Interpreter composition issues in the formal verification of a processor-memory module by Cohen, Gerald C. & Fura, David A.
Ira , 
NASA Contractor Report 4594 
8 / 
Interpreter composition Issues in the Formal 
Verihcation of ahocessor-Memory Module 
David A, Fura and Gerald C.  Cohen 
Contract NAS1-18586 
Prepared for Langley Research Center 
https://ntrs.nasa.gov/search.jsp?R=19940028269 2020-06-16T12:04:31+00:00Z
NASA Contractor Report 4594 
Interpreter Composition Issues in the Formal 
Verification of a Processor-Memory Module 
David A. Fura and Gerald C. Cohen 
The Boeing Company e Seattle, Washington 
National Aeronautics and Space Administration 
Langley Research Center 0 Hampton, Virginia 23681 -0001 
Prepared for Langley Research Center 
under Contract NAS1-18586 
May 1994 

Preface 
This document was generated in support of NASA contract NAS 1-18586, Design and Validation of Digital 
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 12. Task 12 is concerned 
with issues in the formal specification and verification of a processor-memory module. 
This report describes interpreter composition techniques suitable for the formal specification and verifica- 
tion of a processor-memory module using the HOL theorem-proving system. The processor-memory mod- 
ule is a multi-chip subsystem within a fault-tolerant embedded system under development within the Boeing 
Defense & Space Group. It provides the opportunity to investigate the specification and verification of a 
real-world subsystem within a commercial1 y-developed fault-tolerant computer. 
The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center, Hamp- 
ton, Virginia. 
The work was accomplished at the Boeing Company, Seattle, Washington. Personnel responsible for the 
work include: 
Boeing Defense & Space Group: 
D. Gangsaas, Responsible Manager 
T. M. Richardson, Program Manager 
Boeing Defense & Space Group: 
Gerald C. Cohen, Principal Investigator 
David A. Fura, Researcher 
Y 
Contents 
1 
2 
3 
4 
5 
6 
7 
Introduction ............................................................................................................................................ 1 
Hierarchical Pre-Post Logic ................................................................................................................... 3 
2.1 
2.2 
2.3 
2.4 
Interpreter Behavioral Model ....................................................................................................... 4 
2.1.1 Related Work .................................................................................................................... 4 
2.1.2 HPL Interpreter Behavior ................................................................................................. 6 
Interpreter Abstraction .................................................................................................................. 8 
2.2.1 Related Work .................................................................................................................... 8 
2.2.2 HPL Abstraction ............................................................................................................... 9 
Interpreter Liveness ...................................................................................................................... 10 
2.3.1 Related Work .................................................................................................................... 10 
2.3.2 HPL Interpreter Liveness ................................................................................................. 11 
Interpreter Correctness ................................................................................................................. 11 
2.4.1 Related Work ................................................................................................................... 12 
2.4.2 HPL Correctness .............................................................................................................. 13 
Issues in Secure Abstract-Level Composition ...................................................................................... 14 
The Role of Abstraction .............................................................................................................. 14 
Temporal Abstraction for Globally-Clocked Systems ................................................................ 15 
Temporal Abstraction for Interface-Clocked Systems ................................................................ 16 
3.1 
3.2 
3.3 
Synchronizing Interface-Clocked Interpreters ..................................................................................... 18 
Bijective Monorate Interpreters .................................................................................................. 20 
Injective Multirate Interpreters ................................................................................................... 22 
Surjective Multirate Interpreters ................................................................................................. 25 
4.1 
4.2 
4.3 
Processor-Memory Module Specification and Verification ................................................................ 28 
Local Memory Specification ...................................................................................................... 31 
PIU Specification Refinements .................................................................................................. 31 
5.1 PMM Overview .......................................................................................................................... 28 
5.2 Local Processor Specification .................................................................................................... 30 
5.3 
5.4 
Conclusions .......................................................................................................................................... 33 
References ............................................................................................................................................ 34 
A HOL Overview .................................................................................................................................... 36 
A.l The Language ............................................................................................................................. 36 
A.2 The Proof System ....................................................................................................................... 38 
B Interpreter Verification Test Case Studies .......................................................................................... 39 
B.l Standard Interpreter Justification-Proof Example ..................................................................... 39 
B.3 Multirate Injective Interpreters .................................................................................................. 43 
B . 2 Monorate Bijective Interpreter Justification-Proof Example .................................................... 40 
V 
C Processor-Memory Module Specification Examples ......................................................................... 50 
C 1 Transaction Signal Data Structure Definitions ......................................................................... 50 
C.2 Local Processor Transaction-Level Model ............................................................................... 55 
C.3 Local Memory Transaction-Level Model ................................................................................. 56 
C.4 M-Port Transaction-Level Model .............................................................................................. 58 
vi 
List of Figures 
3.1 
3.2 
3.3 
4.1 
4.2 
4.3 
4.4 
4.5 
4.6 
4.7 
4.8 
4.9 
The Problem of Composing Abstract Models ............................................................................. 14 
Temporal Abstraction Linking the Timing and Clock Levels .................................................... 15 
Temporal Abstraction Linking the Clock and Transaction Levels ............................................. 16 
Description of an Interpreter’s Transaction Events and Concrete-Level Variables .................. 
Example Bijective Monorate Interpreter Model ......................................................................... 20 
Example Injective Multirate Interpreter Model .......................................................................... 22 
Example System Exhibiting Injective Multirate Behavior ........................................................ 23 
Desired Composite-System Behavior for System of Figure 4.5 ............................................... 
Specification Hierarchy for System of Figure 4.5 ...................................................................... 24 
Example Surjective Multirate Interpreter Model ........................................................................ 25 
18 
Transaction One-to-one and Onto Relationships ....................................................................... 19 
24 
Example System Exhibiting Surjective Multirate Byavior ....................................................... 26 
4.10 Desired Composite-System Behavior of System of Figure 4.9 .................................................. 26 
4.1 1 Partial Specification Hierarchy for System of Figure 4.9 .......................................................... 27 
5.1 
5.2 
Block Diagram ofthe Processor-Memory Module .................................................................... 28 
Major Blocks of the Processor Interface Unit ............................................................................ 29 
V i i  

List of Tables 
A . 1 HOL Infix Operators .................................................................................................................. 37 
A.2 HOL Binders ............................................................................................................................... 37 
A.3 HOL Type Operators ................................................................................................................. 38 
ix 
1 Introduction 
To date, theorem-proving efforts targeting microprocessor-based system verification have treated these 
systems as self-enclosed state-transition systems without outputs (e.g., [Hun86], [Coh88], [Joy90], 
[Wingo], [Gra92], [Lev93]). While these approaches have been effective on the small-scale systems 
addressed thus far, they are not ones that we expect to scale up to larger systems in any practical way. The 
fundamental problem with these approaches is their insistence on performing subsystem compositions at 
very low levels of abstraction. 
We believe that the ability to compose hardware models at high levels of abstraction is fundamental to 
the practical specification and formal verification of nontrivial hardware systems. Without such a capability, 
large-scale system verifications would quickly become bogged down by the explosion in low-level state 
resulting from the independent actions of typical interacting subsystems. In this report we describe a new 
approach to interpreter composition that permits provably-secure compositions at high levels of abstraction. 
Our work under this task is ultimately targeted to a commercially-developed processing subsystem, 
called the Processor-Memory Module (or PMM), of a fault-tolerant computer system. The Fault Tolerant 
Embedded Processor (FTEP) is targeted towards applications in avionics and space requiring extremely 
high levels of mission reliability, extended maintenance-free operation, or both. Since the need for high- 
quality design assurance in these systems is an undisputed fact, the continued development and application 
of formal methods is vital as these systems see increasing use in modern society. 
The work described in this report represents the culmination of a multiyear effort to develop and apply 
theorem-proving technology to hardware verification. Previous work under Task 10 developed abstraction 
techniques and an interpreter modeling approach to specify a PMM interface chip (the Processor Interface 
Unit, or PIU) in terms of its higher-level transaction handling. In this context, a transaction refers to the bus 
transactions of typical commercial microprocessors, such as the Intel 80960 [Int89] or the MIPS R3000 
[Kan87]. Techniques for formally verifying the transaction level with respect to its underlying clock level 
were also developed in Task 10. Tivo Task 10 final reports describe the results of the PIU specification and 
verification work ([Fur93a] and [Fur93b], respectively). 
Prior to this, work under Task 3 developed interpreter modeling and verification techniques applicable 
to a wide range of hardware verification problems. A new approach to hierarchical decomposition and the 
development of a generic interpreter theory together greatly reduced the level of effort required by many 
verifications. The recent verification of an implementation of the Viper microprocessor certifies the strength 
of these methods. The methodology that was employed in this verification is described in [Win911 and 
[Win92], while the verification itself is described in [Lev93]. 
The research focus of the Task 12 work described here was on composition, specifically transaction- 
level composition. We have developed modeling and verification methods that permit provably-secure com- 
position at this high level of abstraction. To our knowledge, this work represents the first successful demon- 
stration of an interpreter-based approach to this problem. AI1 of our work was performed using the HOL 
theorem proving system from the University of Cambridge [Gor93]. 
Section 2 of this report describes an interpreter modeling approach first developed under lhsk 10. Called 
‘hierarchical pre-post logic’ (or HPL), this model has seen further refinement during Task 12. The aspects 
of HPL covered here include the modeling of interpreter behavior, interpreter abstraction, interpreter live- 
ness, and interpreter correctness. 
Section 3 explains important issues in secure abstract-level composition. The primary focus is on the 
role that abstraction plays in secure abstract-level composition. Low-level hardware composition is 
reviewed and a new approach to abstract-level synchronization, based on interface-event clocking, is intro- 
duced. 
1 
Section 4 describes how interface-event clocking impacts the modeling and verification of interpreter- 
based systems. It introduces ‘multirate’ interpreters, where the interpreter inputs and outputs clock at differ- 
ent rates. Largely through two significant examples, techniques to solve some important modeling and ver- 
ification problems are demonstrated. 
Section 5 contains a description of the new PMM specification models produced under this task and 
describes some modifications to the existing models required to support composition. 
Section 6 presents our conclusions. 
A brief description of the HOL theorem proving system is contained in Appendix A. 
Appendix B contains the HOL listings of several interpreter verification test case studies. 
Appendix C provides Processor-Memory Module specification examples. 
2 
2 Hierarchical Pre-Post Logic 
In this section we describe a formal modeling approach that addresses the specification and verification 
needs of the PMM. The interpreter behavioral model provides for the specification of both operation pre- 
conditions and postconditions, hence the ‘pre-post’ designation. The approach supports hier 
position of system specifications and the explicit relating of the different levels through the use of 
abstraction predicates, as explained in thii section. 
In describing this hierarchical pre-post logic (HPL), we make use of a specification approach introduced 
by Joyce [Joy%], by describing operators and data types generically. Many operators are defined only by 
their types, with nothing said about what operations they actually perform. In this way, theorems proven 
about them are applicable to all operators satisfying the appropriate type. We make extensive use of type 
variables so that our results are applicable, in some instances, to structures with arbitrary types. 
In this section we make consistent use of the following variable names. The variables k, t, s, e, and p 
represent, in order, instructions, time, state signals, environment (input) signals, and output signals. When a 
variable is primed it denotes a concrete-level, or implementing, entity. Type variables prefixed by a * are 
polymorphic and denote abstract types. Note that each of the types shown here is abstract except for that of 
the time variable. The type “:time” is an abbreviation for the HOL type for natural numbers “:num” 
Common Variables and Their Types 
znstructwns: k :*in&, k’ :*in&’ 
Time: t :time, t’ :time’ 
State: s :tirne+*state, s’ :time’+*state’ 
Environment: e :time j*env,  e’ :time’j*env’ 
Output: p :time+*out, p’ :time’+*out’ 
The following generic operators are used throughout this section. We don’t describe them in detail here, 
but merely point out that the first three (the execution predicate, precondition, and postcondition) are asso- 
ciated with the interpreter behavioral model (Section 2.1) and the last four (event predicate, state, input, and 
output abstraction) are used in the abstraction definition (Section 2.2). 
The variable rep is an n-tuple whose elements are of the types specified for the generic operators. The 
operators are implemented as accessor functions that select elements of this n-tuple. For example, EXEC is 
a function that, when applied to rep, returns an arbitrary value of the appropriate type. 
Generic Operators 
Execution Predicate: EXEC rep : * instr+s-sig+e-sig+p-sig+time+booI 
Precondition: PREC rep :*instr-+s-sig+e-sig+p-sig+time+bool 
Postcondition: POSTC rep :*instr+s-sig+e-sig+p-sig+time+bool 
Event Predicah: G rep :time’+bool 
State Abstraction: SAbs rep :s-sig’-+e-sig’+p-sig’+time’+*state 
Environment Abstraction: EAbs rep :s-sig’+e-sig’+p-sig’+time’+*env 
Output Abstraction: PAbs rep :s-sig’+e-sig’+p-sig’+time’+*out 
ss ig  = (time+*state) s-sig’ = (time’+*state’) 
e-sig = (time+*env) e-sig’ = (tirne’+*env’) 
p-sig = (tirne+*out) p-sig’ = (time’+*out’) 
where: 
3 
The rest of this section describes four major aspects of our modeling approach: (a) the interpreter 
behavior model, (b) abstraction between levels, (c) interpreter liveness, and (d) interpreter correctness. Each 
of these is covered in its own subsection. 
2.1 Interpreter Behavioral Specification 
system. After this we describe the HPL approach to the particular subject being addressed. 
2.1.1 Related Work 
Interpreter modeling has a significant history now within the theorem proving community. In this sec- 
tion we discuss three different approaches that have been implemented within the HOL system, as well as 
others. Because the term ‘interpreter’ is such a broad one, covering essentially the entire class of finite-state 
machines, we have limited our focus to those approaches having been used to model hardware at higher lev- 
els of abstraction. By ‘higher’ we mean above the level of latches and flip-flops. The approaches cited here 
have all been used for modeling microprocessor instruction sets, for example. We have made minor modi- 
fications to the original definitions in some cases to achieve a common syntax for this section. 
‘FSM’ Approach 
The first approach was used by a number of researchers: Cohn for the Viper proof [Coh88][Coh89], 
Joyce for the Tamarack proof [Joy90], and Graham for the SECD proof [Gra92]. In each of these micropro- 
cessor modeling and verification efforts, the machine behavior was defined using a single function to repre- 
sent the next state with respect to the current state and current environment. Interpreter outputs were not 
modeled. 
In this and the subsequent sections we begin first with a description of prior work, usually with the HOL 
FSM Specijicafion Style [CohSS][Joy9O][Gra92] 
‘d t . s (t+l) = NEXT-STATE (s t) (et) 
~ ~~ 
This approach is a natural one to take and, indeed, worked as intended for all three of the cited efforts. 
However, one difficulty with it is its embedding of the instruction decoding operation within the next-state 
function. As explained in Section 2.4, this leads to some complexity in performing an implementation cor- 
rectness proof, 
GIT Approach 
Windley developed the generic interpreter theory (GIT) to address some of the problems existing with 
the previous interpreter models [Win90]. The basic idea behind the theory is that by implementing (inside 
the theory) some of the difficult proofs common to many interpreter verifications, the user is spared the bur- 
den of carrying out these proofs. Furthermore, the theory presents to the user a well-defined interface, detail- 
ing exactly what kinds of specifications need to be made and precisely what lemmas need to be proved. This 
has the effect of greatly streamlining the specification and verification tasks associated with interpreter 
proofs that use the theory. 
The GIT specification style, shown next, is different from the FSM style in its use of an instruction vari- 
able, k, which is defined by the function SELECT SELECT takes the current state and environment and 
returns an instruction, or ‘instruction key,’ in the GIT parlance. SELECT can be thought of as an instruction 
decoding function. 
The instruction key is used by the INSTRUCTIONS and OUTPUT functions to determine the particular 
next-state and output functions, respectively, to use for the current time. These functions are denoted NEXT-- 
4 
STATE-K and OUTPUT-K here to indicate that they are associated with a single instruction, k, and do not 
define the behavior for the entire instruction set. 
GIT SpeciJication Style [Win901 
V t . let k = SELECT (s t) (e t) in 
let NEXT-STATE-K = INSTRUCTIONS k in 
let OUTPUT-K = OUTPUT k in 
(s (t+l) = NEXT-STATE-K (s t) (et) A 
p t = OUTPUT-K (s t) (et)) 
From a specification standpoint, the GIT approach is very similar to the previous FSM models in its reli- 
ance on functions to define interpreter behavior. The incorporation of outputs into the GIT is a natural step 
forward however. Section 2.4 explains in more detail the advantages of the GIT approach over the previous 
RTS Approach 
In [Her92], Herbert describes a relational transition system (RTS), amodified GIT in which the behavior 
is expressed with relations rather than functions. One advantage of such a modification is that it admits par- 
tial descriptions of behavior. This was an important consideration in Herbert’s work on incremental design 
verification, where proofs were sometimes being performed before the design was finished. 
The RTS specification style is shown in the following HOL code. To begin, the approach makes use of 
a property list, prop-list, where each property, prop, within this list is a 2-tuple. The first element of the 2- 
tuple is an instruction key and the second element is a predicate. The main idea is that, for each execution 
step, exactly one key will be selected and the predicate it is paired with acts as a ‘postcondition’ for the exec- 
tion step. The predicate ISSELECT (k, s t, e t) is a relational version of the GIT SELECT function. It returns 
true when the instruction key, k, is selected by the current state, s t, and environment, et.  The postcondition 
predicate specifies the correct relationship between the next state and the current state and environment. 
Interpreter behavior is expressed as: for every property, prop, if prop is a member of the property list, 
and if the key within prop matches that selected by IS-SELECT, then the postcondition within prop is satis- 
fied. 
models in its support for interpreter verification. / 
RTS SpeciJication Style [He1921 
V t. let k = & k. IS-SELECT (k, s t, et) in 
(V prop. prop MEM prop-list A 
(F ST prop = k) 
3 
SND prop (s (t+l), s t, et))) 
where: prop-list is a list of (instruction tag, predicate) pairs with type: 
“:(*instr # (*state#*state#*env+bool)) list” 
The use of the choice operator (E) here is to guard against the possibility that multiple instruction keys 
are selected at a single time. Such a possibility would constitute a specification error and would be caught 
by this approach since the ‘uniqueness’ required to process the choice operator would not be established. 
5 
2.1.2 HPL Interpreter Behavior 
Our interpreter behavioral model has benefitted from the prior work done on the FSM and GIT 
approaches. Herbert’s efforts proceeded in parallel with ours, however, and thus our modeling work was per- 
formed independently of it. 
As was the case for Herbert, the motivation for developing a new interpreter model here was certain lim- 
itations within the existing approaches. In the case of HPL, the objective was to model fault-tolerant systems 
at very high levels of abstraction. The model required three elements: (1) a predicate to represent the state 
of a system prior to a mission, (2) a predicate to represent a set of fault-occurrence properties, an&(3) a pred- 
icate to represent the system state at mission end. The existing models did not provide this. 
This work on fault-tolerance modeling was performed outside of this contract, and is described in detail 
in [Fur94]. It produced the basic structure of the model, with the three elements mentioned above given the 
names precondition, execution predicate, and postcondition, respectively. However, most of the work 
described in this section, and virtually all of that described in the following sections, was performed under 
Tasks 10 and 12 of this contract. 
Interpreter Definition 
To specify hardware interpreters, HPL employs only two of the three predicates directly- the execution 
predicate (EXEC rep) and the postcondition (POSTC rep) as shown in the following definition. Interpreter 
correctness is stated informally as “whenever an instruction is executed its postcondition is satisfied.” This 
represents the standard behavior used in the other models described above. Where HPL differs is the com- 
bination of: (a) the use of an explicit instruction variable, k, (b) the separation of instruction decoding and 
execution into their own predicates, and (c) the relational-style postcondition predicate. 
As explained in Section 2.4, providing the instruction variable k as part of the interpreter definition per- 
mits straightforward instruction set case splitting, thus simplifying correctness proofs. This is achieved with- 
out having to perform nontrivial theorem proving within a generic theory. 
As explained later in this section, and in the interpreter liveness discussion in Section 2.3, having access 
to the instruction decoding behavior (the execution predicate) provides certain modeling advantages that can 
be exploited. 
Because the postcondition has very little predefined structure, HPL provides a great amount of flexibil- 
ity in its interpreter modeling. It is equivalent to RTS in this regard. It can accommodate the functional style 
of the FSM and GIT approaches, as well as the relational style of the RTS approach. 
Znfepreter Defanition: 
I- INTRPrepsep = V k t .  EXECrepksept  3 POSTCrepsept 
Preconditioned Interpreter Definition 
The above definition faithfully models the interpreter behavior we are interested in, and for many veri- 
fications it is suitable for direct use. There are some verification problems, however, that are inconvenient 
to solve using this model directly. In these proofs, correct execution requires that certain state variables con- 
tain specified initial values at the beginning of an operation. The transaction-level proofs for the PMM are 
6 
one example of this. A convenient way to handle these proofs is to fist postulate the appropriate values 
using a precondition (PREC rep) and then prove the simpler theorem shown next. 
