Verification of the FtCayuga fault-tolerant microprocessor system. Volume 2: Formal specification and correctness theorems by Srivas, Mandayam & Bickford, Mark
NASA Contractor Report 187574
(NASA-CR-16757_) VFRIFICATIuN n,F THE
FTCAY!JGA FAULT-T_LERANT M!CROP_CESSOR
SYSTEM. VqLUME 2: FF)RMAL SPFCIFICATION AN.q
C,qKRECINESS THEI3REMS Finial Report (ORA




Verification of the FtCayuga Fault-Tolerant
Microprocessor System
Volume _: Formal Specification
and Correctness Theorems












This is the second volume of a two-volume report that presents a formal specification and
verification of a property of a quadruplicately redundant fault-tolerant microprocessor system
design. This volume gives a complete listing of the formal specification of the system and the
correctness theorems that were proved. The system performs the task of attaining interactive
consistency among the processors using a special instruction on the processors. The design is
based on an algorithm proposed by Pease, Shostak and Lamport. The microprocessor used
in the system is called FtCayuga, which was designed by extending another formally verified
microprocessor MiniCayuga. The property verified ensures that an execution of the special
instruction by the processors correctly accomplishes interactive consistency, provided certain
preconditions hold, using a computer-aided hardware design verification tool, Spectool, and
the theorem prover, Clio, both of which were developed at ORA. A major contribution of tile
work is the demonstration of a significant fault-tolerant hardware design that is mechanically
verified by a theorem prover.




2 General Structure of a Specification Generated by Spectool 3
2.1 Structural Specification Part ........................... 3
2.2 Component Classes Specification Part ...................... 5
2.3 Controller Specification Part ........................... 6
2.4 Composite Behavior Specification Part ..................... 7
3 Voter Specification 8
3.1 Abstract Specification .............................. 8
3.2 Design Specification ................................ 13
4 FtCayuga Specification 24
4.1 Abstract Specification .............................. 24
4.2 Design Specification ................................ 28
4.3 Common Part ................................... 45
IcNet Specification 48
5.1 Abstract Specification .............................. 48
5.2 Design Specification ................................ 50
6 Common Theory 59
6.1 Type Definitions ................................. 59
6.2 The Axioms .................................... 62
iii
_ ,,,IfglEf¢ll_/_ I[rNll PRECEDING PAGE BLANK NOT FILMED
7 Tile Main Lemmas Proved 62




N A SA Langley Research Center has recently initiated a research effort to develop a validation
methodology for life-critical digital (fly-by-wire) flight control systems. Such systems must
meet stringent reliability requirements. The systems are expected to have a probability of
failure as low as 10 -9 for a 10 hour mission. Hence, as has been well-argued in [6], the
design and validation methods employed for such systems must meet high standards. The
designs must use fault-tolerant strategies to enable the continued operation of the system in
the presence of component failures. The validation methods must ensure that there are no
design errors in the system.
The process of formal verification is capable of showing that a system design satisfies a
specified property for all inputs and initial conditions of the design. Hence it is a promising
candidate for consideration as a validation technology for flight control systems. Digital
control systems are implemented using a combination of hardware and software components.
llct_ce, a formal verification technology for flight control systems must be applicable to both
software and hardware designs. This work is concerned with the formal verification of a
hardware design.
This report presents tile formal verification of a hardware system for a task that is
an important component of a fault-tolerant computer architecture for flight control systems.
The hardware system implements an algorithm for attaining interactive consistency (byzan-
tine agreement) [2] among four microprocessors as a special instruction on the processors.
The property verified ensures that an execution of the special instruction by the proces-
sors correctly accomplishes interactive consistency, provided certain preconditions hold. An
assumption is made that tile processors execute synchronously. For verification, we used
a computer-aided hardware design verification tool, Spectool [3], and the theorem prover,
Clio [1], both of which were developed at ORA. The microprocessor used in the system is
called FtCayuga, which we designed by extending the the formally verified microprocessor
MiniCayuga [4].
A major contribution of the work is the demonstration of a significant fault-tolerant
hardware design that is mechanically verified by a theorem prover. The work illustrates the
advantage of using hierarchy and abstraction in system design specification to manage the
complexity of formal verifica'tion. The work demonstrates the value of a special-purpose tool
that tailors the use of a theorem prover to a hardware domain in order to reduce the effort
required for formal verification.
This is the second volume of a two-volume report. The first volume [5] contains an
overview of the work and an informal description of the specification and the proof of cor-
rectness. This volume contains the entire specification of the system and the definitions of all
the correctness theorems and lemmas we proved. This volume is intended as a supplement to
Volume 1, and, hence, the presentation in this volume assumes that you have read Volume 1.
The next section describes the general structure of a specification generated by Spec-
tool, which also appeared as appendix section A in Volume 1. We repeat this description
here for easy reference. The description is useful in understanding the design specifications
of the main blocks--IcNet, Voter, and FtCayuga---of our system. The rest of the material
in this volume is organized as follows.
1. The Voter Specification section contains the design and abstract specifications of the
Voter.
2. The FtCayuga Specification section contains the design and abstract specifications of
FtCayuga.
3. Tile IcNet Specification section contains tile design and abstract specifications of IcNet.
4. The Common Theory section contains definitions of the data types and primitive func-
tions on the data types that are used in the previous specifications. Some of these types
are unimplemented abstract types which are specified by axiomatizing the operations
on them.
5. Tile Main Lemmas section contains the definitions of the main theorem and the main
lemmas with the help of which the main theorem was proved. The bridge theorems
that connect the two levels of descriptions of IcNet and Voter appear as part of the
abstraction specifications of the respective components. Since we did not prove the
bridge theorems for FtCayuga, we have not included them here.
6. The General Lemmas section contains the set of basic lemmas that were used in proving




Structure of a Specification Generated by
A design specification generated by Spectool consists of the parts described in the following
sections.
2.1 Structural Specification Part
This part specifies the data path architecture. It defines a set of types to model the data path
state and a set of functions to specify the connections between the data path components.
Spectool generates this part in a generic fashion from the following structural information
about the data path provided by the user:
1. the names of components and component classes,
2. the names of the actions defined on components,
3. the types that model the internal states of components,
4. the types of the external inputs to the circuit, and
5. the graphical connections between components.
To give the reader an idea of this part of a design specification, a fragment of the structural
specification part of the voter circuit is shown below.
[1 Generic part of the data path state definition
type SYSTEM_STATE = COMP->L0CAL_STATE
type INPUT_STREAM = NAT->EXTSTATE
type CHANGE = <<COMP,NAT,LOCAL_STATE>>
type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>
[I A type for every component class. The type defines the names of
I[ ali the components used in the data path that belong to the class.
I
majority ::= MAJ1 [ MAJ2 [ MAJ3
bytereg ::= PRI [ PR2 J PR3 [ R12 [ RI3 [ R23 [ R31 [ R32
3
bitlatch ::= VS J ST
I! A labeled union type of all the component class types
COMP ::= Controller I C_majority !majority I C_mux4 !mux4
i C_bytereg !bytereg I C_bitlatch !bitlatch
Jl A labeled union type of all local states of components









II The following specifies the input connections to the component MAJ2
majorityinput s (C_majority MAJ2) =
<<getbyteregoutO (current s (C_bytereg R32)),
getbyteregoutO (current s (C_bytereg RI2)),
getbyteregoutO (current s (C_bytereg PR2))>>
The type STATE defines the data path state as a tuple: <<SYSTEM_STATE, [CHANGE],
INPUT_STREAM>>. SYSTEM_STATE maps every component (an element of type COMP) in the
data path to its LOCAL_TATE. [CHANGE] is the list of pending actions on the data path
components. This list is maintained to simulate the effect of delays on actions. The list
conta,ins an update record for each of the actions that has been triggered by the controller
on components, but is yet to be completed. The first two fields of STATE define a snapshot
in time of the data path state. Thestateof a component is given by SYSTEM_STATE unless
an action is pending on the component, in which case the state is bottom.
The third field of the tuple, INPUT_STREAM, specifies the values of the external inputs
to the circuit as function of time. INPUT_STREAM is a function type from time (NAT) to
EXTSTATE, where EXTSTATE is a type that combines all the external inputs into a tuple.
Tim type LOCAL_STATE is a labeled union of tile local states of all the components
of tlle data path (and the controller). The local state type of a component is a tuple of
it,s i_ternal state and (a tuple of) its outputs. The definition of the local state type of a
component appears as part of the component class specification.
The set of components in a data path is organized so that every component is an
instance of a component class. The type C0MP groups together the names of all the compo-
nents in a data path. It is defined as a labeled union of all the component class types, where
a component class type is an enumerated type of the names of all the components belonging
to the corresponding class.
Similarly, the type ACTION groups together the names of the It is defined as a labeled
union of all the action types of the component classes, where the action type of a component
class is an enumerated type of the names of all the actions defined for the class. The definition
of the action type of a component appears as part of the component class specification.
Connections between data path components are specified by defining, for every com-
ponent, a function that determines the inputs to the component in a given data path state.
2.2 Component Classes Specification Part
Every component in the data path is an instance of a component class. The components
belonging to the same class share several attributes. This part specifies the shared attributes ,
of a class for every class used in a design. A component class specification defines the type
that denotes the internal state of a components of the class, the types of the outputs, a
type denoting the names of the actions on the components, and the effects of the actions
on the components. For every action, it defines three functions: "state" and "output"
functions return, respectively, the new state and the new outputs of a component after an
action is performed; and the "delay" function gives the delay associated with the action. For
illustration, a part of the specification of the majority component class used in the voter
circuit is given below.
II The component class majority.
[I Local state of majority: <<internal state type, <<output types>>>>
type majority_loca]state = <<<<data, BOOL>>,<<(byto),(BOOL)>>>>







majoritydelay (select3 c) = #0
majoritycomp (select3 c) = C_majority c
majorityout (select3 c) s <<inl,in2,in3>> = <<get_byte 3 (dataof s), bitof s>>
majoritystate (select3 c) s <<inl,in2,in3>> = s
majoritydelay (select2 c) = #0
majoritycomp (select2 c) = C_majority c
majorityout (select2 c) s <<inl,in2,in3>> = <<get_byte 2 (dataof s), bitof s>>
majoritystate (select2 c) s <<ini,in2,in3>> = s
2.3 Controller Specification Part
A controller is specified by means of two functions nextstate and scheduler. The nextstate
function gives the next controller state as a function of the current state and controller in-
T
puts. The nextstate function is used at the end of each cycle to advance the controller
state. The function scheduler returns a list of actions as a function of the controller state,
controller inputs, and the phase. For illustration, a part of the specification of the controller
for the voter circuit is shown below.
CONTROLSTATE ::= LDPI [ LDP2 1XNGII I XNG12 1XNG21 I XNG22 I XNG3!
( XNG32 [ CMPP ( OUT1 ( OUT2
nextstate LDPI in = ('(startedof in))->(LDPI);(LDP2)
nextstate LDP2 in = XNGII
scheduler XNGII <<vstart, started>> 0 = (selprvtlbyteO)
6
selprvtlbyteO = [A_bytereg(readO PRI), A_mux4(choose3 MUX)3
scheduler XNGi2 <<vstart, started>> 0 = (selprvtlbyte2)
selprvtlbyte2 = [A_bytereg(read2 PR1), A_mux4(choose3 MUX)]
II Some of the details specific to the voter design
II There are 4 clock phases per cycle.
num_phases = 4
2.4 Composite Behavior Specification Part
This part defines a set of functions that derive the composite behavior of a design using the
information expressed in the rest of the specification. This part formalizes in Caliban the
operational model of the behavior of a finite state controller system. This part is identical
for every circuit since Spcctool generates it in a completely generic fashion. The higher-order
function definition capability of Caliban is a primary reason why it is possible to express
this part in a generic fashion. A top level fragment of this part of the specification is shown
below.
Execute s = do_phases 0 s
Output s = generate_output 0 s
do_phases n s = update_state s , n = num_phases
do_phases (n+l) (do_phase n s)
do_phase n <<s,p,in>> =
advance_inputstream (do_actions (current_schedule s2 n) s2)
where s2 = update_state <<s,p,in>>
The two main functions defined in this part are Execute and Output. Execute advances
the state of the system across a single cycle. Output returns the (tuple of) external outputs
produced by the circuit over the next cycle. Output actually returns a list outputs, one for
every phase in a cycle. The two functions are defined hierarchically in terms of several other
functions, some of which are described below.
7
To simulate tile effect of delays on COml)onent actions, the specification maintains a
list of records of pending updates that have been triggered by the controller, but are yet to
take effect on the circuit state. The update record for an action contains the component on
which the update is pending, a time-out counter that is initialized to the delay of the action
and decremented after every phase, and the result of the update. The function update_state
causes the result of all the update records on the list that have timed out totake effect on
the circuit state. The function also decrements the time-out counter of the update records
that have not yet timed-out by one unit of time. The purposes of the rest of the functions
should be apparent from the names of the functions. They are summarized below.
• The function do_phases updates the state for all the phases in a cycle.
• The function do_phase updates the state for a single phase. It causes (using update_state)
the pending updates that have timed out to take effect; gets the current_schedule
from the controller, makes new update records (using do_actions) for all the actions
in the schedule, and then advances the input stream by a time unit.
3 Voter Specification
3.1 Abstract Specification
FROM CommonTheorySec IMPORT update_byte,DATUM, Word, data, _et_byte, good
FROM VoterDesignSec IMPORT controllerstate, majority_of, majority_exists,
OUTI,OUT2,XNGII,XNGI2,XNG21,XNG22, XNG31,XNG32,
CMPP,LDPIrLDP2,













select Zero (a:x) = a
select (Succ n) (a:x) = select n x
take Zero x = []
take (Succ n) (a:x) = a : take n x
***************************Abstraction of the voterstate:
VoterhBS s = <<controllerstate s, Voter_array s, Voter_maj s, goahead s>>
Voter_array s 1 1 = get_PRl_state s
Voter_array s 1 2 = get_PR2_state s
Voter_array s 1 3 = get_PR3_state s
Voter_array s 2 1 = get_R21_state s
Voter_array s 2 2 = get_R12_state s
Voter_array s 2 3 = get_R13_state s
Voter_array s 3 1 = get_R31_state s
Voter_array s 3 2 = get_R32_state s
Voter_array s 3 3 = get_R23_state s
Voter_maj s s
<<get_MAJl_state s, get_MAJ2_state s, get_MAJ3_state s>>
goaheads = get_VS_state s
Voter_from_proc s = map from_proc (take #4 (inlist_from s))
Voter_from_voters s = map from_vtrs (take #4 (inlist_from s))
II$=%=_=$=$=_=_=$=$=_=_=e=_=_=_=_=_=$=$=$=$=_=_=_=$=_--
HALFWORD_KIND ::= LO ] HI
VoterStep <<cstate,array,maj,go>> from_proc from_voters =
<<nextstate cstate <<go,go>>, newarray, newmaj, newgo>>
where
newarray {(cstate= LDPI) _ go} = update_rowl LO array from_proc
newarray {cstate= LDP2} = update_fowl HI array from_proc
newarray {cstate = XNG11} = update_diagonal 0 LO array from_voters
newarray {cstate= XNG12} = update_diagonal 0 HI array from_voters
newarray {cstate= XNG21} = update_diagonal 1LO array from_voters
newarray {cstate= XNG22} = update_diagonal I HI array from_voters
newarray {cstate= XNG31} = update_diagonal 2 LO array from_voters
newarray {cstate= XNG32} = update_diagonal 2 HI array from_voters
newarray = array I_ otherwise it's unchanged
newmaj =(cstate = CMPP)->(maj_vector array) ; maj
newgo = beginof (select (#2) from_proc) ,cstate = OUT2
beginof (select (#2) from_proc) ,(cstate = LDPI) & ('go)
go
update_fowl LO array in =
update_array (update_array array rowl 0 (proc_in (select Zero in)))
rowl i (proc_in (select (#2) in))
update_fowl HI array in = ....
update_array (update_array array rowl 2 (proc_in (select Zero in)))
row1 3 (proc_in (select (#2) in))
update_diagonal n LO array in =
update_array
(update_array array (diagonal (#n)) 0 (cross_in n (select (#I) in)))
(diagonal (#n)) i (cross_in n (select (#3) in))
update_diagonal n HI array in =
update_array
(update_array array (diagonal (#n)) 2 (cross_in n (select (#I) in)))
(diagonal (#n)) 3 (cross_in n (select (#3) in))
update_array_byte array <<i,j>> b v i _ = update_byte b (array i j) v
update_array_byte array <<i,j>> b v k = array k 1
update_array array [] b [] = arra_
update_array array (a:x) b (c:y) =
update_array (update_array_byte array a b c) x b y
9
iterate Zero f x = x
iterate (Succ n) f x = iterate n f (f x)
succ 1 = 2
succ 2 = 3
succ 3 = 1
diagonal n =
[<<2.iterate n succ 2>>.<<3.iterate n succ 3>>]
rowl = [<<1,1>>,<<1,2>>,<<1,3>>]
cross_in 2 <<vl,v2,v3>> = [v2,vl]
cross_in 1 <<vl,v2,v3>> = [v3,vl]
cross_in 0 <<vl,v2,v3>> = [v3,v2]
proc_in <<x,y,z,go>> = [x,y,z]
beginof <<x,y,z,go>> = go
compute_majority x y z = <<majority_of x y z. majority_exists x y z>>
maj_vector array =
<< compute_majority (array I I) (array 2 I) (array 3 1),
compute_majority (array i 2) (array 2 2) (array 3 2),
compute_majority (array i 3) (array 2 3) (array 3 3)>>
Voter_Step_lenuna :=
Proper_state's c
=> 'VoterABS (Execute s)'
='VoterStep (VoterABS s)(Voter_from_proc s)(Voter_from_voters s) c
**********--*******************************************************
Voter output functions. We define one function for every output
II of the Voter, The function defines the list of output signals
][ produced at that port in the "output phases" (0 and 2) of a cycle
maj_out n <<cstate,array,maj,go>>
= low_half (get_maj_va! n maj) , (cstate = OUT1)
high_half (get_maj_val n maj) .(cstate = OUT2)
dont_care [_ don't care in other cases
dont_care = <<bottomtbQt_om>> ..... _, _ _,
get_maj_val i <<<<bO,bi>>.<<cO.ct>>,<<dO,dt>>>> = bO
get_maj_val 2 <<<<bO,bl>>,<<cO,cl>>,<<dO,dl>>>> = cO
get_maj_val 3 <<<<bO,bl>>,<<cO,cl>>,<<dO,dl>>>> = dO
low_half (DATUM (Word byte3 byte2 bytel byteO)) = <<byteO, byte1>>
high_half (DATUM (Word byte3 byte2 bytel byteO)) = <<byte2, byte3>>
crossout <<cstate,array,maj,go>>
= xng_out cstate array [[ depends only on cstate and array
xng_out cs array
= sendlow 1 array, (cs = XNGII)
sendhigh 1 array, (ca = XNG12)
sendlow 2 array, (ca = XNG21)
sendhigh 2 array, (ca = XNG22)
sendlow 3 array, (cs = XNG31)
sendhigh 3 array, (cs = XNG32)
dont_care _I don't care, otherwise
sendlow n array = <<get_byte 0 (array 1 n), get_byte I (array I n)>>
lO
sendhigh n array = <<get_byte 2 (array i n), get_byte 3 (array 1 n)>>
statusout <<cstate,array,maj, go>> = getstatus maj, (cstate -= CMPP)
dont_c_Lre
getstatus <<<<maj II ,maj 12>>, <<maj21 ,maj22>>, <<maj31 ,maj32>>>>
= <<<<maj 12,maj 22,maj 32>>, <<maj 12,maj 22,maj 32>>>>
sndngout <<cstate,array,maj,go>>




= <<True,True>>, (cstate= LDPI)
<<False,False>>
I_ Now the tuple <<maj_out I s, maj_out 2 s, ..... freeout s>> will be a tuple
II of lists of length two. The output function at the lower level
II gives a list of tuples of lenght two. To compare the two levels,
II we must "transpose" one of the representations.
transpose [ <<aO,bO,cO,dO,eO,fO,gO>>, <<al,bl,cl,dl,el,fl,gl>>]
= << <<aO,al>>,<<bO,bl>>,<<cO,cl>>,<<dO,dl>>,<<eO,el>>,
<<fO,f1>>,<<gO,gl>> >>
VoterOut s = <<maj_out i s,maj_out 2 s,maj_out 3 s,statusout s,
crossout s,sndngout s,freeout s>>
VoterOut_Lemma := 'VoterOut (VoterABS s)'
<= Ctranspose (Output s) _, Proper_state 's'
I[ Now we will write another description of the voter, similar to the one
[[ above, but with the inputs and outputs grouped differently and with
[[ the input stream separated from the state. This description is used
[[ when the voter is thought of as a component in a larger system.
type ARRAY = NUM->NUM->data
type MAJSTATE = <<data,BODL>>
type MAJROW = <<MAJSTATE,MAJSTATE,MAJSTATE>>
type VOTERSTATE = <<CONTROLSTATE,ARRAY,MAJROW,BOOL>>
The input tuple used above has the form <<pvtl,pvt2,pvt3,vl,v2,v3,b>>,
and each cycle consumes four such tuples from the input stream.
The new description of the voter is as a component having
four inputs from_proc = <<go,pvtl,pvt2,pvt3>> , and vl, v2, and v3,
each of which is a four tuple (representing the values on the input wires














