -> word: cop_ m bits(N,wl,newword) )
Copy wordthm: THEOREM k>=0 AND k<N IMPLIES
bit(k,copy(wl)) = bit(k,wl)
gnu: function[int -> bool]
gnu_ax: AXIOM gnu(k) = (k>=0 AND k<mAND k+N-m>=0 IMPLIES
bit(k+N-m, copy m bits(m,wl,w2)) = bit(k+N-m,wl))
gnu0: LEMMA gnu(0)
gnuk: L£MMA gnu(k) IMPLIES gnu(k+l)
gnuh: LEMMA h>=0 IMPLIES gnu(h)
gnu_lemma: LEMMA k>=0 AND k<mAND k+N-m>=0 IMPLIES
bit(k+N-m,copy_m_bits(m,wl,w2)) = bit(k+N-m,wl)
,)
(* Proof of Copy__wordthm
p_gnu_le_ma: PROVE gnu_lemma FROM gnuh{h<-k@C},gnu_ax
,)
63
p_Copy_wordthm: PROVE Copy_word_thin FROM gnu_lenm_a{m<-N, w2 <- newword)
p gnuO: PROVE gnu0 FROM gnu ax{k<-0},copy m bits_ax,
bitassign{i<-N-m@Pl,
k<-N-m@Pl,b<-bit(N-m@Pl,wl@Pl),
w<-copym bits(m@Pl-l,wl@Pl,w2@Pl)}
p_gnuk: PROVE gnuk FROM gnu0,gnuax,gnu ax[k<-k+l},gnu ax{m<-m@P2-1},
copy m blts ax,-
bitass1_gn{i<--k+l+N-m@P2,k<-N-m@P2,
b<-bit(N-m@P2,wl@P2),
w<-copym bits(m@P2-l,wl@P2,w2@P2)}
p_gnuh: PROVE gnuh FROM gnu0,gnuk{k<-dl@P3},
intinduction{p<-gnu,d2<-h@C}
(*
(* valrange_thm THEOREM
valrange_thm: THEOREM val(w) >= 0 and val(w) < power2(N)
rang: function[int -> bool]
rang_ax: AXIOM rang(m) = (m>E0 and m <z N IMPLIES valm(w,m,N)>-0 AND
valm(w,m,N) < power2(m) )
rang0: LEMMA rang(0)
irana: LEMMAm>=0 AND valm(w,m,N) < power2(m) IMPLIES
2*valm(w,m,N) + bool to int(bit(N-m-l,w))
iranb: LEMMA m>=0 and valm(w,m,N) >=0 IMPLIES
2*valm(w,m,N) + bool to int(bit(N-m-l,w))>=0
rangm: LEMMA rang(m) IMPLIES rang(m+l)
rangh: LEMMA h>-0 IMPLIES rang(h)
valm_range: THEOREM m>=0 and m<=N IMPLIES valm(w,m,N)>-0 AND
valm(w,m,N) < power2(m)
,)
,)
< 2*power2(m)
(* Proof of Val range_thm
p_val_range: PROVE valrange_thm FROM valm range{m<-N},
val__ef,N_pos
,)
p_rang0: PROVE rang0 FROM rang_ax{m<-0},valm_def{w<-w@Pl,m<-0,n<-N],
N_pos, power2_ax{i<-0)
p__irana: PROVE irana FROM N_pos
p_Iranb: PROVE iranb
64
p_rangm: PROVErangm FROMrang0,rang ax,rang ax{m<-m+l},
valm def{w_-w@P2,m_-m@C+l,n<-N},
poweY2_ax{i<-m@C+l},irana,lranb
p_rangh: PROVE rangh FROM rang0,rangm{m<-dl@P3},
int_induction{p<-rang,d2<-h@C]
p_valm__range: PROVE valm_range FROM rangh{h<-m@C},rang_ax
END words
power2_th: MODULE
USING int inductions
EXPORTING powe r2
THEORY
x: VAR bool
y,m,i,ii,h: VAR int
power2: function[int -> int]
power2_ax: AXIOM power2(i) = IF i=0 THEN 1 ELSE 2*power2(i-l)
pow_eg: THEOREM (y>=0) IMPLIES (power2(y) >= 0)
pow_gr: THEOREM (y>=0) IMPLIES (power2(y+l) >= power2(y))
xpow: function[int -> bool]
xpow_ax: AXIOM xpow(m) = (power2(m) >= 0)
xp0: LEMMAxpow(0)
xpm: LEMMA (xpow(m) IMPLIES xpow(m+l))
xph: LEMMA (FORALL h: (h>=0 IMPLIES xpow(h)))
G 0: THEOREM y>=0 IMPLIES 2*y >= 0
G I: THEOREM y>=0 IMPLIES 2*y+l >= 0
PROOF
p_pow_eg: PROVE pow_eg FROM xpow ax{m<-y},
xph{5<-y}
p_pow_gr : PROVE pow_gr FROM
G 0, pow eg, power2_ax{i <- y+l}
p_xp0: PROVE xp0 FROM-power2--ax{i<- 01,xpow_ax{m<-0}
p_xpm: PROVE xpm FROM
xpow_ax,
xpow ax{m<-m+l },
power 2_ax {i<-m+l },
G_0{y <- power2(m)}
65
p xph: PROVE xph FROM xp0,
xpm{m<-dl@p3},
int__induction{p <- xpow,
d2<- h@C}
p_G0: PROVE G._O
p G1: PROVE G1
END powe r2_th
divby2_th: MODULE
USING int_inductions,power2_th,ineq_cases
EXPORTING DIVBY2,MOD2,BMOD2
THEORY
b: VAR bool
y,m,i,ii,h: VAR int
DIVBY2: function[int -> int]
DIV ax: AXIOM DIVBY2(i) = IF i >= 2 THEN 1 + DIVBY2(i-2)
-- ELSE IF i <- -2 THEN -DIVBY2(-i)
ELSE 0 END END
BMOD2: function [int -> bool]
BMOD2 ax: AXIOM BMOD2(i) = (2*DIVBY2(i) ~= i)
MOD2: function [int -> int]
MOD2 ax: AXIOM MOD2(i) = IF BMOD2(i) THEN 1 ELSE 0 END
B0: LEMMA BMOD2(0) = false
BI: LEMMA BMOD2(1) = true
Balt: THEOREM h>z0 IMPLIES BMOD2(h) = NOT BMOD2(h+I)
alt: function[int -> bool]