Preconditioned Interpreter DeBnition: 
I- INTRP-PREC rep s e p = 
V k t .  EXECrepksept A PRECrepksept I> POSTCrepksept 
The need for operation preconditioning results in an additional theory obligation. The precondition must 
be initially established at time 0, and then it must be propagated at each successor time. The following def- 
inition of ‘precondition satisfaction’ describes this property. 
Precondition Satisfaction: 
I- PREC-SATrepsep = 
( V k .  EXECrepksepO 3 PRECrepksepO) A 
[V k k l  t . POSTC rep k s e p t A EXEC rep k l  s e p (SUC t) 3 PREC rep k l  s e p (SUC t)) 
PREC-SAT is a property that clearly must be met if the precondition is to hold at every operation bound- 
ary. The reason for including the execution predicate here is that, in general, a state’s value may be defined 
conditionally on an input occurrence that is encapsulated within the execution predicate. 
While the need for the above condition is expected in a correctness proof, the following proof obligation 
did surprise us initially. It states that when an instruction is executed at some (nonzero) time then there must 
have been an instruction executed at the previous time. 
Instruction Sequence Liveness: 
I- SEQLIVE rep s e p = V k t . EXEC rep k s e p (SUC t) I> (3 k l  . EXEC rep k l  s e p t) 
‘Instruction sequence liveness’ is an issue for us because we are verifying an instruction set rather than 
a program. In a program we know that a prior instruction is executed by virtue of its position within the code. 
Instruction set verification does not permit this solution, instead we must explicitly prove it. 
In the approach described here, interpreter correctness can be verified by satisfying the following three 
proof obligations. The justification theorem states that when they are satisfied, then the interpreter is correct 
The actual HOL definitions and the proof for this justification theorem are contained in Appendix B. 
I Modijied Proof Obligations: Justijicatwn Theorem: 
V rep s e p . INTRP-PREC rep s e p 
V reps e p . PREC-SAT reps e p 
V rep s e p . SEQ-LIVE rep s e p 
I- V r e p s e p .  
INTRP-PREC rep s e p 3 
PREC-SAT rep s e p 5) 
SEQ-LIVE rep s e p =I 
INTRP rep s e p 
In the tradition of Windley’s generic interpreter theory, we believe that the breakdown of theorem prov- 
ing tasks into two distinct classes, as shown here, has a great practical benefit in reducing the number of 
theorem proving tasks that must be repeated in every interpreter verification. The advantage to proving inter- 
preter correctness this way is that the justification-theorem proof could be embedded within a generic theory 
and then simply reused whenever a new interpreter is being verified. The user would only be concerned with 
proving facts that were specific to the particular circuit being addressed. In this case, these are the proof obli- 
gations shown here. 
7 
2.2 Interpreter Abstraction 
Virtually all interpreter verifications performed in HOL have used the abstraction ideas described by 
Melham in [Me190]. Of the different types of abstraction described in this previous work, two are of primary 
interest to interpreter modeling and verification: (a) temporal abstraction and (b) data abstraction. These 
thus represent the major topics of this section. 
2.2.1 Related Work 
microprocessor verifications cited earlier in this report. 
Temporal Abstraction 
Temporal abstraction relates the coarse-grained time at an abstract level of description to a fine-grained 
concrete time. The objective of a temporal abstraction approach is, therefore, to define an appropriate map- 
ping between the two levels. This is necessary so that the state, input, and output signals defined over these 
times can be related. 
In typical interpreter applications, the temporal relationship is defined with respect to the concrete-level 
signals. An ‘event predicate,’ G rep, shown among the following HOL expressions, when true, marks an 
‘instruction boundary event.’ These events define the concrete times marking the boundaries of the abstract 
operations. 
This section focuses on the temporal and data abstraction ideas described in [Me1901 used in most of the 
Event Predicate: (G rep) :time’+bool I Instruction B o u n d q  Event: G rep t’ = T 
Numerous examples of event predicates exist. In the low-level modeling work of [Her881 and [Me190], 
for example, clock-level operation boundaries are defined by the rising edge of the system clock. In the 
microprocessor verifications cited previously, the boundaries of the abstract-level assembly instructions are 
defined by the return of the microcode program counter to address zero. 
Having an event predicate is not sufficient, however, to relate an abstract level to an underlying concrete 
level. For example, while the event predicate G rep defines the concrete times marking the abstract-operation 
boundaries, it cannot identify the particular abstract times that correspond to these boundaries. The usual 
approach to address this is to define the abstract time as the accumulated ‘count’ of the boundary events. 
‘Operation boundary predicates’ implement this idea, as shown in the following HOL code. 
NTH-TIME-TRUE t (G rep) 0 t’ relates the abstract and concrete times through the event predicate G rep. The 
predicate is read “G rep is true for the t’th time at concrete time t’.” The ‘temporal abstraction function,’ 
t-abs, maps abstract time to concrete time using the instruction boundary predicate. For each abstract time 
t, it returns a concrete time, t’, such that G rep is true for the t’th time at t’. 
Instruction Boundary Predicate: 
Temporal Abstraction Function: 
NTH-TIME-TRUE t (G rep) 0 t’ 
t-abs :time+time’ = h t . E t’ . NTH-TIME-TRUE t (G rep) 0 t’ 
Data Abstraction 
Data abstraction relates the abstract-level data values to the data of the implementation. It is typically 
implemented with functions that map concrete values to abstract values. The following expressions show 
the abstraction functions mapping the state, environment, and output. While these functions can theoreti- 
cally handle arbitrary mappings, in practice the abstract data structures are usually simple subsets of the 
underlying concrete data structures. Note that the types for these functions are different from those of the 
8 
generic functions shown at the beginning of Section 2. The generic functions apply to the data abstraction 
described in the next section. 
Datu Abstraction Functions 
State Abstraction: s-abs :*state’+*state 
Envkonment Abstraction: e-abs : *env’+*env 
Output Abstraction: p-abs :*out’+*out 
Putting the Two Together 
The following HOL expressions show how the temporal and data abstraction operators are normally 
combined to implement abstraction (0 is the function composition operator). The abstract state signal s, for 
example, is defined as the expression within the parentheses on the right-hand side. The value defined by 
this expression applied to an abstract time t is seen to be a concrete value (s’ t’) mapped through s-abs. The 
concrete time t’ is the abstract time t mapped through t-abs. 
Traditional Interpreter Abstraction Relationships: 
s t = (s-abs o s’ o t-abs) t 
e t = (e-abs o e’ o t-abs) t 
p t = (p-abs o p’ o t-abs) t 
2.2.2 HPL Abstraction 
The HPL approach to interpreter abstraction uses the same temporal abstraction ideas as above but oth- 
erwise differs in two fundamental ways: (a) it uses more-powerful data abstraction functions to implement 
interval abstraction (described in the Task 10 Specification Report [Fur93a]) and (b) it implements the 
abstraction within ‘abstraction predicates’ rather than embedding it within the interpreter correctness state- 
ment. 
The following definition describes a typical abstraction predicate. Again, the temporal mapping uses the 
function Labs defined above. The difference from the traditional interpreter approach is that the state 
abstraction functions are strengthened to support interval abstraction. For example, the state abstraction is 
implemented using SAbs rep, which operates on the concrete state signal, s’ (type :time’+*state’), rather 
than the state value, s’ t’ (type :*state’). This gives the user of the abstraction function freedom to map mul- 
tiple (temporal) instances of a concrete signal to the abstract level, and allows mapping from concrete times 
other than t’. 
The abstraction is defined within an abstraction predicate, in contrast to current practice where it is 
defined within the interpreter correctness statement. One of the benefits of this approach is that abstraction 
is now defined and reasoned about as a stand-alone entity. This more blosely matches our intuitive under- 
standing of abstraction, which we view as defining the relationships between abstract and concrete variables, 
period. We do not require the existence of a correctness statement to think about these relationships. We also 
find the explicit naming of both the concrete and abstract signals to increase the clarity of these relationships. 
The implicitly defined abstract signals in the traditional approach provide a more cryptic definition. 
HPL Abstracrion Predicate: 
I- INTRP-ABS rep s e p s’ e’ p’ = 
V t . let t’ = t-abs t in 
(($3 t = SAbs rep 5’ e’ p’ 1’) A 
(et = EAbs rep s’ e’ p’ t’) A 
(p t = PAbs rep s’ e’ p’ t’)) 
9 
As explained in [Fur93a], the traditional approach to interpreter abstracuon, implemented in the GIT, is1 
not flexible enough to handle the required mapping between the clock level and the transaction level of the 
PIU. This was our original motivation for examining alternative approaches, leading to the selection and fur- 
ther development of HPL. 
2.3 Interpreter Liveness 
Interpreter liveness is a subtle issue, and the reason for this is that it involves the Hilbert choice operator, 
E. To help clarify things we consider again the HPL abstraction predicate, but we define it in a somewhat 
different way (and without E) as shown in the following HOL code. This definition is actually one that could 
be used for an implementation proof (it has certain disadvantages with respect to composition however) We 
show it because it demonstrates the clear need to establish that NTH-TIMEJRUE t (G rep) 0 t’ is true for the 
temporal variables t and t’. This is the interpreter liveness proof obligation. 
I 
ModiJed Abstraction Predicate: 
I- INTRP-ABS-X rep s e p s’ e’ p’ = 
tJ t t’. NTH-TIME-TRUE t (G rep) 0 t’ 
3 ((s t = SAbs rep s’ e’ p’t’) A 
(et = EAbs rep s’ e’ p’ t’) A 
(p t = PAbs rep s’ e’ p’ t’)) 
I 
In the actual abstraction predicate (of Section 2.2.2) the concrete time is mapped from the abstract time 
using the rewritten t-abs function as: t’ = Et’ . NTH-TIME-TRUE t (G rep) 0 t’. What can we say about this 
time t’ ? Nothing, actually, unless we can prove the following subgoal: 3 t’ . NTH-TIME-TRUE t (G rep) 0 t’ 
In other words, just as above, to achieve an interpreter correctness proof, the predicate NTH-TIME-TRUE t (G 
rep) 0 t’ must be proven true for the abstract instruction executed at time t. Without this the concrete and 
abstract variables cannot be related through the data abstraction functions. This proof obligation is easily 
obscured by the way that the abstraction predicate is defined in Section 2.2.2. 
2.3.1 Related Work 
In Melham’s treatment of abstraction, the interpreter liveness proof obligation is to establish a ‘universal 
liveness’ property similar to the one shown next. Proving liveness therefore entails showing that an abstract- 
to-concrete temporal mapping exists for all abstract times (or G rep is true infinitely often), 
Universal Liveness: 
I- INTRP-LIVErep = 
V t. 3 t’. NTH-TIME-TRUE t (G rep) 0 t’ 
When the event predicate depends on the interpreter input (Le., G rep = G’ e’ rep) then universal liveness 
cannot be proven. The source of the input may simply stop transmitting, for example. In their low-level hard- 
ware verification work, both Melham and Herbert simply assumed universal liveness for the clock input sig- 
nals within their event predicates [Me1901 [Her88]. 
When the event predicate is a function of the state (Le., G rep = G’ s’ rep) then the situation is much 
improved, and universal liveness can be proven. In the microprocessor verifications of Graham and Joyce, 
for example, the liveness property proven was actually somewhat different from the above definition. The 
basic idea in their work was to instead prove the following two properties: (1) G rep is true in at least one 
state, and (2) whenever G rep is true in a state then it is true in some later state [Gra92] [Joy90]. The proofs 
10 
of these two facts are more easily accommodated in an interpreter correctness proof than a direct assault on 
the above definition. Windley’s GIT incorporated many of these proof steps as part of the theory’s infrastruc- 
ture [Wingo]. 
2.3.2 HPL Interpreter Liveness 
For the vast majority of the transaction-level implementation proofs within the PMM, the event predi- 
cate is a function of the input rather than the state. The option of assuming universal liveness is not very 
appealing here, particularly for the S process that is concerned with start-up behavior. Here we would expect 
the event predicate (an active reset) to occur exactly once. 
Fortunately, it is not really necessary to establish universal liveness to achieve an implementation proof. 
The sufficient property to establish is that, given that an abstract operation is executed at timet, then there 
exists a t’th occurrence of the event predicate. This property is defined next. 
/ Conditional Liveness: 
I- COND-INTRP-LIVE rep s e p = 
’d k t .  EXEC rep k s e p t 
3 3 t’. NTH-TIME-TRUE t (G rep) 0 t’ 
We have demonstrated in our on-going P-Port verification that this definition is strong enough to achieve 
implementation correctness proofs. It is also weak enough so that it can be proven itself, provided that the 
execution predicate and abstraction predicate are defined appropriately. We use an example from the PIU P- 
Port to illustrate what we mean here. More explanation of the following terms can be found in [Fur93a]. 
In the P-Port the event predicate is defined with respect to two L-Bus signals received from the local 
processor: G rep = h t’. BSel(L-ads-E (e’ t’)) A BSel (L-den-E (e’ t’)). Now, turning to the transaction level, 
the execution predicate EXEC rep k s e p t is true if one of the six valid L-Bus transaction opcodes is received 
at timet; PBM-WrLM, PBM-WrPIU, PBM-WrCB, PBM-RdLM, PBM-RdPIU, or PEW-RdCB. In order to be able 
to prove conditional liveness, we place the followhng constraint on the abstraction: We require that the 
abstraction function define a transaction opcode equal to one of these values only if NTH-TIME-TRUE t (G 
rep) 0 t’ is true, where t’ is defined in the normal way as t-abs t. 
This constraint says that we don’t consider the P-Port to have received a valid transaction opcode at time 
t unless the P-Port has received t (clock-level) transaction requests. This is really not much of a constraint 
since we would expect this fact to be true anyway. 
To conclude this section, we point out only that it is the separation of the operation decoding function 
into its own execution predicate that permits this preferred solution to the interpreter liveness problem. 
2.4 Interpreter Correctness 
With a few exceptions (e.g., [Hun86]), interpreter correctness statements have generally followed the 
same form. These statements define an implication in which the behavior defined by the implementation 
interpreter implies the behavior defined by the specification interpreter. If we ignore the issues of abstraction 
and liveness, these statements are represented by the following pseudo-code. 
General (Stripped Down) Znterpreter Correctness DeJinition: 
I- imp-inlrp behavior I> spec-inlrp behavior 
Proving correctness statements such as this directly is usually avoided because of the complicated 
behaviors involved. One common approach used to break these proofs into smaller subgoals is to perform 
11 
a case split on the abstract-level instruction set. When this is done the proof obligations resemble the fol- 
lowing pseudo-code. Each of these subgoals is read: “if we assume the concrete interpreter behavior, and if 
we assume that the condition for (abstract) operation J’s execution is satisfied, then the specified behavior 
for operation J results.” 
General (Saipped Down) Operation Case Split: 
I- imp-in@ behavior 3 spec-opl execution condition 3 spec-opl postconditwn 
0 t 
I- imp-in@ behavior 3 spec-op N execution conditwn 3 spec-op N postcondition 
2.4.1 Related Work 
The microprocessor verifications cited earlier employ a correctness statement similar to the one shown 
next. This statement says: “if we assume the given implementation and interpreter liveness, then the 
instance of the specification interpreter ‘defined by the abstraction’ is correct.” This embedding of the 
abstraction within the correctness statement follows [Me190], and is the approach used to formally link the 
abstract- and concrete-level variables. 
Interpreter Correctness D&nitwn (based on [Me190],[Joy90], etc.): 
V rep s’ e’ p’. 
INTRP-imp rep s’ e’ p’ A 
INTRP-LIVE rep 
3 INTRP-spec rep (s-abs o s’ o t-abs) 
(e-abs o e’ o t-abs) 
(p-abs o p’ o t-abs) 
Given this basic form, the correctness proof can be approached in a couple of ways. The Viper, Tama- 
rack, and SECD proofs all employed variations of a common technique. Windley’s GIT-based verification 
of AVM-1 was a significant departure from this however. 
‘FSM’ Approach 
As indicated in Section 2.1, the FSM-style interpreter specification approach presents some difficulties 
for correctness proofs. The problem is that the embedding of the instruction decoding within the 
NEXT-STATE function makes it somewhat difficult to perform the desired case split on the instruction set. 
Although this is not a major problem, it does require extra work in performing the verification. 
Joyce, in the proof of Tamarack [Joy90], handled the instruction case split by explicitly defining a proof 
obligation for each instruction in terms of its 3-bit opcode bit combination. In all, there were eight instruc- 
tions verified this way. Some final processing was needed to show that the collection of cases proved actually 
covered all possible combinations of bit patterns. 
In the SECD proof [Gra92], Graham introduced a disjunctive ‘valid-program-constraint’ as a precon- 
dition within the correctness statement. Each disjunct represented the conditions under which that particular 
instuction was selected for execution. The case split was performed directly as part of the proof, with each 
case using its disjunct as an assumption. A disadvantage of this approach was the extra work required to 
specify the constraint, which was lengthy and quite detailed. 
12 
GIT Approach 
Windley’s work on the GIT recognized that the steps needed (in [Joy90]) to process the individual 
instruction proofs into a finished verification were independent of the actual system being verified. Rather, 
they were functions of the structure of the interpreter model, which could be fixed. Where the GIT takes a 
significant departure from fhese previous efforts is in collecting up these sorts of proof requirements and 
proving them within a generic theory. 
This has two beneficial aspects. First of all, the workload for the user of the theory is reduced since the 
theory proofs are reused. Secondly, the theory presents to the user a clear definition of the user’s proof obli- 
gations. For example, the GIT presents the following two obligations to the user. 
GIT User Proof Obligations [Win90]: 
(V s’ e’ p’ k . INST-CORRECT s’ e’ p’ k) A 
(b’ s’ e’ p’ k . OUTPUT-CORRECT s’ e’ p’ k) 
/ 
We don’t go into the details of INST-CORRECT and OUTPUT-CORRECT here since they are somewhat 
lengthy - these details can be found in [Win92]. The important point to be noted about these obligations is 
that they both contain the ‘for all k’ that makes clear the need for an instruction case split. Again, the proof 
infrastructure within the theory takes care of the details necessary to derive the interpreter correctness state- 
ment described previously. 
2.4.2 HPL Correctness 
HPL interpreter correctness is proven using the same general approach described above. There are some 
differences however, primarily in (a) the handling of abstraction and (b) the support for instruction case 
splitting. 
The HPL interpreter correctness definition is shown next. This statement says: “if we assume the given 
implementation and interpreter liveness, and if the abstraction is defined according to the abstraction pred- 
icate there, then the specification interpreter is correct.” 
I i 
HPL Interpreter Correctness Dejnitwn: 
V rep s e p s’ e’ p’. 
INTRP-imp rep s’ e’ p’ A 
INTRP-ABS rep s e p s’ e’ p’ A 
COND-INTRP-LIVE rep s e p 
3 INTRP-spec rep s e p 
We view this correctness statement as preferable over the statement of the last section in two 
respects: (a) the theorem consequence contains the specification interpreter, rather than a particular instance 
of the interpreter, and (b) abstraction is clearly (and correctly) treated as an asserted entity by its very posi- 
tion within the correctness statement. The practical differences between the two definitions may be small 
however. 
Instruction case-split support is not evident from this definition. 73 see where it exists we need to revisit 
the interpreter definition described in Section 2.1.2. Informally, this definition says: “for all k and t, if 
instruction k is executed at time t then the postcondition for k is true at t.” Thus, the instruction case split 
requirement is clearly indicated in the interpreter definition itself. It is made visible during an interpreter 
proof as soon as the abstract interpreter is rewritten, as a normal part of the initial proof steps in any verifi- 
cation. 
13 
3 Issues in Secure Abstract-Level Composition 
An important capability of a theorem-proving approach to hardware verification is the ability to achieve 
provably correct compositions of subsystem models at high levels of abstraction. This is an area in which 
theorem proving holds a potential advantage over competing approaches such as model checking [McM93], 
as well as others. 
There are good practical reasons for composing at high levels of abstraction. As pointed out in the Task 
10 Specification Report [Fur93a], abstract-level compositions are easier to verify than those pe,rformed 
lower in the hierarchy. In addition, the difficult implementation proof performed within a subsystem to 
achieve a verified abstract level is reused every time the subsystem is designed into a new system configu- 
ration. In contrast, composition proofs must be repeated for new configurations. 
For the specification and verification of large hardware systems there is probably no choice but to per- 
form as much abstraction as possible within subsystems, before composition, just to get a handle on the 
complexity. As demonstrated in the work under Task 10, performing the clock- to transaction-level abstrac- 
tion within the PIU ports greatly reduced the complexity of the PIU system mbdel, and is expected to reduce 
the amount of required theorem proving as well. 
In this section we overview some important issues in achieving provably correct compositions of 
abstract subsystem models. We first review the role of abstraction in this process. Following this, we 
describe the role of temporal abstraction for secure composition at low levels of abstraction. We then con- 
trast this to the temporal abstraction necessary for composition at levels comparable to the transaction level. 
The interface-event clocking introduced here provides the subject for Section 4. 