II So, in the new description, the voter has a state s :: VOTERSTATE
II and it gets an input in = <<from_proc, from_vl, from_v2, from_v3>>.
11
II We can define its new state by using the function VoterStep defined above.
voterstep s in = VoterStep s (serial_from_proc in)(serial_from_voter in)
Jl The voter-component will have four output ports: to_proc, crossl, cross2,
II and cross3. The "cross" outputs will all be the same:
cross_out <<cs,array,mj,b>> = pad (xng_out cs array)
pad <<a,b>> = <<a,a,b,b>>
II The output "to_proc" contains all the other output of the voter:




(good (a I I)) _ (good (a 1 2)) & (good (a I 3))
& (good (a 2 I)) _ (good (a 2 2)) a (good (a 2 3))
& (good (a 3 i)) & (good (a 3 2)) _ (good (a 3 3))
good_maj_row <<a,b,c>> = good_maj a a (good_maj b) & (good_maj c)
good_maj <<a,b>> = good a a !b
[[clio: sy good_array ex
lJclio: sy good_maj_row ex








Proper_state 's' => Proper_voterstate 'VoterABS s'
*************************************************************************Here are some functions we need to specify the next level of abstraction.
control <<cs,array,maj,go>> = cs
arrayof <<cs,array,maj,go>> = array
maj_of <<cs,array,maj,go>> = maj
go_of <<cs,array,maj_go>> = go
rowlof <<cs,array,ma3,go>> = <<array I I, array i 2, array I 3>>
Jl Now we'll define a predicate that says how well defined the inputs
[_ to the voter need to be in order to result in a Proper_voterstate.
good_voter_in cs in = !!(serial_from_voter in) , xng_cycle cs
!!(serial_from_proc in)
xng_cycle XNGII = True
xng_cycle XNG12 = True
xng_cycle XNG21 = True
xng_cycle XNG22 = True
xng_cycle XNG31 = True
xng_cycle XNG32 - True
xng_cycle cs = False
Proper_voterstate_lemma :=
(Proper_voterstate 's' _ 'good_voter_in (control s) in'='True')
=> Proper_voterstate 'voterstep s in'
12
II When the voter state is not LDP1 the the nextstate is a function
of the current state only. We need to export this function:
next_voterstate s = nextstate s bottom
3.2 Design Specification
FROM CommonTheorySec IMPORT data, byte, good, BYTEO, BYTE1, BYTE2, BYTE3,
set_byte, byte_inc, get_byte, update_byte
good_mstate <<s.b>> c ffi good s _ !b _ (bfc)
[[clio: sy good_mstate extend
II Generated by the spectool
llclio: symbol Execute never




C0MP ::= Controller I+
ACTION ::= Advance_controller_÷
CONTROLSTATE :: type
LOCAL_STATE ::= S_Controller !CONTROLSTATE I+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = )x
llclio: sy is_proper_contr extend
controllerstate s = getcontrolstate (current s Controller)
effect Advance_controller s c =
S_Controller (nextstate (controllerstate s) (controllerinput s))
delay Advance_controller = #0
component Advance_controller ffiController
controllerinput s = <<getbitlatchout0 (current s (C_bitlatch VS)),
getbitlatchout0 (current s (C_bitlatch ST))>>
_*=*=*=*=*=*=*=*=*=*=*=*=*=*=,=,=.=.=,=.=,=.=.=.=.=,--
[I The Control states and the next_state function.
vstartof <<vstart, started>> = vstart
startedof <<vstart, started>> = started
CONTROLSTATE ::TnLDP_ I+nextstate LDP1 _ [] - in))->startedof (LDPI);(LDP2)
CONTROLSTATE ::= LDP2 l+
nextstate LDP2 in ffiXNG11
CONTROLSTATE ::= XNGll +
nextstate XNGII in = XNG12
CONTROLSTATE ::= XNGI2 +
nextstate XNG12 in = XNG21
CONTROLSTATE ::= XNG21 +
nextstate XNG21 in = XNG22
CONTRDLSTATE ::= XNG22 +
nextstate XNG22 in = XNG31
CONTROLSTATE ::ffiXNG31 +
nextstate XNG31 in = XNG32
CONTROLSTATE ::= XNG32 +
nextstate XNG32 in = CMPP
CONTROLSTATE ::ffiCMPP [+
nextstate CMPP in ffi0UTI
13
CONTROLSTATE ::= OUTI I+
nextstate OUT1 in = OUT2
CONTROLSTATE ::= OUT2 I+
nextstate OUT2 in = LDPI
CONTROLSTATE ::= J
II The component External.
type EXTSTATE = <<byte, byte, byte, byte, byte, byte, BOOL>>
external_input_prvtl <<xO, xl, x2, x3, x4, xS, x6>> = xO
external_input_prvt2 <<xO, xL, x2, x3, x4, x5, x6>> = xl
external_input_prvt3 <<xO, xl, x2, x3, x4, x5, x6>> = x2
external_input vinl <<xO, xl, x2, x3, x4, x5, x6>> = x3
external_input:vin2 <<xO, xl, x2, x3, x4, xS, x6>> = x4
external_input_vin3 <<xO, xl, x2, x3, x4, xS, x6>> = x5
?xternal_input_vstart <<xO, xl, x2, x3, x4, x5, x6>> = x6
is_proper_ext <<xO, xl, x2, x3, x4, xS, x6>> =
(!xO) & (!xl) _ (!x2) _ (!x3) & (!x4) _ (!xS) _ ('x6)
IIclio: sy is_proper_ext extend
current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
llclio: sy Proper_External extend
Proper_External C<<s,p,in>>' :=
(t::NAT) 'is_proper_ext (in t)+='True +
****************************
#1 There are 4 clock phases per cycle.
num_phases = 4
input_phases = [#0, #1, #2, #3]
output_phase 0 = True + ++
output_phase 2 = True
output_phase n = False
[I* * * * * * * * ** • • • ** , , , , , , *** **
II The generic Execute function.
type SYSTEM_STATE = COMP->LOCAL.STATE
type INPUT_STREAM = NAT->EXTSTATE
type CHANGE = <<COMP,NAT,LOCAL_STATE>>
type STATE - <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>
pending_chan_es <<s,p,in>> = p
current <<s,p,in>> c = bottom, pendin_ p c
sc
pending [] c = False
pendin_ (<<c,t,v>>:rest) c = True
pendin_ (<<c2,t,v>>:rest) c = pendin_ rest c
Execute s = do_phases 0 s
do_phases n s _ update_state s , n = num_phases
do_phases (n+1) (do_phase n s)
Output s = _enerate_output 0 s
generate_output n s {n=num_phases} = [3
Eenerate_output n s {output_phase n} =
Out(do_phase n s) : _enerate_output (n+l) (do_phase n s)
14
generate_output n s = generate_output (n+l) (do_phase n s)
llclio: modify_rule "do_phases" count 20000
llclio: symbol do_phases never
update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
advance_inputstream (do_actions (current_schedule s2 n) s2)
where s2 = update_state <<s,p,in>>
current_schedule s n = scheduler (controllerstate s) (controllerinput s) n
do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>
do_action a s = do_change (change_of a s) s
advance_inputstream<<s,p,in>> = <<s,p,in.Succ>>
change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)
II This is a trick to handle conditional actions correctly
do_actions :: [ACTION]->STATE->STATE
AXIOM (s)'do_actions [] s' = 's'
AXIOM (a)(rest)(s)'do_actions (a:rest) s' = 'do_actions rest (do_action a s)'
update s c v c2 = (c=c2)->v; s c2
foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest
map f [] = []
map f (a:x) = (f a): (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s
iterate f (Succ n) s = iterate f n (f s)
I I_=$=$=$=_=_=_=$=_=_=_=$=_=$=$=$=_=_=_=,=,=,=$=_=_=_--
II Component Classes.
,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=*=*=*=*--The component class majority.
majority :: type
type majority_localstate = <<<<data, BOOL>>,<<(byte),(BOOL)>>>>
LOCAL_STATE ::= S_majority !majority_localstate l+







majoritydelay (select3 c) = #0
majoritycomp (select3 c) = C_majority c
majorityout (select3 c) s <<inl,in2,in3>> = <<get_byte 3 (dataof s), biter s>>
majoritystate (select3 c) s <<inl,in2,in3>> = s
majoritydelay (select2 c) = #0
majoritycomp (select2 c) = C_majority c
majorityout (select2 c) s <<inl,in2,in3>> = <<get_byte 2 (dataof s), biter s>>
majoritystate (select2 c) s <<inl,in2,in3>> = s
15
majoritydelay (selectO c) = #0
majoritycomp (selectO c) = C_majority c
majorityout (selectO c) s <<inl,in2,in3>> = <<get_byte 0 (dataof s), bitof s>>
majoritystate (selectO c) s <<inl,in2,in3>> = s
majoritydelay (selectl c) = #0
majoritycomp (selectl c) = C_majority c
majorityout (select! c) s <<inl,in2,inS>> = <<get_byte I (dataof s), bitof s>>
majoritystate (selectl c) s <<inl,in2,in3>> = s
majoritydelay (comp c) = #2
majoritycomp (comp c) = C_majority c
majorityout (comp c) s <<inl,in2,in3>> =
<<get_byte 0 (majority_of in1 in2 inS), majority_exists in! in2 in3>>
majoritystate (comp c) s <<inl,in2,inS>> =
<<majority_of inl in2 inS, majority_exists inl in2 in3>>
effect (A_majority a) = majorityeffect a
delay (A_majority a) = majoritydelay a
component (A_majority a) = majoritycomp a
majorityeffect a s c =
S_majority <<majoritystate a (getmajoritystate (current s c))
(majorityinput s c),
majorityout a (getmajoritystate (current s c))
(majorityinput s c)>>
getmajoritystate (S_majority <<x,y>>) = x
getmajorityoutO (S_majority <<x,<<yO,yl>> >>) = yO
getmajorityoutl (S_majority <<x,<<yO,yl>> >>) = yl
is_proper_majority (S_majority <<x,<<yO,yl>> >>) = (! yO) & (! yl)
llclio: sy is_proper_majority extend
((( (( ( ( ¢
Goodmajority s out fnd :== good_mstate s fnd'='True
I I*=_=_=_=_=_=*=*=_=_=_=_=_=_=*=_=_=_=*=_=_=_=_=_=_=_--) The component class mux4.
mux4 :: type
type mux4_localstate = (byte)
LOCAL_STATE ::= S_mux4 !mux4.1ocalstate I+






mux4delay (choose4 c) = #0
mux4comp (choose4 c) = C_mux4 c
mux4out (choose4 c) <<inl,in2,in3,in4>> = in4
mux4delay (choose3 c) = #0
mux4comp (choose3 c) = C_mux4 c
mux4out (choose3 c) <<inl,in2,in3,in4>> = in3
mux4delay (choose2 c) = #0
mux4comp (choose2 c) = C_mux4 c
mux4out (choose2 c) <<inl,in2,in3,in4>> = in2
mux4delay (choosel c) = #0
mux4comp (choosel c) = C_mux4 c
mux4out (choosel c) <<inl,in2,in3,in4>> = inl
effect (A_mux4 _) = mux4.effect a
delay (A_mux4 a) = mux4delay a
component (A_mux4 a) = mux4comp a
16
mux4effect a s c = S_mux4 (mux4out a (mux4input s c))
getmux4outO (S_mux4 y) = y
is_proper_mux4 (S_mux4 y) = ! y
_Iclio: sy is_proper_mux4 extend
I I_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=%=_=_=_=_=_--
The component class bytereg.
bytereg :: type
type bytereg_localstate = <<data,<<(data),(byte)>>>>
LOCAL_STATE ::= S_bytereg !bytereg_localstate I+










byteregdelay (read3 c) = #0
byteregcomp (read3 c) = C_bytereg c
byteregout (read3 c) s din = <<s, get_byte 3 s>>
byteregstate (read3 c) s din : s
byteregdelay (read2 c) = #0
byteregcomp (read2 c) = C_bytereg c
byteregout (read2 c) s din = <<s, get_byte 2 s>>
byteregstate (read2 c) s din = s
byteregdelay (readl c) = #0
byteregcomp (readl c) = C_bytereg c
byteregout (readl c) s din = <<s, get_byte I s>>
byteregstate (readl c) s din = s
byteregdelay (readO c) = #0
byteregcomp (readO c) = C_bytereg c
byteregout (readO c) s din = <<s, get_byte 0 s>>
byteregstate (readO c) s din = s
byteregdelay (set3 c) = #I
byteregcomp (set3 c) = C_bytereg C
byteregout (set3 c) s din = <<update_byte 3 s din, din>>
byteregstate (set3 c) s din = update_byte 3 s din
byteregdelay (set2 c) = #I
byteregcomp (set2 c) = C_bytereg c
byteregout (set2 c) s din = <<update_byte 2 s din, din>>
byteregstate (set2 c) s din = update_byte 2 s din
byteregdelay (set1 c) = #I
byteregcomp (setl c) = C_bytereg c
byteregout (set1 c) s din = <<update_byte 1 s din, din>>
byteregstate (setl c) s din = update_byte 1 s din
byteregdelay (setO c) = #1
byteregcomp (setO c) = C_bytereg c
byteregout (setO c) s din = <(update_byte 0 s din, din>>
byteregstate (setO c) s din ffiupdate_byte 0 s din
17
effect (A_bytereg a) = byteregeffect a
delay (A_bytereg a) = byteregdelay a
component (A_bytereg a) = byteregcomp a
byteregeffect a s c =
S_bytereg <<byteregstate a (getbyteregstate (current s c)
(bytereginput s c),
byteregout a (getbyteregstate (current s c))
(bytereginput s c)>>
getbyteregstate (S_bytereg <<x,y>>) = x
getbyteregoutO (S_bytereg <<x,<<yO,yl>> >>) = yO
getbyteregoutl (S_bytereg <<x,<<yO,y1>> >>) = yl
is_proper_bytereg (S_bytereg <<x,<<yO,y1>> >>) = (! yO) & (! yl)
[[clio: sy is_proper_bytereg extend
Goodbytereg's t 'dataout' 'byteout':ffiffi 'dataout'='s' & 'good s'='True'
II The component class bitlatch.
bitlatch :: type
type bitlatch_localstate = <<BOOL,(BOOL)>>
LOCAL_STATE ::= S_bitlatch !bitlatch.localstate [+
ACTION ::= A_bitlatch !bitlatch_ACT |+
bitlatch_ACT ::=
seth !bitlatch
bitlatchdelay (seth c) = #i
bitlatchcomp (seth c) ffiC_bitlatch c
bitlatchout (seth c) s in = in
bitlatchstate (seth c) s in = in
effect (A_bitlatch a) = bitlatcheffect a
delay (A_bitlatch a) = bitlatchdelay a
component (A_bitlatch a) = bitlatchcomp a
bitlatcheffect a s c =
S_bitlatch <<bitlatchstate a (getbitlatchstate (current s c))
(bitlatchinput s c),
bitlatchout a (getbitlatchstate (current s c))
(bitlatchinput s c)>>
getbitlatchstate (S_bitlatch <<x,y>>) = x
getbitlatchoutO (S_bitlatch <<x,y>>) = y
is_proper_bitlatch (S_bitlatch <<x,y>>) = ! y
llclio: sy is_proper_bitlatch extend









[[ Components (other than Controller and External)
l[ and their connections.
majority ::= MAJ1 _+
majorityinput s (C_majority MAJI) ffi
<<getbyteregoutO (current s (C_bytereg R31)),
getbyteregoutO (current s (C_bytereg R21)),
getbyteregoutO (current s (C_bytereg PRI))>> ,
majority ::= MAJ2 l+
majorityinput s (C_majority MAJ2) =
18
<<getbyteregoutO (current s (C_bytereg R32)),
getbyteregoutO (current s (C_bytereg RI2)),
getbyteregoutO (current s (C_bytereg PR2))>>
majority ::= MAJ3 I+
majorityinput s (C_majority MAJ3) =
<<getbyteregoutO (current s (C_bytereg R23)),
getbyteregoutO (current s (C_bytereg R13)),
getbyteregoutO (current s (C_bytereg PR3))>>
mux4 ::= MUX l+
mux4input s (C_mux4 MUX) =
<<getbyteregoutl (current s (C_bytereg PR3)),
getbyteregoutl (current s (C_bytereg PR2)),
getbyteregoutl (current s (C_bytereg PRI)), bottom>>
bytereg ::= PRI +
bytereginput s (C_bytereg PRI) = external_input_prvtl (current_input s)
bytereg ::ffiPR2 +
bytereginput s (C_bytereg PR2) ffiexternal_input_prvt2 (current_input s)
bytereg ::= PR3 +
bytereginput s (C_bytereg PR3) = external_input_prvt3 (current_input s)
bytereg ::= RI2 +
bytereglnput s (C_bytereg RI2) = external_input_vinl (current_input s)
bytereg ::= RI3 +
bytereglnput s (C_bytereg RI3) ffiexternal_input_vinl (current_input s)
bytereg ::= R21 +
bytereglnput s (C_bytereg R21) = external_input_vin2 (current_input s)
bytereg ::= R23 +
bytereglnput s (C_bytereg R23) = external_input_vin2 (current_input s)
bytereg ::= R31 +
bytereglnput s (C_bytereg R31) = external_input_vin3 (current_input s)
bytereg ::= R32 '+
bytereglnput s (C_bytereg R32) = external_input_vin3 (current_input s)
bitlatch ::= VS !+
(C_bitlatch VS) external_input_vstart (current_input s)bitlatchinput s =
bitlatch ::= ST I+







sndng_controller_out s <<vstart, started>> = ready_to_send s
free_controller_out s <<vstart, started>> = voter_free s
Out s = (<<getmajorityoutO (current s (C_majority MAJI)),
getmajorityoutO (current s (C_majority MAJ2)),
getmajorityoutO (current s (C_majority MAJ3)),
<<getmajorityoutl (current s (C_majority MAJI)),
getmajorltyoutl (current s (C_majority MAJ2)),
getmajorityoutl (current s (C_majority MAJ3))>>,
getmux4outO (current s (C_mux4 MUX)),
sndng_controller_out (getcontrolstate
(current s Controller)) (controllerinput s),
free_controller_out (getcontrolstate (current s Controller))
(controllerinput s)>>)
external_output_ml <<xO, xl, x2, x3, x4, x5, x6>> = xO
external_output_m2 <<xO, xl, x2, x3, x4, x5, x6>> = xl
external_output_m3 <<xO, xl, x2, x3, x4, xS, x6>> = x2
external_output_status <<xO, xl, x2, x3, x4, xS, x6>> = x3
external_output_cross <<xO, xl, x2, x3, x4, xS, x6>> = x4
19
external_output_sndng <<xO, xl, x2, x3, x4, x5, x6>> = x5
external_output_free <<xO, xl, x2, x3, x4, x5, x6>> = x6
inlist_from <<s,p,in>> = input_phases_of in
input_phases_of in = (map in input_phases) ++
input_phases_of (in. (#+ #num_phases))
_.=_=,=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=,=.=.=.=_=_=_--
I_ The scheduler.
scheduler LDPI <<vstart, started>> 2 =
((vstart)->[A_bytereg(setl PRI), A_bytereg(setl PR2),
A_bytereg(setl PR3)];[A_bitlatch(setb VS)])
scheduler LDP2 <<vstart, started>> 2 =
[A_bytereg(set3 PRI), A_bytereg(set3 PR2), A_bytereg(set3 PR3)]
scheduler XNGII <<vstart, started>> 2 = (selprvtlbytel)
scheduler XNG12 <<vstart, started>> 2 = (selprvtlbyte3)
scheduler XNG21 <<vstart, started>> 2 = (selprvt2bytel)
scheduler XNG22 <<vstart, started>> 2 = (selprvt2byte3)
scheduler XNG31 <<vstart, started>> 2 = (selprvt3bytel)
scheduler XNG32 <<vstart, started>> 2 = (selprvt3byte3)
scheduler 0UTI <<vstart, started>> 2 =
[A_majority(selectl MAJI), A_majority(selectl MAJ2),
A_majority(selectl MAJ3)]
scheduler OUT2 <<vstart, started>> 2 =
[A_majority(select3 MAJI), A_majority(select3 MAJ2),
A_majority(select3 MAJ3), A_bitlatch(setb VS)]
scheduler LDPI <<vstart, started>> 0 =
((vstart)->[A_bytereg(set0 PR1), A_bytereg(set0 PR2),
A_bytereg(set0 PR3)];[])++[A_bitlatch(setb ST)]
scheduler LDP2 <<vstart, started>> 0 =
[A_bytereg(set2 PRI), A_bytereg_set2PR2), A_bytereg(set2 PR3)]
scheduler XNG11 <<vstart, started>> 0 = (selprvtlbyteO)
scheduler XNGI2 <<vstart, started>> 0 = (selprvtlbyte2)
scheduler X_21 <<vstart, started>> 0 = (selprvt2byte0)
scheduler XNG22 <<vstart, started>> 0 = (selprvt2byte2)
scheduler XNG31 <<vstart, started>> 0 = (selprvt3byte0)
scheduler XNG32 <<vstart, started>> 0 = (selprvt3byte2)
scheduler 0UTI <<vstart, started>> 0 =
[A_majority(selectO MAJI), A_majority(selectO MAJ2),
A_majority(selectO MAJ3)]
scheduler 0UT2 <<vstart, started>> 0 =
[A_majority(select2 MAJI), A_majority(select2 MAJ2),
A_majority(select2 MAJ3)]
scheduler XNG11 <<vstart, started>> 3 =
[A_bytereg(setl R12), A_bytereg(setl R23)]++[Advance_controller]
scheduler XNG11 <<vstart, started>> 1 =
[A_bytereg(set0 R12), A_bytereg(set0 R23)]
scheduler XNG12 <<vstart, started>> I =
[A_bytereg(set2 RI2), A_bytereg(set2 R23)]
scheduler XNG12 <<vstart, started>> 3 =
[A_bytereg(set3 R12), A_bytereg(set3 R23)]++[Advance_controller]
scheduler XNG21 <<vstart, started>> i =
[A_bytereg(set0 R13), A_bytereg(set0 R31)]
scheduler XNG21 <<vstart, started>> 3 =
[A_bytereg(setl R13), A_bytereg(setl R31)]++[Advance_controller]
scheduler XNG22 <<vstart, started>> I =
[A_bytereg(se_2 R13), A_bytereg(set2 R31)]
scheduler XNG22 <<vstart, started>> 3 =
[A_bytereg(set3 RI3), A_bytereg(set3 R31)]++[Advance_controller]
2O
scheduler XNG31 <<vstart, started>> i =
[A_bytereg(setO R21), A_bytereg(setO R32)]
scheduler XNG31 <<vstart, started>> 3 =
[A_bytereg(setl R21), A_bytereg(setl R32)]++[Advance_controller]
scheduler XNG32 <<vstart, started>> i =
[A_bytereg(set2 R21), A_bytereg(set2 R32)]
scheduler XNG32 <<vstart, started>> 3 =
[A_bytereg(set3 R21), A_bytereg(set3 R32)]++[Advance_controller]
selprvtlbyteO = [A_bytereg(readO PRI), A_mux4(choose3 MUX)]
selprvtlbytel = [A.bytereg(readl PR1), A_mux4(choose3MU_)]
selprvtlbyte2 = [A.bytereg(read2 PRI), A_mux4(choose3 MUX)]
selprvtlbyte3 = [A_bytereg(read3 PRI), A_mux4(choose3 MUX)]
solprvt2byteO [A_bytereg(readO PR2), A_mux4(choose2MUX)]
selprvt2bytel = [A_bytereg(readl PR2), A_mux4(choose2 MUX)]
selprvt2byte2 = [A_bytereg(read2 PR2), A_mux4(choose2MUX)]
selprvt2byte3 = [A_bytereg(read3 PR2), A_mux4(choose2 MUX)]
selprvt3byteO = [A_bytereg(readO PR3), A_mux4(choosel MUX)]
selprvt3bytel = [A_bytereg(readl PR3), A_mux4(choosel MUX)]
selprvt3byte2 = [A_bytereg(read2 PR3), A_mux4(choosel MUX)]
selprvt3byte3 = [A_bytereg(read3 PR3), A_muxd(choosel MUX)]
scheduler CMPP <<vstart, started>> 0 =
[A_majority(comp MAJ1), A_majority(comp MAJ2), A_majority(comp MAJ3)]
scheduler s in 3 = [Advance_controller]
scheduler s in t [3
I I*=*=*=*=*=*=*=*=%=*=*=*=*=,=*=_=,=_=,=,=,=,=,=,=,=,--
II Proper state predicates.
is_proper_state 's' :==
'is_proper_contr (current s Controller)' = 'True'
'is_proper_majority (current s (C_majority MAJI))' = 'True'
a 'is_proper_majority (current s (C_majority MAJ2))' = 'True'
& 'is_proper_majority (current s (C_majority MAJ3))' = 'True'
'is_proper_mux4 (current s (C_mux4 MUX))' = 'True'
& 'is_proper_bytereg (current s (C_bytereg PRI))' = 'True'
& 'is_proper_bytereg (current s (C_bytereg PR2))' = 'True'
'is_proper_bytereg (current s (C_bytereg PR3))' = 'True'
a 'is_proper_bytereg (current s (C_bytereg RI2))' = 'True'
a 'is_proper_bytereg (current s (C_bytereg RI3))' = 'True'
a 'is_proper_bytereg (current s (C_bytereg R21))' = 'True'
& 'is_proper_bytereg (current s (C_bytereg R23))' = 'True'
a 'is_proper_bytereg (current s (C_bytereg R31))' = 'True'
'is_proper_bytereg (current s (C_bytereg R32))' = 'True'
& 'is_proper_bitlatch (current s (C_bitlatch VS))' = 'True'




