Investigation, Development, and Evaluation of Performance Proving for Fault-tolerant Computers by Hare, D. et al.
NASA Contractor Report 166008 
NASA-CR-166008 
19840017239 
Investigation, Development, 
and Evaluation of 
Performance Proving for 
Fault-Tolerant Computers 
Karl N. Levitt 
Richard Schwartz 
Dwight Hare 
P. Michael Melliar-Smith 
Robert E. Shostak 
Robert Boyer 
J S Moore Milton Green 
W. D avid Elliott 
SRI International 
Menlo Park, California 94025 
Contract NASl-15528 
August 1983 
NI\SI\ 
National Aeronautics and 
Space Administration 
Langley Research Center 
Hampton, Virginia 23665 
111111111111111111111111111111111111111111111 
NF01865 
llBRARV COpy 
I. ":', " '984 ~'. : U f ~~l Ij I I 
LANGLEY R':SEAR' . IoNTm 
UBR/IRY, NASA 
HP'~JPTON. VIRGIWA 
https://ntrs.nasa.gov/search.jsp?R=19840017239 2020-03-20T21:54:45+00:00Z
NASA Contractor Report 166008 
Investigation, Development, 
and Evaluation of 
Performance Proving for 
Fault-Tolerant Computers 
Karl N. Levitt 
Richard Schwartz 
Dwight Hare 
P. Michael Melliar-Smith 
Robert E. Shostak 
Robert Boyer 
J S Moore Milton Green 
W. David Elliott 
SRI International 
Menlo Park, California 94025 
Contract NAS1-15528 
August 1983 
NI\5/\ 
National Aeronautics and 
Space Administration 
Langley Research Center 
Hampton, Virginia 23665 

TABLE OF CONTENTS 
Chapter 
1 Introduction • 
2 STP Theorem Prover--Overview • 
3 STP Theorem Prover--Command Interface 
4 Overview of Design Verification 
5 A Simple Example of Design Verification 
6 Design Verification of SIFT--Overview 
7 Design Verification of SIFT--Listings 
7.1 Integer STP 
7.2 NAT STP 
7.3 Pair of STP 
7.4 Sets Axioms 
7.5 Subframe Axioms 
7.6 10 Axioms 
7.7 Majority STP • 
7.8 Specification for Sequences of Type1 
7.9 REP Axioms . 
7.10 10 RP Derivation • 
7.11 Schedule Axioms 
7.12 PACT Axioms 
7.13 React Mapping 
7.14 React Lemmas . 
7.15 Prepost Axioms 
· 7.16 Prepost Mapping 
7.17 Prepost Lemmas 
· 7.18 Proof-Status 4 • 
7.19 Proof-Status 3 
· 7.20 Proof-Status 1 • 
Values 
Page 
1 
9 
29 
35 
49 
57 
81 
87 
91 
95 
99 
103 
107 
115 
119 
123 
135 
161 
169 
181 
187 
243 
255 
261 
283 
287 
295 
8 Overview of Code Verification 301 
9 HDM-Pasca1 Code Verification System--Genera1 Introduction 305 
10 Meta-Verification Condition Generator; Hoare Rules for Pascal 331 
11 HDM-Pasca1 Code Verification System--Description of Operation 361 
12 HDM-Pasca1 Code Verification System--User's Manual. 375 
iii 
Chapter 
13 HDM-Pasca1 Code Verification System--Simp1e Exercises 
14 
15 
16 
Verification of SIFT Code • • • • • • • • • 
14.1 Pre/post Specification in SPECIAL 
14.2 SIFT Code ••••••••••••••• 
Sample Verification Conditions and Proofs • 
Formal Definition of HDM Methodology 
17 An Initial Approach to Verifying a Schedu1er--Written in 
18 
19 
20 
21 
22 
23 
Assembly Language . . . 
Formal Definition of BDX930 Instruction Set • 
Verification of Numerical Algorithms . . 
Verification of Flight Control Programs • 
Verification of Hardware Logic . . . . . . . . . . . . . . 
The Boyer-Moore Theorem Prover and Its Application to 
Program Verification • • • • • • • • • • 
Conclusions • 
Form N-305 •••• 
iv 
Page 
381 
401 
409 
427 
437 
449 
473 
479 
507 
519 
533 
555 
589 
593 
CHAPTER 1 
INTRODUCTION 
1 

INTRODUCTION 
1. Project Objectives 
This report is concerned with the Formal Verification of computer systems. In the course of 
carrying out the work reported herein we have developed a number of methodologies for verifying 
systems, developed computer-based tools that assist users in verifying their systems, and have 
applied these tools to verifying in part the SIFT ultrareliable aircraft computer. 
By formal verification we mean showing by mathematical reasoning that a system satisfies its 
requirement. By a system we mean the computer hardware and the collection of programs that 
run on the hardware. A requirement is a description of the function to be carried out by the 
system. The requirement indicates the system's response to all sequences of inputs that could be 
applied to the system. If the verification is successfully carried out, the system is, in principle, 
guaranteed to be correct; no further validation (e.g., testing) should be required.* However, it 
should be noted that the system might still contain some errors that require conventional testing 
to uncover e.g. due to: errors in the requirement, ommisions in the requirement, errors in portions 
of the system that are not verified. Thus one should view formal verification as a systematic 
approach to analyzing a system that when combined with standard methods, is potentially 
capable of reducing significantly the number of errors in delivered systems. 
How can it be assured that requirements are free of errors! The most obvious answer is to 
produce requirements that are short enough and simple enough to be carefully reviewed. We 
have found that even for very complex systems, requirements can be written that indicate only 
what is essential to understand what the system is supposed to be doing. Details of the system's 
implementation need not be part of the requirement. It is our conclusion, then, that short 
requirements statements can be produced. In order to be processible by the verification tools, the 
requirement must be expressed in a formal language. We will be using three different languages 
for stating requirements (STP, Boyer-Moore theory and SPECIAL). Those familiar with 
mathematical logic will have no trouble reading and understanding the requirements we present 
in this report. Those who have not been exposed to mathematical logic will be able to understand 
the requirements through the English comments that accompany the formal logic statements. 
We wish to contrast our approach to system verification to the traditional approach, in particular 
stressing why our approach leads to simpler and more believable requirements, and why it makes 
the process of verifying large systems feasible. The traditional approach, which we call code 
verification, is concerned with verifying algorithms expressed in a programming language. For 
example a sort algorithm is shown to satisfy the requirement that the output is ordered and a 
permutation of the input. (The requirement for such algorithms is commonly called the 
specification.) 
Code verification in itself is inadequate since it does not lead to requirements that are short and 
*To understand the implications of verification, the reader might find it helpful to make analogy to 
what a proof in, say, plane geometry means. Reasoning similar to what we describe in this report is used 
to prove the Pythagorean Theorem. Once verified, a theorem can be freely used in any circumstance 
where it applies - the assumptions underlying the theorem (there is a right triangle with sides a, band 
hypotenuse c.) are satisfied. 
3 
simple. For example, an operating system consists of many subprograms. Each of these 
subprograms can be given a specification: The specification for the scheduler will indicate what it 
means to schedule; the specification for the directory manager will indicate what it means for 
directory entries to handled properly. However, these specifications in toto fail to clearly indicate 
the overall purpose of the operating system which, in the case of SIFT, is to assure that aircraft 
control programs are processed correctly. It is the interaction of these programs that determines 
if the overall goals of the system are to be satisfied. 
What is needed, then, is a requirement statement that addresses higher-level issues. To achieve 
this, we suggest that a system requirement be expressed as a model, which we take to mean a 
collection of higher-level functions t.ogether with properties (expressed as axioms on the 
functions). This model must be shown to be consistent with the specifications for the subprograms 
that comprise the system; we call this process design verification. (Code verification is then 
employed to show the consistency of the subprograms' specifications with their implementation.) 
Often, as was the case in SIFT, the jump from the model to the specifications is too large to be 
carried out in one step. Hence we introduce additional models, the collection of models forming a 
hierarchy. Design verification, then, consists of proving that each model is consistent with the one 
directly below it in the hierarchy. It should be noted that in a well-conceived hierarchy, each 
model will introduce a particular element of design; the SIFT hierarchy nicely illustrates this 
concept. 
In support of the steps of design verification and code verification, we have developed a collection 
of interactive tools. The heart of the design verification tools is the STP theorem prover, the 
language which it supports being used to define the models. Besides the theorem prover, the tool 
set contains various support packages, including ones that manage the overall verification process 
and that output a final proof in a form that is reasonably readable. 
The code verification system supports the verification of Pascal programs whose specifications are 
expressed in the SPECIAL specification language. The methodology underlying the tools, (called 
the Hierarchical Development Methodology [HDM]), allows the code itself to be decomposed in a 
hierarchical layering of levels. This process greatly simplifies the verification of large programs. 
Another significant feature of the code verification system is that it can be easily tailored to 
handle any particular programming language. This independence of programming language is 
achieved through a tool called the meta- verification condition generator, which accepts the 
syntax and (axiomatic) semantics of a programming to produce a code verification system unique 
to that language. 
As indicated above, the scope of this project is aircraft electronics systems. Our primary 
accomplishment was the development of the verification systems (for design and code verification) 
and the application of the design verification system to SIFT. It should be noted that design and 
code verification, as carried out in this project, do not cover all parts of an aircraft electronics 
system. Missing from our verification (besides the parts of SIFT we did not verify -- see below) 
are the following: Assembly-level programs, Hardware logic, and Application programs 
Consideration of these areas begins to complete a full hierarchy for an aircraft electronics system, 
the components of which are: 
4 
• Application programs -- in particular, flight control programs 
• Design for a fault-tolerant aircraft computer -- SIFT 
• Higher order code (Pascal) for SIFT software 
• Assembly level code, which in the case of SIFT is in the Bendix BDX930 instruction 
set 
• Hardware logic -- implementation of the BDX930 instruction set 
In each of these areas, we developed techniques that give some promise of being suitable for 
verifying real systems. 
2. Significant Accomplishments of Project 
The significant accomplishments of the project are the following: 
1. The development of experimental verification tools (for design and code verification). 
It should be noted that versions of these tools have been used to verify security-related 
properties of operating systems; this work was carried out on other SRI projects. 
2. The application of the design verification tools tools to the verification (in part) of the 
SIFT operating system. As we indicate later, SIFT achieves reliability by having tasks 
execute on3 or more processors, the results being voted on after completion of each 
task. vVhen an error can be pinpointed to a processor, it is logically removed and 
replaced by another processor. The requirement for SIFT (informally stated) is that 
the probability of producing an incorrect result shall be less than 10"-10 per hour over 
a 10 hour mission. The major property addressed by the design verification exercise 
and expressed in a model is that all aircraft tasks managed by the SIFT system will 
yield correct results within their prescribed deadlines, as long as the system is in a 
safe state. Here tasks are programs that implement the various aircraft functions 
(flight control, navigation, etc.); correct means that the tasks will always get the right 
inputs and deliver the output as would be produced by a working processor; within 
the deadline means that the result is produced according to some preassigned 
schedule. Safe state, is not given a definition at the highest model; when defined in a 
lower model, it. means that the number of good processors exceeds the number of 
failed processors in a configuration -- voting works. We believe that this model 
expresses exactly the significant functional properties of SIFT. Moreover, it should be 
noted that the design verification turned up a significant design error, that previously 
escaped our attention. Our verification of the SIFT design is currently incomplete, 
failing to prove the following 
• Reconfiguration: When a processor is found to be faulty, the reconfiguration 
design will logically remove from the configuration of processors. Current work 
is considering this verification . 
• Quantitative reliability, the failure probability for SIFT is 1O"·10/hour for a 
10 hour mission. Our design hierarchy does include a model, called the reliability 
5 
model that expresses, in terms of a Markov model, the concept of system failure. 
However, we did not formally relate the reliability model to the other models; 
this connection might be carried out in current work. This connection by itself, 
however, will not lead immediately to a verification of quantitative reliability 
since the rates of processor failure and reconfiguration must be derived; these 
rates can only be derived from significant experimentation with SIFT, as 
currently being carried out by NASA-Langley. 
3. The application of the code verification tools to the verification (in part) to a Pascal 
implementation of SIFT. As in the design verification exercise, our concern was just 
with the safety-related properties; we did not carry out the verification of the SIFT 
code concerned with reconfiguration. Among other current deficiencies of the code 
verification effort are: 
• Although the code we did verify would successfully run SIFT, it is not the code 
that in the SIFT system delivered to NASA-Langley. The delivered code is a 
combination of Pascal and BDX930 assembly code. Moreover, the Pascal portion 
is written in a version of Pascal tailored to an efficient real-time processing; for 
example, it permits the specification of absolute addresses, and accomplishes the 
transfer of data among processors by a special assignment statement. Our code 
verification system, support standard Pascal, does not handle such features. 
• The program that assures the clocks of the SIFT processors are in 
synchronization was not verified. The specifications for the clock synchronization 
program were, however, used in the design proof. 
• The program that handles interactive consistency, i.e., the transfer of single 
source data among processors. 
4. An initial approach to verifying assembly language programs. This approach, if 
mechanized, would be used to verify that portion of a system not expressible in a high-
level language. We attempted, but did not complete, the verification of a scheduler 
for a real time system. A byproduct of this effort was a formal definition of the 
BDX930 instruction set in the Boyer-Moore theory. 
5. An approach to verifying the precision of numerical algorithms, e.g., navigation 
programs. This approach is suitable only for programs where the correctness 
property (ignoring precision, the algorithm computes a certain function), and the 
precision property (the error introduced through round-off and other error-introducing 
operations is bounded by a specified value) can be handled separately. 
6. An approach to verifying control applications. Again, separating design verification 
from code verification proved to be extremely useful. The code verification exercise 
proves that the program correctly implements a particular filter function. The design 
verification shows that a configuration of filters achieves a particular control law. We 
used the Boyer-Moore theory to express the control law for a simple application -- the 
control of a vehicle subject to bounded disturbances in one dimension. 
6 
7. An approach to verifying hardware logic that demonstrates the consistency between a 
hardware logic circuit and a specification for the functional behavior of that circuit. 
Using our method, we successfully verified a hardware frequency comparator. A more 
ambitious undertaking, not yet attempted, would be to verify the implementation of 
the instruction set for a computer. 
3. Organization of Report 
This report, having been compiled largely from existing reports, papers, listings, etc., is large and 
not well structured. The following is a brief guide to the report. 
The report is organized into the following areas: 
1. STP Theorem Prover -- Chapters 2-3. Chapter 2 provides an easy to follow 
introduction to the STP logic. Chapter 3 describes the command interface of the STP 
theorem prover for those who want to consider using it. 
2. Design Verification of SIFT -- Chapters 4-7. Chapter 4 presents an easy introduction 
to the technique of design verification, presents an informal verification of a very 
simple voting system, and presents a synopsis of the design verification of SIFT. 
Chapter 5 gives the listing of the mechanization (using STP) of the verification of the 
simple voting system. Chapter 6 presents more detail on the SIFT design verification, 
in particular describing the hierarchy of models. Chapter 7 presents the complete 
listing of the design verification of SIFT. 
3. High Level Language Code Verification -- Chapters 8-15. Chapter 8 introduces, in a 
tutorial manner, the subject of code verification in general. Our approach to verifying 
a hierarchy of modules -- the Hierarchical Development Methodology (HOM) -- is 
introduced in Chapter 9. The discussion here is centered around the language 
(SPECIAL) used to specify these modules and an ideal language (called ILPL) used for 
module implementation. In later chapters we show how an existing language (Pascal) 
can be used for module implementation. The Meta-Verification Condition Generator, 
the approach to producing a language-independent code verification system is 
presented in Chapter 10. Included at the end of this chapter are rules for the context-
independent semantics of a Pascal subset. Chapters 11-13 introduce the code 
verification system we developed to prove hierarchies of Pascal programs, each of 
which is specified in SPECIAL. Chapter 14 presents the portion of the SIFT code we 
verified and Chapter 15 gives sample listings of the proofs. Finally, Chapter 15 
presents a formal definition of a subset of the HDM proof methodology; the Boyer-
Moore logic is used to express the formal definition. Our motivation in producing such 
a formal definition is to reduce the chances for errors being introduced in the 
verification process itself; a careful reading of such a formal definition should uncover 
errors in the verification technique. 
4. Assembly language-level Verification -- Chapters 17-18. Chapter 17 presents our 
(incomplete) attempt to verify a scheduler written in assembly language. The 
definition of the assembly language (BDX930) that would have been used is presented 
in Chapter 18. 
7 
5. Numerical Algorithm Verification -- Chapter 19 
6. Verification of Flight Control Programs -- Chapter 20 
7. Verification of Hardware Logic -- Chapter 21 
8. Tutorial on the Boyer-Moore Logic and its application to Verification of Fortran 
Programs -- Chapter 22 
9. Conclusions -- Chapter 23 
4. Recommended Chapters 
We expect that most readers will be interested in the verification of SIFT and the tools that 
made it possible. To this end, the chapters to read are: 2, 5, and 7; chapter 8, containing the 
complete listing of the verification, is recommended for those few who will want to carefully 
scrutinize the detailed steps in the verification. 
5. Acknowledgments 
Most of the authors have had a long-term involvement in the SIFT design, development and 
verification -- and in SRI's verification projects. Others who have also been involved are John 
Wensley (the SIFT concept and its detailed design), Jack Goldberg (leader of the final 2 years of 
the SIFT implementation project) and Chuck Weinstock (chief implementer of SIFT). Larry 
Robinson was the principal developer of the HDM proof methodology. 
\Ve are grateful to a number of individuals of the NASA-Langley Research Center for their 
assistance on many aspects of this project. Nick Murray was the initial monitor of the work. He 
provided constant encouragement, technical feedback on the aspects of this work related to SIFT, 
and helped guide our initial attempts to verify flight control programs. Rick Butler, the current 
monit.or, has carefully read this report, and has provided us with valuable criticism and 
suggestions on a wide range of technical areas related to the project. In addition, he did much of 
the work on the mechanized verification of the simple voting system (Chapters 5 and 6). Rick 
has also helped out considerably in the creation of a plan for producing a demonstrable 
verification system that could be used for a wide variety of applications. 
Billy Dove (at the start of this effort) and, currently, Milt Holt are responsible for NASA-
Langley's program in reliable aircraft computers. We also wish to thank the various NASA-
Langley professionals who participated in the oral reviews we had them suffer through. These 
individuals (Brian Lupton, Earl Migneault, Larry Spencer, Sal Bavuso, Dan Palumbo -- among 
others), although often skeptical of the verification approach, provided us with gentle and helpful 
criticism. 
Earl Boebert (Honeywell -- Systems and Research Division) suggested the problem we used in 
Chapter 20 to illustrate our technique for flight control verification. 
We are also grateful to the DoD Computer Security Center for their current support of SRI's 
verification effort and to particular individuals (Ann Marmor-Squires, Bret Hartman, Marv 
Schaefer, and Roger Schell) for their ongoing technical advice. 
8 
CHAPTER 2 
STP THEOREM PROVER - OVERVIEW 
9 

STP: A Mechanized Logic 
for Specification and Verification 
R. E. Shostak, Richard Schwartz, and P.M. Melliar-Smith 
1 Introduction 
This paper describ~ a logic and proof theory that has been mechanized and successfully applied to 
prove nontrivial properti~ of a fully distributed fault-tolerant system. We believe the system is close to 
achieving the critical balance in man-machine interaction necessary for successful application by ~rs 
other than the system developers. 
STP is an implemented system supporting specification and verification of theories expressed in an 
extension of multisorted first-order logic. The logic includes type parameterization and type hierarchies. 
STP support includes syntactic checking and proof components as part of an interactive environment for 
developing and managing theori~ in the logic. In formulating each new theory, the user begins with a 
certain core theory that comprises a set of primitive typ~ and function symbols, and extends this theory 
by introducing new types and symbols, together with axioms that capture the intended semantics of the 
new concepts. The mechanical proof component or the system is predicated on a rast, complete decision 
procedure for a certain syntactically characterizable sub theory. By providing aid to this component in the 
form of the selection of appropriate instanc~ or axioms and lemmas, the user raises the level of competence 
of the prover to encompass the extended theory in its entirety. ~ a result or a successful proof attempt 
using STP, one obtains the sequence of intermediate lemmas, together with the axioms, auxiliary lemmas, 
and their necessary instantiations, which lead to the theorem. The system automatically keeps track or 
which formulas have been proved and which have not, 50 that the user is not foreed to prove lemmas in 
advance of their application. The system al50 monitors the incremental introduction and modification of 
specifications to maintain soundn~s. 
This paper is organized as follows: Section 2 discusses motivation for the form of man-machine 
interaction embodied by STP. Section 3 contains a formal description or the logic and the proof theory, 
and illustrates the description with an example. Section 4 discusses the use or STP in a large-seale efl'ort to 
prove nontrivial properties or SIFT, a distributed Software-Implemented Fault-Tolerant operating system 
for aircraft flight control. Finally, Section 5 d~cribes directions ror rurther work. 
2 Issues in Mechanized Verification Support 
STP's design was guided to a considerable extent by our experience in attempting to formulate and 
re:l.'3on about properties of SIFT. The following concerns were strongly influential. 
This research wa.s supported in PaTt by NASA contract NASl·15528, NSF gnnt MC5-1g04081, and by AFOSR contrxt 
F 4g62Q. ;g·c·oogg. 
11 
2.1 Property-Theoretic Specification 
It is ohen desirable to specify program or system characteristics abstractly by stating properties 
possessed without defining the method of attainment. High-level system specifications represent, in 
effect, system requirement" rather than a prescription of implementation characteristics. That the 
specification method allow such partial specification of system properties is important; without this 
capability, one is forced to ofJe"peei/y system descriptions. As a consequence, one both overconstrains 
possible implementation solutions and introduces spurious detail into the design specification. 
2.2 Credible Specifications and Proofs 
The intent of formal specification and verification is to increase one's confidence that a system will 
function correctly. As such, the specification and proof of system conformance must be beliefJtJble. To 
produce credible specifications, the specification language must be sufficiently close to the user's conceptual 
understanding of the task the system is to perform. Specifications that are as long as or longer than the 
actual code tor the system are likely to be harder to understand than the code itselr. 
Credibility or a verification effort requires that the end product be a proor that can be independently 
scrutinized and subjected to the social process. It must be possible to separate the process by which the 
proot was obtained from the proof itseJr. 
2.3 Form of Verification Support 
Mechanical theorem provers can be characterized by the style and level ot user direction necessary 
to' complete the proot. The spectrum ot possibilities ranges from completely automatic" out to lunch" 
verification, where no user interaction is necessary to-direct the proof to completion, to a proof checker 
(e.g., the FOL [Wey 80] system) where all steps are provided by the user. Between these extremes are 
interactive semi-automatic systems (such as LCF [Mil 79]) in which proofs are generated by a symbiosis 
of mechanically derived and user-provided steps. This is necessary because, in practice, theories that are 
sufficiently rich to be useful are usually either undecidable or have combinatorics that preclude practical 
decision procedures. Research in theorem proving has thus focused on methods by which the user can 
direct machine inference. 
Mechanical deduction in most systems has taken the form of heuristic algorithms for searching large 
state spaces to determine the sequence or intermediate steps necessary to torm a proof. Because or the 
difficulty in determining the ultimate success or failure of a heuristically ch05en proof strategy without 
exhaustive search, the user is charged with the responsibility for monitoring the proof attempt and aborting 
an unpromising path. Where the user can determine that an inappropriate proof strategy has been chosen, 
he then introduces additional lemmas in an attempt to induce the system to follow a more fruitful path. 
A drawback to heuristic theorem-proving attempts is that successful proor depends upon intimate 
knowledge of the heuristic!! employed. One must understand how very subtle changes in specification 
structure, even those that preserve semantic equivalence, can affect the direction and final outcome of the 
proof attempt. Lemma form becomes as important as content. In many cases the user may be aware 
oi the proof steps necessary to justify the lemma within the supported theory, but he may be unable to 
suggest the lemmas in the form appropriate to guide the verification system down the proper path. This 
difficulty may be attributed to the inability to provide a succinct, yet complete, characterization of the 
heuristics em ployed by the theorem prover. WIthout this characterization, effective use of the system will 
12 
depend not only on the understanding oj the underlying theory, but al.so u~n intimate knowledge of the 
theorem prover implementation. 
Our experience has led us to believe that effective symbiosis bet"lVeen man and machine depends upon 
3.. The predictability of machine-supplied deduction 
h. the user's ability directly to provide proof strategies and steps beyond the automatic deductive 
capability 
c. machine interaction with the user in the style and level of conceptualization natural to him 
d. the machine's ability to provide re,pon,;ve deductive support to maintain continuity of user interac-
tion. 
Our proof experience indicates th~t the predictability of machine aid is far more important than the 
occasional burst of insight. Successful interaction with a theorem prover depends upon the user's having 
a clear picture of how the formula is deducible within the theory and when 115er assistance is necessary. 
It seems unlikely in systems supporting extensive, but incomplete, deduction that the user would succeed 
without this insight. 
In a system involving extensive user interaction, one should not underestimate the importance of the 
user interface. It is crucial that all interaction be pre5ented at the level of 115er input and in a nat ural 
and succinct notation. Management of information becomes a major problem during proof construction. 
That the user retain a clear intuitive understanding of the specificatioD5 is paramount. Techniques for 
aggregation of information, such as theory parameterizaton, as suggested by Goguen and Burstall [BuG 
ii], are extremely important. Data base management aids for organizing and retrieving theories are 
critical. 
For the man-machine relatioD5hip to be symbiotic, machine respoD5e m115t keep pace with the user. 
The size of conceptual steps compreheD5ible to the user must be well matched to the computational 
efficiency of the theorem prover. Our experience indicates that a delay of more than on the order of one 
minute in machine response tends to cause loss of concentration. 
2.4 Related Work 
Much progress has been made in the last ten years on techniques for formal specification and 
verification. Early contributions to formal specification include Milner's work [Mil 67} on weak simulation 
and Parnas' [Par 72J on hierarchical methodology. The concepts introduced in thi:! early work were 
further developed and incorporated in the HOM methodology [RoL 77,LRS 79J. The more recent research 
of Goguen and Burstall on Clear [BuG 771 and of Nakajima on Iota [Nak 771 introduced the notion of 
higher-order theories and theory parameterization. 
At the same time, a great deal of research has focused on systems for mechanical verification. The 
e31'liest such systems depended strongly on heuristic-ba:sed, theorem proving strategies. The system:! or 
King [Kin 69J and Levitt and Waldinger [Le\V 751 are among the:!e. The Boyer-Moore theorem prover 
[BoM 79J is one of the most striking examples of the power possible using heuristic technique:!. The 
deductive component of STP, however, is more akin to the theorem provers of Bledsoe [B1e 74J, Nelson 
and Oppen [OpN 78], Shostak [Sho 77J, and Suzuki [Suz 751, all of which are founded on the use of decision 
procedures. The GYPSY system [Goo 791, the Jovial Verification System [EI:! 79J, the Stanford Verifier 
[Lue 79], and the SDC system [Sch 801 are recent examples of ~rogram veriiication :!!y:!!tems. 
By and large, 3peciiication research has been pUMued independently of 'Work on yeriiication. Only in 
the J:l.St few years has emphasi:! been placed on the interaction bet"lVeen the specification medium and the 
13 
verification component. The Affirm system [Mu 801, ror example, utilizes a term rewriting system, both 
as an algebraic specification medium and as a vehicle ror mechanical proor. The system de5cribed in the 
current paper continue5 the emphasis on maintaining a close balance between the level or conceptualization 
supported in the specification and the level at which machine-aided deduction OCC1U'3. 
3 The Logic of STP 
Berore pre5enting a rormal de5cription or the logic supported by the system, we present a simple 
example to give an intuitive reeling ror the specification style. 
We define a parameterized theory or Pairs or objects or two arbitrary type domains. We then use this 
theory to derive a theory or integer Intervals, represented by pairs or beginning and end points. 
Figure 1 shows the specification or th~e theories in STP. The user declares the parameterized type 
PAIR.OF(TI T2) in line 3, having previously declared type variables TI and T2 in lines I and 2. The 
accessor operation FIRST is defined by the DS (Declare function Symbol) command in line 4 to take a value 
of type PAIR.OF(TI T2) and return a value of type Tl. The SECOND component acc~or is analogously 
defined in line 5. A pair constructor MAKE.PAIR(TI T2) is declared in line O. Variables X and Y are 
declared to be of schematic types Tl and T2 (respectively) in Jines 7 and 8. These declarations introduce 
new function and variable symbols, but attach no semantics. Lines 9 and 11 introduce two axiom schemes 
to define the properties of Pairs. Axiom Al defines the accessor functions FIRST and SECOND to retrieve 
the first and second components (respectively) of a pair constructed by MAKE.PAIR. Axiom A2 extends 
the equality operation by defining two Pairs to be equal exactly when the corresponding components are 
equal. Equality is predefined over all domains. 
INTERVAL is introduced as a subtype of PAIR.OF(INTEGER INTEGER) in line 13. Note that 
type variables TI and T2 are thus both instantiated as ground type INTEGER. The subtype declaration 
declares Intervals to be an extension of the theory oc Pairs oc Integers. The type theory allows implicit type 
coercion from a subtype to a supertype (but not vice versa). Thus, all axioms defining Pain of Integen 
are applicable to Intervals - in this case, instances of axiom schemes Al and A2. 
Lines 15 and 16 introduce derived Interval operations BEGINNING and END, defined as the selection 
of the first and second Pair values (respectively). The DD (Declare Definition) construct can be vie.ed as 
a means of conservative extension. Semantically, line 15 is equivalent to introducing the axiom (EQUAL 
(BEGINNING II) (FIRST II)). Operationally, the DD defining BEGINNING is automatically instantiated 
and applied as an axiom. Similarly, a MAKE.INTERVAL constructor is derived in line 20 in terms of the 
MAKE.PAIR operation oc the supertype. 
After introducing the signature ror 3n Interval MEMBER operation in line 21, axiom A3 in line 22 
begins to introduce Interval semantics. An Integer I is defined to be a Member or Interval II exactly when 
it lies between the beginning and ending points or the Interval. This completes our abbreviated definition 
of Integer Intervals. 
14 
1. (DTV TI) 
2. (DTV T2) 
(QUOTE "The following is a partial theory of Pairs") 
3. (DT PAIR.OF (TI T2)) 
4. (DS TI FIRST ((PAIR.OF Tl T2))) 
5. (DS T2 SECOND ((PAIR.OF TI T2))) 
6. (DS (PAIR.OF TI"T2) MAKE.PAIR(TI T2)) 
7. (DSV TI X) 
8. (DSV T2 Y) 
9. (DA Al (AND (EqUAL X (FIRST (MAKE.PAIR X Y))) 
(EQUAL Y (SECOND (MAKE.PAIR X Y))m 
10. (DSV (PAIR.OF TI T2) P) 
11. (DSV (PAIR.OF Tl T2) PI) 
12. (DA A2 (IFF (EQUAL P PI) 
(AND (EQUAL (FIRST P) (FIRST PI)) 
(EqUAL (SECOND P) (SECOND PI))))) 
(QUOTE "The theory of Intervals is now derived as a subtheory of Pairs") 
13. (DST INTERVAL (PAIR.OF INTEGER INTEGER)) 
14. (DSV INTERVAL II) 
15. (DD INTEGER BEGINNING (II) (FIRST II)) 
16. (DD INTEGER END (II) (SECOND II)) 
17. (DSV INTEGER I) 
18. (DSV INTEGER J) 
19. (DSV INTEGER K) 
20. (DD INTERVAL MAKE.INTERVAL (I J) (MAKE.PAIR I J» 
21. (DS BOOL MEMBER (INTEGER INTERVAL» 
22. (DA A3 (IFF (MEMBER I II) 
(AND (LESSEQP (BEGINNING II) I) 
(LESSEQP I (END II))))) 
Figure 1 
15 
3.1 Formal Description oi the Language 
The language of our logic i~ ~imilar to that of conventional multi~orted ~t-order logic, but provides 
(or parameterized sorts and sort hierarchies. Before describing the structure of formulas in our logic, 
we need first to define the language of sort expressioIl3 (which, (or re3.50Il3 of conformance with the 
specification literature, we call type expressions). 
3.1.1 Language of Type Expressions 
The vocabulary of type expressioIl3 is very much like that o( ordinary ~t-order terms. A theory 
in our logic has a countable set or type variable., and (or each n > 0, a countable set o( n-:ary twe 
"ymbo/8. Type symbols or degree 0 are said to be elementary, while those of nonzero degree are said to 
be parameterized. Every n-ary parameterized type symbol has associated with it a parameterized type 
temp/ate given by an n-tuple or (not necessarily distinct) type variables. The intended meaning o( the 
templates will be clear shortly. A legal type ezprellion, or simply type ezpre8.ion is a term recursively 
constructed rrom type variables and symbols in the (ollowing manner: 
3. A type variable is a type expression. 
b. An elementary type symbol is a type expression. 
c. If t is an n-ary parameterized type symbol, t1, t2, .•• , t" are type expressions such that ti - tj whenever 
the ith and jth components or the type template of t are equal, then t(t1, t2, ... , t,,) is a type expression. 
Note that the template or a parameterized type symbol (orees certain o( the symbol arguments in 
a type expression to be identical. 1(, ror example, INTEGER and REAL are elementary type symbols, 
U and V are type variables, and MIXEDTRIPLE is a trinary type symbol with template <U,U,V>, 
then MIXEDTRIPLE(INTEGER INTEGER REAL), MIXEDTRIPLE(REAL REAL REAL), and MIXED-
TRIPLE(V V U) are all legal type expressioIl3, but MIXEDTRIPLE(INTEGER REAL REAL) is not. 
We refer to type expressions that contain type variables as ,chematic type, and those that do not as 
ground type8. By type 8ubditut;on, we mean a substitution that replaces type variables by type expressions. 
By a type indance of a given type, we mean any type resulting from the application of a type substitution 
to the given type. 
The rai80n d'etre for schematic types is to permit us to talk about many types of objects at once. For 
example, we may want to Cormulate and apply a certain property or SETs, in various contexts, to SETs 
oC INTEGERs, SETs oC FOOs, and so on. Rather than stating and proving the property separately Cor 
SET(INTEGER), SET(FOO), etc., we need only prove it about SET(U), whe~e U is a type variable. As 
will be seen later, we will then be able to apply the property in the context or each specific instance oC U. 
In addition to a set o( type variables and type symbols (and templates), each theory in our logic has 
associated with it a ,ubtype Ilrudure, expres~ed as a binary relation over type expressioIl3. The ~ubtype 
relation is defined in the Collowing way. 
First, certain type symbol~ are designated as ,ubtype 'ymho/,. &sociated with each elementary 
subtype 5ymbol is a ground type expression, ~aid to be its immediate lupertype. Associated with each 
parameterized symbol" is :1 schematic type expre~sion t, said to be the immediate ,upertype oC the type 
expression 8(t 1, t2, ... , t,,), where < tl, t2, ... , t" > is the template of 8. The type expression t is constrained 
to have exactly the same set of type variables as the set oC type variables occurring in the template of 8. As 
:1 further con5traint, it mU!St be possible to find a total ordering or 311 subtype symbols in such 3 way that 
each is junior in the ordering to every subtype symbol occurring in its associated immediate supertype. 
(This constraint is necessary to prevent circularity in the subtype structure, and is automatically satisfied 
16 
in the mechanization by virtue of the chronological ordering of subtype declaratioDS.) Now, the subtype 
relation is defined recursively as the co~est binary relation over type expre~ioDS that: 
i. contains < 8, t > for each elementary subtype symbol 8 with immediate supertype t. 
ii. contains < S{tll t2, ... , tt:'), t > for each parameterized subtype symbol" with immediate supertype t 
and template < til t2, ... , tn >. 
iii. is closed under reflexivity, traDSitivity, and type instantiation. 
By "closed under type instantiation", we mean that ir t is a subtype of ~ (i.e., < t, ~ > is in the 
relation) and ~ is a type substitution, then u(t) is a subtype 01 u(~). 
Suppose, for example, that U and V are type variables, that SET and SETOFPAIRS are unary type 
symbols with template <U>, that HOMOGPAIR is a binary type symbol with template <V,V>, and 
that INTEGER, RATIONAL, and REAL are all elementary type symbols. Suppose also that INTEGER is 
a subtype symbol with immediate supertype RATIONAL, RATIONAL is a subtype symbol with immediate 
supertype REAL, and that SETOFPAIRS is a subtype symbol with immediate supertype SET(HOMOG. 
PAIR(U U)). Then the following are true: 
INTEGER is a subtype of RATIONAL and REAL 
RATIONAL is a subtype of REAL 
SET(INTEGER) is a subtype of SET(INTEGER) 
SETOFPAIRS(V) is a subtype of SET(HOMOGPAIR(V V)) 
SETOFPAIRS(SET(INTEGER)) is a subtype of SET(HOMOGPAIR(SET(INTEGER),SET(INTEGER))) 
SETOFPAIRS(SET(SET(U))) is a subtype of SET(HOMOGPAIR(SET{SET(U)),SET(SET(U)))) 
Note, however, that SET(INTEGER) is not a subtype of SET(REAL). 
One can prove from the definitions that the subtype relation imposes a well-founded partial ordering 
on the type expressions of the theory. This partial ordering, moreover, is structured as a set of top-rooted 
trees (thinking of sons as subtypes of fathers). A type expression can have several sons, but no type 
expression can have two unrelated ancestors. 
3.1.2 Primitive Types 
Different theories in our logic can, of course, have quite different type vocabularies, supertype struc-
tures, or both. All, however, are considered to share certain primitive types. These include the elementary 
type BOOL and the elementary types INTEGER, RATIONAL, REAL, and NUMBER. INTEGER is a 
subtype symbol with immediated supertype RATIONAL, RATIONAL is a subtype symbol with immediate 
supertype REAL, and REAL is a subtype symbol with immediate supertype NUMBER. Neither BOOL 
nor NUMBER i:I a ~ubtype ~ymbol. A.!s we will ~ee later, the~ ~ymbol~ ~e all interpreted, i.e., have II 
priori semantics in interpretations. We will see that the semantics are as one would expect, except that 
NUMBER, REAL, and RATIONAL are considered to have identical semantics. In addition, each theory 
is considered to have the type variable *T*. The inclusion of at least one type variable is necessary for 
defining certain primitive function symbols, such as EQUAL. 
As a theoretical aside, it might be noted that BOOL is the only primitive type that is truly nec~sary 
to provide the bootstrapping power needed to define interesting theories. For once BOOL is provided, one 
has :111 the power oi conventional first-order logic, and can axiomatize other concepts (such as INTEGERs). 
We have included the other primitive types as an important convenience. As the conventional semantics 
17 
of other useful types (such as SETs, SEQUENCES, and so on) are mechanized, th~ types wiil also be 
considered as primitives. 
3.1.3 The Language of Formulas 
In conventional predicate calculus, formulas are constructed from atomic formulas and the familiar 
propositional and ~t-order connectives. The atomic formulas, in turn, are constructed rrompr"~dicate 
letters and term expressions. Allor the structure at or above the level or predicates in 3 iir.It-order 
formula is of course Boolean, whereas all or the runction symbols occurring beneath the predicate :symbols 
are interpreted over an arbitrary nonempty set (said to be the ciomain or the interpretation). 
Formulas in our logic are constructed similarly, except that the symbols occurring in terms can have 
arbitrary types, including type BOOL. There is thererore no reason to distinguish between ·,redicates" 
and "terms". In recognition of this point, it will be convenient simply to speak or 'umbol;c .~:rpre .. ion'; 
formulas, in particular, will merely be symbolic expressions or type BOOL. A3 an abbreviation, we will 
sometimes simply say "expression" rather than "symbolic expression" when there is no possi7:11e conrusion 
with type expressions. It is important to note, in this' connection, that we want to draw a firm distinction 
between symbolic expressions and type expressions; in particular, "TYPE" is not itselr a type, contrary to 
the viewpoint expressed in some programming languages. 
These remarks having been made, we return to rormal description. Beyond the vocabulary or type 
expressions described earlier, a theory in our logic has a countable set or ,ymbo/ic "ariable, (or just 
variable,,) VI, V2, ••• , and for each integer n > 0, a countable set o( n-arllfunction ,ymbol' f~, n, ... 
Associated with each variable and (unction symbol is a ,,·gnature. The signature or a variable is an 
arbitrary type expression, said to give the type of that variable. The type signature or an n-ary runction 
symbol is an n + I-tuple of type expressions. The first component gives the return tupe o( the (unction 
symbol, and the remaining n components the formal argument type,. The only restriction placed on these 
type expressions is that (or function symbols other than constants (i.e., o( degree > 1), each Iype var;able 
that occur., in the return type mull occur in alleall one 0/ the argument type,. For example, it F is a unary 
function symbol with return type SET(U), then the formal argument type or F could be HOMOGPAIR(U 
U) but could not be HOMOGPAIR(INTEGER INTEGER). The intent here is that any ground binding o( 
the type variables in the formal argument types should uniquely determine a ground instance o( the return 
type. We will say that a variable or (unction symbol whose signature has at least one schematic type is 
,chematic. The intuitive meaning is that a schematic symbol is a kind of abbreviation (or an entire class 
of symbols, the signature of each member o( which is a ground instance o( the signature o{ the schematic 
5ymbol. 
The legal ,ymbolic e:zpreu;om, or ju.st e:zpre .. ;on, o{ a given theory are defined rec~ively as {ollows. 
We say that t is an e:zpre,,;on if 
i. t is a term, i.e., either a variable or o( the (orm f( tl, t2, ... , t,,), where f is an n-ary (unction symbol 
(n ~ 0) and each ti is (recursively) a term, and 
11. t typecheck". 
The only departure from predicate calculu.s is thu.s the type-checking restriction. Roughly speaking, 
the meaning of "typechecks" is -:ihat one would expect: that the arguments to a function symbol are of 
the appropriate type. Because of the presence or type variables and subtype structure, however, the exact 
meaning of "appropriate" needs some explanation. 
Since the subtlety owes primarily to the type variables, let ~ fir.lt eonsider terms none or whose 
symbols is schematic. 'rVe will say that the return type of such a term is ju.st the return type or the 
18 
outermost function symbol (or, il the term is j~t a variable, the return type 01 the variable.) We will 
say that such a term typechecb il and only il the return type of each actual argument to a lunction 
symbol occurring in the term is a subtype of the corresponding lormal argument type in the signature 01 
the function symbol. For example, ir QPLUS takes two RATIONALS and returns a RATIONAL, and il 
INTEGER is a subtype 01 RATIONAL is a subtype or REAL, then QPLUS(X X) typechecb ir the type 
of X is INTEGER or RATIONAL, but not ir the type or X is REAL. 
The situation becomes more interesting it any or the symbols occurring in the term t is schematic. In 
this case, t typechecb if there is a way or instantiating the signature of each such symbol that ca~s t to 
typecheck in the sense just given ror terms with no schematic symbols. For example, suppose that F is a 
schematic symbol with signature <SET(U),U,U> (i.e, F takes two arguments or type v, V a type variable, 
and returns a SET(U)). Suppose also that I and X are variables with types INTEGER and RATIONAL, 
respectively. Then F(I X) typechecb, since applying the substitution {U / RATIONAL }t.o the signature 
of F (meaning that F now takes two RATIONALS and returns a SET(RATIONAL)) causes the type or 
each actual to be a subtype 01 the corresponding expected argument type. 
In the case whete a schematic symbol occurs more than once in a term, we permit a separate 
instantiation 01 its signature lor each occurrence. For example, ir G is a binary runction symbol that 
takes a SET(BOOL) and a SET(REAL) as arguments, the term G(F(TRUE, TRUE), F(I, I» typechecb, 
using the substitution {U / BOOL}lor the left occurrence and {V / REAL}lor the right occurrence 01 F. 
Schematic variables and constants are treated specially. The substitutions associated with occurrences 
of variables and constants in an expression must agree on all type variables their signatures have in common. 
For example, if variables A and B are both or type SET(V), the term G(A,B) does not typecheck, since 
the substitutions associated with A and B must give U the same value. 
Each assignment of substitutions to the symbol occurrences or a term that causes the typechecking 
requirement to be satisfied will be called a JJyntactic interpretation of the term. We can say, then, that 
a term is a legal expression if and only if it has ~t least one syntactic interpretation. Just M schematic 
symbols can be viewed as representing a class 01 symbols, terms involving schematic symbols can be 
considered as representing classes 01 terms, one lor each syntactic interpretation. 
It should be noted that the definition or "typechecks" just presented is completely nonconstructive; 
we have not said how to find the needed signature instances; indeed, we have not even explained how or 
whether it is possible to tell whether one type expression is a subtype 01 another. Clearly, without an 
effective way of testing for syntactic well-form edness , a logic is hardly of practical interest. Fortunately, 
both the subtype relation and the typecheck predicate are effectively (and easily) computable. We show 
in a forthcoming paper that the subtype relation can actually be computed using a finitely terminating 
canonical term rewrite system. A type expression t is a subtype of another type expression t! iff t 
(eventually) rewrites to t'j the canonical lorms of the system are those types that are subtypes only or 
themselves. 
We also give an algorithm lor type checking that depends on the notion 01 lealt general ,yntactic 
interpretation. We say that one syntactic interpretation is Ie" general than another il the type substituted 
for each type variable in the substitution corresponding to a given symbol occurrence in the first syntactic 
interpretation is a subtype of the corresponding substituted type in the second. (For example, the syntactic 
interpretation of F(I I) in which the substitution {U / INTEGER lis ~ed for the occurrence of F is less 
general than that in which {U / RATIONAL lis used.) One can show that each expression has a unique 
least general syntactic interpretation modulo the assignment 01 types to the type variables in the signatures 
of yariable and constant symbols. 19 
3.1.4 Primitive Function Symbols 
Each theory is considered to include the following function symbols as primitives. For each symbol, 
the return type is given first, then the function symbol followed by a list oC argument typ~. 
BOOL TRUE{) 
BOOL FALSEO 
BOOL AND(BOOL BOOL) 
BOOL OR(BOOL BOOL) 
BOOL IMPLIES(BOOL BOOL) 
BOOL NOT(BOOL) 
BOOL IFF(BOOL BOOL) 
BOOL FORALL(*T* BOOL) 
BOOL EXISTS(*T~ BOOL) 
BOOL EQUAL(*T* ·T*) 
BOOL LESSEQP(NUMBER NUMBER) 
BOOL LESSP(r-.lJMBER NUMBER) 
BOOL GREATEREQP(NUMBER NUMBER) 
BOOL GREATERP(NUMBER NUMBER) 
NUMBER PLUS(NUMBER NUMBER) 
NUMBER DIFFERENCE(NUMBER NUMBER) 
NUMBER MINUS(NID.mER) 
NUMBER TIMES(NUMBER NUMBER) 
I 
The IFF construct shown above is interpreted as Boolean equivalence. The IF construct 'is the 
McCarthy three-placed it statement that is interpreted to return the value oC the second or third argument, 
depending on whether the predicate in the first argument place is true or false, respectively. 
In addition to those in the list above, there is a constant symbol for each integer and rational number. 
Note that arithmetic functions, such as PLUS, all take NUMBERs as arguments. Thus, iC I is an INTEGER 
yariable, and F is a monadic function symbol with argument type INTEGER, then PLUS(I I) is a legal 
expression, but F(PLUS(I I)) is not, even though the semantics oC INTEGERs guarantee that the sum oC two 
integers is always an integer. The desired effect can be obtained in practical applications by introducing 
a function symbol IPLUS with INTEGER arguments and return type, and endowing that symbol (using 
a definition) with the semantics oC PLUS, r~tricted in integers. 
The signatures of EQUAL and IF in the list above both u!!e the primitive type variable ·T·. It 
follows from the typecheck requirement that the typ~ of the two actual arguments to EqUAL in 3 legal 
expresssion need not be the same; they must, however, have a common supertype. Similarly, the types of 
the two branch expressions of a three-placed IF construct must have a common supertype. 
For the two quantifiers (FORALL and EXISTS), an additional syntactic restriction is imposed beyond 
the u:mal typecheck rule: the fi~t argument to e:J.Ch of these in 3 legal expression must be 3 variable. 
20 
3.2 Semantics or Theori~ in the Logic 
As one would hope, the meaning of formulas in the language reflects intuition. Once again, the only 
real depa.rt ure from conventional quantification theory with equality stems from the presence of sorts. 
Expressioo:3 have meaning only with respect to inlerpretaliofU. An interpretation consists 01 the 
assignment of :lets, called domaifU, to the type expressions 01 the theory, and 01 functions to the function 
symbols of the theory. 
More specifically, an interpretation assigns to each ground type expression a nonempty set in such a 
way that for any two ground type expressions t and c' 
i. The ~et associated with t is a subset of that associated with tI il and only il t is a subtype of tI. 
ii. The !et associated with t has a non-empty intersection with that associated with tI if and only if t 
and L" have a common supertype. 
iii. The get of rational numbers is associated with typ~ NUMBER, RATIONAL, and REAL, the set of 
integers is associated with type INTEGER, and the set 01 truth values (true and !aue) is associated 
with type BOOL. 
Clause (i) says that the partial ordering or assigned domains under set inclusion must be isomorphic 
to the subtype partial ordering. Clause (iii) gives RATIONALS, INTEGERS, and BOOLS their standard 
interpretation, but identifies NUMBERS and REALS with rationals. REALs thus acquire the same 
interpretation they are given in most programming languages in recognition 01 the limitations 01 machine 
representation. 
An intepretation also assigns to each n-ary nonschematic runction symbol an n-ary lunction whose 
signature is obtained from that of the function symbol by replacing each type expression with its assigned 
domain. Constant symbols, in particular, are assigned elements from the domain associated with their 
return types. Primitive nonschematic function symbols are given their standard meanings. 
Every schematic function symbol is assigned a multiplicity 01 functions - one ror each ground instance 
of its signature. (Intuitively, one can think or schematic function symbols as abbreviations for a class of 
symbols.) The signature or the assigned function corr~ponding to a given signature instance is that 
obtained by replacing each type expr~sion in the instance by its assigned domain. Once again, primitive 
symbols, including the quantifiers, are given their usual semantics. Note that each quantified variable 
ranges over a single domain. 
Now, each closed expression (closed in the sense of having no unbound variabl~) tak~ a meaning, or 
valuation, with respect to a given interpretation 1 and a given assignment J. of ground type expressions to 
the type variables occurring in the signatures of variable and constant symbols. For expressions involving 
only nonschematic symbols, the valuation is defined recursively in the way one would expect: the valuation 
of a constant is just the domain element assigned to it by I, and the valuation of a nonconstant is obtained 
by recursively applying the function assigned to its outermost symbol to the valuations of its arguments. 
For expressions involving schematic symbols, the valuation is defined as that of the least general syntactic 
interpretation (as defined earlier) modulo the assignment A. (Note that the assignment A is analogous to 
the assignment of domain values to free variables in interpretations or predicate calculus.) 
The notions of validity and satisfiability are now defined in the usual way. A formula (i.e., an 
expression of type BOOL) is said to be 1)(J/id if and only if its universal closure has valuation true in all 
interpretations; it is 6ati6fiable if its existential closure is true in at least one interpretation. 
21 
3.3 The Proof Theory and its Mechanization 
The connection between the model-theoretic semantics described in the previoU3 section and the proof 
mechanism used in our system is made by a generalized rorm or the Skolem-Herbrand-GOdel theorem. 
Herbrandian semi-decision procedures, of course, have long been the most popular means of mechanizing 
Quantified logics. Because or the extensions to ordinary quantification theory provided by our language, a 
generalized form of the theorem must be U3ed and a mechanical proof procedure formulated on the basis 
of this generalization. 
Before outlining the theorem and the derived procedure, it "i11 be helpful to describe the deductive 
mechanism that lies at the heart of the prover. This mechanism consists of an efficient implementation or a 
decision procedure ror unquantified rormulas in an extension or Presburger arithmetic. The theory includes 
the .usual propositional connectives: equality, rational and integer variables and constants, the arithmetic 
relationil <, ~, >, ~, and addition and multiplication. Uninterpretecl predicate and runction symbols of 
type integer and rational are also permitted. The decision procedure is complete for the subtheory or this 
theory having no integer variables or function symbols, and containing no nonlinear use or multiplication. 
The procedure is sound, or course, for the entire theory, and is able to prove the vast majority of formulas 
involving integer constructs that are actually encountered in practice. The speed of proof, moreover, is 
fairly impressive: theorems occupying several pages in the SIFT effort were U3ually proved in well under 
a minute. (Indeed, as we noted elsewhere, such speed has proven to be essential to our methodology.) 
It should be noted, however, that this decision theory does not include quantified formulas, nor does it 
support function symbols of U3er-defined types. 
The proof procedure derived from our generalization or the S.-H.-G. theorem can be viewed as a 
means of reducing the proof or formulas in the typed first-order theory that the user has formulated to 
the automatic proof of formulas in the underlying unQuantified decision theory we have jU3t described. 
Informally speaking, the S.-H.-G. theorem states that a rormula of predicate calculU3 is valid if and only 
if some disjunction of instances of its validity Skolem form is tautological. The instane-es must replace 
variables in the Skolem form with terms in the Herbrand Universe of the formula. The generalization of 
the theorem to deal with formulas in our typed language is stated similarly, but requires that 
i. Each variable be instantiated with an expression whose type is a subtype of that of the variable, and 
ii. Each instance typechecks. 
The generalization states that the given formula is valid according to the semantics defined in the 
last section if and only if some disjunction of instances satisfying (i) and (ii) above is true, con.idered (J' (J 
formula in the underlying deci8ion theory, where it is under.ltood that symbols of a subtype of BOOL are 
considered to be of type BOOL, symbols of a subtype of INTEGER are considered to be of type INTEGER, 
and all other symbols are considered to be or type RATIONAL. In effect, the generalization holds that 
once the instances have been typechecked, all of the type information other than that distinguishing 
RATIONALs, INTEGERs, and BOOLs can be stripped away. 
The theorem immediately gives rise to a proof procedure: with assistance from the U3er, appropriate 
instances of the Skolem form of the theorem to be proved (together with instances of any axioms or 
lemmas needed to prove it) are formulated, disjoined, and submitted to the underlying decision procedure. 
A detailed description of the decision procedure is given in [Sho 82]. 
Operationally , the user is saved from any details or this process other than selecting appropriate 
instances. In particular, the process of Skolemization is completely transparent to him, as are the 
disjunction of instances and the submission oC this disjunction to the underlying decision mechanism. 
The user is thus free to re3:5on exclusively at the level or his ~t-order typed theory. 
As an illustration, let 113 return to the example from the theory of Intervals presented in Section 2.l. 
22 
We proye the simple theorem that e.yery interval with an end point greater than or equal to the beginning 
point contains at least one number as a member. Figure 2 shows the expr~sion and proof oi this theorem. 
Line 23 encodes the theorem within the theory or Intervals previo~ly defined. ~ expected, one prov~ 
a formula of the form 3:r P(:r) by demoILStrating some value v such that P(v). In this case, the user 
must obserYe that, from (GREATEREQP J I) in the antecedent, axiom A3 defining Intenal membe~hip, 
and the definition given in Al of the Interval constructor MAKE.INTERVAL, one can determine that the 
beginning interval value I satisfies the formula (MEMBER I (MAKE.INTERVAL I J)). In line 24, the 
user invokes the PR command to cOILStruct this proof. The system then prompts the user for the needed 
substitutions .. 
23. (DF THEOREM (IMPLIES (GREATEREQP J I) 
(EXISTS K (MEMBER K (MAKE.INTERVAL I J))))) 
2~. (PR THEOREM 
Al 
A3) 
Want iILStance for THEOREM! Y 
K/I 
Want instance for AI! Y 
Y/ J 
X/ I 
Want instance for A3! Y 
11/ (MAKE.lNTERVAL I J) 
1/ 
---Proving'---
160 conses 
.2 seconds 
Proved 
4 The Proof of SIFT 
Figure 2 
SIFT (Software-Implemented Fault Tolerance)(Wen 78] is a reliable aircraft flight control computer 
system. SIFT uses five to eight Bendix BDX930 computers, each equipped with its own private storage. 
A broadcast communication mechanism allows each processor to traILS mit its r~ults to a buffer area in 
each processor. The design is fully distributed, with no common b~~, no common clocks, no common 
interrupt or synchronization registers, no common storage, and no physical meaILS or isolating a raulty 
processor. The SIFT processors (physically) share only the ability to communicate with one another. 
In SIFT, fault masking, detection, and reconfiguration are all managed by software. Safety-critical 
tasks are replicated on three or more proc~sors, with all proc~rs voting on the results of each redundant 
computation. A Global Executive task, which is itself replicated, is r~poILSible for fault diagnosis on 
the basis of error reports irom the voting software, and for selecting a new configuration excluding the 
processors deemed to be faulty. The r~ult of this reconfiguration is that tasks are shifted from faulty 
processors to those still working. EYery proc~sor vot~ on the r~ults of the Global Executive and adjusts 
its t.:lSk schedule accordingly. 23 
·SIFT's processors run asynchronously; each contains its own private clock. The software must 
maintain a loose synchronization to within approximately 50 microseconw, and each proc~sor runs 
a task periodically to resynchronize its clock with those or the other processors in the configuration. 
Care was taken in the design to ensure that, even under rault conditions, all working proces!Ors retain 
synchronization and remain consistent in their schedule and configuration. 
4.1 The Design Hierarchy or SIFT 
The problem or specification credibility in the proor or SIFT is addressed through the use or hierar-
chical design specification and verification. This approach allows incremental introduction and verification 
of design aspects - making a step-by-step connection between the high-level, abstract view or the system 
to the detailed control and data structures employed in the implementation. Figure 3 iJIustra~ the 
SIFT design hierarchy. At present, the STP system does not provide specific mechanical support ror the 
hierarchical specification structure; we discuss ruture work in this direction in Section 4. 
The 10 Specification, the most abstract Cunctional description or the system, asserts that, in CI u/e 
configuration, the result or a task computation will be the effect or applying its mathematical runction 
to the results or its designated set or input tasks, and that this result will be obtained within a real-time 
constraint. Each task or the system is defined to have been performed correctly, with no specification or 
how this is achieved. The ~odel has no concept or processor (thus no representation or replication of tasks 
or voting on results), and of course no representation or asynchrony among processors. The specification 
or this model contains only 8 axioms. 
The Replication Specification elaborates upon the 10 Specification by introducing the concept or 
processor, and can thererored~cribe the replication or tasks and their allocation to processors, voting on 
the results or these replicated tasks, and reconfiguring to accommodate faulty proCes!Ors. The specification 
defines the r~ults or a task instance on a working proc~sor based on voted inputs, without defining any' 
schedule of execution or processor communication. This model is expressed in terms or a global system 
state and system time. 
The Broadcast Specification develops the design into a Cully distributed system in which each processor 
has access only to local information. Each proc~sor has a local clock and a broadcast communication 
interface and buffers. The asynchrony among processors and its effect upon communication is modeled. 
The specification explicitly defines each processor's independent inCormation about the configuration and 
the appropriate schedule or activities. The schedule of activities defines the sequence of task executions 
and votes necessary to generate task results within the required computation window. The Broadcast 
Specification is the lowest level description or the complete multiprocessor SIFT "V8tem. 
The PrePost Specification consists or specifications ror the operating system ror 3 single processor. 
The specification, in terms or pre-conditionfpost-condition pairs, Cacilitates the use or sequential proof 
techniques to prove properties or the Pascal-based operating system as a sequential program. These 
specifications are very close to the Pascal programs, and ~ntially require the programs to "do what they 
do". 
The Reliability Analysis is a conventional discrete semi-Markov analysis that calculates the probability 
that the system reaches an unsafe configuration from the rates or solid and transient faults and from the 
reconfiguration wtes. Neither this Reliability Analysis nor the other Fault and Error Models will be 
described here. 
A more detailed presentation or the SIFT specifications and their verification can be found in [MeS 
82]. 24 
BOX930 Microprogram 
Procmor Specification 
BOX930 
LovicDnign 
R.li.bility 
An.lysis 
Error Rit. 
An.lysis 
mes 
BOX930 
Flult Model 
BOX930 
SpecifiCition 
BDX930 
Microprovram 
FIGURE 3 
25 
1/0 
Spec:ifiCition 
R.plication 
Spec:ifiCition 
BrOldc:ut 
SpecifiCition 
PrePost 
Spec:ifiCition 
PSICII 
Provr.m 
BOX930 
Provram 
4.2 The Proof of the SIFT Design 
Hierarchical proof of design involves axiomatically defining a mapping from functions and predicate 
symbols of a level of the design to terms or the level below. One then proves each axiom or the higher 
level as a theorem in the theory of the level below. 
The most substantial portion of the verification or the 10 Specification involved proor or the axioms 
that define the results or task:s in a safe configuration. To derive th~ from the Replication level involved 
a demonstration that task replication and majority voting suffice to mask errors in a sate configuration. 
To do 50 required approximately 22 proots, with an average or 5 premises necessary per proot, and 106 
in:stantiation:s of axioms and lemmas used overall. 
The proof of the relationship between the Replication Specification and the Broadcast Specification 
was more challenging. This proof required demomtrating the consistency ot information present in each 
working processor (the set of processors still in the configuration, in particular), or the correct schedule to 
be used, and of the results of past task iteration:s. Furthermore, the proot required showing that the various 
processors, operating independently and asynchronously with only local information, can communicate 
with each other without mutual interference, and can cooperate to produce a single global system defined 
by the Replication Specification. It was also necessary to show that the task schedules were such that 
the task results are always available in other processors when required. The derivation ot the Replication 
axioms involved 56 proofs, with an average o( 7 premises each, and 410 in:stantiations o( axioms and 
lemma5 overall. 
The proof of the relationship between the Broadcast Specification and the PrePos"t Specification was 
easier. Most of the interest centered on the mapping between the properties o( the changing values or 
variables in the Pascal system and the properties o( the Broadcast model's more abstract state (unctions 
which are explicitly parameterized by time and processor. A (uther complication concerned mapping the 
functional representation of data structures in the Broadcast model to the (finite) Pascal data structures. 
Derivation of the necessary Broadcast axioms involved 17 proots, with an average o( 9 premises each, and 
148 instantiations overall. The proot of the Pascal programs from the Pre Post Model specifications used 
conventional verification eondition generation. 
5 Future \-Vork 
As a result ot experience with both design and code proot in the SIFT effort, several improvements 
and changes to STP are contemplated. We intend to implement decision procedures tor an expanded set o( 
primitive theories - all syntactically eharacterizable. We envision doing this at least tor a large rragment ot 
set theory (following the work ot Ferro and Schwartz [FeS 80D, ~quences, and tuples. Mechanical support 
for induction schemes is also needed. The u:ser currently can introduce" induction" axioms, but with no 
implied semantics. We also anticipate providing direct mechanical support tor hierarchical development. 
Improvements to the user interface will take several torms. In the current system, the u:ser is foreed 
to specify theories in the abstract syntax ot Lisp. For all but the heartiest ot users, pure prefix syntax 
is clearly uD5atisf:l.Ctory. \Ve are currently defining an external, enriched specification language and 
a corresponding reduction to the current type theory. The language will contain explicit support for 
hierarchical specification, theory encapsulation, !Coping, and implicit state; it will support SPECIAL-like 
state-machine specifications [LRS 791 as a sublanguage. 
A graphic5 interface i5 contemplated to ~sist in eonstrueting and manipulating theorie5 and libl'3ries 
of theorie5. In addition, our experience with code proof indieates that forcing the u~r to re~n at the level 
of formulas mechanically genel'3ted by a VCG is doomed to failure. Re~ning at this level is antithetical 
26 
to our philo:!ophy or man-machine dillCo~ at the level or user conceptualization - in this case, the level 
of the program :!tructure. We intend over the next year to experiment with user interaction at the level of 
path (and :!ubpath) assertioIl!5 within the program structure, hoping that this will achieve in the program 
domain what was gained in the present system by hiding the internal mt-order/ground rormula mapping 
from the U5er in present design proor. 
Finally, we intend to supplant after-the-ract mechanical support ror complete proor construction with 
incremental pro or cOD!ltruction. Our goal is to replace, iD!lorar as possible, explicit user iD!ltantiation of 
symbols with a rormallanguage in which the ~r can incrementally cOD!ltruct and apply a high-level proof 
strategy. With this approach, we believe we have a more efficient proor strategy while requiring less effort . 
on the U5er's part. In this way, we hope to preserve the man-machine balance as we increase the U5er's 
capability to formulate and reason about larger conceptual steps within the theory. 
6 Acknowledgments 
We want to acknowledge the contributions or Dwight Hare to the development or STP and the proof 
of SIFT, and of ~Iie Lamport to the early formulations o( the SIFT specifications. 
References 
[Ble 74] 
[BoM 79] 
[BuG 77] 
[Els 79J 
[FeS 80J 
[Goo 79] 
[Kin 69] 
[LeW i51 
[LRS 79J 
[Luc i9J 
[Me3821 
[Mil ill 
[~lil i9] 
[~Iu:! 80] 
Bledsoe,W.W., "The Sup-inr method in Presburger arithmetic", Memo ATP-18, Mathe-
matics Dept., Univ. oC Texas, Austin, Texas, Dec. 1974. 
Boyer, R., J Moore, "A computational logic" , Academic Press, 1979. 
B1.U':5tall, R., J. Goguen, "Putting theories together to make specificatioD!l", Prac. IJCAI, 
August 1977. 
Elspas, B., et ale "A Jovial Verifier", SRI International, June, 1979. 
Ferro, A., E. Omodeo, J. Schwartz, "Decision procedures (or ~me fragments o( set theory" , 
5th Conf on Automated Deduction, july 1980. 
Good, D., R. M. Cohen, J. Keeton-Williams, "Principles or proving concurrent programs 
in Gypsy", Proc 6th POPL, 1979. 
King, J., "A program verifier", Ph.D. thesis, CMU, 1969. 
Levitt, K., R. Waldinger, "Reasoning about programs", AI Journd/5, 1974. 
Levitt, K., L. RobiD!lon, B. Silverberg, "The HOM handbook", SRI International, 1979. 
Luckham, D., N. Suzuki, "Verification or array, record, and pointer operations in P3lICal", 
TOPLAS, Oct, 1979. 
Melliar-Smith, P. M., R. L. Schwartz, "Formal specification and mechanical verification 
of SIFT: a rault-tolerant flight control system", IEEE Trdnldct;on6 on Computen, July 
1982. 
Milner, R., "An algebraic definition or simulation between programs, CS 205, Stanrord, 
1971. 
~ilner, R., "LeF: a way or doing proors with a machine" , Proc 8th MFCS SrJf7lP, 1979. 
MU5ser, D., "Abstract data type specification in the Affirm system", IEEE TSE, Jan. 1980. 
27 
INak 77] 
IOpN 78] 
[Par 72J 
[RoL 77J 
[Sch 801 
[Sho 77J 
[Sho 821 
[Suz 75J 
[Wen 78] 
(Wey 80] 
Nakajima, R., M. Honda, H. Nakahara, "Describing and verifying programs with abstract 
data types", Formal Delcription 01 Programming ConceptI, North Holland, 1977. 
Oppen, D., G. Nelson, "A simplifier based on efficient decision algorithms", Proceedings 
of Fifth POPL, Tucson, Arizona, Jan. 1978. 
Parnas, D., "A technique for software module specification with examples", CACM, May 
1972. 
Robirulon, L., K. Levitt, "Proof techniques for hierarchically structured programs" , CA CM, 
April 1977. 
Schorre, V., J. Stein, "The interactive theorem prover (ITP) user manual", TM-6889/00o. 
101, SDC, 1980. 
Shostak, R., "A practical decision procedure for arithmetic with function symbols", JACM, 
April 1979. 
Shostak, R., "Deciding Combinatiorul ot Theories", Proceeding' of t/ae S;zt/a Conference 
on Automated Deduction, June 1982. 
Suzuki, N.,"Verifying programs by algebraic and logical reduction", Proc. Int. Cont. on 
Reliable Software, Los Angeles, 1975. 
Wensley, J., et aI., "SIFT: Design and Analysis ot a Fault-tolerant Computer lor Aircraft 
Control", Proc IEEE, Vol. 66, No. 10, Oct. 1978. 
Weyhrauch, R., "Prolegamena to a theory ot mechanized formal reasoning", Al Journal, 
1980. 
28 
CHAPTER 3 
STP THEOREM PROVER - COMMAND INTERFACE 
29 

STP Theorem Prover--Command Interface 
Command Reference List for STP 
Declaration Commands 
DTV(symbol) (Declare Type Symbol) 
Declares symbol to be a type variable. Symbol must be atomic and not presently declared as a 
type or type variable. 
DT(symbol [(typevarl, typevar2 ... typevarn)]) (Declare Type) 
Declares symbol to be a new type. Symbol must be atomic and not presently declared as a type 
or type variable. If the optional list (typevarl typevar2 ... typevarn) is provided, symbol is 
declared as a parameterized type. In this case, n must be at least 1 and each typevari must be 
presently declared as a type variable. The typevari's need not be distinct. 
DST(symbol [(typeYarl typevar2 ... typevarn)] typexp) (Declare SubType) 
Declares symbol to be a subtype of the type given by the type expression typexp. Symbol must 
be atomic and not presently declared as a type or typevariable. If the optional list (typevarl 
typevar2 ... typevarn) is provided, symbol is declared as a parameterized subtype of typexp. In 
t.his case, n must be at least 1 and each typevari must be presently declared as a type variable. 
Typexp must be a legal type expression. The set of parameters of the declared subtype must be 
identical to the set of type variables occurring in typexp. (In particular, if no parameter list is 
given, typexp must contain no occurrences of type variables). 
DSV{typexp symbol) (Declare Symbol Variable) 
Declares symbol to be a variable of type typexp. Symbol must be atomic and not presently 
declared as a variable or function symbol. Typexp must be a legal type expression. 
DS{typexp symbol (typexpl typexp2 ... typexpn)) (Declare Symbol) 
Declares symbol to be function symbol of return type typexp and argument types typexpl, 
typexp2, ... typexpn. Symbol must be atomic and not presently declared as a variable or function 
symbol. Typexp, typexpl, ... typexpn must be legal type expressions. n may be zero, in which 
case symbol is declared as a constant. In this case, the third argument to DS need not be 
provided. Note that this is not the same as declaring a symbol variable. Unless n is 0, each type 
variable occuring in the return type typexp must occur as a type variable of at least one of 
typexpl typexp2 ... typexpn. 
DD(typexp symbol (varl var2 ... yarn) exp) (Declare Definition) 
Declares symbol as a defined function symbol of type typexp with formal parameter list (varl 
var2 ... varn) and body expo Symbol must be atomic and not presently declared as a variable or 
31 
function symbol. typexp must be a legal type expression. Each vari must be presently declared 
as a variable, and exp must be legal expression containing at least one occurrence of each vari. N 
may be zero. The declaration causes symbol to be declared per 
DS(typexp symbol (typel type2 ... typen)) 
where typel, type2, ... typen, respect.ively, are the types of varl, var2, '" varn. Note that since 
exp must be a (presently) legal expression, symbol cannot be defined recursively. 
The body exp must be a legal symbolic expression not containing any quantifiers. The type of the 
body need not be the same as typexp. However, the expression (EQUAL symbol exp) must be a 
legal symbolic expression (where symbol is assumed to be declared as above.) 
DF(name formula) (Declare Formula) 
Associates name with formula. Name must be atomic, and not currently associated with a 
formula. Formula must be a legal expression of type BOOL. The status of name is initialized to 
UNPROVED. 
DA(name formula) (Declare Axiom) 
Associates name with formula, and changes its status to AXIOM. Equivalent to: DF{name 
formula) CS(name AXIOM) 
DC(newname oldname) (Declare Copy) 
Associates new name with the formula with which oldname is currently associated. Newname 
must be an atomic symbol not presently associated with any formula, and oldname must be 
presently associated with a formula. Equivalent to: 
DF(newname form) 
where form is (FORMULA oldname). 
UDT(symbol) (UnDeclare Type) 
Undeclares type or type variable symbol. Symbol must currently be declared as a type or type 
variable, but must not be referred to in the declaration of some other presently declared type or 
symbol. 
UDS(symbol) (UnDeclare Symbol) 
Undeclares function symbol or variable symbol. Symbol must currently be declared as a function 
symbol or variable, but must not be referred to in the declaration of any presently declared 
formula. If symbol was declared by a DD, the associated definition is lost. 
UDF(symbol) (Undeclare Formula) 
Undeclares the formula associated with symbol. Symbol must currently be associated with a 
32 
formula. The st.atus of all formulas whose proof depends upon (either directly or indirectly) the 
undeclared formula is changed to UNPROVED. 
Commands Associated with Proving 
PR(form formi form2 ... formn) (PRove) 
Attempts to prove the formula form using formI, form2, ... , formn as hypotheses. N may be 
zero. Form must be either the name associated with a presently declared formula, or a list of the 
form 
(name sub) 
where name is associated with the formula to be proved, and sub is a substitution to be applied to 
the free variables in the validity skolem form of that formula before the proof is attempted. Sub 
must be of the form ((varl terml)(var2 term2) ... (varn termn)) where each vari is one of the free 
variables, and termi is a legal expression. The vari's must be distinct, but need not include all of 
the free variables. The expression obtained by substituting each termi for vari in the validity 
skolem form of the formula associated with name must be a legal expression (i.e., must 
typecheck.) In addition, the type of each termi must be a subtype of some instance of the type of 
vari. Further restrictions and conventions regarding the termi's are discussed below. 
In the case where form is an atom rather than of the form (name sub)), if the named formula has 
free variables in its validity skolem form, the user is asked whether he desires an instance. If so, 
he is prompted for a substitution variable by variable. If no substitution is desired for a given 
variable, the user can so indicated by pressing carriage return. 
Similarly, each of the hypotheses formI, form2, formn may be either the name of a declared 
formula, or a list of the form (name sub). Here, however, sub must be a substitution for the free 
variables of the satisfiability skolem form of the named formula, as opposed to the validity 
skolem form. Once again, if no list is supplied, the user is asked whether he desires an instance. 
The formula submitted to the theorem prover consists of the implication of the instantiated 
formula to be proved by the conjunction of the instantiated hypotheses. (Upon completion of the 
PR command, this formula is the value of the atom IMPLICATION. A version of 
IMPLICATION with all defined symbols replaced by their definitions is given by 
EXP.IMPLICATION). If the proof is successful, the status of form (or the first element of form, if 
form is a list) is changed to PROVED. Otherwise, the status is unchanged. 
Proof Debugging Commands 
CHECK MONITOR 
Enters the CHECK MONITOR subsystem. This subsystem provides some help in discovering 
why a proof in STP has failed. After a proof in STP has failed, calling the function 
(CHECK.MONITOR) will place t.he user in a subsystem which provides information about the 
failed proof. While in the CHECK.MONITOR, the user is prompted for a command by a u*u. 
The subsystem commands are E, PP.PR, PP.PR.ATTEMPT, QI, QF, PR, and PC. 
33 
E 
The E command exits the CHECK.MONITOR. 
PP.PR 
The PP.PR command prints the conclusion and each premise along with a formula number (the 
conclusion being numbered zero) and the substitutions for each formula. 
PP.PR.ATTEMPT 
The PP .PR.ATTEMPT command prints the information in PP .PR along with the instantiated 
versions of each formula. 
(QI number) 
The QI command is typed in parentheses along with a number as in (QI 3) and prints the 
substitutions and instantiated version of the numbered formula, as in PP.PR.ATTEMPT. 
(QF name) 
The QF command is parenthesized along with a formula name as in (QF PREMISE1) and prints 
the uninstantiated version of the named formula. 
(PR number) or (PR numberlist) 
The PR command is parenthesized and takes either a single number as an argument as in (PR 3), 
a list of numbers as in (PR (1 2 3)), or (PR ALL). This command attempts to check the 
applicability of each (specified) numbered premise in the proof by assuming the proof proceeds 
through the use of Modus Ponens. 
(PC number) or (PC numberlist) 
The PC command is similar to the PR command and takes the same type of arguments. It 
checks the applicability of premises assuming the contrapositive direction (i.e., attempts to show 
that the consequent is false and thus the antecedent is also false). 
34 
CHAPTER 4 
OVERVIEW OF DESIGN VERIFICATION 
35 

Specifying and Verifying Ultra-Reliability 
and Fault-Tolerance Properties 
Richard L. Schwartz and P.M. Melliar-Smith 
Abstract 
A methodology to rigorously verify ultra-reliability and fault-tolerance system proper-
ties is described. The methodology utilizes a hierarchy of formal mathematical specifications 
of system design and incremental design proof to prove the system has the desired 
properties. A small example of the approach is given, and the application of the methodol-
ogy to the large-scale proof of SIFT, a fault-tolerant flight control operating system, is 
discussed. 
1 Introduction 
How does one begin to substantiate a claimed Mean Time Between Failures (MTBF) 
of a million years! This was the problem facing the designers of SIFT [1]. Clearly, 
rates of failure this small are beyond the point where testing and fault injection can 
suffice: Validation by fault injection, while necessary, is unlikely to convince one that 
the reliability requirements have been met. 
Substantiation of such an ultra-reliability requirement must be based on some form 
of analytic reliability analysis. Discrete Markov analysis is frequently used to analyze 
system failure and recovery transition rates. Because of the normally quite large number 
of actual system states and failure modes, one typically uses an extrapolation from fault 
rates and system states that are easier to measure. 
The validity of this extrapolation depends on a number of assumptions, and, at 
the desired level of reliability, even "minor" violations of the assumptions can have 
This work was supported by the NASA Langley Research Center under Contract NASl-15528 
"'Indeed, this has been rererred to as the "Smithsonian Experiment". 
37 
significant effects on the reliability achieved. Thus the assumptions must themselves be 
quite rigorously substantiated if the claimed reliability is to be believed. For instance, 
one important assumption of the Markov analysis is that the occurrence of faults is well 
described by a Poisson model with complete independence between processors. 
The validity of the Markov analysis depends also on the assumptions (1) that the 
states and the transitions of the Markov model correspond accurately to the actual system, 
and (2) that the states in which system failure is possible are correctly identified. But 
this correspondence is far from obvious: actual systems have very many states with many 
complex transitions between them. Without some means to reconcile the assumed states 
and transitions of the Markov analysis with those of the real system, one can produce 
highly optimistic reliability estimates. 
In attempting to substantiate the ultra-reliability requirement of SIFT, we employed 
a three-part methodology. The first of these is a demonstration that, so long as a system 
safe predicate remains true, the system performs the desired flight control function, even 
though one or more processors may be faulty. This is a correctness property for the 
function performed by the system. 
The. second is a demonstration that the Markov analysis computes an upper bound 
on the probability that system safe becomes false. This is a correctness property for 
the probabilistic reliability analysis of the system. 
The third and last step in the methodology is to prove that each state and transition 
of the Markov model reflects a valid abstraction of the states and transitions of the 
functional specification. 
By showing that system safe remains true over the desired period and that its being 
true implies the system will perform as desired, one can establish correct and reliable 
system operation. 
Because even a very small defect in the demonstrations could allow failures at an 
unacceptable rate, these demonstrations must be performed with the rigor of mathemati-
cal proof. Our experience has been that it is simply too easy either to overlook or abstract 
details of system operation inappropriately. A formal, unambiguous, specification and a 
formal system of mathematical deduction is necessary to attain the degree of confidence 
expected for critical system components. Run-time validation, (i.e., testing) techniques 
simply cannot be used to ensure that software, operating on a working processor, will per-
form as specified. Exhaustive software testing being impractical, a rigorous methodology 
for specifying and proving properties of all possible program behavior becomes necessary. 
The need for formal mathematical proof to ensure the desired functional and reliability 
requirements presents two major issues: 
~ How does one define the criteria sufficient to ensure the correct functioning of the 
system! 
38 
~ How does one prove that the criteria are satisfied by the actual system! 
The first issue is crucial if the formal verification effort is to have any practical 
significance. Even as a noncomputer scientist, one must have confidence, that the formal 
specifications, stating what is meant by the correct functioning of the system, in fact 
reflect the intended behavior. That a formal specification expresses what the system 
designer intuitively means must, in the end, be determined by inspection. A formal 
specification must therefore be believable if rigorous mathematical correspondence to the 
specification is to ensure the desired effect. 
The larger and more complex the system, the more acute the problem becomes. 
Specifications reflecting the detailed behavior of the system allow the most straightforward 
formal verification effort, but it is difficult to ensure that low-level specifications embody 
what is meant by the proper functioning of the system. Very high-level specifications, 
abstracting from the details of the system, are necessary if we are to state the overall func-
tional and fault-tolerance properties of the system in a way that can be understood and 
believed. The problem then becomes one of reconciling the very high-level specifications 
with the detailed transformations performed by the programs of t.he actual system. 
In order to state high-level system specifications that can be shown t.o be consistent 
with the actual program, one must formulate not just a single specification of the sys-
tem, but a hierarchy of specifications. Our approach is to state a tiered set of system 
specifications, as illustrated in Figure 1. 
Each level Li in the hierarchy specifies an abstract view 0/ the system de.,ign in terms 
of a set of primitive predicates Pi and functions Fi. The specification for the model is 
given by a set of axioms, characterizing those properties of the model appropriate for 
that level of system abstraction. At each level in the hierarchy, a specification Li can 
be seen as an abstraction of the previous level Li+1' Correspondence between successive 
levels is maintained by expressing each primitive function and predicate of higher-level 
Li in terms of the functions and predicates of the lower-level LHI. 
With this mapping, one must then prove that each property derivable from the 
higher-level specification can be proved from the lower-level specification. The mapping 
between levels need not be complete; the mapping itself may be given as a set of axioms, 
saying only enough about the correspondence to derive the necessary axioms of the higher 
level as theorems from the axioms of the lower-level. It is required only that the mapping 
axioms be consistent, i.e., that there exist a complete functional· mapping between levels 
which satisifies the mapping axioms. By demonstrating the correspondence between 
successive levels Li and Li+1' one can conclude by induction that any property provable 
from the highest-level specification is also provable from the lowest-level specificat.ion. 
Thus, any analysis of the system based on a higher-level specification in the hierarchy is 
valid and could have been performed on the lowest-level system specification. 
To completely couple the analysis wit.h the system, t.he lowest-level specification of 
the system should be the actual program executed by the hardware, while the highest-level 
39 
specification should reflect the intended overall function performed by the fault-tolerant 
system. The higher-level specifications represent, in effect, system requirements, stating 
properties to be possessed without defining method of attainment. As one moves down 
the hierarchy, each lower-level specification successively introduces additional mechanism 
in the design specificat.ion to achieve the fault-tolerance and expresses a more detailed 
and operational view of system transformation. 
The fundamental idea of the paradigm is to gradually introduce aspects and com-
plexities of design and algorithm as one moves down the hierarchy. Between successive 
specification levels one can perform incremental design verification, proving that the more 
detailed design specification at the lower level support.s the abstracted view at the higher 
level. By gradually introducing the algorithms used to achieve fault-tolerance, one can 
verify each aspect of the design at the highest level of abstraction containing the necessary 
concepts. This produces a tractable specification and verification exercise and serves to 
highlight and isolate design decisions and fault-tolerance paradigms. 
It is this paradigm that will be discussed first in the context of the SIFT experience 
and then illustrated later in the paper by a small, almost trivial, example. 
2 An Outline of the Design of SIFT 
The SIFT aircraft control computer system is designed to achieve high reliability 
from standard computers by replication of the hardware and adaptive majority voting. 
The use of majority voting, rather than a hot standby, is necessary to avoid even minor 
perturbations to high performance real-time tasks during error recovery. In contrast 
to other majority-voted systems, for instance FTMP[2], in SIFT the voting mechanism 
that detects and masks hardware faults, is implemented entirely in software. This 
allows the construction of SIFT from conventional computer components and allows 
greater flexibility. Hardware detected to be faulty is reconfigured out of the system, 
again by software, with its workload being transferred to other processors. Thus several 
successive faults can be survived if there is sufficient time between them to permit the 
reconfiguration. 
SIFT is a fully distributed system with no global, shared components. The system is 
constructed from up to eight identical computer units, each containing a Bendix BDX930 
processor, a 32K main store, a broadcast interface, and a 1553 interface, as shown in 
Figure 2. Each processor has its own 32k word main store and internal clock, neither 
of which can be accessed by any other processor. The 1553 interface provides a serial 
bus connecting the processor to the various aircraft sensors and actuators. The mean 
time between failures of one of these units, containing processor, store, and interfaces, is 
something less than one thousand hours. 
Processors communicate with each other through a broadcast interface. In SIFT 
there is, conceptually, a single instance of each logical task, but, for reliability, that task 
40 
is actually replicated and executed on three or five processors. Each instance of the task, 
upon completion of the computation, invokes an executive function which broadcasts its 
results through the data6le to each processor. In each of the processors, the three (or 
more) versions of the task results are extracted from the data file by voting software, and 
the majority result is placed in the input buffer, from which it can be obtained by any 
task that needs to use the results. 
The voting software notes any discrepancies among the values on which it votes. 
A task error reporter, run periodically on every processor, generates a synopsis of the 
errors detected on that processor and broadcasts the synopsis. The global executive task, 
which is replicated like other critical tasks, receives the error synopses broadcast from 
the various processors and decides from them which processors are faulty. The global 
executive is responsible for the reconfiguration of the system, generating the configuration 
of processors to be used, excluding the processors deemed faulty and distributing the 
execution of application tasks appropriate to the current phase of the Bight among the 
configured processors. In each processor, the results from the various replications of the 
global executive are voted and then used by the local executive task to select a task 
schedule for its scheduler, and to set up the sets of processors executing each task for 
use by the voting software. Note that, while the global executive task is a replicated 
and voted task common to the whole system, the error reporter and the local executive 
are tasks specific to each processor individually, and their results cannot be voted. Even 
though they are run on every processor, the results they generate relate only to their own 
processor. 
The validity of the majority-voting approach depends on all task replications on 
working processors generating identical results, which in turn depends on these replica-
tions performing identical calculations on identical inputs. Provided that the system 
remains safe, majority voting of the results of replicated tasks suffices to ensure that all 
working processors obtain the same values for the results of those tasks. Where an input 
is obtained from an unreplicated source, no such assurance applies. Not only may the 
result obtained from an unreplicated source be erroneous, which the other tasks might 
accommodate, but the faulty source could broadcast different values to different proces-
sors. This would cause replicated tasks on those processors to obtain different results, 
destroying the utility of majority voting. In SIFT, a mechanism called interactive con-
sistency [3] is used to ensure that all working processors obtain the same value for any 
input derived from an unreplicated source, whether that be an unreplicated application 
task, a sensor, or an error-reporting task. 
3 An Outline of the SIFT Design Hierarchy 
Figure 3 shows an outline of the various specifications and analyses that are used 
in the justification of the reliability of SIFT. On the right of the figure is a hierarchy of 
specifications of the correct functional behavior of SIFT, while on the left are a set of 
41 
analyses that yield the probability of that correct behavior. The models at the bottom 
of the figure describe the hardware of SIFT, upon which the more abstract analysis IS 
based. 
The Hardware Fault and Error Rate Models describe the nature of possible hardware 
faults and assign error rates to aggregate failure modes. The Reliability Analysis then 
provides a Markov model of safe and unsafe system states and the probability of staying 
within safe states through the process of fault detection and reconfiguration. 
The 10 Specification, the most abstract functional description of the system, asserts 
that, in a 8afe configuration, the result of a task computation will be the effect of applying 
its designated mathematical function to the results of its designated set of input tasks, 
and that this result will be obtained within a real-time constraint. Each task of the 
system is defined to be correctly performed, with no indication of how this is attained. 
No mechanism used to achieve this is specified; the model includes only the assertion that 
each conceptual task will be correctly performed. The model has no concept of processor 
(thus no representation of replication of tasks or voting on results), and, of course, no 
representation of asynchrony among processors. The specification of this model contains 
only eight axioms and is intended to be understandable by an informed aircraft flight 
control engineer. This specification, together with the Reliabililty Analysis (and faith in 
the overall methodology), are intended to provide enough information to show that the 
system is capable of satisfying the project requirements. 
The Replication Specification elaborates upon the 10 Specification by introducing 
the concept of processor, and can therefore describe the replication of tasks and their 
allocation to processors, voting on the results of these replicated tasks and reconfiguring 
to accommodate faulty processors. The specification defines the results of a task instance 
on a working processor based on voted inputs, without defining any schedule of execution 
or processor communication. A distinction is made between the value (or set of values, 
for a fault processor) computed by a task instance, the value received by each other 
processor, and the value determined by.a majority vote on each processor. This model is 
expressed in terms of a global system state and sychronous system time. The specification 
does not include lower level concepts of resource requirements, schedules, or .broadcast 
buffer communication. 
At this level, sufficient design detail about replicated task computation on multiple 
processors and voted input values is present to prove that majority voting suffices to mask 
errors (provided enough working processors are included in the configuration). 
The Activity Specification develops the design into a fully distributed system in 
which each processor has access only to local information. Each processor has a local' 
clock, a broadcast communication interface and buffers. The asynchrony among proces-
sors and its effect upon communication is modeled. The specification explicitly defines 
each processor's independent information about the configuration and the appropriate 
schedule of activities. The schedule of activities defines the sequence of task executions 
42 
and votes necessary to generate task results within the required computation window. 
The Activity Specification is the lowest level description of the complete multiprocessor 
SIFT system. 
In proving that this level design specification supports the Replication level, one 
must prove that the asynchronous distributed system remains consistent, even in the 
presence of errors. This involves showing that, despite the purely local information used 
by each processor to determine current time, current schedule and current configuration, 
all working processor will reach the same conclusions at roughly the same time. One 
must show that enough processors remain in approximate synchronization and that no 
effective use is made of the slight clock skew. 
This is a key design decision in SIFT: distributed computation is used to achieve only 
fault-tolerance, not an increase in performance. All task instances execute at roughly the 
same time, and all instances are intended to be completed prior to any possible use of the 
results. The synchronous, global design abstraction of the system can thus be validated. 
The PrePost Specification consists of specifications for the operating system for 
a single processor. The specification, in terms of pre-condition/post-condition pairs, 
facilitates the use of sequential program techniques to prove properties of the Pascal-
based operating system as a sequential program. These specifications are very close to 
the Pascal programs, and essentially require the programs to "do what they do" . 
The various programs that form the SIFT executive are written in Pascal and 
form the Pascal Implementation, from which is derived by compilation the BDX990 
Implementation. This is the lowest level specification of the SIFT software. 
Each of the design specifications is defined by a set of axioms, written in a strongly 
typed variant of first-order (quantified) predicate calculus. The specification language is 
part of the STP specification and verification system [4] developed at SRI as part of the 
SIFT effort. 
The hierarchy of specifications, from the I/O level down to the Pascal level, has been 
mechanically verified for the major system functionality. The proof demonstrates that a 
SIFT system in a "safe" state operates correctly despite the presence of arbitrary faults. 
Not yet completed is the proof that the SIFT executive performs an appropriate, safe, 
and timely reconfiguration in the presence of faults. A more extensive discussion of the 
SIFT hierarchy and design proof can be found in [5]. 
In the following section, a simple example of a two level specification and design 
proof illustrates the basic concepts of the methodology. 
4 A Simple Example of Design Proof 
Consider a simple, almost trivial, example of a system implementing fault masking 
through majority voting. We assume some set of tasks to be performed, each with an 
43 
associated mathematical function it should perform. For a task k, we use function(k) to 
denote the associated mathematical function. For simplicity, we assume only constant 
functions of no arguments. The result of applying the function is thus function( k )0. 
Let's assume that the system is to guarantee reliable computation of each task by 
replicating the task and executing it on a number of processors. We wish to say that, 
provided enough of the processors are actually working, the majority of values produced 
by each executing processor will in fact be the correct value. In this case, task replication 
is sufficient to mask faults in a minority of processors. For simplicity of illustration, let 
us assume that each task is executed by each processor. In our simple example, we will 
also assume a single iteration of each task, with its results placed in dedicated memory 
locations for later inspection. 
As a top-level design specification, we introduce a function produce(k), which tells 
us,for a task k, what value was conceptually produced. The predicate task-safe(k) will 
indicate that task k is "safe". In terms of these functions and predicates, we can now 
give our specification, comprised of a single axiom. 
Axiom L1.Al 
Ll.Al task-safe(k) ~ produce(k) = function(k)O 
The meaning of task-safe will not be given by this level specification. Like the system-
safe predicate in the SIFT specification, a reliability analysis will assign a probability that 
task-safe(k), for each task k, will remain true for the appropriate period. 
This completes our level 1 specification. Conceptually, this and the associated 
reliability analysis would be given to the flight control engineer. Having guaranteed 
that each task would produce the appropriate value, no further knowledge of how this 
is achieved would be theoretically required (discounting natural curiosity as to how the 
effect was achieved). 
At the next level of specification, we introduce the concept of a set of processors, 
procset, and task computations on the processors. The function produce.on(k,p) denotes 
the value that processor p produces for task k. A predicate working(p) indicates that 
processor p is physically working during the relevant period. At this level, working(p) is 
left uninterpreted. Again, our specification consists of only one axiom: 
Axiom L2.Al 
L2.Al working(p) ~ produce.on(k,p) = function(k)O 
This states that a working processor p will produce the correct value for task k. 
We now wish to demonstrate that axiom Ll.Al, expressing our high level design 
44 
specification, can be proved from L2.Al. In doing so, we need to define each primitive 
function of the higher level specification, namely task.safe and produce, in terms of our 
lower level functions: In order to exhibit these mappings, we must first define some 
auxiliary set abstractions. 
We define: 
work8et = {p I working(p) ApE proc8et } 
prod8et(k) = {< v,p > I v = produce.on(k,p) } 
workans(k) = 
{< v,p > I v = produce.on(k,p) = function(k)O Ap E workset } 
The set workset is the set of working processors, while prod8et(k), pairs, for task 
k, each processor with its value produced for k. The set workans(k) is the subset of 
prod8et(k) corresponding to right answers produced by working processors (after all, even 
malfunctioning processors could produce correct results). . 
Given these definitions, we can now define our mappings as follows: 
Map.l task.safe{k) 2 'lwork8etl > Iproc8etl 
Map.2 task.safe(k) produce(k) = majority(prod8et(k)) 
Map.l defines our task.safe(k) as having at least half the processors working. Map.2 
defines that, in the case where task.safe(k), the Level 1 produce(k) can be mapped as the 
majority of values produced by all processors. We assume a standard axiomatization for 
such a majority function, and for cardinality of sets, denoted II. 
Our basic argument in establishing that Ll.Al follows from L2.Al and the mappings 
is as follows: We assume the antecedent of L2.AI and show that the consequent must 
therefore be true. We know that every processor contributes a value to prod8et, and that 
each working processor contributes the correct value to prod8et. Our assumption that 
task-safe(k) tells us at least half the processors are working, and therefore that at least 
half the values in prodset will be the correct value. The majority value in prodset must 
therefore be the correct value and thus produce(k) must be the correct value. The above 
informal argument can be (and has been) easily formalized and mechanically verified. 
*Technically. we will also use the identity mapping ror the runction(k) runction present in both levels. 
45 
5 Conclusions 
In this paper we have described a methodology to verify reliability and fault-tolerance 
properties of systems. \Ve have advocated using a hierarchy of design specifications and 
incremental design verification. This task is neither easy, nor in all cases, practical. In the 
SIFT effort, the majority of the overall effort was spent producing the simplest possible 
design. It was only because of the simple, clean design that one could abstract succinct, 
high level views of the system and its function. Without this, the verification effort would 
not have been possible. Indeed, a strong case can be made that, verification issues 
aside, the best chance of producing an ultra-reliable system design is to use the 
simplest, most straightforward techniques practical. Complex error recovery and 
fault-tolerance mechanisms are likely to introduce as much unreliability as they remove. 
The mechanical verification effort using the STP verification system was an expensive 
tour de force. The system is currently suitable for the use only of its designers. We are 
currently designing and implementing a specification and verification system, targeted for 
completion about mid-1984, that should be useable by enlightened engineers or computer 
scientists with at least an undergraduate background in mathematical logic. Of course, 
such verification exercises will continue to be expensive, appropriate only for applications 
with a very high reliability requirement. 
One should also bear in mind that the application of mathematical design verification 
techniques increases confidence in "correctness" of a system design, but does not provide 
an iron clad guarantee that the system will perform as expected. Mathematical reasoning, 
even when aided by computer program, should be carefully reviewed and subjected to 
some form of social process. In addition, still left for inspection outside the formal system 
is (I) whether the highest-level specification reflects the users' requirements and expected 
performance, (2) whether the hardware properly supports the virtual machine assumed 
at the lowest-level of proof, and (3) whether the assumptions of the hardware fault model, 
and of the probabilistic Markov analysis are valid. 
Acknowledgments 
Also involved in the SIFT design effort were J. Wensley, J. Goldberg, K. Levitt, L. 
Lamport, M. Pease, M. Green, W. Kautz, R. Shostak, and C. Weinstock. The proof was 
carried out with the assistance of D. Hare. The STP verification system was developed 
in close collaboration with R. Shostak. 
46 
References 
[1] J. Wensley, et aI., "SIFT: Design and Analysis of a Fault-Tolerant Computer for 
Aircraft Control", Proceedings 0/ the IEEE, 60(10):1240-1254, October 1978. 
[2] A. Hopkins, T.B. Smith, J. Lala, "FTMP - A Highly Reliable Fault-Tolerant 
Multiprocessor for Aircraft", Proceedings 0/ the IEEE, 66(10): 1221-1239, Oct 
1978. 
[3] M. Pease, R. Shostak, L. Lamport, "Reaching Agreement in the Presence of 
Faults", JACM, 27(2):228-234, April 1980. 
[4] R. Shostak, R. Schwartz, P.M. Melliar-Smith, "STP: A Mechanized Logic for 
Specification and Verification" ,6th Conference on Automated Deduction, Springer 
Verlag, June 1982. 
[5] P.M. Melliar-Smith, R. Schwartz, "Formal Specification and Mechanical Verification 
of SIFT: A Fault-Tolerant Flight Control System", IEEE Transactions on Computers, 
Vol. C-31, No.7, July 1982. 
47 

CHAPTER 5 
A SIMPLE EXAMPLE OF DESIGN VERIFICATION 
49 

Formal Verification of the Simple SIFT 
Voting System 
51 
/* The set of right answers will be at least as large as the set of 
results from working processors 
*/ 
LEM1: formula 
CARD(WoRKANS(K)) ~ CARD(RIGHTANS(K)) 
prove LEM1 
using CARD.SUBSET [Sl ~ WoRKANS(K), 
S2 ~ RIGHTANS(K)] 
SUBSET [Sl ~ WORKANS(K), 
S2 ~ RIGHTANS(K), 
X ~ *X:2] 
WORKABS [I_P ~ *X:2] 
var SP: SET. OF(PAIR.OF (TYPEI, TYPE2)) 
var XP: TYPE2 
APPLY1: (FUNS, TYPE2, TYPE1) TYPE1 
var PAIR12: PAIR. OF (TYPE1 , TYPE2) 
var SQ: SET.OF(TYPE2) 
var F: FUNS 
/* card(sq) = card( { < f(xp),xp > I xp E sq }) */ 
PAIRCARDEQUALITY: formula 
(V PAIR12: 
PAIR12 E SP 
(3 XP: PAIR12 = MAKE.PAIR(APPLY1(F, XP, Xl), XP) A XP E SQ)) 
) 
CARD(SP) = CARD(SQ) 
/* 
We introduce a functional value, prodfun, such that 
prodfun(k)(p) = produce.on( k,p ) 
*/ 
PRoDFUN: (TASKS) FUNS 
PRODAX: axiom 
APPLY 1 (PRODFUN(K), P, 2) = PRoDUCE.ON(K, P) 
/* 
Lemmas 6 and 7 establish the two directions of the equivalence forming 
the antecedent of Paircardequality, where prodfun is used for f 
*/ 
LEM6: formula 
I_P E WORKANS(K) 
) 
(3 P: I_P = MAKE. PAIR (APPLY 1 (PRoDFUN(K), P, 2), P) APE WoRKSET()) 
prove LEM6 [P ~ SoURCE(I_P)] 
52 
using WORKABS 
RIGHTABS 
PRODABS 
PAIR.EQUALITY [PAIR ~ I_P, 
PAIRI ~ MAKE.PAIR(PRODUCE.ON(K, SOURCE(I_P)), SOURCE(I_P))] 
PAIR.AXIOM.2 [Xl ~ PRODUCE.ON(K, SOURCE(I_P», 
X2 ~ SOURCE(I_P)] 
PRODAX [P ~ SOURCE(I_P)] 
LEM7: formula 
(3 P: I_P = MAKE. PAIR (APPLY 1 (PRODFUN(K), P, 2), P) APE WORKSET(» 
) 
I_P E WORKANS(K) 
prove LEM7 
using PRODAX [P ~ *P:C] 
WORKP [P ~ *P:C] 
L2.AI [P ~ *P:C] 
/* 
PAIR.AXIOM.2 [Xl ~ PRODUCE.ON(K, *P:C) , 
X2 ~ *P:C] . 
PRODABS [I_P ~ MAKE.PAIR(PRODUCE.ON(K, *P:C), *P:C)] 
RIGHTABS [I_P ~ MAKE.PAIR(PRODUCE.ON(K, *P:C), *P:C)] 
WORKABS [I_P ~ MAKE.PAIR(PRODUCE.ON(K, *P:C), *P:C)] 
Using lemmas 6 and 7 in Paircardequality, we prove that the number 
of correct answers from working processors is equal the number of working 
processors 
*/ 
LEM3: formula 
CARD(WORKSET(» = CARD(WORKANS(K» 
prove LEM3 
using PAIRCARDEQUALITY [SP ~ WORKANS(K), 
SQ ~ WORKSET(), 
Xl ~ 2, 
XP ~ *P:2, 
F ~ PRODFUN(K)] 
LEM6 [I_P ~ *PAIRl2:l] 
LEM7 [I_P ~ *PAIR12:1, 
P ~ *XP: 1] 
/* Similarly lemmas 8 and 9 will be used in Paircardequality to prove 
lemma 4 
*/ 
LEM8: formula 
I_P E PRODSET(K) J (3 P: I_P = MAKE. PAIR (APPLYl(PRODFUN(K), P, 2), P» 
prove LEM8 [P ~ SOURCE(I_P)] 
using PRODABS 
PAIR.EQUALITY [PAIR ~ I_P, 
PAIRl ~ MAKE.PAIR(PRODUCE.ON(K, SOURCE(I_P», SOURCE(I_P»] 
PAIR.AXIOM.2 [Xl ~ PRODUCE.ON(K, SOURCE(I_P», 
X2 ~ SOURCE(I_P)] 
PRODAX [P ~ SOURCE(I_P)] 
LEM9: formula 
53 
(3 P: I_P = MAKE.PAIR(APPLYl(PRODFUN(K), P, 2), P)) ) I P E PRODSET(K) 
prove LEM9 
using PRODAX [P ~ *P:C] 
PAIR.AXIOM.2 [Xl ~ PRODUCE.ON(K, *P:C), 
X2 ~ *P:C] 
PRODABS [I_P ~ MAKE.PAIR(PRODUCE.ON(K, *P:C), *P:C)] 
/* The number of produced values is equal to the number of processors */ 
LEM4: formula 
CARD(PROCSET()) = CARD(PRODSET(K)) 
prove LEM4 
using PAIRCARDEQUALITY [SP ~ PRODSET(K), 
SQ ~ PROCSET 0 ' 
Xl ~ 2, 
XP ~ *P:2, 
F +- PRODFUN(K)] 
LEM8 [I_P ~ *PAIR12:l] 
LEM9 [I_P ~ *PAIR12:l, 
P ~ *XP: 1] 
PROCABS [P ~ *P:2] 
/* We now prove the main axiom of Level 1 as a theorem of Level 2 */ 
prove Ll.Al 
using MAJ. 1 [M.BAG.l ~ RIGHTANS(K), 
M.BAG ~ PRODSET(K), 
/* 
Tl.V ~ APPLY(FUNCTION(K))] 
RIGHTABS [I_P ~ *Vl.V2:l] 
MAPPING 1 
MAPPING2 
LEMI 
LEM3 
LEM4 
We now derive the Paircardequality lemma from a fundamental axiom 
of set theory 
*/ 
var STl: SET. OF (TYPEl) 
var ST2: SET.oF(TYPE2) 
var T2.Vl: TYPE2 
var T2.V2: TYPE2 
var T2.V3: TYPE2 
var T2.V4: TYPE2 
var T2.V5: TYPE2 
var Tl.Vl: TYPE 1 
var Tl. V2: TYPE 1 
54 
var Tl.V3: TYPEI 
var Tl.V4: TYPE 1 
/* 
The cardinality of two sets are equal if and only if there exists 
a bijective mapping between the two sets 
*/ 
CARDEQUALITY: axiom 
/* 
CARD(STl) = CARD(ST2) 
(3 F, T2.V4, Tl.V4: 
(V T2. VI, T2. V2 : 
T2.Vl E ST2 
" T2.V2 E ST2 
" ~(APPLYl(F, T2.Vl, Tl.V2) = APPLYl(F, T2.V2, Tl.V2)) 
) 
~(T2.Vl = T2.V2)) 
" (V Tl.Vl, T2.V5: 
T1. VI E STl 
) 
(3 T2.V3: T2.V3 E ST2 "APPLYl(F, T2.V3, Tl.V3) = Tl.Vl))) 
Because this axiom expresses a second order axiom scheme, the type 
system of our current STP is strained. Spurious variables had to be introduced 
in order to coerce the types. Future system will not suffer from this. 
*/ 
/* Genpair is our bijective mapping function */ 
GENPAIR: FUNS 
GENPAlRAX: axiom 
APPLYl(GENPAIR(), XP, PAIR12) = MAKE.PAIR(APPLYl(F, XP, Xl), XP) 
AWFULTYPEHACK: axiom 
XP = XP " PAIR12 = PAIR12 " Xl = Xl 
prove PAIRCARDEQUALITY [PAIR12 ~ *Tl.Vl:l, 
XP ~ *XP:C] 
using CARDEQUALITY [STI ~ SP, 
ST2 ~ SQ, 
F ~ GENPAIRO, 
T2.V3 ~ *XP:C, 
T2.V4 +- XP:6, 
T2.Vl +- XP:6, 
T2.V2 ~ XP:6, 
T2.V5 ~ XP:6, 
Tl.Vl +- PAIR12:6, 
Tl.V2 +- PAIR12:6, 
Tl.V3 +- PAIR12:6, 
Tl.V4 +- PAIR12:6] 
GENPAlRAX [F ~ F:C, 
XP +- *T2. VI : 1 , 
PAIR12 ~ PAIR12:6] 
GENPAlRAX [F ~ F:C, 
55 
XP .. *T2.V2:1, 
PAIRl2 .. PAIRI2:6] 
GENPAIRAX [XP .. *XP:C, 
F .. F:C, 
PAIRl2 .. PAIRI2:6] 
PAIR.EQUALITY [PAIR .. MAKE. PAIR (APPLY I (F:C, *T2.VI:I, *XI:C), *T2.VI:I), 
PAIRI .. MAKE. PAIR (APPLY I (F:C, *T2.V2:1, *XI:C), *T2.V2:1)] 
AWFULTYPEHACK [XP .. XP:6, 
Xl .. Xl :6, 
PAIRl2 .. PAIRI2:6] 
PAIR.AXIOM.2 [Xl .. APPLYI(F:C, *T2.VI:I, *XI:C), 
X2 .. *T2. VI : 1) 
PAIR.AXIOM.2 [Xl .. APPLYI(F:C, *T2.V2:1, *XI:C), 
X2 .. *T2.V2: 1) 
56 
CHAPTER 6 
DESIGN VERIFICATION OF SIFT - OVERVIEW 
57 