3.1 The Role of Abstraction 
The problem of ensuring the soundness of abstract-level composition is illustrated by Figure 3.1 At the 
top of this figure are two components, f and g, with output a and input b, respectively. Each of these com- 
ponents is an abstract representation of the component beneath it, f’ and g’, respectively. In its intended oper- 
ation, the abstract component g should receive the output of component f; in other words, we desire that the 
value on signal b be equal to the value on signal a, for all time t. The problem is to show that making this 
connection (composing f and g) is ‘sound,’ or that the composed abstract-level system remains an accurate 
abstraction of the composed concrete-level system. 
............................................................. 
composition (proved?) ‘Easy’ Solution: 
if a = absa’ 
and b = abs b’ 
thengiven a’ = b’ 
weprove a = b 
abslrmtwn abshnction 
a’ b’ 
composition (assumed) 
f’ 
Figure 3.1: The Problem of Composing Abstract Models. 
At the lowest level of abstraction in a model hierarchy, it is necessary to make the assumption that com- 
ponents are interconnected in some specified way. This is akin to assuming that the individual components 
have a specified behavior, and, hence, is unavoidable. However, at high levels of abstraction it is not accept- 
able to make such assumptions for the interconnections, just as it is not acceptable to assume the required 
14 
behavior of the individual components. Fortunately, we don’t need to make these assumptions, since the 
necessary properties can, in principle, be proven from the underlying implementation. 
Referring again to Figure 3.1, the abstract-level composition proof obligation is to show that the signals 
a and b are equal, given the specified models for components f’ and g’, plus their indicated interconnection, 
plus the abstraction linking f’ with f and g’ with g. The easiest way that this can be accomplished is if a and 
b are defined using a common abstraction hnction, abs for example, from their concrete counterparts a’ and 
b’ Since it is already assumed that a’ and b‘ are equal, the desired property that a (= abs a’) and b (= abs b’) 
are equal would result directly. 
In fact, the condition in which the abstract component inputs and outputs are abstractions of only the 
concrete inputs and outputs (and not state) holds among the transaction- and clock-level models of the 
PMM. The PMM specification hierarchy was constmcted in this way partly in response to the composition 
problems that were anticipated during Task 10. 
The work referred to in the last section (in [Her881 and [Me190]) was concerned with compositions at 
the ‘clock’ level of abstraction, using concrete-level components defined at the ‘timing’ level. At the clock 
level, a time step corresponds to a single period of the system clock. The timing level [Her881 has as its time 
step a fixed increment of real time, such as a nanosecond or a fraction of a nanosecond. Even though we do 
not use a timing level in our own work, it is worthwhile to examine the temporal abstraction used in this 
prior work in preparation for the transaction-level discussion of the next section. 
Figure 3.2(a) shows a very simple circuit that we use to illustrate some of these concepts. The flip-flops 
are both assumed to change their states on the rising edge of the clock signal clk’. The output of flip-flop A 
is assumed to be connected to the input of flip-flop B at the timing level of abstraction shown in the figure. 
The composition problem here is to prove that the same interconnection can be made at the clock level of 
abstraction. 
t+l t+2 t+3 clock-level time e . . .  A B 
t’ t’+N’ t’+2N’ t’+3N’ timing-level time 
clk’ clk‘ 
t-abs t = E u’. NTHJIME-TRUE t E 0 u’ 
where E = hv’ . R ~ E S  CIK v’ 
(b) Temporal Abstraction. (a) Timing-level Circuit. 
Figure 3.2: Temporal Abstraction Linking the Timing and Clock Levels. 
Almost intuitively, hardware designers know that two clock-level flip-flop models can be intercon- 
nected this way, provided that the applicable setup and hold times are all met. Ignoring these details, which 
we consider to be data abstraction issues, the underlying reason why this is so is that both flip-flops are 
clocked on the same edge of the same clock. In other words, they both employ the same temporal abstraction 
to link their timing and clock levels. As shown in Figure 3.2(b), the temporal abstraction function Labs 
relates the clock level to the timing level at the rising edges of the timing-level clock. The event signal E, 
15 
defined using the predicate RISES, is true precisely at these points of interest. RISES clk’ v’ is true precisely 
when clk’ v’ is true and clk’ (VI-1)  is false. 
The synchronous timing control that is provided by a common clock is instrumental in making the 
design of even large digital systems tractable. Again, it is the use of a common temporal abstraction function 
implied by this that eases the composition-correctness burden on the digital designer. Likewise, this com- 
mon clock simplifies the formal modeling and verification of composition at the clock level of abstraction. 
Unfortunately, from a modeling standpoint, digital designers do not include global clocks in their designs 
that step at the rate of all the levels in a specification hierarchy. The techniques described in this section need 
to be generalized to work at these higher levels. 
3.3 Temporal Abstraction for Interface-Clocked Systems 
In contrast to the low-level work described above, we are aware of no work to compose interpreters at 
higher levels of abstraction. The bulk of the work done by the theorem-proving community targets micro- 
processors. In this work the top level is typically the macroinstruction level, where a time step corresponds 
to the execution of an assembly-language instruction. The level immediately below this is often at themicro- 
instruction level. When compositions are performed as part of these microprocessor verifications however 
(for example between the microprocessor and system memory), it is done at the clock level or lower (e.g., 
[Hun86],[Coh88],[Joy90],[Win90],[Gra92],[Lev93]). In [Fur93a] we explained why we reject this 
approach for the PMM. 
One difficulty with higher-level composition is that, in direct contrast to the clock level, there is no 
notion of a global clock to synchronize the actions of the participating subsystems. For this reason, higher- 
level composition requires a certain amount of flexibility in defining what constitutes a ‘clock,’ as well as 
its corresponding ‘time steps.’ 
As before, one key to secure higher-level composition is the use of a consistent temporal abstraction for 
the subsystems being composed. For our transaction-level modeling, we have accomplished this by focus- 
ing on the bus protocols used by the subsystems of the PMM. At this level, a time step is defined by the 
occurrence of an event corresponding to the initiation of a new bus transaction. Figure 3.3 describes these 
events for the four buses of the PMM: the L-Bus (or P-Bus), I-Bus, M-Bus, and C-Bus. 
I 
M-Port 
C-Port 
~ 
Ep: GBus event signal 
Ei: I-Bus event signal 
Em: M-Bus event signal 
Ec: C-Bus event signal 
(a) PMM Structure and Event Signals. 
t t+l t+2 t+3 
0 0 0  0 trans-level time 
t’+M’ t’+N’ t’+O’ clock-level time “ 
t-abs t = E u’. NTH-TIME-TRUE t E* 0 u’ 
Ep = At. 
Ei = h t. 
Em = h t. FALLS MB-cs-eeprom- t V 
Ec = h t. 
L-ads-t A L-den-t 
I-male- t v I-rale- t V 7 I-cale- t 
FALLS MB-cs-sram- t 
CB-rqt- t 
(b) Temporal Abstraction for the Four Buses. 
Figure 3.3: Temporal Abstraction Linking the Clock and Transaction Levels. 
16 
The L-Bus event signal Ep, for example, when true for a clock-level time tp' indicates that a new L-Bus 
transaction has begun, and, hence, that the transaction-level time should be incremented. 
In a system with multiple buses then, it is possible that multiple clocks will exist. Section 4 covers the 
issues involved in modeling and verifying interpreters with interface clocking. (In the rest of this report we 
generalize the notion of bus protocols to include any communication policy between two or more sub- 
systems; we use the more generic term intetjiuce protocol to describe them.) 
17 
$ynchro~zing Inte~ace-Cloc~ed Interpreters 
The last section has shown that interface-event clocking can present scenarios in which interpreters 
relate to different events over their input and output interfaces. Since these events dictate the temporal 
abstraction for the abstract level, this implies that the abstract-level temporal variables for an interpreter’s 
input and output may themselves be different. In this section we examine how this possibility affects the 
modeling and verification of interpreter-based systems. 
The discussions of this section will be largely example driven. Figure 4.1 introduces the modeling style 
that will be used throughout the section. The interpreter in this figure has an input event predicate Fe rep ef 
and output event predicate Fp rep pf. The ‘representation’ variable rep has the same interpretation as in the 
previous sections. For example, Fe rep is a generic operator that maps a signal, ef in this case, to the bool- 
eans. The actual definition of Fe rep’s behavior is undefined, only its type is known. Within the actual HOL 
segments shown in this section, the complete expression will be used. However, in the text we will usually 
employ the abbreviated form: Fe, Fp, etc. 
I 1 
Fe rep ef’ - Input Event Predicate 
Fy rep pf’ - Ou@ut Event Predicate 
ef - Concrete Input Signal 
pf’ - Concrete Output Signal 
t’ - Concrete Input & Output Event Times 
I I 
Figure 4.1: Description of an Interpreter’s Transaction Events and Concrete-Level Variables. 
The input and output signal names follow a standard pattern of prefixing an e or a p, for the inputs and 
outputs respectively, to the name of the interpreter under consideration. The concrete-level signal names ef’ 
and pf’ are therefore used for the concrete-level intepreter f’ All concrete signals used in the following 
examples are of the type “:time’+*io”; the abstract signals map abstract time, t, to the same signal-value 
type *io. 
To permit this section to focus on issues of composition, the models in this section avoid unnecessary 
complexity wherever feasible. For example, the behavior of both concrete- and abstract-level interpreters is 
a simple flowthrough: V t’. pf’ t’ = ef’ t’ in the above example. We will describe other assumptions as they 
are needed. 
Moving on to the interpreter modeling issues themselves, we begin by pointing out that, even though a 
given interpreter’s event predicates may be different for the inputs and outputs, this does not mean that the 
temporal variables themselves must be different. A good illustration of this is the P-Port within the PIU. 
Here, the port’s input events are defined over the L-Bus and its output events over the PIU I-Bus. These are 
clearly different events yet the transaction-level temporal variable is the same for the inputs and outputs. 
The reason for this is that the input-to-output event mapping is one-to-one and onto. In other words, each 
input event causes at least one output event, and, furthermore, it causes at most one output event. 
Therefore, an important consideration for interface-clocked interpreters is the relationship between the 
occurrences of the input-transaction requests and the resulting output-transaction requests. These requests 
may or may not be one-to-one and they may or may not be onto. 
To gain a better picture of exactly what we mean here, Figure 4.2 shows these two relationships graph- 
ically. The one-to-one mapping, defined by the HOL definition TRANS-ONE-TO-ONE in part (a), describes 
an interpreter where every input transaction event results in a unique output transaction event. In other 
words, if an input request arrives at concrete time te’, then no further requests will arrive until after an output 
18 
I- TRANS-ONE-TO-ONE e’ p’ = Ep rep p’ t’ 
Y t te’ tp’. 
NTH-TIME-TRUE t (Ee rep e’) 0 te’ 3 
STABLE-FALSE (Ep rep p’) (te’,tp’-1) 3 
STABLE-FALSE (Ee rep e’) (te’+l ,tp’) 
Output Trans Times: *A-i-’ 
te 
Input Trans Times: A Y
te’ v Ee rep e’ t’ 
(a) Qne-to-One Relationship. 
I- TRANS-ONTOe’p’ = Ep rep p’ t‘ 
tP, ‘d t te’ tp”. 
STABLE-FALSE (Ee rep e’) (tp”+l ,te’-1) 3 
STABLE-FALSE (Ep rep p’) (tp”+l,te’-1) Input Tyns Times: * c. 
Ee rep e’ t’ 
Output Trans Times: 
A x 
Y 
t NTH-TIME-TRUE t (Ep rep p‘) 0 tp” 3 tp” implies 
Y v te’ 
(b) Onto Relationship. 
Figure 4.2: Transaction One-to-one and Onto Relationships. 
transaction is begun. The predicate STABLE-FALSE f (tl ,t2) is true precisely when f t is F for all t in the closed 
interval [tl, a]. 
The onto mapping defined in part (b) describes an interpreter where every output request is in response 
to a unique input transaction event. Here, if an output request is transmitted by the interpreter at concrete 
time tp”, then no more such requests will be transmitted until a new input transaction request is received. 
The one-to-one and onto relationships just described provide for a four-element partitioning of the class 
of (single-input, single-output) inteiface-clocked interpreters: 
(1) Interpreter transactions are one-to-one and onto. 
(2) Interpreter transactions are one-to-one but not onto. 
(3) Interpreter transactions are not one-to-one but are onto. 
(4) Interpreter transactions are neither one-to-one nor onto. 
Examples of all four interpreter types can be found in the PMM, depending on how one defines the 
transaction events for the various buses. As we have defined them, they lead to the existence of interpreter 
types (l), (2), and (3). In the following three subsections we examine each of the fist three interpreter types, 
primarily through simplified examples. 
19 
4.1 Bijective Monorate Interpreters 
When the mapping between the interpreter input transactions and the output transactions is bijective 
(both one-to-one and onto) we have the familiar situation in which the abstract clock rates are the same for 
the interpreter inputs and outputs. In order to introduce some concreteness into the following discussion, we 
will refer often to the simple circuit example shown in Figure 4.3. 
Concrete Interpreter Behavior: 
I- INTRP-f’ ef’ pf’ = V t’. pf’t’ = ef’t’ 
I- INTRP-f ef pf = V t .  pf t = eft 
Abs&act Interpreter Behavior: 
One-to-one and Onto Conditions Satisfied: 
(one-to-one) 
Input Abskaction: 
V t’. Fe rep ef’ t’ 3 Fp rep pf’ t’ 
let t’ = E t’. NTH-TIMS-TRUE t (Fe rep ef‘) 0 t’ in 
eft = ef’t’ 
Output Abstraction: (onto) V t’. Fp rep pf’ t’ 3 Fe rep ef’ t’ 
let t’ = Et’. NTHJIMETRUE t (Fp rep pf’) 0 t’ in 
pf t = pf’t’ 
Figure 4.3: Example Bijective Monorate Interpreter Model. 
The synchronization problem for monorate interpreters is fundamentally different from the intepreter 
synchronization problems of the following two sections. Here, we are concerned with an aspect of the inter- 
preter implementation verification. In a verification such as this it is clearly necessary to establish a proper 
input-output relationship for the concrete-level interpreter; in other words, in response to an input event 
request at time t’ the interpreter must be shown to produce correct outputs. Now, having this, it is an addi- 
tional step to prove that the t’th input request produces the correct behavior corresponding to the t’th output 
transaction, and not some other output transaction. 
A fair amount of our Task 10 work dealt with this synchronization problem for the PIU P-Port, and it 
resulted in the solution described in [Fur!33a]. In our work under Task 12 we have revisited the Task 10 solu- 
tion and made a fairly significant improvement to it. We don’t detail the Task 10 approach here except to 
say that it requires two additional theorems not required by the new approach that we describe next. 
The Task 10 work taught us that synchronizing an interpreter’s abstract-level inputs and outputs can be 
divided into two subproblems that can be handled separately. These are: (a) establishing interpreter ‘output 
liveness‘, and then, from this, (b) establishing the correct ‘transaction ordering.’ The following two HOL 
definitions precisely capture these two concepts. In these definitions, to save space we have introduced the 
terms €e and Ep to represent Ee rep e’ and Ep rep p’, respectively. 
Interpreter Output Liveness: 
I- OUT-TRANS-LIVE e’ p’ = 
Znterpreter Trans Ordering: 
I- NEXT-OUT-TRANS-IS-NTH e’ p’ = 
‘d t te’ tp’. 
NTH-TIMETRUE t €e 0 te’ 3 
NTH-TIME-TRUE t €p 0 tp’ 
V t te’. 
NTHJIME-TRUE t €e 0 te’ 3 
3 tp’. STABLE-FALSE-THEN-TRUE Ep (te’,tp’) STABLE-FALSE-THEN-TRUE € p  (te’,tp’) 3 
20 
The predicate OUT-TRANS-LIVE is true precisely when an output transaction event exists following 
every input transaction event. This is a property that clearly must be proved, since otherwise there would be 
no hope of establishing a proper temporal mapping on the interpreter output side. It is also a property that 
should be provable directly from the concrete-level definition of the circuit under consideration. Nothing is 
said about the ordering of such an output request, only that one must exist sometime on or after the arrival 
of the input request. The on-going P-Port verification includes this proof. 
The predicate NEXT-OUT-TRANS-IS-NTH is distinguished from OUT-TRANS-LIVE in that it is usually 
not possible to be proved directly from the concrete-level circuit. The reason for this is that it involves the 
abstract-level time t. Since circuits don’t normally maintain a memory of the number of input and output 
transactions processed, there is no notion oft  contained within the circuit description. These types of theo- 
rems are most naturally proven by induction; in this case, on the abstract timet. 
The following HOL segment describes an approach to achieving a proof for NEXT-OUT-TRAN- 
S-IS-NTH. In addition to the definition OUT-TRANS-LIVE just discussed, proof obligations exist for the def- 
initions TRANS-ONE-TO-ONE, TRANS-ONTO, and FIRST-TdANSCAUSAL. The first two of these were 
defined at the beginning of Section 4; the third is shown here. FIRST-TRANSCAUSAL says that no output 
transactions will be produced before the first input transaction is received. Having proofs for the four theo- 
rem obligations, the justification theorem provides the desired result. The HOL listings in Appendix B con- 
tain these definitions and the proof of the justification theorem. 
‘Interpreter Trans Ordering’ Pro0 f Obligations: 
I- ‘J e’ p’. TRANS-ONE-TO-ONE e’ p’ I- ‘J e’ p’. TRANS-ONTO e’ p’ TRANS-ONE-TO-ONE e’ p’ A 
I- ‘J e’ p’. FIRST-TRANSCAUSAL e’ p’ TRANS-ONTO e’ p’ A 
where: OUT-TRANS-LIVE e’ p’ 
I- FIRST-TRANS-CAUSAL e’ p’ = 3 NEXT-OUT-TRANS-IS-NTH e’ p’ 
JustiJcation Theorem: 
I- ‘J e’ p’. 
FIRST-TRANS-CAUSAL e‘ p’ A 
’V te’. 
STABLE-FALSE (Ee rep e’) (O,te’-l) 3 
STABLE-FALSE (Ep rep p’) (O,te’-l) 
In the tradition of Windley’s generic interpreter theory, we believe that the breakdown of theorem prov- 
ing tasks into two distinct classes, as shown here, has a great practical benefit in reducing the number of 
theorem proving tasks that must be repeated in every interpreter verification. The advantage to proving 
transaction ordering this way is that the justification-theorem proof could be embedded within a generic the- 
ory and then simply reused whenever a new circuit is being verified. The user of the theory would therefore 
not need to be concerned with constructing the proof, In general, it would be desirable to include into such 
a theory all of the proof infrastructure that doesn’t directly involve the circuit implementation or specifica- 
tion. In this way, the user would only be concerned with proving facts that were specific to the particular 
circuit being addressed. 
We are not proposing to develop a generic theory for interface-clocked interpreters in the near term, 
since a significant amount of basic research remains to be done; however, we believe that it is a good practice 
to structure theorem-proving tasks so that they could be easily incorporated into a future theory. 
21 
ve Multirate Interpreters 
The monorate interpreters addressed in the last section resemble very closely the interpreters employing 
global clocks, in the sense that the output times and the input times were the same for each state of the 
machine. Of course, there is no inherent reason that an interpreter’s input and output transaction events must 
be one-to-one and onto. When they are not, then the input and output times can be different, even for those 
corresponding to a common clock cycle. This possibility can seem strange unless one keeps in mind the fact 
that the inteface events dictate the associated clock rates, and that these events can occur at different rates. 
As we shall explain in this section, the benefit that is gained by handling interpreters this way is provably 
secure interpreter composition. And this composition is performed at a high level of abstraction, such as the 
PMM transaction level. 
In this section we address interpreters where the mapping between input and output transaction events 
is one-to-one but not onto. In other words, for every input event there are one or more output events. Figure 
4.4 depicts this scenario, using a version of the simplified example used in the last section. Again, the output 
behavior of this interpreter, at the abstract level, is the identity function, as are the data abstractions for the 
input and output variables. 
Absbact Interpreter Behavior: 
1- INTRPf rep ef pf ef‘ pf’ = 
‘d t. 
let t’ = E t’. NTH-TIME-TRUE t (Fe rep et,) 0 1’ in 
let u = E u. NTH-TIME-TRUE u (Fp rep pf’) 0 t’ in 
(pf u = eft) 
Znp ut Abstraction: 
let t’ = E t’. NTH-TIME-TRUE t (Fe rep ef’) 0 t’ in 
eft = ef’t’ 
let u’ = E u’. NTH-TIME-TRUE u (Fp rep pf‘) 0 u’ in 
One-to-One Condition Satisfied: 
(one-to-one) V t’. (Fe rep ef’) t’ 
(but not onto) 
I) (Fp rep pf’) t’ Ougut Absbaction: 
pf u = pf’ u’ 
~ ~ ~ ~ ~ ~ 
Figure 4.4: Example Injective Multirate Interpreter Model. 
The temporal abstraction functions in this figure clearly illustrate the multirate aspect of this example 
interpreter. Abstract timet at the interpreter input corresponds to the concrete timet’, where event Fe is true 
for the t’th time. Likewise, abstract time u at the output marks the concrete time that Fp is true for the u’th 
time. For this interpreter the relationship t 5 u holds. 