Goodmajority 'getmajoritystate(current s (C_majority MAJI))'
'getmajorityoutO(current s (C_majority MAJI))'
'getmajorityoutl(current s (C_majority MAJI))'
a Soodmajority 'getmajoritystate(current s (C_majority MAJ2)) c
'getmajorityoutO(current s (C_majority MAJ2))'
'getmajorityout1(current s (C_majority MAJ2))'
a Goodmajority 'getmajoritystate(current s (C_majority MAJ3))'
_getmajorityoutO(current s (C_majority MAJ3))'
'getmajorityoutl(current s (,_majority MAJ3))'
21
Goodbytereg 'getbyteregstate(current s (C_bytereg PRI))'
'getbyteregoutO(current s (C_bytereg PRI)) _
'getbyteregoutl(current s (C_bytereg PRI))'
• & Goodbytereg 'getbyteregstate(current s (C_bytereg PR2))'
'getbyteregoutO(current s (C_bytereg PR2))'
'getbyteregout1(current s (C_bytereg PR2))'
& Goodbytereg 'getbyteregstate(current s (C_bytereg PR3))'
'getbyteregoutO(current s (C_bytereg PR3))'
'getbyteregoutl(current s (C_bytereg PR3))'
Goodbytereg 'getbyteregstate(current s (C_bytereg RI2))'
'getbyteregoutO(current s (C_bytereg R12)) c
'getbyteregoutl(current s (C_bytereg R12))'
Goodbytereg 'getbyteregstate(current s (C_bytereg RI3))'
'getbyteregoutO(current s (C_bytereg R13))'
'getbyteregoutl(current s (C_bytereg RI3))'
Goodbytereg 'getbySeregstate(current s (C_bytereg R21))'
'getbyteregoutO(current s (C_bytereg R21))'
'getbyteregout1(current s (C_bytereg R21)) c
Goodbytereg 'getbyteregstate(current s (C_bytereg R23))'
'getbyteregoutO(current s (C_bytereg R23))'
'getbyteregout1(current s (C_bytereg R23))'
& Goodbytereg (getbyteregstate(current s (C_bytereg R31))'
"getbyteregoutO(current s (C_bytereg R31))'
'getbyteregout1(current s (C_bytereg R31))'
Goodbytereg 'getbyteregstate(current s (C_bytereg R32))'
'getbyteregoutO(current s (C_bytereg R32)) _
'getbyteregout1(current s (C_bytereg R32))'
& Goodbitlatch 'getbitlatchstate(current s (C_bitlatch VS))'
_getbitlatchoutO(current s (C_bitlatch VS))'
& Goodbitlatch 'getbitlatchstate(current s (C_bitlatch ST)) c
'getbitlatchoutO(current s (C_bitlatch ST))'
Proper_External 's'
[[clio: symbol Proper_state extend_auto
l[clio: symbol pending_changes extend_auto
II,=,=,=,=_=,=,=,=,=,=_=_=_=_=,=_=_=_=_=_=_=_=_=,=,=,--
J( For export to other modules, we define functions
_I access the internal state of each component that has one.
get_MAil_state s = getmajoritystate (current s (C_majority MAJI))
get_MAJ2_state s = getmajoritystate (current s (C_majority MAJ2))
get_MAJ3_state s = getmajoritystate (current s (C_majority MAJ3))
get_PR1_state s = getbyteregstate (current s (C_bytereg PRI))
get_PR2_state s = getbyteregstate (current s (C_bytereg PR2))
get_PR3_state s = getbyteregstate (current s (C_bytereg PR3))
get_Rl2_state s = getbyteregstate (current s (C_bytereg RI2))
get_Rl3_state s = getbyteregstate (current s (C_bytereg R13))
get_R21_state s = getbyteregstate (current s (C_bytereg R21))
get_R23_state s = getbyteregstate (current s (C_bytereg R23))
get_R31_state s = getbyteregstate (current s (C_bytereg R31))
get_R32_state s = getbyteregstate (current s (C_bytereg R32))
get_VS_state s = getbitlatchstate (current s (C_bitlatch VS))
get_ST_state s = getbitlatchstate (current s (C_bitlatch ST))
II_=%=_=_=_=_=_=_=_=_=_=%=_=_=_=#=_=_=_=_=_=_=_=_=_=_--
I[ Auxillary definitions.
type bitvec = [BOOL]
22
dataof <<data, bit>> = data
bitof <<data, bit>> = bit
JJ ** Should this he majority_does_not_exist ? **
majority_exists inl in2 in3 = (inl = in2) I (inl = in3) I (in2 = in3)
majority_of in1 in2 In3 = (in1=in2 -> inl; (in1=in3 -> inl; in2))
isbitvector n bitvec = (n = ## bitvec)
ready_to_send s = (s=OUTI)I(s=OUT2)
voter_free s = s=LDP1
from_proc <<p1,p2,p3,vl,v2,v3,go>> = <<pl,p2,p3,go>>
from_vtrs <<p1,p2,p3,vl,v2,v3,go>> = <<v3,v2,vl>>
[[ The cutpolnts and loop conditions.
CUTPOINT ::2 start
at_start s = start_state (controllerstate s)
start_state LDPI = True
start_state x = False
PATH ::= startPATHO ]÷
path_start startPATHO = start
path_end startPATHO = start
path_length startPATHO = #II
path_condition 'startPATHO' 's' :==
TRUE
'controllerstate s(='LDP1 '
a '-(startedof (controllerinput (iterate Execute (#I) s)))'='False'
'controllerstate literate Execute l:_I s)'='iDP2'
'controllerstate iterate Execute s)'='XNGII'
a 'controllerstate iterate Execute s)'='XNG21'
& (controllerstate iterate Execute I:_I s)'='XNG22'a 'controllerstate iterate Execute s)'='XNG31'
& 'controllerstate iterate Execute l:_I s)'='XNG32'a 'controllerstate iterate Execute s)'2'CMPP '
& 'controllerstate iterate Execute (#9) s)C2'OUT1 '
a 'controllerstate iterate Execute (#I0) s)'='OUT2'
PATH ::= startPATHl I+
path_start startPATHl 2 start
path_end startPATH1 = start
path_length startPATH1 = #1
path_condition 'startPATHl' 's' :=2
TRUE
'controllerstate s'='LDPI '
'-(startedof (controllerinput (iterate Execute (#1) s)))'='True'
Invariant 'p' 's' :2 TRUE
PATH ::= I
Advance_Relation 'pl' 'p2' 'el' 's2' := TRUE
path_precond 'path" 's' :=
'!pathC2'True '
& path_condition 'path' 's'
& Invariant 'path_start path' 's'
_Iclio: sy path_precond extend
l_clio: sy Invariant extend
path_postcond 'path' 's' :=
23
Invariant 'path_end path' 'iterate Execute (path_length path) s'
a Advance_Relation 'path_start path' 'path_end path'
's' 'iterate Execute (path_length path) s'
VC 'path' 's':=
path_precond 'path' 's' => path_postcond 'path' 's'
VC_ok 's' :== (path) VC 'path' 's'




Timing_ok 's'_ ;roper_state 's'
Timing_ok_case 's': ==
Timing_ok 's', 'controllerstate s'='c'
Timing_ok_by_cases :== Proper_state 's' s> Timing_ok_case 's'
4 FtCayuga Specification
In the following the functions that are used in both tile abstract as well as the design
specifications arc given in a separate section.
4.1 Abstract Specification
FROM CommonTheorySec IMPORT data_to_addr, data_to_regaddr, byte_num,byte_inc,
ood, reset_to_addr, inc_data, LSB,
IF,JIT,JMP, SADD,MOVE,ICOP,PVT,STATUS,VTI,VT2,
VT3, BYTEO, dstof,opclassof, opcodeof, update,protected,
data, regaddr, addr, sregaddr, data_to_sregaddr DATUM,
Word, set_byte, data_false, getbyte, get_byte, byte
FROM CommonPartSec IMPORT current_result, interruptof,







_ Now we define a partial abstraction, FtCayugaABS, of the ftCayuga state
II and a corresponding version, FtCayugaStep, of the Execute function.




<<controllerstate s, get_IP_EG_state s, get_DST_state s,
get_BSLT_state s, get_HAND_state s, get_MEM_state s,
get_NXPC_state s, get_REG_state s, get_INST_state s,
get_SREG_state s, get_BC_state s>>
FtInputABS s = time_abs(inlist_from s)
24
_l Selector functions on the FTCAYUGASTATE:
control <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = cs
iregof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = irg
dst_of <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = dst
rsltof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = rslt
handof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = hnd
memof <<cs,irg,dst,rslt,h_d.mem,nx,reg,inst,sreg,bc>> = mem
nxpcof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = nx
regof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = reg
inst_of <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = inst
sregof <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg,bc>> = sreg
bytecount <<cs,irg,dst,rslt,hnd,mem,nx,reg,inst,sreg.bc>> = bc
FtCayugaStep s in =
<<newcontr (control s) (interruptof in) (iregof s),
newireg (control s) (interruptof in) s,
newdst (controf s) (dst_of s)(iregof s),
newrslt (control s) s,
newhand (control s) (interruptof in) (handof s),
newmem (control s) s,
newnxpc (control s) (interruptof in) s,
newreg (controf s) s,
newinst (control s) (inst_of s)(iregof s),
newsreg (control s) in s,
newbc s>>
If******************** next control state *********************************
newcontr WBS in irg = in->DFI;DF
newcontr WBL in irg = in->DFI;DF
newcontr DFI in irg = INTF
newcontr INTF in lrg = INTC
newcontr INTC in irg = active_nextstate False irg
newcontr cs in irg = active_nextstate in irg
active_nextstate in ireg =
in->INTF;(0P_switch (opclassof (opcodeof ireg)))
(i******************** next ireg state *********************************
newireg WBS in s = iregof s
newireg WBL in s = iregof s
newireg WBA in s = memof s (data_to_addr(next_nxpc in (nxpcof s)))
newireg WBS in s = memof s (data_to_addr (jmpnxpc in s))
newireg DFI in s = memof s (data_to_addr (handof s))
newireg DF in s = memof s (data_to_addr(next_nxpc in (nxpcof s)))
newireg INTF in s = memof s (data_to_addr (iregof s))
newireg INTC in s = memof s (data_to_addr(inc_data (nxpcof s)))
jmpnxpc in s =
in->(reset_to_addr in)
(jump_cond (inst_of s)(regof s)(dst_of s))-> (rsltof s); (Inc_data (nxpcof s))
jump_cond inst reg dst =
((opcodeof inst)=JMP)
xor (((opcodeof inst)=JIT) & (LSB(reg (data_to_regaddr dst))))
xor (((opcodeof inst)=JIF) & -(LSB(reg (data_to_regaddr dst))))
J[******************** next dst state *********************************
newdst WBS dst ireg = dst
newdst WBL dst ireg = dst
newdst INTF dst ireg = dst
newdst cs dst ireg = dstof (ireg)
newrslt WBS s = rsltof s
newrslt WBL s = rsltof s
25
newrslt INTF s = rsltof s
newrslt WBA s =
current_result <<memof s,nxpcof s,wba_reg s,iregof s,sregof s,[]>>
newrslt cs s =
current_result <<memof s,nxpcof s,regof s,iregof s,sregof s,[]>>
wba_reg s = regof s , opcodeof (inst_of s) = SADD
update (regof s) (data_to_regaddr (dst_of s)) (rsltof s)
II******************_* next hand state ******************_************
newhand DFI in h = h
newhand INTF in h = h
newhand cs in h = reset_to_addr in
newmem WBS s = update (memof s)(data_to_addr (rsltof s))
(regof s (data_to_regaddr (dst_of s)))
newmem cs s = memof s
_********_**_* next nxpc state _*__*_*_*_,_,_,__
newnxpc WBS in s = nxpcof s
newnxpc WBL in s = nxpcof s
newnxpc WBA in s = next_nxpc in (nxpcof s)
newnxpc WBJ in s = jmpnxpc in s
newnxpc DFI in s = handof s
newnxpc DF in s = next_nxpc in (nxpcof s)
newnxpc INTF in s = iregof s
newnxpc INTC in s = inc_data (nxpcof s)
next_nxpc in nxpc = in-> (reset_to_addr in); (inc_data nxpc)
II*******_****_*_ next reg state *****************_**************
newreg WBL s =
update (regof s) (data_to_regaddr (dst_of s))
(memof s (data_to_addr (rsltof s)))
newreg WBA s = wba_reg s
newreg cs s = regof s
newinst INTF inst ireg = inst
newinst cs inst ireg = ireg
********************** next sreg state *********************************
newsreg WBA in s =
update (special_update s in) (data_to_sregaddr (dst_of s)) (rsltof s)
• (opcodeof (inst_of s) = SADD)_ -(protected(data_to_sregaddr (dst_of s)))
special_update s in
newsreg cs in s = special_update s in
special_update s <<r,vl,v2,v3,[stl,st2]>> =
ic_update (sregof s) (bytecount s) vl v2 v3 , ic_data_ready st1
status_update (sregof s) stÂ , it_cycle_completed (sre6of s) stl
status_clear (sregof s), (voter_free stl) & (opcodeof (inst_of s) = ICOP)
sregof s
special_update s in = sre_of s
msbof, next2msbof :: byte -> B00L
ic_data_ready stl = "(msbof stl) a (next2msbof stl)
ic_cycle_completed sreg stl = (msbof st1) a "(msbof (get_byte 3 (sreg STATUS)))
voter_free st1 = (msbof st1)
]] status_clear resets the msb of (sreg STATUS)
status_clear sreg = update sreg STATUS data_false
I_ status update sreg updates the STATUS register in sreg to stl
status_update sreg stl = update sreg STATUS (DATUM (Word stl stl st1 stl))
26
*l ic_update updates the three ic registers in sreg
ic_update sreg b vl v2 v3 =
update (update (update sreg VTI (update_bytes b (sreg VT1) vl))
VT2 (update_bytes b (sreg VT2) v2))
VT3 (update_bytes b (sreg VT3) v3)
byte_inc2 = byte_inc.byte_inc
byte_inc3 = byte_inc.byte_inc2
update_bytes b w [vl,v2] =
set_byte b (set_byte (byte_inc3 b) w vl) v2
********************** next bc state *********************************
newbc s = byte_inc(byte_inc (bytecount s))




fourphase (ic_initiate (control s) (inst_of s) (sregof s STATUS))
star_byte <<r,vl,v2,v3,st>> = hd st
ic_initiate ,state inst st =
(,state = WBA) & (opcodeof inst = ICOP) & (msbof (getbyte BYTEO st))
prvtout s = pad [(getbyt e
(getbyte
pad [a,b] = <<a,a,b,b>>
fourphase a = <<a,a,a,a>>
(byte_inc (bytecount s)) (sregof s PVT)),
(byte_in, (byte_inc (bytecount s))) (sregof s PVT))]
Properness predicate:
Goodmem 'sO := (x::addr)'good (s x)'=C!!x' a '!(s x)'='!!x'
Goodregfile 's' := (x::regaddr)Cgood(s x)'='!x ' a '!(s x)'='!x'
Goodsregfile 's' := (x::sregaddr)'good(s x)'='!x' _ '!(s x)'='!x'
Proper_ftcayuga '<<cstate,ireg,dst,rslt,hand,mem,nxpc,reg,inst,sreg,bc>>' :=
'!,state' ffi'True'
& 'good ireg' ffi'True'
& 'good dst" = 'True'
& 'good rslt' - 'True'
& 'good hand' = 'True'
& Goodmem 'mem'
& 'good nxpc' = 'True'
& Goodregfile 'reg'




!r _ ((ic_data_ready stl)->(good_voter_vals vl v2 v3);True)
good_voter_vals [vll,vl2] [v21,v22] [v31,v32] =
!v11 _ !v12 _ !v21 & !v22 & !v31 & !v32
Proper_ftcayuga_lemma :=
(Proper_ftcayuga's ' _ 'good_ftcayuga_in in'='True ')
=> Proper_ftcayuga 'FtCayugaStep s in'
_I Stuff we need about the function "statusword"
type threebit = <<BOOL,BOOL,BOOL>>
stwdl,stwd2 :: <<threebit,threebit>>-><<BOOL,BOOL>>-><<BOOL,BOOL>>->byte
27
statusword x y z = [stwdl x y z, stwd2 x y z]
II Some lemmas about the PVT register
newPVT s =
((opcodeof (inst_of s) = SADD)& ((data_to_sregaddr (dst_of s))=PVT)
((control s)=WBA))
-> (rsltof s); sregof s PVT
PVT_lemmal :== 'ic_update sreg b vi v2 v3 PVT'='sreg PVT'
PVT_lemma2 :==
'special_update s <<r•vl,v2•v3,[stwdl x <<fr•y>> <<snd•z>>,st2]>> PVT'
='sregof s PVT'
• '!fr a !snd a !(inst_of s) _ (good (sregof s STATUS))'='True'
IPVT_lemma3 : =
'sregof (FtCayugaStep s <<r•vl,v2,v3•[stwdl x <<fr,y>> <<snd•z>>•st2]>>) PVT'
= "newPVT s'
• '!fr & !snd a !(inst_of s)& !(dst_of s) _ (good (sregof s STATUS))'='True'
newPVT2 s in =
((opcodeof (newinst (control s) (inst_of s)(iregof s)) = SADD)
((data_to_sregaddr (newdst (control s) (dst_of s)(iregof s)))=PVT)
& ((newcontr (control s) in (iregof s))=WBA))
-> (newrslt (control s) s); newPVT s
PVT_lemma4 :=
'newPVT (FtCayugaStep s <<r,vl,v2,v3,[stwdl x <<fr,y>> <<snd,z>>,st2]>>)'
= 'newPVT2 s r'
, '!fr _ !snd _ !(inst_of s)_ !(dst_of s) _ (good (sregof s STATUS))C='True '
_I Some lemmas about the VTI, VT2, VT3 registers
VT123_lemmal :==
'newsreg cs in s v'='special_update s in v'
, ('v'='VTl'\/ 'v'='VT2' \/ 'v'=CVT3 c)
& '!cs a !(inst_of s) a !(dst_of s)'='True ¢
4.2 Design Specification
FROM CommonTheorySec IMPORT data,byte,nodata,opcode,addr,regaddr•sregaddr,
good, opcodeof, indirect, srclof•src2of,dstof,
data_to_addr, data_to_regaddr, data_to_sregaddr,
reset_to_addr, regaddr_to_sregaddr, byte_hum,
update• inc_data, add_data• sub_data, ,he_data, LSB,
ACLASS•JCLASS,SCLASS,LCLASS,opclassof
LD. ST• ADD• JMP• JIT• JIF, CNE, MOVE, SADD,
PVT•VTI•VT2,VT3,STATUS,protected,
BYTEO• set_byte• getbyte• byte_in,
FROM CommonPartSec IMPORT Step• prefer,h, current_opclass,
current_dst, current_result
clio: add OP_switch
Iclio: modify "OP_switch" off
llclio: add vtrs_update
llclio: modify "vtrs_update" off
II Generated by the spectool
llclio: symbol Execute never