The Hierarchical Specification and Mechanical 
Verification or the SIFT Design 
This section describes the formal specification and proof methodology employed to demon-
strate that the SIFT computer system meets its requirements. The hierarchy of design 
specifications is shown, from very abstract descriptions of system function down to 
the implementation. The most abstract design specifications are simple and easy to 
understand, almost all details of the realization having been abstracted out, and can be 
used to ensure that the system functions reliably and as intended. A succession of lower-
level specifications refines these specifications into more detailed, and more complex, views 
of the system design, culminating in the Pascal implementation. The section describes 
the rigorous mechanical proof that the abstract specifications are satisfied by the actual 
implementation. 
1. The Role of Formal Proof 
The extreme reliability requirement on SIFT imposes a very severe problem in substan-
tiating the achievement of that level of reliability. At the required reliability, a mere 
observation, even of a large number of systems, will be ineffective. Further, a SIFT sys-
tem must be able to recover successfully from several million faults for every allowable 
system failure, and must, therefore, be able to recover from quite improbable and un-
foreseen faults and even combinations of faults. Thus validation by fault injection, while 
necessary, is unlikely to convince us that SIFT meets its reliability requirements. 
The justification that SIFT meets the reliability requirement must be based on an ex-
trapolation from fault rates that are easier to measure, such as those for an individual 
processor. For SIFT, this extrapolation takes the form of a discrete Markov analysis, 
with the numbers of working and faulty processors defining the states and the fault and 
reconfiguration rates defining the transitions. The validity of this extrapolation depends 
on a number of assumptions, and, at the desired level of reliability, even "minor" viola-
tions of the assumptions can have significant effects on the reliability achieved. Thus the 
assumptions must, themselves, be quite rigorously substantiated if the claimed reliability 
is to be believed. For instance, one important assumption of the Markov analysis is that 
the occurrence of faults is well described by a Poisson model with complete independence 
between processors. Much of the electronic and mechanical design of SIFT is intended to 
maintain this independence. 
59 
The validity oC the Markov analysis depends also on the assumption that the states and the 
transitions oC the Markov model correspond accurately to the actual system, and that the 
stat.es in which system Cailure is possible are correctly identified. But this correspondence 
is Car Crom obvious, Cor the actual system has very many states with many complex 
transitions between them, and the correspondence must be maintained even when one or 
more oC the processors has suffered a Cault. In SIFT, this correspondence is based on a 
predicate system sare indicating that the replication oC each oC the tasks is sufficient 80 
that the voting can mask the effectsoC the Caults present in the system. The validation 
oC SIFT now consists oC two parts. The first oC these is a demonstration that, so long as 
system sare is true, the system perCorms the desired flight-control Cunction, even though 
one or more processors may be Caulty. This is a correctness property Cor the Cunction 
perCormed by the system. The second is a demonstration that the Markov analysis 
computes an upper bound on the probability that system sare becomes Calse. This is a 
correctness property Cor the probabilistic reliability analysis oC the system. Because even 
a very small deCect in the demonstrations could allow Cailures at an unacceptable rate, 
these demonstrations must be perCormed with the rigor oC mathematical prooC. In this 
paper we consider only the first oC these parts. An outline oC the probabilistic reliability 
analysis is given in Wensley [I]. 
The necessity Cor Cormal mathematical prooC to ensure that SIFT meets the desired 
Cunctional and reliability requirements presents two major issues: 
• How does one define the criteria sufficient to ensure the correct Cunctioning oC the 
system! 
• How does one prove that the criteria are satisfied by the actual system! 
The first issue is crucial iC the Cormal verification effort is to have any practical significance. 
One must have confidence, even as a noncomputer scientist, that the Cormal specifications 
stating w hat is meant by the correct Cunctioning oC the system in Cact reflect the intended 
behavior. That a Cormal specification expresses what the system designer intuitively 
. means must, in the end, be determined by inspection. A Cormal specification must 
therefore be believable iC rigorous mathematical correspondence to the specification is 
to ensure the desired effect. The larger and more complex the system, the more acute the 
problem becomes. Specifications reflecting the detailed behavior oC the system allow the 
most straightCorward Cormal verification effort, but it is difficult to ensure that low-level 
specifications embody what is meant by the proper Cunctioning oC the system. Very high-
level specifications, abstracting Crom the details oC the system, are necessary iC we are 
to state the overall Cunctional and Cault-tolerance properties oC the system in a way that 
60 
can be understood and believed. The problem then becomes one of reconciling the very 
high-level specifications with the detailed transformations performed by the programs of 
the actual system. 
In order to state high-level system specifications that can be shown to be consistent with 
the actual program, one must formulate not just a single specification of the system, but 
a hierarchy of specifications. Our approach is to state a tiered set of system specifications, 
as illustrated in Figure IV-H. 
Each level Li in the hierarchy specifies an abstract view of the system in terms of a set 
of primitive predicates Pi and functions Fi. The specification for the model is given by a 
set of axioms, characterizing those properties of the model appropriate for that level of 
system abstraction. At each level in the hierarchy, a specification Li can be seen as an 
ab"traction of the previous level LHI. Correspondence between successive levels is done 
by expressing each primitive function and predicate of higher-level Li in terms of the 
functions and predicates of the lower-level Li+1 . With this mapping, one must then prove 
that each property derivable from the higher-level specification can be proved from the 
lower-level specification. The mapping between levels need not be complete; the mapping 
itself may be given as a set of axioms, saying only enough about the correspondence 
to derive the necessary axioms of the higher level as theorems from the axioms of the 
lower-level. It is required only that the mapping axioms be con"i"tent, i.e., that there 
exist a complete functional mapping between levels that satisifies the mapping axioms. 
By demonstrating the correspondence between successive levels Li and LHt. one can 
conclude by induction that any property provable from the highest-level specification is 
also provable from the lowest-level specification. Thus, any analysis of the system based 
on a higher level specification in the hierarchy is valid and could have been performed on 
the lowest-level system specification. 
Within the hierarchy, the lowest-level specification of the system is the actual SIFT 
system executed by the hardware, while the highest-level specification reflects the intended 
overall function performed by the fault-tolerant system. The higher-level specifications 
represent, in effect, "ydem requirement6, stating properties to be possessed without 
defining method of attainment. As one moves down the hierarchy, each lower-level 
specification successively introduces additional mechanism in the design specification to 
achieve the fault-tolerance and expresses a more detailed and operational view of system 
transformation. Between successive specification levels, one can perform incremental 
de8ign verification, proving that the more detailed design specification at the lower level 
supports the abstracted view at the higher level. By gradually introducing the algorithms 
used to achieve fault-tolerance, one can verify each aspect of the design at the highest 
61 
leyel of abstraction containing the necessary concepts. 
As an example, one can prove that replication and majority voting serve to mask faults, 
using a specification of the system as a single (and therefore synchronous) global object. 
Having proven this paradigm with respect to that specification level, one can then define 
a lower-level specification of the system as a distributed asynchronous system with a 
broadcast communication interface. It is then required to exhibit a mapping from the 
distributed system view to the global system view at the higher specification level. 
Demonstration that each axiom of the global-state specification is provable from the 
axioms defining the distributed-state specification will ensure that any theorems about 
fault masking in the global-system view are valid for the distributed-system view as well. 
Thus the paradigm of fault masking through task replication is introduced and validated 
prior to introducing techniques for fault isolation through distribution of resources. 
2. Mechanized Specification and Verification 
Attempting to formally characterize and justify the design of any real system is com-
plex and tedious. Without mechanical aids for constructing formal specifications and 
rigorously enforcing sound proofs, this task would be completely impractical and would 
not produce a credible result. Our early experience in formulating formal "paper" 
specifications and giving informal mathematical arguments of correctness was fraught 
with specification ambiguity and oversights in the informal correctness proofs. In response 
to this, and our desire to mechanize the style of specification and verification employed in 
our previous "paper" attempts, a new mechanical yerification system was designed and 
implement.ed. 
STP [8] is an implemented system supporting specification and verification of theories. As 
implemented, STP did not contain a parser for SPECIAL, and thus, for this verification 
the specifications were expressed in the LISP-like internal representation of STP. The 
logic of STP is an extension of a multi sorted (strongly-typed) first-order logic. The logic 
includes type parameterization and type hierarchies. STP support includes syntactic type 
checking and proof components as part of an interactive environment for developing and 
managing theories in the logic. At the core of the system is a fast, complete decision 
procedure [9] for a quantifier-free theory of (Presburger-like) arithmetic. The user of 
the system can introduce new types and function symbols, with the semantics specified 
through a set of first-order axioms. By providing aid to the theorem prover in the 
form of selection of appropriate instances of axioms and lemmas, the user raises the 
level of competence of the prover to the full first-order theory specified. A fundamental 
62 
FIGURE IV-11 A HIERARCHY OF SPECIFICATIONS 

characteristic of the system is that the user need know no details of the theorem prover 
itself; the system forms a complete mechanization of a simply-characterized theory. As 
a result of a successful proof attempt using STP, one obtains the sequence of axioms 
and intermediate lemmas, together with their necessary instantiations, which lead to the 
theorem. The system automatically keeps track of which formulas have been proved and 
which have not, so that the user is not forced to prove lemmas in advance of use. The 
system also monitors the incremental introduction and modification of specifications to 
monitor soundness. 
3. An Outline of the Specification Hierarchy 
Figure IV-12 shows an outline of the various specifications and analyses that are used 
in the justification of the reliability of SIFT. Before the individual specifications arc 
described in detail, we give a description of their intent and interaction. On the right 
of the figure is a hierarchy of specifications of the correct functional behavior of SIFT, 
while on the left is a set of analyses that yield the probability of that correct behavivT. 
The models at the bottom of the figure describe the hardware of SIFT, upon which the 
more abstract analysis is based. 
The 10 Specification, the most abstract functional description of the system, asserts that, 
in a 3a/e configuration, the result of a task computation will be the effect of applying its 
designated mathematical function to the results of its designated set of input tasks, and 
that this result will be obtained within a real-time constraint. Each task of the system is 
defined to have been performed correctly, with no specification of how this is achieved. 
The model has no concept of processor (thus no representation of replication of tasks or 
voting on results), and of course no representation of asynchrony among processors. The 
specification of this model contains only 8 axioms and is intended to be understandable 
by an informed aircraft flight control-engineer. 
The Replication Specification elaborates upon the 10 Specification by introducing the 
concept of processor, and can therefore describe the replication of tasks and their alloca-
tion to processors, voting on the results of these replicated tasks, and reconfiguring to 
accommodate faulty processors. The specification defines the results of a task instance 
on a working processor based on voted inputs, without defining any schedule of execution 
or processor communication. This model is expressed in terms of a global system state 
and system time. 
The Activity Specification develops the design into a fully distributed system in which 
63 
each processor has access only to local information. Each processor has a local clock 
and a broadcast communication interface and buffers. The asynchrony among processors 
and its effect upon communication is modeled. The specification explicitly defines each 
processor's independent information about the configuration and the appropriate schedule 
of activities. The schedule of activities defines the sequence of task executions and votes 
necessary to generate task results within the required computation window. The Activity 
Spccification is the lowest level description of the complete multiprocessor SIFT 6y6fem. 
The PrePost Specification consists of specifications for the operating system for a single 
processor. The specification, in terms of pre-condition/post-condition pairs, facilitates 
the use of sequential proof techniques to prove properties of the Pascal-based operating 
system as a sequential program. These specifications are very close to the Pascal programs, 
and essentially require the programs to "do w hat they do". 
The various programs that form the SIFT executive are written in Pascal and form the 
Pascal Implementation, from which is derived by compilation the BDX990 Implementation. 
This is the lowest level specification of the SIFT software. 
The functional behavior described by the I/O Model is assured only so long as the 
predicate system safe remains true. The analyses shown on the left of Figure IV-12 
provide the probability that system safe will remain true and hence that the desired 
functional behavior will continue. 
In the remainder of the paper, we present details of the specifications comprising the 
SIFT design hierarchy. Un/eu otherwile noted, all Ipecijicationl and mapping6 are taken 
from actual 6y6fem 6pecijications and completed proof6. For pedagogical purpo~es, we 
have used a syntactic transliteration of the actual form of the specifications. The STP 
system forced all user interaction to use a LISP-like prefix notation; we have transformed 
this into more common mathematical notation. 
The mechanical proof of consistency between the various levels of specification and further 
details of its derivation are contained in Chapters 6 and 7. 
4. Input/Output Specification 
The Input/Output Specification of SIFT, the highest level specifying functional behavior, 
defines the input/output characteristics of tasks performed by SIFT. The specification 
defines the configuration of system tasks and expresses the flow of information between 
tasks. Based on an abstract notion of time, which may be interpreted as subframe time, we 
refer to iterations of a task taking place during various time intervals. The time interval 
64 
RELIABILITY 1/0 
RA::ALYSIS ~TATES SPEC IF rTI ON 
ERROR RATE ~ REPLICATION 
ANALYSIS STATES SPECIFICATION 
RATES 
BDX930 
FAULT MODEL 
BDX930 
SPECIFICATION 
I 
BDX930 
MICROPROGRAM 
I 
BROADCAST 
SPECIFICATION 
I 
PRE POST 
SPECIFICATION 
PASCAL 
PROGRAM 
BDX930 
PROGRAM 
BDX930 MICROPROGRAM 
PROCESSOR SPECIFICATION 
BDX930 
LOGIC DESIGN 
FIGURE IV-12 THE HIERARCHY OF SPECIFICATIONS AND ANALYSES USED TO 
SUBSTANTIATE THE RELIABILITY OF SIFT 

for a particular iteration of a task is referred to as its execution window, having a begining 
time and an ending time. Each task is defined to use as inputs the values produced by 
its input tasks and produces one or more outputs during its execution window. Based on 
a high-level predicate specifying whether a task is aaJe during a particular iteration of a 
task, the specification defines that a task which is safe during an iteration will produce 
exactly one output value, computed as a function of its input values. Provided that 
the entire system is safe throughout some interval (i.e., that all tasks are safe for that 
interval), we can prove by induction that all tasks will compute correct functions of their 
intended inputs. This defines at a high level what it means for SIFT to function correctly. 
Conspicuously absent from this model is any notion that a task is replicated and computed 
on a set of processors. At a lower level, we shall explain that the value the I/O specification 
defines as resulting from a given task iteration will actually be the outcome of a majority 
vote of processors assigned to compute the task. The taak aaJety predicate taken as 
primitive in the I/O specification, specifying when a task can be relied upon to produce 
correct results, will be defined at a lower level to be a function of the amount of task 
replications and the number of working processors. 
Briefly, the model is organized as follows. Each task a in Ta8ks the set of all executive 
and application tasks, computes a (mathematical) function, denoted by function (a), of 
its input values. The function apply (/, til takes as parameters a functional value and 
an argument list and produces the result of applying the function to the argument list.! 
Inputs(a) denotes the set of tasks providing inputs to a. For task b E Inputs (a), the 
input to an iteration of a is provided by the most recently completed iteration of b prior 
to the execution window of that iteration of a. A derived function b to i of a denotes 
the iteration of b providing input to the i-th iteration of a. Because all tasks iterate once 
per frame, one can prove (as indeed we do) that b to i of a is equal to i or i -I, that is, 
that the input task is either "executed" in the same frame as the task or in the previous 
frame. During each iteration i of a task a, Result(a, i) denotes the set of output values 
which are produced. In order to map task iterations to subframe time, the function 
i of a is used to denote the time interval [tl' 12] comprising the execution window of the 
i-th iteration of a. The functions beg(i of a) and end(i of a) are used to denote the 
begining and end of the execution window, respectively. 
The overall structure of task configurations within the I/O model is illustrated in Figure 
IV-13. For a task such that the predicate task a safe during i is true, a will produce 
exactly one output value during its execution window. The output(s) of a task which is not 
!This is in ract a trick to use a first-order encoding or runctional value domains. 
65 
sare during its iteration is unspecified. Because the configuration or tasks is different ror 
different phases or the flight, not all tasks necessarily compute each iteration. A predicate 
a on during i determines whether Result(a, i) is expected to compute a runction or its 
inputs or to return a special 1. element as its value. 
Within the I/O specification, the interactive consistency algorithm is defined as a special 
rorm or task. For such a task a, satisrying the predicate i/ c( a), its associated mathe-
matical runction function(a) is defined to be the identity runction. Recall rrom our 
discussion in Section 4 the interactive consistency algorithm is used in order for multiple 
processors reading unreplicated (and possibly unstable) input to reach agreement on an 
input value. As we explain below, a sare interactive consistency task will alwaY6 produce 
a single output value. 
Based on these primitive runctions and predicates, the I/O specification contains eight 
axioms, expressing constraints on when task iterations are to take place and that sare 
tasks compute runctions or their designated inputs. We do not illustrate the entire set or 
axioms here. The axioms related to the scheduling or task iterations are straightrorward. 
They express basic requirements that successive iterations or a task are properly ordered 
in time and that the execution window or a task b must precede the execution window or 
a task a to which it provides input. 
The major axiom defining the Input/Output behavior of a task is the following: 
a on during i 1\ 
task a safe during i 1\ 
Vb E Inputs{a) 
IResult{b, b to i of a)1 = 1 
:J 
Result{ a, i) = 
{ apPly( lunction{a), {< v,t > It E IRnputls{{a) 1\. l )})} v E esu t t, t to • 0 a 
This axiom defines that any iteration or a task a, such that (1) a is both on and 
sale and (2) each task b providing input to the i-th iteration or a returns exactly one 
output value during its corresponding iteration (the notation 181 denotes the cardinality 
or set s), will return exactly one output during its iteration (i.e., that Result (a,i) will be 
a singleton set). The value produced will be that resulting rrom applying its designated 
function lunction{a) to the set or (tagged) values produced by its input tasks. The set of 
input values is specified as a set of pairs < v, t >, where, for each task t in the input set, 
v is the value in the (singleton) set Result( t, t to i of a). Thus, provided a is sare and 
its input is stable, it will correctly compute an output value. This is the main statement 
66 
of functional correctness of the system that is demonstrated by the proof effort. 
In the case of interactive consistency tasks, one additional axiom governs its input/-
output charact.eristics: 
(if c( a) A if c task a sare during i) :::> IResult( a, i)1 = 1 
This defines that an interactive consistency task which is safe during its iteration 
will always produce a single value as output. By the previous axiom, ir its input task is 
safe and thus provides a single output, the interactive consistency task will perrorm its 
associated function (in this case the identity function) on the input. Even ir the input 
task is not sare, however, the current axiom defines that lome single output value will be 
produced. This is the main correctness criterion for the interactive consistency algorithm. 
We did not carry out a mechanical proor or this axiom - a hand pro or can be found in 
[6]. 
These are the major axioms of the I/O specification. In the next section, we present 
the next lower-level specification and show how the primitives and stated axioms of the 
I/O specification are supported at the next level. 
5. The Replication Specification 
The Replication Specification, at the next lower level, introduces the notion that 
tasks are replicated and executed by some number of processors. Based on a high-level 
concept or each processor communicating its results to all other processors, a specification 
of the majority voting perrormed by each processor is given. Also defined (but not 
proven) is the information flow through which error reports from individual processors 
are provided to the global executive. This inrormation is used by the global executive in 
order to diagnose processor faults and remove, rrom the configuration, processors deemed 
to have solid faults. 
The concept of task scheduling has been refined to define not only the execution 
window for task execution but also the set or processors assigned to execute the task. 
The function poll tor i or a denotes the set of processors assigned to compute the i-th 
iteration of task a. The I/O model primitive predicate a on during i is derived within 
the Replication model as: 
a on during i - 3p E poll for i of a 
With the concept of processor computation occuring in the Replication model, the task 
safe predicate appearing as primitive within the I/O model can be derived within the 
Replication model in terms of working processors. The Replication model includes a 
67 
variable S, which denotes the set of "safe" processors at any given time. SI t lJ t 21 denotes 
the set of processors safe during the interval [tl , t2]' At the Activity model level, we 
will define a processor being "safe" as a rather compl!!x function of having correctly 
functioning hardware, being in the correct configuration, and having a clock within some 
skew of other processor clocks. Of course this set will not have ~n implementation 
counterpart, since the implementation will never have perfect information concerning 
the set or ~orrectly runctioning processors. 
A. derived concept at this level is that of a task iteration's data window. 
The DWindow for 6 to i of a is defined to be the time interval 
[ beg (6 to i of a) of 6, end (i of a)]. 
Based on this function, we define DWindow for i of a to be the interval extending rrom 
the begining of the execution window or the earliest input task to a and extending to the 
end of the execution or i of a. 
Using these concepts of data window and the set of working processors, we can now 
derive the task safe predicate of the I/O model as follows: 
task a safe during i 
2 X Ipoll for i of a n s DWlndow lor i 01 a I > Ipoll for i of 01 
V "'-J a on during i 
The definition states that a task a is safe either ir a majority or the processors assigned 
to compute the task are working for the data window or the task or ir the task is not on 
during i. It is necessary that the processors are in the working set S for the entire data 
window of the task in order that we can be assured (in mapping to the next lower-level 
specification) that the processor will not corrupt its input data prior to its use. We omit 
discussion of the conditions necessary to define the sarety of interactive consistency tasks. 
With the concept that a processor computes an iteration or a task comes the function 
Result(a, i) on p which denotes the set of outputs produced by processor p for the i-th 
iteration of task a. In a manner left unspecified by this level, processor p communicates 
its results to all other system processors. The function Result (a, i) on p i~ q denotes 
the value that processor q has reportedly received from processor p for the i-th iteration 
of a. The relationship between Result on and Result on in is defined by the rollowing 
axiom: 
68 
q E poll for j of b n SDWlndow for j of b 
:::> 
Result(b,j) on q = 
{ 1
3 p p E sj of b " } 
v v = Result(b,j) on q in p 
This defines that, for a processor q in the poll set that is safe for the DWindow, the 
Result set on q is equal to the set of values that processors safe for the execution window 
have reportedly received from q. More int.uitively, this states that the output of a working 
processor in the poll is the set of values reportedly received by working processors. 
The function Result(a, i) in q is used to define the result of processor q voting on 
the output of the i-th iteration of a based on the results communicated to it. 
The overall structure of the Replication model is illustrated in Figure IV-14. The 
task structure shown is a refinement of the task configuration illustrated in Figure IV-13. 
As we shall show shortly, the I/O primitive Result (a, i) for a safe ta.'3k iteration will 
be derived as the value a majority of assigned processors obtained by their voting. All 
processors are required to report the results of each task computation to all processors, 
and all processors are required to vote on all received values. Rather than a task producing 
a set of output values as in the I/O model, in the Replication model, a task produces a set 
of ~equence~ of values. This reflects the fact that conceptual values in the system actually 
consist of a sequence of "machine words". Processor voting is scheduled (as specified at 
the next level of specification) on a word by word basis. We define voting via the following 
aXIOm: 
p E Si of b " 
1 < y < result size( b) 
:::> 
(Result( b, j) in p )[y] = 
. . ({ Iq E poll for j of b" }) 
maJority < v,q > v = (Result(b,j) on q in p)[y] 
For a safe processor p, a vote on a defined value position y, the y-th element in Result (b,j) 
in p is defined to be equal to the majority of first components in the set of value-processor 
pairs < v, q >, where q is in the poll set and v is the y-th component of the result on in 
value in processor p. This represents an encoding of majority value in the bag of all values 
in p reportedly received from processors in the poll set for task b. 
69 
The main execution axiom of the Replication Specification is now given as follows: 
p E poll tor i ot a n SDWlndow for i of a 
:::> 
Result{a, i) on p = 
{ apPly ( tunction{a), { < v, t > I : ~ ~:;::;t\~~ t t: i ot a) in p})} 
This axiom, quite similar to its counterpart in the I/O model, defines that a working 
processor p in the poll set for the i-th iteration of task a, will compute the proper 
function of its locally-voted input values. Note that, unlike its I/O axiom counterpart, 
this is purely a local specification of the actions of a single, working processor operating 
on locally-computed information - still with respect to a synchronous system. 
We are now in a position to define the mapping up to the I/O concept of Result (a, i). 
This is given by the following axiom: 
Result(a, i) = 
{ 1
3 p p E Si of a" } 
V V = Re8ult{a, i) in p 
This expresses the set Result(a, i) as consisting of the set of values that safe processors 
obtained as a result of voting. 
\Ve omit discussion of the other axioms of the Replication Specification. In order to 
show that the I/O Specification is a valid abstraction of the Replication Specification, we 
must prove that the I/O axioms follow as theorems from the Replication axioms and the 
mappings. 
The proof of the main Execute axiom of the I/O Specification required that each safe 
processor voting be shown to obtain the same voted value, assuming from the antecedent 
of the I/O Execute axiom that the task is safe and that there is only one value of the 
Result of each input task. This implies that each safe processor applies the correct 
mathematical function to the same set of input values and thus every safe processor 
produces the same correct output value. But our I/O assumption of task sate asserts 
. that a majority of the processors computing the task are safe; therefore, the majority of 
computed values must be the correct value. 
The proof of the main I/O Execute axiom from the Replication axioms required 
approximately 22 proofs, with an average of 5 premises necessary per proof, and 106 
instantiations of axioms and lemmas overall. 
70 
Task b 
Iteration 
j = b to i of a 
Task c 
Iteration 
k 
b(jl 
Task a 
Iteration 
i of a 
alii 
FIGURE IV-13 THREE TASKS IN THE I/O MODEL 
Task b 
Iteration 
Task e 
Iteration 
k 
elkl on p 
Task b 
Iteration 
j=btoiofal-'" - .. , iI 
Task e 
Iteration 
k=ctoiofa 
Task b 
Iteration I b(j) in r 
Taske 
Iteration fZIkI on r 
k 
Ib to i olal of b = i 0' b 
k of c 
b(j) inq 
DWindow i of a 
Task a 
Iteration 
Task a 
Iteration 
alilonq 
Task a 
Iteration 
i ola 
FIGURE IV-14 THREE TASKS IN THE REPLICATION MODEL 
Processor p 
aliI inq 
Processor q 
Processor r 
Time 
'-7" 
1 The Activity Specification 
This level or specification defines a completely local view or the behavior of a single 
processor in the SIFT system. The fully diltributed nature of the SIFT system is specified 
at this level: each processor has an independent concept of time, configuration, and 
schedule. Also at this level is a more explicit model of the activities and data structures 
carry out the transformations specified at the Replication level. Whereas the Replication 
level defines the executed and voted values for each execution window of a task, the 
Activity level defines a schedule of execute and vote activities to realize this within the 
execution window. 
Within the Activity model is the first indication that the SIFT system is not synchron-
ous; the subframes on the various processors start and finish at slightly different real 
times. Two functions, start(t,p) and finish(t,p) map subframe time on processor p to 
real times at which the subframe starts and finishes, as shown in Figure IV-15~Real-time" 
is represented in the specification as a discrete domain, which can be thought of as "clock 
ticks," to allow induction. A short overhead interval occurs between the finish of one 
subframe and the start of the next. Because of clock skew and transport delay within 
SIFT, the processors will not be exactly synchronized, but, for the system to function 
correctly, it is necessary that the clocks remain within a specified tolerance, max skew, 
of each other. This is the responsibility of the clock synchronization task, a part of each 
processor's Local Executive, using an algorithm whose proof is given in [10]. The required 
synchronization is expressed by: 
clock sare(p, t) 1\ clock sare(q, t) 
:::> 
finish(t,p) + broadcast delay < start(t + l,q) V 
finish(t,q)+ broadcast delay < start(t+ l,p) 
As we discussed earlier, SIFT is carefully designed so that the distributed system is 
effectively 8ynchronou,. Within the limits given above, asynchronism caused by processor 
clock skew has no external effect. In the case of the broadcasting of the results of a task, 
for example, our specifications define the value at the destination only after the latest 
time at which the broadcast could have been completed, given the maximum processor 
skew. It is necessary to prove that no access to these data is attempted before that time, 
in order to map this asynchronous system up to the higher-level, synchronous Replication 
and I/O models. 
The state of each processor is specified using two state-selector functions, correspond-
ing to two data structures of the SIFT operating system: a data file connected via a 
71 
broadcast interface to all system processors, and an input file into which voted values are 
placed and from which a task retrieves its input values. In the Activity specification, the 
function datafile in p for a on q at rt denotes the value in the datafile in processor p at 
real-time rt for the result of task a on processor q. The function input in p for a at rt 
denotes the value in the input file in processor p at real-time rt for the voted result of 
task a. 
As we mentioned earlier, each processor has an independent opinion of the configura-
tion it is expected to use in scheduling activities. At the start of a suhrrametime t, 
processor q uses as the appropriate configuration config (t,q) the value in a configuration 
sub field of input in q for GEO at start(t,q), where GEO denotes the replicated Global 
Executive task. For configuration c, the function ached (c, t, q) denotes the sequence 
of activities scheduled for subframetime t on processor q. An activity is either < 
execute, a >, specifying the execution of task a or < vote, a, fI > specifying a vote on 
element fI of the output of task a. Figure IV-16i11ustrates the interaction between the 
data structures and scheduled activities. 
The effect of an execute is specified by the following axiom: 
p,q E We " 
< execute, a >E ached( config(t,q), t,q) 
~ 
datafile in p for a on qat ( finish(t,q) + broadcast delay()) = ( . { I bE Inputs(a) " }) apply functlOn(a), < v, b > . ., b ( ) v = lDput lD q lor at start t + 1, q 
The set We denotes the set of correctly functioning (working) processors during sub-
frametime t. The antecedent of the axiom defines that processors p and q are working 
during subframe t and that an execute activity for a is among the activities scheduled 
for processor q, according to its perceived configuration. The consequent specifies that 
. the datafile in each working processor p for a on q at the finish of that subframe plus 
the broadcast delay, according to q 'a clock, is equal to the correct function applied to 
the set of input values present in the input file at the atort of the next aubfrome. Several 
explanations are in order. The hardware broadcast interface connecting processor q's 
datafile to all processor datafiles is asynchronous and can be initiated at any time during 
the subframe, with respect to q's clock. In the event of an execute and a broadcast 
by processor q sometime during subframe t, the earliest moment at which the entry for 
a on q can be guaranteed is the finish of the subframe plus the maximum broadcast 
delay. Thus the value is only defined at this moment in time, and with respect to the 
broadcasting processor's clock. It was necesary to demonstrate that, with respect to 
72 
BROADCAST 
DELAY 
I MAX J I 1 SKEW I I" -I_I 
1 I 1 
p ~I --------------~I i~ 
q 
STARTIt. q) 
1 
I 
I 
1--"'""-----
I OVERHEAD 
I 
FINISHIt. q) 
t+1 
t+1 
FIGURE IV-15 THE TIMING RELATIONSHIPS BETWEEN SUBFRAMES ON ASYNCHRONOUS 
PROCESSORS 
Task b 
Iteration 
Task c 
Iteration 
k 
1/ 
I 
" , 
r ~xe;ute I Broa:cast I ~ ---, 
Schedulelt,.r) 
I 
Task I 
Iteration 
1 V~te I I .. I E~e:ute I 
Schedulettq.q) 
FIGURE IV-16 A PARTIAL VIEW OF THREE TASKS IN THE BROADCAST MODEL 
Processor p 
Processor q 
Proceuor r 
receiving processor p'S clock, the information is present by start (t + I,p). Given the 
set of specified schedule constraints, it was shown that the information is present in all 
loosely synchronized processors prior to the first moment at which access can occur. 
One might notice that an execute activity scheduled during subCrame time t causes 
the datafile at the start of time t + I to contain the result of applying the appropriate 
function to the arguments present at the start of time t+ 1. This rather noncomputational 
definition is due to the possibility of one subframe containing a vote on an input value 
and subsequent use in an execute. The effect of this sequence can be characterized by 
stating that the execution uses as inputs the values defined aher the end of the subframe. 
In mapping this to the computation performed by the implementation, it was necessary 
to prove that schedule constraints allow this to be achieved by sequentially performing 
the activity sequence scheduled for the subframe. 
The axiom defining a vote activity scheduled for the subframe is the following: 
p E W
t 
" 
< vote, a, y >E sched( config(t,p), t,p) 
:) 
(input in p for a at start(t + l,p))[Yl = 
. . ({ I q E poll by p for a at t " }) 
ma.Jorlty < d,q > d = (datafile in p for a on qat start(t,p))[yl 
Given a working processor p scheduled to perform a vote on the y-th component of 
a during subframe t, the input file in p at the start of the following subframe is defined 
to be the majority of datafile values present in the datafile at the start of subframe t. 
The function poll by p for a at t denotes the set of processors determined by p at the 
time of the vote to have executed the last iteration of task a. This is defined as a rather 
complex function of p'S view of the system configuration at the start of the subframe and 
of the schedule table. We do not give the definition here. 
These axioms constitute the primary axioms defining the Activity specification. 
There are in all approximately 40 axioms defining the introduced functions and predicates 
of the model and constraining the composition of the schedule table. 
In terms of the functions of the Activity model, we can now define the mappings 
to the function symbols of the Replication model. The function Result on in of the 
Replication level is derived with the following axiom: 
73 
v = Result(a, i) on pin q 
\1'1, t beg(i of a) < t < end(i of a) " 
1 < '1 < result size( a) 1\ 
< vote,k,SI >E sched( config(t,q),t,q) 
::> 
v['1] = (datafile in q for a on pat start{t,8»)[SI] 
Briefly, the mapping axiom defines each component SI of the Result on in value to be 
the value present in the datafile at the time during the execution window when a vote 
activity is scheduled for element 1/. Thus, the concept or value reportedly received by 
processor q from processor p is defined as the value used at the time or a scheduled vote 
on q. 
In an analogous manner, the mapping up to the Replication Result in voted value 
is defined by the following axiom: 
start frame( frame(t» = i X frame size() " 
1 < SI < result size(a) " 
< vote, k, SI >E sched{ config(t,p), t,p) 
::> 
(Result(a, i) in p )[SI] = (input in p for a at start(t + l,p »)['1] 
Briefly stated once again, each SI-th component of Result in for processor p is defined to 
be the value in the input file in p at the start of a subframe following a vote scheduled on 
element SI during a subframe corresponding to the i-th iteration of task a. Intuitively, the 
voted value is the value in the input file rollowing a scheduled vote. Schedule constraints 
allow only one vote to be scheduled on a given element during an execution window. 
The poll for of concept of a global poll set found in the Replication level is mapped 
up from the Activity level with the following axiom. 
pollfor i of a = { q 13 p 3 t 3 SI 
start frame( frame{t» = i X framesizeO 1\ 
1 < SI < result size{ a) " 
< vote, a, SI >E 8ched{ config(t,p), t,p) 1\ 
p E Si of a " } 
q E poll by p for a at t 
The global concept of poll for i of a is derived as the set of all processors included 
in poll by p for a at t at the time or a scheduled vote (of any element) on a processor 
p sare ror the execution window. 
74 
Finally, the last mapping to be illustrated is the derivation of the set of safe proces-
sors, as used in the Replication model. This is defined by the following mapping axiom: 
st = {p Ip E W t A 
clock safe(p, t) A 
task GEO safe during last(t, GE()) A 
Result( GEO, last(t, GE())) = } 
input in p for 'GEO at start(t,p) 
The above definition represents a precise statement of a processor that is correctly 
functioning, has a view of the last Global Executive output reflecting the consensus, 
and whose clock is close enough to other safe processors to properly communicate. The 
interaction between processor safety and the output of the Global Executive is worthy 
of further explanation. The definition does not require the processor to have been safe 
during previous subframes; this allows transient faults to have affected the processor 
in the past. The only requirements expressed are (1) that the Global Executive task 
have had sufficient replication to remain safe (effectively since system start-up), (2) that 
the configuration (contained within the output of the Global Executive) for the current 
subframe be unaffected, and (3) that clock safety be recovered despite any transients 
affecting the clock in the past. 
The proof of the relationship between the Replication Specification and the Broadcast 
Specification was quite challenging. The proof involved showing that the distributed sys-
tem has, as a valid abstraction, the synchronous, global characterization expressed in 
the Replication Specification. This required that the axioms and schedule constraints 
imply consistency of configuration and schedule within a single processor and between 
processors during an execution window. It was necessary to show that vote and execute 
activities, replicated on different processors and running during different subframes within 
the frame, use the same information for input. Furthermore, the proof required that the 
various processors, operating independently and asynchronously with only local informa-
tion, communicate with each other without mutual interference; that the task schedules 
guarantee that results are always available in other processors when required, and are 
never accessed during broadcast. The derivation of the Replication axioms involved 56 
proofs, with an average of 7 premises each, and 410 instantiations of axioms and lemmas 
overall. 
2 PrePost and Imperative Levels 
The PrePost specification intended to form a bridge between the Activity Specification 
75 
and the Pascal programs of the operating system. It is expressed in terms of preconditions 
and postconditions for operating system operations and the specifications are very close 
to the Pascal programs, essntially requiring the programs to "do what they do" . 
The Activity level represents a specification for each processor in the distributed, 
multiprocessor system. In contrast, the PrePost level, very similar in abstraction to 
the Activity level, defines the behavior of a single, independent processor. The model 
employs the data structure abstractions present in the actual Pascal operating system 
implementation and is intended to facilitate a connnection between the multiprocessor 
system specification and the proof of the Pascal operating system executing on a single 
processor. 
At the program level of abstraction, even conceptually simple properties require 
very complex specification and tedious verification. Because of the difficulty inherent 
in mapping between design specifications and an imperative implementation model, we 
deliberately limited the conceptual jump between the two levels. Having proved all con-
sidered aspects of the design correct at higher levels in the hierarchy, the only concep-
tual jump between the lowest level design specification and the implementation was the 
change in specification medium; the PrePost specification expresses that the "code does 
what it does." A traditional verification condition generation paradigm [11] was employed 
to prove precondition/postcondition procedure characterizations from the Pascal proce-
dures, each treated as a sequential program. We explain only enough of the model and 
its specification for the reader to glean an overall understanding of the nature of the 
specification. 
Within the PrePost model, the state of a processor is specified as a pair < p, t >, 
where p is a processor id and t is a suhrrame time. Accessor functions proc and time 
map states· into component processor and time components (respectively). For a state 
pair < p, t >, the function next( < p, t » = < p, t + 1 >. Within the Pre Post 
model, each data structure of the Pascal program is declared as an explicit function of 
the state. At the program-level, the datafile is implemented as a two-dimensional array 
of type array [proc, task] 0.1 array [Integer] 01. Integer, mapping a processor id 
and task name into the array of Integer values currently in the datafile. The input file 
is a program structure declared of type array [task, Integer] 0.1 Integer, task name 
and element number into an Integer value. Similarly, the schedule table is implemented 
as an array of type array [proc. config. subframe. activity-index] C2L activity, 
defining for each processor, configuration, subframe, and activity index, which activity is 
to be performed. The schedule table is a constant data structure present in each processor 
and thus not a function of the state. 
76 
~ 
The following PrePost axiom defines the semantics of the Execute activity: 
proc(8i/t8tate) E wtlme(.i/t8tate) " 
3j 1 < j < max activities() " 
< eXt!cute, a >= ached table()[ real to virt(8i/t8tate)[ proc(8i/t8tate)), 
pconfig( 8i ft8tate), 
au brrame( 8i/t8tate), 
j) " V b V jV V 1 < V < result 8ize()[b) " 
p.inputs[a,j) = b ~ null taskO 
~ inp[j, v) = input( next(8ift8tate))[b, V] 
datafile( next(8ift8tate))[ proc(8i/t8tate), a) = task rellultll(a, inp) 
The antecedent of the axiom defines the case where the processor component of the state 
is correctly functioning for the current subframe, some activity of the schedule for the 
current configuration and subframe specifies an Execute for task a, and the auxiliary array 
variable inp contains the value in the input data structure in the state next (8i/t8tate), for 
each input task b indicated by the array p.inputs. The array real to virt, shown here 
as an explicit function of the state, maps a real processor id into a logical processor id, in 
terms of which the schedule table is defined. Assuming the antecedent holds, the axiom 
then defines the datafile in the executing proce680r in state next(8i/t8tate) to contain 
the results of applying the appropriate mathematical function to the input array inp . 
As we discussed in the previous section, it is required to prove during code verification 
that sequential execution of the schedule activities will satisfy this noncomputational 
specification of effect. A mapping axiom defines that the value corresponding to the 
processor's own entry in the datafile of a safe processor will be in all other datafiles by 
the start of the next subframe. 
In order to apply sequential verification techniques to the Pascal program executing 
on the processor, it is necessary to make the state < p, t > or the processor and 
the dependence upon a correctly functioning processor implicit. The sequential proor, 
in effect, considers execution on a properly functioning Pascal machine satisfying the 
axiomatic specification of Pascal. Furthermore, the next (8i/tstate) transition is taken 
to be one iteration of the Pascal dispatcher procedure, called once per subframe by a 
clock interrupt to execute the scheduled activity sequence. This "metatheoretic" jump is 
the only departure from our formal notion of hierarchy and is made as a concession 
to allow traditional code verification tools to form the last link in the proof. The 
validity of this jump is dependent upon a proof that the dispatcher in fact is allowed to 
77 
execute as a sequential program, with no clock interrupts before completion and with no 
interference between internal and external data structure access. The former assumption 
was demonstrated by a timing analysis of the actual Bendix 930 code and the latter by 
the non-interference proof at the Activity Specification level. 
The following precondition/postcondition characterization of the dispatcher is produced 
and verified for the actual dispatcher procedure: 
3 j 1 < j < max activitiesO A 
< execute, a >= ached table()[ real to virt(mSfproc), 
pconfig, 
8ubframe, 
j] A 
V b V jV Sf 1 < Sf < result size()[b] A 
pinputs[a,j] = b :f: null taskO 
:J inp[j,Sf] = input[b,Sf] 
{ dispatcher} 
datafile[mSfproc, a] = task results(a, inp) 
Hoare sentences like the above, asserting properties of a sequential dispatch procedure 
and its effect on the Pascal data structures, were proven consistent with the actual 
im plementation. 
The code proof required demonstration of approximately 40 verification conditions 
and was carried out by Dwight Hare and Karl Levitt using a version of the SPECIAL code 
verification system. The design proof between the Activity and PrePost specifications 
required 17 proofs, with an average of 9 premises each, and 148 instantiations overall. 
8. Conclusions and Further Work 
Our proof has demonstrated that the Pascal implementation of the SIFT distributed 
system satisfies the execution axioms of the I/O Specification. That the axioms of the I/O 
Specification characterize "correct" system operation remains a subjective judgement. 
The soundness of the axiomatic specifications is demonstrated by the existence of an 
imperative model at the lowest level of the hierarchy, relative to interpretations for all 
unimplemented function and predicate symbols (such as W, the set of working processors). 
Also assumed is the correct implementation of the Pascal machine, realized by the Pascal 
compiler and the Bendix BDX930 hardware. 
78 
The proof of the fault tolerant clock syncronization algrithm was performed inde-
pendently, without mechanical support, and is given in Appendix B. The mechanical proof 
given here, the proof of correspondence to the I/O Specification, encompasses schedul-
ing, rating, and interprocessor communication. Yet to be performed is the proof of or-
respondence to the probabilistic reliability analysis, encompassing error diagnosis and 
reconfiguration. We expect to perform this remaining proof over the next year. 
The process of formal specification and verification of SIFT resulted in the discovery 
of four design errors - errors that would have been difficult or impossible to detect by 
testing. Early specification efforts uncovered the insufficiency of three clocks for fault-
tolerant clock synchronization (see Appendix B). The formal proof revealed that tasks 
not scheduled to execute did not regenerate their default result value every iteration, thus 
exposing that result to the accumulation of errors from transient faults. 
A conclusion of our work is the importance of de6ign verification prior to implemen-
tation verification. The highest-level design specifications for the SIFT system could not 
have been expressed in terms of specifications of individual Pascal programs. 
The STP system used for specification and mechanical proof was developed COD-
currently with the proof effort, with its approach heavily influenced by our ongoing ex-
perience in attempting the proofs. The success of the man-machine symbiosis depended 
upon the user being able to express naturally his understanding of the proof in guiding the 
proof. Under other sponsorship, SRI is currently developing a new specification language 
for HDM, including parameterized theories, specification of state-modifying operations, 
and Hoare sentences, and are constructing an enhanced STP verification system. 
References 
[1] J. Wensley, et aI., "SIFT: Design and Analysis of a Fault-Tolerant Computer for 
Aircraft Control", Proceeding6 0/ the IEEE, 60(10):1240-1254, October 1978. 
[2] J. Goldberg, "SIFT: A Provable Fault-Tolerant Computer for Aircraft Flight 
Control", IFIP Congre66 80, 1980. 
[3] C. Weinstock, "SIFT: System Design and Implementation", Tenth International 
Symp06ium on Fault-Tolerant Computing, Oct 1980. 
[4] J. Goldberg, "Development and Evaluation of a Software-Implemented Fault-
Tolerant Computer: SIFT Hardware" , Interim Technical Report, SRI International, 
Nov. 1979. 
79 
[5} K. Mosses, "SIFT - A Ultra-Reliable Avionic Computing System" , NATO AGARD 
Conference on Tactical Airborne Diatributed Computing and Network" June 1981. 
[6} M. Pease, R. Shostak, L. Lamport, "Reaching Agreement in the Presence of 
Faults", JACM, 27(2):228-234, April 1980. 
[7} A. Hopkins, T.B. Smith, J. Lala, "FTMP - A Highly Reliable Fault-Tolerant 
Multiprocessor for Aircraft", Proceeding' of the IEEE, 66(10): 1221-1239, Oct 
1978. 
[8} R. Shostak, R. Schwartz, P.M. Melliar-Smith, "STP: A Mechanized Logic for 
Specification and Verification", 6th Conference on Automated Deduction, June 
1982. 
[9} R. Shostak, "Deciding Combinations of Theories" ,6th Conference on Automated 
Deduction, June 1982. 
[10} L. Lamport, P.M. Melliar-Smith, "Synchronizing Clocks in the Presence of Faults", 
in preparation, SRI International, Feb 1982. 
[ll} S. Igarashi, R. London, D. Luckham, "Automatic Program Verification I: A 
Logical Basis and its Implementation", Acta Informatica, 4:145-182, 1975. 
80 
CHAPTER 7 
DESIGN VERIFICATION OF SIFT - LISTINGS 
81 

The Listing of the Design Proof for SIFT 
This listing has been produced by a preUyprinting program from the original proof 
listings used in the proof. Manual intervention has been used only for pagination. The 
font used to print the listing was specially developed to improve the legibility oC the proof 
Cor this report. 
Reading a proof such as that below is a major undertaking, and complete familiarity 
with the STP system (described in Chapter 3), with the commands to STP (described in 
Chapter 4), and with the overall structure of the hierarchical specifications and design 
proof of SWT (described in Chapter 5) are essential. To assist the reader to understand 
the actual proofs, we first include a sample proof in which the prove command has been 
expanded and annotated to show the substitutions made in the lemmas and axioms cited. 
Particular attention should be paid to the manner in which reference is made to free and 
bound quantified variables in the proof. 
The proof commences with the definition of Integers (an augment to the built-in 
theory), Natural Numbers, Pairs, and Sets. Next the concept of a subframe is defined 
followed by the a.'doms of the 10 Specification, the most abstract specification of the 
system. This is followed by a definition of Majority and the axioms of the Replication 
Specification. Next comes the proof of the relationship between the 10 Specification and 
the Replication Specification, arranged as a series of lemmas, each with its proof, followed 
by the proofs for axioms of the 10 Specification. 
The listing continues with the axioms that describe constraints on the schedules for 
SWT, followed by the axioms of the Activity Specification. Next comes the mapping of the 
Replication Specification onto the Activity Specification, and the lemmas and proofs that 
demonstrate the consistency of those two levels of the specifications. This is followed by 
the specifications of the PrePost level of abstraction of SWT, and the mappings and proofs 
between the Activity and PrePost Specifications. Lastly, the proof status of a number of 
axioms is exhibited, showing what other axioms and unproven formulas the proof of each 
of these axioms depends on. 
83 
/* 
A Primary L('mm:t. 1 f :l ta~k executes and is ::;:tfp, and if 
all its i IIput.S are wi 11 behaved, a S:Lfe proc('ssor vuting on the 
broadcast results will ~btain the corre~t result value for 
t.hat task 
Hr.L1·1: formilla 
TASI<' SAFE(K. I) 
A ON. DFH I t-;G (1\, 1) 
A LJQ E SAFE.FOR(OF(I. K» 
A (V L: L E INl'llTS(I\) ) 1 = CARD(IU~SULT(L, TU.OF(L, I, K»» 
A I 5 y 
A Y ~ HEStTLT. STZE(I<) 
) 
SEQ. ELEM (APPLY (FUNeT [ON (K), V. INPUTS. A::! (I, K», Y) 
= MA.HlRlTY(D.nM:.D·I(K, I, QQ, Y» 
prove HP.LH [1. .. *L:l] 
using ar.L1:) 
HI'. D~)A 
CAfm . D . BAG. D·\ 
CAIW . D . B:\G . L \ 0 
CAHD.~l·IlSET [S~ .. D.HAG.Ll::!(K, I, QlJ, Y), 
Sl .. I>.IW:.LlO(K, I, QQ, Y)] 
MAJ.l [Tl.V .. :;EQ.ELEM(APPLY(FUNCTlON(K), V.INPllTS.A2(I, K», Y), 
M.IW:.l .. D.nAG.L12(K, I, QQ. Y), 
M.BAG .. D.nA(;.D-t(K, I, QQ, Y)] 
RP.Ll:.:A [D.P. I .. *Vl.V2:t3] 
84 
46_PP.PR.ATTEMPT) 
PREMISES FOR PROOF OF RP.L14 ARE: 
1. RP .L13 
QQ E SAFE.FOR(OF(I, K» 
A (V L: L E INPUTS(K) ) 1 = CARD(RESULT(L, TO.OF(L, I, K»» 
) 
D.BAG.LIO(K, I, QQ, Y) ~ D.BAG.L12(K, I, QQ, Y) 
/* Note that, to satisfy the antecedent, we must show for an arbitary L 
in the input set, the cardinality of the result is 1. The arbitary 
L can be referred to as *L:l in composing substitutions. */ 
2. RP.D9A 
TASK.SAFE(K, I:D) 
,ON.DURING(K, I) 
V CARD(POLL.FOR.OF(I, K» 
< 2*CARD(POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K») 
3. CARD.D.BAG.D4 
CARD(D.BAG.D4(K, I, QQ, Y» = CARD(POLL.FOR.OF(I, K» 
4. CARD.D.BAG.LIO 
CARD(D.BAG.LIO(K, I, QQ, Y» 
= CARD(POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K») 
5. CARD.SUBSET [S2 ~ D.BAG.L12(K, I, QQ, Y), 
Sl ~ D.BAG.L10(K, I, QQ, Y)] 
D.BAG.LIO(K, I, QQ, Y) ~ D.BAG.L12(K, I, QQ, Y) 
) 
CARD(D.BAG.L12(K, I, QQ, Y)) ~ CARD(D.BAG.L10(K, I, QQ, Y)) 
85 
6. MAJ.l [Tl.V ~ SEQ. ELEM(APPLY (FUNCTION (K), V.INPUTS.A2(I, K», Y), 
M.BAG.l ~ D.BAG.Ll2(K, I, QQ, Y), 
M.8AG ~ D.BAG.D4(K, I, QQ, Y)] 
(V Vl.V2: 
Vl.V2 E D.BAG.Ll2(K, I, QQ, Y) 
SEQ. ELEM(APPLY (FUNCTION (K), V.INPUTS.A2(I, K», Y) = VALUE(Vl.V2) 
A Vl.V2 E D.BAG.D4(K, I, QQ, Y» 
) 
(CARD(D.BAG.D4(K, I, QQ, Y» < 2*CARD(D.BAG.Ll2(K, I, QQ, Y» 
) 
SEQ.ELEM(APPLY(FUNCTION(K), V.INPUTS.A2(I, K», Y) 
= MAJORITY(D.BAG.D4(K, I, QQ, Y») 
/* Again, the antecedent requires showing a property for an arbitary 
vl.v2 value pair. *vl.v2:6 will refer within the substitutions 
to this value. */ 
7. RP.Ll2A [D.P.l ~ *Vl.V2:6] 
*Vl.V2:6 E D.BAG.Ll2(K, I, QQ, Y) 
SEQ.ELEM(APPLY(flmCTION(K), V.INPUTS.A2(I, K», Y) 
= VALlffi(*Vl.V2:6) 
A *Vl.V2:6 E D.BAG.D4(K, I, QQ, Y) 
/* Here we substitute *vl.v2:6 for the free d.p.l variable to 
discharge the hypothesis of premise 6. */ 
CONCLUSION IS 
TASK.SAFE(K, I) 
A ON.Dl~ING(K, I) 
A QQ E SAFE.FOR(OF(I, K» 
A (V *L:l: 
*L:l E INPUTS(K) ) 1 = CARD(RESULT(*L:l, TO.OF(*L:l, I, K»» 
A 1 ~ Y 
A Y ~ RESULT.SIZE(K) 
) 
SEQ.ELEM(APPLY(FUNCTION(K), V.INPUTS.A2(I, K», Y) 
= MAJORITY(D.BAG.D4(K, I, QQ, Y» 
/* The antecedent of the lemma to be proven asserted that, for 
all input tasks L, the cardinality of the result set was one. 
We therefore substitute *L:l for L, discharging the hypothesis of 
premise 1. */ 
86 
SUBSECTION 7.1 
INTEGER STP 
87 

var INTI: INTEGER 
var INT2: INTEGER 
var INT3: INTEGER 
UNINTERPRETED.TI~ffiS: (INTEGER, INTEGER) ~ INTEGER 
IPLUS: (INTI, INT2) ~ INTEGER = INTI+INT2 
IDIFFERENCE: (INTI, INT2) ~ INTEGER = INTI-INT2 
ITIMES: (INTI, INT2) ~ INTEGER = tmINTERPRETED. TIMES (INTI , INT2) 
TIMES. AXIOM. 1: ax iom 
~(INTI = INT2) A ~(INT3 = 0) ) ~(INTI*INT3 = INT2*INT3) 
/* Induction Scheme over Integers with Upper Bound: */ 
/* (FORALL INTI (FORALL INT3 
(IMPLIES 
(AND 
(LESSP INT3 INTI) 
(p INTI) 
(FORALL INT2 
(IMPLIES 
(AND 
(LESSEQP INT2 INTI) 
(p INT2» 
(p (IDIFFERENCE INT2 1»») 
(p INT3»») 
/* Induction Scheme over Integers with Lower Bound */ 
(FORALL INTI (FORALL INT3 
(IMPLIES 
(AND 
(GREATERP INT3 INTI) 
(p INTI) 
(FORALL INT2 
(IMPLIES 
(AND 
(GREATEREQP INT2 INTI) 
(p INT2» 
(p (IPLUS INT2 1»») 
(p INT3»» 
89 
/* Induction Scheme over Integer Intervals: */ 
/* (FORALL INTI (FORALL INT3 
(IMPLIES 
(FORALL INT2 
(AND 
(p INTI) 
(IMPLIES 
(AND 
(LESSEQP INTI INT2) 
(LESSP INT2 INT3) 
(p INT2» 
(p (IPLUS INT2 1»») 
(p INT3»» 
TIMES. AXIOM. 2: ax iom 
INTI*INT2+INT2 = (INTI+I)*INT2 
TIMES. AXIOM. 3 : ax iom 
INTI > INT2 A INT3 > 0 J INTI*INT3 > INT2*INT3 
TIMES. AXIOM. 4: ax iom 
INTI = 0 J INT2*INTI = 0 
TIMES. AXIOM. 5: axiom 
INTI*INT2 = INT2*INTI 
90 
\ 
SUBSECTION 7.2 
NAT STP 
91 

/* SPECIFICATION FOR NATURAL NUMBERS AS A SUBTYPE OF INTEGERS */ 
NAT: type is INTEGER 
var Y: NAT 
var Z: NAT 
var W: NAT 
var WI: NAT 
NAT. NONNEGATIVE: axiom 
Y ~ 0 
NATBOTI: (NAT, NAT) ~ NAT 
NATBOT2: (INTEGER) ~ NAT 
NPLUS: (Y, Z) ~ NAT = Y+Z 
var INTI: INTEGER 
INT.NAT: (INTI) ~ NAT = if INTI ~ 0 then INTI else NATBOT2(INTI) end if 
NDIFFERENCE: (Y, Z) ~ NAT = if Y ~ Z then Y-Z else NATBOTI(Y, Z) end if 
NTIMES: (Z, W) ~ NAT = Z*W 
MOD: (INTEGER, NAT) ~ NAT 
MOD.AXIOM: axiom 
Y = MOD(INTI, W) (3 INT2: Y < W A INTI = W*INT2+Y) 
93 

SUBSECTION 7.3 
PAIR OF STP 
95 

/* ********** Theory of Pairs ********** */ 
var TYPEI: type 
var TYPE2: type 
PAIR.OF: type (TYPEl, TYPE2) 
FIRST: (PAIR. OF (TYPE I , TYPE2» ~ TYPEI 
SECOND: (PAIR. OF (TYPEI, TYPE2» ~ TYPE2 
~~KE.PAIR: (TYPEI, TYPE2) ~ PAIR. OF (TYPE I , TYPE2) 
var PAIR: PAIR. OF (TYPE I , TYPE2) 
var PAIRl: PAIR. OF (TYPE I , TYPE2) 
var Xl: TYPEI 
var X2: TYPE2 
PAIR.~XIOM.I: axiom 
3 PAIR: FIRST(PAIR) = Xl A SECOND(PAIR) = X2 
PAIR.AXIOM.2: axiom 
Xl = FIRST(MAKE.PAIR(XI, X2» A X2 = SECOND(MAKE.PAIR(XI, X2» 
PAIR. EQUALITY: axiom 
PAIR = PAIRI 
FIRST(PAIR) = FIRST(PAIRl) A SECOND(PAIR) = SECOND(PAIRI) 
97 

SUBSECTION 7.4 
SETS AXIOMS 
99 

/* ********** Set Theory Lemmas Assumed ********** */ 
using NAT.STP 
var TYPEl: type 
SET.OF: type(TYPEl) 
var TYPE2: type 
MEMBER: (TYPE 1 , SET.OF(TYPEl)) ~ BOOL 
UNION: (SET. OF (TYPEl), SET.OF(TYPEl)) ~ SET.OF(TYPEl) 
INTERSECTION: (SET. OF (TYPEl), SET.OF(TYPEl)) ~ SET.OF(TYPEl) 
SUBSET: (SET. OF (TYPEl), SET.OF(TYPEl)) ~ BOOL 
CARD: (SET.OF(TYPEl)) ~ INTEGER 
var S: SET.OF(TYPEl) 
var Xl: TYPEI 
/* (DTV TYPEI X) */ 
var Sl: SET,OF(TYPEl) 
var V.CARD.l: TYPEl 
var V.CARD.3: TYPE 1 
var S2: SET.OF(TYPEl) 
SINGLETON: (S, X) ~ BOOL = XES A CARD(S) = 1 
SELECT: (SET.OF(TYPEl)) ~ TYPEI 
101 
SET. SELECTION: axiom 
SELECT(S) E S 
INTERSECT: formula 
XES n Sl = XES A X E Sl 
INTERSECTION. COMMUTES: formula 
S n Sl = S1 n S 
CARD. INTERSECTION: formula 
CARD(S n Sl) ~ CARD(Sl) 
CARD. SUBSET: formula 
Sl ~ S2 ) CARD(S2) ~ CARD(Sl) 
SUBSET: formula 
Sl ~ S2 - (V X: X E Sl ) X E S2) 
CARD. 1: formula 
CARD(S) = 1 ) (3 V.CARD.1: V.CARD.1 E S) 
CARD. 2: formula 
CARD(S) = 1 ) (X E S A Xl E S ) X = Xl) 
CARD.5: formula 
S ~ Sl A CARD(S) > 0 ) CARD(Sl) > 0 
CARD.6: formula 
CARD(S) ~ 0 
SETEQUALITY: formula 
Sl = S2 _ (V X: X E Sl = X E S2) 
CARD.4: formula 
CARD(S) > 0 ) (3 X: XES) 
CARD. 3: formula 
(3 V.CARD.3: V.CARD.3 E S A (V X: XES ) V.CARD.3 = X» 
) 
CARD(S) = 1 
102 
SUBSECTION 7.5 
SUBFRAME AXIOMS 
103 

/* ********** Theory of Subframe Time ********** */ 
/* Declaration of Subframetime */ 
SUI3FRAMETIME: type is INTEGER 
var T. SUB: SUBFRAMETIME 
var T1.SUB: SUBFRAMETIME 
var T2.SUI3: SUBFRAMETIME 
SUB.INeR: (T.SUB) ~ SUBFRAMETIME = T.SUB+l 
SUB . DEeR: (T. SUB) ~ SUBFRAMETIME = T. SUB-l 
/* 
Induction Scheme over Subframetime: 
(FORALL T. SUB (FORALL Tl. SUB 
(IMPLIES 
(FORALL T2.SUB 
(AND 
(p T . SUB) 
(IMPLIES 
(AND 
(LESSEQP T.SUB T2.SUB) 
(LESSP T2.SUB Tl.SUB) 
(p T2.SUB)) 
(p (SUB.INeR T2.SUB))))) 
(p T1. SUB) ) ) ) 
105 

SUBSECTION 7.6 
10 AXIOMS 
107 

1* ********** Input/Output Axioms --- The Highest Level ********** */ 
using INTEGER.STP 
using SEQ.STP 
using SETS.AXIOMS 
using PAIROF.STP 
var TYPE1: type 
var TYPE2: t.ype 
1* WAS (DTV TYPE1) *1 
REALTIME: type is INTEGER 
SUBFRAMETIME: type is INTEGER 
INTERVAL: type is PAIR. OF (SUBFRAMETIME, SUBFRAMETIME) 
var INTERVAL1: INTERVAL 
BEGIN: (INTERVAL1) ~ SUBFRAMETIME = FIRST(INTERVAL1) 
END: (INTERVAL1) ~ SUBFRAMETIME = SECOND(INTERVAL1) 
VALUE: (PAIR1) ~ TYPE1 = FIRST(PAIR1) 
SOURCE: (PAIR1) ~ TYPE2 = SECOND(PAIR1) 
FUNCTION. TYPE: type 
SET.OF: type (TYPE1) 
ITERATION: type is INTEGER 
var I: ITERATION 
INCR: (I) ~ ITERATION = l+I 
DATAVAL: type 
DATA: type is SEQ(DATAVAL) 
1* WAS (DT DATA) *1 
PROC: type 
TASK: type 
var K: TASK 
var L: TASK 
GLOBAL.EXEC: ~ TASK 
CLOCK: ~ TASK 109 
BOTTOMl: (TASK) ~ DATA 
var J: ITERATION 
var T: SUBFRAMETIME 
var TT: SUBFRAMETI~~ 
var II: INTERV.~ 
var P: PROC 
var QQ: PROC 
var V: DATA 
var V.T: PAIR. OF (DATA , TASK) 
var V.INPUTS: SET.OF(PAIR.OF(DATA, TASK)) 
var V.BAG: SET. OF(PAIR. OF (DATA , PROC)) 
EPSILON: ~ REALTIME 
LAMBDA: ~ REALTIME 
var T1: SUBFRAMETIME 
var T2: SUBFRfu\~Tn~ 
*X: (SET.OF(TYPEl)) ~ TYPEl 
OF: (ITERATION, TASK) ~ INTERVAL 
DW.OF: (ITERATION, TASK) ~ INTERVAL 
DW.FOR.TO.OF: (TASK, ITERATION, TASK) ~ INTERVAL 
TO.OF: (TASK, ITERATION, TASK) ~ ITERATION 
ERROR. REPORTER: (PROC) ~ TASK 
var T. SUB: SUBFRAMETIME 
SUB . I NCR: (T . SUB) ~ SUBFRAMETIME = T. SUB+ 1 
SUB.DECR: (T.SUB) ~ SUBFRA'vlETIME = T.SUB-l 
IC.ERROR.REPORTER: (PROC) ~ TASK 
SAFE: (SUBFRAMETIME) ~ SET.OF(PROC) 
SAFE.FOR: (INTERVAL) ~ SET.OF(PROC) 
CONFIGURATION: (DATA) ~ SET.OF(PROC) 
TASK. SAFE: (TASK, ITERATION) ~ BOOL 
POLL. FOR. OF: (ITERATION, TASK) ~ SET.OF(PROC) 
110 
ON: (TASK, ITERATION, PROC) ~ SET.OF(DATA) 
ON. IN: (TASK, ITERATION, PROC, PROC) ~ DATA 
IN: (TASK, ITERATION, PROC) ~ DATA 
RESULT: (TASK, ITERATION) ~ SET.OF(DATA) 
IC: (TASK) ~ BOOL 
ON.DURING: (TASK, ITERATION) ~ BOOL 
SSF: (TASK, TASK) ~ BOOL 
INPUTS: (TASK) ~ SET.OF(TASK) 
APPLY: (FUNCTION. TYPE, SET. OF(PAIR. OF (DATA, TASK») ~ DATA 
FUNCTION: (TASK) ~ FUNCTION.TYPE 
REAL. TIME: (SUBFRAMETI~ffi) ~ REALTIME 
REPORTS: (PROC, PROC, ITERATION, TASK) ~ BOOL 
REPORTVAL: (PROC, PROC, ITERATION, TASK) ~ DATA 
ON.DURING: (TASK, ITERATION) ~ BOOL 
TO.OF: (TASK, ITERATION, TASK) ~ ITERATION 
TASK.SAFE: (TASK, ITERATION) ~ BOOL 
RESULT: (TASK, ITERATION) ~ SET.OF(DATA) 
var V.P: PAIR. OF (DATA, PROC) 
IC.TASK.SAFE: (TASK, ITERATION) ~ BOOL 
IC. TASK. SAFE: (TASK, ITERATION) ~ BOOL 
SELECT: (SET.OF(TYPEl» ~ TYPEl 
III 
/* 
The End of a task iteration follows the Beginning 
by at least one subframe 
IO.AI.I: axiom 
SUB.INCR(BEGIN(OF(I, K») < END(OF(I, K» 
/* 
The End of one iteration of a task precedes the following 
iteration of the task 
IO.AI.2: axiom 
END(OF(I, K» ~ BEGIN(OF(INCR(I), K» 
/* SSF(L K) means that, for each iteration of task K, 
the corresponding iteration of input task L will 
have a one subframe overlap with K 
IO.AI.3: axiom 
SSF(L, K) ) SUB.INCR(BEGIN(OF(I, K») = END(OF(TO.OF(L, I, K), L» 
/* 
Axiom defining correct behavior of an Interactive 
Consistency task K: If K is safe, it will always 
produce a single output value -- regardless of 
the stability of inputs to the task 
IO.A3: axiom 
lC(K) A lC.TASK.SAFE(K, I) ) CARD(RESULT(K, I» = I 
/* An interactive consistency task K can only have 
one replication of one input task. An interactive 
consistency task has as its associ~ted mathematical 
function the identity function. 
IO.A4: axiom 
IC(K) A SOURCE(V.T) E INPUTS(K) A SlNGLETON(V.INPUTS, V.T) 
) 
CARD(lNPUTS(K» = I 
A (L E INPUTS(K) ) I = CARD(POLL.FOR.OF(TO.OF(L, I, K), L») 
A VALUE(V.T) = APPLY(FUNCTlON(K), V.INPUTS) 
112 
/* 
A safe task K which is 'on' will use 'bottom' as an input 
value for any input task L which was not on for the 
corresponding iteration. Further, task L is 'safe' in 
this case. 
IO.A5: axiom 
/* 
L E INPUTS(K) 
A ON.DURING(K, I) 
A TASK.SAFE(K, I) 
A ~ON.DURING(L, TO.OF(L, I, K» 
) 
SINGLETON (RESULT(L , TO.OF(L, I, K», BOTTOMl(L» 
A TASK.SAFE(L, TO.OF(L, I, K» 
If every previous iteration of the clock task 
prior to Tl was safe, the skew between 
any prior time T2 and now will be less than 
(TI-T2) * (I-Lambda) 
IO.A6: axiom 
T2 < Tl A (V I: END(OF(I, CLOCK(») ~ Tl ) TASK.SAFE(CLOCK(), I» 
) 
(TI-T2)*(1-LAlffiDA(»-EPSILON() < REAL.TlME(Tl)-REAL.TIME{T2) 
A REAL.TIME(Tl)-REAL.TI~ffi(T2) < (TI-T2)*(1+LAMBDA(»+EPSILON() 
V.INPUTS.A2: (ITERATION, TASK) ~ SET. OF(PAIR. OF (DATA, TASK» 
/* 
Set Abstraction for set V.INPUTS.A2: the 
set of <L,Result(L,L to I of K» pairs for 
each input task L to task K 
IO.A2A: axiom 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) E RESULT(SOURCE(V.T), TO.OF(SOURCE(V.T), I, K» 
V.T E V.INPUTS.A2(I, K) 
/* 
~~IN EXECUTE AXIOM: If a task K is 'on' and 'safe' during 
iteration I, then output set Result(K,I) will be the set 
resulting from applying the proper mathematical function 
to the input set V.INPUTS.A2, composed according to the 
previous set abstraction axiom 
IO.A2: axiom 
ON.DURING(K, I) 
A TASK.SAFE(K, I) 
A (V L: L E INPUTS(K) ) CARD(RESULT(L, TO.OF(L, I, K») = 1) 
) 
SINGLETON(RESULT(K, I), APPLY(FUNCTION(K), V.INPUTS.A2(I, K») 
113 

SUBSECTION 7.7 
MAJORITY STP 
115 

/* ********** Theory of Majority over Bags ********** */ 
using SETS.AXIOMS 
using PAIROF.STP 
var TYPEl: type 
var TYPE2: type 
MAJORITY: (SET.OF(PAIR.OF(TYPEl, TYPE2») ~ TYPEl 
var M.BAG: SET.OF(PAIR.OF(TYPEl, TYPE2» 
var M.BAG.l: SET.OF(PAIR.OF(TYPEl, TYPE2» 
var Vl.V2: PAIR.OF(TYPEl, TYPE2) 
var Tl. V: TYPEl 
var T2.V: TYPEl 
var T3.V: TYPE2 
BOTTOM: (TYPEl) ~ TYPEl 
MAJ.l: axiom 
(V Vl.V2: Vl.V2 E M.BAG.l = Tl.V = VALUE(Vl.V2) A Vl.V2 E M.BAG) 
) 
(CARD(M.BAG) < 2*CARD(M.BAG.l) ) Tl.V = MAJORITY(M.BAG» 
MAJ.2: axiom 
o = CARD(M.BAG) ) BOTTOM(T2.V) = MAJORITY(M.BAG) 
MAJ .3: axiom 
~(3 Tl.V, T3.V V M.BAG.l: 
(V Vl.V2: Vl.V2 E M.BAG.l = Tl.V = VALUE(Vl.V2) A Vl.V2 E M.BAG) 
) 
CARD(M.BAG) < 2*CARD(M.BAG.l» 
) 
BOTTOM(T2.V) = MAJORITY(M.BAG) 
117 

SUBSECTION 7.8 
SPECIFICATION FOR SEQUENCES OF TYPEl VALUES 
119 

/* SPECIFICATION FOR SEQUENCES OF TYPEl VALUES */ 
using NAT.STP 
var TYPEl: type 
var X: TYPEl 
SEQ: type(TYPEl) 
var SEQl,SEQ2: SEQ(TYPEl) 
SEQ.ELEM: (SEQ(TYPEl), NAT) TYPEl 
SEQ.LENGTH: (SEQ(TYPEl» NAT 
SEQ. CAT: (SEQ(TYPEl), SEQ(TYPEl» SEQ(TYPEl) 
SEQ.NEW: (TYPEl) SEQ(TYPEl) 
~~KESEQ: (TYPEl) SEQ(TYPEl) 
SEQ. MEMBER: (TYPEl, SEQ(TYPEl» BOOL 
var Y: NAT 
SEQ.LENGTH.AXIOM: axiom 
SEQ.LENGTH(SEQ.CAT(SEQl, SEQ2» = SEQ.LENGTH(SEQl)+SEQ.LENGTH(SEQ2) 
SEQ.ELEM.AXIOM2: axiom 
SEQ.ELEM(SEQ.CAT(SEQl, SEQ2), Y) = X 
(Y > SEQ.LENGTH(SEQl)-INT.NAT(l) 
A SEQ.ELEM(SEQ2, Y-SEQ.LENGTH(SEQl» = X) 
V (Y ~ SEQ.LENGTH(SEQl)-INT.NAT(l) A SEQ.ELEM(SEQl, Y) = X) 
SEQ. LENGTH. NEW.AXIOM: axiom 
SEQ.LENGTH(SEQ.NEW(X» = 0 
SEQ.~UlliESEQ.AXIOM: axiom 
SEQ.LENGTH(SEQl) = 1 A SEQ.ELEM(SEQl, INT.NAT(O» = X 
SEQl = MAKESEQ(X) 
SEQ.ME~ffiER.AXIOM: axiom 
SEQ.MEMBER(X, SEQl) 
(3 Y: 0 ~ YAY < SEQ.LENGTH(SEQl) A SEQ.ELEM(SEQl, Y) = X) 
SEQ. EQUALITY. AXIOM: axiom 
SEQl = SEQ2 = (V Y: SEQ.ELEM(SEQl, Y) = SEQ.ELEM(SEQ2, Y» 
121 

SUBSECTION 7.9 
REP AXIOMS 
123 

/* 
********** Replication Specification and 
Mapping to Input/Output Specification ********** 
using INTEGER.STP 
using SEQ.STP 
using SETS.AXIOMS 
using PAIROF.STP 
var TYPE2: type 
var TYPEI: type 
REALTIME: type is INTEGER 
SUBFRAMETI~ffi: type is INTEGER 
INTERVAL: type is PAIR. OF (SUBFRAMETIME, SUBFRAMETIME) 
var INTERVALI: INTERVAL 
BEGIN: (INTERVALI) ~ SUBFRAMETIME = FIRST(INTERVALl) 
END: (INTERVALl) ~ SUBFRAMETIME = SECOND(INTERVALl) 
/* BEGIN: (INTERVAL) ~ SUBF~ffiTIME */ 
/* END: (INTERVAL) ~ SUBFRAMETIME */ 
VALUE: (PAIRl) ~ TYPEI = FIRST(PAIRl) 
SOURCE: (PAIRl) ~ TYPE2 = SECOND(PAIRl) 
using MAJORITY.STP 
FUNCTION. TYPE: type 
ITERATION: type is INTEGER 
DATAVAL: type 
BOTTOMD: ~ DATAVAL 
var Dl: DATAVAL 
/* A type system hack: the parameterized BOTTOM 
function applied to any DATAVAL produces the 
BOTTOMD element of the DATAVAL domain 
BOTTOM. EQUALITY: axiom 
BOTTOM(Dl) = BOTTOMD() 
125 
TASK: type 
var K: TASK 
var L: TASK 
RESULT. SIZE: (TASK) ~ NAT 
DATA: type is SEQ(DATAVAL) 
var V: DATA 
var VI: DATA 
BOTTOMI: (TASK) ~ DATA 
/* 
Each element of a DATA BOTTOM I function is 
a BOTTOMD value -- again a type hack 
DATA. BOTTOM: axiom 
I S YAY S RESULT.SIZE(K) J SEQ.ELEM(BOTTOMI(K), Y) = BOTTOMD() 
/* 
Two DATA values V and VI are equal iff the 
lengths are equal and corresponding elements 
are equal 
DATA. EQUALITY: axiom 
V = VI 
(V Y: 
SEQ.LENGTH(V) = SEQ.LENGTH(Vl) A I S YAY S SEQ.LENGTH(V) 
J 
SEQ.ELEM(V, Y) = SEQ.ELEM(VI, Y» 
PROC: type 
GLOBAL. EXEC: ~ TASK 
CLOCK: ~ TASK 
var I: ITERATION 
var J: ITERATION 
var JI: ITERATION 
var T: SUBFRAMETIME 
var TT: SUBFRAMETIME 
var II: INTERVAL 
var P: PROC 
126 
var 00: PROC 
var R: PROC 
var V.T: PAIR. OF (DATA, TASK) 
var V.INPUTS: SET.OF(PAIR.OF(DATA, TASK» 
var V.BAG: SET. OF(PAIR. OF (DATA, PROC» 
EPSILON: ~ REALTIME 
LAMBDA: ~ REALTIME 
var T1: SUBFRAMETIME 
var T2: SUBFRAMETIME 
OF: (ITERATION, TASK) ~ INTERVAL 
DW.OF: (ITERATION, TASK) ~ INTERVAL 
DW.FOR.TO.OF: (TASK, ITERATION, TASK) ~ INTERVAL 
TO.OF: (TASK, ITERATION, TASK) ~ ITERATION 
ERROR.REPORTER: (PROC) ~ TASK 
var T.SUB: SUBFRAMETIME 
SUB.INCR: (T.SUB) ~ SUBFRAMETIME = T.SUB+1 
SUB.DECR: (T.SUB) ~ SUBFRAMETIME = T.SUB-l 
IC.ERROR.REPORTER: (PROC) ~ TASK 
SAFE: (SUBFRAMETIME) ~ SET.OF(PROC) 
SAFE.FOR: (INTERVAL) ~ SET.OF(PROC) 
CONFIGURATION: (DATA) ~ SET.OF(PROC) 
TASK.SAFE: (TASK, ITERATION) ~ BOOL 
POLL.FOR.OF: (ITERATION, TASK) ~ SET.OF(PROC) 
ON: (TASK, ITERATION, PROC) ~ SET.OF(DATA) 
ON. IN: (TASK, ITERATION, PROC, PROC) ~ DATA 
IN: (TASK, ITERATION, PROC) ~ DATA 
RESULT: (TASK, ITERATION) ~ SET.OF(DATA) 
V.INPUTS.A2: (ITERATION, TASK) ~ SET. OF(PAIR. OF (DATA , TASK» 
APPLY: (FUNCTION. TYPE, SET. OF(PAIR. OF (DATA, TASK») ~ DATA 
FUNCTION: (TASK) ~ FUNCTION.TYPE 
127 
/* Defines sequence lengths of functions returning DATA values */ 
DATA. SIZE. IS. SEQ. LENGTH: axiom 
SEQ.LENGTH(IN(K, I, QQ» = RESULT.SIZE(K) 
A SEQ.LENGTH(APPLY(FUNCTION(K), V.INPUTS.A2(I, K») = RESULT.SIZE(K) 
A SEQ.LENGTH(BOTTOM1(K» = RESULT.SIZE(K) 
A SEQ.LENGTH(ON.IN(K, I, P, QQ» = RESULT.SIZE(K) 
/* Each task output vector has at least one element */ 
RESULT. SIZE. GREATER. THAN. 1: axiom 
RESULT.SIZE(K) ~ 1 
IC: (TASK) ~ BOOL 
ON.DURING: (TASK, ITERATION) ~ BOOL 
SSF: (TASK, TASK) ~ BOOL 
INPUTS: (TASK) ~ SET.OF(TASK) 
REAL. TIME: (SUBFRAMETIME) ~ REALTIME 
REPORTS: (PROC, PROC, ITERATION, TASK) ~ BOOL 
REPORTVAL: (PROC, PROC, ITERATION, TASK) ~ DATA 
ON.DURING: (TASK, ITERATION) ~ BOOL 
TO.OF: (TASK, ITERATION, TASK) ~ ITERATION 
TASK. SAFE: (TASK, ITERATION) ~ BOOL 
RESULT: (TASK, ITERATION) ~ SET.OF(DATA) 
var V.CARD: . DATA 
var V.CARD1: DATA 
var Sl: SET.OF(TYPE1) 
var S2: SET.OF(TYPE1) 
var V2: DATA 
var V3: DATA 
var V4: DATA 
var V.P: PAIR. OF (DATA, PROC) 
128 
D.BAG.LI0: (TASK, ITERATION, PROC, NAT) ~ SET.OF(PAIR.OF(DATAVAL, PROC» 
IC.TASK.SAFE: (TASK, ITERATION) ~ BOOL 
IC.TASK.SAFE: (TASK, ITERATION) ~ BOOL 
DECR: (I) ~ ITERATION = I-I 
INCR: (I) ~ ITERATION = 1+1 
/* same as IO.Al.l */ 
RP.Al.l: axiom 
SUB.INCR(BEGIN(OF(I, K») < END(OF(I, K» 
/* same as IO.Al.2 */ 
RP.Al.2: axiom 
END(OF(I, K» ~ BEGIN(OF(INCR(I), K» 
/* If a processor P is both in the poll set 
for the i-th iteration of K and safe for 
the DataWindow, then the set On(K,I,P) of 'computed' 
values is defined to consist of exactly the 
On.ln(K,I,P,Q) values which safe processors 
have received from P 
RP.A2: axiom 
P E POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K» 
J 
(V E ON(K, I, P) 
(3 QQ: QQ E SAFE.FOR(OF(I, K» A V = ON.IN(K, I, P, QQ») 
/* Error Re~orter Characteristics ... */ 
RP.A7: axiom 
CARD(INPUTS(ERROR.REPORTER(P») = 0 
A SINGLETON(INPUTS(IC.ERROR.REPORTER(P», ERROR.REPORTER(P» 
A IC(IC.ERROR.REPORTER(P» 
A SINGLETON(POLL.FOR.OF(I, ERROR.REPORTER(P», P) 
A I = TO.OF(IQ.ERROR.REPORTER(P), I, ERROR.REPORTER(P» 
/* More Error Reporter Characteristics */ 
RP.A8: axiom 
IC.ERROR.REPORTER(P) E INPUTS(GLOBAL.EXEC(» 
A BEGIN(OF(I, GLOBAL.EXEC(») < BEGIN(OF(I, IC.ERROR.REPORTER(QQ») 
A BEGIN(OF(I, IC.ERROR.REPORTER(QQ») 
< BEGIN (OF(INCR(I), GLOBAL.EXEC(») 
129 
/* Global Executive Characteristics */ 
RP.A9: axiom 
/* 
CONFIGURATION (SELECT(RESULT(GLOBAL.EXEC(), I») 
~ CONFIGURATION (SELECT(RESULT(GLOBAL.&XEC(), DECR(I»» 
A (END(OF(I, GLOBAL.EXEC(») < BEGIN(OF(J, K» 
) 
POLL.FOR.OF(J, K) ~ CONFIGURATION(SELECT(RESULT(GLOBAL.EXEC(), I»» 
The beginning of the DataWindow for input task L 
providing input to the i-th iteration of K is 
equal to the beginning of the corresponding iteration 
of L 
RP.D2.l: axiom 
BEGIN(DW.FOR.TO.OF(L, I, K» 
= if L E INPUTS(K) 
then BEGIN(OF(TO.OF(L, I, K), L» 
else BEGIN(OF(I, K» 
end if 
/* The end of the same DataWindow is the end of the 
i-th iteration of K 
RP.D2.2: axiom 
END(DW.FOR.TO.OF(L, I, K» = END(OF(I, K» 
/* 
The overall DataWindow for the i-th iteration of K 
starts sometime after the beginning of the 
DataWindow for each input task 
RP.D3.l: axiom 
~(BEGIN(DW.FOR.TO.OF(L, I, K» < BEGIN(DW.OF(I, K») 
/* 
The overall DataWindow starts with the DataWindow 
for some (input) task 
RP.D3.2: axiom 
3 L: BEGIN(DW.FOR.TO.OF(L, I, K» = BEGIN(DW.OF(I, K» 
/* The overall DataWindow ends with the end of the i-th iteration */ 
RP.D3.3: axiom 
END(DW.OF(I, K» = END(OF(I, K» 
130 
/* Mapping: A task is on iff there is at least one processor in 
the poll set 
RP.D7: axiom 
ON.DURING(K, I) = CARD(POLL.FOR.OF(I, K» ) 0 
var D.P: PAIR. OF (DATAVAL , PROC) 
var D.BAG: SET. OF(PAIR. OF (DATAVAL , PROC» 
D.BAG.D4: (TASK, ITERATION, PROC, NAT) ~ SET. OF(PAIR. OF (DATAVAL , PROC» 
/* 
Set Abstraction for D.BAG.D4: Consists of all 
<dataval,processor) pairs for the y-th DATA element 
received by processors in the poll set 
RP.D4A: aXIom 
/* 
D.P E D.BAG.D4(K, I, QQ, Y) 
(3 P: 
SEQ.ELEM(ON.IN(K, I, P, QQ), Y) = VALUE(D.P) 
A P = SOURCE(D.P) 
APE POLL.FOR.OF(I, K» 
Definition: For a safe processor QQ, the IN value 
is defined to be equal to the majority of the set 
defined above 
RP.D4: axiom 
QQ E SAFE.FOR(OF(I, K» A 1 S YAY S RESULT.SIZE(K) 
) 
SEQ.ELEM(IN(K, I, QQ), Y) = MAJORITY(D.BAG.D4(K, I, QQ, Y» 
V.INPUTS.A3: (TASK, ITERATION, PROC) ~ SET. OF(PAIR. OF (DATA, TASK» 
/* 
Set abstraction for V.INPUTS.A3(K,I,P): the set of 
<DATA,TASK) pairs where the DATA value is the 
voted IN value for an input task -- all in processor P 
RP.A3A: axiom 
V.T E V.INPUTS.A3(K, I, P) 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) = IN(SOURCE(V.T), TO. OF (SOURCE (V. T), I, K), P) 
131 
/* 
MAIN EXECUTE AXIOM: If processor P is both in 
the poll set and safe for the DataWindow, it 
will produce a single, correct value 
RP.A3: axiom 
P E POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K» 
) 
SINGLETON(ON(K, I, P), APPLY(FUNCTION(K), V.INPUTS.A3(K, I, P») 
/* same as IO.D1 */ 
RP.D1: axiom 
(L E INPUTS(K) A ~SSF(L, K) 
) 
~(BEGIN(OF(I, K» < END(OF(TO.OF(L, I, K), L») 
A BEGIN(OF(I, K» < END(OF(INCR(TO.OF(L, I, K», L») 
A (L E INPUTS(K) A SSF(L, K) 
) 
END(OF(TO.OF(L, I, K), L» = SUB.INCR(BEGIN(OF(I, K»» 
IO.D1: axiom 
/* 
(L E INPUTS(K) A ~SSF(L, K) 
) 
~(BEGIN(OF(I, K» < END(OF(TO.OF(L, I, K), L») 
A BEGIN(OF(I, K» < END(OF(INCR(TO.OF(L, I, K», L») 
A (L E INPUTS(K) A SSF(L, K) 
) 
END(OF(TO.OF(L, I, K), L» = SUB.INCR(BEGIN(OF(I, K»» 
Set Abstraction D.BAG.L10(K,I,QQ,Y): set of 
<DATAVAL,Processor> pairs where the DATAVAL 
was received by a processor P which was 
both in the poll set and safe for the appropriate period. 
RP.D11: axiom 
/* 
D.P E D.BAG.L10(K, I, QQ, Y) 
(3 P: 
P E POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K» 
A SEQ.ELEM(ON.IN(K, I, P, QQ), Y) = VALUE(D.P) 
A P = SOURCE(D.P» 
Mapping: A task K is safe during iteration i iff 
either it is not on or a majority of the processors 
in the poll set are safe for the DataWindow 
RP.D9A: axiom 
TASK. SAFE(K , I) 
~ON.DURING(K, I) 
V CARD(POLL.FOR.OF(I, K» 
< 2*CARD(POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K») 
132 
/* same as IO.A3 --this will be left for future proof attempts */ 
RP.A4: axiom 
IC(K) A IC.TASK.SAFE(K, I) ) CARD (RESULT(K, I» = 1 
/* Mapping: An iteractive consistency task K is safe iff 
(2 * size of poll set for both K and input task) 
< (3 * number of safe processors in the poll set for 
either K or input task) 
RP.D9B: axiom 
IC.TASK.SAFE(K, I) 
,ON.DURING(K, I) 
V (IC(K) 
A (L E INPUTS(K) 
) 
2*CARD(POLL.FOR.OF(TO.OF(L, I, K), L) U POLL.FOR.OF(I, K» 
< 3 
*CARD(SAFE.FOR(DW.OF(I, K» 
n (POLL.FOR.OF(TO.OF(L, I, K), L) 
U POLL.FOR.OF(I, K»») 
/* same as IO.A4 */ 
RP.A5: axiom 
/* 
IC(K) A SOURCE(V.T) E INPUTS(K) A SINGLETON(V.INPUTS, V.T) 
) 
CARD(INPUTS(K» = 1 
A (L E INPUTS(K) ) 1 = CARD(POLL.FOR.OF(TO.OF(L, I, K), L») 
A VALUE(V.T) = APPLY(FUNCTION(K), V.INPUTS) 
A safe processor reports any processor from whom it has 
received a value not consistent with its voted value 
-- does not apply to outputs from interactive consistency tasks 
RP.A10: axiom 
P E SAFE.FOR(DW.OF(J, K» 
) 
(,IC(L) 
ALE INPUTS(K) 
A QQ E POLL.FOR.OF(TO.OF(L, J, K), L) 
A ,(ON.IN(L, TO.OF(L, J, K), QQ, P) = IN(L, TO.OF(L, J, K), P» 
REPORTS(P, QQ, TO.OF(L, J, K), L» 
/* An unsafe processor can never again be trusted */ 
RP.A11: formula 
T1 > T2 ) SAFE(T1) ~ SAFE(T2) 
133 
/* same as IO.A6 --not covered by current proof */ 
RP.A6: axiom 
T2 < Tl A (V I: END(OF(I, CLOCK(») ~ Tl ) TASK.SAFE(CLOCK(), I» 
) 
(TI-T2)*(I-LAAffiDA(»-EPSILON() < REAL.TIME(Tl)-REAL.TIME(T2) 
A REAL.TIME(Tl)-REAL.TIME(T2) < (TI-T2)*(I+LAAffiDA(»+EPSILON() 
/* not used in proof */ 
RP.D8: axiom 
REPORTS(P, QQ, I, K) 
(3 J: 
BEGIN(OF(I, K» ~ BEGIN(OF(J, ERROR.REPORTER(P») 
A BEGIN(OF(DECR(J), ERROR.REPORTER(P») < END(OF(TO.OF(L, I, K), L» 
A REPORTVAL(P, QQ, I, K) E RESULT(ERROR.REPORTER(P), J» 
/* not used in proof */ 
RP.DI0: axiom 
(V T: BEGIN(II) ~ TAT < END(II) ) P E SAFE(T» - P E SAFE.FOR(II) 
/* 
Mapping: A DATA value V is in the result set iff 
it is the voted value from some safe processor 
RP.D6: axiom 
V E RESULT(K, I) - (3 P: P E SAFE.FOR(OF(I, K» A V = IN(K, I, P» 
134 
SUBSECTION 7.10 
10 RP DERIVATION 
135 

/* 
********** Proof of Mapping between 
I/O and Replication Specifications ********** 
*/ 
/* 
The beginning of a Data Window is earlier or at least equal 
to the beginning of the Execution Window 
RP.Ll: formula 
BEGIN{OF{I, K» ~ BEGIN{DW.FOR.TO.OF(L, I, K» 
prove RP.Ll 
using RP.Al.l [K ~ L, 
RP.Dl 
RP.D2.1 
I ~ TO.OF{L, I, K)] 
137 
/* 
If a time is wi thin .the Execution Window, then it must 
be within the Data Window 
RP.L2: formula 
BEGIN(OF(I, K» 5 TAT < END(OF(I, K» 
) 
BEGIN(DW.OF(I, K» 5 TAT < END(DW.OF(I, K» 
prove RP.L2 
using RP .AI. I 
RP.D3.3 
RP.D3.1 
RP.Ll 
138 
/* 
If a processor is Safe for the Data Window, it is Safe 
for the Execution Window 
RP.L3: formula 
P E SAFE.FOR(DW.OF(I, K» J P E SAFE.FOR(OF(!, K» 
prove RP.L3 
using RP.L2 [T ~ *T:3] 
RP.DIO [T ~ *T:3, 
II ~ DW.OF(!, K)] 
RP.DIO [II ~ OF(I, K), 
T ~ @:D] 
139 
/* 
If a task generates a singleton result value, then safe 
processors will have that value in their In buffer 
RP.L4: formula 
L E INPUTS(K) 
A I = CARD (RESULT (L, TO.OF(L, I, K))) 
APE SAFE.FOR(DW.OF(I, K)) 
) 
(V E RESULT(L, TO.OF(L, I, K)) = V = IN(L, TO.OF(L, I, K), P)) 
prove RP.L4 
using RP.L7 
CARD.2 [X ~ IN(L, TO.OF(L, I, K), P), 
Xl ~ V, 
S ~ RESULT(L, TO.OF(L, I, K))] 
RP.D6 [I ~ TO.OF(L, I, K), 
K ~ L, 
V ~ IN(L, TO.OF(L, I, K), P)] 
RP.D6 [I ~ TO.OF(L, I, K), 
K ~ L] 
140' 
/* 
If a task is on a processor that is Safe for its data window, 
and if all its input tasks are well behaved, the inputs to the 
task will be same as in the 10 Model 
RP.L5: formula 
(V L: L E INPUTS(K) J 1 = CARD(RESULT(L, TO.OF(L, I, K»» 
APE SAFE.FOR(DW.OF(I, K» 
J 
(V.T E V.INPUTS.A3(K, I, P) = V.T E V.INPUTS.A2(I, K» 
prove RP.L5 [L ~ SOURCE(V.T)] 
using RP.A3A 
IO.A2A 
RP.L4 [V ~ VALUE(V.T), 
L ~ SOURCE(V.T)] 
141 
/* As RP.L5 */ 
RP.L6: formula 
(V L: L E INPUTS(K) J 1 = CARD(RESULT(L, TO.OF(L, I, K»» 
APE SAFE.FOR(DW.OF(I, K» 
) 
V.INPUTS.A2(I, K) = V.INPUTS.A3(K, I, P) 
prove RP.L6 [L ..: *L:2] 
using SETEQUALITY [S2 .... V.INPUTS.A3(K, I, P), 
S1 .... V.INPUTS.A2(I, K), 
X .. *X: 1] 
RP.L5 [V.T .. *X:1] 
142 
/* 
If a proces~or is Safe for the Data Window of a task, it 
is Safe for the Execution Windows of each of that task's 
input tasks. Needed to prove RP.L4 
RP.L7: formula 
P E SAFE.FOR(DW.OF(I, K» ALE INPUTS(K) 
) 
P E SAFE.FOR(OF(TO.OF(L, I, K), L» 
prove RP.L7 
using RP.DIO [T ~ *T:l, 
II ~ OF(TO.OF(L, I, K), L)] 
RP.DIO [T ~ *T:l, 
II ~ DW.OF(I, K)] 
RP.L2A [T ~ *T:l] 
143 
/* 
If a processor executes a task, and is Safe for the data 
window of that task, and if all the inputs to the 
task are well behaved, then the task output computed by 
that processor will be the result of applying the task function 
to the correct task inputs. 
RP.L8: formula 
P E POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K» 
A (V L: L E INPUTS(K) ) 1 = CARD (RESULT(L, TO.OF(L, I, K»» 
) 
SINGLETON(ON(K, I, P), APPLY(FUNCTION(K), V.INPUTS.A2(I, K») 
prove RP.L8 [L ~ *L:2] 
using INTERSECT [SI ~ SAFE.FOR(DW.OF(I, K», 
S ~ POLL.FOR.OF(I, K), 
RP.L6 
RP.A3 
X ~ P] 
144 
/* 
... and that,output value will be the broadcast valtie received 
by all processors that are Safe for the execution window of 
the task 
RP.L9: formula 
P E POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K» 
A (V L: L E INPUTS(K) ) 1 = CARD (RESULT (L, TO.OF(L, I, K»» 
A QQ E SAFE.FOR(OF(I, K» 
) 
ON.IN(K, I, P, QQ) = APPLY(FUNCTION(K), V.INPUTS.A2(I, K» 
prove RP.L9 [L ~ *L:5] 
using INTERSECT [S1 ~ SAFE.FOR(DW.OF(I, K», 
S ~ POLL.FOR.OF(I, K), 
X ~ P] 
CARD.2 [Xl ~ ON.IN(K, I, P, QQ), 
RP.L3 
RP.LIO 
RP.L8 
X ~ APPLY(FUNCTION(K), V. INPUTS.A2(I , K», 
S ~ ON(K, I, P)] 
RP.A2 [V ~ ON.IN(K, I, P, QQ)] 
145 
/* 
A result value received from a Safe processor is a member 
of the set of all computer result values 
RP. Lll: formula 
QQ E SAFE.FOR(OF(I, K» A D.P E D.BAG.LI0(K, I, QQ, Y) 
J 
D.P E D.BAG.D4(K, I, QQ, Y) 
prove RP.Lll 
using INTERSECT [SI ~ SAFE.FOR(DW.OF(I, K», 
S ~ POLL.FOR.OF(I, K), 
X ~ *P:2] 
RP.Dll [P ~ @:D] 
RP.D4A [P ~ *P:2] 
146 
var D.P.1: PAIR.OF(DATAVAL, PROC) 
D.BAG.L12: (TASK, ITERATION, PROC, NAT) ~ SET.OF(PAIR.OF(DATAVAL, PROC» 
/* 
Set abstraction: A result value received from 
a Safe processor is a member of the 
set of result values to be voted on 
RP.L12A: axiom 
D.P.1 E D.BAG.L12(K, I, QQ, Y) 
SEQ.ELEM(APPLY(FUNCTION(K), V.INPUTS.A2(I, K», Y) = VALUE(D.P.1) 
A D.P.1 E D.BAG.D4(K, I, QQ, Y) 
147 
/* 
If a processor is Safe for the executio window of a task, 
and that generates a singleton result value, then 
the result values received from Safe processors by 
that processor will be correct values 
RP.L12R: formula 
QQ E SAFE.FOR(OF(I, K)) 
A D.P E D.BAG.L10(K, I, QQ, Y) 
A (V L: L E INPUTS(K) ) 1 = CARD(RESULT(L, TO.OF(L, I, K)))) 
) 
D.P E D.BAG.L12(K, I, QQ, Y) 
prove RP.L12R [L ~ *L:3] 
using RP.L12A [D.P.1 ~ D.P] 
RP.L11 
RP.L9 [P ~ *P:4] 
RP.D11 [P ~ @:D] 
148 
/* as RP.L12R */ 
RP.L13: formula 
QQ E SAFE.FOR{OF{I, K) 
A (V L: L E INPUTS{K) ) 1 = CARD {RESULT (L, TO.OF{L, I, K»» 
) 
D.BAG.L10{K, I, QQ, Y) ~ D.BAG.L12{K, I, QQ, Y) 
prove RP.L13 [L ~ *L:2] 
using SUBSET [S2 ~ D.BAG.L12{K, I, QQ, Y), 
X ~ *X:1, 
S1 ~ D.BAG.L10{K, I, QQ, Y)] 
RP.L12R [D.P ~ *X:1] 
149 
/* 
A time within the execution window of an input 
task to a task K lies within the data window of task K. 
Used to prove RP.L7 
RP.L2A: formula 
BEGIN(OF(TO.OF(L, I, K), L» S T 
A T < END(OF(TO.OF(L, I, K), L» 
ALE INPUTS(K) 
) 
BEGIN(DW.OF(I, K» S TAT <END(DW.OF(I, K» 
prove RP.L2A 
using RP.A1.1 
RP.D3.3 
RP.D3.1 
RP.D2.1 
RP.Dl 
150 
/* If a task executes and is Safe, at least one processor must have 
been Safe for its execution window 
RP.L16: formula 
ON.DURING(K, I) A TASK.SAFE(K, I) ) CARD(SAFE.FOR(OF(I, K») > 0 
prove RP. LlG 
using CARD.INTERSECTION [SI ~ SAFE.FOR(DW.OF(I, K», 
S ~ POLL.FOR.OF(I, K)] 
CARD.SUBSET [S2 ~ SAFE.FOR(OF(I, K», 
SI ~ SAFE.FOR(DW.OF(I, K»] 
SUBSET [S2 ~ SAFE.FOR(OF(I, K», 
X ~ *X:3, 
SI ~ SAFE.FOR(DW.OF(I, K»] 
RP.L3 [P ~ *X:3] 
RP.D9A 
RP.D7 
151 
/* A Primary Lemma. If a task executes and is Safe, and if 
all its inputs are will behaved, a Safe processor voting on the 
broadcast results will obtain the correct result value for 
that task 
RP.Ll4: formula 
TASK.SAFE(K, I) 
A ON.DURING(K, I) 
A QQ E SAFE.FOR(OF(I, K» 
A (V L: L E INPUTS(K) J 1 = CARD (RESULT (L, TO.OF(L, I, K»» 
A 1 S Y 
A Y S RESULT.SIZE(K) 
J 
SEQ.ELEM(APPLY(FUNCTION(K), V.INPUTS.A2(I, K», Y) 
= MAJORITY(D.BAG.D4(K, I, QQ, Y» 
prove RP.Ll4 [L ~ *L:1] 
using RP.Ll3 
RP.D9A 
CARD.D.BAG.D4 
CARD. D. BAG. L 10 
CARD.SUBSET [S2 ~ D.BAG.L12(K, I, QQ, Y), 
S1 ~ D.BAG.LlO(K, I, QQ, Y)] 
MAJ.l [Tl.V ~ SEQ.ELEM(APPLY(FUNCTION(K), V.INPUTS.A2(I, K», Y), 
M.BAG.l ~ D.BAG.Ll2(K, I, QQ, Y), 
M.BAG ~ D.BAG.D4(K, I, QQ, Y)] 
RP.Ll2A [D.P.l ~ *Vl.V2:6] 
152 
/* ... and will place that result value in its IN buffer */ 
RP.LI5: formula 
TASK.SAFE(K, I) 
A ON.DURING(K, I) 
A QQ E SAFE.FOR(OF(I, K» 
A (V L: L E INPUTS(K) J 1 = CARD (RESULT (L, TO.OF(L, I, K»» 
) 
APPLY(FUNCTION(K), V.INPUTS.A2(I, K» = IN(K, I, QQ) 
prove RP.L15 [L ~ *L:l] 
using RP.LI4 [Y ~ *Y:3] 
RP.D4 [Y ~ *Y:3] 
DATA.EQUALITY [V ~ IN(K, I, QQ), 
Y ~ @:D, 
VI ~ APPLY(FUNCTION(K), V.INPUTS.A2(I, K»] 
DATA.SIZE.IS.SEQ.LENGTH 
RESULT. SIZE. GREATER. THAN. 1 
153 
var Ll: TASK 
/* 
Almost there: If a task executes and is Safe, and all its 
inputs are well behaved, its result will be the result of applying 
its function to the correct inputs 
RP.L17: formula 
TASK.SAFE(K, I) 
A ON.DURING(K, I) 
A (V L: L E INPUTS(K) ) 1 = CARD (RESULT (L, TO.OF(L, I, K»» 
A (V Ll: Ll E INPUTS(K) J 1 = CARD(RESULT(Ll, TO.OF(Ll, I, K»» 
J 
SINGLETON(RESULT(K, I), APPLY(FUNCTION(K), V.INPUTS.A2(I, K») 
prove RP.L17 [L ~ *L:6, 
Ll ~ *L:7] 
using CARD.3 [V.CARD.3 ~ APPLY(FUNCTION(K), V.INPUTS.A2(I, K», 
S ~ RESULT(K, I)] 
RP.L16 
CARD.4 [S ~ SAFE.FOR(OF(I, K»] 
RP.D6 [P ~ *X:3, 
V ~ APPLY(FUNCTION(K), V.INPUTS.A2(I, K»] 
RP.D6 [V ~ *X:l, 
P ~ @:D] 
RP.L15 [QQ ~ *X:3] 
RP.L15 [QQ ~ *P:5] 
154 
/* 
The number of versins of a task's result available for voting 
on is the number of processors executing that task 
CARD.D.BAG.D4: formula 
CARD(D.BAG.D4(K, I, QQ, Y» = CARD(POLL.FOR.OF(I, K» 
/* 
The number of correct versions of a task's result is the 
number of Safe processors executing that task 
CARD.D.BAG.LIO: formula 
CARD(D.BAG.LIO(K, I, QQ, Y» 
= CARD(POLL.FOR.OF(I, K) n SAFE.FOR(DW.OF(I, K») 
var L2: TASK 
NECESSARY. EVIL: formula 
(V L: L E INPUTS(K) ) 
) 
(V Ll: Ll E INPUTS(K) ) 
A (V L2: L2 E INPUTS(K) 
1 = CARD(RESULT(L, TO.OF(L, I, K»» 
1 = CARD(RESULT(Ll, TO.OF(Ll, I, K»» 
) 1 = CARD(RESULT(L2, TO.OF(L2, I, K»» 
155 
/* We now consider tasks that are not currently being executed */ 
/* If a task is executed and safe, and has an input task 
that is not being executed, a majority of the result values 
for that not.on task will be nulls 
RP.L19: formula 
L E INPUTS(K) 
A ON.DURING(K, I) 
A TASK.SAFE(K, I) 
A ~ON.DURING(L, TO.OF(L, I, K» 
A 1 5 Y 
A Y 5 RESULT.SIZE(L) 
) 
BOTTOMD() = MAJORITY(D.BAG.D4(L, TO.OF(L, I, K), QQ, Y» 
prove RP.L19 
using MAJ.2 [M.BAG ~ D.BAG.D4(L, TO.OF(L, I, K), QQ, Y), 
T2.V ~ D1 :2] 
BOTTOM. EQUALITY 
CARD.D.BAG.D4 [K ~ L, 
I ~ TO.OF(L, I, K)] 
CARD.6 [S ~ POLL.FOR.OF(TO.OF(L, I, K), L)] 
RP.D7 [K ~ L, 
I ~ TO.OF(L, I, K)] 
156 
and on a safe processor that null value will 
be placed in the IN buffer 
RP.L20: formula 
L E INPUTS(K) 
A ON.DURING(K, I) 
A TASK.SAFE(K, I) 
A ~ON.DURING(L, TO.OF(L, I, K» 
A QQ E SAFE.FOR(OF(TO.OF(L, I, K), L» 
A I ~ Y 
A Y ~ RESULT.SIZE(L) 
) 
SEQ.ELEM(BOTTOMI(L), Y) = SEQ.ELEM(IN(L, TO.OF(L, I, K), QQ), Y) 
prove RP.L20 
using RP.LI9 
DATA. BOTTOM [K ~ L] 
DATA.EQUALITY [V ~ IN(L, TO.OF(L, I, K), QQ), 
VI ~ BOTTOMI(L)] 
RP.D4 [K ~ L, 
I ~ TO.OF(L, I, K)] 
157 
/* as RP.L20 */ 
RP.L21: formula 
L E INPUTS(K) 
A ON.DURING(K, I) 
A TASK.SAFE(K, I) 
A ~ON.DURING(L, TO.OF(L, I, K» 
A QQ E SAFE.FOR(OF(TO.OF(L, I, K), L» 
) 
BOTTOMl(L) = IN(L, TO.OF(L, I, K), QQ) 
prove RP.L21 
using RP.L20 [Y ~ *Y:2] 
DATA.EQUALITY [V ~ IN(L, TO.OF(L, I, K), QQ), 
Y ~ @:D, 
VI ~ BOTTOMl(L)] 
DATA.SIZE.IS.SEQ.LENGTH [K ~ L, 
I ~ TO.OF(L, I, K)] 
158 
/* Using the above chain of lemmas, we now prove the main 
Execute axiom of the I/O specification .,. 
prove IO.A2 [L ~ *L:2] 
using RP.L17 
NECESSARY.EVIL [L1 ~ *L:1, 
L2 ~ *L1: 1] 
159 
and the I/O axiom about tasks that are NOT.ON 
during that iteration. 
prove ID.A5 
using RP.D9A [K ~ L, 
I ~ TO.OF(L, I, K)] 
RP.L21 [QQ ~ *X:9] 
RP.D9A 
RP.L21 [QQ ~ *P:6] 
RP.D6 [K ~ L, 
I ~ TO.OF(L, I, K), 
V ~ BOTTOM 1 (L) , 
P ~ *X:9] 
RP.D6 [K ~ L, 
I ~ TO.OF(L, I, K), 
P ~ @:D, 
V ~ *X:7] 
CARD.3 [V.CARD.3 ~ BOTTOM1(L), 
S ~ RESULT(L, TO.OF(L, I, K»] 
RP.L21 [QQ ~ *X:9] 
CARD.4 [S ~ SAFE.FOR(DW.OF(I, K»] 
RP.L7 [P ~ *X:9] 
CARD.INTERSECTION [S ~ POLL.FOR.OF(I, K), 
Sl ~ SAFE.FOR(DW.OF(I, K»] 
RP.D7 
160 
SUBSECTION 7.11 
SCHEDULE AXIOMS 
161 