alt ax: AXIOM alt(ii) = (ii >= 0 IMPLIES BMOD2(ii) = NOT BMOD2(ii+I))
altO: LEMMA alt(0)
altl: LEMMA alt(1)
altm: LEMMA alt(m) IMPLIES alt(m+2)
alth: LEMMA h>=0 IMPLIES alt(h)
Even: LEMMA ii>=0 IMPLIES NOT BMOD2(2*ii)
Even MOD: LEMMA ii>z0 IMPLIES MOD2(2*ii) = 0
kill: function[int -> bool]
kill ax: AXIOM kill(ii) =( ii>=0 IMPLIES NOT BMOD2(2*ii))
killU: LEMMA kill(0)
66
killm: LEMMAkill(m) IMPLIESkill(m+l)
killh: LEMMAh>-0 IMPLIES kill(h)
Odd MOD: LEMMA ii>=0 IMPLIES MOD2(2*ii+l) = 1
DIVBY2x2: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii) <= ii
ifun: function[int -> bool]
ifun ax: AXIOM ifun(ii) = (ii>=0 IMPLIES 2*DIVBY2(ii) <= ii)
if0:--LEMMA ifun(0)
ifl: LEMMA ifun(1)
ifm: LEMMA ifun(m) IMPLIES ifun(m+2)
ifh: LEMMA (h>= 0 ) IMPLIES ifun(h)
DIVBY2x2pI: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii)+I >z ii
tfun: function[int -> bool]
tfun ax: AXIOM tfun(ii) = (ii>-0 IMPLIES 2*DIVBY2(ii)+I >- ii)
tf0: LEMMA tfun(0)
tfl: LEMMA tfun(1)
tfm: LEMMA tfun(m) IMPLIES tfun(m+2)
tfh: LEMMA (h>= 0 ) IMPLIES tfun(h)
DIV MOD thm: LEMMA ii>_0 IMPLIES 2*DIVBY2(ii) + MOD2(ii) = ii
Pre2f: LEMMA ii>=0 IMPLIES (2*DIVBY2(ii) = ii OR 2*DIVBY2(ii) + 1 = ii)
DIVBY2g0: LEMMA (ii >= 0) IMPLIES (DIVBY2(ii) >= 0)
DIV doub: LFk4MA (ii >= 0 IMPLIES DIVBY2(2*ii) = ii) AND
-- (ii >= 0 IMPLIES DIVBY2(2*ii+I) = ii)
MOD0 0: LEMMA MOD2(0) = 0
MODI--I: LEMMA MOD2(1) = 1
PROOF
p_MOD0 0: PROVE MOD0 0 FROM BMOD2 ax {i <- 0},
-- -- MOD2 ax{i <- 0},
DIV_--ax{i <- 0}
p_MODI_I: PROVE MODI 1 FROM BMOD2 ax {i <- l},MOD2_ax{i<-l},
- DivSx{i <- i]
p_B0: PROVE B0 FROM BMOD2_ax{i <- 0}, DIV_ax{i<- 0}
p_Bl: PROVE B1 FROM BMOD2_ax{i <- I}, DIV_ax{i<- i}
p_Balt: PROVE Balt FROM alth{h<-h@C},alt_ax{ii<-h@C}
67
palt0: PROVEalt0 FROMalt_ax{ii<-0},B0,Bl
paltl: PROVEaltl FROMalt ax{ii<-l},B0,Bl,
BMOD2-ax{i<-2],BMOD2ax{i<-l},DIV_ax{i<-l},
DIV_ax{i<-2},DIVax{T<-0)
paltm: PROVEaltm FROMalt ax{ii<-m@C},alt ax{ii<-m@C+2},BMOD2ax{i<-m},
alt0,altl,BMOD2 ax{i<:m+l},BMOD2 ax{i<-m+_},
BMOD2ax{i<-m+3T,DIV_ax{i<-m+2],DIVax{i<-m+3}
palth: PROVEalth FROMalt0,altl,altm{m<-dl@P4),
intinduct_by2{p<-alt,d2<-h@C}
p_Even: PROVE ven FROMkillh{h<-ii@C},kill_ax{ii<-ii@C}
p_Even_MOD:PROVEven_MODFROMEven{ii<-ii@C},MOD2__ax{i<-2*(ii@C)}
p Odd_.oD:
pDIVBY2x2:
pif0:
pifl:
pifm:
pifh:
PROVE Odd MOD FROM MOD2 ax{i<-2*ii@C+l},Balt{h<-2*ii@C},
- EvenTii<-ii@C]
PROVE DIVBY2x2 FROM ifh{h<-ii},ifun ax
PROVE if0 FROM ifun ax{ii<-0}, DIVax{i<-0}
PROVE ifl FROM ifun-ax{ii<-l}, DIV--ax{i<-l}
PROVE ifm FROM ifun-ax{ii<-m}, ifu_ax{ii<- (m+2)},
DIV ax{i<- (m+2)T
PROVE i_h FROM if0,ifl,ifm{m<-dl@P4},
int_induct_by2{p<-ifun,d2<-h@C}
pDIVBY2x2pI:
ptf0:
ptfl:
ptfm:
ptfh:
PROVE DIVBY2x2pl FROM tfh{h<-ii},tfun ax
PROVE tf0 FROM tfun ax{ii<-0}, DIV ax{i_-0}
PROVE tfl FROM tfun-ax{ii<-l}, DIV--ax{i<-l}
PROVE tfm FROM tfun--_ax{ii<-m}, tfun ax{ii<- (m+2)},
DIV ax{i<- (m+2)}
PROVE tfh FROM tf0,tfl,tfm{m<-dl@P4},
intinduct_by2{p<-tfun,d2<-h@C}
p DIVBY2g0: PROVE DIVBY2g0 FROM DIVBY2x2pl
p_doub: PROVE DIV doub FROM Even MOD{ii<-ii@C}, Odd MOD{ii<-ii@C},
- G G 1{y<-ii C},
DI--V_MOD_thm[ii<U2*ii@C},DIV_MOD_thm{ii<-2*ii@C+l}
p_DIV_MOD thm: PROVE DIV MOD thm FROM Pre2f,MOD2_ax{i<-ii},
- BMOD2--ax{i<-ii}
p_p[e2f: PROVE Pre2f FROM DIVBY2x2,DIVBY2x2pl,
Y I{y<-2*DIVBY2(ii) - ii +I}
END divby2_th
68
cnt6 fa: MODULE
(*
This module provides a more detailed view of the 6-bit counter function
*counter* defined in the module cnt6. These module defines the counter
as a finite state automata with the following states:
fetchnode inclnode inc2node loadnode
The state transitions are performed by the function NEXT.