COMP ::= Controller I+
ACTION ::= Advance_controllerl+
CONTROLSTATE :: type
LOCAL_STATE ::= S_Controller !CBNTROLSTATE I+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = !x
llclio: sy is_proper_contr extend
controllerstate s = getcontrolstate (current s Controller)
effect Advance_controller s c =
S_Controller (nextstate (controllerstate s) (controllerinput s))
delay Advance_controller = #0
component Advance_controller = Controller
controllerinput s =
<<getbitlatchoutO (current s (C_bitlatch RESET)),
opcodeof(getlatchoutO (current s (C_latch INST))),
getdecoderoutO (current s (C_decoder DEC)),
getdecoderoutl (current s (C_decoder DEC)),
getmatcheroutO (current s (C_matcher MTCH)),
getmatcheroutl (current s (C_matcher MTCH)),
getregfileout2 (current s (C_regfile KEG))>>
_%=_=_=_=$=_=$=_=@=_=@=_=@=_=_=_=_=_=_=_=_=_=$=$=$=_--
II The Control states and the next_state function.
resetof <<reset, inst, op, ind, eql, eq2, cc>> = reset
instof <<reset, inst, op, ind, eql, eq2, cc>> = inst
opof <<reset, inst, op, ind, eql, eq2, cc>> = op
indof <<reset, inst, op, ind, eql, eq2, cc>> = ind
eqlof <<reset, inst, op, ind, eql, eq2, cc>> = eql
eq2of <<reset, inst, op, ind, eql, eq2, cc>> = eq2
ccof <<reset, inst, op, ind, eql, eq2, cc>> = cc
CONTROLSTATE ::= WBS I+
nextstate WBS in = ((resetof in))->(DFI);(DF)
CONTROLSTATE ::= WBL I+
nextstate WBL in = ((resetof in))->(DFI);(DF)
CONTROLSTATE ::= WBA I+
nextstate WBA in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))
CONTROLSTATE ::= WBJ I+
nextstate WB3 in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))
OP_switch x =
WBA, x = ACLASS
WBS, x = SCLASS
WBL, x = LCLASS
WBJ
CONTKOLSTATE ::= DFI I÷
nextstate DFI in = INTF
CONTKOLSTATE ::= DF I÷
nextstate DF in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))
CONTKOLSTATE ::= INTF I+
nextstate INTF in = INTC
CONTROLSTATE ::= INTC l+
nextstate INTC in = OP_switch (opclassof (opof in))
CONTKOLSTATE ::= I
ll_=_=e=_=_=_=%=@=_=@=@=@=_=_=@=_=@=@=_=_=@=@=_=_=_=@--
_I The component External.
type EXTSTATE = <<BOOL, byte, byte, byte, byte>>
external_input_reset <<xO, xl, x2, x3, x4>> = xO
external_input_vl <<xO, xl, x2, x3, x4>> = xl
external_input_v2 <<xO, xl, x2, x3, x4>> = x2
external_input_v3 <<xO, xl, x2, x3, x4>> = x3
99
external_input_ST <<xO, xl, x2, x3, x4>> = x4
is_proper_ext <<xO, xl, x2, x3, x4>> = (!xO) a (!xl) & (!x2) _ (!x3) _ (!x4)
lJclio: sy is_proper_ext extend
current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
llclio: sy Proper_External extend
Proper_External '<<s,p,in>>' :=
(t::NAT) 'is_proper_ext (in t)'='True'
_I$=+=$=_=_=+=$=_=_=$=+=+=_=_=_=+=$=+=+=+=+=+=+=+=_=_--
II There are 4 clock phases per cycle.
num_phases = 4
input_phases = [#0, #I, #3]
output_phase I = True
output_phase 3 = True
output_phase n = False
II_=%=+=+=+=_=_=+=_=+=_=_=_=_=_=_=_=%=_=$=_=_=+=+=_=_--
II The generic Execute function.
type SYSTEM_STATE = COMP->LOCAL_STATE
type INPUT_STREAM = NAT->EXTSTATE
type CHANGE = <<COMP,NAT,LOCAL_STATE>>
type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>
pending_changes <<s,p,in>> = p
current <<s,p,in>> c = bottom, pending p c
sc
pending [] c = False
pending (<<c,t,v>>:rest) c = True
pending (<<c2,t,v>>:rest) c = pending rest c
Execute s = do_phases 0 s
do_phases n s = update_state s , n = num_phases
do_phases (n+1) (do_phase n s)
Output s = generate_output 0 s
generate_output n s {n=num_phases} = []
generate_output n s {output_phase n} =
Out(do_phase n s) : generate_output (n+l) (do_phase n s)
generate_output n s = generate_output (n+l) (do_phase n s)
llclio: modify_rule "do_phases" count 20000
ilclio: symbol do_phases never
update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
advance_inputstream (do_actions (current_schedule s2 n) s2)
where s2 = update_state <<s,p,in>>
current_schedule s n = scheduler (controllerstate s) (controllerinput s) n
do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>
do_action a s = do_change (change_of a s) s
30
advance_inputstream <<s,p,in>> = <<s,p,in.Succ>>
change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)
II This is a trick to handle conditional actions correctly
do_actions :: [ACTION]->STATE->STATE
AXIOM (s)'do_actions [] s' = 's'
AXIOM (a)(rest)(s)'do_actions (a:rest) s' = 'do_actions rest (do_action a s)'
update s c v c2 = (c=c2)->v; s c2
foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest
map f [] = []
map f (a:x) = (f a): (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s




The component class latch.
latch :: type
type latch_localstate = <<data,data>>
LOCAL_STATE ::= S_latch !latch.localstate I+
ACTION ::= A_latch !latch_ACT |+
latch_ACT ::=
set !latch
latchdelay (set c) = #I
latchcomp (set c) = C_latch c
latchout (set c) s in = _ininlatchstate (set c) s in -
effect (A_latch a) = latcheffect a
delay (A_latch a) = latchdelay a
component (A_latch a) = latchcomp a
latcheffect a s c =
S_latch <<latchstate a (getlatchstate (current s c))
(latchinput s c),
latchout a (getlatchstate (current s c)) (latchinput s c)>>
getlatchstate (S_latch <<x,y>>) = x
getlatchoutO (S_latch <<x,y>>) = y
is_proper_latch (S_latch <<x,y>>) = good y
llclio: sy is_proper_latch extend
Goodlatch 'sO *OUt': == 'So=tOUt"
The component class mux.
mux :: type
type mux_localstate = data
LOCAL_STATE ::= S_mux !mux_localstate I+
ACTION ::= A_mux !mux_ACT |+
mux_ACT ::=
choose3 !mux Ichoose2 !mux
choosel !mux
muxdelay (chooses c) = #0
muxcomp (chooses c) = C_mux c
muxout (choose3 c) <<inl,in2,in3>> = ins
31
muxdelay (choose2 c) = #0
muxcomp (choose2 c) = C_mux c
muxout (choose2 c) <<inl,in2,in3>> = in2
muxdelay (choosel c) = #0
muxcomp (choose1 c) = C_mux c
muxout (choosel c) <<inl,in2,in3>> = inl
effect (A_mux a) = muxeffect a
delay (A_mux a) ffimuxdelay a
component (A_mux a) = muxcomp a
muxeffect a s c = S_mux (muxout a (muxinput s c))
getmuxoutO (S_mux y) = y
is_proper_mux (S_mux y) = good y
llclio: sy is_proper_mux extend
Il_ _ $ • $ • • $ • $ • $ • • • $ $ • _ $ • • • • #_ #_
The component class mem.
mem :: type
type mem_localstate = <<addr->data,data>>
LOCAL_STATE ::= S_mem !mem_localstate I+




memdelay (write c) = #2
memcomp (write c) = C_mem c
memout (write c) s <<aval,dval>> = nodata
memstate (write c) s <<aval,dval>> = update s aval dval
memdelay (read c) = #2
memcomp (read c) = C_mem c
memout (read c) s <<aval,dval>> = s aval
memstate (read c) s <<aval,dval>> = s
effect (A_mem a) _ memeffect a
delay (A_mem a) = memdelay a
component (A_mem a) = memcomp a
memeffect a s c =
S_mem <<memstate a (getmemstate (current s c)) (meminput s c),
memout a (getmemstate (current s c)) (meminput s c)>>
getmemstate (S_mem <<x,y>>) = x
getmemoutO (S_mem <<x,y>>) = y
is_proper_mem (S_mem <<x,y>>) = ! y
I Iclio: sy is_proper_mem extend
Goodmem CsC 'out':== (x::addr)'good (s x)C=C!x ' & C!(s x) C='!x '
I I *T_*;* _o*m;o_*en*'_'2:_-as*s*re*g;r_. :_ =*=*=*=*=*=*=*=*=*=*=*--
regfile :: type
type regfile_localstate = <<regaddr->data, <<data,data,BOOL>>>>
LOCAL_STATE ::= S_regfile !regfile_localstate [÷





regfiledelay (load c) = #1
regfilecomp (load c) = C_regfile c
32
regfileout (load c) s <<srcl,src2,dst,dval>> = <<nodata, nodata, False>>
regfilestate (load c) s <<srcl,src2,dst,dval>> = update s dst dval
regfiledelay (d_unload c) = #i
regfilecomp (d_unload c) = C_regfile c
regfileout (d_unload c) s <<srcl,src2,dst,dval>> = <<s dst, nodata, False>>
regfilestate (d_unload c) s <<srcl,src2,dst,dval>> = s
regfiledelay (unload c) = #I
regfilecomp (unload c) = C_regfile c
regfileout (unload c) s <<srcl,src2,dst,dval>> =
<<s srcl, s src2, LSB (s dst)>>
regfilestate (unload c) s <<srcl,src2,dst,dval>> = s
effect (A_regfile a) = regfileeffect a
delay (A_regfile a) = regfiledelay a
component (A_regfile a) = regfilecomp a
regfileeffect a s c =
S_regfile <<regfilestate a (getregfilestate (current s c))
(regfileinput s c),
regfileout a (getregfilestate (current s c))
(regfileinput s c)>>
getregfilestate (S_regfile <<x,y>>) = x
getregfileoutO (S_regfile <<x,<<yO,yl,y2>> >>) = yO
getregfileoutl (S_regfile <<x,<<yO,yl,y2>> >>) = yl
getregfileout2 (S_regfile <<x,<<yO,yl,y2>> >>) = y2
is_proper_regfile (S_regfile <<x,<<yO,yl,y2>> >>) = (! yO) a (! yl) & (! y2)
Jlclio: sy is_proper_regfile extend
Goodregfile 's' 'opl' 'op2' 'cc': ==
(x::regaddr)'good(s x)'='!x' a '!(s x) C='!x '
I ,=,=,=,=,=,=,=,=,=,=,=,=,=_=,=,=,=%=,=,=,=,=,=,=,=,__
The component class decoder.
decoder :: type
type decoder_localstate = <<opcode,BOOL,data,regaddr,data>>
LOCAL_STATE ::= S_decoder !decoder.localstate [+
ACTION ::= A_decoder !decoder_ACT I÷
decoder_ACT ::=
decode !decoder
decoderdelay (decode c) = #0
decodercomp (decode c) = C_decoder c
decoderout (decode c) in =
<<opcodeof in, indirect in, dstof in, srclof in, src2of in>>
effect (A_decoder a) = decodereffect a
delay (A_decoder a) = decoderdelay a
component (A_decoder a) = decodercomp a
decodereffect a s c = S_decoder (decoderout a (decoderinput s c))
getdecoderoutO (S_decoder <<yO,yl,y2,y3,y4>>) = yO
getdecoderoutl (S_decoder <<yO,yl,y2,y3,y4>>) = yl
getdecoderout2 (S_decoder <<yO,yl,y2,y3,y4>>) = y2
getdecoderout3 (S_decoder <<yO,yl,y2,y3,y4>>) = y3
getdecoderout4 (S_decoder <<yO,yl,y2,y3,y4>>) = y4
is_proper_decoder (S_decoder <<yO,yl,y2,y3,y4>>) =
(! yO) _ (! yl) _ (good y2) & (! y3) _ (good y4)
llclio: sy is_proper_decoder extend
I I*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--I The component class alu.
alu :: type
33
type alu_localstate = data
LOCAL_STATE ::= S_alu !alu.localstate I+





aludelay (compare c) = #2
alucomp (compare c) = C_alu c
aluout (compare c) <<opl,op2>> = cne_data opl op2
aludelay (subtract c) = #2
alucomp (subtract c) = C_alu c .......................
aluout (subtract c) <<opl,op2>> = sub_data opl op2
aludelay (add c) = #2
alucomp (add c) = C_alu c
aluout (add c) <<opl,op2>> = add_data opl op2
effect (A_a!u a) = alueffect a
delay (A_alu a) = aludelay a
component (A_alu a) = alucomp a
alueffect a s c = S_alu (aluout a (aluinput s c))
getaluoutO (S_alu y) = y
is_proper_alu (S_alu y) = good y
I_clio: sy is_proper_alu extend
I I #_ #_ _ _ _ _ _ _ _ _ _ #_ _ _ _ _ _, _ _ _ _ _ _ _, _The component class inc.
inc :: type
type inc_localstate = (data)
LOCAL_STATE ::= S_inc !inc.localstate l+
ACTION ::= A_inc !inc_ACT |+
inc_ACT ::=
increment !inc
incdelay (increment c) = #I
inccomp (increment c) = C_inc c
incout (increment c) in = inc_data in
effect (A inc a) = inceffect a
delay (A__nc a) = incdelay a
component (A_inc a) = inccomp'a
inceffect a s c = S_inc (incout a (incinput s c))
getincout0 (S_inc y) = y
is_proper_inc (S_inc y) = good y
J[clio: sy is_proper_inc extend
matcher :: type
type matcher_localstate = <<<<B00L,BDDL>>,<<BODL,BDOL>>>>
L0CAL_STATE ::= S_matcher !matcher.localstate [+
ACTION ::= A_matcher !marcher_ACT |+
matcher_ACT ::©
match !marcher
matcherdelay (match c) = #I
matchercomp (match c) = C_matcher c
matcherout (match c) s <<srcl,src2,dstY> =
<<srcl = data_to_regaddr dst, data_to_regaddr src2 = data_to_regaddr dst>>
34
matcherstate (match c) s <<srcl,src2,dst>> =
<<srcl=data_to_regaddr dst,data_to_regaddr src2 = data_to_regaddr dst>>
effect (A_matcher a) = matchereffect a
delay (A_matcher a) = matcherdelay a
component (A_matcher a) = matchercomp a
matchereffect a s c =
S_matcher <<matcherstate a (getmatcherstate (current s c))
(matcherinput s c),
matcherout a (getmatcherstate (current s c)) (matcherinput s c)>>
getmatcherstate (S_matcher <<x,y>>) = x
getmatcheroutO (S_matcher <<x,<<yO,yl>> >>) = yO
getmatcheroutl (S_matcher <<x,<<yO,yl>> >>) = yl
is_proper_marcher (S_matcher <<x,<<yO,yl>> >>) = (! yO) _ (! yl)
[[clio: sy is_proper_marcher extend
II_ _ • • • • • • • • • • • • • • • • • • • • • • •The component class bitlatch.
bitlatch :: type
type bitlatch_localstate = <<BOOL,(BOOL)>>
LOCAL_STATE ::= S_bitlatch !bitlatch,localstate [+
ACTION ::= A_bitlatch !bitlatch_ACT [+
bitlatch_ACT : :=
seth !bitlatch
bitlatchdelay (seth c) = #I
bitlatchcomp (setb c) = C_bitlatch c
bitlatchout (seth c) s in.= in
bitlatchstate (setb c) s in = in
effect (A_bitlatch a) = bitlatcheffect a
delay (A_bitlatch a) = bitlatchdelay a
component (A_bitlatch a) = bitlatchcomp a
bitlatcheffect a s c =
S_bitlatch <<bitlatchstate a (getbitlatchstate (current s c))
(bitlatchinput s c),
bitlatchout a (getbitlatchstate (current s c))
(bitlatchinput s c)>>
getbitlatchstate (S_bitlatch <<x,y>>) = x
getbitlatchoutO (S_bitlatch <<x,y>>) = y
is_proper_bitlatch (S_bitlatch <<x,y>>) = ! y
[ [clio: sy is_proper_bitlatch extend
Goodbitlatch CsC CoutC:== 'sC='out '
I I.=. =. =. =.=.=.=.=.=.=.=.=.=.=.=.=.=.=.='-.=.=.='='='--
The component class special_regfile.
special_regfile :: type
type special_regfile_localstate = <<sregaddr->data, << (byte), (data) >>>>
LOCAL_STATE ::= S_special_regfile !special_regfile_localstate _+





special_regfiledelay (sunload c) = #1
special_regfilecomp (sunload c) = C_special_regfile c
special_regfileout (sunload c) s <<dst,din,vl,v2,v3,status,b,src>> =
<<getbyte b (s PVT), s src>>
t
special_regfilestate (sunload c) s <<dst,din,vl,v2,v3,status,b,src>> = s
special_regfiledelay (sread c) = #1
35
special_regfilecomp (sread c) = C_special_regfile c
special_regfileout (sread c) s <<dst,din,vl,v2,v3,status,b,src>> =
<<getbyte b (s PVT), s dst>>
special_regfilestate (sread c) s <<dst,din,vl,v2,v3,status,b,src>> =
vtrs_update s b vl v2 v3 status
special_regfiledelay (sload c) = #I
special_regfilecomp (sload c) = C_special_regfile c
special_regfileout (sload c) s <<dst,din,vl,v2,v3,status,b,src>> =
<<(protected dst -> getbyte b (s PVT); getbyte b (update s dst din PVT)),
bottom>>
special_regfilestate (sload c) s <<dst,din,vl,v2,v3.status,b,src>> =
((protected dst)->s; update s dst din)
effect (A_special_regfile a) = special_regfileeffect a
delay (A_special_regfile a) w special_regfiledelay a
component (A_special_regfile a) = special_regfilecomp a
special_regfileeffect a s c =
S_special_regfile <<special_regfilestate a (getspecial_regfilestate
(current s c)) (special_regfileinput s c),
special_regfileout a (getspecial_regfilestate
(current s c)) (special_regfileinput s c)>>
getspecial_regfilestate (S_special_regfile <<x,y>>) = x
getspecial_regfileoutO (S_special_regfile <<x,<<yO,yl>> >>) = yO
getspecial_regfileoutl (S_special_regfile <<x,<<yO,y1>> >>) = yl
is_proper_special_regfile (S_special_regfile <<x,<<yO,yl>> >>) =
(! yO) _ (! yl)
IIclio: sy is_proper_special_regfile extend
II*T_*co*mpo_*c_as*s*mu*x_ -*=*=*=*=*=*=*=*=*=*=*=*=*--
mux4 :: type
type mux4_localstate = (data)
LOCAL_STATE ::= S_mux4 !mux4 localstate l+
ACTION ::= A_mux4 !mux4_ACT T+
mux4_ACT ::=
choose4_4 !mux4 ]choose4_3 !mux4
choose4_2 !mux4
choose4_i !mux4
mux4delay (choose4_4 c) = #0
mux4comp (choose4_4 c) = C_mux4 c
mux4out (choose4_4 c) <<inl,in2,in3,in4>> = in4
mux4delay (choose4_3 c) = #0
mux4comp (choose4_3 c) = C_mux4 c
mux4out (choose4_3 c) <<inl,in2,in3,in4>> = in3
mux4delay (choose4_2 c) = #0
mux4comp (choose4_2 c) = C_mux4 c
mux4out (choose4_2 c) <<inl,in2,in3,in4>> = in2
mux4delay (choose4_1 c) w #0
mux4comp (choose4_1 c) = C_mux4 c
mux4out (choose4_1 c) <<inl,in2,in3,in4>> = inl
effect (A_mux4 a) = mux4effect a
delay (A_mux4 a) = mux4delay a
component (A_mux4 a) = mux4comp a
mux4effect a s c = S_mux4 (mux4out a (mux4input s c))
getmux4outO (S_mux4 y) = y
36
is_proper_mux4 (S_mux4 y) = ! y
IIclio: sy is_proper_mux4 extend
!
I The component class byte_counter.
byte_counter :: type
type byte_counter_localstate = <<byte_hum, (byte_num)>>
LOCAL_STATE : := S_byte_counter !byte_counter_localstate I+




byte_counterdelay (reset_count c) = tO
byte_countercomp (reset_count c) = C_byte_counter c
byte_counterout (reset_count c) s in = BYTEO
byte_counterstate (reset_count c) s in = BYTEO
byte_counterdelay (inc_byte c) = #0
byte_countercomp (inc_byte c) = C_byte_counter c
byte_counterout (inc_byte c) s in = byte_inc s
byte_counterstate (inc_byte c) s in = byte_inc s
effect (A_byte_counter a) = byte_countereffect a
delay (A_byte_counter a) = byte_counterdelay a
component (A_byte_counter a) = byte_countercomp a
byte_countereffect a s c =
S_byte_counter <<byte_counterstate a (getbyte_counterstate
(current s c)) (byte_counterinput s c),
byte_counterout a (getbyte_counterstate (current s c))
(byte_counterinput s c)>>
getbyte_counterstate (S_byte_counter <<x,y>>) = x
getbyte_counteroutO (S_byte_counter <<x,y>>) = y
is_proper_byte_counter (S_byte_counter <<x,y>>) = ! y