The interpreter behavioral model has some unfortunate complexity. Our objective at the start of this task 
was to employ the simpler relationship b’ t. 3 u. pf u = ef t to express interpreter behavior. However, this was 
not satisfactory. While it was possible to successfully verify the behavior with respect to a concrete-level 
implementation, using it to verify behavior higher up in the hierarchy proved to be extremely difficult. We 
were not able to accomplish this, due to the existential quantifier’s inability to ‘keep track’ of the necessary 
relationship with the concrete-level time. More discussion on this general topic proceeds below. 
The other approach that we considered was the relationship V t u. pf u = ef t. This also failed to work, 
but for the opposite reason; that is, it was too strong a statement to verify with respect to the implementation. 
Specifying the abstract time u for the interpreter output has thus turned out to be a fine balancing act between 
constraining it too much and not constraining it enough. Although somewhat ugly, the interpreter definition 
in Figure 4.4 achieves the proper balance. 
22 
In this interpreter definition the output expression contains the abstract time u, defined as the ‘event 
count’ corresponding to the concrete timet’. The definition oft’ here is critical - it is defined as the concrete 
time that the input event is true for the t’th time. Thus, the t’th input event and u’th output event are related 
through their common concrete-level time t’. 
To provide further explmation of these types of interpreters and to answer the question. “yes, but do 
they really exist in practice?” we now present a fairly substantial example. This example is actually a sim- 
plified version of certain ports within the PIU. It can also be seen to represent an important class of comput- 
ing structures, namely shared-memory systems. All of the definitions and proofs shown here have been 
implemented in HOL and are contained in Appendix B. 
Figure 4.5 shows the example circuit. The components labeled f’, g’, and h’ are intended to mimic cer- 
tain aspects of the behavior of the PIU C-Port, P-Port, and M-Port, respectively, while i’ represents the I- 
Bus. The individual concrete-interpreter behaviors are simply flowthrough. The i’ component behavior is 
viewed in a highly simplified way to avoid complexity not relevant to the immediate discussion. We assume 
that a transaction request from either of the source components, f’ or g’, is passed on to the h’ component. 
Thus, we are ignoring possible bus contention here. 
The abstract interpreter behavior is also a simple flowthrough for each of the three interpreters. In this 
figure, and in the following discussion, it is important to keep in mind that the abstract time variables (t here) 
are defined over the interface events showii in the appropriate figure. For example, t within the INTRPf 
model counts the input events Fe and the output events Fp. 
Concrete Interpreter Behavior: 
I- INTRP-f’ ef’ pf’ = ‘d t’. pf’ t’ = ef’ t’ 
I- INTRP-g’ eg’ pg’ = ‘d t’. pg’ t’ = eg’ t’ 
I- INTRP-h’ eh’ ph’ = ‘d t’. ph’ t’ = eh’ t’ 
Abstract Interpreter Behavior: 
I- INTRPf ef pf = ’d t. pf t = ef t 
I- INTRPAegpg = ‘dt. pgt=egt  
I- INTRP-hehph = ‘dt. pht=eht  
Figure 4.5: Example System Exhibiting Injective Multirate Behavior. 
So far we have seen nothing but one-to-one and onto behavior within these interpreters. Where we lose 
the onto behavior is in going to a higher level of abstraction. For example, in a direct parallel to theP Process 
of the PIU transaction-level specification, consider the behavior of a composite system containing the com- 
ponents g’, h’, and i’. Input events to this system are those denoted by G‘e (analogous to PIU L-Bus requests) 
and the output events are represented by Hp (analogous to M-Bus output requests). In this composite system 
the input and output events clearly proceed at different rates, since the output events Hp are also caused by 
the events Fe; not just the input events Ge. 
In light of the multirate interpreter model of Figure 4.4, it is perhaps an understatement to say that hav- 
ing multiple clocks is not desirable for a top-level specification. For our small system example then, the 
interpreter model shown in Figure 4.6 is preferred over the earlier multirate model style of Figure 4.4. In the 
composite system model here, the input and output values are both defined with respect to the input-event 
clock. In the rest of this section we explain how such a behavioral model can be verified with respect to the 
multicomponent configuration of Figure 4.5. 
23 
Desired Absaact Composite lnterpreter Behavior: 
I- INTRP-gh eg ph = ‘tl t. ph t = eg t 
Figure 4.6: Desired Composite-System Behavior for System Example of Figure 4.5. 
Figure 4.7 describes an implementation hierarchy linking the concrete models of Figure 4.5 to the 
abstract model just described. To simplify things somewhat, we are ignoring the intermediate bus i’, and 
therefore we assume that the components g’ and h’ are connected. 
‘tl t. let t’ = E t’. NTHJIME-TRUE t (Ge rep eg’) 0 t’ in 
let u = E u. NTH-TIME-TRUE u (Hp rep ph’) 0 t’ in 
. let t’ = E t’. NTH-TIME-TRUE t (Gp rep eh’) 0 t’ in 
let u = E u. NTH-TIMETRUE u (Hp rep ph’) 0 t’ in 
Figure 4.7: Specification Hierarchy for Circuit of Figure 4.5. 
At the bottom of the hierarchy are the concrete-level models with their associated behaviors shown at 
the side. Immediately above these are the abstract-level models for the same components. Here, the input 
and output values shown in the equations are based on the event predicates shown in the figure. An imple- 
mentation proof linking these two levels of models would use the techniques described in the Task 10 report 
[Fur93b]. In our HOL development in Appendix B we assume the implementation proofs for g and h, to 
more quickly get on with the issues of composition. 
Having verified models at the second level of this hierarchy, we would now like to compose them into 
a composite ‘gh’ system. Unfortunately, we cannot do this directly because of the mismatch in temporal 
abstraction between g and h, as evidenced by the different ‘event counters’ Gp and He. The solution to this 
dilemma is to redefine the abstraction for the h input. Instead of counting the events He, we now count Gp. 
This produces the complicated interpreter expression for h shown in the figure. 
The proof verifying that this new model is a valid abstraction of the old one is fairly straightforward. 
The key to making it work is the fact that a common concrete t’ exists for the r’th Gp event and the u’th He 
event. 
24 
With common temporal abstractions defined for the interfacing signals, the components g and h are then 
composed to form a new structural model. The proof for this step required some unexpected work to ensure 
that the intermediate concrete-level signals were available to several of the necessary definitions. Normally 
these signals are discarded at the earliest possible time. 
From the structural model, a behavioral abstraction was performed to create the model gh shown in the 
figure. As in the typical stucture-to-behavior proofs within the PMM, this proof was straightforward and 
short. 
The model verified in this step still maintains the complex multirate behavior of the component h’ In 
fact, had we desired, we could have avoided this scenario altogether by simply making h’s output count at 
the rate Gp to begin with. Our reason for not doing this was to remain faithful to the PMM design. In this 
design, the output of h mimics the M-Port value transmitted over the PMM M-Bus. In order to compose the 
M-Port (hence the PIU) with the local memory we will require a common temporal abstraction for this inter- 
face. Thus we keep Hp to demonstrate that this composition can be done. 
The final step in the proof chain is to redefine the abstraction for the system gh as a sort of inverse to 
the operation done for the h component. In fact, the proof for this verification is remarkably similar to that 
developed for h. Again all of these definitions and proofs are contained in Appendix B. 
/ 
4.3 Surjective Multirate Interpreters 
In this section we address the reverse scenario from that of the last section, namely, interpreters where 
the input-to-output transaction mapping is onto but not one-to-one. In this case, for every interpreter output 
event there are one or more input events. Another way of looking at this is that only a subset of the input 
events cause output events. 
Figure 4.8 shows an example of this type of interpreter. All of the assumptions and simplifications used 
in the previous sections are applied to this example, as well as those that follow in this section. In this par- 
ticular figure, we note that the interpreter behavior is similar to that of the injective interpreter example in 
Figure 4.4. In fact, the temporal abstraction is identical. The only difference is the addition of the condition- 
ing by F rep (eft) here. 
Abstract Interpreter Behavior: 
I- 1NTRP-f rep ef pf ef’ pf’ = 
I 
v t. 
let t’ = &t’. NTH-TIME-TRUE t (Fe rep ef’) 0 t’ in 
let u = & u. NTHJIME-TRUE u (Fp rep pf’) 0 t’ in 
(F rep (eft) 3 (pf u = eft)) 
Onto Condition Satisjied: Znput Abstraction: 
(onto) ‘d t’. (Fp rep pf’) t’ 
(but not one-to-one) 
let t’ = E t’. NTH-TIMEJRUE t (Fe rep et’) 0 t’ in 
eft = ef’t’ 
Jet u’ = E u’. NTH-TIME-TRUE u (Fp rep pf‘) 0 u’ in 
z) (Fe rep ef’) t’ Output Abstraction: 
pf u = pf’ u’ 
Figure 4.8: Example Surjective Multirate Interpreter Model. 
The predicate F rep is assumed to evaluate to true precisely when the interpreter input is identified as 
one that causes an output event (over pf). In such a case the output, at time u, follows the input, at timet, in 
this example. This is the same behavior as for the injective model of Figure 4.4. 
25 
An interesting difference from before, however, is evident for the case when F rep is not true. In this 
scenario there is no output event over pf, therefore, output abstract time effectively stands still. Thus, for this 
scenario we cannot express the output as some sort of ‘no-op’ value as might be attempted for a normal state 
machine. This explains the need for the conditioning contained in the model. 
We note here that this need to be able to underspecify the output behavior effectively rules out func- 
tional-behavior interpreter models for this application. Of the other interpreter models cited in Section 2, 
only Herbert’s RTS approach provides the necessary modeling flexibility. 
As in the last section, to provide a better appreciation for the practical importance of surjective modeling 
we present an example. Figure 4.9 shows it. As might be expected, instead of having the multiple sub- 
systems on the input side of the system as before, here they are on the output side. As before, this system 
also mimics the PIU, with the subsystems f’, g’, and h’ representing the P-Port, M-Port, and C-Port, respec- 
tively. 
Concrete lnterpre fer Behavior: 
I- INTRP-f’ ef’ pf’ = b’ t’. pf’ t’ = ef’ t’ 
I- INTRP-g’ eg’ pg’ = b’ t’. pg’ t’ = eg’ t’ 
I- INTRP-h’ eh’ ph’ = b’ t’. ph’ t’ = eh’ t’ 
Abstract In ferpreter Behavior: 
I- INTRPf ef pf = b’ t. pf t = ef t 
I- INTRP-gegpg = b’t. pgt=egt  
I- INTRP-h eh ph = b’ t. ph t = eh t 
Figure 4.9: Example System Exhibiting Surjective Multirate Behavior. 
In this example system, an output transaction arriving at input ef causes an output transaction at either 
output pg or else ph, but not both. In the context of the PIU, this represents L-Bus inputs being forwarded 
to the M-Bus or C-Bus, respectively. We are ignoring the PIU R-Port register file as a possible destination 
here. 
The preferred system model for this configuration is shown in Figure 4.10. All signals are expressed 
using the same temporal operator, t, which counts input transactions. As above, the outputs are conditioned 
on the destination status contained within the system input. Although we have not proven this, we believe 
that this conditioning can be replaced here by a functional version. In other words, the pg expression could 
be written as: pg t = (G rep (ef t)) s ef t 1 ‘irue‘, where the ‘idle’ output would represent an output tri-stated 
condition. This appears feasible, first of all, because the necessary temporal events exist (at the input), and 
secondly, because the output is presumed to be tristated anyway between the more coarse-grained output 
events. The overall benefit from doing this is not clear though. 
Desired Abskact Composite Interprefer Behavior: 
I- INTRPfgh ef pg ph = 
‘tl t. (G rep (eft) 3 (pg t = ef t)) A 
(H rep (eft) 3 (ph t = eft)) 
I 1 
Figure 4.10: Desired Composite-System Behavior for System of Figure 4.9. 
26 
The specification hierarchy for the surjective cases looks remarkably similar to that for the injective case 
of the last section. We are currently in the process of completing the proofs for this case however. They will 
be made available when they are finished. 
\J t. (G rep (eft) 3 (pg t = eft)) A 
(H rep (eft) 3 (ph t = eft)) 
t. let t’ = E t’. NTHJIME-TRUE t (Fe rep ef‘) 0 1’ in 
let u = E u. NTH-TIME-TRUE u Gp rep pg’) 0 t’ in 
((0 rep (et t) 3 (pg u = eft)) A 
(H rep (eft) 3 (ph v = eft))) 
let v = E v. NTH-TIME-TRUE v ( L p rep ph’) 0 t’ in 
t. let t’ = Et’. NTH-TIME-TRUE t (Fp rep eh’) 0 t’ in 
let u = E u. NTH-TIME-TRUE u (Hp rep ph’) 0 t’ in 
(H rep (eh t) 3 (ph u = e h  t)) 
Figure 4.11: Partial Specification Hierarchy for System of Figure 4.9. 
27 
5 Processor-Memory Module Specification and Verification 
In this section we overview our progress on the Processor-Memory Module (PMM) specification and 
verification. Section 5.1 overviews the PMM itself. The three sections that follow cover our work on the 
specification of the local processor, local memory, and PIU 
5.1 PMMOverview 
The PMM is the primary processing subsystem of the Fault Tolerant Embedded Processor (FEP)  sys- 
tem. As seen in Figure 5.1, the PMM contains four major subsystems: the local processors, the ldcal mem- 
ory, the Processor Interface Unit (PIU), and the Core Bus (C-Bus) interface. 
The PMM processors (CPUO and CPU1) are arranged in a cold-sparing configuration to enhance long- 
life operation. Only one processor is active during a given mission. The choice of active processor is deter- 
mined during initialization. The spare processor is disabled by the PIU through assertion of the processor’s 
cpu-reset input. For the first implementation of the PMM, described in this report, Intel 80960MC micro- 
processors [Int89] are used for the local processors. They communicate wfth the PIU using the L-Bus bus 
protocol of the 80960. 
Processor programs and data are stored in local electrically-erasable programmable read-only memory 
(EEPROM) and static random access memory (SRAM), respectively. Memory accesses are initiated by 
either the local processor or an external block acting as C-Bus master. In either case the PIU provides the 
memory interface. The features provided by the PIU include memory error correction, memory locking to 
implement atomic read-modify-write operations, byte accesses, and block accesses of up to 64 words. 
EEPROM and SRAM memory capacity in the first implementation is 1 MF3 (megabyte) of actual informa- 
tion storage each, implemented within seven 256Kx8-bit memory chips each. A (7,4) Hamming code pro- 
vides single-bit error correction on memory reads. 
The PIU also provides processor support features such as timers and interrupt control. l b o  64-bit timers 
can be set by the processor to provide either timekeeping or watchdog functions. Processor interrupts are 
pmm-reset cpu0-reset 
cbus-clk 
b 
piu-clk failureo- CPUO 
I 4 * 
L-Bus M-Bus I! PIU 
EEPROM 
~ 
Core Bus Interface 
~ 
Figure 5.1: Block Diagram of the Processor-Memory Module. 
28 
generated within the PIU under two conditions. One condition is a timer time-out; the other is a write oper- 
ation to a specially designated PIU register by either the local processor or C B u s  master. 
The reset and clock signals shown at the top of Figure 5.1 are produced by the Fault-Tolerant Clock Unit 
(FTCU) not shown here. The pmm-reset signal is sent only to the PIU to allow it greater control over the 
local processors. For example, the PIU uses this signal to enter its initialization mode, during which it acti- 
vates the processor reset signals. All of the PIU input signals produced by the FTCU are synchronized with 
those in the PIUs in redundant PMMs of a fault-tolerant FTEP core. 
The structure of the PIU itself is shown in Figure 5.2. The Processor Port (P-Port), C B u s  Port (C-Port), 
and Memory Port (M-Port) implement the communication protocols for the L-Bus, CBus ,  and M-Bus, 
respectively. The M-Port also implements (7,4) Hamming encoding and decoding on writes and reads, 
respectively, to the local memory, and the C-Port implements single-bit parity encoding and decoding for 
C-Bus transfers. 
The Register Port (R-Port) is the fourth, and final, port residing on the PIU’s Internal Bus (I-Bus). It 
contains a state machine, counters, and various command and status registers used by the local processor to 
implement timers and interrupts. 
d 
cpu0-reset 
cpul-reset 
d 
M-Bus 
<= 
Figure 5.2: Major Blocks of the Processor Interface Unit. 
fail ure0- 
failurel- 
L-Bus 
3 
29 
The Start-up Controller (SUCont) implements the PMM initialization sequence. After it has concluded 
initialization, control is turned over to the other ports with the SU-Cont continuing operation in a back- 
ground mode. The SU-Cont is not physically located on the I-Bus; however, for convenience, we will some- 
times refer to it as one of the five PIU ports. 
As explained in [Fur93a] the PMM exhibits at least four distinct types of behavior: (a) initialization and 
self-test, (b) timekeeping and interrupt control, (c) CBus-initiated memory requests to the PMM local 
memory and the PIU register file, and finally (d) local-processor-initiated memory requests to the same two 
destinations, plus to global memory via the C-Bus. For the purposes of this report, we are only concerned 
with the last type of behavior, local processor memory requests to the local memory, the internal PIU register 
file, and global memory. 
5.2 Local Processor Specification 
To support the Task 12 research focus on PMM composition, we have developed a simple transaction- 
level model for the local processor as a means to exercise the L-Bus interface to the PIU The following 
HOL segment shows the transaction-level postcondition for this model. As evident from this definition, the 
processor model acts principally as a source and sink for L-Bus packets. The values for the transmitted pack- 
ets are taken from the local state, s, and the data returned from the PIU on reads are simply written back to 
this state. 
The packet opcode is determined by the address bits and readwrite information. (The functions SUB- 
ARRAY and ELEMENT return a subarray and element of an array, respectively.) The six opcodes shown in the 
model are for reads and writes to the local memory (-LM), PIU register file (-PIU), and global memory CCB). 
The address, block size, byte enables, and lock bit are transmitted directly. The output data is transmitted 
only on write operations, as expected, and the local state is updated only on reads. The Xsk 10 Specification 
Report [Fur93a] contains a more detailed explanation of these fields. The actual HOL listings for the local 
processor specification are contained in Appendix C. 
Local Processor Postcondition: 
I- CPUT-POSTC cputi s (er,el) p t = 
let h e m  = (7 ELEMENT (CPUT-addrS (8 t)) 31) A 
let piu = (T ELEMENT (CPUT-addrS (s t)) 31) A 
let cbus = ELEMENT (CPUT-addrS (s t)) 31 in 
let write = CPUT-wrS (s t) in 
((PBM-Opcode (p t) = lmem 
(-, (SUBARRAY (CPUT-addrS (s t)) (25,24) = WORDN 1 3)) in 
(SUBARRAY (CPUT-addrS (s t)) (25,24) = WORDN 1 3) in 
(write * PBM-WrLM 1 PBM-RdLM) I 
piu 3 (write 3 PBM-WrPIU I PBM-RdPIU) I 
%cbus% (write * PBM-WrCB I PBM-RdCB)) A 
(PBM-Addr (p t) = CPUT-addrS (s t)) A 
(write 3 (PBM-Data (p t) = CPUT-dataS (s t))) A 
(PBM-BS (p t) = CPUT-bSS (S t)) A 
(PBM-BE (p t) = CPUT-be-S (s t)) A 
(PBM-Lock (p t) = CPUT-lock-S (S t)) 
(-I write 3 (CPUT-dataS (8 (t+l)) = PBS-Data (el t)))) 
A 
30 
5. 
1 for the local memory reflects the simple behavior of this subsystem. The 
following WOL code shows the postcondition for the local memory. It describes the expected behavior with 
represents word writes represents byte writes. As indicated in 
this definition, an opcode of dWr corresponds to a ‘simultaneous’ read and write, Actually, at the 
implementing clock level the read precedes the write. The PIU executes a read-modify-write operation to 
implement byte writes so that the full 32-bit memory word gets reencoded. 
The function MALTER in this definition inserts into its first argument (the memory) the value of the third 
argument (the M-Bus data array). The insertion is done within the address bounds of the second argument. 
If the operation is either a word write or a byte write the the memory is updated with the new value, oth- 
envise the old value is used. The opcode output of MBS eady indicates that the memory is implementing 
its part of the M-Bus protocol correctly. For the simple memyy-bus protocols of typical memory chips, this 
means that the memory is not driving the concrete-level data signal lines out of turn. On data reads and byte 
writes the memory system returns the requested data array. 
the major point of inte being the handling of byte . Among the three M-Bus opcodes, r 
M-Rd represents reads, 
Local Memory Postcondition: 
I- MEMT-POSTC memti s e p t = 
let adr-min = VAL 23 (MBM-Addr (e t)) in 
let adr-max = adr-min + bs in 
t) = MBM-Wr) V (MB -0pcode (et) = MBM-RdWr)) 
(MBM-Data (e t)) 
I MemtS (s t)) A 
(MBS-Opcode (p t) = MBS-Ready) A 
(((MBM-Opcode (et) = BM-Rd) V (MBM-Opcode (et) = MBM-RdWr)) 
I) (MBS-Data (p t) = SUBARRAY (MemtS (s t)) (adr-max,adr-min)))) 
5.4 PIU Specification 
During this task we have made some modifications to the existing PIU models, some by choice and oth- 
ers by necessity. In some cases we found that models could be greatly simplified by making better use of 
specially-defined functions. The M-Port model described in this section is a good example of such a case. 
