Proof Planning for Automating Hardware Verification by Cantu-Ortiz, Francisco Javier

















iAbstractIn this thesis we investigate the applicability of proof planning to automate the veri-cation of hardware systems. Proof planning is a meta-level reasoning techniquewhich captures patterns of proof common to a family of theorems. It contributesto the automation of proof by incorporating and extending heuristics found in theNqthm theorem prover and using them to guide a tactic-based theorem prover inthe search for a proof. We have addressed the automation of proof for hardwareverication from a proof planning perspective, and have applied the strategies andsearch control mechanisms of proof planning to generate automatically customisedtactics which prove conjectures about the correctness of many types of circuits.The contributions of this research can be summarised as follows: (1) we show byexperimentation the applicability of the proof planning ideas to verify automatic-ally hardware designs; (2) we develop and use a methodology based on the conceptof proof engineering using proof planning to verify various combinational and se-quential circuits which include: arithmetic circuits (adders, subtracters, multipli-ers, dividers, factorials), data-path components (arithmetic logic units, shifters,processing units), and a simple microprocessor system; and (3) we contribute tothe proling of the Clam proof planning system by improving its robustness andeciency in handling large terms and proofs.In verifying hardware, the user formalises a problem by writing the specic-ation, the implementation and the conjecture, using a logic language, and asksClam to compose a tactic to prove the conjecture. This tactic is then executedby the Oyster prover. To compose a tactic, Clam uses a set of methods whichimplement heuristics that specify general-purpose tactics, and AI planning mech-anisms. Search is controlled by a type of annotated rewriting called rippling, whichcontrols the selective application of rewrites called wave rules. We have extendedsome of the Clam's methods to verify circuits. The size of the proofs were ordersof magnitude larger than the proofs that had been attempted before with proofplanning, and are comparable with similar verication proofs obtained by othersystems, but using fewer lemmas and less interaction.Proof engineering refers to the application of formal proof for system designand verication. We propose a proof engineering methodology which consists ofpartitioning the automation of formal proof into three dierent kind of tasks:user, proof and systems tasks. User tasks have to do with formalising a particularverication problem and using a formal tool to obtain a proof. Proof tasks referto the tuning of proof techniques (e.g. methods and tactics) to help obtain aproof. Systems tasks have to do with the modication of a formal tool system.By making this distinction explicit, proof development is more manageable. We
iiconjecture that our approach is widely applicable and can be integrated into formalverication environments to improve automation facilities, and be utilised to verifycommercial and safety-critical hardware systems in industrial settings.
iiiAcknowledgementsFirst and foremost I would like to express my deep gratitude to my supervisorsProf. Alan Bundy, Dr. Alan Smaill and Prof. David Basin. Their support, ad-vice, friendship and encouragement, often beyond duty, have been invaluable. Iwould like to express my appreciation to Toby Walsh and James Molony for theircomments and discussions on drafts of the thesis; to Andrew Ireland, Ian Green,Gordon Reid, Raul Monroy, Hugo Terashima and Santiago Negrete for all the sup-port provided; and to the members of the Mathematical Reasoning Group whocreated such a productive and research environment. I thank Peter and FlorenceSinclair through whom I met the superb Scottish hospitality. I would like to ex-press my deep gratitude to Dr. Fernando J. Jaimes (ITESM) for his support,encouragement and patience during my graduate studies. I thank Leticia Rodrig-uez, Moraima Campbell, Manuel Valenzuela, Rogelio Soto, Jose Escamilla, PabloRamirez, Ramon Brena and the members of the Center for Articial Intelligenceat ITESM; I am indebted to my mother Raquel, my brother Humberto and mysisters Hilda, Maria de la Luz and Raquel; my parents-in-law Hector and Carmenand all the members of my family. I thank my examiners Prof. Michael Gordon,University of Cambridge and Prof. Michael Fourman, University of Edinburghfor their thoughtful comments and feedback on the thesis. Finally, I gracefullyacknowledge the nancial support of CONACYT and ITESM. God bless you all.
ivDedicationI dedicate this thesis to Carmen, my wife, and to our children Francisco, Hector,Eduardo and Marycarmen. My deepest thanks for your love, patience, prayersand care, which made this dream a reality.
vDeclarationI hereby declare that I composed this thesis entirely myself and that it de-scribes my own research. Portions of the work described here have been publishedpreviously in [Cantu et al 96].
Francisco J. Cantu-OrtizEdinburghJune 12, 1997
Table of Contents1. Introduction 11.1 Overview : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 11.2 Motivation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 41.3 Contributions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 61.4 Organisation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 62. Background 82.1 Verication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 82.1.1 Hierarchical Verication : : : : : : : : : : : : : : : : : : : : 92.2 Components : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 102.2.1 Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : 102.2.2 Implementation : : : : : : : : : : : : : : : : : : : : : : : : : 122.2.3 Relationship : : : : : : : : : : : : : : : : : : : : : : : : : : : 152.2.4 Functional versus relational verication : : : : : : : : : : : : 162.3 Approaches to Formal Verication : : : : : : : : : : : : : : : : : : : 192.3.1 Logic : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 192.3.2 Propositional Logic : : : : : : : : : : : : : : : : : : : : : : : 212.3.3 First-Order Logic : : : : : : : : : : : : : : : : : : : : : : : : 222.3.4 Boyer-Moore Computational Logic : : : : : : : : : : : : : : 22vi
Table of Contents vii2.3.5 Higher-Order Logic : : : : : : : : : : : : : : : : : : : : : : : 242.3.6 Intuitionistic Logic : : : : : : : : : : : : : : : : : : : : : : : 252.3.7 Modal Logic : : : : : : : : : : : : : : : : : : : : : : : : : : : 252.3.8 Mu Calculus : : : : : : : : : : : : : : : : : : : : : : : : : : : 262.3.9 Other Approaches to Hardware Verication : : : : : : : : : 262.4 Verication Environments : : : : : : : : : : : : : : : : : : : : : : : 292.4.1 Theorem provers : : : : : : : : : : : : : : : : : : : : : : : : 292.4.2 Model/equivalence checkers : : : : : : : : : : : : : : : : : : 332.5 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 353. Proof Planning 363.1 Methods : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 363.2 Inductive Proof Planning : : : : : : : : : : : : : : : : : : : : : : : : 433.2.1 Rippling : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 443.2.2 Fertilisation : : : : : : : : : : : : : : : : : : : : : : : : : : : 523.3 An example : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 543.4 Clam-Oyster : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 573.4.1 Oyster : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 573.4.2 Clam : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 583.5 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 594. Hardware Verication 604.1 Basic elements : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 604.1.1 Types : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 604.1.2 Operations : : : : : : : : : : : : : : : : : : : : : : : : : : : : 63
Table of Contents viii4.1.3 Conversion functions : : : : : : : : : : : : : : : : : : : : : : 654.2 A non-inductive proof : : : : : : : : : : : : : : : : : : : : : : : : : 664.2.1 Formalisation : : : : : : : : : : : : : : : : : : : : : : : : : : 664.2.2 Verication : : : : : : : : : : : : : : : : : : : : : : : : : : : 674.3 An inductive proof : : : : : : : : : : : : : : : : : : : : : : : : : : : 694.3.1 Formalisation : : : : : : : : : : : : : : : : : : : : : : : : : : 694.3.2 Verication : : : : : : : : : : : : : : : : : : : : : : : : : : : 714.4 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 745. A Methodology 755.1 A Proof Engineering based Methodology : : : : : : : : : : : : : : : 765.2 Combinational circuits : : : : : : : : : : : : : : : : : : : : : : : : : 795.2.1 An n-bit adder : : : : : : : : : : : : : : : : : : : : : : : : : 795.2.2 Arithmetic Logic Unit : : : : : : : : : : : : : : : : : : : : : 835.2.3 Multiplier : : : : : : : : : : : : : : : : : : : : : : : : : : : : 885.3 A sequential circuit : : : : : : : : : : : : : : : : : : : : : : : : : : : 915.3.1 User tasks : : : : : : : : : : : : : : : : : : : : : : : : : : : : 935.3.2 Proof tasks : : : : : : : : : : : : : : : : : : : : : : : : : : : 1055.3.3 Systems tasks : : : : : : : : : : : : : : : : : : : : : : : : : : 1075.4 Extendability and Scalability : : : : : : : : : : : : : : : : : : : : : 1085.4.1 Extendability : : : : : : : : : : : : : : : : : : : : : : : : : : 1085.4.2 Scalability : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1095.5 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 110
Table of Contents ix6. Extensions to Proof Planning 1126.1 Proof level : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1136.1.1 Methods and tactics : : : : : : : : : : : : : : : : : : : : : : 1156.1.2 Induction Schemes : : : : : : : : : : : : : : : : : : : : : : : 1196.1.3 Equations : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1206.2 Systems level : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1206.2.1 Predicates : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1216.2.2 Debugging and versions of Clam : : : : : : : : : : : : : : : : 1216.3 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1227. Results 1237.1 Experiments : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1237.2 Analysis : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1267.2.1 Analysis of human timings : : : : : : : : : : : : : : : : : : : 1267.2.2 Analysis of experiments : : : : : : : : : : : : : : : : : : : : 1277.2.3 Analysis of object-level times : : : : : : : : : : : : : : : : : 1347.2.4 Analysis of hierarchical proofs : : : : : : : : : : : : : : : : : 1357.2.5 Analysis of lemmas : : : : : : : : : : : : : : : : : : : : : : : 1357.3 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1418. Related and future work 1428.1 Related work : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1428.1.1 NQTHM : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1438.1.2 HOL : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1448.1.3 PVS : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 145
Table of Contents x8.1.4 VERIFY : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1458.1.5 MONA : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1468.1.6 VOSS : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1468.1.7 Comparison : : : : : : : : : : : : : : : : : : : : : : : : : : : 1478.2 Future Work : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1488.2.1 Interface with other provers : : : : : : : : : : : : : : : : : : 1498.2.2 Temporal logic : : : : : : : : : : : : : : : : : : : : : : : : : 1528.2.3 Heuristic search : : : : : : : : : : : : : : : : : : : : : : : : : 1548.2.4 Interface to a HDL : : : : : : : : : : : : : : : : : : : : : : : 1548.2.5 Propositional reasoning : : : : : : : : : : : : : : : : : : : : : 1558.2.6 Lemma speculation : : : : : : : : : : : : : : : : : : : : : : : 1558.2.7 Automatic generation of induction schemes : : : : : : : : : : 1558.2.8 Higher-order rippling : : : : : : : : : : : : : : : : : : : : : : 1568.2.9 Relational verication : : : : : : : : : : : : : : : : : : : : : 1568.2.10 Microprocessor verication : : : : : : : : : : : : : : : : : : : 1568.3 Summary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1579. Conclusions 158A. Object level denitions 179A.1 Types : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 179A.2 Operations on types : : : : : : : : : : : : : : : : : : : : : : : : : : 179A.2.1 Booleans : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 179A.2.2 Natural numbers : : : : : : : : : : : : : : : : : : : : : : : : 180A.2.3 Lists : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 181
Table of Contents xiA.2.4 Words : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 181A.3 Conversion functions : : : : : : : : : : : : : : : : : : : : : : : : : : 181A.4 Conditional functions : : : : : : : : : : : : : : : : : : : : : : : : : : 182B. Non recursive circuits 183B.1 Half adder : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 183B.2 Full adder : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 183B.3 1-bit ALU : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 184B.4 4-1 Multiplexer : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 184C. Incrementer 186C.1 Formalisation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 186C.2 Proof plan : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 186C.3 Proof : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 188C.4 Methods : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 188D. Multiplier 189D.1 Formalisation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 189D.2 Lemmas : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 189D.3 Proof : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 190D.4 Methods : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 190E. Gordon computer 191E.1 Formalisation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 191E.2 Proof plan : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 201E.3 Proof : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 205E.4 Methods : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 206
Table of Contents xiiF. Other circuits 207F.1 Adder : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 207F.1.1 Explicit parameter : : : : : : : : : : : : : : : : : : : : : : : 207F.1.2 Big endian : : : : : : : : : : : : : : : : : : : : : : : : : : : : 207F.2 ALU : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 208F.2.1 Explicit parameter : : : : : : : : : : : : : : : : : : : : : : : 208F.2.2 Big endian : : : : : : : : : : : : : : : : : : : : : : : : : : : : 208F.3 Shifter : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 209F.4 Processing unit : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 210F.5 Other arithmetic operations : : : : : : : : : : : : : : : : : : : : : : 210F.5.1 Adder : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 210F.5.2 Multiplier : : : : : : : : : : : : : : : : : : : : : : : : : : : : 211F.5.3 Exponentiator : : : : : : : : : : : : : : : : : : : : : : : : : : 211F.5.4 Factorial : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 211F.5.5 Subtracter : : : : : : : : : : : : : : : : : : : : : : : : : : : : 211F.5.6 Divider : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 212F.5.7 Counter : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 212G. Methods 213G.1 Symbolic evaluation : : : : : : : : : : : : : : : : : : : : : : : : : : : 213G.2 Generalise : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 214G.3 Normalise : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 214G.4 Induction strategy : : : : : : : : : : : : : : : : : : : : : : : : : : : 215G.5 Elementary : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 215G.6 Use of equation in hypothesis : : : : : : : : : : : : : : : : : : : : : 216
Table of Contents xiiiG.7 Evaluate denition : : : : : : : : : : : : : : : : : : : : : : : : : : : 216G.8 Term cancellation : : : : : : : : : : : : : : : : : : : : : : : : : : : : 217G.9 Boolean case analysis : : : : : : : : : : : : : : : : : : : : : : : : : : 217G.10 Memoise recursive function : : : : : : : : : : : : : : : : : : : : : : : 218G.11 Weak fertilise : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 219
List of Figures2{1 Modelling the structure of a device : : : : : : : : : : : : : : : : : : 163{1 Method components : : : : : : : : : : : : : : : : : : : : : : : : : : 373{2 Data base of methods : : : : : : : : : : : : : : : : : : : : : : : : : : 393{3 Method eval def : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 423{4 A Proof Plan for Induction : : : : : : : : : : : : : : : : : : : : : : : 433{5 Structure of proof plan : : : : : : : : : : : : : : : : : : : : : : : : : 554{1 1-bit Full adder : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 674{2 Structure of proof plan for verifying the full adder : : : : : : : : : : 684{3 Implementation of n-bit incrementer : : : : : : : : : : : : : : : : : 704{4 Structure of the proof plan for n-bit incrementer : : : : : : : : : : : 715{1 Proof plan for the n-bit Adder : : : : : : : : : : : : : : : : : : : : : 815{2 Hardware Design of a 1-bit ALU : : : : : : : : : : : : : : : : : : : : 855{3 Proof plan for the n-bit ALU : : : : : : : : : : : : : : : : : : : : : 865{4 Proof plan for the nm-bit multiplier : : : : : : : : : : : : : : : : : : 895{5 Specication of the Gordon computer : : : : : : : : : : : : : : : : : 955{6 Register-transfer level implementation of the Gordon computer : : : 965{7 Proof plan for the Gordon computer : : : : : : : : : : : : : : : : : 102xiv
List of Figures xv5{8 Extendability and scalability of proof planning : : : : : : : : : : : : 1096{1 Verify: set of methods for hardware verication : : : : : : : : : : : 1136{2 Method for term cancellation : : : : : : : : : : : : : : : : : : : : : 1166{3 Method for Boolean case analysis : : : : : : : : : : : : : : : : : : : 1176{4 Method for memoisation : : : : : : : : : : : : : : : : : : : : : : : : 1188{1 LAMBDA proof for the associativity of addition : : : : : : : : : : : 1508{2 Proof plan for the associativity of addition : : : : : : : : : : : : : : 1519{1 Extendability and scalability of proof planning : : : : : : : : : : : : 160
Chapter 1Introduction
1.1 OverviewThis thesis is about the application of proof planning to the automation of formalverication in the hardware domain. Given an implementation of a circuit and aspecication of its behaviour, formal verication shows that the implementationmeets the specication. The specication and the implementation are expressedas formulae in a formal system, the relationship between the specication and theimplementation is stated by a conjecture and the proof that the implementationmeets the specication is obtained by using a calculus associated to the formalsystem.Proof planning is a meta-level reasoning technique for the global control ofsearch in automatic theorem proving. A proof plan captures common patternsof reasoning in a family of similar proofs and is used to guide the search fornew proofs in the family. Proof planning combines two standard approaches toautomated reasoning: the use of tactics and the use of meta-level control. Themeta-level control is used to build large complex tactics from simpler ones andalso abstracts the proof, highlighting its structure and the key steps. The maincomponent of proof planning is a collection of methods. Amethod is a specicationof a tactic. A tactic is a program that applies one or more rules of inference during1
Chapter 1. Introduction 2a proof. A method consists of an input formula (a sequent), preconditions, outputformulae, postconditions, and a tactic. A method is applicable if the goal to beproved matches the input formula of the method and the method's preconditionshold. The preconditions, formulated in a meta-logic, specify syntactic propertiesof the input formula and contain heuristics to constrain search. Using the inputformula and preconditions of a method, proof planning can predict if a particulartactic will be applicable without actually running it. The output formulae (theremay be none) determine the new subgoals generated by the method and give aschematic description of the formulae resulting from the tactic application. Thepostconditions specify further syntactic properties of these formulae. For eachmethod there is a corresponding general-purpose tactic associated to that method.Methods can be combined at the meta-level in the same way tactics are combinedusing tacticals. The process of reasoning about and combining methods is calledproof planning. When planning is successful it produces a tree of methods, called aproof plan. A proof plan yields a composite tactic, which is built from the tacticsassociated with each method, custom designed to prove the current conjecture.Proof plan construction involves search. However, the planning search space istypicallymany orders of magnitude smaller than the object-level search space. Onereason is that the heuristics represented in the preconditions of the methods ensurethat backtracking during planning is rare. Another reason is that the particularmethods used have preconditions which strongly restrict search, though in certaindomains they are very successful in constructing proofs. There is of course aprice to pay: the planning system is incomplete. However, this has not proved aserious limitation of the proof planning approach in general [Bundy et al 91] norin our work where proof plans were found for all experiments we tried. The planformation system upon which our work is built is called Clam. Methods in Clamspecify tactics which build proofs for a theorem proving system called Oyster,which implements a type theory similar to Nuprl's [Bundy et al 90].A number of methods have been developed in Clam for inductive theoremproving and we used these extensively to prove theorems about parameterisedhardware designs. Induction is particularly dicult to automate as there are a
Chapter 1. Introduction 3number of search control problems including selection of an induction rule, de-ciding a case split, possible generalisations and lemma speculation, etc. It turnsout, though, that many induction proofs have a similar shape and a few tacticscan collectively prove a large number of the standard inductive theorems. Theinduction strategy ind strat is a method for applying induction and handlingsubsequent cases. After the application of induction, the proof is split into one ormore base and step cases. The sym eval method attempts to solve the base caseusing simplication and propositional reasoning. If necessary, another inductionmay be applied. The step case method consists of two parts: rippling and fertil-isation. The rst part is implemented by the ripple method. Rippling is a kindof annotated rewriting where annotations are used to mark dierences betweenthe induction hypothesis and conclusion. Rippling applies annotated rewrite rules(called wave-rules which are applied with the wave method) which minimise thesedierences. Rippling is goal directed and manipulates just the dierences betweenthe induction conclusion and hypothesis while leaving their common structure pre-served; this is in contrast to rewriting based on normalisation, which is used inother inductive theorem provers such as Nqthm [Boyer & Moore 79]. Rippling alsoinvolves little search, since annotations severely restrict rewriting. The second partof the step case, fertilisation, can apply when rippling has succeeded (e.g. whenthe annotated dierences are removed or moved `out of the way', for example, tothe root of the term). The fertilisemethod then uses the induction hypothesisto simplify the conclusion.The research reported in this thesis investigates how all these features of proofplanning can be transported and extended to deal with the multiple problems thatarise in automating hardware verication.
Chapter 1. Introduction 41.2 MotivationFabrication of hardware systems has become an increasingly dicult activity dueto the growing complexity of the tasks the systems perform. Detecting errors aftera commercial circuit has been fabricated may represent important economic lossesfor a hardware company. A recent example of this situation is the design error inthe division algorithm of Intel's Pentium microprocessor that was detected afterfabrication and when the product was in the market. Simulation, the traditionaltechnique used to test circuit designs cannot validate all of the enormous amountof inputs that exist in an typical circuit because of the combinatorial explosion ofthe search space. Formal methods promise to overcome this problem by developingmathematical proofs of correctness which are independent of the size of the circuit,increasing in this way the condence in the correctness of the hardware designs.For instance, formal verication has been used post hoc to detect the error in thedivision algorithm of the Pentium microprocessor [Moore et al 96,Rue et al 96].Although mathematical proof is a desirable feature, formal methods face their owndiculties which prevent them from being widely accepted and used by industryin a regular way [Saiedian 96]. Interest of industry in formal methods has centredmainly on `push-button' systems based on model checking where weak decidablelogics and ecient algorithms are used for problem specication and verication,but these systems are limited and cannot be applied to many important classes ofproblems such as those requiring hierarchical representations. On the other hand,systems based on more expressive logics are often resisted because translating thespecication and the implementation requires expertise in logic, proof constructionis not automated, and most companies are not willing to invest time and money intechnologies which are still in an embrionic stage as in the case interactive theoremproving.To increase the acceptance of formal methods in domains with undecidableverication problems, we must automate proof construction as much as is prac-tically possible [Rushby 96]. One of the main problems to overcome is the large
Chapter 1. Introduction 5search space for proofs. Even when semi-decision procedures like resolution areavailable, completely automated theorem proving is not viable because such tech-niques are too general and cannot exploit structure in the problem domain torestrict search. Heuristics, combined with user interaction to overcome incom-pleteness have become a useful resource. One example of this is the systemNQTHM [Boyer & Moore 88], which uses a xed set of heuristics to automatethe construction of proofs by induction. Proof construction is automated butsometimes the user must interrupt the prover and suggest lemmas to stop it fromexploring an unsuccessful branch. A second example is embodied by tactic-basedproof development systems like HOL, LAMBDA, PVS, and NUPRL (describedin section 2.4), where users themselves raise the level of automation by writingtactics for particular problem domains. Incompleteness is addressed by interactiveproof construction, whereby, instead of writing a 'super-tactic' which works in allcases, users interactively combine tactics to solve the problem at hand and directlyprovide heuristics.Our motivation comes from the desire to combine the best of these two ap-proaches, providing automation comparable to systems like NQTHM and oeringincreased exibility by supplying heuristics and new domain specic proof proced-ures like in the tactic approach. Proof planning attempts to automate decisions likethe choice of induction scheme and variables, case splits, generalisations, lemmaspeculation, and the like, which are usually specied by the user when writingtactics, as well as the process of assembling a particular tactic for a given conjec-ture by using AI planning techniques. We will explore how these features of proofplanning can be utilised to guide Oyster, a theorem prover similar to NUPRL, inverifying hardware.
Chapter 1. Introduction 61.3 ContributionsThe main contribution of this thesis is in the area of proof automation for the hard-ware verication domain in a tactic-based setting: we demonstrate by experiment-ation the viability of using proof planning for guiding the automatic constructionof customised tactics for the verication of hardware designs of small and mediumsize scale, and conjecture that proof planning can be scaled-up to verify more com-plex circuits of the type typically found in modern commercial applications. Wedevelop a proof engineering methodology using proof planning to verify variouscombinational and sequential circuits which include: arithmetic circuits (adders,subtracters, multipliers, dividers), data-path components (arithmetic logic units,shifters, processing units), and a simple microprocessor system, using few lemmascompared to other systems. We also contribute to the proling of the Clam proofplanning system to improve its robustness and eciency in handling large termsand proofs.1.4 OrganisationThe thesis is organised as follows: chapter 2 presents the background and a surveyon formal methods for hardware verication; chapter 3 presents an overview ofproof planning and its application to inductive theorem proving; chapter 4 usestwo examples to introduce the basic ideas of proof planning for hardware verica-tion; chapter 5 describes a methodology for hardware verication based on proofplanning and the concept of proof engineering; chapter 6 describes the extensionsto proof planning for verifying hardware; chapter 7 presents experiments for hard-ware verication, statistics of the experiments and an analysis of the statistics aswell as a description of the experiments; chapter 8 describes related and futurework; and chapter 9 presents conclusions.
Chapter 1. Introduction 7Appendix A describes some basic elements for hardware verication: types,operations on types, conversion functions and conditional functions. The rest ofthe appendices describe the main experiments in verifying hardware with proofplanning: appendix B describes non-recursive combinational circuits; appendix Cexplains a bit incrementer; appendix D describes a multiplier; appendix E describesthe Gordon computer; and appendix F describes other circuits. Finally, appendixG displays the main methods used in the proofs.
Chapter 2BackgroundFormal methods for hardware verication is an active area of research and eortsare being made to transfer its techniques to solve problems of industrial scale. Inthis chapter we present a summary of basic concepts and a brief survey of formalmethods for hardware verication. More comprehensive and extended surveys arepresented in [Yoeli 90] and [Gupta 91]. Section 2.1 describes formal verication;section 2.2 characterises the components of the verication problem; section 2.3describes the approaches to formal hardware verication; section 2.4 describes themain hardware verication environments and the work done in them; and section2.5 presents a summary of the chapter.2.1 VericationVerication consists of establishing a formal relationship between a specicationand an implementation of a system. That is, showing that:8x1 : 1 : : :8xn : n: Cond ! S(x1 : : : xn) R I(x1 : : : xn)where x1 : : : xn are variables of type 1 : : : n respectively which represent inputs oroutputs to the system. R is some mathematical relation like equivalence, implic-ation or equality and some others. Cond represent some conditions, S(x1 : : : xn)represents the specication and I(x1 : : : xn) the implementation. This is known8
Chapter 2. Background 9as the verication problem. Formal here means the use of a mathematical frame-work for describing and solving the problem. A formal system is a mathematicalframework for reasoning about a problem and its possible solutions. It providesa mathematical description language, and a calculus (or proof system) for prov-ing conjectures in the theory associated with the formal system. The vericationproblem is given as a conjecture where the specication S, the implementation I,and the relationship R between S and I are expressed using the language of theformal system, and the calculus is used to prove that the implementation and thespecication satisfy the relationship. Two important aspects of the mathematicallanguage are its syntax and its semantics. The former has to do with the rules forwriting valid formulae, the latter is concerned with the meaning of formulae. Adeductive calculus formed by a set of axioms and a set of inference rules, is thebest well-known technique for proving conjectures in the formal system and hasbeen widely applied to the verication problem.2.1.1 Hierarchical VericationSystem complexity is frequently dealt with by recursively decomposing the systeminto simpler interrelated systems yielding a hierarchy of components at dierentlevels of abstraction. A specication and implementation of the system is given foreach level. In this hierarchy, a system implementation at a certain level serves asthe specication of the system at the next level in the hierarchy. The vericationsof the system at two consecutive levels in the hierarchy can then be composed togive a verication of a system implementation with respect to a more abstract spe-cication. This procedure can be extended to other levels to achieve a vericationof the bottom level implementation with respect to the top level specication. In[Moore 89], J Moore presents such a methodology for the hierarchical vericationof systems specied in the Boyer-Moore logic.
Chapter 2. Background 102.2 ComponentsThere are three components of the verication problem: the specication, theimplementation and the relationship between them. In this section we characteriseeach of these components.2.2.1 SpecicationThe specication of a system describes what the system should do. It is an ab-stract description of its external behaviour. Details about the internal workingof the system are ignored by the specication and left to the implementation.The specication must include external inputs and outputs which are relevant tothe designer, and a relation between inputs and outputs. The following aspectswhich help the designer in understanding the specication will now be discussed:abstraction mechanisms, properties, veriable specications, executable specica-tions, and representation formalisms.AbstractionAbstraction mechanisms for hardware verication were rst identied by Melhamand are described in [Melham 88]. These include the following: Structural. This type of abstraction consists of hiding internal connectionsand components of a system, displaying just the external aspects; Behavioural. This type of abstraction allows the designer to write partialspecications of a system. This means that there are inputs of the systemwhich are left undened and treated as \don't cares"; Data. This type of abstraction allows the designer to map one data type(e.g. binary numbers) into another data type (e.g. decimal numbers)
Chapter 2. Background 11 Temporal. This type of abstraction allows the designer to map a time-scale(e.g. micro-operations time scale) into another time scale (e.g. programminginstruction time scale)System propertiesThe specication of a system describes properties of the system which are of par-ticular interest. This includes safety properties, e.g. two devices cannot accesssimultaneously their bus; liveness properties, e.g. a device will eventually be al-lowed to access its bus; and timing properties, e.g. a device will access its buswithin 5 seconds. These properties are modelled using logics to reason about timeand events.Veriable specicationsA specication can either be assumed correct or can be veried with respect togiven criteria. This denes a hierarchy of specications, as these criteria can inturn be veried with respect to more abstract criteria, until we reach a criterionwhich is assumed correct.Expressive specicationsExpressiveness is determined by the kind of formalism employed to write the spe-cication. With some formal languages, we can express more facts than we canwith others. As we will see in section 2.3, higher-order logic is more expressivethan rst-order logic, which is more expressive than propositional logic. High ex-pressivity is an important feature, because it allows the designer to write compactand broad denitions, facilitating in this way the formalisation task from the userpoint of view, although transferring the verication eort to the machine.
Chapter 2. Background 12Executable specicationsA specication can be described in a language which is executable, and tested onconcrete input data, e.g. a set of denitions given in Lisp. This feature helps thedesigner in writing and debugging the specications. But there is a trade-o since,in general, executable specications tend to be less expressive than non-executablespecications.Representation formalismsMany representation formalisms exist for describing specications. Among themost common are logical formulae (functional or relational), nite-state machines(either automata or state-transition graphs), and trace structures [Yoeli 90]. Whichformalism is used determines the type of proof methods that can be used to reasonabout the specication.2.2.2 ImplementationThe implementation of a system indicates how the system does what it should do.For a hardware system this may be a design displaying its components, inputs andoutputs, and connections between the components. Hierarchical layers, timing,and synchronicity among devices (that is, when to send or receive data from otherdevice) are aspects of interest to the designer, and will now be discussed.Hierarchical implementationsAs we mentioned above, system complexity is usually tackled by decomposing thesystem into simpler components organised in hierarchical levels, treating each levelseparately, and composing the solutions of each layer into an integrated solution.This is commonly done for hardware systems. Layers spread from the modellingof physical characteristics of components, such as speed, capacitance, voltage,current, etc., all the way up to the program level. The following is a descriptionof the main layers:
Chapter 2. Background 13 Physical. The physical level deals with electrical properties (Current, voltage,speed, delays ) of basic electronic components (transistors, resistors, diodes). Switch. The switch level uses the transistor as its basic element to buildelectronic systems. Systems veried at this level are electronic circuits madeup of transistor, resistors, diodes and other components that implement sometype of device, such as boolean gates. Gate. The gate level uses the gate as its basic element to build combin-ational and sequential circuits. Systems veried at this level are circuitswhich are made up of various kinds of gates (AND, OR, XOR, INVERTER,etc). Among these circuits are several kinds of combinational and sequentialfunctions: adders, decoders, multiplexors, ip-ops, load-registers, counters,etc. Register transfer. The register transfer level uses the register as its basicelement and micro-operations to process data in the registers. A register-transfer logic provides a language to describe valid operations among re-gisters. This level is used to describe the implementation of microprocessorarchitectures. Assembly program. The assembly program level provides programming in-structions to write assembly programs. A description of this level is givenin terms of the semantics of the individual programming instructions. Eachinstruction is implemented by a set of micro-operations which are executedat the register-transfer level.Combinational or sequentialA circuit can be either combinational or sequential. In a combinational circuit allthe calculations are considered to occur instantly with no delays in data propaga-tion. Combinational circuits use Boolean gates to compute Boolean functions.Sequential circuits use storage elements which can be either ip-ops or registers,combinational circuits which compute inputs to the ip-ops, and feedback loops.
Chapter 2. Background 14Synchronous or asynchronousA sequential circuit can be either synchronous or asynchronous. In a synchronouscircuit signal processing is regulated by the pulses of a clock which is global tocircuit components. Time is usually considered discrete, and outputs at timet + 1 are calculated from the inputs at time t.In an asynchronous circuit signalprocessing, transmission and storage can occur at any instant of time.Representation issuesThe following aspects of representation are relevant to the implementation: circuitrepresentation by functions or relations, word representation by lists or functions,and parameterised representation of circuits. The rst aspect is discussed in sub-section 2.2.4. Parameterised representation. Hardware representations are sometimes para-meterised by an attribute of the circuit. Word size is an example of an at-tribute that is frequently used as a parameter in representations of varioushardware devices. Word representation. Words can be modelled using either lists or functions.Lists are commonly used by many verication tools for representing andmanipulating words.Hardware description languagesHardware description languages (HDL) have been developed, standardised, andutilised by the hardware industry to describe and simulate hardware designs[IEEE 88]. These languages have become popular and are used by design en-gineers in a regular basis. However formal reasoning about the designs is verydicult because the semantics of the language is not clearly dened. Subsets ofHDLs with a well established semantics have been dened for formal reasoning inverication environments, although their use remains limited [Gordon 95].
Chapter 2. Background 152.2.3 RelationshipType of relationshipThe relationships between the specication and the implementation may includethe following: equality. The implementation and the specication are represented by func-tions: imp = spec implication. The implementation and the specication are represented byrelations; the specication is a partial description of system behaviour, so theimplementation which contains more information, implies the specication:8x imp(x)! spec(x) equivalence. The implementation and the specication are represented as re-lations; both contain the same amount of information, so the implementationimplies the specication and vice-versa: 8x imp(x)  spec(x) subset. The language representing the implementation is a subset of the lan-guage representing the specication. The language refers to the one acceptedby a nite-state machine: L(imp)  L(spec) logical implication The implementation provides a semantic model with re-spect to which the specication is satised: imp j= specProof methodsThe proof methods used to establish the relationship may include: theorem prov-ing, model checking, equivalence checking, and language containment. Thesemethods are further explained in section 2.3.
Chapter 2. Background 162.2.4 Functional versus relational vericationThe verication problem can be formalised using either a functional or a relationaldescription. A full account of system verication using functional and relationalrepresentations is given in [Camilleri 88]. Here we present a summary of this topicbecause it is relevant for the experiments with hardware verication that we willpresent later.Functional VericationFunctional verication is characterised as follows: circuit components are represented by total functions where the inputs of thecomponent are the arguments of the function and the value of the functionitself represents one of the possible outputs of the component. component interconnections also called internal wires as well as the overallstructure of the circuit are represented by function composition, where aterm is passed as an argument to another function.Figure 2{1 describes these characteristics.
C
a b cA BFigure 2{1: Modelling the structure of a devicen The functional representation of this device is as follows:Cfun(a) = Bfun(Afun(a))
Chapter 2. Background 17Cfun is the functional representation of the device with input a, output c, internalcomponentsA and B. Afun and Bfun are functional representations of componentsA and B. Value b is computed by A and passed to B.To prove that implementation I meets specication S we must prove a theoremof the form:8i1; : : : ; in:Abs1(Ifun(i1; : : : ; in)) = Abs2(Sfun(Abs(i1; : : : ; in)))where Abs, Abs1 and Abs2 are data abstraction functions. Abs is required toconvert data representations of the implementation to that of the specication.Furthermore, the function denitions need not be equal for all valid data valuesand so data abstractions Abs1 and Abs2 are also required to restrict and select thedata for which the specication and implementation descriptions can be shownto be equal. The use of data abstractions to select and restrict the domain ofa function is analogous to dening partial specications when using relations.Sfun and Ifun are the specication and the implementation respectively given asfunctions.Relational VericationThe relational representation approach is characterised as follows: circuit components are represented by predicates where the inputs and out-puts of the component are the arguments of the predicate. The predicateconstrains the values of these parameters so that the predicate is true. component interconnections also called internal wires are represented byshared existentially quantied variables. the overall structure of the circuit is represented by the conjunction of thepredicates and shared variables.Figure 2{1 also illustrates this modelling technique. The relational represent-ation of this device is as follows:
Chapter 2. Background 18Crel(a; c)  9b:Arel(a; b) ^Brel(b; c)Crel is the relational representation of the device with input a, output c, internalcomponents A and B, and internal wire b. Arel and Brel are relational represent-ations of components A and B. Value b is hidden by an existential quantier.To prove that implementation I meets specication S we must prove a theoremof the form:8i1; : : : ; in; o1; : : : ; om:Irel(i1; : : : ; in; o1; : : : ; om)! Srel(Abs(i1; : : : ; in; o1; : : : ; om))where again, Abs is required to convert data representations of the implement-ation to that of the specication. Srel is the specication given as a relation.Similarly Irel is the implementation given as a relation.Functional representations in general carry more information than relationalrepresentations, especially when the relational descriptions are partial or when ex-tra information is required to specify the outputs in the functional case. Therefore,in these cases it is not possible to prove the equivalence between both represent-ations, except when both representations carry the same amount of information.Otherwise, the following relationship will hold:8i1; : : : ; in; o1; : : : ; om((o1; : : : ; om) = Repfun(i1; : : : ; in))! Reprel(i1; : : : ; in; o1; : : : ; om)Here Repfun and Reprel mean functional and relational representations wherethese representations can be either specications or implementations. Camillerihas shown this theorem in verifying various types of combinational hardware[Camilleri 88].The advantages and disadvantages of each representation can be summarisedas follows:
Chapter 2. Background 19 Relational representations allow the description of only the features of adevice which are of interest, thus forming a partial specication. Relational representations allow the denition of bidirectional devices bymerely dening relations between ports without distinguishing inputs fromoutputs. Functional representations require the denition of total functions, althoughin principle, partial functions could also be used but with more diculty. Functional representations can be executed given a suitable interpreter. Functional representations are easier to reason about than their relationalcounterparts (e.g. mathematical induction). Relational representations are more expressive, while functional representa-tions are computationally more ecient for system verication.2.3 Approaches to Formal VericationIn this section we describe the main approaches to formal verication. Theseapproaches are typically based on logic, and on other formalisms e.g. nite-statemachines and trace structures.2.3.1 LogicLogic studies the principles of reasoning, and is a science that has as a wide rangeof applications in many disciplines which include computer science and articialintelligence [Gallier 86,Genesereth & Nilsson 87].There are two aspects of logic: its syntax and its semantics. The syntax of logiccan be described in terms of a formal system where the language consists of a setof well-formed formulae made of symbols from an alphabet (constants, variables,
Chapter 2. Background 20functions, predicates, connectives) and rules for constructing the formulae; andthe calculus (or proof system) associated to the formal system consists of a set ofaxioms, and a set of rules of inference for deductive reasoning. A formula  whichis derived from the axioms by a sequence of inference rules applications is called atheorem and is denoted by: ` . If  is derived from a set of formulae   we write  `  which is read  is deduced from  .The semantics of classical logic assigns meaning to the formulae by means ofan interpretation. An interpretation consists of a domain and a mapping fromelements, functions, and relations of the domain to constant, variables, functionand predicate symbols in the formula. Constants, variables, and terms denoteelements of the domain. A formula can take the values true or false. A modelMis an interpretation that makes a formula  true and is denoted: M j= , which isread \M satises ". A formula  is valid if it is true for every interpretation, anddenoted by j= . A formula is satisable if it has a model and is a contradiction ifit is false for every interpretation. A set of formulae   is satisable if there is aninterpretation that satises every formula in  . The fact that, every interpretationthat satises a set of formulae   also satises a formula , is denoted by   j= and read \  logically implies ".Soundness and completeness are two attributes of a proof system with respectto semantics. Soundness means that any theorem deduced by the proof systemis valid. Completeness means that any valid formula can be proved by the proofsystem. The completeness theorem establishes the relationship between deductionand logical implication:   j= $   ` which establishes the equivalence between j= and `.Theorem proving has to do with establishing that a formula is a theorem in aformal system. Automatic theorem proving is concerned with the mechanisationby computer of the deduction process. Theorem proving has been used to verifyhardware. The specication and the implementation are given as formulae in logicand the relationship is either an implication or an equivalence. Alternatively, the
Chapter 2. Background 21specication and the implementation can be given as terms with the relationshipbeing an equality. Model checking has to do with establishing that an interpret-ation is a model of a formula, and has also been used to verify hardware. Thespecication is given as a formula, the implementation is given as an interpretationand the relationship is a logical implication. Model checking tries to establish thatthe implementation is a model of the specication.Many types of logics can and have been derived, depending upon the con-straints imposed on the syntax and semantics of the logic. Without being ex-haustive, we survey some of the logics that have been used for hardware veric-ation: propositional logic, rst-order logic, higher-order logic, intuitionistic logic,modal-temporal logic.2.3.2 Propositional LogicPropositional logic consists of a set of logical symbols with a xed meaning (con-nectives, parentheses), and a set of non-logical symbols with variable meaning(predicate symbols of arity zero called propositions) with which well-formed for-mulae (ws) can be constructed. A truth assignment (or interrelation) assignsws one of the values true or false. Valid formulae are called tautologies. Propos-itional logic was one of the rst logics used to model digital systems and representBoolean functions, and is well known among design engineers. Propositional logicis a convenient way of representing and reasoning about gate-level combinationalcircuits but is inappropriate for modelling time and feedback loops. Propositionallogic is decidable and there are tautology checkers for establishing the validity of aformula (e.g. truth tables). However, the problem of satisability for propositionallogic is known to be NP -complete. Finding a model which satises a formula isknown as the SAT problem [Gallier 86].Binary Decision DiagramsBinary decision diagrams (BDDs) are a data structure for the ecient manipula-tion of Boolean functions which include testing for validity of formulae and equi-
Chapter 2. Background 22valence of functions. BDDs are represented by acyclic graphs which can representBoolean functions in a concise way [Akers 78]. R. Bryant introduced a restrictedform of BDDs called Ordered Binary Decision Diagrams (OBDDs), found a ca-nonical representation of functions, and developed ecient algorithms for validityand equivalence operations [Bryant 86]. Some theorem provers (e.g. PVS) andmodel checkers (e.g SMV) have implemented a variation of BDDs for tautologychecking.2.3.3 First-Order LogicUniversal and existential quantication runs just over elements of the domainwhich can be any set. A term denotes an element of the domain, predicates cantake one of the values true or false. First-order logic is more expressive thanpropositional logic and digital systems can be better described. Proof systemsfor rst-order logic have been developed which are sound and complete, althoughwhen one introduces particular theories (e.g. lists, arithmetic), a proof systemmaybe incomplete. Proof systems in general are semi-decidable, which means that ifa formula is valid there are proof methods which will establish this fact, but if theformula is not valid, these same methods may run forever without detecting thisfact. First-order logic has found many types of application including program andhardware verication.2.3.4 Boyer-Moore Computational LogicThe Boyer-Moore Computational Logic is a subset of rst-order predicate logicwith implicit universal quantication, equality, and the inference rule for a typeof Noetherian induction, developed for reasoning about computations. The lo-gic exploits the duality between inductive reasoning and recursive denitions. Italso includes the shell principle for introducing and axiomatising new inductivelydened types by dening a recogniser function, a constructor function, and anaccessor function for elements of the type. The principle of denition allows theuser to dene new functions and avoid possible inconsistencies either by den-
Chapter 2. Background 23ing non-recursive functions in terms of pre-dened functions or by making surethat a well-founded order exists on a measure of the arguments that decreases oneach recursive call. The logic includes built-in shells that axiomatise the naturalnumbers, integers, lists, and strings. The proof system associated with the logiccomprises a pre-dened proof strategy consisting of the consecutive application ofpre-dened basic proof techniques which are inference rules supported by powerfulheuristics [Boyer & Moore 79].Mathematical induction is required for reasoning about object and events con-taining repetition. Since repetition is ubiquitous in many application areas andinductive reasoning is very dicult to automate, research has focussed on the auto-mation of proof for mathematical induction. Inductive proofs are characterised bythe application of induction rules such as Peano induction and structural induc-tion on lists and other data structures. All these forms of induction are subsumedby a single, general schema of well-founded induction:8x : : (8y : : x  y ! P (y))! P (x)8x : : P (x)where  is some well-founded relation on the type  , i.e. there is no innitedescending sequence: a1  a2  a3  : : :. The data-structure, control ow, timestep, etc., over which induction is to be applied, is represented by the type  . Theinductive proof is formalised in a many-sorted or typed logical system.Success in proving a conjecture, P , by well-founded induction is highly de-pendent on the choice of x,  and . For many types,  , there is an innitevariety of possible well-orderings, . Thus choosing an appropriate induction ruleto prove a conjecture is one of the most challenging search problems to be solvedin automating inductive inference.The automation of inductive inference raises a number of unique diculties insearch control:Synthesis of induction rules: To prove a theorem by induction, one of the in-nite number of possible induction rules must be synthesised and the induc-tion variables chosen;
Chapter 2. Background 24Conjecturing lemmata: Sometimes a lemma required to complete the proof isnot already available and must be conjectured and then proved;Generalisation of induction formulae: Sometimes a theorem cannot be provedwithout rst being generalised on one of its terms.In addition to these special search problems all the standard problems also manifestthemselves, e.g. deciding when to make a case split, determining the witness foran existential quantier, etc.2.3.5 Higher-Order LogicIn Higher-order logic (HOL) variables range over predicates and functions as wellas over individuals of the domain. This means that predicates and functions canbe quantied, given as arguments of other predicates or functions, and be out-puts of other predicates and functions as well. This makes higher-order logic veryexpressive, mathematically elegant, and permits a concise description of complexproblems. But this increased complexity makes reasoning more dicult as thelogic becomes undecidable, inconsistencies can be introduced, and proof systemsalso become incomplete. To alleviate these problems, the domain is usually con-strained to have decidable or semi-decidable sub-classes, a type discipline is usedto avoid inconsistencies (e.g. Russell's paradox) by introducing hierarchies amongthe elements of the domain, and heuristics are developed to cope with incomplete-ness. With these amendments that retain its advantages, higher-order logic hasbecome very popular for describing and verifying hardware systems [Gordon 86].One restricted higher-order logic is monadic second-order logic, a decidablelogic for reasoning about strings. It has been used for verifying parameterisedhardware, as well as generalising standard BDDs hardware verication capabilities[Basin & Klarlund 95].
Chapter 2. Background 252.3.6 Intuitionistic LogicIn intuitionistic logic the fact that a formula is either true or false does not holdin general. To prove an existential conjecture it is not sucient to negate theconjecture and arrive at a contradiction, we need to construct explicitly an element(witness) which satises the conjecture. This constructive approach has beenfound very useful in program synthesis and has also been applied to the synthesisof circuits [Basin 91].2.3.7 Modal LogicModal logic extends the scope of predicate logic with the notion of change andintroduces new modal operators to express variability [Hughes & Cresswell 90]. Inpropositional logic predicates (propositions) are either true or false; in predicatelogic the truth of a predicate depends on the elements of the domain within a staticworld; in modal logic it is possible to change from a world into another world bymeans of an accessibly relationship, where the truth of a predicate also dependson the world in which it is applied. Worlds can be seen as states in which a systemcan be. The accessibility relationship is characterised by modal operators whichdescribe properties which remain true when going from one state to another state.The basic modal operators are the necessity operator 2P which means that 2P istrue in a state s if P is true in all states accessible from s; the possibility operator3P which means that 3P is true in a state s if P is true in some state accessiblefrom s; the next operator P which, for linear logics, means that P is truein a state s if P is true in the next state from s; and the until operator P [ Qwhich means that P [Q is true in a state s if either Q is true in s or it is true insome other state accessible from s with P being true in every intermediate state[Galton 87].Temporal LogicTemporal logic is a type of modal logic. It was developed for reasoning about timein the verication of concurrent programs and has found a wide variety of applica-
Chapter 2. Background 26tions in studying time-dependent systems [Pnuelli 77]. The four modal operatorsare referred as the Always, Sometimes, Next-time, and Until operators respectivelyin temporal logic terminology. Correctness properties of time-dependent systemscan easily be expressed in temporal logic. These include Safety properties whichstate that nothing bad happens j= 2P (e.g. two devices do not access the bussimultaneously); liveness properties which state that eventually something goodhappens j= P ! 3Q (e.g. a device will eventually access the bus); and precedenceproperties which grants orders of events j= P [Q (e.g. two devices access the busin the order their requests are done).Temporal logic can be seen from dierent perspectives yielding dierent typesof temporal logics. In one view the truth of a formula can be dened with respectto the interval between two states or with respect to a state. In the rst case,we have interval temporal logic (ITL) [Moszkowski 85]. In the second case, timecan be seen from two dierent views. In one case, time is a linear sequence ofevents which results in linear-time temporal logic (LTTL) [Manna & Pnuelli 81].In the second case time has a branching structure of events which results in whatis called branching-time temporal logic (BTTL). Computation tree logic (CTL) isa version of BTTL that has been applied extensively to the formal verication ofsequential circuits [Clarke & Emerson 81].2.3.8 Mu CalculusThe Mu Calculus extends the expressiveness of propositional temporal logic byadding operators for denoting xed points of predicate transformers (i.e functionsfrom relations to relations). It was developed independently of temporal logic andvarious versions have been studied in the context of program verication and hasalso been applied to the hardware domain [Emerson & Lei 86].2.3.9 Other Approaches to Hardware VericationThere are other approaches for hardware verication which traditionally are notregarded as part of logic like nite-state machines, although they keep a close
Chapter 2. Background 27connection with logic. For instance, the notion of regularity which is observed incertain types of parameterised circuits (e.g. adders, ALUs, counters) and whichhave been formalised using automata for which decision procedures for a type ofsecond-order logic on strings exist.Finite-state machinesAn automaton is a mathematical structure for accepting or rejecting input se-quences of symbols which correspond to words in a language. Starting at an initialstate, the automaton applies a transition for each symbol of the input sequencegiving new states. When the last input symbol is read, if the resulting state cor-responds to a designated nal state then the input sequence is accepted, otherwiseit is rejected. This assumes a nite automaton where the input sequence is nite.Some concurrent/reactive systems may require automata over innite sequences.A nite-state machine is an automaton extended with an output alphabet to formoutput sequences rather than just an accept/reject condition. Given a state, if atransition produces a single new state, then the machine is deterministic, other-wise it is non-deterministic. Moore and Mealy machines are commonly studiedin automata theory. In a Moore machine the output sequence is a function ofa state. In a Mealy machine the output is a function of the state and the in-put [Hopcroft & Ullman 79]. Finite-state machines have been used to representboth the specication and the implementation of the verication problem, andseveral techniques have been developed to establish the relationship between thetwo which include: Machine equivalence. Establishes the equivalence of two nite-state ma-chines by composing a machine which accepts the exclusive-or of the two cor-responding languages. If the composite language accepts just the empty lan-guage then the two machines are equivalent. Since this algorithm is compu-tationally expensive, other techniques based on extracting a state-transitiongraph from each machine, composing the graphs, and developing ecientalgorithms for its manipulation have been attempted [Devadas et al 87].
Chapter 2. Background 28 Language containment. The relationship between the implementation andthe specication is that of language subset rather that equivalence. Here itis shown that the language generated from the machine that describes theimplementation is contained in the language generated by the machine thatdescribes the specication [Kurshan 87] Trace theory. A trace is a sequence of transitions in a nite-state machine. Atrace structure consists of a set of input and output wires, a set of traces rep-resenting a circuit's behaviour on legal inputs, and a set of traces representinga circuit's behaviour on invalid inputs. Trace theory represents the beha-viour of a system as a set of traces and has been used to model asynchronoussystems [Hoare 78], delay-insensitive circuits, and speed-independent circuits[Dill 89]. The specication and the implementation of speed-independent cir-cuits are described by trace structures, and the relationship corresponds tothe concept of safe substitution. An implementation is correct if it preservesthe correctness of a larger context when substituted for the specication inthat context. A context is an expression in trace theory containing a freevariable and is denoted by []. A trace structure T is said to conform toanother structureM, denoted by T  M, if for every context [], if [M] isfailure-free then so is [T ]. A trace structure is failure-free if its failure set isempty. Since it is not possible to test an innite number of contexts, a worst-case context called the mirror ofM can be dened, such that T  M holdsif and only if the composition of T and the mirror ofM is failure-free. Thus,the mirror of a trace structure represents the strictest environment condi-tions under which the trace structure is expected to operate correctly. Then,if an implementation operates correctly when composed with the mirror ofthe specication, then it is a safe substitution under all environments.The main advantage of trace structures is the ability to perform hierarchicalverication by using the same representation formalism (trace structures) ofspecications and implementations, and by dening hierarchical operationson traces such as hiding, composition, and renaming. Its main disadvantage,
Chapter 2. Background 29is the need for the explicit construction of a state-transition graph associatedwith the composite trace structure.2.4 Verication EnvironmentsIn this section we present some of the environments used for hardware vericationand the type of systems they have been applied to. There are many ways inwhich these environments could be classied, depending upon features of interest.One such classication considers the type of proof construction method employed,grouped into theorem proving, and model/equivalence checkers. This groupingalso reects a current trend in the use of proof environments in both academicand industrial organisations nowadays.2.4.1 Theorem proversThere are many proof construction methods in the theorem proving arena. Threepopular approaches based on seminal works from the 60s and 70s are resolution[Robinson 65], tactics [Gordon et al 79], as well as approaches that emphasise aparticular sort of inference, like mathematical induction [Boyer & Moore 79]. Toraise the level of automation of equational and tactic-based provers, meta-levelreasoning methods that reason about equations or tactic formation, have alsobeen developed [Bundy 88,Silver 85].The NQTHM theorem prover is based on the Boyer&Moore computational lo-gic to automate proof by mathematical induction [CLINC 96]. It uses a subsetof Lisp as the specication language of the designs, thus making the the specic-ations executable. It uses a xed set of proof techniques, namely, simplication,destructor elimination, cross-fertilisation, generalisation, elimination of irrelevanceand induction. The techniques are tried in the order listed on each remaining for-mula with hardly no backtracking, until all formulae have been proved or all thetechniques fail. Users can guide the prover by providing lemmas or suggesting sets
Chapter 2. Background 30of rewrite rules [Boyer & Moore 88]. NQTHM has been used to verify a net-listimplementation of the FM9001, a 32-bit general-purpose microprocessor which wasfabricated as a CMOS gate array by LSI Logic Inc., and which serves as the basisof the CLINC stack [Bishop et al 95]. The elements of the stack which include asimple applications program in a high-level language a compiler, an assembler, alinker, and a simple multitasking operating system have also been veried usingNQTHM [Moore 89]. The system is a stack in the sense that each upper layer isan abstract machine implemented on top of the lower layer. The stack is shortonly by comparison to systems of practical interest. The ACL2 theorem proveris an industrial-strength implementation of the Boyer-Moore logic and a descend-ant of Nqthm that has been used to verify the correctness of the kernel of theAMD5K86tm oating-point division algorithm [Moore et al 96].The OTTER theorem prover is designed to prove theorems stated in rst-orderlogic with equality. Otter's inference rules are based on resolution and paramodu-lation, and it includes facilities for term rewriting, term orderings, Knuth-Bendixcompletion, weighting, and strategies for directing and restricting searches forproofs. Otter can also be used as a symbolic calculator and has an embeddedequational programming system. Otter is a fourth-generation Argonne NationalLaboratory deduction system whose ancestors (dating from the early 1960s) in-clude the TP series, NIUTP, AURA, and ITP. Currently, the main application ofOtter is research in abstract algebra and formal logic. Otter and its predecessorshave been used to answer many open questions in the areas of nite semi-groups,ternary Boolean algebra, logic calculi, combinatory logic, group theory, latticetheory, and algebraic geometry [OTTER: 96].Tactic-based theorem proversTheorem provers like HOL, LAMBDA, VERITAS, ISABELLE , NUPRL and PVSare representative of a family of systems that have derived from the LCF system[Gordon et al 79].
Chapter 2. Background 31HOL is a tactic-based, interactive theorem prover based on classical higher-order logic, developed by M. Gordon and his group at Cambridge University[Gordon 88]. The logic is derived from Church's Simple Type Theory with theaddition of polymorphism in types, and embedded in ML, a functional program-ming language [Gordon 85]. Tactics and tacticals are derived from the EdinburghLCF system [Gordon 83]. A tactic is a program that applies a set of inference rulesin a single proof step. The HOL system has been extensively used for hardwareverication since the early 80s. Currently, it has a wide installed base in academicand industrial institutions [HOL 96]. HOL has been used to verify microprocessorswith pipe-line architectures [Windley & Coe 94] and commercial circuits like VI-PER, a commercially available microprocessor designed by the British Ministry ofDefence for use in life-critical applications. The formal verication of two layersof the implementation of the VIPER's design was done by Avra Cohn [Cohn 88].Early work include the verication of the TAMARACKmicroprocessor [Joyce 90].LAMBDA is the rst commercial, formal methods-based, computer aided-design tool, specially tailored to problems of synthesis and verication of hardwaredesigns [Mayger & Harris 91]. LAMBDA automatically applies formal vericationduring the design process, so that each completed design is eectively correct byconstruction, yet the user is isolated from much of the complexity of the under-lying mathematical proof techniques involved [Fourman & Hexsel 91]. LAMBDA,as well as other model/equivalence checking products have been developed andcommercialised by Abstract Hardware Limited. Clients of LAMBDA, which in-clude Large Systems Integration, Avionics, Telecommunications and High Integ-rity Systems, apply LAMBDA in the design and verication safety-critical systems[LAMBDA 96]. The LAMBDA tool set includes the DIALOG design environment[Mayger 91] , which enables the power of LAMBDA to be eectively utilised bydesign engineers, the ANIMATOR, a behavioural simulator for eective specica-tion analysis, and the BROWSER, a friendly user interface to the theorem provercore, which can be used eectively for proving properties of specications and forthe development of new proofs by using graphics and menus based on schemat-ics, extending the design automation capability. The theorem prover is based on
Chapter 2. Background 32classical higher-order logic, tactics and natural deduction. The library containshundreds of rules of inference and tactics. LAMBDA contains a powerful rewritingsystem [Francis et al 92].PVS is a Prototype Verication System developed at Stanford Research Insti-tute for system verication [Owre et al 94]. It is based on classical higher-orderlogic, tactics, and uses ecient decision procedures for arithmetic reasoning. It hasbeen used for the verication of commercial circuits. PVS was used to verify someaspects of the AAMP5, a pipelined microprocessor built by Collins CommercialAvionics, a division of Rockwell International, using almost half a million transist-ors. An implementation of the microcode at the register-transfer level was veriedwith respect to a representative subset of instructions [Srivas & Miller 95]. It hasbeen extended with model checking techniques and applied to the verication ofcommercial systems [Havelund & Shankar 96].Other tactic based provers include:VERITAS, designed by Hanna and Daeche who rst proposed the use ofhigher-order logic for hardware verication [Hanna & Daeche 86] and proposeda technique for the synthesis of circuits augmented with elements of type theory[Hanna et al 89b,Hanna et al 89a];ISABELLE, an interactive tactic-based theorem prover developed by LarryPaulson and his group [ISABELLE 96]. Logics are encoded in a meta-logic bydeclaring a theory, which consists of a signature and a set of axioms. ISABELLE'stheory of higher-order logic extended with theories of sets, well founded recursion,natural numbers and higher-order resolution and unication has been used for thesynthesis of circuits [Basin & Friedrich 96];NUPRL, a proof development system developed by R.L. Constable and hisgroup [Constable et al 86]. NUPRL is based upon a constructive type theory,similar to Martin-Lof's polymorphic type theory and is intended as a foundation forconstructive mathematics. Mantissa Adjuster and Exponent Calculator (MAEC)is an image processor developed by P. DelVecchio [DelVecchio 90] under contractfor NASA. MAEC is a section of a oating-point adder unit, and was partially
Chapter 2. Background 33formally veried by D. Basin and P. DelVecchio [Basin & DelVecchio 89] usingNUPRL.A meta-level reasoning theorem proverThe Clam-Oyster system was developed by Alan Bundy and the MathematicalReasoning Group at the University of Edinburgh. Oyster is a Prolog implementa-tion of the Nuprl system. Clam is a meta-level reasoning proof planner which sitson top of the Oyster prover to guide it in the search for a proof. A more detaileddescription of this tool is given in section 3.4.2.4.2 Model/equivalence checkersModel checking was rst proposed by Clarke and Emerson [Clarke & Emerson 81]as an ecient proof technique for CTL. One of its serious limitations is the useof an explicit state-transition graph representation of the hardware to be veried,which makes expressiveness limited (i.e. hierarchical or parameterised circuitscannot be modelled) and the number of states increases exponentially with thenumber of elements in the design, resulting in a state explosion problem. Symbolicmodel checking is an extension to model checking that uses symbolic Booleanrepresentations for states and transitions functions of a sequential system, in orderto avoid building its global state-transition graph explicitly. Ecient symbolicBoolean manipulation techniques are then used to evaluate the truth of temporallogic formulae with respect to these models.SMV is a model checker developed by Kenneth McMillan for the CTL temporallogic. It has been used to verify the cache coherence protocol described in theIEEE Futurebus+ standard nding a number of previously undetected designserrors [McMillan 92].CheckO-M is an AHL's product which performs model checking to nd errorsin a design and to verify critical properties, such as the absence of deadlocks andwhether the design performs specied functions. Given a set of logical properties
Chapter 2. Background 34which the design should possess, CheckO-M determines if the design omits re-quired behaviour or includes unwanted behaviour. For example, it can check thatmutually exclusive events cannot occur concurrently, and that a desired event willoccur at a specic time. CheckO-M can model check both complex combinator-ial and sequential designs, and can be used at all stages of the design ow as itcan check behavioural, register-transfer level and gate-level designs. CheckO-Mworks with designs made using hardware description languages like VHDL, EDIFand Verilog [CHECKOFF-M 96].CheckO-E is an AHL's product which checks that two circuit designs are beha-viourally identical. CheckO-E reduces design times by replacing long simulationruns for validation with much faster equivalence checking, and increases designcondence by guaranteeing to nd any dierences between designs. CheckO-E can compare both complex combinatorial and sequential designs, even if theirarchitectures or state encodings are dierent. CheckO-E can also be used atall stages of the design ow and is compatible with VHDL and EDIF designs[CHECKOFF-E 96].MONA is a tool developed by Nils Klarlund and his group at the Universityof Aarhus, Denmark. MONA translates formulae into nite-state automata. Theformulas may express search patterns, temporal properties of reactive systems, orparse tree constraints. MONA is based on weak monadic second-order logic ofthe natural numbers, which is a decidable fragment of arithmetic. MONA hasbeen applied to the verication of combinational and sequential circuits exhibitingregularities [Basin & Klarlund 95].COSMOS is a symbolic simulator developed by Randy Bryant and co-workersfor modelling low-level circuit behaviour with a three-valued logic (adding don'tcare values X) [Bryant et al 87].Other formal method tools include VERIFY [Barrow 84a], VOSS [Seger 93],VIS [Brayton 96], CIRCAL [Milne 85], and LDS [Madre & Billon 88].
Chapter 2. Background 352.5 SummaryWe have presented a summary and a survey of formal methods for hardware veri-cation. Most of the approaches to formal verication are based on logic andemploy various types of proof methods to establish the verication relationshipbetween the specication and the implementation. Model-checking has developedvery ecient techniques for the automatic verication of complex circuits, but theyare dicult to use in hierarchical verication. Theorem proving seems more ap-propriate for hierarchical verication, but its generality creates dicult problemsof search control. User interaction with a theorem prover is not always aordablebecause this is a time-consuming task and demands experts in logic. Automationis called for, and there, search control is the problem to overcome. Meta-levelreasoning techniques are a useful resource to control search and raise the level ofautomation in tactic-based settings.
Chapter 3Proof PlanningProof planning usesmethods to reason about tactics in searching for a proof. In thischapter we explain proof planning as developed by the Mathematical ReasoningGroup (MRG) at the University of Edinburgh, and the way it has been used inautomating inductive theorem proving. Section 3.1 explains methods, the maincomponent of proof planning; section 3.2 describes inductive proof planning and itsmain heuristics: rippling, rippling analysis, and fertilisation; section 3.3 presentsan example of proof planning and domains for which proof planning has beenapplied; section 3.4 describes the Clam-Oyster system; and nally section 3.5presents a summary of the chapter.3.1 MethodsThe Oyster proof development system reasons backwards from the conjecture tobe proved, using an intuitionistic higher-order logic and a sequent calculus proofformalism. The search for a proof must be guided either by a user or by a tactic.The Oyster search space is very big even by theorem proving standards. Thereis a big number of inference rules, and some rules like induction have an innitebranching rate, therefore careful search is very important if a combinatorial explo-sion is to be avoided. The intention of proof planning is to guide as much of thesearch for a proof as possible, thus relieving the user of a tedious and error-prone36
Chapter 3. Proof Planning 37burden. The core of proof planning is a set of heuristics to apply exibly a set ofpre-dened general tactics to maximise the chances of proving a conjecture. Thetactics incorporate extensions to many of the heuristics embedded in Nqthm. Eachtactic is partially specied by a method, which is a description of the preconditionsand eects of the tactic. Articial intelligence planning techniques (e.g. depth-rst, breadth-rst, best-rst, etc.) are used to construct a custom made proof planfor the conjecture. This plan is then executed by Oyster to derive a proof for theconjecture. A method describes important aspects of a tactic without representingall of its details. A method is represented as a frame with 6 components: a name,an input formula (a sequent), preconditions, output formulae, postconditions, anda tactic. The preconditions and postconditions are expressed in a meta-logic wherea subset of Prolog is used as a meta-language. Figure 3{1 shows the components.
             H==>G,
             [...Preconditions...],
             [...Postconditions...],
             [...Outputs...],
             tactic(...Args...)
           ).
method(Name(...Args...),Figure 3{1: Method components the name component Name(...Args...) corresponds to the name and thearguments of the method; the input component H==>G is a sequent with hypothesis H and goal G.H must unify with the hypothesis list of the current goal, which is also asequent, and G must unify with the goal of the current goal; the preconditions component [...Preconditions...] is a list of formulaethat specify properties that the input sequent must meet. A method issaid to be applicable if the input formula unies with the input sequent and
Chapter 3. Proof Planning 38the preconditions are satised. These preconditions specify heuristics thatconstrain the search space of applicable methods; the postconditions component [...Postconditions...] is a list of prop-erties that will hold after the method has been applied successfully; the output component [...Outputs...] is a list of new subgoals generatedby the method which remain to be proved. If the list is empty then themethod is said to be terminating, otherwise it becomes a branching pointif it has more that one output formulae. Each output is represented by asequent formula; the tactic component tactic(...Args...) is the name of a general-purposetactic with the same arguments as the method. Using the input formula andpreconditions of a method, proof planning can predict if this tactic will beapplicable without actually running it.Methods can be composed at the meta-level in the same way tactics are com-posed using tacticals. The operators that combine methods are called methodicals.For instance, the methodical then in M1 then M2 combines sequentially the twomethods M1 and M2, by providing as input to M2 the output sequents of M1.Methods can call other methods by a single invocation or by a repeated invoca-tion of a sequence of methods. A method called by another method is called asub-method. A method can be both a method or a sub-method and the dierenceis made explicit. The call is typically made from within the preconditions of thecalling method. The process of recursively composing methods at the meta-levelis called proof planning, and the resulting tree of methods is called a proof plan,which is just a composite tactic customised for the current conjecture, built-outof general-purpose tactics. Clam, the plan formation system, receives a conjec-ture and looks for the rst method which is applicable. Methods are stored in adata-base and are tried one by one in the order in which they appear. If a methodfails to apply, then Clam tries the next one, until one is applicable. If no methodis applicable, then Clam reports failure, otherwise, the output of the applicable
Chapter 3. Proof Planning 39method yields the new subgoals. If two or more methods are applicable, they aretried one by one. This process is applied recursively to each of the resulting sub-goals until all the leaves of the tree contain terminating methods, that is, methodsthat produce no subgoals. This means that Clam can backtrack from any node inthe tree, should a method failed to apply.The standard data-base of methods in the Clam system is shown in gure 3{2.A procedural interpretation of this set of methods is as follows:
  