MAPPING cnt60NTOwords, triples[word[6],bool,word[2]],bsignal
THEORY
(* create some abbreviations *)
word2: TYPE is word[2]
word6: TYPE is word[6]
mw2: function[int -> word2] is mw[2]
mw6: function[int -> word6] is mw[6]
val2:function[word2 -> int] is val[2]
val6:function[word6 -> int] is val[6]
bit2: function[int, word2 -> signalval] is bit[2]
statevector: TYPE is triple
count: function[statevector -> word6] is first
double: function[statevector -> bool] is second
node: function[statevector -> word2] is third
BOOLF: function[signalval -> bool] is signal to bool
(* define logic constants .)
fetchnode: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
undef svt: statevector
(*
svt: VAR statevector
ct, idn, w: VAR word6
fn: VAR word2
dbl,b: VAR bool
define logic variables ,)
(* define functions ,)
69
ADD1 : function[word6 -> word6] ==
(I2tMBDA w -> word6 :
IF val6(w) = 63 THEN mw6(0)
DD)
INCI:
INCI ax:
ELSE mw6(val6(w)+l)
function[word6,bool,word6,word2 -> statevector ]
AXIOM INCl(ct, dbl, idn, fn) =
IF dbl THEN
make_triple (ADD1 (ct) ,BOOLF(bit2 (0, fn) ),inc2node)
ELSE
make_t riple (ADD1 (ct ),BOOLF (bi t2 (0, fn )),fet chnode )
END
INC2:function[word6,bool,word6,word2 -> statevector]
INC2 ax: AXIOM INC2(ct, dbl, idn, fn) =
make_triple(ADDl(ct),BOOLF(bit2(O,fn)),fetchnode)
LOAD: function[word6,bool,word6,word2 -> statevector]
LOAD ax: AXIOM L(l%D(ct, dbl, idn, fn) =
make_triple(idn,BOOLF(bit2(0,fn)),fetchnode)
FETCH: function[word6,bool,word6,word2 -> statevector]
FETCH ax: AXIOM FETCH(ct, dbl, idn, fn)_
IF val2(fn) - 0 THEN
make triple(ct,BOOLF(bit2(0,fn)),fetchnode)
ELSIF val2(fn) = 1 THEN
make_triple(ct,BOOLF(bit2(0,fn)),loadnode)
ELSE
make_triple(ct,BOOLF(bit2(0,fn)),inclnode)
END
NEXT:
(*
function[statevector,word6,word2 -> statevector]
NEXT ax: AXIOM NEXT(svt,ldn, fn) =
IF val2(node(svt)) m 0 THEN
FETCH(count(svt),double(svt),idn,fn)
ELSIF val2(node(svt)) = 1 THEN
INCl(count(svt),double(svt),idn,fn)
ELSIF val2(node(svt)) = 2 THEN
INC2(count(svt),double(svt),idn,fn)
ELSIF val2(node(svt)) = 3 THEN
LOAD(count(svt),double(svt),Idn,fn)
ELSE
tmdef svt
END
,)
NEXT0 ax:
NEXT1 ax:
AXIOM val2(node(svt)) = 0 IMPLIES
NEXT(svt,ldn,fn) = FETCH(count(svt),double(svt),idn,fn)
AXIOM val2(node(svt)) = 1 IMPLIES
NEX(svt,ldn, fn) = INCl(count(svt),double(svt),idn,fn)
7O
NEXT2 ax: AXIOM val2(node(svt)) = 2 IMPLIES
NEXT( svt, idn, fn) = INC2 (count (svt ),double( svt ),idn, fn)
NEXT3 ax: AXIOM val2(node(svt)) = 3 IMPLIES
NEXT (svt, idn, fn ) = LOAD( count (svt ),double (svt ),idn, fn )
Finite automata: function[statevector,word6,word2 -> statevector]
(LAMBDA svt, idn, fn -> statevector:
IF val2(fn) = 0 THEN
NEXT(svt,ldn,fn)
ELSIF val2(fn) = 3 THEN
NEXT(NEXT( NEX (svt,ldn,fn), idn,fn ),
idn,fn )
ELSE
NEXT(NEXT(svt,ldn,fn), idn,fn )
END )
(* Mapping to Top Level Spec in Module cnt6 ,)
cnt6.states: TYPE FROM statevector
cnt6.cnt: function[statevector -> word6] is count
cnt6.exec cnt: function[statevector,word6,word2 -> statevector]
is Finite automata
cnt6.ready: function[statevector -> bool] =
(LAMBDA svt -> bool: node(svt) ='fetchnode )
(* LEMMAs
st,state: VAR states
loadin,ld: VARword6
func: VARword2
y,m: VAR int
................. * )
(* LEMMAs needed to prove counter ax ..... • *)
gl: LEMMA power2(2) = 4
g2: LEMMA val2(fn) = 0 or val2(fn) = 1 or
val2(fn) = 2 or val2(fn) = 3
g2a: THEOREM (y >= 0 AND y < m) IMPLIES ((y >= 0 AND y < m-l) OR (y_m-l))
g3: LEMMA bit2(0,fn) = BMOD2(val2(fn))
stbl: LEMMA ready(st) IMPLIES val2(node(st)) _ 0
cnt 0: LEMMA ready(state) and val2(func) = 0
IMPLIES cnt(exec cnt(state,loadin,func)) - cnt(state)
AND readyiexec_cnt(state,loadin, func))
71
cnt i: ready(state) and val2(func) - 1
IMPLIES cnt(exec cnt(state,loadin, func)) - loadin
AND ready(exec cnt(state,loadin,func))
cnt 2: L_@IA ready(state) and val2(func) = 2
IMPLIES cnt(exec cnt(s£ate,loadin,func)) =
addl mod_4(cnt(state))
AND ready[execcnt(state,loadin,func))