/* 
********** Specification And Constraints 
For Schedule Tables ********** 
*/ 
SCHED: (CONFIGS, SUBFRAMETIME, PROC) ~ SEQ (ACTIVITY) 
/* 
If L provides input to K, then SSF(L,K) iff all votes on 
L precede Execute on K 
BR.AI4: aXIom 
1 $ Y 
/* 
ALE INPUTS(K) 
A Y $ RESULT.SIZE(L) 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = L 
A ELEM.ACTION(ACTIV2) = Y 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
(SSF(L, K) 
(SEQ.MEMBER(ACTIV, SCHED(CON, T.SUB, P» 
SEQ.MEMBER(ACTIV2, SCHED(CON, T.SUB, P») 
A (3 W: 
SEQ. ELEM(SCHED(CON , T.SUB, P), W) = ACTIV2 
A (V Z: Z > W ) ~(ACTIV = SEQ.ELEM(SCHED(CON, T.SUB, P), Z»») 
If a vote on L provides input to K in a different frame, there will 
be no subsequent votes on L prior to the Execution of K 
var CONI: CONFIGS 
BR.A25A: axiom 
L E INPUTS(K) 
A START.FRAME(FRA1ffi(T.SUB» = I*FRAME.SIZE() 
A SEQ. MEMBER (ACTIV , SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(TI.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A SEQ. MEMBER (ACTIV2, SCHED(CON2, T1.SUB, P» 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUMMY.VOTE(» 
A TASK.ACTION(ACTIV2) = L 
A FRAME(T. SUB) = FRAME(T2. SUB) 
A TI.SUB < T2.SUB 
A T2.SUB $ T.SUB 
) 
~(3 ACTIV3: 
TASK.ACTION(ACTIV3) = L 
A «ACTION(ACTIV3) = VOTE() A ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = DUMMY.VOTE(» 
A SEQ.MEMBER(ACTIV3, SCHED(CON, T2.SUB, P») 
163 
/* In a sUbtyame, an Execute for K implies no Vote for K */ 
BR.All: axiom 
SEQ.ME~rnER(ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
.,(SEQ.MEMBER(ACTIV2, SCHED(CON, T.SUB, QQ» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K) 
/* There will be exactly one Execute on K in a Frame */ 
BR.Al2: axiom 
/* 
SEQ. MEMBER (ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
.,(.,(Tl.SUB = T.SUB) 
A FRAME(Tl.SUB) = FRAME(T.SUB) 
A ACTION(ACTIV3) = EXECUTE() 
A TASK.ACTION(ACTIV3) = K 
A SEQ.MEMBER(ACTIV3, SCHED(CON, Tl.SUB, P») 
There will not be more than one subframe in a Frame 
containing either a Vote or a Dummy Vote 
BR.A12A: axiom 
SEQ.ME~rnER(ACTIV, SCHED(CON, T.SUB, P» 
A «ACTION(ACTIV) = VOTE() A ELEM.ACTION(ACTIV) = Y) 
V ACTION(ACTIV) = D~ruY.VOTE(» 
A TASK.ACTION(ACTIV) = K 
A FRAME(Tl. SUB) = FRAME(T. SUB) 
A TASK.ACTION(ACTIV3) = K 
A «ACTION(ACTIV3) = VOTEO A ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = DUMMY.VOTE(» 
A SEQ.~ffiMBER(ACTIV3, SCHED(CON, Tl.SUB, P» 
) 
T . SUB = Tl.SUB 
var T2. SUB: SUBFRAMETIME 
/* In no subframe will there be both a Vote and a Dummy Vote */ 
BR.A12B: axiom 
,,(SEQ.~ffiMBER(ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A SEQ.~ffiMBER(ACTIV2, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV2) = DU1ruY.VOTE() 
A TASK.ACTION(ACTIV2) = K) 
164 
/* In any frame there will be either a Vote or a Dummy Vote */ 
BR.A12C: axiom 
/* 
3 T. SUB, ACTIV: 
START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ. MEMBER (ACTIV, SCHED(CON, T.SUB, P» 
A TASK.ACTION(ACTIV) = K 
A «ACTION(ACTIV) = VOTE() A (3 Y: ELEM.ACTION(ACTIV) = Y» 
V ACTION(ACTIV) = DUMMY.VOTE(» 
If there is an Execute on K, there will be a later vote 
on every processor for every output element 
BR.A13A: axiom 
SEQ.~ffi~ffiER(ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
(V Y: 
1 ~ Y 
A Y ~ RESULT.SIZE(K) 
A (3 T1. SUB: 
(3 ACTIV2: 
T1.SUB > T . SUB 
A FRAME(T1.SUB) = FRAME(T.SUB) 
A SEQ.MEMBER(ACTIV2, SCHED(CON, Tl.SUB, QQ» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y») 
/* If no processor Executes K, no one will Vote on K */ 
BR.A13B: axiom 
(V T.Slm, P, ACTIV: 
~(START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ.ME~ffiER(ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K» 
) 
~(SEQ.~ffiMBER(ACTIV2, SCHED(CON, TI.SUB, QQ» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y 
A START.FRAME(FRAME(Tl.SUB» = I*FRfu~.SIZE(» 
BR.A44: axiom 
SEQ.ME~ffiER(ACTIV, SCHED(CON, T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
) 
1 ~ YAY ~ RESULT.SIZE(K) 
165 
/* A Vote, Dummy Vote or an Execute will be within the Execution 
Window 
BR.AI6: axiom 
START.FRAME(FRAAffi(T.SUB» = I*FRAME.SIZE() 
A SEQ. MEMBER (ACTIV, SCHED(CON, T.SUB, P» 
A (ACTION(ACTIV) = EXECUTE() 
V ACTION(ACTIV) = VOTE() 
V ACTION(ACTIV) = DUMMY.VOTE(» 
A TASK.ACTION(ACTIV) = K 
) 
BEGIN(OF(I, K» S T.SUB A T.SUB < END(OF(I, K» 
BR.A28: axiom 
BEGIN(DW.FOR.TO.OF(L, I, K» 
= if L E INPUTS(K) 
then BEGIN(OF(TO.OF(L, I, K), L» 
else BEGIN(OF(I, K» 
end if 
BR.A29: axiom 
END(DW.FOR.TO.OF(L, I, K» = END(OF(I, K» 
BR.A30: axiom 
~(BEGIN(DW.FOR.TO.OF(L, I, K» < BEGIN(DW.OF(I, K») 
BR.A31: axiom 
END(DW.OF(I, K» = END(OF(I, K» 
LAST: (SUBFRAMETI~ffi, TASK) ~ ITERATION 
/* The Last Subframe finished last and the next has not */ 
BR.A33: axiom 
I = LAST(T.SUB, K) 
END(OF(I, K» S T.SUB A END(OF(INCR(I), K» > T.SUB 
/* The Last iteration of the Global Exec is constant over 
an Execution Window 
BR.A36: axiom 
BEGIN(OF(I, K» 5 T.SUB 
A T.SUB < END(OF(I, K» 
A BEGIN(OF(I, K» 5 T2.SUB 
A T2.SUB < END(OF(I, K» 
) 
LAST(T.SUB, GLOBAL.EXEC(» = LAST(T2.SUB, GLOBAL.EXEC(» 
166 
/* L to I of K is the last completed iteration of L */ 
BR;A40: axiom 
(L E INPUTS(K) A ~SSF(L, K) 
) 
~(BEGIN(OF(I, K» < END(OF(TO.OF(L, I, K), L») 
A BEGIN(OF(I, K» < END(OF(INCR(TO.OF(L, I, K», L») 
A (L E INPUTS(K) A SSF(L, K) 
) 
END(OF(TO.OF(L, I, K), L» = SUB.INCR(BEGIN(OF(I, K»» 
167 

SUBSECTION 7.12 
PACT AXIOMS 
169 

/* ********** Activity Specification ********** */ 
using PAIROF.STP 
using SETS.AXIOMS 
using SEQ.STP 
/* THE FOLLOWING DST IS NECESSARY TO MAP TO THE PRE/POST SPEC */ 
DATAVAL: type is NAT 
ACTIVITIES: type is NAT 
CONFIGS: type is DATAVAL 
DATA: type is SEQ(DATAVAL) 
FRAMETIME: type is INTEGER 
var CON2: CONFIGS 
using SUBFRAME.AXIOMS 
INTERVAL: type is PAIR. OF (SUBFRA1ffiTIME, SUBFRAMETIME) 
var INTERVALI: INTERVAL 
using MAJORITY.STP 
.V,~UE: (PAIRI) ~ TYPEI = FIRST(PAIRI) 
SOURCE: (PAIRI) ~ TYPE2 = SECOND(PAIRI) 
var T.F~~; FRAMETIME 
FRAME: (SUBFRAMETIME) ~ FRAMETIME 
FRAME.INCR: (T.FRAME) ~ FRAMETIME = T.FRAME+I 
START . FRAME: (FRAMETIME) ~ SUBFRAMETIME 
START: (SUBFRAMETIME, PROC) -. REALTIME 
var T.REAL: REALTIME 
var TI.REAL: REALTIME 
RPLUS: (T.REAL, TI.REAL) ~ REALTIME = T.REAL+TI.REAL 
INT. TO.REALTIME: (INTI) ~ REALTI~ffi = INTI 
RESULT. SIZE: (TASK) ~ NAT 
FRAME. SIZE: -. NAT 
171 
BR.A27: axiom 
FRAME.SIZE() > 0 
ITERATION. START: (I) ~ SUBFRAMETIME = I*F~ffi.SIZE() 
OVERHEAD: ~ NAT 
BROADCAST. DELAY: ~ NAT 
MAX. INTERVAL: ~ NAT 
MIN. INTERVAL: ~ NAT 
REAL. SAFE: (REAl,TIME) ~ SET.OF(PROC) 
ACT. SAFE: (SUBFRAMETIME) ~ SET.OF(PROC) 
WORKING: (SUBFRAMETIME) ~ SET.OF(PROC) 
/* 
A processor is safe for asubframe if it is 
safe for all contained 'real times' 
BR.A32: axiom 
P E WORKING(T.SUB) 
(V T.REAL: 
START(T.SUB, P) ~ T.REAL 
A T.REAL ~ START(SUB.INCR(T.SUB), P) 
APE REAL.SAFE(T.REAL» 
/* State Components */ 
INPUTIN.OF: (PROC, TASK, REALTIME) ~ DATA 
DATAFILEIN.FOR.ON: (PROC, TASK, PROC, REALTIME) ~ DATA 
/* ------------------ */ 
/* Declaration of Activity and Activities Types */ 
ACTIVITIES: type is NAT 
ACTIVITY: type 
var ACTIV: ACTIVITY 
var ACTIV3: ACTIVITY 
VOTE: ~ ACTIVITIES 
EXECUTE: ~ ACTIVITIES 
DUMMY. VOTE: ~ ACTIVITIES 
var ACT: ACTIVITIES 
172 
ACTION: (ACTIVITY) ~ ACTIVITIES 
TASK.ACTION: (ACTIVITY) ~ TASK 
ELEM.ACTION: (ACTIVITY) ~ NAT 
/* --------------------- */ 
var D1: DATAVAL 
CONFIG.FIELD: ~ NAT 
/* One of the fields in the output of the Global Executive 
is a configuration field 
GE.CONFIG.FIELD: axiom 
1 ~ CONFIG.FIELD() A CONFIG.FIELD() ~ RESULT.SIZE(GLOBAL.EXEC()) 
/* A processor will use the configuration field in the 
*f 
voted output of the Global Exec in determining current 
configuration. 
CONFIG: (T.SUB, P) ~ CONFIGS 
= SEQ.ELEM(INPUTIN.OF(P, GLOBAL.EXEC(), START(T.SUB, P), 
CONFIG . FIELD 0 ) 
WORKING.DURING: (P, T.SUB) ~ BOOL = P E WORKING(T.SUB) 
SCHED: (CONFIGS, SUBFRAMETIME, PROC) ~ SEQ (ACTIVITY) 
/* The following axioms and derived functions introduce 
the definition of real time and its relation to subframe 
time. 
*/ 
FINISH: (T.SUB, P) ~ REALTIME = START(SUB.INCR(T.SUB), P)-OVERHEAD() 
BR.A1.A: axiom 
FINISH(T.SUB, P) ~ START(T.SUB, P) 
BR.A1.C: axiom 
START(T.SUB, P)+MIN.INTERVAL() $ START(SUB.INCR(T.SUB}, P} 
A START(SUB.INCR(T.SUB), P) ~ START(T.SUB, P)+~uu{.INTERVAL() 
BR.A1.D: axiom 
BROADCAST . DELAY 0 < OVERHEADO 
BR.A1.E: axiom 
2*OVERHEADO < MIN. INTERVAL 0 A MIN. INTERVAL 0 ~ ~uu{. INTERVAL 0 
var CON: CONFIGS 
173 
/* 
Frame Axiom for INPUT (the 'post vote' buffer) -- if there 
is no Vote on a task K scheduled on a processor which is working during 
that subframe, the INPUT value for K will be unchanged. 
BR.A6A: axiom 
WORKING.DURING(P, T.SUB) 
" 1 ~ Y 
" Y ~ RESULT.SIZE(K) 
/\ -.(3 ACTIV: 
) 
SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
" «ACTION(ACTIV) = VOTE() 
" TASK.ACTION(ACTIV) = K 
" ELEM.ACTION(ACTIV) = Y) 
V (ACTION(ACTIV) = DUMMY.VOTE() A TASK.ACTION(ACTIV) = K») 
SEQ.ELEM(INPUTIN.OF(P, K, START(T.SUB, P», Y) 
= SEQ.ELEM(INPUTIN. OF(P, K, START(SUB. INCR(T. SUB), P»' Y) 
BOTTOMl: (TASK) ~ DATA 
/* 
Dummy Vote axiom -- if a working processor has a Dummy Vote 
scheduled for a task K, the INPUT for K at the beginning of 
the following subframe will be BOTTOM. 
BR.A6B: axiom 
WORKING.DURING(P, T.SUB) 
A SEQ.~ffiMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P»· 
/\ ACTION(ACTIV) = DulafY.VOTE() 
A TASK.ACTION(ACTIV) = K 
) 
INPUTIN.OF(P, K, START(SUB.INCR(T.SUB) , P» = BOTTOMl(K) 
NOT.ON.FRAME: (TASK, PROC, SUBFRAMETIME) ~ BOOL 
/* Definition of NOT.ON.F~ffi -- a task K is not on during 
a frame, as determined by processor Q at time T. SUB,· if 
using his perception of the configuration, there is no 
processor which is scheduled to Execute K during that 
frame. 
BR.A22: axiom 
-,NOT.ON.FRAME(K, QQ, T.SUB) 
(3 Tl.SUB, P, ACTIV: 
F~ffi(T. SUB) = FRAME(Tl. SUB) 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), Tl.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K) 
POLLBY.FOR: (PROC, TASK, SUBFRAMETIME) ~ SET.OF(PROC) 
174 
/* Definition of POLLBY -- a processor R is determined 
by Processor P at t.ime Tl.SUB to be in the poll set 
for task L iff, according to his configuration at 
that time there is an Execute on R scheduled for that 
frame. 
BR.A9A: axiom 
R E POLLBY.FOR(P, L, Tl.Slffi) 
(3 T.SUB, ACTIV: 
T.SUB < Tl.SUB 
A FRAME(T.Slffi) = FR~E(Tl.SUB) 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, P), T.Slffi, R» 
A ACTION(ACTIV) = EXEG~TE() 
A TASK.ACTION(ACTIV) = L) 
D.BAG.A9C: (PROC, TASK, SlffiFRAMETI~ffi, NAT) ~ SET. OF(PAIR. OF(DATAVAL, PROC» 
var D.P: PAIR. OF (DATAVAL, PROC) 
/* The set of <processor,dataval> pairs for broadcast output 
from processors in the poll set -- as determined by processor P at 
time T.Slffi. 
SET.ABSTRACTION.A9C: axiom 
V D.P: 
D.BAG.MAJ: 
D.P E D.BAG.A9C(P, K, T.Slffi, Y) 
SOlmCE(D.p) E POLLBY.FOR(P, K, T.SUB) 
A VALUE(D.P) 
= SEQ.ELEM(DATAFILEIN.FOR.ON(P, K, SOURCE(D.P), 
START(T.Slffi, P», 
Y) 
(PROC, TASK, SlffiFRAMETIME, NAT, DATAVAL) ~ SET.OF(PAIR.OF(DATAVAL, PROC» 
SET.ABSTRACTION.MAJ: axiom 
V D.P2: 
D.P2 E D.BAG.MAJ(P, K, T.SUB, Y, D2) 
D.P2 E D.BAG.A9C(P, K, T.Slffi, Y) A D2 = VALUE(D.P2) 
175 
/* Definition of Vote activity -- a working processor scheduled 
to perform a Vote will have placed the majority of values 
from processors in its poll.by set into INPUT. 
BR.A9C: axiom 
WORKING.DURING(P, T.SUB) 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
) 
SEQ.ELEM(INPUTIN.OF(P, K, START(SUB.INCR(T.SUB), P», Y) 
= MAJORITY(D.BAG.A9C(P, K, T.SUB, Y» 
var V.INPUTS: SET.OF(PAIR.OF(DATA, TASK» 
/* 
Definition of Execute activity -- Given a working processor QQ 
scheduled to Execute task K and (another) working processor P 
to receive the broadcast, the result of applying the correct 
mathematical function to the Inputs will, according to QQ's 
clock, be present in P at the end of the current subframe plus 
the broadcast delay. N.B. the timing is w.r.t. to processor 
performing and broadcasting the computation. 
BR.A41: formula 
WORKING.DURING(P, T.SUB) 
A WORKING.DURING(QQ, T.SUB) 
A (V V.T: 
V.T E V.INPUTS 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) 
= INPUTIN.OF(QQ, SOURCE(V.T), START(SUB.INCR(T.SUB), QQ») 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
DATAFILEIN.FOR.ON(P, K, QQ, 
RPLUS(INT.TO.REALTIME(BROADCAST.DELAY(», 
FINISH(T.SUB, QQ») 
= APPLY(FUNCTION(K), V.INPUTS) 
176 
/* Frame axiom for the Datafile -- If processors P and QQ are 
working during a subframe in which QQ is not to Execute K, 
the datafile in P should remain unchanged from the end of 
the previous subframe + broadcast delay until the end of the 
current subframe +broadcast delay (according to QQ's clock) 
BR.A42: formula 
WORKING.DURING(P, T.SUB) 
A WORKING.DURING(QQ, T.SUB) 
A ...,(3 ACTIV: 
SEQ.MEMBER(ACTIV, SClffiD(CONFIG(T.SUB, QQ), T.Stm, QQ» 
A ACTION (ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K) 
A RPLUS(INT.TO.REALTlME(BROADCAST.DELAY(», FINISH(SUB.DECR(T.SUB), QQ» 
~ T.REAL 
A T.REAL ~ RPLUS(INT.TO.REALTIME(BROADCAST.DELAYO), FINISH(T.SUB, QQ» 
) 
DATAFILEIN.FOR.ON(P, K, QQ, T.REAL) 
= DATAFILEIN.FOR.ON(P, K, QQ, 
RPLUS(INT.TO.REALTIME(BROADCAST.DELAY(», 
FINISH(SUB.DECR(T.SUB), QQ») 
VOTE. COST: ... NAT 
EXEC~TE.COST: (TASK) ... NAT 
COST: (ACTIV) ... NAT 
= if ACTION(ACTIV) = VOTE() 
then VOTE.COSTO 
else EXECUTE.COST(TASK.ACTION(ACTIV» 
end if 
SEQ.COST: (SEQ(ACTIVITY» ... NAT 
var SEQ.ACTIV: SEQ (ACTIVITY) 
BR.SEQ.COST: axiom 
SEQ.COST(SEQ.CAT(SEQ.ACTIV, MAKESEQ(ACTIV») 
= SEQ.COST(SEQ.ACTIV)+COST(ACTIV) 
BR.AIO: aXIom 
SEQ.COST(SCHED(CON, T.SUB, P» ~ MIN.INTERVAL()-OVERHEAD() 
var ACTIV2: ACTIVITY 
/* The i-th iteration of a task will take place during the 
i-th frame. 
BR.A18: aXlOm 
START.FRAME(FRAME(BEGIN(OF(I, K»» = I*FRAME.SIZE() 
A F~ffi(BEGIN(OF(I, K») = FRAME(SUB.DECR(END(OF(I, K»» 
177 
/* The next two axioms establish the well ordering of iterations */ 
BR.A19.1: axiom 
SUB.INCR(BEGIN(OF(I, K») < END(OF(I, K» 
BR.A19.2: axiom 
END(OF(I, K» ~ BEGIN(OF(INCR(I), K» 
/* Instance of Induction Scheme Over Integers */ 
BR.INDUCTION.SUB.TIME.I: formula 
V T.SUB, T1.SUB: 
DATAFILEIN.FOR.ON(QQ, K, P, START(T.SUB, QQ» = V 
A (V T2.SUB: 
T.SUB ~ T2.SUB 
A T2.SUB < T1.SUB 
A DATAFILEIN.FOR.ON(QQ, K, P, START(T2.SUB, QQ» = V 
) 
DATAFILEIN.FOR.ON(QQ, K, P, START(SUB.INCR(T2.SUB) , QQ» = V) 
) 
DATAFILEIN.FOR.ON(QQ, K, P, START(T1.SUB, QQ» = V 
/* Another instance ... */ 
BR.INDUCTION.SUB.TlME.2: formula 
V T.SUB, T1.SUB: 
D1 = SEQ. ELEM(INPUTIN. OF(QQ, L, START(T.SUB, QQ», Y) 
A (V T2.SUB: 
) 
T.SUB ~ T2.SUB 
A T2.SUB < T1.SUB 
A D1 = SEQ.ELEM(INPUTIN.OF(QQ, L, START(T2.SUB, QQ», Y) 
) 
01 = SEQ. ELEM(INPUTIN. OF(QQ, L, START(SUB.INCR(T2.SUB) , QQ», 
Y» 
D1 = SEQ.ELEM(INPUTIN.OF(QQ, L, START(TI.SUB, QQ», Y) 
/* Induction Scheme over Iterations - Instance of Integer Induction 1 */ 
BR.INOUCTION. ITERATION. 1: formula 
V I, J: 
J ~ I 
A BEGIN(OF(I, K» > T.SUB 
A (V J1: BEGIN(OF(Jl, K» > T.SUB ) BEGIN(OF(INCR(Jl), K» > T.SUB) 
) 
BEGIN(OF(J, K» > T.SUB 
178 
/* 
The next three axioms establish basic properties of START.FRA1ffi 
and FRAME functions. 
BR.A21A: axiom 
START.FRAME(FRAME(T.SUB» < START.FRAtffi(FRAME.INCR(FRAME(T.SUB») 
BR.A21B: axiom 
START .FRAME(FRAME. INCR(T. FRAME» = START .FRA1ffi(T. FRAME) +FRAME. SIZEO 
BR.A21: axiom 
START.FR~:(FRAME(T.SUB» ~ Tl.SUB 
" Tl.SUD < START.FRAME(FRA1tE.INCR(FRAME(T.SUB»)) 
FRAME(T. SUB) = FRAtffi(Tl. SUB) 
/* Topology of Interactive Consistency Tasks */ 
BR.A20: axiom 
/* 
IC(K) " SOURCE(V.T) E INPUTS(K) " SINGLETON(V.INPUTS, V.T) 
) 
CARD(INPUTS(K» = 1 
" (L E INPUTS(K) ) 1 = CARD(POLL.FOR.OF(TO.OF(L, I, K), L») 
" 3 = CARD(POLL.FOR.OF(I, K» 
" VALUE(V.T) = APPLY(FUNCTION(K), V.INPUTS) 
A processor is safe for an iteration iff it is 
safe for every subframe within the execution window. 
BR.Dl: axiom 
(V T.SUB: BEGIN(II) ~ T.SUB " T.SUB < END(II) ) P E SAFE(T.SUB» 
P E SAFE.FOR(II) 
var ACTIV3: ACTIVITY 
LAST: (SUBFRAMETlME, TASK) ~ ITERATION 
CLOCK. SAFE: (PROC, SUBFRAMETlME) ~ BOOL 
179" 
/* 
Two processors are within skew of each other at time 
*/ 
T.SUB iff the end of the last subframe + broadcast delay 
w.r.t. one processor's clock is less than the start 
of the current subframe of the other's clock. 
WITHIN.SKEW: (P, QQ, T.SUB) -to BOOL 
= FINISH(SUB.DECR(T.SUB), P)+BROADC.\ST.DELAYO ~ START(T.SUB, QQ) 
A FINISH(SUB.DECR(T.SUB), QQ)+BROADCAST.DELAY() ~ START(T.SUB, P) 
/* 
This lemma was proven by hand by Leslie Lamport. It is the 
basic statement of correctness for the clock task which runs 
on each processor. 
BR.LEMMA.FOR.LES.TO.PROVE: formula 
CLOCK.SAf'E(P, T.SUB) A CLOCK.SAFE(QQ, T.SUB) 
) 
WITHIN.SKEW(P, QQ, T.SUB) 
var R: PROC 
/* Draw a picture. " */ 
BR.A35: axiom 
CLOCK.SAFE(P, T.SUB) 
IC.TASK.SAFE(CLOCK(), LAST(T.SUB, CLOCK(») 
APE WORKING(T.SUB) 
A (V R: 
(V Tl.SUB, QQ: 
T1.SUB ~ T.SUB . 
A T1.SUB ~ END(OF(LAST(T.SUB, CLOCK(», CLOCK(») 
ARE WORKING(Tl.SUB) 
A QQ E SAFE (END (OF (LAST(T. SUB, CLOCK(», CLOCK(»» 
A QQ E WORKING(Tl.SUB) 
A WITHIN.SKEW(R, QQ, T.SUB» 
) 
WITHIN.SKEW(P, R, T.SUB» 
DATA. SIZE. IS.SEQ.LENGTH.2: axiom 
SEQ.LENGTH(INPUTIN.OF(P, K, T.REAL» = RESULT.SIZE(K) 
A SEQ.LENGTH(DATAFILEIN.FOR.ON(P, K, QQ, T.REAL» = RESULT.SIZE(K) 
DATA. SIZE. IS.SEQ.LENGTH.3: axiom 
SEQ.LENGTH(APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ») = RESULT.SIZE(K) 
A SEQ.LENGTH(APPLY(FUNCTION(K), V.INPUTS» = RESULT.SIZE(K) 
LENGTH.OF.ELE~ffiNTS.OF.ON.IS.LENGTH.OF.ON.IN: axiom 
V E ON(K, I, QQ) ) SEQ.LENGTH(V) = RESULT.SIZE(K) 
using SCHED.AXIOMS 
using REACT.MAPPING 
180 
SUBSECTION 7.13 
REACT MAPPING 
181 

/* 
********** Non-Identity Mappings from Activity Model 
to Replication Model ********** 
*/ 
/* 
A processor QQ is in the global poll set iff there 
exists a processor P safe for the execution window who, 
according to his view of the configuration, decides at the 
time of a scheduled Vote that QQ is in his POLL.BY set. 
BR.RE.MAPPING.4: axiom 
/* 
QQ E POLL.FOR.OF(I, K) 
(3 P, T.SUB, ACTIV, Y: 
START.FRAME(FRAME(T.SUB» = hFRAME.SIZE() 
/\ 1 5 Y 
./\ Y 5 RESULT.SIZE(K) 
/\ P E SAFE.FOR(OF(I, K» 
/\ SEQ. MEMBER (ACTIV , SCHED(CONFIG(T.SUB, P), T.SUB, P» 
/\ ACTION(ACTIV) = VOTE() 
/\ TASK.ACTION(ACTIV) = K 
/\ ELEM.ACTION(ACTIV) = Y 
/\ QQ E POLLBY.FOR{P, K, T.SUB» 
A value V is in the global ON set for K of I on P iff 
some safe processor QQ determines that either (1) the task K is on 
for the contained frame and has V as a voted ON.IN value, 
or (2) the task is determined to be NOT.ON and V is bottom. 
BR.RE.MAPPING.5: axiom 
V E ON{K, I, P) 
(3 QQ: 
QQ E SAFE.FOR(OF{I, K» 
/\ {(~NOT.ON.FRA1ffi{K, QQ, BEGIN(OF{I, K») 
/\ (V Y: 
1 5 Y /\ Y 5 RESULT.SIZE{K) 
) 
SEQ.ELEM{V, Y) = SEQ.ELEM(ON.IN{K, I, P, QQ), Y») 
V (NOT.ON.FRAME{K, QQ, BEGIN{OF{I, K») /\ V = BOTTOMl{K»» 
183 
/* A V is the ON.IN value in QQ for K of I on P iff 
either (2) the task is determined to be NOT.ON and 
V is bottom, or (2) the task is ON and each component 
of V is equal to the OATAFILE component at the time of a scheduled 
vote. 
BR.RE.MAPPING.6: axiom 
/* 
V = ON.IN(K, I, P, QQ) 
(V Y, T.SUB, ACTIV: 
BEGIN(OF(I, K» S T.SUB 
/\ T.SUB < ENO(OF(I, K» 
1\ 1 S Y 
1\ Y S RESULT.SIZE(K) 
1\ ~NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») 
1\ SEQ. MEMBER (ACTIV, SCHEO(CONFIG(T.SUB, QQ), T.SUB, QQ» 
1\ ACTION(ACTIV) = VOTE() 
./\ TASK.ACTION(ACTIV) = K 
1\ ELEM.ACTION(ACTIV) = Y 
) 
SEQ.ELEM(V, Y) 
= SEQ.ELEM(OATAFILEIN.FOR.ON(QQ, K, P, START(T.SUB, QQ», Y» 
V (NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») /\ V = BOTTOMl(K» 
The IN value for K of I on P is determined from 
the value in the voted INPUT structure at the time of 
a scheduled vote. 
BR.RE.MAPPING.7: axiom 
(3 T.SUB, ACTIV: 
START.FRAME(FRAME(T.SUB» = I*FRAME.SIZEO 
1\ 1 S Y 
/\ Y S RESULT.SIZE(K) 
1\ SEQ. MEMBER (ACTIV, SCHEO(CONFIG(T.SUB, P), T.SUB, P» 
1\ TASK.ACTION(ACTIV) = K 
1\ ACTION(ACTIV) = VOTE() 
/\ ELEM.ACTION(ACTIV) = Y 
1\ SEQ.ELEM(INPUTIN.OF(P, K, START(SUB.INCR(T.SUB), P», Y) = 01) 
) 
SEQ.ELEM(IN(K, I, P), Y) = 01 
/* ... or the value in the INPUT structure at the time of a dummy vote. */ 
BR.RE.MAPPING.8: axiom 
(3 T.SUB, ACTIV: 
SEQ. MEMBER (ACTIV, SCHEO(CONFIG(T.SUB, P), T.SUB, P» 
1\ ACTION(ACTIV) = OUMMY.VOTE() 
1\ TASK.ACTION(ACTIV) = K 
/\ INPUTIN.OF(P, K, START(SUB.INCR(T.SUB) , P» = V) 
) 
IN(K, I, P) = V 
184 
/* 
A processor is safe at a subframe time iff it is working, 
the clock is safe, the Global Executive was safe for 
its last iteration, and the INPUT in the processor has 
the global consensus value for the last iteration 
of the Global Executive. 
RE.BR.~MPPING.9: axiom 
P E SAFE(T.SUB) 
P E WORKING(T.SUB) 
A CLOCK.SAFE(P, T.SUB) 
A TASK.SAFE(GLOBAL.EXEC(), LAST(T.SUB, GLOBAL.EXEC())) 
A SINGLETON(RESULT(GLOBAL.EXEC(), LAST(T.SUB, GLOBAL.EXEC())), 
INPUTIN.OF(P, GLOBAL.EXEC(), START(T.SUB, P))) 
185 

SUBSECTION 7.14 
REACT LEMMAS 
187 

/* 
********** Lemmas and Proofs for ********** 
*/ 
/* 
Proof between Replication and Activity Specifications 
If processors P and QQ are safe for the execution window of 
the i-th iteration of task K, QQ has (according to his information) 
an Execute scheduled, P has a Vote scheduled (wrt P's information) 
later in the frame, there will be no further Execute scheduled 
011 QQ for t.hat frame. 
BR.LEMMA.l: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ.~ffiMBER(ACTIV, SClffiD(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A FRAME(T. SUB) = FRAME(T1. SUB) 
A SEQ.MEMBER(ACTIV2, SCllED(CONFIG(T1.SUB, P), T1.SUB, P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A SUB.INCR(T.SUB) ~ T2.SUB 
A T2.SUB ~ Tl.SUB 
) 
,(ACTION(ACTIV3) = EXECUTE() 
A TASK.ACTION(ACTIV3) = K 
A SEQ.MEMBER(ACTIV3, SClffiD(CONFIG(T2.SUB, QQ), T2.SUB, QQ») 
prove BR.LEMMA.l 
using BR.A21 [Tl.SUB ~ T.SUB] 
BR.A21 
BR.A21 [Tl.SUB ~ T2.SUB] 
BR.A12 [CON ~ CONFIG(T2.SUB, QQ), 
T1. SUB ~ T2. SUB, 
P ~ QQ] 
BR.LEMMA.14 
BR.A16 [P ~ QQ, 
CON ~ CONFIG(T.SUB, QQ)] 
BR.A16 [P ~ QQ, 
T.SUB ~ T2.SUB, 
CON ~ :4, 
ACTIV ~ ACTIV3] 
189 
/* Given the circumstances of Lemma 1, the datafile in P will 
remain unchanged from the subframe following the Execute 
until the time of the Vote 
BR.LEMMA.2: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A FRAME(T. SUB) = FRAME(TI. SUB) 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG(Tl.SUB, P), Tl. SUB , P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB), P» = V 
) 
DATAFILEIN.FOR.ON(P, K, QQ, START(T1.SUB, P» = V 
prove BR.LEMMA.2 
using BR. LEM~l<\. 4 [T2. SUB .. *T2. SUB: 2] 
BR.INDUCTION.SUB.TlME.1 [T.SUB .. SUB.INCR(T.SUB) , 
P .. QQ, 
QQ .. P] 
190 
/* A processor P that is safe for the exection window of the 
i-th iteration of K will be working for each contained s~bframe 
time. 
BR.LEMMA.3: formula 
P E SAFE.FOR(OF(I, K)) A BEGIN(OF(I, K)) S T.SUB A T.SUB" < END(OF(I, K)) 
) 
WORKING.DURING(P, T.SUB) 
prove BR.LEMMA.3 
using RE.BR.MAPPING.9 
BR.Dl [II ~ OF(I, K)] 
/* Analogous to Lemma 3 for the Data Window */ 
BR.LEM~~.3A: formula 
P E SAFE.FOR(DW.FOR.TO.OF(L, I, K)) 
A BEGIN(DW.FOR.TO.OF(L, I, K)) S T.SUB 
A T.SUB < END(DW.FOR.TO.OF(L, I, K)) 
) 
WDRKING.DURING(P, T.Sv~) 
prove BR.LEMMA.3A 
using RE.BR.MAPPING.9 
BR.Dl [II ~ DW.FOR.TO.OF(L, I, K)] 
191 
/* 
By Lemma 2 and induction, the Datafile in P at the time of the Vote 
will be same as it was at the beginning of the subframe following 
the Execute on QQ 
BR. LEMMA.4: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START. FRAME(FRAME(T. SUB» =I*FRAME. SIZEO 
A FRAME(T. SUB) = FRAME(T1. SUB) 
A SEQ. MEMBER (ACTIV2, SCIIED(CONFIG(T1.SUB, P), T1.SUB, P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A SUB.INCR(T.SUB) ~ T2.SUB 
A T2.SUB < TI.SUB 
) 
DATAFILEIN.FOR.ON(P, K, .QQ, START(SUB.INCR(T2.SUB) , P» 
= DATAFILEIN.FOR.ON(P, K, QQ, START(T2.SUB, P» 
prove BR.LEMMA.4 
using BR.LEMMA.3 [T.SUB .. T2.SOO] 
BR.LEMMA.3 [T.SUB .. T2.SOO, 
P .. QQ] 
BR.AI6 [CON .. CONFIG(TI.SUB, P), 
T . SUB .. T 1. SUB , 
ACTIV .. ACTIV2] 
BR.LEMMA.I [T2.SUB .. SUB.INCR(T2.SUB) , 
ACTIV3 .. ACTIV2:5] 
BR.LEMMA.I8 [T.SUB .. T2.SUB] 
BR.LEMMA.l [ACTIV3 .. ACTIV:5] 
BR.DI [T.SUB .. T2.SUB, 
II .. OF (I, K)] 
BR.DI [T.SUB .. T2.SOO, 
II .. OF(I, K), 
P .. QQl 
BR.DI [II .. OF(I, K), 
T.SUB .. SUB.INCR(T2.SUB)] 
BR.DI [II .. OF(I, K), 
T.Su~ .. SUB.INCR(T2.SUB) , 
P .. QQ] 
BR.AI6 [P .. QQ, 
CON .. CONFIG(T.SUB, QQ)] 
192 
/* 
If QQ has an Execute scheduled for the i-th iteration of K, 
and QQ is safe for the execution window, there will be no 
further Execute scheduled for the remainder of the execution 
window. 
BR.LEMMA.5: formula 
QQ E SAFE.FOR(OF(I, K» 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
) 
-.(3 ACTIV2: 
SEQ.MEMBER(ACTIV2, 
SCHED(CONFIG(SUB.INCR(T.SUB), QQ), Su~.INCR(T.SUB), QQ» 
A ACTION(ACTIV2) = EXECUTE() 
A TASK.ACTION(ACTIV2) = K) 
A BEGIN(OF(I, K» ~ SUB.INCR(T.SUB) 
A SUB.INCR(T.SUB) < END(OF(I, K» 
prove BR.LEMMA.5 
using BR.Al3A [CON ~ CONFIG(T.SUB, QQ), 
P ~ QQ] 
BR.A16 [T.SUB ~ *Tl.SUB:l, 
ACT IV ~ *ACTIV2:1, 
CON ~ CONFIG(T.SUB, QQ), 
P ~ QQ] 
BR.A12 [P ~ QQ, 
ACTIV3 ~ ACTIV2, 
CON ~ CONFIG(T.Sl~, QQ), 
Tlo SUB ~ SUB. INCR(T. SUB)] 
BR.LE~WA.14 [T2.SUB ~ SUB.INCR(T.SUB)] 
BR.A16 [P ~ QQ, 
CON ~ CONFIG(T.SUB, QQ)] 
BR.A21 [Tl.SUB ~ T.SUB] 
BR.A21 [Tl.SUB ~ *Tl.SUB:l] 
BR .A21 [Tlo SUB ~ SUB. INCR(T. SUB)] 
193 
/* 
If processor QQ is scheduled to execute task K, and either a Vote 
or a Dummy Vote on an input task L to K is scheduled earlier, 
the voted value in Input at the time of the Execute 
will be the same as that just after the Vote. The proof of 
this uses Lemma 7 and induction. 
BR.LEMMA.6: formula 
QQ E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
A SEQ. MEMBER (ACTIV. SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A 1 5 Y 
A Y 5 RESULT.SIZE(K) 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
ALE INPUTS(K) 
A SEQ. MEMBER (ACTIV2 , SCHED(CONFIG(T1.SUB, QQ), T1.SUB, QQ» 
A TASK.ACTION(ACTIV2) = L 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUM~IT.VOTE(» 
A START.FRAME(FRAME(Tl.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A SEQ.ELEM(INPUTIN.OF(QQ, L, START(SUB.INCR(Tl.SUB), QQ», Y) = Dl 
) 
SEQ.ELEM(INPUTIN.OF(QQ, L, START(SUB.INCR(T.SUB) , QQ». Y) = Dl 
prove BR.LEMMA.6 
using BR.INDUCTION.SUB.TlME.2 [T.SUB ~ SUB.INCR(Tl.SUB), 
Tl.SUB ~ SUB.INCR(T.SUB)] 
BR.LEMMA.7 [T2 . SUB ~ T2. SUB: 1] 
194 
/* 
If processor QQ is scheduled to execute task K, and either a Vote 
or a Dummy Vote on an input task L to K is scheduled earlier, 
then, for each subframe time between the Vote 
and subsequent Execute, the voted value in Input 
will remained unchanged. */ 
BR.LEMMA.7: formula 
QQ E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T. SUB , QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A 1 ~ Y 
A Y ~ RESULT.SIZE(K) 
A START.FRAME(FRAME(T.SUB» = hFRAME.SIZEO 
ALE INPUTS(K) 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG (T1. SUB , QQ), T1.SUB, QQ» 
A TASK.ACTION(ACTIV2) = L 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACT ION (ACTIV2) = DUMMY. VOTE 0 ) 
A START.FRAME(FRAME(T1.SUB») = TO.OF(L, I, K)*FRAME.SIZEO 
A T1.SL~ < T2.SUB 
A T2.SUB ~ T.SUB 
A D1 = SEQ.ELEM(INPUTIN.OF(QQ, L, START(T2.SUB, QQ», Y) 
) 
D1 = SEQ.ELEM(INPUTIN.OF(QQ, L, START(SUB.INCR(T2.SlID) , QQ», Y) 
prove BR.LEMMA.7 
using BR.LEMMA.49 [P .. QQ, 
ACTIV3 .. ACTIV:B] 
BR.LEMMA.50 [P .. QQ, 
ACTIV3 .. ACTIV:B] 
BR.LEMMA.51 [p .. QQ, 
ACTIV3 .. ACTIV:6] 
BR.A25A [P .. QQ, 
CON .. CONFIG(T.SlID, QQ), 
CON2 .. CONFIG(Tl.SUB, QQ), 
ACTIV3 .. ACTIV:6] 
BR.A12A [T1.SUB .. T2.SUB, 
ACTIV3 .. ACTIV:6, 
T.SUB .. Tl.SUB, 
ACTIV .. ACTIV2, 
CON .. CONFIG(T1.SUB, QQ), 
P .. QQ, 
K .. L] 
BR.ABA [P .. QQ, 
T.SUB .. T2.SUB, 
K .. L] 
BR.LEMMA.3A [T.SUB .. T2.SUB, 
P .. QQ] 
BR.A28 
BR.A29 
BR.A1B [P .. QQ, 
CON .. CONFIG(T.SUB, QQ)] 
BR.A16 [P .. QQ, 
K .. L, 
. I .. TO.OF(L, I, K), 
T . SUB .. T1.SUB, 
ACTIV .. ACTIV2, 
CON .. CONFIG(T1.SUB, QQ)] 
195 
/* For a processor QQ safe for the data window of the i-th iteration 
of K and scheduled to vote on a task input L and later Execute 
task K, QQ will be working for all intervening subframes. 
BR.LEMMA.8: formula 
QQ E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
ALE INPUTS(K) 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG (Tl. SUB, QQ), Tl.SUB, QQ» 
A TASK.ACTION(ACTIV2) = L 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUMMY.VOTEO) 
A START.FRAME(FRAME(Tl.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A Tl.SUB < T2.SUB 
A T2.SUB 5 T.SUB 
) 
WORKING.DURING(QQ, T2.SUB) 
prove BR.LEMMA.8 
using BR.LEMMA.ll 
RE.BR.MAPPING.9 [T.SUB ~ T2.SUB, 
P ~ QQ] 
BR.Dl [II ~ DW.FOR.TO.OF(L, I, K), 
P ~ QQ, 
T.SUB ~ T2.SUB] 
196 
/* No more than one task iteration can take place in one frame */ 
BR.LEMMA.lO: formula 
BEGIN{OF(I, K» ~ T.SUB 
A T.SUB < END(OF(I, K» 
A BEGIN(OF(J, K» ~ Tl.SUB 
A Tl.SUB < END(OF(J, K» 
A -, (I = J) 
) 
-,(START . FRAME (FRAME (T . SUB) ) = START .FRAME(FRAME(TI.SUB») 
prove BR.LEMMA.lO 
using TIMES.AXIOM.l [INTI .. I, 
INT2 .. J, 
INT3 .. FRAME. SIZEO] 
BR.A27 
BR.Al8 
BR .Al8 [I .. J] 
BR.A2l [T.SUB .. BEGIN(OF(I, K», 
Tl.SUB .. SUB.DECR(END(OF(I, K»)] 
BR.A2l [T.SUB .. BEGIN(OF(I, K», 
T1. SUB .. T. SUB] 
BR.A2l [T.SUB .. BEGIN(OF(J, K», 
Tl.SUB .. SUB.DECR(END(OF(J, K»)] 
BR.A2l [T.SUB .. BEGIN(OF(J, K»] 
BR.A2l [T.SUB .. BEGIN(OF(I, K», 
Tl.SUB .. BEGIN(OF(I, K»] 
BR.A2l [T.SUB .. BEGIN(OF(J, K», 
Tl.SUB .. BEGIN(OF(J, K»] 
BR.A2lA 
BR.A2lA [T.SUB .. Tl.SUB] 
BR.A2l [Tl.SUB .. START.FRAME(FRAME(T.SUB»] 
BR.A2l [T.SUB .. Tl.SUB, 
Tl.SUB .. START.FRAME(FRAME(T1.SUB»] 
197 
/* 
If a processor QQ is safe for the data window, and has 
a Vote on an input task L providing input to a later Execute of task 
K, every' intervening subframe is within the data window. 
BR.LEMMA.ll: formula 
QQ E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
ALE INPUTS(K) 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG(T1.SUB, QQ), T1.SUB, QQ» 
A TASK.ACTION(ACTIV2) = L 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = Dt»~.VOTE(» 
A START.FRA1iE(FRAME(Tl.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A T1.SUB < T2.SUB 
A T2.SUB 5 T.SUB 
) 
BEGIN(DW.FOR.TO.OF(L, I, K» 5 T2.SUB 
A T2.SUB < END(DW.FOR.TO.OF(L, I, K» 
prove BR.LEMMA.ll 
using BR.A28 
BR.A16 [T.SUB ~ Tl.SUB, 
P ~ QQ, 
ACTIV ~ ACTIV2, 
CON ~ CONFIG(T1.SlJB, QQ), 
I ~ TO.OF(L, I, K), 
K ~ L] 
BR.A16 [CON ~ CONFIG(T.SUB, QQ), 
P ~ QQ] 
BR.A29 
var T1.FRAME: FRAMETIME 
198 
/* Two frames are equal iff their beginning subframes are equal. */ 
BR.LEMMA.12: formula 
START. FRAME {FRAME{T . SUB» = START. FRAME{FRAME{TI. SUB» 
FRAME (T . SUB) = FRAME (T1. SUB) 
prove BR.LEMMA.12 
using BR.A21 
BR.A21 [Tl.SUB ~ T.SUB] 
BR.A21 [T.SUB ~ Tl.SUB] 
BR.A21B [T.FRAME ~ FRAME(T.SUB)] 
BR.A21B [T.FRAME ~ FRAME(Tl.SUB)] 
199 
/* 
If QQ is safe for the execution window for I of K, then 
the configuration according to processor QQ will be the same 
for any two subframe times within the window. 
BR.LEMMA.14: formula 
QQ E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRA1ffi.SIZE() 
A FRAME(T. SUB) = FRAME(T2. SUB) 
A BEGIN(OF(I, K» S T.SUB 
A T.Slffi < END(OF(I, K» 
A BEGIN(OF(I, K» S T2.SUB 
A T2.SUB < END(OF(I, K» 
) 
CONFIG(T.SUB, QQ) = CONFIG(T2.SUB, QQ) 
prove BR.LEMMA.14 
using BR.DI [II ~ OF(I, K), 
P ~ QQ, 
T.SUB ~ T2.SUB] 
BR.DI [II ~ OF(I, K), 
P ~ QQ] 
CARD.2 [S ~ RESULT(GLOBAL.EXEC(), LAST(T.SUB, GLOBAL.EXEC(»), 
X ~ INPUTIN.OF(QQ, GLOBAL. EXEC 0 , START(T.SUB, QQ», 
Xl ~ INPUTIN.OF(QQ, GLOBAL.EXEC(), START(T2.SUB, QQ»] 
RE.BR.MAPPING.9 [P ~ QQ] 
RE.BR.MAPPING.9 [P ~ QQ, 
T.SUB ~ T2.SUB] 
SEQ.EQUALITY.AXIOM [SEQI 
BR.A36 
~ INPUTIN.OF(QQ, GLOBAL.&XEC(), START(T.SUB, QQ», 
SEQ2 
~ INPUTIN.OF(QQ, GLOBAL.&XEC(), START(T2.SUB, QQ», 
y ~ CONFIG.FIELD()] 
200 
/* 
If P is safe for the I,K execution window, then, for 
any two contained subframes, the decision as to whether 
a given task is 'on' for that frame will be the same 
(see the definition of NOT.ON.FRAME in BR.A22) 
BR.LEMMA.16: formula 
P E SAFE.FOR(OF(I, K» 
A BEGIN(OF(I, K» ~ T.SUB 
A T.SUB < END(OF(I, K» 
A BEGIN(OF(I, K» 5 Tl.SUB 
A Tl.SUB < END(OF(I, K» 
) 
(NOT.ON.FRAME(K, P, T.SUB) _ NOT.ON.FRAME(K, P, Tl.SUB» 
prove BR.LEMMA.16 
using BR.LEMMA.16A 
BR.LEMMA.16A [T.SUB ~ Tl.SL~, 
TI. SUB ~ T. SUB] 
/* Trivial corollary of Lemma 16 */ 
BR.LEMMA.16A: formula 
P E SAFE.FOR(OF(I, K» 
A BEGIN(OF(I, K» ~ T.SUB 
A T.SUB < END(OF(I, K» 
A BEGIN(OF(I, K» ~ Tl.SUB 
A Tl.SL~ < END(OF(I, K» 
A ,NOT.ON.FRAME(K, P, T.SUB) 
) 
,NOT.ON.FRAME(K, P, Tl.SUB) 
prove BR.LEMMA.16A 
using BR.A22 [QQ ~ P, 
ACTIV ~ @:D] 
BR.LEMMA.14 [QQ ~ P, 
T2.SUB ~ Tl.SUB] 
BR.LEMMA.21 
BR.LEMMA.21 [T.SUB ~ TI.SUB] 
BR.A18 
BR.LEMMA.12 [Tl.SUB ~ BEGIN(OF(I, K»] 
BR.A22 [Tl.SUB ~ *Tl.SUB:l, 
ACTIV ~ *ACTIV:l, 
T.SUB ~ TI.SUB, 
QQ .. P, 
P ~ *P: 1] 
201 
/* Composing Lemma 16 with the mapping of ON. IN, 
we conclude that if a processor P is safe for 
I of K, and processor P, at time T.SUB determines 
then that the task K was run and there should be 
a Vote activity performed, the ON.IN value 
will be the value in the Datafile at that time. 
BR.LEMMA.15: formula 
P E SAFE.FOR(OF(I, K» 
A ~NOT.ON.FRAME(K, P, T.SUB) 
A START.FRAME(FRAME(T.SUB) = I*FRAME.SIZEO 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
A 1 5 Y 
A Y 5 RESULT.SIZE(K) 
) 
SEQ.ELEM(ON.IN(K, I, QQ, P), Y) 
= SEQ. ELEM(DATAFILEIN. FOR.ON(P, K, QQ, START(T.SUB, P», Y) 
prove BR.LEMMA.15 
using BR.LEM~tA.16 [Tl.SUB .. BEGIN(OF(I, K»] 
BR.A16 [CON .. CONFIG(T.SUB, P)] 
BR.RE.~~PING.6 [V .. ON.IN(K, I, QQ, P), 
P .. QQ, 
QQ .. P] 
202 
var V.INPUTS: SET.OF(PAIR.OF(DATA, TASK» 
/* 
This is an important lemma concerning synchronization 
and availability of broadcast data across processor 
boundaries. It states that if processor QQ is safe for 
I of K, and processors P and QQ are clock safe and working 
for subframe T.SUB, at which time an Execute is scheduled 
on processor QQ, according to QQ's clock, then the 
Datafile on processor P, according to P's clock, will have the 
correct output value at the beginning of the next subframe. 
BR.LEMMA.17X: formula 
QQ E SAFE.FOR(OF(I, K» 
A CLOCK.SAFE(P, SUB.INCR(T.SUB» 
A CLOCK.SAFE(QQ, SUB.INCR(T.SUB» 
APE WORKING(T.SUB) 
A QQ E WORKING(T.SUB) 
A QQ E WORKING(SUB.INCR(T.SUB» 
APE WORKING(SUB.INCR(T.SL~» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A (V V.T: 
V.T E V.INPUTS 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) 
= INPUTIN.OF(QQ, SOURCE(V.T), START(SUB.INCR(T.SUB) , QQ») 
A SEQ. MEMBER (ACTIV , SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB) , P» 
= APPLY(FUNCTION(K), V.INPUTS) 
prove BR.LEMMA.17X [V.T ~ *V.T:l] 
using BR.A41 
BR.A42 [T.REAL ~ START (SUB. INCR(T.SUB) , P), 
T.SUB ~ SUB.INCR(T.SUB)] 
NAT.NONNEGATIVE [Y ~ BROADCAST.DELAY()] 
NAT.NONNEGATIVE [Y ~ OVERI~AD()] 
NAT.NONNEGATIVE [Y ~ MIN.INTERVAL()] 
BR.A1.D 
BR.Al.E 
BR.Al.C [T.SUB ~ SUB.INCR(T.SUB) , 
P ~ QQ] 
BR.LEMMA.FOR.LES.TO.PROVE [T.SUB ~ SUB.INCR(T.SUB)] 
BR.LE~illA.5 [ACTIV2 ~ *ACTIV:2] 
203 
/* 
This lemma builds on lemma l7x. Eliminated are various 
assumptions concerning WORKING and CLOCK. SAFE that 
are shown to be satisfied by virtue of other constraints. 
BR.LEMMA.l7: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A (V V.T: 
V. T E V. INPUTS 
SOlffiCE(V.T) E INPUTS(K) 
A VALUE(V.T) 
= INPUTIN.OF(QQ, SOURCE(V.T), START(SUB.INCR(T.SUB) , QQ») 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG (T. SUB , QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB), P» 
= APPLY(FUNCTION(K), V.INPUTS) 
prove BR.LEMMA.l7 [V.T ~ *V.T:l] 
using BR.LEMMA.l7X 
RE.BR.MAPPING.9 
RE.BR.~~PING.9 [P ~ QQ] 
RE.BR.MAPPING.9 [T.SUB ~ SUB.INCR(T.SUB)] 
RE.BR.MAPPING.9 [T.SUB ~ SUB.INCR(T.SUB), 
P ~ QQ] 
BR.Dl [II ~ OF(I, K)] 
BR.Dl [II ~ OF(I, K), 
P ~ QQ] 
BR.Dl [II ~ OF(I, K), 
T.SUB ~ SUB.INCR(T.SUB), 
P ~ QQ] 
BR.Dl [II ~ OF(I, K), 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.LEMMA.5 
BR.Al6 [CON ~ CONFIG(T.SUB, QQ), 
P ~ QQ] 
204 
/* If processors P and QQ are both safe for two consecutive subframes 
during whichQQ does not have an Execute scheduled (according 
to QQ's view of the configuration), then the Datafile in P 
for the results of QQ will remain unchanged. 
BR.LEMMA.18: formula 
P E SAFE(T.SUB) 
A QQ E SAFE(T.SUB) 
APE SAFE(SUB.INCR(T.SUB» 
A QQ E SAFE(SUB.INCR(T.SUB» 
A -,(3 ACTIV: 
SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K) 
A -'(3 ACTIV2: 
) 
SEQ. MEMBER (ACTIV2, 
SCHED(CONFIG(SUB.INCR(T.SUB) , QQ), SUB.INCR(T.SUB), 
QQ» 
A ACTION(ACTIV2) = EXECUTE() 
A TASK.ACTION(ACTIV2) = K) 
DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB), P» 
= DATAFILEIN.FOR.ON(P, K, QQ, START(T.SUB, P» 
prove BR.LEMMA.18 [ACTIV ~ *ACTIV:17, 
ACTIV2 ~ *ACTIV:2] 
using BR.A42 [T.REAL ~ START(T.SUB, P)] 
BR.A42 [T.REAL ~ START(SUB.INCR(T.SUB), P), 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.A42 [T.REAL 
~ RPLUS(INT.TO.REALTIME(BROADCAST.DELAY(», FINISH(T.SUB, QQ»] 
RE.BR.MAPPING.9 
RE.BR.MAPPING.9 [P ~ QQ] 
RE.BR.MAPPING.9 [T.SUB ~ SUB.INCR(T.SUB)] 
RE.BR.MAPPING.9 [P ~ QQ, 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.LEMMA.FOR.LES.TO.PROVE 
BR.LEM~L\.FOR.LES.TO.PROVE [T.SUB ~ SUB.INCR(T.SUB)] 
NAT.NONNEGATIVE [Y ~ OVERHEADO] 
NAT.NONNEGATIVE [Y ~ MIN.INTERVAL()] 
NAT.NONNEGATIVE [Y ~ BROADCAST.DELAY()] 
BR.A1.A 
BR.A1.C [P ~ QQ, 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.Al.E 
BR.Al.e [P .. QQ] 
REGRETABLE.EVIL [ACTIV2 ~ *ACTIV:l, 
ACTIV3 ~ *ACTIV:3] 
205 
/* For two times T.SUB and TI.SUB, during which processors 
P and QQ are (respectively) safe during an execution 
window, both processors will reach the same decision 
concerning the system configuration. 
BR.LE~~.19: formula 
P E SAFE(T.SUB) 
A QQ E SAFE(TI.SUB) 
A BEGIN(OF(I, K» S T.SUB 
A T.SUB < END(OF(I, K» 
A BEGIN(OF(I, K» S TI.SUB 
A TI.SUB < END(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*F~m.SIZE() 
) 
CONFIG(T.SUB, P) = CONFIG(TI.SUB, QQ) 
prove BR.LE~.19 
using BR.A36 [T2.SUB ~ TI.SUB] 
RE.BR.MAPPING.9 
RE.BR.MAPPING.9 [P ~ QQ, 
T.SUB ~ TI.SUB] 
CARD.2 [S ~ RESULT(GLOBAL.EXEC(), LAST(T.SUB, GLOBAL.EXEC(»), 
X ~ INPUTIN.OF(P, GLOBAL.EXEC(), START(T.SUB, P», 
Xl ~ INPUTIN.OF(QQ, GLOBAL.EXEC(), START(TI.SUB, QQ»] 
DATA.EQUALITY [V ~ INPUTIN.OF(P, GLOBAL.EXEC(), START(T.SUB, P», 
GE.CONFIG.FIELD 
VI ~ INPUTIN.OF(QQ, GLOBAL.EXEC(), START(TI.SUB, QQ», 
y ~ CONFIG.FIELD()] 
DATA.SIZE.IS.SEQ.LENGTH.2 [K ~ GLOBAL.EXEC(), 
T.REAL ~ START(T.SUB, P)] 
DATA.SIZE.IS.SEQ.LENGTH.2 [K ~ GLOBAL.EXEC(), 
P ~ QQ, 
T.REAL ~ START(TI.SUB, QQ)] 
206 
/* Two times within the same execution window will be within 
the same frame 
BR.LEMMA.21: formula 
BEGIN(OF(I, K» ~ T.SUB A T.SUB < END(OF(I, K» 
) 
FRAME(T.SUB) = FRA1ffi(BEGIN(OF(I, K») 
prove BR.LEMMA.21 
using BR.A18 
BR.A21 [T.SUB ~ BEGIN(OF(I, K», 
Tl.SUB ~ BEGIN(OF(I, K»] 
BR.A21 [T.SUB ~ SUB.DECR(END(OF(I, K»), 
Tl.SUB ~ SUB.DECR(END(OF(I, K»)] 
BR.A21 [T.SUB ~ BEGIN(OF(I, K», 
T1.SUB ~ T . SUB] 
207 
/* If two processors are safe for the execution window and 
and have Votes scheduled during the same frame on 
the same element of the same task, they will determine 
the same set of processors to be polled. This again, 
involves proving global consistency. This lemma proves 
only implication. Equivalence is stated in lemma 25 
and proved by referring two to this lemma. 
BR.LEMMA.22: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T1.SUB, QQ), T1.SUB, QQ» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Z 
A FRAME(T.SUB) = FRAME(Tl.SUB) 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
) 
(R E POLLBY.FOR(P, K, T.SUB) ) R E POLLBY.FOR(QQ, K, Tl.SUB» 
prove BR.LEMMA.22 
using BR.A9A [L ~ K, 
T1. SUB ~ T. SUB] 
BR.A9A [T.SUB ~ *T.SUB:l, 
ACTIV ~ *ACTIV:l, 
P ~ QQ, 
L ~ K] 
BR.LE~ruA.23 [T.SUB ~ Tl.SUB, 
Tl.SUB ~ *T.SUB:l, 
ACTIV ~ *ACTIV:l, 
Y ~ Z, 
ACTIV2 ~ ACTIV, 
P ~ QQ, 
QQ ~ R] 
BR.LE~illA.19 [T.SUB ~ *T.SUB:l, 
Tl.SUB ~ *T.SUB:l] 
BR.Dt [T.SUB ~ *T.SUB:l, 
P ~ QQ, 
II ~ OF(I, K)] 
BR.Dl [T.SUB ~ *T.SUB:l, 
II ~ OF (I, K)] 
BR.A16 [T.SUB ~ *T.SUB:l, 
ACTIV ~ *ACTIV:l, 
P ~ R, 
CON ~ CONFIG(*T.SUB:l, P)] 
208 
/* 
If, according to a processor P who has a Vote scheduled on 
task K, there is another processor QQ who has an Execute 
scheduled within the same frame, the Execute must precede 
the Vote. 
BR.LEMMA.23: formula 
P E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ.MEMBER(ACTIV2, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y 
A FRAME (T . SUB) = FRAME (T1. SUB) 
A SEQ.MEMBER(ACTIV, SCHED (CONFIG (T1. SUB, P), T1.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
T 1. SUB < T. SUB 
prove BR.LEMMA.23 
using BR.A13A [CON ~ CONFIG(Tl.SUB, P), 
T . SUB ~ T 1. SUB , 
P ~ QQ, 
QQ ~ P] 
BR.A12A [CON ~ CONFIG(T.SUB, P), 
ACTIV ~ ACTIV2, 
Tl.SUB ~ *Tl.SUB:l, 
ACTIV3 ~ *ACTIV2:1] 
BR.LEMMA.14 [QQ ~ P, 
T2.SUB ~ Tl.SUB] 
BR.A16 [ACT IV ~ ACTIV2, 
CON ~ CONFIG(T.SUB, P)] 
BR.A16 [CON ~ CONFIG(Tl.SUB, P), 
P ~ QQ, 
T. SUB ~ T1. SUB] 
209 
/* ... the IFF version of lemma 22. */ 
BR.LEMMA.25: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A SEQ. MEMBER (ACTIV2, SClffiD(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV2) = VOTE() 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y 
A SEQ.MEMBER(ACTIV, SCIffiD(CONFIG(Tl.SUB, QQ), Tl.SUB, QQ» 
A ACTlON(ACTIV) = VOTEO 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Z 
A FRAME(T. SUB) = FRAME(Tl. SUB) 
A START.FRAME(FRAME(T.SUB» = hFRAME.SIZEO 
) 
(R E POLLBY.FOR(P, K, T.SUB) = R E POLLBY.FOR(QQ, K, Tl.SUB» 
prove BR.LEMMA.25 
using BR.LEMMA.22 
BR.LEMMA.22 [P ... QQ, 
T. SUB ... T 1. SUB , 
T 1. SUB ... T. SUB , 
ACTIV .. ACTIV2, 
Z .. Y, 
Y .. Z, 
ACTIV2 .. ACTIV, 
QQ .. P] 
210 
/* 
From lemma 25 and the mapping of POLL.FOR.OF, 
we ~etermine that a processor safe for the execution 
window who has a vote scheduled will reach the global 
consensus as to the set of processors to be polled. 
BR.LEMMA.26: formula 
P E SAFE.FOR(OF(I, K)) 
A SEQ.MEMBER(ACTIV2, SClffiD(CONFIG(T.SUB, P), T.SUB, P)) 
A ACTION (ACTIV2) = VOTEO 
A TASK.ACTION(ACTIV2) = K 
A ELEM.ACTION(ACTIV2) = Y 
A 1 ~ Y 
A Y ~ RESULT.SIZE(K) 
A START.FRAME(FRAME(T.SUB)) = I*FRAME.SIZE() 
) 
(R E POLLBY.FOR(P, K, T.SUB) = R E POLL.FOR.OF(I, K)) 
211 
/* 
A processor safe for the execution window who has a Vote 
scheduled will have placed in INPUT the majority value 
of the ON.IN values. 
BR.LEMMA.27: formula 
QQ E SAFE.FOR(OF(I, K» 
" 1 5 Y 
" Y ~ RESULT.SIZE(K) 
A SEQ.ME~mER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
" ACTION(ACTIV) = VOTE()· 
" TASK.ACTION(ACTIV) = K 
" ELEM.ACTION(ACTIV) = Y 
" START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
) 
SEQ.ELEM(INPUTIN.OF(QQ, K, START(SUB.INCR(T.SUB) , QQ», Y) 
= MAJORITY(D.BAG.D4(K, I, QQ, Y» 
prove BR.LEMMA.27 
using BR.A9C [P ~ QQ] 
SETEQUALITY [S1 ~ D.BAG.D4(K, I, QQ, Y), 
S2 ~ D.BAG.A9C(QQ, K, T.SUB, Y), 
X ~ *X:2] 
SET.ABSTRACTION.A9C [P ~ QQ, 
D.P ~ *X:2] 
BR.AH'> [P ~ QQ, 
CON ~ CONFIG(T.SUB, QQ)] 
BR.D1 [II ~ OF(I, K), 
P ~ QQ] 
RE.BR.MAPPING.9 [P ~ QQ] 
BR.LE~ruA.26 [P ~ QQ, 
ACTIV2 ~ ACTIV, 
R ~ SOURCE(*X:2)] 
RP.D4A [P ~ SOURCE (*X: 2) , 
D.P ~ *X:2] 
BR.LE~ruA.28 [P ~ QQ] 
BR.LEMMA.15 [P ~ QQ, 
QQ ~ SOURCE(*X:2)] 
212 
/* If a safe processor decides that a Vote activity for K 
is scheduled, the task must be ON that frame, as 
determined during that subframe. 
BR.LEMMA.28: formula 
P E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.Sl~» = I*FRA1ffi.SIZE() 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A ELEM.ACTION(ACTIV) = Y 
A TASK.ACTION(ACTIV) = K 
) 
,NOT.ON.FRA1ffi(K, P, T.SUB) 
prove BR.LEMMA.28 
using BR.A13B [ACTIV2 ~ ACTIV, 
CON ~ CONFIG(T.SUB, P), 
T1 . SUB ~ T. SUB , 
QQ ~ P] 
BR.A22 [T1.SUB ~ *T.SUB:1, 
ACTIV ~ *ACTIV:1, 
QQ ~ P, 
P ~ *P: 1] 
BR.LEMMA.12 [T1.SUB ~ *T.SUB:1] 
BR.LEMMA.14 [QQ ~ P, 
T2.SUB ~ *T.SUB:1] 
BR.A16 [CON ~ CONFIG(T.SUB, P)] 
BR.A16 [T.SUB ~ *T.SUB:1, 
ACTIV ~ *ACTIV:1, 
p ~ *P: 1, 
CON ~ CONFIG(T.SUB, P)] 
213 
/* 
An extension of lemma 28, ... the task must be ON 
as determined at the beginning of the execution 
window. 
BR.LEMYA.29: formula 
P E SAFE.FOR(OF(I, K)) 
A START.FRAME(FRAME(T.SUB)) = I*FRAME.SIZE() 
A SEQ. MEMDER (ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P)) 
A ACTION(ACTIV) = VOTE() 
A ELEM.ACTION(ACTIV) = Y 
A TASK.ACTION(ACTIV) = K 
) 
~NOT.ON.F&~(K, P, BEGIN(OF(I, K))) 
prove BR.LEMMA.29 
using BR.A13B [ACTIV2 ~ ACTIV, 
CON ~ CONFIG(T.Sl~, P), 
Tl. SUB ~ T. SUB, 
QQ ~ P] 
BR.A22 [Tl.SUB ~ T.SUB:l, 
ACTIV ~ : 1, 
QQ ~ P, 
T.SUB ~ BEGIN(OF(I, K), 
P ~ : 1] 
BR.LEMMA.12 [Tl.SUB ~ T.SUB:l, 
T.SUB ~ :0] 
BR.LEMMA.14 [QQ ~ P, 
T2.SUB ~ T.SUB:I] 
BR.A16 [CON ~ CONFIG(T.SUB, P)] 
BR.A16 [T.SUB ~ :1, 
ACTIV ~ : 1, 
p ~ : 1, 
CON ~ CONFIG(T.SUB, P)] 
BR.LEMMA.I4 [QQ ~ P, 
T2.SUB ~ BEGIN(OF(I, K»] 
BR.AI8 
BR.LEMA~.I2 [TI.SUB ~ BEGIN(OF(I, K»] 
BR.LEMMA.I2 [T.SUB ~ *T.SUB:1, 
TI.SUB ~ BEGIN(OF(I, K»] 
214 
/* 
If a task is ON, as determined by a safe processor P at the 
beginning of the execution window, then there exists, 
according to P, a Vote activity scheduled within that 
frame. Thus, a safe processor will vote on all tasks 
it views to be in the configuration. 
BR.LEMMA.30: formula 
~NOT.ON.FRAME(K, P, BEGIN(OF(I, K») 
" 1 5 y 
" y 5 RESULT.SIZE(K) 
" P E SAFE.FOR(OF(I, K» 
) 
(3 T.SUB, ACTIV: 
START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
" SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
" ACTION(ACTIV) = VOTE() 
" ELEM.ACTION(ACTIV) = Y 
" TASK.ACTION(ACTIV) = K) 
prove BR.LEMMA.30 [ACTIV .. *ACTIV2:2, 
T.SUB .. *Tl.SUB:2] 
using BR.A22 [T.SUB .. BEGIN(OF(I, K», 
Tl.SUB .. @:D, 
P .. @:D, 
ACTIV .. @:D, 
QQ .. P] 
BR.A13A [CON .. CONFIG(BEGIN(OF(I, K», P), 
T.SUB .. *Tl.SUB:l, 
P .. *P:l, 
QQ .. P, 
ACTIV .. *ACTIV:l] 
BR.A16 [CON .. CONFIG(BEGIN(OF(I, K», P), 
T.SUB .. *Tl.SUB:2, 
ACTIV .. *ACTIV2:2] 
BR.A18 
BR.AIO [CON .. CONFIG(BEGIN(OF(I, K», P), 
T.SUB .. *Tl.SUB:l, 
P .. *P:l, 
ACTIV .. *ACTIV:l] 
BR.A19.1 
BR.LEMMA.14 [T.SUB .. BEGIN(OF(I, K», 
QQ .. P, 
T2.SUB .. *Tl.SUB:l] 
BR.LEMMA.14 [T.SUB .. *Tl.SUB:l, 
QQ .. P, 
T2.SUB .. *Tl.SUB:2] 
215 
/* 
For a safe processor QQ and task K which QQ determines 
at the beginning of the execution window is in the configuration, 
The IN value will be the majority of ON.IN values. Thus 
the Vote activity satisfies the 'voted input' criterion 
of the Replication specification. 
BR.LEMMA.31: formula 
QQ E SAFE.FOR(OF(I, K)) 
" 1 ~ Y 
" Y ~ RESULT.SIZE(K) 
" -,NOT.ON.FRAME(K, QQ, REGIN(OF(I, K))) 
) 
SEQ.ELEM(IN(K, I, QQ), Y) = MAJORITY(D.BAG.D4(K, I, QQ, Y)) 
prove BR.LEMMA.31 
using BR.LEMMA.30 [P ~ QQ] 
BR . LEMMA. 27 [ACTIV ~ *ACTIV: 1 , 
T.SUB ~ *T.SUB:1] 
BR.RE.MAPPING.7 [P ~ QQ, 
T.SUB ~ *T.SUB:1, 
D1 ~ SEQ.ELEM(INPUTIN.OF(QQ, K, 
Y) , 
ACTIV ~ *ACTIV:1] 
216 
START(SUB.INCR(*T.SUB:1) , QQ)), 
/* 
If a safe processor determines at the beginning of the 
execution window that a task is not ON, then there 
will be a DU1DfY VOTE scheduled sometime within the frame. 
BR.LEMMA.32: formula 
QQ E SAFE.FOR(OF(I, K» 
" 1 ~ Y 
" Y ~ RESULT.SIZE(K) 
" NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») 
) 
(3 Tl.SUB, ACTIV2: 
START.FRAME(FRAME(Tl.SUB» = I*F~ffi.SIZE() 
" SEQ.MEMBER(ACTIV2, SCHED(CONFIG(BEGIN(OF(I, K», QQ), Tl.SUB, QQ» 
" TASK.ACTION(ACTIV2) = K 
" ACTION(ACTIV2) = DU1DfY.VOTE(» 
prove BR.LEMMA.32 [Tl.SUB ~ *T.SUB:4, 
ACTIV2 ~ *ACTIV:4] 
using BR.A22 [T.SUB ~ BEGIN(OF(I, K», 
Tl.SUB ~ *T.SUB:2, 
P ~ *P:2, 
ACTIV ~ *ACTIV:2] 
BR.A138 [Tl.SUB ~ *T.SUB:4, 
ACTIV2 ~ *ACTIV:4, 
y ~ *Y:4, 
CON ~ CONFIG(BEGIN(OF(I, K», QQ)] 
BR.Al8 
BR.A12C [P ~ QQ, 
CON ~ CONFIG(BEGIN(OF(I, K», QQ)] 
BR.LE~ruA.12 [T.SUB ~ *T.SUB:2, 
Tl.SUB ~ BEGIN(OF(I, K»] 
217 
/* 
The counterpart to Lemma 31 -- this is the case where the 
task K is determined to be NOT.ON during the frame. 
This lemma, together will Lemma 31 proves RP.D4 of 
the Replication specification. 
BR.LEMMA.33: formula 
QQ E SAFE.FOR(OF(I, K)) 
" 1 ~ Y 
" Y ~ RESULT.SIZE(K) 
A NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K))) 
) 
SEQ.ELEM(IN(K, I, QQ), Y) = MAJORITY(D.BAG.D4(K, I, QQ, Y)) 
prove BR.LEMMA.33 
using BR.LE~ruA.35 
MAJ.2 [M.BAG ~ D.BAG.D4(K, I, QQ, Y), 
T2.V ~ Dl :3] 
BOTTOM. EQUALITY 
DATA. BOTTOM 
BR.LEMMA.36 
218 
/* 
If a safe processor QQ determines at the beginning 
of the execution window that K is NOT.ON, then 
the global POLL.FOR.OF set will be empty. 
BR.LEMMA.34: formula 
/* 
QQ E SAFE.FOR(OF(I, K» A NOT. ON. FRAME(K , QQ, BEGIN(OF(I, K») 
) 
(V P: ~(P E POLL.FOR.OF(I, K») 
Proof Outline: From AC, apply Forward Br.a22. Then use conclusion 
to satisfy Antecendent of Al3b. Obtain negation of Backward consequent 
of Mapping.4 by: using backward antecent of Mapping.4, 
prove al6 (employing also lemma.l2), 
and lemma.l9 (employing also al9.l, rp.dl and al8) , 
resulting in negation of backward antecedent of 
mapping.4 
prove BR.LEMMA.34 
using BR.A22 [T.SUB ~ BEGIN(OF(I, K», 
Tl.SUB ~ *T.SUB:2, 
P .. *P:2, 
ACTIV ~ *ACTIV:2] 
BR.Al3B [Tl.SUB .. *T.SUB:4, 
ACTIV2 .. *ACTIV:4, 
Y .. *Y:4, 
QQ ~ *P:4, 
CON ~ CONFIG(BEGIN(OF(I, K», QQ)] 
BR.Al8 
BR.RE.MAPPING.4 [QQ .. P, 
ACTIV .. @:D, 
Y .. @:D, 
T.SUB .. @:D] 
BR.Al6 [T.SUB .. *T.SUB:4, 
ACTIV .. *ACTIV:4, 
P .. *P:4, 
CON .. CONFIG(*T.SUB:4, *P:4)] 
BR.Dl [II ~ OF(I, K), 
T.SUB .. *T.SUB:4, 
P .. *P:4] 
BR.Dl [II .. OF(I, K), 
T.SUB .. BEGIN(OF(I, K», 
P .. QQ] 
BR.LEMMA.l9 [P .. QQ, 
, T.SUB ~ BEGIN(OF(I, K», 
QQ .. *P:4, 
Tl.SUB .. *T.SUB:4] 
BR.Al9.l 
BR.LEMMA.l2 [T.SUB .. *T.SUB:2, 
Tl.SUB .. BEGIN(OF(I, K»] 
219 
/* 
... and furthermore, the cardinality of the set of ON.IN 
values for processors in the poll set will therefore be o. 
BR.LEMMA.35: formula 
QQ E SAFE.FOR(OF(I, K» A NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») 
) 
o = CARD(D.BAG.D4{K, I, QQ, Y» 
prove BR.LEMMA.35 
using BR.LEMMA.34 [P ~ *P:2] 
RP.D4A [D.P ~ *X:4, 
P ~ @:D] 
CARD.6 [S ~ D.BAG.D4{K, I, QQ, Y)] 
CARD.4 [S ~ D.BAG.D4(K, I, QQ, Y)] 
220 
/* More about the case when the task is determined to 
be NOT.ON ... the IN value of the Replication level 
will be the bottom value -- according to the definition 
of majority and the formation of the ON.IN bag. 
BR.LEMMA.36: formula 
/* 
QQ E SAFE.FOR(OF(I, K» 
A 1 ~ Y 
A Y ~ RESULT.SIZE(K) 
A NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») 
) 
IN(K, I, QQ) = BOTTOM1(K) 
Use antecedent of conclusion to satisfy antecedent 
of Lemma.32. Using conclusion of lemma.32, lemma.14 
(requiring a16, a19.l, lemma.12(requiring a18», 
and re.br.mapping.7 (requiring 
br.dl) to satisfy the antecent of a6b. Use conclusion of 
a6b, together with lemma.14, to satify the antecent of 
mapping.8 to conclude consequent of conclusion. 
prove BR.LEMMA.36 
using BR.LEMMA.32 
BR.A6B [P .. QQ, 
T.SUB .. *T1.SUB:l, 
ACTIV .. *ACTIV2:l] 
BR.LEMMA.14 [T.SUB .. *Tl.SUB:l, 
T2.SUB .. BEGIN(OF(I, K»] 
BR.Dl [II .. OF(I, K), 
P .. QQ, 
T.SUB .. *Tl.SUB:l] 
RE.BR.~~PING.9 [P .. QQ, 
T.SUB .. *Tl.SUB:l] 
BR.A16 [T.SUB .. *Tl.SUB:l, 
P .. QQ, 
CON .. CONFIG(BEGIN(OF(I, K», QQ), 
ACTIV .. *ACTIV2:l] 
BR.A19.l 
BR.RE.MAPPING.8 [T.SUB .. *Tl.SUB:l, 
ACTIV .. *ACTIV2:l, 
V .. BOTTOMl(K), 
P .. QQ] 
BR.A18 
BR.LEMMA.12 [T.SUB .. BEGIN(OF(I, K», 
Tl.SUB .. *Tl.SUB:l] 
221 
/* If a processor is in the global poll set for I of K, and is safe 
for the execution window, then there exists an 
Execute activity sometime within that frame for K. 
BR. LEMMA. 37: formula 
P E POLL.FOR.OF(I, K) APE SAFE.FOR(OF(I, K» 
) 
(3 T.SUB, ACTIV: 
START.FRAME(FRAA~(T.SUB» = I*FRAAffi.SIZE() 
A SEQ. MEMBER (ACTIV , SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = EXE(~TE() 
A TASK.ACTION(ACTIV) = K) 
prove BR.LEM~~.37 [T.SUB ~ *T.Slffi:2, 
ACTIV ~ *ACTIV:2] 
using BR.RE.MAPPING.4 [QQ ~ P, 
BR.A9A [R ~ P, 
P ~ *P:I, 
L ~ K, 
Y ~ @:D] 
Tl.SUB ~ *T.SUB:l] 
BR.DI [II ~ OF(I, K), 
T.SUB ~ *T.SUB:2] 
BR.Dl [II ~ OF(I, K), 
T.SUB ~ *T.SUB:2, 
P ~ *P:l] 
BR.LEM~~.l9 [QQ ~ *P:I, 
Tl.SUB ~ *T.SUB:2, 
T.SUB ~ *T.SUB:2] 
BR.Al6 [T.SUB ~ *T.SUB:2, 
CON ~ CONFIG(*T.SUB:2, *P:I), 
ACTIV ~ *ACTIV:2] 
BR.Al6 [T.SUB ~ *T.SUB:l, 
P ~ *P:l, 
ACTIV ~ *ACTIV:l, 
CON ~ CONFIG(*T.SUB:l, *P:l)] 
BR.LEMMA.l2 [T.SUB ~ *T.SUB:I, 
Tl.SUB ~ *T.SUB:2] 
222 
/* 
If a safe processor has a Dummy Vote scheduled and determines 
that the task is NOT.ON, then the INPUT value is the 
majority value. This extends lemma 36. 
BR.LEMMA.38: formula 
QQ E SAFE.FOR(OF(I, K» 
" SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
" ACTION(ACTIV) = DUMMY.VOTE() 
" 1 $ Y 
" Y $ RESULT.SIZE(K) 
" TASK.ACTION(ACTIV) = K 
" NOT.ON.FRAME(K, QQ, BEGIN(OF(I, K») 
" START.FRAME(FRAME(T.SUB» = I*F~\ffi.SIZE() 
) 
SEQ.ELEM(INPUTIN.OF(QQ, K, START(SUB.INCR(T.SUB), QQ», Y) 
= MAJORITY(D.BAG.D4(K, I, QQ, Y» 
prove BR.LEMMA.38 
using BR.ABB [P ~ QQ] 
BR.D1 [II ~ OF(I, K), 
P ~ QQ] 
RE.BR.MAPPING.9 [P ~ QQ] 
BR.A19.1 
BR.RE.MAPPING.8 [V ~ BOTTOM1(K), 
P ~ QQ] 
BR.LEMMA.35 
MAJ.2 [M.BAG ~ D.BAG.D4(K, I, QQ, Y), 
T2.V ~ D1:8] 
BOTTOM. EQUALITY 
BR.A16 [CON ~ CONFIG(T.SL~, QQ), 
P ~ QQ] 
DATA. BOTTOM 
BR.A16 [P ~ QQ, 
CON ~ CONFIG(BEGIN(OF(I, K», QQ)] 
BR.LE~iA.14 [T2.SUB ~ BEGIN(OF(I, K»] 
BR.A18 
BR.LE~iA.12 [T.SUB ~ BEGIN(OF(I, K», 
T1. SUB ~ T. SUB] 
223 
/* 
If a safe processor QQ is scheduled to Execute task K 
and one of its input tasks L is NOT.ON, the value 
in INPUT.IN at the beginning of the subframe after the Execute 
will be the correct IN value. Note that because of the way 
the Execute is defined at this level, we want to use the input 
values present after the Execute. This allows a Vote and subsequent 
Execute within the same subframe. 
BR.LEMMA.39: formula 
QQ E SAFE.FOR(DW.OF(I, K» 
A SEQ.~ffiMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A 1 ~ Y 
A Y 5 RESULT.SIZE(L) 
A START.FR~(F~(T.SUB» = I*F~.SIZE() 
ALE INPUTS(K) 
A NOT.ON.FRAME(L, QQ, BEGIN(OF(TO.OF(L, I, K), L») 
) 
SEQ.ELEM(INPUTIN.OF(QQ, L, START(SUB.INCR(T.SUB), QQ», Y) 
= SEQ.ELEM(IN(L, TO.OF(L, I, K), QQ), Y) 
prove BR.LEMMA.39 
using BR.LEMMA.32 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.LEMMA.14 [K ~ L, 
I ~ TO.OF(L, I, K), 
T.SUB ~ BEGIN(OF(TO.OF(L, I, K), L», 
T2.SUB ~ *Tl.SUB:l] 
BR.A18 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.A19.1 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.LEMMA.12 [T.SUB ~ BEGIN(OF(TO.OF(L, I, K), L», 
Tl.SUB ~ *Tl.SUB:l] 
BR.A16 [T.SUB ~ *Tl.SUB:l, 
CON ~ CONFIG(BEGIN(OF(TO.OF(L, I, K), L», QQ), 
ACTIV ~ *ACTIV2:1, 
K ~ L, 
I ~ TO.OF(L, I, K), 
P ~ QQ] 
BR.LEMMA.38 [ACTIV ~ *ACTIV2:1, 
T.SUB ~ *Tl.SUB:l, 
K ~ L, 
I ~ TO.OF(L, I, K)] 
BR.LEMMA.33 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.LE~WA.6 [Tl.SUB ~ *Tl.SUB:l, 
ACTIV2 ~ *ACTIV2:1, 
Dl ~ SEQ.ELEM(IN(L, TO.OF(L, I, K), QQ), Y)] 
RP.L7 [P ~ QQ] 
SCHED.LEMMA.l 
224 
SCHED.LEMMA.l: formula 
QQ E SAFE.FOR(DW.OF(I, K)) ALE INPUTS(K) 
) 
QQ E SAFE.FOR(DW.FOR.TO.OF(L, I, K)) 
prove SCIlED.LEMMA.l 
using RP.DlO [II ~ DW.OF(I, K), 
P ~ QQ, 
T ~ *T:2] 
RP.DlO [II ~ DW.FOR.TO.OF(L, I, K), 
P ~ QQ, 
RP.D3.l 
RP.D3.3 
RP.D2.2 
T ~ @:D] 
225 
/* The parallel argument to Lemma 39, this time where input 
task L is ON during the frame. 
BR.LEMMA.40: formula 
QQ E SAFE.FOR(DW.OF(I, K» 
A SEQ.MEMBER(ACTIV, SCHEO(CONFIG(T.SUB, QQ), r.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A 1 S Y 
A Y S RESULT.SIZE(L) 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
ALE INPUTS(K) 
A ~NOT.ON.FRA1ffi(L, QQ, BEGIN(OF(TO.OF(L, I, K), L») 
) 
SEQ.ELEM(INPUTIN.OF(QQ, L, START(SUB.INCR(T.SUB) , QQ», Y) 
= SEQ.ELEM(IN(L, TO.OF(L, I, K), QQ), Y) 
prove BR.LEMMA.40 
using BR.LEMMA.30 [I .. TO.OF(L, I, K), 
K .. L, 
P .. QQ] 
BR.A18 [I .. TO.OF(L, I, K), 
K .. L] 
BR.LEMMA.27 [ACTIV .. *ACTIV:l, 
T.SUB .. *T.SUB:l, 
K .. L, 
I .. TO.OF(L, I, K)] 
BR.LEMMA.31 [I .. TO.OF(L, I, K), 
K .. L] 
BR.LE~MA.6 [Tl.SUB .. *T.SUB:l, 
ACTIV2 .. *ACTIV:l, 
01 .. SEQ.ELEM(IN(L, TO.OF(L, I, K), QQ), Y)] 
RP.L7 [P .. QQ] 
SCHEO.LEMMA.l 
226 
/* Lemma 40 states that each element Y in the INPUT will be 
map to the IN value of the Replication specification. 
Here we state that the aggregate INPUT will thus also map. 
BR.LEMMA.4I: formula 
QQ E SAFE.FOR(DW.OF(I, K» 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECVTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
ALE INPUTS(K) 
) 
INPUTIN.OF(QQ, L, START(SUB.INCR(T.SUB), QQ» 
= IN(L, TO.OF(L, I, K), QQ) 
prove BR.LEMMA.4I 
using DATA.SIZE.IS.SEQ.LENGTH [K ~ L, 
I ~ TO.OF(L, I, K)] 
DATA.SIZE.IS.SEQ.LENGTH.2 [P ~ QQ, 
K ~ L, 
T.REAL ~ START(SUB.INCR(T.SUB), QQ)] 
DATA.EQUALITY [V ~ INPUTIN.OF(QQ, L, START(SUB.INCR(T.SUB), QQ», 
VI ~ IN(L, TO.OF(L, I, K), QQ), 
Y ~ @:D] 
BR.LEMMA.40 [Y ~ *Y:3] 
BR.LEMMA.39 [Y ~ *Y:3] 
227 
/* 
Continuing, having established that the correct input values 
will be present at the time of an execute, we now state that 
the DATAFILE just after execution in every safe processor will 
have the correct mathematical function performed on the 
specified inputs. 
BR. LEMMA. 42: formula 
P E SAFE.FOR(OF(I, K)) 
A QQ E SAFE.FOR(DW.OF(I, K)) 
A SEQ. MEMBER (ACTIV, SCllliD(CONFIG(T.SUB, QQ), T.SUB, QQ)) 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB)) = hFRAME.SIZEO 
) 
DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB) , P)) 
= APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ)) 
prove BR.LEMMA.42 
using RP.A3A [P .. QQ, 
V.T .. *V.T:3] 
BR.LEMMA.41 [L .. SOURCE(*V.T:3)] 
BR.LEMMA.17 [V. INPUTS .. V.INPUTS.A3(K, I, QQ)] 
BR.A16 [CON .. CONFIG(T.SUB, QQ), 
P .. QQ] 
RP.L3 [P .. QQ] 
BR.LEMMA.3 [P .. QQ] 
BR.LEMMA.3 
228 
and therefore the ON.IN value present in every processor 
will thus reflect this correctly computed value. 
BR.LEMMA.43: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(DW.OF(I, K» 
A I ~ Y 
A Y ~ RESULT.SIZE(K) 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.Slm» = I*FRAME.SIZE() 
) 
SEQ.ELEM(ON.IN(K, I, QQ, P), Y) 
= SEQ. ELEM(APPLY (FUNCTION (K), V.INPUTS.A3(K, I, QQ», Y) 
prove BR.LEMMA.43 
using BR.LEM~~.42 
BR.AI6 [CON ~ CONFIG(T.SUB, QQ), 
P .. QQ] 
RP.L3 [P ~ QQ] 
BR.LEM~~.3 [P ~ QQ] 
BR.LEMMA.3 
BR.AI3A [CON ~ CONFIG(T.SUB, QQ), 
p ~ QQ, 
QQ ~ P] 
BR.LEMMA.19 [P ~ QQ, 
QQ ~ P, 
TI.SUB .. *TI.SUB:6] 
BR.AI6 [CON ~ CONFIG(T.Slm, QQ), 
T.SUB ~ *TI.SUB:6, 
ACTIV ~ *ACTIV2:6] 
BR.DI [T.SUB ~ *TI.SUB:6, 
II .. OF(I, K)] 
BR.DI [II ~ OF(I, K), 
P .. QQ] 
BR.LE~WA.2 [TI.SUB .. *TI.SUB:6, 
ACTIV2 ~ *ACTIV2:6, 
V ~ APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ»] 
DATA. SIZE. IS.SEQ.LENGTH.3 
DATA.SIZE.IS.SEQ.LENGTH.2 [T.REAL ~ START(*TI.SUB:6, P)] 
DATA.EQUALITY [V ~ DATAFILEIN.FOR.ON(P, K, QQ, START(*Tl.SUB:6, P», 
VI ~ APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ»] 
BR.LEMMA.15 [ACTIV ~ *ACTIV2:6, 
T.SUB ~ *Tl.SUB:6] 
BR.LE~.28 [ACTIV .. *ACTIV2:6, 
T.SUB ~ *Tl.SUB:6] 
BR.LEMMA.12 [TI.SUB ~ *Tl.SUB:6] 
229 
and therefore the correct answer will be in the set of 
ON values, given the mapping of ON.IN to ON values. 
BR.LEMMA.44: formula 
QQ E SAFE.FOR(DW.OF(I, K» 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
. A TASK. ACTION (ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
) 
APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ» E ON(K, I, QQ) 
prove BR.LEMMA.44 
using BR.A22 [Tl.SUB ~ T.SUB, 
T.SUB ~ BEGIN(OF(I, K», 
P ~ QQ, 
QQ ~ QQ] 
BR.LEMMA.19 [P ~ QQ, 
Tl.SUB ~ BEGIN(OF(I, K», 
QQ ~ QQ] 
BR.A16 [P ~ QQ, 
CON ~ CONFIG(T.SUB, QQ)] 
BR.Dl [II ~ OF(I, K), 
P ~ QQ] 
RP.L3 [P ~ QQ] 
BR.A19.1 
BR.Dl [II ~ OF(I, K), 
P ~ QQ, 
T.SUB ~ BEGIN(OF(I, K»] 
BR.RE.MAPPING.5 [P ~ QQ, 
QQ ~ QQ, 
Y ~ @:D, 
V ~ APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ»] 
BR.LEMMA.43 [Y ~ *Y:8, 
P ~ QQ] 
BR.A18 
BR.LEMMA.12 [Tl.SUB ~ BEGIN(OF(I, K»] 
230 
/* Finally, ... the ON set will contain only the correct value. 
Citing this and lemma 37 leads to the proof of RP.A3 -- the 
main Execute axiom of the Replication specification. 
BR.LEMMA.45: formula 
QQ E SAFE.FOR(DW.OF(I, K» 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
) 
SINGLETON(ON(K, I, QQ), APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ») 
prove BR.LE~illA.45 
using BR.LEMMA.44 
CARD.3 [V.CARD.3 ~ APPLY(FUNCTION(K), V.INPUTS.A3(K, I, QQ», 
S ~ ON(K, I, QQ)] 
BR.RE.MAPPING.5 [V ~ *X:2, 
Y ~ *Y:5, 
P ~ QQ] 
BR.LEMMA.43 [P ~ *QQ:3, 
Y ~ *Y:5] 
DATA. EQUALITY [V ~ *X:2, 
Y ~ @:D, 
VI ~ @V.CARD.3:2] 
LENGTH.OF.ELEMENTS.OF.ON.IS.LENGTH.OF.ON.IN [V ~ *X:2] 
DATA. SIZE. IS.SEQ.LENGTH.3 
BR.A22 [TI.SUB ~ T.SUB, 
T.SUB ~ BEGIN(OF(I, K», 
QQ ~ *QQ:3, 
P ~ QQ] 
BR.LE~~~.I2 [TI.SUB ~ BEGIN(OF(I, K»] 
BR.LEMMA.I9 [TI.SUB ~ BEGIN(OF(I, K», 
P ~ QQ, 
QQ ~ *QQ:3] 
BR.DI [II ~ OF(I, K), 
P ~ QQ] 
BR.DI [II ~ OF(I, K), 
T.SUB ~ BEGIN(OF(I, K», 
P ~ *QQ:3] 
RP.L3 [P ~ QQ] 
BR.AI9.I 
BR.AI6 [P ~ QQ, 
CON ~ CONFIG(T.SUB, QQ)] 
BR.AI8 
231 
/* The remaining lemmas are used to prove lemma 7. */ 
/* 
An input task executes either during the same frame as 
its input task or during the previous frame. The iteration 
numbers are thus off by at most one. 
BR.LEMMA.46: formula 
L E INPUTS(K) ) TO.OF(L, I, K) = I V TO.OF(L, I, K)+l = I 
prove BR.LEMMA.46 
using BR.A18 
BR.A18 [K ... L, 
I ... INCR(TO.OF(L, I, K))] 
BR.LEM~~.52 [T.SUB ... BEGIN(OF(I, K)), 
Tl.SUB ... SUB.DECR(END(OF(INCR(TO.OF(L, I, K)), L))), 
J ... INCR(TO.OF(L, I, K))] 
BR.LEMMA.52 [I ... INCR(TO.OF(L, I, K)), 
J ... TO.OF(L, I, K), 
T.SUB ... SUB.DECR(END(OF(INCR(TO.OF(L, I, K)), L))), 
Tl.SUB ... SUB.DECR(END(OF(TO.OF(L, I, K), L)))] 
BR.A18 [K .. L, 
I .. TO.OF(L, I, K)] 
BR.LEMMA.52 [Tl.SUB .. BEGIN(OF(I, K)), 
BR.A40 
T.SUB ... SUB.DECR(END(OF(TO.OF(L, I, K), L))), 
I .. TO.OF(L, I, K), 
J .. I] 
232 
/* 
If an input task L executes within the previous frame, 
then the next iteration of L can't end until after the 
beginning of K -- this establishes that the TO.OF function 
picks up the value present in the state. 
BR.LEMMA.47: formula 
L E INPUTS(K) A INCR(TO.OF(L, I, K» = I 
) 
BEGIN(OF(I, K» < END(OF(I, L» 
prove BR.LEMMA.47 
using BR.A40 
BR.AI8 
BR.AI8 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.A27 
TIMES.AXIOM.I [INTI ~ I, 
INT2 ~ TO.OF(L, I, K), 
INT3 ~ FRAME. SIZE 0 ] 
233 
var CONI: CONFIGS 
/* 
Draw a picture ... Consider an Execute for the 
i-th iteration of task K and a Vote 
for the corresponding input task L. Let there be another 
Vote on L scheduled after the first vote 
and before the Execute. We state that either the second Vote 
is outside the execution window and in the same frame as the 
Execute on K, or there is in fact only one Vote. This involves 
a case split on whether the corresponding Vote on L is in the 
same frame as the Execute of K or in the previous frame. 
BR.LEMMA.48: axiom 
P E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
" L E INPUTS(K) 
" START.FRAME(FRAME(T.SUB» = hFRAME.SIZEO 
" SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
" ACTION(ACTIV) = EXECUTE() 
" TASK.ACTION(ACTIV) = K 
" START.FRAME(FRAME(TI.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
" SEQ.MEMBER(ACTIV2, SCHED(CONFIG(TI.SUB, P), Tl.SUB, P» 
" «ACTION(ACTIV2) = VOTE() " ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUM~W.VOTE(» 
" TASK.ACTION(ACTIV2) = L 
" FRAME (T . SUB) = FRAME (T2. SUB) 
" T2.SUB > TI.SUB 
" T2.SUB ~ T.SUB 
" TASK.ACTION(ACTIV3) = L 
" «ACTION(ACTIV3) = VOTE() " ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = DUMMY.VOTE(» 
" SEQ.MEMBER(ACTIV3, SClffiD(CONFIG(T2.SUB, P), T2.SUB, P» 
) 
(BEGIN(OF(I, K» ~ T2.strn " T2.SUB ~ T.SUB " T.SUB < END(OF(I, K») 
V (BEGIN(OF(I, L» ~ T2.SUB 
" T2.SUB < BEGIN(OF(I, K) 
" BEGIN(OF(I, K» < END(OF(I, L») 
234 
prove BR.LEMMA.48 
using BR.LEMMA.47 
BR.LEMMA.46 
BR.A40 
BR.A16 [CON ~ CONFIG(T.SUB, P)] 
BR.A16 [T.Slm ~ T2.SUB, 
ACTIV ~ ACTIV3, 
CON ~ CONFIG(T2.SUB, P), 
K ~ L] 
BR.LEMMA.19 [QQ ~ P, 
T.SUB ~ T1.SUB, • 
I ~ TO.OF(L, I, K), 
Tl.SUB ~ T2.SUB, 
K ~ L] 
BR.A16 [T.SUB ~ Tl.SUB, 
K ~ L, 
CON ~ CONFIG(Tl.SUB, P), 
ACTIV ~ ACTIV2, 
I ~ TO.OF(L, I, K)] 
BR.LEMMA.21 [T.SUB ~ T2.SUB, 
K ~ L, 
I ~ TO.OF(L, I, K)] 
BR.A19.1 [K ~ L, 
I ~ TO.OF(L, I, K)] 
BR.A12A [T.SUB ~ T1.SUB, 
BR.A18 
CON ~ CONFIG(T1.SUB, P), 
K ~ L, 
ACTIV ~ ACTIV2, 
T1 . SUB ~ T2. SUB] 
BR.A18 [I ~ TO.OF(L, I, K), 
K ~ L] 
BR.LEMMA.12 [T.SUB .. BEGIN(OF(I, K», 
T1.SUB .. BEGIN(OF(TO.OF(L, I, K), L»] 
BR. LEMMA. 21 [T. SUB .. Tl. SUB, 
I ~ TO.OF(L, I, K), 
K ~ L] 
BR.LEMMA.21 [T.SUB ~ T2.SUB, 
BR.A28 
BR.A29 
I ~ TO.OFeL, I, K), 
K .. L] 
BR.D1 [T.SUB ~ T1.SUB, 
II .. DW.FOR.TO.OF(L, I, K)] 
BR.D1 [T.SUB ~ T2.SUB, 
II .. DW.FOR.TO.OF(L, I, K)] 
235 
/* 
In the situation described in the previous lemma, the 
configuration at the time of the Vote will be the same 
as at the time of the Execute, even though the Vote 
and Execute may be in different frames. This follows 
because of schedule constaints, lemma 48, and misc. 
BR.LEMMA.49: axiom 
P E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
" L E INPUTS(K) 
" START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
" SEQ. MEMBER (ACTIV, SCHED(CONFIG{T.SUB, P), T.SUB, P» 
" ACTION(ACTIV) = EXECUTE() 
" TASK.ACTION(ACTIV) = K 
" START . FRAME (FRAME (T1. SUB» = TO. OF(L, I, K)*FRAME. SIZEO 
" SEQ.MEMBER(ACTIV2, SCHED(CONFIG(Tl.SUB, P), Tl.SUB, P» 
" «ACTION(ACTIV2) = VOTE() "ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUM~IT.VOTE{» 
" TASK.ACTION{ACTIV2) = L 
" FRAME(T.SUB) = FRAME(T2.SUB) 
" T2.SUB > Tl.SUB 
" T2.SUB ~ T.SUB 
" TASK.ACTION(ACTIV3) = L 
" «ACTION(ACTIV3) = VOTE() " ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = D~~.VOTE(» 
" SEQ.MEMBER(ACTIV3, SCHED(CONFIG(T2.SUB, P), T2.SUB, P» 
) 
CONFIG(T.SUB, P) = CONFIG(T2.SUB, P) 
prove BR.LEMMA.49 
using BR.LEMMA.l9 [QQ ~ P, 
Tl.SUB ~ BEGIN(OF(I, K»] 
BR.LEMMA.l9 [QQ ~ P, 
Tl.SUB ~ T2.SUB] 
BR.LEMMA.l9 [QQ ~ P, 
K ~ L, 
T.SUB ~ T2.SUB, 
Tl.SUB ~ BEGIN{OF(I, K»] 
BR.LEMMA.48 
BR.A40 
BR.Al9.2 
BR.A28 
BR.A29 
BR.Al6 [CON ~ CONFIG(T.SUB, P)] 
BR.Al6 [K ~ L, 
T . SUB ~ T 1. SUB , 
ACTIV .. ACTIV2, 
I ~ TO.OF(L, I, K), 
CON ~ CONFIG(Tl.Su~, P)] 
BR.Al9.l 
BR.Dl [II ~ DW.FOR.TO.OF{L, I, K)] 
BR.Dl [II .. DW.FOR.TO.OF(L, I, K), 
T.SUB ~ T2.SUB] 
BR.Dl [II ~ DW.FOR.TO.OF(L, I, K), 
T.SUB ~ BEGIN{OF{I, K»] 
BR.Al9.l [K ~ L, 
I .. TO.OF(L, I, K)] 
236 
/* 
Furthermore, the configuration at the time of the 
possible two Votes will be the same. 
BR.LEMMA.50: axiom 
P E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
1\ L E INPUTS(K) 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ.~ffiMBER(ACTIV, SClffiD(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(Tl.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A SEQ.~MBER(ACTIV2, SCHED(CONFIG(Tl.SUB, P), TI.SUB, P» 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUMMY.VOTE(» 
A TASK.ACTION(ACTIV2) = L 
A FR~(T1.SUB) = FRAME(T2.SUB) 
A T2.SUB > Tl.SUB 
A T2.SUB 5 T.SUB 
A TASK.ACTION(ACTIV3) = L 
A «ACTION(ACTIV3) = VOTEO A ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = DUMMY.VOTE(» 
A SEQ.~MBER(ACTIV3, SCHED(CONFIG(T2.SUB, P), T2.SUB, P» 
) 
CONFIG(TI.SUB, P) = CONFIG(T2.SUB, P) 
prove BR.LEMMA.50 
using BR.Alfi [CON ~ CONFIG(T.SUB, P)] 
BR.Alfi [K ~ L, 
I ~ TO.OF(L, I, K), 
T. SUB ~ T 1. SUB , 
ACTIV ~ ACTIV2, 
CON ~ CONFIG(TI.SUB, P)] 
BR.Alfi [K ~ L, 
I ~ TO.OF(L, I, K), 
T.SUB ~ T2.SUB, 
ACTIV .. ACTIV3, 
CON ~ CONFIG(T2.SUB, P)] 
BR.LEMMA.19 [QQ ~ P, 
K .. L, 
I ~ TO.OF(L, I, K), 
T . SUB .. T1.SUB, 
BR.A19.1 
BR.A40 
BR.A28 
BR.A29 
Tl . SUB .. T2. SUB] 
BR.DI [T.SUB ~ TI.SUB, 
II .. DW.FOR.TO.OF(L, I, K)] 
BR.DI [T.SUB ~ T2.SUB, 
II .. DW.FOR.TO.OF(L, I, K)] 
237 
/* 
... And, either the two Votes are in the same frame or the 
second Vote is in the same frame as the Execute. 
BR.LEMMA.5l: axiom 
P E SAFE.FOR(DW.FOR.TO.OF(L, I, K» 
ALE INPUTS(K) 
A START.FRAME(FRAME(T.SUB) = I*FRAME.SIZE() 
A SEQ.~ffiMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A START.FRAME(FRAME(Tl.SUB» = TO.OF(L, I, K)*FRAME.SIZE() 
A SEQ.MEMBER(ACTIV2, SClffiD(CONFIG(Tl.SUB, P), Tl.SUB, P» 
A «ACTION(ACTIV2) = VOTE() A ELEM.ACTION(ACTIV2) = Y) 
V ACTION(ACTIV2) = DUMMY.VOTE(» 
A TASK.ACTION(ACTIV2) = L 
A T2.SUB > Tl.SUB 
A T2.SUB S T.SUB 
A TASK.ACTION(ACTIV3) = L 
A «ACTION(ACTIV3) = VOTE() A ELEM.ACTION(ACTIV3) = Y) 
V ACTION(ACTIV3) = DUMMY.VOTE(» 
A SEQ.MEMBER(ACTIV3, SCHED(CONFIG(T2.SUB, P), T2.SUB, P» 
) 
FRAME(Tl. SUB) = FRAME(T2. SUB) V FRAME(T. SUB) = FRAME(T2. SUB) 
prove BR.LEMMA.51 
using BR.LEMMA.46 
BR. LEMMA.l2 
BR.A2l [T.SUB ~ Tl.SUB] 
BR.A2l [Tl.SUB ~ T.SUB] 
BR.A2l [Tl.SUB ~ T2.SUB] 
BR.A2l [T.SD~ ~ Tl.SUB, 
T1 . SUB ~ T2. SUB] 
BR.A2lB [T.FRAME ~ FRAME(Tl.SUB)] 
TIMES.AXIOM.2 [INTl ~ TO.OF(L, I, K), 
INT2 ~ FRAME.SIZE()] 
238 
/* Later iterations of a task are performed during later subframes. */ 
BR.LEMMA.52: formula 
START.FRAME(FRAME(T.SUB)) = I*FRAME.SIZE() 
A START.FRAME(FRAME(TI.SUB)) = J*FRAME.SIZE() 
A I > J 
) 
T . SUB > T 1. SUB 
prove BR.LEMMA.52 
using BR.A21 [TI.SUB ~ T.SUB] 
BR.A2IB [T.FRAME ~ FRAME(T.SUB)] 
BR.A21 [T.SUB ~ TI.SUB] 
BR.A2IB [T.FRAME ~ FRAME(TI.SUB)] 
NAT.NONNEGATIVE [Y ~ FRAME.SIZE()] 
TIMES.AXIOM.3 [INTI ~ I, 
INT2 ~ J, 
INT3 ~ FRAME.SIZE()] 
TIMES.AXIOM.I [INTI ~ I, 
INT2 ~ J, 
INT3 ~ FRAME.SIZE()] 
BR.LEMMA.12 
BR.A21 [TI.SUB ~ T.SUB, 
T. SUB ~ TI. SUB] 
239 . 
/* 
Given a pair of safe processors, the ON.IN value received 
will be among the values mapped up to ON. 
BR.LEMMA.53: formula 
P E SAFE.FOR(OF(I, K» A QQ E SAFE.FOR(OF(I, K» 
) 
ON.IN(K, I, P, QQ) E ON(K, I, P) 
prove BR.LEMMA.53 
using BR.RE.MAPPING.5 [V ~ ON.IN(K, I, P, QQ), 
Y ~ @:D] 
BR.RE.MAPPING.6 (V .. BOTTOMl(K), 
Y ~ @:D, 
T.SUB ~ @:D, 
ACTIV ~ @:D] 
240 
/* As the formula name implies ... */ 
REGRETABLE.EVIL: formula 
,(3 ACTIV: 
SEQ. MEMBER (ACTIV, SCfffiD(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K) 
) 
,(3 ACTIV2: 
SEQ.MEMBER(ACTIV2, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV2) = EXECUTE() 
A TASK.ACTION(ACTIV2) = K) 
A ,(3 ACTIV3: 
SEQ.~ffiMBER(ACTIV3, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV3) = EXECUTE() 
A TASK.ACTION(ACTIV3) = K) 
241 
********** Proofs of Replication Model Axioms 
prove RP.D4· 
using BR.LEMMA.33 
BR.LEMMA.31 
prove RP.A3 
using INTERSECT [X ~ P, 
S ~POLL.FOR.OF(I, K), 
SI ~ SAFE.FOR(DW.OF(I, K»] 
RP.L3 
BR.LEMMA.37 
BR.LEMMA.45 [QQ ~ P, 
T.SUB ~ *T.SUB:3, 
ACTIV ~ *ACTIV:3] 
prove RP.A2 [QQ ~ *QQ:3] 
using INTERSECT [S ~ POLL.FOR.OF(I, K), 
SI ~ SAFE.FOR(DW.OF(I, K», 
X ~ P] 
BR.LEMMA.34 [QQ ~ @QQ:C] 
BR.RE.MAPPING.5 [Y ~ *Y:4, 
QQ ~ @:D] 
DATA.EQUALITY [VI ~ ON.IN(K, I, P, *QQ:3), 
********** 
Y ~ @:D] 
LENGTH.OF.ELEMENTS.OF.ON.IS.LENGTH.OF.ON.IN [QQ ~ P] 
DATA.SIZE.IS.SEQ.LENGTH [QQ ~ *QQ:3] 
BR.LEMMA.34 [QQ ~ *QQ:C] 
BR.RE.MAPPING.5 [QQ ~ *QQ:C, 
Y ~ @Y:D] 
DATA.EQUALITY [VI ~ ON.IN(K, I, P, *QQ:C), 
Y 4- *Y:8] 
DATA.SIZE.IS.SEQ.LENGTH [QQ ~ *QQ:C] 
242 
SUBSECTION 7.15 
PREPOST AXIOMS 
243 

