Formal proof of the AVM-1 microprocessor using the concept of generic interpreters by Levitt, K. et al.
NASA Contractor Report 187491
NASA Contract NAS 1-18586
March 1991
This document was generated in support of NASA contract
NAS1-18586, Design and Validation of Digital Flight Control
Systems Suitable for Fly-By-Wire Applications, Task Assignment
3. Task 3 is associated with formal verification of embedded
systems. In particular, this document contains the HOL code
that formally proves the AVM-1 microprocessor using the theory
of generic interpreters.
The NASA technical monitor for this work is Sally C.
Johnson of the NASA Langley Research Center, Hampton, Virginia.
The work was accomplished at Boeing Military Airplanes,
Seattle, Washington, and the University of California, Davis,
California. Personnel responsible for the work include:
Boeing Military Airplanes:
D. Gangsaas, Responsible Manager
T. M. Richardson, Program Manager
G. C. Cohen, Principal Investigator
University of California:
Dr. K. Levitt, Chief Researcher
1.2 An Architectural View .............................................................................................................. 1
1.2.1 The Registers ................................................................................................................ 1
1.2.2 The Instruction Set ....................................................................................................... 2
1.2.3 Selecting Instructions ................................................................................................... 5
1.3 An Organizational View ............................................................................................................ 5
1.3.1 The AVM-1 Datapath ................................................................................................... 5
1.3.2 The Control Unit .......................................................................................................... 9
1.3.3 Timing ........................................................................................................ 10
2 The Organization of the Proof ....................................................................................................... 12
2.1 Proof Organization .................................................................................................................. 12
2.2 Proof Metrics ........................................................................................................................... 15
3 The Proof .......................................................................................................................................... 17
3.1 The Generic Interpreters .......................................................................................................... 17
3.1.1 Synchronous Interpreters ............................................................................................ 17
3.1.2 Temporal Abstraction ................................................................................................. 22
3.1.3 Asynchronous Interpreters ......................................................................................... 27
3.2 The Word Representation ........................................................................................................ 31
3.3 Auxiliary Files ......................................................................................................................... 35
3.3.1 Auxiliary Theorems .................................................................................................... 35
3.3.2 The Jump Condition ................................................................................................... 38
3.3.3 The Register File ........................................................................................................ 40
A 16 Input Multiplexor ............................................................................................... 42
A Generic ALU .......................................................................................................... 44
The Arithmetic Logic Unit ......................................................................................... 50
The Shifter Unit .......................................................................................................... 57
The Microprogram Counter Unit ............................................................................... 60
The State Selectors ..................................................................................................... 62
The Electronic Block Model ...................................................................................... 70
3.5 The Phase-Level ...................................................................................................................... 82
3.5.1 The Microcode Assembler ......................................................................................... 82
3.5.2 The Microcode Definition .......................................................................................... 89
3.5.3 The Phase-Level Interpreter ....................................................................................... 96
3.5.4 The Phase-Level Proof ............................................................................................. 103
3.6 The Micro-Level .................................................................................................................... 115
3.6.1 The Micro-Level Interpreter ..................................................................................... 115
3.6.2 The Micro-Level Instructions ................................................................................... 138
3.6.3 The Micro-Level Proof ............................................................................................. 155
3.7 The Macro-Level ................................................................................................................... 169
3.7.1 The Macro-Level Interpreter .................................................................................... 169
3.7.2 The Macro-Level Proof ............................................................................................ 184
This technical report is intended to document the HOL code verifying a microprocessor called AVM-1.
This section will give a brief introduction to the design of AVM-1. The next section will discuss the
organization of the proof and present some technical details concerning the execution of the proof
scripts in HOL. The last section contains the proof scripts used to verify AVM-1.
1.1 AVM-1.
We have designed a computer designated AVM-1 (A Verified Microprocessor) to demonstrate the use
of generic interpreters in verifying hierarchically decomposed microprocessor specifications. For a more
detailed look at the architecture and organization of AVM-1, see [Win90a].
Our design is an attempt to build a microprocessor that is at once verifiable, implementable, and
usable. We have been influenced by our own experience in verifying microprocessors [Win90b], the
experience of others [Joy89,Coh88], and our desire to provide hardware features in support of operating
systems; such features include interrupts, memory management, and supervisory modes. AVM-1 is
part of a verified chip set being designed and verified by the Computer Systems Verification Group at
the University of California, Davis. Other pieces of the system include a memory management unit, a
floating point unit, an interrupt controller, and a direct memory access chip.
1.2 An Architectural View.
A computer's architecture is its programming interface; an architecture describes a language and how
that language is interpreted. The language definition contains a specification of the computer's state
and the instructions available for manipulating that state. The architecture must also define how
instructions are selected.
The instruction set for AVM-1 was inspired by the RISC I instruction set found in Katevenis [Kat85].
There are a number of differences, but many features in the RISC I instruction set
(such as using ALU operations to synthesize a MOVE instruction) were incorporated into the AVM-1
instruction set. As we will see in the section on organization, however, AVM-1 cannot be called a
RISC architecture since its microcoded implementation is somewhat different than today's RISC chips.
1.2.1 The Registers.
AVM-1 has a load-store architecture based on a large register file. The register file is divided into
three portions:
1. Register 0 which is read-only and contains the constant 0.
2. Seven supervisor-mode registers including a distinguished register for use as the supervisor stack
pointer (SSP). The supervisor-mode registers are read-only unless the CPU is in supervisor-mode
(determined by the 6th bit in the program status word).
3. Twenty-four general purpose registers.

Table 1: The program status word.
Bit   Meaning when set
0     Last ALU result was zero
1     Last ALU operation caused a carry
2     Last ALU result was negative
3     Last ALU operation caused an overflow
4     Interrupts enabled
5     In supervisory mode
Two additional registers are visible at the architectural level: the program counter and the program
status word. The program counter (PC) is used to sequence the computer--it indicates which instruction
to execute next.
The program status word (PSW) is used to keep track of the status of the last ALU operation,
whether or not interrupts are enabled, and the privilege level of the CPU. Table 1 shows the meaning
of the 6 bits in the program status word.
AVM-1 shares a register, IVEC, with the interrupt controller. This register contains the interrupt
vector and is read-only as far as the CPU is concerned.
1.2.2 The Instruction Set.
The instruction set contains 30 instructions. The opcode space has room for 64; the upper half of the
opcode space is reserved for future co-processors. As mentioned above, the instruction set is based on
a load-store architecture, meaning that most instructions are not allowed to access memory for their
operands.
The instruction formats are simple and regular. Figure 1 shows the four instruction formats. All
of the formats use the same opcode field.
In formats 1 and 2, the instruction is divided into four fields. The top 6 bits (31-26) give the
opcode of the instruction. The next 5 bits (25-21) denote the destination register in most operations.
The third field (bits 20-16) selects the register used as the A operand in most operations. In format 1,
the fourth field is comprised of bits 15-11 and is used to select the register used as the B operand. In
format 2, the fourth field uses all of the 16 remaining bits to form an immediate number (0 to (2^16 - 1)).
Format 3 is identical to formats 1 and 2 except that only the opcode and destination fields are used.
Format 4 uses only the opcode field.
Figure 1: The instruction formats in AVM-1 (field boundaries at bits 31, 25, 20 and 15).
the instruction format should be kept as simple as possible. A regular instruction format, while not
essential to verification, can greatly reduce the amount of detail that has to be dealt with in the proof.
The 30 programming level instructions are shown in Table 2. There is a group of 8, 3-argument
arithmetic instructions and another group of 8 arithmetic instructions that use a 16-bit immediate
value. There are 4 instructions for loading and storing registers. In addition, there are instructions
for performing user interrupts, jumps, subroutine calls, and shifts. For a detailed description of the
instruction set, see [Win90a].
Synthesizing Addressing Modes. Besides the CALL and INT instructions which must access a
stack, only the load and store instructions can access memory. All of the other instructions only
operate on the internal registers. This makes the implementation of the instruction set easier and
results in faster operation of most of the instructions.
The addressing mode in the load and store instructions uses the sum of two numbers, a register
and either a register or an immediate value, to calculate the address of the memory operation. This is
a flexible scheme which allows most popular addressing modes to be synthesized.
Table 3 (adapted from [Kat85]) shows how the memory addressing scheme in AVM-1 can be used
to support common constructs in modern high-level languages.
Table 2: The programming level instructions.
Mnemonic  Format  Description
GPSW      3       Get program status word
PPSW      3       Put program status word
LD        1       Load register
ST        1       Store register
RTN       3       Return from subroutine
LDI       2       Load register using immediate value
STI       2       Store register using immediate value
ADD       1       Add
ADDC      1       Add with carry
SUB       1       Subtract
SUBC      1       Subtract with borrow (carry)
BAND      1       Bit-wise conjunction
BOR       1       Bit-wise disjunction
BXOR      1       Bit-wise exclusive disjunction
BNOT      1       Bit-wise negation
ADDI      2       Add using immediate value
ADDCI     2       Add with carry using immediate value
SUBI      2       Subtract using immediate value
SUBCI     2       Subtract with borrow using immediate value
BANDI     2       Bit-wise conjunction using immediate value
BORI      2       Bit-wise disjunction using immediate value
BXORI     2       Bit-wise exclusive disjunction using immediate value
NOOP      4       No operation

Table 3: Synthesizing addressing modes using AVM-1's load and store instructions.
• In direct mode, the A register holds the base of the data segment and the immediate value allows
addressing within ±2^15 of the base.
• In indirect mode, the A register holds the value of the pointer. R[0] holds the constant 0.
• To perform memory operations on records, the A register holds the base address of the record
and the immediate field holds the field offsets into the record.
• Array operations are performed by using the A register to hold the base address of the array and
the B register to hold the index.
1.2.3 Selecting Instructions.
We select instructions in the instruction set using the opcode portion of the word in memory pointed
to by the current value of the program counter. We will only use the 5 least significant bits of the
opcode field, giving space for 32 instructions.
Table 4 gives a breakdown of the opcodes for AVM-1. The instruction set is divided into four groups
depending on the value of the first 2 bits in the opcode. The first two groups contain miscellaneous
instructions, the third group contains ALU operations and the fourth group contains the immediate
versions of the instructions in group 3.
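Added Python illustration (not code from the report): a decoder and encoder for the instruction word layout of Figure 1 and the opcode grouping of Table 4, together with the load/store effective address of Section 1.2.2. The row order within each Table 4 column, the format of LD, and the sample encodings are assumptions of this example.

```python
"""AVM-1 instruction words: the field layout of Figure 1 and the opcode
grouping of Table 4 as an executable decoder/encoder (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional

# Table 4 as printed: one column per value of the top two bits of the 5-bit
# opcode, one row per value of the low three bits.  Row order within a column
# is taken to be ascending code (an assumption of this example); the two
# slots the scanned table does not give are left as None.
TABLE_4: List[List[Optional[str]]] = [
    ["JMP",  "CALL",  "INT",  None,    "GPSW",  "PPSW", "LD",    "ST"],    # 00xxx
    ["LSL",  "LSR",   "ASR",  None,    "NOOP",  "NOOP", "LDI",   "STI"],   # 01xxx
    ["ADD",  "ADDC",  "SUB",  "SUBC",  "BAND",  "BOR",  "BXOR",  "BNOT"],  # 10xxx
    ["ADDI", "ADDCI", "SUBI", "SUBCI", "BANDI", "BORI", "BXORI", "NOOP"],  # 11xxx
]

# Instruction formats from Table 2.  LD is assumed to be format 1 (register
# operands, like ST); JMP, CALL, INT and the shifts have no format on the
# page and decode with fmt None.
FORMAT = {"GPSW": 3, "PPSW": 3, "LD": 1, "ST": 1, "LDI": 2, "STI": 2, "NOOP": 4}
FORMAT.update({m: 1 for m in TABLE_4[2]})                   # register ALU operations
FORMAT.update({m: 2 for m in TABLE_4[3] if m != "NOOP"})    # immediate versions


@dataclass
class Instruction:
    opcode: int          # bits 31-26
    dest: int            # bits 25-21
    a: int               # bits 20-16
    b: int               # bits 15-11 (meaningful in format 1)
    imm: int             # bits 15-0  (meaningful in format 2)
    mnemonic: Optional[str]
    fmt: Optional[int]
    coprocessor: bool    # bit 31 set: upper half of the opcode space, reserved


def decode(word: int) -> Instruction:
    """Split a 32-bit word into the Figure 1 fields and name it via Table 4."""
    if not 0 <= word < 1 << 32:
        raise ValueError("instruction words are 32 bits")
    opcode = (word >> 26) & 0x3F
    code5 = opcode & 0x1F                       # the CPU uses only the 5 low bits (1.2.3)
    mnemonic = TABLE_4[code5 >> 3][code5 & 0x7]
    return Instruction(
        opcode=opcode,
        dest=(word >> 21) & 0x1F,
        a=(word >> 16) & 0x1F,
        b=(word >> 11) & 0x1F,
        imm=word & 0xFFFF,
        mnemonic=mnemonic,
        fmt=FORMAT.get(mnemonic) if mnemonic else None,
        coprocessor=bool(opcode & 0x20),
    )


def encode(mnemonic: str, dest: int = 0, a: int = 0, b: int = 0, imm: int = 0) -> int:
    """Build a word for a Table 4 mnemonic; fields the format does not use stay zero."""
    for col, column in enumerate(TABLE_4):
        if mnemonic in column:
            code5 = (col << 3) | column.index(mnemonic)
            break
    else:
        raise ValueError(f"unknown mnemonic {mnemonic}")
    for name, val, width in (("dest", dest, 5), ("a", a, 5), ("b", b, 5), ("imm", imm, 16)):
        if not 0 <= val < 1 << width:
            raise ValueError(f"{name} does not fit in {width} bits")
    fmt = FORMAT.get(mnemonic)
    word = code5 << 26
    if fmt != 4:                                # format 4 uses only the opcode
        word |= dest << 21
    if fmt not in (3, 4):                       # format 3 uses only opcode and destination
        word |= a << 16
        word |= imm if fmt == 2 else b << 11
    return word


def effective_address(ins: Instruction, regs: List[int]) -> int:
    """Load/store address (1.2.2): R[A] plus R[B] in format 1 or the immediate in
    format 2; this synthesizes the direct, indirect, record and array modes of
    Table 3.  The immediate is taken as the unsigned value described in 1.2.2."""
    if ins.mnemonic not in ("LD", "ST", "LDI", "STI"):
        raise ValueError("only load and store instructions address memory")
    if regs[0] != 0:
        raise ValueError("R[0] is read-only and holds the constant 0")
    offset = ins.imm if ins.fmt == 2 else regs[ins.b]
    return (regs[ins.a] + offset) & 0xFFFFFFFF
```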
1.3 An Organizational View.
This section describes the organization of AVM-1: what components are used and to what effect. The
implementation of AVM-1 can be divided into two major parts: the datapath and the control unit.
We will discuss each of these.
1.3.1 The AVM-1 Datapath.
The AVM-1 datapath is loosely based on the AMD 2903 bit-sliced datapath [Adv83] and is shown
in Figure 2. The signals shown at the right-hand side of the figure connect to the control unit.















Figure 2: The AVM-1 Datapsth
6
Table 4: The AVM-1 opcodes.
00XXX   01XXX   10XXX   11XXX
JMP     LSL     ADD     ADDI
CALL    LSR     ADDC    ADDCI
INT     ASR     SUB     SUBI
                SUBC    SUBCI
GPSW    NOOP    BAND    BANDI
PPSW    NOOP    BOR     BORI
LD      LDI     BXOR    BXORI
ST      STI     BNOT    NOOP
The datapath has three buses, a register file containing 32 registers, and numerous support registers
and latches. Two buses, A and B, are connected to the output ports on the register file and system
registers. The C bus is connected to the input port on the register file and the system registers. In
addition, the interrupt vector is attached to the B bus through a special port to the interrupt controller.
The A and B buses feed the inputs to the ALU through two latches. The memory buffer register
can also serve as the A input to the ALU through a multiplexor on the ALU input. The ALU performs
simple arithmetic and boolean operations on the values on its A and B inputs. The results of the ALU
operation are fed to the shifter which can perform logical and arithmetic shifts. The result from the
shifter is put onto the C bus for distribution.
In addition to a result, the ALU produces a set of status bits (negative, zero, carry, and overflow)
which can be saved in the program status word directly. If desired, a one-bit multiplexor also allows
the bit shifted out of the shifter to be saved in the carry field of the PSW. The control lines to the
PSW allow the supervisor and interrupt enable bits to be set and cleared and each of the status bits
to be loaded individually.
The status from the PSW and the destination field of the instruction register are fed into the jump
code circuitry. This combinatorial circuit calculates the jump conditions shown in Table 5 and supplies
a boolean result which is used to determine if the program counter should be loaded from the C bus.
The program counter can also be loaded unconditionally.
The instruction register can be loaded from the C bus, but only the immediate portion of the
instruction register can be placed on the B bus.
The memory address register can be loaded directly from the program counter or from the C bus.
This allows the MAR to be loaded quickly for instruction fetches while still allowing calculated addresses
for loads and stores.
The datapath has two flip-flops for holding the status of interrupt actions and three demultiplexors
Figure 3: The AVM-1 Control Unit (64 x 40 microrom).
Table 5: Implementation of the jump codes for the JMP instruction.
Jump code   Condition
10          (nf xor vf)
11          ¬(nf xor vf)
12          ((nf xor vf) ∨ zf)
13          ¬((nf xor vf) ∨ zf)
14          true
15          true
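Added Python illustration (not code from the report) of how the PSW bits of Table 1, as set by an ALU subtraction, drive the Table 5 jump conditions for a JMP whose destination field carries the jump code. Only codes 10 to 15 are implemented; the borrow-as-carry convention and the sample operands are assumptions of this example.

```python
"""PSW status bits (Table 1) produced by an ALU subtraction and the jump
conditions of Table 5 evaluated from them, as the jump code circuitry does
for a JMP whose destination field is the jump code.  Added illustration."""
MASK32 = 0xFFFFFFFF

# Table 1: bit positions in the program status word
ZF, CF, NF, VF, IE, SM = 0, 1, 2, 3, 4, 5


def to_signed(x: int) -> int:
    """Interpret a 32-bit pattern as two's complement."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def sub_flags(a: int, b: int, psw: int = 0) -> int:
    """PSW after the ALU computes a - b with all four status bits loaded
    (LD_Z, LD_C, LD_N, LD_V asserted); IE and SM are left as they were.
    Convention assumed here: the carry bit records the borrow out."""
    a &= MASK32
    b &= MASK32
    r = (a - b) & MASK32
    zf = r == 0
    nf = bool(r >> 31)
    vf = bool(((a ^ b) & (a ^ r)) >> 31)   # a, b differ in sign and r's sign differs from a
    cf = a < b
    psw &= ~((1 << ZF) | (1 << CF) | (1 << NF) | (1 << VF))
    return psw | (zf << ZF) | (cf << CF) | (nf << NF) | (vf << VF)


def jump_condition(code: int, psw: int) -> bool:
    """Table 5, codes 10 to 15: nf xor vf is the signed less-than test, which
    is why the overflow bit enters the condition."""
    zf = bool((psw >> ZF) & 1)
    nf = bool((psw >> NF) & 1)
    vf = bool((psw >> VF) & 1)
    lt = nf != vf                          # nf xor vf
    if code == 10:
        return lt
    if code == 11:
        return not lt
    if code == 12:
        return lt or zf
    if code == 13:
        return not (lt or zf)
    if code in (14, 15):
        return True
    raise ValueError(f"jump code {code} is not covered by this example")


def jmp_taken(word: int, psw: int) -> bool:
    """For a JMP instruction word the jump code is the destination field
    (bits 25-21) of the instruction register."""
    return jump_condition((word >> 21) & 0x1F, psw)


def signed_compare_via_psw(a: int, b: int) -> dict:
    """Compare two 32-bit values by subtracting and reading the jump codes;
    each entry is True when the code agrees with the signed comparison."""
    psw = sub_flags(a, b)
    sa, sb = to_signed(a), to_signed(b)
    return {
        "lt": jump_condition(10, psw) == (sa < sb),
        "ge": jump_condition(11, psw) == (sa >= sb),
        "le": jump_condition(12, psw) == (sa <= sb),
        "gt": jump_condition(13, psw) == (sa > sb),
    }
```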
1.3.2 The Control Unit.
The control unit for AVM-1 is shown in Figure 3. The control unit has four major blocks: the
microprogram counter, the microinstruction register, the clock, and the microrom.
The microprogram counter is the most complex of the four. The purpose of the microprogram
counter is to compute the next address for the microprogram based on the current system state.
The microprogram counter is fed the condition and address (addr) fields from the microinstruction
register, the opcode from the instruction register, and the supervisory and interrupt enable bits from
the program counter. There are 5 jump conditions:
1. No jump; the microprogram counter is incremented. This is the default operation.
2. Jump to addr unconditionally.
3. Jump to the location given by the opcode signal and an offset (4 in this case). This allows us to
use a table lookup approach to instruction decoding in the microcode. We only use the 5 least
significant bits of the 6-bit opcode; the top half of the instruction set is reserved for a coprocessor.
4. Jump to addr if the interrupt signal is true and interrupts are enabled.
5. Jump to addr if the supervisory mode signal is true.
Figure 4: The clock signals in AVM-1 (clk1 through clk4).
The microinstruction register is a 40-bit register that holds the current microinstruction. The only
special feature of the register is that each of the fields from the microinstruction is available through
separate ports for use elsewhere in the control unit and datapath.
The microinstruction format is shown in Table 6. A microinstruction consists of 40 bits in 24
fields. The fields in a microinstruction can be broken into 4 groups: those affecting the operation of
the microprocessor, those affecting the program status word, those dealing with external signals, and
those that are used for microinstruction sequencing. For a detailed description of the microinstructions,
see [Win90a].
The clock is a simple four-phase counter with a strobe line for each phase. Figure 4 shows the
output timing for the clock. The clk1 line, for example, is only true during phase 1, the clk2 line is
true during phase 2, and so on.
The microrom holds the microcode and is made from a read-only memory that is 40 bits wide and
64 words long.
1.3.3 Timing.
The timing of AVM-1 is based on a four phase clock (see Figure 5). During the four phases, the
machine performs the following state transitions:
1. In phase 1, the microinstruction register is loaded from the microrom.
2. In phase 2, the latches feeding the ALU are loaded from the register file and system registers.
3. In phase 3, the results from the ALU and shifter are calculated. In addition, the MAR can be
loaded from the PC in this phase.
4. In phase 4, the result calculated in phase 3 is stored back into the register file and system registers.
Table 6: The microinstruction format.
Field   Meaning
AUX     Toggle MUX on A-bus
SHFT    Shifter function
ALU     ALU function
MAR     Load MAR from P-Mux
MBR     Load MBR from C-bus
S_SM    Set supervisory mode bit in PSW
C_SM    Clear supervisory mode bit in PSW
S_IE    Set interrupt enable bit in PSW
C_IE    Clear interrupt enable bit in PSW
LD_C    Load carry bit in PSW
LD_V    Load overflow bit in PSW
LD_N    Load negative bit in PSW
LD_Z    Load zero bit in PSW
COND    Microcode jump condition (3 bits)

Figure 5: A PERT phase diagram for AVM-1.
Every microinstruction is executed by the phase sequence described above. Since microinstructions
are used to implement the macroinstructions, the timing for a macroinstruction is dependent on the
number of microinstructions in its implementation. In most cases this number is 4.
2 The Organization of the Proof
This section presents the organization of the proof of AVM-1 in HOL. The section discusses the overall
proof organization, gives a description of the theories making up the proof and gives some measurements
of the complexity of the proof.
2.1 Proof organization
The proof for AVM-1 contains more than 25 theories. This section presents the general proof organi-
zation (the hierarchy of theories) and briefly describes the contents of each theory.
Figure 6 shows how the major theories of the proof of AVM-1 are related. This hierarchy
shows avm.th as the child theory of a long ancestry that follows the hierarchical decomposition discussed
in [Win90a]. The picture is not complete; there are many theories not shown. For example, aux_defs.th
is the ancestor of almost every theory in the proof.
The rest of this section gives a taxonomy of the major theories in the proof of AVM-1 .
Figure 6: The theory hierarchy for the proof of AVM-1.
Generic Interpreters. The generic interpreter theories include the synchronous model, the temporal
abstraction theory, and the asynchronous model.
• gen_I_sync.th -- Defines and verifies a synchronous version of the generic interpreter theory.
• time_abs.th -- Defines a temporal abstraction function and proves several useful lemmas con-
cerning it.
• gen_I.th -- Contains the generic definition of an interpreter used in the definition and proof of
the various levels in AVM-1.
Auxiliary Theories. There are a number of auxiliary theories that are used throughout the proof
of AVM-1.
• aux_defs.th -- Contains the abstract definition for n-bit words. The definition is accomplished
using the functions in abstract.ml, the ML code for producing abstract theories.
• aux_thms.th -- Contains auxiliary definitions and theorems. The theory is an ancestor of many
of the main theories in the proof.
• jump_def.th -- Contains the definition of the jump condition logic that is used at every level.
• regs_def.th -- Contains the definition of the register file. Several distinguished registers are
defined and the function for updating the register file is given.
The Electronic Block Model. The electronic block model description depends on a number of
theories. The definition makes use of a generic ALU that is subsequently instantiated to define the
ALU used in AVM-1. The shifter and microprogram counter are also defined separately.
• mux16_def.th -- Contains the definition of a 16 input multiplexor that is used in the definition
of the generic ALU theory.
• gen_alu.th -- Contains the abstract definition and verification of a 16 function ALU.
• alu_def.th -- Contains the instantiation of the generic ALU theory presented in the last section
for a specific set of functions. The correctness result is meaningless since the modules used to
implement the functions are null modules. This does not affect the validity of the proof presented
here since only the definition is used in subsequent theories. A number of theorems about the
ALU's output are proven here and are used in subsequent proofs.
• shifter_def.th -- Contains the definition of a 4 function shifter that is used in defining the
electronic block model. A number of theorems about the shifter's output are proven here and are
used in subsequent proofs.
• mpc_def.th -- Contains the definition of the microprogram counter unit that is used in the
definition of the electronic block model and the phase-level.
• mpc_def.th -- Contains the definition of the state selectors for the electronic block model.
• block_def.th -- This theory contains the definition of the electronic block model. The theory
contains the definition of most of the blocks used to construct the electronic block model.
The Phase-Level. This section presents the theories that define the phase-level interpreter. Also
presented is the theory that verifies the phase-level interpreter with respect to the electronic block
model.
• ucode_aux.ml -- Contains the ML code that defines the microcode assembler. No theory is
created; the assembler is an ML program that creates the appropriate terms for a given program
statement.
• ucode_def.th -- Defines the type for the microcode as well as a number of selector functions
that return the various fields that make up a microinstruction.
• phase_def.th -- Defines the abstract behavior of the 4 phase-level instructions and gives several
auxiliary definitions used in instantiating the abstract interpreter theory.
• phase.th -- Contains the correctness result for the phase-level. The result is obtained by
instantiating the generic interpreter theory contained in gen_I.th.
The Micro-Level. This section presents the theories that define the micro-level interpreter. Also
presented is the theory that verifies the micro-level interpreter with respect to the phase-level inter-
preter.
• micro_def.th -- Defines the abstract behavior of the 64 micro-level instructions and gives several
auxiliary definitions used in instantiating the abstract interpreter theory.
• uinst_def.th -- Defines the microinstructions and combines them together into the microrom.
• micro.th -- Contains the correctness result for the micro-level. The result is obtained by
instantiating the generic theory gen_I .th.
The Macro-Level. This section presents the theories that define the macro-level interpreter. Also
presented is the theory that verifies the macro-level interpreter with respect to the micro-level inter-
preter.
• macro_def.th -- Defines the abstract behavior of the 32 macro-level instructions and gives
several auxiliary definitions used in instantiating the abstract interpreter theory.
• macro.th -- Contains the correctness result for the macro-level. The result is obtained by
instantiating the generic theory gen_I.th.
The Final Result. This section presents the theory that proves AVM-1 correct. The theory is the
descendant of all of the theories presented earlier.
• avm.th -- Contains the correctness result for the microprocessor. The final result is obtained
by combining the correctness results from phase.th, micro.th and macro.th.
2.2 Proof Metrics.
Table 7 presents the run-times for the various theories in the proof on a SPARCStation with 16 Mbytes
of memory. The times are CPU seconds. The table also gives the number of primitive inferences required
to run the corresponding ML script in HOL. We were using version 1.10 of HOL built using the Austin
Kyoto Common Lisp compiler.
The total time to run the proof was 208029.1 CPU seconds, or nearly 58 CPU hours. The proof
took almost a week of elapsed time because the core images were quite large (as high as 29 Mbytes)
and caused the operating system to thrash when garbage collecting.
There are several files in the table that were not discussed in the last section. Due to size limi-
tations of main memory, the files mk_mic_x1.ml and mk_mic_x2.ml were broken out of mk_micro.ml
and mk_mac_I.ml, mk_mac_1.ml, and mk_mac_2.ml were broken out of mk_macro.ml.
Table 7: Script run-times on a SPARCStation with 16M of memory.
3 The Proof
This section documents the HOL theories that make up the proof discussed in [Win90a].
3.1 The Generic Interpreters
3.1.1 Synchronous Interpreters
This section presents the ML code that creates the theory gen_I_sync.th.
mk_I.ml
(c) P. J. Windley 1990
09 JAN 90
14 FEB 90
Defines a generic interpreter used in subsequent specifications.
The interpreter is proven to be correct under certain obligations.
The interpreter in this file is synchronous.
2/13/90 -- Modified to take external lines into account.
  (`inst_list`, ":(*key#(*state->*env->*state)) list");
  (`key`,       ":*key->num");
  (`select`,    ":*state->*env->*key");
  (`cycles`,    ":*key->num");
  (`substate`,  ":*state'->*state");
  (`subenv`,    ":*env'->*env");
  (`Impl`,      ":(time'->*state')->(time'->*env')->bool");
  (`count`,     ":*state'->*env'->*key'");
  (`start`,     ":*key'")
 ];;
make_inst_thms cpu_abs;;

let I_rep_ty = abstract_type `gen_I_sync` `key`;;

let INTERP_def = new_definition
  (`INTERP`,
   "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
     INTERP rep s e =
      !t:time.
       let n = (key rep (select rep (s t) (e t))) in (
        s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
  );;

let INTERP_DEF_EXPANDED = EXPAND_LET_RULE INTERP_def;;

let inst_correct_def = new_definition
  (`INST_CORRECT`,
   "! inst:(*key#(*state->*env->*state))
      (s':time'->*state')
      (e':time'->*env') .
     INST_CORRECT rep s' e' inst =
      (Impl (rep:^I_rep_ty) s' e') ==>
      (!t:time'.
        let s = (\t. (substate rep (s' t))) in
        let e = (\t. (subenv rep (e' t))) in
        let c = (cycles rep (select rep (s t) (e t))) in (
         (select rep (s t) (e t) = (FST inst)) /\
         (count rep (s' t) (e' t) = (start rep)) ==>
          ((SND inst) (s t) (e t) = (s (t + c))) /\
          (count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
  );;
  "!k:*key. (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))";
  "!k:*key. k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
 ];;
let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time'.(substate rep (s' t))) and
         e = (\t:time'.(subenv rep (e' t))) in (
      (Impl (rep:^I_rep_ty)) s' e' ==>
      (!t:time'.
        (count rep (s' t) (e' t) = (start rep)) ==>
        ((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
         (SND (EL (key rep (select rep (s t) (e t)))

   THEN POP_ASSUM_LIST (\asl .
     let asl' =

                           (subenv rep (e' t))))" thm) ?
                  (SPEC "(select (rep:^I_rep_ty)
                           (substate rep (s' t))
                           (subenv rep (e' t)))" thm) ?
                  thm) asl'))
   THEN RES_TAC
   THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] (SPEC "t:time'" thm)))
   THEN RES_TAC

EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA);;
let time_shift = new_prim_rec_definition
  (`time_shift`,
   "(time_shift f (s:time->*state) (e:time->*env) 0 = 0) /\
    (time_shift f s e (SUC n) = (
      let t = (time_shift f s e n) in
       t + (f (s t) (e t))))"
  );;
let I_CLOCK_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time'.(substate rep (s' t))) and
         e = (\t:time'.(subenv rep (e' t))) in (
      (Impl rep) s' e' /\
      ((count rep) (s' 0) (e' 0) = (start rep)) ==>
      !t. let t_impl =
            (time_shift (\st env. (cycles rep (select rep st env))) s e t) in

   THEN REWRITE_TAC [time_shift; o_DEF; LET_DEF]
   THEN (FIRST_ASSUM ACCEPT_TAC ORELSE ALL_TAC)

   THEN POP_ASSUM_LIST (\asl .
     let asl' =

                    (\st env. cycles rep (select rep st env))
                    (\t'. substate rep (s' t'))

                    (\st env. cycles rep (select rep st env))
                    (\t'. substate rep (s' t'))
                    (\t'. subenv rep (e' t')) t)))))" thm) ?

                    (\st env. cycles rep (select rep st env))
                    (\t'. substate rep (s' t'))

                    (\st env. cycles rep (select rep st env))
                    (\t'. substate rep (s' t'))
                    (\t'. subenv rep (e' t')) t))))" thm) ?
                  thm) asl'))
   THEN RES_TAC
   THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE
     (SPEC "(time_shift
              (\st env. cycles (rep:^I_rep_ty) (select rep st env))

EXPAND_LET_RULE I_CLOCK_LEMMA);;
let IMPL_I_CORRECT = prove_thm
  (`IMPL_I_CORRECT`,
   "let s = (\t:time'.(substate rep (s' t))) and
        e = (\t:time'.(subenv rep (e' t))) in (
     (Impl rep) s' e' /\
     ((count (rep:^I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
     let f = time_shift (\st env. (cycles rep (select rep st env))) s e in

     [EXPAND_LET_RULE (REWRITE_RULE [ADD1] time_shift)]
   BETA_TAC
   POP_ASSUM (\x. ASSUME_TAC (SPEC "t:time'" x))
This section presents the ML code that creates the theory time_abs.th.
File: mk_time.ml
Author: (c) P. J. Windley 1990
Date: 19 FEB 90
Modified:
Description:
Creates a theory of temporal abstractions as defined in [1,2].
The theory defines several temporal operators and a temporal
projection function that can be used to relate time at
different levels of abstraction.
[1] Melham, Thomas F., "Abstraction Mechanisms for Hardware
    Verification"
[2] Joyce, Jeffrey J., "Multi-Level Verification of
    Microprocessor-Based Systems"






new_type_abbrev ('time', ":num");;
let First = new_definition
  ('First',
   "! g t. First g t =
      (!p:time. p < t ==> ~(g p)) /\
      (g t)"
  );;
let Next = new_definition
  ('Next',
   "! g t1 t2. Next g (t1,t2) =
      (t1 < t2) /\




let Temp_Abs = new_prim_rec_definition
  ('Temp_Abs',
   "(Temp_Abs g 0 = @t:time . First g t) /\






        ASSUME "?t:time. P t /\ Q t"))));;
let FIRST_LEMMA1 = TAC_PROOF
  (([],
    "! f .
      (? t:time . f t) /\
      (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) ==>
      ? t. First f t"),
   REPEAT GEN_TAC








  REWRITE_RULE [SYM_RULE First] (
    IMP_TRANS
      (SPEC_ALL (
        REWRITE_RULE [First] FIRST_LEMMA1))
      (BETA_RULE (
        SPECL ["\t. (!p. p < t ==> ~(f p))";
               "\t. (f t):bool"] LEMMA1))));;
let NEXT_LEMMA1 = TAC_PROOF
  (([],
    "! f m .
      (? t:time . f t) /\
      (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) /\
      (f (Temp_Abs f m)) ==>
      ? t. Next f (Temp_Abs f m, t)"),
   REPEAT STRIP_TAC
   THEN RES_TAC
   THEN ASSUM_LIST (\asl . MAP_EVERY STRIP_ASSUME_TAC asl)
   THEN EXISTS_TAC "(Temp_Abs f m) + n'"









  (PURE_ONCE_REWRITE_RULE [SYM_RULE CONJ_ASSOC] (
    BETA_RULE (
      SPECL ["\t. ((Temp_Abs f m) < t) /\
                  (!t'. (Temp_Abs f m) < t' /\ t' < t ==> ~f t')";
             "\t. (f t):bool"] LEMMA1)))));;
let ALL_F_Temp_Abs = TAC_PROOF
  (([],
    "! f .
      (? t:time . f t) /\
      (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) ==>
      !n . f (Temp_Abs f n)"),
   REPEAT GEN_TAC








let ONE_OR_THE_OTHER = TAC_PROOF
  (([],
    "! a b . ~(a = b) ==> (a < b \/ b < a)"),
   INDUCT_TAC
   THEN INDUCT_TAC
   THEN ASM_REWRITE_TAC [SYM_RULE NOT_SUC; LESS_0;
                         INV_SUC_EQ; LESS_MONO_EQ]
  );;
let First_UNIQUE = prove_thm
  ('First_UNIQUE',
   "! g t1 t2 .
     (First g t1 /\ First g t2) ==> (t1 = t2)",
   PURE_ONCE_REWRITE_TAC [First]
   THEN REPEAT STRIP_TAC
   THEN ASM_CASES_TAC "t1 = t2"
   THEN ASM_REWRITE_TAC[]
   THEN IMP_RES_TAC ONE_OR_THE_OTHER
   THENL [ % 1 %
     ASSUM_LIST (\asl. ASSUME_TAC (
       SPEC "t1:time" (el 4 asl)))
   ; % 2 %
     ASSUM_LIST (\asl. ASSUME_TAC (





let Next_UNIQUE = prove_thm
  ('Next_UNIQUE',
   "!t t1 t2 f .
     (Next f (t,t1) /\ Next f (t,t2)) ==> (t1 = t2)",
   PURE_ONCE_REWRITE_TAC [Next]
   THEN REPEAT STRIP_TAC
   THEN ASM_CASES_TAC "t1 = t2"
   THEN ASM_REWRITE_TAC[]
   THEN IMP_RES_TAC ONE_OR_THE_OTHER
   THENL [ % 1 %
     ASSUM_LIST (\asl. ASSUME_TAC (
       SPEC "t1:time" (el 4 asl)))
   ; % 2 %
     ASSUM_LIST (\asl. ASSUME_TAC (






"!f U n .
      (?t. f t) /\
      (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) /\
      Next f(Temp_Abs f u,(Temp_Abs f u) + n) ==>
      ((@t. Next f(Temp_Abs f u,t)) = ((Temp_Abs f u) + n))"),
   REPEAT GEN_TAC
   THEN STRIP_GOAL_THEN ((MAP_EVERY ASSUME_TAC) o CONJUNCTS)
   THEN MATCH_MP_TAC
     (SPECL ["Temp_Abs f u";
             "(@t. Next f(Temp_Abs f u,t))";








   THEN ASSUM_LIST (\asl. ACCEPT_TAC
     (REWRITE_RULE [el 3 asl] (el 1 asl)))
  );;
let INF_Temp_Abs = prove_thm
  ('INF_Temp_Abs',
   "! f r.
     (! t:time . f t ==> ? n . Next f (t,t+n) /\ r(t,t+n)) ==>
     ! u . r (Temp_Abs f u, Temp_Abs f (u+1))",
   REPEAT GEN_TAC




   THEN PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]
   THEN ASM_REWRITE_TAC [Temp_Abs]
   THEN ASSUM_LIST (\asl . STRIP_ASSUME_TAC (
     REWRITE_RULE [el 1 asl]




let Temp_Abs_DEGENERATE = prove_thm
  ('Temp_Abs_DEGENERATE',




   THENL [ % 1 %
     MATCH_MP_TAC
       (SPECL ["\t':time.T";
               "@t. First (\t':time.T) t";
               "0";
              ] First_UNIQUE)
     THEN CONV_TAC (DEPTH_CONV SELECT_CONV)








     THEN CONV_TAC (DEPTH_CONV SELECT_CONV)
     THEN REWRITE_TAC [Next; LESS_SUC_REFL]
     THEN CONJ_TAC
















This section presents the ML code that creates the theory gen_I.th.
File: mk_I.ml
Author: (c) P. J. Windley 1990
Date: 09 JAN 90
Modified: 19 FEB 90
Description:
Defines a generic interpreter used in subsequent specifications.
The interpreter is proven to be correct under certain obligations.
The interpreter in this file is synchronous.
2/13/90 -- Modified to take external lines into account.
2/19/90 -- Modified to make asynchronous.





new_type_abbrev ('time', ":num");;











  ('substate', ":*state' -> *state");
  ('subenv', ":*env' -> *env");
  ('Impl', ":(time' -> *state') -> (time' -> *env') -> bool");
  ('count', ":*state' -> *env' -> *key'");
  ('start', ":*key'")
];;
make_inst_thms cpu_abs;;
let I_rep_ty = abstract_type 'gen_I' 'key';;
let INTERP_def = new_definition
  ('INTERP',
   "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
     INTERP rep s e =
       !t:time.
         let n = (key rep (select rep (s t) (e t))) in (




  EXPAND_LET_RULE INTERP_def);;
let inst_correct_def = new_definition
  ('INST_CORRECT',
   "! inst : (*key # (*state->*env->*state))
      (s' : time'->*state')
      (e' : time'->*env') .
     INST_CORRECT rep s' e' inst =
       (Impl (rep:^I_rep_ty) s' e') ==>
       (!t:time'.
         let s = (\t. (substate rep (s' t))) in
         let e = (\t. (subenv rep (e' t))) in
         let f = (\t. (count rep (s' t) (e' t) = (start rep))) in (
           (select rep (s t) (e t) = (FST inst)) /\
           (count rep (s' t) (e' t) = (start rep)) ==>
           ? c.
             Next f (t,t+c) /\












"!k:*key. (key (rop:*t_rep.ty) k) < (LEBGTH (Lust.list rep)) °'
"!k:+ke 7 . k = (FST (EL (key (rep:+I_rop_ty) k) (inst_list rep)))"
let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
  (([],
    "let s = (\t:time .(substate rep (s' t))) and
         e = (\t:time .(subenv rep (e' t))) and
         f = (\t. (count rep (s' t) (e' t) = (start rep))) in (
     (Impl (rep:^I_rep_ty)) s' e' ==>
     (!t:time'.
       (count rep (s' t) (e' t) = (start rep)) ==>
       ? c .
         Next f (t,t+c) /\
         ((substate rep (s' (t + c))) =
          (SND (EL (key rep (select rep (s t) (e t)))




   THEN POP_ASSUM_LIST (\asl .
     let asl' =




              (SPEC "(key (rep:^I_rep_ty)
                       (select rep
                         (substate rep(s' t))
                         (subenv rep (e' t))))" thm) ?
              (SPEC "(select (rep:^I_rep_ty)
                       (substate rep(s' t))
                       (subenv rep (e' t)))" thm) ?
              thm) asl'))
   THEN RES_TAC








  EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA);;
let IMPL_I_CORRECT = prove_thm
  ('IMPL_I_CORRECT',
   "let s = (\t:time .(substate rep (s' t))) and
        e = (\t:time .(subenv rep (e' t))) and
        f = (\t:time .(count rep (s' t) (e' t) = (start rep))) in
    let abs = (Temp_Abs f) in (
     (Impl (rep:^I_rep_ty)) s' e' /\
     (?t. f t) ==>




   THEN PURE_REWRITE_TAC [INTERP_DEF_EXPANDED; o_DEF]





       SPECL ["(\t:time . (count rep (s' t) (e' t) =
                 (start (rep:^I_rep_ty))))";
              "(\(t1:time,t2:time) .




                      (substate rep (s' t1))
                      (subenv rep (e' t1))))
                    (inst_list rep)))
                  (substate rep (s' t1))
                  (subenv rep (e' t1)))"
             ] INF_Temp_Abs)))
   THEN CONJ_TAC
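The time_abs and gen_I theories above relate implementation time to interpreter time: First and Next pick out the times at which a predicate holds, Temp_Abs projects them into a sequence, and IMPL_I_CORRECT applies that projection with f = (count = start), the predicate that the implementation is at the start of an instruction, so that substate of the implementation at Temp_Abs f u is the interpreter state at u. The Python model below is an added example, not HOL code from the report: it evaluates those definitions on a bounded horizon for a constructed three-instruction machine (PROGRAM, CYCLES, INST_LIST, impl_step and HORIZON are all assumptions of the example) and checks the synchronous I_CLOCK_LEMMA relation Temp_Abs f u = time_shift u as well.

```python
"""Finite model of First / Next / Temp_Abs and of projecting an implementation
trace onto the generic interpreter. Added example; all names and the toy
machine are assumptions, not the report's definitions."""
from typing import Callable, List, Optional, Tuple

Pred = Callable[[int], bool]
HORIZON = 64  # constructed bound on implementation time

def is_first(g: Pred, t: int) -> bool:
    """First g t  =  (!p. p < t ==> ~(g p)) /\ (g t)"""
    return g(t) and not any(g(p) for p in range(t))

def is_next(g: Pred, t1: int, t2: int) -> bool:
    """Next g (t1,t2): t1 < t2, g holds at t2 and at no time strictly between."""
    return t1 < t2 and g(t2) and not any(g(t) for t in range(t1 + 1, t2))

def temp_abs(g: Pred, u: int) -> Optional[int]:
    """Temp_Abs g u: the u-th time (from 0) at which g holds; None if not within HORIZON."""
    t = next((t for t in range(HORIZON) if g(t)), None)  # Temp_Abs g 0 = @t. First g t
    for _ in range(u):
        if t is None:
            return None
        t = next((t2 for t2 in range(t + 1, HORIZON) if g(t2)), None)  # @t2. Next g (t,t2)
    return t

# ---- constructed abstract machine: the interpreter level ----
AbsState = Tuple[int, int]                      # (pc, acc)
PROGRAM = ["INC", "DBL", "NOP", "INC", "DBL"]   # constructed code memory (the environment)
CYCLES = {"INC": 2, "DBL": 3, "NOP": 1}         # cycles rep: micro-cycles per instruction

def select(st: AbsState) -> str:                # select rep: instruction chosen in state st
    return PROGRAM[st[0] % len(PROGRAM)]

INST_LIST = [                                   # inst_list rep: (key, semantic function)
    ("INC", lambda st: (st[0] + 1, st[1] + 1)),
    ("DBL", lambda st: (st[0] + 1, st[1] * 2)),
    ("NOP", lambda st: (st[0] + 1, st[1])),
]
KEY = {name: i for i, (name, _) in enumerate(INST_LIST)}

def interp_step(st: AbsState) -> AbsState:
    """One INTERP step: s(u+1) = SND (EL (key (select s)) inst_list) s."""
    return INST_LIST[KEY[select(st)]][1](st)

# ---- constructed implementation: the Impl level ----
ImplState = Tuple[AbsState, int]   # (substate, count): count = micro-cycle within the instruction
START = 0                          # start rep

def impl_step(st: ImplState) -> ImplState:
    abs_st, count = st
    if count + 1 == CYCLES[select(abs_st)]:
        return interp_step(abs_st), START       # the instruction completes on its last cycle
    return abs_st, count + 1

def impl_trace(init: AbsState) -> List[ImplState]:
    """s' : time' -> *state', computed for t < HORIZON."""
    tr = [(init, START)]
    while len(tr) < HORIZON:
        tr.append(impl_step(tr[-1]))
    return tr

def time_shift(init: AbsState, n: int) -> int:
    """time_shift f s e n with f = cycles o select: total cycles of the first n instructions."""
    t, st = 0, init
    for _ in range(n):
        t += CYCLES[select(st)]
        st = interp_step(st)
    return t

def check_projection(init: AbsState, steps: int) -> bool:
    """IMPL_I_CORRECT on the finite model: project s' through Temp_Abs f, f t = (count (s' t) = start),
    and compare with the interpreter; also checks INF_Temp_Abs (Next between projections)
    and the synchronous I_CLOCK_LEMMA relation Temp_Abs f u = time_shift u."""
    trace = impl_trace(init)
    f: Pred = lambda t: trace[t][1] == START
    ts = [temp_abs(f, u) for u in range(steps + 1)]
    if any(t is None for t in ts) or not is_first(f, ts[0]):
        return False
    abs_st = init
    for u in range(steps):
        if not is_next(f, ts[u], ts[u + 1]):       # Next f (Temp_Abs f u, Temp_Abs f (u+1))
            return False
        if ts[u] != time_shift(init, u):           # abstract clock agrees with time_shift
            return False
        if trace[ts[u]][0] != abs_st:              # substate (s' (abs u)) = s u
            return False
        abs_st = interp_step(abs_st)
    return True
```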






3.2 The Word Representation
This section presents the ML code that creates the theory aux_def.th.
File: def_aux.ml
Description:
Defines generic functions used in subsequent specifications.
Author: (c) P. J. Windley 1989
Date: 29 DEC 89






new_type_abbrev ('time', ":num");;
let abs_rep = new_abstract_representation [
  % ALU functions %
  % addition without carry %
  ('add', ":(*wordn # *wordn -> *wordn)");
  % addition with carry %
  ('addc', ":(*wordn # *wordn # bool -> *wordn)");
  % carry predicate for add %
  ('addp', ":(*wordn # *wordn # *wordn) -> bool");
  % carry predicate for addc %
  ('addcp', ":(*wordn # *wordn # *wordn) -> bool");
  % overflow predicate for add %
  ('aovfl', ":(*wordn # *wordn # *wordn) -> bool");
  % increment %
  ('inc', ":(*wordn -> *wordn)");
  % subtract without carry %
  ('sub', ":(*wordn # *wordn -> *wordn)");
  % subtract with carry %
  ('subc', ":(*wordn # *wordn # bool) -> *wordn");
  % carry predicate for sub %
  ('subp', ":(*wordn # *wordn # *wordn) -> bool");
  % overflow predicate for sub %
  ('sovfl', ":(*wordn # *wordn # *wordn) -> bool");
  % decrement %
  ('dec', ":(*wordn -> *wordn)");
  % bitwise and %
  ('band', ":(*wordn # *wordn -> *wordn)");
  % bitwise xor %
  ('bxor', ":(*wordn # *wordn -> *wordn)");
  % bitwise or %
  ('bor', ":(*wordn # *wordn -> *wordn)");
  % bitwise not %
  ('bnot', ":(*wordn -> *wordn)");
  % Test functions %
  % negative? %
  ('negp', ":(*wordn -> bool)");
  % zero? %
  ('zerop', ":(*wordn -> bool)");
  % SHIFTER functions %
  % shift left %
  ('shl', ":(*wordn -> *wordn)");
  % shift right %
  ('shr', ":(*wordn -> *wordn)");
  % arithmetic shift right %
  ('asr', ":(*wordn -> *wordn)");
  % Bit functions %
  % most significant bit %
  ('msb', ":(*wordn -> bool)");
  % least significant bit %
  ('lsb', ":(*wordn -> bool)");
  % Coercion functions %
  % numeric value of n-bit word %
  ('val', ":(*wordn -> num)");
  % wordn representation of number %
  ('wordn', ":(num -> *wordn)");
  % address representation of a word %




















  % opcode portion of word %
  ('opcode', ":(*wordn -> (bool#bool#bool#bool#bool#bool))");
  % destination portion of word %
  ('dest', ":(*wordn -> *reg_len)");
  % source A portion of word %
  ('srca', ":(*wordn -> *reg_len)");
  % source B portion of word %
  ('srcb', ":(*wordn -> *reg_len)");
  % value of reg_len %
  ('reg_len', ":(*reg_len -> num)");
  % immediate portion of word %
  ('imm', ":(*wordn -> *wordn)");
  % Subranging functions for the Program Status Word %
  % interrupt enable bit in word %
  ('get_ie', ":(*wordn -> bool)");
  % supervisory mode bit in word %
  ('get_sm', ":(*wordn -> bool)");
  % carry bit in word %
  ('get_cf', ":(*wordn -> bool)");
  % overflow bit in word %
  ('get_vf', ":(*wordn -> bool)");
  % zero bit in word %
  ('get_zf', ":(*wordn -> bool)");
  % negative bit in word %
  ('get_nf', ":(*wordn -> bool)");
  % create psw %
  ('mk_psw', ":((bool#bool#bool#bool#bool#bool) -> *wordn)");
  % Memory functions %
  % fetch a word from memory %
  ('fetch', ":(*memory # *address) -> *wordn");
  % store a word in memory %
  ('store', ":(*memory # *address # *wordn) -> *memory");
  % transmute memory %
  ('trans', ":*memory -> *memory");
  % Interrupt instructions %
  ('int_trans', ":*wordn -> *wordn");
  ('int_fetch', ":*wordn -> *wordn")
];;




This section presents several auxiliary theories that are used throughout the specification and verification of AVM-1.
3.3.1 Auxiliary Theorems
This section presents the ML code that creates the theory aux_thms.th.
File: mk_aux.ml
Author: (c) P. J. Windley 1990
Date: 15 JAN 90
Modified:
Description:
Prove auxiliary theorems used in subsequent proofs.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;




  ['tuple/'; 'decimal/'; 'uso¢/']));;
system '/bin/rm aux_thms.th';;
new_theory 'aux_thms';;
loadf 'tuple';;
% Auxiliary list definitions and theorems %
let SET_EL_DEF = new_prim_rec_definition
  ('SET_EL_DEF',
   "(SET_EL 0 (lst:(*)list) x = (CONS x (TL lst))) /\
    (SET_EL (SUC n) lst x = (CONS (HD lst) (SET_EL n (TL lst) x)))"
  );;
let SET_EL = prove_thm
  ('SET_EL',
   "! h t x .
     (SET_EL 0 (CONS h t) x = (CONS x t)) /\
     (SET_EL (SUC n) (CONS h t) x = (CONS h (SET_EL n t x)))",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [SET_EL_DEF; HD; TL]
  );;
let EL_SET_EL = prove_thm
  ('EL_SET_EL',
   "! x n lst . EL n (SET_EL n lst x) = x",
   GEN_TAC
   THEN INDUCT_TAC
   THEN REWRITE_TAC [SET_EL_DEF; EL; CONS; TL; HD]
   THEN LIST_INDUCT_TAC
   THENL [





% Auxiliary boolean definitions and theorems %
let xor = new_infix_definition
  ('xor',
   "! a b . $xor a b = (a /\ ~b) \/ (~a /\ b)"
  );;
% Define addition of a number with a bt6 value %
let add_bt6 = new_definition
  ('add_bt6',
   "! x y .
     add_bt6 x y =
       bt6_ival ((bt6_val x) + y)"
  );;
let OFFSET = "4";;
let PLUS_4_LEMMA = TAC_PROOF
  (([],




% Some other nice conversions %
let is_SND_term t =
  if is_comb t then
    fst(dest_const(fst(strip_comb t))) = 'SND'
  else
    false;;
let SND_CONV t =
  if is_SND_term t then
    let op,pr = dest_comb t in






let inv_num_CONV n = (
  let x,y = dest_comb n in
  let y_inc = int_to_term ((term_to_int y) + 1) in
  if not(x = "SUC") then fail else
  SYM_RULE (num_CONV y_inc))
  ? failwith 'inv_num_CONV';;
% Prove that the table lookup doesn't end up at the beginning of ROM
  OFFSET_NOT_BEGINNING = |- !b. ~(add_bt6(F,SND b)4 = F,F,F,F,F,F)
  Run time: 1110.9s
  Intermediate theorems generated: 32451
%
let OFFSET_NOT_BEGINNING = TAC_PROOF
  (([],




   THEN CONV_TAC (ONCE_DEPTH_CONV SND_CONV)
   THEN CONV_TAC (ONCE_DEPTH_CONV bt6_val_CONV)
   THEN PURE_ONCE_REWRITE_TAC [PLUS_4_LEMMA]
   THEN CONV_TAC (TOP_DEPTH_CONV inv_num_CONV)






3.3.2 The Jump Condition
This section presents the ML code that creates the theory jump_def.th.
File: def_jump.ml
Author: (c) P. J. Windley 1990
Date: 9 APR 90
Modified:
Description:
Defines the function used to describe the jump unit in the
EBM and to describe jump condition selection in the
other levels.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;




  ['tuple/'; 'decimal/']));;
loadf 'abstract';;
system '/bin/rm jump_def.th';;
new_theory 'jump_def';;
map new_parent ['aux_def'; 'aux_thms'];;
let rep_ty = abstract_type 'aux_def' 'get_sm';;
% This definition is used in the jump instruction. %
let JUMP_COND = new_definition
  ('JUMP_COND',
   "! d . JUMP_COND (rep:^rep_ty) d psw =
     let cf = (get_cf rep psw) and
         vf = (get_vf rep psw) and
         nf = (get_nf rep psw) and







       (d = 2) =>
       (d = 3) =>
       (d = 4) =>
       (d = 5) =>
       (d = 6) =>
       (d = 7) =>
       (d = 8) =>
       (d = 9) =>
       (d = 10) =>
       (d = 11) =>
       (d = 12) =>











"((nf xor v_) V zl)
       ((nf xor vf) \/ zf)
       T )"
% carry %









% lower or same (unsigned) %
% higher (unsigned) %
% less than (signed) %
% greater or equal (signed) %
% greater than (signed) %
% greater or equal (signed) %
% always %
3.3.3 The Register File







(c) P. J. Windley 1990
18 JAN 90
IOFFJ 90
Defines functions for selecting registers in the register file.
These functions are used in many of the specifications.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;








map new_parent ['aux_def'; 'aux_thms'];;
let rep_ty = abstract_type 'aux_def' 'get_sm';;
% Special names for some of the registers in the register file.
  No magic numbers here! %
let zero_reg = new_definition ('zero_reg', "zero_reg = 0");;
let ZERO_REG = new_definition
  ('ZERO_REG',
   "! reg_list:(*wordn)list . ZERO_REG reg_list = (EL zero_reg reg_list)"
  );;
% Supervisor registers are from 1-7 %
let IS_SUP_REG = new_definition
  ('IS_SUP_REG',
   "!n. IS_SUP_REG n = (0 < n) /\ (n < 8)"
  );;
let ssp_reg = new_definition ('ssp_reg', "ssp_reg = 1");;
let SSP_REG = new_definition
  ('SSP_REG',
   "! reg_list:(*wordn)list . SSP_REG reg_list = (EL ssp_reg reg_list)"
  );;
let UPDATE_REG = new_definition
  ('UPDATE_REG',
   "! (rep:^rep_ty) psw n (reg_list:(*wordn)list) value .
     UPDATE_REG rep psw n reg_list value =
       let sm = (get_sm rep psw) in
       (n = zero_reg) => reg_list |
       (IS_SUP_REG n /\ ~sm) => reg_list |




3.4 The Electronic Block Model
This section presents the theories that define the electronic block model.
3.4.1 A 16 Input Multiplexor







(c) P. J. Windley 1989, 1990
29 DEC 89
13 JAN 90
Defines a 16 input MUX used in subsequent specifications.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;







let mux_16_def = new_definition
  ('MUX_16_DEF',





       (select = (F,F,F,F)) => b0 |
       (select = (F,F,F,T)) => b1 |
       (select = (F,F,T,F)) => b2 |
       (select = (F,F,T,T)) => b3 |
       (select = (F,T,F,F)) => b4 |
       (select = (F,T,F,T)) => b5 |
       (select = (F,T,T,F)) => b6 |
       (select = (F,T,T,T)) => b7 |
       (select = (T,F,F,F)) => b8 |
       (select = (T,F,F,T)) => b9 |
       (select = (T,F,T,F)) => b10 |
       (select = (T,F,T,T)) => b11 |
       (select = (T,T,F,F)) => b12 |
       (select = (T,T,F,T)) => b13 |




let mux_16_application = prove_thm
  ('MUX_16',
   "! (b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15 r:*) .
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,F,F,F) r) = (r = b0)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,F,F,T) r) = (r = b1)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,F,T,F) r) = (r = b2)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,F,T,T) r) = (r = b3)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,T,F,F) r) = (r = b4)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,T,F,T) r) = (r = b5)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,T,T,F) r) = (r = b6)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (F,T,T,T) r) = (r = b7)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,F,F,F) r) = (r = b8)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,F,F,T) r) = (r = b9)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,F,T,F) r) = (r = b10)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,F,T,T) r) = (r = b11)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,T,F,F) r) = (r = b12)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,T,F,T) r) = (r = b13)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
              (T,T,T,F) r) = (r = b14)) /\
     ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)





3.4.2 A Generic ALU







(c) P. J. Windley 1989, 1990
29 DEC 89
13 JAN 90
Defines a generic ALU used in subsequent specifications. The
theory contains a generic proof.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;










let alu_abs = new_abstract_representation
  [
    ('func0', ":*inputs->*output->*flags->bool");
    ('func1', ":*inputs->*output->*flags->bool");
    ('func2', ":*inputs->*output->*flags->bool");
    ('func3', ":*inputs->*output->*flags->bool");
    ('func4', ":*inputs->*output->*flags->bool");
    ('func5', ":*inputs->*output->*flags->bool");
    ('func6', ":*inputs->*output->*flags->bool");
    ('func7', ":*inputs->*output->*flags->bool");
    ('func8', ":*inputs->*output->*flags->bool");
    ('func9', ":*inputs->*output->*flags->bool");
    ('func10', ":*inputs->*output->*flags->bool");
    ('func11', ":*inputs->*output->*flags->bool");
    ('func12', ":*inputs->*output->*flags->bool");
    ('func13', ":*inputs->*output->*flags->bool");
    ('func14', ":*inputs->*output->*flags->bool");
    ('func15', ":*inputs->*output->*flags->bool");
    ('module0', ":*inputs->*output->*flags->bool");
    ('module1', ":*inputs->*output->*flags->bool");
    ('module2', ":*inputs->*output->*flags->bool");
    ('module3', ":*inputs->*output->*flags->bool");
    ('module4', ":*inputs->*output->*flags->bool");
    ('module5', ":*inputs->*output->*flags->bool");
    ('module6', ":*inputs->*output->*flags->bool");
    ('module7', ":*inputs->*output->*flags->bool");
    ('module8', ":*inputs->*output->*flags->bool");
    ('module9', ":*inputs->*output->*flags->bool");
    ('module10', ":*inputs->*output->*flags->bool");
    ('module11', ":*inputs->*output->*flags->bool");
    ('module12', ":*inputs->*output->*flags->bool");
    ('module13', ":*inputs->*output->*flags->bool");
    ('module14', ":*inputs->*output->*flags->bool");
    ('module15', ":*inputs->*output->*flags->bool")
  ];;
make_inst_thms alu_abs;;
let alu_rep_ty = abstract_type 'gen_alu' 'func0';;
let dummy_op_def = new_definition
  ('DUMMY_OP',
   "DUMMY_OP = \x:one .F"
  );;
);;
let alu_spec_def = new_definition
  ('ALU_SPEC_DEF',
   "! (rep:^alu_rep_ty) switch inputs output flags .
     ALU_SPEC rep switch inputs output flags =
       ((switch = (F,F,F,F)) => (
          (func0 rep) inputs output flags) |
        (switch = (F,F,F,T)) => (
          (func1 rep) inputs output flags) |
        (switch = (F,F,T,F)) => (
          (func2 rep) inputs output flags) |
        (switch = (F,F,T,T)) => (
          (func3 rep) inputs output flags) |
        (switch = (F,T,F,F)) => (
          (func4 rep) inputs output flags) |
        (switch = (F,T,F,T)) => (
          (func5 rep) inputs output flags) |
        (switch = (F,T,T,F)) => (
          (func6 rep) inputs output flags) |
        (switch = (F,T,T,T)) => (
          (func7 rep) inputs output flags) |
        (switch = (T,F,F,F)) => (
          (func8 rep) inputs output flags) |
        (switch = (T,F,F,T)) => (
          (func9 rep) inputs output flags) |
        (switch = (T,F,T,F)) => (
          (func10 rep) inputs output flags) |
        (switch = (T,F,T,T)) => (
          (func11 rep) inputs output flags) |
        (switch = (T,T,F,F)) => (
          (func12 rep) inputs output flags) |
        (switch = (T,T,F,T)) => (
          (func13 rep) inputs output flags) |
        (switch = (T,T,T,F)) => (
          (func14 rep) inputs output flags) |
        % default %
          (func15 rep) inputs output flags)"
  );;
let ALU_SPEC = prove_thm
  ('ALU_SPEC',
   "! (rep:^alu_rep_ty) inputs output flags .
     (ALU_SPEC rep (F,F,F,F) inputs output flags =
        (func0 rep) inputs output flags) /\
     (ALU_SPEC rep (F,F,F,T) inputs output flags =
        (func1 rep) inputs output flags) /\
     (ALU_SPEC rep (F,F,T,F) inputs output flags =
        (func2 rep) inputs output flags) /\
     (ALU_SPEC rep (F,F,T,T) inputs output flags =
        (func3 rep) inputs output flags) /\
     (ALU_SPEC rep (F,T,F,F) inputs output flags =
        (func4 rep) inputs output flags) /\
     (ALU_SPEC rep (F,T,F,T) inputs output flags =
        (func5 rep) inputs output flags) /\
     (ALU_SPEC rep (F,T,T,F) inputs output flags =
        (func6 rep) inputs output flags) /\
     (ALU_SPEC rep (F,T,T,T) inputs output flags =
        (func7 rep) inputs output flags) /\
     (ALU_SPEC rep (T,F,F,F) inputs output flags =
        (func8 rep) inputs output flags) /\
     (ALU_SPEC rep (T,F,F,T) inputs output flags =
        (func9 rep) inputs output flags) /\
     (ALU_SPEC rep (T,F,T,F) inputs output flags =
        (func10 rep) inputs output flags) /\
     (ALU_SPEC rep (T,F,T,T) inputs output flags =
        (func11 rep) inputs output flags) /\
     (ALU_SPEC rep (T,T,F,F) inputs output flags =
        (func12 rep) inputs output flags) /\
     (ALU_SPEC rep (T,T,F,T) inputs output flags =
        (func13 rep) inputs output flags) /\
     (ALU_SPEC rep (T,T,T,F) inputs output flags =
        (func14 rep) inputs output flags) /\
     (ALU_SPEC rep (T,T,T,T) inputs output flags =
        (func15 rep) inputs output flags)",
   REWRITE_TAC [alu_spec_def; PAIR_EQ]
  );;
% Generic implementation %
let alu_imp_def = new_definition
  ('ALU_IMP',
   "! (rep:^alu_rep_ty) switch inputs output flags .
     ALU_IMP rep switch inputs output flags =
       ? r0 f0 r1 f1 r2 f2 r3 f3 r4 f4 r5 f5 r6 f6 r7 f7 r8 f8 r9
         f9 r10 f10 r11 f11 r12 f12 r13 f13 r14 f14 r15 f15 .
       (((module0 rep) inputs r0 f0) /\
        ((module1 rep) inputs r1 f1) /\
        ((module2 rep) inputs r2 f2) /\
        ((module3 rep) inputs r3 f3) /\
        ((module4 rep) inputs r4 f4) /\
        ((module5 rep) inputs r5 f5) /\
        ((module6 rep) inputs r6 f6) /\
        ((module7 rep) inputs r7 f7) /\
        ((module8 rep) inputs r8 f8) /\
        ((module9 rep) inputs r9 f9) /\
        ((module10 rep) inputs r10 f10) /\
        ((module11 rep) inputs r11 f11) /\
        ((module12 rep) inputs r12 f12) /\
        ((module13 rep) inputs r13 f13) /\
        ((module14 rep) inputs r14 f14) /\
  );;









       (func0 rep inputs output flags)";
     "!inputs output flags.
       (module1 (rep:^alu_rep_ty) inputs output flags) ==>
       (func1 rep inputs output flags)";
     "!inputs output flags.
       (module2 (rep:^alu_rep_ty) inputs output flags) ==>
       (func2 rep inputs output flags)";
     "!inputs output flags.
       (module3 (rep:^alu_rep_ty) inputs output flags) ==>
       (func3 rep inputs output flags)";
     "!inputs output flags.
       (module4 (rep:^alu_rep_ty) inputs output flags) ==>
       (func4 rep inputs output flags)";
     "!inputs output flags.
       (module5 (rep:^alu_rep_ty) inputs output flags) ==>
       (func5 rep inputs output flags)";
     "!inputs output flags.
       (module6 (rep:^alu_rep_ty) inputs output flags) ==>
       (func6 rep inputs output flags)";
     "!inputs output flags.
       (module7 (rep:^alu_rep_ty) inputs output flags) ==>
       (func7 rep inputs output flags)";
     "!inputs output flags.
       (module8 (rep:^alu_rep_ty) inputs output flags) ==>
       (func8 rep inputs output flags)";
     "!inputs output flags.
       (module9 (rep:^alu_rep_ty) inputs output flags) ==>
       (func9 rep inputs output flags)";
     "!inputs output flags.
       (module10 (rep:^alu_rep_ty) inputs output flags) ==>
       (func10 rep inputs output flags)";
     "!inputs output flags.
       (module11 (rep:^alu_rep_ty) inputs output flags) ==>
       (func11 rep inputs output flags)";
     "!inputs output flags.
       (module12 (rep:^alu_rep_ty) inputs output flags) ==>
       (func12 rep inputs output flags)";
     "!inputs output flags.
       (module13 (rep:^alu_rep_ty) inputs output flags) ==>
       (func13 rep inputs output flags)";

















       (module14 (rep:^alu_rep_ty) inputs output flags) ==>
       (func14 rep inputs output flags)";
     "!inputs output flags.
       (module15 (rep:^alu_rep_ty) inputs output flags) ==>
       (func15 rep inputs output flags)";
    ];;













  (neg, zero, ovfl, carry)
  Run time: 1081.2s
  Intermediate theorems generated: 67847
%
prove_thm
  ('ALU_CORRECT',
















3.4.3 The Arithmetic Logic Unit







(c) P. J. Windley 1989, 1990
29 DEC 89
13 JAN 90
Defines a ALU used in subsequent specifications using
generic operators from the auxiliary definitions theory
and a generic ALU from the theory of generic alu's.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';








map new_parent ['mux_def'; 'gen_alu'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let add_without_carry_def = new_definition
  ('ADD_WITHOUT_CARRY',
   "! (rep:^rep_ty) in_A in_B (cin:bool) out neg zero ovfl carry .
     ADD_WITHOUT_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (add rep) (in_A,in_B) in
       let c = (addp rep) (in_A,in_B,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = (aovfl rep) (in_A,in_B,result) in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let add_with_carry_def = new_definition
  ('ADD_WITH_CARRY',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     ADD_WITH_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (addc rep) (in_A,in_B,cin) in
       let c = (addcp rep) (in_A,in_B,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = (aovfl rep) (in_A,in_B,result) in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let increment_def = new_definition
  ('INCREMENT',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     INCREMENT rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (inc rep) in_A in
       let c = (addp rep) (in_A,(wordn rep) 0,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let sub_without_carry_def = new_definition
  ('SUB_WITHOUT_CARRY',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     SUB_WITHOUT_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (sub rep) (in_A,in_B) in
       let c = (subp rep) (in_A,in_B,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = (sovfl rep) (in_A,in_B,result) in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let sub_with_carry_def = new_definition
  ('SUB_WITH_CARRY',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     SUB_WITH_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (subc rep) (in_A,in_B,cin) in
       let c = (subp rep) (in_A,in_B,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = (sovfl rep) (in_A,in_B,result) in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let decrement_def = new_definition
  ('DECREMENT',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     DECREMENT rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (dec rep) in_A in
       let c = (subp rep) (in_A,(wordn rep) 0,result) and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let bitwise_and_def = new_definition
  ('BITWISE_AND',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     BITWISE_AND rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (band rep) (in_A,in_B) in
       let c = F and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let bitwise_xor_def = new_definition
  ('BITWISE_XOR',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     BITWISE_XOR rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (bxor rep) (in_A,in_B) in
       let c = F and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let bitwise_or_def = new_definition
  ('BITWISE_OR',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     BITWISE_OR rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (bor rep) (in_A,in_B) in
       let c = F and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let bitwise_not_def = new_definition
  ('BITWISE_NOT',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     BITWISE_NOT rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       let result = (bnot rep) in_A in
       let c = F and
           n = (negp rep) result and
           z = (zerop rep) result and
           v = F in
       ((out = result) /\ (neg = n) /\ (zero = z) /\
        (ovfl = v) /\ (carry = c))"
  );;
let alu_noop_def = new_definition
  ('ALU_NOOP',
   "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
     ALU_NOOP rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
       ((out = in_A) /\ (neg = ((negp rep) in_A)) /\
        (zero = ((zerop rep) in_A)) /\
        (ovfl = F) /\ (carry = F))"
  );;
let dummy_module_def = new_definition
  ('DUMMY_MODULE_DEF',
   "!(rep:^rep_ty) (in_A in_B out:*wordn) (cin neg zero ovfl carry:bool) .
     DUMMY_MODULE_DEF rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) = F"
  );;
let alu_spec_def = new_definition
  ('MAC2_ALU_SPEC_DEF',
   "! (rep:^rep_ty) switch in_A in_B cin out (neg zero ovfl carry:bool) .


















         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
         (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),




         switch (in_A,in_B,cin) out (neg,zero,ovfl,carry)"







|- !rep switch in_A in_B cin out neg zero ovfl carry.
     MAC2_ALU_SPEC rep switch(in_A,in_B,cin)out(neg,zero,ovfl,carry) =
     ((switch = F,F,F,F) =>
       ADD_WITHOUT_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
      ((switch = F,F,F,T) =>
        ADD_WITH_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
       ((switch = F,F,T,F) =>
         INCREMENT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
        ((switch = F,F,T,T) =>
          SUB_WITHOUT_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
         ((switch = F,T,F,F) =>
           SUB_WITH_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
          ((switch = F,T,F,T) =>
            DECREMENT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
           ((switch = F,T,T,F) =>
             BITWISE_AND rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
            ((switch = F,T,T,T) =>
              BITWISE_XOR rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
             ((switch = T,F,F,F) =>
               BITWISE_OR rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
              ((switch = T,F,F,T) =>
                BITWISE_NOT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
               ((switch = T,F,T,F) =>
                 ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
                ((switch = T,F,T,T) =>
                  ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
                 ((switch = T,T,F,F) =>
                   ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
                  ((switch = T,T,F,T) =>
                    ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
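MAC2_ALU_SPEC above selects one of the arithmetic definitions by a four-bit switch, and each definition fixes out together with the (neg, zero, ovfl, carry) flags through the abstract word operations of aux_def (add, addp, aovfl, negp, zerop, ...). The Python model below is an added example, not code from the report: it instantiates those abstract operations on WIDTH-bit two's-complement words so the switch table can be executed and the flag outputs checked on concrete operands. The two's-complement instantiation, the borrow meaning given to subp, the borrow-in reading of subc's bool, and routing the two switch values missing from the listing (T,T,T,F and T,T,T,T) to ALU_NOOP are assumptions of the example.

```python
"""Executable model of MAC2_ALU_SPEC and the ALU definitions of the report.
Added example; the word-level instantiation below is an assumption."""
from typing import Callable, Dict, Tuple

WIDTH = 8                               # constructed word width
MASK = (1 << WIDTH) - 1
Switch = Tuple[bool, bool, bool, bool]
Flags = Tuple[bool, bool, bool, bool]   # (neg, zero, ovfl, carry)

# --- assumed instantiation of the aux_def word operations (two's complement) ---
def wordn(n: int) -> int: return n & MASK                   # wordn rep
def negp(w: int) -> bool: return bool(w >> (WIDTH - 1))     # negp rep: msb set
def zerop(w: int) -> bool: return w == 0                     # zerop rep
def add(a, b): return wordn(a + b)                           # add rep
def addc(a, b, cin): return wordn(a + b + int(cin))          # addc rep
def inc(a): return wordn(a + 1)                              # inc rep
def sub(a, b): return wordn(a - b)                           # sub rep
def subc(a, b, cin): return wordn(a - b - int(cin))          # subc rep (cin as borrow-in: assumption)
def dec(a): return wordn(a - 1)                              # dec rep
def band(a, b): return a & b                                 # band rep
def bxor(a, b): return a ^ b                                 # bxor rep
def bor(a, b): return a | b                                  # bor rep
def bnot(a): return wordn(~a)                                # bnot rep

def addp(a: int, b: int, result: int) -> bool:
    """addp rep (in_A,in_B,result): carry out of the addition that produced result.
    The carry-in is recovered from result, so the same predicate serves as addcp."""
    cin = (result - a - b) & MASK
    return a + b + cin > MASK
addcp = addp

def subp(a: int, b: int, result: int) -> bool:
    """subp rep: borrow out of the subtraction that produced result (assumption)."""
    bin_ = (a - b - result) & MASK
    return a < b + bin_

def aovfl(a: int, b: int, result: int) -> bool:
    """aovfl rep: signed overflow of an addition (operands agree in sign, result differs)."""
    return negp(a) == negp(b) and negp(result) != negp(a)

def sovfl(a: int, b: int, result: int) -> bool:
    """sovfl rep: signed overflow of a subtraction."""
    return negp(a) != negp(b) and negp(result) != negp(a)

# --- the ALU definitions; each returns the unique (out, flags) the HOL relation admits ---
def ADD_WITHOUT_CARRY(a, b, cin):
    r = add(a, b)
    return r, (negp(r), zerop(r), aovfl(a, b, r), addp(a, b, r))
def ADD_WITH_CARRY(a, b, cin):
    r = addc(a, b, cin)
    return r, (negp(r), zerop(r), aovfl(a, b, r), addcp(a, b, r))
def INCREMENT(a, b, cin):                      # c = addp (in_A, wordn 0, result), v = F
    r = inc(a)
    return r, (negp(r), zerop(r), False, addp(a, wordn(0), r))
def SUB_WITHOUT_CARRY(a, b, cin):
    r = sub(a, b)
    return r, (negp(r), zerop(r), sovfl(a, b, r), subp(a, b, r))
def SUB_WITH_CARRY(a, b, cin):
    r = subc(a, b, cin)
    return r, (negp(r), zerop(r), sovfl(a, b, r), subp(a, b, r))
def DECREMENT(a, b, cin):                      # c = subp (in_A, wordn 0, result), v = F
    r = dec(a)
    return r, (negp(r), zerop(r), False, subp(a, wordn(0), r))
def _logic(op: Callable[[int, int], int]):     # BITWISE_*: c = F and v = F
    def f(a, b, cin):
        r = op(a, b)
        return r, (negp(r), zerop(r), False, False)
    return f
BITWISE_AND, BITWISE_XOR, BITWISE_OR = _logic(band), _logic(bxor), _logic(bor)
BITWISE_NOT = _logic(lambda a, b: bnot(a))
def ALU_NOOP(a, b, cin):                       # out = in_A, flags from in_A, ovfl = carry = F
    return a, (negp(a), zerop(a), False, False)

def switch(n: int) -> Switch:
    """Four-bit switch as the (msb, ..., lsb) bool tuple used in the HOL definition."""
    return tuple(bool((n >> i) & 1) for i in (3, 2, 1, 0))  # type: ignore[return-value]

ALU_TABLE: Dict[Switch, Callable] = {
    switch(0): ADD_WITHOUT_CARRY, switch(1): ADD_WITH_CARRY, switch(2): INCREMENT,
    switch(3): SUB_WITHOUT_CARRY, switch(4): SUB_WITH_CARRY, switch(5): DECREMENT,
    switch(6): BITWISE_AND, switch(7): BITWISE_XOR, switch(8): BITWISE_OR,
    switch(9): BITWISE_NOT,
}   # 10..13 are ALU_NOOP in the listing; 14 and 15 are assumed to be ALU_NOOP as well

def MAC2_ALU_SPEC(sw: Switch, in_A: int, in_B: int, cin: bool) -> Tuple[int, Flags]:
    """MAC2_ALU_SPEC rep switch (in_A,in_B,cin) out (neg,zero,ovfl,carry):
    the single (out, flags) pair for which the relation holds."""
    return ALU_TABLE.get(sw, ALU_NOOP)(in_A, in_B, cin)
```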








"! (a:bool) (bl xl yl:*) b2 b3 .
      (a => ((b1 = x1) /\ b2) | ((b1 = y1) /\ b3)) =





let COND_EQT_LEMMA = TAC_PROOF
  (([],
    "! (a:bool) (b1 x1 y1:*) b2 b3 .
      (a => (b1 = x1) | (b1 = y1)) =






  (([],"! (a:*->**) b (c d:*) .





let COND_NULL_LEMMA = TAC_PROOF
  (([],"! b (c: *) .


















                 alu_noop_def] MAC2_ALU_SPEC) in
let rule1 = SPEC "carry:bool" (SYM_RULE EQ_CLAUSE4) and
    rule2 = SPEC "ovfl:bool" (SYM_RULE EQ_CLAUSE4) in
let lemma1 = PURE_ONCE_REWRITE_RULE [rule1; rule2] MAC2_EXPANDED in
let lemma2 = UNDISCH(fst(EQ_IMP_RULE (SPEC_ALL lemma1))) in




let out_lemma = save_thm
   (GEN_ALL(DISCH_ALL (el 1 lemma_list)))
  );;
let neg_lemma = save_thm
  ('MAC2_NEG_LEMMA',
   (GEN_ALL (DISCH_ALL
     (PURE_REWRITE_RULE [COND_FUNC_LEMMA] (el 2 lemma_list))))
  );;
let zero_lemma = save_thm
  ('MAC2_ZERO_LEMMA',
   (GEN_ALL (DISCH_ALL




   (GEN_ALL(DISCH_ALL (el 4 lemma_list)))
  );;
let carry_lemma = save_thm
  ('MAC2_CARRY_LEMMA',
   (GEN_ALL(DISCH_ALL
     (PURE_REWRITE_RULE [COND_EQT_LEMMA] (el 5 lemma_list))))
  );;
3.4.4 The Shifter Unit
This section presents the ML code that creates the theory shifter_def.th.
File: def_shift.ml
Author: (c) P. J. Windley 1990
Date: 13 JAN 90
Description:
Defines a SHIFTER used in subsequent specifications using
generic operators from the auxiliary definitions theory.
Modification History:
May 16 1990
Added carry signal for shifter end bits.






map new_parent ['aux_def'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let shifter_spec_def = new_definition
('SHIFTER_SPEC',
"! (rep:^rep_ty) switch in_A out c_flag .
SHIFTER_SPEC rep switch in_A out c_flag =
((switch = (F,F)) => ((out = (shl rep) in_A) /\
(c_flag = (msb rep) in_A)) |
(switch = (F,T)) => ((out = (shr rep) in_A) /\
(c_flag = (lsb rep) in_A)) |
(switch = (T,F)) => ((out = (asr rep) in_A) /\
(c_flag = (lsb rep) in_A)) |
((out = in_A) /\
(c_flag = F)) )"
);;
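The ALU dispatch table above and SHIFTER_SPEC are HOL definitions, so nothing on the page can be run against concrete operands. The Python below is an added example, not code from the report or from Windley's HOL sources: it implements the same 4-bit ALU switch codes (the codes are those of the ALU mnemonic table in the microcode assembler section below), the 2-bit shifter codes with the shifter's carry rule (the msb falls out on shl, the lsb on shr and asr, c_flag = F when not shifting), and the ALU -> shifter -> carry-mux chain that the DATAPATH definition later wires together. The 8-bit word width, the flag conventions (neg = msb of the result, carry = adder carry-out, ovfl = signed overflow), and the reading of subtract-with-carry as a + ~b + cin are this model's assumptions; the report leaves them to the aux_def theory.

```python
"""Executable model of MAC2_ALU_SPEC's switch dispatch, SHIFTER_SPEC and the
carry multiplexer (MUX_1_SPEC on csrc_s).  Added example, not from the report.
Assumptions: 8-bit words; neg = msb of the result, zero = result is 0,
carry = adder carry-out, ovfl = signed (two's-complement) overflow;
SUB is a + ~b + 1, SUBC is a + ~b + cin, DEC is a + 0xFF."""

F, T = False, True
WIDTH = 8                         # assumption: an 8-bit instance of *wordn
MASK = (1 << WIDTH) - 1

# ALU switch codes, as in the ALU mnemonic table (add .. nop)
ADD, ADDC, INC, SUB = (F, F, F, F), (F, F, F, T), (F, F, T, F), (F, F, T, T)
SUBC, DEC, BAND, BXOR = (F, T, F, F), (F, T, F, T), (F, T, T, F), (F, T, T, T)
BOR, BNOT, NOP = (T, F, F, F), (T, F, F, T), (T, F, T, F)

# Shifter switch codes, as in SHIFTER_SPEC and the shifter mnemonic table
SHL, SHR, ASR, NSH = (F, F), (F, T), (T, F), (T, T)


def msb(x):
    return bool((x >> (WIDTH - 1)) & 1)


def lsb(x):
    return bool(x & 1)


def _adder(a, b, cin):
    """WIDTH-bit a + b + cin -> (result, carry_out, signed_overflow)."""
    full = a + b + cin
    res = full & MASK
    carry = full > MASK
    # overflow: both operands have the same sign and the result has the other
    ovfl = (msb(a) == msb(b)) and (msb(res) != msb(a))
    return res, carry, ovfl


def alu(switch, in_a, in_b, cin):
    """Dispatch on the 4-bit switch exactly as the HOL table does.
    Returns (out, neg, zero, ovfl, carry); the logical ops and the NOP
    codes leave ovfl and carry at F."""
    in_a &= MASK
    in_b &= MASK
    carry = ovfl = F
    if switch == ADD:
        out, carry, ovfl = _adder(in_a, in_b, 0)
    elif switch == ADDC:
        out, carry, ovfl = _adder(in_a, in_b, int(cin))
    elif switch == INC:
        out, carry, ovfl = _adder(in_a, 0, 1)
    elif switch == SUB:
        out, carry, ovfl = _adder(in_a, ~in_b & MASK, 1)
    elif switch == SUBC:
        out, carry, ovfl = _adder(in_a, ~in_b & MASK, int(cin))
    elif switch == DEC:
        out, carry, ovfl = _adder(in_a, MASK, 0)      # a + (-1)
    elif switch == BAND:
        out = in_a & in_b
    elif switch == BXOR:
        out = in_a ^ in_b
    elif switch == BOR:
        out = in_a | in_b
    elif switch == BNOT:
        out = ~in_a & MASK
    else:                                             # (T,F,T,F) .. (T,T,F,T): ALU_NOOP
        out = in_a
    return out, msb(out), out == 0, ovfl, carry


def shifter(switch, in_a):
    """SHIFTER_SPEC: (out, c_flag).  The carry is the bit shifted off the end."""
    in_a &= MASK
    if switch == SHL:
        return (in_a << 1) & MASK, msb(in_a)
    if switch == SHR:
        return in_a >> 1, lsb(in_a)
    if switch == ASR:
        return (in_a >> 1) | (in_a & (1 << (WIDTH - 1))), lsb(in_a)
    return in_a, F                                    # (T,T): pass through, c_flag = F


def carry_mux(csrc_alu, alu_c, shift_c):
    """MUX_1_SPEC as used for cf in DATAPATH: csrc_s = T selects the ALU carry."""
    return alu_c if csrc_alu else shift_c


def alu_shift(alu_sw, shift_sw, csrc_alu, in_a, in_b, cin):
    """The datapath chain MuxOut/blatch -> ALU -> shifter -> Cbus, with the
    PSW flag inputs: nf, zf, vf come from the ALU, cf from the carry mux.
    Returns (cbus, nf, zf, vf, cf)."""
    alu_out, nf, zf, vf, alu_c = alu(alu_sw, in_a, in_b, cin)
    cbus, shift_c = shifter(shift_sw, alu_out)
    return cbus, nf, zf, vf, carry_mux(csrc_alu, alu_c, shift_c)
```

The last function is the part worth checking against the specification: the negative and zero flags are taken before the shift, so a left shift that clears the word still reports the ALU result as non-zero, and the carry the PSW sees depends on csrc_s, not on which unit last touched the data.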
let COND_CONJ_LEMMA = TAC_PROOF
(([],
"! (a:bool) (b1 x1 y1:*) b2 b3 .
(a => ((b1 = x1) /\ b2) | ((b1 = y1) /\ b3)) =







"! (a:bool) (b1 x1 y1:*) b2 b3 .
(a => (b1 = x1) | (b1 = y1)) =





let COND_FUNC_LEMMA = TAC_PROOF
(([],"! (a:*->**) b (c d:*) .
(b => (a c) | (a d)) = (a (b => c | d))"),
REPEAT GEN_TAC
THEN BOOL_CASES_TAC "b"
THEN REWRITE_TAC []
);;
let COND_NULL_LEMMA = TAC_PROOF
(([],"! b (c:*) .






let rule1 = SPEC "c_flag:bool" (SYM_RULE EQ_CLAUSE4) in
let lemma1 = PURE_ONCE_REWRITE_RULE [rule1] shifter_spec_def in
let lemma2 = UNDISCH(fst(EQ_IMP_RULE (SPEC_ALL lemma1))) in
let lemma3 = PURE_REWRITE_RULE
[COND_CONJ_LEMMA;COND_NULL_LEMMA] lemma2 in
CONJUNCTS lemma3;;
let out_lemma = save_thm
('SHIFTER_OUT_LEMMA',
(GEN_ALL(DISCH_ALL (el 1 lemma_list)))
);;
let carry_lemma = save_thm
('SHIFTER_CARRY_LEMMA',
(GEN_ALL (DISCH_ALL





3.4.5 The Microprogram Counter Unit
The section presents the ML code that creates the theory mpc_def.th.
File: def_mpc.ml
Author: (c) P. J. Windley 1990
Date: 18 JAN 90
Modified:
Description:
Defines a function specifying the behavior of the microprogram
counter unit. The definition is used in the specification of
the electronic block model and the phase level.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
'/muztag/home/windley/hol/ml/';
]);;








let MPC_UNIT = new_definition
('MPC_UNIT',
"!(mpc:bt6) (opc:bt6) addr cond ireq_f ie sm .
MPC_UNIT mpc opc addr cond ireq_f ie sm =
let bt6_inc n = (add_bt6 n 1) in
((cond = (F,F,F)) => (bt6_inc mpc) |
(cond = (F,F,T)) => addr |
(cond = (F,T,F)) => (add_bt6 (F,(SND opc)) 4) |
(cond = (F,T,T)) => ((ireq_f /\ ie) => addr | (bt6_inc mpc)) |










3.4.6 The State Selectors
The section presents the ML code that creates the theory select_def.th.
def_select.ml
(c) P. J. Windley 1990
28 May 90
Defines selection functions for the electronic block model state
and environment.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
'/muztag/home/windley/hol/ml/';
]);;





system '/bin/rm select_def.th';;
new_theory 'select_def';;
map new_parent ['ucode_def';'tuple'];;
new_type_abbrev ('time',":num");;




*wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;
let EBM_env = ":bool";;
let Selector_TAC x =
REPEAT GEN_TAC
THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
THEN PURE_ONCE_REWRITE_TAC [x]
THEN BETA_TAC
THEN REWRITE_TAC [];;
let RegS = new_definition
('RegS',
"!(t:time) (s:time->^EBM_state) .





(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
RegS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,











(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
PswS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = psw",
Selector_TAC PswS
);;
let PcS = new_definition
('PcS',
"!(t:time) (s:time->^EBM_state) .
PcS s t = FST(SND(SND(s t)))"
);;
let PcS = prove_thm
('PcS',
"!(reg:time->(*wordn)list) (mem:time->*memory)




PcS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = pc",
Selector_TAC PcS
);;
let MemS = new_definition
('MemS',
"!(t:time) (s:time->^EBM_state) .
MemS s t = FST(SND(SND(SND(s t))))"
);;
let MemS = prove_thm
('MemS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
MemS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = mem",
Selector_TAC MemS
);;
let IvecS = new_definition
('IvecS',
"!(t:time) (s:time->^EBM_state) .
IvecS s t = FST(SND(SND(SND(SND(s t)))))"
);;
let IvecS = prove_thm
('IvecS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
IvecS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = ivec",
Selector_TAC IvecS
);;
let IrS = new_definition
('IrS',
"!(t:time) (s:time->^EBM_state) .
IrS s t = FST(SND(SND(SND(SND(SND(s t))))))"
);;
let IrS = prove_thm
('IrS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
IrS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = ir",
Selector_TAC IrS
);;
let MarS = new_definition
('MarS',
"!(t:time) (s:time->^EBM_state) .
MarS s t = FST(SND(SND(SND(SND(SND(SND(s t)))))))"
);;
let MarS = prove_thm
('MarS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
MarS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = mar",
Selector_TAC MarS
);;
let MbrS = new_definition
('MbrS',
"!(t:time) (s:time->^EBM_state) .
MbrS s t = FST(SND(SND(SND(SND(SND(SND(SND(s t))))))))"
);;
let MbrS = prove_thm
('MbrS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
MbrS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = mbr",
Selector_TAC MbrS
);;
let MpcS = new_definition
('MpcS',
"!(t:time) (s:time->^EBM_state) .
MpcS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))"
);;
let MpcS = prove_thm
('MpcS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
MpcS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = mpc",
Selector_TAC MpcS
);;
let AlatchS = new_definition
('AlatchS',
"!(t:time) (s:time->^EBM_state) .
AlatchS s t = FST(SND(SND(SND(SND(
SND(SND(SND(SND(SND(s t))))))))))"
);;
let AlatchS = prove_thm
('AlatchS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
AlatchS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = alatch",
Selector_TAC AlatchS
);;
let BlatchS = new_definition
('BlatchS',
"!(t:time) (s:time->^EBM_state) .
BlatchS s t = FST(SND(SND(SND(SND(
SND(SND(SND(SND(SND(SND(s t)))))))))))"
);;
let BlatchS = prove_thm
('BlatchS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
BlatchS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,




let IreqS = new_definition
('IreqS',
"!(t:time) (s:time->^EBM_state) .
IreqS s t = FST(SND(SND(SND(SND(SND
(SND(SND(SND(SND(SND(SND(s t))))))))))))"
);;
let IreqS = prove_thm
('IreqS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
IreqS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,






IackS s t = FST(SND(SND(SND(SND(SND(SND(
SND(SND(SND(SND(SND(SND(s t)))))))))))))"
);;
let IackS = prove_thm
('IackS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
IackS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = iack_ff",
Selector_TAC IackS
);;
let MirS = new_definition
('MirS',
"!(t:time) (s:time->^EBM_state) .
MirS s t = FST(SND(SND(SND(SND(SND(SND(SND(
SND(SND(SND(SND(SND(SND(s t))))))))))))))"
);;
let MirS = prove_thm
('MirS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
MirS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = mir",
Selector_TAC MirS
);;
let UromS = new_definition
('UromS',
"!(t:time) (s:time->^EBM_state) .
UromS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(
SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
);;
let UromS = prove_thm
('UromS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
UromS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = (\t:time.urom)",
Selector_TAC UromS
);;
let ClkS = new_definition
('ClkS',
"!(t:time) (s:time->^EBM_state) .
ClkS s t = SND(SND(SND(SND(SND(SND(SND(SND(SND(
SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
);;
let ClkS = prove_thm
('ClkS',
"!(reg:time->(*wordn)list) (mem:time->*memory)
(psw pc ivec ir mar mbr alatch blatch:time->*wordn)
(mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
(mir:time->ucode) (ireq_ff iack_ff:time->bool).
ClkS (\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)) = clk",
Selector_TAC ClkS
);;
Selectors on the environment
let IreqE = new_definition
('IreqE',
"!(t:time) (e:time->^EBM_env) .
IreqE e t = (e t)"
);;
let IreqE = prove_thm
('IreqE',
"!(t:time) (ireq_e:time->bool) .









3.4.7 The Electronic Block Model
The section presents the ML code that creates the theory block_def.th.
def_block.ml
(c) P. J. Windley 1990
12 JAN 90




Updated to reflect new design.
-- Non-user registers have been moved out of register file.
-- Jump condition calculator is added.
-- PMUX added to multiplex input to MAR
-- MAR loads from PMUX
-- Shifter generates carry out
-- CMUX multiplexes carry signals from ALU and Shifter
May 26 90
Corrected errors in the specification:
-- Demuxes must not have floating lines
-- Wired ORs cannot be used (lead to inconsistencies)
Removed EBM state selection functions and placed in
def_select.ml.
Corrected IR_SPEC definition to reflect desired behavior.
Connected C255 to B bus rather than the C bus.
May 28 90
Fixed IVEC unit so that ivec has state.
Fixed PC unit selection so that it doesn't fall through.















let rep_ty = abstract_type 'aux_def' 'opcode';;
Ground
let GND = new_definition
('GND',
"! out . GND out = (out = F)"
);;
n-bit Mux spec
let MUX_SPEC = new_definition
('MUX_SPEC',
"! ctl (a:*wordn) b c .
MUX_SPEC ctl a b c =
c = (ctl => a | b)"
);;
1-bit Mux spec
let MUX_1_SPEC = new_definition
('MUX_1_SPEC',
"! ctl (a:bool) b c .
MUX_1_SPEC ctl a b c =
c = (ctl => a | b)"
);;
Latch specification
let LATCH_SPEC = new_definition
('LATCH_SPEC',
"! (i:time->*wordn) ld out .
LATCH_SPEC i ld out =
(! t:time . out(t+1) = (ld t => i t | out t))"
);;
Register specification
let REG_SPEC = new_definition
('REG_SPEC',
"! (i:time->*wordn) ld prt out contents .
REG_SPEC i ld prt out contents =
! t:time .
(contents (t+1) = ld t => i t | contents t) /\
(prt t ==> (out t = contents t))"
);;
Flipflop
let FF_SPEC = new_definition
('FF_SPEC',
"! (in:time->bool) (ld:time->bool) (q:time->bool) .
FF_SPEC in ld q =
! t:num . q(t+1) = ((ld t) => in t | q t)"
);;
Register block
let REGISTER_BLOCK = new_definition
('REGISTER_BLOCK',
"! (rep:^rep_ty) c a b
ld ld_ssp prt_a prt_d prt_b ssp (in:time->*wordn) outA outB psw
(reg_list:time->(*wordn)list).
REGISTER_BLOCK rep c a b ld ld_ssp prt_a prt_d ssp prt_b
in outA outB psw reg_list =
!t:time .
(reg_list (t+1) =
(ld t) => (UPDATE_REG rep (psw t) (reg_len rep (c t))
(reg_list t) (in t)) |
(ld_ssp t) => (UPDATE_REG rep (psw t) ssp_reg
(reg_list t) (in t))
| (reg_list t)) /\
(prt_a t ==> (outA t = (EL (reg_len rep (a t)) (reg_list t)))) /\
(prt_d t ==> (outA t = (EL (reg_len rep (c t)) (reg_list t)))) /\
(ssp t ==> (outA t = (SSP_REG (reg_list t)))) /\
(prt_b t ==> (outB t = (EL (reg_len rep (b t)) (reg_list t))))"
);;
Instruction Register
let IR_SPEC = new_definition
('IR_SPEC',
"! (rep:^rep_ty) set prt (in out contents:time->*wordn)
opc_port dest_port srca_port srcb_port .
IR_SPEC rep set prt in out contents
opc_port dest_port srca_port srcb_port =
(!t:time.
(contents (t+1) = (set t) => in t | contents t) /\
(opc_port t = opcode rep (contents t)) /\
(dest_port t = dest rep (contents t)) /\
(srca_port t = srca rep (contents t)) /\
(srcb_port t = srcb rep (contents t)) /\
(prt t ==> (out t = (i_ rep (contents t)))))"
);;
PSW Register
let PSW_SPEC = new_definition
('PSW_SPEC',
"! (rep:^rep_ty) set clk prt (in:time->*wordn) out ie sm contents
vf nf cf zf
s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z .
PSW_SPEC rep set clk prt in out ie sm contents
vf nf cf zf
s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z =
(!t:time.
(contents (t+1) =
((set t) /\ (get_sm rep (contents t))) => (in t) |
(clk t) =>
(mk_psw rep (
(s_sm t => T | c_sm t => F | (get_sm rep (contents t))),
(s_ie t => T | c_ie t => F | (get_ie rep (contents t))),
(ld_v t => vf | (get_vf rep (contents t))),
(ld_n t => nf | (get_nf rep (contents t))),
(ld_c t => cf | (get_cf rep (contents t))),
(ld_z t => zf | (get_zf rep (contents t))))) |
(contents t)) /\
(sm t = get_sm rep (contents t)) /\
(ie t = get_ie rep (contents t)) /\




let JUMP_SPEC = new_definition
('JUMP_SPEC',
"! (rep:^rep_ty) d psw out .
JUMP_SPEC rep d psw out =
!t:time . (out t) = JUMP_COND rep (reg_len rep (d t)) (psw t)"
);;
MBR
let MBR_SPEC = new_definition
('MBR_SPEC',
"! set clk rd_s wr_s (i:time->*wordn) value bus mem_port .
MBR_SPEC set clk rd_s wr_s i value bus mem_port =
(!t:time.
(value (t+1) = (((clk t) /\ (rd_s t)) => mem_port t |
((clk t) /\ (set t)) => i t | value t)) /\




let C255_SPEC = new_definition
('C255_SPEC',
"! (rep:^rep_ty) prt out .
C255_SPEC rep prt out =
prt ==> (out = (wordn rep 255))"
);;
Interrupt vector register specification
let IVEC_SPEC = new_definition
('IVEC_SPEC',
"! (rep:^rep_ty) prt (out:time->*wordn) contents .
IVEC_SPEC rep prt out contents =
! t:time .
(contents (t+1) = (contents t)) /\
(prt t ==> (out t = (int_fetch rep (contents t))))"
);;
Decoder Specs
let DEMUX_2_SPEC = new_definition
('DEMUX_2_SPEC',
"! s o0 o1 o2 o3 .
DEMUX_2_SPEC s o0 o1 o2 o3 =
(!t . o0 t = ((s t) = (F,F))) /\
(!t . o1 t = ((s t) = (F,T))) /\
(!t . o2 t = ((s t) = (T,F))) /\
(!t . o3 t = ((s t) = (T,T)))"
);;
let DEMUX_3_SPEC = new_definition
('DEMUX_3_SPEC',










DEMUX_3_SPEC s o0 o1 o2 o3 o4 o5 o6 o7 =
(!t . o0 t = ((s t) = (F,F,F))) /\
(!t . o1 t = ((s t) = (F,F,T))) /\
(!t . o2 t = ((s t) = (F,T,F))) /\
(!t . o3 t = ((s t) = (F,T,T))) /\
(!t . o4 t = ((s t) = (T,F,F))) /\
(!t . o5 t = ((s t) = (T,F,T))) /\
(!t . o6 t = ((s t) = (T,T,F))) /\
(!t . o7 t = ((s t) = (T,T,T)))"
);;
Memory
let MEM = new_definition
('MEM',
"! (rep:^rep_ty) wr_s rd_s addr data mem .
MEM rep wr_s rd_s addr data mem =
!t:time .
(mem (t+1) =
(wr_s t => store rep (mem t, address rep (addr t), (data t))
| mem t)) /\
(rd_s t ==> (data t = (fetch rep (mem t, address rep (addr t)))))"
);;
LOGIC gates
let AND_SPEC = new_definition
('AND_SPEC',
"! a b out .
AND_SPEC a b out =
(!t:time . (out t) = (a t) /\ (b t))"
);;
let OR_SPEC = new_definition
('OR_SPEC',
"! a b out .
OR_SPEC a b out =
(!t:time . (out t) = (a t) \/ (b t))"
);;
let OR_3_SPEC = new_definition
('OR_3_SPEC',
"! a b c out .
OR_3_SPEC a b c out =
(!t:time . (out t) = (a t) \/ (b t) \/ (c t))"
);;
let MAR_LOGIC_SPEC = new_definition
('MAR_LOGIC_SPEC',
"! pmux clk_3 clk_4 mar out .
MAR_LOGIC_SPEC pmux clk_3 clk_4 mar out =
!t:time. (out t) =
((((pmux t) /\ (clk_3 t)) \/ (~(pmux t) /\ (clk_4 t))) /\ (mar t))"
);;
let PC_LOGIC_SPEC = new_definition
('PC_LOGIC_SPEC',
"! clk pc_enable pc_jmp_enable jump_flag out .
PC_LOGIC_SPEC clk pc_enable pc_jmp_enable jump_flag out =
!t:time. (out t) = (clk t) /\
((pc_enable t) \/
((pc_jmp_enable t) /\ (jump_flag t)))"
);;
let DATAPATH = new_definition
('DATAPATH',
"! (rep:^rep_ty)
mem reg mar mbr alatch blatch ir pc psw ivec
iack_ff ireq_ff
ireq_e
amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
iack_s rd_s wr_s
opc ie sm
clk_1 clk_2 clk_3 clk_4 .
DATAPATH rep mem reg mar mbr alatch blatch ir pc psw ivec
iack_ff ireq_ff
ireq_e
amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
iack_s rd_s wr_s
opc ie sm
clk_1 clk_2 clk_3 clk_4 =
!t:time.
? Abus Bbus Cbus MuxOut MuxIn MemData AluOut Gnd MarIn
regd_enable ssp_enable psw_enable ir_enable pc_enable pc_jmp_enable
reg_a_enable reg_sa_enable ssp_a_enable
psw_a_enable C255_enable pc_a_enable
reg_b_enable ivec_enable ir_b_enable
ld_reg_block ld_ssp ld_ir ld_psw ld_mar ld_pc do_write
dest_s srca_s srcb_s alu_c shift_c cf nf vf zf jump_flag
pc_a_1 pc_a_2 pc_a_3 ir_b_1 ir_b_2
float0 float1 .
(GND (Gnd t)) /\
(DEMUX_3_SPEC cselect regd_enable ssp_enable psw_enable
ir_enable pc_enable pc_jmp_enable
float0 float1) /\
(DEMUX_3_SPEC aselect reg_a_enable reg_sa_enable ssp_a_enable
psw_a_enable C255_enable pc_a_1
pc_a_2 pc_a_3) /\
(OR_3_SPEC pc_a_1 pc_a_2 pc_a_3 pc_a_enable) /\
(DEMUX_2_SPEC bselect reg_b_enable ivec_enable
ir_b_1 ir_b_2) /\
(OR_SPEC ir_b_1 ir_b_2 ir_b_enable) /\
(AND_SPEC clk_4 regd_enable ld_reg_block) /\
(AND_SPEC clk_4 ssp_enable ld_ssp) /\
(REGISTER_BLOCK rep dest_s srca_s srcb_s
ld_reg_block ld_ssp reg_a_enable reg_sa_enable
ssp_a_enable reg_b_enable
Cbus Abus Bbus psw reg) /\
(AND_SPEC clk_4 ir_enable ld_ir) /\
(IR_SPEC rep ld_ir ir_b_enable Cbus Bbus ir
opc dest_s srca_s srcb_s) /\
(LATCH_SPEC Abus clk_2 alatch) /\
(LATCH_SPEC Bbus clk_2 blatch) /\
(IVEC_SPEC rep ivec_enable Bbus ivec) /\
(FF_SPEC iack_s clk_2 iack_ff) /\
(FF_SPEC ireq_e clk_1 ireq_ff) /\
(MUX_SPEC (amux_s t) (MuxIn t) (alatch t) (MuxOut t)) /\
(MAC2_ALU_SPEC rep (alu_s t) (MuxOut t,blatch t,get_cf rep (psw t))
(AluOut t) (nf t, zf t,vf t,alu_c t)) /\
(SHIFTER_SPEC rep (shft_s t) (AluOut t) (Cbus t) (shift_c t)) /\
(MUX_1_SPEC (csrc_s t) (alu_c t) (shift_c t) (cf t)) /\
(MBR_SPEC mbr_s clk_4 rd_s wr_s Cbus
mbr MuxIn MemData) /\
(AND_SPEC clk_4 psw_enable ld_psw) /\
(PSW_SPEC rep ld_psw clk_4 psw_a_enable Cbus Abus ie sm psw
(vf t) (nf t) (cf t) (zf t)
s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z) /\
(JUMP_SPEC rep dest_s psw jump_flag) /\
(PC_LOGIC_SPEC clk_4 pc_enable pc_jmp_enable jump_flag ld_pc) /\
(REG_SPEC Cbus ld_pc pc_a_enable Abus pc) /\
(C255_SPEC rep (C255_enable t) (Abus t)) /\
(MUX_SPEC (pmux_s t) (pc t) (Cbus t) (MarIn t)) /\
(MAR_LOGIC_SPEC pmux_s clk_3 clk_4 mar_s ld_mar) /\
(LATCH_SPEC MarIn ld_mar mar) /\
(AND_SPEC clk_4 wr_s do_write) /\
(MEM rep do_write rd_s mar MemData mem)"
);;
Control Unit
let MPC_SPEC = new_definition
('MPC_SPEC',
"! (rep:^rep_ty) clk opc mpc addr_s irq ie sm cond_s .






(MPC_UNIT (mpc t) (opc t)






let MIR_SPEC = new_definition
('MIR_SPEC',
"! (mir:time->ucode) clk in
amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm_s c_sm_s s_ie_s c_ie_s
ld_c_s ld_v_s ld_n_s ld_z_s csrc_s ftch_s
iack_s rd_s wr_s addr_s cond_s .
MIR_SPEC mir clk in
amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm_s c_sm_s s_ie_s c_ie_s
ld_c_s ld_v_s ld_n_s ld_z_s csrc_s ftch_s
iack_s rd_s wr_s addr_s cond_s =
!t:time .
(mir (t+1) = (clk t => (in t) | (mir t))) /\
(amux_s t = (Amux (mir t))) /\
(sh_s t = (Shift (mir t))) /\
(alu_s t = (Alu (mir t))) /\
(mbr_s t = (Mbr (mir t))) /\
(mar_s t = (Mar (mir t))) /\
(pmux_s t = (Pmux (mir t))) /\
(cselect t = (Trgt (mir t))) /\
(aselect t = (SrcA (mir t))) /\
(bselect t = (SrcB (mir t))) /\
(s_sm_s t = (S_sm (mir t))) /\
(c_sm_s t = (C_sm (mir t))) /\
(s_ie_s t = (S_ie (mir t))) /\
(c_ie_s t = (C_ie (mir t))) /\
(ld_c_s t = (Ld_c (mir t))) /\
(ld_v_s t = (Ld_v (mir t))) /\
(ld_n_s t = (Ld_n (mir t))) /\
(ld_z_s t = (Ld_z (mir t))) /\
(csrc_s t = (Csrc (mir t))) /\
(ftch_s t = (Ftch (mir t))) /\
(iack_s t = (Iack (mir t))) /\
(rd_s t = (Rd (mir t))) /\
(wr_s t = (Wr (mir t))) /\
(addr_s t = (Address (mir t))) /\
(cond_s t = (Cond (mir t)))"
);;
let CLOCK_SPEC = new_definition
('CLOCK_SPEC',
"! clk clk_1 clk_2 clk_3 clk_4 .
CLOCK_SPEC clk clk_1 clk_2 clk_3 clk_4 =
!t:time .
(clk (t+1) = (((clk t) = (F,F)) => (F,T) |
((clk t) = (F,T)) => (T,F) |
((clk t) = (T,F)) => (T,T) |
(F,F))) /\
(clk_1 t = (clk t = (F,F))) /\
(clk_2 t = (clk t = (F,T))) /\
(clk_3 t = (clk t = (T,F))) /\
(clk_4 t = (clk t = (T,T)))"
);;
let CONTROL_UNIT = new_definition
('CONTROL_UNIT',
"! (rep:^rep_ty) (mpc:time->bt6) (mir:time->ucode) clk
(urom:(time->num->ucode))
clk_1 clk_2 clk_3 clk_4
amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
iack_s rd_s wr_s
opc sm ie ireq_f .
CONTROL_UNIT rep
mpc mir clk urom
clk_1 clk_2 clk_3 clk_4
amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
iack_s rd_s wr_s
opc sm ie ireq_f =
? addr_s cond_s .
(MPC_SPEC rep mpc clk_4 opc ireq_f ie sm addr_s cond_s) /\
(MIR_SPEC mir clk_1 (\t.(urom t (bt6_val (mpc t))))
amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
iack_s rd_s wr_s addr_s cond_s) /\
(CLOCK_SPEC clk clk_1 clk_2 clk_3 clk_4)"
);;
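CONTROL_UNIT composes three relations: CLOCK_SPEC's four-phase clock, MIR_SPEC loading the microinstruction register from the urom at clk_1, and MPC_SPEC (built on MPC_UNIT from section 3.4.5) choosing the next microaddress. The Python below is an added example, not code from the report, that runs that composition as a cycle simulator so the sequencing can be checked on a constructed microprogram. Assumptions, none of which the page states: bt6 values are integers mod 64 with the first tuple component as the most significant bit, so the jop arm's (F, SND opc) is opc & 0x1F; MPC_SPEC (whose body is not reproduced on the page) advances mpc only at clk_4; the jsm arm (T,F,F), cut off in the page's copy of MPC_UNIT, is modelled as "addr if sm else mpc+1" by analogy with jint, and the three unused cond codes fall through to mpc+1.

```python
"""Simulator for CONTROL_UNIT = MPC_SPEC /\ MIR_SPEC /\ CLOCK_SPEC.
Added example, not from the report.  Assumptions are marked below."""

F, T = False, True

# cond codes from the microassembler (step, jmp, jop, jint, jsm)
STEP, JMP, JOP, JINT, JSM = (F, F, F), (F, F, T), (F, T, F), (F, T, T), (T, F, F)

# CLOCK_SPEC: clk cycles (F,F) -> (F,T) -> (T,F) -> (T,T) -> (F,F)
PHASES = [(F, F), (F, T), (T, F), (T, T)]


def clock_next(clk):
    return PHASES[(PHASES.index(clk) + 1) % 4]


def clock_lines(clk):
    """clk_1 .. clk_4 are the four one-hot decodes of clk."""
    return tuple(clk == phase for phase in PHASES)


def mpc_unit(mpc, opc, addr, cond, ireq_f, ie, sm):
    """MPC_UNIT on 6-bit addresses (integers mod 64, assumption)."""
    inc = (mpc + 1) & 0x3F
    if cond == STEP:
        return inc
    if cond == JMP:
        return addr
    if cond == JOP:                     # add_bt6 (F, SND opc) 4: clear the top bit, add 4
        return ((opc & 0x1F) + 4) & 0x3F
    if cond == JINT:
        return addr if (ireq_f and ie) else inc
    if cond == JSM:                     # assumption: this arm is cut off on the page
        return addr if sm else inc
    return inc                          # assumption: unused codes behave like step


def control_step(state, urom, opc, ireq_f, ie, sm):
    """One clock tick of CONTROL_UNIT.  state = (mpc, mir, clk); mir is the
    current microinstruction as a dict with at least 'cond' and 'addr'."""
    mpc, mir, clk = state
    clk_1, _, _, clk_4 = clock_lines(clk)
    # MIR_SPEC with clk_1: mir(t+1) = clk_1 t => urom(mpc t) | mir t
    mir_next = urom[mpc] if clk_1 else mir
    # MPC_SPEC with clk_4 (assumption: mpc only advances in the last phase)
    mpc_next = (mpc_unit(mpc, opc, mir["addr"], mir["cond"], ireq_f, ie, sm)
                if clk_4 else mpc)
    return mpc_next, mir_next, clock_next(clk)


def mpc_trace(urom, cycles, opc, ireq_f, ie, sm, start=0):
    """Run whole microcycles from address `start` and return the mpc value
    seen at the start of each following microcycle."""
    state = (start, urom[start], (F, F))
    trace = []
    for _ in range(cycles):
        for _ in range(4):
            state = control_step(state, urom, opc, ireq_f, ie, sm)
        trace.append(state[0])
    return trace


def uinstr(cond, addr):
    """Constructed microinstruction carrying only the sequencing fields."""
    return {"cond": cond, "addr": addr}


# Constructed microprogram (not the AVM-1 microcode): 64 words, default step.
DEMO_UROM = [uinstr(STEP, 0) for _ in range(64)]
DEMO_UROM[1] = uinstr(JMP, 5)
DEMO_UROM[5] = uinstr(JINT, 9)
DEMO_UROM[6] = uinstr(JOP, 0)
```

The simulator makes the timing dependency visible: the jint decision at clk_4 reads the mir that was loaded at clk_1 of the same microcycle, and an interrupt request that arrives with ie = F is ignored regardless of the requested address.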
Define State and selector functions for s:time->^EBM_state
let EBM_state =
":((*wordn)list#*wordn#*wordn#*memory#
*wordn#*wordn#*wordn#*wordn#bt6#
*wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;
let EBM_env = ":bool";;
Define Electronic Block Model
This definition uses the selection functions on the state and
environment defined in def_select.ml. This is done in order
to have the definition be of the form "EBM rep s e = ..." so
that it can be used with the generic interpreter theory.
let EBM_def = new_definition
('EBM_def',
"! (rep:^rep_ty) (s:time->^EBM_state) (e:time->^EBM_env) .
EBM rep s e =
? amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect
bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
iack_s rd_s wr_s ftch_s
opc ie sm
clk_1 clk_2 clk_3 clk_4 .
(DATAPATH rep
(MemS s) (RegS s) (MarS s) (MbrS s)
(AlatchS s) (BlatchS s) (IrS s) (PcS s) (PswS s)
(IvecS s) (IackS s) (IreqS s)
(IreqE e)
amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect
bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
iack_s rd_s wr_s
opc ie sm
clk_1 clk_2 clk_3 clk_4) /\
(CONTROL_UNIT rep
(MpcS s) (MirS s) (ClkS s) (UromS s)
clk_1 clk_2 clk_3 clk_4
amux_s shft_s alu_s mbr_s mar_s pmux_s cselect aselect
bselect
s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
iack_s rd_s wr_s
opc sm ie (IreqS s))"
);;




[RegS;PswS;PcS;MemS;IvecS;IrS;MarS;
MbrS;MpcS;AlatchS;BlatchS;IreqS;
IackS;MirS;UromS;ClkS;IreqE] (
SPECL ["rep:^rep_ty";
"(\t.(reg t, psw t, pc t, mem t, ivec t,
ir t, mar t, mbr t, mpc t,
alatch t, blatch t, ireq_ff t,
iack_ff t, mir t, urom, clk t)):time->^EBM_state";
"(\t.(ireq_e t)):time->^EBM_env"] EBM_def))
);;
let EBM_expanded = save_thm
('EBM_expanded',
CONV_RULE (TOP_DEPTH_CONV BETA_CONV) (
PURE_ONCE_REWRITE_RULE [
GND;MUX_SPEC;MUX_1_SPEC;LATCH_SPEC;REG_SPEC;
FF_SPEC;REGISTER_BLOCK;IR_SPEC;PSW_SPEC;
JUMP_SPEC;MBR_SPEC;C255_SPEC;DEMUX_2_SPEC;
DEMUX_3_SPEC;MEM;AND_SPEC;OR_SPEC;OR_3_SPEC;
MAR_LOGIC_SPEC;PC_LOGIC_SPEC;
MPC_SPEC;MIR_SPEC;CLOCK_SPEC;IVEC_SPEC
] (
PURE_ONCE_REWRITE_RULE [DATAPATH;CONTROL_UNIT] (
SPEC_ALL EBM)))
);;
Define a function that maps EBM state to the EBM counter.
let GetEBMClock = new_definition
('GetEBMClock',
"! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
(psw pc ivec ir mar mbr alatch blatch:*wordn)
(mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
(ireq_ff iack_ff int_e:bool).
GetEBMClock rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
(int_e) = @x:bool.F"
);;
Define the start state
let EBM_Start = new_definition






This section presents the theories that define the phase-level interpreter. Also presented is the theory
that verifies the phase-level interpreter with respect to the electronic block model.
3.5.1 The Microcode Assembler
The section presents the ML code that defines the microcode assembler.
----------------------------------------------------------------
File: ucode_aux.ml
Author: (c) P. J. Windley 1990
Date: JUN 23, 1990
Modified:
Description:
Defines the ML functions and constants necessary to describe
the microinstructions. This file is loaded by several files
that draft theories.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
'/muztag/home/windley/hol/ml/';
]);;
let Library_Root = '/muztag/home/windley/hol/Library/';;
set_search_path
(search_path() @
(map (concat Library_Root) ['decimal/';'assoc/';'tuple/']));;









Toggle MUX on A-bus
Shifter function
ALU function
Load MAR from P-Mux
Load MBR from C-bus
Toggle MUX loading MAR
A-bus source (includes SSP)
B-bus source










Set supervisory mode bit in PSW
Clear supervisory mode bit in PSW
Set interrupt enable bit in PSW
Clear interrupt enable bit in PSW
Load carry bit in PSW
Load overflow bit in PSW
Load negative bit in PSW
Load zero bit in PSW
Source of carry (shifter or alu)
1 IACK Interrupt acknowledge signal
1 FTCH Fetch signal
1 RD Read signal
1 WR Write signal
3 COND Microcode jump condition
6 ADDR Next address
Shifter mnemonics
let shl = "(F,F)";;
let shr = "(F,T)";;
let asr = "(T,F)";;
let nsh = "(T,T)";;
ALU mnemonics
let add = "(F,F,F,F)";;
let addc = "(F,F,F,T)";;
let inc = "(F,F,T,F)";;
let sub = "(F,F,T,T)";;
let subc = "(F,T,F,F)";;
let dec = "(F,T,F,T)";;
let band = "(F,T,T,F)";;
let bxor = "(F,T,T,T)";;
let bor = "(T,F,F,F)";;
let bnot = "(T,F,F,T)";;
let nop = "(T,F,T,F)";;
Register mnemonics
let reg_file = "(F,F,F,F)";;
let ssp = "(F,F,F,T)";;
let ir = "(F,F,T,F)";;
let psw = "(F,F,T,T)";;
let pc = "(F,T,F,F)";;
let pcj = "(F,T,F,T)";;
let mar = "(F,T,T,F)";;
let mbr = "(F,T,T,T)";;
let noreg = "(T,F,F,F)";;
let mar_gets_pc = "(T,F,F,T)";;
let reg_dest = "(T,F,T,F)";;
let C255 = "(T,F,T,T)";;
let ivec = "(T,T,F,F)";;
The effect of a microinstruction on the major components of the
datapath is described by a 5-tuple:
Oper (target, shifterop, sourceA, aluop, sourceB)
Target is the target register
SourceA is the register fed to the A-latch
SourceB is the register fed to the B-latch
aluOp is the AluOp applied to SourceA and SourceB
ShifterOp is the shifter operation applied to the result of
aluOp
let Process_Trgt x =
(x = reg_file) => "(F,F,F)" |
(x = ssp) => "(F,F,T)" |
(x = psw) => "(F,T,F)" |
(x = ir) => "(F,T,T)" |
(x = pc) => "(T,F,F)" |
(x = pcj) => "(T,F,T)" |
"(T,T,F)";;
let Process_Srca x =
(x = reg_file) => "(F,F,F)" |
(x = reg_dest) => "(F,F,T)" |
(x = ssp) => "(F,T,F)" |
(x = psw) => "(F,T,T)" |
(x = C255) => "(T,F,F)" |
"(T,F,T)";;
let Process_Srcb x =
(x = reg_file) => "(F,F)" |
(x = ivec) => "(F,T)" |
"(T,F)";;
let Process_MBR x =
(x = mbr) => "T" | "F";;
let Process_MAR x =
((x = mar) or (x = mar_gets_pc)) => "T" | "F";;
let Process_PMUX x =
(x = mar_gets_pc) => "T" | "F";;
let Process_AMUX x =
(x = mbr) => "T" | "F";;












The PSW loading is given by PSW_Control:










Clear supervisory mode bit in PSW
Set interrupt enable bit in PSW
Clear interrupt enable bit in PSW
Load carry bit in PSW
Load overflow bit in PSW
Load negative bit in PSW
Load zero bit in PSW
Source of carry (shifter or alu)
let set_sm = 1;;
let clr_sm = 2;;
let set_ie = 1;;
let clr_ie = 2;;
let pass = 3;;
let ld_from_alu = 1;;
let ld_from_shifter = 2;;
let ld_vf = 4;;
let ld_nf = 4;;
let ld_zf = 4;;
let Set_PSW (sm,ie,vf,nf,cf,zf) =
"(^((sm = set_sm) => "T" | "F"),
^((sm = clr_sm) => "T" | "F"),
^((ie = set_ie) => "T" | "F"),
^((ie = clr_ie) => "T" | "F"),
^((cf = ld_from_alu) or (cf = ld_from_shifter) => "T" | "F"),
^((vf = ld_vf) => "T" | "F"),
^((nf = ld_nf) => "T" | "F"),
^((zf = ld_zf) => "T" | "F"),
^((cf = ld_from_alu) => "T" | "F"))";;
Set_PSW (set_sm, clr_ie, pass, pass, pass, pass);;
Set_PSW (pass, pass, ld_from_alu, ld_vf, ld_nf, ld_zf);;
Set_PSW (pass, pass, ld_from_shifter, ld_vf, ld_nf, ld_zf);;
----------------------------------------------------------------
The external signals are described by a function ExtSig
let rd = 1;;
let wr = 2;;
let no_mem_op = 3;;
let i_ack = "T";;
let off = "F";;
let in_fetch = "T";;
let Process_Mem_Op memop =
(memop = 1) => "(T,F)" |
(memop = 2) => "(F,T)" |
"(F,F)";;
let ExtSig (iaction,fetch,memop) =
"(^iaction,
^fetch,
^(Process_Mem_Op memop))";;
----------------------------------------------------------------
ExtSig(off,off,rd);;
ExtSig(i_ack,in_fetch,no_mem_op);;
The next microinstruction is chosen by the result of
Mpc (cond, address)
The cond field can take the following values:
Value Meaning
step Increment the program counter and go there
jmp Jump unconditionally
jop Jump relative to mpc based on current opcode
jint Jump on interrupt
jsm Jump in supervisory mode
Step is the default.
let step = "(F,F,F)";;
let jmp = "(F,F,T)";;
let jop = "(F,T,F)";;
let jint = "(F,T,T)";;
let jsm = "(T,F,F)";;
let Mpc (cond, addr) = "(^cond, ^addr)";;
let TEST_ADDR = "(F,F,F,F,F,F)";;
Mpc (step, TEST_ADDR);;
Mpc (jint, TEST_ADDR);;
3.5.2 The Microcode Definition
The section presents the ML code that creates the theory ucode_def.th.
File: def_ucode.ml
Author: (c) P. J. Windley 1990
Date: JUN 23, 1990
Modified:
Description:
Defines the microcode for the machine in an abstract way.
A mnemonic microassembly language is defined. The theorems
necessary for assembling the code are proven. The assembler is
actually defined in the file that defines the actual microcode
for the machine.
In addition a type for the assembled microcode, the structure
of the assembled microcode, and selectors on the assembled
microcode are defined.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
'/muztag/home/windley/hol/ml/';
]);;
let Library_Root = '/muztag/home/windley/hol/Library/';;
set_search_path
(search_path() @
(map (concat Library_Root) ['decimal/';'assoc/';'tuple/']));;
system '/bin/rm ucode_def.th';;
new_theory 'ucode_def';;
map new_parent ['tuple'];;
A microinstruction has the following format:
Bits Mnemonic Description
1 AMUX Toggle MUX on A-bus









Load MAR from P-Mux
Load MBR from C-bus
Toggle MUX loading MAR
A-bus source (includes SSP)
B-bus source










Set supervisory mode bit in PSW
Clear supervisory mode bit in PSW
Set interrupt enable bit in PSW
Clear interrupt enable bit in PSW
Load carry bit in PSW
Load overflow bit in PSW
Load negative bit in PSW
Load zero bit in PSW
Source of carry (shifter or alu)
1 IACK Interrupt acknowledge signal
1 FTCH Fetch signal
1 RD Read signal














let Amux = new_definition
  ('Amux',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)







let Shift = new_definition
  ('Shift',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Alu = new_definition
  ('Alu',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Mbr = new_definition
  ('Mbr',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Mar = new_definition
  ('Mar',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)








"!(ax:bool) (sh:bt2) (al:bt4) (aa nb pc r • ia f:bool)
(ssn csn sie tie 1¢_ lv_ ln_ lzf lal:bool)







let Trgt = new_definition
  ('Trgt',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let SrcA = new_definition
  ('SrcA',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let SrcB = new_definition
  ('SrcB',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)




      (jc,ad)) = sb"
  );;
let S_sm = new_definition
  ('S_sm',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let C_sm = new_definition
  ('C_sm',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)








let S_ie = new_definition
  ('S_ie',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let C_ie = new_definition
  ('C_ie',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Ld_c = new_definition
  ('Ld_c',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Ld_v = new_definition
  ('Ld_v',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Ld_n = new_definition
  ('Ld_n',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)








let Ld_z = new_definition
  ('Ld_z',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Csrc = new_definition
  ('Csrc',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)








"!(ax:bool) (sh:bt2) (al:bt4) (aa nb pc r • ia f:bool)
(ssn csn sie tie Icf ivf inf Izf lal:bool)






let Ftch = new_definition
  ('Ftch',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Rd = new_definition
  ('Rd',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Wr = new_definition
  ('Wr',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Cond = new_definition
  ('Cond',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)






let Address = new_definition
  ('Address',
   "!(ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
     (ssm csm sie cie lcf lvf lnf lzf lal:bool)








3.5.3 The Phase-Level Interpreter
This section presents the ML code that creates the theory phase_def.th.
File: def_phase.ml
Author: (c) P. J. Windley 1990
Date: 18 JAN 90
Modified: 06 RI_ 90
Description:
Defines the behavioral description of the phase level
interpreter.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;











let rep_ty = abstract_type 'aux_def' 'opcode';;
Denotational descriptions of phase level instructions.
let phase_one_def = new_definition
  ('phase_one_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    phase_one rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                   alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                  (int_e) =
      let new_mir = urom (bt6_val mpc) and
          new_ireq_ff = int_e and
          new_clk = (F,T) in
      (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
       alatch, blatch, new_ireq_ff, iack_ff, new_mir, urom, new_clk)"
  );;
let phase_two_def = new_definition
  ('phase_two_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    phase_two rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                   alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                  (int_e) =
      let new_alatch = (
          ((SrcA mir) = (F,F,F)) => (EL (reg_len rep (srca rep ir)) reg) |
          ((SrcA mir) = (F,F,T)) => (EL (reg_len rep (dest rep ir)) reg) |
          ((SrcA mir) = (F,T,F)) => (SSP_REG reg) |
          ((SrcA mir) = (F,T,T)) => psw |
          ((SrcA mir) = (T,F,F)) => (wordn rep 255) |
          pc) in
      let new_blatch = (
          ((SrcB mir) = (F,F)) => (EL (reg_len rep (srcb rep ir)) reg) |
(CSrcB nix') = CF,T)) => ('h',t__etch rap ive¢.) J
          (imm rep ir)) in
      let new_iack_ff = Iack mir and
          new_clk = (T,F) in
      (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
       new_alatch, new_blatch, ireq_ff, new_iack_ff,
       mir, urom, new_clk)"
  );;
let phase_three_def = new_definition
  ('phase_three_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    phase_three rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                     alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                    (int_e) =
      let new_mar = (((Pmux mir) /\ (Mar mir)) => pc | mar) and
          new_clk = (T,T) in
      (reg, psw, pc, mem, ivec, ir, new_mar, mbr, mpc,
       alatch, blatch, ireq_ff, iack_ff, mir, urom, new_clk)"
  );;
A few auxiliary definitions.
let ALU_FUNC = new_definition
  ('ALU_FUNC',
   "!(rep:^rep_ty) s a_input blatch carry_in .
    ALU_FUNC rep s a_input blatch carry_in =
      ((s = (F,F,F,F)) => (add rep (a_input,blatch)) |
       (s = (F,F,F,T)) => (addc rep (a_input,blatch,carry_in)) |
       (s = (F,F,T,F)) => (inc rep a_input) |
       (s = (F,F,T,T)) => (sub rep (a_input,blatch)) |
       (s = (F,T,F,F)) => (subc rep (a_input,blatch,carry_in)) |
       (s = (F,T,F,T)) => (dec rep a_input) |
       (s = (F,T,T,F)) => (band rep (a_input,blatch)) |
       (s = (F,T,T,T)) => (bxor rep (a_input,blatch)) |
       (s = (T,F,F,F)) => (bor rep (a_input,blatch)) |
       (s = (T,F,F,T)) => (bnot rep a_input) | a_input)"
  );;












let ALU_CARRY_FUNC = new_definition
  ('ALU_CARRY_FUNC',
   "!(rep:^rep_ty) switch in_A in_B cin .
    ALU_CARRY_FUNC rep switch in_A in_B cin =
      ((switch = F,F,F,F) =>
         addp rep(in_A,in_B,add rep(in_A,in_B)) |
       (switch = F,F,F,T) =>
         addcp rep(in_A,in_B,addc rep(in_A,in_B,cin)) |
       (switch = F,F,T,F) =>
         addp rep(in_A,wordn rep 0,inc rep in_A) |
       (switch = F,F,T,T) =>
         subp rep(in_A,in_B,sub rep(in_A,in_B)) |
       (switch = F,T,F,F) =>
         subp rep(in_A,in_B,subc rep(in_A,in_B,cin)) |
       (switch = F,T,F,T) =>
         subp rep(in_A,wordn rep 0,dec rep in_A) |
       F)"
  );;
let ALU_OVFL_FUNC = new_definition
  ('ALU_OVFL_FUNC',
   "!(rep:^rep_ty) switch in_A in_B cin .
    ALU_OVFL_FUNC rep switch in_A in_B cin =


















let ALU_NEG_FUNC = new_definition
  ('ALU_NEG_FUNC',
   "!(rep:^rep_ty) switch in_A in_B cin .
    ALU_NEG_FUNC rep switch in_A in_B cin =
      negp rep
       ((switch = F,F,F,F) =>
          add rep(in_A,in_B) |
        (switch = F,F,F,T) =>
          addc rep(in_A,in_B,cin) |
        (switch = F,F,T,F) =>
          inc rep in_A |
        (switch = F,F,T,T) =>
          sub rep(in_A,in_B) |
        (switch = F,T,F,F) =>
          subc rep(in_A,in_B,cin) |
        (switch = F,T,F,T) =>
          dec rep in_A |
        (switch = F,T,T,F) =>
          band rep(in_A,in_B) |
        (switch = F,T,T,T) =>
          bxor rep(in_A,in_B) |
        (switch = T,F,F,F) =>
          bor rep(in_A,in_B) |
        (switch = T,F,F,T) =>
          bnot rep in_A | in_A)"
  );;
let ALU_ZERO_FUNC = new_definition
  ('ALU_ZERO_FUNC',
   "!(rep:^rep_ty) switch in_A in_B cin .
    ALU_ZERO_FUNC rep switch in_A in_B cin =
      zerop rep
       ((switch = F,F,F,F) =>
          add rep(in_A,in_B) |
        (switch = F,F,F,T) =>
          addc rep(in_A,in_B,cin) |
        (switch = F,F,T,F) =>
          inc rep in_A |
        (switch = F,F,T,T) =>
          sub rep(in_A,in_B) |
        (switch = F,T,F,F) =>
          subc rep(in_A,in_B,cin) |
        (switch = F,T,F,T) =>
          dec rep in_A |
        (switch = F,T,T,F) =>
          band rep(in_A,in_B) |
        (switch = F,T,T,T) =>
          bxor rep(in_A,in_B) |
        (switch = T,F,F,F) =>
          bor rep(in_A,in_B) |
        (switch = T,F,F,T) =>
          bnot rep in_A | in_A)"
  );;
let SHIFTER_FUNC = new_definition
  ('SHIFTER_FUNC',
   "!(rep:^rep_ty) switch in_A .
    SHIFTER_FUNC rep switch in_A =
      ((switch = F,F) =>
         shl rep in_A |
       (switch = F,T) =>
         shr rep in_A |
       (switch = T,F) =>
         asr rep in_A | in_A)"
  );;
let SHIFTER_CARRY_FUNC = new_definition
  ('SHIFTER_CARRY_FUNC',
   "!(rep:^rep_ty) switch in_A .
    SHIFTER_CARRY_FUNC rep switch in_A =
      ((switch = F,F) =>
         msb rep in_A |
       (switch = F,T) =>
         lsb rep in_A |
       (switch = T,F) =>
         lsb rep in_A | F)"
  );;
let phase_four_def = new_definition
  ('phase_four_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    phase_four rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                    alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                   (int_e) =
      let a_input = ((Amux mir) => mbr | alatch) in
      let carry_in = (get_cf rep psw) in
      let alu_result =
          ALU_FUNC rep (Alu mir) a_input blatch carry_in in
      let cf =
          ALU_CARRY_FUNC rep (Alu mir) a_input blatch carry_in in
      let vf =
          ALU_OVFL_FUNC rep (Alu mir) a_input blatch carry_in in
      let nf =
          ALU_NEG_FUNC rep (Alu mir) a_input blatch carry_in in
      let zf =
          ALU_ZERO_FUNC rep (Alu mir) a_input blatch carry_in in
      let result = SHIFTER_FUNC rep (Shift mir) alu_result in
      let shft_c = SHIFTER_CARRY_FUNC rep (Shift mir) alu_result in
      let opc = (opcode rep ir) in
      let ie = (get_ie rep psw) and
          sm = (get_sm rep psw) in
      let new_psw = (
          (((Trgt mir) = (F,T,F)) /\ sm) => result |
          (mk_psw rep (
             ((S_sm mir) => T | (C_sm mir) => F | sm),
             ((S_ie mir) => T | (C_ie mir) => F | ie),
             ((Ld_v mir) => vf | (get_vf rep psw)),
             ((Ld_n mir) => nf | (get_nf rep psw)),
             ((Ld_c mir) => ((Csrc mir) => cf | shft_c) | (get_cf rep psw)),
             ((Ld_z mir) => zf | (get_zf rep psw))))) in
      let new_reg = (
          ((Trgt mir) = (F,F,F)) =>
             (UPDATE_REG rep psw (reg_len rep (dest rep ir)) reg result) |
          ((Trgt mir) = (F,F,T)) =>
             (UPDATE_REG rep psw ssp_reg reg result) |
          reg) in
      let new_mpc = (
          MPC_UNIT mpc opc (Address mir) (Cond mir) ireq_ff ie sm) in
      let new_ir = (((Trgt mir) = (F,T,T)) => result | ir) in
      let jmp = (JMP_COND rep (reg_len rep (dest rep ir)) psw) in
      let new_pc = (
          ((Trgt mir) = (T,F,F)) => result |
          (((Trgt mir) = (T,F,T)) /\ jmp) => result | pc) in
      let new_mbr = (
          (Rd mir) => (fetch rep (mem, address rep mar)) |
          (Mbr mir) => result |
          mbr) in
      let new_mar = ((~(Pmux mir) /\ (Mar mir)) => result | mar) in
      let new_mem = ((Wr mir) => store rep (mem, address rep mar, mbr)
                     | mem) in
      let new_clk = (F,F) in
      (new_reg, new_psw, new_pc, new_mem, ivec, new_ir, new_mar,
       new_mbr, new_mpc, alatch, blatch, ireq_ff, iack_ff, mir,
       urom, new_clk)"
  );;
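As an added illustration, not the report's HOL and not Windley's code, the four phases above can be run as a small Python model of one micro cycle. The 8-bit word size, the register standing in for SSP_REG, the flag and microinstruction field names, and the step-only micro-pc update (MPC_UNIT is not on this page) are assumptions; addc/subc, the PSW A-bus source and the ivec B-bus source are left out.

```python
from dataclasses import dataclass, replace

WORD = 8                        # assumption: 8-bit words; the HOL text is word-size generic
MASK = (1 << WORD) - 1
SSP = 7                         # assumption: register 7 stands in for SSP_REG / ssp_reg

@dataclass(frozen=True)
class PhaseState:
    """The phase-level state tuple (ivec, ireq_ff, iack_ff and urom kept outside)."""
    reg: tuple
    psw: dict                   # flags sm, ie, c, v, n, z (mk_psw / get_* on the page)
    pc: int
    mem: tuple
    ir: dict                    # decoded instruction fields srca, srcb, dest, imm
    mar: int
    mbr: int
    mpc: int
    alatch: int = 0
    blatch: int = 0
    mir: dict = None
    clk: tuple = (False, False)

def alu_func(switch, a, b):
    """ALU_FUNC and ALU_CARRY_FUNC for the switch values on the page (addc/subc left out).
    Returns (result, carry_out); for sub/dec the carry is the borrow (assumption)."""
    arith = {(0, 0, 0, 0): a + b, (0, 0, 1, 0): a + 1,
             (0, 0, 1, 1): a - b, (0, 1, 0, 1): a - 1}
    logic = {(0, 1, 1, 0): a & b, (0, 1, 1, 1): a ^ b,
             (1, 0, 0, 0): a | b, (1, 0, 0, 1): ~a}
    if switch in arith:
        raw = arith[switch]
        return raw & MASK, raw > MASK or raw < 0
    return logic.get(switch, a) & MASK, False

def shifter_func(switch, x):
    """SHIFTER_FUNC: (F,F) shl, (F,T) shr, anything else passes the value through."""
    if switch == (0, 0):
        return (x << 1) & MASK
    if switch == (0, 1):
        return x >> 1
    return x

def phase_one(s, urom):
    """Phase 1: load the micro instruction register from the micro ROM."""
    return replace(s, mir=urom[s.mpc], clk=(False, True))

def phase_two(s):
    """Phase 2: latch the A- and B-bus operands chosen by SrcA and SrcB."""
    m, ir = s.mir, s.ir
    a = {0: s.reg[ir["srca"]], 1: s.reg[ir["dest"]], 2: s.reg[SSP],
         4: 255}.get(m["SrcA"], s.pc)          # SrcA = 3 (psw) not modelled
    b = s.reg[ir["srcb"]] if m["SrcB"] == 0 else ir["imm"]
    return replace(s, alatch=a, blatch=b, clk=(True, False))

def phase_three(s):
    """Phase 3: MAR is loaded from the PC when Pmux and Mar are both set."""
    m = s.mir
    return replace(s, mar=s.pc if (m["Pmux"] and m["Mar"]) else s.mar, clk=(True, True))

def phase_four(s):
    """Phase 4: ALU, flag update, write-back, memory access and the next micro pc."""
    m = s.mir
    a_input = s.mbr if m["Amux"] else s.alatch
    alu_result, cf = alu_func(m["Alu"], a_input, s.blatch)
    result = shifter_func(m["Shift"], alu_result)
    psw = dict(s.psw)
    if m["Ld_c"]:
        psw["c"] = cf                            # Csrc = alu assumed
    if m["Ld_n"]:
        psw["n"] = bool(alu_result >> (WORD - 1))
    if m["Ld_z"]:
        psw["z"] = alu_result == 0
    reg = list(s.reg)
    if m["Trgt"] == 0:                           # (F,F,F): dest register
        reg[s.ir["dest"]] = result
    elif m["Trgt"] == 1:                         # (F,F,T): ssp register
        reg[SSP] = result
    pc = result if m["Trgt"] == 4 else s.pc      # (T,F,F): pc
    mbr = s.mem[s.mar] if m["Rd"] else (result if m["Mbr"] else s.mbr)
    mar = result if (not m["Pmux"] and m["Mar"]) else s.mar
    mem = list(s.mem)
    if m["Wr"]:
        mem[s.mar] = s.mbr
    mpc = (s.mpc + 1) % 64                       # assumption: only the 'step' case of MPC_UNIT
    return replace(s, reg=tuple(reg), psw=psw, pc=pc, mem=tuple(mem), mar=mar,
                   mbr=mbr, mpc=mpc, clk=(False, False))

def run_cycle(s, urom):
    """One complete clk cycle (F,F) -> (F,T) -> (T,F) -> (T,T) -> (F,F)."""
    return phase_four(phase_three(phase_two(phase_one(s, urom))))

# Constructed micro ROM: address 0 adds reg[srca] and reg[srcb] into reg[dest]
# and loads the C, N and Z flags.
UINST = dict(Amux=False, Shift=(1, 1), Alu=(0, 0, 0, 0), SrcA=0, SrcB=0, Trgt=0,
             Ld_c=True, Ld_n=True, Ld_z=True, Pmux=False, Mar=False, Mbr=False,
             Rd=False, Wr=False)
UROM = {0: UINST}

def demo():
    """Constructed state: 200 + 100 wraps to 44 with carry in an 8-bit word."""
    s = PhaseState(reg=(200, 100, 0, 0, 0, 0, 0, 0x80),
                   psw=dict(sm=False, ie=True, c=False, v=False, n=False, z=False),
                   pc=0x10, mem=(0,) * 256,
                   ir=dict(srca=0, srcb=1, dest=2, imm=0), mar=0, mbr=0, mpc=0)
    return run_cycle(s, UROM)
```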
Selector function on phase level state for the phase level
counter.
let GetPhaseClock = new_definition
  ('GetPhaseClock',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    GetPhaseClock rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                       alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                      (int_e) = clk"
  );;




Substate the phase state to the micro state.
let Phase_Substate = new_definition
  ('Phase_Substate',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr alatch blatch:*wordn)
     (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
     (ireq_ff iack_ff int_e:bool).
    Phase_Substate rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                        alatch, blatch, ireq_ff, iack_ff, mir, urom,
                        clk) =
      (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)"
  );;
I serves as the substate function since the state
of the phase level is equivalent to the state of the EBM.
I also serves as the subenv function since the set of external
lines in the phase level is the same as the set of external




3.5.4 The Phase-Level Proof
This section presents the ML code that creates the theory phase.th.
File: mk_phase.ml
Author: (c) P. J. Windley 1990
Date: 18 JAN 90
Modified:
Description:
Defines the phase level interpreter in terms of the definitions
in block_def.th, phase_def.th, and gen_I.th.
Proves the lemmas meeting the theory obligations for the abstract
theory gen_I.th and instantiates a proof of the phase level in
terms of the EBM.
...............................................................
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;









let GetPhaseClock = definition 'phase_def' 'GetPhaseClock';;
let phase_one_def = EXPAND_LET_RULE (
    definition 'phase_def' 'phase_one_def');;
let phase_two_def = EXPAND_LET_RULE (
    definition 'phase_def' 'phase_two_def');;
let phase_three_def = EXPAND_LET_RULE (
    definition 'phase_def' 'phase_three_def');;
let ALU_FUNC = definition 'phase_def' 'ALU_FUNC';;
let ALU_CARRY_FUNC = definition 'phase_def' 'ALU_CARRY_FUNC';;
let ALU_OVFL_FUNC = definition 'phase_def' 'ALU_OVFL_FUNC';;
let ALU_NEG_FUNC = definition 'phase_def' 'ALU_NEG_FUNC';;
let ALU_ZERO_FUNC = definition 'phase_def' 'ALU_ZERO_FUNC';;
let SHIFTER_FUNC = definition 'phase_def' 'SHIFTER_FUNC';;
let SHIFTER_CARRY_FUNC = definition 'phase_def' 'SHIFTER_CARRY_FUNC';;
let phase_four_def = definition 'phase_def' 'phase_four_def';;
let phase_four_expanded = EXPAND_LET_RULE phase_four_def;;
let EBM_expanded =
    REWRITE_RULE [definition 'block_def' 'IVEC_SPEC']
                 (theorem 'block_def' 'EBM_expanded');;
let GetEBMClock = definition 'block_def' 'GetEBMClock';;
let EBM_Start = definition 'block_def' 'EBM_Start';;
let Next = definition 'time_abs' 'Next';;
let Temp_Abs_DEGENERATE = theorem 'time_abs' 'Temp_Abs_DEGENERATE';;
loadf 'tuple';;
map autoload_theory ['mpc_def'; 'alu_def'; 'shift_def'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
let Phase_state =
  ":((*wordn)list#*wordn#*wordn#*memory#
     *wordn#*wordn#*wordn#*wordn#bt6#
     *wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;
let Phase_env = ":bool";;
let EBM_state = Phase_state;;
let EBM_env = Phase_env;;




let Phase_Int_def = new_definition
  ('Phase_Int_def',
   "!(rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
    Phase_Int rep s e =
      INTERP







        (I : ^EBM_env->^Phase_env), EBM rep,
        (GetEBMClock rep: ^EBM_state->^EBM_env->bool),
        EBM_Start, \x:one.F) s e"
  );;










|- !rep s e.
     Phase_Int rep s e =
     (!t.
       s(t + 1) =
       SND
       (bt2_val(GetPhaseClock(s t)(e t)))
       [(F,F),phase_one rep; (F,T),phase_two rep; (T,F),phase_three rep;




Intermediate theorems generated: 1627
let Phase_Int_Inst_Correct_def = new_definition
  ('Phase_Int_Inst_Correct_def',
   "!(rep:^rep_ty) s' e'.
    Phase_Int_Inst_Correct rep s' e' =
      INST_CORRECT
       ([(F,F),phase_one rep;
         (F,T),phase_two rep;






        (I : ^EBM_state->^Phase_state),
        (I : ^EBM_env->^Phase_env), EBM rep,
        (GetEBMClock rep: ^EBM_state->^EBM_env->bool),
        EBM_Start, \x:one.F) s' e'"
  );;
let Phase_Int_Inst_Correct =
  let Phase_Int_ElT =




        instantiate_abstract_definition
          'gen_I'
          'INST_CORRECT'
          Phase_Int_ElT))));;
Phase_Int_Inst_Correct =
|- !rep s' e' p.
     Phase_Int_Inst_Correct rep s' e' p =
     EBM rep s' e' ==>
     (!t.
       (GetPhaseClock rep(s' t)(e' t) = FST p) /\
       (GetEBMClock rep(s' t)(e' t) = EBM_Start) ==>
       (?c.
         Next(\t'. GetEBMClock rep(s' t')(e' t') = EBM_Start)(t,t + c) /\
         (SND p(s' t)(e' t) = s'(t + c))))
Run time: 203.9s
Intermediate theorems generated: 2744
...............................................................
let NEXT_LEMMA = TAC_PROOF
  (([],
    "!t. t < (t + 1) /\ (!t'. ~(t < t' /\ t' < (t + 1)))"),
   REPEAT GEN_TAC
   THEN CONJ_TAC





let NOT_IF_LEMMA = TAC_PROOF
  (([],
    "!x y (a b c:*wordn) .
     ((~x /\ y) => (x => a | b)
      | c) =






let IF_OR_LEMMA = TAC_PROOF
  (([],
    "!x y (a b:*wordn) .
     (x => a |
      y => a | b) =





Cause these to be read in now so that we can delete the cache.
TWO_TUPLE_VALUE_LEMMA;;
_ TUPr_._VALUE L_II_; ;
Get rid of some bulk.
let ALU_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE ALU_FUNC] MAC2_OUT_LEMMA;;
let ALU_CARRY_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE ALU_CARRY_FUNC] MAC2_CARRY_LEMMA;;
let ALU_OVFL_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE ALU_OVFL_FUNC] MAC2_OVFL_LEMMA;;
let ALU_NEG_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE ALU_NEG_FUNC] MAC2_NEG_LEMMA;;
let ALU_ZERO_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE ALU_ZERO_FUNC] MAC2_ZERO_LEMMA;;
let SHIFTER_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE SHIFTER_FUNC] SHIFTER_OUT_LEMMA;;
let SHIFTER_CARRY_FUNC_LEMMA =
    REWRITE_RULE [SYM_RULE SHIFTER_CARRY_FUNC] SHIFTER_CARRY_LEMMA;;
map (delete_cache o fst) (cached_theories());;
let PHASE_ONE_EBM_LEMMA = TAC_PROOF
  (([],
    "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)







      (\t.(reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t,
           alatch t, blatch t, ireq_ff t,
           iack_ff t, mir t, urom, clk t))
      (\t. (ireq_e t))
      ((F,F),phase_one rep)"),










   THEN REWRITE_TAC [GetPhaseClock; Next;
                     GetEBMClock; EBM_Start; phase_one_def; ]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
   THEN EXISTS_TAC "1"
   THEN ASM_REWRITE_TAC [PAIR_EQ;NEXT_LEMMA]
let PHASE_TWO_EBM_LEMMA = TAC_PROOF
  (([],
    "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool).
     Phase_Int_Inst_Correct rep
      (\t.(reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t,
           alatch t, blatch t, ireq_ff t,
           iack_ff t, mir t, urom, clk t))
      (\t. (ireq_e t))
      ((F,T),phase_two rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC
   THEN REWRITE_TAC [GetPhaseClock;Next;




       MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl)
   THEN EXISTS_TAC "1"




     let find_aselect_term tm = (
         let (x,y) = (dest_eq tm) in
         (x = "(aselect t):bt3")) ? false in
     UNDISCH_TAC (concl (hd (filter ((find_aselect_term) o concl)
                             asl))))






     let find_aselect_term tm = (
         let (w,(y,(x,z))) = (I # (I # dest_eq))
                             ((I # dest_eq) (dest_forall tm)) in
         (x = "(aselect t):bt3")) ? false in
     let SPEC_t x = (SPEC "t:time" x) ? x in
     let aselect_list =
         (filter ((find_aselect_term) o concl) (tl asl)) in
     let rest = subtract (tl asl) aselect_list in
     let aselect_thms =
         map (REWRITE_RULE [hd asl;PAIR_EQ] o SPEC_ALL) aselect_list in
     MAP_EVERY
       (CHECK_ASSUME_TAC o (REWRITE_RULE aselect_thms) o SPEC_t)
       (rev rest)
     THEN MAP_EVERY ASSUME_TA C aselect_thms)
   THEN RES_TAC
   THEN ASM_REWRITE_TAC [PAIR_EQ]
   THEN ASSUM_LIST (\asl .
     let find_bselect_term tm = (
         let (x,y) = (dest_eq tm) in
         (x = "(bselect t):bt2")) ? false in
     UNDISCH_TAC (concl (hd (filter ((find_bselect_term) o concl)
                             asl))))
   THEN STRUCT_CASES_TAC (SPEC "SrcB(mir t):bt2" TWO_TUPLE_VALUE_LEMMA)
   THEN STRIP_TAC
   THEN POP_ASSUM_LIST (\asl .
     let find_bselect_term tm = (
         let (w,(y,(x,z))) = (I # (I # dest_eq))
                             ((I # dest_eq) (dest_forall tm)) in
         (x = "(bselect t):bt2")) ? false in
     let SPEC_t x = (SPEC "t:time" x) ? x in
     let bselect_list =
         (filter ((find_bselect_term) o concl) (tl asl)) in
     let rest = subtract (tl asl) bselect_list in
     let bselect_thms =
         map (REWRITE_RULE [hd asl;PAIR_EQ] o SPEC_ALL)
             bselect_list in
     MAP_EVERY




let PHASE_THREE_EBM_LEMMA = TAC_PROOF
  (([],
    "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool).
     Phase_Int_Inst_Correct rep
      (\t.(reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t,
           alatch t, blatch t, ireq_ff t,
           iack_ff t, mir t, urom, clk t))
      (\t. (ireq_e t))
      ((T,F),phase_three rep)"),














                     GetEBMClock; EBM_Start; phase_three_def; ]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC





let PHASE_FOUR_EBM_LEMMA = TAC_PROOF
  (([],
    "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool).
     Phase_Int_Inst_Correct rep
      (\t.(reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t,
           alatch t, blatch t, ireq_ff t,
           iack_ff t, mir t, urom, clk t))
      (\t. (ireq_e t))
      ((T,T),phase_four rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC





   THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
   THEN EXISTS_TAC "1"
   THEN FIRST_ASSUM
     (\thm. (ASSUME_TAC (MATCH_MP ALU_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
     (\thm. (ASSUME_TAC (MATCH_MP SHIFTER_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
     (\thm. (ASSUME_TAC (MATCH_MP ALU_NEG_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
     (\thm. (ASSUME_TAC (MATCH_MP ALU_ZERO_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
     (\thm. (ASSUME_TAC (MATCH_MP ALU_CARRY_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM




       (MATCH_MP SHIFTER_CARRY_FUNC_LEMMA thm)) ? NO_TAC)




   THENL [ % 1 %
     ASM_CASES_TAC "Wr(mir t):bool"
     THEN POP_ASSUM (\thm1 .
       FIRST_ASSUM (\thm2 . (
         ASSUME_TAC (






     ASM_CASES_TAC "Rd(mir t):bool"
     THENL [ % 1.1 %
       POP_ASSUM (\thm1 .
         FIRST_ASSUM (\thm2 . (
           ASSUME_TAC (





     THEN ASM_REWRITE_TAC []
  );;
The first obligation of the abstract interpreter theory.
let Phase_Int_Correct_LEMMA_AUX = TAC_PROOF
  (([],
    "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool).
     EVERY (Phase_Int_Inst_Correct rep
      (\t.(reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t,
           alatch t, blatch t, ireq_ff t,












     MATCH_ACCEPT_TAC PHASE_THREE_EBM_LEMMA;
     MATCH_ACCEPT_TAC PHASE_FOUR_EBM_LEMMA
    ]
  );;
let Phase_Int_Correct_LEMMA = (
    SPEC_ALL (
      PURE_ONCE_REWRITE_RULE [Phase_Int_Inst_Correct_def]
        Phase_Int_Correct_LEMMA_AUX));;
The second obligation of the abstract interpreter theory.
let Phase_Int_LENGTH_LEMMA = TAC_PROOF
  (([],
    "!clk:bt2. bt2_val clk < (LENGTH [(F,F),phase_one (rep:^rep_ty);
                                      (F,T),phase_two rep;
                                      (T,F),phase_three rep;
                                      (T,T),phase_four rep])"),
   MATCH_ACCEPT_TAC bt2_LENGTH_LEMMA
  );;
The third obligation of the abstract interpreter theory.
let Phase_Int_ORDER_LEMMA = TAC_PROOF
  (([],
    "!clk:bt2. clk = (FST (EL (bt2_val clk) [(F,F),phase_one (rep:^rep_ty);
                                             (F,T),phase_two rep;
                                             (T,F),phase_three rep;
                                             (T,T),phase_four rep]))"),
   REPEAT GEN_TAC
   THEN STRUCT_CASES_TAC (SPEC "clk:bt2" TWO_TUPLE_VALUE_LEMMA)
   THEN PURE_ONCE_REWRITE_TAC [bt2_val]


















     GetPhaseClock rep: ^Phase_state->^Phase_env->bt2,
     I : ^EBM_state->^Phase_state,
     I : ^EBM_env->^Phase_env,
     EBM rep,
     GetEBMClock rep: ^EBM_state->^EBM_env->bool, EBM_Start)");
    "(\t. (ireq_e t)) :time->^EBM_env");
   ("s : time->*State",
    "(\t.(reg t, psw t, pc t, mem t, ivec t,
          ir t, mar t, mbr t, mpc t,
          alatch t, blatch t, ireq_ff t,






|- let s t =
     I
     ((\t'.
        (reg t',psw t',pc t',mem t',ivec t',ir t',mar t',mbr t',
         mpc t',alatch t',blatch t',ireq_ff t',iack_ff t',mir t',
         urom, clk t'))




         mpc t',alatch t',blatch t',ireq_ff t',iack_ff t',mir t',
         urom, clk t'))
        t)
     ((\t'. (ireq_e t')) t) =
     EBM_Start)





      (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,
       alatch t,blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
      (\t. (ireq_e t)) /\
      (?t. t _) ==>
      INTERP
      ([(F,F),phase_one rep; (F,T),phase_two rep; (T,F),phase_three rep;
        (T,T),phase_four rep], bt2_val, GetPhaseClock rep, I, I, EBM rep,




: (string # thm) list
Run time: 626.4s
Intermediate theorems generated: 3903
let correct_lemma = snd(hd theorem_list);;






Rewrite the correctness lemma into a prettier form.
let PHASE_LEVEL_CORRECT_LEMMA = save_thm
  ('PHASE_LEVEL_CORRECT_LEMMA',










      (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
       blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))




      (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
       blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
      (\t. (ireq_e t))
Run time: 346.7s
Intermediate theorems generated: 4769
3.6 The Micro-Level
This section presents the theories that define the micro-level interpreter. Also presented is the theory
that verifies the micro-level interpreter with respect to the phase-level interpreter.
3.6.1 The Micro-Level Interpreter
(c) P. J. Windley 1989
05 APR 90
Defines the behavioral description of the micro interpreter
level.
Modified:
12 APR 90 -- Changed DECODE to use only 5 lsb in opcode.
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                 ]);;









map new_parent ['aux_def'; 'aux_thms'; 'regs_def'; 'jump_def'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;











let FETCH_ADDR = "(F,F,F,F,F,F)";;
let CALL_u2_ADDR = "(T,F,F,T,F,F)";;











let STI_u2_ADDR = "(T,T,F,F,F,F)";;
let EINT_u1_ADDR = "(T,T,F,F,F,T)";;
let EINT_u2_ADDR = "(T,T,F,F,T,F)";;
let EINT_u3_ADDR = "(T,T,F,F,T,T)";;
let EINT_u4_ADDR = "(T,T,F,T,F,F)";;
let LD_u3_ADDR = "(T,T,F,T,F,T)";;
Micro instruction 0: fetch
let FETCH = new_definition
  ('FETCH_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    FETCH rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =




       fetch rep (mem, address rep pc),
       ((int_e /\ (get_ie rep psw)) => ^EINT_u1_ADDR | add_bt6 mpc 1))"
  );;
save_thm('FETCH',EXPAND_LET_RULE FETCH);;
Micro instruction 1: issue
let ISSUE = new_definition
  ('ISSUE_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ISSUE rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, mem, ivec, mbr,
       mar, mbr, add_bt6 mpc 1)"
  );;
save_thm('ISSUE',EXPAND_LET_RULE ISSUE);;
Micro instruction 2: decode
let DECODE = new_definition
  ('DECODE_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    DECODE rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, inc rep pc, mem, ivec, ir,
       mar, mbr, add_bt6 (F,(SND(opcode rep ir))) 4)"
  );;
save_thm('DECODE',EXPAND_LET_RULE DECODE);;
table entry 0: first uinst for JMP
let JMP_u1 = new_definition
  ('JMP_u1_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    JMP_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = add rep (a, i) in
      let jump_cond = JMP_COND rep d psw in
      (reg, psw,
       (jump_cond => result | pc),
       mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('JMP_u1',EXPAND_LET_RULE JMP_u1);;
table entry 1: first uinst for CALL
................................................................
let CALL_u1 = new_definition
  ('CALL_u1_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    CALL_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      (reg, psw, pc,
       mem, ivec, ir, mar, pc, ^CALL_u2_ADDR)"
  );;
save_thm('CALL_u1',EXPAND_LET_RULE CALL_u1);;
let CALL_u2 = new_definition
  ('CALL_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    CALL_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      (reg, psw, pc,
       mem, ivec, ir, EL d reg, mbr, ^CALL_u3_ADDR)"
  );;
save_thm('CALL_u2',EXPAND_LET_RULE CALL_u2);;
let CALL_u3 = new_definition
  ('CALL_u3_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    CALL_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir in
      let result = add rep (a, i) in
      (reg, psw, result,
       store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^CALL_u4_ADDR)"
  );;
save_thm('CALL_u3',EXPAND_LET_RULE CALL_u3);;
let CALL_u4 = new_definition
  ('CALL_u4_def',
   "!(rep:^rep_ty) reg mem
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    CALL_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      let result = inc rep (EL d reg) in
      (UPDATE_REG rep psw d reg result, psw, pc, mem,
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
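The CALL sequence above (FETCH, ISSUE, DECODE, then CALL_u1 to CALL_u4) as an added Python model of the micro-level interpreter; this is not the report's HOL. The 8-bit word size, the instruction words stored pre-decoded as dictionaries, and the micro addresses of CALL_u3 and CALL_u4 (which the page does not show) are assumptions.

```python
from dataclasses import dataclass, replace

MASK = 0xFF                                        # assumption: 8-bit words and addresses
FETCH_ADDR, ISSUE_ADDR, DECODE_ADDR = 0, 1, 2      # micro pcs of the first three uinsts
TABLE_BASE = 4                                     # DECODE: add_bt6 (F, 5-bit opcode) 4
CALL_OPCODE = 1                                    # table entry 1: first uinst for CALL
EINT_u1_ADDR = 0b110001                            # (T,T,F,F,F,T)
CALL_u2_ADDR = 0b100100                            # (T,F,F,T,F,F)
CALL_u3_ADDR, CALL_u4_ADDR = 0b100101, 0b100110    # assumption: not visible on the page

@dataclass(frozen=True)
class MicroState:
    """The micro-level state 9-tuple (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)."""
    reg: tuple
    psw: dict
    pc: int
    mem: tuple
    ivec: int
    ir: dict
    mar: int
    mbr: object            # a data word, or a pre-decoded instruction (assumption)
    mpc: int

def FETCH(s, int_e):
    # mbr := mem[pc]; go to the interrupt entry point when an interrupt is
    # pending and enabled, otherwise step to ISSUE
    mpc = EINT_u1_ADDR if (int_e and s.psw["ie"]) else s.mpc + 1
    return replace(s, mbr=s.mem[s.pc], mpc=mpc)

def ISSUE(s, int_e):
    # ir := mbr
    return replace(s, ir=s.mbr, mpc=s.mpc + 1)

def DECODE(s, int_e):
    # pc := pc + 1; dispatch on the low five bits of the opcode
    return replace(s, pc=(s.pc + 1) & MASK, mpc=TABLE_BASE + (s.ir["opcode"] & 0x1F))

def CALL_u1(s, int_e):
    # mbr := pc (the return address)
    return replace(s, mbr=s.pc, mpc=CALL_u2_ADDR)

def CALL_u2(s, int_e):
    # mar := reg[dest]; dest names the register used as the stack pointer
    return replace(s, mar=s.reg[s.ir["dest"]], mpc=CALL_u3_ADDR)

def CALL_u3(s, int_e):
    # pc := reg[srca] + imm; mem[mar] := mbr
    target = (s.reg[s.ir["srca"]] + s.ir["imm"]) & MASK
    mem = list(s.mem)
    mem[s.mar] = s.mbr
    return replace(s, pc=target, mem=tuple(mem), mpc=CALL_u4_ADDR)

def CALL_u4(s, int_e):
    # reg[dest] := reg[dest] + 1, then back to FETCH
    d = s.ir["dest"]
    reg = list(s.reg)
    reg[d] = (reg[d] + 1) & MASK
    return replace(s, reg=tuple(reg), mpc=FETCH_ADDR)

# Micro ROM: address -> micro instruction, as the urom function selects it.
UROM = {FETCH_ADDR: FETCH, ISSUE_ADDR: ISSUE, DECODE_ADDR: DECODE,
        TABLE_BASE + CALL_OPCODE: CALL_u1, CALL_u2_ADDR: CALL_u2,
        CALL_u3_ADDR: CALL_u3, CALL_u4_ADDR: CALL_u4}

def run_instruction(s, int_e=False):
    """Run micro instructions from FETCH until mpc returns to FETCH_ADDR.
    Returns the final state and the number of micro instructions executed."""
    if s.mpc != FETCH_ADDR:
        raise ValueError("must start at FETCH")
    s = UROM[s.mpc](s, int_e)
    steps = 1
    while s.mpc != FETCH_ADDR:
        if s.mpc not in UROM:
            raise KeyError(f"no micro instruction at {s.mpc}")
        s = UROM[s.mpc](s, int_e)
        steps += 1
    return s, steps

def initial_state():
    """Constructed program: a CALL at 0x10 to reg[1] + 5, pushing the return
    address through reg[7], which the instruction names as dest."""
    mem = [0] * 256
    mem[0x10] = dict(opcode=CALL_OPCODE, srca=1, srcb=0, dest=7, imm=5)
    return MicroState(reg=(0, 0x40, 0, 0, 0, 0, 0, 0x80), psw=dict(ie=True),
                      pc=0x10, mem=tuple(mem), ivec=0, ir={}, mar=0, mbr=0,
                      mpc=FETCH_ADDR)

def demo():
    return run_instruction(initial_state())
```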








table entry 2: first uinst for INT
let INT_u1 = new_definition
  ('INT_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    INT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = T and
          ie = F in
      (reg,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, pc, ^INT_u2_ADDR)"
  );;
save_thm('INT_u1',EXPAND_LET_RULE INT_u1);;
let INT_u2 = new_definition
  ('INT_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    INT_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, pc,
       mem, ivec, ir, SSP_REG reg, mbr, ^INT_u3_ADDR)"
  );;
save_thm('INT_u2',EXPAND_LET_RULE INT_u2);;
let INT_u3 = new_definition
  ('INT_u3_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).




      let result = inc rep (SSP_REG reg) in
      (UPDATE_REG rep psw ssp_reg reg result,
       psw, pc, mem, ivec, ir, mar, mbr, ^INT_u4_ADDR)"
  );;
save_thm('INT_u3',EXPAND_LET_RULE INT_u3);;
let INT_u4 = new_definition
  ('INT_u4_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    INT_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let i = imm rep ir in
      let result = band rep (wordn rep 255, i) in
      (reg, psw, result,
       store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('INT_u4',EXPAND_LET_RULE INT_u4);;
table entry 3: first uinst for RTI
let RTI_u1 = new_definition
  ('RTI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    RTI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let result = dec rep (SSP_REG reg) in
      (UPDATE_REG rep psw ssp_reg reg result,
       psw, pc, mem, ivec, ir, result, mbr, ^RTI_u2_ADDR)"
  );;
save_thm('RTI_u1',EXPAND_LET_RULE RTI_u1);;
let RTI_u2 = new_definition
  ('RTI_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    RTI_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = F and
          ie = T in
      (reg,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar,
       fetch rep (mem, address rep mar), ^RTI_u3_ADDR)"
  );;
save_thm('RTI_u2',EXPAND_LET_RULE RTI_u2);;
let RTI_u3 = new_definition
  ('RTI_u3_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    RTI_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, mbr, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('RTI_u3',EXPAND_LET_RULE RTI_u3);;
table entry 4: first uinst for GPSW
................................................................
let GPSW_u1 = new_definition
  ('GPSW_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    GPSW_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      (UPDATE_REG rep psw d reg psw,
       psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('GPSW_u1',EXPAND_LET_RULE GPSW_u1);;
table entry 5: first uinst for PPSW
let PPSW_u1 = new_definition
  ('PPSW_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    PPSW_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) and
          sm = get_sm rep psw in
      (reg,
       (sm => (EL d reg) | psw),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('PPSW_u1',EXPAND_LET_RULE PPSW_u1);;
% table entry 6: first uinst for LD %
let LD_u1 = new_definition
  ('LD_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LD_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg in
      let result = add rep (a, b) in
      (reg, psw, pc, mem, ivec, ir, result, mbr, ^LD_u2_ADDR)"
  );;
save_thm('LD_u1',EXPAND_LET_RULE LD_u1);;
% LD_u2_ADDR: second uinst for LD. %
let LD_u2 = new_definition
  ('LD_u2_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LD_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, mem, ivec, ir, mar,
       fetch rep (mem, address rep mar), ^LD_u3_ADDR)"
  );;
save_thm('LD_u2',EXPAND_LET_RULE LD_u2);;
% LD_u3_ADDR: third uinst for LD. %
let LD_u3 = new_definition
  ('LD_u3_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LD_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let d = reg_len rep (dest rep ir) in
      (UPDATE_REG rep psw d reg mbr,
       psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('LD_u3',EXPAND_LET_RULE LD_u3);;
% table entry 7: first uinst for ST %
let ST_u1 = new_definition
  ('ST_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ST_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg in
      let result = add rep (a, b) in
      (reg, psw, pc, mem, ivec, ir, result, mbr, ^ST_u2_ADDR)"
  );;
save_thm('ST_u1',EXPAND_LET_RULE ST_u1);;
% ST_u2_ADDR: second uinst for ST. %
let ST_u2 = new_definition
  ('ST_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ST_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let d = reg_len rep (dest rep ir) in
      (reg, psw, pc, mem, ivec, ir, mar, EL d reg, ^ST_u3_ADDR)"
  );;
save_thm('ST_u2',EXPAND_LET_RULE ST_u2);;
% ST_u3_ADDR: third uinst for ST. %
let ST_u3 = new_definition
  ('ST_u3_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ST_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ST_u3',EXPAND_LET_RULE ST_u3);;
% table entry 8: first uinst for LSL %
let LSL_u1 = new_definition
  ('LSL_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list)
     (mem:*memory) (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LSL_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = shl rep a in
      let cflag = msb rep a and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('LSL_u1',EXPAND_LET_RULE LSL_u1);;
% table entry 9: first uinst for LSR %
let LSR_u1 = new_definition
  ('LSR_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LSR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = shr rep a in
      let cflag = lsb rep a and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('LSR_u1',EXPAND_LET_RULE LSR_u1);;
% table entry 10: first uinst for ASR %
let ASR_u1 = new_definition
  ('ASR_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ASR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = asr rep a in
      let cflag = lsb rep a and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ASR_u1',EXPAND_LET_RULE ASR_u1);;
% table entry 11: first uinst for RTN %
let RTN_u1 = new_definition
  ('RTN_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    RTN_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let d = reg_len rep (dest rep ir) in
      let result = dec rep (EL d reg) in
      (UPDATE_REG rep psw d reg result,
       psw, pc, mem, ivec, ir, result, mbr, ^RTN_u2_ADDR)"
  );;
save_thm('RTN_u1',EXPAND_LET_RULE RTN_u1);;
% Return through RTI_u3 to transfer mbr to pc. %
let RTN_u2 = new_definition
  ('RTN_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    RTN_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw,
       pc, mem, ivec, ir, mar,
       fetch rep (mem, address rep mar), ^RTI_u3_ADDR)"
  );;
save_thm('RTN_u2',EXPAND_LET_RULE RTN_u2);;
% table entry 12: first uinst for NOOP (used to fill urom) %
let NOOP_u1 = new_definition
  ('NOOP_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    NOOP_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      (reg, psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('NOOP_u1',EXPAND_LET_RULE NOOP_u1);;
% table entry 13: first uinst for NOOP (already defined) %
% table entry 14: first uinst for LDI %
% Jump to LD_u2_ADDR for second instruction of LDI %
let LDI_u1 = new_definition
  ('LDI_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    LDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir in
      let result = add rep (a, i) in
      (reg, psw, pc, mem, ivec, ir, result, mbr, ^LD_u2_ADDR)"
  );;
save_thm('LDI_u1',EXPAND_LET_RULE LDI_u1);;
% table entry 15: first uinst for STI %
%----------------------------------------------------------------%
let STI_u1 = new_definition
  ('STI_u1_def',
   "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    STI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir in
      let result = add rep (a, i) in
      (reg, psw, pc, mem, ivec, ir, result, mbr, ^STI_u2_ADDR)"
  );;
save_thm('STI_u1',EXPAND_LET_RULE STI_u1);;
% STI_u2_ADDR: second uinst for STI. %
let STI_u2 = new_definition
  ('STI_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    STI_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let d = reg_len rep (dest rep ir) in
      % result tuple illegible in the scan; reconstructed from ST_u2
        (same register-to-mbr transfer) and from the microrom order,
        in which STI_u2 continues at ST_u3 %
      (reg, psw, pc, mem, ivec, ir, mar, EL d reg, ^ST_u3_ADDR)"
  );;
save_thm('STI_u2',EXPAND_LET_RULE STI_u2);;
% table entry 16: first uinst for ADD %
let ADD_u1 = new_definition
  ('ADD_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ADD_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = add rep (a, b) in
      let cflag = addp rep (a, b, result) and
          vflag = aovfl rep (a, b, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ADD_u1',EXPAND_LET_RULE ADD_u1);;
% table entry 17: first uinst for ADDC %
let ADDC_u1 = new_definition
  ('ADDC_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ADDC_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = addc rep (a, b, get_cf rep psw) in
      let cflag = addcp rep (a, b, result) and
          vflag = aovfl rep (a, b, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ADDC_u1',EXPAND_LET_RULE ADDC_u1);;
% table entry 18: first uinst for SUB %
let SUB_u1 = new_definition
  ('SUB_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    SUB_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = sub rep (a, b) in
      let cflag = subp rep (a, b, result) and
          vflag = sovfl rep (a, b, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('SUB_u1',EXPAND_LET_RULE SUB_u1);;
% table entry 19: first uinst for SUBC %
let SUBC_u1 = new_definition
  ('SUBC_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    SUBC_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = subc rep (a, b, get_cf rep psw) in
      let cflag = subp rep (a, b, result) and
          vflag = sovfl rep (a, b, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('SUBC_u1',EXPAND_LET_RULE SUBC_u1);;
% table entry 20: first uinst for BAND %
let BAND_u1 = new_definition
  ('BAND_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BAND_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = band rep (a, b) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BAND_u1',EXPAND_LET_RULE BAND_u1);;
% table entry 21: first uinst for BOR %
let BOR_u1 = new_definition
  ('BOR_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BOR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = bor rep (a, b) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BOR_u1',EXPAND_LET_RULE BOR_u1);;
% table entry 22: first uinst for BXOR %
let BXOR_u1 = new_definition
  ('BXOR_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BXOR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = bxor rep (a, b) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BXOR_u1',EXPAND_LET_RULE BXOR_u1);;
% table entry 23: first uinst for BNOT %
let BNOT_u1 = new_definition
  ('BNOT_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BNOT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          d = reg_len rep (dest rep ir) in
      let result = bnot rep a in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BNOT_u1',EXPAND_LET_RULE BNOT_u1);;
% table entry 24: first uinst for ADDI %
let ADDI_u1 = new_definition
  ('ADDI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ADDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (add rep (a, i)) in
      let cflag = addp rep (a, i, result) and
          vflag = aovfl rep (a, i, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ADDI_u1',EXPAND_LET_RULE ADDI_u1);;
% table entry 25: first uinst for ADDCI %
let ADDCI_u1 = new_definition
  ('ADDCI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    ADDCI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                 (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (addc rep (a, i, get_cf rep psw)) in
      let cflag = addcp rep (a, i, result) and
          vflag = aovfl rep (a, i, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('ADDCI_u1',EXPAND_LET_RULE ADDCI_u1);;
% table entry 26: first uinst for SUBI %
let SUBI_u1 = new_definition
  ('SUBI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    SUBI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (sub rep (a, i)) in
      let cflag = subp rep (a, i, result) and
          vflag = sovfl rep (a, i, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('SUBI_u1',EXPAND_LET_RULE SUBI_u1);;
% table entry 27: first uinst for SUBCI %
%----------------------------------------------------------------%
let SUBCI_u1 = new_definition
  ('SUBCI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    SUBCI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                 (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (subc rep (a, i, get_cf rep psw)) in
      let cflag = subp rep (a, i, result) and
          vflag = sovfl rep (a, i, result) and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('SUBCI_u1',EXPAND_LET_RULE SUBCI_u1);;
% table entry 28: first uinst for BANDI %
let BANDI_u1 = new_definition
  ('BANDI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BANDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                 (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (band rep (a, i)) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BANDI_u1',EXPAND_LET_RULE BANDI_u1);;
% table entry 29: first uinst for BORI %
let BORI_u1 = new_definition
  ('BORI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BORI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (bor rep (a, i)) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BORI_u1',EXPAND_LET_RULE BORI_u1);;
% table entry 30: first uinst for BXORI %
let BXORI_u1 = new_definition
  ('BXORI_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    BXORI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                 (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = (bxor rep (a, i)) in
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = negp rep result and
          zflag = zerop rep result and
          sm = get_sm rep psw and
          ie = get_ie rep psw in
      (UPDATE_REG rep psw d reg result,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('BXORI_u1',EXPAND_LET_RULE BXORI_u1);;
% code for external interrupt %
let EINT_u1 = new_definition
  ('EINT_u1_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    EINT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = T and
          ie = F in
      (reg,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, pc, ^EINT_u2_ADDR)"
  );;
save_thm('EINT_u1',EXPAND_LET_RULE EINT_u1);;
let EINT_u2 = new_definition
  ('EINT_u2_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    EINT_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      (reg, psw, pc,
       mem, ivec, ir, SSP_REG reg, mbr, ^EINT_u3_ADDR)"
  );;
save_thm('EINT_u2',EXPAND_LET_RULE EINT_u2);;
let EINT_u3 = new_definition
  ('EINT_u3_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    EINT_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let result = inc rep (SSP_REG reg) in
      (UPDATE_REG rep psw ssp_reg reg result,
       psw, pc,
       store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^EINT_u4_ADDR)"
  );;
save_thm('EINT_u3',EXPAND_LET_RULE EINT_u3);;
let EINT_u4 = new_definition
  ('EINT_u4_def',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
    EINT_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let result = band rep (wordn rep 265, int_fetch rep ivec) in
      (reg, psw, result, mem,
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;
save_thm('EINT_u4',EXPAND_LET_RULE EINT_u4);;
let micro_state = ":((*wordn)list#*wordn#*wordn#*memory#
                     *wordn#*wordn#*wordn#*wordn#bt6)";;
let micro_env = ":bool";;
% The micro_inst_list will be used to instantiate inst_list in
  mk_micro.ml. %
    ((F,T,T,F,F,T), (BOR_u1 rep));
    ((F,T,T,F,T,F), (BXOR_u1 rep));
% Select MPC from state. This is used to instantiate gen_I.th. %
let GetMPC = new_definition
  ('GetMPC',
   "!(reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
     (int_e:bool).
3.6.2 The Micro-Level Instructions
This section presents the ML code that creates the theory uinst_def.th.
%----------------------------------------------------------------%
  File:        def_uinst.ml
  Author:      (c) P. J. Windley 1990
  Date:        _ 23, 1990
  Modified:
  Description:
    Defines the microinstructions and microrom for the
    micro-level.
%----------------------------------------------------------------%
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                  ]);;
let Library_Root = '/muztag/home/windley/hol/Library/';;
set_search_path
  (search_path () @
   (map (concat Library_Root) ['decimal/'; 'assoc/']));;
system '/bin/rm uinst.th';;
new_theory 'uinst';;
loadf 'ucode_aux';;
new_parent 'ucode_def';;
%----------------------------------------------------------------%
% If you change these addresses, change the list in def_uinst.ml
  as well. %
%----------------------------------------------------------------%
let FETCH_ADDR = "(F,F,F,F,F,F)";;
let CALL_u2_ADDR = "(T,F,F,T,F,F)";;
let CALL_u3_ADDR = "(T,F,F,T,F,T)";;
let CALL_u4_ADDR = "(T,F,F,T,T,F)";;
let INT_u2_ADDR = "(T,F,F,T,T,T)";;
let INT_u3_ADDR = "(T,F,T,F,F,F)";;
let INT_u4_ADDR = "(T,F,T,F,F,T)";;
let RTI_u2_ADDR = "(T,F,T,F,T,F)";;
let RTI_u3_ADDR = "(T,F,T,F,T,T)";;
let EINT_u1_ADDR = "(T,T,F,F,F,T)";;
let EINT_u2_ADDR = "(T,T,F,F,T,F)";;
let EINT_u3_ADDR = "(T,T,F,F,T,T)";;
let EINT_u4_ADDR = "(T,T,F,T,F,F)";;
let LD_u3_ADDR = "(T,T,F,T,F,T)";;
let OFFSET = "(F,F,F,T,F,F)";;
let DUMMY = "(T,T,T,T,T,T)";;
   (F,(T,T),(T,F,F,T),F,T,T,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,T,T),T,T,F,F,F,T

   (F,(T,T),(F,F,T,F),F,F,F,(T,F,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,T,F),T,T,T,T,T,T
%----------------------------------------------------------------%

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,F),T,T,T,T,T,T
let JMP_u1_mc = new_definition
  ('JMP_u1_mc',
   "JMP_u1_mc =
     (^(Oper(pcj,nsh,reg_file,add,ir,noreg)),

let CALL_u1_mc = new_definition
  ('CALL_u1_mc',
   "CALL_u1_mc =
     (^(Oper(noreg,nsh,pc,nop,noreg,mbr)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,F,T,F,T

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,F,T,F),F,F,F,(F,F,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
let INT_u1_mc = new_definition
  ('INT_u1_mc',
   "INT_u1_mc =
     (^(Oper(noreg,nsh,pc,nop,noreg,mbr)),
      ^(Set_PSW (set_sm, clr_ie, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,F,T,T,T
%----------------------------------------------------------------%
let INT_u2_mc = new_definition
  ('INT_u2_mc',
   "INT_u2_mc =
     (^(Oper(noreg,nsh,ssp,nop,noreg,mar)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

let INT_u3_mc = new_definition
  ('INT_u3_mc',
   "INT_u3_mc =
     (^(Oper(ssp,nsh,ssp,inc,noreg,noreg)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,wr)),

   (F,(T,T),(F,T,F,T),F,T,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,F,T,F

   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,T,T,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,F,T,T

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(T,F,F,T),F,F,F,(F,F,F),(F,T,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

let LD_u2_mc = new_definition
  ('LD_u2_mc',
   "LD_u2_mc =
     (^(Oper(noreg,nsh,noreg,nop,noreg,noreg)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,rd)),
      ^(Mpc(jmp,LD_u3_ADDR)))"
  );;
let LD_u3_mc = new_definition
  ('LD_u3_mc',
   "LD_u3_mc =
     (^(Oper(reg_file,nsh,mbr,nop,noreg,noreg)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),
      ^(Mpc(jmp,FETCH_ADDR)))"
  );;
let ST_u1_mc = new_definition
  ('ST_u1_mc',
   "ST_u1_mc =
     (^(Oper(noreg,nsh,reg_file,add,reg_file,mar)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),

   (F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),F,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,T,F
%----------------------------------------------------------------%
let ST_u2_mc = new_definition
  ('ST_u2_mc',
   "ST_u2_mc =
     (^(Oper(noreg,nsh,reg_dest,nop,reg_file,mbr)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),
      ^(Mpc(jmp,ST_u3_ADDR)))"
  );;
%----------------------------------------------------------------%
ST_u2_mc =
|- ST_u2_mc =
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(F,F,T),F,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,T,T

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,wr)),
      ^(Mpc(jmp,FETCH_ADDR)))"
ST_u3_mc =
|- ST_u3_mc =
   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,T),(F,F,T),F,F,F,F,F,F
let LSL_u1_mc = new_definition
  ('LSL_u1_mc',
   "LSL_u1_mc =
     (^(Oper(reg_file,shl,reg_file,nop,noreg,noreg)),
      ^(Set_PSW (pass, pass, pass, pass, ld_from_shifter, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(F,F),(T,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%----------------------------------------------------------------%
      ^(Set_PSW (pass, pass, pass, pass, ld_from_shifter, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,F),(T,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
let RTN_u1_mc = new_definition
  ('RTN_u1_mc',
   "RTN_u1_mc =
     (^(Oper(reg_file,nsh,reg_dest,dec,noreg,mar)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,T,F,T),F,T,F,(F,F,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,F,F

   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,F,T,T

      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,T,F,T
let STI_u1_mc = new_definition
  ('STI_u1_mc',
   "STI_u1_mc =
     (^(Oper(noreg,nsh,reg_file,add,ir,mar)),
      ^(Set_PSW (pass, pass, pass, pass, pass, pass)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(F,F,T),F,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,T,T
let ADD_u1_mc = new_definition
  ('ADD_u1_mc',
   "ADD_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,add,reg_file,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,F,F,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%----------------------------------------------------------------%
let ADDC_u1_mc = new_definition
  ('ADDC_u1_mc',
   "ADDC_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,addc,reg_file,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

let SUB_u1_mc = new_definition
  ('SUB_u1_mc',
   "SUB_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,sub,reg_file,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

let SUBC_u1_mc = new_definition
  ('SUBC_u1_mc',
   "SUBC_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,subc,reg_file,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,T,F,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
let BAND_u1_mc = new_definition
  ('BAND_u1_mc',
   "BAND_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,band,reg_file,noreg)),
      ^(Set_PSW (pass, pass, pass, ld_nf, pass, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

let BOR_u1_mc = new_definition
  ('BOR_u1_mc',
   "BOR_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,bor,reg_file,noreg)),
      ^(Set_PSW (pass, pass, pass, ld_nf, pass, ld_zf)),

      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,F,F,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
let ADDCI_u1_mc = new_definition
  ('ADDCI_u1_mc',
   "ADDCI_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,addc,ir,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
let SUBI_u1_mc = new_definition
  ('SUBI_u1_mc',
   "SUBI_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,sub,ir,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),

let SUBCI_u1_mc = new_definition
  ('SUBCI_u1_mc',
   "SUBCI_u1_mc =
     (^(Oper(reg_file,nsh,reg_file,subc,ir,noreg)),
      ^(Set_PSW (pass, pass, ld_vf, ld_nf, ld_from_alu, ld_zf)),
      ^(ExtSig(off,off,no_mem_op)),

   (F,(T,T),(F,T,F,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,T,F,F,T,F

   (F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,T,F,F,T,T
% This list must contain the microinstructions that implement the
  behavior in the definition micro_inst_list defined in def_micro.ml. %
%----------------------------------------------------------------%
let micro_rom = new_definition
  ('micro_rom',
   "!n . micro_rom n =
     EL n
       [FETCH_mc; ISSUE_mc; DECODE_mc; NOOP_u1_mc; JMP_u1_mc; CALL_u1_mc;
        INT_u1_mc; RTI_u1_mc; GPSW_u1_mc; PPSW_u1_mc; LD_u1_mc; ST_u1_mc;
        LSL_u1_mc; LSR_u1_mc; ASR_u1_mc; RTN_u1_mc; NOOP_u1_mc; NOOP_u1_mc;
        LDI_u1_mc; STI_u1_mc; ADD_u1_mc; ADDC_u1_mc; SUB_u1_mc; SUBC_u1_mc;
        BAND_u1_mc; BOR_u1_mc; BXOR_u1_mc; BNOT_u1_mc; ADDI_u1_mc;
        ADDCI_u1_mc; SUBI_u1_mc; SUBCI_u1_mc; BANDI_u1_mc; BORI_u1_mc;
        BXORI_u1_mc; NOOP_u1_mc; CALL_u2_mc; CALL_u3_mc; CALL_u4_mc;
        INT_u2_mc; INT_u3_mc; INT_u4_mc; RTI_u2_mc; RTI_u3_mc; RTN_u2_mc;
        LD_u2_mc; ST_u2_mc; ST_u3_mc; STI_u2_mc; EINT_u1_mc; EINT_u2_mc;
        EINT_u3_mc; EINT_u4_mc; LD_u3_mc; NOOP_u1_mc; NOOP_u1_mc;
3.6.3 The Micro-Level Proof
This section presents the ML code that creates the theory micro.th.
%----------------------------------------------------------------%
  File:        mk_micro.ml
  Author:      (c) P. J. Windley 1990
  Date:        JUN 23, 1990
  Modified:
  Description:
    Proves the micro-level correct with respect to the phase-level
    using the generic interpreter proof, phase.th and micro_def.th.
%----------------------------------------------------------------%
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
                                  ]);;

   ['tuple/'; 'decimal/']));;
loadf 'abstract';;
system '/bin/rm micro.th';;
new_theory 'micro';;
loadf 'tuple';;
map new_parent ['gen_I'; 'micro_def'; 'phase'; 'uinst'];;
new_autoload_theory 'ucode_def';;
% From micro_def %
let load_micro_inst = (\x. theorem 'micro_def' x);;
: thm list
Run time: 2824.7s
let micro_inst_list = definition 'micro_def' 'micro_inst_list';;
let GetMPC = definition 'micro_def' 'GetMPC';;
let load_phase_inst = (\x. definition 'phase_def' x);;
let phases = map load_phase_inst
  ['phase_one_def'; 'phase_two_def'; 'phase_three_def'; 'phase_four_def'];;
let Phase_Substate = definition 'phase_def' 'Phase_Substate';;
let GetPhaseClock = definition 'phase_def' 'GetPhaseClock';;
let PhaseClockBegin = definition 'phase_def' 'PhaseClockBegin';;
let ALU_FUNC = definition 'phase_def' 'ALU_FUNC';;
let ALU_CARRY_FUNC = definition 'phase_def' 'ALU_CARRY_FUNC';;
let ALU_NEG_FUNC = definition 'phase_def' 'ALU_NEG_FUNC';;
let ALU_ZERO_FUNC = definition 'phase_def' 'ALU_ZERO_FUNC';;
let ALU_OVFL_FUNC = definition 'ph_def' 'ALU_OVFL_FUNC';;
let SHIFTER_FUNC = definition 'phase_def' 'SHIFTER_FUNC';;
let SHIFTER_CARRY_FUNC = definition 'phase_def' 'SHIFTER_CARRY_FUNC';;
let Phase_Int = theorem 'phase' 'Phase_Int';;
% Misc. stuff %
let Next = definition 'time_abs' 'Next';;
                    definition 'mpc_def' 'MPC_UNIT'));;
% The representation types %
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
let micro_state = ":((*wordn)list#*wordn#*wordn#*memory#
                     *wordn#*wordn#*wordn#*wordn#bt6)";;
let Phase_env = ":bool";;
% Define the micro level interpreter in terms of the generic
   interpreter definition. %
let Micro_Int_def = new_definition
  ('Micro_Int_def',
   "!(rep:^rep_ty) (s:time->^micro_state) (e:time->^micro_env) .
      Phase_Substate rep, I, Phase_Int rep,
      GetPhaseClock rep, PhaseClockBegin, (\x:one. F)) s e"
  );;
      (instantiate_abstract_definition 'gen_I' 'INTERP' Micro_Int_def)))
  );;
%
Micro_Int =
|- !rep s e.
    Micro_Int rep s e =
    (!t.
      s(t + 1) =
      SND
Intermediate theorems generated: 921
%
let Micro_Int_Inst_Correct_def = new_definition
  ('Micro_Int_Inst_Correct_def',
   "!(rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
      Phase_Substate rep, I, Phase_Int rep,
        (instantiate_abstract_definition
           'gen_I'
           'INST_CORRECT'
           Micro_Int_EXT))));;
%
Micro_Int_Inst_Correct =
|- !rep s e p.
    Micro_Int_Inst_Correct rep s e p =
    Phase_Int rep s e ==>
    (!t.
      (GetMPC(Phase_Substate rep(s t))(e t) = FST p) /\
      (GetPhaseClock rep(s t)(e t) = PhaseClockBegin) ==>
      (?c.
        Next
        (\t'. GetPhaseClock rep(s t')(e t') = PhaseClockBegin)
        (t,t + c) /\
        (SND p(Phase_Substate rep(s t))(e t) =
         Phase_Substate rep(s(t + c)))))
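The statement above is the instruction-correctness obligation of the generic interpreter theory in its temporal form. The following Python model is an added example and is not part of the report or of the HOL development: it shows the obligation as a check over a simulated trace. The three-phase toy machine, its register file, its constructed program and its deliberately broken variant are all invented for this illustration; only the shape of the check (select at a Begin time, the Next predicate picking out the following Begin time, abstraction of both states, comparison with the abstract semantics) follows the theorem. Python is used because the report's HOL88 ML cannot be executed here.

```python
"""Added example: the generic-interpreter instruction-correctness
obligation (Micro_Int_Inst_Correct) checked on a simulated trace.
Whenever the clock is at Begin at time t, there must be a c such that the
clock is away from Begin on (t, t+c) (the report's Next predicate) and
spec(abstract(s t)) = abstract(s(t+c)).  The toy machine is constructed."""
from typing import Callable, List, Optional, Tuple

BEGIN = 0   # PhaseClockBegin of the toy machine: phase 0 starts an instruction

LowState = Tuple[Tuple[int, ...], int, int, int, int]   # (regs, pc, alatch, blatch, clk)
AbsState = Tuple[Tuple[int, ...], int]                  # (regs, pc)

PROGRAM = [(2, 0, 1), (0, 2, 1), (1, 0, 0)]   # constructed: ADD dest, srca, srcb


def low_step(st: LowState, buggy: bool = False) -> LowState:
    """One clock tick of a three-phase implementation of ADD d a b."""
    regs, pc, al, bl, clk = st
    d, a, b = PROGRAM[pc % len(PROGRAM)]
    if clk == 0:                      # phase one: latch operand A
        return (regs, pc, regs[a], bl, 1)
    if clk == 1:                      # phase two: latch operand B
        # the buggy implementation latches A again (a wiring mistake)
        return (regs, pc, al, regs[a] if buggy else regs[b], 2)
    new = list(regs)                  # phase three: ALU and write-back
    new[d] = (al + bl) & 0xFF
    return (tuple(new), pc + 1, al, bl, BEGIN)


def low_trace(ticks: int, buggy: bool = False) -> List[LowState]:
    """s : time -> state, represented as a list indexed by t."""
    st: LowState = ((3, 5, 0), 0, 0, 0, BEGIN)
    trace = [st]
    for _ in range(ticks):
        st = low_step(st, buggy)
        trace.append(st)
    return trace


def abstract(st: LowState) -> AbsState:
    """Phase_Substate: forget the latches and the clock."""
    regs, pc, _al, _bl, _clk = st
    return (regs, pc)


def clock(st: LowState) -> int:
    """GetPhaseClock."""
    return st[4]


def spec_add(abs_st: AbsState) -> AbsState:
    """SND p for the ADD instruction at the upper level."""
    regs, pc = abs_st
    d, a, b = PROGRAM[pc % len(PROGRAM)]
    new = list(regs)
    new[d] = (regs[a] + regs[b]) & 0xFF
    return (tuple(new), pc + 1)


def next_begin(trace: List[LowState], t: int) -> Optional[int]:
    """Least c > 0 with clock(s(t+c)) = BEGIN and the clock away from
    BEGIN on (t, t+c); None if the trace ends first."""
    c = 1
    while t + c < len(trace):
        if clock(trace[t + c]) == BEGIN:
            return c
        c += 1
    return None


def inst_correct(trace: List[LowState],
                 spec: Callable[[AbsState], AbsState]):
    """Check the obligation at every t with the clock at BEGIN.  Returns
    (True, None) or (False, t) for the first failing instruction start."""
    for t in range(len(trace)):
        if clock(trace[t]) != BEGIN:
            continue
        c = next_begin(trace, t)
        if c is None:
            break                     # last instruction is incomplete
        if spec(abstract(trace[t])) != abstract(trace[t + c]):
            return False, t
    return True, None


if __name__ == "__main__":
    print(inst_correct(low_trace(30), spec_add))               # (True, None)
    print(inst_correct(low_trace(30, buggy=True), spec_add))   # (False, 0)
```

The check only examines times at which the clock is at Begin, exactly as the hypothesis of the theorem restricts it; the phase-level states in between are not compared with anything, which is what lets the abstraction discard the latches and the clock.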
map (delete_cache o fst) (cached_theories());;
% Some ML functions for the inference rules that follow. %
let last l = (el (length l) l);;
letrec term_list_el n l = (
  let tm_hd x = rand(fst(dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
  term_list_el (n-1) (tm_tl l)) ?
  failwith 'term_list_el';;
% This is insecure for right now.  If anyone is seriously concerned
   that this isn't right, I'll do it over. %
let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([],"^tm = ^(term_list_el n_int l)")) ?
  failwith 'EL_CONV';;
% Some other nice conversions %
let is_SND_term t =
  if is_comb t then
    fst(dest_const(fst(strip_comb t))) = 'SND'
  else
    false;;
% SND_CONV "SND (x,y)" --> |- SND (x,y) = y %
let SND_CONV t =
  if is_SND_term t then
    let op,pr = dest_comb t in
    let op,[t1;t2] = strip_comb pr in
    SPECL [t1;t2] (
      INST_TYPE [((type_of t1),":*");
                 ((type_of t2),":**")] SND)
  else
    failwith 'SND_CONV';;
% ADD_ASSOC_CONV "a+(b+c)" --> |- a+(b+c) = (a+b)+c %
let ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t2
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL [t1;t3;t4] ADD_ASSOC
  else fail;;
% INV_ADD_ASSOC_CONV "(a+b)+c" --> |- (a+b)+c = a+(b+c) %
let INV_ADD_ASSOC = (GEN_ALL o SYM o SPEC_ALL) ADD_ASSOC;;
let INV_ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t1
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL [t3;t4;t2] INV_ADD_ASSOC
  else fail;;
% inv_num_CONV "(SUC 2)" --> |- SUC 2 = 3 %
let inv_num_CONV n = (
  let x,y = dest_comb n in
  let y_suc = int_to_term ((term_to_int y) + 1) in
  if not(x = "SUC") then fail else
  SYM_RULE (num_CONV y_suc))
  ? failwith 'inv_num_CONV';;
     (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
      blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
    (\t. (int_e t)) ==>
   (!t.
     (clk t = F,F) ==>
     (reg(t + 1),psw(t + 1),pc(t + 1),mem(t + 1),ivec(t + 1),ir(t + 1),
      mar(t + 1),mbr(t + 1),mpc(t + 1),alatch(t + 1),blatch(t + 1),
      ireq_ff(t + 1),iack_ff(t + 1),mir(t + 1),urom,clk(t + 1) =
      (let new_mir = urom(bt6_val(mpc t))
       and new_clk = F,T
       in
       reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,

   "(\t. (reg t,psw t,pc t,mem t,
         ivec t,ir t,mar t,mbr t,mpc t,
         alatch t, blatch t, ireq_ff t, iack_ff t,
         mir t, urom, clk t)) :time->^Phase_state";
   "(\t. (int_e t)) :time->^Phase_env"] Phase_Int));;
let MK_Phase_Int_Inst_LEMMA inst =
  let tp = mk_n_tuple_from_int 2 inst in

    "reg t :(*wordn)list";
    "mem t :*memory";
    "psw t :*wordn";
    "pc t :*wordn";
    "ivec t :*wordn";
    "ir t :*wordn";
    "mar t :*wordn";
    "mbr t :*wordn";

    "ireq_ff t :bool";
    "iack_ff t :bool";
    "int_e t :bool"] (el (inst+1) phases)] (
  CONV_RULE (DEPTH_CONV SND_CONV) (
  CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
  SUBS [bt2_val_CONV "bt2_val ^tp"] (
      (\t. (reg t,psw t,pc t,mem t,
            ivec t,ir t,mar t,mbr t,mpc t,
            alatch t, blatch t, ireq_ff t, iack_ff t,
            mir t, urom, clk t))
      (\t. (int_e t))"))))))))));;
let mk_num_list n =
  letrec mk_num_list_aux n m =
    if n = m then [n] else
    (n . (mk_num_list_aux (n+1) m)) in
  mk_num_list_aux 0 n;;

    "(\t. (reg t,psw t,pc t,mem t,
          ivec t,ir t,mar t,mbr t,mpc t,
          alatch t, blatch t, ireq_ff t, iack_ff t,
          mir t, micro_rom, clk t)):time->^Phase_state";
    "(\t. (int_e t)) :time->^Phase_env"]
   Micro_Int_Inst_Correct));;
let BEGIN_ADDR = "F,F";;
% Create a goal for instruction n %
let MK_INST_CORRECT_GOAL n =
  let inst = term_list_el n
    (snd(dest_eq(
      snd(dest_forall(concl micro_inst_list))))) in
  "!(rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
    (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
    (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode) (mir:time->ucode)
    (ireq_ff iack_ff int_e:time->bool).
   (!p. mk_psw rep
          (get_sn rep p,get_ie rep p,get_vf rep p,
           get_nf rep p,get_cf rep p,get_zf rep p) = p) ==>
   Micro_Int_Inst_Correct rep
     (\t. (reg t,psw t,pc t,mem t,
           ivec t,ir t,mar t,mbr t,mpc t,
           alatch t, blatch t, ireq_ff t, iack_ff t,
           mir t, micro_rom, clk t))
     (\t. (int_e t)) ^inst";;
let phase_one_expanded =
  EXPAND_LET_RULE (el 1 Phase_Int_Inst_list);;
let phase_two_expanded =
  EXPAND_LET_RULE (el 2 Phase_Int_Inst_list);;
let phase_three_expanded =
  EXPAND_LET_RULE (el 3 Phase_Int_Inst_list);;
let RANGE_LEMMA = TAC_PROOF
  (([],
    "!t1 t2 (clk:time->bt2) x .
      (!t'. t1 < t' /\ t' < t2 ==> ~(clk t' = x)) /\
      ~(clk t2 = x) ==>
      (!t'. t1 < t' /\ t' < (t2 + 1) ==> ~(clk t' = x))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC (
     SPEC "t':time" (el 6 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1;LESS_THM] (el 3 asl)))
   THENL [
     ASSUM_LIST (\asl. ASSUME_TAC (
         PURE_ONCE_REWRITE_RULE [DISJ_SYM] LESS_THM) in
     PURE_ONCE_REWRITE_RULE [ADD1] (
     PURE_ONCE_REWRITE_RULE [LESS_EQ_SUC] (
     PURE_ONCE_REWRITE_RULE [LESS_OR_EQ] LESS_EQ_ANTISYM)));;
% Specialize the selectors on the ucode for a particular uinst. %
let SPEC_SELECTOR x thm =
  let inst = snd(dest_eq x) in
  let (oper,(psw,(sig,mpc))) = (I # (I # dest_pair)) (
                                (I # dest_pair) (
                                (dest_pair inst))) in
  let (amx,sh,alu,mb,ma,pc,tg,sa,sb) =
    (I # (I # (I # (I # (I # (I # (I # dest_pair))))))) (
    (I # (I # (I # (I # (I # (I # dest_pair)))))) (
    (I # (I # (I # (I # (I # dest_pair))))) (
    (I # (I # (I # (I # dest_pair)))) (
    (I # (I # (I # dest_pair))) (
    (I # (I # dest_pair)) (
    (I # dest_pair) (
    (dest_pair oper)))))))) in
  let (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal) =
    (I # (I # (I # (I # (I # (I # (I # dest_pair))))))) (
    (I # (I # (I # (I # (I # (I # dest_pair)))))) (
    (I # (I # (I # (I # (I # dest_pair))))) (
    (I # (I # (I # (I # dest_pair)))) (
    (I # (I # (I # dest_pair))) (
    (I # (I # dest_pair)) (
    (I # dest_pair) (
    (dest_pair psw)))))))) in
  let (ia,f,r,w) =
    (I # (I # dest_pair)) (
    (I # dest_pair) (
    (dest_pair sig))) in
  let (jc,ad) = dest_pair mpc in
  SPECL [amx;sh;alu;ma;mb;pc;r;w;ia;f;
         ssm;csm;sie;cie;lcf;lvf;lnf;lzf;lal;
         tg;sa;sb;jc;ad] thm;;
let SPEC_ALL_SELECTORS x =
  map (SPEC_SELECTOR x)
      [Amux;Shift;Alu;Mbr;Mar;Pmux;Trst;SrcA;SrcB;
       S_sm;C_sm;S_ie;C_ie;Ld_c;Ld_v;Ld_n;Ld_z;
       Csrc;Iack;Ftch;Rd;Wr;Cond;Address];;
map (delete_cache o fst) (cached_theories());;
% Prove the instruction correctness lemma for instruction n %
let INST_CORRECT_TAC n =
  let inst = term_list_el n
    (snd(dest_eq(
      snd(dest_forall(concl micro_inst_list))))) in
  let thm = el (n+1) instructions in
  let find_Phase_Int_term tm = (
    let ((x,y),z) = ((dest_comb # I) o dest_comb) tm in
    (x = "Phase_Int (rep:^rep_ty)")) ? false in (
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SPEC inst Micro_Inst_Correct_LEMMA]
  THEN ASM_REWRITE_TAC [thm]
  THEN REPEAT STRIP_TAC
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
    REWRITE_RULE [PAIR_EQ] (
    SUBS [CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
          SPEC (int_to_term n) micro_rom_expanded)] (
    CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
    SUBS [el 2 x] (
    (\y. MP y (el 1 x)) (
    SPEC "t:time" (
    MATCH_MP phase_one_expanded
      (hd (filter (find_Phase_Int_term o concl) x))))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
    REWRITE_RULE [PAIR_EQ] (
    SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
    SUBS [el 2 x] (
    (\y. MP y (el 1 x)) (
    SPEC "t+1" (
    MATCH_MP phase_two_expanded
      (hd (filter (find_Phase_Int_term o concl) x))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
    REWRITE_RULE [PAIR_EQ] (
    SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
    SUBS [el 2 x] (
    (\y. MP y (el 1 x)) (
    SPEC "(t+1)+1" (
    MATCH_MP phase_three_expanded
      (hd (filter (find_Phase_Int_term o concl) x))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
    REWRITE_RULE [PAIR_EQ;
                  ALU_FUNC;ALU_CARRY_FUNC;ALU_OVFL_FUNC;
                  ALU_NEG_FUNC;ALU_ZERO_FUNC;SHIFTER_FUNC;
                  SHIFTER_CARRY_FUNC] (
    SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
    SUBS [el 2 x] (
    (\y. MP y (el 1 x)) (
    SPEC "((t+1)+1)+1" (
    MATCH_MP (el 4 Phase_Int_Inst_list)
      (hd (filter (find_Phase_Int_term o concl) x))))))))))))
  FIRST [ % 1 %
    GEN_TAC
    THEN SPEC_TAC ("t':time","t':time")
    THEN PURE_ONCE_REWRITE_TAC [ADD1]
    THEN CONV_TAC (TOP_DEPTH_CONV ADD_ASSOC_CONV)
    THEN REPEAT (
      ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
      THEN CONJ_TAC
      THEN ONCE_REWRITE_TAC [LESS_SQUEEZE_LEMMA])
    THEN ASM_REWRITE_TAC [PAIR_EQ]
    ;
    PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]

        SPECL ["n:num";"SUC n"] LESS_ADD_NONZERO))]
    ;
    ALL_TAC
  ]);;
% Save lemmas for recovery in the event of a crash. %
let SAVE_INST_LEMMA n =
  let name = (concat 'INST_' (string_of_int n)) in
  save_thm(name,PROVE_INST_CORRECT_LEMMA n);;
map (delete_cache o fst) (cached_theories());;
letrec mk_num_list n m =
  if n = m then [n] else
  (n . (mk_num_list (n+1) m));;
let inst_lemma_list =
  (map SAVE_INST_LEMMA (mk_num_list 0 15));;
map (delete_cache o fst) (cached_theories());;
let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 16 31));;
map (delete_cache o fst) (cached_theories());;
let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 32 47));;
map (delete_cache o fst) (cached_theories());;
let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 48 63));;
map (delete_cache o fst) (cached_theories());;
    (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
    (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode) (mir:time->ucode)
    (ireq_ff iack_ff int_e:time->bool).
   (!p. mk_psw rep
          (get_sn rep p,get_ie rep p,get_vf rep p,
           get_nf rep p,get_cf rep p,get_zf rep p) = p) ==>
   EVERY (Micro_Int_Inst_Correct rep
     (\t. (reg t,psw t,pc t,mem t,
           ivec t,ir t,mar t,mbr t,mpc t,
           alatch t, blatch t, ireq_ff t, iack_ff t,
           mir t, micro_rom, clk t))
     (\t. (int_e t))) (micro_inst_list rep)"),
   REWRITE_TAC [EVERY_DEF;micro_inst_list]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\asl. MP_TAC asl)
   THENL (map MATCH_ACCEPT_TAC inst_lemma_list)
  );;
      Micro_Int_CORRECT_LEMMA_AUX)));;
save_thm('Micro_Int_CORRECT_LEMMA',Micro_Int_CORRECT_LEMMA);;
% The second obligation of the abstract interpreter theory %
let Micro_Int_LENGTH_LEMMA = TAC_PROOF
  (([],
    "!mpc. bt6_val mpc < (LENGTH (micro_inst_list (rep:^rep_ty)))"),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [micro_inst_list;LENGTH]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt6" SIX_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (DEPTH_CONV bt6_val_CONV)
   THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0;LESS_MONO_EQ]
  );;
save_thm('Micro_Int_LENGTH_LEMMA',Micro_Int_LENGTH_LEMMA);;
map (delete_cache o fst) (cached_theories());;
% The third obligation of the abstract interpreter theory %
let Micro_Int_ORDER_LEMMA = TAC_PROOF
  (([],
    "!mpc:bt6 . mpc = (FST (EL (bt6_val mpc)
                              (micro_inst_list (rep:^rep_ty))))"),
   REPEAT GEN_TAC
   THEN SUBST_TAC [SPEC "rep:^rep_ty" micro_inst_list]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt6" SIX_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (ONCE_DEPTH_CONV bt6_val_CONV)
   THEN CONV_TAC (ONCE_DEPTH_CONV EL_CONV)
   THEN REWRITE_TAC []
  );;
save_thm('Micro_Int_ORDER_LEMMA',Micro_Int_ORDER_LEMMA);;
      (GetPhaseClock rep) : ^phase_state->^phase_env->bt2,
      PhaseClockBegin: bt2, (\x:one. F)");
     ("e':time->^env'",
      "(\t:time. (int_e t):bool)");
     ("s':time->^state'",
      "(\t. (reg t,psw t,pc t,mem t,
            ivec t,ir t,mar t,mbr t,mpc t,
            alatch t, blatch t, ireq_ff t, iack_ff t,
            mir t, micro_rom, clk t)):time->^phase_state")
    ]
    'MICRO';;
This section presents the theories that define the macro-level interpreter. Also presented is the theory
3.7.1 The Macro-Level Interpreter
This section presents the ML code that creates the theory macro_def.th.
% def_macro.ml
   (c) P. J. Windley 1989
   24 OCT 89
   03 APR 90
   Defines the behavioral description of the macro interpreter
   level
%
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
]);;
                                  ['numbers/'; 'decimal/'; 'asset/'; 'tuple/']));;
loadf 'abstract';;
system '/bin/rm macro_def.th';;
new_theory 'macro_def';;
map new_parent ['aux_def'; 'tuple'; 'aux_thms';
                'regs_def'; 'jump_def'];;
let rep_ty = abstract_type 'aux_def' 'opcode';;
% The instruction formats are given below:

   Format 1:
    31       26     20      16      10                 0
    +--------+------+-------+-------+------------------+
    | opcode | dest |   A   |   B   |      unused      |
    +--------+------+-------+-------+------------------+

   Format 2:
    31       25     20      16                         0
    +--------+------+-------+--------------------------+
    | opcode | dest |   A   |           imm            |
    +--------+------+-------+--------------------------+

   The following functions select fields from the instructions.
%
let GetSrcA = new_definition
  ('GetSrcA',
   "!(rep:^rep_ty) mem reg .
     GetSrcA rep reg mem =
       reg_len rep (srca rep (fetch rep (mem, address rep reg)))"
  );;
let GetSrcB = new_definition
  ('GetSrcB',
   "!(rep:^rep_ty) mem reg .
     GetSrcB rep reg mem =
       reg_len rep (srcb rep (fetch rep (mem, address rep reg)))"
  );;
let GetImm = new_definition
  ('GetImm',
   "!(rep:^rep_ty) mem reg .
     GetImm rep reg mem =
       (imm rep (fetch rep (mem, address rep reg)))"
  );;
let GetDest = new_definition
  ('GetDest',
   "!(rep:^rep_ty) mem reg .
     GetDest rep reg mem =
let ADD = new_definition
  ('ADD',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADD rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = add rep (a, b) in
       let cflag = addp rep (a, b, result) and
           vflag = aovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let ADDC = new_definition
  ('ADDC',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDC rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = addc rep (a, b, get_cf rep psw) in
       let cflag = addcp rep (a, b, result) and
           vflag = aovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let SUB = new_definition
  ('SUB',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUB rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = sub rep (a, b) in
       let cflag = subp rep (a, b, result) and
           vflag = sovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let SUBC = new_definition
  ('SUBC',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBC rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = subc rep (a, b, get_cf rep psw) in
       let cflag = subp rep (a, b, result) and
           vflag = sovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let ADDI = new_definition
  ('ADDI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = add rep (a, i) in
       let cflag = addp rep (a, i, result) and
           vflag = aovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let ADDCI = new_definition
  ('ADDCI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDCI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = addc rep (a, i, get_cf rep psw) in
       let cflag = addcp rep (a, i, result) and
           vflag = aovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let SUBI = new_definition
  ('SUBI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = sub rep (a, i) in
       let cflag = subp rep (a, i, result) and
           vflag = sovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let SUBCI = new_definition
  ('SUBCI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBCI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = subc rep (a, i, get_cf rep psw) in
       let cflag = subp rep (a, i, result) and
           vflag = sovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

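The arithmetic definitions above all follow one pattern: fetch the operands named by the current instruction, compute the result with an operation of the representation type, derive the condition flags with the corresponding predicates, carry sn and ie over from the old psw, and write the result back through UPDATE_REG. The Python model below is an added example and is not part of the report. It fixes one concrete interpretation of the abstract operations (add, addc, sub, subc) and predicates (addp, addcp, subp, aovfl, sovfl, negp, zerop) for an n-bit two's-complement word; that interpretation, the word width, reading the carry flag as a borrow for subc, and advancing pc by one are all assumptions of the example, and operand fetch through GetSrcA, GetSrcB, GetImm and GetDest is replaced by explicit arguments. The flag tuple (sn, ie, vf, nf, cf, zf) follows the report's mk_psw; how the bits are packed into a word is not modelled.

```python
"""Added example: a concrete model of the AVM-1 macro-level arithmetic
instructions ADD, ADDC, SUB, SUBC, ADDI, ADDCI, SUBI and SUBCI.  The
report leaves the word operations and flag predicates abstract; the
interpretation chosen here is an assumption of this example."""
from dataclasses import dataclass
from typing import List, Tuple

WIDTH = 8                                 # n of *wordn (assumed)
MASK = (1 << WIDTH) - 1


def to_word(x: int) -> int:
    return x & MASK


def msb(x: int) -> int:
    return (x >> (WIDTH - 1)) & 1


@dataclass(frozen=True)
class PSW:
    sn: bool   # carried unchanged by the ALU instructions (get_sn rep psw)
    ie: bool   # carried unchanged by the ALU instructions (get_ie rep psw)
    vf: bool
    nf: bool
    cf: bool
    zf: bool


def add_word(a: int, b: int, carry_in: int = 0) -> Tuple[int, bool, bool]:
    """add/addc with addp/addcp read as carry out and aovfl as signed
    overflow (both operands have the same sign, the result the other)."""
    full = a + b + carry_in
    result = to_word(full)
    cflag = (full >> WIDTH) != 0
    vflag = msb(a) == msb(b) and msb(result) != msb(a)
    return result, cflag, vflag


def sub_word(a: int, b: int, borrow_in: int = 0) -> Tuple[int, bool, bool]:
    """sub/subc with subp read as borrow out and sovfl as signed overflow.
    subc receives get_cf rep psw; this model treats that carry as a
    borrow-in (assumption)."""
    full = a - b - borrow_in
    result = to_word(full)
    cflag = full < 0
    vflag = msb(a) != msb(b) and msb(result) != msb(a)
    return result, cflag, vflag


ARITH_OPS = {"ADD", "ADDC", "SUB", "SUBC", "ADDI", "ADDCI", "SUBI", "SUBCI"}


def alu_step(op: str, reg: List[int], psw: PSW, pc: int,
             srca: int, srcb_or_imm: int, dest: int):
    """One macro-level arithmetic instruction; returns (reg', psw', pc').

    Mirrors the HOL pattern
        a = EL (GetSrcA rep pc mem) reg,  b = EL (GetSrcB ...) reg
        or i = GetImm rep pc mem,         d = GetDest rep pc mem,
        result = <op>, flags as in the definition,
        (UPDATE_REG rep psw d reg result, mk_psw rep (sn,ie,vf,nf,cf,zf), ...)
    with pc advanced by one word (an assumption of this model)."""
    if op not in ARITH_OPS:
        raise ValueError(op)
    a = reg[srca]
    b = to_word(srcb_or_imm) if op.endswith("I") else reg[srcb_or_imm]
    carry_in = int(psw.cf) if op in ("ADDC", "ADDCI", "SUBC", "SUBCI") else 0
    if op.startswith("ADD"):
        result, cf, vf = add_word(a, b, carry_in)
    else:
        result, cf, vf = sub_word(a, b, carry_in)
    new_reg = list(reg)
    new_reg[dest] = result                    # UPDATE_REG rep psw d reg result
    new_psw = PSW(psw.sn, psw.ie, vf, msb(result) == 1, cf, result == 0)
    return new_reg, new_psw, to_word(pc + 1)
```

The two overflow tests are the usual two's-complement rules, which is why ADD of 0x7F and 0x01 sets vf but not cf while ADD of 0xFF and 0x01 does the opposite; a reader instantiating the report's rep type for a real word width has to supply exactly these predicates, and the micro-level proof holds only for an instantiation in which the ALU_OVFL_FUNC and ALU_CARRY_FUNC of the phase level agree with them.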
let LSL = new_definition
  ('LSL',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LSL rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = shl rep a in
       let cflag = lsb rep a and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let LSR = new_definition
  ('LSR',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LSR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = shr rep a in
       let cflag = lsb rep a and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let ASR = new_definition
  ('ASR',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ASR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = asr rep a in
       let cflag = lsb rep a and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let BAND = new_definition
  ('BAND',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BAND rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = band rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let BOR = new_definition
  ('BOR',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BOR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bor rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let BXOR = new_definition
  ('BXOR',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BXOR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bxor rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let BNOT = new_definition
  ('BNOT',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BNOT rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bnot rep a in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let BANDI = new_definition
  ('BANDI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BANDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = band rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let BORI = new_definition
  ('BORI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BORI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = bor rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

let BXORI = new_definition
  ('BXORI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BXORI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = bxor rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sn = get_sn rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,

  );;
let LD = new_definition
  ('LD',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LD rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = fetch rep (mem, address rep (add rep (a, b))) in

let ST = new_definition
  ('ST',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ST rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = EL (GetDest rep pc mem) reg in

        store rep (mem, new_address, d),
        ivec)"
  );;
% Immediate Load and Store: %
let LDI = new_definition
  ('LDI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = fetch rep (mem, address rep (add rep (a, i))) in

let STI = new_definition
  ('STI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     STI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = EL (GetDest rep pc mem) reg in

        store rep (mem, new_address, d),
        ivec)"
  );;
% Jump %
let JMP = new_definition
  ('JMP',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     JMP rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let jump_cond = JUMP_COND rep d psw in
       (reg,
        psw,

let CALL = new_definition
  ('CALL',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     CALL rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem and
           cd = (EL (GetDest rep pc mem) reg) in
       (UPDATE_REG rep psw d reg (inc rep cd),
        psw,
        add rep (a, i),
        store rep (mem, address rep cd, inc rep pc),
        ivec)"
  );;
let RTN = new_definition
  ('RTN',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     RTN rep (reg, psw, pc, mem, ivec) =
       let cd = EL (GetDest rep pc mem) reg and
           d = GetDest rep pc mem in
       (UPDATE_REG rep psw d reg (dec rep cd),
        psw,

let INT = new_definition
  ('INT',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     INT rep (reg, psw, pc, mem, ivec) =
       let i = GetImm rep pc mem in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = T and
           ie = F in
       let new_psw = mk_psw rep (sn, ie, vflag, nflag, cflag, zflag) in
       (UPDATE_REG rep new_psw ssp_reg reg (inc rep (SSP_REG reg)),
        new_psw,
        band rep (wordn rep 255, i),
        store rep (mem, address rep (SSP_REG reg), inc rep pc),
        ivec)"
  );;
let RTI = new_definition
  ('RTI',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     RTI rep (reg, psw, pc, mem, ivec) =
       let cd = SSP_REG reg in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = F and
           ie = T in
       (UPDATE_REG rep psw ssp_reg reg (dec rep cd),
        mk_psw rep (sn, ie, vflag, nflag, cflag, zflag),

% Get and put program status word
   For future reference, it would be nice to store the psw banded
   with imm. %
let GPSW = new_definition
  ('GPSW',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     GPSW rep (reg, psw, pc, mem, ivec) =
       let d = GetDest rep pc mem in

let PPSW = new_definition
  ('PPSW',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     PPSW rep (reg, psw, pc, mem, ivec) =
       let d = EL (GetDest rep pc mem) reg in
       let sn = get_sn rep psw in
       (reg,

let NOOP = new_definition
  ('NOOP',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .

% Pseudoinstruction for external interrupt %
let EINT = new_definition
  ('EINT',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     EINT rep (reg, psw, pc, mem, ivec) =
       let cd = SSP_REG reg and
           d = ssp_reg in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sn = T and
           ie = F in
       let new_psw = mk_psw rep (sn, ie, vflag, nflag, cflag, zflag) in
       (UPDATE_REG rep new_psw d reg (inc rep cd),
        new_psw,
        band rep (wordn rep 255, int_fetch rep ivec),

let macro_state = ":((*wordn)list#*wordn#*wordn#*memory#*wordn)";;
let macro_env = ":bool";;
% ABS_ENV takes a function of type (macro_state -> macro_state)
   and creates a function of type (macro_state -> macro_env -> macro_state).
   The purpose of this function is to make the functions defining the
   instructions have the right type for use in the instruction list. %
let ABS_ENV = new_definition
  ('ABS_ENV',
   "!(f:^macro_state->^macro_state) (x:^macro_state) (y:^macro_env) .
     ABS_ENV f x y = f x"
  );;
% The macro_inst_list will be used to instantiate inst_list in
   mk_macro.ml. %
    (INL(T,T,F,T,T),ABS_ENV (SUBCI rep));
    (INL(T,T,T,F,F),ABS_ENV (BANDI rep));
    (INL(T,T,T,F,T),ABS_ENV (BORI rep));
    (INL(T,T,T,T,F),ABS_ENV (BXORI rep));
    (INL(T,T,T,T,T),ABS_ENV (NOOP rep));
    (INR(one),ABS_ENV (EINT rep));
   ]"
  );;
% Opcode will be used to instantiate select in mk_macro.ml. %
let Opcode = new_definition
  ('Opcode',
   "!(rep:^rep_ty) reg mem (psw pc ivec:*wordn)
     (int_e:bool).
     Opcode rep (reg, psw, pc, mem, ivec) (int_e) =
       (int_e /\ (get_ie rep psw)) =>
         INR(one) |
         INL(SND (opcode rep (fetch rep (mem, address rep pc))))"
  );;
% Opc_Val will be used to instantiate key in mk_macro.ml. %
let Opc_Val = new_definition
  ('Opc_Val',
   "!x .
     Opc_Val (x:((bool#bool#bool#bool#bool) + one)) =
       (ISL x) => (bt5_val (OUTL x))
                | 32"    % there's only one pseudo instruction %
  );;
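Opcode and Opc_Val are the select and key functions of the generic interpreter at the macro level: select yields INR(one) when an external interrupt is pending and enabled, otherwise INL of the five-bit opcode of the fetched word, and key maps INL x to bt5_val x and INR to 32, the index of the single pseudo-instruction EINT. The Python model below is an added example, not part of the report: it executes that dispatch and checks the two structural obligations that the generic interpreter theory places on an instruction table, the same LENGTH and ORDER obligations that section 3.6.3 discharges for the micro level in HOL. The mnemonics at positions 0..26 of the table are an assumption of this example, taken from the order of the micro_rom listing; positions 27..32 are the visible tail of macro_inst_list. Python is used because the report's HOL88 ML cannot be executed here.

```python
"""Added example: the macro level's select (Opcode) and key (Opc_Val),
a dispatch through the instruction table, and the LENGTH and ORDER
obligations of the generic interpreter theory checked on that table."""
from typing import List, NamedTuple, Tuple, Union


class INL(NamedTuple):            # left injection: a bt5 opcode
    bits: Tuple[bool, bool, bool, bool, bool]


class INR(NamedTuple):            # right injection: the value `one`
    one: str = "one"


Key = Union[INL, INR]


def bt5_val(bits) -> int:
    """bt5_val: (T,T,F,T,T) -> 27, most significant bit first."""
    v = 0
    for b in bits:
        v = (v << 1) | int(bool(b))
    return v


def bt5(n: int):
    """Inverse of bt5_val, used to build the table."""
    return tuple(bool((n >> i) & 1) for i in range(4, -1, -1))


MNEMONICS = [
    "JMP", "CALL", "INT", "RTI", "GPSW", "PPSW", "LD", "ST",      # 0..7   (assumed order)
    "LSL", "LSR", "ASR", "RTN", "NOOP", "NOOP", "LDI", "STI",     # 8..15  (assumed order)
    "ADD", "ADDC", "SUB", "SUBC", "BAND", "BOR", "BXOR", "BNOT",  # 16..23 (assumed order)
    "ADDI", "ADDCI", "SUBI",                                      # 24..26 (assumed order)
    "SUBCI", "BANDI", "BORI", "BXORI", "NOOP",                    # 27..31 from the report
]

# macro_inst_list: (key, handler) pairs; a mnemonic stands in for
# ABS_ENV (<instruction> rep)
macro_inst_list: List[Tuple[Key, str]] = (
    [(INL(bt5(n)), m) for n, m in enumerate(MNEMONICS)] + [(INR(), "EINT")]
)


def Opcode(fetched_opcode, int_e: bool, psw_ie: bool) -> Key:
    """select: an enabled external interrupt preempts the fetched opcode."""
    if int_e and psw_ie:
        return INR()
    return INL(tuple(fetched_opcode))


def Opc_Val(x: Key) -> int:
    """key: INL x -> bt5_val x ; INR one -> 32."""
    return bt5_val(x.bits) if isinstance(x, INL) else 32


def length_obligation(table) -> bool:
    """Every key that select can produce indexes inside the table."""
    keys = [INL(bt5(n)) for n in range(32)] + [INR()]
    return all(Opc_Val(k) < len(table) for k in keys)


def order_obligation(table) -> bool:
    """The entry found at position key(k) is the one tagged with k:
    k = FST (EL (Opc_Val k) table) for every table entry."""
    return all(Opc_Val(entry[0]) == i for i, entry in enumerate(table))


def dispatch(table, fetched_opcode, int_e: bool, psw_ie: bool) -> str:
    """EL (key (select state env)) table, as the generic interpreter does."""
    return table[Opc_Val(Opcode(fetched_opcode, int_e, psw_ie))][1]
```

The interrupt case shows why select takes the environment as well as the state: with int_e true and ie set, the fetched opcode is ignored and the EINT pseudo-instruction at index 32 runs; with ie clear the same opcode dispatches normally. Dropping the last entry of the table makes the length obligation fail for exactly the INR key, and swapping any two entries breaks the order obligation, which is what the HOL lemmas rule out for the real table.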
let Micro_Substate = new_definition
  ('Micro_Substate',
   "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
     (psw pc ivec ir mar mbr:*wordn) (mpc:bt6) .
     Micro_Substate rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc) =
       (reg, psw, pc, mem, ivec)"
  );;

3.7.2 The Macro-Level Proof
This section presents the ML code that creates the theory macro.th.
% File: mk_macro.ml
   Author: (c) P. J. Windley 1990
   Date: JUN 23, 1990
   Modified:
   Description:
     Proves the macro-level correct with respect to the micro-level
     using the generic interpreter theory, micro.th, and macro_def.th.
%
set_search_path (search_path() @ ['/muztag/home/windley/hol/tactics/';
                                  '/muztag/home/windley/hol/ml/';
]);;
                                  ['tuple/'; 'decimal/']));;
loadf 'abstract';;
system '/bin/rm macro.th';;
new_theory 'macro';;
map new_parent ['macro_def'; 'gen_I'];;
map loadf ['tuple'; 'digit'; 'decimal'];;
% Load stuff from macro_def %
let load_macro_inst = (\x. definition 'macro_def' x);;
let GetSrcA = definition 'macro_def' 'GetSrcA';;
let GetSrcB = definition 'macro_def' 'GetSrcB';;
let GetImm = definition 'macro_def' 'GetImm';;
let GetDest = definition 'macro_def' 'GetDest';;
let ABS_ENV = definition 'macro_def' 'ABS_ENV';;
let Opcode = definition 'macro_def' 'Opcode';;
let Opc_Val = definition 'macro_def' 'Opc_Val';;
let Micro_Substate = definition 'macro_def' 'Micro_Substate';;
let macro_inst_list = definition 'macro_def' 'macro_inst_list';;
% Load stuff from micro_def. %
new_parent 'micro';;
let load_micro_inst = (\x. theorem 'micro_def' x);;
: thm list
Run time: 2824.7s
let micro_inst_list = definition 'micro_def' 'micro_inst_list';;
let GetMPC = definition 'micro_def' 'GetMPC';;
% Other misc. loads. %
let Micro_Int = theorem 'micro' 'Micro_Int';;
let Next = definition 'time_abs' 'Next';;
let add_bt6 = definition 'aux_thms' 'add_bt6';;
let OFFSET_NOT_BEGINNING = theorem 'aux_thms' 'OFFSET_NOT_BEGINNING';;
% Load abstract type definitions. %
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
% Define type terms for the state and env. %
let macro_state = ":((*wordn)list#*wordn#*wordn#*memory#*wordn)";;
let macro_env = ":bool";;
let micro_state = ":((*wordn)list#*wordn#*wordn#*memory#
                     *wordn#*wordn#*wordn#*wordn#bt6)";;
let micro_env = ":bool";;
% Beginning of MPC %
let FETCH_ADDR = "(F,F,F,F,F,F)";;
% Offset into microrom lookup table %
let OFFSET = "4";;
let Macro_Int_def = new_definition
  ('Macro_Int_def',
   "!(rep:^rep_ty) (s:time->^macro_state) (e:time->^macro_env) .
      (Micro_Substate rep) : ^micro_state->^macro_state,
      (I : ^micro_env->^macro_env),
      (Micro_Int rep) : (time->^micro_state)->(time->^micro_env)->bool,
      GetMPC : ^micro_state->^micro_env->bt6,
      ^FETCH_ADDR:bt6, (\x:one. F)) s e"
  );;
      (instantiate_abstract_definition 'gen_I' 'INTERP' Macro_Int_def)))
  );;
%
Macro_Int =
|- !rep s e.
    Macro_Int rep s e =
    (!t.
      s(t + 1) =
      SND
Intermediate theorems generated: 929
%
let Macro_Inst_Correct_def = new_definition
  ('Macro_Inst_Correct_def',
   "!(rep:^rep_ty) s' e'
      Micro_Substate rep, I, Micro_Int rep,
      GetMPC, ^FETCH_ADDR, (\x:one. F)) s' e' p"
  );;
let Macro_Inst_Correct = save_thm
  ('Macro_Inst_Correct',
   let Macro_Inst_EXT =
      (instantiate_abstract_definition
         'gen_I' 'INST_CORRECT' Macro_Inst_EXT)))
  );;
%
Macro_Inst_Correct =
|- !rep s' e' p.
    Macro_Inst_Correct rep s' e' p =
    Micro_Int rep s' e' ==>
    (!t.
      (Opcode rep(Micro_Substate rep(s' t))(e' t) = FST p) /\
      (GetMPC(s' t)(e' t) = F,F,F,F,F,F) ==>
      (?c.
        Next(\t'. GetMPC(s' t')(e' t') = F,F,F,F,F,F)(t,t + c) /\
        (SND p(Micro_Substate rep(s' t))(e' t) =
         Micro_Substate rep(s'(t + c)))))
Run time: 74.3s
Intermediate theorems generated: 4267
%
    CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) sum_Axiom));;
let INJECTION_ONE_ONE = prove_constructors_one_one sum_Axiom;;
let INJECTION_DISTINCT = prove_constructors_distinct sum_Axiom;;
let INJ_LEMMA_ONE = TAC_PROOF
  (([],
    "!(b:bool) (x:**) (y z:*) .
      ((b => INR x | INL y) = (INL z)) ==>





   THEN IMP_RES_TAC (SYM_RULE INJECTION_DISTINCT)
   THEN MATCH_MP_TAC (fst (EQ_IMP_RULE
                             (SPEC_ALL
                               (CONJUNCT1 INJECTION_ONE_ONE))))
   THEN POP_ASSUM (\thm . MATCH_ACCEPT_TAC thm)
  );;
let INJ_LEMMA_TWO = TAC_PROOF
  ([],
   "! (b:bool) (x z:**) (y:*) .
      ((b => INR x | INL y) = (INR z)) ==>




   THEN REWRITE_TAC []
   THEN STRIP_TAC
   THEN IMP_RES_TAC INJECTION_DISTINCT
   THEN MATCH_MP_TAC (fst (EQ_IMP_RULE
                             (SPEC_ALL
                               (CONJUNCT2 INJECTION_ONE_ONE))))
   THEN POP_ASSUM (\thm . MATCH_ACCEPT_TAC thm)
  );;
Some ML functions for the inference rules that follow.
let last l = (el (length l) l);;
letrec term_list_el n l = (
  let tm_hd x = rand(fst(dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
  term_list_el (n-1) (tm_tl l)) ?
  failwith 'term_list_el';;
This is insecure for right now. If anyone is seriously concerned
that this isn't right, I'll do it over.
let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([],"^tm = ^(term_list_el n_int l)")) ?
  failwith 'EL_CONV';;
Some other nice conversions
let is_SND_term t =
  if is_comb t then
    fst(dest_const(fst(strip_comb t))) = 'SND'
  else
    false;;
SND_CONV "SND (x,y)" --> |- SND (x,y) = y
let SND_CONV t =
  if is_SND_term t then
    let op,pr = dest_comb t in
    let op,[t1;t2] = strip_comb pr in
    SPECL [t1;t2] (





ADD_ASSOC_CONV "a+(b+c)" --> |- a+(b+c) = (a+b)+c
let ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t2
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL[t1;t3;t4] ADD_ASSOC
  else fail;;
INV_ADD_ASSOC_CONV "(a+b)+c" --> |- (a+b)+c = a+(b+c)
let INV_ADD_ASSOC = (GEN_ALL o SYM o SPEC_ALL) ADD_ASSOC;;
let INV_ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t1
  in
  if op1 = "$+" & op2 = "$+"
  then SPECL[t3;t4;t2] INV_ADD_ASSOC
  else fail;;
inv_num_CONV "(SUC 2)" --> |- SUC 2 = 3
let inv_num_CONV n = (
  let x,y = dest_comb n in
  let y_inc = int_to_term ((term_to_int y) + 1) in
  if not(x = "SUC") then fail else
  SYM_RULE (num_CONV y_inc))
  ? failwith 'inv_num_CONV';;
Using MK_Micro_Int_Inst_LEMMA, we can prove a lemma of the form
|- Micro_Int
   rep
   (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
   (\t. (int_e t)) ==>
   (!t.
     (mpc t = F,F,T,F,T,T) ==>
     (reg(t + 1),psw(t + 1),pc(t + 1),mem(t + 1),ivec(t + 1),ir(t + 1),
      mar(t + 1),mbr(t + 1),mpc(t + 1) =
      ST_u1
      rep
      (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,F,F,T,F,T,T)
      (int_e t)))
for every microinstruction, by simply giving its position in the
list. Mapping the inference rule onto a list of integers from 0
to 63 yields a list of lemmas, one for each microinstruction. The
entire process (exclusive of autoload time) takes < 700 sec.
let Micro_Int_SPEC =
  PURE_ONCE_REWRITE_RULE [micro_inst_list; GetMPC] (
    BETA_RULE (
      SPECL ["rep:^rep_ty";
             "(\t. (reg t,psw t,pc t,mem t,
                    ivec t,ir t,mar t,mbr t,mpc t)):time->^micro_state";
             "(\t. (int_e t)):time->^micro_env"] Micro_Int));;
let MK_Micro_Int_Inst_LEMMA inst =
  let tp = mk_n_tuple_from_int 6 inst in





            "reg t : (*wordn)list";
            "mem t : *memory";
            "psw t : *wordn";
            "pc t :*wordn";
            "ivec t :*wordn";
            "ir t :*wordn";
            "mar t : *wordn";
            "mbr t : *wordn";
            tp;
            "int_e t:bool"] (el (inst+1) instructions)] (
      CONV_RULE (DEPTH_CONV SND_CONV) (
        CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (






            (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
            (\t. (int_e t))"))))))))));;
let mk_num_list n =
  letrec mk_num_list_aux m n =
    if m = n then [m] else
    (m . (mk_num_list_aux (m+1) n)) in
  mk_num_list_aux 0 n;;
let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 63);;
Normalize the assumption (get rid of add_bt6)
let NORMAL_POP_ASSUM_TAC =
  POP_ASSUM (\thm. ASSUME_TAC (
    CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
      CONV_RULE DEC_ADD_CONV (
        % DEC_ADD_CONV broken for "0 + 1" %
        PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
          CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
            REWRITE_RULE [add_bt6] thm))))));;
A few interesting lemmas
let T_PLUS_3_LEMMA = TAC_PROOF







let RANGE_LEMMA = TAC_PROOF
  ([],
   "!t1 t2 (mpc:time->bt6) x .
      (!t'. t1 < t' /\ t' < t2 ==> ~(mpc t' = x)) /\
      ~(mpc t2 = x) ==>
      (!t'. t1 < t' /\ t' < (t2 + 1) ==> ~(mpc t' = x))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC(
     SPEC "t':time" (el 8 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1;LESS_THM] (el 3 asl)))
   THENL [
     ASSUM_LIST (\asl. ASSUME_TAC (












Lemma about the FETCH-ISSUE-DECODE sequence.
let FID_LEMMA = TAC_PROOF
  ([],
   "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr :time->*wordn) (mpc:time->bt6)
      (int_e : time->bool).
    Micro_Int rep (\t. (reg t,psw t,pc t,mem t,ivec t,
                        ir t,mar t,mbr t,mpc t))
                  (\t. (int_e t)) ==>
    (!t. (int_e t /\ get_io rep (psw t) = F) /\
         (mpc t = (F,F,F,F,F,F)) ==>
      ((reg(t + 3),psw(t + 3),pc(t + 3),mem(t + 3),ivec(t + 3),
        ir(t + 3),mar(t + 3),mbr(t + 3),mpc(t + 3)) =
       (reg t,psw t,inc rep(pc t),mem t,ivec t,
        fetch rep(mem t,address rep(pc t)),pc t,
        fetch rep(mem t,address rep(pc t)),
        add_bt6 (F,SND(opcode rep
                        (fetch rep
                          (mem t,address rep(pc t))))) ^OFFSET)) /\
      ~(mpc(t + 1) = F,F,F,F,F,F) /\
      ~(mpc((t + 1) + 1) = F,F,F,F,F,F) /\





   THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS(REWRITE_RULE [(el 4 asl); PAIR_EQ] (el 1 asl))))
   THEN NORMAL_POP_ASSUM_TAC
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
       (\y. MATCH_MP y (el 1 asl)) (
         SPEC "t+1:time" (
           MATCH_MP (el 2 Micro_Int_Inst_list) (last asl)
     ))))))
   THEN NORMAL_POP_ASSUM_TAC
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
       REWRITE_RULE [PAIR_EQ] (
         (\y. MATCH_MP y (el % asl)) (
           SPEC "(t+1)+1:time" (







   REWRITE_RULE [Opcode; Opc_Val; GetMPC; Micro_Substate; Next] (
     BETA_RULE (
       SPECL ["rep:^rep_ty";
              "(\t. reg t, psw t, pc t, mem t, ivec t,
                    ir t, mar t, mbr t, mpc t):time->^micro_state";
              "(\t. int_e t):time->^micro_env"]
             Macro_Inst_Correct)));;
let EXPAND_MACRO_INST_RULE x =
  PURE_REWRITE_RULE [GetDest; GetIn; GetSrcA; GetSrcB] (
    EXPAND_LET_RULE x);;
Performs repeated symbolic execution on the assumption list
until the MPC has returned to FETCH_ADDR. Keeps track of
the number of iterations and supplies the number as a witness
for the existential quantification.
let (INST_LOOP_TAC tm_init):tactic =
  let is_begin thm =
    snd(dest_eq thm) = FETCH_ADDR in
  let tuple_val thm =
    term_to_int (bt_val_gtmc(snd(dest_eq thm))) in
  letrec INST_LOOP_TAC_AUX tm ((asl,w):goal) =
    let INST_TAC n =
      IMP_RES_TAC (el n Micro_Int_Inst_list) THEN
      ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
        CONJUNCTS (
          REWRITE_RULE [PAIR_EQ] (el 1 x)))) in
    let n = (tuple_val (el 1 asl)) + 1 in
    let gl,p = INST_TAC n (asl,w) in
    let (asl',w') = (hd gl) in
    let gll,pl = split (
      if (is_begin (el 1 asl')) then
        map (EXISTS_TAC tm) gl else
        map (INST_LOOP_TAC_AUX "(^tm)+1") gl) in
    (flat gll,(p o mapshape(map length gll)pl)) in
  INST_LOOP_TAC_AUX "(^tm_init + 1)";;
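The obligation stated by Macro_Inst_Correct above, and the loop that INST_LOOP_TAC runs to discharge it, can be seen concretely on a toy machine. The Python model below is an added illustration and not HOL code from the report: it assumes a constructed two-instruction microcoded machine (the register names pc, acc, mar, mbr, mpc, the microcode and the memory contents are constructed; OFFSET = 4 is the page's value), steps microinstructions until mpc returns to FETCH_ADDR to obtain the witness c, compares the abstracted state with the macro-level semantics, and checks the Temp_Abs-style sampling of a whole micro trace on which the macro-level correctness lemma rests.

```python
from typing import NamedTuple
FETCH_ADDR = 0   # constructed: microcode address where every instruction begins
OFFSET = 4       # constructed: base of the microcode dispatch table (the page's OFFSET is 4)

class Micro(NamedTuple):          # micro-level state; mem holds (opcode, operand) words
    pc: int
    acc: int
    mem: tuple
    mar: int
    mbr: tuple
    mpc: int

def micro_substate(s: Micro):     # Micro_Substate: the part the macro level sees
    return (s.pc, s.acc, s.mem)

def micro_step(s: Micro) -> Micro:
    """One microinstruction, selected by mpc (constructed microcode)."""
    if s.mpc == FETCH_ADDR:             # fetch:  mar <- pc
        return s._replace(mar=s.pc, mpc=1)
    if s.mpc == 1:                      # issue:  mbr <- mem[mar], pc <- pc + 1
        return s._replace(mbr=s.mem[s.mar], pc=s.pc + 1, mpc=2)
    if s.mpc == 2:                      # decode: mpc <- OFFSET + opcode
        return s._replace(mpc=OFFSET + s.mbr[0])
    if s.mpc == OFFSET + 0:             # LOAD:   acc <- operand, back to fetch
        return s._replace(acc=s.mbr[1], mpc=FETCH_ADDR)
    if s.mpc == OFFSET + 1:             # ADD, first half:  mar <- operand address
        return s._replace(mar=s.mbr[1], mpc=OFFSET + 2)
    if s.mpc == OFFSET + 2:             # ADD, second half: acc <- acc + mem[mar], back to fetch
        return s._replace(acc=s.acc + s.mem[s.mar][1], mpc=FETCH_ADDR)
    raise ValueError(f"undefined microcode address {s.mpc}")

def macro_step(m):
    """Macro-level semantics of one instruction (the SID p of Macro_Inst_Correct)."""
    pc, acc, mem = m
    op, arg = mem[pc]
    if op == 0:                          # LOAD
        return (pc + 1, arg, mem)
    if op == 1:                          # ADD
        return (pc + 1, acc + mem[arg][1], mem)
    raise ValueError(f"undefined opcode {op}")

def run_until_fetch(s: Micro):
    """INST_LOOP_TAC's loop: step until mpc is back at FETCH_ADDR; c is the ?c witness."""
    c = 0
    while True:
        s, c = micro_step(s), c + 1
        if s.mpc == FETCH_ADDR:
            return s, c

def inst_correct(s: Micro):
    """Macro_Inst_Correct at one time t: SID p (substate s) == substate (s after c steps)."""
    s2, c = run_until_fetch(s)
    return macro_step(micro_substate(s)) == micro_substate(s2), c

def macro_level_correct(s0: Micro, n_steps: int) -> bool:
    """Temp_Abs the micro trace at mpc = FETCH_ADDR; the samples must form a macro_step trace."""
    trace = [s0]
    for _ in range(n_steps):
        trace.append(micro_step(trace[-1]))
    macro = [micro_substate(s) for s in trace if s.mpc == FETCH_ADDR]
    return all(macro_step(a) == b for a, b in zip(macro, macro[1:]))

# constructed program: LOAD 5; ADD [3]; LOAD 7; address 3 holds the data word 42
MEM = ((0, 5), (1, 3), (0, 7), (9, 42))
```

Starting from pc = 0 with mpc = FETCH_ADDR, LOAD takes c = 4 micro-steps and ADD takes c = 5, and sampling the trace where mpc = FETCH_ADDR yields exactly the macro-level trace.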
Create a goal for instruction n
let MK_INST_CORRECT_GOAL n =
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl macro_inst_list))))) in
  "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr :time->*wordn) (mpc:time->bt6)
     (int_e:time->bool).
   (!n . int_fetch rep (int_trans rep n) = (int_fetch rep n)) /\
   (!m a . fetch rep (trans rep m,a) = fetch rep (m,a)) /\
   (!m a x . store rep (trans rep m,a,x) =
             trans rep (store rep (m,a,x))) ==>
   Macro_Inst_Correct rep
     (\t. reg t, psw t, pc t, mem t, ivec t,
          ir t, mar t, mbr t, mpc t)
     (\t. int_e t) ^inst";;
Prove the instruction correctness lemma for instruction n
let INST_CORRECT_TAC (n,thm) =
  let inst_lem = EXPAND_MACRO_INST_RULE thm in
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl macro_inst_list))))) in
  REPEAT STRIP_TAC






  THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
      REWRITE_RULE [el 10 asl;PAIR_EQ] (el 7 asl)
    )))
  THEN NORMAL_POP_ASSUM_TAC
  THEN INST_LOOP_TAC "3"




  THENL [
    PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]
    THEN CONV_TAC (TOP_DEPTH_CONV INV_ADD_ASSOC_CONV)
    THEN REWRITE_TAC [
      REWRITE_RULE [ADD_CLAUSES;NOT_SUC] (




    ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
    THEN CONJ_TAC
    THEN ONCE_REWRITE_TAC [t_.SS_SQ_ZE__])




map (delete_cache o fst) (cached_theories());;
Prove the EINT instruction correctness lemma (special case)
let EINT_inst = definition 'macro_def' 'EINT';;




    SPEC "(INR one:bt5+one,ABS_ENV(EINT (rep:^rep_ty)))"





  THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
  THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
    CONJUNCTS(REWRITE_RULE [(el 6 asl); PAIR_EQ] (el 1 asl))))
  THEN NORMAL_POP_ASSUM_TAC
  THEN INST_LOOP_TAC "1"








      GEN_ALL (SPECL ["n:num"; "SUC n"] LESS_ADD_NONZERO))]
  THEN REPEAT (
    ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
    THEN CONJ_TAC




save_thm('EINT_CORRECT_LEMMA', EINT_CORRECT_LEMMA);;
If PROVE_INST_CORRECT_LEMMA fails, I don't want it to stop the
maps, so we'll return a dummy theorem.
let PROVE_INST_CORRECT_LEMMA n = (
  TAC_PROOF (([], MK_INST_CORRECT_GOAL n),
             INST_CORRECT_TAC (n,el (n+1) macro_defn_list)))
  ? BOOL_CASES_AX;;
Save lemmas for recovery in the event of a crash.
let SAVE_INST_LEMMA n =
  let name = (concat 'MAC_INST_' (string_of_int n)) in
  save_thm(name,PROVE_INST_CORRECT_LEMMA n);;
map (delete_cache o fst) (cached_theories());;
letrec mk_num_list n m =
  if n = m then [m] else
  (n . (mk_num_list (n+1) m));;
let inst_lemma_list = map SAVE_INST_LEMMA (mk_num_list 0 7);;




  (map SAVE_INST_LEMMA (mk_num_list 8 15));;
map (delete_cache o fst) (cached_theories());;
let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 16 23));;
map (delete_cache o fst) (cached_theories());;
let inst_lemma_list =
  inst_lemma_list @




The first obligation of the abstract interpreter theory
let Macro_Int_CORRECT_LEMMA_AUX = TAC_PROOF
  ([],
   "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr :time->*wordn) (mpc:time->bt6)
      (int_e:time->bool).
    (!n . int_fetch rep (int_trans rep n) = (int_fetch rep n)) /\
    (!m a . fetch rep (trans rep m,a) = fetch rep (m,a)) /\
    (!m a x . store rep (trans rep m,a,x) =
              trans rep (store rep (m,a,x))) ==>
    EVERY (Macro_Inst_Correct rep
            (\t. reg t, psw t, pc t, mem t, ivec t,
                 ir t, mar t, mbr t, mpc t)
            (\t. int_e t)) (macro_inst_list rep)"),
   REWRITE_TAC [EVERY_DEF; macro_inst_list]
   THEN REPEAT STRIP_TAC













"! opc. Opc_¥al opc< (I_IGTH (sacro__nmt_list (rop:'rop_ty)))")°
REPEAT GEII_TAC
THYJ P._RITE_TAC [macro_inst_l£st ;LI_GTH;Opc_Val]
COMD_CASES_TAC
TH_L [
STRUCT_CISES_TAC (SPEC "(0UTL (opc: btS+one))" FIVE_TUPLZ_VAIA__LE_I£)
TH_ P_gRITE_TAC [btS_val; SYM_RULE LDD1 ;OUTL]
ALL_TAC
]
TliEM C01IV_TAC (TOP_DEPTH_COIIV num C01IV)
TI_ REWRITE_TAC [LESS_O ;LESS_M010_EQ]
);;
lo_roc DEPTH_FIRST_COMV cony tm -
FXRST_CONV
[cony;
RATOR_CONV (DEPTH_FIP.qT_CONV cony) ;
RAND_CONV (DEPTH_FIRST_CONV cony) ;
£BS_CONV (DEPTH_FIRST_CONV cony) ]
tm; ;
try it hero Z
or else try left subtroo
or else try right eubtreo





"!opc:btS+ono . "(ISL opt) n.) (ISR opc)'°),
REPEAT STRIP_TAC









"!opc:b_5+ono . "(ISR opc)--> (ISL opc)"),
ltIPEAT STRIP_TAC
TH_ STRUCT_CASES_TAC (SPEC "opc:btS+ono"
(I|ST_TYPE [(":btS"o":*") ; (":ono",":so")] XSL_OR_ISR))
Tm_L [





The third obligation of the abstract interpreter theory
let Macro_Int_ORDER_LEMMA = TAC_PROOF
  ([],
   "!opc:bt5+one . opc = FST (EL (Opc_Val opc)





     POP_ASSUM (\thm. ONCE_LEFT_REWRITE_TAC [
       (SYM_RULE
         (MP (SPEC "opc:bt5+one"
                (INST_TYPE [(":bt5",":*"); (":one",":**")] INL))
             (REWRITE_RULE [] thm)))])
     THEN STRUCT_CASES_TAC (SPEC "(OUTL (opc:bt5+one))"
                              FIVE_TUPLE_VALUE_LEMMA)
     THEN REWRITE_TAC [bt5_val; OUTL];
     POP_ASSUM (\thm. ONCE_LEFT_REWRITE_TAC [
       (SYM_RULE
         (MP (SPEC "opc:bt5+one"
                (INST_TYPE [(":bt5",":*"); (":one",":**")] INR))
             (REWRITE_RULE [thm] (SPEC_ALL NOT_ISL_LEMMA))
         ))])
     THEN SUBST_TAC [SPEC "(OUTR (opc:bt5+one))" one]
     THEN REWRITE_TAC [OUTR]
   ]

















     GetMPC: ^micro_state->^micro_env->bt6, ^FETCH_ADDR, Ix:one.F)");
    ("e':time->*env'",
     "(\t:time. (int_e t):bool)");
    ("s':time->*state'",
     "(\t:time. (reg t):(*wordn)list, (psw t):*wordn,
                (pc t):*wordn, (mem t):*memory, (ivec t):*wordn,





let correct_lemma = snd(hd theorem_list);;
MACRO_LEVEL_CORRECT_LEMMA =
|- (!n. int_fetch rep(int_trans rep n) = int_fetch rep n) /\
   (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
   (!m a x. store rep(trans rep m,a,x) = trans rep(store rep(m,a,x))) ==>
   Micro_Int
   rep
   (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
   (\t. (int_e t)) /\
   (?t. mpc t = F,F,F,F,F,F) ==>
   Macro_Int
   rep
   ((\t. (reg t,psw t,pc t,trans rep(mem t),int_trans rep(ivec t))) o
    (Temp_Abs(\t. mpc t = F,F,F,F,F,F)))
   ((\t. (int_e t)) o (Temp_Abs(\t. mpc t = F,F,F,F,F,F)))
Run time: 254.3s
Intermediate theorems generated: 4257






          ONCE_REWRITE_RULE [SYM_RULE Macro_Int_def] correct_lemma))))
  );;
3.8 The Final Result
This section presents the ML code that creates the theory avm.th.
File: mk_avm.ml
Author: (c) P. J. Windley 1990
Date: JUN 23, 1990
Modified:
Description:
Uses the correctness proofs from each level to prove an overall
correctness result for AVM-1
set_search_path (search_path() @ ['/au_tq/home/windley/hol/tactics/';
                                  '/nuzt ag/home/windley/hol/ml/';
                                  ]);;




                    ['tuple/'; 'decimal/']));;
loadf 'abstract';;
system '/bin/rm avm.th';;
new_theory 'avm';;
new_parent 'macro';;
let MACRO_LEVEL_CORRECT_LEMMA =
  theorem 'macro' 'MACRO_LEVEL_CORRECT_LEMMA';;
let MICRO_LEVEL_CORRECT_LEMMA =
  theorem 'micro' 'MICRO_LEVEL_CORRECT_LEMMA';;
let PHASE_LEVEL_CORRECT_LEMMA =
  REWRITE_RULE [I_o_ID] (
    theorem 'phase' 'PHASE_LEVEL_CORRECT_LEMMA');;
let Micro_Int = theorem 'micro' 'Micro_Int';;
Load abstract type definitions.
let rep_ty = abstract_type 'aux_def' 'opcode';;
let I_rep_ty = abstract_type 'gen_I' 'Impl';;
Define type terms for the state and env.
let macro_state = ":((*wordn)list#*wordn#*wordn#*memory#*wordn)";;
let macro_env = ":bool";;
let micro_state = ":((*wordn)list#*wordn#*wordn#*memory#
                     *wordn#*wordn#*wordn#*wordn#bt6)";;





let Phase_env = ":bool";;
let EBM_state = Phase_state;;
let EBM_env = Phase_env;;
Note that micro_rom is substituted for urom. The general version









    let f = (Temp_Abs(\t. clk t = F,F)) in (
    (!p. mk_psw rep (get_sn rep p,get_io rep p,
                     get_vf rep p,get_nf rep p,
                     get_cf rep p,get_zf rep p) = p) ==>
    EBM rep
      (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,
            mbr t,mpc t,alatch t,blatch t,ireq_ff t,
            iack_ff t,mir t,micro_rom,clk t))
      (\t. (ireq_e t t)) /\
    (?t. clk t = F,F) ==>
    Micro_Int rep
      ((\t. (reg t,psw t,pc t,mem t,
             ivec t,ir t,mar t,mbr t,mpc t)) o f)











"Temp_kbs(\t. c].k t - F,F):tJ_o->_J_o";
"x:t/_e"] (
lIST_TYPE [(" : t_ae",":*°') ;
(":tiae",":**")] o TBM)) ;;
lot nev_o_DEF =
GEl_ALL (
SPECL ["f :tiae->***" ;
"Temp_Abs(\£. clk t = F,F):tiae->timi"] (
lIST_TYPE [(" : tiao",": *") ;
(":tins",":**")] o_D£F)) ; ;
1o£ EBM_MICRO_CORP_CT___EZPkIrDED =
OWCE_REVRZ__RULE [SYM_RULZ new_o.TH_ (
BETA_RULE (
REVP.ZT£.RULE [o_DEF] (
EXPIND_LETJULE £BM_MICRO_CORRECT_LEPMA) ) ) ; ;
KBM_MICRO_COI__L__EIP AWDED=





     (get_sn rep p,get_io rep p,get_vf rep p,get_nf rep p,get_cf rep p,





     (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
      blatch t,ireq_ff t,iack_ff t,mir t,micro_rom,clk t))
     (\t. (ireq_e t t)) /\




     ((reg o (Temp_Abs(\t. clk t = F,F)))x,
      (psw o (Temp_Abs(\t. clk t = F,F)))x,
      (pc o (Temp_Abs(\t. clk t = F,F)))x,
      (mem o (Temp_Abs(\t. clk t = F,F)))x,
      (ivec o (Temp_Abs(\t. clk t = F,F)))x,
      (ir o (Temp_Abs(\t. clk t = F,F)))x,
      (mar o (Temp_Abs(\t. clk t = F,F)))x,
      (mbr o (Temp_Abs(\t. clk t = F,F)))x,
      (mpc o (Temp_Abs(\t. clk t = F,F)))x))
   (\x.
     ((ireq_e o (Temp_Abs(\t. clk t = F,F)))x))
Run time: 142.2s
Intermediate theorems generated: 4272
let AVM_CORRECT = prove_thm
  ('AVM_CORRECT',
   "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool).
    let micro_abs = (Temp_Abs(\t. clk t = F,F)) in
    let abs = micro_abs o
              (Temp_Abs(\t. (mpc o micro_abs) t = F,F,F,F,F,F)) in (
    (!n. int_fetch rep(int_trans rep n) = int_fetch rep n) /\
    (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
    (!m a x. store rep(trans rep m,a,x) = trans rep(store rep(m,a,x))) ==>
    (!p. mk_psw rep (get_sn rep p,get_io rep p,
                     get_vf rep p,get_nf rep p,
                     get_cf rep p,get_zf rep p) = p) ==>
    EBM rep
      (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,
            mbr t,mpc t,alatch t,blatch t,ireq_ff t,
            iack_ff t,mir t,micro_rom,clk t))
      (\t. (ireq_e t t)) /\
    (?t. (clk t = F,F)) /\
    (?t. ((mpc o micro_abs) t = F,F,F,F,F,F)) ==>
    Macro_Int rep
      ((\t. (reg t,psw t,pc t,
             trans rep(mem t),int_trans rep(ivec t))) o abs)
      ((\t. (ireq_e t t)) o abs))",
   EXPAND_LET_TAC
   THEN REPEAT (






   THEN ONCE_REWRITE_TAC [SYM_RULE new_o_THM]
   THEN POP_ASSUM (\thm . MATCH_ACCEPT_TAC thm)
  );;
AVM_CORRECT =
|- !rep reg mem psw pc ivec ir mar mbr alatch blatch mpc clk mir
    ireq_ff iack_ff ireq_e.




     micro_abs o (Temp_Abs(\t. (mpc o micro_abs)t = F,F,F,F,F,F))
   in
   ((!n. int_fetch rep(int_trans rep n) = int_fetch rep n) /\
    (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
    (!m a x.




      (get_sn rep p,get_io rep p,get_vf rep p,get_nf rep p,





      (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
       blatch t,ireq_ff t,iack_ff t,mir t,micro_rom,clk t))
      (\t. (ireq_e t t)) /\
    (?t. clk t = F,F) /\
    (?t. (mpc o micro_abs)t = F,F,F,F,F,F) ==>
    Macro_Int
    rep
    ((\t. (reg t,psw t,pc t,trans rep(mem t),int_trans rep(ivec t))) o
     abs)
    ((\t. (ireq_e t t)) o abs))
Run time: 238.1s










Report Documentation Page
Report Date: March 1991
Title and Subtitle: Formal Proof of the AVM-1 Microprocessor Using the Concept of
Generic Interpreters
Author(s): P. Windley, K. Levitt, and G. C. Cohen
Performing Organization Name and Address: Boeing Military Airplanes,
P. O. Box 3707, WS 7J-24, Seattle, WA 98124-2207
Work Unit No.: 505-66-41-41
Contract or Grant No.: NAS1-18586
Type of Report and Period Covered: Final Report - Task 3
Technical Monitor: Sally C. Johnson
Abstract: This document was generated in support of NASA contract NAS1-18586, Design
and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Applications,
Task Assignment 3. Task 3 is associated with formal verification of embedded systems. In
particular, this document contains the HOL code that formally proves the AVM-1
microprocessor using the theory of generic interpreters.
Security Classif. (of this report): Unclassified
Security Classif. (of this page): Unclassified
No. of pages: 208
NASA FORM 1626 OCT 86