cnt 3: la2@_A ready(state) and val2(func) - 3
IMPLIES cnt(exec cnt(state,loadln,func)) =
addl mod_4(addl mod64(cnt(state)))
AND ready_execcnt(s_ate,loadin,func))
(* LEPRAs needed to prove cnt 1 *)
cla: ready(st) and val2(fn) = 1
IMPLIES exec cnt(st,ld,fn) =
NEXT(FE_(cnt(st),double(st),Id,fn), id,fn )
clb: LHqMA val2(fn) - 1 IMPLIES
NEXT(FETCH(cnt(st),double(st),id,fn), id,fn ) -
LOAD(cnt(st), BOOLF(bit2(0,fn)), id,fn)
(* LEMMAs needed to prove cnt 2 *)
c2a:
c2b:
c2c:
c2d:
c2e:
c2f:
(*
LEMMA ready(st) and val2(fn) - 2 IMPLIES
exec cnt(st,ld,fn) =
NEXT(FETCH(cnt(st),double(st),id,fn), id, fn)
L_MMA ready(st) and val2(fn) = 2 IMPLIES
NEXT(FETCH(cnt(st),double(st),id,fn), id,fn) =
NEXT(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), Id,fn)
LEMMA ready(st) and val2(fn) = 2 IMPLIES
NEXT(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), id, fn)
INCl(cnt(make triple(cnt(st),BOOLF(bit2(O,fn)),inclnode) ),
double(make_triple(cnt(st),BOOLF(bit2(O,fn)),inclnode)),
id,fn)
LE_IMA ready(st) and val2(fn) = 2 IMPLIES
INCl(cnt(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode) ),
double(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)),
id,fn) -
INCl(cnt(st),BOOLF(bit2(0,fn)),id, fn)
val2(fn) - 2 IMPLIES NOT BOOLF(bit2(0,fn))
Lm_MA ready(st) and val2(fn) - 2 IMPLIES
INCl(cnt(st),BOOLF(bit2(O,fn)),id,fn) -
make_triple(ADDl(cnt(st)),BOOLF(bit2(O,fn)),fetchnode)
LE/@9_ needed to prove cnt_3 ,)
72
c3a:
c3b:
c3c:
c3d:
c3e:
c3f:
c3g:
c3h:
c3n:
c3p:
LEMMA ready(st) and val2(fn) = 3 IMPLIES
exec cnt(st,ld,fn) =
NEXT(NEXT(NEXT(st,ld,fn),Id,fn),Id,fn)
LEMMA ready(st) and val2(fn) - 3 IMPLIES
NEXT(NEXT(NEXT(st,ld,fn),Id,fn),Id,fn) =
NEXT(NEXT(FETCH(cnt(st),double(st),id,fn),id,fn),id,fn)
LEMMA ready(st) and val2(fn)=3 IMPLIES
NEXT(NEXT(FETCH(cnt(st),double(st),id,fn),id,fn),id, fn) =
NEXT(NEXT(make_triple(cnt(st),
BOOLF(bit2(O,fn)),inclnode),
id,fn),id,fn)
LEMMA ready(st) and val2(fn) = 3 IMPLIES
NEXT(NEXT(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode),
[d,fn),id,fn)=
NEX(INCl(cnt(make_triple(cnt(st),
BOOLF(bit2(0,fn)),inclnode)),
double(make triple(cnt(st),
BOOLF(bit2(U, fn)),
inclnode)),
id,fn),id,fn)
LEMMA ready(st) and val2(fn) = 3 IMPLIES'
NEXT(INCl(cnt(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)),
double(make_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)),
Id,fn),id,fn) =
NEXT(make triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),inc2node),
[d,fn)
LEMMA ready(st) and val2(fn) = 3 IMPLIES
NEXT(make_triple(ADDl(cnt(st)),
BOOLF(bit2(0,fn)),inc2node),id,fn) -
INC2(cnt(make_triple(ADDl(cnt(st)),
BOOLF(bit2(0,fn)),
inc2node)),
double(make_triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),
inc2node)),id,fn)
LEMMA ready(st) and val2(fn) = 3 IMPLIES
INC2(cnt(make triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),inc2node)),
doubYe(make_triple(ADDl(cnt(st)),BOOLF(bit2(0,fn)),
inc2node)),id,fn) =
INC2(ADDl(cnt(st)),BOOLF(bit2(0,fn)),id, fn)
LEMMA ready(st) and val2(fn) = 3 IMPLIES
INC2(ADDl(cnt(st)),BOOLF(bit2(0,fn)),id,fn)=
make_triple(ADDl(ADDl(cnt(st))),BOOLF(bit2(0,fn)),fetchnode)
LEMMA val2(inclnode) = 1
LEMMA val2(fn) _ 3 IMPLIES BOOLF(bit2(0,fn))
73
PROOF
p__assumingl: PROVE words[2].N_pos
p_counter_ax: PROVE counter ax
FROM cnt_0{func <- func@C,loadin <- loadin@C},
cnt l{func <- func@C,loadin <- loadin@C},
cnt 2{func <- func@C,loadin <- loadin@C},
cnt 3{func <- func@C,loadin <- loadin@C},
g2{_n <- func@c},
val_range_thm[2]{w <- func@C}
p_ready_ax: PROVE ready_ax
FROM cnt 0{func <- func@C,loadin <- loadin@C},
cnt l{func <- func@C,loadin <- loadin@C},
cnt 2{func <- func@C,loadin <- loadin@C},
cnt-3{func <- func@C,loadin <- loadin@C},
g2{_n <- func@c},
val_range_thm[2]{w <- func@C}
p_gl: PROVE gl FROM power2_ax{i <- 2},
power2_ax{i <- i},
power2_ax{i <- 0}
p_g2: PROVE g2 FROM gl, val range thm[2]{w <- fn@C},
g2a{y <u val2Tfn),m <- 4},
g2a{y <- val2(fn),m <- 3},
g2a{y <- val2(fn),m <- 2},
g2a{y <- val2(fn),m <- i]