Methods:
applies an equality in the hypothesis
handles existential quantification
generalises common term in a formula
normalises a formula
a. induction  
b. sym_eval
c. step_case 




 ii. fertilize 
applies induction strategy
selects induction scheme and induction variables
applies symbolic evaluation to the base case





simplifies induction conclusion with induction hypothesis
- strong_fertilise
- weak_fertilise rewrites induction conclusion with induction hypothesis
applies induction hypothesis directly
applies rewriting
applies simple propositional reasoning








Figure 3{2: Data base of methods try to solve the conjecture by symbolic evaluation. If successful, nish, ifthere are remaining subgoals, try the set of methods again; try to solve the conjecture by induction, generalising or normalising anyterms, if necessary. Solve the base case by applying symbolic evaluation andsolve the step case by applying rippling and fertilisation. In either case, ifthere are remaining subgoals, try the set of methods again.A brief description of these methods follows:
Chapter 3. Proof Planning 40sym eval: this method simplies a formula with symbolic evaluation which con-sists of the repeated application of the sub-methods elementary, equal,eval def, and existential.generalise: this method generalises a formula by substituting a variable for acommon sub-term. If the formula is an equation, and there is a commonsub-term on both sides of the equation, then this sub-term is replaced by avariable.normalise: this method applies various kinds of normalisation operations toa formula like removing universal quantiers, moving the antecedent of animplication into the hypotheses, and replacing a conjunctive hypothesis byits conjuncts.ind strat: this method denes a strategy for proof by mathematical induction.It applies the induction sub-method, which yields two or more subgoals: thebase case and the step case. The base case is simplied by the sub-methodsym eval. The step case is simplied by the step case sub-method. Theinduction strategy is further explained in section 3.2.The sub-methods called by these methods are the following:elementary: this sub-method removes universally quantied variables if thereare any, applies simple propositional reasoning to the goal, and solves simplewell-formedness goals.equal: this sub-method checks if there is any equality among the hypothesesand uses it to rewrite the goal.eval def: this sub-method normalises the goal by the exhaustive application ofrewrite rules from a terminating rewrite system.existential: this sub-method deals with existentially quantied variables inequalities.
Chapter 3. Proof Planning 41induction: the preconditions of this sub-method implement a heuristic calledrippling analysis for suggesting an induction scheme and induction variablesby a look-ahead analysis into the rippling process. This heuristic is describedin subsection 3.2.1. The output of the method is a list of base cases and stepcases.step case: this sub-method repeatedly applies the sub-methods ripple andfertilise.ripple: this sub-method is used to reduce the dierence between the inductionconclusion and the induction hypothesis by the repeated application of thesub-methods wave, case-split, and unblock. The Rippling heuristic isdescribed in subsection 3.2.1.wave: this sub-method repeatedly applies wave rules to the current goal. A waverule is a kind of rewrite with annotations that control search. Annotationsinclude boxes to wrap up terms called wave fronts, underlines to denoteterms called wave holes, and upwards and downwards arrows to indicate thedirection in which wave fronts are moved by wave rules. A precise meaningof annotations is given in section 3.2.1.casesplit: this sub-method introduces a case split in a proof, based on thenotion of complementary sets.unblock: this sub-method unblocks rippling either by removing wave holes an-notations, or by applying meta-rippling, which consists of the manipulationof annotations with rewrite rules.fertilise: this sub-method utilises the induction hypothesis to simplify theinduction conclusion. It applies the sub-methods strong fertilise orweak fertilise. This heuristic is explained in subsection 3.2.2.strong fertilise: this sub-method appeals to the induction hypothesis toprove the rippled induction conclusion.
Chapter 3. Proof Planning 42weak fertilise: this sub-method uses the induction hypothesis as a rewriterule to simplify the rippled induction conclusion.As an example, gure 3{3 displays the method eval def, which applies rewriterules from base and recursive equations which are not wave rules. The current goal
                   H==>G,
                   [matrix(Vars,Matrix,G),
                     wave_fronts(_,[],Matrix),
                     exp_at(Matrix,Pos,Exp),
                     \+ Pos = [0|_],
                     not metavar(Exp),
                     reduction_rule(Exp,NewExp,Cond,Dir,Rule,_),
                     polarity_compatible(Matrix,Pos,Dir),
                     elementary(H==>Cond,_),
                   [replace(Pos,NewExp,Matrix,NewMatrix),
                   [H==>NewGoal],
                   eval_def(Pos,[Rule,Dir])).
                    matrix(Vars,NewMatrix,NewGoal)],
     method(eval_def{Pos,[Rule,Dir]),
Figure 3{3: Method eval defis matched with the sequent H==>G. The preconditions split the goal G into univer-sal variables and the matrix, checks that the matrix contains no wave front annota-tions, and locates an expression Exp within the matrix that is not meta-variable,and which can be rewritten using the conditional rule Cond ! Exp) NewExpwhere) indicates rewriting. Rule may be based on implication, equality or equi-valence and must had been proven to be measure decreasing under a well-foundedtermination order. The polarity conditions ensures that the rule is terminatingand the hypotheses must imply the conditions Cond of the rule. The postcon-ditions replace the expression Exp by the new expression NewExp and form thenew goal NewGoal. The output is the new sequent formed with the hypothesesand the new goal H==>NewGoal. There is a tactic called eval def with argumentsPos,[Rule,Dir] associated to the method, which applies the rewriting.