/* ********** Prepost Level Axioms derived by Program Proof ********** */ 
CARDINALITY: (S) ~ NAT = CARD(S) 
AR~~Y.TYPE: type (TYPEl) is SEQ(lYPEl) 
INDEX: (ARRAY.TYPE(TYPEl), NAT) ~ TYPEl 
TASK: type is NAT 
PROC: type is NAT 
ACTIVITIES: type is NAT 
NULL. ENTRY: 0 ~ ACTIVITIES = 0 
STATE: type is PAIR.OF(SUBFRAMETI~m, PROC) 
var STATE. SIFT: STATE 
MAKE. STATE: (T.SUB, P) ~ STATE = MAKE.PAIR(T.SUB, P) 
S.SUB: (STATE. SIFT) ~ SUBF~TI~m = FIRST(STATE.SIFT) 
S.PROC: (STATE. SIFT) ~ PROC = SECOND(STATE.SIFT) 
NEXT: (STATE. SIFT) ~ STATE 
= ~~KE.STATE(SUB.INCR(S.SUB(STATE.SIFT», S.PROC(STATE.SIFT» 
P.SUBF~TIME: type is NAT 
var T. PSUB: P. SUBF~TIME 
B9TTOM_VAL: () ~ DATAVAL = BOTTOMD() 
INSET: (X, S) ~ BOOL = XES 
MOD.F~SIZE: (T.SUB) ~ P.SUBF~ffiTIME = MOD(T.SUB, F~.SIZE(» 
SUBFRAME: (STATE.SIFT) ~ P.SUBFRAMETIME = MOD.F~SIZE(S.SUB(STATE.SIFT» 
P . SUBFRA!lffiTIME . BOUNDS: ax i om 
T.PSUB < FRA!lffi.SIZEO 
P.CONFIG: (STATE) ~ CONFIGS 
var TYPE3: type 
RECORD. TYPE: type(TYPEl, TYPE2, TYPE3) 
ACTIVITY. RECORD. TYPE: type is RECORD.TYPE(ACTIVITIES, TASK, NAT) 
SCHED TABLE: 
~ ARRAY.TYPE(ARRAY.TYPE(ARRAY.TYPE(ARRAY.TYPE(ACTIVITY.RECORD.TYPE»» 
TABLE_LENGTH: (ARRAY.TYPE(ACTIVITY.RECORD.TYPE» ~ NAT 
var TAB: ARRAY.TYPE(ACTIVITY.RECORD.TYPE) 
MAX_ACTIVITIES: ~ NAT 245 
DOT.TASKNAME: (ACTIVITY.RECORD.TYPE) ~ TASK 
DOT.ACTIVITY: (ACTIVITY.RECORD.TYPE) ~ ACTIVITIES 
DOT.ELEM: (ACTIVITY.RECORD.TYPE) • NAT 
INPUT: (STATE) ~ ARRAY.TYPE(ARRAY.TYPE(DATAVAL» 
DATAFILE: (STATE) ~ ARRAY.TYPE(ARRAY.TYPE(ARRAY.TYPE(DATAVAL») 
P.INPUTS: ~ ARRAY.TYPE(ARRAY.TYPE(NAT» 
POLL: ~ ARRAY.TYPE(ARRAY.TYPE(ARRAY.TYPE(BOOL») 
RESULT_SIZE: ~ ARRAY.TYPE(NAT) 
NULL TASK: ~ TASK 
MAX.ACTIVITIES: ~ NAT 
var INP: ARRAY. TYPE (ARRAY. TYPE (DATAVAL» 
TASK_RESULTS: (TASK, ARRAY.TYPE(ARRAY.TYPE(DATAVAL») ~ ARRAY.TYPE(DATAVAL) 
VOTE: ~ ACTIVITIES 
DUMMY_VOTE: () ~ ACTIVITIES = DUMMY.VOTE() 
VIRT_TO_REAL: (STATE) ~ ARRAY.TJPE(PROC) 
REAL TO VIRT: (STATE) ~ ARRAY.TYPE(PROC) 
var T1: TASK 
var E1: NAT 
var JI: NAT 
var PROCS: SET.OF(PROC) 
var MAJ_PROCS: SET.OF(PROC) 
var MAJI: DATAVAL 
var MAJI2: DATAVAL 
var TASKI: TASK 
var JIl: NAT 
SET.FN#9: (DATAVAL, STATE, NAT, TASK, CONFIGS) ~ SET.OF(PROC) 
MAX_PROCESSORS: ~ NAT 
246 
/* Schedule table axiom */ 
SCHED.TABLE.LENGTH.AXIOM: axiom 
TABLE_LENGTH(TAB) = Y 
DOT.ACTIVITY(INDEX(TAB, Y+INT.NAT(l))) = NULL.ENTRY() 
A (V Z: Z ~ Y A Z > 0 ) , (DOT.ACTIVITY(INDEX(TAB, Z)) = NULL.ENTRY())) 
/* Set Abstraction definition */ 
SET.ABSTR#9: axiom 
INSET(QQ, SET.FN#9(MAJI, STATE. SIFT, EI, TI, CON)) 
QQ ~ 1 
A QQ ~ MAX_PROCESSORS() 
A INDEX(INDEX(INDEX(POLL(), CON), INDEX(REAL_TO_VIRT(STATE.SIFT), QQ)), 
TI) 
A MAJI = INDEX(INDEX(INDEX(DATAFILE(STATE.SIFT), QQ), TI), EI) 
SET.FN#lO: (TASK, CONFIGS, STATE) ~ SET.OF(PROC) 
/* Another set abstraction */ 
SET.FN.AXIOM.IO: axiom 
V P, TI, CON: 
INSET(P, SET.FN#lO(TI, CON, STATE.SIFT)) 
P ~ 1 
A P ~ MAX_PROCESSORS() 
A INDEX(INDEX(INDEX(POLL(), CON), 
INDEX(REAL_TO_VIRT(STATE.SIFT), P)), 
TI) 
247 
/* 
This formula, characterizing the effect of 
having no Vote within a frame has been proven 
of the code by verification condition generation 
VOTE. FRAME. AXIOM: axiom 
V TI, EI: 
-'(3 JI: 
WORKING.DURING(S.PROC(STATE.SIFT) , S.SUB(STATE.SIFT)) 
I\JI~l 
1\ JJ S MAX_ACTIVITIES() 
1\ TI = DOT.TASKNAlfE(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
J1)) 
S.PROC(STATE.SIFT)) ),.& 
P.CONFIG(STATE.SIFT)), 
SUBFRAlfE(STATE.SIFT)) , 
1\ «DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
) 
JI)) 
= VOTEO 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT))) , 
P.CONFIG(STATE.SIFT)), 
SUBFRAME(STATE.SIFT)), 
1\ EI = DOT.ELEM(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI)) ) 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT)) 
), 
P.CONFIG(STATE.SIFT)), 
SUBFRAYE(STATE.SIFT)), 
V DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI) ) 
= DUMMY _ VOTE 0 )) 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT))), 
P.CONFIG(STATE.SIFT)) , 
SUBFRAME(STATE.SIFT)), 
INDEX(INDEX(INPUT(NEXl(STATE.SIFT)), TI), EI) 
= INDEX(INDEX(INPUT(STATE.SIFT) , TI), EI) 
248 
/* This axiom describing the effect of a Vote on 
the state has been proven of the Pascal code. 
VOTE.ACTIVITY: axiom 
V TI, EI: 
(3 JI: 
WORKING.DURING(S.PROC(STATE.SIFT), S.SUB(STATE.SIFT» 
"JI~l 
" JI ~ MAX_ACTIVITIES() 
" DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SClffiD_TABLE(), 
JI) ) 
= VOTEO 
INDEX 
(REAL_TO_VIRT(STATE.SIFT) , 
S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
" TI = DOT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SClffiD_TABLE(), 
JI) ) 
, 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT») 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE. SIFT», . 
"EI = DOT. ELEM(INDEX(INDEX(INDEX(INDEX(SClffiD_TABLE(), 
JI») 
) 
INDEX: 
(REAL_TO_VIRT(STATE.SIFT) 
, S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
if 3 MAJI2: 
CARDINALITY(SET.FNH9(MAJI2, STATE.SIFT, EI, TI, 
P.CONFIG(STATE.SIFT») 
then 
> CARDINALITY(SET.FNHIO(TI, P.CONFIG (STATE. SIFT) , 
STATE.SIFT» 
V MAJI: 
CARDINALITY(SET.FNH9(MAJI, STATE.SIFT, EI, TI, 
P.CONFIG(STATE.SIFT») 
> CARDINALITY(SET.FNHIO(TI, P.CONFIG(STATE.SIFT) , 
STATE. SIFT» 
) 
INDEX(INDEX(INPUT(NEXT(STATE.SIFT», TI), EI) = MAJI 
else BOTTOMD() = INDEX(INDEX(INPUT(NEXT(STATE.SIFT», TI), EI) 
end if 
249 
/* Similarly for the Dummy Vote */ 
DUMMY_VOTE. ACTIVITY: axiom 
V TI, EI: 
(3 JI: 
WORKING.DURING(S.PROC(STATE.SIFT), S.SUB(STATE.SIFT» 
A JI ~ 1 
A JI ~ MAX_ACTIVITIES() 
A DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI» 
= DUMMY_VOTE () 
INDEX 
(REAL_TO_VIRT(STATE.SIFT), 
S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
A TI = DOT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SClffiD_TABLE(), 
JI») 
A EI ~ 1 
A EI ~ INDEX(RESULT_SIZE(), TI) 
) 
, 
INDEX 
(REAL_TO_ VIRT 
(STATE.SIFT), 
S.PROC(STATE.SIFT») 
P.CONFIG(STATE.SIFT), 
SUBFRAME(STATE.SIFT», 
INDEX(INDEX(INPUT(NEAl(STATE.SIFT», TI), EI) = BOTTOM_VAL() 
250 
/* and for the lack of an Execute during a frame */ 
EXECUTE. FRAME. AXIOM: axiom 
V P, TI, EI: 
WORKING.DURING(S.PROC(STATE.SIFT), S.SUB(STATE.SIFT» 
" .,(3 JI: 
JI ~ 1 
" JI ~ MAX_ACTIVITIES() 
" DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_ VIRT 
(STATE.SIFT), 
JI) ) 
= EXECUTE() 
S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
" DOT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
JI) ) 
= TI) 
(REAL_ TO_ VIRT 
(STATE.SIFT), 
S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
) 
INDEX(INDEX(INDEX(DATAf'ILE(NEXT(MAKE.STATE(S.SUB(STATE.SIFT), 
S.PROC(STATE.SIFT»», 
S.PROC(STATE.SIFT», 
TI), 
EI) 
= INDEX(INDEX(INDEX(DATAFILE(MAKE.STATE(S.SUB(STATE.SIFT), 
S.PROC(STATE.SIFT»), 
S.PROC(STATE.SIFT», 
TI), 
EI) 
251 
/* and for an Execute activity */ 
EXEGVTE.ACTIVITY: axiom 
V TI, INP: 
WDRKING.DURING(S.PROC(STATE.SIFT), S.SUB(STATE.SIFT» 
A (3 JI: 
JI ~ 1 
A JI ~ MAX_ACTIVITIES() 
A DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
JI» 
= EXECUTEO 
(REAL _ TO _ VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT»), 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
A DOT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI» 
= TI 
INDEX 
(REAL_TO_VIRT 
(STATE. SIFT) , 
S.PROC(STATE.SIFT») , 
P.CONFIG(STATE.SIFT», 
SUBFRAME(STATE.SIFT», 
A (V TASKI, JIl, EI: 
EI ~ 1 A EI ~ INDEX(RESULT_SIZE(), TASKI) 
) 
(INDEX(INDEX(P.INPUTS(), TI), JIl) = TASKI 
A ~(TASKI = NULL_TASK(» 
) 
INDEX(INDEX(INP, JIl), EI) 
= INDEX(INDEX(INPUT(NEXT(STATE.SIFT», TASKI), EI»» 
) 
INDEX(INDEX(DATAFILE(NEXT(~~E.STATE(S.SUB(STATE.SIFT), 
S.PROC(STATE.SIFT»», 
S.PROC(STATE.SIFT», 
TI) 
= TASK_RESULTS(TI, INP) 
252 
S1FT.PARAlffiTER.1NVAR1ANTH7: axiom 
VOTE() > 0 A DUMMY_VOTE() > 0 A EXECUTE() > 0 
S1FT.PARAlffiTER.1NVAR1ANTH8: axiom 
~(VOTE() = DUMMY_VOTE(» 
A ~(VOTE() = EXECUTE(» 
A ~ (DUMMY _VOTE 0 = EXECUTE 0 ) 
S1FT.PARAlffiTER.1NVAR1ANTH17: axiom 
V P, CON, T.PSUB, J1, Y: 
DOT.ACT1V1TY(1NDEX(1NDEX(1NDEX(1NDEX(SCHED_TABLE(), P), CON), 
T.PSUB), 
= 0 
A Y > JI 
) 
JI) ) 
DOT.ACT1V1TY(1NDEX(1NDEX(INDEX(INDEX(SCHED_TABLE(), P), CON), 
T.PSUB), Y» 
= 0 
using PREPOST.MAPPING 
253 

SUBSECTION 7.16 
PREPOST MAPPING 
255 

/* 
********** Mapping from Prepost Specification 
to Activity Specification ********** 
PP.MAPPING.l: axiom 
RESULT.SIZE(K) = INDEX(RESULT_SIZE(), K) 
PP.MAPPING.2: axiom 
CoNFIG(T.SUB, P) = P.CoNFIG(MAKE.STATE(T.SUB, P» 
PP.MAPPING.3: axiom 
Y ~ 1 
) ) , 
A Y $ TABLE_LENGTH(INDEX(INDEX(INDEX(SCHED_TABLE(), 
) 
INDEX 
(REAL_To_VIRT(MAKE.STATE(T.Su~, 
P», 
P) ), 
P.CoNFIG(MAKE. STATE(T. SUB, P»), 
SUBFRAME(MAKE.STATE(T.SUB, P»» 
ACTION (SEQ. ELEM(SCHED(CoNFIG (T. SUB, P), T.SUB, P), Y-INT.NAT(l») 
= DoT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
Y» 
INDEX 
(REAL_TO_VIRT 
(MAKE. STATE(T. SUB, P», 
P», 
P.CoNFIG(MAKE.STATE(T.SUB, P»), 
SUBFRAME(MAKE. STATE(T. SUB, P»), 
A TASK.ACTIoN(SEQ.ELEM(SCHED(CONFIG(T.SUB, P), T.SUB, P), Y-INT.NAT(l») 
= DoT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
Y» 
INDEX 
(REAL_TO_VIRT 
(MAKE.STATE(T.SUB, P», 
P», 
P.CONFIG(MAKE.STATE(T.SUB, P»), 
SUBFRAME(MAKE. STATE(T. SUB, P»), 
A ELEM.ACTION (SEQ. ELEM(SClIED(CONFIG(T. SUB, P), T.SUB, P), Y-INT.NAT(l») 
= DoT.ELEM(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
Y» 
INDEX 
(REAL_TO_VIRT(MAKE.STATE(T.SUB, 
P 
P», 
P.CONFIG(MAKE. STATE(T. SUB, P»), 
SUBFRAME(MAKE. STATE(T. SUB, P»), 
257 
PP.MAPPING.4: axiom 
SEQ.LENGTH(SCHED(CONFIG(T.SUB, P), T.SUB, P» 
= TABLE_LENGTH(INDEX(INDEX(INDEX(SCHED_TABLEO, 
INDEX(REAL_TO_VIRT(MAKE. STATE(T. SUB, 
», P», 
P.CONFIG(MAKE. STATE(T. SUB, P»), 
SUDFRAME(MAKE.STATE(T .SUB, P»» 
PP.MAPPING.5: axiom 
1 S YAY S RESULT.SIZE(K) 
) 
SEQ.ELEM(DATAFILEIN.FOR.ON(P, K, QQ, START(T.SUB, P», Y) 
P 
= SEQ.ELEM(INDEX(INDEX(DATAFILE(MAKE.STATE(T.SUB, P», QQ), K), Y) 
A SEQ. ELEM(INDEX(INDEX(DATAFILE(MAKE. STATE(T. SUB, P», QQ), K), Y) 
= INDEX(INDEX(INDEX(DATAFILE(MAKE. STATE(T. SUB, P», QQ), K), Y) 
PP.MAPPING.6: axiom 
WORKING.DURING(P, T.SUB) 
A WORKING.DURING(QQ, T.SUB) 
A 1 < Y 
A Y ~ RESULT.SIZE(K) 
) 
SEQ.ELEM(DATAFILEIN.FOR.ON(P, K, QQ, START(T.SUB, P», Y) 
= SEQ. ELEM(INDEX(INDEX(DATAFILE(MAKE. ST ATE (T. SUB, QQ», QQ), K), Y) 
A SEQ.ELEM(INDEX(INDEX(DATAFILE(MAKE.STATE(T.SUB, QQ», QQ), K), Y) 
= IND&X(INDEX(INDEX(DATAFILE(MAKE.STATE(T.SUB, QQ», QQ), K), Y) 
PP.MAPPING.7: axiom 
1 S YAY S RESULT.SIZE(K) 
J 
SEQ.ELEM(INPUTIN.OF(P, K, START(T.SUB, P», Y) 
= SEQ. ELEM(INDEX(INPUT(MAKE. STATE(T. SUB, P», K), Y) 
A SEQ.ELEM(INDEX(INPUT(MAKE. STATE(T. SUB, P», K), Y) 
= INDEX(INDEX(INPUT(MAKE. STATE(T. SUB, P», K), Y) 
CONVERT. REP: (SET.OF(PAIR.OF(DATA, TASK») • ARRAY.TYPE(ARRAY.TYPE(DATAVAL» 
PP.MAPPING.10: axiom 
MAKE. PAIR (V, L) E V.INPUTS 
(1 S EI 
A EI S RESULT.SIZE(L) 
A ~NDEX(INDEX(P.INPUTS(), K), Jl1) = L 
A ~(L = NULL_TASK(» 
) 
INDEX(INDEX(CONVERT.REP(V.INPUTS), Jl1), EI) = SEQ.ELEM(V, EI» 
PP.MAPPING.8: axiom 
APPLY(FUNCTION(K), V.INPUTS) = TASK_RESULTS(K, CONVERT.REP(V.INPUTS» 
PP.MAPPING.9: axiom 
L E INPUTS(K) 
(3 EI: INDEX(INDEX(P.INPUTS(), K), EI) = L A ~(L = NULL_TASK(») 
258 
PP.MAPPING.l1: axiom 
TABLE_LENGTH (INDEX(INDEX(INDEX(SCHED_TABLEO , 
INDEX(REAL_TO_VIRT(MAKE. STATE(T. SUB, P}}, 
P», 
P.CONFIG(MAKE.STATE(T.SUD, P}», 
SUBFRAME(MAKE. STATE(T. SUB, P})}} 
~ MAX_ACTIVITIES() 
PP.MAPPING.12: axiom 
QQ E POLLBY.FOR(P, K, T.SUB) 
INDEX(INDEX(INDEX(POLL(), P.CONFIG(MAKE. STATE(T. SUB, P}}}, 
INDEX(REAL_TO_VIRT(~~E.STATE(T.SUB, P», QQ», 
K) 
PP.MAPPING.13: axiom 
1 ~ PAP ~ MAX_PROCESSORS() 
259 

SUBSECTION 7.17 
PREPOST LEMMAS 
261 

/* 
********* Lemmas and Proofs between 
Activity and PrePost Specifications 
********** 
PP.LEMMA.l: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTEO 
A TASK.ACTION(ACTIV) = K 
) 
WORKING.DURING(S.PROC(MAKE. STATE(T. SUB, QQ», 
S. SUB (MAKE. STATE(T. SUB, QQ») 
A (3 JI: 
JI ~ 1 
A JI ~ MAX_ACTIVITIES() 
A DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_VIRT 
JI» 
= EXECUTE() 
(MAKE. STATE(T. SUB, QQ», 
S.PROC(MAKE.STATE(T.SUB, 
QQ»», 
P.CONFIG(MAKE.STATE(T.SUB, QQ»), 
SUBFRAME(MAKE.STATE(T.SUB, QQ»), 
A DOT. TASKNAME(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
JI) ) 
= K) 
263 
(REAL_ TO_ VIRT 
(MAKE.STATE(T.SUB, QQ», 
S.PROC(MAKE. STATE(T. SUB, 
QQ») ), 
P.CONFIG(MAKE.STATE(T.SUB, QQ»), 
SUBFRAME(MAKE.STATE(T. SUB, QQ»), 
prove PP.LEMMA.I [JI ~ *Y:I+INT.NAT(I)] 
using SEQ.MEMBER.AXIDM [SEQI ~ SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ), 
X ~ ACTlV, 
Y ~ @:D] 
SCHED.TABLE.LENGTH.AXIOM [Y ~ TABLE_LENGTH(@TAB:2), 
Z ~ @:D, 
TAB 
~ INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
SIFT.PARAMETER.INVARIANT#7 
(REAL_ TO_ VIRT 
(MAKE.STATE(T.SUB, QQ», 
QQ», 
P.CONFIG(MAKE. STATE(T. SUB, 
QQ»), 
SUBFRAME(MAKE.STATE(T.SUB, QQ»)] 
SIFT.PARAMETER.INVARIANT#17 [P ~ INDEX(REAL_TO_VIRT(A~E.STATE(T.SUB, 
QQ», 
QQ), 
CON ~ CONFIG(T.SUB, QQ), 
PP.MAPPING.II [P ~ QQ] 
PP.MAPPING.4 [P ~ QQ] 
BR.DI [II ~ OF(I, K), 
P ~ QQ] 
BR.AI6 [P ~ QQ, 
T.PSUB ~ SUBFRAME(MAKE.STATE(T.SUB, QQ», 
JI ~ TABLE_LENGTH(@TAB:2)+INT.NAT(I), 
Y ~ JI:C] 
CON ~ CONFIG(T.SUB, QQ)] 
RE.BR.MAPPING.9 [P ~ QQ] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ QQ] 
PP.MAPPING.3 [Y ~ *Y:I+INT.NAT(I), 
P ~ QQ] 
PP.MAPPING.2 [P ~ QQ] 
PP.MAPPING.I 
264 
PP.LEMMA.2: formula 
WORKING.DURING(QQ, T.SUB) 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = VOTE() 
A ELEM.ACTION(ACTIV) = Y 
A TASK.ACTION(ACTIV) = K 
) 
(3 JI: 
JI ~ 1 
A JI ~ ~~_ACTIVITIES() 
A DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_VIRT 
JI» 
= VOTE() 
(MAKE. STATE(T. SUB, QQ», 
S.PROC(MAKE. STATE(T. SUB, 
QQ»», 
P.CONFIG(MAKE.STATE(T.SUB, QQ»), 
SUBFRA1iE(MAKE. STATE(T. SUB, QQ»), 
A DOT.TASKN~ffi(INDEX(INDEX(IND&X(INDEX(SCHED_TABLE(), 
IND&X 
(REAL_TO_VIRT 
JI» 
= K 
(MAKE. STATE(T. SUB, QQ», 
S.PROC(MAKE.STATE(T.SUB, 
QQ»», 
P.CONFIG(MAKE.STATE(T.SUB, QQ»), 
SUBFRAME(MAKE. STATE(T. SUB, QQ»), 
A DOT.ELEM(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI» 
= Y) 
INDEX 
(REAL_TO_VIRT(MAKE.STATE(T.SUB, 
QQ», 
S.PROC(MAKE. STATE(T. SUB, QQ»», 
P.CONFIG(MAKE.STATE(T.Su~, QQ»), 
SUBF~(MAKE.STATE(T.SUB, QQ»), 
.265 
prove PP.LEMMA.2 [JI ~ *Y:I+INT.NAT(I)] 
using SEQ.ME~mER.AXIOM [SEQl ~ SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ), 
X ~ ACTIV, 
Y ~ @:D] 
SCHED.TABLE.LENGTH.AXIOM [Y ~ TABLE_LENGTH(@TAB:2), 
SIFT. PARAMETER. I NVAR IANT#7 
Z ~ @:D, 
TAB 
~ INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_ TO_ VIRT 
(MAKE. STATE(T. SUB, QQ», 
QQ», 
P.CONFIG(MAKE.STATE(T.SUB, 
QQ» ), 
SUBFRAME(MAKE. STATE(T .SUB, QQ»)] 
SIFT.PARAMETER.INVARIANT#l7 [P ~ INDEX (REAL_TO_VIRT (MAKE. STATE(T. SUB, 
QQ», 
QQ), 
CON ~ CONFIG(T.SUB, QQ), 
PP.MAPPING.II [P ~ QQ] 
PP.MAPPING.4 [P ~ QQ] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
T .PSUB ~ SUBFRAME(MAKE.STATE(T . SUB, QQ», 
JI ~ TABLE_LENGTII(@TAB:2)+INT.NAT(l), 
Y ~ JI:C] , 
X2 ~ QQ] 
PP.MAPPING.3 [Y ~ *Y:I+INT.NAT(l), 
P ~ QQ] 
PP.MAPPING.2 [P ~ QQ] 
PP.MAPPING.I 
266 
PP.LEMMA.3: formula 
WORKING.DURING(QQ, T.SUB) 
A SEQ. MEMBER (ACTIV, SCllliD(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = DUMMY_VOTE() 
A TASK.ACTION(ACTIV) = K 
) 
(3 JI: 
JI ~ 1 
A JI ~ MAX_ACTIVITIES() 
A DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCllliD_TABLE(), 
INDEX 
(REAL_TO_VIRT 
JI» 
= DUMMY_VOTE () 
(MAKE. STATE(T. SUB, QQ», 
S.PROC(MAKE.STATE(T.SUB, 
QQ») ), 
P.CONFIG(MAKE. STATE(T. SUB, QQ»), 
SUBFRAME(MAKE.STATE(T.SUB, QQ»), 
A DOT.TASKNAME(INDEX(INDEX(INDEX(INDEX(SCllliD_TABLE(), 
INDEX 
JI» 
= K) 
. 267 
(REAL _ TO _ VIRT 
(MAKE. STATE(T. SUB, QQ», 
S.PROC(MAKE.STATE(T.SUB, 
QQ»» , 
P.CONFIG(MAKE. STATE(T. SUB, QQ»), 
SUBFRAME(MAKE.STATE(T.SUB, QQ»), 
prove PP.LEMMA.3 [JI ~ *Y:I+INT.NAT(I)] 
using SEQ.MEMBER.AXIOM [SEQI ~ SCHED(CONFIG(T.SUB, QQ). T.SUB, QQ), 
X ~ ACTIV, 
Y ~ @:D] 
SCHED.TABLE.LENGTH.AXIOM [Y ~ TABLE_LENGTH(@TAB:2), 
SIFT.PARAMETER.INVARIANTH7 
Z ~ @:D, 
TAB 
~ INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_VIRT 
(MAKE. STATE(T. SUB, QQ», 
QQ», 
P.CONFIG(MAKE. STATE(T. SUB, 
QQ» ), 
SUBFRAME(MAKE. STATE(T. SUB, QQ»)] 
SIFT.PARAMETER.INVARIANTHI7 [P ~ INDEX(REAL_TO_VIRT(MAKE. STATE(T. SUB, 
QQ». 
QQ), 
CON ~ CONFIG(T.SUB, QQ), 
PP.MAPPING.II [P ~ QQ] 
PP.MAPPING.4 [P ~ QQ] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
T.PSUB ~ SUBFRAME(MAKE.STATE(T.SUB, QQ», 
JI ~ TABLE_LENGTH(@TAB:2)+INT.NAT(I), 
Y ~ JI:C] . 
X2 ~ QQ] 
PP.MAPPING.3 [Y ~ *Y:I+INT.NAT(I), 
p.~ QQ] 
PP.MAPPING.2 [P ~ QQ] 
PP.MAPPING.I 
268 
PP.LEMMA.4: axiom 
JI ~ TABLE_LENGTH(INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX(REAL_TO_VIRT(MAKE.STATE(T.SUB, 
P», 
A JI S MAX_ACTIVITIES() 
) 
P», 
P.CONFIG(~~E.STATE(T.SUB, P»), 
SUBFRAME(~E.STATE(T.SUB, P»» 
DOT.ACTIVITY(INDEX(INDEX(INDEX(INDEX(SCHED_TABLE(), 
JI» 
= NULL.ENTRY() 
INDEX 
(REAL_TO_VIRT(MAKE.STATE(T.SUB, 
P», 
S.PROC(~~E.STATE(T.SUB, P»», 
P.CONFIG(~E.STATE(T.SUB, P»), 
SUBFRAME(~E.STATE(T.SUB, P»), 
269 
PP.LEMMA.5: 'formula 
, (V V.T: 
V. T E V. INPUTS 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) 
= INPUTIN.OF(QQ, SOURCE(V.T), START(SUB.INCR(T.SUB), QQ») 
A EI ~ I 
A EI ~ INDEX(RESULT_SIZE(), TASKI) 
A INDEX(INDEX(P.INPUTS(), K), JII) = TASKI 
A ~(TASKI = NULL_TASK(» 
) 
INDEX(INDEX(CONVERT.REP(V.INPUTS), JII), EI) 
= INDEX(INDEX(INPUT(NEXT(MAKE. STATE(T. SUB, QQ»), TASKl), El) 
prove PP.LEMMA.5 [V.T 
~ MAKE.PAIR(lNPUTlN.OF(QQ, TASKl, 
START(SUB.lNCR(T.SUB), QQ», 
using PAlR.AXlOM.2 [Xl ~ T.SUB, 
X2 ~ QQ] 
TASKl)] 
PAIR.AXlOM.2 [Xl ~ INPUTIN.OF(QQ, TASKl, START(SUB.INCR(T.SUB), QQ», 
X2 .. TASKl] 
PP.MAPPING.I [K ~ TASKl] 
PP.MAPPING.9 [L .. TASKl, 
EI .. JIl] 
PP.MAPPING.IO [L .. TASKI, 
El .. El, 
V .. INPUTlN.OF(QQ, TASKl, START(SUB.lNCR(T.SUB), QQ»] 
PP.MAPPING.7 [Y .. El, 
T.SUB .. SUB.INCR(T.SUB), 
P .. QQ, 
K .. TASKI] 
270 
PP.LEMMA.7: formula 
P E.SAFE.FOR(OF(I, K» 
A QQ E SAFE.FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = hFRAME.SIZEO 
A (V V.T: 
V. T E V. INPUTS 
SOURCE(V.T) E INPUTS(K) 
A VALUE(V.T) 
= INPUTIN.OF(QQ, SOURCE(V.T), START(SUB.INCR(T.SUB), QQ») 
A SEQ.ME~rnER(ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
) 
INDEX(INDEX(DATAFILE(~~E.STATE(SUB.INCR(T.SUB), QQ», QQ), K) 
= TASK_RESULTS(K, CONVERT.REP(V.INPUTS» 
prove PP . LEMMA. 7 [V. T .. *V. T: 1] 
using PP.LEMMA.5 [EI .. *EI:2, 
TASKI .. *TASKI:2, 
JIl .. *JIl: 2] 
EXECUTE.ACTIVITY [STATE.SIFT .. MAKE.STATE(T.SUB, QQ), 
JI .. *JI:3, 
TI .. K, 
INP .. CONVERT.nEP(V.INPUTS)] 
PP.LEMMA.I 
PAIR.AXIOM.2 [Xl .. T.SUB, 
X2 .. QQ] 
271 
PP.LE~~.8: formula 
P E SAFE.FOR(OF(I, K» 
A QQ E SAFE. FOR(OF(I, K» 
A START.FRAME(FRAME(T.SUB» = I*FRAME.SIZE() 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ» 
A ACTION(ACTIV) = EXECUTE() 
A TASK.ACTION(ACTIV) = K 
A INDEX(INDEX(DATAFILE(~~KE.STATE(SUB.INCR(T.SUB), QQ», QQ), K) 
= TASK_RESULTS(K, CONVERT.REP(V.INPUTS» 
) 
DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB) , P» 
= APPLY(FUNCTION(K), V.INPUTS) 
prove PP.LE~NA.8 
using PP.~PING.8 
PP.~PING.5 [Y ~ *Y:3, 
T.SUB ~ SUB.INCR(T.SUB)] 
DATA.EQUALITY [VI ~ DATAFILEIN.FOR.ON(P, K, QQ, 
START(SUB.INCR(T.SUB) , P», 
Y ~ @:D, 
V ~ APPLY(FUNCTION(K), V.INPUTS)] 
PP.~~PING.6 [Y ~ *Y:3, 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.LE~.5 
BR.DI [II ~ OF(I, K), 
T.SUB ~ SUB.INCR(T.SUB)] 
BR.DI [II ~ OF(I, K), 
P ~ QQ, 
T.SUB ~ SUB.INCR(T.SUB)] 
RE.BR.~PING.9 [T.SUB ~ SUB.INCR(T.SUB)] 
RE.BR.~PING.9 [P ~ QQ, 
T.SUB ~ SUB.INCR(T.SUB)] 
DATA. SIZE. IS.SEQ.LENGTH.3 
DATA.SIZE.IS.SEQ.LENGTH.2 [T.REAL ~ START(SUB.INCR(T.SUB) , P)] 
SEQ.EQUALITY.AXIOM [SEQI ~ APPLY(FUNCTION(K), V.INPUTS), 
SEQ2 ~ TASK_RESULTS(K, CONVERT.REP(V.INPUTS», 
Y ~ *Y:3] 
SEQ.EQUALITY.AXIOM [SEQI 
~ INDEX(INDEX(DATAFILE(NEXT(MAKE. STATE(T. SUB, 
QQ»), QQ), 
K), 
SEQ2 ~ TASK_RESULTS(K, CONVERT.REP(V.INPUTS», 
Y ~ *Y:3] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ QQ] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ QQ] 
272 
PP.LEMMA.10: axiom 
WORKING.DURING(P, T.SUB) 
A SEQ.MEMBER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
) 
CARD(D.BAG.A9C(P, K, T.SUB, Y» 
= CARD(SET.FNH10(K, P.CONFIG(MAKE. STATE(T. SUB, P», 
MAKE. STATE(T. SUB, P») 
prove PP.LEMMA.10 
using SET.ABSTRACTION.A9C [D.P ~ MAKE.PAIR(*D1:2, *QQ:2)] 
SET.CONSTRUCTION.LE~~ 
PAIR.AXIOM.2 [Xl ~ D1:2, 
X2 ~ QQ:2] 
PP.MAPPING.12 [QQ ~ *QQ:2] 
SET.FN.AXIOM.10 [P ~ *QQ:2, 
STATE.SIFT ~ MAKE.STATE(T.SUB, P), 
TI ~ K, 
CON ~ P.CONFIG(MAKE.STATE(T.SUB, P»] 
PP. ~~PING; 13 [P ~ *QQ: 2] 
273 
var Rl: PROC 
var D.Pl: PAIR.OF(DATAVAL,PROC) 
var D.P2: PAIR. OF (DATAVAL , PROC) 
var D.BAG.l: SET.OF(PAIR.OF(DATAVAL, PROC» 
var D2: DATAVAL 
/* 
The set of processors computing the same value can be represented 
either as a set of (proc,value) pairs or as a set of procs. 
SET.CONSTRUCTION.LEMMA: formula 
(V Dl, QQ: 
MAKE.PAIR(Dl, QQ) E D.BAG.A9C(P, K, T.SUB, Y) 
QQ 
E SET.FNgIO(K, P.CONFIG(MAKE.STATE(T.SUB, P», MAKE. STATE(T. SUB, P» 
A Dl = SEQ.ELEM(DATAFILEIN.FOR.ON(P, K, QQ, START(T.SUB, P», Y» 
) 
CARD(D.BAG.A9C(P, K, T.SUB, Y» . 
= CARD(SET.FNgIO(K, P.CONFIG(MAKE.STATE(T.SUB, P», 
MAKE.STATE(T.SUB, P») 
SET.CONSTRUCTION.LEMMA.2: formula 
(V D.P: 
D.P E D.BAG 
SOURCE(D.P) 
E SET. FNg9(VALUE(D.P), MAKE. STATE(T. SUB, P), Y, K, 
P.CONFIG(MAKE. STATE(T. SUB, P»» 
) 
CARD(D.BAG.MAJ(P, K, T.SUB, Y, D2» 
= CARD(SET.FNg9(D2, MAKE.STATE(T.SUB, P), Y, K, 
P.CONFIG(MAKE. STATE(T. SUB, P»» 
274 
PP.LEMMA.13: formula 
1 S YAY S RESULT.SIZE(K) 
) 
CARD(D.BAG.MAJ(P, K, T.SUB, Y, D2» 
= CARD(SET.FNH9(D2, MAKE.STATE(T.SUB, P), Y, K, 
P.CONFIG(MAKE. STATE(T. SUB, P»» 
prove PP.LEMMA.13 
using SET.CONSTRUCTION.LE~\.2 [D.BAG ~ D.BAG.A9C(P, K, T.SUB, Y)] 
PP.MAPPING.13 [P ~ SOlmCE(*D.P:l)] 
SET.ABSTRACTION.A9C [D.P ~ *D.P:l] 
SET.ABSTRH9 [QQ ~ SOURCE(*D.P:l), 
~~JI ~ VM.UE(*D.P:l) , 
STATE.SIFT ~ MAKE.STATE(T.SUB, P), 
EI ~ Y, 
TI ~ K, 
CON ~ P.CONFIG(~~E.STATE(T.SUB, P»] 
PP.MAPPING.12 [QQ ~ SOURCE(*D.P:l)] 
PP.MAPPING.5 [QQ ~ SOURCE(*D.P:l)] 
275 
PP.LEMMA.14: formula 
WORKING.DURING(P, T.SUB) 
A SEQ. MEMBER (ACTIV, SClffiD(CONFIG(T.SUB, P), T.SUB, P» 
A,ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
A I S Y 
A Y S RESULT.SIZE(K) 
A (3 ~~JI2: 
CARDINALITY(SET.FNH9(MAJI2, MAKE. STATE(T. SUB, P), Y, K, 
P.CONFIG(MAKE. STATE(T. SUB, P»» 
> CARDINALITY(SET.FNHIO(K, P.CONFIG(MAKE.STATE(T.SUB, P», 
MAKE. STATE(T. SUB, P»» 
A (V MAJI: 
CARDINALITY(SET.FNH9(A~JI, MAKE. ST ATE (T. SUB, P), Y, K, 
P.CONFIG(MAKE.STATE(T.SUB, P»» 
> CARDINALITY(SET.FNHIO(K, P.CONFIG(MAKE.STATE(T.SUB, P», 
MAKE. STATE(T. SUB, P») 
) 
INDEX(INDEX(INPUT(NEXT(MAKE. STATE(T. SUB, P»), K), Y) = MAJI) 
) 
SEQ.ELEM(INPUTIN.OF(P, K, START(SUB.INCR(T.SUB) , P», Y) 
= A~JORITY(D.BAG.A9C(P, K, T.SUB, Y» 
prove PP.LEMMA.14 [~~JI ~ *MAJI2:C] 
using PP.LEMMA.13 [D2 ~ *MAJI2:C] 
PP.LEMMA.IO 
MAJ.I [M.BAG ~ D.BAG.A9C(P, K, T.SUB, Y), 
M.BAG.I ~ D.BAG.MAJ(P, K, T.SUB, Y, *MAJI2:C), 
TI.V ~ *MAJI2:C] 
SET.ABSTRACTION.MAJ [D.P2 ~ *Vl.V2:3, 
D2 ~ *MAJI2:C] 
PP.MAPPING.7 [T.SUB ~ SUB.INCR(T.SUB)] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ P] 
276 
PP.LEMMA.15: formula 
WORI(ING.DURING(P, T.SUB) 
A SEQ.ME~rnER(ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
A 1 ~ Y 
A Y S RESm,T.SIZE(K) 
A -'(3 MAJI2: 
CARDINALITY(SET.FN#9(MAJI2, MAKE.STATE(T.SUB, P), Y, K, 
P.CONFIG(MAKE. STATE(T. SUB, P»» 
> CARDINALITY(SET.FN#IO(K, P.CONFIG(MAKE. ST ATE (T. SUB, P», 
~UlliE.STATE(T.SUB, P»» 
A BOTTO~ID() = INDEX(INDEX(INPUT(NEXT(~~E.STATE(T.SUB, P»), K), Y) 
) 
SEQ.ELEM(INPUTIN.OF(P, K, START(SUB.INCR(T.SUB), P», Y) 
= MAJORITY(D.BAG.A9C(P, K, T.SUB, Y» 
prove PP.LEMMA.15 [MAJI2 ~ *TI.V:3] 
using PP.LEMMA.13 [D2 ~ *TI.V:3] 
PP.LEMMA.I0 
~~J.3 [M.BAG.l ~ D.BAG.MAJ(P, K, T.SUB, Y, *TI.V:3), 
M.BAG ~ D.BAG.A9C(P, K, T.SUB, Y), 
.T2. V ~ BOTTOMDO] 
SET. ABSTRACTION . ~~J [D. P2 ~ * VI. V2 : 3, 
D2 ~ *TI. V:3] 
PP.MAPPING.7 [T.SL~ ~ SL~.INCR(T.SUB)] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ P] 
BOTTOM. EQUALITY [DI ~ BOTTmID 0 ] 
277 
PP.LEMMA.16: formula 
WORKING.DURING(P, T.SUB) 
A SEQ. MEMBER (ACTIV, SCHED(CONFIG(T.SUB, P), T.SUB, P» 
A ACTION(ACTIV) = VOTE() 
A TASK.ACTION(ACTIV) = K 
A ELEM.ACTION(ACTIV) = Y 
A 1 ~ Y 
A Y ~ RESULT.SIZE(K) 
J 
SEQ.ELEM(INPUTIN.OF(P, K, START(SUB.INCR(T.SUB) , P», Y) 
= MAJORITY(D.BAG.A9C(P, K, T.SUB, Y» 
prove PP.LEMMA.16 
using PP.LEMMA.2 [QQ ~ P] 
VOTE.ACTIVITY [JI ~ *JI:l, 
MAJI2 ~ *MAJI2:5, 
~L\JI ~ *MAJI: 3, 
STATE.SIFT ~ MAKE.STATE(T.SUB, P), 
EI ~ Y, 
TI ~ K] 
PP.LEMMA.14 [MAJI2 ~ *MAJI2:5] 
VOTE.ACTIVITY [JI ~ *JI:I, 
PP . LEMMA. 15 
MAJI2 ~ *MAJI2:5, 
MAJI ~ *~fAJI: 3 , 
STATE.SIFT ~ MAKE. STATE(T. SUB, P), 
EI ~ Y, 
TI ~ K] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ P] 
278 
Proofs of Activity Specification Axioms and Lemmas 
prove BR.A6A [ACTIV 
~ SEQ.ELEM(SCHED(CONFIG(T.SUB, P), T.SUB, P), 
*JI:2-INT.NAT(I»] 
using SEQ.MEMBER.AXIOM [SEQ1 ~ SCHED(CONFIG(T.SUB, P), T.SUB, P), 
X ~ @ACTIV:C, 
Y ~ *JI:2-INT.NAT(I)] 
VOTE.FRA1fE.AXIOM [STATE.SIFT ~ MAKE.STATE(T.SUB, P), 
TI ~ K, 
EI ~ Y] 
PP.MAPPING.4 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
PP.MAPPING.3 
PP.MAPPING.2 
PP.MAPPING.7 
X2 ~ P] 
[Y ~ *JI:2] 
PP.MAPPING.7 [T.SUB ~ SUB.INCR(T.SUB)] 
SCHED.TABLE.LENGTH.AXIOM [Y ~ TABLE_LENGTH(@TAB:9), 
Z ~ @:D, 
TAB 
~ INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL_TO_VIRT 
(MAKE.STATE(T.SUB, P», 
P.CONFIG(MAKE. ST ATE (T. SUB, 
P»), 
SUBFRA1fE(MAKE.STATE(T .SUB, P»)] 
P», 
SIFT.pARAMETER.INVARIANTH7 
SIFT. PARAMETER. I NVAR IANTH 17 [P ~ INDEX(REAL_TO_VIRT(MAKE. STATE(T. SUB, P», 
PP.MAPPING.ll 
PP.MAPPING.I 
P), 
CON ~ CONFIG(T.SUB, P), 
T.PSUB ~ SUBFRAME(MAKE.STATE(T.SUB, P», 
JI ~ TABLE_LENGTH(@TAB:9)+INT.NAT(1), 
y ~ *JI:2] 
279 
prove BR.LEMMA.18 [ACTIV 
~ SEQ. ELEM(SCHED(CONFIG (T. SUB, QQ), T.SUB, QQ), 
.JI:2-INT.NAT(I»] 
using SEQ.ME~IDER.AXIOM [SEQI ~ SCHED(CONFIG(T.SUB, QQ), T.SUB, QQ), 
X ~ OACTIV:C, 
Y ~ *JI:2-INT.NAT(I)] 
EXECUTE.FRAME.AXIOM [STATE.SIFT ~ MAKE. STATE(T. SUB, QQ), 
TI ~ K, 
EI ~ .Y:3] 
DATA.EQU.~ITY [V ~ DATAFILEIN.FOR.ON(P, K, QQ, START(SUB.INCR(T.SUB), P», 
VI ~ DATAFILEIN.FOR.ON(P, K, QQ, START(T.SUB, P», 
Y ~ @:D] 
DATA.SIZE.IS.SEQ.LENGTH.2 [T.REAL ~ START(SUB.INCR(T.SUB), P)] 
DATA.SIZE.1S.SEQ.LENGTH.2 [T.REAL ~ START(T.SUB, P)] 
PAIR.AXIOM.2 [Xl ~ T.SUB, 
X2 ~ QQ] 
PP.MAPPING.3 [Y ~ .Jl:2, 
P ~ QQ] 
PP.MAPPING.2 [P ~ QQ] 
PP.MAPPING.6 [Y ~ .Y:3] 
PP.MAPPING.6 [T.SUB ~ SUB.INCR(T.SUB), 
Y ~ .Y:3] 
RE.BR.MAPPING.9 
RE.BR.MAPPING.9 [T.SUB ~ SUB.INCR(T.SUB)] 
RE.BR.MAPPING.9 [P ~ QQ] 
RE.BR.MAPPING.9 [P ~ QQ, 
T.SUB ~ SUB.INCR(T.SUB)] 
SCHED.TABLE.LENGTH.AXIOM [Y ~ TABLE_LENGTH(@TAB:15), 
Z ~ O:D, 
SIFT.PARAMETER.INVARIANT#7 
TAB 
~ INDEX(INDEX(INDEX(SCHED_TABLE(), 
INDEX 
(REAL _ TO _ VIRT 
(MAKE. STATE(T. SUB, QQ», 
QQ», 
P.CONFIG(MAKE. STATE(T. SUB, 
QQ» ), 
SUBFRAME(MAKE. STATE(T. SUB, QQ»)] 
SIFT.P~~TER.INVARIANT#17 [P ~ INDEX(REAL_TO_VIRT(MAKE.STATE(T.SUB, 
QQ», 
PP.MAPPING.II [P ~ QQ] 
PP.MAPPING.4 [P ~ QQ] 
PP.MAPPING.I 
prove BR.LEMMA.17 [V.T ~ .V.T:I] 
using PP.LE~~.7 
PP.LE~~.8 
QQ), 
CON ~ CONFIG(T.SUB, QQ), 
T.PSUB ~ SUBFRAME(MAKE. ST ATE (T. SUB, QQ», 
JI ~ TABLE_LENGTH(@TAB:15)+INT.NAT(I), 
Y ~ *JI:2] 
280 
prove BR.A9C 
using PP.LEMMA.16 
BR.A44 [CON ~ CONFIG(T.Su~, P)] 
prove BR.A6B 
using PP.LEMMA.3 [QQ ~ P] 
DUMMY_VOTE.ACTIVITY [JI ~ *JI:I, 
EI ~ *Y:4, 
STATE.SIFT ~ MAKE. STATE(T. SUD, P), 
TI .. 1\] 
DATA. BOTTOM [Y ~ *Y:4] 
DATA.EQUALITY [V .. INPUTIN.OF(P, K, START(SUB.INCR(T.SUB) , P», 
VI .. BOTTOMI(K), 
Y ~ @:D] 
DATA.SIZE.IS.SEQ.LENGTH 
DATA.SIZE.IS.SEQ.LENGTH.2 [T.REAL .. START(SUB.INCR(T.SUB) , P)] 
PP.MAPPING.7 [Y ~ *Y:4, 
T.SUB .. SUB.INCR(T.SUB)] 
PAIR.~XIOM.2 [Xl ~ T.SUD, 
X2 ~ P] 
PP.MAPPING.I 
281 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms -----
BOTTOM.EQUALITY (20) 
BR.A1.A (4) 
BR.A1.C (8) 
BR.A1. E (4) 
BR.A12 (12) 
BR.A12A (36) 
BR .A12C (10) 
BR.A13A (38) 
BR.A13B (38) 
BR.A16 (300) 
BR.A18 (244) 
BR.A19.1 (74) 
BR.A19.2 (8) 
BR.A21 (944) 
BR.A21B (432) 
BR .A22 (108) 
BR.A25A (8) 
BR.A27 (8) 
BR.A28 (32) 
BR.A29 (32) 
BR.A36 (192) 
BR.A40 (48) 
BR.A44 (10) 
BR.A9A (42). 
BR.D1 (440) 
BR.RE.MAPPING.4 (26) 
BR.RE.MAPPING.5 (8) 
BR.RE.MAPPING.6 (14) 
BR. RE. ~L>\PPING. 7 (6) 
BR.RE.MAPPING.8 (10) 
DATA. BOTTOM (20) 
DATA.EQUALITY (114) 
DATA.SIZE.IS.SEQ.LENGTH (20) 
DATA.SIZE.IS.SEQ.LENGTH.2 (190) 
DATA.SIZE.IS.SEQ.LENGTH.3 (10) 
DUMMY_VOTE.ACTIVITY (10) 
EXECUTE.ACTIVITY (4) 
GE.CONFIG.FIELD (84) 
10 .A2A (2) 
LENGTH.OF.ELEMENTS.OF.ON.IS.LENGTH.OF.ON.IN (4) 
MAJ.1 (22) 
MAJ.2 (10) 
MAJ.3 (10) 
NAT.NONNEGATIVE (60) 
PAIR.AXIOM.2 (132) 
PP.MAPPING.1 (46) 
PP.MAPPING.10 (4) 
PP.MAPPING.ll (32) 
PP.MAPPING.12 (60) 
PP.MAPPING.13 (60) 
PP.MAPPING.2 (32) 282 
PP.MAPPING.3 (32) 
SUBSECTION 7.18 
PROOF-STATUS 4 
283 

42_STATUS (BR. LEMMA. 17) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms 
BR.A12 (1) 
BR.A13A (1) 
BR.A16 (3) 
BR.A21 (3) 
BR.A36 (1) 
BR.Dl (5) 
DATA. EQUALITY (1) 
DATA.SIZE.IS.SEQ.LENGTH.2 (1) 
DATA.SIZE.IS.SEQ.LENGTH.3 (1) 
EXECUTE.ACTIVITY (1) 
PAIR.AXIOM.2 (6) 
PP.MAPPING.l (2) 
PP.MAPPING.I0 (1) 
PP.MAPPING.ll (1) 
PP.MAPPING.2 (1) 
PP.MAPPING.3 (1) 
PP.MAPPING.4 (1) 
PP.MAPPING.5 (1) 
PP.~~PING.6 (1) 
PP.MAPPING.7 (1) 
PP.MAPPING.8 (1) 
PP.MAPPING.9 (1) 
RE.BR.MAPPING.9 (5) 
SCHED.TABLE.LENGTH.AXIOM (1) 
SEQ.EQUALITY.AXIOM (3) 
SEQ. MEMBER. AXIOM (1) 
SIFT.PARAMETER.INVARIANT#17 (1) 
SIFT.PARAMETER.INVARIANT#7 (1) 
----- Unproved Formulas 
CARD.2 (1) 
285 

SUBSECTION 7.19 
PROOF-STATUS 3. 
287 

33_STATUS(IO.A2) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms -----
BOTTOM. EQUALITY (20) 
BR.A1.C (4) 
BR.A1.D (4) 
BR.A1.E (4) 
BR.A12 (16) 
BR.A12A (36) 
BR.A12C (10) 
BR.A13A (42) 
BR.A13B (38) 
BR.A16 (308) 
BR.A18 (244) 
BR.A19.1 (74) 
BR.A19.2 (8) 
BR.A21 (956) 
BR.A21B (432) 
BR.A22 (108) 
BR.A25A (8) 
BR.A27 (8) 
BR.A28 (32) 
BR.A29 (32) 
BR.A36 (196) 
BR.A40 (48) 
BR.A44 (10) 
BR.A9A (42) 
BR.D1 (452) 
BR.HE.MAPPING.4 (26) 
BR.HE.MAPPING.5 (8) 
BR.HE.MAPPING.6 (14) 
BR.HE.MAPPING.7 (6) 
BR.HE.MAPPING.8 (10) 
DATA.BOTTOM (20) 
DATA. EQUALITY (114) 
DATA.SIZE.IS.SEQ.LENGTH (20) 
DATA.SIZE.IS.SEQ.LENGTH.2 (194) 
DATA.SIZE.IS.SEQ.LENGTH.3 (6) 
DUM},{Y _VOTE. ACTIVITY (10) 
EXECUTE.FRAME.AXIOM (4) 
GE.CONFIG.FIELD (84) 
IO.A2A (2) 
LENGTH.OF.ELEMENTS.OF.ON.IS.LENGTH.OF.ON.IN (4) 
MAJ.1 (22) 
MAJ.2 (10) 
MAJ.3 (10) 
NAT.NONNEGATIVE (60) 
PAIR.AXIOM.2 (112) 
PP.MAPPING.1 (42) 
PP.MAPPING.11 (32) 
PP. MAPPING .12 (60) 
PP.}'~PING.13 (60) 
PP .~~PING. 2 (32) 
PP.~~PING.3 (32) 289 
PP .~~PING.4 (32) 
PP.MAPPING.5 (30) 
PP.MAPPING.6 (8) 
PP.MAPPING.7 (56) 
RE.BR.MAPPING.9 (476) 
RESULT.SIZE.GREATER.THAN.1 (2) 
RP .AI. 1 (44) 
RP.A3A (6) 
RP.D1 (27) 
RP.D10 (70) 
RP.D11 (4) . 
RP.D2.1 (27) 
RP.D2.2 (8) 
RP.D3.1 (35) 
RP.D3.3 (35) 
RP.D4A (22) 
RP.D6 (6) 
RP.D7 (1) 
RP.D9A (3) 
RP.L12A (4) 
SCHED.TABLE.LENGTH.AXIOM (32) 
SEQ.EQUALITY.AXIOM (112) 
SEQ.MEMBER.AXIOM (32) 
SET.ABSTR#9 (30) 
SET.ABSTRACTION.A9C (70) 
SET.ABSTRACTION.MAJ (30) 
SET.FN.AXIOM.10 (30) 
SIFT.PARAMETER.INVARIANT#17 (32) 
SIFT. PARAMETER. INVARIANT#7 (32) 
TIMES.AXIOM.1 (56) 
TIMES.AXIOM.2 (8) 
TIMES.AXIOM.3 (48) 
VOTE.ACTIVITY (20) 
VOTE. FRAME. AXIOM (8) 
----- Unproved Formulas -----
BR.A41 (4) 
BR.A42 (4) 
BR.INDUCTION.SUB.TIME.1 (4) 
BR.INDUCTION.SUB.TIME.2 (8) 
BR.LEMMA.FOR.LES.TO.PROVE (4) 
CARD.2 (200) 
CARD.3 (3) 
CARD.4 (11) 
CARD.6 (10) 
CARD.D.BAG.D4 (2) 
CARD.D.BAG.L10 (2) 
CARD. INTERSECTION (1) 
CARD. SUBSET (3) 
INTERSECT (10) 
NECESSARY.EVIL (1) 
RP.L10 (2) 
SET.CONSTRUCTION.LEMMA (30) 
SET.CONSTRUCTION.LEMMA.2 (30) 
SETEQUALITY (12) 
SUBSET (3) 
290 
34_STATUS(IO.A5) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms -----
BOTTOM.EQUALITY (9) 
BR.AI2A (6) 
BR.AI2C (3). 
BR.AI3A (9) 
BR.AI3B (9) 
BR.AI6 (42) 
BR.AI8 (30) 
BR.A19.1 (9) 
BR.A21 (99) 
BR.A21B (42) 
BR.A22 (24) 
BR.A36 (33) 
BR.A44 (3) 
BR.A9A (12) 
BR.Dl (72) 
BR.RE.MAPPING.4 (6) 
BR.RE.MAPPING.6 (3) 
BR.RE.MAPPING.7 (3) 
BR.RE.MAPPING.8 (3) 
DATA. BOTTOM (9) 
DATA. EQUALITY (18) 
DATA.SIZE.IS.SEQ.LENGTH (6) 
DATA.SIZE.IS.SEQ.LENGTH.2 (21) 
DUMMY_VOTE.ACTIVITY (3) 
GE.CONFIG.FIELD (9) 
MAJ.l (6) 
MAJ.2 (6) 
MAJ.3 (3) 
PAIR.AXIOM.2 (30) 
PP.MAPPING.l (9) 
PP. MAPPING. 11 (6) 
PP.MAPPING.12 (18) 
PP . MAPPING. 13 (18) 
PP.MAPPING.2 (6) 
PP.MAPPING.3 (6) 
PP.MAPPING.4 (6) 
PP.MAPPING.5 (9) 
PP.MAPPING.7 (12) 
RE.BR.MAPPING.9 (72) 
RP .A1.1 (1) 
RP.D1 (1) 
RP.D10 (2) 
RP.D2.1 (1) 
RP.D3.1 (1) 
RP.D3.3 (1) 
RP.D4A (6) 
RP.D6 (2) 
RP.D7 (4) 
RP.D9A (2) 
SCHED.TABLE.LENGTH.AXIOM (6) 
SEQ.EQUALITY.AXIOM (24) 291 
SEQ.MEMBER.AXIOM (6) 
SET.ABSTR##9 (9) 
SET.ABSTRACTION.A9C (21) 
SET.ABSTRACTION.MAJ (9) 
SET.FN.AXIOM.10 (9) 
SIFT.PARAMETER.INVARIANT##17 (6) 
SIFT.PARAMETER.INVARIANT##7 (6) 
VOTE. ACTIVITY (6) 
----- Unproved Formulas -----
CARD.2 (33) 
CARD.3 (1) . 
CARDA (4) 
CARD.6 (6) 
CARD.D.BAG.D4 (3) 
CARD. INTERSECTION (1) 
SET.CONSTRUCTION.LEMMA (9) 
SET.CONSTRUCTION.LE~~.2 (9) 
SETEQUALITY (3) 
292 
35_STATUS(BR.LEMMA.17) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms 
BR .A1.C (1) 
BR.A1.D (1) 
BR .A1.E (1). 
BR.AI2 (2) 
BR.AI3A (2) 
BR.AI6 (5) 
BR.A21 (6) 
BR.A36 (2) 
BR.Dl (8) 
NAT.NONNEGATIVE (3) 
RE.BR.MAPPING.9 (8) 
SEQ.EQUALITY.AXIOM (2) 
----- Unproved Formulas 
BR.A41 (1) 
BR.A42 (1) 
BR.LEMMA.FOR.LES.TO.PROVE (1) 
CARD.2 (2) 
293 

SUBSECTION 7.20 
PROOF-STATUS 1 
295 

10_STATUS(IO.A2) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms -----
BOTTOM.EQUALITY (20) 
BR.A12 (12) 
BR.A12A (36) 
BR.A12C (10) 
BR.A13A (38) 
BR.A13B (38) 
BR.A16 (300) 
BR.A18 (244) 
BR.A19.l (74) 
BR.A19.2 (8) 
BR.A2l (944) 
BR.A2lB (432) 
BR.A22 (108) 
BR.A25A (8) 
BR.A27 (8) 
BR.A28 (32) 
BR.A29 (32) 
BR.A36 (192) 
BR.A40 (48) 
BR.A44 (10) 
BR.A9A (42) 
BR.Dl (440) 
BR.RE.MAPPING.4 (26) 
BR.RE.MAPPING.5 (8) 
BR.RE.MAPPING.6 (14) 
BR.RE.MAPPING.7 (6) 
BR.RE.MAPPING.8 (10) 
DATA.BOTTOM (20) 
DATA. EQUALITY (118) 
DATA.SIZE.IS.SEQ.LENGTH (20) 
DATA.SIZE.IS.SEQ.LENGTH.2 (198) 
DATA.SIZE.IS.SEQ.LENGTH.3 (10) 
DillfMY _ VOTE. ACTIVITY (10)' 
EXECUTE.ACTIVITY (4) 
EXECUTE. FRAME. AXIOM (4) 
GE.CONFIG.FIELD (84) 
IO.A2A (2) 
LENGTH.OF.ELE~~NTS.OF.ON.IS.LENGTH.OF.ON.IN (4) 
MAJ.1 (22) 
MAJ.2 (10) 
MAJ.3 (10) 
NAT.NONNEGATIVE (48) 
PAIR.AXIOM.2 (136) 
PP.MAPPING.l (50) 
PP.MAPPING.lO (4) 
PP.MAPPING.l1 (36) 
PP.MAPPING.12 (60) 
PP.MAPPING.13 (60) 
PP.MAPPING.2 (36) 
PP.MAPPING.3 (36) 
PP.MAPPING.4 (36) 297 
PP.MAPPING.5 (34) 
PP.MAPPING.6 (12) 
PP.MAPPING.7 (60) 
PP.MAPPING.8 (4) 
PP.MAPPING.9 (4) 
RE.BR.MAPPING.9 (464) 
RESULT.SIZE.GREATER.THAN.l (2) 
RP.A1.1 (44) 
RP.A3A (6) 
RP.D1 (27) 
RP.DIO (70) 
RP.D11 (4) 
RP.D2.1 (27) 
RP.D2.2 (8) 
RP.D3.1 (35) 
RP.D3.3 (35) 
RP. D4A (22) 
RP.D6 (6) 
RP.D7 (1) 
RP.D9A (3) 
RP.L12A (4) 
SCHED.TABLE.LENGTH.AXIOM (36) 
SEQ.EQUALITY.AXIOM (116) 
SEQ.MEMBER.AXIOM (36) 
SET.ABSTR#9 (30) 
SET.ABSTRACTION.A9C (70) 
SET.ABSTRACTION.MAJ (30) 
SET.FN.AXIOM.IO (30) 
SIFT.PARAMETER.INVARIANT#17 (36) 
SIFT.PARAMETER.INVARIANT#7 (36) 
TIMES.AXIOM.1 (56) 
TIMES.AXIOM.2 (8) 
TIMES. AXIOM. 3 (48) 
VOTE.ACTIVITY (20) 
VOTE.FRAME.AXIOM (8) 
----- Unproved Formulas -----
BR.INDUCTION.SUB.TIME.1 (4) 
BR.INDUCTION.SUB.TIME.2 (8) 
CARD.2 (196) 
CARD.3 (3) 
CARD.4 (11) 
CARD.6 (10) 
CARD.D.BAG.D4 (2) 
CARD.D.BAG.L10 (2) 
CARD. INTERSECTION (1) 
CARD. SUBSET (3) 
INTERSECT (10) 
NECESSARY.EVIL (1) 
RP.L10 (2) 
SET.CONSTRUCTION.LEMMA (30) 
SET. CONSTRUCTION. LEMMA. 2 (30) 
SETEQUALITY (12) 
SUBSET (3) 
298 
I3_STATUS(IO.A5) 
Proved Using the Following Axioms and Unproved Formulas: 
----- Axioms -----
BOTTOM.EQUALITY (9) 
BR.AI2A (6) 
BR.AI2C (3) 
BR.AI3A (9) 
BR.AI3B (9) 
BR.AI6 (42) 
BR.AI8 (30) 
BR.AI9.I (9) 
BR.A2I (99) 
BR.A2IB (42) 
BR.A22 (24) 
BR.A36 (33) 
BR.A44 (3) 
BR.A9A (12) 
BR.DI (72) 
BR.RE.MAPPING.4 (6) 
BR.RE.MAPPING.6 (3) 
BR.RE.MAPPING.7 (3) 
BR.RE.MAPPING.8 (3) 
DATA. BOTTOM (9) 
DATA. EQUALITY (18) 
DATA.SIZE.IS.SEQ.LENGTH (6) 
DATA.SIZE.IS.SEQ.LENGTH.2 (21) 
DUMMY_VOTE.ACTIVITY (3) 
GE.CONFIG.FIELD (9) 
MAJ.I (6) 
MAJ.2 (6) 
MAJ.3 (3) 
PAIR.AXIOM.2 (30) 
PP.MAPPING.I (9) 
PP. MAPPING.ll (6) 
PP.MAPPING.I2 (18) 
PP.MAPPING.I3 (18) 
PP.MAPPING.2 (6) 
PP.MAPPING.3 (6) 
PP.MAPPING.4 (6) 
PP.MAPPING.5 (9) 
PP.MAPPING.7 (12) 
RE.BR.MAPPING.9 (72) 
RP .A1.l (1) 
RP.DI (1) 
RP.DIO (2) 
RP.D2.1 (1) 
RP.D3.I (1) 
RP.D3.3 (1) 
RP.D4A (6) 
RP.D6 (2) 
RP.D7 (4) 
RP.D9A (2) 
SCHED.TABLE.LENGTH.AXIOM (6) 
SEQ.EQUALITY.AXIOM (24) 299 
SEQ.MEMBER.AXIOM (6) 
SET.ABSTRH9 (9) 
SET.ABSTRACTION.A9C (21) 
SET.ABSTRACTION.MAJ (9) 
SET.FN.AXIOM.I0 (9) 
SIFT.PARAMETER.INVARIANTHI7 (6) 
SIFT.PARAMETER.INVARIANTH7 (6) 
VOTE. ACTIVITY (6) 
----- Unproved Formulas -----
CARD.2 (33) 
CARD.3 (1) 
CARD.4 (4) 
CARD.6 (6) 
CARD.D.BAG.D4 (3) 
CARD. INTERSECTION (1) 
SET.CONSTRUCTION.LEMMA (9) 
SET.CONSTRUCTION.LEMMA.2 (9) 
SETEQUALITY (3) 
·300 
CHAPTER 8 
OVERVIEW OF CODE VERIFICATION 
301 

Overview of Code Verification 
The verified code for the SIFT Executive is not the code that executes on the SIFT system as 
delivered. The running versions of the SIFT Executive contain optimizations and special code 
relating to the messy interface to the hardware broadcast interface and to packing of data to 
conserve space in the store of the BDX930 processors. The running code was in fact developed 
prior to and without consideration of any mechanical verification. This was regarded as 
necessary experimentation with the SIFT hardware and special-purpose Pascal compiler. New 
sections of Pascal code, entirely independent of the running SIFT Executive, were written for the 
code verification from the lowest-level design specifications. Exactly those sections of code were 
constructed to correspond to the PrePost specifications. The Pre post specifications; in turn, 
specify only what was needed to prove I/O level properties addressed by the design verification. 
The Pascal code sections cover: the selection of a schedule from the global executive broadcast, 
scheduling, dispatching, three way voting, and error reporting actions of the SIFT Executive .. 
Not included in these sections of Pascal code are: the global executive, five way voting, clock 
synchronization, interactive consistency, low level broadcasting, and program loading, 
initialization, and schedule construction. The original intention was to augment the proven code 
in order to produce and deliver a running, proven system. Due to lack of project resources, this 
integration did not occur. 
The STP system was developed and used to prove properties of axiomatically specified design 
specifications. It does not however support deduction of properties of Pascal programs. 
Relatively late in the project, a Pascal/HDM verification tool was developed to make this code 
proof capability available to the project. The tool accepts (precondition/postcondition) 
specifications written in HDM's SPECIAL language, together with a Pascal program, and 
produces an STP theory containing the generated verification conditions. The verification 
conditions were then proven in STP, with some assistance from the tool. 
The complexity of the interface between SPECIAL, Pascal, and STP led to unwieldy interaction 
and a lack of confidence in the outcome of the code proof effort. In some cases, manual 
intervention was used to separate long verification conditions into manageable pieces, etc. 
Consequently, it is not possible to ascribe to the code proof the degree of confidence one might 
have in the design verification. However, the relationship between the PrePost Specification and 
the code sections is very close, and inspection of them will show that the specification requires the 
code to 'do what it does'. Virtually all interesting aspects of the design have been incrementally 
introduced and incorporated into the proof prior to the code level. For this reason, we feel that 
the actual code proof, while of course a necessary step in the complete exercise, is less valuable 
than design proof of the algorithms. 
The code proof was performed for the sections of Pascal code described earlier, containing the 
selection of a schedule from the global executive broadcast, scheduling, dispatching, three way 
voting, and error reporting actions of the SIFT Executive. The size of these sections of code 
cannot be compared to the size of other SIFT code, written on an entirely different basis. Indeed, 
their size is not relevant; it is their functionality, of maintaining consistency and correct results in 
an asynchronous multicomputer system containing faults, that is important. These sections of 
303 
code alone suffice to substantiate the I/O Specification property verified by the design 
verification. We intend to repeat this code verification, rigorously, using a new specification and 
verification system. 
The code verification did not consider the code or the global executive, five way voting, clock 
synchronization, interactive consistency, low level broadcasting, and program loading, 
initialization, and schedule construction. It is our opinion that the code ror the global executive, 
five way voting, interactive consistency, and schedule construction, is straight-rorward and 
presents no special verification problems beyond those or any other program code. We have no 
plans to veriry the program loading and initialization code. The difficulty or verirying the low 
level broadcast code, and the clock synchronization code, will depend very much on the model 
assumed ror the 'Pascal' broadcasting hardware. Undoubtedly, they can be done but may be very 
messy. The proor or the clock synchronization code (only 35 lines or declarations and statements 
in Pascal) is probably beyond the state or the art in any available verification system without the 
use or hierarchical design verification. 
Chapter 9 provides an introduction to the HDM-Pascal Code Verification System, and Chapter 10 
describes the System ror automatically constructing Verification Condition Generators, as used to 
build the HDM-Pascal VCG .. Chapter 11 describes the operation or the Code Verification System 
and Chapter 12 contains the User Manual. Chapter 13 contains a simple example, and Chapter 
14 describes the actual code verification done ror SIFT. 
304 
CHAPTER 9 
HOM-PASCAL CODE VERIFICATION SYSTEM - GENERAL INTRODUCTION 
305 

A Summary of HDM 
This chapter provides a brief summary of the Hierarchical Development Methodology. HDM 
decomposes the design of a system into a hierarchy of abstract machines, linearly ordered with a 
different abstract machine at each level in the hierarchy. Each abstract machine in the hierarchy 
is dependent only on the functionality of lower-level machines. Each abstract machine provides 
all of the facilities (operations and abstract data structures) that are needed to realize (i.e., to 
implement operations of and to represent the data structures of) the machine at the next higher 
level. The facilities of the highest-level abstract machine, and only those of that machine, are 
visible to a user of the system. The lowest-level machine, denoted as the primitive machine, 
cont.ains facilities that the designer deems as primitive, e.g., the hardware on which the system is 
running or a programming language. A machine is itself decomposed into modules, each module 
having operations and data structures which typically define a single abstract data concept. As 
in the Parnas module concept, the module is the programming unit of HOM; each of the modules 
may be independently implemented. The programs implementing a module can access the data 
structures of their own abstract machine, but not those of lower-level machines. Lower-level data 
structures may be modified only by the execution of lower-level operations. Thus the internal 
details of a module remain hidden from above the module. 
In HOM there is a clear separation of the aspects of system realization into 8tages, as follows: 
1. Conceptualization of the system. 
2. Definition of the functions oC the external interCace and the structuring of those 
functions into a hierarchy of abstract machines, each consisting of one or more 
.modules. 
3. Adding further abstract machines to the structure of the entire system, including 
modules within the hierarchy that are not externally visible. 
4. Formal specification of each module. 
5. Formal representation of the data structures of each machine in terms of those of the 
modules at the next lower level. 
6. Abstract implementation of the operations of each module, i.e., writing an abstract 
program for each abstract machine written in terms of the operations at ~he next 
lower level. 
7. Coding, or transforming the abstract programs into efficient executable programs. 
Parnas [121 has characterized software development as a sequence of decisions, where it is likely 
that decision di is dependent on earlier decisions dl, ... , d(i-l). What Parnas recognized as vital is 
that there is a proper order for decisions, namely the earlier decisions have the greater impact on 
the ultimate success of the system. Thus it is vital to identify the important decisions and to 
evaluate them critically. HOM has been designed to formalize this decision model. 
307 
Each of the stages of HOM involves the making of decisions, and HOM provides languages to 
express these decisions. Those decisions associated with stages (1) through (4) are generally 
considered as design. Those associated with stage (5) and with stages (6) and (7) involve 
representation and implementation, respectively. The decisions made from stage (1) to stage (7) 
are roughly in order of decreasing importance. For example, whether or not to use paging 
involves a design decision, and is clearly more important than how to store the page table -which 
is a representation decision. The algorithm for page replacement is an implementation decision. 
This approach contrasts with the current approach to software realization in which the program 
itself is used to capture all of the decisions of design, representation, and implementation. In a 
system designed according to HOM, the four stages would largely be pursued in order. Thus, all 
of the design decisions should be made before the representation or implementation is attempted. 
However, backtracking is normally expected. In addition, it is not implied that a designer first 
considers the highest abstract machine, then the next highest and so on, i.e., top-down design. 
\Ve would expect that attention would be given to several abstract machines at a time, i.e. when 
a designer conceives of a particular abstract machine at a position in the hierarchy, he might also 
have in mind lower level abstract machines to implement that machine. It is also possible for the 
design to be accomplished top-down while the implementation proceeds bottom-up. 
Module specification (stage 4) involves the expression of the intent of a module, independent of its 
implementation. The language SPECIAL (SPECification and Assertion Language) ( (161, [13]) is 
used for this purpose and enables the concise and formal description of a module. SPECIAL is 
also used for writing intermodule representations (stage 5), which we call mapping functions. 
The intermodule implementation programs (stage 6) are called abstract programs, since each can 
be viewed as running on an abstract machine whose operations they invoke. Abstract programs 
are intended to be directly compiled into executable code (stage 7). The language used for 
writing abst.ract programs can be extremely simple since most of the complexity of the programs 
is embodied within the abstract machine operations invoked by the programs. We have 
developed a clean simple language (ILPL -- Intermediate Level Programming Language) to 
describe abstract programs. Alternatively, programs could be written directly in a modern 
programming language such as Ada, Euclid, or Modula. 
The first three stages of HOM are fundamental to the development. The decisions precisely 
formulated for these stages provide an early documentation of a system, prior to implementation, 
and significantly more understandable than the implementation. They thus provide the basis for 
good implementation. The results of these stages also provide the assertions that define what 
correctness· means for the system. Since each stage of HDM has an appropriate formal language 
for expressing the decisions made at that stage, machine checking is possible. Existing tools 
accomplish some types of machine checking for these stages. 
The specifications for the highest-level abstract machine are a concise description of the system as 
seen by the user, but only in terms of those facilities that are relevant to the specifications, i.e., 
implementation details are omitted from the specification. In addition, the module specifications 
and mapping functions are used [141 to formulate assertions for the proof of the abstract 
programs. This report is concerned primarily with the design aspects of HOM, although 
references are included that discuss techniques for verification in HOM. 
HOM is a new synthesis of several promising approaches to software design. It has been 
308 
developed to address deficiencies in the current software practice. It has been clearly influenced 
by the concepts of hierarchical programming and its extensions, in particular the important 
principles of hierarchical design, of doing design prior to implementation, of decomposing a 
system into small manageable pieces, and of carrying out a proof of correctness simultaneous with 
design. Although these principles are well-known, they are difficult to apply to real systems. The 
key to the effectiveness of HOM is that it offers a practical means for constructing, manipulating, 
evolving, and maintaining formal program abstractions. This property is absent in current 
structured programming methodologies, and present in only primitive form in modern 
programming languages. Formal abstraction provides the mechanism for verification, separation 
of specifications and implementation, variations in the order of binding design decisions, family 
design, and other desiderata of modern system development. 
At present, HOM is evolving and does not yet possess all of the on-line aids that would ease its 
routine use. For the immediate future (say the next two years), it will see its greatest use in 
systems where correctness is of extreme concern. We anticipate that in the future, HOM-like 
met.hodologies will be an important approach to the design of general software. 
This document is intended to serve as an overview of HOM, describing in some detail most of the 
features needed to design and implement systems. Some attempt is made to justify particular 
features and to compare HOM with other approaches, but this report is not intended to be a 
complete survey on design methodologies. A more complete description of HOM can be found in 
the three-volume HOM Handbook [15, 17, 8J. 
Chapter 3 of this report discusses the uses of HOM in the development of secure systems and· 
subsystems. Chapter 4 presents an example of the use of HOM, organized according to the stages 
of HOM outlined above. Chapter 5 presents part of the design of a secure data management 
system as an illustration of HOM's usefulness in designing a secure application system. 
309 
2. The Use of HDM for Attaining Security 
This chapter presents some of the important aspects of HOM for developing software satisfying 
security requirements. 
The attainment of security requires an overall perspective on the system needs. In general, it is· 
very difficult (if not impossible) to enforce elaborate security policies in an application 
environment if the underlying system is insecure - unless the application environment is 
extremely restrictive (e.g., has no sharing of resources, or hides all of the facilities of the 
underlying system). Thus it is necessary to consider the security provided by the operating 
system, not just the security provided by an application environment. Further, the attainment of 
security can be adversely affected by improper design, by poor choice of programming language, 
and by improper implementation. Any weak link could provide a critical flaw. 
The ways in which HOM contributes to the attainment of secure software have been considered at 
length in [11]. These issues are only summarized here. 
Suitability for verification is the major factor that differentiates HOM from the wealth of 
development methodologies. Since correctness is so critical for security, formal verification of 
sec:urity properties is considered mandatory for certain systems. HOM was developed to address 
the need for verifying large systems. HOM organizes the development into stages, the system into 
a hierarchy of abstract machines, and the machines into modules to produce units small enough 
and well structured enough to be amenable to verification. A verification methodology based 
upon this' ap~roach has been developed [14]. However, even if formal verification is not 
attempted, the preciSion and discipline imposed by HOM encourage sound design and 
. implementation. The concentration on careful design and matching implementation, and the 
potential ror analysis throughout make HOM an excellent choice when security is an issue. 
2.1 Current Uses of HDM for Security 
. HOM is being applied to the design of several systems with critical requirements. These include 
secure systems designed at SRI, namely the Provably Secure Operating System (PSOS (10], [5]) 
and a secure real-time operating system (TACEXEC [4]). (HOM is also being used for NASA by 
SRI in the development of SIFT, an ultrareliable fault-tolerant computer system [18].) 
HOM is being used outside of SRI as well. The Ford Aerospace and Communications Corporation 
is developing a system [KSOS] whose user interface is compatible with UNIX (Registered 
Trademark of Bell Laboratories) and which is based on a security kernel [9]. The security of the 
KSOS design is being subjected to formal proofs that the specifications are consistent with a 
formal model for multilevel security [1]. 
At the time of writing, all of the kernel specifications have been subjected to the proof process, 
and the proofs have pointed out the flaws remaining in the design. Honeywell is using HOM on 
its own version of KSOS [KSOS-6], and has used it in the past for a flight-control system [2] and 
for the design and proof of a secure kernel for a Multics-like system (together with the MITRE 
Corp.) [7]. In addition, there have been and are various other experimental uses of HOM. 
310 
Until now, most of the applications of HDM have been to operating systems or kernels in which 
there are extremely critical requirements. In many of these efforts, verification is an important 
consideration. 
2.2 Requirements 
A system should be designed with a clear understanding of what requirements it is to meet, 
particularly with regard to security. It is desirable to have a precise definition of what it means 
for a system to be "secure". For example, the PSOS design permits the implementation of highly 
sophist,icatcd security policies; various properties of the basic PSOS protection mechanism have 
been formalized. The KSOS design has a security kernel which provides enforcement of a 
multilevel security policy (under which information at a given security level cannot filter down to 
a lower level). A formal requirement that the specification for each kernel function satisfies this 
model is being used for the proofs mentioned above. (An earlier version is given in [3].) It is also 
applicable to trusted processes that are authorized to selectively violate the security of the kernel. 
2.3 Design 
HDM enforces constraints on the way in which a design is defined, although it does not essentially 
constrain what the design can achieve or what functionality can be implemented. Use of 
hierarchical design structure and formal specifications for each module in the hierarchy 
contributes to the avoidance of many types of security naws commonly found in the design and 
implementation of existing systems. For example, the notion of abstract machine specificatin 
verification are appropriate. In general, verifiability is greatly enhanced by the use of HDM [14]. 
The staged decom position of the development process permits design proofs to be carried out 
before implementation is attempted (providing a formal means for early evaluation of the design), 
and then permits proofs of program correctness. The hierarchical decomposition of the design 
into levels of abstract machines is particularly valuable in simplifying both the design proofs and 
the program proofs. Use of formally based languages of HDM is vital to both types of proof. 
Design proofs demonstrate a formal consistency between the formal specifications (in SPECIAL) 
and a formal model (e.g., a model of the security requirements). These specifications also form a 
basis for the program proofs, verifying that the program implementing a module specification is 
consistent with its specification. As noted above, the choice of programming language can greatly 
innuence the feasibility of verification. 
311 
3. A Simple Example of the Use of HDM 
In this chapter, HDM is used to describe a complete - although very simple -- system: a "stack" 
module implemented in terms of an "array" module. The discussion is organized into seven 
sections: a review of HDM, and one section for each stage outlined in Chapter 2. 
In HDM, a system evolves from an initial concept to verified executable code as a sequence of 
"decisions". In each stage of the development process, the system developer makes a series of 
decisions. The stages are ordered so that improper decisions tend to be exposed early, and 
therefore can be corrected early. 
The verification aspects of HDM are found in [14]. Some aspects of verification are'discussed 
below in connection with the first six stages. 
A primary concern is to illustrate the staged, decision-oriented development of a system using the 
three languages of HDM -- HSL (the Hierarchy Specification Language), SPECIAL, and ILPL. 
Brief int-roduct,ions to these languages are given to produce a reasonably self-contained 
description. However, the simplicity of the example does not properly illustrate many of the 
advantages of HDM as applied to complex systems. More details on HDM and a more complex, 
example appear in [15, 17,8]. 
3.1 Review of the Mechanisms of HDM 
In HDM, a system is realized as a linear hierarchy (a sequence) of ab8tract machine8, sometimes 
called levels. The top level is called the user-inter face, while the bottom level is called the 
primitive machine. These two machines together are called the extreme machines. The 
remaining levels are called intermediate machine8. Each machine provides operation8, each of 
which has a unique name and arguments. An operation is invoked, similar to a subroutine call in 
,a conventional p~ogramming language, by associating values for the operation's arguments. The 
invocation of an operation can return a value and/or modify the internal 8tate (abbreviated as 
8tate) of the machine, as renected by the values of the machine's ab8tract data 8tructure8. As 
discussed later, the "return" of an operation can be either a value or an "exception", the latter 
corresponding to one of a number of conditions that are defined for the module. 
The "user-interface" provides the operations that are available to the user of the system. The 
operations of the "primitive machine" are typically constructs of a programming language and 
possibly some of the hardware operations. 
A machine 8pecification characterizes the value returned and the new state for each possible 
machine operation and each possible state of the machine. The specification describes the 
functional behavior of a system (returned values for all input combinations), but not necessarily 
the performance of the system or the resources consumed by its execution. 
The realization of a machine (not the primitive machine, hereafter noted as machine i) is a two 
step process. First, the abstract data structures of a machine i (i not 1) are repre8ented by those 
of the next lower-level machine i-I. Second, each of the operations of a machine i (i not 1) is 
312 
im1Jlemented as a program in terms of the operations of machine i-I. The collection of 
implementations for all machines excluding the primitive machine constitutes the sJlstem 
implementation. 
A machine is sometimes decomposed into simpler units called modules. For the purposes of this 
discussion, a module may itself be viewed as a machine; however, in reality a module's 
specification need not be self-contained, unlike that of a machine. 
Clearly, system implementation is the desired end-product of the system development process. 
However, its emergence takes place only at stage 6. In the five previous stages, important 
decisions are made that logically progress toward the end product. 
3.2 Stage 1 -- Conceptualization 
In stage 1, the problem to be solved is formulated in general terms. Typically, the statement is in 
terms of constraints imposed on the extreme machines, and of the performance expected from the 
system. Currently, English is employed as the description medium, although consideration is 
being given to a formal language for conceptualization. For our single example, we will utilize the 
Conceptualization stage to provide informal descriptions of the extreme machines. 
The user interface provides a collection of individually accessible stacks, manipulatable by 
conventional stack operations. The primitive machine consists of a collection of individually 
accessible arrays, as provided by a conventional high-level programming language. This example 
is developed according to the stages of HDM. The completed example is presented in the 
following figures. 
313 
Figure 3-1: Specification orthe STACKS Module 
MODULE stacks $( maintains a fixed number of stacks of integers, 
each of the same fixed maximum size) 
TYPES 
stack_name: DESIGNATOR $( names for stacks) j 
PARAMETERS 
INTEGER max_stack_size $( maximum size for a given stack) j 
FUNCTIONS 
VFUN ptr(stack_name s) -> INTEGER ij $( stack pointer, or 
number of elements, of stack s) 
HIDDEN; 
INITIALLY 
i = OJ 
VFUN stack_ val(stack_name Sj INTEGER i) -> INTEGER Vj 
$( v is the ith value of stack s) 
HIDDENj 
INITIALLY 
v = 7j 
OFUN push(stack_name Sj INTEGER v)j 
$( puts the value v on top of stack s) 
EXCEPTIONS 
stack_overnow : ptr(s) = max_stack_sizej 
EFFECTS 
'stack_ val(s, 'ptr(s)) = Vj 
'ptr(s) = ptr(s) + Ij 
OVFUN pop(stack_name s) -> INTEGER Vj 
$( pops the stack s and returns the old top) 
EXCEPTIONS 
stack_ undernow : ptr(s) = OJ 
EFFECTS 
'stack_ val(s, ptr(s)) = !j 
'ptr(s) = ptr(s) - 1; 
v = stack_ val(s, ptr(s»j 
END MODULE 
314 
Figure 3-2: Specification of the ARRAYS Module 
MODULE arrays $( maintains a fixed number of fixed-size 
integer arrays) 
TYPES 
array _name: DESIGNATOR; 
PARAMETERS 
INTEGER array _size $( the number of elements in an array); 
FUNCTIONS 
VFUN access_array(array _name a; INTEGER i) -> INTEGER V; 
$( returns element i of array a) 
EXCEPTIONS 
array _ bounds: i < 0 OR i > array _size - 1; 
INITIALLY 
v=O; 
OFUN change_array(array _name a; INTEGER i, v); 
$( changes. the ith value of array a to v) 
EXCEPTIONS 
array _ bounds: i < 0 OR i > array _size - 1; 
EFFECTS 
'access_array(a, i) = v; 
END MODULE 
315 
Figure 3-3: Mappings for STACKS and ARRAYS 
MAP stacks TO arrays; 
EXTERNALREFS 
FROM stacks: 
stack_name: DESIGNATOR; 
INTEGER max_stack_size; 
VFUN ptr{stack_name s) -> INTEGER i; 
VFUN stack_ val( stack_name s; INTEGER i) -> INTEGER V; 
. FROM arrays: 
array _name: DESIGNATOR; 
INTEGER array _size; 
VFUN access_array( array _name aj INTEGER i) -> INTEGER Vj 
INVARIANTS 
FORALL array _name a: access_array(a, 0) <= array _size - 1 
AND 
access_array(a, 0) >= 0; 
MAPPINGS 
stack_name: array _name; 
ptr( stack_name s): access_array(s, 0); 
stack_ val( stack_name Sj INTEGER i): 
IF 1 <= i AND i <= access_array(s,O) 
THEN access _ array(s, i) 
ELSE 7; 
END MAP 
316 
Figure 3-4: Abstract Implementation of the STACKS Module 
IMPLEMENTATION stacks IN TERMS OF arrays; 
EXTERNALREFS 
FROM slacks: 
stack_name: DESIGNATOR; 
INTEGER max stack size; 
OFUN push(sta~k name s; INTEGER v); 
OVFUN pop(stack_name s) -> INTEGER v; 
FROM arrays: 
array_name: DESIGNATOR; 
INTEGER array-size; 
VFUN access_array(array_name a; INTEGER j) -> INTEGER v; 
OFUN change_array(array_name a; INTEGER i, v); 
TYPE MAPPINGS 
stack_name: array _name; 
INITIALIZA TION 
BEGIN 
max_stack_size < - array _size - 1; 
END; 
IMPLEMENTATIONS 
OPROG push(stack_name s; INTEGER v); 
DECLARATIONS 
INTEGER i; 
BEGIN 
i < - access_array(s, 0) + 1; 
EXECUTE change array(s, i, v) THEN 
ON array-bounds: RAISE(stack_overflow); 
ON NORMAL:; END; 
change_array(s, 0, j); 
END; 
OVPROG pop(stack_name s) -> INTEGER v; 
DECLARA TIONS 
INTEGER i; 
BEGIN 
i < - access array (s, 0); 
IF i = 0 THEON RAISE(stack underflow); FI; 
change_array(s, 0, i-I); -
v < - access_array (s, j); 
RETURN(v); 
END; 
END JMPLEMENT A TION 
317 
3.3 Stage 2 -- Extreme Machine Interrace Design 
In stage 2, more detail is developed ror the two extreme machines, concerned primarily with the 
decomposition or these machines into modules and the selection or the operations or the 
constituent modules. An inter face de8cription is derived ror each module, specirying the 
monule's operat.ions and providing supporting inrormation. The .interrace description is 
sometimes (6) referred to as the "syntax" or a module, in contrast to the specification (stage 4) 
which is referred to as the "semantics". 
For our example, each (extreme) machine is a single module: "stacks" ror the "user-interrace", 
and "arrays" ror the "primitive machine". Hence we here rerer to "stacks" and "arrays" both 
as machines and as modules. 
3.3.1 Interface Description for 'stacks' 
MODULE stacks 
stack-name: DESIGNATOR 
INTEGER max stack size 
OFUN push{stack_name s; INTEGER v) 
OVFUN pop{stack_name s)·> INTEGER v 
Some brief remarks about the syntax or SPECIAL are appropriate. First, all reserved words are 
in caps. Second, SPECIAL is a "typed" language in that a type is associated with each item 
when declared, thus permitting subsequent appearances or the items in a specification (see stage 
4) to be checked ror consistency with their declared type. For present purposes, a type is a set or 
values. The type INTEGER (a primitive type or SPECIAL) has as values all or the integers 
-- positive and negative (including zero). The type BOOLEAN (also a primitive type or 
SPECIAL) has as values TRUE and FALSE. Although not needed ror this example, there are 
additional primitive types. New types, e.g., sets, vectors, structures (records), subtypes, may also 
be construct.ed out or existing types. 
One or more t.ypes noted as de8ignator type8 can be associated with a module. The values or 
these types, called de8ignator8, serve as names ror abstract objects or the module. The interrace 
description or a module lists all or its designator types. For example, the "stacks" module 
interface description declares the designat.or type "stack_name" (an abbreviation ror name-or-
st.ack). 
Following the de the module being specified, and additional runctions declared to produce a more 
readable specification. The rollowing are examples or types or expressions supported by 
SPECIAL. 
1. Arithmetic Expressions 
The value returned by an arithmetic expression is or type INTEGER or REAL. An arithmetic 
expression is a single constant, a variable or a user-defined runction or type INTEGER or REAL, 
or is built out or existing arithmetic expressions using the operations "+", "*", ".", "/". 
318 
2. Boolean Expressions 
The value returned by a boolean expression is or type BOOLEAN. The constants TRUE and 
FALSE are boolean expressions, as are variables and runctions declared to be or type BOOLEAN. 
The operations AND, OR, " ......... " (NOT) and "=>" (IMPLIES) are used to build up boolean 
expressions Crom existing boolean expressions. 
3. Relational Expressions 
Using the infix relational operators (namely "=", "<", "<=", ">", ">=", " ......... ="), boolean 
expressions are constructed Crom existing expressions. For "=" (or " ......... ="), the resulting 
expression is oC the Corm A = B (or A ......... = B) where A and B are required to have the same 
type. For the other operators, each oC the two component expressions is required to be or type 
INTEGER or REAL. 
4. Conditional Expressions 
A conditional expression is oC the Corm IF P THEN Q ELSE R, where P is of type boolean, and 
Q and R are of the same arbitrary type. The type or the re~lUlting expression is the type of Q (or 
R). 
5. Quantified Expressions 
To express properties relating to a large number or values, SPECIAL provides quantified 
expressions that are in the first-order predicate calculus. The universal quantified statement is 
written as 
FORALL x I P(x): Q(x) 
or 
FORALL x: P(x) >Q(x). 
The meaning is "For all values or x such that P(x) is true, Q(x) is also true." Clearly, P(x) and 
Q(x) are of type BOOLEAN, as is the type or resulting expression. The variable x can be or any 
type, usually declared prior to its introduction in the specification. 
The existentially quantified statement is written as 
EXISTS x I P(x): Q(x), 
which has the meaning "There exists a value x such that, ir P(x) is true, then Q(x) is also true." 
3.3.2 Role of -7- in SPECIAL 
SPECIAL provides the particular value UNDEFINED (abbreviated as "!") to stand ror "no 
value". It is used in a specification where the designer wishes to associate the absence of a 
meaningful value with a data structure. (UNDEFINED should not be conrused with "don't 
care", which stands for some value.) UNDEFINED is only used in a specification, not in an 
implementation; no operation can return U!U as a value. For purposes or establishing type 
matching rules, however, "!U is assumed to be a value or every type. 
319 
3.3.3 Specification of ·stacks· 
Now we are ready to discuss the SPECIAL specification of the module "stacks ll . This 
specificat.ion consists of three paragraph8: TYPES, PARAMETERS, and FUNCTIONS. More 
complex modules would require additional paragraphs, omitted here for simplicity. 
1. TYPES paragraph 
Here the types referred to in the specification are declared. It is required that all designator 
types (e.g., "stacks" for this module) be decbred, but the declaration of other types can be 
deferred until the first appearance of an item of that type. Note that comments -- $(This is a 
comment) -- can appear anywhere in a specification. 
2. PARAMETERS paragraph 
All of the parameters are listed as they appear in the interface description of the module. 
3. FUNCTIONS paragraph 
Most of the functionally interesting information in a module specification is embodied in the 
FUNCTIONS paragraph. Each of the operations of the module (llpush" and IIpOp" for the 
module II stacks II ) is listed and individually specified. In addition, other functions, typically V-
functions corresponding to data structures, are introduced to assist in the specification of the 
operations. Itis emphasized that, except for the primitive machine, the data structures serve 
only for purposes of specification. 
We separately consider V-functions and 0- and OV-functions. 
a. Specification of V-functions 
For purpose of specification, a V-function returns a value and never causes a state change. A 
V-function is classified as [primitive or derived] and [visible or hidden]. Thus a V-function is one 
of four flavors, identified by the combination of reserved words that appear in its specification. 
The primitive V-functions -- IIptrll and "stack_val" for the "stacks ll module -- correspond to 
the module's data structures. Their specification requires the association of an initial value with 
each possible argument value. That is, all primitive functions are defined to be "total", although 
many argument values correspond to physically meaningless conditions. For such conditions, the 
value of the function is usually "!II. The expression following INITIALLY specifies the initial 
value .. The primitive v-function IIstack_ val" returns the INTEGER v corresponding to the i-th 
location in stacks. We have decided that the initial value v of "stack-val" for any stacks is to be 
"!" for all i. The expression 
v=! 
which is understood to mean 
FORALL s; i: stack_ val(s, i)=! 
captures this decision. Note that in general the expression need not determine a unique initial 
yalue for a primitive V-function. 
320 
The other primitive V-function, "ptr" returns the value i of the stack pointer for stack s. The 
initial value of "ptr" is 0 for all stacks, renecting the decision that all stacks are to be initially 
empty. 
A hidden V-function cannot be called from outside the module, i.e., it is not an operation. The 
reserved word HIDDEN in the V-function specification declares the function to be hidden. 
Clearly, "stack_val" should be hidden since only the top element of the stack is to be accessible. 
However, some designs for a stack allow the pointer to be accessible. 
The visible V-functions are operations that return a value, but do not cause a state change. 
They are identified by the absence of the word HIDDEN in the specification. As is the case for 
all operations, the specification can indicate a list of exception conditions. Since the "stacks" 
module has no visible V-functions, we defer discussion of exception conditions to the next section. 
The value of a derived V-function is specified in terms of the values of the primitive V-functions. 
In the specification of a derived V-function, an expression that defines the returned value appears 
following the reserved word DERIVATION. 
Because a V-function can serve multiple roles (say as an operation and a data structure), the 
length of a SPECIAL specification can be reduced, as compared with an alternative specification 
technique in which operations and data structures are separately specified. 
h. Specification or 0- and OV-runctions 
All 0- and OV-functions are state-changing operations. An operation can return one of n 
exceptions ex!, ex2, ... , exn (we use the descriptive term "raise" in referring to exceptional 
returns), or can return "normally". No state change occurs when an operation invocation raises 
3n exception. A value-returning operation (V- or OV-function) will return an actual value upon 
the NORMAL return; an O-function merely returns. Exception returns are a way of associating 
particular events with classes of states and values of the operation's arguments. In the 
specification of an operation, the specification of each exception condition consists of a name 
(typically a mnemonic for the condition) followed by a boolean expression that characterizes the 
condition. The list of exception conditions follows the reserved word EXCEPTIONS. 
The behavior of an operation that has n exception conditions is determined as follows: if the 
expression corresponding to ex! evaluates to true, then the first exception is raised; if the 
expression corresponding to ex! evaluates to false and the expression corresponding to ex2 . 
evaluates to true, then the second exception is raised; ... ; finally, if the expressions corresponding 
to ex!, ... , exn evaluate to false, the operation returns normally. 
For the O-function "push", there is the single exception condition, specified as: 
The expression evaluates to true when the number of elements in the stack is equal to the 
maximum size of a stack. 
Following the reserved word EFFECTS, the state changes that can occur as associated with 
321 
0- and OV-functions, together with the value corresponding to the NORMAL return of an OV-
function, are specified. The specification consists of a collection of boolean expressions, each 
called an effect (in which the order of presentation is irrelevant). Semantically, the collection of 
effects should be read as a single expression which is the conjunction of the expressions 
corresponding to each of the errects. An errect can reference the following: arguments to the 
operation, values of primitive V-functions before the invocation ("old" values) of the operation, 
and value that primitive V-functions will obtain after t.he"invocation ("new" values). In the 
specification, a single quote, "'" , preceding a primitive V-function indicates the value of the V-
function after the invocation. The collection of effects defines the new value of each primitive 
V-function in terms of old values and argument values in the following way: the feasible new 
values for the primitive V- functions are those for which each of the effects evaluates to TRUE. 
Thus the specifications need not be determini8tic, i.e., they need not define a unique new value 
for each primitive V-function argument list. However, the specifications for our simple example 
are deterministic. 
\Vhen the new value of a primitive V-function for some argument is not constrained by the 
specification, it is assumed that the new value is identical to the old value. 
For "push", the effects are: 
'stack_ val(s, 'ptr{s)) = v; 
'ptr(s) = ptr(s) + 1; 
They constrain the new value of "ptr(s)1I to be the old value incremented by one, and the new 
value of the pointer for s to be the value v pushed onto the stack. Note that since the effects do 
not constrain the values of stack_ val(s,i) for i ........ = 'ptr(s), such values remain unchanged. 
We will not burden the reader with a discussion of the errects for IIpOpll, except for a few 
remarks. First, note that the returned value v is specified to be the INTEGER on the top of the 
stack in the old state. Second, the location at the top of the stack is the old state changed to be 
"!". It should be clear that this latter state change is apparent only in the specification. The 
implementation need not be concerned with this apparent storing of II!II. 
3.3.4 Specification of -arrays-
Since the specification of the module "arraysll is relatively straightforward, only a few clarifying 
remarks are necessary. The V-function lIaccess_array" serves both as the principal data 
structure of the module and as an operation. Its invocation raises an exception if the actual 
argument i is out of bounds. Thus, although the function is defined to be total, its representation 
(for example, as a data structure in a programming language) need only account for values of i 
that are within bounds. 
3.4 Stage 5 -- Data Representation 
322 
3.4.1 Overview of Module Representation 
In this stage, the primary concern is with representing the data structures or each machine (other 
than the primitive machine) in terms or the data structure or the next lower-level machine. The 
description or the representation or a machine m in SPECIAL is denoted as the "m mapping". 
As with a module specification, a mapping can be checked ror selr-consistency, but also ror 
consistency with the module specifications, interrace description, and hierarchy description. 
A mapping, similar to a module specification, does not act as executable code. Instead, a 
mapping is a rormal description, serving as a record or the representation decisions and as an 
input to a verirication system. Thus the representations are conveniently described using the 
SPECIAL expression mechanism. 
Since the hierarchy for our example contains only two levels, only one mapping is required, for 
"stacks". The mapping contains three paragraphs: EXTERNALREFS, INVARIANTS, and 
MAPPINGS. (For more complicated systems, additional paragraphs would be required.) Berore 
discussing the mapping in detail, it is appropriate to present informally the basic representation 
decisions. 
3.4.2 Representation Decisions for 'stacks' 
Each stack of integers is represented as an integer array. The current value of the stack pointer 
for stacks is the value in the O-th location or the array a corresponding to s. Each or the 
"defined" clements in stack s -- those in position I, 2, ... , ptr(s} -- are in corresponding positions or 
array. Thus the locat.ions or array a starting with location ptr(s) + 1 hold values that are 
inconsequential to the "stacks" module. Since all locations of the array except the O-th are 
available to hold stack elements, the maximum stack size is the array size minus one. 
3.4.3 EXTERNALREFS Paragraph 
In the EXTERNALREFS paragraph are listed all the items of the upper level that are to be 
represented, and those of the lower level that are the targets or the representation. For both 
levels, the items or concern are primitive V-runctions, parameters, and designator types. Clearly, 
the primitive V-runctions and parameters are or concern here as they are the data structures or 
the respective machines. However, the mapping must also consider the designator types or the 
upper modules, since they embody a set of values that have meaning only at the upper module, 
and thus are part or the data of that module. The inclusion of type inrormation here (although 
redundant with information in the module specification) permits the type checking or a mapping 
as a self-contained unit. 
3.4.4 MAPPINGS Paragraph 
In this paragraph the representation decisions that were inrormally presented above are precisely 
formulated. Each upper-level data item is separately represented, that is, associated with an 
expression in terms of lower-level data items. The expression associated with an upper-level data 
item can be viewed as a definition or that item in terms of the data items at the next lower level. 
The first of the mappings 
323 
stack_name: array _name 
captures the decision that the type "stack_name" is to be represented by the type 
"array _name". It is understood that each designator s of "stack_name" is to be represented 
by a unique designator a of "array _name", although at this point it is not necessary to define 
precisely the correspondence between values of the two types. In general, a designator type of the 
upper level can be represented by any type of the lower level. Thus, designators can be 
represented (for example) by integers; indeed, assuming that a primitive machine supporting 
designators is not available, the ultimate representation of designators is likely to be in terms of 
such primitive data types as integers, characters, or machine words. 
The second of the mappings 
captures t.he decision that the maximum number of stack elements is one less than the size of an 
array. 
The t.hird of the mappings 
ptr(stack_name s): access_array(s,O) 
captures the decision that the stack pointer is stored in the O-th location of the corresponding 
array. Note that s, d~c1ared to be of type "stack_name", appears in the defining expression in a 
context in which "stack_name" has no meaning. Clearly, s in the defining expression refers to 
the unique "array _name" designator corresponding to s. In general, when an argument a of 
some type t associated with the upper level appears in the defining expression, it is assumed to be 
the unique clement a' that is the representation of a. Thus the type of a in the defining 
expression is t', where t' is the type that represents t. 
The fourth of the mappings 
stack_ val(stack_name s; INTEGER i) : 
IF i > 0 AND i <= access_array (s, 0) 
THEN access _ array (s, i) 
ELSE? 
captures the decision that "defined" elements of the stack appear in corresponding elements of 
the array. For i corresponding to an undefined stack element, the expression must evaluate to 
"!" 
3.4.5 INVARIANTS Paragraph 
This paragraph contains boolean expressions (invariants) in terms of the lower level that are 
intended to be true after the execution of a program that implements an operation of the upper 
level machine. In effect, the invariants express constraints on the lower level state. It should be· 
understood that the invariants are expected to be satisfied by any program referring to the 
operations of the lower-level machines. Generally, many invariants can be posed, but only those 
that assist in the verification, that are significant in the documentation of the system, or that 
simplify the implementation are included. 
324 
The single invariant of our example 
FORALL array _name a: 
access _ array(a, 0) <= ar;ray _size-l 
AND 
access_array(a, 0) >= 0 
constrains the value in the O-th location of all arrays to be bounded by 0 and array _size-I. Since 
the stack pointer is stored in the O-th location of the corresponding array, this invariant indeed 
seems reasonable. 
3.5 Stage 6 -- Abstract Implementation 
In stage 6 each machine (other than the primitive machine) is implemented in terms of the 
machine at. the next lower level. For machine i, the implementation consists of 
• An initialization program whose execution causes the state of machine i-I to become 
a state that maps (up) to the initial state of i; A program for each operation of i that 
satisfies its specifications. 
All programs of the implementation of i reference operations of i-I. 
For expressing the implementation programs, we have developed the language ILPL (Intermediate 
Level Programming Language). Although, in principle, almost any programming language could 
be used t.o express machine implementations, ILPL is particularly well-suited in that its syntax, 
type checking rules, and model of computation are compatible with the other languages of HDM. 
We will not present a detailed description of ILPL, but instead illustrate some of its features in 
connection with the implementation of "stacks". First, we present a brief overview of the 
language. 
3.6.1 Overview of n.,PL 
ILPL is an extremely simple imperative language, avoiding many of the complex features of high-
order programming languages. The main purpose of ILPL is to describe a sequence of calls to 
operations. Some of the significant features of ILPL are the following: 
• Simple argument passing discipline: In ILPL, all arguments are passed by "value". Of 
the conventional schemes for passing arguments -- by "value", by "reference", and by 
"name" -- "call by value" is conceptually the simplest. It has several advantages in 
implementing secure systems, including the avoidance of a wide class of security bugs 
referred to as "time-of-creation to time-of-use" modifications [11]. 
• Limited built-in data structures: In HDM, most of the data structures are provided by 
specified modules. Thus, ILPL need provide only a few simple kinds of data types, 
namely integers, characters, booleans, vectors, and structures (records). 
• Controlled side-effects: Since an ILPL program consists mainly of calls to operations of 
325 
a machine, the only side-effects are changes to V-functions as portrayed in the 
specifications of modules. 
• Simple storage allocation: The only allocation carried out in the execution of an ILPL 
program is for local variables. Any dynamic allocation of objects is reserved for the 
modules that maintain such objects. 
• No design aids in the language: Since HDM separates design and implementation 
decisions into distinct stages, all descriptions relating to design are expressed in 
SPECIAL or HSL. 
• Structured exception handling: The program implementing an operation has multiple 
return points, one corresponding to the normal return and the remainder 
corresponding to the exceptional returns. A program referencing an operation 
"handles" any of the possible returns -- exceptional or normal -- for that operation. 
• Type compatibility with SPECIAL: ILPL provides only a subset of the types of 
SPECIAL, essentially those that are easily implemented. Among those omitted is the 
"set". However, ILPL does support designator types, enforcing the same protection 
rules for designators as SPECIAL. 
The implementation of "stacks" contains four paragraphs: EXTERNALREFS, TYPE 
MAPPINGS, INITIALIZATION, and IMPLEMENTATIONS, discussed next. 
3.5.2 EXTERNALREFS Paragraph 
All of the operations of both levels are listed. Also included are the parameters of both machines 
(since they can be referenced as operations) and the designator types. Complete type information 
is given here for all arguments and results, even though it duplicates information in the module 
Bpecifications, allowing the implementations to be complete for purposes of type checking. 
3.5.3 TYPE MAPPINGS Paragraph 
The mappings of the designator types of the upper machine are listed. Again, this information 
has already appeared (in the representation), but its appearance here means that the 
implementation is selC-contained. 
3.5.4 INITIALIZATION Paragraph 
The "initialization" program is given which when executed will drive the lower-level machine to a 
state that maps to the desired initial state of the upper-level machine. For the example, the 
initialization program has only to establish a value Cor the "stacks" parameter 
"max_stack_size". Note that the image of the initial state of "arrays" is such that "ptr(s)" has 
the initial value o. 
The reader might wonder how the initial value oC "!" for stack_ val{s, i) is realized. Recall that 
the representation for II stack_ val" is 
326 
stack_ val{s; i) : 
IF i >= 1 AND i <= access_array(s, 0) 
THEN access _ array(s, i) 
ELSE! 
But the initial value of access _ array{s, 0) is 0, in which case the expression following IF is false 
for all i. Hence, for the initial state of "arrays" the representation of "stack_val" becomes 
stack_ val(s, i) = ! 
which is the initial value desired. 
3.5.5 IMPLEMENTATIONS Paragrapb 
Following are the programs that implement the operations of "stacks". The informal description 
of the program for "push" should serve as a documentation of the program, and assist a reader in 
grasping the syntax of ILPL. 
INFORMAL DESCRIPTION OF "push" 
Retrieve the O-th element of the array (p, the stack pointer); 
If i=p+l is beyond the array bounds (and thus exceeds the 
maximum stack size), raise the "stack_overflow" exception 
and exit; 
Modify the i-th location in the array to be v (push v onto 
t.he stack); 
Modify the O-t.h location in the array to be i (increment the 
the stack pointer); 
For the actual program, the first statement is 
i <- access_array{s, 0) + 1 
No exception is expected from the invocation of access_array(s, 0), since the second argument 
(0) is clearly in bounds. The second statement 
EXECUTE change_array{s, i, v) THEN 
ON array _ bounds : RAISE{ stack _ overflow); 
ON NORMAL:; 
END; 
illustrates the mechanism for exception handling in ILPL. Following EXECUTE is a reference to 
an operation, change _ array(s, i, v), that can lead to an exception, in this case "array_bounds". 
The text following ON has the following meaning: If the "array_bounds" exception is raised as a 
result of the invocation of "change_array", then the "stack_overflow" exception is raised as 
the termination of the program for "push". (If the "change_array" operation had more 
exceptions than were expected, they would be accommodated by additional "ON" terms.) If the 
"array _bounds" exception is not triggered, then the invocation of "change_array" terminates 
"normally" by storing v in the i-th location of array s. 
To complete the description of the program, no exception is expected for the statement 
327 
change _ array( s, 0, i), 
since it is seen that i is within bounds. 
3.6 Stage 7 -- Coding 
The abstract programs associated with stage 6 must ultimately be transformed into efficiently 
executable programs. That is the task of stage 7. In general, the task may be accomplished 
automatically or manually. The choice may rest on the actual hardware and on the tools 
available for compiling or assembling code. The development of automatic tools for 
accomplishing stage 7 is encouraged. 
328 
References 
[I] T. Berson and J. Barksdale. 
KSOS: Development Methodology for a Secure Operating System. 
In NCC '79, NY NY. AFIPS, June, 1979. 
[2] W. E. Boebert, J. M. Kamrad, E. R. Rang. 
Analytic Validation of Flight Hardware .. 
Technical Report, Honeywell, 77SRC63, Systems and Research Center, Minneapolis, 
Minnesota, September, 1977. 
[3] R. J. Feiertag, K. N. Levitt, L. Robinson. 
Proving Multilevel Security of a System Design. 
In Sixth Symp. on Operating System Principle8, 16-18 November 1977, pages 57-67. 
ACM, November, 1977. 
In Operating Systems Review, Vol. 11, No.5. 
[4] R.J.Feiertag. 
TACEXEC. 
Technical Report, SRI International, Menlo Park CA, Final Report, April, 1979. 
[5] R.J. Feiertag and P.G. Neumann. 
The Foundations of a Provably Secure Operating System (PSOS). 
In National Computer Conference 1978, Vol. -/8, pages 115-120. AFIPS, 1979. 
[6] J. V. Guttag. 
The specification and application to programming of ab8tract data type8. 
PhD thesis, Department of Computer Science, University of Toronto, 1975. 
Computer Science Research Group Tech. Report CSRG-59. 
[7] Honeywell Corp. 
Project Guardian Final Report. 
Technical Report, Honeywell Information Systems, Inc., Federal Systems Division, McLean 
VA, September, 1977. 
ESD-TR-7B-1l5. 
[B] K. N. Levitt, L. Robinson, B. A. Silverberg. 
The HDAf Handbook, Vol III: A Detailed Example in the U8e of HDM. 
Technical Report, SRI International, June, 1979. 
[9] E.J. McCauley and P. Drongowski. 
KSOS: Design of a Secure Operating System. 
In NCC '79, NY NY. AFIPS, June, 1979. 
[10] P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N. Levitt, and L. Robinson. 
A Provably Secure Operating SY8tem: the SY8tem, Its App/ication8, and Proofs. 
Technical Report, SRI International, May, 19BO. 
This is the Second Edition, replacing the 1977 edition. 
[11] P.G. Neumann. 
Computer Security Evaluation. 
In National Computer Conference 1978, Vol. -/7, pages 10B7-1095. AFIPS, 1978. 
329 
[12] D. L. Parnas. 
On a 'Buzzword': Hierarchical Structure. 
In Information Processing 74, pages 336-339. IFIP, North-Holland Pub. Co., Amsterdam, 
1974. 
[13] L. Robinson, K. N. Levitt, P. G. Neumann, and A. R. Saxena. 
A Formal Methodology for the Design of Operating System Software. 
Prentice-Hall, New York, 1977, . 
[14] L. Robinson and K. N. Levitt. 
Proof Techniques for Hierarchically Structured Programs. 
Comm. ACM 20(4):271-283, April, 1977. 
[15] L. Robinson. 
The HDM Handbook, 'Vol I: The Foundations of HDM. 
Technical Report, SRllnternational", June, 1979. 
[16] O. M. Roubine and L. Robinson. 
The SPECIAL Reference Afanual. 
Technical Report, SRI International, CSL-45, January, 1977. 
[17] B. A. Silverberg, L. Robinson, K. N. Levitt. 
The HDM Handbook, Vol II: The Languages and Tools of HDM. 
Technical Report, SRI International, June, 1979. 
[18] J. H. Wensley, L. Lamport, J. Goldberg, M. W. Green, K. N. Levitt, P. M. Melliar 
Smith, R. E. Shostak, and C. B. Weinstock. 
SIFT: Design and Analysis of a Fault-Tolerant Computer for Aircraft Control. 
Proc. IEEE 66(10):1240-1255, October, 1978. 
330 
CHAPTER 10 
META-VERIFICATION CONDITION GENERATOR; 
HOARE RULES FOR PASCAL 
331 