p_g2a: PROVE g2a
p_g3: PROVE g3 FROM val mw thm[2]{ii <- val2(fn)}, gl,
val_range thm[2]{w <- fn},
val bits thm[2]{wl <- fn, m <- 0,
w2 <- mw2(val2(fn))],
mw def[2]{ii <- val2(fn)},
mwm def[2]{v <- val2(fn), m <- 2, n <- 2),
bitassign[2]{i <- 0, k <- 0,b <- BMOD2(val2(fn)),
w <- mwm[2](DIVBY2(val2(fn)),l,2)]
p_stbl: PROVE stbl FROM val mw thm[2]{ii <- 0}, gl
74
(* PROVEcnt 0 *)
p cnt_0: PROVEcnt 0 FROMNEXT0_ax{svt<- state@C,
-- idn <- loadin@C,
fn <- func@C},
FETCHax{ct <- cnt(state@C),
dbl <- double(state@C),
Idn <- loadin@C,
fn <- func@C},
make_triple_ax{x <- cnt(state@C),
y <- BOOLF(bit2(0,func@C)),
z <- fetchnode},
stbl{st <- state@C}
(* PROVEcnt 1 *)
p_cnt_l: PROVEcnt 1 FROMcla{st <- state@C, fn <- func@C,Id <- loadin@C},
- clb{st <- state@C, fn <- func@C,id <- loadin@C},
LOAD_ax{ct<- cnt(state@C),
dbl <- BOOLF(bit2(0,func@C)),
idn <- loadin@C,
fn <- func@C},
make_triple_ax{x <- loadin@C,
y <- BOOLF(bit2(0,func@C)),
z <- fetchnode}
p_cla: PROVEcla FROMNEX0_ax{svt <- st@C,idn <- id@C,
fn <- fn@C},
stbl{st <- st@C}
p_clb: PROVEclb FROMFETCH_ax{ct<- cnt(st@C),
dbl <- double(st@C),
idn <- id@C,
fn <- fn@C},
NEXT3_ax{svt<- make_triple(cnt(st@C),
BOOLF(bit2(0,fn@C)),
loadnode),
idn <- id@C,
fn <- fn@C},
make_triple_ax{x <- cnt(st@C ),
y <- BOOLF(bit2(0,fn@C)),
z <- loadnode},
val mwthm[2]{ii <- 3},
power2_ax[i <- 2},
power2ax{i <- i},
power2_ax{i <- 0}
75
(* PROVEcnt 2 *)
p_cnt_2: PROVEcnt 2 FROMc2a{st<-state@C,fn<-func@C,ld<-loadin@C},
- c2b{st<-state@C,fn<-func@C,ld<-loadin@C},
c2c{st<-state@C,fn<-func@C, Id<-loadin@C},
c2d{st<-state@C,fn<-func@C,ld<-loadin@C},
c2e{fn<-func@C},
c2f{st<-state@C,fn<-func@C,Id<-loadin@C},
make triple ax{x<-ADDl(cnt(state@C)),
y<-BOOLF(bit2(0?func@C_),
z<-fetchnode}
p_c2a: PROVE c2a FROM stbl,
NEXT0 ax{svt <- st,
idn <- id,
fn <- fn}
p_c2b: PROVE c2b FROM FETCH_ax{ct <- cnt(st),
dbl <- double(st),
idn <- Id,
fn <- fn}
p_c2c: PROVE c2c FROM NEXT1 ax{svt <- make triple(cnt(st),
BOOLF(bit2(0,fn)),
inclnode),
idn <- id,
fn <- fn},
val mw thm[2]{ii <- l},gl,
make triple_ax{x <- cnt(st),
y <- BOOLF(bit2(0,fn)),
z <- inclnode}
p_c2d: PROVE c2d FROM make_triple ax{x <- cnt(st ),
y <- BOOLF(bit2(0,fn)),
z <- inclnode)
p_c2e: PROVE c2e FROM g3,
BMOD2 ax{i <- 2},BMOD2 ax{i <- 0},
DIV ax{i <- 2},DIV ax{Y <- 0}
p_c2f: PROVE c2f FROM INCl_ax{ct <- cnt(st@C),
dbl <- BOOLF(bit2(0,fn)),
idn <- id@C,
fn <- fn@C},
c2e
76
PROVE
PROVE
cnt 3 FROM
cnt 3 *)
c3a{st<-state@C,fn<-func@C,ld<-loadin@C},
c3b{st<-state@C, fn<-func@C,ld<-loadin@C},
c3c{st<-state@C,fn<-func@C,ld<-loadin@C},
c3d{st<-state@C,fn<-func@C,ld<-loadin@C},
c3e{st<-state@C,fn<-func@C,ld<-loadin@C},
c3f{st<-state@C,fn<-func@C,ld<-loadin@C},
c3p{fn<-func@C},c3n,
c3g{st<-state@C,fn<-func@C,id<-loadin@C},
c3h[st<-state@C,fn<-func@C,id<-loadin@C},
make triple ax{x<-cnt(state@C),
y<-BOOLF(bit2(0,func@C)),
z<-inclnode},
make_triple_ax{x<-ADDl(cnt(state@C)),
y<-BOOLF(bit2(0,func@C)),
z<-inc2node},
make_triple_ax[x<-ADDl(ADDl(cnt(state@C))),
y<-BOOLF(bit2(0,func@C)),
z<-fetchnode}
p_c3a:
p_c3b:
p_c3c:
p_c3d:
p_c3e:
PROVE c3a
PROVE c3b FROM stbl,NEXT0_ax{svt<-st@C,ldn<-id@C,fn<-fn@C}
PROVE c3c FROM FETCH_ax{ct<-cnt(st@C),dbl<-double(st@C),idn<-id@C,
fn<-fn@C}
PROVE c3d FROM NEXT1 ax{svt<-make triple(cnt(st@C),
BOOLF_bit2(0,fn@C)_,inclnode),idn<-Id@C,fn<- fn@C},
gl, val mw thm[2]{ii<-l},
make_tr[ple_ax{x<-cnt(st@C),
' y<-BOOLF(bit2(0,fn@C)),z<-inclnode}
PROVE c3e FROM INCl_ax{ct<-cnt(make_triple(cnt(st@C),
BOOLF(bit2(0,fn@C)),inclnode)),
dbl<-double(make triple(cnt(st@C),
BOOLF(bit2(0,fn@C)),inclnode)),idn<-id@C,fn<-fn@C],
c3p, make_triple_ax{x <- cnt(st@C),
y <- BOOLF(bit2(0,fn@C)),
z <- inclnode}
p_c3f:
p_c3n:
PROVE c3f
PROVE c3n
FROM NEXT2 ax{svt<-make triple(ADDl(cnt(st@C)),
BOOLF[bit2(0,fn@C)_,inc2node),idn<-id@C,fn<-fn@C},gl,
val mw thm[2]{ii<-2},
make triple ax[x<-ADD!(cnt(st@C)),
y<-BOOLF(bit2(0,fn@C)),z<-inc2node}
FROM power2 ax{i<-l},power2 ax{i<-0},
val mw-thm[2]{ii<-l},gT