fertiliseFigure 3{4: A Proof Plan for InductionEach of the boxes represents a method. The nesting of the boxes represents thenesting of methods, i.e. an inner method is a sub-method of the one immediatelyoutside it.
Chapter 3. Proof Planning 443.2.1 RipplingThe purpose of rippling is to complete an inductive proof by rewriting and appealto the induction hypothesis, once an induction scheme and an induction variablehave been chosen. The idea behind rippling is that the induction conclusion willbe an image of the induction hypothesis except that constructor terms such as thesuccessor function s, will be wrapped around the induction variables. Ripplingattempts to move the constructor function out through the term, leaving behindan exact image of the induction hypothesis within the induction conclusion byannotating the dierences with special annotations [Bundy et al 93]. For example,suppose we have a conjecture about the associativity of addition:8x; y; z : Natural (x+ y) + z = x+ (y + z) (3.1)If we prove this conjecture by induction then we have the induction hypothesis:(X + Y ) + Z = X + (Y + Z) (3.2)and the induction conclusion with annotations:( s(x) " + y) + z = s(x) " + (y + z) (3.3)The annotations are explained as follows: the box around the s constructor iscalled a wave-front; the arrow indicates that the term s is moving outwards todominate the term in the left-hand side; the underlined term within the box iscalled the wave-hole; Deleting the arrow and everything in the box which is notunderlined gives the skeleton which is identical to the induction hypothesis andis preserved during rippling; the induction conclusion without the annotations iscalled the erasure.The selection of induction schemes and induction variables is supported byrippling analysis. The movement of wave-fronts is supported by various types ofrippling. Both are described next.Rippling AnalysisRippling Analysis is a heuristic that helps to suggest an induction variable and aninduction scheme by a look-ahead analysis of the rippling process [Bundy et al 89].
Chapter 3. Proof Planning 45Rippling analysis rst suggests candidate induction schemes, and then tests theirvalidity. Suggested inductions are generated by considering all permutations ofall the universally quantied variables with all possible innitely many inductionterms, severely restricted to those suggested by wave-rules. Induction terms aregenerated subject to the criterion that they can be rippled by some wave-rulepresent in the data-base. Each occurrence of each variable is tagged with a collec-tion of candidate inductions which describe: the induction term annotations of the induction term any variables that must be sinks (explained below) any simultaneous inductions required on some other variables how well this suggestion fares for the other occurrences of that variableAn occurrence for which a wave-rule is applicable with this induction term issaid to be unawed, otherwise it is said to be awed. Flawed occurrences are tobe avoided since there is no wave-rule to move one or more initial wave-frontsintroduced by the induction.All this information is then processed by the following heuristics to rank thevarious suggestions: prefer inductions on a variable which minimises the number of awed occur-rences; prefer inductions on a variable which minimises the depth on the term treeof all awed occurrences; prefer inductions on a variable that minimises the number of unawed oc-currences
Chapter 3. Proof Planning 46For instance, suppose we have the conjecture for the associativity of addition 3.1,the Peano axiom: 8U; V : Natural U = V $ s(U) = s(V ) (3.4)and the denition of addition in terms of 1-step recursion:0 + V = Vs(U) + V = s(U + V ) (3.5)The induction scheme dual to 1-step recursion is 1-step induction on the naturalnumbers with induction term s(x) and induction variable x:P (0) ^ 8x : Natural P (x)! P (s(x))8x : Natural P (x)Each of the three universally quantied variables in the conjecture x, y, z, areanalysed with respect to the axiom and the denition of +. Both occurrences ofthe variable x are in the recursive position of +: e.g. x + : : :; one occurrence ofthe variable y is in the recursive position of +: e.g. y + : : :; and no occurrence ofthe variable z is in a recursive position. The variables x is unawed, variables yand z are awed. The following table summarises this analysis:Var. Def. Ind. Ind. Occurrences Statusterm scheme Total unawed awedx + s(x) 1-step 2 2 0 unawedy + s(y) 1-step 2 1 1 awedz none none none 2 0 2 awedIn this case a 1-step induction on x is chosen. The step-case becomes:8x; y; z : Natural; (x+ y) + z = x+ (y + z) ` (s(x) + y) + z = s(x) + (y + z)to which we can apply three rewrites based on the denition of + and nish theproof successfully.An extension to rippling analysis which uses meta-variables to instantiate un-known induction schemes is called middle out reasoning [Hesketh 91].
Chapter 3. Proof Planning 47Types of ripplingThere are several types of rippling. We describe rippling-out, rippling-in, ripplingsideways, conditional rippling and rippling with multiple wave-rules. Other typesof rippling exist and are described in [Bundy et al 93].Rippling outRippling out moves wave-fronts outwards to match the induction hypothesis usingwave-rules. For instance, wave-rules corresponding to equations 3.5 and 3.4 are asfollows: s(x) " + y ) s(x+ y) " (3.6)s(x) " = s(y) " ) x = y (3.7)If we apply wave-rule 3.6 to the left-hand side of the induction conclusion (3.3) weobtain: s(x+ y) " + z = : : :one more application of the rule gives:s((x+ y) + z) " = : : :the wave-front s is now completely rippled out in the left-hand side. We can nowrewrite the right-hand side with the same wave-rule:: : : = s(x+ (y + z)) "the wave-front s is also completely rippled-out in the right-hand side too and weobtain: s((x+ y) + z) " = s(x+ (y + z)) " (3.8)we can now use wave-rule 3.7 to obtain:(x+ y) + z = x+ (y + z)which matches the induction hypothesis nishing the proof.
Chapter 3. Proof Planning 48Rippling inRippling in moves wave-fronts in the opposite direction, that is, inwards. Waverules that do rippling in can be obtained from equations that rewrite the right-hand side of the equation into the left-hand side. For instance, an inwards waverule for equation 3.5 is: s(x+ y) # ) s(x) # + y (3.9)the inwards direction is indicated by the arrow in the box.Rippling sidewaysRippling sideways is formed by combining rippling out and rippling in to movea wave-front within an expression towards an argument of that expression wherethere is a universally quantied variable. Initially the wave-front goes outwards,and when it is in the appropriate position, moves inwards to the position of theuniversally quantied variable, which will 'absorb' the wave-front. These variablesare called sinks. The idea is that in the induction conclusion there must be anotheruniversally quantied variable that will be unied with the wave-front that wasabsorbed by the sink. Sinks are represented by the symbol: b: : :c. For instance,consider the following conjecture about list reversal:8L;M : Natural list; rev(L) <> M = qrev(L;M)where rev is the naive list reversal function, qrev is the tail recursive reversalfunction and <> is the function that appends two lists. These primitive recursivefunctions are dened by: rev(nil) = nilrev((H :: U) = rev(U) <> (H :: nil) (3.10)qrev(nil; V ) = Vqrev(H :: U; V ) = qrev(U;H :: V ) (3.11)
Chapter 3. Proof Planning 49nil <> V = V(H :: U) <> V = H :: (U <> V ) (3.12)where :: is the list constructor operator and nil is the empty list. The followingwave-rules are derived from the recursive equations 3.10, 3.11 and 3.12:rev( H :: U ") ) rev(U) <> (H :: nil) " (3.13)qrev( H :: U "; V ) ) qrev(U; H :: V #) (3.14)(H :: U) <> V " ) H :: (U <> V ) " (3.15)Wave rule 3.14 is an example of a side-ways (also called transverse) wave rule.Additionally, we can show that append is associative and derive the followingwave-rule which is also a transverse wave-rule:( U <> V ") <> W ) U <> ( V <> W #) (3.16)Applying induction, we get the hypothesis:rev(l) <> M = qrev(l;M)and the conclusion: rev(h :: l) " <> bmc = qrev( h :: l "; bmc)To make the induction conclusion match the induction hypothesis we will ripplethe two wave-fronts sideways so that each surrounds an bmc. Applying 3.14 tothe right-hand side we get:rev(h :: l) " <> bmc = qrev(l; bh :: mc)We draw the sink annotation outside the wave-front to show that it has absorbedthe wave-front. We now apply 3.13 to ripple the wave-front out in the left-handside: ( rev(l) <> (h :: nil) ") <> bmc = qrev(l; bh :: mc)Wave-rule 3.16 is used to ripple the wave front sideways to the left-hand bmc:(rev(l) <> ( (h :: nil) <> m #) <> bmc = qrev(l; bh :: mc)Normalisation is now applied to simplify the wave-fronts in the sinks and makethem identical. This permits the use of the induction hypothesis which matchesthe induction conclusion if we instantiate M to h :: m, nishing the proof.
Chapter 3. Proof Planning 50Conditional ripplingConditional rippling uses conditional wave-rules, which are wave-rules that areapplied when a condition is provable:Condition! ) where )  is a wave rule and Condition is a formula. If a condition of a wave-rule is provable from the current hypotheses, then we can use the rule. But evenif the condition is not currently provable, we can still use the rule, provided wedivide the proof into two cases, using the condition and its negation. A problemto solve is when to use the condition to split the current case into two sub-cases,and when to try to prove the condition within the current case. A partial solutionto this problem is to store related conditional rules in complementary sets of theform: Condition1 ! ! 1: : :Conditionn ! ! nwhere Condition1; : : : ; Conditionn form a partition. The following is a hypothet-ical example of a complementary set of wave-rules:x = false ^ y = false ! bus( s(t) "; x; y)) memory(t; bus(t; x; y)) "x = false ^ y = true ! bus( s(t) "; x; y)) acc(t; bus(t; x; y)) "x = true ^ y = false ! bus( s(t) "; x; y)) pc(t; bus(t; x; y)) "x = true ^ y = true ! bus( s(t) "; x; y)) buffer(t; bus(t; x; y)) "which says that a bus loads at time t+1 from either the memory, the accumulator,the program counter, or the buer register, depending upon the values of x and y.Rippling with multiple wave-frontsThis kind of rippling ripples out more than one wave-front at once. Wave rulesthat do this type of rippling are called multi-wave rules. Examples of multi-wave
Chapter 3. Proof Planning 51rules are the following:8U; V : Natural s(U) " = s(V ) " ) U = VU + V " = X + Y " ) U = X ^ V = Y "(U + V ) " W ) U W + V W "Wave rules are derived from axioms, recursive denitions, and lemmas. An-notations of well annotated terms (wats) on wave rules and induction conclusionsare obtained by the recursive application of the unary functions wfout, wn, andwh which place an outwards box, and inwards box, or an underline in an un-annotated term, respectively. These functions can be represented schematically asfollows: wfout((x)) gives (x) "wfin((x)) gives (x) #wh((x)) gives (x)This way, an outwards wave-front like wfout((wh(1); : : : ; wh(n))) is represen-ted schematically by (1; : : : ; n) ", where n > 0. The arguments i can alsobe well annotated terms. The function skel takes a well-annotated term wat andreturns a set of terms which form the skeleton of wat.It has been shown that rippling with well-annotated terms has the followingproperties [Basin & Walsh 96b]:well-formedness: if s is a wat, and s ripples to t, then t is also a wat.skeleton preservation: if s ripples to t, then skel(s)  skel(t);correctness: if s ripples to t, then skel(t) rewrites to skel(t) in the un-annotatedtheory;termination: rippling terminates because it guarantees a measure reduction ina well-founded order. The position and orientation of wave-fronts denethis measure, and rippling applies wave rules that reduce this measure in anunchanging skeleton.
Chapter 3. Proof Planning 52Notice that rippling reasons backwards, from the conjecture to the axioms.Therefore, to apply the implication !  it uses the rewrite rule  ) . Clamuses a general notion of polarity to determine in which orientation and to whichsub-expressions a wave-rule can be legally applied. For instance, for wave-rulesformed from implications, the polarity of a sub-formula is the parity of the numberof implicit or explicit negations within which it is contained, e.g in :p^q ! r, p andr are of positive polarity and q is of negative polarity. For wave-rules formed frominequalities, the polarity can be calculated from the monotonicity of the functionscontaining the sub-expression. The annotations in the induction conclusion andthe wave-rules are calculated automatically in Clam by an algorithm implementedin a wave-rule parser.3.2.2 FertilisationThe use of the induction hypothesis to simplify the induction conclusion is calledfertilisation. It is applied when no further rippling is possible. In the previousexample we made a direct appeal to the induction hypothesis to complete theproof. This is called strong fertilisation. Alternatively, the induction hypothesiscan also be used as a rewrite rule to simplify the induction conclusion. This iscalled weak fertilisation. For instance, in the example about the associativity ofaddition, instead of using wave rule 3.7, we can use the induction hypothesis (3.2)to rewrite either side of the conclusion (3.8). Using the hypothesis 3.2 left-to-rightwe get: s(x+ (y + z)) = s(x+ (y + z))which is trivially true, nishing the proof.Weak fertilisation is useful when rippling gets blocked in one side of the induc-tion conclusion. Consider the following conjecture:8x : Natural half(x+ x) = xwhere half is dened by: half(0) = 0
Chapter 3. Proof Planning 53half(s(0)) = 0half(s(s(u))) = s(half(u)) (3.17)from which Clam derives the wave-rule:half( s(s(U)) ")) s(half(U)) "Assume that rippling analysis chooses a 1-step induction on x. The step casebecomes: half(x+ x) = x ` half( s(x) " + s(x) ") = s(x) "The wave-rule from the recursive denition of plus applied to the left-hand side ofthe induction conclusion gives:half( s(x+ s(x) ") ") = s(x) "at this point no further wave-rules are applied and the rippling is blocked. Notethat the wave-rule required to unblock this rippling is:U + s(V ) " ) s(U + V ) "This is a commuted version of addition, but let us assume that this wave-rule isnot available. However, the right-hand side is trivially fully rippled, so we canapply weak fertilisation using the induction hypothesis right-to-left to get:half(s(x+ s(x))) = s(half(x+ x)) #After strong fertilisation, wave-fronts are removed since they have completed theirjob. After weak fertilisation they may still have a role to perform on the unblockedside of the equation, e.g. the right-hand side, so the annotations are left in placein this side. Their role is to be rippled-in by applying wave-rules derived fromequations in the opposite direction, that is, from right to left. This is indicatedby annotating the wave-front with the direction in which it is going to be rippled:inwards. Thus, the inwards wave-rule obtained from equation 3.17 is:s(half(U)) # ) half( s(s(U )) #)
Chapter 3. Proof Planning 54applying it to the right-hand side gives:half(s(x+ s(x))) = half( s(s(x+ x)) #)after which no more rippling in is possible. The wave-fronts are now removed andthe outermost function symbols are cancelled to give:x+ s(x) = s(x+ x)which is solved by generalisation and induction.Note that this subgoal is an instance of the missing wave-rule. This is nota coincidence, from the above analysis, we can see that if weak fertilisation andrippling succeed, then the subgoal they leave is an instance of the missing waverule, which can be generalised into the missing wave-rule, stored, and used againwhen needed.3.3 An exampleWe now give an example to illustrate the concepts explained. Consider the con-jecture that says that the length of two lists appended is equal to the sum of thelengths of each list:8x; y :  list length(x <> y) = length(x) + length(y) (3.18)where x and y are two lists of elements of type  , and length calculates the lengthof a list. The recursive denition of length is:length(nil) = 0length(H :: U) = s(length(U)) (3.19)From which the following outwards wave-rule is derived:length( U :: V ") ) s(length(V )) " (3.20)(H :: U) <> V " ) H :: (U <> V ) " (3.21)













wave   (length)
wave   (plus)
8
wave   (append)
9
wave   (length)
10










Figure 3{5: Structure of proof planThe structure of the proof plan which proves this conjecture is displayed in gure3{5. The proof plan is obtained automatically by Clam using the depth-rstplanner. Method and sub-method applications are marked with step numbers inthe nodes of the tree and are as follows: methods in the data base are tried one by one. When the method ind stratis tried, (in this case the other methods will have failed), we have thatrippling analysis and the denition of append suggest a list induction withx as the induction variable (step 1) the base case is length(nil <> y) = length(nil) + length(y)to which symbolic evaluation is applied (step 2) rewriting with the base-case denitions of append, length, and plus, andpropositional reasoning solves the base case (steps 3-6) the step case is length(x <> y) = length(x) + length(y)
Chapter 3. Proof Planning 56` length( a :: x " <> byc) = length( a :: x ") + length(byc)to which the step case sub-method is applied (step 7) the ripple sub-method looks for wave-rules to apply (step 8) the wave sub-method applies wave-rule 3.20 (the recursive denition of length)on the right-hand side of the induction hypothesis (step 9):length( a :: x " <> byc) = s(length(x)) " + length(byc) the wave sub-method applies wave-rule 3.6 (the recursive denition of plus)in the right-hand side (step 10):length( a :: x " <> byc) = s(length(x) + length(byc)) " the wave sub-method applies wave-rule 3.15 (the recursive denition of ap-pend) in the left-hand side (step 11):length( a :: x <> byc ") = s(length(x) + length(byc)) " the wave sub-method applies wave-rule 3.20 (the recursive denition of length)in the left-hand side (step 12):s(length(x <> byc)) " = s(length(x) + length(byc)) " the wave sub-method applies wave-rule 3.7 to obtain (step 13):length(x <> byc) = length(x) + length(byc) this matches the induction hypothesis and strong fertilisation nishes theproof applying the sub-method elementaryProof planning has been applied to other domains in addition to induct-ive theorem proving. These include summing series [Walsh et al 92], hardwareconguration [Lowe 91], program synthesis [Kraan et al 93], bridge game playing[Frank et al 92], and data-type transformation [Richardson 95].
Chapter 3. Proof Planning 573.4 Clam-OysterThe Clam-Oyster system has been developing since 1988 by the MathematicalReasoning Group at Edinburgh, incorporating previous experience in meta-leveland equational reasoning obtained from the PRESS system during the late 70s andearly 80s [Sterling et al 82,Silver 83]. A description of the Clam-Oyster system isgiven in [Bundy et al 90] and here, we give a brief description, highlighting thefeatures which will be relevant for understanding hardware verication with proofplanning.3.4.1 OysterOyster is a tactic-based interactive proof editor for goal directed, backward chain-ing proofs. It is based on intuitionistic higher-order logic and type theory. Ituses Prolog as a meta-language. It includes the types and constructors for naturalnumbers, integers, lists, disjoint union, functions, dependent functions, product,dependent product, quotient, subsets and recursion. A detailed description of thesystem is given in [Horn 95]. The user can create denitions and theorems whichare proved using the inference rules of the logic and of the various types. For in-stance, the denition of addition over the natural numbers which we will be usingin the following chapters, is given by:plus(x,y)<==>p_ind(x,y,[p,r,s(r)])where p ind is the inductive constructor for the natural numbers, x is the inductionvariable, y is the value for the base case, and [p; r; s(r)] describes the recursivecomputation of the function: s(r) is the value at s(p) where r is the value at p.From this denition, we have derived a primitive recursive function of addition,given by equations 3.5, which must be justied as theorems in the theory of the
Chapter 3. Proof Planning 58natural numbers 1. We may also dene addition using the extract term from asynthesis theorem in which the p ind term is introduced.plus(x,y)<==>term_of (plus) of x of yThis sort of denition facilitates the type-nding procedure during proof. All theobject-level denitions as well as the equations and rewrite rules derived from theequations and used by Clam for proof planning, are treated in a similar way.3.4.2 ClamClam implements the idea of proof planning. The main components of the Clamproof planner are: the logical objects, the method language, the planners, thelibrary mechanism, and the wave-rule parser. The method language which con-sists of predicates and connectives, also uses Prolog as its meta-language. Thelibrary mechanism allow the user to manipulate the logical objects. The plannersimplement various search procedures like depth-rst search, breadth-rst search,iterative deepening search, and best-rst-search to apply methods. The wave-ruleparser generates automatically annotations of wave-rules and induction conclu-sions. These annotations are created dynamically when the wave-rules are re-quired. A detailed description of the system is given in [vanHarmelen & group 96].Clam has various types of logical objects and uses commands to handle them.For instance, an Oyster denition for addition is recognised by the commanddef(plus). The base and recursive equations of addition are handled by givingthem identiers made from the name of the denition and a consecutive num-ber, i.e., plus1, and plus2, and handling them by the commands eqn(plus1)and eqn(plus1) respectively. Theorems like the associativity of addition, givenby formula 3.1 are named by an identier, e.g. assp and handled by the com-mand thm(assp). Wave rules derived like 3.6 are identied by the name of the1We have used a inx notation to represent arithmetic and list operations
Chapter 3. Proof Planning 59formula from which they are derived and recognised by the command wave likein wave(plus2). Methods, sub-methods, induction schemes, and proof plans arehandled by commands mthd, smthd, scheme, and plan respectively, in a similarway.Dependencies among logical objects are declared in a le called needs Forinstance, the logical objects needed by theorem 3.18 (called len sum) are declaredby the following entry in the needs le:needs(thm(len_sum) [def(plus),def(length),def(append),wave(cnc_s)])Logical objects can be loaded from and saved into the library with commands likelib load(T) and lib save(T), respectively. For instance, by sayinglib_load(thm(len_sum))Clam will load the theorem len sum along with all the logical objects declared inthe needs le.3.5 SummaryWe have presented a review of the proof planning technique as developed by theMRG group. We have described the notion of methods, which is the main com-ponent of proof planning. We have also described inductive proof planning andits main heuristics and search control mechanisms: rippling analysis, rippling, andfertilise, and have illustrated inductive proof planning with an example, alongwith a description of the Clam-Oyster proving system. This description providesus the background knowledge of proof planning required to explore now its use inverifying hardware.
Chapter 4Hardware VericationProof planning can be applied to automate hardware verication. This is the mainhypothesis of this thesis. In this chapter we illustrate the use of proof planningfor hardware verication by applying it to the verication of two simple circuits,and introduce the basic ideas. Section 4.1 describes basic elements for hardwareverication: types, operations on types, and conversion operations between types;section 4.2 explains the proof planning of a non-recursive circuit: a full adder;section 4.3 explains the proof planning of a recursive circuit: an n-bit incrementer;and section 4.4 presents a summary or the chapter.4.1 Basic elementsIn this section we describe the basic elements that we will need for our hardwareverication task: types, operations on types, and conversion functions betweentypes. Circuits are represented using a functional representation as described insection 2.2.4 and computer words are formalised using lists.4.1.1 TypesThe main types we will be using include: Booleans, words, natural numbers,signals, and states. Other types that we may use will be introduced when needed.60
Chapter 4. Hardware Verication 61BooleansThe type Boolean is represented as a disjunction of two unary types, where trueis the left injection and false is the right injection of the disjoint type.This denition is inuenced by the fact that we are using an intuitionisticlogic, type theory system (i.e. Oyster) at the object level, but the results areindependent of initial design decisions like this.WordsWords (or bit-vectors) are represented as lists of booleans:word = bool listThe elements of the type ( list) are nil and terms of the form h :: t, where nilstands for the empty list, :: is the list constructor, h is an element of type  , andt is a list of type  list. Inductive term constructors are supplied (e.g. list ind),from which primitive recursive functions dened over lists, like the append of twolists, the reverse of a list, and others, can be obtained. Most signicant bits canbe either to the left or to the right of the list. The latter representation is calledbig-endian, the former is called little-endian.We can parameterise words on their length using the following set type:wordn(n) = fw : wordjlength(w) = ng:The output of a hardware device is given as a word containing a nite number ofBoolean values, so we will frequently use these types to formalise the output ofcircuits like adders, arithmetic logic units, shifters, memories and other devices.Computer memory will be represented by a list of words of length n:memn(n) = wordn(n) listNatural numbersThe type pnat supplies the natural numbers. The elements of pnat are 0 and termsof the form s(: : :), where s is the successor function on natural numbers. Inductive
Chapter 4. Hardware Verication 62denition terms are supplied (e.g. p ind), from which primitive recursive functionsdened over pnat, like addition, subtraction, division and multiplication, can beobtained.This type will be frequently used to formalise the specication of a hardwaredevice, abstracting the internal working of the device.SignalsSignals arise in modelling sequential circuits. A signal is represented by a functiontype from time (represented by the natural numbers) to words:signal = time! wordThe output of data-path components which are transmitted by a bus, are usuallyformalised using signals. Control signals are represented by another function typeflag from time to Booleans: flag = time! boolSignals generated by a control unit, usually are of type flag.StatesStates arise when modelling the operation of a computer system. A state is rep-resented by a product type where the types of the elements of the product dependon the kind of state being represented:state = type1# : : :#typenwhere # is the product type constructor. Elements of this type are formed bythe operator &, e.g. t1& : : :&tn is an element of the type state. For instance, acomputer state at the instruction level ma be represented by the contents of thememory, the program counter, the accumulator, and a status ag which indicateswhether the computer is idle or running:inst state = memn(16)#wordn(13)#wordn(16)#bool
Chapter 4. Hardware Verication 63where memn(16), wordn(13) and wordn(16) are types for representing a memoryof 16-bit words, words of 13 bits (e.g. the program counter), and words of 16 bits(e.g. the accumulator register).A computer state at the register transfer level is often represented by thecontents of the memory and various registers of dierent lengths like the programcounter (13 bits), the accumulator (16 bits), the status ag (1 bit) , the buer (16bits), the memory address register (13 bits), the instruction register (16 bits), theargument register (16 bits), the microcode program counter (5 bits) and the readyag (1 bit). Its type is given by:rt state = memn(16)#wordn(13)#wordn(16)# : : :#boolWe will see in the next sections and in chapter 5 how all these types are usedto formalise and verify combinational and sequential hardware.4.1.2 OperationsWe dene some operations on types, the ones we will be using in modelling hard-ware. A type operation is a function that takes elements of the type and producesanother element of the same type.Boolean logicA Boolean logic comprises the type Boolean and operators on this type which aredened in terms of a built-in decision operator. For instance, the and operatorapplied to two variables U and V is dened by:and(U,V) = if U is true then V else falseFrom this denition we can derive properties on booleans like the and operationwhich is given by: and(true; V ) = Vand(false; V ) = false
Chapter 4. Hardware Verication 64These functions correspond to theorems which are justied from the primitivedenition of and. From these equations, rewrite rules are obtained for proof plan-ning. The other Boolean operators are dened in a similar way: not, or, xor, imp,and equiv. We these Boolean functions we will be able to formalise Boolean gateslike AND, OR, INVERTER, XOR, NAND, etc., as well as basic hardware devicessuch as an adder which sums two bits.Word operationsPrimitive recursive functions dened over lists like append, length and reversedened in chapter 3, apply also to words. The bit-wise and operation is denedby: and w(nil; nil) = niland w(H1 :: U;H2 :: V ) = and(H1;H2) :: and w(U; V ) (4.1)Other bit-wise Boolean operations, like not, or and xor, are dened in a similarway and will be useful in specifying the behaviour of an arithmetic logic unit.Natural number operationsThe following operations will be useful in specifying the behaviour of arithmeticcircuits like multipliers, dividers, exponentiators and factorial circuits. The follow-ing are primitive recursive function dened on the natural numbers. Multiplicationis dened by: 0  V = 0s(U)  V = U  V + VExponentiation is dened by: 20 = s(0)2s(U) = 2  2U
Chapter 4. Hardware Verication 65where 2 is an abbreviation for s(s(0)). Factorial is dened by:fact(0) = s(0)fact(s(U)) = s(U)  fact(U)And division on the natural numbers (quotient and remainder) are dened by:U=0 = 0U < V ! U=V = 0(U + V )=V = s(U=V )rem(U; 0) = 0U < V ! rem(U; V ) = Urem((U + V ); V ) = rem(U; V ))4.1.3 Conversion functionsFunctions that convert from one type into another type are necessary for comparingthe specication and the implementation of a circuit, which are frequently denedin dierent types, as opposed to operations on a type, whose application produceselements of the same type. For instance, if the specication of a circuit is givenby an equation in the natural numbers and the circuit gives a word as output, weneed to convert the word into a natural number to make it comparable with thespecication.The function bool2nat converts a Boolean into a natural number:bool2nat(false) = 0bool2nat(true) = s(0)The primitive recursive function word2nat converts a word in big endian formatinto a natural number:word2nat(nil) = 0word2nat(H :: U) = bool2nat(H) + 2  word2nat(U) (4.2)
Chapter 4. Hardware Verication 66word2nat l converts a word in little endian format into a natural number:word2nat l(nil) = 0word2nat l(H :: U) = bool2nat(H)  2length(U) + word2nat l(U)Sometimes we need the inverse operation, that is, converting a natural number intoa word of a certain length. This is obtained by the following primitive recursivefunction: nat2word(0; N) = 0nat2word(s(len); N) = nat2bool(N) :: nat2word(len; half(N))where nat2bool is a primitive recursive function that converts the number 0 intofalse and the number s(0) into true.The function abs imp converts a register-transfer level state into an instructionlevel state:8x1 : memn(16); x2 : wordn(13); x3 : wordn(16); x4 : bool; x5 : wordn(16);x6 : wordn(13); x7 : wordn(16); x8 : wordn(16); x9 : wordn(5); x10 : boolabs imp(x1&x2&x3&x4&x5&x6&x7&x8&x9&x10) = (x1&x2&x3&x4)4.2 A non-inductive proofWe describe now, the verication of a full-adder using a non-inductive proof plan.The full adder is a non-recursive combinational circuit which serves as a building-block of more complex circuits. Basically, it is a 1-bit adder which takes as inputtwo bits a, b and a carry input bit c and produces a sum bit fa sum and a carryoutput bit fa carry.4.2.1 FormalisationThe formalisation of the full adder is given by formulae that describe the specic-ation, the implementation and the verication conjecture.







p3Figure 4{1: 1-bit Full adderis obtained by two XOR gates connected by an internal wire p1. The carry outputfa carry is obtained from two AND gates, one OR gate, one XOR gate, and threeinternal wires p1, p2, p3. These circuits are formalised as follows:fa sum(a; b; c) = xor(a; xor(b; c))fa carry(a; b; c) = or(and(xor(a; b); c); and(b; c))full adder(a; b; c) = fa sum(a; b; c) :: fa carry(a; b; c) :: nilThe verication of the full adder is stated by the following conjecture:` 8a; b; c : bool word2nat(fa adder(a; b; c)) = full adder spec(a; b; c)4.2.2 VericationThe verication is done in two stages: proof planning and execution of the com-posite tactic (proof plan) resulting from the proof planning.







bool_cases(c) bool_cases(c) bool_cases(c) bool_cases(c)
eval_def



















7 8 21Figure 4{2: Structure of proof plan for verifying the full adder the method sym eval applies symbolic evaluation to simplify the goal bycalling the sub-methods eval def, bool cases and elementary. eval def rewrites using the rules derived from the denitions of word2nat,times, plus, fa sum, and fa carry. bool cases does a case split on variable a to give two subgoals, one for thefalse case and another for the true case (this sub-method is described inchapter 6).
Chapter 4. Hardware Verication 69 eval def simplies again the resulting subgoals using the rewrites of and,or, xor, bool2nat and plus. Similar simplications are done for the booleanvariables b and c giving 8 cases which are solved by propositional reasoningusing elementary.Plan executionThe proof plan is then executed by the Oyster system which proves the conjectureexecuting the tactic associated to each method. The formalisation of this proof isdisplayed in appendix B.StatisticsThe proof planning is done by Clam in 4 seconds. The execution of the proof planis done by Oyster in 1:45 minutes. In general, plan execution times are higherthan proof planning times. This has to do with the use of a prover based on typetheory with time consuming type checking sub-goals.4.3 An inductive proofWe now describe the verication of a recursive combinational circuit using aninductive proof plan. An n-bit incrementer takes as input a word x of length nand a Boolean carry input c, and produces as output a word of length n+1 whichis the result of adding c to x. If c is true then x in incremented by 1 otherwise xis left unchanged. In both cases there is a carry output co.4.3.1 FormalisationThe formalisation of the n-bit incrementer is given by formulae that describe thespecication, the implementation and the verication conjecture.








xnFigure 4{3: Implementation of n-bit incrementerThis design is formalised by the following recursive function:inc(nil; c) = c :: nilinc(a :: x; c) = ha sum(a; c) :: inc(x; ha carry(a; c)) (4.3)The conjecture that establishes the equivalence between the specication andthe implementation is the following:` 8c : bool; 8x : word; word2nat(inc(x; c)) = word2nat(x) + bool2nat(c)The specication is given unfolded, because this way, we can have a wave-rulefrom the conjecture, once we prove it.











































eval_def eval_def eval_def eval_def
ind_strat
sym_eval
Figure 4{4: Structure of the proof plan for n-bit incrementerThe left-hand side shows method application and the tree in the right-handside shows both method and (the main) sub-method application. There are 22method/sub-method application steps indicated by the numbers on the nodes: the verication conjecture matches the input slot H ==> G of the methodind strat, with H set to the empty list and G set to the verication con-jecture (step 1);
Chapter 4. Hardware Verication 72 the sub-method induction is tried: rippling analysis and the recursive den-ition of inc suggest an induction on word using variable x (step 2). Thisinduction scheme is a special case of induction on lists where the elementsof the list are of type bool. Thus, we have the following new goals:the base case:word2nat(inc(nil; c)) = word2nat(nil) + bool2nat(c)and the step case:word2nat(inc( v0 :: v1 "; bcc)) = word2nat( v0 :: v1 ") + bool2nat(bcc) The base case is solved by symbolic evaluation (steps 3-6) as follows: re-writing is applied to the goal using rules from the equations for word2nat,plus, inc and times. Then the sub-method term cancel (which is explainedin chapter 6) applies arithmetic reasoning by cancelling out equal additiveterms on both sides of an equation. Finally, the sub-method elementarynishes the remaining subgoal. The step case is simplied by the sub-method step case as follows (steps7-11): The annotations of the sub-term word2nat(v0 :: v1) on the right-hand side of the equation match the annotations of the left-hand side ofthe following outwards wave-rule obtained from equation 4.2, the recursivedenition of word2nat:word2nat( H :: U ")) bool2nat(H) + 2  word2nat(U) " (4.4)so the wave method is applied to give:: : : = bool2nat(v0) + 2  word2nat(x) " + bool2nat(bcc)The annotations of the sub-term inc(v1; c) on the left-hand side of the equa-tion match the annotations of the left-hand side of the following outwardswave-rule obtained from equation 4.3, the recursive denition of inc:inc( H :: U "; V )) ha sum(H;V ) :: inc(U; ha carry(H;V )) " (4.5)
Chapter 4. Hardware Verication 73so the wave method is applied again to yield:word2nat( ha sum(v0; c) :: inc(x; ha carry(v0; c)) ") = : : :The annotations on the right-hand side of the equation match the annota-tions of the left-hand side of wave-rule 4.4, so that the wave method appliesonce more to give:bool2nat(ha sum(v0; c)) + (2  word2nat(inc(x; ha carry(v0; c)))) " = : : :No more rippling or unblocking is possible, thus rippling nishes its role.But now the fertilise method applies, as the sub-termword2nat(inc(x; ha carry(v0; c)))on the left-hand side of the equation matches the left-hand side of the in-duction hypothesisword2nat(inc(U; V )) = word2nat(U) + bool2nat(V )with the substitution ha carry(v0; c)=V . Thus, the output of the fertilisemethod is obtained by rewriting from left to right with the induction hypo-thesis, giving:bool2nat(ha sum(v0; c)) + (2  (word2nat(v1) + bool2nat(ha carry(v0; c))))=(bool2nat(v0) + 2  word2nat(v1)) + bool2nat(c) The resulting subgoal is simplied by symbolic evaluation (steps 12-22) byapplying arithmetic cancellation (this is a new method which will be ex-plained in chapter 6), Boolean case analysis (also a new sub-method to beexplained in chapter 6) on variables v0 and c, rewriting and propositionalreasoning on the four Boolean cases, to nish the proof.
Chapter 4. Hardware Verication 74Plan ExecutionThe resulting composite tactic (or proof plan) customised for proving this partic-ular conjecture is then ran in Oyster which executes the tactic associated to eachof the methods which compose the proof plan, obtaining in this way a vericationproof.StatisticsClam plans the proof in 9 seconds. Oyster executes the plan in 41 seconds. Theproof planning of the n-bit incrementer required no lemmas. Another feature ofClam is that, in general, because of its automation facilities, it requires very fewlemmas in order to nd proof plans, compared to other systems. However, proofplan generation can be made faster if we add certain lemmas. For instance if weadd the lemma x+ 0 = xClam generates another proof plan in only 5 seconds.4.4 SummaryWe have presented two examples to introduce the basic ideas about the use ofproof planning for hardware verication. The rst example was a full-adder, a non-recursive, combinational circuit veried by case analysis. The second example wasan n-bit incrementer, a recursive combinational circuit veried by inductive proofplanning, using no lemmas in its verication. These two proofs are simple, butillustrate the way in which proof planning can be applied to verify circuits built byreplicating a basic component. For this type of circuit we exploit the automationfacilities of inductive proof planning to produce a proof. Tasks required involvedformalising the problem, adding two new sub-methods (e.g. Boolean case analysisand arithmetic reasoning), planning the conjecture and executing the plan.
Chapter 5A MethodologyThe hardware domain presents many examples of circuits with replicated com-ponents and feedback loops. Formal methods provide techniques to reason aboutsuch circuits and remain an active area of research. Among formal methods aremeta-level reasoning techniques, of which proof planning is a type. In chapter 4 wesaw how poof planning is applied to verify simple circuits. Proof planning can bescaled up and applied systematically to verify hardware with replicated compon-ents and feedback loops. Our work shows that proof planning can be successfullyapplied at least in the following cases: verication of combinational circuits andverication of synchronous sequential circuits. In the former, if the circuit is builtby replicating a set of basic hardware components, then it can be formalised usingrecursive functions. In the latter, if the circuit operation is controlled by a globalclock, then we can formalise it using a nite-state machine to represent time trans-itions. Given appropriate extensions, both types of verication proofs can be doneusing inductive proof planning by reasoning about the number of components andthe time parameter.In this chapter we describe a simple methodology for hardware verication us-ing proof planning for verifying both types of hardware. Section 5.1 describes amethodology based on the concept of proof engineering. Sections 5.2 and 5.3, applythe methodology to verify a set of combinational and sequential circuits of increas-ing complexity: an adder, an arithmetic logic unit, a parallel array multiplier, and75
Chapter 5. A Methodology 76a simple microprocessor. Section 5.4 discusses the features of extendability andscalability of proof planning. Finally, section 5.5 summarises the chapter.5.1 A Proof Engineering based MethodologyWe describe a methodology based on the idea of proof engineering for the verica-tion of hardware using proof planning. Proof engineering refers to the developmentof formal proof for systems (product) design and verication.The methodology consists of partitioning automation of formal proof into tasksclassied at three levels: user, proof and systems (tool) tasks. User level tasks haveto do with formalising a particular verication problem and using a formal tool toobtain a proof. Tasks typically will include the following: formalise the problem by providing denitions of the specication and theimplementation, and a statement of the verication conjecture; instruct a proof planner to use one of the planners and a predened set ofmethods, to generate a proof plan; and execute the proof plan to obtain a proof if a proof is not obtained, then revise the formalisation, which may includebugs, do appropriate corrections, and try again.In case of failure, then proof tasks come into action. Proof level tasks have todo with tuning proof techniques without modifying the tool system, and typicallywill include the following: apply a dierent method conguration; provide a possible missing lemma; modify an existing method and tactic;
Chapter 5. A Methodology 77 provide a new method and tactic; formalise a new theory.If the problem persists (we expect this to be rarely the case), then systems leveltasks, which refer to the modication of the proof system tool, may be necessary.This may include: correct a bug or ineciency in either the planner or the prover; provide a new predicate or connective for the method language; provide a new planner or extend an existing one; extend the library mechanism with a new type of logical object; extend the wave-rule parser or provide a new one; or develop a new interface for a dierent tactic-based prover, a model checker,or a decision procedure.The line between the tasks is sometimes rather ne, e.g. providing a dierentmethod ordering could be done at the user level as well, especially for users with acertain experience with the use of proof planning. Also, providing a new methodor a new predicate are not that dierent, although, conceptually, they are dierent,because the latter involves a modication to the planner and the former is onlyinput to the planner.We believe that this methodology could be supported organisationally, by hav-ing dierent individuals with dierent levels of competence carrying out thesetasks. For instance, the user level tasks could be performed by design engineers,with expertise in product design in a particular domain. The proof level taskswould be performed by an individual with experience in the use of formal meth-ods for system design, and who we call a proof engineer. The systems level taskswill be done by software developers who build, maintain and commercialise formalmethods tools. In this case, we have played these three roles.
Chapter 5. A Methodology 78The methodology proposed is not exclusive for hardware, it could equally beapplied to applications in other domains e.g. software development, product con-guration, product design, production scheduling, etc.To formalise a verication problem, the user provides equations, both recurs-ive and non-recursive for the specication and the implementation, a vericationconjecture, and dependencies among logical objects. The conjecture is typicallyan equation stating that the specication is equal to an abstract form of the im-plementation. For combinational hardware it takes the form:8x1; : : : ; xn conditions! spec(x1; : : : ; xn) = abs(imp(x1; : : : ; xn))In the case of synchronous sequential hardware, there will be a time parameter t,and if the specication and the implementation involve dierent time scales, then,we must provide a mapping function f that converts times from one scale into theother: 8t : time 8x1; : : : ; xnconditions! spec(t; x1; : : : ; xn) = abs(imp(f(t); x1; : : : ; xn))In either case, the same set of methods is applied to plan the conjecture.In the following sections we illustrate the methodology by describing severalexamples of combinational and sequential circuits. In presenting these examples,we also emphasise two features of proof planning which support the methodology:extendability and scalability. Extendability means that the proof and systems taskswhich involve extensions to proof planning to verify a particular circuit will alsowork to verify other circuits of the same type. Scalability means that the proofand systems tasks which involve extensions to proof planning to verify a particularcircuit will also work to verify more complex circuits. We conjecture that these twofeatures of extendability and scalability will hold for circuits of industrial-strength,if we apply to them a proof engineering methodology based on proof planning.
Chapter 5. A Methodology 795.2 Combinational circuitsIn this section we describe the verication of some combinational circuits usingthe methodology. The circuits presented in this section are: an adder, a multiplier,and an arithmetic logic unit. We focus on the aspects which are relevant to theverication methodology: user, proof, and systems level tasks.5.2.1 An n-bit adderAn n-bit adder takes as input two words x and y of the same length n, and a carryinput bit c and produces a word adder of length n+ 1 which is the sum of x andy.User tasksTasks involved here include formalising the problem and running Clam-Oyster toobtain a verication proof. The formalisation of the adder included experimentingwith relational and functional representations. A relational formalism was triedrst, just to nd out that Clam (especially the rippling technique) was designedto deal with functional representations, and we preferred the functional formal-ism thereafter. Another representation decision was determining whether to usefunctions or lists to represent words. The rst attempt was to use functions, butthis revealed several ineciencies of Clam's wave-rule parser in handling largeterms. The decision to use a functional formalism to represent circuits and liststo represent words was supported by reading Hunt's work with Nqthm [Hunt 86].The specication is given by the equation:adder spec(x; y; c) = word2nat(x) + word2nat(y) + bitval(c)A common implementation of the n-bit adder is the ripple-carry adder obtainedby cascading n full adders. This implementation is formalised by the following
Chapter 5. A Methodology 80recursive function, where the rst two arguments are assumed to have the samelength: adder(nil; nil; c) = cadder(a :: x; b :: y; c) = fa sum(a; b; c) :: adder(x; y; fa carry(a; b; c))The verication conjecture has the form of a combinational circuit:length(x) = length(y)!word2nat(adder(x; y; c)) = word2nat(x) + word2nat(y) + bitval(c)The next task is to run Clam-Oyster to get a proof. The proof plan that provesthis conjecture is generated automatically by Clam and is displayed graphicallyin gure 5{1. Notice that it has the same structure as the proof plan for theincrementer circuit described in chapter 4. The left-hand side shows the methodapplication and the right-hand side shows both, method and sub-method applica-tion. The planning takes 31 method and sub-method application steps, indicatedby the numbers on the nodes of the tree, we briey explain the main steps of theplanning: rippling analysis, the recursive denition of the adder, and the conditionlength(x) = length(y) suggest a double induction on the variables x and y(steps 1-2). An induction scheme with these characteristics was added toClam's database of induction schemes. the base case:word2nat(adder(nil; nil; c)) = word2nat(nil) + word2nat(nil) + bitval(c)is solved by symbolic evaluation, rewriting, term cancellation, and proposi-tional reasoning (steps 3-6)






































eval_defFigure 5{1: Proof plan for the n-bit Adder the step case: word2nat(adder( v0 :: x "; v2 :: y "; c)) =word2nat( v0 :: x ") + word2nat( v0 :: x ") + bitval(c)is simplied by rippling, by applying the wave sub-method with the waverule 4.4, and the outwards wave rule derived from equation 5.1:adder( H :: U "; I :: V "; C))fa sum(H; I;C) :: adder(U; V; fa carry(H; I;C)) "Unblocking is applied next, and then weak-fertilisation (steps 7-13). the remaining subgoal is solved by symbolic evaluation applying term can-cellation, Boolean case analysis on variables v0, v2, and c, which results in 8cases, each of which is solved by rewriting and propositional reasoning (steps13-31).
Chapter 5. A Methodology 82Plan execution is then carried by Oyster by executing the tactic associated toeach of the methods which appear in the plan.Proof tasksThe proof tasks consisted of: writing an extra clause for the Boolean case analysismethod, writing a method for doing arithmetic reasoning; adding a new clausefor weak fertilisation; modifying the generalise method to handle Boolean caseanalysis; adding a new scheme for induction on two words of the same length;experimenting with method orderings; and writing or updating tactics associatedto the new or the updated methods. All this extensions are described in chapter6 and their statistics are analysed in chapter 7. Boolean case analysis was rst used for verifying the full-adder. The methodcontained two clauses to cover a situation in which a Boolean variable isamong the variables of the goal and another situation in which a Booleanvariable is already in the hypothesis list. A third clause was added for theadder to recognise Boolean terms like the head of a word and do case analysison them. The tactic for this method was adapted from the case-split tactic. Cancellation of top-level additive terms on both sides of an equality wascarried out by a term cancellation sub-method. The sub-method requiredsome new predicates and was easy to implement. A key step for the successful planning of the adder verication conjecturewas the addition of a clause in the weak fertilise method to handle wave-fronts that contain several sinks, each of which stores an inwards wave-front.With this addition, the step case was completed and the proof was nishedby term cancellation and Boolean case analysis. The generalisation method was slightly modied to add a precondition forgeneralising Boolean terms. The lack of this condition would cause Clam toloop, reecting a bug in the type guessing predicate.
Chapter 5. A Methodology 83 A special induction schemewas added to Clam's data base to verify hardwaredevices like the adder, in which there are replicated components and twoinput words of the same length. For this particular proof we had to apply induction rst to avoid applyingBoolean case analysis and unfolding of denitions which made proof by in-duction more dicult. This was done by a change in method ordering andrequired experimentation with various orderings. Otherwise, backtrackingwhen a method fails will generate a dierent ordering, which in this case,will nd the desired proof plan. The modication to the tactics were in most cases straightforward except theone for term cancellation which was very dicult to implement as explainedin 6.Systems tasksThe systems level extensions were minor, although in some cases they were timeconsuming (e.g. parsing well-annotated terms), and consisted of: writing a newmethod predicate for nding terms of type Boolean, updating the type informationof the Prolog program which does type checking, and correcting ineciencies (e.g.the predicate for well-annotated terms was implemented in such a way that madeun-necessary, time consuming calculations).5.2.2 Arithmetic Logic UnitAn Arithmetic Logic Unit (ALU) takes as input two words x and y of the samelength n, a carry input c, and three selection boolean variables s0, s1, s2 whichdetermine the kind of micro-operation to execute, and produces a word of lengthn + 1. It is interesting to note that although this circuit is more complex thatthe adder, its proof did not require any new extensions to Clam-Oyster. The ALUperforms the 12 operations displayed in the following table:
Chapter 5. A Methodology 84Selections2 s1 s0 c Operation0 0 0 0 Move x0 0 0 1 Increment x0 0 1 0 Add x and y0 0 1 1 Add x and y with carry0 1 0 0 Subtract y from x with borrow0 1 0 1 Subtract y from x0 1 1 0 Decrement x0 1 1 1 Move x with carry1 0 0 X Bitwise Or of x and y1 0 1 X Bitwise Xor of x and y1 1 0 X Bitwise And of x and y1 1 1 X Not of x (complement)When s2 equals zero, we have an arithmetic operation. The carry input c is usedto further determine the operation. When s2 equals 1 we have a logic operationand the value of c is a don0t care, which is indicated by X.User tasksThe formalisation of this circuit proceeded as follows: the implementation hasthe same form as the incrementer and the adder, thus, implementing the ALUwas straightforward; the specication gave more trouble and most of the time wasspent debugging each of its 12 components.The specication of the ALU is formalised in terms of the adder and bit-wiseBoolean operations on words. When c = false inadder(x; nat2word(length(x); 0); c)we have the eect of transferring x, when c = true, x is incremented by 1. Whenc = false in adder(x; y; c), we get the addition of x and y, when c = true wehave addition with carry. Subtraction of two words x and y is dened in terms of

