Automatic Construction of Verification 
Condition Generators From Hoare Logics 
Mark Moriconi and Richard L. Schwartz 
Abstract. We define a method for mechanically constructing verification condition generators from a useful 
class of Hoare logics. Any verification condition generator constructed by our method is shown to be sound and 
deduction-complete with respect to the associated Hoare logic. The method has I;>een implemented. 
1. Int roduction 
A verification condition generator (VCO), a central component in a program verification system, reduces the 
question of whether a program is consistent with its specifications to that of whether cenain logical formulas are 
theorems in an underlying theory. VCOs must embody the semantics of the programming language; for the most 
part, they have been seen as implementations of Hoare-style axiomatic semantics. In the past, all such VCOs have 
been hand-coded for a specific language. with no formal guarantee that they accurately reflect the axiomatic language 
definition. The new contributions of this paper are (i) a general method for constructing VCOs mechanically from a 
useful class of Hoare logics and (ii) a formal basis for the method that provides the needed correspondence between a 
VCO and the axiomatic definition on which it is based. 
Our theoretical results show that any VCO constructed by our method accurately reflects the axiomatic 
definition of the programming language. In other words, any such VCO is sound and deduction-complete with respect 
to the Hoare axiomatization of the language. Of course, it is still necessary to establish the soundness and relative 
completeness of the axiomatic definition with respect to an operational model [2]. 
In the process of trying to prove that our method has these properties, we found some subtle limitations of the 
commonly used implementation strategy for Hoare logics. This led us to identify precise conditions on Hoare logics 
under which this strategy will produce correct vcas. Roughly the entire Pascal [5] and Euclid [7] axiomatizations 
satisfy our constraints, for example. We discuss the practical limitations of this work and propose extensions in the . 
conclusion. 
Our method consists of two main steps. An axiomatic definition is first transformed into a nonnal form from 
which we then derive a recursively defined vca. The method has been implemented to form a mct.'l verification 
condition generator, called MetaVCa. If supplied with an axiomatic language definition satisfying our constraints. 
MetaVCO will automatically produce a VCO for the language. 
After introducing some of the basic concepts to be used in this paper, we present the normal fonn for rule~ 
(Section 3), the less constrained rule fonn for user-defined rules (Section 4), and then the main soundness and 
completeness results (Section 5). 
333 
2. Background and Overview 
2.1. The Basic Method 
In 1969 Hoare [4] i,ntroduced the style of axiomatic scmanticsJrequently used to define programming languages. 
Hoare's approach is to regard program text as specifying a relation between assertions. The notation P{S}Q is used 
to mean that "if precondition P is true before execution of program fragment S, and if execution of S temiinates. then 
postcondition Q is true upon its completion". The meaning of every simple statement (such as assignment) is defined 
by an axiom schema and every compound statement (such as composition) is defined by an inference rule schema. A 
logical system containing Hoare axiom and deduction schemas for all syntactic forms in a programming language 
constitutes a partial-correctness axiomatic definition or axiomatization of the language [8]. 
The role of a VeG in a program verification system is to reduce the correctness of a sentence P{S}Q to the 
correctness of some number of lemmas. catted verification conditions, in the underlying theory. The provability of 
these lemmas is intended to be sufficient to guarantee that an axiomatic proof using the Hoare system could be 
constructed. 
Verification condition generation is typically performed using a recursively defined predicate trans/onner 
pre(S.Q) • which maps a program fragment S and a postcondition Q into a precondition. The function pre computes 
an asscnion sufficient to guarantee that Q witt be derivable as a postcondition (i.e .• that pre(S.Q){S}Q is provable). 
The provability of the verification condition P=>pre(S.Q) in the underlying logic is thus sufficient to show that 
P{S}Q is provable within any Hoare system containing the rule of consequence. A predicate transformer that 
produces preconditions which are both necessary and sufficicllt to derive Q as the postcondition is said to compute the 
weakest derivable precondition. and is denoted wdp(S.Q). 
Our notion of wdp should not be confused with Dijkstra's notion of weakest liberal precondition wlp [3]. 
Weakest in our context is with respect to provability from the axiomatic definition. while Dijkstra's notion of weakest 
is relative to an interpretive model. 
We now show how to derive wdp from a Hoare axiomatization of a programming language. Suppose that the 
normal form characterization of rules is 
PI {SI} 0.1' .... Pn {Sn} Qn' r (1) 
~{S}Q 
which permits the deduction of ~{S} Q from the n+1 premises. For the moment, let each Qi' r. and ~ stand for 
arbitrary logical expressions involving predicate symbols P l' .... P n.Q and formulas in tlle underlying theory. 
Examples of rules of this form are the axiom for assignment (without side effects) 
p[x-e]{x:=e} P (2) 
where p[x-e] indicates the proper substitution of the expression e for each occurence of the variable x in p. and the 
rule of inference for statement composition 
P{Sl}R. R{S2}Q 
P{Sl:S2}Q 
Given any rule of form (1). wdp can be defined as follows: 
wdp(S.Q) = ~[J\-wdp(Sl'Ql)' .... P n -wdP(Sn.Qn») A ('9'v) r [P l-wdp(Sl'Q}). "·t P n -wdp(Sn,O-n)] 
334 
(3) 
(4) 
where (p l-~""'P n -tnl denotes n proper substitutions carried out sequentially in a left-to-right order, and v is the set 
of all free logical variables in r. For example, the predicate transformer corresponding to assignment axiom (2) would 
be 
wdp(x: = e,P) = p[x-e] 
and the one corresponding to composition rule (3) would be 
wdp(Sl;S2.Q) = P (P-wdp(Sl'R), R-wdp(S2,Q)] = wdp(Sl,wdp(S2,Q» (5) 
Notice that these are the predicate transformers usually associated with assignment and composition. In fact. the 
predicate transformers produced by wd=- .re the ones commonly used to mechanize Hoare logics. 
2.2. The Two Main Problems 
As just discussed, a VCG reduces the question of whether a sentence P{SlQ is a theorem in Hoare logic to the 
question of whether P:::>wdp(S,Q) is a theorem in the underlying theory (e.g., first-order logic). Two important 
questions naturally arise: 
1. Soundness. Does the VCG accurately reflect the semantics of the programming language as embodied by 
the associated Hoare logic? In other words, if P:::>wdp(S.Q) is provable in the underlying theory, is 
P{S}Q provable in the Hoare logic? 
2. Completeness. Is a VCG as "powerful" as the Hoare logic from which it is derived? In other words, if 
P{S}Q is provable, is P:::>wdp(S,Q) also provable? 
More formally, we must show that 
I-:u;P{S}Q 
where:U; is a Hoare axiom system, ~is the underlying logical theory, wdp:u;(S,Q) is the predicate transformer derived 
. from:U; as prescribed by (4), and P:Jwdp:u;(S,Q) is the formula in ~produced by the VCG. lbis theorem does not 
hold for arbitrary :U;, as explained later. Thus. the problem is to find a sufficient set of constraints on :u; that does not 
unreasonably restrict the expressiveness of the resulting logics. The general rule form constraints of Section 4 have 
this property. 
2.3. A Unifying Model 
We need a conceptual model that connects formal axiomatic proofs and VCGs based on wdp. Such a model is 
provided by viewing a VCG as an automatic proof constructor for Hoare logic. An axiomatic proof of a sentence 
P{S}Q consists of a sequence of steps where the last step is P{S}Q, and cach previous step is either an instance of an 
axiom schema, a theorem in the underlying logic, or follows from,previous steps by applying an instance of a rule of 
inference. In our model. a VCG constructs such proofs. using wdp to find instantiations for free predicate symbols in 
axioms and rules of inference. For any sentence P{S}Q, the basic strategy is to inst.1ntiate precondition P with 
wdp(S,Q). 
This model is illustrated below, where annotations (indicated by lines with roman numbering) relate the strategy 
used by the VCG in attempting to construct the formal proof of the sentence a{z:=I;y:=z+Il!l. Indentation 
indicates the nesting of recursive calls on wdp. 
335 
i. Select and instantiate composition rule for "z: = l;y:= z+ I" with: 
SI-z:=1. S2.-y:=z+ 1. Q-fJ. R-wdp(y:=z+1.Q)=P(y-7.+1). 
P-wdp(z: = 1.R)=wdp(z: = l.wdp(y: = z+ l,p»=(p[y-z+ l){z-l) 
ii. Apply assignment axiom for "y: = z+ I" with: 
x-y. e-z+ 1. p-p 
1. p(y-z+ IHy: =z+ I}P 
iii. Apply assignment axiom for HZ: = I" with: 
X-I, e-l. P-P[y-z+l). 
2. (p(y-z+l)[z-l]{z:=l} P(y-z+l) 
3. (.8(y-z+l)(z-l]{z:=I;y:=z+I}P 
4. a:>. (jJ(y-z+ 1])[z-l) 
S. a {z:=I;y:=z+l} fJ 
assignment 
assignment 
composition (1.2) 
lemma 
cons~quence (4) 
The overall proof strategy of the VCG is to select and instantiate the rule of inference that applies to the outennost 
syntactic structure in the program fragment (step n. satisfy its premises (steps ii and iii). and then conclude its 
conclusion (line 3). The VCG begins the proof by selecting the' rule of composition (3) and perfonning the 
instantiations indicated above. This is a valid instantiation because it binds all free symbols in the rule. To see this. 
notice that when the substitution [P-wdp(z: = 1.R). R-wdp(y: = z+ 1.P)] is applied to the composition rule. we get 
wdp(y: = z+ l.P) for Rand wdp{z: = l.wdp(y: = z+ 1.,8» for P. Next. the VCG must prove both premises of the 
rule. namely wdp(y:=z+l.PHy: =z+ 1lP and wdp(z: = l.wdp(y: =z+ l.P»{z: = l}wdp(y: =z+I.P). Expanding 
the definition of wdp. we see that both are instances of assignment axiom (2). yielding Jines 1 and 2 of the fonnal 
proof. Having satisfied the premises of the composition rule. the vca concludes line 3 of the proof. 
. Lines 4 and 5 are instances of a two-line scheme that completes every proof done by the vca. Line 4 
corresponds to the formation of P:Jwdp(S.Q) • which must be provable in the underlying theory for this to be a valid 
proof. Line 5 then follows immediately by the rule of consequence (ROC): 
P::>R. R{S}T. DQ 
PIS} Q 
Although VCGs nonnally produce only line 4 as output. their output could just as easily be the entire axiomatic proof. 
It should be pointed out that our model accurately describes the VCG only because of the restrictions we place 
on Hoare logics. The model clearly is inadequate for arbitrary Hoare logics. For example. it is easy to state a rule that 
requires the invention of an inductive assertion. which wdp is incapable of doing. The nOlmal form constraints given 
in the next section were carefully chosen so that the vca can always properly apply rules (consistency) and so that the 
instantiations computed by wdp will always be the weakest derivable instantiations (completeness). 
This model provides the needed conceptual link between previous work on VCGs and Hoare logic. In the past, 
the vca ilsdf has been taken as the definition of the programming language. It is usually the case that the predicate 
transfonner serves as the definition of each construct in the language. since there is often no axiomatic definition of 
the language. In some cases. however. there docs exist an axiomatic definition of the programming language. but no 
formal correspondence between it and the predicate transformer is demonstrated. In both cases. we are left with the 
vea as a de jOCIO standard when automated proofs arc attempted. 
336 
The only attempt at validating the view of a veo as a proof constructor for an associated axiom system is the 
work of Igarashi. London. and Luckham (6). In their paper. they give an axiomatic definition of a small language and 
an associated vea. While they do not d~monstrate a formal correspondence between their recursively specified veo 
and their axiom system. they do prove that. their axiom system is interderivable with another axiom system that m<;>re 
directly reflects the instantiation strategy employed by their veo. 
3. The Normal Form for Rules 
This section defines a set of constraints on Hoare axioms and rules of inference under which the desired 
consistency and completeness property holds. Rules satisfying these constraints will be called nonnalfonn rules. 
3.1. Notational Conven,tions and Preliminary Definitions 
We will be defining properties of partially interpreted axiom and inference rule schemes. and must therefore 
carefully distinguish among three levels of discourse. In defining the normal form. we will use metavariables c:P, Q, ~. 
... (with or without subscripts) to denote partially interpreted, standard first·order formulas. These formulas can 
contain un interpreted predicate symbols P. O. R.... (with or without subscripts) and formulas from the underlying 
theory. For example. ~could denote p. PI\x=S. or x=S. We assume that uninterpreted predicate variables p. O. 
R .... may be instantiated by formulas in the underlying theory. For example. P could be instantiated as x = 5 • but not 
0l\x=5. 
We will make use of a binary relation c::: on uninterpreted predicate symbols. For a Hoare sentence of the form 
~(Pl' .... Pm) {S} 0.(0}, ...• On) 
where predicate symbols P }' .... P m and 01' .... 0
0 
are logically free in ~and 0.. respectively. we have 
Pi c::: OJ • for iE{l ..... m} andjE{l ..... n} 
Intuitively. a relation Pc:::O should be thought of as indicating that the binding of predicate symbol P is dependent 
upon the binding of predicate symbol O. The relation c::: is defined with respect to a set of Hoare sentences in the 
obvious way. The notation ~ denotes the transitive closure of c:::. Whenever we have H ~ T. H will be called the 
head of the dependency chain and T the tail. 
Similarly. for a rule of the form given in (1). we employ the relation ~ to define the dependence of a proof 
concerning S on proofs concerning SI' ...• Sn' In particular. we have S~Si' for iE{l •...• n} . For a Hoare axiom 
system. we define the transitive closure ~ + in the obvious manner. 
We usc the function FreePreds to denote the set of logically free predicate symbols in a formula. a Hoare 
sentence. or a Hoare rule. FreePreds applied to a formula denotes its logically free symbols. FreePreds applied to a 
Hoare sentence ~S}Q is simply tlle union ofFreePreds(~ and FreePreds(Q). and FreePreds applied to an inference 
rule is the union of the predicate symbols obtained by applying FreePreds to each premise and th.: conclusion of the 
rule. 
We will use the function FragVars to denote the set of "fragment variables" in the language fragment S of a 
Hoare sentence P{S}O. For example. FragVars applied to "if n then SI else S2 fi" has the value {B.S1.S2}. If 
applied to an entire Hoare rule. FragVars yields a set containing the fragment variables from every Hoare sentence in 
the rule. 
337 
Lastly. we use Utese two functions in defining Ute notion of a bound occurrence of an unintcrpreted predicate 
symbol in a rule. For a rule R. a predicate symbol in FreePreds(R) is bound in R if and only if it is in FragVars(R). 
·OUterwise. the occurrence is said to be free in R. Intuitively. we are carefully distinguishing Utose logically free 
variables Utat are bound in Ute program fragment when a rule is applied (i.e .• those bound in Ute rule) from those that 
must be bound by wdp. . 
3.2. The Constraints 
We will state the complete definition of Ute nonnal form and Uten explain it in detail. 
The Normal Form 
A normalform rule is any instance N of 
PI {SI} 0 1 •...• Pn {So} 0 0 • r 
~{S}Q 
Utat satisfies the following constraints: 
1. PI' .... Pn and Q are predicate symbols free in N. 
2. f is a sentence in the underlying theory whose logically free predicate symbols 
can include only those in FreePreds(N) or FragVars(S). 
3. The fragment variables of each Sj in the premises must be bound in S. That is. it 
must be the case that Ul~j~nFragVars(Sj)~FragVars{S). 
4. Dependencyordering. The Hoare-sentence premises ofN must satisfy two 
dependency constraints. 
a. Pj&Pj :> i <j 
h. T!:U A -'(3R)U~R :> U=Q V U bound in N 
S. MOll%nicily. Let ~[Pt-false. PEs) denote q>with the proper substitution of false for each 
predicate P in the set s. 'Jben. the following constraint on q>must be satisfied: 
~[PI"",Pn.Qt-true] V VS~{Pl""'Pn.Q} -,q>[Pt-false. PEs]) 
This constraint must hold for r (with ~replaced by f) and for each O. (with q>replaced by 0.). 
I I 
For axioms. this definition collapses to sentences of the form q> (Q){S}Q • where postcondition Q is the only 
predicate symbol that can be free in the axiom and the following constraint must be satisfied: 
q>[Q-true] V -'~[Q-false]. 
Two constraints are placed on a collection of normal form rules: (i) Any terminal string a in the programming 
language can be an instance of at most one language fragment S defined by by a nonnal form axiom or inference rule. 
(ii) The relation «+ must be irretlexive. (We show later that Utis will guarantee termination of wdp.) Also. 
accompanying every normal form system are the ROC and the axiom false{S}Q. 
Constraints 4 and 5 require further explanation. Constraint 4 ensures that wdp will be able to compute 
instantiations for all free. uninterprcted predicate symbols in rules using left-to-right substitution of wdp(S .. O.) for 
I I . 
each 91. This is done by first imposing restrictions on where frcc predicate symbols can occur in rules, and then 
placing constraints on some ofthcsc symbols based ~n dependency considerations. Constraint 4a requires an ordering 
338 
offrec predicate symbols that is made apparent by the following schema: 
P1{Sl}OiP2····'Pn), ... , Pj{Sj}Qj(Pj+I""'Pn), •.. , Pn{Sn}Qn 
~(J\, ... ,Q) {S} Q 
This says that every precondition of a Hoare sentence· premise of an inference rule can depend only upon 
preconditions occurring· in subsequent premises. This has the effect of eliminating dependency cycles, such as a 
premise of the form P{ ... }P (as in the case of the "unassened" while statement) or a pair of premises of the form 
P{ ... }R and R{ ... }P. In neither case would wdp be able to find an instantiation for the repeated symbol P. Also note 
that 4a requires not only that a proper ordering of premises exists. but that premises actually be placed in the 
prescribed order. For example, if the premises for of composition rule (3) were reversed. it would not satisfy 4a. 
Given this ordering. constraint 4b ensures that the tail of every dependency chain is either expressible as a 
function of postcondition Q or is bound in a program fragment In the hypothesis of 4b. U is the tail of a dependency 
chain T~U which does not also occur as the head of another chain (Le .• there is no other R such that U~R). The 
conclusion of4b says that every such U must be either the postcondition Q or a fragment variable in N, both of which 
are bound without the use of wdp when a rule is applied. Composition rule (3). for example. satisfies this constraint, 
since postcondition Q is the only tail not also occurring as the head of a dependency chain. In contrast, a rule 
. . 
containing premises P{ ... }T, S{ ... }R, and R{ ... }Q would not be allowed. unless T were bound in a program 
fragment Otherwise. wdp would not compute an instantiation for T. 
Constraint 5 is necessary for completeness. Recall that the completeness of a VCG hinges upon its ability to 
compute the weakest derivable precondition wdp(S.Q) for a given Sand Q. As the simplest example of a rule for 
which wdp cannot compute the weakest derivable precondition. consider the axiom ""Q{S}Q. From this axiom. it is 
possible to prove true{S}true using the ROC. The predicate transformer associated with this axiom by (4) is 
wdp(S.Q)=-'Q. meaning that wdp(S.true) = false . But true (not false) is the weakest derivable precondition. This 
same son of difficulty can result from interactions among several different rules. 
Therefore. Constraint 5 imposes a monotonicity constraint on rules. which eliminates rules in which cenain 
"changes of sign" exist between the preconditions of the premises and the precondition in the conclusion. The first 
disjunct of 5 says that an inference rule that docs not have a sign change is aeceptable. That is. if the truth of~ follows 
from the truth of PI' .... P nand Q. the rule is acceptable. The second disjunct states that a sign change in an inference 
rule is acceptable if the falsity of~ is independent of the free variables in the rule. More precisely. it says that a rule is 
acceptable if there are no truth values assignments to PI' ... , P nand Q that will make ~ true. Whenever this is the 
case. we know that any sign change is a function. of predicate symbols bound in the language fragment; it turns out 
that this does not result in incompleteness. lbe axiom ""Q{S}Q above docs not satisfy this constraint. 
A normal form definition ofa simple language is given in Figure 1; the general form of this definition is given in 
the next section. Although the while rule N4 and the conditional rule N5 may appear unusual, their general rule form 
is the common one. Also note that the procedure declaration and call rules (N7 and NS, respectively) use assenion-
language functions to handle the association between procedure declaration and call. lbe predicate boundP(p.Q) is 
used in NS to test whether there is an expression of the form bind(p.<asscrtioll.asserlion,variable» in Q before total 
functions getpre, getpost, and getvars are applied to retrieve binding information at the point of call. A more elegant 
approach to handling this contextual information is suggested in the conclusion. For pedagogical reasons. we assume 
in our simple language that expressions have no side effects, procedures are non recursive, procedure as parameters 
and aliasing in procedure calls are prohibited, and global variables are disallowed. 
339 
Axioms 
Nl. simple assignment: P[x-e] {x:=e} P 
P[a-arrayUp~ate(a.el'e2)] {aIel]: =e2} P P{ }P 
N2. array assignment: 
N3. empty statement: 
Rules ofinference 
N4. iteration: 
Pl{S}P. PA""D:JQ. PAD:JPl 
NS. conditional: 
P {while B assert P do S ad} Q 
N6. compound statements: 
B:JPI A ...,n:JP2 {if B then Sl else S2 fa} Q N7. procedure declaration: 
P{Sl}R. R{S2}Q U{SI}Q. R{S2}TAbind(p.<P.Q.x». P:JU 
N8. procedure call: 
R{begin proc p(var x)=pre P; post Q: Sl corp: S2 end}T 
boundP(p.Q) 
(VvXgetpre(p.Q)[getva~p.Q)-a]Agetpost(p.Qj[getvars(p.Q)-x') :> Q[a-x/) {pea)} Q 
Figure 1: Example nonnal fonn language definition. 
4. An Equivalent Rule Form With Fewer Constraints 
So far. we have explained the nonnal fonn for rules and how to transfonn them into a VCG. This section 
presents the remaining part of our method. which is motivated by the practical concern of wanting to impose as few 
constraints as possible on rules written by users of MetaVCG. The general rule fonn defined below allows 
considerable flexibility in stating premises to inference rules -- premises need not be ordered and may have more 
general preconditions. This rule fonn has the important propeny that any rule satisfying its constraints can be 
mechanically transfonned into an equivalent nonnal fonn rule. The nonnal fonn rules of Figure 1 that are more 
conveniently expressed in this general rule fonn are contained in Figure 2. and the transfonnation between the two 
rule forms is defined in the appendix. 
lbe General Rule Form 
A general fonn rufe is any instance G of 
~{S}Q 
that satisfies nonnal fonn constraints 1-3 and 4b. where: 
1. Each premise 1is a Hoare sentence of one of the following forms. 
a. ~ {S} (t b. ~ {S} (t c. ~A~ {S} (t 
where. in all three cases. ~ is a metavariable evaluating to a single predicate symbol free in G. 
~ is a metavariable evaluating to a fonnula not containing any predicate symbols free in G. 
and Q is a metavariable. 
2. The relation c!= must be irreflexive with respect to 'fl' •••• 1
0
• 
3. Let r be the set of predicate symbols free in the preconditions of 11, ••.• 1 . Then; the following constraint on ~must hold: n 
9[p-true. P€rU{Q}) V Vs~rU{Q} ....,9[P-false. PEs) 
This constraint must hold for r (with 9 replaced by r) and for each (t. (with 9 replaced by (t.). 
I I 
340 
01. Iteration: 
PAB{S}P. PA""B:::>Q 
P {while B assert P do Sod} Q 
G3. Procedure declaration: 
P{SllQ• R{S2}T Abind(p.<P.Q.x» 
R{bcgin proc p(var x)=prc P; post Q; SI corp; S2 end}T 
02. Conditional: 
PAB{SI}Q. PA...,B{S2}Q 
P {if B then SI else S2 fil Q 
Figure 2: Acceptable renditions of awkward nonnal fonn rules. 
The interesting constraints are the first two. Constraint 1 gives the user considerable flexibility in expressing the 
Hoare sentence premises of an inference rule by lifting three nonnal form resuictions. Constraint la allows duplicate 
free predicate symbols as preconditions. and Ie allows a combination of (possibly duplicate) free and bound predicate 
symbols. Rules Gl and G2 illustrate the utility of this weakening of the normal form constraints. Constraint lb allows 
preconditions whose logically free variables are bound in the rule, as ittiJstrated by G3. 
Constraint 2 is the only dependency constraint It says that the Hoare sentence premises of an inference rule can 
be unordered, provided there are no dependency cycles. This is in contrast to normal fonn constraint 4a. which 
requires a very particular ordering of premises. 
The collection of general form axioms and rules of inference must satisfy the two overall constraints given for 
the nonnal fonn system. 
5. Formal Basis for the Method 
To demonstrate that a VCG constructed by our method is sound and deduction-complete with respect to a 
gene"ral form axiomatic definition g. we prove the following theorem. 
Theorem: Let g' be any general form axiom system g augmented by the rule of consequence and the 
axiom false{S}Q. and let T denote the transformation from g to the nonnal fonn. and suppose that S'is a 
complete (perhaps noneffective) proof system for the underlying theory. Then 
.... g, P{S}Q iff .... S'P::>wdp,.(g)(S.Q) 
The proof is done in two steps, showing first that 
.... gl P{S}Q iff .... T(gl P{S}Q 
and then that 
I-Jt P{S}Q iff .... S'P:Jwdp ,N<S.Q) 
where Jt is any normal form axiom system .x augmented by the ROC and the axiom false{S}Q. The fonner lemma 
demonstrates that a general form system CJ is sound and deduction-complete with respect to the nomlal fonn 
representation of g under T. Its proofis tedious but routine and will not be given here. The second lemma, which we 
prove here. establishes that YCGs constructed by our method are sound and deduction-complete with respect to any 
normal form system X. 
When wdp(S.Q) appears in a formula, there is an implicit assertion that it tenninates and denotes a formula in 
341 
the underlying theory. As part of the completeness proof. we will prove that, whenever a sentence P{S}Q is provable 
in .11. wdp(S.Q) always in fact terminates and produces a formula in s: 
5.1. Main Soundness Result 
In this section we prove the consistency of a VCG with respect to its associated normal form axiom system 
augmented by the ROC. The soundness lemma to be proved is: 
If ~~P:::>wdp ~S.Q) then ~ .11 P{S}Q 
Henceforth. we will usually omit explicit reference to theories and will use wdp(S.Q) is an abbreviation for 
wdp~S.Q). 
The proof is by induction on the depth of recursive application of wdp. In terms of our proof constructor 
model. we must show that' wdp properly applies the axioms and rules of inference defining each construct of the 
programming language. Each recursive application ofwdp must correspond to a valid proof step. We show that, for 
each S defined by an axiom. ·wdp(S.Q){S}Q is provable. and that for each S defined by an inference rule. 
wdp(S.Q){S}Q is provable wheneve~ wdp(Sj.Qj){Sj}Qj is provable for each premise of the rule. This demonstrates 
that wdp(S.Q){S}Q holds for any construct S; the hypothesis and the ROC can then be used to obtain the desired 
conclusion. 
As the base case for the induction. we consider the situation in which S is defined by an axiom of the form 
~(Q){S}Q. By the definition ofwdp. we get wdp(S.Q){S}Q. from which the desired conclusion follows. 
-We now show that wdp properly applies inference rules defining the composite constructs of the language. This 
means that, for any normal form inference rule N. (i) wdp must find a valid instantiation ofN and (ii) if wdp(S .• Q.) 
I I 
finds a valid instantiation for each of the n Hoare-sentence premises. then wdp(S.Q){S}Q fo\1ows. To establish (i) we 
must show that the left-to-right substitution 
(6) 
binds all free predicate symbols in N. Recall that the premise of a normal form inference rule consists of n Hoare-
sentence premises of the form Pj{Sj}Qj and a sentence r in the underlying theory. Normal form constraints 4a and 
4b require that each OJ contain as logically free predicate symbols only Pj+ 1 ..... P n' Q or predicate symbols bound in 
S. Further. these are the only symbols that can be free in wdp(S .• Q.). The successive left-to-right substitutions given 
I I 
in (6) will then eliminate each Pi in the Hoare-sentence premises. This leaves as 10gical\y free predicate symbols only 
Q and those bound in S. all of which are bound whenever a rule is applied. It follows from normal form constraint 2 
that (6) also binds all free symbols in r. 
We next establish (ii). We take as inductive hypotheses 
wdp(Sl'Ql){Sl}Ql' .... wdp(Sn.Qn){Sn}On (7) 
i.e .• that wdp generates valid preconditions for each Hoare-sentence premise. Now let 0.'. c,p'. and r' stand for 0. .• ~ 
I I 
and r under (6). More specifica\1y. 0: is 
Qj [Pi + l-wdp(Si+ 1.Qi+ 1)' .... P n -wdp(Sn.Qn)] • (8) 
C)(Pl-wdp(S1.Ql)' .... Pn-wdp(Sn·Qn)] • 
and r' is defined analogously to C)'. From our previous analysis of dependency constraints. we know that the only free 
predicate symbol in Q~ is Q. ~ is thus a valid instantiation for 0... Using this instantiation and our inductive 
I I I 
342 
hypothesis (7), we can conclude 
(9) 
We now show that our vea is sound independent of whcther (VV)r' is provable in s: First suppose that 
I-(Vv)r. This coupled with (9) satisfies all thc premises ofN, ,iJlowing us to conclude ~/{S}Q, from which we 
obtain ~I A(VV)r'{S}Q, which according to the definition ofwdp is the same as wdp(S,Q){S}Q. Now assume that 
-.(Vv)r' . Then, from the definition of wdp, we see that wdp(S,Q):::>false. In this case we can use the axiom 
false{S}Q and the ROC to conclude wdp(S.Q){S}Q. 
The above induction argument shows that wdp(S.Q){S}Q is provable for all S. The final step is to observe that . 
our assumption that P:Jwdp(S.Q) and the ROC can now be used to conclude I-X P{S}Q .• 
5.2. Main Completeness Result 
In this section we prove the completeness of a predicate transformer system produced by our method with 
respect to the sentences derivable from the axiom system X. In particular. we prove that 
I-X P{S}Q implies I-S-P::>wdp(S.Q) (10) 
The proof is by induction on the number of rccursive calls on wdp. We must show that, for any provable sentence 
P{S}Q • wdp can construct a proof using the weakest derivable instantiations. As the base case for our induction. we 
show that wdp computes the weakest derivable preconditions when S is defined by an axiom. The induction step 
considers the situation in which S is defined by a rule of inference. We prove inductively that if"wdp generates the 
weakest precondition for each Hoare-sentence in the premises of the rule. then it will generate the weakest derivable 
precondition for the S defined by the rule. This is sufficient to show establish our theorem. since each premise used in 
the application of an inference rule is deduced from application of another inference rule or follows from an axiom. 
Defore presenting the main proof. we first establish that the function wdp(S.Q) always terminates. If S is 
defined by an axiom. wdp terminates because it involves no recursion. For S defined by an inference rule N. the 
termination of wdp(S,Q) depends upon the termination of each wdp(S.Cl.) in the n Hoare-sentence premises of 
I I 
N. Our overall system constraint that «+ is irreflexivc guarantees that the proof of a sentence concerning S cannot 
depend upon satisfying a premise concerning S. The sequence of inferences attempting to satisfy the premises of N 
must therefore be finite, and thus the computation of wdp(S.Q) must also be finite. 
Case 1 (S defined by axiom). Our theorem clearly holds ifS is proved using false{S}Q (since P must be false). 
Now suppose S is proved using normal form axiom ~ (Q){S}Q , whose corresponding predicate transformer is 
wdp(S.Q)==~(Q). Since this axiom uniquely defines S (excluding false{SJQ frum consideration). it must be applied 
in any proof of P{S}Q. In the most general setting. a proof of P{S}Q would invoh'c showing that P:::>S>(R) and 
R:::>Q. and then using the instance ~(R){S}R orour axiom and the ROC to conclude P{SJQ. "lltus. our theorem 
(10) holds for axioms if we can show that P:::>wdp(S.R)::>wdp(S,Q). 
We first observc that P::>wdp(S.R) follows from the dcfinition of wdp for S and the fact that p:::>~ (R). We 
now show that wdp(S.R)::>wdp(S.Q) -- or cquivalently ~ (R)::>~ (Q) -- follows from the fact that R:::>Q and the 
monotonicity normal form constraint TI1Crc are two ways in which R::>Q can hold. If R is true, ~ (R):::>~ (Q) 
clearly holds since Q must also be true. Now assume that R is false and S> (R) is true. Since our monotonicity 
constraint requires that S>(true) V -'~(falsc), S>(-'R) must also be true. Hence, the truth of~is thus independent 
343 
of the truth value of the free predicate symbol. and ~(Q) must also be true. Thus wdp(S.Q) is the weakest derivable 
precondition if S is defined by an axiom. I 
Case 2 (S defined by a rule of inference). Supposc that S is defined by normal form inference rule N. Our 
inductive hypothesis asserts that, from postcondition Q. wdp generates the weakest derivable instantiation for each 
precondition in the premises ofN. That is. we assume that . 
P1::>wdP(S1.Q~(Q» •...• Pn::>wdp(So.Q~(Q» 
where Q~ is defined as before (8) and wilt contain only postcondition Q as a free variable. 
I 
(11) 
We begin by observing that any proof of P{S}Q must necessarily follow a certain pattern. and then prove 
inductivcly that corresponding to any such proof is a proof of P::>wdp(S.Q) in ~ The general form of any proof of 
P{S}Q using inference rule N must proceed as follows: Since S can be defincd only by N. we know that instantiating 
predicate symbols PI' ...• Po and postcondition Q will yield a sentence of the form R {S} U such that P::>R and 
U::>Q. The ROC would then be uscd to conclude P{S}Q. This argument can be characterized more formally as 
applying some substitution [p 1-RI' ...• P D - Rn' Q-UI to N to obtain 
R1{Sl}Tl' ...• Rn{Sn}Tn'" 
R{S}U 
such that the premises RI{S1}Tl' ...• Rn{Sn}Tn and., are satisfied and where P::>R and U::>Q. Using the ROC. we 
conclude P{S}Q. 
This observation guides the subsequent argument, which shows inductively that R::>wdp(S.U) given that 
P::>R. A similar argument can be used to show that wdp(S.U)::>wdp(S.Q) given that U::lQ. Combining thesc 
arguments yields P:::>wdp(S,Q). which means that our method is complete for S defined by an inference rule. 
We begin by inst.1ntiating our inductive hypothesis (11) with [Pl-RI •...• Pn -Rn.Q-U]. yielding 
Rl:::>wdp(Sl.Q~(U» •...• Rn:::>wdp(Sn.Q~(U» (12) 
We proceed to show that wdp computes thc wcakest derivablc precondition for Sand Q. i.c .• 
~ R :::> wdp(S.U) (13) 
Noting that R is obtained by the proper substitution ofRl •...• Rn and U into precondition ~ofN. and expanding the 
definition of wdp. we wilt prove (13) by showing in two independent steps that 
~[P1-R1' ...• Po-Rn' Q-U] :::> ~[P1-wdp(SI'Ql)' .... Pn-wdp(Sn.Qo).Q -UI (14) 
and th-at 
(15) 
Choose any assignment of truth values to RI ••..• Rn such that the antecedent of (14) holds. For any true Rj• 
wdp(S.,Q'(U» must be true by the inductive hypothesis. Hence, 
I I . 
~[PI-RI' .... PH-RH• Pi-wdp(Si·Q~(U», Pi+ I-R j +l' •.•• Pn-Ro,Q -U] must also be true. 
Now consider any false Rj such that the antecedent of (14) holds. Recall that our monotonicity constraint 
requires 
~[P r···.P n,Q-trueI V V s ~ {P~ •...• p n,Q} "'~[P -false. P € s1 
The first disjunct must hold (since. by hypothesis, there exists a false interpretation of an Rj rendering ~truc). But this 
implies that ~ is true irrespectivc' of thc truth value of R .. Therefore, ~ [P.-wdp(S .• Q'(U))) will be true irrespective 
. I I I I 
344 
of the truth value of wdp(Si,Q~(U». This completes the proof of (14). The proof of (15) is exactly analogous, since r 
may contain only the free predicate symbols assumed in the proof of (14) and must satisfy an analogous monotonicity 
constraint 
This completes the proof of R::lwdp(S,U) at (13). Recall that, in order to complete the entire proof, we must 
. . . 
consider derivations of P{S}Q that use the second half of the ROC. Specifically, we must show that. given the fact 
that U::lQ. wdp(S,U):Jwdp(S,Q). The requires an inductive argument following the reasoning used in the preceding 
one for (13). Expanding the definitions of wdp(S,U) and wdp(S.Q), we can show that each 
wdp(Si,Q~(U» ::l wdp(Si,Q~(Q» , and thus that wdp(S,U):Jwdp(S,Q). Our hypothesis that P::lR and the fact that 
R:Jwdp(S,U) can be used to conclude P::lR::lwdp(S,U)::lwdp(S,Q), thereby completing our proof of Case 2. 
Combining this with Case 1 demonstrates the completeness of of wdp with respect to the augmented nonnal form 
axiom system.1l .• 
6. Conclusion and Futu re Work 
The practical significance of thi~ work is that it is now possible to correctly mechanize a useful class of Hoare 
logics by automated means. A VCO constructed by our method can serve not only as a central component of a 
program verification system, but it can also serve as a vehicle for "debugging" axiomatic definitions and exploring the 
semantic effect of various language design decisions. 
It should be pointed out that a VCO produced by our method is correct only if the axiomatic definition of the 
programming language is correct. Thus. the remaining step in validating a verification system as a basis for reasoning 
about program behavior is to prove that the axiomatic definition is consistent and relatively complete with respect to 
an interpretive (operational) language model, as done by [2,1]. 
Our theoretical results demonstrate til at the traditional VCO paradigm is correct when certain constraints are 
placed on the rule forms in the associated Hoare logic. In addition, we found that Meta VCO's soundness depends 
upon the presence of false{S}Q as an axiom, which brings out a interesting anomaly in the commonly used VCO 
paradigm. Recall that wdp is constructed from an inference rule by conjoining the premise r in the underlying theory 
to the precondition in the conclusion. In essence, r is "carried back" through the proof by wdp rather than occurring 
as a proof step to justify the application of the inference rule. As a simple example, instead of applying a rule with 
premise r and conclusion ~S}Q, the VCO in effect applies the axiom ~A(Vv)r{S}Q. However, moving r from the 
premise to the precondition in the conclusion is not in general valid. While nothing can be proven from the original 
inference rule if r is unsatisfiable, wdp(S,Q){S}Q can be proven from tile rule which the VCO actually applies. This 
is sound only if falsc{SjQ is independently provable. Clearly, attempting to prove false{S}Q when S is defined by 
an inference rule with an unsatisfiable premise is pathological. Nevenheless. it docs illustrate that the paradigm only 
works if either false{S}Q is an axiom or, for every inference rule, all premises in the underlying th.eory are satisfiable. 
The expressiveness of our present theory is in principle sufficient for defining the semantics of real programming 
languages, provided the assertion language is rich enough. However, as a practical matter, it lads the expressive 
power necessary to deal adequately with "context·dependent" semantics, such as full static scope, aliasing. side effects, 
exceptions, and procedures as parameters. Our method docs well with contexHndependent propenies of language 
sema.ntics, but transfers much of the burden for defining context-dependent semantics to functions embedded in the 
assertion language. 
345 
We are exploring several extensions to our method, all subject to the constraint that they preserve its soundness 
and completeness. We are investigating (he use of an enriched Hoare sentence C/P{S}Q, as described in [1, 101. The 
additional C component expresses static information concerning program structure. This would allow us to reason 
about context directly within the Hoare logic, rather than having to embed contextual information in the assertion 
language (as was done m procedure declaration and call rules G3 and NS). Employing the context component, the 
revised procedure rules might be of the form: 
CU{<p,proc(x)pre P,post Q>} I P{Sl}Q, R{S2}T 
C I R{bcgin proc(yar x) = pre P; postQ; S1 corp; S2 end}T 
CU{p,proc(x)pre R,post T>} I (Vv)(R[x-a]AT[x':-x'D :::> Q[a-x'] {pea)} Q 
The use of the context component in the first rule allows us to define that the context for elaboration of the block body 
S2 and procedure body Sl is the surrounding context C augmented by the local block declaration for procedure p. The 
procedure call axiom then defines that the meaning of a procedure call is determined from the context at the point of 
call. Recursive procedures are handled by these rules. 
Our current constraints allow only rules that have an inherent "backward" orientation and to which a backward 
predicate transformer semantics can be assigned. Our theory (and implementation) could be adapted to handle 
forward-oriented rules with a forward predicate transformer semantics as well. Based on analysis of predicate 
dependencies, MetaVCG could choose the appropriate substitution direction, provided that all of the rules have the 
same orientation. For example, the forward-oriented Algol 68 axiomatization [91 could be nandled. Further 
extensions to handle axiom systems with no consistent orientation are also being studied. 
Finally, we are exploring methods of introducing early interpretation of functions in the underlying theory to 
allow, for example, for interleaved generation and simplification of verification conditions. At present, all functions in 
the underlying theory (including proper substitution) remain uninterpreted throughout verification condition 
generation. 
Acknol\lcdgmcnts. We would like to thank Larry Flon who, together with the first author, developed the initial 
concept of MetaVCG. Valuable comments on this paper were provided by Wolf Polak, Bernie Elspas, Pepe 
Meseguer, Steve Crocker, and Joe Goguen. This work was supponed in pan by NASA-Langley Research Center 
under Contract NASl-15528 and Rome Air Development Center under Contract F30602-78-C-0031. 
References 
t. E.M. Clarke, Jr. Programming language constructs for which it is impossible to obt..1in good I {oare axiom systems. 
Journal a/the ACM, 26,1. pp.129-147, January 1979. 
2. S.A. Cook. Soundness and completeness of an axiom system for program verification. SIAM Journal 0/ 
Computing. Vol. 7, No. I, pp. 70-90, February 1978 . 
. 3. E. W. Dijkstra. A discipline a/programming. Prentice-Hall, Inc., Englewood Cliffs, New Jersey, 1976. 
4. C.A.R. Hoare. An axiomatic basis for computer programming. Communications o/the ACM, vol. 12, no. 10, pp. 
576-5S0, October 1969. 
5. C.A.R. Hoare and N. Wirth. An axiomatic dennition of the programming language P~al. Acta In/onnatica, 2, 4; 
pp. 335-355,1973. 
346 
6. S. Igarashi. R.L. London. D.C. Luckham. Automatic program verification I: A logical basis and its 
implementation. Acta Infonnatica, 4, pp.145-182, 1975. 
7. R.L. London. J.V. Outtag. J.1. Horning. n.W.l.ampson, lO. Mitchell, and OJ. Popek. Proofrulcs for the 
programming language Euclid. Acta Infonnatica, 10, pp. 1-26, 1978. 
8. A. Meycr and l Halpern. Axiomatic definitions of programming languages: a theoretical assessment Seventh 
Annual ACM Symposium on Principles of Programming Languages, pp. 203-212, January 1980. 
9. R. Schwartz. An axiomatic semantic definition of Algol 68. Ph.D. thesis, UCLA Computer Science Department 
"cpon UCLA-34-P214-75, August 1978. 
10. R. Schwartz. An Axiomatic Treatment of Algol 68 Routines. Proceedings of the International Conference on 
Automata, lAnguages and Programming, Springer Verlag Lecture Notes in Computer Science, July 1979. 
Appendix: Equivalence-Preserving Transformation to Normal Form 
The transformation from the general rule form of Section 4 to the more constrained normal form of Section 3 is 
defined as follows. First son the rule according to the three classes of allowable premises, yielding a schema of the 
form 
We now define two functions: 
~l{Sl}Cll ~ ... , ~j{Sj}Clj' ~j+l{Sj+l}Cli-t:l , ... , ~k{Sk}Clk' 
~k+lA~k+l{Sk+l}Clk+l , ... , ~n"~n{Sn}Cln' r 
~{S}Q 
Duplicates(i) = {m: ~ml = I~il. j+1~m~n}, forj+1<i~n 
where, for a metavariable~, I~I denotes thc partially intcrpretcd first-order formula bound to~, and 
MkFormula(i) = Pi(forj+I~i<k) and l~iPPi (fork+1<i~n) 
Now rewritc the soned schema above as 
P1{Sl}Cl1, ... , Pn{Sn}Cln, r "(/~lPPl) A ... A (/~jPPj) 
~{S}Q 
with the subscquent overall proper substitution 
[~il- AkEDuPlitates(i) MkFormula(k)], for j+ 1 <i~n 
The last step is to reorder the premises of this rule to satisfy normal form constraint 4a, which can always be done. 
347 

Example Input to Meta VeG: Definition of 
a Pascal Subset 
Dwight Hare 
349 

[ ----------------------------------------------------------------------
---------------------- FUNCTION DEFINITION ---------------------------
The 
are 
the 
are 
function definition rule. The preconditions 
the invariants of the current module and map 
associated specification for this function. 
the effects of the function. ] 
of a function 
and the assertions of 
The post condition 
P { statement :: compound.stmt } POSTCONDITIONS.OF (function.id.decl) 
PRECONDITIONS.OF (function.id.decl) =) BEGINNING.STATE.OF(P) 
{ routine:: FUNCTION function.id.decl opt. formals : pas.type.id; 
local.constants local.variables compound.stmt } Q; 
[ ----------------------------------------------------------------------
---------------------- PROCEDL~E DEFINITION ---------------------------
The PROCEDURE definition rule. The preconditions of a PROCEDURE 
are the invariants of the current module and map and the assertions of 
the associated specification for this PROCEDURE. The post condition 
is the effects and the map invariants. ] 
P { statement :: compound.stmt } POSTCONDITIONS.OF (procedure.id.decl) 
PRECONDITIONS.OF (procedure.id.decl) =) BEGINNING.STATE.OF(P) 
{ routine:: PROCEDURE procedure.id.decl opt. formals; 
local.constants local.variables compound.stmt } Q; 
[ ----------------------------------------------------------------------
---------------------- STATEMENT LIST 
The STATEMENTLIST rule. A statement list is a statement 
followed by a statement list. In order to process the statements 
backwards, the statement list is processed and then the statement. ] 
P { statement:: statement} Q & R { stmt.list :: stmt.list } P 
R { stmt.list :: stmt.list; statement} Q; 
[ Another STATEMENTLIST rule. This is for the last statement of the 
statement list. The statement is processed. ] 
P { statement :: statement} Q 
P { stmt.list :: statement} Q; 
[ ----------------------------------------------------------------------
351 
---------------------- ASSERT ----------------------------------------
The ASSERT statement rule. The current assertion must imply the 
post condition and the assertion is passed up as the pre condition. ] 
SPECS. OF (SAME. STATE. OF(specexp» => Q 
SPECS.OF(SA1ffi.STATE.OF(specexp» { statement :: ASSERT specexp } Q; 
[ ----------------------------------------------------------------------
COMPOUND --------------------------------------
The COMPOUND statement rule. The body of the statement is processed] 
P { stmt.list :: stmt.list } Q 
P { statement :: BEGIN stmt.list END} Q; 
[ ----------------------------------------------------------------------
& 
& 
IF --------------------------------------------
The IF statement rule. The expression is processed for overflow, etc. 
Three paths are generated, the test expression being true and the 
execution of the THEN statement implies the post condition and the 
test expression being false and the execution of the ELSE statement 
implies the post condition. ] 
P { statement ;; statementl } Q 
R {{ statement :: statement2 } Q 
S pas.exp:: pas.exp } TRUE 
S & (SPECS.OF(pas.exp) =) P) & (NOT SPECS.OF(pas.exp) => R) 
{ statement:: IF pas.exp THEN statementl ELSE statement2 } Q; 
[ ----------------------------------------------------------------------
---------------------- ~IILE -----------------------------------------
The WHILE statement rule. Three paths are generated from the WHILE. 
The invariant assertion and the negation of the while test implies 
the post condition (terminating condition). The invariant and the 
test condition being true through the statement implies the post 
condition. The precondition of the rule is that the test expression 
is proper and the invariant is true. ] 
[ The path around the loop. The invariant is pushed 
through the body. The invariant and the test expression 
imply the result of the path. ] 
P { statement :: statement} SPECS.OF(SAME.STATE.OF(specexpl» 
& SPECS.OF(SAME.STATE.OF(specexpl» AND SPECS.OF(pas.exp) =) P 
$( The termination condition. The post condition for 
the body is that the counting expression at the 
352 
end of the body is less than that at the start. ) 
& R { statement :: statement} SPECS.OF(specexp2) < COUNTING.EXP 
AND SPECS.OF(specexp2) >= 0 
& RENAME.COUNTING.EXP(SPECS.OF(SAME.STATE.OF(specexpl» AND SPECS.OF(pas.exp) 
AND COUNTING.EXP = SPECS.OF(specexp2) => R) 
& S { pas.exp :: pas.exp } TRUE 
$( The path exiting the loop. ) 
& SPECS.OF(SAME.STATE.OF(specexpl» AND NOT SPECS.OF(pas.exp) => Q 
S & SPECS.OF(SAAfE.STATE.OF(specexpl» 
{ statement:: WHILE pas.exp ASSERT specexpl DECREASING specexp2 
DO statement} Q; 
[ ----------------------------------------------------------------------
---------------------- REPEAT ----------------------------------------
The REPEAT statement rule. The loop invariant is the post condition 
to the body. This invariant condition and the test expression implies 
the post condition and the invariant condition and the negation of the 
test expression implies the precondition of the statement. The 
precondition of the repeat statement and the test on the properness 
of the test expression is the precondition of the statement. ] 
[ The path around the loop. The invariant is pushed through 
the body. The invariant and the negation of the test 
expression imply the path through the body. ] 
P { stmt.list :: stmt.list } SPECS.OF(SAME.STATE.OF(specexpl» 
& SPECS.OF(SAME.STATE.OF(specexpl» AND NOT SPECS.OF(pas.exp) => P 
$( The termination condition. The post condition for 
the body is that the counting expression at the 
end of the body is less than that at the start. ) 
& R { stmt.list :: stmt.list } SPECS.OF(specexp2) < COUNTING.EXP 
AND SPECS.OF(specexp2) >= 0 
& RENAME.COUNTING.EXP(SPECS.OF(SAME.STATE.OF(specexpl» 
AND NOT SPECS.OF(pas.exp) 
AND COUNTING.EXP = SPECS.OF(specexp2) => R) 
& S { pas.exp pas.exp } TRUE 
$( The exit path from the statement. The invariant 
and the test expression implies the post condition. ) 
& SPECS.OF(SAME.STATE.OF(specexpl» AND SPECS.OF(pas.exp) => Q 
[ The entering path goes through the body once always ] 
S & P { statement:: REPEAT stmt.list UNTIL pas.exp 
ASSERT specexpl DECREASING specexp2 } Q; 
[ ----------------------------------------------------------------------
---------------------- ASSIGNMENT ------------------------------------
The ASSIGN~fENT statement rule. The variable and the expression are 
checked for proper semantics and the precondition of the assignment 
353 
is its post condition with the state of the assigned variable changed 
to reflect the assigned value. ] 
P { variable.access :: variable.access } TRUE 
& S { pas.exp :: pas.exp } P 
SAND IN.ASSIGN.BOUNDS (SPECS.OF(pas.exp), variable.access) 
& ASSIGN.RULE (variable.access, SPECS.OF(pas.exp), Q) 
{ statement :: variable.access := pas.exp } Q; 
[ ----------------------------------------------------------------------
--------------------.-- ARRAY ACCESS ---------------------------------
The ARRAY INDEXING rule. The indexing expression must be proper and 
the array variable must be valid. The precondition of this reference 
is the post condition, the validity tests, and the fact that the 
indexing expression is in the index set of the array. ] 
P { pas.exp :: pas.exp } Q 
& S { variable.access :: variable.access } P 
S AND IN.ARRAY.BOUNDS (SPECS.OF(pas.exp), variable.access) 
{ variable.access :: variable.access [ pas.exp ] } Q; 
[ ----------------------------------------------------------------------
---------------------- ARRAY REFERENCING ----------------------------
The ARRAY INDEXING rule. The indexing expression must be proper and 
the array variable must be valid. The precondition of this reference 
is the post condition, the validity tests, and the fact that the 
indexing expression is in the index set of the array. ] 
P { pas.exp :: pas.exp } Q 
& S { variable.ref :: variable.ref } P 
S AND IN.ARRAY.BOUNDS (SPECS.OF(pas.exp), variable.ref) 
{ variable.ref :: variable.ref [ pas.exp ] } Q; 
[ ----------------------------------------------------------------------
---------------------- RECORD ACCESS --------------------------------
The RECORD INDEXING rule. The record variable is checked for proper 
semantics. The precondition of the record reference is the post 
condition and the validity check on the variable. ] 
P { variable.access :: variable.access } Q 
P { variable.access :: variable.access . field.id } Q; 
[ ----------------------------------------------------------------------
---------------------- RECORD REF 
354 
The RECORD INDEXING rule. The record variable is checked for proper 
semantics. The precondition of the record reference is the post 
condition and the validity check on the variable. ] 
P { variable.ref :: variable.ref } Q 
P { variable. ref :: variable.ref . field.id } Q; 
[ ----------------------------------------------------------------------
---------------------- PROCEDURE -------------------------------------
The PROCEDURE CALL statement rule. The actuals are checked as being 
proper expressions. The precondition for the procedure call is that 
the expressions are proper; the values of the actuals are in the range 
of the formals; and that the effects of the procedure implies the 
post condition. All of the variables (in the actual list or referenced 
globally) which are possibly modified by the invocation of the procedure, 
must be renamed to signify their new values. ] 
P { pas.exp.list :: pas.exp.list } TRUE 
P AND ACTUALS.IN.RANGE (procedure.id, SPECS.OF(pas.exp.list» 
AND PRECONDITIONS.FOR (procedure.id, SPECS.OF(pas.exp.list» 
& POSTCONDITIONS.FOR (procedure.id, SPECS.OF(pas.exp.list» 
=) UPDATE.STATE (procedure.id, SPECS.OF(pas.exp.list), Q) 
{ statement :: procedure.id ( pas.exp.list ) } Q; 
[ ----------------------------------------------------------------------
FOR -------------------------------------------
The FOR statement (TO) rule. In this rule, tests are used 
to assert that the FOR loop is executed at least once. If the 
loop is executed then the invariant with the loop variable substituted 
by the final loop value implies the for loop post condition (with 
the loop variable renamed in the post condition). The 
invariant pushed through the statement implies the invariant with 
the loop variable bumped by one. The precondition of the for loop 
is that the range of values taken on by the loop variable is in its 
value set and that if the loop is not executed, then the post condition 
(with the loop variable renamed) is true and that if the loop 
is executed then the invariant is true with the identifier replaced 
by its initial loop value. ] 
[ The path around the loop. The invariant and the assertion 
that the loop variable is within the range of the loop 
implies the path through the loop to the invariant. ] 
P { statement :: statement} SPECS.OF(SAME.STATE.OF(specexp» 
& SPECS. OF (SAME. STATE. OF(specexp» 
AND SPECS.OF(loop.var) )= SPECS.OF(pas.expl) 
AND SPECS.OF(loop.var) < SPECS.OF(pas.exp2) 
=) ASSIGN.RULE(loop.var, SPECS.OF(loop.var) + 1, P) 
& S { pas.exp pas.expl} TRUE 
& R { pas.exp :: pas.exp2 } S 
355 
$( The exit path from the loop. The for stmt is 
assumed to have executed at least once and the 
loop variable in the invariant is replaced by 
the final expression. The invariant implies 
the path exiting from the loop. ) 
& SPECS.OF(pas.exp2) >= SPECS.OF(pas.expl) 
=> ASSIGN.RULE (loop.var, SPECS.OF(pas.exp2), 
SPECS.OF(SAME.STATE.OF(specexp» 
=> UPDATE.VAR.STATE (loop.var, Q» 
[ The precondition of the loop. The possible range 
of values of the loop variable must include the range 
of the loop ... ] 
R AND LOOPVAR.IN.RANGE (loop.var, SPECS.OF(pas.expl), SPECS.OF(pas.exp2» 
$( ... and if the loop is not executed then the post 
condition is true (with the loop var renamed) ... ) 
& SPECS.OF(pas.expl)> SPECS.OF(pas.exp2) 
=), UPDATE. VAR. STATE (loop. var, Q) 
$( ... and if the loop is executed, then the invariant 
pushed through the statement with the loop variable 
replaced by its initial value is asserted. ) 
& SPECS.OF(pas.exp2»= SPECS.OF(pas.expl) 
=> ASSIGN.RULE (loop.var, SPECS.OF(pas.expl), P) 
{ statement:: FOR loop.var := pas.expl TO pas.exp2 
ASSERT specexp DO statement } Q; 
[ The FOR statement (DOWNTO) rule. This rule is the same as the 
above TO version of the FOR rule with the following changes: 
The test of whether or not the loop is executed uses less-than rather 
than greater-than. The inductive step decrements the loop variable 
instead of incrementing it. ] 
[ The path around the loop. The invariant and the assertion 
that the loop variable is within the range of the loop 
implies the path through the loop to the invariant. ] 
P { statement :: statement} SPECS.OF(SAME.STATE.OF(specexp» 
& SPECS.OF(SA1ffi.STATE.OF(specexp» 
AND SPECS.OF(loop.var) <= SPECS.OF(pas.expl) 
AND SPECS.OF(loop.var) > SPECS.OF(pas.exp2) 
=> ASSIGN.RULE(loop.var, SPECS.OF(loop.var) - 1, P) 
& S { pas.exp :: pas.expl } TRUE 
& R { pas.exp :: pas.exp2 } S 
$( The exit path from the loop. The for stmt is 
assumed to have executed at least once and the 
loop variable in the invariant is replaced by 
the final expression. The invariant implies 
the path exiting from the loop. ) 
& SPECS.OF(pas.exp2) <= SPECS.OF(pas.expl) 
=) ASSIGN.RULE (loop.var, SPECS.OF(pas.exp2), 
SPECS.OF(SAME.STATE.OF(specexp» 
356 
=) UPDATE.VAR.STATE (loop.var, Q» 
[ The precondition of the loop. The possible range 
of values of the loop variable must include the range 
of the loop ... ] 
RAND LOOPVAR.IN.RANGE (loop.var, SPECS.OF(pas.exp2), SPECS.OF(pas.expl» 
$( ... and if the loop is not executed then the post 
condition is true (with the loop var renamed) ... ) 
& SPECS.OF(pas.expl) < SPECS.OF(pas.exp2) 
=) UPDATE.VAR.STATE (loop.var, Q) 
$( ... and if the loop is executed, then the invariant 
pushed through the statement with the loop variable 
replaced by its initial value is asserted. ) 
& SPECS.OF(pas.exp2) <= SPECS.OF(pas.expl) 
=) ASSIGN.RULE (loop.var, SPECS.OF(pas.expl), P) 
{ statewent :: FOR loop.var := pas.expl DOWNTO pas.exp2 
ASSERT specexp DO statement } Q; 
[ ----------------------------------------------------------------------
---------------------- CASE ------------------------------------------
The CASE statement rule. The selector expression is processed for being 
proper. The case.selects are processed. This is the 
recursive rule to handle the case.selects of the CASE statement. 
The statement on the selector is processed and the case statement 
rule is recursed to handle the other case selects. The post condition 
of this rule is the results of the other case selects AND that the 
selector expression being in the label list implies the precondition 
of the statement. ] 
S { pas.exp :: pas.exp } TRUE 
& P { case.vcg.stmt :: CASE pas.exp OF case.selects END} Q 
S AND IN.ALLCASE.LIST (SPECS.OF(pas.exp), case.selects) & P 
{ statement :: CASE pas.exp OF case.selects END} Q; 
R { statement :: statement} Q 
& P { case.vcg.stmt :: CASE pas.exp OF case.selects END} Q 
INCASELIST (SPECS.OF(pas.exp), const.list) =) R & P 
{ case.vcg.stmt :: CASE pas.exp OF 
case.selects ; const.list : statement END } Q; 
[ The last case selector is handled by this rule. It states that the 
fact that the selector is in the label list implies the precondition 
of the selected statement. ] 
P { statement :: statement } Q 
357 
INCASELIST(SPECS.OF(pas.exp), const.list) =) P 
{ case.vcg.stmt :: CASE pas.exp OF const.list statement END } Q; 
[ ----------------------------------------------------------------------
BINARY OP -------------------------------------
The BINARY expression rules. Each expression is evaluated for proper 
semantics. The precondition of these rules is the post condition and 
that each of the sUbexpressions is in the machine's value range. ] 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl AND pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl OR pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R AND IN.MACHINE.RANGE(SPECS.OF(rule.form» 
{ pas.exp :: pas.expl * pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R AND NOT (SPECS.OF(pas.exp2) = 0) 
{ pas.exp :: pas.expl DIV pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R AND NOT (SPECS.OF(pas.exp2) = 0) 
{ pas.exp :: pas.expl MOD pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
RAND IN.MACHINE.RANGE(SPECS.OF(rule.form» 
{ pas.exp :: pas.expl + pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R AND IN.MACHINE.RANGE(SPECS.OF(rule.form» 
{ pas.exp :: pas.expl - pas.exp2 } Q; 
358 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl = pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl <> pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl <= pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl < pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl > pas.exp2 } Q; 
P { pas.exp :: pas.expl } Q 
& R { pas.exp :: pas.exp2 } P 
R { pas.exp :: pas.expl >= pas.exp2 } Q; 
---------------------- UNARY OP --------------------------------------
The UNARY expression rules. The expression is checked for proper 
semantics and the precondition is that check and the fact that the 
expression does not overflow. ] 
P { pas.exp :: pas.exp } Q 
P AND IN.~~CHINE.RANGE(SPECS.OF(rule.form» 
{ pas.exp :: - pas.exp } Q; 
P { pas.exp :: pas.exp } Q 
P { pas.exp :: NOT pas.exp } Q; 
359 
[ ----------------------------------------------------------------------
---------------------- EXPRESSION LIST -------------------------------
The EXPRESSION LIST rule. Each expression of the expression list 
is checked for proper semantics. The precondition is this check. ] 
P { pas.exp :: pas.exp } Q 
& R { pas.exp.list :: pas.cxp.list } P 
R { pas.exp.list :: pas.exp.list, pas.exp } Q; 
[ This rule is an expression list containing one expression ] 
P { pas.exp pas.exp } Q 
P { pas.exp.list :: pas.exp } Q; 
[ ----------------------------------------------------------------------
---------------------- FUNCTION CALL ---------------------------------
The FUNCTION CALL expression rule. The actuals are checked for 
proper semantics. The precondition of the function call is the 
test of the actuals and the condition that the actuals be in the value 
range of the formals. The function invocation is specified to be 
equal to its specification derivation. ] 
P { pas.exp.list :: pas.exp.list } Q 
P AND ACTUALS.IN.RANGE (function.id, SPECS.OF(pas.exp.list)) 
AND PRECONDITIONS.FOR (function.id, SPECS.OF(pas.exp.list)) 
{ pas.exp :: function.id ( pas.exp.list ) } Q; 
360 
CHAPTER 11 
HOM-PASCAL CODE VERIFICATION SYSTEM - DESCRIPTION OF OPERATION 
361 

The P ASCAL-HDM Verification System 
1. Introduction 
This document describes the PASCAL-HDM verification system. This system 
supports the mechanical generation of verification conditions from 
PASCAL programs and HDM-SPECIAL specifications using the Floyd-Hoare 
axiomatic method [2]. Tools are provided to parse programs and 
specifications, check their static semantics, generate verification 
conditions from Hoare rules, and translate the verification conditions 
appropriately for proof using the Shostak Theorem Prover [7]. 
This document is mostly an overview and assumes that the reader is well 
acquainted with the languages involved and the theory of program 
verification. Hence an understanding is assumed of the PASCAL manual 
[3], the HDM handbook [6,8,4], verification techniques [2], 
mathematical logic and induction [1], and the Shostak Theorem Prover 
[7]. In addition, it would be most helpful if the reader is practiced 
in programming, hopefully in the PASCAL computer language and has at 
least studied program specifications and preferably written some. 
Experiences in proving theorems either using a mechanical theorem prover 
or by hand is also useful. 
This document explains the differences between standard PASCAL and the 
language handled by this system. This consists mostly of restrictions 
to the standard language definition, the only extensions or 
modifications being the addition of specifications to the code and the 
change requiring the reference to a function of no arguments to have 
empty parentheses (this was done to remove a very irritating syntactic 
anomaly from the language). Even the ridiculous expression precedence 
rules of PASCAL have been scrupulously followed. This means that 
different operator precedence is in effect inside the specifications of 
the code. Other than these changes, it is hoped that any program which 
parses and checks in this system will compile without error. 
The syntax and semantics of HDM-SPECIAL has been modified, subseted, and 
extended as necessary to support code proofs and to allow formal 
manipulation. This is detailed in sections 2 and 3. Examples of PASCAL 
programs and their specifications are shown in appendix A. 
Section 3 explains the detailed theory of verification in this system 
and how verification conditions are generated. This includes 
explanations of the meaning and use of each part of HDM-SPECIAL for code 
proofs and the method of generating verification conditions. 
The verification conditions are proven using the Shostak Theorem Prover 
which requires a certain form describing the context and syntax of the 
mathematical formulae. How the transformation is done and the resulting 
form is described in section 4. 
Finally section 5 describes how to use the system. 
363 
,2. Language Definitions 
The actual grammar of the subset of PASCAL handled is shown in appendix 
B. The form of the grammar is a slightly nonstandard BNF form. 
Nonterminals in the grammar are represented as lowercase words, terminal 
symbols are delineated by double quote marks. the grammar consists of a 
list of productions, each production consists of a nouterminal being 
defined, the symbol '::=' and a list of alternative definitions, 
separated by a '1'. Each alternative is a sequence (possibly empty) of 
terminals and nonterminals with repetitions of sequences denoted by a 
sequence enclosed in '{' and '}'. The list of alternatives is 
terminated by a' '; '. Hence a PASCAL procedure call might be written as: 
proc.call ::= id "(" exp {"," exp} H)" 
The semantics of the PASCAL constructs are the same as the usual 
semantics except for some restrictions. These restrictions are 
motivated from two different sources. The first set of restrictions are 
necessary to allow for a formal definition of the semantics of PASCAL. 
Such things as floating point arithmetic cannot be axiomatized and must 
be removed from the language. Most of the restrictions are reflected in 
the grammar definition and the rest are the usual restrictions imposed 
on the language for verification purposes. The other restrictions to 
the language are restrictions on where variables may be referenced or 
modified and what routines may be called where. These restrictions 
check that the PASCAL implementation corresponds to the structure of the 
HDM specification. These two sets of restrictions are checked 
separate ly . ' 
The HDM-SPECIAL language grammar is given later. The syntax corresponds 
closely to handbook HDM but has some changes as well as omissions. The 
intended semantics of HDM-SPECIAL is described in the next section 
dealing with verification condition generation. 3. Verification 
Condition Generation 
There are three main semantic aspects of a PASCAL program to be dealt 
with during verification condition generation. These are the control 
flow of the program, the change of state caused by operations, and the 
satisfaction of certain necessary conditions for proper execution and 
termination of the program. These are very different aspects of the 
program and are described and handled separately. 
The flow of control through a PASCAL program (or the path analysis) is 
solely dependent on the semantics of PASCAL statements which change the 
flow and are not dependent on the program specifications. This control 
flow is described using weakest precondition Hoare rules and manipulated 
using the MetaVCG [5]. The Hoare rules used by the system are shown 
later. The action of the MetaVCG is described in the referenced paper 
and produces verification conditions through a simple pattern matching 
and substitution algorithm which uses only a PASCAL program segment and 
the Hoare rules. the verification conditions which result from applying 
the Hoare rules to an example PASCAL program are shown later. 
364 
Various conditions are necessary to ensure the absence of execution time 
errors and proper execution. Possible execution time errors include 
overflow, underflow, array index out of bounds, and assignment out of 
range. Proper execution consists mainly of proving the preconditions to 
functions and procedures. These conditions are referred to in 
functional terms throughout the Hoare rules. Each function is expanded 
out into a boolean expression before the verification condition is 
proven. 
The state during the execution of a program is specified and changed as 
indicated by and according to the HDM model. Only two PASCAL statements 
are allowed to change the state, the assignment and procedure call 
statements. The procedure call is the main point during verification 
condition generation where the semantics of PASCAL and SPECIAL interact. 
There are references in the Hoare rules to functions which capture these 
semantics. These functions are listed at the end of the chapter. 
At this point, it is relevant to discuss the semantics of a SPECIAL 
module specification and the correlation between specifications and 
code. A module definition consists of types, parameters, definitions, 
assertions, invariants, and functions. 
The types are as described in the HDM handbook except that the only 
types supported are INTEGER, BOOLEAN, enumerated types, VECTOR, STRUCT, 
and SET. there is no DESIGNATOR type or UNION types. These types are 
meant to correspond to the PASCAL types INTEGER, BOOLEAN, scalar, ARRAY, 
and RECORD types. There is no correspondence to the SPECIAL SET type 
which can only be used for specification purposes. Whenever a 
correspondence between a PASCAL and SPECIAL declaration is necessary, 
the above correspondence between types is required. 
Parameters come in two flavors, symbolic and functional. Although 
symbolic parameters are equivalent to constant functional parameters, 
they are distinguished because of the difference in their correspondence 
to the PASCAL. Symbolic parameters are considered to be constant values 
and if they have an implementation, then the implemented value must be 
kept constant. The obvious correspondence of symbolic parameters is to 
PASCAL CONST declarations. However, PASCAL CONSTs are only allowed to 
be simple scalar types so it is also allowed to have a symbolic 
parameter correspond to a PASCAL global variable with the restriction 
that the variable never be modified. Functional parameters are 
considered to be un interpreted mathematical function symbols and never 
have an implemented correspondence. Functions which are meant to be 
implemented must be specified in the FUNCTIONS paragraph. 
The ASSERTIONS paragraph of handbook HDM has been extended into two 
paragraphs, the ASSERTIONS and the INVARIANTS. The assertions are 
restrictions on the value space of the parameters only. Only constant 
values of SPECIAL including the symbolic and functional parameters of 
the module can be referenced. Symbolic parameters need not be 
restricted in the assertions since their value can be restricted in the 
mapping. However, there is little point in failing to restrict a 
functional parameter since without the restriction, the function can 
365 
THIS PAGE INTENTIONALLY LEFT BLANK 
366 
have any value and little can be proven about it. In code proofs, 
assertions can be assumed to be always true since if the assertions are 
initially true and the values are constant, then they must be always 
true. Assertions about implemented constants must be shown to be 
satisfied by the actual implemented value. Hence such assertions are 
guaranteed to be consistent. 
It should be noted with some caution that assertions about uninterpreted 
symbolic parameters or parameter functions can be inconsistent in such a 
way as to render the proof trivial. Care must be taken to assure that 
there exists a mathematical function which satisfies all of the 
constraints. Mechanical assistance in this process is not currently 
available. 
INVARIANTS are constraints on the values allowed to be taken on by the 
state functions (VFUNs). This might include value range restrictions or 
constraints on the relative values of a set of state functions. These 
invariants must be true in the initial state of the state functions and 
must be proved to be true after each invocation of a state changing 
operation of the module. This is done by assuming the invariants to be 
true in the state before the invocation of the operation and assuming 
the effects of the operation imply the invariants in the post state. To 
help in the proof of the code, the invariants can be assumed to be true 
in the state at the beginning of the code. The invariants of the lower 
machine can be assumed to be true in all states of the upper machine. 
The FUNCTIONS paragraph is used to specify the state and operation 
functions. The state functions capture the state of the module and 
intuitively correspond to the state of the machine during execution. 
This correspondence is never actually specified but for proof purposes 
is assumed. The operations of the module provide the only way to modify 
the state of the module. These operations must correspond directly to 
an operation in the implementation. An operation which is either not 
implemented or not specified cannot be proven. 
A VFUN (value-function) is used to represent a state function of the 
module. It has optional parameters and represents a set of values 
depending on the state the module is in. Handbook HDM allows VFUNs to 
be either a state function or an operation and distinguishes between 
HIDDEN and VISIBLE, and between PRIMITIVE and DERIVED. As will be 
described later, all aspects of the state are HIDDEN. For the sake of 
simplicity, all VFUNs are PRIMITIVE with OVFUNs being used in place of 
DERIVED VFUNs. This means that all VFUNs are state functions. Besides 
formal parameters, VFUNs have an optional INITIALLY clause which is used 
to specify the initial value of the VFUN. The initialization of the 
implementation state is described later. These INITIALLYs are used to 
prove the INVARIANTS as described above. 
The operations of a module are specified as OFUNs (operation functions) 
or OVFUNs (operation-value functions). They differ only in that an 
OVFUN returns a value while an OFUN does not. There are three clauses 
of an operation, the preconditions, the exception conditions, and the 
367 
postconditions. The preconditions are the ASSERTIONS and are 
constraints on the allowed values of the input parameters and the state 
of the module. The EXCEPTIONS are a set of conditions under which the 
operation is aborted during execution. The postconditions are the 
EFFECTS and describe the effect the operation has on the state of the 
module. 
The meaning of the operation specification is most easily described in 
terms of its correlation with the corresponding PASCAL operation. An 
operation in PASCAL is represented as a PROCEDURE or a FUNCTION. 
Usually, an operation is implemented as a PROCEDURE though some simple 
operations can be FUNCTIONS. there is a strict correspondence required 
between the specification and the code in order for the proof process to 
work. The correspondence in the header of an operation is a name 
correspondence. The name of the OFUN or OVFUN must be the same as the 
name of the PROCEDURE or FUNCTION. The input parameters must agree in 
number, name and type. The output parameter, if any, must agree in name 
and in type. The way a value is returned in an implementation depends 
on whether a FUNCTION or PROCEDURE is used. The value of a PROCEDURE is 
returned through an additional VAR parameter of the same name and type 
as the returned symbol in the OVFUN. In·the implementation, the value 
is returned through this parameter. In PASCAL, the type of the returned 
value of a FUNCTION given in the header must be the same type as the 
returned symbol in the OVFUN. The value to be returned is indicated by 
an assignment to the name of the FUNCTION as in normal PASCAL. Because 
of restrictions inherent in the proof process, a PASCAL FUNCTION is only 
allowed as the implementation for an OVFUN under very restrictive 
circumstances. Under some assumptions, an implemented expression can be 
treated as a purely mathematical expression which is very convenient for 
proof purposes. Some of these assumptions are checked during 
verification, such as the absence of errors like overflow. Some 
assumptions such as the totality of functions and the commutivity of 
certain mathematical operations are ensured through restrictions on 
FUNCTIONS. 
As for the restrictions under which a FUNCTION can be the implementation 
of an OVFUN: first, PASCAL only allows a FUNCTION to return a simple 
scalar type, therefore the OVFUN being implemented must return such a 
simple type. Functions are not allowed to have side effects (and 
therefore cannot change the state of the module) for they could possibly 
invalidate the assumptions of the commutivity of certain mathematical 
operations. To keep them total, OVFUNs having a FUNCTION implementation 
cannot have exceptions and must therefore always return a value. 
The ASSERTIONS of an operation is a set of preconditions which must be 
satisfied at the invocation of the operation. These preconditions must 
be proven at every invocation of this operation to assure that the 
partial function which the operation implements has a computable value. 
These preconditions are assumed to be true when proving the operation. 
The ~XCEPTIONS section allow the specification of abnormal returns from 
the operation. This usually occurs because the current state of the 
368 
module prevents the completion of the operation. This differs from the 
assertions in that preconditions are proved to be true while exceptions 
are proved to be handled correctly during execution. The preferred way 
for the programming language to handle the exception condition is by an 
automatic change in the flow of control as in ADA. PASCAL does not 
support the handling of exceptions so the actual use appears to be more 
like a multi-return mechanism. The EXCEPTIONS section consists of a 
list of exception conditions, each condition having three parts, the 
name of the exception, the condition under which the exception is 
raised, ann a postcondition describing the change of state associated 
with the exception return (note that this can include a specification of 
the returned value). The allowance for a change of state on an 
exception is a relaxation of the constraints on conditions described in 
the HDM Handbook [6, 8, 4]. This postcondition is optional, and if 
missing, indicates that no state change occurred. 
The method for associating the specified exceptions with the implemented 
program is rather arbitrary and unesthetic due to the complete lack of 
any facilit.y in PASCAL. The approach chosen is meant to be flexible, 
simple, and not dependent on very much additional proof mechanism. To 
indicate and handle exceptions, it is necessary to communicate to the 
calling environment which, if any, exception has been raised. This is 
done through a special global variable EXC which must be declared of the 
correct type in the implementation. If the operation has exceptions, 
then the variable EXC is set to either NORMAL_RETURN in the case where 
there is no exception raised or to the name of the raised exception, as 
indicated in the specification of the exception conditions. Therefore, 
the variable EXC must be declared as an scalar type consisting of the 
name NORMAL_RETURN and all of the exception names in any implemented 
operation. On return from an operation which may have raised an 
exception, the program may either test the EXC variable or may assume 
that no exception was raised. In the latter case, it will be necessary 
to prove that no exception occurred in order to benefit from the effects 
of the operation in the proof. The actual postcondition which is 
created during the verification condition generation process is a 
combination of the EXCEPTIONS and EFFECTS sections and is described 
immediately below. 
The postconditions of an operation is a specification of the effects the 
operation has on the state of the module. For the normal return this is 
captured in the EFFECTS section. The usual and most usable form is to 
specify the new state of each state function in terms of the old state 
function, universally quantified over the formal parameters. The actual 
postcondition is a combination of the exceptions and the effects. Each 
set of effects, the normal ones and each of the exception effects are 
guarded by the value of the special variable EXC in the form of an 
implication. For each possible change of state, there is assumed a 
clause of the form "EXC = name =) effect". The values that EXC might 
take on under various conditions is specified in an IF expression. In 
the order that the EXCEPTIONS are listed (order is important), each 
exception condition is the conditional expression of an IF with the then 
part specifying the resulting value of EXC. the final else specifies 
369 
that "EXC = NORMAL_RETURN". Hence the IF expression looks like: 
IF condl TIffiN EXC = namel ELSE IF cond2 THEN EXC = name2 ... ELSE EXC = 
NOR~W. _ RETURN 
If the normal return effects are necessary in a proof, they can be 
extracted from the implication described above by proving that EXC = 
NORMAL RETURN. This can be done by either testing for the equality in 
the code or by proving that none of the exception conditions could have 
occurred thereby reducing the above IF expression to the desired 
equality. Thus the code can efficiently ignore the possibility of an 
exception if it can be proven to be impossible. 
Throughout these specifications of the change of state to VFUNs, it is 
implicit that no specification of the new value of a VFUN implies that 
no change occurred. This is supported by automatically creating the 
expressions which explicitly state this. 
A program is verified by proving that the accumulated state changes from 
each procedure call implies the desired change of state for the entire 
routine. Each procedure call describes its associated state change by 
specifying the new state of each state function in terms of the state 
just before the procedure call. Hence a series of procedure calls 
describes a progression of ever new states which are entered as a result 
of each procedure call. Intermediate and final assertions for the code 
still speak in terms of the new state and the old state. During 
execution of the code, many states are entered however. There is 
therefore a concept of the current state in the verification condition 
generation process. The effects of an operation are considered to be 
universally quantified over the state and reference the current and 
previous state. When a procedure call is encountered, the current state 
is considered changed to a new state and the effects of the operation 
are instantiated to the current and previous states where all quoted 
references to a state function are references to the current state and 
all unquoted references are to the previous state. 
The quoted or unquoted reference to a state function is only sufficient 
to distinguish two states while many states may be encountered during a 
routine. For this reason, the notation for the state of a VFm~ is 
changed during the verification condition generation process. The state 
of a VFUN is indicated by extra parameters to the VFUN. These extra 
parameters indicate the kind of state and the current "state" of the 
state. There are different states for each lower module and a different 
state for the path which starts at the beginning of a program. When a 
state change occurs, the state is modified by embedding it in a call to 
the function NEXT. Hence if the state is "NEXT (STACK_MOD.STATE)" then 
the new state would be "NEXT (NEXT (STACK_MOD.STATE»". The state 
parameters which each VFUN has depends on the module containing that 
VFUN. VFUNs of the lower modules have one state, the state of that 
module. VFUNs of the upper module have a set of states, one for each 
lower module. This is because the state of the upper module is 
completely dependent on the state of the lower modules. Also, since 
370 
definitions are allowed to reference VFUNs, they also have state 
parameters. 4. Transformation to STP 
The verification system produces formulae which if theorems, demonstrate 
that the code is consistent with the specifications. These formulae may 
be inspected by the user and accepted as theorems, or they may be given 
to a mechanical theorem prover for proof. An interface has been 
provided to the Shostak Theorem Prover (STP) which uses a decision 
procedure for linear arithmetic on ground formulae. The theorem prover 
will attempt to produce a proof automatically, but it is usually 
necessary for the user to help the theorem prover with various 
instantiations and axioms. The following discussion will presume some 
understanding of the syntax and method of STP. 
The complete environment of a verification condition must be passed to 
STP. The LEF command of STP assumes the file to be a list of STP 
commands such as DA (declare axiom), OF (define formula), PR (prove). 
The file is passed through once, so objects must be declared before they 
are referenced. Hence the verification system produces a file of 
declarations for the theorem prover of each object which is referenced 
directly or indirectly by the verification conditions to be proven. 
The objects to be declared fall into categories: types, variables, 
constants (functions of zero or more arguments), definitions, axioms, 
formulae, and calls to prove . 
. Types are declared with the STP command DT. The types are the primitive 
types of the theorem prover: INTEGER, BOOLEAN, STATE, and any scalar 
types. INTEGER and BOOLEAN are already primitive types in STP (BOOLEAN 
being called BOOL). The scalar types are defined as primitive types and 
axioms given about the scalar names of the type. 
The variables of STP are typed names which appear as "free" variables in 
the declarations and formulae and appear in DSV declarations. For 
example, the formal names of a definition are "free" variables, as are 
universally quantified variables. All of the names which appear in such 
a position are declared as STP variables. 
Constant functions are those objects which have a fixed, though possibly 
unknown value and are declared in a DS. The local variables of the 
vcgened routine are constant functions of no arguments. The VFUNs of 
the lower modules are functions with state arguments. Also included are 
recursive definitions or definitions with free variables, as described 
below. 
Definitions include the special definitions found in the modules and 
map. PASCAL functions can be considered to have a definition if the 
EFFECTS of the corresponding OVFUN is of the form "v = def". Upper 
VFUNs are defined in terms of the mappings. All of these SPECIAL 
definitions are translated into STP definitions (DO) unless they violate 
one of the constraints on STP definitions. Such restrictions include no 
recursive or mutually recursive definitions and no free variables in 
371 
definitions. When a SPECIAL definition cannot be expressed as an STP 
definition, it is declared as a constant function (OS) and the 
definition expressed as an axiom. 
Axioms appear as a DA in STP and arise from a variety of sources in the 
verification system. Axioms include the assertions of the modules and 
the map, the invariants of the lower modules. and the hypotheses of the 
verification condition to be proven. Also included are the bodies of 
SPECIAL definitions which have not been translated into an STP 
definition. 
Formulae are declared with a OF and are the conclusions of verification 
conditions to be proven. They are proven using the PR command. 
The STP file produced for the verification conditions of PUSH are shown 
later on in the chapter. 
372 
[1) 
[2] 
[3] 
[4] 
[5] 
[6] 
[7] 
[8] 
REFERENCES 
Robert Boyer and J Strother Moore. 
~ g9!p~~~~i9Q~! k9gi~· 
Academic Press, 1979. 
R.W. Floyd. 
Assigning meaning to programs. 
M:!!:h~!~H~~! ~:;:E!:£~~ !:2 99!P!!!!£!: §~!~Q~!: 19:19-32, 1908. 
K. Jensen and N. Wirth. 
g~~r M:!Q~~! ~g~ B!:P9r!!· 
Springer-Verlag, 1974. 
K. Levitt, L. Robinson, and B. Silverberg. 
l~M U:!Q~~~~,Y9!~!!: I!!: ~ Q!:!:~!!!:~ ~~~!p!£ iQ ~h£ y~£ 9f HQM· 
CSL Report 95 for Project 4828, SRI International, June, 1979. 
M. Moriconi and R. Schwartz. 
~!!~2!~!:i~ g2Q§~!:!!~~i9Q 9f Y!:!:ifi~~!!i9Q 99Q~i!!i9Q Q!:Q!:r~!!9!:~ f!:9~ 
U9~r!: k9gi~~· 
Technical Report CSL-125, SRI International, April, 1981. 
Presented at the 8th International Colloquium on Automata, 
Languages, and Programming, Haifa, Israel and Springer-Verlag 
Lecture Notes in Computer Science, July, 1981. 
L.Robinson. 
ffDM U:!~Q~2Q~, YQ!!!~!: !: Th!: EQ!!Q~~!!i2Q§ 2f l~M· 
CSL Report 93 for Project 4828, SRI International, June, 1979. 
R. Shostak, R. Schwartz and P.M. Melliar-Smith. 
STP: A Mechanized Logic for Specification and Verificat.ion. 
1981. . 
Submitted to Working Conference on the Formal Description of 
Programming Concepts. 
B.Silverberg, L.Robinson, and K. Levitt. 
ffDM H:!~~~Q2~' YQ!~~!: I!: Th!: k~Qg!!~g!:~ ~Q~ T~!~ Qf HQM· 
CSL Report 94 for Project 4828, SRI International, June, 1979. 
373 

CHAPTER 12 
HOM-PASCAL CODE VERIFICATION SYSTEM - USERS MANUAL 
375 

HDM/Pascal Verification System User's 
Manual 
Dwight Hare 
The HOM/Pascal verification system is a tool for proving the correctness 
of programs written in Pascal and specified in the Hierarchical Development 
Methodology (HOM). This document assumes an understanding of Pascal, 
IIDM, program verification, and the STP system. 
The steps toward verification which this tool provides is parsing programs 
and specifications, checking the static semantics, and generating verification 
conditions. Some support functions are provided such as maintaining a 
database, status management, and editing. 
The system runs under the TOPS-20 and TENEX operating systems and is 
written in INTERLISP. However, no knowledge is assumed of these operating 
systems or of INTERLISP. The system requires three executable files, 
}ID~NCG, PARSE, and STP. Optionally, the editor EMACS should be on the 
system in order for the editor to work. The file HD~CG is invoked to 
run the system. It uses the files PARSE and STP as lower forks to perform 
the functions of parsing and proving. 
When the system is invoked, the user is at command level. The 
commands which can be executed at command level are described below. 
The command scanner accepts input a character at a time and beeps if 
any character is not legal at that point. A question mark is accepted 
almost anywhere and responds with all of the available options. When 
a part of a command or name is recognized, the unique part is filled 
out automatically. Even though a part has been recognized, the user 
is allowed to keep typing the characters of the command or name. This 
is terminated when a space or carriage return is typed. Most commands 
have several parts to them, each separated by explanatory material in 
parentheses. An example command with the parts typed by the user in 
UPPER case or user typed blanks as underscores: 
PArse_(language) Pascal_(from file) STACK.PAS_ 
The command can be terminated by a blank or a carriage return. The 
entry of a command name or a subcommand name can be aborted with 
<delete> or <rubout> (ascii code 177 octal) whereupon the current 
subcommand will be reprompted. Commands can be aborted completely 
by typing control-D. This returns to the command level either while 
entering a command or while the command is executing. The system is 
not entirely safe from problems arising from user aborts except during 
command input. Such aborts should be used sparingly. When the user 
is prompted for a file name, full file recognition is supported with 
<escape> and control-F. Wildcard selections are not acceptable. 
The system maintains a database of global objects which can be 
referenced in commands. These global objects include the Pascal 
global constants, types, variables, routines, and the Special modules, 
maps, parameters, types, definitions, vfuns, ofuns, and ovfuns. 
Objects can be added to the database at any time with the "Parse" 
command or the "Edit" command (by editing an object and changing the 
name). Redefining an existing entry will have the effect of 
removing any VCs which have been generated but any other objects 
which depend on the changed object must be reprocessed at the 
responsibility of the user. 
The system uses temporary scratch files to communicate between the 
377 
sub forks and to hold the database. The database and parse temporary 
files are opened in the user's directory and will be automatically 
deleted in time. The files used to communicate events between the 
system and STP are not temporary files so that proofs can be reattempted 
at the user's leisure. These files should be manually deleted when 
they are no longer needed. 
Any problems with this system should be reported to: 
Dwight Hare 
Arpanet address: DlL\RE@SRI-CSL 
EL395 
SRI International 
333 Ravenswood Ave. 
Menlo Park, Cal. 94025 
Command Summary 
On-line documentation can be gotten through the? and HELP commands. 
A question mark can be typed during the completion of any command except 
during file name input. All of the available options are given in 
response. The help command is a top level command and gives a short 
description of each top level system command. The help command takes 
one argument, the name of a system command. 
The main system commands are for parsing in code and specification files, 
checking the input, generating verification conditions, and proving the 
VCs. The command for parsing files is PARSE. It takes two subcommands, 
the language being parsed, either PASCAL or SPECIAL and a file to 
parse from. The effect of this command is to add the objects contained 
in the file to the database. 
The CilliCK command takes the name of an object and a property to check, 
either the PASCAL, the SPECIAL, the IIDM, or the CORRESPONDENCE. The 
Pascal and Special checks are that the semantics of the object do not 
violate the·Pascal or Special semantics. This involves mostly type 
checking and other constraints imposed in the language definition. 
These semantics are defined in a pseudo denotational semantic way and 
explained in another document. When an error is discovered, it is 
presented as a violation of an assertion of the semantic definition. 
At present, the user interface is crude and it takes some experience 
to discover the source of the error. During this phase, information 
is gathered into a symbol table which is used by the other two checks 
and by the vcgen process. The HDM check is concerned with discovering 
violations in the hierarchy. This includes checking that the hierarchy 
is a proper tree and that the pascal program doesn't violate the 
hierarchy. The correspondence check is between the Pascal and Special 
forms of an object. An object which has a Special representation as 
a PARAMETER can only have a corresponding Pascal representation as a 
CONST. A Special OFUN or OVFUN corresponds to a Pascal FUNCTION or 
PROCEDURE. Special TYPES correspond to equivalently defined Pascal 
TYPES. 
After the Pascal and Special have been parsed and checked, verification 
conditions can be generated. VCs are generated for operations or modules. 
An operation is a Special OFUN or OVFUN and a Pascal FUNCTION or PROCEDURE. 
The command to generate verification conditions is VCGEN. The vcgen 
process normally has three steps, metavcg, postprocessing, and simplifying. 
These steps can be done separately if desired by invoking the METAVCG, 
378 
POSTPROCESS, and SIMPLIFY commands. The vcgen of an operation consists 
of taking the Pascal routine through the Pascal Hoare rules with the 
metavcg. This serves to transform the code into Special formulas which 
can be further processed without regard to the initial Pascal form. The 
postprocess phase makes the state and state changes explicit and expands 
functions referenced in the Hoare rules. The simplify phase performs 
relatively trivial localized simplifying transformations to the VCs to 
make them more readable. The VC generation for a module does not have 
a metavcg step for there is no Pascal code involved. The module 
invariants and assertions must be proved to be true in the initial 
state and after each operation of the module. 
After VCs have been generated, they can be proven in STP 
through the PROVE command. The prove command takes the name of 
an object for which VCs have been generated. This command generates a 
file of events suitable for STP and starts up the STP program on the 
file. Control is returned to the system by the LOGOUT function performed 
in STP. This is usually done automatically unless a lisp abort is done 
during proof. No record is kept currently of any proofs done. 
The status of the system can be obtained through two commands. STATUS 
shows the current status of any or all objects in the system. It 
t.akes two arguments, the name of an object and the aspect being 
inquired about. This includes what has been parsed and checked and 
whether VCs have been generated. The SHOW command can be used to 
print the Special or Pascal forms of the object and the VCs. It 
takes the name of the object and the form to be printed. 
The database can be modified (other than by parsing in files) by some 
database commands. The database can be cleared and put into the 
initial state with the FLUSH command which takes no arguments. The 
current state of the system can be saved on a file with the SAVE 
command. This command requests if the database is to be flushed after 
saving and prompts for a filename to save the state on. If the database 
is to be flushed, the current disk file which holds the database becomes 
the save file. Hence saving and flushing is much more efficient than 
saving and maintaining the state. This would be the expected mode when 
the system is saved and exited to be continued another time. The 
RESTORE command restores the state of a system previously saved with 
the save command. It asks if the save file can be overwritten and prompts 
for the name of the save file. If the save file can be overwritten, then 
it can become the current database which is much quicker and more efficient 
than not allowing the save file to be modified. This would normally be 
done when it is desired to continue work on a previously saved system. 
The EDIT command can be used to edit the Pascal or Special form of an 
object in the database. This is done by pretty printing the form into 
an emacs buffer and dropping the user down into emacs. The normal emacs 
commands work except the <control-T> command which is modified to allow 
commands to be transmitted back to the system. The command <control-T> 
<control-T> has the effect of a single <control-T> in emacs. The command 
<control-T><control-Z> returns to the system without any action being 
taken. The command <control-T><control-E>.exits emacs and calls the parser 
on the edited buffer with the parsing starting from where the cursor was 
left. It is usual that the entire buffer is to be parsed, so the user should 
be careful to put the cursor at the top of the buffer before exiting. If 
emacs does not exist on the site then the edit command will not work properly. 
A session in the system can be logged with the LOG command. It takes the 
name of a file to log on. A log file can be closed with the CLOSE command. 
379 
Various operating system functions can be performed from inside of the 
system. The QUIT command exits the system and returns to the exec level. 
The EXEC or PUSH command forks off an inferior exec if the site has 
an EXEC program on the <SYSTEM> directory. The DIRECTORY command takes 
a file specification (without any escape conventions but with wild cards) 
and prints the directory listing. The CONNECT command takes the name of 
a directory and attempts to connect to that directory requesting a password 
if necessary. The DAYTI~ffi command shows the current day and time. The 
SYSTAT comm~nd does an exec systat if it exists. The TYPE command takes 
a file name and types that file to the terminal. 
The ; command allows comments to be typed for links or logs. It ignores 
everything typed up to a carriage return. 
Parts Unimplemented 
Currently t.he following are not implemented. The datatypes ARRAY, RECORD, 
and SET are not handled properly. They should not be used. The HDM 
and Correspondence checks are not done and any errors in the code or 
specifications will cause unusual and incorrect behaviour during vcgen. 
The special STP symbols such as PLUS, IMPLIES, BOOL, etc are not 'checked 
for and any program which uses these names will cause errors during proof 
time. 
380 
CHAPTER 13 
HDM-PASCAL CODE VERIFICATION SYSTEM - SIMPLE EXAMPLES 
381 