77
p_c3g:
pc3h:
p_c3p:
PROVE c3g FROM maketriple_ax{x<-ADDl(cnt(st@C)),
y<-BOOLF(bit2(0,fn)),z<-inc2node}
PROVE c3h FROM INC2 ax{ct<-ADDl(cnt(st@C)),dbl<-BOOLF(bit2(0,fn@C)),
- idn<-id@C,fn<-fn@C}
PROVE c3p FROM g3,
BMOD2 ax{i <- 3},BMOD2 ax{i <- 3},
DIV_ax{i <- 3},DIV_ax{T <- i}
END cnt6 fa
triples: MODULE (firsttype, secondtype, thirdtype: TYPE]
EXPORTING triple, first, second, third, make_triple
THEORY
triple: TYPE
first: function[triple -> firsttype]
second: function[triple -> secondtype]
third: function[triple -> thirdtype]
make_triple: function[firsttype, secondtype, thirdtype -> triple]
x: VAR firsttype
y: VAR secondtype
z: VAR thirdtype
t: VAR triple
make triple ax: AXIOM
x _ first, make triple(x, y, z))
AND y = second(make triple(x, y, z))
AND z = third(make triple(x, y, z))
(* exists triple_ax: AXIOM
(FORALL t : (EXISTS x, y, z : t = make_triple(x, y, z)))
*)
END triples
bsignal: MODULE
EXPORTING signalval, signal to bool
THEORY
b: VAR bool
signalval: TYPE is bool
signal to bool: function[signalval -> bool] = (LAMBDA b -> bool: b)
END bsignal
78
cnt6 blk: MODULE
MAPPI--NG cnt6 fa ONTO words,triples[word[6],bool,word[2]],bsignal
THEORY
(* define abbreviations for 'words'
word2: TYPE is word[2]
word6: TYPE is word[6]
mw2: function[int -> word2] is mw[2]
val2:function[word2 -> int] is val[2]
bit2: function[int, word2 -> signalval] is bit[2]
mw6: function|int -> word6] is mw[6]
val6:function[word6 -> int] is val[6]
bit6: function[int, word6 -> signalval] is bit[6]
BOOLF: function[signalval -> bool] is signal to bool
statevector: TYPE is triple
(* logic constants defined in cnt6_fa
fetchnode: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
define logic variables
stv: VAR statevector
ct,incout,loadin: VAR word6
noinc: VAR bool
nd, func: VAR word2
dbl: VAR bool
mplxsel: VAR bool
(* define functions ,)
INCLOGIC: function[word6,bool -> word6]
INCLOGIC ax: AXIOM INCLOGIC(ct,noinc) =
IF noinc THEN ct
ELSE ADDI(ct)
END
,)
,)
MULTIPLEX: function[word6,word6,bool -> word6]
MULTIPLEX ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) =
IF mplxsel THEN incout
ELSE loadin
END
MPLXCON: function[word2 -> bool] =
(LAMBDA nd -> bool: NOT (val2(nd) = 3) )
79
INCCON:function[word2 -> bool] =
(LAMBDA nd -> bool: (val2(nd) _ 0) )
NEXTNOPE: function[word2,word2,bool -> word2]
(*
NEXTNODE ax: AXIOM NEXTNODE(nd,func,dbl) =
-- IF val2(nd) = 0 THEN
IF val2(func) - 0 THEN fetchnode
ELSIF val2(func) = 1 THEN loadnode
ELSE inclnode
END
ELSIF val2(nd) * 1 THEN
IF dbl _ inc2node
ELSE fetchnode
END
ELSE
fetchnode
END
*)
NEXTNODE0 ax: AXIOM val2(nd) - 0 IMPLIES
- NEXTNODE(nd,func,dbl) =
IF val2(func) = 0 THEN fetchnode
ELSIF val2(func) = 1 THEN loadnode
ELSE inclnode
END
NEXTNODEI ax: AXIOM val2(nd) = 1 IMPLIES
-- NEXTNODE(nd,func,dbl) = IF dbl THEN inc2node
ELSE fetchnode
END
NEXTNODE2a3 ax: AXIOM val2(nd) - 2 or val2(nd) = 3 IMPLIES
- NEXTNODE(nd,func,dbl) = fetchnode
COUNTLOGIC: function[statevector,word6,word2 -> statevector] -
(LAMBDA stY, loadin, func -> statevector:
make_triple(MULTIPLEX(INCLOGIC(count(stv),
INCCON(node(stv))
loadin,
MPLXCON(node(stv)) ),
BOOLF(bit2(0,func)),
NEXTNODE(node(stv),func,double(stv)) )
t
cnt6 fa.NEXT: function[statevector,word6,word2 -> statevector] - COUNTLOGIC
(* - LEMMAs needed to prove NEXT0_ax *)
idn: VARword6
fn: VARword2
80
case O: LEMMA val2(node(stv)) =
COUNTLOGIC(stv,ldn,fn)
0 IMPLIES
= FETCH(count(stv),double(stv),idn,fn)
csOa: LEMMA val2(node(stv)) = 0 IMPLIES
COUNTLOGIC(stv,ldn,fn) =
make_triple(count(sty),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
cs0b: LEMMA val2(node(stv)) = 0 IMPLIES
maketriple(count(stv),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
FETCH(count(stv),double(stv),idn,fn)
m
(* LEMMAS needed to prove NEXTI_ax *)
case i: LEMMA val2(node(stv)) = 1 IMPLIES
-- COUNTLOGIC(stv,ldn,fn) = INCl(count(stv),double(stv),idn,fn)
csla: LEMMA val2(node(stv)) = 1 IMPLIES
COUNTLOGIC(stv,ldn,fn) =