Other simplifications were made by moving away from the functional modeling style of the GIT, and instead 
using a relational style. 
Changes that were dictated to us primarily concern composition. In particular, it became necessary to 
redefine our data structures that had been defined with respect to the ports during lhk 10. For example, the 
P-Port specification previously had its own set of state, input, and output structures that were different from 
those of the other ports. Distributing these signals among the other ports would have required additional pro- 
cessing that would have added even more complexity to an already sizeable PIU specification. 
To correct this, in this task we have introduced new data structures for the buses, as well as the other 
interconnects of the PMM. These provide the expected improvement in sharing among the port models that 
use them. We have included the transaction-level data structures within the HOL listings in Appendix C. 
31 
In the rest of this section we describe one of the revised port models, namely the transaction-level post- 
condition for the M-Port. Much of this definition is familiar from the earlier models. The interesting parts 
here concern the Hamming encoding and decoding, plus the implementation of byte writes. 
Beginning with the simpler Hamming decoding on memory reads, the I-Bus output data is shown here 
being processed by a function MAPN. This function creates an array of size bs by mapping (Ham-Dec rep) 
over the individual elements of the M-Bus data input. 
Modeling byte-write operations is inherently complex in a word-addressed memory, especially when 
the data are encoded. For each word to be written, the M-Port first reads the current word from membry, then 
inserts the new bytes into the word (based on the byte enable bit pattern), and finally writes the updated word 
back into memory. The word read from memory is decoded before being used and the updated word is 
encoded before being stored. 
In the M-Port postcondition, the function MAP-LISTN creates an array of size bs similar to MAPN above. 
However, rather than applying a single function over the entire input array, it applies a list of functions. The 
first function of the list is applied to the first element of the array, and so on. The function BYTE-MUXN per- 
forms the desired byte selection here for each word when mapped over its four arguments: 31, be, the ‘new’ 
word, and the ‘old’ word. 
M-Port Postcondition: 
I- MT-POSTC rep mti (ei,em,er) (pm,pi) t = 
let bs = VAL 1 (PBM-BS (ei t)) in 
((IBS-Opcode (pit) = IBS-Ready) A 
((mti = MT-Rd) 
3 (MBS-Opcode (em t) = MBS-Ready) 
3 (IBS-Data (pit) = MAPN bs (Ham-Dec rep) (MBS-Data (em t)))) A 
(MBM-Opcode (pm t) = 
(mti = MT-Rd) MBM-Rd I 
((mti = MT-Wr) A (PBM-BE (ei t )  = WORDN 3 15)) 3 MBM-Wr I 
MBM-RdWr) A 
(MBM-Addr (pm t) = PBM-Addr (ei t)) A 
((mti = MT-Wr) 
3 (MBM-Data (pm t) = 
let be = PBM-BE (ei t) in 
MAP-LISTN bs 
[(Ham-Enc rep) o 
(hf. BYTE-MUXN 31 be (ELEMENT (PBM-Data (ei t)) 0) f); 
(Ham-Enc rep) o 
(If. BYTE-MUXN 31 be (ELEMENT (PBM-Data (ei t)) 1) f); 
(Ham-Enc rep) o 
(hf. BYTE-MUXN 31 be (ELEMENT (PBM-Data (ei t)) 2) f); 
(Ham-Enc rep) o 
(Af. BYTE-MUXN 31 be (ELEMENT (PBM-Data (ei t)) 3) f)] 
(MAPN bs (Ham-Dec rep) (MBS-Data (em t))))) A 
(MBM-BS (pm t) = PBM-BS (ei t))))) 
Compared to the old style of specification that we described in our Task 10 reports, the new models are 
much more compact, and arguably easier to understand. The difficulty in comprehension that is introduced 
by the use of the new functions is more than offset by the reduction in bulk. Nevertheless, we believe that 
specifications of this sort should be challenged either through proof or by simulation. In the future we hope 
to address the issue of requirements specification correctness with additional rigor. 
32 
6 Conclusions 
The ability to compose hardware interpreter models at high levels of abstraction is fundamental to the 
practical specification and formal verification of nontrivial hardware systems. Without such a capability, 
large-scale system verifications would quickly become bogged down by the explosion in low-level state 
resulting from the independent actions of typical interacting subsystems. In the work reported here, we have 
developed a technique for high-level interpreter composition and demonstrated its efficacy on a substantial 
verification example. The approach is suitable for application to the transaction-level verification of the tar- 
get Processor-Memory Module (PMM). 
To our knowledge, all formal hardware verifications to date have performed their component composi- 
tions at very low levels of abstraction, comparable to the PMM clock level. At these levels of abstraction, 
the presence of a global clock greatly facilitates the necessary composition theorem proving. The global 
clock is the basis for a single temporal abstraction definition that is shared by each component interface. 
This common abstraction is, in turn, instrumental for achievin a straightforward composition proof. 
systems communicate by using what are normally termed protocols. These protocols are defined with 
respect to certain events defined over the low-level signals that interconnect the communicating subsystems. 
A formal proof of high-level composition must therefore focus on these shared events as a means to syn- 
chronize subsystem interactions. 
In this ‘interface-event clocking’ approach, the abstract-level temporal operators for a subsystem’s input 
and output signals measure the accumulated count of the appropriate transaction ‘events’ occurring over the 
input and output interfaces, respectively. This view of temporal abstraction introduces some interesting 
modeling and verification issues. Becaus the events for a subsystem’s inputs and outputs are defined for 
different interfaces, they may or may not occur in lock step. When they don’t, then the input and output 
events count at different rates, This has the effect of creating interpreter behavior functions where the time 
variables for the inputs and outputs are different. 
Such ‘multiclocked interpreters’ have great practical importance in hardware modeling and verification. 
For example, within the PMM there are scenarios in which the relationship between interpreter input events 
and output events is one-to-one, but not onto, and vice versa, In other words, there are cases in which a sub- 
system’s input events cause only a subset of its output events, and cases where only a subset of the input 
events cause output events. In fact, these scenarios represent an important class of computing hardware 
structures that includes, for example, bus-based shared memory systems. 
We have developed techniques that allow us to create and formally verify such ‘multiclocked interpret- 
ers’ with respect to standard interpreter models. We have also implemented an approach to formally verify 
compositions involving multiclocked interpreters. Finally, we have formally verified standard interpreters 
with respect to multiclocked interpreter models. These techniques were all demonstrated on a substantial 
example verification problem. 
In addressing the composition needs of a real-world subsystem, we have exceeded the capabilities of 
interpreter modeling approaches developed for streamlined microprocessor verifications. Prior work under 
Task 10 showed inadequacies in their handling of abstraction. In this task, we have found that multirate 
interpreters cannot be modeled using the functional style of behavior embedded in some standard models. 
A relational style of behavior modeling is required here. 
The hierarchical pre-post logic (I-IPL) modeling approach that was developed largely under this contract 
has been shown to satisfy the modeling and verification needs of the PMM. Future work should focus on 
exploring further the basic problems in PMM verification that will surely arise as this effort continues under 
Boeing funding. Beyond this, we should consider embedding WL‘s multiclocked interpreter approach to 
composition within a generic theory, a composition-oriented version of Windley ’s generic interpreter theory. 
The higher levels of abstraction have no such notions o H a global clock. Instead, at these levels sub- 
33 
7 
[Chu40] 
[Coh88] 
[Coh89] 
[Con861 
[Fur93a] 
Fur93bI 
[Fur941 
[Gor79] 
[Gor93] 
[Gra92] 
[Her881 
[Her921 
[Hun861 
[Int89] 
[JOY901 
[ Kan871 
[Lev931 
[McM93] 
A. Church, “A Formulation of the Simple Theory of Qpes,” Journal of Symbolic Logic, Vol. 5,  
1940. 
A. C o b ,  “A Proof of Correctness of the Viper Microprocessor: The First Level,” in G. Birtwist- 
le and P. A. Subrahmanyam (eds.), VUZ Specification, Verification, and Synthesis, Kluwer Ac- 
ademic Publishers, 1988, pp. 27-71. 
A. Cohn, “Correctness Properties of the Viper Block Model. The Second Level,” in G. Birtwist- 
le and P.A. Subrahmanyam (eds.), Current Trends in Hardware VeriJcation and Automated 
Theorem Proving, Springer-Verlag, 1989, pp. 1-91 
W.L. Constable, Implementing Mathematics with the NUPRL Proof Development System, Pren- 
tice Hall, 1986. 
D.A. Fura, P.J. Windley, and G.C. Cohen, ‘Towards the FormJ Specification of the Require- 
ments and Design of a Processor Interface Unit,” NASA Contractor Report 4521, 1993. 
D.A. Fura, P.J, Windley, and G.C. Cohen, “Towards the Formal Verification of the Require- 
ments and Design of a Processor Interface Unit,” NASA Contractor Report 4522, 1993. 
D. A. Fura, Formal Abstraction, Composition, and Verification Methods for Fault-Tolerant 
Hardware Interpreters, Ph.D. thesis, Department of Electrical Engineering, University of 
Washington, 1994. 
M. Gordon, R. Milner, and C. Wadsworth, Edinburgh LCF- A Mechanized Logic of Computa- 
tion, Lecture Notes in Computer Science, Vol. 78, SpEinger-Verlag, 1979 
M.J.C. Gordon and T.F. Melham, Introduction to HOL; A Theorem Proving Environment for 
Higher Order Logic, Cambridge University Press, 1993. 
B.T. Graham, The SECD Microprocessor. A Verification Case Study, KIuwer Academic Pub- 
lishers, 1992. 
J. Herbert, ‘Temporal Abstraction of Digital Designs,” Technical Report No. 122, Computer 
Laboratory, University of Cambridge, February 1988. 
J.M.J. Herbert, “Incremental Design and Formal Verification of Microcoded Microprocessors,” 
in V: Stavridou, T.F. Melham, and R.T. Boute (eds.), Theorem Provers in Circuit Design, Elsevi- 
er Science Publishers, 1992, pp. 157-174. 
W.A. Hunt, Jr., FM8.501: A Verified Microprocessor, Ph.D. thesis and Technical Report 47, In- 
stitute for Computing Science, University of Texas at Austin, February 1986. 
Intel Corporation, 80960MC Hardware Designer’s Reference Manual, June 1989. 
J.J. Joyce, Multi-Level Verijication of Microprocessor-Based Systems, Ph.D. thesis and Techni- 
cal Report No. 195, Computer Laboratory, University of Cambridge, May 1990. 
G. Kane, MIPS R2000 RISCArchitecture, Prentice Hall, 1987. 
K. Levitt, et. al., “Formal Verification of a Microcoded VIPER Microprocessor Using HOL,” 
NASA Contractor Report 4489, February 1993. 
K.L. McMillan, Symbolic Model Checking, Kluwer Academic Publishers, 1993. 
34 
[Me1901 T. Melham, Formalizing Abstraction Mechanisms for Hardware Veri$cation in Higher Order 
Logi, Ph.D, thesis and Technical Report No, 201, Computer Laboratory, University of Cam- 
bridge, August 1990. 
P.J. Windley, The Formal Verijitation of Generic Interpreters, 1Ph.D. thesis and Research Report 
CSE-90-22, Division of Computer Science, University of California, Davis, July 1990. 
P. Windley, K. Levitt, and G.C. Cohen, “The Formal Verification of Generic Interpreters,” 
NASA Contractor Report 4403, October 1991. 
P.J. Windley, “Abstract Theories in HOL,” in Proceedings of the 1992 International Conference 
on the HOL theorem Prover and its Application, October 1992. 
[Win901 
[Win911 
[Win921 
35 
Appendix A: HOL Overview 
HOL is a general theorem proving system developed at the University of Cambridge [Go1931 that is 
based on Church’s theory of simple types, or higher order logic [Chu40]. Church developed higher order 
logic as a foundation for mathematics, but it can be used for describing and reasoning about computational 
systems of all kinds. Higher order logic is similar to the more familiar predicate logic, but allows quantifi- 
cation over predicates and functions, not just variables, allowing more general systems to be described. 
HOL grew out of Robin Milner’s LCF theorem prover [Gor79] and is similar to other LCF progeny such 
as NUPRL [ConM]. Because HOL is the theorem proving environment used in the body of this work, we 
describe it in more detail. This description is taken from [Win90]. 
HOL‘s proof style can be tailored to the individual user, but most users find it convenient to work in a 
goal-directed fashion. HOL is a tactic-based theorem prover. A tactic breaks a goal into one or more sub- 
goals and provides a justification for the goal reduction in the form of an inference rule. Tactics perform 
tasks such as induction, rewriting, and case analysis. At the same time, HOL allows forward inference, and 
many proofs are a combination of forward and backward proof styles. Any theorem-proving strategy a user 
employs in connection with HOL is checked for soundness, eliminating the possibility of incorrect proofs. 
HOL provides a metalanguage, ML, for programming and extending the theorem prover. Using ML, 
tactics can be put together to form more powerful tactics, new tactics can be written, and theorems can be 
combined into new theories for later use. The metalanguage makes the HOL verification system extremely 
flexible. 
In HOL, all proofs, even tactic-based proofs, are eventually reduced to the application of inference 
rules. Most nontrivial proofs require large numbers of inferences. Proofs of large devices such as micropro- 
cessors can take many millions of inference steps. In a proof containing millions of steps, what kind of con- 
fidence do we have that the proof is correct? One of the most important features of HOL is that it is secure, 
meaning that new theorems can only be created in a controlled manner. HOL is based on five primitive axi- 
oms and eight primitive inference rules. All high-level inference rules and tactics do their work through 
some combination of the primitive inference rules. Because the entire proof can be reduced to one using 
only eight primitive inference rules and five primitive axioms, an independent proof-checking program 
could check the proof syntactically. 
A.l The Language 
The object language of HOL is described in this section. We will discuss HOL‘s terms and types. 
Terms. All HOL expressions are made up of terms. There are four kinds of terms in HOL: variables, 
constants, function applications, and abstractions (lambda expressions). Variables and constants are denoted 
by any sequence of letters, digits, underlines, and primes starting with a letter. Constants are distinguished 
in the logic; any identifier that is not a distinguished constant is taken to be a variable. Constants and vari- 
ables can have any finite arity, not just 0, and, thus, can represent functions as well. 
Function application is denoted by juxtaposition, resulting in a prefix syntax. Thus, a term of the form 
“tl t2” is an application of the operator t l  to the operand t2. The term’s value is the result of applying t l  to t2. 
An abstraction denotes a function and has the form “h x. t.” An abstraction “h x. t” has two parts: the 
bound variable x and the body of the abstraction t. It represents a function, f, such that ‘If(,) = t.” For example, 
“h y. 2*y” denotes a function on numbers that doubles its argument. 
Constants can belong to two special syntactic classes. Constants of arity 2 can be declared to be infix. 
Infix operators are written: “raridl op rand2” instead of in the usual prefix form: “op rand1 rand2.” Table 
A. 1 shows several of HOL‘s built-in infix operators. 
36 
Constants can also belong to another special class called binders. A familiar example of a binder is V 
If c is a binder, then the term “c x. t” (where x is a variable) is written as shorthand for the term “c(h x. t).” 
Table A.2 shows several of HOL‘s built-in binders. 
Binder Application 
V v x . t  
3 3 x . t  
& &x. t  
Meaning 
for all x, t 
there exists an x such that t 
choose an x such that t is true 
In addition to the infix constants and binders, HOL has a conditional statement that is written 
“a =j b I c,” meaning “if a then b else c.’’ 
Spes.  HOL is strongly typed to avoid Russell’s paradox and others like it. Russell’s paradox occurs in 
a high order logic when one can define a predicate that leads to a contradiction. Specifically, suppose that 
we define P as P(x) = 7x(x), where denotes negation. P is true when its argument applied to itself is false. 
Applying P to itself leads to a contradiction since P(P) = ,P(P) (i.e., true = false). This kind of paradox can 
be prevented by typing since, in a typed system, the type of P would never allow it to be applied to itself. 
Every term in HOL is typed according to the following recursive rules: 
a. Each constant or variable has a fixed type. 
b. If x has type a and t has type 0, the abstraction h x. t has &e type (a + p). 
c. If t has the type (a p) and u has the type a, the application t u has the type 9. 
Types in HOL are built from type variables and type operators. Type variables are denoted by a sequence 
of asterisks (*) followed by a (possibly empty) sequence of letters and digits. Thus, *, ***, and *ab2 are all 
valid type variables. All type variables are universally quantified implicitly, yielding type polymorphic 
expressions. 
Type operators construct new types from existing types. Each type operator has a name (denoted by a 
sequence of letters and digits beginning with a letter) and an arity, If al, . . ., a, are types and op is a type 
operator of arity n, then (a,, .. ., a,) op is a type. Note that type operators are postfix while normal function 
application is prefix or infix. A type operator of arity 0 is a type constant. 
37 
HOE has several built-in types that are listed in Table A.3. The type operators bool, ind, and fun are 
QL has a special syntax that allows (*,**)prod to be written as (* # **), (*,**)sum to be written 
as (* + **), and (*,**)fun to be written as (* + **). 
Table A.3: HOL Type Operators. 
7 ~ 
boo1 0 
i nd 0 
num 0 
(*)list 1 
I Operator I ~ r i t y  I Meaning I 
booleans 
individuals 
natural numbers 
lists of type * 
r- (*,**)prod I I products of * and ** I 
I (*,**)sum I 2 I coproductsof * and** 1 
I (*,**)fun 1 2 1  functions from * to ** I 
roof System 
QL is not an automated theorem prover, but is more than simply a proof checker, falling somwhere 
between these two extremes. KQL has several features that contribute to its use as a verification environ- 
ment: 
a. Several built-in theories, including booleans, individuals, numbers, products, sums, lists, and 
trees. These theories contain the five axioms that form the basis of higher order logic, as well 
as a large number of theorems that follow from them. 
b. Rules of inference for higher order logic. These rules contain not only the eight basic rules of 
inference from higher order logic, but also a large body of derived inference rules that allow 
proofs to proceed using larger steps. The HQL system has rules that implement the standard 
introduction and elimination rules for Predicate Calculus as well as specialized rules for rewrit- 
ing terms. 
c. A collection of tactics. Examples of tactics include: REWRITE-TAC which rewrites a goal 
according to some previously proven theorem or definition; GEN-TAC which removes unneces- 
sary universally quantified variables from the front of terms; and EQ-TAC which says that to 
show two things are equivalent, we should show that they imply each other. 
d. A proof management system that keeps track of the state of an interactive proof session. 
e. A metalanguage, ML, for programming and extending the theorem prover. Using the metalan- 
guage, tactics can be put together to form more powerful tactics, new tactics can be written, and 
theorems can be aggregated to form theories for later use. The metalanguage makes the verifi- 
cation system extremely flexible. 
i 
38 
Appendix B: Interpreter Verification Test Case Studies 
This section contains HOL theories for several interpreter test case studies. The theory inup contains 
the justification theorem for standard interpreters. The theory bi-intrp contains the justification theorem for 
monorate bijective interpreters. The theory in-intrp contains theorems demonstrating the feasibility of for- 
mal composition for multirate injective interpreters. 
B. 1 Standard Interpreter Justification-Proof Example 
set-f lag ( I timing' , true) ; ; 
set-aearchqath (searchqath0 0 ~'/home/elvis6/dfura/ftep/piu/hol/l~b/'; 
~/home/elvia6/dfura/ftep/piu/hol/pport/pproc/'; 
~/home/elvis6/dfura/hol/ml/'; 
~/home/elvis6/dfura/hol/L~rary/tools/'; 
~/home/elvis6/dfura/hol/L~rary/aba-theo~/' 
I ) ; ;  
system 'rm intrp.th';; 
new-theory 'intrp';; 
loadf 'abstract';; 
loadf 'aux-defs';; 
map loadqarent ['ineq';'tenrplogic-def';'aaaoc'l;; 
new-type-abbrev ( time ' , " : num" ) ; ; 
new-type-abbrev ( ' time ' ' , :nu") ; ; 
load-library 'reduce';; 
loadf 'pt-tacs.ml';; 
let ~~~-1elmna = new-abstract-representation 
[('EXEC', ": (*instr->(time->*env) ->(time->*out)->time->bool)"); 
( 'P-C', " t  (*instr->(tioae->*env)->(time->*out)->time->bool)"); 
( ' P O S E ' ,  .v:(*instr->(time->*env)->(time->*out)->time->booll") 
I ; ;  
make-inst-thma REP-lemma;; 
let REP = abstraet-type 'intrp' 'EXEC';; 
%-------------------------------------------------------------------------------- 
. . .............................................................................. % 
let INTFW = new-definition 
Definitions for interpreter. 
( ' INTRP ' , 
*'! (rep :AREPI (e :time->*env) (p :time->*out) . 