THIS PAGE INTENTIONALLY LEFT BLANK 
383 

MODuLE stack 
PARAMETERS INTEGER max stack_size; 
ASSERTIONS max stack size> 0 AND max stack size < maxint; 
INVARIANTS ptr() >= 0 AND ptr() <= max_stack_size; 
FUNCTIONS 
VFUN stack val (INTEGER arg) -> INTEGER v; 
VFUN ptr () -> INTEGER v; 
initially v = 0; 
OFUN push (INTEGER v); 
EXCEPTIONS 
full_stack: ptr () >= max_stack_size-1; 
EFFECTS 
'ptr () = ptr () + 1; 
FORALL INTEGER j 
'stack_val(j) = IF j = ptr () + 1 THEN v 
ELSE stack_val(j) END_IF END_FORALL; 
OVFUN pop () -> INTEGER v; 
EXCEPTIONS 
empty_stack: ptr() = 0; 
EFFECTS 
END MODULE 
v = stack_val(ptr()); 
'ptr() = ptr() - 1; 
MODULE array_mod 
PARAMETERS INTEGER Maxarraysize; 
ASSERTIONS Maxarraysize > 0 AND Maxarraysize < maxint; 
FUNCTIONS 
VFUN read (INTEGER arg) -> INTEGER v; 
OFUN write_op (INTEGER arg, val); 
ASSERTIONS 
arg >= 0 AND arg < Maxarraysize; 
EFFECTS 
FORALL INTEGER j : 
'read (j) = IF j = arg THEN val ELSE read(j) END_IF END_FORALL; 
OVFUN read_op (INTEGER arg) -> INTEGER v; 
ASSERTIONS 
arg >= 0 AND arg < Maxarraysize; 
EFFECTS 
v = read(arg); 
END MODULE 
MAP stack TO array_mod; 
385 
MAPPINGS 
ptr () : read(O); 
stack_val (INTEGER arg) : IF arg > 0 TIffiN read(arg) ELSE 0 END_IF; 
max_stack_size = Maxarraysize - 1; 
386 
CONST 
max stack size = 10; 
Maxarraysize = 11; 
TYPE exc kinds = (normal_return, full_stack, empty_stack); 
VAR exc : exc_kinds; 
FUNCTION read_op (arg 
BEGIN END; 
INTEGER) INTEGER; 
PROCEDURE write_op (arg, val 
BEGIN END; 
INTEGER) ; 
PROCEDURE stack_init; 
BEGIN 
write_op(O, 0) 
END; 
PROCEDURE push (v : INTEGER); 
VAR pointer : INTEGER; 
BEGIN 
pointer := read_op(O); 
IF pointer )= max_stack_size-l 
THEN exc . - full stack 
ELSE 
BEGIN 
write_op(O, pointer+l); 
write_op(pointer+l, v); 
exc .- normal return 
END 
END; 
PROCEDURE pop (VAR v : INTEGER); 
VAR pointer : INTEGER; 
BEGIN 
pointer := read_op(O); 
IF pointer = 0 THEN exc := empty_stack 
ELSE 
END; 
BEGIN 
v := read_op(pointer); 
write_opCO, pointer - 1); 
exc .- normal return 
END 
387 
MODULE list 
TYPES list_ptr : INTEGER; 
DEFINITIONS 
BOOLEAN atomp (list_ptr x) IS 
x )= 0 AND x < max_atoms; 
BOOLEAN iscell (list_ptr x) IS 
EXISTS list ptr xl : EXISTS list ptr x2 : 
cell (xl, x2, x) END_EXISTS END_EXISTS; 
ASSERTIONS max_Iist_ptrs )= max_atoms AND max_Iist_ptrs < MAXINT 
AND max_atoms )= 0; 
INVARIANTS 
FORALL list_ptr xl : FORALL list_ptr x2 : FORALL list_ptr x : 
FORALL list_ptr yl : FORALL list_ptr y2 : 
cell (xl, yl, x) AND cell (x2, y2, x) =) xl = x2 AND yl = y2 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FUNCTIONS 
VFUN cell (list_ptr xl, x2, x) -) BOOLEAN b; 
INITIALLY b = FALSE; 
VFUN num_of_cells () -) INTEGER v; 
INITIALLY v = 0; 
OVFUN Icons (list_ptr xl, x2) -) list_ptr x; 
EXCEPTIONS 
storage_full : num_of_cells() = max_Iist_ptrs; 
ASSERTIONS 
atomp (xl) OR iscell (xl); 
atomp (x2) OR iscell (x2); 
EFFECTS 
'cell (xl, x2, x); 
FORALL list_ptr zl : FORALL list_ptr z2 : FORALL list_ptr z : 
(x -= z =) 'cell (zl, z2, z) = cell (zl, z2, z» 
AND (zl -= xl OR z2 -= x2 => NOT 'cell (zl, z2, x» 
AND NOT cell(zl, z2, x) 
END_FORALL END_FORALL END_FORALL; 
OVFUN lcar (list_ptr x) -) list_ptr xl; 
ASSERTIONS 
iscell (x); 
EFFECTS 
EXISTS list_ptr z2 : cell (xl, z2, x) END_EXISTS; 
OVFUN lcdr (list_ptr x) -) list_ptr x2; 
ASSERTIONS 
iscell (x); 
EFFECTS 
EXISTS list_ptr zl cell (zl, x2, x) END_EXISTS; 
388 
OVFUN consp (list_ptr x) -) BOOLEAN b; 
EFFECTS b = iscell (x); 
END_MODULE 
MODULE u Ii s t 
TYPES ulist_ptr : INTEGER; 
PARAMETERS INTEGER max_ulist_ptrs, max_uatoms; 
DEFINITIONS 
BOOLEAN uatomp (ulist_ptr x) IS 
x >= 0 AND x < max_uatoms; 
BOOLEAN isucell (ulist_ptr x) IS 
EXISTS ulist ptr zl : EXISTS ulist ptr z2 : 
ucell (zl~ z2) = x END_EXISTS END_EXISTS; 
ASSERTIONS max_ulist_ptrs >= max_uatoms AND max_ulist_ptrs < MAXINT 
AND max uatoms >= 0; 
INVARIANTS 
FORALL ulist_ptr xl : FORALL ulist_ptr x2 : 
FORALL ulist ptr yl : FORALL ulist ptr y2 
ucell (~l, yl) = ucell (x2, y2) => xl = x2 AND yl = y2 
END FORALL END FORALL END FORALL END FORALL; 
n'um_of_~cellsO >=-0 AND num_;;f_ucellsO-<= max_uIist_ptrs; 
num_of_ucells() = 0 
=> FORALL INTEGER xl : FORALL INTEGER x2 : ucell(xl, x2) = 0 
END_FORALL END_FORALL; 
FUNCTIONS 
VFUN ucell (ulist_ptr xl, x2) -) ulist_ptr x; 
INITIALLY x = 0; 
VFUN num_of_ucells 0 -> INTEGER v; 
INITIALLY v = 0; 
OVFUN ucons (ulist_ptr xl, x2) -) ulist_ptr x; 
EXCEPTIONS 
ustorage_full : num_of_cells() = max_ulist_ptrs; 
ASSERTIONS 
uatomp (Xl) OR isucell (xl); 
uatomp (x2) OR isucell (x2); 
EFFECTS 
FORALL ulist_ptr zl : FORALL ulist_ptr z2 
IF ucell(xl, x2) = 0 THEN 
'ucell (zl, z2) = 
IF zl = xl AND z2 = x2 THEN x 
ELSE ucell (zl, z2) END_IF AND 
ucell(zl, z2) -= x 
ELSE 'ucell (zl, z2) = ucell (zl, z2) AND 
ucell (xl, x2) = x END_IF 
389 
OVFUN ucar (ulist_ptr x) -) ulist_ptr xl; 
ASSERTIONS 
isucell (x); 
EFFECTS 
EXISTS ulist_ptr z2 : ucell (xl, z2) = x END_EXISTS; 
OVFUN ucdr (ulist_ptr x) -> ulist_ptr x2; 
ASSERTIONS 
isucell (x); 
EFFECTS 
EXISTS ulist_ptr zl ; ucell (zl, x2) = x END_EXISTS; 
OVFUN UCODSP (ulist_ptr x) -) BOOLEAN b; 
EFFECTS b = isucell (x); 
END_MODULE 
MODULE search 
TYPES table : INTEGER; ptr ; INTEGER; 
PARAMETERS table primary_table; 
INTEGER max_tables, table_size; 
INVARIANTS 
tablep (primary_table); 
FORALL integer tbl : FORALL integer key : 
NOT tablep(tbl) =) get (key, tbl) = 0 
END_FOR~L END_FORALL; 
FUNCTIONS 
VFUN get (INTEGER key; table tbl) -) INTEGER val; 
INITIALLY val = 0; 
VFUN tablep (table tbl) -) BOOLEAN b; 
INITIALLY b = (tbl = primary_table); 
OVFUN newtable () -) table tbl; 
EXCEPTIONS 
no_more_tables : Dum_of_tables() = max_tables; 
EFFECTS 
FORALL table tbli : 
'tablep (tbli) = IF tbli = tbl THEN TRUE ELSE tablep (tbli) 
END IF END FORALL; 
NOT tablep(tbl); 
OFUN save (INTEGER key; ptr value; table tbl); 
EXCEPTIONS 
table_full: num_of_entries(tbl) = max_table_entries; 
ASSERTIONS 
tablep(tbl) AND get (key, tbl) = 0; 
EFFECTS 
FORALL INTEGER i : FORALL table tbli 
'get (i, tbli) = 
390 
IF i = key AND tbli = tbl THEN value 
ELSE get (i, tbli) END_IF 
END_FORALL END_FORALL; 
OVFUN getop (INTEGER key; table tbl) -> ptr value; 
EXCEPTIONS 
not_found: get(key, tbl) = 0; 
ASSERTIONS tablep (tbl); 
EFFECTS value = get (key, tbl); 
END MODULE 
MAP ulist TO search, list; 
ASSERTIONS 
FORALL INTEGER x : FORALL table tbl : 
tablep(get (x, primary_table» 
AND get (x, primary_table) -= primary_table 
AND (get (x, primary_table) -= 0 =) atomp (x) OR iscell (x» 
AND ( get (x, tbl) -= 0 AND tbl -= primary_table 
=) iscell (get (x, primary_table» AND (atomp (x) OR iscell (x») 
END_FORALL END_FORALL; 
MAPPINGS 
ucell (ulist_ptr xl, x2, x) : 
END MAP 
EXISTS table tbli : 
get (x2, tbli, primary_table) AND get (xl, x, tbli) END EXISTS 
AND cell (xl, x2, x); 
MODULE search_space 
PARfu~ETERS INTEGER max_search_size; 
ASSERTIONS max_search_size ) 0; 
FUNCTIONS 
VFUN search_read (INTEGER arg) -) INTEGER v; 
OFUN search_write (INTEGER arg, val); 
ASSERTIONS arg )= 0 AND arg < max search_size; 
EFFECTS 
FORALL INTEGER i : 
'search_read(i) = 
IF i = arg THEN val ELSE search_read(i) END_IF END_FORALL; 
OVFUN search_readop (INTEGER arg) -) INTEGER v; 
ASSERTIONS arg )= 0 AND arg < max_search_size; 
EFFECTS 
v = search_read(arg); 
END MODULE 
391 
MODULE list_space 
PARAMETERS INTEGER max list_size; 
ASSERTIONS max_list_size> 0; 
FUNCTIONS 
VFUN list_read (INTEGER arg) -> INTEGER v; 
OFUN list_write (INTEGER arg, val); 
ASSERTIONS arg >= 0 AND arg < max_list_size; 
EFFECTS 
FORALL INTEGER i : 
'list]ead(i) = 
IF i = arg THEN val ELSE list_read(i) END_IF END_FORALL; 
OVFUN readop (INTEGER arg) -> INTEGER v; 
ASSERTIONS arg >= 0 AND arg < max list_size; 
EFFECTS 
v = list_read(arg); 
END MODULE 
MAP search TO search_space 
ASSERTIONS 
search read (0) >= 0; 
search=read (0) <= max_tables; 
table_size * max_tables + 1 <= max_search size 
MAPPINGS 
get (INTEGER key, val; table tbl) 
IF tbl >= 0 AND tbl < read (0, search_space) THEN 
EXISTS INTEGER ptr : 
ptr >= tbl * (table_size * 2 + 1) + 2 and 
ptr <= 2 * read (tbl * (table_size * 2 + 1)) + 1 
+ tbl * (table_size * 2 + 1) + 2 
=> read (ptr, search_space) = key AND 
read (ptr + 1, search_space) = val END_EXISTS 
ELSE FALSE END_IF; 
primary table = 0; 
tablep (table tbl) : '0 <= tbl AND tbl < read (0" search_space); 
r 
MAP list TO array_mod; 
DEFINITIONS 
BOOLEAN evenp (INTEGER x) IS 
x = (x/2) * 2; 
392 
ASSERTIONS 
evenp (read (0, list_space»; 
read (0, list_space) )= 100; 
max_Iist_ptrs < maxarraysize; 
MAPPINGS 
cell (list_ptr xl, x2, x) : 
IF x )= read (0, list_space) OR x < 100 OR NOT evenp (x) THEN FALSE 
ELSE xl = read (x, list_space) AND 
x2 = read (x+l, list_space) END_IF; 
list_ptr INTEGER; 
END MAP 
393 
const max_array_size = 511; 
max_Iist_ptrs = 510; 
primary_table = 0; 
table_size = 25; 
max_tables = 10; 
type max_array_index = 0 .. max_array_size; 
array_type = array [max_array_index] of integer; 
list_ptr = integer; 
table = integer; 
ptr = integer; 
ulist_ptr = integer; 
var exc : integer; 
list_space: array_type; 
search_space: array_type; 
procedure write Carg, val : integer; var a 
begin 
array_type); 
a[arg] .- val 
end; 
function readop Carg 
begin 
readop . - a [arg] 
end; 
integer; var a array _ type) 
procedure Icons (xl, x2 : list_ptr; var x list_ptr); 
begin 
x := readop(O, list_space); 
if (x + 2) )= max_Iist_ptrs then exc := 1 
else begin 
end; 
write (x, xl, list_space); 
write (x+1, x2, list_space); 
write (0, x+2, list_space) 
end 
procedure lcar (x : list_ptr; var xl 
begin 
xl .- readop (x, list_space) 
end; 
procedure lcdr {x list_ptr; var x2 
begin 
x2 .- readop (x + 1, list_space) 
end; 
function consp (x : list_ptr) : boolean; 
begin 
integer; 
consp .- (x )= 100) and (x < readop (0, ~ist_space» and (x mod 2) = 0) 
end; 
procedure newtable {var tbl 
var n : integer; 
table); 
begin 
n := readop (0, search_space); 
if n >= max_tables then exc := 1 
else begin 
394 
tbl := n; 
write (tbl * (table_size * 2 + 1) + 1, 0, search_space); 
write (0, n+l, search_space) 
end 
end; 
procedure save (key: integer; value: ptr; tbl table); 
var n, table_start, offset: integer; 
begin 
table_start := tbl * (table_size * 2 + 1) + 1; 
n := readop (table_start, search_space); 
if n >= table size then exc .- 1 
else begin 
offset := n * 2 + 1; 
write (table_start + offset, key, search_space); 
write (table_start + offset + 1, value, search_space); 
write (table_start, n+l, search_space) 
end 
end; 
procedure getop (key: integer; tbl : table; var value 
var table_start, i, max: integer; v : ptr; 
begin 
exc := 0; 
table_start := tbl * (table_size * 2 + 1) + 1; 
i := table start + 1; 
ptr); 
max := table_start + 1 + readop (table_start, search_space) * 2; 
while key <> readop (i, search_space) and (i < max) do i := 1 + 2; 
if i >= max then exc := 1 
else value := readop (i+l, search_space) 
end; 
procedure ucons (xl, x2 : ulist_ptr; var x : ulist_ptr); 
var cdr_table: ulist_ptr; new_t : table; cons_cell: list_ptr; 
begin 
getop (x2, primary_table, cdr_table); 
if exc = 1 then 
begin 
newtable (new_t); 
if exc = 0 then 
begin 
end 
else 
save (x2, new_t, primary_table); 
if exc = 0 then 
end 
begin 
lcons(xl, x2, cons_cell); 
if exc = 0 then 
end 
begin 
save (xl, cons_cell, new_t); 
x := cons cell 
end 
begin 
getop (xl, cdr_table, cons_cell); 
if exc = 0 then x := cons_cell 
else begin 
Icons (Xl, x2, cons_cell); 
395 
if exc = 0 then save (xl, cons_cell, cdr_table); 
x := cons_cell 
end 
end 
end; 
procedure ucar (x 
begin 
ulist_ptr; var xl 
lcar (x, xl) 
end; 
procedure ucdr (x 
begin 
ulist_ptr; var x2 
lcdr (x, x2) 
end; 
function uconsp (x : ulist_ptr) 
begin 
uconsp .- consp (x) 
end; 
boolean; 
396 
MODULE table. 
PARAMETERS INTEGER max_entries; 
ASSERTIONS max_entries >= 0 AND max_entries <= maxint; 
INVARIANTS num_of_entries() >= 0 AND num_of_entries() <= max_entries; 
FORALL INTEGER k : not in_table(k) =) assoc(k) = 0 END_FORALL; 
FUNCTIONS 
VFUN in_table (INTEGER key) -> BOOLEAN v; 
INITIALLY v = FALSE; 
VFUN assoc (INTEGER key) -> INTEGER v; 
INITIALLY v = 0; 
VFUN num_of_entries () -> INTEGER v; 
INITIALLY v = 0; 
OFUN insert_table (INTEGER key, val); 
EXCEPTIONS 
bad key : key = 0; 
table_full : num_of_entries() = max_entries; 
EFFECTS 
FORALL INTEGER i 
'assoc(i) = IF i = key THEN val ELSE assoc(i) END_IF END_FORALL; 
FORALL INTEGER j 
'in_table(j) = IF j = key THEN TRUE ELSE in_table(j) 
END IF END FORALL; 
'num_of_entries() = nu;_of_entries() + 1; 
OVFUN table_op (INTEGER key) -) INTEGER val; 
$( Perform a table lookup, using the key) 
EXCEPTIONS $( The key not being in the table means an exception ) 
bad_key : key = 0; 
key_not_there : not in_table(key); 
EFFECTS 
val = assoc(key); 
OFUN delete_table (INTEGER key); 
EFFECTS 
FORALL INTEGER i : 
'in_table(i) = 
IF i = key THEN FALSE ELSE in_table(i) END_IF END_FORALL; 
FORALL INTEGER i : 
'assoc(i) = IF i = key THEN 0 ELSE assoc(i) END_IF END_FORALL; 
'num_of_entries() = 
IF in_table(key) THEN num_of_entries()-l 
ELSE num_of_entries() END_IF; 
OFUN clear_table (); 
EFFECTS 
FORALL INTEGER i: 'in_table (i) = FALSE END_FORALL; 
FORALL INTEGER i: 'assoc (i) = 0 END_FORALL; 
'num_of_entries() = 0; 
397 
MAP table TO array_mod; 
PARAMETERS INTEGER lookup (INTEGER key); 
DEFINITIONS 
BOOLEAN evenp (INTEGER x) IS 
EXISTS INTEGER y : y*2 = x END_EXISTS; 
BOOLEAN in_array (INTEGER i) IS i )=0 AND i <= Maxarraysize; 
BOOLEAN in_table_def (INTEGER key) IS 
key -= 0 AND 
EXISTS INTEGER i : 
in_array(i) AND evenp(i) AND read(i) = key END_EXISTS; 
ASSERTIONS 
Maxarraysize = max_entries*2; 
FORALL INTEGER k ": 
FORALL INTEGER i : 
in_array(i) AND evenp(i) AND read(i) = k AND k -= 0 
=) lookup(k) = read(i+l) END_FORALL END_FORALL; 
MAPPINGS 
in_table (INTEGER key) : in_table_def(key); 
as soc (INTEGER key) : IF in_table_def(key) THEN lookup(key) ELSE 0 END_IF; 
num_of_entries() : 
CARDINALITY({INTEGER i I evenp(i) AND in_array(i) AND read(i) -= O}); 
MODULE array_mod 
PARAMETERS INTEGER Maxarraysize; 
FUNCTIONS 
VFUN read (INTEGER arg) -) INTEGER v; 
OFUN writeop (INTEGER arg, val); 
ASSERTIONS 
arg >= 0 AND arg < Maxarraysize; 
EFFECTS 
FORALL INTEGER j : 
'read (j) = IF j = arg THEN val ELSE read(j) END_IF END_FORALL; 
OVFUN readop (INTEGER arg) -) INTEGER v; 
ASSERTIONS 
arg )= 0 AND arg < Maxarraysize; 
EFFECTS 
v = read(arg); 
398 
CONST maxarraysize = 100; 
max_entries = 50; 
VAR exc : exc_kinds; 
FUNCTION readop (arg:INTEGER) : INTEGER; 
BEGIN END; 
PROCEDURE writeop (arg, val: INTEGER); 
BEGIN END; 
PROCEDURE insert_table (key, val: INTEGER); 
VAR index, temp, blank_pos : INTEGER; 
BEGIN 
IF key = 0 THEN exc := bad_key 
ELSE BEGIN 
index := 0; 
blank_pos .- -1; 
REPEAT 
temp := readop(index); 
IF temp = 0 then blank_pos .- index; 
index := index + 2 
UNTIL (temp = key) OR (index >= Maxarraysize) 
ASSERT temp = read(index-2) AND index> 1 
AND FORALL INTEGER i : 
in_array(i) AND i (= index-2 AND evenp(i) 
=> read(i) -= key END_FORALL 
AND IF EXISTS INTEGER j : j >= 0 AND j (= index-2 
AND evenp(j) AND read(j) = 0 END_EXISTS 
THEN read(blank_pos) = 0 AND evenp(blank_pos) 
AND blank_pos >= 0 AND blank_pos (= index-2 
ELSE blank_pos = -1 END_IF 
DECREASING maxarraysize - index; 
exc := normal return; 
IF temp = key-THEN writeop (index-I, val) 
ELSE IF blank_pos >= 0 THEN 
BEGIN 
writeop (blank_pos, key); 
writeop (blank_pos+1, val) 
END ELSE exc := table_full 
END; 
END; 
PROCEDURE table_op (key 
VAR index : INTEGER; 
BEGIN 
INTEGER; VAR val 
IF key = 0 THEN exc .- bad_key 
ELSE BEGIN 
index := 0; 
REPEAT 
val := readop (index); 
index := index + 2; 
INTEGER); 
UNTIL (val = key) OR (index >= maxarraysize) 
ASSERT val = read(index-2) AND index> 1 
AND FORALL INTEGER i : i >= 0 AND i (= index-2 
=> key -= read(i) END_FORALL 
DECREASING maxarraysize - index; 
399 
IF val = key THEN 
BEGIN 
val := readop(index-l); 
exc := normal_return 
END 
ELSE exc := key_not_there 
END 
END; 
PROCEDURE delete_table (key INTEGER); 
VAR index,temp : INTEGER; 
BEGIN 
IF key <> 0 THEN 
BEGIN 
index := 0; 
REPEAT 
temp := readop(index); 
index := index + 2 
UNTIL (temp = key) OR (index) maxarraysize) 
ASSERT key -= 0 AND 
FORALL INTEGER i 
(i )= 0 AND i < index AND evenp(i) =) key -= read(i)) 
END_FORALL 
DECREASING maxarraysize - index 
END; 
IF temp = key THEN writeop(index-2, 0) 
END; 
PROCEDURE TABLE_INIT; 
VAR n : INTEGER; 
BEGIN 
FOR n := 0 TO Maxarraysize 
ASSERT FORALL INTEGER i 
DO writeop(n, 0) 
END; 
i )= 0 AND i <= n =) read(i) = 0 END_FORALL 
400 
CHAPTER 14 
VERIFICATION OF SIFT CODE 
401 

The SIFT Code Specifications 
1. Introduction 
The specification of SIFT consists of two parts, the specifications of 
the SIFT models and the specifications of the SIFT PASCAL program which 
actually implements the SIFT system. The code specifications are the 
last of a hierarchy of models describing the operation of the SIFT system 
and hence are related to the SIFT models as well as the PASCAL program. 
These specifications serve to link the SIFT models to the running program. 
Due to the need to prove the consistency between the PASQ~ program and 
the code specifications, the specifications are very large and detailed 
and closely follow the form and organization of the PASCAL code. In 
addition to describing each of the components of the SIFT code, the code 
specifications describe the assumptions of the upper SIFT models which 
are required to actually prove that the code will work as specified. 
These constraint~ are imposed primarily on the schedule tables. 
This document assumes an understanding of the motivation and basic 
algorithms of SIFT. An acquaintance with the Hierarchical Development 
Methodology (HDM) and SPECIAL is helpful but not required. This 
SIFT specification was written in a variant of SPECIAL developed as 
part of a PASCAL code verification system. The specification is 
written as a series of paragraphs with names such as TYPES and PARAMETERS. 
Comments are enclosed in "$( ... )" and serve only as informal 
descriptions of the formal specification. The data objects of SIFT 
are called VFUNs in the specification but otherwise are identical 
to the variables of the SIFT program. 
The code specification is not a complete description of the SIFT 
program. The SIFT system consists of a number of processors all 
working concurrently in approximate synchronization. This specification 
considers only one of those processors and contains no description 
of how the processors communicate or how they maintain synchronization. 
Any part of the SIFT program which explicitly involves the passage of 
time is outside the realm of this specification. 
The next sections will refer in detail to the SPECIAL specification 
of SIFT. 
2. The Type Declarations 
The TYPES paragraph at the top of the specification declare the data 
types used in the SIFT implementation as well as some types used purely 
for specification purposes. These data types are very similar in 
meaning to data types used in most programming languages such as PASCAL. 
The data types are broken into sections for each major data component 
of SIFT. The first data component is the schedule table whose data 
type is called SCHED_ARRAY. It is an array of arrays which has a 
component for each processor, each configuration, and each subframe. 
The second component is the datafile through which communication 
between processors is done. The datafile type is called the 
DATAFILE ARRAY and has components for each taskname and each element 
of the r~sults produced by each task. The POLL ARRAY type describes 
an entry for each configuration, each processor~ and each task and 
contains a boolean value indicating whether that task is run by that 
processor in that configuration. The ERROR_ARRAY type describes 
403 
an array containing the error count for each processor. The INPUT ARRAY 
has an element array for each task. 
Some data types are used for specification purposes and for internal 
processing in the implementation. SET_OF_INT describes a set of 
integers in the usual mathematical sense of a set. TASK_ARRAY is 
an array of integers indexed by task name. BOOL_ARRAY is an array 
of boolean values. 
3. The Parameter Declarations 
The parameters of the specification correspond to the constant values 
of the implementation. The actual values of these objects are not 
specified but instead sufficient constraints are placed on the 
possible values so that the proof will succeed. The parameters 
and their meaning are given below: 
frame_size The number of subframes in a frame 
max_processors The maximum number of processors in any configuration 
my_processor The physical number of this processor 
max_activities The maximum number of activities allowed in any subframe 
max elems The maximum number of values any task can produce 
max_tasks The maximum number of tasks in the system 
bottom_val The special value returned when a task does not run and 
when no majority is found in voting 
err_threshold The number of error reports before a processor is 
considered faulty 
vote ,dummy_vote , 
execute The possible activities of a subframe 
reconfig The name of the reconfiguration task 
global_exec The name of the global executive task 
error_report The name of the error reporting task 
null task The name of the null or maintenance task 
sched_table The schedule table for each processor, configuration, 
and subframe, giving a set of activities to perform 
poll Determines whether a processor in a given configuration 
runs a particular task 
inputs Gives the names of the tasks which will produce results 
used by a particular task 
i c Indicates which tasks are interactive consistency tasks 
result size Gives the number of values returned by each task 
error_i_c_tasks The names of the error reporting interactive consistency tasks 
4. The Definitions 
Definitions are used as a handy way to name a concept in the 
specification so that it can be more easily referred to. They are 
equivalent to pure mathematical functions in that they take an 
sequence of arguments and produce a determined result. The only 
definition in the specifications defines the concept of a majority of 
a set of values. The values being voted on are found in the datafile 
corresponding to each processor which ran the task as indicated by the 
POLL. The definition the set of all processors which ran the task 
and compares that to the set of all processors which agree on the 
resulting value. If the second set is larger than half the first 
set, a majority value has been found. 
5. The Parameter Invariants 
404 
This section of the specifications contain the constraints on the 
parameter values mentioned in the above section on parameters. Some 
of the constraints seem very obvious, but they must be made explicit 
in order for the mechanical verification effort to succeed. Each 
constraint is described below. 
1) frame_size, max_processors, max_activities, max_elems, and max tasks 
should all be positive values. 
2) 1 <= my_processor <= max_processors 
The processor number of this processor must be a legitimate processor number. 
3) The activities vote, dummy_vote, and execute should be positive numbers 
and each should be different. 
4) The tasks reconfig, global_exec, null_task, the error reporting tasks, 
and the error reporting interactive consistency tasks should all be different 
tasks, that is not'equal to each other. 
5) An execute which uses values must follow the vote or dummy_vote on 
those values. 
6) There is never scheduled both a vote and a dummy_vote on the results 
of a task during a subframe. 
7) The results of an execute are not voted on during the same subframe 
they are produced. 
8) Reconfiguration is always the last thing done in the subframe. This 
is because reconfiguration completely changes the current schedule so 
it is not possible to continue the old schedule. 
9) No vote is scheduled during the same subframe as an error report. That 
is because a vote might change the error count which the error reporting 
tasks broadcasts. 
10) The result of an execute is only voted on once. 
11) No task is executed more than once in any subframe. 
12) The only activities scheduled are vote, dummy_vote, and schedule. 
13) No other activities are scheduled after the null task is started 
to fill out the subframe. 
14) Only one processor runs an interactive consistency task but three 
processors run all other tasks. 
15) The global executive only takes as input itself (the previous 
execution) and the error reporting interactive consistency tasks. 
16) The error reporting interactive consistency tasks broadcast their 
inputs. 
17) The global executive considers a processor to be no longer working 
if it was not previous working or if a majority of the other processors 
have declared it to be bad. 
6. The Specification Functions 
405 
The specification functions serve two purposes. They define the names 
and types of the variables which make up the state of the system and they 
define the operations which modify the state during execution. The 
state variables correspond to the global PASCAL variables of the SIFT 
implementation and the operations of the specification correspond to 
the FUNCTIONs and PROCEDUREs of the implementation. The variables are 
described first followed by the operations. 
1) Subframe contains the current subframe number which ranges from 0 to 
one less than the maximum number of subframes. 
2) Config contains the current configuration. This is the number of 
processors which are currently considered to be working. 
3) Input is an array of values waiting to be input to particular tasks. 
They are the result of voting on the outputs of other tasks. 
4) Datafile is the broadcast area where results of tasks are placed and 
automatically broadcast. 
5) Errors is the number of errors counted for each processor due to non-
agreement In voting. 
6) Real_to_virt is a mapping from a real physical processor number to 
the processor number used in the schedule tables for this configuration. 
The main procedure of the implementation is Dispatcher which is invoked 
at the start of each subframe due to a clock interrupt and which in turn 
invokes each of the activities of that subframe. The specifications of 
the dispatcher describe how each of the state variables described above 
is changed according to the schedule tables. The change to each state 
variable is described in sequence: 
1) The subframe number is incremented by one indicating that another 
subframe has elapsed. If the end of the frame is reached, the subframe 
number is reset to zero. 
2) The config is only changed if a reconfiguration was done during this 
subframe. Its new value corresponds to the number of processors reported 
working by the global executive. 
3) Input is changed to reflect the updated values found by voting on 
values produced by tasks in other subframes. For each entry in the input 
table, if no vote was done in this subframe on the value, then the value 
remains unchanged. If there was a vote, the new input value corresponds 
to the majority value computed by the vote. 
4) The entries in the datafile are updated when tasks broadcast their 
results. If a task did not run during this subframe then its old values 
from the previous subframe remain. If the task did run, its output values 
are placed in the datafile. 
5) If any voting found less than total agreement, then the error counts 
were incremented by the number of non-agreements found. 
6) If a reconfiguration was done, the variables real to virt and virt to_real 
406 
were correctly updated to reflect the new processor configuration. 
The dispatcher calls a variety of other routines to perform the activities. 
The Vote activity routine does a vote by collecting the values to be voted 
on and c~lling the three way voter VDTE3. Dummy_vote just replaces the 
old values by the special value. The global executive counts up the error 
reports and decides which processors are running. The reconfiguration task 
uses the results of the global executive to reconfigure the system. Since 
the actual application tasks running on the SIFT computer are not known 
for this proof exercise, a general routine representing all of the possible 
application tasks is included. 
407 

SUBSECTION 14.1 
PRE/POST SPECIFICATION IN SPECIAL 
409 

MODULE sift 
$( The TYPES) 
TYPES 
$( currently the activity kinds are vote, dummy_vote, and execute) 
activity_kinds: INTEGER; 
$( the task kinds are the names of the various tasks. The special 
ones are global_exec, reconfig, and error_report) 
task_kinds : INTEGER; 
$( This is an array of processor numbers used by the 3-way voter, etc) 
proc_array : ARRAY of INTEGER; 
$( ---------------------------------------------------------------------- ) 
$( The schedule table type definition) 
$( The array of schedules is a configuration schedule for each possible 
processor ) 
sched_array : ARRAY of processor_array; 
activity_record: RECORD (activity_kinds activity; 
task kinds taskname; 
INTEGER elem); 
$( This is a sequence of activities for a given subframe. ) 
subframe_array ARRAY of activity_record; 
$( This is a sequence of subframe actions for each configuration. ) 
config_array : ARRAY of subframe_array; 
$( This is a set of configurations for each processor) 
processor_array: ARRAY of config_array; 
$( ---------------------------------------------------------------------- ) 
$( A datafile contains an array of task data spaces for each 
process which exists. ) 
datafile_array : ARRAY of taskname_array; 
$( An input/output for a process is an array of data) 
elem_array : ARRAY of integer; 
$( Each task has an array of data of its own) 
taskname_array : ARRAY of elem_array; 
$( ---------------------------------------------------------------------- ) 
411 
$( For each configuration, indicate whether a processor executes 
a task ) 
$( Each task either is executed or not {true or false} ) 
poll_task_array : ARRAY of BOOLEAN; 
$( For each processor, indicate whether the various tasks are 
executed or not ) 
$( ---------------------------------------------------------------------- ) 
$( 
$( The num~er of errors seen from each processor. ) 
error_array: ARRAY of INTEGER; 
$( For each task, the element array which is input to that task) 
input_array : ARRAY of elem_array; 
$( A set of integer, for reasoning about properties of things) 
set of int : SETOF INTEGER; 
$( An array of integer, one for each task) 
task_array : ARRAY of INTEGER; 
$( An array of boolean) 
baal_array : ARRAY of BOOLEAN; 
412 
The PARAMETERS ) 
PARAMETERS INTEGER frame_size, max_processors, my_processor, 
max_activities, max_elems, max_tasks, bottom_val, 
err_threshold, vote, dummy_vote, execute, reconfig, 
global_exec, error_report, null_task; 
$( 
$( The sched table is a sequence of schedules for each configuration. 
It is of the form: 
sched_table [proc_num] [configuration] [subframe] [activity_num] 
and gives a record of activities to do. Given a processor 
number, and a configuration number, and a subframe number, 
then there are a sequence of activities to do, each one 
described by its ACTIVITY field. The activities are currently 
VOTE, DUMMY_VOTE, and EXECUTE. For votes, the taskname field is 
the task to vote on and the element number is the element to 
vote on. 'For dummy_votes, the entire element sequence of the 
taskname is set to bottom. For executes, the taskname is invoked. ) 
sched_array sched_table; 
$( The poll tells whether a processor ran a task in a given 
configuration. It is referenced as: 
poll [configuration] [processor] [taskname] ) 
poll_array poll; 
$( The inputs tell which tasks have produced input for a 
particular task. It is indexed by the task to run and 
the number of the task which is input {from 1 to n}. ) 
taskname_array inputs; 
$( This indicates which tasks are interactive consistency tasks. ) 
$( This returns the number of elements output by each task) 
$( The error report tasks are a group of tasks {one for each 
processor} which do the error reporting. They are indicated 
here. ) 
$( The error_i_c_tasks are the interactive consistency tasks 
which broadcast around the error reports. There are three 
of these tasks with the specified task numbers. ) 
413 
The DEFINITIONS ) 
DEFINITIONS 
$( 
BOOLEAN is_in_m~jority (INTEGER c, t, e, val) IS 
$( given a configuration c, a taskname t, and an clement number e, 
return true if val is in the majority of the outputs of all of 
the processors which produced output according to POLL. If there 
is no m~jority, then val must be the default value. ) 
IF EXISTS INTEGER maj_val : 
CARDINALITY ({ INTEGER q I q >= 1 AND q <= max_processors 
AND poll[c] [real_to_virt() [q]] [t] 
AND maj_val = d~tafile()[q] [t] [e]}) * 2 
> CARDINALITY ({ INTEGER pip >= 1 AND p<= max_processors 
AND poll[c] [p] [t]}) END_EXISTS 
THEN FORALL INTEGER maj 
CARDINALITY ({ INTEGER q I q )= 1 AND q <= max_processors 
AND poll[c] [real_to_virt() [q]] [t] 
AND maj = datafile()[q] [t] [e]}) * 2 
> CARDINALITY ({ INTEGER pip >= 1 AND p <= max_processors 
AND poll[c] [p] [t]})-
=> val = maj END_FORALL 
ELSE val = bottom_val END_IF; 
414 
The PARA\IETER INVARIANTS ) 
PARAMETER_INVARIANTS 
$( Constraints on the simple parameters. Various constants have 
appropriate values.) 
frame_size> 0; max_processors> 0; 
my_processor >= 1 AND my_processor <= max_processors; 
max_activities> 0; max_elems > 0; max_tasks> 0; 
vote> 0 AND dummy_vote> 0 AND execute> 0; 
vote -= dummy_vote AND vote -= execute AND dummy_vote -= execute; 
FORALL INTEGER i : FORALL INTEGER j : 
reeonfig -= global_exec AND 
reconfig -= null_task AND 
null task -= global exec AND 
erro;_report_tasks[i] -= reconfig AND 
error_report_tasks[i] -= global_exec AND 
error_report_tasks[i] -= null_task AND 
error_report_tasks[i] -= error_i_c_tasks[j] AND 
error_i_c_tasks[i] -= reconfig AND 
error_i_c_tasks[i] -= null_task AND 
error_i_c_tasks[i] -= global_exec END_FORALL END_FORALL; 
$( Constraints on the schedule table and associated data structures ) 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf 
FORALL INTEGER jl : FORALL INTEGER j2 : FORALL INTEGER i 
$( any execute which needs the results of a vote or 
dummy_vote must follow the vote) 
sched_table[p] [c] [sf] [jl].activity = execute 
AND ( sched_table[p] [c] [sf] [j2].activity = vote 
OR sched_table[p] [c] [sf] [j2].activity = dummy_vote) 
AND inputs [sched_table [p] [c][sf] [jl].taskname] [i] 
= sched_table[p] [c] [sf] [j2].taskname 
=> j 1 > j2 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER jl : FORALL INTEGER j2 : 
$( there does not exist a vote and a dummy vote on the 
same task during a subframe. ) -
NOT ( sched_table[p] [c] [sf] [jl].activity = vote 
AND sched_table[p][c] [sf] [j2].activity = dummy_vote 
AND sched_table[p] [c] [sf] [jl].taskname = 
sched_table[p][c] [sf] [j2].taskname) 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER jl : FORALL INTEGER j2 : 
$( there does not exist a vote on the results of an execute 
in the same subframe ) 
415 
$( There do not exist two executes on 
the same task in the same subframe ) 
sched_table[p] [c] [sf] [i].activity = execute 
AND sched_table[p] [c] [sf] [j].activity = execute 
AND i -= j 
=> sched_table[p] [c] [sf] [i].taskname 
-= sched_table[p] [c] [sf] [j].taskname 
END_FORN~L END_FORALL END_FORALL END_FORALL END_FORALL; 
FOR~L INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER j : 
$( all activities are either vote, dummy_vote, or execute. ) 
sched_table[p] [c] [sf] [j].activity = vote 
OR sched_tablc[p] [c] [sf] [j].activity = dummy_vote 
OR sched_table[p] [c] [sf] [j].activity = execute 
OR sched_table[p] [c] [sf] [j].activity = 0 
END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf 
FORALL INTEGER j : FORALL INTEGER i 
$( zero fill in sched table ) 
sched;..table[p] [c][sf] [j].activity = 0 AND i > j 
=> sched_table[p] [c] [sf] [i].activity = 0 
END_FORM~L END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER c : FORALL INTEGER ti : 
$( The number of processors running a particular task 
is 1 for interactive consistency tasks or 3 otherwise ) 
CARDINALITY({ INTEGER pip >= 1 AND p <= max_processors 
AND poll[c] [p] [til}) 
= IF i_c[ti] THEN 1 ELSE 3 END_IF 
END_FORALL END_FORALL; 
$( The inputs to the global executive are itself and the 
error interactive consistency tasks. ) 
inputs [global_exec] [1] = global_exec 
AND FORALL INTEGER i : (i >= 1 AND i <= max_processors 
=> inputs [global_exec] [i+1] = error_i_c_tasks[i]) 
AND (i < 1 OR i > max processors 
=> inputs[globai_exec][i] = null_task) 
END]ORALL; 
$( these are the constraints on the output of various tasks ) 
FORALL input_array inp : FORALL INTEGER i : 
task_results (error_i_c_tasks[i], inp) = inp[l] 
END_FORALL END_FORALL; 
$( returns 1 {not-working} if it was previously not working 
or if a majority of those working consider it bad. ) 
416 
NOT ( 
AND 
AND 
sched_table[p] [c] [sf] [jl].activity = execute 
sched_table[p] [c] [sf] [j2].activity = vote 
sched_table[p] [c] [sf] [jl].taskname = 
sched_table[p] [c] [sf] [j2].taskname) 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORN,L INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER jl : FORALL INTEGER j2 : 
$( Any reconfiguration done must be at the end of a subframe ) 
sched_table[p] [c] [sf] [jl].activity = execute 
AND sched_table[p] [c] [sf] [jl].taskname = reconfig 
AND ( sched_table[p] [c] [sf] [j2].activity = execute 
OR schcd_table[p] [c] [sf] [j2].activity = vote) 
=) jl ) j2 END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p' : FORALL INTEGER c : FORALL INTEGER sf : 
$( no vote and error_report allowed in the same subframe. ) 
EXISTS INTEGER j : 
sched_table[p] [c] [sf] [j].activity = vote END_EXISTS 
=) NOT EXISTS INTEGER i : 
sched_table[p] [c] [sf] [i].activity = execute 
AND sched_table[p] [c] [sf] [i].taskname 
= error_report_tasks[p] END_EXISTS 
END_FORALL END_FORMJL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER i : FORALL INTEGER j : 
$( There do not exist two votes on the same element of 
the same task in the same subframe ) 
sched_table[p][c] [sf] [i].activity = vote 
AND sched_table[p] [c] [sf] [j].activity = vote 
AND i -= j 
=) sched_table[p][c] [sf] [i].taskname 
-= sched_table[p] [c] [sf] [j].taskname 
OR sched_table[p] [c] [sf] [i].elem 
-= sched_table[p] [c] [sf][j].elem 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER i : FORALL INTEGER j : 
$( There do not exist two dummy_votes on the same element of 
the same task in the same subframe ) 
sched_table[p] [c] [sf] [i].activity = dummy_vote 
AND sched_table[p] [c] [sf] [j].activity = dummy_vote 
AND i -= j 
=) sched_table[p] [c] [sf] [i].taskname 
-= sched_table[p] [c] [sf] [j].taskname 
END_FORALL END_FORALL END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER p : FORALL INTEGER c : FORALL INTEGER sf : 
FORALL INTEGER i : FORALL INTEGER j : 
417 
$( 
FORALL input_array inp : FORALL INTEGER p : 
IF inp[l] [p] = 1 $( = input[global_exec][p] ) 
OR CARDINALITY({INTEGER ql I inp[l] [ql] = 0 
AND p -= ql AND inp[ql+l][p] = I}) * 2 
$( = input[error_i_c_tasks[ql]] ) 
> CARDINALITY ({INTEGER q2 I inp[l] [q2] = 0 AND p -= q2}) 
THEN taskJesults (global_exec, inp)[p] = 1 
ELSE task_results (global_exec, inp)[p] = 0 END_IF 
END_FORALL END_FORALL; 
FUNCTIONS 
418 
The State Functions ) 
$( 
$( The subframe count. Used to index into various tables) 
VFUN subframe() -) INTEGER s; 
$( The current configuration {ie, the number of processors 
currently assumed to be working}. ) 
VFUN config() -) INTEGER c; 
$( This is the input values for a task. It is referenced as: 
input [taskname] [element] ) 
VFUN input() -) input_array value; 
$( The datafile is the broadcast area. It is referenced as: 
datafile [processor] [taskname] [element] ) 
VFUN datafile() -) datafile_array value; 
$( The errors accumulated for each processor, indexed by processor) 
VFUN errors() -) error_array v; 
$( Given a real processor number, this returns the processor number 
used in the various tables for this configuration. ) 
$( Given a processor number in the tables, this maps to the current 
real processor which is associated with it ) 
419 
The Operations ) 
OFUN dispatcher (); 
$( The dispatcher is invoked each subframe. It bumps the subframe 
number and does each of the activities for that subframe. ) 
ASSERTIONS 
s11bframe{} < frame_size and subframeO >= 0; 
FORALL INTEGER c : FORALL INTEGER ti : 
CARDINALITY({ INTEGER pip >= 1 AND p <= max_processors 
AND poll[c] [real_to_virt() [p]] [til}) 
= IF i_c[ti] THEN 1 ELSE 3 END_IF 
END_FORALL END_FORALL; 
EFFECTS 
$( changes to subframe ) 
'subframe() = (subframe + 1) MOD frame_size; 
$( poll set still has 1 or 3 ) 
FORALL INTEGER c : FORALL INTEGER ti : 
CARDINALITY({ INTEGER pip >= 1 AND p <= max_processors 
AND poll[c] [real_to_virt() [p]] [til}) 
= IF i_c[ti] THEN 1 ELSE 3 END_IF 
END_FORALL END_FORALL; 
$( Changes to INPUT: 
For all tasks ti and for all data elements of the task, 
if this element of this task was voted on then the input now 
has the majority value, else if it was dummy voted it has 
bottom as value, else it hasn't changed. ) 
$( Frame axiom: if no vote or dummy vote, nothing changed) 
FORALL INTEGER ti : FORALL INTEGER ei 
NOT &XISTS INTEGER j : j >= 1 AND j <= max activities 
AND ti = sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname 
AND ( ( sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].activity 
= vote 
AND ei = sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].elem) 
OR schcd_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity 
= dummy_vote) END_EXISTS 
=> 'input() [ti] [ei] = input() [ti] [ei] 
END_FORALL END_FORALL; 
$( Vote activity) 
FORALL INTEGER ti : FORALL INTEGER ei 
EXISTS INTEGER j : j >= 1 AND j <= max activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = vote 
420 
AND ti = sched_table[real_to_virt() [my_processor]] [config()] 
.[subframe()] [j] .taskname 
AND ei = sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].elem END_EXISTS 
=> is_In_majority (configO I ti I ei I 'inputO [til lei]) 
END_FORALL END_FORALL; 
$( Dummy vote activity ) 
FORALL INTEGER ti : FORALL INTEGER ei 
EXISTS INTEGER j : j >= 1 AND j <= max activities 
AND sched_table[real_to_virt()[my_processor]] [config()] 
[subframe 0] (j] . acti vi ty 
= dummy_vote 
AND ti = sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j] .taskname 
END EXISTS AND ei >= 1 AND ei <= rcsult_size[ti] 
=> 'i~put()[ti] rei] = bottom val 
END_FORALL END_FORALL; 
$( Changes to ERRORS: 
For all processors p, for every non interactive consistency 
vote that p was involved in for which p was not in the majority, 
the error count for p goes up by one. ) 
FORALL INTEGER p : 
'errors() [p] = errors()[p] 
+ CARDINALITY ({INTEGER j I j >= 1 AND j <= max_activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = vote 
AND NOT i_c[sched_table[real_to_virtO [my_processor]] [configO] 
[subframe()] [j].taskname] 
AND poll [config()] [real_to_virt() [p]] 
[sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname] 
AND NOT is in majority 
(~onfigO , 
END]ORALL; 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j] .taskname, 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].elem, 
datafileO [p] 
[sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname] 
[sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].elem])}) 
FORALL INTEGER j : FORALL INTEGER p 
j >= 1 AND j <= max activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
AND sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname 
= error_report_tasks[my_processor] 
=> 'errors()[p] = 0 END_FORALL END_FORALL; 
$( Changes to DATAFILE: 
For each task that is executed, the datafile contains the 
421 
output for that task. ) 
$( Frame axiom: if no execute is done on a task, then 
its datafile area stays the same. ) 
FORALL INTEGER p : FORALL INTEGER ti : FORALL INTEGER ei 
NOT ( p = my_processor 
AND EXISTS INTEGER j : j )= 1 AND j (= max_activities AND 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname = ti 
END_EXISTS) 
=) 'datafile() [p] [ti] [ei] = datafile()[p] [til rei] 
END_FORALL END_FORALL END_FORALL; 
$( Execute activity) 
FORALL INTEGER ti : FORALL INTEGER ei : FORALL INPUT_ARRAY inp : 
EXISTS INTEGER j : j )= 1 AND j (= max_activities AND 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname = ti 
AND ti -= reconfig 
AND ti -= error_report_tasks[my_processor] 
END EXISTS 
AND FORALL INTEGER taski : FORALL INTEGER j : FORALL INTEGER elemi 
j )= 1 AND j (= result_size[taski] 
AND inputs [ti] [j] = taski AND taski -= null_task 
=) inp[j] [elemi] = 'input() [taski] [elemi] 
END FORALL END FORALL END FORALL 
=) 'datafile() [my_processor] [ti] rei] = task_results (ti, inp)[ei] 
END_FORALL END_FORALL END_FORALL; 
FORALL INTEGER ei : FORALL INTEGER j 
j )= 1 AND j (= max_activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
AND sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname 
= error_report_tasks[my_processor] 
=) 'datafile() [my_processor] [error_report_tasks[my_proces sor]] rei] 
= IF errors() [ei] ) err_threshold THEN 1 ELSE 0 END_IF 
END_FORALL END_FORALL; 
$( Changes to CONFIG, REAL_TO_VIRT, and VIRT_TO_REAL: 
These are only changed by reconfig. Config is set to the number of 
processors which are currently working, as reported by the global_exec 
task. Real_to_virt is set so that .the nth processor is mapped to 
the mth working processor. Virt_to_real is set so that the nth 
working processor is mapped to the mth processor. ) 
$( Frame axiom: if there is no reconfiguration, then the 
reconfiguration data stays the same. ) 
NOT EXISTS INTEGER j : j )= 1 AND j (= max_activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
422 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname = reconfig 
END EXISTS 
=) 'c~nfig() = config() AND 'real_to_virt() = real_to_virt() AND 
'virt_to_real() = virt_to_real(); 
$( reconfiguration activity) 
EXISTS INTEGER j : j )= I AND j (= max_activities 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j] .activity = execute 
AND sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j] .taskname = reconfig 
END EXISTS 
=) FORALL INTEGER x : 
'config() = CARDINALITY ({INTEGER pI I 
input() [global_exec] [pI] = O}) 
AND 'real_to_virt() [x] = CARDINALITY ({INTEGER p2 I 
p2 (= x AND inputO[global_exec] [p2] = O})' 
AND 'virt_to_real() [x] 
= x + CARDINALITY ({INTEGER p3 I 
p3 (= x AND input() [global_exec] [p3] = I}) 
END_FORALL; 
OFUN vote_activity (INTEGER c, t, e); 
ASSERTIONS 
FORALL INTEGER c : FORALL INTEGER ti 
CARDINALITY({ INTEGER pip )= I AND p (= max_processors 
AND poll[c] [real_to_virt() [p]] [til}) 
= IF i_c[ti] THEN I ELSE 3 END_IF 
END_FORALL END_FORALL; 
EFFECTS 
is_in_majority (c, t, e, 'inputO [t] [e]); 
FORALL INTEGER ti : FORALL INTEGER ei : 
ti -= t OR ei -= e => 'input() [ti] rei] = input() [ti] rei] 
END_FORALL END_FORALL; 
FORALL INTEGER q : 
IF poll [c] [real_to_virtO [q]] [t] AND NOT i_crt] THEN 
IF is_in_majority (c, t, e, datafile()[q] [t] [e]) 
THEN 'e rrors 0 [q] = errors () [q] 
ELSE 'errors()[q] = errors()[q] + I END_IF 
ELSE 'errors()[q] = errors()[q] END_IF END_FORALL; 
OVFUN vote3 (INTEGER t, e; proc_array p) -) INTEGER result; 
ASSERTIONS 
p[l] -= p[2] AND p[l] -= p[3] AND p[2] -= p[3] 
AND p[l] >= 1 AND p[l] (= max_processors 
AND p[2] )= I AND p[2] (= max_processors 
AND p[3] )= I AND p[3] {= max_processors; 
EFFECTS 
IF EXISTS INTEGER maj val : 
CARDINALITY ({INTEGER ql I ql >= I AND ql {= max_processors 
AND datafile() [ql] [t] [e] = maj_val 
AND (ql = p[l] OR ql = p[2] OR 
ql = p[3])}) > I END_EXISTS 
THEN FORALL INTEGER maj : 
CARDINALITY ({INTEGER ql I ql )= I AND ql {= max_processors 
423 
AND'datafile() [ql] [t] [e] = maj 
AND (qi = p[l] OR qi = p[2] OR 
qi = p[3])}) > I 
=> result = maj 
AND FORALL INTEGER j : 
IF j -= p[l] AND j -= p[2] AND j -= p[3] 
THEN 'errors()[j] = errors()[j] 
ELSE IF datafile()[j][t] [e] = maj 
THEN 'errors()[j] = errors()[j] 
ELSE 'errors()[j] = errors()[j] + I END_IF END_IF 
END FORALL 
END_FORALL 
ELSE result = bottom_val 
AND FORALL INTEGER j : 
IF j = p[l] OR j = p[2] OR j = p[3] 
THEN 'errors()[j] = errors()[j] + I 
ELSE 'errors()[j] = errors()[j] END_IF 
END_FORALLEND_IF; 
OFUN dummy_vote_activity (INTEGER c, t); 
EFFECTS 
FORALL INTEGER ti : FORALL INTEGER ei 
'inputO [til rei] = 
IF ti = t AND ei >= I AND ei <= result_size[t] 
THEN bottom_val ELSE inputO [til rei] END_IF 
END_FORALL END_FORALL; 
OFUN gexectask (); 
EFFECTS 
FORALL INTEGER t : FORALL INTEGER e : FORALL INTEGER p : 
IF p = my processor ·AND t = global exec THEN 
IF inp[global_exec] [p] = I -
OR CARDINALITY ({INTEGER qi I inp[global_exec] [ql] = 0 
AND p -= qi AND inp[error_i_c_tasks[ql]] [p] = I}) * 2 
> CARDINALITY ({INTEGER q2 I inp[global_exec] [q2] = 0 
AND p -= q2}) 
THEN 'datafile()[p] [t] [e] = I 
ELSE 'datafile()[p] [t] [e] = 0 END_IF 
ELSE 'datafile() [p] [t] [e] = datafile()[p] [t] [e] END_IF 
END_FORALL END_FORALL END_FORALL; 
OFUN errtask 0; 
EFFECTS 
FORALL INTEGER p : FORALL INTEGER t : FORALL INTEGER e : 
'datafile() [p] [t] [e] = 
IF t = error report AND p = my processor THEN 
IF errors()[e] > err_threshold THEN I ELSE 0 END_IF 
ELSE datafile() [p] [t] [e] END_IF END_FORALL END_FORALL 
AND (p >= 1 AND P <= max_processors => 'errorsO [p]= 0) END]ORALL; 
OFUN recftask (); 
EFFECTS 
'config() = CARDINALITY ({INTEGER pI I input() [global_exec] [pI] = a}); 
FORALL INTEGER x2 : 
'real_ to_ virtO [x2] = CARDINALITY ({INTEGER p2 I 
END_FORALL; 
FORALL INTEGER x3 : 
p2 <= x2 AND input() [global_exec] [p2] = a}) 
'virt_to_real() [x3] = x3 + CARDINALITY ({INTEGER p3 I 
424 
p3 <= x3 AND input() [global_exec] [p3] = I}) 
END_FORALL; 
OVFUN do_err_ic (INTEGER ti) -> BOOLEAN task_done; 
EFFECTS 
IF EXISTS INTEGER i : error_i_c_tasks[i] = ti END_EXISTS 
THEN FORALL INTEGER p : FORALL INTEGER taski : FDID\LL INTEGER ei 
'datafile()[p] [taski] rei] = 
IF p = my processor AND ti = taski 
TIIEN inputO [inputs [til [1]] rei] 
ELSE datafile() [p] [taski] rei] END_IF 
END FORALL END FORALL END FORALL 
- - -AND task done = TRUE 
ELSE task done = FALSE 
and 'dat~file() = datafile() END_IF; 
OFUN general_task (INTEGER til; 
EFFECTS 
FORALL INTEGER p : FORALL INTEGER taski : FORALL INTEGER ei 
IF p = my_processor AND taski = ti THEN 
FORALL input_array inp : 
FORALL INTEGER input_task : FORALL INTEGER j : 
FORALL INTEGER elemi : 
j >= 1 AND j <= result_size[input_task] 
AND inputs [ti] [j] = input_task 
AND input task -= null task 
=> inp[j] [el~mi] = 'input() [input_task] [elemi] 
END FORALL END FORALL END FO~\LL 
=> 'datafile() [p][ti] rei] = task_results (ti, inp)[ei] 
END FORALL 
ELSE 'd~tafileO [p] [taski] rei] = datafileO [p] [taski] rei] END IF 
END FORALL END FORALL END FORALL; 
'input() = input(j; -
END_MODULE 
425 

SUBSECTION 14.2 
SIFT CODE 
427 

const 
frame size = 64; 
max_processors = 7; 
my_processor = 0; 
max_activities = 10; 
max_elems = 100; 
max_tasks = 10; 
bottom_val = 0; 
err threshold = 2; 
vote = 1; 
dummy_vote = 2; 
execute = 3; 
null_ task = 0; 
reconfig = 1; 
global exec = 2; 
error_report = 3; 
type 
activity_kinds = integer; 
activity_range = 1 .. max_activities; 
task_kinds = 1 .. max_tasks; 
subframe_range = 1 .. max_subframe; 
elem_range = 1 .. max_elems; 
config_range = 1 .. max_processors; 
processors = O .. max processors; 
proc_array = array [processors] of integer; 
activity_record = record activity: activity_kinds; 
taskname : task_kinds; 
elem : elem range end; 
subframc_array = array [activity_range] of activity_record; 
config_array = array [subframe_range] of subframe_array; 
processor_array = array [processors] of config_array; 
sched_array = array [processors] of processor_array; 
elem_array = array [elem_range] of integer; 
taskname_array = array [task_kinds] of elem_array; 
datafile_array = array [processors] of taskname_array; 
poll_task_array = array [task_kinds] of boolean; 
poll_proc_array = array [processors] of poll_task_array; 
poll_array = array [config_range] of poll_proc_array; 
error_array = array [processors] of integer; 
input_array = array [task_kinds] of elem_array; 
task_array = array [task_kinds] of integer; 
bool_array = array [processors] of boolean; 
var sched_table : sched_array; 
poll : poll_array; 
inputs : taskname_array; 
i_c : bool_array; 
result_size : task_array; 
task_results : elem_array; 
error_report_tasks : proc_array; 
error_i_c_tasks : proc_array; 
subframe, config : integer; 
input : input_array; 
datafile : datafile_array; 
errors: error_array; 
real_to_virt, virt_to_real proc_arraYi 
429 
exc : integer; 
Iprocedure dispatcher; 
Ivar i : integer; 
I activity_num: activity_range; 
I ti: task_kinds; 
I task_done: boolean; 
Ibegin 
I activity_num:= 1; 
I while (sched_table[real_to_virt[my_processor]] [config] 
I [subframe] [actlvity_num].activity <> 0) 
I and not ( (sched_table[real_to_virt[my_processor]] [config] 
I [subframeJ[activitLnum].activity = execute) 
I and (sched_table[real_to_virt[my_processor]] [config] [subframe] 
I [activity_num].taskname = reconfig» 
I and (activity_num <= max_activities) 
I assert 
I 
I activity_num >= 1 and 
I (* poll set still same *) 
forall integer c : forall integer ti : 
cardinality({ integer pip >= 1 and p <= max_processors 
and poll[c] [real_to_virt() [p]] [til}) 
= if i_c[ti] then 1 else 3 end if 
end forall end_foral rand 
(* Changes to INPUT: 
For all tasks ti and for all data elements of the task, 
if this element of this task was voted on then the input now 
has the majority value, else if it was dummy voted it has 
bottom as value, else it hasn't changed. *) 
(* Frame axiom: if no vote or dummy vote, nothing changed *) 
forall integer ti : f~rall integer el 
not exists integer j : j )= 1 and j < activity num 
and ti = sched_table[real_to_virt()[my_pr~cessor]] [config()] 
[subframe()] [j].taskname 
and ( ( sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].activity 
= vote 
and ei = sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].elem) 
or sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity . 
= dummy_vote) end_exists 
=) 'input() [ti] [ei] = input() [ti] [ei] 
end_for all end_forall and 
(* Vote activity *) 
forall integer ti : forall integer ei 
exists integer j : j )= 1 and j < activity_num 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = vote . 
and ti = sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname 
430 
and ei = sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].elem end_exists . 
=) is_in_majority (config(), ti, ei, 'input() [ti] rei]) 
end forall end_forall and 
(* Dummy vote activity *) 
forall integer ti : forall integer ei 
exists integer j : j )= 1 and j < activity num 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity 
= dummy vote 
and ti = sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname 
end exists and ei )= 1 and ei <= result_size[ti] 
=) 'i~put()[ti] rei] = bottom_val 
end forall end_forall and 
(* Changes to ERRORS: 
For all processors p, for every non interactive consistency 
vote that p was involved in for which p was not in the majority, 
the error count for p goes up by one. *) 
forall integer p : 
'errors()[p] = errors()[p] 
+ cardinality ({integer j I j )= 1 and j < activity_num 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = vote 
and not i_c[sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname] 
and poll [config()] [real_to_virt() [p]] 
[sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname] 
and not is in majority 
(~onfig(), 
end forall and 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname, 
sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j] .elem, 
datafile()[p] 
[sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()][j] .taskname] 
[sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].elem])}) 
forall integer j forall integer p : 
j )= 1 and j < activity_num 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
and sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname 
= error_report_tasks[my_processor] 
=) 'errors()[p] = 0 end_forall end_forall and 
(* Changes to DATAFILE: 
For each task that is executed, the datafile contains the 
output for that task. *) 
, 431 
(* Frame axiom: if no execute is done on a task, then 
its datafile area stays the same. *) 
forall integer p : forall integer ti : forall integer ei 
not ( 
and 
p = my_processor 
exists integer j : j )= 1 and j < activity num and 
sched_table[real_to_virt() [my_processor]] [~onfig()] 
[subframe()] [j].activity = execute 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname = ti 
end_exists) .. 
=> 'datafile() [p] [ti] rei] = datafile()[p] [til rei] 
end forall end_forall end_forall and 
(* Execute activity *) 
forall integer ti : forall integer ei : forall input_array inp : 
exists integer j : j >= 1 and j < activity num and 
sched_table[real_to_virt()[my_processo~]] [config()] 
[subframe 0] [j] . acti vi ty = execute 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].taskname = ti 
and ti -= reconfig 
and ti -= error_report_tasks[my_processor] 
end exists 
and forall integer taski : forall integer j : forall integer elemi 
j >= 1 and j <= result_size[taski] 
and inputs[ti][j] = taski and taski -= null_task 
=> inp[j] [elemi] = 'input() [taski] [elemi] 
end forall end forall end forall 
=> 'datafile()[my_p~ocessor][tI][ei] = task results (ti, inp)[ei] 
end_forall end_forall end_forall and 
forall integer ei : forall integer j : 
j )= 1 and j < activity_num 
and sched_table[real_to_virt() [my_processor]] [config()] 
[subframe()] [j].activity = execute 
and sched_table[real_to_virt() [my_processor]] 
[config()] [subframe()] [j].taskname 
= error_report_tasks[my_processor] 
=> 'datafile() [my_processor] [error_report_tasks[my_processor]] rei] 
= if errors() [ei] > err_threshold then 1 else 0 end_if 
end_forall end_forall 
counting max_activities - activity_num 
do begin 
case sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].activity of 
vote : vote_activity 
dummy_vote 
(config, 
sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].taskname, 
sched_table [real_to_virt [my_processor]] [config] 
[subframe] [activity_num].elem); 
dummy vote activity 
-(contig , 
sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].taskname); 
432 
I 
end; 
execute : 
begin 
ti .- sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].taskname; 
if ti = global exec then gexectask 
else if ti = e~ror_report_tasks[my_processor] then errtask 
else begin 
do_err_ic (ti, task_done); 
if not task_done then general_task (ti) 
end 
end 
activity_num := activity_num + 1 
end; 
if (sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].activity = execute) 
and (sched_table[real_to_virt[my_processor]] [config] 
[subframe] [activity_num].taskname = reconfig) 
then recftask; 
if subframe = frame_size-l then subframe := 0 
else subframe .- subframe + 1; 
lend; 
Iprocedure vote_activity (c, t, e integer); 
Ivar i, q, voted: integer; 
I p: proc_array; 
Ibegin 
I if i_crt] then 
I begin 
I q := 1; 
I while not poll[c] [real_to_virt[q]][t] 
I assert i_crt] and q >= 1 and q <= max_processors and 
I forall integer ql : ql >= 1 and ql < q 
I => not poll[c] [real_to_virt() [ql]] [t] end forall 
I counting max_processors - q 
I do q := q + 1; 
input [t] [e] .- datafile [q] [t] [e] 
end 
else begin 
i := 0; 
for q := 1 
assert 
to max processors 
not i_crt] and i >= 0 
and cardinality ({integer x I x >= 1 and x <= q 
and poll[c] [real_to_virt() [x]] [t]}) 
= cardinality ({integer y I exists integer k : 
k >= 1 and k <= i and p[k] = Y 
end_exists}) 
and cardinality ({integer y I exists integer k : 
k >= 1 and k <= i and p[k] = Y 
end_exists}) = i 
and forall integer k : 
k >= 1 and k <= i 
=> p[k] >= 1 and p[k] <= q end_forall 
and forall integer kl : forall integer k2 : 
kl >= 1 and kl <= i and k2 >= 1 and k2 <= i 
and kl -= k2 => p[kl] -= p[k2] end_forall end_forall 
433 
I 
I 
I 
I 
I 
I 
I 
I 
do if poll[c] [real_to_virt[q]] [t] then 
begin 
i := i + 1; 
p[i] := q 
end; 
vote3 (t, e, p, voted); 
input[t] [e] .- voted 
end; 
lend; 
procedure vote3(t, e : integer; p proc_array; var result:integer); 
var vI, v2, v3 : integer; 
begin 
vI .- datafile[p[I]] [t] [e]; 
v2 .- datafile[p[2]] [t] [e]; 
v3 .- datafile[p[3]] [t] [e]; 
if v1=v2 then 
begin 
if v1<>v3 then errors[p[3]] .- errors[p[3]]+I; 
result:=v1 
end 
else if v1=v3 then 
begin 
errors [p[2]] := errors[p[2]]+1; 
result:=v1 
end 
else if v2=v3 then 
begin 
else 
end; 
errors[p[1]] := errors[p[I]]+1; 
result.:=v2 
end 
begin 
errors[p[1]] .- errors[p[1]]+1; 
errors [p [2]] . - errors [p [2]] +1; 
errors [p[3]] .- errors[p[3]]+1 
end 
Iprocedure dummy_vote_activity (e, t 
Ivar res : integer; 
integer); 
Ibegin 
I for res := 1 
I assert 
to result_size[t] 
forall integer ti : forall integer ei 
'input() [ti] rei] = I 
I 
I 
I 
if ti = t and ei >= 1 and ei <= res then bottom val 
else input() [ti] rei] end_if end_forall end_forall 
do input[t] [res] .- bottom_val 
lend; 
procedure gexectask; 
var q, errcount : integer; 
proc_votes, bad_proc_votes proc_array; 
begin 
for q := 0 to max_processors 
do begin 
proc_votes[q] := 0; 
for p' := 0 to max_processors 
do if (q <> p) and (input [global_exec] [p] = 0) then 
434 
begin 
proc_votes[q] := proc_votes[q] + 1; 
if input[error_i_c_tasks[p]][q] = 1 then 
bad_proc_votes[q] := bad_proc_votes[q] + 1 
end; 
end; 
for q := 0 to max_processors 
do if bad_proc_votes[q] * 2 > proc_votes[q] 
then datafile[my_processor] [global_exec] [q] .- 1 
else datafile[my_processor] [global_exec] [q] .- 0 
end; 
procedure errtask; 
var p integer; 
begin 
for p := 0 to max_processors 
do begin 
if errors"[p] > err_threshold then 
datafile[my_processor] [error_report [my_processor]] [p] .- 1 
else datafile[my_processor] [error_report [my_processor]] [p] .- 0; 
errors[p] .- 0 
end 
end; 
procedure do_err ic (ti integer; var did_it boolean); 
var i : integer; 
begin 
i := 1; 
did it := true; 
while (i < max_activities) and (ti <> error_i_c_tasks[i]) do i .- i + 1; 
if ti = error_i_c_tasks[i] then 
datafile[my_processor] [error_i_c_tasks[err_no]] [1] .-
input [error_report_tasks [i]] [1] 
else did it .- false 
end; 
procedure reef task; 
var i : integer; 
begin 
config := 0; 
for i := 1 to max processors do 
if input [glob;l_exec] [ i] = 0 then 
end; 
begin 
end 
config := config + 1; 
real_to_virt[i] := config; 
virt_to_real[config] := i 
procedure general_task (ti 
begin end; 
integer); 
435 

CHAPTER 15 
SAMPLE VERIFICATION CONDITIONS AND PROOFS 
437 

1. The Proof of the SIFT Implementation 
The SIFT operating system was implemented in PASCAL and specified in SPECIAL. The 
SPECIAL specification is the lowest level description of the hierarchy of models which describe 
SIFT. This lowest level describes the implementation by specifying the effect of each PASCAL 
routine (FUNCTION or PROCEDURE). 
The SIFT specifications consist primarily of constraints on the schedule table and descriptions of 
the changes each routine makes to the global variables. The proof proceeds by proving that each 
routine is consistent with its specification. Each of these proofs is separate from the others and 
the order of the proofs is unimportant. A routine is proved by generating a set of verification 
conditions from the PASCAL code and the SPECIAL specifications. Each verification condition 
is a set of assertions derived from a particular path in the routine. A verification condition (VC) 
is generated for each possible path through the routine. 
These VCs are formulae of first order predicate calculus with equality. They must be proven to 
be true in the mathematical sense in order to assure that every possible path through the routine 
accomplishes t.he change of state required by the specifications. These VCs can be proven by 
hand but they are very large and detailed and difficult to work with. The Shostak Theorem 
Prover (STP) [11 is used to prove these formulae. The context of the VCs must be given to STP 
in t.he form of declarations of variables and functions referenced. Each assertion of the path is 
asserted to STP and the requirements of the end of the path are then proven. 
An example VC is given at the end of this section. Not all of the declarations needed are shown. 
The axioms of the form SET.FN.AXIOM describe the intensional set constructors used in the 
specifications. Sets are constructed to define the concept of a majority vote. The axioms of the 
form VC4.H are the hypotheses of VC number 4 and come from the path which is being proven. 
The final formula VC4.C9 is the ninth conjunct of the conclusion of the path. This path is part 
of the dispatcher procedure and is the path from the top of the while loop through the vote 
activity back to the top of the loop. It is necessary to prove that the vote was done properly. 
The effects of the procedure call to the VOTE_ACTIVITY can be assumed in the proof of this 
path since the called procedure will be proven separately. The major difficulty in this proof is 
showing that the vote activity does not interfere with the other activities of the subframe. The 
constraints on the schedule table are used to assure this. 
The SIFT implementation and specifications are organized in a hierarchy of FUNCTION and 
PROCEDURE calls. The topmost routine is the DISPATCHER. This procedure is called at the 
beginning of each subframe and it directs the execution of each activity of that subframe as 
directed by the schedule table. Each activity in the schedule table for the current configuration, 
processor number, and subrrame is dispatched as a call to another PASCAL routine. The vote is 
done by the VOTE_ACTIVITY, the dummy vote is done by the DUMMY _ VOTE_ACTIVITY, 
the global executive task is GEXECTASK, the error reporting task is ERRTASK, the interactive 
consistency error reporting is done by do _ err _ ic, and the general application tasks are done by 
GENERAL TASK. Other routines such as VOTE3 (the three-way voter) are used to accomplish 
these tasks. 
439 
1 
Each of these routines are specified separately in the SIFT code specification. The proof proceeds 
by taking each routine and proving that it is consistent with its specifications. The lowest level 
routines do not call any other routines and consist only of PASCAL statements with known 
effects. The verification condition generator analyzes these statements to prove that they modify 
the global variables as specified. The next higher routines can then assume that any call to these 
lowest level routines will have the right effect since that will have been proven. The 
DISPATCHER at the highest level brings together the combined effect of all the routine calls 
done during the processing of a single subframe and assumes during its proof that each called 
routine performs as specified. This proves that one subframe on one processor is correctly 
processed. The proof that all of the sllbframes on all of the processors are correctly combined is 
done in the proof of the higher models of SIFT. 
The proof of SIFT 'consists of a large complicated set formulae each proven to be true using a 
mechanical theorem prover. This process is long and arduous and requires a great deal of work 
and interaction with the designers, specifiers, and implementors. When a formula fails to be 
proven by the theorem prover it is necessary to inspect the formula to decide if it is too 
complicated for the theorem prover or if it is untrue. Most proof failures are caused by some 
missing information in the specifications which are necessary for the proof. Often some 
constraint on the schedule table was not fully or correctly specified. 
440 
2 
References 
[1 J R. Shostak, R. Schwartz and P.M. Melliar-Smith. 
STP: A Mechanized Logic ror Specification and Verification. 
1981. 
Submitted to Working Conrerence on the Formal Description or Programming Concepts. 
441 
SET.FN.AXIDM.7: axiom 
V P#13, TI#40, C#14: 
P#13 E SET.FN#7(TI#40, C#14) 
P#13 ~ I 
A P#13 5 MAX_PROCESSORS() 
A POLL() [TI#40, REAL_TO_VIRT(STATE.SIFT() [P#13], C#14] 
SET.FN.AXIOM.9: axiom 
V Q#l, MAJ_VAL#2, STATE.SIFT#3, E#l, T#l, C#17: 
Q#l E SET.FN#9(MAJ_VAL#2, STATE.SIFT#3, E#l, T#l, C#17) 
Q#l ~ 1 
A Q#l 5 MAX_PROCESSORS() 
A POLL() [T#l, REAL_TO_VIRT(STATE.SIFT#3) [Q#l], C#17] 
A MAJ_VAL#2 = DATAFILE(STATE.SIFT#3) [E#l, T#l, Q#l] 
SET.FN.AXIOM.10: axiom 
V P#17, T#2, C#18: 
P#17 E SET.FN#10(T#2, C#I8) 
P#17 ~ 1 A P#17 5 MAX_PROCESSORS() A POLL() [T#2, P#17, C#18] 
SET.FN.AXIOM.11: axiom 
V Q#2, MAJ#2, STATE.SIFT#4, E#2, T#3, C#19: 
Q#2 E SET.FN#ll (MAJ#2, STATE.SIFT#4, E#2, T#3, C#19) 
Q#2 ~ 1 
A Q#2 5 MAX_PROCESSORS() 
A POLLO.[T#3, REAL_TO_VIRT(STATE.SIFT#4) [Q#2], C#19] 
A MAJ#2 = DATAFILE(STATE.SIFT#4) [E#2, T#3, Q#2] 
SET.FN.AXIOM.12: axiom 
V P#18, T#4, C#20: 
P#18 E SET.FN#12(T#4, C#20) 
-
P#18 ~ 1 A P#18 5 MAX_PROCESSORS() A POLL() [T#4, P#18, C#20] 
VC4.H1: axiom 
ACTIVITY_NUM() ~ I 
VC4.H2: axiom 
V C#13, TI#39: 
CARDINALITY(SET.FN#7(TI#39, C#13» 
= if I_C() [TI#39] then 1 else 3 end if 
VC4.H3: axiom 
V TI#41, EI#28 : 
.,(3 J#32: 
J#32 ~ 1 
A J#32 < ACTIVITY_NUM() 
A TI#41 
= SCHED_TABLEO 
[J#32, SUBFRAME(STATE.SIFT(», 
CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[MY_PROCESSOR()]] 
. TASK NAME 
A «SCHED_TABLE() 
[J#32, SUBFRAME(STATE.SIFT(», 
442 
j 
CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
. ACTIVITY 
= VOTEO 
" EI#28 
= SCHED_TABLE() 
[J#32, SUBFRAME(STATE.SIFT()), 
CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) 
[MY_PROCESSOR()]] 
.ELEM) 
v SCHED_TABLEO 
[J#32, SUBFRAME (STATE. SIFT 0) , 
CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
. ACTIVITY 
= DUMMY _ VOTEO)) 
INPUT(NEXT(STATE.SIFT())) [EI#28, TI#41] 
= INPUT(STATE.SIFT()) [EI#28, TI#41] 
VC4.H4: axiom 
V TI#42, EI#29: 
(3 J#33: 
J#33 ~ 1 
" J#33 < ACTIVITY_NUM() 
" SCHED _ TABLE 0 
[J#33, SUBFRAME(STATE.SIFT()), CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
. ACTIVITY 
i::: VOTEO 
" TI#42 
= SCHED_TABLEO 
[J#33, SUBFRAME(STATE.SIFT()), 
CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
. TAS K NAME 
" EI#29 
) 
= SCHED_TABLE() 
[J#33, SUBFRAME(STATE.SIFT()), 
CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
.ELEM) 
if 3·MAJ VAL#8: 
CARDINALITY(SET. FN#9 (MAJ_VAL#8, STATE.SIFT(), EI#29, 
TI#42, CONFIG(STATE.SIFT()))) 
then 
> CARDINALITY(SET.FN#10(TI#42, 
CONFIG(STATE.SIFT()))) 
V MAJ#8: 
CARDINALITY(SET.FN#ll (MAJ#8, STATE.SIFT(), EI#29, 
TI#42, CONFIG(STATE.SIFT()))) 
> CARDINALITY(SET.FN#12(TI#42, 
CONFIG(STATE.SIFT()))) 
) 
INPUT(NEXT(STATE.SIFT())) [EI#29, TI#42] = MAJ#8 
443 
else 
INPUT(NEXT(STATE.SIFT(») [EI#29, TI#42] = BOTTOM_VAL() 
end if 
VC4.H5: axiom 
V TI#43, EI#30: 
(3 J#34: 
J#34 ~ 1 
A J#34 < ACTIVITY_NUM() 
A SCHED_TABLE() 
[J#34, SUBFRAME(STATE.SIFT(», CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[MY_PROCESSOR()]] 
. ACTIVITY 
= DUMMY_VOTE () 
A TI#43 
= SCIIED _ TABLE 0 
[J#34, SUBFRAME(STATE.SIFT(», 
CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[~IT_PROCESSOR()]] 
. TASK NAME) 
A EI#30 ~ 1 
A EI#30 ~ RESULT_SIZE() [TI#43] 
) 
INPUT(NEXT(STATE.SIFT(») [EI#30, TI#43] = BOTTOM_VAL() 
VC4.H6: axiom 
V P#14, TI#44, EI#31: 
~(P#14 = MY_PROCESSOR() 
A (3 J#35: 
) 
J#35 ~ 1 
AJ#35 < ACTIVITY_NUM() 
A SCHED_TABLE() 
[J#35, SUBFRAME(STATE.SIFT(», 
CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[MY_PROCESSOR()]] 
. ACTIVITY 
= EXECUTE() 
A SCHED _ TABLE 0 
[J#35, SUBFRAME(STATE.SIFT(», 
CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[MY_PROCESSOR()]] 
. TAS K NAME 
= TI#44» 
DATAFILE(NEXT(STATE.SIFT(») [EI#31, TI#44, P#14] 
= DATAFILE(STATE.SIFT(»[EI#31, TI#44, P#14]" 
VC4.H7: axiom 
V TI#45, EI#32, INP#7: 
(3 J#36: 
J#36 ~ 1 
A J#36 < ACTIVITY_NVM() 
A SCHED _ TABLE () 
[J#36, SUBFRAME(STATE.SIFT(», CONFIG(STATE.SIFT(», 
REAL_TO_VIRT(STATE.SIFT(»[MY_PROCESSOR()]] 
. ACTIVITY 
= EXECUTE() 
A SCHED _ TABLE 0 
[J#36, SUBFRAME(STATE.SIFT(», CONFIG(STATE.SIFT(», 
4uu 
REAL_TO_VIRT(STATE.SIFT(» [MY_PROCESSOR()]] 
.TASKNAME 
= TI#45) 
A (V TASKI#7, J#37 , ELEMI#7: 
J#37 ~ 1 
A J#37 5 RESULT_SIZE() [TASKI#7] 
A INPUTS() [J#37 , TI#45] = TASKI#7 
A .(TASKI#7 = NULL_TASK(» 
) 
INP#7[ELEMI#7, J#37] 
= INPUT(NEXT(STATE.SIFT(») [ELEMI#7, TASKI#7]) 
) 
DATAFILE(NEXT(STATE.SIFT(») [EI#32 , TI#45, MY_PROCESSOR()] 
= TASK_RESULTS (TI#45, INP#7) [EI#32] 
VC4.H8: axiom 
SUBFRAME(~EXT(STATE.SIFT(») = SUBFRAME(STATE.SIFT(» 
VC4.H9: axiom 
CONFIG(NEXT(STATE.SIFT(») = CONFIG(STATE.SIFT(» 
VC4.HIO:- axiom 
ERRORS(NEXT(STATE.SIFT(») = ERRORS(STATE.SIFT(» 
VC4.Hll: axiom 
REAL_TO_VIRT(NEXT(STATE.SIFT(») = REAL_TO_VIRT(STATE.SIFT(» 
VC4.H12: axiom 
VIRT_TO_REAL(NEXT(STATE.SIFT(») = VIRT_TO_REAL(STATE.SIFT(» 
VC4.H13: axiom 
.., (SCHED _ TABLE 0 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») [MY_PROCESSOR()]] 
. ACTIVITY 
= 0) 
VC4.H14: axiom 
ACTIVITY_NUM() ~ MAX_ACTIVITIES() 
VC4.H15: axiom 
SCHED_TABLE() 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») [MY_PROCESSOR()]] 
. ACTIVITY 
= VOTEO 
VC4.H16: axiom 
if 3 MAJ VAL#9: 
CARDINALITY(SET.FN#9(MAJ_VAL#9, NEXT(STATE.SIFT(», 
SCHED _ TABLE () 
[ACTIVITY_NUMO, 
SUBFRA1ffi(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») 
[MY_PROCESSOR()]] 
.ELEM, 
445 
then 
SCHED_TABLE() 
[ACTIVITY_NUMO, 
SUBFRAME(NEXT(STATE.SIFT())), 
CONFIG(NEXT(STATE.SIFT())), 
REAL_TO_VIRT(NEXT(STATE.SIFT())) 
[MY_PROCESSOR()]] 
. TASK NAME , 
CONFIG(NEXT(STATE.SIFT())))) 
. > CARDINALITY(SET.FN#10(SCHED_TABLE() 
[ACTIVITY_NUMO, 
SUB FRAME (NEXT (STATE. SIFT())) 
, 
CONFIG(NEXT(STATE.SIFT())), 
REAL TO VIRT 
(NEXT(STATE.SIFT())) 
[MY_PROCESSOR()]] 
. TASK NAME , 
CONFIG(NEXT(STATE.SIFT())))) 
V MAJ#9: 
CARDINALITY(SET.FN#ll (MAJ#9, NEXT(STATE.SIFT()), 
SCHED_TABLE() 
[ACTIVITY_NUMO, 
SUBFR~E(NEXT(STATE.SIFT())), 
CONFIG(NEXT(STATE.SIFT())), 
REAL TO VIRT 
(NEXT(STATE.SIFT())) 
[MY_PROCESSOR()]] 
. ELEM , 
SCHED _ TABLE () 
[ACTIVITY_NUMO, 
SUBFRA!ffi(NEXT(STATE.SIFT())), 
CONFIG(NEXT(STATE.SIFT())), 
REAL TO VIRT 
(NEXT(STATE.SIFT())) 
[MY_PROCESSOR()]] 
.TASKNAME, 
CONFIG(NEXT(STATE.SIFT())))) 
> CARDINALITY(SET.FN#12(SCHED_TABLE() 
[ACTIVITY_NUMO, 
SUBFRAME 
(NEXT(STATE.SIFT())), 
CONFIG 
(NEXT(STATE.SIFT())), 
REAL TO VIRT 
(NEXT(STATE.SIFT())) 
[MY_PROCESSOR()]] 
.TASKNAME, 
CONFIG(NEXT(STATE.SIFT())))) 
J 
INPUT(NEXT(NEXT(STATE.SIFT()))) 
[SCHED _ TABLE () 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIF~())), 
CONFIG(NEXT(STATE.SIFT())), 
REAL_TO_VIRT(NEXT(STATE.SIFT())) [MY_PROCESSOR()]] 
.ELEM, 
SCHED_TABLEO 
446 
[ACTIVITY_NUM(), .SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(»)[~IT_PROCESSOR()]] 
. TASK NAME] 
= MA.J#9 
else 
end if 
VC4.H17: axiom 
INPUT(NEXT(NEXT(STATE.SIFT(»» 
[SCHED _ TABLE() 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») [MY_PROCESSOR()]] 
. ELEM , 
SCHED_TABLE() 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») [MY_PROCESSOR()]] 
. TASKNAME] 
== BOTTOM_ VAL 0 
V TI#46 , EI#33: 
-'(TI#46 
= SCHED_TABLE() 
[ACTIVITY_NUM(), SUBFRAME(NEXT(STATE.SIFT(»), 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(»)[~IT_PROCESSOR()]] 
.TASKNAME) 
V -'(EI#33 
) 
= SCHED _ TABLE 0 
[ACTIVITY _NUMO, SUBFRAME(NEXT(STATE. SIFTO» , 
CONFIG(NEXT(STATE.SIFT(»), 
REAL_TO_VIRT(NEXT(STATE.SIFT(») [MY_PROCESSOR()]] 
.ELEM) 
INPUT(NEXT(NEXT(STATE.SIFT(»» [EI#33, TI#46] 
= INPUT(NEXT(STATE.SIFT(») [EI#33 , TI#46] 
VC4.H18: axiom 
SUBFRAME(NEXT(NEXT(STATE.SIFT(»» 
= SUBFRAME(NEXT(STATE.SIFT(») 
VC4.H19: axiom 
CONFIG(NEXT(NEXT(STATE.SIFT(»» = CONFIG(NEXT(STATE.SIFT(») 
VC4.H20: axiom 
DATAFILE(NEXT(NEXT(STATE.SIFT(»» 
= DATAFILE(NEXT(STATE.SIFT(») 
VC4.H21: axiom 
ERRORS(N&~T(NEXT(STATE.SIFT(»» = ERRORS(NEXT(STATE.SIFT(») 
VC4.H22: axiom 
REAL_TO_VIRT(NEXT(NEXT(STATE.SIFT(»» 
= REAL_TO_VIRT(NEXT(STATE.SIFT(») 
VC4.H23: axiom 
VIRT_TO_REAL(NEXT(NEXT(STATE.SIFT(»» 
= VIRT_TO_REAL(NEXT(STATE.SIFT(») 
447 
VC4.C9: formula 
V TI##50, EI##35: 
(3 J##39: 
J##39 ~ 1 
" J##39 < ACTIVITY_NUMO+l 
" SCHED _ TABLE 0 
[J##39, SUBFRAME(STATE.SIFT()), CONFIG(STATE.SIFT()), 
REAL_TO_VIRT(STATE.SIFT()) [MY_pnOCESSOR()]] 
. ACTIVITY 
= VOTEO 
" TI##50 
= SCHED _ TABLE 0 
[J##39, SUBFRAME(STATE.SIFT()), 
CONFIG(STATE.SIFT()). 
REAL_TO_VIRT(STATE.SIFT()) [MY_PROCESSOR()]] 
. TAS K NAME 
" EI##35 
= SCI lED _ TABLE () 
[J##39, SUBFRAME(STATE.S1FT()), 
CONF1G(STATE.S1FT()). 
REAL_TO_V1RT(STATE.SIFT())[~IT_PROCESSOR()]] 
.ELEM) 
) 
if 3 MAJ VAL##10: 
CARD1NAL1TY(SET.FN##9(MAJ_VAL##10, STATE.SIFT(), EI##35 , 
T1##50, CONF1G(STATE.S1FT()))) 
> CARD1NAL1TY(SET.FN#10(T1#50, 
CONF1G(STATE.S1FT()))) 
then 
V MAJ##10: 
CARD1NAL1TY(SET.FN##ll (MAJ#10, STATE.S1FT(), EI##35, 
T1#50, CONFIG(STATE.SIFT()))) 
> CARD1NAL1TY(SET.FN##12(T1##50, 
CONF1G(STATE.SIFT()))) 
) 
INPUT(NEXl(NEXT(STATE.SIFT()))) [E1#35, T1#50] 
= MAJ#10 
else 
end if 
INPUT(NEXT(NEXT(STATE.SIFT()))) [E1#35, T1#50] 
= BOTTOM_ VAL 0 
448 
CHAPTER 16 
FORMAL DEFINITION OF HOM METHODOLOGY 
449 