Figure 5{2: Hardware Design of a 1-bit ALUThe verication of this circuit is done in Clam-Oyster by Boolean case analysison the six variables giving 64 cases.The n-bit ALU can then be implemented by cascading n 1-bit ALUs. Thisimplementation is formalised by the following recursive function:alu(s0; s1; s2; nil; nil; c) = and(not(s2); c) :: nil













































eval_defFigure 5{3: Proof plan for the n-bit ALUand sub-method application steps, indicated by the numbers on the nodes of thetree:
Chapter 5. A Methodology 87 rippling analysis, the recursive denition of the ALU, and the conditionlength(x) = length(y) suggest a double induction on the variables x and y(steps 1-2). the base case:alu(s0; s1; s2; nil; nil; c) = alu spec(s0; s1; s2; nil; nil; c)is solved by symbolic evaluation, rewriting, Boolean case analysis on s2,s1, s0, and c (12 cases, one for each micro-operation), and propositionalreasoning (steps 8-29) the step case:alu(s0; s1; s2; v0 :: x "; v2 :: y "; c) = alu spec(s0; s1; s2; v0 :: x "; v2 :: y "; c)is simplied by rippling, by applying the wave sub-method with the outwardswave rule derived from equation 5.1:alu(s0; s1; s2; H :: U "; I :: V "; C))alu sum(s0; s1; s2; U; V;C) :: alu(s0; s1; s2; x; y; alu carry(s0; s1; s2; a; b; c)) "unblocking is applied next, and then weak-fertilisation (steps 30-35). the remaining subgoal is solved by symbolic evaluation applying rewriting,Boolean case analysis on variables v0; v2; s2; s1; s0; c which results in 48 cases,each of which is solved by rewriting and propositional reasoning (steps 39-134).Next, plan execution is carried by Oyster by executing again the tactic associatedto each of the methods which appear in the plan.Proof tasksWe were surprised to see that there were no proof tasks involved. The extensionsmade for the adder were exactly the ones needed for the ALU. This exampleillustrates the extendability and scalability features of proof planning.
Chapter 5. A Methodology 88Systems tasksThe systems tasks were again minor although time consuming, and consistedmainly of debugging the code and nding a way around the ineciencies of Clamin parsing large terms. For instance, the wave-rule parser of version 2.2 couldnot load the specication of the ALU in a reasonable time (e.g. it would run fortwo hours without nishing). The reason is that it was looking for well-annotatedterms in a very inecient way. A new implementation of the wave rule parser inversion 2.3 solved this problem. For the time being, we had to patch the librarymechanism program to avoid un-necessary calculations.5.2.3 MultiplierThis circuit takes as input two words of lengths n and m and outputs a word oflength n + m corresponding to the product of x and y. Multiplication of binarynumbers can be implemented by a simple parallel array multiplier using binaryadditions. Consider, for example, multiplying a 3-bit word by a 2-bit word. Thisis represented by: x2 x1 x0X y1 y0x2y0 x1y0 x0y0x2y1 x1y1 x0y1z4 z3 z2 z1 z0to multiply an n bit word by an m bit word the array multiplier uses n m ANDgates to compute each of these intermediate terms in parallel, and then m binaryadditions are used to sum together the rows. This requires a total of n m onebit adders.User tasksFormalisation of this circuit was easier using a little endian representation of words(i.e. more signicant bits to the left).
















9Figure 5{4: Proof plan for the nm-bit multiplier
Chapter 5. A Methodology 90steps, indicated by the numbers on the nodes of the tree. In this tree we showjust the method application and omit the sub-methods, to make the tree morereadable: rippling analysis, and the recursive denition of mult, suggest an inductionon the variables y (step 1). the base case:word2nat(x)  word2nat(nil) = word2nat(mult(x; nil))is simplied by symbolic evaluation applying rewriting, giving:0 = word2nat(zeroes(len(x)))which is solved by another application of the induction strategy by an in-duction on x (step 2) the step case:word2nat(bxc)  word2nat( v0 :: v1 ") = word2nat(mult(bxc ; v0 :: v1 "))is simplied by rippling, by applying the wave sub-method with the outwardswave-rule derived from equation 5.3:mult(U; H :: V "))adder l(mult one(U;H) <> zeroes(length(V ));mult(U; V ); false) "the wave rule obtained from the verication of the n-bit adder, word2nat,distributivity of times over plus, unblocking, and weak fertilisation, to yield:word2nat(multOne(x; v0) <> zeroes(length(v1))) + word2nat(mult(x; v1))=word2nat(x)  (bitval(v0)  exptwo(length(v1))) + word2nat(mult(x; v1))This equation involvesmostly arithmetic reasoning, and is solved by symbolicevaluation and the induction strategy in steps 3-9.Plan execution is then carried by Oyster by executing the tactic associated to eachof the methods which appear in the plan.
Chapter 5. A Methodology 91Proof tasksThe main proof task was nding the various lemmas required for the proof. Theextensions made for the adder worked for the multiplier as well. The lemmasneeded correspond to the verication of the n-bit adder, distributivity of timesover plus, associativity of times, and reduction rules like x + 0 = x, x  0 = 0.Reduction rule like this can be solved by induction, although they occur in acontext in which the equation in quite complicated and the planning will takemore time.Systems tasksThere were no systems tasks involved for this proof.5.3 A sequential circuitWe now present the verication of a sequential circuit: a simple microprocessor,called the Gordon computer. This is a 16-bit microprocessor, with 8 program-ming instructions, no interrupts, and a synchronous communication interface withmemory, designed by Mike Gordon and his group at Cambridge University. Itsarchitecture has been described elsewhere [Joyce et al 86,Camilleri 88,Joyce 90].There are three sets of lights: 13 PC display lights which show the contents of theprogram counter, 16 ACC display lights which show the contents of the accumu-lator, and the idle light which is on when the computer is idling (i.e. not executinga program). There are also 16 two-position switches which are used for inputingdata. There are also 3 boolean switches and a knob in the front panel. Pushing thebutton switch when the computer is running (i.e. executing a program) interruptsthe execution of the program and the computer idles. The eect of pushing thebutton switch when the computer is idling is determined by the position of theknob. When the knob is in position 0 the eect of pushing the button is that theword determined by the state of the thirteen rightmost switches is loaded into the
Chapter 5. A Methodology 92program counter. Pushing the button when the knob is in position 1 loads theword determined by the sixteen switches into the accumulator. When the knobis in position 2 the contents of the accumulator is stored in the memory at thelocation held in the program counter. Finally, knob position 3 is used to startthe execution of the program stored in memory beginning at the location in theprogram counter. When execution of a program begins the idle light goes o andstays o until execution stops. Execution can only stop if a HALT instruction isencountered or an interrupt is generated by pushing the button.The specication, given at the instruction level, is dened in terms of the se-mantics of the 8 programming instructions. Each instruction consists of the setof operations that determines a new computer state, where a state is determinedby the contents of the memory, the program counter, the accumulator and theidle/running status of the computer. The execution of an instruction denes atransition from a state into a new state and this transition determines the time-unit of an instruction-level time-scale. Thus, for each instruction we must specifythe way in which each of the four components of a computer state are calculated.The implementation is at the register-transfer level. It consists of a data-pathand a microprogrammed control unit. A computer state at the register-transferlevel is determined by the contents of 11 components: the memory, the programcounter, the accumulator, the idle/running ag, the memory address register, theinstruction register, the argument register, the buer register, the bus, the micro-code program counter and the ready ag. The control unit generates the necessarycontrol ags to update the computer registers. Communication between the busand the registers is regulated by a set of gates. The implementation uses a micro-instruction time-scale. The number of micro-instructions required to compute agiven instruction is calculated automatically by using the ready ag in the mi-crocode, and the associated time at the micro-instruction-level time-scale mappedonto the respective time at the instruction-level time-scale. The correctness the-orem asserts that the state of the computer at the specication level is equal toan abstract state of the implementation level each time an instruction is executed.
Chapter 5. A Methodology 93The computer has the following programming instructions, each consisting of a3-bit operation code and a 13-bit address:opcode address mnemonic description000 13 bits HALT stops execution001 13 bits JMP L jump to address010 13 bits JZR L jump to address if ACC=0011 13 bits ADD L add contents of address to ACC100 13 bits SUB L subtract contents of address from ACC101 13 bits LD L load contents of address into ACC110 13 bits ST L store contents of ACC in address111 13 bits SKIP skip to next instruction5.3.1 User tasksThe formalisation involved activities like: translating from the relational specic-ation given in [Joyce et al 86] into a functional representation, and debugging thedenitions. The translation of representation was time-consuming and it wouldhave been easier to start from scratch. Other user tasks included: dening thetypes and converts for signals and states described in chapter 4, providing a time-scale mapping function, and characterising the stability of signals.There are two time-scales, the instruction time-scale and the micro-instructiontime-scale. Each time an instruction is executed the instruction time-scale is in-cremented by 1. Each instruction requires a variable number of micro-operationsto execute. This variability is controlled by the ready ag which becomes true atthe beginning and at the end of each instruction execution. Each time a micro-operation is executed the micro-instruction time-scale is incremented by 1. Thefunction microtime takes an instruction level time and other arguments and con-verts it to a micro-instruction level time. There are also abstraction functions forthe signals swithches, the knob, the button and the idle ag to map them betweenthe two time-scales.microtime(s(u); swt; knob; button) = iterate time(u; swt; knob; button)
Chapter 5. A Methodology 94iterate time(u; swt; knob; button) = next time(microtime(u; swt; knob; button); swt; knob; button)next time(t; swt; knob; button) = if ready(s(t); swt; knob; button) = falsethen next time(s(t); swt; knob; button)else s(t)The predicate stable(sig; t1; t2) means that the signal sig is stable between timest1 and t2. It has the following property8t : pnat; t1  t  t2 ! sig(t) = sig(t1)From here we can prove the lemma:stable(sig; t1; t2)! 8t; t1  t < t2 ! sig(s(t)) = sig(t)SpecicationThe specication of the Gordon computer is graphically displayed in gure 5{5.The computer can be in any of two states, idling or running. When idling thecomputer can execute any of 6 operations depending on the values of button andknob. When running the computer can execute any of 9 instructions dependingupon the value of the operation code. The jump on zero instruction is split in twocases depending on the contents of the accumulator. These 15 cases specify the in-struction level behaviour of Gordon computer. The following conditional equationillustrates the case corresponding to the specication of the add instruction:8u : pnat; swt : signaln(16); knob : signaln(2); button : flagidle(microtime(u; swt; knob; button); swt; knob; button) = false ^button(microtime(u; swt; knob; button)) = false ^opcode = (false :: true :: true :: nil)!computer(s(u); swt; knob; button) = (5.4)
Chapter 5. A Methodology 95
state 10=(m,pc,acc,true)                                                   top execution      
state 4=(m,inc(pc),acc,false)                                             jump if no zero
state 8=(store(addr(pc,m),acc,m),inc(pc),acc,false)          store
state 2=(m,addr(pc,m),acc,false)                                       jump
state 3=(m,addr(pc,m),acc,false)                                       jump if zero
state 7=(m,inc(pc),fetch(pc,m),false)                                load
state 5=(m,inc(pc),add(acc,fetch(pc,m)),false)                  add
state 11=(m,pc,acc,true)                                                   stop operation
state 12=(m,pc,ac,true)                                                     load pc
state 13=(store(pc,acc,m),pc,acc,true)                              load acc
state 14=(m,pc,swt,true)                                                  load mem
state 15=(m,cut(swt),acc,true)                                         start execution
state 1=(m,pc,acc,true)                                                      halt
state 6=(m,inc(pc),subt(acc,fetch(pc,m),false)                  subtract





































Figure 5{5: Specication of the Gordon computerexecute add(computer(u; swt; knob; button))where 8x : state execute add(x) = (5.5)fst(x)&inc g(snd(x))&add g(trd(x); fetch(cut(fetch(snd(x); fst(x)))); false)&truewhere fst, snd and trd access the rst, second and third elements of a spe-cication state respectively. The other 14 cases are dened in the same way.These cases use the following uninterpreted functions: add g(x; y; c) : wordn(16),subtract g(x; y; c) : wordn(16), inc g(x; y; c) : wordn(16), cut(x) : wordn(13),pad(x) : wordn(16), fetch(x) : wordn(16), store(x) : memn(16).
Chapter 5. A Methodology 96ImplementationThe implementation description of the Gordon computer is given at the register-transfer level as shown in gure 5{6 [Joyce et al 86]. The implementation has























Figure 5{6: Register-transfer level implementation of the Gordon computera number of registers in addition to the program counter and accumulator ofthe instruction level. The instruction currently under execution is held in theinstruction register IR, addresses of memory locations to be read or written toare held in the memory address register MAR, arguments to the arithmetic andlogic unit ALU are held in the ARG register and the results of the ALU are heldin the buer register BUFF . The implementation also used ve gate devices G0,G1, G2, G3 and G4 to control the reading of data onto the 16-bit bus BUS.The fetch-decode-execute cycle is driven by a microcoded control unit. Themicrocode is stored in a read-only ROM which can hold 32 microcode instructions,each 30 bits wide. On every clock cycle, the microcode instruction addressed bythe microcode program counterMPC is read from the ROM and decoded by thedecode unit DECODE. Output from the decode unit consists of signals which
Chapter 5. A Methodology 97control the operation of the data part of the implementation. These signals cor-respond to control lines which are labelled in gure 5{6 as rsw, wmar, memctlA,memctlB, wpc, rpc, wacc, racc, wir, rir, warg, aluctlA, aluctlB and rbuf . Forinstance, when the boolean signal rpc has the value true the low 13 bits of the busare read into the program counter register PC. All of the control signals have flagtype (function from time to Bool). The decode unit also produces the address ofthe next microcode instruction which is loaded in the microcode program counter.The register-transfer implementation of the Gordon computer is divided intotwo parts, the data-path and the control unit. The components of the data-pathare the registers, the memory, the arithmetic and logic unit, and the bus. Types ofregisters include 16-bit registers or 13-bit registers; selectively loadable registers ordirectly loadable registers; bi-stable registers or tri-stable registers. Memory wordsand registers that store their contents are 16-bits long. Addresses and the registersthat store them are 13-bits long. Selectively loadable registers use a boolean agto determine when they can be loaded. These boolean ags are generated bythe Control Unit. Among these registers are the memory, dened by the typememn which consists of a list of words in memory. The operation performed onmemory is determined by the values of the ags memctlA and memctlB. Thebuer is a 16-bit, directly loadable, bi-stable register which stores the output ofthe Arithmetic Logic Unit. The bus is used for the transfer of both 16-bit dataand 13-bit addresses. It merges signal from the various devices and ensures thatjust one device has access to it. Each of these and the other registers are denedby a recursive function. For instance, the following recursive function denes theaccumulator:acc(s(t); swt; knob; button) = if wacc(t; swt; knob; button) = falsethen acc(t; swt; knob; button)else bus(t; swt; knob; button)The control unit generates the 16 control ags that drive the data-path. It containss 30-bit microcode store, a 5-bits microcode program counter mpc, and a combin-ational logic to compute the next value of the mpc. For instance, the control ag
Chapter 5. A Methodology 98wacc is calculated by:wacc(t; swt; knob; button) = mc wacc(mpc(t; swt; knob; button))mc wacc is the column of the microcode that stores the 32 values of the writeaccumulator ag. The other 15 control ags are dened in a similar way. Themicrocode program counter is a 5-bit register that loads every clock cycle andcalculates the next value of the mpc.The implementation of the Gordon computer is established by the functioncomputer imp that denes the computer implementation state at any time of themicroinstruction time-scale. computer imp(p)=memory(p)&pc(p)&acc(p)&idle(p)&buffer(p)&mar(p)&ir(p)&arg(p)&mpc(p)&ready(p)where p = (t; swt; knob; button).ConjectureThe rst statement of correctness is given by the following verication conjecturewhich establishes that if the specication and the implementationmatch at a givenpoint in time t of the instruction time-scale then they will also match at time t+1.8u : pnat; swt : signaln(16); knob : signaln(2); button : flagstable(swt;microtime(u);microtime(s(u)))!stable(knob;microtime(u);microtime(s(u)))!mpc(microtime(u; swt; knob; button); swt; knob; button) =false :: false :: false :: false :: false :: nil in wordn(5) !abs imp(computer imp(microtime(u; swt; knob; button); swt; knob; button))
Chapter 5. A Methodology 99=computer(u; swt; knob; button)!abs imp(computer imp(microtime(s(u); swt; knob; button); swt; knob; button))=computer(s(u); swt; knob; button)This version of the conjecture assumes that the computer is stable after power up.It can be shown that there exists a time at which the microcode program counteris reset, and this value is either the address 00000 (0) or the address 00101 (5),corresponding to the initial states when the computer is idling or executing an in-struction, respectively. These values of the mpc can be reached by an initialisationprocedure for the computer after power up. The rst fabrication of Gordon com-puter did not include a reset button for the microcode program counter. Formalverication did not catch this fact because the output values of the mpc were as-sumed bistable without regard to the type of input values of the mpc. Althoughthe deduction was correct, the register transfer model was not accurate enough todetect this fact [Joyce et al 86]. Thus, we assume that the computer powers upand reaches a stable state where the mpc is set to zeroes when the computer isidling. When the computer is running the mpc is set to 5. Also, in this versionof the theorem we assume that the bus carries bistable signals, i.e. we do notmerge/split signals with oating values.A second statement of correctness is given by the following verication conjec-ture which establishes the equivalence of the specication and an abstract repres-entation of the implementation at any point of the instruction-level time-scale:8u : pnat; swt : signaln(16); knob : signaln(2); button : flag(8t : pnat; stable(swt;microtime(t);microtime(s(t))))!(8t : pnat; stable(knob;microtime(t);microtime(s(t))))!mpc(microtime(u; swt; knob; button); swt; knob; button) =false :: false :: false :: false :: false :: nil in wordn(5) !
Chapter 5. A Methodology 100abs imp(computer imp(microtime(u; swt; knob; button); swt; knob; button))=computer(u; swt; knob; button)The proof of this conjecture is done by induction on time. The base case corres-ponds to an unrealistic situation in which the computer powers up and establishesat time 0. The step case coincides with the previous version of the conjecture.A third version of the conjecture is as follows:8u : pnat; swt : signaln(16); knob : signaln(2); button : flag8swt abs : signaln(16); knob abs : signaln(2); button abs : flag(8t : pnat; stable(swt;microtime(t);microtime(s(t))))!(8t : pnat; stable(knob;microtime(t);microtime(s(t))))!(8t : pnat; swt abs of t = swt of microtime(t; swt; knob; button))!(8t : pnat; knob abs of t = knob of microtime(t; swt; knob; button))!(8t : pnat; button abs of t = knob of microtime(t; swt; knob; button))!mpc(microtime(u; swt; knob; button); swt; knob; button) =false :: false :: false :: false :: false :: nil in wordn(5) !abs imp(computer imp(microtime(u; swt; knob; button); swt; knob; button))=computer(u; swt abs; knob abs; button abs)This version considers abstract views of the variables swt, knob and button whichare used in the specication of the computer and are unfolded by the abstractionequations included in the conditions of the conjecture. The proof also assumes thethe computer powers up and establishes at time 0.
Chapter 5. A Methodology 101In the following version of the conjecture, we allow for an arbitrary period oftime for initialisation after power up:8u; v : pnat; swt : signaln(16); knob : signaln(2); button : flag8swt abs : signaln(16); knob abs : signaln(2); button abs : flag(8t : pnat; stable(swt;microtime(t);microtime(s(t))))!(8t : pnat; stable(knob;microtime(t);microtime(s(t))))!(8t : pnat; swt abs of t = swt of microtime(t; swt; knob; button))!(8t : pnat; knob abs of t = knob of microtime(t; swt; knob; button))!(8t : pnat; button abs of t = knob of microtime(t; swt; knob; button))!mpc(microtime(u; swt; knob; button); swt; knob; button) =false :: false :: false :: false :: false :: nil in wordn(5) !abs imp(computer imp(microtime(u; swt; knob; button); swt; knob; button))=computer(u; swt abs; knob abs; button abs)!u  v!abs imp(computer imp(microtime(v; swt; knob; button); swt; knob; button))=computer(v; swt abs; knob abs; button abs)A scheme like the following would be used to prove this conjecture by inductionon time:8 : pnat! u(2) ( H ` 8x : pnat; Conditions! (x)! (s(x))H ` 8u; t : pnat; Conditions! u  t! (u)! (t))VericationThe proof plan corresponding to the second version of the conjecture is generatedautomatically by Clam and is graphically displayed in gure 5{7. Once again,
















































Figure 5{7: Proof plan for the Gordon computernumbers on the nodes of the tree: the proof is done by induction on the time variable u, which is suggested bythe recursive denition of computer. The base case, is solved by symbolicevaluations using initial values for the specication and the implementa-tion at time 0. For the step case, the induction hypothesis establishes theequality of the specication and an abstract view of the implementation attime u of the instruction-level time-scale, and the induction conclusion es-tablishes the same equality at time s(u) of the same time-scale. Mappingthis time unit into the microinstruction time-scale, results in the executionof a variable number of micro-operations, each requiring a time unit of the
Chapter 5. A Methodology 103microinstruction time-scale. The sequence of micro-operations associated toeach instruction is recorded in the microcode. the step case is (step 1):: : : abs imp(computer imp(mt(u; swt; knob; button); swt; knob; button))=computer(u; swt; knob; button)`: : : abs imp(computer imp(mt( s(u) "; swt; knob; button); swt; knob; button))=computer( s(u "); swt; knob; button)which is then simplied by the step case method (step 2). mt is an abbre-viation for microtime. Rippling tries to reduce the dierences between thegoal and the hypothesis using the 15 wave-rules that dene the specication(step 3). This induces a case-split generating 15 cases, one for each of thepossible computer instructions that result when the computer is idling (6) orwhen the computer is running (9) (step 4). For each of these cases the wavemethod applies the outwards wave rule associated with each of the 15 re-cursive equations of the specication (step 5), does unblocking (step 6), andapplies weak fertilisation (steps 7-8). For instance, consider the case whenidle is false, button is false and the operation code is 3. This correspondto the add operation. After case-split the goal is:8u : pnat; swt : signaln(16); knob : signaln(2); button : flagidle(mt(u; swt; knob; button); swt; knob; button) = false ^button(mt(u; swt; knob; button)) = false ^opcode = (false :: true :: true :: nil)!abs imp(computer imp(mt( s(u) "; swt; knob; button); swt; knob; button))
Chapter 5. A Methodology 104=computer( s(u) "; swt; knob; button)the wave sub-method applies the following outwards wave-rule associatedwith its recursive denition given by equation 5.4:8u : pnat; swt : signaln(16); knob : signaln(2); button : flagidle(microtime(U; swt; knob; button); swt; knob; button) = false ^button(microtime(U; swt; knob; button)) = false ^opcode = (false :: true :: true :: nil)!computer( s(U) "; swt; knob; button))execute add(computer(U; swt; knob; button)) "The resulting subgoal:abs imp(computer imp(mt( s(u) "; swt; knob; button); swt; knob; button))=execute add(computer(u; swt; knob; button)) "is simplied by unblocking using equation 5.5 and weak fertilisation to give:v = fst(v)&inc g(snd(v))&add g(trd(v); fetch(tl(tl(tl(fetch(snd(v); fst(v))))); fst(v)); false)&falsewherev = abs imp(computer imp(mt(u; swt; knob; button); swt; knob; button)) since idle is true, the mpc should be set to 5. This is done by the methodchange mpc (step 9)
Chapter 5. A Methodology 105 The resulting subgoal is proved by symbolic evaluation using the recursivedenitions of the implementation state components, namely mpc, memory,pc, acc, arg, mar, ir, buffer (step 10). The recursion is done 10 times,which is the number of micro-operations the computer takes to execute theadd instruction. The memoisation procedure applied by the eval def sub-method, plays a critical role here, for storing and reusing values previouslycomputed, otherwise the memory is exhausted after two or three iterations(step 11). The memoisation procedure is described in section 5.3.2. the generalise method generalises a term which results when fetching thecontents of the program counter from memory (step 12) in the next step the normalisemethod generates four subgoals, one for eachelement of a specication state. Three of these subgoals are tautologies andare solved by the sym eval method, and the fourth:cut(inc g(pad(pc(w; swt; knob; button)))) = inc g(pc(w; swt; knob; button))is solved by the apply lemma method which using the lemmacut(inc g(pad(x))) = inc g(x) the other 14 cases are solved in a similar way5.3.2 Proof tasksThe proof tasks consisted of: writing a new sub-method for implementing amemoisation algorithm for computing recursive functions, writing a new methodfor experimenting with dierence matching, extending the normalisation methodto normalise equations with product terms, experimenting with various represent-ations (e.g. time abstraction, state-transition graphs, conditional rewrites, vectorsvs matrices, etc), nding an eective way of representing and traversing the mi-crocode table, experimenting with method orderings.
Chapter 5. A Methodology 106MemoisationThe evaluation of a recursive function f(x) at a point x = un requires the cal-culation of all the previous values of f at x = u0; : : : ; un 1. If later we need toevaluate f(x) again at another point x = vm, where m > n, normally we wouldcalculate all the previous values of f at x = v0; : : : ; vm 1. But the values off at x = u0; : : : ; un 1 and at x = v0; : : : ; vn 1 are the same, so strictly speak-ing, we do not need to re-compute them, we just need to calculate the valuesof f at x = vn; : : : ; vm. Memoisation allows us to store values which have beenalready computed and re-use them when needed again. This simple procedureyields enormous savings in calculation time. Camilleri implemented a memoisa-tion algorithm for the symbolic execution of the Gordon computer in HOL. As anexample of the computational savings that memoisation provides, he calculatedthat in order to compute the value of bus(t + 10) the equation that denes busis executed over 60:5 million times [Camilleri 88]. We had a similar experience.The evaluation of the recursive functions for the memory, the program counter,the accumulator, the memory address register, the instruction register, the buer,and the microcode program counter for values of time between t and t+10 sharesthe same problem. The memoisation we implemented for proof planning storescomputed values of a function identied as 'memoisable' in the hypothesis list,and each time a new value of the function is needed, we rst check whether thevalue already exist in the hypothesis list. If it is there, we use it, otherwise, it iscomputed and stored for future use.Dierence matchThe formalisation of the Gordon computer was rst made using a deterministicnite-state machine to represent state transitions both at the instruction andregister-transfer levels. The conjecture stated that if the implementation andthe specication are equal at time t in the instruction-level time-scale, then theymust be also equal at time s(t), in the same scale, provided t and s(t) are mappedto microinstruction-level time-scale within the implementation. This situation is
Chapter 5. A Methodology 107represented by:spec(t; : : :) = imp(mt(t); : : :)! spec(s(t); : : :) = imp(mt(s(t)); : : :)To prove this conjecture we assume the antecedent of the implication and tryto prove the consequent. To prove the consequent we used dierence match-ing [Basin & Walsh 93], a techniques that annotates the dierences between twoexpressions and then tries to reduce the dierences. In our case we dierencematched the consequent and the antecedent and wrote a method (diff match)which annotates the consequent based on these dierences. Then we used ripplingto eliminate the dierences and fertilisation to use the antecedent as a rewrite ruleto simplify the consequent. We obtained a proof plan for the Gordon computerfollowing this procedure. The proof plan is displayed in appendix E. But then werealised that this procedure was just the step case of an induction on time and thatit was more general to see it in this way. In any case, learning about dierencematching was a useful experience.NormalisationThe normalisemethod was extended to normalise a formula which consists of anequality of product terms. If we have the goal:U1 : : :&Un = V1 : : :&Vnwe want to split it into a set of n subgoals:U1 = V1; : : :Un = Vnand prove each of these subgoals individually. This situation arises in the proofplanning of the Gordon computer after doing memoisation where we get a goalwhich is an equality between two terms, each of which is a product of four types(the instruction-level state).5.3.3 Systems tasksThe systems tasks consisted of: nding an eective way to parse conditional terms(e.g. predicate expression at), solving ineciencies of Clam in parsing large terms.
Chapter 5. A Methodology 108For instance, the microcode table was implemented by a set of 32 lists, whereeach list has 30 elements. Access to the elements of the microcode table wasimplemented by a recursive function which traverses the list to locate an element.But the execution of this function was very inecient and time consuming, so wechanged the representation of the table and used vectors to represent the columnsof the table, and were able to access faster the elements by indexing instead ofby list traversal. Thus, we did not solve a systems problem, but did a changeof representation to avoid a ineciency of the tool, which still exists. Therefore,this task can be classied as a formalisation task, but we include it here becauseit addressed a systems issue. The same kind of ineciency arose earlier whenwe tried to represent words by functions, so we preferred lists to represent wordsrather than functions.5.4 Extendability and ScalabilityWe have shown by experimentation that proof planning posses the features ofextendibility and scalability, which are important characteristics which contributeto the generalisation of the methodology we have proposed. We do a brief analysisof extendability and scalability.5.4.1 ExtendabilityExtendability means that the same set of methods that were used to verify acircuit of a certain type will work in the verication of a circuit of the same type.For instance, the same methods used in the verication of the adder, worked inverifying the ALU and the incrementer. Although the ALU is more complex thatthe adder and the incrementer is simpler than the adder, in the three cases, theimplementation is obtained by replicating a basic component: n half adders makean incrementer, n full adders make an adder, and n 1-bit ALU make an n-bitALU . This pattern should also apply to other circuits implemented by cascadinga basic component.