INTRP rep e p = 
!k t. EXEC rep k e p t 
==> POSTC rep k e p t" 
);; 
39 
let INTRP-PREC = new-definition 
('INTRP-PREC', 
"! (rep :hap) (e :time->*env) (p :time->*out) . 
INTRP-PREC rep e p = 
!k t. EXEC rep k e p t / \  
PREC rep k e p t 
==> POSTC rep k e p t" 
1;; 
let PREC-SAT = new-definition 
('PREC-SAT', 
"! (rep :"REP) (e :time->*env) (p :time->*out) . 
PREC-SAT rep e p = 
(!k. EXEC rep k e p 0 ==> PREC rep k e p 0 )  / \  
(!k kl t. POSTC rep k e p t / \  
EXEC rep kl e p (SUC t) 
==> PREC rep kl e p (SUC t))" 
1;; 
let SEQLIVE = new-definition 
( 'SEQLIVE ' , 
"! (rep :Amp) (e :time->*env) (p :time->*out) . 
SEQLIVE rep e p = 
!k t. EXEC rep k e p (SUC t) 
==> ?kl. EXEC rep kl e p t" 
1;; 
let FILTER-RULE-ASSUM-TAC filter rule :tactic = 
let fnile I (\tu. (filter (concl thm)) => (rule thm) I thm) in 
POP-ASSUM-LIST (\asl. MAP-EVERY ASSUME-TAC (rev (map frule asl) ) ) ; ; 
let PRIOR-EXEC' = TAC-PROOF 
( ( [ I ,  
"! (rep :*REP) (e :time->*env) (p :time->*out) . 
SEQLIVE rep e p ==> 
(!u tl k. EXEC rep k e p (tl+u) =I> 
(tl < (tl+u)) ==> 
(?kl. EXEC rep kl e p tl))"), 
REWRITE-TAC [SEQLIVE I 
THEN REPEAT OEN-TAC 
THEN DISCH-TAC 
THEN INDUCT-TAC 
THEN REWRITE-TAC [ADD-CLAUSES; LESS-REFLI 
THEN REPEAT STRIP-TAC 
THEN RES-TAC 
TEEN ASM-CASES-TAC "u = 0" 
THENL 
POP-ASSUM (\thm. RULE-ASSUM-TAC (MWRITE-RULE [thm;ADD-CLAUSESl) ) 
THEN EXISTS-TAC "kl: *inetr" 
IMP-RES-TAC LESS-ADD-NONZBRO 
THEN RES-TAC 
THEN FILTER-RULE-ASSUM-TAC 
8 
(\tat. tm sz "!m. m < (m + u)") 
(\thm. SPEC "t1:time" tbm) 
THEN RES-TAC 
THEN EXISTS-TAC ~~kl~'~:*instr" 
I 
THEN ASM-RBWRITE-TAC 11 
1;; 
let PRIOR-EXEC = TAC-PROOF 
( (11,  
u! (rep :*REP) (e :time->*env) (p :time->*out) . 
S E Q L N E  rep e p E=> 
(!t tl k. EXEC rep k e p t ==> 
(tl < t) ==> 
(Ikl. EXEC rep kl e p tl))"), 
REPEAT OEN-TAC 
THEN DISCH-TAC 
THEN IMP-RES-TAC PRIOR-EXEC' 
40 
TREN REPEAT STRIP-TAC 
THEN FILTER-RUT.&ASSUM-TAC 
(\tm. is-forall tm) 
(\thm. (SPECL [Uk:*instr";"tl:time";"t-tl"l thm) ) 
THEN ASSUM)3-TAC (SPEC "t1:time" LESS-EQ-REFL) 
THEN IMP-RES-TAC LT-IMP-LE 
THEN IMP-RES-TAC 
THEN POP-ASSW (\thm. ALL-TAC) 
THEN POP-ASSUM (\thm. RULE-ASSOM-TAC 
THEN RES-TAC 
THEN EXISTS-TAC *kl:*instr" 
THEN ASM-REWRITE-TAC [ 1 
(SPXCL [~~tl:tims'~;~~tl:time'~;~"t:time"l (Sa-RULE ASSOC-SUB-ADD111 
(REWRITE-RULE [thm;SUB-EQUAL-O;AIID-CLAUSESl) 1 
1;; 
let EXEC-IMP-PREC = TAC-PROOF 
( ( [ I ,  
a'! (rep :Amp) (e :time->*env) (p :time->*out) . 
INTRP-PREC rep e p ==> 
PREC-SAT rep e p I=> 
SELLIVE rep e p =-I> 
REWRITE-TAC [INTRP-PREC; PREC-SAT1 
THEN REPEAT @EN-TAC 
THEN STRIP-TAC 
THEN STRIP-TAC 
THEN STRIP-TAC 
THEN INDUCT-TAC 
THEN ASM-REWRITE-TAC [ I 
THEN ASS=-TAC (REWRITB-RULE [LE-EQ_LT-SUC 1 (SPEC "t : time" LESS-ELREFL) 1 
THEN REPEAT STRIP-TAC 
THEN IMP-RES-TAC PRIOR-EXEC 
THEN RES-TAC 
THEN RES-TAC 
(It k. EXEC rep k e p t ==> PREC rep k e p t)"), 
);; 
let INTRP-CORR = TAC-PROOF 
(([In 
' a !  (rep :"REP) (e :time->*env) (p :time->*out) . 
INTRP-PREC rep e p I=> 
PREC-SAT rep e p =I> 
SEQLIVE rep e p ==> 
INTRP rep e p"), 
REWRITE-TAC [INTRP] 
THEN REPEAT STRIP-TAC 
THEN IMP-RES-TAC EXEC-IMP-PREC 
THEN RULE-ASSUM-TAC (REWRITE-RULE [INTRP-PRECI) 
TaEN RES-TAC 
) t i  
close-theory0;; 
B.2 Monorate Bijective Interpreter Justification-Proof Example 
set-searchqath (searchsath0 (z ['/home/elvis6/dfura/ftep/piu/hol/lib/'; 
'/hamcr/elvia6/d€ura/hol/ml/'; 
41 
'/home/elvis(i/dfura/hol/Library/tools/~ 
I ) ; ;  
let NXXT-OUT-TRANS-IS-NTE = new-definition 
('NEXT-OUT-TRANS-IS-NTE', 
"NEXT-OUT-TRANS-IS-NTH Be Ep = 
! t te' tp'. 
NTH-TIME-TRUE t Eo 0 te' ==> 
N"€-TIME-TRW t Ep 0 tp'" 
STABLE-FALSE-THEN-TRW Ep (te',tp') ==> 
) t ;  
let PILl'E~RULE-ASSIJM-TAC filter rule :tactic = 
let frule = (\thm. (filter (concl thm)) => (rule thm) 1 tbm) in 
POP-ASSWM-LIST (\asl. MAP-EVERY ASSUME-TAC (rev (map frule as11 ) ;; 
42 
let FILTER-POP-ASSUM filter ttac :tactic = 
\ (asl,w) . 
let thm,thml = remove filter as1 in 
ttac (ASSUMB thm) (thml,w);; 
let LESS-EQSTABLE-FALSE-THEN-TRUE = prove-thm 
I'LESS-EQSTABLE-FALSE-THEN-TRW', 
"! f tl t2. STABLE-FAGSE-THEN-TRUE f (tl,t2) ==> tl <= tan, 
REWRITE-TAC [STABLE-FALSE-THEN-TRUE1 
THEN REPEAT STRIP-TAC 
THEN ASM-REWRITE-TAC I 
1;; 
let JUST-THZOREM e TAC-PROOF 
(([I, 
"! B e  Ep. 
TRANS-ONE-TO-ONE E e  Ep / \  
TRANS-ONTO Ee Ep / \  
FIRST-TRANS-CAUSAL E e  Ep / \  
OUT-TRANS-LIVE E e  Ep 
==> NEXT-OUT-TRANSJS-NTH E e  Ep") , 
ITRANS_ONE-~-ONE;TRANS_ONTO;FIRGT-TRAWS_CAUSAL;NBXT-OUT-TRANS-IS-N~; 
REWRITE-TAC 
OUT-TRANS-LIVE 1 
THEN REPEAT QEN-TAC 
THEN REPEAT DISCH-TAC 
THEN INDUCT-TAC 
TBENL t 
% Subgoal 1: base case % 
RXWRITE-TAC [NTH-TIME-TRUE 1 
THEN REPEAT @EN-TAC 
THEN ASM-CASES-TAC *te' = O n  
THEN ASM-RBiVFiITE-TAC [ 1 
THEN REPEAT STRIP-TAC 
THEN IMP-RES-TAC NOT-EQZERO 
THEN IMP-RES-TAC GREATER 
THEN IMP-RES-TAC STABLE-FALSE-THEN 
THEM POP-ASSUM-LIST (MAP-BVERY (\thm. STRIP-ASSUME-TAC thm)) 
THEN RES-TAC 
THEN IMP-RES-TAC SUP-INTERVAL-STABLE-FALSE-THEN-TRUE 
THEN IMP-RES-TAC (REWRITE-RULE [ADD11 LT-IMP-SUC-LE) 
THEN RULE-ASSUM-TAC (RgOJRITE-RULE[ADD-CLAUSESl) 
THEN IMP-RES-TAC SUB-ADD 
THEN POP-ASSUM 
THEN ASM-REWRITE-TAC [ I 
% Subgoal 21 induction step % 
REWRITE-TAC tNTH-TIMLTRUEI 
THEN REPEAT STRIP-TAC 
THEN RES-TAC 
THEN RES-TAC 
THEN EXISTS-TAC rtprrinUmn 
THEN ASM-REWRITE-TAC [I 
THEN IMP-RES-TAC LESS-EQSTABLE-F~SE-~N-TRUE 
THEN SUBGOAL-THEN 
"STABLE-FALSE-mN-TRWE Be (tp"+l,te')" 
ASSUMLTAC 
(\thm. RULEASSUM-TAC (~ITE-RU~[thm;ZERO-LESS-EQ~LESS_X~REFL])) 
; 
THENL t 
% Subgoal 2.1: New subgoal % 
IMP-RES-TAC 
(SPECL tUt':nUmn;"tp":n~";"ln] (SYM-RULE LESS-EQ-MONO-ADD-EQ)) 
THEN ASM-CASES-TAC "(tp"+l) <= te'" 
THBNL [IMP-RES-TAC SW-STABLE_P1ILSE-THEN-TRUE;ALL-TACl 
THEN IMP-RES-TAC NOT-LESS-EQLESS 
THEN IMP-RES-TAC (REWRITE-RULE [ADD11 LT-SUC-IMP-LE) 
THEN IMP-RES-TAC (REWRITE-RULE [ADD11 SUC-LE-IMP-LT) 
THEN FILTER-POP-ASSUM 
(\tm. tm = "TRUE-THEN-STABLE-FALSE Ee (t ' , tp8 ' 1  ") 
(\thm. STRIP-ASSUMB-TAC (REWRITE~RULE[TR~~THEN_STABLE~FALSElthm)) 
THEN FILTER-POP-ASSUM 
(\tm. tm P Y!t. t' t / \  t <= tp'# ==> - ~ e  tn) 
43 
(\thm. STRIP-ASSUME-TAC (SPEC "te' :time' thm) ) 
THEN FILTER-POP-ASSUM 
(\tm. tm = "STABLE-FALSE-THEN-TRUB Belt' + 1,te')") 
(\thm. STRIP-ASSUME-TAC(REWRITE-RULE[STABLE-FALSE-~EN-TRUElthm)) 
THEN RES-TAC 
% Continue % 
; 
RES-TAC 
THEN ASM-CASES-TAC "(tp"+l) <= te'-l" 
THBNL [ 
IMP-RES-TAC (REWRITE-RULE [ADD11 SUC-LE-IMP-LT) 
THEN IMP-RES-TAC THEN-STABLE-FALSE 
THEN IMP-RES-TAC S~-INTERVAL-STABLB-FALSE-THEN-TR~ 
THEN ASSUXE-TAC 
(SPECL ["l"; "t ' :time"] 
(PURE-ONCB-REWRITE-RULE [ADD-SYM] LESS-ELADD)) 
THEN IMP-RES-TAC LESS-ELTRANS 
THEN IMP-RES-TAC (REWRITE-RULE [PRE-SUB11 LE-PRE-IMP-LT) 
THEN IMP-RES-TAC LESS-LESS-ELTRANS 
THEN IMP-RES-TAC LT-IMP-LE 
THEN IMP-RES-TAC SUB-ADD 
THEN FILTER-POP-ASSUM 
(\tm. tm = "(te' - 1) + 1 = te'") 
(\thm. RULE-ASSUM-TAC (REWRITE-RULE [thm;LESS-ELREPLl)) 
THEN RES-TAC 
IMP-RES-TAC NOT-LESS-EQLBSS 
THEN IMP-RES-TAC (REWRITE-RULE [ADD11 LT-IMP-SUC-LE) 
THEN ASS=-TAC 
1 
(SPECL 1"l";"t':time"I 
(PURE-ONCE-REWRITE-RULX [ADD-SYMI LESS-ELADD) ) 
THEN IMP-RES-TAC LESS-ELTRANS 
THEN IMP-RES-TAC SUB-ADD 
THEN FILTER-POP-ASSUM 
(\tm. tm = "(ten - 1) + 1 = te"') 
(\thm. RULE-ASSUM-TAC (REWRITE-RULE 1thm;LESS-EQ-REFLI)) 
THEN IMP-RES-TAC LESS-EQSTABLE-FALSE-THEN-TRUB 
THEN IMP-RES-TAC LESS-ELTRANS 
m N  IMP-RES-TAC SUB-STABLE-FALSE-TN-"RUB 
1 
1 
1 
);; 
close-theory() ; ; 
B.3 Multirate Injective Interpreters 
Filename: in-intrp.ml 
Author: (c) D.A. Fura 1993 
Date: 30 September 1993 
Test-case theory €or injective multirate interpreters. 
Four major theorema: 
(a) H interproter implements multirate H interpreter. 
(b) Concrete structure implements abstract structure. 
(c) Abstract structure implements multirate OH interpreter. 
(d) Multirate QH interpreter implements OH interpreter. 
% ................................................................................ 
set-search-path (searchsath0 B ['/home/elvis6/dfura/ftep/~iu/hol/lib/'; 
'/home/elvis6/dfura/hol/ml/'; 
'/hnme/elvis6/dfura/hol/Library/toola/' 
I);; 
t 
44 
set-flag ('tMnq',true);; 
system 'rm in-intrp.th';; 
new-theory 'in-intrp';; 
load-library 'reduce';; 
loadf 'aux-defs';; 
loadf 'abstract';; 
loadf 'pt-tacs';; 
map loadgarent t ineq' ; ' templogic-def ' I i i 
new-type-abbrev ('time',":num") ;; 
new-type-abbrev ( ' time ' ' I " :nun") ; i 
let Rgp-lemma I new-abstract-representation 
[('Oe', ":(time'->*io)->time'->bool"); 
('Opt, u: (time'->*io)->time'->bool"); 
('He', ": (time'->*io)->time'->bool") ; 
('Hp', ":(time'->*io)->time'->bool") 
1;; 
make-inst-thma RgP-lemuta;; 
let REP I abstract-type 'in-intrp' 'Oe';; 
%------------------------------------------------------------- 
% 
Liveness assumptions. ............................................................. 
let GE-LIVE = new-definition 
( 'OB-LIVE' , 
' a !  (rep:*=P) (eg':time'->*io) . 
G E - L ~  rep eg' = 
It. ?t'. NTH-TIME-TRUE t (Oe rep eg') 0 t'" 
) I t  
let GP-LIVE I new-definition 
( 'OP-LIVE' , 
"I (rep z Amp) (eg ' I time ' ->*io) (pg ' :time ' ->*io) . 
OP-LIVE rep eg' pg' = 
!t t'. 
NTH-TIME-TRUE t (Oe rep eg') 0 t' I=> NTH-TIME-TRUE t (Gp rep pg') 0 t'" 
) i t  
let HE-LIVE = new-definition 
( 'HE-LIVE', 
"1 ( r e p : A R B P )  (pg'rtirae'->*io) (eh'rtirae'->*io) . 
HE-LIVE rep pg' eh' 3: 
!t t'. 
NTH-TIME-TRUE t (ap rep pg') 0 t' ==> NTH-TRdB-TRUB t (Qp rep eh') 0 t'" 
1;; 
let =-LIVE1 = new-definition 
('HE-LIVEl',  
e! (reprARKP) (eh':time'->*io) . 
HE-LIVEl rep eh' = 
It t'. 
NT€-TIMB-!FRUE t lop rep eh') 0 t8 
==D 7u. NT-TIME-TR- u (He rep eh') 0 t'" 
1;; 
let HP-LIVE = new-definition 
( 'HP-LIVE ' , 
"! (rep:*REP) (eh':time'->*io) (ph':time'->*io) . 
HP-LIVE rep eh' ph' = 
!U t'. 
NTH-TIME-TRUE u (He rep eh'l 0 t' I=> NTH-TIME-TRUE u (Hp rep ph') 0 t'n 
) ; I  
45 
let ~-ABS = new-definition 
('0-ABS', 
a i !  (rep:Amp) (eg:time->*io) (pg:time->*io) (eg':time->*io) (pg':time->*io) - 
G-ABS rep eg pg eg' pg' = 
!t. 
let t' = at'. NTH-TIME-TRUE t (Ge rep eg') 0 t' in 
let t" = Qt'. NTH-TIMB-TRUE t (Gp rep pg') 0 t' in 
((eg t = eg' t') / \  
(pg t = pg' t''))" 
);; 
let H-ABS = new-definition 
( 'A-ABS ' , 
a i !  (rep:*mp) (eh:tiM->*io) (ph:time->*io) (eh':time->*io) (ph':time->*io) . 
A-ABS rep eh ph eh' ph' = 
!U. 
let t' = Qt'. NTH-TIME-TRUX u (He rep eh') 0 t' in 
let t" = Qt'. NTH-TIME-TRUE U (Hp rep Ph') 0 t' in 
((eh u = eh' t') / \  
(ph u = ph' t")' 
1;; 
let Q-INTRP = new-definition 
( '0-INTRP ' , 
"1 (egrtime->*io) (pgitime->*io) . 
0-INTRP eg pg = !t. pg t = eg tn 
1;; 
let H-INTRP = new-definition 
( 'H-INTRP ' , 
"! (eh:time->*io) (ph:time->*io) . 
H-INTRP eh ph = !u. ph u = eh u" 
1;; 
%------------------------------------------------------------- 
% 
Interpreter correctness assumptions. ............................................................. 
let 0-INTRP-CORR = new-definition 
( '0-INTRP-CORR' I 
"! (rep:*REP) . 
0-INTRP-CORR rep = 
!(eg:time->*io) (pg:time->*io) (eg' :time'->*io) (pg':time'->*io) . 
O-INTRP' eg' pg' ==> 
O-ABS rep eg pg eg' pg' ==> 
G-INTRP eg Pg" 
) t i  
let H-INTRP-CORR = new-definition 
( ' H-INTRP-CORR ' , 
"! (reprAREP) . 
H-INTRP-CORR rep = 
46 
! (eh:time->*io) (ph:time->*io) (eh':time'->*io) (ph':time'->*io) . 
H-INTRP' eh' ph' ==> 
H-mS rep eh ph eh' ph' ==> 
H-INTRP eh ph" 
1;; 
%------------------------------------------------------------- 
% 
Multirate interpreter definition and correctness proof. ............................................................. 
let H1-INTRP = new-definition 
( 'H1-INTRP' , 
"! (rep:"REP) (eh:time->*io) (ph:time->*io) (eh':time'->*io) 
(ph':time'->*io) . 
!t. 
let t' = Qt*. N!I'H-TIblB-TRUE t (Op rep eh') 0 t' in 
let u = (Pu. NTH-TIME-TRUE u (Hp rep ph') 0 t' in 
(ph u = eh t)" 
H1-INTRP rep eh ph eh' ph' = 
1; ;  
let Hl-AES = new-definition / 
( ' Hl-AaS ' , 
(rep: "REP) (eh:time->*io) (ph:time->*io) (eh':time->*io) (ph':time->*io) . 
!t u. 
let t' = (Pt' NTH-TIME-TRW t (Op rep eh') 0 t' in 
let t" I Qt.. NTH-TI=-TRUE u (Hp rep ph') 0 t' in 
((eh t = eh' t') / \  
HI-ABS rep eh ph ah' ph' = 
(ph u = ph' t"))" 
1 8 ;  
let SELECT-ELIM-TAC tm thm :tactic = 
SUBOOAL-THEN 
THENL [ 
tm (\thm. (REWRITE-TAC [thml THEN RULE_ASS~-TAC(RBw?tITg-RULE[thml))) 
SELECT-UNIQUE-TAC 
THEN ASM-RBw?tITE-TAC I I
THEN REPEAT STRIP-TAC 
THEN IMP-RES-TAC thm 
ALL-TAC 
; 
I ; ;  
let Hl-INTRP-THM = TAC-PROOF 
( ( [ I ,  
"!(rep:"REP) (eh:time->*io) (ph:time->*io) (eh':time'->*io) 
(ph':time'->*io) (eg':time'->*io) (gg':time'->*io) . 