A Formal Semantics for the SRI 
Hierarchical Program Design Methodology 
Robert S. Boyer and J S. Moore 
ABSTRACT 
This document is intended for the reader with modest abilities in 
understanding formal logical talk, an intuitive understanding of the SRI 
Methodology, and a large measure of patience. We present a formal 
statement of what it means to use (a subset of) the methodology. In 
particular, we formally define what it means to say that some specified 
module exists and what it means to say that another module is correctly 
implemented on top of it. We pay no attention to motivation, either of 
the methodology or of our formal development of it. Instead, we 
concentrate entirely upon mathematical succinctness and preCISIon. We 
conclude with a discussion of how to use certain INTERLISP programs 
which implement our formal definitions. Among these are a program which 
we allege generates Floyd-like verification conditions sufficient to 
imply the correctness of a module implementation. 
ACKNO\\LEDGMENTS 
The fundamental methodology ideas here are those of Parnas and 
We have only explicitly articulated a few things that were 
implicit and formalized much of what has long been 
but precisely talked about in the Computer Science 
Robinson. 
previously 
intuitively 
Laboratory. 
Thanks to W.W. Bledsoe, K. Levitt, L. Robinson, and J. Spitzen 
for hearing a version of the following details. "They receive all blame 
for any remaining errors. 
451 
I SOME CONVENTIONS 
We assume the existence of the non-negative integers, finite 
sequences, pairs, and sets. We assume that no integer is a sequence or 
a pair, and that no sequence is a pair. We enumerate the members of a 
sequence starting from 1. 
When we write the double quotation mark followed by a sequence of 
ASCII characters not including the double quotation mark followed by 
another double quotation mark, we are refering to the sequence whose 
members are the ASCII numbers of the characters between the double 
quotation marks. 
452 
II FORMULAS 
A word is a non-empty sequence of integers that are members of 
"0123456789.-*'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz". 
An !~~Q~!f!~r is a word one of whose characters is not a member of 
"0123456789". 
A fYQ~~!2Q ~~!22! is an identifier. 
F is a f2r~~!! if F is a member of (the intersection of all sets S 
containing the words and such that any sequence whose first member is a 
function symbol and whose other members are in S is a member of S). 
All but the first ~~!2~r 2f ~ is defined (when s is a finite non-
empty-;~q~~~c~)- to be the sequence whose length is one less than the 
th 
length of s and whose i 
th 
member (for i from 1 to (the length of s)-I) 
is the i+l member of s. 
The !rg~!~Q~~ of a formula not a word is all but the first member 
of the formula. 
A E!r!~~~~r 
identifiers. 
A E!r!~~~~r 
identifiers none 
~~g~~Q~~! 
of which 
contain "'" nor "*". 
is 
are 
or a sequence 
"NIL" or 
"STATE" , 
a sequence 
"NEWSTATE"; 
of distinct 
of distinct 
"NEWVECT", nor 
!Q(x) is (if x is "NIL" then the empty sequence, otherwise x). 
The Y!r!!~!~~ of a formula is defined recursively as: 
If the formula is a word, then if the 
identifier, then the set whose only member is 
otherwise the empty set, 
formula is an 
the identifier, 
Otherwise, the union of the variables of the members of the 
arguments of the formula. 
The r~~~!~ 2f ~~2~~!~~t!Qg ~[1] fQr b[I], a[2] fQr b[2], 
a[n] fQr b[n] !Q the formula c is defined recursively as: 
If for some i c is b [i] , then a[the first i such that 
c], 
Otherwise, if c is a word then c, 
th 
Otherwise, the sequence whose i element is the 
453 
... , 
b [i] is 
result of 
sUbstituting a[l] for bel], a[2] for b[2], ... , and a[n] for 
th 
b[n] in the i member of c (for i from I to the length of c). 
We will also use the 
~n~ b[n] ~I a[n] to mean 
and a[n] for b[n]. 
phrase !~~y!~ 2f !~e!~£!~g b[l] ~I 
the result of substituting a[l] for 
a[l], 
b[l], 
S !~ ~ e!~~~~~~~!2~ of the formula F is defined recursively as 
If F is a word, then S is F, 
Otherwise, S is the concatenation in order of the members of a 
sequence of odd length whose first member is "en, whose second 
member is the function symbol of F, whose last member is ")", 
th th 
member is a presentation of the i 
th 
member of F 
and whose 2*i-1 member is a non-empty sequence of spaces and 
carriage-returns, for i from 2 to the length of F. 
It is a theorem that any sequence is a presentation of at most one 
formula. 
The f2!!Y!~ 2f a sequence is the unique formula (if there is one) 
such that the sequence is a presentation of the formula. 
The ~ee!!£~~i2~ of f to a sequence s is the sequence whose length 
st 
is one greater than that of s, whose first element is f, and whose i+l 
th 
element is the i element of s, for i from I to the length of s. 
The ~ee!!£~~i2~! of f to x[l], ... , and x[n] is the sequence of 
st 
length n~l whose first member is f and whose i+l member is x[i], for i 
from I to n. 
If FS is a sequence of formulas, we define the £2~iY~£~i2~ of FS 
recursively as: 
If FS is empty then the formula of "(TRUE)", 
Otherwise the application* of "AND" to the first member of FS 
and (the conjunction of all but the first member of FS). 
If FS is a sequence of formulas, we define the ~!~iY~£~!2~ of FS 
recursively as: 
If FS is empty then the formula of "(FALSE)", 
Otherwise the application* of "OR" to the first member of FS 
and (the disjunction of all but the first member of FS). 
The !!e!i£~~!2~ of formulas FI and F2 is the application* of 
"IMPLIES" to FI and F2. 
The ~9Y~~i2~ of EI and E2 is the application* of "EQUAL" to EI and 
E2. 
454 
III INTERPRETATIONS AND MODELS 
I is an i~~~rEr~~~~i9~ 9f the set S (where S is a set of pairs 
consisting of a function symbol and a non-negative integer) if and only 
if I is a pair consisting of a set D, called the domain of I, and a 
function G whose domain is S, and for each pair <fn, ar> in S, 
ar 
G«fn,ar» is a function on D to D. 
Fl is ~ ~~~f9r!~!~ of F2 is defined recursively as 
If F1 is F2 then true, 
Otherwise, if F2 is a word, then false, 
Otherwise, Fl is a subformula of some member of the arguments 
of F2. 
The ~ri~~ of a formula not a word is the length of the formula 
minus 1. 
The ~ri~~ ~~~ of a formula F is the set of pairs <fn, ar> such that 
some sub-formula of F not a word has function symbol fn and arity ar. 
E is an ~~Y!r9~!~~~ if and only if E is a function whose domain is 
the set of identifiers. 
If I is an interpretation whose domain includes the integers and 
words, E is an environment whose range is a subset of the domain of I, 
and the domain of the second member of I is a superset of the arity set 
of a formula F, then the !~~~i~g 9f E !i~h r~~E~£~ ~9 I ~~~ E is defined 
recursively as 
If F is an identifier, then E(F) 
Otherwise, if F is a word, then the non-negative integer 
represented by F in decimal, 
Otherwise, if F can be obtained by replacing "X" by a word L 
in the formula of "(QUOTE X)", then if L is an identifier, 
then L, otherwise the non-negative integer represented by L in 
decimal. 
Otherwise, if F is the application* of fn to x[1], x[2], 
x[n], then G«fn, n»(v[1],v[2], ... ,v[n]), where v[i] is the 
meaning of x[i] with respect to I and E. 
Let TRUE and FALSE be distinct objects not integers, pairs, or 
sequences. 
The ~~~~~~r~ ~9!~i~ is the smallest set S containing TRUE, FALSE, 
the words, the non-negative integers, and the pair of each element in S. 
I is a ~~~~~~r~ !~~~rEr~~~~!9~ if and only if the domain of I is a 
superset of the standard domain 
and 
455 
G« "IF" 3»(x y z) l'S Y l'f X l'S not FALSE and z otherwise. , " 
G«"EQUAL",2»(x, y) is TRUE if x is y and FALSE otherwise. 
G«"TRUE",O»O is TRUE 
G«"FALSE",O»() is FALSE 
G«"NUMBERP",I»(x) is TRUE if x is a non-negative integer and 
FALSE otherwise. 
G«"SUBI", I»(x) is x-I if x is a positive integer and 0 
otherwise. 
G«"ADDI",I»(x) is x+1 if x is a non~negative integer and 2 
otherwise. 
G«"LITATOM",I»(x) is TRUE if x is an identifier and FALSE 
otherwise. 
G«"LISTP", I»(x) is TRUE if x is a pair and FALSE otherwise, 
G«"CONS", 2»)(x, y) is the pair (x, y), 
G«"CAR", I»(x) is u if x is the pair (u, v) for any u and v 
and "NIL" otherwise. 
G«"CDR", I»(x) is v if x is the pair (u, v) for any u and v 
and "NIL" otherwise. 
I i~ ~ ~9~~! 9f E~ provided that I is a standard interpretation, FS 
is a set of formulas, the domain of the second member of I is the union 
of the arity-sets of the members of FS together with the set 
{<"IF",3),<"EQUAL",2>,<"TRUE",O),<"FALSE",O),<"NUMBERP",I>,<"ADDI",I><"SUBI",I), 
<"LITATOM",I>,<"LISTP",I),<"CONS",2),<"CAR",I),<"CDR",I)}, and for every 
environment E whose range is a subset of the domain of I, the meaning of 
each member of FS with respect to I and E is not FALSE. 
TH f9!!9~~ from FS provided that 
TH is a formula, 
FS is a set of formulas, and 
every model of FS is a model of FS union singleton TH. 
D results from substituting a function symbol, fn-symbol, for 
"fn-symbol" a parameter sequence, param-seq, for "param-seq" 
and a formula, body, for "body" in the formula of "(DEFNI fn-
symbol param-seq body)", and 
for each model I of FS there exists a model I' of FS union 
singleton (the result of sUbstituting (the application of fn-
symbol to ID(param-seq» for "LHS", and body for "body" in the 
formula of "(EQUAL LHS body)" ) such that the domain of I is 
the domain of I' and the second member of I is a subset of the 
456 
second member of I'. 
An instruction is an application. of "ASSUME" to a formula or the 
applicati~~;-~f-"DEFNl" to a function symbol, a parameter sequence, and 
a formula. 
Ih~ ~h~9r~ r~~~!~i~g from the sequence of instructions instrs is 
defined recursively as 
If instrs is empty, then the empty set 
Otherwise, if the last instruction in instrs is the 
application. of "ASSUME" to a formula fm, then the set whose 
members are fm and the members of the theory resulting from 
all but the last member of instrs 
Otherwise, if the last instruction in instrs is the 
application. of "DEFNl" to fn-symbol, param-seq, and body, and 
that instruction is a definition admissible to the theory 
resulting from all but the last member of instrs, then the set 
resulting from adding (the application. of "EQUAL" to (the 
application of fn-symbol to ID(param-seq» and body) to the 
theory resulting from all but the last member of instrs. 
Otherwise the theory resulting from all but the last member of 
instrs. 
We say that (=> instrs fm) when fm follows from the theory 
resulting from instrs. 
IV MODULES 
Let the reader beware that we will sometimes present definitions in 
the opposite order from that in which they might normally be presented. 
Our purpose in doing this is to avoid ~~gi~~i~g with many apparently 
silly subsidiary concepts. 
A module is the application. of an identifier, (called the 
module.n;~~)~- to (the application of "VFNS" to a sequence of 
vfn.specifications (see below» and (the application of "OVFNS" to a 
sequence of ovfn.specifications (see below». 
A Yf~~~Q~£ifi£~~i2~ is an application. of an identifier (called the 
Yf~~~~~~) to a parameter sequence. (called the vfn.parameter.sequence) 
and (an application. of "ASSERTION" to a formula (called the 
vfn.assertion». 
An 2yf~~~E~~!f!~~~!9~ is an application. of an identifier (called 
the ovfn.name) to a parameter sequence. (called the 
ovfn.parameter.sequence) , (an application. of "ASSERTION" to a formula 
(called the ovfn.assertion», (an application. of "VALUE" to a formula 
(called the ovfn.value», and (an application. of "EXCEPTIONS" to an 
exception.sequence (called the ovfn.exception.sequence) (see below». 
An ~~£~E~i2~~~~9~~~£~ is a sequence of formulas (including the 
identifier "RESOURCE. ERROR" , which will have a special role). 
The ~~Q~~f~~£~i2~~~~~~ of a module is the identifier resulting from 
457 
concatenating the module.name with ".TYPE.FN". The 
invariant. function. name of a module is the identifier resulting from 
~oDc~t~D~tIDg-th~-;od~Ie.name with ".INVRNT". The !~!~!!!~~~!~~~~!!~ of 
a module is the identifier resulting from the concatenation of 
"INITIAL.", the module.name, and ".STATE". The invoke.function.name of 
a module is the concatenation of "INVOKE." and the module.name. 
The ovfn. correctness. assertionl of the sequence of exceptions 
exceptions~-th~-DoD:D~g~tIv~-IDt~g~~-n, the ovfn.specification ovfnspec 
and the module module is defined recursively as 
If exceptions is empty, then the conjunction of the 
ovfn.assertion of ovfnspec, the equation of the formula of 
"(ANSWER NEWVECT)" with the ovfn.value of ovfnspec, the 
formula of "(EQUAL (RETURN.NUMBER NEWVECT) 0)", and the 
application* of the type.function.name of module to the 
formula of "(ANSWER NEWVECT) " , 
Otherwise,if the first member of exceptions is the formula of 
"RESOURCE. ERROR" then the disjunction of (the conjunction of 
the null. assertion (see below) of module with the equation of 
the formula of "(RETURN.NUMBER NEWVECT)" and the shortest 
string of decimal digits whose meaning is n) and the 
ovfn.correctness.assertionl of all but the first member of 
exceptions, n+l, ovfnspec, and module, 
Otherwise, the application* of "IF" to the first member of 
exceptions, (the conjunction of the null.assertion of the 
module and (the equation of the formula of "(RETURN.NUMBER 
NE\VVECT)" with the shortest string of decimal digits whose 
meaning is ~», and the ovfn.correctness.assertionl of all but 
the first member of exceptions, n+l, ovfnspec, and module. 
The ovfn.correctness.assertion of an ovfn.specification ovfnspec 
and a moduI~-~od~I~-Is-the-I~plIcatIon of 
the conjunction of 
the equation of " NEWVECT " and the application of the 
ovfn.name of ovfnspec to the concatenation of the 
ovfn.parameter.sequence of ovfnspec with the sequence 
whose only member is "STATE", 
the formula of "(EQUAL NEWS TATE (STATE NEWVECT»" , and 
the conjunction of the sequence of application*s of the 
type.function.name of module to each of the identifiers 
in the ovfn.parameter.sequence of ovfnspec 
and the conjunction of 
the application* of the invariant.function.name of module 
to "NEWSTATE" and 
the ovfn.correctness.assertionl of the exceptions of 
ovfnspec. 1, ovfnspec, and module. 
The !Qg~!~~£Qrr~£~~~~~~!~~~r~!Q~ of 
conjunction of the concatenation of 
458 
a module module is the 
the sequence, in order, of the vfn.assertions 
vfn.specifications of module and 
of the 
the sequence whose two members are 
the application* of the invariant.function.name of module 
to the (application of the initial.state.name of module 
to the empty sequence» and 
the conjunction of the sequence in order of the 
ovfn.correctness.assertions of each ovfn.specification of 
module with respect to module. 
The ~~11~e~~~r~!2~ of a module module is the conjunction of the 
sequence, in order, for each vfn.specification vs of module the equation 
of (the application of the vfn.name of vs to (the concatenation of the 
renamed vfn.parameter.sequence (see below) of vs to the sequence whose 
only member is "STATE"» with (the application of the vfn.name of vs (to 
the the concatenation of the renamed vfn.parameter.sequence of vs to the 
sequence whose only member is "NEWSTATE"». 
The r~~e~~g Yf~~Eere~~~~r~~~g~~~~~ of vs is a sequence of 
identifiers obtained, in order, from vs by concatenating each identifier 
in vs with the sequence whose only member is "'" 
V MACHINES 
The invoke function definition of a module module is the result of 
replacing-i~-the--f~~;~ia-~f-"(DEFN1 FN (RHS ENVIRONMENT STATE) BODY)" 
"FN" with the invoke.function.name of module and "BODY" with the 
invoke.code of the ovfn.specifications of module, where the !~Y2~~~£29~ 
of a sequence of specifications s is defined recursively as: 
If s is empty then the formula of "(MAKE.VECT 0 0 0 0)", 
Otherwise, the result of substituting in the formula of "(IF 
(EQUAL (CAR RHS) NAME) CALL REST)" the application* of "QUOTE" 
to the ovfn.name of the first member of s for "NAME", the 
calling pattern (see below) of the first member of s for 
"CALL", and the invoke.code of all but the first member of s 
for "REST". 
The £ell!~g Ee~~~r~ of an ovfn.specification ovfnspec is the 
application of the ovfn.name of ovfnspec to (the concatenation of the 
(RHS-arguments (see below) of the length of the ovfn.parameter.sequence 
of ovfnspec) with the sequence whose only member is "STATE"). 
The BB~=erg~~~~~~ of n is 
th 
the sequence of length n containing, in 
th 
the i position, the application* of "CAR" to the i 
below). 
CDR of RHS (see 
th 
The i 
is 0, and 
otherwise. 
QQB 2f BB~, where i a non-negative integer, is "RHS" if i 
is the application* of "CDR" to the i-1st CDR of RHS 
The g~f!~!~!2~ of the r~~! f~~~~i2~ 2f the module module is the 
459 
result. of substituting the invoke.function.name of module for "INVOKE" 
and (the concatenation "RUNl." with the module.name of module) for 
"RUNl" in the formula of 
"(DEFNl RUNl (CODE LOC ENVIRONMENT STATE) 
(IF 
(EQUAL (CAAR LOC) 
(QUOTE GO» 
(Ru~l CODE (GOTO (CADAR LOC) 
CODE) 
ENVIRON~NT STATE) 
(IF 
(EQUAL (CAAR LOC) 
(QUOTE SWITCH» 
(RUNl CODE (GOTO (IF (VALUE (QUOTE ACl) 
ENVIRONMENT) 
(CADAR LOC) 
(CADDAR LOC» 
CODE) 
ENVIRONMENT STATE) 
(IF 
(EQUAL (CAAR LOC) 
(QUOTE IMMEDIATE» 
(RUNl CODE (CDR LOC) 
(BIND (QUOTE ACl) 
(CADAR LOC) 
ENVIRONMENT) 
STATE) 
(IF 
(EQUAL (CAAR LOC) 
(QUOTE ASSIGN» 
(IF 
460 
(LISTP (CADDAR LOC» 
(RUN! 
CODE 
(NTH 
LOC 
(ADD! (RETURN.NUMBER 
(INVOKE (CADDAR LOC) 
ENVIRONMENT STATE») 
) . 
(IF 
(EQUAL 
o 
(RETURN. NUMBER 
(INVOKE (CADDAR LOC) 
ENVIRONMENT STATE») 
(BIND (CADAR LOC) 
(ANSWER 
(INVOKE (CADDAR LOC) 
ENVIRONMENT STATE» 
ENVIRONMENT) 
ENVIRONMENT) 
(STATE (INVOKE (CADDAR LOC) 
ENVIRONMENT STATE») 
(RUN! CODE (CDR LOC) 
(BIND (CADAR LOC) 
(VALUE (CADDAR LOC) 
. ENVIRONMENT) 
ENVIRONMENT) 
STATE) ) 
461 
(IF (EQUAL (CAAR LOC) 
(QUOTE ANSWER» 
(MAKE. VECT (VALUE (QUOTE ACI) 
ENVIRONMENT) 
ENVIRONMENT STATE 0) 
(IF (EQUAL (CAAR LOC) 
(QUOTE EXCEPTION» 
(MAKE.VECT 0 ENVIRONMENT STATE 
(CADAR LOC» 
(RUNI CODE (CDR LOC) 
ENVIRONMENT STATE»»»»". 
The r~~~f~~~~i2~~~~~~ of a module is the concatenation of "RUN." 
and the module.name of the module. 
The g~fi~i~i2~ 2f ~h~ r~~ f~~s~i2~ of the module module is the 
result of substituting the run.function.name of module for "RUN" and the 
concatenation of "RUNI." with the module.name of module for "RUNl" in 
the formula of 
"(DEFNl RUN (CODE ENVIRONMENT STATE) 
(RUN! CODE CODE ENVIRONMENT STATE»" 
VI IMPLEMENTATIONS 
An i~El£~~~~~~i2~ of a module upper.module on a module lower. module 
is a sequence consisting (in order) of an ovfn.implementation of 
upper.module (see below), a vfn.implementation of upper.module (see 
below), the applicatioD* of "INITIALIZATION" to a formula (called the 
initialization.prog), the application* of "TYPE" to a formula (called 
the type.formula), and the application* of "INVRNT" to a formula (called 
the invrnt.formula). 
An 2yf~~i~E!~~~~~~~i2~ of upper.module is a sequence beginning with 
"OVFNS" which contains for each ovfn.specification ov of upper module 
exactly one application* of the ovfn.name of ov to a formula (called the 
ovfn.implementation.formula). 
A Yf~~i~E!~~~~~~~i2~ of upper.module is a sequence beginning with 
"VFNS" which contains for each vfn.specification vfnspec of upper.module 
exactly one application* of the vfn.name to a formula (called the 
vfn.implementation.formula). 
The i~El~~~~~~~i2~ g~fi~i~i2~~ 2f an implementation implementation, 
a module upper.module, and a module lower.module is the sequence of 
formulas consisting of 
462 
the result of substituting the invrnt.formula of the 
implementation for "fm" and the invariant.function.name of the 
upper module for "name" in the formula of "(DEFNI name (STATE) 
fm)", 
the result of 
upper.module 
implementation 
fm)", 
substituting the type.function.name of the 
for "name" and the type. formula of the 
for "fm" in the formula of "(DEFNI name (OBJ) 
for each vfn.specification vs of the upper.module, the 
application* of "DEFNI" to the vfn.name of vs, the 
concatenation of ID(the vfn.parameter.sequence of vs) to the 
sequence whose only member is "STATE", and the 
vfn.implementation.formula of the vfn.name of vs in the 
vfn.imp'lementations of implementation, and 
the invoke function definition of lower.module, 
the runl function definition of lower.module, 
the run function definition of lower.module, 
the application* of "DEFNI" to the initial.state.name of 
upper.module, "NIL", and (the application* of the 
run.function.name of lower.module to the initialization.prog 
of implementation, the formula of " (EMPTY. ENVIRONMENT) " , and 
(the application of the initial.state.name of lower.module to 
the empty.sequence»). 
for each ovfn.specification ov of the upper.module, the 
application* of "DEFNI" to the ovfn.name of ov, the 
concatenation of ID(the ovfn.parameter.sequence of ov) to the 
sequence whose only member is "STATE", and (the application* 
of the run.function.name of lower.module to the 
ovfn.implementation.formula of the ovfn.name of ov in 
implementation, the initial environment of ID(the 
ovfn.parameter.sequence of ov), and "STATE"). 
The !~!~!~! ~~Y!rQ~~~~~ of a parameter sequence I is defined 
recursively as: 
If I is empty, then the formula of "(E~WTY.ENVIRONMENT)", 
Otherwise, the result of replacing "NAME" with the first of I 
and "REST" with the initial environment of all but the first 
of I in the formula of "(BIND (QUOTE NAME) NAME REST)". 
VII WHAT IT MEANS TO USE THE METHODOLOGY 
To ~~~ the ~~~~Q~Q!Qgl ~EQ~ upper.module, lower.module, and 
implementation ~~~r~!~g frQ~ the sequence of instructions instrsl ~~~ 
~~~i~g ~i~~ the sequence of instructions instrs2 
is to establish (=> hyps (the module.correctness.assertion of 
upper.module» where hyps is the concatenation of 
463 
the auxiliary definitions (see below), 
instrsl, 
the implementation definitions of implementation, 
upper.module, and lower.module, 
the application* of "ASSUME" to the 
module. correctness. assertion of lower.module, and 
instrs2. 
The ~~~!!!~r~ ~~f!~!~!9~~ are the formulas of the following 
strings: 
"(DEFNl AND (P Q) (IF P Q (FALSE»)", 
"(DEFNl OR (P Q) .(IF P (TRUE) Q»", 
"(DEFNl IMPLIES (P Q) (IF P Q (TRUE»)", 
"(DEFNl MAKE.VEeT (X Y Z U) (CONS X (CONS Y (CONS Z 
(CONS U (QUOTE NIL»»»", 
" (DEFN 1 RETURN. NUMBER (X) (CAR (CDR (CDR (CDR X»»)", 
"(DEFNl STATE (X) (CAR (CDR (CDR X»»", 
"(DEFNl ENVIRONMENT (X) (CAR (CDR X»)", 
"(DEFNl ANSWER (X) (CAR X»", 
"(DEFNl EMPTY.ENVIRONMENT () (QUOTE NIL»", 
"(DEFNI BIND (X Y Z) (CONS (CONS X Y) Z»", 
"(DEFNl GOTO (X L) 
(IF (LISTP L) 
(IF (EQUAL (CAR L) X) 
L 
(GOTO X (CDR L») 
(QUOTE NIL»)", 
"(DEFNl NTH (L I) 
(IF (LISTP L) 
(IF (EQUAL I 0) 
L 
(NTH (CDR L) (SUBl I») 
(QUOTE NIL»)", and 
464 
"(DEFNI VALUE (X Y) (IF (LISTP Y) 
(IF (EQUAL X (CAR (CAR Y))) 
(CDR (CAR Y)) 
(VALUE X (CDR Y))) 
0))" . 
465 
Appendix A 
USING <THOR>RUN 
This appendix discusses the use of the verification condition 
generator and semantics generators for the subset of the methodology 
just described. We here, and in the next appendix, return to the 
ordinary mathematical and programming style of requiring the reader to 
understand what we mean rather than what we say. 
The file <THOR>RUN is Interlisp-lO code. There are in that file 
three important functions, USE. THE. METHODOLOGY, USE. FLOYD , and 
VCG.COMPILE. We will discuss the use of these functions but not their 
implementation. 
The function USE.THE.METHODOLOGY takes as input three 
arguments, an UPPER.MODULE, a LOWER. MODULE , and an IMPLE~ffiNTATION. The 
form of these arguments should be obvious to the experienced Interlisp 
user from the foregoing discussion of the methodology. (We could of 
course spell things out precisely here but that would require linking up 
with the Interlisp virtual machine specification.) The result of 
calling USE.THE.METHODOLOGY is a formula of the form (=> hyp concl) that 
is the same as the formula described in the previous section except that 
instrsl, instrs2, and the auxiliary definitions are omitted. This 
statement is correct with the following reservations: 
The type.function.definition of an implementation 
to include as admissible objects (TRUE), (FALSE), 
and all numbers between 0 and (MAX.NO). 
An omitted ovfn.value is taken to be O. 
is coerced 
(UNDEF), 0, 
An omitted ovfD.assertion is taken to be the null.assertion. 
An omitted ovfn.exception.sequence is taken to be the empty 
sequence. 
An omitted vfn.assertion is taken to be (TRUE). 
The definition of RUN is enhanced as if the lower.module 
included among its ovfn.specifications the following: 
(TRUE NIL (VALUE (TRUE))) 
(FALSE NIL (VALUE (FALSE))) 
(UNDEF NIL (VALUE (UNDEF))) 
(EQUAL (X Y) 
(VALUE (EQUAL X Y))) 
(ZEROP (X) 
(VALUE (EQUAL X 0))) 
(GREATERP (X Y) 
466 
(VALUE (GREATERP X Y») 
(LESSP (X Y) 
(VALUE (LESSP X Y))) 
(ADDl (X) 
(EXCEPTIONS (GREATERP (ADDl X) 
(MAX. NUMBER) ) ) 
(VALUE (ADDl X») 
(PLUS (X Y) 
(EXCEPTIONS (GREATERP (PLUS X Y) 
(MAX. NUMBER) ») 
(VALUE (PLUS X Y») 
USE.FLOYD takes the same arguments as does USE.Tlffi.METHODOLOGY 
and it returns a list of things that are either definitions or =>'s. It 
is here alleged that if one takes the theory resulting from instrsl, the 
definitions in the output, and instrs2 and in that theory checks that A 
follows from B when (=> A B) occurs in the output, then one has 
correctly used the methodology, subject to the reservations made in the 
subsection on USE.THE.METHODOLOGY. 
In order to obtain from USE.FLOYD some =>'s that are provable, 
one must exercise considerable ingenuity in inventing what are called 
Floyd assertions and certain numeric formulas called "clocks" here. 
USE. FLOYD insists that every program has a formula of the form (ASSERT 
fm cl) cutting every loop. Variables in these formulas are taken to 
refer to the current value of the variable if it is anywhere used as a 
program variable in the program. Otherwise, the reference is taken to 
be universally quantified. The term (START) is taken to be a reference 
to the state at the beginning of the execution of the program, and the 
term (X*) is taken to be a reference to the value of the variable X at 
the beginning of the execution of the program. 
The formula fm in an assertion is used in 
Floyd-assertion. The formula cl is used as a 
expression and the verification condition generator 
requiring that these expressions get smaller on each 
these relations insure that the program terminates. 
the usual way as a 
numerically valued 
produces formulas 
path. If proved, 
Because it is painful for some people to write in the assembly 
language that RUN works on, both USE.THE.METIIODOLOGY and USE.FLOYD call 
the function VCG.COMPILE to translate all implementation programs into 
the assembly language used. VCG.COMPILE is given the program and the 
lower module as arguments. For convenience we have defined VCG.COMPILE 
467 
to translate a LISP-like language, containing COND, PROG, CLISP, etc. 
The user is invited to invent his own language. 
It should be observed that VCG.COMPILE is essentially a 
semantics for one's programming language. However, it should be 
realized that the intent is to use the "assembly" code to get a computer 
running. It would certainly be easier to write a correct assembler and 
loader for RUN than to prove the correctness of the implementation of 
one's programming language. The beauty of this approach is that it does 
not matter if there are "mistakes" in one's compiler. Those "mistakes" 
cannot cause incorrectly generated code to be proven correct when it is 
not. 
468 
Appendix B 
QUANTIFICATION 
The reader will have noted the omission of quantified expressions 
from our formalization of the methodology. We here explain how one can 
easily obtain the effects he wants. 
Suppose that ,one wished to write a specification in which some 
assertion included a subformula (SOME X (P X Y». Then let him simply 
invent a new function, say FOO, and conJOIn to his assertion (IMPLIES (P 
X Y) (P (FOO Y) Y» and let him use (P (FOO Y) Y) where he wanted to use 
the SOME. 
Since ALL can be defined in terms of SOME, the reader can see how 
to handle ALL. 
The construct LET can be handled by a similar hack. 
one wished to use the construct (LET X (P X Y) (Q X Y». 
just add to his assertion, for some new FOO, the conjunct 
Y) (P (FOO Y) Y», and let him use (IF (P (FOO Y) Y) 
(UNDEF» where he intended to use the LET expression. 
Suppose that 
Then, let him 
(IMPLIES (P X 
(Q (FOO Y) Y) 
It should be observed that using these "Skolem" functions 
explicitly will have a salient effect upon one's attempts at proving the 
correctness of his implementations. After all, when one uses a LET 
expression in a specification, he had better have in mind an explicit 
object in his implementation. 
One more observation is required. 
used in the VALUE part of an ovfn, 
conjoined to the assertion. 
469 
If the quantified 
then the conjunct 
expression is 
ought to be 
Appendix C 
A MISCELLANY 
The reader may have noticed that we have omitted derived V-
functions from our subset of the methodology. In fact, all the known 
uses for derived V-functions can be had by simply putting the 
definitions at the appropriate places in the process of using the 
methodology. The derived V-functions of the lower.module ought to occur 
simply as definitions in instrsl. The derived V-functions of the 
upper. module ought to occur right after the definitions of the V-
functions in the implementation definitions. 
If the user insists upon the previous practice of having some 
of his V-functions be also OV-functions, he is going to suffer the 
consequence of have the implementation definitions contain two 
definitions of the same concept that are radically different. 
The user familiar with the methodology may ask where the 
interfaces, those combinations of modules that previously were the main 
constituents of hierarchies, have gone. It is said that interfaces were 
a convenience, and that their exact semantics could have always been 
obtained by writing an appropriately large module. In the interest of 
semantic simplicity, then, we have imposed this burden of writing upon 
the user. It ought not to be hard actually to write the program that 
will merge modules together. It is undoubtedly safer to take this 
course than to meddle with constructing a new methodology semantics and 
a new verification condition generator. 
Lovers of abstract machine interpreters will note with regret 
that we have entirely evaded the issue of where RUN is actually 
implemented. That is, we nowhere permit the user actually to use the 
methodology upon the god that actually steps through one's programs. 
'Furthermore, we have not dealt with that special moment when the god of 
the lower machine suddenly becomes the god of the higher machine, 
presumably by the process of refusing to honor future requests for lower 
level operations (except as they arise in the implementations of higher 
level machines). The reason for these omissions is that we do not know 
yet how. to do these things precisely, and consequently it is 
inconceivable that we could have formalized these matters. It is also 
gravely doubtful whether the known ideas (particularly the Floyd(Hoare) 
ideas) are at all adequate to the task of practically proving 
correctness in such delicate matters, even if we had a clear idea of 
what correctness meant. The problem with the Floyd approach is that it, 
too, assumes the existence of the deus ex machina: it assumes that the 
program is a fixed entity that does not itself change (much less change 
itself) in the execution of the program. The fundamental idea of the 
stored program computer is utterly inconsistent with that assumption. 
470 
It has long been discussed whether objects can exist on the 
upper level machine that do not exist on the lower level machine (e.g., 
capabilities on an integer machine). We have taken the position that 
there is no way this can come about. Note, in RUNI, that the objects' in 
the upper level machine are passed, by INVOKE, to the ov-functions of 
the lower level machine, implicitly requiring that they be objects down 
there. (No proof of the correctness of an implementation of 
upper.module on lower.module could appeal to the correctness assertion 
for the lower module without establishing that the objects passed to the 
ov-functions were objects in the lower machine.) This implicit 
requirement in USE.THE.METHODOLOGY is made explicit in the output of 
USE.FLOYD, where we generate a condition requIrIng that the type 
function of the lower machine include that of the upper machine. 
In writing a compiler for our language (VCG.COMPILE, cf. 
above), we inadvertently adopted the LISP style of retaining the 
association between variables and identifiers in the compiled code. 
That is, if X had a certain value at a certain moment in the higher 
level version of a program, then X had the same value at a related 
moment in the lower program. The Algol style is, of course, completely 
to abandon any particular connection of this sort. The writer of any 
compiler for the RUN package should beware: the invariants and clocks in 
ASSERT statements are only useful if they refer to variables in a 
sensible way. If you rename the program variables, then you will need 
to rename the variables in the assertions. 
471 

CHAPTER 17 
AN INITIAL APPROACH TO VERIFYING A SCHEDULER-
WRITTEN IN ASSEMBLY LANGUAGE 
473 

On Why It Is Impossible to Prove.That the 
BDX90 Dispatcher Implements a'Time-
Sharing System . 
Robert S. Boyer and J S. Moore 
The SIFT system, as coded by Chuck Weinstock, is all written in Pascal 
except for about a page of machine code. The reason that machine code IS 
used at all is that the SIFT system implements a small time-sharing 
system in which Pascal programs for separate application tasks are 
executed according to a schedule with real-time constraints. The Pascal 
language has no provision for handling the notion of an "interrupt" such 
as the B930 clock interrupt. The Pascal'language also lacks the notion 
of running a Pascal subroutine for a given amount of time, suspending it, 
saving away the suspension, and later activating the suspension. Machine 
code was used to overcome these inadequacies of Pascal (and most other 
higher order languages). Code which handles clock interrupts and 
suspends processes is called a dispatcher. 
The BDX930 SIFT dispatcher consists of the following 14 BDX930 instructions. 
CINT 
SCHG 
PUSHF 
PUSHM 
PUSHM 
LOAD 
TRA 
LDM 
PUSHM 
JSS* 
TRA 
POPM 
POPM 
POPF 
CONT 
RET 
15 
1,13 
0,0 
O,ACLK 
1,15 
15, 15, STACK 
0,1 
ASCHE 
15,12 
0,0 
1,13 
15 
ES 
o 
save the flags 
Save registers 
and the resume address 
indicate a clock tick 
save the current stack pointer 
point at the "exec" stack 
set function code and resume stack 
call the scheduler which is a pascal function 
that returns the new tasks r15 value. 
restore the resume PC to RO 
restore some registers. 
and the flags 
allow interrupts 
and go resume this routine 
When the current task is interrupted by a clock interrupt before normal 
termination, control is transferred to CINT by the clock interrupt 
mechanism. The code at CINT pushes onto the task's Pascal stack the 
current flags, registers, and pc, and sets a flag in register 0 to 
indicate that the task was interrupted prematurely. Control then reaches 
SCHG. 
On the other hand, when the current task terminates normally, code not 
shown here does the following: the clock interrupt mechanism is 
disabled, the necessary reinitialization information is saved on its 
Pascal stack, register 0 is set to indicate that the task was terminated 
normally, and control is transferred to SCHG. 
In either case, the dispatcher then saves the task's stack pointer, 
reinstates a stack pointer used exclusively by the dispatcher and 
scheduler and jumps off to the Pascal code for the scheduler. The 
scheduler stores 1n the task table the task's stack and saved state 
information. The scheduler returns to the dispatcher the stack and state 
information for the next task to be run. The dispatcher then reinstates 
the flags, registers, and pc for that task, enables interrupts, and 
returns to the task. 
475 
Thus, the dispatcher and scheduler apparently implement a time-sharing 
system in which each user task is running on a "virtual" BDX930. We set 
out to try to prove that the 14 lines of code above correctly implemented 
those virtual BDX930s. 
A reasonably simple specification of the time-sharing system goes 
something like this: The real BDX930 is supporting n vitual BDX930s, each 
devoted to a different user task. The virtual BDX930s are identical to the 
real BDX930 except for the absence of clock interrupts and certain parts of 
memory. A "mapping function" can be defined that maps the state of the 
real machine into an n-tuple of states of the virtual machines. When an 
instruction is executed on the real machine either the n-tuple of virtual 
states is unchanged or else one of the virtual states is advanced by one 
instruction. and the remaining states are unchanged. 
To capture the semantics of the instruction set, we encoded in our logic 
a recursive function that describes the state changes induced by each 
BDX930 instruction. Thirty pages are required to describe the top level 
driver and the state changes induced by each instruction (in terms of 
certain still undefined bit-level functions such as the 8-bit signed 
addition function). We encountered difficulty getting the mechanical 
theorem-prover to process such a large definition. However, the system was 
improved and the function was eventually admitted. We still anticipate 
great difficulty proving anything about the function because of its large 
size. However, the problems that have stopped us have nothing to do with 
mechanical proof; instead they are in formalizing a suitable 
specification. 
We discuss three problems below: specifying the interrupt mechanism on 
the BDX930, specifying the mapping function, the specifying the 
restrictions on user tasks. 
Interrupts: Clock interrupts on the BDX930 occur at a specified interval. 
But it is difficult to get precise statements regarding how long any 
given instruction will take. The situation is complicated by the fact 
that some cycles are stolen to service writes to the data file by 
concurrent processors, thus introducing a true nondeterminacy in precise 
timings. The best one can expect is to get some kind of interval 
indicating how fast or slow each instruction is. For these reasons we 
abandoned the idea of trying to model precisely the clock interrupt 
mechanism. 
In our model of the BDX930, an interrupt can occur at any time while 
interrupts are enabled. One must state explicitly where interrupts are 
assumed not to occur. This exposes a problem in the dispatcher above. 
If control reaches the dispatcher because of the clock interrupt 
mechanism, the dispatcher and the scheduler are executed with clock 
interrupts enabled. A clock interrupt during either of these processes 
causes chaos. In our model, we must assume explicitly that no clock 
interrupt occurs during this processing. To prove that no interrupts can 
occur, one must determine the maximum time it takes to execute the 
dispatcher and scheduler .. To do this one must (a) have a precise 
specification of.the times taken by individual BDX930 operations and (b) 
treat the scheduler as BDX930 code rather than Pascal. This particular 
problem could be avoided if the dispatcher always disabled interrupts on 
entry. However, the complete lack of constraint on interrupts in the 
current model is unsettling and unrealistic. 
476 
Mapping Function: To determine the state of each virtual machine the 
mapping function must consider each task and determine the state of the 
task. Consider how one might determine the contents of the thirteen 
saved registers in each task. The registers of a suspended task are 
stored in positions 2 through 14 of the stack saved for the task in the 
task table. The registers of the active task are somewhat more difficult 
to ascertain. If the program counter (pc) is in the code for the active 
task, the virtual registers are in the corresponding actual registers. 
But if the pc is in the dispatcher or scheduler, the virtual registers 
may be in any number of places. For example, if the instruction at CINT 
has just been executed, they are in the actual registers. But if the 
instruction just after CINT has just been executed, the virtual registers 
are in positions 1 through 13 of the stack in register 15. And if the 
second instruction after CINT has just been executed, they are in 
positions 2 through 14 of that stack. 
In general, to recover the state of the active task, it is necessary to 
consider (while defining the mapping function) each instruction in the 
dispatcher and scheduler. Furthermore, it is necessary to treat the 
scheduler as BDX930 code rather than as Pascal code, since otherwise one 
cannot trace where in the real machine the components of the state are 
being kept while in transit to the task table. 
Restrictions on User Tasks: Two restrictions on user tasks are necessary 
if the dispatcher is to implement the kind of time-sharing system 
described. 
The first concerns the size of the Pascal stack for each task. Recall 
that the state of an interrupted process is saved by pushing the flags, 
13 registers, and the pc on the stack. If there is insufficient room on 
the stack, instructions or data (possibly from another task) are 
overwritten. Thus, one restriction on the user tasks is that they never 
come within 15 words of exhausting the allocated stack space. But the 
stack is used primarily to store temporaries and subroutine links and its 
management is entirely under the control of the Pascal compiler. One 
cannot determine whether a given Pascal program satisfies this 
restriction unless one looks at the code generated by a given compiler. 
Note that in general it is impossible to verify with a static analysis 
that a given user task -- even displayed as BDX930 code -- does not use too 
much of the stack, since depth of recursion and other runtime 
considerations influence stack use. 
The second restriction is more subtle. In its attempt to save the state 
of an interrupted process, the dispatcher saves only the flags, 
registers, and pc. It is assumed that all other parts of the state of 
the task are private to the task itself and will not be affected by the 
execution of other tasks. In particular, tasks may not share variables 
that are read and written. At first sight one may conclude that this 
assumption can be checked by confirming that the Pascal code for a set of 
tasks share no variables. However, such a check is insufficient. Again, 
the compiler must be considered. Suppose that the compiler uses certain 
memory locations as temporaries. Then those temporaries must be saved by 
the dispatcher too. But if user tasks are considered to be unrestricted 
BDX930 code, the check becomes even more difficult because it is not 
possible to determine with a static analysis what memory locations are 
read and written. It is also necessary to require of user tasks that 
they not use the clock interrupt mechanism and not overwrite the area of 
the BDX930 dedicated to the operating system. Specifying the 
requirements on user programs requires a rigorous formal understanding of 
477 
the BDX930, the Pascal compiler, and the linking loader. Thus an attempt 
to verify the few lines of machine code in SIFT lead to the requirement 
that we have formal specifications for several huge objects which have 
never yet been adequately formalized. 
This concludes our discussion of difficulties encountered while trying to 
formalize the simple time-sharing system sketched above. However, the 
worst is yet to come. The simple model sketched is inadequate for SIFT 
because tasks are supposed to share data. 
It is common in SIFT for task A to compute a result and put it somewhere 
for a later task, B, to read. For example, many tasks share parts of the 
datafile with the pre vote task. But this suddenly introduces the notion 
of time. In the simple model, tasks A and B each run on their own 
processor and do not interract. If each task is to be repeated 
indefinitely then each processor endlessly iterates its own task. There 
is no sense in which the iterations of A are synchronized with those of 
B. Under the current SIFT scheme however, the dispatcher is used to 
"time share" tasks that share data, but the schedules tables are arranged 
so that the iterations of A do not overlap those of B. 
If one attempts to patch things up while preserving .. the notion that A and 
B are running on independent virtual BDX930s, one is forced to introduce 
the notion of communicating virtual machines -- an idea somewhat more 
complicated than the truth. We now question the utility of the 
abstraction of virtual machines. Indeed, the whole idea that the 
dispatcher is implementing a time-sharing system comes into question since 
a major use of it is to orchestrate fixed sequences of subroutine calls. 
The time-sharing/virtual machine idea is completely destroyed by the 
reconfiguration task. This tasks redefines the task table. Thus, after 
termination of the reconfiguration task, the tasks run by the dispatcher 
have no relation to those run before reconfiguration. It is impossible 
to view the dispatcher as a time-sharing system implementing virtual 
BDX930s running concurrently when one "process" can wipe out the others. 
In our view, it is a mistake to think of the dispatcher in abstract 
terms. It seems to be just a program running on a von Neumann machine. 
By carefully arranging certain tables you can program the machine to 
execute a few instructions from here and then a few instructions from 
there, almost as though you had two different machines. By cleverly 
arranging those tables you can make one piece of code share data with 
another, almost as though your machines were communicating. By being 
still more clever you can synchronize them to the point that the two 
programs appear to be running sequentially on just one machine. Indeed, 
by carelessly arranging those same tables you can cause arbitrary chaos. 
But the moral is clear: you are programming a single machine and not a 
set of virtual machines. 
We think that things might be a lot more clear if schedules were not 
encoded as tables that were interpretted by the scheduler and dispatcher 
but were merely Pascal programs that iteratively called fixed sequences 
of subroutines. 
Research Topics Worthy of Consideration 
Abstract Interpreters: 
Interrupts: 
Real time -- Newtonian time -- clock synchronization. 
478 
CHAPTER 18 
FORMAL DEFINITION OF 8DX930 INSTRUCTION SET 
479 

Defining of the BDX9aO Assembly 
Language 
R. Boyer and J Moore 
Introduction 
We started with a shell definition for the B930 state which had 16 components, 12 of which were 
numerically typed. When we ran that through the <BOYER> theorem prover it blew up on 
the CONS.EQUAL axiom because it tried to normalize the IFs on the rhs (right hand sides) of the 
equality. 
We changed DEFNO and MAKE.REWRITE.RULES so that the bodies of defns and the rhs's of 
rewrites were not altered by the system. 
Because we anticipate being wiped out by all the nonrec defns in the B930, we considered editing 
REWRITE.FNCALL to make it open up nonrec fns more carefully than now. It has been 
suggested that we adopt some draconian restriction (e.g., open only if no IFs are introduced) just 
to force us to think about more reasonable restrictions. That would make us fail to prove (AND 
P Q) -> (AND Q P) by simplification alone. (We could actually prove it, by virtue of the 
expansion of ANDs in hypotheses if we recognized (AND P Q) as an AND.) Another idea was 
similar to ,V. Bledsoe's pairings (as we have always imagined it) namely keep track of what tests 
the fns were interested in and have some high level procedure split on the most important ones to 
force certain fns to open together. In the end we decided not to touch REWRITE.FNCALL for 
now but it is lying in wait for the B930 to come along. 
A BOOT.STRAP failed because DIFFERENCE was no longer numerically typed (and so 
RECURSION.BY.DIFFERENCE was rejected as an induction lemma) because it returns I after 
testing not (ZEROP I). 
We considered several alternatives. One was the idea oC a "type set lemma", e.g., (NOT (ZEROP 
X)) -> (NUMBERP X), which could be implemented by generalizing RECOGNIZER.ALIST to 
two alists, one for use when the recognizer is assumed true and one for when it is assumed false. 
E.g., NLISTP would be bound the type bits for LISTP on the false alist and bound to the 
complement on the true alist. ZEROP would be on the false one, bound to numbers. This would 
probably not slow down TYPE.SET. We would have to write some code to recognize type set 
lemmas and produce the bit patterns from the recognizer proposition. 
A second alternative was to define a new class oC Cunctions called "defined recognizers" which 
were boolean valued nonrec Cns and to open them up all the time (in preprocessing) and to 
normalize. That is the approach we took. 'Ve changed PUT.TYPE.PRESCRIPTION to so 
preprocess sdefns before guessing the type. But we left the un preprocessed sdefn as the one used 
in theorem proving. 
We then decided to address a problem Elspas raised, namely that (EQUAL NIL NIL) is proved 
rather circuitously by expanding the abbreviation PACK.EQUAL to the equality of the unpacks 
and {using CONS.EQUAL under the rule in CLAUSIFY.lNPUT that says you can split a 
481 
conjunction at the top level) rewrote that to the conjoined equalities of the ascii codes. When we 
tried to reproduce the silly proof with the just modified theorem prover it was not so silly because 
CONS.EQUAL wasn't used. The reason was that in the modified tp the rhs of CONS. EQUAL is 
(AND & &) instead of (IF & & F) and so is not recognized as a conjunction! 
\Ve are reluctant to let this state of affairs persist becallse we are basically happy with the 
current preprocessing of large vcs and don't want to inadvertantly change that preproce3sing. 
We thought perhaps we should always expand ANDs (and other boot strap propositional fns) and 
normalize. But that fails drastically on a 16 component shell. 
On the subject of abbreviations, we were troubled by the fact that PACK EQUAL is an 
abbreviation but ADD1.EQUAL is not. Thank goodness for that (and the fact that 
ADDl.EQUAL is not a conjunction), since otherwise (EQUAL 1000 1000) would fail due to the 
problem noted by Elspas. But it seems odd that two schematically related rewrite rules are not 
treated equally. 
Finally, Elspas's problem would never have arisen had the preprocessing put expressions in 
reduced form. One suggestion is to make CONS.TERM always apply Hns, instead of just doing 
it for shells. If we did that, one might argue that we ought to review the uses of FCONS.TERM 
to determine whether they should be replaced by CONS.TERMs to enforce a new invariant on 
terms, namely that they are always in reduced form. 
Another subject we have discussed is that we should make nonrccursive functions and 
unconditional rewrite rules behave identically. This idea was suggested after considering further 
how we might handle a 16 component shell with type restrictions. E.g., we could make 
CONS.EQUAL rewrite (EQUAL (CONS X Y) (CONS U V)) to the conjunction of things like 
(EQUAL (CAR (CONS X V)) (CAR (CONS U V))). 
And then treat the rewrite rule (CAR (CONS X Y)) = (IF type X dv) in the way we treat nonrec 
defns, namely not apply such rewrites when they introduce too many IFs or otherwise blow us up. 
If we decided to make unconditional rewrites and nonrec fns behave identically we could do it by 
eliminating nonrec defns altogether and just storing them as rewrite rules. 
Another idea on the subject of large shells is that we could rewrite the equality of two conses to 
the equality of some coercions, ego (FIX X) = (FIX U), instead of naked IFs, and then let the 
nonrec fn handler worry about the explosion. 
Still another suggestion was to eliminate shells other than the boot strap ones and force people to 
use lists the way mathematicians do. That will probably require some better handling of nonrec 
fns than we have now since abbreviations become quite useful. There is also the worry that 
things will get troublesome the way they did in our efforts at the University of Edinburgh when 
we couldn't distinguish lists from numbers. 
482 
BDX30 Assembly Language Definition 
483 

(SETQ xxx '( 
(ADD. SHELL STATE NIL STATEP 
«MEM (NONE.OF) ZERO) 
(PC (NONE. OF) ZERO) 
(ACS (NONE. OF) ZERO) 
(OV (NONE. OF) ZERO) 
(IE (NONE. OF) ZERO) 
(IR (NONE. OF) ZERO) 
(Fl (NONE. OF) ZERO) 
(F2 (NONE. OF) ZERO) 
(EXTl (NONE. OF) ZERO) 
(EXT2 (NONE. OF) ZERO) 
(EXT3 (NONE. OF) ZERO) 
(HALT (NONE. OF) FALSE) 
(ERROR (NONE. OF) FALSE) 
(CONTROL.PANELP (NONE. OF) FALSE) 
(INDIRECT.CNT (NONE.OF) ZERO) 
(EXECR.CNT (NONE.OF) ZERO))) 
(DEFN FETCH (MEM LOC) 
(IF (NLISTP MEM) 0 
(IF (EQUAL (CAAR MEM) LOC) (CDAR MEM) (FETCH (CDR MEM) LOC)))) 
(DEFN PUT (LOC VAL MEM) (CONS (CONS LOC VAL) MEM)) 
(DEFN SET.MEM (LOC VAL ST) 
(STATE (PUT LOC VAL (MEM ST)) 
(PC ST) 
(ACS ST) 
(OV ST) 
(IE ST) 
(IR ST) 
(Fl ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT 8T) 
(ERROR ST) 
(CONTROL.PANELP 8T) 
(INDIRECT.CNT ST) 
(EXECR.CNT 8T))) 
(DEFN SET.PC (PC ST) 
(STATE (MEM ST) 
PC 
(ACS 8T) 
(OV ST) 
(IE ST) 
(IR ST) 
(Fl ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
485 
(DEFN SET.AC (AC VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(PUT AC VAL (ACS ST)) 
(OV ST) 
(IE ST) 
(IR ST) 
(F1 ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
(DEFN SET.AC.&.AC+1 (AC PAIR ST) 
(STATE (MEM ST) 
(PC ST) (PUT AC (CAR PAIR) (PUT (ADDl AC) (CDR PAIR) (ACS ST))) 
(OV ST) 
(IE ST) 
(IR ST) 
(Fl ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
(DEFN SET.OV (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
VAL 
(IE ST) 
(IR ST) 
(Fl ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
(DEFN SET.IE (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
486 
(OV ST) 
VAL 
(IR ST) 
(Fl ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST») 
(DEFN SET.Fl (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
(OV ST) 
(IE ST) 
(IR ST) 
VAL 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST») 
(DEFN SET.F2 (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
(OV ST) 
(IE ST) 
(IR ST) 
(Fl ST) 
VAL 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST») 
(DEFN SET.HALT (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
(OV ST) 
(IE ST) 
(IR ST) 
(Fl ST) 
(F2 ST) 
487 
(EXT1 ST) 
(EXT2 ST) 
(EXT3 ST) 
VAL 
(ERROR ST) 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
(DEFN SET.ERROR (VAL ST) 
(STATE (MEM ST) 
(PC ST) 
(ACS ST) 
(OV ST) 
(IE ST) 
(IR ST) 
(F1 ST) 
(F2 ST) 
(EXTl ST) 
(EXT2 ST) 
(EXT3 ST) 
(HALT ST) 
VAL 
(CONTROL.PANELP ST) 
(INDIRECT.CNT ST) 
(EXECR.CNT ST))) 
(DEFN EXPT (I J) (IF (ZEROP J) 1 (TIMES I (EXPT I (SUB1 J))))) 
(DEFN FIELD (WRD HI LO) (REMAINDER (QUOTIENT WRD (EXPT 2 LO)) (EXPT 2 (ADD1 (DIFFERENCE HI LO)))) 
(* to be defined to return the integer 
represented by bits HI through LO 
inclusive in the binary representation 
of the integer WRD.)) 
(DEFN AM (WRD) (FIELD WRD 11 10)) 
(DEFN IBIT (WRD) (FIELD WRD 15 15)) 
(DEFN D (WRD) (FIELD WRD 7 0)) 
(DEFN OP1 (WRD) (FIELD WRD 14 12)) 
(DEFN OP2 (WRD) (FIELD WRD 11 8)) 
(DEFN A (WRD) (FIELD WRD 7 4)) 
(DEFN B (WRD) (FIELD WRD 3 0)) 
(DEFN AC (WRD) (FETCH WRD 9 8)) 
(DEFN OP3 (WRD) (FIELD WRD 7 4)) 
(DEFN DELTA (WRD) (FETCH WRD 3 0)) 
(DEFN TURN.OFF.HI.BIT (WRD) (FIELD WRD 14 0)) 
(DCL B930.ADD.8BIT (WRD DISPL) 
(* adds the 16 bit quantity WRD to the 8 bit 
signed quantity DISPL and produces a new 16 bit 
quantity. This fn is always used to 
construct an address -- e.g., a pc or 
488 
stack pointer or effective address. 
We are not sure what happens if WRD represents 
a negative quantity. Also, we assume such 
arithmetic isn't senstive to the Fl fIg. Also 
we don't know what happens when an overflow occurs.)) 
(DCL B930.ADD.4BIT (WRD DELTA) 
(* adds 16 bits to 4 bit signed quantity to 
produce new 16 bit thing. The comments about 
B930.ADD.8BIT apply here too.)) 
(DEFN PC+l (ST) (B930.ADD.8BIT (PC ST) 1)) 
(DEFN TRACE.INDIRECT.CHAIN (WRD MEM CNT) 
(IF (ZEROP CNT) 
o 
(IF (EQUAL (IBIT WRD) 1) 
(TRACE.INDIRECT.CHAIN (FETCH MEM (TURN.OFF.HI.BIT WRD)) 
MEM (SUBI CNT)) 
WRD)) 
(* We suppose you turn the high bit off before you treat WRD as 
an address. The ISP doesn't.)) 
(DEFN MAR (WRD ST) 
(TRACE. INDIRECT. CHAIN 
(IF (EQUAL (AM WRD) 0) 
(D WRD) 
(IF (EQUAL (AM WRD) 1) 
(B930.ADD.8BIT (PC ST) (D WRD)) 
(IF (EQUAL (AM WRD) 2) 
(B930.ADD.8BIT (FETCH (ACS ST) 0) 
(D WRD)) 
(B930.ADD.8BIT (FETCH (ACS ST) 1) 
(D WRD))))) 
(MEM ST) (INDIRECT.CNT ST)) 
(* The ISP seems to just add the displacement when we think it 
ought to use the 8-bit add and permit negative displacements. 
The ISP indicates that the indirect bit is to be interpreted 
as here, i.e., once calculate an address from D etc and then 
chain through the indirect pointers. But the programmers manual 
has evidence that the MAR calculation is more akin to the PDP-I0 
style where one recomputes the effective address recursively. 
Every place we call ~Uffi on WRD2 of a double word instr, we pass 
an ST whose PC points to the first of the two words. Should it 
pass BUMP.PC of ST instead? The ISP indicates yes with its 
GROUP command, but the manual indicates no under the discussion 
of JSS.)) 
(DCL B930.ADDR (WRDI WRD2 Fl) (* Returns the 16 bit number the 
B930 would if asked to add 
WRDI and WRD2 with Fl set to 1 or 0.)) 
(DCL B930.SUBR (WRDI WRD2 Fl)) 
(DCL B930.ADDR.OV (WRDI WRD2 Fl) (* Returns value of OV flag after 
the appropriate B930 add. What 
489 
is the parity of the bit? Sometimes 
e.g. in DECEQ -- we set the 
(DCL B930.SUBR.OV (WRDI WRD2 FI) 
OV fIg to 0 meaning NO O\~RFLOW. Is 
that right?» 
(DEFN JU (WRDl WRD2 ST) (SET.PC (MAR WRDl ST) ST» 
(DEFN JSAO (WRDl WRD2 ST) 
(SET.PC (MAR WfiD1 ST) 
(SET.AC 0 (PC+l ST) ST» 
(* We compute MAR w.r.t. the unmodified state. But the 
manual and the ISP imply that MAR is computed after 
smashing ac 0; We did it this way just because it 
seemed more likely.» 
(DEFN JSA1 (WRD1 WRD2 ST) 
(SET.PC (MAR WRDl ST) 
(SET.AC 1 (PC+l ST) ST» 
(* See JSAO» 
(DEFN JMAO (WRDl WRD2 ST) 
(SET.PC (MAR WRDl ST) 
(SET.AC 0 (PC+l ST) 
(SET.MEM (B930.ADD.8BIT (FETCH (ACS ST) 15) 1) 
(FETCH (ACS ST) 0) 
(SET.AC 15 (B930.ADD.8BIT (FETCH (ACS ST) 15) 1) 
ST»» 
(* we are unsure of whether we are to compute 
MAR of the original ST as here or of 
state after the modifications below. Note that the treatment 
of indirect address chains is affected.» 
(DEFN ADD (WRDl WRD2 ST) 
(BUMP.PC (SET.AC (AC WRDl) 
(B930.ADDR (FETCH (ACS ST) (AC WRD1» 
(FETCH (MEM ST) (MAR WRD1 ST» 
(F1 ST» (SET.OV (B930.ADDR.OV 
(FETCH (ACS ST) (AC WRDl» 
(FETCH (MEM ST) (MAR WRD1 ST» 
(Fl ST» 
ST»» 
(DEFN SUB (WRD1 WRD2 ST) 
(BUMP.PC (SET.AC (AC WRDl) 
(B930.SUBR (FETCH (ACS ST) (AC WRD1» 
(FETCH (MEM ST) (MAR WRDl ST» 
(Fl ST» 
(SET.OV (B930.SUBR.OV 
(DEFN CMP (WRDl WRD2 ST) 
(SET.PC 
(B930.ADD.8BIT (PC ST) 
(FETCH (ACS ST) (AC WRDl» 
(FETCH (MEM ST) (MAR WRD1 ST» 
(Fl ST» 
ST»» 
(IF (B930.LESSP (FETCH (ACS ST) 
(AC WRD1» 
(FETCH (MEM ST) 
(MAR WRDl ST») 
3 
(IF (B930.EQP (FETCH (ACS ST) (AC WRDl» 
(FETCH (MEM ST) (MAR WRD1 ST») 
490 
1 
2))) 
(SET.OV (B930.CMP.OV WRD1 WRD2 ST) ST))) 
(DEFN LOAD (WRD1 WRD2 ST) 
(BUMP.PC (SET.AC (AC WRD1) 
(FETCH (MEM ST) (MAR WRD1 ST)) 
ST))) 
(DEFN STO (WRD1 WRD2 ST) 
(BUMP.PC (SET.MEM (MAR WRD1 ST) 
(FETCH (ACS ST) (AC WRD1)) 
ST))) 
(DEFN TRA/NOP (WRD1 WRD2 ST) 
(BUMP.PC (SET.AC (A WRD1) 
(FETCH (ACS ST) (13 WRD1)) 
ST))) 
(DEFN DECEQ (WRD1 WRD2 ST) 
(IF (EQUAL (FETCH (ACS ST) (A WRD1)) 1) 
(SET.PC 
(B930.ADD.4BIT (PC+1 ST) 
(B WRD1)) 
(SET.AC (A WRD1) 0 
(SET.OV 0 ST))) 
(BUMP.PC (SET.AC (A WRD1) 
(B930.SUBR (FETCH (ACS ST) (A WRD1)) 
1 
(F1 ST)) 
(SET.OV (B930.SUBR.OV (FETCH (ACS ST) 
(A WRD1)) 
1 
(F1 ST)) 
ST))))) 
(DEFN LCM (WRD1 WRD2 ST) 
(BUMP.PC (SET.AC (A WRD1) 
(B930.LCM (FETCH (ACS ST) 
(B WRD1))) 
ST))) 
(DEFN RLS (WRD1 WRD2 ST) 
(BUMP.PC (SET.AC (A WRD1) 
(B930.RLS (FETCH (ACS ST) (A WRD1)) 
(B WRD1)) 
(DEFN B930.CONT (OLD FN) 
(IF (EQUAL FN 0) OLD 
(IF (EQUAL FN 1) 0 
ST))) 
(IF (EQUAL FN 2) 1 (IF (EQUAL OLD 0) 1 0))))) 
(DEFN CONT (WRD1 WRD2 ST) 
(BUMP. PC 
(SET.F1 (B930.CONT (F1 ST) (FIELD WRD1 5 4)) 
(SET.F2 (B930.CONT (F2 ST) (FIELD WRD1 7 6)) 
(SET.IE (B930.CONT (IE ST) (FIELD WRD1 3 2)) 
(SET.OV (B930.CONT (OV ST) (FIELD WRD1 1 0)) ST)))))) 
(DEFN DECNE (WRD1 WRD2 ST) 
(IF (NOT (EQUAL (FETCH (ACS ST) (A WRD1)) 1)) 
(SET.PC 
491 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
(SET.AC (A WRDl) 
(B930.SUBR (FETCH (ACS ST) (A VffiDl» 
1 
(Fl ST» 
(SET.OV (B930.SUBR.OV (FETCH (ACS ST) 
(A WRDl» 
1 
(Fl ST» 
ST») 
(BUMP.PC (SET.AC (A WRDl) 0 
(SET.OV 0 ST»») 
(DEFN ANDOP (WRDl WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) (B930.AND (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B WRDl») 
ST») 
(DEFN RLL (WRDl WRD2 ST) 
(IF (NOT (EVEN (A WRDl») 
(SET.ERROR T ST) 
(BUMP. PC 
(SET.AC.&.AC+l (A ~~Dl) 
(B930.RLL (FETCH (ACS ST) 
(A WRDl» 
(FETCH (ACS ST) 
ST»») 
(ADDl (A WRDl») 
(B WRDl» 
(DEFN ADDR (WRDl WRD2 ST) 
(BUMP.PC 
(SET .AC (A WRDl) (B930.ADDR (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B WRDl» 
(Fl ST» 
(SET.OV (B930.ADDR.OV 
(FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B WRDl» 
(Fl ST» 
ST»» 
(DEFN IR/CLA (WRDl WRD2 ST) 
(IF (EQUAL (A WRDl) (B WRDl» 
(BUMP.PC (SET.AC (A WRDl) 0 ST» 
(BUMP.PC 
) 
(SET .AC (A WRDl) 
(FETCH (ACS ST) (B WRDl» 
(SET .AC (B WRDl) 
(FETCH (ACS ST) (A WRDl» 
ST»» 
(* The ISP uses arithmetic to achieve this effect. The manual 
does not mention the use of arithmetic. Neither document 
suggests that OV gets set.) 
(DEFN DROP (WRDl WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) (B930.0R (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B WRDl») 
ST») 
492 
(DCL B930.MPY (A B) (* Returns the double word value of A times B. 
The manual and the ISP both suggest that something 
weird happens at -1 but nobody seems to know what 
it is. The manual suggests that something weird 
happens with the most negative number. Finally, 
the result is apparently left shifted one.» 
(DEFN MPY (WRD1 WRD2 ST) 
(IF (OR (NOT (EVEN (A WRDl») 
(EQUAL (A WRDl) (B WRDl» 
(EQUAL (ADDI (A WRD1» (B WRDl») 
(SET.ERROR T ST) 
(BUMP. PC 
(SET.AC.&.AC+l (A WRDl) 
(B930.MPY (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B WRDl») 
ST))) ) 
(DEFN CLAO/SUBR (WRDI WRD2 ST) 
(BUMP. PC 
(SET.AC (A WRDl) 
(B930.SUBR (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B ~~Dl» 
(Fl ST» 
(SET.OV (B930.SUBR.OV 
(FETCH (ACS ST) (A WRD1» 
(FETCH (ACS ST) (B WRDl» 
(Fl ST» 
ST») 
(* The ISP says OV gets zeroed but we think not.» 
(DEFN ACM (WRDI WRD2 ST) 
(BUMP. PC 
(SET .AC (A WRD1) 
(B930.SUBR 0 
(FETCH (ACS ST) (B WRDl» 
(Fl ST» 
(SET.OV (B930.SUBR.OV 
o 
(FETCH (ACS ST) (B WRDl» 
(F1 ST» 
ST»» (DEFN CMPR (WRDI WRD2 ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 
(IF (B930.LESSP (FETCH (ACS ST) 
(A WRDl» 
(FETCH (ACS ST) 
(B \VRDl») 
3 
(IF (B930.EQP (FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (B \VRDl») 
1 
2») 
(SET.OV (B930.CMP.OV WRDI WRD2 ST) ST») 
(DEFN DIV (WRDI WRD2 ST) 
(IF (OR (NOT (EVEN (A WRDl») 
(EQUAL (A WRDl) (B WRDl» 
(EQUAL (ADDI (A WRD1» (B WRDl») 
(SET.ERROR T ST) 
(BUMP.PC 
(SET.AC.&.AC+l (A WRD1) 
491 
(B930.DIV (FETCH (ACS ST) (A WRDl» 
. (FETCH (ACS ST) (ADDl (A WRDl») 
(FETCH (ACS ST) (B WRDl») 
(SET .OV 
(B930.DIV.OV 
(FETCH (ACS ST) (A WRDl» 
(FETCH (ACS ST) (ADDl (A WRDl») 
(FETCH (ACS ST) (B WRDl») 
ST»» 
(* The ISP contains an error in that SP[A] instead of SP[A]@SP[A+l] IS 
compared with SP[B]) 
) 
(DEFN SLSA (WRDI WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) (B930.SLSA (FETCH (ACS ST) (A WRDl» 
(B WRDl» 
(SET.OV (B930.SLSA.OV (FETCH (ACS ST)(A WRDl» 
(B WRDl» 
ST»» 
(DEFN SLLA (WRDl WRD2 ST) 
(IF (NOT (EVEN (A WRDl») 
(SET.ERROR T ST) 
(BUMP.PC 
(SET.AC.&.AC+l (A WRDl) 
(B930.SLLA (FETCH (ACS ST) 
(A WRDl» 
(FETCH (ACS ST) 
(ADDl (A WRDl») 
(B WRDl» 
(SET.OV 
(B930.SLLA (FETCH (ACS ST) 
(A WRDl» 
(FETCH (ACS ST) 
(ADDl (A WRDl») 
(B WRDl» 
ST»») 
(DEFN SKGT (WRDl WRD2 ST) 
(IF (B930.LESSP 0 (FETCH (ACS ST) (A WRDl») 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST») 
(DEFN SKLT (WRDI WRD2 ST) 
(IF (B930.LESSP (FETCH (ACS ST) (A WRDl» 0) 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST») 
(DEFN SLSL (WRDl WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) 
(B930.SLSL (FETCH (ACS ST) (A WRDl» 
(B WRDl» 
ST») 
(DEFN SLLL (WRDI WRD2 ST) 
(IF (NOT (EVEN (A WRDl») 
(SET.ERROR T ST) 
(BUMP.PC 
494 
(SET.AC.&.AC+l (A WRDl) 
(B930.SLLL (FETCH (ACS ST) 
(A WRDl)) 
(FETCH (ACS ST) 
ST)))) 
(DEFN SKGE (WRDI WRD2 ST) 
(ADD 1 (A WRDl))) 
(B WRDl)) 
(IF (NOT (B930.LESSP (FETCH (ACS ST) (A WRDl)) 0)) 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl)) 
ST) 
(BUMP.PC ST))) 
(DEFN SKLE (WRDI WRD2 ST) 
(IF (NOT (B930.LESSP 0 (FETCH (ACS ST) (A WRDl)))) 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl)) 
ST) 
(BUMP.PC ST))) 
(DEFN SRSA (WRDI WRD2 ST) 
(BUMP.PC (SET.AC (A "TIDl) 
(B930.SRSA (FETCH (ACS ST) (A WRDl)) 
(B WRDl)) 
ST))) 
(DEFN SRLA (WRDI WRD2 ST) 
(IF (NOT (EVEN (A WRDl))) 
(SET.ERROR T ST) 
(BUMP. PC 
(SET.AC.&.AC+l (A WRDl) 
(B930.SRLA (FETCH (ACS ST) 
(A WRDl)) 
(FETCH (ACS ST) 
ST)))) 
(DEFN SKEQ (WRDI \VRD2 ST) 
(ADDI (A WRDl))) 
(B WRDl)) 
(IF (B930.EQP 0 (FETCH (ACS ST) (A WRDl))) 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) 
(B WRDl)) 
ST) 
(BUMP.PC ST))) 
(DEFN SRSL (WRDI WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) 
(B930.SRSL (FETCH (ACS ST) (A WRDl)) 
(B WRDl)) 
ST))) 
(DEFN SRLL (WRDI WRD2 ST) 
(IF (NOT (EVEN (A WRDl))) 
(SET.ERROR T ST) 
(BUMP .PC 
(SET.AC.&.AC+l (A WRDl) 
(B930.SRLL (FETCH (ACS ST) 
(A WRDl)) 
(FETCH (ACS ST) 
(ADD 1 (A WRDl))) 
(B WRDl)) 
495 
ST»» 
(DEFN SKNE (WRDI WRD2 ST) 
(IF (NOT (B930.EQP 0 (FETCH (ACS ST) (A WRDl»» 
(SET.PC 
(B930.ADD.4BIT (PC+l ST) (B WRDl» 
ST) 
(BUMP.PC ST») 
(DEFN IAR (WRDI WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) 
(B930.ADDR (FETCH (ACS ST) (A WRDl» 
(IF (LESSP (B WRDl) 8) 
(B WRDl) 
(DIFFERENCE 
(PLUS (EXPT 2 15) 
(B WRDl» 
(EXPT 2 3») 
(Fl ST» 
(SET.DV (B930.ADDR.DV (FETCH (ACS ST) (A WRDl» 
(IF (LESSP (B WRDl) 8) 
(B WRDl) 
(DIFFERENCE 
(PLUS (EXPT 2 15) 
(B WRDl» 
(EXPT 2 3») 
(Fl ST»»» 
(DEFN SFEI (WRDI WRD2 ST) 
(IF (EQUAL (EXTl 5T) 0) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST» (* We have assumed that TRUE means 1 and FALSE 0» 
(DEFN SFE2 (WRDI WRD2 ST) 
(IF (EQUAL (EXT2 ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST») 
(DEFN SFE3 (WRDI WRD2 ST) 
(IF (EQUAL (EXT3 ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST») 
(DEFN SRIE (WRDI WRD2 ST) 
(IF (EQUAL (IE ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(B WRDl» 
ST) 
(BUMP.PC ST» 
496 
(* The ISP calls this instr SFIE)) 
(DEFN SROV (WRDI WRD2 ST) 
(IF (EQUAL (OV ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN SFIR (WRDI WRD2 ST) 
(IF (EQUAL (IR ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN SRFI (WRDI WRD2 ST) 
(IF (EQUAL (FI ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN SRF2 (WRDI WRD2 ST) 
(IF (EQUAL (F2 ST) 0) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN STEI (WRDI WRD2 ST) 
(IF (NOT(EQUAL (EXTI ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN STE2 (WRDI WRD2 ST) 
(IF (NOT(EQUAL (EXT2 ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN STE3 (WRDI WRD2 ST) 
(IF (NOT(EQUAL (EXT3 ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDI)) 
ST) 
(BUMP.PC ST))) 
(DEFN SSIE (WRDI WRD2 ST) 
(IF (NOT(EQUAL (IE ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDl)) 
ST) 
(BUMP.PC ST))) 
(DEFN SSOV (WRDI WRD2 ST) 
(IF (NOT(EQUAL (OV ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+I ST) 
(B WRDl)) 
ST) 
497 
(BUMP.PC ST))) 
(DEFN STIR (WRDI WRD2 ST) 
(IF (NOT(EQUAL (IR ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(8 WRDl» 
ST) 
(BUMP.PC ST))) 
(DEFN SSFI (WRDl WRD2 ST) 
(IF (NOT(EQUAL (Fl ST) 0») 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(8 WRDl» 
ST) 
(BUMP.PC ST))) 
(DEFN SSF2 (WRDI WRD2 ST) 
(IF (NOT(EQUAL (F2 ST) 0)) 
(SET.PC (B930.ADD.4BIT (PC+l ST) 
(8 WRDl) 
ST) 
(BUMP.PC ST)) 
(DEFN SET.MULTIPLE.ACS (AC ADDR N ST) 
(IF (ZEROP N) 
ST 
(IF (LESSP AC 16) 
(SET.MULTIPLE.ACS (ADDI AC) 
(ADDI ADDR) 
(SUBI N) 
(SET.AC AC (FETCH (MEM ST) ADDR) ST)) 
(SET.ERROR T ST») 
(* We assume that if asked to smash acs beyond 15 we cause 
an error, but will have modified the preceding acs. 
We don't consider the possibility that ADDR is pushed 
beyond 15 bits.)) 
(DEFN LDM (WRDI WRD2 ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET.MULTIPLE.ACS (A WRDl) 
(MAR WRD2 ST) 
(ADDI (DELTA WRDl» 
ST)) 
(* Is the MAR to be calculated each iteration as in the ISP or just 
once as we have done? The manual says that B+l consecutive memory 
words are moved -- which agrees with us. 
Also, when calculating the ~Uffi of the second 
word of an instruction, does the PC point to the first or second 
word? We assume the second. What if the effective address is 
eventually bumped beyond the end of memory?» 
(DEFN SET.MULTIPLE.MEM (AC ADDR N ST) 
(IF (ZEROP N) 
ST 
(IF (LESSP AC 16) 
(STORE.MULTIPLE.MEM (ADDI AC) 
(ADDI ADDR) 
(SUBl N) 
(SET.~ffiM ADDR (FETCH (ACS ST) AC) ST» 
(SET.ERROR T ST») 
(* We assume that if asked to access acs beyond 15 we cause 
498 
an error, but will have modified the preceding acs. 
We don't consider the possibility that ADDR is pushed 
beyond 15 bits.)) 
(DEFN STM (WRD1 WRD2 ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET . MULTIPLE. MEM (A WRDl) 
(MAR WRD2 ST) 
(ADD 1 (DELTA WRDl)) 
ST)) 
(* See the questions under LDM)) 
(DEFN PADDM/POPM/PUSHM (WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD2) 0) 
(PADDM WRDI WRD2 ST) 
(IF (EQUAL (OP2 WRD2) 1) 
(POPM WRDI WRD2 ST) 
(IF (EQUAL (OP2 WRD2) 2) 
(PUSHM WRDI WRD2 ST) 
(SET.ERROR T ST))))) 
(DEFN POPM (WRD1 WRD2 ST) 
(IF (OR (LESSP (FETCH (ACS ST) (B WRD2)) 
(ADD 1 (DELTA WRD1))) 
(LESSP (A WRD2) (DELTA WRD1))) 
(SET.ERROR T ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET.AC (B WRD2) 
(DIFFERENCE (FETCH (ACS ST) (B WRD2)) 
(ADDI (DELTA WRDl))) 
(SET.MULTIPLE.ACS (DIFFERENCE (A WRD2) (DELTA WRDl)) 
(DIFFERENCE (FETCH (ACS ST) (B WRD2)) 
(DELTA WRDl)) 
(ADD1 (DELTA WRDl)) 
ST)))) 
(* We don't know what happens if the initial A is too small to 
be decremented delta+l times. We don't know what happens if 
the stack pointer in B is negative or too small to be popped 
delta+l times. We cause errors. We assume the ISP is wrong 
when it says you go back to the stack pointer in B each time 
-- permitting it to be one of the acs smashed -- instead of 
just moving delta+l consecutive words as stated by the manual.)) 
(DEFN PUSHM (WRDI WRD2 ST) 
(IF (OR (NOT (LESSP (IPLUS (FETCH (ACS ST) (B WRD2)) (ADD 1 (DELTA WRD1))) 
(EXPT 2 16))) 
(NOT (LESSP (IPLUS (A WRD2) (DELTA WRDl)) 16))) 
(SET.ERROR T ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET.AC (B WRD2) 
(IPLUS (FETCH (ACS ST) (B WRD2)) (ADD 1 (DELTA WRD1))) 
(SET.MULTIPLE.MEM (A WRD2) 
(* see the comments under POPM)) 
499 
(ADD 1 (FETCH (ACS ST) (B WRD2))) 
(ADDI (DELTA WRDl)) 
ST)))) 
(DEFN EXOR (WRDI WRD2 ST) 
(BUMP.PC (SET.AC (A WRDl) 
(B930.EXOR (FETCH (ACS ST) 
(A WRDl)) 
(FETCH (ACS ST) 
(B WRDl))) 
ST))) 
(DEFN HALT (WRDI WRD2 ST) 
(IF (CONTROL.PANELP ST) 
(BUMP.PC (SET.HALT T ST)) 
(BUMP.PC ST))) 
(DEFN RET (WRDI WRD2 ST) 
(IF (ZEROP (FETCH (ACS ST) 15)) 
(SET.ERROR T ST) 
(SET.PC (B930.ADD.8BIT (FETCH (ACS ST) 0) (D WRDl)) 
(SET.AC 0 (FETCH (MEM ST) (FETCH (ACS ST) 15)) 
(SET.AC 15 (SUBI (FETCH (ACS ST) 15)) 
ST))) 
(* We don't know if the new PC is supposed to permit a negative 
displacement or not, i.e., whether we can really use our 
8-bit adder. The ISP is wrong because it doesn't reference 
memory, it just loads ac 15 into ac 0))) 
(DEFN JSS (WRDI WRD2 ST) 
(SET.PC (MAR WRD2 ST) 
(SET.MEM (B930.ADD.8BIT (FETCH (ACS ST) 15) 1) 
(B930.ADD.8BIT (PC ST) 2) 
(SET.AC 15 
(B930.ADD.8BIT (FETCH (ACS ST) 15) 1) 
ST))) 
(* We don't really know the order of things. Is the stack 
smashed and the stack pointer bumped before or after the MAR 
calculation? Another question concerns the right half of 
the first word of the instr. The manual does not specify 
whether those bits are important or not. Our dispatcher, 
EXEC 17 , treats them as though the manual said they were 
don't cares.)) 
(DEFN RPS (WRDI WRD2 ST) 
(IF (ZEROP (FETCH (ACS ST) 15)) 
. (SET.ERROR T ST) 
(SET.PC (B930.ADD.8BIT (FETCH (MEM ST) 
(SET.AC 15 
(FETCH (ACS ST) 15)) 
(D WRD2)) 
(SUBI (FETCH (ACS ST) 15)) 
ST))) 
(* Is the right half of the first word of the instr important? 
Our EXEC17 treates it as don't care.)) 
(DEFN POPF (~RDI WRD2 ST) 
(IF (ZEROP (FETCH (ACS ST) (B WRD2))) 
(SET.ERROR T ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET.SW (FETCH (MEM ST) (FETCH (ACS ST) (B WRD2))) 
(SET.AC (8 WRD2) 
500 
(SUB1 (FETCH (ACS ST) (B WRD2») 
ST»» 
(* What is the difference between the "status word" of the 
programmers manual and the "switch register" of the ISP? 
Is the manual setting of switches and POPF the only 
way of setting SW?» 
(DEFN PUSHF (WRD1 WRD2 ST) 
(SET.PC (B930.ADD.8BIT (PC ST) 2) 
(SET.MEM (B930.ADD.8BIT (FETCH (ACS ST) (B \VRD2» 1) 
(SW ST) 
(SET.AC (B WRD2) 
(B930.ADD.8BIT (FETCH (ACS ST) 
(B WRD2» 
1) 
ST») 
(* See POPF» 
(DCL EXECR (WRD1 WRD2 ST)(* We should think carefully about 
what the PC is set to when the instr 
is executed.» 
(DEFN EXEC07 (WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 13) 
(IF (AND (EQUAL (OP1 WRD2) 1) 
(EQUAL (AC WRD2) 1» 
(LDM ~TID1 WRD2 ST) 
(SET.ERROR T ST» 
(IF (EQUAL (OP2 WRD1) 14) 
(IF (AND (EQUAL (OP1 WRD2) 1) 
(EQUAL (AC WRD2) 1» 
(STM WRD1 WRD2 ST) 
(SET.ERROR T ST» 
(IF (EQUAL (OP2 WRD1) 15) 
(IF (AND (EQUAL (A WRD1) 0) 
(EQUAL (IBIT WRD2) 0) 
(EQUAL (OP1 YffiD2) 4» 
(PADDM/POPM/PUSHM WRD1 WRD2 ST) 
(SET.ERROR T ST» 
(SET.ERROR T ST»» 
(* The ISP says that any OP2 other than 13, 14, and 15 is a no op; 
we say error. The programmers manual implies that in addition to 
the conditions on OP2 of WRD1 there are specific bit patterns required 
in WRD2. We cause errors if these bits are not set correctly. 
EXCEPT, the manual says that A of ~~D1 in PUSHM is don't care and 
we require zeroes as in PADDM.» 
(DEFN EXECOO (WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 0) 
(TRA/NOP WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 1) 
(DECEQ WRD1 ~~D2 ST) 
(IF (EQUAL (OP2 WRD1) 2) 
(LCM WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 3) 
(RLS WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 4) 
(CaNT WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 5) 
501 
(DECNE WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 6) 
(ANDOP WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 7) 
(RLL WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 8) 
(ADDR WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 9) 
(IR/CLA WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 10) 
(DROP WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 11) 
(MPY WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 12) 
(CLAD/SUER WRD1 "~D2 ST) 
(IF (EQUAL (OP2 WRD1) 13) 
(ACM WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 14) 
(CMPR WRD1 WRD2 ST) 
(DIV WRD1 WRD2 ST))))))))))))))))) 
(DEFN EXECF (WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 0) 
(SFE1 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 1) 
(SFE2 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 2) 
(SFE3 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 3) 
(SRIE WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 4) 
(SROV WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 5) 
(SFIR WIlD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 6) 
(SRF1 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 7) 
(SRF2 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 8) 
(STE1 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 9) 
(STE2 ~~D1 WRD2 ST) 
. (IF (EQUAL (OP3 WRD1) 10) 
eSTE3 WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 11) 
(SSIE WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 12) 
(SSOV WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 13) 
(STIR WRD1 WRD2 ST) 
(IF (EQUAL (OP3 WRD1) 14) 
(SSF1 WRD1 WRD2 ST) 
(SSF2 WRD1 WRD2 ST))))))))))))))))) 
(DEFN EXEC10 (WRD1 WRD2 ST) 
(IF (EQUAL (OP2 ~~D1) 0) 
(SLSA WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 1) 
(SLLA WRD1 WRD2 ST) 
502 
(IF (EQUAL (OP2 WRD1) 2) 
(SKGT WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 3) 
(SKLT WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 4) 
(SLSL WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 5) 
(SLLL WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 6) 
(SKGE WRD1 WRD2 ST) 
(IF (EQUAL (OP2 ~~D1) 7) 
(SKLE WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 8) 
(SRSA WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 9) 
(SRLA WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 10) 
(SKEQ WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 11) 
(EXECF WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 12) 
(SRSL WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 13) 
(SRLL WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 14) 
(SKNE WRD1 WRD2 ST) 
(IAR WRD1 WRD2 ST))))))))))))))))) 
(DEFN EXEC17 (WRD1 WRD2 ST) 
(IF (EQUAL (OP2 ~~D1) 0) 
(DADDR WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 1) 
(DSUBR WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 3) 
(EXOR WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 12) 
(HALT WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1)· 13) 
(RET WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD1) 15) 
(IF (EQUAL (OP1 WRD2) 1) 
(IF (EQUAL (AC WRD2) 0) 
(JSS WRD1 WRD2 ST) 
(IF (EQUAL (OP2 WRD2) 2) 
(IF (EQUAL (IBIT WRD2) 0) 
(RPS WRD1 WRD2 ST) 
(SET.ERROR T ST)) 
(IF (EQUAL (OP2 WRD2) 14) 
(IF (EQUAL (IBIT WRD2) 0) 
(EXECR WRD1 ~~D2 ST) 
(SET.ERROR T ST)) 
(SET.ERROR T ST)))) 
(IF (EQUAL (OP1 WRD2) 2) 
(IF (EQUAL (OP2 WRD2) 0) 
(IF (EQUAL (IBIT WRD2) 0) 
(DMPY WRD1 WRD2 ST) 
(SET.ERROR T ST)) 
(IF (EQUAL (OP2 WRD2) 1) 
(IF (EQUAL (IBIT WRD2) 0) 
503 
(DACM WRD1 WRD2 ST) 
(SET.ERROR T ST» 
(SET.ERROR T ST») 
(IF (EQUAL (OP1 WRD2) 4) 
(IF (EQUAL (OP2 WRD2) 5) 
(IF (EQUAL (IBIT WRD2) 0) 
(POPF WRD1 WRD2 ST) 
(SET.ERROR T ST» 
(IF (EQUAL (OP2 ~~D2) 6) 
(IF (AND (EQUAL (IBIT WRD2) 0) 
(EQUAL (A WRD2) 15» 
(PUSHF WRD1 WRD2 ST) 
(SET.ERROR T ST» 
(SET.ERROR T ST») 
(SET.ERROR T ST»» 
(SET.ERROR T ST»»»» 
(DEFN EXECUTE (WRD1 WRD2 ST) 
(IF (EQUAL (OP1 WRD1) 0) 
(IF (EQUAL (IBIT WRD1) 0) 
(EXECOO WRD1 WRD2 ST) 
(EXEC10 WRD1 WRD2 ST» 
(IF (EQUAL (OP1 WRD1) 1) 
(IF (EQUAL (AC WRD1) 0) 
(JU WRD1 WRD2 ST) 
(IF (EQUAL (AC WRD1) 1) 
(JSAO WRD1 WRD2 ST) 
(IF (EQUAL (AC WRD1) 2) 
(JSA1 WRD1 WRD2 ST) 
(JMAO WRD1 WRD2 ST»» 
(IF (EQUAL (OP1 WRD1) 2) 
(ADD WRD1 WRD2 ST) 
(IF (EQUAL (OP1 WRD1) 3) 
(SUB WRD1 WRD2 ST) 
(IF (EQUAL (OP1 WRD1) 4) 
(CMP WRD1 WRD2 ST) 
(IF (EQUAL (OP1 WRD1) 5) 
(LOAD WRD1 WRD2 ST) 
(IF (EQUAL (OP1 WRD1) 6) 
(STO WRD1 WRD2 ST) 
(IF (EQUAL (IBIT WRD1) 0) 
(EXEC07 WRD1 WRD2 ST) 
(EXEC17 WRD1 WRD2 ST»»»»» 
(DEFN B930 (ST INSTR.CNT INTER.INSTR.LST) 
(IF (ZEROP INSTR.CNT) 
(LIST ST INSTR.CNT) 
(IF (ERROR ST) (LIST ST INSTR.CNT) 
(IF (HALT ST) (LIST ST INSTR.CNT) 
(B930 
(IF (AND (IE ST) (MEMBER INSTR.CNT INTER.INSTR.LST» 
(EXECUTE (FETCH (MEM ST) 2001Q) (FETCH (MEM ST) 2002Q) ST) 
(EXECUTE (FETCH (MEM ST) (PC ST» 
(FETCH (MEM ST) (PC+1 ST» 
ST» 
(SUBl INSTR.CNT) 
INTER.INSTR.LST»» 
(* We assume from Chuck's code rather than the programmers manual 
504 
))) 
STOP 
or ISP that interrupts jump to 2001 octal = 200lQ 
For all purposes in the execution of the instruction at 2001, 
the PC points to the instruction we were about to execute.) 
505 

CHAPTER 19 
VERIFICATION OF NUMERICAL ALGORITHMS 
507 

1 Overview of Correctness Proofs 
During the past few years there has been very substantial progress in program verification 
techniques that employ Cormal methods of program specification together with machine-aided 
proofs of correctness. All oC these methods employ some variation of the inductive-proof schema 
originally proposed by Floyd [2]. The general approach is to annotate the text of a program with 
assertions about the relations among program variables at selected points between executable 
program statements, particularly at the entrance and exit points of program loops. Beginning 
with an input assertion that describes the domains and initial values of program input variables, 
every path through the program forms an "assertion chain" that leads to the output assertion. 
The input and output assertions together constitute a formal specification of the intent of the 
program. If it can be shown that the program terminates, and that the truth of each assertion in 
every chain logically implies the truth of its successor then a proof of correctness of the program 
with respect to its specification has been demonstrated. 
As an aid to formulating the intermediate assertions, Hoare [3] has suggested a uniform approach 
in which each different type of high-level language statement is associated with a "rule" of the 
form: P{statement}Q, where the informal interpretation is that if P is a true proposition about 
program values before execution of {statement}, then Q is necessarily true afterwards. Once the 
high-level language statements have been "axiomatized" in this way, a system called a 
verification condition generator (VC-generator) can be used to automatically construct the 
intermediate assertions and to combine the ones in each chain into propositions (theorems) to be 
proved. The resulting theorems may be proved "by hand" (at the risk of making human errors) 
or submitted to an automatic deductive system (theorem prover) for verification. Several such 
theorem provers have been constructed during the past ten years. The most advanced of these is 
the (SRI) Boyer-Moore system [1], which currently can apply inductive reasoning to sentential 
logical formulas involving recursive functions, and linear arithmetic in the integer domain. 
Most, if not all, of the successful applications of these ideas have been concerned with programs 
that presume exact representations of all data objects. The published literature on formal 
program proving topics, which currently comprises about 500 papers and reports, contains only a 
handful that addresses problems in the numerical algorithm category. The paucity of results in 
this area can be explained by the fact that in a general setting the problems of formal program 
specification and error analysis of numerical algorithms appear to be extremely difficult. 
However, as we shall observe in the following section, there are some classes of nontrivial and 
useful numerical algorithms for which mechanical verification problems seem to be more tractible. 
Part of the proposed study would be devoted to finding a good characterization of the types of 
numerical problems that can be successfully handled by the method explained below. Another 
part would be concerned with generalizing the technique to cope with a wider variety of 
algorithmic types. 
1 METHOD OF APPROACH 
"You must always invert." - C. G. J. Jacobi. 
509 
1.1 The Basic Ideas 
Our proposed approach differs from the customary methods of program proof described above in 
several respects that are believed to be novel in concept, and unique in providing opportunities 
for exploiting the capabilities of SRI's several mechanical deductive systems. The general strategy 
is based on the observation that it is usually quite difficult {or impossible} to compose the formal 
output-~pecification for a numerical algorithm prior to it's specific implementation in code. Since 
the output values computed by a program generally will not exactly satisfy any mathematical 
identities or relationships used in the computation, one does not know in advance precisely what 
to say in terms of an I/O assertion that will be both correct and acceptable to the program user. 
On the other hand, the specification of the "mathematical intent" of a numerical algorithm is 
usually fairly easy. The computational plan will typically use a combination of mathematical 
relations that are already very well specified by formal analytic definitions. Moreover, these 
relations, identities etc., are usually applied in a well-ordered sequence that would survive 
scrutiny by the so-called "social process" of examination, and consensus on just what 
mathematical object the program was intended to compute. The latter facts suggest the 
following strategy for specification and proof, which inverts the usual order of proceedings: 
• Defer the construction of a formal program sepecfication with respect to I/O 
assertions until the correctness of the program with respect to an abstract 
mathematical model of program intent has been demonstrated. 
• From the "partial" program specification in terms of the mathematical description of 
the object to be computed, prove that an abstract machine {using infinite-precision 
arithmetic} would compute that object exactly. 
• Next, prove that the computational sequences of arithmetic operations that occur in 
the abstract machine must be precisely the same at every step as those occurring on 
an actual machine (with finite-precision arithmetic), executing the same program. 
• Following this, use a VC-generator that "knows" about the semantics of arithmetic 
operations (on the actual machine) to annotate the program with assertions that 
bound (or in some circumstances estimate) the differences between the actual machine 
state variables and the corresponding ones of the abstract machine. 
• Finally, construct the formal program specification by combining the verification 
conditions into theorems about computational error that can be proved with 
mechanical assistance. 
1.2 The Notion or Separability 
Our general approach simplifies the problem of reasoning about the correctness of numerical 
algorithms by separating the issues of "mathematical correctness" from those of computational-
error analysis. The property of mathematical correctness is essentially captured by the notion of 
executing a program on an abstract machine that carries out perfect (infinite precision) 
arithmetic. A program is a description of a sequence of arithmetic operations that is alleged to 
"construct" some mathematical object-for example, the sum of n terms of the Taylor series for 
510 
sin{x). Proof of mathematical correctness consists of showing by induction, symbolic evaluation, 
or otherwise that the sequence of operations carried out by the abstract machine produces a 
result that coincides exactly with some textbook formula, identity, or mathematical definition 
that is accepted (by human inspection) as a precise specification of the mathematical intent of the 
program. We believe that existing symbolic evaluation tools can be used to prove this 
correspondence. However, it may be more convenient to construct our own symbolic evaluators 
for this purpose. 
Having demonstrated mathematical correctness, the next step is to show that the program, when 
executed on an actual machine of limited precision, will follow exactly the same sequence of 
computational steps as the abstract machine (fa; all input data values). This is necessary because 
otherwise the two machines would not always be computing the same mathematical object. To 
prove identity of the computational sequences requires some reasoning about branching tests in 
the program. The property is certainly true if no branching test ever refers to a value that has 
been computed from imprecisely represented values--and that is quite easy to determine 
mechanically. It may also be true in other circumstances (such as those occurring in our example 
below). In such cases we need some additional reasoning to exhibit the correspondence between 
the computational sequences. Often this will be trivial to demonstrate because the branch te~t is 
made on some value (such as an input argument) that necessarily must have the same value on 
both the abstract and actual machines. 
Once the above correspondence has been established, all questions relating to the computational 
goals of the program (even its mathematical intent!) have been abstracted away. The only thing 
left is a specification of the domain of input values and a now "meaningless" but definite 
sequence of arithmetic operations on data. These operations need to be axiomatized-- for 
example, by replacing the operator + with a Boyer-Moore function-definition that simulates in 
the discrete-integer domain what happens in some reasonable implementation of finite-precision 
arithmetic, e.g. the IEEE standard. As a practical matter, such a model of arithmetic is going to 
be based on some some form of machine-level binary representation, and it will often be 
convenient to reason about computational error in terms of what happens to the low-order bits of 
the machine-representation of a value. 
Finally, we need to provide assertions about error bounds and prove that the given computational 
sequence always yields a value representation in that range. A typical assertion might be that an 
output value v computed on the actual machine will not differ in the first k bits of significance 
from the v computed on the abstract machine. There are mechanical aids (VC-generators) that 
can help us formulate such assertions, and automatic deductive systems can help us prove the 
resulting theorems. An important part of the proposed research would be to find good ways to 
mechanize the latter steps in the proof process. 
Following this plan, we wind up with a program that has been proved correct with respect to a 
particular specification of output error. The specification may be weaker than is acceptable to a 
user of the program, or it may be better than he might have expected. In any case it is correct. 
511 
1.3 An Annotated Example 
The following example is intended to illustrate the above ideas. It is a FORTRAN program to 
calculate an approximation to the mathematical function exp(Z) for a domain of positive or 
negative values of Z such that the result would not cause overflow of single-precision values on a 
machine with real representations equivalent to those of the DEC KL-10. This is not a "toy" 
program. It is a reasonably fast and relatively accurate algorithm of the sort one might write (as 
a first attempt) for use on a machine where the system-library did not contain the exponential 
function. We do not make any claims for optimality--better routines can be written without 
descending to the machine-code level (indeed, the proof process reveals two possible improvements 
to the algorithm). Refinements of an algorithm are evident whenever the generation of the I/O 
specification reveals where the main sources of computational error occur. 
The program: 
FUNCTION GEXP(Z) 
IF(Z.GE.O.O) GOTO 10 
X=-Z 
GOTO 15 
10 X= Z 
15 IF{X.GT.87.0) X = 87.0 
E = 2.7182818285 
ANS = 1.0 
N=X 
X=X-N 
20 IF(N.EQ.O) GOTO 30 
J = N/2 
IF(N.GT.2*J) ANS = E*ANS 
IF(J.GT.O) E = E*E 
N=J 
GOTO 20 
30 SERIES = 1.0 
DO 40 J = 1,12 
40 SERIES = 1.0+X*SERIES/(13-J) 
ANS = ANS*SERIES 
IF(Z.LT.O.O) ANS = 1.0/ANS 
GEXP = ANS 
RETURN 
END 
Discussion of the program: 
512 
Segment 1 
Segment 2 
Segment 3 
Segment 4 
Segment 5 
First let's walk through the program, just to observe the plan of the computation. 
Segment! notes whether the input argument of the function is negative and, if so, makes a 
positive copy of it. We make this code explicit, rather than using the statement 
x = ABS(Z) 
so that correctness of the program will not depend on the correctness of some other function, 
however trivial. 
The statemcnt labeled 15 is a feeble attempt to cope with the possibility of exponent overflow. 
Since FORTRAN has no explicit means for exception handling, the statement merely insures that 
we will always rcturn a value that is (approximately) between exp(-87.0) and exp(87.0) both of 
which are comfortably represented on the DEC KL-I0 or any machine that implements the 
proposed IEEE standard of a single-precision 8-bit exponent. In the rest of the program we 
ignore the possiblity of underflow on the assumption that underflow defaults to zero without 
raising an exception. If this were not the case, as in the current implementation of Pascal on the 
KL-lO, then we would have to insert some statements in the above program to check for and deal 
with this contingency. 
Segment .£ assigns to N the integer part of X and adjusts X to be the fractional part of its 
previous value. 
Segment ~ implements the Floyd-King algorithm for raising a value (in this case, E = 2.71828 ... 
to an integer exponent). Here the exponent is the integer value N. 
Segment .1 evaluates the sum of 13 terms of the Taylor series for exp(X) using a "nested" product 
expansion, that is, the Horner rule for polynomial evaluation. 
Segment Q. forms the product of the approximation to exp(N) from Segment 3 and the value 
obtained by the computation of the series. It then checks whether the original argument to 
GEXP(Z) was negative and if so, returns the reciprocal of the previous value. 
1.4 Outline of the Proor or Correctness 
The plan of the proof follows the scheme described in 1.1. above. To avoid being too tedious, we 
wiII merely sketch the main outline of the proof, leaving out a number of small details which 
would, of course, have to be handled in an actual machine-aided proof of correctness with respect 
to the final I/O specification. 
1.4.1 Mathematical Correctness 
First comes the issue of mathematical correctness. A partial specification of mathematical intent 
for the program (executed on the abstract machine) would state that it is supposed to compute 
the object represented by: 
if Z >= 0.0 then exp(N) * T(t3,X) else 1 I (exp(N) * T(t3,X» 
where T(j,x) is the sum of j terms of the Taylor series for exp(x), and 
513 
N = abs(Z) div 1, x = abs(Z) mod 1. 
Note that this specification does NOT say that the abstract machine is supposed to compute 
exp(Z). Even the abstract machine is computing an approximation to exp(Z), and it is matter of 
separate analysis and proof to establish that this object would (if computed correctly) have 
satisfactory accuracy. As a practical matter, it is easy to show in this case that the abstract 
machine will always compute an approximation to exp{Z) that is more accurate than can be 
represented in single precision on the DEC KL-I0, but it should be emphasized that questions of 
mathematical intent can and should be treated separately. 
Next, does the program actually realize its mathematical intent! A mechanical trace of the 
program now-of-control will show that if the Segments 3 and 4 terminate with values for ANS 
and SERIES, and if the familiar identities, 
exp(a. * b) = exp(a) * exp(b), exp(-Z) = l/exp(Z) 
are assumed, then the program meets the above specification. Segment 3 is one implementation 
of the Floyd-King algorithm which has an elegant mechanical proof of correctness and 
termination. Of course this needs to be re-proved in the context of this particular program. 
Here, we would make use of our currently available FORTRAN VC-generator and the Boyer-
Moore system. Segment 4 must terminate because the loop index runs through the literal values 
1..12, and the value returned can be shown by symbolic evaluation to coincide exactly with the 
sum of the first 13 terms of the textbook Taylor series for exp(X). 
This disposes of the question of mathematical correctness except for the exceptional case where 
the input argument exceeds 87.0 in absolute value. This contingency should be treated as part of 
the final I/O assertion. 
1.4.2 Computational Equivalence 
Next we must demonstrate that the computational sequences of the real and abstract machines 
are equivalent (identical). 
Segment! of the program contains no arithmetic operations on real representations (hereafter 
called reals) except for the unary minus operation and a test and branch on zero. We will assume 
that in our implementation of reals, each representable value has a representable negative inverse. 
This is not true for the KL-lO, but is true (or should be) for the IEEE standard. Moreover, the 
value 0.0 should be exactly (and uniquely) representable in such a standard, so that the abstrac.t 
and actual machines must take the same branch at the first program statement. It also follows 
that there is no loss of accuracy in Segment 1. All this is mechanically verifiable. 
The statement labled 15 involves a branch on a real value. But that value has not suffered any 
contamination by arithmetic operations, so this is a test that must lead to the same 
computational sequence in both the abstract and actual machines (again mechanically checkable). 
In Segment ~ we compute an integer N <= 87 and the fractional part of X, both necessarily 
exact, because N is exactly representable and, therefore, so is the value X - N. 
514 
In Segment ~ we use the Floyd-King algorithm to raise an internal representation E (of the 
"mathematical" e) to the Nth power. The three branching tests (IF statements) in his segment 
each refer only to integer values computed from N. Since N must have the same value on both 
machines, the computational sequences are necessarily the same for Segment 3. 
Segment i contains a DO-loop whose implied branching test does not depend on the values of 
reals. Indeed, the body of the loop is executed exactly 12 times on either machine, so 
computational equivalence is obvious. 
Finally, Segment 2 makes a branch on the value of the input argument Z, which has never been 
changed by the program. Consequently, both machines take the same path at this step. 
The above reasoning, which for this particular program was all essentially mechanical, establishes 
that the computational sequences on both the actual and abstract machines are identical. We can 
now turn to the more interesting part of the exercise, i.e., the error analysis that will form the 
basis or the I/O specification. 
1.4.3 Error Analysis 
We have already observed that no program error is generated in Segments 1. and 2., except for 
the assignment to E. Here E is a real (introduced as a literal program constant in decimal 
notation) whose internal representation may differ from the abstract machine value in the least 
significant bit of the machine value. Incidentally, we are aware of some cases in which poor 
implementation of a conversion algorithm causes the error to be even worse. It is necessary to 
know the precise semantics of the interpretation of literal program constants before an assertion 
can be made about the error introduced at this step. We will return to this question in the next 
section. 
The error of Segment 3 arises from two sources--the product E*E and the product E* ANS. 
According to one reasonable axiomatization of real arithmetic, the relative error of the result of a 
multiplication is the sum of the relative errors of its components, plus a possible additional error 
of half the value of the least significant bit of the representation of the product. A Floyd-like 
assertion to that errect can be constructed by a VC-generator and attached automatically to the 
appropriate points of the program. If we choose to reason about maximum error bounds in terms 
of integer units representing a "half-bit" in the least significant place of the representation, then 
an error assertion of the form 
EA=EA+EE+l 
could replace the asignment ANS = E* ANS in the program. In this, EA and EE stand for the 
errors of ANS and E, respectively. Similarly the statement 
EE=EE+EE+l 
could replace the assignment E = E*E. These statements may be interpreted as either assertions 
about error bounds, or as symbolically executable state- ments about error values. Note that 
error values such as EE and EA do not appear as explicit program variables. 
We would now like to prove a theorem that bounds the error EA in the value of ANS computed 
515 
by Segment 3. But what is the theorem! By inrormal reasoning one can conclude that the 
assignment E = E*E is executed log2(N) times, and that the assignment ANS = E* ANS is 
executed anum ber of times equal to the number of l's in the binary representation of 
N. Therefore. it seems that the error is likely to be a discouragingly complicated function of 
N. To investigate this possibility we first converted the symbolic execution of Segment 3 into an 
equivalent Boyer-Moore function-definition. This could be done mechanically; ours is a hand 
translation. The definition looked like this: 
(DEFN ERROR (N EE EA) 
(IF (ZEROP N) (FIX EA) 
(IF (ODD N) 
(ERROR (QUOTIENT N 2) 
(ADDI (PLUS-EE EE» 
(ADDl (PLUS EE EA))) 
(ERROR (QUOTIENT N 2) 
(ADDl (PLUS EE EE» 
EA)))) 
Next we executed this function on several combinations of values for the input errors of the 
arguments EE and EA. In the actual program the arguments to ERROR are (N 1 0). After a 
few such tries, the pattern or output values suggested the following surprising conjecture: 
WOR(N EE FA) = FA + N • (EE + 1) 
which (if true) would be a very simple relationship between the input and output errors of 
Segment 3 We next asked the Boyer-Moore system to prove the above conjecture. In their syntax 
this is sim ply 
(PROVE. LEMMA F ACT.ABOUT.ERROR (REWRITE) 
(EQUAL (ERROR N EE EA) 
(PLUS EA (TIMES N (ADDl EE))))) 
The mechanical deductive system easily proved the truth of the above lemma, therefore the truth 
of our conjecture, and therefore, in the context of the program, that EA = 2*N. 
This fact about the error induced by Segment 3 turns out to be much simpler than might have 
been expected from an inspection of the program. Moreover, we have proved its correctness for 
any call of GEXP(Z) under the particular axiomatization of error arithmetic modeled above. The 
analysis of the error induced by Segment 4 of the program follows much the same scheme. We 
omit the details, since the proof was carried out by hand rather than mechanically. The result is 
that the computation of the value SERIES cannot be in error by more than 3 "haIr-bit" units. 
Here the equivalent mechanicaly proved theorem should show that if the domain of values for X 
is 0.0 .. 0.5 instead of 0.0 .. 1.0 then the maximum error would be one unit instead of three. 
By combining the error analyses of Segments 2,3, and 4 with thr trivial analysis of Segment 5, 
one obtains an output assertion that can be stated informally as follows: 
516 
If -87.0 <= Z <= 87.0 then the program GEXP(Z) computes the intended mathematical object 
(described in II-D) with a difference of not more than 2*N + 5 units of "half-bit" significance. 
Otherwise it computes one of the values GEXP(87.0) or GEXP(-87.0). 
We omitted proving the last part of the output specification, but it follows easily from the fact 
that ANS can be proved to be monotone-increasing in Segment 3, and therefore overflow cannot 
occur on the actual machine. 
1.5 Conclusions 
What can be learned from the foregoing example! First, we find that it is possible to prove 
correctness of a program with respect to a realistic specification when that specification is the last 
thing that we discover. Second, we observe that the largely mechanical analysis and proof 
process furnishes a useful guide to the construction of a "better" program implementation of the 
intended mathematical object. In the case illustrated above, it is obvious that most of the error 
arises in the generation of integral powers of e. This suggests the use of a small table of accurate 
values for powers of e, indexed by N. The analysis of the evaluation of SERIES suggests that a 
further range reduction (so that the value of X lies between 0.0 and 0.5) would be beneficial. The 
resulting new program would be faster, more accurate, and easier to prove correct. 
In summary, we have suggested a method of approach to the proof of correctness of a certain 
class of numerical algorithms, and tried to indicate by examining a typical example, how 
mechanical proof aids such as the Boyer-Moore deductive system can be expected to handle many 
of the details involved in such exercises. Some of the steps in our outline of the proof process 
have involved human judgments rather than machine deductions, but most of these decisions 
were about obvious mathematical properties or the function being computed. Consequently, these 
facts could be introduced to the deductive system as axioms without incurring any human doubt 
about the validity of the mechanical portion or the proof process. 
517 
[1] Boyer, R.S. and Moore, J S. 
A Computational Logic. 
Academic Press, 1979. 
[2] Floyd, R.W. 
Assigning Meaning to Programs. 
References 
In Proceeding8 of a Sump08ium on Applied Mathematic8, pages 19-32. American 
Mathematical Society, 1967. 
[3] Hoare, C.A.R. and Wirth, N. 
An Axiomatic Definition of the Programming Language Pascal. 
Acta Informatica 2:335-355, 1973. 
518 
CHAPTER 20 
VERIFICATION OF FLIGHT CONTROL PROGRAMS 
519 

The Use of a Formal Simulator to Verify a 
Simple Real Time Control Program 
1.1 Abstract 
Robert S. Boyer 
Milton W. Green 
J Strother Moore 
We present an initial and elementary investigation of the formal specification and mechanical 
verification of programs that interact with environments. We describe a formal, mechanically 
produced proof that a simple, real time control program keeps a yehicle on a straightline course 
in a variable crosswind. To formalize the specification we define a mathematical function which 
models the interaction of the program and its environment. 'vVe then state and prove two 
theorems about this function: the simulated vehicle never gets farther than three units away 
from the intended course and homes to the course if the wind ever remains steady for at least 
four sampling intervals. 
Key Phrases: autopilot, formal specification, mechanical theorem-proving, modeling, program 
verification, real time control, simulation. 
1.2 Background 
Formal computer program verification is a research area in computer science aimed at aiding the 
production of reliable hardware and software. Formal verification is based on the observation 
that the properties of a computer program are subject to mathematical proof. 
1.2.1 Program Verification 
Consider, for example, the following FORTRAN program for computing integer square roots 
using a special case of Newton's method l 
IV. Kahan, of V.C. Berkeley, reports that the algorithm was in fact advocated by Heron of Alexandria 
before 400 A.D. 
521 
INTEGER FUNCTION ISQRT(I) 
IF «I .LT. 0» STOP 
IF «I .GT. 1» GOTO 100 
ISQRT = I 
RE11JRN 
100 ISQRT = (I I 2) 
200 IF « (I I ISQRT) . GE. ISQRT» RETURN 
ISQRT = «ISQRT + (I I ISQRT» I 2) 
GOTO 200 
Elm 
It is possible to prove, mathematically, that the program satisfies the following (informally stated) 
specification: 
If the program is executed on a machine implementing ANSI FORTRAN 66 or 
77 [13, 1], and the input to the program is a nonnegative integer representable on the 
host machine, then the program terminates, causes no arithmetic overflow or other run 
time error, and the output is the largest integer whose square is less than or equal to 
the input. 
Such program proofs are generally constructed in two steps. In the first step, the code and its 
mathematical specifications are transformed into a set of formulas to be proved. In the second 
step the formulas are proved using the usual laws of logic, algebra, number theory, etc. For an 
introduction to program verification, see [9, 10, 11, 2]. 
Because the mathematics involved in program verification is often tedious and elementary, 
mechanical program verification systems have been developed. One such system is described 
in [6]. That system handles a subset of ANSI FORTRAN 66 and 77 and has verified the above 
mentioned square root program [8], among others. 
To admit mechanical proof, the specifications must be written in a completely formal notation. 
For example, in the square root example the specification of the program's output is: 
j2 ~ i < (j+l)2 I: 0 ~ j, 
where it is understood that i refers to the value of the FORTRAN variable I on input to ISQRT 
and j refers to the value returned by ISQRT. 
1.2.2 Baehert's Challenge 
The square root program is a good example of a programming task in which the specification 
"obviously" captures the intent of the designer. At issue is whether some algorithm satisfies the 
specification. However, for some programming tasks it is difficult to find mathematical 
specifications that obviously capture the designer's intention. Real time control programs are an 
especially important example of such tasks. 
To spur the interest of the program verification research community to consider such 
specification problems, a version of the following problem was proposed by Earl Boebert.2 
2Honeywell Systems and Research Center, 2600 Ridgway Parkway, Minneapolis, Minnesota 55413 
522 
Consider the task of steering a vehicle down a straightline course in a crosswind that varies with 
time. Let the desired course be down the x-axis of a Cartesian plane (i.e, towards increasing 
values of x). Suppose the vehicle carries a sensor that, in each sampling interval of time, reads 
either +1, 0, or -1, according to whether the vehicle is to the left of t.he course (y>O), 011 the 
course (y=O), or to the right of the course (y<O). Suppose also that the vehicle has some 
actuator that can be used to change the y-component of it.s velocity under the control of some 
program reading the sensor. Problem: state formally what it means to keep the vehicle on 
course and, for some particular control program, prove mechanically that the program satisfies its 
high level specification. 
Observe that the problem necessarily involves a specification of the environment with which the 
program interacts. Furthermore, unlike the square root example, what is desired is not merely a 
description of a single input/output interchange between the environment and the program but 
rather the effects of repeated interchanges over time. 
In this paper we describe one solution to Boebert's challenge. Our method involves writing a 
simulator for the system in formal logic. We present our formal simulator after explaining 
informally the model and control program we will use. 
1.3 The Informal Model 
The mechanized logic into which we cast the model provides the integers and other discrete 
mathematical objects but does not provide the rationals or reals.3 Thus, we will measure all 
quantities, e.g., time, wind speed, vehicle position, etc., in unspecified integral units. 
We ignore the x-axis and concentrate entirely on the y-axis. For example, we do not consider the 
x-component of the vehicle's velocity and we ignore any x-component of the wind velocity. Thus, 
our model more accurately represents a one-dimensional control problem, such as maintaining 
constant temperature in an environment where the outside temperature varies, or maintaining 
constant speed, as in an automobile's "cruise control." 
We measure the wind speed, w, in terms of the number of units in the y-direction the wind would 
blow a passive vehicle in one sampling interval. We assume that from one sampling interval to 
the next w can change by at most one unit. Some such assumption is required since no control 
mechanism can compensate for an external agent capable of exerting arbitrarily large 
instantaneous forces. Thus, we assume that the wind speed at time t+ 1 is the speed at time t 
plus some increment, dw, that is either -1,0, or 1. 
w(t+1) = wet) + dw(t+1) 
where 
dw(t+1) = -1, 0, or 1. 
We permit the wind to build up to arbitrarily high velocities. 
3This is not a limitation or mechanized logic in general. Several existing mechanical theorem-provers, 
e.g., those or Bledsoe's school 14, 31, and the MAXSYMA symbolic manipulation system 1121, provide 
analytic capability. 
523 
At each sampling interval the control program may increment or decrement the y-component of 
its velocity (e.g., by turning a rudder or firing a thruster). We let v be the accumulated speed in 
the y-direct.ion measured as the number of units the vehicle would move in one sampling interval 
if there were no wind. \Ve make no assumption limiting how fast v may be changed by the 
control program; our illustrative program changes v by at most +5 each sampling interval. We 
permit v to become arbit.rarily large. 
The y-coordinate of the vehicle at time t+ 1 is thus its y-coordinate at time t, plus the 
accumulated vat time t, plus the displacement due to the wind at time t+l: 
y(t+l) = y(t) + v(t) + w(t+l). 
The sensor reading at any time is the sign of y, sgn(y). The control program changes v at each 
sampling interval as a function of the current sensor reading (and perhaps previous readings). 
Our illustrative control program is a function of the current reading and the previously obtained 
reading: 
v(t+l) = v(t) + deltav(senl,sen2) 
where 
senl = sgn(y(t+l» 
sen2 = sgn(y(t», 
and deltav is the mathematical function specifying the output of the control program. 
1.4 The Control Program 
It is instructive to consider first the control program with the following specification: 
deltav(senl,sen2) = -senl 
A steadily increasing wind can blow the vehicle arbitrarily far away from the x-axis. 
Furthermore, should the wind ever become constant, the vehicle begins to oscillate around the 
x-axis. See Figure 1. 
The control program we consider includes a damping term that also causes the vehicle to resist 
more strongly any initial push away from the x-axis. 
dcltav(senl,sen2) = -senl + 2(sen2-senl). 
See Figure 2 for an illustration of the behavior of the vehicle under this program. 
The following trivial FORTRAN program implements this specification in the following sense. If 
SENl is the current sensor reading, senl, and the value of the global variable SEN2 is the 
previous sensor reading, sen2, and senl and sen2 are both legal sensor readings, then at the 
conclusion of the subroutine, the global ANS is set to deltav(senl,sen2) and the global SEN2 is set 
to senl. 
524 
SUBROUTINE DEl.TAV(SENl) 
INTEGER SENt, SEN2, ANS 
COMMON /DVBLK/SEN2, MIS 
ANS = «2 * SEN2) - (3 * SENt» 
SEN2 = SENt 
RETURN 
END 
Proving that the program satisfies its specification is, of course, trivial. At issue is whether the 
vehicle stays on course. 
By observing the behavior of the simulated vehicle under several arbitrarily chosen wind histories 
we made two conjectures about the behavior of the vehicle: 
1. No matter how the wind behaves (within the constraints of the model), the vehicle 
never strays farther than 3 units away from the x-axis. 
2. If the wind ever becomes constant for at least 4 sampling intervals, the vehicle returns 
to the x-axis and stays there as long as the wind remains constant. 
How can we state such specifications in a form that makes them amenable t.o mechanical proof! 
1.5 Formalizing the Model 
To state the conjectures formally we must formalize the model of the control program and its 
environment. We will define this model as a function in the same mechanized mathematical logic 
used by the FORTRAN verification system [6]. The logic and a mechanical theorem-prover for it 
are completely described in [5]. 
The syntax of the logic is akin to that of Church's lambda-calculus. If f is a function in the logic 
and el and e2 are two expressions in the logic, then we write (f el e2) to denote the value of f on 
the two arguments el and e2. The more traditional equivalent notation is f(el,e2). For example, 
suppose ZPLUS is defined as the usual integer addition function. Then (ZPLUS X Y) is how we 
write X+Y. Thus, (ZPLUS 3 -10) = _7.4 
Our formal model is expressed as a recursive function that takes two arguments, a description of 
the behavior of the wind over some time period and the initial state of the system. The value of 
the function is the final state of the system after the vehicle has traveled through the given wind 
under the direction of the control program. Thus, the recursive function may be thought of as a 
simulation of the model. 
Formally, we let states be triples, <w,y,v>, containing the current wind speed, y-position of the 
vehicle, and accumulated v. The function STATE, of three arguments, is axiomatically defined to 
return such a triple, and the functions W, Y, and V are defined to return the respective 
components of such a triple. Thus, the expression (STATE 63 -2 -61) denotes a state in which the 
wind speed is 63, the y-position of the vehicle is -2, and the accumulated v is -61. 
4This choice of notation is convenient because most symbols used in program specification are user-
defined and do not have commonly accepted names or symbols. Furthermore, the uniformity of the 
syntax makes mechanical manipulation easier. 
525 
(W (STATE 63 -2 -61» = 63 
(Y (STATE 63 -2 -61» = -2 
(V (STATE 63 -2 -61» = -61 
The function NEXT.STATE is defined to return as its value the next state, given the change in 
the wind and the current state. The formal definition of NEXT.STATE is: 
Definition. 
(NEXT.STATE DW STATE) 
= (STATE (ZPLUS (W STATE) DW) 
(ZPLUS (Y STATE) (V STATE) (W STATE) DW) 
(ZPLUS (V STATE) 
(DaTAV (SGH (ZPLUS (Y STATE) 
(V STATE) 
(W STATE) 
DW» 
(SGH (Y STATE»»). 
The definition of next state follows immediately from our equations for w{ t+ 1), y{ t+ 1) and 
v{ t+ 1). The function DELTA V is formally defined as was deltav in our informal model. 
The behavior of the wind over n sampling intervals is represented as a sequence of length n. Each 
element of the sequence is either -1, 0, or 1 and indicates how the wind changes between sampling 
intervals. Formally, a sequence is either the empty sequence, NIL, or is an ordered pair 
<hd,tl>, where hd is the first element of the sequence and tl is a sequence containing the 
remaining elements. Such pairs are returned by the function CONS of two arguments. The 
functions liD and TL return the respective components of a nonempty sequence, and the function 
EMPTYP returns true or false according to whether its argument is an empty sequence. 
In general we are not interested in wind behaviors other than those permitted by our model. 
Thus, we define a function that recognizes when an arbitrary sequence consists entirely of -1 's, 
O's, and 1 'so 
Definition. 
(ARBITRARY. WIND LST) 
= (IF (E1.!PTY LST) 
T 
(AND (OR (EQUAL (lID LST) -1) 
(EQUAL (lID LST) 0) 
(EQUAL (lID LST) 1» 
(ARBITRARY.WIND (TL LST»». 
(ARBITRARY.\VIND LST) returns true or false according to whether every element of LST is 
either -1, 0, or 1. The definition is recursive. The empty sequence has the property. A 
nonempty sequence has the property provided that (a) the liD of the sequence is -1, 0, or 1, and 
(b) the TL of the sequence (recursively) has the property. 
The recursive function FINAL.STATE takes a description of the wind and an initial state and 
returns the final state: 
526 
Definition. 
(FINAL. STATE L STATE) 
= (IF (awry L) 
STATE 
(FINAL. STATE (TL L) 
(NEXT.STATE (HD L) STATE)). 
Note that FINAL.STATE is recursively defined and may be thought of as simulating the state 
changes induced by each change in the wind. 
We can now state formally the two properties conjectured earlier. 
Theorem. VEHICLE. STAYS.WITHIN.3. OF. COURSE: 
(IMPLIES (AND (ARBITRARY. WIND LST) 
(EQUAL STATE 
(FINAL.STATE LST 
(STATE 0 0 0»» 
(AND (ZLESSEQP -3 (Y STATE) 
(ZLESSEQP (Y STATE) 3») 
This formula may be read as follows. If LST is an arbitrary wind history and STATE is the sta~e 
of the system after the vehicle has traveled through that wind starting from the initial state 
<0,0,0>, then the y-coordinate of STATE is between -3 and 3. Put another way, regardless of 
how the wind behaves, the vehicle is never farther than 3 from the x-axis. 
A formal statement of the second conjecture is: 