Gordon computer modified Gordon comp.
(upper region)
Figure 5{8: Extendability and scalability of proof planningresents scalability. In the lower region and along the extendability axis, we ndcircuits such as the incrementer, the adder and the ALU . Following the scalabil-ity axis and in the middle region, we nd parallel-array circuits, such as families ofmultipliers and dividers. Further up the scalability axis and in the upper region,we nd microprocessor systems of various types along the extendability axis.As an extendability test, we have done a slight modication to the instructionset of the Gordon computer to see how proof planning methods behave. Thetest consisted in deleting one (any) of the eight programming instructions and
Chapter 5. A Methodology 110replacing the gap by a no-operation (NOP) instruction 1. The instruction deletedwas the add operation. This involved a modication of the next-address-A eldof address 13 in the microcode table (implementation) to change the sequenceof the add micro-operations so that the new computer state associated with theno-operation, consists only of an increment in the program counter pc, and amodication of the specication branch to reect a no-operation computer statein place of the state produced by the add instruction. We were happy to see thatthese changes did not require any modication of the methods or the planner. Theplanner was able to automatically generate a slightly modied tactic to prove thenew conjecture.Thus, these experiments and tests show the robustness of proof planning, andprovide support to our belief that the features of scalability and extendabilityposed by proof planning can be the basis for the adoption of our proof engineering-based methodology on a wider basis.5.5 SummaryIn this chapter we have presented a methodology based on the concept of proofengineering, using proof planning, to verify combinational and sequential circuits,and have illustrated its use in verifying circuits of increasing complexity. Formalproof was divided into three conceptually dierent kind of activities: user, proof,and systems tasks. We have seen how the features of extendability and scalability ofproof planning allow us to transport the same methods to verify circuits of similarclasses and higher complexities. Also, we have seen how slight modications in theimplementation and specication of the proof of a circuit, are transparent to proofplanning, and do not require user intervention to obtain a modied proof, whichillustrates the robustness of proof planning. In general, little user interaction was1This experiment was suggested by Mike Fourman
Chapter 5. A Methodology 111required to get the proofs through. These features of proof planning make themethodology look promising for systematic hardware verication.
Chapter 6Extensions to Proof PlanningIn this chapter we explain the extensions to proof planning which were requiredfor verifying hardware. Most of these extensions are not particular to hardwareand will apply to other domains as well. In general, the extensions were fairlyminor, as the existing implementation of proof planning contained most of theelements necessary for the verication task. The most important extension wasthe tuning of the existing methods, which, in most cases, consisted of addition ormodication of the method's preconditions, or the addition of new clauses; in afew cases, new methods were written. The declarative nature of the meta-logic inwhich the method language is based makes it easy to write or modify methods.Sometimes a method may require a new predicate to be added to the methodlanguage, but usually, these predicates are easy to implement. Along with eachmethod added or modied, the corresponding tactic specied by the method mustbe supplied.We group the extensions according to the kind of tasks introduced in chapter5: user, proof and systems level tasks. The user level extensions refer to the useof proof planning to verify new kinds of circuits and are summarised in chapter 7.Proof level extensions are described in section 6.1, which explains the extensions tomethods, tactics, inductive schemes, and equations; and systems level extensionsare explained in section 6.2, which describes new predicates of the method languageand the evolution of the Clam system. Section 6.3 summarises the chapter.112
Chapter 6. Extensions to Proof Planning 1136.1 Proof levelThe knowledge required at this level is the one held by a typical user of tactic-basedtheorem provers likeHOL, LAMBDA, NUPRL and PVS, and consists of the abilityto write tactics, and specications of their behaviour using methods, except werequire only knowledge of general purpose methods and tactics. The vericationof the circuits described in chapter 5, was obtained using slight variations of theset of methods for inductive theorem proving presented in chapter 3. The new setof methods is displayed in gure 6{1: we call it verify. Verify has exactly the same
  






cancels out common term on both sides of an equation
does Boolean case analysis
generalises a common term on both sides of a formula
c. eval_def applies rewriting and memoisation





selects induction scheme and induction variables
applies symbolic evaluation to the base case
applies ripple and fertilise to the step case
applies rippling heuristic
- weak fertil.
 ii. fertilize 
- unblock
- strong fertil.
applies induction hypothesis as rewrite rule
simplifies induction conclusion with induction hypothesis
applies induction hypothesis directly
unblocks rippling
applies wave rules
- casesplit does a case split
 i. ripple 







Figure 6{1: Verify: set of methods for hardware vericationabstract procedural interpretation as the set of methods given in chapter 3: try to solve the conjecture by symbolic evaluation. If successful, nish, ifthere are remaining subgoals, try the set of methods again;
Chapter 6. Extensions to Proof Planning 114 try to solve the conjecture by induction, generalising or normalising anyterms, if necessary. Solve the base case by applying symbolic evaluation andsolve the step case by applying rippling and fertilisation. In either case, ifthere are remaining subgoals, try the set of methods again.In theory, the ordering of the methods should not matter, because in backtrack-ing, the planner can nd a sequence of method applications that would prove aconjecture. However, in practice this depends on the type of planner used. Thedepth-rst planner is very ecient, but in some cases it may fail to nd a planwhen there is one, if it follows an innite branch which does not contain a plan.A remedy to this situation, which again is just for practical considerations, is tore-order the methods. This will produce a dierent search sequence in looking for aplan, and may nd a plan without backtracking or avoid the possibility of followingan innite branch. A more informed search may be more useful (e.g. a best-rstplanner). A best-rst planner will do an analysis of the current conjecture andutilise domain knowledge encoded as heuristics of the planner, to determine whichof the methods which are applicable at a certain point in the proof, should be triednext. In our case, we have used the depth-rst planner and generated dierentorderings of verify when required. For instance, the order ind strat, generalise,normalise, sym eval (verify1) was used in the verication of the adder, and theorder sym eval, ind strat, generalise, normalise, (verify2) was used in theverication of the ALU. However, the original order (verify) can also nd theseplans in backtracking. In general, a good order for a given conjecture was foundby experimentation.For instance, suppose that we have the method set verify and a goal : : : f(Imp) =Spec. Suppose also that methods sym eval and ind strat are both applicable,with sym eval unfolding the denition of Spec (assume it is given by a largeterm) and then applying a Boolean case analysis. In this situation, we wouldlike ind strat to be applied before sym eval, because otherwise, the inductionwould become very complicated. As we have seen, a remedy to this situation isexperiment with other ordering of verify. This sort of dynamic ordering could becalculated by a heuristic planner as we have pointed out. However, we have not
Chapter 6. Extensions to Proof Planning 115investigated this alternative any further, and have used the un-informed depth-rst search with o-line changes in the orderings when required instead, but inprinciple, it could be implemented to make the planning more automatic. Now,we give a brief description of the extensions to methods and tactics.6.1.1 Methods and tacticsThere are two new methods and tactics: term cancel and bool cases, whichplay an important role in planning hardware verication conjectures but they arenot specic for the hardware domain and can be applied to other domains as well.Term cancellationThis sub-method was added to strengthen Clam's arithmetic reasoning capabilities[Boyer & Moore 81]. It reads an input sequent H ` G, the preconditions of themethod check that G is an equation of the formterm1 + term2 + : : :+ termn = term01 + term02 + : : :+ term0mand the method repeatedly cancels out equal pairs on both sides of the equation.The output is the equation that results after cancelling out equal terms. Themethod is displayed in gure 6{2.The output of the method is a simplied expression which is given as inputto the tactic with the same name. This tactic was a bit dicult to implementbecause reasoning about the associativity and commutativity of addition yieldspermutations of an expression which evaluate to the same value and the inferencerules that justify the simplication steps should consider all of these permutations,which yield a large number of cases to consider. We want a tactic that keeps thesystem fully expansive, in the sense that all the proof steps are justied at theinference rule level. In a tactic-based fully expansive system, the execution ofa tactic results in the execution of the inference rules that support that tactic[Boulton 94].
Chapter 6. Extensions to Proof Planning 116
                   H==>G,
                   [matrix(V,LS = RS in pnat,G),
                     \+ (LS=0 v RS=0),
                     only_sum(LS,LstPlusL),
                     only_sum(RS,LstPlusR),
                     cancel_eq(LstPlusL,LstPlusR,OtherL,OtherR),
                     length(LstPlusL,X),
                     length(OtherL,Y),
                     X>Y],
                   [put_plus(OtherL,Left),
                     putPlus(OtherR,Right),
                     matrix(V,Left=Right in pnat,NG)],
                   [H==>NG],
                   term_cancel(NG)).
submethod(term_cancel(NG),
Figure 6{2: Method for term cancellationThe tactic is implemented by dening a type for multi-set of natural numbers(also called a bag), dening the addition operation on bags, and relating type the-ory arithmetic terms to appropriate multi-sets. We relate type theory arithmeticterms and multi-sets by dening another tactic that maps addition of naturalnumbers into addition of members of a bag. Given an arithmetic expression webuild a bag such that the sum of its elements equals the value of the arithmeticexpression. To do this, we dene the union operation on bags and prove the baglemma: 8x; y; z : bag; bag sum(x) = bag sum(y)!bag sum(bag union(x; z)) = bag sum(bag union(x; z))We then dene one more tactic that applies the bag lemma to the sequent whosehypothesis is the nal expression after cancellation and whose goal is the expressionbefore cancellation.Boolean case analysisThis sub-method reads as input a sequent H ` G, and its preconditions check fora Boolean variable or a term of type Boolean on eitherH or G. If there is one, the
Chapter 6. Extensions to Proof Planning 117method outputs two subgoals, replacing the Boolean variable or term by the valuestrue and false respectively. One of the clauses of this sub-method is displayed ingure 6{3. The tactic was implemented as a special case of the case split tactic.
submethod(bool_cases(Term),
                    H==>G,
                    [matrix(Vars,Matrix,G),
                      exp_at(Matrix,Pos,Term),
                      append(Vars,H,NewH),
                      find_type(NewH,Term,{bool})],
                    [replace_all(Term,{false},Matrix,MG1),
                      replace_all(Term,{true},Matrix,MG2),
                      matrix(Vars,MG1,G1),
                      matrix(Vars,MG2,G2),
                      hfree([Id],H)],
                    [Id:Term={false} in {bool}|H]==>G1,
                      Id:Term={true} in {bool}|H]==>G2],
                    bool_cases(Term)).Figure 6{3: Method for Boolean case analysisModicationsThe following methods and tactics were extended as follows:sym eval: this method (and sub-method) was modied to admit two new sub-methods: term cancel and bool cases. It was also extended to handlebranching outputs, as generated by the bool cases method.equal: this sub-method was extended to apply equations from the hypotheseslist of the form term1 = term2. Before, term1 had to be just a variable.eval def: this sub-method was extended with a memoisation algorithm to com-pute values of recursive functions. This sub-method was very useful in theverication of the Gordon computer for the calculation of values for the re-cursive functions of the memory, the program counter, the accumulator, thememory address register, the buer, and the microcode program counter,during the execution of a computer instruction. Memoisation save a lot ofcomputer time. Figure 6{4 shows this method.
Chapter 6. Extensions to Proof Planning 118
submethod(eval_def(Pos,[Rule,Dir]),
                    H==>G,
                   [matrix(Vars,Matrix,G),,
                     wave_fronts(_,[],Matrix),
                     new_exp_at(Matrix,Pos,Exp),
                     not metavar(Exp),
                     %expression is memoisable
                          Exp=memory(s(X2),_,_,_) v
                          Exp=pc(s(X3),_,_,_) v
                          Exp(acc(s(X4),_,_,_) v
                          Exp(buffer(s(X5),_,_,_) v
                          Exp(arg(s(X7),_,_,_) v
                          Exp(mar(s(X6),_,_,_) v
                          Exp(ir(s(X8),_,_,_)),
                     ((member(A:Exp=NewExp in word(5),H),
                        NewH=H) v
                    func_defeqn(Exp,Dir,Rule:C=>Exp:=>NewExp2),
                    polarity_compatible(Matrix,Pos,Dir),
                    elementary(NewH==>C,_)],
                     matrix(Vars,NewMatrix,NewG)],
                     ((Exp=mpc(s(X1),_,_,_) v
                     % value of function has been calculated already
                  % value hasn’t  been calculated, do it and add it to hypothesis list
                      func_defeqn(Exp,Dir,Rule:C=>Exp:=>NewExp2),
                      matrix(Vars,NewExp2,Goalmemo),
                      applicable_submethod(H==>Goalmemo,sym_eval(_),_,[Hmemo==>NewExp]),!,
                      hfree([HVar],Hmemo),
                      NewH=[HVar:Exp=NewExp in word(5)|Hmemo])),
                  [replace(Pos,NewExp,Matrix,NewMatrix),
                   [NewH==>NewG],
                   eval_def(Pos,[Rule,Dir]))Figure 6{4: Method for memoisationgeneralise: this method (sub-method) was extended to accept variables andterms of type Boolean. A precondition was added to recognise terms of typeBoolean on a formula and apply the generalisation criteria to them.normalise: this method (sub-method) was extended to normalise terms of typeproduct into its individual components. It was used in the verication ofthe Gordon computer to split the components of the specication and im-plementation states which are represented by a product type.weak fertilise: this method was extended with a clause to handle wave-frontsthat contain several sinks, each of which stores an inwards wave-front. Thissituation had not appeared previously in inductive theorem proving, but ithas been found in most of the hardware verication proofs.
Chapter 6. Extensions to Proof Planning 1196.1.2 Induction SchemesClam provides a data base of induction schemes for inductive theorem proving.Some of themwere used or adapted to meet the requirements in verifying hardware.induction on natural numbers: the 1-step induction on natural numbers wasused in the verication of various circuits in which the representation is doneby using an explicit parameter of the length of a word as well as in circuitsin circuits with a time parameter. In the rst case we have circuits like theadder, the ALU, and the shifter. In the second case we have circuits like thecounter and the Gordon computer. We did not modify this scheme, we justused it. 8 : natural! u(2) ((0); 8x : natural (x)! (s(x))8y : natural (y) )induction on word: the 1-step induction on words was adapted as a special caseof 1-step induction on lists with elements of type Boolean. This inductionscheme was used in the verication of the incrementer, the multiplier, andin other combinational circuits.8 : word! u(2) ((nil); 8a : bool 8x : word (x)! (a :: x)8y : word (y) )induction on word increment: this is a 1-step induction on words where theinduction constructor is the increment operation on words. It was used inthe verication of arithmetic operations on words.8 : word ! u(2) ((nil); 8x : word (x)! (inc(x))8y : word (y) )induction on two words: this is a specialised induction scheme on two wordsthat have the same length. It was used in the verication of the big andlittle endian versions of the adder and the ALU.8 : word ! word ! u(2)(nil; nil);
Chapter 6. Extensions to Proof Planning 1208a : bool 8b : bool 8x : word 8y : wordlength(x) = length(y)! (x; y)! (a :: x; b :: y)8u : word 8v : word length(u) = length(v)! (u; v)Each of these schemes is justied by an Oyster theorem.6.1.3 EquationsClam derives rewrite rules from equations, including wave-rules. These equationsmust be justied as theorems in Oyster from the object-level denitions. Forinstance, the inductive denition of word2nat is:word2nat(x) = list ind(x; 0; [h; t; r; plus(bitval(h); times(s(s(0)); r))])where list ind is the inductive term constructor, x is the induction variable, hrepresents the head of the list, t represents the tail of the list, r is the recursivevalue, and the last argument is a formula that calculates next recursive term. Fromhere we obtain the recursive function 4.2 which consists of a base and a recursiveequation. These are given as the following conjectures:` word2nat(nil) = 0 in pnat` 8a : bool; x : word;word2nat(a :: x) = plus(times(s(s(0)); word2nat(x)); bitval(a)) in pnatEach of these conjectures are proved by simpleOyster tactics. Other equations arejustied in a similar way. Proving this sort of conjectures can be easily automatedby writing a generic tactic that would prove them.6.2 Systems levelExtensions at this level include the writing of new predicates for the methodlanguage, debugging, and the addition of new functionality to the Clam system.
Chapter 6. Extensions to Proof Planning 1216.2.1 PredicatesThe meta-logic was extended with a few predicates for the new methods. Amongthese are the following:find type which determines the type of terms like natural numbers, integers,and Booleans and exp at which nds a sub-expression within an expression ina more ecient way, specially when searching the arguments of a conditionalexpression such as if a=b then x then y, since it is more appropriate to rst evaluatethe arguments a and b, and depending on whether the condition is true of false,evaluate x or y, rather than evaluate y, x, b and a. This is important when xand y contain other nested if expressions, which happens frequently when thedata-path components of a microprocessor are formalised by recursive functions.The term cancellation method uses other auxiliary predicates.6.2.2 Debugging and versions of ClamAs a research vehicle, Clam is constantly evolving, to reect new developmentsand debugging of the code, for which the MRG research and technical sta areresponsible. We started our experiments using version 1:5, and in the followingfour years new versions were released, to reach the current version 2:5. We re-ported both ineciencies in the current code and the impossibility of obtainingcertain plans. The most signicant change was the replacement of the wave-ruleparser. A wave-rule parser generates automatically wave rules from recursive for-mulae (e.g recursive equations) identifying and annotating well-annotated terms[vanHarmelen & group 96]. The parser was changed from a static style, in whichall the rewrite rules are generated when a theorem is loaded, to a dynamic style, asdescribed in [Basin & Walsh 96a], in which rewrite rules are created dynamically,when needed. With this new parser, in was possible to do verications that couldnot be obtained with the static one, such as the shifter and the Gordon computerproofs as explained in section 7.1, besides making execution faster. Other improve-ments that were helpful were the method for handling case splits and the updating
Chapter 6. Extensions to Proof Planning 122of the preconditions of the sub-methods: step case, ripple, and induction. Ina production version of Clam this sort of developments would rarely be needed.6.3 SummaryWe have presented extensions to proof planning for hardware verication. Wedescribed proof and systems level extensions. The required extensions were fairlyminor and worked in verifying a variety of circuits. We expect proof level exten-sions to be done un-frequently, and systems level extensions to be done rarely. Theexperience with proof and systems tasks provides evidence to our belief that proofplanning can be used for hardware verication in such a way that most of the timewill be spent by the users of the planner formalising particular conjectures andusing the automation facilities of the planner and the prover to obtain proofs ofthe conjectures.
Chapter 7ResultsThe verication methodology described in chapter 5 was applied to verify othercircuits, which allowed us to obtain timing statistics like: planning time, executiontime, user tasks time, proof tasks time, systems tasks time, and number of lemmas.In this chapter we present a recapitulation of all the experiments done in thisresearch: section 7.1 summarises the experiments and statistics of the experiments,which show evidence that a proof planning based methodology can be of use inverifying hardware; section 7.2 analyses the statistics of the experiments; andsection 7.3 summarises the chapter.7.1 ExperimentsAn experiment consists of: taking a circuit design, applying the proof planningmethodology to verify it, and obtaining the statistics. Table 7{1 summarises theexperiments and displays the numbers. Some circuits are from the IFIP WG10.2Hardware Verication Benchmark Circuit Set (n-bit adder, parallel multiplier,Gordon computer), some are from other sources [Mano 79]. The rst columnlists the circuits, which can be either combinational or sequential. Combinationalcircuits can be non-recursive or recursive. \Explicit parameter" means that thecircuit is parameterised and the parameter is made explicit rather than beingcalculated (e.g. the length of a word). \increment" means that an induction123
Chapter 7. Results 124computer time human time lemmasCircuit planning proof user proof systems(min:sec) (hours)COMBINATIONALnon-recursivehalf adder 0:02 0:51 1 0 0 1full adder 0:04 1:45 2 16 0 11-bit ALU 0:18 10:13 4 0 0 14-1 multiplexer 0:10 4:23 3 0 0 1n-bit incrementerbig endian 0:09 0:41 2 0 0 2n-bit adderexplicit parameter 0:53 3:31 8 88 20 2big endian 0:47 1:41 4 16 0 2adder (increment) 0:02 0:05 4 8 0 3subtracter (increment) 0:07 0:06 2 0 0 3n-bit ALUexplicit parameter 4:01 234:19 32 0 48 2big endian 11:04 274:00 8 0 0 2n-bit shifterbig endian :54 8:57 24 0 16 2n-bit processing unitbig endian 0:001 0:01 2 0 2 2parallel arraynm-bit multiplier 0:36 2:12 12 36 0 6multiplier (increment) 0:04 0:08 4 0 0 3exponentiator (increment) 0:10 0:27 4 0 0 3factorial (increment) 0:13 0:26 4 4 0 3divider-quotient (plus) 0:03 0:18 4 12 0 5divider-remainder (plus) 0:04 0:16 4 0 0 5SEQUENTIALcounter 0:05 0:17 4 4 0 3Gordon computer 27:50 274:15 120 160 280 4modied Gordon computer 23:35 232:26 1 0 0 4Table 7{1: Circuits veried using proof planning
Chapter 7. Results 125scheme with constructor increment on words was used in the proof. Similarly,\plus" means that an induction scheme with constructor addition on words wasused in the proof.We distinguish two kinds of timings: computer and human. Computer timingsrefer to the time necessary to obtain a proof plan and the time required to executethe plan in the computer. Human timings include times at three levels: user, proofand systems tasks. The second column lists computer timings, broken down twoways: proof planning time which is the time Clam takes to nd a plan, and prooftime, which is the time Oyster takes to execute a proof plan1. The third columnlists human timings at three levels: rst, the user tasks timing, which is the time spent understanding the prob-lem, nding the right representation for the specication and the imple-mentation, writing the conjecture, and debugging them, until a proof wasobtained, assuming that the required proof and systems level extensions werein place; second, the proof tasks timing, which is the time spent tuning methods andtactics, and nding missing lemmas; and third, systems tasks timing, which is the time spent in tuning Clam:debugging and improving the planner, debugging and extending the methodlanguage, debugging and improving the wave-rule parser, extending the lib-rary mechanism, developing an interface to a theorem prover, and the like.Finally, the last column indicates the number of lemmas used in the proof beyondthe denitional equations.1Experiments were done in a SUN Ultra 1 with a 167 Mhz UltraSPARC CPU and128Mb of RAM running Solaris 5.5.1
Chapter 7. Results 1267.2 AnalysisIn this section we present an analysis of the statistics: the human timings, thecomputer timings, and the number of lemmas used by the proofs.7.2.1 Analysis of human timingsTo calculate the human timings we recorded the starting and ending dates for eachcircuit verication, obtained the number of weeks, and multiplied the number ofweeks times 40, assuming 40 hours per week.Some of the user, proof and systems level times may appear excessive, andone may ask how often do extensions of this kind have to be made. To givean accurate picture, we are accounting for everything, including many one-timecosts. The time to obtain a proof tended to be high for the rst circuit of acertain kind, but dramatically decreased for subsequent circuits. For instance, then-bit adder which was the rst circuit that we veried, took about 116 man-hours,of which 8 hours correspond to user tasks, 88 hours correspond to proof leveltasks and 20 correspond to systems level tasks. However, the rest of the circuitsin the table utilised these extensions and their proofs were obtained in shortertimes because these extensions were already there. For example, the big-endianversion of the adder, which took just 4 hours, used all of the previous extensions.The 16 hours reported under proof level tasks were spent dening a new inductionscheme which was also used by other big endian proofs. When we tried the explicitparameter version of the n-bit ALU, it turned out that no proof level extensionswere required because all of them were already there. The 32 hours reportedunder user tasks were mainly spent debugging the specication and the 48 hoursreported under systems level tasks were spent debugging the Clam code. The bigendian version of the ALU took advantage of these system level extensions, thus,the user level tasks took just 8 hours and no proof nor system level extensionswere necessary. The shifter required 24 hours of user tasks which were spent
Chapter 7. Results 127mainly in debugging the specication. No proof level extensions were required,but the proof planning of this circuit revealed the need for the new wave-ruleparser which had already been designed but not implemented. Thus, we solicitedthe implementation of the parser which was done by the Clam development teamin about 160 hours. The verication of the processing unit required 2 hours of usertasks to formalise the problem. No proof level tasks were needed, and one systemlevel task which took 2 hours was necessary: a modication of the reduction rulescode in order to apply the ALU and shifter verication theorems as lemmas. Themultiplier did not require any extensions; most of the time was spent in ndingthe lemmas required by the proof. For the remaining arithmetic circuits, theextensions required included deriving new induction schemes such as inductionwith increment of a word and addition of two words, which made the proofs veryeasy to nd.The Gordon computer required a larger eort to scale up proof planning capab-ilities at both proof and systems level. The very scale of the specication requiredthat we make a number of extensions such as memoisation (proof level), so thatthe system would more gracefully handle large terms, and the denition of newpredicates to handle terms eciently (systems level). Also signicant is that thetheorem involves two dierent time-scales with automatic calculation of the num-ber of cycles for each instruction. Again, all these extensions will be used in theverication of similar circuits, so the 440 hours of proof and systems level time(11 man-weeks) is a one-time eort and the verication eort should signicantlydecrease for new circuits of the same kind. We conjecture that the 120 hours offormalisation time (3 man-weeks) may also be reduced in verifying other micro-processors of the same kind (e.g. the FM8501 microprocessor).7.2.2 Analysis of experimentsWe now present a brief description of the experiments and a more detailed analysisof the computer and human timing statistics.
Chapter 7. Results 128Non-recursive circuitsThe non-recursive circuits are basic hardware elements to build replicated hard-ware devices like adders, ALUs and shifters. The half adder is used by the incre-menter and is the simplest of all the circuits. The verication of the full adderwas explained in chapter 4. This was the very rst circuit veried. The computertimings are as follows: the planning time is 4 seconds and the plan execution timeis 1:45 minutes. The human timings are 2, 16 and 0 hours for the user, proof leveland systems level tasks respectively. Proof level tasks involved the developmentof two clauses of the method for Boolean case analysis.The verication of the 1-bit ALU was done by case analysis on six Booleanvariables: three are selection variables, and the other three are input variables.The 4-1 multiplexer receives four input lines and selects one of them as output,depending on the values of two Boolean selection variables. The verication isdone by Boolean case analysis on the 6 variables. No additional proof/systemlevel tasks were required.IncrementerClam plans the n-bit incrementer conjecture in 9 seconds using the depth-rstplanner and Oyster executes the plan in 41 seconds. The formalisation time was2 hours and no additional proof/systems level tasks were required because all therequired extensions were already there. This circuit was veried after the n-bitadder and was the simplest of the circuits which are built by replicating a basiccomponent.AdderThe n-bit adder was veried in ve dierent versions. The very rst inductiveverication that we attempted was the explicit parameter version of the adder.Clam plans this version in 53 seconds using the depth-rst planner and Oysterexecutes the plan in about 3:31 minutes. Its formalisation time was about 8 hours.
Chapter 7. Results 129The time for the proof level task was about 88 hours split as follows: adding aclause for the bool casesmethod (16 hours), writing the term cancelmethod fordoing arithmetic reasoning (40 hours), adding a new clause for the weak fertilizemethod (20 hours); modifying the generalise method to handle boolean terms(4 hours); and experimenting with method orderings (8 hours). The time forthe systems level tasks was 20 hours split as follows: writing a new predicate fornding terms of type Boolean (12 hours), correcting small bugs in the code, andavoiding ineciencies (e.g. the predicate for well-annotated terms) (8 hours). Theversion described in chapter 5 used a big endian notation.The other four versions of the adder used the proof and system extensions donefor the rst version and the statistics are displayed in the table. The big endianversion needed an induction scheme for doing induction on two words of the samelength. The 16 hours reported under proof level tasks correspond to the formalisa-tion of the induction rule and the corresponding tactic. The increment inductionscheme versions of the adder and the subtracter use an induction scheme where theinduction term is the increment operation on words. The 8 hours reported underproof level tasks correspond to the formalisation of increment induction schemeand the tactic. We noticed that there is a direct correspondence between arith-metic operations on the natural numbers and their counterparts on the type word.The equivalent term to the constructor s(: : :) in the natural numbers is i(: : :) whichis dened on words by i(x) = inc(x; true). Then we obtain the equivalence:word2nat(i(x)) = s(word2nat(x))which is used as a lemma in establishing the correspondence between arithmeticoperations on words (circuits implementations) and the equivalent operation on thenatural numbers (circuit specications) such as addition and subtraction (and alsomultiplication, division, factorial and exponentiation). The increment inductionscheme used by the adder circuit was also used in the verication of the subtracter,multiplication, exponentiation and factorial circuits. For instance, the conjecturefor the adder is:word2nat(plus word(x; y)) = word2nat(x) + word2nat(y) (7.1)
Chapter 7. Results 130where plus word is dened by:plus word(nil; y) = yplus word(i(x); y) = i(plus word(x; y))ALUThe n-bit ALU was veried in two dierent versions. After verifying the adder,we attempted the explicit parameter version of the ALU. Clam plans the proofin 4:01 minutes using the depth-rst planner and Oyster executes the plan in234:19 minutes. The user tasks time was about 32 hours split as follows: theimplementation was straight forward, it has the same form as the incrementer andthe adder (4 hours); the specication gave more trouble and most of the time wasspent debugging each of its 12 components (28 hours). There were no proof levelextensions; the ones made for the adder worked for the ALU. The systems leveltime was spent in debugging the code and nding a way around the inecienciesof Clam in parsing large terms. The time for this activity was about 48 hours.The proof planning time of the big-endian representation was 11:04 minutes andthe proof time time was 274:00 minutes. This version used all of the extensionsmade for the explicit parameter version of the ALU as well as the extensions madefor the big endian version of the n-bit adder, such as the induction scheme andthe induction tactic.ShifterThe next verication attempted after the ALU was the n-bit shifter unit. Thebasic shifter unit performs four operations: no-shift, shift-right with serial inputir, shift-left with serial input il, and output zeroes. The operation is determinedby two selection variables h1 and h2. Clam plans the proof in 54 seconds usingthe depth-rst planner and Oyster executes the plan in 8:57 minutes. The timeof the user tasks was about 24 hours split as follows: the implementation wasstraightforward as it has the same form as the incrementer, the adder and theALU (4 hours); the specication was more problematic and most of the time
Chapter 7. Results 131was also spent debugging each of its four components (20 hours). There wereno proof level extensions; the ones made for the ALU worked for the shifter. Thesystems level time was signicant as it involved developing a new wave-rule parser.The old parser could not deal with a situation in which a variable argument ofa recursive function changed to a term not containing that variable in the sameargument position in the recursive call. The new wave-rule parser can deal withthese cases. This situation was a general requirement that had been anticipatedby Alan Bundy but was not implemented when we started this proof. The newparser was developed by the Clam development team and we had to wait aboutthree months until it became implemented. The estimated development time forthe new parser is about 16 hours.Processing unitA processing unit is obtained by composing an ALU and a shifter. The shifteroperates on the output of the ALU and the two combined implement 16 operation.The proof planning and execution of this circuit was done very easily by providingthe ALU and shifter verication theorems as lemmas. Clam plans the proof in 0:1seconds using the depth-rst planner and Oyster executes the plan in 1 second.The formalisation was straightforward and took about 2 hours. There were noproof level tasks for this proof. Regarding systems level tasks, there was a slightmodication of the reduction rules code to apply lemmas which correspond totheorems given by non-wave equations (2 hours).MultiplierThe next circuit was the nm-bit parallel array multiplier. This verication wassuggested by Toby Walsh2 who was using this description of a multiplier imple-mentation to encode a factorisation algorithm into SAT . The verication of the2Personal communication
Chapter 7. Results 132multiplier was explained in chapter 5. Clam plans the proof in 36 seconds usingthe depth-rst planner and Oyster executes the plan in 2:12 minutes. The formal-isation was straightforward and took about 12 hours. The proof level extensionsmainly consisted of looking for the required lemmas and took about 36 hours.There were no systems level tasks for this proof.The conjecture for the increment induction scheme version of the multiplier is:word2nat(times word(x; y)) = word2nat(x)  word2nat(y)where times word denes multiplication of words in terms of plus word. Clamplans the proof in 4 seconds using the depth-rst planner and Oyster executes theplan in 5 seconds. There were no proof level nor systems level tasks for this proof.ExponentiationHaving veried the multiplier we used it in the verication of more complex circuitslike the exponentiation and factorial circuits. The verication conjecture for theexponentiation circuit is given by:word2nat(exp word(x)) = exp(word2nat(x))where exp word is dened in terms of times word. Clam plans the proof in 10seconds using the depth-rst planner and Oyster executes the plan in 22 seconds.The formalisation was straightforward and took about 4 hours. There were noproof level nor systems level tasks for this proof.FactorialThe verication conjecture for the factorial circuit is given by:word2nat(fact word(x)) = fact(word2nat(x))where fact word is dened in terms of times word. Clam plans the proof in 13seconds using the depth-rst planner and Oyster executes the plan in 21 seconds.The formalisation was straightforward and took about 4 hours. The proof leveltasks took about 4 hours and consisted mainly of giving the required lemmas.There were no systems level tasks for this proof.
Chapter 7. Results 133DividerThe conjectures for the division operation are these:word2nat(div word(x; y)) = word2nat(x)=word2nat(y)word2nat(rem word(x; y)) = word2nat(x) rem word2nat(y)where div word and rem word are dened using the constructor plus word. Clamplans the proofs in 3 and 4 seconds using the depth-rst planner and Oysterexecutes the plan in 15 and 17 seconds respectively. The formalisations werestraightforward and took about 4 hours. The proof level tasks took about 12 hoursand consisted mainly of giving the required lemmas and nding a new inductionscheme where the inductive term is plus word and writing the tactic. There wereno systems level tasks for this proof.Binary counterThe rst sequential circuit verication attempted was a binary counter [Gordon 86].We translated the representation from a relational to a functional representation.We used second order functions to represent the specication and the implement-ation at the object level and did the proof planning using rst-order rewrites.The proof planning time for the counter is 0:05 seconds. The proof time is 0:13seconds. Signals were dened function types from the natural numbers to words.The Gordon computerThe next circuit we attempted was the classical Gordon computer microprocessorsystem. As we have already pointed out, translating from a relational into a func-tional representation was time consuming and it would have been easier to derivethe functional representation from scratch. We also had to refresh our computerarchitecture concepts from undergraduate days and understand the internal work-ings of the Gordon computer. After 14 weeks of calendar time (around 560 hours)Clam was able to produce a proof plan which was then executed by Oyster. The