OB-LIVE rep eg' ==D 
H-INTRP eh ph =ID 
OP-LIVE rep eg' pg' ==> 
HE-LIVE rep pg' eh' ==D 
HE-LIVE1 rep 6th' ==> 
HP-LIVE rep eh' ph' ==D 
H-AES rep eh ph eh' ph' ==> 
H1-ABS rep eh ph eh' ph' ==D 
H1-INTRP rep eh ph eh' ph'"), 
REWRITE-TAC 
THEN EXPAND-LET-TAC 
THEN REPEAT STRIP-TAC 
THEN FILTER-POP-ASSUM 
[H~INTRP;Hl_INTRP;OE~LIVE;OP_LIVE;IIE_LIVE;HE~LIVE1;HP~LIVE;H~~S;B1~AESl 
(\tm. tm = "!t. ?t'. NTH-TIME-TRUE t(Oe rep (eg':time'->*io))O t'") 
(\thm. STRIP-ASSUME-TAC (SPEC-ALL thm) 
THEN RES-TAC 
THEN RES-TAC 
THEN RES-TAC 
THEN RES-TAC 
THEN SELECT-ELIM-TAC 
"(at'. NTH-TIME-TRUE t(Op rep (eh':time'->*io))O t') = t'" 
TRUE-EvreNT-TIMsS-EQUAL 
THEN SELECT-ELIM-TAC 
47 
"(&tu. NTH-TIMII-TRUE u(Hp rep (ph':time'->*io))O t') = u" 
TRUE-EVENT-COUNTS-EQUAL 
THEN RULE-ASSUM-TAC (\thm. SPEC-ALL thm) 
THEN SELECT-ELIM-TAC 
"(Qt'. NTH-TIME-TRUE u(He rep (eh':time'->*io))O t') = t"' 
TRUE-BVENT-TIMES-EQUAL 
"(et'. NTH-TIME-TRUE t(Gp rep (eh':time'->*io))O t') = t'" 
THEN SELECT-ELIM-TAC 
TRUE-WENT-TIMES-EQUAL 
(\tm. tm = "(ph:time->*io) u = (eh:time->*io) u") 
(\thm. REWRITE-TAC [thml 
THEN FILTER-POP-ASSUM 
THEN ASM-FlEWFtITE-TAC [ I  
);; 
let GH-STRUCTt I new-definition 
('OH-STRUCT". 
a # !  (rep:*REP) (eg':timer->*io) (ph':time'->*io) (eg:time->*io) 
(ph:time->*io) . 
OH-STRUCT' rep eg' phf eg ph = 
7gh' pg eh . 
0-INTRP' eg' gh' / \  
€I-INTRP' gh' ph' / \  
0-ABS rep eg pg eg' gh' / \  
H1-ABS rep eh ph gh' ph'" 
) I ;  
let OH-STRUCT I new-definition 
( 'OH-STRUCT' , 
' a !  (rep:*RXP) (eg:time->*io) (ph:time->*io) (eh':time'->*io) 
(ph' : time'->*io) . 
OH-STRUCT rep eg ph eh' ph' = 
Igh. 
0-INTRP eg gh / \  
Hl-INTRP rep gh ph eh' ph'" 
1 ; ;  
let OH-STRUCT-THM = TAC-PROOF 
( ( [ I ,  
(rep: *REP) (eg:time->*io) (ph:time->*io) (eg' :time'->*io) (ph':time'->*io) 
(pg:time->*io) (eh:time->*io) (gh':time'->*io) . 
0-INTRP' eg' gh' / \  
HJNTRP' gh' ph' / \  
0-ABS rep eg pg eg' gh' / \  
H1-ABS rep eh ph gh' ph' / \  
0-INTRP-CORR rep / \  
H-INTRP-CORR rep / \  
GE-LIVE rep eg' / \  
0P-LIVE rep egt gh' / \  
HEJIVE rep gh' oh' / \  
HE-LIVEl rep gh' / \  
HP-LIVE rep gh' ph' /I 
G X S  rep eg Po egg gh' / \  
H-ABS rep eh ph oh8 ph' / \  
Hl-ABS rep eh ph gh' ph' I--> 
OH-STRUCT rep eg ph gh' ph'"). 
REWRITE-TAC [OH-STRUCT; G-INTRP-CORR; H-INTRP-CORRI 
THEN REPEAT STRIP-TAC 
THEN RES-TAC 
THEN IMP-RES-TAC H1-INTRP-THM 
THEN POP-ASSWM-LIST 
(MAP-EVERY 
(\tam. STRIP-ASSUME-TAC 
( EXPAND-LET-RULE 
(REWRITE-RULE [G-INTRP';H-INTRP'; 
0-INTRP-CORR;H-INTRP-CORR;G~~S; 
H-ABS;Hl-ABS;OH-STRUCT;HP-LIVE;HE-LIVE; 
HE_LIVEl;GP-LIVE;GE-LIVEI thm)))) 
48 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
FILTER-POP-ASSUM 
(\tm. tm ="!t ?t'. NTH-TIME-TRUE t(Ge rep (eg':time'->*iO))O t'") 
(\tu. STRIP-ASSUME-TAC (SPEC-ALL thm) ) 
RES-TAC 
RES-TAC 
RES-TAC 
RES-TAC 
SUBCOAL-THEN 
"(pg:time->*io) = eh" 
ASSUME-TAC 
THENL [ 
COW-TAC (ONCE-DEPTH-CON" FUN-EQ-CON") 
THEN GEM-TAC 
THEN ASM-REWRITE-TAC 1 
EXISTS-TAC "(W:time->*iO)" 
THEN ASM-REWRITE-TAC [ 1 
i 
I 
1;; 
let 0~1-1NTRp = new-definition 
( ' GH1-INTRP ' , 
"! (rep:"REP) (eg:time->*io) (ph:time->*io) (eg':time'->*io) 
(ph; :time'->*io) . 
GH1-INTRP rep eg ph eg' ph' = 
!t. 
let t' = et'. NTH-TIME-TRUE 
let u = 8u. NTH-TIME-TRUE u 
(ph u = eg t)" 
) i i  
let OHl-INTRP-TIIM = TAC-PROOF 
( ( [ I ,  
t (Ge rep eg') 0 t' in 
(Rp rep ph') 0 t' in 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
THEN 
) i i  
a'!  (rep:*REP) (eg:time->*io) (ph:time->*io) (eg':time'->*io) 
(pg'rtime'->*io) (eh':time'->*io) (ph':time'->*io) 
OH-STRUCT rep eg ph eh' ph' ==> 
GE-LIVE rep eg' E=> 
GP-LIVE rep eg' pg' ==> 
HE-LIVE rep pg' eh' ==> 
OHl-INTRP rep eg ph eg' ph'") , 
REWRITE-TAC [GH~STRUCT;GH1~INTRP;G~INTRP;H1~INTRP;GE~LIVE;GP~LIVE;HE~LIVEl 
EXPAND-LET-TAC 
REPEAT STRIP-TAC 
FILTER-POP_ASSUM 
(\tm. tm = "!t. (gh:time->*io) t = (eg:time->*io) t") 
(\thm. REWRITE-TAC [SYM-RULE t h m l )  
(\tm. tm "!t. It'. NTH-TIME-TRUE t(Ge rep (eg':time'->*io))O t'") 
( \ t h m .  STRIP-ASSUME-TAC (SPEC-ALL thm)) 
FILTER-POP-ASSUM 
RES-TJK! 
RES-TAC 
SELZCT-ELIM-TAC 
"(at'. NTE-TIME-TRUE t(Ge rep (eg':time'->*io))O t') = t"' 
TRUE-EVENT-TIMES-EQUAL 
RULE-ASSUM-TAC (\thm. SPEC-ALL thm) 
SELXCT-EL=-TAC 
"(at'. NTH-TIME-TRUE t(Gp rep (eh':time'->*io))O t') = t'" 
TRUE-EVENT-TIMESJQVAL 
ASM_RXIQRITE-TAC [ I  
let GH-INTRP = new-definition 
('GH-INTRP', 
" 1  (eg: time->*io) (ph: time->*io) . 
49 
OH-INTRP eg ph = 
!t. ph t = eg t' 
1 ;; 
let OH-ABS I new-definition 
('OH-ABS', 
"! (rep:*REP) (eg:time->*io) (ph:time->*io) (eg':time->*io) (ph':time->*io) . 
OH-ABS rep eg ph eg' ph' = 
!t. 
let t' = et'. NTH-TIME-TRUE t (Ge rep eg') 0 t' in  
((eg t = eg' t') / \  
(ph t = ph' t'))" 
);; 
let OH-INTRP-THM = TAC-PROOF 
( ( [ I ,  
' a !  (rep:"REP) (eg:time->*io) fph:time->*io) (eg':time'->*io) 
(pg':time'->*io) (eh':time'->*io) (ph':time'->*io) . 
OBI-INTRP rep eq ph eg' ph' ==-> 
GE-LIVE rep eg' ==> 
OP-LIVE rep eg' pg' ==-> 
HE-LIVE rep pg' eh' I=> 
HE-LIVE1 rep eh' ==> 
HP-LIVE rep eh' ph' ==D 
Hl-ABS rep eh ph eh' ph' ==> 
OH-ABS rep eg ph ego ph' ==> 
OH-INTRP eg ph"), 
REWRITE-TAC [OH1~INTRp;OH~INTRp;OE~LIvE;OP~LI~;HE~LIvE;HE~LIvE~; 
THEN EXPAND-LET-TAC 
THEN REPEAT STRIP-TAC 
THEN FILTER-POP-ASSUM 
HP-LIVE;OH-ABS;H1-ABS] 
(\tm. tm = "!t. ?t'. NTH-TIME-TRUE t(Oe rep (eg':time'->*io))O t'") 
(\thm. STRIP-ASSUME-TAC (SPEC-ALL th)) 
THEN RES-TAC 
THEN RES-TAC 
THEN RES-TAC 
THEN RBIs-TAC 
THEN RULE-ASSUM-TAC SPEC-ALL 
THEN SELECT-ELIM-TAC 
"(Qt'. NTH-TIME-TRUE t(Ge rep (eg':time'->*io))O t') = t'" 
TRUE-EVENT-TIMES-EQUAL 
"(Qu. NTH-TIME-TRUE u(Hp rep (ph':time'->*io))O t') m u" 
TRUE-EVENT-COUNTS-EQUAL 
THEN SELECT-ELIM-TAC 
THEN SELECT-ELIM-TAC 
"(et". NTH-TIME-TRUE u(Hp rep (ph':time'->*io))O t") = t'" 
TRUE-EVENT-TIMES-EQUAL 
THEN FILTER-POP-ASSUM 
(\tm. tm = "(ph:time->*io) u = (eg:time->*io) t") 
(\th. REWRITE-TAC [SYM-RULE thml ) 
THEN ASM-RBWRITB-TAC [ 1 
1;; 
cloae-theoryO ; ; 
50 
Appendix C: Processor-Memory Module Specification Examples 
This section contains HOL theories for parts of the PMM transaction-level specification. Section C. 1 
contains the signal data structure definitions for the transaction level. Sections (2.2, C.3, and C.4 contain the 
specifications for the local processor, local memory, and M-Port, respectively. 
C.1 lkansaction Signal Data Structure Definitions 
set-flag ('timing',true);; 
set-aearchqath (searchqath0 B ~'/home/el~~a6/dfura/fteg/p~u/hol/lib/~; 
g/home/elvis6/dfura/ftep/piu/hol/pport/'; 
'/home/elvis6/dfura/hol/Library/tools/' 
I ) ; ;  
system 'rm pmmtauxp-def.th';; 
new-theory 'pmmtaup-def';; 
new-type-abbrev ( time ' , " : num" ) ; ; 
new-type-abbrev ( timeT , " : num" ) ; ; 
new-type-abbrev ('wordu', ":num->bool");; 
new-type-abbrev ('wordnn', "rnum->wordn");; 
%---------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
% 
Abstract data type for the memory access target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
let targ-Axiom = 
define-type 'targ-Axiom* 
'targ = LM I PIU I CB';; 
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the L-Bus Master Packet. ................................................................................ 
let pbmop = 
define-type 'pbump' 
'gbmop = PBM-WrLM I PBM-WrPIU I PBM-WrCB I PBM-RdLM I 
PBM-RdPIU I PBM-RdCB I PBM-Illegal';; 
let pbmskt = 
define-type 'pbmgkt' 'pbukt = PBM pbmop wordn wordnn wordn wordu bool';; 
let PBM-Upcode = new-recursive-definition 
false pb-kt 'PBM-opcode' 
"PBM-Opcode (PBM Opcode Addr Data BS BE Lock) = Opcoden;i 
let PBM-Ad& = new-recursive-definition 
false pbmskt 'PBM-Addr' 
"PBM-Addr (PBM Opcode Addr Data BS BE Lock) = Addr";; 
let PBM-Data = new-recursive-definition 
false p-kt 'PBM-Data' 
"Pa-Data (PBM Opcode Addr Data BS BE Lock) = Data";; 
51 
let PBM-BS = new-recursive-definition 
f alse pbmgkt 'PBM-BS' 
"PBM-BS (PBM Opcode Addr Data BS BE Lock) = BS";; 
let PBM-BE = new-recursive-definition 
false pbmgkt 'PBM-BE' 
"PBM-BE (PBM Opcode Addr Data BS BE Lock) = BE";; 
let PBM-Lock E new-recursive-definition 
false pbmmgkt 'PBM-Lock' 
"PBM-Lock (PBM Opcode Addr Data BS BE Lock) = Lock";; 
let PBM-CASES = prove-cases-thm (prove-induction-thm pbmskt);; 
let PBM-Selectors-Work = prove-thm 
('PBM-Selectors-Work', 
" ! k : pbmgkt . 
k = (PBM (PBM-Opcode k) (PBM-Addr k) (PBM-Data k) (PBM-BS k) (PBMBE k) 
(PBM-Lock k) I " ,  
GEM-TAC 
TIIEN STRUCT-CASES-TAC (SPEC "k : pbmmgkt '' PBM-CASES 
THEN REWRITE-TAC [PBM-Opcode; PBM-Addr; PBM-Data; PBM-BS; PBM-BE; PBM-Lock] 
1 i ;  
%------------------------~------------------------------------------------------- 
% 
Abstract data type for the L-Bus Slave Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
let pbsop = define-type fpbsop' 'pbsop e PBS-Ready I PBS-Illegal';; 
let pbagkt = define-type 'pbsqkt' 'pbsgkt = PBS pbsop wordnn';; 
let PBS-Opcode = new-recursive-definition 
false pbsqkt 'PBS-Opcode' "PBS-Opcode (PBS Opcode Data) = Opcode";; 
let PBS-Data = new-recursive-definition 
false pbsskt 'PBS-Data' "PBS-Data (PBS Opcode Data) = Data";; 
let PBS-CASES = prove-cases-thm (prove-induction-tbm pbsgkt);; 
let PBSSelectors-Work = prove-thm 
('PBS-Selectors-Work', 
"!k:pbagkt. k = (PBS (PBS-Opcode k) (PBS-Data k))", 
GEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:pbsqkt'* PBS-CASES) 
THEN REWRITE-TAC [PBS-Opcode;PBS-Datal 
I ; ;  
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the I-Bus Slave Packet. ................................................................................ 
let ibsop = define-type 'ibsop' 'ibsop = IBS-Ready I IBS-Idle I IBS-Illegal';; 
let ibsskt = define-type 'ibsqkt' 'ibsgkt = IBS ibsop wordan';; 
let IBS-Opcode = new-recursive-definition 
false ibsgkt 'IBS-Opcode' "IBs-Opcode (IBS Opcode Data) = Opcode";; 
let IBS-Data = new-recursive-definition 
false ibsgkt 'IBS-Data' "IBS-Data (IBS Opcode Data) = Data";; 
let IBS-CASES = prove-cases-thm (prove-induction-thm ibsgkt);; 
let IBS-Selectors-Work = prove-thm 
('IBS-Selectors-Work', 
"!k:ibsmgkt. k = [IBS (IBS-Opcode k) (IBS-Data k))", 
GEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k: ibsqkt" IBS-CASES) 
THEN REWRITE-TAC [IBS-Opcode;IBS-Datal 
1;; 
52 
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the I-Bus Arbitration Master Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
let ibamop = define-type 'ibamop' 'ibamop = IBAM-Ready I IBAM-Illegal';; 
let ibamqkt = define-type 'ibamqkt' 'ibamqkt = IBAM ibamop';; 
let IBAM-Opcode = new-recursive-definition 
f alae ibamgkt ' IBAM-Opcode' "IBAM-Opcode (IBAM Opcodel = Opcode"; ; 
let IBAM-CASES = prove-cases-thm (prove-induction-thm ibam-pkt);; 
let IBAM-Selectors-Work = prove-thm 
('IBAM-Selectors-Work', 
"!k:ib--pkt. k = (IBAM (IBAM-Opcode k))", 
GEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:ibamqkt" IBAM-CASES) 
THEN REWRITE-TAC [ IBAM-Opcode 1 
) ; I  
%---------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
% 
Abstract data type for the I-Bus Arbitration Slave Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
let ibasop = define-type 'ibasop' 'ibasop = IBAS-Ready I IBAS-Illegal';; 
let ibasqkt = define-type 'ibasqkt' 'ibasqkt = IBAS ibasop';; 
let lBAS-Opcode = new-recursive-definition 
false ibasqkt '~BAS-~pcode' "IBAS-Opcode (IBAS Opcode) = Opcode"; ; 
let IBAS-CASES = prove-cases-thm (prove-induction-thm ibasqkt);; 
let IBAS-Selectors-Work = prove-thm 
('IBAS-Selectors-Work', 
"!k:ibasgkt. k = (IBAS (IBAS-Opcode k))", 
GEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:ibasqkt" IBAS-CASES) 
TBEN REWRITE-TAC [IBAS-Opcodel 
) ; I  
&-------------------------------------------------------------------------------- 
% 
Abstract data type €or the M-Bus Master Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
let mbmop = 
define-type 'mbmop' 'mbmop = MBM-Wr I MBM-Rd I MBM-RdWr I MBM-Illegal';; 
let d q k t  = 
define-type 'mbmqkt' 'mbmqkt = MBM mbmop wordn wordnn wordn';; 
let MBM-Opcode = new-recursive-definition 
false mbni-pkt 'MBM-Opcode' 
"MBM-Opcode (MBM Opcode Addr Data BSI = Opcode";; 
let MBM-Addr = new-recursive-definition 
false mbm-pkt 'MBM-Addr' 
uMBBM-Addr (MBM Opcode Addr Data BS) = Addr";; 
let MEM-Data = new-recursive-definition 
false mbmqkt 'MBM-Data' 
"MEM-Data (MBM Opcode Addr Data BS) = Data";; 
let MBbf-BS = new-recursive-definition 
false m b u k t  'MBM-BS' 
"MBM-BS (MBM Opcode Addr Data BS) = BS";; 
let MBM-CASES I prove-cases-thm (prove-induction-thm mbmskt);; 
let MBM-Selectors-Work = prove-thm 
('MBM_Selectors-Workl, 
53 
"!krmbmgkt. 
OEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:mbm-pkt" MBM-CASES) 
THEN REWRITE-TAC [MBM-Opcode;MBM-Addr;MBM-Data;MBM-BSl 
k (MBM (MBM-Opcode k) (MBM-Addr k) (MBM-Data kl (MEM-BS k))", 
1;; 
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the M-Bus Slave Packet. ....................................................................... 
let mbsop = define-type 'mbsop' 'mbsop = MBS-Ready I MBS-Illegal';; 
let mbsgkt = define-type 'mbsgkt' 'mbsgkt = MBS mbsop wordnn';; 
let MBS-Opcode = new-recursive-definition 
false mbsgkt 'MBs-OpcodeO "MBS-Ogcode (MBS Opcode Data) = Opcode";; 
let MBS-Data = new-recursive-definition 
false mbsgkt 'MBS-Data' WBS-Data (MBS Opcode Data) = Data";; 
let MBS-CASES = prove-cases-thm (prove-induction-thm mbsgkt) ;; 
let MBS-Selectors-Work = prove-thm 
('XES-Selectors-Work', 
"lktmbsgkt. k E (MBS (MBS-Opcode k) (MBS-Data k))", 
QEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k :mbsgkt" MBS-CASES) 
THEN REWRITE-TAC [MBS-Opcode;MBS-Datal 
) I t  
let cbmop = 
define-type 'cbmop' 'cbmop = CBM-Wr I CBM-Rd I CBM-Illegal';; 
let cbm-pkt = 
define-type 'cbmgkt' 'cbmgkt = CBM cbmop wordn wordnn wordn wordn';; 
let CBM-Opcode = new-recursive-definition 
false cbmgkt ICBM-Opcode' 
"CBM-Opcode (CBM Opcode Addr Data BS BE) = Opcode";; 
let CBM-Addr = new-recursive-definition 
false cbmgkt 'CBM-Addr' 
"CBM-Addr (CBM Opcode Addr Data BS BE) = Addr" 
let CBM-Data = new-recursive-definition 
false cbm-pkt 'CBM-Data' 
"CBM-Data (CBM Opcode Addr Data BS BE) = Data" 
let CBM-BS new-recursive-definition 
false c b u k t  'CBM-BS' 
"CBM-BS (CBM Opcode Addr Data BS BE) = BS";; 
let CBM-BE a new-recursive-definition 
false cbmgkt 'CBM-BE' 
"CBM-BE (CBM Opcode Addr Data BS BE) = BE";; 
let cM-CASES = grave-cases-thm (prove-induction-thm cbmgkt);; 
let CBM-Selectors-Work = prwe-thm 
('CBM-Selectors-Work', 
"!k:cbnCpkt. 