make_triple(ADDl(count(stv)),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
cslb: LEMMA val2(node(stv)) = 1 IMPLIES
make_triple(ADDl(count(stv)),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
INCl(count(stv),double(stv),idn,fn)
(* LEMMAs needed to prove NEXT2ax *)
case 2: LEMMA val2(node(stv)) = 2 IMPLIES
-- COUNTLOGIC(stv,ldn,fn) = INC2(count(stv),double(stv),idn,fn)
cs2a: LEMMA val2(node(stv)) = 2 IMPLIES
COUNTifX31C(stv,ldn,fn) =
make_triple(ADDl(count(stv)),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
cs2b: LEMMA val2(node(stv)) = 2 IMPLIES
make_triple(ADDl(count(stv)),
BOOLF(bit2(0,fn)),
NEXTNODE(node(stv),fn,double(stv))
INC2(count(stv),double(stv),idn,fn)
(* LEMMAs needed to prove NEXT3 ax *)
case 3: LEMMA val2(node(stv)) =
COUNTLOGIC(stv,ldn,fn)
3 IMPLIES
= LOAD(count(stv),double(stv),idn, fn)
81
cs3a: LEMMAval2(node(stv)) = 3 IMPLIES
COUNTLOGIC (sty, Idn, fn)
make_triple( idn,
BOOLF(bit2 (0, fn) ),
NEXTNODE(node(stv),fn,double(stv)) )
cs3b: LEMMA val2(node(stv)) = 3 IMPLIES
make_triple( idn,
BOOLF(bit2( 0, fn) ),
NEXTNODE(node(stv),fn,double(stv) ) ) -
LOAD (count (sty ),double (stv ),idn, fn )
PROOF
p_case0: PROVE case_0 FROM cs0a,cs0b
p_cs0a: PROVE cs0a FROM INCLOGIC_ax{ct <- count(sty),
noinc <- INCCON(node(stv))},
MULTIPLEX_ax{incout <- count(sty),
loadin <- idn,
mplxsel <- MPLXCON(node(stv))}
P cs0b: PROVE cs0b FROM FETCH_ax{ct <- count(stY),
-- dbl <- double(sty),
idn <- idn, fn <- fn},
NKXTNODE0_ax{nd <- node(stv),
func <- fn,
dbl <- double(sty)}
p_case_l: PROVE case l FROM csla,cslb
p csla: PROVE csla FROM INCLOGIC_ax{ct <- count(sty),
noinc <- INCCON(node(stv))},
MULTIPLEX ax{incout <- ADDl(count(stv)),
-- loadin <- Idn,
mplxsel <- MPLXCON(node(stv))}
P cslb: PROVE cslb FROM INCI ax {ct <- count(sty),
- dbl <- double(sty),
idn <- idn, fn <- fn},
NEXTNODEI_ax{nd <- node(stv),
func <- fn,
dbl <- double(stv)]
p_case_2: PROVE case_2 FROM cs2a,cs2b
82
p_cs2a: PROVEcs2a FROMINCLOGIC_ax{ct<- count(sty),
noinc <- INCCON(node(stv))},
MULTIPLEXax{incout <- ADDl(count(stv) ),
-- loadin <- idn,
mplxsel <- MPLXCON(node(stv)) }
P cs2b: PROVEcs2b FROMINC2_ax{ct <- count(stv),
-- dbl <- double(sty),
idn <- idn, fn <- fn},
NEXTNODE2a3x{nd <- node(sty),
func <- fn,
dbl <- double (stv) }
p case_3: PROVEcase_3 FROMcs3a,cs3b
p_cs3a: PROVE cs3a FROM
MULTIPLEX_ax{incout <-INCLOGIC(count(stv),INCCON(node(stv))) ,
loadin <- idn,
mplxsel <- MPLXCON(node(stv))}
p_cs3b: PROVE cs3b FROM LOAD_ax{ct <- count(stv),
dbl <- double(stv),
idn <- idn, fn <- fn},
NEXTNODE2a3_ax{nd <- node(stv),
func <- fn,
dbl <- double(sty)]
END cnt6 blk
cnt6 cir: MODULE
MAPPING cnt6 blk ONTOwords, triples, bsignal
THEORY
(* abbreviations
word2: TYPE is word[2]
word6: TYPE is word[6]
cntrlsigs: TYPE is triple[bool,bool,word[2]]
bit2: function[int, word2 -> bool] is bit[2]
bit6: function[int, word6 -> bool] is bit[6]
assign2:function[int,bool,word2 -> word2] is assign[2]
assign6:function[int,bool,word6 -> word6] is assign[6]
(* circuit elements
b,bl,b2,b3,b4: VAR bool
,)
,)
83
INV: function [bool -> bool] = (LAMBDA b -> bool: not b)
NAND2: function [bool, bool-> bool] =
(LAMBDA bl,b2 -> bool: not (bl and b2))
NAND3: function [bool, bool, bool -> bool] =
(LAMBDA bl,b2,b3 -> bool: not (bl and b2 and b3))
NAND4: function [bool, bool, bool, bool -> bool ] =
(LAMBDA bl,b2,b3,b4 -> bool: not (bl and b2 and b3 and b4))
XNOR: function [bool, bool -> bool] =
(LAMBDA bl,b2 -> bool: not (not bl and b2 or bl and not b2))
NOR2: function [bool, bool -> bool ] =
('_AMBDA bl,b2 -> bool: not (bl or b2))
(* logic variables
i0,ii,i2,i3,i4,i5: VAR bool
ibit,lsel,incbit,incsel: VAR bool
incout,loadin,cntr: VARword6
mplxsel,noinc,Double: VAR bool
Node,Func: VARword2
(* circuit definition
output: function [bool,bool,bool,bool,bool,bool -> word6] =
(LAMBDA i0,ii,i2,i3,i4,i5 -> word6:
assign6(0,i0,
assign6(l,il,
assign6(2,i2,
assign6(3,i3,
assign6(4,i4,
assign6(5,i5,newword[6])))))))
.)