C_mux !mux IC_mem !mem
C_regfile !regfile J
C_decoder !decoder l







II Components (other than Controller and External)
II and their connections.
mem ::= MEM I÷
meminput s (C_mem MEM) =
<<data_to_addr (getmux4outO (current s (C_mux4 ADDR))),
getmuxoutO (current s (C_mux DAT))>>
mux ::= DAT l÷
muxinput s (C_mux DAT) =
37
<<getmemoutO (current s (C_mem MEM)), bottom,
getregfileoutO (current s (C_regfile REG))>>
latch ::= IREG I+
latchinput s (C_latch IREG) = getmuxoutO (current s (C_mux DAT))
mux4 ::= ADDR _+
mux4input s (C_mux4 ADDR) =
<<getincoutO (current s (C_inc INC)),
getlatchoutO (current s (C_latch HAND)),
getlatchoutO (current s (C_latch IREG)),
getlatchoutO (current s (C_latch RSLT))>>
latch ::= NXPC I+
latchinput s (C_latch NXPC) = getmux4outO (current s (C_mux4 ADDR))
inc ::= INC I+
incinput s (C_inc INC) = getlatchoutO (current s (C_latch NXPC))
latch ::= HAND J+
latchinput s (C_latch HAND) m
reset_to_addr (external_input_reset (current_input s))
bitlatch ::= RESET J+
bitlatchinput s (C_bitlatch RESET) = external_input_reset (current_input s)
latch ::= INST i+
latchinput s (C_latch INST) = getlatchoutO (current s (C_latch IREG))
latch ::= RSLT J+
latchinput s (C_latch RSLT) = getmuxoutO (current s (C_mux RS))
mux ::= RS [+
muxinput s (C_mux RS) =
<<bottom, getaluoutO (current s (C_alu ALU)),
getlatchoutO (current s (C_latch SOUT))>>
alu ::= ALU [+
aluinput s (C_alu ALU) =
<<getmuxoutO (current s (C_mux OPl)),
getmuxoutO (current s (C_mux OP2))>>
mux ::= OPI [+
muxinput s (C_mux 0P1) =
<<getlatchoutO (current s (C_latch RSLT)), bottom,
getregfileoutO (current s (C_regfile REG))>>
mux ::= OP2 l+
muxinput s (C_mux 0P2) =
<<getdecoderout4 (current s (C_decoder DEC)),
getregfileoutl (current s (C_regfile REG)),
getlatchoutO (current s (C_latch RSLT))>>
regfile ::= REG [+
regfileinput s (C_re_file REG) =
<<getdecoderout3 (current s (C_decoder DEC)),
data_to_regaddr (getdecoderout4 (current s (C_decoder DEC))),
data_to_regaddr (getlatchoutO (current s (C_latch DST))),
getmuxoutO (current s (C_mux DVAL))>>
latch ::= DST [+
latchinput s (C_latch DST) = getdecoderout2 (current s (C_decoder DEC))
decoder ::= DEC [+
decoderinput s (C_decoder DEC) = getlatchoutO (current s (C_latch IREG))
matcher ::= MTCH [+
matcherinput s (C_matcher MTCH) =
<<getdecoderout3 (current s (C_decoder DEC)),
getdecoderout4 (current s (C_decoder DEC)),
getlatchoutO (current s (C_latch DST))>>
mux ::= DVAL i+
muxinput s (C_mux DVAL) =
<<getmuxoutO (current s (C_mux DAT)),
getlatchoutO (current s (C_latch RSLT)), bottom>>
special_regfile ::= SREG [+
special_regfileinput s (C_special_re_file SREG) =
<<data_to_sregaddr (getlatchoutO (current s (C_latch DST))),
38





getbyte_counteroutO (current s (C_byte_counter BC)),
regaddr_to_sregaddr (getdecoderout3 (current s (C_decoder DEC)))>>
byte_counter ::= BC _÷
byte_counterinput s (C_byte_counter BC) = bottom
latch ::= SOUT [÷
latchinput s (C_latch SOUT) =
getspecial_regfileoutl (current s (C_special_regfile SREG))
latch ::= I
mux ::= ]mem ::=
regfile ::= l
decoder ::=







Out s = (getspecial_regfileoutO (current s (C_special_regfile SREG)))
external_output_PVT xO = xO
inlist_from <<s,p,in>> = input_phases_of in
input_phases_of in = (map in input_phases) ÷+
input_phases_of (in. (#÷ #num_phases))
I].=_=_=e=_=_=_=e=e=_=_=%=_=_=_=_=_=.=_=_=_=_=_=_=_=_--
]] The scheduler.
scheduler WBA <<reset, inst, op, ind, eql, eq2, cc>> 0 =
(DECODE)+÷(SET_H)++(UNLOAD_INC)++[A_byte_aounter(inc_byte BC)]
scheduler WB3 <<reset, inst, op, ind, eql, eq2, cc>> 0 =
(DECODE)++(SET_H)÷+(UNLOAD_INC)+÷[A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eql, eq2, cc>> 0 =
(DECODE)++(SET_H)+÷[A_regfile(d_unload REG),
A_byte_counter(inc_byte BC)]
scheduler WBL <<reset, inst, op, ind, eql, eq2, cc>> 0 =
(DECODE)++(SET_H)+÷(KEAD_RESULT)÷+[A_byte_counter(inc_byte BC)]
scheduler WBJ <<reset, inst, op, ind, eql, eq2, cc>> i =
(JFETCH reset inst cc)÷+(GET_OPS ind)++(ALUOP op)++
[A_latch(set SOUT), A_special_regfile(sread SREG)]
scheduler WB3 <<reset, inst, op, ind, eql, eq2, cc>> 2 =
[A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBJ <<reset, inst, op, ind, eql, eq2, cc>> 3
(PHASE3 op)÷÷[Advance_controller]
scheduler WBS <<reset, inst, op, ind, eql, eq2, cc>> I =
(WRITE)++[A_special_regfile(sread SREG)]
scheduler WBA <<reset, inst, op, ind, eql, eq2, cc>> i =
(FETCH reset)++(FORWARD_OPS ind eql eq2 inst)++(ALUOP op)++
[A_latch(set SOUT), A_speclal_regfile(sread SKEG)]
scheduler INTF <<reset, inst, op, ind, eql, eq2, cc>> i =
(READ_IREG)++[A_special_regfile(sread SREG)]
scheduler INTC <<reset, inst, op, ind, eql, eq2, cc>> 1 =
39
(READ_INC)++(GET_OPS ind)++(ALUOP op)++[A_latch(set SOUT),
A_special_regfile(sread SREG)]
scheduler DF <<reset, inst, op, ind, eql, eq2, co>> I =
(FETCH reset)++(GET_OPS ind)÷÷(ALUOP op)++[A_latch(set SOUT),
A_speciai_regfile(sread SREG)]
scheduler WBL <<reset, inst, op, ind, eql, eq2, cc>> 1 =
[A_special_regfile(sread SREG)]
scheduler INTF <<reset, inst, op. ind, eql, eq2, cc>> 2 =
[A_latch(set NXPC), A_byte_counter(inc_byte BC)]
scheduler INTF <<reset, inst, op, ind, eql, eq2, cc>> 3 =
[A_mux(choosel DAT), A_latch(set IREG),
A_special_regfile(sread SRES)]+÷[Advance_controller]
scheduler INTF <<reset, inst, op, ind, eql, eq2, cc>> 0 =
[A_byte_counter(inc_byte BC)]
scheduler INTC <<reset, inst, op, ind, eql, eq2, cc>> 3 =
(PHASE3 op)+÷[Advance_controller]
scheduler DFI <<reset, inst. op, ind, eql, eq2, cc>> 3 =
(PHASE3 op)++[Advance_controller]
scheduler INTC <<reset, inst, op, ind, eql, eq2, co>> 0 =
(DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler INTC <<reset, inst, op, ind, eql, eq2, co>> 2 =
[A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler DFI <<reset, inst, op, ind, eql, eq2, cc>> 2 =
[A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler DF <<reset, inst, op, ind, eql, eq2, co>> 3 =
(PHASE3 op)++[Advance_controller]
scheduler DF <<reset, inst, op, ind, eql, eq2, cc>> 0 =
(DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler WBA <<reset, inst, op, ind, eql, eq2, cc>> 2 =
[A_latch(set NXPC), A_latch(set INST)]++(LOAD_RESULT inst)++
[A_byte_counter(inc_byte BC)]
scheduler WBA <<reset, inst, op, ind, eql, eq2, cc>> 3 =
(PHASE3 op)÷+[Advance_controller]
scheduler WBL <<reset, inst, op, ind, eql, eq2, cc>> 2 =
(LOAD_DATA)+÷[A_Iatch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBL <<reset, ins£, op, ind, eql, eq2, cc>> 3 =
[A_special_regfile(sread SREG)]++[Advance_controller]
scheduler DF <<reset, inst, op, ind, eql, eq2, cc>> 2 =
[A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eql, eq2, cc>> 2 =
[A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eql, eq2, cc>> 3 =
[A_special_regfile(sread SREG)]++[Advance_controller]
DECODE = [A_dec6derCde_od-e-_]-, A_matcher(_tc-h-MTC_] .......
SET_H = [A_latch(set HAND), A_bitlatch(setb RESET)]
UNLOAD_INC = [A_regfile(unload REG), A_special_regfile(sunload SREG),
A_inc(increment INC)]
scheduler DFI <<reset. inst. op, ind, eql, eq2, cc>> 0 =
(DECODE)÷÷(UNLOAD_INC)÷÷[A_byte_counter(inc_byte BC)]
READ_RESULT = [A_mux4(choose4_4 ADDR), A_mem(read NEM)]
GET_OPS ind = [A_mux(choose30P1)]÷+((ind)->[A_mux(choose20P2)];
[A_mux(choosel OP2)])
scheduler DFI <<reset, inst, op, ind, eql, eq2, cc>> I =
(READ_HAND)++(GET_OPS ind)++(ALUOP op)++
[A_latch(set SOUT), A_special_regfile(sread SREG)]
ALUOP op = ((op=CNE)->[A_alu(compare ALU)];[A_alu(add ALU)])
40
READ_HAND = [A_mux4(choose4_2 ADDR), A_mem(read MEM)]
READ_INC = [A_mux4(choose4_l ADDR), A_mem(read MEM)]
FETCH reset = ((reset)->(READ_HAND);(READ_INC))
READ_IREG = [A_mux4(choose4_3 ADDR), A_mem(read MEM)]
WRITE = [A_mux4(choose4_4 ADDR), A_mux(chooseS DAT), A_mem(write MEM)]
FORWARD_OPS ind eql eq2 inst =
((eql & (inst "= SADD))->[A_mux(choosel OPl)];[A_mux(choose30Pl)])++
((ind)->((eq2 & (inst "= SADD))->[A_mux(choose30P2)];
[A_mux(choose20P2)]);[A_mux(choosel OP2)])
JFETCH reset inst cc =
((reset)->(KEAD_HAND);(((inst=JMP)xor((inst=JIT)acc)xor((inst=JIF)a
('cc)))->(_AD_RESULT);(KEAD_INC)))
LOAD_DATA = [A_mux(choosel DAT), A_mux(choosel DVAL), A_regfile(load KEG)]
LOAD_RESULT inst = [A_mux(choose2 DVAL)]++
((inst=SADD)->[A_speclal_regfile(sload SREG)];[A_regfile(load KEG)])
PHASE3 op =
[A_mux(choosel DAT), A_latch(set IREG),
A_latch(set DST)]++(SET_RESULT op)++[A_special_regfile(sread SREG)]
SET_RESULT op = ((op=MOVE)->[A_mux(choose3 RS)];[A_mux(choose2 RS)])+÷
[A_latch(set RSLT)]
scheduler s in 3 = [Advance_controller]
scheduler s in t B []
I _*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--
II Proper state predicates.
is_proper_state 's' :==
'is_proper_contr (current s Controller)' = 'True'
& 'is_proper_mem (current s (C_mem MEM))' = 'True'
'is_proper_mux (current s (C_mux DAT))' = 'True'
'is_proper_latch (current s (C_latch IREG))' = 'True'
& 'is_proper_mux4 (current s (C_mux4 ADDR))' = 'True'
a 'is_proper_latch (current s (C_latch NXPC))' = 'True'
& 'is_proper_in, (current s (C_inc INC))' = 'True'
a 'is_proper_latch (current s (C_latch HAND))' = 'True'
'is_proper_bitlatch (current s (C_bitlatch RESET))' = 'True'
& 'is_proper_latch (current s (C_latch INST))' = 'True'
a is_proper_latch (current s (,_latch RSLT))' = 'True'
Is_proper_mux (current s (C_mux KS))' = 'True'
is_proper_alu (current s (C_alu ALU))' = 'True'
a is_proper_mux (current s (C_mux 0PI))' = 'True'
Is_proper_mux (current s (C_mux OP2))' = 'True'
is_proper_regfile (current s (C_regfile REG))' = 'True'
& is_proper_latch (current s (C_latch DST)) c = 'True'
is_proper_decoder (current s (C_decoder DEC))' = 'True'
is_proper_matcher (current s (C_matcher MTCH))' = 'True'
is_proper_mux (current s (C_mux DVAL))' = 'True'
a is_proper_special_regfile (current s
(C_special_regfile SKEG))' = 'True'
'is_proper_byte_counter (current s (C_byte_counter BC))' = 'True'




& Goodmem 'getmemstate(current s (C_mem MEM))'
'getmemoutO(current s (C_mem MEM))'
a Goodlatch 'getlatchstate(current s (C_latch IREG))'
'getlatchoutO(current s (C_latch IREG))'
a Goodlatch 'getlatchstate(current s (,_latch NXPC))'
'getlatchoutO(current s (C_latch NXPC))'
41
Goodlatch 'getlatchstate(current s (C_latch HAND)) c
'getlatchoutO(current s (C_latch HAND))'
Goodbitlatch 'getbitlatchstate(current s (C_bitlatch RESET))'
'getbitlatchoutO(current s (C_bitlatch RESET))'
& Goodlatch 'getlatchstate(current s (C_latch INST))''
'getlatchoutO(current s (C_latch INST))'
Goodlatch 'getlatchstate(current s (C_latch RSLT))'
'getlatchoutO(current s (C_latch RSLT))'
Goodregfile 'getregfilestate(current s (C_regfile REG))'
'getregfileoutO(current s (C_regfile REG))'
'getregfileout1(current s (C_regfile REG))'
'getregfileout2(current s (C_regfile REG))'
Goodlatch 'getlatchstate(current s (C_latch DST))'
'getlatchoutO(current s (C_latch DST))'
a Goodlatch 'getlatchstate(current s (C_latch SOUT))'
'getlatchoutO(current s (C_latch SOUT))'
Proper_External 's'
lUcllo: symbol Proper_state extend_auto
Jlclio: symbol pending_changes extend_auto
I J,=,=,=,=,=$=,=,=,=,=,=,=,=,=,=,=,=,=e=,=,=,=,=,=,=,--
JJ For export to other modules, we define functions
JJ access the internal state of each component that has one.
get_MEM_state s = getmemstate (current s (C_mem MEM))
get_IREG_state s = getlatchstate (current s (C_latch IREG))
get_NXPC_state s = getlatchstate (current s (C_latch NXPC))
get_HAND_state s = getlatchstate (current s (C_latch HAND))
get_RESET_state s = getbitlatchstate (current s (C_bitlatch RESET))
get_INST_state s = getlatchstate (current s (C_latch INST))
get_RSLT_state s = getlatchstate (current s (C_latch RSLT))
get_REG_state s = getregfilestate (current s (C_regfile REG))
get_DST_state s = getlatchstate (current s (C_latch DST))
get_MTCH_state s = getmatcherstate (current s (C_matcher MTCH))
get_SREG_state s =
getspecial_regfilestate (current s (C_special_regfile SREG))
get_BC_state s = getbyte_counterstate (current s (C_byte_counter BC))
get_SOUT_state s = getlatchstate (current s (C_latch SOUT))
_ J,=$=,=,=,=e=,=,=,=,=,=,=,=,=,=,=,=,=,=,=*=*=*=*=*=*--
lJ Auxillary definitions.
ABS s = <<get_MEM_state s, get_NXPC_state s,
get_REG_state s, get_INST_state s,




vtrs_update s b vl v2 v3 st =
update(update(update(update s VT1 (set_byte b (s VTI) vl))
VT2 (set_byte b (s VT2) v2))
VT3 (set_byte b (s VT3) v3))
STATUS (set_byte b (s STATUS) st)
mux4input = bottom
In The following should be generated by the tool
path_taken s {controllerstate s = WBA} =
42
(external_input_reset(current_input s))-> ACTPATH1;ACTPATHO
path_taken s {controllerstate s = WBS} =
(external_input_reset(current_input s))-> ACTPATH4 ,"
(external_input_reset(nth_input (#4) s))->ACTPATH3;ACTPATH2
path_taken s {controllerstate s = WBL} =
(external_input_reset(current.input s))-> ACTPATH7
(external_input_reset(nth_input (#4) s))->ACTPATH6;ACTPATH5
path_taken s {controllerstate s = WBJ} =
(external_input_reset(current_input s))-> ACTPATH9;ACTPATH8
( I,=+=+=+=+=,=+=_=_=e=,=$=_=_=_=+=_=_=,=,=,=,=_=+=,=,--
II The cutpoints and loop conditions.
CUTPOINT ::= ACT
at_ACT s = ACT_state (controllerstate s)
ACT_state WBJ = True
ACT_state WBA = True
ACT_state WBS = True
ACT_state WBL = True
ACT_state x = False
PATH ::= ACTPATHO I+
path_start ACTPATHO = ACT
path_end ACTPATHO = ACT
path_length ACTPATHO = #I
path_condition 'ACTPATHO' 's' :==
TRUE
& 'controllerstate s'='WBA'
'(resetof (controllerinput (iterate Execute (#I) s)))'='False c
PATH ::= ACTPATH1 I+
path_start ACTPATHI = ACT
path_end ACTPATHI = ACT
path_length ACTPATHI = #3
path_condition 'AC_ATHI ' 's' "--.--
TRUE
Ccontrollerstate s'='WBA'
a '(resetof (controllerinput (iterate Execute (#I) s)))'='True '
& Ccontrollerstate _iterate Execute f:_/ _/'=_INTF'& 'controllerstate titerate Execute '_'INTC'
PATH ::= ACTPATH2 [+
path_start ACTPATH2 = ACT
path_end ACTPATH2 = ACT
path_length ACTPATH2 = #2
path_conditlon 'ACTPATH2' 's' :==
TRUE
'controllerstate s'='WBS'
& '(resetof (controllerinput (iterate Execute (#I) s)))'='False'
'controllerstate (iterate Execute (#1) s)_='DF '
& '(resetof (controllerinput (iterate Execute (#2) s)))'='False '
PATH ::= ACTPATH3 I+
path_start ACTPATH3 = ACT
path_end ACTPATH3 = ACT
path_length ACTPATH3 = #4
path_condition 'ACTPATH3' 's' :==
TRUE
'controllerstate s'='WBS'
& '(resetof (controllerinput (iterate Execute (#i) s)))'='False'
43
'controllerstate (iterate Execute (#1) s)'='DF'
& '(resetof (controllerinput (iterate Execute (#2) s)))'='True'
'controllerstate (iterate Execute l:_I sI'='INTF'& 'controllerstate (iterate Execute s '='INTC'
PATH ::= ACTPATH4 I+
path_start ACTPATH4 = ACT
path_end ACTPATH4 = ACT
path_length ACTPATH4 = #4
path_condition 'ACTPATH4' 's' :==
TRUE
'controllerstate s'='WBS '
a ((resetof (controllerinput (iterate Execute (#I) s)))'='True'
l: Ii)'''°'I'& 'controllerstate _iterate Execute '='INTF'
'controllerstate (iterate Execute (#3) '=(INTC'
PATH ::= ACTPATH5 J+
path_start ACTPATH5 = ACT
path_end ACTPATH5 = ACT
path_length ACTPATH5 = #2
path_condition 'ACTPATH5' 's' :==
TRUE
'controllerstate s'='WBL (
& ((resetof (controllerinput (iterate Execute (#i) s)))(='False '
& 'controllerstate (iterate Execute (#I) s)'='DF'
a '(resetof (controllerinput (iterate Execute (#2) s)))'='False'
PATH ::= ACTPATH6 l+
path_start ACTPATH6 = ACT
path_end ACTPATH6 = ACT
path_length ACTPATH6 = #4
path_condition 'ACTPATH6' 's' :==
TRUE
& 'controllerstate s'='WBL'
'(resetof (controllerinput (iterate Execute (#i) s)))'=(False '
& 'controllerstate (iterate Execute (#i) s)'='DF'
k t(resetof (controllerinput (iterate Execute (#2) s)))(='True '
'controllerstate (iterate Execute s ' (INTC'
PATH ::= ACTPATH7 I+
path_start ACTPATH7 = ACT
path_end ACTPATH7 = ACT
path_length ACTPATH7 = #4
path_condition 'ACTPATHT' 's' :==
TRUE
& 'controllerstate s'='WBL'
& '(resetof (controllerinput (iterate Execute (#I) s)))'='True'
(controllerstate _iterate Execute (=(INTF'
'controllerstate (iterate Execute (#3) '='INTC'
PATH ::= ACTPATH8 I÷
path_start ACTPATH8 = ACT
path_end ACTPATH8 = ACT
path_length ACTPATH8 = #i
path_condition 'ACTPATH8' 's' :==
TRUE
'controllerstate s'm'WBJ '
((resetof (controllerinput (iterate Execute (#1) s)))(=(False '
PATH ::= ACTPATH9 _+
path_start ACTPATH9 = ACT
44
path_end ACTPATH9 = ACT
path_length ACTPATH9 = #3
path_condition 'ACTPATHg' 's' :==
TRUE
'controllers[ate s'='WBJ'
& '(resetof (controllerinput (iterate Execute (#I) s)))C='True '
a 'controllers[ate _iterate Execute l:_I _I '-'INTF'& 'controllers[ate [iterate Execute '='INTC'
ACT_Invariant 's' :==
'prefetch(ABS s)'='get_IREG_state s'
& 'OP_switch (current_opclass(ABS s))'= 'controllers[ate s'
& 'current_dst (ABS s)'='data_to_regaddr(get_DST_state s)'
& 'currant_result(ABS s)' = 'get_RSLT_state s'
Invariant 'ACT' 's' := ACT_Invariant 's'
Invariant 'p' 's' := TRUE
PATH ::= [
ACT_ACT_Advance_Relation 'st' 's2':== 'ABS s2'='Step (ABS sl)'
Advance_Relation 'ACT' 'ACT' 'sl' 's2' := ACT_ACT_Advance_Relation 'st' 's2'
Advance_Relation 'pl' 'p2' 'sl' 's2' := TRUE
path_precond 'path' 's' :=
' !path'='True'
k path_condition 'path' 's'
& Invariant 'path_start path' 's'
[]clio: sy path_precond extend
][clio: sy Invariant extend
path_postcond 'path' 's' :=
Invariant 'path_end path' 'iterate Execute (path_length path) s'
g g t g
a Advance_Relation path_start path path_end path
'st 'iterate Execute (path_length path) s'
VC 'path' 's':=
path_precond 'path' 's' => path_postcond 'path' 's'
VC_ok 's' :== (path) VC 'path' 's'




