Formal verification of a set of memory management units by Cohen, Gerald C. et al.
NASA Contractor Report 189566




This document was generated in support of NASA contract NAS 1-18586, Design and Verification of Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 3. Task 3 is associated with formal verification of embedded systems. In particular, this document describes the verification of a set of memory management units (MMU). The verification effort demonstrates the use of hierarchical decomposition and abstract theories. The MMUs can be organized into a complexity hierarchy. Each new level in the hierarchy adds a few significant features or modifications to the lower level MMU. The units described include:
a. A page check translation look-aside module (TLM).
b. A page check TLM with supervisor line.
c. A base and bounds MMU.
d. A virtual address translation MMU.
e. A virtual address translation MMU with memory resident segment table.
The NASA technical monitor for this work is Sally C. Johnson of the NASA Langley Research Center, Hampton, Virginia.
The work was accomplished at Boeing Military Airplanes, Seattle, Washington, and the University of California, Davis, California. Personnel responsible for the work include:
Boeing Military Airplanes:
D. Gangsaas, Responsible Manager
T. M. Richardson, Program Manager
G. C. Cohen, Principal Investigator
University of California:
Dr. K. Levitt, Chief Researcher










1.1 Memory Management ..................................................................... 1
1.2 Integration ................................................................................. 3
1.3 Verified Memory Management Units ..................................................... 4
1.4 Related Work .............................................................................. 5
1.5 HOL ........................................................................................ 6
1.5.1 The Language ........................................................................ 7
1.5.2 The Proof System .................................................................... 9
1.6 Device Specification ....................................................................... 10
1.7 Additional Notation ....................................................................... 10
2.0 AUXILIARY THEORIES ...................................................................... 11
2.1 bitVectors .................................................................................. 11
2.2 Gates ....................................................................................... 13
2.3 bitVector Comparison Units .............................................................. 13
2.3.1 Complete bitVector Comparison Unit .............................................. 13
2.3.2 Comparison of bitVector Equality .................................................. 14
2.4 Registers ................................................................................... 16
3.0 SIMPLE MEMORY MANAGEMENT UNITS ............................................... 17
3.1 Page Check TLM .......................................................................... 17
3.2 Page Check TLM With Supervisor Line ................................................. 18
3.3 Base And Bounds MMU .................................................................. 19




5.0 MEMORY-RESIDENT TABLE MMU ........................................................27
5.1 Generic Theories ........................................................................... 28
5.2 Specification ............................................................................... 29
5.3 Implementation ............................................................................ 30
5.4 Memory .................................................................................... 31
5.5 Control Unit ............................................................................... 32
5.6 Memory Management Execution Cycle .................................................. 35
5.7 Verification .................................................................................
5.8 Control Unit Lemmas .....................................................................
6.0 CONCLUDING REMARKS ...................................................................











BASE AND BOUNDS CHECK UNIT ..........................................
VIRTUAL ADDRESS TRANSLATION UNIT .................................
















LIST OF FIGURES
Figure Page
2.3-1 Compare Two BitVectors ....................................................................... 15
2.3-2 Compare Two Words For Equality ............................................................. 15
3.1-1 Page Check TLM ................................................................................ 18
3.2-1 Page Check TLM With Supervisor Line ....................................................... 19
3.3-1 Base and Bounds MMU ......................................................................... 21
4.2-1 Base and Bounds MMU with Virtual Address Translation .................................. 25
5.5-1 Abstract MMU Internal Block Diagram ....................................................... 34
5.5-2 Abstract MMU External Block Diagram ...................................................... 34
LIST OF TABLES
Table Page
1.5-1 HOL Infix Operators ............................................................................ 8
1.5-2 HOL Binders ..................................................................................... 8
1.5-3 HOL Type Operators ........................................................................... 9
5.7-1 Abstract MMU Verification Script Run-Times ................................................ 37
5.8-1 Control Unit Theorems ......................................................................... 38

1.0 INTRODUCTION
This report describes the verification of a set of memory management units (MMU). The specification and verification were done using the HOL verification system (ref. 1). The MMUs can be organised into a complexity hierarchy. Each new level in the hierarchy adds a few significant features or modifications to the lower level MMU. The units described include:
a. A page check TLM (translation look-aside module).
b. A page check TLM with supervisor line.
c. A base and bounds MMU.
d. A virtual address translation MMU.
e. A virtual address translation MMU with memory resident segment table.
Life-critical systems are becoming increasingly dependent on computer systems. Though redundant components in fault-tolerant systems increase reliability, these systems do not exclude errors due to specification or implementation flaws. Building reliable systems out of unreliable components does not guarantee a safe and secure system. Faults resulting from design errors are especially difficult to protect against and can compromise critical functionality (ref. 2). While simulation may discover the presence of errors, it cannot guarantee the absence of errors. Hardware verification can be used to uncover all inconsistencies between a mathematical model of the implementation and the formal specification. Hunt suggests that it is faster to verify a microprocessor design than to exhaustively test one (ref. 3).
Hardware verification requires that a system design be formally shown to satisfy its specification through a mathematical proof. Using theorem proving techniques, an expression describing the behavior of a device is proven to be equivalent in some sense to an expression describing the implementation structure of the device. These expressions concisely describe the behavior of devices in an unambiguous way. The behavioral semantics are clearly defined, providing an accurate basis for building systems (ref. 4).
1.1 MEMORY MANAGEMENT
The principal purpose of an operating system is to manage system resources. Perhaps the most fundamental resource is main memory. On behalf of a program, the operating system allocates a section of main memory to load the program into before execution. During execution, the operating system will handle dynamic requests for additional memory. Sophisticated operating systems also support additional memory management capabilities including security and virtual memory functions.
As a real security function, the operating system must ensure process noninterference. Each process expects that its space will not be modified or read by other processes. Further, different portions of a process can be tagged as readable, writable, executable, or a combination of the three.
Most machines have a physical memory address space that is much smaller than the address space the processor can address. For example, a 32-bit processor may be capable of addressing 4 gigabytes of memory (2^32) while the machine only has 16 megabytes of actual main memory (2^24). When several programs are executing, each may expect access to the entire address space. Virtual memory allows the entire address space to appear available to each process.
Left to software alone, security and virtual memory capabilities cannot be completely provided. The functions demand hardware support. These functions may be present as part of the central processing unit (CPU) or as a separate chip. The MMU acts as a filter between the CPU and memory (see Figure 1.1-1).
For each CPU memory request, the MMU determines whether the request will violate security constraints. If virtual memory support is also provided, the MMU will translate a request from a virtual to a real location. When the virtual location does not map to a location presently in memory, the MMU will inform the CPU that a "fault" has occurred.
Security and virtual memory attributes are defined for blocks of contiguous memory. Access to each block can be restricted to be a combination of read, write, or execute permissions. In systems where all blocks are a fixed size, the blocks are referred to as "pages". When the blocks may be of varying size they are referred to as "segments".
Segments consist of a varying number of pages. In many systems both types of objects are present. Protection attributes are established on a segment basis and the real address of a memory word is specified on a page basis. Simple MMUs expect the information for each block to be written to MMU registers (for example, PDP-11). More sophisticated MMUs will access memory resident tables to ascertain a block's status (for example, Intel 80286, 80386 and Motorola 68851). Also a fully functional MMU would utilize a cache to speed up these table accesses. Process management functions are also
Figure 1.1-1: System Block Diagram
a distinct table for each process.
1.2 INTEGRATION
The MMU must be designed to work with other processors in a cooperative manner. The MMU must respond to the actions of other processors. The CPU and MMU have a codependent relationship. The MMU must know the process id (supervisor or user process), the kind of request (instruction fetch or data fetch), as well as whether the request is a read, write, or execute.
MMU exceptions (bad address, segment fault, page fault, invalid access type) are distinct from interrupts. The CPU must be prepared to handle an MMU exception during the execution of an instruction (as opposed to the standard interrupt mechanism where interrupts are handled only after the end of an executing instruction).
If the CPU performs prefetch, it is possible that the prefetch mechanism will inadvertently fetch an address that would never be executed (due to some sort of jump preceding the execution of this "instruction"). If the MMU generates one of the possible exceptions mentioned above, the CPU must postpone processing the exception until the offending value is actually used.
The MMU must also provide a means for the CPU to perform any operation regardless of possible exceptions. For example, when an external interrupt occurs, the CPU must be able to save the return address on a stack.
MMUs can also extend a CPU's instruction set. Instructions to flush its cache, search or load a translation table entry, or test the access rights of a process may be provided. To support operating system memory management, the MMU may also be responsible for setting a dirty bit within a page descriptor when the page has been modified.
The MMU must be responsive to other devices as well. For example, the activity of a direct memory access unit (DMA) can invalidate MMU cache entries. Either the MMU must watch the bus traffic or a mechanism must be available to the CPU to invalidate cached entries.
1.3 VERIFIED MEMORY MANAGEMENT UNITS
Each of the MMUs is constructed from a combination of gates, registers and word comparison units. The gates and registers were available from previous work; however, the word comparison units were designed and verified for this effort.
The simplest MMU combines a register with a word comparison unit. Addresses from a system bus can be stored in the register or compared with the register's value. An acknowledgment signal is returned to indicate whether or not the address matched the register value. Because the word comparison unit provides result output lines to indicate if the first of two inputs is greater than, less than, or equal to the other, the MMU could be trivially changed to return a different result. While this MMU is primitive, it provides sufficient hardware support for a segmented or paged memory by combining several units and providing each with a distinct part of the address.
For minimal security, the next MMU uses input from a supervisor line. When the supervisor line is high, the MMU operates in supervisor mode. A new register value can only be stored when the MMU is in supervisor mode. Also, all accesses are authorized when in supervisor mode.
The base and bounds MMU adds two significant enhancements. First, the register is addressed as a memory location. When the supervisor line is high, the address bus value matches the register's predefined address, and the write line is high, the MMU will store the value on the data bus in its register. Second, the MMU logically divides each address into two parts: a page and an offset. The register value is divided in the same manner. For the MMU to validate a memory address, the page address must match the stored page component and the offset must be less than or equal to the stored bounds component.
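The base and bounds MMU just described, as an executable model added here for illustration (it is not the report's HOL specification): the address width, the page/offset split, the address at which the register is mapped and the signal names are assumptions of this model. The last function lists every address a user-mode request is acknowledged for, so the confinement the register is supposed to impose can be checked exhaustively for a given register value.

```python
# Added example, not from the report: a behavioral model of the base and bounds
# MMU. Widths, the register's mapped address and signal names are assumptions.
from dataclasses import dataclass

ADDR_BITS = 16            # assumed address bus width
OFFSET_BITS = 8           # assumed split: low 8 bits offset, high 8 bits page
PAGE_MASK = (1 << (ADDR_BITS - OFFSET_BITS)) - 1
OFFSET_MASK = (1 << OFFSET_BITS) - 1
REG_ADDR = 0xFFFF         # assumed predefined address of the MMU register


def split(addr: int) -> tuple:
    """Divide an address (or the register value) into page and offset parts."""
    return (addr >> OFFSET_BITS) & PAGE_MASK, addr & OFFSET_MASK


@dataclass
class BaseBoundsMMU:
    # Page component in the high bits, bounds component in the low bits.
    reg: int = 0

    def step(self, supervisor: bool, write: bool, addr: int, data: int) -> bool:
        """One bus cycle. Returns the acknowledge line: True when the request
        is accepted (or the register was loaded), False on a violation."""
        # Supervisor write to the register's predefined address loads the register.
        if supervisor and write and addr == REG_ADDR:
            self.reg = data & ((1 << ADDR_BITS) - 1)
            return True
        # Every other access is authorized in supervisor mode.
        if supervisor:
            return True
        # User mode: page must match and offset must not exceed the bounds.
        page, offset = split(addr)
        base_page, bounds = split(self.reg)
        return page == base_page and offset <= bounds


def user_reachable(mmu: BaseBoundsMMU) -> set:
    """All addresses a user-mode read is acknowledged for; an exhaustive
    check over the whole address space, feasible at this assumed width."""
    return {a for a in range(1 << ADDR_BITS)
            if mmu.step(supervisor=False, write=False, addr=a, data=0)}
```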
The next MMU adds user mode virtual address translation. System information pertaining to both segment and offset validation and virtual address translation is maintained in a pair of registers. These registers can only be accessed when the MMU is operating in supervisor mode.
The last MMU validates CPU memory requests based on a memory resident segment table. Each segment-specific entry in the table defines the segment's availability, read-write-execute access rights, segment size, and real address location in memory.
The addition of these features reduces the amount of operating system software support. By developing a sophisticated MMU in steps, the construction of the final proof is much more tractable.
In the sections that follow, we briefly describe the HOL theorem prover. Then, we describe the above devices and several auxiliary theories developed to support their verification. The final section is a description of future work, including composing the MMU with a cache.
1.4 RELATED WORK
Neumann proposes a unified hierarchy that accommodates all critical requirements (ref. 5). Responsibility to satisfy each requirement can then be delegated to an appropriate layer of the design. The layers remain interdependent, the more abstract layers relying on the correctness of the lower levels. Formal proofs about the hardware level discharge some of the assumptions made by higher, software levels. Similarly, hardware level proofs often make assumptions about the behavior of the software that are discharged when the level is composed (ref. 6).
There has been significant interest in formal verification as an alternative to simulation (refs. 7, 8, 9 and 10). Hardware verification efforts thus far have focused primarily on a microprocessor as the base for computer systems (refs. 3, 11, 12 and 13).
Perhaps the best known verification effort is that of the VIPER microprocessor (refs. 11, 14 and 15). VIPER is the first microprocessor intended for commercial distribution where a formal verification has been attempted. However, these processors are quite limited. Only Joyce's microprocessor, Tamarack-3, provides interrupts, and none provide memory management functions necessary to support a secure operating system.
Previous efforts to verify systems have included construction of vertically verified systems with a microprocessor/memory as the system's base. Joyce has specified and verified a compiler for the verified Tamarack-3 microprocessor (ref. 16).
Computational Logic Inc. has attempted to verify a "stack" of interpreters where the implementation of a level is the specification of the next lower level (ref. 4). In this way, higher levels of the stack define new functionality by collecting the next lower level's functionality. The stack consists of a compiler (Micro-Gypsy), an assembler and linking loader, an operating system, and a microprocessor.
Bevier has verified a simple operating system (KIT), which ensures that tasks are isolated from one another. Implementation of the hardware base has not been verified (refs. 17 and 18). He assumes extensions to the FM8502 microprocessor to provide interrupts, asynchronous I/O, memory management, and supervisor-mode instructions.
1.5 HOL
HOL is a general theorem proving system developed at the University of Cambridge (refs. 1 and 19) that is based on Church's theory of simple types, or higher order logic (ref. 20). Church developed higher order logic as a foundation for mathematics, but it can be used for describing and reasoning about computational systems of all kinds. Higher order logic is similar to the more familiar predicate logic, but allows quantification over predicates and functions, not just variables, allowing more general systems to be described.
HOL grew out of Robin Milner's LCF theorem prover (ref. 21) and is similar to other LCF progeny such as NUPRL (ref. 22). Because HOL is the theorem proving environment used in the body of this work, we will describe it in more detail.
HOL's proof style can be tailored to the individual user, but most users find it convenient to work in a goal-directed fashion. HOL is a tactic based theorem prover. A tactic breaks a goal into one or more subgoals and provides a justification for the goal reduction in the form of an inference rule. Tactics perform tasks such as induction, rewriting, and case analysis. At the same time, HOL allows forward inference and many proofs are a combination of both forward and backward proof styles. Any theorem proving strategy a user employs in connection with HOL is checked for soundness, eliminating the possibility of incorrect proofs.
HOL provides a metalanguage, ML, for programming and extending the theorem prover. Using ML, tactics can be put together to form more powerful tactics, new tactics can be written, and theorems can be combined into new theories for later use. The metalanguage makes the HOL verification system extremely flexible.
In HOL, all proofs, even tactic-based proofs, are eventually reduced to the application of inference rules. Most nontrivial proofs require large numbers of inferences. Proofs of large devices such as microprocessors can take many millions of inference steps. In a proof containing millions of steps, what kind of confidence do we have that the proof is correct? One of the most important features of HOL is that it is secure, meaning that new theorems can only be created in a controlled manner. HOL is based on five primitive axioms and eight primitive inference rules. All high-level inference rules and tactics do their work through some combination of the primitive inference rules. Because the entire proof can be reduced to one using only eight primitive inference rules and five primitive axioms, an independent proof-checking program could check the proof syntactically.
1.5.1 THE LANGUAGE.
The object language of HOL is described in this section. We will discuss HOL's terms and types.
Terms. All HOL expressions are made up of terms. There are four kinds of terms in HOL: variables, constants, function applications, and abstractions (lambda expressions). Variables and constants are denoted by any sequence of letters, digits, underlines, and primes starting with a letter. Constants are distinguished in the logic; any identifier that is not a distinguished constant is taken to be a variable. Constants and variables can have any finite arity, not just 0, and, thus, can represent functions as well.
Function application is denoted by juxtaposition, resulting in a prefix syntax. Thus, a term of the form "t1 t2" is an application of the operator t1 to the operand t2. The term's value is the result of applying t1 to t2.
An abstraction denotes a function and has the form "λ x. t". An abstraction "λ x. t" has two parts: the bound variable x and the body of the abstraction t. It represents a function, f, such that "f(x) = t". For example, "λ y. 2*y" denotes a function on numbers which doubles its argument.
Constants can belong to two special syntactic classes. Constants of arity 2 can be declared to be infix. Infix operators are written "rand1 op rand2" instead of in the usual prefix form: "op rand1 rand2". Table 1.5-1 shows several of HOL's built-in infix operators.
Constants can also belong to another special class called binders. A familiar example of a binder is ∀. If c is a binder, then the term "c x. t" (where x is a variable) is written as shorthand
Table 1.5-2: HOL Binders (entries include "there exists an x such that" and "choose an x such that c is true")
In addition to the infix constants and binders, HOL has a conditional statement that is written a → b | c, meaning "if a, then b, else c."
Types. HOL is strongly typed to avoid Russell's paradox and others like it. Russell's paradox occurs in a higher order logic when one can define a predicate that leads to a contradiction. Specifically, suppose that we define P as P(x) = ¬x(x) where ¬ denotes negation. P is true when its argument applied to itself is false. Applying P to itself leads to a contradiction since P(P) = ¬P(P) (i.e., true = false). This kind of paradox can be prevented by typing since, in a typed system, the type of P would never allow it to be applied to itself.
Every term in HOL is typed according to the following recursive rules:
a. Each constant or variable has a fixed type.
b. If x has type α and t has type β, the abstraction λ x. t has the type (α → β).
c. If t has the type (α → β) and u has the type α, the application t u has the type β.
Types in HOL are built from type variables and type operators. Type variables are denoted by a sequence of asterisks (*) followed by a (possibly empty) sequence of letters and digits. Thus, *, ***, and *ab2 are all valid type variables. All type variables are universally quantified implicitly, yielding type polymorphic expressions.
Table 1.5-3: HOL Type Operators (entries include lists of type *, products of * and **, coproducts of * and **, and functions from * to **)
(denoted by a sequence of letters and digits beginning with a letter) and an arity. If σ1, ..., σn are types and op is a type operator of arity n, then (σ1, ..., σn)op is a type. Note that type operators are postfix while normal function application is prefix or infix. A type operator of arity 0 is a type constant.
HOL has several built-in types, which are listed in Table 1.5-3. The type operators bool, ind, and fun are primitive. HOL has a special syntax that allows (*,**)prod to be written as (* # **), (*,**)sum to be written as (* + **), and (*,**)fun to be written as (* -> **).
1.5.2 THE PROOF SYSTEM.
HOL is not an automated theorem prover but is more than simply a proof checker, falling somewhere between these two extremes. HOL has several features that contribute to its use as a verification environment:
a. Several built-in theories, including booleans, individuals, numbers, products, sums, lists, and trees. These theories contain the five axioms that form the basis of higher order logic as well as a large number of theorems that follow from them.
b. Rules of inference for higher order logic. These rules contain not only the eight basic rules of inference from higher order logic, but also a large body of derived inference rules that allow proofs to proceed using larger steps. The HOL system has rules that implement the standard introduction and elimination rules for Predicate Calculus as well as specialized rules for rewriting terms.
c. A collection of tactics. Examples of tactics include: REWRITE_TAC which rewrites a goal according to some previously proven theorem or definition; GEN_TAC which removes unnecessary universally quantified variables from the front of terms; and EQ_TAC which says that to show two things are equivalent, we should show that they imply each other.
d. A proof management system that keeps track of the state of an interactive proof session.
e. A metalanguage, ML, for programming and extending the theorem prover. Using the metalanguage, tactics can be put together to form more powerful tactics, new tactics can be written, and theorems can be aggregated to form new theories for later use. The metalanguage makes the verification system extremely flexible.
1.6 DEVICE SPECIFICATION
Circuits and devices are described in HOL using a mixture of functions and predicates. Universally quantified variables are used to specify input and output device lines while internal device lines are existentially quantified. The specifications are generally defined to model a state transition system. A specification defines the state and environment at time t+1 as a function of the state and environment at time t.
1.7 ADDITIONAL NOTATION
In the text, various fonts will be used to denote constants, definition names and object types. The turnstile symbol ⊢ is used to indicate that the term is a theorem which has been formally proven in the logic. When the subscript "def" is present (e.g., ⊢def), the theorem is simply a definition.
2.0 AUXILIARY THEORIES
An MMU will receive as input both boolean control signals and word values. The word values are abstractly viewed as addresses into memory, but take the concrete form of an array of boolean values or bits. This sequence of bits will be referred to as a "bitVector". To support the verification of the MMUs, a theory defining how bitVectors can be ordered was constructed.
A theory describing a device that compares bitVectors was also constructed. The device accepts two bitVectors and returns a result indicating whether the first bitVector is greater than, less than or equal to the second bitVector.
2.1 BITVECTORS
BitVectors are represented by the type :num→bool, but are constrained to be of finite length. BitVectors are functions that, when applied to a number, return the bit at that offset. Given a bitVector B with length n+1, the term B 0 returns the least significant bit value and the term B n returns the most significant bit value.
The bitVector theory contains function definitions to compare bitVectors and to compare subsequences of bitVectors. The definitions are recursive so that they may apply to bitVectors of any length. Many of the functions expect the first argument to be the offset of the most significant bit (msb) of a bitVector.
The auxiliary definitions ARB, ZEROS and ABS are defined in the box below. ARB uses the Hilbert choice operator to return an arbitrary bit (boolean) value. ZEROS serves as a bitVector of F values. The curried function expects width and bit offset number arguments and returns F for any line within the width range and an arbitrary value of type bool otherwise.
Signals are defined similarly to bitVectors. The concrete type is defined as :time→bitVector (or :num→num→bool). However, it is convenient for signals to appear to be of type :num→time→bool. The function ABS reorders arguments so that abstract signals are implemented by a function involving bitVectors.
⊢def ARB = @(x:bool). F
⊢def ZEROS (w:num) (n:num) = (n < w) → F | ARB
⊢def ABS (w:num) (sig:num→num→bool) (n:num) (t:num) = (n < w) → sig t n | ARB
Definitions bvEQUAL, bvGREATER and bvLESS correspond to the numeric comparison functions: equal, greater than and less than. These definitions reflect a twos-complement interpretation of bitVectors where the least significant bit is bit 0. T is used for the bit value 1 and F for the bit value 0. The first argument specifies the most significant bit offset and is followed by two bitVectors. The definitions, being recursive, specify a base case (where the msb offset is zero), and the inductive case. Note that bvLESS is defined as a function of bvGREATER with the bitVector arguments reversed.
⊢def (bvEQUAL 0 a b = (a 0 = b 0)) ∧
     (bvEQUAL (SUC n) a b = (bvEQUAL n a b ∧ (a (SUC n) = b (SUC n))))
⊢def (bvGREATER 0 a b = (a 0 ∧ ¬b 0)) ∧
     (bvGREATER (SUC n) a b =
        ((a (SUC n) ∧ ¬b (SUC n)) ∨
         ((a (SUC n) = b (SUC n)) ∧ bvGREATER n a b)))
⊢def bvLESS n a b = bvGREATER n b a
Comparison definitions which only consider a contiguous section of a bitVector are also defined. bvPART constructs a bitVector given a range and a bitVector. Outside the range, the new bitVector returns F, while within the range, the new bitVector returns the old bitVector's corresponding value. Definition bvEQbit is a shorthand to compare two bits. bvPartEQUAL, bvPartGREATER, and bvPartLESS compare contiguous sections of bitVectors, from a specified top bit down to a specified bottom bit.
⊢def bvPART max min (sig:num→bool) (n:num) =
       (n > max) → F | (n < min) → F | sig n
⊢def bvEQbit x a b = (a x = (b (x:num)):bool)
⊢def (bvPartEQUAL 0 y a b =
        ((y = 0) → (bvEQbit 0 a b) | F)) ∧
     (bvPartEQUAL (SUC x) y a b =
        ((SUC x) > y → (bvEQbit (SUC x) a b ∧ (bvPartEQUAL x y a b)) |
         ((SUC x) = y) → (bvEQbit (SUC x) a b) | F))
⊢def (bvPartGREATER 0 y a b =
        ((y = 0) → (a 0 ∧ ¬b 0) | F)) ∧
     (bvPartGREATER (SUC x) y a b =
        (((SUC x) > y) →
           ((a (SUC x) ∧ ¬b (SUC x)) ∨
            ((a (SUC x) = b (SUC x)) ∧ bvPartGREATER x y a b)) |
         ((SUC x) = y) → (a (SUC x) ∧ ¬b (SUC x)) | F))
⊢def bvPartLESS x y a b = bvPartGREATER x y b a
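The partial comparison definitions above, transcribed as Python functions (an added example, not the report's HOL) over bitVectors represented, as in the report, by functions from bit offset to bool. The bv_of_int helper and the exhaustive cross-check against the integer value of the selected bit range are ours; the check confirms that the recursive definitions order a page or offset field the way a numeric comparison would.

```python
# Added example, not from the report: bvPART, bvEQbit and the bvPart* comparisons
# as Python functions over bitVectors (functions from bit offset to bool).
from typing import Callable

BitVector = Callable[[int], bool]


def bv_of_int(value: int) -> BitVector:
    """Helper (ours): bit 0 is the least significant bit, as in the report."""
    return lambda n: bool((value >> n) & 1)


def bvPART(mx: int, mn: int, sig: BitVector) -> BitVector:
    """F outside the range mn..mx, the old bitVector's value inside it."""
    return lambda n: False if n > mx else (False if n < mn else sig(n))


def bvEQbit(x: int, a: BitVector, b: BitVector) -> bool:
    return a(x) == b(x)


def bvPartEQUAL(x: int, y: int, a: BitVector, b: BitVector) -> bool:
    """Bits x (top) down to y (bottom) of a and b agree; F if the range is empty."""
    if x == 0:
        return bvEQbit(0, a, b) if y == 0 else False
    if x > y:
        return bvEQbit(x, a, b) and bvPartEQUAL(x - 1, y, a, b)
    if x == y:
        return bvEQbit(x, a, b)
    return False


def bvPartGREATER(x: int, y: int, a: BitVector, b: BitVector) -> bool:
    """Bits x..y of a exceed those of b, most significant bit decided first."""
    if x == 0:
        return (a(0) and not b(0)) if y == 0 else False
    if x > y:
        return (a(x) and not b(x)) or (a(x) == b(x) and bvPartGREATER(x - 1, y, a, b))
    if x == y:
        return a(x) and not b(x)
    return False


def bvPartLESS(x: int, y: int, a: BitVector, b: BitVector) -> bool:
    return bvPartGREATER(x, y, b, a)


def field(value: int, x: int, y: int) -> int:
    """Helper (ours): integer value of bits x..y, used only for the cross-check."""
    return (value >> y) & ((1 << (x - y + 1)) - 1)


def check_against_integers(width: int, x: int, y: int) -> bool:
    """Exhaustively confirm, for every pair of width-bit values, that the three
    recursive definitions agree with integer comparison of the selected field."""
    for va in range(1 << width):
        for vb in range(1 << width):
            a, b = bv_of_int(va), bv_of_int(vb)
            fa, fb = field(va, x, y), field(vb, x, y)
            if bvPartEQUAL(x, y, a, b) != (fa == fb):
                return False
            if bvPartGREATER(x, y, a, b) != (fa > fb):
                return False
            if bvPartLESS(x, y, a, b) != (fa < fb):
                return False
    return True
```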
2.2 GATES
The devices are constructed from the gates described below. The gates inv, nor2 and nand2 are assumed to be primitive, and from these we construct and2_imp and or2_imp.
⊢def inv in out = (out = ¬in)
⊢def nor2 a b out = (out = ¬(a ∨ b))
⊢def nand2 a b out = (out = ¬(a ∧ b))
⊢def and2_imp a b out = (∃p. nand2 a b p ∧ inv p out)
⊢def or2_imp a b out = (∃p. nor2 a b p ∧ inv p out)
2.3 BITVECTOR COMPARISON UNITS
Two bitVector comparison units are constructed. The first compare unit produces three boolean results indicating either a greater than, less than or equal relation between the two input bitVectors. Frequently all that is needed is a device that recognizes two bitVectors as equal. The second unit compares two bitVectors for equality as defined by the bitVector definition bvEQUAL.
2.3.1 COMPLETE BITVECTOR COMPARISON UNIT
The bitVector comparison unit takes two words as input and produces three boolean results indicating whether the first was greater than, less than, or equal to the second bitVector. The specification and implementation definitions are constructed recursively. We begin by defining a specification bitComp_spec, and implementation bitComp_imp, for a device where the inputs (first, sec) are each a single bit rather than a bitVector. The implementation is proved to be equivalent to the specification. Note the existentially quantified variables p and q are lines internal to the device.
⊢def bitComp_spec first sec g l e =
       (g = (first ∧ ¬sec)) ∧
       (l = (¬first ∧ sec)) ∧
       (e = (first = sec))
⊢def bitComp_imp first sec g l e =
       ∃p q. (inv first p) ∧
             (inv sec q) ∧
             (nor2 p sec g) ∧
             (nor2 q first l) ∧
             (nor2 g l e)
⊢ bitComp_imp first sec g l e = bitComp_spec first sec g l e
Definitions for two-bit words can be constructed in a similar manner as shown below. The
implementation compComb_imp is proved to be equivalent to the specification compComb_spec.
⊢def compComb_spec g0 g1 l0 l1 e0 e1 g l e =
      (g = (g1 ∨ (e1 ∧ g0))) ∧
      (l = (l1 ∨ (e1 ∧ l0))) ∧
      (e = (e1 ∧ e0))
⊢def compComb_imp g0 g1 l0 l1 e0 e1 g l e =
      ∃ p q . (and2_imp e1 g0 p) ∧ (or2_imp g1 p g) ∧
              (and2_imp e1 l0 q) ∧ (or2_imp l1 q l) ∧
              (and2_imp e1 e0 e)
⊢ compComb_imp g0 g1 l0 l1 e0 e1 g l e = compComb_spec g0 g1 l0 l1 e0 e1 g l e
Using the bitVector comparison definitions and the bitComp specification and implementation,
a compare unit for an arbitrary sized bitVector is defined using recursive definitions and verified.
⊢def comp_spec n a b g l e =
      ( g = ( bvGREATER n a b) ) ∧
      ( l = ( bvLESS n a b) ) ∧
      ( e = ( bvEQUAL n a b) )
⊢def (comp_imp 0 a b gr ls eq = (bitComp_imp (a 0) (b 0) gr ls eq)) ∧
     (comp_imp (SUC n) a b gr ls eq =
        ∃ gp lp ep gn ln en .
          (comp_imp n a b gn ln en) ∧
          (bitComp_imp (a (SUC n)) (b (SUC n)) gp lp ep) ∧
          (compComb_imp gn gp ln lp en ep gr ls eq) )
⊢ comp_imp n a b great less equ = comp_spec n a b great less equ
An example of an implementation for bitVectors of length three is in Figure 2.3-1.
2.3.2 COMPARISON OF BITVECTOR EQUALITY
Frequently, the full power of the compare unit described above is not required. For example, for a
device to recognize bus requests directed to it, the device need only compare for equality the bus
address with a predefined address. Note that an equality comparison unit also requires many fewer
gates.
The equality comparison unit is defined in a manner similar to the full comparison unit. First,
we construct a device that recognizes bit equality, and then we construct an equality unit for
Figure 2.3-1: Compare Two BitVectors
Figure 2.3-2: Compare Two Words For Equality
⊢def bitEq_spec first sec e =
      (e = ( first = sec ))
⊢def bitEq_imp first sec e =
      ∃ i j . (nor2 first sec i) ∧
              (and2_imp first sec j) ∧
              (or2_imp i j e)
⊢ bitEq_imp first sec e = bitEq_spec first sec e
⊢def compEq_spec n a b e = ( e = ( bvEQUAL n a b) )
⊢def (compEq_imp 0 a b eq = (bitEq_imp (a 0) (b 0) eq)) ∧
     (compEq_imp (SUC n) a b eq =
        ∃ en ea .
          (compEq_imp n a b en) ∧
          (bitEq_imp (a (SUC n)) (b (SUC n)) ea) ∧
          (and2_imp en ea eq))
⊢ compEq_imp n a b e = compEq_spec n a b e
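Added example, not from the report (which works in HOL): a Python rendering of the recursion above, with the primitive gates inv, nor2 and nand2, the derived and2_imp/or2_imp, the bitComp/compComb/comp chain and the bitEq/compEq chain, checked exhaustively against an integer-comparison version of bvGREATER/bvLESS/bvEQUAL. Bit lists with index 0 as the least significant bit, the Python function names and the bounded enumeration are this example's choices. The HOL theorems cover every width n; enumeration only covers the widths tried, which is the sanity check worth running before investing in the proof.

```python
"""Gate-level bitVector comparator checked against its bitVector spec.

Added example (not from the report). Bit lists: index 0 is the LSB.
"""
from itertools import product

# Primitive gates (the report assumes these three are primitive).
def inv(a): return not a
def nor2(a, b): return not (a or b)
def nand2(a, b): return not (a and b)

# Derived gates built only from the primitives, as and2_imp / or2_imp.
def and2_imp(a, b): return inv(nand2(a, b))
def or2_imp(a, b): return inv(nor2(a, b))

def bit_comp_imp(first, sec):
    """One-bit comparator bitComp_imp: returns (g, l, e) from inv and nor2."""
    p = inv(first)
    q = inv(sec)
    g = nor2(p, sec)     # first and not sec
    l = nor2(q, first)   # sec and not first
    e = nor2(g, l)       # neither greater nor less
    return g, l, e

def comp_comb_imp(g0, g1, l0, l1, e0, e1):
    """compComb_imp: combine the result for the lower bits (index 0) with the
    result for the next more significant bit (index 1); the high bit dominates."""
    p = and2_imp(e1, g0)
    g = or2_imp(g1, p)
    q = and2_imp(e1, l0)
    l = or2_imp(l1, q)
    e = and2_imp(e1, e0)
    return g, l, e

def comp_imp(a, b):
    """comp_imp: recursive comparator over bit lists a[0..n], b[0..n]."""
    gn, ln, en = bit_comp_imp(a[0], b[0])
    for k in range(1, len(a)):
        gp, lp, ep = bit_comp_imp(a[k], b[k])
        gn, ln, en = comp_comb_imp(gn, gp, ln, lp, en, ep)
    return gn, ln, en

def to_int(bits):
    return sum(int(bit) << k for k, bit in enumerate(bits))

def comp_spec(a, b):
    """comp_spec: (bvGREATER, bvLESS, bvEQUAL) as unsigned integer comparison."""
    x, y = to_int(a), to_int(b)
    return x > y, x < y, x == y

def comp_eq_imp(a, b):
    """compEq_imp: bitEq_imp per bit (nor2 / and2 / or2), folded with and2_imp."""
    eq = or2_imp(nor2(a[0], b[0]), and2_imp(a[0], b[0]))
    for k in range(1, len(a)):
        ea = or2_imp(nor2(a[k], b[k]), and2_imp(a[k], b[k]))
        eq = and2_imp(eq, ea)
    return eq

def check_widths(max_width):
    """Exhaustively compare implementation and spec for widths 1..max_width.
    Returns the number of (a, b) pairs examined; raises on any mismatch."""
    examined = 0
    for n in range(1, max_width + 1):
        for a in product([False, True], repeat=n):
            for b in product([False, True], repeat=n):
                if comp_imp(a, b) != comp_spec(a, b):
                    raise AssertionError(f"comp mismatch for {a} {b}")
                if comp_eq_imp(a, b) != comp_spec(a, b)[2]:
                    raise AssertionError(f"compEq mismatch for {a} {b}")
                examined += 1
    return examined

if __name__ == "__main__":
    print("pairs checked:", check_widths(5))
```

The enumeration grows as 4^n, so this only stands in for the proof at small widths; it does catch a wrong argument order in the compComb stage (swapping gn and gp) immediately, which is the kind of error the HOL proof would reject at the induction step.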
2.4 REGISTERS
Registers are used to store the state of an MMU over time. This theory was implemented by Phil
Windley and included in this report for the sake of completeness.
Registers receive an input bitVector, and clear and load control signals. A register's output at
time t+1 depends on its input control lines clr and ld at time t. The output remains unchanged
if both control lines are F. If both lines are high, the register is cleared (clr takes priority over ld).
A register implementation is constructed from primitive gates, and a formal proof shows the
implementation is equivalent to the specification.
⊢def reg_spec n i ld clr out =
      (∀t:num . out(t+1) = (clr t → ZEROES n | ld t → i t | out t))
      ∧
      (out 0 = ZEROES n)
⊢def (reg_imp 0 i ld clr out = dff (i 0) ld clr (out 0))
     ∧
     (reg_imp (SUC n) i ld clr out = ((reg_imp n i ld clr out)
                                       ∧
                                      (dff (i (SUC n)) ld clr (out (SUC n)))))
⊢ reg_imp n i ld clr out = reg_spec n (ABS n i) ld clr (ABS n out)
3.0 SIMPLE MEMORY MANAGEMENT UNITS
3.1 PAGE CHECK TLM
The page check TLM (translation look-aside module) is the simplest MMU. Protection is generally
needed on a page or segment basis [1]; rarely on a word basis. Memory addresses can be decomposed
into a page and a page offset descriptor. The page check TLM acts only on the page descriptor.
The device will either compare a received page descriptor [2] with another value previously stored
in a register or store a new value for future comparisons. When a comparison is performed, the unit
returns T when the two values are the same. The device is expected to return a result one time
epoch after receiving its inputs. The units are defined using the auxiliary definitions mentioned in
the previous section and are correct for all bitVector widths. To isolate the timing dependencies,
the specification is divided into two parts: pgCk and pgCk_spec.
The definition pgCk_spec describes the timing details. The register and acknowledgment output
values at t+1 are a function of the input values at time t. The function is specified by pgCk.
The definition pgCk accepts a bitVector address, a write/compare command line and a register
and returns a tuple containing the resultant register value and acknowledgment output. If the
command line is T, the register is updated and the output acknowledgment is set to T (regardless
of the comparison result). If the command line is F, indicating a comparison should be performed,
the output acknowledgment is dependent on the result of the comparison.
The implementation pgCk_imp is constructed by composing a register, a comparison unit and
an OR gate (Fig. 3.1-1) [3]. The definitions show the use of the ABS function to allow signals to take
arguments out of order. The implementation is shown to imply the specification.
[1] Here a page is a contiguous block of memory words; each block has a fixed length. Segments are blocks of
words but all segments need not be of the same length.
[2] Note that the concrete implementation of a page descriptor is a subsequence of a bitVector.
[3] The reset box in the figure is set to F in the definition.
⊢def pgCk n address write rgstr =
      (write = T) → (address, T) |
      (bvEQUAL n rgstr address) → (rgstr, T) | (rgstr, F)
⊢def pgCk_spec n addr rWC reg ack =
      ∀ (t:num). (reg(t+1), ack(t+1)) = pgCk n (addr t) (rWC t) (reg t)
⊢def pgCk_imp n addr rWC reg ack =
      ∀t. ∃ g l e.
        (reg_imp n addr rWC bitFalse reg) ∧
        (comp_imp n (ABS n reg t) (ABS n addr t) g l e) ∧
        (or2_imp e (rWC t) (ack (t+1)))
Figure 3.1-1: Page Check TLM
3.2 PAGE CHECK TLM WITH SUPERVISOR LINE
The simple page check unit cannot guarantee that processes will not interfere with one another.
Processes cannot be trusted to leave the page check unit's register unmodified. The above unit
cannot prevent a process from writing to the TLM unit and altering the protection scheme intended
by the operating system kernel. The enhanced unit receives input from a supervisor input line.
Only when the supervisor line is high can a write to the page check register occur.
We assume that the CPU has two control states: a supervisor state intended for operating
system use and a user state for use by application processes. Generally, the supervisor line status
is defined by a bit in the central processing unit's program status word (PSW). Microprocessors
designed for multiprocessing restrict access to the PSW so that process status bits (including the
supervisor bit) can be modified only when the system is executing in supervisor state. This scheme
assumes that nonkernel tasks execute in user state. The supervisor bit can be extended into a
process identifier field or a security ring field.
The implementation requires one additional AND gate and an internal line. The proof is quite
similar to the pgCk proof; it requires an additional case split to deal with the supervisor line.
⊢def pgCks_spec n addr rWC sup reg ack =
      ∀ (t:num). (reg(t+1), ack(t+1)) =
        pgCk n (addr t) (rWC t ∧ sup t) (reg t)
⊢def pgCks_imp n addr rWC sup reg ack =
      ∀t. ∃ x g l e.
        (and2_imp (rWC t) (sup t) (x t)) ∧
        (reg_imp n addr x bitFalse reg) ∧
        (comp_imp n (ABS n reg t) (ABS n addr t) g l e) ∧
        (or2_imp e (x t) (ack (t+1)))
Figure 3.2-1: Page Check TLM With Supervisor Line
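Added example, not the report's HOL: a Python time-stepped model of pgCk and pgCk_spec, of the structural pgCk_imp (a register with clr tied to F, an equality compare of register against address, and an OR gate) and of the supervisor-gated pgCks variant, replayed over a trace in which a user process tries to overwrite the stored descriptor. Signals are Python lists indexed by time, descriptors are ints (the width n is implicit), and the trace is constructed for the example; names follow the report where it has them and are otherwise this example's.

```python
"""Page check TLM over time: pgCk_spec against the structural unit.

Added example (not from the report). Signals are lists indexed by t.
"""

def pg_ck(address, write, rgstr):
    """pgCk: returns (next register value, ack). A write always acks;
    a compare acks only when the stored descriptor matches."""
    if write:
        return address, True
    return rgstr, rgstr == address

def pg_ck_spec(addr, cmd, reg0=0):
    """pgCk_spec: (reg(t+1), ack(t+1)) = pgCk (addr t) (cmd t) (reg t).
    Returns the ack trace; ack(0) is taken as False."""
    reg, ack = reg0, [False]
    for t in range(len(addr)):
        reg, a = pg_ck(addr[t], cmd[t], reg)
        ack.append(a)
    return ack

def reg_spec(i, ld, clr, zero=0):
    """reg_spec: out(t+1) = clr t -> ZEROES | ld t -> i t | out t; out 0 = ZEROES."""
    out = [zero]
    for t in range(len(i)):
        out.append(zero if clr[t] else (i[t] if ld[t] else out[t]))
    return out

def pg_ck_imp(addr, cmd, sup=None):
    """Structural unit: register loaded by the command line, an equality
    compare of register against address, and an OR gate on (e, load).
    With sup given this is pgCks_imp: the load line is and2(rWC, sup)."""
    n = len(addr)
    ld = cmd if sup is None else [cmd[t] and sup[t] for t in range(n)]
    reg = reg_spec(addr, ld, [False] * n)   # reg_imp with clr = bitFalse
    ack = [False]
    for t in range(n):
        e = reg[t] == addr[t]                 # the comparator's e output
        ack.append(e or ld[t])                # or2_imp e (x t) (ack (t+1))
    return ack

def pg_cks_spec(addr, cmd, sup):
    """pgCks_spec: pgCk_spec with the command line gated by sup."""
    return pg_ck_spec(addr, [cmd[t] and sup[t] for t in range(len(addr))])

# Constructed trace: the kernel stores page 5 in supervisor state; a user
# process then tries to store page 9, compares 9, and finally 5 is compared.
ADDR = [5, 5, 9, 9, 5]
CMD = [True, False, True, False, False]   # T = write, F = compare
SUP = [True, False, False, False, False]

def demo():
    """Ack traces for the ungated unit (section 3.1) and the gated one (3.2)."""
    return {
        "ungated_imp": pg_ck_imp(ADDR, CMD),
        "ungated_spec": pg_ck_spec(ADDR, CMD),
        "gated_imp": pg_ck_imp(ADDR, CMD, SUP),
        "gated_spec": pg_cks_spec(ADDR, CMD, SUP),
    }

if __name__ == "__main__":
    for name, trace in demo().items():
        print(name, trace)
```

In the ungated unit the user's write at t=2 succeeds and page 9 is acknowledged at t=3 while the kernel's page 5 is no longer recognised; with the supervisor gate the write is ignored and page 5 is still acknowledged at the end of the trace. The implementation and specification traces agree in both cases, which is what the report's theorems pgCk_imp ⇒ pgCk_spec and pgCks_imp ⇒ pgCks_spec state for every n and every trace.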
3.3 BASE AND BOUNDS MMU
The base and bounds MMU (bb-MMU) extends the capabilities of the page check devices. This
last "simple" MMU is actually much more sophisticated than the previous devices. While the page
check units left unspecified how the device's register is addressed, the bb-MMU provides a more
complete interface to a system bus. The device expects inputs consisting of an address (in bitVector
form), a supervisor line, a read/write line and a data value. When a request is valid, the device
asserts an acknowledgment signal.
The bb-MMU is positioned between the CPU and memory and must recognize when bus
requests are targeted to itself. The bb-MMU protection register is accessed as a memory location.
When the supervisor line input is asserted (T) the bb-MMU will operate in supervisor mode.
In supervisor mode, the bb-MMU compares a memory request's bus address with a constant
to determine whether the protection register is being accessed. If the address does match and the
read/write line is T, then the protection register value will be updated. Whether the protection
register is updated or not, the acknowledgment line will be asserted.
In user mode, the bb-MMU decomposes the input address and register output into a segment
and offset component. The bb-MMU verifies that the address segment matches the stored segment
component (the base) and that the address offset is not greater than the stored offset (the bounds).
The top bits (between n and s) of the address bitVector represent the segment identifier.
The specification is divided into parts to distinguish the supervisor and user mode behaviors.
The specification baseBoundCk_spec is only valid when the segment offset size s is less than the
bitVector size n. Note that the data and address bitVector sizes are implicitly defined to be the
same length. The specification defines the resulting state as a tuple consisting of the protection
register value and the acknowledgment line value. When the supervisor line is high, bbSUPERV
defines the result state; otherwise, bbCOMP defines the result state.
The parameter ADDR represents an unspecified constant denoting the address of the protection
register.
⊢def bbSUPERV n bbReg addr data ADDR rw =
      ( rw → ((bvEQUAL n addr ADDR) → (data, T:bool) | (bbReg, T))
           | (bbReg, T) )
⊢def bbCOMP n s bbReg addr =
      (bvEQUAL n (bvPART n s bbReg) (bvPART n s addr)
       ∧ ¬(bvGREATER s addr bbReg))
        → (bbReg, T:bool) | (bbReg, F)
⊢def bbNextState n s bbReg addr data ADDR super rw =
      ( super → bbSUPERV n bbReg addr data ADDR rw
              | bbCOMP n s bbReg addr )
⊢def baseBoundCk_spec n s bbReg addr data ADDR super rw ack =
      (s < n) ⇒ ∀ t. (bbReg(t+1), ack(t+1)) =
        bbNextState n s (bbReg t) (addr t) (data t) ADDR (super t) (rw t)
The implementation is defined using primitive gates, as well as the register and full comparison
unit described previously. A more efficient implementation would use the equality comparison unit.
The abstract function PRT is used to split off a subsection of a bitVector.
⊢def PRT s max min (sig:num→num→bool) (t:num) (n:num) =
      (n > max) → F |
      (n < min) → F |
      (n <= s) → (sig n t) | ARB
⊢def baseBoundCk_imp n s bbReg addr data ADDR super rw ack =
      (s < n) ⇒ ∀ t.
        (∃ writeBB g0 g1 g2 l0 l1 l2 e2 x addrMatch goodSeg goodOfs ok.
          (reg_imp n data writeBB bitFalse bbReg) ∧
          (comp_imp n (ABS n addr t) ADDR g0 l0 (addrMatch t)) ∧
          (and2_imp (rw t) (super t) (x t)) ∧
          (and2_imp (addrMatch t) (x t) (writeBB t)) ∧
          (comp_imp n (PRT n n s bbReg t)
                      (PRT n n s addr t) g1 l1 goodSeg) ∧
          (comp_imp s (ABS n addr t)
                      (ABS n bbReg t) g2 l2 e2) ∧
          (inv g2 goodOfs) ∧
          (and2_imp goodOfs goodSeg ok) ∧
          (or2_imp ok (super t) (ack (t+1)))
        )
Figure 3.3-1: Base and Bounds MMU
The proof is substantially more complicated than the proofs for the page check units. In the
process of verifying that the implementation implies the specification, several intermediate lemmas
are useful. While they are all seemingly obvious, HOL requires a proof for each.
Lemma 0
  ⊢ (s < n) ⇒ (PRT n n s sig t) = (bvPART n s (ABS n sig t))
Lemma 1
  ⊢ (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) ∧
     ¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) =
    (¬ bvGREATER s (ABS n addr t) (ABS n bbReg t) ∧
     bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)))
Lemma 2
  ⊢ (n > 0) ⇒ ((SUC (PRE n)) - 1) + 1 = (SUC (PRE n))
Lemma 3
  ⊢ ∀(n:num). (n > 0) ⇒ (SUC (PRE n)) = n
Proving the final theorem required 492.7 seconds of CPU time and generated 31,227 intermediate
theorems.
⊢ baseBoundCk_imp n s bbReg addr data ADDR super rw ack ⇒
  baseBoundCk_spec n s (ABS n bbReg) (ABS n addr) (ABS n data) ADDR super rw ack
Proper management of the register's contents ensures that a process can only modify a specified
address space. Although very simple, a set of these devices composed together would be sufficient
to satisfy a system's security need to enforce process noninterference. While the use of multiple
devices is not strictly necessary, a system with several devices might considerably reduce operating
system overhead.
4.0 VIRTUAL ADDRESS TRANSLATION MMU
The MMU is programmed through two memory-mapped control registers:
a. A protection register governs the range of valid virtual memory addresses a process may
access.
b. A translate address register designates the base real address accessible in memory.
Processes cannot be trusted on their own to leave the unit's registers unmodified. Only when
the supervisor line is high will the unit permit a register write. This ensures that the security
protection scheme intended by the operating system kernel cannot be altered intentionally or
unintentionally by user processes. This scheme assumes that nonkernel tasks execute in user state.
The supervisor bit can be extended into a process identifier field or a security ring field.
The protection register and virtual addresses are partitioned into a segment and an offset [4].
A request is validated if the segment address matches the stored segment component and the
offset is less than or equal to the stored bounds component. When a request is validated, the
MMU constructs a real address using the offset of the requested address and the translate address
register. When the supervisor line is asserted, all accesses are authorized and address translation
is not performed.
4.1 SPECIFICATION
The abstraction functions PRT and PRTA are used to split off a subsection of a bitVector [5]. The
function definition VtoR creates a real address by replacing the segment identifier with the real
base offset; the bottom s bits of the virtual address remain unchanged.
⊢def PRT s max min (sig:num→num→bool) (t:num) (n:num) =
      (n > max) → F |
      (n < min) → F |
      (n <= s) → (sig n t) | ARB
⊢def PRTA s max min (sig:num→bool) (n:num) =
      (n > max) → F |
      (n < min) → F |
      (n <= s) → (sig n) | ARB
⊢def VtoR realA virtA s n = (n > s) → (realA n):bool | (virtA n)
[4] Here a page is a contiguous block of memory words; each block being a fixed length. Segments are blocks of
words but all segments need not be of the same length.
[5] Please see the appendix for a description of bitVectors and many of the device building blocks.
The specification virtBBCk_spec is defined as a state transition system. The specification
defines the state and environment at time t+1, as a function of the state and environment at time
t. The state is maintained in variables (bbReg, vaReg). The input environment consists of the
address bus value, data bus value, and control bus signals (addr, data, super, rw). The output
environment consists of a request validation line and a real address (ack, outAddr). The functions
vSUPERV and vCOMP define the supervisor and user mode behaviors, respectively. The parameters
n, s and ADDR serve as constants defining the most significant bitVector bit, the most significant
address offset bit and the base address of the MMU registers. The size of the bitVectors must be
greater than the segment offset for the specification to be meaningful.
⊢def vSUPERV n bbReg vaReg addr data ADDR rw =
      ( (rw ∧ (bvEQUAL n (bvPART n 1 addr) (bvPART n 1 ADDR)))
        → (addr 0) → (data, vaReg, addr, T:bool) |
                     (bbReg, data, addr, T:bool) |
        (bbReg, vaReg, addr, T) )
⊢def vCOMP n s bbReg vaReg addr =
      (bvEQUAL n (bvPART n s bbReg) (bvPART n s addr) ∧
       ¬ (bvGREATER s addr bbReg))
        → (bbReg, vaReg, (VtoR vaReg addr s), T:bool) |
          (bbReg, vaReg, addr, F)
⊢def vNextState n s bbReg vaReg addr data ADDR super rw =
      super → vSUPERV n bbReg vaReg addr data ADDR rw |
              vCOMP n s bbReg vaReg addr
⊢def virtBBCk_spec n s bbReg vaReg addr data ADDR super rw ack outAddr = (s < n) ⇒
      ∀ t. (bbReg(t+1), vaReg(t+1), outAddr(t+1), ack(t+1)) =
        vNextState n s (bbReg t) (vaReg t) (addr t) (data t)
                       ADDR (super t) (rw t)
4.2 IMPLEMENTATION
The implementation virtBBCk_imp is defined using primitive gates, registers and the full comparison
unit described previously. A more efficient implementation would use an equality comparison unit.
The function pick_imp defines a bitVector MUX. The datapath can be seen in Figure 4.2-1.
⊢def pick_imp (wordA:num→bool) (wordB:num→bool) (which:bool) res =
      (which = T) → (res = wordA) | (res = wordB)
⊢def virtBBCk_imp n s ADDR bbReg vaReg addr data super rw ack outAddr = (s < n) ⇒ ∀t.
      (∃ wBB wVA select x aM0 aM1 aM2 goodSeg goodOfs ok nok nxlat g l e.
        (and2_imp (rw t) (super t) (x t)) ∧
        (compEq_imp n (PRT n n 1 addr t) (PRTA n n 1 ADDR) (aM0 t)) ∧
        (and2_imp (aM0 t) (x t) (aM1 t)) ∧
        (inv (addr 0 t) (aM2 t)) ∧
        (and2_imp (aM1 t) (addr 0 t) (wBB t)) ∧
        (and2_imp (aM1 t) (aM2 t) (wVA t)) ∧
        (reg_imp n data wBB bitFalse bbReg) ∧
        (reg_imp n data wVA bitFalse vaReg) ∧
        (compEq_imp n (PRT n n s bbReg t)
                      (PRT n n s addr t) goodSeg) ∧
        (comp_imp s (ABS n addr t)
                    (ABS n bbReg t) g l e) ∧
        (inv g goodOfs) ∧
        (and2_imp goodOfs goodSeg ok) ∧
        (or2_imp ok (super t) (ack (t+1))) ∧
        (inv ok nok) ∧
        (or2_imp nok (super t) nxlat) ∧
        (pick_imp (ABS n addr t) (ABS n vaReg t) nxlat (select t)) ∧
Figure 4.2-1: Base and Bounds MMU with Virtual Address Translation
4.3 VERIFICATION
Several simple intermediate lemmas were proven, with the final theorem requiring 1,209 seconds of
CPU time executing on a Sun SparcStation. The final proof generated 64,185 primitive inferences.
Lemma 0
  ⊢ PRT n n s sig t = bvPART n s (ABS n sig t)
Lemma 1
  ⊢ (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) ∧
     ¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) =
    (¬ bvGREATER s (ABS n addr t) (ABS n bbReg t) ∧
     bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)))
Lemma 2
  ⊢ VtoR a a s = a
Lemma 3
  ⊢ PRTA n n s sig = bvPART n s sig
Lemma 4
  ⊢ addr 0 t = ABS n addr t 0
Several of these units could be combined to provide sufficient hardware support for a segmented
and paged memory. This design also supports multiple process requirements assuming the top bits
of an address specify a process identifier.
⊢ virtBBCk_imp n s ADDR bbReg vaReg addr data super rw ack outAddr ⇒
  virtBBCk_spec n s ADDR (ABS n bbReg) (ABS n vaReg) (ABS n addr)
                (ABS n data) super rw ack outAddr
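Added example, not the report's HOL: bbNextState (section 3.3) and vNextState/VtoR (this section) rendered in Python over ints, with a driver that replays a constructed request sequence through the registers. The field split used here, the low s bits as the offset and the bits above them as the segment identifier, is this example's assumption standing in for bvPART/bvGREATER, which the report defines in its appendix; ADDR, the placement of the two registers at ADDR and ADDR+1 with bit 0 selecting the protection register (as in vSUPERV), and the request values are constructed.

```python
"""Base-and-bounds check and virtual address translation at spec level.

Added example (not from the report). bitVectors are ints; the low s bits
of an n-bit value are the offset, the bits above them the segment id.
"""

def bv_part(n, s, x):
    """Segment field: bits s..n-1 of x with the low s offset bits zeroed."""
    return x & (((1 << n) - 1) ^ ((1 << s) - 1))

def bv_low(s, x):
    """Offset field: the low s bits of x."""
    return x & ((1 << s) - 1)

def bb_superv(n, bb_reg, addr, data, ADDR, rw):
    """bbSUPERV: a supervisor write to ADDR replaces the protection
    register; every supervisor request is acknowledged."""
    if rw and addr == ADDR:
        return data, True
    return bb_reg, True

def bb_comp(n, s, bb_reg, addr):
    """bbCOMP: user mode; ack only if the segment matches the stored base
    and the offset does not exceed the bound held in the low bits of bbReg."""
    ok = (bv_part(n, s, bb_reg) == bv_part(n, s, addr)
          and not bv_low(s, addr) > bv_low(s, bb_reg))
    return bb_reg, ok

def bb_next_state(n, s, bb_reg, addr, data, ADDR, super_, rw):
    """bbNextState: (bbReg', ack)."""
    if super_:
        return bb_superv(n, bb_reg, addr, data, ADDR, rw)
    return bb_comp(n, s, bb_reg, addr)

def v_to_r(n, real_a, virt_a, s):
    """VtoR: bits above the offset come from the translate register,
    the low s bits are kept from the virtual address."""
    return bv_part(n, s, real_a) | bv_low(s, virt_a)

def v_superv(n, bb_reg, va_reg, addr, data, ADDR, rw):
    """vSUPERV: the registers occupy ADDR and ADDR+1; bit 0 of the address
    selects the protection register. Nothing is translated."""
    if rw and bv_part(n, 1, addr) == bv_part(n, 1, ADDR):
        if addr & 1:
            return data, va_reg, addr, True
        return bb_reg, data, addr, True
    return bb_reg, va_reg, addr, True

def v_comp(n, s, bb_reg, va_reg, addr):
    """vCOMP: validate as bbCOMP, then translate a valid address."""
    _, ok = bb_comp(n, s, bb_reg, addr)
    if ok:
        return bb_reg, va_reg, v_to_r(n, va_reg, addr, s), True
    return bb_reg, va_reg, addr, False

def v_next_state(n, s, bb_reg, va_reg, addr, data, ADDR, super_, rw):
    """vNextState: (bbReg', vaReg', outAddr, ack)."""
    if super_:
        return v_superv(n, bb_reg, va_reg, addr, data, ADDR, rw)
    return v_comp(n, s, bb_reg, va_reg, addr)

def run(n, s, ADDR, requests, bb_reg=0, va_reg=0):
    """Replay (super, rw, addr, data) requests through vNextState,
    threading the register state; returns (outAddr, ack) per request."""
    out = []
    for super_, rw, addr, data in requests:
        bb_reg, va_reg, out_addr, ack = v_next_state(
            n, s, bb_reg, va_reg, addr, data, ADDR, super_, rw)
        out.append((out_addr, ack))
    return out

# Constructed: 16-bit bus, 8-bit offsets, MMU registers at 0xFF00 / 0xFF01.
N, S, ADDR = 16, 8, 0xFF00
REQUESTS = [
    (True,  True,  ADDR | 1, 0x2A3F),  # supervisor: bbReg = segment 0x2A, bound 0x3F
    (True,  True,  ADDR,     0x7000),  # supervisor: vaReg = real base 0x7000
    (False, False, 0x2A10,   0),       # user: in segment, offset 0x10 <= 0x3F
    (False, False, 0x2A40,   0),       # user: offset 0x40 exceeds the bound
    (False, False, 0x2B10,   0),       # user: wrong segment
    (False, True,  ADDR | 1, 0xFFFF),  # user tries to rewrite bbReg
    (False, False, 0x2A10,   0),       # still checked against the old bbReg
]

if __name__ == "__main__":
    for req, res in zip(REQUESTS, run(N, S, ADDR, REQUESTS)):
        print(req, "->", (hex(res[0]), res[1]))
```

The user-mode write to ADDR+1 falls through vCOMP like any other address: its segment field does not match bbReg, so it is refused and both registers are untouched, which is the property the supervisor gating is there to give. Note also that in supervisor mode outAddr is the untranslated bus address, matching the report's statement that no translation is performed there.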
5.0 MEMORY-RESIDENT TABLE MMU
This MMU provides protection and address translation on a segment basis. These functions
are only in effect when the MMU operates in user mode. When operating in supervisor mode,
the memory protection mechanism is inactive and requests are passed through without address
translation.
Addresses consist of a segment identifier and a segment offset. The segment identifier is
used to fetch the segment descriptor. Segment descriptors are located in a memory-resident table
and consist of two words. The first word specifies the segment size and read, write and execute
permissions. The second word acts as a base address for the segment's real location in memory. To
translate from a virtual address to a real address, the MMU adds the segment offset to the segment
base address. To support segment paging, the first word also contains a bit indicating whether the
segment is presently in memory. If this bit is F, the operating system is free to use the second word
as a disk offset or in any other fashion.
The location of the table is determined by the MMU's segment table pointer register. This
register is accessible only in supervisor mode. The MMU assumes the table provides an entry for
all possible segment descriptors.
Layout of the first descriptor word (bit n at the left, bit 0 at the right; bits s-1 .. 0 hold the segment size):
  | avail | read | write | execute | ... | segment size |
The MMU described here must fetch a descriptor from memory for each access. Initial work
on a cache to speed up performance is discussed in a subsequent section.
The previous units were constructed in a bottom up manner, from the gate level up. Using
the verification of these units as a model, devices that compare one bitVector with another in an
arbitrary way could be specified and successfully verified. The device described in this section takes
a top-down approach to the verification of a much more complicated device. The implementation
level here is the electronic block level. We construct a generic theory describing an MMU where
several functions are left abstract.
5.1 GENERIC THEORIES
A generic theory consists of three parts:
a. An abstract representation of the uninterpreted constants and types in the theory. The
abstract representation contains a set of abstract operations and a set of abstract objects. The
semantics of the abstract representation are unspecified. Inside the theory, we don't know
what the objects and operations mean.
b. A list of theory obligation predicates defining relationships between members of the abstract
representation. When a theory is instantiated, these predicates must be proven about the
concrete representation. Within the theory, the obligations represent axiomatic knowledge.
The abstract MMU theory does not contain any theory obligations.
c. A collection of abstract theorems about the representation.
For a more complete description of abstract theories see (ref. 23).
Using the abstract theory package, a set of selector functions can be created. When applied
to an abstract representation, a selector function extracts the desired function.
Instead of dealing with concrete data types such as bitVectors with a specific length, the
abstract MMU works with data values of abstract types *wordn, *address and *memory. The
abstract representation provides a set of functions that manipulate these types.
Previous device theories have considered the size of the segment identifier and segment offset
fields within a bitVector. The abstract representation ignores these details by providing functions
that return the segment identifier or segment offset fields from an address (segId and segOfs,
respectively). There is also a function segIdshf, which returns the offset of a segment descriptor
within the memory-resident segment table for a given address. Since descriptors require two words,
the implementation of this function simply shifts the segment identifier to the left by 1 bit position
(i.e., appends a trailing zero bit).
The abstract functions availBit, readBit, writeBit and execBit extract a bit value from
an argument of type *wordn. These functions are applied to the first word of a segment descriptor.
Several functions that operate on two-tuples are available. Given a pair of *wordn values,
add returns a value of *wordn. Functions addrEq, ofsLEq and validAccess replace the concrete
comparison units used in previous units.
Additional abstract coercion functions are available to convert values between types. If the
theory were instantiated, the concrete implementation of the abstract types would likely be the
same (bitVectors) and these functions would be unnecessary.
Memory is also treated abstractly. The abstract representation provides a fetch function, and
a transformation function [6].
new_type_abbrev ('RWE', ":bool # bool # bool");;
let mmu_abs = new_abstract_representation
  [
    ('segId',       ":(*address -> *wordn)" );
    ('segOfs',      ":(*address -> *wordn)" );
    ('segIdshf',    ":(*address -> *wordn)" );
    ('availBit',    ":(*wordn -> bool)" );
    ('readBit',     ":(*wordn -> bool)" );
    ('writeBit',    ":(*wordn -> bool)" );
    ('execBit',     ":(*wordn -> bool)" );
    ('add',         ":(*wordn # *wordn -> *wordn)" );
    ('addrEq',      ":(*address # *address -> bool)" );
    ('ofsLEq',      ":(*address # *wordn -> bool)" );
    ('validAccess', ":(*address # *wordn # RWE -> bool)" );
    ( ...,          ":(*wordn -> num)" );
    ('wordn',       ":(num -> *wordn)" );
    ('address',     ":(*wordn -> *address)" );
    % memory functions %
    ('fetch',       ":(*memory # *address) -> *wordn" );
    ('trans',       ":*memory -> *memory" )
  ];;
let mmu_ty = abstract_type 'mmu_abs' 'segId';;
A type abbreviation RWE is also defined to be a three-tuple of bit values. Selector functions
rBIT, wBIT and eBIT access the first, second, and third bits, respectively.
⊢def rBIT rwe = FST rwe
⊢def wBIT rwe = FST (SND rwe)
⊢def eBIT rwe = SND (SND rwe)
The specification is decomposed into several rules and ignores timing details. The timing details
are spelled out in the final correctness theorem. The state of the MMU specification is a three-tuple
consisting of a boolean acknowledgment, a memory address and the table pointer register value.
[6] This function is included for future extensions.
5.2 SPECIFICATION
The definitions superMode and userMode describe the behavior of the MMU when operating
in their respective modes. The definition legalAccess uses many of the abstract functions to
fetch from memory the appropriate segment descriptor and compare it with the request's access
parameters. The definition vToR constructs a real address from a virtual address.
The variable r in all definitions is the abstract representation.
⊢def legalAccess r vAddr tblPtr rwe mem =
      let a = (fetch r)(mem,
                (address r)((add r)(segIdshf r vAddr, tblPtr))) in
      ((validAccess r)(vAddr, a, rwe) ∧ (ofsLEq r)(vAddr, a))
⊢def vToR r vAddr tblPtr mem =
      let a = (fetch r)(mem, (address r)
                ((add r)((wordn r 1), (add r)(segIdshf r vAddr, tblPtr)))) in
      (address r)((add r)(segOfs r vAddr, a))
⊢def superMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ((wBIT rwe) ∧ (addrEq r (vAddr, tblPtrADDR)))
        → ( T, vAddr, data ) |
          ( T, vAddr, tblPtr )
⊢def userMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ( legalAccess r vAddr tblPtr rwe mem
        → ( T, (vToR r vAddr tblPtr mem), tblPtr ) |
          ( F, vAddr, tblPtr ) )
⊢def mmu_spec r vAddr rwe tblPtrADDR tblPtr data mem superv =
      (superv → superMode r vAddr rwe tblPtrADDR tblPtr data mem |
                userMode r vAddr rwe tblPtrADDR tblPtr data mem)
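Added example, not the report's HOL: one concrete instantiation of the abstract representation, with *wordn and *address both as 16-bit ints and *memory as a dict, and legalAccess, vToR, superMode, userMode and mmu_spec written over it and exercised against a constructed segment table. The descriptor bit positions, the offset width S, the table pointer address and the table contents are this example's assumptions; the report leaves all of them abstract.

```python
"""Memory-resident segment table MMU: the abstract spec, instantiated.

Added example (not from the report). *wordn and *address are 16-bit
ints, *memory is a dict from address to word.
"""
S = 8                                 # offset bits: segments of up to 256 words
MASK = 0xFFFF

# Assumed layout of descriptor word 0 (the report only names the fields):
# bit 15 avail, bit 14 read, bit 13 write, bit 12 execute, bits 7..0 size.
AVAIL, READ, WRITE, EXEC = 1 << 15, 1 << 14, 1 << 13, 1 << 12

def seg_id(addr):    return addr >> S
def seg_ofs(addr):   return addr & ((1 << S) - 1)
def seg_idshf(addr): return (seg_id(addr) << 1) & MASK  # two words per descriptor
def add(a, b):       return (a + b) & MASK
def addr_eq(a, b):   return a == b
def fetch(mem, a):   return mem.get(a, 0)                # unmapped words read as 0
def seg_size(w):     return w & ((1 << S) - 1)

def ofs_leq(addr, desc0):
    """ofsLEq: the requested offset must not exceed the segment size."""
    return seg_ofs(addr) <= seg_size(desc0)

def valid_access(addr, desc0, rwe):
    """validAccess: segment present and every requested right granted."""
    r, w, e = rwe
    return bool(desc0 & AVAIL) and all(
        not want or bool(desc0 & bit)
        for want, bit in ((r, READ), (w, WRITE), (e, EXEC)))

def legal_access(v_addr, tbl_ptr, rwe, mem):
    """legalAccess: fetch descriptor word 0 and check it against the request."""
    a = fetch(mem, add(seg_idshf(v_addr), tbl_ptr))
    return valid_access(v_addr, a, rwe) and ofs_leq(v_addr, a)

def v_to_r(v_addr, tbl_ptr, mem):
    """vToR: descriptor word 1 is the base; real address = base + offset."""
    a = fetch(mem, add(1, add(seg_idshf(v_addr), tbl_ptr)))
    return add(seg_ofs(v_addr), a)

def super_mode(v_addr, rwe, tbl_ptr_addr, tbl_ptr, data, mem):
    """superMode: a write to the table pointer address updates the pointer;
    every request is acknowledged and passed through untranslated."""
    if rwe[1] and addr_eq(v_addr, tbl_ptr_addr):
        return True, v_addr, data
    return True, v_addr, tbl_ptr

def user_mode(v_addr, rwe, tbl_ptr_addr, tbl_ptr, data, mem):
    """userMode: translate a legal request, refuse anything else; the
    table pointer cannot change here, whatever address is written."""
    if legal_access(v_addr, tbl_ptr, rwe, mem):
        return True, v_to_r(v_addr, tbl_ptr, mem), tbl_ptr
    return False, v_addr, tbl_ptr

def mmu_spec(v_addr, rwe, tbl_ptr_addr, tbl_ptr, data, mem, superv):
    """mmu_spec: returns the state triple (ack, address, tblPtr')."""
    mode = super_mode if superv else user_mode
    return mode(v_addr, rwe, tbl_ptr_addr, tbl_ptr, data, mem)

# Constructed environment: table pointer register at 0x0FF0, table at 0x1000.
TBL_PTR_ADDR = 0x0FF0
TBL = 0x1000
MEM = {
    TBL + 0: AVAIL | READ | EXEC | 0x3F,   # segment 0: r-x, 64 words
    TBL + 1: 0x4000,                       # segment 0 real base
    TBL + 2: AVAIL | READ | WRITE | 0xFF,  # segment 1: rw-, 256 words
    TBL + 3: 0x5000,                       # segment 1 real base
    TBL + 4: READ | WRITE | 0xFF,          # segment 2: not present (avail clear)
    TBL + 5: 0x0ABC,                       # free for the OS while avail is clear
}
R, W, X = (True, False, False), (False, True, False), (False, False, True)

def demo():
    """User-mode requests against the table, a supervisor write of the
    table pointer, and the same write attempted from user mode."""
    return [
        mmu_spec(0x0010, R, TBL_PTR_ADDR, TBL, 0, MEM, False),   # read in segment 0
        mmu_spec(0x0010, W, TBL_PTR_ADDR, TBL, 0, MEM, False),   # write to r-x segment
        mmu_spec(0x0040, R, TBL_PTR_ADDR, TBL, 0, MEM, False),   # past the segment size
        mmu_spec(0x0120, W, TBL_PTR_ADDR, TBL, 0, MEM, False),   # write in segment 1
        mmu_spec(0x0200, R, TBL_PTR_ADDR, TBL, 0, MEM, False),   # segment not present
        mmu_spec(TBL_PTR_ADDR, W, TBL_PTR_ADDR, TBL, 0x2000, MEM, True),
        mmu_spec(TBL_PTR_ADDR, W, TBL_PTR_ADDR, TBL, 0x2000, MEM, False),
    ]
```

The last two requests show the boundary the spec enforces: the same write to the table pointer address is honoured in supervisor mode and, in user mode, is just another virtual address looked up in the table (its descriptor slot is unmapped, so avail reads as clear and the request is refused with the pointer unchanged). A concrete instantiation like this is also where the report's theory obligations would be discharged, had the abstract MMU theory stated any.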
5.3 IMPLEMENTATION
The implementation is constructed from electronic-block model components. These are defined as
specifications for the behavior of a gate-level implementation. Many of the devices specify their
timing behavior as well. The building blocks consist of a security comparison unit, an address
match unit, a memory fetch unit, an adder, registers, latches, muxes, and a control unit. Most of
the device definitions are self-explanatory with the exception of the memory and the control unit.
These two units will be described in greater detail.
The system bus provides the following to the MMU:
a. A request line.
b. A supervisor state line.
c. Read/write/execute request type lines.
d. An address bus value.
e. A data bus value.
⊢def secUnit_spec r a b rwe ok =
      ∀ t. ok (t+1) =
        ((validAccess r) ((a t),(b t),(rwe t)) ∧ (ofsLEq r) ((a t),(b t)))
⊢def addUnit_spec r a b c = ∀ t:num. c (t+1) = (add r ((a t),(b t)))
⊢def muxUnit_spec r a b out w =
      ∀ t:num. (out (t+1)) = (w (t+1)) → address r (b (t+1)) | (a t)
⊢def mux3Unit_spec a b c out w =
      ∀ t:num. (out t) = (w t = 0) → a t | (w t = 1) → b t | c t
⊢def splitUnit_spec r virt id ofs =
      ∀ t:num. ((id t) = (segIdshf r) (virt t))
               ∧
               ((ofs t) = (segOfs r) (virt t))
⊢def latchUnit_spec r i out ctrl =
      ∀ t:num. out (t+1) = ctrl (t+1) → out t | (i (t+1))
⊢def regUnit_spec r i ld clr out =
      (∀ t:num. out (t+1) = (clr t → (wordn r 0)
                            | ld t → i t | out t)) ∧
      (out 0 = (wordn r 0))
⊢def matchUnit_spec r a b e =
      ∀ (t:num). e(t+1) = ( addrEq r (a t, b t) ) → T:bool | F
⊢def oneUnit_spec r t = (wordn r) 1
⊢def bitFalse t = F
5.4 MEMORY
The memory unit specification defines an interface to memory that is synchronous. If the request
line req is high at t, then at t+1, data will contain the requested memory value and the done line
will be T. If there is no request at time t, then done at t+1 will be F. To construct an asynchronous
version, this specification could be modified to state that given a request at time t, the next time
done is T data will hold the requested value from memory.
When composing the MMU with a cache, the synchronous specification will also change. If
there is a cache hit, a value would be returned much sooner (perhaps an order of magnitude) than
if main memory were to be accessed.
The control unit and the final correctness statement do not rely on a synchronous memory
unit specification. The proof could be easily modified to fit these other models.
⊢def memoryUnit_spec r req addr data done mem =
      ( (data 0 = wordn r 0) ∧ (done 0 = F) ) ∧
      ∀ t. ( (req t) → ( (data (t+1) = fetch r (mem t, addr t)) ∧
                        (done (t+1) = T) ) |
                      ( (data (t+1) = wordn r 0) ∧
                        (done (t+1) = F) ) )
5.5 CONTROL UNIT
To process each memory request, the control unit will pass through several phases. The unit is a
clocked device. At each clock tick the control unit may change its phase depending on the results
computed by the other internal units and the MMU input from the system bus.
The control unit input lines (the first six arguments of controlUnit_spec below) include:
a. The request line (reqIn).
b. The supervisor state line (super).
c. The request type (read/write/execute) lines (rwe).
d. The address compare result line (match).
e. The security unit result line (secOk).
f. The memory fetch result line (fdone).
The control unit output lines include:
a. The MUXes that control the adder's inputs (muxC).
b. The adder output latch (lC).
c. The MUX that controls the bus memory address lines (xlat).
d. The register update lines (tmpC, tblC).
e. The memory request line (rReq).
f. The MMU done line (done).
g. The MMU access acknowledgment line (ack).
There are six distinct phases; however, not all phases are executed for each request. Which
phases are executed depends on the validity of the memory request. Request evaluation begins
with the control unit in phase 0 and completes when phase 0 is again reached. A valid request
will require five phases with a delay of at least one time unit before a phase change. Most phases
require one clock cycle; however, memory requests for a segment descriptor may take several. The
control unit will busy-wait until a memory fetch completes.
⊢def controlUnit_spec reqIn super rwe match secOk fdone
                      muxC tmpC tblC lC rReq xlat done ack phase =
      ((muxC 0, tmpC 0, tblC 0, lC 0, rReq 0, xlat 0, done 0, ack 0, phase 0) =
       (0, F,F,F, F,F,F,F, 0))
      ∧
      (∀ t . (muxC(t+1), tmpC(t+1), tblC(t+1), lC(t+1),
              rReq(t+1), xlat(t+1), done(t+1), ack(t+1), phase(t+1)) =
                                    % muxC tmpC tblC lC  rReq xlat done ack  phase %
        (phase t = 0) →
          (reqIn t →                ( 0,   F,   F,   F,  F,   F,   F,   F,   1) |
                                    ( 0,   F,   F,   F,  F,   F,   F,   F,   0)) |
        (phase t = 1) →
          (super t →
             (((wBIT (rwe t)) ∧ match t) →
                                    ( 0,   F,   T,   F,  F,   F,   F,   F,   5) |
                                    ( 0,   F,   F,   F,  F,   F,   T,   T,   0)) |
                                    ( 2,   T,   F,   T,  T,   T,   F,   F,   2)) |
        ((phase t = 2) ∧ fdone t) → ( 1,   F,   F,   F,  T,   T,   F,   F,   3) |
        ((phase t = 3) ∧ fdone t) →
          (secOk t →                ( 0,   F,   F,   F,  F,   T,   F,   F,   4) |
                                    ( 0,   F,   F,   F,  F,   F,   T,   F,   0)) |
        (phase t = 4) →             ( 0,   F,   F,   T,  F,   T,   T,   T,   0) |
        (phase t = 5) →             ( 0,   F,   F,   F,  F,   F,   T,   T,   0) |
        (muxC t, tmpC t, tblC t, lC t, F, xlat t, done t, ack t, phase t)
      )
The dataPath definition describes the interconnection between all the units other than the
control unit. The mmu_imp definition joins the control unit with the data path.
Data Path
⊢def dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
              muxC tmpC tblC lC rReq xlat match secOk fdone =
      ∃ (mux1 mux2 id ofs addOut data latOut :num→*wordn)
        (secData :num→*wordn).
        (regUnit_spec r vData tblC bitFalse tblPtr) ∧
        (regUnit_spec r data tmpC bitFalse secData) ∧
        (secUnit_spec r vAddr secData rwe secOk) ∧
        (splitUnit_spec r vAddr id ofs) ∧
        (mux3Unit_spec id ofs (oneUnit_spec r) mux1 muxC) ∧
        (mux3Unit_spec tblPtr data latOut mux2 muxC) ∧
        (addUnit_spec r mux1 mux2 addOut) ∧
        (latchUnit_spec r addOut latOut lC) ∧
        (matchUnit_spec r vAddr tblPtrADDR match) ∧
        (muxUnit_spec r vAddr latOut rAddr xlat) ∧
        (memoryUnit_spec r rReq rAddr data fdone mem)
⊢def mmu_imp r vAddr vData rwe superv tblPtr tblPtrADDR reqIn
             rAddr done ack xlat mem phase =
      ∃ (muxC :num→num) (tmpC tblC lC rReq match secOk fdone :num→bool) .
        (controlUnit_spec reqIn superv rwe match secOk fdone
                          muxC tmpC tblC lC rReq xlat done ack phase) ∧
        (dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
                  muxC tmpC tblC lC rReq xlat match secOk fdone)
Figure 5.5-1: Abstract MMU External Block Diagram
5.6 MEMORY MANAGEMENT EXECUTION CYCLE
When the control unit is in phase 0, it busy-waits for a request and then proceeds to phase
1. During phase 0, the address comparison unit (matchUnit_spec) can determine whether the
bus address matches the MMU's table pointer address. The result is put on the match line. The
split unit (splitUnit_spec) divides the address into its segment table offset and segment offset
components.
In phase 1, the supervisor line determines what the next phase will be. When the supervisor
line is high, two results are possible. When the request is a write and the match line is T, the
control unit directs the table pointer register to store the value on the data bus and sets the
next phase to 5. After one clock tick in phase 5, the acknowledge and done lines are asserted
and the control unit returns to phase 0. This ensures that the data bus value remains constant
while the register updates its store. If the request is not directed to the segment table pointer
register, the done and acknowledge lines are asserted and the phase is set to 0. Since the xlat
line remains F, the original request is effectively passed on to memory without modification.
During this time, the adder computes the memory address of the segment descriptor using
the shifted segment identifier and the segment table pointer (output from the MUXs). When the
supervisor line is not high and the control unit is in phase 1, a memory fetch is initiated using
the adder output. The adder output latch control line is asserted to keep this value constant. The
temporary register write control line (tmpC) is asserted to capture the first word of the fetched
segment descriptor. The control unit then moves on to phase 2.
The control unit remains in phase 2 until the fdone line is asserted, indicating that the memory
fetch has completed. During this time, the adder will have incremented the address so that the
second word of the segment descriptor can be fetched. The control unit then moves on to phase
3.
The control unit likewise remains in phase 3 until the fdone line is asserted, indicating that the
memory fetch has completed. If the security unit has asserted the secOK line, phase 4 is entered.
The delay provides sufficient time for the adder to create the real address from the second word of
the segment descriptor (fetched word) and the segment offset. In phase 4, the xlat, done and ack
lines are asserted and the control unit returns to phase 0.
If the security unit does not authorize the memory request, the control unit does not enter
phase 4 but instead returns to phase 0, asserting the done line but not the ack line.
Note that the done line is asserted only when the MMU completes its execution cycle, and
only for one clock cycle.
5.7 VERIFICATION
Several auxiliary definitions are used to express the final correctness statement. To relate the
implementation to the specification, a temporal abstraction is constructed using the two predicates
Next and First. The predicate First is true when its argument t is the first time that g is true. The
predicate Next is true when t2 is the next time after t1 that g is true. The predicate stable_sigs
states that between t1 and t2 the MMU inputs remain constant.

⊢def First g t = (∀p:time. p < t ⇒ ¬(g p)) ∧ (g t)
⊢def Next g (t1,t2) = (t1 < t2) ∧
        (∀t:time . t1 < t ∧ t < t2 ⇒ ¬(g t)) ∧ (g t2)
⊢def stable_sigs t1 t2 vAddr rwe tblPtrADDR data mem super =
        ∀ t'. t1 < t' ∧ t' < t2 ⇒
          (super t' = super t1) ∧
          (vAddr t' = vAddr t1) ∧
          (rwe t' = rwe t1) ∧
          (data t' = data t1) ∧
          (mem t' = mem t1) ∧
          (tblPtrADDR t' = tblPtrADDR t1)

The correctness theorem states that if the implementation is in phase 0 and a memory request
is made, the implementation will respond c time steps later such that the state of the implementation
matches the state defined by the specification for a given set of MMU inputs. The inputs
must remain stable until the MMU responds to the request. If a memory request is not made, the
acknowledgment line remains F, the phase remains 0 and the MMU table pointer register remains
unchanged.
⊢ mmu_imp r vAddr vData rwe super tblPtr tblPtrADDR reqIn rAddr
          done ack xlat mem phase ⇒
  (∀t.
    (phase t = 0) ⇒
    (reqIn t =>
       (∃ c. Next done(t,t + c) ∧ (phase(t + c) = 0) ∧
         (stable_sigs t (t + c) vAddr rwe tblPtrADDR vData mem super ⇒
           (mmu_spec r (vAddr t) (rwe t) (tblPtrADDR t) (tblPtr t)
                     (vData t) (mem t) (super t) =
            ack(t + c),rA‌ddr(t + c),tblPtr(t + c))))
     | ((ack(t + 1) = F) ∧
        (phase(t + 1) = 0) ∧
The correctness theorem required 2,635.2 seconds of CPU time running on a SPARCStation
with 16 Mbytes of memory. HOL generated 121,858 primitive inferences to prove the theorem.
Many lemmas were proven to support the final MMU correctness result. The proof effort was
organized into a hierarchy of theories as presented in Table 5.7-1.
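The execution cycle of section 5.6 and the First/Next/stable_sigs predicates of section 5.7, as an added executable model in Python (not part of the report or its HOL development). The phase-by-phase line values follow the prose of section 5.6; the memory latency is a constructed parameter, and muxC and the data path are not modelled.

```python
"""Executable model of the abstract MMU control-unit execution cycle (section
5.6) together with the temporal predicates First, Next and stable_sigs used by
the correctness statement (section 5.7).  Added illustration, not the report's
HOL text.  Control lines are registered: their values at t+1 are a function of
the phase and the inputs at t, as in the control-unit transition table.  The
memory latency is constructed; muxC and the data path are not modelled."""
from dataclasses import dataclass
from typing import Callable, Dict, List

LINES = ("tblC", "tmpC", "lC", "rReq", "xlat", "done", "ack")
State = Dict[str, object]


@dataclass(frozen=True)
class Inputs:
    reqIn: bool   # a bus request is pending
    superv: bool  # supervisor line
    rwe: bool     # True = write request
    match: bool   # bus address equals the table-pointer register's address
    secOK: bool   # security unit authorised the access
    fdone: bool   # memory fetch completed


def control_step(phase: int, i: Inputs) -> State:
    """Control lines and phase at t+1, given the phase and inputs at t."""
    nxt: State = {k: False for k in LINES}

    def go(p: int, **high: bool) -> State:
        nxt.update(high)
        nxt["phase"] = p
        return nxt

    if phase == 0:                              # busy-wait for a request
        return go(1 if i.reqIn else 0)
    if phase == 1:
        if i.superv:
            if i.rwe and i.match:               # write to the segment-table pointer
                return go(5, tblC=True)
            return go(0, done=True, ack=True)   # pass request through untranslated
        return go(2, tmpC=True, lC=True, rReq=True)  # fetch descriptor word 1
    if phase == 2:                              # wait for word 1, then fetch word 2
        return go(3, rReq=True) if i.fdone else go(2)
    if phase == 3:                              # wait for word 2, then security check
        if not i.fdone:
            return go(3)
        return go(4) if i.secOK else go(0, done=True)   # denied: done but no ack
    if phase == 4:                              # real address available
        return go(0, xlat=True, done=True, ack=True)
    if phase == 5:                              # pointer register has latched the bus
        return go(0, done=True, ack=True)
    raise ValueError(f"illegal phase {phase}")


def run(superv: bool, rwe: bool, match: bool, secOK: bool,
        latency: int = 2, horizon: int = 24) -> List[State]:
    """Raise a request at t=0 and hold the other inputs stable (the theorem's
    stable_sigs hypothesis); fdone arrives `latency` ticks after each rReq.
    Returns state[t] for t = 0 .. horizon-1."""
    state: List[State] = [{**{k: False for k in LINES}, "phase": 0}]
    timer = None                                # ticks until the fetch completes
    for t in range(horizon - 1):
        i = Inputs(reqIn=(t == 0), superv=superv, rwe=rwe, match=match,
                   secOK=secOK, fdone=(timer == 0))
        nxt = control_step(state[t]["phase"], i)
        if nxt["rReq"]:
            timer = latency
        elif timer is not None:
            timer = timer - 1 if timer > 0 else None
        state.append(nxt)
    return state


def First(g: Callable[[int], bool], t: int) -> bool:
    """First g t: t is the earliest time at which g holds."""
    return all(not g(p) for p in range(t)) and g(t)


def Next(g: Callable[[int], bool], t1: int, t2: int) -> bool:
    """Next g (t1,t2): t2 is the first time strictly after t1 at which g holds."""
    return t1 < t2 and all(not g(t) for t in range(t1 + 1, t2)) and g(t2)


def stable_sigs(sig: Callable[[int], object], t1: int, t2: int) -> bool:
    """stable_sigs for one input signal: constant over t1 <= t' < t2."""
    return all(sig(t) == sig(t1) for t in range(t1, t2))


def response(state: List[State]) -> State:
    """The c of the correctness theorem for a request at t=0: the unique c with
    Next done (0,c), with the ack, xlat and phase values the MMU shows at c."""
    done = lambda t: bool(state[t]["done"])
    cs = [c for c in range(1, len(state)) if Next(done, 0, c)]
    assert len(cs) == 1, "done pulses exactly once per execution cycle"
    c = cs[0]
    return {"c": c, "ack": state[c]["ack"], "xlat": state[c]["xlat"],
            "phase": state[c]["phase"], "first": First(done, c),
            "done_pulses": sum(done(t) for t in range(len(state)))}
```

Running `response(run(False, False, False, False))` shows the denied case: done pulses once with ack and xlat both F, and the phase is back at 0, which is the shape the theorem requires.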
5.8 CONTROL UNIT LEMMAS
Control unit lemmas proven included the following:
a. Each phase was shown to be distinct.
b. The control unit phase state can be only one of six possible values.
c. Phase 0 can never follow phase 2.
d. During phase 0, the state of the MMU does not change.
While the phase unique lemmas were trivial to prove, the other lemmas required substantial
effort. A table listing the lemmas, the required CPU time to verify them and the number of
intermediate theorems generated is presented in Table 5.8-1.
6.0 CONCLUDING REMARKS
Several enhancements could be made to the abstract MMU.
a. It would not be difficult to add a register that specifies the number of valid entries in a
segment table. The incoming segment id would be compared with this new value. When the
id is greater than the stored value, the MMU could generate a segment table fault.
b. Another read-only status register could be added to indicate the type of fault that occurred.
c. A paging unit could be modeled based on the segment table unit. The device would effectively
be the same as the segmentation unit. The stored real address offset might serve as the page
table pointer.
d. Values were added together instead of being merged together, which is more common.
e. A cache could be added (see section on register stacks).
This research was intended to serve as a vehicle to investigate how we could reason about
changes in a device under development. The compare units and the page check units demonstrate
what changes to a proof are necessary for small device changes. Of greater concern, however,
is the construction of fire walls within a design: being able to recognize what effect a structural
change would have and how to keep as much of an old proof as possible. The use of abstraction
seems to satisfy these needs, as well as making proofs more tractable.
It also seems apparent that a generic execution tactic could be constructed to ease the pain
of performing symbolic execution by hand. This would greatly simplify one of the most arduous
tasks in interactive proof verification using HOL.
Abstract theories provide a mechanism to ignore many details that can be handled at lower
levels of a design. For example, the abstract MMU focuses attention on the correctness of the
control unit. Using the abstract theory package, abstract devices can be instantiated with verified
gate-level implementations of the abstracted functions.
The abstraction mechanism also permits design changes without the need for a complete
reverification effort. The correctness theorem for the abstract MMU is not dependent on the layout of
the segment protection descriptor or the specific protection requirements.
The basis for a secure hardware platform is a fully functional MMU. The MMU presented here
serves as a model to verify a more sophisticated device, such as the hardware reference monitor
SIDEARM (ref. 24).
The MMUs verified provide sufficient hardware support for an operating system kernel to
ensure process isolation and virtual memory. The device designs can be simplified to define a
paging unit. Future work will investigate the composition of segmentation and paging units.
A register stack that implements a FIFO replacement strategy has also been verified. This
is being enhanced to construct an MMU cache with either an LRU or LFU replacement strategy.
Future work will investigate composing the MMU with the CPU and other chips to form a complete
hardware base.
6.1 FUTURE WORK
One of the group's goals is to specify a set of chips that can work together as a system. The
relationships between an MMU, an interrupt controller, a DMA controller, a memory, coprocessor chips
(floating point processor), and the CPU were examined and several potential system integration
problems were uncovered.
Further research will also examine how a set of processor specifications can be connected
to create a system. A difficulty in composing independent processors occurs when they share
state (e.g., memory, peripheral control registers). The proofs for each device make (legitimate)
assumptions about the effects of device operations. These assumptions simplify the device proof
but assume complete control over (now shared) state. We have defined some of the composition
problems and are developing an interaction model based on a noninterference requirement.
REFERENCES
1. M. Gordon, "HOL: A Proof Generating System for Higher-Order Logic," in VLSI Specification,
Verification, and Synthesis (G. Birtwhistle and P. Subrahmanyam, eds.), pp. 73-128, Kluwer
Academic Press, 1988.
2. V. P. Nelson, "Fault-Tolerant Computing: Fundamental Concepts," Computer, July 1990.
3. W. A. Hunt, "Microprocessor Design Verification," Journal of Automated Reasoning, vol. 5,
1989.
4. W. R. Bevier, W. A. Hunt, and W. D. Young, "Toward Verified Execution Environments,"
IEEE Symposium on Security and Privacy, 1987.
5. P. G. Neumann, "On Hierarchical Design of Computer Systems for Critical Applications,"
IEEE Transactions on Software Engineering, vol. SE-12, no. 9, September 1986.
6. J. D. Guttman and H.-P. Ko, "Verifying a Hardware Security Architecture," IEEE Symposium
on Research in Security and Privacy, 1990.
7. H. G. Barrow, "VERIFY: A Program for Proving Correctness of Digital Hardware Designs,"
Artificial Intelligence, vol. 24, 1984.
8. J. Joyce, "Formal Specification and Verification of Microprocessor Systems," Microprocessing
and Microprogramming, North-Holland, (24) 1988.
9. G. Milne and P. Subrahmanyam, Formal Aspects of VLSI Design. Publishers B.V., 1986.
10. D. Weise, "Functional Verification of MOS Circuits," 24th ACM/IEEE Design Automation
Conference, 1987.
11. A. Cohn, "A Proof of Correctness of the VIPER Microprocessor: the First Level," in VLSI
Specification, Verification, and Synthesis (G. Birtwhistle and P. Subrahmanyam, eds.), pp. 27-
71, Kluwer Academic Press, 1988.
12. W. A. Hunt, "A Verified Microprocessor," Tech. Rep. 47, The University of Texas at Austin,
Dec. 1985.
13. J. J. Joyce, Multi-Level Verification of Microprocessor-Based Systems. PhD thesis, Cambridge
University, December 1989.
14. W. J. Cullyer, "Implementing Safety Critical Systems: The VIPER Microprocessor," in VLSI
Specification, Verification, and Synthesis (G. Birtwhistle and P. Subrahmanyam, eds.), pp. 1-25,
Kluwer Academic Press, 1988.
15. A. Cohn, "A Proof of Correctness of the VIPER Microprocessor: the Second Level," in Current
Trends in Hardware Verification and Automated Theorem Proving (G. Birtwhistle and
P. Subrahmanyam, eds.), pp. 1-91, Springer-Verlag, 1989.
16. J. J. Joyce, Totally Verified Systems: Linking Verified Software to Verified Hardware. Lecture
Notes in Computer Science No. 408, Springer-Verlag, July 1989.
17. W. R. Bevier, "A Verified Operating System Kernel," Tech. Rep. 11, Computational Logic,
Inc., October 1989.
18. W. R. Bevier, "Kit and the Short Stack," Journal of Automated Reasoning, vol. 5, 1989.
19. A. Camilleri, M. Gordon, and T. Melham, "Hardware Verification using Higher Order Logic,"
in From HDL Descriptions to Guaranteed Correct Circuit Designs (D. Borrione, ed.), Elsevier
Scientific Publishers, 1987.
20. A. Church, "A Formulation of the Simple Theory of Types," Journal of Symbolic Logic, vol. 5,
1940.
21. M. Gordon, R. Milner, and C. Wadsworth, Edinburgh LCF. Lecture Notes in Computer Science
No. 78, Springer-Verlag, 1979.
22. R. L. Constable, Implementing Mathematics with the NUPRL Proof Development System.
Prentice Hall, 1986.
23. P. J. Windley, "A Poor Man's Implementation of Abstract Theories," Tech. Rep. CSE-90-06,
University of California, Davis, 1990.
24. W. Boebert, "The LOCK Demonstration," 11th National Computer Security Conference, 1988.
APPENDIX A: BITVECTOR THEORY
system `rm bitVector.th`;;
new_theory `bitVector`;;

let A_B = new_definition
   (`A_B`, "A_B = \(x:bool) . F");;

let ZEROES = new_definition
   (`ZEROES`,
    "! (w:num) (a:num) .
       ZEROES w a = (a <= w) => F | ARB");;

let ABS = new_definition
   (`ABS`,
    "ABS (w:num) (sig:num->num->bool) (t:num) (n:num)
       = (n <= w) => sig n t | ARB");;

let bvPART = new_definition
   (`bvPART`,
    "bvPART max min (sig:num->bool) (n:num)
       = (n > max) => F |
         (n < min) => F |
         sig n ");;

let bvEQbit = new_definition
   (`bvEQbit_DEF`,

    "(bvEQUAL 0 a b = (a 0 = (b 0):bool)) /\

    "(bvGREATER 0 a b = ( a 0 /\ ~b 0 ) ) /\
     (bvGREATER (SUC n) a b =
        ( ( a(SUC n) /\ ~b(SUC n) ) \/
          ( (a(SUC n)=b(SUC n)) /\ bvGREATER n a b)
        ))"
   );;

let bvLESS = new_definition
   (`bvLESS_DEF`,
    "bvLESS n a b = bvGREATER n b a"
   );;

let bvPartEQUAL = new_prim_rec_definition
   (`bvPartEQUAL_DEF`,
    "(bvPartEQUAL 0 y a b =
        ( (y = 0) => (bvEQbit 0 a b) | T )) /\
     (bvPartEQUAL (SUC x) y a b =
        (
          ((SUC x) > y) => (bvEQbit (SUC x) a b /\ (bvPartEQUAL x y a b)) |
          ((SUC x) = y) => (bvEQbit (SUC x) a b) | T
        ))" );;

let bvPartGREATER = new_prim_rec_definition
   (`bvPartGREATER_DEF`,
    "(bvPartGREATER (SUC x) y a b =
        (
          ((SUC x) > y) =>
             ( ( a(SUC x) /\ ~b(SUC x) ) \/
               ((a(SUC x)=b(SUC x)) /\ bvPartGREATER x y a b) ) |
          ((SUC x) = y) => (a(SUC x) /\ ~b(SUC x)) | F
        ))" );;

let bvPartLESS = new_definition
   (`bvPartLESS_DEF`,
    "bvPartLESS x y a b = bvPartGREATER x y b a"
   );;

close_theory();;
APPENDIX B: COMPARISON UNITS
loadf `exist_tac.ml`;;
system `rm comparer.th`;;

    "! first sec g l e . bitComp_spec first sec g l e =
        (g = ( first /\ ~sec)) /\
        (l = ( ~first /\ sec)) /\

    "! first sec g l e . bitComp_imp first sec g l e =
        ?p q . (inv first p) /\ (inv sec q) /\
               (nor2 p sec g) /\
               (nor2 q first l) /\
               (nor2 g l e) "
   );;

let bitComp_correct = prove_thm
   (`bitComp_correct`,
    "! first sec g l e.
       bitComp_imp first sec g l e = bitComp_spec first sec g l e",

|- !first sec g l e.
     bitComp_imp first sec g l e = bitComp_spec first sec g l e
Run time: 3S.Ss
Intermediate theorems generated: 3470

let compComb_spec = new_definition
   (`compComb_spec`,
    "! g0 g1 l0 l1 e0 e1 g l e . compComb_spec g0 g1 l0 l1 e0 e1 g l e =
        (g = (g1 \/ (e1 /\ g0))) /\
        (l = (l1 \/ (e1 /\ l0))) /\
        (e = (e1 /\ e0))"
   );;

let compComb_imp = new_definition
   (`compComb_imp`,
    "! g0 g1 l0 l1 e0 e1 g l e . compComb_imp g0 g1 l0 l1 e0 e1 g l e =
        ? p q . (and2_imp e1 g0 p) /\ (or2_imp g1 p g) /\
                (and2_imp e1 l0 q) /\ (or2_imp l1 q l) /\
                (and2_imp e1 e0 e) "
   );;

let compComb_correct = prove_thm
   (`compComb_correct`,
    "! g0 g1 l0 l1 e0 e1 g l e. compComb_imp g0 g1 l0 l1 e0 e1 g l e =
                                 compComb_spec g0 g1 l0 l1 e0 e1 g l e",
    REWRITE_TAC [ compComb_imp; compComb_spec; and2_correct; or2_correct]

        [ SPECL [ "(l = l1 \/ e1 /\ l0)" ; "(g = g1 \/ e1 /\ g0)" ] CONJ_SYM]
    THEN PURE_ONCE_REWRITE_TAC [ SPECL [ "(e = e0 /\ e1)" ] CONJ_SYM]
    THEN REWRITE_TAC [ CONJ_ASSOC ]

compComb_correct =
|- !g0 g1 l0 l1 e0 e1 g l e.
     compComb_imp g0 g1 l0 l1 e0 e1 g l e =
     compComb_spec g0 g1 l0 l1 e0 e1 g l e
Run time: 25.9s
Intermediate theorems generated: 2385

let comp_spec = new_definition
   (`comp_spec`,
    "! n a b g l e.
       comp_spec n a b g l e =
         ( g = ( bvGREATER n a b) ) /\
         ( l = ( bvLESS n a b) ) /\
         ( e = ( bvEQUAL n a b) )"
   );;

let comp_imp = new_prim_rec_definition
   (`comp_imp`,
    "(comp_imp 0 a b gr ls eq = (bitComp_imp (a 0) (b 0) gr ls eq))/\
     (comp_imp (SUC n) a b gr ls eq =
        ? gm lm em gn ln en .
          (comp_imp n a b gn ln en) /\
          (bitComp_imp (a (SUC n)) (b (SUC n)) gm lm em) /\
          (compComb_imp gn gm ln lm en em gr ls eq)
     )"
   );;

let compare_correct = prove_thm
   (`compare_correct`,
    "!n a b great less equ.

      [% base case %
       REWRITE_TAC [bitComp_correct; bitComp_spec;
                    bvGREATER_DEF; bvLESS_DEF; bvEQUAL_DEF]
       THEN EQ_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC []

       EQ_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC []
       THEN PURE_ONCE_REWRITE_TAC [ SPECL [ "~a(SUC n)" ] CONJ_SYM]
       THEN PURE_ONCE_REWRITE_TAC [ SPECL [ "bvEQUAL n a b" ] CONJ_SYM]
       THEN REWRITE_TAC [] THEN EQ_TAC THEN STRIP_TAC
       THEN ASM_REWRITE_TAC []

compare_correct =
|- !n a b great less equ.
     comp_imp n a b great less equ = comp_spec n a b great less equ
Run time: 163.7s
Garbage collection time: 97.6s
Intermediate theorems generated: 13399

let bitEq_spec = new_definition
   (`bitEq_spec`,
    "! first sec e . bitEq_spec first sec e =
        (e = ((first:bool) = sec ))"
   );;

let bitEq_imp = new_definition
   (`bitEq_imp`,
    "! first sec e . bitEq_imp first sec e =
        ? i j . (nor2 first sec i) /\
                (and2_imp first sec j) /\
                (or2_imp i j e) "
   );;

let bitEq_correct = prove_thm
   (`bitEq_correct`,
    "! first sec e.
       bitEq_imp first sec e = bitEq_spec first sec e",
    REWRITE_TAC [ bitEq_imp; bitEq_spec; or2_correct;
                  nor2; and2_correct; inv; or2_spec; and2_spec]
    THEN REPEAT GEN_TAC
    THEN EXISTS_ELIM_TAC

|- !first sec e. bitEq_imp first sec e = bitEq_spec first sec e
Run time: 15.3s
Intermediate theorems generated: 1251

let compEq_spec = new_definition
   (`compEq_spec`,
    "! n a b e.
       compEq_spec n a b e =
         ( e = ( bvEQUAL n a b) )"
   );;

let compEq_imp = new_prim_rec_definition
   (`compEq_imp`,
    "(compEq_imp 0 a b eq = (bitEq_imp (a 0) (b 0) eq))/\
     (compEq_imp (SUC n) a b eq =
        ? en em .
          (compEq_imp n a b en) /\
          (bitEq_imp (a (SUC n)) (b (SUC n)) em) /\
          (and2_imp en em eq)
     )"
   );;

let compEq_correct = prove_thm
   (`compEq_correct`,
    "! n a b e. compEq_imp n a b e = compEq_spec n a b e",
    INDUCT_TAC
    THEN REPEAT GEN_TAC
    THEN ASM_REWRITE_TAC[compEq_imp; compEq_spec; bvEQUAL_DEF; and2_imp;
                         bitEq_correct; bitEq_spec; inv; nand2 ]
    THEN EXISTS_ELIM_TAC
    THEN PURE_ONCE_REWRITE_TAC [ SPECL [ "bvEQUAL n a b" ] CONJ_SYM]
    THEN REWRITE_TAC []
   );;
compEq_correct = |- !n a b e. compEq_imp n a b e = compEq_spec n a b e
Run time: 22.1s
Intermediate theorems generated: 1796

close_theory();;
APPENDIX C: PAGECHECK UNITS
system `rm pgCk.th`;;
loadf `exist_tac.ml`;;
new_theory `pgCk`;;
map load_parent [`gates`; `bitVector`; `comparer`; `register`];;

let bitFalse = new_definition
   (`bitFalse`, "!t . bitFalse t = F");;

% pgCk specifies a (register,ack) pair for a (n,address,writeOp,register)
  input tuple %
let pgCk = new_definition
   (`pgCk`, "!rgstr address write n. pgCk n address write rgstr =
      ((write = T) => (address, T:bool) |
       (bvEQUAL n rgstr address) => (rgstr, T) |
       (rgstr, F)
      )" );;

let pgCk_spec = new_definition
   (`pgCk_spec`,
    "!(reg addr :num->num->bool) (rWC ack :num->bool) (n:num).
     pgCk_spec n addr rWC reg ack =
       !(t:num). (reg(t+1), ack(t+1)) =
                 pgCk n (addr t) (rWC t) (reg t)" );;

let pgCk_imp = new_definition
   (`pgCk_imp`,
    "!reg addr rWC n ack. pgCk_imp n addr rWC reg ack =
       !t.
       (?g l e.
          (reg_imp n addr rWC bitFalse reg) /\
          (comp_imp n (ABS n reg t) (ABS n addr t) g l e) /\
          (or2_imp e (rWC t) (ack (t+1)))
       )"
   );;

let pgCk_correct = prove_thm
   (`pgCk_correct`,
    "!reg addr rWC n ack . pgCk_imp n addr rWC reg ack ==>
        pgCk_spec n (ABS n addr) rWC (ABS n reg) ack",
    REPEAT GEN_TAC

    REWRITE_TAC [ compare_correct; reg_correct; or2_correct ]
    REWRITE_TAC [ reg_spec; comp_spec; or2_spec]

% now add a supervisor line %
let pgCka_spec = new_definition
   (`pgCka_spec`,
    "!(reg addr :num->num->bool) (sup rWC ack :num->bool) (n:num).
     pgCka_spec n addr rWC sup reg ack =
       !(t:num). (reg(t+1), ack(t+1)) =
                 pgCk n (addr t) (rWC t /\ sup t) (reg t)" );;

let pgCka_imp = new_definition
   (`pgCka_imp`,
    "!reg addr rWC sup n ack. pgCka_imp n addr rWC sup reg ack =
       !t.
       (?x g l e.
          (and2_imp (rWC t) (sup t) (x t) ) /\
          (reg_imp n addr x bitFalse reg) /\
          (comp_imp n (ABS n reg t) (ABS n addr t) g l e) /\
          (or2_imp e (x t) (ack (t+1)))
       )" );;

let pgCka_correct = prove_thm
   (`pgCka_correct`,
    "!reg addr rWC sup n ack . pgCka_imp n addr rWC sup reg ack ==>
        pgCka_spec n (ABS n addr) rWC sup (ABS n reg) ack",
    REPEAT GEN_TAC
    THEN ONCE_REWRITE_TAC [ pgCka_imp; pgCka_spec ]
    THEN ONCE_REWRITE_TAC [pgCk]
    THEN ONCE_REWRITE_TAC
         [ compare_correct; reg_correct; or2_correct; and2_correct ]
    THEN ONCE_REWRITE_TAC [ reg_spec; comp_spec; or2_spec; and2_spec]
    THEN REWRITE_TAC [ bitFalse ]
    THEN EXISTS_ELIM_TAC
    THEN REPEAT STRIP_TAC
    THEN POP_ASSUM(\thm. STRIP_ASSUME_TAC (SPEC_ALL thm))
    THEN ASSUM_LIST(\ul. REWRITE_TAC
           [(REWRITE_RULE [el 2 ul] (el 3 ul))])
    THEN MAP_EVERY ASM_CASES_TAC [ "(rWC t):bool"; "(sup t):bool"]
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [
           (REWRITE_RULE [(el 1 thl); (el 2 thl)] (el 4 thl) ) ] (el 5 thl) ))
    THEN ASM_REWRITE_TAC []
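The bit-vector relations of appendix A, the gate-level comparator of appendix B and the page check pgCk of appendix C, as an added Python model (not the report's HOL) that checks the theorem compare_correct exhaustively for small widths; identifiers follow the HOL names, and bit n is the most significant bit as in bvGREATER's recursion.

```python
"""Executable reading of the bitVector theory (appendix A) and the comparer
and pgCk theories (appendices B and C): the relations bvGREATER/bvLESS/bvEQUAL
on the comp_spec side, the gate-level ripple comparator comp_imp built from
bitComp_imp and compComb_imp, and the page check pgCk that consumes the
comparator's equality output.  Added illustration in Python, not the report's
HOL; vectors are bit functions num->bool as in the HOL (tuples for pgCk)."""
from itertools import product
from typing import Callable, Tuple

Vec = Callable[[int], bool]          # HOL "a:num->bool": bit i of the vector
Bits = Tuple[bool, ...]


def as_vec(bits: Bits) -> Vec:
    return lambda i: bits[i]


# ---- bitVector theory: relations over bits 0..n (bit n most significant) ----
def bvEQUAL(n: int, a: Vec, b: Vec) -> bool:
    return all(a(i) == b(i) for i in range(n + 1))


def bvGREATER(n: int, a: Vec, b: Vec) -> bool:
    # HOL: bvGREATER (SUC n) a b = (a(SUC n) /\ ~b(SUC n)) \/
    #                             ((a(SUC n) = b(SUC n)) /\ bvGREATER n a b)
    if n == 0:
        return a(0) and not b(0)
    return (a(n) and not b(n)) or (a(n) == b(n) and bvGREATER(n - 1, a, b))


def bvLESS(n: int, a: Vec, b: Vec) -> bool:
    return bvGREATER(n, b, a)


def comp_spec(n: int, a: Vec, b: Vec) -> Tuple[bool, bool, bool]:
    """(g, l, e) exactly as comp_spec states them."""
    return bvGREATER(n, a, b), bvLESS(n, a, b), bvEQUAL(n, a, b)


# ---- comparer theory: gate level -------------------------------------------
def bitComp_imp(first: bool, sec: bool) -> Tuple[bool, bool, bool]:
    """bitComp_imp: two inverters (p, q) and three NOR2 gates."""
    p, q = not first, not sec
    g = not (p or sec)        # first /\ ~sec
    l = not (q or first)      # ~first /\ sec
    e = not (g or l)          # first = sec
    return g, l, e


def compComb_imp(g0, g1, l0, l1, e0, e1):
    """compComb_imp: merge the lower-bits result (g0,l0,e0) with the result
    for the next higher bit (g1,l1,e1); the higher bit decides unless equal."""
    return g1 or (e1 and g0), l1 or (e1 and l0), e1 and e0


def comp_imp(n: int, a: Vec, b: Vec) -> Tuple[bool, bool, bool]:
    """Ripple comparator, recursing on n exactly as comp_imp's prim-rec def."""
    if n == 0:
        return bitComp_imp(a(0), b(0))
    gn, ln, en = comp_imp(n - 1, a, b)
    gm, lm, em = bitComp_imp(a(n), b(n))
    return compComb_imp(gn, gm, ln, lm, en, em)


def compare_correct(n: int) -> bool:
    """Exhaustive counterpart of the theorem compare_correct for n+1 bits."""
    vectors = list(product((False, True), repeat=n + 1))
    return all(comp_imp(n, as_vec(a), as_vec(b)) == comp_spec(n, as_vec(a), as_vec(b))
               for a in vectors for b in vectors)


# ---- pgCk theory: the page check that uses the comparator's e output -------
def pgCk(n: int, address: Bits, write: bool, rgstr: Bits) -> Tuple[Bits, bool]:
    """pgCk n address write rgstr -> (register', ack): a write loads the page
    register and is acknowledged; otherwise the access is acknowledged only if
    the address equals the stored page (pgCk_imp feeds comp_imp's e into ack)."""
    if write:
        return address, True
    _, _, e = comp_imp(n, as_vec(rgstr), as_vec(address))
    return rgstr, e
```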
APPENDIX D: BASE AND BOUNDS CHECK UNIT
system `rm mmu.th`;;
loadf `exist_tac.ml`;;
new_theory `mmu`;;
map load_parent [`gates`;`bitVector`;`comparer`;`register`];;

let bitFalse = new_definition

% addr, offset, data, supervisor state, read/write request,
  ADDR of register %

let bbSUPERV = new_definition
   (`bbSUPERV`,
    "!(bbReg addr data :num->bool)
      (ADDR :num->bool) (rw:bool) (n:num).
     bbSUPERV n bbReg addr data ADDR rw =
       ( rw => ((bvEQUAL n addr ADDR) => (data, T:bool) | (bbReg, T)) |
               (bbReg, T) )" );;

let bbCOMP = new_definition
   (`bbCOMP`,
    "!bbReg addr n s.
     bbCOMP n s bbReg addr =
       ( (bvEQUAL n (bvPART n s bbReg)(bvPART n s addr) /\ ~(bvGREATER s addr bbReg) )
         => (bbReg, T:bool) | (bbReg, F))");;

let bbNextState = new_definition
   (`bbNextState`,
    "!(bbReg addr data :num->bool)
      (ADDR :num->bool) (super rw ack :bool)(n s :num).
     bbNextState n s bbReg addr data ADDR super rw =
       ( super => bbSUPERV n bbReg addr data ADDR rw |
                  bbCOMP n s bbReg addr )" );;

let baseBoundCk_spec = new_definition
   (`baseBoundCk_spec`,
    "! (bbReg addr data :num->num->bool) (ADDR :num->bool)
       (super rw ack :num->bool) (n s:num).
     baseBoundCk_spec n s bbReg addr data ADDR super rw ack =
       (s < n) ==>
       !t. (bbReg(t+1),ack(t+1) ) =

    "PRT w max min (sig:num->num->bool) (t:num) (n:num)
       = (n<min) => F |
         (n<=w) => (sig n t) | ARB");;

let baseBoundCk_imp = new_definition
   (`baseBoundCk_imp`,
    "!(bbReg addr data :num->num->bool)(ADDR :num->bool)
      (super rw ack :num->bool) (n s:num).
     baseBoundCk_imp n s bbReg addr data ADDR super rw ack =
       (s < n) ==> !t.
       (? writeBB g0 g1 g2 l0 l1 l2 e2 x addrMatch goodSeg goodOfs ok.
          (reg_imp n data writeBB bitFalse bbReg) /\
          (comp_imp n (ABS n addr t) ADDR g0 l0 (addrMatch t)) /\
          (and2_imp (rw t) (super t) (x t)) /\
          (and2_imp (addrMatch t) (x t) (writeBB t)) /\
          (comp_imp n (PRT n n s bbReg t)
                      (PRT n n s addr t) g1 l1 goodSeg) /\
          (comp_imp s (ABS n addr t)
                      (ABS n bbReg t) g2 l2 e2) /\
          (inv g2 goodOfs) /\
          (and2_imp goodOfs goodSeg ok) /\
          (or2_imp ok (super t) (ack (t+1)))
       )");;

% prove some lemmas %
let mmuLemma0 = prove_thm
   (`mmuLemma0`,
    "!(n s t:num) (sig:num->num->bool). (s < n) ==>

let mmuLemma1 = prove_thm
   (`mmuLemma1`,
    "(bvEQUAL n(bvPART n s(ABS n bbReg t))(bvPART n s(ABS n addr t)) /\
      ~bvGREATER s(ABS n addr t)(ABS n bbReg t)) =
     (~bvGREATER s(ABS n addr t)(ABS n bbReg t)) /\
      (bvEQUAL n(bvPART n s(ABS n bbReg t))(bvPART n s(ABS n addr t)))",
    ONCE_REWRITE_TAC [

let mmuLemma3 = prove_thm
   (`mmuLemma3`,

    THEN REWRITE_TAC [num_CONV "1"]
    THEN POP_ASSUM(\thm. ASSUME_TAC
           (REWRITE_RULE [thm] (SPECL ["n"; "0"] GREATER) ))
    THEN POP_ASSUM (\thm. ASSUME_TAC
           (REWRITE_RULE [thm] (SPECL ["0"; "n"] LESS_EQ) ))
    THEN POP_ASSUM(\thm. REWRITE_TAC [
           (REWRITE_RULE [thm] (SPECL ["n";"(SUC 0)"] SUB_ADD) )])
   );;

% prove baseBoundCk_correct %
let baseBoundCk_correct = prove_thm
   (`baseBoundCk_correct`,
    "! (bbReg addr data :num->num->bool) (ADDR :num->bool)
       (super rw ack :num->bool) (n s:num).
     baseBoundCk_imp n s bbReg addr data ADDR super rw ack ==>
     baseBoundCk_spec n s (ABS n bbReg) (ABS n addr) (ABS n data)
                      ADDR super rw ack",
    REWRITE_TAC [baseBoundCk_imp; baseBoundCk_spec]
    THEN REPEAT GEN_TAC

         [and2_correct; reg_correct; compare_correct; or2_correct; inv]
    THEN ONCE_REWRITE_TAC [and2_spec; or2_spec; reg_spec; comp_spec]
    THEN REWRITE_TAC [ bitFalse ]
    THEN EXISTS_ELIM_TAC
    THEN REPEAT STRIP_TAC
    THEN POP_ASSUM(\thm. STRIP_ASSUME_TAC (SPEC_ALL thm))
    THEN MAP_EVERY ASM_CASES_TAC [ "(rw t):bool"; "(super t):bool"]
    THENL [
      % 1/4 %

      ASSUM_LIST(\ul. REWRITE_TAC [ (el 1 ul); (el 2 ul)] )
      THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 5 thl) ))
      THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [(el 3 thl)] (el 5 thl) ))
      THEN ASSUM_LIST(\thl. ASSUME_TAC
             (REWRITE_RULE [(el 1 thl)] (SPEC "t" (el 5 thl)) ))
      THEN ASSUM_LIST(\thl. REWRITE_TAC [(el 1 thl) ; (el 3 thl)] )
      ; % 4/4 %
      ALL_TAC] % cases 2 and 4 remain %
    THEN REWRITE_TAC [mmuLemma1]
    THEN ASSUM_LIST(\ul. REWRITE_TAC [ (el 1 ul); (el 2 ul)] )
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 5 thl) ))
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [(el 2 thl)] (el 5 thl) ))
    THEN ASSUM_LIST(\thl. ASSUME_TAC
           (REWRITE_RULE [(el 1 thl)] (SPEC "t" (el 5 thl)) ))
    THEN ASSUM_LIST(\thl. ASSUME_TAC
           (REWRITE_RULE [(el 10 thl)] (SPECL ["n";"s";"t"] mmuLemma0) ))
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 4 thl) ))
    THEN ASM_CASES_TAC "ack(t+1):bool"
    THEN ASSUM_LIST(\thl. REWRITE_TAC [(el 1 thl) ; (el 4 thl);
           (REWRITE_RULE [(el 1 thl)] (el 2 thl)) ] )

baseBoundCk_correct =
|- !bbReg addr data ADDR super rw ack n s.

Garbage collection time: 347.8s
Intermediate theorems generated: 31227
APPENDIX E: VIRTUAL ADDRESS TRANSLATION UNIT
• et_flq( 'print.al1_•ubsoal•', false) ; :




l•t bitFal•• - new.d•f_uittm
('bAtFalse', "tt . bitFalse t = F");;
baseBouads I_U with virtual address translation
,Z
let vSUPERV - new_de:f_4tion
( ' vSUPF.RV',
"f(bbReg vaReg addr data :nua->bool)
(ADDR :nua->bool) (re:bool) (n:nua).
vSUPF_V n bbRe K va_, s addr data ADDR re =
( (re /\ (bvEQUAL n (bvPJ£T n I add:) (bvP_T n I £DDR) ))
-> (add: O) => (data, vaRe K, add:, T:bool) J
(bbReg, data, add:, T:bool) J
(bbReg, vaReg, addr, T) )" );;
let VtoR = new.de1_tion
('VtoR',
"VtoR reall virti • n
= Cn> •) -> (real/n):bool [
(virti n)" );;
let vCOMP - naw.def£uitAon
('vC0_',
"!bbReg vaAeg addr n •.
vCOlqPn • bbRe s va_eg add.r=
( (bvEQUAL n (bvP_T n • bbReg)(bvP_T n s add:) I\
"(bvGRFATERs add: bbReg) )
=> (bbReg, wtReg, (VtoR rares addr s), T:bool) [
(bbRag, vaReg, addr, F))'*);;
let vJext$tat• = nev_def£uition
('vhxtStat•'.
"!(bbReg vaKeg add: data :nua->bool)
(£DDR :nma->bool) (super re ack :bool) (n s :nun).
v|extStat• n • bbReg vageg add: data £DDR super rv m
( super m> vSUPERV n bbRe 8 vaReg add:dataJU_DR re J
vCOl_ n • bbReg vaRsg addr )" );;
let virtBBCk_spec m nau.daf/_itlon
('virtBBCk.apec',
"!(bbReg vaReg addrdata matLddr :nua->nua->bool)(£DD_ :nua->bool)
(super re ack :nua->bool) (n e:nua).
virtBBCk_spec n • bbReg vaRag add: data LDDR super re ack outAddr=
(s < n) =->
55
!t. (bbSsg(t÷l),vde$(t*l), outAd_r(t÷l), ack(t+l) ) =
vlextStat, n s (bbReg t) (wJ_lg t) (ad_ t) (data t)
IDDR (super t) (_ _)");;
let PRT = neg_de]_tion
('PRT',
"PRT • max nin (sig:num->nua->bool) (t:nus) (n:nua)
- (n>aax) => F I
(n•nin) => F I
(n<- ,) => (•_nt) ! AU");;
l•t PRTI mne•_defLis.itloa
('PRTA'o
"PRTA • max n:i_ (mig:_->bool) (n:nus)
- (n>mz) a_F I
(n<ain)-> F I
(n<- u) => (•iS n) I LAB ");;
let ptck_tmlp- nev_definttto_
('pick.iap'.
"Nck_tap (,erda :m,..->bool) (wordB :nua->bool) (which:heel) re•
- (•hich- T) => (tea - uordl) I (re• = vordB)");;
let vL-'tBBCk_:_p= nsw_def_u_tion
('vi_SeCk_i_p'.
"!(bbRe S vsReg addr date outlddz :nua->nua->bool)(LDDR :nua->bool)
(super r_ ack :nua->bool) (n s:nua).
virtBBCk.tapn • bblteg rares addx data ADDR super ru ack outiddr-
(s • n) ,-.> it.
(? vBB vVl •elect x aMO ed(! aIq2 goodSeg goodOfs ok nok nxlat S 1 e.
(Ind2_:L_ (rl t) (super t) (x t)) /\
(coapEq_tipn (PRT n n 1 •ddr t) (PRTI n n 1LDDR) (aJ_O t)) /\
(and2_tap (a.qo t) (z t) (aM1 t)) /\
(:in, (addrO t) (a)12 t) ) /\
(andl_iJq_ (aM! t) (•ddrO t) (vBB t)) /\
(and2_i_ (o)11 t) (aN2 t) (wVi t)) /\
(reg.4=p n data uBB bitFalse bbReg) /\
(reK_/mp n data gVl bitFalse vaReg) /\
(compEq__p n (PRTn n • bbReg t)
(PRTn n s addr t) goo_Seg) /\
(conp_iaps (JIBS n eddr t)
(ABS n bbReg t) g I e) /\
(inv S S°°dOle) /\
(and2.tap goodOfa good_egok) l\
(or2_ta_ok (super t) (ack (t+l))) /\
(inv ok nok ) /\
(or2_ispnok (super t) _xlet) /\
(pick._ep (J_S n adcLr t) (J_S n vaAeg t) ztxlat (select t)) /\
( (eutiddr (t+l))- (VtoR (select t) (JIBS n •ddr t) • ) )
)");;
Z..... "prove •one lmu
let :muLemlaO -prove.thl
('mmuLasaO'.
"!(n • t:nua) (sis:nua->nma->bool).




THEII ILEk_.ITE.TAC [PP, T;bvPJLRT;ABS]
);_
let mmLma! • prove__lm
N(bvEQUAL n(bvP&RT n s(ABS n bbReg _))(bvPA_qT n s(ABS n addr t)) /\
"bvGP.EATER s(ABS n addr t)(LBS n bbReg t)) •
('b_RFATER a(/B$ n addr t)(ABS n bbRe 8 t)) /\
(bvEQUAL =(bvPLRT n a(kBS n bbRa s t))(bvPJ.qT n s(LBS n addr t)))",
OICE_REVRITE.TAC [
SPEC "'b_IRFATER s(ABS n addr t)(LB$ n bbRGs t)" COBJ.SYM]
THEll BEFL_TAC
);;
let |muLe:ma2 = prove_thin
( ' aauLeaas2 '.




TliEli BOOL_CASES_TAC "n > s"
TRF,JI REWI_ZTE_TAC []
)_;
let mauLemia3 = provo_tha
( 'smuLemsa3 ',
":(n s :nul) (sig:nua->bool). (PRTA n n s sig) - (bvPLRT n a sis)",
COIV.TAC (DEFTH_COIV FU]I_ZQ_CONV)
THEN REPE_T GEI_TAC
THEm P.EWRITE.TAC [PRTA ;bvPJ.qT]
THEN ASM.CASES.TAC "(n _ > n)"
THEM ASM_REWRITE_TAC I-I
THEM ASSUM.LZST(\uZ. ASSLME_TAC(
KEWRITE_P,ULE [ (SPECL ["n'";"n"] GP_ATER) ] (el I ul) ))
THEM ASSUM.LIST(\uI. REWRITE.TAC[
REWRITE_P, ULE [ (el 1 asl) ] (SPECL ["n";"n'"] LESS_CASES) ])
let smul.a,,,a4 - prove_tha
( 'amuLesma4 ',
"addr 0 t = LBS n addr t 0",
0|CE.P.EYRITE_TAC [ABS]
THEB ONCE.REgRZTE_TAC [SPECL ["0" ; "n"] LESS.OR_EQ]
THEN REWRITE_TAC [
BEWRITE.RULE[SPEC "(O,,,n)" DISJ.STM] (SPECL["n"] LESS_0.CASES)]
);:
Z' prove correct ...... %
let vlrtBB.correct - prova_thm
( ' virtBB.corract ',
"_(bbRe 8 valte 8 addr data outAddr :nua->nua->bool)(ADDR :nuB->bool)
(super rvack :nua->bool) (n a:nua).
vL-'tBBCk_i_p n • bbReg vaReg addr data LDDR super rv ack outAddr =m>
virtBBCk_apec n • (AB$ n bbReg) (ABS n raReS) (ABS n addr)
(ABS n data) LDDR super r_ ack outiddr",
IEb'RITE_TAC [virtBBCk.iap; virtBBCk.apec]
THEir REPEAT GFJ_TAC




THEII O]ICE_BEW_ITE_TAC [vSUPERV; vCOMP]
O]C£_BE_ITE_TAC
[and2_correct; reg_correct; comp_correct;
 compEq_correct; or2_correct; inv]
THEN ONCE_REWRITE_TAC [and2_spec; or2_spec; reg_spec;
 comp_spec; compEq_spec; pick_tsp]
THEN REWRITE_TAC [ bitFalse ]
THEN EXISTS_ELIM_TAC
THEN REPEAT STRIP_TAC
THEN POP_ASSUM(\thm. ASSUME_TAC (SPEC_ALL thm))
THEN MAP_EVERY ASM_CASES_TAC ["(super t):bool"; "(rw t):bool"]
THEN ASSUM_LIST(\asl. STRIP_ASSUME_TAC
  (REWRITE_RULE [(el 1 asl);(el 2 asl)] (el 3 asl)))
THEN POP_ASSUM_LIST(\asl.
  MAP_EVERY ASSUME_TAC(rev( subtract asl [(el 12 asl)])))
THENL
[ % 1/4 (super t) (rw t) %
  ASSUM_LIST (\asl.
    REWRITE_TAC [(el 6 asl);(el 10 asl);(el 11 asl)] )
  THEN ASM_CASES_TAC "bvEQUAL n(PRT n n 1 addr t)(PRT n n 1 ADDR)"
  THEN ASSUM_LIST(\thl. REWRITE_TAC [ REWRITE_RULE
    [(SPECL ["n"; "1" ; "ADDR"] mmuLemma3) ;
     (SPECL ["n";"1";"t";"addr"] mmuLemma0)] (el 1 thl) ])
  THEN ASSUM_LIST(\thl. ASSUME_TAC
    (REWRITE_RULE [mmuLemma2;(el 2 thl)] (el 8 thl)))
  THENL [
    ASM_CASES_TAC "(addr 0 t):bool"
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
      [(REWRITE_RULE [(el 1 thl);(el 3 thl)] (el 7 thl) )]
      (SPEC "t" (el 5 thl)) ))
    THEN ASSUM_LIST(\asl. REWRITE_TAC
      [REWRITE_RULE [mmuLemma4] (el 2 asl)] )
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
      [(REWRITE_RULE [(el 2 thl);(el 4 thl)] (el 9 thl) )]
      (SPEC "t" (el 7 thl)) ))
    THEN ASSUM_LIST(\thl. REWRITE_TAC
      [PAIR_EQ; (el 1 thl); (el 2 thl); (el 4 thl)])
  ; ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
      [(REWRITE_RULE [(el 2 thl);(el 3 thl)] (el 7 thl) )]
      (SPEC "t" (el 5 thl)) ))
    THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
      [(REWRITE_RULE [(el 3 thl);(el 4 thl)] (el 7 thl) )]
      (SPEC "t" (el 5 thl)) ))
    THEN ASSUM_LIST(\thl. REWRITE_TAC
      [PAIR_EQ; (el 1 thl) ; (el 2 thl) ; (el 3 thl)] )
  ]
; % 2/4 super t /\ ~rw t %
  REWRITE_TAC [mmuLemma2]
; % 3/4 ~super t /\ rw t %
  ALL_TAC
; % 4/4 ~super t /\ ~rw t %
  ALL_TAC
]
THEN ASSUM_LIST(\asl. (REWRITE_TAC [ (el 10 asl); (el 11 asl); mmuLemma1;
  (REWRITE_RULE [(el 5 asl)] (SPEC "t" (el 3 asl)));
  (REWRITE_RULE [(el 4 asl)] (SPEC "t" (el 2 asl)))]))
THEN ASM_CASES_TAC "(~bvGREATER n(ABS n addr t)(ABS n bbReg t) /\
  bvEQUAL n(PRT n n 1 bbReg t)(PRT n n 1 addr t))"
THEN ASSUM_LIST(\asl. REWRITE_TAC[ REWRITE_RULE [mmuLemma0] (el 1 asl)])
THEN ASSUM_LIST(\asl. REWRITE_TAC[ REWRITE_RULE [(el 1 asl)] (el 7 asl)])
THEN ASSUM_LIST(\asl. REWRITE_TAC [ mmuLemma2; (REWRITE_RULE

|- !bbReg vsReg addr data outAddr ADDR super rw ack n s.

Garbage collection time: 734.6s

('mmuLemma0',
 "!(n e t:num) (eis:num->num->bool). (e < n) ==>

let mmuLemma3 = prove_thm
  ('mmuLemma3',
   "!(n e :num) (eis:num->bool). (e < n) ==>

   THEN ASM_CASES_TAC "(n' > (SUC n))"
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST(\asl. ASSUME_TAC(
     REWRITE_RULE [ (SPECL ["n'";"(SUC n)"] GREATER) ] (el 1 asl) ))
  ;ASSUM_LIST (\asl. REWRITE_TAC [
     REWRITE_RULE [ (el 1 asl) ] (SPECL ["(SUC n)";"n'"] LESS_CASES) ])
  ];;
APPENDIX F - ABSTRACT MEMORY MANAGEMENT UNIT

mmu_abs.ml

let Library_Root = '/epoch/dl/csgrad/schubert/hol/Library/';;
let lib_dir_list =
  (map (concat Library_Root)
    ['gates/' ; 'bits/' ; 'words/' ; 'numbers/' ; 'decimal/' ; 'assoc/']);;
set_search_path (search_path() @ ['. ' ;
  '/epoch/dl/csgrad/schubert/hol/tactics/' ;
  '/epoch/dl/csgrad/schubert/hol/ml/' ;
  '/epoch/dl/csgrad/schubert/hol/theories/' ;
  '/epoch/dl/csgrad/schubert/hol/lisp/vax/' ;
  ]
  @ lib_dir_list);;
loadf ('aux_defs.ml');;
system 'rm /epoch/dl/csgrad/schubert/hol/theories/mmu_abs.th';;
new_theory 'mmu_abs';;
loadf 'abstract';;
new_type_abbrev ('RWE', ":bool#bool#bool");;
let mmu_abs = new_abstract_representation
[
  ('segId',       ":(*address -> *wordn)");
  ('segOfs',      ":(*address -> *wordn)");
  ('segIdShf',    ":(*address -> *wordn)");
  ('availBit',    ":(*wordn -> bool)");
  ('readBit',     ":(*wordn -> bool)");
  ('writeBit',    ":(*wordn -> bool)");
  ('execBit',     ":(*wordn -> bool)");
  ('add',         ":(*wordn # *wordn -> *wordn)");
  ('addrEq',      ":(*address # *address -> bool)");
  ('ofsLEq',      ":(*address # *wordn -> bool)");
  ('validAccess', ":(*address # *wordn # RWE -> bool)");
  % Coercion functions %
  ('val',         ":(*wordn -> num)");
  ('wordn',       ":(num -> *wordn)");
  ('address',     ":(*wordn -> *address)");
  % Memory functions %
  ('fetch',       ":(*memory # *address) -> *wordn");
  ('trans',       ":*memory -> *memory")
];;

let Library_Root = '/epoch/dl/csgrad/schubert/hol/Library/';;
let lib_dir_list =
  (map (concat Library_Root)
    ['gates/' ; 'bits/' ; 'words/' ; 'numbers/' ; 'decimal/' ; 'assoc/']);;
set_search_path (search_path() @ ['. ' ;
  '/epoch/dl/csgrad/schubert/hol/tactics/' ;
  '/epoch/dl/csgrad/schubert/hol/ml/' ;
  '/epoch/dl/csgrad/schubert/hol/theories/' ;
  '/epoch/dl/csgrad/schubert/hol/lisp/vax/' ;
  ]
  @ lib_dir_list);;
loadf ('aux_defs.ml');;
system 'rm /epoch/dl/csgrad/schubert/hol/theories/mmu_def.th';;
new_theory 'mmu_def';;
loadf 'abstract';;
map load_parent ['mmu_abs' ; 'time_abs'];;
let rep_ty = abstract_type 'mmu_abs' 'segId';;
%
type defs for RWE
%
new_type_abbrev ('RWE', ":bool#bool#bool");;
let rBIT = new_definition
  ('rBIT', "!rwe:RWE. rBIT rwe = (FST rwe)");;
let wBIT = new_definition
  ('wBIT', "!rwe:RWE. wBIT rwe = (FST (SND rwe))");;
let eBIT = new_definition
  ('eBIT', "!rwe:RWE. eBIT rwe = (SND (SND rwe))");;
%
Security bit auxiliary definitions
Segment Descriptor:
  0: [Avail|Read|Write|Execute| .... | Segment Size]

%
let legalAccess = new_definition
  ('legalAccess', "!(rwe:RWE) vAddr tblPtr mem (r:^rep_ty).
    legalAccess r vAddr tblPtr rwe mem =
      let a = (fetch r)( mem,
                (address r)((add r) (segIdShf r vAddr,tblPtr) )) in
      ( (validAccess r) (vAddr,a,rwe) /\ (ofsLEq r) (vAddr,a))");;
let vToR = new_definition
  ('vToR',
   "!vAddr tblPtr mem (r:^rep_ty). vToR r vAddr tblPtr mem =
      let a = (fetch r) (mem, (address r)
                ((add r)( (wordn r 1), (add r)(segIdShf r vAddr,tblPtr) ))) in
      (address r) ((add r) (segOfs r vAddr, a)) ");;
let superMode = new_definition
  ('superMode',
   "!rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    superMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ((wBIT rwe) /\ (addrEq r (vAddr,tblPtrADDR)))
        => ( T, vAddr, data ) |
           ( T, vAddr, tblPtr )");;
%
let userMode = new_definition
  ('userMode',
   "!rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    userMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ((wBIT rwe) /\ (addrEq r (vAddr,tblPtrADDR)))
        => ( F:bool, vAddr, tblPtr ) |
           ( legalAccess r vAddr tblPtr rwe mem
               => ( T, (vToR r vAddr tblPtr mem), tblPtr ) |
                  ( F, vAddr, tblPtr ) )");;
%
let userMode = new_definition
  ('userMode',
   "!rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    userMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ( legalAccess r vAddr tblPtr rwe mem
          => ( T, (vToR r vAddr tblPtr mem), tblPtr ) |
             ( F, vAddr, tblPtr ) )");;
let nextState = new_definition
  ('nextState',
   "!rwe superv vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    nextState r vAddr rwe tblPtrADDR tblPtr data mem superv =
      (superv => superMode r vAddr rwe tblPtrADDR tblPtr data mem |
                 userMode  r vAddr rwe tblPtrADDR tblPtr data mem )");;
let mmu_beh = new_definition
  ('mmu_beh',
   "!reqIn rwe superv vAddr tblPtrADDR tblPtrIn mem data (r:^rep_ty).
    mmu_beh r reqIn rwe vAddr superv data mem tblPtrADDR tblPtrIn =
      % (reqOut , rAddr , tblPtrOut ) = %
      reqIn => nextState r vAddr rwe tblPtrADDR tblPtrIn data mem superv |
               (F:bool, vAddr, tblPtrIn)");;
let mmu_spec = new_definition
  ('mmu_spec',
   "!rwe superv vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    mmu_spec r vAddr rwe tblPtrADDR tblPtr data mem superv =
      (superv => superMode r vAddr rwe tblPtrADDR tblPtr data mem |
                 userMode  r vAddr rwe tblPtrADDR tblPtr data mem )");;
% IMPLEMENTATION %
let secUnit_spec = new_definition
  ('secUnit_spec',
   "!a b ok (r:^rep_ty)(rwe:num->RWE). secUnit_spec r a b rwe ok =
    !t. ok (t+1) =
      ((validAccess r) ((a t),(b t),(rwe t)) /\ (ofsLEq r) ((a t),(b t)))");;
let addUnit_spec = new_definition
  ('addUnit_spec', "!(a b c :num->*wordn) (r:^rep_ty).
    addUnit_spec r a b c = !t:num. c (t+1) = (add r ( (a t),(b t) ))");;
let muxUnit_spec = new_definition
  ('muxUnit_spec',
   "!(a out:num->*address) (b :num->*wordn) (s :num->bool) (r:^rep_ty).
    muxUnit_spec r a b out s =
    !t:num. (out (t+1)) = (s (t+1)) => address r(b (t+1)) | (a t)");;
let mux3Unit_spec = new_definition
  ('mux3Unit_spec',
   "!(a b c out :num->*wordn) (s:num->num). mux3Unit_spec a b c out s =
    !t:num. (out t) = (s t = 0) => a t | (s t = 1) => b t | c t" );;
let splitUnit_spec = new_definition
  ('splitUnit_spec',
   "!(r:^rep_ty) virt id ofs. splitUnit_spec r virt id ofs =
    !t:num. ((id t)  = (segIdShf r) (virt t)) /\
            ((ofs t) = (segOfs r)   (virt t)) ");;
let latchUnit_spec = new_definition
  ('latchUnit_spec',
   "!(i out :num->*wordn) (ctrl:num->bool) (r :^rep_ty).
    latchUnit_spec r i out ctrl =
    !t:num. out (t+1) = ctrl (t+1) => out t | (i (t+1))");;
let regUnit_spec = new_definition
  ('regUnit_spec',
   "!(i out :num->*wordn) ld clr (r:^rep_ty). regUnit_spec r i ld clr out =
    (!t:num. out (t+1) = (clr t => (wordn r 0) | ld t => i t | out t) ) /\
    (out 0 = (wordn r 0) )");;
let matchUnit_spec = new_definition
  ('matchUnit_spec',
   "!(a b:num->*address) (m:num->bool) (r:^rep_ty). matchUnit_spec r a b m =
    !(t:num). m(t+1) = ( addrEq r (a t, b t) ) => T:bool | F");;
let oneUnit_spec = new_definition
  ('oneUnit_spec', "!t:num (r:^rep_ty). oneUnit_spec r t = (wordn r) 1");;
let bitFalse = new_definition
  ('bitFalse', "!t:num. bitFalse t = F");;
let memoryUnit_spec = new_definition
  ('memoryUnit_spec',
   "!req addr data done mem (r:^rep_ty).
    memoryUnit_spec r req addr data done mem =
      ( (data 0 = wordn r 0) /\ (done 0 = F) ) /\
      !t. ( (req t) => ( (data (t+1) = fetch r (mem t, addr t) ) /\
                         (done (t+1) = T) ) |
                       ( (data (t+1) = wordn r 0) /\
                         (done (t+1) = F) ) )");;
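The abstract specification above (legalAccess, vToR, superMode, userMode, nextState and mmu_beh) is stated over an uninterpreted representation, so it cannot be run as written. The following Python model is an added example, not the report's HOL code: it fixes one concrete instance of the abstract operations so the specification can be exercised on a sample segment table. Everything about that instance is an assumption made here for illustration: *wordn and *address are 32-bit integers, a virtual address is a 16-bit segment id over a 16-bit offset, each table entry is two words (descriptor word, then base word, which is what vToR's fetch at +1 implies), and the descriptor bit positions are invented. The function names (mmu_spec, user_mode, v_to_r, ...) mirror the HOL names but are not the report's.

```python
# Executable instance of the abstract MMU specification (added example,
# not the report's HOL).  ASSUMED encodings: 32-bit words/addresses, a
# virtual address = 16-bit segment id : 16-bit offset, two-word segment
# table entries (descriptor, base) and the descriptor bit layout below.
from dataclasses import dataclass

WORD_BITS = 32
MASK = (1 << WORD_BITS) - 1
OFS_BITS = 16
SIZE_MASK = (1 << OFS_BITS) - 1
AVAIL, READ, WRITE, EXEC = 1 << 31, 1 << 30, 1 << 29, 1 << 28   # assumed


@dataclass(frozen=True)
class RWE:
    """The request's rBIT/wBIT/eBIT (the RWE = bool#bool#bool type)."""
    r: bool
    w: bool
    e: bool


# Concrete versions of the mmu_abs operations.
def add(a, b):            return (a + b) & MASK
def seg_id(v):            return v >> OFS_BITS
def seg_ofs(v):           return v & SIZE_MASK
def seg_id_shf(v):        return (seg_id(v) << 1) & MASK   # index of a 2-word entry
def fetch(mem, addr):     return mem.get(addr, 0)         # unmapped words read as 0
def addr_eq(a, b):        return a == b
def ofs_leq(vaddr, desc): return seg_ofs(vaddr) <= (desc & SIZE_MASK)

def valid_access(vaddr, desc, rwe):
    """Segment available and every requested access kind granted."""
    wanted_granted = ((rwe.r, desc & READ), (rwe.w, desc & WRITE), (rwe.e, desc & EXEC))
    return bool(desc & AVAIL) and all(granted or not wanted for wanted, granted in wanted_granted)

# legalAccess / vToR as defined: descriptor at tblPtr + segIdShf(vAddr),
# base word one past it, real address = base + offset.
def legal_access(mem, vaddr, tblptr, rwe):
    desc = fetch(mem, add(seg_id_shf(vaddr), tblptr))
    return valid_access(vaddr, desc, rwe) and ofs_leq(vaddr, desc)

def v_to_r(mem, vaddr, tblptr):
    base = fetch(mem, add(1, add(seg_id_shf(vaddr), tblptr)))
    return add(seg_ofs(vaddr), base)

def super_mode(mem, vaddr, rwe, tblptr_addr, tblptr, data):
    # A supervisor write to tblPtrADDR loads the table pointer; all else passes through.
    if rwe.w and addr_eq(vaddr, tblptr_addr):
        return (True, vaddr, data)
    return (True, vaddr, tblptr)

def user_mode(mem, vaddr, rwe, tblptr_addr, tblptr, data):
    if legal_access(mem, vaddr, tblptr, rwe):
        return (True, v_to_r(mem, vaddr, tblptr), tblptr)
    return (False, vaddr, tblptr)          # ack = F, address not translated

def mmu_spec(mem, vaddr, rwe, tblptr_addr, tblptr, data, superv):
    """nextState / mmu_spec: (ack, rAddr, tblPtr')."""
    mode = super_mode if superv else user_mode
    return mode(mem, vaddr, rwe, tblptr_addr, tblptr, data)

def mmu_beh(mem, req_in, vaddr, rwe, tblptr_addr, tblptr, data, superv):
    if req_in:
        return mmu_spec(mem, vaddr, rwe, tblptr_addr, tblptr, data, superv)
    return (False, vaddr, tblptr)


# Constructed sample: a table at 0x1000 with three segments.
TBL, TBL_ADDR = 0x1000, 0xFFFF0000
SAMPLE_MEM = {
    TBL + 0: AVAIL | READ | EXEC | 0x0FFF,  TBL + 1: 0x20000,  # seg 0: r-x, 4 KiB
    TBL + 2: AVAIL | READ | WRITE | 0x00FF, TBL + 3: 0x30000,  # seg 1: rw-, 256 B
    TBL + 4: 0,                             TBL + 5: 0x40000,  # seg 2: not available
}
R, W = RWE(True, False, False), RWE(False, True, False)

def user(vaddr, rwe):
    return mmu_spec(SAMPLE_MEM, vaddr, rwe, TBL_ADDR, TBL, 0, superv=False)

def supervisor(vaddr, rwe, data=0):
    return mmu_spec(SAMPLE_MEM, vaddr, rwe, TBL_ADDR, TBL, data, superv=True)

if __name__ == "__main__":
    print(user(0x00000010, R))               # (True, 0x20010, 0x1000)
    print(user(0x00000010, W))               # (False, 0x10, 0x1000): no write bit
    print(user(0x00010100, R))               # (False, ...): offset 0x100 > size 0xFF
    print(supervisor(TBL_ADDR, W, 0x2000))   # (True, TBL_ADDR, 0x2000): table pointer reloaded
```

Note how the spec only ever changes the table pointer on the supervisor path, and only when the written address matches tblPtrADDR; a user request can never alter it, which is the property the control unit's tblC line must preserve in the implementation.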
%
A valid request will require 4 phases, with a delay of at least 1
time unit occurring between phases.
0: (initial) -wait until reqIn-
   add (shift vaddr), tblPtr into tmpReg
   compare vaddr, tblPtrADDR (match)
1:
   if supervisor mode
     if match and write request -> store dataIn into tblPtr

2: -wait until fdone-
   fetch mem (tmpReg+1)
3: -wait until fdone-
   if secUnit pass
     add fetched value, vaddr
     pass request thru (addr,data,rwe) and ack
   else
     FAIL
%
let controlUnit_spec = new_definition
  ('controlUnit_spec', "!(muxC phase :num->num) (rwe: num->RWE)
    (tmpC tblC lC xlat done ack rReq reqIn super match secOK fdone:num->bool).
    controlUnit_spec reqIn super rwe match secOK fdone
                     muxC tmpC tblC lC rReq xlat done ack phase =
    ((muxC 0,tmpC 0,tblC 0,lC 0,rReq 0,xlat 0,done 0,ack 0, phase 0) =
     (0 , F , F , F , F , F , F , F , 0 ) )
    /\
    (!t. (muxC (t+1),tmpC(t+1),tblC(t+1),lC(t+1),rReq(t+1),xlat(t+1),done(t+1),
          ack(t+1),phase(t+1) ) =
      % muxC tmpC tblC lC rReq xlat done ack phase %
      (phase t = 0) =>
        (reqIn t =>
           ( 0, F,F,F, F,F,F,F, 1) |
           ( 0, F,F,F, F,F,F,F, 0)) |
      (phase t = 1) =>
        (super t =>
           (((wBIT (rwe t)) /\ match t) =>
              ( 0, F,T,F, F,F,F,F, 5) |
              ( 0, F,F,F, F,F,T,T, 0)) |
           ( 2, T,F,T, T,T,F,F, 2)) |
      ((phase t = 2) /\ fdone t) =>
           ( 1, F,F,F, T,T,F,F, 3) |
      ((phase t = 3) /\ fdone t) =>
        (secOK t =>
           ( 0, F,F,F, F,T,F,F, 4) |
           ( 0, F,F,F, F,F,T,F, 0)) |
      (phase t = 4) =>
           ( 0, F,F,T, F,T,T,T, 0) |
      (phase t = 5) =>
           ( 0, F,F,F, F,F,T,T, 0) |
      (muxC t,tmpC t,tblC t,lC t, F ,xlat t,done t,ack t,phase t)) " );;
let dataPath = new_definition
  ('dataPath',
   "!(r:^rep_ty) (vAddr rAddr :num->*address)(vData :num->*wordn) mem
    (rwe :num->RWE) (tblPtr :num->*wordn) (tblPtrADDR :num->*address)
    (muxC :num->num)(tmpC tblC lC rReq xlat match secOK fdone :num->bool).
    dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
             muxC tmpC tblC lC rReq xlat match secOK fdone =
    ?data secData id ofs mux1 mux2 addOut latOut.
      (regUnit_spec    r vData tblC bitFalse tblPtr) /\
      (regUnit_spec    r data tmpC bitFalse secData) /\
      (secUnit_spec    r vAddr secData rwe secOK) /\
      (splitUnit_spec  r vAddr id ofs) /\
      (mux3Unit_spec   id ofs (oneUnit_spec r) mux1 muxC) /\
      (mux3Unit_spec   tblPtr data latOut mux2 muxC) /\
      (addUnit_spec    r mux1 mux2 addOut) /\
      (latchUnit_spec  r addOut latOut lC) /\
      (matchUnit_spec  r vAddr tblPtrADDR match) /\
      (muxUnit_spec    r vAddr latOut rAddr xlat) /\
      (memoryUnit_spec r rReq rAddr data fdone mem) ");;
let mmu_imp = new_definition
  ('mmu_imp',
   "!(r:^rep_ty) (vAddr rAddr :num->*address)(vData :num->*wordn)
    (rwe :num->RWE)(superv reqIn xlat ack done :num->bool) mem
    (tblPtr :num->*wordn) (tblPtrADDR :num->*address) (phase :num->num).
    mmu_imp r vAddr vData rwe superv tblPtr tblPtrADDR reqIn
            rAddr done ack xlat mem phase =
    ?(muxC :num->num)(tmpC tblC lC rReq match secOK fdone :num->bool).
      (controlUnit_spec reqIn superv rwe match secOK fdone
                        muxC tmpC tblC lC rReq xlat done ack phase) /\
      (dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
                muxC tmpC tblC lC rReq xlat match secOK fdone)");;

let Library_Root = '/epoch/dl/csgrad/schubert/hol/Library/';;
let lib_dir_list =
  (map (concat Library_Root)
    ['gates/' ; 'bits/' ; 'words/' ; 'numbers/' ; 'decimal/' ; 'assoc/']);;
set_search_path (search_path() @ ['. ' ;
  '/epoch/dl/csgrad/schubert/hol/tactics/' ;
  '/epoch/dl/csgrad/schubert/hol/ml/' ;
  '/epoch/dl/csgrad/schubert/hol/theories/' ;
  '/epoch/dl/csgrad/schubert/hol/lisp/vax/' ;
  ]
  @ lib_dir_list);;
loadf ('aux_defs.ml');;
system 'rm /epoch/dl/csgrad/schubert/hol/theories/mmu_aux.th';;
new_theory 'mmu_aux';;
map load_parent ['mmu_abs' ; 'time_abs' ; 'mmu_def' ; 'ctrlUnit_lem'];;
% ;'mmu_thms'] ;; %
new_type_abbrev ('RWE', ":bool#bool#bool");;
let PLUS_ONE_TAC n =
  REWRITE_TAC [(SYM_RULE ADD1) ; (num_CONV n) ;ADD_CLAUSES];;
let T2 = prove_thm ('T2', "!t. (t + 1) + 1 = t + 2", PLUS_ONE_TAC "2" );;
let T3 = prove_thm ('T3', "!t. (t + 2) + 1 = t + 3", PLUS_ONE_TAC "3" );;
let T4 = prove_thm ('T4', "!t. (t + 3) + 1 = t + 4", PLUS_ONE_TAC "4" );;
let T5 = prove_thm ('T5', "!t. (t + 4) + 1 = t + 5", PLUS_ONE_TAC "5" );;
let T6 = prove_thm ('T6', "!t. (t + 5) + 1 = t + 6", PLUS_ONE_TAC "6" );;
let T7 = prove_thm ('T7', "!t. (t + 6) + 1 = t + 7", PLUS_ONE_TAC "7" );;
let LESS_ADD_SUC = prove_thm
  ('LESS_ADD_SUC',"!t n. t < ( t + SUC(n) )",
   REWRITE_TAC [ADD_CLAUSES; LESS_THM]
   THEN REPEAT GEN_TAC
   THEN DISJ_CASES_TAC (SPEC "n" LESS_0_CASES)
   THENL
   [ POP_ASSUM(\thm. REWRITE_TAC [(SYM_RULE thm) ;ADD_CLAUSES])
   ; POP_ASSUM(\thm. ASSUME_TAC( REWRITE_RULE [thm]
       (SPECL ["0";"n"] LESS_NOT_EQ) ))
     THEN POP_ASSUM(\thm. REWRITE_TAC [ (REWRITE_RULE
       [(SYM thm)] (SPECL ["t";"n"] LESS_ADD_NONZERO ))])
   ] );;
let RANGE_LEMMA = TAC_PROOF
  (([], "!t1 t2 (f:num->bool).
     (!t'. t1 < t' /\ t' < t2 ==> ~(f t')) /\ ~(f t2)
     ==> (!t'. t1 < t' /\ t' < (t2+1) ==> ~(f t'))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC( SPEC "t':num" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1; LESS_THM] (el 3 asl)))

   PURE_ONCE_REWRITE_RULE [LESS_OR_EQ] LESS_EQ_ANTISYM) );;

let stable_sigs = new_definition
  ('stable_sigs',
   "!t1 t2 (rwe :num->RWE) (vAddr tblPtrADDR:num->*address)
    (data :num->*wordn) (mem: num->*memory) (super: num->bool).
    stable_sigs t1 t2 vAddr rwe tblPtrADDR data mem super =
    !t'. t1 < t' /\ t' < t2 ==>
      (super t' = super t1) /\ (vAddr t' = vAddr t1) /\
      (rwe t' = rwe t1) /\ (data t' = data t1) /\
      (mem t' = mem t1) /\ (tblPtrADDR t' = tblPtrADDR t1)"
  );;
let mP_F_I_ = prove.tha





O,mz_w, mI__mmLz [1]__F._ o
O0_'fA_BUIZ o (BIICE_ItEWEITE_BIJLE [|OT.DEF] ) ) ) ; ;
let LESS_ADD_EQ = prove_thm
  ('LESS_ADD_EQ',
   "!t x y. ((t+x) < (t+y)) = (x < y)",
   INDUCT_TAC
   THEN REWRITE_TAC [ADD_CLAUSES]
   THEN ONCE_REWRITE_TAC [CONJUNCT1 (CONJUNCT2 (CONJUNCT2 (ADD_CLAUSES)))]
   THEN ASM_REWRITE_TAC [LESS_MONO_EQ] );;
let BETW_0_7_IS_1 = prove_thm
  ('BETW_0_7_IS_1', "0 < 1 /\ 1 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_7_IS_2 = prove_thm
  ('BETW_0_7_IS_2', "0 < 2 /\ 2 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_7_IS_4 = prove_thm
  ('BETW_0_7_IS_4', "0 < 4 /\ 4 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_7_IS_5 = prove_thm
  ('BETW_0_7_IS_5', "0 < 5 /\ 5 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_6_IS_1 = prove_thm
  ('BETW_0_6_IS_1', "0 < 1 /\ 1 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_6_IS_2 = prove_thm
  ('BETW_0_6_IS_2', "0 < 2 /\ 2 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_6_IS_4 = prove_thm
  ('BETW_0_6_IS_4', "0 < 4 /\ 4 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;
let BETW_0_6_IS_5 = prove_thm
  ('BETW_0_6_IS_5', "0 < 5 /\ 5 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let Library_Root = '/epoch/dl/csgrad/schubert/hol/Library/';;
let lib_dir_list =
  (map (concat Library_Root)
    ['gates/' ; 'bits/' ; 'words/' ; 'numbers/' ; 'decimal/' ; 'assoc/']);;
set_search_path (search_path() @ ['. ' ;
  '/epoch/dl/csgrad/schubert/hol/tactics/' ;
  '/epoch/dl/csgrad/schubert/hol/ml/' ;
  '/epoch/dl/csgrad/schubert/hol/theories/' ;
  '/epoch/dl/csgrad/schubert/hol/lisp/vax/' ;
  ]
  @ lib_dir_list);;
loadf ('aux_defs.ml');;
system 'rm /epoch/dl/csgrad/schubert/hol/theories/ctrlUnit_lem.th';;
new_theory 'ctrlUnit_lem';;
%loadf 'abstract';;%
map load_parent ['mmu_abs' ; 'time_abs' ; 'mmu_def' ; 'arithmetic'];;
let __EQ_D_ = _ove_th=

   THEN CONV_TAC (ONCE_DEPTH_CONV SYM_CONV )
   THEN REWRITE_TAC [NOT_SUC];;
let PHASE_0_UNIQUE = prove_thm
  ('PHASE_0_UNIQUE', "~(0 = 1) /\ ~(0 = 2) /\ ~(0 = 3) /\ ~(0 = 4) /\ ~(0 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
let PHASE_1_UNIQUE = prove_thm
  ('PHASE_1_UNIQUE', "~(1 = 0) /\ ~(1 = 2) /\ ~(1 = 3) /\ ~(1 = 4) /\ ~(1 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
let PHASE_2_UNIQUE = prove_thm
  ('PHASE_2_UNIQUE', "~(2 = 0) /\ ~(2 = 1) /\ ~(2 = 3) /\ ~(2 = 4) /\ ~(2 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
let PHASE_3_UNIQUE = prove_thm
  ('PHASE_3_UNIQUE', "~(3 = 0) /\ ~(3 = 1) /\ ~(3 = 2) /\ ~(3 = 4) /\ ~(3 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
let PHASE_4_UNIQUE = prove_thm
  ('PHASE_4_UNIQUE', "~(4 = 0) /\ ~(4 = 1) /\ ~(4 = 2) /\ ~(4 = 3) /\ ~(4 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
let PHASE_5_UNIQUE = prove_thm
  ('PHASE_5_UNIQUE', "~(5 = 0) /\ ~(5 = 1) /\ ~(5 = 2) /\ ~(5 = 3) /\ ~(5 = 4)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;
%
Control Unit Lemmas
%
let SIX_PHASES_ONLY = prove_thm
  ('SIX_PHASES_ONLY',
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>
    (!t. (phase t = 0) \/ (phase t = 1) \/ (phase t = 2) \/
         (phase t = 3) \/ (phase t = 4) \/ (phase t = 5))",
   REPEAT GEN_TAC

   [% base case %
    ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS(
      (REWRITE_RULE [PAIR_EQ] (el 2 asl) ) )))
    THEN POP_ASSUM(\thm. REWRITE_TAC[thm] )
   ;% induction %
    PURE_REWRITE_TAC [ADD1]
    THEN POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
    THENL
    [% case 0 %
     ASM_CASES_TAC "(reqIn t):bool"
     THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
       REWRITE_RULE ([(el 1 asl);(el 2 asl)] @ [PAIR_EQ])
         (SPEC_ALL (el 3 asl)) )))
    ;POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
     THENL
     [% case 1 %
      ASM_CASES_TAC "(super t):bool"
      THEN ASM_CASES_TAC "(wBIT(rwe t) /\ match t):bool"
      THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
        REWRITE_RULE ([(el 1 asl) ; (el 2 asl) ; (el 3 asl) ;PAIR_EQ] @
          (CONJUNCTS (PHASE_1_UNIQUE))) (SPEC_ALL (el 4 asl)))))
     ;POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
      THENL
      [% case 2 %
       ASM_CASES_TAC "(fdone t):bool"
       THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS(
         REWRITE_RULE ((CONJUNCTS (PHASE_2_UNIQUE)) @ [PAIR_EQ])
           (REWRITE_RULE [(el 1 asl);(el 2 asl)]
             (SPEC_ALL (el 3 asl))) )))
      ;POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
       THENL
       [% case 3 %
        ASM_CASES_TAC "(fdone t):bool"
        THEN ASM_CASES_TAC "(secOK t):bool"
        THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
          REWRITE_RULE ((CONJUNCTS (PHASE_3_UNIQUE)) @ [PAIR_EQ])
            (REWRITE_RULE [(el 1 asl);(el 2 asl);(el 3 asl) ]
              (SPEC_ALL (el 4 asl)) ))))
       ;% case 4,5 %
        POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
        THEN POP_ASSUM_LIST(\asl. REWRITE_TAC( CONJUNCTS (
          REWRITE_RULE ((CONJUNCTS (PHASE_4_UNIQUE)) @
            (CONJUNCTS (PHASE_5_UNIQUE)) @ [PAIR_EQ])
            (REWRITE_RULE [(el 1 asl)] (SPEC_ALL (el 2 asl))) )))
       ]]]]]
   );;
SIX_PHASES_ONLY =

    (phase t = 0) \/
    (phase t = 1) \/
    (phase t = 2) \/
    (phase t = 3) \/
    (phase t = 4) \/
    (phase t = 5))
Run time: 1235.?s
Intermediate theorems generated: 73322
(Holly : Run time: 2728.2s)
let NOT_PHASE_2_THEN_0 = prove_thm
  ('NOT_PHASE_2_THEN_0',
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>
    (!t. (phase t = 2) ==> ~(phase (t+1) = 0))",
   REPEAT GEN_TAC

     REWRITE_RULE [(el 1 asl);PHASE_2_UNIQUE] (SPEC_ALL (el 2 asl))))
   THEN ASM_CASES_TAC "(fdone t):bool"
   THEN POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS (
     REWRITE_RULE [(el 1 asl);PAIR_EQ] (el 2 asl) )))
   THEN STRIP_TAC
   THEN POP_ASSUM_LIST(\asl. REWRITE_TAC [ (REWRITE_RULE
     ((CONJUNCTS PHASE_0_UNIQUE) @ [(el 1 asl)]) (el 2 asl))]) );;
NOT_PHASE_2_THEN_0 =

    (!t. (phase t = 2) ==> ~(phase(t + 1) = 0))
Run time: 69.5s
Intermediate theorems generated: 6905
(Holly: Run time: 233.6s)
let PHASE_0_IDLE = prove_thm
  ('PHASE_0_IDLE',
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>

    POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( CONJUNCTS (
      REWRITE_RULE [controlUnit_spec] thm )))
    THEN POP_ASSUM_LIST(\asl. REWRITE_TAC( CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (el 2 asl))))
   ;% induction case %
    REWRITE_TAC [ADD1]
    THEN ASSUM_LIST(\asl. ASSUME_TAC( SPEC_ALL(
      REWRITE_RULE [(el 2 asl)] (SPEC_ALL SIX_PHASES_ONLY))))
    THEN ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS (
      SPEC_ALL (REWRITE_RULE [controlUnit_spec] (el 3 asl)))) )
    THEN POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC(rev(subtract asl
      [(el 2 asl);(el 4 asl);(el 5 asl)])))
    THEN ASSUM_LIST(\asl. DISJ_CASES_TAC (el 2 asl) )
    THENL
    [% phase 0 %
     ASM_CASES_TAC "(reqIn t):bool"
     THEN POP_ASSUM_LIST(\asl. REWRITE_TAC( CONJUNCTS (
       REWRITE_RULE ([PAIR_EQ;(el 1 asl);(el 2 asl)] @
         (CONJUNCTS PHASE_0_UNIQUE)) (SPEC_ALL (el 3 asl)) )))
    ;POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
     THENL
     [% phase 1 %
      ASM_CASES_TAC "(super t):bool"
      THEN ASM_CASES_TAC "( (wBIT (rwe t) /\ match t) ):bool"
      THEN POP_ASSUM_LIST(\asl. REWRITE_TAC(
        (CONJUNCTS PHASE_5_UNIQUE) @ (CONJUNCTS (
          REWRITE_RULE ([PAIR_EQ;(el 1 asl);(el 2 asl); (el 3 asl)] @
            (CONJUNCTS PHASE_1_UNIQUE)) (SPEC_ALL (el 4 asl)) ))))
     ;POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
      THENL
      [% phase 2 %
       ASM_CASES_TAC "(fdone t):bool"
       THEN POP_ASSUM_LIST(\asl. REWRITE_TAC( (CONJUNCTS PHASE_2_UNIQUE) @
         (CONJUNCTS PHASE_3_UNIQUE) @ (CONJUNCTS ( REWRITE_RULE
           ([PAIR_EQ; (el 1 asl) ; (el 2 asl)] @ (CONJUNCTS PHASE_2_UNIQUE))

       THEN ASM_CASES_TAC "(secOK t):bool"
       THEN POP_ASSUM_LIST(\asl. REWRITE_TAC(
         (CONJUNCTS PHASE_3_UNIQUE) @ (CONJUNCTS ( REWRITE_RULE
           ([PAIR_EQ;(el 1 asl);(el 2 asl);(el 3 asl)] @
             (CONJUNCTS PHASE_3_UNIQUE)) (SPEC_ALL (el 4 asl)) ))))
      ;% phase 4,5 %
       POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
       THEN POP_ASSUM_LIST(\asl. REWRITE_TAC(
         (CONJUNCTS PHASE_5_UNIQUE) @ (CONJUNCTS PHASE_4_UNIQUE) @
         (CONJUNCTS ( REWRITE_RULE
           ([PAIR_EQ;(el 1 asl)] @ (CONJUNCTS PHASE_4_UNIQUE) @
             (CONJUNCTS PHASE_5_UNIQUE)) (SPEC_ALL (el 2 asl)) ))))
      ]]]] ] );;
PHASE_0_IDLE =

    (!t. (phase t = 0) ==> (tblC t = F) /\ (muxC t = 0))
Run time: 721.0s
Intermediate theorems generated: 66258
let CTRL_UNIT_EXPAND = prove_thm
  ('CTRL_UNIT_EXPAND',
   "controlUnit_spec reqIn super rwe match secOK fdone muxC
        tmpC tblC lC rReq xlat done ack phase ==>
    !t.
      muxC(t + 1),tmpC(t + 1),tblC(t + 1),lC(t + 1),rReq(t + 1),
      xlat(t + 1),done(t + 1),ack(t + 1),phase(t + 1) =
      ((phase t = 0) =>
         (reqIn t => (0,F,F,F,F,F,F,F,1) | (0,F,F,F,F,F,F,F,0)) |
       ((phase t = 1) =>
         (super t =>
            ((wBIT(rwe t) /\ match t) =>
               (0,F,T,F,F,F,F,F,5) | (0,F,F,F,F,F,T,T,0)) |
            (2,T,F,T,T,T,F,F,2)) |
        (((phase t = 2) /\ fdone t) =>
           (1,F,F,F,T,T,F,F,3) |
         (((phase t = 3) /\ fdone t) =>
            (secOK t => (0,F,F,F,F,T,F,F,4) | (0,F,F,F,F,F,T,F,0)) |
          ((phase t = 4) =>
             (0,F,F,T,F,T,T,T,0) |
           ((phase t = 5) =>
              (0,F,F,F,F,F,T,T,0) |
            (muxC t,tmpC t,tblC t,lC t, F ,xlat t,done t,ack t,
             phase t)))))))",
   STRIP_TAC
   THEN POP_ASSUM( \thm. ACCEPT_TAC (

      muxC(t + 1),tmpC(t + 1),tblC(t + 1),lC(t + 1),rReq(t + 1),
      xlat(t + 1),done(t + 1),ack(t + 1),phase(t + 1) =
      ((phase t = 0) =>
         (reqIn t => (0,F,F,F,F,F,F,F,1) | (0,F,F,F,F,F,F,F,0)) |
       ((phase t = 1) =>
         (super t =>
            ((wBIT(rwe t) /\ match t) =>
               (0,F,T,F,F,F,F,F,5) | (0,F,F,F,F,F,T,T,0)) |
            (2,T,F,T,T,T,F,F,2)) |
        (((phase t = 2) /\ fdone t) =>
           (1,F,F,F,T,T,F,F,3) |
         (((phase t = 3) /\ fdone t) =>
            (secOK t => (0,F,F,F,F,T,F,F,4) | (0,F,F,F,F,F,T,F,0)) |
          ((phase t = 4) =>
             (0,F,F,T,F,T,T,T,0) |
           ((phase t = 5) =>
              (0,F,F,F,F,F,T,T,0) |
            (muxC t,tmpC t,tblC t,lC t, F ,xlat t,done t,ack t,phase t))))))))
Run time: 33.7s
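The control-unit lemmas above (SIX_PHASES_ONLY, NOT_PHASE_2_THEN_0, PHASE_0_IDLE) are proved by case analysis over the transition table of controlUnit_spec, and MMU_PROOF later relies on the request completing in a bounded number of cycles c with done(t+c) and phase(t+c) = 0. The Python below is an added example, not the report's HOL code: it transcribes the transition table into a step function, drives a single request through it with the memory-unit timing memoryUnit_spec gives (done(t+1) = req(t)), and brute-forces the three lemmas over every state and input. The names (ctrl_next, run_request, check_phase_lemmas) are this example's own; match, secOK and the request's wBIT are driven as free inputs rather than computed by the data path, which is an assumption of the model, not of the report.

```python
# Cycle model of controlUnit_spec plus exhaustive checks of the phase lemmas.
# Added example, not the report's HOL.  ASSUMPTION: match, secOK and the
# request's wBIT are free inputs; fdone follows memoryUnit_spec (done(t+1) = req(t)).
from itertools import product

F, T = False, True
# Control-line tuple order: (muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase)
IDLE = (0, F, F, F, F, F, F, F, 0)


def ctrl_next(state, req_in, superv, w_bit, match, sec_ok, fdone):
    """One step of controlUnit_spec: the control lines at t+1."""
    muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase = state
    if phase == 0:
        return (0, F, F, F, F, F, F, F, 1) if req_in else IDLE
    if phase == 1:
        if superv:
            if w_bit and match:                      # supervisor write to tblPtrADDR
                return (0, F, T, F, F, F, F, F, 5)   # tblC loads the table pointer
            return (0, F, F, F, F, F, T, T, 0)       # other supervisor access: pass, ack
        return (2, T, F, T, T, T, F, F, 2)           # user: start the descriptor fetch
    if phase == 2 and fdone:
        return (1, F, F, F, T, T, F, F, 3)           # descriptor in; fetch the base word
    if phase == 3 and fdone:
        return (0, F, F, F, F, T, F, F, 4) if sec_ok else (0, F, F, F, F, F, T, F, 0)
    if phase == 4:
        return (0, F, F, T, F, T, T, T, 0)           # translated address out, ack
    if phase == 5:
        return (0, F, F, F, F, F, T, T, 0)
    return (muxC, tmpC, tblC, lC, F, xlat, done, ack, phase)   # waiting: rReq drops


def run_request(superv, w_bit, match, sec_ok, max_cycles=16):
    """One request raised at t with phase t = 0, as in the MMU_PROOF statement.
    Returns (c, ack(t+c), phase trace) with done(t+c) true and phase(t+c) = 0."""
    state, fdone, phases = IDLE, F, [0]
    for t in range(max_cycles):
        nxt = ctrl_next(state, t == 0, superv, w_bit, match, sec_ok, fdone)
        fdone = state[4]               # memoryUnit_spec: done(t+1) = req(t)
        state = nxt
        phases.append(state[8])
        if state[6] and state[8] == 0:
            return t + 1, state[7], phases
    raise RuntimeError("request did not complete")


def check_phase_lemmas():
    """True iff every single step from every state satisfying the PHASE_0_IDLE
    invariant, under every input, respects the three control-unit lemmas."""
    bools = (F, T)
    for muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase in product(
            range(3), *([bools] * 7), range(6)):
        if phase == 0 and (tblC or muxC != 0):
            continue                   # unreachable from the initial state
        state = (muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase)
        for inputs in product(bools, repeat=6):
            nxt = ctrl_next(state, *inputs)
            if nxt[8] not in range(6):                       # SIX_PHASES_ONLY
                return False
            if phase == 2 and nxt[8] == 0:                   # NOT_PHASE_2_THEN_0
                return False
            if nxt[8] == 0 and (nxt[2] or nxt[0] != 0):      # PHASE_0_IDLE (step)
                return False
    return True


if __name__ == "__main__":
    print(run_request(superv=False, w_bit=False, match=False, sec_ok=True))  # (7, True, [0,1,2,2,3,3,4,0])
    print(run_request(superv=True, w_bit=True, match=True, sec_ok=False))    # (3, True, [0,1,5,0])
    print(check_phase_lemmas())                                              # True
```

The traces make the range lemmas of mmu_aux concrete: a user request that passes the security check takes c = 7 cycles (the BETW_0_7 lemmas), a rejected one c = 6 with ack = F (the BETW_0_6 lemmas), and a supervisor table-pointer write c = 3 (RANGE_TAC "3" "2" in the proof). The exhaustive check covers exactly the case split the HOL proofs perform, but as a test rather than a proof; it says nothing about the data path or about stable_sigs.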




let Library_Root = '/epoch/dl/csgrad/schubert/hol/Library/';;
let lib_dir_list =
  (map (concat Library_Root)
    ['gates/' ; 'bits/' ; 'words/' ; 'numbers/' ; 'decimal/' ; 'assoc/']);;
set_search_path (search_path() @ ['. ' ;
  '/epoch/dl/csgrad/schubert/hol/tactics/' ;
  '/epoch/dl/csgrad/schubert/hol/ml/' ;
  '/epoch/dl/csgrad/schubert/hol/theories/' ;
  '/epoch/dl/csgrad/schubert/hol/lisp/vax/' ;
  ]
  @ lib_dir_list);;
loadf ('aux_defs.ml');;
system 'rm /epoch/dl/csgrad/schubert/hol/theories/mmu_proof.th';;
new_theory 'mmu_proof';;
loadf 'abstract';;
loadf 'exist_tac.ml';;
map load_parent ['mmu_abs' ; 'time_abs' ; 'mmu_def' ; 'ctrlUnit_lem' ; 'mmu_aux'];;
let rep_ty = abstract_type 'mmu_abs' 'segId';;
%
AUX FACTS AND DEFS
%
let line tok t =
  if (is_eq t)
  then (let x = fst(dest_var(rator(lhs(t))))
        in (mem x (words tok) ? false))
  else ( if (is_neg t)
         then (let y = fst(dest_var(rator(dest_neg(t))))
               in mem y (words tok))
         else (let y = fst(dest_var(rator(t)))
               in mem y (words tok)) )
  ? false;;
letrec lines tok t =
  if (is_conj t)
  then (let x = (dest_conj t)
        in (let b = (line tok (fst x))
            in (if b then true
                else (lines tok (snd x)) )))
  else (line tok t)
  ? false;;
letrec unit tok t =
  if (is_comb t)
  then (let x = fst(dest_comb t) in unit tok x)
  else ((let x = fst(dest_const t) in mem x (words tok)) ? false);;
let FIND_ASSUM f asl = hd(filter(f o concl) asl);;
let FIND_SPEC_UNIT x u u' asl =
  (SPEC x (REWRITE_RULE [u]
    (FIND_ASSUM (unit u') asl) ));;
let FIND_ASSUM2 f asl = hd(tl(filter(f o concl) asl));;
let FIND_SPEC_UNIT2 x u u' asl =
  (SPEC x (REWRITE_RULE [u]
    (FIND_ASSUM2 (unit u') asl) ));;
let FIND_SPEC_MEM_UNIT x asl =
  (SPEC x (CONJUNCT2 (REWRITE_RULE [memoryUnit_spec]
    (FIND_ASSUM (unit 'memoryUnit_spec') asl) )));;
let FILTER_ASSUM_TAC thml f =
  ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE thml
    (FIND_ASSUM f asl) ) );;
let UNIT u asl = (FIND_ASSUM (unit u) asl);;
let LINE l asl = (FIND_ASSUM (lines l) asl);;
let LESS_CONV x =
  REWRITE_RULE [LESS_MONO_EQ; LESS_0] (
    REWRITE_RULE [ADD;ADD_SYM] ((TOP_DEPTH_CONV num_CONV) x));;
let RANGE_LEMMA = TAC_PROOF
  (([], "!t1 t2 (f:num->bool).
     (!t'. t1 < t' /\ t' < t2 ==> ~(f t')) /\ ~(f t2)
     ==> (!t'. t1 < t' /\ t' < (t2+1) ==> ~(f t'))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC( SPEC "t':num" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1; LESS_THM] (el 3 asl)))
   THENL

let RANGE_TAC hi lo =
  CONJ_TAC
  THENL
  [REWRITE_TAC [(num_CONV hi) ; (SPECL ["t" ;lo] LESS_ADD_SUC)]
  ;REPEAT
    (PURE_ONCE_REWRITE_TAC [(SYM_RULE T2) ; (SYM_RULE T3) ; (SYM_RULE T4) ;

      "!t y. t < (t + y) = 0 < y"
      (GEN "t"
        (REWRITE_RULE [LESS_0; (CONJUNCT1 ( CONJUNCT2 (ADD_CLAUSES) ) ) ]
          (SPECL ["t";"0"] LESS_ADD_EQ))
  );;
let RANGE_RULE th =
  (REWRITE_RULE [LESS_MONO_EQ; LESS_ADD_EQ; LESS_ADD_EQ1; LESS_0]
    ( CONV_RULE (TOP_DEPTH_CONV num_CONV) th ) );;
let EXPAND_TBLPTR_RULE x T asl =
  (REWRITE_RULE [(LINE 'tblC' asl) ; (LINE 'tblPtr' asl) ;T]
    (SPEC x (CONJUNCT1 ( (REWRITE_RULE
      [regUnit_spec; bitFalse]
      (FIND_ASSUM2 (unit 'regUnit_spec') asl)) ))) );;
let INST_SIG_LIST t asl =
  ( ONCE_REWRITE_RULE [ADD1]
    (REWRITE_RULE [LESS_SUC_REFL; SYM_RULE ADD1;
       LESS_ADD_EQ; LESS_ADD_EQ1]

  THEN ASSUM_LIST(\asl. REWRITE_TAC [(LINE 'phase' asl);
    (LINE 'done' asl);(LINE 'ack' asl);(LINE 'tblPtr' asl)] )
  THEN % determine rAddr(t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC (
    (REWRITE_RULE [(LINE 'muxC' asl);T2;(LINE 'xlat' asl)]
      (FIND_SPEC_UNIT "t+1" muxUnit_spec 'muxUnit_spec' asl) )))
  THEN CONJ_TAC % create range and mmu_spec subgoals %
  THENL % range subgoal %
  [RANGE_TAC "2" "1"
  ; % mmu_spec part %
  ONCE_REWRITE_TAC [mmu_spec; stable_sigs]
  THEN STRIP_TAC
  THEN % instantiate stable_sigs %
  POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC ( CONJUNCTS (
    SYM_RULE( ONCE_REWRITE_RULE [ADD1]
      (REWRITE_RULE [LESS_SUC_REFL; SYM_RULE ADD1; SYM_RULE T2]
        (SPEC "t+1" thm))))))
  THEN FILTER_ASM_REWRITE_TAC (lines 'super') []
  THEN PURE_ONCE_REWRITE_TAC [superMode]
  THEN ALL_TAC

let UNPAIR_TAC i =
  POP_ASSUM_LIST(\asl.MAP_EVERY ASSUME_TAC ( (
    (rev(subtract asl[(el i asl)])) @
    [(REWRITE_RULE [PAIR_EQ] (el i asl))] )));;
let CONTROL_LINE_TAC t lem T =
  ASSUM_LIST(\asl. ASSUME_TAC (
    REWRITE_RULE ( CONJUNCTS lem @
      [(LINE 'fdone' asl) ;T; (LINE 'phase' asl)])
      (SPEC t (MATCH_MP CTRL_UNIT_EXPAND
        (UNIT 'controlUnit_spec' asl) )) ));;
let RADDR_TAC t T =
  ASSUM_LIST (\asl. ASSUME_TAC(
    (REWRITE_RULE [(el 1 asl);T;(LINE 'xlat' asl)]
      (FIND_SPEC_UNIT t muxUnit_spec 'muxUnit_spec' asl) )));;
%
ABSTRACT MMU PROOF
%
let MMU_PROOF = prove_thm
  ('MMU_PROOF',
   "!(r:^rep_ty) (vAddr rAddr :num->*address) (vData :num->*wordn)
    (rwe :num->RWE)(super reqIn xlat ack done :num->bool) mem
    (tblPtr :num->*wordn) (tblPtrADDR :num->*address) (phase :num->num).
    mmu_imp r vAddr vData rwe super tblPtr tblPtrADDR reqIn
            rAddr done ack xlat mem phase ==>
    !t. (phase t = 0) ==>
      (reqIn t) => (?c. Next done (t,t+c) /\ ( phase (t+c) = 0 ) /\
                      ((stable_sigs t (t+c) vAddr rwe tblPtrADDR vData
                                    mem super) ==>
                       (mmu_spec r (vAddr t) (rwe t) (tblPtrADDR t) (tblPtr t)
                                 (vData t) (mem t) (super t) =
                        (ack(t+c), rAddr(t+c), tblPtr(t+c)) )))
                 | ( (ack (t+1) = F) /\
                     (phase (t+1) = 0) /\

THEJ ISStq4_LIST(\asl. ASSUME_TIC( KEWRITE_RI3LE [(el 1 susl)] (
SPEC.ILL ( REWRITE.RULE [(UNIT 'consrolUnit.spec' ul)]
(SPEC_ALL PHASE_O_IDLE) ))))
THEM ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RI_
(CONJUNCTS PHASE_0.U_IQUE e [(LINE 'phase' ul)])
(SPEC "t" (MATCH.MP CFRL_UMIT.EY_AND
(UNIT 'controlUnit_spec' asl) )) ))
THEE £SM_C£SES_TAC "(reqln t):booM'
THFJ ASSUM_LIST(\asl. REWRITE.TIC [(el I --i)] )
THEM ASSUM_LIST(\asl. ASSUME_TAC(
(BEb'RITE_RULE [(el 1 asl)](el 2 asl) ) ))
THFJ POP_ASSUM_LIST (\as1.KLP.EVERT
ASSUME_TAC(rev(subtract asl [(el 3 ul)] )))
ASSUM.LIST(\asl. ASSUME_TIC( CO|3UIICTI( (REgRITE_RUI_
[reiUnit.spec;bitFalse] (FI|D.£SSUM2 (unit 'reiUnit_spe¢') asl)) )))
THEE £$SUM_LIST(\asl. ASSlME_T£C
(&EWRITE.BIYLE [(LIME 'tblC' asl)]
(SPEC "t" (el I asl)) ) )
THEM _ unpair control 1inns at (t+l) %
ISSUM_LIST(\asl. ISSUNE_TAC (
(RE_I_.P/YLE [PAIR.EQ](el 3 asl)) ))
8O
THEN POP.ISSUM_LIST (\u 1. F_bu.EVERT
ASSUNE.TAC(reT(eubtrsct ul ((el 4 ul)]) ))
X se_ rid of "reqln cue Z
13ELL
[ ALL_TAC; ASX_IEWI_.TACD
Z detensine tblPtr (t÷2)%
_SLM_LIST (\asl. £SSLUTE_TIC (
(ELOJ__TBL.eTR_RULE "_÷I" T2 ul)))
13E]1
LqSUIq.LIST(\ul. ASSUME_TAC( (_Eb_ZTE.RULE
(COIJUICTS PRISE_I_UNIQUE e [T2;(LIWE 'pharos' ul)])
(SPEC "_÷1" (F_TCH_MP CTI__U]ilT_EIPLWD
(UWIT 'controlUnit_epec' ul) )) )))
_. cue analysis Z
TH]DI JUM.CASES.TIC "(super(t ÷ l)):bool"
1_JL [
JSN_CJSES.TIC "(eBZT (ne(t + 1))):heel"
I_JL [
£$N.CJ3ES.T4C "(addrEq (r: "rep_ty) (vAddr t ,tbIP1;rLDDR t) ) :boo1"
I_EtL [
t--- (l. I. 1) ..... super, sBIT, addrEq Z
Z ds_orl£ue consrol.lines(_+2) Z
ASSUN.LIST(\ul. ASSUME.TAG( (_EVRITE_NJLE
[PAIR.EQ; (LIllE 'super' tel); (el 2 ul);
(REVRITE_BULE [(el 1 ul)]
(FIID_SPEC_UIIT "t" _,atchUnit.spec 'sa_c.hU_it_spec' ul) )
] (el 4 ul) )))
THE]i _ detez_ine tblPtr(t+3)
ASSUM_LIST(\ul. ASSU_E.TAC (
(F.IPJJiD_TBLPTlt_RULE "t÷2" T3 uZ) ) )
THEil Z detezilLae control.Zines(t+3) 7,
ASSb_.LIST(\ul. ASSL,_E.TAC( (P,EYRITE_NTL.£
(COIhTU]ICTS PHASE_5_U]IIQUE t [(Lille 'phase' ul) ;T3;PAIR_£Q])
(SPEC "t+2" (I_TCH.MP CTRL.U]IIT.EIPJUID




COIIJ_T4C Z create r_e and |mu_spe¢ subgoals Z
TH_L
[ RLUI_E.TAC "3" "2"
OEC£._EV_ITE_T&C _Jmu_spe¢]
THF_ ST_IP.TAC
THEE _ expand stable.sIgs for (_+1) and (t+2)




[LESS_ADD.EQ;LESS.SUC_REFL; SYM.RULE ADD1 ; ST]I_RULE T2]
(SPEC "_,+1" (P_WRITE.RULE [s_,ablo_sigs] (el 1 ul))) )) ) )))
TEEM _SSUM.LIST(\uZ. ASSU_E.TAC
(PUP,.E_011CE.BE_R.ITE_RULE
[(STM_RUIE ((TOP.DEPTH.C0i'V nu_.C0iV) "T'))]
(]ULMGE_RUI.E
(SPEC "t+2" (RE_P,ITE.RULE [stabls_sigs] (el 7 a_l))) ) ) )
THE]I
FILTER_ASM_RE_ZTEoT_C (Z:l_es ' super ' ) Q
PURE.OICE_RE_RITE.TAC [su_r_ode]
81
TBE]I ASSUlq_LIST(\eml. IIEVRITE.TAC [ PAIR.EQ;
(el 13 el);(el 5 ul); Z wBIT _(el 12 ul) _ addrF.q _])
THEM Z shoe vAddz t = rAddr($÷3)
BJLI)DR.T/C "t+2" T3
TBE]! /LSSUM_LISTC\el. RE_ITE.TAC[(el 1 el);(el 2 el)] )
]
1[--- (I.Z.2) _ super, eBIT, "addrEq Z
JSSLM.LIST(_el. /.qSUME.TIC( REVRITE.PJJLE [(el 1 el)]
(ir_BD_SPEC_I_IIT "t" natchUntt_spec 'setchUnit_spec' el) ))
TEEN JSSUH_LIST(\el. MAP_EVERY ASSUME_TIC( COI3U]ICTS(
LEtrRITE_ltULE [PIIR.EQ;(el 1 el);(el 3 el);(el 4 ul)] (el 5 ul) )))
|OT_Fl_13LPTR_TAC
J3StM.LIST(\el. REVRITE_TAC [PAIR_EQ;
(RE__RULE [Sllq_RULE (LIIE 'vAddr' ul)] (LIME 'rlddr' el) );
(e.]. 10 el) ?,_Ld,r_ %])
1;
Y._ (1.2) _- super. "vBIl ............... %
ISSUII_LTb'I'(_I. INJi__EV'£R¥ ASSUI4E.TAC( coa,TUNCTS(
ILE17RITE_IIPJIJ_[PAIR_EQ;(el 1 ul);(el 2 el)] (el 3 el) )))
lOT.FllR_13LPTR.TAC
Ji2_SUIq.LIST(\ul. ILEkrRI__TAC [PAIR.El;;);
(BEb'RIT£_BUI.E [SYN_RULE (LINE 'vAdd_' el)] (LIIE 'rAdd_' el) );
(_k'RITE.BIP.E [SY)I_RULE (LINE 'r3e' el)] (el 17 el) )
% tSlT % ))
]
; _.L_TAC
] %end mrj_r tee %
%_ (2) _ "super .......... %
_ de_ez_ine mddOu_(_÷l)
£SSUM_LIST(\el. ASSUHE.TAC (
BEVRITE_RIrLE [(el 0 el);
(_£_TE__ULE [
(FZED_SP£C_I_iZT "t" eplttUnit.apec 'splitUni_.spec' el)]
(FIMD_SPEC_U]IT2 "t" su13Unit.opec 'nu.t3_i__spe¢' el) )
(RE_LI__RULE [LIWE 'nu_C' el]
(FIMD_SPEC_UEIT "t" nu_3Un_t_spec 'a_t3Uni__spec' el) )
]
(FIID_SPEC.UITT "t" addUnit.spe¢ 'addLIn_t_spec' el) ))
T_ _ detern_ne letOut(t+l)
J.qsuM_LIST (\el. ASSUME_TAC(
(ILEVRITE.RULE [(el 1 ul);(LZ_E 'IC' el)]
(FI_D.SPEC_UIlT "t" la_chUnit.epec 'la$chUnit_spec' el) )))
_ detezi/ne fdone value a_ (t+2)
L._;SUM_LIST(\el. ASSUI_E_TAC( CONJUNCT2
(REVRI__ltt_ IT2; (LIME 'rReq' el)]
(FlirD_SPEC__.U_IT "t+l" el)) ))
_ unpa_r conSrol l_nes a_ (t+2)
POP_ASSIM.LIST(\el.MAP.EVERT _SSU)iE_TAC ( (
(rev(subtrect el[(el 5 el)I)) e
[(RE_qIITE.I_ [PAIR__;(LIIIE 'super' ul)] (el $ el))] )))
_ deter14_e latOut(t+2)
J_UM.LIST (\ul. A3SIJ__TAC (
(BEVRITE_RULE [(el I el);(LZEE '1stOut' ul);T2]
(FI_D_SPEC_U_IT "t+l" latc.hUnit.spec 'latchUn_t.spe¢' el) ) ) )
_ detela_ne r£ddr(t+2)
R_DDR.TAC "t+l" T2
deters control l_es a_ (t+3)
82
THEN
CONTROL_LINE_TAC "t+2" PHASE_2_UNIQUE T3
THEN % determine latOut(t+3) %
ASSUM_LIST (\asl. ASSUME_TAC (
  (REWRITE_RULE [(LINE 'latOut' asl);T3;
    (REWRITE_RULE [PAIR_EQ](el 1 asl))]
   (FIND_SPEC_UNIT "t+2" latchUnit_spec 'latchUnit_spec' asl) )))
THEN % determine memory value at (t+3) %
ASSUM_LIST (\asl. ASSUME_TAC(
  (REWRITE_RULE [(LINE 'rReq' asl);T3]
   (FIND_SPEC_MEM_UNIT "t+2" asl) )) )
THEN % determine tblPtr (t+3) %
ASSUM_LIST (\asl. ASSUME_TAC (
  (EXPAND_TBLPTR_RULE "t+2" T3 asl)))
THEN % unpair control lines at (t+3) %
UNPAIR_TAC 4
THEN % determine control lines at (t+4) %
CONTROL_LINE_TAC "t+3" PHASE_2_UNIQUE T4
THEN % determine addOut(t+4) %
ASSUM_LIST(\asl. ASSUME_TAC (
  REWRITE_RULE [PHASE_2_UNIQUE; T4; oneUnit_spec;
   (LINE 'latOut' asl) ;
   (REWRITE_RULE [(LINE 'muxC' asl);
     (FIND_SPEC_UNIT "t+3" splitUnit_spec 'splitUnit_spec' asl)]
     (FIND_SPEC_UNIT2 "t+3" mux3Unit_spec 'mux3Unit_spec' asl) );
   (REWRITE_RULE [(LINE 'muxC' asl)]
     (FIND_SPEC_UNIT "t+3" mux3Unit_spec 'mux3Unit_spec' asl) )
  ]
  (FIND_SPEC_UNIT "t+3" addUnit_spec 'addUnit_spec' asl) ))
THEN % determine secData reg value (t+4) %
ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE
  [T4;bitFalse;(LINE 'tmpC' asl) ;(LINE 'data' asl)]
  (SPEC "t+3" (CONJUNCT1( (REWRITE_RULE [regUnit_spec]
    (FIND_ASSUM (unit 'regUnit_spec') asl) ))))))
THEN % determine memory value at (t+4) %
ASSUM_LIST (\asl. ASSUME_TAC(
  (REWRITE_RULE [(LINE 'rReq' asl);T4]
   (FIND_SPEC_MEM_UNIT "t+3" asl) ) ) )
THEN % determine tblPtr (t+4) %
ASSUM_LIST(\asl. ASSUME_TAC(
  (EXPAND_TBLPTR_RULE "t+3" T4 asl)))
THEN % unpair control lines at (t+4) %
UNPAIR_TAC 5
THEN % determine latOut(t+4) %
ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
  [(el 1 asl);(LINE 'latOut' asl);(LINE 'addOut' asl);T4]
  (FIND_SPEC_UNIT "t+3" latchUnit_spec 'latchUnit_spec' asl))))
THEN % determine rAddr (t+4) %
RADDR_TAC "t+3" T4
THEN % determine securityUnit data (t+5) %
ASSUM_LIST(\asl. ASSUME_TAC (
  (REWRITE_RULE [(LINE 'secData' asl);T5]
   (FIND_SPEC_UNIT "t+4" secUnit_spec 'secUnit_spec' asl) )))
% determine control lines at (t+5) %
THEN
CONTROL_LINE_TAC "t+4" PHASE_3_UNIQUE T5
THEN % determine memory value at (t+5) %
ASSUM_LIST (\asl. ASSUME_TAC (
  (REWRITE_RULE [(LINE 'rReq' asl);T5]
   (FIND_SPEC_MEM_UNIT "t+4" asl) ) ) )
THEN % determine tblPtr (t+5) %
ASSUM_LIST(\asl. ASSUME_TAC (
  (EXPAND_TBLPTR_RULE "t+4" T5 asl)))
THEN % unpair control lines at (t+5) %
UNPAIR_TAC 3
THEN % determine addOut (t+6) %
ASSUM_LIST (\asl. ASSUME_TAC (
  REWRITE_RULE [PHASE_3_UNIQUE ;T6;
   (REWRITE_RULE [(LINE 'muxC' asl);(LINE 'data' asl);(LINE 'rAddr' asl);
     (FIND_SPEC_UNIT "t+5" splitUnit_spec 'splitUnit_spec' asl)]
     (FIND_SPEC_UNIT2 "t+5" mux3Unit_spec 'mux3Unit_spec' asl) );
   (REWRITE_RULE [LINE 'muxC' asl]
     (FIND_SPEC_UNIT "t+5" mux3Unit_spec 'mux3Unit_spec' asl) )
  ]
  (FIND_SPEC_UNIT "t+5" addUnit_spec 'addUnit_spec' asl) ))
THEN % determine tblPtr (t+6) %
ASSUM_LIST(\asl. ASSUME_TAC (
  (EXPAND_TBLPTR_RULE "t+5" T6 asl)))
THEN % cases on validAccess %
ASM_CASES_TAC "validAccess (r:^rep_ty)
   (vAddr(t + 4),fetch r(mem(t + 2),rAddr(t + 2)),rwe(t + 4))
 /\
 (ofsLEq r(vAddr(t + 4),fetch r(mem(t + 2),rAddr(t + 2))))"
THENL [
ASSUM_LIST(\asl. ASSUME_TAC (
  (REWRITE_RULE [(el 1 asl)] (LINE 'secOK' asl)) ))
THEN % determine control lines at (t+6) %
ASSUM_LIST (\asl. ASSUME_TAC(
  REWRITE_RULE (CONJUNCTS PHASE_3_UNIQUE @
   [(LINE 'fdone' asl) ; T6 ; (LINE 'phase' asl) ;PAIR_EQ; (el 1 asl)] )
  (SPEC "t+5" (MATCH_MP CTRL_UNIT_EXPAND
    (UNIT 'controlUnit_spec' asl) )) ))
THEN % determine latOut(t+6) %
ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
  [(el 1 asl) ; (LINE 'latOut' asl) ; (LINE 'addOut' asl) ;T6]
  (FIND_SPEC_UNIT "t+5" latchUnit_spec 'latchUnit_spec' asl)) ))
THEN % determine rAddr(t+6) %
RADDR_TAC "t+5" T6
THEN % determine tblPtr (t+7) %
ASSUM_LIST (\asl. ASSUME_TAC (
  (EXPAND_TBLPTR_RULE "t+6" T7 asl)))
% determine control lines at (t+7) %
THEN
CONTROL_LINE_TAC "t+6" PHASE_4_UNIQUE T7
THEN POP_ASSUM(\thm. ASSUME_TAC( REWRITE_RULE [PAIR_EQ] thm ))
THEN % determine latOut(t+7) %
ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
  [(el 1 asl) ; (LINE 'latOut' asl) ; (LINE 'addOut' asl) ;T7]
  (FIND_SPEC_UNIT "t+6" latchUnit_spec 'latchUnit_spec' asl) ) ) )






THEN ASSUM_LIST(\asl. REWRITE_TAC[(LINE 'done' asl);(LINE 'phase' asl)])
THEN CONJ_TAC % create tense and mmu_spec subgoals %
THENL
[ RANGE_TAC "7" "6"
  THEN STRIP_TAC
  THEN % write rAddr for time t %
  ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
    [(el 15 asl);(el 17 asl);
     (REWRITE_RULE [BETW_0_7_IS_5] (INST_SIG_LIST "t+5" asl) );
     (REWRITE_RULE [BETW_0_7_IS_4] (INST_SIG_LIST "t+4" asl) )]
    (LINE 'rAddr' asl) )))
  THEN
  PURE_ONCE_REWRITE_TAC [mmu_spec]
  THEN ASSUM_LIST(\asl. REWRITE_TAC [ (REWRITE_RULE
    [(REWRITE_RULE [BETW_0_7_IS_1] (INST_SIG_LIST "t+1" asl) )]
    (LINE 'super' asl) )])
  THEN PURE_REWRITE_TAC [userMode; legalAccess]
  THEN EXPAND_LET_TAC
  THEN % write validAccess for time t %
  ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
    [(REWRITE_RULE [BETW_0_7_IS_2] (INST_SIG_LIST "t+2" asl) );
     (REWRITE_RULE [BETW_0_7_IS_4] (INST_SIG_LIST "t+4" asl) );
     (el 29 asl)]
    (el 11 asl) ) ))
  THEN ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl);(el 2 asl);





; % Case where ~(validAccess ... /\ ofsLEq ... ) %
ASSUM_LIST(\asl. ASSUME_TAC(
  (REWRITE_RULE [(el 1 asl)] (LINE 'secOK' asl)) ))
THEN % determine control lines at (t+6) %
ASSUM_LIST (\asl. ASSUME_TAC(
  REWRITE_RULE (CONJUNCTS PHASE_3_UNIQUE @
   [(LINE 'fdone' asl) ; T6 ; (LINE 'phase' asl) ;PAIR_EQ; (el 1 asl)])
  (SPEC "t+5" (MATCH_MP CTRL_UNIT_EXPAND
    (UNIT 'controlUnit_spec' asl) )) ))
THEN % determine latOut(t+6) %
ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
  [(el 1 asl) ;(LINE 'latOut' asl) ;(LINE 'addOut' asl) ;T6]
  (FIND_SPEC_UNIT "t+5" latchUnit_spec 'latchUnit_spec' asl) ) ) )




THEN ASSUM_LIST(\asl. REWRITE_TAC [(LINE 'done' asl) ; (LINE 'phase' asl)])




THEN % write rAddr for time t %
ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
  [(REWRITE_RULE [BETW_0_6_IS_5] (INST_SIG_LIST "t+5" asl) )]
  (LINE 'rAddr' asl) )))
THEN PURE_ONCE_REWRITE_TAC [mmu_spec]
THEN ASSUM_LIST(\asl. REWRITE_TAC [ (REWRITE_RULE
  [(REWRITE_RULE [BETW_0_6_IS_1] (INST_SIG_LIST "t+1" asl) )]
  (LINE 'super' asl) )])
THEN PURE_REWRITE_TAC [userMode; legalAccess]
THEN EXPAND_LET_TAC
THEN % write validAccess for time t %
ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
  [(REWRITE_RULE [BETW_0_6_IS_2] (INST_SIG_LIST "t+2" asl) );
   (REWRITE_RULE [BETW_0_6_IS_4] (INST_SIG_LIST "t+4" asl) );
   (el 25 asl)]
  (el 7 asl) ) ))
THEN ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl);(el 2 asl);
  (LINE 'tblPtr' asl);PAIR_EQ] )
THEN REWRITE_TAC []
]
] % end validAccess cases %

















(phase t = 0) ==>
(reqIn t ==>
 (?c.
   Next done(t,t + c) /\
   (phase(t + c) = 0) /\










   ack(t + c),rAddr(t + c),tblPtr(t + c)))) \/
 ((ack(t + 1) = F) /\
  (phase(t + 1) = 0) /\
  (tblPtr(t + 1) = tblPtr t))))
Run time: 2419.4s




Intermediate theorems generated: 122537

REPORT DOCUMENTATION PAGE

3. REPORT DATE AND TYPE
March 1992, Contractor Report

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Boeing Military Airplanes
P.O. Box 3707, MS 7J-24
Seattle, WA 98124-2207

13. ABSTRACT (maximum 200 words)
This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Application, Task Assignment 3. Task 3 is associated with formal verification of embedded systems. In particular, this document describes the verification of a set of memory management units. The verification effort demonstrates the use of hierarchical decomposition and abstract theories. The MMUs can be organized into a complexity hierarchy. Each new level in the hierarchy adds a few significant features or modifications to the lower level MMU. The units described include: (1) a page check TLM (translation look-aside module); (2) a page check TLM with supervisor line; (3) a base and bounds MMU; (4) a virtual address translation MMU; and (5) a virtual address translation MMU with memory resident segment table.

14. SUBJECT TERMS
Verification, Validation, HOL, MMU, TLM, Virtual Address

Standard Form 298 (Rev 2-89)
Prescribed by ANSI Std Z39-18