Chapter 7. Results 134planning takes 35:38 minutes using the depth-rst planner and Oyster executes theplan in 274:15 minutes. The formalisation time was about 120 hours and involvedtasks like: re-learning computer architecture and understanding the Gordon com-puter (40 hrs), translating from the relational specication given in [Joyce et al 86]into a functional representation (20 hrs), experimenting with various representa-tions (e.g. time abstraction, state-transition graphs, conditional rewrites, vectorsvs matrices, stability of signals, etc.) (20 hrs), nding an eective way of repres-enting and traversing the microcode table (20 hrs), and debugging the denitions(20 hrs). The proof level extensions took around 160 hours and consisted of: writ-ing a new sub-method for implementing a memoisation algorithm for computingrecursive functions (50 hrs), writing a new method for experimenting with dier-ence matching (40 hrs), experimenting with method orderings (10), and writingthe required lemmas and tactics (60). The systems level extensions took around280 hours. Most of this time was spent in debugging tasks, and consisted of: nd-ing an eective way to parse conditional terms (80 hrs), nding a way around theineciencies of Clam in parsing large terms (120 hrs), and testing changes to thecode (80 hrs).Modied Gordon computerThe extendability test of the Gordon computer which consisted of replacing theadd programming instruction with a no-operation instruction was straightforwardand took one hour to gure out and perform. The computer timings are slightlylower than the timings for the Gordon computer as the no-operation instructionrepresents less work than the add instruction.7.2.3 Analysis of object-level timesIn general, proof timings tend to be higher that proof planning timings. Thishas to do with the use of type theory specication language at the object level(i.e. Oyster level) with time consuming well-formedness goals. Table 7{2 showsa comparison of proof timing where the type checking procedure has been set on
Chapter 7. Results 135and o. On average, about 70 % of the time is spent in solving type checkingsubgoals.7.2.4 Analysis of hierarchical proofsProof planning is able to deal with hierarchical verication. For instance, theverication theorems for the full adder (fa sum ver and fa carry ver) were usedas lemmas in a verication experiment of the n-bit adder. The verication of thefull adder presented in appendix B cannot be used in the verication of the n-bitadder because the sum and the carry are appended together in a list and are notavailable separately as needed by the adder proof. Despite this, proof planningnds its way without the full adder lemmas by expanding the denitions of thesum and the carry when needed, to prove the n-bit adder conjecture.Another example of hierarchical verication using proof planning is the se-quence of proofs that involve the incrementer, the adder, the multiplier, and theexponentiator and factorial. The adder proof uses the incrementer theorem as alemma, the multiplier proof uses the adder theorem as a lemma, and the exponen-tiator and the factorial proofs use the multiplier theorem as a lemma. As anotherexperiment, for the exponentiator and factorial proofs we deleted the multiplierand adder lemmas, and proof planning was still able to nd verication proofs forthe exponentiator and factorial circuits without those lemmas.The Gordon computer proof used uninterpreted denitions of the ALU, theadder, the subtracter, and other operations (memory fetch and store), which meansthat proof planning is also able to deal with generic specications as described byJoyce [Joyce 90].7.2.5 Analysis of lemmasIn this section we do an analysis of the automation features of proof planning andof the lemmas used by the verication proofs.
Chapter 7. Results 136Circuit type checking on type checking o % type checking(min:sec) (min:sec)COMBINATIONALnon-recursivehalf adder 0:51 0:12 76full adder 1:45 0:23 781-bit ALU 10:13 2:10 794-1 multiplexer 4:23 1:18 70n-bit incrementerbig endian 0:41 0:12 71n-bit adderexplicit parameter 3:31 0:40 81big endian 1:41 0:21 79adder (increment) 0:05 0:02 60subtracter (increment) 0:06 0:02 67n-bit aluexplicit parameter 234:19 7:04 97big endian 274:00 4:59 98n-bit shifterbig endian 8:57 1:40 81n-bit processing unitbig endian 0:01 0:004 60parallel arraynm-bit multiplier 2:12 0:23 83multiplier (increment) 0:08 0:02 75exponentiator (increment) 0:27 0:08 70factorial (increment) 0:26 0:07 73divider-quotient (plus) 0:18 0:04 77divider-remainder (plus) 0:16 0:03 81SEQUENTIALcounter 0:17 0:04 76Gordon computer 274:15 42:38 84modied Gordon computer 232:26 35:52 85Table 7{2: Percentage of time spent in type checking
Chapter 7. Results 137Proof automationThe Clam-Oyster system does not give fully automatic proofs in all the cases.We have seen that for some circuits user intervention is required to supply, say,missing lemmas, as is indicated in the last column of the table. However, we havefound that the number of lemmas utilised is lower compared to other systems andthe type of lemmas are not specialised ones, but rather, general purpose lemmasshared by other proofs, like associativity, commutativity, distributivity, stabilityof signals, induction schemes, and non-denitional equations of recursive functions(e.g addition by recursion on the second argument). Reasons why Clam can ndproofs in many cases without supplying extra lemmas include: the possibility of establishing new proof strategies by dening general-purpose(or domain-specic) methods and tactics which integrate heuristics; the exibility in the application of the heuristics embedded in the meth-ods by keeping an explicit proof tree of the conjecture and using Prolog'sbacktracking mechanism, which allows Clam to look for alternative methodapplications when a method fails. This feature makes method ordering un-necessary when using depth-rst search, provided the search does not followa innite path. a look ahead algorithm implemented in rippling analysis which permits theapplication of predened induction schemeswhich do not have to be derivabledirectly from the recursion functions present in the conjecture.These features provide a higher degree of automation, although in some cases, asin the case of the multiplier, user intervention will be necessary.LemmasThe hardware verication proofs require the denitional equations of the imple-mentation, the specication, the denitions of their components, and a few lemmasof various classes. We distinguish ve classes of lemmas that we have used in the
Chapter 7. Results 138verication proofs reported in this thesis. The rst three classes refer to the gener-ality of the lemmas: how general or how specic the lemmas are; the fourth classis about lemmas for induction rules, and the fth class is about lemmas used inhierarchical verication:general lemmas: these correspond to properties of theories which appear acrossapplication domains. For instance, the property of distributivity of multiplic-ation over addition on the natural numbers, and the property of associativityof append over lists, belong to this class.domain lemmas: these correspond to properties in a given application domain.For instance, the stability of signals in the domain of time-sequential circuits.problem type lemmas: these are properties specic to a problem or type ofproblemswithin a given domain. For instance, converting 13-bit words storedby a program counter to 16-bit words broadcast by a bus, and vice-versa.induction lemmas: these correspond to the justication of induction rules ofinference, and are found across the three classes of lemmas described above.Thus, general, domain and problem lemmas about induction are categorisedas induction lemmas and we can nd: (1) general induction lemmas in theor-ies, like Peano induction on the natural numbers and structural induction onlists, (2) domain induction lemmas like induction on computer words (listsof booleans), and (3) problem induction lemmas like induction on two wordsof the same length which model devices such as adders and ALUs.hierarchical lemmas: these correspond to the verication of systems which areused in building more complex systems. For instance, the verication the-orem of a hardware device (i.e. an adder) can be used as a lemma in theverication of a compound device (i.e. a multiplier).We now describe the lemmas we used to verify hardware: general lemmas: the non-recursive circuits of table 7{1 are veried by Booleancase analysis. However, the Boolean case analysis tactic, needs a general
Chapter 7. Results 139lemma which asserts that any Boolean variable is either true or false, andnothing else, so that the values of a Boolean variable form a partition. Thus,proofs by Boolean case analysis require this lemma.The multiplier required general lemmas which correspond to distributivityof times over plus, a commuted version of distributivity of times over plus,associativity of times, and reduction rules like x+ 0 = x, x  0 = 0. domain lemmas: the Gordon computer used a lemma about stability of sig-nals: the switches to enter data into the computer and the knob to selectthe operation when the computer is idling, problem type lemmas: the Gordon computer used a lemma for doing a casesplit from the conditions of the specication which are determined by thevariables idle, knob, and opcode; and a lemma to ignore three leading zeroesin a 16 bits word to convert it to a 13-bit word. induction lemmas: The explicit parameter versions of the n-bit adder and theALU are done by induction on the natural numbers, so we report a inductionlemma (general) for these proofs. However, the lemma that justies thisinduction scheme is built-into Oyster, so the user does not provide it. Then-bit incrementer, the shifter, and the multiplier proofs are done by inductionon words, Also, the lemma that justies this induction scheme is built-intoOyster too, so the user does not provide it. The increment versions of theadder, the subtracter the multiplier, the exponentiator, and the factorialcircuit are done by induction on words with constructor word increment.Similarly the divider (quotient and remainer) proofs are done by inductionon words with constructor word addition, so we report an induction lemma(domain) for all these proofs. The big endian versions of the adder andthe ALU as well as the look-ahead carry version of the adder are done byinduction on two words of the same length, so we report an induction lemma(problem) for these proofs.
Chapter 7. Results 140Circuit Lemmas Totalgeneral domain problem induction hierarchicalhalf adder 1 0 0 0 0 1full adder 1 0 0 0 0 11-bit ALU 1 0 0 0 0 14-1 multiplexer 1 0 0 0 0 1incrementer 1 0 0 1 0 2adder (explicit parameter) 1 0 0 1 0 2adder (big endian) 1 0 0 1 0 2adder (look-ahead carry) 1 0 0 1 0 2adder (increment) 1 0 0 1 1 3subtracter (increment) 0 0 0 1 2 3alu (explicit parameter) 1 0 0 1 0 2alu (big endian) 1 0 0 1 0 2shifter (big endian) 1 0 0 1 0 2processing unit (big endian) 0 0 0 0 2 2multiplier (little endian) 4 0 0 1 1 6multiplier (increment) 0 0 0 1 2 3exponentiator (increment) 0 0 0 1 2 3factorial (increment) 1 0 0 1 1 3divider-quotient (plus) 3 0 0 1 1 5divider-remainder (plus) 3 0 0 1 1 5Gordon computer 0 1 2 1 0 4Table 7{3: Types of lemmas used in hardware verication hierarchical lemmas: The multiplier used the verication theorem of then-bit adder as a lemma. The increment versions of the adder, subtracter,multiplier, exponentiator, factorial and divider circuits used the vericationtheorem of the increment operation on words given by equation 7.1, as alemma. Also, the factorial and exponentiation circuits used the vericationtheorem of the multiplier as a lemma. Similarly, the processing unit usedthe shifter and ALU verication theorems as lemmas.The last column of table 7{1 summarises the number of lemmas needed byeach circuit. Table 7{3 summarises the type of lemmas for each of these circuits.The appendices show all of the denitions and lemmas used by the various proofs.
Chapter 7. Results 1417.3 SummaryWe have presented a summary of the experiments done using a proof planningbased methodology. We have given statistics that show that, proof planning scalesup well and that the initial proof and systems level extensions required by the rstcircuit of a certain kind served to prove more complex circuits of the same kind.Discounting various one-time development eorts, proof planning may allow usersto formalise circuit verication in times which are lower than what they may appearat rst sight and provide a methodological way of investigating proofs that fail.User interaction is limited, although in some circumstances human (e.g. the user,proof engineer, or system designer) intervention may be called for in supplyingextra lemmas or particular heuristics. The examples show the scalability featureof proof planning, and the test on the modied version of the Gordon computer,illustrate the extendability claim. Also, the full adder - adder - multiplier proofsas well as the the adder - multiplier - exponentiation/factorial proofs illustratethe hierarchical verication capability of proof planning. We conjecture that theapproach presented can be scaled up once more, to verify more complex circuitsof practical interest.
Chapter 8Related and future workIn this chapter we describe related work on theorem proving for hardware veric-ation and outline future directions of research. In chapter 2 we surveyed variousverication environments based on theorem proving. Now, section 8.1 describesexperiments similar to the ones we have presented in chapter 7 using some of thesewell known theorem provers; section 8.2 explores ways in which proof planning canbe extended both, to increase its functionality and to verify more complex circuits;and section 8.3 summarises the chapter.8.1 Related workThe application of automated deduction to hardware verication has been andcontinues to be an active area of research. Many eorts have been made andcurrently are going on to apply formal methods to verify all sorts of hardwaresystems. In this section we examine some of the systems that have been used inverifying circuits similar to the ones we have presented. The theorem provers weexamine are NQTHM, HOL, PVS, and VERIFY, as well as the MONA decisionprocedure. As we have pointed out, Clam/Oyster is a fully-expansive system,and so are theorem provers like HOL and NUPRL. This feature provides the userwith the security characteristic of these sort of systems, as opposed to provers likeNQTHM and PVS which don't incorporate this feature [Boulton 94].142
Chapter 8. Related and future work 1438.1.1 NQTHMMost of the circuits in the table (and many others) have been veried elsewhere us-ing NQTHM [CLINC 96]. As an experiment, some of the circuits we have reportedwere re-implemented in NQTHM by a newcomer to formal verication [Rangel 96].Most of the proof-development time was spent determining the lemmas requiredby the proof. For instance the proof of the n-bit adder uses the following lemmas:commutativity of plus, commutativity of times, and addition, and multiplicationby recursion on the second argument. Clam required none of these lemmas forthe same proof. We have explained in section 7.2 reasons for which Clam usesfewer lemmas compared to systems like NQTHM, in which, proof techniques arepre-established and the application ordering of these techniques is xed with nobacktracking. The induction schemes in NQTHM are derived automatically fromthe recursive functions present in the conjectures but is not able to derive schemeswhich are not directly related to these recursive functions. Whereas in systemslike Clam, although the induction schemes are not yet generated automatically1,because of rippling analysis, it can apply induction schemes suggested by the re-cursive functions present in the conjecture, as well as other type of inductionschemes whose derivation is not direct [Kraan et al 96]. In general, Clam requiredfewer lemmas than NQTHM to verify these circuits. On the other hand, NQTHMprovided a very stable implementation, and was much easier to learn, since theClam system, being an evolving research tool, is not properly engineered yet.In other eorts using NQTHM, the n-bit adder was veried (big-endian) in halfa man-day, where the discovery of the required lemmas was the most dicult part[Stavridou et al 88]. A combinational processing unit (ALU and shifter) was veri-ed byWarren Hunt as part of the verication of the FM8501 microprocessor. Thisprocessing unit is veried in three theorems corresponding to the word, naturalnumber, and two's complement interpretations. It took about two months eort,1although in principle they can. Currently, the available induction schemes are storedin a data base
Chapter 8. Related and future work 144runs in a few seconds2, and used 53 lemmas [Hunt 86]. Although the processorunit reported here is less complicated than FM8501's because we do not includethe two's complement interpretation, we use just 2 lemmas in its proof planning.A parallel array multiplier was veried in NQTHM by L. Pierre. The proof usedve lemmas and took 99.2 seconds in a SUN Sparc2 machine [Pierre 94].8.1.2 HOLOne of the earliest examples using HOL was the verication of the Gordon com-puter by Mike Gordon and his group [Joyce et al 86]. This design was laterimplemented and veried as the Tamarack-3 3 microprocessor by Jerey Joyce[Joyce 90]. The verication took about 5 weeks of proof-development eort andrequired the derivation of at least 200 lemmas including general lemmas for arith-metic reasoning and temporal logic operators which are now built into HOL. Itdid not require to tune HOL and runs in about 30 minutes in a modern machine 4.Although we assume a synchronous communication with memory whereas Joyceuses an asynchronous handshaking protocol as well as interrupts, we use almostno lemmas in its proof planning (e.g. stability of signals, convert from 16 to 13bit words, change of mpc initial value). Viper's ALU was veried by Wong usingHOL. The ALU implements a look-ahead carry facility. The proof took one year,involved 488,760 inference steps, and took 53:52 minutes to execute [Wong 93].Clam could enhance the functionality of HOL by automating: (1) the deriv-ation of customised tactics to prove particular conjectures; (2) the selection of2Personal communication3A rened implementation of the Gordon computer. Its verication in HOL and PVSis also more abstract, as tri-state values and gates to access the bus, and the input ofmanual information through the switches and the knob, are not considered. However,Tamarack-3 includes an option for asynchronous communication with memory.4Personal communication
Chapter 8. Related and future work 145induction parameters (scheme and variables), case splits, and generalisations; (3)the speculation of missing lemmas.8.1.3 PVSAfter we had veried the ALU, Shankar took the specication and the implement-ation we used to reproduce a verication of the same ALU in PVS 5 [PVS 96].The ALU as well as the n-bit adder, and the Tamarack-3 microprocessor havebeen veried in PVS [Cyrluk et al 94,Owre et al 94]. The run time for verifyingeach of these circuits was 2:07, 1:27 and 9:05 minutes respectively in a Sun Sparc-Station 10. These low run-times are explained by the built-in decision proceduresavailable to PVS. In these experiments, the user must provide the induction para-meters and use a predened proof strategy. A proof strategy is packaged as a setof PVS commands for certain kind of circuits. The adder and the ALU use thesame proof strategy, the Tamarack and the pipelined Saxe microprocessor shareanother proof strategy. Clam could also enhance the automation facilities of PVSin a similar way as in the HOL case.8.1.4 VERIFYThe Gordon computer was veried by Harry Barrow using the VERIFY system.The verication is split into two parts e.g. the microinstruction level and the in-struction level and does not use induction, rather, it uses enumeration techniquesand symbolic evaluation. At the microinstruction level the proof uses enumerationtechniques and requires user interaction to assist the proof when state equationswhich describe a nite-state machine representation of this level are encountered.At the instruction level the proof is done by symbolic simulation of the micro-code and by proving the equivalence between sequences of microinstructions and5Personal communication
Chapter 8. Related and future work 146behavioural descriptions of each programming instruction. The second part iscompleted in just 6 minutes of execution time [Barrow 84b].8.1.5 MONAThe n-bit adder, the n-bit ALU , a commercial implementation of the binarycounter and other parameterised circuits which show regularities in their struc-tures have been veried using the MONA decision procedure system [MONA 96].If a circuit which exhibits regularity in its structure can be encoded in the Mon-adic second-order logic, then MONA gets verications in times which are ordersof magnitude faster that the times taken by theorem proving based tools. Ifa circuit design is faulty, MONA nds a counter-example. However, many cir-cuits of interest like multipliers and other devices, cannot be encoded in thelogic, thus the applicability of the approach for practical use remains limited[Basin & Klarlund 95].8.1.6 VOSSThe AMD2901 4-bit ALU from Advanced Micro Devices Inc, is a high-speed cas-cadable microprocessor slice for use in CPUs, peripheral controllers and program-mable microprocessors. This circuit was veried using the VOSS system [Seger 93].The VOSS system does formal verication using symbolic simulation and symbolictrajectory evaluation. The meta-language FL, is a general functional language inwhich Ordered Binary Decision Diagrams (OBDDs) are built-in so that Booleanfunctions can be represented, manipulated and compared very eciently. Userinteraction is required to create the FSM model which is used in the symbolic tra-jectory evaluation, and for structuring the specication-verication le includingvariable ordering.
Chapter 8. Related and future work 147System Circuitsadder ALU multiplier microprocessorNQTHM 0.1 10 2 12HOL 4 52 * 8VOSS - 0.2 - -REVE 3 - * *CLAM-OYSTER 0.1 2.4 1 12Table 8{1: Human timings in number of weeks for circuit verication usingvarious tools8.1.7 ComparisonTable 8{1 displays the human timings for the verication of four standard cir-cuits using the tools described in the previous subsections. We believe that hu-man timings are highly important and more relevant that their computer timingscounterparts. The reason for this is that, in general, more that 90% of the totaltimings (computer and human) are spent on the human side, and any method-ology or automated technique that reduces human timings has a high impact inthe total development eort. Another reason for the importance of displaying hu-man timings is the fact that often, a great deal of eort is invested in developingecient programs to verify a given circuit, attaining very low computer timings,without mentioning the amount of labour spent in making the proof look `auto-matic'. However, it is not easy to nd these timings in the literature nor by askingthe developers, because these are not always reported, or the developers did notrecord them and have forgotten how much time was spent.The time unit in table 8{1 is number of weeks. The Clam-Oyster times wereconverted to weeks assuming 8 hours per day and 5 days a week. The symbol `-'means that the circuit was veried using that tool but the timing was not reportedor was not known by the developers; The symbol `*' means that we did not ndin the literature any reports on the use of the system to verify the circuit. Thecircuits veried using each of these tools are not exactly the same, but have manysimilarities. For instance, the VIPERS's ALU veried using HOL has a look-
Chapter 8. Related and future work 148ahead carry feature, thus, this circuits is more complex than the other ALUs inthe table. Also, the developers do not have the same background and experience, sothe actual numbers may be dicult to compare on a one-to-one basis, however, wethink that they give an idea of the importance of human timings in the vericationeort.The timings for verifying the adder using NQTHM, HOL and REVE werereported in [Stavridou et al 88]; the timings for verifying the ALU in HOL wereobtained from [Wong 93], and by personal communication with the developers (W.Hunt and C. Seger) for NQTHM and VOSS. The verication of the multiplier usingNQTHM is reported in [Pierre 94] and the timing was obtained from LaurencePierre by personal communication. The verication of the FM8501 using NQTHMwas obtained by personal communication from Warren Hunt, and the timing forthe verication of the Gordon computer using HOL is reported in [Joyce et al 86].The verication of the adder, the ALU, and the SAXE microprocessor is reportedin [Cyrluk et al 94], but the human timings are not listed.8.2 Future WorkThere are several directions for future work. These include the following: interface of Clam with other tactic-based provers; temporal logic reasoning; informed search procedures; interface of Clam with hardware description languages; propositional reasoning; automatic generation of induction schemes; higher-order rippling;
Chapter 8. Related and future work 149 relational verication; and verication of other microprocessor systems.In the following subsections we describe each of these directions.8.2.1 Interface with other proversAs noted, much of our time was spent entering and debugging specications. Partof this is due to our use of a somewhat complicated type-theory as a specicationlanguage at the object level. However, our planning approach should work withany tactic based theorem prover; one need only port the tactics associated with thecurrent methods from one system to another so that they produce the same eects.Interfacing Clam with a prover like HOL, LAMBDA or PVS could signicantlyreduce the verication times. It would also provide immediate access to the largecollection of tactics and theorems already available for these systems.LAMBDAMike Fourman used the LAMBDA system to prove several inductive theorems fromthe NQTHM corpus that had been proved in Clam [Cantu 93]. We studied theseexamples to outline an interface between Clam and LAMBDA and use LAMBDAas our object level system, but we decided to use the existing Clam-Oyster interfaceinstead. However, Clam proof plans can be translated into LAMBDA's tactics.As a simple example, consider the transcript generated by LAMBDA to prove theassociativity of addition displayed in gure 8.2.1. This transcript was producedby a tactic written by Mike Fourman to prove a set of theorems by induction fromthe NQTHM corpus [Cantu 93]. Lines 1-4 display the goal. Then an inferencerule for induction on the natural numbers is applied. Lines 6-16 discharge thebase case. Lines 18-20 apply rewriting on the left-hand side using the recursiveequation of addition. Lines 22-24 apply weak fertilisation on the left-hand side.Lines 26-32 apply rewriting twice on the right-hand side using the same equation.The proof is completed by applying the equation for the cancellation of successor
Chapter 8. Related and future work 1501 ******* LEVEL 1 *******2 1: G // H |- plus (x,plus (y,z)) == plus (plus (x,y),z)3 ----------------------------------------------------4 G // H |- plus (x,plus (y,z)) == plus (plus (x,y),z)56 plus (0,plus (y,z))7 ==>> plus (y,z)8 using G // H |- plus (0,y) == y910 plus (0,y)11 ==>> y12 using G // H |- plus (0,y) == y1314 plus (y,z) == plus (y,z)15 ==>> TRUE16 using G // H |- x == x == TRUE1718 plus (1'x',plus (y,z))19 ==>> 1'(plus (x',plus (y,z)))20 using G // H |- plus (1'x,y) == 1'(plus (x,y))2122 plus (x',plus (y,z))23 ==>> plus (plus (x',y),z)24 using G // x == y $ H |- x == y2526 plus (1'x',y)27 ==>> 1'(plus (x',y))28 using G // H |- plus (1'x,y) == 1'(plus (x,y))2930 plus (1'(plus (x',y)),z)31 ==>> 1'(plus (plus (x',y),z))32 using G // H |- plus (1'x,y) == 1'(plus (x,y))3334 1'(plus (plus (x',y),z)) == 1'(plus (plus (x',y),z))35 ==>> plus (plus (x',y),z) == plus (plus (x',y),z)36 using built-in conversion: {n}'x == {n}'y --> x == y3738 plus (plus (x',y),z) == plus (plus (x',y),z)39 ==>> TRUE40 using G // H |- x == x == TRUE4142 ******* LEVEL 2 *******43 ----------------------------------------------------44 G // H |- plus (x,plus (y,z)) == plus (plus (x,y),z)Figure 8{1: LAMBDA proof for the associativity of addition
Chapter 8. Related and future work 151induction([(x:pnat)-s(v0)]) then[base_case([sym_eval([normalize_term([reduction([1,1],[plus1,equ(left)]),reduction([1,2,1],[plus1,equ(left)])])]),elementary(intro(new[y]) then[intro(new[z]) then[identity,wfftacs],wfftacs])]),step_case(ripple(wave(direction_out,[1,1],[plus2,equ(left)],[]) then[wave(direction_out,[1,2,1],[plus2,equ(left)],[]) then[wave(direction_out,[2,1],[plus2,equ(left)],[]) then[wave(direction_out,[],[cnc_s,imp(right)],[])]]] then[fertilize(strong,v1)])]Figure 8{2: Proof plan for the associativity of additionin lines 34-36 and the identity rule in lines 38-40. The goal with the hypothesesdischarged is shown in lines 42-44.We notice two facts: the selection of the induction scheme and the inductionvariable are determined by the user, and the generation of the proof is obtainedby the exhaustive application of rewriting. By using Clam to guide LAMBDA,a customised tactic could be automatically generated to prove a conjecture, theselection of the induction parameters can be automated, and the application ofrewriting can be selective rather than exhaustive, thus reducing the search, whichcan be big if there is a large numbers of inference rules in the data base of rules,which is typically the case in real applications. The proof plan generated by Clamto prove this conjecture is displayed in gure 8.2.1 which shows many similaritieswith the LAMBDA proof. It is possible to map this proof plan into a sequenceof LAMBDA commands that prove the theorem, automating the selection of the
Chapter 8. Related and future work 152induction parameters and applying just the rewriting steps indicated in the proofplan. For instance, the wave method determines the position of the wave-front tobe rippled-out, (e.g. [1,1], [1,2,1] and [2,1]) which can be done with LAMBDA'sguide commands which locate sub-expressions within a expression, and then applyrewriting at the indicated positions [Francis et al 92].HOLClam could also be interfaced to the HOL system. In fact, a 3-year projectbetween Edinburgh and Cambridge has already started to build this interface[Bundy & Gordon 95] which will make it possible to provide the automation fa-cilities described in section 8.1.2. We have joined this project to develop a 3-wayeort between Edinburgh, Cambridge and Monterrey to design hardware verica-tion cases and develop proof engineering activities to test and tune the interface[Cantu 96].8.2.2 Temporal logicClam reasoning capabilities could be strengthened by dening a kind of object-level temporal logic, e.g. linear time propositional logic and then proving rewriteequations and implications from which wave-rules can be derived to prove proper-ties of sequential circuits like ip-ops and controllers, as well as verify micropro-cessor systems with asynchronous communication to external devices. We need todene the modal operators henceforth, eventually, next, and (weak) until as follows[Joyce 90]: 2P = t: 8n P (t+ n)3P = t: 9n P (t+ n)P = t: P (t+ 1)P [ Q = t: 8n (8m; m < n! :(Q(t+m)))! P (t+ n)
Chapter 8. Related and future work 153and the following temporal propositional operators::tP = t: :P (t)P ^t Q = t: P (t) ^ Q(t)P _t Q = t: P (t) _ Q(t)P !t Q = t: P (t)! Q(t)We can then dene the following temporal propositional logic (LTTL):1. every atomic formula in higher-order logic is a formula in LTTL2. if P is a formula in LTTL, then so are :tP , 2P , 3P , and P3. if P and Q are formulae in higher-order logic, then so are P ^t Q, P _t Q,P !t Q, P [QA formula in LTTL is valid if and only if it is true at all times:V alid P = 8t: P (t)We could then prove equations like:2(P !t Q) = 2P !t 2QV alid((P ^t (:tQ))!t (P ))! V alid(P !t (P [Q))from which wave rules like the following can be derived:2( P !t Q ")) 2P !t 2Q "V alid(P !t ( P [Q "))) V alid( (P ^t (:tQ))!t (P ) ")and used to prove conjectures in the logic. For instance, we may have the followinghandshaking protocol: \A data request at time t1 by a sender is acknowledged attime t2 by a receiver and a request to end the interaction is signalled by the senderat time t3 and eventually acknowledged by the receiver at time t4". The behaviour
Chapter 8. Related and future work 154of the sender and the receiver can be formalised in the temporal logic, and usedto prove conjectures that show that the constraints imposed by the protocol areobserved. The logic can also be used to specify memory and interfacing memorywith a processor in an asynchronous communication mode [Joyce 90]. Other form-alisations can be derived to reason about stability and correctness properties ofdevices like ip-ops and controllers [Basin & Klarlund 95]. Currently, we do notforesee extensions to methods or tactics to prove theorems in this type of logic.Formalising the logic at the object level as well as the conjectures, and usingthe proof planning facilities to plan the conjectures seem to be the type of tasksrequired.8.2.3 Heuristic searchA more informed search procedure that uses heuristic information and analysesthe structure of the current goal to determine dynamically in which order to applymethods would make proof planning more automatic and less user/proof engineerdependent. This heuristic knowledge could be encoded in a search procedure likebest-rst search [Manning et al 93] which has been implemented but is not part ofthe standard version of Clam.8.2.4 Interface to a HDLAn interface to a standard hardware description language would also ease specic-ation and make it possible to integrate proof planning better into the hardwaredesign cycle. Many eorts have been made to provide interfaces between hardwaredescription languages used by design engineers (e.g. IEEE's VHDL) and formalmethods tools [Delgado & Breuer 95]. However, the semantics of HDLs is oftennot well dened and the interface is not easy to develop. HDLs that meet therequired properties are then developed, but these lack the required generality, oralternatively, subsets of standard HDLs are dened and interfaced with provers[Hunt & Brock 92]. We think that the latter approach could be explored in theClam context [Gordon 95].
Chapter 8. Related and future work 1558.2.5 Propositional reasoningAnother area for further work concerns improving the power or eciency of someof our methods. For example, reasoning about boolean circuits by case evaluation,which has exponential growth, could be replaced by a more ecient routine basedon BDDs and be implemented as a sub-method of the method sym eval.8.2.6 Lemma speculationAlthough sometimesClam is able to get a proof through without a missing lemma,in other cases the user has to supply lemmas that cannot be guessed by Clam.However, proof planning provides additional features that permit the speculationof lemmas before appealing to the user. The Critics mechanism is such a feature fornding missing lemmas, induction schemes, and generalisations during the ripplingprocess and is described in [Ireland & Bundy 96]. We have done a preliminaryinvestigation to speculate lemmas for some of the circuits veried using a prototypeversion of Clam which implements critics. For instance, if we delete the sub-method term cancel in the experiment about the incrementer, the planning failsbecause it requires the wave rule U + s(V ) ) s(U + V ) which is missing. Withthis lemma the planning succeeds. This lemma can be speculated easily by thecurrent critics in Clam which are available only in an experimental version ofClam which we did not used. Similarly, the lemmas that we have supplied for themultiplier proof (e.g. associativity, commutativity, and distributivity of additionand multiplication), can be speculated by similar critics. The work needed consistsof translating methods and sub-methods from the syntax of the ocial version ofClam to the one used by the critics prototype, and try the experiments.8.2.7 Automatic generation of induction schemesClam keeps a data base of predened induction schemes. Clam searches this database to select a scheme for proof by induction. This provides exibility in use ofinduction schemes. In systems like NQTHM although the type of schemes used
Chapter 8. Related and future work 156are those derivable from the recursive functions in the conjecture, the generationof such schemes is automatic. The generation of the type of induction schemesused by Clam for a particular conjecture can be automated and avoid keeping anexplicit data base of induction schemes. This extension of Clam applies to proofby induction in general, and is not exclusive of hardware verication. This hasbeen a research goal of the MRG but has not been implemented.8.2.8 Higher-order ripplingThe kind of rippling we have described and used to verify circuits applies to rst-order logic. Rippling in higher-logic requires higher-order wave annotations. An-other version of Clam implemented in Lambda-Prolog has been developed by theMRG sta to address this kind of problems [Smaill & Green 96]. Reasoning aboutcircuits with higher-order functions like signals is commonplace in sequential cir-cuits, thus, the Lambda-Prolog version of Clam could be used to prove propertiesof this kind of circuits.8.2.9 Relational vericationThe style of meta-level inference implemented in Clam is very eective for reason-ing about functional representations, but cannot deal with their relational coun-terparts. We did the verication of the full adder in a relational style, and haveoutlined the correctness of the n-bit adder, but extending it to circuits with rep-licated structures and feedback loops such as the ones we have presented requiresadaptation of most of the proof planning techniques (e.g. rippling, fertilisation,rippling analysis, etc). Eorts have been done by various researchers to addressthese issues [Bundy & Lombart 95,Lombart & Deville 94,Ahs & Wiggins 94].8.2.10 Microprocessor vericationWith some of these improvements (e.g. temporal reasoning), Clam could be usedto verify other microprocessor systems with extended functionality. For instance,
Chapter 8. Related and future work 157the verication of Tamarack-3 which includes interrupts and a handshaking asyn-chronous communication protocol with memory would be a natural extension tothe Gordon computer. Another 16-bit microprocessor that provides asynchronouscommunication with memory and that can be veried in Clam is the FM8501. Atthe 32-bit level, the FM9001 could be attempted next as well as microprocessorswith pipe-line architectures veried in HOL [Windley & Coe 94].8.3 SummaryWe have presented a summary of work in hardware verication using theoremprovers which have veried circuits similar to the ones we have reported. Humanand computer timings in many cases are comparable, but Clam provides moreautomation facilities, reected in the automatic generation of customised tactics,the automation of induction decisions, the reduced number of lemmas utilised inthe proofs, and the the selective application of rewriting. We also have describedfuture work that would enhance Clam capabilities for hardware verication andwith appropriate integration would allow us to attempt the verication of morecomplex circuits of the type typically found in commercial and safety-critical ap-plications.
Chapter 9ConclusionsWe have investigated the application of proof planning for automating hardwareverication tasks. Our starting point was the current implementation of proofplanning in the Clam system in October 1992 and its application in domainslike inductive theorem proving. During the following four years we conducted aseries of experiments and drew lessons which can be summarised in the followingcontributions: show by experimentation the applicability, scalability and extendability ofproof planning for automating hardware verication tasks; a methodology for hardware verication; proling of the Clam system.First, our working hypothesis was that proof planning could be used to verifyhardware. Experiments show that the Clam system and the proof planning ideacarry over well to automate proofs in this new domain, although a number ofextensions in the details (as opposed to the spirit) of Clam and the development ofnew general tactics and methods were required. The kind of automation providedby proof planning comprises: the automatic generation of a customised tactic, given a conjecture, from aset of general-purpose methods and tactics, and a search strategy;158
Chapter 9. Conclusions 159 the automatic selection of induction schemes and variables from a predenedset of induction schemes; the automatic generation of case splits and generalisations in the inductivestep; and the use of fewer lemmas compared to other provers.One may ask how important these features are. Critics of interactive theoremproving have claimed that full proof automation is required in order to have formalmethods used by industry in a regular basis [Saiedian 96]. We think that the typeof automation provided by proof planning is a step in this direction.Most importantly, we have seen the robustness of proof planning and the fea-tures of extendability and scalability of proof planning. Robustness means thatproof planning adapts to modications on the implementation and the specicationof a circuit and nds a tactic automatically without user intervention. Extend-ability and scalability means that similar circuits of a certain class or variantsof a particular circuit can be veried using the same methods and planner (ex-tendability), and that circuits of higher complexity can also be veried using thesame methods and planner (scalability). This is interesting, because allows us toconjecture that the proof planning technique can be applied to industrial-strengthcircuits, which are of higher complexity, and are found in the upper region of gure9{1. The verication of this sort of systems will be further facilitated by integrat-ing Clam with tactic-based hardware verication oriented theorem provers suchas HOL and LAMBDA. Clam will enhance the automating capabilities of theseprovers as well as providing them with the extendability and scalability featuresof proof planning, and will benet from all of the tactics that have been developedfor these provers in verifying real-world hardware systems.Second, we have presented a verication methodology that decomposes formalproof into three conceptually dierent kind of tasks: user, proof, and systemstasks. In this investigation these activities were performed by one and the sameperson, but if we think about an organisational context, this distinction can facil-


















