Providing a formal linkage between MDG and HOL based on a verified MDG system. by Xiong, Haiyan
Providing a Formal Linkage between MDG and HOL Based on a Verified MDG System
A thesis submitted to Middlesex University 
in partial fulfilment of the requirement for the degree of 
Doctor of Philosophy 
Haiyan Xiong 
School of Computing Science 
Middlesex University 
January 2002 

Abstract 
Formal verification techniques can be classified into two categories: deductive theorem proving and symbolic state enumeration. Each method has complementary advantages and disadvantages. In general, theorem provers are high reliability systems. They can be applied to the expressive formalisms that are capable of modeling complex designs such as processors. However, theorem provers use a glass-box approach. To complete a verification, it is necessary to understand the internal structure in detail. The learning curve is very steep and modeling and verifying a system is very time-consuming. In contrast, symbolic state enumeration tools use a black-box approach. When verifying a design, the user does not need to understand its internal structure. Their advantages are their speed and ease of use. But they can only be used to prove relatively simple designs and the system security is much lower than that of a theorem proving system. Many hybrid tools have been developed to reap the benefits of both theorem proving systems and symbolic state enumeration systems. Normally, the verification results from one system are translated to another system. In other words, there is a linkage between the two systems. However, how can we ensure that this linkage can be trusted? How can we ensure the verification system itself is correct?

The contribution of this thesis is that we have produced a methodology which can provide a formal linkage between a symbolic state enumeration system and a theorem proving system based on a verified symbolic state enumeration system. The methodology has been partly realized in two simplified versions of the MDG system (a symbolic state enumeration system) and the HOL system (a theorem proving system), which involves the following three steps. First, we have verified aspects of correctness of two simplified versions of the MDG system. We have made certain that the semantics of a program is preserved in those of its translated form. Secondly, we have provided a formal linkage between the MDG system and the HOL system based on importing theorems. The MDG verification results can be formally imported into HOL to form HOL theorems. Thirdly, we have combined the translator correctness theorems with the importing theorems. This combination allows the low level MDG verification results to be imported into HOL in terms of the semantics of a high level language (MDG-HDL). We have also summarized a general method which is used to prove the existential theorem for the specification and implementation of the design. The feasibility of this approach has been demonstrated in a case study: the verification of the correctness and usability theorems of a vending machine.
ii 
Acknowledgments 
I have been very fortunate to have had Dr. Paul Curzon, Prof. Ann Blandford and Prof. Sofiene Tahar as my supervisors. I am deeply grateful for their support and encouragement throughout my Ph.D studies. I am most indebted to them for the considerable amount of time they each devoted to me in my research work. I extend my deepest thanks especially to Dr. Paul Curzon, without whose invaluable guidance I could not have completed this work.

In this thesis, several of the chapters are based on publications that were produced in the course of this research. The papers published jointly with my supervisors were all first-authored by me, and all report on my own work, completed under their supervision [78 - 83]. The work reported in Chapter 5 realized a general idea of Curzon and Tahar [80]: I formalized that idea in HOL. The work reported in Chapter 8 takes an example that was originally developed by Curzon and Blandford [24], and applies the approach developed within this thesis to that same example. The MDG verification was completed with the help of Tahar. All the HOL proof is my own work, again completed under their supervision.

I would like to thank people in the Automated Reasoning Group in Cambridge and the MDG group in Montreal, Prof. Mike Gordon, Dr. Konrad Slind, Dr. Michael Norrish, Joe Hurd, Dr. Richard Boulton and Prof. Tom Melham. When I have needed help they have always lent me a hand. I have benefitted so very much from their vast knowledge and insight.

I am particularly thankful to Dr. Wai Wong, who not only introduced me to this field, but also provided a great deal of assistance.

Many thanks to Sardia, who provided fabulous administrative support, and to Leonard, who was always available whenever I had problems with my computer.

I would like to reserve my deepest thanks for my parents for their perpetual love and encouragement, and to my husband and my son for their sacrifices and patience. I can never thank them enough.

Lastly, I would like to acknowledge the support obtained from the School of Computing Science, Middlesex University and EPSRC grant GR/M45221.

Haiyan Xiong
iv 
Contents 
Abstract ii
Acknowledgments iv
1 Introduction 1
1.1 The MDG System 5
1.2 The HOL System 7
1.3 Overview of the Research 8
1.3.1 Verifying the MDG Translators 10
1.3.2 The Importing Theorems 16
1.3.3 Combining the Translator Correctness Theorems with the Importing Theorems 18
1.3.4 Proving the Existential Theorem 21
1.4 Outline of Thesis 22
2 Literature Review 26
2.1 Semantic Embedding 27
2.2 Verifying Verification Systems 29
2.3 Verifying Compiler Correctness 32
2.4 Trusting Combined Systems 35
3 Verifying the MDG Translators for a Boolean Subset 42
3.1 The Syntax of the MDG-HDL Language 43
3.2 The Syntax of the Core MDG-HDL Language 48
3.3 The Syntax of the MDG Formula Representation Program 48
3.4 Translating MDG-HDL into the Core MDG-HDL Language 50
3.5 Translating the Core MDG-HDL Program into the MDG Formula Representation Program 52
3.6 The Semantics of the MDG-HDL Program 56
3.7 The Semantics of the Core MDG-HDL Program 63
3.8 The Semantics of the MDG Formula Representation Program 64
3.9 Translator Correctness Theorems 66
4 Verifying the MDG Translator for the Extended Subset 70
4.1 State Transitions of the Fairisle Switch Fabric Timing Block 71
4.2 The Syntax of the MDG-HDL Language 73
4.3 The Syntax of the Core MDG-HDL Language 75
4.4 Compiling MDG-HDL into the Core MDG-HDL Language 76
4.5 The Semantics of the MDG-HDL Program 77
4.6 The Semantics of the Core MDG-HDL Language 85
4.7 Translator Correctness Theorem 87
5 Importing Theorems 89
5.1 Combinational Verification 92
5.2 Sequential Verification 92
5.3 Invariant Checking 96
6 Combining the Compiler Correctness Theorems with the Importing Theorems 99
6.1 Combining the Translator Correctness Theorems with the Importing Theorems for a Boolean Subset 102
6.1.1 Combinational Verification 102
6.1.2 Sequential Verification 105
6.2 Combining the Translator Correctness Theorem with the Importing Theorems for an Extended Subset 111
6.2.1 Combinational Verification 111
6.2.2 Sequential Verification 112
7 Existential Theorems 115
7.1 Existential Theorem for the Extended Subset 118
7.2 The Output Representation for the Basic MDG-HDL Components 119
7.3 The Output Representation for TABLE Components 121
7.4 Dealing with the Existential Quantified Internal Variables 126
7.5 An Example 127
8 Case Study: Verification of the Correctness and Usability Theorems of a Vending Machine 131
8.1 Chocolate Machine 134
8.2 Proving the Chocolate Machine using the MDG System 134
8.2.1 The Implementation 136
8.2.2 The Specification 139
8.2.3 Three Other Specification Files 141
8.3 The Importation Process of the Verification Results 141
8.3.1 The Syntax and the Semantics of the Chocolate Machine 142
8.3.2 Importing the MDG Results into HOL 146
8.4 Verification of the Usability Theorems 151
9 Conclusions and Future Work 156
9.1 Conclusions 156
9.2 Future Work 161
A The Abstract Syntax of a Boolean Subset 174
B The Abstract Syntax of an Extended Subset 177
C The MDG-HDL Programs of the Verification of the Chocolate Machine 180
List of Figures 
1.1 Overview of the Research 9
1.2 The AND Table 11
1.3 Overview of the MDG Translation Phases 11
1.4 The AND Gate in the MDG Formula Representation 12
1.5 The MDG Translation Phases 12
1.6 Compilation Correctness 14
1.7 Hierarchical Verification 17
1.8 The MDG Verification Process 20
2.1 The MDG Verification System 32
3.1 The Circuit Description File of Three NOT Gates and One Register 44
3.2 The Syntax of a NOT Gate Table 46
3.3 The Abstract Syntax of a Core MDG-HDL Program 49
3.4 The Syntax of an AND Gate Table 51
3.5 Translating the MDG-HDL Program into the Core MDG-HDL Program 53
4.1 State Transitions of the Fairisle Switch Fabric Timing Block 72
4.2 The Behavior of the Fairisle Switch Fabric Timing Block 72
5.1 The Hierarchy of Module A 90
5.2 The Product Machine used in MDG Sequential Verification 93
5.3 The Machine Verified in Invariant Checking 96
6.1 Combining the Translator Correctness Theorems with Importing Theorems for a Boolean Subset 100
6.2 Combining the Translator Correctness Theorems with Importing Theorems for an Extended Subset 101
6.3 Two Equivalent Combinational Circuits 104
6.4 The Machine used for Sequential Verification of the REGNOT3M Circuit 108
7.1 The Output of a TABLE is a State Variable and Contained in the Input List 124
7.2 A Circuit 127
8.1 The Chocolate Machine 135
8.2 The Circuit of the Chocolate Machine 137
8.3 The State Transition Diagram of the Chocolate Machine 139
8.4 The Abstract Syntax of the Specification File 144
8.5 The Abstract Syntax of the Implementation File 145
8.6 The Semantics of the Specification File 147
8.7 The Existential Theorem of the Specification of the Chocolate Machine 149
Chapter 1 
Introduction 
Formal methods are the application of applied mathematics, formal logic, to the design and analysis of computer systems. Generally, formal verification techniques can be classified into two categories: deductive theorem proving and symbolic state enumeration. In deductive theorem proving systems, the correctness condition for a design is represented as a theorem in a mathematical logic, and a mechanically checked proof of this theorem is generated using a general-purpose theorem prover. In symbolic state enumeration systems, the design being verified is represented as a decision diagram. Techniques such as reachability analysis are used to automatically verify given properties of the design or machine equivalence. Much of this work is based on Binary Decision Diagrams (BDD) [4] [11].

Deductive theorem proving systems use interactive proof methods. In these systems, an implementation and its behavioral specification are represented as first-order or higher-order logic formulas. The user interactively constructs a formal proof which proves a theorem stating the correctness of this implementation. Theorem proving systems are naturally deductive process systems. They allow a hierarchical verification method to be used to model the overall functionality of designs with complex datapaths. They are very general in their applications. The theorems can not only be used to formalize a specific design but can also be abstracted as a general situation of this class of design. Theorem proving systems are semi-automated. To complete a verification, experts with good knowledge of the internal structure of the design are required to guide the proof searching process. This enables the designer to gain greater insight into the system and thus achieve better designs. However, the learning curve is very steep, and modelling and verifying a system is very time-consuming. This is the major difficulty in applying theorem proving systems in industry.

In contrast, symbolic state enumeration systems are automated decision diagram approaches. In this kind of approach, an implementation and its behavioral specification are represented as decision diagrams. A set of algorithms is used to efficiently manipulate the decision diagrams so as to get the correctness results. The introduction to the BDD based method by Hu [47] may be taken as a good reference. In contrast to the theorem prover, symbolic state enumeration verification is a relatively modest activity. It normally deals with a single model rather than the whole design. The symbolic state enumeration verification approach can be viewed as a black-box approach. During the verification, the user does not need to understand the internal structure of the design. The strength of this approach is its speed and ease of use. However, it does not scale well to complex designs since it uses non-hierarchical state-based descriptions of the design. An increase in the number of design components can result in the state space growing exponentially.
In the 1990s, the efficiency breakthrough in symbolic state enumeration was such that industry successfully applied symbolic state enumeration tools in digital circuit synthesis and verification. Since then, more and more tools have been developed including Spin [45], MDG [20], STE [72] and so on. Although they have been very successfully used in industry, there are still many deficiencies in the currently available symbolic state enumeration tools. Although the symbolic state enumeration based tools can be applied to circuits of considerable size, they still do not scale up sufficiently. Theorem proving systems, on the other hand, can be applied to large designs in theory, although in practice it is time consuming. One solution is to combine these two kinds of systems to reap the advantages of both. This combination allows the fully automated proof tools to rely on a theorem proving system, so that the increasing size and complexity of a design can be handled in practice.

Recently, there has been a great deal of work concerned with combining theorem proving and symbolic state enumeration systems. A common approach to combining proof tools is to use a symbolic state enumeration system as an oracle to provide results to the theorem proving system. The issue in such work is to guarantee that the results provided by external tools are theorems within the theory of the proof system. In other words, an oracle is used to receive problems and return answers. For example, the HOL system provides approaches for tagging theorems that are dependent on the correctness of external verification tools. An oracle built into the HOL system is viewed as a plug-in. This brings about two questions.

1. Can we ensure the automated verification system produces the correct results?
2. Have the verification results from an automated verification system been correctly converted into a valid theorem in the current theory of the theorem proving system?

The research described here investigates the answers to the above two questions. In fact, some symbolic state enumeration based systems such as MDG [20] consist of a series of translators and a set of algorithms. Higher level languages such as hardware description languages are used to describe the specification and implementation of the design. The specification and implementation are then translated into the decision diagrams via intermediate languages. The algorithms in the system are used to efficiently and automatically deal with the decision diagrams so as to obtain the correctness results. We need to verify the translators and algorithms in order to answer the first question. To answer the second question, we need to formally justify the correctness results, which are obtained from a symbolic state enumeration system, in a theorem prover, to ensure the correctness of the theorem creation process.

In this thesis, we will produce a methodology which can provide a formal linkage between a theorem proving system and a symbolic state enumeration system based on a verified symbolic state enumeration system, to ensure the correctness of the theorem creation process. We first need to verify aspects of correctness of the symbolic state enumeration system in an interactive theorem proving system. We then need to prove the translators and algorithms to ensure the correctness of the system. By combining the translator correctness theorems with the importing theorems, the verification results from the state enumeration system can be imported into the theorem proving system in terms of the semantics of the high level language (HDL) rather than the low level language (decision graph). We also need to summarize a general method to prove the existential theorem of the design, which is needed for importing sequential verification results into the theorem proving system.
We will partly realize the methodology in the HOL system and two simplified versions of the MDG system. We will prove the correctness of aspects of the simplified versions of the MDG system and provide a formal linkage between the HOL system and the simplified versions of the MDG system. Lessons from the research could be applicable to other related systems. We chose HOL and MDG because this research is part of a large project in collaboration with the Hardware Verification group at Concordia University. They are developing a hybrid system (MDG-HOL) [54] [53] [66] which combines the MDG system and the HOL system. Our aim is different to theirs. We are not developing a practical tool. We are doing theoretical research about how to verify the MDG system and provide a formal linkage between the HOL system and the MDG system. Our deep embedding semantics is in terms of the specification of the MDG system. Since we will consider the simplified versions of the MDG system, in the rest of this thesis we will refer to the simplified versions of the MDG system as 'the MDG system' except in section 1.1.

In the research, we first consider verifying the translation phases of the MDG system using the HOL system and obtain a series of correctness theorems. By combining those theorems, we obtain that the semantics of a low level MDG program equals the semantics of a high level MDG-HDL program (the MDG input language). We then consider how to formally import the MDG verification results to a form that can be used in the HOL system. We formalize the MDG verification results in terms of the semantics of the low level MDG program and turn them into HOL to form the HOL theorems. By combining the translation correctness theorems with the importing theorems, we obtain theorems which convert the low level MDG verification results into HOL to form the HOL theorem based on the semantics of the MDG input language. In other words, this combination allows the imported theorem to be in terms of the semantics of MDG-HDL. To ease importing the MDG results into HOL for sequential verification, we summarize a general way to prove the existential theorem (a theorem of the form ∀ip. ∃op. C ip op). All the theorems in this thesis written with ⊢thm have been proved in HOL.

The structure of the rest of this chapter is as follows: in sections 1.1 and 1.2, we will briefly introduce the MDG system and the HOL system respectively. An overview of the research will be given in section 1.3. Finally, an outline of this thesis will be presented in the last section.
1.1 The MDG System 
The full MDG system is an automated verification tool for hardware verification. It uses a new class of decision graphs called Multiway Decision Graphs, which subsume the class of Bryant's Reduced and Ordered Binary Decision Diagrams (ROBDD) [12] while accommodating abstract sorts and uninterpreted function symbols.

A multiway decision graph (MDG) is a finite directed acyclic graph G where the leaf nodes are labeled by formulas, the internal nodes are labeled by terms and the edges issuing from an internal node, N, are labeled by terms of the same sort as the label of N. Such a graph represents a formula defined inductively as follows:

1. If G consists of a single leaf node labeled by a formula P, then G represents P.
2. If G has a root node labeled A with edges labeled B1 ... Bn leading to subgraphs G1 ... Gn, and if each Gi represents a formula Pi, then G represents the formula ∨(1≤i≤n) ((A = Bi) ∧ Pi).

In fact, when an MDG has been constructed as a graph, it must obey the restrictions that any path from the root to a leaf yields a canonical representation. Like ROBDDs, an MDG must be reduced and ordered. Unlike ROBDDs, all the variables used in an MDG must have an appropriate sort, and sort definitions must be provided for all functions. MDGs can also represent the transition and output relations of a state machine, as well as the set of possible initial states and the sets of states that arise during reachability analysis.

The underlying logic of MDG is a subset of many-sorted first-order logic with a distinction between concrete and abstract sorts. A concrete sort has an enumeration while an abstract sort does not. Therefore, a data signal can be represented by a single variable of abstract sort and a data operation can be represented by an uninterpreted function symbol. This partially fulfills the aim of interactive verification to verify hardware designs automatically at a high level of abstraction. It also lifts many ROBDD techniques from the boolean domain to a more abstract domain. In particular, a data signal in an MDG is represented by a single variable of abstract sort rather than a vector of boolean variables, and a data operation is represented by an uninterpreted function symbol. Therefore, MDGs are more compact than ROBDDs for circuits having a datapath, and this greatly increases the range of circuits that can be proved.

The MDG package has been implemented in Prolog. Algorithms such as disjunction, relational product (combination of conjunction and existential quantification), pruning-by-subsumption (for testing of set inclusion) and reachability analysis (using abstract implicit enumeration) have been developed. Applications for hardware verification such as combinational verification, sequential verification, invariant checking and model checking are provided.
1.2 The HOL System 
The HOL system is an LCF (Logic of Computable Functions) style proof system. It uses higher-order logic to model and verify a system. There are two main different proof methods: forward and backward proof. In forward proof, the steps of a proof are implemented by applying inference rules chosen by the user, and HOL checks that the steps are safe. All derived inference rules are built on top of a small number of primitive inference rules. In backward proof, the user sets the desired theorem as a goal. Small programs written in SML [65] called tactics and tacticals are applied to break the goal into a list of subgoals. Tactics and tacticals are repeatedly applied to the subgoals until they can be resolved. A justification function is also created mapping a list of theorems corresponding to subgoals to a theorem that solves the goal. In practice, forward proof is often used within backward proof to convert each goal's assumptions to a suitable form.

Theorems in the HOL system are represented by values of the ML abstract type thm. There is no way to construct a theorem except by carrying out a proof based on the primitive inference rules and axioms. More complex inference rules and tactics must ultimately call a series of primitive rules to do the work. In this way, the ML type system protects the HOL logic from the arbitrary construction of a theorem, so that every computed value of the type representing theorems is a theorem. The user can have a great deal of confidence in the results of the system.
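As an added illustration (not HOL's own code, and in Python rather than ML), the toy kernel below models what this paragraph describes: a theorem type whose values can only be produced by the primitive inference rules, together with the oracle tagging mentioned earlier in this chapter for results imported from an external tool. The term shapes, the token mechanism, the three rules and the tag name "MDG" are simplifications assumed here.

```python
# Added example (not HOL's own code): a toy LCF-style kernel. Terms are
# tuples such as ("var", "p") or ("imp", a, b); hypotheses are sets of terms.
_KERNEL_TOKEN = object()   # only the rules in this module hold this token


class Thm:
    """Abstract type of theorems, like HOL's ML type thm: the constructor
    refuses any caller that does not present the kernel token."""
    __slots__ = ("hyps", "concl", "tags")

    def __init__(self, hyps, concl, tags, _token=None):
        if _token is not _KERNEL_TOKEN:
            raise TypeError("theorems may only be built by primitive rules")
        self.hyps, self.concl, self.tags = frozenset(hyps), concl, frozenset(tags)

    def __repr__(self):
        tag = f" [{','.join(sorted(self.tags))}]" if self.tags else ""
        return f"{set(self.hyps) or '{}'} |- {self.concl}{tag}"


def _mk(hyps, concl, tags=()):
    return Thm(hyps, concl, tags, _token=_KERNEL_TOKEN)


# --- primitive inference rules (a small subset of HOL's) ---
def ASSUME(p):
    """{p} |- p"""
    return _mk({p}, p)


def DISCH(p, th):
    """A |- q  gives  A - {p} |- p ==> q ; the tags are inherited."""
    return _mk(th.hyps - {p}, ("imp", p, th.concl), th.tags)


def MP(th_imp, th_ante):
    """A1 |- p ==> q  and  A2 |- p  give  A1 u A2 |- q ; tags are unioned,
    so a dependency on an external tool is never silently dropped."""
    if th_imp.concl[0] != "imp" or th_imp.concl[1] != th_ante.concl:
        raise ValueError("MP: antecedent does not match")
    return _mk(th_imp.hyps | th_ante.hyps, th_imp.concl[2],
               th_imp.tags | th_ante.tags)


def mk_oracle_thm(tag, concl):
    """Accept a result from an external tool as a theorem tagged with its name."""
    return _mk(set(), concl, {tag})


def forge_attempt(concl):
    """Try to build a theorem directly, bypassing the rules; True if it worked."""
    try:
        Thm(set(), concl, set())
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    p, q = ("var", "p"), ("var", "q")
    external = mk_oracle_thm("MDG", ("imp", p, q))   # constructed: tool says p ==> q
    derived = DISCH(p, MP(external, ASSUME(p)))       # |- p ==> q, still tagged [MDG]
    print(derived, forge_attempt(q))
```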
HOL has a rudimentary library facility which enables theories to be shared. This provides a file structure and documentation format for self contained HOL developments. Many basic reasoners are given as libraries such as mesonLib, simpLib, decisionLib and bossLib. These libraries integrate rewriting, conversion and decision procedures that automate a proof. They free the user from performing low-level proof.
1.3 Overview of the Research 
The intention of our research is to explore a way of increasing the degree of trust in the MDG system and to provide a formal linkage between the HOL system and the MDG system as shown in Figure 1.1. This work can be divided into three steps. (a) We must verify the correctness of the MDG system using the HOL system. It consists of two phases: (1) verification of the translators [82] and (2) verification of the algorithms. (b) We then must prove theorems (step 3 in Figure 1.1) which formally convert the verification results of different MDG applications into the traditional HOL hardware verification theorems [80]. (c) By combining the correctness theorems (theorems obtained from steps 1 and 2 in Figure 1.1) of the verification of the MDG system with the importing theorems (theorems obtained from step 3 in Figure 1.1), the MDG verification results can be imported into HOL in terms of the MDG input language.
During this study, we concentrate on the verification of the translation phase of the MDG system (step 1, Figure 1.1) using the HOL theorem prover and importing the MDG results into HOL to form the HOL theorems (step 3, Figure 1.1) [80]. Step 2 is similar to Chou and Peled's work [17] which verifies a partial-order reduction technique for model checking. Verifying the algorithms is beyond the scope of this thesis, as we are primarily concerned with the linkage and how it could be combined with the correctness theorems and importing theorems. We outline the methodology of the whole story and emphasize the importation process of the hybrid system. We not only verify the correctness of aspects of the MDG system in HOL, but also formally import the MDG results into HOL to form the HOL theorems based on the semantics of the high level MDG input language (MDG-HDL) [86] rather than the semantics of the low level language. Since we use a deep embedding semantics, the translator correctness theorems can be combined with other translator correctness theorems and the importing theorems. These combinations allow the low level MDG results to be converted into a form that can be easily reasoned about in HOL based on the semantics of MDG-HDL. We also summarize the general method for proving the existential theorem to remove the burden from the user of the combined system. This theorem is needed for importing sequential verification results into the theorem proving system.

[Figure 1.1: Overview of the Research. MDG-HDL -> translator -> MDG decision graphs -> MDG verification algorithms -> results (Yes/No) -> conversion -> traditional HOL theorems. Step 1: verify the translator; step 2: verify the algorithms; step 3: verify the conversion.]
In the remainder of this section, we will briefly introduce the individual steps that we have undertaken: verifying the translator correctness theorems, proving the general importing theorems, combining the translator correctness theorems with the importing theorems on the basis of deep embedding semantics and proving the existential theorem. These will each be considered in detail in subsequent chapters.
1.3.1 Verifying the MDG Translators
The input language of the MDG system is a Prolog-style hardware description language (MDG-HDL) [86], which allows the use of abstract variables for representing data signals. It supports structural specification, behavioral specification or a mixture of both. A structural specification is usually a netlist of components connected by signals, and a behavioral specification is given by a tabular representation of transition/output relations or a truth table. In MDG, a circuit description file declares signals and their sort assignment, the components network, outputs, initial values for sequential verification and the mapping between state variables and next state variables. In the components network, there is a large set of predefined components such as logic gates, flip-flops, registers and constants. Among the predefined components there is a special component called a Table, which is used to describe a functional block in the implementation and specification. The Table constructor is similar to a truth table, but allows first-order terms in rows. It also allows the high-level description to construct ITE (If-Then-Else) formulas and CASE formulas. A table is essentially a series of lists, together with a single final default value. The first list contains variables and cross-terms. The last element of the list is the output of the table, which must be a variable (either concrete or abstract). For example, a two input AND gate can be described as the table shown in Figure 1.2. In the figure, "*" means "don't care". It states that if x1 is equal to false and x2 is DON'T CARE then the output y is equal to false, if x1 is equal to true and x2 is equal to false then the output y is equal to false, otherwise the output y is equal to true.

Most of the components in the MDG-HDL library are compiled into their own core MDG-HDL code (tabular codes) first. The core MDG-HDL program can then be compiled into internal MDG decision graphs (MDGs). Some components, such as registers, are implemented directly in terms of MDGs. However, in theory these components could also be implemented as tables to provide a general specification mechanism. We assume the MDG-HDL program is first translated into a core MDG-HDL program and then the core MDG-HDL program is translated into MDG.
Table([[x1, x2, y], [0, *, 0], [1, 0, 0] | 1])

         INPUTS      OUTPUT
         x1    x2    y
  IF     F     *     F
         T     F     F
  ELSE               T

(a) AND gate table in MDG-HDL and core MDG-HDL

Figure 1.2: The AND Table

MDG-HDL --(1)--> core MDG-HDL --(2)--> MDG decision graphs

Figure 1.3: Overview of the MDG Translation Phases
In this situation, the MDG system could be specified as in Figure 1.3.

Because the Table constructor allows the high-level description to construct ITE formulas and CASE formulas, the possible input values of the else condition are not listed in the table of the core MDG-HDL. For example, the possible input value for the else condition of the AND gate table should be that if x1 is equal to true and x2 is equal to true then the output y is equal to true. It is not contained in the table. However, an internal MDG decision graph is determined in terms of all possible input values of its table, which can be represented as a formula representation. Therefore, the MDG system translates the core MDG-HDL program into its formula representation first. In the MDG formula representation program, the table not only contains the input values of the if condition, it also contains the possible input values of the else condition. For example, an AND gate can be described as shown in Figure 1.4.
          INPUTS      OUTPUT
          x1    x2      y
  IF      F     *       F
          T     F       F
  ELSE    T     T       T

Figure 1.4: The AND Gate in the MDG Formula Representation
MDG-HDL --(1)--> core MDG-HDL --(2)--> MDG formula representation --(3)--> MDG decision graphs
Figure 1.5: The MDG Translation Phases
In other words, step (2) in Figure 1.3 can be further divided into two steps.
The core MDG-HDL program is translated into the MDG formula representation
first, and the MDG formula representation program can then be translated into
an internal MDG decision graph. The MDG system can now be specified as in
Figure 1.5.
Adopting this approach makes the translation phase more amenable to verification.
We are not verifying the actual MDG implementation. Rather, our formalization
of the translator is a specification of it. Once combined with a translator from
core MDG-HDL to MDGs, it would specify the output required from the
implementation, and this would be used as the basis for verifying such an implementation.
Effectively we split the problem of verifying the translator into two problems:
verifying that the implementation meets a functional specification, and verifying
that the functional specification preserves semantics. We are concerned with the
latter step here. This split between implementation correctness and specification
correctness was advocated by Chirica and Martin [16] with respect to compiler
correctness.
In our research, we intend to verify the translation phase of the MDG system
(Figure 1.5) based on the semantics of the MDG input language, using the HOL
theorem prover. As mentioned above, the MDG system can be considered as a
series of translators between different intermediate languages, as shown in
Figure 1.6. The verification process includes the following steps. First, the
syntax and the semantics of the MDG-HDL subset, core MDG-HDL, the MDG formula
representation and the MDG decision graph are defined. A set of functions that
translate a program from MDG-HDL to core MDG-HDL, from core MDG-HDL to the
MDG formula representation and from the MDG formula representation to the MDG
decision graph is then defined. For each program in MDG-HDL, core MDG-HDL or
the MDG formula representation, the compilation operators are defined as functions
that return its core MDG-HDL, MDG formula representation or MDG decision graph
code. The translation functions TransProgMC, TransProgCF and TransProgFM are
applied to an MDG-HDL program, a core MDG-HDL program or an MDG formula
representation program respectively, so that the corresponding core MDG-HDL
program, MDG formula representation program or MDG decision graph program is
established. In other words, the relations between the translations can be
represented as below:
∀ p. TransProgMC p = the core MDG-HDL program
or
∀ p. TransProgCF (TransProgMC p) = the MDG formula representation program
or
∀ p. TransProgFM (TransProgCF (TransProgMC p)) = the MDG decision graph program
The standard approach to proving a translator between two languages correct is in
terms of the semantics of the languages, as shown in Figure 1.6. Essentially, the
translation should preserve the semantics of the source language. This has the
traditional form of compiler specification correctness used in the verification of
a compiler [16]. The analogous method can be used to specify and verify the
translation part of the MDG system.

[Figure 1.6: Compilation Correctness. A commutative diagram. Across the top row
are the syntax of MDG-HDL (a program p), core MDG-HDL (TransProgMC p), the MDG
formula representation (TransProgCF (TransProgMC p)) and the MDG decision graph
(TransProgFM (TransProgCF (TransProgMC p))), linked by the translators
TransProgMC, TransProgCF and TransProgFM. Below each language is its semantics
function applied to that program: MDG-HDL semantics p, core MDG-HDL semantics
(TransProgMC p), MDG formula representation semantics (TransProgCF (TransProgMC
p)) and MDG decision graph semantics (TransProgFM (TransProgCF (TransProgMC p))).
Correctness requires the semantics of each program to equal the semantics of its
translation, as in the theorems below.]

For the translation to core MDG-HDL, the correctness theorem has the form
∀ p. Semantics (p) = Semantics (TransProgMC p)

For the translation to the MDG formula representation, the correctness theorem has
the form

∀ p. Semantics (TransProgMC p) = Semantics (TransProgCF (TransProgMC p))

For the translation to the MDG decision graph, the correctness theorem has the
form

∀ p. Semantics (TransProgCF (TransProgMC p)) =
     Semantics (TransProgFM (TransProgCF (TransProgMC p)))

By combining the three correctness theorems above, we obtain a correctness theorem
stating that the semantics of the low-level MDGs is equal to the semantics of the
high-level MDG-HDL:

∀ p. Semantics (p) = Semantics (TransProgFM (TransProgCF (TransProgMC p)))
The MDG system is based on Multiway Decision Graphs, which extend ROBDDs
with concrete sorts, abstract sorts and uninterpreted function symbols. It can also
handle the boolean subset as other ROBDD tools do. So that our method can easily
be applied to other decision graph based verification tools, we define deep
embedding semantics for two different subsets of the MDG-HDL language in this
thesis. Neither subset contains the three MDG predefined components Multiplexer,
Driver and Constant, or the Transform construct used to apply functions. These
components are omitted because they have non-boolean inputs or outputs. We keep
the subsets simple here because we want to explore the feasibility of the method.
The first subset is a boolean subset of the language, which corresponds to an
ROBDD system. In this subset, the table representation in the core MDG-HDL
language can only be defined in terms of boolean input values (true or false).
We consider this subset because it corresponds to an ROBDD system: the
formalization of this subset can be integrated into other ROBDD-based tools with
relatively small modification. For this subset, we concentrate on verifying the
first two translation steps (see (1) and (2), Figure 1.5). Details are given in
Chapter 3.
The second subset is an extension of the first; in the rest of this thesis we
call it the extended subset. It allows an MDG-HDL program to contain concrete
sorts. In other words, the inputs and outputs of a table in this subset may be of
boolean sort or of concrete sort. This is important because it is the way the MDG
system works. To cope with different types in one list, we define a new type
Mdg_Basic in HOL whose values are either a boolean value or a string. As a result,
the syntax and semantics of this subset are more complex, and the difficulty of
verifying the MDG translator increases considerably. For this subset, we
concentrate on verifying the first translation step (see (1), Figure 1.5). More
detail is given in Chapter 4.
1.3.2 The Importing Theorems 
Generally, when we use HOL to verify a design, the design is modelled as a
hierarchical structure with modules divided into submodules, as shown in
Figure 1.7. The submodules are repeatedly subdivided until the logic gate level is
eventually reached.

[Figure 1.7: Hierarchical Verification. A module is divided into submodules, and
each submodule into subsubmodules; each level is labelled with its Specification
on one side and its Verification on the other.]

Both the structural and the behavioural specifications of each module are given
as relations in higher-order logic. The verification of each module is carried out
by proving a theorem asserting that the implementation (its structure) implements
(implies) the specification (its behaviour). These theorems have the very general
form:
implementation ⊃ specification                                           (1.1)
The correctness theorem for each module states that its implementation down to the
logic gate level satisfies the specification. The correctness theorem for each module
can be established using the correctness theorems of its submodules. In this sense
the submodule is treated as a black box. A consequence of this is that different
technologies can be used to address the correctness theorem for the submodules. In
particular, we can use the MDG system instead of HOL to prove the correctness of
submodules.
In order to convert the MDG verification results into HOL, we need to formalize
the results of the MDG verification applications in HOL. These formalizations have
different forms for the different verification applications: combinational
verification gives a theorem of one form, sequential verification gives a different
form, and so on. However, the most natural and obvious way to formalize an MDG
result does not give theorems of the form that HOL needs if we are to use
traditional HOL hardware verification techniques. Therefore, we need to be able to
convert the MDG results into a usable form. In other words, we need to prove a
series of translation theorems (one for combinational verification, one for
sequential verification, etc.) that state how an MDG result can be converted into
the traditional HOL form:

Formalized MDG result ⊃ (implementation ⊃ specification)
We have formally specified the correctness results produced by several different
MDG verification applications. We have given a general importing theorem for
some MDG applications. These theorems do not explicitly deal with the MDG-HDL
semantics or multiway decision graphs. Rather they are given in terms of
general relations on inputs and outputs. The theorems proved could be applicable to
other verification systems with similar architectures based on reachability analysis
or equivalence checking.
1.3.3 Combining the Translator Correctness Theorems with 
the Importing Theorems 
In this section, we introduce the basic idea of how to combine the translator
correctness theorems with the importing theorems based on the deep embedding
semantics. This combination allows the MDG results to be reasoned about in HOL
in terms of the MDG input language (MDG-HDL). Ultimately, in HOL we want
a theorem about input language artifacts. However, the MDG verification results
are obtained from a low-level data structure, the MDG representation: that is
what the algorithms apply to. Therefore, the formalization of the MDG verification
results in the importing theorems ought to be based on the semantics of the MDG
representations. The theorem about the translator's correctness can then be
used to convert the result MDG proves about the low-level representation into one
about the input language (MDG-HDL). By combining the translator correctness
theorems with the importing theorems, we obtain new importing theorems
that convert the low-level MDG verification results into HOL theorems stated in
terms of the semantics of the high-level language MDG-HDL. In other
words, not only are we able to import the MDG results into HOL based on a verified
MDG system, but the MDG verification results can also be converted into HOL
theorems in terms of the semantics of MDG-HDL.
For example, if we check that three NOT gates are equivalent to a single NOT gate,
the whole MDG verification process and the importing process can be illustrated
as in Figure 1.8. In Figure 1.8, step (1) gives the main part of the two circuit
description files (in the MDG-HDL input language), which are translated into the
core MDG-HDL (tabular representation) language in step (2). The core MDG-HDL
descriptions are then translated into the MDG formula representation (step (3)),
and further into the MDG decision graph language (step (4)). A set of MDG
algorithms is then applied to the MDGs to obtain two canonical MDGs, and the MDG
tool checks whether the two canonical MDGs are identical and returns true or false
(step (5)).
In our example the MDG tool returns true. The MDG verification results are
obtained from the low-level MDGs rather than from the high-level language
MDG-HDL. However, the translator correctness theorems state that the semantics of
the low-level MDG is equal to the semantics of the high-level MDG-HDL (the MDG
input language). By combining the translator correctness theorems, the MDG
verification results can be imported into HOL based on the semantics of the MDG
input language (MDG-HDL). Therefore, the traditional HOL theorem can be obtained
in terms of the semantics of the MDG input language.
[Figure 1.8: The MDG Verification Process, for the circuits ip -> op.
(1) The MDG-HDL language. The implementation is three NOT gates in series:
  component (not_gate, not (input (ip), output (u)))
  component (not_gate, not (input (u), output (v)))
  component (not_gate, not (input (v), output (op)))
and the specification is a single gate:
  component (not_gate, not (input (ip), output (op)))
(2) The core MDG-HDL language: each NOT gate becomes a two-row table on its wires
(ip/u, u/v, v/op for the implementation; ip/op for the specification), with input
0 giving output 1 and input 1 giving output 0.
(3) The MDG formula representation: the same tables with the else condition made
explicit.
(4) The MDGs: a decision node on the input wire whose 0 and 1 edges lead to the
output values.
(5) Apply the MDG algorithms, obtain the canonical MDGs, compare: True.
(6) Importing theorems: the result becomes traditional HOL theorems relating ip
and op.]

In this thesis, we will prove two translators for the boolean subset and one
translator for the extended subset. In order to demonstrate the combination of the
translator correctness theorems and the importing theorems, the formalization of
the MDG results is given in terms of the MDG formula representation for the boolean
subset and in terms of core MDG-HDL for the extended subset. The principle is the
same in both cases, and a similar conversion can be done for further translators
once the corresponding translators are proved. By combining the translator
correctness theorems with the importing theorems, we obtain new importing theorems
that convert the low-level MDG verification results into HOL theorems in terms of
the semantics of MDG-HDL. The combination also allows the additional assumption
needed for sequential verification to be proved in terms of the semantics of
MDG-HDL, and the conversion theorem to be obtained in terms of the semantics of
MDG-HDL.
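As an added illustration (not part of the thesis, which does this in HOL), the following Python toy models the translation phases (1) to (3) of Figure 1.5 for the boolean subset, including the explicit else rows of Figure 1.4, and then step (5) of Figure 1.8: building canonical decision graphs for the three-NOT circuit and the single NOT gate and comparing them. The HOL correctness theorems are replaced by an exhaustive check over all boolean inputs, which is only possible because the subset is finite. The table data structure, the encodings of the OR and NOT gates, and the function names trans_mc, trans_cf and trans_fm (after TransProgMC, TransProgCF and TransProgFM in the text) are assumptions made for this example.

```python
"""Toy model of the MDG translation phases (Figure 1.5) and of the canonical
graph comparison of Figure 1.8, restricted to the boolean subset.
Written for this page; the MDG system's real data structures differ."""
from itertools import product

DC = "*"  # don't-care entry in a core MDG-HDL table row


class Table:
    """Core MDG-HDL table: named boolean inputs, one output, IF rows and ELSE."""

    def __init__(self, inputs, output, rows, default):
        self.inputs = list(inputs)                    # e.g. ["x1", "x2"]
        self.output = output                          # e.g. "y"
        self.rows = [(tuple(p), v) for p, v in rows]  # (pattern, output value)
        self.default = default                        # ELSE value, None if absent

    @staticmethod
    def matches(pattern, vals):
        return all(p == DC or p == v for p, v in zip(pattern, vals))

    def value(self, env):
        """Semantics of a table: the first matching IF row wins, otherwise ELSE."""
        vals = tuple(env[i] for i in self.inputs)
        for pattern, out in self.rows:
            if self.matches(pattern, vals):
                return out
        if self.default is None:
            raise ValueError("no row matches and there is no ELSE branch")
        return self.default


# (1) TransProgMC: an MDG-HDL component becomes its core MDG-HDL table.
# The AND rows are those of Figure 1.2; the OR and NOT encodings are assumed.
GATES = {
    "and": ([((False, DC), False), ((True, False), False)], True),
    "or":  ([((True, DC), True), ((False, True), True)], False),
    "not": ([((True,), False)], True),
}

def trans_mc(kind, inputs, output):
    rows, default = GATES[kind]
    return Table(inputs, output, rows, default)


# (2) TransProgCF: make the ELSE condition explicit (Figure 1.4) by listing
# every input assignment that no IF row covers as a row of its own.
def trans_cf(t):
    else_rows = [(vals, t.default)
                 for vals in product([False, True], repeat=len(t.inputs))
                 if not any(t.matches(p, vals) for p, _ in t.rows)]
    return Table(t.inputs, t.output, t.rows + else_rows, None)


# (3) TransProgFM: build a reduced ordered decision graph by Shannon expansion
# over the input order. A node is (var, low, high); a leaf is a bool.
def trans_fm(fn, inputs):
    unique = {}                    # hash-consing table: identical subgraphs are shared
    def build(i, env):
        if i == len(inputs):
            return fn(env)
        lo = build(i + 1, {**env, inputs[i]: False})
        hi = build(i + 1, {**env, inputs[i]: True})
        if lo == hi:               # reduction: a test whose branches agree is dropped
            return lo
        node = (inputs[i], lo, hi)
        return unique.setdefault(node, node)
    return build(0, {})

def mdg_value(node, env):
    """Semantics of a decision graph: follow the edge selected by env."""
    while not isinstance(node, bool):
        var, lo, hi = node
        node = hi if env[var] else lo
    return node

def same_semantics(sem1, sem2, inputs):
    """Exhaustive stand-in for the theorem  Semantics p = Semantics (Trans p)."""
    envs = (dict(zip(inputs, vals)) for vals in product([False, True], repeat=len(inputs)))
    return all(sem1(env) == sem2(env) for env in envs)

def translation_preserves_semantics(kind, inputs):
    """Runs phases (1)-(3) on one gate and checks that each step preserves semantics."""
    core = trans_mc(kind, inputs, "y")
    formula = trans_cf(core)
    graph = trans_fm(formula.value, inputs)
    return (same_semantics(core.value, formula.value, inputs)
            and same_semantics(formula.value, lambda env: mdg_value(graph, env), inputs))


# Steps (4)-(5) of Figure 1.8 for a whole circuit: a netlist is a list of
# (gate, input wires, output wire) components given in signal-flow order.
def netlist_function(components, output):
    def run(env):
        env = dict(env)
        for kind, ins, out in components:
            env[out] = trans_mc(kind, ins, out).value(env)
        return env[output]
    return run

def equivalent(impl, spec, ext_inputs, output):
    """Build both canonical graphs and compare them, as the MDG tool does."""
    g_impl = trans_fm(netlist_function(impl, output), ext_inputs)
    g_spec = trans_fm(netlist_function(spec, output), ext_inputs)
    return g_impl == g_spec

# The two circuits of Figure 1.8: three NOT gates in series against one NOT gate.
THREE_NOTS = [("not", ["ip"], "u"), ("not", ["u"], "v"), ("not", ["v"], "op")]
ONE_NOT = [("not", ["ip"], "op")]

if __name__ == "__main__":
    print(translation_preserves_semantics("and", ["x1", "x2"]))  # True
    print(equivalent(THREE_NOTS, ONE_NOT, ["ip"], "op"))          # True
```

The comparison in `equivalent` is a structural equality on the two reduced graphs; it is sound only because a reduced ordered graph is canonical for a fixed variable order, which is exactly the property the MDG algorithms establish before step (5). The exhaustive `same_semantics` check is what the HOL proof replaces: the theorems quantify over every program, not over the inputs of one gate.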
1.3.4 Proving the Existential Theorem 
In traditional HOL hardware verification, when we prove a design we need to
prove a theorem stating that the implementation of the design implements its
specification:

∀ ip op. IMPL ip op ⊃ SPEC ip op
However, this representation can be met by an inconsistent model that trivially
satisfies any specification. This is sometimes called the "false implies anything
problem" [14]. If the implementation IMPL ip op of a design is false for all
inputs and outputs, then the implication is a theorem no matter what constraint
SPEC ip op imposes on the variables. This is wrong because such a theorem does
nothing to ensure the correctness of the circuit. One solution to this problem is
to verify a stronger consistency theorem against the implementation, as suggested
in [58], which has the form:

∀ ip. ∃ op. IMPL ip op

This means that for any input ip there is an output op that is consistent with it.
On the other hand, when we formally import the MDG verification results into
HOL to form HOL theorems [80], we have to prove an additional assumption
against the specification. This theorem states that for all possible input traces,
the behavioural specification SPEC ip op can be satisfied for some outputs:

∀ ip. ∃ op. SPEC ip op

This means that the machine must be able to respond to whatever inputs are
given.
For ease of importing MDG results into HOL for sequential verification, and
also to avoid an inconsistent model, we summarize a general way to prove
theorems of the form

∀ ip. ∃ op. C ip op

where C represents any circuit and ip, op represent the external input and external
output respectively. We call it the existential theorem [83]. More detail is
given in Chapter 7.
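As an added example (not from the thesis, which states these theorems in HOL), the Python below models the implication (1.1) of Section 1.3.2 and the existential theorem above as exhaustive checks over boolean relations. It shows the "false implies anything" problem concretely: an unsatisfiable structural description passes the implication against a wrong specification and is caught only by the consistency check. The relations not_impl, not_spec, buffer_spec, shorted_impl and the trace-level toggle_spec are constructed for this example.

```python
"""Exhaustive boolean model of  IMPL ⊃ SPEC  and of the existential theorem
∀ip. ∃op. C ip op  from Section 1.3.4. Written for this page, not the thesis's
HOL definitions; all relations below are constructed examples."""
from itertools import product

def assignments(names):
    """Every boolean assignment to the given wire names, as a dict."""
    for vals in product([False, True], repeat=len(names)):
        yield dict(zip(names, vals))

def implements(impl, spec, inputs, outputs):
    """Theorem (1.1) checked exhaustively: ∀ip op. IMPL ip op ⊃ SPEC ip op."""
    return all(spec(ip, op)
               for ip in assignments(inputs) for op in assignments(outputs)
               if impl(ip, op))

def exists_output(circuit, inputs, outputs):
    """The existential theorem: ∀ip. ∃op. C ip op."""
    return all(any(circuit(ip, op) for op in assignments(outputs))
               for ip in assignments(inputs))

# Constructed relations on the external wires ip and op of a one-gate design.
def not_impl(ip, op):        # structure: a NOT gate driving op from ip
    return op["op"] == (not ip["ip"])

def not_spec(ip, op):        # behaviour: the output is the complement of the input
    return op["op"] != ip["ip"]

def buffer_spec(ip, op):     # a wrong specification, used to expose vacuity
    return op["op"] == ip["ip"]

def shorted_impl(ip, op):    # two drivers fight over op: no assignment satisfies it
    return op["op"] == ip["ip"] and op["op"] == (not ip["ip"])

def verdict(impl, spec, inputs=("ip",), outputs=("op",)):
    """Pair the implication with the consistency check that guards against it
    holding vacuously; a trustworthy result needs both to be True."""
    return (implements(impl, spec, inputs, outputs),
            exists_output(impl, inputs, outputs))

# Trace-level form for sequential designs: ip and op are tuples indexed by
# time, and the check is bounded to traces of length n.
def exists_output_trace(spec, n):
    traces = list(product([False, True], repeat=n))
    return all(any(spec(ip, op) for op in traces) for ip in traces)

def toggle_spec(ip, op):
    """op starts low and flips at every step where ip is high."""
    return (not op[0]) and all(op[t + 1] == (op[t] != ip[t]) for t in range(len(ip) - 1))

def constrained_spec(ip, op):
    """Quietly assumes the first input is low, which no machine can enforce,
    so it fails the existential theorem for any trace starting high."""
    return (not ip[0]) and toggle_spec(ip, op)

if __name__ == "__main__":
    print(verdict(not_impl, not_spec))         # (True, True): correct and consistent
    print(verdict(shorted_impl, buffer_spec))  # (True, False): vacuous implication
    print(exists_output_trace(constrained_spec, 3))  # False
```

The second verdict is the failure mode the section warns about: the implication holds for a NOT gate against a buffer specification, because the shorted structure is never true, and only the existential check reports that the model is unusable.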
1.4 Outline of Thesis 
The thesis is organized as follows: 
In Chapter 2, we give a review of the literature most directly related to our
research. We discuss embedding a hardware description language (HDL) in a proof
system, previous work on verifying verification systems, an overview of compiler
verification work and the technologies used in combining different verification
systems.
In Chapter 3, we investigate the verification of the translation phases of a
simplified version of the MDG system (the boolean subset) using a theorem prover
(the HOL system). This can be viewed as a simple compiler correctness problem.
We define a deep embedding formal semantics of the MDG-HDL language, the core
MDG-HDL language and the MDG formula representation in higher-order logic. A
set of functions for translating the MDG-HDL subset language to core MDG-HDL and
for translating core MDG-HDL to the MDG formula representation is given. The
correctness theorems of the translation, which quantify over syntactic structure,
are verified. In particular, we demonstrate that this compiler specification
preserves the correctness results produced by the MDG verification system.
In Chapter 4, we investigate the verification of the translation phases for the
extended subset. We extend our formalization to accommodate a list of inputs (the
first argument of the table component) with boolean sorts and concrete sorts. For
this subset, we prove the first translator. We define the formal syntax and
semantics of the MDG-HDL language and the core MDG-HDL language. A set of
functions for translating this subset language to its core MDG-HDL equivalent is
then given. The correctness theorem of the translation, which quantifies over its
syntactic structure, is proved.
In Chapter 5, we describe how to convert the MDG results into theorems for
use in the HOL system. The MDG system combines a variety of different hardware
verification applications including combinational verification, sequential verification,
invariant checking and model checking. We give a general importing theorem for
converting MDG results of the different applications (except model checking) into
HOL. The theorems proved do not explicitly deal with the MDG-HDL semantics or
multiway decision graphs. They are given in terms of general relations on inputs
and outputs. Thus they are applicable to other verification systems with a similar
architecture.
In Chapter 6, we show how to combine the translator correctness theorems with
the importing theorems for the two subsets. This combination allows the MDG
results to be reasoned about in HOL in terms of the MDG input language (MDG-HDL).
Two different MDG verification applications have been formalized in terms of
the semantics of the low-level language and imported into HOL to form HOL
theorems in terms of the semantics of MDG-HDL. In other words, the low-level
MDG verification result is converted into a high-level form usable in
traditional HOL hardware verification.
In Chapter 7, we summarize a general way of proving the existential theorem for
the implementation and specification of any design based on the syntax and
semantics of MDG-HDL. This theorem is needed when importing the MDG sequential
verification result into HOL, and it prevents an inconsistent model from being
produced.
In Chapter 8, we use a simple example, the verification of the correctness theorem
and usability theorems for a vending machine, to demonstrate the feasibility of our
approach. We have verified the correctness of the vending machine in MDG. This has
been imported into HOL to form the HOL theorem. We have then proved a usability
theorem about a specification of the vending machine in HOL. By combining the
imported theorem and the specification-based usability theorem, we obtain a
usability theorem about the vending machine implementation.
In Chapter 9, we conclude the thesis and indicate the future work. 
Summary 
This chapter has motivated our emphasis on the dependability of the hybrid system,
and situated our approach, which aims to import the MDG results into HOL in a
trusted way. It has also indicated that we are concerned with how great a degree of
trust the MDG system deserves, how to formally justify the conversion of the MDG
results into traditional HOL hardware verification theorems, and how to formally
link the two systems in a natural way. This chapter has pointed out that the deep
embedding semantics plays a very important role in our research. On the one hand,
the deep embedding semantics can be used to verify the correctness of aspects of
the MDG system using the HOL system. On the other hand, based on the verified MDG
system, the deep embedding semantics is used to combine the translator correctness
theorems with the importing theorems, allowing the MDG results to be reasoned
about in HOL naturally.
Chapter 2 
Literature Review
Combining theorem proving systems with symbolic state enumeration systems opens
a way for theorem proving systems to be applied more widely to the real world, and
many researchers are contributing ideas and approaches in this area. In this
thesis, we focus on the verification of a symbolic state enumeration system (the
MDG system) and provide a theoretical underpinning for the formal linkage of a
symbolic state enumeration system and a theorem proving system (MDG and HOL). We
first verify the correctness of translators of the MDG system using the HOL
system; this can be viewed as a simple compiler correctness problem. We next prove
theorems that formally convert the MDG verification results of the different MDG
applications into traditional HOL hardware verification theorems in the style of
Gordon [35]. By combining the translator correctness theorems with the importing
theorems, the MDG verification results can be imported into HOL in terms of
MDG-HDL. Our work is concerned with embedding a hardware description language
(HDL) in a proof system, verifying verification systems, compiler verification and
trusting combined systems. This chapter gives a literature review related to our
research, divided into the corresponding subsections listed below:
• We briefly introduce embedding an HDL in a proof system.
• We discuss previous work on verifying verification systems.
• An overview of compiler verification work is given.
• We review the different technologies that have been used to combine theorem
proving systems with other systems, discuss the combined approaches and the
degree of trust in the resulting system, and then propose our own ideas.
2.1 Semantic Embedding 
Semantic embedding is an approach to defining a precise semantics of HDLs inside
the logic so as to support the use of HDLs within a general theorem proving
environment. Many researchers are aiming to find a tractable semantics for hardware
description languages such as VHDL [64]. For example, Reetz and Kropf [55] defined
the semantics of a significant subset of VHDL in HOL to formalize a compiler
generator. Gordon [31] defined three different semantics (event semantics, trace
semantics and cycle semantics) for a subset of VHDL for use in different
applications.
There are two ways to represent the semantics of HDLs inside the logic: deep
embedding and shallow embedding. With a deep embedding, a type syn is defined
inside the logic to represent HDL texts. A type sem that represents the semantics
is also defined, and then a semantic function meaning : syn -> sem is defined by
structural induction over syn [33] [32] [7]. With a shallow embedding there is no
type syn or semantic function inside the logic. Instead, a parser is used to
translate HDL texts directly into terms of the logic. Each approach has advantages
and disadvantages. The advantage of deep embedding is that it allows reasoning
about classes of programs and so about their general properties. However, setting
up the types of abstract syntax and semantics is a lot of work. The advantage of
shallow embedding is that this work is avoided, because the process of assigning
meaning to the texts does not have to be encoded as a function inside the logic.
A meta-language program can easily compute differently typed terms for different
HDL texts.
Brock and Hunt [10] described a simple hardware description language in the
Boyer-Moore theorem prover. It lacks delays and does not permit recursion: it
thus deals with combinational logic only. However, this is the earliest research
known to us that defines a deep embedding operational semantics for an HDL in
a proof system. In their work, circuits were represented as list constants, which
were interpreted by a semantics function that traversed valid abstract syntax
categories. The circuit descriptions were hierarchically composed. A
well-formedness predicate was defined to check that these definitions are purely
combinational.
Melham [58] deeply embedded a denotational semantics of CMOS circuits inside
the HOL system, which is an ideal example for getting the general idea of deep
embedding. He defined an abstract data type representation of CMOS circuit
descriptions. A semantics function was given in terms of environments, mapping
circuits to a formula describing their switch-level behaviour. The environment,
of type :string -> bool, mapped strings denoting wire names to their values.
Boulton et al. [7] embedded the semantics of three different hardware description
languages in higher-order logic (HOL-ELLA, HOL-SILAGE, HOL-VHDL). Both the
HOL-ELLA and the HOL-SILAGE projects used shallow embedding; the HOL-VHDL project
used deep embedding. In their paper, they compared the two approaches as used in
the three projects, summarized the benefits of the general technique of embedding
a conventional notation in a mechanized formal system, and indicated that
embedding the HDL semantics allows the practical tool to act directly on logic
representations, so that designs can be reasoned about in a proof system.
Goossens [30] investigated the integration of HDLs and automated proof systems.
His aim was to clarify the semantics of the particular HDL and to present a more
standard interface to formal methodologies. A formal static and dynamic operational
semantics for a subset of the industrial HDL ELLA [28] was embedded within the
LAMBDA proof system.
In this thesis, we deeply embed two subsets of MDG-HDL into HOL. We obtain the
logic representation of each MDG-HDL program, which can be reasoned about
directly in HOL. However, our aim is to verify the correctness of aspects of the
MDG system using the HOL system and to provide a formal linkage between the MDG
system and the HOL system in terms of the deep embedding semantics. We use the
embedded semantics to prove the translation phases of the MDG system. Our
semantics explicitly represents the relation on the external wires. This
representation can be used in formalizing the MDG verification results and
importing them into HOL naturally. We utilize this fact to allow MDG to be used
when it would be easier than obtaining the result directly in HOL.
2.2 Verifying Vérification Systems 
Different technologies have been used to ensure the correctness of verification
systems. In a sense, which method is chosen depends on the architecture of the
verification system. The Edinburgh LCF [34] (Logic of Computable Functions) family
of theorem provers (including HOL) uses an abstract data type (Thm) to represent
theorems. The type checker ensures that theorems can only be constructed by
applying a small number of primitive inference rules. There is no way to construct
a theorem except by carrying out a proof based on the primitive inference rules and
axioms. This increases the reliability of the system. For HOL, these primitive
inference rules have been proved sound via a set-theoretic semantics [40]. Pottinger
[68] has also proved that they are complete with respect to Henkin's general models
(the method Henkin used to establish completeness for systems of second-order and
higher-order logic). In this way, if we guarantee that the primitive inference
rules are correct, then invalid theorems can be avoided.
The LCF approach also permits proofs to be recorded. Proofs can be stored
in files and represented by lists of inferences. This lets us make use of the
sequence of inferences and check the consistency of each inference automatically.
Wong [77] changed the HOL system so as to record each proof and store it in proof
files. He developed a proof checker to examine the correctness of the proof files,
the lists of inferences generated by the HOL system. The proof checker first took
a proof file as an argument and then checked whether the proofs were correct or
not. A log file was then produced that contained the hypotheses, the lemmas used
by the proof and the resulting theorem of the proof. The application of this
method is significant in developing safety-critical and high-integrity systems
where high confidence of correctness is required. Since a proof checker accepts
proof files containing only primitive inference rules, it may itself be verified
formally. The proof checker also provides an independent means of ensuring the
validity and consistency of a proof. Some other theorem provers, such as Nqthm [9]
and Coq [48], already store proof trees in the system. Boyer and Dowek [8]
specified and implemented a proof checker in the Nqthm logic.
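As an added sketch (not HOL's kernel, nor Wong's checker), the Python below shows the two mechanisms just described on a minimal propositional logic: a theorem type that only the primitive rules can construct, and a log of every rule application that an independent checker replays. The rule set (ASSUME, DISCH, MP), the formula encoding and the checker are assumptions made for this example; HOL's kernel has more rules and its proof files have their own format.

```python
"""A toy LCF-style kernel with proof recording and an independent checker.
Written for this page; HOL's real kernel and proof-file format differ."""

def imp(a, b):
    """Formula constructor: strings are atoms, ("->", a, b) is an implication."""
    return ("->", a, b)

class Thm:
    """hyps |- concl.  Only the primitive rules below may build one."""
    __slots__ = ("hyps", "concl")

    def __init__(self, *args, **kwargs):
        raise TypeError("theorems are only created by the primitive rules")

    @classmethod
    def _mk(cls, hyps, concl):
        th = object.__new__(cls)      # bypasses __init__: the kernel's private door
        th.hyps, th.concl = frozenset(hyps), concl
        return th

PROOF_LOG = []   # (rule name, arguments, result): the analogue of a proof file

def assume(p):
    """ASSUME:  p |- p"""
    th = Thm._mk({p}, p)
    PROOF_LOG.append(("ASSUME", (p,), th))
    return th

def disch(p, th):
    """DISCH:  G |- q   gives   G - {p} |- p -> q"""
    res = Thm._mk(th.hyps - {p}, imp(p, th.concl))
    PROOF_LOG.append(("DISCH", (p, th), res))
    return res

def mp(th1, th2):
    """MP:  G1 |- p -> q  and  G2 |- p   give   G1 u G2 |- q"""
    c = th1.concl
    if not (isinstance(c, tuple) and c[0] == "->" and c[1] == th2.concl):
        raise ValueError("MP: antecedent does not match")
    res = Thm._mk(th1.hyps | th2.hyps, c[2])
    PROOF_LOG.append(("MP", (th1, th2), res))
    return res

def check_log(log):
    """Replay each recorded inference from its arguments and compare with the
    recorded result. Trusts nothing but the rule definitions written here, and
    accepts an argument theorem only if an earlier entry derived it."""
    derived = {}                      # id(thm) -> (hyps, concl) as re-derived
    for rule, args, res in log:
        if rule == "ASSUME":
            (p,) = args
            hyps, concl = frozenset({p}), p
        elif rule == "DISCH":
            p, th = args
            if id(th) not in derived:
                return False
            h, c = derived[id(th)]
            hyps, concl = h - {p}, imp(p, c)
        elif rule == "MP":
            th1, th2 = args
            if id(th1) not in derived or id(th2) not in derived:
                return False
            (h1, c1), (h2, c2) = derived[id(th1)], derived[id(th2)]
            if not (isinstance(c1, tuple) and c1[0] == "->" and c1[1] == c2):
                return False
            hyps, concl = h1 | h2, c1[2]
        else:
            return False
        if (res.hyps, res.concl) != (hyps, concl):
            return False
        derived[id(res)] = (hyps, concl)
    return True

def prove_k(p, q):
    """Derives  |- p -> (q -> p)  using only the three rules above."""
    return disch(p, disch(q, assume(p)))

if __name__ == "__main__":
    th = prove_k("p", "q")
    print(th.hyps, th.concl)      # frozenset() ('->', 'p', ('->', 'q', 'p'))
    print(check_log(PROOF_LOG))   # True
```

The point of the checker is that it is far smaller than the prover and recomputes each step rather than trusting it; a forged log entry whose recorded result does not follow from its arguments, or whose arguments were never derived, is rejected.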
Is the proof checker itself correct? If the proof checker can be formally verified,
this will greatly increase confidence in the consistency of checked proofs. Since
the proof checker is relatively simple, it is easier to verify than a full system.
Von Wright [75] formalized the specification of a proof checker in HOL. In his
work, he carefully analysed what constitutes a HOL proof, formalized the syntax of
terms, types and theorems, and defined predicates to represent the primitive
inference rules. He also demonstrated how the HOL system had been used to formally
verify the specification of a proof checker for higher-order logic proofs [76]. An
alternative method, using refinement to verify the proof checker, was also
suggested by von Wright [74].
The architecture of symbolic state enumeration based verification systems is
different. In some of these systems, higher-level languages such as hardware
description languages are used to describe the specifications and implementations.
The specifications and implementations are then translated into decision graphs. A
series of algorithms in the system is used to deal with the decision graphs
efficiently and automatically and to obtain the correctness results. To verify such
systems, we need to prove the translators from the higher-level languages into
decision graphs, and to prove correct the algorithms that manipulate the decision
graphs.
Homeier and Martin [46] used the HOL system to verify a verification system called a verification condition generator (VCG) for a simple programming language. Since the VCG translated the annotated programs to lists of verification conditions, the proof of the correctness of the VCG could be considered as an example of a compiler correctness problem. In other words, the proof of the correctness of the VCG can be obtained by proving a translator. The semantics of the annotated programs and verification conditions were formalized in HOL. The correctness theorems showed that the truth of the verification conditions implied the truth of the annotated programs.
Chou and Peled [17] used the HOL system to verify a non-trivial algorithm - the partial-order reduction technique, implemented in the protocol tool SPIN. This algorithm is used to cut down the state-space exploration performed by model checkers. They built up the groundwork of a formal infrastructure that included the mathematical support for proving various automatic verification algorithms. Their results not only gave more confidence in the algorithm but also demonstrated that formal verification is a practical and useful tool.
In this thesis, we investigate the correctness of aspects of the MDG system (Figure 2.1) by using HOL. Verifying the algorithms is beyond the scope of this thesis; it could be done in a way similar to Chou and Peled's work. We consider verifying that the translation process is correct, based on the deep embedding semantics. We need to verify that the translator preserves the semantics of a program through the translation between languages, as suggested for Homeier's work [78] [81] [79]. A difference is that Homeier used a compiler verification method to verify a software verification system.
We used a similar method to verify a hardware verification system. We consider verifying the correctness of aspects of the MDG system. In the next section, we will review previous work that has been done on the compiler correctness problem.

MDG input language -> Translator -> MDG data structure -> MDG verif. algorithms -> Result (Yes/No)
Figure 2.1: The MDG Verification System
2.3 Verifying Compiler Correctness 
The literature on compiler correctness is large. The earliest example was described 
more than thirty years ago [56]; this reported how McCarthy and Painter successfully 
verified the correctness of a simple algorithm for compiling arithmetic expressions 
into machine language on an ideal machine. The syntax and semantics of the source 
and object language were given. The compiler correctness theorem stated that the 
semantics of the source program preserved the semantics of the target code. Their 
basic idea is still being used in compiler verification.
At the same time, Burstall and Landin [13] first proposed the use of algebraic methods to verify compiler correctness. The key contribution from the algebraic approach to compiler correctness was to reject the simple function to be used as a compiler and impose structure on the program involved. Many researchers have developed this method including Morris [62] [63] and Chirica [15]. A tutorial introduction to the algebraic method was given by Collier [19]. However, the early work focused on the basic methodology rather than verifying a real language. People could not deal with the tedium of formal proof if they verified a compiler by hand.
With the development of mechanical assistance systems, researchers began to verify some simple imperative languages by using mechanical checking technology. Milner and Weyhrauch [59] used the Stanford LCF system to mechanically check the formal verification of a compiler for a simple imperative language. Cohn and Milner [18] used the Edinburgh LCF system to prove a simple parsing algorithm. In their paper, a generally mechanized method of deriving structural induction rules within the system was discussed. Chirica and Martin [16] considered the problem of proving the correctness of parsing and syntax analysis. They indicated that a compiler implementation should specify exactly how the compiler was implemented to generate the object code. The correctness of a compiler implementation is verified by comparing corresponding object programs generated by the compiler specification and implementation. However, most work, including that mentioned above, considered a very simple language and the target machine was idealized (no finite limitations on word size and memory size).
In 1989, Young [85] verified a code generator which was one level of a stack of verified system components by using the Boyer-Moore theorem prover (the Boyer-Moore prover is a theorem prover for a quantifier-free first-order classical logic with equality). The source language was a subset of Gypsy [29] and the target language was the Piton [61] assembly level language. The operational semantics for a subset of Gypsy and Piton was given. Functions were implemented in the Boyer-Moore logic that translated Gypsy programs into Piton. The correctness of the translator was mechanically checked. Moore [60] verified that Piton was successfully implemented on a general purpose microprocessor (FM8502) by using the Boyer-Moore theorem prover.
Other notable work is that of Joyce [50], who described the formal specification and verification of a compiler for a very simple imperative programming language on a non-idealized target machine. The semantics for this programming language, the target machine and the compiler were all specified in higher-order logic. Inference rules of higher-order logic were used to construct a formal proof showing that compiled programs execute according to the semantics of the language. The compilation process was split into two phases for controlling the complexity of the formal proof of correctness. The first phase compiled the hierarchically structured program into a flat intermediate form. The second phase compiled the intermediate form into target machine code.
At the same time, Gordon [37] did the original work of constructing within HOL a framework for proving the correctness of a program. He used a shallow embedding [7] (i.e. only the semantics is represented in the HOL logic) to embed the program logic in the HOL logic. HOL is a foundational system, which means that one can define new constants in a way that does not affect the logical consistency of the system. In other words, this means the embedding of a language can be obtained by using constant definitions rather than by introducing arbitrary axioms to describe the semantics.
Curzon [22] successfully used the HOL system to verify compilers for a subset of the structured assembly language Vista, for a real microprocessor, VIPER. The compiler correctness work was based on a general model of I/O. The verification of a generic compiler from a generic version of Vista to a generic flat assembly code was considered. This made it possible to verify a compiler from different versions of Vista to the VIPER microprocessor or to other similar machines easily (only some basic configurations need to be changed). He also combined the verified compiler with a derived programming logic so that the corresponding properties of the compiled code can be automatically derived.
Our work is concerned with verifying the correctness of the translators that translate a subset of the MDG input language MDG-HDL into the low level languages. Curzon et al. [26] did some basic work which verified the MDG components library in HOL. In their paper, the semantics of the TABLE was first formalized in HOL. The semantics of the MDG-HDL components was in the style of Gordon. They verified the table implementations of each of the hardware components that were implemented in terms of tables in the MDG system.
The work presented in this thesis is based on previous work to verify the MDG components library in HOL [26] and builds on the work of Curzon [22] concerned with compiler verification. The source and target languages are different from his. Our source language is a netlist level hardware description language and our target language is the core MDG-HDL language and the MDG formula representation language. We only consider the correctness of a compiler specification in this thesis. We define a deep embedding formal semantics for a subset of MDG-HDL and the corresponding low level languages in higher-order logic. However, the structures of the proofs are similar and have also been mechanically checked by using the HOL system. Most importantly, we are trying to investigate and develop a method that links compiler correctness to the combination of two different verification systems (MDG and HOL), rather than just verifying the correctness of a compiler specification.
2.4 Trusting Combined Systems 
Recently, researchers have paid much attention to combining theorem provers and other symbolic computation systems. Theorem provers have been linked to other theorem provers [49], to model checkers [51] [2] [39] and to computer algebra systems [42]. Methodologies for co-operation between systems are dependent on the properties of the systems. The motivation for combining different systems is to achieve the benefits of both and to make the verification simpler and more effective.
A common approach to combining proof tools is to use an automated tool as an oracle to provide results to the interactive proof process. Joyce and Seger [51] presented a hybrid verification system: HOL-Voss. In their system, several predicates were defined in the HOL system, which presented a mathematical link between the specification language of the Voss system (symbolic trajectory evaluation) [44] and that of the HOL system. As a result this link caused the specification language of Voss to become a subset of the language of the HOL system. In other words, trajectory evaluation was used as a decision procedure for the HOL proof system. A HOL tactic, VOSS_TAC, which was implemented as a remote function, was written. This tactic enabled some HOL goals to be proved by calling symbolic trajectory evaluation and mirroring the results (true or false) in HOL. If the result is true, then the assertion is transformed into a HOL theorem and this theorem can be used by the HOL system to derive additional verification results. Zhu et al. [87] successfully applied HOL-Voss to the verification of the Tamarack-3 microprocessor.
In 1995, Seger and Hazelhurst overcame some defects of the HOL-Voss system and created a new hybrid system called VossProver [43]. VossProver was implemented in fl (a strongly-typed functional language in the ML family [65]) in typical LCF style with an abstract datatype for theorems. Its specification language was a deep embedding in fl of booleans and integers and a shallow embedding of tuples, lists and other features. The transition from theorem proving to model checking was done by translating the deeply embedded boolean and integer expressions into their fl counterparts and then evaluating the resulting fl expressions. A number of case studies, including the verification of a pipelined IEEE-compliant floating-point multiplier by Aagaard and Seger [3], have demonstrated the success of the approach of the system. However, the translation from the deeply embedded specification language used in the theorem proving to the normal fl used in the model checking was complicated. The difficulty of evaluating Boolean expressions at the fl prompt was a serious detraction when compared to the ease of use provided by specification in fl. Therefore, they wanted a proof system that used fl as both the specification and the implementation language.
In 1999, Aagaard et al. developed the Forte verification system [2][1]. Forte is a combined model checking (in Voss via symbolic trajectory evaluation) and theorem proving system (ThmTac)¹. Both the specification and the implementation language are fl, which has been deeply embedded in itself so as to be lifted. In other words, the system can execute fl functions in Voss and reason about the behavior of fl functions in ThmTac. The system has successfully verified the correctness of a floating-point divider unit of an Intel IA-32 microprocessor [52].
Schneider and Kropf [70] used hardware formulas, which are higher order formulas, to express safety and liveness properties hierarchically, i.e. each module either consisted of a set of submodules or was a basic module. These formulas could be easily translated into a model-checking problem of temporal logic. In other words, these allowed each submodule to be verified by using state enumeration techniques. Finally, the correctness results of the verified hardware could be obtained by using simple reasoning in HOL. With this idea, an example, which could not be handled by decision procedures for temporal logic and was too expensive for the theorem prover system, was verified easily with the combined model-checking/theorem proving approach in less than two hours. With the same idea, Schneider and Kropf [71] presented an approach for combining different proof approaches in a unifying framework to develop a hybrid system which is called C@S. This system was implemented on top of the HOL system and can be connected to the model checking system SMV (Symbolic Model Verifier) and the inductionless induction system RRL (Rewrite Rule Laboratory).
The MDG-HOL system [54] is a hybrid system which links the HOL interactive proof system and the MDG automated hardware verification system. It supports a hierarchical verification approach and fits the use of MDG verification naturally within the HOL framework of compositional hierarchical verification. The HOL system is used to manage the proof. The MDG system is called to verify the submodules of a design. When the MDG-HOL system is used to verify a design, the design is modeled as a hierarchical structure with modules divided into submodules. The submodules are repeatedly subdivided until the design can be verified by using the MDG system. If the design of any submodule is sufficiently simple, then the hierarchical approach can be abandoned for that block and the whole module verified in one go in MDG. If submodules are all primitive components and the MDG system still cannot prove them, the HOL system can then be used to do the verification. The hybrid system is based on an embedding of the MDG hardware description language in HOL. It allows structural and behavioral specifications to be given in HOL. MDG style behavioral specifications must be used, however. Essentially this means the specifications must be in the form of a finite state machine or table description. If a higher level abstraction is unavailable in MDG, a separate HOL proof must be performed to show that an MDG style specification meets this abstraction.

¹ ThmTac is written in fl and is an LCF style implementation of a higher order classical logic.
Gordon [38] [39] integrated the BDD based verification system BuDDy into HOL in a different way. Since an "LCF-style" general infrastructure was provided, users could implement their own BDD-based verification algorithms inside HOL by building on top of the primitives provided. By implementing BDD primitives in HOL (as long as they are correct), not only could the standard state algorithms be efficiently and safely programmed in HOL, but it also became possible to combine the advantages of theorem proving tools and state algorithms. For example, HOL was used to formalize the QBF (Quantified Boolean Formulas) of BDDs. The formulas can be interactively simplified by using a higher-order rewriting tool such as the HOL simplifier to get simplified BDDs. A table was used to map the simplified formulas to BDDs. The BDD algorithms can also strengthen the deductive ability of the system.
Hurd [49] used a different method to combine the strengths of two theorem-prover systems. One is Gandalf, which is a resolution theorem-prover for first-order classical logic with equality. The other is the HOL system. A tactic GANDALF_TAC was implemented as a remote function. It called the Gandalf system, which was then run as a child process of the HOL system, and mirrored the proof results to the HOL system. Briefly, GANDALF_TAC took the input goal, converted it to a normal form, wrote it in an acceptable format, sent the string to Gandalf, parsed the Gandalf proof, translated it to a HOL proof, and proved the original goal. In this way, Gandalf's fast proof search can be used in HOL, whilst the translation into HOL ensured that the proofs were logically correct. Most importantly, in translating the Gandalf proof to a HOL proof, he did not just tag the results proved in Gandalf into HOL to get HOL theorems. He wrote several functions to simulate the Gandalf proof according to the Gandalf logged file and did the proof in HOL to form the HOL theorems. As a result, the Gandalf proof results need not be tagged into HOL and the degree of trust is high. However, it is very hard to achieve a complex goal since the logged file might lose some details when the goal is very complex.
Rajan et al. [69] proposed an approach for the integration of model checking with PVS [21]: the Prototype Verification System. Harrison and Théry [42] combined the theorem prover system (HOL) and a computer algebra system (Maple). Argon and McMillan [5] attempted to use the Coq Proof Assistant to formally prove the soundness of the proof decomposition rules implemented in the SMV system. Gunter and Obradovic [41] combined a model checker (SPIN) and a theorem prover (HOL) through a language GAS (for Guarded Assignments).
A key point of combining theorem proving systems with other systems is to make the use of theorem proving systems more practical. For example, the project PROSPER² [27] aims to combine different interactive and automated proof tools together to deliver their benefits to industry. A proof management system, which is an open proof architecture, permits formal methods technology to be combined in a modular fashion. The Prosper plug-ins allow developers to add specialized verification tools (like Gandalf, Spin etc.) to the core proof engine in a relatively uniform way. In this way, the different advantages of different techniques can be utilized according to the requirements of different applications, whilst the translation into HOL ensures that the proofs are logically correct.

² The description of the project is available via the Web page http://www.dcs.gla.ac.uk/~tfm/
We have discussed many researchers using different approaches to combine different systems. In some of them, including those mentioned above, the external tool is used as an oracle, and the results it provides are guaranteed to be theorems within the theory of the proof system. Ideally, if we could verify that the external verification tools are correct and formally convert the corresponding results into valid theorems in the current proof system, then the degree of trust in the combined system would increase considerably.
In the work presented in this thesis, we shall use this idea to provide a formal linkage between the MDG system and the HOL system. We are not using the MDG system as an oracle to then prove results, already determined, by primitive inference in HOL as MDG-HOL did, nor are we using HOL to improve the way MDG works. Furthermore, we are not just farming out general lemmas (e.g., propositional tautologies) that arise whilst verifying a particular hardware module and that can be proved more easily elsewhere. We are doing theoretical research about how to provide a formal linkage between MDG and HOL. Our formalization is defined in terms of the specification of the MDG system and the MDG-HOL system. We define deep embedding formal semantics in HOL for two simplified versions of the MDG input language, to verify the correctness of translators of the MDG system in the HOL system. We also prove a series of importing theorems [80], which formally convert the formalized MDG verification results into a form usable in a traditional HOL hardware verification, i.e., the structural specification implements the behavioral specification. By combining the translator's correctness theorems with the importing theorem, the MDG verification results can be converted into HOL to form the traditional HOL theorems in terms of the semantics of MDG-HDL.
Summary 
In this chapter, we have given a literature review which relates to our research including embedding an HDL in a proof system, previous work on verifying verification systems, an overview of compiler verification work and technologies used in the combination of the different verification systems. We also summarize what we did in corresponding related fields.
Chapter 3 
Verifying the MDG Translators
for a Boolean Subset 
In this chapter, we will verify the translation phase of the MDG system as shown in steps (1) and (2) of Figure 1.5 for a boolean subset. Our aim is to prove the MDG translators correct. A standard approach for proving a translator between two languages will be used.
We will first define the syntax and the semantics of a subset of the MDG-HDL language, a corresponding core MDG-HDL language and the MDG formula representation language. We then define a set of functions which translate the program from the subset MDG-HDL language to the core MDG-HDL language, and from the core MDG-HDL language to the MDG formula representation language. For each program in MDG-HDL, the compilation operators are defined as functions which return its core MDG-HDL code and MDG formula representation code. The translation function TransProgMC is applied to each MDG-HDL program p so that the corresponding core MDG-HDL program is established, and the translation function TransProgCF is applied to a core MDG-HDL program so that the MDG formula representation program is established. The two correctness theorems for the two translation steps of this subset, which quantify over the syntactic structure, are verified. By combining these two correctness theorems, we obtain that the semantics of the MDG-HDL program is equivalent to the semantics of the MDG formula representation program. The details will be discussed in the following sections.
3.1 The Syntax of the MDG-HDL Language 
In MDG-HDL programs, two kinds of information are provided. One is used in the MDG algorithm, the other is used in specifying the hardware. We can ignore the information which is used in the MDG algorithms when we write the syntax and semantics of programs, since this part is passed directly to the MDG algorithms and we do not consider the MDG algorithms in this thesis. Following the approach utilized in other compiler correctness work, we abstract the useful information from the MDG-HDL program and work with an abstract syntax rather than the concrete syntax of the language. It would be straightforward to write a parser that translates the MDG-HDL program into the abstract syntax.
For example, a part of the MDG-HDL file which is used to specify the hardware of three NOT gates and one register connected in series is given in Figure 3.1. The information for the algorithms is omitted.
The abstract syntax of this file is
  PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["u";"v";"w"])
    (JOIN (NOT "ip" "u")
      (JOIN (NOT "u" "v")
        (JOIN (NOT "v" "w") (REG "w" "op"))))
where PROG, EXOUT, EXIN, INV, JOIN, NOT and REG are syntactic constructors of the subset of the MDG-HDL language. More details will be given later.
signal(ip,bool).
signal(op,bool).
signal(u,bool).
signal(v,bool).
signal(w,bool).
component(u_comp,not(input(ip),output(u))).
component(v_comp,not(input(u),output(v))).
component(op_comp,not(input(v),output(w))).
component(reg_comp,reg(input(w),output(op))).
outputs([op]).
Figure 3.1: The Circuit Description File of Three NOT Gates and One Register
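To show how a concrete file such as Figure 3.1 maps onto the abstract syntax above, the following Python parser is added here as an illustration; it is not part of the thesis, whose definitions are in HOL. The class names mirror the constructors PROG, JOIN, NOT and REG (the EXOUT, EXIN and INV lists become the three list fields of PROG); the function parse_mdg_hdl, the restriction to the not and reg components named in the text, and the rule that external inputs are the declared signals driven by no component are assumptions of this example.

```python
"""Parse a concrete MDG-HDL circuit description into the abstract syntax of
Section 3.1.

Added example, not the thesis's HOL definitions.  Class names mirror the
constructors PROG, JOIN, NOT and REG; parse_mdg_hdl and the wire
classification rules are assumptions.  Only the not and reg components named
in the text are handled, and the algorithm-specific parts of a real MDG-HDL
file are ignored, as the text says they can be.
"""
import re
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class NOT:                  # NOT ip op : a NOT gate with input ip and output op
    ip: str
    op: str


@dataclass(frozen=True)
class REG:                  # REG ip op : a register with input ip and output op
    ip: str
    op: str


@dataclass(frozen=True)
class JOIN:                 # JOIN c1 c2 : composition of two component terms
    c1: "Mdg_Hdl"
    c2: "Mdg_Hdl"


Mdg_Hdl = Union[NOT, REG, JOIN]


@dataclass(frozen=True)
class PROG:                 # PROG (EXOUT exout) (EXIN exin) (INV inv) term
    exout: List[str]
    exin: List[str]
    inv: List[str]
    term: Mdg_Hdl


SIGNAL = re.compile(r"^signal\((\w+),(\w+)\)\.$")
COMPONENT = re.compile(
    r"^component\((\w+),(\w+)\(input\((\w+)\),output\((\w+)\)\)\)\.$")
OUTPUTS = re.compile(r"^outputs\(\[([\w,]*)\]\)\.$")
GATES = {"not": NOT, "reg": REG}


def parse_mdg_hdl(text: str) -> PROG:
    """Build the PROG term for a circuit description.

    External inputs are the declared signals driven by no component; internal
    wires are the driven signals not listed in outputs([...]).  Components are
    composed right-nested, JOIN c1 (JOIN c2 (... cn)), in file order."""
    signals, components, exout = [], [], []
    for raw in text.splitlines():
        line = re.sub(r"\s+", "", raw)          # the concrete syntax ignores whitespace
        if not line:
            continue
        if m := SIGNAL.match(line):
            signals.append(m.group(1))
        elif m := COMPONENT.match(line):
            _name, kind, ip, op = m.groups()
            if kind not in GATES:
                raise ValueError(f"unsupported component: {kind}")
            components.append(GATES[kind](ip, op))
        elif m := OUTPUTS.match(line):
            exout = [s for s in m.group(1).split(",") if s]
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if not components:
        raise ValueError("a program needs at least one component")
    driven = {c.op for c in components}
    exin = [s for s in signals if s not in driven]
    inv = [s for s in signals if s in driven and s not in exout]
    term = components[-1]
    for c in reversed(components[:-1]):
        term = JOIN(c, term)
    return PROG(exout, exin, inv, term)


# Constructed sample: the circuit description of Figure 3.1.
FIGURE_3_1 = """
signal(ip,bool).
signal(op,bool).
signal(u,bool).
signal(v,bool).
signal(w,bool).
component(u_comp,not(input(ip),output(u))).
component(v_comp,not(input(u),output(v))).
component(op_comp,not(input(v),output(w))).
component(reg_comp,reg(input(w),output(op))).
outputs([op]).
"""

if __name__ == "__main__":
    print(parse_mdg_hdl(FIGURE_3_1))
```

Run as a script it prints the PROG term for the Figure 3.1 circuit; the JOIN nesting follows the order of the component lines, which gives the right-nested term shown above.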
The full abstract syntax of the subset of the MDG-HDL language is given in Appendix A. The abstract syntax of the program is represented by the constructor PROG which is defined in terms of four arguments - an external output wire list, an external input wire list, an internal wire list and a component term.
  Program ::= PROG of Exoutput => Exinput => Invariable => Mdg_Hdl
For example, the abstract syntax of a program of one NOT gate circuit is given below:
  PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV []) (NOT "ip" "op")
where the first argument is a list of external outputs (["op"]), the second is a list of external inputs (["ip"]) and the third is a list of internal wires (in a NOT gate circuit, there is no internal wire), and the final argument is the combination of the circuit components (a NOT gate).
In the syntax of the program, the first three arguments are variable lists. We define new HOL types Exoutput, Exinput and Invariable to represent the external output list, external input list and internal list respectively.
  Exoutput   ::= EXOUT of string list
  Exinput    ::= EXIN of string list
  Invariable ::= INV of string list
The fourth argument (component term) describes how circuits are constructed from subcircuits, except for the hiding operations on internal wires. The hiding operations on internal wires will be defined in the semantics of the program. The component term could be either a predefined MDG-HDL component, an operation to set the initial value of a variable, a next state variable command, or a composition operation that denotes a circuit built up by the operation of composition. The syntax of the component term introduces a specially-defined recursive data type Mdg_Hdl to provide an explicit representation in logic of the MDG-HDL commands. We define a recursive type Mdg_Hdl with 33 constructors. The first 27 constructors are gates, flip-flops and registers. For example, the component term 'NOT ip op' represents a NOT gate with one input labeled ip and one output labeled op.
The constructor FORK represents the equality checker which is used to check the equality of two or more variables. The constructor INIT represents the initial value of a state variable. 'INIT (v,T)' declares that the initial value of the variable v is true. The SNXT constructor maps between a state variable and a next state variable. 'SNXT v nv' states that nv is the next state variable of the state variable v.
The JOIN constructor represents the composition operation. If c1 and c2 are two values of type Mdg_Hdl, then the term 'JOIN c1 c2' represents the composition of the two terms represented by c1 and c2.
  INPUT           OUTPUT
  ip              op
  TABLE_VAL F     T
  TABLE_VAL T     F
  ELSE            ARB
Figure 3.2: The Syntax of a NOT Gate Table
Finally, the constructor TABLESYN represents the syntax of the table component. It has five arguments. The first argument is a list of inputs, and the second is the single output. The third argument is a list of table rows. Each row is a list itself, giving one allocation of values to the inputs. The fourth argument is a list of output values that correspond to the values in the input rows. We call the third argument the "if condition", which means that if the values of the inputs match a row of the table then the output value will be the corresponding element in the fourth argument's list. The final argument is the default value, which is taken by the output if the input values do not match any row of the third argument. We call those input values the "else condition". The "else condition" is not listed in the third argument of the constructor TABLESYN. For example, the abstract syntax of a NOT gate table is given below:
  TABLESYN ["ip"] (NOWV "op") [[TABLE_VAL F];
                               [TABLE_VAL T]]
                              [T; F] (DENORMAL ARB)
where "ARB" is the predefined HOL term representing an arbitrary value of a given type. Alternatively, we can use a diagram to represent the abstract syntax of the NOT gate table, such as the one shown in Figure 3.2.
The first argument of the constructor TABLESYN is a list of inputs. In a NOT gate table, it has only one input which is "ip". The second argument is the single output "op" whose value could be either a current state variable or a next state variable. We define a new HOL type Out_Type to represent these options:
  Out_Type ::= NOWV of string |
               NEXTV of string
The output in the NOT gate table is a current state variable NOWV "op". The third argument lists all the "if condition". In a NOT gate, the "if condition" is [[TABLE_VAL F]; [TABLE_VAL T]]. The entries in the list can be either actual values or a special don't care marker. This is realized by defining a new type (as given in [26]).
  Table_Val ::= TABLE_VAL of 'a | DONT_CARE
  |-def TableVal_to_Val (TABLE_VAL (v:'a)) = v
The fourth argument is a list of output values that correspond to the values in the input rows (the "if condition"). The final argument could be an arbitrary boolean value, a current state variable or a next state variable. Again we define a new HOL type Default_Type in terms of the type Out_Type.
  Default_Type ::= DENORMAL of bool |
                   DEOUT of Out_Type
Corresponding to our NOT gate table, if the value of the input is false (TABLE_VAL F from the third argument) then the value of the output is true (T from the fourth argument), if the value of the input is true (TABLE_VAL T) then the value of the output is false (F), otherwise the value of the output could be an arbitrary value.
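The following Python, added here as an illustration and not the thesis's HOL semantics, makes the "if condition"/"else condition" reading of TABLESYN above executable: the input values are matched against the table rows, the first matching row selects its output value, and the default applies otherwise. The Python names mirror the constructors TABLESYN, DONT_CARE, NOWV, NEXTV, DENORMAL and DEOUT (TABLE_VAL v is represented by the value v itself); the representation, the function eval_table, and the two-input AND table used alongside the NOT gate table of Figure 3.2 are constructed for this example.

```python
"""Executable reading of the TABLESYN table component described in Section 3.1.

Added example, not the thesis's HOL definitions.  Python names mirror the
constructors of the text; the representation, eval_table and the AND table
are assumptions constructed for this illustration.  Tables are boolean only,
as in this chapter.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


class _DontCare:
    """The DON'T_CARE marker of Table_Val: matches any input value."""
    def __repr__(self):
        return "DONT_CARE"


DONT_CARE = _DontCare()
TableVal = Union[bool, _DontCare]      # TABLE_VAL v is represented by v itself


@dataclass(frozen=True)
class NOWV:                            # output is a current state variable
    name: str


@dataclass(frozen=True)
class NEXTV:                           # output is a next state variable
    name: str


OutType = Union[NOWV, NEXTV]


@dataclass(frozen=True)
class DENORMAL:                        # default is a boolean; None stands for ARB
    value: Optional[bool]


@dataclass(frozen=True)
class DEOUT:                           # default is the value of another variable
    out: OutType


@dataclass(frozen=True)
class TABLESYN:
    inputs: List[str]                  # argument 1: input wires
    output: OutType                    # argument 2: the single output
    rows: List[List[TableVal]]         # argument 3: the "if condition"
    outs: List[bool]                   # argument 4: one output value per row
    default: Union[DENORMAL, DEOUT]    # argument 5: taken in the "else condition"


def row_matches(row: List[TableVal], values: List[bool]) -> bool:
    """A row matches when every entry is DONT_CARE or equals the input value."""
    return len(row) == len(values) and all(
        r is DONT_CARE or r == v for r, v in zip(row, values))


def eval_table(t: TABLESYN, env: dict) -> Optional[bool]:
    """Output value of table t for an environment mapping wire name -> bool.

    The first matching row of the "if condition" selects the output; otherwise
    the default is used.  None is returned where the output is ARB."""
    if len(t.rows) != len(t.outs):
        raise ValueError("the third and fourth arguments must have equal length")
    values = [env[name] for name in t.inputs]
    for row, out in zip(t.rows, t.outs):
        if row_matches(row, values):
            return out
    if isinstance(t.default, DENORMAL):       # "else condition": fixed value or ARB
        return t.default.value
    return env[t.default.out.name]            # "else condition": another variable


def not_gate_table(ip: str, op: str) -> TABLESYN:
    """The NOT gate table of Figure 3.2: ip = F gives T, ip = T gives F, else ARB."""
    return TABLESYN([ip], NOWV(op), [[False], [True]], [True, False], DENORMAL(None))


def and_gate_table(a: str, b: str, op: str) -> TABLESYN:
    """Constructed two-input example using DONT_CARE rows and a fixed default:
    any row with a false input gives F; the "else condition" (both true) gives T."""
    return TABLESYN([a, b], NOWV(op),
                    [[False, DONT_CARE], [DONT_CARE, False]], [False, False],
                    DENORMAL(True))


if __name__ == "__main__":
    t = not_gate_table("ip", "op")
    for ip in (False, True):
        print(f"NOT: ip={ip} -> op={eval_table(t, {'ip': ip})}")
```

The NOT gate table never reaches its default because its two rows cover both input values; the AND table shows the other two cases of the text, a don't care entry matching any value and the default supplying the output in the "else condition".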
3.2 The Syntax of the Core MDG-HDL Language 
The core MDG-HDL language that we translate to is a subset of the MDG-HDL language. The abstract syntax of the program is also defined in terms of four arguments - an external output wire list, an external input wire list, an internal wire list and a core component term. A core component term only consists of four constructors, i.e. INITC (initialise), SNXTC (state variable), TABLESYNC (table) and JOINC (component composition), which correspond to the constructors INIT, SNXT, TABLESYN and JOIN in MDG-HDL.
  Mdg_Hdl_Core ::=
    INITC of (string # bool) |
    SNXTC of string => string |
    TABLESYNC of (string list) => Out_Type => ((bool Table_Val list) list)
              => (bool list) => Default_Type |
    JOINC of Mdg_Hdl_Core => Mdg_Hdl_Core
The syntax of the core MDG-HDL program is
  Program_Core ::=
    PROGC of Exoutput => Exinput => Invariable => Mdg_Hdl_Core
For example, the abstract syntax of the core MDG-HDL of the three NOT gates and one REGISTER is given in Figure 3.3.
3.3 The Syntax of the MDG Formula Represen-
tation Program 
T h e s t r u c t u r e o f t h e M D G f o r m u l a r e p r é s e n t a t i o n p r o g r a m is s i m i l a r t o t h e s t r u c t u r e 
o f t h e c o r e M D G - H D L l a n g u a g e . I t c o n s i s t s o f f o u r c o n s t r u c t o r s . i . e . I N I T F , S N X T F , 
48 
PROGC (EXOUT [ " o p " ] ) ( E X I N [ " i p " ] ) ( I N V [ " u " ; " v " ; " w " ] ) 
J O I N C ( T A B L E S Y N C [ " i p " ] (NOWV " u " ) [ [ T A B L E _ V A L F ] ; 
[ T A B L E _ V A L T ] ] 
[ T ; F ] (DENORMAL A R B ) 
J O I N C ( T A B L E S Y N C [ " u " ] (NOWV " v " ) [ [ T A B L E . V A L F ] ; 
[ T A B L E _ V A L T] ] 
[ T ; F ] (DENORMAL A R B ) 
J O I N C ( T A B L E S Y N C [ " v " ] (NOWV " w " ) [ [ T A B L E _ V A L F ] ; 
[ T A B L E . V A L T ] ] 
[ T ; F ] (DENORMAL A R B ) ) ) ) 
( T A B L E S Y N C [ " w " ] (NOWV " o p " ) [ [ T A B L E _ V A L T] ; 
[ T A B L E _ V A L F ] ] 
[ T ; F ] (DENORMAL A R B ) ) ) ) 
Figure 3.3: The Abstract Syntax of a Core M D G - H D L Program 
T A B L E S Y N F a n d J O I N F w h i c h c o r r e s p o n d t o t h e c o n s t r u c t o r s I N I T , S N X T , T A B L E S Y N 
a n d J O I N i n M D G - H D L . A d i f f é r e n c e is t h a t t h e c o n s t r u c t o r T A B L E S Y N F c o n s i s t s of 
s i x a r g u m e n t s r a t h e r t h a n five a r g u m e n t s . It a d d s o n e m o r e a r g u m e n t w h i c h l i s t s 
t h e i n p u t v a l u e s o f t h e "else c o n d i t i o n " . In o t h e r w o r d s , t h i s a r g u m e n t l i s t s a l i t h e 
p o s s i b l e i n p u t v a l u e s w h o s e c o r r e s p o n d i n g o u t p u t v a l u e i s e q u a l t o t h e d e f a u l t v a l u e . 
This i s v e r y i m p o r t a n t b e c a u s e t h e s y s t e m n e e d s t h i s i n f o r m a t i o n f o r b u i l d i n g u p 
t h e MDGs. 
M d g _ H d l - F o r m u l a : : = 
I N I T F o f ( s t r i n g # b o o l ) I 
S N X T F o f s t r i n g = > s t r i n g i 
T A B L E S Y N F o f ( s t r i n g l i s t ) = > O u t _ T y p e = > ( ( b o o l T a b l e . V a l l i s t ) l i s t ) 
=> ( b o o l l i s t ) = > ( ( b o o l T a b l e . V a l l i s t ) l i s t ) = > D e f a u l t . T y p e I 
J O I N F o f M d g _ H d l _ F o r m u l a = > M d g _ H d l - F o r m u l a 
49 
For example, consider an AND gate table. When it represents MDG-HDL code and core MDG-HDL code, it has five arguments. It does not list input values for the "else condition" (Figure 3.4 (a)). However, when it represents the MDG formula representation, it lists all the input values including those values whose corresponding output value is equal to the default value (the else condition) (Figure 3.4 (b)). The abstract syntax for an AND gate component in the MDG formula representation program is shown below:

    TABLESYNF ["ip1"; "ip2"] (NOWV "op")
              [[TABLE_VAL F; DONT_CARE];
               [TABLE_VAL T; TABLE_VAL F]] [T]
              [[TABLE_VAL T; TABLE_VAL T]] (DENORMAL (BOOL F))

The syntax of the MDG formula representation program is defined in a very similar way

    Program_Formula ::=
        PROGF of Exoutput => Exinput => Invariable => Mdg_Hdl_Formula

    (a) AND gate table in MDG-HDL and core MDG-HDL

                INPUTS        OUTPUT
              ip1    ip2        op
        IF     F      *          F
               T      F          F
        ELSE                     T

    (b) AND gate in the MDG formula representation

                INPUTS        OUTPUT
              ip1    ip2        op
        IF     F      *          F
               T      F          F
        ELSE   T      T          T

    Figure 3.4: The Syntax of an AND Gate Table

3.4 Translating MDG-HDL into the Core MDG-HDL Language

The first step in specifying a translator for MDG-HDL is to define a set of functions to translate the MDG-HDL program into the core MDG-HDL language. For each component in MDG-HDL, a compilation operator is defined as a set of functions, which returns its core MDG-HDL code. For example, a NOT gate is compiled as follows:

    ⊢def TRANS_NOT (ip:string) op =
           TABLESYNC [ip] (NOWV op) [[TABLE_VAL F]; [TABLE_VAL T]] [T; F] (DENORMAL ARB)

For the MDG-HDL component term, we define a function TransGT inductively over the syntactic structure; this function translates the MDG-HDL component term into the equivalent core MDG-HDL component term.

    ⊢def (TransGT (NOT ip op) = TRANS_NOT ip op) ∧
         (TransGT (TABLESYN y1 y2 y3 y4 y5) = TRANS_TABLE y1 y2 y3 y4 y5) ∧
         (TransGT (JOIN (code1:Mdg_Hdl) code2) =
            JOINC (TransGT code1) (TransGT code2))

For the MDG-HDL program, a function TransProgMC is defined in terms of the function TransGT

    ⊢def TransProgMC (PROG exv exi inv c) = PROGC exv exi inv (TransGT c)

For example, the following theorem, shown in Figure 3.5, which is obtained by rewriting with the definitions, illustrates the translation of the MDG-HDL program of three NOT gates discussed above.

    ⊢thm TransProgMC (PROG ["op"] ["ip"] ["v_B"; "u_B"]
                        (JOIN (NOT "ip" "v_B") (SEQ (NOT "v_B" "u_B")
                                                    (NOT "u_B" "op")))) =
         PROGC ["op"] ["ip"] ["v_B"; "u_B"]
           (JOINC (TABLESYNC [ip] (NOWV u_B) [[TABLE_VAL F]; [TABLE_VAL T]]
                             [T; F] (DENORMAL ARB))
             (JOINC (TABLESYNC [u_B] (NOWV v_B) [[TABLE_VAL F]; [TABLE_VAL T]]
                               [T; F] (DENORMAL ARB))
                    (TABLESYNC [v_B] (NOWV op) [[TABLE_VAL F]; [TABLE_VAL T]]
                               [T; F] (DENORMAL ARB))))

    Figure 3.5: Translating the MDG-HDL program into the Core MDG-HDL program

3.5 Translating the Core MDG-HDL Program into the MDG Formula Representation Program

For doing such a translation, we need to specify a translator which translates the core MDG-HDL language into the MDG formula representation program. This translator consists of a set of functions.
A TABLE in MDG-HDL can be used to specify "if-then-else" conditions. It only lists the input values for those "if conditions" that are true, and the corresponding output value of each input value is given in the corresponding output list. For the "else condition", because the output value is the same, a default value is given as the output value. The semantics of the TABLE states that if the input value is equal to one of the elements that are listed in the table, the corresponding output value is in the output list, otherwise the output value is equal to the default value. However, when the MDG tool translates the core MDG-HDL into MDG, there is a compiler which automatically finds all other possible input values for the "else condition". In our translator, we have to find all the input values for the "else condition". For these input values, the output value is the default value.

For finding the input values for the "else condition", we need to find all the input values in terms of the length of the input list or the length of each element of the table first. The input values for the "else condition" can be obtained in terms of all the possible input values and the input values for the "if condition".
First of all, we begin to find out all the possible input values. Because we consider the boolean subset here, each input has two possible values (T/F). All the possible input values are determined by the length of the list. We define a function nlists for generating the list of enumerations of a given length.

    ⊢def (nlists 0 = [[]]) ∧
         (nlists (SUC n) = APPEND (MAP (CONS (TABLE_VAL T)) (nlists n))
                                  (MAP (CONS (TABLE_VAL F)) (nlists n)))

For example, SIMP_CONV list_ss [nlists_def] "nlists (SUC (SUC (SUC 0)))"; lists all combinations of a three-element list.

    nlists (SUC (SUC (SUC 0))) =
      [[TABLE_VAL T; TABLE_VAL T; TABLE_VAL T];
       [TABLE_VAL T; TABLE_VAL T; TABLE_VAL F];
       [TABLE_VAL T; TABLE_VAL F; TABLE_VAL T];
       [TABLE_VAL T; TABLE_VAL F; TABLE_VAL F];
       [TABLE_VAL F; TABLE_VAL T; TABLE_VAL T];
       [TABLE_VAL F; TABLE_VAL T; TABLE_VAL F];
       [TABLE_VAL F; TABLE_VAL F; TABLE_VAL T];
       [TABLE_VAL F; TABLE_VAL F; TABLE_VAL F]]
We then need to find out all the input values which are not listed in the "if condition". We use Table_match to check the matching of an input value to a value listed in the table of the "if condition". A match occurs if either the table value is don't-care, or the value on the input is identical to the table value. If there is a match on a given row, this input value has been listed in the table. Otherwise, we must check the next row. If there is no match, this input value is not listed in the table. In other words, this input value belongs to the "else condition" and the corresponding output equals the default value. This is defined by a function Table_match_Lists.

    ⊢def (Table_match_Lists inputs [] = F) ∧
         (Table_match_Lists inputs (CONS v vs) =
            (Table_match inputs v) ∨ (Table_match_Lists inputs vs))

We need to check whether all the possible input values are in the "if condition" or the "else condition". This is implemented by the function Path_Check. It obtains all the input value lists for the "else condition".

    ⊢def (Path_Check [] V_outs = []) ∧
         (Path_Check (CONS ip ips) V_outs =
            if ~(Table_match_Lists (MAP TableVal_to_Val ip) V_outs)
            then CONS ip (Path_Check ips V_outs)
            else (Path_Check ips V_outs))
As we mentioned before, all the combinations of a list are determined by the length of the list and the possible values of each element in the list. Since we consider a boolean subset here, all the combinations of a list are determined by its length (the length of the input list). Therefore, the input values for the "else condition" can be defined in terms of the functions Path_Check and nlists, as given below:

    ⊢def (Else_Conditions n (V_out:bool Table_Val list list) =
            (Path_Check (nlists n) V_out))

where n is the length of the input list. Now, we can define a function TRANS_TABLEC which translates the TABLESYNC component to the corresponding MDG formula representation.

    ⊢def TRANS_TABLEC ip op y1 y2 d =
           TABLESYNF ip op y1 y2 (Else_Conditions (LENGTH ip) y1) d
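The else-condition computation of this section (nlists, Table_match_Lists, Path_Check, Else_Conditions and TRANS_TABLEC), re-expressed as an added Python example that is not part of the thesis. It models TABLE_VAL T / TABLE_VAL F as True / False and DONT_CARE as None, and checks that the AND gate rows of Figure 3.4 (a) yield the single else row [T; T] of Figure 3.4 (b); the only names it introduces beyond the thesis are these Python spellings of the same functions.

```python
# Added example, not from the thesis: the else-condition computation of
# Section 3.5. TABLE_VAL T / TABLE_VAL F are True / False, DONT_CARE is None.

DONT_CARE = None  # stands for the thesis's DONT_CARE table value


def nlists(n):
    """nlists n: all 2**n boolean rows of length n, in the thesis's order
    (the TABLE_VAL T branch first, then the TABLE_VAL F branch)."""
    if n == 0:
        return [[]]
    rest = nlists(n - 1)
    return [[True] + r for r in rest] + [[False] + r for r in rest]


def table_match(inputs, row):
    """Table_match: a row matches when every position is don't-care or equals
    the input value; rows of a different length never match."""
    return len(inputs) == len(row) and all(
        v is DONT_CARE or v == x for x, v in zip(inputs, row))


def table_match_lists(inputs, rows):
    """Table_match_Lists: does any 'if condition' row match these inputs?"""
    return any(table_match(inputs, row) for row in rows)


def path_check(candidates, rows):
    """Path_Check: keep exactly the candidate inputs matched by no row,
    i.e. the inputs that fall into the 'else condition'."""
    return [ip for ip in candidates if not table_match_lists(ip, rows)]


def else_conditions(n, rows):
    """Else_Conditions n V_out = Path_Check (nlists n) V_out."""
    return path_check(nlists(n), rows)


def trans_tablec(inputs, out, rows, outs, default):
    """TRANS_TABLEC: a core TABLESYNC tuple becomes a TABLESYNF tuple with the
    else-condition list inserted before the default (the sixth argument)."""
    return (inputs, out, rows, outs,
            else_conditions(len(inputs), rows), default)


if __name__ == "__main__":
    # The AND gate of Figure 3.4 (a): rows [F, *] and [T, F]; the else
    # condition is the single row [T, T], as in Figure 3.4 (b).
    print(else_conditions(2, [[False, DONT_CARE], [True, False]]))
    # The NOT gate rows [F] and [T] cover every input: no else rows.
    print(else_conditions(1, [[False], [True]]))
```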
The function TransCF is defined for translating the core MDG-HDL component term into the MDG formula representation term.

    ⊢def (TransCF (INITC p) = INITF p) ∧
         (TransCF (SNXTC s s0) = SNXTF s s0) ∧
         (TransCF (TABLESYNC y1 y2 y3 y4 y5) =
            TRANS_TABLEC y1 y2 y3 y4 y5) ∧
         (TransCF (JOINC code1 code2) =
            JOINF (TransCF code1) (TransCF code2))

Finally, the core MDG-HDL program can be translated into the MDG formula representation program by the function TransProgCF.

    ⊢def TransProgCF (PROGC exv inv state p) =
           PROGF exv inv state (TransCF p)
3.6 The Semantics of the MDG-HDL Program 
In this section, we will show how to define a relational semantics [36] of the MDG-HDL program for this subset. First of all, the semantics of the MDG-HDL program is defined in terms of an environment [58] [57]. An environment is a function that has type string -> α. This function maps a variable name (modelled by strings) to the value of that variable. In our language, the environment env is for state variables and signals. Its value is a history function and has type num -> bool, which represents functions from time (natural numbers) to the value at that time.

A semantic function SemProgram for MDG-HDL programs is defined in terms of the semantics of the MDG-HDL component term (SemMdghdl). For each component in the MDG-HDL component library, we define a specific semantic function. The semantics of the MDG-HDL component term (SemMdghdl) is defined based on the semantic functions of each component. In the rest of this section, we will first define the semantic functions for each component in the MDG-HDL component library. We then define the semantics of the MDG-HDL component term (SemMdghdl). Finally, we will define the semantics of the MDG-HDL program (SemProgram).

We first define the semantic function for each component. The first 27 primitive components of the MDG-HDL component library are mainly logic gates and flip-flops. The traditional hardware semantics can be given [35]. The semantics of these components are relations between the input values and the output values. For example, the NOT gate can be expressed by

    ⊢def SEM_NOT ip op = (∀t. op t = ~(ip t))

The semantics of FORK represents the equality of two state variables. On each cycle, the output value 'op' and input value 'ip' are identical at that time.

    ⊢def SEM_FORK ip op = (∀t. op t = ip t)

The constructor INIT has two arguments. They are represented as a pair whose first component (FST y) is a state variable and whose second component (SND y) is a boolean value. The semantics of INIT assigns an initial value (at time zero) to the value of the variable.

    ⊢def SEM_INIT (y:(num->bool) # bool) = ((FST y) 0 = SND y)

The semantics of SNXT represents a relation between a state variable y and a next state variable ny. It declares that the next state variable of y is ny. In other words, the value of the variable y at time t is equal to the value of the variable ny at the following time.

    ⊢def SEM_SNXT ny y = (∀t. ny (t+1) = y t)
The semantics of the table was initially given by Curzon et al. [26]. Since we need to use the induction theorem, we adapt their table definition by adding one more base case. In their definition, they define a predicate Table_match to check if the input values match the table values.

    ⊢def (Table_match inputs [] t = T) ∧
         (Table_match inputs (CONS v vs) t =
            (((HD inputs) t = TableVal_to_Val v) ∨ (v = DONT_CARE)) ∧
            (Table_match (TL inputs) vs t))

The function table is defined in terms of Table_match. It has five arguments. The first argument is a list of the inputs, the second is the single output, the third is a list of table rows. Each row is a list itself, giving one allocation of values to the inputs. The fourth argument is a list of output values. Each is the value on the output when the inputs have the values in the corresponding row. The final argument is the default value, taken by the output if the input values do not match any row. It checks if there is a match on each row. If there is, the output has the corresponding value. Otherwise, the output equals the default value. Since the third and fourth arguments are lists, they may have unequal lengths. When either list is empty, the output value equals the default value.

    ⊢def (table ip op [] V_out default t = (op t = default t)) ∧
         (table ip op vs [] default t = (op t = default t)) ∧
         (table ip op (CONS v vs) V_out default t =
            (if (Table_match ip v t)
             then (op t = (HD V_out) t)
             else (table ip op vs (TL V_out) default t)))
The above definition refers to the time of interest, t. Function TABLE defines a given table which will relate a given input to a given output if the table relation is true at all times.

    ⊢def TABLE ip op V_outs V_out default =
           ∀t. table ip op V_outs V_out default t

As we mentioned before, the second argument of the table is the single output. Its output could be either a current state variable or a next state variable. We define a new HOL type Out_Type to represent these options. The final argument is the default value, which is taken by the output if the input values do not match any row. The default value could be an arbitrary value, a current state variable or a next state variable. We also define a new HOL type Default_Type in terms of the type Out_Type. We define two functions SEM_OUTVAR and SEM_DEFAULTVAR in order to access the corresponding values.

    ⊢def (Sem_Outvar (NOWV y) env = (env y)) ∧
         (Sem_Outvar (NEXTV y) env = (env y) o NEXT)

    ⊢def (Sem_Defaultvar (DENORMAL y) env = (λ(t:num). y)) ∧
         (Sem_Defaultvar (DEOUT x) env = (Sem_Outvar x env))

The values given in the list of the outputs are signals, which are functions from time to a value. Function CONST_TO_FUNCT is used to lift the constant list to a signal list.

    ⊢def (CONST_TO_FUNCT [c] = [λ(t:num). c]) ∧
         (CONST_TO_FUNCT (CONS v vl) =
            CONS (λ(t:num). v) (CONST_TO_FUNCT vl))

Now, the semantics of the MDG-HDL component term (SemMdghdl) can be defined in terms of the functions that we defined above, as shown below.
    ⊢def (SemMdghdl (NOT ip op) env = SEM_NOT (env ip) (env op)) ∧
         (SemMdghdl (TABLESYN y1 y2 y3 y4 y5) env =
            TABLE (MAP env y1) (SEM_OUTVAR y2 env) y3
                  (CONST_TO_FUNCT y4) (SEM_DEFAULTVAR y5 env)) ∧
         (SemMdghdl (JOIN code1 code2) env =
            ((SemMdghdl code1 env) ∧ (SemMdghdl code2 env)))

From the definition of SemMdghdl we know that the semantics of TABLESYN is defined in terms of the function TABLE:

    ⊢def SemMdghdl (TABLESYN ip (op:out_type) y3 y4 y5) env =
           TABLE (MAP env ip) (SEM_OUTVAR op env) y3
                 (CONST_TO_FUNCT y4) (SEM_DEFAULTVAR y5 env)

For example, the semantics of the table code of the NOT gate is

    ⊢thm SemMdghdl (TABLESYN [ip] (NOWV op) [[TABLE_VAL F]; [TABLE_VAL T]]
                              [T; F] (DENORMAL ARB)) env =
           TABLE (MAP env [ip]) (SEM_OUTVAR (NOWV op) env)
                 [[TABLE_VAL F]; [TABLE_VAL T]]
                 (CONST_TO_FUNCT [T; F])
                 (SEM_DEFAULTVAR (DENORMAL ARB) env)

The semantics of sequencing (JOIN) is defined inductively in terms of the primary component commands. The semantics of JOIN is the conjunction of the corresponding semantics of each sub-command.
    ⊢def SemMdghdl (JOIN c1 c2) env =
           ((SemMdghdl c1 env) ∧ (SemMdghdl c2 env))

Finally, the semantics of a full program can be defined in terms of some auxiliary functions. Firstly, the function Dsem_Int is defined in terms of the semantics of the component term (SemMdghdl). It uses existential quantification to hide the local variables from the environment of the circuit. It adds an extra entry to the environment env for each internal wire. This effectively hides the internal wires in a component term (code).

    ⊢def (Dsem_Int [] code env = SemMdghdl code env) ∧
         (Dsem_Int (CONS (w:string) ws) code (env:string->num->bool) =
            (∃v. (Dsem_Int ws code (λwv. if (wv = w) then v else (env wv)))))

The semantics of a circuit is a relation on the external inputs and outputs. In order to explicitly represent the relation with the external wires, we define a function Dsem_Ext. It adds an extra entry to the environment env for each external wire (input or output). This function assigns all the values of external inputs or all the values of external outputs to a list (var:(num->bool) list). In other words, each element in the list var indicates a value of an external input or a value of an external output. This function makes it possible to represent the semantics of a circuit explicitly as the relation between the external inputs and outputs.

    ⊢def (Dsem_Ext [] env (var:(num->bool) list) = env) ∧
         (Dsem_Ext (CONS (v:string) vs) env var =
            (Dsem_Ext vs (λwv. if (wv = v) then (HD var)
                               else (env wv)) (TL var)))

We also define functions SemExoutput, SemExinput and SemInvariable to access values of the external output and input wires and the internal wires.
    ⊢def SemExoutput (EXOUT x) = x
    ⊢def SemExinput (EXIN x) = x
    ⊢def SemInvariable (INV x) = x

Finally, the semantics of a program SemProgram is based on the functions we introduced above. We first apply the function Dsem_Ext to the external inputs, which adds an entry to the environment for all external inputs and assigns the value of each external input to an element of a list ip. We then apply the function Dsem_Ext to the external outputs. Similarly, this adds an entry to the environment for all external outputs and assigns the value of each external output to an element of a list op. Finally, the function Dsem_Int gives the semantics of the circuit in terms of the semantics of the component term (SemMdghdl) and uses existential quantification to hide the local variables from the environment of the circuit.

    ⊢def SemProgram (PROG exoutput exinput inv code) ip op =
           let env1 = Dsem_Ext (SemExinput exinput) EmptyEnv ip
           in
           let env2 = Dsem_Ext (SemExoutput exoutput) env1 op
           in
           Dsem_Int (SemInvariable inv) code env2

where EmptyEnv is the initial value of the environment env.

The semantics of a program explicitly represents the relation between the external inputs and outputs. Our semantics is not only used to verify the correctness of the translation, but is also used to formally import the MDG results into HOL to form the HOL theorem. During the importation process, we have to formalize the different MDG applications (combinational verification, sequential verification, property checking and so on) and add some extra assumptions. All these formalizations are explicitly concerned with the external inputs and outputs. Our semantics makes it possible to do so.
For example, the semantics of a circuit of three NOT gates and one REGISTER can be expressed as:

    SemProgram (PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["u"; "v"; "w"])
                     (JOIN (NOT "ip" "u")
                       (JOIN (NOT "u" "v")
                         (JOIN (NOT "v" "w") (REG "w" "op"))))) ip op

By expanding the definitions, this circuit can actually be formalized as

    ∃u v w.
      (∀t. u t = ~(HD ip t)) ∧ (∀t. v t = ~(u t)) ∧
      (∀t. w t = ~(v t)) ∧ (∀t. HD op (t + 1) = w t)

It can be simplified further to

    ∀t. HD op (t + 1) = ~(HD ip t)

Obviously, the semantics of this circuit explicitly represents the relation between the external input list ip and output list op in the circuit.
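The relational semantics of this section, evaluated on the three-NOT-gate and REGISTER circuit, as an added Python example that is not part of the thesis. It assumes a bounded time horizon N (the thesis quantifies over all t), represents a signal num -> bool as a tuple indexed by time and env as a dict, turns the existential quantifier of Dsem_Int into a finite search, and checks that the program semantics coincides with the simplified relation HD op (t + 1) = ~(HD ip t) on every external trace.

```python
# Added example, not from the thesis: the relational semantics of Section 3.6
# over a finite time horizon. A signal (num -> bool) is a tuple indexed by
# time; env (string -> num -> bool) is a dict from wire name to signal.
from itertools import product

N = 3             # time horizon; constructed assumption, the thesis uses all t
DONT_CARE = None  # stands for the thesis's DONT_CARE table value


def signals():
    """Every boolean signal over the horizon: 2**N tuples."""
    return list(product([False, True], repeat=N))


def sem_not(ip, op):
    """SEM_NOT ip op = (forall t. op t = ~(ip t))."""
    return all(op[t] == (not ip[t]) for t in range(N))


def sem_snxt(ny, y):
    """SEM_SNXT ny y = (forall t. ny (t+1) = y t), for every t with t+1 < N."""
    return all(ny[t + 1] == y[t] for t in range(N - 1))


def table_match(inputs, row, t):
    """Table_match: at time t each input equals its table value, or the
    table value is don't-care."""
    return all(v is DONT_CARE or v == sig[t] for sig, v in zip(inputs, row))


def table(ip, op, rows, outs, default, t):
    """The thesis's `table` relation at one time t, with both base cases:
    an exhausted row list or an exhausted output list yields the default."""
    if not rows or not outs:
        return op[t] == default(t)
    if table_match(ip, rows[0], t):
        return op[t] == outs[0]        # outs holds the CONST_TO_FUNCT constants
    return table(ip, op, rows[1:], outs[1:], default, t)


def TABLE(ip, op, rows, outs, default):
    """TABLE = (forall t. table ... t), bounded to the horizon."""
    return all(table(ip, op, rows, outs, default, t) for t in range(N))


def arb(t):
    """DENORMAL ARB: the NOT-gate rows cover every input, so this default is
    never consulted; any fixed choice will do."""
    return False


def sem_circuit(env):
    """SemMdghdl of JOIN (NOT ip u) (JOIN (NOT u v) (JOIN (NOT v w) (REG w op))),
    each NOT gate given as its table ([[F]; [T]] -> [T; F]) and REG as SEM_SNXT."""
    not_rows, not_outs = [[False], [True]], [True, False]
    return (TABLE([env["ip"]], env["u"], not_rows, not_outs, arb)
            and TABLE([env["u"]], env["v"], not_rows, not_outs, arb)
            and TABLE([env["v"]], env["w"], not_rows, not_outs, arb)
            and sem_snxt(env["op"], env["w"]))


def dsem_int(internal, code, env):
    """Dsem_Int: existentially quantify each internal wire; over a finite
    horizon the quantifier becomes a search over all 2**N signals."""
    if not internal:
        return code(env)
    w, rest = internal[0], internal[1:]
    return any(dsem_int(rest, code, {**env, w: sig}) for sig in signals())


def sem_program(ip, op):
    """SemProgram for PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["u";"v";"w"]) ...
    Dsem_Ext binds the single external wires (so HD ip, HD op are ip, op),
    then Dsem_Int hides u, v and w."""
    env = {"ip": ip, "op": op}
    return dsem_int(["u", "v", "w"], sem_circuit, env)


def simplified(ip, op):
    """The relation the thesis derives: forall t. HD op (t + 1) = ~(HD ip t)."""
    return all(op[t + 1] == (not ip[t]) for t in range(N - 1))


def semantics_agree():
    """Check the derivation of Section 3.6 on every pair of external traces."""
    return all(sem_program(ip, op) == simplified(ip, op)
               for ip in signals() for op in signals())


if __name__ == "__main__":
    print("circuit semantics == simplified relation:", semantics_agree())
```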
3.7 The Semantics of the Core MDG-HDL Program

Similar to the last section, the semantics of the core MDG-HDL program (SemProgram_Core) is defined in terms of the semantics of the core component term (SemMdghdl_Core) and the functions Dsem_Ext and Dsem_Int_Core. Since the core component term only consists of four components, its semantics is determined in terms of its four semantic functions.
    ⊢def (SemMdghdl_Core (INITC init) env =
            SEM_INIT ((env (FST init)), (SND init))) ∧
         (SemMdghdl_Core (SNXTC op st) env = SEM_SNXT (env op) (env st)) ∧
         (SemMdghdl_Core (TABLESYNC y1 y2 y3 y4 y5) env =
            TABLE (MAP env y1) (SEM_OUTVAR y2 env) y3
                  (CONST_TO_FUNCT y4) (SEM_DEFAULTVAR y5 env)) ∧
         (SemMdghdl_Core (JOINC code1 code2) env =
            ((SemMdghdl_Core code1 env) ∧ (SemMdghdl_Core code2 env)))

In the semantic function of the program (SemProgram_Core), the function Dsem_Ext adds an entry to the environment for all external inputs and outputs, and assigns the value of each external input to an element of a list ip and each external output to an element of a list op. The function Dsem_Int_Core gives the semantics of the circuit in terms of the semantics of the component term (SemMdghdl_Core) and uses existential quantification to hide the local variables from the environment of the circuit.

    ⊢def SemProgram_Core (PROGC exoutput exinput inv code) ip op =
           let env1 = Dsem_Ext (SemExinput exinput) EmptyEnv ip
           in
           let env2 = Dsem_Ext (SemExoutput exoutput) env1 op
           in
           Dsem_Int_Core (SemInvariable inv) code env2
3.8 The Semantics of the MDG Formula Representation Program

The semantics of the MDG formula representation program (SemProgram_Formula)
is also defined in terms of the semantics of its formula component term
(SemMdghdl_Formula) and the functions Dsem_Ext and Dsem_Int_Formula. The semantics of
the formula component term (SemMdghdl_Formula) is defined based on its components'
semantic functions. Among those semantic functions, the semantic function
for the constructor TABLESYNF is different from the semantic function for the constructor
TABLESYNC (TABLE) in the last section.

To define the semantic function for the constructor TABLESYNF, we need to
define a function Table_Formula first. This function is defined in terms of
Table_match_List and table. It checks if there is a match on the "if condition"
for any input. If there is, the output has the corresponding value. Otherwise, the
Table_Formula is the conjunction of the Table_match_List on the "else condition"
and the output equals the default value.

⊢def Table_Formula inps out ift u elt default t =
       if (Table_match_List (MAP1 inps t) ift)
       then (table inps out ift u default t)
       else ((Table_match_List (MAP1 inps t) elt) ∧ (out t = default t))

The above definition refers to the time of interest, t. The function TABLE_FORMULA defines
a given table which relates a given input to a given output if the Table_Formula
relation is true at all times.

⊢def TABLE_FORMULA ip op ift ifout elt default =
       ∀t. Table_Formula ip op ift ifout elt default t

The semantic functions for the constructors INITF and SNXTF are the same as those we
defined for the constructors INIT, INITC, SNXT and SNXTC in the last two sections.
The semantics of the formula component term can be defined in terms of the above
semantic functions.

⊢def (SemMdghdl_Formula (TABLESYNF y1 y2 y3 y4 y y5) s =
        (TABLE_FORMULA (MAP s y1) (Sem_Outvar y2 s) y3
                       (CONST_TO_FUNCT y4) y (Sem_Defaultvar y5 s))) ∧
     (SemMdghdl_Formula (INITF init) s =
        SEM_INIT (s (FST init), SND init)) ∧
     (SemMdghdl_Formula (SNXTF op st) s = SEM_SNXT (s op) (s st)) ∧
     (SemMdghdl_Formula (JOINF m1 m2) s =
        (SemMdghdl_Formula m1 s ∧ SemMdghdl_Formula m2 s))

Finally, the semantics of the MDG formula representation program can be defined
in a very similar way.

⊢def SemProgram_Formula (PROGCF exoutput exinput inv code) ip op =
       let env1 = Dsem_Ext (SemExinput exinput) EmptyEnv ip
       in
       let env2 = Dsem_Ext (SemExoutput exoutput) env1 op
       in
       Dsem_Int_Formula (SemInvariable inv) code env2
3.9 Translator Correctness Theorems

To verify the correctness of the translators, as we suggested at the beginning of this
section, we have to obtain two theorems that quantify over their syntactic structure
and state that the semantics of the source program is equivalent to the semantics
of its translated form.

For verifying the first translator of this subset language, we have proved three
theorems using HOL. The first theorem we have proved is Component_TermC_THM,
which specifies that the semantics of the component term is equivalent to the semantics
of its core MDG-HDL component term.

⊢thm ∀c env. SemMdghdl c env = SemMdghdl_Core (TransGT c) env

in which c represents any MDG-HDL component term, TransGT is the function which
translates the MDG-HDL component term to its core MDG-HDL code and env is
the environment for variables. The correctness theorem is proved by structural
induction on the syntax domain of the MDG-HDL component term.

The second theorem we have proved is Circuit_DsemC_THM, which is obtained in
terms of the theorem Component_TermC_THM. It states that the semantics of a circuit
is equivalent to the semantics of its translated form.

⊢thm ∀inv c env. Dsem_Int inv c env =
                 Dsem_Int_Core inv (TransGT c) env

where inv represents the internal wires of the circuit and c is a sequence of
MDG-HDL components.

The third theorem is the correctness theorem of the program, ProgC_THM, which is
proved in terms of the theorems Component_TermC_THM and Circuit_DsemC_THM. The
meaning of this theorem is similar to that of the theorem Dsem_THM, i.e., the semantics
of a circuit is equivalent to the semantics of its translated form. However, the
difference is that the external input list ip and output list op of the circuit are
explicitly represented in the semantics of the program.

⊢thm ∀exv exi inv c.
       SemProgram (PROG exv exi inv c) ip op =
       SemProgram_Core (TransProgMC (PROG exv exi inv c)) ip op                (3.1)

For verifying the second translator of this subset language, we need to prove
another three theorems in a similar way. The first theorem we have proved is
Component_TermCF_THM, which specifies that the semantics of the core component
term is equivalent to the semantics of its MDG formula component term.

⊢thm ∀c s. SemMdghdl_Core c s =
           SemMdghdl_Formula (TransProgCF c) s

The second theorem is Circuit_DsemCF_THM, which states that the semantics of a
circuit (core MDG-HDL program) is equivalent to the semantics of its translated
form (MDG formula representation program).

⊢thm ∀inv c env. Dsem_Int_Core inv c env =
                 Dsem_Int_Formula inv (TransProgCF c) env

Similarly, the last theorem is ProgCF_THM, in which the external input list and output
list of the circuit are explicitly represented. It states that the semantics of a circuit
of the core MDG-HDL program is equivalent to the semantics of its translated form
(MDG formula representation program).

⊢thm ∀exv exi inv c.
       SemProgram_Core (PROGC exv exi inv c) ip op =
       SemProgram_Formula (TransProgCF (PROGC exv exi inv c)) ip op           (3.2)

We have proved that the two translators are correct and obtained two correctness
theorems, (3.1) and (3.2). By combining these two correctness theorems, we obtain
a new correctness theorem (3.3), which states that the semantics of a circuit of an
MDG-HDL program is equivalent to the semantics of the corresponding MDG formula
representation program.

⊢thm ∀exv exi inv c.
       SemProgram (PROG exv exi inv c) ip op =
       SemProgram_Formula
         (TransProgCF (TransProgMC (PROG exv exi inv c))) ip op               (3.3)
Summary

In this chapter, we have investigated a way to verify the correctness of aspects
of a decision graph system (the MDG system) based on a theorem prover system
(the HOL system). We have defined a deep embedding formal semantics for a
boolean subset of the MDG-HDL language, its core MDG-HDL code and the MDG formula
representation language. Functions for translating the MDG-HDL subset language
to core MDG-HDL code and for translating the core MDG-HDL language to the
MDG formula representation language are given. Two correctness theorems for the two
translators have been proved. By combining the two translation correctness theorems,
we obtain a new theorem which states that the semantics of the MDG-HDL program is
equivalent to the semantics of the MDG formula representation program. This
combination allows the low level representation (the MDG formula representation
language) to be converted to the high level language MDG-HDL. We will show,
in Chapter 6, how such a translator correctness theorem can be combined with
importing theorems.
Chapter 4

Verifying the MDG Translator for the Extended Subset

In the last chapter, we defined the syntax and the semantics of the boolean subset
of the MDG-HDL language. We obtained a theorem (3.3), which states that the semantics
of the MDG-HDL program is equivalent to the semantics of the MDG formula
representation program used in the MDG implementation. However, this subset
could not cope with many MDG applications. As a matter of fact, the formal logic
used in MDG-HDL is a many-sorted first-order logic, which contains abstract sorts
and concrete sorts. The concrete sort of boolean values is treated separately as it
is predefined in MDG and used with most components. It is therefore treated as
a special case. The inputs and outputs of the component TABLE could be of different
sorts. These sorts could be boolean sorts, concrete sorts and abstract sorts. In this
chapter, we will extend our formalization to accommodate a list of inputs (the first
argument of the table component) with boolean sorts and concrete sorts. We did
not consider the abstract sort because the Montreal MDG-HOL system can only
deal with the concrete sort and boolean sorts. Also, the subset we consider is similar
to that of BDD systems, so it has wide application.

In this chapter, we will verify the translation phase of the MDG system as
shown in step (1) of Figure 1.5 for the extended subset. Similarly, the formal syntax
and semantics of the MDG-HDL language and core MDG-HDL language of this
subset will be defined. A set of functions for translating this subset language to
its core MDG-HDL equivalent will then be given. The correctness theorem about
the translation, which quantifies over its syntactic structure, will be proved. Before
we start proving the correctness of the translation, we will introduce an example.
It is a state transition diagram of the Timing block of the Fairisle ATM switch
fabric [66] [26]. This example will explain why it is necessary to embed the extended
subset into HOL.
4.1 State Transitions of the Fairisle Switch Fabric Timing Block

The Fairisle Switch Fabric is a real switch fabric designed and in use at the University
of Cambridge for multimedia applications. The Fairisle switch forms the heart of
the Fairisle network. Curzon [23] formally verified this Fairisle Switch Fabric using
HOL. Tahar et al. [73] reverified it using MDG. The Fairisle Switch Fabric can be
split into 3 sub-modules, namely Acknowledgement, Arbitration and Data Switch.
The Timing Block is a sub-module of the Arbitration. Pisini et al. [67] verified the
Timing Block using a hybrid system (HOL and MDG).

The Timing block controls the timing of the arbitration decision based on the
frame start signal and the time the routing bytes arrive. Figure 4.1 shows the finite
state machine of the behavior of this timing block, which is described using a state
transition function and an output function. The specification of the Timing block in
MDG is as shown in Figure 4.2. An MDG table is used to represent the behavior
of the Timing block. This MDG table is taken from [67].

Figure 4.1: State Transitions of the Fairisle Switch Fabric Timing Block

table [[anyActive, frameStart, timing_state, n_timing_state],
       [*, 1, RUN,   WAIT],
       [*, 0, RUN,   RUN],
       [1, 0, WAIT,  ROUTE],
       [*, 1, ROUTE, WAIT] | WAIT]

          INPUTS                                OUTPUT
      anyActive   frameStart   timing_state     n_timing_state
IF    *           T            RUN              WAIT
      *           F            RUN              RUN
      T           F            WAIT             ROUTE
      *           T            ROUTE            WAIT
ELSE                                            WAIT

Figure 4.2: The Behavior of the Fairisle Switch Fabric Timing Block
In the table, anyActive and frameStart are of boolean sort; timing_state and
n_timing_state are of a concrete sort with the enumeration RUN, WAIT, ROUTE. In
order to formalize the behavior of the Timing block, we need to redefine the definition
of TABLE to accommodate the different sorts, as the version considered so far only
allowed boolean values in the table. In the following section, we will redefine the
syntax and semantics of the MDG-HDL language and the core MDG-HDL language
to meet those requirements.
4.2 The Syntax of the MDG-HDL Language

In this section, we will define the syntax of the MDG-HDL language for the extended
subset. This subset allows the program to contain concrete sorts. A concrete sort is a
set of distinct constants of that sort. We use a string to represent them. However,
the inputs and outputs of many basic components in the MDG-HDL library are
of boolean value. Therefore, we use the function Hol_datatype to define a new
type Mdg_Basic in HOL to meet this requirement. Since we use a boolean value
to represent the inputs and outputs of some basic components and use a string to
represent each element of a concrete sort (except the boolean type), this new type
Mdg_Basic can be either a boolean value or a string. In other words, any term
with type Mdg_Basic is either a BOOL bool term, a CONCRETE string term or the
base case UNBOUND term. In the rest of this thesis, if a variable x is a (BOOL bool)
term, we say x is of bool sort. If a variable x is a (CONCRETE string) term, we say
x is of concrete sort. If a variable x is an (UNBOUND) term, we say x is unbound.

Mdg_Basic ::= UNBOUND | BOOL of bool | CONCRETE of string

Therefore, the common type for all the input variables of the Timing block is
Mdg_Basic. The anyActive and frameStart are BOOL bool terms; the timing_state
and n_timing_state are CONCRETE string terms.

The full abstract syntax of the extended subset is given in Appendix B, which
is similar to that we gave before. In this version's syntax, the third argument of
the constructor TABLESYN has the type ((Mdg_Basic Table_Val list) list) rather
than ((bool Table_Val list) list). This is because each element of this argument
gives one allocation of values to the inputs, while each input is an Mdg_Basic
term. In other words, it could be a (BOOL bool) term or a (CONCRETE string) term.
Similarly, the fourth argument has the type ((Mdg_Basic) list) rather than
(bool list). The final argument could be an arbitrary Mdg_Basic value, a current
state variable or a next state variable. The syntax of the table can therefore be used
to formalize those designs whose MDG-HDL programs contain concrete sorts, such
as the Timing block shown below (Timing_TABLESYN). However, the syntax and the
semantics become more complicated.

Timing_TABLESYN =
  (TABLESYN
     ["anyActive"; "frameStart"; "timing_state"]
     (NEXTV ("n_timing_state"))
     [[DONT_CARE;          TABLE_VAL (BOOL T); TABLE_VAL (CONCRETE "RUN")];
      [DONT_CARE;          TABLE_VAL (BOOL F); TABLE_VAL (CONCRETE "RUN")];
      [TABLE_VAL (BOOL T); TABLE_VAL (BOOL F); TABLE_VAL (CONCRETE "WAIT")];
      [DONT_CARE;          TABLE_VAL (BOOL F); TABLE_VAL (CONCRETE "ROUTE")];
      [DONT_CARE;          TABLE_VAL (BOOL T); TABLE_VAL (CONCRETE "ROUTE")]]
     [(CONCRETE "WAIT"); (CONCRETE "RUN"); (CONCRETE "ROUTE");
      (CONCRETE "RUN"); (CONCRETE "WAIT")]
     (DENORMAL (CONCRETE "WAIT")))

where we use Timing_TABLESYN to informally represent the syntax of the Fairisle
Switch Fabric Timing Block. We can notice that the third argument in the table of
the Timing Block contains DONT_CARE, boolean values (e.g. TABLE_VAL (BOOL T)) and
concrete sort values (e.g. TABLE_VAL (CONCRETE "ROUTE")).

The abstract syntax of the program is given by the constructor PROG, which is
similar to the PROG in the last chapter. It consists of an external output wire list,
an external input wire list, an internal wire list and a component term.

Mdg_Program ::= PROG of Exoutput => Exinput => Invariable => Mdg_Hdl

For example, the syntax of the Timing block is

PROG (EXOUT ["n_timing_state"])
     (EXIN ["anyActive"; "frameStart"; "timing_state"])
     (INV []) (Timing_TABLESYN)
4.3 The Syntax of the Core MDG-HDL Language

The syntax of the core MDG-HDL language for the extended subset is similar to
the syntax of the core MDG-HDL language for the boolean subset. However, their
syntactic categories are different. The syntactic category for the extended subset
is wider than that of the boolean subset, because the syntax for the extended subset can
accommodate both concrete sort and boolean sort.

The abstract syntax of the program is also defined in terms of four arguments:
an external output wire list, an external input wire list, an internal wire list and
a core component term. A core component term only consists of four constructors,
i.e. INITC, SNXTC, TABLESYNC and JOINC.

Mdg_Hdl_Core ::=
    INITC of (string#Mdg_Basic) |
    SNXTC of string => string |
    TABLESYNC of (string list) => Out_Type => ((Mdg_Basic Table_Val list) list)
              => (Mdg_Basic list) => Default_Type |
    JOINC of Mdg_Hdl_Core => Mdg_Hdl_Core

The syntax of the core MDG-HDL program is

Mdg_Core_Program ::=
    PROGC of Exoutput => Exinput => Invariable => Mdg_Hdl_Core
4.4 Compiling MDG-HDL into the Core MDG-HDL Language

As we mentioned in the last chapter, we specified a translator for MDG-HDL to
translate the MDG-HDL program into the core MDG-HDL language. However, the
syntactic category is different from that in the last chapter.

Similarly, we first define a set of functions, one for each component. These functions
apply to each component and return its core MDG-HDL code. For example, a NOT
gate is compiled into

⊢def TRANS_NOT (x:string) y =
       TABLESYNC [x] (NOWV y) [[TABLE_VAL (BOOL T)];
                               [TABLE_VAL (BOOL F)]]
                 [BOOL F; BOOL T] (DENORMAL ARB)

We then define a function TransGT for the MDG-HDL component term inductively
over the syntactic structure. This function translates the MDG-HDL component
term into the equivalent core MDG-HDL form.

⊢def (TransGT (NOT ip op) = TRANS_NOT ip op) ∧
     (TransGT (TABLESYN y1 y2 y3 y4 y5) = TRANS_TABLE y1 y2 y3 y4 y5) ∧
     (TransGT (JOIN (code1:Mdg_Hdl) code2) =
        JOINC (TransGT code1) (TransGT code2))

Finally, a function TransProgMC is defined in terms of the function TransGT, which
translates the MDG-HDL program into its core MDG-HDL program.

⊢def TransProgMC (PROG exv exi inv p) = PROGC exv exi inv (TransGT p)
4.5 The Semantics of the MDG-HDL Program 
I n t h i s s e c t i o n , w e w i l l d e f i n e t h e s e m a n t i c s o f t h e M D G - H D L l a n g u a g e f o r t h e 
e x t e n d e d s u b s e t . W e w i l l first d e f i n e t h e s e m a n t i c f u n c t i o n s f o r e a c h c o m p o n e n t 
i n t h e M D G - H D L c o m p o n e n t l i b r a r y . W e t h e n d e f i n e t h e s e m a n t i c s o f t h e M D G -
H D L c o m p o n e n t t e r m ( S e m M d g h d l ) . W e n e x t d e f i n e s o m e p r e d i c a t e s t o c h e c k i f a i l 
t h e e x t e r n a l w i r e s h a v e p r o p e r v a l u e s . F i n a l l y , w e w i l l d e f i n e t h e s e m a n t i c s o f t h e 
M D G - H D L p r o g r a m ( S e m P r o g r a m ) . 
F i r s t l y , w e b e g i n t o d e f i n e t h e s e m a n t i c s o f t h e M D G - H D L c o m p o n e n t s . T h e 
p r i m i t i v e c o m p o n e n t s o f t h e M D G - H D L c o m p o n e n t t e r m a r e l o g i e g â t e s , f l i p - f l o p s , 
t a b l e , i n i t i a l v a l u e e t c . T h e s e m a n t i c s o f t h e l o g i e g â t e s a n d flip-flops a r e s i m i l a r t o 
t h e s e m a n t i c s w e d e f i n e d f o r t h e b o o l e a n s u b s e t . H o w e v e r , t h e y a r e m o r e c o m p l e x 
n o w b e c a u s e w e c o n s i d e r a d i f f é r e n t s u b s e t . T h e v a r i a b l e s i n t h i s s u b s e t h a v e d i f f é r e n t 
s o r t s . W e h a v e t o d e f i n e s o m e p r e d i c a t e s t o e n s u r e e a c h v a r i a b l e d o e s n o t g e t s o r t 
m i s m a t c h e d . F o r e x a m p l e , a NOT g a t e c a n o n l y h a v e b o o l e a n v a l u e s . I t i s m e a n i n g l e s s 
t o h a v e n o n b o o l e a n i n p u t . I n o t h e r w o r d s , t h e t y p e o f i n p u t s a n d o u t p u t s o f t h e 
c o m p o n e n t i n t h i s s u b s e t i s M d g _ B a s i c , w e n e e d t o c h e c k i f t h e i n p u t o r o u t p u t is 
e i t h e r a BOOL b o o l t e r m , a C O N C R E T E s t r i n g t e r m o r a n UNBOUND t e r m f o r t h e d i f f é r e n t 
c o m p o n e n t s a n d d i f f é r e n t a p p l i c a t i o n s . T h r e e p r e d i c a t e s I S . B 0 0 L , I S - C O N C R E T E a n d 
I S - U N B O U N D a r e d e f i n e d t o find o u t w h a t k i n d o f s o r t a n M d g _ B a s i c t e r m h a s . . 
J-rfe/ ( I S . B 0 D L (BDDL v ) = T ) A 
( I S _ B 0 0 L ( C O N C R E T E u ) = F ) A 
( I S _ B 0 0 L UNBOUND = F ) 
77 
\~def U S - C O N C R E T E (BOOL v ) = F ) A 
( I S _ C O N C R E T E ( C O N C R E T E u ) = T ) A 
( I S _ C O N C R E T E ÜNBOUND = F ) 
\ - d e J ( I S . U N B O U N D (BOOL v ) = F ) A 
( IS_UNBOUND ( C O N C R E T E u ) = F ) A 
( IS_UNBOUND UNBOUND = T ) 
T h e s e m a n t i c s o f t h e l o g i e g â t e s a n d flip-flops a r e t h e n a c o n j u n c t i o n o f t h e s o r t 
• j u d g m e n t o f i t s i n p u t s a n d O u t p u t s a n d a r e l a t i o n b e t w e e n t h e i n p u t v a l u e s a n d t h e 
o u t p u t v a l u e s . F o r e x a m p l e , t h e NOT g a t e c a n b e e x p r e s s e d b y 
\~def SEMJJOT i p o p = 
( V t . I S - B O O L ( x t ) A ( I S - B O O L ( y t ) ) A 
( ( M D G _ T 0 _ B 0 0 L ( y t ) ) = ( ~ MDG_T0_B00L ( x t ) ) ) ) 
w h e r e p r e d i c a t e I S _ B 0 0 L is u s e d t o c h e c k i f a v a l u e o f M d g _ B a s i c t e r m i s BOOL T o r 
BOOL F , a n d f u n c t i o n MDG_T0_B00L c o n v e r t s t h e M d g _ B a s i c t e r m s BOOL T a n d BOOL F 
t o b o o l e a n v a l u e s T a n d F . 
H d e / (MDG_T0_B00L (BOOL v ) = v ) 
W e d e f ì n e t h e s e m a n t i c s o f t h e AND g a t e i n a s i m i l a r w a y . 
h d e / SEM_AND x l x 2 y = 
( V t . ( I S . B 0 0 L ( x l t ) A I S _ B 0 0 L ( x 2 t ) A I S _ B 0 0 L ( y t ) ) A 
( ( M D G _ T 0 _ B 0 0 L ( y t ) ) = 
( ( M D G _ T 0 _ B 0 0 L ( x l t ) ) A (MDG_T0_B00L ( x 2 t ) ) ) ) 
T h e s e m a n t i c s o f o t h e r l o g i e g â t e s a n d f l i p - f l o p s a r e a l s o d e f i n e d i n a s i m i l a r w a y . 
T h e s e m a n t i c s o f t h e T A B L E S Y N i s e x t e n d e d t o d e a l w i t h t h e t y p e M d g _ B a s i c . I t is 
78 
a l s o d e f i n e d i n t e r m s o f t h e d é f i n i t i o n s o f T A B L E a n d t a b l e . T h e t a b l e f u n c t i o n f o r 
t h e e x t e n d e d s u b s e t i s d e f i n e d i n a s i m i l a r w a y t o t h e f u n c t i o n w e d e f i n e d f o r t h e 
b o o l e a n s u b s e t , e x c e p t t h a t t h e t y p e o f t h e i n p u t s a n d o u t p u t a r e n u m - M d g _ B a s i c 
(see F i g u r e 4 . 2 ) . I n o t h e r w o r d s , f o r a n y i n p u t a n d o u t p u t o f a t a b l e , t h e i r v a l u e s 
a r e h i s t o r y f u n c t i o n s f r o m t i m e , a n a t u r a i n u m b e r , t o t h e v a l u e a n M d g _ B a s i c t e r m 
a t t h a t t i m e . A n M d g - B a s i c t e r m c o u l d b e e i t h e r a (BOOL b o o l ) t e r m o r a (CONCRETE 
s t r i n g ) t e r m . W e d e f i n e p r e d i c a t e s t o c h e c k t h a t t h e v a l u e o f i n p u t s a n d o u t p u t i s 
w h e t h e r ( n u m - ^ BOOL b o o l ) t e r m o r (num-> CONCRETE s t r i n g ) t e r m . 
T h e f u n c t i o n T A B L E f o r t h e e x t e n d e d s u b s e t i s s l i g h t l y d i f f é r e n t . I t s t a t e s t h a t a t 
a l i t i m e e a c h i n p u t a n d e a c h o u t p u t o f t h e M D G t a b l e h a s a p r o p e r s o r t ( b o o l s o r t , 
c o n c r e t e s o r t o r is u n b o u n d e d ) a n d t h e r e l a t i o n o f t h e t a b l e is t r u e . 
\-def T A B L E i n p s o u t V . o u t s V _ o u t d e f a u l t = 
V t . 
S o r t C h e c k - I n p u t i n p s V . o u t s t A 
S o r t C h e c k - O u t p u t o u t (HD V _ o u t ) t A 
t a b l e i n p s o u t V _ o u t s V . o u t d e f a u l t t 
w h e r e f u n c t i o n s S o r t C h e c k _ I n p u t a n d S o r t C h e c k _ 0 u t p u t a r e d e f i n e d t o c h e c k t h e s o r t 
o f e a c h i n p u t a n d o u t p u t . 
A s w e m e n t i o n e d i n s e c t i o n 3.6, t h e t h i r d a r g u m e n t o f a t a b l e i s a l i s t o f t a b l e 
r o w s . E a c h r o w i s a l i s t i t s e l f , g i v i n g o n e a l l o c a t i o n o f v a l u e s t o t h e i n p u t s . T h e 
v a l u e s i n e a c h c o l u m n o f t h e t a b l e d é t e r m i n e s t h e p o s s i b l e s o r t s o f o n e i n p u t ( e i t h e r 
(BOOL b o o l ) t e r m , (CONCRETE s t r i n g ) t e r m o r d o n ' t _ c a r e ) . W e c a n c h e c k t h e s o r t o f 
e a c h i n p u t i n t h e c o r r e s p o n d i n g é l é m e n t s i n t h e t a b l e . W e first c h e c k e a c h r o w b y 
d e f i n i n g a r e c u r s i v e f u n c t i o n S o r t C h e c k _ I n p u t l . 
79 
  ⊢def (SortCheck_Input1 (ins:(num->Mdg_Basic) list) [] (t:num) = T) ∧
       (SortCheck_Input1 ins (CONS v vs) t =
         (if (IS_BOOL (TableVal_to_Val v))
          then (IS_BOOL ((HD ins) t))
          else (if (IS_CONCRETE (TableVal_to_Val v))
                then (IS_CONCRETE ((HD ins) t)) else T)) ∧
         (SortCheck_Input1 (TL ins) vs t))
The predicate SortCheck_Input1 checks whether each input is a bool sort or a concrete sort in terms of a table row. If the function TableVal_to_Val applied to an element of the table row gives a (BOOL bool) term, this input will be a (num->BOOL bool) term. If it gives a (CONCRETE string) term, the corresponding input will be a (num->CONCRETE string) term. If the element is don't_care, it returns T.

The predicate SortCheck_Input is defined in terms of the predicate SortCheck_Input1. It checks whether all the inputs are bool sorts or concrete sorts.

  ⊢def (SortCheck_Input (ins:(num->Mdg_Basic) list) [] (t:num) = T) ∧
       (SortCheck_Input ins (CONS v vs) t =
         (SortCheck_Input1 ins v t) ∧ (SortCheck_Input ins vs t))
The fourth argument of a table is a list of output values. The predicate SortCheck_Output is defined to check whether the output is a bool sort or a concrete sort.

  ⊢def SortCheck_Output out outval (t:num) =
         (if IS_BOOL (outval t) then IS_BOOL (out t)
          else IS_CONCRETE (out t))

The definitions of other components such as FORK are very similar to the definitions we gave for the boolean subset. The only difference is that the types of their inputs and outputs are (num->BOOL bool) and (BOOL bool) terms instead of (num->bool) and bool terms.
Secondly, the semantics of the MDG-HDL component term (SemMdghdl) is defined in a very similar way, except that the syntactic category is different from that of the definition in the boolean subset.

  ⊢def (SemMdghdl (NOT x y) env = SEM_NOT (env x) (env y)) ∧
       (SemMdghdl (TABLESYN y1 y2 y3 y4 y5) env =
         TABLE (MAP env y1) (SEM_OUTVAR y2 env) y3
               (CONST_TO_FUNCT y4) (SEM_DEFAULTVAR y5 env)) ∧
       (SemMdghdl (JOIN (code1:Mdg_Hdl) code2) env =
         SemMdghdl code1 env ∧ SemMdghdl code2 env)
Thirdly, we define some predicates to check that each external wire has a proper sort. The type of the inputs and outputs of any component is (num->Mdg_Basic). However, for any component, its inputs and outputs must be either (num->BOOL bool) terms, (num->CONCRETE string) terms or UNBOUND terms.

For example, the input and output values of the NOT gate must be (num->BOOL bool) terms, which correspond to boolean values. However, the type of the input and output is (num->Mdg_Basic), so the value of the input and output could also be a (num->CONCRETE string) term. If one of the input or output values is an external wire and a (num->CONCRETE string) term, the semantics of the circuit will return false. If the specification of a design is false, the correctness theorem of this design is trivially true, because false implies anything. In other words, an inconsistent model would be produced. When we define the semantics of the program for the extended subset, we therefore have to add assumptions so as to prevent the sort of a variable being mismatched and an inconsistent model being produced. The assumptions make sure that each external input and output has a proper sort (either a (BOOL bool) term or a (CONCRETE string) term).
Since we only need to judge external wires, we define check to test whether a variable is an external wire or not.

  ⊢def (check x [] = T) ∧
       (check x (CONS l ls) = if (x = l) then F else (check x ls))

where CONS l ls lists all the internal variables.

The predicate BOOL_NOT is defined to make sure that if the input or output of a NOT gate is an external variable then it must be a (BOOL bool) term.

  ⊢def BOOL_NOT (x:string) (y:string) s l =
         (∀ t. (if (check x l) then IS_BOOL (s x t) else T) ∧
               (if (check y l) then IS_BOOL (s y t) else T))

Predicates for checking the sort of the external inputs and outputs of the other logic gates and flip-flops have been defined in a very similar way.
For checking the sort of the external inputs and output of a table, we have to define some auxiliary functions (Check_Input_Sort1, Check_Input_Sort and Check_Output_Sort). The principle of the definition of these predicates is similar to that of the predicates SortCheck_Input1, SortCheck_Input and SortCheck_Output. The difference is that we first have to check each variable to establish whether it is an external variable. We then check the sort of each external variable against the corresponding elements in the table.

The predicate Check_Input_Sort1 first checks whether an input of a table (the first argument of the table) is an external wire. If it is, it finds out the sort of the input in terms of a table row (the third argument of the table). If an element in the table row is a (BOOL bool) term, the value of this input will be a (num->BOOL bool) term. If it is a (CONCRETE string) term, the corresponding input will be a (num->CONCRETE string) term. If it is don't_care, it returns T.
  ⊢def (Check_Input_Sort1 (ins:string list) [] s l = T) ∧
       (Check_Input_Sort1 ins (CONS v vs) s l =
         (∀ t. (if (check (HD ins) l)
                then (if (v = DONT_CARE) then T
                      else if (IS_BOOL (TableVal_to_Val v))
                      then (IS_BOOL (s (HD ins) t))
                      else if (IS_CONCRETE (TableVal_to_Val v))
                      then (IS_CONCRETE (s (HD ins) t)) else T)
                else T)) ∧
         (Check_Input_Sort1 (TL ins) vs s l))

The predicate Check_Input_Sort is defined in terms of Check_Input_Sort1. It checks the sort of all the external wires in the table.

  ⊢def (Check_Input_Sort (inputs:string list) [] s l = T) ∧
       (Check_Input_Sort inputs (CONS v vs) s l =
         (Check_Input_Sort1 inputs v s l) ∧
         (Check_Input_Sort inputs vs s l))
The fourth argument of a table is a list of output values. Similarly, the predicate Check_Output_Sort first checks whether the output is an external wire or not. If it is, the sort of the external output is determined in terms of the output value (the fourth argument of the table).

  ⊢def Check_Output_Sort out outval s l =
         ∀ t. (if (check (Outvar_Val out) l)
               then (if (IS_BOOL (outval t))
                     then IS_BOOL ((Sem_Outvar out s) t)
                     else IS_CONCRETE ((Sem_Outvar out s) t))
               else T)

The predicate Bool_Concrete_Table is defined for checking the sort of the external inputs and outputs of the TABLE component. It is defined in terms of the above predicates.

  ⊢def Bool_Concrete_Table inps out V_outs V_out s l =
         ((Check_Input_Sort inps V_outs s l) ∧
          (Check_Output_Sort out (HD V_out) s l))
The predicate Check_External_Sort is defined inductively over the syntactic structure for checking the sort of the external wires of a circuit. It is defined in terms of the predicates for checking the sort of each component. The definition is given below.

  ⊢def (Check_External_Sort (NOT x y) s l = BOOL_NOT x y s l) ∧
       (Check_External_Sort (TABLESYN y1 y2 y3 y4 y5) s l =
         Bool_Concrete_Table y1 y2 y3 (CONST_TO_FUNCT y4) s l) ∧
       (Check_External_Sort (SEQ (code1:Mdg_Hdl) code2) s l =
         ((Check_External_Sort code1 s l) ∧
          (Check_External_Sort code2 s l)))
Finally, we define the semantics of the MDG-HDL program for this extended subset. The semantics of a program is described by SemProgram, which is defined in terms of the predicates Dsem_Ext, Dsem_Int and Check_External_Sort. The definitions of the first two predicates are similar to those we defined before, except that their syntactic categories are wider than before.

As we mentioned at the beginning of this section, the semantics of the program is defined in terms of one environment. The environment maps a syntactic object to a history function (num->Mdg_Basic). We use the function Dsem_Ext to add an extra entry to this environment for each external wire (input and output). A list ip is used to represent all the values of the external inputs and a list op is used to represent all the values of the external outputs. Therefore, the semantics of the program can be represented explicitly with the external inputs ip and outputs op. The function Dsem_Int uses existential quantification to hide the local variables from the environment; the entries for the internal variables are added to the environment. The function Check_External_Sort makes sure that the external wires do not get sort mismatched. The semantics of the MDG-HDL program is defined in terms of these functions.

  ⊢def SemProgram (PROG exoutput exinput inv c) ip op =
         let env1 = (Dsem_Ext (SemExinput exinput) EmptyEnv ip)
         in
         let env2 = Dsem_Ext (SemExoutput exoutput) env1 op
         in
         ((Check_External_Sort c env2 (SemInvariable inv)) ⊃
          Dsem_Int (SemInvariable inv) c env2)
Comparing this with the semantics of the MDG-HDL program for the boolean subset (section 3.6), we notice that the semantics of the MDG-HDL program for the extended subset has an additional assumption (Check_External_Sort). This is because a variable in this subset can be either of boolean sort or of concrete sort. The assumption makes sure that all the external variables have proper sorts.

4.6 The Semantics of the Core MDG-HDL language

For defining the semantics of the core MDG-HDL language, we first need to define the semantics of the core component term (SemMdghdl_Core). It is defined in terms of the semantic function for each component.
  ⊢def (SemMdghdl_Core (INITC init) env =
         SEM_INIT ((env (FST init)), (SND init))) ∧
       (SemMdghdl_Core (SNXTC op st) env = SEM_SNXT (env op) (env st)) ∧
       (SemMdghdl_Core (TABLESYNC y1 y2 y3 y4 y5) env =
         TABLE (MAP env y1) (SEM_OUTVAR y2 env) y3
               (CONST_TO_FUNCT y4) (SEM_DEFAULTVAR y5 env)) ∧
       (SemMdghdl_Core (JOINC code1 code2) env =
         ((SemMdghdl_Core code1 env) ∧ (SemMdghdl_Core code2 env)))

where the functions SEM_INIT, SEM_SNXT and TABLE are the semantic functions for components as we defined in the last section.
The predicate Check_External_Sort_Core is defined in a similar way to the predicate Check_External_Sort we defined in the last section. It is defined inductively over the syntactic structure for checking the sort of the external wires of a circuit, in terms of the sort checking predicates defined in the last section. The definition is given below.

  ⊢def (Check_External_Sort_Core (INITC init) s l = BOOL_INIT init s l) ∧
       (Check_External_Sort_Core (SNXTC op st) s l = BOOL_SNXT op st s l) ∧
       (Check_External_Sort_Core (TABLESYNC y1 y2 y3 y4 y5) s l =
         Bool_Concrete_Table y1 y2 y3 (CONST_TO_FUNCT y4) s l) ∧
       (Check_External_Sort_Core (SEQ code1 code2) s l =
         ((Check_External_Sort_Core code1 s l) ∧
          (Check_External_Sort_Core code2 s l)))
As in the last section, for defining the semantics of the program we need the functions Dsem_Ext, Dsem_Int_Core and Check_External_Sort_Core. The function Dsem_Ext adds an entry to the environment for all external inputs and outputs, and assigns the value of each external input to an element of a list ip and each external output to an element of a list op. The function Dsem_Int_Core gives the semantics of the circuit in terms of the semantics of the core component term (SemMdghdl_Core) and uses existential quantification to hide the local variables from the environment of the circuit. The function Check_External_Sort_Core checks that the external wires of the circuit have proper sorts. The semantics of the core MDG-HDL language is defined in terms of the above functions.

  ⊢def SemProgram_Core (PROGC exoutput exinput inv code) ip op =
         let env1 = Dsem_Ext (SemExinput exinput) EmptyEnv ip
         in
         let env2 = Dsem_Ext (SemExoutput exoutput) env1 op
         in
         ((Check_External_Sort_Core code env2 (SemInvariable inv)) ⊃
          Dsem_Int_Core (SemInvariable inv) code env2)
4.7 Translator Correctness Theorem 
We also prove the correctness theorem for this translator. We have proved a theorem which quantifies over the syntactic structure and states that the semantics of the MDG-HDL program is equivalent to the semantics of the core MDG-HDL program used in the MDG implementation. For proving the correctness theorem PROG_THM, we have proved three theorems, Component_Term_THM, Circuit_Dsem_THM and Check_External_Sort_THM, using HOL. The first two theorems are similar to the theorems we proved for the boolean subset, except that their syntactic category is different. In this subset, the table can be used to formalize designs whose variables are of concrete sort and boolean sort rather than just boolean sort. The third theorem states that the sort of each external wire of a circuit c is equivalent to the sort of the corresponding external wire in its translated form TransGT c. This is because the sorts of the external variables do not change after the translation.

  ⊢thm ∀ c s l. Check_External_Sort c s l =
                Check_External_Sort_Core (TransGT c) s l

The correctness theorem of the program PROG_THM is proved in terms of the above three theorems.

  ⊢thm ∀ exv exi inv c.
         SemProgram (PROG exv exi inv c) ip op =
         SemProgram_Core (TransProgMC (PROG exv exi inv c)) ip op    (4.1)
Summary 
In this chapter, we have extended our formalization to accommodate a list of inputs
of the component table with boolean sorts and concrete sorts. This allows our
formalization to cope with many MDG applications. We have defined the syntax
and the semantics for this extended subset of the MDG-HDL language and its core
MDG-HDL code. Functions for translating the MDG-HDL subset languages to core
MDG-HDL codes are given. The correctness theorem of the translation for this
subset which quantifies over the syntactic structure is verified. Our semantics of the
program is represented explicitly with the external inputs ip and outputs op. The
semantic function can be used to combine the translator correctness theorem with
the importing theorems in Chapter 5.
Chapter 5 
Importing Theorems 
Each formal hardware verification system has its own advantages and disadvantages. 
Many hybrid tools have been developed to reap the benefits of the different verifi-
cation systems presented in Chapter 2. Normally, the verification results from one 
system need to be translated to another system. In other words, there is a linkage 
between the two systems. How can we ensure that this linkage is trusted? 
Many different technologies have been used to link two different systems in a 
trusted way, such as the work presented in [39] & [49]. We provide another way 
to make the linkage more natural and trustworthy. The linkage between the two 
systems is based on a series of importing theorems [80], which formally convert 
the formalized automated verification results to a form usable in a traditional HOL 
hardware verification, i.e., the structural specification implements the behavioral 
specification. 
  Formalized verification result ⊃
    (implementation ⊃ specification)    (5.1)
The importing theorems are based on the MDG verification applications. The formalizations have different forms for the different verification applications, i.e., combinational verification gives a theorem of one form, sequential verification gives a different form and so on.

Figure 5.1: The Hierarchy of Module A (A is composed of A1 and A2; A1 is composed of B1 and B2)
To illustrate why we need a particular form of result in HOL, consider the HOL verification of a system A. A theorem that the implementation satisfies its specification needs to be proved, i.e. semi-formally

  A_imp ⊃ A_spec    (5.2)

where A_imp and A_spec express the implementation and specification of system A, respectively. Suppose system A consists of two subsystems A1 and A2 and A1 is further subdivided as shown in Figure 5.1. The structural specification of A will be defined by the equation:

  A_imp = A1_imp ∧ A2_imp    (5.3)

where A1_imp is defined in a similar way. Thus (5.2) can be rewritten to

  A1_imp ∧ A2_imp ⊃ A_spec    (5.4)

The correctness theorem of the system A can be proved using the correctness statements about its subsystems. In other words, we independently prove the correctness theorems:

  A1_imp ⊃ A1_spec    (5.5)
  A2_imp ⊃ A2_spec    (5.6)

As these are implications, to prove (5.4) it is then sufficient to prove

  A1_spec ∧ A2_spec ⊃ A_spec    (5.7)

Thus we verify A by independently verifying its submodules, then treating them as black boxes, using the more abstract specifications of A1 and A2 to verify A.
Suppose now that A1 is verified using MDG instead of HOL, but that we still wish to use the result in the verification of A. To make use of the result, we need MDG to also prove results of the form

  A1_imp ⊃ A1_spec    (5.8)

so that the implementation can be substituted for a specification. However, results from MDG are not of this form¹. For example, with sequential verification MDG proves a result about "reachable states" of a product machine. We need to show how such a result can be expressed as an implication about the actual hardware under consideration as above. If A1_MDG_RESULT is such a statement about a product machine, then we need to prove

  A1_MDG_RESULT ⊃ (A1_imp ⊃ A1_spec)    (5.9)

Theorems such as this convert MDG results to the appropriate form to make the step between (5.4) and (5.7).

Ideally, we want a general theorem of this form that applies to any hardware verified using MDG's sequential verification tool. We also want similar results for the other MDG verification applications. In this chapter, we will consider each of the verification applications of the MDG system in turn, describing the conversion theorem required to convert results to a form useful within a HOL proof. Each of these theorems has been proved within the HOL system.

¹ We give details of the form of theorems that MDG does prove in the next section.
5.1 Combinational Verification 
The simplest verification application of MDG is the checking of input-output equivalence for two combinational circuits. A combinational circuit is a digital circuit without state-holding elements or feedback loops, so the output is a function of the current input. Combinational verification can also be used to compare two sequential circuits when a one-to-one correspondence between their registers exists and is known. In this situation, the output is also a function of the current input. The MDGs representing the input-output relation of each circuit are computed by a relational product algorithm from the MDGs of the components of the circuit. Because an MDG is a canonical representation, we can check whether the two MDGs are isomorphic and so whether the circuits are equivalent. It is simple to formalize this in HOL. We use M ip op and M' ip op to represent the circuits (machines) being compared. M is a relation on input traces (given by ip) and output traces (given by op). The relation is true if op represents a possible output trace for the given input trace ip and is false otherwise. M' is a similar relation on inputs (ip) and outputs (op). An MDG combinational verification result can be formalized as:

  ∀ ip op. M ip op = M' ip op    (5.10)

It verifies that the two circuits are identical in behavior for all inputs and outputs. If ip and op are possible input and output traces for M, then they are also possible traces for M', and vice versa. This is not in the form of an implication as described above. However, the MDG result does not need to be converted to a different form for it to be useful in a HOL hardware verification, since an equality can be used just as well as an implication.
5.2 Sequential Verification 
The behavioral equivalence of two abstract state machines (Figure 5.2) is verified by checking that the machines produce the same sequence of outputs for every sequence of inputs. The same inputs are fed to the two machines M and M' and then reachability analysis is performed on their product machine using an invariant asserting the equality of the corresponding outputs in all reachable states. This effectively introduces new "hardware" (see Figure 5.2) which we refer to here as PSEQ (the Product machine for SEQuential verification). PSEQ has the same inputs as M and M', but has as output a single Boolean signal (flag). The outputs op and op' of M and M' are input into an equality checker. On each cycle, PSEQ outputs true if op and op' are identical at that time, and false otherwise. PSEQ can be formalized as

  PSEQ ip flag op op' M M' =
    M ip op ∧ M' ip op' ∧ EQ op op' flag    (5.11)

Figure 5.2: The Product Machine used in MDG Sequential Verification (PSEQ feeds the same input ip to M and M'; their outputs op and op' enter the equality checker EQ, which produces flag (T/F))

Because the number of inputs and outputs differs from one PSEQ to another, we use lists to represent the input ip and the output op. EQ is the equality checker, defined as:

  ⊢def EQ op op' flag =
         (∀ t. flag t = ((MAPI op t) = (MAPI op' t)))    (5.12)

MAPI is a function that applies every element of a list to the variable t, returning a list of the function's results:

  ⊢def (MAPI ([]:(α->β) list) (t:α) = ([]:β list)) ∧
       (MAPI ((x:α->β)::l) t = (x t)::MAPI l t)
The result that MDG proves about PSEQ is that the flag output is always true, i.e., the outputs are equal for all inputs. This can be formalized as

  ∀ ip op op'.
    PSEQ ip flag op op' M M' ⊃ (∀ t. flag t = T)    (5.13)

Note that this is not of the form P_imp ⊃ P_spec (i.e., implementation implies specification) for M and M', but is of that form for the fictitious hardware PSEQ. To make use of such a result in a HOL hardware verification, we need to convert it to that form for M and M'. This can be done in a series of steps starting from (5.13). Expanding the definitions and rewriting with the value of flag, we obtain

  ∀ ip op op'.
    M ip op ∧ M' ip op' ⊃ (∀ t. MAPI op t = MAPI op' t)    (5.14)

i.e., we have proved a lemma:

  ∀ M M'.
    (∀ ip op op' flag.
       PSEQ ip flag op op' M M' ⊃ ∀ t. flag t = T) ⊃
    (∀ ip op op'. M ip op ∧ M' ip op' ⊃
       (∀ t. MAPI op t = MAPI op' t))    (5.15)

This is still not in an appropriate form. The theorem should also be in the form of (1.1). The machine M can be considered as the structural specification (implementation) and machine M' as the behavioral specification (specification). Based on this consideration, the theorem that HOL needs is as follows:

  ∀ ip op. M ip op ⊃ M' ip op    (5.16)

i.e., for all input and output traces, if the relation M ip op is true, then the relation M' ip op must be true. As mentioned above, the converting theorem from MDG to HOL should be in the form of (5.1). For sequential verification the conversion theorem should be

  (5.13) ⊃ (5.16).
To prove this, given (5.15) it is sufficient to prove

  (5.14) ⊃ (5.16).

However, this can only be proved with an additional assumption. Namely, for all possible input traces, the behavioral specification M' can be satisfied for some output (i.e., there exists at least one output for which the relation is true):

  ∀ ip. ∃ op'. M' ip op'    (5.17)

This means that the machine must be able to respond to whatever inputs are given. This should always be true for reasonable hardware. You should not be able to give inputs which break it. For any input sequence given to this machine, at least one output will correspond. Therefore, we can actually only prove ⊢thm (5.13) ∧ (5.17) ⊃ (5.16),

  ⊢thm ∀ M M'.
         ((∀ ip op op' flag.
             PSEQ ip flag op op' M M' ⊃ ∀ t. flag t = T) ∧
          (∀ ip. ∃ op'. M' ip op')) ⊃
         (∀ ip op. M ip op ⊃ M' ip op)    (5.18)

With the same reasoning, the machine M' could have been considered as the structural specification and machine M could have been considered as the behavioral specification. We would then need the assumption

  ∀ ip. ∃ op. M ip op    (5.19)

We would obtain the alternative conversion theorem (5.20)

  ⊢thm ∀ M M'.
         ((∀ ip op op' flag.
             PSEQ ip flag op op' M M' ⊃ ∀ t. flag t = T) ∧
          (∀ ip. ∃ op. M ip op)) ⊃
         (∀ ip op. M' ip op ⊃ M ip op)    (5.20)
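The argument leading to (5.18) and (5.20), and the exact role of the responsiveness assumption (5.17), can be checked mechanically. The following Lean 4 development is an added example and is not part of the thesis or of its HOL proof scripts; it models M and M' as relations on traces, PSEQ and EQ as in (5.11) and (5.12), treats a trace as yielding the whole output vector at each time (so MAPI is not needed), and represents the Boolean flag as a time-indexed proposition whose truth stands for flag t = T.

```lean
-- Added example (not from the thesis): the conversion theorem for MDG
-- sequential verification, (5.13) ∧ (5.17) ⊃ (5.16), in Lean 4.
-- Traces are history functions Nat → value, as in the thesis. A trace is
-- taken to yield the whole vector of values at a time, so the list-valued
-- MAPI of (5.12) is not modelled separately.

variable {ι α : Type}

-- A machine is a relation between an input trace and an output trace.
abbrev Machine (ι α : Type) := (Nat → ι) → (Nat → α) → Prop

-- (5.12): the equality checker. The Boolean flag is modelled as a
-- predicate on time: `flag t` holds iff the thesis's `flag t = T`.
def EQ (op op' : Nat → α) (flag : Nat → Prop) : Prop :=
  ∀ t, flag t ↔ op t = op' t

-- (5.11): the product machine for sequential verification.
def PSEQ (M M' : Machine ι α) (ip : Nat → ι) (flag : Nat → Prop)
    (op op' : Nat → α) : Prop :=
  M ip op ∧ M' ip op' ∧ EQ op op' flag

-- (5.18): from the MDG result (5.13) and the responsiveness assumption
-- (5.17) we obtain the implication (5.16) that a HOL proof needs.
theorem seq_conversion (M M' : Machine ι α)
    (h13 : ∀ ip op op' flag, PSEQ M M' ip flag op op' → ∀ t, flag t)
    (h17 : ∀ ip, ∃ op', M' ip op') :
    ∀ ip op, M ip op → M' ip op := by
  intro ip op hM
  -- (5.17) supplies some output trace op' that the specification M' accepts
  -- for this input; without it there is nothing to compare op against.
  obtain ⟨op', hM'⟩ := h17 ip
  -- Instantiate (5.13) with the flag that is true exactly when op t = op' t,
  -- which makes EQ op op' flag hold by definition.
  have hflag : ∀ t, op t = op' t :=
    h13 ip op op' (fun t => op t = op' t) (And.intro hM (And.intro hM' (fun _ => Iff.rfl)))
  -- The two output traces agree at every time, so they are the same trace,
  -- and M' accepts op because it accepts op'.
  have heq : op = op' := funext hflag
  rw [heq]
  exact hM'

-- (5.20): the symmetric theorem, with the roles of M and M' exchanged and
-- (5.19) in place of (5.17).
theorem seq_conversion_sym (M M' : Machine ι α)
    (h13 : ∀ ip op op' flag, PSEQ M M' ip flag op op' → ∀ t, flag t)
    (h19 : ∀ ip, ∃ op, M ip op) :
    ∀ ip op', M' ip op' → M ip op' := by
  intro ip op' hM'
  obtain ⟨op, hM⟩ := h19 ip
  have hflag : ∀ t, op t = op' t :=
    h13 ip op op' (fun t => op t = op' t) (And.intro hM (And.intro hM' (fun _ => Iff.rfl)))
  rw [← funext hflag]
  exact hM
```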
Figure 5.3: The Machine Verified in Invariant Checking (the input ip and output op of M are fed to TESTPRO (PROPERTY), which produces flag (T/F))

Both these theorems have been verified in HOL. As with combinational verification, the universal quantification of M and M' means the theorems can be instantiated for any hardware under consideration. The symmetry in these equations is as might be expected given the symmetry of PSEQ.

5.3 Invariant Checking

Systems such as MDG also provide property/invariant checking. Invariant checking is used for verifying that a design satisfies some specific requirements. This is useful since it gives the designer confidence at low verification cost. In MDG, reachability analysis is used to explore and check that a given invariant (property) holds in all the reachable states of the sequential circuit under consideration, M. We consider one general form of property checking here.
As was the case for sequential verification, we introduce new "hardware" (see
Figure 5.3) which we refer to as PINV (Product machine for INVariant checking). It
consists of the original hardware and hardware representing the test property² wired
together so that the property circuit has access to both the inputs and outputs of
the circuit under test. PINV checks whether the outputs of the machine M satisfy the
specific property or not. It is formalized as follows:
² Invariants in MDG must be written in or converted to the same hardware description language
as the actual hardware.
PINV ip flag op M PROPERTY =
  M ip op ∧ TESTPRO ip op flag PROPERTY                                   (5.21)
where
⊢def TESTPRO ip op flag PROPERTY =
  (∀ t. flag t = PROPERTY (MAPI ip t) (MAPI op t))                        (5.22)
i.e., TESTPRO is a piece of hardware which tests if its inputs and outputs satisfy
some specific requirements given at each time instance by PROPERTY. PROPERTY is a
relation on input and output values. Again in discussing correctness it is actually
a result about this different hardware that we obtain from the property checking.
The result that the property checking proves about PINV can be stated as:
∀ ip flag op.
  PINV ip flag op M PROPERTY ⊃ ∀ t. flag t = T                             (5.23)
i.e., its specification is that the flag output should always be true. Note that this
is not of the form (1.1) (i.e., implementation implies specification) for M but in
that form for the fictitious hardware PINV. To make use of such a result in a HOL
hardware verification we need to convert it to the form:
∀ ip op. M ip op ⊃ ∀ t. PROPERTY (ip t) (op t)                            (5.24)
i.e., for all input and output sequences, if the relation M ip op is true then the
relation PROPERTY must be true for the input and output values at all times. In other
words, the machine M satisfies the specific requirement ∀ t. PROPERTY (ip t)
(op t). Hence the conversion theorem for invariant checking is:
⊢thm ∀ M PROPERTY.
  (∀ ip flag op.
     (PINV ip flag op M PROPERTY ⊃ ∀ t. flag t = T)) ⊃
  (∀ ip op. M ip op ⊃
     ∀ t. PROPERTY (MAPI ip t) (MAPI op t))                                (5.25)
We have proved this general conversion theorem in HOL. Once more the theorems
can be instantiated for any hardware and property under consideration.
We have looked explicitly at the MDG and HOL systems. However, the general
approach could be applied to the results importation between other systems. The
results could also be extended to other verification applications. Furthermore, our
treatment is very general. The theorems proved do not explicitly deal with the
MDG-HDL semantics or multiway decision graphs. Rather they are given in terms
of general relations on inputs and outputs. Thus they are applicable to other verifi-
cation systems with a similar architecture based on reachability analysis, equivalence
checking and/or invariant checking. This could include a pure BDD based system.
Summary
In this chapter, we introduced how to formally specify the correctness results pro-
duced by three different hardware verification applications using HOL. We have in
each case proved a general theorem that translates them into a form usable in a tra-
ditional HOL hardware verification, i.e., that the structural specification implements
the behavioral specification. The first application considered was combinational ver-
ification. The next application considered was sequential verification, which checks
that two abstract state machines produce the same sequence of outputs for every
sequence of inputs. Finally, we considered a general form of the checking of invariant
properties of a circuit.
Chapter 6 
Combining the Compiler 
Correctness Theorems with the 
Importing Theorems 
As we mentioned in the last chapter, the main idea of the importing theorem can
be represented as below.
Formalized MDG result ⊃
  (implementation ⊃ specification)
Figure 6.1: Combining the Translator Correctness Theorems with Importing Theorems for a Boolean Subset (MDG-HDL is translated to the MDG formula representation; the MDG results are formalized in terms of the MDG formula representation, and the importing theorems convert them into HOL theorems in terms of MDG-HDL)
MDG verification results are obtained by applying the MDG algorithms to MDG
decision graphs. The MDG algorithms really prove properties of the low level data
structures (MDGs). However, specifications and implementations are not described
directly as decision graphs. A high level language, MDG-HDL, is used to specify
specifications and implementations, which are translated into the multiway decision
graphs (MDGs) via intermediate languages. If the MDG algorithms are correct,
MDG results can be formalized in terms of the semantics of the MDG decision
graphs. If the translations are correct, the semantics of the MDG decision graphs
is equal to the semantics of MDG-HDL. By combining the translator correctness
theorems with the importing theorem, the MDG results can be imported into HOL
to form the HOL theorems in terms of the semantics of the high level language
MDG-HDL rather than in terms of the semantics of the low level language MDGs.
We have partly proved the translators for two different subsets. For the boolean
subset, we have proved two translators which are correct. We have obtained a theo-
rem which states that the semantics of the MDG-HDL program is equivalent to the
semantics of the MDG formula representation program (3.3). In order to demon-
strate the combination of the translator correctness theorems and the importing
theorems, the formalization of the MDG results for the boolean subset will be in
terms of the MDG formula representation (see Figure 6.1). In fact, the principle is
the same. Similar conversion can be done for further translators if we prove corre-
sponding translator correctness theorems. In other words, the formalization of the
MDG verification results we consider in this chapter is based on the semantics of the
low level MDG formula representation. However, by using the translator correct-
ness theorems, the additional assumption can be proved in terms of the semantics
of MDG-HDL and the HOL theorem we imported is in terms of the semantics of
MDG-HDL.
Figure 6.2: Combining the Translator Correctness Theorems with Importing Theorems for an Extended Subset (MDG-HDL is translated to core MDG-HDL; the MDG results are formalized in terms of core MDG-HDL, and the importing theorems convert them into HOL theorems in terms of MDG-HDL)
With the same reasoning, for the extended subset, we have obtained a theorem
(4.1) which states that the semantics of the MDG-HDL program is equivalent to
the semantics of the core MDG-HDL program. Therefore, the formalization of the
MDG results for the extended subset will be in terms of the core MDG-HDL (see
Figure 6.2). By using the translator correctness theorem, the verification of the
additional assumption and importation theorem are based on the semantics of the
MDG input language (MDG-HDL).
The reason we are doing such a conversion is that the syntax and the semantics
of a low level program are more complex and unreadable than those of a program
in a high level language such as MDG-HDL. It will be more convenient, readable
and direct if we prove theorems in terms of the semantics of MDG-HDL and obtain
the HOL theorems in terms of the semantics of MDG-HDL. We do not take it for
granted. We formally convert it from the semantics of a low level language to the
semantics of a high level language in terms of the translator correctness theorems.
In this chapter, we will focus on combining the importing theorems with the
translator correctness theorems. We will first instantiate the importing theorems
with the syntax and semantics of a low level program for two subsets (the MDG
formula representation program for the boolean subset and the core MDG-HDL
program for the extended subset). We then combine the importing theorem with
the translator correctness theorems and obtain the new importing theorems. The
importation turns the MDG verification results based on the semantics of the low
level program into HOL to form HOL theorems based on the semantics of the high
level language (MDG-HDL).
6.1 Combining the Translator Correctness Theorems with the Importing Theorems for a Boolean Subset
In this section, we will firstly instantiate importing theorems with the semantics of
the MDG formula representation for the combinational verification and sequential
verification. By combining the translator correctness theorems, we can obtain the
new importing theorems which convert the MDG verification results into HOL to
form the HOL theorems in terms of MDG-HDL.
6.1.1 Combinational Verification
In combinational verification, the MDG result does not need to be converted to a
different form for it to be useful in a HOL hardware verification, since an equality
can be used just as well as an implication. In this situation, we just need to formalize
the MDG result in terms of the semantics of the MDG formula representation. We
use C1 and C2 to represent the abstract syntax of the circuits in MDG-HDL being
compared.
The abstract syntax in the MDG formula representation will be (TransProgCF
(TransProgMC C1)) and (TransProgCF (TransProgMC C2)). This is because the MDG
system uses functions (TransProgMC) and (TransProgCF) which translate the
MDG-HDL program to the MDG formula representation program. The semantics of
the corresponding circuits is represented as (SemProgram_Formula (TransProgCF
(TransProgMC C1)) ip op) and (SemProgram_Formula (TransProgCF (TransProgMC
C2)) ip op). Therefore, by instantiating (SemProgram_Formula (TransProgCF
(TransProgMC C1))) and (SemProgram_Formula (TransProgCF (TransProgMC C2)))
for the machines M and M' in the combinational verification, the MDG verification
result can be stated as shown below:
∀ ip op.
  SemProgram_Formula (TransProgCF (TransProgMC C1)) ip op =
  SemProgram_Formula (TransProgCF (TransProgMC C2)) ip op                 (6.1)
where the formalization is in terms of the low level language (the MDG formula
representation). However, as long as the MDG system returns true, this theorem can
be tagged into HOL. With the help of the translator correctness theorem (3.3), we
have proved a theorem Formalize_Eqcb_Thm (6.2) which states that the formalization
of the MDG result based on a low level language is equivalent to the formalization
of the MDG result based on the high level language (MDG-HDL). Therefore, the
MDG verification results can be converted into HOL to form the HOL theorems in
terms of the semantics of MDG-HDL.
⊢thm (∀ ip op.
        SemProgram_Formula (TransProgCF (TransProgMC C1)) ip op =
        SemProgram_Formula (TransProgCF (TransProgMC C2)) ip op) =
     ∀ ip op. SemProgram C1 ip op = SemProgram C2 ip op                   (6.2)
Example 1. Consider the two circuits shown in Figure 6.3. Assume they have
been verified to be equivalent using MDG combinational equivalence checking. We
will show in the following how to convert a MDG result to a useful HOL theorem.
Figure 6.3: Two Equivalent Combinational Circuits 
The first circuit is a single NOT gate. Its abstract syntax can be specified as:
NOT1 = PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV [])
            (NOT "ip" "op")
where NOT1 is an informal abbreviation for representing the abstract syntax of this
circuit. The second circuit consists of three NOT gates in series and its abstract
syntax can be formalized as:
NOT3 = PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["u"; "v"; "w"])
            (JOIN (NOT "ip" "u")
              (JOIN (NOT "u" "v")
                (JOIN (NOT "v" "w") (REG "w" "op"))))
where NOT3 is an informal abbreviation for representing the abstract syntax of this
circuit. The MDG verification result can be stated as
∀ ip op. SemProgram (TransProgCF (TransProgMC NOT3)) ip op =
         SemProgram (TransProgCF (TransProgMC NOT1)) ip op
The formalization can be directly tagged into HOL to form a HOL theorem. Rewrit-
ing with the theorem Formalize_Eqcb_Thm (6.2), we obtain a new importing theorem
which is in terms of the semantics of MDG-HDL.
⊢thm ∀ ip op. SemProgram NOT1 ip op = SemProgram NOT3 ip op
6.1.2 Sequential Verification
For sequential verification, we have obtained a general importing theorem as shown
in (5.18) or (5.20). If we use IMP to represent an informal abbreviation of the ab-
stract syntax of the implementation file in MDG-HDL and use SPEC to represent
an informal abbreviation of the abstract syntax of the specification file in MDG-HDL,
the corresponding informal syntax to their MDG formula representation will
be (TransProgCF (TransProgMC IMP)) and (TransProgCF (TransProgMC SPEC)). The
semantics of the corresponding machine can be represented as SemProgram_Formula
(TransProgCF (TransProgMC IMP)) ip op and SemProgram_Formula (TransProgCF
(TransProgMC SPEC)) ip op. Therefore, (SemProgram_Formula (TransProgCF
(TransProgMC IMP))) and (SemProgram_Formula (TransProgCF (TransProgMC SPEC)))
can be instantiated for the machines M and M' in the conversion theorem (5.18) or
(5.20). Therefore, we obtain the importing theorem based on the semantics of the
MDG formula representation as shown below:
⊢thm ∀ IMP SPEC.
  (∀ ip flag op op'.
     PSEQ ip op op' flag
       (SemProgram_Formula (TransProgCF (TransProgMC IMP)))
       (SemProgram_Formula (TransProgCF (TransProgMC SPEC)))
     ⊃ (∀ t. (flag t = T))) ∧
  (∀ ip. ∃ op'.
     SemProgram_Formula (TransProgCF (TransProgMC SPEC)) ip op') ⊃
  (∀ ip op.
     (SemProgram_Formula (TransProgCF (TransProgMC IMP)) ip op) ⊃
     (SemProgram_Formula (TransProgCF (TransProgMC SPEC)) ip op))         (6.3)
When we formally import the MDG result into HOL to form the HOL theorem, we
first need to formalize the MDG result in terms of the MDG formula representation
and tag it into HOL.
We then need to prove an additional assumption. Namely, for all possible input
traces, the behavior specification can be satisfied for some output and state traces:
(∀ ip. ∃ op'.
   SemProgram_Formula (TransProgCF (TransProgMC SPEC)) ip op')           (6.4)
By using the translator correctness theorem (3.3), we have proved a theorem
Exist_Eq_Thm (6.5) which states that the additional assumption based on the seman-
tics of a low level language is equivalent to that based on the semantics of a high
level language (MDG-HDL). Therefore, the additional assumption can be proved in
terms of the semantics of MDG-HDL.
⊢thm (∀ ip. ∃ op'.
        (SemProgram_Formula (TransProgCF (TransProgMC SPEC))) ip op') =
     (∀ ip. ∃ op'. SemProgram SPEC ip op')                                (6.5)
Similarly, we have also proved a theorem Imp_Eq_Thm, which converts the tradi-
tional HOL theorem (implementation ⊃ specification) based on the semantics of
the low level language to that based on the semantics of MDG-HDL.
⊢thm (∀ ip op.
        (SemProgram_Formula (TransProgCF (TransProgMC IMP))) ip op ⊃
        (SemProgram_Formula (TransProgCF (TransProgMC SPEC))) ip op) =
     (∀ ip op. (SemProgram IMP) ip op ⊃ (SemProgram SPEC) ip op)          (6.6)
Rewriting theorem (6.3) with the theorems (6.5) and (6.6), we obtain a new
importing theorem (6.7). This theorem states that the formalization of the MDG
results based on the semantics of the MDG formula representation can be imported
into the HOL to form a HOL theorem based on the semantics of MDG-HDL.
⊢thm ∀ IMP SPEC.
  (∀ ip flag op op'.
     PSEQ ip op op' flag
       (SemProgram_Formula (TransProgCF (TransProgMC SPEC)))
       (SemProgram_Formula (TransProgCF (TransProgMC IMP)))
     ⊃ (∀ t. (flag t = T))) ∧
  (∀ ip. ∃ op'. SemProgram SPEC ip op') ⊃
  (∀ ip op. SemProgram IMP ip op ⊃ SemProgram SPEC ip op)                 (6.7)
Therefore, the additional assumption for the design can be proved in terms of the
semantics of MDG-HDL
∀ ip. ∃ op'. SemProgram SPEC ip op'                                       (6.8)
The converted theorem which we obtain in HOL is in terms of the semantics of
MDG-HDL too.
(∀ ip op. SemProgram IMP ip op ⊃ SemProgram SPEC ip op)                   (6.9)
Working with the semantics of a high level language (such as MDG-HDL) makes
verification easier and more readable. Combining the importing theorem (5.18) or
(5.20) with the translator correctness theorem (3.3) allows our additional assumption
to be proved in terms of the semantics of MDG-HDL and the theorem we obtain
in HOL to be imported in terms of the semantics of MDG-HDL. Therefore, the low
level MDG verification results can be converted into HOL in terms of the semantics
of a high level language (MDG-HDL).
In the rest of this section, we give a simple example to illustrate the technical
detail about how to formally import the verification results proved in the MDG
systems to results about circuits in a form that can be reasoned about in the HOL
system.
Figure 6.4: The Machine Used for Sequential Verification of the REGNOT3M Circuit (PSEQ: the input ip drives both REGNOT3M and REGNOT1M; their op outputs feed the equality checker EQ, which outputs flag (T/F))
Example 2. Consider verifying the sequential circuits in Figure 6.4 using sequential
verification. We check that three NOT gates and a register are equivalent to a single
NOT gate and register. We first prove that the two circuits are equivalent in the MDG
system. We next prove the additional assumption in HOL based on the MDG input
language, MDG-HDL. Finally, we convert the MDG results into HOL to form the
HOL theorem.
Firstly, we prove the circuits using the MDG system. When we use the MDG
system to prove the equivalence of these two circuits, we need to specify the circuit
description files. The main part of the circuit description file for one NOT gate and
one register is
signal(ip,bool).
signal(op,bool).
signal(x,bool).
component(not_A,not(input(ip),output(x))).
component(reg_A,reg(input(x),output(op))).
init_val(op,0).
outputs([op]).
st_nxst(op,x).
The main part of the circuit description file for three NOT gates and one register is
signal(ip,bool).
signal(op,bool).
signal(u,bool).
signal(v,bool).
signal(w,bool).
component(u_comp,not(input(ip),output(u))).
component(v_comp,not(input(u),output(v))).
component(op_comp,not(input(v),output(w))).
component(reg_comp,reg(input(w),output(op))).
outputs([op]).
st_nxst(op,w).
We also need to provide the algebraic specification file, the symbol order file and
the invariant specification file. We input these five files into the MDG system. The
MDG verification tool will take the MDG-HDL programs and translate them into
two MDG representations. A set of MDG algorithms will be applied to them to
obtain their canonical MDG representations. The MDG system will check whether
two canonical MDG representations are identical or not and return true or false
respectively. In our example, the MDG verification tool returns true so that the two
circuits have been successfully proved.
We then define the syntax of the two circuits. The abstract syntax of the first
circuit REGNOT3M is:
IMP = PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["u"; "v"; "w"])
           (SEQ (NOT "ip" "u")
             (SEQ (NOT "u" "v")
               (SEQ (NOT "v" "w") (REG "w" "op"))))
The abstract syntax of the second circuit REGNOT1M is
SPEC = PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV ["x"])
            (SEQ (NOT "ip" "x") (REG "x" "op"))
Since the MDG tool returns true, we can formalize the MDG result into HOL in
terms of the semantics of the MDG formula representation: the result that MDG proves
about PSEQ is that the equality checker is always true. The formalization can be
tagged into HOL to form a HOL theorem as shown below:
⊢thm ∀ ip flag op op'.
  PSEQ ip op op' flag
    (SemProgram_Formula (TransProgCF (TransProgMC SPEC)))
    (SemProgram_Formula (TransProgCF (TransProgMC IMP)))
  ⊃ (∀ t. (flag t = T))                                                  (6.10)
The next step is to prove the additional assumption based on the semantics of
MDG-HDL. Namely, for all possible input traces, the behavior specification REGNOT1M
can be satisfied for some output and state traces:
⊢thm ∀ ip. ∃ op'. SemProgram SPEC ip op'                                 (6.11)
By instantiating the syntax of the two circuits into the importing theorem for se-
quential verification (6.7), we obtain a theorem.
⊢thm (∀ ip op op' flag.
        PSEQ ip op op' flag
          (SemProgram_Formula (TransProgCF (TransProgMC SPEC)))
          (SemProgram_Formula (TransProgCF (TransProgMC IMP))) ⊃
        (∀ t. flag t = T)) ∧
     (∀ ip. ∃ op'. SemProgram SPEC ip op') ⊃
     (∀ ip op. SemProgram IMP ip op ⊃ SemProgram SPEC ip op)
Finally, we obtain the conversion theorem by discharging the theorem of formal-
izing the MDG result (6.10) and the existential theorem (6.11). This theorem states
that the implementation implies the specification.
⊢thm ∀ ip op. SemProgram IMP ip op ⊃ SemProgram SPEC ip op
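The relations that Chapter 5 reasons about (the product machine PSEQ behind (5.13), the additional assumption (5.17) that (5.18) needs, and the invariant-checking machine PINV of section 5.3) and the circuits of Examples 1 and 2 can be exercised on finite traces. The following Python model is an added example; it is not part of the thesis and not code from the MDG or HOL systems. It gives a bounded relational semantics to the PROG/NOT/REG/SEQ abstract syntax from the page, reading SemProgram C ip op as "some assignment to the internal wires satisfies every component constraint", and checks the bounded forms of (5.13), (5.16), (5.17) and (5.23) by enumeration. The function names, the depth bound, the one-input/one-output restriction, the register initial value 0 (taken from init_val(op,0)) and the deliberately inconsistent circuit BAD are assumptions made for this example.

```python
from itertools import product

# Abstract syntax constructors, mirroring the PROG / NOT / REG / SEQ constructors
# of the page's examples (Python tuples stand in for the HOL datatype values).
def NOT(i, o): return ("NOT", i, o)
def REG(i, o): return ("REG", i, o)
def SEQ(a, b): return ("SEQ", a, b)
def PROG(exout, exin, inv, body): return ("PROG", exout, exin, inv, body)

# Circuits from the page: NOT1 (Example 1), IMP = REGNOT3M and SPEC = REGNOT1M
# (Example 2).  BAD is constructed for this example: its output wire is driven
# to both ip and NOT ip, so no trace satisfies it (an inconsistent model).
NOT1 = PROG(["op"], ["ip"], [], NOT("ip", "op"))
IMP = PROG(["op"], ["ip"], ["u", "v", "w"],
           SEQ(NOT("ip", "u"), SEQ(NOT("u", "v"), SEQ(NOT("v", "w"), REG("w", "op")))))
SPEC = PROG(["op"], ["ip"], ["x"], SEQ(NOT("ip", "x"), REG("x", "op")))
BAD = PROG(["op"], ["ip"], ["u"],
           SEQ(NOT("ip", "u"), SEQ(NOT("u", "op"), NOT("ip", "op"))))

def components(body):
    """Flatten SEQ-joined components into a list of NOT / REG tuples."""
    if body[0] == "SEQ":
        return components(body[1]) + components(body[2])
    return [body]

def holds(prog, tr):
    """Conjunction of the per-component constraints over the trace dictionary
    tr (wire name -> list of 0/1 values, one per time step)."""
    n = len(next(iter(tr.values())))
    for kind, i, o in components(prog[4]):
        if kind == "NOT" and any(tr[o][t] != 1 - tr[i][t] for t in range(n)):
            return False
        # REG: initial value 0 (init_val(op,0)), then a one-step delay of its input
        if kind == "REG" and (tr[o][0] != 0 or
                              any(tr[o][t] != tr[i][t - 1] for t in range(1, n))):
            return False
    return True

def traces(n):
    """All 0/1 traces of length n."""
    return [list(v) for v in product((0, 1), repeat=n)]

def sem_program(prog, ip, op):
    """SemProgram C ip op: the external traces are related iff some assignment
    to the internal wires (the INV list) satisfies every component constraint."""
    _, exout, exin, inv, _ = prog
    n = len(ip)
    for vals in product((0, 1), repeat=n * len(inv)):
        tr = {exin[0]: list(ip), exout[0]: list(op)}
        for k, w in enumerate(inv):
            tr[w] = list(vals[k * n:(k + 1) * n])
        if holds(prog, tr):
            return True
    return False

def outputs_of(prog, ip):
    """Every output trace op with SemProgram prog ip op."""
    return [op for op in traces(len(ip)) if sem_program(prog, ip, op)]

def inputs_up_to(depth):
    return [ip for n in range(1, depth + 1) for ip in traces(n)]

def pseq_always_true(m, m2, depth):
    """Bounded form of the MDG sequential result (5.13): whenever ip, op, op'
    satisfy PSEQ (op related to ip by M, op' by M'), the EQ flag is T at every
    time, i.e. op = op'.  Vacuously true when one machine has no outputs."""
    return all(o == o2 for ip in inputs_up_to(depth)
               for o in outputs_of(m, ip) for o2 in outputs_of(m2, ip))

def exists_output(m, depth):
    """Bounded form of the additional assumption (5.17): ∀ ip. ∃ op'. M' ip op'."""
    return all(outputs_of(m, ip) != [] for ip in inputs_up_to(depth))

def implements(m, m2, depth):
    """Bounded form of the conversion target (5.16): ∀ ip op. M ip op ⊃ M' ip op."""
    return all(sem_program(m2, ip, op)
               for ip in inputs_up_to(depth) for op in outputs_of(m, ip))

def pinv_always_true(m, prop, depth):
    """Bounded form of the PINV result (5.23)/(5.24): TESTPRO sees ip and op of M
    and its flag PROPERTY (ip t) (op t) is T at every time."""
    return all(prop(ip[t], op[t]) for ip in inputs_up_to(depth)
               for op in outputs_of(m, ip) for t in range(len(ip)))

if __name__ == "__main__":
    inverts = lambda i, o: o == 1 - i          # PROPERTY: op is the inverse of ip
    print("MDG result for REGNOT3M/REGNOT1M:", pseq_always_true(SPEC, IMP, 3))
    print("assumption (5.17) for SPEC:", exists_output(SPEC, 3))
    print("IMP implements SPEC:", implements(IMP, SPEC, 3))
    print("PSEQ result with inconsistent BAD:", pseq_always_true(IMP, BAD, 3),
          "but IMP implements BAD:", implements(IMP, BAD, 3))
    print("NOT1 satisfies 'op = NOT ip':", pinv_always_true(NOT1, inverts, 3))
    print("REGNOT3M satisfies it:", pinv_always_true(IMP, inverts, 2))
```

The BAD case is the point of (5.17): because BAD relates no output to any input, the PSEQ result about the product of IMP and BAD holds vacuously, yet IMP ⊃ BAD is false, so the MDG result alone could not be converted into the implementation-implies-specification form. Once exists_output confirms the assumption for SPEC, pseq_always_true and implements agree, as (5.18) predicts. The invariant check shows the same PINV reading on the single NOT gate of Example 1, where the property holds at every time, and on the registered circuit, where the one-step delay breaks it.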
6.2 Combining the Translator Correctness Theorem with the Importing Theorems for an Extended Subset
The main idea of this section is similar to that of the last section. However, the
syntax and the semantics are different, because we consider an extended subset.
Since we only proved the first translator for this subset, the formalization of the
MDG result is based on the core MDG-HDL language rather than the MDG formula
representation (Figure 6.2).
6.2.1 Combinational Verification 
As we mentioned in section 6.1.1, for combinational verification, we only need to
formalize the MDG verification result and tag it into HOL. The tagged theorem is in the
form the HOL system needs. The formalization of the MDG verification result based
on the semantics of the core MDG-HDL can be given as below:
∀ ip op.
  SemProgram_Core (TransProgMC C1) ip op =
  SemProgram_Core (TransProgMC C2) ip op                                 (6.12)
By using the translator correctness theorem (4.1), we have proved a theorem
Formalize_Eqce_Thm (6.13) which states that the formalization of the MDG result
based on the core MDG-HDL language is equivalent to the formalization of the
MDG result based on MDG-HDL.
⊢thm (∀ ip op.
        SemProgram_Core (TransProgMC C1) ip op =
        SemProgram_Core (TransProgMC C2) ip op) =
     ∀ ip op. SemProgram C1 ip op = SemProgram C2 ip op                  (6.13)
Therefore, the MDG verification results can be converted into HOL to form the
HOL theorems in terms of the semantics of MDG-HDL.
6.2.2 Sequential Verification
Similar to section 6.1.2, we first instantiate the two machines in terms of the
semantics of the core MDG-HDL language in the importing theorem (5.18) or (5.20).
Therefore, we obtain the importing theorem based on the semantics of the core
MDG-HDL language as shown below:
⊢thm ∀ IMP SPEC.
  (∀ ip op op' flag.
     PSEQ ip op op' flag
       (SemProgram_Core (TransProgMC SPEC))
       (SemProgram_Core (TransProgMC IMP))
     ⊃ (∀ t. (flag t = T))) ∧
  (∀ ip. ∃ op'. SemProgram_Core (TransProgMC SPEC) ip op') ⊃
  (∀ ip op. (SemProgram_Core (TransProgMC IMP) ip op) ⊃
            (SemProgram_Core (TransProgMC SPEC) ip op))                   (6.14)
Secondly, we need to prove an additional assumption.
⊢thm (∀ ip. ∃ op'. SemProgram_Core (TransProgMC SPEC) ip op')            (6.15)
By using the translator correctness theorem (4.1), we prove a theorem Exist_Eqe_Thm
(6.16). This theorem states that the additional assumption based on the semantics
of the core MDG-HDL language is equivalent to that based on the semantics of
MDG-HDL. In other words, we can prove the additional assumption in terms of the
semantics of MDG-HDL.
⊢thm (∀ ip. ∃ op'. (SemProgram_Core (TransProgMC SPEC)) ip op') =
     (∀ ip. ∃ op'. SemProgram SPEC ip op')                               (6.16)
Thirdly, we prove the theorem Imp_Eqe_Thm, which states that the traditional HOL
theorem based on the semantics of the core MDG-HDL language is equivalent to
that based on the semantics of MDG-HDL.
⊢thm (∀ ip op.
        (SemProgram_Core (TransProgMC IMP)) ip op ⊃
        (SemProgram_Core (TransProgMC SPEC)) ip op) =
     (∀ ip op. (SemProgram IMP) ip op ⊃
               (SemProgram SPEC) ip op)                                  (6.17)
Finally, the new importing theorem Import_Mdghdl_Thm is obtained by rewriting the-
orem (6.14) with the theorems (6.16) and (6.17).
⊢thm ∀ IMP SPEC.
  (∀ ip op op' flag.
     PSEQ ip op op' flag
       (SemProgram_Core (TransProgMC SPEC))
       (SemProgram_Core (TransProgMC IMP))
     ⊃ (∀ t. (flag t = T))) ∧
  (∀ ip. ∃ op'. SemProgram SPEC ip op') ⊃
  (∀ ip op. SemProgram IMP ip op ⊃
            SemProgram SPEC ip op)                                       (6.18)
As a result, the combination of the translator correctness theorem and importing
theorems allows the MDG verification result to be imported into HOL in terms of the se-
mantics of MDG-HDL. An example of importing an MDG verification result into HOL
for the extended subset will be given in Chapter 8.
Summary
We have combined the compiler correctness theorems with the importing theorems
based on the deep embedding semantics. This combination allows the MDG results
to be reasoned about in HOL in terms of the MDG input language (MDG-HDL).
The two different MDG verification applications for two subsets have been formalized
in terms of the low level language and imported in a way that corresponds to the
semantics of MDG-HDL.
Chapter 7 
Existential Theorems 
As we stated in Chapter 5, the importing theorem for sequential verification has the
form:
⊢thm Formalized MDG result ∧
     ∀ ip. ∃ op. SPEC ip op ⊃
     (∀ ip op. (IMPL ip op ⊃ SPEC ip op))
where SPEC represents the behavioral specification and IMPL represents the structural
specification. The first assumption is discharged by the MDG verification. However,
for importing the sequential verification results into HOL, a user of the hybrid system
strictly needs to prove an additional assumption (an existential theorem) to ensure
the correct HOL theorem can be made. This theorem states that for all possible
input traces, the behavioral specification SPEC can be satisfied for some outputs (i.e.,
there exists at least one output for which the relation is true):
∀ ip. ∃ op. SPEC ip op                                                    (7.1)
When we convert the M D G results into H O L to form the H O L theorems, the 
theorems actually state that the implementation of the design implements its spec-
115 
ification as shown in (7.2). 
V i p o p . ( I M P L i p o p D S P E C i p o p ) (7.2) 
This représentation might meet an inconsistent model that trivially satisfles any 
spécification. We need to verify a stronger consistency theorem against the imple-
mentation as suggested in [58], which has the form: 
This means that for any set of input values ip there is a set of output values op 
which is consistent with it. This shows that the model does not satisfy a spécification 
merely because it is inconsistent. 
In this chapter, we investigate a way of proving the additional assumption and 
the stronger consistency theorem based on the syntax and semantics of the M D G 
input language [82]. As we mentioned above, we prove the additional assumption 
because we want to make the linking process easier and remove the burden from the 
user of the hybrid system. We prove the stronger consistency theorem because we 
want to avoid an inconsistent model occurring. The above two theorems actually 
have the same form. In the rest of this thesis, we cali them ex i s t en t i a l theorems. 
If we use C to represent any spécification or implementation of a circuit, ip and op 
to represent the external inputs and outputs, the ex i s t en t i a l theorem should have 
the form: 
For example, if we consider a circuit consisting of two NOT gates in séries, the exis-
tential theorem for this circuit should be: 
i-thm V i p . 3 op. (3 op l . SEMJJOT ip opl A SEM_N0T opl op) 
In fact, the stronger consistency theorem (7.3) is an ex i s t en t i a l theorem for the 
structural spécification, whereas the additional assumption (7.1) for the importing 
theorem is an ex i s t en t i a l theorem for the behavioral spécification. 
V i p . 3 o p . I M P L i p o p (7.3) 
V i p . 3 o p . C i p o p (7.4) 
116 
The goal of the existential theorem is existentially quantified. We can remove
hidden lines in goals of this form using EXISTS_TAC, which strips away the
leading existentially quantified variable and substitutes a term for each free
occurrence in the body. This term is called the existential term. An
existential term of a variable is determined by one or several output
representations of the corresponding MDG-HDL components. An output
representation of a component represents an output function of this component,
which depends on its input value and output value at the current time or an
earlier time instance. There is a HOL tactic, EXISTS_ELIM_TAC [6], which is
used to eliminate existentially quantified variables in a goal. This tactic
corresponds to the theorem EXISTS_ELIM given below.

  ⊢thm (∃ x. (x = t) ∧ (A x)) = A t                                       (7.5)

In other words, if the existentially quantified variable (x) is explicitly
represented by its value as in (7.5), with (x = t) in the goal, the tactic
EXISTS_ELIM_TAC can be used to remove the hidden lines. The general purpose
simplification tactic SIMP_TAC can similarly be used to eliminate existentially
quantified variables. However, for dealing with those existentially quantified
variables such as (x) which are not represented as (x = t), we need to find
their output representations.

In this chapter, we concentrate on proving the existential theorems based on
the syntax and semantics of MDG-HDL [82] [26]. However, a similar method can be
used to solve other existentially quantified goals. This is because we provide
the output representation for each component (mainly logic gates and
flip-flops). The existential term of a design, which reduces the goal ∃ x. t to
t[u/x], is determined in terms of the corresponding output representations. We
also provide tactics for expanding the semantics of the circuit and proving the
existential theorem.

We have defined semantic functions for the two subsets of MDG-HDL. For giving a
corresponding importing theorem for sequential verification, we need to prove
the existential theorem for the implementation of the design in terms of the
semantics. We need to provide the general output representation for each
component of the two subsets of the MDG-HDL library. Because the main ideas of
defining the output representation for each component of the two subsets are
the same, we will only give the detail about how to define the output
representation for the extended subset. In other words, we will talk about how
to prove the existential theorem for the extended subset.
7.1 Existential Theorem for the Extended Subset

In this section, we provide the general output representation for each
component in the MDG-HDL library. Because the existential term for a design is
determined in terms of the output representations of its components, these
provide a toolkit for then proving the existential theorem of the design. We
also provide three tactics, EXPAND_SEMANTICS_TAC, PROVE_EXIST_TAC and
PROVE_TABLE_EXIST_TAC, which automatically expand the semantics of the program
and prove the goal. The first tactic is used for expanding the semantics of the
program (design) and obtaining a goal of the form ∃ a1 ... an. body. The
tactics PROVE_EXIST_TAC and PROVE_TABLE_EXIST_TAC are used for verifying goals.

The proof process for proving an existential theorem is divided into three
steps. We first expand its semantics and rewrite away the abstract syntax, and
obtain the existentially quantified goal. We then strip away the existentially
quantified variable. Finally, we prove the goal.

Example 1. Consider a circuit that only consists of one NOT gate. The abstract
syntax of this circuit is represented as:

  (PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV []) (NOT "ip" "op"))

The existential theorem for this circuit is

  ⊢thm ∀ ip. ∃ op.
         SemProgram (PROG (EXOUT ["op"]) (EXIN ["ip"])
                          (INV []) (NOT "ip" "op")) ip op

Expanding the semantics of the program using the tactic EXPAND_SEMANTICS_TAC,
we obtain a subgoal which has the form ∃ a1 ... an. body. Here:

  ∃ op. ∀ t. IS_BOOL (HD ip t) ∧ IS_BOOL (HD op t) ⊃
        ∀ t. MDG_TO_BOOL (HD op t) = ~ MDG_TO_BOOL (HD ip t)

The existential theorem of this circuit is existentially quantified by its
external output op. More detail will be given later.

In the rest of this chapter, we first define the output representation for each
component in the MDG-HDL library apart from the TABLE. We then provide a method
to find the output representation for the TABLE component. We next deal with
the existentially quantified internal variables. Finally, we give an example
that demonstrates how to apply our approach to prove the existential theorem of
a whole circuit.
7.2 The Output Representation for the Basic MDG-HDL Components

In the MDG-HDL library, there are two classes of non-table component. In one
the output of the component is a signal variable (i.e. non state holding), in
the other the output of the component is a state variable. The existential
terms for the two classes are slightly different.

(1) The output of a component is a signal variable.

Most components in the MDG-HDL library belong to this class, having no state
component: their output is a signal variable. For stripping away the
existentially quantified variable, we have defined the output representation
for each component. For example, the general output representation for the NOT
gate is defined as

  ⊢def existnot (ip:Mdg_Basic) =
         (Bool1_Mdg ~ (λ wv. (if wv = BOOL T then T else F)) ip)

where Bool1_Mdg is an auxiliary function which converts a boolean value to a
Mdg_Basic value. This definition states that the function is related to the
input ip. We use this term as the basis of the witness term for existential
quantification elimination (EXISTS_TAC in HOL).

In Example 1 above, both external inputs and external outputs are one element
lists. The input of the circuit is therefore (HD ip) (taking the first element
of list ip); we therefore use (HD ip) to represent our input variable in the
existential term rather than ip. The output op is a (num -> Mdg_Basic) list. We
use [λ(t:num). existnot (HD ip (t:num))] to represent the existential term of
the circuit. It is used to strip away the existentially quantified goal. The
second tactic, PROVE_EXIST_TAC, can then be used to prove the goal. The output
representation for other components in this class can be defined in a very
similar way.

(2) The output of a component is a state variable.

In this class, the output value of a component refers to values at an earlier
time instance. When we strip away the existentially quantified variable op, the
time value in the existential term must be one instance earlier.

Example 2. Consider proving an existential theorem for a one register circuit.
The output representation for a register, existreg, is given below:

  ⊢def existreg (ip:Mdg_Basic) =
         (Bool1_Mdg (λ wv. (if wv = BOOL T then T else F)) ip)

We first use the tactic EXPAND_SEMANTICS_TAC [SEM_REG], which expands the
semantics of the circuit. The existential quantifier elimination tactic
EXISTS_TAC is then used to strip away the existentially quantified variable op.
However, the existential term [(λ(t:num). existreg (HD ip ((t-1):num)))] is
different to the one we described above. Because the output value of the
register refers to values at an earlier time instance, the time in the function
existreg is (t-1) rather than t. Finally, the existential theorem for one
register can be proved by using the tactic PROVE_EXIST_TAC.
7.3 The Output Representation for TABLE Components

The predefined TABLE component must be dealt with separately. There exist three
different situations. In each of these situations, the output representation of
the TABLE is based on the output function existtable, whose definition is given
below:

  ⊢def (existtable input [] u_out default t = default t) ∧
       (existtable input vs [] default t = default t) ∧
       (existtable input (CONS v vs) (CONS u u_out) default t =
          (if (Table_match input v t) then (u t)
           else (existtable input vs u_out default t)))

This definition represents the output value of the table. In the definition,
the input of the table, input, is a list. Each element in the list could be
used to represent the output value at an earlier time instance. From this
definition, we have proved a theorem which states the relation between the
predicate table and the predicate existtable. A table's output value at time t
is equal to the value of the predicate existtable at time t.

  ⊢thm ∀ u_outs u_out t.
         table input op u_outs u_out default t =
         (op t = (existtable input u_outs u_out default t))

Now, we will consider how to use existtable to give the output representation
for the three different table situations in turn.

(1) The output of a TABLE is a signal variable.

In this situation, the output is a relation of the input and the other three
table arguments. The output representation for TABLE is existtable ip vs u_out
default. In other words, the function existtable represents the output
relation. For example, if we want to prove an existential theorem for the TABLE
of a NOT gate circuit, the existential term for the table specifying a NOT gate
is

  [existtable [(HD ip):(num -> Mdg_Basic)]
              [[TABLE_VAL (BOOL T)]; [TABLE_VAL (BOOL F)]]
              [(λt. BOOL F); (λt. BOOL T)] (λt. ARB)]

(2) The output of a TABLE is a state variable and the input of the TABLE does
not contain the output variable.

In this case, the output of the TABLE at the current time does not depend on
itself at an earlier time instance. The existential term refers to the values
at an earlier time instance, which is λt. existtable ip vs u_out default (t-1).
The time in the function existtable is (t-1) rather than t. For example, if we
want to prove an existential theorem for the TABLE of a register circuit, the
existential term which refers to values at an earlier time instance for this
circuit is

  [λt. existtable [(HD ip):(num -> Mdg_Basic)]
                  [[TABLE_VAL (BOOL T)]; [TABLE_VAL (BOOL F)]]
                  [(λt. BOOL T); (λt. BOOL F)] (λt. ARB) (t-1)]

(3) The output of a TABLE is a state variable and the input of the TABLE
contains the output variable.

In this situation, the output value of the TABLE not only depends on inputs but
also depends on its own value at an earlier time instance. We cannot give the
general output representation for this kind of TABLE. However, we provide a
method through an example to explain how to obtain an output representation for
the TABLE.
Example 3. We consider the following goal for a program containing a table in
which the table output value not only depends on inputs but also depends on its
own value at an earlier time instance (see Figure 7.1).

  ∀ ip.
    ∃ op. SemProgram (PROG (EXOUT ["op"]) (EXIN ["ip"]) (INV [])
            (TABLESYN ["ip"; "op"] (NEXTV "op")
               [[TABLE_VAL (BOOL F); TABLE_VAL (BOOL F)];
                [TABLE_VAL (BOOL F); TABLE_VAL (BOOL T)];
                [TABLE_VAL (BOOL T); TABLE_VAL (BOOL F)];
                [TABLE_VAL (BOOL T); TABLE_VAL (BOOL T)]]
               [BOOL F; BOOL T; BOOL T; BOOL T] (DENORMAL ARB))) ip op

       INPUT                OUTPUT
       ip t     | op t      op (t+1)
  IF   BOOL F   | BOOL F    BOOL F
       BOOL F   | BOOL T    BOOL T
       BOOL T   | BOOL F    BOOL T
       BOOL T   | BOOL T    BOOL T
  ELSE                      ARB

  Figure 7.1: The Output of a TABLE is a State Variable and is Contained in the
  Input List

After using the tactic EXPAND_SEMANTICS_TAC to expand the semantics of the
syntax, we obtain:

  ∃ op. (∀ t. (IS_BOOL (HD ip t) ∧ IS_BOOL (HD op t)) ∧
              IS_BOOL ((HD op o NEXT) t)) ⊃
        TABLE [HD (ip:(num -> Mdg_Basic) list); HD op] (HD op (t + 1))
              [[TABLE_VAL (BOOL F); TABLE_VAL (BOOL F)];
               [TABLE_VAL (BOOL F); TABLE_VAL (BOOL T)];
               [TABLE_VAL (BOOL T); TABLE_VAL (BOOL F)];
               [TABLE_VAL (BOOL T); TABLE_VAL (BOOL T)]]
              [(λ(t:num). BOOL F); (λ(t:num). BOOL T); (λ(t:num). BOOL T);
               (λ(t:num). BOOL T)] (λ(t:num). ARB)

We notice that the output value at the time t+1 depends on the output value at
the time t. For stripping away the existentially quantified variable op, we
have to define a new constant existtable_next of the form:

  existtable_next ip (SUC t) =
    existtable [HD ip; (λa. existtable_next ip a)]
               [[TABLE_VAL (BOOL F); TABLE_VAL (BOOL F)];
                [TABLE_VAL (BOOL F); TABLE_VAL (BOOL T)];
                [TABLE_VAL (BOOL T); TABLE_VAL (BOOL F)];
                [TABLE_VAL (BOOL T); TABLE_VAL (BOOL T)]]
               [(λ(t:num). BOOL F); (λ(t:num). BOOL T); (λ(t:num). BOOL T);
                (λ(t:num). BOOL T)] (λ(t:num). ARB) t

where ((SUC t) = t+1). However, we cannot define this function directly in HOL
by using the Define function because it is not well-defined. In particular, it
is of the form

  f (SUC t) = g f

where f is existtable_next applied to arguments, and g is existtable applied to
arguments. The function is passing f (a functional value of type
:num -> Mdg_Basic) to another function. In order to make this valid, we have to
show that the functions called by g are only called in ways that decrease some
measure function. Therefore, we expand the definition first and obtain a
well-defined function, so as to use Define to define this function.

We first expand the definitions of existtable, Table_match, HD, TL and
TableVal_to_Val in order to define existtable_next by using REWRITE_CONV. We
can then obtain a well-defined function and use Define to define the function
existtable_next. We next obtain the existential term, which is

  [((existtable_next (ip:(num -> Mdg_Basic) list)):num -> Mdg_Basic)]

Finally, the existential goal can be proved by using PROVE_TABLE_EXIST_TAC.
Therefore, we can prove the existential theorem of the above circuit by using
the above three steps, as long as we find its output representations.
7.4 Dealing with the Existentially Quantified Internal Variables

When we prove the existential theorem for a circuit, if the circuit contains
internal wires, we also need to strip away these wires. The existential terms
for these wires are nearly the same as we described above. A difference is that
the type of these wires is :num -> Mdg_Basic rather than :(num -> Mdg_Basic)
list. This is because we do not use a list to represent an internal wire.

Example 4. We consider the proof of the existential theorem for a circuit
consisting of one AND gate and one REGISTER. The semantics of this circuit is

  ∀ ip. ∃ op.
    SemProgram (PROG (EXOUT ["op"]) (EXIN ["ip1"; "ip2"]) (INV ["u"])
                     (JOIN (AND "ip1" "ip2" "u") (REG "u" "op"))) ip op

By expanding the semantics using EXPAND_SEMANTICS_TAC [SEM_AND, SEM_REG], we
obtain

  ∃ x1 op.
    (∀ t. IS_BOOL (HD ip t) ∧ IS_BOOL (HD (TL ip) t) ∧
          IS_BOOL (HD op (t + 1))) ⊃
    (∀ t.
       IS_BOOL (x1 t) ∧
       (MDG_TO_BOOL (x1 t) =
        MDG_TO_BOOL (HD ip t) ∧ MDG_TO_BOOL (HD (TL ip) t)) ∧
       IS_BOOL (x1 t) ∧ (MDG_TO_BOOL (HD op (t + 1)) = MDG_TO_BOOL (x1 t)))

where x1 is an internal wire which is the output of the AND gate and the input
of the REGISTER. It is a (num -> Mdg_Basic) term. The existential term of x1
(x1_exist) depends on the output representation of the AND gate (existand).

  x1_exist = (λ(t:num). existand (HD ip (t:num)) (HD (TL ip) t))

op represents an external output; it is a (num -> Mdg_Basic) list term. The
output of the REGISTER is the only element of this list. Thus the corresponding
existential term depends on the output representation of the REGISTER.

  [(λ(t:num). (existreg (x1_exist (t-1))))]

The tactic EXISTS_TAC can then be used to strip away the existentially
quantified external variable op and the internal variable x1. Finally, the
theorem can be proved by using the tactic PROVE_EXIST_TAC.

7.5 An Example

  [Figure 7.2: A Circuit (gates: NOT, OR, AND, NOT)]

Example 5. Consider the circuit shown in Figure 7.2. We will prove the
existential theorem of this circuit to illustrate how our approach is deployed
with a circuit containing a combination of the situations considered: internal
wires, a table, a register and combinational components. The existential
theorem for this circuit is represented as:

  ⊢thm ∀ ip.
         ∃ op.
           SemProgram (PROG (EXOUT ["op1"]) (EXIN ["ip1"; "ip2"; "ip3"])
                            (INV ["x1"; "x2"; "x3"])
                            (JOIN (TABLESYN ["ip"] (NOWV "op")
                                     [[TABLE_VAL (BOOL T)]; [TABLE_VAL (BOOL F)]]
                                     [BOOL F; BOOL T] (DENORMAL ARB))
                            (JOIN (OR "x1" "ip2" "x2")
                            (JOIN (AND "x2" "ip3" "x3")
                                  (NOT "x3" "op1"))))) ip op
The proof process can be divided into three steps. We first use the tactic
EXPAND_SEMANTICS_TAC to expand the semantics of the syntax. We obtain:

  ∃ x1 x2 x3 op.
    (∀ t. IS_BOOL (HD ip t) ∧ IS_BOOL (HD (TL ip) t) ∧
          IS_BOOL (HD (TL (TL ip)) t) ∧ IS_BOOL (HD op t)) ⊃
    TABLE [HD ip] x1 [[TABLE_VAL (BOOL T)]; [TABLE_VAL (BOOL F)]]
          [(λt. BOOL F); (λt. BOOL T)] (λt. ARB) ∧
    (∀ t. (IS_BOOL (x1 t) ∧ IS_BOOL (x2 t) ∧
           (MDG_TO_BOOL (x2 t) =
            MDG_TO_BOOL (x1 t) ∨ MDG_TO_BOOL (HD (TL ip) t))) ∧
          (IS_BOOL (x2 t) ∧ IS_BOOL (x3 t) ∧
           (MDG_TO_BOOL (x3 t) =
            MDG_TO_BOOL (x2 t) ∧ MDG_TO_BOOL (HD (TL (TL ip)) t))) ∧
          IS_BOOL (x3 t) ∧ (MDG_TO_BOOL (HD op t) = ~ MDG_TO_BOOL (x3 t)))

where x1, x2, x3 are internal wires, op is an external wire list which is a one
element list [op1], and ip is an external input list which contains three
elements [ip1; ip2; ip3].

We then strip away the existentially quantified goal. The internal variable x1
is the output of the NOT gate (TABLE representation) and the input of the OR
gate. The output representation for stripping away this variable is determined
by the NOT TABLE, which is represented as x1_exist.

  x1_exist = existtable [(HD ip)] [[TABLE_VAL (BOOL T)];
                                   [TABLE_VAL (BOOL F)]]
                        [(λt. BOOL F); (λt. BOOL T)] (λt. ARB)

The internal variable x2 is the output of the OR gate and the input of the AND
gate. The existential term is determined by the output representation of the OR
gate, which is represented as x2_exist.

  x2_exist = (λ(t:num). existor (x1_exist t) (HD (TL ip) t))

where x1_exist is the input of the OR gate. The output representation is in
terms of its input. Similarly, the internal variable x3 is the output of the
AND gate and the input of the NOT gate. The existential term is determined by
the output representation of the AND gate, which is represented as x3_exist.

  x3_exist = (λ(t:num). existand (x2_exist t) (HD (TL (TL ip)) t))

Finally, the external output is the output of a NOT gate; the existential term
is determined by the output representation of the NOT gate.

  op_exist = (λ(t:num). existnot (x3_exist t))

After stripping away the existentially quantified variables using the above
terms, we can finally prove the goal using the tactic PROVE_EXIST_TAC.

This example demonstrates that knowing the output representation for each
component in the MDG-HDL component library is practically useful when finding a
proper existential term of the whole circuit. For any circuit in MDG-HDL, as
long as we find the corresponding existential term of the circuit, the
existential theorem of this circuit can be proved.
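The witness construction of section 7.3 (existtable and the existtable_next constant of Example 3) and of Example 5 above, as an added Python model that is not the thesis's HOL code: it composes the output representations into existential terms and checks the expanded goal of Example 5 over constructed input traces. The definitions of existand and existor, the time-0 value of existtable_next and the behaviour of MDG_TO_BOOL on ARB are assumptions, as only existnot is defined on the page.

```python
# Added example, not the thesis's HOL code: a Python model of the
# "existential terms" of Chapter 7. Mdg_Basic values BOOL T, BOOL F and ARB
# are the strings 'T', 'F' and 'ARB'; a signal is a function from time to a
# value, mirroring HOL's :num -> Mdg_Basic. Only TABLE_VAL rows are modelled.
T, F, ARB = 'T', 'F', 'ARB'

def is_bool(v):            # IS_BOOL: BOOL T or BOOL F, not ARB
    return v in (T, F)
def mdg_to_bool(v):        # MDG_TO_BOOL: BOOL T is true; BOOL F (and ARB, by assumption) false
    return v == T
def bool1_mdg(b):          # Bool1_Mdg: HOL boolean back to an Mdg_Basic value
    return T if b else F

# Output representations of the basic gates (section 7.2). existnot follows the
# page's definition; existand and existor are assumed to follow the same pattern.
def existnot(ip):
    return bool1_mdg(not mdg_to_bool(ip))
def existand(a, b):
    return bool1_mdg(mdg_to_bool(a) and mdg_to_bool(b))
def existor(a, b):
    return bool1_mdg(mdg_to_bool(a) or mdg_to_bool(b))

def table_match(inputs, row, t):
    """Table_match: every input signal at time t equals the row's TABLE_VAL."""
    return all(sig(t) == val for sig, val in zip(inputs, row))

def existtable(inputs, rows, outs, default, t):
    """The three clauses of existtable (section 7.3), tried in order."""
    if not rows or not outs:           # [] rows or [] outputs: default value
        return default(t)
    if table_match(inputs, rows[0], t):
        return outs[0](t)
    return existtable(inputs, rows[1:], outs[1:], default, t)

ARB_DEFAULT = lambda t: ARB

# The NOT-gate TABLE of section 7.3 (1): input T gives F, input F gives T.
NOT_ROWS, NOT_OUTS = [[T], [F]], [lambda t: F, lambda t: T]
# The TABLE of Figure 7.1: op (t+1) is a function of ip t and op t.
FEEDBACK_ROWS = [[F, F], [F, T], [T, F], [T, T]]
FEEDBACK_OUTS = [lambda t: F, lambda t: T, lambda t: T, lambda t: T]

def make_existtable_next(ip, initial=F):
    """existtable_next of Example 3: existtable_next ip (SUC t) is existtable
    over [HD ip; existtable_next ip] at time t. The page gives only the SUC
    clause, so the value at time 0 (unconstrained by the goal) is our choice;
    memoisation keeps the self-reference linear in t."""
    memo = {}
    def existtable_next(t):
        if t not in memo:
            memo[t] = initial if t == 0 else existtable(
                [ip[0], existtable_next], FEEDBACK_ROWS, FEEDBACK_OUTS,
                ARB_DEFAULT, t - 1)
        return memo[t]
    return existtable_next

def example5_witnesses(ip):
    """x1_exist, x2_exist, x3_exist and op_exist of Example 5, composed from
    the output representations exactly as section 7.5 does."""
    ip1, ip2, ip3 = ip
    def x1(t): return existtable([ip1], NOT_ROWS, NOT_OUTS, ARB_DEFAULT, t)
    def x2(t): return existor(x1(t), ip2(t))
    def x3(t): return existand(x2(t), ip3(t))
    def op1(t): return existnot(x3(t))
    return x1, x2, x3, op1

def example5_goal(ip, x1, x2, x3, op, horizon):
    """Body of the expanded goal of Example 5, checked for 0 <= t < horizon.
    TABLE [HD ip] x1 ... is replaced by the equivalent 'x1 t = existtable ... t'
    given by the theorem in section 7.3."""
    ip1, ip2, ip3 = ip
    if not all(is_bool(s(t)) for t in range(horizon) for s in (ip1, ip2, ip3, op)):
        return True                    # antecedent false: implication holds
    for t in range(horizon):
        table_ok = x1(t) == existtable([ip1], NOT_ROWS, NOT_OUTS, ARB_DEFAULT, t)
        or_ok = (is_bool(x1(t)) and is_bool(x2(t)) and
                 mdg_to_bool(x2(t)) == (mdg_to_bool(x1(t)) or mdg_to_bool(ip2(t))))
        and_ok = (is_bool(x2(t)) and is_bool(x3(t)) and
                  mdg_to_bool(x3(t)) == (mdg_to_bool(x2(t)) and mdg_to_bool(ip3(t))))
        not_ok = is_bool(x3(t)) and mdg_to_bool(op(t)) == (not mdg_to_bool(x3(t)))
        if not (table_ok and or_ok and and_ok and not_ok):
            return False
    return True

def bit_signal(k):
    """Constructed input trace: BOOL T exactly when bit k of the time t is set."""
    return lambda t: T if (t >> k) & 1 else F

def demo():
    # Over t = 0..7 the three constructed inputs run through every boolean
    # combination, so horizon 8 checks the goal over the whole truth table.
    ip = [bit_signal(0), bit_signal(1), bit_signal(2)]
    x1, x2, x3, op1 = example5_witnesses(ip)
    goal_ok = example5_goal(ip, x1, x2, x3, op1, 8)
    # The Figure 7.1 TABLE driven by bit_signal(0) latches once ip has been T.
    nxt = make_existtable_next([bit_signal(0)])
    return goal_ok, [nxt(t) for t in range(5)]   # → (True, ['F','F','T','T','T'])
```

Passing a wrong witness (for instance x3 itself in place of op_exist) makes example5_goal return False, which is the failure the NOT conjunct of the goal is there to catch.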
Although we concentrate on proving the existential theorem for the
specification and implementation of a design based on the syntax and semantics
of MDG-HDL in this thesis, our methods can be used to solve other HOL goals
which are existentially quantified. In fact, we have developed a library for
giving the output representation of each component in a boolean subset. It can
be used to construct the existential term, which strips away the existentially
quantified variable in the HOL goal. In other words, our existential terms and
output representations can be used to solve some existentially quantified HOL
goals in other applications.

Summary

In this chapter, we investigate existential theorems based on the syntax and
semantics of the MDG input language (MDG-HDL) in HOL. We define an output
representation for each component in the MDG-HDL component library. We
summarize a general method which is used to prove the existential theorem for
any MDG-HDL program. The method can also be used to solve other existentially
quantified goals.
Chapter 8

Case Study: Verification of the Correctness and Usability Theorems of a Vending
Machine

Up to now, we have proved some translator correctness theorems and some
importing theorems. We have combined the translator correctness theorems with
the importing theorems. The combination allows the MDG verification results to
be imported into HOL in terms of the semantics of MDG-HDL. However, how can we
ensure this method is feasible in practice? In other words, how can we ensure
the low level MDG verification results can be imported into HOL to form the
traditional HOL theorems? Moreover, can the importing theorems be used in HOL?

In this chapter, we will use a simple example, the verification of a
correctness theorem and a usability theorem of a vending machine (chocolate
machine), to answer the above questions. This example was originally used to
verify the absence of post-completion errors within the framework of a
traditional hardware verification by Curzon and Blandford [25] [24]. In this
work, the correctness of the vending machine was verified, i.e. it was proved
that the implementation of the vending machine meets its specification. A
usability property based on its specification was then proved. By combining the
above two theorems, the usability theorem based on its implementation was
proved. All the formalization and verification were implemented in HOL.

In our case study, we follow their steps. However, we use the MDG system to
verify the correctness of the chocolate machine and formally import the MDG
verification result into HOL to form the HOL theorem based on the deep
embedding semantics of the MDG input language (MDG-HDL). We then prove the
specification based usability theorem in the HOL system. By combining those two
theorems, one the correctness theorem of the chocolate machine which is
verified in MDG (the importing theorem), the other the specification based
usability theorem which is proved in HOL, we obtain the implementation based
usability theorem. Therefore, the importing theorem (the correctness theorem)
can not only be imported into HOL but also be used in HOL.

When we use the MDG system to verify the chocolate machine, we give a hardware
implementation of the machine and verify it against the specification of a
finite state machine. Both are described in the MDG input language (MDG-HDL)
and verified in the MDG system. After we verify the correctness of the
chocolate machine in the MDG system, the theorem about the formalization of the
MDG verification result can be tagged into HOL in terms of the syntax and
semantics of the core MDG-HDL language. The importing theorem for the chocolate
machine can be obtained by instantiating the theorem (6.18) with the syntax
(MDG-HDL) of the implementation and specification of the chocolate machine. We
also prove the existential theorem based on the semantics of MDG-HDL for the
implementation of the chocolate machine using the method we proposed in
Chapter 7. Finally, a correctness theorem based on the semantics of MDG-HDL of
the chocolate machine, which states that the specification implies the
implementation, is obtained.

When we prove the usability theorem based on its specification in HOL, we
follow the idea of Curzon & Blandford [24]. However, the specification of the
chocolate machine is different to theirs. This is because the specification in
MDG must be in the form of a finite state machine or table description. Another
difference is that we have to add some reasonable assumptions to cope with the
different sorts of inputs of the TABLE. By combining the correctness theorem
and the specification based usability theorem, we can obtain the implementation
based usability theorem. More detail will be discussed in section 8.3.

During this case study, we will show the detail about how to define the syntax
and the semantics of the specification and implementation, how to use a new
type Mdg_Basic to accommodate the different sorts of the inputs for the TABLE,
how to prove the existential theorem, and how to formally import the MDG
verification results into HOL to form the HOL theorems and make use of the
theorems. We will also explain why the assumptions of the usability theorem are
reasonable. In other words, we will go through the methods proposed in Chapter
4, Chapter 5, Chapter 6 and Chapter 7. We will use this example to prove the
feasibility of the methodology of our research. This is very important. Since
we formally import the MDG verification results into HOL on the trusted MDG
system, the degree of trust of the linkage between the MDG and HOL systems is
high. If our methodology is feasible, it can be used in developing a hybrid
system. This will greatly increase the trustworthiness of the hybrid system.

In the rest of this chapter, we will first briefly introduce the chocolate
machine in section 8.1. We then verify the machine using the MDG system in
section 8.2. We next consider the importation process which formally imports
the MDG verification results into HOL to form the HOL theorems in section 8.3.
In section 8.4, we prove the specification based usability theorem in HOL and
prove the implementation based usability theorem by making use of the above two
proved theorems.
8.1 Chocolate Machine 
The chocolate machine is used to sell chocolate as shown in Figure 8.1. It takes 
pound coins only, returning 20p change. To get the change a button must be pressed. 
Similarly a further button must be pressed to get the chocolate. The machine has 
lights next to the coin slot and 2 buttons to indicate the order things should be 
done. The lights light up to indicate the next action the user should perform. The 
order of operation is that a coin is inserted, the change button is pressed and the
change removed, and then finally the chocolate button is pressed and the chocolate 
removed. If the user does not press the appropriate button the machine does nothing 
until the correct button is pressed. 
The chocolate machine has three inputs which correspond to the buttons being 
pressed and a coin inserted. It has five outputs which correspond to three lights and 
a signal each to release change and chocolate.
8.2 Proving the Chocolate Machine using the MDG System

In this section, we will use the sequential verification of the MDG system to prove
the correctness of the chocolate machine. For sequential verification, we need to
provide five kinds of input files: the circuit description files (the implementation file
and the specification file), the algebraic specification file, the symbol order file and
the invariant specification file. The implementation file and the specification file
have the same inputs (InsertCoin, PushChange, PushChoc) but different outputs.
We use (CoinLight_a, ChocLight_a, ChangeLight_a, GivenChoc_a, GivenChange_a)
to represent the outputs in the implementation file and (CoinLight, ChocLight,
ChangeLight, GiveChoc, GiveChange) to represent the outputs in the specification
file. We will explain the four different files in turn in the following subsections.

Figure 8.1: The Chocolate Machine (front panel text: "CHOCOLATE - 80p",
"1. Insert Coin", "£1 ONLY", "2. Push for Change", "3. Push for Chocolate")
8.2.1 The Implementation

The chocolate machine is implemented in hardware as shown in Figure 8.2. We
can use the predefined components in the MDG-HDL library to represent the cor-
responding circuit as described in [25]. In the circuit, two registers (X and Y) are
needed to store the 4 internal states of the chocolate machine (reset, coin, choc,
change). The inputs are connected to wires xin and yin and their outputs to wires
x and y, respectively. In MDG-HDL, we use the command component to specify their
specifications.

    component(reg_x, reg(input(xin), output(x))).
    component(reg_y, reg(input(yin), output(y))).

The following representation of abstract states is used:

             X   Y
    reset    0   0
    coin     0   1
    change   1   1
    choc     1   0

The output side of the circuit involves using NOT gates and AND gates to turn the x
and the y values into 4 signals representing these states.

    component(out_inv_x, not(input(x), output(xbar))).
    component(out_inv_y, not(input(y), output(ybar))).
    component(out_and_xy, and(input(x,y), output(change))).
    component(out_and_xybar, and(input(x,ybar), output(choc))).
    component(out_and_xbary, and(input(xbar,y), output(coin))).
    component(out_and_xbarybar, and(input(xbar,ybar), output(reset))).
Figure 8.2: The Circuit of the Chocolate Machine (gate-level netlist: inputs
InsertCoin, PushChange, PushChoc; two REG components for x and y; NOT and AND
gates decoding the signals reset, coin, change, choc; FORK components driving
GiveChoc, CoinLight, ChangeLight, ChocLight, GiveChange)
These signals are then wired to the appropriate outputs. The coin light is wired
to the reset signal, the change light to the coin signal, the chocolate light and the
mechanism to release the change to the change signal.

    component(wire_choc_givenchoc, fork(input(choc), output(GivenChoc_a))).
    component(wire_choc_changlight, fork(input(change), output(ChocLight_a))).
    component(wire_change_givechange, fork(input(change), output(GivenChange_a))).
    component(wire_coin_choclight, fork(input(coin), output(ChangeLight_a))).
    component(wire_reset_coinlight, fork(input(reset), output(CoinLight_a))).

The input side of the circuit combines the inputs with the signals representing
the states. Signal x is 1 in the next state if
(1) we are in the coin state AND the change button is pressed OR
(2) we are in the change state.
This is given as:

    component(x_and, and(input(coin,PushChange), output(l1))).
    component(x_or, or(input(change,l1), output(xin))).

Signal y is 1 in the next state if
(1) we are in the coin state OR
(2) we are in the change state AND the chocolate button is NOT pressed OR
(3) we are in the reset state AND a coin is inserted.

    component(y_and_rein, and(input(reset,InsertCoin), output(l2))).
    component(y_or_col2, or(input(coin,l2), output(l4))).
    component(y_inv, not(input(PushChoc), output(l3))).
    component(y_and_chl3, and(input(change,l3), output(l5))).
    component(y_or_l415, or(input(l4,l5), output(yin))).

We thus obtain the hardware implementation.

Figure 8.3: The State Transition Diagram of the Chocolate Machine (states
RESET, COIN, CHANGE, CHOC; inputs InsertCoin, PushChange, PushChoc; outputs
CoinLight, ChangeLight, ChocLight, GiveChange, GiveChoc)
8.2.2 The Specification

The MDG specification description is given by a tabular representation of the tran-
sition/output relation TABLE. We formally specify the chocolate machine as a finite
state machine with 4 states (RESET, COIN, CHANGE, CHOC) (see Figure 8.3).
The RESET state is the initial state. Each of the other states represents the cor-
responding action having been done: in the COIN state a coin has been accepted;
in the CHOC state the chocolate is dispensed and in the CHANGE state the change is
dispensed.

We first define a table which specifies the relations among the current state,
inputs and next state. If the machine is in the RESET state with the insert coin light
lit, the next state is COIN. If the machine is in the COIN state without the insert light
lit, the next state is RESET. If the machine is in the COIN state with the push change
light lit, the next state is CHANGE. If the machine is in the COIN state without the
push change light lit, the next state is COIN. If the machine is in the CHANGE state
with the push chocolate light lit, the next state is CHOC. Otherwise the next state is
RESET. The "*" is used to represent don't care.

    component(choc_machine,
        table([[ChocSt, InsertCoin, PushChange, PushChoc, n_ChocSt],
               [RESET, 1, *, *, COIN], [RESET, 0, *, *, RESET],
               [COIN, *, 1, *, CHANGE], [COIN, *, 0, *, COIN],
               [CHANGE, *, *, 1, CHOC], [CHANGE, *, *, 0, CHANGE],
               [CHOC, *, *, *, RESET]])).
For each state we define a table to represent the relation between the states and
the outputs. If the machine is in the RESET state then the coin light should be on,
otherwise the coin light should be off.

    component(coin_light, table([[ChocSt, CoinLight], [RESET, 1] | 0])).

If the machine is in the COIN state then the change light should be on, otherwise
the change light should be off.

    component(change_light, table([[ChocSt, ChangeLight], [COIN, 1] | 0])).

If the machine is in the CHANGE state, the chocolate light should be on and the
change should be given. Otherwise, the chocolate light should be off and the change
should not be given.

    component(give_change, table([[ChocSt, GiveChange], [CHANGE, 1] | 0])).
    component(choc_light, table([[ChocSt, ChocLight], [CHANGE, 1] | 0])).

If the machine is in the CHOC state then the chocolate should be given, otherwise
the chocolate should not be given.

    component(give_choc, table([[ChocSt, GiveChoc], [CHOC, 1] | 0])).
8.2.3 Three Other Specification Files

We have provided the specification file and the implementation file of the chocolate
machine. We also need to provide the algebraic specification file, the symbol order
file and the invariant specification file. The algebraic specification file declares sorts,
function types and generic constants. The algebraic specification file of the chocolate
machine specifies the new concrete sort ChocStates which has four different states.

    conc_sort(ChocStates, [RESET, COIN, CHOC, CHANGE]).

The symbol order file provides the custom (user-defined) symbol order for all the
variables and cross-operators which would be used in the MDG algorithms. The
invariant specification file specifies the invariant condition to be checked during
reachability analysis. The full MDG-HDL programs are given in Appendix C.

We input these five files into the MDG system. The MDG verification tool begins
to check whether the outputs of the specification file are identical to those of the
implementation file or not and returns true or false respectively. In our verification,
the MDG system returns true. In other words, the correctness of the chocolate
machine has been successfully proved by using the MDG system.
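The sequential verification just described compares the gate-level implementation of section 8.2.1 with the TABLE specification of section 8.2.2 and reports whether their outputs agree in every reachable state. As an added example (not code from the thesis or from the MDG tool), the following Python model re-creates that check as an explicit-state reachability analysis over the product of the two machines. The register encoding of the four states follows the table in section 8.2.1; the output order (CoinLight, ChocLight, ChangeLight, GiveChoc, GiveChange), the initial register contents (0, 0) for RESET, and the function names are assumptions of this example.

```python
"""Equivalence check of the chocolate machine: gate-level implementation
(section 8.2.1) against the TABLE specification (section 8.2.2).

Added example, not code from the thesis or the MDG system.  It performs the
same kind of check as MDG's sequential verification, written as an
explicit-state reachability analysis over the product of the two machines.
"""
from collections import deque
from itertools import product

# Output order used throughout (an assumption of this example):
# (CoinLight, ChocLight, ChangeLight, GiveChoc, GiveChange)


def impl_step(state, ins):
    """One clock cycle of the circuit of Figure 8.2.

    state = (x, y): contents of registers reg_x and reg_y;
    ins   = (InsertCoin, PushChange, PushChoc) as 0/1 values.
    Returns (outputs, next_state)."""
    x, y = state
    insert_coin, push_change, push_choc = ins
    xbar, ybar = 1 - x, 1 - y
    # output side: decode the four abstract states from the register bits
    change = x & y
    choc = x & ybar
    coin = xbar & y
    reset = xbar & ybar
    # input side: next-state logic on the internal wires l1..l5
    l1 = coin & push_change
    xin = change | l1
    l2 = reset & insert_coin
    l4 = coin | l2
    l3 = 1 - push_choc
    l5 = change & l3
    yin = l4 | l5
    # the FORK components wire the decoded signals to the outputs
    outputs = (reset, change, coin, choc, change)
    return outputs, (xin, yin)


def spec_step(state, ins):
    """One step of the finite state machine of section 8.2.2: the TABLEs
    choc_machine, coin_light, change_light, give_change, choc_light and
    give_choc written out as conditionals."""
    insert_coin, push_change, push_choc = ins
    if state == "RESET":
        nxt = "COIN" if insert_coin else "RESET"
    elif state == "COIN":
        nxt = "CHANGE" if push_change else "COIN"
    elif state == "CHANGE":
        nxt = "CHOC" if push_choc else "CHANGE"
    else:  # CHOC: the chocolate has been dispensed, back to RESET
        nxt = "RESET"
    outputs = (int(state == "RESET"), int(state == "CHANGE"),
               int(state == "COIN"), int(state == "CHOC"),
               int(state == "CHANGE"))
    return outputs, nxt


def check_equivalence(impl=impl_step, spec=spec_step,
                      impl_init=(0, 0), spec_init="RESET"):
    """Breadth-first search over the product machine from the reset states.
    Returns (True, reachable_product_states) when every reachable product
    state yields identical outputs for every input vector, and
    (False, counterexample) at the first disagreement."""
    input_vectors = list(product((0, 1), repeat=3))
    start = (impl_init, spec_init)
    seen = {start}
    queue = deque([start])
    while queue:
        istate, sstate = queue.popleft()
        for ins in input_vectors:
            iout, inext = impl(istate, ins)
            sout, snext = spec(sstate, ins)
            if iout != sout:
                return False, {"impl": istate, "spec": sstate, "inputs": ins,
                               "impl_out": iout, "spec_out": sout}
            nxt = (inext, snext)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return True, sorted(seen)


if __name__ == "__main__":
    ok, detail = check_equivalence()
    print("equivalent" if ok else "MISMATCH", detail)
```

Because `check_equivalence` takes the two step functions as parameters, a miswired implementation (for instance ChocLight driven by the choc signal instead of change) is reported with the product state and input vector at which the outputs first differ, which is the kind of counterexample a failed MDG run would correspond to.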
8.3 The Importation Process of the Verification Results

In the last section, the chocolate machine was verified by using the MDG system.
In this section, we will show how to import the MDG result into HOL to form the
HOL theorems. As we described in Chapter 6, the MDG verification result can be
formalized and tagged into HOL in terms of the semantics of the core MDG-HDL. In
order to do so, we need to define the syntax and semantics of the specification and
implementation of the chocolate machine in HOL. We make use of the importing
theorem for sequential verification (6.18) and prove the existential theorem for the
implementation of the chocolate machine. The correctness theorem in the traditional
HOL form can then be obtained. This theorem states that the implementation implies
the specification.
8.3.1 The Syntax and the Semantics of the Chocolate Machine

The abstract syntax of MDG-HDL for the specification and implementation of the
chocolate machine can be given as we mentioned in Chapter 4 in terms of the MDG
input files: the algebraic specification file, the specification file and the implemen-
tation file. As we mentioned before, the algebraic specification file declares sorts,
function types and generic constants used in the hardware description. When we
define the abstract syntax for the specification and implementation files, this part
of the information should be provided in the declaration of the specification and
implementation files respectively. However, since we only consider declaring a
sequence of concrete sorts at present, there is no need to declare it in the declaration.
We can use any string to represent one concrete sort as we discussed for the extended
subset.

The abstract syntax of the MDG-HDL program consists of an external output
string list, an external input string list, an internal string list and a component term.
In both the specification and implementation files of the chocolate machine, we
use a three element list ["InsertCoin"; "PushChange"; "PushChoc"] to represent
the abstract syntax of the external inputs and a five element list ["CoinLight";
"ChocLight"; "ChangeLight"; "GiveChoc"; "GiveChange"] to represent the exter-
nal outputs. The internal wires list and the component term of both files are different
as described below.
In the specification file, a one element list ChocSt is used to represent the internal
variable, whose value could be one of the four states. Its component term consists of
six TABLESYN constructors that are composed by the constructor JOIN. The full syntax
of the specification file of the chocolate machine is given in Figure 8.4. For conve-
nience, in the rest of this section we will use Choc_Spe_Syn to informally represent
the abstract syntax of the specification.

In the implementation file, there are 15 internal variables. They are repre-
sented by a string list ["l1"; "l2"; "l3"; "l4"; "l5"; "xin"; "yin"; "x"; "y";
"xbar"; "ybar"; "choc"; "change"; "coin"; "reset"]. The component term con-
sists of some basic logic gates (AND, NOT, OR gates), FORK and REGISTER which are
composed by the constructor JOIN. The full syntax of the implementation file of the
chocolate machine is given in Figure 8.5. In the rest of this section we will use
Choc_Imp_Syn to informally represent the syntax of the implementation.

As we mentioned in Chapters 3 and 4, the semantics of any circuit is described
by SemProgram, which explicitly represents the relation between the external inputs
and the external outputs. In the semantic function, we use a list ip to represent
external inputs and a list op to represent external outputs. In this case, all the
formalizations can be represented explicitly with the external inputs ip and outputs
op. The semantics of the specification and implementation files are given below:

    ⊢def ∀ ip op. CHOC_MACHINE_SPEC ip op = SemProgram Choc_Spe_Syn ip op
    ⊢def ∀ ip op. CHOC_MACHINE_IMPL ip op = SemProgram Choc_Imp_Syn ip op

By expanding the semantics of the program in HOL, we obtain the specification
and implementation of the chocolate machine which represent the relation between
the external inputs and external outputs.
As we mentioned in Chapter 4, when we define the semantics of the program
for the extended subset, we have to add assumptions so as to avoid the sort of each
variable being mismatched and an inconsistent model being produced. The assumptions
are to make sure each of the external inputs and outputs has a proper sort (either
(BOOL bool) terms or (CONCRETE string) terms). For example, the semantics of the
specification of the chocolate machine (Figure 8.6) states that if the external inputs
and outputs are boolean values then the semantics of the program will be six TABLEs
connected together. In Figure 8.6, one of the inputs of the first TABLE is ChocSt. The
value ChocSt can only be one of the four states, but the value of the external inputs
can only be a boolean value. The new type Mdg_Basic is defined to deal with this
situation. Similarly, the implementation of the chocolate machine can be obtained.

    (PROG
      (EXOUT ["CoinLight"; "ChocLight"; "ChangeLight"; "GiveChoc"; "GiveChange"])
      (EXIN ["InsertCoin"; "PushChange"; "PushChoc"])
      (INV ["ChocSt"])
      (JOIN (TABLESYN ["ChocSt"; "InsertCoin"; "PushChange"; "PushChoc"]
              (NEXTV ("ChocSt"))
              [[TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL T); DONT_CARE; DONT_CARE];
               [TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL F); DONT_CARE; DONT_CARE];
               [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL T); DONT_CARE];
               [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL F); DONT_CARE];
               [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE; TABLE_VAL (BOOL T)];
               [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE; TABLE_VAL (BOOL F)];
               [TABLE_VAL (CONCRETE "CHOC"); DONT_CARE; DONT_CARE; DONT_CARE]]
              [(CONCRETE "COIN"); (CONCRETE "RESET"); (CONCRETE "CHANGE");
               (CONCRETE "COIN"); (CONCRETE "CHOC"); (CONCRETE "CHANGE");
               (CONCRETE "RESET")]
              (DENORMAL (CONCRETE "RESET")))
        (JOIN (TABLESYN ["ChocSt"] (NOWV ("CoinLight"))
                [[TABLE_VAL (CONCRETE "RESET")]] [BOOL T] (DENORMAL (BOOL F)))
          (JOIN (TABLESYN ["ChocSt"] (NOWV ("ChangeLight"))
                  [[TABLE_VAL (CONCRETE "COIN")]] [BOOL T] (DENORMAL (BOOL F)))
            (JOIN (TABLESYN ["ChocSt"] (NOWV ("GiveChange"))
                    [[TABLE_VAL (CONCRETE "CHANGE")]] [BOOL T] (DENORMAL (BOOL F)))
              (JOIN (TABLESYN ["ChocSt"] (NOWV ("ChocLight"))
                      [[TABLE_VAL (CONCRETE "CHANGE")]] [BOOL T] (DENORMAL (BOOL F)))
                (TABLESYN ["ChocSt"] (NOWV ("GiveChoc"))
                  [[TABLE_VAL (CONCRETE "CHOC")]] [BOOL T] (DENORMAL (BOOL F)))))))))

Figure 8.4: The Abstract Syntax of the Specification File

    (PROG (EXOUT ["CoinLight"; "ChocLight"; "ChangeLight"; "GiveChoc"; "GiveChange"])
      (EXIN ["InsertCoin"; "PushChange"; "PushChoc"])
      (INV ["l1"; "l2"; "l3"; "l4"; "l5"; "xin"; "yin"; "x"; "y";
            "xbar"; "ybar"; "choc"; "change"; "coin"; "reset"])
      (JOIN (AND "coin" "PushChange" "l1")
      (JOIN (OR "change" "l1" "xin")
      (JOIN (AND "reset" "InsertCoin" "l2")
      (JOIN (OR "coin" "l2" "l4")
      (JOIN (NOT "PushChoc" "l3")
      (JOIN (AND "change" "l3" "l5")
      (JOIN (OR "l4" "l5" "yin")
      (JOIN (REG "xin" "x")
      (JOIN (REG "yin" "y")
      (JOIN (NOT "x" "xbar")
      (JOIN (NOT "y" "ybar")
      (JOIN (AND "x" "y" "change")
      (JOIN (AND "x" "ybar" "choc")
      (JOIN (AND "xbar" "y" "coin")
      (JOIN (AND "xbar" "ybar" "reset")
      (JOIN (FORK "choc" "GiveChoc")
      (JOIN (FORK "change" "ChocLight")
      (JOIN (FORK "change" "GiveChange")
      (JOIN (FORK "coin" "ChangeLight")
            (FORK "reset" "CoinLight")))))))))))))))))))))

Figure 8.5: The Abstract Syntax of the Implementation File
8.3.2 Importing the MDG Results into HOL

As we stated in Chapter 6, the importing theorem for the chocolate machine can be
obtained by instantiating theorem (6.18) with the syntax of its implementation and
specification (Choc_Spe_Syn and Choc_Imp_Syn).

    val Import_Choc_Thm =
        (SPECL [--`Choc_Spe_Syn`--, --`Choc_Imp_Syn`--] Import_Mdghdl_Thm);

We obtain the theorem Import_Choc_Thm:

    ⊢thm (∀ ip flag op op'.
            PSEQ ip flag op op'
              (SemProgram_Core (TransProgMC Choc_Imp_Syn))
              (SemProgram_Core (TransProgMC Choc_Spe_Syn))
            ⊃ (∀ t. (flag t = T))) ∧
          (∀ ip. ∃ op'. SemProgram Choc_Spe_Syn ip op') ⊃
          (∀ ip op. SemProgram Choc_Imp_Syn ip op ⊃
                    SemProgram Choc_Spe_Syn ip op)                          (8.1)
    (∀ t. IS_BOOL (HD ip t) ∧ IS_BOOL (HD (TL ip) t) ∧
          IS_BOOL (HD (TL (TL ip)) t) ∧ IS_BOOL (HD op t) ∧
          IS_BOOL (HD (TL op) t) ∧ IS_BOOL (HD (TL (TL op)) t) ∧
          IS_BOOL (HD (TL (TL (TL op))) t) ∧
          IS_BOOL (HD (TL (TL (TL (TL op)))) t)) ⊃
    (∃ ChocSt.
      (TABLE [ChocSt; (HD ip); (HD (TL ip)); (HD (TL (TL ip)))] (ChocSt o NEXT)
        [[TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL T); DONT_CARE; DONT_CARE];
         [TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL F); DONT_CARE; DONT_CARE];
         [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL T); DONT_CARE];
         [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL F); DONT_CARE];
         [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE; TABLE_VAL (BOOL T)];
         [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE; TABLE_VAL (BOOL F)];
         [TABLE_VAL (CONCRETE "CHOC"); DONT_CARE; DONT_CARE; DONT_CARE]]
        [(λt. CONCRETE "COIN"); (λt. CONCRETE "RESET");
         (λt. CONCRETE "CHANGE"); (λt. CONCRETE "COIN");
         (λt. CONCRETE "CHOC"); (λt. CONCRETE "CHANGE");
         (λt. CONCRETE "RESET")] (λt. (CONCRETE "RESET")) t) ∧
      (TABLE [ChocSt] (HD op) [[TABLE_VAL (CONCRETE "RESET")]] [TSIG1] (FSIG1)) ∧
      (TABLE [ChocSt] (HD (TL (TL op))) [[TABLE_VAL (CONCRETE "COIN")]]
        [TSIG1] (FSIG1)) ∧
      (TABLE [ChocSt] (HD (TL (TL (TL (TL op))))) [[TABLE_VAL (CONCRETE "CHANGE")]]
        [TSIG1] (FSIG1)) ∧
      (TABLE [ChocSt] (HD (TL op)) [[TABLE_VAL (CONCRETE "CHANGE")]]
        [TSIG1] (FSIG1)) ∧
      (TABLE [ChocSt] (HD (TL (TL (TL op)))) [[TABLE_VAL (CONCRETE "CHOC")]]
        [(TSIG1)] (FSIG1)))

Figure 8.6: The Semantics of the Specification File
Since the MDG tool has verified the correctness of the chocolate machine, the
theorem about the formalization of the MDG verification result can be tagged into
HOL in terms of the semantics of core MDG-HDL.

    ⊢thm (∀ ip flag op op'.
            PSEQ ip flag op op'
              (SemProgram_Core (TransProgMC Choc_Imp_Syn))
              (SemProgram_Core (TransProgMC Choc_Spe_Syn))
            ⊃ (∀ t. (flag t = T)))                                          (8.2)

We then prove the additional assumption by using the method we proposed in
Chapter 7. This theorem states that for all possible input traces, the behavior
specification (SemProgram Choc_Spe_Syn ip op') can be satisfied for some output
and state traces (i.e., there exists at least one output and state trace for which the
relation is true):

    ∀ ip. ∃ op'. (SemProgram Choc_Spe_Syn ip op')                           (8.3)

After expanding the semantics by using EXPAND_SEMANTICS_TAC [], we obtain a sub-
goal as shown in Figure 8.7. It is existentially quantified by two variables x1, op.
Variable x1 is an internal wire variable with type (num -> Mdg_Basic), but variable
op is an external output with type ((num -> Mdg_Basic) list).

Firstly, we need to find the existential term for the internal variable x1. The vari-
able x1 is a state variable; it is an output of a TABLE and the input of the other TABLEs.
As we mentioned in section 7.2, the output value of the TABLE not only depends on
the inputs but also on its own value at an earlier time instance. In this situation,
the existential term for the variable x1 can be obtained as we introduced in Chap-
ter 7. We use REWRITE_CONV to expand the semantics of existtable, Table_match,
HD, TL and TableVal_to_Val so as to obtain a well-defined function and use Define
to define the function existtable_next. Therefore, the existential term for the
TABLE is determined by the function existtable_next, i.e. existtable_next ip.
    ∃ x1 op. (∀ t.
       (IS_BOOL (HD ip t) ∧ IS_BOOL (HD ip t) ∧ IS_BOOL (HD (TL ip) t) ∧
        IS_BOOL (HD (TL ip) t) ∧ IS_BOOL (HD (TL (TL ip)) t)) ∧
        IS_BOOL (HD op t) ∧ IS_BOOL (HD (TL (TL op)) t) ∧
        IS_BOOL (HD (TL (TL (TL (TL op)))) t) ∧ IS_BOOL (HD (TL op) t) ∧
        IS_BOOL (HD (TL (TL (TL op))) t)) ⊃
      TABLE [x1; HD ip; HD (TL ip); HD (TL (TL ip))] (x1 o NEXT)
        [[TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL T); DONT_CARE;
          DONT_CARE];
         [TABLE_VAL (CONCRETE "RESET"); TABLE_VAL (BOOL F); DONT_CARE;
          DONT_CARE];
         [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL T);
          DONT_CARE];
         [TABLE_VAL (CONCRETE "COIN"); DONT_CARE; TABLE_VAL (BOOL F);
          DONT_CARE];
         [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE;
          TABLE_VAL (BOOL T)];
         [TABLE_VAL (CONCRETE "CHANGE"); DONT_CARE; DONT_CARE;
          TABLE_VAL (BOOL F)];
         [TABLE_VAL (CONCRETE "CHOC"); DONT_CARE; DONT_CARE; DONT_CARE]]
        [(λt. CONCRETE "COIN"); (λt. CONCRETE "RESET");
         (λt. CONCRETE "CHANGE"); (λt. CONCRETE "COIN");
         (λt. CONCRETE "CHOC"); (λt. CONCRETE "CHANGE");
         (λt. CONCRETE "RESET")] (λt. CONCRETE "RESET") ∧
      TABLE [x1] (HD op) [[TABLE_VAL (CONCRETE "RESET")]] [(λt. BOOL T)]
        (λt. BOOL F) ∧
      TABLE [x1] (HD (TL (TL op))) [[TABLE_VAL (CONCRETE "COIN")]]
        [(λt. BOOL T)] (λt. BOOL F) ∧
      TABLE [x1] (HD (TL (TL (TL (TL op))))) [[TABLE_VAL (CONCRETE "CHANGE")]]
        [(λt. BOOL T)] (λt. BOOL F) ∧
      TABLE [x1] (HD (TL op)) [[TABLE_VAL (CONCRETE "CHANGE")]] [(λt. BOOL T)]
        (λt. BOOL F) ∧
      TABLE [x1] (HD (TL (TL (TL op)))) [[TABLE_VAL (CONCRETE "CHOC")]]
        [(λt. BOOL T)] (λt. BOOL F)

Figure 8.7: The Existential Theorem of the Specification of the Chocolate Machine
Secondly, we need to find the existential term for the output op. The connected
five TABLEs are quantified by the external output op. Each output of a TABLE decides
one element of the output list. Because all the outputs of the TABLEs are signals,
the existential term for the TABLEs is determined by the function existtable. For
example, the first element of the existential term is defined in terms of the TABLE
whose output is (HD op) and is defined by the function existtable, which is given
below:

    (existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "RESET")]]
       [(λt. BOOL T)] (λt. BOOL F))

Other elements in the existential term list can be obtained in a very similar
way. They are also defined in terms of the corresponding TABLE and the function
existtable. Therefore, the existential term for the output op can be given as below:

    [existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "RESET")]]
       [(λt. BOOL T)] (λt. BOOL F);
     existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "CHANGE")]]
       [(λt. BOOL T)] (λt. BOOL F);
     existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "COIN")]]
       [(λt. BOOL T)] (λt. BOOL F);
     existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "CHOC")]]
       [(λt. BOOL T)] (λt. BOOL F);
     existtable [(existtable_next ip)] [[TABLE_VAL (CONCRETE "CHANGE")]]
       [(λt. BOOL T)] (λt. BOOL F)]

After stripping away the leading existentially quantified variables x1, op using
the above terms, the existential theorem for the specification of the chocolate ma-
chine (8.3) has been proved using the tactic PROVE_EXIST_TABLE_TAC.
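To make the witness construction concrete, here is an added Python model (not the thesis's HOL code) of the TABLE relation of the core MDG-HDL and of the two existential terms above. A row matches when every entry is either DONT_CARE or equal to the corresponding input; the first matching row supplies the value and the DENORMAL default applies when no row matches. `existtable_next` builds the state trace x1 for an input trace ip by feeding the transition TABLE its own value at the previous time instance, and `existtable` builds each output trace from that state trace; `spec_holds` then checks the six TABLE relations of Figure 8.7 at every time, and `all_traces_witnessed` checks theorem (8.3) by enumeration for short traces. The encodings (None for DONT_CARE, Python booleans for BOOL T and BOOL F, strings for CONCRETE values, RESET as the value at time 0, which the TABLE leaves unconstrained) and the helper names are assumptions of this example.

```python
"""TABLE semantics and existential witnesses for the chocolate machine
specification (section 8.3.2).

Added example, not the thesis's HOL code.  Encoding assumptions: DONT_CARE is
None, BOOL T/F are Python booleans, CONCRETE values are strings, and the
unconstrained state at time 0 is taken to be "RESET".
"""
from itertools import product

DONT_CARE = None

# Transition TABLE: inputs [ChocSt; InsertCoin; PushChange; PushChoc],
# output ChocSt o NEXT, default DENORMAL (CONCRETE "RESET").
NEXT_ROWS = [
    ["RESET", True, DONT_CARE, DONT_CARE],
    ["RESET", False, DONT_CARE, DONT_CARE],
    ["COIN", DONT_CARE, True, DONT_CARE],
    ["COIN", DONT_CARE, False, DONT_CARE],
    ["CHANGE", DONT_CARE, DONT_CARE, True],
    ["CHANGE", DONT_CARE, DONT_CARE, False],
    ["CHOC", DONT_CARE, DONT_CARE, DONT_CARE],
]
NEXT_RESULTS = ["COIN", "RESET", "CHANGE", "COIN", "CHOC", "CHANGE", "RESET"]
NEXT_DEFAULT = "RESET"

# Output TABLEs [[TABLE_VAL (CONCRETE s)]] [BOOL T] (DENORMAL (BOOL F)),
# listed in the order of the external output list.
OUTPUT_TABLES = [("CoinLight", "RESET"), ("ChocLight", "CHANGE"),
                 ("ChangeLight", "COIN"), ("GiveChoc", "CHOC"),
                 ("GiveChange", "CHANGE")]


def table_match(row, values):
    """Table_match: every entry is DONT_CARE or equals the input value."""
    return all(e is DONT_CARE or e == v for e, v in zip(row, values))


def table_value(rows, results, default, values):
    """Value of a TABLE for one input vector: the result of the first
    matching row, otherwise the default."""
    for row, result in zip(rows, results):
        if table_match(row, values):
            return result
    return default


def existtable_next(ip, init="RESET"):
    """Witness for the state variable x1.  The TABLE constrains x1(t+1) from
    x1(t) and ip(t), so the trace is built by iterating from time 0."""
    states = [init]
    for t in range(len(ip) - 1):
        states.append(table_value(NEXT_ROWS, NEXT_RESULTS, NEXT_DEFAULT,
                                  [states[t], *ip[t]]))
    return states


def existtable(state_trace, match_state):
    """Witness for one output: a combinational TABLE over the state trace."""
    return [table_value([[match_state]], [True], False, [s]) for s in state_trace]


def witness(ip):
    """The existential terms for x1 and op for one input trace ip."""
    x1 = existtable_next(ip)
    op = [existtable(x1, s) for _, s in OUTPUT_TABLES]
    return x1, op


def spec_holds(ip, x1, op):
    """The body of the goal in Figure 8.7: all six TABLE relations at every t."""
    n = len(ip)
    for t in range(n):
        if t + 1 < n and x1[t + 1] != table_value(
                NEXT_ROWS, NEXT_RESULTS, NEXT_DEFAULT, [x1[t], *ip[t]]):
            return False
        for k, (_, s) in enumerate(OUTPUT_TABLES):
            if op[k][t] != table_value([[s]], [True], False, [x1[t]]):
                return False
    return True


def all_traces_witnessed(length):
    """Theorem (8.3) checked by enumeration for input traces of the given
    length: the constructed witness satisfies the specification for every ip."""
    vectors = list(product((False, True), repeat=3))
    return all(spec_holds(ip, *witness(ip))
               for ip in product(vectors, repeat=length))


# Constructed sample trace: insert a coin, push change, push chocolate,
# do nothing, insert the next coin.
SAMPLE_IP = [(True, False, False), (False, True, False),
             (False, False, True), (False, False, False), (True, False, False)]

if __name__ == "__main__":
    x1, op = witness(SAMPLE_IP)
    print("x1 =", x1)
    for (name, _), trace in zip(OUTPUT_TABLES, op):
        print(name, trace)
    print(spec_holds(SAMPLE_IP, x1, op), all_traces_witnessed(4))
```

The enumeration in `all_traces_witnessed` is what the HOL proof replaces: the tactic discharges the goal for all input traces at once, whereas the model can only confirm it for traces of a bounded length.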
Finally, the conversion theorem can be obtained by discharging the formalization
theorem (8.2) and the existential theorem (8.3) from the importing theorem (8.1).
This theorem states that the implementation implies the specification.

    ⊢thm ∀ ip op. SemProgram Choc_Imp_Syn ip op ⊃
                  SemProgram Choc_Spe_Syn ip op                             (8.4)
We have translated the MDG verification result into HOL to form a traditional
HOL theorem. The translation process is based on the importing theorem. In other
words, the linkage between the MDG system and the HOL system is the importing
theorem.
8.4 Verification of the Usability Theorems

In the previous section, we imported the MDG verification result into HOL and
formed the HOL theorem. How can we ensure this theorem is usable in HOL?
In this section, we will use this theorem with other HOL theorems to prove the
implementation based usability theorem to demonstrate the use of the importing
theorem.

As we mentioned at the beginning of this chapter, this example was originally
used by Curzon & Blandford [24] to prove the absence of post-completion errors
within the framework of a traditional hardware verification. In their work, they
define a formal general user model which describes the behavior of a rational user.
It specifies concrete types for the machine and user state, a list of pairs of lights and
the actions associated with them, history functions that represent the possessions
of the user, functions that extract the part of the user state that indicates when the
user has finished and has achieved their main goal and an invariant that indicates
the part of the state that the user intends to be preserved after the interaction. More
details can be found in [25] [24]. The general user model for a chocolate machine
is defined as CHOC_MACHINE_USER ustate op ip which specifies the relation between
the arguments discussed above.
    ⊢def CHOC_MACHINE_USER ustate op ip =
         USER
           [(CoinLight, InsertCoin); (ChocLight, PushChoc);
            (ChangeLight, PushChange)]
           (CHOC_POSSESSIONS UserHasChoc GiveChoc CountChoc UserHasChange
                             GiveChange CountChange UserHasCoin InsertCoin CountCoin)
           UserFinished
           UserHasChoc
           (VALUE_INVARIANT (CHOC_POSSESSIONS UserHasChoc GiveChoc CountChoc
                                              UserHasChange GiveChange CountChange
                                              UserHasCoin InsertCoin CountCoin))
           ustate op ip
The usability of a chocolate machine is defined as CHOC_MACHINE_USABLE ustate op ip in terms of a user-centric property. It states that if at any time, t, a user approaches the machine when its coin light is on, then they will at some time, t1, have both chocolate and change.
⊢def CHOC_MACHINE_USABLE ustate op ip =
     ∀t. ~(UserHasChoc ustate t) ∧
         ~(UserHasChange ustate t) ∧
         (UserHasCoin ustate t) ∧
         (VALUE_INVARIANT (CHOC_POSSESSIONS UserHasChoc GiveChoc
            CountChoc UserHasChange GiveChange CountChange
            UserHasCoin InsertCoin CountCoin) ustate t) ∧
         ((CoinLight op t) = BOOL T) ⊃
         ∃t1. (UserHasChoc ustate t1) ∧
              (UserHasChange ustate t1)
The specification based usability theorem states that if a user acts reactively and the machine behaves according to its specification, then the usability property will hold. This theorem has in fact been proved in [25]. However, we cannot make use of that usability theorem directly, because the specification of the chocolate machine is different and a new type has to be defined to accommodate the different sorts. In MDG, the specifications must be in the form of a finite state machine or table description. The advantage of this, however, is its speed. In HOL, the formalization is more flexible and natural: it need not deal with such extra detail, although this may slow hardware verification.
Using our method, we have to prove a slightly different usability theorem in HOL. In the syntax of the MDG-HDL program, we use a new type Mdg_Basic, defined in Chapter 4, to represent both concrete type values and boolean values, because the inputs of a TABLE could be either concrete type variables or boolean value variables. Since all the inputs and outputs of the chocolate machine are boolean values, we add additional conditions to the usability theorem to specify this fact. Hence, the usability theorem asserts the usability of an abstract specification of a chocolate machine, as proved below.
⊢thm ∀ustate op ip.
     (∀t. IS_BOOL ((HD op) t) ∧
          IS_BOOL ((HD (TL op)) t) ∧
          IS_BOOL ((HD (TL (TL op))) t) ∧
          IS_BOOL ((HD (TL (TL (TL op)))) t) ∧
          IS_BOOL ((HD (TL (TL (TL (TL op))))) t) ∧
          IS_BOOL ((HD ip) t) ∧ IS_BOOL ((HD (TL ip)) t) ∧
          IS_BOOL ((HD (TL (TL ip))) t)) ∧
     CHOC_MACHINE_USER ustate op ip ∧
     CHOC_MACHINE_SPEC ip op ⊃
     CHOC_MACHINE_USABLE ustate op ip                                    (8.5)
Therefore, the main differences are that we need to add assumptions, so as to avoid the sort of each external variable being mismatched, and to ensure the specifications are in the form of a finite state machine. In practice, we can formalize the design according to this requirement at the very beginning. Although the formalization of a design in this form is a little harder than formalizing it directly in HOL, the MDG proof is quicker than the HOL proof. In other words, we pay this price for the speed.
In the last section, we proved the correctness of the chocolate machine by using the MDG system and formally imported it into HOL to form a HOL theorem. This theorem states that the implementation meets its specification (8.4). We also proved the specification based usability theorem (8.5) in HOL. The implementation based usability theorem can be proved in terms of the above two theorems (8.4) and (8.5). This theorem (8.6) states that if the inputs and outputs are boolean values, a user acts rationally according to the user model and the machine behaves according to its implementation, then the usability property will hold.
⊢thm ∀ustate op ip.
     (∀t. IS_BOOL ((HD op) t) ∧
          IS_BOOL ((HD (TL op)) t) ∧
          IS_BOOL ((HD (TL (TL op))) t) ∧
          IS_BOOL ((HD (TL (TL (TL op)))) t) ∧
          IS_BOOL ((HD (TL (TL (TL (TL op))))) t) ∧
          IS_BOOL ((HD ip) t) ∧
          IS_BOOL ((HD (TL ip)) t) ∧
          IS_BOOL ((HD (TL (TL ip))) t)) ∧
     CHOC_MACHINE_USER ustate op ip ∧
     CHOC_MACHINE_IMPL ip op ⊃
     CHOC_MACHINE_USABLE ustate op ip                                    (8.6)
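To make the shape of theorems (8.5) and (8.6) concrete, the following is an added example; it is not part of the thesis nor of the HOL proof it describes. It builds a constructed finite-state model of a chocolate machine together with a reactive user who follows the lights and may stop once the main goal (chocolate) is achieved, then enumerates every reachable global state, as a state enumeration tool would, and checks the usability property read over runs: every run ends with the user holding both chocolate and change. The two machine designs, the light/action pairs and the user's rules are assumptions made for the illustration; the second design, which dispenses the chocolate before the change, exhibits the post-completion error that the property is meant to exclude.

```python
"""Usability of a chocolate machine checked by state enumeration.

Constructed example: the machine designs, the light/action pairs and the
user's rules are assumptions for illustration, not the MDG-HDL description
or the HOL user model of the thesis.
"""

# Which light the machine shows in each of its states, and the action the
# user model associates with each light (the list of pairs in the user model).
LIGHT_OF_STATE = {
    "wait_coin": "CoinLight",
    "offer_change": "ChangeLight",
    "offer_choc": "ChocLight",
}
ACTION_OF_LIGHT = {
    "CoinLight": "InsertCoin",
    "ChangeLight": "PushChange",
    "ChocLight": "PushChoc",
}

# Machine transition tables: (state, action) -> (next state, item dispensed).
CHANGE_FIRST = {
    ("wait_coin", "InsertCoin"): ("offer_change", None),
    ("offer_change", "PushChange"): ("offer_choc", "change"),
    ("offer_choc", "PushChoc"): ("wait_coin", "choc"),
}
CHOC_FIRST = {
    ("wait_coin", "InsertCoin"): ("offer_choc", None),
    ("offer_choc", "PushChoc"): ("offer_change", "choc"),
    ("offer_change", "PushChange"): ("wait_coin", "change"),
}

# Global state: (machine state, UserHasCoin, UserHasChoc, UserHasChange,
# UserFinished).  The initial state is the antecedent of the usability
# property: a user with a coin and nothing else, and the coin light on.
INITIAL = ("wait_coin", True, False, False, False)


def user_moves(state):
    """Moves open to a reactive user.  Once the main goal (chocolate) is
    achieved the user may decide they are finished; otherwise, or instead,
    they may perform the action belonging to the light that is on."""
    machine, coin, choc, change, finished = state
    if finished:
        return []
    moves = ["Finish"] if choc else []
    action = ACTION_OF_LIGHT[LIGHT_OF_STATE[machine]]
    if action != "InsertCoin" or coin:   # cannot insert a coin one lacks
        moves.append(action)
    return moves


def step(table, state, move):
    """Joint next state of machine and user for one user move."""
    machine, coin, choc, change, finished = state
    if move == "Finish":
        return (machine, coin, choc, change, True)
    nxt, item = table[(machine, move)]
    if move == "InsertCoin":
        coin = False
    choc = choc or item == "choc"
    change = change or item == "change"
    return (nxt, coin, choc, change, finished)


def check_usability(table):
    """Exhaustively enumerate the reachable states (a reachability analysis
    over an explicit state set) and decide the usability property: every
    state in which the user has no move left must have both chocolate and
    change.  Returns (True, None) or (False, offending_state)."""
    seen, frontier = set(), [INITIAL]
    while frontier:
        s = frontier.pop()
        if s in seen:
            continue
        seen.add(s)
        moves = user_moves(s)
        if not moves and not (s[2] and s[3]):
            return False, s
        frontier.extend(step(table, s, m) for m in moves)
    return True, None


if __name__ == "__main__":
    print("change first:", check_usability(CHANGE_FIRST))
    print("choc first:  ", check_usability(CHOC_FIRST))
```

For the change-first design every run ends with both items, so the property holds; for the chocolate-first design the enumeration finds a run in which the user, having achieved the main goal, finishes without collecting the change, which is exactly the situation the VALUE_INVARIANT and UserHasChange conjuncts of the HOL property are there to rule out.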
From this example, we have shown that a system can be verified in two parts. One part of the proof can be done in MDG, the other part in HOL. The division allows MDG to be used when it would be easier than obtaining the result directly in HOL. We have provided a formal linkage between the MDG system and the HOL system, which allows the MDG verification results to be formally imported into HOL to form HOL theorems. We do not simply assume that the results proved by MDG are directly equivalent to the result that would have been proved in HOL. The linkage is based on the importing theorems, which are given a greater degree of trust. We have made use of the importing theorem: in other words, the MDG verification result not only can be imported into HOL to form a HOL theorem, it can also be used as part of a hierarchical hardware verification proof in HOL. We have also shown that two different applications (hardware verification and usability verification) suited to two different tools can be combined. However, for importing the MDG verification result into HOL, we need to prove the existential theorem for the specification of the design. The behaviour specifications must be in the form of a finite state machine or table description.
Summary
In this chapter, we have proved the usability theorem of a chocolate machine to demonstrate the feasibility of our methodology. We have verified the correctness of the chocolate machine in MDG, and this result has been imported into HOL to form a HOL theorem. We have proved the specification based usability theorem in HOL. By using the importing theorem and the specification based usability theorem, we obtain the implementation based usability theorem.
Chapter 9 
Conclusions and Future Work 
9.1 Conclusions 
In this thesis, we have produced a methodology which can provide a formal linkage between the symbolic state enumeration system and the theorem proving system based on a verified symbolic state enumeration system. The methodology involves the following three steps.
First, we verify aspects of correctness of the symbolic state enumeration system in an interactive theorem proving system. In fact, some symbolic state enumeration based systems, such as MDG, consist of a series of translators and a set of algorithms. We need to verify the translators and algorithms to ensure the correctness of the whole system. For verifying the translators, we need to define the deep embedding semantics and translation functions. We have to make certain that the semantics of a program is preserved in its translated form. This work greatly increases the degree of trust of the symbolic state enumeration system.
Secondly, we prove importing theorems in the theorem proving system about the results from the symbolic state enumeration system. We need to formalize the correctness results produced by different hardware verification applications using the theorem proving system. The formalization is based on the semantics of the low level language (decision graph). We need to prove a theorem in each case that translates these results into a form usable in the theorem proving system. In other words, we have to provide the theoretical justification for linking the two systems.
Thirdly, we combine the translator correctness theorems with importing theorems. This combination allows the verification results from the state enumeration system to be formalized in terms of the semantics of a low level language (decision graph) and imported in terms of the semantics of a high level language (HDL). Therefore, we are able to import the result into the theorem proving system based on the semantics of the input language of a verified symbolic state enumeration system. This makes formalization, importation and verification easier, more direct and trustworthy.
We have also summarized a general method to prove the existential theorem of the design, which is needed for importing the sequential verification results into the theorem proving system. This work makes the linking process easier and removes the burden from the user of the hybrid system.
We have partly implemented this methodology in two simplified versions of the MDG system (the boolean subset and the extended subset) and the HOL system, and have provided a formal linkage by using the above mentioned steps.
The standard approach of proving a translator has been used to prove the aspects of correctness of the MDG system using the HOL system. For the boolean subset, we have proved that two translators are correct (Figure 1.5). The syntax of the MDG-HDL language, the core MDG-HDL language and the MDG formula representation language have been defined in higher order logic. The semantic functions are defined by structural induction over their syntactic structure. The translation functions that translate the syntax of an MDG-HDL program to the syntax of the core MDG-HDL language, and the syntax of the core MDG-HDL program to the syntax of the MDG formula representation language, have been defined. The correctness theorem ((3.1), (3.2)) for each translator, which quantifies over its syntactic structure, has been verified. By combining these two correctness theorems we obtain a new theorem (3.3). This theorem states that the semantics of the original MDG-HDL program is equivalent to the semantics of the MDG formula representation program used in the MDG implementation.
For the extended subset, we have extended our formalization to accommodate a list of inputs of the TABLE component with boolean sorts and concrete sorts. We have proved that the first translator is correct (Figure 1.5). Similarly, the formal syntax and semantics of the MDG-HDL language and the core MDG-HDL language of this subset have been defined. A set of functions for translating this subset language to its core MDG-HDL equivalent has then been given. The correctness theorem about the translation, which quantifies over its syntactic structure, has been proved.
In doing such a translator verification, we do more than just prove the correctness of the system; we also build a solid foundation to formally import the MDG verification results into HOL to form HOL theorems in terms of MDG-HDL. Our semantics of a program is represented explicitly with the external inputs and outputs, which allows the semantic function to be used in the importing theorems.
We have formally proved the general importing theorems for three different hardware verification applications using HOL. We have in each case proved a theorem that translates the results into a form usable in a traditional HOL hardware verification, i.e., that the structural specification implements the behavioral specification. The first application considered was the checking of input-output equivalence of two combinational circuits. The next application considered was sequential verification, which checks that two abstract state machines produce the same sequence of outputs for every sequence of inputs. Finally, we considered a general form of the checking of invariant properties of a circuit. These theorems are very general because they do not explicitly deal with the MDG-HDL semantics or multiway decision graphs. They are given in terms of general relations on inputs and outputs. Thus they are applicable to other verification systems with a similar architecture based on reachability analysis, equivalence checking and/or invariant checking. This could include a pure BDD based system.
The two general importing theorems for each subset, combinational verification and sequential verification, have been instantiated for the semantics of the low level language. In theory, the formalization of the MDG verification result should be in terms of the MDG decision graph. However, we have only proved some of the translators. In order to demonstrate the combination of the translator correctness theorems and the importing theorems, the formalization of the MDG results we considered here is in terms of the MDG formula representation (see Figure 6.1) for the boolean subset and the core MDG-HDL for the extended subset. We have combined the translator correctness theorems with the importing theorems. The combination allows the low level formalization of the MDG verification results to be imported into HOL to form HOL theorems in terms of the semantics of MDG-HDL, and the existential theorem for sequential verification to be proved in terms of the semantics of MDG-HDL. In other words, we have obtained different theorems for two different MDG applications which explicitly deal with the MDG-HDL semantics. We thus obtain theorems that convert the low level results, which were actually proved in the MDG system, to results about circuits in the high level languages in a form that can be reasoned about in HOL.
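As an added schematic illustration (not the thesis's own theorem statements, whose precise forms are given in Chapters 3 and 6), the combination just described can be written with the following assumed notation: $\mathcal{S}_{\mathrm{HDL}}$, $\mathcal{S}_{\mathrm{core}}$ and $\mathcal{S}_{\mathrm{MDGf}}$ stand for the semantic functions of MDG-HDL, core MDG-HDL and the MDG formula representation, each applied to a program and to its external inputs $ip$ and outputs $op$, and $T_1$, $T_2$ for the two translation functions of the boolean subset.

$$
\begin{aligned}
&\vdash \forall p\ ip\ op.\ \mathcal{S}_{\mathrm{HDL}}\,p\ ip\ op = \mathcal{S}_{\mathrm{core}}\,(T_1\,p)\ ip\ op
&&\text{(first translator correct)}\\
&\vdash \forall q\ ip\ op.\ \mathcal{S}_{\mathrm{core}}\,q\ ip\ op = \mathcal{S}_{\mathrm{MDGf}}\,(T_2\,q)\ ip\ op
&&\text{(second translator correct)}\\
&\vdash \forall p\ ip\ op.\ \mathcal{S}_{\mathrm{HDL}}\,p\ ip\ op = \mathcal{S}_{\mathrm{MDGf}}\,(T_2\,(T_1\,p))\ ip\ op
&&\text{(composition of the two)}
\end{aligned}
$$

For the combinational equivalence application, the MDG result is formalized at the low level as

$$
\vdash \forall ip\ op.\ \mathcal{S}_{\mathrm{MDGf}}\,(T_2\,(T_1\,\mathit{impl}))\ ip\ op = \mathcal{S}_{\mathrm{MDGf}}\,(T_2\,(T_1\,\mathit{spec}))\ ip\ op
$$

and rewriting both sides with the composed correctness theorem gives

$$
\vdash \forall ip\ op.\ \mathcal{S}_{\mathrm{HDL}}\,\mathit{impl}\ ip\ op = \mathcal{S}_{\mathrm{HDL}}\,\mathit{spec}\ ip\ op,
$$

from which the traditional hardware correctness statement $\forall ip\ op.\ \mathcal{S}_{\mathrm{HDL}}\,\mathit{impl}\ ip\ op \supset \mathcal{S}_{\mathrm{HDL}}\,\mathit{spec}\ ip\ op$ follows by weakening the equality to an implication. The sequential case follows the same pattern, except that, as noted above, the existential theorem for the specification has to be supplied separately.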
For ease of importing MDG results into HOL for sequential verification, and also for avoiding an inconsistent model, we summarize a general way to prove the existential theorem for the implementation or specification of designs based on the syntax and the semantics of MDG-HDL. We have defined the output representation for each component in the MDG component library. The existential term of a design, which strips away the leading existentially quantified variable and substitutes a term for each free occurrence in the body, is determined in terms of those output representations. Since we directly deal with the syntax and semantics of the MDG-HDL program, we use a tactic EXPAND_SEMANTICS_TAC to expand the semantics of the program (design) and obtain a HOL goal of the form ∃a1 ... an. body. The existential term can then be used to strip away the existentially quantified variable and substitute a term for each free occurrence in the body. Two further tactics, PROVE_EXIST_TAC and PROVE_TABLE_EXIST_TAC, are used to solve the goal that remains after stripping away the existentially quantified variables. Although we concentrate on proving the existential theorem for the specification and implementation of a design based on the syntax and semantics of MDG-HDL, our methods can be used to solve other HOL goals which are existentially quantified. In other words, our existential terms and output representations can be used to solve existentially quantified HOL goals in other applications.
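As an added illustration of the existential-theorem method (example code, not the thesis's HOL tactics EXPAND_SEMANTICS_TAC, PROVE_EXIST_TAC or PROVE_TABLE_EXIST_TAC), the block below treats a design as a netlist whose semantics is "∃ internal lines. conjunction of the component relations", and discharges the existential by substituting an output representation for each internal line in dependency order. The component library (not, and, or, and a register that outputs its previous input) and the sample toggle circuit are constructed assumptions; the output representations of the MDG component library are defined in the thesis and are not reproduced here. The block also shows the failure mode that motivates the method: for a design whose lines cannot be expressed from the library's output representations (here the combinational loop x = NOT x) no witness is produced, and for that particular design the body is in fact unsatisfiable, so any implication with it as hypothesis would hold vacuously.

```python
"""Witnessing the existential theorem of a netlist (constructed example)."""
from collections import namedtuple

# A component: library kind, tuple of input line names, output line name.
Component = namedtuple("Component", "kind inputs output")

# Constructed component library: the output representation of each
# combinational kind, i.e. the output value as a function of the input
# values at the same time.  (The MDG library's representations are defined
# in the thesis, not here.)  Registers are handled separately below.
COMBINATIONAL = {
    "not": lambda a: not a,
    "and": lambda a, b: a and b,
    "or":  lambda a, b: a or b,
}


def output_representation(comp, signals):
    """The witness term for comp's output line, as a signal (time -> bool).
    Lines are looked up in `signals` lazily, so a register may refer to a
    line that is only defined later in the substitution order."""
    ins = comp.inputs
    if comp.kind == "reg":           # register: previous input, False at t=0
        return lambda t: False if t == 0 else signals[ins[0]](t - 1)
    f = COMBINATIONAL[comp.kind]
    return lambda t: f(*[signals[i](t) for i in ins])


def relation_holds(comp, signals, t):
    """One conjunct of the body at time t: the output line equals the value
    the library prescribes for the component's inputs."""
    return signals[comp.output](t) == output_representation(comp, signals)(t)


def existential_witness(components, externals):
    """Strip the existential quantifier by substituting output
    representations for the internal lines.  Returns the full signal table,
    or None when some line cannot be expressed (a combinational loop)."""
    signals = dict(externals)
    pending = []
    for c in components:
        if c.kind == "reg":          # state elements break feedback loops
            signals[c.output] = output_representation(c, signals)
        else:
            pending.append(c)
    while pending:
        ready = [c for c in pending if all(i in signals for i in c.inputs)]
        if not ready:
            return None
        for c in ready:
            signals[c.output] = output_representation(c, signals)
            pending.remove(c)
    return signals


def body_holds(components, signals, horizon):
    """The quantifier-free goal that remains once the witness is substituted,
    checked for every clock cycle below `horizon`."""
    return all(relation_holds(c, signals, t)
               for c in components for t in range(horizon))


def toggle_design():
    """Constructed sample: an enable-controlled toggle flip-flop.
    External input en; internal lines nq, nen, a1, a2, d; state/output q."""
    return [
        Component("not", ("q",), "nq"),
        Component("not", ("en",), "nen"),
        Component("and", ("en", "nq"), "a1"),
        Component("and", ("nen", "q"), "a2"),
        Component("or", ("a1", "a2"), "d"),
        Component("reg", ("d",), "q"),
    ]


def run_toggle(en_values):
    """Instantiate en from a constructed value list, build the witness and
    return q over the same horizon (None if no witness exists)."""
    design = toggle_design()
    signals = existential_witness(design, {"en": lambda t: bool(en_values[t])})
    if signals is None or not body_holds(design, signals, len(en_values)):
        return None
    return [signals["q"](t) for t in range(len(en_values))]


def inconsistent_loop():
    """x = NOT x: no output representation can define x, so no witness."""
    return existential_witness([Component("not", ("x",), "x")], {})


if __name__ == "__main__":
    print(run_toggle([1, 1, 0, 1, 0, 0, 1, 1]))
    print(inconsistent_loop())
```

The register case is the reason the substitution has to respect dependency order rather than the textual order of the components: a register's output representation refers only to earlier clock cycles, so it can be defined before the combinational logic that feeds it, which is what allows a circuit with state feedback (the toggle above) to be witnessed while a purely combinational cycle cannot.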
An example, the verification of correctness and usability theorems of a vending machine, has demonstrated the feasibility of our method. We have verified the correctness of the chocolate machine in MDG. The verification result has been imported into HOL to form a HOL theorem. We have proved the specification based usability theorem in HOL. By using the importing theorem and the specification based usability theorem, we obtain the implementation based usability theorem.
From this example, we have shown that our method supports the hierarchical hardware verification approach mentioned in section 1.3.2. The MDG verification results can be fitted naturally within the HOL framework with great security using the importing theorem. We have used the importing theorem in verifying a property of a system. In other words, the MDG verification result not only can be imported into HOL to form a HOL theorem, it can also be used as part of a hierarchical hardware verification proof in HOL. Furthermore, we have shown that two different applications (hardware verification and usability verification) suited to two different tools can be combined. However, for importing the MDG verification result into HOL, we need to prove the existential theorem for the specification of the design.
The main difficulty we encountered is the formalization of the TABLE. This is because its inputs could be of different types. As a result, the formalization of a design is more complex than formalizing it directly in HOL. This experience tells us that when designing a new tool, the designers should try their best to make the tool easy to prove from the very beginning.
9.2 Future work
We have provided a formal linkage between MDG and HOL based on a trusted MDG system. There are many opportunities for further work on verifying the correctness of the MDG system and building a verified linkage between MDG and HOL.
• Verify the MDG algorithms. In MDG, a set of MDG algorithms is used to manipulate the MDGs. If the correctness theorems of the algorithms have been proved, the degree of trust of the system will increase considerably, and the importing theorems which are based on the high level language (MDG-HDL) will be more reliable. Chou and Peled [17] have verified a partial-order reduction technique for model checking. Similar methods can be used to verify the MDG algorithms.
• Verify the translators. We have proved the translators from the MDG-HDL language to the MDG formula representation language for the boolean subset, and have proved the translator from the MDG-HDL language to the core MDG-HDL language for the extended subset. Similar verifications can also be done for the other translations, such as from the MDG formula representation to MDGs for the boolean subset and from the core MDG-HDL to MDGs for the extended subset. The more translators have been proved, the higher the degree of trust the system will have. Of course, we need to use the deep embedding semantics of the corresponding languages in HOL and to define the translation functions between the languages.
• Verifying the MDG implementation. We split the problem of verifying the translator into two problems: verifying that the implementation meets a functional specification, and that the functional specification meets the requirement of preserving semantics. This split was advocated by Chirica and Martin [16] with respect to compiler correctness. We are concerned with the latter step here. We are not verifying the actual MDG implementation: our formalization of the translator is a specification of it. Once combined with the translators from the core MDG-HDL to MDGs or from the MDG formula representation to MDGs, it would specify the output required from the implementation. It is possible to verify the MDG implementation based on the compiler specification theorems.
• Expanding the subset language to the whole language. The subset language we considered here did not include three MDG predefined components (Multiplexer, Drivers and Constant) and the Transform construct used to apply functions. These components are omitted from our subset as they have non-boolean inputs or outputs. Furthermore, the subset considered does not include abstract sorts. It is possible to extend the subset to the whole language.
• Making a linkage between two different specifications. In MDG, the specifications must be in the form of a finite state machine or table description. This is not very abstract. The advantage of HOL is that it allows much more abstract specification. The complex MDG specification might lead to difficulty in the HOL proof. Since the two different specifications formalize the same design, it may be possible to investigate the feasibility of proving the equivalence of the two specifications. Alternatively, it is possible to write tactics to simplify the MDG specification.
• The importing theorems for model checking. We have formally proved the general importing theorems for three different hardware verification applications using HOL. These were the original MDG tools. More recently a model checking tool was added [84]. The importing theorems for model checking can be obtained using a similar method.
• Making use of our importing theorems with MDG-HOL. Our importing theorems have built a solid theoretical underpinning for the linkage of HOL and MDG. They can be used in MDG-HOL or another combined system. Indeed, the MDG-HOL system shallowly embeds the semantics of MDG-HDL into HOL. It is possible to use our deep embedding semantics instead of the shallow embedding semantics so as to make use of our importing theorems.
• Applying the methodology to a BDD based tool and theorem prover. Our methodology works for the MDG system and the HOL system, and greatly increases the degree of trust of the linkage between the two systems. Similar work can be applied to other automated verification tools and theorem proving systems.
Summary
The contribution of this thesis is that we have produced a methodology which can provide a formal linkage between a symbolic state enumeration system and a theorem proving system based on a verified symbolic state enumeration system. The methodology has been partly realized in two simplified versions of the MDG system and the HOL system. We have verified aspects of correctness of two simplified versions of the MDG system. We have provided a formal linkage between the MDG system and the HOL system based on importing theorems. We have combined the translator correctness theorems with the importing theorems. This combination allows the low level MDG verification results to be imported into HOL in terms of the semantics of a high level language (MDG-HDL). We have also summarized a general method which is used to prove the existential theorem for the specification and implementation of the design. The feasibility of this approach has been demonstrated in a case study: the verification of the correctness and usability theorems of a vending machine.
Bibliography
[1] M. D. Aagaard, R. B. Jones, R. Kaivola, and C. J. H. Seger. Formal verification of iterative algorithms in microprocessors. DAC, June 2000.
[2] M. D. Aagaard, R. B. Jones, and C. H. Seger. Lifted-FL: A pragmatic implementation of combined model checking and theorem proving. In Theorem Proving in Higher Order Logics, number 1690 in Lecture Notes in Computer Science, pages 323-340. Springer-Verlag, September 1999.
[3] M. D. Aagaard and C. J. H. Seger. The formal verification of a pipelined double-precision IEEE floating-point multiplier. ICCAD, IEEE Comp. Soc., pages 7-10, November 1995.
[4] S. B. Akers. Binary decision diagrams. IEEE Transactions on Computers, C-27(6):509-516, June 1978.
[5] P. Argon and K. McMillan. Deriving a special-purpose prover for compositional model checking in Coq. In TPHOLs 2000 Supplemental Proceedings, pages 1-5. Oregon Graduate Institute, 2000.
[6] G. Birtwistle, S. Chin, and B. Graham. new_theory 'HOL';; An Introduction to Hardware Verification in Higher Order Logic. Unpublished, 1994. http://www.comp.leeds.ac.uk/graham/research/hv/hvbooks.html.
[7] R. Boulton, A. Gordon, M. Gordon, J. Harrison, J. Herbert, and J. Van-Tassel. Experience with embedding hardware description languages in HOL. In T. F. Melham and R. T. Boute, editors, Theorem Provers in Circuit Design, pages 129-156. North-Holland, 1992.
[8] R. S. Boyer and G. Dowek. Towards checking proof checkers. In Workshop on Types for Proofs and Programs (Types'93), 1993.
[9] R. S. Boyer and J. Moore. A Computational Logic Handbook. Academic Press, London, 1997.
[10] B. C. Brock and W. A. Hunt. The formalization of a simple hardware description language. In Luc Claesen, editor, Applied Formal Methods for Correct VLSI Design, pages 778-792, Amsterdam, November 1989. IMEC-IFIP International Workshop, Elsevier Science Publishers.
[11] R. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, 35(8):677-691, August 1986.
[12] R. E. Bryant. Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3), September 1992.
[13] R. S. Burstall and P. J. Landin. Programs and their proofs: an algebraic approach. In B. Meltzer and D. Michie, editors, Machine Intelligence, number 4, pages 17-43. Edinburgh University Press, 1969.
[14] A. Camilleri, M. Gordon, and T. Melham. Hardware verification using Higher-Order Logic. In D. Borrione, editor, From HDL Descriptions to Guaranteed Correct Circuit Designs: Proceedings of the IFIP WG 10.2 Working Conference, pages 43-67, Grenoble, September 1986.
[15] L. M. Chirica. Contributions to Compiler Correctness. Report UCLA-ENG-7697, Computer Science Department, University of California, Los Angeles, October 1976. Ph.D. thesis.
[16] L. M. Chirica and D. F. Martin. Toward compiler implementation correctness proofs. ACM Transactions on Programming Languages and Systems, 8(2):185-214, April 1986.
[17] C. T. Chou and D. Peled. Formal verification of a partial-order reduction technique for model checking. In T. Margaria and B. Steffen, editors, Tools and Algorithms for the Construction and Analysis of Systems, number 1055 in Lecture Notes in Computer Science, pages 241-257, 1996.
[18] A. Cohn and R. Milner. On using Edinburgh LCF to prove the correctness of a parsing algorithm. Technical Report 20, University of Edinburgh Computer Science, 1982.
[19] P. A. Collier. Simple compiler correctness - a tutorial on the algebraic approach. The Australian Computer Journal, 18(3), August 1986.
[20] F. Corella, Z. Zhou, X. Song, M. Langevin, and E. Cerny. Multiway decision graphs for automated hardware verification. Formal Methods in System Design, 10(1):7-46, 1997.
[21] J. Crow, S. Owre, J. Rushby, N. Shankar, and M. Srivas. A tutorial introduction to PVS. http://www.dcs.gla.ac.uk/prosper/papers.html, 1999.
[22] P. Curzon. A verified Vista implementation. Technical Report 311, University of Cambridge, Computer Laboratory, September 1993.
[23] P. Curzon. The formal verification of the Fairisle ATM switching element. Technical Report 329, University of Cambridge, Computer Laboratory, March 1994.
[24] P. Curzon and A. Blandford. Using a verification system to reason about post-completion errors. In Participants Proceedings of DSV-IS 2000: 7th International Workshop on Design, Specification and Verification of Interactive Systems, at the 22nd International Conference on Software Engineering.
[25] P. Curzon and A. Blandford. Reasoning about order errors in interaction. In TPHOLs 2000 Supplemental Proceedings, Technical Report CSE-00-009, pages 33-48. Oregon Graduate Institute, August 2000.
[26] P. Curzon, S. Tahar, and O. Aït-Mohamed. Verification of the MDG components library in HOL. In Jim Grundy and Malcolm Newey, editors, Theorem Proving in Higher-Order Logics: Emerging Trends, pages 31-46. Department of Computer Science, The Australian National University, 1998.
[27] L. A. Dennis, G. Collins, M. Norrish, R. Boulton, K. Slind, G. Robinson, M. Gordon, and T. Melham. The PROSPER toolkit. http://www.dcs.gla.ac.uk/prosper/papers.html, 1999.
[28] Computer General Electronic Design. The ELLA Language Reference Manual, Issue 4.0. Greenways Business Park, Bellinger Close, Chippenham, Wiltshire, SN15 1BN, England, 1989.
[29] D. I. Good, R. L. Akers, and L. M. Smith. Report on Gypsy 2.05. Technical Report CLI-1, Computational Logic, Inc., 1986.
[30] K. Goossens. Embedding Hardware Description Languages in Proof Systems. Laboratory for Foundations of Computer Science, Department of Computer Science, University of Edinburgh, December 1992. Ph.D. thesis.
[31] M. J. Gordon. Synthesizable Verilog syntax and semantics. Technical report, University of Cambridge, Computer Laboratory, January 1997. www.cl.cam.ac.uk/users/mjcg/V/V.html.
[32] M. J. Gordon. Notes on the representation of state machines in higher order logic. Technical report, University of Cambridge, Computer Laboratory, January 1999.
[33] M. J. Gordon, T. Kropf, and D. Hoffmann. PROSPER ESPRIT LTR project 26241, semantics of the intermediate language IL. Technical report, University of Cambridge, Computer Laboratory, February 1999.
[34] M. J. Gordon, R. Milner, and C. P. Wadsworth. Edinburgh LCF: A mechanised logic of computation. Number 78 in Lecture Notes in Computer Science, 1979.
[35] M. J. C. Gordon. Why higher-order logic is a good formalism for specifying and verifying hardware. In G. J. Milne and P. A. Subrahmanyam, editors, Formal Aspects of VLSI Design: the 1985 Edinburgh Workshop on VLSI, pages 153-177. North-Holland, 1986.
[36] M. J. C. Gordon. HOL: A proof generating system for higher-order logic. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 73-128. Kluwer Academic, 1988.
[37] M. J. C. Gordon. Mechanizing programming logics in higher order logic. In P. A. Subrahmanyam and G. Birtwistle, editors, Current Trends in Hardware Verification and Automated Theorem Proving, number 7, pages 387-489, New York, 1989. Springer-Verlag.
[38] M. J. C. Gordon. Combining deductive theorem proving with symbolic state enumeration. Presented at 21 Years of Hardware Verification, Royal Society Workshop to mark 21 years of BCS FACS, http://www.cl.cam.ac.uk/users/mjcg/BDD, December 1998.
[39] M. J. C. Gordon. Reachability programming in HOL98 using BDDs. In Mark Aagaard and John Harrison, editors, Theorem Proving in Higher Order Logics, number 1869 in Lecture Notes in Computer Science, pages 179-196. Springer-Verlag, August 2000.
[40] M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic. Cambridge University Press, 1993.
[41] E. L. Gunter and D. Obradovic. Towards the integration of model checking and theorem proving: Embedding a subset of Promela into HOL. In TPHOLs 2000 Supplemental Proceedings, Technical Report CSE-00-009, pages 75-85. Oregon Graduate Institute, August 2000.
[42] J. Harrison and L. Thery. A skeptic's approach to combining HOL and Maple. Journal of Automated Reasoning, 21:279-294, 1998.
[43] S. Hazelhurst and C. J. H. Seger. A simple theorem prover based on symbolic trajectory evaluation and BDDs. IEEE Trans. on CAD, April 1995.
[44] S. Hazelhurst and C. J. H. Seger. Symbolic trajectory evaluation. Springer-Verlag, New York, 1997.
[45] G. J. Holzmann. Design and Validation of Computer Protocols. Prentice Hall, 1990.
[46] P. V. Homeier and D. F. Martin. A verified verification condition generator. The Computer Journal, 38(2):131-141, July 1995.
[47] A. Hu. Formal hardware verification with BDDs: An introduction. In IEEE 
Pacific Rim Conference on Communications, Computers, and Signal Processing 
(PACRIM), pages 667-682, 1997. 
[48] G. Huet, G. Kahn, and C. Paulin-Mohring. The Coq proof assistant - a tutorial, 
version 6.1. Technical Report 204, INRIA, August 1997. 
[49] J. Hurd. Integrating G A N D A L F and HOL. Technical Report 461, University 
of Cambridge, Computer Laboratory, Apri l 1999. 
[50] J. Joyce. A verified Compiler for a verified microprocessor. Technical Report 
167, University of Cambridge, Computer Laboratory, March 1989. 
[51] J . Joyce and C. Seger. Linking BDD-based symbolic evaluation to interactive 
theorem-proving. In the 30th Design Automation Conference, 1993. 
[52] R. Kaivola and M . D. Aagaard. Divider circuit verification with model checking 
and theorem proving. In Mark Aagaard and John Harrison, editors, Theorem 
Proving in Higher Order Logics, number 1869 in Lecture Notes in Computer 
Science, 13 International Conference, T P H O L s 2000, Portland, OR, USA, Au-
gust 2000. Springer-Verlag. 
[53] S. Kort, S. Tahar, and P. Curzon. Hierarchical hardware verification using a 
hybrid tool. Technical report, Dept. of Electrical and Computer Engineering, 
169 
Concordia University, 1455 De Maisonncuve West, Montreal, Quebee - H3G 
LM8, Canada, 2000. 
[54] S. Kort, S. Tahar, and P. Curzon. Hierarchical verification using an M D G -
HOL hybrid tool. In T. Margaria and T. Melham, editors, llth IFIP WG 
10.5 Advanced Research Working Conference (CHARME'2001), number 2144 
in Lecture Notes in Computer Science, pages 244-258, Livingston, Scotland, 
U K , September 2001. Springer-Verlag. 
[55] T. Kropf and R. Reetz. Simplifying deep embedding: A formalised code gen-
erator. In J. Camilleri and T. Melham, editors, Higher Order Logic Theorem 
Proving and its Applications, number 859 in Lecture Notes in Computer Sci-
ence. Springer-Verlag, September 1995. 
[56] J . McCarthy and J . Painter. Correctness of a Compiler for arithmetic expres-
sions. In J. Schwartz, editor, A Symposium on Applied Mathematics, pages 
33-41, 1967. 
[57] T. F. Melham. Automating recursive type deflnitions in Higher Order Logic. 
In Current Trends in Hardware Verification and Automated Theorem Proving, 
pages 341-386. Springer Verlag, 1989. 
[58] T. F. Melham. Higher Order Logic and Hardware Verification. Cambridge 
Tracts in Theoretical Computer Science 31. Cambridge University Press, 1993. 
[59] R. Milner and R. Weyhrauch. Proving Compiler correctness in a mechanized 
logic. In B. Meitzer and D. Mitchie, editors, Machine Intelligence, number 7, 
pages 51-70, Edinburgh, Scotland, 1972. Edinburgh University Press. 
[60] J . Moore. A mechanically verified language implementation. Journal of Auto-
mated Reasoning, (5):461-492, 1989. 
[61] J. S. Moore. A mechanically verified language implementation. Technical Re-
port CLI-22, Computational Logic, Inc., 1988. 
170 
[62] F. L . Morris. Correctness of Translations of Programming Languages. Report 
STAN-CS-72-303. Computer Science Department, Stanford University, August 
1972. Ph.D. thesis. 
[63] F. L. Morris. Advice on structure Compilers and proving theorem correct. In 
The ACM Symposium on Principles of Programming Languages, pages 144-152, 
Boston, October 1973. 
[64] Institute of Electrical and Electronics Engineers. IEEE Standard VHDL lan-
guage Reference Manual. IEEE press. New York, 1988. 
[65] L. C. Paulson. ML for the Working Programmer. Cambridge University Press, 
1991. 
[66] V . K . Pisini and S. Tahar. Integration of HOL and M D G for hardware verifi-
cation. Technical report, Dept. of Electrical and Computer Engineering, Con-
cordia University, 1455 De Maisonncuve West, Montreal, Quebee - H3G LM8, 
Canada, March 1999. 
[67] V. K . Pisini, S. Tahar, P. Curzon, and 0 . Ait-Mohamed. A hybrid approach to 
formal verification using HOL and M D G . Technical report, Dept. of Electrical 
and Computer Engineering, Concordia University, 1455 De Maisonncuve West, 
Montreal, Quebee - H3G LM8, Canada, November 1999. 
[68] G. Pottinger. Completeness for the H O L logic: Preliminary report. In Posted 
to info-hol mail list on 28th Jan 1992., 1992. Available in the info-hol archive 
by anonymous F T P from ftp.cl.cam.ac.uk in directory hvg/info-hol-archive. 
[69] S. Rajan, N . Shankar, and M . K . Srivas. An Integration of model-checking 
with automated proof checking. In Pierre Wolper, editor, Computer-Aided 
Verification, number 939 in Lecture Notes in Computer Science, pages 84-97. 
Springer-Verlag, 1995. 
[70] K . Schneider and T. Kropf. Verifying hardware correctness by combining theo-
rem proving and model checking. Technical Report SBF 358-C2-5/95, Univer-
sity of Karlsruhe, Department of Computer Science, 1995. 
171 
[71] K . Schneider and T. Kropf. Unified approach for combining different formalisms 
for hardware verification. Technical Report SBF 358-C2-6/96, University of 
Karlsruhe, Department of Computer Science, January 1996. 
[72] C.-J . H. Seger and R. E. Bryant. Formal verification by symbolic evaluation of 
partially-ordered trajectories. Formal Methods in System Design, 6(2):147-190, 
March 1995. 
[73] S. Tahar, X . Song, E. Cerny, Z. Zhou, M . Langevin, and 0 . A'it-Mohamed. 
Modeling and automatic formal verification of the Fairisle A T M switch fabric 
using MDGs. To appear in IEEE Transactions on CAD of Integrated Circuits 
and Systems. 
[74] J. von Wright. Program refinement by theorem prover. In Proc. 6th Refinement 
Workshop, London, January 1994. Springer-Verlag. 
[75] J. von Wright. Representing higher-order logic proofs in HOL. The Computer 
Journal, 38(2):171-179, July 1995. 
[76] J. von Wright. The formal verification of a proof checker. SRI internal report, 
November 1998. 
[77] W. Wong. Validation of HOL proofs by proof checking. Formal Methods in 
System Design, 14(2):193-212, March 1999. 
[78] H . Xiong and P. Curzon. The verification of a translator for MDG's components 
in HOL. In MUCORT98, Third Middlesex University Conference on Research 
in Technology, pages 55-59, April 1998. 
[79] H. Xiong, P. Curzon, and A. Blandford. Combining verification Systems in a 
trusted way to reap the benefits of both. In Automated Reasoning-Bridging the 
Gap between Theory and Practice The 6th Workshop, pages 71-73, April 1999. 
[80] H. Xiong, P. Curzon, and S. Tahar. Importing M D G verification results into 
HOL. In Theorem Proving in Higher Order Logics, number 1690 in Lecture 
Notes in Computer Science, pages 293-310. Springer-Verlag, September 1999. 
172 
[81] H . Xiong, P. Curzon, S. Tahar, and A . Blandford. Verification of a translator for 
MDG's library in HOL. In 15th British Colloquium for Theoretical Computer 
Science, Apri l 1999. 
[82] H. Xiong, P. Curzon, S. Tahar, and A. Blandford. Embedding and verification 
of an M D G - H D L translator in HOL. In TPHOLs 2000 Supplemental Proceed-
ings, Technical Reprot CSE-00-009, pages 237-248. Oregon Graduate Institute, 
August 2000. 
[83] H. Xiong, P. Curzon, S. Tahar, and A. Blandford. Proving existential theorems 
when importing results from M D G to HOL. In Richard J. Boulton and Paul B. 
Jackson, editors, TPHOLs 2001 Supplemental Proceedings, Informatic Research 
Report EDI-INF-RR-0046, pages 384-399. Division of Informatics, University 
of Edinburgh, Edinburgh, U K , September 2001. 
[84] Y . X u . Model Checking for a Forst-order Temporal Logic Using Multiway De-
cision Graphs. 1455 De Maisonncuve West, Montreal, Quebee - H3G LM8, 
Canada, 1999. Ph.D. thesis. 
[85] W. D. Young. A mechanically verified code generator. Journal of Automated 
Reasoning, (5):493-519, 1989. 
[86] Z. Zhou and N . Boulerice. MDG Tools (V1.0) User Manual. University of 
Montreal, Dept. D'IRO, 1996. 
[87] Z. Zhu, J. Joyce, and C. Seger. Verification of the Tamarack-3 microprocessor 
in a hybrid verification environment. In Higher-Order Logic theorem proving 
and Its Applications, The 6th International Workshop, number 780 in Lecture 
Notes in Computer Science, pages 252-266. B. C , Canada, August 1993. 
173 
Appendix A
The Abstract Syntax of a Boolean Subset
The full abstract syntax of the boolean subset of the MDG-HDL language is given below:
out_type     ::= NOWV of string |
                 NEXTV of string
default_type ::= DENORMAL of num->bool |
                 DEOUT of out_type |
                 DECONST of string
Table_Val    ::= TABLE_VAL of 'a | DON'T_CARE
mdg_hdl      ::= NOT of string=>string |
                 AND of string=>string=>string |
                 OR of string=>string=>string |
                 NAND of string=>string=>string |
                 XOR of string=>string=>string |
                 NOR of string=>string=>string |
                 AND3 of string=>string=>string=>string |
                 OR3 of string=>string=>string=>string |
                 NAND3 of string=>string=>string=>string |
                 NOR3 of string=>string=>string=>string |
                 AND4 of string=>string=>string=>string=>string |
                 OR4 of string=>string=>string=>string=>string |
                 NAND4 of string=>string=>string=>string=>string |
                 NOR4 of string=>string=>string=>string=>string |
                 AND5 of string=>string=>string=>string=>string=>string |
                 OR5 of string=>string=>string=>string=>string=>string |
                 NAND5 of string=>string=>string=>string=>string=>string |
                 NOR5 of string=>string=>string=>string=>string=>string |
                 AND6 of string=>string=>string=>string=>string=>string=>string |
                 OR6 of string=>string=>string=>string=>string=>string=>string |
                 NAND6 of string=>string=>string=>string=>string=>string=>string |
                 NOR6 of string=>string=>string=>string=>string=>string=>string |
                 JKFF of string=>string=>string |
                 RSFF of string=>string=>string |
                 JKFFE of string=>string=>string=>string |
                 AO of string=>string=>string=>string=>string |
                 REGCON of string=>string=>string |
                 REG of string=>string |
                 FORK of string=>string |
                 INIT of (string#bool) |
                 SNXT of string=>string |
                 TABLESYN of (string list)=>out_type=>((bool Table_Val list) list)
                             =>((num->bool) list)=>default_type |
                 JOIN of mdg_hdl=>mdg_hdl
Exoutput     ::= EXOUT of string list
Exinput      ::= EXIN of string list
Invariable   ::= INV of string list
program      ::= PROG of Exoutput=>Exinput=>Invariable=>mdg_hdl
Appendix B
The Abstract Syntax of an Extended Subset
The full abstract syntax of the extended subset of the MDG-HDL language is given below:
Out_Type     ::= NOWV of string |
                 NEXTV of string
Default_Type ::= DENORMAL of num->bool |
                 DEOUT of Out_Type |
                 DECONST of string
Table_Val    ::= TABLE_VAL of 'a | DON'T_CARE
Mdg_Basic    ::= UNBOUND | BOOL of bool | CONCRETE of string
Mdg_Hdl      ::= NOT of string=>string |
                 AND of string=>string=>string |
                 OR of string=>string=>string |
                 NAND of string=>string=>string |
                 XOR of string=>string=>string |
                 NOR of string=>string=>string |
                 AND3 of string=>string=>string=>string |
                 OR3 of string=>string=>string=>string |
                 NAND3 of string=>string=>string=>string |
                 NOR3 of string=>string=>string=>string |
                 AND4 of string=>string=>string=>string=>string |
                 OR4 of string=>string=>string=>string=>string |
                 NAND4 of string=>string=>string=>string=>string |
                 NOR4 of string=>string=>string=>string=>string |
                 AND5 of string=>string=>string=>string=>string=>string |
                 OR5 of string=>string=>string=>string=>string=>string |
                 NAND5 of string=>string=>string=>string=>string=>string |
                 NOR5 of string=>string=>string=>string=>string=>string |
                 AND6 of string=>string=>string=>string=>string=>string=>string |
                 OR6 of string=>string=>string=>string=>string=>string=>string |
                 NAND6 of string=>string=>string=>string=>string=>string=>string |
                 NOR6 of string=>string=>string=>string=>string=>string=>string |
                 JKFF of string=>string=>string |
                 RSFF of string=>string=>string |
                 JKFFE of string=>string=>string=>string |
                 AO of string=>string=>string=>string=>string |
                 REGCON of string=>string=>string |
                 REG of string=>string |
                 FORK of string=>string |
                 INIT of (string#Mdg_Basic) |
                 SNXT of string=>string |
                 TABLESYN of (string list)=>Out_Type=>((Mdg_Basic Table_Val list) list)
                             =>((num->bool) list)=>Default_Type |
                 SEQ of Mdg_Hdl=>Mdg_Hdl |
                 INTERNAL of string=>Mdg_Hdl
Exoutput     ::= EXOUT of string list
Exinput      ::= EXIN of string list
Invariable   ::= INV of string list
Mdg_Program  ::= PROG of Exoutput=>Exinput=>Invariable=>Mdg_Hdl
Appendix C
The MDG-HDL Programs of the Verification of the Chocolate Machine
When we verify the correctness of the chocolate machine in MDG, we need to provide four MDG-HDL files. Those files are given below:
(1). The Circuit Specification File
% Multifile declaration required by Prolog system. %
:- multifile signal/2.
:- multifile component/2.
:- multifile st_nxst/2.
:- multifile next_state_partition/1.
:- multifile output_partition/1.
:- multifile outputs/1.
:- multifile init_val/2.
:- multifile init_var/2.
:- multifile par_strategy/2.
% Common signals %
signal(insertCoin,bool).
signal(pushChoc,bool).
signal(chocSt,chocStates).
signal(giveChange,bool).
signal(pushChange,bool).
signal(chocLight,bool).
signal(coinLight,bool).
signal(giveChoc,bool).
signal(changeLight,bool).
% Components of X %
component(choc_machine,
  table([[chocSt,insertCoin,pushChange,pushChoc,n_chocSt],
         [reset,1,*,*,coin],[reset,0,*,*,reset],
         [coin,*,1,*,change],[coin,*,0,*,coin],
         [change,*,*,1,choc],[change,*,*,0,change],
         [choc,*,*,*,reset]])).
component(coin_light,table([[chocSt,coinLight],[reset,1]|0])).
component(change_light,table([[chocSt,changeLight],[coin,1]|0])).
component(give_change,table([[chocSt,giveChange],[change,1]|0])).
component(choc_light,table([[chocSt,chocLight],[change,1]|0])).
component(give_choc,table([[chocSt,giveChoc],[choc,1]|0])).
% Initial state %
init_val(chocSt,reset).
outputs([coinLight,chocLight,changeLight,giveChoc,giveChange]).
% Partitions %
output_partition([[[coinLight]],[[chocLight]],[[changeLight]],
                  [[giveChoc]],[[giveChange]]]).
next_state_partition([[[n_chocSt]]]).
% State variables to next state variables mapping %
st_nxst(chocSt,n_chocSt).
% Partition strategy %
par_strategy(auto,auto).
(2). The Circuit Implementation File
% Multifile declaration required by Prolog system. %
:- multifile signal/2.
:- multifile component/2.
:- multifile st_nxst/2.
:- multifile next_state_partition/1.
:- multifile output_partition/1.
:- multifile outputs/1.
:- multifile init_val/2.
:- multifile init_var/2.
:- multifile par_strategy/2.
% Common signals %
signal(insertCoin,bool).
signal(pushChange,bool).
signal(pushChoc,bool).
signal(l1,bool).
signal(choc_a,bool).
signal(xin,bool).
signal(coin_a,bool).
signal(reset_a,bool).
signal(l2,bool).
signal(l4,bool).
signal(l3,bool).
signal(l5,bool).
signal(yin,bool).
signal(x,bool).
signal(givenChoc_a,bool).
signal(y,bool).
signal(xbar,bool).
signal(ybar,bool).
signal(change_a,bool).
signal(givenChange_a,bool).
signal(chocLight_a,bool).
signal(changeLight_a,bool).
signal(coinLight_a,bool).
% Components of X %
component(x_and,and(input(coin_a,pushChange),output(l1))).
component(x_or,or(input(change_a,l1),output(xin))).
% Components of Y %
component(y_and_rein,and(input(reset_a,insertCoin),output(l2))).
component(y_or_col2,or(input(coin_a,l2),output(l4))).
component(y_inv,not(input(pushChoc),output(l3))).
component(y_and_chl3,and(input(change_a,l3),output(l5))).
component(y_or_l4l5,or(input(l4,l5),output(yin))).
% Component of Register %
component(reg_x,reg(input(xin),output(x))).
component(reg_y,reg(input(yin),output(y))).
% Component of Output from the register %
component(outreg_inv_x,not(input(x),output(xbar))).
component(outreg_inv_y,not(input(y),output(ybar))).
component(outreg_and_xy,and(input(x,y),output(change_a))).
component(outreg_and_xybar,and(input(x,ybar),output(choc_a))).
component(outreg_and_xbary,and(input(xbar,y),output(coin_a))).
component(outreg_and_xbarybar,and(input(xbar,ybar),output(reset_a))).
% Wire output %
component(wire_choc_givenchoc,fork(input(choc_a),output(givenChoc_a))).
component(wire_choc_changlight,fork(input(change_a),output(chocLight_a))).
component(wire_change_givechange,fork(input(change_a),output(givenChange_a))).
component(wire_coin_choclight,fork(input(coin_a),output(changeLight_a))).
component(wire_reset_coinlight,fork(input(reset_a),output(coinLight_a))).
% Initial state %
init_val(x,0).
init_val(y,0).
outputs([coinLight_a,chocLight_a,changeLight_a,givenChoc_a,givenChange_a]).
% Partitions %
output_partition([[[coinLight_a]],[[chocLight_a]],[[changeLight_a]],
                  [[givenChoc_a]],[[givenChange_a]]]).
next_state_partition([[[xin]],[[yin]]]).
% State variables to next state variables mapping %
st_nxst(x,xin).
st_nxst(y,yin).
% Partition strategy %
par_strategy(auto,auto).
(3). The Algebraic Specification File
% Multifile definition for Prolog predicates. %
:- multifile abs_sort/1.
:- multifile conc_sort/2.
:- multifile function/3.
:- multifile gen_const/2.
:- multifile rr/3.
:- multifile ucrr/2.
% Algebraic specification %
conc_sort(chocStates,[reset,coin,choc,change]).
(4). The Symbol Order File
order_main([
  insertCoin,
  pushChoc,
  pushChange,
  % internal %
  chocSt,
  n_chocSt,
  coin_a,
  l1,
  choc_a,
  reset_a,
  l2,
  l4,
  l3,
  l5,
  xin,
  x,
  yin,
  y,
  xbar,
  ybar,
  change_a,
  % outputs %
  giveChange,
  givenChange_a,
  chocLight,
  chocLight_a,
  coinLight,
  coinLight_a,
  giveChoc,
  givenChoc_a,
  changeLight,
  changeLight_a
]).
(5). The Invariant Specification File
signal(insertCoin,bool).
signal(pushChoc,bool).
signal(pushChange,bool).
signal(coinLight,bool).
signal(coinLight_a,bool).
signal(u_CoinLight,bool).
signal(chocLight,bool).
signal(chocLight_a,bool).
signal(u_ChocLight,bool).
signal(changeLight,bool).
signal(changeLight_a,bool).
signal(u_ChangeLight,bool).
signal(giveChoc,bool).
signal(givenChoc_a,bool).
signal(u_GivenChoc,bool).
signal(giveChange,bool).
signal(givenChange_a,bool).
signal(u_GivenChange,bool).
% Components %
component(coinLight_fork1,fork(input(u_CoinLight),output(coinLight))).
component(coinLight_fork2,fork(input(u_CoinLight),output(coinLight_a))).
component(chocLight_fork1,fork(input(u_ChocLight),output(chocLight))).
component(chocLight_fork2,fork(input(u_ChocLight),output(chocLight_a))).
component(changeLight_fork1,fork(input(u_ChangeLight),output(changeLight))).
component(changeLight_fork2,fork(input(u_ChangeLight),output(changeLight_a))).
component(givenChoc_fork1,fork(input(u_GivenChoc),output(giveChoc))).
component(givenChoc_fork2,fork(input(u_GivenChoc),output(givenChoc_a))).
component(givenChange_fork1,fork(input(u_GivenChange),output(giveChange))).
component(givenChange_fork2,fork(input(u_GivenChange),output(givenChange_a))).
% Outputs %
outputs([coinLight,coinLight_a,chocLight,chocLight_a,changeLight,
         changeLight_a,giveChoc,givenChoc_a,giveChange,givenChange_a]).
% Order of condition signals %
order_cond([
  insertCoin,
  pushChoc,
  pushChange,
  u_CoinLight,
  coinLight,
  coinLight_a,
  u_ChocLight,
  chocLight,
  chocLight_a,
  u_ChangeLight,
  changeLight,
  changeLight_a,
  u_GivenChoc,
  giveChoc,
  givenChoc_a,
  u_GivenChange,
  giveChange,
  givenChange_a]).
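The chocolate machine of Appendix C, re-encoded and checked concretely as an added example that is neither the thesis's HOL embedding nor MDG's own code: the specification and implementation files become terms of a small Python rendering of the Mdg_Hdl constructors of Appendix B, a one-step semantics evaluates them, and an explicit product-machine reachability check confirms that every output pair named in the invariant file agrees in every reachable state under every input. The tuple encoding, the `step` and `check_equivalence` functions and the treatment of st_nxst as a REG are assumptions of the example.

```python
"""Added example (not the thesis's HOL embedding nor MDG's own code): the
chocolate machine of Appendix C as terms of a small Python rendering of the
Mdg_Hdl constructors of Appendix B, plus a concrete one-step semantics and a
product-machine reachability check of the invariant file."""
from itertools import product
# Assumed encoding: ("NOT", a, out) ("AND", a, b, out) ("OR", a, b, out)
# ("FORK", a, out) ("REG", d, q) ("TABLE", ins, rows, default, out); a list
# plays SEQ. Values are 0/1 or a concrete-sort constant; "*" is DON'T_CARE.
OPS = {"NOT": lambda a: 1 - a, "AND": lambda a, b: a & b,
       "OR": lambda a, b: a | b, "FORK": lambda a: a}

def lookup(rows, default, vals):
    """TABLESYN semantics: first row whose entries all match, else default."""
    for row in rows:
        if all(p in ("*", v) for p, v in zip(row, vals)):
            return row[-1]
    return default

def step(comps, state, inputs):
    """One clock cycle: evaluate combinational components to a fixpoint (the
    netlists are acyclic through registers), then latch the REGs."""
    env = {**state, **inputs}
    for _ in range(len(comps)):
        for c in comps:
            if c[0] == "TABLE":
                ins, rows, default, out = c[1:]
                if all(i in env for i in ins):
                    env[out] = lookup(rows, default, [env[i] for i in ins])
            elif c[0] != "REG" and all(a in env for a in c[1:-1]):
                env[c[-1]] = OPS[c[0]](*(env[a] for a in c[1:-1]))
    return env, {c[2]: env[c[1]] for c in comps if c[0] == "REG"}

# File (1): one TABLE per table component; the REG stands for
# st_nxst(chocSt,n_chocSt) and SPEC_INIT for init_val(chocSt,reset).
SPEC = [
    ("TABLE", ["chocSt", "insertCoin", "pushChange", "pushChoc"],
     [["reset", 1, "*", "*", "coin"], ["reset", 0, "*", "*", "reset"],
      ["coin", "*", 1, "*", "change"], ["coin", "*", 0, "*", "coin"],
      ["change", "*", "*", 1, "choc"], ["change", "*", "*", 0, "change"],
      ["choc", "*", "*", "*", "reset"]], None, "n_chocSt"),
    ("TABLE", ["chocSt"], [["reset", 1]], 0, "coinLight"),
    ("TABLE", ["chocSt"], [["coin", 1]], 0, "changeLight"),
    ("TABLE", ["chocSt"], [["change", 1]], 0, "giveChange"),
    ("TABLE", ["chocSt"], [["change", 1]], 0, "chocLight"),
    ("TABLE", ["chocSt"], [["choc", 1]], 0, "giveChoc"),
    ("REG", "n_chocSt", "chocSt")]
SPEC_INIT = {"chocSt": "reset"}
# File (2): the gate netlist with registers x and y, init_val 0.
IMPL = [
    ("AND", "coin_a", "pushChange", "l1"), ("OR", "change_a", "l1", "xin"),
    ("AND", "reset_a", "insertCoin", "l2"), ("OR", "coin_a", "l2", "l4"),
    ("NOT", "pushChoc", "l3"), ("AND", "change_a", "l3", "l5"),
    ("OR", "l4", "l5", "yin"), ("REG", "xin", "x"), ("REG", "yin", "y"),
    ("NOT", "x", "xbar"), ("NOT", "y", "ybar"),
    ("AND", "x", "y", "change_a"), ("AND", "x", "ybar", "choc_a"),
    ("AND", "xbar", "y", "coin_a"), ("AND", "xbar", "ybar", "reset_a"),
    ("FORK", "choc_a", "givenChoc_a"), ("FORK", "change_a", "chocLight_a"),
    ("FORK", "change_a", "givenChange_a"), ("FORK", "coin_a", "changeLight_a"),
    ("FORK", "reset_a", "coinLight_a")]
IMPL_INIT = {"x": 0, "y": 0}
INPUTS = ["insertCoin", "pushChoc", "pushChange"]
# File (5): each specification output must equal its implementation twin.
PAIRS = [("coinLight", "coinLight_a"), ("chocLight", "chocLight_a"),
         ("changeLight", "changeLight_a"), ("giveChoc", "givenChoc_a"),
         ("giveChange", "givenChange_a")]

def check_equivalence(spec, spec_init, impl, impl_init):
    """Explore the product machine under every input valuation; return
    (True, number of reachable state pairs) or (False, offending pair)."""
    key = lambda s: tuple(sorted(s.items()))
    start = (key(spec_init), key(impl_init))
    seen, todo = {start}, [start]
    while todo:
        s, i = todo.pop()
        for bits in product((0, 1), repeat=len(INPUTS)):
            senv, snxt = step(spec, dict(s), dict(zip(INPUTS, bits)))
            ienv, inxt = step(impl, dict(i), dict(zip(INPUTS, bits)))
            if any(senv[a] != ienv[b] for a, b in PAIRS):
                return False, (s, i)
            nxt = (key(snxt), key(inxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True, len(seen)
```

Swapping a single fork input (for instance driving coinLight_a from coin_a instead of reset_a) makes the check return False at the initial state pair, which is the kind of discrepancy the invariant file exists to expose.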