Theorem. VElIICLE. GETS. ON. COURSE. IN. STEADY. WIND: 
(IMPLIES (AND (ARBITRARY. WIND LSTl) 
(STEADY.WIND LST2) 
(ZGRFATEREQP (LENGTH LST2) 4) 
(EQUAL STATE 
(FINAL. STATE (APPEND LSTl LST2) 
(STATE 0 0 0»» 
(EQUAL (Y STATE) 0» 
The function STEADY.WIND recognizes sequences of D's. The function APPEND is defined to 
concatenate two sequences. The formula may be read as follows. Suppose LSTI is an arbitrary 
wind history. Suppose LST2 is a history of D's at least 4 sampling intervals long. Note that the 
concatenation of the two histories describes an arbitrary initial wind that eventually becomes 
constant for at least 4 sampling intervals. Let STATE be the state of the system after the vehicle 
has traveled through the concatenation of those two wind histories. Then the y-position of the 
vehicle in that final STATE is O. 
1.6 Proving the Conjectures 
The foregoing conjectures can be proved mathematically. Indeed, they have been proved by the 
mechanical theorem-prover described in [5]. The key to the proof is that the state space of the 
vehicle can be partitioned into a small finite number of classes. In particular, any state <w,y,v> 
reachable under the model starting from <0,0,0> can be put into one of the following classes 
according to y and w+v: 
527 
y y+v 
-3 1 
-2 1 or 2 
-1 2 or 3 
0 -1. 0 or 1 
1 -2 or -3 
2 -lor -2 
3 -1 
The automatic theorem-prover is incapable of discovering this fact for itself. Instead, the human 
user of the theorem-prover may suggest it by defining the function (GOOD.STATEP STATE) to 
return true or false according to whether STATE is in one of the 13 classes above, and then 
commanding the theorem-prover to prove the following key lemma: 
(IMPLIES (AND (GOOD. STATEP STATE) 
(OR (EQUAL DW -1) 
(EQUAL DW 0) 
(EQUAL DW +1») 
(GOOD.STATEP (NEXT.STATE OW STATE»). 
This theorem establishes that if the current state of the vehicle is one of the "good states" and 
the wind changes in an acceptable fashion then the next state is a good state. After proving this 
lemma (by considering the cases and using algebraic simplification) the theorem-prover can 
establish by induction on the number of sampling intervals that the final state of the vehicle is a 
good state. From that conclusion it is immediate that the y-position of the vehicle is within +3 of 
the x-axis. 
The proof of the second theorem is similar. The vehicle is in a good state after LSTI has been 
processed. But if the vehicle is in a good state and the wind remains steady for four sampling 
intervals, it is easy to show by cases and algebraic simplification that the vehicle returns to the 
x-axis with w+v=O. But in this case, it stays on the x-axis as long as w stays constant. 
1. 7 Comments on the Model 
We have proved that the simulated vehicle stays on course under each of the infinite number of 
different wind histories to which it might be subjected under the model. 
Just as the user of a square root or sorting subroutine must look at the specifications to 
determine whether the subroutine is suitable for his application, so too should the user of this 
control program. In particular, it is up to the user to determine whether the restrictions on the 
wind behavior and the model of the environment are sufficiently realistic for his application. 
Here are a few of the more obvious oversimplifications: 
• Real sensors sometimes give spurious readings due to vibration or other forms of 
disturbance. The program makes no allowance for such noise . 
• No consideration is given to motion or forces in the x- or z-directions. Furthermore, 
no consideration is given to the orientation of the vehicle with respect to its preferred 
direction of travel. 
528 
• The model of the physics of the vehicle is too simple. The use of discrete 
measurement is unsatisfying but perhaps justifiable under suitable assumptions about 
scale. But many physical aspects of real control situations have been ignored: inertia, 
reaction times of the actuators, response time of the vehicle, maximum permitted g-
forces. 
Allowance for noise in the sensors can be handled by existing program verification technology. 
For example, if one provides redundant sensors and employs a signal select algorithm based on 
software majority voting, DELTAV can be rewritten to use an algorithm such as that verified 
in [7] to comput.e the majority sensor reading (if any). The proof that the vehicle stays on course 
can then be carried over directly if one is willing to assume that at each sampling interval a 
majority of the sensors agree. 
However, the other two unrealistic aspects of our problem are more difficult to handle. While it 
is easy to define more sophisticated formal simulators it may well be practically impossible to 
prove interesting properties mechanically. Certainly the proof paradigm used here, depending as 
it did on the existence of a small partitioning of the state space, will not suffice for more 
sophisticated models. 
1.8 Conclusion 
We have illustrated how a formal simulator can be used to specify in a machine readable form the 
high level intention of a simple real time control program. We have also shown how such a 
program has been mechanically proved to satisfy its specifications. 
Simulation programs are used today to test a variety of applications programs. Among the 
applications that come to mind are real time control, scheduling, and page fault handling in 
operating systems. Such simulators suffer the inaccuracy introduced by finite precision 
arithmetic and resources and in addition offer only the testing of the applications program on a 
finite number of situations. 
Formal simulators are mathematical functions. They need not be realizable on machines and thus 
need not suffer resource limitations. In addition, formal simulators theoretically permit 
mechanical analysis of the behavior of the system in an infinite number of possible situations. 
529 
References 
[11 American National Standard Programming Language FORTRAN 
American National Standards Institute, Inc., 1430 Broadway, NY 10018, 1978. 
Tech. Rept. ANSI X3.9-1978. 
[2] Anderson, R. B. 
Proving Programs Correct. 
John Wiley & Sons, New York, NY, 1979. 
[3} Ballantyne, A. M. and Bledsoe, W.W. 
Automatic Proofs of Theorems in Analysis Using Non-Standard Techniques. 
Technical Report ATP-23, Dept. of Math., University of Texas at Austin, Jul, 1975. 
[41 Bledsoe, W.W. and Hines, L.M. 
Variable Elimination and Chaining in a Resolution-based Prover for Inequalities. 
In 'ltV. Bibel and R. Kowalski (editors), 5th Conference on Automated Deduction, pages 
70-87 . Springer-Verlag, 1980. 
[5] Boyer, R.S. and Moore, J S. 
A Computational Logic. 
Academic Press, New York, NY, 1979. 
[6} Boyer, R.S. and Moore, J S. 
A Verification Condition Generator for FORTRAN. 
In R.S. Boyer and J S. Moore (editors), The Correctness Problem in Computer Science, . 
Academic Press, London, 1981. 
[71 Boyer, R.S. and Moore J S. 
MJRTY - A Fast Majority Vote Algorithm. 
1981. 
SRI International. 
[8] Boyer, R.S. and Moore J S. 
The Mechanical Verification of a FORTRAN Square Root Program. 
SRI International. 
[9} Floyd, R. 
Assigning Meanings to Programs. 
In Mathematical Aspects of Computer Science, Proceedings of Symposia in Applied 
}.[athematics, pages 19-32. American Mathematical Society, Providence, RI, 1967. 
[101 King, J.C. 
A Program Verifier. 
PhD thesis, Carnegie-Mellon University, 1969. 
[11] Manna, z. 
Mathematical Theory of Computation. 
McGraw-Hili Book Company, New York, NY, 1974. 
[12} Moses. 
Algebraic Simplification: A Guide for the Perplexed. 
In 2nd Symposium on Symbolic and Algebraic Manipulation. ACM, 1971. 
530 
[13] United States of America Standards Institute. 
USA Standard FORTRAN. 
Technical Report USAS X3.9-1966, USA Standards Institute, 10 East 40th Street, New 
York, NY, 1966. 
531 

CHAPTER 21 
VERIFICATION OF HARDWARE LOGIC 
533 

Hierarchical Design and Verification for 
VLSI 
Robert E. Shostak 
W. David Elliott 
Karl N. Levitt 
Dramatic advances in LSI fabrication technology over the last few years have made it possible for 
the first time to bridge the gap between the high-level computer system architect and the 
integrated circuit designer. Standardized VLSI system design methodologies, for example, have 
permitted computer scientists with little or no previous hardware experience to map sophisticated 
computer architectures directly into silicon. Recognition of the vast potential of VLSI has already 
prompted researchers in diverse areas of computer science to apply their knowledge and ideas to 
this filed. The development of structured design disciplines such as the self-timed system (Muller 
[7J, Seitz [12]) and synchronous system concepts is already well under way. The same holds oC 
investigations into ways of exploiting the high levels of concurrency that VLSI makes possible 
(Foster, Kung [5]). Tools and methodologies that at one time fell exclusively within the province 
of software engineering are quickly making an impact in VLSI design. Powerful interactive layout 
systems such as those under development at MIT, Xerox, Cal Tech, and Stanford are exploiting 
the graphics, editing, and compiler technology that could once be found only in the context of 
programming environments. 
As this trend cont inues, and as further advances in fabrication technology permit circuits oC 
greater size and complexity, the problems oC design cost and reliability attendant to large systems 
of any kind will become increasingly pressing. For several years, the Computer Science 
Laboratory at SRI has been concerned with solutions to these problems Crom the standpoint oC 
large and/or critical software systems. We believe that the fruits of this work can be extended 
and applied to VLSI. 
Our approach is predicated upon two key, mutually-reinCorcing concepts: hierarchical design and 
Cormal verification. 
The hierarchical design methodologies we have developed enable a system architect or design 
team to decompose a complex design into a formal hierarchy of levels oC abstraction. The PSOS 
(Provably Secure) Operating System (Neumann, et al. [8]), for example, is specified using our 
methodology as a hierarchy in which successively lower levels of abstraction represent virtual 
machines that manage system resources successively closer to the hardware base. One could 
similarly decompose the design of a microprocessor, for instance, into a hierarchy of levels 
corresponding, say, to the user interface (top level), the register transfer level, the gate level, and 
the semiconductor level. Naturally, hardware designers have been thinking in terms of such levels 
of abstraction all along. The point of the design methodology is to formalize this process so that 
the various levels and their relationships to one another are specified ina clear, precise, and 
535 
uniform way. The result is a design that is more readily understood, more easily modified, and 
much more likely to be reliable. 
Formal hierarchical design also lends itself to a second key process: verification. What we mean 
by verification is the formal proof, in a mathematical sense, that a design meets its behavioral 
specifications. Verification differs from testing in the following important sense: whereas testing 
demonstrates proper operation of a design for a set of sample inputs, formal verification proves 
the correctness of the design over the range of all possible inputs. Although verification is 
generally a time-consuming process requiring the expertise of skilled individuals, its cost is easily 
justified were reliability is a critical requirement--and especially where thorough testing is 
difficult, as is often the case for VLSI designs. The techniques used for formal verification are 
useful even where the proof process is not carried to completion, because they force the designer 
both to specify and to understand his design clearly and precisely. 
The Computer Science Laboratory is known for its state-of-the-art posture with respect to 
hierarchical design and formal verification. We propose the transfer of this expertise to the VLSI 
domain in the form of an experimental set of design and verification tools. We envision the 
eventual incorporation of such tools within the kinds of VLSI design environments that are 
currently under development elsewhere in the research community. 
The following sections of this document describe our specification and verification work in greater 
detail, and discuss some of the problems and issues to be resolved in their application to VLSI 
systems. 
The Hierarchical Design Methodology (HDM) 
As we noted in the last section, SRI's hierarchical design approach factors the design of a system 
into a partially-ordered hierarchy of levels of abstraction. Each level is again decomposed into a 
set of modules. In the software development context, each module usually represents and 
abstract virtual "machine" with its own abstract state an a set of operations that can modify the 
state. The same would be true of modules at the highter hierarchical levels of a VLSI design. At 
the lower levels, modules would correspond to cells--PLAs, shifters, random logic, and so on. 
The specification of a module always has two components: a description of its structure, and a 
characterization of its function. At higher levels in the hierarchy, structure is represented as a 
collection of abstract data structures and operations on these structures. Functional behavior is 
specified by characterizing the effects of each operation in anon-procedural way. 
Figure 1, for example, shows a formal specification of a simple associative memory module. The 
associative memory maintains a correspondence between keys (represented by integers) and values 
(represented by items of type valid-entry-value). The single data structure of the module is the 
VFUN assoc ("VFUN", "OFUN", and OVFUN" are keywords that indicate structures, 
operations, and value-returning operations, respectively.) The three operations on the structure 
are read, write, and clear. The read function retrieves from assoc the value corresponding to a 
given key; the write function causes a given value to be associated with a given key, and the clear 
function disassociates all keys from their values. 
536 
It is important to note that the effects of each operation are specified completely non-
procedurally: they describe what happens, but not how. 
At the lower levels of a VLSI design, modules would describe cells, and at still lower levels, 
individual devices. Figure 2 for example, gives a simple specification of a VLSI barrel shifter. 
The lowest level of an NMOS design might contain modules explicitly describing the geometry of 
the poly, diffusion, and metal layers. 
Once the various levels of a design have been identified and the modules at each level have been 
defined, the designer must "sew" the various levels together. More specifically, he must show 
how each level of abstraction is implemented in terms of the levels beneath it in the hierarchy. 
This is done by giving, for each module, a formal mapping from the structures of that module to 
the structures of modules at lower levels. Similarly, the operations of each module are mapped to 
operations on the corresponding structures in the implementing modules. 
Figure 3 illustrates the idea with the implementation of the barrel shifter using arrays of FETS 
and buses. Note that the implementation formally specifies the connections among the devices of 
the implementation. 
A key aspect of the hierarchical design methodology is the specification language used. The value 
of specification languages for hardware design has, of course, long been established. Literally 
dozens of hardware design languages (HDLS) have been developed over the last decade for 
applications ranging from documentation to simulation. None of them, however, are well suited 
for hierarchical design. 
The deficiencies fall into anumber of categories. First, existing HDLs are adequate only for one or 
two levels of description. ISP, for example, lends itself well to description at the level of register 
transfer, but is less well suited to for description at the gate level, and totally inadequate for the 
topological level of specification required by VLSI design. VLSI layout description languages, of 
course, such as the Caltech intermediate Form, are well suited for describing graphic items (mask 
features) but are not at all appropriate for higher-level description. Among the most important 
benefits of hierarchical design is uniformity of expression from the highest to the lowest levels of 
design. In order to make this possible, the specification language must have the flexibility to be 
useful across levels. 
While it is presently unrealistic to expect a single description language to handle layout 
specifications and high-level architectural features with equal ease, we feel that a single 
specification language can be used to span most of the distance between these levels. The keys to 
the needed flexibility are extensibility and abstraction. These capabilities are almost universally 
absent from existing HDLs. Owing to the lack of adequate abstraction facilities, the hardware 
designer cannot specify the intended function of a design independently from its implementation. 
The ability to separate specification from implementation lies at the very heart of the hierarchical 
design philosophy. Without adequate extension features, moreover, the designer lacks the power 
of expression needed to define new constructs. 
Another deficiency of existing HDLs is their primitive capabilities for describing timing properties, 
even though timing permeates many aspects of hardware design. The designer must ensure that 
537 
MODULE AssocMemory 
$( This simple associative memory maintains a 
correspondence between keys and values. Entries are 
stored using "write" and retrieved using "read" with 
respect to a key. The use of parameters allows the 
specification to handle memory overflow.) 
TYPES 
valid_entry_value: { INTEGER i i >= 0 AND i < field size }; 
PARAMETERS 
INTEGER field size; 
INTEGER max_entries; 
FUNCTIONS 
VFUN assoc(INTEGER key) -> valid_entry_value v; 
HIDDEN; 
INITIALLY 
v = ?; 
OVFUN read(valid_entry value key) -> valid_entry_value v; 
EXCEPTIONS 
no entry: assoc(key) = ?; 
EFFECTS 
v = assoc( key) ; 
OFUN write(valid entry value key. v); 
EXCEPTIONS - -
overflow: assoc(key) = 1 
AND CARDINALITY({ INTEGER i 
>= max_entries; 
EFFECTS 
FORALL INTEGER i: 
assoc(i) -= 1 }) 
'assoc(i) =(IF i = key THEN v ELSE assoc(i»; 
OFUN clear(); 
EFFECTS 
FOR ALL INTEGER i: 'assoc(i) = 1; 
END MODULE 
Figure 1: Specification of an Associative Memory 
538 
MODULE BarrelShifter 
$( This barrel shifter cell rotates input signal bus inbus 
right by a number of positions specificied by the control 
bus controlbus and outputs to output bus outbus. 
For proper operation, exactly one control bus input must 
be high; the jth line is brought high to cause a rotate 
of j position. )$ 
PARAMETERS 
INTEGER n ;bus width 
INPUTS/OUTPUTS 
INPUT inbus ARRAY(O:n-1) OF SIGNAL-SOURCE 
INPUT controlbus ARRAY(O:n-1) OF SIGNAL-SOURCE 
OUTPUT outbus ARRAY(O:n-1) OF SIGNAL-OUTPUT 
I/O-EXCEPTIONS 
NOT THEREEXISTS INTEGER i 0 <= i <= n-1 SUCH THAT 
controlbus(i) = HIGH AND 
FORALL INTEGER j 0 <= j <= n-1 
j NOTE QUAL i IMPLIES controlbus(j) = LOW 
EFFECTS 
FORALL INTEGER i 0 <= i <= n-1 
controlbus(i) = HIGH IMPLIES 
FOR ALL INTEGER j 0 <= j <= n-1 
inbus(j) = outbus (MOD(n,j+i» 
Figure 2. Barrel Shifter Specification 
539 
IMPLEMENTATION-OF-MODULE BarrelShifter 
$(Implementation specification of barrel shifter module 
by means of an array of mosfets (See Mead and Conway[ 22], 
p. 159» 
STRUCTURES 
fet-array ARRAY(0:n-1, 0:n-1) OF mosfet 
vertical-bus ARRAY(0:n-1) OF bus 
diagonal-bus ARRAY(0:2n-2)OF bus 
CONNECTIONS 
FORALL INTEGER i 0 <= i <= n-1 CONNECTED(inbus(i),vertical-bus(i» 
FORALL INTEGER i,j 0 <= i,j <= n-1 
CONNECTED(vertical-bus(i),fet-array(i,j).source) 
FORALL INTEGER i,j 0 <= i,j <= n-1 
CONNECTED(outbus(j),fet-array(i,j).drain) 
FORALL INTEGER j 0 <= j <= n-1 
CONNECTED(controlbus(j),fet-array(O,j).gate) 
FORALL INTEGER k 0 <= k <= 2(n-1) ;counts diagonals 
FORALL INTEGER i,j 0 <= i,j <= n-1 
k = i+(n-1)-j IMPLIES 
CONNECTED(diagonal-bus(k),fet.array(i,j).gate) 
FORALL INTEGER k 0 <= k <= n-2 
CONNECTED(Fet-array(n-1,j).gate, control-bus(j+1» 
Figure 3. Implementation of Barrel Shifter Using Mosfet Gate Logic 
540 
a system meets its functional specifications without timing problems such as critical hazards and 
oscillations. He must therefore be able to express time-related phenomena in a natural way. 
The SPECIAL specification language (Robinson, et al. [10]) we have used in connection with our 
hierarchical software development methodology provides a starting point for the development of a 
suitable VLSI description language. Its abstraction and extension capabilities were specifically 
developed for the purpose of supporting hierarchical design. A great deal more work needs to be 
done, however, to provide the kind of capabilities necessary to support a useful VLSI design 
facility. 
Verification 
For the last several years SRI has been studying program verification as a means of reducing the 
possibility of errors in programs. \Ve have found that the reliability of programs that have been 
proved correct using mechanical tools far surpasses that of programs that have been "debugged" 
using conventional hit-or-miss techniques such as testing. By "correct", we mean that whenever 
a proven program is invoked on input data satisfying some precise mathematical specification, 
that program produces output data that satisfies some other precise mathematical description. 
By "using mechanical tools" we mean that the proof of correctness is checked by computer. 
SRI's work in this area has resulted in a number of program verification environments, including 
systems for proving FORTRAN (Boyer, Moore [2]) and JOVIAL (Elspas et al. [3]) programs, as 
well as a system for proving the correctness of designs specified using our hierarchical 
development methodology (Robinson [10)). 
The benefits to be gained by bringing verification methods to VLSI design are substantial. The 
transfer of this technology would not only make possible a degree of reliability not previously 
enjoyed by hardware designs, but could also decrease the number of costly iterations needed to 
finalize a design. We believe that these benefits can be achieved by modifying and extending 
existing methods for verifying programs. 
The various techniques for verifying sequential (Floyd [4]) and concurrent (Owicki [9], lamport 
[6]) programs all fundamentally depend on the method of loop invariants that was popularized 
by R. Floyd. The method of loop invariants entails the association of a mathematical formula, or 
assertion, with certain strategic points in a program. Each assertion characterizes a relationship 
among the variables of the program that must hold true whenever the point in the program with 
which the assertion is associated is reached. The input assertion associated with the program's 
entry point specifies properties that input data are assumed to satisfy. (In the case of a real 
square root program, for example, the input assertion might require the input datum to be non-
negative.) The output assertion specifies the relation that the program outputs should bear to 
the inputs. Finally, a number of intermediate assertions, called loop assertions, are used to 
capture the relationship among variables at intermediate points of program execution. These 
assertions are said to be invariants because they must hold whenever program flow reaches the 
points with which they are associated. 
The verification process is concerned with showing that if the program is invoked with inputs 
satisfying the input assertion, the resulting outputs must satisfy the output assertion. The 
541 
process involves three steps, the first two of which can be carried out automatically, and the third 
of which at least semi-automatically. 
The first step is to dissect the program into a set of straight-line paths each of which begins and 
terminates at an assertion point. The paths collectively account for all possible flows of control 
from one assertion point to another. The second step entails the development, for each path, of a 
mathematical formula called a verification condition. The verification condition for a given path 
is logically valid if and only if the truth of the assertion at the head of the path prior to the 
path's execution suffices to guarantee the truth of the assertion at the end of the path 
immediately after its execution. The third, and most difficult step in the process is the 
mathematical proof of the validity of each verification condition. This step is carried out either 
automatically or semi-automatically using a mechanical theorem-prover. 
Our proposed approach to the verification of hardware behavior depends upon the adaptation of 
the assertional method just described to circuit graphs. As one might expect, the proposed 
method also entails annotation of the circuit to be verified with assertions. Unlike program 
invariants, however, the assertions characterize the signals with which they are associated as a 
function of time. The input and output assertions, taken together, thus define the transfer 
predicate of the circuit. The transfer predicate at once characterizes the functional and timing 
behavior of the circuit. 
As we have said, the first step in the program verification process after assertion placement is 
path generation. The adaptation of this process to circuit verification is complicated by the fact 
that individual circuit elements may, unlike program elements, possess more than one input port. 
It therefore becomes necessary to develop trees rather than simple paths. 
The next step after tree formation is the generation from the trees of the verification conditions 
themselves. The approach taken here is similar in spirit to the corresponding step in program 
verification but requires modeling of the semantics of circuit elements rather than program 
statements. In the hierarchical design context, the "circuit elements" may in fact be complex 
aggregates whose semantics are specified by the user as part of the design at a given level. 
The last step is once again that of proving the verification conditions using a mechanical theorem-
prover. The theorem-prover must be capable of treating the kinds of constructs that occur in the 
verification conditions; these are likely to involve quantifiers and real variables that represent 
time. 
The appendix exemplifies the entire process with an outline of the proof of correctness of a simple 
but nontrivial circuit for comparing the frequencies of two a.~ynchronous spare waves. 
While the example focuses on sequential circuits, the underlying assertional method is applicable 
at all levels of a hierarchical design, from the user interface all the way down to the layout. 
What differs from level to level is the semantics of the primitive constructs, and the nature of the 
properties that must be established. One level of abstraction, for example, may be concerned 
with signaling among a set of self-timed (Seitz (12)) elements. The specification of semantics at 
this level might entail the use of a sequence logic, or perhaps temporal logic (Schwartz, Melliar-
Smith (11)). At lower levels of abstraction, paradigms able to express quasi-analog behavior are 
appropriate. 
542 
In some cases, specialized techniques developed for handling certain kinds of programs may be 
directly applicable. The communication among components in speed-independent circuits, for 
example, is similar to that occurring in communication networks, wherein nodes send and receive 
messages according to well-defined handshaking protocols. In other cases, such as the 
specification of timing properties, rather little existing program verification knowledge can be 
borrowed, but classical engineering techniques can be formalized and incorporated. In the case of 
synchronous circuits, for example, one must show that the delay in signal transmission through 
the combinatorial part of circuit is less than the clock period. Traditionally, circuit designers 
have determined whether timing problems can occur through the use of race detection algorithms 
or simply by computing delays along worst-case communication paths. We believe that this kind 
of analysis can easily be mechanized. 
As we mentioned earlier, the most difficult stage in the verification process is the automatic or 
semi-automatic proof of the verification conditions. SRI has developed a number of powerful 
mechanical theorem provers in connection with program verification. The Boyer-Moore prover 
(Boyer, Moore [1]), with its sophisticated induction facilities, is capable of proving verification 
conditions arising from extremely complex designs. A more recent theorem-prover (Shostak [13]) 
based on fast decision procedures is optimized for formulas involving real variable, and will soon 
have quantificational capabilities. This combination of abilities is particularly well suited for 
verification conditions that are likely to arise from hardware designs. In any case, a great deal 
more invest.igation of the theorem-proving aspects of the verification process will be necessary to 
apply this technique to its full potential. 
543 
[I] Boyer, R.S. and Moore, J S. 
A Computational Logic. 
Academic Press, New York, 1979. 
[2] Boyer, R.S. and Moore J S. 
A Fast Majority Vote Algorithm. 
1981. 
References 
ARI International, Computer Science Laboratory. 
[3] Elspas, B. et at. 
A JOVIAL Verifier. 
Interim, SRI International, Jul, 1978. 
[4] Floyd, R.W. 
Assigning Meanings to Programs. 
In Mathematical Aspects of Computer Science, Proceedings of the Symposium of 
Applied Mathematics, pages 19-32. American Mathematical Society, Providence, 
Rhode Island, 1967. 
Vol. 19. 
[5] Foster, M.J. and Kung, H.T. 
Design on Special-Purpose VLSI Chips: Example and Opinions. 
Computer Science Research Review 8(35), 1979. 
Carnegie-Mellon University. 
[61 Lamport, L. 
Proving the Correctness of Multiprocess Programs. 
IEEE Transactions on Software Engineering SE-3(2):125-143, Mar, 1977. 
[7] Muller, D.E. 
Asynchronous Logics and Application to Information Processing. 
In Switching Theory in Space Technology,. Stanford University Press, 1963. 
[8] Neumann, P. G., et al. 
A Provably Secure Operating System: The System, Its Applications, and Proof. 
Technical Report, SRI International, May, 1980. 
[9] Owicki, S.S. 
Axiomatic Proof Techniques for Parallel Programs. 
PhD thesis, Cornell University, Aug, 1975. 
[10] Robinson, L. 
The HDM Handbook, Volumes I-III. 
Technical Report, SRI International, Jun, 1979. 
[11] Schwartz, R.L. and Melliar-Smith, P.M. 
Temporal Logic Specification of Distributed Systems. 
In Proceedings of the Second International Conference on Distributed Systems, pages 
1981. IEEE, Paris, France, 1981. 
544 
[12J Seitz, C.L. 
System Timing. 
In Introduction to VLSI Systems, chapter 7. Addison Wesley, 1980. 
[13J Shostak, R.E. 
A Fast Simplirier ror Quantifier-Free Logic. 
Paper in progress. 
545 
APPENDIX: PROOF OF CORRECTNESS OF A FREQUENCY COMPARATOR 
This appendix demonstrates the feasibility of applying software verification techniques to digital 
circuitry. A nontrivial circuit for comparing the frequencies of two asynchronous squarewav~s is 
proved correct using an adaptation of Floyd's method of program verification. 
Circuit Description 
The frequency comparator shown in Figure 1, compares two squarewaves with frequencies K and 
K'. The circuit consists of two five-nip-flop ring counters, the outputs of which are fed through a 
combinatorial network to a latching circuit. (Although the circuit elements could be realized in a 
variety of technologies, TTL has been chosen so we can specify the function of each device 
unambiguously. The flip-flops, in particular, are assumed to be D-type; data is clocked in only on 
the rising edge of a clock input.) At time t=O, ring flops F 0 and F 0 are assumed to be set, and 
all other flops are assumed to be reset. As time proceeds, the two input squarewaves clock their 
corresponding ring counters, causing each" I" to race around its ring. As soon as one of the two 
l's attains a two-flop lead over the other (modulo 5), the output of one of the AND gates in the 
combinatorial network rises, clocking either output latch F OUT or F'OUT' If, for example, input 
K has higher frequency than input K', the nonprimed ring counter will win the race, causing 
F OUT to be clocked high. The D inputs of the two output flops are cross-coupled so that the 
first flop clocked will remain set indefinitely, locking the other one out. 
Note that the comparator produces an output only if the two inputs are of unequal frequency. 
The time required to produce a result, moreover, varies depending on the phasing and frequency 
of the inputs. Note also that the correctness of the circuit is not at all trivial; a four element 
ring, for example, would not work. 
Method of Proof 
Our approach to proving this property adapts Floyd's method for program verification, also 
known as the method of loop invariants. The basic idea is to associate an assertion with each 
input and output of the circuit and at certain internal points. Each assertion is a predicate that 
characterizes the signal at that point as a function of time. Input assertions specify assumptions 
about circuit inputs, while output assertions specify the intended behavior of the outputs. 
Internal assertions that facilitate the proof are placed so that each feedback loop in the circuit is 
cut. Assertion point Ao in Figure 1, for example, cuts the loop formed by the top ring counter. 
Assertion point C cuts the cross-coupling loop formed by F OUT and F'OUT' For convenience of 
proof, additional assertions are associated with certain other strategic points in the circuit to be 
verified (such as point B in the Figure 1). 
The proof process proceeds in much the same way as for programs. As we shall see, however, 
verification conditions are developed from trees embedded in the circuit graph rather than merely 
from paths. The verification conditions can then be proved. Our proof here is manual, although 
we believe that the proofs will be mechanized. 
Assertions 
546 
o 
K c 
..IlfL 
I 
---
0 
K' r C JUl. 
I' 
O2 
0' 0 
Cl:J 
0' ,
0 4 
0' 2 
0 0 
a; 
0, 
oGo 
FO 
7474 
0' o 0 
F' 0 
A' 
10 0 
r C 
o 
0, 
0' 
o ' 
F' 1 
0' 2 
00 
0, 
o o~ o oCl:J 
a; 0' 
0 0 0 0 3 
F' 2 F' 3 
r C r C 
B 
FIGURE 1 SCHEMATIC OF FREQUENCY COMPARATOR 
547 
0' 
0 O~ 
F' 4 
C 
0 OUT 0 
FOUT 
C 
ouT' 
NOTE: All flops 7474 
It is notation ally convenient to introduce two special types of assertions: a rising edge predicate 
Rt that is true for those times t when a rising edge occurs, and a level predicate Lt giving the 
logic level (true or false) of a given signal at time t. Rise and fall times will be assumed to be 
negligible in our model, so that rising edges can be specified to occur at points rather than 
intervals of time. Note that since level predicates completely characterize a signal, a level 
predicate for a given signal provides all the information that a rising edge predicate would. As in 
program verification, however, assertions need (and sometimes must) only capture incomplete 
information about the point in the program or circuit with which they are associated. 
The assertions associated with the assertion points indicated in Figure 1 are listed in Table 1. 
Since the circuit is completely symmetrical with respect to its primed and non primed elements, 
the table lists only those assertions associated with the nonprimed signals; the others are duals. 
As the ring counters in the example are sensitive only to rising edges at their clock inputs, the 
input assertions I and I' are rising edge assertions. The rising edges of the inputs are determined 
completely by their periods (P,P') and phases (~,W). The phase gives the time of the first rising 
edge after t=O. The rising edges of input K thus occur at t=~, ~+P, ~+2P, etc. The rising edge 
predicate Rt for K can therefore be written 
Rt ;:: [t]p = ~ 
where [t]p (read lit mod PII) denotes the smallest non-negative quantity that differs from t by an 
integral multiple of P. 
The output assertion D is formed using a level predicate. It states that if K is of higher frequency 
than K' (i.e., P < P') then at the same time u smaller than 
2PP' + P'~ - P~' 
---- --------T = P'- P 
the F OUT output will rise and remain high indefinitely. D also states that if P' < P, F OUT will 
remain low for all time t > o. 
The loop assertion AO associated with the Q output of FO captures the ring behavior. It is a level 
predicate that asserts that QO will be high every five pulses of the input clock K. 
Loop assertion C associated with the Q output of F OUT is understood merely by noting that this 
output must be complementary to the Q output. 
Assertion B is neither an input nor output assertion, nor does it cut any loop in the circuit. It is 
not strictly required by the proof methodology, but has been included to abstract the circuit 
behavior at the point at which it occurs and hence to simplify proof of the verification conditions. 
The assertion states that if P < pI, the OR-gate output will rise by t=r, but will remain low up 
until t=r otherwise. 
In addition to input, output, and loop assertions, it is necessary to provide an assertion at each 
point in the circuit for which an initial state (state at t=O) must be specified. Initial state 
548 
D: (P< pI ~ 3u (0 ~ u ~ I) Lt :. t ~ u) 
A (P ~ P I ~ \I t ~ 0 .., Lt ) 
C : (P < P I ~ \I t ~ 1 .., Lt ) 
B: (p<pI) ~ 3u (0 ~ u ~/) \It 0 < t < u R(t) :. t=u 
A (P ~ P I ~ \I t 0 ~ t ~ 1 I .., Lt 
where 1 = 2PP' + pI~ - p~I 
--- pI- p-
TABLE 1. ASSERTIONS FOR EXAMPLE 
549 
information is most frequently necessary at the outputs of devices such as flip-flops and counters 
that have explicit storage. Owing to the presence of loops, however, state may exist implicitly "at 
arbitrary points in the circuit. 
In our example, however, initial state information is necessary only for the outputs of the flip-
flops. Flops F 0 and F OUT (and their primed counterparts) already have assertions that specify 
t=O behavior, so only the outputs of F 1 through F 4 need to be annotated. The appropriate 
asserts (Ai' i=l to 4) are shown in Table 1. Note that these assertions are analogues to AO. 
Verification Condition Generation and Proof 
The first step in verification condition generation for programs is path analysis, which involves 
unfolding the flow chart of the program into straight-line paths between assertions. The paths 
account for all possible flows of control from one assertion point to another (possibly the same) 
assertion point. The adaptation of the method to circuit verification is somewhat more 
complicated, since individual circuit elements may, unlike program elements, possess more than 
one input port. It therefore becomes necessary to develop ~ rather than simple paths. A tree 
is constructed for each assertion point P other than input assertion points. The tree is rooted at 
P and is developed by tracing backwards from P through the circuit graph, splitting whenever a 
circuit element has more than one input, and terminating whenever another assertion point 
(possibly P) is encountered. (Our model assumes that devices whose outputs are wire-or'ed 
together be considered as a single device.) 
The tree corresponding to assertion point AO' for example, is shown in Figure 2. Note that the 
only non-trivial trees generated for our example are those for Band B'. 
I 
Figure 2. Graph for AO 
The next step after tree formation is the generation of the verification conditions themselves. 
Generation is carried out by a symbolic evaluation process beginning with the assertions at the 
leaves of each tree and proceeding forward toward the root. Each node is processed only after all 
of the nodes below it have been processed. Processing consists of the application of a Hoare-like 
rule or some other characterization of the transfer function of the processed node element to 
produce a post-condition assertion. The verification condition yielded by the tree consists of the 
implication whose hypothesis is the assertion resulting from the symbolic evaluation, and whose 
conclusion is the root assertion. 
The question of exactly how the semantics of each circuit element are encoded is a difficult one 
550 
and should be a subject of investigation. For our example, however, it is easy to verify by 
inspection and informal reasoning that the verification conditions arising from all assertion points 
other than B (and B') will be trivial, given any reasonable formal model of the D flip-flop. We 
will therefore confine ourselves, for the remainder of this discussion, to the verification condition 
for n. 
In as much as the only circuit elements in the tree for B are logic gates, the verification condition 
itself is easily generated: 
The proof of VB is more difficult, and requires some lemmas. We first introduce a useful 
definition: 
Defn. Let C(t) = 
t-0 
LPJ 
Intuit.ivelv. e(t) counts the number of rising edges (beginning at t=O) of input waveform K. 
Lemma 1 P < P' ~ T > 0 
Pf. T can be written. T= 
2+0 - 0' 
P pt 
1 - 1 
-p p' 
Since P, P', ~, Ware all non-negative and since ~<P', the numerator is positive. Then since P < 
P' implies that the denominator is positive, r>O. 
Lemma 2. C(T) = C' (T) + 2 
Pf. Straightforward from the defn. of r 
Lemma 1 P > P' ~ V t 0 ~ t < T' C ( t) < C' ( t) + 1 
Pf. also follows from the defn of r. 
Lemmas 2 and 3 immediately give rise to the following corollaries: 
551 
Corollary ~. [C(T) - c' (T)]5 = 2 
Corollary.2.. P > P' ~ 'It 0 < t < T' 
[C'(t) - C(t)]5~ = 2 
The proof of VB requires one other lemma: 
Lemma 6. For 0 < i < 4, Ai can be written 
Pf. We must show that 
~ - (1-i)P < [t]Sp < 0 + iP iff 
t-~ 
[L-P-J]5 = [1-1]5· 
The left hand expression is true iff 3 an integer k s.t. 
552 
o - (1-1)P < t-5Pk < 13 + 1P 
~ 5k+1-1 < t-13 < 1 + 5k 
P 
~ L t-13 J = 5k+1-1 
P 
~ [L t-13 J ]5 = [1-1]5 
P 
[C(t)]5 = [1-1 ]5 
Q.E.D. 
Now, it follows from Lemma 6 and Corollary 4 that the hypothesis H of VB implies P < p' -+L
T
• 
Then from Lemma 1, and from the fact that H -+ ..., LO' we have 
H ~ [ P < P' ~ 3u 0 < u < T Ru] 
Also, from Corollary 5 and Lemma 6 we have that 
H ~ [P ~ P' :::) \:I t 0 < t < T' ., Lt ] 
H thus implies B, completing the proof. 
553 

CHAPTER 22 
THE BOYER-MOORE THEOREM PROVER AND ITS APPLICATION TO 
PROGRAM VERIFICATION 
555 

Three Lectures on Theorem-Proving and 
Program Verification 
J Strother Moore 
1.1 History 
How does one prove theorems! How can we build a machine to prove theorems! 
Because mechanical theorem-proving has its roots in mathematics, and because mathematicians 
and philosophers have long asked the questions above, it is difficult to put a date on when 
mechanical theorem-proving was born. For example, the idea of mechanical proof, in the sense 
that we think of it today, would not have surprised Leibniz (1646-1716) who, on the one hand 
perfected and presented to the Royal Society, London, a mechanical binary adder (also capable of 
multiplication, division and square root computations) and on the other hand believed that all 
reasoning (moral and otherwise) could be reduced to an "algebra of thought." 
The early 20th century saw the development of formal axiomatic systems characterized by a set 
of "well-formed formulae," a set of "axioms" and a set of "inference rules" with which one may 
deduce "theorems" from the axioms and previously deduced theorems. A "proof" of some 
formula p is just a finite sequence of formulae, the last of which is p and each of which is either 
an axiom or is derived from the preceding formulae by a rule of inference. 
For example, here is a proof of the formula (-A v A) in the logic of Russell and Whitehead from 
Principia Mathematica. 
Proof of (-A v A). 
1. (Q -> R) -> ((P v Q) -> (P v R)) Axiom 4 
2. (Q -> A) -> ((-A v Q) -> (-A v A)) Subst into 1 
3. (Q -> A) -> ((A -> Q) -> (-A v A)) Def of "->" 
4. ((A v A) -> A) -> ((A -> (A v A)) -> (-A v A)) Subst into 3 
5. (P v P) -> P Axiom 1 
6. (A v A) -> A Subst into 5 
7. (A -> (A v A)) -> (-A v A) M.P. 4 and 6 
8. Q -> (P v Q) Axiom 2 
9. A -> (A v A) Subst into 8 
557 
1O.(-A v A) M.P. 7 and 9 
It is easy to determine whether a sequence of formulae is a proof; theorem-proving is the art of 
discovering a proof -- if any -- for a given formulae. 
The 1920's and 1930's saw the careful study of formal axiomatic systems, primarily to clarify the 
then extensive debates between the various schools of thought on how the newly uncovered 
paradoxes in the foundations of mathematics might be remedied. Hilbert proposed to formalize 
classical mathematics (e.g., arithmetic) in logic and undertake the proof of its consistency via 
constructive means. Starting in the 1920's, this program was undertaken by Hilbert, Ackermann, 
von Neumann, Herbrand and others. Among the interesting results proved by this school was 
Herbrand's Theorem (1930), which is a constructive version of a theorem proved earlier by 
Skolem [30] that,suggests a mechanical means for finding a proof when it exists. 
In 1931, Goedel showed that there exist formal sentences of arithmetic that are true (in the 
intended interpretation) but unproveable. Furthermore, he showed that if arithmetic is 
consistent then its consistency cannot be proved in arithmetic. In a certain sense, this 
undermined Hilbert's program. However, thanks in large part to Hilbert and his school, the 
formal study of formal proofs had been born. 
During this same period, Church, Turing, and Goedel (the latter following a suggestion by 
Herbrand) developed what turned out to be the equivalent notions of lambda-definable, Turing 
computable, and general recursive functions. These developments led, in 1936 and 1937, to the 
demonstrations that there were no decision procedures for arithmetic or first order predicate 
calculus. It is perhaps ironic that the concepts that eliminated the hope that perfect theorem-
provers could be built simultaneously formed part of the theoretical foundations for the 
development of the device that makes imperfect theorem-provers realizable and perhaps practical. 
The first heuristic mechanical theorem-prover physically realized was the Logic Theory Machine, 
programmed in the mid-50's by Newell, Shaw, and Simon. The Logic Theory Machine 
constructed proofs in the propositional calculus using the axioms and rules of inference of 
Principia Mathematica. A succinct description of the Logic Theory Machine and its capabilities is 
provided in Computers and Thought [11]. 
The Logic Theory Machine attacked its problems in much the same way a human might attack 
them, when limited to the axioms, rules of inference and previously proved theorems of Principia 
Mathematica. The program contained four "methods" or "heuristics" for decomposing the given 
problem into "simpler" subproblems (e.g., instances of the axioms). An executive routine selected 
the methods to be tried and the subproblems to be worked on. 
It should be observed that the authors of this early program were not so much concerned with 
answering the question "Is this propositional formula a theorem!" as they were with the question 
"How does one go about solving hard problems!" Judged solely by its ability to answer the . 
former quest.ion, the Logic Theory Machine was not impressive. It was able to prove only 38 of 
the 52 propositional theorems in Chapter 2 of Principia. By contrast, Wang's algorithm [32], 
published in January, 1960 and based on the "semantic" idea of attempting to construct an 
assignment for falsifying a formula, was able to announce the validity of all of the propositional 
theorems in Principia. 
558 
But the Logic Theory Machine was a significant contribution to the infant field of "artificial 
intelligence" and was the first program to confront the hard problem that is unavoidable in the 
nonpropositional case: how does one choose which of many alternatives to pursue! The Logic 
Theory Machine inspired several other early AI programs, notably Gelernter's Geometry Theorem 
Proving Machine and Slagle's Symbolic Automatic Integrator for elementary calculus problems. 
(Both Gelernter's and Slagle's programs are landmarks of AI and mechauical theorem-proving 
and are described in Computers and Thought, [11]. 
However, many researchers were more interested in the "ends" than the "means" and launched a 
no-holds barred attack on the problem of building a program to determine if a propositional 
formula, and more generally, a first order formula, was a theorem or, equivalently (thanks to 
Goedel), valid. 
In the early years -- the late 50's and early 60's -- the field was dominated by logicians who 
pursued quite different approaches to the theorem-proving problem. Among the early researchers 
were Wang, Gilmore, Davis and Putnam, and Prawitz. 
Then, in 1965, J. A. Robinson published the paper "A Machine-Oriented Logic Based on the 
Resolution Principle" [26]. The resolution principle's simplicity and elegance made it a very 
attractive mechanism. 
Suppose we wished to prove the following theorem of first order predicate calculus: 
[A X A Y P(X,Y) -> Q(Y) 
& 
A X E Y P(X,Y) 
& 
A X Q(X) -> Q( G(X))] 
-> 
E X Q( G( G(X))) 
To apply resolution we actually work on the negation of the problem and attempt to derive a 
contradiction. The negation of the formula above is that the first three hypotheses are true and 
the co?-c1usion is false. Then we put the conjecture into conjunctive normal form, using Skolem 
functions to eliminate the existential quantifiers. The result is the following conjunction of 
disjunctions: 
-P(X,Y) v Q(Y) 
& 
P(Z,F(Z)) 
559 
& 
-Q(U) v Q(G(U)) 
& 
-Q( G( G(V))) 
Finally, Robinson writes this as a set of clauses. A clause is set of literals, each literal being an 
atom or negated atom. 
{-P(X,Y) Q(Y)} 
{P(Z,F(Z))} 
{-Q(U) Q(G(U))} 
{-Q(G(G(V)))} 
Having distilled the problem down to this simple but universal notation we can now apply the 
"resolution principle": Consider any two clauses in the set, rename their variables so they have 
no variable in common, and then consider each literal of one clause against each literal of the 
other. If the two literals have opposite signs and there exists a substitution that makes their 
atoms identical, instantiate both clauses with the most general such substitution, delete the two 
(now complementary) literals from the two instantiated clauses and union the two resulting sets 
together. The resulting clause is a "resolvent" oC the two parent clauses and should be added to 
the set of clauses. Repeat this process indefinitely. Should the empty clause ever be formed, the 
original set of clauses was unsatisfiable -- i.e., the original quantified formula is a theorem. 
Perhaps more important than resolution itself was Robinson's "unification algorithm" which is a 
way to determine either the most general substitution that makes two terms identical or that no 
such substitution exists. For example, the unification algorithm determines that P(X,F(X)) and 
P(AO,Z) are unified by replacing X by AO and Z by F(A()), while P(X,X) and P(Y,F(Y)) have no 
common instance. 
Here is a resolution proof of the example theorem above: 
1. {-P(X,Y) Q(Y)} 
2. {P(Z,F(Z))} 
3. {-Q(U) Q( G(U))} 
4. {-Q(G(G(V)))} 
5. {Q(F(Z))} resolving 1 x 2 
560 
6. {Q(G(F(Z)))} resolving 3 x 5 
7. {Q(G(G(F(Z))))} resolving 3 x 6 
8. {} resolving 4 x 7 
Despite its simplicity, resolution is a sound and complete inference procedure for first order 
predicate calculus1. For more details the reader should see [9, 21, 27J 
Note how easily a resolution theorem-prover can be implemented. Clauses may be represented as 
lists of literals. The basic operation on a Resolution Logic Machine is: 
1. Choose a clause to factor or two clauses to resolve upon. 
2. Form all possible factors or resolvents and add them to the set of clauses. 
3. If any clause is empty, report that the original set was unsatisfiable. 
4. Otherwise, repeat from step 1. 
As one might gather from the above description, the only difficult problem is the choice of which 
two clauses to use as parents in any given round. This is called the search strategy and is the 
hard problem confronting the serious implementor of a resolution theorem-proving. 
There are two classic search strageties. One, called breadth first, constructs all the resolvents 
from among the initial set S before adding them to S to form the new set S', and then iterates on 
t.he set S'. Thus, the so-called "search tree" -- the tree of all possible resolvents -- is grown in 
horizontal layers. The other common variation is called depth first, in which one prefers as a 
parent the most recently produced clause. In a depth first search, long branches of the search 
tree are grown first. 
It is fair to say that very few resolution theorem-provers use either search strategy in the rigid 
way they are defined above. It is also fair to say that resolution is not the only part of theorem-
proving concerned with search strategy. The consideration of search strategy dominates the 
implementation of a resolution theorem-prover largely because resolution has distilled the 
theorem-proving process down to where there is very little else to do. But every theorem-proving 
machine (for sufficiently rich logics) stands or falls on its ability to make the right choices at the 
right time. 
To the criticism that resolution was "unnatural" (to many people) the response was similar to 
Minsky's later defense of the attempt to build an intelligent machine [paraphrase]: If you wanted 
to build a machine that flies, would you cover it with feathers! If you wanted to build a machine 
that thinks, would you use meat! During the late 60's the vast majority of published work on 
mechanical theorem-proving was resolution based. 
IFor completeness one must include an additional rule called -ractoring- with which one can instantiate 
a clause so as to cause two literals in it to become identical. 
561 
But saying that the vast majority of the published work in the 60's was resolution based is not to 
say that all the resolution researchers were working on the same idea. The very simplicity of 
resolution encouraged its elaboration. Resolution was restricted, refined, and extended. There 
was (in no particular order) unit resolution, hyperresolution, linear resolution, and 
paramodulation. There was linear paramodulation and hyperparamodulation. There was E-
resolution, OL-resolution, Pl-resolution, SL-resolution, V-resolution, and P-hyperparamodulation. 
In short, the late 60's were an exciting time in the history of mechanical theorem-proving. There 
were three (causally related) reasons: 
1. technological improvements brought a tremendous increase in the computer power 
available, 
2. the economy boomed and made money available for computer science research in 
previously unheard of quantities -- much of it funnelled through the Advanced 
Research Projects Agency (ARPA) of the U.S. Defense Department, and 
3. Artificial Intelligence emerged as an endeavor that captured the imaginations of many 
researchers (and funding agencies) and, theoretically at least, theorem-proving could 
solve many of the hard problems in AI. For example, several typical AI problems such 
as natural language understanding, robotics problem solving, and question answering 
systems could be cast in the framework of first order predicate calculus problems and 
solved with sufficient theorem-proving power. 
While resolution theorem-proving did not directly receive very much of the money channeled to 
AI, it benefited greatly from the availability of computer power and the interest in mechanical 
problem solving generated by AI. 
Of course, not all researchers pursued resolution, even in its heyday. Most nonresolution work 
was directed down branches of mathematics not easily cast into the predicate calculus. The 
interested reader should see, for example, the work of Bledsoe and Gilbert [2] on set theory and 
Bledsoe, Boyer and Henneman [4] on proofs of limit theorems in real analysis. During this same 
time, the field of "symbolic manipulation" matured to the point where programs were able to aid 
physicists and engineers in algebraic simplification and integral calculus. See the review by Moses 
[24]. 
In the mid-70's the excitement declined because researchers began to realize that the paradigm 
established by Robinson -- formulate a restriction of resolution and prove that it is complete 
-- produced a plethora of theoretical papers but very few successful mechanical theorem-provers. 
Many people attributed this disparity to the "unnaturalness" of resolution and began to pursue 
new directions. At about the same time, new AI programming languages began to catch on (e.g., 
PLANNER). For a while in the early 70's controversy raged between those on opposite sides of 
the question: "Is it better to use 'declarative' or 'procedural' encodings of knowledge!" This 
controversy has since died out, partially because PLANNER and its descendents did not really 
solve the hard problems and partially because people like Kowalski and Hayes successfully argued 
that predicate calculus could be used as a programming language and made to perform as well (or 
badly) as "conventional" languages like PLANNER. 
562 
In my view, the disparity between the number of publications and the number of successful 
implementations was due to inadequate attention to search strategy. While the search strategy 
problem was certainly recognized by all, it was more or less left to the "hackers" who put 
together theorem-provers. It is certainly safe to say that most researchers hoped that victory 
would be achieved without the invention of messy, ad hoc heuristics. That hope has waned 
considerably since the early 70's. 
During the 70's theorem-proving research was supported mainly by the emerging fields of 
programming language design and program verification. The main application in programming 
language design has been the implementation of efficient "interpreters" (i.e., theorem-provers) for 
nondeterministic predicate calculus programs. The interested reader should see Kowalski's article 
"Predicate Calculus as a Programming Language" [18], and the work on implementing such a 
language by Colmerauer and Roussel of the University of Marseille [10, 28], and Warren at the 
University of Edinburgh [33]. It is interesting to note that in this application search strategy is 
often less important than in general purpose theorem-proving because the user of the theorem-
prover can often constrain the search space by appropriately formulating his "programs." 
The theorem-proving research supported by program verification has been both more and less 
traditional -- more traditional in the sense that the goal is to mechanize mathematics and less 
traditional in the sense that the approaches used are often radically different from those 
suggested by resolution. The basic idea -- as will be elaborated in the third lecture -- is that it is 
easy to transform the question "Is this program correct!" into the question "Are these formulae 
theorems!" The formulae are then submitted to a mechanical theorem-prover for proof. A 
theorem-prover for program verification must be good at deriving theorems from a large data 
base containing facts that may be instantiated and chained together -- just as the AI applications 
demanded. But, in addition, program verification added some new demands: 
1. The proofs of the conjectures produced by program verifiers require induction. Why! 
Because those conjectures usually involve inductively constructed mathematical 
objects (e.g., integers, sequences, trees) and inductively defined concepts (e.g., 
addition, permutation, fringe). 
2. Program verification has caused the construction of new logical theories in which the 
semantics of programs are expressed. 
3. Program verification aims at putting the theorem-prover in the hands of a "user" who 
is considered willing to help the theorem-prover but who is not logically infallible. For 
example, to specify his program the user may need to define previously unstudied 
mathematical concepts (e.g., majority vote). The addition of axioms purported to 
describe the properties of such concepts must not be taken lightly. Experience has 
shown that users are notoriously bad at getting the details right when dealing with 
concepts outside of their traditional training -- and the accidental production of an 
inconsistent set of axioms may lead to "proofs" of incorrect programs whose 
specifications do not even involve those axioms. On the other hand, experience has 
shown that many users have excellent intuitions about why things are true and can be 
of great help in guiding the system to a proof. 
Because of these demands theorem-proving research in the 70's has branched out considerably. 
563 
Let me merely list some of the main themes of theorem-proving in the 70's: 
1. The construction of proof checkers and interactive theorem-provers. See for example 
the FOL system of Weyhrauch [34J or Jutting's description of the use of the 
AUTO MATH system to proof check all of Landau's text on the development of 
elementary mathematics from Peano axioms to the reals [17J. 
2. The construction of theorem-provers for decidable theories, such as Presburger 
arithmetic and "data structures." See for example the work of Bledsoe [31, Shostak 
[29], Oppen [25]. 
3. The construction of theorem-provers or proof-checkers for logics other than first-order 
predicate calculus. For example, our work [6J is based on a quantifier free logic with 
recursive functions and induction. The Edinburgh LCF system [14J is based on Scott's 
logic and Litvintchouk and Pratt's system is based on modal logic [20J. 
4. The application of rewrite rules to simplify formulas and the study of the theoretical 
properties of such "rewrite systems." See the survey paper by Huet and Oppen [16J. 
5. The study of "metatheoretic extensibility" -- the use of a theorem-prover to prove the 
correctness of extensions. See below and [71. 
6. The further study of resolution and proof procedures suggested by resolution. See for 
example the proceedings of the latest Workshop on Automatic Deduction or 
Kowalski's "connection graph" proof procedure suggested by the failure modes of 
resolution [19]. 
Rather than try to summarize each of these fields I will, in my next lecture, acquaint you with 
how one state-of-the-art theorem-prover works and what are the current limits of its abilities. 
1.2 The Boyer-Moore Theorem-Prover 
For the past nine years Bob Boyer and I have been developing an automatic theorem-prover 
capable of constructing inductive proofs. The development of the theorem-prover is being 
sponsored by NSF Grant MCS-79040Bl and ONR Contract NOOOI4-75-C-OBI6. The theorem-
prover deals with a quantifier free first order logic. In addition to modus ponens, instantiation, 
and substitution of equals for equals, the logic provides for the axiomatic introduction of new 
"types" of inductively constructed objects (e.g., integers, sequences, graphs) the definition of new 
mathematical functions (e.g., prime, permutation, path), and proof by induction on well-founded 
relations. 
The addition of definitional equations purporting to define new functions raises a difficult 
problem: how can we insure that the new axiom actually defines a function! In our logic we 
require that for each new definition there exist a "measure" of the arguments of the function and 
a well-founded relation such that in every "recursive call" in the body, the measure of the 
arguments to the call is strictly smaller than the measure of the input arguments. This condition, 
together with some trivial syntactic requirements, is sufficient to insure that the new axiom 
satisfied by one and only one function. 
564 
For example, consider the idea of computing th~ "fringe" of a binary tree. One way to do it is to 
consider the successive CDR's of the tree and repeatedly transform subtrees of the form: 
* 
* c 
a b 
into the form: 
* 
a * 
b c 
until a is an atom. Using a LISP-like syntax we express this function as: 
(NORMTREE X) 
(IF (LISTP X) 
(IF (LISTP (CAR X)) 
(NORMTREE (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(CONS (CAR X) (NORMTREE (CDR X)))) 
(CONS X NIL)). 
What measure is going down here! Our system is not capable of discovering (on its own) such a 
measure. However, if the user of our system defines the function: 
(MS X) 
(IF (LISTP X) 
(TIMES (SQUARE (MS (CAR X))) (MS (CDR X))) 
1 ), 
which is accepted because the size of the argument gets smaller in each call, then the system can 
prove that (MS X) decreases in both of the recursive calls of NORMTREE in the definition of 
NORMTREE. Thus, after the introduction of MS and the proof of the two lemmas establishing 
that it decreases, NORMTREE is accepted by our system as a true definitional equation. 
565 
The theorem-prover itself consists of an ad hoc collection of heuristic proof techniques. The two 
most important ones are simplification and the invention of "appropriate" induction arguments. 
The system also contains heuristics for eliminating "undesirable" expressions (e.g., X-Y can be 
eliminated by replacing X with 1+ Y), the use of equality, generalization, and the elimination of 
irrelevance. 
The simplification routine is driven by conditional rewrite rules derived from axioms, recursive 
definitions, and previously proved theorems. The system contains fairly sophisticated search 
strategic heuristics for controlling the expansion of definitions, backwards chaining to establish 
hypotheses of rewrite rules, permutative rewrites, etc. 
The induction routine attempts to find an induction argument that is "appropriate" for the 
conjecture being proved. Roughly speaking, it attempts to find an n-way case split and some 
induction hypotheses such that when certain of the recursive functions in the induction conclusion 
of a given case are expanded, the resulting recursive calls are involved in the hypotheses for that 
case. To find -- and justify -- the induction argument, the induction routine analyzes the 
measures and well-founded relations justifying the recursive functions in the conjecture. We have 
found that the direct analysis of these measures and well-founded relations is simpler than the 
analysis of the recursive functions themselves and permits the system more often to piece together 
induction arguments "appropriate" for several functions in the conjecture. The reason for this is 
that the function definitions frequently contain tests that are irrelevant to the recursions and 
these tests obscure the correct choice of induction cases. 
To illustrate how our system proves theorems, let us consider proving that NORMTREE 
computes the fringe as defined (in the more traditional way) by the recursive function 
FLATTEN: 
(FLATTEN X) 
(IF (LISTP X) 
(APPEND (FLATTEN (CAR X)) 
(FLATTEN (CDR X))) 
(CONS X NIL)), 
where APPEND concatentates two lists: 
(APPEND X Y) 
(IF (LISTP X) 
(CONS (CAR X) 
(APPEND (CDR X) Y)) 
Y). 
We will prove: 
566 
(EQUAL (NORMTHEE X) (FLATTEN X)). 
The proof may be briefly sketched as follows: We induct on X, using the measure and well-
founded relation justifying NORMTREE, we simplify, using the axioms defining lists and 
"opening up" certain recursive functions "calls", we rerepresent the variables in the problem to 
simplify the conjecture, use our induction hypothesis (and throw it away to generalize our goal), 
replace certain terms by variables, restricted to the range of the terms replaced, to generalize the 
problem still more, and then perrorm a second induction. Below is the complete proof, as 
discovered and described in English by our system: 
_ PROVE.LEMMA( CORRECTNESS.OF .NORMTREE 
(REWRITE) 
(EQUAL (NORMTREE X) (FLATTEN X))) 
Give the conjecture the name * 1. 
We will appeal to induction. Two inductions are suggested by terms in the conjecture, both of 
which are unflawed. So we will choose the one suggested by the largest number of nonprimitive 
recursive functions. We will induct according to the following scheme: 
(AND (IMPLIES (NOT (LISTP X)) (p X)) 
(IMPLIES (AND (LISTP X) 
(LISTP (CAR X)) 
(p (CONS (CAAR X) 
(CONS (CDAR X) (CDR X))))) 
(p X)) 
(IMPLIES (AND (LISTP X) 
(NOT (LISTP (CAR X))) 
(p (CDR X))) 
(p X))). 
The inequalities MS.DECREASES.UNDER.CDR and MS.DECREASES.UNDER.ROTATION 
establish that the measure (MS X) decreases according to the well-founded function LESSP in 
each induction step of the scheme. The above induction scheme generates the following three new 
conjectures: 
Case 1. (IMPLIES (NOT (LISTP X)) 
(EQUAL (NORMTREE X) (FLATTEN X))), 
which we simplify, unfolding the definitions of NORMTREE 
and FLATTEN, to: 
(TRUE). 
Case 2. (IMPLIES 
(AND 
(LISTP X) 
(LISTP (CAR X)) 
567 
(EQUAL (NORMTREE (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(FLATTEN (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))))) 
(EQUAL (NORMTREE X) (FLATTEN X))), 
which simplifies, applying CDR.CONS and CAR.CONS, and 
opening up FLATTEN and NORMTREE, to: 
(IMPLIES 
(AND 
(LlSTP X) 
(LISTP (CAR X)) 
(EQUAL 
(NORMTREE (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(APPEND (FLATTEN (CAAR X)) 
(FLATTEN (CONS (CDAR X) (CDR X)))))) 
(EQUAL (NORMTREE.(CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(APPEND (FLATTEN (CAR X)) 
(FLATTEN (CDR X))))). 
This simplifies again, applying CDR.CONS and CAR.CONS, 
and opening up the definition of FLATTEN, to: 
(IMPLIES 
(AND 
(LlSTP X) 
(LlSTP (CAR X)) 
(EQUAL (NORMTREE (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(APPEND (FLATTEN (CAAR X)) 
(APPEND (FLATTEN (CDAR X)) 
(FLATTEN (CDR X)))))) 
(EQUAL (NORMTREE (CONS (CAAR X) 
(CONS (CDAR X) (CDR X)))) 
(APPEND (APPEND (FLATTEN (CAAR X)) 
(FLATTEN (CDAR X))) 
(FLATTEN (CDR X))))). 
Applying the lemma CAR/CDR.ELIM, we now replace X by 
(CONS Z V) to eliminate (CAR X) and (CDR X) and Z by 
(CONS W D) to eliminate (CAR Z) and (CDR Z). This 
generates: 
(IMPLIES 
(EQUAL (NORMTREE (CONS W (CONS D V))) 
568 
(APPEND (FLATTEN W) 
(APPEND (FLATTEN D) (FLATTEN V)))) 
(EQUAL (NORMTREE (CONS W (CONS D V))) 
(APPEND (APPEND (FLATTEN W) (FLATTEN D)) 
(FLATTEN V)))). 
We now use the above equality hypothesis by substituting: 
(APPEND (FLATTEN W) 
(APPEND (FLATTEN D) (FLATTEN V))) 
for (NORMTREE (CONS W (CONS D V))) and throwing away the 
equality. The result is: 
(EQUAL (APPEND (FLATTEN W) 
(APPEND (FLATTEN D) (FLATTEN V))) 
(APPEND (APPEND (FLATTEN W) (FLATTEN D)) 
(FLATTEN V))), 
which we generalize by replacing (FLATTEN V) by Y, 
(FLATTEN D) by A, and (FLATTEN W) by U. We restrict the 
new variables by appealing to the type restriction lemma 
noted when FLATTEN was introduced. This produces: 
(IMPLIES (AND (LlSTP Y) (LISTP A) (LlSTP U)) 
(EQUAL (APPEND U (APPEND A Y)) 
(APPEND (APPEND U A) Y))), 
which we will name *1.1. 
Case 3. (IMPLIES (AND (LISTP X) 
(NOT (LISTP (CAR X))) 
(EQUAL (NORMTREE (CDR X)) 
(FLATTEN (CDR X)))) 
(EQUAL (NORMTREE X) (FLATTEN X))), 
which we simplify, expanding the definitions of NORMTREE 
and FLATTEN, to: 
(IMPLIES (AND (LISTP X) 
(NOT (LlSTP (CAR X))) 
(EQUAL (NORMTREE (CDR X)) 
(FLATTEN (CDR X)))) 
(EQUAL (CONS (CAR X) (NORMTREE (CDR X))) 
(APPEND (FLATTEN (CAR X)) 
(FLATTEN (CDR X))))). 
This simplifies again, applying CDR.CONS, CAR.CONS, and 
CONS.EQUAL, and opening up the functions FLATTEN and 
APPEND, to: 
569 
(TRUE). 
So let us turn our attention to: 
(IMPLIES (AND (LISTP Y) (LISTP A) (LlSTP U)) 
(EQUAL (APPEND U (APPEND A Y)) 
(APPEND (APPEND U A) Y))), 
which we named *1.1 above. We will appeal to induction. Three inductions are suggested by 
terms in the conjecture. They merge into two likely candidate inductions. However, only one is 
unflawed. We will induct according to the following scheme: 
(AND (IMPLIES (NOT (LISTP U)) (p U A Y)) 
(IMPLIES (AND (LISTP U) (p (CDR U) A Y)) 
(p U A Y))). 
The inequality CDR.LESSP establishes that the measure (COUNT U) decreases according to the 
well-founded function LESSP in the induction step of the scheme. The above induction scheme 
produces two new goals: 
Case 1. (IMPLIES (AND (NOT (LISTP (CDR U))) 
(LISTP Y) 
(LlSTP A) 
(LISTP U)) 
(EQUAL (APPEND U (APPEND A Y)) 
(APPEND (APPEND U A) Y))). 
This simplifies, applying CDR.CONS, CAR.CONS, and 
CONS.EQUAL, and expanding the definition of APPEND, to: 
(IMPLIES (AND (NOT (LlSTP (CDR U))) 
(LISTP Y) 
(LlSTP A) 
(LISTP U)) 
(EQUAL (APPEND (CDR U) (APPEND A Y)) 
(APPEND (APPEND (CDR U) A) Y))), 
which again simplifies, opening up the definition of 
APPEND, to: 
(TRUE). 
Case 2. (IMPLIES (AND (EQUAL (APPEND (CDR U) (APPEND A Y)) 
(APPEND (APPEND (CDR U) A) Y)) 
(LlSTP Y) 
(LISTP A) 
(LlSTP U)) 
570 
(EQUAL (APPEND U (APPEND A Y)) 
(APPEND (APPEND U A) Y))), 
which simplifies, applying CDR.CONS, CAR.CONS, and 
CONS.EQUAL, and opening up the function APPEND, to: 
(TRUE). 
That finishes the proof of *1.1, which, consequently, finishes the proof of *1. Q.E.D. 
Load average during proof: 1.865178 
Elapsed time: 14.509 seconds 
CPU time (devoted to theorem proving): 7.727 seconds 
10 time: 3.385 seconds 
CONScs consumed: 11520 
In the proof above the system "discovers" the lemma that APPEND is associative and proves it 
by the second induction. 
The theorem-prover is automatic in the sense that once it begins a proof the user contributes 
nothing. However, it is interactive in the sense that the user can improve the theorem-prover's 
behavior by "teaching" it important relationships and rewrite rules. This "t.eaching" (which 
might be more appropriately called "memorization by rote") is accomplished by instructing the 
theorem-prover to prove lemmas that "inform" it of new conditional rewrite rules, useful 
measures for the justification of recursions and inductions, etc. For example, had the user 
previously instructed the system prove the associativity of APPEND the system would have used 
that fact early in the proof above, leading to a substanially simpler proof. 
The user of our system does not have to be trusted. That is, as long as he confines himself to the 
"rules of the game" (i.e., defining new types and functions and proving new lemmas), the 
theorem-prover is entirely responsibible for the validity of any conjecture it claims is a theorem. 
While the user who abides by the rules need not be trusted, an intelligent and well-trained user is 
indispensable in the proof of difficult theorems because the theorem-prover requires so much 
carefully prepared groundwork in the form of previously proved lemmas. Much of our research is 
aimed at reducing some of this burden on the user. However, even at the current rudimentary 
stage of the system's development, we have found that we (as human users) are quite good at the 
task required of us (i.e., the strategic planning of proofs encoded in the statement of key lemmas) 
and are relatively weak at the tasks already performed by the system (the consideration of 
countless nitty gritty details). 
The system has been used to prove the correctness of a wide variety of programs including: 
1. a "toy" expression compiler, 
2. a recursive descent parser (the theorem-prover established the required relationship 
between "printing" and "reading"), 
571 
3. the totality, soundness, and completeness of a decision procedure for propositional 
calculus, 
4. the soundness of an arithmetic simplifier now in routine use in the system, 
5. the termination of the TAK function over the positive and negative integers (using a 
lexicographic measure corresponding to "less than" in omega" 3'), and 
6. several working FORTRAN programs including the correctness of the fastest known 
string searching algorithm. 
The FORTRAN programs were coded in a subset of both ANSI FORTRAN 66 and ANSI 
FORTRAN 77 and the verification conditions included the consideration of aliasing, side-effects 
via labeled COMMON, arithmetic overnow, array bounds violations, undefined variables, and 
termination. I will discuss this aspect of our work in the third lecture. 
The most difficult theorem proved to date is the existence and uniqueness of prime factorizations, 
which was derived entirely from Peano's axioms. While this theorem is not often involved in the 
correctness proofs of real programs (encryption algorithms excepted), the system's ability to prove 
it from the ground up is indicative of the theorem-prover's power. 
All of the theorems cited above were proved by the same version of the theorem-prover from the 
same initial set of axioms. The axioms are those defining TRUE, FALSE, IF, and EQUAL, plus 
the Peano-like axiomatization of the "data types" involved. 
Given that the system has some "learning" (or "rote memorization") ability, the question arises: 
"ls it possible to teach the system new proof techniques that were not anticipated by the 
designers of the theorem-prover!" Of course, we wish to preserve the soundness of the system, 
i.e., it should not be possible for the user to render the system unsound by teaching it faulty 
"proof" techniques. 
Since our system is oriented towards proving properties of programs, an obvious approach is for 
the user to write a new theorem-proving routine to be added to the system, and then have the 
trusted version of the system prove the new extension correct before encorporating it. Can a 
system which is inherently inadequate (after all, it is in need of extension) be expected to prove 
the correctness of a useful extension! We have investigated this problem and believe the answer, 
for our system, is "yes." 
One experiment we performed involved the addition of a simple cancellation routine. Suppose I, 
J, K, and L are nonnegative integers. Then it is easy to prove that I+J=I+K iff J=K. This is 
the traditional statement of the cancellation law for addition. But note that this rule cannot be 
applied to L+J=K+(I+L), because the common term, L, does not occur as the first addend. 
While we could prove many different versions of the cancellation law, no finite number of rewrite 
rules can capture the underlying idea: you can cancel any term occurring as an addend on both 
sides of an equality. How can we teach our system this idea! 
We can proceed as follows. Define the function CANCEL on list expressions that, when given an 
expression representing an equation between two PLUS-trees, returns a new expression with all 
572 
the common addends deleted, and when given any other expression returns the input expression. 
To cancel common addends CANCEL computes the fringe of the two PLUS-trees, intersects 
them, subtracts the intersection from each fringe, and then reconstitutes the remaining lists of 
terms as right-associated PLUS-trees and equates them. One must be careful to keep in mind 
that the fringes are bags, not sets, and that duplications have significance (e.g., if A occurs twice 
on one side and only once on the other, one A can be cancelled). 
Once CANCEL has been defined it can be used as a new proof technique provided we can prove 
the following" metatheorem": Suppose X is a list structure representing a term in our logic and 
MEANING is the function that assigns meanings to terms, given an assignment of values to 
variables. Then we wish to prove that under all assignments the MEANING of X is equal to the 
MEANING of (CANCEL X) and (CANCEL X) represents a term. That is, we wish to prove: 
(IMPLIES (FORMP X) 
(AND (EQUAL (MEANING X A) 
(MEANING (CANCEL X) A)) 
(FORMP (CANCEL X)))). 
This theorem can be proved by the current system, after the user has had the system prove the 
rudiments of "bag theory" (e.g., that the difference between two bags is a subbag of the first) 
and the fundamental relationships induced by MEANING between bag operations and arithmetic 
(e.g., if Y is a subbag of X then the MEANING of the PLUS-tree formed from the bag difference 
of X and Y is the arithmetic difference of the MEANINGs of the PLUS-trees formed from X and 
Y individually). 
After proving the correctness of CANCEL, the system is justified in using CANCEL to perform 
arbitrarily deep cancellations, an ability it did not have before or during the correctness proofs. 
Except for the work on "metatheorems" all of the work described here is described in complete 
detail in our book, [6]. The book describes our formal theory (assuming only that the reader is 
familiar with propositional calculus and equality) and all of the proof techniques used by our 
program. The techniques are demonstrated in many substantial examples worked by the 
program. The techniques are described in sufficient detail to permit a student to use our 
techniques to discover proofs as well as to program a computer to reproduce our results. The 
work on metatheorems mentioned here is described in complete detail in [7]. 
1.3 Program Verification 
There are many ways to reduce the question "Is this program correct!" to the question "Are 
these formulae theorems!" Once such a reduction has occurred, it would be convenient if a 
mechanical theorem-prover were capable of proving the necessary theorems. In this talk I will 
illustrate how we are using the theorem-prover described above to address such questions. I will 
use three different methods of giving meaning to programs: the functional method, the 
interpreter method, and the inductive assertion method. Each will be illustrated by the same 
"toy" problem. Then I will describe a verification condition generator for ANSI FORTRAN that 
handles such real problems as aliasing, global COMMON, and arithmetic overflow. The talk will 
573 
conclude with a description of the verification of a FORTRAN version of the fastest known string 
searching algorithm. 
1.3.1 A Toy Example 
Let us consider a simple assembly language program to sum the numbers from 1 to I: 
0 MOVEI AC, 0 iset AC to 0 
1 SKIPNE I iskip next if I not 0 
2 STOP istoP 
3 ADD AC, I jset AC to AC+I 
4 SUBI I, 1 iset I to 1-1 
5 JUMP 1 ;jump to instruction 1 
We wish to prove that when this program is executed the final value of AC is (i*i+l)/2, where i 
is the initial value of I. 
We will consider three different methods of attaching semantics to this program. It is 
advantageous in all three cases to first introduce the recursive function that sums the integers 
from I to M: 
(SIGMA I M) 
(IF (LESSP I M) 
(PLUS M (SIGMA I (SUBI M))) 
0). 
For example, (SIGMA 3 7) is 7+6+5+4+3. It is also worthwhile proving the general result that 
(SIGMA 0 I) is (1+(1+1))/2. This is proved by the theorem-prover described above, using 
induction on I. Having proved this lemma, it is now sufficient to establish that our 6-Iine 
assembly program computes (SIGMA 0 I). 
1.3.2 The Functional Method 
The first method we will consider, often called the "functional" or "McCarthy" method [22], is to 
view one's program as a mathematical function from input states to output states and to prove 
the correctness of the resulting function. To transform the program above into this paradigm we 
first construct the function, FN, of I and AC, that embodies the loop through instruction 1, and 
think of the entire program as being functionally equivalent to (FN I 0). 
(FN lAC) 
(IF (ZEROP I) 
AC 
(FN (DIFFERENCE I 1) 
(PLUS AC I))). 
As McCarthy notes, this transformation from a program to a recursive equation can be carried 
574 
out by a machine which embodies the semantics of the programming language. (For example, see 
the applicat.ion described in [23].) 
The conjecture we wish t.o prove is that (FN I 0) is equal (SIGMA 0 I). As often is the case, it is 
easier to prove the following more general fact about FN: 
(EQUAL (FN lAC) 
(PLUS AC (SIGMA 0 I))), 
for all numeric AC. The proof of this generalization is straightforward by induction on I and can 
be constructed by the theorem-prover described above. 
1.3.3 The Interpreter Method 
A second method for formalizing the properties of a program is to specify formally an interpreter 
for the programming language. This is akin to "denotational semantics" [13]. 
In this case we must specify the "hardware" that runs our 6-line program. We will do so by 
writing a recursive function, EXEC, that takes three arguments: the program counter, pc; a 
memory, mem, mapping integer addresses to their values; and a clock, clk, that ticks once every 
time we execute a jump instruction. The clock is used to make EXEC a total recursive function. 
EXEC is an accurrate if somewhat simple formalization of the idea of a stored program computer. 
Each instruction is a list encoding an "opcode" and some arguments and will occupy one location 
in memory. In our example, the program will be loaded into memory locations 0 through 5, we 
will use locations 6 and 7 for the variables I and AC. 
EXEC operates as follows. If the clock is 0, EXEC returns an error signal. Otherwise, EXEC 
fetches the contents of location pc in mem and decodes it as an instruction, obtaining an 
"opcode," op, and two operands argl and arg2. If op is STOP, EXEC returns the final memory 
configuration. Otherwise, EXEC determines new values for pc, mem, and clk based on op and 
the operands and recurses on those new values. For example, if op is JUMP, EXEC recurses, 
replacing pc by argl and decrementing clk. If op is ADD, EXEC recurses replacing pc by pc+l 
and mem by 
(SET argl 
(PLUS (GET argl mem) (GET arg2 mem)) 
mem). 
That is, the "new" memory is that obtained by adding the contents of argl and arg2 in the old 
memory and then setting the contents of argi to that sum. (GET and SET are defined functions 
that operate on finite sequences denoting the contents of successive memory locations.) The other 
opcodes used in our program are handled similarly. 
Once EXEC is defined we can state the correctness of our program as the following conjecture: 
(IMPLIES (AND (EQUAL MEM 
(APPEND '((MOVEI 7 0) 
(SKIPNE 6) 
575 
(STOP) 
(ADD 7 6) 
(SUBI6 1) 
(JUMP 1)) 
REST)) 
(EQUAL I (GET 6 MEM)) 
(LESSP I CLK)) 
(EQUAL (GET 7 (EXEC 0 MEM CLK)) 
(SIGMA 0 I))) 
This formula says: If locations 0-5 of MEM contain the program in question and if I is the 
contents of location 6 in MEM and is less than CLK, then t.he value of location 7 in the memory 
obtained by executing the program starting at pc 0 in MEM with CLK is (SIGMA 0 I). 
This conjecture can be proved by the theorem-prover described above. The proof requires that 
the system first prove a lemma similar in spirit to an "inductive assertion": provided there is 
sufficient time on the clock, EXEC computes AC+(SIGMA 0 I) if started at location 1 (instead of 
location 0) in our program. 
1.3.4 The Inductive Assertion Approach 
We now move on to an illustration of the "inductive assertion" or "Floyd/Hoare" method 
[12, 15]. The basic idea is to decorate one's program with assertions that purport to describe the 
state of the machine at certain points in the computation and then to generate a set of formulas, 
called "verification conditions" that establish that each assertion holds each time it is 
encountered. The verification condition generator ("vcg") is an encoding of the semantics of the 
programming language. 
The annotation of our example program above is as follows. Suppose K is the initial value of 
I. The "input assertion" is T; that is, we put no constraints on I initially. The "output 
assertion," at the STOP instruction at location 2, is that AC is equal to (SIGMA 0 K). The "loop 
invariant," at the SKIPNE instruction at location 1, is that AC is equal to (SIGMA I K) and I 
< $M-l_ K. By exploring the paths through the program (using some formal specification of the 
effects of each instruction) we generate three "verification conditions" to prove: 
The loop assertion is true when first encountered: 
(AND (EQUAL 0 (SIGMA K K)) 
(LESSEQP K K)). 
The loop assertion remains true as we go around the loop: 
(IMPLIES (AND (NOT (ZEROP I)) 
576 
(EQUAL AC (SIGMA I K)) 
(LESSEQP I K)) 
(AND (EQUAL (PLUS AC I) 
(SIGMA (SUBl I) K)) 
(LESSEQP (SUBI I) K))). 
The loop assertion implies the output assertion when the loop stops: 
(IMPLIES (AND (ZEROP I) 
(EQUAL AC (SIGMA I K)) 
(LESSEQP I K)) 
(EQUAL AC (SIGMA 0 K))). 
These formulas can be proved by the theorem-prover described above. 
1.3.5 Comparisons 
The three program verification methods sketched are more striking in their similarities than in 
their differences. 
First, it should be noted that the introduction of SIGMA simplifies the conjectures produced by 
all three methods. A more commonly used specification style -- at least when the inductive 
assertion method is chosen -- is to restrict oneself to the II primitives II such as addition, 
multiplication, and division already built into the system. This makes the verification conditions 
more difficult to prove because one is simultaneously grappling with the fundamental 
mathematical fact that (SIGMA 0 I) is (1*(1+1))/2 and with a part.icular algorithm for comput.ing 
(SIGMA 0 I). 
Second, all three methods require some creative step beyond the mere specification of the 
input/output relation. In the functional method, this creative step was the generalization of: 
(EQUAL (FN I 0) (SIGMA 0 I)) 
to 
(EQUAL (FN I AC) (PLUS AC (SIGMA 0 I))). 
In the interpreter method, the creative step was the statement of the lemma that when EXEC 
starts executing at location 1 and runs to normal completion, the answer is (PLUS AC (SIGMA 0 
I)). In the inductive assertion method, the creative step was the invention of the loop invariant 
that AC is (SIGMA I K). Note the subtle difference between the latter two invariants: while an 
inductive assertion generally states an invariant that holds between two successive arrivals at 
some program point, the interpreter-style lemma states an invariant that holds between arrival at 
the point and the end of the computation. 
577 
It should be noted that with the runctional and interpreter methods the creativity occurred arter 
the problem had been cast mathematically and while a proor was being sought. That is, the 
creative steps were just generalizations in the mathematical sense: given to prove p we decided to 
prove q, where q implies p. In the inductive assertion method, we were obliged to think about q 
berore the problem could be stated without rererence to the program text. Thus, when the 
rormer methods are applied, the creative aspect or the problem is just a theorem-proving 
problem. 
On this particularly simple problem, the theorems required by the runctional method are the 
easiest to prove, with the inductive assertion method second and the interpreter method a distant 
third. or course, nothing in general should be inrerred rrom this ranking. 
For example, applying the runctional method to messier programs -- especially programs 
manipulating large global data structures -- orten produces unmanageably large recursive 
equations; in such cases the inductive assertion method can orten be used to segment the program 
and isolate side-erfects. 
On the other hand, the interpreter method has an elegance the other two lack because the 
program was proved correct with respect to a rormal programming language semantics expressed 
entirely within the logic itselr rather than in some extralogical axioms or vcg programs. 
Furthermore, the interpreter method as it was applied here dealt with a problem neither or the 
other two methods could possibly handle: the instructions were being retched rrom a memory 
that was being modified by the execution or the program. While the program does not happen to 
modify itself, consideration or that possibility vastly complicates the proor. When the interpreter 
method is formalized so that the program is in "read only" memory (i.e., a memory not changed 
by any instruction) the interpreter-based proors are comparable to the inductive assertion style 
proors. 
1.3.6 Toys v. Reality 
The preceding sketches were meant to summarize several difrerent approaches to program 
verification and to illustrate the role or theorem-proving in each or them. However, all three 
sketches dealt with toy problems. They do not describe real programming languages. They 
ignore many difficult problems or programming language design (e.g., global data structures, 
subroutine calls, aliasing). They ignore many difficult problems or programming language 
implementation (e.g., arithmetic overflow, nontermination, undefined variables). In short, the toy 
problems discussed here bear about as much resemblence to real programming problems as 
E=Mc" "2" does to a nuclear power plant. Rather than attempt to describe how these problems 
can be dealt with I will simply "advertise" and illustrate how we have dealt with them in the 
context of one real programming language. 
We have implemented a verification condition generator for a subset both or FORTRAN 66 [31] 
and FORTRAN 77 [1]. While constraints are placed on the language that are not found in the 
ANSI specifications, our language is a true subset in the sense that a processor that correctly 
implements either FORTRAN correctly implements our language. The development or the 
FORTRAN verification condition generator was supported by ONR Contract NOOOI4-75-C-0816. 
578 
Unusual features of our system -- aside from our choice of FORTRAN and our use of a quantifier 
free specification language -- include a syntax checker that enforces all our syntactic restrictions 
on the language, the thorough analysis of aliasing, the generation of verification conditions to 
prove termination, and the generation of verification conditions to ensure against such run-time 
errors as array-bound violations and arithmetic overflow. 
Although our syntax checker and verification condition generator handle programs involving 
finite precision REAL arithmetic, we have not yet formalized the semantics of those operations 
and hence cannot mechanically verify programs that operate on REALs. 
We define our subset precisely in [8] and specify the verification conditions we generate. The 
following description of our work is extremely informal. 
The input to our verification condition generator must include not only the subprogram (function 
or subroutine) to be verified, but also all subprograms referenced somehow by the candidate 
subprogram. Each referenced subprogram must have been previously specified and verified. 
The FORTRAN statements in our subset are: 
Arithmetic assignment 
Logical assignment 
GO TO assignment 
Unconditional GO TO 
Assigned GO TO 
Computed GO TO 
Arithmetic IF 
CALL 
RETURN 
CONTINUE 
STOP 
PAUSE 
Logical IF 
DO 
DIMENSION 
COMMON 
INTEGER 
REAL 
DOUBLE PRECISION 
COMPLEX 
LOGICAL 
EXTERNAL 
Statement function 
FUNCTION 
SUBROUTINE 
END 
Our subset does not include the following FORTRAN 77 statements: 
BACKSPACE 
BLOCK DATA 
Block IF 
CHARACTER 
Character assignment 
CLOSE 
DATA 
ELSE 
ELSEIF 
ENDFILE 
ENDIF 
ENTRY 
EQUIVALENCE 
FORMAT 
IMPLICIT 
INQUIRE 
INTRINSIC 
OPEN 
PARAMETER 
PRINT 
PROGRAM 
READ 
REWIND 
SAVE 
WRITE 
579 
For t.hose statements in our subset we enforce all of the restrictions of both FORTRAN 66 and 
77; furthermore, we enforce some additional restrictions. Some of our restrictions are: 
Every expression using infix operators must be fully parenthesized. For example, either 
(A + (B + C)) or ((A + B) + C) must be written instead of A + B + C. The precise 
order of combination affects the analysis of overflow. 
Subroutines and functions may not be passed as arguments to subprograms. 
In a CALL statement or function reference, if the actual argument isan array, then the 
corresponding argument must be an array of the same number of dimensions. 
Function subprograms may not side-effect their arguments or anything in COMMON. 
No call of a subroutine may pass an entity to a subroutine that might violate the strict 
aliasing restrictions of FORTRAN. For example, if a subroutine has two arguments 
and possibly smashes the first, then that subroutine may not be called with the same 
array passed in both arguments nor mayan array in common be passed as the first 
argument if the subroutine "knows" about the common block, even via subprograms. 
While some of our restrictions may appear radical to those unfamiliar with the details of the 
FORTRAN specifications, many of the most severe (e.g., prohibition of side-effects in 
FUNCTIONs and aliasing in SUBROUTINEs) are in fact closely related to restrictions in both 
the 1966 and 1977 specifications. Many of the restrictions in the ANSI specifications were 
motivated by the desire to encourage the implementation of correct optimizing compilers and 
-- while the restrictions are not as elegantly stated as they might have been -- it could be argued 
that FORTRAN 66 was several years ahead of its time. In [8] we compare our restrictions to 
those of the ANSI specifications. All of our restrictions are enforced by the system in the sense 
that programs violating these restrictions are rejected by the verification condition generator. 
We make the following claim about our system. If a FORTRAN subprogram is accepted by our 
syntax checker, the verification conditions are proved, and the program can be loaded onto a 
FORTRAN processor that meets the ANSI specification of FORTRAN and satisfies certain 
parameterized constraints on the accuracy of arithmetic, then any invocation of the program in 
an environment satisfying the input condition of the program will terminate without run-time 
errors and produce an environment satisfying the output condition of the program. 
We have used the theorem-prover to prove the verification conditions produced for several 
working FORTRAN programs, including a FORTRAN implementation of the Boyer-Moore fast 
string searching algorithm, and several subprograms performing "big number" arithmetic 
operations on arrays of integers regarded as numbers in a large base (e.g., 218). 
1.3.7 A Real Example 
In a 1977 Communications of the ACM article [5], we described an algorithm for finding the first 
occurrence of one character string, PAT, in another, STR. The algorithm is currently the fastest 
known way to solve this problem on the average. Our algorithm has two unusual properties. 
First, in verifying that PAT does not occur within the first i characters of STR the algorithm will 
typically fetch and look at fewer than i characters. Second, as PAT gets longer the algorithm 
580 
speeds up. That is, the algorithm typically spends less time to find long patterns than short ones. 
In this section we will briefly describe the verification of a FORTRAN version of the algorithm. 
A more complete description may be found in [8]. 
The whole idea behind the algorithm is illustrated by the following example. Suppose we are 
trying to find PAT in STR and, having scanned some initial part of STR and failed to find PAT, 
are now ready to ask whether PAT occurs at the position marked by the arrow below: 
PAT: EXAMPLE 
STR: LET US CONSIDER A SIMPLE EXAMPLE 
Instead of focusing on the left-hand end of the pattern (i.e., on the "E" indicated by the arrow) 
the algorithm considers the right-hand end of the pattern. In particular, the algorithm fetches 
the "I" in the word "SIMPLE." Since "I" does not occur in PAT, the algorithm can slide the 
pattern down by seven (the length of PAT) without missing a possible match. Afterwards, it 
focuses on the end of the pattern again, as marked by the arrow below. 
PAT: EXAMPLE 
STR: LET US CONSIDER A SIMPLE EXAMPLE 
In general, as the next step would suggest, the algorithm slides PAT down by the number of 
characters that separate the end of the pattern from the last occurrence in PAT of the character, 
c, just fetched from STR (or the length of PAT if c does not occur in PAT). In the configuration 
above, PAT would be moved forward by five characters, so as to align the "X" in PAT with the 
just fetched "X" in STR. 
If the algorithm finds that the charact.er just fetched from STR matches the corresponding 
character of PAT, it moves the arrow backwards and repeats the process until it either finds a 
mismatch and can slide PAT forward, or matches all the characters of PAT. 
The algorithm must be able to determine efficiently for any character c, the distance from the 
last occurrence of c in PAT to the right-hand end of PAT. But since there are only a finite 
number of characters in the alphabet we can preprocess PAT and set up a table that answers this 
question in a single array access. 
The reader is referred to [5] for a thorough description of an improved version of the algorithm 
that can be implemented so as to search for PAT through i characters of STR and execute less 
than i machine instructions, on the average. In addition, [5] contains a statistical analysis of the 
average case behavior of the algorithm and discusses several implementation questions. 
A FORTRAN version of the algorithm is exhibited below. The subroutine FSRCH is the search 
algorithm itself; it takes five arguments, PAT, STR, PATLEN, STRLEN, and X. PAT and STR 
are one-dimensional adjustable arrays of length PATLEN and STRLEN respectively. X is the 
dummy argument into which the answer is smashed. The answer is either the index into STR at 
which the winning match is found, or else it is STRLEN+l indicating no match exists. 
581 
FSRCH starts by CALLing the subroutine SETUP, which preprocesses PAT and smashes the 
COMMON array DELTAl. DELTA! has one entry for each character code in the alphabet. 
SETUP executes in time linear in PATLEN. It initializes DELTA! as though no character 
occurred in P AT and then sweeps PAT once, from left to right, filling in the correct value of 
DELTA! for each character occurrence, as though that occurrence were the last occurrence of the 
character in PAT. Thus, if the same character occurs several times in PAT (as "E" does in 
"EXAMPLE") then its DELTA! entry is smashed several times and the last value is the correct 
one. 
582 
SUBROUTINE FSRCH(PAT, STR, PATLEN, STRLEN, X) 
INTEGER DELTAI 
INTEGER PATLEN 
INTEGER STRLEN 
INTEGER PAT 
INTEGER STR 
INTEGER I 
INTEGER J 
INTEGER C 
INTEGER NEXTI 
INTEGER X 
INTEGER MAXO 
DIMENSION DELTAI(I28) 
DIMENSION PAT(PATLEN) 
DIMENSION STR(STRLEN) 
COMMON /BLK/DELTAI 
CALL SETUP(PAT, PATLEN) 
1= PATLEN 
200 CONTINUE 
IF ((I.GT.STRLEN)) GO TO 500 
J = PATLEN 
NEXTI = (1 +1) 
300 CONTINUE 
C = STR(I) 
IF ((C.NE.PAT(J))) GO TO 400 
IF ((J.EQ.I)) GO TO 600 
J = (J-I) 
I = (1-1) 
GO TO 300 
400 1= MAXO((I+DELTAI(C)), NEXTI) 
GO TO 200 
500 X = (STRLEN+l) 
RETURN 
600 X = I 
RETURN 
END 
583 
SUBROUTINE SETUP(A, MAX) 
INTEGER DELTAI 
INTEGER A 
INTEGER MAX 
INTEGER I 
INTEGER C 
DIMENSION DELTA1(128) 
DIMENSION A(MAX) 
COMMON /BLK/DELTAI 
DO 501=1, 128 
DELTA1(1) = MAX 
50 CONTINUE 
DO 1001=1, MAX 
C = A(I) 
DELTAl(C) = (MAX-I) 
100 CONTINUE 
RETURN 
END 
To specify the input and output assertions FSRCH we must introduce the mathematical concepts 
of (a) a sequence being a "character string" on a given sized alphabet, (b) the initial segments of 
two strings "matching," and (c) the leftmost match of PAT in STR. Below we give the 
definitions of these mathematical functions. 
Definition. 
(STRINGP A I SIZE) 
(IF (ZEROP I) 
T 
(AND (NUMBERP (ELTI A I)) 
(NOT (EQUAL (ELTI A I) 0)) 
(NOT (LESSP SIZE (ELTI A I))) 
(STRINGP A (SUBI I) SIZE))) 
Definition. 
(MATCH PAT J P A TLEN STR I STRLEN) 
(IF (LESSP P A TLEN J) 
T 
(IF (LESSP STRLEN I) 
F 
(AND (EQUAL (ELTl PAT J) (ELTl STR I)) 
(MATCH PAT 
(ADDl J) 
PATLEN STR 
(ADDl I) 
STRLEN)))) 
584 
Definition. 
(SEARCH PAT STR PATLEN STRLEN I) 
(IF (LESSP STRLEN I) 
(ADDI STRLEN) 
(IF (MATCH PAT I PATLEN STR I STRLEN) 
I 
(SEARCH PAT STR PATLEN STRLEN 
(ADDI I))))) 
For example, (MATCH PAT J PATLEN STR I STRLEN) determines whether the characters of 
P AT in positions J through P A TLEN are equal to the corresponding characters of STR starting 
at position I and not exceeding STRLEN. MATCH is recursive. That is, provided J < PATLEN 
and I < STRLEN , MATCH checks that the Jth character of P AT is equal to the Ith character of 
STR and, if so, requires that there be a MATCH starting at positions 1+1 and J+l. The 
recursive function SEARCH is the mathematical expression of the naive string searching 
algorithm. (SEARCH PAT STR PATLEN STRLEN I) asks, for each position in STR between I 
and STRLEN, whether a MA TOll with PAT occurs at that position. 
The input specification for FSROH includes the assertion that PAT and STR are both strings on 
the alphabet from I to 128. The output assertion for FSRCH is that whenever it exits, X is set to 
(SEARCH PAT STR PATLEN STRLEN I). The loop invariants for FSRCH are just expressions 
in terms of MATCH and SEARCH, asserting that (at label 200) the winning occurrence of PAT in 
STR has not yet been found and (at label 300) that a partial match has been established between 
the terminal substring of PAT and part of STR. The verification condition generator produces 
some 50 theorems that must be proved to establish that these assertions hold, that both SETUP 
and FSRCH terminate, and that no runtime errors occur. For example, the statement, at 
location 400 in FSRCH: 
I = MAXO((I+DELTAI(C)),NEXTI) 
requires that we prove (I) C is defined, (2) C is a legal index into DELTAl, (3) DELTAI(C) is 
defined, (4) I is defined, (5) I+DELTAI(C) does not cause an overflow, and (6) NEXTI is defined. 
The proof that I+DELTAI(C) does not cause an overflow requires that we put an additional 
input assertion on FSRCH, namely that the sum of lengths of PAT and STR be expressible on 
our machine. 
585 
References 
[I] American National Standards Institute, Inc. 
American National Standard Programming Language FORTRAN. 
American National Standards Institute, Inc., 1430 Broadway, New York, NY, 1978. 
[2] Bledsoe, W.W. 
Splitting and Reduction Heuristics in Automatic Theorem-Proving. 
Artificial Intelligence (3):27-60, 1972. 
[3] Bledsoe. 
A New Method for Proving Certain Pres burger Formulas. 
In Advance Papers, 4th Int. Joint Conf. on Artificial Intelligence, pages 15-21. 
Conference, Tibilisi, Georgia, USSR, 1975. 
[4] Bledsoe, W.W., Boyer, R.S., and Henneman, W.H. 
Computer Proofs of Limit Theorems. 
Artificial Intelligence (3):27-60, 1972. 
[5] Boyer, R.S. and Moore, J S. 
A Fast String Searching Algorithm. 
Communications of the Association for Computer Machinery 20(10):762-772, 1977. 
[6J Boyer, R.S. and Moore, J S. 
A Computational Logic. 
Academic Press, New York, 1979. 
[7] Boyer, R.S. and Moore, J S. 
Metafunctions: Proving Them Correct and U8ing Them Efficiently as New Proof 
Procedures. 
Technical Report CSL Technical Report 108, SRI International, Menlo Park, CA, 1979. 
[8] Boyer, R.S. and Moore, J S. 
A Verification Condition Generator for FORTRAN. 
Technical Report CSL Technical Report 103, SRI International, Menlo Park, CA, 1980. 
[9J Chang, C. and Lee, R.C.T. 
Symbolic Logic and Mechanical Theorem Proving. 
Academic Press, 1973. 
[10] Colmerauer, A., et al. 
Un Systeme de Communication Homme-Machine en Francais. 
Technical Report, Groupe de Researche en Intelligence Artificielle, Universite d'Aix-
Marseille, Luminy, 1972. 
[11] Feigenbaum, E. and Feldman, J. 
Computers and Thought. 
McGraw-Hill Book Company, 1963. 
586 
[12] Floyd, R. 
Assigning Meanings to Programs. 
In Alathematical Aspects of Computer Science, Proceedings Symposium on Applied 
Mathematics, pages 19-32. American Mathematical Society, Providence Rhode Island, 
1967. 
[13] Gordon, M. 
The Denotational Description of Programming Languages. 
Springer-Verlag, New York, 1979. 
[14] Gordon, M., et al. 
Edinburgh LCF. 
Technical Report CSR-ll-77, Edinburgh University, 1977. 
[15] Hoare, C. 
An Axiomatic Basis for Computer Programming. 
Communications Association on Computer Machinery 12{1O):576-583, 1969. 
[16] Huet, G. and Oppen, D.C. 
Equations and Rewrite Rules, A Survey. 
Technical Report, SRI International, Menlo Park, CA, 1981. 
[17] Jutting, L.S. 
Checking Landau's, 'Grundlagen' in the AUTO/VfATH System. 
PhD thesis, Eindhoven University of Technology, 1976. 
[18] Kowalski, R. 
Predicate Calculus as a Programming Language. 
North-Holland, 1974. 
[19] Kowalski, R. 
A Proof Procedure Using Connection Graphs. 
Journal for the Association of Computer Machinery 22:572-595, 1975. 
[20] Litvintchouk, S. and Pratt, V. 
A Proof-Checker for Dynamic Logic. 
In Proceedings of the Fifth International Joint Conference on Artificial Intelligence. 
Carnegie-Mellon University, Pittsburgh, PA, 1977. 
[21] Loveland, D.W. 
Automated Theorem Proving: A Logical Basis. 
North-Holland, 1978. 
[22] McCarthy, J. 
Recursive Functions or Symbolic Expressions and Their Computation by Machine. 
Communications of Association for Computer Machinery 3(4):184-195, 1960. 
[23] Moore, J S. 
Introducing Iteration into the Pure LISP Theorem Prover. 
IEEE Transactions on Software Engineering 1(3):328-338, 1975. 
587 
[24] Moses, J. 
Algebraic Simplification: A Guide for the Perplexed. 
In S.R. Petrick (editor), Proceedings ACM 2nd Symposium on Symbolic and Algebraic 
Manipulation. ACM, 1971. 
[251 Oppen, D. 
Reasoning About Recursively Defined Data Structures. 
Technical Report CS Report STAN-CS-78-678, Stanford University, ]978. 
[26] Robinson, J.A. 
A Machine-Oriented Logic Based on the Resolution Principle. 
Journal for the Association of Computer Machinery 12:23-41, Jan, 1965. 
[27] Robinson, J.A. 
Logic: Form and Function. 
North-Holland, New York, 1979. 
[28] Roussel. 
PROLOG: Manuel de reference et d'utilisation. 
Technical Report, Groupe de Researche en Intelligence Artificielle, Universite d'Aix-
Marseille, Luminy, 1975. 
[29] Shostak. 
Deciding Linear Inequalities by Computing Loop Residues. 
Technical Report, SRI International, Menlo Park, 1978. 
[30] Skolem. 
On Mathematical Logic. 
In J. van Heijenoort (editor), From Frege to Goedel,. Harvard University Press, 
Cambridge, MA, 1967. 
[31} United States of America Standards Institute. 
USA Standard FORTRAN. 
USA, 10 East 40th Street, New York, 1966. 
[32] Wang, H. 
Towards Mechanical Mathematics. 
IBM Journal for Research Development (4):2-22, Jan, 1960. 
[33) Warren, D. 
Implementing PROWG, a Language for Programming in Logic. 
Technical Report, University of Edinburgh, 1976. 
[34} Weyhrauch. 
A User's Manual for FOL. 
Technical Report STAN-CS-77-432, Stanford University, 1977. 
588 
CHAPTER 23 
CONCLUSIONS 
589 

1. Conclusions and Recommendations 
Our general conclusions are the following: 
1. This effort and others (University of Texas, Stanford University, University of 
Southern California - Information Sciences Institute, Com pion Company, and the 
System Development Corporation) show that the mechanized verification of complex 
systems is now feasible, although still difficult. 
2. We are quite pleased with the progress in verification from 5 years ago when most of 
the effort was on verifying algorithms (albeit complex ones). 
3. We are also quite pleased that comparatively simple requirements statements can be 
formulated for complex statements; when one removes the implementation detail from 
a description or a system what is left can be quite simple. 
4. In the verification of SIFT, most of the effort was absorbed in creating the models; 
once created, the verification of the models was not difficult using the STP Theorem 
Prover. 
5. The creation of models is not a routine activity. It is likely that inexperienced users or 
those not skilled in mathematical logic will have to go through many iterations of 
model creation/proof before succeeding in a verification of a complex system. 
Frustration might force such users to give up before achieving success. Several 
improvements below should help alleviate this problem, including a more intuitive 
specification language, a library of previously created models, and tools that are more 
helpful in the design/verification process. 
6. The tools we developed, although still relatively primitive and experimental, were 
useful; indeed, a completely manual proof of SIFT would have been too tedious and 
error-prone. 
7. The techniques for verification of numerical algorithms and hardware are still very 
tentative. A major erfort, perhaps of the magnitude we carried out for SIFT, is 
required to fully understand the problems and to develop the tools and techniques to 
make the verification process feasible. 
Our recommendations for future investigation are the following: 
1. The verification of SIFT should be completed, including the reconfiguration design 
(and code), the synchronization and interactive consistency programs, and the actual 
running code of SIFT. By having the running code verified, it will be possible for 
demonstrate that a verified system can withstand the careful testing that skeptics of 
verification would wish to carry out. Under a continuation of the effort reported here, 
SRI is moving towards a complete verification of SIFT. 
2. A single specification language should be developed; in this project we surrered 
through a succession of three specification languages, each with its advantages for 
particular situations, but none ideal. Under contract to the DoD Computer Security 
Center, we are currently developing such a language, the novel fea~ures of which are: 
59l 
• Semantics that can be completely defined in terms of the STP Theorem Prover 
logic 
• Support for the creation and use of new types 
• Parameterized types, to allow specifications to apply in many situations 
'. Specifications that can apply to a single operation or to a sequence of operations 
• Specifications of temporal behavior. Current techniques require time to directly 
expressed as functions. A more implicit approach, as provided by the newly 
emerging Temporal and Interval Logics, give promise of leading to more concise 
specifications of real time systems. 
• Incorporation of Hoare logic directly in the language. This feature will allow the 
user to direct the verification of programs without having to confront 
verification conditions. It has been our experience that errors in programs are 
difficult to analyze when presented with reference to verification conditions. 
Moreover, it is difficult for a user to create lemmas that would help verify 
verification conditions; such lemmas are more easily formulated with reference to 
the code and specifications -- as facilitated by the inclusion of Hoare logic in the 
specification language. 
3. Better engineered tools are essential. These tools should support an incremental 
approach to verification, since that is the only way a complex system can be verified. 
In this incremental paradigm, the user should be able to compose and verify 
incomplete programs, models and specifications; to change and reverify components 
-- the reverification being only for those components impacted by the change; and to 
ask for the status of the verification at any time. 
4. The verification of other real systems should be attempted; only by gaining experience 
in verifying such systems can the verification community fully understand what is 
required for particular applications and the user community appreciate the utility of 
the verification technique There is considerable effort being devoted to the design and 
verification of operating systems that are secure, where 8ecuritv means that the 
operating system prevents data flows in violation of various security models. Despite 
some limitations, the most popular security model is that concerned with multilevd 
8ecurity -- the allowed information flows are governed by the security level 
(unclassified, confidential, etc.) of the system users and their documents. Other 
applications worthy of verification are those typically associated with life-critical 
Cunctions or where errors can have a severe cost penalty, e.g., power plant control 
systems, mass transit control systems, flight-critical aircraft control systems, or 
electronic funds transfer systems. 
5. As experience is accumulated in real system verification, specifications and models 
should be published and made available - perhaps over the Arpanet. Having such 
documentation should make it easier for the less experienced users to verify their 
systems. 
592 
1. Report No. ~I 2. Government Accession No. 3. Recipient's Cltalog No. 
NASA Contractor Report 166008 
4. Title and Subtitie 5. Report Date 
Investigation, Development and Evaluation of Performance 
Proving for Fault-Tolerant Computers 6. Performing Organization Code 
1. Author!sj Karl N. Levitt, P.M. Melliar-Smith, 'Richard Schwartz, 8. Performing Organization Report No. 
Robert E. Shostak, Dwight Hare, Robert Boyer, J S. Moore, SRI Project 7821 
Milton Green, W. David Elliott 
10. Work Unit No. 
9. Performing Or!iOnization Name and Address 
SRI International 
333 Ravenswood Avenue 11. Contract or Grant No. 
Menlo Park, CA 94025 NASl-15528 
13. Type of Report and Period Covered 
12. Sponsoring Agency Name and Address I'nterimRepart 
National Aeronautics and Space Administration 
Langley Research Center 14. Sponsoring Agency Code 
Hampton, VA 23665 
• 15. Supplerr.entary Notes 
16. AbstT3ct 
Formal Verification is a technique for demonstrating by mathematical reasoning that a system satisfies 
its requirement. By a system we mean the computer hardware and the collection of programs that run 
on the hardware. A requirement is a description of the function to be carried out by the system. The 
requirement indicates the system's response to all sequences of inputs that could be applied to the 
If the verification is successfully carried out, the system is, in principle, guaranteed to be system. 
correct; no further validation (e.g., testing) should be required. In practice, testing will be required to 
discharge assumptions that undrrly the verification, e.g., docs the formally stated requirement satisfy the 
intents of the client, and is the hardware implementation correct. 
This report is concerned with the Formal Verification of computer systems. In the course of carrying out 
the work reported herein we developed several methodologies for verifying systems, developed computer-
based tools that assist users in verifying their systems, and have applied these tools to verifying in part 
the SIFT ultrareliable aircraft computer. Our approach to verifying SIFT consists of two steps: (I) 
Design Verification in which specifications for each of SIFT's top-level subprograms is shown to be a 
refinement of a sequence of high-level models, the topmost being an intuitive model of the goals of SIFT, 
and (2) Code Verification in which the subprograms' specifications are shown to be consistent with the 
Pascal im plcmentation. Using design verification tools, the heart of which is the STP Theorem Prover, 
we verified that tasks processed by SIFT will yield correct values within predctemined deadlines as long 
as enough working proc('ssors remain to assure that voting masks failures. Current work is considering 
the verification of other properties of SIFT (e.g., reconfiguration -- faulty processors are ignored by good 
processors), and continuing the verification of the SIFT implementation. 
Other work reported herein is concerned with techniques for the verification of (1) the precision of 
numerical algorithms, (2) control systems, e.g., where the requirement is a control law for a flight control 
system, and (3) hardware logic. 
11. Key Words (Suggested by Author(s)) 18. Distribution Statemant 
System verification, design proof, code proo , 
fault-tolerant computers, flight control Unclassified--Unlimited 
system verification, hardware logic verifi-
cation. 
19. Security Classit. (of this report) 20. Security Classif. (of this page) 21. No. of Pages 22. Price 
Unclassified 
"-305 
Unclassified 597 
For sale by the National Technicallnrormation Service, Springrield. Virginia 22161 
593 
End of Document 