Figure 9{1: Extendability and scalability of proof planningitate the adoption of formal methods in a rm and provide a smoother transitiontowards its use. Typically, the formalisation task will be done by a hardwaredesign engineer with a background in digital logic, who will write the specica-tion, the implementation and a verication conjecture of a hardware design in alogic formalism, and will run Clam and a prover to get a composite tactic specicfor that conjecture. There may be many users like this within the organisation.Then the proof engineer who will belong to a formal methods department/unitwithin the same organisation, will provide assistance to all of the users in thecompany if something goes wrong with some proof. And nally, a systems engin-eer, who will provide support to the verication environment and will work for aconsulting company outside the organisation. It may be the case that the proofengineering activities would be oered by an outside consulting company as well,but the important point is making the conceptual distinction among the threetypes of activities.Proof planning mechanisms apply both to combinational and sequential hard-ware, the dierence being the handling of time. We investigated several kinds of
Chapter 9. Conclusions 161parameterised circuits and were able to develop methods which captured heuristicssuitable for reasoning about families of such designs. We reported on our timingsfor formalising particular circuits and doing proof/systems engineering activitiesto tune the methods and to tune Clam. Although the times are sometimes highfor initially verifying new kinds of circuits, subsequent verications times were re-spectable and would gracefully decrease once we discount one-time activities, withthe majority of time being spent on simply entering and debugging the formalisa-tion. This provided support for our belief that a system like Clam might be usableby hardware engineers, provided that there is a type of proof engineering supportin the background to tune the proof techniques (e.g. methods, tactics, lemmas,induction schemes, etc.) when required.Third, we contributed to the proling of the Clam system. We obtained thelargest proofs that had been done in Clam-Oyster so far. The experiments forcedsituations that had not arisen in previous proofs, which leaded to improvements inthe code, and suggested extensions that were implemented either by us, or by theMRG sta, improving in this way the functionality and the robustness of Clam.And nally, we think that the research reported in this thesis contributes toour knowledge about the use of meta-level reasoning based on proof planningto verify hardware in tactic-based settings. With additional enhancements andintegration with other proving systems, our approach could become a viable wayof automating industrial-strength verication tasks in the hardware domain.
Bibliography[Ahs & Wiggins 94] T. Ahs and G. A.Wiggins. Relational rippling for logicprogram synthesis and transformation, 1994. Presen-ted at the Fourth International Workshop on LogicProgram Synthesis and Transformation.[Akers 78] S.B. Akers. Binary decision diagrams. IEEE Transac-tions on Computers, C27:509{516, 1978.[Barrow 84a] Harry G. Barrow. Proving the Correctness of DigitalHardware Designs, pages 64{77. CMP Publications,Inc., 600 Community Drive, Manhasset, NY 11030,1984.[Barrow 84b] Harry G. Barrow. Verify: A program for provingcorrectness of digital hardware designs. AI Journal,24:437{491, 1984.[Basin & DelVecchio 89] David A. Basin and Peter DelVecchio. Verication ofcombinational logic in Nuprl. In Hardware Specic-ation, Verication and Synthesis: Mathematical As-pects, Ithaca, New York, 1989. Springer-Verlag.[Basin & Friedrich 96] David Basin and Stefan Friedrich. Modeling a hard-ware synthesis methodology in isabel. In Proceedingsof the Theorem Proving in Higher Order Logics, LNCS1125, pages 33{50. Springer, 1996.162
Bibliography 163[Basin & Klarlund 95] David Basin and Nils Klarlund. Hardware verica-tion using monadic second-order logic. In Proceedingsof the Conputer Aided Verication Conference, LNCS939, pages 31{41. Springer-Verlag, 1995.[Basin & Walsh 93] David Basin and Toby Walsh. Dierence unica-tion. In R. Bajcsy, editor, Proc. 13th Intern. JointConference on Articial Intelligence (IJCAI '93),volume 1, pages 116{122, San Mateo, CA, 1993. Mor-gan Kaufmann.[Basin & Walsh 96a] David Basin and Toby Walsh. Annotated rewritingin inductive theorem proving. Journal of AutomatedReasoning, 16(1{2):147{180, 1996.[Basin & Walsh 96b] David Basin and Toby Walsh. A calculus for and ter-mination of rippling. Journal of Automated Reasoning,16(1{2):147{180, 1996.[Basin 91] David A. Basin. Extracting circuits from constructiveproofs. Research Paper 533, Dept. of Articial Intelli-gence, University of Edinburgh, 1991. Also appearedin Proceedings of the IFIP-IEEE International Work-shop on Formal Methods in VLSI Design, Miami USA,1991.[Bishop et al 95] B. Bishop, W. Hunt, and M. Kaufmann. The fm9001microprocessor proof. Technical report 86, Computa-tional Logic, Inc, 1995.[Boulton 94] Richard J. Boulton. Eciency in a fully-expansivetheorem prover. Technical Report 337, University ofCambridge Computer Laboratory, 1994.
Bibliography 164[Boyer & Moore 79] R. S. Boyer and J S. Moore. A Computational Logic.Academic Press, 1979. ACM monograph series.[Boyer & Moore 81] R. S. Boyer and J S. Moore. Metafunctions. In R. S.Boyer and J S. Moore, editors, The Correctness Prob-lem in Computer Science, pages 103{184. AcademicPress, 1981.[Boyer & Moore 88] R. S. Boyer and J S. Moore. A Computational Lo-gic Handbook. Academic Press, 1988. Perspectives inComputing, Vol 23.[Brayton 96] R.K. et al Brayton. Vis. In M. Srivas and A. Cam-illeri, editors, Proceedings of the Formal Methods forComputer-Aided Design Conference, number 1166 inLecture Notes in Computer Science, pages 248{256.Springer-Verlag, 1996.[Bryant 86] Randal E. Bryant. Graph-based algorithms forboolean function manipulation. IEEE Transactionson Computers, C35:677{691, 1986.[Bryant et al 87] R.E. Bryant, D. Beatty, K. Brace, K. Chao, andT. Sheer. A compiler simulator for mos circuits. InProceedings of the 24th ACM/IEEE Design Automa-tion Conference, pages 9{16. ACM, 1987.[Bundy & Gordon 95] A. Bundy and M. Gordon. Automatic guidance ofmechanically generated proofs. Epsrc research pro-posal, Edinburgh and Cambridge Universities, 1995.[Bundy & Lombart 95] Alan Bundy and V. Lombart. Relational rippling: ageneral approach. In C. Mellish, editor, Proceedings ofIJCAI-95, pages 175{181. IJCAI, 1995.
Bibliography 165[Bundy 88] Alan Bundy. The use of explicit plans to guide induct-ive proofs. In R. Lusk and R. Overbeek, editors, 9thConference on Automated Deduction, pages 111{120.Springer-Verlag, 1988. Longer version available fromEdinburgh as DAI Research Paper No. 349.[Bundy et al 89] Alan Bundy, F. van Harmelen, J. Hesketh, A. Smaill,and A. Stevens. A rational reconstruction and exten-sion of recursion analysis. In N. S. Sridharan, editor,Proceedings of the Eleventh International Joint Con-ference on Articial Intelligence, pages 359{365. Mor-gan Kaufmann, 1989. Also available from Edinburghas DAI Research Paper 419.[Bundy et al 90] Alan Bundy, F. van Harmelen, C. Horn, and A. Smaill.The Oyster-Clam system. In M. E. Stickel, editor,10th International Conference on Automated Deduc-tion, pages 647{648. Springer-Verlag, 1990. LectureNotes in Articial Intelligence No. 449. Also availablefrom Edinburgh as DAI Research Paper 507.[Bundy et al 91] Alan Bundy, Frank van Harmelen, Jane Hesketh, andAlan Smaill. Experiments with proof plans for in-duction. Journal of Automated Reasoning, 7:303{324,1991. Earlier version available from Edinburgh as DAIResearch Paper No 413.[Bundy et al 93] Alan Bundy, A. Stevens, F. van Harmelen, A. Ire-land, and A. Smaill. Rippling: A heuristic for guidinginductive proofs. Articial Intelligence, 62:185{253,1993. Also available from Edinburgh as DAI ResearchPaper No. 567.
Bibliography 166[Camilleri 88] Albert J. Camilleri. Executing behavioural denitionsin higher order logic. Technical Report 140, Universityof Cambridge Computer Laboratory, 1988.[Cantu 93] Francisco J. Cantu. Inductive proofs in LAMBDA.Blue Book Note 819, MRG, University of Edinburgh,1993.[Cantu 96] Francisco J. Cantu. Design, experimentation, andanalysis of hardware verication cases in a proof-planning/higher-order logic framework. Research pro-posal submitted to CONACYT, Mexico, MonterreyInstitute of Technology, 1996.[Cantu et al 96] Francisco Cantu, Alan Bundy, Alan Smaill, and DavidBasin. Experiments in automating hardware verica-tion using inductive proof planning. In M. Srivas andA. Camilleri, editors, Proceedings of the Formal Meth-ods for Computer-Aided Design Conference, number1166 in Lecture Notes in Computer Science, pages 94{108. Springer-Verlag, 1996.[CHECKOFF-E 96] CHECKOFF-E. Abstract Hardware Limited.http://www.ahl.co.uk/chko-e.html, 1996.[CHECKOFF-M 96] CHECKOFF-M. Abstract Hardware Limited.http://www.ahl.co.uk/chko-m.html, 1996.[Clarke & Emerson 81] E.M. Clarke and E.A. Emerson. Design and syn-thesis of synchonization scheletons using branchingtime temporal logic. In The Proceedings of Work-shop on Logics of Programs, LNCS 131, pages 52{71.Springer-Verlag, 1981.
Bibliography 167[CLINC 96] CLINC. Computational Logic Inc., USA.http://www.cli.com, 1996.[Cohn 88] Avra Cohn. A proof of correctness of the viper mi-croprocessor. In G. Birtwistle and P.A. Subrahman-yam, editors, VLSI Specication, Verication, andSynthesis, pages 27{71. Kluwer Academic Publishers,1988.[Constable et al 86] R. L. Constable, S. F. Allen, H. M. Bromley, et al.Implementing Mathematics with the Nuprl Proof De-velopment System. Prentice Hall, 1986.[Cyrluk et al 94] D. Cyrluk, N. Rajan, N. Shankar, and M.K. Srivas.Eective theorem proving for hardware verication.In 2nd Conference on Theorem Provers in CircuitDesign. Springer-Verlag, 1994.[Delgado & Breuer 95] C. Delgado and P. Breuer. Formal Semantics forVHDL. Kluwer Academic, 1995.[DelVecchio 90] Peter E. DelVecchio. The design and formal verica-tion of an integrated circuit for use in a oating-pointsystolic array fast fourier transform processor. Unpub-lished M.Sc. thesis, Cornell University, 1990.[Devadas et al 87] S. Devadas, H.T. Ma, and A.R. Newton. On the veri-cation of sequential machines at diering levels of ab-straction. In The Proceedings of the 24th ACM/IEEEDesign Automation Conference, pages 271{276. IEEEComputer Society Press, 1987.[Dill 89] David L. Dill. Trace Theory for Automatic Hier-archical Verication of Speed-Independent Circuits.
Bibliography 168Unpublished PhD thesis, Carnegie-Mellon University,1989.[Emerson & Lei 86] E.A. Emerson and C.L. Lei. Ecient model check-ing in fragments of the propositional mu-calculus. InThe Proceedings of the Annual Symposium on Logicin Computer Science, pages 267{278. IEEE ComputerSociety Press, 1986.[Fourman & Hexsel 91] M. P. Fourman and R. Hexsel. Formal synthesis. InGraham Birtwistle, editor, IV Higher Order Work-shop. Springer-Verlag, 1991.[Francis et al 92] M. Francis, S. Finn, E. Mayger, and R.B. Hughes.Reference Manuel for the Lambda System 4.2 Vol I.Abstract Hardware Ltd, 1992.[Frank et al 92] I. Frank, D. Basin, and Alan Bundy. An adaptation ofproof-planning to declarer play in bridge. In Proceed-ings of ECAI-92, pages 72{76, Vienna, Austria, 1992.Longer Version available from Edinburgh as DAI Re-search Paper No. 575.[Gallier 86] J. Gallier. Logic for Computer Science. Harper &Row, New York, 1986.[Galton 87] Antony Galton, editor. Temporal Logics and their Ap-plications. Academic Press, 1987.[Genesereth & Nilsson 87] M. R. Genesereth and N. J. Nilsson. Logical Found-ations of Articial Intelligence. Morgan Kaufmann,Palo Alto, CA., 1987.[Gordon 83] Michael Gordon. Lcf-lsm. Technical Report 41, Uni-versity of Cambridge Computer Laboratory, 1983.
Bibliography 169[Gordon 85] Michael Gordon. HOL: A machine oriented formula-tion of higher-order logic. Technical Report 68, Uni-versity of Cambridge Computer Laboratory, 1985.[Gordon 86] Michael Gordon. Why higher-order logic is a goodformalism for specifying and verifying hardware. InG. Milne and P.A. Subrahmanyam, editors, FormalAspects of VLSI Design, pages 153{177. Elsevier Sci-ence Publishers, 1986.[Gordon 88] Michael Gordon. HOL: A proof generating system forhigher-order logic. In G. Birtwistle and P.A. Subrah-manyam, editors, VLSI Specication, Verication, andSynthesis, pages 73{128. Kluwer Academic Publishers,1988.[Gordon 95] Michael Gordon. The semantic challenge of VerilogHDL. In The Proceedings of Tenth Annual IEEE Sym-posium on Logic in Computer Science,. IEEE, Inc.,1995.[Gordon et al 79] M. J. Gordon, A. J. Milner, and C. P. Wadsworth.Edinburgh LCF - A mechanised logic of computa-tion, volume 78 of Lecture Notes in Computer Science.Springer Verlag, 1979.[Gupta 91] A. Gupta. Formal hardware verication methods: Asurvey. Technical Report CMU-CS-91-193, Carnegie-Mellon University, 1991.[Hanna & Daeche 86] F.K. Hanna and N. Daeche. Specication and veric-ation of digital systems using higher-order predicatelogic. In IEE Proceedings, pages 242{254. IEE, 1986.
Bibliography 170[Hanna et al 89a] F.K. Hanna, N. Daeche, and M. Longley. Veritas+: Aspecication language based on type theory. In Work-shop on Hardware, Specication, Verication and Syn-thesis: Mathematical Aspects. Springer-Verlag LNCS,1989.[Hanna et al 89b] F.K. Hanna, M. Longley, and N. Daeche. Formalsynthesis of digital systems. In Luc Claesen, ed-itor, IMEC-IFIP International Workshop on AppliedFormal Methods for Correct VLSI Design, pages 532{548. Elsevier Sciences Publishers, 1989.[Havelund & Shankar 96] Klaus Havelund and N. Shankar. Experiments in the-orem proving and model checking for protocol veri-cation. In Formal Methods Europe FME '96, num-ber 1051 in Lecture Notes in Computer Science, pages662{681, Oxford, UK, March 1996. Springer-Verlag.[Hesketh 91] J. T. Hesketh. Using Middle-Out Reasoning to GuideInductive Theorem Proving. Unpublished PhD thesis,University of Edinburgh, 1991.[Hoare 78] C. A.R. Hoare. Communicating Sequential Processes.Communications of the Association for ComputingMachinery, 21(8):666{677, 1978.[HOL 96] HOL.University of Cambridge Computer Laboratory, UK.http://www.cl.cam.ac.uk/Research/HVG/HOL/HOL.html,1996.[Hopcroft & Ullman 79] J.E. Hopcroft and J.D. Ullman. Introduction to Auto-mata Theory, Languages and Computation. AddisonWesley, 1979.
Bibliography 171[Horn 95] Christian Horn. The Oyster proof development sys-tem. Technical report, Department of Articial Intel-ligence, U. of Edinburgh, 1995.[Hughes & Cresswell 90] G. E. Hughes and M. J. Cresswell. An Introduction toModal Logic. Routledge, 1990.[Hunt & Brock 92] Warren Jr. Hunt and Bishop C. Brock. A formal hdland its use in the fm9001 verication. In MechanizedReasoning and Hardware Design, pages 35{47. Pren-tice Hall, 1992.[Hunt 86] Warren Hunt. FM8501: A veried microprocessor.Technical Report 47, Institute for Computing Science,University of Texas at Austin, 1986.[IEEE 88] IEEE. Standard VHDL Language Reference Manual.IEEE Press, 1988.[Ireland & Bundy 96] A. Ireland and A. Bundy. Productive use of failurein inductive proof. Journal of Automated Reasoning,16(1{2):79{111, 1996. Also available as DAI ResearchPaper No 716, Dept. of Articial Intelligence, Edin-burgh.[ISABELLE 96] ISABELLE. University of Cambridge, ComputerLaboratory.http://www.cl.cam.ac.uk/Research/HVG/isabelle.html,1996.[Joyce 90] Jerey J. Joyce. Multi-level verication ofmicroprocessor-based systems. Technical Report 195,University of Cambridge Computer Laboratory, 1990.
Bibliography 172[Joyce et al 86] Je Joyce, G. Graham Birtwistle, and M. Gordon.Proving a computer correct in higher order logic.Technical Report 100, University of Cambridge Com-puter Laboratory, 1986.[Kraan et al 93] I. Kraan, D. Basin, and A. Bundy. Logic program syn-thesis via proof planning. In K. K. Lau and T. Clem-ent, editors, Logic Program Synthesis and Transforma-tion, pages 1{14. Springer-Verlag, 1993. Also availableas Max-Planck-Institut fur Informatik Report MPI-I-92-244 and Edinburgh DAI Research Report 603.[Kraan et al 96] I. Kraan, D. Basin, and A. Bundy. Middle-out reason-ing for synthesis and induction. Journal of AutomatedReasoning, 16(1{2):113{145, 1996. Also available fromEdinburgh as DAI Research Paper 729.[Kurshan 87] R.P. Kurshan. Reducibility in analysis of coordina-tion. In The Proceedings of Discrete Event Systems:Models and Applications , LNCS 103, pages 19{39.Springer-Verlag, 1987.[LAMBDA 96] LAMBDA. Abstract Hardware Limited.http://www.ahl.co.uk/lambda.html, 1996.[Lombart & Deville 94] V. Lombart and Y. Deville. Rippling on rela-tional structures. Research report, November 1994.Available as research report RR94-16, Departementd'ingenierie informatique, Universite catholique deLouvain, Belgium.[Lowe 91] Helen Lowe. Extending the proof plan methodologyto computer conguration problems. Articial Intelli-
Bibliography 173gence Applications Journal, 5(3), 1991. Also availablefrom Edinburgh as DAI Research Paper 537.[Madre & Billon 88] J.C. Madre and J.P. Billon. Proving circuit correct-ness using formal comparison between expected andextracted behaviour. In The Proceedings of the 25thACM/IEEE Design Automation Conference, pages205{210. IEEE, Inc., 1988.[Manna & Pnuelli 81] Z. Manna and A. Pnuelli. Verication of concurrentprograms: Temporal proof principles. In Springer-Verlag, editor, Proceedings of the Workshop on Logicsof Programs, LLNCS 131, New York, 1981.[Manning et al 93] A. Manning, A. Ireland, and Alan Bundy. Increasingthe versatility of heuristic based theorem provers. InA. Voronkov, editor, International Conference on Lo-gic Programming and Automated Reasoning { LPAR93, St. Petersburg, number 698 in Lecture Notes in Ar-ticial Intelligence, pages pp 194{204. Springer-Verlag,1993.[Mano 79] M. Morris Mano. Digital Logic and Computer Design.Prentice Hall, Inc, 1979.[Mayger & Harris 91] E. Mayger and R.L. Harris. User Guide for theLambda System 4.1. Abstract Hardware Ltd, 1991.[Mayger 91] Eleanor Mayger. Dialog Tutorial. Abstract HardwareLtd, 1991.[McMillan 92] Kenneth L. McMillan. Symbolic Model Checking.Kluwer Academic Publishers, 1992.
Bibliography 174[Melham 88] Thomas Melham. Abstraction mechanisms for hard-ware verication. In G. Birtwistle and P.A. Subrah-manyam, editors, VLSI Specication, Verication, andSynthesis, pages 127{157. Kluwer Academic Publish-ers, 1988.[Milne 85] George J. Milne. Simulation and verication: Relatedtechniques for hardware analysis. In C.J. Koomen andT. Moto-oka, editors, The Proceedings of the SeventhConference on Computer Hardware Description Lan-guages and their Applications. Elsevier Science Pub-lishers, 1985.[MONA 96] MONA. University of Aarhus, Department of Com-puter Science, Denmark.http://www.daimi.aau.dk/ mbiehl/Mona/main.html,1996.[Moore 89] J Moore. System verication. Journal of AutomatedReasoning, 5(4):409{410, 1989.[Moore et al 96] J S. Moore, T. Lynch, and M. Kaufmann. A mechan-ically checked proof of the correctness of the kernel ofthe AMD5k86 oating-point division algorithm. Tech-nical report 112, Computational Logic, Inc, 1996.[Moszkowski 85] B. Moszkowski. A temporal logic for multi-level reas-oning about hardware. Computer, pages 10{19, 1985.[OTTER: 96] OTTER:. An automated Deduction System.http://www.mcs.anl.gov/home/mccune/ar/otter/index.html,1996.[Owre et al 94] S. Owre, J.M. Rushby, N. Shankar, and M.K. Srivas. Atutorial on using pvs for hardware verication. In 2nd
Bibliography 175Conference on Theorem Provers in Circuit Design.Springer-Verlag, 1994.[Pierre 94] Laurence Pierre. An automatic generalization methodfor the inductive proof of replicated and parallel ar-chitectures. In 2nd Conference on Theorem Proversin Circuit Design, pages 72{91. Springer-Verlag, 1994.[Pnuelli 77] A. Pnuelli. A temporal logic of programs. In IEEE,editor, Proceedings of the 18th Annual Symposium onFoundations of Computer Science, New York, 1977.[PVS 96] PVS. Stanford Research Intritute Computer ScienceLab., usa. http://www.csl.sri.com, 1996.[Rangel 96] Victor Rangel. Metodos formales para vericacionde hardware: Un estudio comparativo. UnpublishedM.Sc. thesis, Instituto Tecnologico de Monterrey, Mex-ico, 1996.[Richardson 95] J. D. C. Richardson. Proof planning data type changesin pure functional programs. Unpublished PhD thesis,Department of Articial Intelligence, University of Ed-inburgh, September 1995.[Robinson 65] J. A. Robinson. A machine oriented logic based on theresolution principle. J Assoc. Comput. Mach., 12:23{41, 1965.[Rue et al 96] H. Rue, N. Shankar, and M. K. Srivas. Modu-lar verication of SRT division. In Rajeev Alur andThomas A. Henzinger, editors, Computer-Aided Veri-cation, CAV '96, number 1102 in Lecture Notes inComputer Science, pages 123{134, New Brunswick,NJ, July/August 1996. Springer-Verlag.
Bibliography 176[Rushby 96] John Rushby. Automated deduction and formal meth-ods. In Rajeev Alur and Thomas A. Henzinger, ed-itors, Computer-Aided Verication, CAV '96, number1102 in Lecture Notes in Computer Science, pages 169{183, New Brunswick, NJ, July/August 1996. Springer-Verlag.[Saiedian 96] Hossein Saiedian. An invitation to formal meth-ods. IEEE Computer, 29(4):16{30, April 1996. A\roundtable" of short articles by several authors.[Seger 93] Carl-Johan H. Seger. Voss - a formal hardware veri-cation system user's guide. Technical Report 45, De-partment of Computer Science, University of BritishColumbia, Canada, 1993.[Silver 83] B. Silver. Learning equation solving methods fromexamples. In Alan Bundy, editor, Proceedings of theEighth IJCAI, pages 429{431. International Joint Con-ference on Articial Intelligence, 1983. Also availablefrom Edinburgh as DAI Research Paper 184.[Silver 85] B. Silver. Meta-level inference: Representing andLearning Control Information in Articial Intelli-gence. North Holland, 1985. Revised version of theauthor's PhD thesis, Department of Articial Intelli-gence, U. of Edinburgh, 1984.[Smaill & Green 96] A. Smaill and I. Green. Higher-order annotated termsfor proof search. volume 1125 of Lecture Notes inComputer Science, pages 399{414. Springer, 1996.Also available as DAI Research Paper 799.
Bibliography 177[Srivas & Miller 95] Mandayam Srivas and Steven P. Miller. Applyingformal verication to a commercial microprocessor.In Proceedings of the IFIP International Conferenceof Computer Hardware Description Languages, pages493{502. IFIP, 1995.[Stavridou et al 88] V. Stavridou, H. Barringer, and D.A. Edwards.Formal specication and verication of hardware: Acomparative case study. In Proceedings of the 25thACM/IEEE Design Automation Conference, pages89{96. IEEE, 1988.[Sterling et al 82] L. Sterling, Alan Bundy, L. Byrd, R. O'Keefe, andB. Silver. Solving symbolic equations with PRESS. InJ. Calmet, editor, Computer Algebra, Lecture Notes inComputer Science No. 144., pages 109{116. SpringerVerlag, 1982. Also available from Edinburgh as DAIResearch Paper 171.[vanHarmelen & group 96] van Harmelen and MRG group. The Clam proof plan-ner, user manual and programmer manual (version2.5). Technical report, Department of Articial In-telligence, University of Edinburgh, 1996.[Walsh et al 92] T. Walsh, A. Nunes, and Alan Bundy. The use ofproof plans to sum series. In D. Kapur, editor, 11thConference on Automated Deduction, pages 325{339.Springer Verlag, 1992. Lecture Notes in ComputerScience No. 607. Also available from Edinburgh as DAIResearch Paper 563.[Windley & Coe 94] P.J. Windley and M.L. Coe. A correctness modelfor pipelined microprocessors. In 2nd Conference onTheorem Provers in Circuit Design, Lecture Notes
Bibliography 178in Computer Science, pages 35{54. Springer-Verlag,1994.[Wong 93] Wai Wong. Formal verication of VIPER's ALU.Technical Report 300, University of Cambridge Com-puter Laboratory, 1993.[Yoeli 90] Michael Yoeli. Formal Verication of HardwareDesign. IEEE Computer Society Press, 1990.
Appendix AObject level denitionsThis appendix describes basic denitions on types, as well as rewrite equationsfor operations and conversion functions on types. An Oyster denition has theform: term1<==>term2. A rewrite equation has the form of an Oyster theorem:[hyp1,...,hypn]==>formula in Type.A.1 Types{bool}<==>unary\unary{true}<==>inl(unit){false}<==>inr(unit){word}<==>{bool} listwordn(n)<==>{w:{word}\length(w)=n in pnat}memn(n)<==>wordn(n) listsignal<==>(pnat=>{word})signaln(n)<==>(pnat=>wordn(n))state<==>(memn(16)#wordn(13)#wordn(16)#{bool})imp_state<==>(memn(16)#wordn(13)#wordn(16)#{bool}#wordn(16)#wordn(13)#wordn(16)#wordn(16)#wordn(5)#{bool})A.2 Operations on typesA.2.1 BooleansNOT[]==>(not{false})={true}in{bool}[]==>(not{true})={false}in{bool}AND[]==>y:{bool}=>(y and{false})={false}in{bool}[]==>y:{bool}=>({false}and y)={false}in{bool}[]==>({true}and{true})={true} 179
Appendix A. Object level denitions 180OR[]==>y:{bool}=>(y or{true})={true}in{bool}[]==>y:{bool}=>({true}or y)={true}in{bool}[]==>({false}or{false})={false}in{bool}XOR[]==>y:{bool}=>xor(y,y)={false}in{bool}[]==>xor({true},{false})={true}in{bool}[]==>xor({false},{true})={true}in{bool}A.2.2 Natural numbersPLUS[]==>y:pnat=>plus(0,y)=y in pnat[]==>x:pnat=>y:pnat=>plus(s(x),y)=s(plus(x,y))in pnatTIMES[]==>y:pnat=>times(0,y)=0 in pnat[]==>x:pnat=>y:pnat=>times(s(x),y)=plus(times(x,y),y)in pnatEXPONENTIATION[]==>n:pnat=>exp(n,0)=s(0)in pnat[]==>n:pnat=>i:pnat=>exp(n,s(i))=times(n,exp(n,i))in pnatFACTORIAL[]==>fac(0)=s(0)in pnat[]==>n:pnat=>fac(s(n))=times(s(n),fac(n))in pnatPREDECESSOR[]==>pred(0)=0 in pnat[]==>x:pnat=>pred(s(x))=x in pnatMINUS[]==>x:pnat=>minus(x,0)=x in pnat[]==>y:pnat=>minus(0,y)=0 in pnat[]==>x:pnat=>y:pnat=>minus(s(x),s(y))=minus(x,y) in pnatLESS[]==>x:pnat=>less(x,0)=void in u(1)[]==>x:pnat=>less(0,x)= (x=0 in pnat=>void)in u(1)[]==>x:pnat=>y:pnat=>less(s(x),s(y))=less(x,y)in u(1)QUOTIENT[]==>x:pnat=>quot(x,0)=0 in pnat[]==>x:pnat=>y:pnat=>less(x,y)=>quot(x,y)=0 in pnat[]==>x:pnat=>y:pnat=>quot(plus(x,y),y)=s(quot(x,y)) in pnatREMAINER[]==>x:pnat=>rem(x,0)=0 in pnat[]==>x:pnat=>y:pnat=>less(x,y)=>rem(x,y)=x in pnat[]==>x:pnat=>y:pnat=>rem(plus(x,y),y)=rem(x,y) in pnatHALF[]==>half(0)=0 in pnat[]==>half(s(0))=0 in pnat[]==>n:pnat=>half(s(s(n)))=s(half(n))in pnat
Appendix A. Object level denitions 181A.2.3 ListsAPPEND[]==>l:{word}=>app(nil,l)=l in{word}[]==>h:{bool}=>l1:{word}=>l2:{word}=>app(h::l1,l2)=h::app(l1,l2)in{word}LENGTH[]==>length(nil)=0 in pnat[]==>h:{bool}=>l:{word}=>length(h::l)=s(length(l))in pnatREVERSE[]==>rev(nil)=nil in {word}[]==>h:{bool}=>l:{word}=>rev(h::l)=app(rev(l),h::nil)in {word}A.2.4 WordsNOT[]==>not_word(nil)=nil in {word}[]==>a:{bool}=>x:{word}=>not_word(a::x)= (not a)::not_word(x) in {word}AND[]==>and_word(nil,nil)=nil in {word}[]==>a:{bool}=>b:{bool}=>x:{word}=>y:{word}=>and_word(a::x,b::y)= and(a,b)::and_word(x,y) in {word}OR[]==>or_word(nil,nil)=nil in {word}[]==>a:{bool}=>b:{bool}=>x:{word}=>y:{word}=>or_word(a::x,b::y)= or(a,b)::or_word(x,y) in {word}XOR[]==>xor_word(nil,nil)=nil in {word}[]==>a:{bool}=>b:{bool}=>x:{word}=>y:{word}=>xor_word(a::x,b::y)=xor(a,b)::xor_word(x,y) in {word}A.3 Conversion functionsBOOL TO NAT[]==>bool2nat({false})=0 in pnat[]==>bool2nat({true})=s(0)in pnatNAT TO BOOL[]==>nat2bool(0)={false}in{bool}[]==>n:pnat=>nat2bool(s(n))= not(nat2bool(n)) in {bool}WORD TO NAT[]==>word2nat(nil)=0 in pnat[]==>a:{bool}=>x:{word}=>word2nat(a::x)=plus(bool2nat(a),times(s(s(0)),word2nat(x)))in pnatWORD TO NAT (LITTLE ENDIAN)
Appendix A. Object level denitions 182[]==>word2nat_le(nil)=0 in pnat[]==>h:{bool}=>t:{word}=> word2nat_le(h::t)=plus(times(bool2nat(h),exp(s(s(0)),length(t))),word2nat_le(t))in pnatWORD TO NAT (EXPLICIT PARAMETER)[]==>w:{word}=>word2nat_ep(0,w)=0 in pnat[]==>n:pnat=>w:{word}=> word2nat_ep(s(n),w)=plus(bool2nat(hd(w)),times(s(s(0)),word2nat_ep(n,tl(w)))) in pnatNAT TO WORD[]==>n:pnat=>nat2word(0,n)=nil in{word}[]==>n:pnat=>m:pnat=>nat2word(s(n),m)=nat2bool(m)::nat2word(n,half(m)) in {word}A.4 Conditional functionsIF (BOOL-WORD)[]==>a:{word}=>b:{word}=>if({false},{false},a,b)=a in{word}[]==>a:{word}=>b:{word}=>if({false},{true},a,b)=b in{word}[]==>a:{word}=>b:{word}=>if({true},{false},a,b)=b in{word}[]==>a:{word}=>b:{word}=>if({true},{true},a,b)=a in{word}IF (BOOL-NAT)[]==>a:pnat=>b:pnat=>ifbn({false},{false},a,b)=a in pnat[]==>a:pnat=>b:pnat=>ifbn({false},{true},a,b)=b in pnat[]==>a:pnat=>b:pnat=>ifbn({true},{false},a,b)=b in pnat[]==>a:pnat=>b:pnat=>ifbn({true},{true},a,b)=a in pnatIF (NAT-BOOL)[]==>x:pnat=>y:pnat=>a:{bool}=>b:{bool}=>x=y in pnat=>if_nb(x,y,a,b)=a in{bool}[]==>x:pnat=>y:pnat=>a:{bool}=>b:{bool}=> (x=y in pnat=>void)=>if_nb(x,y,a,b)=b in{bool}IF (NAT-WORD)[]==>x:pnat=>y:pnat=>a:{word}=>b:{word}=>x=y in pnat=>if_nw(x,y,a,b)=a in {word}[]==>x:pnat=>y:pnat=>a:{word}=>b:{word}=>(x=y in pnat=>void)=>if_nw(x,y,a,b)=b in {word}
Appendix BNon recursive circuitsThis appendix describes the implementation, the specication and the conjectureof non-recursive circuits: half adder, full adder, 1-bit ALU and multiplexer.B.1 Half adderIMPLEMENTATION[]==>x:{bool}=>ci:{bool}=>ha_sum(x,ci)=xor(x,ci)in{bool}[]==>x:{bool}=>ci:{bool}=>ha_carry(x,ci)= (x and ci)in{bool}CONJECTURE:[]==>a:{bool}=>b:{bool}=>word2nat(ha_sum(a,b)::ha_carry(a,b)::nil)=plus(bool2nat(a),bool2nat(b))in pnatB.2 Full adderIMPLEMENTATION[]==>a:{bool}=>b:{bool}=>ci:{bool}=>fa_sum(a,b,ci)=xor(xor(a,b),ci) in {bool}[]==>a:{bool}=>b:{bool}=>ci:{bool}=>fa_carry(a,b,ci)= (xor(a,b)and ci or a and b) in {bool}CONJECTURE:[]==>a:{bool}=>b:{bool}=>ci:{bool}=>word2nat(fa_sum(a,b,ci)::fa_carry(a,b,ci)::nil)=plus(bool2nat(a),plus(bool2nat(b),bool2nat(ci)))in pnat183
Appendix B. Non recursive circuits 184B.3 1-bit ALUIMPLEMENTATION[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>a:{bool}=>b:{bool}=>ci:{bool}=>alu_sum(s0,s1,s2,a,b,ci)=fa_sum(or(and(and(s2,and(not(s1),not(s0))),b),or(and(and(s2,and(s1,not(s0))),not(b)),a)),or(and(b,s0),and(not(b),s1)),and(ci,not(s2))) in bool}[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>a:{bool}=>b:{bool}=>ci:{bool}=>alu_carry(s0,s1,s2,a,b,ci)=and(not(s2),fa_carry(or(and(and(s2,and(not(s1),not(s0))),b),or(and(and(s2,and(s1,not(s0))),not(b)),a)),or(and(b,s0),and(not(b),s1)),and(ci,not(s2)))) in {bool}CONJECTURE:[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>a:{bool}=>b:{bool}=>ci:{bool}=>word2nat(alu_sum(s0,s1,s2,a,b,ci)::alu_carry(s0,s1,s2,a,b,ci)::nil)=alu_spec(s0,s1,s2,a::nil,b::nil,ci)in pnatB.4 4-1 MultiplexerIMPLEMENTATION[]==>h0:{bool}=>h1:{bool}=>x0:{bool}=>x1:{bool}=>x2:{bool}=>x3:{bool}=>mux(h0,h1,x0,x1,x2,x3)=or(and(x0,and(not(h1),not(h0))),
Appendix B. Non recursive circuits 185or(and(x1,and(not(h1),h0)),or(and(and(x2,and(h1,not(h0))),and(x3,and(h1,h0)))))) ) in {bool}SPECIFICATION:[]==>x:{word}=>muxSpec(0) of x=hd(x) in{bool}[]==>n:pnat=>x:{word}=>mux_spec(s(n),x)=mux_spec(n,tl(x))in{bool}CONJECTURE[]==>h0:{bool}=>h1:{bool}=>x0:{bool}=>x1:{bool}=>x2:{bool}=>x3:{bool}=>mux_spec(word2nat(h0::h1::nil),x0::x1::x2::x3::nil)=mux(h0,h1,x0,x1,x2,x3)in{bool}
Appendix CIncrementerThis appendix describes the implementation, the specication, the conjecture, theproof planning script, the proof script, and lists the methods used.C.1 FormalisationIMPLEMENTATION[]==>ci:{bool}=>inc(nil,ci)=ci::nil in{word}[]==>ci:{bool}=>a:{bool}=>x:{word}=>inc(a::x,ci)=ha_sum(a,ci)::inc(x,ha_carry(a,ci))in{word}CONJECTURE[]==>x:{word}=>ci:{bool}=>word2nat(inc(x,ci))=plus(word2nat(x),bool2nat(ci))in pnatC.2 Proof planScript of the proof planning generated by Clam using the depth-rst planner:runtime(dplan,T).induction([v0::v1],[x:{word}])then[sym_eval(eval_def([1,2,1],[word2nat1,equ(left)])then[eval_def([2,1],[plus1,equ(left)])then[eval_def([1,1,1],[inc1,equ(left)])then[eval_def([1,1],[word2nat2,equ(left)])then[eval_def([2,1,1],[times2,equ(left)])then[eval_def([2,2,1,1],[word2nat1,equ(left)])then[eval_def([1,2,1,1],[times2,equ(left)])then[eval_def([2,1,2,1,1],[word2nat1,equ(left)])then[eval_def([1,1,2,1,1],[times1,equ(left)])then[eval_def([1,2,1,1],[plus1,equ(left)])then[eval_def([2,1,1],[plus1,equ(left)])then186
Appendix C. Incrementer 187[term_cancel(ci:{bool}=>0=0 in pnat)then[elementary(intro(new[ci])then[identity,wfftacs])]]]]]]]]]]]]),step_case(ripple(wave([1,2,1],[word2nat2,equ(left)],[])then[wave([1,1,1],[inc2,equ(left)],[])then[wave([1,1],[word2nat2,equ(left)],[])then[unblock(eval_def,[2,1,1],[times2,equ(left)])then[unblock(eval_def,[1,2,1,1],[times2,equ(left)])then[unblock(eval_def,[1,1,2,1,1],[times1,equ(left)])then[unblock(eval_def,[1,2,1,1],[plus1,equ(left)])then[unblock(eval_def,[1,1,1,1],[ha_sum1,equ(left)])then[unblock(eval_def,[2,1,1,2,1,1],[ha_carry1,equ(left)])then[unblock(eval_def,[2,1,2,2,1,1],[ha_carry1,equ(left)])then[unblock(eval_def,[2,1,2,1],[times2,equ(left)])then[unblock(eval_def,[1,2,1,2,1],[times2,equ(left)])then[unblock(eval_def,[1,1,2,1,2,1],[times1,equ(left)])then[unblock(eval_def,[1,2,1,2,1],[plus1,equ(left)])]]]]]]]]]]]]])then[fertilize(weak,fertilize([weak_fertilize(left,in,[1,2],v2),weak_fertilize(left,in,[2,2],v2)]))])] thensym_eval(term_cancel(ci:{bool}=>plus(bool2nat(xor(v0,ci)),plus(bool2nat(v0 and ci),bool2nat(v0 and ci)))=plus(bool2nat(v0),bool2nat(ci))in pnat)then[bool_cases(v0)then[eval_def([1,2,1],[bool2nat1,equ(left)])then[eval_def([2,1],[plus1,equ(left)])then[eval_def([1,2,2,1,1],[and2,equ(left)])then[eval_def([2,2,1,1],[bool2nat1,equ(left)])then[eval_def([1,1,2,1,1],[and2,equ(left)])then[eval_def([1,2,1,1],[bool2nat1,equ(left)])then[eval_def([2,1,1],[plus1,equ(left)])then[bool_cases(ci)then[eval_def([2,1],[bool2nat1,equ(left)])then[eval_def([1,1,1,1],[xor1,equ(left)])then[eval_def([1,1,1],[bool2nat1,equ(left)])then[eval_def([1,1],[plus1,equ(left)])then[elementary(identity)]]]],eval_def([2,1],[bool2nat2,equ(left)])then[eval_def([1,1,1,1],[xor3,equ(left)])then[eval_def([1,1,1],[bool2nat2,equ(left)])then[eval_def([1,1],[plus2,equ(left)])then[reduction([],cnc_s)then[eval_def([1,1],[plus1,equ(left)])then[elementary(identity)]]]]]]]]]]]]]],eval_def([1,2,1],[bool2nat2,equ(left)])then[eval_def([2,1],[plus2,equ(left)])then[eval_def([1,2,1],[plus1,equ(left)])then[bool_cases(ci)then[eval_def([1,2,1],[bool2nat1,equ(left)])then[eval_def([1,2,2,1,1],[and1,equ(left)])then[eval_def([2,2,1,1],[bool2nat1,equ(left)])then[eval_def([1,1,2,1,1],[and1,equ(left)])then[eval_def([1,2,1,1],[bool2nat1,equ(left)])then[eval_def([2,1,1],[plus1,equ(left)])then[eval_def([1,1,1,1],[xor2,equ(left)])then[eval_def([1,1,1],[bool2nat2,equ(left)])then[eval_def([1,1],[plus2,equ(left)])then
Appendix C. Incrementer 188[reduction([],cnc_s)then[eval_def([1,1],[plus1,equ(left)])then[elementary(identity)]]]]]]]]]]],eval_def([1,2,1],[bool2nat2,equ(left)])then[eval_def([1,2,2,1,1],[and3,equ(left)])then[eval_def([2,2,1,1],[bool2nat2,equ(left)])then[eval_def([1,1,2,1,1],[and3,equ(left)])then[eval_def([1,2,1,1],[bool2nat2,equ(left)])then[eval_def([2,1,1],[plus2,equ(left)])then[eval_def([1,2,1,1],[plus1,equ(left)])then[eval_def([1,1,1,1],[xor1,equ(left)])then[eval_def([1,1,1],[bool2nat1,equ(left)])then[eval_def([1,1],[plus1,equ(left)])then[elementary(identity)]]]]]]]]]]]]]]]])T = 21316 (milliseconds)C.3 ProofScript of the proof generated by Oysterruntime(apply_plan,T).applying tactic at depth 0: ind_strat([v0::v1],[x:{word}])applying tactic at depth 1: sym_eval(...)T = 105750 (milliseconds)C.4 MethodsMethods used in the proof planninglist_methods.sym_eval/1generalise/2normalize/1ind_strat/1