Timing_ok 'sO, Proper_state 'sO
Timlng_ok_case 's' :==
Timing_ok 's', 'controllers[ate s'='c '
Timing_ok_by_cases :== Proper_state 's' => Timing_ok_case 's'
4.3 Common Part
This section contains the definitions of the types and functions that are used in the abstract
a_s well as the design specifications of FtCayuga.









error, JUMP_ERROR, STORE_ERROR, NO_ERROR, addr_O
JJ The abstract state consists of the memory state, the NXPC, the state of
II the registers, the current instruction, and an input stream.
type ABS_EXTSTATE ffi<<BOOL, [byte], [byte], [byte], [byte]>>
_[type ABS_STATE m <<addr->data, data, regaddr-Ydata, data,
sregaddr->data,[EXTSTATE]>>
mem <<m, p, r, i, sr,in>> = m
nxpc <<m, p, r, i, st,in>> = p
reg <<m, p, r, i, st,in>> = r
instrn <<m, p, r, i, sr,in>> = i
ins <<m, p, r, i, st,in>> = in
sreg <<m, p, r, i, sr,in>> = sr
II Step has type ABS_STATE->ABS_STATE.
Step s = <<newmem s, newnxpc s , newreg s, newinstr s , newsreg s,newins s>>
newmem s = store_effect s , current_opclass s = SCLASS
mem s
newreg s = alu_effect s, current_opclass s = ACLASS
load_effect s, current_opclass s = LCLASS
reg s
_l The new current instruction is usually fetched as follows:
prefetch s = mem s (data_to_addr(nxpc s))
I[ But when there is an interrupt the instruction isn't prefetched.
II Right now, there's only one interrupt, so the handler is at whatever
I_ is in memory at addr_O.
handler s = newmem s addr_O
handler_fetch s = newmem s (data_to_addr(handler s))
newinstr s = handler_fetch s , interrupt s
prefetch s
II The new next pc.
newnxpc s = inc_data(handler s), interrupt s
jump_effect s, current_opclass s = JCLASS
inc_data(nxpc s)
II We must define at the abstract level the function that tells us
how many inputs to take from the input stream.
load_or_store x - (x=LCLASS)xor(x=SCLASS)
interruptof <<int,vl,v2,v3,st>> = int
interrupt s { load_or_store (opclassof (opcodeof (instrn s)))}
= (interruptof(hd (ins s))linterruptof(hd(tl (ins s))))
interrupt s = interruptof(hd (ins s))
num_cycles s { load_or_store (opclassof (opcodeof (instrn s)))}
= (interrupt s) ->#4;#2
num_cycles s - (interrupt s) ->#3;#I
46
newins s = remove (num_cycles s) (ins s)
remove Zero 1 = 1
remove (Succ n) 1 = remove n (tl I)
[[ The current instruction is decoded:
current_op s = opcodeof (instrn s)
current_opclass s = opclassof (current_op s)
current_ind s = indirect (instrn s)
current_srcl s = srclof (instrn s_
current_src2 s = src2of (instrn s)
current_dst s = data_to_regaddr (deter (instrn s))
current_sdst s = data_to_sregaddr (dstof (instrn s))
]_ Operandi is the contents of register srcl.
current_operandl s = reg s (current_srcl s)
II If the addressing mode is indirect then operand2 is the contents of
II the register src2, otherwise it's src2 itself.
current_operand2 s = reg s (data_to_regaddr (current_src2 s)), current_ind s
current_src2 s
l] The alu operation is usually add:
current_aluop s = which_op (current_op s)
which_op CNE = cne_data
which_op x = add_data
]I The current result is computed by appying the current alu operation
]I to the current operands, unless the opcode is MOVE, in which case
I_ it's the contents of special-register srcl.
current_result s {current_op s = MOVE} =
sreg s (regaddr_to_sregaddr(current_srcl s))
current_result s = current_aluop s (current_operandl s) (current_operand2 s)
alu_effect s = update (reg s) (current_dst s) (current_result s)
load_effect s = update (reg s) (current_dst s)
(mem s (data_to_addr(current_result s)))
store_effect s = update (mem s) (data_to_addr(current_result s))
(reg s (current_dst s))
jump_effect s = current_result s, jump_ok s
inc_data(nxpc s)
jump_ok s = ((current_op s)=JMP)
xor (((current_op s)=JIT) & (LSB(reg s (current_dst s))))
xor (((current_op s)=JIF) & -(LSB(reg s (current_dst s))))
II A Special-Add instruction (SADD) stores its result in the
II special register file, unless the dst is write-protected,
_] in which case it has no effect.
newsreg s = update (sreg s) (current_sdst s) (current_result s)
, (current_op s = SADD) a -(protected((current_sdst s)))
sreg s
II Specification of power-up (which includes a reset)
reset_addr s = mem s addr_O
reset_inst s = mem s (data_to_addr (reset_addr s))
abe_reset s = <<mem s, inc_data (reset_addr s),
reg s, reset_inst s, sreg s, remove (#S),(ins s) >>
clio: mod * offIclio: add *
47
llclio: mod * on
5 IcNet Specification
5.1 Abstract Specification
FROM CommonTheorySec IMPORT Word, DATUM, PVT, VTI,VT2,VT3,
BYTEO, BYTEI, BYTE2, BYTE3, getbyte
FROM VoterDesignSec IMPORT XNGII, XNG21, XNG31, CMPP, LDPI, LDP2, OUT1
FROM VoterAbstractSec IMPORT voterstep, cross_out, control, go_of, maj_of,
rowlof, arrayer,
Proper_voterstate, next_voterstate,
compute_majority, to_proc, get_maj_val, maj_of
FROM FtCayugaAbstractSec IMPORT FtCayugaStep, vstartout, prvtout, bytecount,
Proper_ftcayuga, sregof, newPVT, newPVT2
FROM IcNetDesignSec IMPORT get_Vl_state, get_V2_state, get_V3_state,
get_V4_state, get_FTCl_state, get_FTC2_state,
get_FTC3_state, get_FTC4_state, byzstep,
byz_crossl, byz_cross2, byz_cross3, byz_to_proc,
Execute, Proper_state, inlist_from, is_proper_ext
INDEX,ONE,TWO,THREE,FOUR,faulty, make_ftc_in,
byzgo, byzpvtl, byzpvt2, byzpvt3, byzCayugaStep
I *************************************************************************Some generic functions we need.
Iterate Zero f x = x
Iterate (Succ n) f x = Iterate n f (f x)
select Zero (a:x) = a
select (Succ n) (a:x) = select n x
*****************************************************************************
II The successor relation on the indicies.
succ ONE = TWO
succ TWO = THREE
succ THREE = FOUR
succ FOUR = ONE
SUCC2 = SUCC.SUCC
SUCC3 = SUCC2.SUCC
************************* Fault modelling *******************************
{{ Everything is defined in terms of the parameter "faulty" which is a
*l predicate on the type INDEX which tells us which fault regions are faulty.
II The possible faults are listed in the following enumerated type:
FAULT ::= Region !INDEX [ NO_FAULT
II To model the fact that we are assttming at most one fault, we can suppose
II that there is a constant, "the_fault" of type FAULT, and then define the
[[ predicate "faulty" in terms of that constant.
the_fault :: FAULT
AXIOM '!the_fault'='True'
,faulty index = (the_fault = (Region index))
*********************** Abstraction function *******************************This abstraction function lets us view the state of the ic-net
48
[] as a function from indicies to ftcayuga states , a function from indicies
I_ to voter states , and an input stream.
I[ We wouldn't need this step if the spectool supported indexed components.
IcNetABS s = <<FTCStates s, VoterStates s, inlist_from s>>
FTCStates s ONE = get_FTCl_state s
FTCStates s TWO = get_FTC2_state s
FTCStates s THREE = get_FTC3_state s
FTCStates s FOUR = get_FTC4_state s
VoterStates s ONE = get_Vl_state s
VoterStates s TWO = get_V2_state s
VoterStates s THREE = get_V3_state s
VoterStates s FOUR = get_V4_state s
************************* Step function for IcNet *****************************
[[ The abstract state change (behavior) of the voter-net.
[[ What happens at each index depends on whether that index is faulty.
IcNetStep <<ftc,vtr, int:rest>> =
<<newftc,newvtr ,rest>>
where newftc index = fault_fie_step index ftc (ftcinput index )
newvtr index = fault_vtr_step index vtr (vtrinput index )
ftcinput index = make_fie_in (select_int index int)
(fault_to_proc index ftc vtr)
vtrinput index = Voterinput index ftc vtr
fault_ftc_step index s in =
FtCayugaStep (s index) in , -(faulty index)
byzCayugaStep (s index) in
fault_vtr_step index s = voterstep (s index) , -(faulty index)
byzstep (s index)
select_int ONE <<a,b,c,d>> = a
select_int TWO <<a,b,c,d>> = b
select_int THREE <<a,b,c,d>> = c
select_int FOUR <<a,b,c,d>> = d
fault_to_proc index ftc vtr =
to_proc (vtr index) , "(faulty index)
byz_to_proc (vtr index)
Voterinput index ftc vtr =
<<fault_from_proc index ftc,
fault_cross THREE (succ3 index) vtr,
fault_cross TWO (suet2 index) vtr,
fault_cross ONE (succ index) vtr>>
[[ The function "fault_from_proc" gives the input tuple of values coming
I[ from the pro¢cessors to the voter whose index is "index".
fault_from_proc index ftc =
<<fault_vstart index ftc,
fault_prvt (whichprvt index (succ index)) (succ index) ftc ,
fault_prvt (whichprvt index (succ2 index)) (succ2 index) ftc,
fault_prvt (whichprvt index (succ3 index)) (succ3 index) ftc>>
_l The expression "whichprvt i j" tells us which replica of the private value
I) of processor j is connected to voter i. This is only used when processor j
II is faulty, and tells us which of byzpvtl, byzpvt2, and byzpvt3 was used.
whichprvt ONE i = I
whichprvt TWO ONE = I
whichprvt TWO i = 2
whichprvt THREE FOUR = 3
49
whichprvt THREE i = 2
whichprvt FOUR i = 3
fault_vstart i ftc = vstartout (ftc i), "(faulty i)
byzgo (ftc i)
fault_prvt il i2 s = prvtout (s i2) , -(faulty i2)
byz_pvt il (s i2)
fault_cross ii i2 s = cross_out (s i2) , "(faulty i2)
byz_cross i! (s i2)
byz_cross ONE = byz_crossl
byz_cross TWO = byz_cross2
byz_cross THREE = byz_cross3
byz_pvt i = byzpvtl
byz_pvt 2 = byzpvt2
byz_pvt 3 = bympvt3
IcNetStepLemma :=
'IcNetABS (Execute s)'='IcNetStep (IcNetABS s)' , Proper_state 's'
II What we have done with this abstraction step is to organize the
lJ state of the ic-net as a function on indicies,
_ and to hide the cross connections.
***************************************************************************
Here is the translation of the Proper_state predicate for the it-net
]] to a predicate on abstract ic-net.
Proper_inlist 'i' := 'is_proper_ext (select n l)'='True', '!n'='True'
Proper_icnet '<<ftc,vtr,inlist>>' := Proper_voterstate 'vtr ONE'
& Proper_voterstate 'vtr TWO'
Proper_voterstate 'vtr THREE'
& Proper_voterstate 'vtr FOUR'
& Proper_ftcayuga 'ftcONE _
& Proper_ftcayuga 'ftc TWO'
Proper_ftcayuga 'ftc THREE'
Proper_ftcayuga 'ftc FOUR'
a Proper_inlist 'inlist (
Jl We then prove :
ProperIcNetLemma :=
Proper_state 's' => Proper_icnet 'IcNetABS s'
5.2 Design Specification
FROM CommonTheorySec IMPORT byte
FROM VoterAbstractSec IMPORT voterstep, cross_out, to_pro,, VOTERSTATE
Proper_voterstate
FROM FtCayugahbstractSec IMPORT FTCAYUGASTATE,FtCayugaStep, prvtout,
vstartout, Proper_ftcayuga, statusword
Generated by the spectool
[clio symbol Execute never
clio mod • off
cli6 add
clio mod * on
5O
_ The Controller.
COMP ::= Controller _
ACTION ::= Advance_controller]+
CONTROLSTATE :: type
LOCAL_STATE ::= S_Controller !CONTROLST_TE D+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = !x
]]clio: sy is_proper_contr extend
controllerstate s = getcontrolstate (current s Controller)
effect Advance_controller s c m
S_Controller (nextstate (controllerstate s) (controllerinput s))
delay Advance_controller = #0
component Advance_controller = Controller
controllerinput s = bottom
]I_=,=_=_=_=_=$=$=_=_=_=_=_=_=$=_=_=_=$=_=_=_=e=_=#=_--
]I The Control states and the next_state function.
CONTROLSTATE : := GO J+
nextstate GO in = GO
CONTROLSTATE : := J
[*=*=_=_=*=,=#=_=#=%=,=,=,=_=_=_=_=e=,=_=,--,=,=,=,=_--
If The component External.
type EXTSTATE = <<BOOL, BOOL., BOOL, BOOL>>
external_input_intl <<xO, xl, x2, x3>> = xO
external_input_int2 <<xO, xl, x2, x3>> = xl
external_input_int3 <<xO, xl, x2, x3>> = x2
external_input_int4 <<xO, xl, x2, x3>> = x3
is_proper_ext <<xO, xl, x2, x3>> = (!xO) & (!xl) & (!x2) & (!x3)
]]clio: sy is_proper_ext extend
current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
J Jclio: sy Proper_External extend
Proper_External C<<s,p,in>>' :=
_t::NAT) Cis_proper_ext (in t)'=CTrueC
[j There are 2 clock phases per cycle.
num_phases = 2
input_phases = [#1]
output_phase 0 = True
output_phase n = False
I] The _eneric Execute function.
type SYSTEM_STATE = COMP->LOCAL_STATE
type INPUT_STREAM = NAT->EXTSTATE
type CHANGE = <<COMP,NAT,LOCAL_STATE>>
type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>
pending_chan_es <<s,p,in>> = p
current <<s,p,in>> c = bottom, pendin_ p c
s c
pendin_ [] c = False
pendin_ (<<c,t,v>>:rest) c {t > Zero} = True
51
pending (<<c2,t,v>>:rest) c = pending rest c
Execute s = do_phases 0 s
do_phases n s = update_state s , n = num_phases
do_phases (n÷1) (do_phase n s)
Output s = generate_output 0 s
generate_output n s {n=num_phases} = []
generate_output n s {output_phase n} =
Out(do_phase n s) : generate_output (n+l) (do_phase n s)
generate_output n s = generate_output (n÷l) (do_phase n s)
I Iclio: modify_rule "do_phases" count 20000
l lclio: symbol do_phases never
update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
advance_inputstream (do_actions (current_schedule s2 n) s2)
where s2 = update_state <<s,p,in>>
current_schedule s n = scheduler (controllerstate s) (controllerinput s) n
do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>
do_action a s = do_change (change_of a s) s
advance_inputstream <<s,p,in>> = <<s,p,in.Succ>>
change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)
II This is a trick to handle conditional actions correctly
do_actions :: [ACTION]->STATE->STATE
AXIOM (s)'do_actions _ s' = 's'
AXIOM (a)(rest)(s)'do_actions (a:rest) s' = 'do_actions rest (do_action a s)'
update s c v c2 = (c=c2)->v; s c2
foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest
map f [] = []
map f (a:x) = (f a): (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s
iterate f (Succ n) s = iterate f n (f s)
I J*=$=$=$=$=$=$=$=$=_=_=_=_=_=$=$=$=_=$=$=_=_=_=$=$=_--
J J Component Classes.
liThe component class voter.
voter :: type
type rot er_localstate = <<VOTERSTATE, << (TO_PROC), (fourbyte),
(fourbyte), (fourbyte) >>>>
LOCAL_STATE ::= S_voter !voter,localstate I+







voterdelay (byzchange c) = #I
votercomp (byzchange c) = C_voter c
voterout (byzchange c) s <<from_proc.vl,v2,v3>> =
<<byz_to_proc s , byz_crossl s, byz_cross2 s, byz_cross3 s>>
voterstate (byzchange c) s <<from_proc,vl,v2.v3>> =
byzstep s <<from_proc,vl,v2,v3>>
voterdelay (byzout c) = #i
votercomp (byzout c) = C_voter c
voterout (byzout c) s <<from_proc,vl,v2,v3>> =
<<byz_to_proc s , byz_crossl s, byz_cross2 s, byz_cross3 s>>
voterstate (byzout c) s <<from_proc,vl,v2,v3>> = s
voterdelay (changestate c) = #I
votercomp (changestate c) = C_voter c
voterout (changestate c) s <<from_proc,vl,v2,v3>> =
<<to_proc s . cross_out s, cross_out s, cross_out s >>
voterstate (changestate c) s <<from_proc,vl,v2,v3>> =
voterstep s <<from_proc,vl,v2,v3>>
voterdelay (output c) = #I
votercomp (output c) = C_voter c
voterout (output c) s <<from_proc,vl.v2,v3>> =
<<to_proc s , cross_out s , cross_out s , cross_out s >>
voterstate (output c) s <<from_proc,vl,v2,v3>> = s
effect (A_voter a) = votereffect a
delay (A_voter a) = voterdelay a
component (A_voter a) = votercomp a
votereffect a s c =
S_voter <<voterstate a (getvoterstate (current s c)) (voterinput s c),
voterout a (getvoterstate (current s c)) (voterinput s c)> k
getvoterstate (S_voter <<x,y>>) = x
getvoteroutO (S_voter <<x,<<yO,yl.y2,y3>> >>) = yO
getvoteroutl (S_voter <<x,<<yO,yl,y2,y3>> >>) = yl
getvoterout2 (S_voter <<x,<<yO,yl,y2,y3>> >>) = y2
getvoterout3 (S_voter <<x,<<yO,yl,y2,y3>> >>) = y3
is_proper_voter (S_voter <<x,<<yO,yl,y2,y3>> >>) =
(_ yO) _ (! yl) _ (_ y2) _ (! y3)
llclio: sy is_proper_voter extend
Goodvoter 's' 'to_proc' 'crossl' 'cross2' _cross3':== Proper_voterstate 's'
If,=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.--




LOCAL_STATE ::= S_FtCayuga !FtCayuga_localstate _+
ACTION ::= A_FtCayuga !FtCayuga_ACT I+
FtCayuga_ACT ::=




