Specification and verification of gate-level VHDL models of synchronous and asynchronous circuits by Russinoff, David M.
NASA Contractor Report 191608
Specification and Verification of
Gate-Level VHDL Models of
Synchronous and Asynchronous Circuits
David M. Russinoff
Computational Logic, Inc., Austin, Texas
(NASA-CR-191608) Specification and Verification of Gate-Level VHDL Models of Synchronous and Asynchronous Circuits. Final Report (Computational Logic) 138 p. N95-22830, Unclas, G3/62 0043605
Contract NAS1-18878
January 1995
National Aeronautics and
Space Administration
Langley Research Center
Hampton, Virginia 23681-0001
https://ntrs.nasa.gov/search.jsp?R=19950016413
Abstract
We present a mathematical definition of a hardware description language (HDL)
that admits a semantics-preserving translation to a subset of VHDL. Our HDL
includes the basic VHDL propagation delay mechanisms and gate-level circuit de-
scriptions. We also develop formal procedures for deriving and verifying concise
behavioral specifications of combinational and sequential devices. The HDL and
the specification procedures have been formally encoded in the computational logic
of Boyer and Moore, which provides a LISP implementation as well as a facility
for mechanical proof-checking. As an application, we design, specify, and verify a
circuit that achieves asynchronous communication by means of the biphase mark
protocol.

Contents
1 Introduction 1
1.1 Hardware Modeling 1
1.2 Behavioral Specifications 2
1.3 Asynchronous Communication 3
1.4 Nqthm Formalization 3
2 Definition of the Language 4
2.1 S-expressions 4
2.2 Waveforms 5
2.3 Behavioral Modules 8
2.4 Structural Modules 10
2.5 Simulation 13
3 Specification of Synchronous Circuits 17
3.1 Combinational Modules 17
3.2 Sequential Modules 20
3.3 Sequential Values 21
3.4 Behavior of dff 24
3.5 Parameters 25
3.6 The Main Theorem 27
4 Asynchronous Communication 30
4.1 Smooth and Quasi-Smooth Waveforms 30
4.2 Describing Output as Input 31
4.3 Eliminating Metastability 32
4.4 The Main Theorem 36
5 Biphase Mark 37
5.1 Sending 37
5.2 Receiving 38
5.3 Moore's Theorem 39
5.4 Basic Components 39
5.5 The Sender 43
5.6 The Receiver 46
5.7 The Main Theorem 50
6 NASA's Reliable Computing Platform 51
Appendix: Nqthm Formalization 54
A Language Definition 54
B Properties of the Simulator 68
C Synchronous Sequential Circuits 81

1 Introduction
NASA Langley Research Center has conducted a research program in formal methods,
focusing on the development of a practical verification methodology for fault-tolerant
digital flight-control systems. Computational Logic, Inc. (CLI) is one of several organi-
zations that have participated in this program. The first phase of the program addressed
the application of formal methods to various key design problems. During this phase,
CLI produced results in three areas:
(1) The formal design and verification of a circuit that achieves Byzantine agreement
among four synchronous processors [1];
(2) The mechanical verification of the Interactive Convergence clock synchronization
algorithm [22];
(3) The formalization of the Biphase Mark protocol for asynchronous communica-
tion [15].
The second phase of the program is concerned with exploring the integration of these
results in the design of a verified reliable computing platform (RCP) [9, 10] for real-time
control. This paper is a report on CLI's effort during this phase.
1.1 Hardware Modeling
A prerequisite for the realization of NASA's goals is a hardware description language
(HDL) that is both (a) amenable to formal verification and (b) suitable for representing
asynchronous systems of communicating processors. Much of our effort has been devoted
to the development of a language that meets these requirements.
Our previous research in hardware modeling and verification has been based on an
HDL developed at CLI by Brock and Hunt [5]. The utility of the Brock-Hunt HDL as a
verification tool, as demonstrated in the verification of the FM9001 microprocessor [4],
stems from the simplicity of its semantics. All circuits designed in this language are
assumed to be driven by an implicit global clock. Simulation of a circuit amounts to
a computation of a sequence of states corresponding to clock cycles. Thus, no explicit
representation of time or propagation delays is provided, so that the class of circuits
that can be satisfactorily modeled is limited. In particular, the language is unsuitable
for any application involving asynchrony.
Commercial event-driven simulation languages provide for a broader range of hard-
ware behaviors. VHDL [11], in particular, has gained wide acceptance in the hardware
design community as a validation tool. Since the limitations of simulation as a method
of validation are well known, a formal verification system based on VHDL would have
clear practical value. Unfortunately, like most programming languages in common use,
the semantics of VHDL are complicated and obscure. There have been various attempts
to formalize these semantics [2, 8, 19, 21], but none of these have provided an effective
verification methodology.
We have undertaken, therefore, to identify a core subset of VHDL that is small
enough to admit a clear and simple semantic definition, providing for correctness proofs
of comprehensive behavioral specifications, but extensive enough to provide realistic
gate-level descriptions of the circuits involved in our intended application. Thus, we
have avoided complicated language constructs and focused on the VHDL models of time,
signal behavior, propagation delay, and event-driven simulation.
The definition of our language is presented in Section 2. Its syntax, based on the
S-expressions of LISP (Subsection 2.1), is more abstract and amenable to direct formal
analysis than the standard VHDL syntax [11]. The correspondence between the two
is straightforward; a simple translator from our language to VHDL is described else-
where [12]. Here, we concentrate on a mathematical treatment of the abstract language.
This begins in Subsection 2.2, where we present the notions of time and waveform, on
which the semantics of the language are based. We also define two waveform transforma-
tions that embody the main propagation delay modes of VHDL, transport and inertial,
and derive their fundamental properties.
In Subsection 2.3, we describe the form and execution of behavioral modules, which
are used to model gates and also to specify abstractly the behavior of circuits. Subsec-
tion 2.4 discusses structural modules, which provide hierarchical descriptions of circuits
in terms of connections among their components. For the purpose of illustration, we
exhibit the actual VHDL code generated by the translator for modules of both types.
The semantics of the language are given by an interpreter function, sim, which
produces a list of waveforms that represent the output generated by a module in response
to a given list of input waveforms. The definition of sim is presented in Subsection 2.5,
along with a number of basic results pertaining to its behavior.
1.2 Behavioral Specifications
During the course of the design process, a typical hardware device is modeled at various
levels of abstraction. An initial abstract model, derived from a given behavioral spec-
ification, is gradually refined to produce a concrete model, such as a network of gates,
which is more amenable to implementation. A design is validated by demonstrating the
equivalence of these representations.
This is most commonly effected through simulation. In VHDL, a circuit component
may be associated with various alternative architectures, which describe the component
at different levels of abstraction. The equivalence of architectures may be confirmed
through comparative simulations. Once a sufficiently low-level VHDL architecture has
been derived and validated in this manner, it may be implemented directly.
We propose to replace simulation with formal verification. In our VHDL subset,
circuit components are represented concretely at the gate level. In Section 3, we shall
describe a methodology for deriving abstract behavioral specifications and proving that
they are satisfied by these gate-level models.
In Subsection 3.1, we consider the relatively simple class of combinational circuits,
i.e., circuits that are free of cyclic paths. Each output of such a circuit is naturally
associated with a certain Boolean function of the inputs. This association is commonly
stated as follows: the value of an output at any time may be computed by applying the
associated function to the current input values. Obviously, this description is valid only
with respect to hardware models that ignore propagation delay. We shall derive a more
accurate specification of combinational circuits and verify its validity in the context of
our model.
The analysis of sequential circuits is considerably more complicated. While the ab-
stract sequential machine model is well understood, its precise relationship with the
actual behavior of the hardware that it is intended to describe is not. The sequential
machine characterization is traditionally based on the extravagant assumption that sig-
nal values may change only at discrete points occurring at regular time intervals. This
allows the behavior of a signal to be represented abstractly as a sequence of values. The
value of an output over a given interval is then expressed as a function of the sequence
of past input values. Of course, the underlying model again must disregard propaga-
tion delay. This approximation seems questionable, since the functionality of the basic
state-holding elements generally depends critically on the presence of delays.
In Subsection 3.2, we define a class of sequential circuits that may be characterized
as synchronous resettable rising-edge-triggered devices. The basic memory element em-
ployed in their construction is a resettable clocked d-flip-flop, composed of nand gates,
described in Subsection 3.3. In Subsections 3.4-3.5, we establish a procedure for deriv-
ing high-level sequential machine descriptions for the class of circuits. In Subsection 3.6,
we prove a theorem that gives a precise statement of the relationship between the se-
quential machine description of a circuit and its behavior as defined by our gate-level
semantics.
1.3 Asynchronous Communication
The utility of our approach with respect ot the NASA RCP depends on our ability to
model asynchronous communication between individually synchronous processors. This
problem is addressed in Section 4. We present a solution based on Moore's model of
asynchrony [15]. After reviewing this model, we prove a theorem that demonstrates its
applicability to a class of circuits defined in our language. Each of these circuits consists
of a pair of sequential circuits that are driven by independent clocks of approximately
equal periods. They communicate with the aid of a latch that serves to smooth the
sender's output, allowing it to be read by the receiver.
In Section 5, we present a concrete definition of such a circuit that achieves asyn-
chronous communication by means of the well known biphase mark protocol [18]. The
circuit design and the proof of its correctness are both based on [15].
1.4 Nqthm Formalization
The decision to base our language on S-expressions was motivated by our desire to
support its analysis with the use of the Nqthm system of Boyer and Moore [3]. Nqthm
is based on a constructive formal logic for which the intended model is the domain of
S-expressions. Thus, there is a correspondence between the formulas of this logic and
informal propositions about S-expressions. A user of the system may extend the logic by
adding axioms that correspond to definitions of computable functions over this domain.
Mechanical support for the Nqthm logic is provided by a LISP implementation that
includes (1) an evaluator that computes values of functions defined in the logic, and (2) a
theorem prover that may be used to derive logical consequences of the axioms. Since
these theorems may be interpreted as propositions about functions of S-expressions, the
prover may be used to verify (formally and mechanically) the correctness of properties of
these functions that have been derived by traditional (informal) mathematical methods.
All of the functions involved in the construction of our language, which we describe
informally, meet the computability requirement for encoding as Nqthm definitions [3].
In fact, we have developed an Nqthm theory, presented in Appendix A, that formalizes
these functions, including the module recognizers that form the syntax of the language
and the interpreter that constitutes its semantics. Thus, we have a complete LISP
implementation of our language, provided by the Nqthm evaluator.
Moreover, all of our results, which are justified by informal (but mathematically
rigorous) proofs, correspond in a natural way to Nqthm formulas. Thus, these proofs
could, in principle, be checked mechanically by the Nqthm prover, thereby increasing
our confidence in their validity at the the expense of some effort. At the time of this
writing, mechanical proofs have been generated for most of the results of Section 2 (see
Appendix B), as well as most of the results pertaining to specific circuits, including the
components of the biphase mark implementation (Appendix C).
Another benefit of the Nqthm formalization is that it provides a basis for a LISP
implementation of the translator from our syntax to that of VHDL [12]. This potentially
allows commercial VHDL synthesis tools to be used to implement our programs in
silicon. As another application of more immediate interest, we have actually executed
(the translations of) many of our programs using the Vantage VHDL simulator. For
the simulations that we have tested, which include all of those described herein, the
Vantage results were identical to those produced by our LISP-based interpreter. Since
the official description of VHDL [11] is often ambiguous, this offers useful evidence that
we have achieved our goal of semantically capturing the VHDL subset in which we are
interested.
2 Definition of the Language
2.1 S-expressions
Along with the set $\mathbb{N}$ of natural numbers, we posit a set $B = \{T, F\}$ and an infinite set
$L$, the elements of which are called Boolean and literal atoms, respectively. These three
sets are assumed to be pairwise disjoint, and any element of their union is called an
atom. We further assume that no atom is an ordered pair of atoms, and we recursively
define an S-expression to be an atom or an ordered pair of S-expressions. $S$ denotes the
set of all S-expressions. Three basic operations on $S$ are defined: if $z = (x, y) \in S \times S$,
then $\mathit{car}(z) = x$, $\mathit{cdr}(z) = y$, and $\mathit{cons}(x, y) = z$.
We also assume the existence of various distinct literal atoms, which we shall mention
as we proceed. Among these is the atom INFINITY. We define a generalized number to
be an atom that is either INFINITY or an element of $\mathbb{N}$. Both the order relation and the
addition operation on $\mathbb{N}$ are extended to the set of generalized numbers in the natural
manner: for any $n \in \mathbb{N}$, $n < \mathrm{INFINITY}$ and $n + \mathrm{INFINITY} = \mathrm{INFINITY} + n = \mathrm{INFINITY}$.
A list is an S-expression that is either the literal atom NIL or an ordered pair $z \in S \times S$
such that $\mathit{cdr}(z)$ is a list. The list NIL is denoted alternatively as (), and a non-NIL list
$z$ is denoted as $(a_1 \ldots a_n)$, where $a_1 = \mathit{car}(z)$ and $(a_2 \ldots a_n)$ denotes $\mathit{cdr}(z)$. In this
case, $n$ is the length of $z$, and $a_1, \ldots, a_n$ are its members. For $1 \le i \le n$, $\mathit{nth}(i, z)$ is
defined to be $a_i$. A list is a bit vector if each of its members is a Boolean atom.
A function $f : B^n \to B$ is an $n$-ary Boolean function. The following Boolean func-
tions are called elementary: the 0-ary functions $t0$ and $f0$, with values $T$ and $F$, re-
spectively; the unary function $not1$; the binary functions $and2$, $or2$, $nand2$, $nor2$, $xor2$;
the ternary functions $and3$, $or3$, $nand3$, $nor3$, $xor3$; the quaternary functions $and4$, $or4$,
$nand4$, $nor4$, and $xor4$; and the quinary functions $and5$, $or5$, $nand5$, $nor5$, and $xor5$.
The definitions of these functions are assumed to be understood.
For the purpose of encoding Boolean function calls, we also assume that each ele-
mentary Boolean function $f$ is associated with a unique literal atom $\bar{f}$ that is denoted
with the same name as $f$. Thus, the function $not1$ is associated with the literal atom
$\overline{not1} = \mathrm{NOT1}$. We define a Boolean term over a list $L$ of distinct literal atoms to be an
S-expression that is either (a) a member of $L$, or (b) a list $(\bar{f}\ r_1 \ldots r_n)$, where $f$ is an
$n$-ary elementary Boolean function and each $r_i$ is a Boolean term over $L$.
Let $L = (s_1 \ldots s_k)$ be a list of distinct literal atoms and let $V = (v_1 \ldots v_k)$ be a
bit vector. Then $\mathit{pairlist}(L, V)$ is the list $A = ((s_1, v_1) \ldots (s_k, v_k))$, which is called an
association list. If $r$ is a Boolean term over $L$, then we define $\mathit{eval}(r, A)$ to be (a) $v_i$, if
$r = s_i$, or (b) $f(\mathit{eval}(r_1, A), \ldots, \mathit{eval}(r_n, A))$, if $r = (\bar{f}\ r_1 \ldots r_n)$.
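The term recognizer and the evaluator eval just defined, as an added example in Python (not the paper's Nqthm encoding): terms are nested tuples standing in for S-expression lists, literal atoms are Python strings, and the association list is a list of pairs. The truth tables of the elementary functions are an assumption of the example, since the paper leaves them "understood"; xorN is taken as odd parity, which is what makes (XOR3 A B C) the sum bit of the 1-bit adder adder1 of Subsection 2.3. The block evaluates both adder1 output terms and checks them against binary addition on all eight inputs.

```python
"""Boolean terms over S-expressions (Subsection 2.1), as an added example.

A term is either a literal atom (a Python str naming a signal) or a tuple
(F, r1, ..., rn) standing for the S-expression (F r1 ... rn), where F names
an n-ary elementary Boolean function.  ASSUMPTION: the truth tables below
are the conventional ones; the paper leaves them "understood".
"""

def _family(name, fn, arities=(2, 3, 4, 5)):
    return {f"{name}{n}": (n, fn) for n in arities}

# name -> (arity, function on Python bools); ANDn ... XORn for n = 2..5
ELEMENTARY = {
    "T0": (0, lambda: True),
    "F0": (0, lambda: False),
    "NOT1": (1, lambda a: not a),
    **_family("AND", lambda *xs: all(xs)),
    **_family("OR", lambda *xs: any(xs)),
    **_family("NAND", lambda *xs: not all(xs)),
    **_family("NOR", lambda *xs: not any(xs)),
    **_family("XOR", lambda *xs: sum(xs) % 2 == 1),   # odd parity
}

def is_boolean_term(r, L):
    """Recognizer for Boolean terms over the list L of distinct literal atoms."""
    if isinstance(r, str):
        return r in L
    if not isinstance(r, tuple) or not r or r[0] not in ELEMENTARY:
        return False
    arity, _ = ELEMENTARY[r[0]]
    return len(r) - 1 == arity and all(is_boolean_term(x, L) for x in r[1:])

def is_primitive_term(r):
    """A term with no nested calls: an atom, or a call whose arguments are atoms."""
    return isinstance(r, str) or all(isinstance(x, str) for x in r[1:])

def pairlist(L, V):
    """Association list ((s1 . v1) ... (sk . vk)), as a list of pairs."""
    assert len(L) == len(V)
    return list(zip(L, V))

def eval_term(r, A):
    """eval(r, A): look atoms up in A, apply elementary functions recursively."""
    if isinstance(r, str):
        return dict(A)[r]
    _, fn = ELEMENTARY[r[0]]
    return fn(*(eval_term(x, A) for x in r[1:]))

# The output terms of the 1-bit adder adder1 of Subsection 2.3.
ADDER1_INPUTS = ("A", "B", "C")
SUM_TERM = ("XOR3", "A", "B", "C")
CARRY_TERM = ("OR2", ("AND2", "A", ("OR2", "B", "C")), ("AND2", "B", "C"))

def adder1(a, b, c):
    """Combinational values (L, H) of adder1 for the input bits a, b, c."""
    A = pairlist(ADDER1_INPUTS, (a, b, c))
    return eval_term(SUM_TERM, A), eval_term(CARRY_TERM, A)

def adder1_matches_addition():
    """True iff (H, L) is the binary representation of a + b + c on all inputs."""
    for n in range(8):
        a, b, c = (bool(n >> i & 1) for i in range(3))
        low, high = adder1(a, b, c)
        if 2 * high + low != a + b + c:
            return False
    return True

if __name__ == "__main__":
    print(adder1_matches_addition())
```

The recognizer rejects a call with the wrong arity and a term over an atom not in L, which is the check the module recognizers of the Nqthm theory (Appendix A) have to make before a module is admitted.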
2.2 Waveforms
Let $\mathcal{T}$ be the quotient set determined by the equivalence relation on $\mathbb{N} \cup (\mathbb{N} \times \mathbb{N})$ that
identifies each $n \in \mathbb{N}$ with the pair $(n, 0) \in \mathbb{N} \times \mathbb{N}$. An element of $\mathcal{T}$ is called a
time object. Thus, any element of $\mathbb{N}$ or $\mathbb{N} \times \mathbb{N}$ denotes a unique time object, with the
understanding that for $n \in \mathbb{N}$, $n$ and $(n, 0)$ denote the same object.
The motivation for this ordered-pair model of time is the need to provide records
of the behavior of zero-delay devices. The components of a time object $(n, k)$ may be
interpreted as follows: $n$ represents the number of time units, which we arbitrarily take
to be picoseconds, that have elapsed since the start of a simulation; $k$ represents the
number of successive delta cycles that have occurred during the current time unit.
Thus, $\mathcal{T}$ is ordered according to the lexicographic order on $\mathbb{N} \times \mathbb{N}$, which is consistent
with the natural ordering of $\mathbb{N}$: for time objects $t_1 = (n_1, k_1)$ and $t_2 = (n_2, k_2)$, $t_1 \le t_2$
iff $n_1 \le n_2$ and either $n_1 < n_2$ or $k_1 \le k_2$. Thus the minimum element of $\mathcal{T}$ is the
time object that is denoted alternatively as $0$ or $(0, 0)$. For $t_1, t_2 \in \mathcal{T}$, the interval
$\{t \in \mathcal{T} : t_1 \le t < t_2\}$ will be denoted as $[t_1, t_2)$.
An event is an ordered pair $e = (v, t)$, where $v = \mathit{value}(e) \in B$ and $t = \mathit{time}(e) \in \mathcal{T}$.
Let $w = ((v_n, t_n) \ldots (v_0, t_0))$ be a list of events. If $t_i > t_{i-1}$ and $v_i \ne v_{i-1}$ for $0 < i \le n$,
and $t_0 = 0$, then $w$ is a waveform. Note that according to this definition, successive
events of a waveform must have different values; in VHDL terminology, all transactions
are events. This restriction is consistent with the absence of implicit signals from our
subset: since there is no way to detect transactions other than events (e.g., by means of
the ACTIVE and TRANSACTION attributes), they may be ignored.
We define $\tilde{w} : \mathcal{T} \to B$ by $\tilde{w}(t) = v_j$, where $j$ is the greatest value of $i$ satisfying
$t_i \le t$; $\tilde{w}(t)$ is called the value of $w$ at $t$. Note that $\tilde{w}_1 = \tilde{w}_2$ iff $w_1 = w_2$. If $t = t_j$, then
we shall say that $w$ has a new value at $t$. We also define the history of $w$ relative to $t$ to
be the waveform $\mathit{hist}(w, t) = ((v_j, t_j) \ldots (v_0, t_0))$.
A packet is a list of waveforms, $p = (w_1 \ldots w_n)$, $n \ge 0$. For any $t \in \mathcal{T}$, the value of $p$
at $t$ is the bit vector $\tilde{p}(t) = (\tilde{w}_1(t) \ldots \tilde{w}_n(t))$; $p$ has a new value at $t$ if any member of $p$
does. The history of $p$ relative to $t$ is the packet $\mathit{hist}(p, t) = (\mathit{hist}(w_1, t) \ldots \mathit{hist}(w_n, t))$.
The behavior of each signal occurring in a circuit will be modeled as a waveform.
During the course of a simulation, these waveforms are updated at various times. When
a waveform is considered in the context of a current time $t_0$, each of its members $e$ is
viewed as a past, current, or future event, according to the relationship between $\mathit{time}(e)$
and $t_0$. Past and present events are immutable, but future events are subject to deletion
as they are superseded by newly scheduled events, as described below.
Whenever a new event $e$ is to be scheduled for a signal, $\mathit{time}(e)$ is computed from
the current time $t_0 = (n, k)$ and a delay $d \in \mathbb{N}$ that is associated with the signal, by
means of an addition operation $\oplus$ from $\mathcal{T} \times \mathbb{N}$ to $\mathcal{T}$, defined as follows:
$$(n, k) \oplus d = \begin{cases} (n + d, 0) & \text{if } d \ne 0 \\ (n, k + 1) & \text{if } d = 0. \end{cases}$$
Thus, regardless of delay, when a new event $e = (v, t_e)$ is scheduled on a waveform
$w$ at time $t_0$, we have $t_0 < t_e$. The scheduling may be performed by either of two
procedures, corresponding to the transport and inertial delay modes of VHDL. Note that
the definitions of these procedures are somewhat different from the processes described
in [11], due to our restricted notion of waveform.
Transport delay is the simpler of the two: each event $(v', t')$ with $t' > t_e$ is deleted
from $w$, and $e$ is then consed to the result, unless that result already has value $v$ at
$t_e$. The updated waveform $w'$ is computed as the value of $\mathit{transport}(w, v, t_e)$, which is
defined recursively as follows:
(1) Let $\mathit{car}(w) = (v_f, t_f)$. If $t_f > t_e$, then $w' = \mathit{transport}(\mathit{cdr}(w), v, t_e)$; otherwise:
(2) If $v_f = v$, then $w' = w$; otherwise:
(3) $w' = \mathit{cons}((v, t_e), w)$.
Alternatively, $w'$ may be described in terms of the function $\tilde{w}'$:
$$\tilde{w}'(t) = \begin{cases} v & \text{if } t \ge t_e \\ \tilde{w}(t) & \text{if } t < t_e. \end{cases}$$
Inertial delay is somewhat more complicated: every event $(v', t')$ with $t' > t_0$ is
deleted from $w$, and if $\tilde{w}(t_0) \ne v$, then a single event with value $v$ is consed to the
result. If $\tilde{w}(t_e) = v$, then the time of this event is the time of the last event of $w$
at or before $t_e$; otherwise, it is $t_e$. Note that this procedure takes the current time
$t_0$ as an additional argument, and requires that $t_0 < t_e$. The recursive definition of
$w' = \mathit{inertial}(w, v, t_0, t_e)$ is given as follows:
(1) Let $u = \mathit{hist}(w, t_0)$. If $\tilde{u}(t_0) = v$, then $w' = u$; otherwise:
(2) Let $\mathit{car}(w) = (v_f, t_f)$. If $t_f > t_e$, then $w' = \mathit{inertial}(\mathit{cdr}(w), v, t_0, t_e)$; otherwise:
(3) If $v_f = v$, then $w' = \mathit{cons}((v, t_f), u)$; otherwise:
(4) $w' = \mathit{cons}((v, t_e), u)$.
[Figure 1: Transport and Inertial Delay. Timing diagrams (a), (b) and (c) on a time axis running from 0 to 10.]
Transport mode is often used to model wires (along which pulses of arbitrarily small
duration are propagated to the delayed signal), while gate outputs are generally modeled
by inertial delay. The difference between the two modes is illustrated in Fig. 1. The
diagram labelled (a) represents the waveform
$$w = ((T, 9)\ (F, 8)\ (T, 6)\ (F, 5)\ (T, 3)\ (F, 1)\ (T, 0)).$$
The results of updating $w$ at time 1 by scheduling an event with time 7 and value $T$, in
both transport and inertial modes, are
$$\mathit{transport}(w, T, 7) = ((T, 6)\ (F, 5)\ (T, 3)\ (F, 1)\ (T, 0))$$
and
$$\mathit{inertial}(w, T, 1, 7) = ((T, 6)\ (F, 1)\ (T, 0)),$$
as shown in (b) and (c), respectively.
The following is a useful summary of both propagation functions. Each result may
be proved by a straightforward induction. Note that (b) is consistent with our earlier
informal observation that past and present events are immutable:
Lemma 2.1 Let $w$ be a waveform, let $t_0$, $t_1$, $t_2$, and $t_e$ be natural numbers with $t_0 < t_e$,
and let $w'$ be either $\mathit{transport}(w, v, t_e)$ or $\mathit{inertial}(w, v, t_0, t_e)$. Then
(a) $\tilde{w}'(t) = v$ for $t \ge t_e$;
(b) $\tilde{w}'(t) = \tilde{w}(t)$ for $t < t_0$;
(c) if $t_1 < t_0 < t_2 < t_e$ and $\tilde{w}(t) = u$ for $t \in [t_1, t_2)$, then $\tilde{w}'(t) = u$ for $t \in [t_1, t_2)$.
A similar induction shows that both procedures are "idempotent" in the following
sense:
Lemma 2.2 If $w$ is a waveform and $t_0, t_e, t_0', t_e'$ are natural numbers with $t_0 < t_e$,
$t_0' < t_e'$, $t_0 \le t_0'$, and $t_e \le t_e'$, then
(a) $\mathit{transport}(\mathit{transport}(w, v, t_e), v, t_e') = \mathit{transport}(w, v, t_e)$;
(b) $\mathit{inertial}(\mathit{inertial}(w, v, t_0, t_e), v, t_0', t_e') = \mathit{inertial}(w, v, t_0, t_e)$.
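The two scheduling procedures, as an added Python example (not the paper's Nqthm definitions): time objects are pairs (n, k) compared lexicographically, a natural number stands for (n, 0), and a waveform is a list of (value, time) events newest first. The block reproduces the Figure 1 computation, shows the $\oplus$ delta-cycle step, and checks Lemma 2.1 (a) and (b) by brute force over a finite horizon, which is the kind of sanity check to run on a hand-written propagation routine before trusting a simulator built on it.

```python
"""Waveforms and the transport/inertial delay procedures of Subsection 2.2,
as an added example (not the paper's Nqthm definitions).

A time object is a pair (n, k); a natural number n stands for (n, 0), and
tuples compare lexicographically, as the paper's order on T requires.  A
waveform is a list of (value, time) events, newest first, ending in
(v0, (0, 0)); consecutive events carry different values.
"""
T, F = True, False

def as_time(t):
    """Coerce a natural number n to the time object (n, 0)."""
    return (t, 0) if isinstance(t, int) else tuple(t)

def sched(t0, d):
    """The (+) operation: (n, k) (+) d = (n+d, 0) if d != 0, else (n, k+1)."""
    n, k = as_time(t0)
    return (n + d, 0) if d != 0 else (n, k + 1)

def is_waveform(w):
    """Recognizer: strictly decreasing times, alternating values, ends at 0."""
    if not w or w[-1][1] != (0, 0):
        return False
    return all(w[i][1] > w[i + 1][1] and w[i][0] != w[i + 1][0]
               for i in range(len(w) - 1))

def value(w, t):
    """w~(t): the value of the latest event at or before t."""
    t = as_time(t)
    return next(v for v, tv in w if tv <= t)

def hist(w, t):
    """hist(w, t): the events of w at or before t (itself a waveform)."""
    t = as_time(t)
    return [e for e in w if e[1] <= t]

def transport(w, v, te):
    """transport(w, v, te): drop events after te, then cons (v, te) unless
    the result already has value v at te."""
    te = as_time(te)
    w = [e for e in w if e[1] <= te]            # step (1)
    if w[0][0] == v:                            # step (2)
        return w
    return [(v, te)] + w                        # step (3)

def inertial(w, v, t0, te):
    """inertial(w, v, t0, te): drop everything after the current time t0; if
    the value at t0 is not already v, cons a single event with value v."""
    t0, te = as_time(t0), as_time(te)
    assert t0 < te, "an event is always scheduled strictly after the current time"
    u = hist(w, t0)                             # step (1)
    if value(u, t0) == v:
        return u
    vf, tf = next(e for e in w if e[1] <= te)   # step (2): last event of w not after te
    if vf == v:                                 # step (3): w already had v at te
        return [(v, tf)] + u
    return [(v, te)] + u                        # step (4)

def figure1():
    """The waveform of Figure 1(a) and its updates (b) and (c): at time 1,
    an event with value T is scheduled for time 7 in each mode."""
    w = [(T, (9, 0)), (F, (8, 0)), (T, (6, 0)), (F, (5, 0)),
         (T, (3, 0)), (F, (1, 0)), (T, (0, 0))]
    return w, transport(w, T, 7), inertial(w, T, 1, 7)

def lemma_2_1_holds(w, v, t0, te, horizon=20):
    """Brute-force check of Lemma 2.1 (a) and (b) over natural-number times
    below horizon, for both procedures."""
    for wp in (transport(w, v, te), inertial(w, v, t0, te)):
        if not is_waveform(wp):
            return False
        if any(value(wp, t) != v for t in range(te, horizon)):
            return False                        # (a): value v from te onward
        if any(value(wp, t) != value(w, t) for t in range(t0)):
            return False                        # (b): past events untouched
    return True

if __name__ == "__main__":
    w, wt, wi = figure1()
    print("transport:", wt)
    print("inertial: ", wi)
    print("Lemma 2.1:", lemma_2_1_holds(w, T, 1, 7))
```

Note that inertial deletes every event after the current time, not only those after the scheduled time, which is why the 5 ps pulse that transport preserves in Figure 1(b) disappears in 1(c).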
2.3 Behavioral Modules
The simplest programs of our language are the behavioral modules, which contain ex-
plicit information concerning propagation delay and the functional dependence of out-
puts on inputs.
A behavioral module is a list $M = (\mathrm{BEHAV}\ I\ O\ T\ D\ P)$, where
(1) BEHAV is the identifying literal atom for modules of this type;
(2) $I = I(M) = (r_1 \ldots r_m)$ is a list of literal atoms called the inputs of $M$;
(3) $O = O(M) = (s_1 \ldots s_n)$ is a list of literal atoms called the outputs of $M$;
(4) $T = T(M) = (\tau_1 \ldots \tau_n)$ is a list of Boolean terms over $I(M)$, called
the output terms of $M$;
(5) $D = D(M) = (d_1 \ldots d_n)$ is a list of natural numbers, the delays of $M$;
(6) $P = P(M) = (p_1 \ldots p_n)$ is a list of literal atoms called the propagation modes of
$M$, each of which is either TRANSPORT or INERTIAL.
The members of the list $(r_1 \ldots r_m\ s_1 \ldots s_n)$ are required to be distinct and are called
the signals of $M$.
Note that each output is associated with a term, a mode, and a delay. If every term
is either an atom or a list of atoms (i.e., contains no nested function calls), then $M$ is
primitive.
Gates are generally modeled as primitive modules with inertial delays. For example,
we represent a simple 2-input nand gate as the primitive module nand2:
(BEHAV (A B) (C) ((NAND2 A B)) (2000) (INERTIAL))
We may define a similar behavioral module, with $n$ inputs and 1 output, corresponding
to each elementary $n$-ary Boolean function, arbitrarily taking the delay to be 2000 in
each case. In the sequel, we shall refer to these primitive modules without explicitly
listing their definitions.
For the purpose of illustration, the following primitive module m is defined to have
one output of each propagation mode:
(BEHAV (A B) (C D) ((NAND2 A B) (NOT1 A)) (2000 5000) (INERTIAL TRANSPORT))
The VHDL code corresponding to a behavioral module consists of
(a) an entity declaration, consisting of a port clause listing the input signals as ports
of mode IN and the output signals as ports of mode OUT, all of type BIT;
(b) an architecture body, consisting of a concurrent signal assignment statement cor-
responding to each output signal.
The code (generated by our translator) for the module m defined above is displayed in
Figure 2(a). Note that our time units are interpreted by the translator as picoseconds,
and hence the delays are expressed as 2 and 5 nanoseconds. Note also that there is no
mention of inertial delay in the translation, since this is the VHDL default mode.
Another example of a behavioral module is the 1-bit adder adder1:
(BEHAV (A B C) (L H)
       ((XOR3 A B C) (OR2 (AND2 A (OR2 B C)) (AND2 B C)))
       (12000 10000)
       (INERTIAL INERTIAL))
The two outputs of this module represent the 2-bit sum of the three input bits. Since
the higher-order "carry" output bit is not expressed as an elementary function of the
inputs, this is not a primitive module.

Figure 2: VHDL Code
(a)
ENTITY m IS
  PORT(a,b: IN BIT; c,d: OUT BIT);
END m;
ARCHITECTURE m OF m IS
BEGIN
  c <= a NAND b AFTER 2 NS;
  d <= TRANSPORT NOT a AFTER 5 NS;
END m;
(b)
ENTITY adder2 IS
  PORT(a,b,c: IN BIT; l,h: OUT BIT);
END adder2;
ARCHITECTURE adder2 OF adder2 IS
  COMPONENT nand
    PORT(a,b: IN BIT; c: OUT BIT);
  END COMPONENT;
  SIGNAL t1,t2,t3,t4,t5,t6,t7: BIT;
BEGIN
  I1: nand PORT MAP (a,b,t1);
  I2: nand PORT MAP (a,t1,t2);
  I3: nand PORT MAP (b,t1,t3);
  I4: nand PORT MAP (t2,t3,t4);
  I5: nand PORT MAP (c,t4,t5);
  I6: nand PORT MAP (c,t5,t7);
  I7: nand PORT MAP (t5,t4,t6);
  I8: nand PORT MAP (t5,t1,h);
  I9: nand PORT MAP (t7,t6,l);
END adder2;
Let $s = \mathit{nth}(j, O(M))$ be an output of a behavioral module $M$. Let $\tau = \mathit{nth}(j, T(M))$
be the corresponding term. For any bit vector $V$ of the same length as $I(M)$, we define
the combinational value of $s$ w.r.t. $V$ as $\mathit{cv}(s, V, M) = \mathit{eval}(\tau, \mathit{pairlist}(I(M), V))$.
We shall say that a list of waveforms is an input (resp., output) packet for a module $M$
if it has the same length as $I(M)$ (resp., $O(M)$). The semantics of behavioral modules
are defined by a function $\mathit{exec}$ of four arguments: (1) a module $M$, (2) an input packet
$p_{in}$ for $M$, (3) an output packet $p_{out} = (w_1 \ldots w_n)$ for $M$, and (4) a time object $t_0$.
The value of $\mathit{exec}(M, p_{in}, p_{out}, t_0)$ is the updated output packet $p'_{out} = (w'_1 \ldots w'_n)$ that
results from "executing" $M$ at $t_0$. It is defined as follows: for $i = 1, \ldots, n$, let $v_i$ be the
combinational value of $\mathit{nth}(i, O(M))$ w.r.t. $\tilde{p}_{in}(t_0)$, and let $t_i = t_0 \oplus \mathit{nth}(i, D(M))$. Then
$w'_i$ is either $\mathit{transport}(w_i, v_i, t_i)$ or $\mathit{inertial}(w_i, v_i, t_0, t_i)$, according to $\mathit{nth}(i, P(M))$.
Our first observation concerning the behavior of $\mathit{exec}$ is that its value depends only
on the current values of the input:
Lemma 2.3 Let $p_1$ and $p_2$ be input packets and let $p_{out}$ be an output packet for a
behavioral module $M$. For any $t_0 \in \mathcal{T}$, if $\tilde{p}_1(t_0) = \tilde{p}_2(t_0)$, then $\mathit{exec}(M, p_1, p_{out}, t_0) =
\mathit{exec}(M, p_2, p_{out}, t_0)$.
Two other basic properties may be derived as consequences of Lemmas 2.1(b) and 2.2:
Lemma 2.4 Let $p_{in}$ and $p_{out}$ be an input packet and an output packet for a behavioral
module $M$. For any $t_0 \in \mathcal{T}$, $\mathit{hist}(\mathit{exec}(M, p_{in}, p_{out}, t_0), t_0) = \mathit{hist}(p_{out}, t_0)$.
Lemma 2.5 Let $p_{in}$ and $p_{out}$ be an input packet and an output packet for a behavioral
module $M$ and let $t_0$ and $t_1$ be time objects. If $t_0 \le t_1$ and $\tilde{p}_{in}(t_0) = \tilde{p}_{in}(t_1)$, then
$\mathit{exec}(M, p_{in}, \mathit{exec}(M, p_{in}, p_{out}, t_0), t_1) = \mathit{exec}(M, p_{in}, p_{out}, t_0)$.
2.4 Structural Modules
Our language also includes modules that represent hierarchically constructed circuits.
These structures contain information concerning interconnections among the modules
of which they are composed.
A structural module is a list $M = (\mathrm{STRUCT}\ I\ O\ S\ LI\ LO)$, where
(1) STRUCT is the identifying literal atom for modules of this type;
(2) $I = I(M) = (r_1 \ldots r_m)$ is a list of literal atoms called the (global) inputs of $M$;
(3) $O = O(M) = (s_1 \ldots s_n)$ is a list of literal atoms called the (global) outputs of $M$;
(4) $S = S(M) = (\mu_1 \ldots \mu_k)$ is a list of (structural or behavioral) modules, called the
submodules of $M$;
(5) $LI = LI(M) = (A_1 \ldots A_k)$, where for $j = 1, \ldots, k$, $A_j = (a_{j1} \ldots a_{jm_j})$ is a list
of literal atoms called the $j$th local inputs of $M$, and $m_j$ is the length of $I(\mu_j)$;
(6) $LO = LO(M) = (B_1 \ldots B_k)$, where for $j = 1, \ldots, k$, $B_j = (b_{j1} \ldots b_{jn_j})$ is a list of literal
atoms called the $j$th local outputs of $M$, and $n_j$ is the length of $O(\mu_j)$.
The members of the list $(r_1 \ldots r_m\ b_{11} \ldots b_{1n_1} \ldots b_{k1} \ldots b_{kn_k})$, consisting of the global
inputs and all local outputs, are required to be distinct and are called the signals of $M$.
There is no such constraint on the global outputs or local inputs, but each local input
must be a signal of $M$, and each global output must be a local output.
Note that the local inputs and outputs of $M$ correspond to its submodules. Thus,
intuitively, the submodules of a structure generate signals that are distinct from each
other and from the structure's inputs. Each signal may be connected to arbitrarily many
submodule inputs. A signal other than a global input may serve as any number of global
outputs, but global inputs and outputs are distinct.
One additional constraint must be imposed on structural modules: in order to ensure
that any simulation (as defined in the next section) of a module terminates, our struc-
tures are required to be free of zero-delay cyclic paths. Several preliminary definitions
will be needed in order to make this notion precise.
We shall define a computable function that measures the (possibly infinite) maximum
length of any path of signals within a structure along which the total delay is 0. The
definition will be based on an auxiliary function, $\delta(M, s, E, L)$, the arguments of which
are to be understood as follows:
(1) $M$ may be either the top-level structure or one of its components at any level of
the hierarchy;
(2) $s$ is a signal of $M$;
(3) $E = (e_1 \ldots e_n)$ is a list of generalized numbers corresponding to $O(M)$. For each
$i$, $e_i$ is intended to represent the maximum length of any path that starts at the
$i$th output and leads out of $M$. Such a list is called an environment for $M$;
(4) $L$ is a list of signals of $M$, each of which is known to lie on some infinite path.
Under these assumptions, we may think of $\delta = \delta(M, s, E, L)$ as the maximum length of
a path starting at $s$. It is computed recursively as follows:
(1) If s is a member of L, then 6 = INFINITY. Otherwise:
(2) Let A1 = max{e_ : s -- s_}, where O(M) = (sl ... s,,). (The maximum of the
null set is taken to be 0.)
(3)
(4)
Suppose M is behavioral. Let D(M) = (dl ... d,_). If s is an input of M and some
d_ > 0, then let ,.6,2 = 1 + max{ei : di = 0}; otherwise, A2 = 0.
Suppose M is structural with S(M) = (#l ... #k). For 1 < i _< k, let nth(i, LI(M))
= (ail ... a_,,,,), nth(i, LO(M)) = (b_l ... b_,_,), I(#_) = (_l .-. ct_,_.), and
let E, be the environment (e_l ... ei,_) for _t_, where for 1 < k _ n,, e_k =
6(M,b_k,E, cons(s,L)). Let 6_j = 5(tti,a_j,E_,NIL) for i = 1,...,k and j =
1 ..... rni. Let A2 = max{5_j : s = ai_}.
(5) _ = rnax(Al, A2).
The function A is defined by by A(M, s, E) = 6(M, s, E, NIL). Next, we define the
relative 6-depth of a module M with respect to an environment E to be the number p
computed as follows:
(1) Let Do be the maximum value of A(M,s,E) over all signals s of M. If M is
behavioral, then p = Do. Otherwise:
(2) Let M be structural with S(M) = (gl ... #k). For 1 _< i < k, let nth(i, LO(M)) =
(bil ... bi,,j ) and let Di be the relative 6-depth of tti with respect to the environment
(A(M, bil,E) ... A(M, bi,_,,E)). Then p = max(Do,D1,... ,Dk).
Finally, we define the 6-depth of M to be its relative 6-depth with respect to the
environment (0 ... 0). This represents the length of the longest 0-delay path through
M. If it is not INFINITY, we shall say that M is 6-acyclic. All structural modules in
our language are required to have this property.
Although we have gone to considerable effort to formalize the VHDL "delta delay" mechanism, the examples in which we are interested exhibit only positive delays. Our first example is the structural module adder2, composed of nine nand gates and intended as a gate-level "implementation" of the behavioral module adder1:
(STRUCT (A B C) (L H)
(nand2 nand2 nand2 nand2 nand2 nand2 nand2 nand2 nand2)
((A B) (A T1) (B T1) (T2 T3) (C T4) (T5 T4) (C T5) (T5 T1) (T7 T6))
((T1) (T2) (T3) (T4) (T5) (T6) (T7) (H) (L)))
The VHDL code corresponding to a structural module consists of
(a) an entity declaration, consisting of a port clause listing the inputs as ports of mode IN and each output as a port, either of mode BUFFER, if it occurs as a local input, or of mode OUT, if it does not;
(b) an architecture body, consisting of a component declaration corresponding to each module that occurs as a submodule, a signal declaration corresponding to each local output that is not a global output (and hence does not already occur as a port), and a component instantiation statement corresponding to each submodule.
The code for adder2 is shown in Figure 2(b), and a circuit diagram appears in Figure 3(b). Later, we shall compare the behaviors of adder1 and adder2.
Of course, a signal path may be cyclic, provided that some signal in the path is associated with a positive delay. This is an important feature of our language, as it allows the modeling of state-holding devices. Figure 3(a) shows a clocked resettable d-flip-flop, which is modeled by the structural module dff:
(STRUCT (CLK RST D) (Q QN)
(not1 and2 nand2 nand2 nand3 nand2 nand2 nand2)
((RST) (RN D) (B2 B1) (A1 CLK) (B1 CLK B2) (A2 DD) (B1 QN) (Q A2))
((RN) (DD) (A1) (B1) (A2) (B2) (Q) (QN)))
In addition to five 2-input nand gates, the submodules of dff include an inverter not1, a 2-input and gate and2, and a 3-input nand gate nand3, the definitions of which are assumed to be understood.
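The well-formedness constraints on structural modules and the $\delta$-acyclicity requirement can both be checked mechanically from the STRUCT form. The following Python is an added example and is not code from this report or from its Nqthm formalization. It encodes adder2 and dff as Python lists, checks that the signals are distinct, that every local input is a signal and that every global output is a local output, and computes the length of the longest 0-delay path for flat structures whose submodules are all primitives (a simplification of the $\delta$-depth recursion above, which also threads environments through nested structures). The primitive delays (2000 for every gate, consistent with the dmin/dmax figures for adder2 given in Section 3.1), the zero-delay buffer buf0, and the two modules built from it are assumptions constructed to exhibit an accepted zero-delay chain and a rejected zero-delay cycle.

```python
"""Added example: well-formedness and delta-acyclicity checks for STRUCT modules."""
from typing import Dict, List, Tuple

INFINITY = float("inf")

# Primitive (behavioural) modules: name -> (number of inputs, delay of each output).
# The 2000 delay is an assumption consistent with dmin/dmax of adder2 in Section 3.1;
# buf0 is a constructed zero-delay buffer used only to exhibit a delta-cycle.
PRIMS: Dict[str, Tuple[int, List[int]]] = {
    "not1": (1, [2000]), "and2": (2, [2000]), "nand2": (2, [2000]),
    "nand3": (3, [2000]), "buf0": (1, [0]),
}

# (STRUCT inputs outputs submodules local-inputs local-outputs), as in the report.
Struct = Tuple[List[str], List[str], List[str], List[List[str]], List[List[str]]]

ADDER2: Struct = (["A", "B", "C"], ["L", "H"], ["nand2"] * 9,
    [["A", "B"], ["A", "T1"], ["B", "T1"], ["T2", "T3"], ["C", "T4"],
     ["T5", "T4"], ["C", "T5"], ["T5", "T1"], ["T7", "T6"]],
    [["T1"], ["T2"], ["T3"], ["T4"], ["T5"], ["T6"], ["T7"], ["H"], ["L"]])

DFF: Struct = (["CLK", "RST", "D"], ["Q", "QN"],
    ["not1", "and2", "nand2", "nand2", "nand3", "nand2", "nand2", "nand2"],
    [["RST"], ["RN", "D"], ["B2", "B1"], ["A1", "CLK"], ["B1", "CLK", "B2"],
     ["A2", "DD"], ["B1", "QN"], ["Q", "A2"]],
    [["RN"], ["DD"], ["A1"], ["B1"], ["A2"], ["B2"], ["Q"], ["QN"]])

# Constructed: two zero-delay buffers feeding each other (a delta-cycle), and a
# zero-delay chain of length 2 (acyclic, so accepted).
ZERO_LOOP: Struct = (["X"], ["Y"], ["buf0", "buf0"], [["Z"], ["Y"]], [["Y"], ["Z"]])
ZERO_CHAIN: Struct = (["X"], ["Z"], ["buf0", "buf0"], [["X"], ["Y"]], [["Y"], ["Z"]])


def signals(m: Struct) -> List[str]:
    """Global inputs followed by all local outputs, in order."""
    return list(m[0]) + [b for lo in m[4] for b in lo]


def check_struct(m: Struct) -> List[str]:
    """Return the list of violated well-formedness constraints (empty if none)."""
    inputs, outputs, subs, lis, los = m
    errors = []
    sigs = signals(m)
    if len(set(sigs)) != len(sigs):
        errors.append("signals are not distinct")
    if not (len(subs) == len(lis) == len(los)):
        errors.append("submodule, local-input and local-output lists differ in length")
    for name, li, lo in zip(subs, lis, los):
        n_in, delays = PRIMS[name]
        if len(li) != n_in or len(lo) != len(delays):
            errors.append("%s: local input/output count does not match its arity" % name)
        for a in li:
            if a not in sigs:
                errors.append("local input %s is not a signal" % a)
    local_outputs = set(sigs) - set(inputs)
    for s in outputs:
        if s not in local_outputs:
            errors.append("global output %s is not a local output" % s)
    return errors


def delta_depth(m: Struct) -> float:
    """Length (in hops) of the longest path along zero-delay outputs; INFINITY if such
    a path is cyclic. Flat version of the report's delta-depth: submodules are primitives."""
    _, _, subs, lis, los = m
    zero_edges: Dict[str, List[str]] = {}
    for name, li, lo in zip(subs, lis, los):
        for b, d in zip(lo, PRIMS[name][1]):
            if d == 0:                      # b is reached from every input of the gate at no delay
                for a in li:
                    zero_edges.setdefault(a, []).append(b)
    memo: Dict[str, float] = {}
    on_path: List[str] = []                 # signals on the current DFS path (the list L)

    def longest(s: str) -> float:
        if s in on_path:
            return INFINITY                 # zero-delay cycle through s
        if s not in memo:
            on_path.append(s)
            memo[s] = max((1 + longest(b) for b in zero_edges.get(s, [])), default=0)
            on_path.pop()
        return memo[s]

    return max((longest(s) for s in signals(m)), default=0)


def is_delta_acyclic(m: Struct) -> bool:
    return delta_depth(m) != INFINITY


if __name__ == "__main__":
    for name, mod in [("adder2", ADDER2), ("dff", DFF), ("zero_loop", ZERO_LOOP), ("zero_chain", ZERO_CHAIN)]:
        print(name, check_struct(mod) or "well-formed", "delta-depth =", delta_depth(mod))
```

Both adder2 and dff pass the checks with $\delta$-depth 0, since every gate carries a positive delay; the feedback loops of dff are therefore permitted. The constructed zero-delay loop is reported as INFINITY, which is exactly the case the termination argument for run in the next subsection must exclude.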
We shall define the semantics of structural modules by means of a function step, based on the exec function of Subsection 2.3. Note that the notions of input and output packets may be naturally applied to any module. For a structural module $M$, however, instead of a simple output packet, the third argument of step must be an object that consists of a waveform corresponding to each signal generated by each component of $M$. Thus, for any module $M$, we define a bundle for $M$ to be a list $B$ such that (a) if $M$ is behavioral, then $B$ is an output packet for $M$; (b) if $M$ is a structure with $S(M) = (\mu_1 \ldots \mu_k)$, then $B = (B_1 \ldots B_k)$, where $B_i$ is a bundle for $\mu_i$, $i = 1, \ldots, k$.
Let $B$ be a bundle for a module $M$ and let $s$ be a signal of $M$ that is not an input of $M$. The waveform for $s$ determined by $B$ is the waveform $w$ that is computed as follows: (a) if $M$ is behavioral and $s = \text{nth}(j, O(M))$, then $w = \text{nth}(j, B)$; (b) if $M$ is structural and $s = \text{nth}(j, \text{nth}(i, LO(M)))$, then $w$ is the waveform for $\text{nth}(j, O(\text{nth}(i, S(M))))$ determined by $\text{nth}(i, B)$.
The output packet for $M$ determined by $B$, denoted as $\text{outp}(M, B)$, is defined as follows: (a) if $M$ is behavioral, then $\text{outp}(M, B) = B$; (b) if $M$ is structural with $O(M) = (s_1 \ldots s_n)$, then $\text{outp}(M, B) = (w_1 \ldots w_n)$, where for $1 \le j \le n$, $w_j$ is the waveform for $s_j$ determined by $B$.
Figure 3: (a) D-Flip-Flop (b) 1-Bit Adder
Let $M$ be a structural module with $\text{nth}(i, LI(M)) = (a_{i1} \ldots a_{im})$. Let $p$ be an input packet and let $B$ be a bundle for $M$. The $i$th input packet determined by $p$ and $B$, denoted as $\text{inp}(i, M, p, B)$, is the input packet $(w_1 \ldots w_m)$ for $\text{nth}(i, S(M))$, where for $1 \le j \le m$, $w_j$ is computed as follows: (a) if $a_{ij}$ is a global input $\text{nth}(k, I(M))$, then $w_j = \text{nth}(k, p)$; (b) if $a_{ij}$ is a local output, then $w_j$ is the waveform for $a_{ij}$ determined by $B$.
We may now define step. Let $p$ and $B$ be an input packet and a bundle, respectively, for an arbitrary module $M$, and let $t \in \mathbf{T}$. Then $\text{step}(M, p, B, t)$ is the bundle $B'$, defined as follows: (a) if $M$ is behavioral, then $B' = \text{exec}(M, p, B, t)$ if $p$ has a new value at $t$, and $B' = B$ if not; (b) if $M$ is structural with $S(M) = (\mu_1 \ldots \mu_k)$ and $B = (B_1 \ldots B_k)$, then $B' = (B'_1 \ldots B'_k)$, where $B'_i = \text{step}(\mu_i, \text{inp}(i, M, p, B), B_i, t)$.
Thus, the execution of a structure at time $t$ amounts to the execution of each behavioral component for which the value of some input signal changes at $t$.
We have the following generalization of Lemma 2.3:
Lemma 2.6 Let $p_1$ and $p_2$ be input packets and let $B$ be a bundle for a module $M$. Let $t_0 \in \mathbf{T}$. If $\text{hist}(p_1, t_0) = \text{hist}(p_2, t_0)$, then $\text{step}(M, p_1, B, t_0) = \text{step}(M, p_2, B, t_0)$.
The history of a structural bundle $(B_1 \ldots B_k)$ relative to a time $t$ is recursively defined as $\text{hist}(B, t) = (\text{hist}(B_1, t) \ldots \text{hist}(B_k, t))$. Lemma 2.4 may be generalized as follows:
Lemma 2.7 Let $p$ and $B$ be an input packet and a bundle for a module $M$. For any $t_0 \in \mathbf{T}$, $\text{hist}(\text{step}(M, p, B, t_0), t_0) = \text{hist}(B, t_0)$.
2.5 Simulation
Let $p$ and $B$ be an input packet and a bundle for a module $M$. For any $t \in \mathbf{T}$, we define $t_{next}(t, p, B, M)$ to be the minimum element of the set of all $t' \in \mathbf{T}$ that occur as times of events in the waveforms of $p$ and $B$ and that satisfy $t' > t$, if this set is nonempty; otherwise, $t_{next}(t, p, B, M)$ is undefined.
A simulation of $M$ consists of repeated applications of step, which are performed by the function run. For $t_0, t_f \in \mathbf{T}$, we define $\text{run}(M, p, B, t_0, t_f)$ to be the bundle $B'$ that is computed recursively as follows: Let $t_{next} = t_{next}(t_0, p, B, M)$. If $t_{next}$ is defined and $t_{next} \le t_f$, then $B' = \text{run}(M, p, \text{step}(M, p, B, t_{next}), t_{next}, t_f)$; otherwise, $B' = B$.
It is not obvious that this is a valid recursive definition, i.e., that it is satisfied by a unique function. This may be established by exhibiting some measure of the arguments that decreases with each recursive call. More precisely, it suffices to define a function meas such that under the assumptions imposed on the arguments of run,
$\text{meas}(M, p, \text{step}(M, p, B, t_{next}), t_{next}, t_f) \prec \text{meas}(M, p, B, t_0, t_f)$
with respect to some well-founded order "$\prec$". (In fact, this is the requirement for admissibility of Nqthm function definitions.)
We may construct an appropriate measure based on a function $\phi(M, p, B)$ that computes an upper bound on the delta component of any time object that occurs in any waveform during the course of a simulation. For each signal $s$ of $M$ or any module occurring in $M$, this function computes the sum of (a) the length of the longest 0-delay path through $M$ starting at $s$ and (b) the largest delta component that occurs in the waveform of $p$ or $B$ that corresponds to $s$. $\phi(M, p, B)$ is the maximum of these sums. (We omit the actual recursive definition of $\phi$, which parallels that of $\delta$-depth.)
Now, if $t_0 = (m_i, k_i)$ and $t_f = (m_f, k_f)$, then we define
$\text{meas}(M, p, B, t_0, t_f) = (m_f - m_i,\ \phi(M, p, B) - k_i).$
It may be shown that with respect to the lexicographic order "$\prec$" on $\mathbf{N} \times \mathbf{N}$, this function satisfies the property stated above. Note that its definition, and hence that of run, ultimately depends on the assumption that $M$ is $\delta$-acyclic.
The function meas provides an induction scheme for deriving properties of run. The following, for example, is proved by induction as an immediate consequence of Lemma 2.7:
Lemma 2.8 Let $p$ and $B$ be an input packet and a bundle for a module $M$. For any $t_0, t_f \in \mathbf{T}$, $\text{hist}(\text{run}(M, p, B, t_0, t_f), t_0) = \text{hist}(B, t_0)$.
The next lemma, similarly proved by induction, provides for the decomposition of a simulation interval:
Lemma 2.9 If $p$ and $B$ are an input packet and a bundle for a module $M$, and $t_0 \le t' \le t_f$, then $\text{run}(M, p, B, t_0, t_f) = \text{run}(M, p, \text{run}(M, p, B, t_0, t'), t', t_f)$.
Another property of run that is important in the analysis of circuit behavior is the following basic result, which describes the behavior of a structural module in terms of that of its components. It is interesting that its proof requires the two properties of step that are stated in Lemmas 2.6 and 2.7, namely that module execution is neither predictive (with respect to input) nor retroactive (with respect to output).
Lemma 2.10 Let $p$ and $A = (\alpha_1 \ldots \alpha_k)$ be an input packet and a bundle for a structural module $M$ with $S(M) = (\mu_1 \ldots \mu_k)$. Let $t_0, t_f \in \mathbf{T}$ and $B = (\beta_1 \ldots \beta_k) = \text{run}(M, p, A, t_0, t_f)$. Then $\beta_i = \text{run}(\mu_i, b_i, \alpha_i, t_0, t_f)$, where $b_i = \text{inp}(i, M, p, B)$, $i = 1, \ldots, k$.
Proof: Let $A' = (\alpha'_1 \ldots \alpha'_k) = \text{step}(M, p, A, t')$, where $t' = t_{next}(t_0, p, A, M)$. Then by definition of step, $\alpha'_i = \text{step}(\mu_i, a_i, \alpha_i, t')$, where $a_i = \text{inp}(i, M, p, A)$, and by definition of run, $B = \text{run}(M, p, A', t', t_f)$. By induction, we may assume that $\beta_i = \text{run}(\mu_i, b_i, \alpha'_i, t', t_f)$.
It follows from Lemmas 2.7 and 2.8 that $\text{hist}(A, t') = \text{hist}(B, t')$. Consequently, $\text{hist}(a_i, t') = \text{hist}(b_i, t')$. By Lemma 2.6, $\alpha'_i = \text{step}(\mu_i, b_i, \alpha_i, t')$. Thus, we have $\beta_i = \text{run}(\mu_i, b_i, \text{step}(\mu_i, b_i, \alpha_i, t'), t', t_f)$.
Let $t'' = t_{next}(t_0, b_i, \alpha_i, \mu_i)$. Clearly, if $t''$ is defined, then $t'' \ge t'$. If $t'' = t'$, then
$\text{run}(\mu_i, b_i, \alpha_i, t_0, t_f) = \text{run}(\mu_i, b_i, \text{step}(\mu_i, b_i, \alpha_i, t''), t'', t_f) = \text{run}(\mu_i, b_i, \text{step}(\mu_i, b_i, \alpha_i, t'), t', t_f) = \beta_i.$
In the remaining case,
$\text{run}(\mu_i, b_i, \alpha_i, t_0, t_f) = \text{run}(\mu_i, b_i, \alpha_i, t', t_f) = \text{run}(\mu_i, b_i, \text{step}(\mu_i, b_i, \alpha_i, t'), t', t_f) = \beta_i.$ □
The definition of our top-level simulation function sim depends on run as well as a function init, which generates an initial bundle from a module and an input packet. First, for a given module $M$, we define the bundle $B_0(M)$:
(1) If $M$ is behavioral, then $B_0(M)$ is the output packet $(w_0 \ldots w_0)$ for $M$, where $w_0 = ((\mathcal{F}, 0))$.
(2) If $M$ is structural and $S(M) = (\mu_1 \ldots \mu_k)$, then $B_0(M) = (B_0(\mu_1) \ldots B_0(\mu_k))$.
Thus, every waveform of $B_0(M)$ is the trivial $w_0$, which has the constant value $\hat w_0(t) = \mathcal{F}$. Prior to simulation, each of these waveforms is updated by executing every behavioral component of $M$. The result is the bundle $\text{init}(M, p)$, defined as follows:
(1) If $M$ is behavioral, then $\text{init}(M, p) = \text{exec}(M, p, B_0(M), 0)$;
(2) If $M$ is structural with $S(M) = (\mu_1 \ldots \mu_k)$, then
$\text{init}(M, p) = (\text{init}(\mu_1, \text{inp}(1, M, p, B_0(M))) \ldots \text{init}(\mu_k, \text{inp}(k, M, p, B_0(M)))).$
Now, given an input packet $p$ for $M$ and a time object $t$, we define
$\text{sim}(M, p, t) = \text{run}(M, p, \text{init}(M, p), 0, t).$
We note the following restatements of Lemmas 2.9 and 2.10:
Lemma 2.11 If $p$ is an input packet for a module $M$, and $t_1 \le t_2$, then $\text{sim}(M, p, t_2) = \text{run}(M, p, \text{sim}(M, p, t_1), t_1, t_2)$.
Lemma 2.12 Let $p$ be an input packet for a structural module $M$ with $S(M) = (\mu_1 \ldots \mu_k)$. Let $t \in \mathbf{T}$ and $B = (\beta_1 \ldots \beta_k) = \text{sim}(M, p, t)$. Then $\beta_i = \text{sim}(\mu_i, b_i, t)$, where $b_i = \text{inp}(i, M, p, B)$, $i = 1, \ldots, k$.
15
I0 2021 60 _ 12 72
I r L_.
30 70 15 _ 26 65
Figure 4: Simulation of ta
As a simple example, a simulation of the primitive module m is illustrated in Figure 4.
The waveforms corresponding to the inputs A and B are
w I = ((7", 60000) (._c,21000) (T, 20000) (.T', 10000) (T, 0))
and
= ((7", 70000) (:r, 30000) (7", 0)),
respectively. These are shown along with the waveforms
w e = (((.r, 72000) (7", 12000) (:r, 0)))
and
w D = ((.T', 65000) ('it', 26000) (_, 25000) ('T', 15000) (.T',0))
of the output sire(m, (wAwB), 80000) = (w c WD).
This example exhibits a fundamental difference between transport and inertial delay:
an input pulse of duration less than the delay, as occurs in w A, is not reflected in an
inertial output.
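The simulation of m can be reproduced with a small event-driven interpreter of the definitions above (exec on every input event, run over the event times, init on the trivial bundle). The Python below is an added example, not the report's Nqthm implementation. Two things in it are assumptions: the module m itself, which is not listed in this section and is reconstructed from Figure 4 as C = nand2(A, B) with an inertial delay of 2000 and D = not1(A) with a transport delay of 5000; and the inertial rule, taken from VHDL (a pending event whose value differs from the newly scheduled one is discarded), since the report's own definition of inertial updating is in Subsection 2.2 and is not reproduced here. With those assumptions the interpreter yields exactly the waveforms $w_C$ and $w_D$ above.

```python
"""Added example: event-driven simulation of the primitive module m of Figure 4."""
from typing import Callable, List, Tuple

T, F = True, False
Waveform = List[Tuple[bool, int]]          # newest event first, e.g. [(T, 60000), ..., (T, 0)]


def value_at(w: Waveform, t: int) -> bool:
    """w-hat(t): value of the most recent event at or before t."""
    for v, tv in w:
        if tv <= t:
            return v
    raise ValueError("waveform has no event at or before %d" % t)


def transport(w: Waveform, v: bool, t: int) -> Waveform:
    """Schedule v at t with transport delay: drop events at or after t, keep earlier ones."""
    rest = [e for e in w if e[1] < t]
    return rest if value_at(rest, t) == v else [(v, t)] + rest


def inertial(w: Waveform, v: bool, t: int, now: int) -> Waveform:
    """Inertial delay (assumed VHDL-style rule): additionally discard still-pending
    events (scheduled after now) whose value differs from v, so a pulse shorter
    than the delay never reaches the output."""
    rest = [e for e in w if e[1] < t and not (e[1] > now and e[0] != v)]
    return rest if value_at(rest, t) == v else [(v, t)] + rest


# Module m, reconstructed from Figure 4 (assumption): output C = nand2(A, B) with
# inertial delay 2000, output D = not1(A) with transport delay 5000.
Output = Tuple[Callable[..., bool], int, str]     # (function, delay, "inertial" | "transport")
M_OUTPUTS: List[Output] = [
    (lambda a, b: not (a and b), 2000, "inertial"),
    (lambda a, b: not a, 5000, "transport"),
]


def exec_module(outputs: List[Output], p: List[Waveform], b: List[Waveform], t: int) -> List[Waveform]:
    """exec(M, p, B, t): every output is recomputed from the input values at t and
    scheduled at t + delay; an output whose value does not change is left alone."""
    args = [value_at(w, t) for w in p]
    new_b = []
    for (f, d, mode), w in zip(outputs, b):
        v = f(*args)
        new_b.append(transport(w, v, t + d) if mode == "transport" else inertial(w, v, t + d, t))
    return new_b


def sim(outputs: List[Output], p: List[Waveform], tf: int) -> List[Waveform]:
    """sim(M, p, tf) = run(M, p, init(M, p), 0, tf) for a behavioural module: execute
    at 0 on the trivial bundle ((F 0) ...), then at every input event up to tf."""
    b = exec_module(outputs, p, [[(F, 0)] for _ in outputs], 0)
    for t in sorted({tv for w in p for _, tv in w if 0 < tv <= tf}):
        b = exec_module(outputs, p, b, t)
    return b


# Input waveforms of Figure 4.
W_A: Waveform = [(T, 60000), (F, 21000), (T, 20000), (F, 10000), (T, 0)]
W_B: Waveform = [(T, 70000), (F, 30000), (T, 0)]


def figure4() -> Tuple[Waveform, Waveform]:
    """sim(m, (w_A w_B), 80000) = (w_C w_D)."""
    w_c, w_d = sim(M_OUTPUTS, [W_A, W_B], 80000)
    return w_c, w_d


def exec_is_idempotent_at(t: int) -> bool:
    """Lemma 2.13: the simulated output packet is a fixed point of exec at time t."""
    b = sim(M_OUTPUTS, [W_A, W_B], t)
    return exec_module(M_OUTPUTS, [W_A, W_B], b, t) == b


if __name__ == "__main__":
    w_c, w_d = figure4()
    print("w_C =", w_c)
    print("w_D =", w_d)
```

The pulse on A between 20000 and 21000 schedules (F, 22000) on C at 20000 and then (T, 23000) at 21000; the inertial rule removes the pending (F, 22000), and since C is already T at 23000 nothing is appended, so the pulse leaves no trace. On D, which uses transport delay, the same pulse survives as the events at 25000 and 26000.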
All of the simulation results that we report herein were produced by the Nqthm implementation of sim and have been matched with the output of the corresponding Vantage simulations of the VHDL translations of these modules. One further observation is warranted, however, in support of the claim that our language definition adheres to the VHDL standard [11]. There is an apparent discrepancy between the definition of sim and the standard: in our language, each output waveform of a behavioral module is updated whenever there is a change in any input value. In VHDL, on the other hand, in the absence of any instruction to the contrary (i.e., an explicit "sensitivity list"), a signal's waveform is updated only in response to changes in those inputs on which the signal is functionally dependent.
Consider, for example, the output D of the module m. The VHDL code corresponding to this signal (Figure 2) is executed only in response to events of the input waveform $w_A$. However, according to our definitions of exec and step, its waveform is also updated whenever the value of B changes, e.g., at time 30000 in our example.
Nonetheless, as illustrated in Figure 4, the behavior of this output signal is completely independent from that of B, in accordance with the VHDL standard. In order to understand this, consider the waveform $w$ that represents this signal before the execution of m at time 21000. The updated waveform after this execution is $w' = \text{transport}(w, \mathcal{T}, 26000)$. Although $w'$ is further updated when the value of B changes at 30000, the value of (NOT1 A) remains $\mathcal{T}$, and hence, by Lemma 2.2, the resulting waveform is $\text{transport}(w', \mathcal{T}, 35000) = w'$.
The above argument is based on the simple observation that at the time of any change in input during a simulation of a behavioral module, the output packet is the result of executing the module at that time. In fact, an interesting property of our simulator is that this holds true even when there is no input change, i.e., regardless of whether the execution actually occurs:
Lemma 2.13 Let $p$ be an input packet for a behavioral module $M$, let $t \in \mathbf{T}$, and let $B = \text{sim}(M, p, t)$. Then $B = \text{exec}(M, p, B, t)$.
Proof: It is easily shown by induction and Lemma 2.5 that if $B_0 = \text{exec}(M, p, B_0, t_0)$ and $B_1 = \text{run}(M, p, B_0, t_0, t_1)$, then $B_1 = \text{exec}(M, p, B_1, t_1)$. The lemma is an instance of this result, with $t_0 = 0$, $B_0 = \text{init}(M, p)$, $t_1 = t$, and $B_1 = B$. □
3 Specification of Synchronous Circuits
In order to simplify our analysis of circuit behavior, we shall assume in the sequel that delays associated with outputs of behavioral modules are positive. (All of the examples in which we are interested conform to this assumption.) It follows that every time object occurring in a waveform produced by the simulator may be represented as a simple natural number. Thus, we may replace $\mathbf{T}$ by $\mathbf{N}$ and "$\oplus$" by "$+$".
3.1 Combinational Modules
Before undertaking a characterization of synchronous sequential circuits, we shall consider the relatively simple class of combinational circuits. Let $\rho = (s_1 \ldots s_p)$ be a list of signals of a structural module $M$ such that for each $i$, $1 < i \le p$, there exists $j$ such that $s_{i-1}$ is a member of $\text{nth}(j, LI(M))$ and $s_i$ is a member of $\text{nth}(j, LO(M))$. Then $\rho$ is a path in $M$ from $s_1$ to $s_p$. If $s_1 = s_p$, then $\rho$ is a loop in $M$. An arbitrary module $M$ is combinational if either (a) $M$ is behavioral or (b) $M$ is structural with no loops and all of its submodules are combinational.
The notion of combinational value, which previously applied only to outputs of behavioral modules, may be extended to combinational modules. Let $s$ be any signal of a combinational module $M$ and let $V$ be a bit vector of the same length as $I(M)$.
(1) If $s = \text{nth}(j, I(M))$, then $\text{cv}(s, V, M) = \text{nth}(j, V)$;
(2) If $M$ is structural and $s = \text{nth}(j, \text{nth}(i, LO(M)))$, where $\mu = \text{nth}(i, S(M))$ and $(a_1 \ldots a_m) = \text{nth}(i, LI(M))$, then
$\text{cv}(s, V, M) = \text{cv}(\text{nth}(j, O(\mu)), (\text{cv}(a_1, V, M) \ldots \text{cv}(a_m, V, M)), \mu).$
We shall describe the behavior of combinational modules in terms of the function cv. Our analysis begins with the following characterization of behavioral modules:
Lemma 3.1 Let $s = \text{nth}(j, O(M))$ be the $j$th output of a behavioral module $M$, let $d = \text{nth}(j, D(M))$ be the corresponding delay, and let $w = \text{nth}(j, \text{sim}(M, p, t_f))$. Assume that for all $t \in [t_1, t_2)$, the combinational value of $s$ w.r.t. $\hat p(t)$ is $v$, where $t_1 + d \le t_2$ and $t_1 \le t_f$. Then for all $t \in [t_1 + d, t_2 + d)$, $\hat w(t) = v$.
Figure 5: Simulation of adder1 and adder2
Proof: Let $p_1 = \text{sim}(M, p, t_1)$. Then according to Lemma 2.13, $p_1 = \text{exec}(M, p, p_1, t_1)$. It follows from Lemma 2.1(a) that the value of $\text{nth}(j, p_1)$ is $v$ for all $t \ge t_1 + d$.
We claim that if $p'$ is any output packet for $M$ such that $\text{nth}(j, p')$ has value $v$ throughout $[t_1 + d, t_2 + d)$, then so does $\text{nth}(j, \text{run}(M, p, p', t', t_f))$, for any $t' \ge t_1$. Once this claim is proved, the lemma will follow from Lemma 2.11 upon substituting $p_1$ and $t_1$ for $p'$ and $t'$.
The claim is proved by induction. It suffices to show that if $p$ has a new value at $t'' = t_{next}(t', p, p', M)$, and $p'' = \text{exec}(M, p, p', t'')$, then $\text{nth}(j, p'')$ has value $v$ throughout $[t_1 + d, t_2 + d)$.
If $t'' \ge t_2$, then the desired result follows from Lemma 2.1(c). Thus, we may assume $t'' < t_2$ and hence, the combinational value of $s$ w.r.t. $\hat p(t'')$ is $v$. In this case, $\text{nth}(j, p'')$ has value $v$ on $[t_1 + d, t'' + d)$ by Lemma 2.1(c), and on $[t'' + d, t_2 + d)$ by Lemma 2.1(a). □
Lemma 3.1 is illustrated by the simulation of adder1 shown in Fig. 5, where we compare its behavior with that of the combinational module adder2. Note, for example, that the output L of adder1, with corresponding term (XOR3 A B C), has the combinational value $\mathcal{F}$ throughout the interval from 40000 to 80000, and thus, since its delay is 12000, the actual value of the signal is $\mathcal{F}$ from 52000 to 92000. Note also that this simple behavior is not shared by the combinational module adder2.
However, we shall derive a generalization of Lemma 3.1 that provides similar (although somewhat weaker) behavioral specifications of arbitrary combinational modules. First, we associate each signal $s$ of a combinational module $M$ with two parameters,
called the minimum and maximum delays of $s$, which represent the range of total delays along all paths connecting the inputs of $M$ to $s$. These are defined as follows:
(1) If $s$ is a member of $I(M)$, then $\text{dmin}(s, M) = \text{dmax}(s, M) = 0$;
(2) If $M$ is behavioral and $s = \text{nth}(j, O(M))$, then $\text{dmin}(s, M) = \text{dmax}(s, M) = \text{nth}(j, D(M))$;
(3) If $M$ is structural and $s = \text{nth}(j, \text{nth}(i, LO(M)))$, where $\mu = \text{nth}(i, S(M))$ and $(a_1 \ldots a_m) = \text{nth}(i, LI(M))$, then
$\text{dmin}(s, M) = \text{dmin}(\text{nth}(j, O(\mu)), \mu) + \min(\text{dmin}(a_1, M), \ldots, \text{dmin}(a_m, M)),$
$\text{dmax}(s, M) = \text{dmax}(\text{nth}(j, O(\mu)), \mu) + \max(\text{dmax}(a_1, M), \ldots, \text{dmax}(a_m, M)).$
Lemma 3.2 Let $s = \text{nth}(j, O(M))$ be the $j$th output of a combinational module $M$, $d = \text{dmin}(s, M)$, $d' = \text{dmax}(s, M)$, and $w = \text{nth}(j, \text{outp}(M, \text{sim}(M, p, t_f)))$. Assume that $\hat p$ is constant on the interval $[t_1, t_2)$, where $t_1 + d' \le t_2$ and $t_1 \le t_f$. Let $v = \text{cv}(s, \hat p(t_1), M)$. Then for all $t \in [t_1 + d', t_2 + d)$, $\hat w(t) = v$.
Proof: For behavioral $M$, the conclusion follows from Lemma 3.1. For structural $M$, we shall show that it holds more generally for any local output $s$ of $M$ and the waveform $w$ for $s$ determined by $B = \text{sim}(M, p, t_f)$. The proof is by induction on the length of the longest path in $M$ terminating at $s$.
Suppose $s$ is a local output, say $s = \text{nth}(j, \text{nth}(i, LO(M)))$. Let $\mu = \text{nth}(i, S(M))$, $\beta = \text{nth}(i, B)$, $(a_1 \ldots a_m) = \text{nth}(i, LI(M))$, and $b = \text{inp}(i, M, p, B) = (w_1 \ldots w_m)$. Then $w = \text{nth}(j, \text{outp}(\mu, \beta))$, and by Lemma 2.12, $\beta = \text{sim}(\mu, b, t_f)$.
For $1 \le \ell \le m$, let $d_\ell = \text{dmin}(a_\ell, M)$, $d'_\ell = \text{dmax}(a_\ell, M)$, and $v_\ell = \text{cv}(a_\ell, \hat p(t_1), M)$. If $a_\ell$ is a local output of $M$, then by inductive hypothesis, $\hat w_\ell(t) = v_\ell$ for all $t \in [t_1 + d'_\ell, t_2 + d_\ell)$; otherwise, $a_\ell$ is an input, and the same is true trivially. Thus, $\hat b(t) = (v_1 \ldots v_m)$ for all $t \in [t_1 + \Delta, t_2 + \delta)$, where $\Delta = \max(d'_1, \ldots, d'_m)$ and $\delta = \min(d_1, \ldots, d_m)$.
By the definition of cv,
$v = \text{cv}(\text{nth}(j, O(\mu)), (v_1 \ldots v_m), \mu) = \text{cv}(\text{nth}(j, O(\mu)), \hat b(t_1 + \Delta), \mu).$
Since $\mu$ is combinational, $\hat w(t) = v$ for all
$t \in [t_1 + \Delta + \text{dmax}(\text{nth}(j, O(\mu)), \mu),\ t_2 + \delta + \text{dmin}(\text{nth}(j, O(\mu)), \mu)) = [t_1 + d', t_2 + d).$ □
As an example, consider the output signal L of the combinational module adder2. By tracing all paths from the inputs to L, we may compute $\text{cv}(\text{L}, (a\ b\ c), \text{adder2})$ as a nested nand2 expression that may be shown to be tautologically equivalent to $\text{xor3}(a, b, c)$. By a similar calculation, we have
$\text{dmin}(\text{L}, \text{adder2}) = 4000$ and $\text{dmax}(\text{L}, \text{adder2}) = 12000.$
Thus, according to Lemma 3.2, if $t_1 + 12000 \le t_2$, $t_1 \le t_f$, and the input packet $p$ for adder2 has the constant value $\hat p(t) = (a\ b\ c)$ for $t \in [t_1, t_2)$, then
$w = \text{nth}(1, \text{outp}(\text{adder2}, \text{sim}(\text{adder2}, p, t_f)))$
has the value $\hat w(t) = \text{xor3}(a, b, c)$ for $t \in [t_1 + 12000, t_2 + 4000)$. This result is illustrated in Fig. 5: since the input packet has the constant value $(\mathcal{T}\ \mathcal{T}\ \mathcal{T})$ on the interval $[20000, 40000)$, the value of the first output is $\text{xor3}(\mathcal{T}, \mathcal{T}, \mathcal{T}) = \mathcal{T}$ on the interval $[32000, 44000)$.
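The path tracing for adder2 is mechanical: cv, dmin and dmax are structural recursions over the netlist, and the stability window of Lemma 3.2 follows from them. The Python below is an added example, not code from the report. It implements the three definitions of this subsection for modules whose submodules are either primitive gates or other modules (the recursive case of the definitions), checks exhaustively that cv(L) is xor3 and cv(H) is the carry, and recovers dmin(L, adder2) = 4000 and dmax(L, adder2) = 12000. The nand2 delay of 2000 is inferred from those two figures and is an assumption; the 2-bit ripple-carry adder add2 built from two adder2 instances is constructed here to exercise the nested case and is not from the report.

```python
"""Added example: cv, dmin and dmax of Section 3.1 over a netlist with nested modules."""
from itertools import product
from typing import Callable, Dict, List, Tuple

# Primitive gates: name -> (boolean function, output delay). The nand2 delay of 2000 is
# an assumption inferred from dmin(L, adder2) = 4000 and dmax(L, adder2) = 12000.
PRIMS: Dict[str, Tuple[Callable[..., bool], int]] = {
    "nand2": (lambda a, b: not (a and b), 2000),
}

# A module is (inputs, outputs, net); net maps each local output to
# (submodule, its local inputs, index of the submodule output that drives it).
Module = Tuple[List[str], List[str], Dict[str, Tuple[str, List[str], int]]]

ADDER2: Module = (["A", "B", "C"], ["L", "H"], {
    "T1": ("nand2", ["A", "B"], 0),  "T2": ("nand2", ["A", "T1"], 0),
    "T3": ("nand2", ["B", "T1"], 0), "T4": ("nand2", ["T2", "T3"], 0),
    "T5": ("nand2", ["C", "T4"], 0), "T6": ("nand2", ["T5", "T4"], 0),
    "T7": ("nand2", ["C", "T5"], 0), "H": ("nand2", ["T5", "T1"], 0),
    "L": ("nand2", ["T7", "T6"], 0),
})

# Constructed 2-bit ripple-carry adder: two adder2 instances (not from the report).
ADD2: Module = (["A0", "B0", "A1", "B1", "CIN"], ["S0", "S1", "COUT"], {
    "S0": ("adder2", ["A0", "B0", "CIN"], 0), "C0": ("adder2", ["A0", "B0", "CIN"], 1),
    "S1": ("adder2", ["A1", "B1", "C0"], 0), "COUT": ("adder2", ["A1", "B1", "C0"], 1),
})
MODULES: Dict[str, Module] = {"adder2": ADDER2, "add2": ADD2}


def cv(s: str, V: List[bool], m: Module) -> bool:
    """Combinational value of signal s of m for the input vector V."""
    inputs, _, net = m
    if s in inputs:
        return V[inputs.index(s)]
    sub, args, j = net[s]
    vals = [cv(a, V, m) for a in args]
    if sub in PRIMS:
        return PRIMS[sub][0](*vals)
    return cv(MODULES[sub][1][j], vals, MODULES[sub])       # recurse into the submodule


def dmin(s: str, m: Module) -> int:
    """Shortest total delay from any input of m to s."""
    inputs, _, net = m
    if s in inputs:
        return 0
    sub, args, j = net[s]
    own = PRIMS[sub][1] if sub in PRIMS else dmin(MODULES[sub][1][j], MODULES[sub])
    return own + min(dmin(a, m) for a in args)


def dmax(s: str, m: Module) -> int:
    """Longest total delay from any input of m to s."""
    inputs, _, net = m
    if s in inputs:
        return 0
    sub, args, j = net[s]
    own = PRIMS[sub][1] if sub in PRIMS else dmax(MODULES[sub][1][j], MODULES[sub])
    return own + max(dmax(a, m) for a in args)


def stable_window(s: str, m: Module, t1: int, t2: int) -> Tuple[int, int]:
    """Lemma 3.2: if the inputs are constant on [t1, t2), s holds cv on [t1 + dmax, t2 + dmin)."""
    return t1 + dmax(s, m), t2 + dmin(s, m)


def adder2_is_full_adder() -> bool:
    """cv(L) is xor3 and cv(H) is the carry, for all eight input vectors."""
    for a, b, c in product([False, True], repeat=3):
        if cv("L", [a, b, c], ADDER2) != (a ^ b ^ c):
            return False
        if cv("H", [a, b, c], ADDER2) != ((a and b) or (c and (a ^ b))):
            return False
    return True


def add2_adds() -> bool:
    """The nested module computes a0 + 2*a1 + b0 + 2*b1 + cin as (S0, S1, COUT)."""
    for a0, b0, a1, b1, cin in product([False, True], repeat=5):
        V = [a0, b0, a1, b1, cin]
        got = int(cv("S0", V, ADD2)) + 2 * int(cv("S1", V, ADD2)) + 4 * int(cv("COUT", V, ADD2))
        if got != (a0 + 2 * a1) + (b0 + 2 * b1) + cin:
            return False
    return True


if __name__ == "__main__":
    print("adder2 full adder:", adder2_is_full_adder(), "add2 adds:", add2_adds())
    print("L:", dmin("L", ADDER2), dmax("L", ADDER2), "window", stable_window("L", ADDER2, 20000, 40000))
```

For add2 the recursion adds the submodule's own dmin/dmax to the extreme delays of its arguments, so dmax(COUT, add2) = dmax(H, adder2) + dmax(C0, add2) = 10000 + 10000 = 20000 while dmin(COUT, add2) stays at 4000 (the direct path from A1 or B1); the guaranteed window of Lemma 3.2 therefore shrinks with every ripple stage.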
3.2 Sequential Modules
We shall describe a class of sequential circuits that may be characterized as synchronous resettable rising-edge-triggered devices. The flip-flop dff of Subsection 2.4 will be used as a primitive in the construction of these circuits.
Let $M$ be a structural module with $I(M) = (r_1 \ldots r_m)$, where $m \ge 2$, $S(M) = (\mu_1 \ldots \mu_k)$, and for $i = 1, \ldots, k$, $\text{nth}(i, LI(M)) = (a_{i1} \ldots a_{im_i})$ and $\text{nth}(i, LO(M)) = (b_{i1} \ldots b_{in_i})$. Let $q \in \mathbf{N}$. Then $M$ is a sequential module with multiplicity $q = \text{mult}(M)$ if either (a) $q = 0$ and $M = \text{dff}$, or (b) $0 < q \le k$ and the following conditions hold:
(1) For $1 \le i \le q$, $\mu_i$ is a sequential module;
(2) For $q < i \le k$, $\mu_i$ is a combinational module;
(3) For $1 \le i \le k$ and $1 \le j \le m_i$, $a_{ij} = r_1$ iff $i \le q$ and $j = 1$;
(4) For $1 \le i \le k$ and $1 \le j \le m_i$, $a_{ij} = r_2$ iff $i \le q$ and $j = 2$;
(5) If $(s_1 \ldots s_p)$ is a path in $M$ with $s_1 = s_p$, then for some $i$ and $j$, where $1 \le i \le p$ and $1 \le j \le q$, $s_i$ is a member of $\text{nth}(j, LO(M))$;
(6) If $(s_1 \ldots s_p)$ is a path in $M$ with $s_1$ a global input and $s_p$ a global output of $M$, then for some $i$ and $j$, where $1 \le i \le p$ and $1 \le j \le q$, $s_i$ is a member of $\text{nth}(j, LO(M))$.
Throughout the remainder of this section, we shall assume that $M$ is a sequential module with $I(M)$, $S(M)$, $LI(M)$, and $LO(M)$ as denoted above. Note that $M$ must have at least two inputs, $r_1$ and $r_2$, which we call the clock and reset, respectively; the other inputs are called data. According to (3) and (4), if $M \ne \text{dff}$, then the clock and reset of $M$ are connected to the clock and reset, respectively, of each sequential submodule of $M$, and to no other submodule inputs.
We define a path in $M$ to be combinational if it contains no signal that is a local output of a sequential submodule. According to (5) of the definition, $M$ contains no combinational loop; according to (6), no combinational path connects an input to an output.
We define a signal $s$ of $M$ to be native if there is no combinational path from any global input to $s$; the signals Q and QN of dff are also defined to be native. Thus, all outputs of $M$ are native signals.
A native signal $s$ of $M$ is registered if either (a) $M = \text{dff}$ and $s$ is an output of $M$, or (b) $M \ne \text{dff}$ and $s$ is a local output $b_{ij}$ where $i \le q$ and $\text{nth}(j, O(\mu_i))$ is a registered signal of $\mu_i$. This property will have special significance in connection with asynchronous communication.
Two examples of sequential modules are diagrammed in Fig. 6. The enabled d-flip-flop, edff, is defined to be the following structure:
(STRUCT
(CLK RST EN D)
(Q QN)
(dff not1 nand2 nand2 nand2)
((CLK RST S4) (EN) (S1 Q) (D EN) (S2 S3))
((Q QN) (S1) (S2) (S3) (S4)))
Clearly, this module satisfies the definition, with mult(edff) = 1.
The 3-bit counter count3 is a sequential module of multiplicity 3, defined as follows:
(STRUCT
(CLK RST EN)
(Q0 Q1 Q2)
(edff edff edff and2 xor2 xor2)
((CLK RST EN QN0) (CLK RST EN S3) (CLK RST EN S2)
(Q0 Q1) (S1 Q2) (Q0 Q1))
((Q0 QN0) (Q1 QN1) (Q2 QN2) (S1) (S2) (S3)))
Note that all outputs of both of these modules are registered.
3.3 Sequential Values
Our description of the behavior of sequential modules will be based on a function that computes a sequence of values for each output corresponding to a given sequence of input values. The definition of this function involves the notion of state. An object $\Sigma$ is a state of $M$ if
(1) $M = \text{dff}$ and $\Sigma \in \mathbf{B}$,
(2) $\text{mult}(M) = 1$ and $\Sigma$ is a state of $\mu_1$, or
(3) $\text{mult}(M) = q > 1$ and $\Sigma = (\sigma_1 \ldots \sigma_q)$, where for $i = 1, \ldots, q$, $\sigma_i$ is a state of $\mu_i$.
Thus, a state associates a Boolean value with each flip-flop. The reset state $\Sigma_0(M)$ is the state for which each of these values is $\mathcal{F}$:
(1) $\Sigma_0(\text{dff}) = \mathcal{F}$;
(2) If $\text{mult}(M) = 1$, then $\Sigma_0(M) = \Sigma_0(\mu_1)$;
(3) If $\text{mult}(M) = q > 1$, then $\Sigma_0(M) = (\Sigma_0(\mu_1) \ldots \Sigma_0(\mu_q))$.
A data vector for $M$ is a bit vector of length $m - 2$, the components of which correspond to the data inputs of $M$. We shall define a function $\text{next}(V, \Sigma, M)$ that computes a state of $M$ from a data vector $V$ and a state $\Sigma$. This definition requires two auxiliary functions.
First, for a native signal $s$ and a state $\Sigma$ of $M$, we define the native value of $s$ determined by $\Sigma$, denoted as $\text{nv}(s, \Sigma, M)$, as follows:
(1) $\text{nv}(\text{Q}, \Sigma, \text{dff}) = \Sigma$ and $\text{nv}(\text{QN}, \Sigma, \text{dff}) = \text{not1}(\Sigma)$;
(2) If $\text{mult}(M) = 1$ and $s = b_{1j}$, then $\text{nv}(s, \Sigma, M) = \text{nv}(\text{nth}(j, O(\mu_1)), \Sigma, \mu_1)$;
(3) If $\text{mult}(M) = q > 1$ and $s = b_{ij}$, where $i \le q$, then $\text{nv}(s, \Sigma, M) = \text{nv}(\text{nth}(j, O(\mu_i)), \text{nth}(i, \Sigma), \mu_i)$;
(4) If $\text{mult}(M) = q \ge 1$ and $s = b_{ij}$, where $i > q$, then
$\text{nv}(s, \Sigma, M) = \text{cv}(\text{nth}(j, O(\mu_i)), (\text{nv}(a_{i1}, \Sigma, M) \ldots \text{nv}(a_{im_i}, \Sigma, M)), \mu_i).$
Now, let $V = (v_3 \ldots v_m)$ and $\Sigma$ be a data vector and a state of $M$, respectively. We define the resultant value of a signal $s$ determined by $V$ and $\Sigma$, denoted as $\text{rv}(s, V, \Sigma, M)$, as follows:
(1) If $s = r_i$ is a data input of $M$, then $\text{rv}(s, V, \Sigma, M) = v_i$;
(2) If $s$ is native to $M$, then $\text{rv}(s, V, \Sigma, M) = \text{nv}(s, \Sigma, M)$;
(3) If $\text{mult}(M) = q > 0$ and $s = b_{ij}$, where $i > q$, then
$\text{rv}(s, V, \Sigma, M) = \text{cv}(\text{nth}(j, O(\mu_i)), (\text{rv}(a_{i1}, V, \Sigma, M) \ldots \text{rv}(a_{im_i}, V, \Sigma, M)), \mu_i).$
We may now define the function next. Let $\text{mult}(M) = q$ and for $i = 1, \ldots, q$, let
$L_i = (\text{rv}(a_{i3}, V, \Sigma, M) \ldots \text{rv}(a_{im_i}, V, \Sigma, M)),$
the resultant values of the data inputs of $\mu_i$. Then $\text{next}(V, \Sigma, M) = \Sigma'$, where
(1) If $q = 0$ (i.e., $M = \text{dff}$), then $\Sigma' = v_3$;
(2) If $q = 1$, then $\Sigma' = \text{next}(L_1, \Sigma, \mu_1)$;
(3) If $q > 1$ and $\Sigma = (\sigma_1 \ldots \sigma_q)$, then $\Sigma' = (\text{next}(L_1, \sigma_1, \mu_1) \ldots \text{next}(L_q, \sigma_q, \mu_q))$.
Figure 6: (a) edff (b) count3
Now, let $\mathbf{V} = (V_3 \ldots V_m)$, where for $i = 3, \ldots, m$, $V_i = (v_{i1} \ldots v_{in})$ is a bit vector of length $n$. $\mathbf{V}$ may be viewed as a Boolean matrix, the rows of which correspond to the data inputs of $M$. Each column of this matrix, $\bar V_j = (v_{3j} \ldots v_{mj})$, where $j = 1, \ldots, n$, is a data vector for $M$. A sequence of $n + 1$ states is determined by $\mathbf{V}$ as follows:
$\text{state}(j, \mathbf{V}, M) = \Sigma_0(M)$ if $j = 0$, and $\text{state}(j, \mathbf{V}, M) = \text{next}(\bar V_j, \text{state}(j - 1, \mathbf{V}, M), M)$ if $0 < j \le n$.
For any native signal $s$ of $M$, the $j$th sequential value of $s$ determined by $\mathbf{V}$ is defined as
$\text{sv}(j, s, \mathbf{V}, M) = \text{nv}(s, \text{state}(j, \mathbf{V}, M), M).$
Thus, the sequential values corresponding to a given matrix of input values are determined by the functions nv and next. As an illustration, we shall analyze the behavior of these functions for the modules edff and count3. Clearly, a state of edff is a state of dff, i.e., a Boolean value. If $\Sigma$ is such a state and $V = (v_3\ v_4)$ is a data vector, then
$\text{rv}(\text{Q}, V, \Sigma, \text{edff}) = \text{nv}(\text{Q}, \Sigma, \text{edff}) = \text{nv}(\text{Q}, \Sigma, \text{dff}) = \Sigma$
and
$\text{rv}(\text{QN}, V, \Sigma, \text{edff}) = \text{nv}(\text{QN}, \Sigma, \text{edff}) = \text{nv}(\text{QN}, \Sigma, \text{dff}) = \text{not1}(\Sigma).$
Expanding the definition of rv, we have
$\text{rv}(\text{S4}, V, \Sigma, \text{edff}) = \text{nand2}(\text{nand2}(\text{not1}(v_3), \Sigma), \text{nand2}(v_3, v_4)),$
which is also the value of $\text{next}(V, \Sigma, \text{edff})$. A trivial calculation yields the following:
Proposition 3.1 Let $\Sigma$ and $V = (v_3\ v_4)$ be a state and a data vector for edff. Then $\text{nv}(\text{Q}, \Sigma, \text{edff}) = \Sigma$ and $\text{nv}(\text{QN}, \Sigma, \text{edff}) = \text{not1}(\Sigma)$; $\text{next}(V, \Sigma, \text{edff}) = v_4$ if $v_3 = \mathcal{T}$, and $\text{next}(V, \Sigma, \text{edff}) = \Sigma$ if $v_3 = \mathcal{F}$.
A state of count3 is a vector of 3 Boolean values, corresponding to the $\text{mult}(\text{count3}) = 3$ occurrences of edff. If $\Sigma = (\sigma_0\ \sigma_1\ \sigma_2)$ and $V = (v_3)$ are a state and a data vector, then
$\text{rv}(\text{S1}, V, \Sigma, \text{count3}) = \text{and2}(\sigma_0, \sigma_1),$
$\text{rv}(\text{S2}, V, \Sigma, \text{count3}) = \text{xor2}(\text{and2}(\sigma_0, \sigma_1), \sigma_2),$
$\text{rv}(\text{S3}, V, \Sigma, \text{count3}) = \text{xor2}(\sigma_0, \sigma_1),$
and it follows from Proposition 3.1 that
$\text{next}(V, \Sigma, \text{count3}) = (\text{not1}(\sigma_0)\ \ \text{xor2}(\sigma_0, \sigma_1)\ \ \text{xor2}(\text{and2}(\sigma_0, \sigma_1), \sigma_2))$ if $v_3 = \mathcal{T}$, and $\text{next}(V, \Sigma, \text{count3}) = \Sigma$ if $v_3 = \mathcal{F}$.
This result is conveniently expressed in terms of the function $\text{inc}(W)$, defined as follows for an arbitrary bit vector $W$:
(1) If $W = \text{NIL}$, then $\text{inc}(W) = \text{NIL}$; otherwise:
(2) If $\text{car}(W) = \mathcal{T}$, then $\text{inc}(W) = \text{cons}(\mathcal{F}, \text{inc}(\text{cdr}(W)))$; otherwise:
(3) $\text{inc}(W) = \text{cons}(\mathcal{T}, \text{cdr}(W))$.
Proposition 3.2 Let $\Sigma = (\sigma_0\ \sigma_1\ \sigma_2)$ and $V = (v_3)$ be a state and a data vector for count3. Then
$\text{nv}(\text{Q0}, \Sigma, \text{count3}) = \sigma_0$, $\text{nv}(\text{Q1}, \Sigma, \text{count3}) = \sigma_1$, $\text{nv}(\text{Q2}, \Sigma, \text{count3}) = \sigma_2$;
$\text{next}(V, \Sigma, \text{count3}) = \text{inc}(\Sigma)$ if $v_3 = \mathcal{T}$, and $\text{next}(V, \Sigma, \text{count3}) = \Sigma$ if $v_3 = \mathcal{F}$.
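The hand calculations for edff and count3 follow directly from the definitions of state, nv, rv and next in Subsection 3.3, and they can be carried out by a program over the STRUCT form so that Propositions 3.1 and 3.2 are checked for every state and data vector rather than by inspection. The Python below is an added example, not code from the report or its Nqthm formalization. It treats dff as the primitive sequential module, lists sequential submodules first as the definition requires, evaluates combinational submodules through the assumed gate table (not1, and2, nand2, xor2), and takes the data vector of a submodule to be the resultant values of its local inputs other than clock and reset. The helper run_sequence computes state(j, V, M) from the reset state for a column sequence, which is the basis of the sequential values sv.

```python
"""Added example: states, native/resultant values and next for sequential modules."""
from itertools import product
from typing import Any, Callable, Dict, List, Tuple

T, F = True, False
GATES: Dict[str, Callable[..., bool]] = {          # combinational primitives (assumed)
    "not1": lambda a: not a, "and2": lambda a, b: a and b,
    "nand2": lambda a, b: not (a and b), "xor2": lambda a, b: a != b,
}
# (STRUCT inputs outputs submodules local-inputs local-outputs), as in the report.
Struct = Tuple[List[str], List[str], List[str], List[List[str]], List[List[str]]]
EDFF: Struct = (["CLK", "RST", "EN", "D"], ["Q", "QN"], ["dff", "not1", "nand2", "nand2", "nand2"],
    [["CLK", "RST", "S4"], ["EN"], ["S1", "Q"], ["D", "EN"], ["S2", "S3"]],
    [["Q", "QN"], ["S1"], ["S2"], ["S3"], ["S4"]])
COUNT3: Struct = (["CLK", "RST", "EN"], ["Q0", "Q1", "Q2"], ["edff", "edff", "edff", "and2", "xor2", "xor2"],
    [["CLK", "RST", "EN", "QN0"], ["CLK", "RST", "EN", "S3"], ["CLK", "RST", "EN", "S2"],
     ["Q0", "Q1"], ["S1", "Q2"], ["Q0", "Q1"]],
    [["Q0", "QN0"], ["Q1", "QN1"], ["Q2", "QN2"], ["S1"], ["S2"], ["S3"]])
MODULES: Dict[str, Struct] = {"edff": EDFF, "count3": COUNT3}   # dff is the primitive


def outputs(name: str) -> List[str]:
    return ["Q", "QN"] if name == "dff" else MODULES[name][1]


def mult(name: str) -> int:
    """Sequential submodules are listed first; their number is the multiplicity q."""
    return 0 if name == "dff" else sum(1 for s in MODULES[name][2] if s == "dff" or s in MODULES)


def driver(s: str, m: Struct) -> Tuple[int, int]:
    """(i, j) such that s = b_ij, i.e. s is the j-th output of submodule i."""
    for i, lo in enumerate(m[4]):
        if s in lo:
            return i, lo.index(s)
    raise KeyError(s)


def sub_state(state: Any, i: int, q: int) -> Any:
    return state if q == 1 else state[i]


def reset_state(name: str) -> Any:
    """Sigma_0: F for dff, the submodule's reset state if q = 1, else a tuple of them."""
    if name == "dff":
        return F
    q = mult(name)
    parts = [reset_state(MODULES[name][2][i]) for i in range(q)]
    return parts[0] if q == 1 else tuple(parts)


def is_native(s: str, name: str) -> bool:
    """No combinational path from a global input reaches s."""
    m = MODULES[name]
    if s in m[0]:
        return False
    i, _ = driver(s, m)
    return i < mult(name) or all(is_native(a, name) for a in m[3][i])


def nv(s: str, state: Any, name: str) -> bool:
    """Native value of native signal s determined by the state."""
    if name == "dff":
        return state if s == "Q" else not state
    m, q = MODULES[name], mult(name)
    i, j = driver(s, m)
    sub = m[2][i]
    if i < q:
        return nv(outputs(sub)[j], sub_state(state, i, q), sub)
    return GATES[sub](*[nv(a, state, name) for a in m[3][i]])


def rv(s: str, V: List[bool], state: Any, name: str) -> bool:
    """Resultant value: data inputs from V, native signals from the state, the rest evaluated."""
    m = MODULES[name]
    if s in m[0][2:]:
        return V[m[0].index(s) - 2]
    if is_native(s, name):
        return nv(s, state, name)
    i, _ = driver(s, m)
    return GATES[m[2][i]](*[rv(a, V, state, name) for a in m[3][i]])


def nxt(V: List[bool], state: Any, name: str) -> Any:
    """next(V, Sigma, M): each sequential submodule steps on the resultant values of its data inputs."""
    if name == "dff":
        return V[0]
    m, q = MODULES[name], mult(name)
    parts = [nxt([rv(a, V, state, name) for a in m[3][i][2:]], sub_state(state, i, q), m[2][i])
             for i in range(q)]
    return parts[0] if q == 1 else tuple(parts)


def inc(w: Tuple[bool, ...]) -> Tuple[bool, ...]:
    """inc of Section 3.3: least significant bit first, wrapping around at the top."""
    if not w:
        return ()
    return ((F,) + inc(w[1:])) if w[0] else ((T,) + w[1:])


def edff_matches_prop_3_1() -> bool:
    return all(nxt([en, d], s, "edff") == (d if en else s)
               and nv("Q", s, "edff") == s and nv("QN", s, "edff") == (not s)
               for s, en, d in product([F, T], repeat=3))


def count3_matches_prop_3_2() -> bool:
    return all(nxt([T], s, "count3") == inc(s) and nxt([F], s, "count3") == s
               and tuple(nv(q, s, "count3") for q in ("Q0", "Q1", "Q2")) == s
               for s in product([F, T], repeat=3))


def run_sequence(name: str, columns: List[List[bool]]) -> List[Any]:
    """state(j, V, M) for j = 0..n, starting from the reset state."""
    states = [reset_state(name)]
    for col in columns:
        states.append(nxt(col, states[-1], name))
    return states
```

Running eight enabled cycles from the reset state walks count3 through all eight states and back to (F F F), which is the wrap-around built into inc; with the enable low the state is unchanged, as Proposition 3.2 states.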
3.4 Behavior of dff
Naturally, the behavior of sequential modules depends on that of the primitive dff. A precise behavioral specification of dff is given by the following lemma, the proof of which is an elaboration of the informal argument found in [20]:
Lemma 3.3 Let $t_1 + 4000 \le t'_1$, $t'_1 + 6000 \le t_2$, and $t_1 \le t_f$. Let $p = (w_{CLK}\ w_{RST}\ w_D)$ be an input packet for dff, and suppose that
$\hat w_{CLK}(t) = \mathcal{F}$ for all $t \in [t_1 - 6000, t_1) \cup [t'_1, t_2)$, and $\hat w_{CLK}(t) = \mathcal{T}$ for all $t \in [t_1, t'_1)$,
and
$\hat w_{RST}(t) = r$ for all $t \in [t_1 - 8000, t_1)$, and $\hat w_D(t) = d$ for all $t \in [t_1 - 6000, t_1)$.
Let $\text{sim}(\text{dff}, p, t_f) = ((w_{RN})\ (w_{DD})\ (w_{A1})\ (w_{B1})\ (w_{A2})\ (w_{B2})\ (w_Q)\ (w_{QN}))$ and let $v = \text{and2}(\text{not1}(r), d)$. Then $\hat w_Q(t) = v$ and $\hat w_{QN}(t) = \text{not1}(v)$ for all $t \in [t_1 + 6000, t_2 + 4000)$. Moreover, if these same values hold for all $t \in [t_1, t_1 + 4000)$, then they also hold for all $t \in [t_1 + 4000, t_1 + 6000)$.
Proof: By Lemmas 3.1 and 2.12, we have $\hat w_{RN}(t) = \text{not1}(r)$ for all $t \in [t_1 - 6000, t_1 + 2000)$. Applying the same two lemmas again, we have $\hat w_{DD}(t) = v$ for all $t \in [t_1 - 4000, t_1 + 2000)$. Similarly, $\hat w_{A2}(t) = \hat w_{B1}(t) = \mathcal{T}$ for $t \in [t_1 - 4000, t_1 + 2000)$, $\hat w_{B2}(t) = \text{not1}(v)$ for $t \in [t_1 - 2000, t_1 + 4000)$, and hence $\hat w_{A1}(t) = v$ for $t \in [t_1, t_1 + 4000)$.
We shall consider the case $v = \mathcal{F}$; the case $v = \mathcal{T}$ is similar. In this case, $\hat w_{B1}(t) = \mathcal{T}$ for $t \in [t_1 + 2000, t_1 + 6000)$, and hence $\hat w_{A2}(t) = \mathcal{F}$ for $t \in [t_1 + 2000, t_1 + 6000)$.
Let $t'$ be the least time such that $t' \ge t_1 + 2000$ and some waveform in the set $\{w_{A1}, w_{B1}, w_{A2}, w_{B2}\}$ assumes a new value at $t'$. Then $\hat w_{A1}(t) = \hat w_{A2}(t) = \mathcal{F}$ and $\hat w_{B1}(t) = \hat w_{B2}(t) = \mathcal{T}$ for $t \in [t_1 + 2000, t')$. Since $t' \ge t_1 + 4000$, it follows that $\hat w_{B1}(t) = \hat w_{B2}(t) = \mathcal{T}$ and $\hat w_{A1}(t) = \mathcal{F}$ for $t \in [t_1 + 4000, t' + 2000)$. Similarly, $\hat w_{A2}(t) = \mathcal{F}$ for $t \in [t_1 + 4000, \min(t'_1 + 2000, t' + 2000))$. Thus, only $w_{A2}$ can possibly assume a new value at $t'$, and this requires that $t' \ge t'_1 + 2000$.
Hence, $\hat w_{B1}(t) = \mathcal{T}$ and $\hat w_{A2}(t) = \mathcal{F}$ for $t \in [t_1 + 2000, t'_1 + 2000)$. It follows that $\hat w_{QN}(t) = \mathcal{T}$ for $t \in [t_1 + 4000, t'_1 + 4000)$, and hence $\hat w_Q(t) = \mathcal{F}$ for $t \in [t_1 + 6000, t'_1 + 4000)$.
Let $t''$ be the least time such that $t'' \ge t_1 + 6000$ and either $w_Q$ or $w_{QN}$ assumes a new value at $t''$. By an argument similar to the above, it is easily shown that $t'' \ge t_2 + 4000$. Thus, $\hat w_Q(t) = \mathcal{F} = v$ for $t \in [t_1 + 6000, t_2 + 4000)$, and $\hat w_{QN}(t) = \mathcal{T} = \text{not1}(v)$ for $t \in [t_1 + 4000, t_2 + 4000)$.
Now suppose that $\hat w_Q(t) = \mathcal{F}$ and $\hat w_{QN}(t) = \mathcal{T}$ for $t \in [t_1, t_1 + 4000)$. Then $\hat w_{QN}(t) = \mathcal{T}$ for $t \in [t_1, t_2 + 4000)$. It follows that $\hat w_Q(t) = \mathcal{F}$ for $t \in [t_1 + 4000, t_2 + 4000)$. □
3.5 Parameters
Our objective is to impose constraints on the input to a sequential module that will allow
its outputs to be described in terms of sequential values. In particular, the clock input
will be required to exhibit periodic behavior. We shall call each event of its associated
waveform a rising or falling edge, according to whether its value is $T$ or $F$. An interval
between two successive rising edges is called a cycle. Each of the remaining inputs will
be required to maintain a stable value over a prescribed interval preceding each rising
edge. For the reset input $r_2$, this value is $T$ for an initial cycle, and $F$ for every cycle
thereafter.
Under these constraints, we shall show that the behavior of $M$ admits a fairly simple
description. A state of $M$ will be associated with each rising edge. This state may be
computed from the data values prior to the edge and the previous state by the function
next. The values of the outputs, which may change only during a short interval following
a rising edge, are the corresponding sequential values.
We shall describe the behavior of the signals of M in terms of several parameters.
First, we associate with each input other than the clock a setup time, which represents
the duration over which the signal is required to hold constant prior to a rising edge.
For the case $M = dff$, as suggested by Lemma 3.3, we define
$$setup(RST, dff) = 8000 \quad \text{and} \quad setup(D, dff) = 6000.$$
Now suppose $mult(M) = q > 0$ and let $s$ be any signal of $M$ other than $r_1$. Assume
$setup(s', M)$ has been defined for each $s' \neq s$ that lies on a combinational path starting
at $s$. For $i = 1, \ldots, k$, let $\xi_i$ be defined as follows:
(1) If $s \neq a_{ij}$ for all $j$, $1 \le j \le m_i$, then $\xi_i = 0$; otherwise:
(2) If $i \le q$, then $\xi_i$ is the maximum $setup(nth(j, I(\mu_i)), \mu_i)$ such that $s = a_{ij}$, $j = 2, \ldots, m_i$; otherwise:
(3) $i > q$, and $\xi_i$ is the maximum sum
$$dmax(nth(j, O(\mu_i)), \mu_i) + setup(b_{ij}, M)$$
such that $setup(b_{ij}, M) > 0$, $j = 1, \ldots, n_i$.
Then $setup(s, M) = \max(\xi_1, \ldots, \xi_k)$.
Each native signal of $M$ is associated with a minimum and a maximum delay, which
determine an interval during which the signal's value may change following a rising edge.
For the case $M = dff$, we define
$$dmin(Q, dff) = dmin(QN, dff) = 4000, \qquad dmax(Q, dff) = dmax(QN, dff) = 6000.$$
Now suppose $mult(M) = q > 0$ and let $s = b_{ij}$ be any native signal of $M$.
(1) If $i \le q$, then
$$dmin(s, M) = dmin(nth(j, O(\mu_i)), \mu_i), \qquad dmax(s, M) = dmax(nth(j, O(\mu_i)), \mu_i);$$
(2) If $i > q$, then
$$dmin(s, M) = dmin(nth(j, O(\mu_i)), \mu_i) + \min(dmin(a_{i1}, M), \ldots, dmin(a_{im_i}, M)),$$
$$dmax(s, M) = dmax(nth(j, O(\mu_i)), \mu_i) + \max(dmax(a_{i1}, M), \ldots, dmax(a_{im_i}, M)).$$
We also define three parameters pertaining to the behavior of the clock input of $M$,
called the clock high, the clock low, and the minimum period of $M$. These represent
the minimum durations between a rising edge and the next falling edge, a falling edge
and the next rising edge, and successive rising edges, respectively. First, we define
$high(dff) = 4000$, $low(dff) = 6000$, and $per(dff) = 10000$. For $mult(M) = q > 0$, we
define
$$high(M) = \max(high(\mu_1), \ldots, high(\mu_q));$$
$$low(M) = \max(low(\mu_1), \ldots, low(\mu_q));$$
$$per(M) = \max(P_1, P_2, P_3),$$
where
$$P_1 = \max\{per(\mu_i) : 1 \le i \le q\};$$
$$P_2 = \max\{setup(r_i, M) : 2 \le i \le m\};$$
$$P_3 = \max\{setup(b_{ij}, M) + dmax(nth(j, O(\mu_i)), \mu_i) : 1 \le i \le q,\ 1 \le j \le n_i\}.$$
Consider, for example, the circuits edff and count3. First, the setup times for
the signals of edff may be computed directly from the definitions, by tracing along all
combinational paths. For example,
$$setup(RST, edff) = 8000, \quad setup(EN, edff) = 12000, \quad setup(D, edff) = 10000.$$
The setups for count3 follow trivially:
$$setup(RST, count3) = 8000, \quad setup(EN, count3) = 12000.$$
In fact, it follows from our definitions that the setup of the reset input of every sequential module is
8000.
All outputs of both of these devices are registered. It follows that the minimum and
maximum delay of each output are 4000 and 6000, respectively.
Similarly, the clock high and low of each device (in fact, of any sequential device) are
4000 and 6000, respectively, as determined by dff. Calculation of the minimum period,
on the other hand, involves a comparison of various setups and delays. In the case of
edff, the minimum period is found to be
$$setup(Q, edff) + dmax(Q, dff) = 10000 + 6000 = 16000;$$
for count3, it is
$$setup(Q0, count3) + dmax(Q, edff) = 14000 + 6000 = 20000.$$
3.6 The Main Theorem
The input constraints for sequential modules will be expressed in terms of the functions
setup, high, low, and per. First, we define a waveform $w$ to be an $n$-cycle pulse based
at $t_0$ with high $h$, low $\ell$, and period $\pi = h + \ell$ if for $k = 0, \ldots, n - 1$,
$$\hat{w}(t) = \begin{cases} T & \text{for all } t \in [t_0 + k\pi, t_0 + k\pi + h) \\ F & \text{for all } t \in [t_0 + k\pi + h, t_0 + (k+1)\pi). \end{cases}$$
If $h \ge high(M)$, $\ell \ge low(M)$, and $\pi \ge per(M)$, then $w$ is an admissible pulse for $M$.
Let $V = (v_1 \ldots v_n)$ be a bit vector and let $\pi \ge u > 0$. Let $w$ be a waveform such that
for $k = 1, \ldots, n$, $\hat{w}(t) = v_k$ for all $t \in [t_0 + k\pi - u, t_0 + k\pi)$. Then $w$ is a stable $n$-cycle
waveform based at $t_0$ with setup $u$, value list $V$, and period $\pi$. If $u = setup(r_2, M)$,
$v_1 = T$, and $v_2 = \ldots = v_n = F$, then $w$ is an admissible reset waveform for $M$.
For $i = 1, \ldots, k$, let $w_i$ be a stable $n$-cycle waveform based at $t_0$ with value list $V_i$,
setup $u_i$, and period $\pi$. Let $\mathcal{V} = (V_1 \ldots V_k)$, $U = (u_1 \ldots u_k)$, and $W = (w_1 \ldots w_k)$.
Then $W$ is a stable $n$-cycle packet based at $t_0$ with value matrix $\mathcal{V}$, setup list $U$, and
period $\pi$. If $k = m - 2$ and $u_i = setup(r_{i+2}, M)$ for $i = 1, \ldots, k$, then $W$ is an admissible
data packet for $M$.
Let $w_1$ be an admissible $(n + 2)$-cycle pulse for $M$ based at $t_0$ with period $\pi$. Let
$w_2$ be an admissible $(n + 1)$-cycle reset waveform for $M$ based at $t_0$ with period $\pi$. Let
$(w_3 \ldots w_m)$ be an admissible $n$-cycle data packet for $M$ based at $t_0 + \pi$ with value matrix
$\mathcal{V}$ and period $\pi$. Then $(w_1 \ldots w_m)$ is an admissible $n$-cycle input packet for $M$ based at
$t_0$ with value matrix $\mathcal{V}$ and period $\pi$.
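The definitions of pulse, stable waveform and admissibility above are decidable checks on a finite event list, and it is useful to see them as such. The following Python is an added example, not the report's Nqthm definitions: a waveform is a list of (value, time) events, most recent first, as in the report, and the sample clock and reset waveforms are constructed; the dff constants (high 4000, low 6000, per 10000, setup(RST) 8000) are the report's.

```python
# Added example: the waveform predicates of Section 3.6 (pulse, stable waveform, admissible
# pulse and reset waveform) made executable. Not the report's Nqthm code. A waveform is a
# list of (value, time) events, most recent first; T/F are True/False.


def value_at(w, t):
    """w_hat(t): the value of the latest event at or before t."""
    for v, te in w:                       # events are stored most-recent-first
        if te <= t:
            return v
    raise ValueError("no event at or before t=%d" % t)


def constant_on(w, v, lo, hi):
    """w_hat(t) = v for all t in [lo, hi). The value can only change at an event time,
    so it is enough to test lo and every event time strictly inside the interval."""
    if hi <= lo:
        return True
    probes = [lo] + [te for _, te in w if lo < te < hi]
    return all(value_at(w, t) == v for t in probes)


def is_pulse(w, t0, n, h, l):
    """n-cycle pulse based at t0 with high h, low l, period h + l."""
    pi = h + l
    return all(constant_on(w, True, t0 + k * pi, t0 + k * pi + h) and
               constant_on(w, False, t0 + k * pi + h, t0 + (k + 1) * pi)
               for k in range(n))


def is_stable(w, t0, n, u, V, pi):
    """Stable n-cycle waveform based at t0 with setup u, value list V, period pi:
    w_hat(t) = v_k on [t0 + k*pi - u, t0 + k*pi) for k = 1..n."""
    return len(V) == n and all(constant_on(w, V[k - 1], t0 + k * pi - u, t0 + k * pi)
                               for k in range(1, n + 1))


def is_admissible_pulse(w, t0, n, h, l, high, low, per):
    """Pulse whose high, low and period meet the module's high(M), low(M), per(M)."""
    return is_pulse(w, t0, n, h, l) and h >= high and l >= low and h + l >= per


def is_admissible_reset(w, t0, n, u, pi, setup_rst):
    """Reset waveform: setup u = setup(r2, M), value list (T F ... F)."""
    return u == setup_rst and is_stable(w, t0, n, u, [True] + [False] * (n - 1), pi)


def pulse_events(t0, n, h, l, initial=False):
    """Construct the event list of an n-cycle pulse (helper for the samples below)."""
    events = [(initial, 0)]
    for k in range(n):
        events.append((True, t0 + k * (h + l)))
        events.append((False, t0 + k * (h + l) + h))
    return list(reversed(events))          # most recent first


# Constructed samples for dff: a 3-cycle clock and a reset that is T during the first cycle.
DFF_HIGH, DFF_LOW, DFF_PER, DFF_SETUP_RST = 4000, 6000, 10000, 8000
CLK = pulse_events(0, 3, 4000, 6000)
RST = [(False, 10000), (True, 1000), (False, 0)]      # rises at 1000, falls at 10000

if __name__ == "__main__":
    print(is_admissible_pulse(CLK, 0, 3, 4000, 6000, DFF_HIGH, DFF_LOW, DFF_PER))   # True
    print(is_admissible_reset(RST, 0, 3, 8000, 10000, DFF_SETUP_RST))               # True
```

Because a waveform can change value only at an event, constant_on probes the interval's start and its interior event times rather than every instant, so the check is exact rather than sampled.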
We may now state a behavioral specification for sequential modules:
Theorem 3.1 Let $s = nth(j, O(M))$ be the $j$th output of a sequential module $M$, $d' = dmax(s, M)$, and $w = nth(j, outp(M, sim(M, p, t_f)))$.
Assume that $p$ is an admissible $n$-cycle input packet for $M$ based at $t_0$ with value
matrix $\mathcal{V}$ and period $\pi$, where $t_f \ge t_0 + (n+1)\pi$. For $i = 0, \ldots, n$, let $v_i = sv(i, s, \mathcal{V}, M)$.
Then $w$ is a stable $(n+1)$-cycle waveform based at $t_0 + \pi$ with setup $\pi - d'$, value list
$(v_0 \ldots v_n)$, and period $\pi$.
Assume further that $s$ is a registered signal of $M$ and $v_{i-1} = v_i$ for some $i$, $1 \le i \le n$.
Then $\hat{w}(t) = v_i$ for all $t \in [t_0 + (i+1)\pi, t_0 + (i+2)\pi)$.
Theorem 3.1 is an immediate consequence of the following:
Lemma 3.4 Let $s = nth(j, O(M))$ be the $j$th output of a sequential module $M$, $d = dmin(s, M)$, $d' = dmax(s, M)$, and
$$w = nth(j, outp(M, sim(M, p, t_f))).$$
Assume that $p$ is an admissible $n$-cycle input packet for $M$ based at $t_0$ with value matrix
$\mathcal{V}$ and period $\pi$. Let $t_0 + (n+1)\pi = t_1$, $t_1 + \pi = t_2$, and assume $t_1 \le t_f$. Let
$v = sv(n, s, \mathcal{V}, M)$. Then $\hat{w}(t) = v$ for all $t \in [t_1 + d', t_2 + d)$.
Suppose further that $s$ is a registered signal of $M$. If $n > 0$ and $sv(n-1, s, \mathcal{V}, M) = v$,
then $\hat{w}(t) = v$ for all $t \in [t_1 + d, t_2 + d)$.
Proof: For the case $M = dff$, the lemma is simply a restatement of Lemma 3.3.
Thus, we may assume that $M \neq dff$ and proceed by induction on the structure of $M$.
Let $\mathcal{V} = (V_3 \ldots V_m)$, where for $i = 3, \ldots, m$, $V_i = (v_{i1} \ldots v_{in})$. For $j = 0, \ldots, n$, let
$\Sigma_j = state(j, \mathcal{V}, M)$.
Let $B = sim(M, p, t_f)$, and for each signal $s$ of $M$, let
$$w_s = \begin{cases} nth(i, p) & \text{if } s \text{ is a global input } r_i \\ \text{the waveform for } s \text{ determined by } B & \text{if } s \text{ is a local output } b_{ij}. \end{cases}$$
If $s$ is not $r_1$ or $r_2$, then for $0 \le \ell < n$, let
$$val(s, \ell) = rv(s, (v_{3(\ell+1)} \ldots v_{m(\ell+1)}), \Sigma_\ell, M).$$
If $s$ is native, then by definition we have
$$val(s, \ell) = nv(s, \Sigma_\ell, M) = sv(\ell, s, \mathcal{V}, M).$$
Thus, for native $s$, we extend the definition to $\ell = n$ by
$$val(s, n) = sv(n, s, \mathcal{V}, M).$$
For any $\ell \in \mathbf{N}$, let $t^\ell = t_0 + (\ell+1)\pi$, so that $t_1 = t^n$ and $t_2 = t^{n+1} = t^n + \pi$. We
shall prove, by induction on $\ell$, that the following three statements hold for each $\ell \le n$:
(a) For each $i$, $1 \le i \le q$, $inp(i, M, p, B)$ is an admissible $\ell$-cycle input packet for $\mu_i$
based at $t_0$ with value matrix
$$((val(a_{i3}, 0) \ldots val(a_{i3}, \ell - 1)) \ldots (val(a_{im_i}, 0) \ldots val(a_{im_i}, \ell - 1)))$$
and period $\pi$.
(b) For each native signal $s = b_{ij}$ of $M$,
$$\hat{w}_s(t) = val(s, \ell) \text{ for all } t \in [t^\ell + dmax(s, M), t^{\ell+1} + dmin(s, M));$$
if $s$ is a registered signal of $M$, then the same is true for the interval
$[t^\ell + dmin(s, M), t^{\ell+1} + dmin(s, M))$.
(c) If $\ell < n$, then for each signal $s$ of $M$ other than $r_1$ and $r_2$,
$$\hat{w}_s(t) = val(s, \ell) \text{ for all } t \in [t^{\ell+1} - setup(s, M), t^{\ell+1}).$$
The lemma will then follow from (b), taking $\ell = n$.
Proof of (a): For $\ell = 0$, this follows from (3) and (4) in the definition of sequential
module. For $\ell > 0$, we must also invoke the inductive hypothesis that (c) holds with $\ell$
replaced by $\ell - 1$.
Proof of (b): We induct on the length of the longest combinational path terminating
at $s$. Let $s = b_{ij}$. In the base case, where $i \le q$, the result follows from the inductive
assumption that the lemma holds for the sequential submodule $\mu_i$, Lemma 2.12, and
(a). In the inductive case, where $i > q$, it follows from Lemmas 2.12 and 3.2.
Proof of (c): This is similarly proved by induction on the length of the longest
combinational path terminating at $s$. In the base case, $s$ is either a global input $r_i$,
$i \ge 3$, or a local output $b_{ij}$, $i \le q$. If $s = r_i$, then the claim follows directly from the
admissibility of the input packet $p$. Suppose $s = b_{ij}$, $i \le q$. It follows from (b) that
$$\hat{w}_s(t) = val(s, \ell) \text{ for all } t \in [t^\ell + dmax(s, M), t^{\ell+1}).$$
According to the definition of $per(M)$,
$$\pi \ge setup(b_{ij}, M) + dmax(nth(j, O(\mu_i)), \mu_i).$$
Hence,
$$t^\ell + dmax(s, M) = t^{\ell+1} - \pi + dmax(nth(j, O(\mu_i)), \mu_i) \le t^{\ell+1} - setup(b_{ij}, M).$$
The induction is completed as in the proof of (b). ∎
4 Asynchronous Communication
Suppose we have a circuit in which an output of one sequential module, called the sender,
is connected to a data input of another, called the receiver. Under suitable conditions
on the sender's input, its output waveform is guaranteed by Theorem 3.1 to be stable
with respect to the period of the sender's clock. On the other hand, in order to apply
the results of Section 3 to the behavior of the receiver, we must be able to assume that
its input is stable with respect to the period of its own clock. In general, this is true
only for a synchronous circuit, in which the two modules are driven by the same clock.
In this section, we shall examine the asynchronous case, in which the two clock inputs
have different periods.
Our treatment of this problem is based on Moore's model of asynchrony [15]. In this
model, the behavior of a signal is characterized abstractly by three quantities: a base
time, a period, and a bit vector (representing the values assumed on successive cycles).
Moore postulates that the receiver's input vector is determined by a function asynch,
the arguments of which include the sender's output vector, the two periods, and the two
base times. In this section, we shall present Moore's function asynch and establish the
applicability of his model to certain circuits represented in our language. In Section 5,
we shall employ a theorem of Moore to show that if the sender's and receiver's periods
are known to be approximately equal, then communication may be achieved by means
of a well known protocol.
4.1 Smooth and Quasi-Smooth Waveforms
The communication protocol is motivated by the observation that if the time at which
the receiver samples its input may be approximated by the sender, then the sender
may successfully communicate a value by redundantly writing the value on sufficiently
many successive cycles to guarantee that it is the value read by the receiver. For this
purpose, the assumption that the sender's output waveform is stable is too weak; the
waveform must be known to be constant on each cycle during some critical interval.
With this requirement in mind, we define a stable waveform to be smooth if its setup
time coincides with its period. Thus, $w$ is a smooth $n$-cycle waveform based at $t_0$
with value list $V = (v_1 \ldots v_n)$ and period $\pi$ if for $k = 1, \ldots, n$, $\hat{w}(t) = v_k$ for all
$t \in [t_0 + (k-1)\pi, t_0 + k\pi)$.
A somewhat weaker notion of smoothness is needed to describe waveforms that are
constant over some but not all cycles. First, we define a list $V = (v_1 \ldots v_n)$ to be a
generalized bit vector if each $v_i$ is either Boolean or the literal atom $Q$. In this case, we
shall call $w$ a quasi-smooth $n$-cycle waveform based at $t_0$ with value list $V$ and period $\pi$
if for $k = 1, \ldots, n$, either $v_k = Q$ or $\hat{w}(t) = v_k$ for all $t \in [t_0 + (k-1)\pi, t_0 + k\pi)$. (Thus,
the value $Q$ corresponds to cycles of unknown behavior.)
Our first objective is to derive a nontrivial representation of an output waveform
of a sequential device as a quasi-smooth waveform. For this purpose, we make the
following definition: If $v$ is a Boolean atom and $V$ is a bit vector, then $smooth(v, V)$ is
the generalized bit vector $V'$, where
(1) If $V = NIL$, then $V' = NIL$; otherwise:
(2) If $car(V) = v$, then $V' = cons(v, smooth(v, cdr(V)))$; otherwise:
(3) $V' = cons(Q, smooth(car(V), cdr(V)))$.
Thus, if $v = v_0$ and $V = (v_1 \ldots v_n)$, then $V' = (v'_1 \ldots v'_n)$, where for $i = 1, \ldots, n$,
$$v'_i = \begin{cases} v_i & \text{if } v_i = v_{i-1} \\ Q & \text{if } v_i \neq v_{i-1}. \end{cases}$$
Lemma 4.1 Let $s = nth(j, O(M))$ be a registered output of a sequential module $M$. Let
$w = nth(j, outp(M, sim(M, p, t_f)))$, where $p$ is an admissible $n$-cycle input packet for $M$
based at $t_0$ with value matrix $\mathcal{V}$ and period $\pi$, and $t_f \ge t_0 + (n+1)\pi$.
Let $U = (sv(0, s, \mathcal{V}, M) \ldots sv(n, s, \mathcal{V}, M))$. Then $w$ is an $n$-cycle quasi-smooth waveform based at $t_0 + 2\pi$ with value list $smooth(car(U), cdr(U))$ and period $\pi$.
Proof: For $0 \le k \le n$, let $U_k = (sv(n-k, s, \mathcal{V}, M) \ldots sv(n, s, \mathcal{V}, M))$ and $V_k = smooth(car(U_k), cdr(U_k))$. We shall prove, by induction on $k$, that $w$ is a $k$-cycle quasi-smooth waveform based at $t_0 + (n - k + 2)\pi$ with value list $V_k$ and period $\pi$.
The base case $k = 0$ holds vacuously. For $k > 0$, since $cdr(V_k) = V_{k-1}$, we need
only consider $car(V_k)$ and the behavior of $w$ on $[t_0 + (n - k + 2)\pi, t_0 + (n - k + 3)\pi)$.
If $car(V_k) = Q$, there is nothing to prove. In the remaining case, $car(V_k) = car(U_k) = car(U_{k-1})$, i.e., $sv(n-k, s, \mathcal{V}, M) = sv(n-k+1, s, \mathcal{V}, M)$, and the result follows from
Theorem 3.1. ∎
4.2 Describing Output as Input
Next, for a given quasi-smooth waveform with period $\pi_s$ (representing that of the
sender's clock), we would like to derive an alternative representation as a quasi-smooth
waveform with a given period $\pi_r$ (that of the receiver's clock). Let $w$ be an $n$-cycle
quasi-smooth waveform based at $t_s$ (a rising edge of the sender's clock) with value list
$V = (v_1 \ldots v_n)$ and period $\pi_s$. Assume $t_s \le t_r < t_s + \pi_s$ (where $t_r$ represents a rising edge
of the receiver's clock). We shall construct a list of values $V' = warp(V, t_s, t_r, \pi_s, \pi_r)$
such that $w$ is a quasi-smooth waveform based at $t_r$ with value list $V'$ and period $\pi_r$.
The definition of warp requires several auxiliary functions.
Let $t$ satisfy $t_s < t \le t_s + n\pi_s$. Choose $k$ so that $t_s + (k-1)\pi_s < t \le t_s + k\pi_s$. Then
$1 \le k \le n$. ($k$ represents the number of cycles of the sender that intersect the interval
$[t_s, t)$.) We define
$$sig(V, t_s, t, \pi_s) = \begin{cases} v_1 & \text{if } v_1 = v_2 = \ldots = v_k \\ Q & \text{if not.} \end{cases}$$
Under the same constraints on $t$, choose $\ell$ so that $t_s + \ell\pi_s \le t < t_s + (\ell+1)\pi_s$. Then
$0 \le \ell \le n$. ($t_s + \ell\pi_s$ represents the maximum sender's rising edge that is not exceeded
by $t$.) We define
$$t^+(V, t_s, t, \pi_s) = t_s + \ell\pi_s$$
and
$$lst^+(V, t_s, t, \pi_s) = (v_{\ell+1} \ldots v_n).$$
Now we may define $V' = warp(V, t_s, t_r, \pi_s, \pi_r)$: If $t_r + \pi_r > t_s + n\pi_s$, then $V' = NIL$;
otherwise,
$$V' = cons(sig, warp(lst^+, t^+, t_r + \pi_r, \pi_s, \pi_r)),$$
where $sig = sig(V, t_s, t_r + \pi_r, \pi_s)$, $lst^+ = lst^+(V, t_s, t_r + \pi_r, \pi_s)$, and $t^+ = t^+(V, t_s, t_r + \pi_r, \pi_s)$.
Lemma 4.2 Let $w$ be a quasi-smooth $n$-cycle waveform based at $t_s$ with value list $V$
and period $\pi_s$. Let $\pi_r > 0$ and $t_s \le t_r < t_s + \pi_s$. Let $V' = warp(V, t_s, t_r, \pi_s, \pi_r)$ and
let $n'$ be the length of $V'$. Then $w$ is a quasi-smooth $n'$-cycle waveform based at $t_r$ with
value list $V'$ and period $\pi_r$.
Proof: We may assume $t_r + \pi_r \le t_s + n\pi_s$, for otherwise, $n' = 0$. Let $V = (v_1 \ldots v_n)$
and let $sig$, $lst^+$, and $t^+$ be defined as in the definition of warp. By induction, we may
further assume that $w$ is a quasi-smooth $(n' - 1)$-cycle waveform based at $t_r + \pi_r$ with
value list $cdr(V') = warp(lst^+, t^+, t_r + \pi_r, \pi_s, \pi_r)$ and period $\pi_r$. We need only show
that either $car(V') = sig = Q$, or $\hat{w}$ has the constant value $sig$ on the cycle $[t_r, t_r + \pi_r)$.
Suppose $sig \neq Q$. Choose $k$ so that $t_s + (k-1)\pi_s < t_r + \pi_r \le t_s + k\pi_s$. According
to the definition of $sig$, $sig = v_1 = v_2 = \ldots = v_k$, and hence, $\hat{w}(t) = sig$ for all
$t \in [t_s, t_s + k\pi_s) \supseteq [t_r, t_r + \pi_r)$. ∎
4.3 Eliminating Metastability
Lemmas 4.1 and 4.2 together provide a representation of a registered output waveform
from the sender as a quasi-smooth waveform with respect to the receiver's clock. In
order to achieve communication, we shall design a clocked state-holding device, called
a d-latch, that converts a quasi-smooth input to a stable output. In our asynchronous
circuit, this device will share the receiver's clock, and its output will be connected to
the receiver's input.
The d-latch will consist of an inverter and three nand gates. Its functionality will
depend on the relative delays of these components. Thus, along with our standard gates
not1 and nand2, both of which have delay 2000, we shall require the following faster
nand gate, fnand2:
(BEHAV (A B) ((NAND2 A B)) (1000) (INERTIAL))
We define dlatch to be the following module, which is diagrammed in Fig. 7:
(STRUCT (CLK D) (S2)
(not1 nand2 nand2 fnand2)
((CLK) (CLK D) (S1 S3) (S0 S2))
((S0) (S1) (S2) (S3)))
Unlike all other circuits that we have encountered, the specified behavior of dlatch will
also depend on the unique character of inertial delay. In particular, we shall need the
following result:
Lemma 4.3 Let $nth(j, O(M)) = s$ be the $j$th output of a behavioral module $M$. Let
$nth(j, D(M)) = d$ and $nth(j, P(M)) = INERTIAL$. Let $p$ be an input packet for $M$, let $v$
be the combinational value of $s$ w.r.t. $\hat{p}(t_0)$, and let $w = nth(j, sim(M, p, t_0))$.
(a) If $\hat{w}(t_0) = v$, then $w = hist(w, t_0)$;
(b) If $\hat{w}(t_0) \neq v$, then $w = cons((v, t_1), hist(w, t_0))$, where $t_0 < t_1 \le t_0 + d$.
Proof: By Lemma 2.13 and the definition of exec,
$$w = inertial(w, v, t_0, t_0 + d).$$
The lemma follows from the definition of inertial. ∎
The behavioral specification of dlatch is an instance of the following, with $d_0 = d_1 = d_2 = 2000$ and $d_3 = 1000$.
Lemma 4.4 Let $G_0$ be the inverter
(BEHAV (A) ((NOT1 A)) (d0) (INERTIAL))
and for $i = 1, 2, 3$, let $G_i$ be the nand gate
(BEHAV (A B) ((NAND2 A B)) (di) (INERTIAL)),
where $d_1 \le d_0$ and $d_0 + d_3 < d_1 + d_2$. Let $D = d_0 + d_1 + d_2 + d_3$. Let $L$ be the module
(STRUCT (CLK D) (S2)
(G0 G1 G2 G3)
((CLK) (CLK D) (S1 S3) (S2 S0))
((S0) (S1) (S2) (S3))).
Let $p = (w_{CLK}\ w_D)$ be an input packet for $L$, and assume that
$$\hat{w}_{CLK}(t) = \begin{cases} T & \text{for all } t \in [t_+, t_-) \\ F & \text{for all } t \in [t_-, t_f), \end{cases}$$
where $t_- \ge t_+ + D$ and $t_f \ge t_- + D$. Let $((w_0)\ (w_1)\ (w_2)\ (w_3)) = sim(L, p, t_f)$. Then
$\hat{w}_2$ has a constant value $v$ on $[t_- + D, t_f)$. If $\hat{w}_D$ has a constant value $u$ on $[t_+, t_f)$, then
$u = v$.
Proof: For each $t \in \mathbf{N}$, let $B_t = ((w_{0,t})\ (w_{1,t})\ (w_{2,t})\ (w_{3,t})) = sim(L, p, t)$. Then for
$i = 0, \ldots, 3$, $w_i = w_{i,t_f}$. Let $t_0 = t_- + d_0$. For each $t \ge t_0$, the following results may be
derived from Lemmas 3.1 and 2.12:
(a) $\hat{w}_{0,t}$ has the constant value $F$ on $[t_+ + d_0, t_0)$;
(b) $\hat{w}_{3,t}$ has the constant value $T$ on $[t_+ + d_0 + d_3, t_0 + d_3)$;
(c) $\hat{w}_{0,t}$ has the constant value $T$ on $[t_0, t_f + d_0)$;
(d) $\hat{w}_{1,t}$ has the constant value $T$ on $[t_- + d_1, t_f + d_1)$.
In particular, for each $t \ge t_0$, $\hat{w}_{0,t}$ and $\hat{w}_{1,t}$ are both constant on $[t_0, t_f)$.
By Lemma 2.12,
$$(w_{2,t}) = sim(G_2, (w_{1,t}\ w_{3,t}), t)$$
and
$$(w_{3,t}) = sim(G_3, (w_{0,t}\ w_{2,t}), t).$$
We shall apply Lemma 4.3 to both $G_2$ and $G_3$.
We shall show that for some $t_1 \in [t_0, t_- + D)$ and some $v \in \mathbf{B}$, $\hat{w}_{2,t_1}(t_1) = v$ and
$\hat{w}_{3,t_1}(t_1) = not1(v)$. Let $\hat{w}_{2,t_0}(t_0) = v_2$ and $\hat{w}_{3,t_0}(t_0) = v_3$. We consider the following
cases:
Case 1: $v_3 = not1(v_2)$. In this case, we take $t_1 = t_0$ and $v = v_2$.
Case 2: $v_3 = v_2$. By Lemma 4.3(b),
$$w_{2,t_0} = cons((not1(v_2), t_2), hist(w_{2,t_0}, t_0)),$$
where $t_0 < t_2 \le t_0 + d_2$, and
$$w_{3,t_0} = cons((not1(v_2), t_3), hist(w_{3,t_0}, t_0)),$$
where $t_0 < t_3 \le t_0 + d_3$.
Subcase 2a: $t_3 < t_2$. Here, $t_{next}(t_0, p, B_{t_0}, L) = t_3$. By Lemma 2.7,
$$\hat{w}_{2,t_3}(t_3) = \hat{w}_{2,t_0}(t_3) = v_2$$
and
$$\hat{w}_{3,t_3}(t_3) = \hat{w}_{3,t_0}(t_3) = not1(v_2).$$
Thus, we have $t_1 = t_3$ and $v = v_2$.
Subcase 2b: $t_2 < t_3$. In this case, $t_{next}(t_0, p, B_{t_0}, L) = t_2$, and we have
$$\hat{w}_{2,t_2}(t_2) = \hat{w}_{2,t_0}(t_2) = not1(v_2)$$
and
$$\hat{w}_{3,t_2}(t_2) = \hat{w}_{3,t_0}(t_2) = v_2.$$
In this case, $t_1 = t_2$ and $v = not1(v_2)$.
Subcase 2c: $t_2 = t_3$. We have
$$\hat{w}_{2,t_2}(t_2) = \hat{w}_{3,t_2}(t_2) = not1(v_2).$$
By Lemma 4.3(b),
$$w_{2,t_2} = cons((v_2, t_2 + d_2), w_{2,t_0})$$
and
$$w_{3,t_2} = cons((v_2, t_2 + d_3), w_{3,t_0}).$$
It follows from our hypotheses that $d_3 < d_2$. Hence,
$$\hat{w}_{2,t_2+d_3}(t_2 + d_3) = not1(v_2)$$
and
$$\hat{w}_{3,t_2+d_3}(t_2 + d_3) = v_2.$$
Thus, $t_1 = t_2 + d_3$ and $v = not1(v_2)$.
Now, by Lemma 4.3(a), $w_{2,t_1} = hist(w_{2,t_1}, t_1)$ and $w_{3,t_1} = hist(w_{3,t_1}, t_1)$. Hence,
$t_{next}(t_1, p, B_{t_1}, L) \ge t_f$. It follows that for any $t' \in [t_1, t_f)$, $B_{t'} = B_{t_1}$, and in particular,
$\hat{w}_{2,t_f}(t') = \hat{w}_{2,t'}(t') = \hat{w}_{2,t_1}(t') = v$. Thus, $\hat{w}_{2,t_f}$ has the constant value $v$ on $[t_1, t_f) \supseteq [t_- + D, t_f)$.
Figure 7: (a) dlatch (b) bpm
Finally, suppose that $\hat{w}_D$ has a constant value $u$ on $[t_+, t_f)$. Then $\hat{w}_1(t) = not1(u)$
for $t \in [t_+ + d_1, t_- + d_1)$. Since $\hat{w}_3(t) = T$ on $[t_+ + d_0 + d_3, t_0 + d_3)$, the combinational
value corresponding to S2 is $u$ on the intersection of these intervals, $[\max(t_+ + d_1, t_+ + d_0 + d_3), \min(t_- + d_1, t_0 + d_3))$. Thus, by Lemma 3.1, $\hat{w}_2(t) = u$ for $t \in [\max(t_+ + d_1 + d_2, t_+ + d_0 + d_3 + d_2), \min(t_- + d_1 + d_2, t_0 + d_3 + d_2))$. In particular, $\hat{w}_2(t) = u$ for
$t \in [t_0, t_0 + d_3 + d_2)$. Thus, $v_2 = u$. Moreover, Subcases 2b and 2c, in which $\hat{w}_2$ assumes
the value $not1(v_2)$ at some point in this interval, are eliminated. In the remaining cases,
$v = v_2 = u$. ∎
In order to avail ourselves of the results of [15], we must restate Lemma 4.4 in terms
of Moore's function det. If $V$ is a generalized bit vector and $oracle$ is a bit vector, then
$det(V, oracle)$ is the bit vector $V'$, defined as follows:
(1) If $V = NIL$, then $V' = NIL$; otherwise:
(2) If $car(V) \in \mathbf{B}$, then $V' = cons(car(V), det(cdr(V), oracle))$; otherwise:
(3) If $oracle = NIL$, then $V' = cons(T, det(cdr(V), oracle))$; otherwise:
(4) $V' = cons(car(oracle), det(cdr(V), cdr(oracle)))$.
Lemma 4.5 Let $p = (w_{CLK}\ w_D)$ be an input packet for dlatch, where $w_{CLK}$ is an $n$-cycle
pulse based at $t_0$ with high $h \ge 7000$, low $\ell \ge 7000$, and period $\pi = h + \ell$, and $w_D$ is a
quasi-smooth $n$-cycle waveform based at $t_0$ with value list $V$ and period $\pi$. Let
$$((w_0)\ (w_1)\ (w_2)\ (w_3)) = sim(dlatch, p, t_f),$$
where $t_f \ge t_0 + n\pi$. Then for some bit vector $oracle$, $w_2$ is a stable $n$-cycle waveform
based at $t_0$ with setup $\ell - 7000$, value list $det(V, oracle)$, and period $\pi$.
Proof: We induct on $n$. For $n = 0$, the statement is vacuous. For $n > 0$, we may
assume that $w_2$ is a stable $(n - 1)$-cycle waveform based at $t_0 + \pi$ with setup $\ell - 7000$,
value list $det(cdr(V), oracle')$, and period $\pi$. By Lemma 4.4, $\hat{w}_2$ has a constant value $v$
on $[t_0 + h + 7000, t_0 + \pi) = [t_0 + \pi - (\ell - 7000), t_0 + \pi)$, and if $car(V) \neq Q$, then $car(V) = v$.
If $car(V) = Q$, then let $oracle = cons(v, oracle')$; otherwise, let $oracle = oracle'$. In
either case, $w_2$ is a stable $n$-cycle waveform based at $t_0$ with setup $\ell - 7000$, value list
$det(V, oracle)$, and period $\pi$. ∎
4.4 The Main Theorem
In Section 5, we shall apply the results of this section to a circuit bpm, consisting of two
sequential submodules, sndr and rcvr, and a dlatch. According to the definitions that
we shall present later, sndr has 9 data inputs and one registered output, SOUT, while
rcvr has one data input, SIN, and 9 outputs. The circuit bpm, which is diagrammed in
Fig. 7, is defined as follows:
(STRUCT
(CLKS RSTS CLKR RSTR SEND I0 I1 I2 I3 I4 I5 I6 I7)
(DONE O0 O1 O2 O3 O4 O5 O6 O7)
(sndr dlatch rcvr)
((CLKS RSTS SEND I0 I1 I2 I3 I4 I5 I6 I7)
(CLKR SOUT)
(CLKR RSTR LOUT))
((SOUT)
(LOUT)
(DONE O0 O1 O2 O3 O4 O5 O6 O7)))
The following theorem summarizes our results on asynchrony, as they pertain to the
module bpm. The theorem refers to Moore's function asynch, which is defined as follows:
Let $V$ and $oracle$ be bit vectors and let $t_s, t_r, \pi_s, \pi_r \in \mathbf{N}$ such that $\pi_s > 0$, $\pi_r > 0$, and
$t_s \le t_r < t_s + \pi_s$. Then
$$asynch(V, t_s, t_r, \pi_s, \pi_r, oracle) = det(warp(smooth(T, V), t_s, t_r, \pi_s, \pi_r), oracle).$$
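The functions smooth, warp, det and asynch of Sections 4.1 through 4.4 can be exercised directly on small inputs. The following Python is an added example, not the report's or Moore's Nqthm definitions: it uses Python booleans for T and F and the string "Q" for the literal atom Q, and implements warp iteratively, each iteration computing sig, t+ and lst+ for t = t_r + π_r exactly as the recursion does. The sample value lists and the period pair 18/17 are constructed.

```python
# Added example: Moore's asynch and its components (smooth, warp, det) from Section 4.
# Not the report's Nqthm code. T/F are Python True/False; the atom Q is the string "Q".
Q = "Q"


def smooth(v, V):
    """smooth(v, V): v'_i = v_i if v_i = v_{i-1} (with v_0 = v), else Q."""
    out, prev = [], v
    for x in V:
        out.append(x if x == prev else Q)
        prev = x
    return out


def warp(V, ts, tr, ps, pr):
    """warp(V, t_s, t_r, pi_s, pi_r): re-express a quasi-smooth waveform of period pi_s
    based at t_s as one of period pi_r based at t_r (t_s <= t_r < t_s + pi_s)."""
    assert ps > 0 and pr > 0 and ts <= tr < ts + ps
    V, out = list(V), []
    while tr + pr <= ts + len(V) * ps:       # otherwise the result is NIL
        t = tr + pr                          # end of the current receiver cycle
        k = -((ts - t) // ps)                # ceil((t - t_s)/pi_s): sender cycles meeting [t_s, t)
        l = (t - ts) // ps                   # floor: last sender edge not exceeded by t
        # sig: the common value of v_1..v_k if they all agree, else Q
        out.append(V[0] if all(x == V[0] for x in V[:k]) else Q)
        # advance: lst+ = (v_{l+1} ... v_n), t+ = t_s + l*pi_s, next receiver edge at t
        V, ts, tr = V[l:], ts + l * ps, t
    return out


def det(V, oracle):
    """det(V, oracle): replace each Q by the next oracle bit (T once the oracle is exhausted)."""
    out, oracle = [], list(oracle)
    for x in V:
        if x != Q:
            out.append(x)
        elif not oracle:
            out.append(True)
        else:
            out.append(oracle.pop(0))
    return out


def asynch(V, ts, tr, ps, pr, oracle):
    """asynch = det(warp(smooth(T, V), ...), oracle)."""
    return det(warp(smooth(True, V), ts, tr, ps, pr), oracle)


def receiver_cycles(n, ts, tr, ps, pr):
    """Length of warp's result: the receiver cycles that end inside [t_s, t_s + n*pi_s]."""
    return (ts + n * ps - tr) // pr


if __name__ == "__main__":
    # Constructed sample: sender period 18, receiver period 17, both based at 0.
    sent = [False, False, False, True, True, True, True]
    print(smooth(True, sent))                        # ['Q', False, False, 'Q', True, True, True]
    print(warp(smooth(True, sent), 0, 0, 18, 17))    # ['Q', 'Q', False, 'Q', 'Q', True, True]
    print(asynch(sent, 0, 0, 18, 17, [True, False, True, False]))
```

With equal periods and a common base time warp is the identity, so asynch reduces to det(smooth(T, V), oracle); with the slightly faster receiver clock of the sample, every receiver cycle that straddles a sender edge, or that meets a Q cycle, becomes Q and is resolved by the oracle, which is exactly the nondeterminism the dlatch and Lemma 4.5 account for.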
Theorem 4.1 Let $p = (w_{CLKS}\ w_{RSTS}\ w_{CLKR}\ w_{RSTR}\ w_{SEND}\ w_0 \ldots w_7)$ be an input packet
for bpm, where
(a) $(w_{CLKS}\ w_{RSTS}\ w_{SEND}\ w_0 \ldots w_7)$ is an admissible $n_s$-cycle input packet for sndr
based at $b_s$ with value matrix $\mathcal{V}$ and period $\pi_s$;
(b) $w_{CLKR}$ is an admissible $(n_r + 2)$-cycle pulse for rcvr based at $b_r$ with high $h \ge 7000$, low $\ell \ge 7000 + setup(SIN, rcvr)$, and period $\pi_r = h + \ell$;
(c) $w_{RSTR}$ is an admissible $(n_r + 1)$-cycle reset waveform for rcvr based at $b_r$ with
period $\pi_r$.
Let $t_r = b_r + \pi_r$. Assume that $b_s + 2\pi_s \le t_r < b_s + (n_s + 2)\pi_s \le t_r + n_r\pi_r$. Choose $j$ so that
$b_s + j\pi_s \le t_r < b_s + (j+1)\pi_s$ and let $t_s = b_s + j\pi_s$. Assume $sv(j - 2, SOUT, \mathcal{V}, sndr) = T$.
Let $U = (sv(j - 1, SOUT, \mathcal{V}, sndr) \ldots sv(n_s, SOUT, \mathcal{V}, sndr))$. Let $w_{LOUT}$ be the waveform for LOUT determined by $sim(bpm, p, t_f)$, where $t_f \ge t_r + n_r\pi_r$. Then for some bit
vector $oracle$, $(w_{CLKR}\ w_{RSTR}\ w_{LOUT})$ is an admissible input packet for rcvr based at $b_r$
with value matrix
$$(asynch(U, t_s, t_r, \pi_s, \pi_r, oracle))$$
and period $\pi_r$.
Proof: Let $w_{SOUT}$ be the waveform for SOUT determined by $sim(bpm, p, t_f)$. According to Lemma 4.1, $w_{SOUT}$ is a quasi-smooth waveform based at $t_s$ with value list
$smooth(T, U)$ and period $\pi_s$. It follows from Lemma 4.2 that $w_{SOUT}$ is also a quasi-smooth waveform based at $t_r$ with value list $warp(smooth(T, U), t_s, t_r, \pi_s, \pi_r)$ and period $\pi_r$. Finally, by Lemma 4.5, $w_{LOUT}$ is a stable waveform based at $t_r$ with setup
$\ell - 7000 \ge setup(SIN, rcvr)$, value list
$$det(warp(smooth(T, U), t_s, t_r, \pi_s, \pi_r), oracle) = asynch(U, t_s, t_r, \pi_s, \pi_r, oracle),$$
for some $oracle$, and period $\pi_r$. ∎
5 Biphase Mark
Moore's formulation [15] of the biphase mark protocol is based on two functions, send
and recv, which represent the computations performed by the sender and the receiver,
respectively. After presenting the definitions of these functions, we shall implement them
in the design of the sequential modules sndr and rcvr. Then, using a theorem of Moore
in combination with results of Section 4, we shall show that the circuit bpm achieves
communication between these modules.
5.1 Sending
The function send returns a bit vector that represents an encoding of a given input bit
vector $msg$. Each bit of $msg$ is encoded as a bit vector called a cell, computed as the
value of $cell(x, n, k, b)$, where $b$ is the bit of $msg$ to be encoded, $x$ is the final bit of
the preceding cell, and $n$ and $k$ are parameters of the protocol. A cell consists of two
subcells, each of which is a uniform bit vector: a mark subcell of length $n$, followed by
a code subcell of length $k$. The mark subcell is intended as a signal to the receiver that
a new cell has been entered: each of its bits is $not1(x)$. The code subcell is the region
in which the receiver is expected to look for information from which it will derive the
value $b$ of the encoded bit: if $b = T$, then each bit of this subcell is $x$; if $b = F$, each bit
is $not1(x)$.
The definition of cell requires three auxiliary functions. First, the subcells are constructed by the function listn: for any $n \in \mathbf{N}$ and any $x$, $listn(n, x)$ is the uniform vector
$(x \ldots x)$ of length $n$. Next, the two subcells are combined by the function app: for any
two lists $L = (a_1 \ldots a_n)$ and $M = (b_1 \ldots b_m)$, $app(L, M) = (a_1 \ldots a_n\ b_1 \ldots b_m)$. Finally,
the bit occurring in the code subcell is determined by the Boolean function equal, where
$equal(x, y) = T$ iff $x = y$, i.e., $equal(x, y) = not1(xor2(x, y))$.
Now, we may define
$$cell(x, n, k, b) = app(listn(n, not1(x)), listn(k, equal(x, b))),$$
and $cells(x, n, k, msg)$ is defined as
(1) $NIL$, if $msg = NIL$;
(2) $app(cell(x, n, k, car(msg)), cells(equal(x, car(msg)), n, k, cdr(msg)))$, if $msg \neq NIL$.
The protocol includes the convention that the value $T$ is transmitted until the encoded message is sent. Thus, the encoded bit vector constructed by send includes "pads"
consisting of arbitrarily many copies of $T$ on both sides of the cells. The arguments of send
include the lengths $p_1$ and $p_2$ of these pads:
$$send(msg, p_1, n, k, p_2) = app(listn(p_1, T), app(cells(T, n, k, msg), listn(p_2, T))).$$
5.2 Receiving
Next, we define $recv(i, x, j, L)$¹, which may be shown, under suitable assumptions, to be
the inverse of send. This function recovers a bit of the encoded message from each cell
by first detecting the beginning of the mark subcell, and then reading and decoding a
bit at a predetermined location within the cell, which has been calculated to lie within
the code subcell. Its arguments are interpreted as follows: $i$ is the number of bits of
the original message yet to be recovered, $x$ is the last bit to have been read (from the
preceding cell), $j$ is the location within the cell of the bit to be read, and $L$ is the
remaining input stream.
The beginning of a new cell is detected by the function $scan(x, L)$, which successively
removes bits from the beginning of the list $L$ until a value different from $x$ is found. The
recursive definition follows:
(1) If $L = NIL$, then $scan(x, L) = NIL$; otherwise:
(2) If $car(L) = x$, then $scan(x, L) = scan(x, cdr(L))$; otherwise:
(3) $scan(x, L) = L$.
We shall require one other auxiliary function: If $n \in \mathbf{N}$ and $L$ is a list, then $cdrn(n, L)$
is defined to be
(1) $L$, if $n = 0$;
(2) $cdrn(n - 1, cdr(L))$, if $n > 0$.
Finally, we define $recv(i, x, j, L)$ to be the bit vector $msg$, where
(1) If $i = 0$, then $msg = NIL$; otherwise:
(2) Let $S = scan(x, L)$. If $length(S) < j$, then $msg = NIL$; otherwise:
(3) Let $b = nth(j + 1, S)$ and $L' = cdrn(j + 1, S)$. If $b = x$, then
$msg = cons(T, recv(i - 1, b, j, L'))$; otherwise:
(4) $msg = cons(F, recv(i - 1, b, j, L'))$.
¹For technical reasons, we shall slightly modify Moore's original definition of this function. Our
modification does not affect the validity of any of his results.
5.3 Moore's Theorem
Moore has proved a statement of correctness of the protocol for certain values of the
parameters. The lengths of the mark and code subcells generated by send are taken to be
$n = 5$ and $k = 13$, respectively. The index of the bit read by recv following the detection
of an edge is $j = 10$, i.e., the eleventh bit after the edge is sampled. The theorem also
depends on an assumption concerning the proximity of the two clock periods:
Theorem 5.1 (Moore) Let $\pi_s > 0$, $\pi_r > 0$, and $17\pi_r \le 18\pi_s \le 19\pi_r$. Let $t_s \le t_r < t_s + \pi_s$. Let $msg$ be a bit vector of length $k$. Then for any bit vector $oracle$ and any
numbers $p_1$ and $p_2$,
$$recv(k, T, 10, asynch(send(msg, p_1, 5, 13, p_2), t_s, t_r, \pi_s, \pi_r, oracle)) = msg.$$
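The encoding and decoding functions of Sections 5.1 and 5.2, with the parameter values of Theorem 5.1, can be run end to end. The following Python is an added example, not Moore's or the report's Nqthm definitions: it transcribes cell, cells, send, scan, cdrn and recv (reading the length test in recv as a guard that the sampled bit nth(j+1, S) exists), and adds a constructed resample helper that models a receiver reading the sender's stream at the instants t_r + kπ_r. That helper is a simplification of the warp/det model of Section 4 (it never produces a Q cycle, so there is no oracle) and is not part of the report. The message, the pad lengths and the period pairs 36/35 and 36/37 (both within the bound 17π_r ≤ 18π_s ≤ 19π_r) are constructed.

```python
# Added example: the biphase mark functions of Section 5 (send/recv) run on a
# constructed message. Not Moore's or the report's Nqthm code; T/F are True/False.


def listn(n, x):
    return [x] * n


def app(L, M):
    return L + M


def notl(x):
    return not x


def equal(x, y):                  # notl(xor2(x, y))
    return x == y


def cell(x, n, k, b):
    """Mark subcell: n copies of notl(x); code subcell: k copies of equal(x, b)."""
    return app(listn(n, notl(x)), listn(k, equal(x, b)))


def cells(x, n, k, msg):
    if not msg:
        return []
    b = msg[0]
    return app(cell(x, n, k, b), cells(equal(x, b), n, k, msg[1:]))


def send(msg, p1, n, k, p2):
    """Pad of p1 T's, the cells, then a pad of p2 T's."""
    return app(listn(p1, True), app(cells(True, n, k, msg), listn(p2, True)))


def scan(x, L):
    """Drop leading bits equal to x; the first remaining bit is the edge."""
    i = 0
    while i < len(L) and L[i] == x:
        i += 1
    return L[i:]


def cdrn(n, L):
    return L[n:]


def recv(i, x, j, L):
    """Recover i bits: after each edge, sample the bit at position j (nth(j+1, S)) and
    compare it with the previous sample x; drop j+1 bits and continue."""
    if i == 0:
        return []
    S = scan(x, L)
    if len(S) <= j:               # guard so that the sampled bit exists (our reading)
        return []
    b = S[j]
    Lp = cdrn(j + 1, S)
    return [b == x] + recv(i - 1, b, j, Lp)


def resample(stream, ts, tr, ps, pr):
    """Constructed model of the receiver: its k-th cycle reads the sender bit in force at
    instant tr + k*pr (sender bit i holds on [ts + i*ps, ts + (i+1)*ps)). Simpler than
    the report's warp/det: no Q cycles, so no oracle."""
    out, k = [], 0
    while tr + k * pr < ts + len(stream) * ps:
        out.append(stream[(tr + k * pr - ts) // ps])
        k += 1
    return out


MSG = [True, False, True, True, False, False, True, False]   # constructed 8-bit message


def round_trip(tr, ps, pr):
    """send with n=5, k=13, pads 3 and 4; resample; recv with j=10 (Theorem 5.1's values)."""
    stream = send(MSG, 3, 5, 13, 4)
    return recv(len(MSG), True, 10, resample(stream, 0, tr, ps, pr))


if __name__ == "__main__":
    print(recv(8, True, 10, send(MSG, 3, 5, 13, 4)) == MSG)            # same clock
    print(round_trip(20, 36, 35) == MSG, round_trip(5, 36, 37) == MSG)  # receiver faster / slower
```

The sample index j = 10 lands inside the 13-bit code subcell whichever way the receiver's clock drifts within the bound, because the 5-bit mark is long enough to be seen by a receiver running at either rate, and scan re-synchronises on every cell so the drift never accumulates across cells.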
We shall apply Moore's theorem to the specification of the circuit bpm. The sequential
submodules sndr and rcvr of bpm remain to be defined. As we present the definitions
of these modules and their components, which are diagrammed in Figs. 8-12, we
shall derive characterizations of their behavior that are analogous to Propositions 3.1
and 3.2. The proofs of these results are based on straightforward calculations and have
all been mechanically checked. Therefore, the details of these proofs are omitted here.
5.4 Basic Components
The message that is transmitted from sndr to rcvr will consist of eight bits. It is stored
(by both sndr and rcvr) in a shift register, shift8, which is constructed from eight
copies of the following 3-port cell, port3:
(STRUCT
(CLK RST SHIFT SIN LOAD DIN)
(Q)
(edff nand2 nand2 or2 nand2)
((CLK RST S3 S4) (DIN LOAD) (SIN SHIFT) (LOAD SHIFT) (S1 S2))
((Q QN) (S1) (S2) (S3) (S4)))
The behavior of port3 may be derived easily from that of edff (Proposition 3.1):
Proposition 5.1 Let $\Sigma$ and $V = (shift\ sin\ load\ din)$ be a state and a data vector for
port3. Assume that $shift$ and $load$ are not both $T$. Then
$$nv(Q, V, \Sigma, port3) = \Sigma;$$
$$next(V, \Sigma, port3) = \begin{cases} sin & \text{if } shift = T \text{ and } load = F \\ din & \text{if } shift = F \text{ and } load = T \\ \Sigma & \text{if } shift = F \text{ and } load = F. \end{cases}$$
The register shift8 is defined as follows:
Figure 8: (a) port3 (b) shift8
(STRUCT
 (CLK RST LOAD SHIFT SIN D0 D1 D2 D3 D4 D5 D6 D7)
 (Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7)
 (port3 port3 port3 port3 port3 port3 port3 port3)
 ((CLK RST SHIFT SIN LOAD D0)
  (CLK RST SHIFT Q0 LOAD D1)
  (CLK RST SHIFT Q1 LOAD D2)
  (CLK RST SHIFT Q2 LOAD D3)
  (CLK RST SHIFT Q3 LOAD D4)
  (CLK RST SHIFT Q4 LOAD D5)
  (CLK RST SHIFT Q5 LOAD D6)
  (CLK RST SHIFT Q6 LOAD D7))
 ((Q0) (Q1) (Q2) (Q3) (Q4) (Q5) (Q6) (Q7)))
Proposition 5.2 Let Σ = (a0 ... a7) and V = (load shift sin d0 ... d7) be a state and
a data vector for shift8. Assume that shift and load are not both T. Then
nv(Qi, V, Σ, shift8) = a_i, i = 0, ..., 7;
next(V, Σ, shift8) =
  (sin a0 ... a6) if shift = T and load = F
  (d0 ... d7)     if shift = F and load = T
  Σ               if shift = F and load = F.
In order to describe the shifting operation that is performed by shift8, we define, for
any b ∈ B and any bit vector V,
shift(b, V) =
  NIL                              if V = NIL
  cons(b, shift(car(V), cdr(V)))   if V ≠ NIL.
Thus, shift(sin, (a0 ... a7)) = (sin a0 ... a6).
Figure 9: (a) cdff (b) cedff
In addition to dff and edff, we shall require two other versions of the flip-flop. The
first of these, cdff, has an input CLR, which may be used to override the other data
input D and reinitialize the state:
(STRUCT
 (CLK RST CLR D)
 (Q QN)
 (dff not1 and2)
 ((CLK RST DCN) (CLR) (D CN))
 ((Q QN) (CN) (DCN)))
Proposition 5.3 Let Σ and V = (clr d) be a state and a data vector for cdff. Then
nv(Q, V, Σ, cdff) = Σ and nv(QN, V, Σ, cdff) = not1(Σ);
next(V, Σ, cdff) =
  F if clr = T
  d if clr = F.
The second, cedff, is a combination of edff and cdff:
(STRUCT
 (CLK RST CLR EN D)
 (Q QN)
 (dff not1 not1 nand3 nand3 nand2)
 ((CLK RST S5) (EN) (CLR) (Q S1 S2) (D S2 EN) (S3 S4))
 ((Q QN) (S1) (S2) (S3) (S4) (S5)))
Proposition 5.4 Let Σ and V = (clr en d) be a state and a data vector for cedff. Then
nv(Q, V, Σ, cedff) = Σ and nv(QN, V, Σ, cedff) = not1(Σ);
next(V, Σ, cedff) =
  F if clr = T
  d if clr = F and en = T
  Σ if clr = F and en = F.
Figure 10: (a) count5 (b) comp5
Using cedff, we construct the following 5-bit counter, count5:
(STRUCT
 (CLK RST CLR EN)
 (Q0 Q1 Q2 Q3 Q4)
 (cedff cedff cedff cedff cedff
  and2 and2 and2 xor2 xor2 xor2 xor2)
 ((CLK RST CLR EN QN0)
  (CLK RST CLR EN X1)
  (CLK RST CLR EN X2)
  (CLK RST CLR EN X3)
  (CLK RST CLR EN X4)
  (Q0 Q1) (A1 Q2) (A2 Q3) (Q0 Q1) (Q2 A1) (Q3 A2) (Q4 A3))
 ((Q0 QN0) (Q1 QN1) (Q2 QN2) (Q3 QN3) (Q4 QN4)
  (A1) (A2) (A3) (X1) (X2) (X3) (X4)))
Proposition 5.5 Let Σ = (a0 ... a4) and V = (clr en) be a state and a data vector for
count5. Then
nv(Qi, V, Σ, count5) = a_i, i = 0, ..., 4;
next(V, Σ, count5) =
  listn(5, F) if clr = T
  inc(Σ)      if clr = F and en = T
  Σ           if clr = F and en = F.
For convenience in representing states of both count3 and count5, we define, for
k ∈ N and n ∈ N,
bv_k(n) =
  listn(k, F)        if n = 0
  inc(bv_k(n − 1))   if n > 0.
Thus, bv_k(n) is the k-bit vector that represents the number n.
We shall also require a combinational module, the following 5-bit comparator comp5:
(STRUCT
 (C0 B0 C1 B1 C2 B2 C3 B3 C4 B4)
 (MATCH)
 (xor2 xor2 xor2 xor2 xor2 nor5)
 ((C0 B0) (C1 B1) (C2 B2) (C3 B3) (C4 B4) (S1 S2 S3 S4 S5))
 ((S1) (S2) (S3) (S4) (S5) (MATCH)))
This module simply determines whether two given 5-bit vectors are equal, i.e.,
cv(MATCH, (c0 b0 c1 b1 ... c4 b4), comp5) =
  T if (c0 ... c4) = (b0 ... b4)
  F if not.
5.5 The Sender
The action of sndr is controlled by the submodule scount, which is defined as follows:
(STRUCT
 (CLK RST STOP BIT)
 (MARK CODE)
 (cdff count5 or2 or2 t0 f0 comp5 comp5)
 ((CLK RST STOP S1) (CLK RST S2 Q) (BIT Q) (STOP BIT) () ()
  (F Q0 F Q1 T Q2 F Q3 F Q4) (T Q0 F Q1 F Q2 F Q3 T Q4))
 ((Q QN) (Q0 Q1 Q2 Q3 Q4) (S1) (S2) (T) (F) (MARK) (CODE)))
A state of scount is a list (on cnt) of two components, corresponding to the two
sequential submodules, cdff and count5. As long as both data inputs are F, the value
of on remains constant. While on = T, cnt is incremented repeatedly; while on = F,
cnt remains unchanged. If either input is T, then on is set accordingly and cnt is reset
to bv5(0). The output values are both determined by cnt:
Proposition 5.6 Let Σ = (on cnt) and V = (stop bit) be a state and a data vector for
scount. Then
nv(MARK, V, Σ, scount) =
  T if cnt = bv5(4)
  F if cnt ≠ bv5(4);
nv(CODE, V, Σ, scount) =
  T if cnt = bv5(17)
  F if cnt ≠ bv5(17);
next(V, Σ, scount) =
  (F bv5(0))   if stop = T
  (T bv5(0))   if stop = F and bit = T
  (T inc(cnt)) if stop = bit = F and on = T
  (F cnt)      if stop = bit = F and on = F.
Figure 11: (a) scount (b) sndr
The definition of sndr is as follows:
(STRUCT
 (CLK RST SEND I0 I1 I2 I3 I4 I5 I6 I7)
 (SOUT)
 (scount shift8 count3 edff or2 and2 and4 or3 f0)
 ((CLK RST A4 O2) (CLK RST SEND CODE F I0 I1 I2 I3 I4 I5 I6 I7)
  (CLK RST MARK) (CLK RST O3 SOUT) (CODE SEND) (Q7 MARK)
  (MARK C0 C1 C2) (A2 SEND CODE) ())
 ((MARK CODE) (Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7) (C0 C1 C2)
  (Q SOUT) (O2) (A2) (A4) (O3) (F)))
This module has two modes of operation. In one mode, it waits dormantly for the
SEND input to become T. When this occurs, the current values of the other eight data
inputs are loaded into the shift register, the state of the flip-flop edff (which determines
the output value) changes, and the controller scount begins counting. This mode is
described by the following:
Proposition 5.7 Let V = (s d0 ... d7) be a data vector for sndr, and let Σ = (σ1 σ2 σ3 σ4)
be a state of sndr, where σ1 = (on cnt). Assume that on = F and cnt = bv5(0). Let
Σ' = next(V, Σ, sndr).
(a) If s = T, then Σ' = ((T bv5(0)) (d0 ... d7) σ3 not1(σ4));
(b) If s = F, then Σ' = Σ.
In the other mode of operation, the register contents are encoded and transmitted.
Each register bit is encoded as a cell consisting of a 5-bit mark subcell and a 13-bit
code subcell, as measured by scount. The number of cells that have been transmitted
is recorded as the contents of count3. At the end of each mark subcell, this number
is incremented. At the end of each code subcell, the scount counter is reset and the
register contents are shifted:
Proposition 5.8 Let V = (s d0 ... d7) be a data vector for sndr, and let Σ = (σ1 σ2 σ3 σ4)
be a state of sndr, where σ1 = (on cnt) and σ2 = (q0 ... q7). Assume that s = F and
on = T. Let Σ' = next(V, Σ, sndr).
(a) If cnt = bv5(4) and σ3 = bv3(7), then
Σ' = ((F bv5(0)) σ2 inc(σ3) xor2(q7, σ4));
(b) If cnt = bv5(4) and σ3 ≠ bv3(7), then
Σ' = ((T bv5(5)) σ2 inc(σ3) xor2(q7, σ4));
(c) If cnt = bv5(17), then
Σ' = ((T bv5(0)) shift(F, σ2) σ3 not1(σ4));
(d) If cnt ≠ bv5(4) and cnt ≠ bv5(17), then
Σ' = ((T inc(cnt)) σ2 σ3 σ4).
Our main theorem on sndr is the following specification:
Proposition 5.9 Let 𝒱 = (V_SEND V_I0 ... V_I7) be a list of bit vectors, each of length
n > 144. Let m = n − 144. Assume that for j = 1, ..., n,
nth(j, V_SEND) =
  T if j = m
  F if j ≠ m.
Let d_i = nth(m, V_Ii), for i = 0, ..., 7. Let sv_j = sv(j, SOUT, 𝒱, sndr), for j = 1, ..., n.
Then (sv_1 ... sv_n) = send((d7 ... d0), m, 5, 13, 0).
Proof: Let Σ_j = state(j, 𝒱, sndr), j = 0, ..., n. By Proposition 5.7(b), for j =
0, ..., m,
Σ_j = Σ_0(sndr) = ((F bv5(0)) listn(8, F) bv3(0) F)
and hence (sv_1 ... sv_m) = listn(m, T). It remains to show that
(sv_{m+1} ... sv_n) = cells(T, 5, 13, (d7 ... d0)).
By Proposition 5.7(a),
Σ_{m+1} = ((T bv5(0)) (d0 ... d7) bv3(0) T).
We shall show that for all k, 0 ≤ k ≤ 7, if
Σ_{m+1+18k} = ((T bv5(0)) app(listn(k, F), (d0 ... d_{7−k})) bv3(k) x),
then
(sv_{m+1+18k} ... sv_n) = cells(x, 5, 13, (d_{7−k} ... d0)).
The proposition will follow from this result upon setting k = 0.
The proof is by induction on 7 − k. In the base case, k = 7, our assumption is that
Σ_{m+1+18k} = Σ_{m+127} = ((T bv5(0)) app(listn(7, F), (d0)) bv3(7) x).
By Proposition 5.8(d), for ℓ = 0, ..., 4,
Σ_{m+127+ℓ} = ((T bv5(ℓ)) app(listn(7, F), (d0)) bv3(7) x),
and by Proposition 5.8(a),
Σ_{m+127+5} = Σ_{m+132} = ((F bv5(0)) app(listn(7, F), (d0)) bv3(0) xor2(d0, x)).
By Proposition 5.7(b), Σ_{m+132+ℓ} = Σ_{m+132} for ℓ = 0, ..., 12. It follows that
(sv_{m+127} ... sv_n) = app(listn(5, not1(x)), listn(13, equal(d0, x)))
                     = cell(x, 5, 13, d0)
                     = cells(x, 5, 13, (d0)).
In the inductive case, k < 7, we again have, for ℓ = 0, ..., 4,
Σ_{m+1+18k+ℓ} = ((T bv5(ℓ)) app(listn(k, F), (d0 ... d_{7−k})) bv3(k) x)
by Proposition 5.8(d). By Proposition 5.8(b) and (d), for ℓ = 5, ..., 17,
Σ_{m+1+18k+ℓ} = ((T bv5(ℓ)) app(listn(k, F), (d0 ... d_{7−k})) bv3(k + 1) xor2(d_{7−k}, x)).
Thus, (sv_{m+1+18k} ... sv_{m+1+18k+17}) is
app(listn(5, not1(x)), listn(13, equal(d_{7−k}, x))) = cell(x, 5, 13, d_{7−k}).
By Proposition 5.8(c), Σ_{m+1+18(k+1)} is
((T bv5(0)) app(listn(k + 1, F), (d0 ... d_{7−(k+1)})) bv3(k + 1) equal(d_{7−k}, x)).
It follows from our inductive hypothesis that
(sv_{m+1+18(k+1)} ... sv_n) = cells(equal(d_{7−k}, x), 5, 13, (d_{7−(k+1)} ... d0)),
and hence (sv_{m+1+18k} ... sv_n) is
app(cell(x, 5, 13, d_{7−k}), cells(equal(d_{7−k}, x), 5, 13, (d_{7−(k+1)} ... d0)))
= cells(x, 5, 13, (d_{7−k} ... d0)). □
5.6 The Receiver
The action of the receiver is controlled by a submodule, rcount, which is defined as
follows:
Figure 12: (a) rcount (b) rcvr
(STRUCT
 (CLK RST STOP START)
 (BIT)
 (cdff count5 or2 t0 f0 comp5)
 ((CLK RST STOP S1) (CLK RST STOP Q) (START Q)
  () () (T Q0 F Q1 F Q2 T Q3 F Q4))
 ((Q QN) (Q0 Q1 Q2 Q3 Q4) (S1) (T) (F) (BIT)))
The functionality of rcount is similar to that of scount. A state is again a list
(on cnt) of two components, corresponding to the two sequential submodules, cdff and
count5. As long as both data inputs are F, the value of on remains constant. While
on = T, cnt is incremented repeatedly; while on = F, cnt remains unchanged. If STOP
is T, then on and cnt are reset to F and bv5(0); otherwise, if START is T, then on is set
to T. The output value is determined by comparing cnt with bv5(9):
Proposition 5.10 Let Σ = (on cnt) and V = (stop start) be a state and a data vector
for rcount. Then
nv(BIT, V, Σ, rcount) =
  T if cnt = bv5(9)
  F if cnt ≠ bv5(9);
next(V, Σ, rcount) =
  (F bv5(0))   if stop = T
  (T inc(cnt)) if stop = F and start = on = T
  (T cnt)      if stop = on = F and start = T
  (T inc(cnt)) if stop = start = F and on = T
  (F cnt)      if stop = start = on = F.
The definition of rcvr is as follows:
(STRUCT
 (CLK RST SIN)
 (O0 O1 O2 O3 O4 O5 O6 O7 DONE)
 (rcount edff count3 shift8 dff not1 not1 xor2 and4 f0)
 ((CLK RST BIT N2) (CLK RST BIT N1)
  (CLK RST BIT) (CLK RST F BIT X F F F F F F F F)
  (CLK RST A) (SIN) (X) (SIN G) (Q0 Q1 Q2 BIT) ())
 ((BIT) (G QN) (Q0 Q1 Q2) (O0 O1 O2 O3 O4 O5 O6 O7)
  (DONE DONEN) (N1) (N2) (X) (A) (F)))
Like sndr, rcvr has two modes of operation. In the first mode, it waits for an edge,
i.e., a change in input. This is detected by comparing the input with the state of the
flip-flop edff, which is the negation of the most recently read value. In this mode, the
controller rcount is turned off. When an edge is detected, rcount is turned on and its
counter is reset:
Proposition 5.11 Let V = (sin) be a data vector for rcvr, and let Σ = (σ1 σ2 σ3 σ4 σ5)
be a state of rcvr, where σ1 = (on cnt). Assume that on = F, cnt = bv5(0), and σ5 = F.
Let Σ' = next(V, Σ, rcvr).
(a) If sin = σ2, then Σ' = ((T bv5(0)) σ2 σ3 σ4 F);
(b) If sin ≠ σ2, then Σ' = Σ.
In its second mode, the receiver counts until it reaches the input bit to be sampled.
At this point, the appropriate value is shifted into the register shift8, the bit counter
count3 is incremented, the current input value is stored in edff, and rcount is turned
off. When the eighth bit has been computed, the state of dff is altered to indicate
termination:
Proposition 5.12 Let V = (sin) be a data vector for rcvr, and let Σ = (σ1 σ2 σ3 σ4 σ5)
be a state of rcvr, where σ1 = (on cnt). Assume that on = T and σ5 = F. Let
Σ' = next(V, Σ, rcvr).
(a) If cnt = bv5(9) and σ3 = bv3(7), then
Σ' = ((F bv5(0)) not1(sin) bv3(0) shift(xor2(σ2, sin), σ4) T);
(b) If cnt = bv5(9) and σ3 ≠ bv3(7), then
Σ' = ((F bv5(0)) not1(sin) inc(σ3) shift(xor2(σ2, sin), σ4) F);
(c) If cnt ≠ bv5(9), then Σ' = ((T inc(cnt)) σ2 σ3 σ4 F).
The specification of rcvr is given by the following lemma. For its proof, we require
the following definition: If L and M are two bit vectors, then
push(L, M) =
  M                                if L = NIL
  push(cdr(L), shift(car(L), M))   if L ≠ NIL.
Thus, if L = (x1 ... xℓ) and M = (y1 ... ym), where ℓ ≤ m, then
push(L, M) = (xℓ ... x1 y1 ... y_{m−ℓ}).
Proposition 5.13 Let 𝒱 = (V), where V is a bit vector of length n. Assume that
length(recv(8, T, 10, V)) = 8. Then for some m, 1 ≤ m ≤ n,
sv(j, DONE, 𝒱, rcvr) =
  T if j = m
  F if j < m.
For i = 0, ..., 7, let d_i = sv(m, Oi, 𝒱, rcvr). Then
(d7 ... d0) = recv(8, T, 10, V).
Proof: Let V = (v1 ... vn). For j = 0, ..., n, let V_j = (v_{j+1} ... vn) and
Σ_j = state(j, 𝒱, rcvr) = ((on_j cnt_j) flg_j bits_j reg_j done_j).
We shall prove the following generalization of the desired result:
Suppose that for some j, on_j = F, cnt_j = bv5(0), done_i = F for all i ≤ j, and
length(recv(8 − b, not1(flg_j), 10, V_j)) = 8 − b,
where bits_j = bv3(b). Then for some m > j, done_i = F for all i < m, done_m = T, and
reg_m = push(recv(8 − b, not1(flg_j), 10, V_j), reg_j).
The proposition will then follow from the case j = 0.
First note that according to our assumption,
recv(8 − b, not1(flg_j), 10, V_j) ≠ NIL,
and hence scan(not1(flg_j), V_j) = V_k for some k, j ≤ k < n − 10. Thus, v_i = not1(flg_j)
for i = j + 1, ..., k, and v_{k+1} = flg_j. From the definition of recv, we have
recv(8 − b, not1(flg_j), 10, V_j) =
cons(xor2(flg_j, v_{k+11}), recv(7 − b, v_{k+11}, 10, V_{k+11})),
and hence,
length(recv(7 − b, v_{k+11}, 10, V_{k+11})) = 7 − b.
By Proposition 5.11, Σ_i = Σ_j for i = j, ..., k, and
Σ_{k+1} = ((T bv5(0)) flg_j bits_j reg_j F).
By Proposition 5.12(c), for i = 0, ..., 9,
Σ_{k+1+i} = ((T bv5(i)) flg_j bits_j reg_j F).
The proof is by induction on 7 − b. Consider first the base case, b = 7. By Proposi-
tion 5.12(a),
Σ_{k+11} = ((F bv5(0)) not1(v_{k+11}) bv3(0) shift(xor2(flg_j, v_{k+11}), reg_j) T).
Here, the result holds for m = k + 11, since
push(recv(8 − b, not1(flg_j), 10, V_j), reg_j) = push((xor2(flg_j, v_{k+11})), reg_j)
                                               = shift(xor2(flg_j, v_{k+11}), reg_j).
Now suppose that b < 7, and assume that the claim holds with b replaced with b + 1.
By Proposition 5.12(b),
Σ_{k+11} = ((F bv5(0)) not1(v_{k+11}) bv3(b + 1) shift(xor2(flg_j, v_{k+11}), reg_j) F).
We may conclude that for some m > k + 11, done_i = F for all i < m, done_m = T, and
reg_m = push(recv(7 − b, v_{k+11}, 10, V_{k+11}), shift(xor2(flg_j, v_{k+11}), reg_j))
      = push(cons(xor2(flg_j, v_{k+11}), recv(7 − b, v_{k+11}, 10, V_{k+11})), reg_j)
      = push(recv(8 − b, not1(flg_j), 10, V_j), reg_j). □
5.7 The Main Theorem
Finally, we present our main result concerning the circuit bpm. We assume that the
two clock input waveforms are admissible pulses for sndr and rcvr, respectively, with
periods that conform to the constraints imposed by Moore's theorem, and that the other
inputs are well-behaved with respect to the clocks, as required by Theorem 3.1. We also
assume that the SEND input has the value T on exactly one cycle, during which an
8-bit message is read from the other data inputs. This message is then encoded and
transmitted by sndr, and received, decoded, and output by rcvr. As stated in the
theorem, the completion of this process is signalled by the output DONE: when its value
first becomes T, the other outputs display the decoded message.
Theorem 5.2 Let P_in = (w_CLKS w_RSTS w_CLKR w_RSTR w_SEND w_0 ... w_7) be an input packet
for bpm, where
(a) (w_CLKS w_RSTS w_SEND w_0 ... w_7) is an admissible n_s-cycle input packet for sndr
based at b_s with value matrix 𝒱_s = (V_SEND V_I0 ... V_I7) and period π_s;
(b) w_CLKR is an admissible (n_r + 2)-cycle pulse for rcvr based at b_r with high h >
7000, low ℓ > 7000 + setup(SIN, rcvr), and period π_r = h + ℓ;
(c) w_RSTR is an admissible (n_r + 1)-cycle reset waveform for rcvr based at b_r with
period π_r.
Assume 17π_s < 18π_r ≤ 19π_s. Suppose that for some m_s, 1 ≤ m_s ≤ n_s − 144,
nth(j, V_SEND) =
  T if j = m_s
  F if j ≠ m_s, 1 ≤ j ≤ n_s.
For i = 0, ..., 7, let d_i = nth(m_s, V_Ii). Let t_r = b_r + π_r. Assume that b_s + 2π_s < t_r <
b_s + (m_s + 2)π_s and b_r + (n_r + 2)π_r < t_r + n_sπ_s.
Let P_out = outp(bpm, sim(bpm, P_in, t_f)), where t_f > t_r + n_sπ_s. Then P_out is a stable
n_r-cycle packet based at t_r + π_r with value matrix 𝒱_r and period π_r, for some 𝒱_r =
(V_DONE V_O0 ... V_O7). For some m_r, 1 ≤ m_r ≤ n_r,
nth(j, V_DONE) =
  T if j = m_r
  F if j ≠ m_r, 1 ≤ j ≤ n_r,
and for i = 0, ..., 7, nth(m_r, V_Oi) = d_i.
Proof: We may assume, without loss of generality, that n_s = m_s + 144. For j =
0, ..., n_s, let sv_j = sv(j, SOUT, 𝒱_s, sndr). By Proposition 5.9,
(sv_1 ... sv_{n_s}) = send((d7 ... d0), m_s, 5, 13, 0).
Since sv_0 = T, we have sv_j = T for all j ≤ m_s.
Fix j so that b_s + jπ_s < t_r < b_s + (j + 1)π_s and let t_s = b_s + jπ_s. Then 2 ≤ j ≤ m_s + 2,
and hence sv_{j−2} = T. Let
S = (sv_{j−1} ... sv_{n_s}) = send((d7 ... d0), m_s − j + 2, 5, 13, 0)
and let w_LOUT be the waveform for LOUT determined by sim(bpm, P_in, t_f). By Theorem 4.1,
(w_CLKR w_RSTR w_LOUT) is an admissible input packet for rcvr based at b_r with value matrix
(A) and period π_r, where
A = asynch(S, t_s, t_r, π_s, π_r, oracle)
for some bit vector oracle.
Let 𝒱_r = (V_DONE V_O0 ... V_O7), where
V_DONE = (sv(1, DONE, (A), rcvr) ... sv(n_r, DONE, (A), rcvr))
and for i = 0, ..., 7,
V_Oi = (sv(1, Oi, (A), rcvr) ... sv(n_r, Oi, (A), rcvr)).
By Theorem 3.1, P_out is a stable n_r-cycle packet based at b_r + π_r + π_r = t_r + π_r with
value matrix 𝒱_r and period π_r.
According to Moore's Theorem, recv(8, T, 10, A) = (d7 ... d0). But then, by Propo-
sition 5.13, there exists m_r such that 1 ≤ m_r ≤ n_r,
nth(j, V_DONE) =
  T if j = m_r
  F if j ≠ m_r, 1 ≤ j ≤ n_r,
and
(nth(m_r, V_O7) ... nth(m_r, V_O0)) = (d7 ... d0).
Thus, for i = 0, ..., 7, nth(m_r, V_Oi) = d_i. □
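The protocol functions in terms of which Theorem 5.1 and Propositions 5.9 and 5.13 are stated (send, cells, scan and recv with n = 5, k = 13 and j = 10), re-expressed in Python as an added example; this is not the report's or Moore's own code. The resampling function asynch_sample is a constructed, idealized stand-in for Moore's asynch (no oracle, no metastable reads), the trailing pad p2 of send is fixed at 0 as in Proposition 5.9, and the round trip is exercised at the extreme clock ratios allowed by 17π_s < 18π_r ≤ 19π_s.

```python
"""Biphase mark encoding and decoding as used in Section 5 (Moore's send/recv with
n = 5, k = 13, j = 10), re-expressed in Python as an added example; this is not the
report's or Moore's own code.  Bits are Python bools (T = True, F = False) and bit
vectors are lists.  asynch_sample is a simplified, constructed stand-in for Moore's
asynch: it resamples ideally and has no oracle for metastable reads."""


def listn(n, value):
    """listn(n, v): n copies of v."""
    return [value] * n


def cell(x, n, k, d):
    """One cell on a line currently at value x: an n-cycle mark subcell holding
    not1(x) (the edge), then a k-cycle code subcell holding equal(d, x)."""
    return listn(n, not x) + listn(k, d == x)


def cells(x, n, k, msg):
    """cells(x, n, k, (d7 ... d0)): the cells for msg, head bit first; each cell
    starts from the line value the previous one left behind."""
    out = []
    for d in msg:
        out += cell(x, n, k, d)
        x = (d == x)  # the code value is the line value at the end of the cell
    return out


def send(msg, p1, n, k):
    """send(msg, p1, n, k, 0): p1 idle cycles at T followed by the cells.  The
    trailing pad p2 of Moore's send is taken to be 0, as in Proposition 5.9."""
    return listn(p1, True) + cells(True, n, k, msg)


def scan(x, v):
    """scan(x, V): drop the prefix of V that still equals x; the result starts at
    the first sample after the edge (and is empty if no edge occurs)."""
    i = 0
    while i < len(v) and v[i] == x:
        i += 1
    return v[i:]


def recv(count, x, j, v):
    """recv(count, x, j, V): wait for an edge away from x, sample the (j+1)-th bit
    after the edge, decode it as xor2(edge value, sample), and continue after the
    sampled bit with the sample as the new line value.  Like Moore's recv, the
    result is shorter than count when V runs out, which is why Proposition 5.13
    assumes length(recv(8, T, 10, V)) = 8."""
    bits = []
    while count > 0:
        w = scan(x, v)
        if len(w) <= j:
            break
        bits.append(w[0] != w[j])
        count, x, v = count - 1, w[j], w[j + 1:]
    return bits


def asynch_sample(sv, ps, ts, pr, tr):
    """Constructed idealized resampling (an assumption, not Moore's asynch): the
    sender drives sv[i] during [ts + i*ps, ts + (i+1)*ps); the receiver samples the
    line at tr, tr + pr, tr + 2*pr, ... for as long as the sender is driving it.
    Times and periods are integers; a sample exactly on a boundary reads the new
    value."""
    assert ts <= tr
    end = ts + len(sv) * ps
    samples = []
    t = tr
    while t < end:
        samples.append(sv[(t - ts) // ps])
        t += pr
    return samples


def moore_ratio_ok(ps, pr):
    """The clock proximity hypothesis of Theorem 5.1: 17*ps < 18*pr <= 19*ps."""
    return 17 * ps < 18 * pr <= 19 * ps


def round_trip(msg, ps, pr, preamble=3, tr=40):
    """Encode msg on the sender's clock, resample on the receiver's clock and
    decode; returns the decoded message (a constructed end-to-end check)."""
    line = send(msg, preamble, 5, 13)
    return recv(8, True, 10, asynch_sample(line, ps, 0, pr, tr))
```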
6 NASA's Reliable Computing Platform
The goal of NASA's RCP project is an implementation of a provably correct operating
system that provides the application software developer a mechanism for dispatching
periodic tasks on a fault-tolerant computing base that appears as a single ultra-reliable
processor. The RCP may be modeled at four levels of abstraction:
(1) The uniprocessor model;
(2) The fault-tolerant synchronous replicated model;
(3) The fault-tolerant asynchronous replicated model;
(4) The hardware/software implementation.
At the second level, fault-tolerance is achieved by voting results computed by the
replicated processors, which operate on the same sensor inputs, and are assumed to
behave synchronously. A verified version of this model was reported in Task 1 [1].
At the third level, the assumptions of the synchronous model must be discharged.
This requires (a) a mechanism for achieving synchronization among the clocks that drive
the replicated processors and (b) a protocol for asynchronous communication. These
were addressed in Tasks 2 [22] and 3 [15], respectively.
Final realization of the RCP at the hardware level requires an appropriate hardware
description language that will allow the integration of these previous results in an im-
plementable design. This was the primary motivation for the present effort. Thus, we
have designed a language that provides for the modeling of asynchronous circuits, at
a sufficiently low level to allow straightforward implementation. In addition, we have
demonstrated a methodology for deriving and verifying comprehensive descriptions of
the behavior of these circuits.
Our verification of the simple biphase mark circuit defined in Section 5 is a first step
toward a verified RCP implementation. We would like to apply the same techniques,
along with our previous results on Byzantine agreement and clock synchronization, to
create a realistic implementation of a fault-tolerant circuit, verified at a greater level of
detail than has been previously possible.
References
[1] Bevier, William R. and Young, William D., Machine checked proofs of the Design
and Implementation of a Fault-Tolerant Circuit, Technical Report 62, Computational
Logic, Inc., NASA CR-182099, November 1990.
[2] Bickford, M., Formal Semantics for a Subset of VHDL and its Use in Analysis of
the FTPP Scoreboard Circuit, Odyssey Research Associates. Ithaca, N.Y., NASA
CR-191577, April 1994.
[3] Boyer, R. S. and Moore, J S., A Computational Logic Handbook, Academic Press,
Boston, 1988.
[4] Brock, Bishop C. and Hunt, Warren A., Jr., A Formal HDL and its use in the
FM9001 verification, in Proceedings of the Royal Society, 1992.
[5] Brock, Bishop C., Hunt, Warren A., Jr., and Young, William D., Introduction to a
formally defined hardware description language. In Proceedings of the IFIP Confer-
ence on Theorem Provers in Circuit Design, June 1992.
[6] Butler, R.W., A Survey of Provably Correct Fault-Tolerant Clock Synchronization
Techniques, NASA TM-100553, NASA, February 1988.
[7] Butler, R.W. and Johnson, S.C., The Art of Fault-Tolerant System Reliability Mod-
eling, NASA TM-102623, March 1990.
[8] Damm, W., A Formal Semantics for VHDL based on Interpreted Petri Nets, Tech-
nical Report, University of Oldenburg, 1992.
[9] Di Vito, B.L., Butler, R.W., and Caldwell, J.L., Formal Design and Verification
of a Reliable Computing Platform for Real-Time Control: Phase 1 Results, NASA
TM-102716, 1990.
[10] Butler, R.W., and Di Vito, B.L., Formal Design and Verification of a Reliable
Computing Platform for Real-Time Control: Phase 2 Results, NASA TM-104196,
1992.
[11] Institute of Electrical and Electronic Engineers, Draft Standard VHDL Language
Reference Manual, 1993.
[12] Kaufmann, M., A Translator from an HDL of David Russinoff to VHDL, Internal
Note 278, Computational Logic, Inc., July 1993.
[13] Lamport, L. and Melliar-Smith, P.M., Synchronizing Clocks in the Presence of
Faults, Journal of the ACM, 32:1 (January, 1985), pp. 52-78.
[14] Lamport, L., Shostak, R., and Pease, M., The Byzantine Generals Problem, ACM
TOPLAS, 4:3 (July, 1982), pp. 382-401.
[15] Moore, J S., A Formal Model of Asynchronous Communication and its Use in Me-
chanically Verifying a Biphase Mark Protocol, Technical Report 68, Computational
Logic, Inc., NASA CR-4433, June 1992.
[16] Moore, J S., Mechanically Verified Hardware Implementing an 8-Bit Parallel IO
Byzantine Agreement Processor, Technical Report 69, Computational Logic, Inc.,
NASA CR-189588, 1992.
[17] Pease, M., Shostak, R., and Lamport, L., Reaching Agreement in the Presence of
Faults, Journal of the ACM, 27:2 (April 1980), pp. 228-234.
[18] Roden, M. S., Digital Communication Systems Design, Prentice-Hall, 1988.
[19] Sanchez, L. and Kloos, C. D., "Functional Description of VHDL", in Segundo Con-
greso de Programacion Declarativa PRODE 93, Spain, September 1993.
[20] Taub, H. and Schilling, D., Digital Integrated Electronics, McGraw-Hill, New York,
1977.
[21] Van Tassel, J., A Formalization of the VHDL Simulation Cycle, Technical Report
249, University of Cambridge Computer Laboratory, June 1992.
[22] Young, William D., Verifying the interactive convergence clock synchronization al-
gorithm using the Boyer-Moore theorem prover, Technical Report 77, Computational
Logic, Inc., NASA CR-189649, April 1992.
Appendix: Nqthm Formalization
A Language Definition
;;Some basic definitions (the first 5 are from J's asynchrony file):
(defn listn (n value)
  (if (zerop n)
      nil
      (cons value
            (listn (sub1 n) value))))
(defn cdrn (n lst)
  (if (zerop n) lst (cdrn (sub1 n) (cdr lst))))
(defn nth (n lst)
  (car (cdrn n lst)))
(defn boolp (x) (or (equal x t) (equal x f)))
(defn bvp (x)
  (if (nlistp x)
      (equal x nil)
      (and (boolp (car x))
           (bvp (cdr x)))))
(defn bvpn (x n)
  (if (zerop n)
      (equal x ())
      (and (boolp (car x))
           (bvpn (cdr x) (sub1 n)))))
(defn plistp (l)
  (if (listp l)
      (plistp (cdr l))
      (equal l ())))
(defn firstn (n l)
  (if (zerop n)
      ()
      (cons (car l) (firstn (sub1 n) (cdr l)))))
;;Boolean terms and their evaluation:
(defn arities ()
  '((t0 . 0) (f0 . 0)
    (not1 . 1)
    (and2 . 2) (or2 . 2) (nand2 . 2) (nor2 . 2) (xor2 . 2)
    (and3 . 3) (or3 . 3) (nand3 . 3) (nor3 . 3) (xor3 . 3)
    (and4 . 4) (or4 . 4) (nand4 . 4) (nor4 . 4) (xor4 . 4)
    (and5 . 5) (or5 . 5) (nand5 . 5) (nor5 . 5) (xor5 . 5)))
(defn elemp (fn)
  (assoc fn (arities)))
(defn arity (fn)
  (cdr (assoc fn (arities))))
(defn termp$ (flg x l)
  (if (equal flg 'list)
      (if (listp x)
          (and (termp$ t (car x) l)
               (termp$ 'list (cdr x) l))
          t)
      (if (listp x)
          (and (elemp (car x))
               (equal (length (cdr x)) (arity (car x)))
               (termp$ 'list (cdr x) l))
          (member x l))))
(defn apply0 (fn)
  (case fn
    (t0 t)
    (f0 f)
    (otherwise f)))
(defn apply1 (fn x)
  (case fn
    (not1 (not x))
    (otherwise f)))
(defn apply2 (fn x y)
  (case fn
    (and2 (and x y))
    (or2 (or x y))
    (nand2 (not (and x y)))
    (nor2 (not (or x y)))
    (xor2 (not (equal x y)))
    (otherwise f)))
(defn apply3 (fn x y z)
  (case fn
    (and3 (and x y z))
    (or3 (or x y z))
    (nand3 (not (and x y z)))
    (nor3 (not (or x y z)))
    (xor3 (not (equal x (not (equal y z)))))
    (otherwise f)))
(defn apply4 (fn w x y z)
  (case fn
    (and4 (and w x y z))
    (or4 (or w x y z))
    (nand4 (not (and w x y z)))
    (nor4 (not (or w x y z)))
    (xor4 (not (equal w (not (equal x (not (equal y z)))))))
    (otherwise f)))
(defn apply5 (fn v w x y z)
  (case fn
    (and5 (and v w x y z))
    (or5 (or v w x y z))
    (nand5 (not (and v w x y z)))
    (nor5 (not (or v w x y z)))
    (xor5 (not (equal v (not (equal w (not (equal x (not (equal y z)))))))))
    (otherwise f)))
(defn eval (x a)
  (if (listp x)
      (case (arity (car x))
        (0 (apply0 (car x)))
        (1 (apply1 (car x)
                   (eval (cadr x) a)))
        (2 (apply2 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)))
        (3 (apply3 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)))
        (4 (apply4 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)
                   (eval (caddddr x) a)))
        (5 (apply5 (car x)
                   (eval (cadr x) a)
                   (eval (caddr x) a)
                   (eval (cadddr x) a)
                   (eval (caddddr x) a)
                   (eval (cadddddr x) a)))
        (otherwise f))
      (car (assoc x a))))
;;We define an "extended number" to be a number or F. (F represents
;;infinity.) The following operations are defined on this set:
(defn emin (x y)
  (if x
      (if y
          (if (lessp x y) x y)
          x)
      y))
(defn emax (x y)
  (if x
      (if y
          (if (lessp x y) y x)
          y)
      x))
(defn eadd1 (x)
  (if x
      (add1 x)
      x))
(defn eplus (x y)
  (if x
      (if y
          (plus x y)
          y)
      x))
;;A waveform is a list ((vn . tn) ... (v1 . t1) (v0 . t0)) of "events",
;;each of which associates a Boolean value vi with a time ti at which
;;the value is to be assumed by the associated signal. We require that
;;0 = t0 < t1 < ... < tn and v0 <> v1 <> ... <> vn:
(defn wavep (w)
  (if (listp w)
      (and (boolp (caar w))
           (if (listp (cdr w))
               (and (wavep (cdr w))
                    (numberp (cdar w))
                    (lessp (cdadr w) (cdar w))
                    (not (equal (caadr w) (caar w))))
               (and (equal (cdar w) 0)
                    (equal (cdr w) ()))))
      f))
;;A packet is a list of waveforms:
(defn packetp (l n)
  (if (zerop n)
      (equal l ())
      (and (listp l)
           (wavep (car l))
           (packetp (cdr l) (sub1 n)))))
;;The value of a signal at a given time is computed from its waveform
;;as follows:
(defn wval (wave time)
  (if (listp wave)
      (if (lessp time (cdar wave))
          (wval (cdr wave) time)
          (caar wave))
      f))
(defn pval (packet time)
  (if (listp packet)
      (cons (wval (car packet) time)
            (pval (cdr packet) time))
      ()))
;;Histories:
(defn whist (wave time)
  (if (listp wave)
      (if (lessp time (cdar wave))
          (whist (cdr wave) time)
          wave)
      wave))
(defn phist (packet time)
  (if (listp packet)
      (cons (whist (car packet) time)
            (phist (cdr packet) time))
      ()))
;;To determine whether some waveform of a packet acquires a new value
;;at a given time:
(defn wnewp (wave time)
  (if (listp wave)
      (if (lessp time (cdar wave))
          (wnewp (cdr wave) time)
          (equal time (cdar wave)))
      f))
(defn pnewp (packet time)
  (if (listp packet)
      (or (wnewp (car packet) time)
          (pnewp (cdr packet) time))
      f))
;;The basic propagation functions:
(defn trans (w v tv)
  (if (listp w)
      (if (lessp (cdar w) tv)
          (if (equal (caar w) v)
              w
              (cons (cons v tv) w))
          (trans (cdr w) v tv))
      f))
(defn inert (w v t0 tv)
  (if (listp w)
      (if (equal (wval w t0) v)
          (whist w t0)
          (if (lessp (cdar w) tv)
              (if (equal (caar w) v)
                  (cons (car w) (whist w t0))
                  (cons (cons v tv) (whist w t0)))
              (inert (cdr w) v t0 tv)))
      f))
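The propagation-delay semantics just defined (wval, whist, trans, inert and post-event), re-expressed in Python as an added example rather than the report's own code; drive_not1 is a constructed one-gate driver that executes a NOT gate at each input event, showing that the inertial delay of 2000 used for the gates swallows a 500-unit pulse while a transport delay passes it on.

```python
"""The waveform and propagation-delay functions of the appendix (wavep, wval, whist,
trans, inert, post-event), re-expressed in Python as an added example; this is not
the report's own code.  A waveform is a list of (value, time) events, newest event
first, ending with the initial event (v0, 0), exactly as in the Nqthm definitions."""


def wavep(wave):
    """Well-formed: Boolean values, strictly decreasing times down to t0 = 0, and no
    two adjacent events with the same value."""
    if not wave:
        return False
    for (v, t), (v2, t2) in zip(wave, wave[1:]):
        if not (isinstance(v, bool) and t2 < t and v != v2):
            return False
    v0, t0 = wave[-1]
    return isinstance(v0, bool) and t0 == 0


def wval(wave, time):
    """Value of the signal at `time`: the newest event scheduled at or before it."""
    for v, t in wave:
        if t <= time:
            return v
    return False  # the Nqthm wval returns F on an empty waveform


def whist(wave, time):
    """History at `time`: the waveform with every event later than `time` removed."""
    for i, (_, t) in enumerate(wave):
        if t <= time:
            return wave[i:]
    return []


def trans(wave, v, tv):
    """Transport delay: discard events scheduled at or after tv, then schedule value
    v at tv unless the remaining waveform already ends in v."""
    for i, (hv, ht) in enumerate(wave):
        if ht < tv:
            rest = wave[i:]
            return rest if hv == v else [(v, tv)] + rest
    return []  # unreachable for a well-formed waveform (t0 = 0 < tv)


def inert(wave, v, t0, tv):
    """Inertial delay: executing at t0 with new value v.  If the value in effect at
    t0 already equals v, every pending event is cancelled (this is what swallows a
    pulse shorter than the delay); otherwise v is scheduled at tv, keeping an
    earlier pending event that already carries v."""
    if not wave:
        return []
    if wval(wave, t0) == v:
        return whist(wave, t0)
    hist = whist(wave, t0)
    for hv, ht in wave:
        if ht < tv:
            return [(hv, ht)] + hist if hv == v else [(v, tv)] + hist
    return []


def post_event(wave, v, t0, mode, delay):
    """The appendix's post-event: propagate v with the output's mode and delay."""
    if mode == "trans":
        return trans(wave, v, t0 + delay)
    if mode == "inert":
        return inert(wave, v, t0, t0 + delay)
    raise ValueError(mode)


def drive_not1(inp, mode, delay=2000):
    """Run a NOT gate (delay 2000, like the appendix's not1) over the input waveform
    inp, executing it at each input event time in increasing order, and return the
    output waveform.  A constructed one-gate driver, not the report's simulator."""
    out = [(not wval(inp, 0), 0)]
    for t0 in sorted(t for _, t in inp):
        out = post_event(out, not wval(inp, t0), t0, mode, delay)
    return out


# Constructed inputs: a 500-unit pulse (shorter than the gate delay) and a
# 3000-unit pulse (longer than it), both starting from F at time 0.
GLITCH = [(False, 5500), (True, 5000), (False, 0)]
PULSE = [(False, 8000), (True, 5000), (False, 0)]
```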
;;A behavioral module is a list M = (BEHAV I O R D P), where
;; I is a list of litatoms, the inputs of M
;; O is a list of litatoms, the outputs of M
;; R is a list of elementary Boolean terms over I, corresponding to the outputs
;; D is a list of delays corresponding to the outputs
;; P is a list of modes (TRANS or INERT) corresponding to the outputs
(defn type (mod)
  ;a litatom
  (car mod))
(disable type)
(defn behavp (m) (equal (type m) 'behav))
(defn i (mod)
  ;a list of litatoms
  (cadr mod))
(disable i)
(defn o (mod)
  ;a list of litatoms
  (caddr mod))
(disable o)
(defn ni (mod)
  (length (i mod)))
(defn no (mod)
  (length (o mod)))
(defn r (mod)
  ;a list of Boolean terms
  (cadddr mod))
(defn d (mod)
  ;a list of positive numbers
  (caddddr mod))
(disable d)
(defn p (mod)
  ;a list of litatoms
  (cadddddr mod))
(disable p)
(defn distinct-symbols (l)
  (if (listp l)
      (and (litatom (car l))
           (not (member (car l) (cdr l)))
           (distinct-symbols (cdr l)))
      t))
(defn check-modes (modes)
  (if (listp modes)
      (and (member (car modes) '(trans inert))
           (check-modes (cdr modes)))
      t))
(defn check-delays (delays)
  (if (listp delays)
      (and (not (zerop (car delays)))
           (check-delays (cdr delays)))
      t))
(defn check-behav (m)
  (and (distinct-symbols (append (i m) (o m)))
       (equal (length (r m)) (length (o m)))
       (termp$ 'list (r m) (i m))
       (equal (length (d m)) (length (o m)))
       (check-delays (d m))
       (equal (length (p m)) (length (o m)))
       (check-modes (p m))))
(defn post-event (w v t0 mode delay)
  (case mode
    (trans (trans w v (plus t0 delay)))
    (inert (inert w v t0 (plus t0 delay)))
    (otherwise f)))
(defn post-events (packet outs pval t0 modes delays m)
  (if (listp packet)
      (cons (post-event (car packet)
                        (eval (car outs)
                              (pairlist (i m) pval))
                        t0
                        (car modes)
                        (car delays))
            (post-events (cdr packet)
                         (cdr outs)
                         pval
                         t0
                         (cdr modes)
                         (cdr delays)
                         m))
      ()))
;;The semantics of behavioral modules are defined by a function EXEC of
;;four arguments: (1) a module M, (2) an input packet INP, (3) an output packet
;;OUTP, and (4) a time T0. The value returned is the result of updating OUTP
;;by "executing" M on the input INP at time T0:
(defn exec (m inp outp t0)
  (post-events outp (r m) (pval inp t0) t0 (p m) (d m) m))
;;Gates are modeled as behavioral modules with inertial delay:
(defn t0 ()
  '(behav () (t) ((t0)) (2000) (inert)))
(defn f0 ()
  '(behav () (f) ((f0)) (2000) (inert)))
(defn not1 ()
  '(behav (a) (b) ((not1 a)) (2000) (inert)))
(defn and2 ()
  '(behav (a b) (c) ((and2 a b)) (2000) (inert)))
(defn or2 ()
  '(behav (a b) (c) ((or2 a b)) (2000) (inert)))
(defn nand2 ()
  '(behav (a b) (c) ((nand2 a b)) (2000) (inert)))
(defn nor2 ()
  '(behav (a b) (c) ((nor2 a b)) (2000) (inert)))
(defn xor2 ()
  '(behav (a b) (c) ((xor2 a b)) (2000) (inert)))
(defn and3 ()
  '(behav (a b c) (d) ((and3 a b c)) (2000) (inert)))
(defn or3 ()
  '(behav (a b c) (d) ((or3 a b c)) (2000) (inert)))
(defn nand3 ()
  '(behav (a b c) (d) ((nand3 a b c)) (2000) (inert)))
(defn nor3 ()
  '(behav (a b c) (d) ((nor3 a b c)) (2000) (inert)))
(defn xor3 ()
  '(behav (a b c) (d) ((xor3 a b c)) (2000) (inert)))
(defn and4 ()
  '(behav (a b c d) (e) ((and4 a b c d)) (2000) (inert)))
(defn or4 ()
  '(behav (a b c d) (e) ((or4 a b c d)) (2000) (inert)))
(defn nand4 ()
  '(behav (a b c d) (e) ((nand4 a b c d)) (2000) (inert)))
(defn nor4 ()
  '(behav (a b c d) (e) ((nor4 a b c d)) (2000) (inert)))
(defn xor4 ()
  '(behav (a b c d) (e) ((xor4 a b c d)) (2000) (inert)))
(defn and5 ()
  '(behav (a b c d e) (g) ((and5 a b c d e)) (2000) (inert)))
(defn or5 ()
  '(behav (a b c d e) (g) ((or5 a b c d e)) (2000) (inert)))
(defn nand5 ()
  '(behav (a b c d e) (g) ((nand5 a b c d e)) (2000) (inert)))
(defn nor5 ()
  '(behav (a b c d e) (g) ((nor5 a b c d e)) (2000) (inert)))
(defn xor5 ()
  '(behav (a b c d e) (g) ((xor5 a b c d e)) (2000) (inert)))
;;A structural module is a list M = (STRUCT I O S LI LO), where
;; I is a list of (global) inputs
;; O is a list of (global) outputs
;; S is a list of submodules
;; LI is a list of local inputs: each member of LI is a list representing
;;    the inputs to the corresponding submodule
;; LO is a list of local outputs: each member of LO is a list representing
;;    the outputs of the corresponding submodule
(defn structp (m) (equal (type m) 'struct))
(defn s (m)
  ;a list of modules
  (cadddr m))
(disable s)
(defn li (m)
  ;a list of lists of litatoms
  (caddddr m))
(disable li)
(defn lo (m)
  ;a list of lists of litatoms
  (cadddddr m))
(disable lo)
(defn lookup1 (key keys list)
  (if (listp keys)
      (if (member key (car keys))
          (car list)
          (lookup1 key (cdr keys) (cdr list)))
      f))
(defn find-lo (out m)
  (lookup1 out (lo m) (lo m)))
(defn find-s (out m)
  (lookup1 out (lo m) (s m)))
(defn find-li (out m)
  (lookup1 out (lo m) (li m)))
(defn lookup (key keys list)
  (if (listp keys)
      (if (equal key (car keys))
          (car list)
          (lookup key (cdr keys) (cdr list)))
      f))
(defn find-o (out m)
  (lookup out (find-lo out m) (o (find-s out m))))
(defn match-inputs (subins subs)
  (if (listp subs)
      (and (listp subins)
           (equal (length (car subins)) (ni (car subs)))
           (match-inputs (cdr subins) (cdr subs)))
      t))
(defn match-outputs (subouts subs)
  (if (listp subs)
      (and (equal (length (car subouts)) (no (car subs)))
           (match-outputs (cdr subouts) (cdr subs)))
      t))
(defn appears (x l)
  (if (listp l)
      (or (member x (car l))
          (appears x (cdr l)))
      f))
(defn all-appear (l m)
  (if (listp l)
      (and (appears (car l) m)
           (all-appear (cdr l) m))
      t))
(defn lists-all-appear (ls m)
  (if (listp ls)
      (and (all-appear (car ls) m)
           (lists-all-appear (cdr ls) m))
      t))
(defn none-appear (l m)
  (if (listp l)
      (and (not (appears (car l) m))
           (none-appear (cdr l) m))
      t))
(defn all-distinct-symbols (ls)
  (if (listp ls)
      (and (distinct-symbols (car ls))
           (none-appear (car ls) (cdr ls))
           (all-distinct-symbols (cdr ls)))
      t))
;;CHECK-STRUCT is the well-formedness test for a structural module: every
;;submodule has the right number of local inputs and outputs, every global
;;output and every local input is driven by a global input or a local output,
;;and no signal name is used twice.
(defn check-struct (m)
  (and (equal (length (li m)) (length (s m)))
       (match-inputs (li m) (s m))
       (equal (length (lo m)) (length (s m)))
       (match-outputs (lo m) (s m))
       (all-appear (o m) (lo m))
       (lists-all-appear (li m) (cons (i m) (lo m)))
       (all-distinct-symbols (cons (i m) (lo m)))))
(prove-lemma lessp-count-submodules (rewrite)
  (implies (equal (type m) 'struct)
           (equal (lessp (count (s m)) (count m)) t))
  ((enable s type)))
(defn modulep$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (modulep$ t (car m))
               (modulep$ 'list (cdr m)))
          (equal m ()))
      (case (type m)
        (struct
         (and (check-struct m)
              (modulep$ 'list (s m))))
        (behav
         (check-behav m))
        (otherwise f))))
(prove-lemma plistp-s ()
  (implies (modulep$ 'list s)
           (plistp s)))
(defn modulep (m)
  (modulep$ t m))
(prove-lemma plistp-s-m (rewrite)
  (implies (and (structp m) (modulep m))
           (plistp (s m)))
  ((use (plistp-s (s (s m))))))
;;For a given structural module M, a bundle is an object that consists of
;;a waveform corresponding to each output of each behavioral component of M:
(defn bundlep$ (flag b m)
  (if (equal flag 'list)
      (if (listp m)
          (and (bundlep$ t (car b) (car m))
               (bundlep$ 'list (cdr b) (cdr m)))
          (equal b ()))
      (if (structp m)
          (bundlep$ 'list b (s m))
          (packetp b (no m)))))
(defn bundlep (b m) (bundlep$ t b m))
;;An output packet for M may be extracted from a bundle for M as follows:
(defn select-wave (key signals packets)
  (if (listp packets)
      (if (member key (car signals))
          (lookup key (car signals) (car packets))
          (select-wave key (cdr signals) (cdr packets)))
      f))
(defn select-packet (keys signals packets)
  (if (listp keys)
      (cons (select-wave (car keys) signals packets)
            (select-packet (cdr keys) signals packets))
      ()))
(defn outp$ (flag m b)
  (if (equal flag 'list)
      (if (listp m)
          (cons (outp$ t (car m) (car b))
                (outp$ flag (cdr m) (cdr b)))
          ())
      (case (type m)
        (struct (select-packet (o m) (lo m) (outp$ 'list (s m) b)))
        (behav b)
        (otherwise f))))
(defn outp (m b) (outp$ t m b))
;;A list of input packets for the submodules of M may be extracted from
;;an input packet and a bundle for M as follows:
(defn input-packet (ins p b m)
  (select-packet ins
                 (cons (i m) (lo m))
                 (cons p (outp$ 'list (s m) b))))
(defn input-packets (ins p b m)
  (if (listp ins)
      (cons (input-packet (car ins) p b m)
            (input-packets (cdr ins) p b m))
      ()))
(defn inps (m p b)
  (input-packets (li m) p b m))
;;The semantics of structural modules are defined by a function STEP of
;;four arguments: (1) a module M, (2) an input packet P for M, (3) a bundle
;;B for M, and (4) a time T0. The value is the result of updating B by executing
;;each behavioral component of M for which some input acquires a new value
;;at time T0. Note that the input packets of the submodules are all computed
;;from the bundle as it was before the step, so the order of the submodules
;;does not affect the result:
(defn step$ (flag m p b t0)
  (if (equal flag 'list)
      (if (listp m)
          (cons (step$ t (car m) (car p) (car b) t0)
                (step$ 'list (cdr m) (cdr p) (cdr b) t0))
          ())
      (case (type m)
        (struct (step$ 'list (s m) (inps m p b) b t0))
        (behav (if (pnewp p t0) (exec m p b t0) b))
        (otherwise f))))
(defn step (m p b t0) (step$ t m p b t0))
;examples:
(defn adder2 ()
  `(struct (a b c) (l h)
     (,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2) ,(nand2))
     ((a b) (a t1) (b t1) (t2 t3) (c t4) (t5 t4) (c t5) (t5 t1) (t7 t6))
     ((t1) (t2) (t3) (t4) (t5) (t6) (t7) (h) (l))))
(defn dff ()
  `(struct (clk rst d) (q qn)
     (,(not1) ,(and2) ,(nand2) ,(nand2) ,(nand3) ,(nand2) ,(nand2) ,(nand2))
     ((rst) (rn d) (b2 b1) (a1 clk) (b1 clk b2) (a2 dd) (b1 qn) (q a2))
     ((rn) (dd) (a1) (b1) (a2) (b2) (q) (qn))))
(defn fnand2 ()
  '(behav (a b) (c) ((nand2 a b)) (1000) (inert)))
(defn dlatch ()
  `(struct (clk d) (s2)
     (,(not1) ,(nand2) ,(nand2) ,(fnand2))
     ((clk) (clk d) (s1 s3) (s0 s2))
     ((s0) (s1) (s2) (s3))))
;;*************************************************************************
;; SIMULATION
;;The top-level simulation function SIM takes three arguments: (1) a module
;;M, (2) an input packet P for M, and (3) a termination time TF. The value
;;returned is the bundle produced by simulating M with input P over the
;;interval from 0 to TF.
;;The time at which each simulation cycle occurs is computed by the function
;;TNEXT. Its arguments are (1) the time T0 of the last simulation cycle,
;;(2) the input packet P, (3) the current bundle B, and (4) the module M.
;;The value returned is the time of the earliest event occurring in either
;;P or B that is later than T0, if such an event exists, and F otherwise.
(defn tnextw (wave t0)
  (if (listp wave)
      (if (lessp t0 (cdar wave))
          (if (lessp t0 (cdadr wave))
              (tnextw (cdr wave) t0)
              (cdar wave))
          f)
      f))
(defn tnextp (p t0)
  (if (listp p)
      (emin (tnextw (car p) t0)
            (tnextp (cdr p) t0))
      f))
(defn tnextb$ (flag bun m t0)
  (if (equal flag 'list)
      (if (listp m)
          (emin (tnextb$ t (car bun) (car m) t0)
                (tnextb$ 'list (cdr bun) (cdr m) t0))
          f)
      (case (type m)
        (struct (tnextb$ 'list bun (s m) t0))
        (behav (tnextp bun t0))
        (otherwise f))))
(defn tnext (t0 p b m)
  (emin (tnextp p t0) (tnextb$ t b m t0)))
;;The function RUN is the guts of the simulator. Its arguments are
;;(1) a module M, (2) an input packet P, (3) an initial bundle B,
;;(4) an initial time T0, and (5) a termination time TF. It simulates
;;M over the interval from T0 to TF, repeatedly calling STEP.
(prove-lemma lessp-tnextw (rewrite)
  (implies (tnextw w t0)
           (lessp t0 (tnextw w t0))))
(prove-lemma lessp-tnextp (rewrite)
  (implies (tnextp p t0)
           (lessp t0 (tnextp p t0))))
(prove-lemma lessp-tnextb$ (rewrite)
  (implies (tnextb$ flag b m t0)
           (lessp t0 (tnextb$ flag b m t0))))
(prove-lemma lessp-tnext (rewrite)
  (implies (tnext t0 p b m)
           (lessp t0 (tnext t0 p b m))))
;;Since TNEXT is strictly later than T0 (the lemmas above), the measure
;;TF - T0 decreases on every recursive call, which is what justifies
;;the definition of RUN.
(defn run (m p b t0 tf)
  (let ((tnext (tnext t0 p b m)))
    (if (and tnext (leq tnext tf))
        (run m p (step m p b tnext) tnext tf)
        b))
  ((lessp (difference tf t0))))
;;SIM calls RUN with an initial time T0 = 0 and an initial bundle that
;;is computed by first associating the trivial waveform ((F . 0)) with
;;each signal of M, and then executing every behavioral component of M:
(defn w0 () `((,f . 0)))
(defn b0$ (flg m)
  (if (equal flg 'list)
      (if (listp m)
          (cons (b0$ t (car m)) (b0$ 'list (cdr m)))
          ())
      (case (type m)
        (struct (b0$ 'list (s m)))
        (behav (listn (no m) (w0)))
        (otherwise f))))
(defn b0 (m) (b0$ t m))
(defn init$ (flg m p)
  (if (equal flg 'list)
      (if (listp m)
          (cons (init$ t (car m) (car p))
                (init$ 'list (cdr m) (cdr p)))
          ())
      (case (type m)
        (struct (init$ 'list (s m) (inps m p (b0 m))))
        (behav (exec m p (b0 m) 0))
        (otherwise f))))
(defn init (m p)
  (init$ t m p))
(defn sim (m p tf)
  (run m p (init m p) 0 tf))
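The simulator just defined (bundles, OUTP, INPS, EXEC, STEP, TNEXT, RUN, SIM) re-implemented in Python so that it can be run on the report's ADDER2 without an Nqthm installation. This is an added example, not the report's code. It follows the text's representation of a waveform as (value . time) events, newest first, ending in the trivial waveform W0 = ((F . 0)). The appendix above uses INERT but does not reproduce its definition, so the inertial rule here is an assumption (a simplified VHDL rule: a post at TV cancels pending events at or after TV and pending events before TV with a different value, and a post that does not change the value is dropped); the input packet is constructed for the example, and all gates carry the report's 2000-unit delay.

```python
from collections import namedtuple

# Module shapes mirror the report's (BEHAV ...) and (STRUCT ...) S-expressions.
Behav = namedtuple("Behav", "ins outs terms delays modes")
Struct = namedtuple("Struct", "ins outs subs li lo")
GATES = {"not1": lambda a: not a, "and2": lambda a, b: a and b,
         "nand2": lambda a, b: not (a and b), "nand3": lambda a, b, c: not (a and b and c)}

# A waveform is a list of (value, time) events, newest first; W0 is [(False, 0)].
def wval(w, t):
    """WVAL: the value of W at time T, i.e. its newest event at or before T."""
    return next((v for v, te in w if te <= t), False)

def canon(w):  # drop events that do not change the value (scan oldest first)
    out = []
    for e in reversed(w):
        if not out or out[-1][0] != e[0]:
            out.append(e)
    return out[::-1]

def inert(w, v, t0, tv):
    """Post V at TV with inertial delay at current time T0.  ASSUMPTION: simplified VHDL
    rule; pending events at/after TV, or before TV with a value other than V, are cancelled."""
    kept = [e for e in w if e[1] <= t0 or (e[1] < tv and e[0] == v)]
    return canon(([(v, tv)] if wval(kept, tv) != v else []) + kept)

def pval(p, t): return [wval(w, t) for w in p]
def pnewp(p, t): return any(te == t for w in p for _, te in w)  # some input has an event at T

def eval_term(term, env):
    """Evaluate a gate term such as ("nand2", "a", "b") on the input values in ENV."""
    if isinstance(term, str):
        return env[term]
    op, *args = term
    return GATES[op](*(eval_term(a, env) for a in args))

def select_packet(keys, signals, packets):
    """SELECT-PACKET: for each key, the waveform of that name in (signals, packets)."""
    table = {n: w for ns, pk in zip(signals, packets) for n, w in zip(ns, pk)}
    return [table[k] for k in keys]
def outp(m, b):
    """OUTP: the output packet of M extracted from bundle B."""
    if isinstance(m, Behav):
        return b
    return select_packet(m.outs, m.lo, [outp(s, sb) for s, sb in zip(m.subs, b)])

def inps(m, p, b):
    """INPS: input packets of M's submodules, drawn from M's inputs and local outputs."""
    packets = [p] + [outp(s, sb) for s, sb in zip(m.subs, b)]
    return [select_packet(li, (m.ins, *m.lo), packets) for li in m.li]
def exec_(m, pin, pout, t0):
    """EXEC: evaluate each output term on the current inputs and post it (INERT mode only)."""
    env = dict(zip(m.ins, pval(pin, t0)))
    return [inert(w, eval_term(tm, env), t0, t0 + d)
            for w, tm, d in zip(pout, m.terms, m.delays)]

def step(m, p, b, t0):
    """STEP: execute every behavioral component that has an input event at T0."""
    if isinstance(m, Behav):
        return exec_(m, p, b, t0) if pnewp(p, t0) else b
    return [step(s, sp, sb, t0) for s, sp, sb in zip(m.subs, inps(m, p, b), b)]

def waves(m, b):
    if isinstance(m, Behav):
        yield from b
    else:
        for s, sb in zip(m.subs, b):
            yield from waves(s, sb)

def tnext(t0, p, b, m):
    """TNEXT: the earliest event time later than T0 in P or B, else None (the report's F)."""
    return min((te for w in [*p, *waves(m, b)] for _, te in w if te > t0), default=None)
def b0(m):
    return [[(False, 0)] for _ in m.outs] if isinstance(m, Behav) else [b0(s) for s in m.subs]
def init(m, p):
    """INIT: start from W0 everywhere and execute every behavioral component at time 0."""
    if isinstance(m, Behav):
        return exec_(m, p, b0(m), 0)
    return [init(s, sp) for s, sp in zip(m.subs, inps(m, p, b0(m)))]

def run(m, p, b, t0, tf):
    """RUN: step at each event time in (T0, TF]; terminates because TNEXT strictly grows."""
    while (tn := tnext(t0, p, b, m)) is not None and tn <= tf:
        b, t0 = step(m, p, b, tn), tn
    return b
def sim(m, p, tf):
    return run(m, p, init(m, p), 0, tf)

NAND2 = Behav(("a", "b"), ("c",), (("nand2", "a", "b"),), (2000,), ("inert",))
# The report's ADDER2: a full adder from nine 2-input NANDs, sum L and carry H.
ADDER2 = Struct(("a", "b", "c"), ("l", "h"), (NAND2,) * 9,
                (("a", "b"), ("a", "t1"), ("b", "t1"), ("t2", "t3"), ("c", "t4"),
                 ("t5", "t4"), ("c", "t5"), ("t5", "t1"), ("t7", "t6")),
                (("t1",), ("t2",), ("t3",), ("t4",), ("t5",), ("t6",), ("t7",), ("h",), ("l",)))
# Constructed input packet: A rises at 20000, B is high throughout, C rises at 40000.
INPUTS = [[(True, 20000), (False, 0)], [(True, 0)], [(True, 40000), (False, 0)]]

def adder_outputs(tf=60000, probes=(19999, 39999, 59999)):
    """(sum, carry) read from the simulated bundle at each probe time."""
    b = sim(ADDER2, INPUTS, tf)
    return [tuple(pval(outp(ADDER2, b), t)) for t in probes]
```

`adder_outputs()` returns `[(True, False), (False, True), (True, True)]`: the sum and carry for the input triples (0,1,0), (1,1,0) and (1,1,1), each read after the longest NAND chain (six gates, 12000 time units) has settled. Because STEP draws every submodule's inputs from the pre-step bundle, the nine NANDs can be listed in any order. The run-run decomposition lemma proved later in this appendix can be checked on this model by simulating 0 to 60000 in one piece and as 0 to 30000 followed by 30000 to 60000; the two bundles are identical.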
B Properties of the Simulator
;;The value of a waveform at any time is a Boolean:
(prove-lemma boolp-wval (rewrite)
  (implies (wavep w)
           (boolp (wval w t0))))
;;The value of a packet at any time is a bit vector:
(prove-lemma bvp-pval (rewrite)
  (implies (packetp p n)
           (bvpn (pval p t0) n))
  ((disable boolp)))
;;Any history of a waveform is a waveform:
(prove-lemma wavep-whist (rewrite)
  (implies (wavep w)
           (wavep (whist w t0))))
(prove-lemma listp-whist (rewrite)
  (implies (wavep w)
           (listp (whist w t0))))
;;The history of a waveform W w.r.t. a time T0 has the same value
;;at T0 as W:
(prove-lemma whist-value (rewrite)
  (equal (wval (whist w t0) t0)
         (wval w t0)))
(prove-lemma wval-caar-whist (rewrite)
  (implies (wavep w)
           (equal (wval w t0) (caar (whist w t0)))))
(disable wval-caar-whist)
(prove-lemma leq-cdar-whist-t0 (rewrite)
  (implies (wavep w)
           (not (lessp t0 (cdar (whist w t0))))))
(prove-lemma lessp-cdar-whist (rewrite)
  (implies (and (wavep w)
                (not (equal (wval w t0) (caar w))))
           (lessp (cdar (whist w t0)) (cdar w))))
;;The history of W w.r.t. T0 has a constant value for all T1 >= T0:
(prove-lemma wval-whist (rewrite)
  (implies (and (wavep w)
                (leq t0 t1))
           (equal (wval (whist w t0) t1)
                  (caar (whist w t0)))))
(prove-lemma leq-cdar-whist (rewrite)
  (not (lessp t0 (cdar (whist w t0)))))
(prove-lemma leq-cdar-whist-t0-rewrite (rewrite)
  (implies (and (wavep w)
                (lessp t0 tv))
           (equal (lessp (cdar (whist w t0)) tv) t))
  ((use (leq-cdar-whist-t0))))
;;Both propagation functions, TRANS and INERT, transform waveforms
;;into waveforms:
(prove-lemma wavep-trans (rewrite)
  (implies (and (wavep w)
                (boolp v)
                (not (zerop t0)))
           (wavep (trans w v t0))))
(prove-lemma wavep-inert (rewrite)
  (implies (and (wavep w)
                (boolp v)
                (lessp t0 tv))
           (wavep (inert w v t0 tv)))
  ((induct (inert w v t0 tv))
   (disable boolp)
   (enable wval-caar-whist)))
;;Both propagation functions are "nonretroactive", i.e., do not
;;alter the history of a waveform w.r.t. the current time:
(prove-lemma trans-nonretroactive (rewrite)
  (implies (and (wavep wave)
                (lessp t0 t1))
           (equal (whist (trans wave val t1) t0)
                  (whist wave t0))))
(prove-lemma inert-nonretroactive (rewrite)
  (implies (and (wavep wave)
                (lessp t0 tv))
           (equal (whist (inert wave val t0 tv) t0)
                  (whist wave t0)))
  ((induct (inert wave val t0 tv))))
;;The predicate WCONP determines whether a waveform W has a constant
;;value V over a time interval [T1,T2): the most recent event of W
;;that occurs before T2 must occur no later than T1 and must have
;;value V:
(defn wconp (w v t1 t2)
  (if (listp w)
      (if (lessp (cdar w) t2)
          (and (leq (cdar w) t1)
               (equal (caar w) v))
          (wconp (cdr w) v t1 t2))
      t))
(prove-lemma wval-wconp (rewrite)
  (implies (and (wconp w v t1 t2)
                (wavep w)
                (leq t1 tp)
                (lessp tp t2))
           (equal (wval w tp) v)))
;;The waveform (TRANS W V TV) has the constant value V
;;over [TV,T2) for all T2 > TV:
(prove-lemma wconp-trans-1 (rewrite)
  (implies (and (wavep w)
                (not (zerop tv))
                (lessp tv t2))
           (wconp (trans w v tv) v tv t2)))
;;The waveform (INERT W V T0 TV) has the constant value V
;;over [TV,T2) for all T2 > TV:
(prove-lemma wconp-inert-1 (rewrite)
  (implies (and (wavep w)
                (lessp t0 tv)
                (lessp tv t2))
           (wconp (inert w v t0 tv) v tv t2))
  ((enable wval-caar-whist)))
;;If W has the constant value U over [T1,T2), where T1 <= T2 <= TV,
;;then so does (TRANS W V TV):
(prove-lemma wconp-trans-2 (rewrite)
  (implies (and (wavep w)
                (wconp w u t1 t2)
                (leq t1 t2)
                (leq t2 tv)
                (not (zerop t2)))
           (wconp (trans w v tv) u t1 t2)))
;;If W has the constant value U over [T1,T2), where
;;T1 <= T0 <= T2 <= TV, then so does (INERT W V T0 TV):
(prove-lemma wconp-inert-2 (rewrite)
  (implies (and (wavep w)
                (wconp w u t1 t2)
                (lessp t0 tv)
                (leq t1 t0)
                (leq t0 t2)
                (leq t2 tv))
           (wconp (inert w v t0 tv) u t1 t2)))
;;Both propagation functions are "idempotent" in the following sense:
;;posting the same value again at a later time changes nothing:
(prove-lemma trans-trans (rewrite)
  (implies (and (wavep w)
                (leq tv1 tv2))
           (equal (trans (trans w v tv1) v tv2)
                  (trans w v tv1))))
(prove-lemma inert-inert (rewrite)
  (implies (and (wavep w)
                (lessp t01 tv1) (lessp t02 tv2)
                (lessp t01 t02) (lessp tv1 tv2))
           (equal (inert (inert w v t01 tv1) v t02 tv2)
                  (inert w v t01 tv1)))
  ((induct (inert w v t01 tv1))
   (enable wval-caar-whist)))
(disable trans)
(disable inert)
;; BEHAVIORAL MODULES
;;Execution of a behavioral module depends only on the current value of
;;the input (i.e., it is independent of both past and future input):
(prove-lemma exec-comb (rewrite)
  (implies (equal (pval p1 t0) (pval p2 t0))
           (equal (equal (exec m p1 pout t0) (exec m p2 pout t0))
                  t)))
(prove-lemma exec-nonret-1 ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (packetp pout n))
           (equal (phist (post-events pout r inv t0 pm d m) t0)
                  (phist pout t0))))
;;Execution is "nonretroactive", i.e., does not alter the history of
;;the output packet:
(prove-lemma exec-nonretroactive (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pout (no m)))
           (equal (phist (exec m pin pout t0) t0)
                  (phist pout t0)))
  ((use (exec-nonret-1 (d (d m)) (pm (p m)) (n (no m))
                       (r (r m)) (inv (pval pin t0))))))
(prove-lemma exec-idem-1 ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (packetp pout n)
                (lessp t0 t1))
           (equal (post-events (post-events pout r inv t0 pm d m)
                               r inv t1 pm d m)
                  (post-events pout r inv t0 pm d m))))
;;Execution is "idempotent" in the following sense:
(prove-lemma exec-idempotent (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pout (no m))
                (lessp t0 t1)
                (equal (pval pin t0) (pval pin t1)))
           (equal (exec m pin (exec m pin pout t0) t1)
                  (exec m pin pout t0)))
  ((use (exec-idem-1 (d (d m)) (pm (p m)) (n (no m))
                     (r (r m)) (inv (pval pin t0))))))
;;We shall prove that under normal conditions, execution always
;;produces a valid output packet. We must first show that evaluation
;;of a Boolean term always produces a Boolean value:
(prove-lemma boolp-apply0 (rewrite)
  (boolp (apply0 fn)))
(prove-lemma boolp-apply1 (rewrite)
  (boolp (apply1 fn x)))
(prove-lemma boolp-apply2 (rewrite)
  (boolp (apply2 fn x y)))
(prove-lemma boolp-apply3 (rewrite)
  (boolp (apply3 fn x y z)))
(prove-lemma boolp-apply4 (rewrite)
  (boolp (apply4 fn w x y z)))
(prove-lemma boolp-apply5 (rewrite)
  (boolp (apply5 fn v w x y z)))
(prove-lemma boolp-eval-list (rewrite)
  (implies (listp x)
           (boolp (eval x a)))
  ((expand (eval x a))
   (disable apply0 apply1 apply2 apply3 apply4 apply5 boolp arity)))
(prove-lemma boolp-eval-nlistp (rewrite)
  (implies (and (termp$ t term i) (nlistp term)
                (bvpn pval (length i)))
           (boolp (eval term (pairlist i pval)))))
(prove-lemma boolp-eval (rewrite)
  (implies (and (termp$ t term i)
                (bvpn pval (length i)))
           (boolp (eval term (pairlist i pval))))
  ((expand (eval x a))
   (disable apply0 apply1 apply2 apply3 apply4 apply5 boolp arity)))
(defn ppe-induct (d pm r pout n)
  (if (zerop n)
      t
      (ppe-induct (cdr d) (cdr pm) (cdr r) (cdr pout) (sub1 n))))
(prove-lemma packetp-post-events ()
  (implies (and (check-delays d) (equal (length d) n)
                (check-modes pm) (equal (length pm) n)
                (termp$ 'list r (i m)) (equal (length r) n)
                (bvpn inv (length (i m)))
                (packetp pout n))
           (packetp (post-events pout r inv t0 pm d m) n))
  ((induct (ppe-induct d pm r pout n))))
(prove-lemma packetp-exec (rewrite)
  (implies (and (modulep m)
                (behavp m)
                (packetp pin (length (i m)))
                (packetp pout (length (o m))))
           (packetp (exec m pin pout t0) (length (o m))))
  ((use (packetp-post-events
         (d (d m)) (pm (p m)) (r (r m)) (n (no m)) (inv (pval pin t0))))))
;;We extend the notion of "history" to bundles in the natural way:
(defn bhist$ (flag b m t0)
  (if (equal flag 'list)
      (if (listp m)
          (cons (bhist$ t (car b) (car m) t0)
                (bhist$ 'list (cdr b) (cdr m) t0))
          ())
      (if (structp m)
          (bhist$ 'list b (s m) t0)
          (phist b t0))))
(defn bhist (b m t0)
  (bhist$ t b m t0))
(prove-lemma step$-nonret ()
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m))
           (equal (bhist$ flag (step$ flag m p b t0) m t0)
                  (bhist$ flag b m t0)))
  ((disable exec)))
;;STEP is "nonretroactive", i.e., does not alter the history of
;;its third argument:
(prove-lemma step-nonretroactive (rewrite)
  (implies (and (modulep m)
                (bundlep b m))
           (equal (bhist (step m p b t0) m t0)
                  (bhist b m t0)))
  ((use (step$-nonret (flag t)))))
(prove-lemma whist-lookup (rewrite)
  (implies (equal (phist p1 t0) (phist p2 t0))
           (equal (equal (whist (lookup z v p1) t0)
                         (whist (lookup z v p2) t0))
                  t)))
(defn phist$ (flag p t0)
  (if (equal flag 'list)
      (if (listp p)
          (cons (phist$ t (car p) t0)
                (phist$ 'list (cdr p) t0))
          ())
      (phist p t0)))
(prove-lemma whist-select-wave (rewrite)
  (implies (equal (phist$ 'list p1 t0)
                  (phist$ 'list p2 t0))
           (equal (equal (whist (select-wave z subouts p1) t0)
                         (whist (select-wave z subouts p2) t0))
                  t)))
(prove-lemma phist-select-packet (rewrite)
  (implies (equal (phist$ 'list p1 t0)
                  (phist$ 'list p2 t0))
           (equal (equal (phist (select-packet souts subouts p1) t0)
                         (phist (select-packet souts subouts p2) t0))
                  t)))
(prove-lemma phist$-outp$ (rewrite)
  (implies (equal (bhist$ flag b1 m t0) (bhist$ flag b2 m t0))
           (equal (equal (phist$ flag (outp$ flag m b1) t0)
                         (phist$ flag (outp$ flag m b2) t0))
                  t)))
(prove-lemma history-outp-submodules (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0)))
           (equal (equal (phist$ 'list (outp$ 'list (s m) b1) t0)
                         (phist$ 'list (outp$ 'list (s m) b2) t0))
                  t)))
(prove-lemma phist-input-packet (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0))
                (equal (phist p1 t0)
                       (phist p2 t0)))
           (equal (equal (phist (input-packet ins p1 b1 m) t0)
                         (phist (input-packet ins p2 b2 m) t0))
                  t)))
(prove-lemma phist$-input-packets (rewrite)
  (implies (and (structp m)
                (equal (bhist b1 m t0)
                       (bhist b2 m t0))
                (equal (phist p1 t0)
                       (phist p2 t0)))
           (equal (equal (phist$ 'list (input-packets li p1 b1 m) t0)
                         (phist$ 'list (input-packets li p2 b2 m) t0))
                  t))
  ((disable input-packet)
   (induct (input-packets li inp s m))))
(prove-lemma phist$-inps-2 (rewrite)
  (implies (and (structp m)
                (equal (phist$ flag p1 t0)
                       (phist$ flag p2 t0))
                (not (equal flag 'list)))
           (equal (equal (phist$ 'list (inps m p1 b) t0)
                         (phist$ 'list (inps m p2 b) t0))
                  t)))
(prove-lemma whist-wnewp (rewrite)
  (implies (and (wnewp w1 t0)
                (equal (whist w1 t0) (whist w2 t0)))
           (wnewp w2 t0)))
(defn list-2-induct (x y)
  (if (listp x)
      (list-2-induct (cdr x) (cdr y))
      t))
(prove-lemma phist-pnewp (rewrite)
  (implies (and (pnewp p1 t0)
                (equal (phist p1 t0) (phist p2 t0)))
           (pnewp p2 t0))
  ((induct (list-2-induct p1 p2))))
(prove-lemma pval-phist ()
  (equal (pval (phist p t0) t0)
         (pval p t0)))
(prove-lemma equal-phist-pval (rewrite)
  (implies (equal (phist p1 t0) (phist p2 t0))
           (equal (equal (pval p1 t0) (pval p2 t0))
                  t))
  ((use (pval-phist (p p1)) (pval-phist (p p2)))))
(defn sn-induct (flag m b p1 p2)
  (if (equal flag 'list)
      (if (listp m)
          (and (sn-induct t (car m) (car b) (car p1) (car p2))
               (sn-induct flag (cdr m) (cdr b) (cdr p1) (cdr p2)))
          t)
      (if (structp m)
          (sn-induct 'list (s m) b (inps m p1 b) (inps m p2 b))
          t)))
(prove-lemma step-nonpred-1 ()
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m)
                (equal (phist$ flag p1 t0) (phist$ flag p2 t0)))
           (equal (step$ flag m p1 b t0) (step$ flag m p2 b t0)))
  ((disable exec)
   (induct (sn-induct flag m b p1 p2))))
;;Unlike EXEC, STEP depends in general on the history (and not merely
;;the current values) of the input. However, STEP is "nonpredictive",
;;i.e., independent of future input:
(prove-lemma step-nonpredictive (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (equal (phist p1 t0) (phist p2 t0)))
           (equal (equal (step m p1 b t0) (step m p2 b t0))
                  t))
  ((use (step-nonpred-1 (flag t)))))
;;INPACKETP tests whether P is a valid input packet for M:
(defn inpacketp (p m)
  (packetp p (length (i m))))
(defn inpacketp$ (flag p m)
  (if (equal flag 'list)
      (if (listp m)
          (and (inpacketp (car p) (car m))
               (inpacketp$ 'list (cdr p) (cdr m)))
          t)
      (inpacketp p m)))
(prove-lemma wavep-lookup (rewrite)
  (implies (and (packetp w n)
                (equal (length v) n)
                (member z v))
           (wavep (lookup z v w))))
(defn packetp$ (flag p n)
  (if (equal flag 'list)
      (if (listp n)
          (and (packetp (car p) (car n))
               (packetp$ 'list (cdr p) (cdr n)))
          t)
      (packetp p n)))
(defn length$ (flag l)
  (if (equal flag 'list)
      (if (listp l)
          (cons (length (car l)) (length$ 'list (cdr l)))
          ())
      (length l)))
(prove-lemma wavep-select-wave (rewrite)
  (implies (and (packetp$ 'list p ns)
                (equal (length$ 'list subouts) ns)
                (appears z subouts))
           (wavep (select-wave z subouts p))))
(prove-lemma packetp$-select-packet (rewrite)
  (implies (and (packetp$ 'list p ns)
                (equal (length$ 'list subouts) ns)
                (all-appear souts subouts))
           (packetp (select-packet souts subouts p)
                    (length souts))))
(defn no$ (flag mod)
  (if (equal flag 'list)
      (if (listp mod)
          (cons (no (car mod))
                (no$ 'list (cdr mod)))
          ())
      (no mod)))
(prove-lemma match-outputs-length$ (rewrite)
  (implies (and (match-outputs x y)
                (equal (length x) (length y)))
           (equal (length$ 'list x) (no$ 'list y))))
(prove-lemma packetp-output-packet-1 (rewrite)
  (implies (and (packetp$ 'list
                          (outp$ 'list s (s mod))
                          (no$ 'list (s mod)))
                (structp mod)
                (modulep mod))
           (packetp (select-packet (o mod)
                                   (lo mod)
                                   (outp$ 'list s (s mod)))
                    (no mod))))
(prove-lemma packetp$-outp$ (rewrite)
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m))
           (packetp$ flag
                     (outp$ flag m b)
                     (no$ flag m)))
  ((disable packetp)))
(prove-lemma packetp$-outp$-list (rewrite)
  (implies (and (structp mod)
                (modulep mod)
                (bundlep b mod))
           (packetp$ 'list
                     (outp$ 'list (s mod) b)
                     (no$ 'list (s mod)))))
(prove-lemma packetp-length (rewrite)
  (implies (packetp p n)
           (packetp p (length p))))
(prove-lemma packetp$-cons-inp-outs (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (packetp$ 'list
                     (cons p (outp$ 'list (s m) b))
                     (cons (length p) (length$ 'list (lo m)))))
  ((disable bundlep)))
(prove-lemma packetp$-select-packet-2 (rewrite)
  (implies (and (packetp$ 'list p (length$ 'list p))
                (equal (length$ 'list subouts) (length$ 'list p))
                (all-appear souts subouts))
           (packetp (select-packet souts subouts p)
                    (length souts))))
(prove-lemma length-select-packet (rewrite)
  (equal (length (select-packet x y z))
         (length x)))
(prove-lemma length-packet (rewrite)
  (implies (packetp p n)
           (equal (length p) (fix n))))
(prove-lemma length-outp (rewrite)
  (implies (and (bundlep b m)
                (modulep m))
           (equal (length (outp$ t m b))
                  (no m)))
  ((expand (outp$ t m b))))
(prove-lemma length$-outp$ (rewrite)
  (implies (and (bundlep$ flag b m)
                (modulep$ flag m))
           (equal (length$ flag (outp$ flag m b))
                  (no$ flag m))))
(prove-lemma length-lo ()
  (implies (and (modulep m)
                (structp m))
           (equal (no$ 'list (s m))
                  (length$ 'list (lo m)))))
(prove-lemma packetp-input-packet (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (all-appear ins (cons (i m) (lo m))))
           (packetp (input-packet ins p b m) (length ins)))
  ((disable packetp$ length-packet)
   (use (length-lo)
        (length-packet (n (length (i m)))))
   (expand (bundlep$ t b m))))
(prove-lemma packetp$-input-packets (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (lists-all-appear li (cons (i m) (lo m))))
           (packetp$ 'list
                     (input-packets li p b m)
                     (length$ 'list li)))
  ((disable input-packet)
   (induct (input-packets li p b m))))
(defn ni$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (cons (ni (car m))
                (ni$ 'list (cdr m)))
          ())
      (ni m)))
(prove-lemma inpacketp$-packetp$ ()
  (equal (inpacketp$ 'list p s)
         (packetp$ 'list p (ni$ 'list s))))
(prove-lemma match-inputs-length$ (rewrite)
  (implies (and (match-inputs x y)
                (equal (length x) (length y)))
           (equal (length$ 'list x) (ni$ 'list y))))
(prove-lemma packetp$-li ()
  (implies (and (modulep m)
                (structp m))
           (equal (inpacketp$ 'list p (s m))
                  (packetp$ 'list p (length$ 'list (li m)))))
  ((use (inpacketp$-packetp$ (s (s m))))))
(prove-lemma inpacketp$-inps (rewrite)
  (implies (and (structp m)
                (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (inpacketp$ 'list (inps m p b) (s m)))
  ((expand (modulep$ t m))
   (disable match-inputs-length$)
   (use (packetp$-li (p (inps m p b))))))
(prove-lemma bundlep$-step$ ()
  (implies (and (modulep$ flag m)
                (inpacketp$ flag p m)
                (bundlep$ flag b m))
           (bundlep$ flag (step$ flag m p b t0) m))
  ((disable exec check-behav inps)))
;;Under normal conditions, STEP always produces a valid bundle:
(prove-lemma bundlep-step (rewrite)
  (implies (and (modulep m)
                (inpacketp p m)
                (bundlep b m))
           (bundlep (step m p b t0) m))
  ((use (bundlep$-step$ (flag t)))))
(prove-lemma whist-whist ()
  (implies (leq t0 t1)
           (equal (whist w t0)
                  (whist (whist w t1) t0))))
(prove-lemma equal-whist-leq (rewrite)
  (implies (and (equal (whist w1 t1) (whist w2 t1))
                (leq t0 t1))
           (equal (equal (whist w1 t0) (whist w2 t0))
                  t))
  ((use (whist-whist (w w1)) (whist-whist (w w2)))))
(prove-lemma equal-phist-leq (rewrite)
  (implies (and (equal (phist b1 t1) (phist b2 t1))
                (leq t0 t1))
           (equal (equal (phist b1 t0) (phist b2 t0))
                  t))
  ((induct (list-2-induct b1 b2))))
(prove-lemma equal-bhist$-leq ()
  (implies (and (equal (bhist$ flag b1 m t1) (bhist$ flag b2 m t1))
                (leq t0 t1))
           (equal (bhist$ flag b1 m t0) (bhist$ flag b2 m t0))))
(prove-lemma equal-bhist-leq (rewrite)
  (implies (and (equal (bhist b1 m t1) (bhist b2 m t1))
                (leq t0 t1))
           (equal (equal (bhist b1 m t0) (bhist b2 m t0))
                  t))
  ((use (equal-bhist$-leq (flag t)))))
;;RUN is "nonretroactive", i.e., does not alter the history of the
;;bundle B w.r.t. the initial time T0:
(prove-lemma run-nonretroactive (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m))
           (equal (bhist (run m p b t0 tf) m t0)
                  (bhist b m t0)))
  ((disable step bundlep modulep inpacketp bhist)))
(prove-lemma tnextw-tnextw (rewrite)
  (implies (and (lessp tp (tnextw w t0))
                (wavep w)
                (leq t0 tp))
           (equal (tnextw w tp) (tnextw w t0))))
(prove-lemma leq-tnextw-cdar (rewrite)
  (implies (and (wavep w)
                (lessp t0 (cdar w)))
           (not (lessp (cdar w) (tnextw w t0)))))
(prove-lemma tnextw-tnextw-2 (rewrite)
  (implies (and (tnextw w tp)
                (wavep w)
                (leq t0 tp))
           (not (lessp (tnextw w tp) (tnextw w t0)))))
(prove-lemma tnextp-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextp p tp))
           (tnextp p t0)))
(prove-lemma tnextw-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextw w tp))
           (tnextw w t0)))
(prove-lemma tnextp-tnextp (rewrite)
  (implies (and (packetp p n)
                (lessp tp (tnextp p t0))
                (leq t0 tp))
           (equal (tnextp p tp) (tnextp p t0)))
  ((disable tnextw wavep)))
(prove-lemma tnextb$-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnextb$ flag b m tp))
           (tnextb$ flag b m t0)))
(prove-lemma tnextb$-tnextb$ (rewrite)
  (implies (and (modulep$ flag m)
                (bundlep$ flag b m)
                (lessp tp (tnextb$ flag b m t0))
                (leq t0 tp))
           (equal (tnextb$ flag b m tp) (tnextb$ flag b m t0))))
(prove-lemma lessp-emin ()
  (implies (and x y (lessp m (emin x y)))
           (and (lessp m x) (lessp m y))))
(prove-lemma tnext-tnext (rewrite)
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (lessp tp (tnext t0 p b m))
                (leq t0 tp))
           (equal (tnext tp p b m) (tnext t0 p b m)))
  ((use (lessp-emin (x (tnextb$ t b m t0)) (y (tnextp p t0)) (m tp)))))
(prove-lemma tnext-true (rewrite)
  (implies (and (not (lessp tp t0))
                (tnext tp p b m))
           (tnext t0 p b m)))
;;This lemma provides for the decomposition of a simulation interval
;;into two subintervals: simulating from T0 to TF gives the same bundle
;;as simulating from T0 to TP and then from TP to TF:
(prove-lemma run-run ()
  (implies (and (modulep m)
                (bundlep b m)
                (inpacketp p m)
                (leq t0 tp) (leq tp tf))
           (equal (run m p b t0 tf)
                  (run m p (run m p b t0 tp) tp tf)))
  ((disable step tnext bundlep modulep)
   (induct (run m p b t0 tf))
   (expand (run m p b tp tf) (run m p b t0 tp))))
;;Under normal conditions, RUN always produces a valid bundle:
(prove-lemma bundlep-run (rewrite)
  (implies (and (modulep m)
                (inpacketp p m)
                (bundlep b m))
           (bundlep (run m p b t0 tf) m))
  ((disable modulep bundlep step inpacketp tnext)))
C Synchronous Sequential Circuits
;;We begin with the relatively simple class of "combinational" modules.
;;The definition of this class depends on a function SLEVEL$$, which
;;computes the maximum path length (counted in submodules) from any input
;;signal to a given signal of an arbitrary module. The definition of
;;SLEVEL$$ is difficult to establish for two reasons: (1) we allow
;;arbitrarily deep hierarchical module definitions, and (2) the desired
;;maximum path length may not exist,
;;i.e., the signal may lie on a structural loop, which must be effectively
;;detected.
(defn unionl (l)
  (if (listp l)
      (union (car l) (unionl (cdr l)))
      ()))
(defn signals (mod)
  (unionl (cons (i mod) (lo mod))))
(defn delete (x l)
  (if (listp l)
      (if (equal x (car l))
          (cdr l)
          (cons (car l) (delete x (cdr l))))
      l))
(defn subbagp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subbagp (cdr l) (delete (car l) m)))
      t))
(defn subsetp (l m)
  (if (listp l)
      (and (member (car l) m)
           (subsetp (cdr l) m))
      t))
(prove-lemma length-delete (rewrite)
  (implies (member x l)
           (equal (length (delete x l))
                  (sub1 (length l)))))
(prove-lemma member-delete (rewrite)
  (implies (and (member x l)
                (not (equal x y)))
           (member x (delete y l))))
(prove-lemma lessp-length-subbagp ()
  (implies (and (subbagp l m)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m))))
(prove-lemma subsetp-delete (rewrite)
  (implies (and (subsetp l m)
                (not (member x l)))
           (subsetp l (delete x m))))
(prove-lemma subsetp-subbagp (rewrite)
  (implies (and (distinct-symbols l)
                (subsetp l m))
           (subbagp l m))
  ((induct (subbagp l m))))
(prove-lemma lessp-length-subset (rewrite)
  (implies (and (subsetp l m)
                (distinct-symbols l)
                (member x m)
                (not (member x l)))
           (lessp (length l) (length m)))
  ((use (lessp-length-subbagp))))
(defn index (s lo)
  (if (listp lo)
      (if (member s (car lo))
          0
          (add1 (index s (cdr lo))))
      f))
(defn slevel$$ (flag out m bad q)
  ;(SLEVEL$$ T OUT M () Q) is the length of the longest path to OUT that does not
  ;pass through any of the first Q submodules of M. BAD is the list of signals
  ;already on the path being explored; meeting one of them again means that
  ;OUT lies on a structural loop, and the value is F. Termination is justified
  ;by the fact that BAD is a list of distinct signals of M, so the number of
  ;signals of M not yet in BAD decreases on each recursive call.
  (if (equal flag 'list)
      (if (listp out)
          (emax (slevel$$ t (car out) m bad q)
                (slevel$$ 'list (cdr out) m bad q))
          0)
      (if (or (member out (i m))
              (lessp (index out (lo m)) q))
          0
          (if (and (not (member out bad))
                   (distinct-symbols bad)
                   (member out (signals m))
                   (subsetp bad (signals m)))
              (eadd1 (slevel$$ 'list (find-li out m) m (cons out bad) q))
              f)))
  ((ord-lessp (lex (list (difference (length (signals m)) (length bad))
                         (count out))))))
;;SDEPTH returns the maximum SLEVEL$$ of all signals of M:
(defn sdepth (m q)
  (slevel$$ 'list (signals m) m () q))
;;The final argument of SLEVEL$$ will be relevant to our analysis of
;;sequential modules. For the present purpose, we take it to be 0.
;;We may now define "combinational module":
(defn combp$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (combp$ t (car m))
               (combp$ 'list (cdr m)))
          t)
      (if (modulep m)
          (case (type m)
            (struct (and (sdepth m 0) (combp$ 'list (s m))))
            (behav t)
            (otherwise f))
          f)))
(defn combp (m) (combp$ t m))
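SLEVEL$$, SDEPTH and COMBP re-implemented in Python as an added example (not the report's code), to show the loop detection and the role of the argument Q on concrete modules. The report's DLATCH is reproduced as the looping case; XOR2S (an exclusive-or from four NANDs) and HALFADD (which nests XOR2S) are constructed here to show a loop-free module and the recursion of COMBP through a hierarchy. One convention is an assumption: INDEX returns the number of submodules for a signal that no submodule drives, where the report's INDEX returns F.

```python
from collections import namedtuple

Behav = namedtuple("Behav", "ins outs terms delays modes")   # (BEHAV ...) as in the report
Struct = namedtuple("Struct", "ins outs subs li lo")         # (STRUCT ...)

def gate(op, n, delay=2000):
    """A one-output behavioral module applying gate OP to N inputs."""
    ins = tuple("abc"[:n])
    return Behav(ins, ("y",), ((op, *ins),), (delay,), ("inert",))

def signals(m):
    """SIGNALS: M's global inputs together with every local output."""
    return {s for ns in (m.ins, *m.lo) for s in ns}

def find_li(s, m):
    """FIND-LI: the input list of the submodule that drives local output S."""
    return next(li for lo, li in zip(m.lo, m.li) if s in lo)

def index(s, lo):
    """INDEX: position of the submodule driving S.  ASSUMPTION: a signal driven by
    no submodule gets len(lo), so it is never mistaken for a pseudo-input."""
    return next((k for k, names in enumerate(lo) if s in names), len(lo))

def slevel(out, m, bad=(), q=0):
    """SLEVEL$$: number of submodules on the longest path to OUT from a global input
    or from an output of one of the first Q submodules; None (the report's F) when
    OUT lies on a structural loop.  BAD holds the signals already on the current path."""
    if out in m.ins or index(out, m.lo) < q:
        return 0
    if out in bad or out not in signals(m):
        return None
    levels = [slevel(x, m, bad + (out,), q) for x in find_li(out, m)]
    return None if None in levels else 1 + max(levels, default=0)

def sdepth(m, q=0):
    """SDEPTH: the maximum SLEVEL$$ over all signals of M; None if any signal loops."""
    levels = [slevel(s, m, (), q) for s in signals(m)]
    return None if None in levels else max(levels, default=0)

def combp(m):
    """COMBP: behavioral modules are combinational; a structural module is combinational
    when it is loop-free (SDEPTH with Q = 0) and all of its submodules are."""
    return isinstance(m, Behav) or (sdepth(m, 0) is not None and all(combp(s) for s in m.subs))

NAND2, AND2, NOT1 = gate("nand2", 2), gate("and2", 2), gate("not1", 1)
FNAND2 = gate("nand2", 2, 1000)                      # the report's faster NAND
# Constructed: exclusive-or from four NANDs (depth 3) ...
XOR2S = Struct(("a", "b"), ("y",), (NAND2,) * 4,
               (("a", "b"), ("a", "t1"), ("b", "t1"), ("t2", "t3")),
               (("t1",), ("t2",), ("t3",), ("y",)))
# ... nested one level deeper in a half adder, so COMBP must recurse into XOR2S.
HALFADD = Struct(("a", "b"), ("s", "c"), (XOR2S, AND2),
                 (("a", "b"), ("a", "b")), (("s",), ("c",)))
# The report's DLATCH: s2 and s3 drive each other, a structural loop.
DLATCH = Struct(("clk", "d"), ("s2",), (NOT1, NAND2, NAND2, FNAND2),
                (("clk",), ("clk", "d"), ("s1", "s3"), ("s0", "s2")),
                (("s0",), ("s1",), ("s2",), ("s3",)))
```

`sdepth(XOR2S)` is 3 and `sdepth(HALFADD)` is 1 (depth counts submodules at one level of the hierarchy, so nesting XOR2S does not add to HALFADD's own depth), and both are combinational. `sdepth(DLATCH)` is None, so `combp(DLATCH)` is false. With Q = 3 the outputs of the first three submodules (s0, s1, s2) are treated as pseudo-inputs, which cuts the s2/s3 loop and gives `sdepth(DLATCH, 3) == 1`; Q = 2 leaves s2 in the loop and still returns None. This is the use of Q that the text announces for sequential modules.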
;;Now that SLEVEL$$ has been defined, we may use it to define a simpler
;;version, SLEVEL$, which will be easier to use. The purpose of this
;;function is to provide a recursion scheme for various functions
;;pertaining to combinational and sequential modules.
;;The definition will take some work:
(prove-lemma member-slevel$$ (rewrite)
  (implies (and (member s l)
                (slevel$$ 'list l m bad q))
           (slevel$$ t s m bad q)))
(prove-lemma subsetp-slevel$$ (rewrite)
  (implies (and (subsetp s l)
                (slevel$$ 'list l m bad q))
           (slevel$$ 'list s m bad q)))
(prove-lemma signals-slevel$$ (rewrite)
  (implies (and (sdepth m q) (subsetp s (signals m)))
           (slevel$$ 'list s m () q))
  ((use (subsetp-slevel$$ (l (signals m)) (bad ())))))
(prove-lemma leq-slevel$$-cdr (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$$ 'list s m () q)
                         (slevel$$ 'list (cdr s) m () q))
                  f))
  ((use (signals-slevel$$))
   (expand (slevel$$ 'list s m () q))))
(prove-lemma leq-slevel$$-car (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$$ 'list s m () q)
                         (slevel$$ t (car s) m () q))
                  f))
  ((use (signals-slevel$$))
   (expand (slevel$$ 'list s m () q))))
(defn ss-induct (flag s m bad1 bad2 q)
  (if (equal flag 'list)
      (if (listp s)
          (and (ss-induct t (car s) m bad1 bad2 q)
               (ss-induct 'list (cdr s) m bad1 bad2 q))
          t)
      (if (or (member s (i m))
              (lessp (index s (lo m)) q))
          t
          (if (and (not (member s bad2))
                   (distinct-symbols bad2)
                   (member s (signals m))
                   (subsetp bad2 (signals m)))
              (ss-induct 'list (find-li s m) m (cons s bad1) (cons s bad2) q)
              t)))
  ((ord-lessp (lex (list (difference (length (signals m)) (length bad2))
                         (count s))))))
;;(SUBLISTP L M) holds when L is a subsequence of M:
(defn sublistp (l m)
  (if (listp l)
      (if (listp m)
          (if (equal (car l) (car m))
              (sublistp (cdr l) (cdr m))
              (sublistp l (cdr m)))
          f)
      t))
(prove-lemma distinct-symbols-sublistp (rewrite)
  (implies (and (distinct-symbols m)
                (sublistp l m))
           (distinct-symbols l)))
(prove-lemma sublistp-subsetp (rewrite)
  (implies (and (sublistp l m)
                (subsetp m p))
           (subsetp l p)))
(prove-lemma sublistp-member (rewrite)
  (implies (and (sublistp l m)
                (member x l))
           (member x m)))
(disable sublistp-member)
(prove-lemma slevel$$-sublistp ()
  (implies (and (slevel$$ flag s m bad2 q)
                (sublistp bad1 bad2))
           (equal (slevel$$ flag s m bad1 q)
                  (slevel$$ flag s m bad2 q)))
  ((induct (ss-induct flag s m bad1 bad2 q))
   (enable sublistp-member)))
(prove-lemma slevel$$-nil (rewrite)
  (implies (slevel$$ flag s m (list b) q)
           (equal (slevel$$ flag s m (list b) q)
                  (slevel$$ flag s m () q)))
  ((use (slevel$$-sublistp (bad1 ()) (bad2 (list b))))))
(prove-lemma slevel$$-list-find-li (rewrite)
  (implies (and (sdepth m q)
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (slevel$$ 'list (lookup1 s (lo m) (li m)) m (list s) q))
  ((use (member-slevel$$ (l (signals m)) (bad ())))
   (disable member-slevel$$)))
(prove-lemma slevel$$-list-find-li-nil (rewrite)
  (implies (and (sdepth m q)
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (slevel$$ 'list (lookup1 s (lo m) (li m)) m () q))
  ((use (slevel$$-list-find-li))))
(prove-lemma lessp-slevel$$-find-li (rewrite)
  (implies (and (sdepth m q)
                (not (equal flag 'list))
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (equal (lessp (slevel$$ 'list (lookup1 s (lo m) (li m)) m () q)
(slevel$$ flag s m 0 q))
t))
((expand (slevel$$ flag s m () q))))
(defn slevel$ (flag s m q)
  (if (sdepth m q)
      (if (equal flag 'list)
          (if (subsetp s (signals m))
              (if (listp s)
                  (max (slevel$ t (car s) m q)
                       (slevel$ 'list (cdr s) m q))
                0)
            f)
        (if (member s (signals m))
            (if (or (member s (i m))
                    (lessp (index s (lo m)) q))
                0
              (add1 (slevel$ 'list (find-li s m) m q)))
          f))
    f)
  ((ord-lessp (lex (list (slevel$$ flag s m () q) (count s))))))

(prove-lemma leq-slevel$-cdr (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$ 'list s m q)
                         (slevel$ 'list (cdr s) m q))
                  f)))

(prove-lemma leq-slevel$-car (rewrite)
  (implies (and (sdepth m q) (listp s) (subsetp s (signals m)))
           (equal (lessp (slevel$ 'list s m q)
                         (slevel$ t (car s) m q))
                  f)))

(prove-lemma lessp-slevel$-find-li (rewrite)
  (implies (and (sdepth m q)
                (not (equal flag 'list))
                (member s (signals m))
                (not (member s (i m)))
                (not (lessp (index s (lo m)) q)))
           (equal (lessp (slevel$ 'list (lookupl s (lo m) (li m)) m q)
                         (slevel$ flag s m q))
                  t)))

(prove-lemma combp-sdepth (rewrite)
  (implies (and (structp m) (combp m))
           (sdepth m 0)))

(prove-lemma lessp-count-lookup (rewrite)
  (implies (lessp (count s) (count m))
           (equal (lessp (count (lookupl x y s)) (count m))
                  t)))

;;CVECP determines whether V is a valid input vector for M:

(defn cvecp (v m)
  (bvpn v (ni m)))
;;Each signal of a combinational module is naturally associated
;;with a certain Boolean function of the inputs. This function
;;is computed as follows:

(defn cv$ (flag s v m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (cons (cv$ t (car s) v m)
                    (cv$ 'list (cdr s) v m))
            ())
        f)
    (if (behavp m)
        (eval (lookup s (o m) (r m)) (pairlist (i m) v))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  (lookup s (i m) v)
                (cv$ t
                     (find-o s m)
                     (cv$ 'list (find-li s m) v m)
                     (find-s s m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn cv (s v m)
  (cv$ t s v m))

;;Each signal S of a combinational module M is associated with
;;a maximum and a minimum delay, which represent the range of total
;;delays along all paths connecting the inputs of M to S:

(defn dcmin$ (flag s m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (emin (dcmin$ t (car s) m)
                    (dcmin$ 'list (cdr s) m))
            f)
        f)
    (if (behavp m)
        (lookup s (o m) (d m))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  0
                (eplus (dcmin$ t (find-o s m) (find-s s m))
                       (dcmin$ 'list (find-li s m) m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn dcmin (s m) (dcmin$ t s m))

(defn dcmax$ (flag s m)
  (if (equal flag 'list)
      (if (and (combp m) (structp m) (subsetp s (signals m)))
          (if (listp s)
              (emax (dcmax$ t (car s) m)
                    (dcmax$ 'list (cdr s) m))
            0)
        f)
    (if (behavp m)
        (lookup s (o m) (d m))
      (if (and (combp m) (member s (signals m)))
          (if (and (structp m) (member s (signals m)))
              (if (member s (i m))
                  0
                (eplus (dcmax$ t (find-o s m) (find-s s m))
                       (dcmax$ 'list (find-li s m) m)))
            f)
        f)))
  ((ord-lessp (lex (list (count m) (slevel$ flag s m 0) (count s))))))

(defn dcmax (s m) (dcmax$ t s m))
;; SEQUENTIAL MODULES

;;We shall define a class of synchronous sequential circuits, using the
;;flip-flop DFF as the primitive state-holding device. The recursive
;;definition will require that for some Q > 0, the first Q submodules
;;of a sequential module M (other than DFF) are sequential and the rest
;;are all combinational. For any module M, we define the parameter
;;(Q M) as follows:

(defn q$ (mods)
  (if (listp mods)
      (if (combp (car mods))
          0
        (add1 (q$ (cdr mods))))
    0))

(defn q (m)
  (q$ (s m)))

(prove-lemma leq-q$ ()
  (leq (q$ s) (length s)))

(prove-lemma lessp-count-firstn ()
  (implies (and (plistp l) (leq q (length l)))
           (leq (count (firstn q l)) (count l)))
  ((induct (firstn q l))))

(prove-lemma lessp-count-first-q (rewrite)
  (implies (and (modulep m) (structp m))
           (equal (lessp (count (firstn (q$ (s m)) (s m))) (count m))
                  t))
  ((use (lessp-count-firstn (q (q m)) (l (s m)))
        (lessp-count-submodules)
        (leq-q$ (s (s m))))
   (disable lessp-count-submodules)))
;;A path is "combinational" if it passes through only combinational
;;components. A signal is "native" if it is not connected to any
;;global input by a combinational path:

(defn nativep$ (flag s m)
  (if (sdepth m (q m))
      (if (equal flag 'list)
          (if (subsetp s (signals m))
              (if (listp s)
                  (and (nativep$ t (car s) m)
                       (nativep$ 'list (cdr s) m))
                t)
            f)
        (if (equal m (dff))
            (member s (o m))
          (if (member s (signals m))
              (if (member s (i m))
                  f
                (if (lessp (index s (lo m)) (q m))
                    t
                  (nativep$ 'list (find-li s m) m)))
            f)))
    f)
  ((ord-lessp (lex (list (slevel$ flag s m (q m)) (count s))))))

(defn nativep (s m) (nativep$ t s m))

(defn check-seq-li (clk rst li)
  (if (listp li)
      (and (equal clk (caar li))
           (equal rst (cadar li))
           (not (member clk (cddar li)))
           (not (member rst (cddar li)))
           (check-seq-li clk rst (cdr li)))
    t))

(defn check-comb-li (clk rst li)
  (if (listp li)
      (and (not (member clk (car li)))
           (not (member rst (car li)))
           (check-comb-li clk rst (cdr li)))
    t))
;;A sequential module other than DFF has Q sequential submodules, Q > 0,
;;with the rest combinational. It has at least two inputs. The first
;;and second inputs are by convention the clock and the reset. The clock
;;(resp., reset) is connected to the clock (resp., reset) input of each
;;sequential submodule, and not to any other submodule input. No combinational
;;loops are permitted. Finally, all outputs are required to be native signals:

(defn seqp$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (and (seqp$ t (car m))
               (seqp$ 'list (cdr m)))
        t)
    (if (and (modulep m) (structp m))
        (or (equal m (dff))
            (and (geq (ni m) 2)
                 (not (zerop (q m)))
                 (seqp$ 'list (firstn (q m) (s m)))
                 (check-seq-li (car (i m)) (cadr (i m)) (firstn (q m) (li m)))
                 (check-comb-li (car (i m)) (cadr (i m)) (cdrn (q m) (li m)))
                 (sdepth m (q m))
                 (nativep$ 'list (o m) m)))
      f))
  ((lessp (count m))))

(defn seqp (m) (seqp$ t m))

(prove-lemma lessp-count-car-s (rewrite)
  (implies (structp m)
           (equal (lessp (count (car (s m))) (count m))
                  t))
  ((use (lessp-count-submodules))
   (disable lessp-count-submodules)))

(prove-lemma modulep-seqp (rewrite)
  (implies (seqp m)
           (modulep$ t m)))

(prove-lemma seqp-sdepth (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (sdepth m (q$ (s m))))
  ((disable sdepth dff q$)))

(prove-lemma seqp-structp (rewrite)
  (implies (seqp m) (equal (type m) 'struct)))

;;A native signal S of M is "registered" if either (a) M = DFF and S is an
;;output of M, or (b) M <> DFF and S is associated with a registered output
;;of a sequential submodule of M:

(defn regp (s m)
  (if (seqp m)
      (if (equal m (dff))
          (member s (o m))
        (and (lessp (index s (lo m)) (q m))
             (regp (find-o s m) (find-s s m))))
    f))
;;A "state" of a sequential module is a structure that associates a
;;Boolean value with each flip-flop:

(defn statep$ (flag state m)
  (if (equal flag 'list)
      (if (listp m)
          (and (statep$ t (car state) (car m))
               (statep$ 'list (cdr state) (cdr m)))
        (equal state ()))
    (if (and (modulep m) (structp m))
        (if (equal m (dff))
            (boolp state)
          (if (equal (q m) 1)
              (statep$ t state (car (s m)))
            (statep$ 'list state (firstn (q m) (s m)))))
      f)))

(defn statep (state m)
  (statep$ t state m))

(defn find-state (s state m)
  (if (equal (q m) 1)
      state
    (lookupl s (lo m) state)))

(disable sdepth)

;;A state determines a "resultant value" for each native signal:

(defn rv$ (flag s state m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (cons (rv$ t (car s) state m)
                        (rv$ 'list (cdr s) state m))
                ())
            f)
        (if (member s (signals m))
            (if (member s (i m))
                f
              (if (equal m (dff))
                  (if (equal s 'q) state (not state))
                (if (lessp (index s (lo m)) (q m))
                    (rv$ t (find-o s m) (find-state s state m) (find-s s m))
                  (cv (find-o s m) (rv$ 'list (find-li s m) state m) (find-s s m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn rv (s state m) (rv$ t s state m))
;;A "data vector" associates a Boolean value with each data input:

(defn svecp (x m)
  (bvpn x (difference (ni m) 2)))

;;A state and a data vector determine a "sequential value" for each signal
;;(other than the clock and reset inputs):

(defn sv$ (flag s v state m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (cons (sv$ t (car s) v state m)
                        (sv$ 'list (cdr s) v state m))
                ())
            f)
        (if (member s (signals m))
            (if (member s (i m))
                (lookup s (cddr (i m)) v)
              (if (or (equal m (dff))
                      (lessp (index s (lo m)) (q m)))
                  (rv s state m)
                (cv (find-o s m) (sv$ 'list (find-li s m) v state m) (find-s s m))))
          f))
    f)
  ((ord-lessp (lex (list (slevel$ flag s m (q m)) (count s))))))

(defn sv (s v state m)
  (sv$ t s v state m))

(defn svl (li v state m)
  (sv$ 'list (cddr li) v state m))

(defn svll (s v state m)
  (if (listp s)
      (cons (svl (car s) v state m)
            (svll (cdr s) v state m))
    ()))
;;NEXT computes a new state from a state and a data vector:

(defn next$ (flag v state m)
  (if (equal flag 'list)
      (if (listp m)
          (cons (next$ t (car v) (car state) (car m))
                (next$ 'list (cdr v) (cdr state) (cdr m)))
        ())
    (if (seqp m)
        (if (equal m (dff))
            (car v)
          (if (equal (q m) 1)
              (next$ t (svl (car (li m)) v state m) state (car (s m)))
            (next$ 'list
                   (svll (firstn (q m) (li m)) v state m)
                   state
                   (firstn (q m) (s m)))))
      f)))

(defn next (v state m)
  (next$ t v state m))

;;Each native signal is associated with a minimum and a
;;maximum delay, which determine an interval during which the
;;signal's value may change following a rising edge:

(defn dsmin$ (flag s m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (emin (dsmin$ t (car s) m)
                        (dsmin$ 'list (cdr s) m))
                f)
            f)
        (if (member s (signals m))
            (if (member s (i m))
                0
              (if (equal m (dff))
                  4000
                (if (lessp (index s (lo m)) (q m))
                    (dsmin$ t (find-o s m) (find-s s m))
                  (eplus (dcmin (find-o s m) (find-s s m))
                         (dsmin$ 'list (find-li s m) m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn dsmin (s m) (dsmin$ t s m))

(defn dsmax$ (flag s m)
  (if (seqp m)
      (if (equal flag 'list)
          (if (and (subsetp s (signals m)) (not (equal m (dff))))
              (if (listp s)
                  (max (dsmax$ t (car s) m)
                       (dsmax$ 'list (cdr s) m))
                0)
            f)
        (if (member s (signals m))
            (if (member s (i m))
                0
              (if (equal m (dff))
                  6000
                (if (lessp (index s (lo m)) (q m))
                    (dsmax$ t (find-o s m) (find-s s m))
                  (eplus (dcmax (find-o s m) (find-s s m))
                         (dsmax$ 'list (find-li s m) m)))))
          f))
    f)
  ((ord-lessp (lex (list (count m) (slevel$ flag s m (q m)) (count s))))))

(defn dsmax (s m) (dsmax$ t s m))
;;The definition of "setup" times requires some work:

(defn setup-comb (sigs setups m)
  (if (listp sigs)
      (if (zerop (car setups))
          (setup-comb (cdr sigs) (cdr setups) m)
        (emax (eplus (dcmax (car sigs) m) (car setups))
              (setup-comb (cdr sigs) (cdr setups) m)))
    0))

(defn collect-i (s li i)
  (if (listp li)
      (if (equal s (car li))
          (cons (car i) (collect-i s (cdr li) (cdr i)))
        (collect-i s (cdr li) (cdr i)))
    ()))

(defn collect-li (s li m)
  (if (listp li)
      (if (member s (car li))
          (cons (collect-i s (car li) (i (car m)))
                (collect-li s (cdr li) (cdr m)))
        (collect-li s (cdr li) (cdr m)))
    ()))

(defn collect-lo (s li lo)
  (if (listp li)
      (if (member s (car li))
          (cons (car lo) (collect-lo s (cdr li) (cdr lo)))
        (collect-lo s (cdr li) (cdr lo)))
    ()))

(defn slevel (s m)
  (slevel$ t s m (q m)))

(defn smax (m)
  (slevel$ 'list (signals m) m (q m)))

(prove-lemma leq-slevel-member ()
  (implies (and (subsetp l (signals m))
                (member s l))
           (leq (slevel$ t s m q)
                (slevel$ 'list l m q))))

(prove-lemma subsetp-cdr (rewrite)
  (implies (subsetp l (cdr m))
           (subsetp l m)))

(prove-lemma subsetp-l-l (rewrite)
  (subsetp l l))

(prove-lemma leq-slevel-smax ()
  (implies (member s (signals m))
           (leq (slevel s m) (smax m)))
  ((use (leq-slevel-member (l (signals m)) (q (q m))))
   (disable signals q slevel$)))

(defn m0 (s m)
  (add1 (difference (smax m) (slevel s m))))

(defn m1 (s m)
  (if (listp s)
      (max (m0 (car s) m)
           (m1 (cdr s) m))
    0))

(defn m4 (s m)
  (if (listp s)
      (max (m1 (car s) m)
           (m4 (cdr s) m))
    0))

(defn setup-meas (flag s m)
  (case flag
    (0 (m0 s m))
    (1 (m1 s m))
    (3 (m1 s m))
    (4 (m4 s m))
    (otherwise f)))
(defn attachedp (x y i li lo)
  (if (zerop i)
      (and (member x (car li))
           (member y (car lo)))
    (attachedp x y (sub1 i) (cdr li) (cdr lo))))

(prove-lemma member-union (rewrite)
  (implies (member x m)
           (member x (union l m))))

(prove-lemma attached-unionl ()
  (implies (attachedp x y i li lo)
           (member y (unionl lo))))

(prove-lemma attachedp-member-signals (rewrite)
  (implies (attachedp x y i (li m) (lo m))
           (member y (signals m)))
  ((use (attached-unionl (li (li m)) (lo (lo m))))))

(prove-lemma member-unionl-appears (rewrite)
  (implies (not (appears x lo))
           (not (member x (unionl lo)))))

(prove-lemma none-appear-member-unionl ()
  (implies (and (none-appear in lo)
                (member x (unionl lo)))
           (not (member x in))))

(prove-lemma attachedp-not-member-i (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (not (member y (i m))))
  ((use (attached-unionl (li (li m)) (lo (lo m)))
        (none-appear-member-unionl (in (i m)) (lo (lo m)) (x y)))))

(prove-lemma none-appear-not-attached (rewrite)
  (implies (and (member y car)
                (none-appear car cdr))
           (not (attachedp x y i li cdr)))
  ((use (attached-unionl (lo cdr))
        (none-appear-member-unionl (in car) (lo cdr) (x y)))))

(prove-lemma attachedp-index ()
  (implies (and (attachedp x y i li lo)
                (all-distinct-symbols lo))
           (equal (index y lo) (fix i))))

(prove-lemma attachedp-index-rewrite (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (equal (index y (lo m)) (fix i)))
  ((use (attachedp-index (li (li m)) (lo (lo m))))))

(prove-lemma attachedp-member-lookupl ()
  (implies (and (attachedp x y i li lo)
                (all-distinct-symbols lo))
           (member x (lookupl y lo li))))

(prove-lemma attachedp-member-find-li (rewrite)
  (implies (and (attachedp x y i (li m) (lo m))
                (check-struct m))
           (member x (find-li y m)))
  ((use (attachedp-member-lookupl (li (li m)) (lo (lo m))))))

(prove-lemma appears-member-unionl (rewrite)
  (implies (appears x l)
           (member x (unionl l))))

(prove-lemma all-appear-subsetp-unionl (rewrite)
  (implies (all-appear li l)
           (subsetp li (unionl l))))

(prove-lemma subsetp-lookupl ()
  (implies (lists-all-appear li l)
           (subsetp (lookupl y lo li) (unionl l))))

(prove-lemma subsetp-find-li (rewrite)
  (implies (check-struct m)
           (subsetp (find-li y m) (signals m)))
  ((use (subsetp-lookupl (li (li m)) (lo (lo m)) (l (cons (i m) (lo m)))))))
(prove-lemma attached-lessp-slevel$ ()
  (implies (and (sdepth m q)
                (modulep m)
                (structp m)
                (attachedp x y i (li m) (lo m))
                (leq q i))
           (lessp (slevel$ t x m q)
                  (slevel$ t y m q)))
  ((disable sdepth find-li signals index slevel$ check-struct attachedp)
   (use (leq-slevel-member (l (find-li y m)) (s x))
        (slevel$ (flag t) (s y)))
   (expand (modulep$ t m))))

(prove-lemma lessp-m0 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (attachedp x y i (li m) (lo m))
                (leq (q m) i))
           (lessp (m0 y m) (m0 x m)))
  ((use (attached-lessp-slevel$ (q (q m)))
        (leq-slevel-smax (s y)))
   (disable modulep attachedp slevel$ sdepth smax q signals dff *1*dff)))

(prove-lemma not-zerop-m0 ()
  (not (zerop (m0 x m))))

(disable m0)

(prove-lemma attachedp-alt ()
  (implies (and (member x (car (cdrn i li)))
                (member y (car (cdrn i lo))))
           (attachedp x y i li lo)))

(prove-lemma lessp-m0-rewrite (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m))))
                (member y (car (cdrn i (lo m)))))
           (equal (lessp (m0 y m) (m0 x m)) t))
  ((use (lessp-m0)
        (attachedp-alt (li (li m)) (lo (lo m))))
   (disable attachedp dff *1*dff seqp member q)))

(prove-lemma lessp-m1 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m))))
                (subsetp ys (car (cdrn i (lo m)))))
           (equal (lessp (m1 ys m) (m0 x m)) t))
  ((disable attachedp dff *1*dff seqp member q)
   (induct (length ys))
   (use (not-zerop-m0))))

(prove-lemma lessp-m1-m0 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) i)
                (member x (car (cdrn i (li m)))))
           (equal (lessp (m1 (car (cdrn i (lo m))) m)
                         (m0 x m))
                  t))
  ((disable attachedp dff *1*dff seqp member q)
   (use (lessp-m1 (ys (car (cdrn i (lo m))))))))

(prove-lemma cdr-cdrn (rewrite)
  (equal (cdr (cdrn r l)) (cdrn (add1 r) l)))

(defn lm4-induct (r m)
  (if (lessp r (length (li m)))
      (lm4-induct (add1 r) m)
    t)
  ((lessp (difference (length (li m)) r))))
(prove-lemma nlistp-cdrn (rewrite)
  (implies (leq (length l) n)
           (not (listp (cdrn n l)))))

(prove-lemma lessp-m4 ()
  (implies (and (seqp m)
                (not (equal m (dff)))
                (leq (q m) r)
                (leq r (length (li m))))
           (equal (lessp (m4 (collect-lo s (cdrn r (li m)) (cdrn r (lo m))) m)
                         (m0 s m))
                  t))
  ((disable dff *1*dff seqp q cdrn m1)
   (induct (lm4-induct r m))
   (use (not-zerop-m0 (x s)))))

(prove-lemma equal-length-li-s ()
  (implies (seqp m)
           (equal (length (li m)) (length (s m))))
  ((expand (seqp$ t m) (modulep$ t m))))

(prove-lemma lessp-m4-rewrite (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff))))
           (equal (lessp (m4 (collect-lo s
                                         (cdrn (q$ (s m)) (li m))
                                         (cdrn (q$ (s m)) (lo m)))
                             m)
                         (m0 s m))
                  t))
  ((disable dff *1*dff seqp q$ cdrn m1 m4 collect-lo)
   (use (lessp-m4 (r (q m)))
        (leq-q$ (s (s m)))
        (equal-length-li-s))))

(prove-lemma leq-count-collect-lo ()
  (implies (and (equal (length li) (length s))
                (plistp s))
           (leq (count (collect-lo x li s)) (count s)))
  ((induct (collect-lo x li s))))

(prove-lemma leq-count-cdrn ()
  (implies (plistp s)
           (leq (count (cdrn q s)) (count s))))

(prove-lemma equal-length-cdrn (rewrite)
  (implies (equal (length x) (length y))
           (equal (equal (length (cdrn q x)) (length (cdrn q y)))
                  t)))

(prove-lemma plistp-cdrn ()
  (implies (and (leq q (length s)) (plistp s))
           (plistp (cdrn q s))))

(prove-lemma plistp-cdrn-q (rewrite)
  (implies (plistp s)
           (plistp (cdrn (q$ s) s)))
  ((use (plistp-cdrn (q (q$ s)))
        (leq-q$))))

(prove-lemma lessp-count-collect-lo (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (lessp (count (collect-lo x
                                            (cdrn (q$ (s m)) (li m))
                                            (cdrn (q$ (s m)) (s m))))
                         (count m))
                  t))
  ((use (leq-count-collect-lo (li (cdrn (q m) (li m))) (s (cdrn (q m) (s m))))
        (leq-count-cdrn (s (s m)) (q (q m)))
        (equal-length-li-s)
        (lessp-count-submodules))
   (disable modulep$ dff *1*dff lessp-count-submodules)))

(prove-lemma length-firstn (rewrite)
  (equal (length (firstn q x)) (fix q)))

(prove-lemma plistp-firstn (rewrite)
  (plistp (firstn q l)))

(prove-lemma lessp-count-collect-lo-firstn (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (lessp (count (collect-lo x
                                            (firstn (q$ (s m)) (li m))
                                            (firstn (q$ (s m)) (s m))))
                         (count m))
                  t))
  ((use (lessp-count-first-q)
        (equal-length-li-s)
        (leq-count-collect-lo (li (firstn (q m) (li m))) (s (firstn (q m) (s m)))))
   (disable lessp-count-first-q dff *1*dff modulep$)))

(prove-lemma leq-m0 (rewrite)
  (implies (listp x)
           (equal (lessp (m1 x m) (m0 (car x) m)) f)))

(prove-lemma leq-cdr-m1 (rewrite)
  (implies (listp x)
           (equal (lessp (m1 x m) (m1 (cdr x) m)) f)))

(prove-lemma leq-m1 (rewrite)
  (implies (listp x)
           (equal (lessp (m4 x m) (m1 (car x) m)) f)))

(prove-lemma leq-cdr-m4 (rewrite)
  (implies (listp x)
           (equal (lessp (m4 x m) (m4 (cdr x) m)) f)))
;;Each input other than the clock is associated with a "setup time",
;;which represents the duration over which the signal is required to
;;hold constant prior to a rising edge:

(disable seqp)
(disable dff)
(disable *1*dff)

(defn setup$ (flag x m)
  (case flag
    (0 (if (seqp m)
           (if (equal m (dff))
               (case x
                 (rst 8000)
                 (d 6000)
                 (otherwise f))
             (emax (setup$ 2
                           (collect-li x (firstn (q m) (li m)) (firstn (q m) (s m)))
                           (collect-lo x (firstn (q m) (li m)) (firstn (q m) (s m))))
                   (setup$ 5
                           (setup$ 4
                                   (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (lo m)))
                                   m)
                           (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (s m))))))
         f))
    (1 (if (listp x)
           (emax (setup$ 0 (car x) m)
                 (setup$ 1 (cdr x) m))
         0))
    (2 (if (listp m)
           (emax (setup$ 1 (car x) (car m))
                 (setup$ 2 (cdr x) (cdr m)))
         0))
    (3 (if (listp x)
           (cons (setup$ 0 (car x) m)
                 (setup$ 3 (cdr x) m))
         ()))
    (4 (if (listp x)
           (cons (setup$ 3 (car x) m)
                 (setup$ 4 (cdr x) m))
         ()))
    (5 (if (listp m)
           (emax (setup-comb (o (car m)) (car x) (car m))
                 (setup$ 5 (cdr x) (cdr m)))
         0))
    (otherwise f))
  ((ord-lessp (lex (list (count m) (setup-meas flag x m) (count x))))))

(enable seqp)
(enable dff)
(enable *1*dff)

(defn setup (s m)
  (setup$ 0 s m))
;;Finally, we define three parameters pertaining to the behavior of the
;;clock input, called the "clock high", the "clock low",
;;and the "minimum period". These represent the minimum
;;durations between a rising edge and the next falling edge, a falling
;;edge and the next rising edge, and successive rising edges,
;;respectively:

(defn high$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (high$ t (car m))
               (high$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            4000
          (high$ 'list (firstn (q m) (s m))))
      f)))

(defn high (m)
  (high$ t m))

(defn low$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (low$ t (car m))
               (low$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            6000
          (low$ 'list (firstn (q m) (s m))))
      f)))

(defn low (m)
  (low$ t m))

;;For each registered output of a sequential submodule, the period must
;;cover the output's maximum delay plus the setup time it needs in M:

(defn setups-plus-delays (setups outs sub)
  (if (listp outs)
      (max (plus (dsmax (car outs) sub)
                 (car setups))
           (setups-plus-delays (cdr setups) (cdr outs) sub))
    0))

(defn p3 (s lo m)
  (if (listp s)
      (max (setups-plus-delays (setup$ 3 (car lo) m) (o (car s)) (car s))
           (p3 (cdr s) (cdr lo) m))
    0))

;;The period of M is the largest of: the periods of its sequential
;;submodules, the largest setup time among its non-clock inputs
;;((SETUP$ 1 ...) is the maximum over a list of signals), and the
;;delay-plus-setup bound above for every registered output:

(defn per$ (flag m)
  (if (equal flag 'list)
      (if (listp m)
          (max (per$ t (car m))
               (per$ 'list (cdr m)))
        0)
    (if (seqp m)
        (if (equal m (dff))
            10000
          (max (per$ 'list (firstn (q m) (s m)))
               (max (setup$ 1 (cdr (i m)) m)
                    (p3 (firstn (q m) (s m)) (firstn (q m) (lo m)) m))))
      f)))

(defn per (m) (per$ t m))

(disable seqp-structp)
;;Whenever a combinational module is introduced, we derive all of its
;;relevant properties and then disable its definition. This procedure
;;is automated by means of several macros, which we define in this section.
;;First, for the sake of efficiency, we derive some rewrite rules that allow
;;us to disable various definitions:

(prove-lemma bvpn-rewrite-1 (rewrite)
  (implies (not (zerop n))
           (equal (bvpn x n)
                  (and (boolp (car x))
                       (bvpn (cdr x) (sub1 n))))))

(prove-lemma bvpn-rewrite-2 (rewrite)
  (implies (zerop n)
           (equal (bvpn x n)
                  (equal x ()))))

(disable bvpn)

(prove-lemma combp-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (combp$ 'list m)
                  (and (combp (car m))
                       (combp$ 'list (cdr m))))))

(prove-lemma combp-rewrite-2 (rewrite)
  (implies (nlistp m)
           (combp$ 'list m)))

(prove-lemma combp-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m))
           (equal (combp$ t m)
                  (and (sdepth m 0) (combp$ 'list (s m))))))

(prove-lemma combp-modulep (rewrite)
  (implies (combp m) (modulep m)))

(disable combp)
(disable combp$)

(prove-lemma match-inputs-rewrite-1 (rewrite)
  (implies (listp subs)
           (equal (match-inputs subins subs)
                  (and (listp subins)
                       (equal (length (car subins)) (ni (car subs)))
                       (match-inputs (cdr subins) (cdr subs))))))

(prove-lemma match-inputs-rewrite-2 (rewrite)
  (implies (nlistp subs)
           (match-inputs subins subs)))

(prove-lemma match-outputs-rewrite-1 (rewrite)
  (implies (listp subs)
           (equal (match-outputs subouts subs)
                  (and (equal (length (car subouts)) (no (car subs)))
                       (match-outputs (cdr subouts) (cdr subs))))))

(prove-lemma match-outputs-rewrite-2 (rewrite)
  (implies (nlistp subs)
           (match-outputs subouts subs)))

(disable match-inputs)
(disable match-outputs)

(prove-lemma modulep$-rewrite-1 (rewrite)
  (implies (structp m)
           (equal (modulep$ t m)
                  (and (equal (length (li m)) (length (s m)))
                       (match-inputs (li m) (s m))
                       (equal (length (lo m)) (length (s m)))
                       (match-outputs (lo m) (s m))
                       (all-appear (o m) (lo m))
                       (lists-all-appear (li m) (cons (i m) (lo m)))
                       (all-distinct-symbols (cons (i m) (lo m)))
                       (modulep$ 'list (s m))))))

(prove-lemma modulep$-rewrite-2 (rewrite)
  (implies (listp m)
           (equal (modulep$ 'list m)
                  (and (modulep (car m))
                       (modulep$ 'list (cdr m))))))

(prove-lemma modulep$-rewrite-3 (rewrite)
  (modulep$ 'list ()))

(disable modulep)
(disable modulep$)

(prove-lemma slevel$$-rewrite-1 (rewrite)
  (implies (listp out)
           (equal (slevel$$ 'list out m bad q)
                  (emax (slevel$$ t (car out) m bad q)
                        (slevel$$ 'list (cdr out) m bad q)))))

(prove-lemma slevel$$-rewrite-2 (rewrite)
  (implies (nlistp out)
           (equal (slevel$$ 'list out m bad q) 0)))

(prove-lemma slevel$$-rewrite-3 (rewrite)
  (implies (or (member out (i m))
               (lessp (index out (lo m)) q))
           (equal (slevel$$ t out m bad q) 0)))

(prove-lemma slevel$$-rewrite-4 (rewrite)
  (implies (and (not (member out (i m)))
                (not (lessp (index out (lo m)) q))
                (not (member out bad))
                (distinct-symbols bad)
                (member out (signals m))
                (subsetp bad (signals m)))
           (equal (slevel$$ t out m bad q)
                  (eadd1 (slevel$$ 'list (find-li out m) m (cons out bad) q)))))

(disable slevel$$)
(prove-lemma cv$-rewrite-1 (rewrite)
  (implies (and (combp m) (structp m) (subsetp s (signals m)) (listp s))
           (equal (cv$ 'list s v m)
                  (cons (cv (car s) v m)
                        (cv$ 'list (cdr s) v m)))))

(prove-lemma cv$-rewrite-2 (rewrite)
  (implies (and (combp m) (structp m) (nlistp s))
           (equal (cv$ 'list s v m) ())))

(prove-lemma cv$-rewrite-3 (rewrite)
  (implies (and (combp m) (structp m) (member s (signals m)))
           (equal (cv$ t s v m)
                  (if (member s (i m))
                      (lookup s (i m) v)
                    (cv (find-o s m)
                        (cv$ 'list (find-li s m) v m)
                        (find-s s m))))))

(prove-lemma cv$-rewrite-4 (rewrite)
  (implies (behavp m)
           (equal (cv$ t s v m)
                  (eval (lookup s (o m) (r m)) (pairlist (i m) v)))))

(prove-lemma cv-rewrite (rewrite)
  (equal (cv s v m) (cv$ t s v m)))

(disable cv)
(disable cv$)

(prove-lemma dcmin$-rewrite-1 (rewrite)
  (implies (and (combp m) (structp m) (subsetp s (signals m)) (listp s))
           (equal (dcmin$ 'list s m)
                  (emin (dcmin (car s) m)
                        (dcmin$ 'list (cdr s) m)))))

(prove-lemma dcmin$-rewrite-2 (rewrite)
  (implies (and (combp m) (structp m) (nlistp s))
           (equal (dcmin$ 'list s m) f)))

(prove-lemma dcmin$-rewrite-3 (rewrite)
  (implies (and (combp m) (structp m) (member s (signals m)))
           (equal (dcmin$ t s m)
                  (if (member s (i m))
                      0
                    (eplus (dcmin (find-o s m) (find-s s m))
                           (dcmin$ 'list (find-li s m) m))))))

(prove-lemma dcmin$-rewrite-4 (rewrite)
  (implies (behavp m)
           (equal (dcmin$ t s m)
                  (lookup s (o m) (d m)))))

(prove-lemma dcmin-rewrite (rewrite)
  (equal (dcmin s m) (dcmin$ t s m)))

(disable dcmin$)
(disable dcmin)

(prove-lemma dcmax$-rewrite-1 (rewrite)
  (implies (and (combp m) (structp m) (subsetp s (signals m)) (listp s))
           (equal (dcmax$ 'list s m)
                  (emax (dcmax (car s) m)
                        (dcmax$ 'list (cdr s) m)))))

(prove-lemma dcmax$-rewrite-2 (rewrite)
  (implies (and (combp m) (structp m) (nlistp s))
           (equal (dcmax$ 'list s m) 0)))

(prove-lemma dcmax$-rewrite-3 (rewrite)
  (implies (and (combp m) (structp m) (member s (signals m)))
           (equal (dcmax$ t s m)
                  (if (member s (i m))
                      0
                    (eplus (dcmax (find-o s m) (find-s s m))
                           (dcmax$ 'list (find-li s m) m))))))

(prove-lemma dcmax$-rewrite-4 (rewrite)
  (implies (behavp m)
           (equal (dcmax$ t s m)
                  (lookup s (o m) (d m)))))

(prove-lemma dcmax-rewrite (rewrite)
  (equal (dcmax s m) (dcmax$ t s m)))

(disable dcmax$)
(disable dcmax)

(prove-lemma lookup-rewrite (rewrite)
  (implies (listp i)
           (equal (lookup s i v)
                  (if (equal s (car i))
                      (car v)
                    (lookup s (cdr i) (cdr v))))))

(disable lookup)

(prove-lemma lookupl-rewrite (rewrite)
  (implies (listp i)
           (equal (lookupl s i v)
                  (if (member s (car i))
                      (car v)
                    (lookupl s (cdr i) (cdr v))))))

(disable lookupl)
;;For each gate, we establish its components, prove that it is a
;;combinational module, derive its basic parameters, and then disable its
;;definition:

(defmacro print-and-prove (&rest args)
  `(and (print '(prove-lemma ,@args))
        (prove-lemma ,@args)))

(defun hyphen (x y)
  (intern (format () "~A-~A" x y)))

(defun ex (m)
  (intern (format () "*1*~A" m)))

(defmacro dogate (m i o r d cv)
  `(and (print-and-prove ,(hyphen m 'type) (rewrite)
          (equal (type (,m)) 'behav)
          ((enable type)))
        (print-and-prove ,(hyphen m 'i) (rewrite)
          (equal (i (,m)) ',i)
          ((enable i)))
        (print-and-prove ,(hyphen m 'o) (rewrite)
          (equal (o (,m)) '(,o))
          ((enable o)))
        (print-and-prove ,(hyphen m 'r) (rewrite)
          (equal (r (,m)) '(,r))
          ((enable r)))
        (print-and-prove ,(hyphen m 'd) (rewrite)
          (equal (d (,m)) '(,d))
          ((enable d)))
        (print-and-prove ,(hyphen m 'p) (rewrite)
          (equal (p (,m)) '(inert))
          ((enable p)))
        (print-and-prove ,(hyphen m 'modulep) (rewrite)
          (modulep (,m)))
        (print-and-prove ,(hyphen m 'combp) (rewrite)
          (combp (,m)))
        (print-and-prove ,(hyphen m 'cv) (rewrite)
          (equal (cv ',o v (,m))
                 ,cv))
        (print-and-prove ,(hyphen m 'dmin) (rewrite)
          (equal (dcmin ',o (,m)) ,d))
        (print-and-prove ,(hyphen m 'dmax) (rewrite)
          (equal (dcmax ',o (,m)) ,d))
        (disable ,m)
        (disable ,(ex m))))

(dogate t0 () t (t0) 2000 t)

(dogate f0 () f (f0) 2000 f)

(dogate not1 (a) b (not1 a) 2000
  (not (car v)))

(dogate and2 (a b) c (and2 a b) 2000
  (and (car v) (cadr v)))

(dogate or2 (a b) c (or2 a b) 2000
  (or (car v) (cadr v)))

(dogate nand2 (a b) c (nand2 a b) 2000
  (not (and (car v) (cadr v))))

(dogate fnand2 (a b) c (nand2 a b) 1000
  (not (and (car v) (cadr v))))

(dogate nor2 (a b) c (nor2 a b) 2000
  (not (or (car v) (cadr v))))

(dogate xor2 (a b) c (xor2 a b) 2000
  (not (equal (car v) (cadr v))))

(dogate and3 (a b c) d (and3 a b c) 2000
  (and (car v) (cadr v) (caddr v)))

(dogate or3 (a b c) d (or3 a b c) 2000
  (or (car v) (cadr v) (caddr v)))

(dogate nand3 (a b c) d (nand3 a b c) 2000
  (not (and (car v) (cadr v) (caddr v))))

(dogate nor3 (a b c) d (nor3 a b c) 2000
  (not (or (car v) (cadr v) (caddr v))))

(dogate xor3 (a b c) d (xor3 a b c) 2000
  (not (equal (car v) (not (equal (cadr v) (caddr v))))))

(dogate and4 (a b c d) e (and4 a b c d) 2000
  (and (car v) (cadr v) (caddr v) (cadddr v)))

(dogate or4 (a b c d) e (or4 a b c d) 2000
  (or (car v) (cadr v) (caddr v) (cadddr v)))

(dogate nand4 (a b c d) e (nand4 a b c d) 2000
  (not (and (car v) (cadr v) (caddr v) (cadddr v))))

(dogate nor4 (a b c d) e (nor4 a b c d) 2000
  (not (or (car v) (cadr v) (caddr v) (cadddr v))))

(dogate xor4 (a b c d) e (xor4 a b c d) 2000
  (not (equal (car v) (not (equal (cadr v) (not (equal (caddr v) (cadddr v))))))))

(dogate and5 (a b c d e) g (and5 a b c d e) 2000
  (and (car v) (cadr v) (caddr v) (cadddr v) (caddddr v)))

(dogate or5 (a b c d e) g (or5 a b c d e) 2000
  (or (car v) (cadr v) (caddr v) (cadddr v) (caddddr v)))

(dogate nand5 (a b c d e) g (nand5 a b c d e) 2000
  (not (and (car v) (cadr v) (caddr v) (cadddr v) (caddddr v))))

(dogate nor5 (a b c d e) g (nor5 a b c d e) 2000
  (not (or (car v) (cadr v) (caddr v) (cadddr v) (caddddr v))))

(dogate xor5 (a b c d e) g (xor5 a b c d e) 2000
  (not (equal (car v)
              (not (equal (cadr v)
                          (not (equal (caddr v)
                                      (not (equal (cadddr v) (caddddr v))))))))))
;;The same is done for every combinational structure at the _ine of its
;;definition. We illustrate vith the structure ADDER2:
(prove-lemma t_e-adder2 (re_lte)
(equal (type (adder2)) 'struct)
((enable type)))
(prove-lema i-adder2 (revrite)
(equal (i (adder2)) '(a b ¢))
((enable i)))
(prove-lena o-adder2 (revrite)
(equal (o (adder2)) '(l h))
((enable o)))
(prove-lem_a s-adder2 (reurite)
(equal (s (adder2))
(list (nand2) (nand2) (hand2) (nand2) (nand2) (nand2) (hand2) (nand2) (nand2)))
((enable s)))
(prove-lena li-adder2
(equal (li (adder2))
'((a b) (a tl) (b tl)
((enable li)))
(revrite)
(t2 t3) (c t4) (t5 t4) (c t5) (t5 tl) (t7 t6)))
(prove-lemma lo-adder2
(equal (lo (adder2))
'((tl) (t2) (t3) (t4)
((enable lo)))
(revrite)
(tS) (t6) (t7) (h) (1)))
(disable adder2)
(disable *l,adder2)
(prove-lena aodulep-adder2 (revriCe)
(modulep (adder2))
((use (modulep (m (adder2))))))
(prove-lemma combp-adder2 (rewrite)
  (combp (adder2))
  ((enable sdepth)
   (use (combp (m (adder2))))))
(prove-lemma cv-adder2-l (rewrite)
  (implies (cvecp v (adder2))
           (equal (cv 'l v (adder2))
                  (not (equal (car v) (not (equal (cadr v) (caddr v))))))))
(prove-lemma cv-adder2-h (rewrite)
  (implies (cvecp v (adder2))
           (equal (cv 'h v (adder2))
                  (if (car v) (or (cadr v) (caddr v)) (and (cadr v) (caddr v))))))
(prove-lemma adder2-dcmin-l (rewrite)
  (equal (dcmin 'l (adder2)) 4000))
(prove-lemma adder2-dcmax-l (rewrite)
  (equal (dcmax 'l (adder2)) 12000))
(prove-lemma adder2-dcmin-h (rewrite)
  (equal (dcmin 'h (adder2)) 4000))
(prove-lemma adder2-dcmax-h (rewrite)
  (equal (dcmax 'h (adder2)) 10000))
(defun make-s (subs)
  (if (consp subs)
      (cons (list (caar subs)) (make-s (cdr subs)))
    ()))
(defun make-li (subs)
  (if (consp subs)
      (cons (cadar subs) (make-li (cdr subs)))
    ()))
(defun make-lo (subs)
  (if (consp subs)
      (cons (caddar subs) (make-lo (cdr subs)))
    ()))
;;We use the following macro to introduce new combinational structures:
(defmacro defcomb (m i o &rest subs)
  (let ((s (make-s subs)) (li (make-li subs)) (lo (make-lo subs)))
    `(and (defn ,m ()
            (list 'struct ',i ',o (list ,@s) ',li ',lo))
          (print-and-prove ,(hyphen m 'type) (rewrite)
            (equal (type (,m)) 'struct)
            ((enable type)))
          (print-and-prove ,(hyphen m 'i) (rewrite)
            (equal (i (,m)) ',i)
            ((enable i)))
          (print-and-prove ,(hyphen m 'o) (rewrite)
            (equal (o (,m)) ',o)
            ((enable o)))
          (print-and-prove ,(hyphen m 's) (rewrite)
            (equal (s (,m)) (list ,@s))
            ((enable s)))
          (print-and-prove ,(hyphen m 'li) (rewrite)
            (equal (li (,m)) ',li)
            ((enable li)))
          (print-and-prove ,(hyphen m 'lo) (rewrite)
            (equal (lo (,m)) ',lo)
            ((enable lo)))
          (disable ,m)
          (disable ,(ex m))
          (print-and-prove ,(hyphen m 'modulep) (rewrite)
            (modulep (,m))
            ((use (modulep (m (,m))))))
          (print-and-prove ,(hyphen m 'combp) (rewrite)
            (combp (,m))
            ((enable sdepth)
             (use (combp (m (,m)))))))))
;;We establish a similar procedure for deriving the relevant properties
;;of a sequential module before disabling its definition.
;;First, we derive the basic properties of DFF:
(prove-lemma not-combp-dff (rewrite)
  (not (combp (dff)))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))
(prove-lemma modulep-dff (rewrite)
  (modulep (dff))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))
(prove-lemma type-dff (rewrite)
  (equal (type (dff)) 'struct)
  ((enable type)))
(prove-lemma i-dff (rewrite)
  (equal (i (dff)) '(clk rst d))
  ((enable i)))
(prove-lemma o-dff (rewrite)
  (equal (o (dff)) '(q qn))
  ((enable o)))
(prove-lemma seqp-dff (rewrite)
  (seqp (dff))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))
(prove-lemma rv-rewrite (rewrite)
  (equal (rv s state m) (rv$ t s state m)))
(prove-lemma rv-dff-q (rewrite)
  (equal (rv 'q state (dff)) state)
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3 i lo)))
(prove-lemma rv-dff-qn (rewrite)
  (equal (rv 'qn state (dff)) (not state))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3 i lo)))
(prove-lemma next-dff (rewrite)
  (equal (next v state (dff)) (car v))
  ((enable *1*not1 *1*and2 *1*nand2 *1*nand3)))
(disable dff)
(disable *1*dff)
;;Next, we derive some rewrite rules that allow us to disable various
;;function definitions:
(defn sc-induct (m)
  (if (structp m)
      (if (equal m (dff))
          t
        (sc-induct (car (s m))))
    t))
(prove-lemma combp-car-s (rewrite)
  (implies (and (structp m)
                (combp m)
                (listp (s m)))
           (combp (car (s m))))
  ((enable combp combp$)
   (expand (combp$ t m))))
(prove-lemma seqp$-car-s (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (seqp$ t (car (s m))))
  ((expand (seqp$ t m) (firstn (q$ (s m)) (s m)))))
(prove-lemma seq-combp (rewrite)
  (implies (seqp m) (not (combp m)))
  ((induct (sc-induct m))))
(prove-lemma nativep$-rewrite-1 (rewrite)
  (implies (and (sdepth m (q m))
                (subsetp s (signals m))
                (listp s))
           (equal (nativep$ 'list s m)
                  (and (nativep$ t (car s) m)
                       (nativep$ 'list (cdr s) m)))))
(prove-lemma nativep$-rewrite-2 (rewrite)
  (implies (and (sdepth m (q m))
                (nlistp s))
           (nativep$ 'list s m)))
(prove-lemma nativep$-rewrite-3 (rewrite)
  (implies (and (sdepth m (q m))
                (not (equal m (dff)))
                (member s (signals m))
                (not (member s (i m))))
           (equal (nativep$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      t
                    (nativep$ 'list (find-li s m) m)))))
(disable nativep$)
(prove-lemma firstn-rewrite-1 (rewrite)
  (implies (not (zerop n))
           (equal (firstn n l)
                  (cons (car l) (firstn (sub1 n) (cdr l))))))
(prove-lemma firstn-rewrite-2 (rewrite)
  (implies (zerop n)
           (equal (firstn n l) ())))
(disable firstn)
(prove-lemma seqp$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (seqp$ 'list m)
                  (and (seqp (car m))
                       (seqp$ 'list (cdr m))))))
(prove-lemma seqp$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (seqp$ 'list m)))
(prove-lemma seqp$-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m) (not (equal m (dff))))
           (equal (seqp$ t m)
                  (and (geq (ni m) 2)
                       (not (zerop (q m)))
                       (seqp$ 'list (firstn (q m) (s m)))
                       (check-seq-li (car (i m)) (cadr (i m)) (firstn (q m) (li m)))
                       (check-comb-li (car (i m)) (cadr (i m)) (cdrn (q m) (li m)))
                       (sdepth m (q m))
                       (nativep$ 'list (o m) m))))
  ((expand (seqp$ t m))))
(disable seqp$)
(disable seqp)
(prove-lemma rv$-rewrite-1 (rewrite)
  (implies (and (seqp m)
                (subsetp s (signals m))
                (listp s)
                (not (equal m (dff))))
           (equal (rv$ 'list s state m)
                  (cons (rv (car s) state m)
                        (rv$ 'list (cdr s) state m)))))
(prove-lemma rv$-rewrite-2 (rewrite)
  (implies (and (seqp m)
                (nlistp s)
                (not (equal m (dff))))
           (equal (rv$ 'list s state m) ())))
(prove-lemma rv$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (member s (signals m))
                (not (member s (i m))))
           (equal (rv$ t s state m)
                  (if (lessp (index s (lo m)) (q m))
                      (rv (find-o s m) (find-state s state m) (find-s s m))
                    (cv (find-o s m) (rv$ 'list (find-li s m) state m) (find-s s m))))))
(disable rv$)
(disable rv)
(prove-lemma sv$-rewrite-1 (rewrite)
  (implies (and (seqp m)
                (subsetp s (signals m))
                (listp s)
                (not (equal m (dff))))
           (equal (sv$ 'list s v state m)
                  (cons (sv$ t (car s) v state m)
                        (sv$ 'list (cdr s) v state m)))))
(prove-lemma sv$-rewrite-2 (rewrite)
  (implies (and (seqp m)
                (nlistp s)
                (not (equal m (dff))))
           (equal (sv$ 'list s v state m) ())))
(prove-lemma sv$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (not (equal m (dff)))
                (member s (signals m)))
           (equal (sv$ t s v state m)
                  (if (member s (i m))
                      (lookup s (cddr (i m)) v)
                    (if (lessp (index s (lo m)) (q m))
                        (rv s state m)
                      (cv (find-o s m) (sv$ 'list (find-li s m) v state m) (find-s s m))))))
  ((disable member)))
(disable sv$)
(prove-lemma next$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (next$ 'list v state m)
                  (cons (next (car v) (car state) (car m))
                        (next$ 'list (cdr v) (cdr state) (cdr m))))))
(prove-lemma next$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (next$ 'list v state m) ())))
(prove-lemma next$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (next$ t v state m)
                  (if (equal (q m) 1)
                      (next (sv$ 'list (car (li m)) v state m) state (car (s m)))
                    (next$ 'list
                           (sv$ 'list (firstn (q m) (li m)) v state m)
                           state
                           (firstn (q m) (s m))))))
  ((disable dff)))
(disable next$)
(prove-lemma q$-rewrite-1 (rewrite)
  (implies (listp mods)
           (equal (q$ mods)
                  (if (combp (car mods))
                      0
                    (add1 (q$ (cdr mods)))))))
(prove-lemma q$-rewrite-2 (rewrite)
  (implies (nlistp mods)
           (equal (q$ mods) 0)))
(disable q$)
(prove-lemma statep$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (statep$ 'list state m)
                  (and (statep (car state) (car m))
                       (statep$ 'list (cdr state) (cdr m))))))
(prove-lemma statep$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (statep$ 'list state m)
                  (equal state ()))))
(prove-lemma statep$-rewrite-3 (rewrite)
  (implies (and (modulep m) (structp m) (not (equal m (dff))))
           (equal (statep$ t state m)
                  (if (equal (q m) 1)
                      (statep state (car (s m)))
                    (statep$ 'list state (firstn (q m) (s m)))))))
(prove-lemma statep-dff-rewrite (rewrite)
  (equal (statep state (dff))
         (boolp state))
  ((disable boolp)))
(disable statep$)
(disable statep)
(prove-lemma regp-rewrite (rewrite)
  (implies (seqp m)
           (equal (regp s m)
                  (if (equal m (dff))
                      (member s (o m))
                    (and (lessp (index s (lo m)) (q m))
                         (regp (find-o s m) (find-s s m)))))))
(disable regp)
(prove-lemma dsmin$-rewrite-1 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (listp s))
           (equal (dsmin$ 'list s m)
                  (emin (dsmin$ t (car s) m)
                        (dsmin$ 'list (cdr s) m)))))
(prove-lemma dsmin$-rewrite-2 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (nlistp s))
           (equal (dsmin$ 'list s m) f)))
(prove-lemma dsmin$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (member s (signals m))
                (not (member s (i m)))
                (not (equal m (dff))))
           (equal (dsmin$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      (dsmin (find-o s m) (find-s s m))
                    (eplus (dcmin (find-o s m) (find-s s m))
                           (dsmin$ 'list (find-li s m) m))))))
(prove-lemma dsmin$-rewrite-4 (rewrite)
  (implies (and (member s (signals (dff)))
                (not (member s (i (dff)))))
           (equal (dsmin$ t s (dff)) 4000)))
(prove-lemma dsmin-rewrite (rewrite)
  (equal (dsmin s m) (dsmin$ t s m)))
(disable dsmin$)
(disable dsmin)
(prove-lemma dff-dsmin-q (rewrite)
  (equal (dsmin 'q (dff)) 4000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))
(prove-lemma dff-dsmin-qn (rewrite)
  (equal (dsmin 'qn (dff)) 4000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))
(prove-lemma dsmax$-rewrite-1 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (listp s))
           (equal (dsmax$ 'list s m)
                  (emax (dsmax$ t (car s) m)
                        (dsmax$ 'list (cdr s) m)))))
(prove-lemma dsmax$-rewrite-2 (rewrite)
  (implies (and (seqp m) (subsetp s (signals m)) (not (equal m (dff))) (nlistp s))
           (equal (dsmax$ 'list s m) 0)))
(prove-lemma dsmax$-rewrite-3 (rewrite)
  (implies (and (seqp m)
                (member s (signals m))
                (not (member s (i m)))
                (not (equal m (dff))))
           (equal (dsmax$ t s m)
                  (if (lessp (index s (lo m)) (q m))
                      (dsmax (find-o s m) (find-s s m))
                    (eplus (dcmax (find-o s m) (find-s s m))
                           (dsmax$ 'list (find-li s m) m))))))
(prove-lemma dsmax$-rewrite-4 (rewrite)
  (implies (and (member s (signals (dff)))
                (not (member s (i (dff)))))
           (equal (dsmax$ t s (dff)) 6000)))
(prove-lemma dsmax-rewrite (rewrite)
  (equal (dsmax s m) (dsmax$ t s m)))
(disable dsmax$)
(disable dsmax)
(prove-lemma dff-dsmax-q (rewrite)
  (equal (dsmax 'q (dff)) 6000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))
(prove-lemma dff-dsmax-qn (rewrite)
  (equal (dsmax 'qn (dff)) 6000)
  ((enable *1*dff *1*nand2 *1*lo *1*i *1*nand3 *1*not1)))
(prove-lemma setup-rewrite (rewrite)
  (equal (setup s m) (setup$ 0 s m)))
(disable setup)
(prove-lemma dff-setup-rst (rewrite)
  (equal (setup 'rst (dff)) 8000))
(prove-lemma dff-setup-d (rewrite)
  (equal (setup 'd (dff)) 6000))
(prove-lemma setup$-rewrite-1 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (setup$ 0 x m)
                  (emax (setup$ 2
                                (collect-li x (firstn (q m) (li m)) (firstn (q m) (s m)))
                                (collect-lo x (firstn (q m) (li m)) (firstn (q m) (s m))))
                        (setup$ 5
                                (setup$ 4
                                        (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (lo m)))
                                        m)
                                (collect-lo x (cdrn (q m) (li m)) (cdrn (q m) (s m))))))))
(prove-lemma setup$-rewrite-2 (rewrite)
  (implies (listp x)
           (equal (setup$ 1 x m)
                  (emax (setup (car x) m)
                        (setup$ 1 (cdr x) m)))))
(prove-lemma setup$-rewrite-3 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 1 x m) 0)))
(prove-lemma setup$-rewrite-4 (rewrite)
  (implies (listp x)
           (equal (setup$ 2 x m)
                  (emax (setup$ 1 (car x) (car m))
                        (setup$ 2 (cdr x) (cdr m))))))
(prove-lemma setup$-rewrite-5 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 2 x m) 0)))
(prove-lemma setup$-rewrite-6 (rewrite)
  (implies (listp x)
           (equal (setup$ 3 x m)
                  (cons (setup (car x) m)
                        (setup$ 3 (cdr x) m)))))
(prove-lemma setup$-rewrite-7 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 3 x m) ())))
(prove-lemma setup$-rewrite-8 (rewrite)
  (implies (listp x)
           (equal (setup$ 4 x m)
                  (cons (setup$ 3 (car x) m)
                        (setup$ 4 (cdr x) m)))))
(prove-lemma setup$-rewrite-9 (rewrite)
  (implies (nlistp x)
           (equal (setup$ 4 x m) ())))
(prove-lemma setup$-rewrite-10 (rewrite)
  (implies (listp m)
           (equal (setup$ 5 x m)
                  (emax (setup-comb (o (car m)) (car x) (car m))
                        (setup$ 5 (cdr x) (cdr m))))))
(prove-lemma setup$-rewrite-11 (rewrite)
  (implies (nlistp m)
           (equal (setup$ 5 x m) 0)))
(disable setup$)
(prove-lemma setup-comb-rewrite-1 (rewrite)
  (implies (listp sigs)
           (equal (setup-comb sigs setups m)
                  (if (zerop (car setups))
                      (setup-comb (cdr sigs) (cdr setups) m)
                    (emax (eplus (dcmax (car sigs) m) (car setups))
                          (setup-comb (cdr sigs) (cdr setups) m))))))
(prove-lemma setup-comb-rewrite-2 (rewrite)
  (implies (nlistp sigs)
           (equal (setup-comb sigs setups m) 0)))
(prove-lemma collect-i-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-i s li i)
                  (if (equal s (car li))
                      (cons (car i) (collect-i s (cdr li) (cdr i)))
                    (collect-i s (cdr li) (cdr i))))))
(prove-lemma collect-i-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-i s li i) ())))
(prove-lemma collect-li-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-li s li m)
                  (if (member s (car li))
                      (cons (collect-i s (car li) (i (car m)))
                            (collect-li s (cdr li) (cdr m)))
                    (collect-li s (cdr li) (cdr m))))))
(prove-lemma collect-li-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-li s li m) ())))
(prove-lemma collect-lo-rewrite-1 (rewrite)
  (implies (listp li)
           (equal (collect-lo s li lo)
                  (if (member s (car li))
                      (cons (car lo) (collect-lo s (cdr li) (cdr lo)))
                    (collect-lo s (cdr li) (cdr lo))))))
(prove-lemma collect-lo-rewrite-2 (rewrite)
  (implies (nlistp li)
           (equal (collect-lo s li lo) ())))
(prove-lemma high-rewrite (rewrite)
  (equal (high m) (high$ t m)))
(disable high)
(prove-lemma high$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (high$ 'list m)
                  (max (high (car m))
                       (high$ 'list (cdr m))))))
(prove-lemma high$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (high$ 'list m) 0)))
(prove-lemma high$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (high$ t m)
                  (high$ 'list (firstn (q m) (s m))))))
(prove-lemma dff-high-rewrite (rewrite)
  (equal (high (dff)) 4000))
(disable high$)
(prove-lemma low-rewrite (rewrite)
  (equal (low m) (low$ t m)))
(disable low)
(prove-lemma low$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (low$ 'list m)
                  (max (low (car m))
                       (low$ 'list (cdr m))))))
(prove-lemma low$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (low$ 'list m) 0)))
(prove-lemma low$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (low$ t m)
                  (low$ 'list (firstn (q m) (s m))))))
(prove-lemma dff-low-rewrite (rewrite)
  (equal (low (dff)) 6000))
(disable low$)
(prove-lemma setups-plus-delays-rewrite-1 (rewrite)
  (implies (listp outs)
           (equal (setups-plus-delays setups outs sub)
                  (max (plus (dsmax (car outs) sub)
                             (car setups))
                       (setups-plus-delays (cdr setups) (cdr outs) sub)))))
(prove-lemma setups-plus-delays-rewrite-2 (rewrite)
  (implies (nlistp outs)
           (equal (setups-plus-delays setups outs sub) 0)))
(prove-lemma p3-rewrite-1 (rewrite)
  (implies (listp s)
           (equal (p3 s lo m)
                  (max (setups-plus-delays (setup$ 3 (car lo) m) (o (car s)) (car s))
                       (p3 (cdr s) (cdr lo) m)))))
(prove-lemma p3-rewrite-2 (rewrite)
  (implies (nlistp s)
           (equal (p3 s lo m) 0)))
(prove-lemma per-rewrite (rewrite)
  (equal (per m) (per$ t m)))
(disable per)
(prove-lemma per$-rewrite-1 (rewrite)
  (implies (listp m)
           (equal (per$ 'list m)
                  (max (per (car m))
                       (per$ 'list (cdr m))))))
(prove-lemma per$-rewrite-2 (rewrite)
  (implies (nlistp m)
           (equal (per$ 'list m) 0)))
(prove-lemma per-dff-rewrite (rewrite)
  (equal (per (dff)) 10000))
(prove-lemma per$-rewrite-3 (rewrite)
  (implies (and (seqp m) (not (equal m (dff))))
           (equal (per$ t m)
                  (max (per$ 'list (firstn (q m) (s m)))
                       (max (setup$ 3 (cdr (i m)) m)
                            (p3 (firstn (q m) (s m)) (firstn (q m) (lo m)) m))))))
(disable per$)
;;Finally, we define the following macro, which we use to define
;;sequential modules and derive their properties:
(defmacro defseq (m q i o &rest subs)
  (let ((s (make-s subs)) (li (make-li subs)) (lo (make-lo subs)))
    `(and (defn ,m ()
            (list 'struct ',i ',o (list ,@s) ',li ',lo))
          (print-and-prove ,(hyphen m 'type) (rewrite)
            (equal (type (,m)) 'struct)
            ((enable type)))
          (print-and-prove ,(hyphen m 'i) (rewrite)
            (equal (i (,m)) ',i)
            ((enable i)))
          (print-and-prove ,(hyphen m 'o) (rewrite)
            (equal (o (,m)) ',o)
            ((enable o)))
          (print-and-prove ,(hyphen m 's) (rewrite)
            (equal (s (,m)) (list ,@s))
            ((enable s)))
          (print-and-prove ,(hyphen m 'li) (rewrite)
            (equal (li (,m)) ',li)
            ((enable li)))
          (print-and-prove ,(hyphen m 'lo) (rewrite)
            (equal (lo (,m)) ',lo)
            ((enable lo)))
          (print-and-prove ,(hyphen m 'not-dff) (rewrite)
            (not (equal (,m) (dff)))
            ((enable dff)))
          (disable ,m)
          (disable ,(ex m))
          (print-and-prove ,(hyphen m 'modulep) (rewrite)
            (modulep (,m))
            ((use (modulep (m (,m))))))
          (print-and-prove ,(hyphen m 'q) (rewrite)
            (equal (q (,m)) ,q)
            ((use (q (m (,m))))))
          (print-and-prove ,(hyphen m 'sdepth) (rewrite)
            (sdepth (,m) ,q)
            ((use (sdepth (m (,m)) (q ,q)))))
          (print-and-prove ,(hyphen m 'seq) (rewrite)
            (seqp (,m))
            ((use (seqp (m (,m)))))))))
;;*****************************************************************
;; BPM
;;We illustrate our methodology with a pair of circuits, RCVR and SNDR,
;;which achieve asynchronous communication via the biphase mark protocol.
;;The definitions of these circuits are presented below.
;;Each combinational component is defined via DEFCOMB. For each of its
;;outputs, three lemmas are proved, establishing the values of the functions
;;RV, DCMIN, and DCMAX.
;;Each sequential component is defined via DEFSEQ. For each output, a lemma
;;is proved pertaining to RV. For each input, a lemma is proved, giving the
;;setup time. Other lemmas give the period and characterize the behavior of
;;STATEP and NEXT:
(defseq cdff 1
  (clk rst clear d) (q qn)
  (dff (clk rst dcn) (q qn))
  (not1 (clear) (cn))
  (and2 (d cn) (dcn)))
(prove-lemma cdff-statep (rewrite)
  (equal (statep state (cdff))
         (boolp state))
  ((use (statep (m (cdff))))))
(prove-lemma rv-cdff-q (rewrite)
  (equal (rv 'q state (cdff)) state))
(prove-lemma rv-cdff-qn (rewrite)
  (equal (rv 'qn state (cdff)) (not state)))
(prove-lemma next-cdff (rewrite)
  (implies (svecp v (cdff))
           (equal (next v state (cdff))
                  (if (car v) f (cadr v))))
  ((use (next (m (cdff))))))
(prove-lemma cdff-setup-rst (rewrite)
  (equal (setup 'rst (cdff)) 8000))
(prove-lemma cdff-setup-clear (rewrite)
  (equal (setup 'clear (cdff)) 10000))
(prove-lemma cdff-setup-d (rewrite)
  (equal (setup 'd (cdff)) 8000))
(prove-lemma cdff-per (rewrite)
  (equal (per (cdff)) 10000))
(defseq edff 1
  (clk rst enable d) (q qn)
  (dff (clk rst s4) (q qn))
  (not1 (enable) (s1))
  (nand2 (s1 q) (s2))
  (nand2 (d enable) (s3))
  (nand2 (s2 s3) (s4)))
(prove-lemma edff-statep (rewrite)
  (equal (statep state (edff))
         (boolp state))
  ((use (statep (m (edff))))))
(prove-lemma rv-edff-q (rewrite)
  (equal (rv 'q state (edff)) state))
(prove-lemma rv-edff-qn (rewrite)
  (equal (rv 'qn state (edff)) (not state)))
(prove-lemma next-edff (rewrite)
  (implies (and (svecp v (edff))
                (statep state (edff)))
           (equal (next v state (edff))
                  (if (car v) (cadr v) state)))
  ((use (next (m (edff)))
        (statep (m (edff))))))
(prove-lemma edff-setup-rst (rewrite)
  (equal (setup 'rst (edff)) 8000))
(prove-lemma edff-setup-enable (rewrite)
  (equal (setup 'enable (edff)) 12000))
(prove-lemma edff-setup-d (rewrite)
  (equal (setup 'd (edff)) 10000))
(prove-lemma edff-per (rewrite)
  (equal (per (edff)) 16000))
(defseq ecdff 1
  (clk rst clear enable d) (q qn)
  (dff (clk rst s5) (q qn))
  (not1 (enable) (s1))
  (not1 (clear) (s2))
  (nand3 (q s1 s2) (s3))
  (nand3 (d s2 enable) (s4))
  (nand2 (s3 s4) (s5)))
(prove-lemma ecdff-statep (rewrite)
  (equal (statep state (ecdff))
         (boolp state))
  ((use (statep (m (ecdff))))))
(prove-lemma rv-ecdff-q (rewrite)
  (equal (rv 'q state (ecdff)) state))
(prove-lemma rv-ecdff-qn (rewrite)
  (equal (rv 'qn state (ecdff)) (not state)))
(prove-lemma next-ecdff (rewrite)
  (implies (and (svecp v (ecdff))
                (statep state (ecdff)))
           (equal (next v state (ecdff))
                  (if (car v) f (if (cadr v) (caddr v) state))))
  ((use (next (m (ecdff)))
        (statep (m (ecdff))))))
(prove-lemma ecdff-setup-rst (rewrite)
  (equal (setup 'rst (ecdff)) 8000))
(prove-lemma ecdff-setup-clear (rewrite)
  (equal (setup 'clear (ecdff)) 12000))
(prove-lemma ecdff-setup-enable (rewrite)
  (equal (setup 'enable (ecdff)) 12000))
(prove-lemma ecdff-setup-d (rewrite)
  (equal (setup 'd (ecdff)) 10000))
(prove-lemma ecdff-per (rewrite)
  (equal (per (ecdff)) 16000))
(defseq port3 1
  (clk rst shift sin load din) (q)
  (edff (clk rst s3 s4) (q qn))
  (nand2 (din load) (s1))
  (nand2 (sin shift) (s2))
  (or2 (load shift) (s3))
  (nand2 (s1 s2) (s4)))
(prove-lemma port3-statep (rewrite)
  (equal (statep state (port3))
         (boolp state))
  ((use (statep (m (port3))))))
(prove-lemma rv-port3-q (rewrite)
  (equal (rv 'q state (port3)) state))
(prove-lemma next-port3-1 (rewrite)
  (implies (and (svecp v (port3))
                (statep state (port3))
                (not (car v)))
           (equal (next v state (port3))
                  (if (caddr v) (cadddr v) state)))
  ((use (next (m (port3)))
        (statep (m (port3))))))
(prove-lemma next-port3-2 (rewrite)
  (implies (and (svecp v (port3))
                (statep state (port3))
                (not (caddr v)))
           (equal (next v state (port3))
                  (if (car v) (cadr v) state)))
  ((use (next (m (port3)))
        (statep (m (port3))))))
(prove-lemma port3-setup-rst (rewrite)
  (equal (setup 'rst (port3)) 8000))
(prove-lemma port3-setup-shift (rewrite)
  (equal (setup 'shift (port3)) 14000))
(prove-lemma port3-setup-sin (rewrite)
  (equal (setup 'sin (port3)) 14000))
(prove-lemma port3-setup-load (rewrite)
  (equal (setup 'load (port3)) 14000))
(prove-lemma port3-setup-din (rewrite)
  (equal (setup 'din (port3)) 14000))
(prove-lemma port3-per (rewrite)
  (equal (per (port3)) 16000))
(defseq shift8 8
  (clk rst load shift sin d0 d1 d2 d3 d4 d5 d6 d7)
  (q0 q1 q2 q3 q4 q5 q6 q7)
  (port3 (clk rst shift sin load d0) (q0))
  (port3 (clk rst shift q0 load d1) (q1))
  (port3 (clk rst shift q1 load d2) (q2))
  (port3 (clk rst shift q2 load d3) (q3))
  (port3 (clk rst shift q3 load d4) (q4))
  (port3 (clk rst shift q4 load d5) (q5))
  (port3 (clk rst shift q5 load d6) (q6))
  (port3 (clk rst shift q6 load d7) (q7)))
(prove-lemma shift8-statep (rewrite)
  (equal (statep state (shift8))
         (bvpn state 8))
  ((use (statep (m (shift8))))
   (disable boolp)))
(prove-lemma rv-shift8-q0 (rewrite)
  (equal (rv 'q0 state (shift8)) (car state)))
(prove-lemma rv-shift8-q1 (rewrite)
  (equal (rv 'q1 state (shift8)) (cadr state)))
(prove-lemma rv-shift8-q2 (rewrite)
  (equal (rv 'q2 state (shift8)) (caddr state)))
(prove-lemma rv-shift8-q3 (rewrite)
  (equal (rv 'q3 state (shift8)) (cadddr state)))
(prove-lemma rv-shift8-q4 (rewrite)
  (equal (rv 'q4 state (shift8)) (caddddr state)))
(prove-lemma rv-shift8-q5 (rewrite)
  (equal (rv 'q5 state (shift8)) (cadddddr state)))
(prove-lemma rv-shift8-q6 (rewrite)
  (equal (rv 'q6 state (shift8)) (caddddddr state)))
(prove-lemma rv-shift8-q7 (rewrite)
  (equal (rv 'q7 state (shift8)) (cadddddddr state)))
(defn shift (sin l)
  (if (listp l)
      (cons sin (shift (car l) (cdr l)))
    ()))
(prove-lemma shift-rewrite-1 (rewrite)
  (implies (boolp (car l))
           (equal (shift s l)
                  (cons s (shift (car l) (cdr l))))))
(prove-lemma shift-rewrite-2 (rewrite)
  (implies (nlistp l)
           (equal (shift s l) ())))
(disable shift)
(prove-lemma cons-car-nil (rewrite)
  (implies (equal (cdr u) ())
           (equal (cons (car u) ()) u)))
(disable cons-car-nil)
(prove-lemma next-shift8-1 (rewrite)
  (implies (and (svecp v (shift8))
                (statep state (shift8))
                (not (car v)))
           (equal (next v state (shift8))
                  (if (cadr v) (shift (caddr v) state) state)))
  ((use (next (m (shift8)))
        (statep (m (shift8))))
   (enable cons-car-nil)
   (disable boolp)))
(prove-lemma next-shift8-2 (rewrite)
  (implies (and (svecp v (shift8))
                (statep state (shift8))
                (not (cadr v)))
           (equal (next v state (shift8))
                  (if (car v) (cdddr v) state)))
  ((use (next (m (shift8)))
        (statep (m (shift8))))
   (enable cons-car-nil)
   (disable boolp)))
(prove-lemma shift8-setup-rst (rewrite)
  (equal (setup 'rst (shift8)) 8000))
(prove-lemma shift8-setup-shift (rewrite)
  (equal (setup 'shift (shift8)) 14000))
(prove-lemma shift8-setup-sin (rewrite)
  (equal (setup 'sin (shift8)) 14000))
(prove-lemma shift8-setup-load (rewrite)
  (equal (setup 'load (shift8)) 14000))
(prove-lemma shift8-setup-d0 (rewrite)
  (equal (setup 'd0 (shift8)) 14000))
(prove-lemma shift8-setup-d1 (rewrite)
  (equal (setup 'd1 (shift8)) 14000))
(prove-lemma shift8-setup-d2 (rewrite)
  (equal (setup 'd2 (shift8)) 14000))
(prove-lemma shift8-setup-d3 (rewrite)
  (equal (setup 'd3 (shift8)) 14000))
(prove-lemma shift8-setup-d4 (rewrite)
  (equal (setup 'd4 (shift8)) 14000))
(prove-lemma shift8-setup-d5 (rewrite)
  (equal (setup 'd5 (shift8)) 14000))
(prove-lemma shift8-setup-d6 (rewrite)
  (equal (setup 'd6 (shift8)) 14000))
(prove-lemma shift8-setup-d7 (rewrite)
  (equal (setup 'd7 (shift8)) 14000))
(prove-lemma shift8-per (rewrite)
  (equal (per (shift8)) 20000))
(defcomb comp5 (c0 b0 c1 b1 c2 b2 c3 b3 c4 b4) (match)
  (xor2 (c0 b0) (s1))
  (xor2 (c1 b1) (s2))
  (xor2 (c2 b2) (s3))
  (xor2 (c3 b3) (s4))
  (xor2 (c4 b4) (s5))
  (nor5 (s1 s2 s3 s4 s5) (match)))
(prove-lemma cv-comp5 (rewrite)
  (let ((c0 (car v)) (b0 (cadr v))
        (c1 (caddr v)) (b1 (cadddr v))
        (c2 (caddddr v)) (b2 (cadddddr v))
        (c3 (caddddddr v)) (b3 (cadddddddr v))
        (c4 (caddddddddr v)) (b4 (cadddddddddr v)))
    (implies (cvecp v (comp5))
             (equal (cv 'match v (comp5))
                    (equal (list b0 b1 b2 b3 b4) (list c0 c1 c2 c3 c4)))))
  ((disable boolp)))
(defseq count3 3
  (clk rst enable) (q0 q1 q2)
  (edff (clk rst enable qn0) (q0 qn0))
  (edff (clk rst enable s3) (q1 qn1))
  (edff (clk rst enable s2) (q2 qn2))
  (and2 (q0 q1) (s1))
  (xor2 (s1 q2) (s2))
  (xor2 (q0 q1) (s3)))
(prove-lemma count3-statep (rewrite)
  (equal (statep state (count3))
         (bvpn state 3))
  ((use (statep (m (count3))))
   (disable boolp)))
(prove-lemma rv-count3-q0 (rewrite)
  (equal (rv 'q0 state (count3)) (car state)))
(prove-lemma rv-count3-q1 (rewrite)
  (equal (rv 'q1 state (count3)) (cadr state)))
(prove-lemma rv-count3-q2 (rewrite)
  (equal (rv 'q2 state (count3)) (caddr state)))
(defn modinc (n)
  (if (listp n)
      (if (car n)
          (cons f (modinc (cdr n)))
        (cons t (cdr n)))
    n))
(prove-lemma modinc-rewrite-1 (rewrite)
  (implies (not (car n))
           (equal (modinc n)
                  (cons t (cdr n)))))
(prove-lemma modinc-rewrite-2 (rewrite)
  (implies (and (boolp (car n)) (car n))
           (equal (modinc n)
                  (cons f (modinc (cdr n))))))
(prove-lemma modinc-rewrite-3 (rewrite)
  (implies (nlistp n)
           (equal (modinc n) n)))
(disable modinc)
(prove-lemma next-count3 (rewrite)
  (implies (statep state (count3))
           (equal (next v state (count3))
                  (if (car v)
                      (modinc state)
                    state)))
  ((use (next (m (count3))))))
(prove-lemma count3-setup-rst (rewrite)
  (equal (setup 'rst (count3)) 8000))
(prove-lemma count3-setup-enable (rewrite)
  (equal (setup 'enable (count3)) 12000))
(prove-lemma count3-per (rewrite)
  (equal (per (count3)) 20000))
(defseq count5 5
  (clk rst clear enable) (q0 q1 q2 q3 q4)
  (ecdff (clk rst clear enable qn0) (q0 qn0))
  (ecdff (clk rst clear enable x1) (q1 qn1))
  (ecdff (clk rst clear enable x2) (q2 qn2))
  (ecdff (clk rst clear enable x3) (q3 qn3))
  (ecdff (clk rst clear enable x4) (q4 qn4))
  (and2 (q0 q1) (a1))
  (and2 (a1 q2) (a2))
  (and2 (a2 q3) (a3))
  (xor2 (q0 q1) (x1))
  (xor2 (q2 a1) (x2))
  (xor2 (q3 a2) (x3))
  (xor2 (q4 a3) (x4)))
(prove-lemma count5-statep (rewrite)
  (equal (statep state (count5))
         (bvpn state 5))
  ((use (statep (m (count5))))
   (disable boolp)))
(prove-lemma rv-count5-q0 (rewrite)
  (equal (rv 'q0 state (count5)) (car state)))
(prove-lemma rv-count5-q1 (rewrite)
  (equal (rv 'q1 state (count5)) (cadr state)))
(prove-lemma rv-count5-q2 (rewrite)
  (equal (rv 'q2 state (count5)) (caddr state)))
(prove-lemma rv-count5-q3 (rewrite)
  (equal (rv 'q3 state (count5)) (cadddr state)))
(prove-lemma rv-count5-q4 (rewrite)
  (equal (rv 'q4 state (count5)) (caddddr state)))
(prove-lemma next-count5 (rewrite)
  (implies (statep state (count5))
           (equal (next v state (count5))
                  (if (car v)
                      (listn 5 f)
                    (if (cadr v)
                        (modinc state)
                      state))))
  ((use (next (m (count5))))))
(prove-lemma count5-setup-rst (rewrite)
  (equal (setup 'rst (count5)) 8000))
(prove-lemma count5-setup-clear (rewrite)
  (equal (setup 'clear (count5)) 12000))
(prove-lemma count5-setup-enable (rewrite)
  (equal (setup 'enable (count5)) 12000))
(prove-lemma count5-per (rewrite)
  (equal (per (count5)) 24000))
(defseq rcount 2
  (clk rst stop start) (bit)
  (cdff (clk rst stop s1) (q qn))
  (count5 (clk rst stop q) (q0 q1 q2 q3 q4))
  (or2 (start q) (s1))
  (t0 () (t))
  (f0 () (f))
  (comp5 (t q0 f q1 f q2 t q3 f q4) (bit)))
(prove-lemma rcount-statep (rewrite)
  (equal (statep state (rcount))
         (and (boolp (car state))
              (bvpn (cadr state) 5)
              (equal (cddr state) ())))
  ((use (statep (m (rcount))))
   (disable boolp)))
(prove-lemma rv-rcount-bit (rewrite)
  (implies (statep state (rcount))
           (equal (rv 'bit state (rcount))
                  (equal (cadr state) (list t f f t f))))
  ((disable bvpn boolp)))
(prove-lemma next-rcount (rewrite)
  (implies (statep state (rcount))
           (equal (next v state (rcount))
                  (if (car v)
                      (list f (listn 5 f))
                    (list (if (cadr v) t (car state))
                          (if (car state)
                              (modinc (cadr state))
                            (cadr state))))))
  ((use (next (m (rcount)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))
(prove-lemma rcount-setup-rst (rewrite)
  (equal (setup 'rst (rcount)) 8000))
(prove-lemma rcount-setup-stop (rewrite)
  (equal (setup 'stop (rcount)) 12000))
(prove-lemma rcount-setup-start (rewrite)
  (equal (setup 'start (rcount)) 10000))
(prove-lemma rcount-per (rewrite)
  (equal (per (rcount)) 24000))
(defseq scount 2
  (clk rst stop bit) (mark code)
  (cdff (clk rst stop s1) (q qn))
  (count5 (clk rst s2 q) (q0 q1 q2 q3 q4))
  (or2 (bit q) (s1))
  (or2 (stop bit) (s2))
  (t0 () (t))
  (f0 () (f))
  (comp5 (f q0 f q1 t q2 f q3 f q4) (mark))
  (comp5 (t q0 f q1 f q2 f q3 t q4) (code)))
(prove-lemma scount-statep (rewrite)
  (equal (statep state (scount))
         (and (boolp (car state))
              (bvpn (cadr state) 5)
              (equal (cddr state) ())))
  ((use (statep (m (scount))))
   (disable boolp)))
(prove-lemma rv-scount-mark (rewrite)
  (implies (statep state (scount))
           (equal (rv 'mark state (scount))
                  (equal (cadr state) (list f f t f f))))
  ((disable bvpn boolp)))
(prove-lemma rv-scount-code (rewrite)
  (implies (statep state (scount))
           (equal (rv 'code state (scount))
                  (equal (cadr state) (list t f f f t))))
  ((disable bvpn boolp)))
(prove-lemma next-scount (rewrite)
  (implies (statep state (scount))
           (equal (next v state (scount))
                  (if (car v)
                      (list f (listn 5 f))
                    (if (cadr v)
                        (list t (listn 5 f))
                      (if (car state)
                          (list (car state) (modinc (cadr state)))
                        state)))))
  ((use (next (m (scount)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))
(prove-lemma scount-setup-rst (rewrite)
  (equal (setup 'rst (scount)) 8000))
(prove-lemma scount-setup-stop (rewrite)
  (equal (setup 'stop (scount)) 14000))
(prove-lemma scount-setup-bit (rewrite)
  (equal (setup 'bit (scount)) 14000))
(prove-lemma scount-per (rewrite)
  (equal (per (scount)) 24000))
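;;As an added example (not part of the report's Nqthm script), the behavioral
;;specifications stated by the lemmas NEXT-COUNT5, NEXT-RCOUNT, RV-RCOUNT-BIT,
;;NEXT-SCOUNT, RV-SCOUNT-MARK and RV-SCOUNT-CODE are restated below as an
;;executable Python model, so that the number of clock periods between START
;;and BIT, or between BIT and MARK or CODE, can be read off by stepping the
;;model. The bool-list encoding, the to_int helper and the cycles_until driver
;;are assumptions of this example.

```python
# Added example, not part of the Nqthm script: an executable model of the
# behavioral specifications stated by NEXT-COUNT5, NEXT-RCOUNT, RV-RCOUNT-BIT,
# NEXT-SCOUNT, RV-SCOUNT-MARK and RV-SCOUNT-CODE.
# Bit vectors are Python lists of bools, least significant bit first, so that
# index 0 plays the role of (car state) in the lemmas.  Input vectors omit
# clk and rst, exactly as the v argument of NEXT does.

def modinc(n):
    """MODINC: increment an LSB-first bit vector modulo 2**len(n)."""
    if not n:
        return n
    if n[0]:
        return [False] + modinc(n[1:])
    return [True] + n[1:]


def listn(k, x):
    """LISTN: a list of k copies of x."""
    return [x] * k


def next_count5(v, state):
    """NEXT-COUNT5: v = (clear enable).  Clear has priority over counting."""
    clear, enable = v
    if clear:
        return listn(5, False)
    return modinc(state) if enable else state


def next_rcount(v, state):
    """NEXT-RCOUNT: v = (stop start), state = (running count5-state)."""
    stop, start = v
    running, count = state
    if stop:
        return [False, listn(5, False)]
    return [True if start else running,
            modinc(count) if running else count]


def rv_rcount_bit(state):
    """RV-RCOUNT-BIT: BIT is high exactly when the counter holds (t f f t f)."""
    return state[1] == [True, False, False, True, False]


def next_scount(v, state):
    """NEXT-SCOUNT: v = (stop bit), state = (running count5-state)."""
    stop, bit = v
    running, count = state
    if stop:
        return [False, listn(5, False)]
    if bit:
        return [True, listn(5, False)]
    if running:
        return [running, modinc(count)]
    return state


def rv_scount_mark(state):
    """RV-SCOUNT-MARK: MARK is high when the counter holds (f f t f f)."""
    return state[1] == [False, False, True, False, False]


def rv_scount_code(state):
    """RV-SCOUNT-CODE: CODE is high when the counter holds (t f f f t)."""
    return state[1] == [True, False, False, False, True]


def to_int(bv):
    """Numeric value of an LSB-first bit vector (assumed helper for reading counters)."""
    return sum(1 << i for i, b in enumerate(bv) if b)


def cycles_until(next_fn, rv_fn, v, state, limit=64):
    """Clock a module with the constant input vector v and return how many
    NEXT steps elapse before rv_fn first holds (None if it never does).
    This driver is an assumption of the example, not a function of the report."""
    for k in range(limit):
        if rv_fn(state):
            return k
        state = next_fn(v, state)
    return None


if __name__ == "__main__":
    idle = [False, listn(5, False)]                 # constructed reset state
    started = next_rcount([False, True], idle)      # one START pulse
    print("rcount BIT after start:",
          cycles_until(next_rcount, rv_rcount_bit, [False, False], started))
    armed = next_scount([False, True], idle)        # one BIT pulse
    print("scount MARK:", cycles_until(next_scount, rv_scount_mark, [False, False], armed))
    print("scount CODE:", cycles_until(next_scount, rv_scount_code, [False, False], armed))
```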
(defseq rcvr 5
  (clk rst sin) (d0 d1 d2 d3 d4 d5 d6 d7 done)
  (edff (clk rst bit n1) (q qn))
  (rcount (clk rst bit n2) (bit))
  (count3 (clk rst bit) (q0 q1 q2))
  (shift8 (clk rst f bit x f f f f f f f f) (d0 d1 d2 d3 d4 d5 d6 d7))
  (dff (clk rst a) (done donen))
  (not1 (sin) (n1))
  (not1 (x) (n2))
  (xor2 (sin q) (x))
  (and4 (q0 q1 q2 bit) (a))
  (fo () (f)))

(prove-lemma rcvr-statep (rewrite)
  (equal (statep state (rcvr))
         (and (boolp (car state))
              (statep (cadr state) (rcount))
              (bvpn (caddr state) 3)
              (bvpn (cadddr state) 8)
              (boolp (caddddr state))
              (equal (cdddddr state) ())))
  ((use (statep (m (rcvr))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma rv-rcvr-d0 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd0 state (rcvr))
                  (caadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d1 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd1 state (rcvr))
                  (cadadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d2 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd2 state (rcvr))
                  (caddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d3 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd3 state (rcvr))
                  (cadddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d4 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd4 state (rcvr))
                  (caddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d5 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd5 state (rcvr))
                  (cadddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d6 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd6 state (rcvr))
                  (caddddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-d7 (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'd7 state (rcvr))
                  (cadddddddadddr state)))
  ((disable bvpn boolp)))

(prove-lemma rv-rcvr-done (rewrite)
  (implies (statep state (rcvr))
           (equal (rv 'done state (rcvr))
                  (caddddr state)))
  ((disable bvpn boolp)))

(prove-lemma next-rcvr-1 (rewrite)
  (implies (and (statep state (rcvr))
                (svecp v (rcvr))
                (equal (cadr state) (list f (listn 5 f)))
                (equal (caddddr state) f))
           (equal (next v state (rcvr))
                  (if (equal (car v) (car state))
                      (list (car state)
                            (list t (listn 5 f))
                            (caddr state)
                            (cadddr state)
                            f)
                    state)))
  ((use (next (m (rcvr)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)
   (enable cons-car-nil)))

(prove-lemma bvp3-t (rewrite)
  (implies (and (bvpn v 3)
                (car v)
                (cadr v)
                (caddr v))
           (equal (equal v (list t t t)) t)))

(prove-lemma next-rcvr-2 (rewrite)
  (implies (and (statep state (rcvr))
                (svecp v (rcvr))
                (equal (caadr state) t)
                (equal (caddddr state) f))
           (equal (next v state (rcvr))
                  (if (equal (cadadr state) (list t f f t f))
                      (list (not (car v))
                            (list f (listn 5 f))
                            (modinc (caddr state))
                            (shift (not (equal (car v) (car state))) (cadddr state))
                            (equal (caddr state) (list t t t)))
                    (list (car state)
                          (list t (modinc (cadadr state)))
                          (caddr state)
                          (cadddr state)
                          f))))
  ((use (next (m (rcvr)))
        (boolp (x (car state))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)
   (enable cons-car-nil)))

(prove-lemma rcvr-setup-rst (rewrite)
  (equal (setup 'rst (rcvr)) 8000))

(prove-lemma rcvr-setup-sin (rewrite)
  (equal (setup 'sin (rcvr)) 16000))

(prove-lemma rcvr-per (rewrite)
  (equal (per (rcvr)) 24000))
(defseq sndr 4
  (clk rst send d0 d1 d2 d3 d4 d5 d6 d7) (sout)
  (scount (clk rst a4 o2) (mark code))
  (shift8 (clk rst send code f d0 d1 d2 d3 d4 d5 d6 d7) (q0 q1 q2 q3 q4 q5 q6 q7))
  (count3 (clk rst mark) (c0 c1 c2))
  (edff (clk rst o3 sout) (q sout))
  (or2 (code send) (o2))
  (and2 (q7 mark) (a2))
  (and4 (mark c0 c1 c2) (a4))
  (or3 (a2 send code) (o3))
  (fo () (f)))

(prove-lemma sndr-statep (rewrite)
  (equal (statep state (sndr))
         (and (statep (car state) (scount))
              (bvpn (cadr state) 8)
              (bvpn (caddr state) 3)
              (boolp (cadddr state))
              (equal (cddddr state) ())))
  ((use (statep (m (sndr))))
   (disable boolp bvpn-rewrite-1 bvpn-rewrite-2)))

(prove-lemma rv-sndr-sout (rewrite)
  (implies (statep state (sndr))
           (equal (rv 'sout state (sndr))
                  (not (cadddr state))))
  ((disable bvpn boolp)))

(prove-lemma regp-sndr-sout (rewrite)
  (regp 'sout (sndr)))

(prove-lemma boolp-car-listp (rewrite)
  (implies (boolp (car v))
           (listp v)))

(disable boolp-car-listp)

(prove-lemma equal-list-4 (rewrite)
  (implies (and (equal a (car s))
                (equal b (cadr s))
                (equal c (caddr s))
                (equal d (cadddr s))
                (equal () (cddddr s)))
           (equal (equal (list a b c d) s)
                  t)))

(prove-lemma next-sndr-1 (rewrite)
  (implies (and (statep state (sndr))
                (svecp v (sndr))
                (equal (car state) (list f (listn 5 f))))
           (equal (next v state (sndr))
                  (if (car v)
                      (list (list t (listn 5 f))
                            (list (cadr v)
                                  (caddr v)
                                  (cadddr v)
                                  (caddddr v)
                                  (cadddddr v)
                                  (caddddddr v)
                                  (cadddddddr v)
                                  (caddddddddr v))
                            (caddr state)
                            (not (cadddr state)))
                    state)))
  ((use (next (m (sndr)))
        (boolp (x (cadddr state))))
   (disable boolp)
   (enable cons-car-nil boolp-car-listp)))

(prove-lemma next-sndr-2 (rewrite)
  (implies (and (statep state (sndr))
                (svecp v (sndr))
                (not (car v))
                (equal (caar state) t))
           (equal (next v state (sndr))
                  (if (equal (cadar state) (list f f t f f)) ;mark
                      (if (equal (caddr state) (list t t t)) ;8th bit
                          (list (list f (listn 5 f))
                                (cadr state)
                                (list f f f)
                                (if (cadddddddadr state)
                                    (not (cadddr state))
                                  (cadddr state)))
                        (list (list t (modinc (cadar state)))
                              (cadr state)
                              (modinc (caddr state))
                              (if (cadddddddadr state)
                                  (not (cadddr state))
                                (cadddr state))))
                    (if (equal (cadar state) (list t f f f t)) ;code
                        (list (list t (listn 5 f))
                              (shift f (cadr state))
                              (caddr state)
                              (not (cadddr state)))
                      (list (list t (modinc (cadar state)))
                            (cadr state)
                            (caddr state)
                            (cadddr state))))))
  ((use (next (m (sndr)))
        (boolp (x (cadddr state))))
   (disable boolp)
   (enable cons-car-nil boolp-car-listp)))

(prove-lemma sndr-setup-rst (rewrite)
  (equal (setup 'rst (sndr)) 8000))

(prove-lemma sndr-setup-send (rewrite)
  (equal (setup 'send (sndr)) 16000))

(prove-lemma sndr-setup-d0 (rewrite)
  (equal (setup 'd0 (sndr)) 14000))

(prove-lemma sndr-setup-d1 (rewrite)
  (equal (setup 'd1 (sndr)) 14000))

(prove-lemma sndr-setup-d2 (rewrite)
  (equal (setup 'd2 (sndr)) 14000))

(prove-lemma sndr-setup-d3 (rewrite)
  (equal (setup 'd3 (sndr)) 14000))

(prove-lemma sndr-setup-d4 (rewrite)
  (equal (setup 'd4 (sndr)) 14000))

(prove-lemma sndr-setup-d5 (rewrite)
  (equal (setup 'd5 (sndr)) 14000))

(prove-lemma sndr-setup-d6 (rewrite)
  (equal (setup 'd6 (sndr)) 14000))

(prove-lemma sndr-setup-d7 (rewrite)
  (equal (setup 'd7 (sndr)) 14000))

(prove-lemma sndr-per (rewrite)
  (equal (per (sndr)) 26000))
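The Python program below is an added example; it is not part of the report or of the Nqthm development listed above. It transcribes the next-state functions stated by the lemmas next-sndr-1, next-sndr-2, next-rcvr-1 and next-rcvr-2 into two executable state machines, clocks them with the periods given by sndr-per (26000) and rcvr-per (24000), and checks that bytes presented on d0..d7 together with send are reproduced on the receiver's d0..d7 when done is asserted. It also records where each receiver sample falls within its cell, which makes visible the margin the 24000/26000 clock ratio leaves between the mark transition and the next code transition. Several points are this example's own assumptions rather than facts from the page: the reading of the report's shift function (the new bit enters at q0/d0 and the last element drops off), the convention that d0 is the least significant bit, the behaviour of rcvr in the cycle in which done is true (the lemmas above are stated for done = f), the inter-frame gap of one cell time, and the treatment of a sin transition inside the 16000 setup window (rcvr-setup-sin) as an unstable sample whose value is chosen by a caller-supplied policy.

```python
# Simulation of the sndr/rcvr state machines given by the lemmas above (added example).
SNDR_PER, RCVR_PER = 26000, 24000   # sndr-per, rcvr-per (picoseconds, as in the report)
RCVR_SETUP_SIN = 16000              # rcvr-setup-sin
MARK, CODE = 4, 17                  # scount counts (f f t f f) and (t f f f t)
SAMPLE, LAST = 9, 7                 # rcount count (t f f t f), count3 value (t t t)

def shift_in(bit, reg):
    """ASSUMED reading of the report's `shift`: new bit enters at index 0, last drops
    off (so q7 = d7 is sent first and rcvr finishes with d_i = sender d_i)."""
    return [bit] + reg[:-1]

class Sndr:
    """sndr state (scount, shift8, count3, q); sout = not q (rv-sndr-sout)."""
    def __init__(self):
        self.active, self.cnt, self.shift = False, 0, [False] * 8
        self.count3, self.q = 0, False

    def step(self, send, data):
        """One sndr clock edge, transcribed from next-sndr-1 and next-sndr-2."""
        if not self.active:                          # next-sndr-1: idle
            if send:
                self.active, self.cnt, self.shift = True, 0, list(data)
                self.q = not self.q                  # opening transition of the frame
            return
        if send:
            raise ValueError("next-sndr-2 is stated for send = f only")
        if self.cnt == MARK:                         # mid-cell: transition iff q7 = 1
            if self.shift[7]:
                self.q = not self.q
            if self.count3 == LAST:                  # eighth bit sent: stop
                self.active, self.cnt, self.count3 = False, 0, 0
            else:
                self.cnt, self.count3 = (self.cnt + 1) % 32, (self.count3 + 1) % 8
        elif self.cnt == CODE:                       # cell boundary: always transition
            self.cnt, self.shift, self.q = 0, shift_in(False, self.shift), not self.q
        else:
            self.cnt = (self.cnt + 1) % 32

class Rcvr:
    """rcvr state (q, rcount, count3, shift8, done)."""
    def __init__(self):
        self.q, self.ractive, self.rcnt = False, False, 0
        self.count3, self.data, self.done = 0, [False] * 8, False

    def step(self, sin):
        """One rcvr clock edge, transcribed from next-rcvr-1 and next-rcvr-2 (both stated
        for done = f; ASSUMED to apply for done = t too, since the done dff feeds nothing)."""
        if not self.ractive:                         # next-rcvr-1: wait for a transition
            if sin == self.q:                        # start = not (sin xor q)
                self.ractive, self.rcnt = True, 0
            self.done = False
        elif self.rcnt != SAMPLE:                    # next-rcvr-2: keep counting
            self.rcnt, self.done = (self.rcnt + 1) % 32, False
        else:                                        # next-rcvr-2: sample the line
            x = sin != self.q                        # xor2 (sin q): 1 iff a mark transition
            self.done = self.count3 == LAST
            self.data = shift_in(x, self.data)
            self.count3 = (self.count3 + 1) % 8
            self.q = not sin                         # edff loads n1 = not sin
            self.ractive, self.rcnt = False, 0       # stop = bit

def transmit(bytes_out, resolve=lambda old, new: new, gap=CODE + 1, limit=10**8):
    """Clock sndr at SNDR_PER and rcvr at RCVR_PER, send each byte (d0 = LSB, this
    example's convention) and return (bytes reported with done, offset of each sample
    from the start of its cell).  A receiver edge within RCVR_SETUP_SIN of a change on
    the line samples resolve(old, new).  ASSUMED: `gap` idle sender cycles between frames."""
    s, r = Sndr(), Rcvr()
    pending = [[bool(b >> i & 1) for i in range(8)] for b in bytes_out]
    line = prev = not s.q
    changed_at, cell_start, idle = -10**12, 0, gap
    received, offsets, t_s, t_r = [], [], 0, 0
    while t_s <= limit and len(received) < len(bytes_out):
        if t_s <= t_r:                               # sender edge (goes first on a tie)
            send = not s.active and idle >= gap and bool(pending)
            s.step(send, pending.pop(0) if send else [False] * 8)
            idle = 0 if s.active else idle + 1
            if (not s.q) != line:
                prev, line, changed_at = line, not s.q, t_s
                if s.active and s.cnt == 0:          # opening or code transition
                    cell_start = t_s
            t_s += SNDR_PER
        else:                                        # receiver edge
            sin = line if t_r - changed_at >= RCVR_SETUP_SIN else resolve(prev, line)
            if r.ractive and r.rcnt == SAMPLE:
                offsets.append(t_r - cell_start)
            r.step(sin)
            if r.done:
                received.append(sum(r.data[i] << i for i in range(8)))
            t_r += RCVR_PER
    return received, offsets

if __name__ == "__main__":
    for name, policy in (("new", lambda o, n: n), ("old", lambda o, n: o)):
        rx, offs = transmit([0xA5, 0x3C, 0x00, 0xFF], resolve=policy)
        print(name, [hex(b) for b in rx], min(offs), max(offs))
```

Running the module prints the received bytes and the earliest and latest sample offsets under both resolutions of an unstable sample. With the periods above, every sample lands between 240000 and 280000 after the opening or code transition of its cell, which is after the mark transition at 130000 plus the 16000 setup window and well before the next code transition at 468000, so the sampled value is stable whichever way an edge inside the setup window resolves. The gap between frames matters: the sender goes idle at the eighth mark, but the receiver does not sample that bit until roughly 134000 to 158000 later, so a new frame started on the very next sender cycle would place its opening transition before that sample; the example therefore keeps a full cell time idle before asserting send again.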
REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)
2. Report Date: January 1995
3. Report Type and Dates Covered: Contractor Report
4. Title and Subtitle: Specification and Verification of Gate-Level VHDL Models of Synchronous and Asynchronous Circuits
5. Funding Numbers: C NAS1-18878; WU 505-64-10-13
6. Author(s): David M. Russinoff
7. Performing Organization Name(s) and Address(es): Computational Logic, Inc., 1717 W. Sixth St., Suite 290, Austin, TX 78703-4776
9. Sponsoring/Monitoring Agency Name(s) and Address(es): National Aeronautics and Space Administration, Langley Research Center, Hampton, VA 23681-0001
10. Sponsoring/Monitoring Agency Report Number: NASA CR-191608
11. Supplementary Notes: Langley Technical Monitor: Ricky W. Butler. Final Report.
12a. Distribution/Availability Statement: Unclassified-Unlimited; Subject Category 62
14. Subject Terms: VHDL; Formal Verification; Asynchronous Communication; Modeling; Theorem Proving
16. Price Code: A07
17. Security Classification of Report: Unclassified
18. Security Classification of This Page: Unclassified
NSN 7540-01-280-5500    Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. Z39-18, 298-102