Appendix DMultiplierThis appendix describes the verication of the multiplier: implementation, spe-cication, conjecture, lemmas, proof plan script, proof script, and methods.D.1 FormalisationIMPLEMENTATION[]==>x:{word}=>mult(x,nil)=zeroes(length(x))in{word}[]==>h:{bool}=>x:{word}=>y:{word}=>mult(x,h::y)=adder_le(appnd(mult_one(x,h),zeroes(length(y))),mult(x,y),{false})in{word}CONJECTURE[]==>x:{word}=>y:{word}=>word2nat_le(mult(x,y))=times(word2nat_le(x),word2nat_le(y))in pnatD.2 LemmasVERIFICATION OF N-BIT ADDER[]==>ci:{bool}=>x:{word}=>y:{word}=>word2nat_le(adder_le(x,y,ci))=plus(word2nat_le(x),plus(word2nat_le(y),bool2nat(ci)))in pnatDISTRIBUTIVITY OF MULTIPLICATION OVER ADDITION[]==>a:pnat=>b:pnat=>c:pnat=>times(a,plus(b,c))=plus(times(a,b),times(a,c))in pnata:pnat=>b:pnat=>c:pnat=>times(plus(b,c),a)=plus(times(b,a),times(c,a))in pnatASSOCIATIVITY OF MULTIPLICATION 189
Appendix D. Multiplier 190[]==>a:pnat=>b:pnat=>c:pnat=>times(a,times(b,c))=times(times(a,b),c)in pnatPLUS ZERO[]==>x:pnat=>plus(x,0)=x in pnatTIMES ZERO[]==>x:pnat=>times(x,0)=0 in pnat\section{Proof plan}\begin{verbatim}(only methods are displayed):ind_strat([v0::v1],[y:{word}]) then[ind_strat([v0::v1],[x:{word}]),sym_eval(...) then[ind_strat([v4::v5],[x:{word}]) thenind_strat([v4::v5],[v1:{word}]),ind_strat([v4::v5],[x:{word}]) then[ind_strat([v4::v5],[v1:{word}]),sym_eval(...) thenind_strat([v8::v9],[v5:{word}]) thenind_strat([v8::v9],[v1:{word}])]]]D.3 Proofruntime(apply_plan,T).applying tactic at depth 0: ind_strat([v0::v1],[y:{word}])applying tactic at depth 1: ind_strat([v0::v1],[x:{word}])applying tactic at depth 1: sym_eval(...)applying tactic at depth 2: ind_strat([v4::v5],[x:{word}])applying tactic at depth 3: ind_strat([v4::v5],[v1:{word}])applying tactic at depth 2: ind_strat([v4::v5],[x:{word}])applying tactic at depth 3: ind_strat([v4::v5],[v1:{word}])applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: ind_strat([v8::v9],[v5:{word}])applying tactic at depth 5: ind_strat([v8::v9],[v1:{word}])T = 334617 (milliseconds)D.4 Methodslist_methods.sym_eval/1normalize/1ind_strat/1generalise/2
Appendix EGordon computerThis appendix describes the verication of the Gordon computer: implementation,specication, conjecture, lemmas, script of proof planning, script of proof, andmethods used.E.1 Formalisation===================================================IMPLEMENTATION[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>computerImp(t,swt,knob,button)=(memory(t,swt,knob,button)&pc(t,swt,knob,button)&acc(t,swt,knob,button)&idle(t,swt,knob,button)&buffer(t,swt,knob,button)&mar(t,swt,knob,button)&ir(t,swt,knob,button)&arg(t,swt,knob,button)&mpc(t,swt,knob,button)&ready(t,swt,knob,button))in imp_stateMEMORY[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>memory(s(t),swt,knob,button)=if(memctlB(t,swt,knob,button),{true},store(mar(t,swt,knob,button),191
Appendix E. Gordon computer 192bus(t,swt,knob,button),memory(t,swt,knob,button)),memory(t,swt,knob,button))in memn(16)PROGRAM COUNTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>pc(s(t),swt,knob,button)=if(wpc(t,swt,knob,button),{false},pc(t,swt,knob,button),cut(bus(t,swt,knob,button)))in wordn(13)ACCUMULATOR[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>acc(s(t),swt,knob,button)=if(wacc(t,swt,knob,button),{false},acc(t,swt,knob,button),bus(t,swt,knob,button))in wordn(16)IDLE FLAG[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>idle(t,swt,knob,button)=mc_idle(mpc(t,swt,knob,button)) in {bool}MICROCODE (IDLE)[]==>mc_idle({false}::{false}::{false}::{false}::{false}::nil)={true}in {bool}...[]==>mc_idle({true}::{true}::{true}::{true}::{true}::nil)={false}in {bool}BUFFER REGISTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>buffer(s(t),swt,knob,button)=if(aluctlB(t,microcode(mpc(p,swt,knob,button))),{false},if(aluctlA(t,microcode(mpc(p,swt,knob,button))),{false},bus(t,swt,knob,button),inc_g(bus(t,swt,knob,button))),
Appendix E. Gordon computer 193if(aluctlA(p,microcode(mpc(p,swt,knob,button))),{false},add_g(arg(t,swt,knob,button),bus(t,swt,knob,button),{false}),subt_g(arg(t,swt,knob,button),bus(t,swt,knob,button),{false})))in wordn(16)MEMORY ADDRESS REGISTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>mar(s(t),swt,knob,button)=if(wmar(t,swt,knob,button),{false},mar(t,swt,knob,button),cut(bus(t,swt,knob,button)))in wordn(13)INSTRUCTION REGISTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>ir(s(t),swt,knob,button)=if(wir(t,swt,knob,button),{false},ir(t,swt,knob,button),bus(t,swt,knob,button))in wordn(16)ARGUMENT REGISTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>arg(s(t),swt,knob,button)=if(warg(t,swt,knob,button),{false},arg(t,swt,knob,button),bus(t,swt,knob,button))in wordn(16)MICROCODE PROGRAM COUNTER[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>mpc(s(t),swt,knob,button)=if(testC(t,swt,knob,button),{false},if(testB(t,swt,knob,button),{false},if(testA(t,swt,knob,button),{false},address_a(t,swt,knob,button),if(button of t,{false},address_a(t,swt,knob,button),address_b(t,swt,knob,button))),if(testA(t,swt,knob,button),{false},
Appendix E. Gordon computer 194pnatEq(word2nat_le(acc(t,swt,knob,button)),0,address_b(t,swt,knob,button),address_a(t,swt,knob,button)),tl(adder_le({false}::{false}::{false}::knob of t,address_a(t,swt,knob,button),{false})))),if(testB(t,swt,knob,button),{false},if(testA(t,swt,knob,button),{false},tl(adder_le({false}::{false}::opcode,address_a(t,swt,knob,button),{false})),address_a(t,swt,knob,button)),address_a(t,swt,knob,button)))in wordn(5)READY FLAG[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>ready(t,swt,knob,button)=mc_ready(mpc(t,swt,knob,button))in {bool}===================================================SPECIFICATION OF THE GORDON COMPUTERSEMANTICS OF INSTRUCTIONS% HALT idle=false,button=false,knob=X,opc=000[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({false}::{false}::{false}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_halt(computer(u,swt,knob,button))in state% JUMP id=false,button=false,knob=X,opc=001,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({false}::{false}::{true}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_jump(computer(u,swt,knob,button))in state% JZR jump if zero% id=false,button=false,knob=X,opc=010,ac=zeroes
Appendix E. Gordon computer 195[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({false}::{true}::{false}::nil)in wordn(3)#word2nat_le(acc(microtime(u,swt,knob,button),swt,knob,button))=0in pnat)=>computer(s(u),swt,knob,button) =execute_jzr(computer(u,swt,knob,button))in state% JZR jump if non-zero% id=false,button=false,knob=X,opc=010,ac=no zeroes[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({false}::{true}::{false}::nil)in wordn(3)#word2nat(acc(microtime(u,swt,knob,button),swt,knob,button))=0in pnat=>void)=>computer(s(u),swt,knob,button) =execute_jnozr(computer(u,swt,knob,button))in state% ADD id=false,button=false,knob=X,opc=011,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({false}::{true}::{true}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_add(computer(u,swt,knob,button))in state% SUBTRACT id=false,button=false,knob=X,opc=100,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#
Appendix E. Gordon computer 196opcode=({true}::{false}::{false}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_sub(computer(u,swt,knob,button))in state% LOAD id=false,button=false,knob=X,opc=101,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({true}::{false}::{true}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_load(computer(u,swt,knob,button))in state% STORE id=false,button=false,knob=X,opc=110,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({true}::{true}::{false}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_store(computer(u,swt,knob,button))in state% SKIP id=false,button=false,knob=X,opc=111,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool}#opcode=({true}::{true}::{true}::nil)in wordn(3))=>computer(s(u),swt,knob,button) =execute_skip(computer(u,swt,knob,button))in state% STOP EXECUTE-1 WHEN IS RUNNING% id=false,button=true,knob=X,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={false}in {bool}#
Appendix E. Gordon computer 197button of microtime(u,swt,knob,button)={true} in {bool})=>computer(s(u),swt,knob,button) =stop_execute(computer(u,swt,knob,button))in state% STOP EXECUTE-2 WHEN IT'S IDLEING% id=true,button=false,knob=X,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={true}in {bool}#button of microtime(u,swt,knob,button)={false} in {bool})=>computer(s(u),swt,knob,button) =stop_operation(computer(u,swt,knob,button))in state% LOAD PC id=true,button=true,knob=00,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={true}in {bool}#button of microtime(u,swt,knob,button)={true} in {bool}#knob of microtime(u,swt,knob,button)={false}::{false}::nilin wordn(2))=>computer(s(u),swt,knob,button) =load_pc(computer(u,swt,knob,button),swt of microtime(u,swt,knob,button))in state% LOAD ACC id=true,button=true,knob=01,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={true}in {bool}#button of microtime(u,swt,knob,button)={true} in {bool}#knob of microtime(u,swt,knob,button)={false}::{true}::nilin wordn(2))=>computer(s(u),swt,knob,button) =load_acc(computer(u,swt,knob,button),swt of microtime(u,swt,knob,button))in state% LOAD MEM id=true,button=true,knob=10,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={true}in {bool}#button of microtime(u,swt,knob,button)={true} in {bool}#
Appendix E. Gordon computer 198knob of microtime(u,swt,knob,button)={true}::{false}::nilin wordn(2))=>computer(s(u),swt,knob,button) =load_mem(computer(u,swt,knob,button))in state% START EXECUTE id=true,button=true,knob=11,opc=X,ac=X[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>(idle(microtime(u,swt,knob,button),swt,knob,button)={true}in {bool}#button of microtime(u,swt,knob,button)={true} in {bool}#knob of microtime(u,swt,knob,button)={true}::{true}::nilin wordn(2))=>computer(s(u),swt,knob,button) =start_execute(computer(u,swt,knob,button))in stateAUXILIARY FUNCTIONS (definition and rewrite equation):EXECUTE HALT[]==>x:state=>execute_halt(x)=fst(x)&snd(x)&trd(x)&{true}in stateEXECUTE JUMP[]==>x:state=>execute_jump(x)=fst(x)&cut(fetch(snd(x),fst(x)))&trd(x)&{false}in stateEXECUTE JUMP ON ZERO[]==>x:state=>execute_jzr(x)=(fst(x)&cut(fetch(snd(x),fst(x)))&trd(x)&{false})in stateEXECUTE JUMP IF NO ZERO[]==>x:state=>execute_jnozr(x)=(fst(x)&inc_g(snd(x))&trd(x)&{false})in stateEXECUTE ADD[]==>x:state=>execute_add(x)=(fst(x)&inc_g(snd(x))&add_g(trd(x),fetch(cut(fetch(snd(x),fst(x))),fst(x)),{false})&{false})in stateEXECUTE SUBTRACT[]==>x:state=>
Appendix E. Gordon computer 199execute_sub(x)=(fst(x)&inc_g(snd(x))&subt_g(trd(x),fetch(cut(fetch(snd(x),fst(x))),fst(x)),{false})&{false})in stateEXECUTE LOAD[]==>x:state=>execute_load(x)=(fst(x)&inc_g(snd(x))&fetch(cut(fetch(snd(x),fst(x))),fst(x))&{false})in stateEXECUTE STORE[]==>x:state=>execute_store(x)=(store(cut(fetch(snd(x),fst(x))),trd(x),fst(x))&inc_g(snd(x))&trd(x)&{false})in stateEXECUTE SKIP[]==>x:state=>execute_skip(x)=(fst(x)&inc_g(snd(x))&trd(x)&{false})in stateSTOP EXECUTION[]==>x:state=>stop_execute(x)=(fst(x)&snd(x)&trd(x)&{true})in stateSTOP OPERATION[]==>x:state=>stop_operation(x)=(fst(x)&snd(x)&trd(x)&{true})in stateLOAD PROGRAM COUNTER[]==>x:state=>swt:wordn(16)=>load_pc(x,swt)=(fst(x)&cut(swt)&trd(x)&{true}) in stateLOAD ACCUMULATOR[]==>x:state=>swt:wordn(16)=>load_acc(x,swt)=(fst(x)&snd(x)&swt&{true}) in stateLOAD MEMORY[]==>x:state=>load_mem(x)=(store(snd(x),trd(x),fst(x))& snd(x)& trd(x)& {true})in stateSTART EXECUTE[]==>x:state=>start_execute(x)=(fst(x)&snd(x)&trd(x)&{false})in state
Appendix E. Gordon computer 200TIME ABSTRACTION[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>microtime(s(u),swt,knob,button)=iterate_time(u,swt,knob,button)in pnatiterate_time(u,swt,knob,button)<==>term_of(iterate_time)of u of swt ofknob of button.[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>iterate_time(u,swt,knob,button)=next_time(microtime(u,swt,knob,button),swt,knob,button)in pnatnext_time(t,swt,knob,button)<==>term_of(next_time)of t of swt of knob of button.[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>next_time(t,swt,knob,button)=if(ready(s(t),swt,knob,button),{false},next_time(s(t),swt,knob,button),s(t))in pnat===================================================LEMMASSTABILITY:stable(signal,t1,t2)<==>p:pnat=>(less(t1,p)#less(p,t2))=>signal of p=signal of t1 in {word}.[]==>n:pnat=>t1:pnat=>t2:pnat=>sig:signaln(n)=>stable(sig,t1,t2)=>t:pnat=>(less(t1,t)#less(t,t2))=>sig of s(t)=sig of t in{word}13-16 BITS[]==>t:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>tl(tl(tl(inc_g({false}::{false}::{false}::pc(t,swt,knob,button)))))=inc_g(pc(t,swt,knob,button))in wordn(13)
Appendix E. Gordon computer 201===================================================CONJECTURE (difference match version)[]==>u:pnat=>swt:signaln(16)=>knob:signaln(2)=>button:flag=>stable(swt,microtime(u,swt,knob,button),microtime(s(u),swt,knob,button))=>stable(knob,microtime(u,swt,knob,button),microtime(s(u),swt,knob,button))=>mpc(microtime(u,swt,knob,button),swt,knob,button)={false}::{false}::{false}::{false}::{false}::nilin wordn(5)=>abs_imp(computerImp(microtime(u,swt,knob,button),swt,knob,button))=computer(u,swt,knob,button) in state=>abs_imp(computerImp(microtime(s(u),swt,knob,button),swt,knob,button))=computer(s(u),swt,knob,button) in stateE.2 Proof planThis is the proof plan for the dierence match version of the conjecture. Thestructure of the methods applied is displayed. The method sym eval and the sub-method eval def produce a large number of rewrite steps, thus they are shownunfolded.diff_match(abs_imp(computerImp(microtime(``s({u})''<out>,swt,knob,button),swt,knob,button))=computer(``s({u})''<out>,swt,knob,button))then[step_case(ripple(direction_out,strong,casesplit([idle(microtime(u,swt,knob,button),swt,knob,button)={true}in{bool}#button of microtime(u,swt,knob,button)={true}in{bool}#knob of microtime(u,swt,knob,button)={true}::{true}::nilin wordn(2),idle(microtime(u,swt,knob,button),swt,knob,button)={true}in{bool}#button of microtime(u,swt,knob,button)={true}in{bool}#knob of microtime(u,swt,knob,button)={true}::{false}::nilin wordn(2),idle(microtime(u,swt,knob,button),swt,knob,button)={true}in{bool}#button of microtime(u,swt,knob,button)={true}in{bool}#knob of microtime(u,swt,knob,button)={false}::{true}::nilin wordn(2),idle(microtime(u,swt,knob,button),swt,knob,button)={true}in{bool}#
Appendix E. Gordon computer 202button of microtime(u,swt,knob,button)={true}in{bool}#knob of microtime(u,swt,knob,button)={false}::{false}::nilin wordn(2),idle(microtime(u,swt,knob,button),swt,knob,button)={true}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool},idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={true}in{bool},idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={true}::{true}::{true}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={true}::{true}::{false}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={true}::{false}::{true}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={true}::{false}::{false}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={false}::{true}::{true}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={false}::{true}::{false}::nil in wordn(3)#word2nat_le(acc(microtime(u,swt,knob,button),swt,knob,button))=0in pnat=>void,idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={false}::{true}::{false}::nil in wordn(3)#word2nat_le(acc(microtime(u,swt,knob,button),swt,knob,button))=0in pnat,idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={false}::{false}::{true}::nil in wordn(3),idle(microtime(u,swt,knob,button),swt,knob,button)={false}in{bool}#button of microtime(u,swt,knob,button)={false}in{bool}#opcode={false}::{false}::{false}::nil in wordn(3)])then[wave(direction_out,[2,1],[computer15,equ(left)],[]) thenunblock(eval_def,[2,1],[start_execute1,equ(left)]),wave(direction_out,[2,1],[computer14,equ(left)],[]) thenunblock(eval_def,[2,1],[load_mem1,equ(left)]),wave(direction_out,[2,1],[computer13,equ(left)],[]) thenunblock(eval_def,[2,1],[load_acc1,equ(left)]),wave(direction_out,[2,1],[computer12,equ(left)],[]) thenunblock(eval_def,[2,1],[load_pc1,equ(left)]) thenunblock(eval_def,[1,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer11,equ(left)],[]) then
Appendix E. Gordon computer 203unblock(eval_def,[2,1],[stop_operation1,equ(left)]),wave(direction_out,[2,1],[computer10,equ(left)],[]) thenunblock(eval_def,[2,1],[stop_execute1,equ(left)]),wave(direction_out,[2,1],[computer9,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_skip1,equ(left)]),wave(direction_out,[2,1],[computer8,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_store1,equ(left)]) thenunblock(eval_def,[1,1,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer7,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_load1,equ(left)]) thenunblock(eval_def,[1,1,2,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer6,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_sub1,equ(left)]) thenunblock(eval_def,[1,2,1,2,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer5,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_add1,equ(left)]) thenunblock(eval_def,[1,2,1,2,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer4,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_jnozr1,equ(left)]),wave(direction_out,[2,1],[computer3,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_jzr1,equ(left)]) thenunblock(eval_def,[1,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer2,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_jump1,equ(left)]) thenunblock(eval_def,[1,2,2,1],[cut1,equ(left)]),wave(direction_out,[2,1],[computer1,equ(left)],[]) thenunblock(eval_def,[2,1],[execute_halt1,equ(left)])]) then[fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...]),fertilize(weak,[...])]) then[sym_eval(...),sym_eval(...),sym_eval(...),sym_eval(...),sym_eval(...),change_mpc(v3) then[sym_eval(...)],change_mpc(v3)then[sym_eval(...)then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]],
Appendix E. Gordon computer 204change_mpc(v3)then[sym_eval(...)then[generalise(tl(tl(tl(fetch(pc(microtime(u,swt,knob,button),swt,knob,button),memory(microtime(u,swt,knob,button),swt,knob,button))))),v43:{word})then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]]],change_mpc(v3)then[sym_eval(...)then[generalise(tl(tl(tl(fetch(pc(microtime(u,swt,knob,button),swt,knob,button),memory(microtime(u,swt,knob,button),swt,knob,button))))),v38:{word})then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]]],change_mpc(v3)then[sym_eval(...)then[generalise(tl(tl(tl(fetch(pc(microtime(u,swt,knob,button),swt,knob,button),memory(microtime(u,swt,knob,button),swt,knob,button))))),v52:{word})then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]]],change_mpc(v3)then[sym_eval(...)then[generalise(tl(tl(tl(fetch(pc(microtime(u,swt,knob,button),swt,knob,button),memory(microtime(u,swt,knob,button),swt,knob,button))))),v52:{word})then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]]],change_mpc(v3)then[sym_eval(...)then[normalize([])then[sym_eval(...),apply_lemma(inc_pc),sym_eval(...),sym_eval(...)]]],change_mpc(v3)then[sym_eval(...)],change_mpc(v3)then[sym_eval(...)],change_mpc(v3)then[sym_eval(...)]]]
Appendix E. Gordon computer 205E.3 ProofThis script corresponds to the execution of the tactic dened by the proof plan.The parameters of the tactics are not unfolded:| ?- runtime(apply_plan,T).applying tactic at depth 0: diff_match(...)applying tactic at depth 1: step_case([...])applying tactic at depth 2: sym_eval(...)applying tactic at depth 2: sym_eval(...)applying tactic at depth 2: sym_eval(...)applying tactic at depth 2: sym_eval(...)applying tactic at depth 2: sym_eval(...)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)
Appendix E. Gordon computer 206applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 4: normalize([])applying tactic at depth 5: elementary(identity)applying tactic at depth 5: generalise(...)applying tactic at depth 6: apply_lemma(inc_pc)applying tactic at depth 5: elementary(identity)applying tactic at depth 5: elementary(identity)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)applying tactic at depth 2: change_mpc(...)applying tactic at depth 3: sym_eval(...)T = 37402334 (milliseconds)E.4 Methodslist_methods.diff_match/1elementary/1step_case/1change_mpc/2sym_eval/1normalize/1generalise/2apply_lemma/1ind_strat/1
Appendix FOther circuitsThis appendix describes the formalisation of other circuits: adder (explicit para-meter), adder (big endian), look-ahead-carry adder, ALU (explicit parameter),ALU (big endian), shifter, processing unit, and other arithmetic circuits.F.1 AdderF.1.1 Explicit parameterIMPLEMENTATION:[]==>x:{word}=>y:{word}=>ci:{bool}=>adder_ep(0,x,y,ci)=ci::nil in{word}[]==>n:pnat=>x:{word}=>y:{word}=>ci:{bool}=>adder_ep(s(n),x,y,ci)=fa_sum(hd(x),hd(y),ci)::adder_ep(n,tl(x),tl(y),fa_carry(hd(x),hd(y),ci))in{word}SPECIFICATION:[]==>n:pnat=>x:{word}=>y:{word}=>ci:{bool}=>adder_ep_spec(n,x,y,ci)=plus(word2nat_ep(n,x),plus(word2nat_ep(n,y),bool2nat(ci)))in pnatCONJECTURE[]==>n:pnat=>ci:{bool}=>x:{word}=>y:{word}=>word2nat_ep(s(n),(adder_ep(n,x,y,ci))) =adder_ep_spec(n,x,y,ci) in pnatF.1.2 Big endianIMPLEMENTATION[]==>ci:{bool}=>adder(nil,nil,ci)=ci::nil in {word}[]==>ci:{bool}=>a:{bool}=>b:{bool}=>x:{word}=>y:{word}=>207
Appendix F. Other circuits 208adder(a::x,b::y,ci)=fa_sum(a,b,ci)::adder(x,y,fa_carry(a,b,ci)) in{word}CONJECTURE[]==>x:{word}=>y:{word}=>ci:{bool}=>length(x)=length(y) in pnat=>word2nat((adder(x,y,ci)))=plus(word2nat(x),plus(word2nat(y),bool2nat(ci))) in pnatF.2 ALUF.2.1 Explicit parameterIMPLEMENTATION:[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>alu_ep(0,s0,s1,s2,x,y,ci)= ((not s2)and ci)::nil in{word}[]==>n:pnat=>s0:{bool}=>s1:{bool}=>s2:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>alu_ep(s(n),s0,s1,s2,x,y,ci)=alu_sum(s0,s1,s2,hd(x),hd(y),ci)::alu_ep(n,s0,s1,s2,tl(x),tl(y),alu_carry(s0,s1,s2,hd(x),hd(y),ci))in{word}SPECIFICATION:[]==>n:pnat=>s0:{bool}=>s1:{bool}=>s2:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>alu_ep_spec(n,s0,s1,s2,x,y,ci)=if(s2,{false},if(s1,{false},if(s0,{false},adder_ep(n,x,nat2word(n,0),ci),adder_ep(n,x,y,ci)),if(s0,{false},adder_ep(n,x,not_ep_word(n,y),ci),adder_ep(n,x,not_ep_word(n,nat2word(n,0)),ci))),if(s1,{false},if(s0,{false},app(or_ep_word(n,x,y),{false}::nil),app(xor_ep_word(n,x,y),{false}::nil)),if(s0,{false},app(and_ep_word(n,x,y),{false}::nil),app(not_ep_word(n,x),{false}::nil))))in{word}CONJECTURE:[]==>n:pnat=>s0:{bool}=>s1:{bool}=>s2:{bool}=>ci:{bool}=>x:{word}=>y:{word}=>alu_ep_spec(n,s0,s1,s2,x,y,ci)=alu_ep(n,s0,s1,s2,x,y,ci)in{word}F.2.2 Big endian
Appendix F. Other circuits 209IMPLEMENTATION[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>ci:{bool}=>alu(s0,s1,s2,nil,nil,ci)=((not s2)and ci)::nil in{word}[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>a:{bool}=>b:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>alu(s0,s1,s2,a::x,b::y,ci)=alu_sum(s0,s1,s2,a,b,ci)::alu(s0,s1,s2,x,y,alu_carry(s0,s1,s2,a,b,ci))in{word}SPECIFICATION[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>a:{word}=>b:{word}=>ci:{bool}=>alu_spec(s0,s1,s2,a,b,ci)=if(s2,{false},if(s1,{false},if(s0,{false},adder(a,nat2word(length(a),0),ci),adder(a,b,ci)),if(s0,{false},adder(a,not_word(b),ci),adder(a,not_word(nat2word(length(a),0)),ci))),if(s1,{false},if(s0,{false},app(or_word(a,b),{false}::nil),app(xor_word(a,b),{false}::nil)),if(s0,{false},app(and_word(a,b),{false}::nil),app(not_word(a),{false}::nil))))in {word}CONJECTURE[]==>a:{word}=>b:{word}=>s2:{bool}=>s1:{bool}=>s0:{bool}=>ci:{bool}=>length(a)=length(b) in pnat=>alu_spec(s0,s1,s2,a,b,ci)=alu(s0,s1,s2,a,b,ci) in{word}F.3 ShifterIMPLEMENTATION:[]==>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>shifter(h0,h1,ir,il,nil)=nil in{word}[]==>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>a:{bool}=>x:{word}=>shifter(h0,h1,ir,il,a::x)=mux(h0,h1,a,ir,hd_or_il(x,il),{false})::shifter(h0,h1,a,il,x)in{word}SPECIFICATION:[]==>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>x:{word}=>shifter_spec(h0,h1,ir,il,x)=if(h1,{false},if(h0,{false},x,shift_right(x,ir)),
Appendix F. Other circuits 210if(h0,{false},shift_left(x,il),nat2word(length(x),0)))in{word}shift_right(x,ir)<==>term_of(shift_right)of x of ir.[]==>ir:{bool}=>shift_right(nil,ir)=nil in{word}[]==>x:{word}=>a:{bool}=>ir:{bool}=>shift_right(a::x,ir)=ir::shift_right(x,a)in{word}shift_left(x,il)<==>term_of(shift_left)of x of il.[]==>il:{bool}=>shift_left(nil,il)=nil in{word}[]==>x:{word}=>a:{bool}=>il:{bool}=>shift_left(a::x,il)=app(x,il::nil)in{word}CONJECTURE:[]==>x:{word}=>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>shifter_spec(h0,h1,ir,il,x)=shifter(h0,h1,ir,il,x)in{word}F.4 Processing unitIMPLEMENTATION:[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>processor(s0,s1,s2,h0,h1,ir,il,x,y,ci)=shifter(h0,h1,ir,il,alu(s0,s1,s2,x,y,ci)) in {word}SPECIFICATION:[]==>s0:{bool}=>s1:{bool}=>s2:{bool}=>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>x:{word}=>y:{word}=>ci:{bool}=>processor_spec(s0,s1,s2,h0,h1,ir,il,x,y,ci)=shifter_spec(h0,h1,ir,il,alu(s0,s1,s2,x,y,ci)) in {word}CONJECTURE:[]==>x:{word}=>y:{word}=>ci:{bool}=>s0:{bool}=>s1:{bool}=>s2:{bool}=>h0:{bool}=>h1:{bool}=>ir:{bool}=>il:{bool}=>shifter_spec(h0,h1,ir,il,alu_spec(s0,s1,s2,x,y,ci))=shifter(h0,h1,ir,il,alu(s0,s1,s2,x,y,ci))in{wordF.5 Other arithmetic operationsF.5.1 AdderIMPLEMENTATION:[]==>y:{word}=>plus_word(nil,y)=y in{word}[]==>x:{word}=>y:{word}=>plus_word(i(x),y)=i(plus_word(x,y))in{word}CONJECTURE:
Appendix F. Other circuits 211[]==>x:{word}=>y:{word}=>plus(word2nat(x),word2nat(y))=word2nat(plus_word(x,y))in pnatF.5.2 MultiplierIMPLEMENTATION:[]==>y:{word}=>times_word(nil,y)=nil in{word}[]==>x:{word}=>y:{word}=>times_word(i(x),y)=plus_word(times_word(x,y),y)in{word}CONJECTURE:[]==>x:{word}=>y:{word}=>times(word2nat(x),word2nat(y))=word2nat(times_word(x,y))in pnatF.5.3 ExponentiatorIMPLEMENTATION:[]==>x:{word}=>exp_word(x,nil)={true}::nil in{word}[]==>x:{word}=>y:{word}=>exp_word(x,i(y))=times_word(x,exp_word(x,y))in{word}CONJECTURE:[]==>x:{word}=>y:{word}=>exp(word2nat(x),word2nat(y))=word2nat(exp_word(x,y))in pnatF.5.4 FactorialIMPLEMENTATION:[]==>fac_word(nil)={true}::nil in{word}[]==>x:{word}=>y:{word}=>exp_word(x,i(y))=times_word(x,exp_word(x,y))in{word}CONJECTURE:[]==>x:{word}=>fac(word2nat(x))=word2nat(fac_word(x)) in pnatF.5.5 SubtracterIMPLEMENTATION:[]==>x:{word}=>minus_word(x,nil)=x in{word}[]==>y:{word}=>minus_word(nil,y)=nil in{word}[]==>x:{word}=>y:{word}=>minus_word(x,i(y))=dec(minus_word(x,y))in{word}CONJECTURE:[]==>y:{word}=>x:{word}=>
Appendix F. Other circuits 212minus(word2nat(x),word2nat(y))=word2nat(minus_word(x,y))in pnatF.5.6 DividerIMPLEMENTATION:QUOTIENT[]==>x:{word}=>div_word(x,nil)=nil in{word}[]==>x:{word}=>y:{word}=>less(word2nat(x),word2nat(y))=>div_word(x,y)=nil in {word}[]==>x:{word}=>y:{word}=>(less(word2nat(x),word2nat(y))=>void)=>div_word(plus_word(x,y),y)=i(div_word(x,y))in{word}REMAINER:[]==>x:{word}=>rem_word(x,nil)=nil in{word}[]==>x:{word}=>y:{word}=>less(word2nat(x),word2nat(y))=>rem_word(x,y)=x in{word}[]==>x:pnat=>y:pnat=>(less(word2nat(x),word2nat(y))=>void)=>rem_word(plus_word(x,y),y)=rem_word(x,y) in {word}CONJECTURE:[]==>x:{word}=>y:{word}=>quot(word2nat(x),word2nat(y))=word2nat(div_word(x,y))in pnat[]==>x:{word}=>y:{word}=>rem(word2nat(x),word2nat(y))=word2nat(rem_word(x,y))in pnatF.5.7 CounterIMPLEMENTATION:[]==>reset:flag=>count_imp(reset)of 0=zeroes(length(nil))in{word}[]==>t:pnat=>reset:flag=>count_imp(reset)of s(t)=del(restart(reset,incfun(count_imp(reset))))of s(t)in{word}[]==>x:signal=>del(x)of 0=x of 0 in{word}[]==>t:pnat=>x:signal=>del(x)of s(t)=x of t in{word}[]==>t:pnat=>rs:flag=>x:signal=>restart(rs,x)of t=if(rs of t,{true},nil,x of t)in{word}[]==>t:pnat=>x:signal=>incfun(x)of t=i(x of t)in{word}SPECIFICATION:[]==>reset:flag=>count_spec(reset)of 0=0 in pnat[]==>t:pnat=>reset:flag=>count_spec(reset)of s(t)=ifbn(reset of t,{true},0,s(count_spec(reset)of t))in pnatCONJECTURE:[]==>t:pnat=>reset:flag=>word2nat(count_imp(reset)of t)=count_spec(reset)of t in pnat
Appendix GMethodsIn this appendix we include the main methods used in the proof planning of thecircuit verication conjectures.G.1 Symbolic evaluationThis method applies symbolic evaluation by calling the submethods elementary,equal, reduction, eval def, term cancel, and bool cases.method(sym_eval(SubPlan),HG,[repeat([HG],Goal :=> SubGoals,Method,(member(Method, [elementary(_),equal(_,_),reduction(_,_),eval_def(_,_),term_cancel(_),bool_cases(_)]),applicable_submethod(Goal,Method,_,SubGoals)),[SubPlan],SubGoals),!,SubPlan \= idtac],[],SubGoals,SubPlan).
213
Appendix G. Methods 214G.2 GeneraliseThis method generalises a common term in two subexpressions.method(generalise(Exp,Var:Type),H==>G,[matrix(Vs,M1,G),sinks(M,_,M1), % Strip out sinksmember(M,[(L=R in _),(L=>R),geq(L,R),leq(L,R),greater(L,R),less(L,R),L#R]),exp_at(L,_,Exp),not atomic(Exp),not constant(Exp,_),object_level_term(Exp),exp_at(R,_,Exp),find_type(H,Exp,Type),append(Vs,H,VsH),hfree([Var],VsH)],[strip_meta_annotations(G,NewG1),replace_all(Exp,Var,NewG1, NewG)],[H==>Var:Type=>NewG],generalise(Exp,Var:Type)).G.3 NormaliseThis method applies normalisation operations dened in the submethod normal.method( normalize(NormTacs),OH==>OG,[ \+ member( _:[ihmarker(_,_)|_],OH),exp_at( OG, _, T=>_ ),exp_at( T, _, _=_ in _ ),iterate((OH==>OG) - [],(Goal-Tacs):=>((H==>G)-STacs),(applicable_submethod(Goal,normal(A),_,[H==>G]),STacs = [normal(A)|Tacs]),true,SubGoal-RNormTacs),RNormTacs \= [],!,reverse(RNormTacs,NormTacs)],[],[ SubGoal ],normalize( NormTacs )).
Appendix G. Methods 215G.4 Induction strategyThis method applies the induction strategy.method(ind_strat(induction(Scheme,VarTL) then CasesTactics),H==>G,[applicable_submethod(H==>G,induction(Scheme,VarTL))],[scheme(Scheme,VarTL,H==>G,BSeqs,SSeqs),(map_list(BSeqs,BSeq:=>BSeq1-sym_eval(Ms),applicable_submethod(BSeq,sym_eval(Ms),_,BSeq1),BSeq1sBTs) orelse(BSeq1sBTs = [BSeqs-[idtac]])),zip(BSeq1sBTs,BSeq1s,BaseTactics1),flatten(BaseTactics1,BaseTactics),flatten(BSeq1s,FBSeq1s),map_list(SSeqs,SSeq:=>SSeq1-step_case(Ms),applicable_submethod(SSeq,step_case(Ms),_,SSeq1),SSeq1sSTs),zip(SSeq1sSTs,SSeq1s,StepTactics),flatten(SSeq1s,FSSeq1s),append(BaseTactics, StepTactics, CasesTactics),append(FBSeq1s,FSSeq1s,AllSeqs)],AllSeqs,ind_strat(induction(Scheme,VarTL) then CasesTactics)).G.5 ElementaryThis method applies simple propositional reasoning.submethod(elementary(I),H==>G,[not (G = (_:_#_)),elementary(H==>G,I)],[],[],elementary(I)).
Appendix G. Methods 216G.6 Use of equation in hypothesisThis method applies an equation in the hypotheses list as a rewrite rule.submethod(equal(HName,Dir),H==>G,[ ((hyp(HName:Term=Var in T,H), Dir=left)v(hyp(HName:Var=Term in T,H), Dir=right)),(not freevarinterm(Term,_)orelse(atomic(Var), not atomic(Term))orelse(atomic(Var), atomic(Term), Term @< Var)),freevarinterm(G,Var)],[map_list([G],In:=>Out,replace_all(Var,Term,In,Out),[GG]),del_hyp(HName:_,H,HThin)],[HThin==>GG],equal(HName,Dir)).G.7 Evaluate denitionThis method does rewriting with equations that are not wave rules.submethod(eval_def(Pos,[Rule,Dir]),H==>G,[matrix(Vars,Matrix,G),wave_fronts(_, [], Matrix),new_exp_at(Matrix,Pos,Exp),not metavar(Exp),func_defeqn(Exp,Dir,Rule:C=>Exp:=>NewExp),polarity_compatible(Matrix, Pos, Dir),elementary(H==>C,_)],[replace(Pos,NewExp,Matrix,NewMatrix),matrix(Vars,NewMatrix,NewG)],[H==>NewG],eval_def(Pos,[Rule,Dir])).
Appendix G. Methods 217G.8 Term cancellationThis method cancels out common additive terms in both sides of an equation.submethod(term_cancel(NG),H==>G,[matrix(V,LS = RS in pnat,G),\+ (LS=0 v RS=0),only_sum(LS,LstPlusL),only_sum(RS,LstPlusR),cancel_eq(LstPlusL,LstPlusR,OtherL,OtherR),length(LstPlusL,X),length(OtherL,Y),X > Y],[putPlus(OtherL,Left),putPlus(OtherR,Right),matrix(V,Left=Right in pnat,NG)],[H==>NG],term_cancel(NG)).G.9 Boolean case analysisThis submethod applies Boolean case analysissubmethod(bool_cases(X),H==>G,member(X:{bool},H),freevarinterm(G,X)], [replace_all(X,{false},G,G1),replace_all(X,{true},G,G2),hfree([Id],H)], [[Id:X={false} in {bool}|H]==>G1,[Id:X={true} in {bool}|H]==>G2],bool_cases(X)).submethod(bool_cases(X),H==>X:{bool}=>G,], [replace_all(X,{false},G,G1),replace_all(X,{true},G,G2),hfree([Id],H)], [[Id:X={false} in {bool}|H]==>G1,[Id:X={true} in {bool}|H]==>G2],bool_cases(X)).submethod(bool_cases(Term),
Appendix G. Methods 218H==>G,matrix(Vars,Matrix,G),exp_at(Matrix,Pos,Term),Term=hd(_),append(Vars,H,NewH),find_type(NewH,Term,{bool})], [listof(V:T,P^(member(V:T,Vars),exp_at(Term,P,V)),BoundVars),subtract(Vars,BoundVars,RestVars),append(BoundVars,H,AllH),replace_all(Term,{false},Matrix,MG1),replace_all(Term,{true},Matrix,MG2),hfree([Id],AllH),matrix(RestVars,MG1,G1),matrix(RestVars,MG2,G2)], [[Id:Term={false} in {bool}|AllH]==>G1,[Id:Term={true} in {bool}|AllH]==>G2],bool_cases(Term)).G.10 Memoise recursive functionThis submethod applies the memoisation procedure on named recursive functions.submethod(eval_def(Rule,[Memo,Pos,Dir,Exp,NewExp,Type]),H==>G,[matrix(Vars,Matrix,G),wave_fronts(_, [], Matrix),new_exp_at(Matrix,Pos,Exp),not metavar(Exp),% expression is a memo function:((((Exp=mpc(s(X1),_,_,_),Type=wordn(5)) v(Exp=memory(s(X3),_,_,_),Type=wordn(16)) v(Exp=pc(s(X4),_,_,_),Type=wordn(13)) v(Exp=acc(s(X5),_,_,_),Type=wordn(16)) v(Exp=buffer(s(X6),_,_,_),Type=wordn(16)) v(Exp=mar(s(X7),_,_,_),Type=wordn(13)) v(Exp=arg(s(X8),_,_,_),Type=wordn(16)) v(Exp=ir(s(X9),_,_,_),Type=wordn(16))),% value has been calculated already((member(Rule:Exp=NewExp in Type,H),NewH=H) v% value hasn't been calculated, do it and add it to hyp list(func_defeqn(Exp,Dir,_:C=>Exp:=>NewExp2),matrix(Vars,NewExp2,Goalmpc),applicable_submethod(H==>Goalmpc,sym_eval(_),_,[Hmemo==>NewExp]),!,
Appendix G. Methods 219hfree([Rule],Hmemo),NewH=[Rule:Exp=NewExp in Type|Hmemo])),Memo=1) v% expression is NOT a memo function:(func_defeqn(Exp,Dir,Rule:C=>Exp:=>NewExp),polarity_compatible(Matrix, Pos, Dir),elementary(H==>C,_),NewH=H,Memo=0,nl,write('7. Rule = '), write(Rule),nl))], [replace(Pos,NewExp,Matrix,NewMatrix),matrix(Vars,NewMatrix,NewG)],[NewH==>NewG],eval_def(Rule,[Memo,Pos,Dir,Exp,NewExp,Type])).G.11 Weak fertiliseThis submethod applies weak fertilisation.submethod(weak_fertilize(Dir,Connective,Pos,Hyp),H==>G,[matrix(Vars,M,G),transitive_pred( M, [LR,RL], [LRN,RLN], NewG_M ),exp_at(M,[0],Connective),((Dir=right,GL=LR,GR=RL, GLNew=LRN, GRNew = RLN) v(Dir=left,GL=RL,GR=LR, GLNew=RLN, GRNew = LRN )),( (wave_fronts(GR1,[[]-PosL/[Typ,out]],GR),select(Pos,PosL,OtherPosL),NewWFspec = [[]-PosL/[Typ,in]])v (wave_fronts(GR1,[[]-PosL/[Typ,in]],GR),PosL = [_,_|_],select(Pos,PosL,OtherPosL),NewWFspec = [[]-PosL/[Typ,in]])v(wave_fronts(GR1,[],GR),wave_fronts(_,[_-_/[_,out]|_],GL),PosL=[],Pos=[],OtherPosL=[[]],NewWFspec = [Pos-OtherPosL/_]) v(wave_fronts(GR1tmp,[WFPos-[WHPos]/[Typ,_]],GR),
Appendix G. Methods 220sinks(GR1,[WFPos],GR1tmp),sinks(GL1,_,GL),append(WHPos,WFPos,RSinkPos),exp_at(GR1,RSinkPos,Sink),exp_at(GL1,LSinkPos,Sink),NewWFspec = [LSinkPos-[WHPos]/[Typ,out]],Pos=[] )v(wave_fronts(GR1tmp,[[]-PosL/[Typ,out]|SunkFronts],GR),select(Pos,PosL,OtherPosL),NewWFspec = [[]-PosL/[Typ,in]],sinks(GR1,SinkPosns,GR1tmp),(forall{PP \ SunkFronts}: (PP = FrontPos-_/[_,_],(thereis{ SS \ SinkPosns} : append(SS,_,FrontPos)))))),exp_at(GR1,Pos,GR1Sub),% check for positive occurrence or symmetrical function symbol:(Connective = (in) orelse polarity(_,_,GR1,Pos,+)),( member( _:[ihmarker(notraw(_),[])|IHyps], H ),nv_member(Hyp:IndHyp,IHyps);member( Hyp:IndHyp, H ),IndHyp \= [_|_]), matrix(_,IndHyp_M,IndHyp),exp_at(IndHyp_M,[0],Connective),replace_all(GL,GRNewSub,M,GSub1),replace_all(GR,GR1Sub,GSub1,GSub),instantiate(IndHyp,GSub,Instan),ground_sinks(Instan,GL,GR,GSub),wave_fronts(GRNewSub,_,GRNewSub)],% postconditions[replace(Pos,GRNewSub,GR1,GRNew1),wave_fronts(GRNew1,NewWFspec,GRNew),wave_fronts(GLNew,_,GL),sinks(NNewG_M,_,NewG_M),matrix(Vars,NNewG_M,NewG)],[H==>NewG],weak_fertilize(Dir,Connective,Pos,Hyp)).
