## THE FORMAL SPECIFICATION OF A MICROPROCESSOR INSTRUCTION SET



Copyright (c) 1987 Jonathan Bowen

Oxford University Computing Laboratory
Programming Research Group
8-11 Keble Road
Oxford OX1 3QD
England

Electronic mail: bowen@uk.ac.oxford.prg (JANET)

To Jane and Alice

"I only took the regular course ... the different branches of Arithmetic .. Ambition, Distraction, Uglification and Derision."
-- Lewis Carroll


# The Formal Specification of a Microprocessor Instruction Set

Jonathan Bowen


#### Abstract

The specification language $Z$ is used to define a microprocessor based system in a formal notation. The Motorola 6800 8-bit microprocessor is chosen as an example. Its simplicity allows the entire instruction set to be covered. Memory configuration and interrupts are also included. The use of a formal description language allows the possibility of verification of the instruction set. Additionally, the use of $Z$ combined with informal text is sufficiently readable for the specification to be used for documentation purposes.


## Contents

1. Introduction
2. Basic Concepts
2.1 Word organisation
2.2 Bitwise functions
2.3 Shift functions
2.4 Arithmetic functions
2.5 Test conditions
2.6 Hexadecimal notation
3. State
3.1 Memory
3.2 Registers
3.3 System clock
3.4 M6800 system
3.5 Power-up
4. Interrupts
5. Instructions
5.1 Addressing modes
5.2 Accumulator and Memory instructions
5.3 Index Register and Stack instructions
5.4 Branch and Jump instructions
5.5 Condition Code Register instructions
5.6 Miscellaneous instructions
6. Overall operation
7. Conclusion
8. Acknowledgements
9. References
Appendix A. Example manual pages
Appendix B. Mathematical and Schema notation

## 1. Introduction

Currently, computer instruction sets are normally documented using tables, semi-formal formulae and informal text. This monograph attempts to show that they may be described just as easily and with more precision using formal specification methods. Microprocessors have been formally specified previously [1]. Often these specifications have been difficult to understand since they have not been designed for documentation purposes. The specification given here concentrates on presenting a specification which is readable by humans as well as computers.

In this monograph, the specification language $Z$ [2-7], developed at the Programming Research Group, is used to define the instruction set for an 8-bit microprocessor, the Motorola 6800. As well as the instruction set, interrupts and memory configuration are also covered. Readers not familiar with the 6800 are referred to its programming manual [8] or instruction set summary card [9]. These may also be used as a comparison with the description given here.

It was felt that a complete microprocessor instruction set should be attempted in order to detect any possible weaknesses in the use of $Z$ for such a task. The relatively simple 6800 processor was chosen because this allowed the entire instruction set of a real microprocessor to be specified. A processor such as one of the 68000 family was deliberately not selected for an initial attempt at such a specification since its greater complexity would either require a good deal more work, or for many features not to be included.

Some of the material covered here is generally useful for any microprocessor based system. Hence any subsequent specifications could draw on this groundwork.

## 2. Basic Concepts

### 2.1 Word organisation

Machines such as microprocessors generally manipulate bits. These are organised into non-zero length finite words. By convention, bit positions are numbered from zero up.

$$
\text{Bit} \mathrel{\hat{=}} \{0, 1\}
$$



Often the least significant bit (LSB) and most significant bit (MSB) of a word are of particular interest.

$$
\begin{aligned}
& \text{LSB, MSB} : \text{Word} \rightarrow \text{Bit} \\
& \forall w : \text{Word} \bullet \\
& \quad \text{LSB } w = w\,0 \;\wedge \\
& \quad \text{MSB } w = w\,(\# w - 1)
\end{aligned}
$$

Each bit pattern in a word uniquely maps to a particular numerical value.

$$
\begin{aligned}
& \text{val} : \text{Word} \rightarrow \mathbb{N} \\
& \forall w : \text{Word} \bullet \\
& \quad \# w = 1 \Rightarrow \text{val } w = \text{LSB } w \;\wedge \\
& \quad \# w > 1 \Rightarrow \text{val } w = \text{LSB } w + 2 * \text{val}\,(\text{succ} \mathbin{;} w)
\end{aligned}
$$

It is sometimes useful to set all of the bits in a word to a particular value, whatever their previous value.

$$
\begin{aligned}
& \_ \text{ set } \_ : (\text{Word} \times \text{Bit}) \rightarrow \text{Word} \\
& \forall w : \text{Word};\ b : \text{Bit} \bullet \\
& \quad w \text{ set } b = w \mathbin{;} \{0 \mapsto b, 1 \mapsto b\}
\end{aligned}
$$

A word contains its maximum unsigned value when all the bits are set to 1's.

$$
\begin{aligned}
& \text{maxval} : \text{Word} \rightarrow \mathbb{N} \\
& \forall w : \text{Word} \bullet
\end{aligned}
$$

For convenience, we define a function to generate a word of particular size and value:

$$
\begin{aligned}
& \text{wrd} : \mathbb{N}_{1} \rightarrow \mathbb{N} \rightarrow \text{Word} \\
& \forall \text{size} : \mathbb{N}_{1};\ \text{value} : \mathbb{N};\ w : \text{Word} \bullet \\
& \quad \text{wrd size value} = w \Leftrightarrow \\
& \qquad \# w = \text{size} \;\wedge \\
& \qquad \text{val } w = \text{value} \bmod \text{succ}\,(\text{maxval } w)
\end{aligned}
$$

Sometimes it is useful to concatenate words together since processors can often handle multiples of some base size of word. These two words may be of differing sizes for complete generality.

The number of bits in the resulting word is the sum of the number of bits in each of the words being concatenated:

$$
\vdash \forall w_{1}, w_{2} : \text{Word} \bullet \#(w_{1} \frown w_{2}) = \# w_{1} + \# w_{2}
$$

The high and low halves of a word may be projected using two functions. These projections can be concatenated to form the original word.

$$
\begin{aligned}
& \text{lo, hi} : \text{Word} \rightarrow \text{Word} \\
& \forall w : \text{Word} \bullet
\end{aligned}
$$

$$
\vdash \forall w : \text{Word} \bullet w = \text{lo}(w) \frown \text{hi}(w)
$$

### 2.2 Bitwise functions

Bitwise logical functions involve individual bits. A bit may be complemented:

$$
\begin{array}{|l}
\sim: \text { Bit } \rightarrow \text { Bit } \\
\sim=\{0 \mapsto 1,1 \mapsto 0\}
\end{array}
$$

We can also AND, (inclusive) OR and (exclusive) XOR pairs of bits by providing the relevant truth table in each case:

$$
\begin{aligned}
& \text { - }=\{(0,0) \mapsto 0, \quad(0,1) \mapsto 0, \quad(1,0) \mapsto 0, \quad(1,1) \mapsto 1\} \\
& +=\{(0,0) \mapsto 0,(0,1) \mapsto 1, \quad(1,0) \mapsto 1, \quad(1,1) \mapsto 1\} \\
& \oplus=\{(0,0) \mapsto 0, \quad(0,1) \mapsto 1, \quad(1,0) \mapsto 1, \quad(1,1) \mapsto 0\}
\end{aligned}
$$

Most microprocessors allow bitwise logical operations on words. For instance, a word may be (1's) complemented, i.e. all 0 bits are changed to 1's and all 1's are changed to 0's. This is sometimes referred to as a bitwise logical NOT operation. We can upgrade the definition for a bit to a function which applies to a word:

$$
\begin{aligned}
& \sim\; : \text{Word} \rightarrow \text{Word} \\
& \forall w : \text{Word} \bullet
\end{aligned}
$$

Many bitwise operations take pairs of bits as input (e.g. those described above).

$$
\begin{aligned}
& \text{WordPair} \mathrel{\hat{=}} \{w : \mathbb{N} \rightarrow (\text{Bit} \times \text{Bit}) \mid \# w > 0 \wedge \text{dom } w = 0\,..\,\# w - 1\} \\
& \_ \text{ pair } \_ : (\text{Word} \times \text{Word}) \rightarrow \text{WordPair} \\
& \forall w_{1}, w_{2} : \text{Word} \bullet \\
& \quad w_{1} \text{ pair } w_{2} = \{i : \mathbb{N} \mid i \in \text{dom } w_{1} \cap \text{dom } w_{2} \bullet i \mapsto (w_{1}\,i, w_{2}\,i)\}
\end{aligned}
$$

The corresponding pairs of bits in a pair of words may now be ANDed, ORed, and XORed, again by upgrading the equivalent bit functions:

### 2.3 Shift functions

A word may be shifted left or right. In this case, the bottom (LSB) or top (MSB) bit of the word can attain a certain value, depending on the type of shift (e.g. arithmetic, logical or rotation).

$$
\begin{aligned}
& \forall w : \text{Word};\ b : \text{Bit} \bullet \\
& \quad w \ll b = (\{\# w\} \mathbin{\text{⩤}} \text{pred} \mathbin{;} w) \cup \{0 \mapsto b\} \;\wedge
\end{aligned}
$$

### 2.4 Arithmetic functions

Microprocessors normally allow arithmetic operations. For example, a word may be incremented or decremented. The result wraps around if there is overflow or underflow in each case.

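$$
\begin{aligned}
& \text{inc, dec} : \text{Word} \rightarrow \text{Word} \\
& \forall w : \text{Word} \bullet \\
& \quad \text{inc } w = \text{wrd } \# w\ (\text{succ} \oplus \{\text{maxval } w \mapsto 0\})(\text{val } w) \;\wedge \\
& \quad \text{dec } w = \text{wrd } \# w\ (\{0 \mapsto \text{maxval } w\} \cup \text{pred})(\text{val } w)
\end{aligned}
$$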

Incrementing and then decrementing a word (or vice versa) leaves it unchanged. Additionally one is the inverse of the other.

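$$
\begin{aligned}
& \vdash \text{inc} \mathbin{;} \text{dec} = \text{dec} \mathbin{;} \text{inc} = \text{id}[\text{Word}] \\
& \vdash \text{dec} = \text{inc}^{-1}
\end{aligned}
$$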

This may be generalised for addition and subtraction by repeatedly incrementing or decrementing a word:

$$
\begin{aligned}
& \_ + \_,\ \_ - \_ : (\text{Word} \times \mathbb{N}) \rightarrow \text{Word} \\
& \forall w : \text{Word};\ i : \mathbb{N} \bullet \\
& \quad w + i = \text{inc}^{i}\, w \;\wedge \\
& \quad w - i = \text{dec}^{i}\, w
\end{aligned}
$$

Similarly, a second word, possibly of a different size, may be added to or subtracted from a word. The size of the resulting word is determined by the first word.

$$
\begin{aligned}
& \_ + \_,\ \_ - \_ : (\text{Word} \times \text{Word}) \rightarrow \text{Word} \\
& \forall w_{1}, w_{2} : \text{Word} \bullet \\
& \quad w_{1} + w_{2} = w_{1} + (\text{val } w_{2}) \;\wedge \\
& \quad w_{1} - w_{2} = w_{1} - (\text{val } w_{2})
\end{aligned}
$$

Some operations can return the 2's complement (negation) of a word:

$$
\begin{aligned}
& - : \text{Word} \rightarrow \text{Word} \\
& \forall w : \text{Word} \bullet \\
& \quad -w = (w \text{ set } 0) - w
\end{aligned}
$$

Note that the 1's complement (bitwise logical NOT) and 2's complement (negation) of a word are related as follows:

$$
\vdash \forall w : \text{Word} \bullet -w = \text{inc}(\sim w)
$$

Sometimes it is useful to "sign-extend" a word into another (normally longer) word. This involves setting any extra bits to the value of the most significant bit (the "sign" bit) in the first word. The rest of the bits in the resulting word are set to the values of the equivalent bits in the first word.

$$
\begin{aligned}
& \_ \text{ signext } \_ : (\text{Word} \times \text{Word}) \rightarrow \text{Word} \\
& \forall w_{1}, w_{2} : \text{Word} \bullet \\
& \quad w_{1} \text{ signext } w_{2} = (w_{2} \text{ set } (\text{MSB } w_{1})) \oplus w_{1}
\end{aligned}
$$

A word can be used as a signed relative offset. The value of the top bit determines the direction of the offset.

$$
\begin{aligned}
& \_ \pm \_ : (\text{Word} \times \text{Word}) \rightarrow \text{Word} \\
& \forall w_{1}, w_{2} : \text{Word} \bullet \\
& \quad w_{1} \pm w_{2} = w_{1} + (w_{2} \text{ signext } w_{1})
\end{aligned}
$$

This is particularly useful for branch instructions which usually allow a relative branch forwards and backwards.
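The word functions of sections 2.1 to 2.4 can be run and their stated properties checked exhaustively for small word sizes. The following Python model is an added example, not part of the original monograph; the function names `set_all`, `complement`, `neg`, `concat`, `offset`, `iterate` and `check_laws` are chosen here, and `add`/`sub` use modular arithmetic that `check_laws` compares against the iterated `inc`/`dec` definition.

```python
"""Word functions of sections 2.1-2.4 as executable code (added example).

A word is a tuple of bits indexed from 0 (the LSB), mirroring the
specification's view of a word as a function from bit positions to Bit.
"""

def val(w):
    """Unsigned value: LSB w + 2 * val of the remaining bits."""
    return sum(bit << i for i, bit in enumerate(w))

def wrd(size, value):
    """The word of `size` bits whose value is `value` mod succ(maxval)."""
    if size < 1:
        raise ValueError("a word has at least one bit")
    value %= 1 << size
    return tuple((value >> i) & 1 for i in range(size))

def msb(w):
    return w[len(w) - 1]

def set_all(w, b):
    """'w set b': every bit position of w takes the value b."""
    return tuple(b for _ in w)

def maxval(w):
    """Value of the word with all bits set to 1."""
    return val(set_all(w, 1))

def inc(w):
    v = val(w)                      # succ overridden by {maxval w -> 0}
    return wrd(len(w), 0 if v == maxval(w) else v + 1)

def dec(w):
    v = val(w)                      # {0 -> maxval w} united with pred
    return wrd(len(w), maxval(w) if v == 0 else v - 1)

def add(w, i):
    """w + i; equal to inc applied i times (checked in check_laws)."""
    return wrd(len(w), val(w) + i)

def sub(w, i):
    """w - i; equal to dec applied i times (checked in check_laws)."""
    return wrd(len(w), val(w) - i)

def complement(w):
    """1's complement: the bit complement applied at every position."""
    return tuple(1 - b for b in w)

def neg(w):
    """2's complement: (w set 0) - w, the second word taken by value."""
    return sub(set_all(w, 0), val(w))

def concat(low, high):
    """low ^ high: `low` keeps positions 0.., `high` is placed above it."""
    return low + high

def signext(w1, w2):
    """(w2 set (MSB w1)) overridden by w1: w1 widened to the size of w2."""
    size = max(len(w1), len(w2))
    return tuple(w1[i] if i < len(w1) else msb(w1) for i in range(size))

def offset(w1, w2):
    """w1 +/- w2: w2 used as a signed relative offset from w1."""
    return add(w1, val(signext(w2, w1)))

def iterate(f, n, w):
    for _ in range(n):
        w = f(w)
    return w

def check_laws(size):
    """Exhaustively check the stated properties for every word of `size` bits."""
    for v in range(1 << size):
        w = wrd(size, v)
        assert inc(dec(w)) == w and dec(inc(w)) == w   # inc and dec are inverses
        assert neg(w) == inc(complement(w))            # -w = inc(~w)
        assert add(w, 5) == iterate(inc, 5, w)         # w + i = inc^i w
        assert sub(w, 5) == iterate(dec, 5, w)         # w - i = dec^i w
        assert len(concat(w, w)) == 2 * len(w)         # #(w1 ^ w2) = #w1 + #w2
    return True
```

With a 16-bit address and an 8-bit offset, `offset` gives the signed displacement that the relative branch mode relies on: an offset byte of 0xFE moves two locations backwards.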

### 2.5 Test conditions

Most microprocessors contain a status word which contains bits related to the results of previous operations. Different operations may affect different bits. Sometimes different operations affect the same bit in (possibly subtly) different ways.

Often we wish to test whether a word has a zero value, returning a '1' if it has and a '0' if not:

$$
\begin{aligned}
& \text{zero} : \text{Word} \rightarrow \text{Bit} \\
& \forall w : \text{Word} \bullet \\
& \quad \text{ran } w = \{0\} \Rightarrow \text{zero } w = 1 \;\wedge \\
& \quad \text{ran } w \neq \{0\} \Rightarrow \text{zero } w = 0
\end{aligned}
$$

Conversely, we may wish to test whether a word contains all 1's, returning a '1' if it does and a '0' if not. This test can not usually be performed by microprocessors explicitly (unlike the test for zero above). However it can still be useful for the specification of other test conditions (see later).

$$
\begin{aligned}
& \text{ones} : \text{Word} \rightarrow \text{Bit} \\
& \forall w : \text{Word} \bullet \\
& \quad \text{ones } w = \text{zero}(\sim w)
\end{aligned}
$$

Testing for a negative value can be performed by most microprocessors, returning a '1' if it is negative and a '0' if not. Negative words have the top "sign" bit set. Hence this function can be performed by the previously defined MSB function.

### 2.6 Hexadecimal notation

Most microprocessor documentation uses hexadecimal values for op-codes, addresses and so forth, since this notation may easily be converted to the corresponding bit pattern. Each digit is the equivalent of four bits. Hexadecimal digits are drawn from the set of characters (CHAR) and consist of the decimal digits '0' to '9' and the letters 'A' to 'F'. Each of these hexadecimal digits uniquely maps to a numerical value:

$$
[\text{CHAR}]
$$

We can define a function to handle a sequence of hexadecimal digits (i.e. a hexadecimal number). We shall employ the widely used notation of prefixing 0x to the hexadecimal string.

$$
\begin{aligned}
& \text{0x} : (\text{seq CHAR}) \rightarrow \mathbb{N} \\
& \text{0x}\langle\rangle = 0 \\
& \forall s : \text{seq}_{1}\,\text{CHAR} \mid \text{ran } s \subseteq \text{dom hex} \bullet \\
& \quad \text{0x}\,s = 16 * \text{0x}(\text{front } s) + \text{hex}(\text{last } s)
\end{aligned}
$$

An alternative possibility would be to postfix the letter $H$ (i.e. to define a similar postfix function, _H).

## 3. State

We shall consider the state of a 6800 based system in three parts, covering static conditions and then changes in state in each case:

1. Memory
2. Registers
3. System clock

We shall then combine these and consider changes in state of the entire system (as defined above) when an instruction is executed or an interrupt occurs. Finally, the state of the system when it powers up is detailed.

The 6800 operates on 8-bit bytes of data and 16-bit addresses:

$$
\begin{aligned}
\text{Byte} &\mathrel{\hat{=}} \{w : \text{Word} \mid \# w = 8\} \\
\text{Address} &\mathrel{\hat{=}} \{w : \text{Word} \mid \# w = 16\}
\end{aligned}
$$

The following functions convert values to data bytes and addresses respectively:

$$
\begin{aligned}
\text{data} &\mathrel{\hat{=}} (\text{wrd } 8) \\
\text{addr} &\mathrel{\hat{=}} (\text{wrd } 16)
\end{aligned}
$$

Some numerical values have known ranges. In particular, some numbers will fit into a nibble (4 bits), a data byte (8 bits) and a word address (16 bits). It is useful to define these ranges.

$$
\begin{aligned}
\text{Value}_{4} &\mathrel{\hat{=}} 0\,..\,2^{4} - 1 \\
\text{Value}_{8} &\mathrel{\hat{=}} 0\,..\,2^{8} - 1 \\
\text{Value}_{16} &\mathrel{\hat{=}} 0\,..\,2^{16} - 1
\end{aligned}
$$

### 3.1 Memory

The address space of the 6800 (and many other microprocessors) may be considered as a total function from Addresses to Bytes. We shall assume that ROM (Read Only Memory) and RAM (Random Access Memory) make up the available real memory. These two areas do not overlap.

$$
\begin{aligned}
& \text{Memory} \\
& \text{Mem} : \text{Address} \rightarrow \text{Byte} \\
& \text{ROM, RAM} : \mathbb{F}\ \text{Address} \\
& \text{RAM} \cap \text{ROM} = \emptyset
\end{aligned}
$$

The memory may be updated by operations such as instructions and interrupts. In this case, the ROM and RAM areas (i.e. their domains) do not change. The RAM contents may be partially updated by an instruction or interrupt. Areas outside valid ROM and RAM may vary unpredictably and are thus not defined by this specification. The values in ROM do not vary. Only values in RAM may be updated reliably. Additionally, some operations do not affect the RAM contents.

$$
\Xi\text{Memory} \mathrel{\hat{=}} \Delta\text{Memory} \mid \delta\text{Mem} = \emptyset
$$

Note that the assumptions above are not strictly true in all cases. For example, it is possible to have software switchable banked memory. However they hold for the majority of simple systems. In practice areas outside ROM and RAM may be used for memory mapped I/O. This is not covered here since it is very system dependent. It could be considered separately.

### 3.2 Registers

The 6800 has a number of registers:

Most of these are 8-bit registers:

$$
\text{Regs}_{8} \mathrel{\hat{=}} \{A, B, CCR, PC_{H}, PC_{L}, SP_{H}, SP_{L}, X_{H}, X_{L}\}
$$

Two of the 8-bit registers are general purpose accumulators:

$$
\text{Accumulator} \mathrel{\hat{=}} \{A, B\}
$$

Some of the registers are normally used in pairs, so that they may be used to hold 16 bit memory addresses:

$$
\text{Regs}_{16} \mathrel{\hat{=}} \{PC, SP, X\}
$$

The 8-bit registers always contain byte values and the 16-bit registers always contain address values. The low and high bytes of the PC, SP and $X$ registers concatenate to form 16-bit registers. The top two bits of the CCR are unused and are always set to 1.

$$
\begin{aligned}
& \text{Registers} \\
& \text{Reg} : \text{Regs} \rightarrow \text{Word} \\
& \text{Reg}(\!|\,\text{Regs}_{8}\,|\!) \subseteq \text{Byte} \\
& \text{Reg}(\!|\,\text{Regs}_{16}\,|\!) \subseteq \text{Address} \\
& \text{Reg}(PC) = \text{Reg}(PC_{L}) \frown \text{Reg}(PC_{H}) \\
& \text{Reg}(SP) = \text{Reg}(SP_{L}) \frown \text{Reg}(SP_{H}) \\
& \text{Reg}(X) = \text{Reg}(X_{L}) \frown \text{Reg}(X_{H}) \\
& \text{Reg } CCR\,(\!|\,6\,..\,7\,|\!) = \{1\}
\end{aligned}
$$

Any of the registers may be updated by an instruction (or interrupt). Every instruction consists of one or more bytes. (External interrupts have no bytes.) Normally the next instruction to be executed is the instruction following the current instruction. This may be overridden, for example by a branch instruction (see later). Individual bits in the Condition Code Register may be updated by the instruction depending on the result of the operation. However the top two bits of the CCR remain set to 1's even if the instruction attempts to overwrite them.

$$
\begin{aligned}
& \Delta\text{Registers} \\
& \text{Registers} \\
& \text{Registers}' \\
& \text{NBytes} : \mathbb{N} \\
& \text{Next} : \text{Address} \\
& \delta\text{Reg} : \text{Regs} \rightarrow \text{Word} \\
& \delta\text{CCR} : (0\,..\,7) \rightarrow \text{Bit} \\
& \text{Next} = \text{Reg}(PC) + \text{NBytes} \\
& \text{Reg}' = \text{Reg} \oplus \{PC \mapsto \text{Next}\} \\
& \qquad \oplus\ \delta\text{Reg} \\
& \qquad \oplus\ \{CCR \mapsto (\text{Reg}(CCR) \oplus \delta\text{CCR} \oplus \{6 \mapsto 1, 7 \mapsto 1\})\}
\end{aligned}
$$

Sometimes an operation does not affect the 6800 registers (apart from the Program Counter which is automatically updated):


## Condition codes

The Condition Code Register holds various single bit codes at different bit positions. These are the carry, overflow, zero, negative, interrupt mask and half-carry bits:

$$
\begin{aligned}
C &\mathrel{\hat{=}} 0 \\
V &\mathrel{\hat{=}} 1 \\
Z &\mathrel{\hat{=}} 2 \\
N &\mathrel{\hat{=}} 3 \\
I &\mathrel{\hat{=}} 4 \\
H &\mathrel{\hat{=}} 5
\end{aligned}
$$

The contents of the individual condition code bits are often of interest. We make the following definitions for syntactic brevity:

$$
\begin{aligned}
C_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ C \\
V_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ V \\
Z_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ Z \\
N_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ N \\
I_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ I \\
H_{cc} &\mathrel{\hat{=}} (\text{Reg } CCR)\ H
\end{aligned}
$$

Condition code bits often depend on the values of bits in results of operations. For the convenience of these specifications, we use the following short forms for $i \in 0\,..\,7$, $j \in 0\,..\,15$ and $x \in$ Accumulator:

$$
\begin{aligned}
x_{i} &\mathrel{\hat{=}} (\text{Reg } x)\ i \\
M_{i} &\mathrel{\hat{=}} (\text{Mem } M)\ i \\
R_{i} &\mathrel{\hat{=}} R\ i \\
X_{j} &\mathrel{\hat{=}} (\text{Reg } X)\ j \\
RR_{j} &\mathrel{\hat{=}} RR\ j
\end{aligned}
$$
### 3.3 System clock

The system contains a clock which controls the timing of the system. This consists of a sequence of pulses. This may be modelled as the number of clock pulses which have occurred since the system was powered-up:

$$
\begin{aligned}
& \text{Clock} \\
& \text{Clk} : \mathbb{N}
\end{aligned}
$$

When an instruction is executed or an interrupt occurs, it takes a certain number of clock cycles to execute:

$$
\begin{aligned}
& \Delta\text{Clock} \\
& \text{Clock} \\
& \text{Clock}' \\
& \text{Cycles} : \mathbb{N} \\
& \text{Clk}' = \text{Clk} + \text{Cycles}
\end{aligned}
$$

### 3.4 M6800 system

The system state consists of memory, registers and a clock:

$$
\text{M6800} \mathrel{\hat{=}} \text{Memory} \wedge \text{Registers} \wedge \text{Clock}
$$

There are various types of 6800 addressing modes. Additionally, the 6800 may respond to an external Interrupt or execute an Illegal instruction.

$$
\begin{aligned}
\text{Modes} ::=\ & \text{Immediate} \\
\mid\ & \text{Direct} \\
\mid\ & \text{Indexed} \\
\mid\ & \text{Extended} \\
\mid\ & \text{Inherent} \\
\mid\ & \text{Relative} \\
\mid\ & \text{Interrupt} \\
\mid\ & \text{Illegal}
\end{aligned}
$$

Each of these modes is detailed later.

When an instruction is executed, the op-code is read from the memory location indicated by the current value of the Program Counter. The instruction will have a particular addressing mode. The state of the system will change when the instruction has executed:


Some operations do not affect the memory or registers (apart from the Program Counter which is automatically incremented depending on NBytes):

$$
\Xi\text{M6800} \mathrel{\hat{=}} \Delta\text{M6800} \wedge \Xi\text{Memory} \wedge \Xi\text{Registers}
$$


### 3.5 Power-up

The clock starts from zero for convenience in this model, when the system is initialised (i.e. powered up). It is assumed that the ROM already holds the program to be executed.

Interrupts are disabled and the Program Counter is loaded from the top two locations in memory. Note that hexadecimal numbers are used, rather than decimal, for memory addresses and op-code values since this is more normal (and convenient) in microprocessor documentation as discussed earlier.

$$
\begin{aligned}
& \text{M6800}_{INIT} \\
& \text{M6800}' \\
& \text{Clk}' = 0 \\
& I_{cc}' = 1 \\
& \text{Reg}'(PC_{H}) = \text{Mem}'(\text{addr 0xFFFE}) \\
& \text{Reg}'(PC_{L}) = \text{Mem}'(\text{addr 0xFFFF})
\end{aligned}
$$

## 4. Interrupts

When an interrupt occurs, or if the SWI or WAI instructions are executed (see later), all the 6800 registers are saved on the stack. Program control is transferred to a new address specified by the contents of memory at a particular vector address. The interrupt mask bit is set in the Condition Code Register. This is defined by a framing schema (denoted by $\Phi$) which may be used in the subsequent definitions of these cases:

$$
\begin{aligned}
& \Phi\text{Interrupt} \\
& \Delta\text{M6800} \\
& \text{Vector} : \text{Value}_{16} \\
& \delta\text{Mem} = \{\ \text{Mem}(\text{Reg}(SP) - 6) \mapsto \text{Reg}(CCR), \\
& \qquad \text{Mem}(\text{Reg}(SP) - 5) \mapsto \text{Reg}(B), \\
& \qquad \text{Mem}(\text{Reg}(SP) - 4) \mapsto \text{Reg}(A), \\
& \qquad \text{Mem}(\text{Reg}(SP) - 3) \mapsto \text{Reg}(X_{H}), \\
& \qquad \text{Mem}(\text{Reg}(SP) - 2) \mapsto \text{Reg}(X_{L}), \\
& \qquad \text{Mem}(\text{Reg}(SP) - 1) \mapsto \text{hi}(\text{Next}), \\
& \qquad \text{Mem}(\text{Reg}(SP)) \mapsto \text{lo}(\text{Next})\ \} \\
& \delta\text{Reg} = \{\ PC_{H} \\
& \qquad PC \\
& \qquad SP \mapsto \text{Reg}(SP) - 7\ \} \\
& \delta\text{CCR} = \{I \mapsto 1\}
\end{aligned}
$$

There are three interrupts which may be activated externally to the 6800 microprocessor. An external interrupt is not an instruction read from memory so it may be considered to have a length of zero bytes. This will result in program control returning to the current instruction when an RTI instruction (see later) is subsequently executed at the end of the interrupt service routine, provided the stack is not corrupted.

It takes a number of clock cycles to service the interrupt and stack the registers. The exact number of cycles could not be found in the documentation used to formulate this specification [8, 9], so it is not given here. It is likely to be of the order of the minimum number of cycles taken by the WAI instruction. If known, it could easily be inserted in the following schemas.

The hardware interrupt (IRQ) can only be activated if the interrupt mask bit in the CCR is clear:

$$
\begin{aligned}
& \text{IRQ} \\
& \Phi\text{Interrupt} \\
& I_{cc} = 0 \\
& \text{Vector} = \text{0xFFF8} \\
& \text{NBytes} = 0
\end{aligned}
$$

The non-maskable interrupt (NMI) may be activated at any time:

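$$
\begin{aligned}
& \text{NMI} \\
& \Phi\text{Interrupt} \\
& \text{NMI?} : \text{Bit} \\
& \text{NMI?} = 0 \\
& \text{Vector} = \text{0xFFFC} \\
& \text{NBytes} = 0
\end{aligned}
$$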

When a reset occurs, the registers are not stacked and the memory is left unaffected, but the "reset" vector is used to restart the program in the same way as occurs at power-up:

$$
\begin{aligned}
& \text{Reset} \\
& \Delta\text{M6800} \\
& \Xi\text{Memory} \\
& \delta\text{Reg} = \{\ PC_{H} \mapsto \text{Mem}(\text{addr 0xFFFE}), \\
& \qquad PC_{L} \mapsto \text{Mem}(\text{addr 0xFFFF})\ \} \\
& \delta\text{CCR} = \{I \mapsto 1\}
\end{aligned}
$$

In conclusion, the system has three possible sources of external interrupt. Note that the 6800 interrupt vectors are all located at the top of memory. Hence it is normal for this area to be contained in ROM.
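The interrupt schemas above can be read as a small state machine, which makes the stack frame layout, the effect of the interrupt mask and the dependence on valid RAM concrete. This Python model is an added example, not part of the original monograph; the state dictionary, the function names and the refusal to stack outside RAM are choices made here, and loading PC with the high byte from Vector and the low byte from Vector + 1 is an assumption taken from the layout the Reset schema uses.

```python
"""Executable reading of the interrupt schemas of section 4 (added example)."""

I_BIT = 4                                   # interrupt mask position in the CCR
IRQ_VECTOR, NMI_VECTOR, RESET_VECTOR = 0xFFF8, 0xFFFC, 0xFFFE

def new_state(rom, ram):
    """rom: {address: byte} image; ram: range of addresses backed by RAM."""
    mem = bytearray(0x10000)
    for address, byte in rom.items():
        mem[address] = byte
    return {"mem": mem, "ram": ram, "A": 0, "B": 0, "X": 0,
            "SP": 0, "PC": 0, "CCR": 0xC0}

def fetch_vector(state, vector):
    # Assumption of this example: high byte at Vector, low byte at Vector + 1,
    # the same layout the Reset schema uses for 0xFFFE and 0xFFFF.
    mem = state["mem"]
    return (mem[vector] << 8) | mem[(vector + 1) & 0xFFFF]

def set_ccr(ccr, updates):
    """Reg(CCR) overridden by the update, then by {6 -> 1, 7 -> 1}."""
    for bit, value in updates.items():
        ccr = ccr | (1 << bit) if value else ccr & ~(1 << bit)
    return (ccr | 0xC0) & 0xFF

def interrupt(state, vector, nbytes):
    """Stack all registers, drop SP by 7, set I and load PC from the vector."""
    sp = state["SP"]
    nxt = (state["PC"] + nbytes) & 0xFFFF   # Next = Reg(PC) + NBytes
    frame = {
        (sp - 6) & 0xFFFF: state["CCR"],
        (sp - 5) & 0xFFFF: state["B"],
        (sp - 4) & 0xFFFF: state["A"],
        (sp - 3) & 0xFFFF: state["X"] >> 8,
        (sp - 2) & 0xFFFF: state["X"] & 0xFF,
        (sp - 1) & 0xFFFF: nxt >> 8,        # hi(Next)
        sp & 0xFFFF: nxt & 0xFF,            # lo(Next)
    }
    outside = [a for a in frame if a not in state["ram"]]
    if outside:
        # Writes outside RAM are not defined by the specification, so the
        # saved return address could not be trusted: refuse before any change.
        raise ValueError(f"stack frame leaves RAM at {min(outside):#06x}")
    for address, byte in frame.items():
        state["mem"][address] = byte
    state["SP"] = (sp - 7) & 0xFFFF
    state["PC"] = fetch_vector(state, vector)
    state["CCR"] = set_ccr(state["CCR"], {I_BIT: 1})

def irq(state):
    """Hardware interrupt: taken only when the mask bit I is clear."""
    if (state["CCR"] >> I_BIT) & 1:
        return False
    interrupt(state, IRQ_VECTOR, 0)         # NBytes = 0: resume same instruction
    return True

def nmi(state):
    """Non-maskable interrupt: taken whatever the value of I."""
    interrupt(state, NMI_VECTOR, 0)
    return True

def reset(state):
    """Reset: nothing is stacked, memory is untouched, PC comes from 0xFFFE."""
    state["PC"] = fetch_vector(state, RESET_VECTOR)
    state["CCR"] = set_ccr(state["CCR"], {I_BIT: 1})
```

Because an IRQ sets I on entry, a second `irq` call returns `False` until the handler clears the mask, while `nmi` still stacks a further seven bytes.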

## 5. Instructions

All microprocessors have a set of instructions which they can execute. These instructions can affect the registers and/or the memory using a variety of addressing modes, depending on the microprocessor involved.

### 5.1 Addressing modes

Many of the 6800 instructions use a selection of memory addressing modes. Each has a memory address (M) of an operand calculated in a manner depending on the addressing mode. The op-code for a given type of addressing mode is always a constant offset from the op-code for a particular base addressing mode. The 6800 Extended addressing mode may conveniently be selected for this base addressing mode. The corresponding op-code for a particular instruction will be known as the base op-code (OpBase). The value of OpBase is specified in subsequent schemas defining specific instructions.

The number of clock cycles which an instruction takes to execute also depends on the addressing mode. Again this is easily calculated from a base number of cycles for a particular addressing mode (CyclesBase). The number of execution cycles may be defined in terms of an offset from the base number of cycles in subsequent schemas.

The information above may be combined together in a framing schema for use when defining each of the addressing modes covered in the rest of the section:

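$$
\begin{aligned}
& \Phi\text{AddrMode} \\
& \Delta\text{M6800} \\
& M : \text{Address} \\
& \text{OpBase} : \text{Value}_{8} \\
& \text{CyclesBase} : \mathbb{N}
\end{aligned}
$$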

We shall now define the major addressing modes of the 6800 as framing schemas for use by subsequent schemas describing individual 6800 instructions.

Immediate mode addressing gives the address of the byte immediately following the instruction op-code byte:

$$
\begin{aligned}
& \Phi\text{Immediate} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Immediate} \\
& \text{Op} = \text{OpBase} - \text{0x30} \\
& M = \text{Reg}(PC) + 1 \\
& \text{NBytes} = 3 \\
& \text{CyclesBase} = 2
\end{aligned}
$$

Direct mode addresses are in the first 256 bytes of memory. The byte following the op-code specifies this address, the upper byte of the address being zero:

$$
\begin{aligned}
& \Phi\text{Direct} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Direct} \\
& \text{Op} = \text{OpBase} - \text{0x20} \\
& M = \text{Mem}(\text{Reg}(PC) + 1) \frown \text{data}(0) \\
& \text{NBytes} = 2 \\
& \text{CyclesBase} = 3
\end{aligned}
$$

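Indexed mode addresses are calculated by adding the contents of the byte following the op-code (0-255) to the index register:

$$
\begin{aligned}
& \Phi\text{Indexed} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Indexed} \\
& \text{Op} = \text{OpBase} - \text{0x10} \\
& M = \text{Reg}(X) + \text{Mem}(\text{Reg}(PC) + 1) \\
& \text{NBytes} = 2 \\
& \text{CyclesBase} = 5
\end{aligned}
$$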

Extended mode addresses are specified fully using the two bytes following the op-code, high byte first, low byte second:

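$$
\begin{aligned}
& \Phi\text{Extended} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Extended} \\
& \text{Op} = \text{OpBase} \\
& M = \text{Mem}(\text{Reg}(PC) + 2) \frown \text{Mem}(\text{Reg}(PC) + 1) \\
& \text{NBytes} = 3 \\
& \text{CyclesBase} = 4
\end{aligned}
$$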

Several or all of these addressing modes may be used by a specific instruction. Hence we shall combine them together into one schema.

$$
\Phi\text{Modes} \mathrel{\hat{=}} \Phi\text{Immediate} \vee \Phi\text{Direct} \vee \Phi\text{Indexed} \vee \Phi\text{Extended}
$$

There are two other addressing modes used by many instructions so these are also defined separately here.

Some instructions use inherent addressing. In this case there is no memory address to be calculated. The instruction consists of a single byte op-code.

$$
\begin{aligned}
& \Phi\text{Inherent} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Inherent} \\
& \text{NBytes} = 1 \\
& \text{CyclesBase} = 2
\end{aligned}
$$


Note that the memory address (M) is left undefined in the above framing schema since it will never be used in later specifications making use of this schema.

Some "branch" instructions use relative addressing to calculate a new value for the Program Counter if a branch occurs. The byte following the op-code is sign-extended and added to the address of the next instruction. Hence a branch instruction may transfer program control up to 127 bytes forwards or 128 bytes backwards relative to the start of the instruction following the branch instruction.

$$
\begin{aligned}
& \Phi\text{Relative} \\
& \Phi\text{AddrMode} \\
& \text{Mode} = \text{Relative} \\
& \text{Op} = \text{OpBase} \\
& M = \text{Next} \pm \text{Mem}(\text{Reg}(PC) + 1) \\
& \text{NBytes} = 2 \\
& \text{CyclesBase} = 4
\end{aligned}
$$

The complete instruction set of the 6800 is covered in subsequent sections consisting of families of related instructions as designated by Motorola [8].

### 5.2 Accumulator and Memory instructions

This family of instructions use one or both of the 8-bit accumulators and/or a byte in memory. These can be further sub-divided into different types of instruction, depending on the allowed addressing modes.

## Inherent addressing

Some instructions use inherent addressing and operate on accumulator A or B only. The memory contents are unaffected. The instruction operation produces a byte result, $R$, which is used to update the accumulator.

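$$
\begin{aligned}
& \Phi\text{SingleAcc} \\
& \Phi\text{Inherent} \\
& \Xi\text{Memory} \\
& x : \text{Accumulator} \\
& R : \text{Byte} \\
& \text{Cycles} = \text{CyclesBase} \\
& \delta\text{Reg} = \{x \mapsto R\}
\end{aligned}
$$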


## Accumulator addressing

Either of the accumulators may be pushed onto or popped off the stack. These operations take four cycles to execute.

$$
\begin{aligned}
& \Phi\text{StackAcc} \\
& \Phi\text{Inherent} \\
& x : \text{Accumulator} \\
& \text{OpBase} : \text{Value}_{8} \\
& (x = A \wedge \text{Op} = \text{OpBase}) \;\vee \\
& (x = B \wedge \text{Op} = \text{OpBase} + 1) \\
& \text{Cycles} = \text{CyclesBase} + 2
\end{aligned}
$$

## Single operand addressing

Some instructions have a single operand. They can update a memory byte by performing an operation on it, but only using a limited set of the available addressing modes:


These can also perform the same operation on one of the accumulators. These replace the op-codes which would have been used by the immediate and direct addressing modes not used because of the limited number of addressing modes above.

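$$
\begin{aligned}
& \Phi\text{AccUpdate} \\
& \Phi\text{SingleAcc} \\
& \text{Operand} : \text{Byte} \\
& \text{OpBase} : \text{Value}_{8} \\
& (x = A \wedge \text{Op} = \text{OpBase} - \text{0x30}) \;\vee \\
& (x = B \wedge \text{Op} = \text{OpBase} - \text{0x20}) \\
& \text{Operand} = \text{Reg}(x)
\end{aligned}
$$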

The last two schemas may be combined to produce a framing schema which describes single operand instructions with multiple addressing modes:

$$
\Phi\text{Single} \mathrel{\hat{=}} \Phi\text{MemUpdate} \vee \Phi\text{AccUpdate}
$$


## Double operand addressing

Some instructions have two operands. One is in one of the two accumulators and the other is extracted from memory using a selection of addressing modes. The op-code base offsets are calculated from the op-code base of the instruction which uses accumulator A (OpBaseA). The value of OpBaseA is defined in subsequent schema definitions for specific instructions.

$$
\begin{aligned}
& \Phi\text{Accumulator} \\
& \Phi\text{Modes} \\
& x : \text{Accumulator} \\
& \text{OpBaseA} : \text{Value}_{8} \\
& (x = A \wedge \text{OpBase} = \text{OpBaseA}) \;\vee \\
& (x = B \wedge \text{OpBase} = \text{OpBaseA} + \text{0x40})
\end{aligned}
$$

These double operand instructions leave memory unaffected and take the basic number of clock cycles to execute. The instruction operation produces a byte result ($R$).

$$
\begin{aligned}
& \Phi\text{Double} \\
& \Phi\text{Accumulator} \\
& \Xi\text{Memory} \\
& R : \text{Byte} \\
& \text{Cycles} = \text{CyclesBase} \\
& \delta\text{Reg} = \{x \mapsto R\}
\end{aligned}
$$

## Test instruction framing schema

Some instructions simply perform tests on a byte value, $T$. In this case, the memory and registers (apart from the CCR) are left unaffected (or effectively updated with existing contents). The top "sign" bit of the byte may be of particular interest.

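$$
\begin{aligned}
& \Phi\text{Test} \\
& \Phi\text{Modes} \\
& x : \text{Accumulator} \\
& T : \text{Byte} \\
& \delta\text{Mem} \in \{\varnothing, \{M \mapsto \text{Mem}(M)\}\} \\
& \delta\text{Reg} \in \{\varnothing, \{x \mapsto \text{Reg}(x)\}\}
\end{aligned}
$$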

The accumulator and memory family of instructions can now be defined using the framing schemas above. All the instructions operate on 8-bit values in memory and the two accumulators.

## Transfer instructions

Some instructions simply transfer bytes between registers and/or memory without modifying their contents. For example, an accumulator may be loaded from a memory byte. The Condition Code Register bits are updated appropriately.

$$
\begin{aligned}
& \text{LDA} \\
& \Phi\text{Double} \\
& \text{OpBase} = \text{0xB6} \\
& R = \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

Conversely, there is an instruction to store the contents of an accumulator into a byte in memory. This cannot use the immediate addressing mode. It takes an extra clock cycle to execute compared to most other similar instructions (e.g. LDA). The addressed memory byte is updated with the result and the CCR bits are set appropriately.

$$
\begin{aligned}
& \text{STA} \\
& \Phi\text{Accumulator} \\
& \text{OpBaseA} = \text{0xB7} \\
& \text{Mode} \neq \text{Immediate} \\
& \text{Cycles} = \text{CyclesBase} + 1 \\
& \delta\text{Mem} = \{M \mapsto \text{Reg}(x)\} \\
& \delta\text{Reg} = \varnothing \\
& \delta\text{CCR} = \{N \mapsto \text{MSB}(\text{Reg}\ x), \\
& \qquad Z \mapsto \text{zero}(\text{Reg}\ x), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

The accumulators may be transferred back and forth:


The accumulators may be pushed on to the stack. In this case, the condition codes are not affected.

$$
\begin{aligned}
& \text{PSH} \\
& \Phi\text{StackAcc} \\
& \text{OpBase} = \text{0x36} \\
& \delta\text{Mem} = \{\text{Reg}(SP) \mapsto \text{Reg}(x)\} \\
& \delta\text{Reg} = \{SP \mapsto \text{Reg}(SP) - 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$

The accumulators may also be restored from the stack. Again, the CCR is unaffected. In this case the memory contents are also unaffected.

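$$
\begin{aligned}
& \text{PUL} \\
& \Phi\text{StackAcc} \\
& \Xi\text{Memory} \\
& \text{OpBase} = \text{0x32} \\
& \delta\text{Reg} = \{x \mapsto \text{Mem}(\text{Reg}(SP) + 1), \\
& \qquad SP \mapsto \text{Reg}(SP) + 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$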


## Logical instructions

Some instructions perform bitwise logical operations on the accumulators and memory bytes. For example, a byte operand may be 1's complemented:


There is a bitwise logical AND instruction:

$$
\begin{aligned}
& \text{AND} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xB4} \\
& R = \text{Reg}(x) \bullet \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

a bitwise logical inclusive OR instruction:

$$
\begin{aligned}
& \text{ORA} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xBA} \\
& R = \text{Reg}(x) + \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

and a bitwise logical exclusive OR instruction:

$$
\begin{aligned}
& \text{EOR} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xB8} \\
& R = \text{Reg}(x) \oplus \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

## Arithmetic instructions

Some instructions perform simple arithmetic operations on bytes.
An operand may be incremented. The overflow bit in the CCR is set if the original contents of the operand had the top bit clear and the rest of the operand bits were set to 1's.

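$$
\begin{aligned}
& \text{INC} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x7C} \\
& R = \text{Operand} + 1 \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto \sim\text{Operand}(7) \bullet \text{ones}(\text{74Operand})\}
\end{aligned}
$$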

Conversely, an operand may be decremented. The overflow bit in the CCR is set if the original contents of the operand had the top bit set and the rest of the operand bits were zero.

$$
\begin{aligned}
& \text{DEC} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x7A} \\
& R = \text{Operand} - 1 \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto \text{Operand}(7) \bullet \text{zero}(\text{74Operand})\}
\end{aligned}
$$

There are three "add" instructions. They all update the half-carry bit in the CCR with the carry from bit 3. The overflow bit is set if there was a 2's complement overflow. The carry bit is set if there was a carry from the most significant bit of the result. The standard "add" instruction simply adds a byte from memory to an accumulator.

$$
\begin{aligned}
& \text{ADD} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xBB} \\
& R = \text{Reg}(x) + \text{Mem}(M) \\
& \delta\text{CCR} = \{H \mapsto x_{3} \bullet M_{3} + M_{3} \bullet \sim R_{3} + \sim R_{3} \bullet x_{3}, \\
& \qquad N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto x_{7} \bullet M_{7} \bullet \sim R_{7} + \sim x_{7} \bullet \sim M_{7} \bullet R_{7}, \\
& \qquad C \mapsto x_{7} \bullet M_{7} + M_{7} \bullet \sim R_{7} + \sim R_{7} \bullet x_{7}\}
\end{aligned}
$$

Accumulator B can be added to accumulator A (but not vice versa):

$$
\begin{aligned}
& \text{ABA} \\
& \Phi\text{SingleAcc} \\
& \text{Op} = \text{0x1B} \\
& R = \text{Reg}(A) + \text{Reg}(B) \\
& \delta\text{Reg} = \{A \mapsto R\} \\
& \delta\text{CCR} = \{H \mapsto A_{3} \bullet B_{3} + B_{3} \bullet \sim R_{3} + \sim R_{3} \bullet A_{3}, \\
& \qquad N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto A_{7} \bullet B_{7} \bullet \sim R_{7} + \sim A_{7} \bullet \sim B_{7} \bullet R_{7}, \\
& \qquad C \mapsto A_{7} \bullet B_{7} + B_{7} \bullet \sim R_{7} + \sim R_{7} \bullet A_{7}\}
\end{aligned}
$$

The current value of the carry bit in the CCR may be added to the result as well:

$$
\begin{aligned}
& \text{ADC} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xB9} \\
& R = \text{Reg}(x) + \text{Mem}(M) + C_{cc} \\
& \delta\text{CCR} = \{H \mapsto x_{3} \bullet M_{3} + M_{3} \bullet \sim R_{3} + \sim R_{3} \bullet x_{3}, \\
& \qquad N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto x_{7} \bullet M_{7} \bullet \sim R_{7} + \sim x_{7} \bullet \sim M_{7} \bullet R_{7}, \\
& \qquad C \mapsto x_{7} \bullet M_{7} + M_{7} \bullet \sim R_{7} + \sim R_{7} \bullet x_{7}\}
\end{aligned}
$$
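An added check, not part of the monograph: the H, V and C terms of the ADD and ADC schemas are evaluated bit by bit and compared with plain integer arithmetic for every operand pair and carry-in. The function names and the faulty overflow variant are constructed for this example; the variant shows how an exhaustive check exposes a single lost negation.

```python
# Added example: ADD/ADC condition-code terms checked against integer arithmetic.


def bit(value, n):
    """Return bit n of an 8-bit value (the subscript notation x_n in the schemas)."""
    return (value >> n) & 1


def signed8(value):
    """Interpret a byte as a 2's complement number."""
    return value - 0x100 if value & 0x80 else value


def overflow_spec(x7, m7, r7):
    """V term of the ADD schema: x7.M7.~R7 + ~x7.~M7.R7."""
    return (x7 & m7 & (r7 ^ 1)) | ((x7 ^ 1) & (m7 ^ 1) & r7)


def overflow_dropped_negation(x7, m7, r7):
    """Constructed faulty variant: the '~' on x7 in the second product is lost."""
    return (x7 & m7 & (r7 ^ 1)) | (x7 & (m7 ^ 1) & r7)


def spec_flags(x, m, carry_in=0, overflow=overflow_spec):
    """Flags computed from the boolean terms of the schemas (ADD: carry_in = 0)."""
    r = (x + m + carry_in) & 0xFF
    x3, m3, nr3 = bit(x, 3), bit(m, 3), bit(r, 3) ^ 1
    x7, m7, r7 = bit(x, 7), bit(m, 7), bit(r, 7)
    nr7 = r7 ^ 1
    return {
        "R": r,
        "H": (x3 & m3) | (m3 & nr3) | (nr3 & x3),
        "N": r7,
        "Z": int(r == 0),
        "V": overflow(x7, m7, r7),
        "C": (x7 & m7) | (m7 & nr7) | (nr7 & x7),
    }


def reference_flags(x, m, carry_in=0):
    """The same flags from their informal meaning, using unbounded integers."""
    total = x + m + carry_in
    r = total & 0xFF
    signed_sum = signed8(x) + signed8(m) + carry_in
    return {
        "R": r,
        "H": int((x & 0xF) + (m & 0xF) + carry_in > 0xF),  # carry from bit 3
        "N": r >> 7,
        "Z": int(r == 0),
        "V": int(not -128 <= signed_sum <= 127),           # 2's complement overflow
        "C": int(total > 0xFF),                            # carry from bit 7
    }


def mismatches(overflow=overflow_spec):
    """All (x, m, carry_in) triples where the boolean terms disagree with arithmetic."""
    bad = []
    for carry_in in (0, 1):
        for x in range(256):
            for m in range(256):
                if spec_flags(x, m, carry_in, overflow) != reference_flags(x, m, carry_in):
                    bad.append((x, m, carry_in))
    return bad


if __name__ == "__main__":
    print("schema terms, disagreements:", len(mismatches()))
    print("faulty V term, disagreements:", len(mismatches(overflow_dropped_negation)))
```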

There is a "Decimal Adjust Accumulator" instruction for use when binary coded decimal (BCD) operands are involved. The adjustment to be added to the accumulator is calculated from the carry bit, upper half-byte value of the accumulator, half-carry bit and lower half-byte value of the accumulator as follows:

Entries not included in the table are undefined. The overflow bit in the CCR is always undefined after this instruction has been executed. It is intended that this instruction should be used immediately after an "add" instruction.

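$$
\begin{aligned}
& \text{DAA} \\
& \Phi\text{SingleAcc} \\
& \text{Adjustment} : \text{Byte} \\
& \text{Undefined} : \text{Bit} \\
& \text{Op} = \text{0x1B} \\
& \text{Adjustment} = \text{data daa}(C_{cc}, \text{val hi}(\text{Reg}\ A), \\
& \qquad H_{cc} \\
& R = A + \text{Adjustment} \\
& \delta\text{Reg} = \{A \mapsto R\} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto \text{Undefined}, \\
& \qquad C \mapsto \sim\text{zero}(\text{hi Adjustment})\}
\end{aligned}
$$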

There are matching "subtract" instructions for each "add" instruction. Note however that the half-carry bit in the CCR is left unaffected by these instructions.

$$
\begin{aligned}
& \text{SUB} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xB0} \\
& R = \text{Reg}(x) - \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto x_{7} \bullet \sim M_{7} \bullet \sim R_{7} + \sim x_{7} \bullet M_{7} \bullet R_{7}, \\
& \qquad C \mapsto \sim x_{7} \bullet M_{7} + M_{7} \bullet R_{7} + R_{7} \bullet \sim x_{7}\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{SBA} \\
& \Phi\text{SingleAcc} \\
& \text{Op} = \text{0x10} \\
& R = \text{Reg}(A) - \text{Reg}(B) \\
& \delta\text{Reg} = \{A \mapsto R\} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto A_{7} \bullet \sim B_{7} \bullet \sim R_{7} + \sim A_{7} \bullet B_{7} \bullet R_{7}, \\
& \qquad C \mapsto \sim A_{7} \bullet B_{7} + B_{7} \bullet R_{7} + R_{7} \bullet \sim A_{7}\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{SBC} \\
& \Phi\text{Double} \\
& \text{OpBaseA} = \text{0xB2} \\
& R = \text{Reg}(x) - \text{Mem}(M) - C_{cc} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z
\end{aligned}
$$

An operand may be negated (2's complemented). The overflow bit in the CCR is set if the result has the top bit set and the rest of the result bits are zero. The carry bit is set to the opposite of the zero bit.

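$$
\begin{aligned}
& \text{NEG} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x70} \\
& R = -\text{Operand} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto R_{7} \bullet \text{zero}(\text{74R}), \\
& \qquad C \mapsto \sim\text{zero}(R)\}
\end{aligned}
$$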

A memory byte or an accumulator may be cleared to all 0's.


Note that there is no equivalent instruction to set a byte to all 1's.

## Shift instructions

Some 6800 instructions shift bytes by one bit position left or right. Note that the overflow bit in the CCR is always set as the XOR of the resulting negative and carry CCR bits for all 6800 shift instructions.

There are shift instructions which rotate a byte left or right by one bit through the carry bit in the CCR:

$$
\begin{aligned}
& \text{ROL} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x79} \\
& R = \text{Operand} \ll C_{cc} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto N_{cc}' \oplus C_{cc}', \\
& \qquad C \mapsto \text{Operand}(7)\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{ROR} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x76} \\
& R = C_{cc} \gg \text{Operand} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto N_{cc}' \oplus C_{cc}', \\
& \qquad C \mapsto \text{Operand}(0)\}
\end{aligned}
$$

There are arithmetic shift instructions which shift a byte left or right by one bit. These are equivalent to multiplying and dividing a signed byte value by 2.

$$
\begin{aligned}
& \text{ASL} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x78} \\
& R = \text{Operand} \ll 0 \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto N_{cc}' \oplus C_{cc}', \\
& \qquad C \mapsto \text{Operand}(7)\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{ASR} \\
& \Phi\text{Single} \\
& \text{OpBase} = \text{0x77} \\
& R = \text{Operand}(7) \gg \text{Operand} \\
& \delta\text{CCR} = \{N \mapsto R_{7}, \\
& \qquad Z \mapsto \text{zero}(R), \\
& \qquad V \mapsto N_{cc}' \oplus C_{cc}', \\
& \qquad C \mapsto \text{Operand}(0)\}
\end{aligned}
$$

There is a logical shift right instruction, filling the result with a zero in its top bit:


Note that there is no matching LSL (logical shift left) instruction since this is equivalent to an ASL instruction (see above).

## Test instructions

Some instructions only affect the condition codes by performing tests on byte values.

There is a bitwise logical AND test instruction which simply sets the condition code bits as if an AND instruction had been performed, but does not update the result:


A byte operand may be tested. The condition codes are set as if zero had been subtracted from the operand.


There is a "compare" instruction which simply sets the condition code bits as if a SUB instruction had been performed, but does not update the result:

$$
\begin{aligned}
& \text{CMP} \\
& \Phi\text{Double} \\
& \Phi\text{Test} \\
& \text{OpBaseA} = \text{0xB5} \\
& T = \text{Reg}(x) - \text{Mem}(M) \\
& \delta\text{CCR} = \{N \mapsto T_{7}, \\
& \qquad Z \mapsto \text{zero}(T), \\
& \qquad V \mapsto \\
& \qquad C \mapsto \sim x_{7} \bullet M_{7} + M_{7} \bullet T_{7} + T_{7} \bullet \sim x_{7}\}
\end{aligned}
$$

The two accumulators may be compared in a similar way without changing the contents of either:


## Instruction types

The 6800 includes the following transfer/logical/arithmetic/shift/test type accumulator and memory instructions:

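$$
\begin{aligned}
\text{DoubleOp} \hat{=}\ & \text{LDA} \vee \text{STA} \vee \\
& \text{AND} \vee \text{ORA} \vee \text{EOR} \vee \\
& \text{ADD} \vee \text{ADC} \vee \text{SUB} \vee \text{SBC} \vee \\
& \text{BIT} \vee \text{CMP} \\
\text{SingleOp} \hat{=}\ & \text{COM} \vee \\
& \text{DEC} \vee \text{INC} \vee \text{NEG} \vee \text{CLR} \vee \\
& \text{ROL} \vee \text{ROR} \vee \text{ASL} \vee \text{ASR} \vee \text{LSR} \vee \\
& \text{TST} \\
\text{InherentOp} \hat{=}\ & \text{TAB} \vee \text{TBA} \vee \\
& \text{ABA} \vee \text{DAA} \vee \text{SBA} \vee \\
& \text{CBA} \\
\text{StackOp} \hat{=}\ & \text{PSH} \vee \text{PUL}
\end{aligned}
$$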

We can combine all these sub-types of instruction together:

$$
\text{AccMemOp} \hat{=} \text{DoubleOp} \vee \text{SingleOp} \vee \text{InherentOp} \vee \text{StackOp}
$$

### 5.3 Index Register and Stack instructions

These instructions manipulate the 16-bit index register and stack pointer. Some have several addressing modes. These can be further sub-divided into "load" and "store" type operations, each of which produces a 16-bit result, RR. Load operations do not affect memory:


Store operations cannot be used in immediate mode:

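$$
\begin{aligned}
& \Phi\text{XStore} \\
& \Phi\text{Modes} \\
& RR : \text{Address} \\
& \text{Mode} \neq \text{Immediate} \\
& \text{Cycles} = \text{CyclesBase} + 2
\end{aligned}
$$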

Some of the instructions use inherent addressing. None of these affect the memory contents.

$$
\begin{aligned}
& \Phi\text{XInherent} \\
& \Phi\text{Inherent} \\
& \Xi\text{Memory} \\
& \text{Op} = \text{OpBase} \\
& \text{Cycles} = \text{CyclesBase} + 2
\end{aligned}
$$

This family of instructions can now be defined using the framing schemas above.

The index register and stack pointer can be loaded from memory:

$$
\begin{aligned}
& \text{LDX} \\
& \Phi\text{XLoad} \\
& \text{OpBase} = \text{0xCE} \\
& RR = \text{Reg}(X) \\
& \delta\text{Reg} = \{X_{H} \mapsto \text{Mem}(M), \\
& \qquad X_{L} \mapsto \text{Mem}(M+1)\} \\
& \delta\text{CCR} = \{N \mapsto RR_{15}, \\
& \qquad Z \mapsto \text{zero}(RR), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{LDS} \\
& \Phi\text{XLoad} \\
& \text{OpBase} = \text{0x8E} \\
& RR = \text{Reg}(SP) \\
& \delta\text{Reg} = \{SP_{H} \mapsto \text{Mem}(M), \\
& \qquad SP_{L} \mapsto \text{Mem}(M+1)\} \\
& \delta\text{CCR} = \{N \mapsto RR_{15}, \\
& \qquad Z \mapsto \text{zero}(RR), \\
& \qquad V \mapsto 0\}
\end{aligned}
$$

and stored into memory:

$$
\begin{aligned}
& \text{STX} \\
& \Phi\text{XStore} \\
& \text{OpBase} = \text{0xCF} \\
& RR = \text{Reg}(X) \\
& \delta\text{Reg} = \varnothing \\
& \delta\text{CCR} = \{N \mapsto RR_{15}, \\
& \qquad Z \mapsto \text{zero}(RR), \\
& \qquad V \mapsto 0\} \\
& \delta\text{Mem} = \{M \mapsto \text{Reg}(X_{H}), M+1 \mapsto \text{Reg}(X_{L})\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{STS} \\
& \Phi\text{XStore} \\
& \text{OpBase} = \text{0x8F} \\
& RR = \text{Reg}(SP) \\
& \delta\text{Reg} = \varnothing \\
& \delta\text{CCR} = \{N \mapsto RR_{15}, \\
& \qquad Z \mapsto \text{zero}(RR), \\
& \qquad V \mapsto 0\} \\
& \delta\text{Mem} = \{M \mapsto \text{Reg}(SP_{H}), M+1 \mapsto \text{Reg}(SP_{L})\}
\end{aligned}
$$

They can also be transferred back and forth:

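$$
\begin{aligned}
& \text{TXS} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x35} \\
& \delta\text{Reg} = \{SP \mapsto \text{Reg}(X) - 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$

$$
\begin{aligned}
& \text{TSX} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x30} \\
& \delta\text{Reg} = \{X \mapsto \text{Reg}(SP) + 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$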

Note that the SP is loaded with one less than the contents of the index register and the index register is loaded with one more than the SP in each case. This is for programming convenience so that the index register can be pointed to the first entry on the stack, not the next empty entry.

The index register and stack pointer can both be incremented and decremented. In the case of the index register, the zero flag bit in the CCR is set appropriately. In the case of the stack pointer, the CCR is not affected.

$$
\begin{aligned}
& \text{INX} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x08} \\
& \delta\text{Reg} = \{X \mapsto \text{Reg}(X) + 1\} \\
& \delta\text{CCR} = \{Z \mapsto \text{zero}(\text{Reg}(X) - 1)\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{INS} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x31} \\
& \delta\text{Reg} = \{SP \mapsto \text{Reg}(SP) + 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$

$$
\begin{aligned}
& \text{DEX} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x09} \\
& \delta\text{Reg} = \{X \mapsto \text{Reg}(X) - 1\} \\
& \delta\text{CCR} = \{Z \mapsto \text{zero}(\text{Reg}(X) - 1)\}
\end{aligned}
$$

$$
\begin{aligned}
& \text{DES} \\
& \Phi\text{XInherent} \\
& \text{Op} = \text{0x34} \\
& \delta\text{Reg} = \{SP \mapsto \text{Reg}(SP) - 1\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$

The index register can be compared with memory:

```
CPX
ΦXLoad
OpBase = 0x8C
RR = Reg(X) - Mem(M+1) - Mem(M)
δReg = ∅
δCCR = {N ↦ RR_15,
    Z ↦ zero(RR),
    V}\mapsto\mp@subsup{X}{15**~M}{***RR
```

The 6800 includes the following instructions involving the index register and/or stack pointer:

$$
\begin{aligned}
\text{IndexOp} \hat{=}\ & \text{LDX} \vee \text{LDS} \vee \text{STX} \vee \text{STS} \vee \text{TXS} \vee \text{TSX} \vee \\
& \text{INX} \vee \text{INS} \vee \text{DEX} \vee \text{DES} \vee \text{CPX}
\end{aligned}
$$

### 5.4 Branch and Jump instructions

All "branch" instructions use the relative addressing mode. They leave the memory unchanged and take four cycles to execute. The CCR is not affected. If a branch condition occurs, then the PC is updated with the relative offset. Otherwise the program proceeds to the next instruction as normal.

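$$
\begin{aligned}
& \Phi\text{Branch} \\
& \Phi\text{Relative} \\
& \Xi\text{Memory} \\
& \text{Cond} : \text{Bit} \\
& \text{Cycles} = \text{CyclesBase} \\
& \delta\text{CCR} = \varnothing \\
& \text{Cond} = 1 \Rightarrow \delta\text{Reg} = \{PC \mapsto M\} \\
& \text{Cond} = 0 \Rightarrow \delta\text{Reg} = \varnothing
\end{aligned}
$$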

The 6800 has the following branch instructions:

| Instruction | Definition |
| :--- | :--- |
| BRA | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x20} \wedge \text{Cond}$ |
| BCC | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x24} \wedge \text{Cond} = \sim C_{cc}$ |
| BCS | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x25} \wedge \text{Cond} = C_{cc}$ |
| BEQ | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x27} \wedge \text{Cond} = Z_{cc}$ |
| BGE | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2C} \wedge \text{Cond} = \sim(N_{cc} \oplus V_{cc})$ |
| BGT | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2E} \wedge \text{Cond} = \sim(Z_{cc} + (N_{cc} \oplus V_{cc}))$ |
| BHI | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x22} \wedge \text{Cond} = \sim(C_{cc} + Z_{cc})$ |
| BLE | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2F} \wedge \text{Cond} = Z_{cc} + (N_{cc} \oplus V_{cc})$ |
| BLS | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x23} \wedge \text{Cond} = C_{cc} + Z_{cc}$ |
| BLT | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2D} \wedge \text{Cond} = N_{cc} \oplus V_{cc}$ |
| BMI | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2B} \wedge \text{Cond} = N_{cc}$ |
| BNE | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x26} \wedge \text{Cond} = \sim Z_{cc}$ |
| BVC | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x28} \wedge \text{Cond} = \sim V_{cc}$ |
| BVS | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x29} \wedge \text{Cond} = V_{cc}$ |
| BPL | $\hat{=}\ \Phi\text{Branch} \mid \text{Op} = \text{0x2A} \wedge \text{Cond} = \sim N_{cc}$ |
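An added check, not part of the monograph: the branch conditions from the table above are evaluated on the N, Z, V and C terms of the SUB schema and compared with the comparison each branch is conventionally used for after a subtract or compare. The mapping of branches to signed and unsigned comparisons in `EXPECTED` is this example's assumption about the intended reading; mixing the two groups up is the failure the check makes visible.

```python
# Added example: which comparison does each conditional branch implement
# after R = x - m, with flags computed as in the SUB schema?


def bit(value, n):
    return (value >> n) & 1


def signed8(value):
    return value - 0x100 if value & 0x80 else value


def sub_flags(x, m):
    """N, Z, V, C as given by the boolean terms of the SUB schema."""
    r = (x - m) & 0xFF
    x7, m7, r7 = bit(x, 7), bit(m, 7), bit(r, 7)
    nx7, nm7, nr7 = x7 ^ 1, m7 ^ 1, r7 ^ 1
    return {
        "N": r7,
        "Z": int(r == 0),
        "V": (x7 & nm7 & nr7) | (nx7 & m7 & r7),
        "C": (nx7 & m7) | (m7 & r7) | (r7 & nx7),
    }


# Cond expressions transcribed from the branch table ('+' is OR, '~' is NOT).
BRANCH_COND = {
    "BCC": lambda f: f["C"] ^ 1,
    "BCS": lambda f: f["C"],
    "BEQ": lambda f: f["Z"],
    "BNE": lambda f: f["Z"] ^ 1,
    "BHI": lambda f: (f["C"] | f["Z"]) ^ 1,
    "BLS": lambda f: f["C"] | f["Z"],
    "BGE": lambda f: (f["N"] ^ f["V"]) ^ 1,
    "BLT": lambda f: f["N"] ^ f["V"],
    "BGT": lambda f: (f["Z"] | (f["N"] ^ f["V"])) ^ 1,
    "BLE": lambda f: f["Z"] | (f["N"] ^ f["V"]),
}

# Assumed intended meaning: unsigned for BCC/BCS/BHI/BLS, signed for BGE/BLT/BGT/BLE.
EXPECTED = {
    "BCC": lambda x, m: x >= m,
    "BCS": lambda x, m: x < m,
    "BEQ": lambda x, m: x == m,
    "BNE": lambda x, m: x != m,
    "BHI": lambda x, m: x > m,
    "BLS": lambda x, m: x <= m,
    "BGE": lambda x, m: signed8(x) >= signed8(m),
    "BLT": lambda x, m: signed8(x) < signed8(m),
    "BGT": lambda x, m: signed8(x) > signed8(m),
    "BLE": lambda x, m: signed8(x) <= signed8(m),
}


def taken(x, m):
    """Names of the branches whose Cond is 1 after subtracting m from x."""
    flags = sub_flags(x, m)
    return sorted(name for name, cond in BRANCH_COND.items() if cond(flags))


def disagreements():
    """Count, per branch, the operand pairs where Cond differs from EXPECTED."""
    bad = {}
    for x in range(256):
        for m in range(256):
            flags = sub_flags(x, m)
            for name, cond in BRANCH_COND.items():
                if bool(cond(flags)) != EXPECTED[name](x, m):
                    bad[name] = bad.get(name, 0) + 1
    return bad


if __name__ == "__main__":
    print("disagreements:", disagreements())
    # 0x80 is 128 unsigned but -128 signed: BHI and BLT are both taken.
    print("0x80 vs 0x01:", taken(0x80, 0x01))
```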

There is also a "Branch to Subroutine" instruction, which saves the return address on the stack and calculates a new value for the PC:

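$$
\begin{aligned}
& \text{BSR} \\
& \Phi\text{Relative} \\
& \text{Op} = \text{0x8D} \\
& \text{Cycles} = 8 \\
& \delta\text{Mem} = \{\text{Mem}(\text{Reg}(SP) - 1) \mapsto \text{hi}(\text{Next}), \\
& \qquad \text{Mem}(\text{Reg}(SP)) \mapsto \text{lo}(\text{Next})\} \\
& \delta\text{Reg} = \{PC \mapsto M, \\
& \qquad SP \mapsto \text{Reg}(SP) - 2\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$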

There is a "Jump" instruction. Indexed and extended addressing modes may be used. The memory and CCR contents are unaffected.

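$$
\begin{aligned}
& \text{JMP} \\
& \Phi\text{Modes} \\
& \Xi\text{Memory} \\
& \text{Mode} \in \{\text{Indexed}, \text{Extended}\} \\
& \text{OpBase} = \text{0x7E} \\
& \text{Cycles} = \text{CyclesBase} - 1 \\
& \delta\text{Reg} = \{PC \mapsto M\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$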

There is a "Jump to Subroutine" instruction, similar to the JMP instruction, which saves the return address on the stack. The number of cycles taken to execute this instruction does not obey the normal rules which apply to all other instructions with multiple addressing modes.

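$$
\begin{aligned}
& \text{JSR} \\
& \Phi\text{Modes} \\
& \text{Mode} \in \{\text{Indexed}, \text{Extended}\} \\
& \text{OpBase} = \text{0xBD} \\
& \text{Mode} = \text{Indexed} \Rightarrow \text{Cycles} = 8 \\
& \text{Mode} = \text{Extended} \Rightarrow \text{Cycles} = 9 \\
& \delta\text{Mem} = \{\text{Mem}(\text{Reg}(SP) - 1) \mapsto \text{hi}(\text{Next}), \\
& \qquad \text{Mem}(\text{Reg}(SP)) \mapsto \text{lo}(\text{Next})\} \\
& \delta\text{Reg} = \{PC \mapsto M, \\
& \qquad SP \mapsto \text{Reg}(SP) - 2\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$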

The 6800 includes the following branch and jump instructions:

$$
\begin{aligned}
\text{BranchOp} \hat{=}\ & \text{BRA} \vee \text{BCC} \vee \text{BCS} \vee \text{BEQ} \vee \text{BGE} \vee \\
& \text{BGT} \vee \text{BHI} \vee \text{BLE} \vee \text{BLS} \vee \text{BLT} \vee \\
& \text{BMI} \vee \text{BNE} \vee \text{BVC} \vee \text{BVS} \vee \text{BPL} \vee \\
& \text{JMP} \vee \text{JSR}
\end{aligned}
$$

### 5.5 Condition Code Register instructions

This set of instructions uses inherent addressing and does not affect the memory contents. Most of the instructions update CCR flag bits, but not the rest of the registers.


The following instructions may be performed to clear and set individual Condition Code Register bits:


The settable bits of the CCR may be loaded from accumulator $A$:

$$
\text{TAP} \hat{=} \Phi\text{CCR} \mid \text{Op} = \text{0x06} \wedge \delta\text{CCR} = \text{Reg}(A)
$$

Conversely, accumulator A may be loaded with the contents of the CCR:


These operations may be collected together as a family of instructions:

$$
\text{CCROp} \hat{=} \text{CLC} \vee \text{CLI} \vee \text{CLV} \vee \text{SEC} \vee \text{SEI} \vee \text{SEV} \vee \text{TAP} \vee \text{TPA}
$$

### 5.6 Miscellaneous instructions

There is a "No Operation" instruction which does nothing but pass program control to the next instruction:


There is a "Return from Subroutine" instruction. The PC is restored from the stack. The memory contents and the CCR are left unaffected.

$$
\begin{aligned}
& \text{RTS} \\
& \Phi\text{Inherent} \\
& \Xi\text{Memory} \\
& \text{Op} = \text{0x39} \\
& \text{Cycles} = 5 \\
& \delta\text{Reg} = \{PC_{H} \mapsto \text{Mem}(\text{Reg}(SP) + 1), \\
& \qquad PC_{L} \mapsto \text{Mem}(\text{Reg}(SP) + 2), \\
& \qquad SP \mapsto \text{Reg}(SP) + 2\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$

There is a "Software Interrupt" instruction. This simulates an interrupt using its own vector.

$$
\begin{aligned}
& \text{SWI} \\
& \Phi\text{Inherent} \\
& \Phi\text{Interrupt} \\
& \text{Op} = \text{0x3F} \\
& \text{Cycles} = 12 \\
& \text{Vector} = \text{0xFFFA}
\end{aligned}
$$

There is a "Wait for Interrupt" instruction. This stacks the registers and then waits for an IRQ (if the interrupt mask bit in the CCR is not set) or an NMI interrupt to occur, or for the system to be reset. Unless an external interrupt is received, the program will be suspended forever.

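$$
\begin{aligned}
& \text{WAI} \\
& \Phi\text{Inherent} \\
& \Phi\text{Interrupt} \\
& \text{Op} = \text{0x3E} \\
& \text{Cycles} \geqslant 9 \\
& \text{Vector} \in \{\text{0xFFF8}, \text{0xFFFC}, \text{0xFFFE}\}
\end{aligned}
$$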

There is a "Return from Interrupt" instruction. The registers are all restored from the stack. The memory contents are left unaffected. The CCR is loaded from a memory byte on the stack but the individual bits are not subsequently affected by the instruction.

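$$
\begin{aligned}
& \text{RTI} \\
& \Phi\text{Inherent} \\
& \Xi\text{Memory} \\
& \text{Op} = \text{0x3B} \\
& \text{Cycles} = 10 \\
& \delta\text{Reg} = \{CCR \mapsto \text{Mem}(\text{Reg}(SP) + 1), \\
& \qquad B \mapsto \text{Mem}(\text{Reg}(SP) + 2), \\
& \qquad A \mapsto \text{Mem}(\text{Reg}(SP) + 3), \\
& \qquad X_{H} \mapsto \text{Mem}(\text{Reg}(SP) + 4), \\
& \qquad X_{L} \mapsto \text{Mem}(\text{Reg}(SP) + 5), \\
& \qquad PC_{H} \mapsto \text{Mem}(\text{Reg}(SP) + 6), \\
& \qquad PC_{L} \mapsto \text{Mem}(\text{Reg}(SP) + 7), \\
& \qquad SP \mapsto \text{Reg}(SP) + 7\} \\
& \delta\text{CCR} = \varnothing
\end{aligned}
$$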

The 6800 includes the following miscellaneous instructions:

$$
\text{MiscOp} \hat{=} \text{NOP} \vee \text{RTS} \vee \text{SWI} \vee \text{WAI} \vee \text{RTI}
$$


## 6. Overall operation

Op-codes which have not so far been specified are considered illegal. The state of the system after the execution of such an op-code is undefined.

$$
\text{IllegalOp} \hat{=} \Delta\text{M6800} \mid \text{Mode} = \text{Illegal}
$$

This specification could be tightened if more were known about an illegal instruction. For example, at present this specification allows the contents of the registers and RAM to be entirely changed after an illegal instruction. If more information were available, predicates could be added to this schema.

The following groups of legal instructions discussed in previous sections may be executed by the 6800. We project the (change of) state of the 6800 since we are not interested in any of the temporary components defined in each of the individual instruction schemas for the convenience of the specification.

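$$
\begin{aligned}
\text{LegalOp} \hat{=}\ & (\text{AccMemOp} \vee \text{IndexOp} \vee \text{BranchOp} \vee \text{CCROp} \vee \text{MiscOp}) \upharpoonright \Delta\text{M6800}
\end{aligned}
$$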

The system has three possible sources of external interrupt:

$$
\text{ExtInterrupt} \hat{=} (\text{IRQ} \vee \text{NMI} \vee \text{Reset}) \mid \text{Mode} = \text{Interrupt}
$$

The priority of external interrupts has not been defined above (i.e. if two interrupts occur simultaneously either could be serviced first) since the documentation used [8, 9] did not make any ordering clear. Such details could easily be included in the formal definition of the 6800 by including the status of the external interrupts as part of the state.

Each operation execution of the 6800 consists of the execution of an instruction (legal or otherwise) or an external interrupt:

$$
\begin{aligned}
& \text{Instruction} \hat{=} \text{IllegalOp} \oplus \text{LegalOp} \\
& \text{Exec} \hat{=} \text{Instruction} \vee \text{ExtInterrupt}
\end{aligned}
$$

When the 6800 is started, a sequence of such operations is executed depending on the contents of memory and (non-deterministically in this specification) on the occurrence of external interrupts.

Given the specification of each of the instructions, it is possible to consider sequences of instructions and prove (in the absence of any external interrupts) properties of such sequences. For example, often a decrement instruction is followed by a conditional branch instruction at the end of a loop. We could prove the following properties of such a construct:

$$
\text{DEXBNE} \hat{=} \text{DEX} \upharpoonright \Delta\text{M6800} \; ; \; \text{BNE} \upharpoonright \Delta\text{M6800}
$$

$$
\begin{aligned}
& \text{DEXBNE} \vdash \text{Reg}(X) \neq 1 \Rightarrow \text{Reg}'(PC) = (\text{Reg}(PC) + 3) \pm \text{Mem}(\text{Reg}(PC) + 2) \\
& \text{DEXBNE} \vdash \text{Reg}(X) = 1 \Rightarrow \text{Reg}'(PC) = \text{Reg}(PC) + 3
\end{aligned}
$$
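An added executable reading of the DEX and BNE schemas, not part of the monograph, which checks the two DEXBNE properties for every value of the index register and counts iterations of the resulting loop. It assumes that "±" adds the byte as a signed 8-bit offset and that an instruction which does not branch leaves the PC at the address following it; the function names are constructed for this example.

```python
# Added example: DEX followed by BNE, modelled from the schemas and checked
# against the two DEXBNE properties for all 65536 values of X.
MASK16 = 0xFFFF
DEX_OP, BNE_OP = 0x09, 0x26   # op-codes from the DEX schema and the branch table


def signed8(byte):
    """Assumed reading of the '±' operator: the byte is a signed offset."""
    return byte - 0x100 if byte & 0x80 else byte


def dex(reg, mem):
    """DEX: X' = X - 1 (mod 2^16), Z' = zero(X - 1); one-byte instruction."""
    assert mem[reg["PC"]] == DEX_OP
    x = (reg["X"] - 1) & MASK16
    return {**reg, "X": x, "Z": int(x == 0), "PC": (reg["PC"] + 1) & MASK16}


def bne(reg, mem):
    """BNE: Cond = ~Z; Cond = 1 moves PC to Next ± offset, otherwise to Next."""
    pc = reg["PC"]
    assert mem[pc] == BNE_OP
    nxt = (pc + 2) & MASK16
    target = (nxt + signed8(mem[(pc + 1) & MASK16])) & MASK16
    return {**reg, "PC": target if reg["Z"] == 0 else nxt}


def dexbne(reg, mem):
    """Sequential composition of the two instructions."""
    return bne(dex(reg, mem), mem)


def program(pc, offset):
    """Constructed three-byte memory image: DEX ; BNE offset."""
    return {pc: DEX_OP, (pc + 1) & MASK16: BNE_OP, (pc + 2) & MASK16: offset}


def violations(pc, offset):
    """Values of X for which the model contradicts the DEXBNE properties."""
    mem = program(pc, offset)
    fall_through = (pc + 3) & MASK16
    branch_target = (fall_through + signed8(offset)) & MASK16
    bad = []
    for x in range(0x10000):
        after = dexbne({"PC": pc, "X": x, "Z": 0}, mem)
        expected = fall_through if x == 1 else branch_target
        if after["PC"] != expected:
            bad.append(x)
    return bad


def loop_iterations(x0, pc=0x0100):
    """Run 'loop: DEX ; BNE loop' (offset 0xFD = -3) until it falls through."""
    mem = program(pc, 0xFD)
    reg = {"PC": pc, "X": x0, "Z": 0}
    count = 0
    while True:
        reg = dexbne(reg, mem)
        count += 1
        if reg["PC"] != pc:
            return count


if __name__ == "__main__":
    print("violations:", len(violations(0x0100, 0xFD)))
    # X = 0 wraps to 0xFFFF on the first DEX, so the loop runs 65536 times.
    print("iterations from X=3:", loop_iterations(3), "from X=0:", loop_iterations(0))
```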

## 7. Conclusion

The instruction set of the Motorola 6800 microprocessor has been formally specified. Enough experience has been gained so that more complicated and modern microprocessors such as the 68000 family could be specified in a similar manner. However such processors would require a larger document and more work in order to cover them fully.

The specification of the instructions has been factored out using framing schemas to reduce the overall length of the specification given here. If $Z$ were to be used to present an instruction set in the form of a manual, then it is anticipated that each instruction would be allocated at least a page with an expanded schema allowing easy reference for the instruction on that page alone. A possible example layout is shown in Appendix A.

Z has proved an excellent tool for specifying a microprocessor instruction set. The length of the specification compares very favourably with the more informal methods currently used for instruction set documentation in industry and elsewhere. Not only that, but we also gain a means of formally reasoning about the properties of the instruction set. This could prove to be invaluable, especially at the design stage. In the future, computer-based tools should be available to check consistency and give assistance with proofs. It is to be hoped that manufacturers will adopt such methods in due course.

## 8. Acknowledgements

Thank you to the developers of the Z specification language at the PRG and the inventors of the 6800 microprocessor at Motorola. Carroll Morgan, Tim Gleeson and Brian Monahan at the PRG provided helpful comments on early drafts. Ruaridh Macdonald at RSRE, Malvern and Stephen Murrell at the University of Miami also gave some useful suggestions. Steve Heath of Motorola, UK and Rajit Chandra of Intel, California commented on the paper from a manufacturer's point of view. Roger Gimson, Karen Paliwoda, Stig Topp-Jorgensen and Bernard Sufrin at the PRG kindly checked later drafts.

## 9. References

1. Hunt, W. A. "FM8501: A Verified Microprocessor", Technical Report 47. Institute for Computing Science, The University of Texas at Austin, (1986).
2. Sufrin, B. A. (Editor) "Z Handbook", Draft 1.1, Programming Research Group, Oxford University, (1986).
3. Spivey, J. M. "Understanding Z: A Specification Language and its Formal Semantics", DPhil Thesis, Programming Research Group, Oxford University, (1986).
4. Spivey, J. M. "The Z Library - A Reference Manual", Programming Research Group, Oxford University, (1986).
5. Woodcock, J. "Structuring Specifications - Notes on the Schema Notation", Programming Research Group, Oxford University, (1986).
6. King, S., Sørensen, I., Woodcock, J. "Z: Concrete and Abstract Syntaxes", Version 1.0, Programming Research Group, Oxford University, (1987).
7. Hayes, I. J. (Editor) "Specification Case Studies", Prentice-Hall International Series in Computer Science, (1987).
8. "M6800 Microprocessor Programming Manual", Motorola Semiconductor Products Inc., (1975).
9. "M6800 Microprocessor Instruction Set Summary", Motorola Microcomputer Applications Engineering.

## Appendix A

## Example manual pages

An example layout for two instructions in a 6800 microprocessor instruction set manual is given overleaf. It is suggested that each instruction should be given a page like this in such a manual to allow quick reference for a particular instruction without the necessity for cross reference, once the framework of the specification has been assimilated by the reader.

## Operation

$$
\begin{aligned}
& \text{BGT} \\
& \Delta\text{M6800} \\
& \text{Cond} : \text{Bit} \\
& \text{Op} = \text{0x2E} \\
& \text{Mode} = \text{Relative} \\
& \text{NBytes} = 2 \\
& \text{Cycles} = 4 \\
& \text{Cond} = Z_{cc} + (N_{cc} \oplus V_{cc}) \\
& \text{Cond} = 0 \Rightarrow \delta\text{Reg} = \varnothing \\
& \text{Cond} = 1 \Rightarrow \delta\text{Reg} = \{PC \mapsto \text{Next} \pm \text{Mem}(\text{Reg}(PC) + 1)\} \\
& \delta\text{CCR} = \varnothing \\
& \delta\text{Mem} = \varnothing
\end{aligned}
$$


## Description

Causes a branch if $Z$ is set or one of $N$ and $V$ (but not both) is set.
If the BGT instruction is executed immediately after execution of any of the instructions CBA, CMP, SBA, or SUB, the branch will occur if and only if the two's complement number represented by the minuend (i.e. accumulator $A$ or $B$ contents) was greater than the two's complement number represented by the subtrahend (i.e. memory contents).

Only the PC is affected. If a branch occurs, then the PC is updated with the relative offset, otherwise the program proceeds to the next instruction as normal.

Jump to Subroutine ..... JSR

## Operation

```
JSR
ΔM6800
(Op = 0xAD
    Mode = Indexed
    NBytes = 2
    Cycles = 8
    δReg = {PC ↦ Reg(X)+Mem(Reg(PC)+1),
        SP ↦ Reg(SP)-2})
    ∨
    (Op = 0xBD
    Mode = Extended
    NBytes = 3
    Cycles = 9
    δReg = {PC_H ↦ Mem(Reg(PC)+1),
    PC
    SP ↦ Reg(SP)-2})
δCCR = ∅
δMem = {Mem(Reg(SP)-1) ↦ hi(Next),
    Mem(Reg(SP)) ↦ lo(Next)}
```


## Description

The program counter is incremented by 2 or by 3, depending on the addressing mode, and is then pushed onto the stack, eight bits at a time. The stack pointer points to the next empty location on the stack. A jump occurs to the instruction stored at the numerical address, obtained according to the addressing mode.

## Appendix B

## Mathematical and Schema notation

A glossary of the $Z$ mathematical and schema notation used in this monograph is included here for easy reference. Readers should note that the definitive concrete and abstract syntax for $Z$ is available elsewhere [5].

# Z Reference Glossary 

## Mathematical Notation

## 1. Definitions and declarations.

Let $x, x_{k}$ be identifiers and let $T, T_{k}$ be sets.
$\left[T_{1}, T_{2}\right] \quad$ Introduction of generic sets.
LHS $\hat{=}$ RHS $\quad$ Definition of LHS as syntactically equivalent to RHS.
$T ::= x_{1} \mid x_{2} \mid \ldots \mid x_{n} \quad$ Data type definition.
$x: T \quad$ Declaration of $x$ as type $T$.
$x_{1}: T_{1} ; x_{2}: T_{2} ; \ldots ; x_{n}: T_{n} \quad$ List of declarations.
$x_{1}, x_{2}, \ldots, x_{n}: T \quad \hat{=}\ x_{1}: T ; x_{2}: T ; \ldots ; x_{n}: T$.

## 2. Logic.

Let $P, Q$ be predicates and $D$ declarations.
$\neg P \quad$ Negation: "not $P$".
$P \wedge Q \quad$ Conjunction: "$P$ and $Q$".
$P \vee Q \quad$ Disjunction: "$P$ or $Q$": $\hat{=}\ \neg(\neg P \wedge \neg Q)$.
$P \Rightarrow Q \quad$ Implication: "$P$ implies $Q$" or "if $P$ then $Q$": $\hat{=}\ \neg P \vee Q$.
$P \Leftrightarrow Q \quad$ Equivalence: "$P$ is logically equivalent to $Q$": $\hat{=}\ (P \Rightarrow Q) \wedge (Q \Rightarrow P)$.
true $\quad$ Logical constant.
false $\quad \hat{=}\ \neg$true.
$\forall x: T \cdot P \quad$ Universal quantification: "for all $x$ of type $T$, $P$ holds".
$\exists x: T \cdot P \quad$ Existential quantification: "there exists an $x$ of type $T$ such that $P$".
$\exists_{1} x: T \cdot P_{x} \quad$ Unique existence: "there exists a unique $x$ of type $T$ such that $P$": $\hat{=}\ (\exists x: T \cdot P_{x} \wedge \neg(\exists y: T \mid y \neq x \cdot P_{y}))$.
$\forall x_{1}: T_{1} ; x_{2}: T_{2} ; \ldots ; x_{n}: T_{n} \cdot P \quad$ "For all $x_{1}$ of type $T_{1}$, $x_{2}$ of type $T_{2}$, ..., and $x_{n}$ of type $T_{n}$, $P$ holds."
$\exists x_{1}: T_{1} ; x_{2}: T_{2} ; \ldots ; x_{n}: T_{n} \cdot P \quad$ Similar to $\forall$.
$\exists_{1} x_{1}: T_{1} ; x_{2}: T_{2} ; \ldots ; x_{n}: T_{n} \cdot P \quad$ Similar to $\forall$.
$\forall D \mid P \cdot Q \quad \hat{=}\ (\forall D \cdot P \Rightarrow Q)$.
$\exists D \mid P \cdot Q \quad \hat{=}\ (\exists D \cdot P \wedge Q)$.
$D \vdash P \quad$ Theorem: $\hat{=}\ \vdash \forall D \cdot P$.

## 3. Sets.

Let $S$, $T$ and $X$ be sets; $t$, $t_{k}$ terms; $P$ a predicate and $D$ declarations.
$t_{1}=t_{2} \quad$ Equality between terms.
$t_{1} \neq t_{2} \quad$ Inequality: $\hat{=}\ \neg(t_{1}=t_{2})$.
$t \in S \quad$ Set membership: "$t$ is an element of $S$".
$t \notin S \quad$ Non-membership: $\hat{=}\ \neg(t \in S)$.
$\varnothing \quad$ Empty set: $\hat{=}\ \{x: X \mid \text{false}\}$.
$S \subseteq T \quad$ Set inclusion: $\hat{=}\ (\forall x: S \cdot x \in T)$.
$S \subset T \quad$ Strict set inclusion: $\hat{=}\ S \subseteq T \wedge S \neq T$.
$\left\{t_{1}, t_{2}, \ldots, t_{n}\right\} \quad$ The set containing $t_{1}, t_{2}, \ldots$ and $t_{n}$.
$\{x: T \mid P\} \quad$ The set containing exactly those $x$ of type $T$ for which $P$ holds.
$\left(t_{1}, t_{2}, \ldots, t_{n}\right) \quad$ Ordered $n$-tuple of $t_{1}, t_{2}, \ldots$ and $t_{n}$.
$T_{1} \times T_{2} \times \ldots \times T_{n} \quad$ Cartesian product: the set of all $n$-tuples such that the $k$th component is of type $T_{k}$.
$\left\{x_{1}: T_{1} ; x_{2}: T_{2} ; \ldots ; x_{n}: T_{n} \mid P\right\} \quad$ The set of $n$-tuples $\left(x_{1}, x_{2}, \ldots, x_{n}\right)$ with each $x_{k}$ of type $T_{k}$ such that $P$ holds.


## 5. Functions.

A function is a relation with the property that for each element in its domain there is a unique element in its range related to it. As functions are relations, all the operators for relations also apply to functions.
$X ⇸ Y \quad$ The set of partial functions from $X$ to $Y$: $\hat{=}\ \{f: X \leftrightarrow Y \mid \forall x: \operatorname{dom} f \cdot (\exists_{1} y: Y \cdot x\, f\, y)\}$.
$X \rightarrow Y \quad$ The set of total functions from $X$ to $Y$: $\hat{=}\ \{f: X ⇸ Y \mid \operatorname{dom} f=X\}$.
$X ⤔ Y \quad$ The set of partial injective (one-to-one) functions from $X$ to $Y$: $\hat{=}\ \{f: X ⇸ Y \mid \forall y: \operatorname{ran} f \cdot (\exists_{1} x: X \cdot f\, x=y)\}$.
$X ↣ Y \quad$ The set of total injective functions from $X$ to $Y$: $\hat{=}\ (X ⤔ Y) \cap (X \rightarrow Y)$.
$X ⤀ Y \quad$ The set of partial surjective functions from $X$ to $Y$: $\hat{=}\ \{f: X ⇸ Y \mid \operatorname{ran} f=Y\}$.
$X ↠ Y \quad$ The set of total surjective functions from $X$ to $Y$: $\hat{=}\ (X ⤀ Y) \cap (X \rightarrow Y)$.
$X ⤖ Y \quad$ The set of total bijective (injective and surjective) functions from $X$ to $Y$: $\hat{=}\ (X ↠ Y) \cap (X ↣ Y)$.
$X ⇻ Y \quad$ The set of finite partial functions from $X$ to $Y$: $\hat{=}\ \{f: X ⇸ Y \mid f \in \mathbb{F}(X \times Y)\}$.
$\rightarrow$ かけか）Partial functions．
$\rightarrow \lambda+\rightarrow$ Total functions．
$\rightarrow \gg \rightarrow \boldsymbol{m}$
$f_{1} \oplus f_{2} \quad$ Functional overriding: given $f_{1}, f_{2}: X \rightarrow Y$, $\hat{=}\ (\operatorname{dom} f_{2} ⩤ f_{1}) \cup f_{2}$.
$f\ \_ \quad$ Prefix function (default).
$\_\ f\ \_ \quad$ Infix function (often underlined for clarity).
$\_\ f \quad$ Postfix function.
$f\, t \quad$ The function $f$ applied to $t$.
$f(t) \quad \hat{=}\ f\, t$.
$(\lambda x: X \mid P \cdot t) \quad$ Lambda-abstraction: the function that, given an argument $x$ of type $X$ such that $P$ holds, the result is $t$. $\hat{=}\ \{x: X \mid P \cdot x \mapsto t\}$.
$\left(\lambda x_{1}: T_{1} ; \ldots ; x_{n}: T_{n} \mid P \cdot t\right) \quad \hat{=}\ \left\{x_{1}: T_{1} ; \ldots ; x_{n}: T_{n} \mid P \cdot \left(x_{1}, \ldots, x_{n}\right) \mapsto t\right\}$.

## 6. Numbers.

Let $m, n$ be natural numbers.
$\mathbb{N} \quad$ The set of natural numbers (non-negative integers).
$\mathbb{N}_{1} \quad$ The set of strictly positive natural numbers: $\mathbb{N} \setminus \{0\}$.
$\mathbb{Z}$
succ $n \quad$ Successive ascending natural number.
pred $n \quad$ Previous descending natural number: $\hat{=}\ \operatorname{succ}^{-1} n$.
$m+n \quad$ Addition: $\hat{=}\ \operatorname{succ}^{n} m$.
$m-n \quad$ Subtraction: $\hat{=}\ \operatorname{pred}^{n} m$.
$m * n \quad$ Multiplication: $\hat{=}\ (\_ + m)^{n}\, 0$.
$m$ div $n \quad$ Integer division.
$m$ mod $n \quad$ Modulo arithmetic.
$m^{n} \quad$ Exponentiation: $\hat{=}\ (\_ * m)^{n}\, 1$.
$m \leqslant n \quad$ Less than or equal, Ordering: $\_ \leqslant \_\ \hat{=}\ \operatorname{succ}^{*}$.
$m<n \quad$ Less than, Strict ordering: $\hat{=}\ m \leqslant n \wedge m \neq n$.
$m \geqslant n \quad$ Greater than or equal: $\hat{=}\ n \leqslant m$.
$m>n \quad$ Greater than: $\hat{=}\ n<m$.
$m\,..\,n \quad$ Range: $\hat{=}\ \{k: \mathbb{N} \mid m \leqslant k \wedge k \leqslant n\}$.

min $S \quad$ Minimum of a finite set; for $S: \mathbb{F}_{1} \mathbb{N}$, $\min S \in S \wedge (\forall x: S \cdot x \geqslant \min S)$.
max $S \quad$ Maximum of a finite set; for $S: \mathbb{F}_{1} \mathbb{N}$, $\max S \in S \wedge (\forall x: S \cdot x \leqslant \max S)$.


## 7. Sequences.

Let $a, b$ be elements of sequences, $A, B$ be sequences and $m, n$ be natural numbers.
seq $X \quad$ The set of sequences whose elements are drawn from $X$: $\hat{=}\ \{A: \mathbb{N} ⇸ X \mid \operatorname{dom} A=1\,..\,\# A\}$.
$\langle\rangle \quad$ The empty sequence $\varnothing$.
seq$_{1}\, X \quad$ The set of non-empty sequences: $\hat{=}\ \operatorname{seq} X \setminus \{\langle\rangle\}$.
$\left\langle a_{1}, \ldots, a_{n}\right\rangle \quad \hat{=}\ \left\{1 \mapsto a_{1}, \ldots, n \mapsto a_{n}\right\}$.
$\left\langle a_{1}, \ldots, a_{n}\right\rangle \frown \left\langle b_{1}, \ldots, b_{m}\right\rangle \quad$ Concatenation: $\hat{=}\ \left\langle a_{1}, \ldots, a_{n}, b_{1}, \ldots, b_{m}\right\rangle$, $\langle\rangle \frown A = A \frown \langle\rangle = A$.
head $A \quad$ The first element of a non-empty sequence: $A \neq \langle\rangle \Rightarrow \operatorname{head} A = A(1)$.
last $A \quad$ The final element of a non-empty sequence: $A \neq \langle\rangle \Rightarrow \operatorname{last} A = A(\# A)$.
tail $A \quad$ All but the head of a sequence: $\operatorname{tail}(\langle x\rangle \frown A) = A$.
front $A \quad$ All but the last of a sequence: $\operatorname{front}(A \frown \langle x\rangle) = A$.
$\operatorname{rev}\left\langle a_{1}, a_{2}, \ldots, a_{n}\right\rangle \quad$ Reverse: $\hat{=}\ \left\langle a_{n}, \ldots, a_{2}, a_{1}\right\rangle$, $\operatorname{rev}\langle\rangle = \langle\rangle$.
$\frown/\, AA \quad$ Distributed concatenation: given $AA: \operatorname{seq}(\operatorname{seq}(X))$, $\hat{=}\ AA(1) \frown \ldots \frown AA(\# AA)$, $\frown/\langle\rangle = \langle\rangle$.
$⨾/\, AR \quad$ Distributed relational composition: given $AR: \operatorname{seq}(X \leftrightarrow X)$, $\hat{=}\ AR(1) ⨾ \ldots ⨾ AR(\# AR)$, $⨾/\langle\rangle = \operatorname{id} X$.
$\oplus/\, AR \quad$ Distributed overriding: given $AR: \operatorname{seq}(X \rightarrow Y)$, $\hat{=}\ AR(1) \oplus \ldots \oplus AR(\# AR)$, $\oplus/\langle\rangle = \varnothing$.
squash $f \quad$ Convert a finite function, $f: \mathbb{N} ⇻ X$, into a sequence by squashing its domain. That is, $\operatorname{squash} \varnothing = \langle\rangle$, and if $f \neq \varnothing$ then $\operatorname{squash} f = \langle f(i)\rangle \frown \operatorname{squash}(\{i\} ⩤ f)$ where $i = \min(\operatorname{dom} f)$.
$S \upharpoonleft A \quad$ Index restriction: $\hat{=}\ \operatorname{squash}(S \triangleleft A)$.
$A \upharpoonright T \quad$ Sequence restriction: $\hat{=}\ \operatorname{squash}(A \triangleright T)$.
disjoint $AS \quad$ Pairwise disjoint: given $AS: \operatorname{seq}(\mathbb{P} X)$, $\hat{=}\ (\forall i, j: \operatorname{dom} AS \cdot i \neq j \Rightarrow AS(i) \cap AS(j) = \varnothing)$.
$AS$ partitions $S \quad \hat{=}\ \operatorname{disjoint} AS \wedge \bigcup \operatorname{ran} AS = S$.
$A$ in $B \quad$ Contiguous subsequence: $\hat{=}\ (\exists C, D: \operatorname{seq} X \cdot C \frown A \frown D = B)$.

## Schema Notation

Axiomatic definition: introduces global declarations which satisfy one or more predicates for use in the entire document.
declaration(s)
predicate(s)

Schema definition: a schema groups together some declarations of variables and a predicate relating these variables. There are two ways of writing schemas: vertically, for example

or horizontally, for the same example

$$
S \;\hat{=}\; [x: N ; y: \operatorname{seq} N \mid x \leqslant \# y]
$$

Use in signatures after $\forall, \lambda,\{\ldots\}$, etc.:

$$
(\forall S \cdot y \neq\langle\rangle) \;\hat{=}\; (\forall x: N ; y: \operatorname{seq} N \mid x \leqslant \# y \cdot y \neq\langle\rangle)
$$

Schemas as types: when a schema name $S$ is used as a type it stands for the set of all objects described by the schema, $\{S\}$. For example, $w: S$ declares a variable $w$ with components $x$ (a natural number) and $y$ (a sequence of natural numbers) such that $x \leqslant \# y$.

Projection functions: the component names of a schema may be used as projection (or selector) functions. For example, given $w: S$, $w.x$ is $w$'s $x$ component and $w.y$ is its $y$ component; of course, the following predicate holds: $w.x \leqslant \# w.y$. Additionally, given $w: X \rightarrow S$, $w\ (\lambda S \cdot x)$ is a function $X \rightarrow N$, etc.

$\theta S \quad$ The tuple formed from a schema's variables: for example, $\theta S$ is $(x, y)$. Where there is no risk of ambiguity, the $\theta$ is sometimes omitted, so that just "$S$" is written for "$(x, y)$".
pred $S \quad$ The predicate part of a schema: e.g. pred $S$ is $x \leqslant \# y$.

Inclusion A schema $S$ may be included within the declarations of a schema $T$, in which case the declarations of $S$ are merged with the other declarations of $T$ (variables declared in both $S$ and T must be of the same type) and the predicates of $S$ and $T$ are conjoined. For example,
```
T
S
z : N
    z < x
```

is

```
x, z : N
y : seq N
    x ≤ #y ∧ z < x
```

$S \mid P \quad$ The schema $S$ with $P$ conjoined to its predicate part. E.g., $(S \mid x>0)$ is $[x: N ; y: \operatorname{seq} N \mid x \leqslant \# y \wedge x>0]$.
$S ; D \quad$ The schema $S$ with the declarations $D$ merged with the declarations of $S$. For example, $(S ; z: N)$ is $[x, z: N ; y: \operatorname{seq} N \mid x \leqslant \# y]$.
$S[new/old] \quad$ Renaming of components: the schema $S$ in which the component $old$ has been renamed to $new$ both in the declaration and at its every free occurrence in the predicate. For example, $S[z / x]$ is $[z: N ; y: \operatorname{seq} N \mid z \leqslant \# y]$ and $S[y / x, x / y]$ is $[y: N ; x: \operatorname{seq} N \mid y \leqslant \# x]$. In the second case above, the renaming is simultaneous.
Decoration $\quad$ Decoration with subscript, superscript, prime, etc.; systematic renaming of the variables declared in the schema. For example, $S^{\prime}$ is $[x^{\prime}: N ; y^{\prime}: \operatorname{seq} N \mid x^{\prime} \leqslant \# y^{\prime}]$.
$\neg S \quad$ The schema $S$ with its predicate part negated. E.g., $\neg S$ is $[x: N ; y: \operatorname{seq} N \mid \neg(x \leqslant \# y)]$.
$S \wedge T \quad$ The schema formed from schemas $S$ and $T$ by merging their declarations (see inclusion above) and conjoining (and-ing) their predicates. Given $T \;\hat{=}\; [x: N ; z: P\, N \mid x \in z]$, $S \wedge T$ is

$$
\begin{aligned}
& x: N \\
& y: \operatorname{seq} N \\
& z: P\, N \\
& x \leqslant \# y \wedge x \in z
\end{aligned}
$$

$S \vee T \quad$ The schema formed from schemas $S$ and $T$ by merging their declarations and disjoining (or-ing) their predicates. For example, $S \vee T$ is

$S \Rightarrow T \quad$ The schema formed from schemas $S$ and $T$ by merging their declarations and taking pred $S \Rightarrow$ pred $T$ as the predicate. E.g., $S \Rightarrow T$ is

$\mathrm{S} \Leftrightarrow \mathrm{T}$ The schema formed from schemas $S$ and $T$ by merging their declarations and taking pred $S \Leftrightarrow$ pred $T$ as the predicate. E.g., $S \Leftrightarrow T$ is

$S \backslash\left(v_{1}, v_{2}, \ldots, v_{n}\right) \quad$ Hiding: the schema $S$ with the variables $v_{1}, v_{2}, \ldots$, and $v_{n}$ hidden: the variables listed are removed from the declarations and are existentially quantified in the predicate. E.g., $S \backslash x$ is $[y: \operatorname{seq} N \mid (\exists x: N \cdot x \leqslant \# y)]$. (We omit the parentheses when only one variable is hidden.) A schema may be specified instead of a list of variables; in this case the variables declared in that schema are hidden. For example, $(S \wedge T) \backslash S$ is

$$
\begin{aligned}
& z: P\, N \\
& (\exists x: N ; y: \operatorname{seq} N \cdot \\
& x \leqslant \# y \wedge x \in z)
\end{aligned}
$$

$S \upharpoonright\left(v_{1}, v_{2}, \ldots, v_{n}\right) \quad$ Projection: the schema $S$ with any variables that do not occur in the list $v_{1}, v_{2}, \ldots, v_{n}$ hidden: the variables removed from the declarations are existentially quantified in the predicate. E.g., $(S \wedge T) \upharpoonright (x, y)$ is

$$
\begin{aligned}
& x: N \\
& y: \operatorname{seq} N \\
& (\exists z: P\, N \cdot \\
& x \leqslant \# y \wedge x \in z)
\end{aligned}
$$

As for hiding above, we may project a single variable with no parentheses or the variables in a schema.

The following conventions are used for variable names in those schemas which represent operations - that is, which are written as descriptions of operations on some state:

| undashed | state before, |
| :--- | :--- |
| dashed ("′") | state after, |
| ending in "?" | inputs to (arguments for), |
| ending in "!" | outputs from (results of) the operation. |

The following schema operations only apply to schemas following the above conventions.
pre $S \quad$ Precondition: all the state after components (dashed) and the outputs (ending in "!") are hidden. E.g. given $S$

$$
\frac{x ?, s, s^{\prime}, y!: N}{s^{\prime}=s-x ? \wedge y!=s}
$$

pre $S$ is

$$
\begin{aligned}
& x ?, s: N \\
& \left(\exists s^{\prime}, y!: N \cdot\right. \\
& \left.s^{\prime}=s-x ? \wedge y!=s\right)
\end{aligned}
$$

post $S$ Postcondition: this is similar to precondition except all the state before components (undashed) and inputs (ending in "?") are hidden. (Note that this definition differs from some others, in which the "postcondition" is the predicate relating all of initial state, inputs, outputs, and final state.)
$S \oplus T \quad$ Overriding: $\hat{=}\ (S \wedge \neg \operatorname{pre} T) \vee T$.
For example, given $S$ above and $T$

$$
\begin{aligned}
& x ?, s, s^{\prime}: N \\
& s<x ? \wedge s^{\prime}=s
\end{aligned}
$$

$S \oplus T$ is

$$
\begin{array}{|l}
\hline x ?, s, s^{\prime}, y!: N \\
\left(s^{\prime}=s-x ? \wedge y!=s \wedge\right. \\
\neg\left(\exists s^{\prime}: N \cdot\right. \\
\left.\left.s<x ? \wedge s^{\prime}=s\right)\right) \\
\vee\left(s<x ? \wedge s^{\prime}=s\right)
\end{array}
$$

Because (given the declaration $s: N$ above):

$$
\begin{aligned}
& (\exists s^{\prime}: N \cdot s^{\prime}=s \wedge s<x ?) \\
\Leftrightarrow\ & (s \in N \wedge s<x ?) \\
\Leftrightarrow\ & s<x ?
\end{aligned}
$$

the predicate can be simplified:

$$
\begin{aligned}
& x ?, s, s^{\prime}, y!: N \\
& (s^{\prime}=s-x ? \wedge y!=s \\
& \wedge\ s \geqslant x ?) \\
& \vee \\
& (s<x ? \wedge s^{\prime}=s)
\end{aligned}
$$

$S ⨾ T \quad$ Schema composition: if we consider an intermediate state that is both the final state of the operation $S$ and the initial state of the operation $T$ then the composition of $S$ and $T$ is the operation which relates the initial state of $S$ to the final state of $T$ through the intermediate state. To form the composition of $S$ and $T$ we take the state-after components of $S$ and the state-before components of $T$ that have a basename* in common, rename both to new variables, take the schema which is the "and" ($\wedge$) of the resulting schemas, and hide the new variables. E.g., $S ⨾ T$ is

$$
\begin{aligned}
& x ?, s, s^{\prime}, y!: N \\
& (\exists s_{0}: N \cdot \\
& s_{0}=s-x ? \wedge y!=s \wedge \\
& s_{0}<x ? \wedge s^{\prime}=s_{0})
\end{aligned}
$$

\* basename is the name with any decoration ("′", "!", "?", etc.) removed.
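The overriding simplification and the composition example above can be checked by exhaustive enumeration over a small slice of the natural numbers. The following Python is an added example, not part of the monograph; the bound `DOM` and all function names are assumptions, while the predicates of `S` and `T` are the ones given in the glossary.

```python
from itertools import product

DOM = range(6)  # constructed finite slice of the naturals, small enough to enumerate


def S(x, s, s2, y):
    """Glossary schema S: s' = s - x? and y! = s (s2 stands for s')."""
    return s2 == s - x and y == s


def T(x, s, s2):
    """Glossary schema T: s < x? and s' = s."""
    return s < x and s2 == s


def pre_T(x, s):
    """pre T: the after-state s' is hidden by existential quantification."""
    return any(T(x, s, s2) for s2 in DOM)


def override(x, s, s2, y):
    """S (+) T defined as (S and not pre T) or T, over the merged declarations."""
    return (S(x, s, s2, y) and not pre_T(x, s)) or T(x, s, s2)


def simplified(x, s, s2, y):
    """The simplified predicate the glossary derives for S (+) T."""
    return (s2 == s - x and y == s and s >= x) or (s < x and s2 == s)


def compose(x, s, s2, y):
    """S ; T: S's after-state and T's before-state become one hidden s0."""
    return any(S(x, s, s0, y) and T(x, s0, s2) for s0 in DOM)


def composed_as_written(x, s, s2, y):
    """The expanded predicate the glossary gives for S ; T."""
    return any(s0 == s - x and y == s and s0 < x and s2 == s0 for s0 in DOM)


def disagreements(p, q):
    """All (x?, s, s', y!) in DOM^4 on which two predicates differ."""
    return [v for v in product(DOM, repeat=4) if p(*v) != q(*v)]


if __name__ == "__main__":
    print("override vs simplified:", disagreements(override, simplified))
    print("composition vs expansion:", disagreements(compose, composed_as_written))
```

An empty list from `disagreements` means the two predicates agree on every valuation in the bounded domain; it is a bounded check, not a proof for all naturals.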
$S \gg T \quad$ Piping: this schema operation is similar to schema composition; the difference is that, rather than identifying the state after components of $S$ with the state before components of $T$, the output components of $S$ (ending in "!") are identified with the input components of $T$ (ending in "?") that have the same basename.

The following conventions are used for prefixing of schema names:
$\Delta S \quad$ change of before and after state,
$\Xi S \quad$ no change of state,
$\Phi S \quad$ framing schema for definition of further operations.

For example