,)
bitsel: function[bool,bool,bool,bool -> bool] =
(LAMBDA ibit,lsel,incbit,incsel -> bool:
NAND2(NAND2(ibit,lsel), NAND2(incbit,incsel))
MPLEXCIRC: function[word6,word6,bool -> word6]
MPLEXCIRC ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel)
output(
bitsel(bit6(0,1oadin)
bitsel(bit6(1,1oadin)
bitsel(bit6(2,1oadin)
bitsel(bit6(3,1oadin)
bitsel(bit6(4,1oadin)
bitsel(bit6(5,1oadin)
)
,INV(mplxsel),bit6(0,incout),mplxsel),
,INV(mplxsel),bit6(l,incout),mplxsel),
,INV(mplxsel),bit6(2,incout),mplxsel),
,INV(mplxsel),bit6(3,incout),mplxsel),
,INV(mplxsel),bit6(4,incout),mplxsel),
,INV(mplxsel),bit6(5,incout),mplxsel)
carry4bar: function[word6,bool -> bool]
(LAMBDA cntr,noinc -> bool:
NAND4(INV(noinc),bit6(O,cntr),bit6(l,cntr),bit6(l,cntr))
)
84
INCCIRC:function[word6,bool -> word6] =
(LAMBDA cntr,noinc -> word6:
output(
XNOR(bit6(0,cntr), noinc),
XNOR(bit6(l,cntr), NAND2(INV(noinc),bit6(0,cntr)) ),
XNOR(bit6(2,cntr),
NAND3(INV(noinc), bit6(0,cntr), bit6(l,cntr) ) ),
XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ),
XNOR(bit6(4,cntr),
NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr) )
),
XNOB(bit6(5,cntr),
NAND3(INV(carry4bar(cntr,noinc)),
bit6(3,cntr) ,
bit6(4,cntr) ) )
)
)
inccon:
common:
function[word2 -> bool] =
(LAMBDANode -> bool:
NOR2(bit2(0,Node),bit2(l,Node))
function[word2,word2 -> bool] =
(LAMBDA Node,Func -> bool:
NAND3(inccon(Node),INV(bit2(l,Func)),bit2(0,Func))
CONIROLCIR: function[word2,word2,bool -> cntrlsigs] =
(LAMBDANode,Func,Double -> cntrlsigs:
make_triple(inccon(Node),
NAND2(bit2(0,Node),bit2(l,Node)),
assign2(0, NAND2(common(Node,Func),
NAND2(inccon(Node),bit2(l,Func))
),
assign2(l,NAND2(common(Node,Func),
NAND3(Double,
bit2(0,Node),
INV(bit2(l,Node) ) )),
newword[2])
)
(* Mappings to "cnt6 blk" *)
cnt6 blk.INCLOGIC: function[word6,bool -> word6] = INCCIRC
cnt6 blk.MULTIPLEX: function[word6,word6,bool -> word6] = MPLEXCIRC
(*
85
cnt6 blk.INCCON: function[word2,word2,bool -> bool ] =
(LAMBDA Node, Func, Double -> bool:
first(CONTROLC IR (Node, Func, Double ))
)
cnt6 blk.MPLXCGN: function[word2,word2,bool -> bool] z
(LAMBDA Node, Func, Double -> bool:
second( CONTROLCIR (Node, Func, Double ))
)
*)
cnt6 blk.NEXTNODE: function[word2,word2,bool -> word2] -
(LAMBDA Node, Func, Double -> word2:
third (CONTK_LCIR (Node, Func, Double ))
)
END cnt6 cir
ineq_.cases: MODULE
THEORY
y,m: VAR int
Y 0: THEOREM (y>-0 AND y<l) IMPLIES y=0
Y--01: THEO_ (y>-I AND y<2) IMPLIES y-I
Y-S: THEOKEM (y>-0 AND y<2) IMPLIES ((y>-0 AND y<l) OR (y>-i AND y<2))
Y I: THEOREM (y>-0 AND y<2) IMPLIES (y-0 OR F-I)
M R: THEOREM (y>-0 AND y<-m) IMPLIES ((y>-0 AND y<-m-l) OR (y-m))
PROOF
pYO: PROVE Y 0
pYOl: PROVE Y Ol
pYS: PROVE Y_S
pYl: PROVE Y 1 FROM
Y S, Y O, Y Ol
pMR: PROVE M R
ineqcases
int inductions: MODULE
EXPORTING next,pred,geq,bge
THEORY
i,j: VAR int
dl, d2, d3, d4, de: VAR int
x,y,z,s: VAR int
86
First: int = 0
next: function[int-> int] -- (LAMBDA i -> int: i+l)
pred: function[ int -> int] = (LAMBDA i -> int: IF i > 0 THEN i-I ELSE 0 END)
geq: function[int,int -> bool] = (LAMBDA i,j -> bool: (i>=j))
bge: function[int -> bool] =
(LAMBDA i -> bool: IF i>=0 THEN true ELSE false END )
p: VAR function[int -> bool]
int_complete: THEOREM (FORALL dl: geq(dl,First) IMPLIES
(FORALL d3: (geq(d3,First) AND geq(dl,d3) AND d3 ~- dl) IMPLIES
p(d3)) IMPLIES p(dl))
IMPLIES (FORALL d2: geq(d2,First) IMPLIES p(d2))
int induction: THEOREM (p(First) AND (FORALL dl: p(dl) IMPLIES p(next(dl))))
IMPLIES (FORALL d2: geq(d2,First) IMPLIES p(d2) )
int_induct_by_2: THEOREM (p(First) AND p(next(First)) AND (FORALL dl: p(dl)
IMPLIES p(next(next(dl)))))
IMPLIES (FORALL d2: (geq(d2,First) IMPLIES p(d2) ))
END int inductions
87
Report Documentation Page
N_,mW #aJoNt_*. _
SNce _41m,_mm, mt
1. Report No. 2. Government Accession No.
NASA TM-I00669 AVSCOM TM-88-B-OI7
4.Titl, and Subtitle
Hardware Proofs Using EHDM and the RSRE Verification
Methodology
7. Author{.)
Ricky W. Butler and Jon A. Sjogren
9. Performing Organizat_n Name and Address
NASA Langley Research Center
Hampton, VA 23665-5225 and
Joint Research Programs Office/AVRADA, Langley Research
C_nt_r. Hampton, VA 23665-5225
]2. Sppn_rlngAp_y Name and Addms
National Aeronautics and Space Administration
Washington, DC 20546-0001
and
U.S. Army Aviation Systems Command
St. Louis, MO 63120-1798
3. Reciplent's Catalog No.
5. Report Date
December 1988
6. Performing Organiaation Code
8. Perform|ng Organisation Report No.
10. Work Unit No.
505-66-21-01
11. Contract or Grant No.
13. Type of Report and Period Covered
Technical Memorandum
14. Army Project No.
ILI61102AH45E
15. Supplementary Notes
Ricky W. Butler: Langley Research Center, Hampton, Virginia
Jon A. Sjogren: Joint Research Programls Offioe, A_-A%_o(X]M, Langley Besear_ Center,
Hampton, VA
16. Abstract
This paper examines a methodology for hardware verification developed by Royal
Signals and Radar Establishment (RSRE) in the context of the SRI
International's Enhanced Hierarchical Design Methodology (EHDM)
specification/verification system. The methodology utilizes a four-level
specification hierarchy with he following levels: functional level, finite
automata model, block model, and circuit level. The properties of a level are
proved as theorems in the level below it. In this paper, this methodology is
applied to a 6-bit counter problem and is critically examined. The
specifications are written in EHDM's specification language, Extended Special,
and the proofs are improving both the RSRE methodology and the EHDM system.
17. Key W_de(Susl_,ted by Authors(s))
Verification
Formal Proof
Formal Specification
Theorem Proving
Hardware Verification
19. SecuriW Clamf. Iof this report)
Unc]asstfted
20, Security CIsu_f. (of this
Unclassified
18. Distribution Statement
Unclassified - Unlimited
Subject Category 62
pagel 21. No. of pages
89
22. Price
A05
NASA FORM 1(K'8 OCT 86 For sale by the National Technical Information Service, Springfield, Virginia 22161-2171