FtCayugadelay (byzcayugaout c) = #i
FtCayugacomp (byzcayugaout c) z C_FtCayuga c
FtCayugaout (byzcayugaout c) s <<in,int>> =
<<(byzgo s), (byzpvtl s), (byzpvt2 s), (byzpvt3 s)>>
FtCayugastate (byzcayugaout c) s <<in,int>> = s
53
FtCayugadelay (cayugaout c) = #i
FtCayugacomp (cayugaout c) = C_FtCayuga c
FtCayugaout (cayugaout c) s <<in,int>> =
<<(vstartout s), (prvtout s), (prvtout s), (prvtout s)>>
FtCayugastate (cayugaout c) s <<in,int>> = s
FtCayugadelay (byzcayuga c) = #1
FtCayugacomp (byzcayuga c) = C_FtCayuga c
FtCayugaout (byzcayuga c) s <<in,inZ>> =
<<(byzgo s), (byzpvtl s), (byzpvt2 s), (byzpvt3 s)>>
FtCayugastate (byzcayuga c) s <<in,int>> =
byzCayugaStep s (make_ftc_in int in)
FtCayugadelay (cayugastep c) = #I
FtCayugacomp (cayugastep c) = C_FtCayuga c
FtCayugaout (cayugaszep c) s <<in,int>> =
<<(vstartout s), (prvtout s), (prvtout s), (prvtout s)>>
FtCayugastate (cayugastep c) s <<in,int>> =
FtCayugaStep s (make_ftc_in int in)
effect (A_FtCayuga a) = FtCayugaeffect a
delay (A_FtCayuga a) = FtCayugadelay a
component (A_FtCayuga a) = FtCayugacomp a
FtCayugaeffect a s c =
S_FtCayuga <<FtCayugastate a (getFtCayugastate (current s c))
(FtCayugainput s c),
FtCayugaout a (getFtCayugastate (current s c)) (FtCayugainput s c)>>
getFtCayugastate (S_FtCayuga <<x,y>>) = x
getFtCayugaoutO (S_FtCayuga <<x,<<yO,yl,y2,y3>> >>) = yO
getFtCayugaoutl (S_FtCayuga <<x,<<yO,yl,y2,y3>> >>) = yl
getFtCayugaout2 (S_FtCayuga <<x,<<yO,yl,y2,y3>> >>) = y2
getFtCayugaout3 (S_FtCayuga <<x,<<yO,yl,y2,y3>> >>) = y3
is_proper_FtCayuga (S_FtCayuga <<x,<<yO,yl,y2,y3>> >>) =
(! yO) & (! yl) _ (! y2) & (! y3)
)lclio: sy is_proper_FtCayuga extend







II Components (other than Controller and External)
_ and their connections.
FtCayuga ::= FTCI _+
FtCayugainput s (C_FtCayuga FTCI) =
<<getvoteroutO (current s (C_voter VI)),
external_input_intl (current_input s)>>
FtCayuga ::= FTC2 _+
FtCayugainput s (C_FtCayuga FTC2) =
<<getvoteroutO (current s (C_voter V2)),
external_input_int2 (current_input s)>>
FtCayuga ::= FTC3 _+
FtCayugainput s (C_FtCayuga FTC3) =
<<getvoterouZO (current s (C_voter V3)),
external_input_int3 (current_input s)>>
FtCayuga ::= FTC4 ]+
54
FtCayugainput s (C_FtCayuga FTC4) = <<getvoteroutO (current s (C_voter V4)),
external_input_int4 (current_input s)>>
voter ::= V1 _+
voterinput s (C_voter VI) =
<< <<getFtCayugaoutO (current s (C_FtCayuga FTC1)),
getFtCayugaoutl (current s (C_FtCayuga FTC2)),
getFtCayugaoutl (current s (C_FtCayuga FTC3)),
getFtCayugaoutl (current s (C_FtCayuga FTC4))>>,
getvoterout3 (current s (C_voter V4)),
getvoterout2 (current s (C.voter V3)),
getvoteroutl (current s (C_voter V2))>>
voter ::= V2 [+
voterinput s (C_voter V2) =
<< <<getFtCayugaoutO (current s (C_FtCayuga FTC2)),
getFtCayugaout2 (current s (C_FtCayuga FTC3)),
getFtCayugaout2 (current s (C_FtCayuga FTC4)),
getFtCayugaoutl (current s (C_FtCayuga FTC1))>>,
getvoterout3 (current s (C.voter VI)),
getvoterout2 (current s (C_voter V4)),
getvoteroutl (current s (C_voter V3))>>
+
voter ::= V3 ([C_votervoterinput s V3) =
<< <<getFtCayugaoutO (current s (C_FtCayuga FTC3)),
getFtCayugaout3 (current s (C_FtCayuga FTC4)),
getFtCayugaout2 (current s (C_FtCayuga FTCI)),
getFtCayugaout2 (current s (C_FtCayuga FTC2))>>,
getvoterout3 (current s (C_voter V2)),
getvoterout2 (current s (C_voter VI)),
getvoteroutl (current s (C_voter V4))>>
voter ::= V4 I+
voterinput s (C_voter V4) =
<< <<getFtCayugaoutO (current s (C_FtCayuga FTC4)),
getFtCayugaout3 (current s (C_FtCayuga FTCl)),
getFtCayugaout3 (current s (C_FtCayuga FTC2)),
getFtCayugaout3 (current s (C_FtCayuga FTC3))>>,
getvoterout3 (current s (C_voter V3)),
getvoterout2 (current s (C_voter V2)),





Out s = (bottom)
inlist_from <<s,p,in>> = input_phases_of in
input_phases_of in = (map in input_phases) ÷+
input_phases_of (in. (#+ #num_phases))
11*=*=*=*=*=*=*=*=*=*=*=%=*=*=*=*=*=*=*=*=*=*=*=*=*=*--
I[ The scheduler.
scheduler GO in 0 = (Vlout)++(V2out)++(V3out)++(V4out)++
......... (FTC1out)++_FTC2out)++(FTC3out)++(FTC4out)
viou_ = t_Iaulty ONE)->LA_voter(byzout V1)J;LA_voter[output VI)])
V2out = ((faulty TWO)->[A_voter(byzout V2)];[A_voter(output V2)])
V3out = ((faulty THREE)->[A_voter(byzout V3)];[A_voter(output V3)])
V4out = ((faulty FOUR)-> [A_voter(byzout V4)] ;[A_voter(output V4)])
Vlstate = ((faulty ONE)-Y[A_voter(byzchange V1)];[A_voter(changestate VI)])
V2state = ((faulty TWO)->[A_voter(byzchange V2)];[A_voter(changestate V2)])
V3state = ((faulty THREE)->[A_voter(byzchange V3)];[A_voter(changestate V3)])
55
V4state = ((faulty FOUR)->[A_voter(byzchange V4)];[A_voter(changestate V4)])
FTClact ((faulty ONE)->[A_FtCayuga(byzcayuga FTCl)];
[A_FtCayuga(cayugastep FTC1)])
FTC2act = ((faulty TWO)->[A_FtCayuga(byzcayuga FTC2)];
[A_FtCayuga(cayugastep FTC2)])
FTC3act = ((faulty THREE)->[A_FtCayuga(byzcayuga FTC3)];
[A_FtCayuga(cayugastep FTC3)])
FTC4act = ((faulty FOUR)->[A_FtCayuga(byzcayuga FTC4)];
[A_FtCayuga(cayugastep FTC4)])
scheduler GO.in I R (Vlstate)÷+(V2state)++(V3state)++(V4state)÷+
(FTClact)++(FTC2act)++(FTC3act)÷+(FTC4act)÷+[Advance_controller]
FTClout = ((faulty ONE)->[A_FtCayuga(byzcayugaout FTCl)];
[A_FtCayuga(cayugaout FTCI)])
FTC2out = ((faulty TWO)->[A_FtCayuga(byzcayugaout FTC2)];
[A_FtCayuga(cayugaout FTC2)])
FTC3out = ((faulty THREE)->[A_FtCayuga(byzcayugaout FTC3)];
[A_FtCayuga(cayugaou% FTC3)])
FTC4out = ((faulty FOUR)->[A_FtCayuga(byzcayugaout FTC4)];
[A_FtCayuga(cayugaout FTC4)])
scheduler s in i = [Advance_controller]
scheduler s in t []
I]_=%=e=e=_=_=_=_=_=_=%=_=e=e=_=e=_=_=_=_=_=_=_=_=_=_--
II Proper state predicates.
is_proper_state 's' :==
'is_proper_contr (current s Controller)' = 'True'
a 'is_proper_FtCayuga (current s (C_FtCayuga FTCI))' = 'True'
'Is_proper_FtCayuga (current s (C_FtCayuga FTC2))' = 'True'
a 'is_proper_FtCayuga (current s (C_FtCayuga FTC3))' = 'True'
'is_proper_FtCayuga (current s (C_FtCayuga FTC4))" = CTrue_
'Is_proper_voter (current s (C_voter VI))' = 'True'
a 'is_proper_voter (current s (C_voter V2))' = 'True'
a 'is_proper_voter (current s (C_voter V3))' = 'True'




a GoodFtCayuga 'getFtCayugastate(current s (C_FtCayuga FTCI))'
'getFtCayugaoutO(current s (C_FtCayuga FTCl))'
'getFtCayugaoutl(currents (C_FtCayuga FTCI))'
'getFZCayugaout2(current s (C_FtCayuga FTCl))'
'getFtCayugaout3(current s (C_FtCayuga FTCI))'
& GoodFtCayuga 'getFtCayugastate(current s (C_FtCayuga FTC2))'
'getFtCayugaoutO(current s (C_FtCayuga FTC2))'
'getFtCayugaoutl(current s (C_FtCayuga FTC2))'
'getFtCayugaout2(current s (C_FtCayuga FTC2))'
'getFtCayugaout3(current s (C_FtCayuga FTC2))'
GoodFtCayuga 'getFtCayugastate(current s (C_FtCayuga FTC3))'
'getFtCayugaoutO(current s (C_FtCayuga FTC3))'
'getFtCayugaoutl(current s (C_FtCayuga FTC3))'
'getFZCayugaout2(current s (C_FtCayuga FTC3))'
'getFZCayugaout3(current s (C_FtCayuga FTC3))'
GoodFtCayuga 'getFzCayugastaze(current s (C_FtCayuga FTC4))'
'getFZCayugaouzO(current s (C_FtCayuga FTC4))'
' 'getFtCayugabutl(current s (C_FtCayuga FTC4))'
'getFtCayugaout2(current s (C_FtCayuga FTC4))'
'getFtCayugaout3(current s (C_FtCayuga FTC4))'
56
Goodvoter 'getvoterstate(current s (C_voter Vl))'
'getvoteroutO(current s (C_voter Vl)) _
'getvoteroutl(current s (C_voter V1))'
'getvoterout2(current s (C_voter Vl))'
'getvoterout3(current s (C_voter Vl))'
Goodvoter 'getvoterstate(current s (C_voter V2))'
'getvoteroutO(current s (C_voter V2))'
'getvoteroutl(current s (C_voter V2)) (
'getvoterout2(current s (C_voter V2))'
'getvoterout3(current s (C_voter V2))'
& Goodvoter cgetvoterstate(current s (C_voter V3))'
'getvoteroutO(current s (C_voter V3))'
'getvoteroutl(current s (C_voter V3))'
'getvoterout2(current s (C_voter V3)) c
'getvoterout3(current s (C_voter V3))'
& Goodvoter Cgetvoterstate(current s (C_voter V4)) c
'getvoteroutO(current s (C_voter V4)) c
'getvoterout1(current s (C_voter V4)) c
'getvoterout2(current s (C_voter V4))¢
,s:getvoterout3(current s (C_voter V4)) c
Proper_External
llclio: symbol Proper_state extend_auto
_clio: symbol pending_changes extend_auto
_ I$=$=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=,=_=,=,=,=,=$=_--
II For export to other modules, we define functions
]] access the internal state of each component that has one.
get_FTC1_state s = KetFtCayugastate (current s (C_FtCayuga FTCI))
get_FTC2_state s = getFtCayugastate (current s (C_FtCayuga FTC2))
get_FTC3_state s = KetFtCayugastate (current s (C_FtCayuga FTC3))
get_FTC4_state s = KetFtCayugastate (current s (C_FtCayuga FTC4))
get_V1_state s = getvoterstate (current s (C_voter V1))
get_V2_state s = getvoterstate (current s (C_voter V2))
get_V3_state s = getvoterstate (current s (C_voter V3))
get_V4_state s = getvoterstate (current s (C_voter V4))
Il_=*=$=_=$=*=$=$=%=_=$=*=e=*=*=*=*=*=*=$=*=*=_=*=*=*--
Jl Auxillary definitions.
make_ftc_in int <<vl,v2,v3_st,snd,fr>> =
<<int,twolist vl, twollst v2, twolist v3, statusword st fr end >>
twolist <<a,b>> = [a,b]
statusword ::
byzstep, byz_to_proc :: *
byzcll, byzcl2, byzcl3, byzcl4, byzc21, byzc22 :: *->byte
byzc23, byzc24, byzc31, byzc32, byzc33, byzc34 :: *->byte
byzCayugaStep :: *
byzpll, byzpl2, byzpi3, byzpl4, byzp21, byzp22 :: *->byte
byzp23, byzp24, byzp31, byzp32, byzp33, byzp34 :: *->byte






AXIOM C!(byzc21 x)(='!x '
AXIOM _!(byzc22 x) C='!xC
AXIOM C!(byzc23 x) C='!x '
AXIOM '!(byzc24 x) C='!x '
AXIOM t!(byzc31 x)'='!x'
AXIOM '!(byzc32 x) C='!x '
AXIOM C!(byzc33 x) C=C!x'
AXIOM '!(byzc34 x)'='!x '
byz_crossl x = <<byzcll x, byzcl2 x, byzc13 x, byzcl4 x>>
byz_cross2 x = <<byzc21 x, byzc22 x, byzc23 x, byzc24 x>>




AXIOM '!(byzpl4 x) C='!x '
byzpvtl x = <<byzpll x, byzpl2 x, byzpl3 x, byzpl4 x>>
AXIOM '!(byzp21 x)'='!x'
AXIOM C!(byzp22 x)'='!x'
AXIOM C!(byzp23 x)'='!x _
AXIOM '!(byzp24 x)_='!x '
byzpvt2 x = <<byzp21 x, byzp22 x, byzp23 x, byzp24 X>>
AXIOM '!(byzp31 x)'='!x'
AXIOM '!(byzp32 x)'='!x _
AXIOM '!(byzp33 x)'='!x '
AXIOM '!(byzp34 x)'='!x'
byzpvt3 x = <<byzp31 x, byzp32 x, byzp33 x, byzp34 x>>




byzgo x = <<byzgl x, byzg2 x, byzg3 x, byzg4 x>>
type FROM_PROC = <<proctuple,proctuple,proctuple,proctuple>>
type proctuple = <<byte,byte,byte,BOOL>>
type TO_PROC = <<twobyte,twobyte,twobyte,<<threebit,threebit>>,twobit,twobit>>
type fourbyte = <<byte,byte,byte,byte>>
type twobyte = <<byte,byte>>
type twobit = <<BOOL,BOOL>>
type threebit = <<BOOL,BOOL,BOOL>>
type fourbit = <<BOOL,BOOL,BOOL,BOOL>>
-_*__from_proc :: FROM_PROC->BOOL





good_proctuple <<a,b,c,d>> = !a _ !b _ !c & !d
lJ¢lio: symbol Proper_voterstate extend_auto
lJclio: symbol Proper_ftcayuga extend_auto
llclio: symbol good_from_proc extend_auto
llclio: symbol good_proctuple extend_auto
is_proper_ext :: EXTSTATE->BOOL
INDEX ::= ONE J TWO I THREE I FOUR
II Everything is defined in terms of this parameter.
faulty :: INDEX -> BOOL
58
_ _*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--
J# The cutpoints and loop conditions.
PATH ::= (
Invariant 'p' 's' := TRUE
Advance_Relatlon 'p1' 'p2' 'sl' 's2' := TRUE
path_start E = bottom
path_end p bottom
path_length p = bottom
path_condition 'p' 's' :== FALSE
path_precond 'path' 's' :=
'!path'='True'
& path_condition 'path' 's'
& Invariant 'path_start path' 's'
_clio: sy path_precond extend
_clio: sy Invariant extend
path_postcond 'path' 's' :=
Invariant 'path_end path' 'iterate Execute (path_length path) s'
& Advance_Relation 'path_start path' 'path_end path'
's' 'iterate Execute (path_length path) s'
VC 'path' 's':=
path_precond 'path' 's' => path_postcond 'path' 's'
VC_ok 's' :== (path) VC 'path' 's'




Timing_ok 's', Proper_state 's'
Timing_ok_case 's':= =
Timing_ok 's', 'controllerstate s'='c'
Timing_ok_by_cases :== Proper_state 's' => Timing_ok_case 's'
6 Common Theory
6.1 Type Definitions
II Here's what we are assuming about the type number:
)[ For ftcayuga, we must assume that a number consists of four bytes
byte_hum ::= BYTEOIBYTEIIBYTE2IBYTE3
byte :: sort
number ::= Word byte byte byte byte
byte_inc BYTEO = BYTEI
byte_inc BYTEI = BYTE2
byte_inc BYTE2 = BYTE3










AXIOM C!(add_num x y) r='!x _ !yC
AXIOM '!(sub_num x y)'='!x & !y'
, nO,=,x,AXIOM add_hum x




_l Here's what we are assuming about the type data:
data ::= nodata I dataerror l DATUM !number
inc_data (DATUM x) = DATUM (inc_num x)
inc_data x = x
decr_data (DATUM x) = DATUM (decr_num x)
decr_data x - x
add_data (DATUM x) (DATUM y) = DATUM (add_num x y)
sub_data (DATUM x) (DATUM y) = DATUM (sub_num x y)
cne_data x y = (x=y)->data_false;data_true
good (DATUM (Word x y z w)) = !x & !y & !z & !w
getbyte BYTE3 (DATUM (Word b3 h2 bl bO)) = b3
getbyte BYTE2 (DATUM (Word b3 b2 bl bO)) = b2
getbyte BYTE1 (DATUM (Word b3 b2 bl bO)) = bl
getbyte BYTEO (DATUM (Word b3 b2 bl bO)) = bO
set_byte BYTE3 (DATUM (Word b3 b2 bl bO)) v = DATUM (Word v b2 bl bO)
set_byte BYTE2 (DATUM (Word b3 b2 bl bO)) v = DATUM (Word b3 v bl bO)
set_byte BYTEI (DATUM (Word b3 b2 bl bO)) v = DATUM (Word b3 b2 v bO)
set_byte BYTEO (DAIqJM (Word b3 b2 bl bO)) v = DATUM (Word b3 b2 bl v)
get_byte = getbyte.num2byte
update_byte = set_byte.num2byte
num2byte 3 = BYTE3
num2byte 2 = BYTE2
num2byte I = BYTE1










addr ::= ADDR !number
data_to addr (DATUM x) = ADDR x
in¢_addr (ADDR x) = ADDR (inc_num x)
addr_O = ADDR nO
data_O = DATUM nO
II Here's what we need about the regaddr's:
regaddr ::= RO I R1 I R2 I R3 l R4 | R5 1 R6 I R7
R8 I R9 I Rio I Rll I R12 I R13 I R14 I R15 I
Rle I R17 IRls I R19 ! R20 I R21 I R22 I R2s I
R24 I R25 I R26 I R27 I R28 I R29 I R30 I R31
data_to_regaddr :: data -> regaddr
AXIOM C!(data_to_regaddr x)'=C!x '
AXIOM 'data_to_regaddr (DATUM nO) '= 'RO'
AXIOM 'data_to_regaddr (DATUM nl) '= 'RI'
6O
AXIOM 'data_to_regaddr (DATUM n2) '= 'R2 c







llSpecial registers VTI-VT3 and STATUS are write-protected
protected sr = (sr=VTl)xor(sr=VT2)xor(sr=VT3)xor(sr=STATUS)
II The opcodes:
opcode ::= LD I ST J ADD J JMP I JIT J JIF _ CNE I SADD I MOVE I ICOP
opclass ::= SCLASS ] JCLASS I LCLASS I ACLASS ] NONE
opcodeof :: data -> opcode
indirect :: data-> BOOL
dstof :: data -> data II note: this is "padded" to be data
srclof :: data -> regaddr
src2of :: data -> data ]] note: this is "padded" to be data
AXIOM '!(opcodeof x)'='!x'
AXIOM '!(indirect x_'=C!x '
AXIOM '!(dstof x)'= !x'
AXIOM 'good(dstof x)'='good x'
AXIOM '!(srclof x)'-"x'
AXIOM 'good(src2of x)_='good x'
AXIOM '!(src2of x) C='!x '
opclassof LD = LCLASS
opclassof ST = SCLASS
opclassof ADD = ACLASS
opclassof SADD = ACLASS
opclassof ICOP = ACLASS
opclassof MOVE = ACLASS
opclassof CNE = ACLASS
opclassof JMP = JCLASS
opclassof JIT = JCLASS
opclassof JIF = JCLASS
lJ We need a NO_OP, which we take to be ADD RO 0 RO, which adds 0 to RO.
noop :: data
AXIOM 'opcodeof noopC='ADD '
AXIOM 'indirect noop'='False'
AXIOM 'srclof noop'='RO'
AXIOM 'src2of noop'='DATUM nO'
AXIOM 'dstof noop'='DATUM nO'
_ This is the type of error flags. It's the part of the abstract state
lJ which indicates whether an error has occurred.
error ::= NO_ERROR J JUMP_ERROR I STORE_ERROR
II This function is used alot.
update f x y z = (x=z)->y; f z
reset_to_addr x = data_O
clio: mod * offclio: add *


















