Mechanically verified hardware implementing an 8-bit parallel IO Byzantine agreement processor by Moore, J. Strother
NASA Contractor Report 189588
Mechanically Verified Hardware
Implementing an 8-Bit Parallel IO
Byzantine Agreement Processor
J Strother Moore
Computational Logic, Inc.
Austin, Texas
Contract NAS1-18878
1992
National Aeronautics and
Space Administration
Langley Research Center
Hampton, Virginia 23665-5225
(NASA-CR-189588) MECHANICALLY VERIFIED HARDWARE IMPLEMENTING AN 8-BIT PARALLEL IO BYZANTINE AGREEMENT PROCESSOR (Computational Logic) 41 p CSCL 09B N92-24695 Unclas G3/62 0081291
https://ntrs.nasa.gov/search.jsp?R=19920015452 2020-03-17T12:20:14+00:00Z
Abstract
Consider a network of four processors that use the Oral Messages (Byzantine Generals) algorithm of Pease,
Shostak and Lamport to achieve agreement in the presence of faults. Bevier and Young have published a
functional description of a single processor that, when interconnected appropriately with three identical
others, implements this network under the assumption that the four processors step in synchrony. By
formalizing the original Pease, Shostak and Lamport work, Bevier and Young mechanically proved that
such a network achieves fault tolerance. In this paper we develop, formalize and discuss a hardware design
that has been mechanically proved to implement their processor. In particular, we formally define mapping
functions from the abstract state space of the Bevier-Young processor to a concrete state space of a
hardware module and state a theorem that expresses the claim that the hardware correctly implements the
processor. We briefly discuss the Brock-Hunt Formal Hardware Description Language which permits
designs both to be proved correct with the Boyer-Moore theorem prover and to be expressed in a
commercially supported hardware description language for additional electrical analysis and layout. We
briefly describe our implementation, which actually takes the form of a hardware design generator which
produces a design as a function of the desired word size. We exhibit the theorem that establishes that the
generator is correct. We exhibit the instance generated for sense data of width 8, in the syntax of NDL, a
hardware description language supported by LSI Logic, Inc. We exhibit some results of processing the
verified design with commercially available tools. We discuss two unrealistic aspects of our verified
design. (a) The use of parallel instead of serial io requires an excessive number of pins. (b) The
assumption that all four processors step in synchrony is implemented by having them share a common
clock, introducing an unacceptable single-point failure mode.
Keywords: hardware verification, fault tolerance, Byzantine agreement, Oral Messages algorithm,
automatic theorem proving, Boyer-Moore logic
Table of Contents
1. Background ......................................................... 1
2. Mapping from Abstract States to Concrete States ........................... 3
2.1. The Restricted Abstract State Space .......................................... 3
2.2. The Concrete State Space .................................................. 5
2.3. The Map Down .......................................................... 6
2.4. The Map Up ............................................................ 6
3. The Specification .................................................... 7
4. The Implementation .................................................. 8
4.1. Incrmt3 ................................................................. 8
4.2. Counter3 ................................................................ 10
4.3. Other Submodules ....................................................... 12
4.4. Lstep ................................................................... 13
5. The Theorem Proved by NQTHM ....................................... 14
6. Comments on our Design .............................................. 15
Appendix A. The Formal Definition of LOCAL-STEP and GOOD-STATEP ..... 16
Appendix B. The Formal Design ........................................ 19
Appendix C. The NDL for LSTEP_8 ..................................... 27
Appendix D. Mechanically Produced Schematics ........................... 29
1. Background
In [1] Bevier and Young describe a formalization of the "Oral Messages" (or "Byzantine Generals")
algorithm of Pease, Shostak and Lamport [5] and a functional description of a processor that implements
the algorithm in the case of a four processor network. They use the Boyer-Moore theorem prover,
NQTHM [2], to check the Pease-Shostak-Lamport theorem and to prove that their abstract processor
correctly implements the algorithm for the case in question. They specify the processor by exhibiting a
function named local-step that is the state transition function, i.e., the function that, on each clock tick,
produces the next state of the processor. In this paper we implement that processor in the formalized
hardware description language (HDL) of Brock and Hunt and we exhibit a theorem, which has been proved
by NQTHM, that states that our hardware implements local-step. Readers are urged to see [1] for
additional background material.
The processor reads sense data and inputs from its peers, exchanges this data in a certain fixed pattern
among the peers, and then votes on certain combinations of the exchanged data. The result of the vote is an
"interactive consistency vector" ("icv") which contains four data objects in 1:1 correspondence with the
four processors. The icv in a processor indicates that processor's "opinion" of the final value of the sense
data in each of the four. Provided at most one processor is faulty, all nonfaulty processors hold identical
opinions about all the processors, including any faulty processor. This fact is proved informally but
precisely in [5]; it is stated formally and proved mechanically in [1]. In actual applications, the sense data
and all of the exchanged data are in fact bit vectors of some fixed length, though that restriction is
unnecessary in the abstract view of the processor and in its proof.
Bevier and Young formalize the processor by formalizing the notion of its "state" and its "state
transition" function, the function which determines the next state given the sense data, the input from the
peers, and the current state. To model the network in which the four processors are connected, Bevier and
Young define a function called global-step which manages four independent processor states and
transfers the outputs of each state to the appropriate inputs of the next state transition. This model of the
network implicitly assumes that all four processors execute in lockstep synchrony. If local-step is
taken as a low-level hardware design, in which one state transition by local-step describes one tick of
the microprocessor's clock, then this assumption is naturally implemented by having the four processors
controlled by a common clock. If local-step is taken more abstractly, in which one step by
local-step might require many microprocessor cycles, then this assumption might be implemented via
some rough clock synchronization algorithm and time abstraction. We take the view that local-step is
a low-level specification and we designed our microprocessor to implement it directly. This is unrealistic
for two reasons. First, it requires the four processors to share a common clock, which introduces a potential
single-point failure mode. Second, it requires parallel io so that all the bits output by one processor on one
clock tick are available as input to the appropriate peer processor on its next cycle. But because we have so
many inputs and outputs, parallel io makes excessive demands for pins. We return to these points after
presenting our design.
The state of the abstract processor, local-step, is a 5-tuple constructed by state from
• a 3×3 matrix of sense data read and obtained from peers;
• an output buffer obuf of length 3, each component of which is physically connected to a
fixed peer processor in such a way that the contents of that component on each cycle appears
as a certain input to the peer on its next cycle;
• the interactive consistency vector icv containing data objects (or a token denoting "no
majority") representing the finally agreed upon values of the sense data in each of the four
peers;
• a light which represents the final action taken by the processors upon reaching agreement;
and
• a counter, clock, which records the current "time" modulo 8 and is used to sequence the
device.
Bevier and Young define the notion of a "good state" with good-statep which formalizes the
description above. See Appendix A.
The definition of local-step is
Definition.
(local-step input state)
=
(let ((sense (nth 0 input))
      (p0 (nth 1 input))
      (p1 (nth 2 input))
      (p2 (nth 3 input))
      (clock (clock state)))
  (case (remainder clock 8)
    (0 (state (matrix state)
              (make-list 3 sense)
              (put 3 sense (icv state))
              (light state)
              (remainder (plus 1 (clock state)) 8)))
    (1 (state (put 0 (list p0 p1 p2) (matrix state))
              (list p1 p0 p0)
              (icv state)
              (light state)
              (remainder (plus 1 (clock state)) 8)))
    (2 (state (put 1 (list p0 p1 p2) (matrix state))
              (list (nth 2 (nth 0 (matrix state)))
                    (nth 2 (nth 0 (matrix state)))
                    (nth 1 (nth 0 (matrix state))))
              (icv state)
              (light state)
              (remainder (plus 1 (clock state)) 8)))
    (3 (state (put 2 (list p0 p1 p2) (matrix state))
              (obuf state)
              (icv state)
              (light state)
              (remainder (plus 1 (clock state)) 8)))
    (4 (state (matrix state)
              (obuf state)
              (compute-icv (matrix state) (icv state))
              (light state)
              (remainder (plus 1 (clock state)) 8)))
    (5 (state (matrix state)
              (obuf state)
              (icv state)
              (filter (icv state))
              (remainder (plus 1 (clock state)) 8)))
    (otherwise
     (state (matrix state)
            (obuf state)
            (icv state)
            (light state)
            (remainder (plus 1 (clock state)) 8)))))
The case and let abbreviations (supported by some local patches to NQTHM) should be self-
explanatory. The definition of local-step without these abbreviations may be found in Appendix A,
along with the definitions of the subfunctions. Roughly speaking, the function above produces a new state
as a function of the current state and the input. On each application, the clock is incremented by one
(modulo 8). When the clock is between 0 and 5, other components of the state are modified. The last two
cycles (6 and 7) are no-ops.
Our job is to construct a Formal HDL description of a module that implements this function and to prove
that we did so.
The Formal HDL we use is the descendant of that described by Brock and Hunt in [3]. (At the time of this
writing, the new Formal HDL has not yet been documented though we explain it briefly here.) The
language is connected to the hardware design tools of LSI Logic, Inc., via a Lisp program that translates
Formal HDL descriptions into LSI Logic's Netlist Description Language (NDL). NDL is a conventional
hardware description language similar to Verilog [7]. Commercially available LSI Logic tools permit
one to analyze NDL descriptions to extract schematics, do layout, etc.
In this document we exhibit our implementation and the theorem that we claim establishes its correctness.
We sketch the Formal HDL to make our description somewhat self-contained, but we do not include the
definition of the HDL, nor do we even discuss (much less present the NQTHM events leading to) the proof
of correctness. However, the file of events, leading from NQTHM's ground-zero state through the
definition of the Brock-Hunt hardware interpreter, dual-eval, and thence onward to our implementation
of local-step and its correctness, is available upon request. The file may be processed by the released
NQTHM, but requires the loading of Bishop Brock's "fast clausifier" patch, available from CLI.
2. Mapping from Abstract States to Concrete States
The function we wish to implement, local-step, uses such abstract objects as the 5-tuple states,
integers, the arbitrary sense data objects, etc. In order to implement it in digital hardware we must both
restrict it to certain kinds of sense data (e.g., bit vectors) and define a mapping from the abstract state space
to a concrete state space.
The hardware description language we use imposes on us a formal definition of concrete states as
cons-trees of Boolean vectors. The shape of the tree depends on the hierarchical decomposition of the
hardware description. Thus, our description of the concrete state space foreshadows our final
implementation. Nevertheless, we describe the two state spaces (the restricted abstract one and the
concrete one) and the maps between them before exhibiting our implementation.
2.1 The Restricted Abstract State Space
Brock and Hunt define a bit vector to be recognized by bvp,
Definition.
(bvp x)
=
(if (nlistp x)
    (equal x nil)
  (and (boolp (car x)) (bvp (cdr x)))).
We introduce the idea of a bit vector of width w,
Definition.
(bvpn bv w)
=
(and (bvp bv)
     (equal (length bv) w)),
and the idea of a proper list of such bit vectors,
Definition.
(all-bvpn lst w)
=
(if (nlistp lst)
    (equal lst nil)
  (and (bvpn (car lst) w)
       (all-bvpn (cdr lst) w))).
In our restricted abstract states, sense data (and thus the exchanged and voted data) will always be bit
vectors of width w.
The icv of the abstract state will be restricted to being a list of length 4, the last element of which is a bit
vector of width w and the other three of which are either bit vectors of width w or else the object
(maj-token) indicating that no majority was found.
Definition.
(icvp lst w)
=
(and (equal (length lst) 4)
     (or (bvpn (car lst) w)
         (equal (car lst) (maj-token)))
     (or (bvpn (cadr lst) w)
         (equal (cadr lst) (maj-token)))
     (or (bvpn (caddr lst) w)
         (equal (caddr lst) (maj-token)))
     (bvpn (cadddr lst) w)
     (equal (cddddr lst) nil))
Similarly, we require that the matrix and the output buffer of the restricted abstract state contain fixed
width bit vectors. We wrap all these restrictions up into a single predicate,
Definition.
(data-path-assumptionp state w)
=
(and (properp (matrix state))
     (all-bvpn (nth 0 (matrix state)) w)
     (all-bvpn (nth 1 (matrix state)) w)
     (all-bvpn (nth 2 (matrix state)) w)
     (all-bvpn (obuf state) w)
     (icvp (icv state) w)).
The abstract state contains the light which is set by the undefined function filter once the icv is
computed. We cannot implement either the light or the filter in hardware since they are unspecified.
Therefore, the map up from concrete states to abstract ones must somehow recover from the concrete state
an icv upon which filter produces the required light. Thus, if we are originally presented with an
abstract state whose light is not the value of filter on some icv it will be impossible to map the state
down invertibly. We therefore impose on the abstract state space the additional restriction that the light
of an abstract state be obtained by applying filter to some icvp-object. We avoid the implicit
existential quantification by passing the alleged object in as a "witness." States for which there exists
such a witness are said to be "well-lit."
Definition.
(well-litp state act-reg w)
=
(and (icvp act-reg w)
     (equal (light state) (filter act-reg)))
Our restricted abstract state space is defined by
Definition.
(bevier-young-statep state act-reg w)
=
(and (good-statep state)
     (data-path-assumptionp state w)
     (well-litp state act-reg w)),
which recognizes well-lit good states that satisfy the data path width assumption.
2.2 The Concrete State Space
The shape of a concrete state is determined by the hierarchical decomposition of our hardware description
and the conventions of the Formal HDL language. A concrete state will be a list of length nine with the
following components, arrayed in the order shown:
component              structure                types
cnt                    (c0 c1 c2)               three bits
matrix0                (m00 m01 m02)            three w-bit vectors
matrix1                (m10 m11 m12)            three w-bit vectors
matrix2                (m20 m21 m22)            three w-bit vectors
data-out               (o0 o1 o2)               three w-bit vectors
icv-reg                (icv0 icv1 icv2 icv3)    four w-bit vectors
act-reg                (a0 a1 a2 a3)            four w-bit vectors
icv-maj-existsp-reg    (b0 b1 b2)               three bits
act-maj-existsp-reg    (d0 d1 d2)               three bits
For example, (cnt state) is defined to be (nth 0 state) and (act-maj-existsp-reg
state) is defined to be (nth 8 state).
The recognizer for well-formed concrete states is:
Definition.
(hunt-brock-statep x w)
=
(and (properp x)
     (equal (length x) 9)
     (bvpn (cnt x) 3)
     (equal (length (matrix0 x)) 3)
     (equal (length (matrix1 x)) 3)
     (equal (length (matrix2 x)) 3)
     (equal (length (data-out x)) 3)
     (equal (length (icv-reg x)) 4)
     (equal (length (act-reg x)) 4)
     (all-bvpn (matrix0 x) w)
     (all-bvpn (matrix1 x) w)
     (all-bvpn (matrix2 x) w)
     (all-bvpn (data-out x) w)
     (all-bvpn (icv-reg x) w)
     (all-bvpn (act-reg x) w)
     (bvpn (icv-maj-existsp-reg x) 3)
     (bvpn (act-maj-existsp-reg x) 3))
2.3 The Map Down
We map the abstract icv onto the concrete icv by replacing (maj-token), when it occurs, by the bit
vector that is everywhere f. This is ambiguous, since that bit vector may be legitimate sense data. We
therefore maintain a 3-bit register, maj-existsp-reg, which is in 1:1 correspondence with the first
three words of the concrete icv and in which an f indicates that the corresponding icv word denotes
(maj-token).
Definition.
(icv-down icv w)
=
(list (if (equal (car icv) (maj-token))
          (nat-to-v 0 w)
        (car icv))
      (if (equal (cadr icv) (maj-token))
          (nat-to-v 0 w)
        (cadr icv))
      (if (equal (caddr icv) (maj-token))
          (nat-to-v 0 w)
        (caddr icv))
      (cadddr icv))
Here is how we set maj-existsp-reg from the abstract icv:
Definition.
(maj-existsp-reg icv)
=
(list (not (equal (car icv) (maj-token)))
      (not (equal (cadr icv) (maj-token)))
      (not (equal (caddr icv) (maj-token))))
To map an abstract state down (invertibly) we must know the witness for the light of the abstract state.
This witness, which is another icv, we store in the act-reg and the act-maj-existsp-reg
(affording the (maj-token)s in the witness the same treatment as in the icv). Thus, we map an abstract
state down (with respect to a given witness act-reg and data width w) with
Definition.
(down state act-reg w)
=
(list (nat-to-v (clock state) 3)
      (nth 0 (matrix state))
      (nth 1 (matrix state))
      (nth 2 (matrix state))
      (obuf state)
      (icv-down (icv state) w)
      (icv-down act-reg w)
      (maj-existsp-reg (icv state))
      (maj-existsp-reg act-reg)).
2.4 The Map Up
We invert the icv-down map with
Definition.
(icv-up icv icv-maj-existsp-reg)
=
(list (if (car icv-maj-existsp-reg) (car icv) (maj-token))
      (if (cadr icv-maj-existsp-reg) (cadr icv) (maj-token))
      (if (caddr icv-maj-existsp-reg) (caddr icv) (maj-token))
      (cadddr icv)),
which is also used to recover the light witness.
We then invert the down map with
Definition.
(up lst)
=
(state (list (matrix0 lst) (matrix1 lst) (matrix2 lst))
       (data-out lst)
       (icv-up (icv-reg lst)
               (icv-maj-existsp-reg lst))
       (filter (icv-up (act-reg lst)
                       (act-maj-existsp-reg lst)))
       (v-to-nat (cnt lst)))
Observe that after recovering the witness from act-reg and act-maj-existsp-reg we apply
filter to obtain the light.
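The following is an added executable model of the map down and map up of sections 2.3 and 2.4; it is not code from the report. It assumes bit vectors are Python lists of bools with the least significant bit first (the Brock-Hunt nat-to-v convention), and it substitutes a stand-in FILTER for the report's unspecified filter, so that the round trip up(down(state)) can be checked on a well-lit state whose icv contains both a (maj-token) and a genuine all-f word.

```python
"""Executable model of the map down / map up of sections 2.3 and 2.4 (added
example, not code from the report).  Assumptions: bit vectors are lists of
bools, least significant bit first (the Brock-Hunt nat-to-v convention), and
FILTER is a stand-in for the report's unspecified filter function."""

MAJ_TOKEN = "maj-token"        # the abstract object (maj-token)


def nat_to_v(n, w):
    """(nat-to-v n w): w-bit vector of n, least significant bit first."""
    return [bool((n >> i) & 1) for i in range(w)]


def v_to_nat(v):
    """(v-to-nat v): inverse of nat_to_v."""
    return sum(1 << i for i, b in enumerate(v) if b)


def bvpn(x, w):
    return isinstance(x, list) and len(x) == w and all(type(b) is bool for b in x)


def icvp(lst, w):
    """(icvp lst w): four words; the first three may be (maj-token)."""
    return (len(lst) == 4
            and all(bvpn(e, w) or e == MAJ_TOKEN for e in lst[:3])
            and bvpn(lst[3], w))


def FILTER(icv):
    """Assumed stand-in for filter: light on iff the agreed word for
    processor 3 (the last icv entry) is nonzero."""
    return v_to_nat(icv[3]) != 0


# ---- map down ----------------------------------------------------------
def icv_down(icv, w):
    """(icv-down icv w): replace (maj-token) by the all-f vector."""
    return [nat_to_v(0, w) if e == MAJ_TOKEN else e for e in icv[:3]] + [icv[3]]


def maj_existsp_reg(icv):
    """(maj-existsp-reg icv): an f marks a word that stood for (maj-token)."""
    return [e != MAJ_TOKEN for e in icv[:3]]


def down(state, act_reg, w):
    """(down state act-reg w): the nine-component concrete state of 2.2."""
    matrix, obuf, icv, _light, clock = state
    return [nat_to_v(clock, 3),
            matrix[0], matrix[1], matrix[2],
            obuf,
            icv_down(icv, w), icv_down(act_reg, w),
            maj_existsp_reg(icv), maj_existsp_reg(act_reg)]


# ---- map up ------------------------------------------------------------
def icv_up(icv, existsp):
    """(icv-up icv icv-maj-existsp-reg): reinstate (maj-token) where the
    register bit is f; a genuine all-f word carries a t bit and is kept."""
    return [icv[i] if existsp[i] else MAJ_TOKEN for i in range(3)] + [icv[3]]


def up(lst):
    """(up lst): rebuild the abstract 5-tuple (matrix obuf icv light clock);
    the light is filter applied to the witness recovered from act-reg."""
    cnt, m0, m1, m2, data_out, icv_reg, act_reg, icv_ex, act_ex = lst
    return ([m0, m1, m2], data_out, icv_up(icv_reg, icv_ex),
            FILTER(icv_up(act_reg, act_ex)), v_to_nat(cnt))


def round_trip_ok(state, act_reg, w):
    """True iff up(down(state)) returns state; holds for well-lit states."""
    return up(down(state, act_reg, w)) == state


def example_state(w=8):
    """Constructed well-lit abstract state at clock 5 whose icv holds both a
    (maj-token) and a genuine all-f word; only maj-existsp-reg tells them apart."""
    zero = nat_to_v(0, w)
    row = [nat_to_v(n, w) for n in (0x5A, 0x3C, 0xF0)]
    act_reg = [nat_to_v(1, w), zero, MAJ_TOKEN, nat_to_v(0x81, w)]
    icv = [MAJ_TOKEN, zero, nat_to_v(0x3C, w), nat_to_v(0x81, w)]
    return ([row, row, row], row, icv, FILTER(act_reg), 5), act_reg


if __name__ == "__main__":
    s, a = example_state()
    assert icvp(s[2], 8) and round_trip_ok(s, a, 8)
    # without the register the (maj-token) would come back as the all-f word
    assert icv_up(icv_down(s[2], 8), [True, True, True]) != s[2]
    print("down/up round trip:", round_trip_ok(s, a, 8))
```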
3. The Specification
In the most literal sense, our goal is to exhibit a netlist that implements the Bevier-Young LOCAL-STEP
for some fixed data path width, w, namely 8. We exhibit such a netlist in Appendix C, where it is displayed
in the syntax of LSI Logic's NDL. Let netlist be the formal analogue of that netlist, let module be the
formal analogue of the top-level module name, LSTEP_8, and let w be the data width 8. Then the
following theorem holds:
Theorem. Main
(implies (and (bevier-young-statep state act-reg w)
              (bvpn sense w)
              (bvpn p0 w)
              (bvpn p1 w)
              (bvpn p2 w)
              (equal te f)
              (equal reset- t))
         (equal (local-step (list sense p0 p1 p2) state)
                (up
                 (dual-eval 2 module
                            (append (list clk te ti reset-)
                                    (append sense
                                            (append p0
                                                    (append p1 p2))))
                            (down state act-reg w)
                            netlist))))
This theorem says that if
• state is a state in our restricted abstract state space (whose light is witnessed by
act-reg and whose data path width is w), and
• sense, p0, p1, p2 are bit vectors of width w, and
• the "test enable" line, te, to our module is low and the "reset when low" line, reset-, is
high,
then
• the Bevier-Young local-step applied to the given sense and input data in the given
abstract state
is equal to the result of
• mapping the abstract state down to a concrete state (using the supplied witness),
• stepping the Brock-Hunt hardware model forward one step on that concrete state with our
given inputs, module, and netlist, and
• mapping the resulting concrete state back up.
Technically speaking, we do not actually cause NQTHM to prove this theorem. We actually define both a
netlist generator and a netlist recognizer, both of which take the data width, w>0, as a parameter. The
generator produces a list constant that is the formal HDL description of a netlist that implements
local-step for the given data width. The recognizer returns t or f according to whether a given netlist
is some extension of the one we generate. We then lead NQTHM to the proof of the theorem that if
the recognizer accepts a netlist defining module for width w>0 (where netlist, module and w are
now universally quantified variables) then the interpretation of the module under the netlist computes
local-step in the sense illustrated above. We do not prove that our generator always constructs a
netlist satisfying the recognizer. Rather, we merely execute the generator on any chosen w, obtain a
concrete netlist, and then execute the recognizer on that netlist to observe that the generator worked for that
particular w. This is faster than proving that the generator always satisfies the recognizer, since one usually
only generates a small number of instances of the design.
4. The Implementation
Our implementation is decomposed into modules. We exhibit the module definition generators in
Appendix B. In this section we explain a few of the modules simply to illustrate the HDL and our
implementation.
4.1 Incrmt3
The following NQTHM function defines the implementation of the INCRMT3 module. The module takes
three bits in, i0...i2, and produces three bits, o0...o2. If the two bit vectors are thought of as integers in
binary notation, then the specification of this module is that the output is the successor of the input, modulo
8. We state this specification formally later. The implementation defines the output, in terms of the input,
with combinational logic: o0 is the logical negation of i0; o1 is the exclusive-or of i0 and i1; and o2 is
the exclusive-or of the intermediate signal s0 and i2, where s0 is the conjunction of i0 and i1.
Definition.
(incrmt3*)
=
'(incrmt3 (i0 i1 i2) (o0 o1 o2)
   ((g0 (o0) b-not (i0))
    (g1 (o1) b-xor (i0 i1))
    (g2 (s0) b-and (i0 i1))
    (g3 (o2) b-xor (s0 i2)))
   nil)
The module definition is a list of five parts. The first part, incrmt3, is the name of the module. The
second part, (i0 i1 i2), is the list of input signals. The third part, (o0 o1 o2), is the list of output
signals. The fourth part is a list of "occurrences," each of which is a list of the form (occ-name
output mod-name input) meaning that the signals listed in the output list are those produced by
the module mod-name with input input in the current state. The occurrence names, occ-name, e.g.,
g0, g1, etc., are irrelevant here. The fifth part of a module definition is the list of state-holding
occurrences. In the module above there are none so the list is nil. Note that the "submodules" of
incrmt3 (the modules used in its definition) are b-not, b-xor, and b-and. These are all primitive but
in general they may be the name of other defined modules.
Incrmt3* can be thought of as a parameterized module generator that happens to have no parameters
(and thus is a constant). Many of our module generators take arguments that indicate the size of the data,
say, and use list processing functions to construct a suitable module definition. All of our module
generators have names that end in *.
In addition to its module definition generator, each module is associated with two other functions: a netlist
generator and a netlist recognizer. A netlist is just a list of module definitions. The netlist generator for a
module produces a list containing the definition of the module and all of its submodules. The netlist
generator for the incrmt3 module is shown below.
Definition.
(incrmt3$netlist)
=
(cons (incrmt3*)
      (union (b-not$netlist)
             (union (b-and$netlist)
                    (b-xor$netlist))))
All of our netlist generators have names that end in $netlist.
The netlist recognizer for incrmt3 recognizes when a given netlist contains the definition of incrmt3
and all of its submodules.
Definition.
(incrmt3& netlist)
=
(and (equal (lookup-module 'incrmt3 netlist) (incrmt3*))
     (and (b-not& (delete-module 'incrmt3 netlist))
          (and (b-and& (delete-module 'incrmt3 netlist))
               (b-xor& (delete-module 'incrmt3 netlist)))))
All of our netlist recognizers have names that end in &. Because the netlist generators and recognizers can
be deduced from the module definitions, we henceforth discuss only the module definition generators.
To specify and prove the correctness of modules we must have a way of formally deriving their outputs and
state changes from their inputs and their definitions. Bishop and Hunt define the NQTHM function
dual-eval which can be thought of as an interpreter for their HDL. Dual-eval's first argument is a
flag that determines whether the function returns the signals output by the module or the new state created
by the module. The signal values are returned if the flag is 0 and the state value is returned if the flag is 2.
Other values of the flag have other meanings.
Using dual-eval we can state the correctness of incrmt3.
Theorem.
(implies (and (incrmt3& netlist)
              (bvpn i 3))
         (equal (dual-eval 0 'incrmt3 i state netlist)
                (nat-to-v (add1 (v-to-nat i)) 3)))
This theorem says that if netlist contains the definition of incrmt3 and its submodules and i is a bit
vector of length 3, then the output produced by evaluating the incrmt3 module with input i, in any state,
is obtained by converting i to a natural number, incrementing it by one, and converting the result into a
3-bit vector. This formula has been proved by NQTHM.
Observe that if we proceeded to use incrmt3 as a submodule in some other module, and then tried to
prove that module correct, the netlist recognizer for that superior module would insist that the netlist
recognizer for incrmt3 were satisfied. Hence, if during the symbolic evaluation of that superior module
the question arose "what is the value of the incrmt3 module on i0...i2?" the answer is provided by the
correctness theorem for incrmt3 above. Thus, this methodology lets us "stack" modules and their
correctness theorems to build complex structures.
We can run a Common Lisp function on the definition of incrmt3 to translate it into NDL. The result is
MODULE INCRMT3;
INPUTS I0,I1,I2;
OUTPUTS O0,O1,O2;
LEVEL FUNCTION;
DEFINE
G0(O0) = IVA(I0);
G1(O1) = EO(I0,I1);
G2(S0) = AN2(I0,I1);
G3(O2) = EO(S0,I2);
END MODULE;
Note that the "deep" structure of the definition is identical. The primitive module names (for "invert,"
"exclusive or" and "and") are those supported by LSI Logic's design tools.
We can process this NDL description of the module with LSI Logic's "schematic liberator" and obtain the
mechanically drawn schematic diagram included in Appendix D.
4.2 Counter3
The following module, counter3-temp, merely conjoins the reset- signal with each of its other three
inputs. The three output signals of counter3-temp are thus f if reset- is f and are otherwise just the
input signals.
Definition.
(counter3-temp*)
=
'(counter3-temp (reset- i0 i1 i2)
   (d0 d1 d2)
   ((g0 (d0) b-and (reset- i0))
    (g1 (d1) b-and (reset- i1))
    (g2 (d2) b-and (reset- i2)))
   nil)
We use incrmt3, counter3-temp and our first state-holding device to construct counter3.
Definition.
(counter3*)
=
(list 'counter3
      '(clk te ti reset-)
      (indices 'q 0 3)
      (list (list 'reg
                  (indices 'q 0 3)
                  (index 'reg 3)
                  (cons 'clk
                        (cons 'te
                              (cons 'ti
                                    (indices 'd 0 3)))))
            (list 'inc
                  (indices 'i 0 3)
                  'incrmt3
                  (indices 'q 0 3))
            (list 'g0
                  (indices 'd 0 3)
                  'counter3-temp
                  (cons 'reset- (indices 'i 0 3))))
      'reg)
The expression (index name i) constructs an indexed name, e.g., (index 'reg 3) may be
thought of as 'REG3. The expression (indices name 0 k) constructs the list of k consecutive
indexed names starting from index 0.
Thus, the module above takes four input signals, clk, te, ti and reset-, and produces three output
signals, q0...q2. The first three input signals are used in LSI Logic's low level register module for the
clock, the test enable line, and the test input line. The two test signals allow us to chain registers together
so as to load and read the state of a module serially. In our designs we use the te and ti inputs to build
such "scan chains." But we do not discuss them here and we have not proved that our scan chains work;
all our theorems contain the hypothesis that the te signal is f, which means that our theorems address
themselves only to the behavior of our modules in non-test mode.
The first occurrence above, the one named reg, says that the three output signals, q0...q2, are obtained
from the module reg3 by giving it the six inputs clk, te, ti, d0...d2 in the current state. The reg3
module is a primitive module for a state-holding device of width 3. Its value is just the contents of the
current state (modulo the te and ti inputs which we do not further discuss). But the new state delivered
by reg3 is the list of three signals, d0...d2. Thus, this first occurrence sets the module output to the three
signals in the current state and makes the new state be d0...d2. But we have not defined these signals yet.
The second occurrence above, the one named inc, should be read "Let i0...i2 be obtained by
incrementing q0...q2 with the incrmt3 module." Thus, the i0...i2 represent the number one greater
(modulo 8) than the value returned by counter3.
Finally, the third occurrence above, named g0, defines d0...d2 to be the result of applying
counter3-temp to the reset- signal and i0...i2.
Note that the fifth part of the module definition above is 'reg. This is the single occurrence of a
state-holding device in the module and it describes the state returned by this module. In this case, the state
is just the 3-bit state of the reg3 module. In general the fifth part of a module definition is either a single
occurrence name or a (possibly empty) list of occurrence names.
Functionally, the counter3 module can be thought of as operating on four signal arguments and a 3-bit
state and producing three signal values and a 3-bit state. The signals returned are just those in the state in
which counter3 is evaluated. The state returned is obtained by incrementing its current state by one
(modulo 8) and zeroing it if reset- is f. This specification of counter3 is captured in the two
theorems shown below.
Theorem.
(implies (and (counter3& netlist)
              (equal te f)
              (bvp cnt)
              (equal (length cnt) 3))
         (equal (dual-eval 0 'counter3
                           (list clk te ti reset-)
                           cnt netlist)
                cnt))
Theorem.
(implies (and (counter3& netlist)
              (equal te f)
              (boolp reset-)
              (bvp cnt)
              (equal (length cnt) 3))
         (equal (dual-eval 2 'counter3
                           (list clk te ti reset-)
                           cnt netlist)
                (if reset-
                    (nat-to-v (add1 (v-to-nat cnt)) 3)
                  (list f f f))))
The first specifies the signals returned by counter3 and the second specifies the state returned.
The NDL for the two modules is
MODULE COUNTER3-TEMP;
INPUTS RESET-,I0,I1,I2;
OUTPUTS D0,D1,D2;
LEVEL FUNCTION;
DEFINE
G0(D0) = AN2(RESET-,I0);
G1(D1) = AN2(RESET-,I1);
G2(D2) = AN2(RESET-,I2);
END MODULE;
MODULE COUNTER3;
INPUTS CLK,TE,TI,RESET-;
OUTPUTS Q.0,Q.1,Q.2;
LEVEL FUNCTION;
DEFINE
REG(Q.0,Q.1,Q.2) = REG3(CLK,TE,TI,D.0,D.1,D.2);
INC(I.0,I.1,I.2) = INCRMT3(Q.0,Q.1,Q.2);
G0(D.0,D.1,D.2) = COUNTER3-TEMP(RESET-,I.0,I.1,I.2);
END MODULE;
4.3 Other Submodules
Our implementation of local-step uses six modules in addition to the three explained above. We
merely describe them here. The corresponding module definitions are shown in Appendix B.
Split-3-to-6 takes the three bits returned by the counter3 module, which correspond to
local-step's clock, and returns six signals, s0...s5, with the property that si is t iff the three input bits
represent the number i in binary. This module is a demultiplexor. When the clock is 6 or 7, all the output
signals are f.
Majority3 is a module parameterized by the data width n. It takes three n-bit vectors in. It delivers a
single bit, called maj-existsp, and an n-bit vector. If there is a majority element among the three input
vectors, the module sets maj-existsp to t and returns the majority element. Otherwise, it sets
maj-existsp to f and returns an n-bit vector of f.
Tv-if3 implements a nest of selectors (conditionals) that occurs several times in our implementation.
The module is parameterized by n. It takes the inputs c0, v0, c1, v1, c2, v2 and v3, where the ci are
single signals and the vi are bit vectors of width n. Its output is the n-bit vector specified by (if c0 v0
(if c1 v1 (if c2 v2 v3))).
Regs3 is a parameterized state-holding module that consists of three n-bit registers. It takes as input three
n-bit vectors (plus the usual clk, te, and ti used in all register modules), returns as its value the vectors
in the three registers, and stores its input vectors as the new state of the registers. We use regs3 to build a
row of local-step's matrix.
Regs4 is like regs3 except that it operates on four n-bit vectors. We use regs4 to represent the icv-reg
and the act-reg.
V-buf-pwr is a parameterized n-bit buffer module, a device that passes its n bits of input through but has
more drive than a normal buffer. We use it in order to make our implementation acceptable to a certain
formally defined predicate that checks the loads and drives on all our signals.
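As an added example (not code from the report or from the Brock-Hunt tools), the following Python models three of the submodules above at the bit level, keeping the reg/inc/g0 structure of counter3 and the v-equal/tv-if structure of majority3 from Appendix B, and checks them against the specifications stated in the text: the two counter3 theorems, the demultiplexor property of split-3-to-6, and the abstract majority vote. The function names and the bit-vector encoding (a list of booleans, index 0 least significant) are this example's own assumptions.

```python
from itertools import product
from typing import List, Tuple

Vec = List[bool]   # bit vector, index 0 = least significant bit (assumed encoding)


def v_to_nat(v: Vec) -> int:
    """Unsigned value of a bit vector (the report's v-to-nat)."""
    return sum(int(b) << i for i, b in enumerate(v))


def nat_to_v(n: int, width: int) -> Vec:
    """Bit vector of n truncated to width bits (the report's nat-to-v)."""
    return [bool((n >> i) & 1) for i in range(width)]


def incrmt3(q: Vec) -> Vec:
    """3-bit incrementer: q + 1 modulo 8, as used by the inc occurrence."""
    return nat_to_v(v_to_nat(q) + 1, 3)


def counter3_temp(reset_n: bool, i: Vec) -> Vec:
    """Gate level: d_k = AN2(reset-, i_k), so a low reset- zeroes the next state."""
    return [reset_n and b for b in i]


def counter3(reset_n: bool, cnt: Vec) -> Tuple[Vec, Vec]:
    """One clock of counter3 -> (outputs, new state).

    reg drives the outputs from the stored bits and latches d0..d2;
    inc and g0 compute d0..d2 combinationally from q0..q2."""
    q = cnt                          # reg: outputs are the current 3-bit state
    i = incrmt3(q)                   # inc: i0..i2 = q0..q2 + 1 (mod 8)
    d = counter3_temp(reset_n, i)    # g0: next state, zeroed when reset- is f
    return q, d


def split_3_to_6(c: Vec) -> Vec:
    """Demultiplexor: s_k is t iff c0..c2 encode k; values 6 and 7 give all f."""
    nc = [not b for b in c]
    return [
        nc[0] and nc[1] and nc[2],   # s0: value 0
        c[0] and nc[1] and nc[2],    # s1: value 1
        nc[0] and c[1] and nc[2],    # s2: value 2
        c[0] and c[1] and nc[2],     # s3: value 3
        nc[0] and nc[1] and c[2],    # s4: value 4
        c[0] and nc[1] and c[2],     # s5: value 5
    ]


def tv_if(c: bool, a: Vec, b: Vec) -> Vec:
    """n-bit selector: a if c else b."""
    return a if c else b


def majority3(x: Vec, y: Vec, z: Vec) -> Tuple[bool, Vec]:
    """majority3 as wired in Appendix B: three v-equal tests, an or3 for
    maj-existsp, and a chain of tv-if selectors choosing the majority vector."""
    e0, e1, e2 = x == y, x == z, y == z      # G0, G1, G2
    zero = [a ^ a for a in x]                # G2A: v-xor of x with itself
    maj_existsp = e0 or e1 or e2             # G3
    c = tv_if(e2, y, zero)                   # G4
    b = tv_if(e1, x, c)                      # G5
    a = tv_if(e0, x, b)                      # G6
    return maj_existsp, a


def abstract_majority(votes: List[Vec]) -> Tuple[bool, Vec]:
    """Specification-level vote: an element in more than half the votes,
    or (f, all-f vector) when no majority exists."""
    for cand in votes:
        if 2 * votes.count(cand) > len(votes):
            return True, cand
    return False, [False] * len(votes[0])


def check_counter3_spec() -> bool:
    """Both counter3 theorems, for every 3-bit state and both values of reset-."""
    for reset_n in (True, False):
        for n in range(8):
            cnt = nat_to_v(n, 3)
            out, new = counter3(reset_n, cnt)
            expect = nat_to_v(n + 1, 3) if reset_n else [False] * 3
            if out != cnt or new != expect:
                return False
    return True


def check_split_spec() -> bool:
    """s_i is t exactly when the counter value is i; 6 and 7 give no hot signal."""
    return all(split_3_to_6(nat_to_v(n, 3)) == [k == n for k in range(6)]
               for n in range(8))


def check_majority3_spec(width: int = 2) -> bool:
    """The gate-level vote agrees with the abstract vote on every triple."""
    vecs = [list(bits) for bits in product((False, True), repeat=width)]
    return all(majority3(x, y, z) == abstract_majority([x, y, z])
               for x, y, z in product(vecs, repeat=3))
```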
4.4 Lstep
We now describe our implementation of local-step. The module is called lstep. It is parameterized
by n, the sense data width. See Appendix B for the definition of the module.
Lstep takes the input signals clk, te, ti, reset- and four n-bit input vectors, sense, p0, p1 and
p2. It is a state-holding module whose state s satisfies (hunt-brock-statep s n). It returns
seven n-bit vectors, o0, o1, o2, a0, a1, a2 and a3, and one 3-bit vector, act-maj-existsp. The
three oi outputs represent local-step's outputs to the three peer processors. The four ai outputs
represent the "actuator icv"--the four vectors determining the light or final action taken by the
processor. The act-maj-existsp output indicates which of the first three ai actually denote
(maj-token).
The occurrences in the module are roughly described as follows. The three matrix rows are defined as
instances of the regs3 module. Matrix element M02 is used so often we have to buffer it with
v-buf-pwr. We define the data-out register as another instance of regs3, and take our three n-bit
oi vectors from them. We define icv-reg as an instance of regs4. We define act-reg as an instance
of regs4. We define icv-maj-existsp-reg and the act-maj-existsp-reg each as instances of
reg3.
We use counter3 to obtain and increment the clock and then use split-3-to-6 to demultiplex it into
at most one "hot" signal. The six outputs are fanned out into the logic below so as to sequence the steps
correctly. Two of the six, namely s1 and s2, are used so often that we have to buffer them in order to
drive all the dependent gates.
In the occurrences g1 through g6-m22v, we use tv-if3 and the primitive tv-if to shuffle data
between our inputs, data-out and the matrix rows as determined by which of the multiplexed clock
signals is t.
In the occurrences named g7, g8, and g9 we vote on the appropriate combinations of matrix elements,
using majority3 to obtain both the maj-existsp bit and the answer for each of the three votes. This
is done on every cycle but the results are ignored except when the clock signal s4 is t, when we put the
results into icv-reg and icv-maj-existsp-reg (in occurrences g11-icv0v through
g11-icv2v and g13). At occurrence g11-icv3v we put the sense input into icv3 when the clock
signal s0 is t.
In occurrences g12-a0v through g12-a3v we load act-reg from icv-reg if the clock signal s5 is
t. At g12-act-maj-exists we load act-maj-existsp-reg from icv-maj-existsp-reg if
the clock signal s5 is t.
Because lstep is parameterized we cannot exhibit an NDL display of it. But we can exhibit the NDL for
an instance. In Appendix C we show some of the NDL generated for the 8-bit wide version of lstep. In
Appendix D we include the top-level schematic for that instance of lstep.
5. The Theorem Proved by NQTHM
We have proved the following theorem about lstep.
Theorem.
(implies
 (and (not (zerop w))
      (bevier-young-statep state act-reg w)
      (lstep& netlist w)
      (bvpn sense w)
      (bvpn p0 w)
      (bvpn p1 w)
      (bvpn p2 w)
      (equal te f)
      (equal reset- t))
 (equal (local-step (list sense p0 p1 p2)
                    state)
        (up (dual-eval 2 (index 'lstep w)
                       (cons clk
                             (cons te
                                   (cons ti
                                         (cons reset-
                                               (append sense
                                                       (append p0
                                                               (append p1 p2)))))))
                       (down state act-reg w)
                       netlist))))
Observe the similarity between this theorem, proved by NQTHM, and the specification of the hardware,
Main. In particular, if we let w, above, be 8 and netlist, above, be (lstep$netlist 8), and we
observe that (not (zerop 8)) and (lstep& (lstep$netlist 8) 8), then the indicated
instance of the theorem above is just Main. Put another way, if we generate a netlist of the desired width
with lstep$netlist and it passes the lstep& test (which can be determined by computation), then we
know the netlist implements local-step.
Part of the NDL translation of (lstep$netlist 8) is shown in Appendix C.
It should be noted that the netlist produced by (lstep$netlist 8) passes the NQTHM predicate that
checks adherence to various design rules, including those constraining the loads and drives in the net.
6. Comments on our Design
After obtaining NDL for our verified design, we used LSI Logic, Inc. tools to analyze the design. One such
tool summarizes how our design uses the LSI gate array on which it could be built, the LMA9141C.
*****************************************************************************
*                  LDS-III DESIGN VERIFIER NETWORK SUMMARY
* PROJECT ID  : LIA6477           LDS ACCOUNT NAME : MDEACCT1
* ARRAY NAME  : LSTEP_8           ARRAY FAMILY     : LMA9K
* ARRAY TYPE  : LMA9141C
* CURRENT DATE: 09/04/91          CURRENT TIME: 16:26:10
* LMA9K LIBRARY DATE : 12/13/90   LMA9K LIBRARY REVISION : 10.12.0
* MEM10K LIBRARY DATE: 08/09/90   MEM10K LIBRARY REVISION: 10.09
* NETWORK STATISTICS AFTER CELL DELETIONS
* NUMBER OF CELLS DELETED: .......................................... 0
* NUMBER OF UNCONNECTED CELL OUTPUTS: ............................. 244
* NUMBER OF INPUT PINS (EXCLUDING BIDIRECTIONAL PINS): ............. 36
* NUMBER OF OUTPUT PINS (EXCLUDING BIDIRECTIONAL PINS): ............ 59
* NUMBER OF BIDIRECTIONAL PINS: ..................................... 0
* TOTAL NUMBER OF I/O SIGNAL PINS USED: ............................ 95
* RANGE OF POWER PINS REQUIRED (VSS & VDD) [min-max]: ........... 08-16
* NUMBER OF PAD LOCATIONS USED FOR INPUT PINS: ...................... 0
* NUMBER OF PAD LOCATIONS USED FOR OUTPUT PINS: ..................... 0
* NUMBER OF PAD LOCATIONS USED FOR BIDIRECTIONAL PINS: .............. 0
* TOTAL NUMBER OF PAD LOCATIONS USED FOR ABOVE: ..................... 0
* TOTAL NUMBER OF UNRESERVED PAD LOCATIONS AVAILABLE: ............. 110
* NUMBER OF I/O DEVICE LOCATIONS USED FOR BUFFERS: .................. 0
* TOTAL NUMBER OF I/O DEVICE LOCATIONS AVAILABLE: ................. 114
* NUMBER OF CELLS USED: 791            NUMBER OF GATES USED: 3438
* NUMBER OF CELL TYPES: 12             GATE USAGE (%): 24.34
* MAXIMUM PINS PER NET: 169            ARRAY AREA USAGE (%): 24.34
* NETS WITH 10<PINS/NET<=20: 3         NUMBER OF NETS: 826
* NETS WITH PINS/NET > 20: 2           AVERAGE PINS PER NET: 3.442
Observe that our design has 3438 gates. The number of io pins is 95. This is excessively high. It is due to
the fact that our design uses parallel io on 8-bit wide vectors. Recall that there are four 8-bit input vectors
plus four single-bit signals, for a total of 36 input pins. The module has seven 8-bit output vectors plus
three single-bit signals, for a total of 59 output pins. If one wished to exchange 32-bit wide sense data, the
number of pins required would be 359! Our design is parameterized by the data size and our netlist
generator produces correct designs for arbitrary data sizes. But such a summary is deceptive because the
design is not practical for realistic data sizes.
A more sensible design would use serial io, devoting one pin to each of the channels on which full vectors
are currently exchanged. This would reduce the pin count to eighteen and allow arbitrarily sized data at the
cost of waiting for it to stream in. In [4], we verify that a biphase mark communications protocol allows
reliable communication between two processors whose cycle times are within about 5% of each other. The
reader of this document will recognize that it would be straightforward to implement the biphase mark
specification in our Formal HDL and prove that we had done so. Proving that a Formal HDL description
implemented the send and recv of [4] would be an exercise very similar to proving that lstep
implements local-step--except it would be easier because there is no need to parameterize the
implementation and the state mapping is much simpler. Indeed, the whole approach taken in [4] was
motivated by our concern that the verification of the implementation of send and recv be straightforward
and independent of all extraneous considerations. The straightforward implementation of those two
functions would allow data to be sent at the burst rate of 1.1M bps if we clocked the microprocessors at
20MHz and had a suitable channel between them.
Our lstep--even ignoring its excessive pin requirements--is not suitable for fault-tolerant applications
because of the common clock assumption. Our processor implements local-step. Local-step was
proved by Bevier and Young to provide fault-tolerance when it was connected in a network with three
identical peers, all of which step in concert. More realistically, the four processors should each have an
independent clock. An algorithm like that verified in [6] should be used to get the processors in
approximate synchronization, so that they are all executing the same step of the algorithm during the same
time interval. Our model of asynchronous communications [4] would permit us to prove that two such
processors could communicate.
As we envision it, the low level specification of a realistic Byzantine agreement processor will be a
function, say async-local-step, which is like local-step but has a much finer temporal grain.
Async-local-step will break each of the six steps of local-step into hundreds of cycles and allow
for serial communication, clock synchronization, and a certain amount of waiting to keep each major step
sufficiently large to ensure that all processors step more or less together. Under an appropriate state
mapping, which would necessarily include some time abstraction, async-local-step could be shown
to implement local-step. The Formal HDL design would use async-local-step, not
local-step, as the specification. We offer this sketch of a realistic design effort merely to emphasize
how far we are from having achieved it.
Appendix A. The Formal Definition of LOCAL-STEP and GOOD-STATEP
Definition.
(length l)
=
(if (listp l)
    (add1 (length (cdr l)))
    0)

Shell Definition.
Add the shell state of five arguments
with recognizer statep and
accessors matrix, obuf, icv, light and clock.

Definition.
(make-list length initial-value)
=
(if (zerop length)
    nil
    (cons initial-value
          (make-list (sub1 length) initial-value)))

Definition.
(nth n l)
=
(if (listp l)
    (if (zerop n)
        (car l)
        (nth (sub1 n) (cdr l)))
    0)

Definition.
(put n v l)
=
(if (listp l)
    (if (zerop n)
        (cons v (cdr l))
        (cons (car l) (put (sub1 n) v (cdr l))))
    l)

Definition.
(nth2 i j x)
=
(nth j (nth i x))
In the original Bevier-Young work, MAJORITY was introduced by constraint. However, the function was
constrained to the point of being uniquely defined. We simply define it and its companion,
MAJORITY-EXISTS. In our mechanical proof script we include the events that establish that our
functions satisfy the constraints imposed on theirs. The uniqueness of their functions is not proved in our
script, though we have (elsewhere) led NQTHM to that conclusion.
Definition.
(occurrences x l)
=
(if (listp l)
    (if (equal x (car l))
        (add1 (occurrences x (cdr l)))
        (occurrences x (cdr l)))
    0)

Definition.
(majority1 cands votes)
=
(if (listp cands)
    (if (lessp (length votes)
               (times 2 (occurrences (car cands) votes)))
        (car cands)
        (majority1 (cdr cands) votes))
    0)

Definition.
(majority-exists1 cands votes)
=
(if (listp cands)
    (or (lessp (length votes) (times 2 (occurrences (car cands) votes)))
        (majority-exists1 (cdr cands) votes))
    f)

Shell Definition.
Add the shell maj-token
with recognizer maj-tokenp.

Definition.
(majority votes)
=
(if (majority-exists1 votes votes)
    (majority1 votes votes)
    (maj-token))

Definition.
(majority-exists votes)
=
(majority-exists1 votes votes)
Definition.
(compute-icv matrix icv)
=
(put 0
     (majority (list (nth2 0 0 matrix)
                     (nth2 1 2 matrix)
                     (nth2 2 1 matrix)))
     (put 1
          (majority (list (nth2 0 1 matrix)
                          (nth2 1 0 matrix)
                          (nth2 2 2 matrix)))
          (put 2
               (majority (list (nth2 0 2 matrix)
                               (nth2 1 1 matrix)
                               (nth2 2 0 matrix)))
               icv)))
The Bevier-Young function filter was introduced by constraint. We do not need any properties of
filter and thus introduce it by declaration (i.e., as an undefined, unconstrained function symbol).
Undefined Function.
(filter icv)

Definition.
(tablep n l)
=
(if (listp l)
    (and (equal (length (car l)) (fix n))
         (tablep n (cdr l)))
    t)

Definition.
(matrixp i j l)
=
(and (equal (length l) (fix i))
     (tablep j l))

Definition.
(good-statep x)
=
(and (statep x)
     (matrixp 3 3 (matrix x))
     (equal (length (obuf x)) 3)
     (equal (length (icv x)) 4)
     (numberp (clock x))
     (lessp (clock x) 8))

Definition.
(local-step input state)
=
(if (equal (remainder (clock state) 8) 0)
    (state (matrix state)
           (make-list 3 (nth 0 input))
           (put 3 (nth 0 input) (icv state))
           (light state)
           (remainder (plus 1 (clock state)) 8))
(if (equal (remainder (clock state) 8) 1)
    (state (put 0
                (list (nth 1 input)
                      (nth 2 input)
                      (nth 3 input))
                (matrix state))
           (list (nth 2 input)
                 (nth 1 input)
                 (nth 1 input))
           (icv state)
           (light state)
           (remainder (plus 1 (clock state)) 8))
(if (equal (remainder (clock state) 8) 2)
    (state (put 1
                (list (nth 1 input)
                      (nth 2 input)
                      (nth 3 input))
                (matrix state))
           (list (nth 2 (nth 0 (matrix state)))
                 (nth 2 (nth 0 (matrix state)))
                 (nth 1 (nth 0 (matrix state))))
           (icv state)
           (light state)
           (remainder (plus 1 (clock state)) 8))
(if (equal (remainder (clock state) 8) 3)
    (state (put 2
                (list (nth 1 input)
                      (nth 2 input)
                      (nth 3 input))
                (matrix state))
           (obuf state)
           (icv state)
           (light state)
           (remainder (plus 1 (clock state)) 8))
(if (equal (remainder (clock state) 8) 4)
    (state (matrix state)
           (obuf state)
           (compute-icv (matrix state) (icv state))
           (light state)
           (remainder (plus 1 (clock state)) 8))
(if (equal (remainder (clock state) 8) 5)
    (state (matrix state)
           (obuf state)
           (icv state)
           (filter (icv state))
           (remainder (plus 1 (clock state)) 8))
    (state (matrix state)
           (obuf state)
           (icv state)
           (light state)
           (remainder (plus 1 (clock state)) 8)))))))
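The following Python transcription of local-step, majority and compute-icv is an added example, not part of the report's NQTHM script. It runs one processor through a full 8-step clock cycle on constructed peer inputs (arranged to match the vote pattern of compute-icv, so that each vote sees one peer's direct value together with two relays of it) and shows a single garbled relay being masked by the vote while a double fault yields (maj-token). The undefined function filter is modelled as the identity, which is this example's assumption.

```python
from dataclasses import dataclass
from typing import Any, List


def occurrences(x, l):
    """Number of elements of l equal to x (Appendix A: occurrences)."""
    return sum(1 for e in l if e == x)


def majority1(cands, votes):
    """First candidate occurring in more than half of votes, else 0 (majority1)."""
    for c in cands:
        if len(votes) < 2 * occurrences(c, votes):
            return c
    return 0


def majority_exists1(cands, votes):
    return any(len(votes) < 2 * occurrences(c, votes) for c in cands)


MAJ_TOKEN = "maj-token"   # stands in for the shell constant (maj-token)


def majority(votes):
    """(majority votes): the strict majority element, or (maj-token) if none."""
    return majority1(votes, votes) if majority_exists1(votes, votes) else MAJ_TOKEN


def compute_icv(matrix, icv):
    """The three votes of compute-icv over the named matrix positions."""
    icv = list(icv)
    icv[0] = majority([matrix[0][0], matrix[1][2], matrix[2][1]])
    icv[1] = majority([matrix[0][1], matrix[1][0], matrix[2][2]])
    icv[2] = majority([matrix[0][2], matrix[1][1], matrix[2][0]])
    return icv


def filter_(icv):
    """filter is undefined in the report; the identity is this example's assumption."""
    return icv


@dataclass
class State:               # the five-field state shell of Appendix A
    matrix: List[List[Any]]
    obuf: List[Any]
    icv: List[Any]
    light: Any
    clock: int


def local_step(inp, s):
    """One step of local-step; inp = [sense, p0, p1, p2]."""
    sense, p = inp[0], list(inp[1:4])
    step, nxt = s.clock % 8, (s.clock + 1) % 8
    m = [row[:] for row in s.matrix]
    if step == 0:   # broadcast sense to the three peers; keep it as icv[3]
        icv = s.icv[:]
        icv[3] = sense
        return State(m, [sense] * 3, icv, s.light, nxt)
    if step == 1:   # row 0 <- direct values; relay p1 to peer 0, p0 to peers 1 and 2
        m[0] = p
        return State(m, [p[1], p[0], p[0]], s.icv, s.light, nxt)
    if step == 2:   # row 1 <- first relays; relay M02, M02, M01
        m[1] = p
        return State(m, [m[0][2], m[0][2], m[0][1]], s.icv, s.light, nxt)
    if step == 3:   # row 2 <- second relays
        m[2] = p
        return State(m, s.obuf, s.icv, s.light, nxt)
    if step == 4:   # vote
        return State(m, s.obuf, compute_icv(m, s.icv), s.light, nxt)
    if step == 5:   # act
        return State(m, s.obuf, s.icv, filter_(s.icv), nxt)
    return State(m, s.obuf, s.icv, s.light, nxt)   # steps 6 and 7: idle


def run_cycle(sense, rounds):
    """Run clocks 0..7; rounds[k] is the (p0, p1, p2) triple present at clock k."""
    s = State([[0] * 3 for _ in range(3)], [0] * 3, [0] * 4, 0, 0)
    trace = []
    for k in range(8):
        s = local_step([sense] + list(rounds[k]), s)
        trace.append(s)
    return s, trace


def demo(peer2_second_relay="B"):
    """Constructed inputs: the direct values A, B, C from peers 0, 1, 2 and two
    relay rounds of those same values. A different value for peer 2's second
    relay injects one faulty relay of B (its position is M22, voted in icv[1])."""
    rounds = [("-", "-", "-")] * 8
    rounds[1] = ("A", "B", "C")                   # direct values (row 0)
    rounds[2] = ("B", "C", "A")                   # first relay round (row 1)
    rounds[3] = ("C", "A", peer2_second_relay)    # second relay round (row 2)
    return run_cycle("S", rounds)
```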
Appendix B. The Formal Design
We exhibit the functions that generate each of our modules. For each such generator, fn*, there is also a
netlist generator fn$netlist and a netlist recognizer fn&. The netlist generator returns a list of the
generated module and each of its submodules. The netlist recognizer checks that the given netlist contains
the generated module and each of the required submodules.
Definition.
(COUNTER3*)
=
(LIST 'COUNTER3
      '(CLK TE TI RESET-)
      (INDICES 'Q 0 3)
      (LIST (LIST 'REG
                  (INDICES 'Q 0 3)
                  (INDEX 'REG 3)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS 'TI (INDICES 'D 0 3)))))
            (LIST 'INC
                  (INDICES 'I 0 3)
                  'INCRMT3
                  (INDICES 'Q 0 3))
            (LIST 'G0
                  (INDICES 'D 0 3)
                  'COUNTER3-TEMP
                  (CONS 'RESET- (INDICES 'I 0 3))))
      '(REG))
Definition.
(SPLIT-3-TO-6*)
=
'(SPLIT-3-TO-6 (C0 C1 C2)
               (S0 S1 S2 S3 S4 S5)
               ((G0 (NC0) B-NOT (C0))
                (G1 (NC1) B-NOT (C1))
                (G2 (NC2) B-NOT (C2))
                (G3 (S0) B-AND3 (NC0 NC1 NC2))
                (G4 (S1) B-AND3 (C0 NC1 NC2))
                (G5 (S2) B-AND3 (NC0 C1 NC2))
                (G6 (S3) B-AND3 (C0 C1 NC2))
                (G7 (S4) B-AND3 (NC0 NC1 C2))
                (G8 (S5) B-AND3 (C0 NC1 C2)))
               NIL)

Definition.
(MAJORITY3* N)
=
(LIST (INDEX 'MAJORITY3 N)
      (APPEND (INDICES 'X 0 N)
              (APPEND (INDICES 'Y 0 N)
                      (INDICES 'Z 0 N)))
      (CONS 'MAJ-EXISTSP (INDICES 'A 0 N))
      (LIST (LIST 'G0 '(E0)
                  (INDEX 'V-EQUAL N)
                  (APPEND (INDICES 'X 0 N)
                          (INDICES 'Y 0 N)))
            (LIST 'G1 '(E1)
                  (INDEX 'V-EQUAL N)
                  (APPEND (INDICES 'X 0 N)
                          (INDICES 'Z 0 N)))
            (LIST 'G2 '(E2)
                  (INDEX 'V-EQUAL N)
                  (APPEND (INDICES 'Y 0 N)
                          (INDICES 'Z 0 N)))
            (LIST 'G2A
                  (INDICES 'ZERO 0 N)
                  (INDEX 'V-XOR N)
                  (APPEND (INDICES 'X 0 N)
                          (INDICES 'X 0 N)))
            '(G3 (MAJ-EXISTSP) B-OR3 (E0 E1 E2))
            (LIST 'G4 (INDICES 'C 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'E2
                        (APPEND (INDICES 'Y 0 N)
                                (INDICES 'ZERO 0 N))))
            (LIST 'G5 (INDICES 'B 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'E1
                        (APPEND (INDICES 'X 0 N)
                                (INDICES 'C 0 N))))
            (LIST 'G6 (INDICES 'A 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'E0
                        (APPEND (INDICES 'X 0 N)
                                (INDICES 'B 0 N)))))
      NIL)
Definition.
(TV-IF3* N)
=
(LIST (INDEX 'TV-IF3 N)
      (CONS 'C0
            (APPEND (INDICES 'V0 0 N)
                    (CONS 'C1
                          (APPEND (INDICES 'V1 0 N)
                                  (CONS 'C2
                                        (APPEND (INDICES 'V2 0 N)
                                                (INDICES 'V3 0 N)))))))
      (INDICES 'OUTPUT 0 N)
      (LIST (LIST 'G0 (INDICES 'T1 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'C2
                        (APPEND (INDICES 'V2 0 N)
                                (INDICES 'V3 0 N))))
            (LIST 'G1 (INDICES 'T2 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'C1
                        (APPEND (INDICES 'V1 0 N)
                                (INDICES 'T1 0 N))))
            (LIST 'G2 (INDICES 'OUTPUT 0 N)
                  (INDEX 'TV-IF
                         (TREE-NUMBER (MAKE-TREE N)))
                  (CONS 'C0
                        (APPEND (INDICES 'V0 0 N)
                                (INDICES 'T2 0 N)))))
      NIL)
Definition.
(REGS3* N)
=
(LIST (INDEX 'REGS3 N)
      (CONS 'CLK
            (CONS 'TE
                  (CONS 'TI
                        (APPEND (INDICES 'R0 0 N)
                                (APPEND (INDICES 'R1 0 N)
                                        (INDICES 'R2 0 N))))))
      (APPEND (INDICES 'Q0 0 N)
              (APPEND (INDICES 'Q1 0 N)
                      (INDICES 'Q2 0 N)))
      (LIST (LIST 'REG0 (INDICES 'Q0 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS 'TI (INDICES 'R0 0 N)))))
            (LIST 'REG1 (INDICES 'Q1 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS (INDEX 'Q0 (SUB1 N))
                                    (INDICES 'R1 0 N)))))
            (LIST 'REG2 (INDICES 'Q2 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS (INDEX 'Q1 (SUB1 N))
                                    (INDICES 'R2 0 N))))))
      '(REG0 REG1 REG2))
Definition.
(REGS4* N)
=
(LIST (INDEX 'REGS4 N)
      (CONS 'CLK
            (CONS 'TE
                  (CONS 'TI
                        (APPEND (INDICES 'R0 0 N)
                                (APPEND (INDICES 'R1 0 N)
                                        (APPEND (INDICES 'R2 0 N)
                                                (INDICES 'R3 0 N)))))))
      (APPEND (INDICES 'Q0 0 N)
              (APPEND (INDICES 'Q1 0 N)
                      (APPEND (INDICES 'Q2 0 N)
                              (INDICES 'Q3 0 N))))
      (LIST (LIST 'REG0 (INDICES 'Q0 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS 'TI (INDICES 'R0 0 N)))))
            (LIST 'REG1 (INDICES 'Q1 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS (INDEX 'Q0 (SUB1 N))
                                    (INDICES 'R1 0 N)))))
            (LIST 'REG2 (INDICES 'Q2 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS (INDEX 'Q1 (SUB1 N))
                                    (INDICES 'R2 0 N)))))
            (LIST 'REG3 (INDICES 'Q3 0 N)
                  (INDEX 'REG N)
                  (CONS 'CLK
                        (CONS 'TE
                              (CONS (INDEX 'Q2 (SUB1 N))
                                    (INDICES 'R3 0 N))))))
      '(REG0 REG1 REG2 REG3))
Definition.
(V-BUF-PWR$BODY M N)
=
(IF (ZEROP N)
    NIL
    (CONS (LIST (INDEX 'G M)
                (LIST (INDEX 'Y M))
                'B-BUF-PWR
                (LIST (INDEX 'A M)))
          (V-BUF-PWR$BODY (ADD1 M) (SUB1 N))))

Definition.
(V-BUF-PWR* N)
=
(LIST (INDEX 'V-BUF-PWR N)
      (INDICES 'A 0 N)
      (INDICES 'Y 0 N)
      (V-BUF-PWR$BODY 0 N)
      NIL)
Definition.
(LSTEP* N)
=
(LIST
 (INDEX 'LSTEP N)
 (CONS 'CLK
       (CONS 'TE
             (CONS 'TI
                   (CONS 'RESET-
                         (APPEND (INDICES 'SENSE 0 N)
                                 (APPEND (INDICES 'P0 0 N)
                                         (APPEND (INDICES 'P1 0 N)
                                                 (INDICES 'P2 0 N))))))))
 (APPEND (INDICES 'O0 0 N)
         (APPEND (INDICES 'O1 0 N)
                 (APPEND (INDICES 'O2 0 N)
                         (APPEND (INDICES 'ACT-MAJ-EXISTSP 0 3)
                                 (APPEND (INDICES 'A0 0 N)
                                         (APPEND (INDICES 'A1 0 N)
                                                 (APPEND (INDICES 'A2 0 N)
                                                         (INDICES 'A3 0 N))))))))
 (LIST
  '(CNT (C0 C1 C2)
        COUNTER3
        (CLK TE TI RESET-))
  '(G0 (S0 S1WEAK S2WEAK S3 S4 S5)
       SPLIT-3-TO-6
       (C0 C1 C2))
  '(G0A (S1) B-BUF-PWR (S1WEAK))
  '(G0B (S2) B-BUF-PWR (S2WEAK))
  (LIST 'MATRIX0
        (APPEND (INDICES 'M00 0 N)
                (APPEND (INDICES 'M01 0 N)
                        (INDICES 'M02WEAK 0 N)))
        (INDEX 'REGS3 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS 'C2
                          (APPEND (INDICES 'M00V 0 N)
                                  (APPEND (INDICES 'M01V 0 N)
                                          (INDICES 'M02V 0 N)))))))
  (LIST 'MATRIX0A
        (INDICES 'M02 0 N)
        (INDEX 'V-BUF-PWR N)
        (INDICES 'M02WEAK 0 N))
  (LIST 'MATRIX1
        (APPEND (INDICES 'M10 0 N)
                (APPEND (INDICES 'M11 0 N)
                        (INDICES 'M12 0 N)))
        (INDEX 'REGS3 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'M02 (SUB1 N))
                          (APPEND (INDICES 'M10V 0 N)
                                  (APPEND (INDICES 'M11V 0 N)
                                          (INDICES 'M12V 0 N)))))))
  (LIST 'MATRIX2
        (APPEND (INDICES 'M20 0 N)
                (APPEND (INDICES 'M21 0 N)
                        (INDICES 'M22 0 N)))
        (INDEX 'REGS3 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'M12 (SUB1 N))
                          (APPEND (INDICES 'M20V 0 N)
                                  (APPEND (INDICES 'M21V 0 N)
                                          (INDICES 'M22V 0 N)))))))
  (LIST 'DATA-OUT
        (APPEND (INDICES 'O0 0 N)
                (APPEND (INDICES 'O1 0 N)
                        (INDICES 'O2 0 N)))
        (INDEX 'REGS3 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'M22 (SUB1 N))
                          (APPEND (INDICES 'O0V 0 N)
                                  (APPEND (INDICES 'O1V 0 N)
                                          (INDICES 'O2V 0 N)))))))
  (LIST 'ICV-REG
        (APPEND (INDICES 'ICV0 0 N)
                (APPEND (INDICES 'ICV1 0 N)
                        (APPEND (INDICES 'ICV2 0 N)
                                (INDICES 'ICV3 0 N))))
        (INDEX 'REGS4 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'O2 (SUB1 N))
                          (APPEND (INDICES 'ICV0V 0 N)
                                  (APPEND (INDICES 'ICV1V 0 N)
                                          (APPEND (INDICES 'ICV2V 0 N)
                                                  (INDICES 'ICV3V 0 N))))))))
  (LIST 'ACT-REG
        (APPEND (INDICES 'A0 0 N)
                (APPEND (INDICES 'A1 0 N)
                        (APPEND (INDICES 'A2 0 N)
                                (INDICES 'A3 0 N))))
        (INDEX 'REGS4 N)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'ICV3 (SUB1 N))
                          (APPEND (INDICES 'A0V 0 N)
                                  (APPEND (INDICES 'A1V 0 N)
                                          (APPEND (INDICES 'A2V 0 N)
                                                  (INDICES 'A3V 0 N))))))))
  (LIST 'ICV-MAJ-EXISTSP-REG
        (INDICES 'ICV-MAJ-EXISTSP 0 3)
        (INDEX 'REG 3)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (INDEX 'A3 (SUB1 N))
                          (INDICES 'ICV-MAJ-EXISTSPV 0 3)))))
  (LIST 'ACT-MAJ-EXISTSP-REG
        (INDICES 'ACT-MAJ-EXISTSP 0 3)
        (INDEX 'REG 3)
        (CONS 'CLK
              (CONS 'TE
                    (CONS (IND 'ICV-MAJ-EXISTSP 2)
                          (INDICES 'ACT-MAJ-EXISTSPV 0 3)))))
  (LIST 'G1
        (INDICES 'O0V 0 N)
        (INDEX 'TV-IF3 N)
        (CONS 'S0
              (APPEND (INDICES 'SENSE 0 N)
                      (CONS 'S1
                            (APPEND (INDICES 'P1 0 N)
                                    (CONS 'S2
                                          (APPEND (INDICES 'M02 0 N)
                                                  (INDICES 'O0 0 N))))))))
  (LIST 'G2
        (INDICES 'O1V 0 N)
        (INDEX 'TV-IF3 N)
        (CONS 'S0
              (APPEND (INDICES 'SENSE 0 N)
                      (CONS 'S1
                            (APPEND (INDICES 'P0 0 N)
                                    (CONS 'S2
                                          (APPEND (INDICES 'M02 0 N)
                                                  (INDICES 'O1 0 N))))))))
  (LIST 'G3
        (INDICES 'O2V 0 N)
        (INDEX 'TV-IF3 N)
        (CONS 'S0
              (APPEND (INDICES 'SENSE 0 N)
                      (CONS 'S1
                            (APPEND (INDICES 'P0 0 N)
                                    (CONS 'S2
                                          (APPEND (INDICES 'M01 0 N)
                                                  (INDICES 'O2 0 N))))))))
  (LIST 'G4-M00V
        (INDICES 'M00V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S1
              (APPEND (INDICES 'P0 0 N)
                      (INDICES 'M00 0 N))))
  (LIST 'G4-M01V
        (INDICES 'M01V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S1
              (APPEND (INDICES 'P1 0 N)
                      (INDICES 'M01 0 N))))
  (LIST 'G4-M02V
        (INDICES 'M02V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S1
              (APPEND (INDICES 'P2 0 N)
                      (INDICES 'M02 0 N))))
  (LIST 'G5-M10V
        (INDICES 'M10V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S2
              (APPEND (INDICES 'P0 0 N)
                      (INDICES 'M10 0 N))))
  (LIST 'G5-M11V
        (INDICES 'M11V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S2
              (APPEND (INDICES 'P1 0 N)
                      (INDICES 'M11 0 N))))
  (LIST 'G5-M12V
        (INDICES 'M12V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S2
              (APPEND (INDICES 'P2 0 N)
                      (INDICES 'M12 0 N))))
  (LIST 'G6-M20V
        (INDICES 'M20V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S3
              (APPEND (INDICES 'P0 0 N)
                      (INDICES 'M20 0 N))))
  (LIST 'G6-M21V
        (INDICES 'M21V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S3
              (APPEND (INDICES 'P1 0 N)
                      (INDICES 'M21 0 N))))
  (LIST 'G6-M22V
        (INDICES 'M22V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S3
              (APPEND (INDICES 'P2 0 N)
                      (INDICES 'M22 0 N))))
  (LIST 'G7
        (CONS (INDEX 'ICV-MAJ-EXISTSPV1 0)
              (INDICES 'MJRTY0 0 N))
        (INDEX 'MAJORITY3 N)
        (APPEND (INDICES 'M00 0 N)
                (APPEND (INDICES 'M12 0 N)
                        (INDICES 'M21 0 N))))
  (LIST 'G8
        (CONS (INDEX 'ICV-MAJ-EXISTSPV1 1)
              (INDICES 'MJRTY1 0 N))
        (INDEX 'MAJORITY3 N)
        (APPEND (INDICES 'M01 0 N)
                (APPEND (INDICES 'M10 0 N)
                        (INDICES 'M22 0 N))))
  (LIST 'G9
        (CONS (INDEX 'ICV-MAJ-EXISTSPV1 2)
              (INDICES 'MJRTY2 0 N))
        (INDEX 'MAJORITY3 N)
        (APPEND (INDICES 'M02 0 N)
                (APPEND (INDICES 'M11 0 N)
                        (INDICES 'M20 0 N))))
  (LIST 'G11-ICV0V
        (INDICES 'ICV0V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S4
              (APPEND (INDICES 'MJRTY0 0 N)
                      (INDICES 'ICV0 0 N))))
  (LIST 'G11-ICV1V
        (INDICES 'ICV1V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S4
              (APPEND (INDICES 'MJRTY1 0 N)
                      (INDICES 'ICV1 0 N))))
  (LIST 'G11-ICV2V
        (INDICES 'ICV2V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S4
              (APPEND (INDICES 'MJRTY2 0 N)
                      (INDICES 'ICV2 0 N))))
  (LIST 'G11-ICV3V
        (INDICES 'ICV3V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S0
              (APPEND (INDICES 'SENSE 0 N)
                      (INDICES 'ICV3 0 N))))
  (LIST 'G12-A0V
        (INDICES 'A0V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S5
              (APPEND (INDICES 'ICV0 0 N)
                      (INDICES 'A0 0 N))))
  (LIST 'G12-A1V
        (INDICES 'A1V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S5
              (APPEND (INDICES 'ICV1 0 N)
                      (INDICES 'A1 0 N))))
  (LIST 'G12-A2V
        (INDICES 'A2V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S5
              (APPEND (INDICES 'ICV2 0 N)
                      (INDICES 'A2 0 N))))
  (LIST 'G12-A3V
        (INDICES 'A3V 0 N)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE N)))
        (CONS 'S5
              (APPEND (INDICES 'ICV3 0 N)
                      (INDICES 'A3 0 N))))
  (LIST 'G12-ACT-MAJ-EXISTS
        (INDICES 'ACT-MAJ-EXISTSPV 0 3)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE 3)))
        (CONS 'S5
              (APPEND (INDICES 'ICV-MAJ-EXISTSP 0 3)
                      (INDICES 'ACT-MAJ-EXISTSP 0 3))))
  (LIST 'G13
        (INDICES 'ICV-MAJ-EXISTSPV 0 3)
        (INDEX 'TV-IF
               (TREE-NUMBER (MAKE-TREE 3)))
        (CONS 'S4
              (APPEND (INDICES 'ICV-MAJ-EXISTSPV1 0 3)
                      (INDICES 'ICV-MAJ-EXISTSP 0 3)))))
 '(CNT MATRIX0 MATRIX1 MATRIX2 DATA-OUT ICV-REG ACT-REG
   ICV-MAJ-EXISTSP-REG ACT-MAJ-EXISTSP-REG))
Appendix C. The NDL for LSTEP_8
Below we display part of a netlist that has been proved (by construction) to implement local-step for a
data path width of 8. The syntax of the display is NDL, the Netlist Description Language of LSI Logic Inc.
The complete netlist occupies about 9 pages.
MODULE LSTEP a;
I_uTs cox, _, _z, _sss_-, sZNsZ.0, sz_sz. 1, sZ_SS_2_SZNsz_31Sz_Sz. 4, sz,sz, s,
SENSZ. 6, SENSE. 7,1_0.0,P0.Z,P0.2,P0.3,P0.4,P0.5,P0.6,P0.7,eZ. 0,PZ. 1,
PI. 2, PI. 3,PI. 4,PI.5, PI. 6,PI. 7, P2.0,P2.I,P2.2, P2.3,P2.4, P2.5,P2.6, P2.7;
OUTPUTS 00.0, O0.I, 00.2,O0.3,00.4,00.5,O0.6,O0.7,01.0, O1.I, O1.2, O1.3,01.4,
01.5, O1.6, O1.7, O2.0,02. I, 02.2, O2.3, O2.4,02.5, O2.6, 02.7,
ACT-MAJ-EXISTSP. 0, ACT-MAJ-EXISTSP. i, ACT-MAJ-EXZSTSP. 2, A0. O, A0.1, AO. 2,
A0.3,A0.4,A0.5,A0.6, Z0.7,AI. 0,AI. I, JLI.2, JLl.3, Jkl. 4,AI. 5, A1.6, AI. 7,
A2.0, A2. I,A2.2,A2.3, A2.4,A2. $,A2.6, A2.7,A3.0,A3. I, A3.2,A3.3,A3.4,
A3.5,A3.6,A3.7;
LEVEL FUNCTION;
DEFIME
CNT(C0,CI,C2) m COUNTER3(CLK, TE,TI,RESET-) ;
GO (SO, SIIN[JLK, $2W]U,K, $3, $4, $5) " SPLIT-3-TO-6 (CO, Cl, C2) ;
GOJL(SI) m B-BOIe-PIIR(SIWIUUK) ;
GOB(S2) m B-BUF-PWR(S2WEAK) ;
MATRIX0 (MOO. 0,MOO. I, MOO. 2, MOO. 3, M00.4, MOO. 5, M00.6, M00.7, M01.0, M01.1, M01.2,
uoz. 3, zeoz.4, Noz. s, Moz. _, Noz. _, uo_,'zu_. o, Mo_auu_. z, _0_U_K. 2,
_ogmt,_z. 3, _o_mu_. 4, No2zau_. s, _0_kt. _, _o_. _]
m REGS3_8 (C/K, 11, C2, MOOV. 0, MOOV. 1, M00V. 2, M00V. 3, M00V. 4, M00V. 5, MOOV. 6,
N00V. 7, M01V. 0, M01V. 1, M01V. 2, M01V. 3, M01V. 4, M01V. 5, M01V. 6, M01V. 7,
MG2V. 0,M02V. I, M02V. 2, M02V. 3, M02V. 4, M02V. 5, M02V. 6,M02V. 7) ;
MATRIXOA (M02.0, N02. I, M02.2, M02.3, M02.4, N02.5, M02.6, M02.7)
= v-noz,-P_m_s (z4o_. o, _o_. z, _02WZAK.2, _0_ZAK. a, M0_. 4, Z4o_au_. 5,
M02WEAK. 6,M021_JULK. 7) ; = .....
MATRIX1 (MI0.0, MI0. I, MI0.2, MI0.3, MI0.4, MI0.5, MI0.6, MI0.7, MII. 0, MII. 1, MII. 2,
MI_,M_. 4, M_I. 5, MII. 6, MII. 7, MI2.0, Mi_2,1, MI2.2, MI2.3, MI2,4, MI2,5,
MI2.6, MI2.7)
•, REGS3 8(CLK, 11,M02.7,MIOV.0,MIOV.I,MI0V.2,M_0V.3,MIOV.4,MIOV.5,MIOV. 6,
m or. 7, m zv. o_fl.Z_-_z. m zv. 2, m zv. 3, m Zv, 4_z;_.zv. s, m zv. _, z,n.zv. "_,
MI2V. 0, MI2V. I, MI2V. 2, MI2V. 3, ME2V. 4, MI2V. S, MI2V. 6,MI2V. 7) ;
m
W
Z_
w
28
z
i
w
u
m
m
w
m
MAT_ZX2(W20.0,M20.i, i(20._2,_0.3, U20.4, X20. S,U20.6, g20. _,ii_i. 0, M2Z.l, _I. 2,
W21.3, N21.4, M21.5, M21.6, M21.7,W22.0, K22. i, 1422.2, I_2 • 3, X22 • 4,M22.5,
1(22.6,1422.7)
•, REGS3 6(CLK, TE,MI2.7,M20V.0,M20V.I,M20V.2,M20V.3,M20V.4,M20V.5,M20V-6,
-- M20V. 7,M21V. 0,M21V. i, M21V. 2, M21V. 3, M21V. 4,M21V. 5, M21V. 6, M21V. 7,
M22V. 0,M22V. I,M22V. 2,M22V.3, M22V. 4, M22V. 5,M22V. 6,M22V. 7) ;
DATA-OUT (O0.0,00. i, O0.2,O0.3, O0.4,00.5, O0.6, 00.7,01.0,01.1,01.2,O1.3,01.4,
O1.5, O1.6, O1.7,O2.0, O2.1,02.2, O2.3, O2.4,02.5,02- 6, 02- 7)
•_ RE_,S3 _CLK, TE,M22.?,O0V.0,OOV.I,OOV.2,OOV.3,O0V.4,O0V.5,OOV-6,00V.7,
OIV. 0, OIV. i, OIV. 2, OIV. 3, OIV. 4, OIV. 5, OIV. 6, OIV. 7,02V. 0,02V. i,
02V. 2, O2V. 3,02V. 4, O2V. 5, 02V. 6, O2V. 7) ;
ICV-REG (ICV0.0, ICV0.1, ICV0.2, ICV0.3, ICV0.4, ICV0.5, ICV0.6, ZCV0.7, ICVl. 0,
ICVI. 1, ZCVI. 2, ICVI. 3, ICVI. 4, ICVI. 5, ICVI. 6, ICVl. 7, ICV2.0, ICV2.1,
ICV2.2, ICV2.3, ZCV2.4, ICV2.5, ICV2.6, ICV2.7, ICV3.0, ICV3. I, ICV3.2,
ZCV3.3, ICV3.4, ICV3.5, ICV3.6, ICV3.7)
•. REGS4_8 (CLK, TE, 02.7, ICV0V. 0, ICVOV. I, ICVOV, 2, ZCV0V. 3, ICVOV. 4, ICVOV. 5,
ICV0V. 6, ICV0V. 7, ICVIV. 0, ICVlV. 1, ICVIV. 2, ICVIV. 3, ICVIV. 4, ICVlV. 5,
ICVIV. 6, ICVIV. 7, ICV2V. 0, ICV2V. i, ICV2V. 2, ICV2V. 3, ICV2V. 4, ICV2V. 5,
ICV2V. 6, ICV2V. 7, ICV3V. 0, ICV3V. I, ICV3V. 2, ICV3V. 3, ICV3V. 4, ICV3V, 5,
ICV3V. 6, ICV3V. 7) ;
G9 (ICV-MAJ-EXISTSPVI .2, MJRTY2 .0, MJRTY2 .I, MJRTY2 .2, MJRTY2 .3, MJRTY2 .4, MJRTY2 .5,
MJRTY2 . 6,MJRTY2 .7)
•. MAJORITY3_8 (M02.0, M02. I, M02.2, M02.3, M02.4, M02.5, M02 •6, M02.7, MII •0, MII •I,
MII. 2, MII. 3, MII. 4,MII. 5, MII. 6,MII. 7, M20.0, M20. I, M20.2, M20- 3,
M20.4, M20.5, M20.6, M20.7) ;
_11-ICV2v(icv2vo,zcv2v,i,z_2v 2,icv2v.3,zcwv 4,zcv2v,s,zcv2v.G,zcwv _)
- _- z__e (s4,.0_2.0,.0_2.1,)_'R_2.2,_2.3, _2.4,.0_2. s,
.0_2. s,.o_2.7, i_2. o, ICW. 1, ic_. 2, z_2.3, _2.4, I_2. s,
zcv2. _, zcw. 7) ;
_11-zc'v3v(zcv3v.o,zcv3v,i,zcv3v.2,zcv3v.3,zcv3v._,zcv3v,s,:cv3v._,zcv_v._)
- _v-_r__ (so, s_ms,,, o,s_ms_. _, s]ms_. _, s_ms_. 3, s_sz. 4, sm, sz. _, s_ms,,. _,
SENSE. 7, IC'V3.0, IC'V3.1, ICV3.2, ICV3.3, ICV3.4, IC'V3. S, IC'V3.6, ICV3.7) ;
_._,-_v(,,_v.o,_v. _,_ov._,_v. 3,_v. 4,_v. s,_v. s,A_V._)
- TV-IF_8 (S5, ICV3.0, ICV3.1, ICV3.2, ICV3.3, ICV3.4, ICV3.5, ICV3.6, ICV3.7, A3.0,
A3. i,_3.2,A3.3, &3.4,A3.5,A3.6, &3.7) ;
G12-&CT-MAJ-EXISTS (ACT-MAJ-EXISTSPV. 0, ACT-MAJ-EXISTSPV. i, ACT-MAJ-EXISTSPV. 2 )
- TV-IF_I 4 (S5, ICV-MAJ-EXISTSP. 0, ICV-M3_-EXISTSP. i, ICV-MAJ-EXISTSP. 2,
ACT-MAJ-EXISTSP. 0,ACT-MAJ-EXISTSP. I, ACT-MAJ-EXZSTSP. 2 ) ;
G13 (ICV-M_J-EXI STSPV. 0, ICV-MAJ-EXI STSPV. I, ICV-MAJ-EXI STSPV. 2 )
- TV-ZF..14 ($4, ICV-MAJ-EXISTSPVI. 0, ICV-M).J'_STSPVI. I, ICV-M_J-EXZSTSPVI. 2,
ICV-M]LJ-EXISTSP. 0, ICV-MAJ-EXISTSP. i, ICV-MAJ-EXISTSP. 2) ;
END MODULE;
MODULE SPLIT-3-TO-6;
INPUTS C0, C1, C2;
OUTPUTS S0, S1, S2, S3, S4, S5;
LEVEL FUNCTION;
DEFINE
G0(NC0) = IVA(C0);
G1(NC1) = IVA(C1);
G2(NC2) = IVA(C2);
G3(S0) = AN3(NC0, NC1, NC2);
G4(S1) = AN3(C0, NC1, NC2);
G5(S2) = AN3(NC0, C1, NC2);
G6(S3) = AN3(C0, C1, NC2);
G7(S4) = AN3(NC0, NC1, C2);
G8(S5) = AN3(C0, NC1, C2);
END MODULE;
MODULE MAJORITY3_8;
INPUTS X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, Y.0, Y.1, Y.2, Y.3, Y.4, Y.5, Y.6, Y.7, Z.0,
       Z.1, Z.2, Z.3, Z.4, Z.5, Z.6, Z.7;
OUTPUTS MAJ-EXISTSP, A.0, A.1, A.2, A.3, A.4, A.5, A.6, A.7;
LEVEL FUNCTION;
DEFINE
G0(E0)
 = V-EQUAL_8(X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, Y.0, Y.1, Y.2, Y.3, Y.4, Y.5, Y.6,
             Y.7);
G1(E1)
 = V-EQUAL_8(X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, Z.0, Z.1, Z.2, Z.3, Z.4, Z.5, Z.6,
             Z.7);
G2(E2)
 = V-EQUAL_8(Y.0, Y.1, Y.2, Y.3, Y.4, Y.5, Y.6, Y.7, Z.0, Z.1, Z.2, Z.3, Z.4, Z.5, Z.6,
             Z.7);
G2A(ZERO.0, ZERO.1, ZERO.2, ZERO.3, ZERO.4, ZERO.5, ZERO.6, ZERO.7)
 = V-XOR_8(X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7);
G3(MAJ-EXISTSP) = OR3(E0, E1, E2);
G4(C.0, C.1, C.2, C.3, C.4, C.5, C.6, C.7)
 = TV-IF_8(E2, Y.0, Y.1, Y.2, Y.3, Y.4, Y.5, Y.6, Y.7, ZERO.0, ZERO.1, ZERO.2, ZERO.3,
           ZERO.4, ZERO.5, ZERO.6, ZERO.7);
G5(B.0, B.1, B.2, B.3, B.4, B.5, B.6, B.7)
 = TV-IF_8(E1, X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, C.0, C.1, C.2, C.3, C.4, C.5, C.6,
           C.7);
G6(A.0, A.1, A.2, A.3, A.4, A.5, A.6, A.7)
 = TV-IF_8(E0, X.0, X.1, X.2, X.3, X.4, X.5, X.6, X.7, B.0, B.1, B.2, B.3, B.4, B.5, B.6,
           B.7);
END MODULE;
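The two modules above are small enough to be checked by brute force against the functional behaviour they are meant to provide: SPLIT-3-TO-6 decodes a 3-bit step count into one-hot select lines S0..S5, and MAJORITY3_8 returns the 8-bit value held by at least two of its three inputs (zero if no two agree) together with a flag saying whether such a majority exists, which is the vote the Oral Messages processor needs. The following Python model is an added example and is not code from the report or from Computational Logic, Inc. It assumes the obvious semantics for the cell names in the NDL text (IVA an inverter, AN3 a 3-input AND, OR3 a 3-input OR, V-EQUAL_8 vector equality, V-XOR_8 bitwise XOR, TV-IF_8 an 8-bit two-way multiplexer); those readings are inferred from how the cells are used here, not taken from the LSI Logic library documentation. The test vectors are constructed for the example.

```python
# Added example: bit-level Python model of MODULE SPLIT-3-TO-6 and
# MODULE MAJORITY3_8 from the NDL above, checked against a functional spec.
# Cell semantics (IVA, AN3, OR3, V-EQUAL_8, V-XOR_8, TV-IF_8) are ASSUMED
# from context; vectors are tuples of 0/1 with element i standing for bit .i.
from itertools import product

# --- primitive cells -------------------------------------------------------
def iva(a):                       # inverter
    return 1 - a

def an3(a, b, c):                 # 3-input AND
    return a & b & c

def or3(a, b, c):                 # 3-input OR
    return a | b | c

def v_equal_8(x, y):              # 1 iff the two 8-bit vectors are equal
    return int(all(xi == yi for xi, yi in zip(x, y)))

def v_xor_8(x, y):                # bitwise XOR of two 8-bit vectors
    return tuple(xi ^ yi for xi, yi in zip(x, y))

def tv_if_8(sel, then_v, else_v):  # 8-bit mux: then_v if sel else else_v
    return tuple(then_v) if sel else tuple(else_v)

# --- MODULE SPLIT-3-TO-6: one-hot decode of the step count (C2 C1 C0) ----
def split_3_to_6(c0, c1, c2):
    nc0, nc1, nc2 = iva(c0), iva(c1), iva(c2)
    return (an3(nc0, nc1, nc2),   # S0: count = 0
            an3(c0, nc1, nc2),    # S1: count = 1
            an3(nc0, c1, nc2),    # S2: count = 2
            an3(c0, c1, nc2),     # S3: count = 3
            an3(nc0, nc1, c2),    # S4: count = 4
            an3(c0, nc1, c2))     # S5: count = 5  (counts 6, 7 select no line)

# --- MODULE MAJORITY3_8: gate-for-gate transcription of the NDL ------------
def majority3_8(x, y, z):
    e0 = v_equal_8(x, y)
    e1 = v_equal_8(x, z)
    e2 = v_equal_8(y, z)
    zero = v_xor_8(x, x)          # X xor X: a constant all-zero vector
    maj_existsp = or3(e0, e1, e2)
    c = tv_if_8(e2, y, zero)      # Y == Z        -> Y, else 0
    b = tv_if_8(e1, x, c)         # X == Z        -> X, else c
    a = tv_if_8(e0, x, b)         # X == Y        -> X, else b
    return maj_existsp, a

# --- functional specification the netlist should implement -----------------
def to_bits(n):                   # 8-bit little-endian tuple, element i = bit .i
    return tuple((n >> i) & 1 for i in range(8))

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def spec_majority(x, y, z):
    """Value held by at least two of three inputs (else 0), plus existence flag."""
    if x == y or x == z:
        return True, x
    if y == z:
        return True, y
    return False, 0

def check_split():
    """Exhaustive over all 8 counts: exactly the matching S line is high for 0..5."""
    for n in range(8):
        s = split_3_to_6(n & 1, (n >> 1) & 1, (n >> 2) & 1)
        if s != tuple(int(i == n) for i in range(6)):
            return False
    return True

def check_majority(values=(0x00, 0x01, 0x5A, 0xA5, 0xFF)):
    """All triples over a constructed value set, covering every agreement pattern
    (all equal, each pair equal, no majority) against spec_majority."""
    for x, y, z in product(values, repeat=3):
        flag, a = majority3_8(to_bits(x), to_bits(y), to_bits(z))
        exp_flag, exp_val = spec_majority(x, y, z)
        if bool(flag) != exp_flag or from_bits(a) != exp_val:
            return False
    return True

if __name__ == "__main__":
    print("SPLIT-3-TO-6 matches spec:", check_split())
    print("MAJORITY3_8 matches spec:", check_majority())
```

The check is exhaustive for the decoder and covers every agreement pattern for the majority circuit; the interesting cases are the no-majority triple, where the netlist must output zero and a low MAJ-EXISTSP, and the triple where only Y and Z agree, which is routed through all three TV-IF_8 stages.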
Appendix D. Mechanically Produced Schematics
Below we show the schematics produced by LSI Logic, Inc.'s design tool "Liberate" from the NDL in
Appendix C. We include the schematics for incrmt3, majority3 and lstep_8 only. These
schematics are exhibited to emphasize the point that the NDL produced from our verified design can be
processed by commercial design tools. This copyrighted material is used with the permission of LSI Logic,
Inc.
[Schematics for incrmt3, majority3 and lstep_8 (report pages 30-37): graphics not reproduced in this text extraction.]
References
1. W.R. Bevier and W.D. Young. The Proof of Correctness of a Fault-Tolerant Circuit Design.
Proceedings of the Second International Working Conference on Dependable Computing for Critical
Applications. February, 1991, pp. 107-114.
2. R. S. Boyer and J S. Moore. A Computational Logic Handbook. Academic Press, New York, 1988.
3. B.C. Brock and W.A. Hunt. A Formal Introduction to a Simple HDL. In Formal Methods for VLSI
Design, J. Staunstrup, Ed., Elsevier Science Publishers B.V. (North-Holland), 1990, pp. 285-329.
4. J S. Moore. A Formal Model of Asynchronous Communication and Its Use in Mechanically Verifying a
Biphase Mark Protocol. Tech. Rept. NASA CR-4433, NASA, 1992.
5. M. Pease, R. Shostak and L. Lamport. "Reaching Agreement in the Presence of Faults". Journal of
the ACM 27, 2 (1980), 228-234.
6. J. Rushby and F. von Henke. Formal Verification of the Interactive Convergence Clock
Synchronization Algorithm using EHDM. Tech. Rept. SRI CSL 89-3R, Computer Science Laboratory,
SRI International, Menlo Park, CA 94025, January, 1989.
7. D.E. Thomas and P. Moorby. The Verilog Hardware Description Language. Kluwer Academic
Publishers, 1991.
REPORT DOCUMENTATION PAGE                                   Form Approved
                                                            OMB No. 0704-0188

1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: 1992
3. REPORT TYPE AND DATES COVERED: Contractor Report
4. TITLE AND SUBTITLE: Mechanically Verified Hardware Implementing an 8-Bit
   Parallel IO Byzantine Agreement Processor
5. FUNDING NUMBERS: C NAS1-18878; WU 505-64-10-05
6. AUTHOR(S): J Strother Moore
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Computational Logic, Inc.,
   1717 W. Sixth Street, Suite 290, Austin, TX 78704
8. PERFORMING ORGANIZATION REPORT NUMBER: TR-69
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): National Aeronautics and
   Space Administration, Langley Research Center, Hampton, VA 23665-5225
10. SPONSORING/MONITORING AGENCY REPORT NUMBER: NASA CR-189588
11. SUPPLEMENTARY NOTES: Langley Technical Monitor: Ricky W. Butler. Task 3 Report.
12a. DISTRIBUTION/AVAILABILITY STATEMENT: Unclassified-Unlimited; Subject category 62
12b. DISTRIBUTION CODE:
13. ABSTRACT (Maximum 200 words):
Consider a network of four processors that use the Oral Messages (Byzantine Generals)
algorithm of Pease, Shostak and Lamport to achieve agreement in the presence of
faults. Bevier and Young have published a functional description of a single
processor that, when interconnected appropriately with three identical others, implements
this network under the assumption that the four processors step in synchrony. By
formalizing the original Pease et al. work, Bevier and Young mechanically proved
that such a network achieves fault tolerance. In this paper we develop, formalize
and discuss a hardware design that has been mechanically proved to implement their
processor. In particular, we formally define mapping functions from the abstract
state space of the Bevier-Young processor to a concrete state space of a hardware
module and state a theorem that expresses the claim that the hardware correctly
implements the processor. We briefly discuss the Brock-Hunt Formal Hardware
Description Language which permits designs both to be proved correct with the
Boyer-Moore theorem prover and to be expressed in a commercially supported hardware
description language for additional electrical analysis and layout. We briefly
describe our implementation.
14. SUBJECT TERMS: hardware verification, fault tolerance, Byzantine agreement,
    Oral Messages algorithm, automatic theorem proving, Boyer-Moore Logic.
15. NUMBER OF PAGES: 41
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT:
NSN 7540-01-280-5500                        Standard Form 298 (Rev. 2-89)
                                            Prescribed by ANSI Std. Z39-18
                                            298-102