QXN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:cbm-pkt" CBM-CASES) 
THEN REWRITE-TAC [CBM_Ogcode;CBM-Addr;CBM-Data;CBM-BS;CBM-BEl 
k I (CBM (CBbl-Opcode k) (CM-Addx k) (CBM-Data k) (CBM-BS k) (CBM-BE k) ) ", 
1;; 
54 
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the C-Bus Slave Packet. ................................................................................ 
let cbsop = define-type 'cbsop' 'cbsop = CBS-Ready I CBS-Illegal';; 
let cbsqkt I define-type 'cbsgkt' 'cbsgkt = CBS cbsop wordnn';; 
let CBS-Opcode = new-recursive-definition 
false cbsgkt 'CBS-Opcode' "CBS-Opcode (CBS Opcode Data) = Opcode";; 
let CBS-Data = new-recursive-definition 
false cbsgkt 'CBS-Data' "CBS-Data (CBS Opcode Data) r Data";; 
let CBS-CASES = prove-cases-thm (prove-induction-thm cbsgkt);; 
let CBS-Selectors-Work = prove-thm 
('CBS-Selectors-Work', 
"!k:cbsgkt. k = (CBS (CBS-Opcode k) (CBS-Data k))", 
THEN STRUCT-CASES-TAC (SPEC "k : cbsgkt" CBS-CASES )' 
THEN IUWRITE-TAC [CBS-Opcode;CBS-Datal 
GEN-TAC 
1;; 
&-------------------------------------------------------------------------------- 
% 
Abstract data type for the P-Port, M-Port, and R-Port Reset Master Packet. ................................................................................ 
let rmop = define-type 'mop' 'rmop = RM-NoReset I RM-Illegal';; 
let rm-pkt = define-type 'rm-pkt' 'nngkt = RM rmop';; 
let RM-Opcode = new-recursive-definition 
false rmqkt 'RM-Opcode' "RM-Opcode (RM Opcode) = Opcode";; 
let RM-CASES = prove-cases-thm (prove-induction-thm w k t ) ; ;  
let RM-Selectors-Work = prove-thm 
('M-Selectors-Work', 
"Ikrnngkt. k = (RM (RM-Opcode k))", 
OEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k:nngkt" RM-CASES) 
THEN REWRITE-TAC [RM-Opcode] 
1;; 
%-------------------------------------------------------------------------------- 
% 
Abstract data type for the C-Port Reset Master Packet. ................................................................................ 
let crmap = define-type '~~mop' 'crmop = CRM-NoReset I CRM-Illegal';; 
let crrpgkt = define-type 'crnCpkt' 'crrqpkt = CRM crmop';; 
let C R M - O ~ C O ~ ~  = new-recursive-definition 
false c m g k t  'CRM-Opcode' "CRM-Opcode (CRM Opcode) = Opcode"; ; 
let CRM-CASES = prove-cases-thm (prove-induction-tbm crm-pkt);; 
let CRM-Selectors-Work = prove-thm 
('CRM-Selectors-Work', 
"!k:cWkt. k = (CRM (CRM-Opcode k))", 
OEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k: cnn-pkt" CRM-CASES) 
TBIllJ REWRITE-TAC ICRM-Opcodel 
) i t  
%-------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------% 
let ermop = define-type 'emop = ERM-NoReset I ERM-Illegal'r; 
Abstract data type for the External Reset Master Packet. 
55 
let ermqkt = define-type 'ermqkt' 'ermqkt = ERM ennop';; 
let EN-opcode = new-recursive-definition 
false ermqkt 'ERM-Opcode' "ERM-Opcode (ERM Opcode) = Opcode"; ; 
let ERM-CASES I prove-cases-thm (prove-induction-thm ermqkt);; 
let ERM-Selectors-Work = prove-thm 
('XRM-Selectors-Work', 
"!k:ermqkt. k = (ERM (XRM-Opcode k))", 
CEN-TAC 
THEN STRUCT-CASES-TAC (SPEC "k : ermqkt '' ERM-CASES ) 
THEN REWRITE-TAC [ERM-Opcodel 
1 ;; 
close-theory();; 
C.2 Local Processor Transaction-Level Model 
File: cputransp-def.ml 
Author: (c) D.A. Pura 1993 
Date: 21 April 1993 
This file contains the ml source for the trans-level specification of the 
CPU of the FTEP PMEI, a processing module developed by the Embedded 
Processing Laboratory, Boeing Eigh Technology Center. 
% . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  
set-flag ('timing',true);; 
set-searchqath (searchqath0 8 [~/home/elvis6/dfura/ftep/piu/hol/pport/'; 
'/home/elvis6/dfura/ftep/piu/hol/lib/'; 
'/home/elvisS/dfura/ftep/piu/hol/p~/'; 
'/home/elvis6/dfura/hl/L~rary/tools/' 
1 ) ; ;  
let CPUT-BXEC = new-definition 
( ' CPUT-EXEC ' , 
" 1  (cputi :cPUpI) (e  :timeT->cput-state) (et :theT->rmqkt) 
(eq :timeT->cpurm-pkt) (el rtheT->pbsqkt) (p :timeT->pbmgkt) (t : t h T )  . 
CPUT-EXEC cputi s (er, eq, el) p t = 
(RM-Opcode (et t) = RM-NoReset) / \  
(CPURM-Opcode (eq t) = CPURM-Rqt) / \  
(PBS-OpRdy (el t) = PBS-Rdy)" 
)I; 
let CPUT-PRE = new-definition 
( 'CPUT-PRB ' , 
"! (cputi :CPUTI) ( a  :timeT->cput-state) (er :timeT->rm>kt) 
(eq :timeT->cpurmqkt) (el :theT->pbsqkt) (p :timeT->pbmqkt) (t :timeT) . 
CPUT-PRE cputi s (er, eq, el) p t = T" 
56 
1 ;; 
let CPUT-POST = new-definition 
(‘CPUT-POST’, 
“! (cputi :CPUTI) ( 8  :timeT->cput-state) (er :timeT->rmgkt) 
(eq :timeT->cpurmgkt) (el :timeT->pbsgkt) (p :timeT->pbmgkt) It :timeT) 
let lmem = (-XLEMKNT (CPUT-addrS f s  t)) 31) / \  
CPUT-POST cputi s (er, eq, el) p t = 
(-(SUBARRAY (CPUT-addrS ( 8  t)) (25,241 = WORDN 1 3 ) )  in 
let piu = (-ELEMENT (CPUT-addrS ( S  t)) 31) / \  
(SUBARRAY ICPUT-addrS ( 8  t)) 125,24) = WORDN 1 3)  in 
let cbus = ELEMENT (CPUT-addrs ( 8  t)) 31 in 
let write = CPUT-wrS ( 8  t) in 
( (PBM-Opcode (p t) = lmem => (write => PBM-WrLM I PBM-RdLM) I 
piu => (write => PBM-WrPIU I PBM-RdPIU) 
% cbus % I (write => PBM-WrCB I PBM-RdCE)) / \  
(PBM-Addr (p t) = CPUT-addrs ( 8  t)) / \  
(write I=> (PBM-Data (p t) = CPUT-dataS (s t))) / \  
(PBM-BS (p t) = CPUT-bsS ( 8  t)) / \  
(PBM-BE (p t) = CPUT-be-S ( 8  t) / \  
(-write ==> (CPUT-dataS ( 8  (t+l)) = PES-Data (el t))))” 
(PBM-Lock (p t) = CPUT-lock-S ( 8  t)) / \  / 
1;; 
let CPUT-INSTR = new-definition 
(‘CPUT-INSTR‘, 
”! (cputi :CPUTI) ( 8  :timeT->cput-state) (er :timeT->rmgkt) 
(eq :timeT->cpurmgkt) (el :timeT->pbsgkt)(p :timeT->pbmgkt) . 
CPUT-INSTR cputi s (er, eq, el) p = 
! t :timeT . 
CPUT-EXEC cputi 8 (er, eq, el) p t / \  
CPUT-PRE cputi s fer, eq, el) p t 
CPUT-POST cputi s (er, eq, el) p t” 
==> 
1; ;  
let CPUT-INTRP = new-definition 
( ’CPUT-INTRP ’ , 
”! ( a  :timeT->cput-state) (er :timeT->rmgkt) (eq :timeT->cpuzmgkt) 
(el :timeT->pbsgkt) (p :timeT->pbmgkt) . 
CPUT-INTRP s (er, eq, el) p = 
! cputi:CPUTI. CPUT-INSTR cputi s (er, eq, el) p” 
1 ; ;  
close-theory ( ; ; 
C.3 Local Memory Transaction-Level Model 
Pile: memtransp-def.ml 
Author: (c) D.A. Pura 1993 
Date: 8 September 1993 
This file contains the m l  source for the trans-level specification of the 
Local M e m o r y  of the PTEP PMM, a processing module developed by the Embedded 
Processing Laboratory, Boeing High Technology Center. 
% ................................................................................ 
set-flag (‘timing’,true);; 
set-searchgath (searchgatho (P [‘/home/elvis6/dfura/ftep/piu/hol/lib/’; 
’/home/elvis6/dfura/ftep/piu/hol/pmm/’; 
‘/home/elvis6/dfura/fteg/piu/hol/mbus/’; 
57 
'; 
1/home/elvis6/dfura/ftep/giu/hol/pport/pproc/ 
I/home/elvieS/dfura/hol/Library/tools/' 
I ) ; ;  
system 'rm memtransp-def.th';; 
new-theory 'memtransp-def';; 
map newsareat ['memtauxp_def';'memaux-def';'pamrtauxp_def';'array_def'; 
'w~rdn_def';~mbtabs~def';'memtabs~def'l;; 
new-type-abbrev ('wordn', ":num->bool") I ;  
new-type-abbrev ('wordnn', ":num->wordn");; 
%-------------------------------------------------------------------------------- 
%. 
M-Bus interpreter definition. ................................................................................ 
let m m ! - ~ ~ ~ c  = new-definition 
( 'MmuT-BxBC ' , 
"! (memti :mm!I) (s :timeT->memt-state) (e :timeT->mbmgkt) 
(p rtimeT->mbsgkt) (tm ttimeT) . 
MBMT-BXBC memti s e p tm = T" 
) I 1  
let MBMT-P~C = new-definition 
( 'mm!-PREC ' I  
"I (memti rMBMTI) ( 8  :timeT->memt-state) (e :timeT->mbm-pkt) 
(p :timeT->mbsgkt) (tm :theT) . 
MBMT-PRBC memti s e p tm = T" 
) I ;  
let I~IE~~T_POSTC = new-definition 
('MBMT-POSTC', 
" 1  (memti :MBMTI) (a  :timeT->memt-state) (e :timeT->mbm-pkt) 
(p :timeT->mbsgkt) (tm :timeT) . 
let a d r d n  I VAL 23 (BlBM-Addr (e tm)) in 
let bs = VAL 1 (MBM-BS (e tm)) in 
let adr-max I a d r d n  + bs in 
((MemtS (a  (tm+l)) = 
MBMT-POSTC memti s e p tm = 
( ( m o p c o d e  (e tm) = MBb-Wr) \ /  (BlBM-@code (e tm) = blBbf-RdWr) 
=D lMLTER (MemtS (s tm)) 
(adr-max,adr-min) 
(=-Data (e tm)) 
I Memts (s tm)) / \  
(MBS-Opcode (p tm) = MBS-Ready) / \  
(((bz~w_opcode (e tm) = D I B M - ~ )  \ /  (BlBM-Opcode (e tm) = MBM-RdWr)) 
=ID (MBS-Data (p tm) = SWARRAY (MemtS ( 8  tm)) (adr-maX,adr-min))))" 
1;; 
let MEWT_XN%T@ P new-definition 
( 'mm!-INTRP ' , 
"! ( 8  :timeT->momt-state) (e :timeT->mbmskt) (p :timeT->mbsgkt) . 
mm!-INTRP a e p = 
!tm memti. 
MEMT-BXBC memti s e p tm / \  
MBMT-PREC memti s e p tm 
MW!P-poBTC mcimti s e p tm" 
=r> 
) I ;  
let MBWT_IMTR~_ABS = new-definition 
( 'I)IEblT_INTRP_ABS', 
"! (a  rtimoT->memt-state) (e itimeT->mbnCpkt) (p :tbeT->mbsgkt) 
(a'  rtimeC->matate) (e' :timec->mb-sin) (p' rtimeC->mb-sout) . 
KEMT-INTRP-ABS s e p 8' et p' = 
! tm. 
let tm' = at8. NTH-TIMB-CHANGBS-TRUB tm (cs-gig-mbs e') 0 t' in 
let tm'suc I et'. NTH-TR+YB-CBANQBS_TRW (SUC tm) (cs-sig-mbs 0') 0 t' in 
let tm'done = et'. STABLE-TRUE-THEatpALSB (cs-sip-mbs e') (tm',t') in 
(((e tm, p tm) = MB-s~ll%'-mS e' p' (tm', tm#suc)) / \  
58 
C.4 M-Port Transaction-Level Model 
59 
1; ;  
let MT-PREC = new-definition 
( 'MTPREC ' , 
"! (mti :MTI) (ei :timeT->pbmgkt) (pm :timeT->mbmqkt) (em :timeT->mbs-pkt) 
(pi :timeT->ibsqkt) (er :timeT->rm-pkt) (ti :timeT) . 
MT-PREC mti (ei,em,er) (pm,pi) ti = T" 
1; ;  
let MT-POSTC = new-definition 
('MT-POSTC', 
"! (rep :"REP) (mti :MTI) (ei :timeT->pbm-pkt) (pm :timeT->mbm-pkt) 
(em :timeT->mbsqkt) (pi :timeT->ibagkt) (er :timeT->rmgkt) 
(ti tm :timeT) . 
let bs = VAL 1 (PBM-BS (ei ti)) in 
((IBS-Opcode (pi til = 
(mti = MT-Rd) => IBS-Ready I 
(mti = MT-Wr) => IBS-Ready I 
%(mti = MT-Idle)% IBS-Idle) / \  
MT_POSTC rep mti (ei,em,er) (pm,pi) (ti,tm) = 
((mti = MT-Rd) 
==> (MBS-Opcode (em tm) = MBS-Ready) 
E=> (IBS-Data (pi ti) = 
W N  bs (Ham-Dee rep) (MBS-Data (em tm)))) / \  
(-(mti = MT-Idle) 
==> ((MBM-opcode fpm tm) = 
(mti = MT-Rd) => MEM-Rd I 
((mti = MT-Wr) / \  (PBM-BE (ei ti) = WORDN 3 15)) => W - W r  I 
MEb-RdWr) / \  
(MBM-Ada (pm tm) = PBM-Addr (ei ti)) / \  
( (mti = MT-Wr) 
==> (=-Data (pm tm) = 
let be = PBM-BE (ei tm) in 
MAP-LISTN ba 
[ (Ham-Enc rep) o 
(\f. BYTE-MUXN 31 be (ELEmNT(PBM-Data(ei ti)) 0 )  f)i 
(Ham-Enc rep) o 
(\f. BYTE-MUXM 31 be (ELEmNT(PBM-Data(ei ti)) 1) f) i 
(Ham-Enc rep) o 
(\f. BYTE-MUXN 31 be (ELEMENT(PBM-Data(ei ti)) 2 )  f); 
(H-Enc rep) 0 
(\f. BYTE-MUXN 31 be (ELEMBNT(PBM-Data(ei ti)) 3) f)l 
(MAPN ba (Ham-Dec rep) (MBS-Data (em tm))))) / \  
(MBM-BS (pm tm) = PBM-BS (ei ti)))))" 
1;; 
let m-1- = new-definition 
('MT-INTRP', 
"1 (rep :"REP) (ei rtimeT->pbmgkt) (pm :timeT->mbm-pkt) 
(em rtimeT-xubagkt) (pi :timeT->ibaqkt) (er :timeT->rmgkt) . 
MT-INTRP rep (ei,em,er) (pm,pi) = 
!ti tm mti. 
MT-EXEC mti (ei,em,er) [pm,pi) ti / \  
MT-PREC mti (ei,em,er) (pm,pi) ti 
M'T-PoS'K: rep mti (ei,em,er) (pm,pi) (ti,tm)" 
==> 
1;; 
let blT_INTRP_ABS = new-definition 
( 'MT-INTW-ABS ' , 
"1 (ei :timeT->pbmgkt) (em :timeT->mbsgkt) (pm :timeT->mbm-pkt) 
(pi :tiaieT->ibsqkt) [er :timeT->rmskt) lei' :timeC->ib-sin) 
(em' :timec->mb-min) (er' :timeC->su-mout) (pm' :timeC->mb-mt) 
(pi' : timeC->ib-aout) . 
MT-INTRP_ABS (ei,em,er) (pm,pi) (ei',em',er') (pm',pi') = 
LU. 
let ti' = at.. NTH-TIME-TRUE u (ale-aig-iba ei') 0 t' in 
let ti'suc = Qt'. NTH-TIMIS-TRW (SUC u) (ale-sig-ibs ei') 0 t' in 
let tm' = at'. NTH-TIMB-CHANGES-TRW u (ca-aig-mbm pm') 0 t' in 
let tm'auc = at'. NTH-TIME-CBANOES-TRW (SUC u) (ca-aig-mbm Pm') 0 t' in 
60 
(((ei u, pi u) = (IB-SLA~&J~BS ei' pi' (ti',ti'suc))) / \  
((pmu, em u) t (MB-MASTER-ABS pm' em' (tm',tm'auc))) / \  
((er u) = RST-ABS er'))" 
);; 
let MT-INTRP-LIVE = new-definition 
('MT-INTRP-LIVE'. 
"! (ei :timeT->pbmqkt) (em :timeT->mbsqkt) (pm :timeT->mbmqkt) 
(pi :thT->ibsgkt) (er :timeT->rmgkt) (ei' :timeC->ib-sin) 
(em' :timec->mb-min) (er' :timeC->su-mout) (pm' :timeC->mb_mout) 
(pi' :timec->ib-sout) . 
MT-IMTRP-LIVE (ei, em, er (pm,pi) ( ei' em' I er ' 1 (pm' ,pi ' 1 = 
!ti mti. 
MT-EXEC mti (ei,em,er) (pm,pi) ti 
==> ?ti'. NTH_TIKE-TRZTX ti (ale-sip-ibs ei') 0 ti' / \  (ti' > 0) ' '  
1;; 
close-theory0 i; 
61 
I REPORT DOCUMENTATION PAGE I Form Approved OMB NO. 0704-0188 
I 
Public rewaning burden for Ihis CollectiOn of information !s estlmatea 10 average 1 hour per response. including the time for rewewing instructions. rearching existing data sources. 
gathering and maintaining the data needed. and completing and reviewing the collecrion 01 information Send comments r arding this burden estimate or any other aspen of this 
collenion of information. mcludlng suggestions for reducing this buraen to Washmgton Headquaners Services. Direnorate?or information Operations and Reports. 1215 Jefferson 
Davis Highway. Suite 1204. Arlington. VA 222024302 ana to the OHice 01 Managemenr and Budget. PaDerwOrk Reduction Project(0704.0188). Washington. DC 20503 
1. AGENCY USE ONLY (Leave blank) 3 REPORT TYPE AND DATES COVERED 
Contrac 
4. TITLE AND SUBTITLE Interpreter Composition Issues in the Formal 
Verification of a Processor-Memory Module 
David A, Pura 
Gerald C. Cohen 
The .Boeing Company 
P.O. Box 3707 
Seattle, WA 98124-2207 
National Aeronautics and Space Administration 
Langley Research Center 
Hampton, VA 23681-0001 
Final Report 
or Report 
5. FUNDING NUMBERS 
C NAS1-18586 
WTJ 505-64-50-04 
8. PERFORMING ORGANIZATION 
REPORT NUMBER 
10. SPONSORING/MONlTORlNG 
AGENCY REPORT NUMBER 
NASA CR-4594 
13. ABSTRACT (Maximum 200 words) 
This report describes interpreter composition techniques suitable 
for the formal specification and verification of a processor-memory 
module using the HOL theorem-proving system. 
module is a multi-chip subsystem within a fault-tolerant embedded 
system under development within the Boeing Defense and Space Group. 
Modelling and verification methods were developed that permit provabl! 
secure composition at the transaction-level of specification 
significantly reducing the complexity of the hierarchical verificatioi 
of the system. 
The processbr-memory 
NSN 7540-01-280-5500 Standard Form 298 (Rev 2-89) 
Prescribed by ANSI Std 239.18 
298-102 