'majority_of x x z'='x' , '!z'='True'
'majority_of x z x'='x' , "!z'='True'
'majority_of z x xCfCx' , '!z'ffi'True'
"majority_commutes" 'majority_of x y z'='majority_of y z x'
'good data_O'='True '
'!(msbof x)'='True' , '!x'='True'
'msbof bottom'&_bottom '
'good x'='True' => 'good (inc_data x)'='True'
'good(add_data x y)'m'True' , 'good x a good y'='True'
"sregaddr flat" (x::sregaddr) '!!x'='!x '
Proper_voterstate 'byzstep s in' , Proper_voterstate 's'
"Proper_byzCayuga" Proper_ftcayuga 'byzCayugaStep s in' , Proper_ftcayuga 's'
'msbof (stwdl st <<fr,x>> y)'='fr'
'next2msbof (stwdl st x <<snd,y>>)'='snd '
'!(stwdl st x y)'ffi'True' , '!!st _ !!x _!!y'='True'
7 The Main Lemmas Proved
MainTheorem defines the main correctness property that we proved. It expresses the 12-
cycle interactive consistency property for tile entire system, which was described in (letail
in sections 5.2 and 9.1 of Volume 1. In the following, we describe some of the main ]emmas
that we provcd in constructing a proof of MainTheorem.
MainTheorem states the interactivc consistency property for the actual value (defined
by the function actualPVT) that the processor sends to the voter. Since the processor sends
the value to the voter ovcr two cycles, we define one half of this value based on the contents
of the special register PVT in the cycle in which ICOP is executed and the other half based on
the contents of PVT in the following cycle. To ensure that the IC computation is performed
o_,, r consistent valuc of PVT, the programmcr must make sure that the content of PVT will
_ot change before the processor sends it to thc voter. One way a programmer can ensure
this is by not having a SADD instruction, which is the only instruction that can change the
special register PVT, immediately following IC0P. AnotherMainTheorem formally states this
condition. We have not proved this theorem, which should follow from the MainTheorem.
To decompose the proof of MainTheorem into smaller proofs, we divided the 12-cycle
IC computation into a sequence of six stages of smaller duration. For each of these stages,
we proved a stage lemma that defines the expected behavior for that stage. The different






Load stage rcpresents the first three cycles of IC computation in which the contents of
the private register is moved from the processor to the voter. The lemma corresponding
to this stage is Load_correct_lemma.
Ezchange stage represents the next six cycles of the computation in which tile voters
exchange values between each other. This stage is further divided into a sequence of
three 2-cycle computations, with one lemma for each of them: Xngl_correct_lemma,
Xng2_correct_lemma and Xng3_correct_/emma.
Compute stage represents the single cycle in which majority computation is performed.
The lemma corresponding to this stage is Compute_correct_lena.
Output stage represents the last two cycle of the computation in which the results are
written into the processor. The ]emma corresponding to this stage is Output_correct_lemma.
We "chained" the stage lemmas together, in order, to prove the MainTheorem. We
prove4 another set of lcmmas, called connect lemmas, to assist us in the chaining process.
That is, we used tim connect lcmmas to provc that the antecedent of a stage lemma irnplics
the consequent of a succeeding stage lemma in the chain. The list given below shows the
order in which we used the lemmas for proving the MainTheorem. In the following, CL is
an abbreviation for "Connect_lemma," and -_ is used to indicate the chronological order in
which two lemmas are proved when the lelnmas appear within the same item in the list.
I. Load_correct_lemma
2. CL_1_4 ---* (CL_1_5, CL_1_3) --_ (CL_I_I, eL_l_2)
3. Xngl_correct_lemma
4. (CL_I_I, CL_I_2) ---+CL_3
5. Xng2_correct_lemma
6. (CL_I_I, CL_I_2) --_CL_4
7. Xng_correct_lemma
8. (CL_I_I, CL_I_2) --+ eL_5
9. Comput e_correct_lemma.
63
lO. (CL_I_I, CL_I_2) ---,CL_6
] |. Output_correct_lemma.
***************************************************************************
Now we specify the multi-cycle behavior of the ic net.
We only expect it to perform correctly under certain assumptions.
First, at the beginning of the multi-cycle computation, all the
non-faulty voters should be syncronized in their LDP1 state,
and be waiting for the go-signal.
And all the non-faulty processors should be about to give the go-signal.
And all the non-faulty processors should have their bytcounter at BYTEI.
Using the following predicates, we can assert this condition
on the voternet state, s, as: Sync 'LDPI' 's' _ All_go 's'
Sync 'cs' '<<ftc,vtr,inlist>>' :=
('faulty ONE' = 'False' => 'control (vtr ONE)'='cs')
a ('faulty TWO' = 'False' => 'control (vtr TWO)'='cs')
& (_faulty THREE' = 'False' => 'control (vtr THREE)'='cs')
&('faulty FOUR' = 'False' => 'control (vtr FOUR)C='cs')
vtr <<f,v,in>> = v
ftc <<f,v,in>> = f
inlist <<f,v,in>> = in
GO = <<True,True,True,True>>
go_signal <<ftc,vtr,int:rest>> index = vstartout (ftc index)
All_go 's' :=
(tfaulty ONE'='False' =>
('go_of (vtr s ONE)'='False'
a 'go_signal s ONE'='GO' a 'bytecount (ftcs ONE)'='BYTEI'))
a ('faulty TWO'='False' =>
('go_of (vtr s TWO)'='False'
a 'go_signal s TWO'='GO' a 'bytecount (ftc s TWO) C='BYTEI'))
& ('faulty THREE'='False' =>
('go_of (vtr s THREE)'='False'
& 'go_signal s THREE'='GO' _ 'bytecount (ftc s THREE)'='BYTEI'))
a ('faulty FOUR'='False' =>
('go_of (vtr s FOUR)'='False'
a 'go_signal s FOUR'='GO' a 'bytecount (ftc s FOUR)'='BYTEI'))
Bytecount_sync 'b' 's' :=
('faulty ONE'='False' => 'bytecount (ftc s ONE) C='b')
& ('faulty TWO':'False' => 'bytecount (ftcs TWO)'='b')
a ('faulty THREE'-'False' s> 'bytecount (ftcs THREE)':'b')
a ('faulty FOUR'='False' => 'bytecount (ftc s FOUR)'='b')
II So, the preconditions to the main correctness theorem are:
Preconditions 's' :=
Proper_icnet 's' & Sync 'LDPI' 's' & All_go 's'
*********************************************************************Some intermediate results.
[l Specification of the load cycles.
II This function defines the actual private value used by ICOP
actualPVT s index =
half_and.half (newPVT2 (ftcs index) (first_interrupt s index)) ,
(newPVT (ftcs index))
half_and_half hi io = DA_JM (Word (getbyte BYTE3 hi)(getbyte BYTE2 hi)
64
(getbyte BYTE1 lo)(getbyte BYTEO io))
first_interrupt <<ftc,vtr,inlist>> index = select_int index (hd inlist)
load_correct 'before' 'after' 'index' :=
('faulty (succ index) C='False'
=> 'arrayer (vtr after index) I i' ='actualPVT before (succ index)')
('faulty (succ2 index)'='False'
=> 'arrayer (vtr after index) I 2' =CactualPVT before (succ2 index)')
& ('faulty (succ3 index)'=CFalse'
=> 'arrayer (vtr after index) I 3' ='actualPVT before (succ3 index)')
Load_correct 'before' 'after' :=
"faulty ONE'='False' ffi>load_correct 'before' 'after' 'ONE'
a 'faulty TWO'='False' => load_correct 'before' 'after' 'TWO'
'faulty THREE'='False' => load_correct 'before' 'after' 'THREE'
a 'faulty FOUR'z'False' _> load_correct 'before' 'after' 'FOUR'
Load = Iterate (#3) IcNetStep
Load_correct_proper 's' :=
Load_correct 's' 'Load s' a Sync 'XNG11' 'Load s'
Load_correct_lemma :=
Preconditions 'sO => Load_correct_proper "sO
*********************************************************************Specification of the exchange cycles.
xngl_correct 's' 'index' :=
('faulty (succ index)'='False' =>
'arrayer (vtr s index) 2 2'='arrayer (vtr s (succ index)) i i')
& ('faulty (succ2 index)'='False' =>
'arrayer (vtr s index) 3 3'='arrayof (vtr s (succ2 index)) I I c)
xng2_correct Cs' 'index' :=
('faulty (succ index) C=CFalse' =>
'arrayer (vtr s index) 2 3'='arrayof (vtr s (succ index)) I 2')
& ('faulty (succ3 index)'=CFalse ' =>
'arrayer (vtr s index) 3 I'='arrayof (vtr s (succ3 index)) 1 2')
xng3_correct 's' 'index' :=
('faulty (succ2 index)C=CFalse' =>
'arrayof (vtr s index) 2 lC='arrayof (vtr s (succ2 index)) I 3 c)
& ('faulty (succ3 index)'='False' =>
'arrayer (vtr s index) 3 2'='arrayof (vtr s (succ3 index)) I 3')
Xngl_correct 's' :=
'faulty ONE'='False' => xngl_correct 's' 'ONE'
a 'faulty TWO'='False ' => xngl_correct 's' 'TWO'
& 'faulty THREE'='Fa!se ' => xngl_correct 's' 'THREE'
& 'faulty FOUR's'False' _> xngl_correct 's' 'FOUR'
Xng2_correct 'sO :=
'faulty ONE'='False' -> xng2_correct 's' 'ONE'
& 'faulty TWO'='False ' => xng2_correct 'sO 'TWO'
& 'faulty THREE'=CFalse' => xng2_correct 's' 'THREE'
'faulty FOUR'='False' => xng2_correct 's' 'FOUR'
Xng3_correct 's' :=
'faulty ONE'=CFalse' => xng3_correct 's' 'ONE'
a 'faulty TWO'=CFalse ' => xng3_correct 's' 'TWO'
'faulty THREEC=CFalse' => xng3_correct 'sO 'THREE'
& 'faulty FOUR'='False' => xng3_correct 's' 'FOUR'
Xng = Iterate 4#2) IcNetStep
Xngl_correct_lemma :=
65
(Proper_icnet 's' & Sync 'XNGII' 's') =>
(Xngl_correct 'Xng s' & Sync 'XNG21' 'Xng s')
Xng2_correct_lemma :3
(Proper_icnet Cs' & Sync cXNG21' 's' & Xngl_correct 'sO) 3>
(Xng2_correct 'Xng s' & Sync 'XNG31' 'Xng s' & Xngl_correct 'Xng s')
Xng3_correct_lemma :=
(Proper_icnet 's' & Sync 'XNG31' 's' & Xngl_correct 's' _ Xng2_correct 's') =>
(Xng3_correct 'Xng s' & Sync 'CMPP' 'Xng s'
a Xngl_correct 'Xng s' _ Xng2_correct 'Xng s')
The compute and output cycles:
I An array is a function of type :: _NDEX->INDEX->data
[ If A is an array and i is an index, the A i has type :: INDEX->data
J so it represents a vector of four values, one for each index.
I This representation makes it easy to rotate the vector, since the
I rotated vector is obtained by composin_ with the function "succ".
I Now we can say that an array A is consistent if, for all non-faulty
indicies, i and j, the vectors , A i and A j, are related by the appropriate
rotation, e.E. if j = succ2 i then (A i).succ2 equals (A j).
IndexConsistent 'array' 'index' :=
('faulty (succ index)'='False'=>'(array index).succ'='array (succ index)')
('faulty (succ2 index)'='False'=>'(array index).succ2'='array (succ_ index)')
a ('faulty (succ3 index) C=CFalseC=>'(array index).succ3'=Carray (succ3 index)')
Consistent 'array' :=
'faulty ONE'='False'=> IndexConsistent 'array' 'ONE'
'faulty TWO'='False'=> IndexConsistent 'array' 'TWO'
& 'faulty THREE'=CFalse'=> IndexConsistent 'array' 'THREE'
& 'faulty FOUR'=CFalse'=> IndexConsistent 'array' 'FOUR'
a_icvec init final index ONE = actualPVT init index
a_icvec init final index TWO = maj_val I final index
a_icvec init final index THREE = maj_val 2 final index
a_icvec init final index FOUR = maj_val 3 final index
maj_val i <<ftc,vtr,in>> index = _et_maj_val i (maj_of (vtr index))
Compute = Iterate (#I) IcNetStep
Compute_correct_lemma :=
(Proper_icnet 's' & Sync 'CMPP' 's'
& Proper_icnet 'before' _ Load_correct 'before' 's'
& Xn_l_correct 'sO a Xn_2_correct 'sO & Xn_3_correct 's')
=> (Consistent Ca_i,ve, before (Compute s)'
a Sync 'OUTI' 'Compute sO)
II We want the final correctness condition to refer only to the
#_ states of the processors, not the voters. So the icvec that
J{ we state the condition on is:
icvec init final index ONE = actualPVT init index
icvec init final index TWO = _et_special_re_ister VTI final index
icvec init final index THREE = _et_special_registerVT2 final index
icvec init final index FOUR = get_special_re_ister VT3 final index
_et_special_register saddr <<ftc,vtr,inlist>> index = sreKof (ftc index) saddr
II So to finish of the proof of correctness we need oniy show that
II for non-faulty index, 'i,ve, init (Output s) indexC='a_icvec init s index'
66
Output = Iterate (#2) IcNetStep
output_correct 'sO 'index' :=
'icvec init (Output s) index'=Ca_icvec init s index'
Output_correct 's' :=
('faulty ONEC=CFalse' => output_correct 's' 'ONE')
& ('faulty TWOC=CFalse' => output_correct 's' 'TWO')
& ('faulty THREE'='False' => output_correct 's' 'THKEE')
& ('faulty FOURC='False' => output_correct 'sO 'FOUR')
Output_correct_lemma :=
(Proper_icnet 'sO a Sync 'OUTI' 's' _ Bytecount_sync 'BYTE1' 'sO)
=> Output_correct 's'
Twelve_cycle = Output.Compute. Xng.Xng.Xng.Load
MainTheorem := Preconditions 's' => Consistent 'icvecs (Twelve_cycle s)'
J[ To chain these lemmas together we need:
Connect_lemma_1_l :
(Proper_icnet 's'=_ Sync 'cs' Cs' a 'cs=LDPl'='False ')
=> Proper_icnet 'IcNetStep s'
Connect_lemma_l_2 :
(Proper_icnet 's'=_ Sync 'cs' 'sO a 'cs=LDPl'='False')
=> Sync 'next_voterstate cs' 'IcNetStep s'
Connect_lemma_1_3 :==
Preconditions 's' => Sync 'LDP2' 'Iterate (#2) IcNetStep s'
Ready 's' :=
('faulty ONE'='False' => 'go_of (vtr s ONE)'='True ')
& ('faulty TWO'='False' => 'go_of (vtr s TWO)'='True')
& ('faulty THREE'=CFalse ' => 'go_of (vtr s THREE)'='True ')
a ('faulty FOURC='False' => (go_of (vtr s FOUR)'=CTrue c)
a Sync 'LOP1' 's'
Connect_lemma_l_4 :==
Preconditions 's' => (Proper_icnet 'IcNetStep s' a Ready 'IcNetStep sO)
Connect_lemma_l_5 "==
(Proper_icnet is' a Ready 's')=> Proper_icnet 'IcNetStep s'
Connect_lemmal :=
Connect_lemma_l_1 & Connect_lentma_l_2 _ Connect_lemala_l_3 E Connect_lenuua_1_4
Connect_lemma3 :=
(Proper_icnet 's' & Sync 'XNGII' 's' & Load_correct 'before' 's') =>
Load_correct 'before' 'Xng s'
Connect_lemma4 :=
(Proper_icnet 'sO & Sync 'XNG21' 's' & Load_correct 'before' 's') =>
Load_correct 'before' 'Xng s'
Connect_lemma5 :=
(Proper_icnet 's' a Sync 'XNG31' 's' & Load_correct 'before' 's') =>
Load_correct 'before' 'Xng s'
Connect_lemma6 := Preconditions (s' =>
Bytecounti§ync 'BYTE1' 'Compute(Xng(Xng(Xng(Load s))))'
**********************************************************************Here's another theorem that expresses a property useful from the point of
II view of a programmer using ICOP. It ensures that the system performs IC
II computation on the contents of SREG[PVT] in the cycle in which ICOP was
[[ executed, provided the instruction immediately following ICOP is not
[[ SADD. The following theorem, which has not been proved yet, can be proved
I[ using the above Main1_neorem as a lemma.
*********************************************************************After 12 cycles, each non-faulty processor should have a vector
II of four values: the initial value of its PVT special register
67
_ and the final values in the special register VT1, VT2, and VT3.
_ Among the non-faulty processors, these vectors should be related
II by a rotation.
anothericvec init final index 0NE = get_special_register PVT init index
anothericvec init final index TW0 = get_special_register VTI final index
anothericvec init final index THREE = get_special_register VT2 final index
anothericvec init final index FOUR = get_special_register VT3 final index
II Note that the expression "icvec init final index" is actually
_I a function on the type INDEX, and represents the vector of four values.
II*************************************************************************
ResultConsistent 's' := Consistent 'anothericvec s (Iterate #12 IcNetStep s)'
AnotherMainTheorem :=
Preconditions (s' _ Next_instrn__snot_SADD 's' => ResultConsistent 's'
Array s = arrayof.(vtr s)
ItStep n = Iterate n IcNetStep
8 General Lemmas
'bytecount (FtCayugaStep s in)'='byte_inc(byte_inc(bytecount s))'
'getbyte b (set_byte c w v)'= 'getbyte b w', 'b = c'= 'False'
'getbyte b (set_byte b w v)'='v' , 'good w & !v & !b'='True(
'DATUM (Word (getbyte BYTE3 x)(getbyte BYTE2 x)(getbyte BYTE1 x)
(getbyte BYTE0 x))'='x' , 'good x'='True'
'!(msbof (getbyte b w))'='True' , '!b _ good w'='True'
'(BYTE3 = x) I(BYTE2 = x)](BYTEI= x) l(BYTEO=x)'='!x'
'!(getbyte b w)'='!b' , 'good w'='True'
'!!(data_to_addr x)'='True' , 'good x'='True'
'good(set_byte b w v)'='!b & !v' , 'good w'='True'
"good2definite" 'good x'='True' => "!!x'='True'
'!(byte_inc b)'='!b'
Proper_inlist 'a:b' => Proper_inlist 'b'
'!(byzCayugaStep s in)'='True' , Proper_ftcayuga 's'
'!(newcontr cs in irg)'='!cs' , '!in _ !irg'='True'
68
References
[1] M. Bickford, C. Mills, and E.A. Schneider. "Clio: An Applicatiw_' l,anguage-Bas(,d Veri-
fication System". Technical Report TR 89-13, ORA Corporation, 301A Harris B. Dates
Drive, Ithaca, NY 14850, September 1989.
[2] R. Shostak M. Pease and L. Lamport. "Reaching Agreement in the Presence of Faults".
JACM, 27(2):228-234, April 1980.
[3] Mandayam Srivas. "Bridging the Formal Methods Gap: A Computer-Aided Verification
Tool for Hardware Designs". In COMPCON91, San Francisco, CA, February 25-28 1991.
[4] Mandayam Srivas and Mark Bickford. "Formal Verification of a Pipelined Microproces-
sor". IEEE Software, September 1990.
[5] Mandayam Srivas and Mark Bickford. "Verification of the FtCayuga Fault-Tolerant
Microprocessor System Volume 1: A Case Study in Theorem Prover-Based V'erifica-
tion". Technical Report NASA Contractor Report 4381, NASA Langley Research Cen-
ter, ttampton, VA 23665-5225, 1991. Authors' affiliation: ORA Corporation, 301A Dates
Drive, Ithaca, NY 14850.
[6] Ben L. Di Vito, Ricky W. Butler, and James L. Caldwell. "Formal Design and Verification
of a Reliable Computing Platform for Real-Time Control Phase 1 Results". Technical Re-
port NASA Technical Memorandum 102716, NASA, Langley Research Center, Hampton,




4. Title and Subtitle
Report Documentation Page
i 2, Government Accession No, 3, Recipient's Catalog No.
5. Report Date
Verification of the FtCayuga Fault-Tolerant
Microprocessor System
Volume 2: Formal Specification and Correctness
Theorems
7, Author(s)
Mark Bickford and Mandayam Srivas
9. Performing Organization Name and Address
ORA Corporation
301A Harris B. Dates Drive
Ithaca, NY 14850-1313
12, Sponsoring Agency Name and Addre_





6. Performing Organization Code
8, Performing Organization Report No.
10. Work Unit No.
505-64-10-05
11. Contract or Grant No.
NAS 1-18972
13. Type of Report and Period Covered
Contractor Report
14 Sponsoring #,gency Code
Technical Monitor: Ricky W. Butler, Langley Research Center
Task 1 Final Report
Volume 1 published as NASA CR-4381.
16. Abstract
This is the second volume of a two-volume report that presents a formal specifi-
cation and verification of a property of a quadruplicately redundant fault-tolerant
microprocessor system design. This volume gives a complete listing of the formal
specification of the system and the correctness theorems that were proved. The
system performs the task of attaining interactive consistency among the processors
using a special instruction on the processors. The design is based on an algorithm
pro]-_sed by Pease, Shostak and Lamport. The microprocessor used in the system is
cai led FtCayug:l, which was designed by extending another formally verified micro-
pu'oce._;:_orMln[Cayuga. The property verified ensures that an execution of the
,_pocla; Instruction by the processors correctly accomplishes interactive
consistency, provided certain preconditions hold, using a computer-alded hardware
design verification tool, Spectool, and the theorem prover, Clio, both of which
wore developed at ORA. A major contribution of the work is the demonstration of a
s lg, i f|cant fau]t-tolerant hardware design that is mechanically verified by a
I hoor(_:'nl prover.





19 Secu"ty Classif. <of this report)
Uncl ass[ fied










2_ No. ofpa_s i_. Price
74 ! A04
