# Formal Design Specification of a Processor Interface Unit 

David A. Fura, Boeing Defense & Space Group, Seattle, Washington
Phillip J. Windley, University of Idaho, Moscow, Idaho
G. C. Cohen, Boeing Defense & Space Group, Seattle, Washington

NASA Contract NAS1-18586
November 1992

National Aeronautics and Space Administration
Langley Research Center, Hampton, Virginia 23665-5525
N93-12533

## Preface

This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 9. Task 9 is concerned with the formal specification of a processor interface unit.

This report describes the formal specification of the design for a processor interface unit using the HOL methodology. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded system under development at the Boeing High Technology Center. It provides the opportunity to investigate the specification and verification of a real-world component within a commercially-developed fault-tolerant computer.

The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center, Hampton, Virginia.

The work was accomplished at the Boeing Company, Seattle, Washington and the University of Idaho, Moscow, Idaho. Personnel responsible for the work include:

Boeing Military Airplanes:
D. Gangsaas, Responsible Manager
T. M. Richardson, Program Manager

Boeing High Technology Center:
Gerald C. Cohen, Principal Investigator
David A. Fura, Researcher
University of Idaho:
Dr. Phillip J. Windley, Chief Researcher

## Contents

1 Introduction ..... 1
1.1 Informal PIU Description ..... 1
1.1.1 PMM Initialization ..... 3
1.1.2 CPU Accesses to Memory ..... 4
1.1.2.1 To Local Memory ..... 4
1.1.2.2 To Internal Register File ..... 5
1.1.2.3 To the C_Bus ..... 6
1.1.3 C_Bus Accesses to Memory ..... 6
1.1.4 Timers and Interrupts ..... 6
1.2 Specification Overview ..... 6
2 Generic Interpreter Theory ..... 9
2.1 Introduction ..... 9
2.2 Formal Microprocessor Modeling ..... 9
2.2.1 Microprocessor Specification ..... 9
2.2.2 Microprocessor Verification ..... 10
2.3 A Formal Model of Interpreters ..... 10
2.3.1 Abstract Theories ..... 10
2.3.2 Temporal Abstraction ..... 12
2.3.3 The Abstract Representation ..... 12
2.3.4 The Theory Obligations ..... 14
2.3.5 Abstract Theorems ..... 15
2.3.5.1 Defining the Interpreter ..... 15
2.3.5.2 Induction on Interpreters ..... 15
2.3.5.3 The Implementation is Live ..... 16
2.3.5.4 The Correctness Statement ..... 16
2.3.5.5 Composing Interpreters Hierarchically ..... 17
2.4 Parallel Composition ..... 17
2.5 Conclusion ..... 17
3 Design Specification ..... 19
3.1 Gate-Level Structure ..... 19
3.1.1 Component Descriptions ..... 19
3.1.1.1 Combinational Logic ..... 19
3.1.1.2 Latches ..... 20
3.1.1.3 Flip-Flops ..... 22
3.1.1.4 Counters ..... 23
3.1.1.5 CTR Datapath Block ..... 23
3.1.1.6 ICR Datapath Block ..... 25
3.1.1.7 CR Datapath Block ..... 26
3.1.1.8 SR Datapath Block ..... 26
3.1.1.9 Finite-State Machines ..... 26
3.1.2 Block Diagram Descriptions ..... 27
3.1.2.1 P_Port Structure ..... 28
3.1.2.2 M_Port Structure ..... 29
3.1.2.3 R_Port Structure ..... 32
3.1.2.4 C_Port Structure ..... 34

3.1.2.5 SU_Cont Structure ..... 38
3.2 Port Phase-Level Behavior ..... 39
3.3 Port Clock-Level Behavior ..... 40
3.4 PIU Port-Level Structure ..... 40
3.5 PIU Clock-Level Behavior ..... 41
4 Models for Transaction Specification ..... 42
4.1 Introduction ..... 42
4.2 Abstract Views ..... 43
4.3 Representing Transaction Systems ..... 45
4.4 Preliminary Transaction Model Design ..... 47
4.4.1 The Transaction Model ..... 47
4.4.1.1 Ports ..... 48
4.4.1.2 State ..... 48
4.4.1.3 Transactions ..... 48
4.4.1.4 Operation ..... 48
4.4.2 Development Plan and Comments ..... 48
4.5 Conclusions ..... 49
5 Towards an Integrated Simulation/Verification Environment ..... 50
5.1 New Datatypes in HOL ..... 50
5.1.1 Arrays ..... 50
5.1.2 N-Bit Words ..... 51
5.2 An Example in M ..... 51
5.3 An Example in HOL ..... 53
6 Conclusions ..... 54
7 References ..... 56
A ML Source for Component Specifications ..... 58
B ML Source for the Gate-Level Specification of the PIU Ports ..... 80
B.1 P Port Specification ..... 80
B.2 M Port Specification ..... 86
B.3 R Port Specification ..... 94
B.4 C Port Specification ..... 103
B.5 SU_Cont Specification ..... 114
C ML Source for the Phase-Level Specification of the PIU Ports ..... 121
C.1 P Port Specification ..... 121
C.2 M Port Specification ..... 128
C.3 R Port Specification ..... 136
C.4 C Port Specification ..... 151
C.5 SU_Cont Specification ..... 173
D ML Source for the Clock-Level Specification of the PIU Ports ..... 182
D.1 P Port Specification ..... 182
D.2 M Port Specification ..... 186
D.3 R Port Specification ..... 190
D.4 C Port Specification ..... 198
D.5 SU_Cont Specification ..... 209
E ML Source for the PIU Block-Level Specification ..... 215
F ML Source for the PIU Clock-Level Specification ..... 219

## List of Figures

1.1 Block Diagram of the Processor-Memory Module (PMM) ..... 2
1.2 Major Blocks of the Processor Interface Unit (PIU) ..... 3
1.3 PIU Specification Hierarchy ..... 7
2.1 A Hierarchy of Interpreters ..... 11
2.2 The Temporal Abstraction Functions $F$ and $G$ ..... 12
3.1 Two Series Latches Clocked by the Same Phase ..... 21
3.2 Interval Representations ..... 22
3.3 Example D Flip-Flop Constructed With Latches ..... 23
3.4 Functional Block Diagram of a Counter ..... 24
3.5 Functional Block Diagram of the CTR Datapath Block ..... 24
3.6 Functional Block Diagram of the ICR Datapath Block ..... 25
3.7 Functional Block Diagram of the CR Datapath Block ..... 26
3.8 Functional Block Diagram of the SR Datapath Block ..... 27
3.9 Functional Block Diagram for Finite-State Machines ..... 27
3.10 P_Port Top-Level Block Diagram ..... 28
3.11 Block Diagram of P_Port Datapath ..... 29
3.12 Block Diagram of P_Port Controller ..... 30
3.13 M_Port Top-Level Block Diagram ..... 30
3.14 Block Diagram of the M_Port Datapath ..... 31
3.15 Block Diagram of the M_Port Controller ..... 32
3.16 R_Port Top-Level Block Diagram ..... 33
3.17 Block Diagram of Register File Controller ..... 33
3.18 Block Diagram of the Timer Interrupt Block ..... 34
3.19 Block Diagram of the Register Interrupt Block ..... 34
3.20 C_Port Top-Level Block Diagram ..... 35
3.21 Block Diagram of the C_Port Datapath ..... 35
3.22 Block Diagram of the C_Port Controller (Part A) ..... 36
3.23 Block Diagram of the C_Port Controller (Part B) ..... 37
3.24 Block Diagram of the Startup Controller PIU-Port Interface ..... 38
3.25 Block Diagram of the Startup Controller CPU Interface ..... 39
4.1 The View from the CPU ..... 43
4.2 View from the Memory ..... 44
4.3 View from the Network ..... 44
4.4 Abstraction Views for the PIU ..... 45
4.5 Modeling the Buses in a Computer System using Tuple Space ..... 47

## List of Tables

1.1 R_Port Register Definitions ..... 5
2.1 The abstract functions and their types for the generic interpreter model ..... 13


## 1 Introduction

This report describes work to formally specify the requirements and design of a processor interface unit (PIU), a single-chip subsystem providing memory-interface, bus-interface, and additional support services for a commercial microprocessor within a fault-tolerant computer system. This system, the Fault-Tolerant Embedded Processor (FTEP), is targeted towards applications in avionics and space requiring extremely high levels of mission reliability, extended maintenance-free operation, or both. The need for high-quality design assurance in such applications is an undisputed fact, given the disastrous consequences that even a single design flaw can produce. Thus, the further development and application of formal methods to fault-tolerant systems is of critical importance as these systems see increasing use in modern society.

The work described in this report is but a first step towards developing a provably correct fault-tolerant computing platform for application to real commercial and military systems. Beyond the PIU verification task that follows this work, future formal methods targets include at least two additional application-specific integrated circuits (ASICs) and the operating system software for the FTEP system. It is expected that the lessons learned in this PIU effort will influence the future design and modeling of these components to facilitate their subsequent verification.

This report contains five major sections following this introduction, as well as several appendices containing the PIU design specification in its full detail. Section 2 describes the generic interpreter theory used to formally specify portions of the PIU design. This theory builds on previous NASA-funded work described in [Win90], with important extensions in the handling of interpreter outputs to support subsystem composition.

Section 3 explains the PIU design specification at a high level to facilitate the understanding of the formal models contained in the appendices. The specification itself was written using the HOL theorem-proving system developed at the University of Cambridge, England [Gor88].

Section 4 describes our progress in developing a transaction-based modeling approach for specifying the PIU requirements. A number of modeling candidates were investigated and a preferred approach was identified for formalization in HOL .

Section 5 describes our initial efforts at integrating our hardware design and verification environments into a single framework. A prototype M-to-HOL translator was developed and was used to translate the PIU behavioral specifications initially written in the simulation language $M$.

Section 6 contains a concluding discussion.
Before leaving this section, we first present an informal description of the PIU, including both its structure and an overview of its behavior. Following this we introduce the specification hierarchy developed for the PIU.

### 1.1 Informal PIU Description

The PIU is a single-chip subsystem providing memory-interface, bus-interface, and additional support services within the Processor-Memory Module (PMM) of the FTEP system. The PIU's position within the PMM structure is shown in Figure 1.1. A PMM, itself a single block within an FTEP Core, interconnects three internal PMM subsystems: the local processors, the local memory, and the Core Bus (C_Bus) interface.

The PMM processors (CPU0 and CPU1) are arranged in a cold-sparing configuration to enhance long-life operation. Only one processor is active during a given mission, with the choice of active processor determined during initialization. The spare processor is disabled by the PIU through assertion of the processor's cpu_reset input. For the first implementation of the PMM, described in this report, Intel 80960MC microprocessors are used for the local processors. They communicate with the PIU using the L_Bus bus protocol of the 80960.

Processor programs and data are stored in local electrically-erasable programmable read-only memory (EEPROM) and static random access memory (SRAM), respectively. Memory accesses are initiated by either the local processor or an external block acting as C_Bus master. In either case the PIU provides the memory interface. The features provided by the PIU include memory error correction, memory locking to implement atomic read-modify-write operations, byte accesses, and block accesses of up to 64 words. EEPROM and SRAM memory capacity in the first implementation is 1 MB (megabyte) of actual information storage each, implemented within seven 256K x 8-bit memory chips each. A $(7,4)$ Hamming code provides single-bit error correction on memory reads.

The PIU also provides processor support features such as timers and interrupt control. Two 64-bit timers can be set by the processor to provide either timekeeping or watchdog functions. Processor interrupts are generated within the PIU under two conditions. One condition is a timer time-out; the other is a write operation to a specially designated PIU register by either the local processor or C_Bus master.

The reset and clock signals shown at the top of Figure 1.1 are produced by the Fault-Tolerant Clock Unit (FTCU) not shown here. The pmm_reset signal is sent only to the PIU to allow it greater control over the local processors. For example, the PIU uses this signal to enter its initialization mode, during which it activates the processor reset signals. All of the PIU input signals produced by the FTCU are synchronized with those in the PIUs in redundant PMMs of a fault-tolerant FTEP core.

The structure of the PIU itself is shown in Figure 1.2. The Processor Port (P_Port), C_Bus Port (C_Port), and Memory Port (M_Port) implement the communication protocols for the L_Bus, C_Bus, and M_Bus, respectively. The M_Port also implements $(7,4)$ Hamming encoding and decoding on writes and reads, respectively, to the local memory, and the C_Port implements single-bit parity encoding and decoding for C_Bus transfers.


Figure 1.1: Block Diagram of the Processor-Memory Module (PMM).

The Register Port (R_Port) is the fourth, and final, port residing on the PIU's Internal Bus (I_Bus). It contains a state machine, counters, and various command and status registers used by the local processor to implement timers and interrupts.

The Start-up Controller (SU_Cont) implements the PMM initialization sequence. After it has concluded initialization, control is turned over to the other ports with the SU_Cont continuing operation in a background mode. The SU_Cont is not physically located on the I_Bus, however, for convenience, we will sometimes refer to it as one of the five PIU ports.

Behaviorally, the PIU functionality can be divided into four categories: (1) PMM initialization, (2) local-processor memory accesses, (3) C_Bus memory accesses, and (4) timers and interrupts.

### 1.1.1 PMM Initialization

The PIU controls the PMM initialization sequence. After receiving a synchronous pmm_reset signal from the FTCU, the PIU initiates the testing of the two local processors (or CPUs). Based on the test results, the PIU selects one of the CPUs to be active for the upcoming mission, while at the same time isolating the other CPU. During the initialization, the PIU also maintains the inter-PMM synchronization that is initially established by the FTCUs.

Figure 1.2: Major Blocks of the Processor Interface Unit (PIU).

The PIU initiates CPU self-test via the CPU reset signals that it controls. To begin the initialization sequence, the PIU resets CPU0, which then goes through a two-phase (Intel 80960) testing process of its own. In the first phase the CPU executes a 47,000-cycle self-test procedure; in the second phase the CPU reads the first eight words of local memory (via the PIU) and performs a check-sum test. If either of these tests fails, then the CPU's failure0_ pin remains asserted; otherwise it is deasserted.

After the CPU self-test is completed, the CPU executes a software-based test using a program and the prior-mission fault status stored in local memory. At preselected points in this program the CPU updates PIU registers in a prespecified manner. At the end of this program, the PIU compares the modified PIU register values against their expected values. This acceptance test is the final major test of CPU functionality during initialization.

At the same time that CPU0 is being tested, the PIU isolates CPU1 by asserting its cpu1_reset input. Once the testing of CPU0 is completed, the roles are reversed. After both CPUs have been tested, the PIU selects one to be active for the upcoming mission. The selection algorithm makes use of the CPU failure signal outputs and the acceptance-test results: if CPU0 is ok then it is selected, otherwise if CPU1 is ok then it is selected, otherwise neither one is selected. Once the selection is made, the selected CPU is reset again and begins normal operation. The PIU isolates the other CPU by keeping its reset active.

An important PIU requirement is to maintain clock-level synchronization between redundant PMMs, yet accommodate possible nondeterminism within the PMM initialization sequences. Before the PMM initialization begins, the redundant PMM clocks are synchronized by the FTCUs, and pmm_reset signals are delivered to the PIUs synchronously across all PMMs. Synchronization is maintained by establishing maximum time durations for each phase of the initialization and having each PMM use the entire duration. The PIUs enforce these phase boundaries and thus guarantee that each PMM leaves its initialization on precisely the same clock cycle.

### 1.1.2 CPU Accesses to Memory

The PIU controls CPU reads and writes to the local memory, the internal PIU registers, and global memory.

### 1.1.2.1 To Local Memory

The PIU implements error-correction code (ECC) encoding and decoding and supports atomic memory operations, byte accesses, and 2-, 3-, and 4-word block transfers.

On writes to the local memory, the PIU encodes the 32-bit data words using a single-error-correction $(7,4)$ Hamming code. The 56-bit encoded words are stored such that each 7-bit code word (there are eight of these) is spread among the seven 256K x 8-bit memory chips, one bit per chip. On reads, the decoding process implemented within the PIU masks all faults affecting any one of the seven bits of each code word. Entire memory-chip failures are thus handled, since a failed chip corrupts only one bit of each code word.

Atomic memory accesses, the atomic add and atomic modify instructions of the Intel 80960 instruction set, are supported by the PIU. During these operations the PIU prevents the C_Bus from gaining access to the local memory. The PIU uses the lock signal provided by the CPU during these operations.

Byte accesses to the local memory are supported by the PIU. Reads are implemented in a straightforward way. Writes are implemented using a read-modify-write operation that reencodes the entire 32-bit data word.

Block accesses of up to four words are also supported to implement cache refilling within the CPU.
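The following Python model is added to this page as an illustration; it is not code from the report or from the PIU design. It works the layout just described: a 32-bit word becomes eight $(7,4)$ Hamming code words, chip k of the seven 256K x 8-bit chips stores bit k of every code word, and a byte write is a read-modify-write that re-encodes the full word. The parity equations, the bit order inside a code word, and the modelling of a failed chip as one that returns every stored bit inverted are assumptions of the example; the report states none of them. The model also makes explicit the limit the report leaves implicit: a second failed chip puts two errors in every code word, which a single-error-correcting code silently miscorrects rather than detects.

```python
"""Hamming (7,4) ECC memory laid out across seven 8-bit-wide chips.

Added example, not code from the report. Assumptions: code word bit order
[d0, d1, d2, d3, p0, p1, p2], the standard parity equations below, and a
failed chip that returns every stored bit inverted.
"""

NUM_CHIPS = 7            # one chip per code word bit
CODEWORDS_PER_WORD = 8   # 32 data bits / 4 data bits per code word
MASK32 = 0xFFFFFFFF

# Each code word position fails a unique set of parity checks, so the syndrome
# (s0 | s1 << 1 | s2 << 2) names the flipped position directly.
SYNDROME_TO_POS = {3: 0, 5: 1, 6: 2, 7: 3, 1: 4, 2: 5, 4: 6}


def encode_nibble(nibble):
    """4 data bits -> 7-bit code word as a list of bits."""
    d = [(nibble >> i) & 1 for i in range(4)]
    p0 = d[0] ^ d[1] ^ d[3]
    p1 = d[0] ^ d[2] ^ d[3]
    p2 = d[1] ^ d[2] ^ d[3]
    return d + [p0, p1, p2]


def decode_codeword(bits):
    """7-bit code word -> (nibble, corrected position or None).

    Corrects any single flipped bit. Two flipped bits give a nonzero syndrome
    that points at a third position, so they are miscorrected, not detected.
    """
    bits = list(bits)
    d0, d1, d2, d3, p0, p1, p2 = bits
    syndrome = ((p0 ^ d0 ^ d1 ^ d3)
                | (p1 ^ d0 ^ d2 ^ d3) << 1
                | (p2 ^ d1 ^ d2 ^ d3) << 2)
    fixed = None
    if syndrome:
        fixed = SYNDROME_TO_POS[syndrome]
        bits[fixed] ^= 1
    return sum(bits[i] << i for i in range(4)), fixed


def encode_word(word):
    """32-bit word -> 7 chip bytes; chip k holds bit k of all eight code words."""
    codewords = [encode_nibble((word >> (4 * i)) & 0xF)
                 for i in range(CODEWORDS_PER_WORD)]
    return [sum(cw[k] << i for i, cw in enumerate(codewords))
            for k in range(NUM_CHIPS)]


def decode_word(chip_bytes):
    """7 chip bytes -> (32-bit word, number of code words that needed correction)."""
    word, corrected = 0, 0
    for i in range(CODEWORDS_PER_WORD):
        nibble, fixed = decode_codeword([(chip_bytes[k] >> i) & 1
                                         for k in range(NUM_CHIPS)])
        if fixed is not None:
            corrected += 1
        word |= nibble << (4 * i)
    return word, corrected


class EccMemory:
    """Word-addressed local memory using the chip-spread layout above."""

    def __init__(self):
        self.chips = [{} for _ in range(NUM_CHIPS)]   # chip k: addr -> byte
        self.dead_chips = set()

    def fail_chip(self, k):
        """Whole-chip failure model: every byte read from chip k comes back inverted."""
        self.dead_chips.add(k)

    def write_word(self, addr, word):
        for k, byte in enumerate(encode_word(word & MASK32)):
            self.chips[k][addr] = byte

    def read_word(self, addr):
        raw = [self.chips[k].get(addr, 0) ^ (0xFF if k in self.dead_chips else 0)
               for k in range(NUM_CHIPS)]
        return decode_word(raw)

    def write_byte(self, addr, lane, value):
        """Byte write as read-modify-write: decode, patch one lane, re-encode all 32 bits."""
        word, _ = self.read_word(addr)
        shift = 8 * lane
        word = (word & ~(0xFF << shift) & MASK32) | ((value & 0xFF) << shift)
        self.write_word(addr, word)
```

Before trusting the correction count reported by such a model, a practitioner should check the syndrome table exhaustively: every single-bit flip of every one of the sixteen code words must decode back to the original nibble and name the flipped position. With one chip failed, every read of a written word reports eight corrections and the right data; with two chips failed the data is wrong and nothing flags it, which is why the design pairs this code with the C_Bus-level status reporting described later rather than relying on the code alone.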

### 1.1.2.2 To Internal Register File

The PIU supports atomic accesses and 2-, 3-, and 4-word block transfers to and from its internal registers within the R_Port. Byte accesses are not supported, nor is the data encoded before being stored. Table 1.1 shows the R_Port register definitions.

The Interrupt Control Register (ICR) supports memory-mapped interrupts to the local processor. The register is divided into four fields. The first two contain the interrupt settings and mask bits for int0_, in bits 0 through 7 and 8 through 15, respectively. A logic-1 in both a set location and the associated mask location signifies an active interrupt, which if enabled (external to the R_Port) will generate an active int0_ signal to the processor. Bits 16 through 31 are used in a corresponding way for int3_.

The ICR contents are updated in two different ways. A write to register address 0 implements a logical-AND operation on the new value and the old register contents, while a write to address 1 implements a logical-OR operation. These two operations implement the resetting and setting of register bits, respectively. A read to either of these addresses returns the current register value.

The General Control Register (GCR) and Communication Control Register (CCR) provide control bits to the internal PIU and the C_Bus, respectively. The GCR bits include the start-up software counter enable (used for the acceptance test discussed earlier), R_Port counter configuration control bits, and parity-error-latch reset bits. The CCR contains the message header for the next C_Bus transaction. Either of these registers can be written to or read from by the local processor.

The Status Register (SR) holds status information produced internally to the PIU. This includes startup error-detection status, local-memory and C_Bus error-detection status, start-up controller state, and the last C_Bus slave-status report. This register is read-only.

Register addresses 8 through 11 are used to load new counter values to the 32-bit counters 0 through 3, respectively. These load values can be read by the local processor using the same addresses. Register addresses 12 through 15 are read-only locations containing the current value of the four counters.

The four counters are combined to form two 64-bit counters which can be configured in a variety of ways via control bits in the GCR. The choices include enabled vs. disabled counting, enabled vs. disabled interrupting on overflow, and reloading vs. count-continuation on overflow. Counters 0 and 1 together support timer interrupts using the int1_ interrupt line; counters 2 and 3 use int2_.

Table 1.1: R_Port Register Definitions.

| Register Address | Contents |
| :---: | :--- |
| 0 | Interrupt Control Register (ICR) reset |
| 1 | ICR set |
| 2 | General Control Register (GCR) |
| 3 | Communication Control Register (CCR) |
| 4 | Status Register (SR) |
| 8 | Counter 0 in |
| 9 | Counter 1 in |
| 10 | Counter 2 in |
| 11 | Counter 3 in |
| 12 | Counter 0 out |
| 13 | Counter 1 out |
| 14 | Counter 2 out |
| 15 | Counter 3 out |
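As an added example (Python written for this page, not code from the report or the PIU design), the register semantics above can be stated as an executable model: writes to addresses 0 and 1 AND and OR the ICR, an interrupt is pending when a source bit and its mask bit are both set, addresses 8 through 11 load the counters and 12 through 15 read them back, and two 64-bit timers overflow, optionally interrupt, and either reload or continue. The GCR bit positions, the pairing of counter 2t as the low word with 2t+1 as the high word of timer t, and the rule that writing a load register also initialises the running count are assumptions of the model; the report names these controls but does not give their encoding.

```python
"""Register-level model of the PIU R_Port: ICR set/reset semantics and the
two 64-bit timers built from counters 0..3.

Added example, not code from the report. Assumptions: GCR timer control
bits live at bits 3t..3t+2 for timer t (count enable, interrupt enable,
reload on overflow); counter 2t is the low half and 2t+1 the high half of
timer t; writing a load register also initialises the running count.
"""

MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1

# Assumed GCR bit layout per timer (positions are not given in the report).
GCR_COUNT_EN, GCR_INT_EN, GCR_RELOAD = 1, 2, 4


def period_load(period):
    """Load value that makes an up-counting 64-bit timer overflow after `period` ticks."""
    return ((1 << 64) - period) & MASK64


class RPort:
    def __init__(self):
        self.icr = 0                  # addresses 0 (AND write) and 1 (OR write)
        self.gcr = 0                  # address 2
        self.load = [0, 0, 0, 0]      # addresses 8..11
        self.count = [0, 0, 0, 0]     # addresses 12..15, read-only

    # -- register file access (address decode per Table 1.1) -----------------
    def write(self, addr, value):
        value &= MASK32
        if addr == 0:
            self.icr &= value         # AND: clears every bit that is 0 in the new value
        elif addr == 1:
            self.icr |= value         # OR: sets every bit that is 1 in the new value
        elif addr == 2:
            self.gcr = value
        elif 8 <= addr <= 11:
            self.load[addr - 8] = value
            self.count[addr - 8] = value
        else:
            raise ValueError(f"register {addr} is read-only or unused in this model")

    def read(self, addr):
        if addr in (0, 1):
            return self.icr           # both addresses read back the same register
        if addr == 2:
            return self.gcr
        if 8 <= addr <= 11:
            return self.load[addr - 8]
        if 12 <= addr <= 15:
            return self.count[addr - 12]
        raise ValueError(f"register {addr} is unused in this model")

    # -- interrupt control register -------------------------------------------
    def int0_pending(self):
        """int0_ source bits 0..7 ANDed with their mask bits 8..15."""
        return ((self.icr & 0xFF) & ((self.icr >> 8) & 0xFF)) != 0

    def int3_pending(self):
        """int3_ source bits 16..23 ANDed with their mask bits 24..31."""
        return (((self.icr >> 16) & 0xFF) & ((self.icr >> 24) & 0xFF)) != 0

    # -- timers -------------------------------------------------------------------
    def _timer(self, t):
        return (self.count[2 * t + 1] << 32) | self.count[2 * t]

    def _set_timer(self, t, value):
        self.count[2 * t] = value & MASK32
        self.count[2 * t + 1] = (value >> 32) & MASK32

    def tick(self):
        """Advance one clock; returns (int1_ asserted, int2_ asserted) for this cycle."""
        irq = [False, False]
        for t in (0, 1):
            cfg = (self.gcr >> (3 * t)) & 7
            if not cfg & GCR_COUNT_EN:
                continue
            value = self._timer(t) + 1
            if value > MASK64:                      # overflow
                irq[t] = bool(cfg & GCR_INT_EN)
                value = ((self.load[2 * t + 1] << 32) | self.load[2 * t]
                         if cfg & GCR_RELOAD else 0)   # periodic vs. single-shot
            self._set_timer(t, value)
        return tuple(irq)
```

The `period_load` helper is the arithmetic a driver needs for a periodic interrupt on an up-counting timer: load $2^{64} - n$, and with reload enabled int1_ asserts every n cycles; with reload disabled the count wraps to zero after the first overflow and the interrupt is single-shot. Note also that the AND/OR write discipline makes clearing one interrupt source a write of all-ones except that bit to address 0, which never disturbs bits set concurrently by the C_Bus master.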

### 1.1.2.3 To the C_Bus

The upper 2 GB (gigabytes) of the CPU address space is reserved for external memory and input/output (I/O). The PIU routes CPU memory accesses at these addresses to the C_Bus. It implements the C_Bus protocol, parity encoding and decoding of data, and support for atomic memory operations, byte transfers, and 2-, 3-, and 4-word block transfers.

The PIU implements the C_Bus communication protocol. This includes all arbitration actions and necessary handshaking.

On writes to the C_Bus the PIU encodes each byte of data using a single-error-detection parity code. Data arriving over the C_Bus is likewise decoded.

Atomic memory operations are supported by the PIU. Once the PIU acquires the C_Bus it doesn't relinquish it until the atomic operation is completed. The PIU again makes use of the CPU lock signal to know when to do this.

Byte transfers and 2-, 3-, and 4-word transfers are handled in a straightforward manner.

### 1.1.3 C_Bus Accesses to Memory

The PIU controls C_Bus reads and writes to local memory and the PIU register file. All of the support features described earlier for the CPU-initiated transfers are supported here as well. The C_Bus (i.e., the processing unit of an external block) has priority over the CPU for local memory accesses. The PIU holds off the local CPU using the CPU hold_ input signal. The PIU supports block transfers as large as 64 words over the C_Bus.

### 1.1.4 Timers and Interrupts

As explained above, the PIU contains two 64-bit counters and an interrupt control register. The counters can be used to implement timed interrupts as well as a real-time clock. The timed interrupts can be programmed to provide either a single-shot interrupt or repeated, periodic interrupts.

The interrupt register is a memory-mapped register used to implement 16 possible interrupts. These interrupts can be initiated by either the active local processor or an external C_Bus master.

### 1.2 Specification Overview

Figure 1.3 shows the specification hierarchy developed for the PIU. In constructing this hierarchy much emphasis was placed on maintaining compatibility with existing formal specification methods, particularly the generic interpreter theory described in Section 2 . The resulting hierarchy reflects this emphasis, particularly in the lower levels where many of the techniques described in [Win90] are used.

Consistent with established hierarchical specification methods, the levels in the hierarchy of Figure 1.3 are abstractions of the levels below them. Four types of abstraction are used here. Temporal abstraction relates time at a particular level to the time at lower levels; each unit of time at the higher level corresponds to multiple time units at the lower level. Data abstraction relates the states of two levels, with the higher level state being a function (typically a subset) of the state at the lower level. In behavioral abstraction, a structural description at the lower level, defined using the physical interconnection of components or subsystems, is replaced by a purely behavioral description at the higher level. Structural abstraction (or composition) combines subsystems defined at one level to form a higher level.

At the bottom of the PIU specification hierarchy is the gate-level description. This is a structural description derived from the lowest-level detailed design developed by the PIU design team. The chip layout is obtained directly from this level using silicon compilation techniques that are not within the scope of the specification and subsequent verification tasks. Components at the gate level include individual logic gates, latches, counters, and finite-state machines. This level is comparable to the electronic block model (EBM) level of [Win90].

The phase-level behavioral description for each of the five PIU ports is a behavioral abstraction of each corresponding gate level. This level is comparable to the phase level used in [Win90]. The specification at this level consists of an instruction set containing two instructions, one for phase A and one for phase B, defining the state transition and outputs generated during each phase.

The clock-level behavioral description for the PIU ports uses a time interval of an entire clock period rather than a single phase (temporal abstraction), and the state is a subset of the phase-level state (data abstraction). Only a single instruction is defined for each port, specifying the state change and outputs of the port occurring during its execution. This level is comparable to the microinstruction level of [Win90] and elsewhere except that only a subset of the chip design (i.e., a port) is described here rather than the entire chip.


Figure 1.3: PIU Specification Hierarchy.

The port-level structure is a structural composition of the five individual clock-level port specifications. The port composition is based on the established method of forming a logical conjunction of the individual port descriptions.

The clock-level behavioral description for the PIU is a behavioral abstraction of the structural description at the PIU port level, providing a clock-level description for the entire chip. This level is comparable to the microinstruction level referred to above, an important difference being in the approach to instruction decoding: here no decoding is used, resulting in a single instruction compared to the many microinstructions in [Win90], for example.

The transaction-style behavioral description is the topmost level in the PIU hierarchy providing a concise and easy-to-understand definition of PIU behavior. Whereas the lower five levels of the hierarchy represent the PIU design and were developed bottom-up, the transaction level specifies the PIU requirements. In this role as human interface the transaction level must address modeling problems not faced at the lower levels.

Three important problems unique to the transaction level are: (1) independently-initiated concurrent behavior, (2) multiple sequential outputs, and (3) shared state. Because of these, hardware modeling approaches used within the HOL community to date are inadequate for transaction-level modeling. Section 4 describes these problems in more detail and explains our progress in developing a transaction-level model suitable for the PIU.

## 2 Generic Interpreter Theory

This section describes the generic interpreter theory used to model portions of the PIU. The work described in this section grew out of efforts to model microprocessors and thus the model discusses microprocessor specification and verification heavily. We have discovered that the model is useful for describing other hardware devices as well, and, in particular, we have found it to be well-suited for specifying the PIU design. The generic interpreter theory is described more fully in [Win90].

### 2.1 Introduction

The formal specification and verification of microprocessors has received much attention. Indeed, several verified microprocessors have been presented in the literature. This section presents an abstract model that describes a large class of hardware devices, including microprocessors and other devices with a single major control point. The model is called a generic interpreter and the theory contains important theorems about it.

We have formalized the interpreter model in the HOL theorem proving system [Gor88,Gog88]. The formal model can be instantiated inside the system and serves as a framework for writing device specifications and verifying them. This framework clearly states what definitions must be made to specify the device and which lemmas must be established to complete the verification. After the user has defined the components of the hardware device model and proven the necessary lemmas about them, individual theorems from the abstract theory can be instantiated to provide concrete theorems about the actual device being verified.

The model that we have defined has proven useful in specifying and verifying several microprocessors [Win90,Aro90]. The model is not, however, limited to microprocessors only. Recent work has shown that the model can be used in specifying other hardware devices as well [Win91]. Because the model was originally developed for microprocessor modeling, however, much of the terminology in the model (e.g., instruction set) is influenced by microprocessor terminology. We have kept it even though more general terminology might be better in some cases.

The model we have defined differs from other formal descriptions of state machines (such as Loewenstein's model in [Low89]) by including the data and temporal abstractions that are important in specifying and verifying microprocessors in the formalization.

### 2.2 Formal Microprocessor Modeling

There have been numerous efforts to formally model microprocessors. At the time this project was begun the best known of these included Jeff Joyce's Tamarack microprocessor [Joy89], Warren Hunt's FM8501 and FM9001 microprocessors [Hun87, Hun92], and Avra Cohn's verification of VIPER [Coh88]. Tamarack is a simple microprocessor with only 8 instructions. FM8501 is larger (roughly the size of a PDP-11), but has not been implemented; FM9001 is a 32-bit version that is being verified and implemented. VIPER is the first microprocessor intended for commercial use where formal verification was used. However, the verification has not been completed because of the large case explosion that occurred and the size of the proofs in each of the cases. Recent work on hierarchical specification [Win88], coupled with the work presented here, has overcome this problem; microprocessors significantly more complicated than VIPER are now within the realm of formal treatment.

### 2.2.1 Microprocessor Specification

The specifications for the microprocessors mentioned above appear very different on the surface; in fact, the specifications of FM8501 and FM9001 are even in a different language. On closer inspection, however, each uses the same implicit behavioral model. In general, the model uses a state transition system to describe the microprocessor. A microprocessor specification has four important parts:

1. A representation of the state, $S$.
2. A set of state transition functions, $J$, denoting the behavior of the individual instructions of the microprocessor. Each of these functions takes the state defined in step (1) as an argument and returns the state updated in some meaningful way.
3. A selection function, $N$, that selects a function from the set $J$ according to the current state.
4. A predicate, $I$, relating the state at time $t+1$ to the state at time $t$ by means of $J$ and $N$.

In some cases, the individual state transition functions, $J$, and the selection function, $N$, are combined to form one large state transition function. Also, a functional specification would use a function for part (4) instead of a predicate. The general form, however, is the same.

### 2.2.2 Microprocessor Verification.

Just as most microprocessor specifications are similar, so too are their verifications. After the microprocessor has been specified, we can verify that a machine description, $M$, implements the specification, $I$, for some state, $s$, by showing:

$$
\forall s \in S \bullet(M(s) \Rightarrow I(s))
$$

That is, we show that $I$ has the same effect on the state, $s$, as $M$ does. This theorem is typically shown by case analysis on the instructions in $J$ by establishing the following lemma:

$$
\forall(j \in J) \bullet M(s) \Rightarrow\left(\forall t \bullet C(j, s, t) \Rightarrow\left(s\left(t+n_{j}\right)=j(s(t))\right)\right)
$$

where $C$ is a predicate expressing the conditions for instruction $j$ 's selection, $s(t)$ is the state at time $t$, and $n_{j}$ is the number of cycles that it takes to execute $j$. This lemma says that if an instruction $j$ is selected, then applying $j$ to the current state yields the state that results by letting the implementing interpreter $M$ run for $n_{j}$ cycles. We call this lemma the instruction correctness lemma.

### 2.3 A Formal Model of Interpreters.

An interpreter is a computing structure with one control point. One of the many available instructions is chosen at this control point based on the current state and inputs. The state is then processed by this instruction and the cycle begins again.

In general, a microprocessor specification can consist of many abstraction levels. Every level except the bottom specification (which is the structural specification) can be modeled as an interpreter. A hierarchical approach to specification and verification has been shown to significantly reduce the amount of effort required to complete the verification of a microprocessor [Win88].

Figure 2.1 shows a generalized hierarchy of interpreters. Note that each communicates with the state and environment, although most interpreters see only an abstraction of the state. An interpreter sends instructions to the interpreter below it and communicates (mostly timing) information to the interpreter above it.

### 2.3.1 Abstract Theories.

A theory is a set of types, definitions, constants, axioms and parent theories. Logics are extended by defining new theories. An abstract theory is parameterized so that some of the types and constants defined in the theory are undefined inside the theory except for their syntax and a loose algebraic specification of their semantics. Group theory is an example of an abstract theory. The multiplication operator is undefined except for its syntax (a binary operator on type ":group") and a loose semantics given by the axioms of group theory.

Figure 2.1: A Hierarchy of Interpreters.

Abstract theories are useful because they provide proofs about abstract structures that can be used to reason about specific instances of the structure. In groups, for example, after showing that addition over the integers satisfies the axioms of group theory, we can use the theorems from group theory to reason about addition on the integers.

An abstract theory consists of three parts:

1. An abstract representation of the uninterpreted constants and types in the theory. The abstract representation contains a set of abstract operations and a set of abstract objects. (These are sometimes called uninterpreted constants and uninterpreted types.)
2. A set of theory obligations defining relationships between members of the abstract representation. Inside the theory, the obligations represent axiomatic knowledge concerning the abstract representation. Outside the theory, the obligations represent the criteria that a concrete representation must meet if it is to be used to instantiate the abstract theory.
3. A collection of abstract theorems. The theorems are generally based on the theory obligations and can stand alone only after the theory obligations have been met.

To instantiate an abstract theory, the concrete representation must meet the syntactic requirements of the abstract representation as well as the semantic requirements of the theory obligations. If the syntactic and semantic requirements are met, then the instantiation provides a collection of concrete theorems about the new representation.

There are several specification and verification systems that support abstract theories. Some, such as OBJ [Gog88] and EHDM [SRI88], offer explicit support. HOL, the verification environment used for the research reported here, does not explicitly support abstract theories; however, HOL's metalanguage, ML, combined with higher-order logic, provides a framework for implementing abstract theories [Win90a] in a manner that does not degrade the trustworthiness of the theorem prover.

### 2.3.2 Temporal Abstraction

Before we can discuss the formal model, we must describe the temporal abstraction that it uses. The development follows that of [Joy89,Mel88,Her88].

In general, different levels in the interpreter hierarchy will have different views of time. We use temporal abstraction to produce a function that maps time at one level to time at another. Figure 2.2 shows a temporal abstraction function $F$. The circles represent clock ticks. The number of clock ticks required at the implementing level to produce one clock tick at the implemented level is irregular.

The predicate, $G$, is true whenever there is a valid abstraction from the lower level to the upper level. We can define a generic temporal abstraction function in terms of $G$. In a microprocessor specification, $G$ is usually a predicate indicating when the lower level interpreter is at the beginning of its cycle, a condition that is easy to test.

We will use a function Temp_Abs as our temporal abstraction function. The function is defined recursively so that (Temp_Abs $g$ 0) is the first time that the predicate $g$ is true and (Temp_Abs $g(n+1)$ ) is the next time after time $n$ when $g$ is true. We will not develop the details of the temporal abstraction function here, but refer the interested reader to the references given above and [Win90].

### 2.3.3 The Abstract Representation

We specify the abstract representation by defining a list of abstract objects and operations. Table 2.1 shows the operations and their types. We must emphasize that the representation is abstract and, therefore, the objects and operations have no definitions. The descriptions that follow are what we intend for the representation to mean. The representation is purely syntactic, however.

The following abstract types are used in the representation.

- :*state represents the state.
- :*env represents the environment.
- :*out represents the outputs.
- :*key is the type containing all of the keys. Keys are used to select instructions. For example, the opcodes form the keys in the top-level specification of a microprocessor.

We add primes to the types to indicate that they represent state, time, etc. at the implementing rather than the implemented level of the hierarchy.

Figure 2.2: The Temporal Abstraction Functions $F$ and $G$.

Table 2.1: The abstract functions and their types for the generic interpreter model.

| Operation | Type |
| :---: | :---: |
| instructions | ":*key->(*state->*env->*state)" |
| select | ":*state->*env->*key" |
| output | ":*key->(*state->*env->*out)" |
| substate | ":*state'->*state" |
| subenv | ":*env'->*env" |
| subout | ":*out'->*out" |
| Impl | ":(time'->*state')->(time'->*env')->bool" |
| count | ":*state'->*env'->*key'" |
| start | ":*key'" |

The abstract representation can be broken into two parts. The first contains those operations concerned with the interpreter.

- instructions is the instruction set. The set is represented by a function from a key to a state transition function.
- select picks a key based on the present state and environment.
- output is a set of output functions. The set is represented by a function from a key to a function that produces output for a given state and environment.
- substate is the state abstraction function for the interpreter. The substate function is used to hide the visible state in the interpreter.
- subenv is the environment abstraction.
- subout is the output abstraction.

Because we want to prove correctness results about the interpreter, we must have an implementation. The second part of the abstract representation contains three functions that provide the necessary abstract definitions for the implementation.

- Impl is the abstract implementation. We could have chosen to make this function more concrete, but doing so would have required that every implementation have some pre-chosen structure. Thus, we say nothing about it except to define its type.
- count is analogous to select except it operates at the implementing level.
- start denotes the beginning of the implementation clock cycle.

We will ensure that count periodically reaches start as part of the synchronization process.

### 2.3.4 The Theory Obligations

Proving that the implementation implies the interpreter definition is typically done by case analysis on the instructions; we show that when the conditions for an instruction's selection are right, the instruction is implied by the implementation. We call this the instruction correctness lemma.

The predicate INSTRUCTION_CORRECT expresses the conditions that we require in the instruction correctness lemma: ${ }^{1}$

```
|-def INSTRUCTION_CORRECT gi s' e' inst =
    (Impl gi s' e') ==>
    (!t:time'.
      let s t = (substate gi (s' t)) in
      let e t = (subenv gi (e' t)) in
      let f t = (count gi (s' t) (e' t) = (start gi)) in
      let k = (select gi (s t) (e t)) in
      ((inst = (instructions gi k)) /\ (f t)) ==>
      ?c. Next f (t, t+c) /\ (inst (s t) (e t) = (s (t+c))))
```

INSTRUCTION_CORRECT operates on a single instruction inst. The implementation implies that for every time, $t$, if inst is selected and the implementation's counter is at the beginning, then there is a time $c$ cycles in the future such that applying the instruction to the current state yields the same state change that the implementation does in $c$ cycles.

INSTRUCTION_CORRECT is a good example of the kind of information that is captured in the generic model. Previous microprocessor verifications created this lemma, or one similar to it, in a largely ad hoc manner.

Because our model has outputs as well as inputs (the environment), we must also assume something about the output in order to establish correctness. The predicate OUTPUT_CORRECT expresses the conditions that we require in the output correctness lemma:

```
|-def OUTPUT_CORRECT gi s' e' p' k =
    (Impl gi s' e' p') ==>
    (!t:time'.
      let s t = (substate gi (s' t)) in
      let e t = (subenv gi (e' t)) in
      let p t = (subout gi (p' t)) in
      let f t = (count gi (s' t) (e' t) = (start gi)) in
      ((count gi (s' t) (e' t) = (start gi)) /\
       (select gi (s t) (e t) = k)) ==>
      (p t = (output gi k) (s t) (e t)))
```

Using INSTRUCTION_CORRECT and OUTPUT_CORRECT we can define the theory obligations in our model. The theory obligations are given as a predicate on an abstract representation gi:

```
|-def GI gi =
    (!s' e' p' k. INSTRUCTION_CORRECT gi s' e' p' k) /\
    (!s' e' p' k. OUTPUT_CORRECT gi s' e' p' k)
```

The predicate says that every instruction in the instruction set satisfies the predicate INSTRUCTION_CORRECT and every output function satisfies the conditions set forth in OUTPUT_CORRECT.

### 2.3.5 Abstract Theorems

Using the abstract representation and the theory obligations, many useful theorems pertaining to interpreters can be established on the generic structure.

### 2.3.5.1 Defining the Interpreter

One of the important parts of the collection of abstract theorems is the definition of a generic interpreter. The definition is based on functions from the abstract representation.

```
|-def INTERP gi s e p =
    !t:time.
      let k = (select gi (s t) (e t)) in
      (s (t+1) = (instructions gi k) (s t) (e t)) /\
      (p t = (output gi k) (s t) (e t))
```

The specification of an interpreter is a predicate relating the contents of the state stream at time $t+1$ to the contents of the state stream at time $t$. The relationship is defined using the functions from the abstract representation. The definition also uses the currently selected output function to denote the current output.

### 2.3.5.2 Induction on Interpreters

The definition of the interpreter sets up a relation between the state at $t$ and $t+1$. Sometimes it is useful to have a more explicit statement regarding induction. The following theorem, which follows from the definition of the interpreter given in Section 2.3.5.1, defines induction on an interpreter:

```
|- !Q. INTERP gi s e p ==>
    (Q (s 0) /\
     !t. let inst = (instructions gi (select gi (s t) (e t))) in
         Q (s t) ==> Q (inst (s t) (e t))) ==>
    !t. Q (s t)
```

The theorem states that for any arbitrary predicate on states, $Q$, if $Q$ is true of the state at time 0, and when $Q$ is true of the state at time $t$, it follows that it's also true of the state returned by the current instruction, then $Q$ is true of every state.

We note that even though this theorem looks fairly simple, and indeed is quite easy to show in the generic theory, the theorem will eventually be instantiated with the entire denotational description of the semantics of a particular instruction set and will be quite involved. The same admonition holds for each of the theorems and definitions presented in this section.

### 2.3.5.3 The Implementation is Live

Using the theory obligations, we can prove that the implementation is live. By live we mean that if the implementation starts at the beginning of its cycle, then there is a time in the future when the implementation will be at the beginning of its cycle again. That is, we show that the device will not go into an infinite loop.

```
|- Impl gi s' e' ==>
    (!t. (count gi (s' t) (e' t) = start gi) ==>
         (?n. Next (\t. count gi (s' t) (e' t) = start gi) (t, t+n)))
```

Next $P(t1, t2)$ says that $t2$ is the next time after $t1$ when $P$ is true.

### 2.3.5.4 The Correctness Statement

The correctness result can be proven from the definition of the interpreter and the theory obligations:

```
|- let s t = (substate gi (s' t)) and
       e t = (subenv gi (e' t)) and
       p t = (subout gi (p' t)) and
       f t = (count gi (s' t) (e' t) = (start gi)) in
   let abs = (Temp_Abs f) in
   (Impl gi s' e' p') /\
   (?t. f t) ==>
   (INTERP gi) (s o abs) (e o abs) (p o abs)
```

In the correctness statement, $s^{\prime}$, $e^{\prime}$, and $p^{\prime}$ are the state, environment, and output streams in the implementation. The terms (s o abs), (e o abs), and (p o abs) are the state, environment, and output streams for the interpreter defined in the model. They are data and temporal abstractions of $s^{\prime}$, $e^{\prime}$, and $p^{\prime}$. The correctness statement says that if the implementation is valid on its state, environment, and output streams and there is a time when the implementing clock is at the beginning of its cycle, then the interpreter is valid on its state and environment streams.
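To make the pieces of the model concrete, here is an added executable sketch in Python; it is not the report's HOL theories. A constructed three-instruction accumulator machine serves as the implemented interpreter (the parts $S$, $J$, $N$ and $I$ of Section 2.2.1), and a micro-cycle machine whose DBL instruction takes two ticks serves as its implementation, so the number of implementing ticks per implemented tick is irregular as in Figure 2.2. The temporal abstraction Temp_Abs of Section 2.3.2, the obligation INSTRUCTION_CORRECT of Section 2.3.4, the liveness theorem of Section 2.3.5.3 and the correctness statement INTERP gi (s o abs) (e o abs) (p o abs) are each checked on a bounded trace rather than proved for all time. The instruction set, the sample program, the deliberately defective implementation and all function names are assumptions of this example.

```python
"""Executable sketch of the generic interpreter model (Section 2.3): an added
example, not the report's HOL theories.  A constructed three-instruction
accumulator machine is the implemented interpreter; a micro-cycle machine whose
DBL takes two ticks is its implementation.  Temp_Abs (2.3.2), the obligation
INSTRUCTION_CORRECT (2.3.4), liveness (2.3.5.3) and INTERP on the abstracted
streams (2.3.5.4) are checked over a bounded trace (HOL proves them for all t)."""
from typing import Callable, List, Optional, Tuple

State = Tuple[int, int]           # implemented level: (pc, acc)
ImplState = Tuple[int, int, int]  # implementing level: (pc, acc, phase)
Env = Tuple[str, ...]             # the program; the environment is constant here
START = 0                         # start gi: phase 0 begins an implementation cycle

# abstract representation, instantiated for the (assumed) toy machine
INSTRUCTIONS = {                  # instructions gi k: state transition per key
    "NOP": lambda s, e: (s[0] + 1, s[1]),
    "INC": lambda s, e: (s[0] + 1, s[1] + 1),
    "DBL": lambda s, e: (s[0] + 1, 2 * s[1]),
}
def select(s: State, e: Env) -> str:          # select gi: opcode at pc is the key
    return e[s[0] % len(e)]
def output(k: str, s: State, e: Env) -> int:  # output gi k: the accumulator
    return s[1]
def count(s_: ImplState, e_: Env) -> int:     # count gi: the micro-phase counter
    return s_[2]
def substate(s_: ImplState) -> State:         # substate gi: hide the phase (data abstraction)
    return (s_[0], s_[1])

def impl_step(s_: ImplState, e_: Env) -> ImplState:
    """One implementing-level tick; DBL needs two, so ticks per instruction vary."""
    pc, acc, phase = s_
    k = e_[pc % len(e_)]
    if k == "DBL":
        return (pc, acc, 1) if phase == 0 else (pc + 1, 2 * acc, 0)
    return (pc + 1, acc + 1, 0) if k == "INC" else (pc + 1, acc, 0)

def buggy_impl_step(s_: ImplState, e_: Env) -> ImplState:
    """Constructed defect: DBL's second micro-cycle forgets to advance pc."""
    pc, acc, phase = s_
    if e_[pc % len(e_)] == "DBL" and phase == 1:
        return (pc, 2 * acc, 0)
    return impl_step(s_, e_)

def run_impl(step, s0: ImplState, e: Env, ticks: int) -> List[ImplState]:
    """Impl gi s' e': the implementing-level state stream s' for `ticks` ticks."""
    trace = [s0]
    for t in range(ticks):
        trace.append(step(trace[t], e))
    return trace

def next_time(g: Callable[[int], bool], t: int, horizon: int) -> Optional[int]:
    """Next g (t, t2): the first t2 > t with g t2, or None inside the horizon."""
    return next((t2 for t2 in range(t + 1, horizon) if g(t2)), None)

def temp_abs(g: Callable[[int], bool], n: int, horizon: int) -> Optional[int]:
    """Temp_Abs g 0 is the first time g holds; Temp_Abs g (n+1) is the next
    time after Temp_Abs g n that g holds."""
    t = next_time(g, -1, horizon)
    for _ in range(n):
        t = None if t is None else next_time(g, t, horizon)
    return t

def is_live(trace: List[ImplState], e: Env) -> bool:
    """2.3.5.3: every start-of-cycle tick is followed by another one (the last
    start in a finite trace cannot be judged and is skipped)."""
    f = lambda t: count(trace[t], e) == START
    starts = [t for t in range(len(trace)) if f(t)]
    return all(next_time(f, t, len(trace)) is not None for t in starts[:-1])

def instruction_correct(trace: List[ImplState], e: Env) -> bool:
    """INSTRUCTION_CORRECT: running the implementation to the next start tick
    equals applying the selected instruction to the abstracted state."""
    f = lambda t: count(trace[t], e) == START
    for t in range(len(trace)):
        t2 = next_time(f, t, len(trace)) if f(t) else None
        if t2 is None:
            continue              # not a start tick, or trace ends mid-instruction
        st = substate(trace[t])
        if INSTRUCTIONS[select(st, e)](st, e) != substate(trace[t2]):
            return False
    return True

def interp_holds(trace: List[ImplState], e: Env, steps: int) -> bool:
    """INTERP gi (s o abs) (e o abs) (p o abs) for the first `steps` abstract ticks."""
    f = lambda t: count(trace[t], e) == START
    abs_ = [temp_abs(f, n, len(trace)) for n in range(steps + 1)]
    if any(a is None for a in abs_):
        return False              # trace too short for this many abstract ticks
    s = [substate(trace[a]) for a in abs_]   # s o abs
    p = [trace[a][1] for a in abs_]          # p o abs (subout is the identity here)
    return all(s[n + 1] == INSTRUCTIONS[select(s[n], e)](s[n], e)
               and p[n] == output(select(s[n], e), s[n], e) for n in range(steps))

PROGRAM: Env = ("INC", "DBL", "NOP", "DBL")  # constructed sample program

if __name__ == "__main__":
    good = run_impl(impl_step, (0, 1, 0), PROGRAM, 40)
    bad = run_impl(buggy_impl_step, (0, 1, 0), PROGRAM, 40)
    print(is_live(good, PROGRAM), instruction_correct(good, PROGRAM),
          interp_holds(good, PROGRAM, 8), instruction_correct(bad, PROGRAM))
```

The correct implementation passes all three checks, while the defective one fails INSTRUCTION_CORRECT at the first DBL because the state reached at the next start tick has the wrong program counter. Bounded checking of this kind is a cheap way to find such defects before attempting the HOL proof, but only the proof covers every instruction and every time.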

### 2.3.5.5 Composing Interpreters Hierarchically

In [Win88], we show that hierarchical decomposition makes the verification of large microprocessors practical. To support this decomposition, the generic interpreter model contains a theorem about composing generic interpreters hierarchically.

```
|- (INTERP gi1 = Impl gi2) /\
   (select gi1 = count gi2) ==>
   !(s'':time->*state'') (e'':time->*env'') (p'':time->*out'').
   let s' t = (substate gi1 (s'' t)) and
       e' t = (subenv gi1 (e'' t)) and
       p' t = (subout gi1 (p'' t)) and
       f t = (count gi1 (s'' t) (e'' t) = start gi1) in
   let s t = (substate gi2 (s' t)) and
       e t = (subenv gi2 (e' t)) and
       p t = (subout gi2 (p' t)) and
       g t = (select gi1 (s' t) (e' t) = start gi2) in
   let abs1 = (Temp_Abs f) in
   let abs2 = abs1 o (Temp_Abs (g o abs1)) in
   (Impl gi1 s'' e'' p'') /\
   (?t. f t) ==>
   (?t. (g o abs1) t) ==>
   INTERP gi2 (s o abs2) (e o abs2) (p o abs2)
```

This theorem states that if gi1 and gi2 are generic interpreters and they are connected such that the interpreter definition of gi1 is the implementation of gi2, then the implementation of gi1 implies the interpreter definition of gi2.

This important theorem captures the temporal and data abstraction required to compose two interpreters. This theorem is a good example of the utility of abstract theories in hardware verification. This theorem is tedious to prove and were it not contained in the abstract theory, it would have to be proven numerous times in the course of a single microprocessor verification.

### 2.4 Parallel Composition

Our eventual goal is to use the work that is described in Section 4 to show how a set of interpreters can be composed with each other in parallel. This goal is significantly different from the theorem described in Section 2.3.5.5. In hierarchical composition, the implementation of one interpreter model is the interpreter from the other. In parallel composition, the two interpreters share a behavioral specification (i.e., interpreter definition), and the implementation is two or more interpreters linked together. The interpreters can be linked by shared state, common input, common output, and connections between the interpreters' inputs and outputs.

Undoubtedly, as our theory of composition matures, the generic interpreter theory will change. The advantage of generic theories is that these changes can be made more easily in the generic theory than they can in a specific definition of a VLSI device.

### 2.5 Conclusion

This section has described the generic interpreter model. The theory isolates the temporal and data abstractions of the proof inside the abstract theory. The theory also contains several important theorems about the abstract representation. These theorems are true of every instantiation of the abstract representation that meets the theory obligations.

The theory has many important benefits:

- The generic model structures the proof by stating explicitly which definitions must be made (one for each of the members of the abstract representation) and which lemmas need to be proven about these definitions (namely, the theory obligation). This is a substantial improvement over previous microprocessor verifications where these decisions were made on an ad hoc basis.
- The generic model insulates users of the model from complex proofs about the data and temporal abstractions. These proofs are done once and then made available to the user by instantiation.
- The use of a generic interpreter model for specifying and verifying microprocessors provides a methodological approach. Making specification and verification methodological is an important step in turning what has been primarily a research activity into an engineering activity.


## 3 Design Specification

This section describes the lower five levels of the PIU specification hierarchy (Figure 1.3), which constitute the design specification. The discussion proceeds bottom-up, beginning with the gate-level specification of individual ports and finishing up with the clock-level specification for the entire PIU.

The gate-level specification, described in Section 3.1, corresponds to the lowest-level design implemented by the PIU design team. Below this level a silicon compiler provides the translation to the mask layout used for chip fabrication. The specification effort described in this report is not concerned with this translation, which currently falls within the domain of the tool vendor - Mentor Graphics Corporation.

A set of detailed-design schematics was produced by the design team as part of the design process. Unfortunately they are not suitable for this report because, in printed form, many are too small to be understood. Because of this we created our own set of schematics, included in Section 3.1, to accompany the HOL specifications located within the appendices. These schematics are provided as aids to understanding only, since, due to time constraints in developing them, they are not complete nor are they fully accurate.

Sections 3.2 through 3.5 describe, in order, the phase-level specifications for the five ports, the clock-level specifications for the five ports, the port-level structural specification, and the clock-level specification for the entire PIU.

### 3.1 Gate-Level Structure

The gate-level specifications for the five PIU ports use the structural definition style described in [Gor86] and in use throughout the HOL community. Within each port, each component, or block, has its behavior specified in the form of a predicate; in essence, the block behavior is defined to be the relationship between inputs, outputs, and internal states that results in the predicate's being true. The behavior of the composition of these blocks is defined as the logical conjunction of the individual block predicates. Existentially quantified variables are used for the block interconnections internal to the port-level composition.

The gate-level specification for the PIU is much too unwieldy for a detailed coverage in these pages. This section therefore provides only a high-level explanation of the PIU's operation and the HOL models that represent it. References will be made to the appropriate sections of the appendices for the full details.

We begin in Section 3.1.1 with a description of the components used in the PIU design. Fortunately, the design uses only a small subset of the component types available in the silicon compiler library, ranging in complexity from individual logic gates to medium-scale integration (MSI) datapath elements and finite-state machines. Section 3.1.2 explains how the components are combined to form the five PIU ports.

### 3.1.1 Component Descriptions

The HOL models for elementary logic gates follow closely the previous work in this area and we say little about this subject. Modeling sequential logic is more interesting however. Previous sequential models generally depict even the most elementary components as edge-sensitive devices - a flip-flop perspective. However, in the design tool used for the PIU, the elementary sequential component is not edge-sensitive, but rather the level-sensitive latch. Flip-flops are higher order components, consisting of two or more latches. As explained below, the level-sensitive components used in the PIU require a different modeling approach.

### 3.1.1.1 Combinational Logic

The PIU specification requires only a few inverters, AND and OR gates, and buffers from the component library. The specification style used for these components follows that of earlier work and is demonstrated in the AND-gate definition shown here. The theory gates_def in Appendix A contains the complete HOL source for these components.

```
|-def AND3_SPEC a b c z = !t:time. z t = (a t) /\ (b t) /\ (c t)
```

### 3.1.1.2 Latches

The HOL definitions for the latches used in the PIU design are contained in the theory latches_def in Appendix A. In this section we describe the modeling of a simple D latch as an explanation of the HOL models.

The following definition of a D latch demonstrates the specification style that we use for PIU latches. This specification states that the next state q_state (t+1) equals the input d_in t if the clock clk_in t is active, otherwise it equals its current value q_state t. The latch output q_out t equals the new state.

```
|-def DLAT_SPEC d_in clk_in q_state q_out =
    !t:time.
      (q_state (t+1) = (clk_in t => d_in t | q_state t)) /\
      (q_out t = q_state (t+1))
```

Latch behavior is being expressed here as a finite-state machine (FSM), using both a next-state function and an output function. Previous latch models in HOL, where the next-state function was also used for outputs, failed to faithfully represent true latch behavior. To demonstrate why this is true, Figure 3.1(a) shows an example circuit where two latches, in series, are clocked with the same phase of the system clock. To our knowledge, scenarios such as this have not been considered in prior verification work; however, we cannot dismiss them since they occur within the PIU design. Actually, such combinations might be expected in any standard-cell approach to chip design where designers work with predefined cells containing a multitude of latches in fixed locations. There are places in the PIU design, for example, where avoiding these combinations would actually require a more complicated design.

The circuit in Figure 3.1(a) would be incorrectly modeled if latch models containing only the next-state function of DLAT_SPEC were used. This is demonstrated in the HOL code segments of Figure 3.1(b), defining first the behavior of the implementation, including the next state of latch $L 2$ derived from this behavior, followed by a reasonable specification for its required behavior.

The behavior of the implementation (IMP) is a standard composition of individual latch behaviors. The key observation here is that the value of $z$ at time $t+1$ depends on signal values at time $t-1$ (e.g., $a(t-1)$). However, as expressed in the model of required behavior (REQ), in reality the circuit of Figure 3.1(a), when viewing the signal $z$, behaves no differently than a single A-clocked latch does (aside from propagation delay differences not expressed at this level). Therefore, the value of $z(t+1)$ should be a function of signal values at time $t$, not $t-1$. Note that for the general case of $N$ series, same-phase latches, we would have $z(t+1)$ as a function of signals at time $(t-N-1)$; clearly this is not what we want. We note that the source of this problem is the level-sensitive nature of latches, which results in cascaded latches behaving very much like combinational logic; this is not true of edge-sensitive components such as flip-flops.

Revisiting fundamental FSM definitions suggests ways to solve this latch modeling problem. In automata theory texts, such as [Koh78], the next-state and present-output of an FSM are said to be functions of the present-state and present-inputs. Figure 3.2(a) is a pictorial representation of this where the present and next times are denoted by $t$ and $t+1$, respectively. Figure 3.2(b) shows an alternative approach where the inputs and outputs use the time index of the next-state.

(a) Block diagram.

```
IMP = (b (t+1) = phase_A t => a t | b t) /\
      (z (t+1) = phase_A t => b t | z t)

(derived)
z (t+1) = phase_A t =>
            (phase_A (t-1) => a (t-1) | b (t-1)) |
            z t

REQ = (b (t+1) = phase_A t => a t | b t) /\
      (z (t+1) = phase_A t => a t | z t)
```

(b) Relationship between next z and current values, using standard latch model.

Figure 3.1: Two Series Latches Clocked by the Same Phase.

In models of synchronous systems such as FSMs, lower-level issues such as propagation delay are not represented. For a latch, whose time interval is a single clock phase, the present- and next-states correspond to the states at exactly the beginning and end of the phase, respectively. All present-inputs can similarly be assumed to arrive at either the phase beginning or end. Present-outputs are defined in terms of the present-state and -inputs, and are assumed to be transmitted with zero delay. Of course, in reality an input is a present-input only if it satisfies the setup and hold times of the latch with respect to the falling edge (the end) of the clock phase; state changes and output transmissions have propagation delay as well.

With this view of FSM behavior, it is clear that for a formal latch model to be composable in all clocking scenarios it must use the same time index for both its present-inputs and -outputs. This is necessary to permit signal propagation through series-connected, same-phase latches in zero time. In a latch model using only a single FSM next-state function, this function must play the role of the output function as well; thus, the time index of the current-output is $t+1$. If the standard interval representation of Figure 3.2(a) is used, then the input and output time indexes don't match, resulting in the problem explained above. Two obvious solutions are to either use the alternative interval representation of Figure 3.2(b) or else use a second FSM function for the output, matching its time index to that of the input.

Figure 3.2: Interval Representations.

We mention the first solution, using the alternative interval representation, only to point it out as a candidate for future consideration. We currently prefer the second approach, expressed in the model DLAT_SPEC above, since it is consistent with the generic interpreter model described in Section 2.
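The two latch models can be compared by simulation. The following Python is an added example rather than code from the report: it drives the two series latches of Figure 3.1 with a constructed input waveform under the next-state-only model (IMP), under DLAT_SPEC with its separate output function, and against REQ, and it generalizes IMP to $N$ series latches so the growing lag can be observed. The waveforms, the all-zero initial states and the function names are assumptions of this example.

```python
"""Simulation of the two series, same-phase latches of Figure 3.1 under both
latch models (an added example, not code from the report).  The next-state-only
model (IMP in Figure 3.1(b)) makes z(t+1) depend on a(t-1); the FSM model with a
separate output function (DLAT_SPEC) matches the required behavior REQ."""
from typing import List

def dlat_next(q: int, d: int, clk: int) -> int:
    """Next-state function of DLAT_SPEC: q_state (t+1) = clk_in t => d_in t | q_state t."""
    return d if clk else q

def dlat_out(q_next: int) -> int:
    """Output function of DLAT_SPEC: q_out t = q_state (t+1), a zero-delay output."""
    return q_next

def series_standard_model(a: List[int], clk: List[int], n: int = 2) -> List[int]:
    """IMP: n series latches where each latch's output *is* its state, so latch i
    sees the value latch i-1 stored one tick earlier.  Returns z(0..T)."""
    q = [0] * n                         # constructed initial states, all 0
    zs = [q[-1]]
    for t in range(len(a)):
        d = [a[t]] + q[:-1]             # latch i is driven by the state of latch i-1
        q = [dlat_next(q[i], d[i], clk[t]) for i in range(n)]
        zs.append(q[-1])
    return zs

def series_fsm_model(a: List[int], clk: List[int]) -> List[int]:
    """DLAT_SPEC composition: L2 is driven by b t = q1(t+1), the same time index
    as its own input, so a propagates through both latches in zero time.
    Returns the L2 state stream q2(0..T)."""
    q1 = q2 = 0
    q2s = [q2]
    for t in range(len(a)):
        q1 = dlat_next(q1, a[t], clk[t])
        q2 = dlat_next(q2, dlat_out(q1), clk[t])   # b t = q_out of L1 at time t
        q2s.append(q2)
    return q2s

def series_required(a: List[int], clk: List[int]) -> List[int]:
    """REQ: the pair behaves like one A-clocked latch, z(t+1) = clk t => a t | z t."""
    z = 0
    zs = [z]
    for t in range(len(a)):
        z = dlat_next(z, a[t], clk[t])
        zs.append(z)
    return zs

# Constructed sample waveforms: input a and the phase-A clock over eight ticks.
A = [1, 0, 1, 1, 0, 0, 1, 0]
PHASE_A = [1, 0, 1, 0, 1, 0, 1, 0]

if __name__ == "__main__":
    print("REQ      ", series_required(A, PHASE_A))
    print("IMP      ", series_standard_model(A, PHASE_A))   # trails REQ
    print("DLAT_SPEC", series_fsm_model(A, PHASE_A))        # equals REQ
```

With the sample waveforms, the L2 state under DLAT_SPEC equals REQ tick for tick, while z under IMP trails it by one clock phase; with three latches and a continuously active clock, IMP passes a value of a through to z only after two further ticks, which is the cascading delay the text warns about.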

### 3.1.1.3 Flip-Flops

HOL definitions for the flip-flops used in the PIU design are contained in the theory ffs_def of Appendix A. In this section we describe the modeling of a simple D flip-flop as an explanation of the HOL models.

Flip-flops are built out of latches as in the example phase-A-clocked D flip-flop shown in Figure 3.3. In this model inputs arriving at the flip-flop during phase B are latched on the falling edge of B. The new flip-flop output is available at the beginning of phase A and remains stable for an entire clock period. From an edge-triggered point of view this flip-flop is seen to be clocked on the rising edge of phase A.

It is an interesting side note that in discussions with the PIU designers it became clear that their view of flip-flop behavior is somewhat different from the perspective that we employ. For example, if asked to choose which of the two latches in the flip-flop model of Figure 3.3 represents the true state of the flip-flop, the designers say latch L2 and we say L1. This difference is easy to understand given the modeling environments that each group uses, and it turns out that the FSM-based specification approach embodied in Figure 3.3(b) provides a perspective to help reconcile these two viewpoints.

The PIU designers view latch L2 as the important one because it is the only one directly visible to them during simulation. All flip-flop changes occur on the rising edge of L2's clock (phase A) and the flip-flop is stable otherwise. From this perspective the purpose of latch L1 is only to ensure the edge-triggered nature of the flip-flop by restricting possible flip-flop output values to those inputs arriving before phase A rises.

As formal verifiers we view L1 as the important latch because it is clocked by phase B, the last phase in the clock cycle. This is important when we make the jump in abstraction from the phase level to the clock level and wish to eliminate one of the two state variables associated with these latches (data abstraction). As a general rule it is best to keep the latch with the most up-to-date state among the candidates for elimination; otherwise updated state will not be carried forward to the next clock cycle when the model is symbolically executed. From this perspective latch L1 contains the essential state of the flip-flop of Figure 3.3 and L2 serves only to control the time at which the new flip-flop state is made externally visible.

(a) Functional block diagram.

```
DFF_SPEC d_in phase_A stateA stateB q_out =
  ∀ t:time.
    (stateB (t+1) = ((~(phase_A t)) => d_in t | stateB t)) ∧
    (stateA (t+1) = ((phase_A t) => stateB t | stateA t)) ∧
    (q_out t = stateA (t+1))
```

(b) HOL representation.

Figure 3.3: Example D Flip-Flop Constructed With Latches.

At the clock level of abstraction we model the state of a flip-flop as the contents of its phase-B latch and embed the behavior of the phase-A latch within the flip-flop output. This FSM-based approach is also compatible with the PIU designer perspective if we take a commonly-used black box view of fundamental components such as flip-flops. In such an approach, only the inputs and outputs of these components are visible to an outside observer during simulation; the internal state is hidden.
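The flip-flop model of Figure 3.3 and the clock-level view just described, run as a brute-force check in Python. This is an added illustration, not the report's HOL; it assumes boolean traces indexed by phase number, a clock cycle consisting of phase A followed by phase B, and a latch that outputs its next state with zero delay, as the q_out clause of DFF_SPEC does.

```python
"""Executable check of the D flip-flop model of Figure 3.3 and of its
clock-level abstraction.  Added illustration, not the report's HOL
(ffs_def, Appendix A).  Assumed: boolean traces indexed by phase; a clock
cycle is phase A followed by phase B (phase_A = T,F,T,F,...); a latch
outputs its next state with zero delay, as DFF_SPEC's q_out does."""
from itertools import product

BITS = (False, True)


def dlat_spec(d_in, clk, state, q_out):
    """Latch predicate: load d_in while clk is high, hold otherwise, and
    output the next state with the same time index as the input."""
    return all(state[t + 1] == (d_in[t] if clk[t] else state[t])
               and q_out[t] == state[t + 1]
               for t in range(len(d_in)))


def dff_spec(d_in, phase_A, stateA, stateB, q_out):
    """Direct transcription of DFF_SPEC from Figure 3.3(b)."""
    return all(stateB[t + 1] == (stateB[t] if phase_A[t] else d_in[t])
               and stateA[t + 1] == (stateB[t] if phase_A[t] else stateA[t])
               and q_out[t] == stateA[t + 1]
               for t in range(len(d_in)))


def composed_latches_match_dff(n):
    """Structural view: L1 clocked by ~phase_A feeding L2 clocked by
    phase_A, with the internal node existentially quantified.  True when
    the composition and DFF_SPEC agree on every trace of n phases."""
    for d_in, phase_A, q_out in product(product(BITS, repeat=n), repeat=3):
        not_A = tuple(not a for a in phase_A)
        for stateA, stateB in product(product(BITS, repeat=n + 1), repeat=2):
            composed = any(dlat_spec(d_in, not_A, stateB, node)
                           and dlat_spec(node, phase_A, stateA, q_out)
                           for node in product(BITS, repeat=n))
            if composed != dff_spec(d_in, phase_A, stateA, stateB, q_out):
                return False
    return True


def simulate_dff(d_in, phase_A, stateA0=False, stateB0=False):
    """Functional form of DFF_SPEC: the unique stateA, stateB and q_out
    traces for the given inputs and initial latch contents."""
    stateA, stateB, q_out = [stateA0], [stateB0], []
    for t, (d, a) in enumerate(zip(d_in, phase_A)):
        stateB.append(stateB[t] if a else d)          # L1 loads during phase B
        stateA.append(stateB[t] if a else stateA[t])  # L2 loads during phase A
        q_out.append(stateA[t + 1])                   # output embeds L2
    return tuple(stateA), tuple(stateB), tuple(q_out)


def dff_clock_spec(d_clk, state_clk, q_clk):
    """Clock-level model: one time unit per 2-phase period; only the
    phase-B latch (L1) survives as state, L2 has been abstracted away."""
    return all(state_clk[c + 1] == d_clk[c] and q_clk[c] == state_clk[c]
               for c in range(len(d_clk)))


def phase_to_clock(d_in, stateB, q_out):
    """Assumed abstraction map: cycle c spans phases 2c (A) and 2c+1 (B).
    Input is what L1 sees during phase B, state is L1 at the cycle start,
    output is sampled during phase A (it is stable through phase B too)."""
    cycles = len(d_in) // 2
    d_clk = tuple(d_in[2 * c + 1] for c in range(cycles))
    state_clk = tuple(stateB[2 * c] for c in range(cycles + 1))
    q_clk = tuple(q_out[2 * c] for c in range(cycles))
    return d_clk, state_clk, q_clk


def clock_abstraction_holds(cycles):
    """Every phase-level input trace of the given length, from every
    initial latch state, abstracts to a trace satisfying dff_clock_spec."""
    n = 2 * cycles
    phase_A = tuple(t % 2 == 0 for t in range(n))
    for d_in in product(BITS, repeat=n):
        for sA0, sB0 in product(BITS, repeat=2):
            stateA, stateB, q_out = simulate_dff(d_in, phase_A, sA0, sB0)
            if not dff_spec(d_in, phase_A, stateA, stateB, q_out):
                return False
            if not dff_clock_spec(*phase_to_clock(d_in, stateB, q_out)):
                return False
    return True


if __name__ == "__main__":
    # Constructed trace: a 1 presented during phase B of cycle 0 appears at
    # q_out from the start of cycle 1, i.e. on the rising edge of phase A.
    print(simulate_dff((True, True, False, False), (True, False, True, False)))
    print(composed_latches_match_dff(2), clock_abstraction_holds(3))
```

The initial content of L2 never influences the abstracted trace, which is why the phase-A latch can be dropped as a state variable at the clock level.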

### 3.1.1.4 Counters

Counters are implemented as flip-flops surrounded by increment/decrement and selection logic. All of the counters used in the PIU design are functionally of the form of the example in Figure 3.4 - incrementing is performed within the output stage rather than the input stage. The HOL source for all PIU counters is contained in the theory counters_def of Appendix A.

The inputs ld_in and up_in control the operation of this counter. If ld_in is active then the input d_in is loaded into the counter; otherwise the current value, incremented or not according to the up_in input, is reloaded. The input up_in also controls the value output by the counter.

### 3.1.1.5 CTR Datapath Block

The PIU R_Port contains two 64 -bit counters implemented using a total of four 32-bit CTR datapath blocks. The CTR datapath blocks are themselves built from lower-level components of the compiler library, but we treat them as primitives here since they are used directly in the R_Port specification. The HOL source for the CTR datapath block is contained in the theory datapaths_def of Appendix A.

Figure 3.5 shows the functionality of the CTR datapath block. It behaves much like the counter of the previous section, but with additional features such as provisions for carry-in and carry-out and multiple output ports.


Figure 3.4: Functional Block Diagram of a Counter.


Figure 3.5: Functional Block Diagram of the CTR Datapath Block.

Of the 11 latches in this model, the one best representing the counter value is L4, holding the value ctr. Latch L2 contains the load-input, controlling whether a new value is loaded or the updated counter value is reloaded. Latches L1 and L8 hold these two values, respectively. Latches L5 and L6 hold values controlling the incrementer itself. For the top half of the 64-bit counters, L6 contains the carry-in from the lower half. Latch L7 holds the carry-out from the counter. Latches L9 and L10 implement a flip-flop holding the updated counter value for possible output. The two latches L3 and L11 control the writing of latch values onto Bus_A, from the input side and output side, respectively.

### 3.1.1.6 ICR Datapath Block

The R_Port contains a single Interrupt Control Register (ICR) implementing memory-mapped interrupts for the local processor. The HOL source for this block is located in the theory datapaths_def of Appendix A.

Figure 3.6 shows a functional block diagram of this block. The true ICR value is located in the flip-flop implemented by latches L4 and L5. The flip-flop implemented by L1 and L2 holds the ICR value fed back using Bus_A. Latch L3 holds a mask-adjustment value that resets or sets individual mask bits according to the value of input icr_select. Latch L6 controls the writing of values onto Bus_A, either as part of an ICR read by an external processor or for the feedback mentioned above.


Figure 3.6: Functional Block Diagram of the ICR Datapath Block.

### 3.1.1.7 CR Datapath Block

The R_Port contains two control registers (CRs), called GCR (for General Control Register) and CCR (for Communications Control Register). The HOL source for the CR datapath block is located in the theory datapaths_def of Appendix A.

Figure 3.7 shows a functional block diagram of the CR datapath block. In comparison with the previous two datapath blocks, this one is relatively simple, containing a single latch (L1) to hold a loaded 32-bit value and a latch (L2) to control the writing of this value onto Bus_A. The second output port, always enabled, provides the CR bits to the PIU subsystems controlled by the control register.


Figure 3.7: Functional Block Diagram of the CR Datapath Block.

### 3.1.1.8 SR Datapath Block

The R_Port contains a single Status Register (SR) that may be read by an external processor. The HOL source for the SR datapath block is located with the previous datapath blocks in the theory datapaths_def of Appendix A.

Figure 3.8 shows a functional block diagram of this datapath block. Inputs provided by several subsystems of the PIU are collected and stored in latch L1; latch L2 controls the writing onto Bus_A.

### 3.1.1.9 Finite-State Machines

Finite-state machine (FSM) modules are used in every PIU port to control the sequencing of port operations. Each FSM module has the structure shown in Figure 3.9. FSM inputs are loaded during phase B, as is the fed back present-state. Combinational logic implements the next-state and output functions, whose results are loaded into the output latches during phase A for transmission to the external system.


Figure 3.8: Functional Block Diagram for the SR Datapath Block.

### 3.1.2 Block Diagram Descriptions

To simplify the PIU specification task, we augmented the set of compiler-library components just described with several logic-blocks built of more-primitive components. Two guidelines were followed in constructing these superblocks. First, instances of multilevel logic were converted into equivalent behavioral descriptions. Secondly, memory elements holding multibit words were sometimes grouped into single blocks to facilitate modeling with our array-access functions. Together, these steps greatly decreased the number of components in the gate-level description of the PIU with a risk of introducing modeling error that we consider to be low.


Figure 3.9: Functional Block Diagram for Finite-State Machines.

Creating superblocks also has the beneficial side effect of simplifying our description of the five PIU ports. Even so, the complexity of the resulting specification remains formidable and a fully-detailed pictorial description of the PIU structure is beyond the scope of this report. The HOL descriptions in Appendix B should be considered the gate-level specification for the five PIU ports; the descriptions in this section are intended only to provide insight so that the HOL is more easily understood. Although considerable care has gone into the construction of these descriptions, they are not complete and contain minor inaccuracies as well.

The ports are described in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont, in the following five subsections.

### 3.1.2.1 P_Port Structure

The top-level block diagram of the P_Port, shown in Figure 3.10, describes the partitioning of the P_Port into two subblocks: datapath and controller. These are further broken down in the two figures that follow Figure 3.10.


Figure 3.10: P_Port Top-Level Block Diagram.

The P_Port Datapath, shown in Figure 3.11, consists mainly of latches to hold L_Bus-sourced information and tristate buffers for driving the L_Bus and I_Bus. Read from top to bottom, the latch contents are: 32 -bit data, the 26 least significant address bits, the most significant address bit, the 4 -bit byte enables, and the write/read bit, all sourced by the local processor. All control signals are provided by the P_Port Controller.

The P_Port Controller is shown in Figure 3.12. The FSM block implements the I_Bus protocol and supports atomic memory accesses by the local processor. The other blocks support the FSM by encoding information received from the two adjacent buses and by handling some of the control-signal generation.

The Req_Inputs block implements the setting and resetting of the P_rqt latch, based on new-transaction requests and transaction-completed messages received from the L_Bus and I_Bus, respectively. An active-high P_rqt indicates a pending or in-progress L_Bus transaction.

The Ctr_Logic block keeps track of the number of words remaining in the current transaction so that the slave port can be notified when the last word is being accessed.


Figure 3.11: Block Diagram of P_Port Datapath.

The Lock_Inputs block and associated latches provide support for handling atomic operations. The P_lock_ latch holds the most recent valid lock signal provided by the local processor. The FSM implements memory locking by locking the I_Bus.

### 3.1.2.2 M_Port Structure

The top-level structure of the M_Port is shown in Figure 3.13. It has the same form as the P_Port, containing a single datapath block and a single controller block. These are described further in the two figures following Figure 3.13.

Figure 3.14 shows the structure of the M_Port datapath. On the left is the interface to the M_Bus. The EDAC_Decode_Logic block performs a Hamming decode on the 56-bit data received from the M_Bus, while the Enc_Out_Logic block encodes 32-bit data for writing onto the M_Bus.

The Read_Latches block stores the 32-bit decoded data word read from memory. The Mux_Out_Logic block selects bytes from this stored value or else the word currently on the I_Bus for writing onto the M_Bus. The stored bytes are written back as part of a read-modify-write implementation of byte-write operations.


Figure 3.12: Block Diagram of the P_Port Controller.


Figure 3.13: M_Port Top-Level Block Diagram.


Figure 3.14: Block Diagram of the M_Port Datapath.

The M_Port controller is shown in Figure 3.15. The left side of the figure is the I_Bus interface. The SE_Logic block determines whether a memory access is to SRAM memory or to EEPROM memory, based on the memory address. It drives the appropriate chip-select signal based on this determination.

The WR_Logic block determines whether a memory access is a read or write and provides this information to the rest of the M_Port. The Addr_Ctr block and BE_Logic block store the memory address and byte enables, respectively, for the word being accessed.

The Rdy_Logic, Ctr_Logic, and Srdy_Logic blocks together implement most of the I_Bus protocol for the M_Port, which consists mainly of controlling the value of the I_srdy_ signal transmitted back to the I_Bus master. The 2-bit counter in Ctr_Logic implements variable wait-states for the SRAM and EEPROM memory.

The FSM block provides high-level control of the memory interface. It sequences through a series of states, depending on the type of memory transaction, and provides output signals mainly used by the Enable_Logic block to implement the control of the M_Port datapath. The FSM also directly controls bus enabling for the I_Bus.

The Memparity_In_Logic block and its associated latch store the error status for memory accesses. The output MB_parity is transmitted to the R_Port where it is stored in the Status Register.


Figure 3.15: Block Diagram of the M_Port Controller.

### 3.1.2.3 R_Port Structure

The R_Port top-level block diagram is shown in Figure 3.16. Of the five major blocks shown there three are described further in the figures that follow Figure 3.16. The Register File block is not broken down further since it consists entirely of the datapath blocks described in Sections 3.1.1.5 through 3.1.1.8. There are four CTR blocks implementing two 64-bit counters, one ICR block, two CR blocks implementing the GCR and CCR, and one SR block.

The Bus Interface block represents the multiple tristate buffers that potentially drive the Bus_A node of the R_Port. This block is similar to the approach used to model buses described in [Joy90].

The Register File Controller is shown in Figure 3.17. The Wr_Lat block determines whether a register access is a read or write and provides this information to the rest of the R_Port. The FSM block is a simple 3-state state machine providing high-level control of the register accesses and I_Bus interface. The RW_Sigs block encodes the FSM output to implement this control.

The Reg_Sel_Ctr block contains a 4-bit counter holding the register number for the current access. The R_srdy_del_ latch value is used to increment the counter on multiword accesses. The Reg_File_Ctl block decodes the register address to create most of the control signals needed by the register file.

Figure 3.16: R_Port Top-Level Block Diagram.

The Timer Interrupt Block is shown in Figure 3.18. It consists of two identical sub-blocks, each implementing the interrupt logic for one of the two 64-bit counters.

The latches R_c01_cout and R_c23_cout hold the carry-out values of the two counters. The Cir_Int-Logic blocks use this information and several bits of the GCR to determine whether the timer interrupts should be enabled or not. The two interrupt outputs, Int1 and Int2, are active-high signals sent to the local processor.


Figure 3.17: Block Diagram of Register File Controller.


Figure 3.18: Block Diagram of the Timer Interrupt Block.
Figure 3.19 shows the structure of the Register Interrupt Block. The And_Tree block receives the 32-bit ICR value, consisting of 16 interrupt-set bits and 16 mask bits. Half of these bits are dedicated to interrupt Int0_ and half to Int3_. If an interrupt-set bit and its associated mask bit are simultaneously active-high, then the appropriate latch, R_int0_en or R_int3_en, is loaded with a logic 1.


Figure 3.19: Block Diagram of the Register Interrupt Block.

### 3.1.2.4 C_Port Structure

The C_Port top-level structure is shown in Figure 3.20, minus the complicated external interfaces. The C_Port controller is divided into two subunits because of its large size. Because we could not identify a logical partitioning, we simply divided the existing schematic down the center, creating a left half and a right half, controllers A and B, respectively.

Figure 3.20: C_Port Top-Level Block Diagram.

Figure 3.21 shows the C_Port datapath block diagram. The right side of the figure shows the interface between the I_Bus and the C_Bus. The Parity_Decode_Logic block decodes the 18-bit parity-encoded data received from the C_Bus data lines. It outputs 16-bit data and a single-bit error-detection flag.

Figure 3.21: Block Diagram of the C_Port Datapath.

The CB_In_Latches block stores the messages received from the C_Bus. This information consists of transaction header information, address, and data. The BE_Out_Logic block outputs the byte enables onto the I_Bus. The CB_Out_Logic block parity-encodes data for transmission onto the C_Bus.

On the left side of the figure, the Grant_Logic block implements the C_Bus arbitration. The Addressed_Logic block determines whether this PIU is being addressed by the C_Bus master. The D_Writes_Logic block determines whether this PIU is an active channel or not; if not then it prohibits memory accesses using the Disable_writes output. The Parity_Signal_Inputs block controls the setting and resetting of the C_parity latch, whose output, CB_parity, is transmitted to the R_Port SR.

Part (A) of the C_Port controller is shown in Figure 3.22. The two state machines, Master FSM and Slave FSM, implement the C_Bus protocol from the master and slave perspectives, respectively. The Srdy FSM controls the enabling of I_Bus slave signals transmitted by the C_Port.

The Last_Logic block and the latches holding C_lock_in_ and C_last_in_ preprocess the I_lock_ and I_last_ I_Bus signals received from the P_Port. The Hold_Logic block and the latches holding C_last_out_ and C_hold_ process the I_last_ and I_hold_ signals transmitted over the I_Bus. The Cout_Sel_Logic block determines which 16-bit word is to be transmitted over the C_Bus and provides selection signals to the datapath to control this.


Figure 3.22: Block Diagram of the C_Port Controller (Part A).

Figure 3.23 shows part (B) of the C_Port controller. The DP_Ctls PLA block converts output signals from both the master and slave state machines of part (A) into control signals for the datapath. The latches at the output of this block, as well as the Cout_l_Le_Logic block, provide further processing for the datapath, primarily to control the enabling of the datapath latches.

The CBss_Out_Logic block and the CBms_Out_Logic block determine the master-status and slave-status, respectively, for C_Bus transactions. The Srdy_In_Logic block decodes the slave-status input from the C_Bus to determine whether the slave is ready for the next transaction.

The Rdy_Logic block, the ISrdy_Out_Logic block, and intervening latches implement the generation and transmission of the I_srdy_ signal to the I_Bus. The Iad_En_Logic block controls the enabling for address and data transmissions over the I_Bus.

The Pe_Cnt_Logic block controls the enabling of parity-error counting within the datapath.


Figure 3.23: Block Diagram of the C_Port Controller (Part B).

### 3.1.2.5 SU_Cont Structure

The SU_Cont structure is divided into the two subsections shown in Figures 3.24 and 3.25. The first figure shows mainly the blocks that interact with the other ports within the PIU, while the second shows mainly those that interface with the local processor.

The FSM block in Figure 3.24 controls the initialization process. It sequences through states that successively reset and test CPU0, reset and test CPU1, then select and initialize the active mission processor. It uses the output of the 18 -bit counter block, via the Muxes block, to control its time duration in many of its states. The Delay_In block processes the input signals for the counter block.

The Dis_Int_Out block determines and then transmits reset signals and various disable signals to the other ports.

The blocks Scnt_In, Scnt_In1, the 3-bit counter block, and the intervening latches support the software-based acceptance test of each processor. The output S_Soft_Cnt contains the number of instances that the local processor writes a specific pattern to the General Control Register in the R_Port. If not equal to a specific bit pattern, this counter value indicates a failed acceptance test.


Figure 3.24: Block Diagram of the Startup Controller PIU-Port Interface.

Figure 3.25 shows the SU_Cont blocks that interact mainly with the local processor. The Cpu_Ok block and the Fail_In block together control the loading of four latches holding failure-status information. The Cpu_Ok block uses the S_Soft_Cnt signal just discussed and the Failure_signals from the local processors. The latch outputs are transmitted to the R_Port where they are stored in the Status Register.

The Bad_Cpu_In block controls the loading of two latches holding processed failure status of the two local processors. These latch outputs are used, together with FSM block outputs, in the misc logic block to control the loading of two other latches. These latch outputs are used to maintain the local processors in a reset or nonreset state, as appropriate.

### 3.2 Port Phase-Level Behavior

The phase-level specification for each PIU port is a behavioral abstraction of the corresponding gate-level structure. Each port is defined in terms of a 2-instruction instruction set, corresponding to the behavior occurring during each of the two clock phases. Each instruction is itself represented using two functions, defining the next-state transition and the output. Consistent with the generic interpreter model, the states and outputs for the ports are represented as $n$-tuples.


Figure 3.25: Block Diagram of the Startup Controller CPU Interface.

Appendix C contains the HOL phase-level specification. The ports are presented in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont, in Sections C.1 through C.5, respectively. Within each section the next-state function for phase A is presented first, followed by the output function for phase A, and the next-state and output functions for phase B.

### 3.3 Port Clock-Level Behavior

The clock-level specification for each PIU port is both a temporal abstraction and a data abstraction of the corresponding phase-level specification. Here the unit of time is an entire 2-phase clock period, rather than a single phase. Data abstraction is achieved by eliminating state variables representing certain latch values. Usually the eliminated latches are part of edge-triggered devices, such as flip-flops and counters, and are clocked on phase A.

In contrast to the phase level, where the choice of instruction set is dictated by the number of clock phases, the choice at the clock level is much more subjective. For example, only a single instruction is really necessary to capture the behavior of the ports. This would provide the most concise description of behavior at the cost of providing the least understandable description. At the opposite extreme, the ports could be specified using an instruction set with millions of very simple and easy-to-understand instructions. However, verifying such a large instruction set would be infeasible, as would the mere goal of trying to print their descriptions.

Instruction sets provide the human interface to state-transition system behavior. Their existence implies an instruction selection capability such as that provided by the select function of the generic interpreter model. Often this functionality is referred to as instruction decoding, and the proper choice of this function (i.e., of the instruction set itself) is important for any specification attempting to provide a human-understandable yet concise description of behavior.

By their very nature, microprocessor instruction sets at the macro and microcode levels must be straightforward to specify since they provide the programming interface for the microprocessor. However, since the PIU was never intended to be programmed, nor is it microcoded, (clock-level) instruction set elegance received little consideration from the PIU design team. As a result, a clock-level instruction set for each port in which each instruction specifies a single well-defined action would require many tens of individual port-level instructions. The composition of these port-level instructions would require many tens or hundreds of PIU-level instructions, requiring many thousands of pages to even print; verifying these instructions would be an enormous undertaking.

Based on these considerations, we have abandoned our earlier efforts to define human-friendly instruction sets at the clock level. Instead we have opted for practicality and we specify clock-level behavior using a single instruction for each port. Each port instruction has two parts, a next-state function and an output function, defining the next state and output under all operating conditions. Sections D.1 through D.5 of Appendix D contain the HOL specification for this level.

### 3.4 PIU Port-Level Structure

The PIU port-level structure is a structural composition of the five clock-level port specifications. We have used the standard approach to structural composition in which component-defining predicates are logically ANDed to form the composite behavior. Existentially-quantified variables are used for component outputs remaining internal to the composed system. Appendix E contains the HOL specification for this level.

### 3.5 PIU Clock-Level Behavior

Appendix F contains the HOL specification for the PIU clock-level behavior. As with the individual ports, the clock-level behavior of the entire PIU is represented using only a single instruction consisting of a next-state function and an output function.

## 4 Models for Transaction Specification

This section describes the work undertaken to determine the most appropriate model for specifying the top level of the Processor Interface Unit (PIU).

### 4.1 Introduction

To complete the specification of the PIU, a top-level specification of the required behavior of the PIU must be written. This behavioral model should describe the actions of the device with respect to its environment and internal state.

The PIU is essentially a bus controller. However, there are some differences: the PIU contains special features for fault tolerance and dependability, such as an encoding of words sent to memory for error correction and the ability to select between two processors depending on the results of a power-on self test.

Our goal is to model each of the concurrent portions of the PIU individually using an interpreter (as discussed in Section 2) and to show that a composition of these interpreters entails the behavior of a more abstract model. At first, we believed that the composite behavior of the PIU could be described using the interpreter model as well. However, we found that the high-level behavior of a device such as the PIU is not easily modeled as an interpreter.

An interpreter is a computational device with one major control point. That is, one of a set of instructions is chosen based on the current state and that instruction is used to process the state; following the execution of the instruction, the process begins anew. While interpreters describe many interesting devices, the model is too restrictive to describe the PIU.

There are at least three aspects of the intended behavior of the PIU that make it difficult to describe using existing techniques:

- The feature of a bus controller that causes the greatest difficulty in using an interpreter model to describe it is its concurrency: a bus controller does many things at once. For example, most bus controllers contain timers that, in conjunction with an on-board interrupt controller, can interrupt the CPU. These timers operate concurrently with other portions of the bus controller, such as memory and network operations.
- A typical top-level specification of the PIU might include the memory subsystem because this corresponds to the CPU's view of the PIU (see the next section for a more complete discussion of this). This shared state between the PIU and other devices makes description using an interpreter model difficult.
- The outputs of the PIU do not correspond on a one-to-one basis with the inputs; there is a many-to-one relationship between the outputs and inputs. The interpreter model assumes that the output at a particular time is described by a function on the current state and environment. The PIU may make several outputs in sequence because of a single input request (a block memory read request is a good example).
In exploring possible models for use in describing the behavior of hardware devices such as bus controllers, we were concerned with the following issues:
- The notation and semantics should be amenable to embedding and automation in an automatic theorem prover such as HOL.
- The model and notation should be sufficiently general to allow a large number of interesting devices to be described.
- The model and notation should be sufficiently defined to allow a rich set of theorems to be proven about it in isolation of any particular application.


Figure 4.1: The view from the CPU.

### 4.2 Abstract Views

Before exploring specific notations for describing the PIU, we consider some of the features of the PIU that make its behavioral specification interesting. These abstract views contribute to the understanding necessary to specify its operation. In general, the behavior of the PIU can be looked on as a combination of behaviors from different viewpoints: that of the CPU, the network, and the memory. In order to simplify the discussion that follows, we will ignore certain behaviors of the PIU. In particular, we will assume that the start-up processor is finished and that the PIU is in steady-state operation.

Figure 4.1 shows the abstract view of the PIU from the CPU. In this view, the CPU sees the combination of the PIU, Network, and Memory (PNM) as a monolithic address space. Similarly, interrupt signals can be viewed as coming to the CPU from this abstract object rather than the individual components.

In the CPU view, when the CPU issues a read request to the PNM, the PNM responds with the information located at the virtual address given by the CPU. The actual location of the requested data, that is, whether it resides in local memory, remote memory, or a register in the PIU, is abstracted away. Similarly, when the CPU issues a write request, it does not know whether the request will update local memory, remote memory, or a register in the PIU.

Of course, inside the CPU view, the PIU either responds to requests from the CPU itself, or by issuing other requests to the network or the memory. Specifying what requests the PIU makes to other devices in response to a request from the CPU can be viewed as a specification of the implementation of the PNM. Another way of viewing these requests is that they will be specified in the other views of the system. The latter is the method we employ.

Figure 4.2 shows the view from the memory. The memory can be viewed as a processor, albeit a simple one. In the memory view, the PIU/CPU/Network abstraction (PCN) makes memory read and write requests and the memory responds appropriately. Because the memory device is simple, it makes no requests of the PCN itself, but only responds to requests.

The fact that some of these requests originated with the CPU and others with other hosts on the network is abstracted away. Inside the PCN abstraction, of course, the requests to the memory are originating with the CPU or the network and after some processing by the PIU (such as error correction encoding and decoding) are being passed on. The relationship between requests from the CPU and the network do not necessarily correspond on a one-to-one basis with the requests sent to the memory. A single request from the CPU may result in many requests to the memory.

Figure 4.2: View from the Memory.

Figure 4.3 shows the view of the PIU from the perspective of the network. In this view, the PIU, memory, and CPU are abstracted into a single object (PMC). This is, perhaps, the most complex abstraction. The network makes requests of the PMC and the PMC makes requests of the network. These requests are primarily memory read and write requests.

The problem with the views presented in Figures 4.1-4.3 is that the abstractions include the behavior of the CPU, network, and memory. Our goal is to specify the behavior of the PIU independent of the devices to which it is connected. Each of these views can be thought of as a specification of the abstract interface to one portion of the PIU. As Figure 4.4 shows, we can superimpose the specifications on one another. The union of the PNM, PCN, and PMC specify the behavior of the entire unit. Their intersection, denoted by the shaded area, is meant to represent the behavior that is specific to the PIU.


Figure 4.3: View from the Network.


Figure 4.4: Abstraction Views for the PIU.

While we feel that this is a good way to think about the behavior of the PIU in abstract, we are not convinced that it is an appropriate method of specifying the behavior of the PIU. Before such a decision can be made, we will need to do further work. Primarily, we would like to attempt to model the specification of a small device in this way and evaluate the specification for readability and ease of use in verification.

### 4.3 Representing Transaction Systems

The last section discussed the specification of the abstract interfaces of the PIU, but ignored the details about how those specifications would be written. We talked abstractly about transactions between the PIU and other system components, but the question remains of how to represent those transactions.

One of the difficulties of representing the PIU was touched upon in the last section. If we were only faced with the problem of representing a transaction system such as the PNM (PIU, network, and memory abstraction), the problem would be much simpler. The model would consist of a set of response functions associated with incoming transactions. For each incoming transaction, the response function would update the state of the system and generate an outgoing response based on the current value of the state.

In the model shown in Figure 4.4, the PIU is not a transaction system, but a transaction translation system. The PIU cannot generate a response until it issues requests of its own and receives answers to those requests. In addition, there may be state internal to the PIU that needs to be updated and affects the response.

The ultimate goal of the work presented in this report is not to just specify the PIU, but to verify that specification against a lower-level specification. This goal creates several criteria that limit our choice of notation for the behavioral specification:

1. The notation must be capable of specifying concurrent operations of the PIU.
2. The notation must be capable of describing the PIU independent of the other devices to which it might be attached (i.e., the state of those devices should not be a necessary part of the PIU specification).
3. The notation must allow a many-to-one relationship between outputs and inputs.
4. The final specification must be concise and readable. We would like to be able to look at the specification and capture some overall feeling for what it means. Without this level of abstraction, it is very difficult to determine whether the specification is correct or not.
5. The notation must have, or be amenable to building, a collection of theorems about it so that we can reason about the specification and its relationship to the lower-level implementations.
6. The notation must be mechanizable and, since our verification system of choice is HOL, be representable in the HOL logic.
There are a number of candidate notations:
1. We could attempt to represent the transactions in HOL without resorting to any specific notation (i.e., raw HOL). We consider the generic interpreter theory (GIT) to be a representation of one kind of computational object in raw HOL. The use of raw HOL to represent transactions implies that we would build a model similar to the GIT, but capturing the abstractions envisioned in the previous section.
The advantages of this approach are that the model is likely to be tailored to the structure of the PIU more closely than with the other approaches. This means that the meaning of the specification may be clearer. Our experience with the GIT has shown us that abstract models built in HOL can be a fruitful avenue of exploration because they yield a great deal of information to aid in understanding the structure at hand. These models lend a structure to the specification and verification task that is usually not there otherwise; the model states explicitly what definitions must be made to complete the specification and which lemmas need to be proven to complete the verification.
The disadvantages of using raw HOL are that the model of a transaction system would have to be built and useful theorems about this model would have to be proven. This task is usually more easily done when at least one concrete specification of the type being modeled has been built. This prototype specification serves to guide the model development.
2. We could use temporal logic. The primary benefit of temporal logic is that transactions entail describing and reasoning about actions that will occur in the future because of something that occurs now. For example, when the CPU sends a memory read transaction to the PIU, this creates an obligation in the PIU to respond to the request in the future. In between receiving the request and answering it, the PIU would engage in a number of transactions with the network, memory, or both.
The primary advantage of temporal logic is that there has been much work in the area and it has been successfully used to model hardware devices in other specification efforts.
The disadvantage is that it is as general as any other general purpose logic and thus, while expressive, would not serve to structure the specification.
3. We could use a well-developed process algebra [Hen88, Hoa85, Mil89a, Mil89b, Mil89c]. Milner [Mil89a] presents a calculus of communicating concurrent processes called CCS; CCS is perhaps the best known process algebra. In process algebras, the specification concentrates on the communication between processes. The specification of the PIU would entail a specification of the events that occur and the events that follow from them.
There are several advantages to using a process algebra. Process algebras are well understood and there are several popular ones from which to choose. This implies that there are also a great many theories developed and ready for use in a proof effort. To the extent that deduction rules and theorems about the process algebra can be mechanized in HOL, the job of proving properties of the specification will be eased. Indeed, several of the most popular process algebras have been mechanized in HOL and are available for use [Sch91, Cam89, Mel91]. These mechanizations are in various states, so the amount of effort in using one is difficult to predict.
The disadvantages are similar to those of temporal logics. We fear that the specification will be largely free-form because of the generality of the specification language and thus not structure the problem enough to make the specification and verification methodical.
4. We could use a formal model of a coordination language such as LINDA [But91] to model the actions of the system. In this model, the PIU, CPU, memory, and network are modeled as communicating in a common area called tuple space. Figure 4.5 shows how this would look. In this model, the PIU writes to and reads from tuple space along with the other devices in the system. We can think of tuple space as an abstract model of the bus.
We have given considerable thought to this option. The advantage of this option is that the model is general and seems to be useful for describing ensembles of coordinated processes. The disadvantage is that the model is not yet fully formalized (not to mention mechanized), and thus there would be considerable work before we could begin using the model. Also, we consider this model to be better suited to describing interactions between system components (however they are specified) rather than specifying the components themselves. Thus, we plan to pursue the formalization of LINDA as a model for composing specifications, rather than for the specifications themselves.
Overall, we believe that approach (1) has the most promise and meets the criteria that we outlined above. We do, however, recognize that there is a rich body of research surrounding process algebras and thus will draw on that wherever possible. Indeed, much as the GIT looks similar to a state machine, but has specific features designed to specify and verify microprocessors, our transaction model will look similar to existing process algebras but have features specific to specifying and verifying hardware devices such as the PIU.

### 4.4 Preliminary Transaction Model Design

This section discusses some preliminary design concepts for the transaction model and gives our development plans.

### 4.4.1 The Transaction Model

Our preliminary transaction model contains elements common to other behavioral models, augmented by features targeting transaction-level behavior.


Figure 4.5: Modeling the Buses in a Computer System using Tuple Space.

### 4.4.1.1 Ports

A transaction system has a number of ports. The system will receive requests on input ports, send requests on output ports and communicate data on data ports. Our model will have an alphabet of port names that can be used to identify ports uniquely.

### 4.4.1.2 State

The transaction system will have internal state. This state will be represented in a concrete object as a tuple, but in the model will be represented abstractly.

### 4.4.1.3 Transactions

A transaction will be a triple consisting of an identifying request (taken from an alphabet of possible requests), a state transition function used to update the state, and a set of port-request function pairs representing the requests to be sent and the ports to issue them on in response to the transaction request. The request functions use the current state and values on the data ports to generate a request.

### 4.4.1.4 Operation

The model will be driven by request events. The model will consist of a set of transactions for each input port. The set represents the legal requests on that port. For each input port, the model will, in parallel, read a request, find the appropriate transaction in its transaction set, and use that transaction to update the state and issue requests on output ports.
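As an added illustration (not the ML program the report plans to write), the following Python sketch gives the model's ingredients a concrete shape: an alphabet of port names, a dictionary-valued state, transactions as the triple of Section 4.4.1.3, and the per-port operation step of Section 4.4.1.4. The port and request names, the register boundary `REG_BASE`, the `step` function and the PIU-like transaction sets are all constructed for the example, and the step also reports the case Section 4.4.2 worries about, two input ports issuing to the same output port at once.

```python
"""Executable sketch of the preliminary transaction model (Section 4.4.1).

Added example, not the report's own ML program.  Port names, request names,
the register boundary REG_BASE and the PIU-like transaction sets below are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

State = Dict[str, Any]            # abstract internal state (a dict here)
Data = Dict[str, Any]             # values present on one port's data lines
Request = Tuple[Any, ...]         # (request name, operands...)
RequestFn = Callable[[State, Data], Optional[Request]]   # None: nothing issued


@dataclass(frozen=True)
class Transaction:
    """The triple of Section 4.4.1.3."""
    request: str                                 # identifying request name
    update: Callable[[State, Data], State]       # state transition function
    issue: Tuple[Tuple[str, RequestFn], ...]     # (output port, request fn) pairs


# One transaction set per input port: {port: {request name: Transaction}}
TransactionSets = Dict[str, Dict[str, Transaction]]


def step(sets: TransactionSets, state: State,
         requests: Dict[str, str], data: Dict[str, Data]):
    """One operation step (Section 4.4.1.4).

    `requests` maps each input port carrying a request to the request name,
    `data` maps a port to the values on its data lines.  Returns
    (new_state, issued, illegal, conflicts): requests generated per output
    port, (port, request) pairs with no transaction in the port's set, and
    output ports that more than one input port used in the same step.
    """
    issued: Dict[str, List[Request]] = {}
    illegal: List[Tuple[str, str]] = []
    new_state = dict(state)
    for port, name in requests.items():
        tx = sets.get(port, {}).get(name)
        if tx is None:                     # not a legal request on this port
            illegal.append((port, name))
            continue
        # Assumption: request functions see the state current when the
        # request arrived; the ports' state updates are applied in port order.
        for out_port, fn in tx.issue:
            req = fn(state, data.get(port, {}))
            if req is not None:
                issued.setdefault(out_port, []).append(req)
        new_state = tx.update(new_state, data.get(port, {}))
    conflicts = sorted(p for p, reqs in issued.items() if len(reqs) > 1)
    return new_state, issued, illegal, conflicts


# ---- constructed PIU-like transaction sets ---------------------------------
REG_BASE = 0x100   # constructed: addresses at or above this hit PIU registers


def _to_memory(state: State, d: Data) -> Optional[Request]:
    """A read below REG_BASE is translated into a request on the memory port."""
    return None if d["addr"] >= REG_BASE else ("mem_read", d["addr"])


def _reg_reply(state: State, d: Data) -> Optional[Request]:
    """A read of a PIU register is answered directly from the state."""
    if d["addr"] < REG_BASE:
        return None
    return ("data", state["regs"].get(d["addr"], 0))


def _write_reg(state: State, d: Data) -> State:
    regs = dict(state["regs"])
    regs[d["addr"]] = d["value"]
    return {**state, "regs": regs}


def _keep(state: State, d: Data) -> State:
    return state


PIU_SETS: TransactionSets = {
    "cpu": {
        "read": Transaction("read", _keep, (("mem", _to_memory), ("cpu", _reg_reply))),
        "write_reg": Transaction("write_reg", _write_reg, ()),
    },
    "net": {
        "read": Transaction("read", _keep, (("mem", _to_memory),)),
    },
}


def demo():
    """A register write, a register read, then a CPU/network collision on mem."""
    st = {"regs": {}}
    st, _, _, _ = step(PIU_SETS, st, {"cpu": "write_reg"},
                       {"cpu": {"addr": 0x100, "value": 7}})
    st, out, _, _ = step(PIU_SETS, st, {"cpu": "read"}, {"cpu": {"addr": 0x100}})
    _, both, _, clash = step(PIU_SETS, st, {"cpu": "read", "net": "read"},
                             {"cpu": {"addr": 0x10}, "net": {"addr": 0x20}})
    return out, both, clash


if __name__ == "__main__":
    print(demo())
```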

### 4.4.2 Development Plan and Comments

We plan to refine the preliminary concepts outlined above as follows:

1. Build a functional program in ML of the behavior of the PIU based on the model presented above. The program will allow us to exercise the model and determine where there are problems. We chose ML since it is close to the syntax of HOL and will be readily converted into HOL when we are satisfied with it.
2. The program built in the previous step will be specific to the PIU. Our plan is to generalize that program into an abstract model of transaction systems. We plan to use the results of the experiments in the previous step to guide a formalization of the general model in HOL. Careful design of the abstraction in the program will make this task easier. Provided that the results of the experiments yield favorable results, we do not anticipate formalization to be a large effort.
3. After the model has been formalized, we will need to use it to assess its utility and determine what lemmas need to be proven in the abstract theory to enable effective reasoning in the concrete model. There is no way to determine what these theories will be until the model is used the first time.
4. As the model is used, there will undoubtedly be refinements and extensions. Our experience with the generic interpreter theory has shown that refining and extending abstract theories is not an arduous task, and we anticipate that the same will be true of the new model.
There are several areas that may lead to difficulties:

- The model specifies each input port separately (in the spirit of the abstract views of Section 4.2). There will have to be coordination between ports due to shared state and output ports. The network port and the CPU port cannot both issue requests of the memory port simultaneously. This, of course, is also a restriction in the design. Our problem is not what coordination to perform, since that exists in the PIU
already, but how to represent such coordination in the model. We hope that process algebras will give us some guidance.
- The state is shared and thus may be updated by several ports at once (provided that such updating does not cause interference). We hope that partial specifications of the changes, represented by predicates rather than functions, will solve this problem.
- We have ignored the start-up operation of the PIU in our model. We do not believe that this is a problem since the start-up portion of the chip operates in sequence with the rest of the PIU components. We can model the start-up portion using an interpreter or transaction system (whichever is more appropriate) and choose the behavior of the start-up device or the PIU device depending on the current state.
- The PIU has a number of on-board clocks that serve as interrupt timers. We hope that they can be modeled using the concepts presented in this chapter by looking at the external clock port as another input port with its own set of transactions. One of those transactions will trigger interrupts when the state is correct.


### 4.5 Conclusions

Hardware devices such as the PIU present a unique challenge for behavioral specification. They differ from interpreters primarily in that there is a large amount of coarse-grained parallelism and they do not control all the state that they are expected to impact. The overall system (PIU, CPU, network, and memory) could be modeled as an interpreter, but our desire is to model the PIU independently.

One could just make a laundry list of all the actions that occur and use this as the specification, but the result would be nearly unreadable for a complex device such as the PIU. Our goal is to create an abstraction that organizes that behavior so that the specification is readable as well as useful for verification. An unreadable specification is likely to be wrong.

The research presented here is only a start at the top-level specification of the PIU. We plan the following follow-on work:

- The preliminary transaction model must be refined as presented in Section 4.4. The models need to be tested on the PIU design for utility. Furthermore, the model needs to be formalized in HOL.
- Further work must be done on the composition of our abstract-view approach to behavior. We plan a further review of the literature for applicable work and a small test study involving a small device with a simple semantics, but more than one interface, to determine whether composing the abstract behaviors of the interface is sufficient to represent behavior.
- We intend to pursue the formalization of the LINDA coordination language since it seems a likely candidate model for composing the specification of the PIU with the specifications of the CPU, memory, and network. This composition would be used to implement a more abstract view of the system. This work does not have consequences for the top-level specification of the PIU itself but may be important for future compositions.


## 5 Towards an Integrated Simulation/Verification Environment

This section describes work that links the M hardware description language and the HOL theorem proving system.

The M hardware description language is part of a simulation and synthesis system from Mentor Graphics Corporation. M is a superset of C with extensions for efficiently describing hardware.

The goal of the work presented in this section was to develop a prototype translator for converting M descriptions to the equivalent HOL descriptions. We chose to describe the implementation of the PIU in M for several reasons:

- Engineers working on the project are more comfortable with M descriptions than they are with the logic of HOL. This is probably because of the similarity of M to imperative programming languages in which most engineers are schooled.
- M descriptions can be executed. This allows the specifications to be animated, providing a form of simulation. Engineers can observe the operation of the specification in an effort to judge its correctness.
The translator described here is a prototype tool. We have used the AWK programming language [Aho88] to construct a parser for the subset of M actually used in the description of the PIU. In addition to parsing M, the tool generates HOL statements corresponding to the input. The generation is done on an ad hoc basis; no attempt has been made to describe the semantics of M formally.

The translator between M and HOL is important because a hand translation would be tedious and error prone. Using a machine translation, even one done informally, provides consistent translations. When an error in a translation is found, the translator can be corrected and the other translations redone to ensure that the error does not affect other specifications as well.

Future work may include a more formal translator between M and HOL if we determine that M descriptions are useful. The more formal translator would include a parser built into the HOL theorem prover as well as a formal semantic description. The translation would be done completely within the theorem prover for added assurance.

The following section will discuss data types developed for use with the model. We will not discuss the actual translation process in detail, but we will give a simple example of an M description of a finite state machine and its equivalent form in HOL as produced by the M-to-HOL translator. The HOL definitions are intended to be used with the generic interpreter model described in Section 2 of this report.

### 5.1 New Datatypes in HOL

In order to translate M to HOL, we had to make type definitions in HOL that correspond to the types used in the M language. Two of the more involved type definitions were arrays and n-bit words.

### 5.1.1 Arrays

Since M is a superset of C, M descriptions make heavy use of arrays. HOL does not have a built-in array type, but arrays are easy to model in higher-order logic using functions. In general we treat an array of objects as a function from the natural numbers to the same objects. There are four basic operations on arrays in M that needed to be defined in HOL: array indexing, array assignment, array subsetting, and subarray assignment.

Array Indexing. In M, arrays are indexed using bracket notation. In HOL, since arrays are just functions, arrays are indexed by function application. Thus, the M term x[i] is written in HOL as (x i).

Array Assignment. In M, one can use an indexed array variable as the lvalue in an assignment statement. Logic does not have assignment, so the corresponding definition is functional. We define a function called ALTER that operates on an array, an index, and a value and returns a new array with the value stored in the array at the index given. All other values are unchanged. Thus, the M term x[i] = y is written (ALTER x i y) in HOL.

Array Subsetting. In M, one can use a subarray in an expression. The HOL function SUBARRAY serves the same purpose. Thus, the M term x[15:5] (which represents an 11-element array with location 0 holding the same value as x[5], location 1 holding the same value as x[6], and so on) would be written in HOL as SUBARRAY x (15,5).

Subarray Assignment. In M, one can assign arrays to portions of an existing array. The HOL function that does this is called MALTER. The M term x[15:5] = y would be written in HOL as MALTER x (15,5) y.

The theory of arrays also contains theorems pertaining to these definitions that aid in reasoning about arrays.

### 5.1.2 N-Bit Words

N-bit words are defined in M using arrays of booleans. Since we represent arrays as functions, the natural representation for n-bit words is a function from the natural numbers to the booleans. The theory of n-bit words that we defined uses this representation and makes definitions that allow the representation to be usable. There are four kinds of definitions in the n-bit word theory:

1. Definitions that interpret the meaning of an n-bit word.
2. Definitions that create n-bit words with special meanings and give them a name.
3. Definitions that test an n-bit word for a given property.
4. Definitions that operate on n-bit words.

There are two major functions for interpreting n-bit words: VAL and WORDN. VAL returns the numeric value of an n-bit word. WORDN returns the n-bit word representing a given number.

There are a number of functions for creating special n-bit words. We will not discuss all of them here, but only give a few examples. SETN returns an n-bit word with all of its bits set. Similarly, RSTN returns an n-bit word with all of its bits false.

Examples of test predicates include ONES which tests if all the bits in a word are true and ZEROS which tests if all the bits in a word are false.

Operations on n-bit words implement common boolean and arithmetic operations on n-bit words. For example, NOTN returns the n-bit complement of a word. INCN returns the n-bit word resulting from adding 1 (modulo n) to its argument.

So far, the theory does not contain many theorems regarding these definitions and their relationship to one another. These theorems will be proven as necessary.

### 5.2 An Example in M

The following example shows how a finite state machine is described in M. For brevity, the description contains only one state, S1; a more realistic description would contain more states, as well as more logic variables. The example does illustrate some of the features of M that required translation, such as logic operations, array subranging, and the mixture of output and logical statements in the same context.

```
/**********************************************************
    Module: test.M
    Authors: David Fura / Phillip Windley
    Date: 13MAR92
    Example of M description for translation.
***********************************************************/
#define V1 1
#define V2 2
MODULE test () {
    /* State variables: */
    MEMORY LOGIC new_A, A;
    MEMORY LOGIC new_B, B;
    MEMORY LOGIC new_C[32], C[32];
    /* Output variables: */
    OUT I_X[32];
    /* Input variables: */
    IN Clock;
    IN Rst;
    INITIALIZE {}
    SIMULATE {
        switch (Decode (Clock)) {
            case S1:
                new_A = (C == V1) || (C != V2);
                new_B = (C == V1) && new_A;
                new_C = wr (C,1);
                I_X[31] = new_A
                    ? Clock
                    : Rst;
                I_X[30:29] = new_C[1:0];
                I_X[28:0] = new_B
                    ? new_C[28:0]
                    : I_X[28:0];
                break;
            default:
                PRINT ("\nILLEGAL");
                break;
        }
    }
}
```


### 5.3 An Example in HOL

The following code represents the translation of the M code in the last section into HOL by the prototype translator developed for this project. No substantive changes have been made to the text. Except for indentation and spacing, everything is just as the translator produced it.

```
let V1 = "1";;
let V2 = "2";;
let test_state = ((A, B, C) : bool # bool # wordn);;
let test_inputs = ((Rst, Clock) : bool # bool);;
let test_outputs = ((I_X) : wordn);;
let S1_inst_def = new_definition
    ('S1_inst',
     "S1_inst ^test_state ^test_inputs =
        let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
        let new_B = (C = (WORDN ^V1)) /\ new_A in
        let new_C = wr (C, (WORDN 1)) in
        (new_A, new_B, new_C)"
    );;
let S1_out_def = new_definition
    ('S1_out',
     "S1_out ^test_state ^test_inputs =
        let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
        let new_B = (C = (WORDN ^V1)) /\ new_A in
        let new_C = wr (C, (WORDN 1)) in
        let I_X_31_31 = new_A
            => Clock
            | Rst in
        let I_X_30_29 = (SUBARRAY new_C (1,0)) in
        let I_X_28_0 = new_B
            => (SUBARRAY new_C (28,0))
            | (SUBARRAY I_X (28,0)) in
        let I_X = (MALTER
                     (MALTER
                        (MALTER I_X (31,31) I_X_31_31)
                        (30,29) I_X_30_29)
                     (28,0) I_X_28_0) in
        (I_X)"
    );;
```

The translator does a good job of translating most M programs into HOL. The largest limitation on its use is the simple type analysis that is done. A more thorough type analysis would catch some of the infrequent errors, but would have made the translator much more complicated. If a translator based on formal semantics is constructed, we will overcome this limitation.
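To make the array theory of Section 5.1.1, the n-bit word theory of Section 5.1.2 and the translated S1 definitions above concrete, here is an added Python model of those definitions (not the report's HOL theories or translator output) that evaluates one S1 step. It assumes arrays are callables from naturals to values, that a word's width n is passed explicitly, that bit 0 is the least significant bit, and, since the report uses `wr` without defining it, that the caller supplies `wr`; the `EQN`, `run_s1` and `N` names are the example's own.

```python
"""Executable model of the HOL array theory (Section 5.1.1) and n-bit word
theory (Section 5.1.2), run on the translated S1 definitions of Section 5.3.
Added example, not the report's HOL theories or translator output.
Assumptions: arrays are Python callables from naturals to values (the report's
HOL functions); a word carries its width n explicitly; bit 0 is the least
significant bit; `wr`, used but never defined in the report, is supplied by
the caller."""
from typing import Callable

Array = Callable[[int], bool]

# ---- array theory (Section 5.1.1) ----
def ALTER(x, i, y):
    """x with element i replaced by y; all other elements unchanged."""
    return lambda j: y if j == i else x(j)

def SUBARRAY(x, hi_lo):
    """x[hi:lo] as a fresh array: element 0 is x(lo), element 1 is x(lo+1), ..."""
    hi, lo = hi_lo
    return lambda j: x(lo + j) if 0 <= j <= hi - lo else False

def MALTER(x, hi_lo, y):
    """x with positions lo..hi overwritten by y(0), ..., y(hi-lo)."""
    hi, lo = hi_lo
    return lambda j: y(j - lo) if lo <= j <= hi else x(j)

# ---- n-bit word theory (Section 5.1.2), width n passed explicitly ----
def VAL(n, w):
    return sum(1 << i for i in range(n) if w(i))

def WORDN(n, k):
    return lambda i: 0 <= i < n and bool((k >> i) & 1)

def SETN(n):
    return lambda i: 0 <= i < n

def RSTN(n):
    return lambda i: False

def ONES(n, w):
    return all(w(i) for i in range(n))

def ZEROS(n, w):
    return not any(w(i) for i in range(n))

def NOTN(n, w):
    return lambda i: 0 <= i < n and not w(i)

def INCN(n, w):
    """Add 1 with n-bit wraparound (2**n - 1 + 1 gives 0)."""
    return WORDN(n, (VAL(n, w) + 1) % (1 << n))

def EQN(n, a, b):
    """Word equality, the `C = WORDN ^V1` tests of the translation."""
    return all(a(i) == b(i) for i in range(n))

# ---- the translated S1 machine (Section 5.3) ----
N, V1, V2 = 32, 1, 2

def S1_inst(state, inputs, wr):
    A, B, C = state
    new_A = EQN(N, C, WORDN(N, V1)) or not EQN(N, C, WORDN(N, V2))
    new_B = EQN(N, C, WORDN(N, V1)) and new_A
    new_C = wr(C, WORDN(N, 1))       # wr: the caller's stand-in
    return new_A, new_B, new_C

def S1_out(state, inputs, I_X, wr):
    """S1_out: the HOL text leaves I_X (the previous output) free, so it is
    an explicit argument here."""
    Rst, Clock = inputs
    new_A, new_B, new_C = S1_inst(state, inputs, wr)
    I_X_31_31 = Clock if new_A else Rst
    I_X_30_29 = SUBARRAY(new_C, (1, 0))
    I_X_28_0 = SUBARRAY(new_C, (28, 0)) if new_B else SUBARRAY(I_X, (28, 0))
    # The translator hands MALTER a single bool at (31,31): the kind of type
    # slip its simple type analysis lets through.  Wrap it as a one-element
    # array so the definition evaluates.
    out = MALTER(I_X, (31, 31), lambda _j: I_X_31_31)
    out = MALTER(out, (30, 29), I_X_30_29)
    out = MALTER(out, (28, 0), I_X_28_0)
    return out

def run_s1(c_value, rst, clock, old_ix):
    """One S1 step from integer encodings, with INCN standing in for wr."""
    state = (False, False, WORDN(N, c_value))
    wr = lambda c, _one: INCN(N, c)      # assumption: wr is undefined on the page
    return VAL(N, S1_out(state, (rst, clock), WORDN(N, old_ix), wr))
```

With C = 1 the V1 branch fires and bits 31, 30 and 1 of the output are set; with C = 2 both tests fail and bits 28..0 of the previous I_X are carried over unchanged.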

## 6 Conclusions

We have completed the design specification for a processor interface unit (PIU) and identified the modeling approach to be used for the requirements specification. Along the way we have made progress in integrating our hardware design and verification environments into a single unified framework.

In performing this task a number of important conclusions have been reached concerning the state-of-the-art in formal specification, using HOL, with respect to the demands of real-world hardware systems.

The generic interpreter theory, described in Section 2, was shown to work well in a real-world hardware application. It is clear that this theory, which was initially funded by NASA in a previous task [Win90], fits applications well beyond the domain of microprocessors for which it was originally used. Our introduction of outputs into the theory accommodates the composition of subsystems modeled as interpreters, and enhances the theory's applicability to future system modeling problems.

Developing the lower five levels of the PIU specification hierarchy, described in Section 3, stretched existing specification tools and techniques to their limit. To illustrate the size of this modeling problem, the five phase-level specifications together required equations for 280 state variables and 60 output variables. The PIU clock-level model caused overflows in three different stacks in the original Lisp implementation used to build the HOL system.

Because of delays in the PIU design schedule, this task began while the design was still undergoing considerable change. Due to the multiple specification levels and the lack of any significant automation, modifying our models to reflect these changes required much more effort than that required by the design team, for example. As a result, the total effort required to complete the design specification was far greater than necessary. Although previous formal specification and verification efforts appear to have begun only after the design was finalized, and therefore didn't face this problem, formal methods will be most useful when they can be applied before a chip is initially fabricated, and thus before the design is finished as well. Based on this experience it is clear that major improvements are needed in the tools used to develop future design specifications.

Perhaps our most significant discovery is that current hardware specification approaches, although suitable for the lower levels of the PIU specification hierarchy, are inadequate for the topmost level. This motivated us to investigate the alternative modeling techniques described in Section 4, from which we have defined a preliminary model for use in formalizing a new transaction-based modeling level.

Although not explicitly part of this task's description, we have made progress in integrating our hardware design and verification environments to support this and future work. The M-to-HOL translator, described in Section 5, performs a nearly-complete translation of suitably-formatted M-language models into HOL. The utility of this tool was demonstrated by our translation of all the port-level behavioral models from their definitions in M. Although this translation is not based on a formal semantics for M, it provides a consistent translation capability that is available for use now. It should have an immediate impact on productivity for the next chip specification.

The work presented in this report has made a significant contribution to the specification and verification of real-world devices, but much remains to be done. In particular, this report has outlined the following tasks:

1. Before work on the specification of the top level can be completed, the formal model of the transaction level must be completed. Section 4 gives a more detailed plan for completing this work.
2. The specification hierarchy was outlined in Section 3, but this task did not include the completion of the specification. In particular, the PIU top-level specification remains to be written.

In addition to the work that must be completed to finish the specification, there are a number of open questions that have a direct bearing on how this work is used:

1. The proofs of correspondence between levels in the specification hierarchy should be completed. The specification process itself is useful because it gives designers an abstract view of the device and aids understanding. The detailed examination entailed in the specification is useful for finding errors. However, the primary benefit of a formal specification is that it is amenable to analysis.
2. If we intend to use the top-level specification along with specifications of other devices in the PMM, such as the CPU and memory, to write a specification of the PMM, a model of composition must be developed. Section 4 recommended a formalization of LINDA as that model, but no work has been done to explore the feasibility or utility of this method.
3. The translation between M and HOL is being done in a prototype system written in AWK. A more formal approach, with more confidence in its correctness, would be to embed M in HOL. This would involve defining the syntax of M (or a reasonable subset) in HOL and then defining a formal semantics of M for use in the translation. Because the translation would be done by the verification system itself, we could have increased confidence that the HOL model corresponded to the M model.

## 7 References

[Aho88] A.V. Aho, B.W. Kernighan, P.J. Weinberger, The AWK Programming Language, Addison-Wesley, 1988.
[Aro90] Tejkumar Arora, The formal verification of the VIPER microprocessor: EBM to microcode level, Master's thesis, University of California, Davis, 1990.
[But91] P. Butcher, "A Behavioral Semantics for Linda-2," Software Engineering Journal, July 1991.
[Cam89] A. J. Camilleri, "Mechanizing CSP Trace Theory in Higher-Order Logic," Hewlett-Packard Laboratories, Technical Memorandum HPL-ISC-TM-89-131, August 1989.
[Coh88] Avra Cohn, "Correctness properties of the VIPER block model: The second level," University of Cambridge Computer Laboratory, Technical Report 134, May 1988.
[SRI88] SRI International Computer Science Laboratory, EHDM Specification and Verification System: User's Guide, Version 4.1, 1988.
[Gor86] M. Gordon, "Why Higher-Order Logic is a good Formalism for Specifying and Verifying Hardware," in G.J. Milne and P.A. Subrahmanyam, editors, Formal Aspects of VLSI Design, North-Holland, 1986.
[Gor88] Michael J.C. Gordon, "HOL: A proof generating system for higher-order logic," in G. Birtwistle and P.A. Subrahmanyam, editors, VLSI Specification, Verification, and Synthesis, Kluwer Academic Publishers, 1988.
[Gog88] J. Goguen and T. Winkler, "Introducing OBJ3," SRI International, Technical Report SRI-CSL-889, August 1988.
[Hen88] M. Hennessy, Algebraic Theory of Processes, MIT Press, 1988.
[Her88] John Herbert, "Temporal abstraction of digital designs," in G.J. Milne, editor, The Fusion of Hardware Design and Verification, Proceedings of the IFIP WG 10.2 International Working Conference, Glasgow, Scotland, North-Holland, 1988.
[Hoa85] C. A. R. Hoare, "Communicating Sequential Processes," Prentice Hall, 1985.
[Hun87] Warren A. Hunt, Jr., "The mechanical verification of a microprocessor design," in D. Borrione, editor, From HDL Descriptions to Guaranteed Correct Circuit Designs, Elsevier Scientific Publishers, 1987.
[Hun92] Warren A. Hunt, Jr., and Bishop Brock, "A Formal HDL and its use in the FM9001 Verification," in C.A.R. Hoare and M.J.C. Gordon, editors, Mechanized Reasoning and Hardware Design, Prentice Hall, 1992.
[Joy89] Jeffrey J. Joyce, Multi-Level Verification of Micnoprocessor-Based Systems, PhD thesis, University of Cambridge, December 1989.
[Koh78] Z. Kohavi, Switching and Finite Automata Theory, McGraw-Hill, 1978.
[Low89] Paul Loewenstein, "Reasoning about state machines in higher-order logic," in M. Leeser and G. Brown, editors, Workshop on Hardware Specification, Verification, and Synthesis: Mathematical Aspects, Lecture Notes in Computer Science, Springer-Verlag, 1989.
[Mel88] Thomas Melham, "Abstraction mechanisms for hardware verification," in G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, Kluwer Academic Publishers, 1988.
[Me190] T.F. Melham, "Formalizing Abstraction Mechanisms for Hardware Verification in Higher Order Logic," University of Cambridge Computer Laboratory, Technical Report 201, August 1990.
[[Mel91] T. F. Melham, "A Mechanized Theory of the $\pi$-Calculus in HOL," in G. Huet, G. Plotkin, and C. Jones, editors, Second Annual Workshop on Logical Frameworks, Edinburgh, May 1991.
[Mil89a] R. Milner, Communication and Concurrency, Prentice Hall, 1989.
[Mi189b] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part I," University of Edinburgh, Laboratory for Foundations of Computer Science, Technical Report ECS-LFCS-89-85, June 1989.
[Mi189c] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part II," University of Edinburgh, Laboratory for Foundations of Computer Science, Technical Report ECS-LFCS-89-86, June 1989.
[Sch91] E. T. Schubert, K. Levitt, G.C. Cohen,. "Towards Composition of Verified Hardware Devices," NASA Contractor Report 187504, November 1991.
[Win88] Phillip J. Windley, "A hierarchical methodology for the verification of microprogrammed microprocessors," in Proceedings of the IEEE Symposium on Security and Privacy, May 1990.
[Win90] Phillip J. Windley, The Formal Verification of Generic Interpreters, PhD thesis, University of California, Davis, Division of Computer Science, June 1990.
[Win90a] Phillip J. Windley, "A poor man's implementation of abstract theories," University of California, Davis, Division of Computer Science, " Technical Report CSE-90-06, 1990.
[Win91] Phillip J. Windley, "The formal specification of a high-speed CMOS correlator," in Proceedings of the Third Annual IEEE/NASA Symposium on VLSI Design, October 1991.

## Appendix A ML Source for Component Specifications.

This appendix contains the HOL models for components used in the gate-level specification for the PIU ports, as well as auxiliary definitions for $n$-bit words implemented as arrays and array accessing functions.

```
%-----------------------------------------------------------------------------
  File:   gates_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the combinational logic gates used in
  the gate-level description of the FTEP PIU, an ASIC developed by the
  Embedded Processing Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm gates_def.th`;;
new_theory `gates_def`;;
map new_parent [`aux_def`];;

let NOT_SPEC = new_definition
  (`NOT_SPEC`,
   "!a z.
    NOT_SPEC a z =
      (!t:time. z t = ~(a t))"
  );;

let AND2_SPEC = new_definition
  (`AND2_SPEC`,
   "!a b z.
    AND2_SPEC a b z =
      (!t:time. z t = a t /\ b t)"
  );;

let AND3_SPEC = new_definition
  (`AND3_SPEC`,
   "!a b c z.
    AND3_SPEC a b c z =
      (!t:time. z t = a t /\ b t /\ c t)"
  );;

let OR2_SPEC = new_definition
  (`OR2_SPEC`,
   "!a b z.
    OR2_SPEC a b z =
      (!t:time. z t = a t \/ b t)"
  );;

let OR3_SPEC = new_definition
  (`OR3_SPEC`,
   "!a b c z.
    OR3_SPEC a b c z =
      (!t:time. z t = a t \/ b t \/ c t)"
  );;

let NAND2_SPEC = new_definition
  (`NAND2_SPEC`,
   "!a b z.
    NAND2_SPEC a b z =
      (!t:time. z t = ~(a t /\ b t))"
  );;

let NAND3_SPEC = new_definition
  (`NAND3_SPEC`,
   "!a b c z.
    NAND3_SPEC a b c z =
      (!t:time. z t = ~(a t /\ b t /\ c t))"
  );;

let BUF_SPEC = new_definition
  (`BUF_SPEC`,
   "!(a:time->*) z.
    BUF_SPEC a z =
      (!t:time. z t = a t)"
  );;

let TRIBUF_SPEC = new_definition
  (`TRIBUF_SPEC`,
   "!(a:time->*) e z.
    TRIBUF_SPEC a e z =
      (!t:time. (e t) ==> (z t = a t))"
  );;

close_theory();;

%-----------------------------------------------------------------------------
  File:   latches_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the latches used in the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm latches_def.th`;;
new_theory `latches_def`;;
map new_parent [`aux_def`];;

%-----------------------------------------------------------------------------
  One-bit D-latch, no set, no reset, no enable.
-----------------------------------------------------------------------------%
let DLAT_SPEC = new_definition
  (`DLAT_SPEC`,
   "!(din:time->bool) clk state qout.
    DLAT_SPEC din clk state qout =
      !t:time.
        (state (t+1) = (clk t) => din t | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, with set, no reset, no enable.
-----------------------------------------------------------------------------%
let DSLAT_SPEC = new_definition
  (`DSLAT_SPEC`,
   "!(din:time->bool) set clk state qout.
    DSLAT_SPEC din set clk state qout =
      !t:time.
        (state (t+1) = (clk t) => ((set t) => T | din t) | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, no set, with reset, no enable.
-----------------------------------------------------------------------------%
let DRLAT_SPEC = new_definition
  (`DRLAT_SPEC`,
   "!(din:time->bool) rst clk state qout.
    DRLAT_SPEC din rst clk state qout =
      !t:time.
        (state (t+1) = (clk t) => ((rst t) => F | din t) | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, with set, with reset, no enable.
-----------------------------------------------------------------------------%
let DSRLAT_SPEC = new_definition
  (`DSRLAT_SPEC`,
   "!(din:time->bool) set rst clk state qout.
    DSRLAT_SPEC din set rst clk state qout =
      !t:time.
        (state (t+1) = (clk t) => ((set t /\ ~rst t) => T |
                                   (~set t /\ rst t) => F |
                                   (~set t /\ ~rst t) => din t |
                                   ARB) |
                                  state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, no set, no reset, with enable.
-----------------------------------------------------------------------------%
let DELAT_SPEC = new_definition
  (`DELAT_SPEC`,
   "!(din:time->bool) en clk state qout.
    DELAT_SPEC din en clk state qout =
      !t:time.
        (state (t+1) = (clk t /\ en t) => din t | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, no set, with reset, with enable.
-----------------------------------------------------------------------------%
let DRELAT_SPEC = new_definition
  (`DRELAT_SPEC`,
   "!(din:time->bool) rst en clk state qout.
    DRELAT_SPEC din rst en clk state qout =
      !t:time.
        (state (t+1) = (clk t /\ en t) => ((rst t) => F | din t) | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, with set, no reset, with enable.
-----------------------------------------------------------------------------%
let DSELAT_SPEC = new_definition
  (`DSELAT_SPEC`,
   "!(din:time->bool) set en clk state qout.
    DSELAT_SPEC din set en clk state qout =
      !t:time.
        (state (t+1) = (clk t /\ en t) => ((set t) => T | din t) | state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  One-bit D-latch, with set, with reset, with enable.
-----------------------------------------------------------------------------%
let DSRELAT_SPEC = new_definition
  (`DSRELAT_SPEC`,
   "!(din:time->bool) set rst en clk state qout.
    DSRELAT_SPEC din set rst en clk state qout =
      !t:time.
        (state (t+1) = (clk t /\ en t) => ((set t /\ ~rst t) => T |
                                           (~set t /\ rst t) => F |
                                           (~set t /\ ~rst t) => din t |
                                           ARB) |
                                          state t) /\
        (qout t = state (t+1))"
  );;

%-----------------------------------------------------------------------------
  Multiple-bit D-latch, no set, no reset, no enable.
-----------------------------------------------------------------------------%
let DLATn_SPEC = new_definition
  (`DLATn_SPEC`,
   "!(din:time->wordn) clk state qout.
    DLATn_SPEC din clk state qout =
      !t:time.
        (state (t+1) = (clk t) => din t | state t) /\
        (qout t = state (t+1))"
  );;

close_theory();;

%-----------------------------------------------------------------------------
  File:   ffs_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the flip-flops used in the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm ffs_def.th`;;
new_theory `ffs_def`;;
map new_parent [`aux_def`];;

%-----------------------------------------------------------------------------
  One-bit flip-flop, no set, no reset, no enable.
-----------------------------------------------------------------------------%
let DFF_SPEC = new_definition
  (`DFF_SPEC`,
   "!(din:time->bool) clk state0 state1 qout.
    DFF_SPEC din clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
                (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, no set, with reset, no enable.
-----------------------------------------------------------------------------%
let DRFF_SPEC = new_definition
  (`DRFF_SPEC`,
   "!(din:time->bool) rst clk state0 state1 qout.
    DRFF_SPEC din rst clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
                (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, with set, no reset, no enable.
-----------------------------------------------------------------------------%
let DSFF_SPEC = new_definition
  (`DSFF_SPEC`,
   "!(din:time->bool) set clk state0 state1 qout.
    DSFF_SPEC din set clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
                (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, with reset, with set, no enable.
-----------------------------------------------------------------------------%
let DRSFF_SPEC = new_definition
  (`DRSFF_SPEC`,
   "!(din:time->bool) rst set clk state0 state1 qout.
    DRSFF_SPEC din rst set clk state0 state1 qout =
      (!t:time. ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
                ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
                ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
                (state1 (t+1) = (clk t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, no set, no reset, with enable.
-----------------------------------------------------------------------------%
let DEFF_SPEC = new_definition
  (`DEFF_SPEC`,
   "!(din:time->bool) en clk state0 state1 qout.
    DEFF_SPEC din en clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
                (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  Multiple-bit flip-flop, no set, no reset, with enable.
-----------------------------------------------------------------------------%
let DEFFn_SPEC = new_definition
  (`DEFFn_SPEC`,
   "!(din:time->wordn) en clk state0 state1 qout.
    DEFFn_SPEC din en clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => din t | state0 t) /\
                (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, no set, with reset, with enable.
-----------------------------------------------------------------------------%
let DREFF_SPEC = new_definition
  (`DREFF_SPEC`,
   "!(din:time->bool) en rst clk state0 state1 qout.
    DREFF_SPEC din en rst clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
                (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, with set, no reset, with enable.
-----------------------------------------------------------------------------%
let DSEFF_SPEC = new_definition
  (`DSEFF_SPEC`,
   "!(din:time->bool) en set clk state0 state1 qout.
    DSEFF_SPEC din en set clk state0 state1 qout =
      (!t:time. (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
                (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

%-----------------------------------------------------------------------------
  One-bit flip-flop, with reset, with set, with enable.
-----------------------------------------------------------------------------%
let DRSEFF_SPEC = new_definition
  (`DRSEFF_SPEC`,
   "!(din:time->bool) en rst set clk state0 state1 qout.
    DRSEFF_SPEC din en rst set clk state0 state1 qout =
      (!t:time. ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
                ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
                ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
                (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
                (qout t = state1 (t+1)))"
  );;

close_theory();;
```

```
%-----------------------------------------------------------------------------
  File:   counters_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the counters used in the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm counters_def.th`;;
new_theory `counters_def`;;
map new_parent [`aux_def`;`array_def`;`wordn_def`];;

%-----------------------------------------------------------------------------
  Up-counter, no reset.
-----------------------------------------------------------------------------%
let UPCNT_SPEC = new_definition
  (`UPCNT_SPEC`,
   "!size (din:time->wordn) ld up clk state0 state1 qout zero.
    UPCNT_SPEC size din ld up clk state0 state1 qout zero =
      !t:time.
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (up t) => INCN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) => state0 t | state1 t) /\
        (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;

%-----------------------------------------------------------------------------
  Down-counter, no reset.
-----------------------------------------------------------------------------%
let DOWNCNT_SPEC = new_definition
  (`DOWNCNT_SPEC`,
   "!size (din:time->wordn) ld down clk state0 state1 qout zero.
    DOWNCNT_SPEC size din ld down clk state0 state1 qout zero =
      !t:time.
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (down t) => DECN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) => state0 t | state1 t) /\
        (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;

%-----------------------------------------------------------------------------
  Up-counter, with reset.
-----------------------------------------------------------------------------%
let UPRCNT_SPEC = new_definition
  (`UPRCNT_SPEC`,
   "!size (din:time->wordn) ld up rst clk state0 state1 qout zero.
    UPRCNT_SPEC size din ld up rst clk state0 state1 qout zero =
      !t:time.
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (up t) => INCN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) =>
                          ((rst t) => WORDN 0 | state0 t) |
                          state1 t) /\
        (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;

%-----------------------------------------------------------------------------
  Down-counter, with reset.
-----------------------------------------------------------------------------%
let DOWNRCNT_SPEC = new_definition
  (`DOWNRCNT_SPEC`,
   "!size (din:time->wordn) ld down rst clk state0 state1 qout zero.
    DOWNRCNT_SPEC size din ld down rst clk state0 state1 qout zero =
      !t:time.
        (state0 (t+1) = (~clk t) =>
                          ((ld t) => din t |
                           (down t) => DECN size (state1 t) | state1 t) |
                          state0 t) /\
        (state1 (t+1) = (clk t) =>
                          ((rst t) => WORDN 0 | state0 t) |
                          state1 t) /\
        (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
        (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) | (state1 (t+1) = WORDN 0))"
  );;

close_theory();;
```
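The relational style of these counter definitions, as an added example in Python that is not part of the report's ML source: UPRCNT_SPEC is written both as a predicate over finite signal traces (the reading of the HOL `!t:time.` quantification) and as the deterministic trace builder it implies, and the predicate is shown rejecting a trace in which the reset was not honoured. INCN and WORDN are assumed to be increment modulo 2^size and the constant word; the input traces are constructed.

```python
# Added example, not part of the report's ML source: an executable reading of
# UPRCNT_SPEC. Signals are finite traces (lists indexed by t); the spec is a
# predicate over whole traces, mirroring the HOL "!t:time. ..." quantification.
# Assumptions: INCN size w is increment modulo 2^size and WORDN 0 is the
# all-zero word (the report's wordn library is not reproduced here).

from typing import List, Tuple

Bits = List[bool]
Words = List[int]


def wordn(size: int, n: int) -> int:
    """WORDN n viewed as a size-bit value (assumed: reduce modulo 2^size)."""
    return n & ((1 << size) - 1)


def incn(size: int, w: int) -> int:
    """INCN size w: increment modulo 2^size (assumed reading of the operator)."""
    return wordn(size, w + 1)


def next_state(size: int, din: int, ld: bool, up: bool, rst: bool, clk: bool,
               s0: int, s1: int) -> Tuple[int, int]:
    """The two state equations of UPRCNT_SPEC at one instant t.

    On ~clk the master (state0) loads din when ld, else state1+1 when up,
    else holds state1; on clk the slave (state1) takes WORDN 0 when rst,
    else the master. The other phase's register holds its value."""
    if not clk:
        return (din if ld else (incn(size, s1) if up else s1)), s1
    return s0, (wordn(size, 0) if rst else s0)


def uprcnt_spec(size: int, din: Words, ld: Bits, up: Bits, rst: Bits, clk: Bits,
                state0: Words, state1: Words, qout: Words, zero: Bits) -> bool:
    """UPRCNT_SPEC as a predicate over traces. State traces carry one more
    entry than the inputs because the spec constrains state (t+1); qout and
    zero look one increment ahead when up is asserted, as the HOL text says."""
    for t in range(len(din)):
        s0, s1 = next_state(size, din[t], ld[t], up[t], rst[t], clk[t],
                            state0[t], state1[t])
        nxt = incn(size, state1[t + 1]) if up[t] else state1[t + 1]
        if not (state0[t + 1] == s0 and state1[t + 1] == s1
                and qout[t] == nxt and zero[t] == (nxt == wordn(size, 0))):
            return False
    return True


def run_uprcnt(size: int, din: Words, ld: Bits, up: Bits, rst: Bits, clk: Bits,
               s0_init: int = 0, s1_init: int = 0):
    """Build the unique state/output traces satisfying UPRCNT_SPEC for the
    given inputs and initial state (the spec is deterministic, so this is its
    functional reading; uprcnt_spec re-checks the result)."""
    state0, state1, qout, zero = [s0_init], [s1_init], [], []
    for t in range(len(din)):
        s0, s1 = next_state(size, din[t], ld[t], up[t], rst[t], clk[t],
                            state0[t], state1[t])
        state0.append(s0)
        state1.append(s1)
        nxt = incn(size, s1) if up[t] else s1
        qout.append(nxt)
        zero.append(nxt == wordn(size, 0))
    return state0, state1, qout, zero


def demo() -> Tuple[bool, bool, List[int]]:
    """Constructed trace for a 2-bit counter: load 2, count up through the
    wrap-around, then reset. Returns (spec holds on the built traces,
    spec rejects a tampered slave trace, the qout trace)."""
    size = 2
    clk = [False, True] * 5                        # two-phase clock, 10 steps
    din = [2] * 10                                 # constant load value
    ld = [True] + [False] * 9                      # load during the first ~clk phase
    up = [False, False] + [True] * 6 + [False, False]
    rst = [False] * 8 + [True, True]               # reset seen on the last clk phase
    s0, s1, qout, zero = run_uprcnt(size, din, ld, up, rst, clk)
    holds = uprcnt_spec(size, din, ld, up, rst, clk, s0, s1, qout, zero)
    tampered = list(s1)
    tampered[-1] = 3                               # pretend the reset was ignored
    rejected = not uprcnt_spec(size, din, ld, up, rst, clk, s0, tampered, qout, zero)
    return holds, rejected, qout


if __name__ == "__main__":
    print(demo())  # (True, True, [0, 2, 3, 0, 0, 1, 1, 2, 1, 0])
```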
```
%-----------------------------------------------------------------------------
  File:   datapaths_def.ml
  Author: (c) D.A. Fura 1992

  This file contains the ml source for the datapath blocks of the R-Port of
  the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory,
  Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm datapaths_def.th`;;
new_theory `datapaths_def`;;
map loadf [`abstract`];;
map new_parent [`aux_def`;`array_def`;`wordn_def`];;
let rep_ty = abstract_type `aux_def` `Andn`;;

%-----------------------------------------------------------------------------
  Counter block used to build timers.
-----------------------------------------------------------------------------%
let DP_CTR_SPEC = new_definition
  (`DP_CTR_SPEC`,
   "!clkA clkB (busB_in:time->wordn) cir_wr c_ld cir_rd ce cin csror_ld cor_rd
     r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
     r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out.
    DP_CTR_SPEC clkA clkB busB_in cir_wr c_ld cir_rd ce cin csror_ld cor_rd
                r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
                r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out =
      !t:time.
        ((clkA t) ==>
           ((r_ctr_in (t+1) = r_ctr_in t) /\
            (r_ctr_mux_sel (t+1) = r_ctr_mux_sel t) /\
            (r_ctr_irden (t+1) = r_ctr_irden t) /\
            (r_ctr (t+1) = (r_ctr_mux_sel t) => r_ctr_in t | r_ctr_new t) /\
            (r_ctr_ce (t+1) = ce t) /\
            (r_ctr_cin (t+1) = cin t) /\
            (r_ctr_cry (t+1) = r_ctr_cry t) /\
            (r_ctr_new (t+1) = r_ctr_new t) /\
            (r_ctr_outA (t+1) = r_ctr_new t) /\
            (r_ctr_out (t+1) = r_ctr_out t) /\
            (r_ctr_orden (t+1) = r_ctr_orden t))) /\
        ((clkB t) ==>
           ((r_ctr_in (t+1) = (cir_wr t) => busB_in t | r_ctr_in t) /\
            (r_ctr_mux_sel (t+1) = c_ld t) /\
            (r_ctr_irden (t+1) = cir_rd t) /\
            (r_ctr (t+1) = r_ctr t) /\
            (r_ctr_ce (t+1) = r_ctr_ce t) /\
            (r_ctr_cin (t+1) = r_ctr_cin t) /\
            (r_ctr_cry (t+1) = (r_ctr_ce t) /\ (r_ctr_cin t) /\ ONES 31 (r_ctr t)) /\
            (r_ctr_new (t+1) = ((r_ctr_ce t) /\ (r_ctr_cin t)) => INCN 31 (r_ctr t) | r_ctr t) /\
            (r_ctr_outA (t+1) = r_ctr_outA t) /\
            (r_ctr_out (t+1) = (csror_ld t) => r_ctr_outA t | r_ctr_out t) /\
            (r_ctr_orden (t+1) = cor_rd t))) /\
        ((busA_out1 t = ((r_ctr_irden (t+1)) /\ (clkA t)) => r_ctr_in (t+1) | ARBN) /\
         (busA_out2 t = ((r_ctr_orden (t+1)) /\ (clkA t)) => r_ctr_out (t+1) | ARBN) /\
         (c_out t = r_ctr_cry (t+1)))"
  );;

%-----------------------------------------------------------------------------
  Interrupt Control Register (ICR) block.
-----------------------------------------------------------------------------%
let DP_ICR_SPEC = new_definition
  (`DP_ICR_SPEC`,
   "!(rep:^rep_ty) clkA clkB (busA_in:time->wordn) busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd
     r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr r_icr_rden
     busA_out icr_out.
    DP_ICR_SPEC rep clkA clkB busA_in busB_in icr_wr_feedback icr_wr icr_select icr_ld icr_rd
                r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr r_icr_rden
                busA_out icr_out =
      !t:time.
        ((clkA t) ==>
           ((r_icr_oldA (t+1) = busA_in t) /\
            (r_icr_old (t+1) = r_icr_old t) /\
            (r_icr_mask (t+1) = r_icr_mask t) /\
            (r_icrA (t+1) = (icr_select t) => Andn rep (r_icr_old t, r_icr_mask t)
                                            | Orn rep
            (r_icr (t+1) = r_icr t) /\
            (r_icr_rden (t+1) = r_icr_rden t))) /\
        ((clkB t) ==>
           ((r_icr_oldA (t+1) = r_icr_oldA t) /\
            (r_icr_old (t+1) = (icr_wr_feedback t) => r_icr_oldA t | r_icr_old t) /\
            (r_icr_mask (t+1) = (icr_wr t) => busB_in t | r_icr_mask t) /\
            (r_icrA (t+1) = r_icrA t) /\
            (r_icr (t+1) = (icr_ld t) => r_icrA t | r_icr t) /\
            (r_icr_rden (t+1) = icr_rd t))) /\
        ((busA_out t = ((r_icr_rden (t+1)) /\ (clkA t)) => r_icr (t+1) | ARBN) /\
         (icr_out t = r_icr (t+1)))"
  );;

%-----------------------------------------------------------------------------
  Control register used to build the General Control Register (GCR) and the
  Communication Control Register (CCR).
-----------------------------------------------------------------------------%
let DP_CR_SPEC = new_definition
  (`DP_CR_SPEC`,
   "!clkA clkB (busB_in:time->wordn) cr_wr cr_rd
     r_cr r_cr_rden
     busA_out cr_out.
    DP_CR_SPEC clkA clkB busB_in cr_wr cr_rd
               r_cr r_cr_rden
               busA_out cr_out =
      !t:time.
        ((clkA t) ==>
           ((r_cr (t+1) = r_cr t) /\
            (r_cr_rden (t+1) = r_cr_rden t))) /\
        ((clkB t) ==>
           ((r_cr (t+1) = (cr_wr t) => busB_in t | r_cr t) /\
            (r_cr_rden (t+1) = cr_rd t))) /\
        ((busA_out t = ((r_cr_rden (t+1)) /\ (clkA t)) => r_cr (t+1) | ARBN) /\
         (cr_out t = r_cr (t+1)))"
  );;

%-----------------------------------------------------------------------------
  Status Register block.
-----------------------------------------------------------------------------%
let DP_SR_SPEC = new_definition
  (`DP_SR_SPEC`,
   "!clkA clkB (inp:time->wordn) sror_ld sr_rd
     r_sr r_sr_rden
     busA_out.
    DP_SR_SPEC clkA clkB inp sror_ld sr_rd
               r_sr r_sr_rden
               busA_out =
      !t:time.
        ((clkA t) ==>
           ((r_sr (t+1) = r_sr t) /\
            (r_sr_rden (t+1) = r_sr_rden t))) /\
        ((clkB t) ==>
           ((r_sr (t+1) = (sror_ld t) => inp t | r_sr t) /\
            (r_sr_rden (t+1) = sr_rd t))) /\
        (busA_out t = ((r_sr_rden (t+1)) /\ (clkA t)) => r_sr (t+1) | ARBN)"
  );;

close_theory();;
```
```
%-----------------------------------------------------------------------------
  File:   buses_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the buses used in the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm buses_def.th`;;
new_theory `buses_def`;;
map new_parent [`aux_def`];;

new_type_abbrev(`time`, ":num");;

%-----------------------------------------------------------------------------
  Specification for a conflict-free bus.
-----------------------------------------------------------------------------%
let Bus_CF_12_SPEC = new_definition
  (`Bus_CF_12_SPEC`,
   "!inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12.
    Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 =
      !t:time.
        (inE1 t) => ~((inE2 t) \/ (inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/
                      (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE2 t) => ~((inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/
                      (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE3 t) => ~((inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/
                      (inE11 t) \/ (inE12 t)) |
        (inE4 t) => ~((inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/
                      (inE12 t)) |
        (inE5 t) => ~((inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE6 t) => ~((inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE7 t) => ~((inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE8 t) => ~((inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE9 t) => ~((inE10 t) \/ (inE11 t) \/ (inE12 t)) |
        (inE10 t) => ~((inE11 t) \/ (inE12 t)) |
        (inE11 t) => ~(inE12 t) | T"
  );;

%-----------------------------------------------------------------------------
  Specification for a 12-input bus component.
-----------------------------------------------------------------------------%
let Bus_12_1_SPEC = new_definition
  (`Bus_12_1_SPEC`,
   "!(inD1:time->*) inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
     inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out.
    Bus_12_1_SPEC inD1 inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
                  inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out =
      !t:time.
        (Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12) ==>

  );;

%-----------------------------------------------------------------------------
  Specification for a single-input bus component where the input is sourced
  by an A-clocked latch.
-----------------------------------------------------------------------------%
let Bus1A_SPEC = new_definition
  (`Bus1A_SPEC`,
   "!(in_A:time->*) out_A out_B.
    Bus1A_SPEC in_A out_A out_B =
      !t:time.
        (out_A t = in_A t) /\
        (out_B t = in_A t)"
  );;

%-----------------------------------------------------------------------------
  Specification for a single-input bus component where the input is sourced
  by a B-clocked latch.
-----------------------------------------------------------------------------%
let Bus1B_SPEC = new_definition
  (`Bus1B_SPEC`,
   "!(in_B:time->*) out_A out_B.
    Bus1B_SPEC in_B out_A out_B =
      !t:time.
        (out_A t = in_B (t-1)) /\
        (out_B t = in_B t)"
  );;

close_theory();;
```
```
%-----------------------------------------------------------------------------
  File:   aux_def.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains auxiliary definitions needed for the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------------%

system `rm aux_def.th`;;
new_theory `aux_def`;;
loadf `abstract`;;

new_type_abbrev(`time`, ":num");;
new_type_abbrev(`wordn`, ":(num->bool)");;

let pfsm_ty_Axiom =
  define_type `pfsm_ty_Axiom`
    `pfsm_ty = PH | PA | PD | P_ILL`;;
let pc_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool)";;
let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;

let cmfsm_ty_Axiom =
  define_type `cmfsm_ty_Axiom`
    `cmfsm_ty = CMI | CMR | CMA3 | CMA1 | CMA0 | CMA2 | CMD | CMD0
              | CMW | CMABT`;;
let csfsm_ty_Axiom =
  define_type `csfsm_ty_Axiom`
    `csfsm_ty = CSI | CSL | CSA1 | CSA0 | CSA0W | CSALE | CSRR | CSD1 | CSD0 | CSACK | CSABT`;;
let cefsm_ty_Axiom =
  define_type `cefsm_ty_Axiom`
    `cefsm_ty = CEI | CEE`;;
let cc_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                     csfsm_ty#bool#bool#bool#wordn#
                     cefsm_ty#bool#bool#bool#bool#bool#bool#
                     bool#wordn#bool#bool#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#bool#
                     bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn)";;
let cc_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#wordn#bool#bool)";;

let mfsm_ty_Axiom =
  define_type `mfsm_ty_Axiom`
    `mfsm_ty = MI | MA | MW | MRR | MR | MBW | M_ILL`;;
let mc_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let mc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;

let rfsm_ty_Axiom =
  define_type `rfsm_ty_Axiom`
    `rfsm_ty = RI | RA | RD`;;
let rc_state_ty = ":(rfsm_ty#bool#bool#bool#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#

let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#bool#bool#wordn)";;
let rc_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let sfsm_ty_Axiom =
  define_type `sfsm_ty_Axiom`
    `sfsm_ty = SSTART | SRA | SPF | SCOI | SCOF | ST | SCII |
               SCIF | SS | SSTOP | SCS | SNISO | S_ILL`;;
let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#

let sc_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool)";;
let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let VDD = new_definition
  (`VDD`,
   "!t:time. VDD t = T"
  );;
let GND = new_definition
  (`GND`,
   "!t:time. GND t = F"
  );;

let abs_rep = new_abstract_representation [
  (`Andn`, ":(wordn#wordn->wordn)");
  (`Orn`, ":(wordn#wordn->wordn)");
  (`Ham_Dec`, ":(wordn->wordn)");
  (`Ham_Det1`, ":(wordn->wordn)");
  (`Ham_Det2`, ":(wordn#bool->bool)");
  (`Ham_Enc`, ":(wordn->wordn)");
  (`Par_Dec`, ":(wordn->wordn)");
  (`Par_Det`, ":(wordn->bool)");
  (`Par_Enc`, ":(wordn->wordn)");
  (`p_interp`, ":(^pc_state_ty#^pc_env_ty#^pc_out_ty->bool)");
  (`c_interp`, ":(^cc_state_ty#^cc_env_ty#^cc_out_ty->bool)");
  (`m_interp`, ":(^mc_state_ty#^mc_env_ty#^mc_out_ty->bool)");
  (`r_interp`, ":(^rc_state_ty#^rc_env_ty#^rc_out_ty->bool)");
  (`s_interp`, ":(^sc_state_ty#^sc_env_ty#^sc_out_ty->bool)")];;

make_inst_thms abs_rep;;
let rep_ty = abstract_type `aux_def` `Andn`;;

close_theory();;
```
```
%-----------------------------------------------------------------------------
  File:   array_def.ml
  Author: (c) P. J. Windley 1992

  Description:
    Prove auxiliary theorems about functions so that functions can be easily
    used to represent arrays.

  Modification History:
    24FEB92 -- Original file. Many of the theorems included were motivated by
               theorems defined on lists in list_aux.ml.
    26FEB92 -- [DAF] Modified order of parameters in calls to ALTER, MALTER,
               SUBARRAY to match simulation language syntax. Added definition
               of ELEMENT.
-----------------------------------------------------------------------------%

% Removed 26FEB92. [DAF]
loadf `libs_aux`;;
system `bin/rm array_def.th`;;
%

system `rm array_def.th`;;
new_theory `array_def`;;

% Added 26FEB92 (from PJW). [DAF] %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith `SYM_RULE`;;

%-----------------------------------------------------------------------------
  Auxiliary array definitions and theorems.

  We will use functions to represent arrays. The definition that follows
  defines an ALTER function that can be used to set the nth member of an
  array. The following lemmas are useful in reasoning about array operations.
-----------------------------------------------------------------------------%
let ALTER_DEF = new_definition
  (`ALTER_DEF`,
   "ALTER (f:*->**) n x = (\m. (m = n) => x | (f m))"
  );;

let ALTER_THM = prove_thm
  (`ALTER_THM`,
   "ALTER (f:*->**) n x y = (y = n) => x | (f y)",
   REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

%-----------------------------------------------------------------------------
  ALTER_EQUAL is similar to the EL_SET_EL lemma for lists.
-----------------------------------------------------------------------------%
let ALTER_EQUAL = prove_thm
  (`ALTER_EQUAL`,
   "!n (f:*->**). (ALTER f n x) n = x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REWRITE_TAC []
  );;

%-----------------------------------------------------------------------------
  ALTER_NON_EQUAL is similar to NOT_EL_SET_EL for lists.
-----------------------------------------------------------------------------%
let ALTER_NON_EQUAL = prove_thm
  (`ALTER_NON_EQUAL`,
   "!n m (f:*->**) x.
      ~(n = m) ==>
      (f n = (ALTER f m x) n)",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC []
  );;

%-----------------------------------------------------------------------------
  ALTER_COMMUTE is similar to SET_EL_SET_EL for lists.
-----------------------------------------------------------------------------%
let ALTER_COMMUTE = prove_thm
  (`ALTER_COMMUTE`,
   "!(d1:*) d2 (f:*->**) (x:**) y.
      ~(d1 = d2) ==>
      ((ALTER (ALTER f d2 x) d1 y) =
       (ALTER (ALTER f d1 y) d2 x))",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN UNDISCH_TAC "~((d1:*) = d2)"
   THEN ASSUM_LIST (\thl. REWRITE_TAC (map SYM_RULE thl))
  );;

%-----------------------------------------------------------------------------
  Until now, it hasn't mattered what the type of the subscript is, and so the
  previous lemmas were all general, even though someone using them to
  represent arrays would probably be using numbers as subscripts.

  Now we want to reason about subarrays given as a sequence from a starting
  value to an ending value. This presupposes that the subscripts can be
  totally ordered. To make life easy, we won't be that general, but will use
  numbers as subscripts.
-----------------------------------------------------------------------------%
let SUBARRAY_DEF = new_definition
  (`SUBARRAY_DEF`,
   "!n m (f:num->*).
      SUBARRAY f (m,n) = \x. ((x+n) <= m) => f (x+n) | ARB"
  );;

let SUBARRAY_THM = prove_thm
  (`SUBARRAY_THM`,
   "!n m (f:num->*).
      SUBARRAY f (m,n) x = ((x+n) <= m) => f (x+n) | ARB",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [SUBARRAY_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

let ELEMENT_DEF = new_definition
  (`ELEMENT_DEF`,
   "!m (f:num->*).
      ELEMENT f (m) = f m"
  );;

%-----------------------------------------------------------------------------
  MALTER alters multiple values in an array.
-----------------------------------------------------------------------------%
let MALTER_DEF = new_definition
  (`MALTER_DEF`,
   "!n m f (g:num->*).
      MALTER f (m,n) g =
        \x. (n <= x /\ x <= m) => g (x-n) | f x"
  );;

let MALTER_THM = prove_thm
  (`MALTER_THM`,
   "!n m (x:num) g (f:num->*).
      MALTER f (m,n) g x = (n <= x /\ x <= m) => g (x-n) | f x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [MALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

let MALTER_SUBARRAY_IDENT = prove_thm
  (`MALTER_SUBARRAY_IDENT`,
   "!n m (f:num->*). MALTER f (m,n) (SUBARRAY f (m,n)) = f",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST (\thl. MAP_EVERY ASSUME_TAC
                      (flat (map CONJUNCTS (filter (is_conj o concl) thl))))
   THEN IMP_RES_TAC SUB_ADD
   THEN TRY (UNDISCH_TAC "~(((n' - n) + n) <= m)")
   THEN ASM_REWRITE_TAC []
  );;
```

```
```

let MALTER_SUBARRAY_SUBSCRIPTS = prove_thm
('MALTER_SUBARRAY_SUBSCRIPT',
"lnmx (f:num->*)g .
MALTER f(m,n)(SUBARRAY g(m,n)) x =
(
REPEAT GEN_TAC
THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
THEN REPEAT COND_CASES_TAC
THEN ASM_REWRITE_TAC []
THEN ASSUM_LIST (thl . MAP_EVERY ASSUME_TAC
(flat (map CONJUNCTS (filter (is_conjo concl) thl))))
THEN IMP_RES_TAC SUB_ADD
THEN TRY (UNDISCH_TAC " }~((x-n)+n)<=m"
THEN ASM_REWRITE_TAC[]
);
close_theory();;
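The array theory above is small enough to execute. The following Python model is an added illustration, not part of the report's HOL sources: it mirrors ALTER, SUBARRAY, MALTER and ELEMENT over functions from index to value (HOL's ARB is modelled by a sentinel object named ARB, and the helpers `as_list`, `check_alter_laws` and `check_malter_subarray` are mine), and then checks the lemmas proved above exhaustively on a small index range. The last check states what MALTER_SUBARRAY_SUBSCRIPT must say given the two definitions: inside n..m the result reads g, outside it reads f.

```python
"""Executable model of the array_def theory (added illustration, not the
report's HOL code). Arrays are functions from index to value; out-of-range
reads of a SUBARRAY give ARB, exactly as in the definitions."""

ARB = object()  # sentinel standing in for HOL's unspecified ARB value


def ALTER(f, n, x):
    """ALTER f n x = \\m. (m = n) => x | f m"""
    return lambda m: x if m == n else f(m)


def SUBARRAY(f, m, n):
    """SUBARRAY f (m,n) = \\x. ((x + n) <= m) => f (x + n) | ARB
    Elements n..m of f re-indexed from 0; reading past the slice gives ARB."""
    return lambda x: f(x + n) if x + n <= m else ARB


def MALTER(f, m, n, g):
    """MALTER f (m,n) g = \\x. (n <= x /\\ x <= m) => g (x - n) | f x
    Overwrite positions n..m of f with g 0 .. g (m - n)."""
    return lambda x: g(x - n) if n <= x <= m else f(x)


def ELEMENT(f, m):
    """ELEMENT f (m) = f m"""
    return f(m)


def as_list(f, width):
    """Observe an array on the finite index range 0..width-1 (helper)."""
    return [f(i) for i in range(width)]


def check_alter_laws(width=6, values=(0, 1)):
    """ALTER_EQUAL, ALTER_NON_EQUAL and ALTER_COMMUTE on every index pair of a
    small array. HOL proves them for all indices; here we enumerate."""
    base = [i * 10 for i in range(width)]
    f = lambda i: base[i]
    for n in range(width):
        for x in values:
            assert ELEMENT(ALTER(f, n, x), n) == x                 # ALTER_EQUAL
            for m in range(width):
                if n == m:
                    continue
                assert ALTER(f, m, x)(n) == f(n)                   # ALTER_NON_EQUAL
                for y in values:
                    lhs = ALTER(ALTER(f, m, x), n, y)
                    rhs = ALTER(ALTER(f, n, y), m, x)
                    assert as_list(lhs, width) == as_list(rhs, width)  # ALTER_COMMUTE
    return True


def check_malter_subarray(width=8):
    """MALTER_SUBARRAY_IDENT: writing back the slice you just read is a no-op.
    Subscript form: inside n..m the result reads g, outside it reads f."""
    f = lambda i: i + 100
    g = lambda i: -i
    for n in range(width):
        for m in range(n, width):
            ident = MALTER(f, m, n, SUBARRAY(f, m, n))
            assert as_list(ident, width) == as_list(f, width)
            mixed = MALTER(f, m, n, SUBARRAY(g, m, n))
            for x in range(width):
                assert mixed(x) == (g(x) if n <= x <= m else f(x))
    return True


if __name__ == "__main__":
    print(check_alter_laws() and check_malter_subarray())
```

Note that SUBARRAY is the only operation that can yield ARB: a SUBARRAY read past the end of the slice is unspecified in the theory, and the model reproduces that rather than raising, so any later VAL or comparison over such a bit is meaningless in the same way it is in HOL.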
```
%----------------------------------------------------------------------------
  File: wordn_def.ml

  Description:

    Defines a theory of words which contains a definition for converting
    between functions from numbers to booleans and natural numbers, and proves
    various useful theorems about this definition. This file is based on a
    theory that was originally authored by Graham Birtwistle of the
    University of Calgary in 1988.

  Authors: (c) Graham Birtwistle, Phillip Windley, 1988, 1992

  Modification History:
    28FEB92 -- [PJW] Original file from words.ml
    10MAR92 -- [PJW] Added definition of WORDN.
    13MAR92 -- [DAF] Added definitions of bv, SETN, RSTN, GNDN, NOTN, INCN,
                     DECN, ARBN.
----------------------------------------------------------------------------%

% Removed 13MAR92. [DAF]
let add_root s = `/users/staff/windley/hol/Library/` ^ s;;
set_search_path (search_path() @
                 (map add_root
                      [`bits/`;
                       `numbers/`;
                       `array/`]));;
%

system `/bin/rm wordn_def.th`;;
new_theory `wordn_def`;;

% Replaced 13MAR92. [DAF]
map load_parent [`bits`; `num_thms`; `exp`; `array_def`];;
%
map new_parent [`aux_def`; `array_def`];;

new_type_abbrev (`wordn`, ":num->bool");;

%----------------------------------------------------------------------------
  Definitions
----------------------------------------------------------------------------%
let bv = new_definition
  (`bv`,
   "!(b:bool).
      bv b = (b) => 1 | 0"
  );;

let VAL = new_prim_rec_definition
  (`VAL`,
   "(VAL 0 (f:wordn) = bv (f 0))
    /\
    (VAL (SUC n) f = ((2 EXP (SUC n)) * (bv (f (SUC n)))) + VAL n f)"
  );;

let pos_val = new_definition
  (`pos_val`,
   "!(x:wordn) (y:num).
      pos_val x y = (bv (x y)) * (2 EXP y)"
  );;

let ONES = new_prim_rec_definition
  (`ONES`,
   "(ONES 0 a = (a 0))
    /\
    (ONES (SUC n) a = (a (SUC n)) /\ (ONES n a))"
  );;

let ZEROS = new_prim_rec_definition
  (`ZEROS`,
   "(ZEROS 0 a = ~(a 0))
    /\
    (ZEROS (SUC n) a = ~(a (SUC n)) /\ (ZEROS n a))"
  );;

% Modified 13MAR92. [DAF]
let WORDN = new_definition
  (`WORDN`,
   "!(x:num). WORDN x = \n. (x DIV (2 EXP n)) MOD 2"
  );;
%
let WORDN = new_definition
  (`WORDN`,
   "!(x:num). WORDN x = \n. ((x DIV (2 EXP n)) MOD 2 = 1)"
  );;

let SETN = new_definition
  (`SETN`,
   "!(x:num). SETN x = \(n:num). (n <= x) => T | ARB"
  );;

% Equivalent to "WORDN 0" but perhaps more convenient %
let RSTN = new_definition
  (`RSTN`,
   "!(x:num). RSTN x = \(n:num). (n <= x) => F | ARB"
  );;

let GNDN = new_definition
  (`GNDN`,
   "!(x:num) (t:time). GNDN x t = \(n:num). (n <= x) => F | ARB"
  );;

let NOTN = new_definition
  (`NOTN`,
   "!(x:num) (f:wordn). NOTN x f = \(n:num). (
  );;

let INCN = new_definition
  (`INCN`,
   "!n f.
      INCN n f = (ONES n f) => RSTN n | WORDN ((VAL n f) + 1)"
  );;

let DECN = new_definition
  (`DECN`,
   "!n f.
      DECN n f = (ZEROS n f) => SETN n | WORDN ((VAL n f) - 1)"
  );;

let ARBN = new_definition
  (`ARBN`,
   "(ARBN:num->bool) = \n. ARB"
  );;

%----------------------------------------------------------------------------
  Theorems
----------------------------------------------------------------------------%
% Removed theorems for now 13MAR92. [DAF] %

close_theory();;
```
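The word definitions above are what the port specifications use for every counter (INCN 18 for the M-Port address counter, DECN for the size and wait-state counters), so their wrap behaviour is worth seeing concretely. The following Python model is an added illustration, not part of the report's HOL sources: bv, VAL, WORDN, ONES, ZEROS, SETN, RSTN, INCN and DECN follow the definitions exactly (ARB is modelled by a sentinel object; `bits`, `check_roundtrip` and `count_cycle` are helpers of mine). Note that n in VAL n and INCN n is the index of the most significant bit, so the width is n+1, and that INCN of an all-ones word is RSTN n, the all-zeros word: the counters wrap inside their width with no carry out.

```python
"""Executable model of the wordn_def theory (added illustration, not the
report's HOL code). A word is a function from bit position to bool."""

ARB = object()  # sentinel standing in for HOL's unspecified ARB value


def bv(b):
    """bv b = b => 1 | 0"""
    return 1 if b else 0


def VAL(n, f):
    """VAL n f = sum over i = 0..n of 2^i * bv (f i); n is the MSB index."""
    return sum((2 ** i) * bv(f(i)) for i in range(n + 1))


def WORDN(x):
    """WORDN x = \\n. ((x DIV 2^n) MOD 2 = 1)"""
    return lambda n: (x // (2 ** n)) % 2 == 1


def ONES(n, a):
    """ONES n a: bits 0..n of a are all T."""
    return all(a(i) for i in range(n + 1))


def ZEROS(n, a):
    """ZEROS n a: bits 0..n of a are all F."""
    return not any(a(i) for i in range(n + 1))


def SETN(x):
    """SETN x = \\n. (n <= x) => T | ARB"""
    return lambda n: True if n <= x else ARB


def RSTN(x):
    """RSTN x = \\n. (n <= x) => F | ARB  (same bits 0..x as WORDN 0)"""
    return lambda n: False if n <= x else ARB


def INCN(n, f):
    """INCN n f = ONES n f => RSTN n | WORDN (VAL n f + 1): wraps to zero."""
    return RSTN(n) if ONES(n, f) else WORDN(VAL(n, f) + 1)


def DECN(n, f):
    """DECN n f = ZEROS n f => SETN n | WORDN (VAL n f - 1): wraps to all ones."""
    return SETN(n) if ZEROS(n, f) else WORDN(VAL(n, f) - 1)


def bits(f, n):
    """Observe bits 0..n of a word as a list, LSB first (helper)."""
    return [f(i) for i in range(n + 1)]


def check_roundtrip(n):
    """VAL n (WORDN x) = x for every x representable in n+1 bits."""
    return all(VAL(n, WORDN(x)) == x for x in range(2 ** (n + 1)))


def count_cycle(n, start):
    """Numeric values visited by repeated INCN from WORDN start until the
    value repeats. Shows the wrap at 2^(n+1) with no carry out of bit n."""
    seen, w, out = set(), WORDN(start), []
    while True:
        v = VAL(n, w)
        if v in seen:
            return out
        seen.add(v)
        out.append(v)
        w = INCN(n, w)


if __name__ == "__main__":
    print(count_cycle(1, 2))  # 2-bit counter started at 2
```

Applied to Addr_Ctr_SPEC in B.2, INCN 18 means a burst whose addresses run past bit 18 continues from address 0 of the same 512K word range rather than carrying into a higher address; the definition makes that explicit, which is the kind of boundary behaviour a reviewer of the memory interface wants stated rather than implied.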


## Appendix B: ML Source for the Gate-Level Specification of the PIU Ports

This appendix contains the HOL models for the gate-level specification of the PIU ports. The ports are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

## B.1 P_Port Specification

```
%----------------------------------------------------------------------------
  File: p_block.ml

  Author: (c) D.A. Fura 1992

  Date: 31 March 1992

  This file contains the ml source for the gate-level specification of the
  P-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------------%

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

system `rm p_block.th`;;
new_theory `p_block`;;

map new_parent [`gates_def`; `latches_def`; `ffs_def`; `counters_def`;
                `aux_def`; `array_def`; `paux_def`];;

let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
                    pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool)";;
let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                P_lock_inh_, P_male_, P_rale_)
               :^p_state_ty)";;

let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
             :^p_env_ty)";;

let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
              I_mrdy_, I_last_, I_hlda_, I_lock_)
             :^p_out_ty)";;

%----------------------------------------------------------------------------
  P-Port data latches.
----------------------------------------------------------------------------%
let Data_Latches_SPEC = new_definition
  (`Data_Latches_SPEC`,
   "! clkA clkB (lad_in:time->(num->bool)) (lbe_in:time->(num->bool)) (lwr_in:time->bool) en_in be_sel
      wr_data addr dest1 be wr be_n
      data_out addr_out be_out.
    Data_Latches_SPEC clkA clkB lad_in lbe_in lwr_in en_in be_sel
                      wr_data addr dest1 be wr be_n
                      data_out addr_out be_out =
    !t:time.
      ((clkA t) ==>
         ((wr_data (t+1) = lad_in t) /\
          (addr (t+1) = (en_in t) => (lad_in t) | (addr t)) /\
          (dest1 (t+1) = (en_in t) => (ELEMENT (lad_in t) (31)) | (dest1 t)) /\
          (be (t+1) = (en_in t) => (lbe_in t) | (be t)) /\
          (wr (t+1) = (en_in t) => (lwr_in t) | (wr t)) /\
          (be_n (t+1) = lbe_in t))) /\
      ((clkB t) ==>
         ((wr_data (t+1) = wr_data t) /\
          (addr (t+1) = addr t) /\
          (dest1 (t+1) = dest1 t) /\
          (be (t+1) = be t) /\
          (wr (t+1) = wr t) /\
          (be_n (t+1) = be_n t))) /\
      ((data_out t = wr_data (t+1)) /\
       (let od1 = MALTER (addr_out t) (31,27) (be (t+1)) in
        let od2 = ALTER od1 (26) F in
        let od3 = MALTER od2 (25,24) (SUBARRAY (addr (t+1)) (1,0)) in
        let od4 = MALTER od3 (23,0) (SUBARRAY (addr (t+1)) (25,2)) in
        (addr_out t = od4)) /\
       (be_out t = (be_sel t) => (be (t+1)) | (be_n (t+1))))"
  );;

%----------------------------------------------------------------------------
  Input logic for P_rqt latch.
----------------------------------------------------------------------------%
let Req_Inputs_SPEC = new_definition
  (`Req_Inputs_SPEC`,
   "! l_ads_ l_den_ (reset_rqt:time->bool) rqt_inS rqt_inR rqt_inE.
    Req_Inputs_SPEC l_ads_ l_den_ reset_rqt rqt_inS rqt_inR rqt_inE =
    !t:time.
      (rqt_inS t = ~(l_ads_ t) /\ (l_den_ t)) /\
      (rqt_inR t = reset_rqt t) /\

  );;

%----------------------------------------------------------------------------
  Input logic for P_size counter.
----------------------------------------------------------------------------%
let Ctr_Logic_SPEC = new_definition
  (`Ctr_Logic_SPEC`,
   "! clkA clkB l_ad_in load_in down_in zero_cnt
      p_size p_sizeA p_load p_loadA p_down p_downA.
    Ctr_Logic_SPEC clkA clkB l_ad_in load_in down_in zero_cnt
                   p_size p_sizeA p_load p_loadA p_down p_downA =
    !t:time.
      ((clkA t) ==>
         ((p_sizeA (t+1) = p_size t) /\
          (p_loadA (t+1) = p_load t) /\
          (p_downA (t+1) = p_down t) /\
          (p_size (t+1) = p_size t) /\
          (p_load (t+1) = p_load t) /\
          (p_down (t+1) = p_down t))) /\
      ((clkB t) ==>
         ((p_sizeA (t+1) = p_sizeA t) /\
          (p_loadA (t+1) = p_loadA t) /\
          (p_downA (t+1) = p_downA t) /\
          (p_size (t+1) = (p_loadA t) => SUBARRAY (l_ad_in t) (1,0) |
                          (p_downA t) => DECN 2 (p_sizeA t) |
                          p_sizeA t) /\
          (p_load (t+1) = load_in t) /\
          (p_down (t+1) = down_in t))) /\
      (zero_cnt t = (p_downA t) => (DECN 2 (p_sizeA (t+1)) = (WORDN 0)) | (p_sizeA (t+1) = (WORDN 0)))"
  );;

%----------------------------------------------------------------------------
  Accumulated random logic.
----------------------------------------------------------------------------%
let Scat_Logic_SPEC = new_definition
  (`Scat_Logic_SPEC`,
   "! rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
      i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
      fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready.
    Scat_Logic_SPEC rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
                    i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_
                    fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready =
    !t:time.
      (i_ad_data_out_en t = (p_wr t) /\ (fsm_dstate t)) /\
      (l_ad_out_en_ t = (p_wr t) /\ (fsm_dstate t) \/ ~(fsm_hlda_ t) \/ (fsm_astate t)) /\
      (i_rale_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                     (VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                     (fsm_astate t) /\
                     (p_rqt t))) /\
      (i_male_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                     ~(VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                     (fsm_astate t) /\
                     (p_rqt t))) /\
      (i_crqt_ t = ~((ELEMENT (p_addr t) (31)) /\ (p_rqt t))) /\
      (fsm_mrqt t = ~(ELEMENT (p_addr t) (31)) /\ (p_rqt t)) /\
      (fsm_rst t = rst t) /\
      (fsm_sack t = (zero_cnt t) /\ ~(i_srdy_ t) /\ (fsm_dstate t)) /\
      (reset_rqt t = (rst t) \/ (fsm_sack t)) /\
      (l_ready t = ~(i_srdy_ t) /\ (fsm_dstate t))"
  );;

%----------------------------------------------------------------------------
  Input logic for P_lock_ latch.
----------------------------------------------------------------------------%
let Lock_Inputs_SPEC = new_definition
  (`Lock_Inputs_SPEC`,
   "! rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE.
    Lock_Inputs_SPEC rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE =
    !t:time.
      (lock_inE t = (rst t) \/ (fsm_dstate t)) /\
      (lock_inh_inE t = (rst t) \/ ~(p_male_ t) \/ ~(p_rale_ t))"
  );;

%----------------------------------------------------------------------------
  P-Port controller state machine.
----------------------------------------------------------------------------%
let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
      state rst mrqt sack cgnt_ crqt_ hold_ lock_
      stateA astate dstate hlda_
      astate_out dstate_out hlda_out_.
    FSM_SPEC clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
             state rst mrqt sack cgnt_ crqt_ hold_ lock_
             stateA astate dstate hlda_
             astate_out dstate_out hlda_out_ =
    !t:time.
      ((clkA t) ==>
         ((state (t+1) = state t) /\
          (rst (t+1) = rst t) /\
          (mrqt (t+1) = mrqt t) /\
          (sack (t+1) = sack t) /\
          (cgnt_ (t+1) = cgnt_ t) /\
          (crqt_ (t+1) = crqt_ t) /\
          (hold_ (t+1) = hold_ t) /\
          (lock_ (t+1) = lock_ t) /\
          (stateA (t+1) =
             ((rst t) => PA |
              (state t = PH) => ((hold_ t) => PA | PH) |
              (state t = PA) => (((mrqt t) \/ ~(cgnt_ t) /\ ~(crqt_ t)) => PD |
                                 (((lock_ t) /\ ~(hold_ t)) => PH | PA)) |
              (((sack t) /\ (hold_ t)) => PA |
               ((sack t) /\ ~(hold_ t) /\ ~(lock_ t)) => PA |
               ((sack t) /\ ~(hold_ t) /\ (lock_ t)) => PH | PD))) /\
          (astate (t+1) = (stateA (t+1) = PA)) /\
          (dstate (t+1) = (stateA (t+1) = PD)) /\
          (hlda_ (t+1) = ~(stateA (t+1) = PA)))) /\
      ((clkB t) ==>
         ((state (t+1) = stateA t) /\
          (rst (t+1) = rst_in t) /\
          (mrqt (t+1) = mrqt_in t) /\
          (sack (t+1) = sack_in t) /\
          (cgnt_ (t+1) = cgnt_in_ t) /\
          (crqt_ (t+1) = crqt_in_ t) /\
          (hold_ (t+1) = hold_in_ t) /\
          (lock_ (t+1) = lock_in_ t) /\
          (stateA (t+1) = stateA t) /\
          (astate (t+1) = astate t) /\
          (dstate (t+1) = dstate t) /\
          (hlda_ (t+1) = hlda_ t))) /\
      ((astate_out t = astate (t+1)) /\
       (dstate_out t = dstate (t+1)) /\
       (hlda_out_ t = hlda_ (t+1)))"
  );;

%----------------------------------------------------------------------------
  P-Port Block.
----------------------------------------------------------------------------%
let P_Block_SPEC = new_definition
  (`P_Block_SPEC`,
   "! (P_fsm_stateA P_fsm_state :time->pfsm_ty)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :time->wordn)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA P_fsm_rst P_fsm_mrqt
       P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load P_down P_lock_
       P_lock_inh_ P_male_ P_rale_ :time->bool)
      (L_ad_in L_be_ I_ad_in :time->wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :time->bool)
      (L_ad_out I_ad_data_out I_ad_addr_out I_be_ :time->wordn)
      (L_ready_ I_rale_ I_male_ I_crqt_ I_cale_ I_mrdy_ I_last_ I_hlda_ I_lock_ :time->bool).
    P_Block_SPEC (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                  P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                  P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                  P_lock_inh_, P_male_, P_rale_)
                 (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
                 (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
                  I_mrdy_, I_last_, I_hlda_, I_lock_) =
    ? fsm_astate fsm_dstate rqt data_out addr_out be_out data_out_en reset_rqt
      rqt_inS rqt_inR rqt_inE rqt_outQ load_in down_in zero_cnt zero_cnt_
      l_ad_out_en_ rale_ male_ fsm_mrqt fsm_rst fsm_sack l_ready i_cgnt
      lock_inE lock_outQ lock_inh_inE lock_inh_outQ p_male_outQ p_rale_outQ lock_outQ_.
      (Data_Latches_SPEC ClkA ClkB L_ad_in L_be_ L_wr rqt fsm_astate
                         P_wr_data P_addr P_dest1 P_be_ P_wr P_be_n_
                         data_out addr_out be_out) /\
      (TRIBUF_SPEC data_out data_out_en I_ad_data_out) /\
      (TRIBUF_SPEC addr_out fsm_astate I_ad_addr_out) /\
      (TRIBUF_SPEC be_out I_hlda_ I_be_) /\
      (Req_Inputs_SPEC L_ads_ L_den_ reset_rqt rqt_inS rqt_inR rqt_inE) /\
      (DSRELAT_SPEC GND rqt_inS rqt_inR rqt_inE ClkB P_rqt rqt_outQ) /\
      (NOT_SPEC rqt_outQ rqt) /\
      (Ctr_Logic_SPEC ClkA ClkB L_ad_in load_in down_in zero_cnt
                      P_size P_sizeA P_load P_loadA P_down P_downA) /\
      (Scat_Logic_SPEC Rst fsm_astate fsm_dstate I_hlda_ P_addr P_wr P_rqt zero_cnt I_srdy_
                       data_out_en l_ad_out_en_ rale_ male_ I_crqt_
                       fsm_mrqt fsm_rst fsm_sack reset_rqt l_ready) /\
      (TRIBUF_SPEC rale_ I_hlda_ I_rale_) /\
      (TRIBUF_SPEC male_ I_hlda_ I_male_) /\
      (TRIBUF_SPEC GND I_hlda_ I_mrdy_) /\
      (NOT_SPEC zero_cnt zero_cnt_) /\
      (TRIBUF_SPEC zero_cnt_ I_hlda_ I_last_) /\
      (NOT_SPEC l_ready L_ready_) /\
      (DSELAT_SPEC L_lock_ Rst lock_inE ClkB P_lock_ lock_outQ) /\
      (DSELAT_SPEC L_lock_ Rst lock_inh_inE ClkB P_lock_inh_ lock_inh_outQ) /\
      (Lock_Inputs_SPEC Rst fsm_dstate p_male_outQ p_rale_outQ lock_inE lock_inh_inE) /\
      (DELAT_SPEC male_ fsm_astate ClkB P_male_ p_male_outQ) /\
      (DELAT_SPEC rale_ fsm_astate ClkB P_rale_ p_rale_outQ) /\
      (NOT_SPEC lock_outQ lock_outQ_) /\
      (NAND2_SPEC lock_outQ_ lock_inh_outQ I_lock_) /\
      (NOT_SPEC I_cgnt_ i_cgnt) /\
      (NAND3_SPEC i_cgnt fsm_astate I_hold_ I_cale_) /\
      (BUF_SPEC I_ad_in L_ad_out) /\
      (FSM_SPEC ClkA ClkB fsm_rst fsm_mrqt fsm_sack I_cgnt_ I_crqt_ I_hold_ lock_outQ
                P_fsm_state P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_
                P_fsm_stateA P_fsm_astate P_fsm_dstate P_fsm_hlda_
                fsm_astate fsm_dstate I_hlda_)"
  );;

close_theory();;
```


## B.2 M_Port Specification

```
%----------------------------------------------------------------------------
  File: m_block.ml

  Author: (c) D.A. Fura 1992

  Date: 31 March 1992

  This file contains the ml source for the gate-level specification of the
  M-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------------%

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

system `rm m_block.th`;;
new_theory `m_block`;;

loadf `abstract`;;

map new_parent [`gates_def`; `latches_def`; `ffs_def`; `counters_def`;
                `maux_def`; `aux_def`; `array_def`; `wordn_def`];;

let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                    mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
               :^m_state_ty)";;

let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
              I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
             :^m_env_ty)";;

let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
              MB_parity)
             :^m_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;

%----------------------------------------------------------------------------
----------------------------------------------------------------------------%
let SE_Logic_SPEC = new_definition
  (`SE_Logic_SPEC`,
   "! clkA clkB (i_ad:time->wordn) male mem_enable M_se cs_e_ cs_s_.
    SE_Logic_SPEC clkA clkB i_ad male mem_enable M_se cs_e_ cs_s_ =
    !t:time.
      ((clkA t) ==> ((M_se (t+1) = M_se t))) /\
      ((clkB t) ==> ((M_se (t+1) = (male t) => ELEMENT (i_ad t) (23) | M_se t))) /\
      ((cs_e_ t = ~((mem_enable t) /\ ~(M_se (t+1)))) /\
       (cs_s_ t = ~((mem_enable t) /\ (M_se (t+1)))))"
  );;

%----------------------------------------------------------------------------
  Read/write selection logic.
----------------------------------------------------------------------------%
let WR_Logic_SPEC = new_definition
  (`WR_Logic_SPEC`,
   "! clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem.
    WR_Logic_SPEC clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem =
    !t:time.
      ((clkA t) ==> ((M_wr (t+1) = M_wr t))) /\
      ((clkB t) ==> ((M_wr (t+1) = (male t) => ELEMENT (i_ad t) (27) | M_wr t))) /\
      ((wr t = M_wr (t+1)) /\
       (rd_mem t = (mem_enable t) /\ ~(M_wr (t+1))) /\
       (wr_mem t = (mem_enable t) /\ (M_wr (t+1))))"
  );;

%----------------------------------------------------------------------------
  Address counter logic.
----------------------------------------------------------------------------%
let Addr_Ctr_SPEC = new_definition
  (`Addr_Ctr_SPEC`,
   "! clkA clkB (i_ad:time->wordn) male rdyA M_addr M_addrA addr_out.
    Addr_Ctr_SPEC clkA clkB i_ad male rdyA M_addr M_addrA addr_out =
    !t:time.
      ((clkA t) ==>
         ((M_addr (t+1) = M_addr t) /\
          (M_addrA (t+1) = M_addr t))) /\
      ((clkB t) ==>
         ((M_addr (t+1) = (male t) => (SUBARRAY (i_ad t) (18,0)) |
                          (rdyA t) => (INCN 18 (M_addrA t)) | (M_addrA t)) /\
          (M_addrA (t+1) = M_addrA t))) /\
      (addr_out t = (rdyA t) => (INCN 18 (M_addrA (t+1))) | M_addrA (t+1))"
  );;

%----------------------------------------------------------------------------
  Byte enable logic.
----------------------------------------------------------------------------%
let BE_Logic_SPEC = new_definition
  (`BE_Logic_SPEC`,
   "! clkA clkB (i_be:time->wordn) male srdy wr_mem M_be M_beA be_out ww bw.
    BE_Logic_SPEC clkA clkB i_be male srdy wr_mem M_be M_beA be_out ww bw =
    !t:time.
      ((clkA t) ==>
         ((M_be (t+1) = M_be t) /\
          (M_beA (t+1) = M_be t))) /\
      ((clkB t) ==>
         ((M_be (t+1) = ((male t) \/ (srdy t)) => (i_be t) | (M_be t)) /\
          (M_beA (t+1) = M_beA t))) /\
      ((be_out t = M_beA (t+1)) /\
       (ww t = (wr_mem t) /\ (VAL 3 (M_be (t+1)) = 15)) /\
       (bw t = (wr_mem t) /\ ~(VAL 3 (M_be (t+1)) = 15)))"
  );;

%----------------------------------------------------------------------------
  Input logic for M_rdy latch.
----------------------------------------------------------------------------%
let Rdy_Logic_SPEC = new_definition
  (`Rdy_Logic_SPEC`,
   "! write read zero_cnt wr_mem rdy.
    Rdy_Logic_SPEC write read zero_cnt wr_mem rdy =
    !t:time.
      (rdy t = (write t) /\ (zero_cnt t) \/ (read t) /\ (zero_cnt t) /\ ~(wr_mem t))"
  );;

%----------------------------------------------------------------------------
  Wait state counter logic.
----------------------------------------------------------------------------%
let Ctr_Logic_SPEC = new_definition
  (`Ctr_Logic_SPEC`,
   "! clkA clkB in dn ld M_count M_countA zero_cnt.
    Ctr_Logic_SPEC clkA clkB in dn ld M_count M_countA zero_cnt =
    !t:time.
      ((clkA t) ==>
         ((M_count (t+1) = M_count t) /\
          (M_countA (t+1) = M_count t))) /\
      ((clkB t) ==>
         ((M_count (t+1) = (ld t) => ((in t) => (WORDN 1) | (WORDN 2)) |
                           (dn t) => (DECN 1 (M_count t)) | (M_count t)) /\
          (M_countA (t+1) = M_countA t))) /\
      (zero_cnt t = (M_count (t+1) = ((dn t) => (WORDN 1) | (WORDN 0))))"
  );;

%----------------------------------------------------------------------------
  Memory control signal logic.
----------------------------------------------------------------------------%
let Enable_Logic_SPEC = new_definition
  (`Enable_Logic_SPEC`,
   "! cs_eeprom_ rd_mem address read write byte_write wwdel
      disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_.
    Enable_Logic_SPEC cs_eeprom_ rd_mem address read write byte_write wwdel
                      disable_eeprom disable_writes oe_ edac_le we_ mb_wr_en_ =
    !t:time.
      (oe_ t = ~((rd_mem t) /\ (address t) \/ (read t))) /\
      (we_ t = ~(cs_eeprom_ t) /\ (disable_eeprom t) \/
               (disable_writes t) \/
               ~((write t) \/ (byte_write t) \/ (wwdel t))) /\
      (edac_le t = read t) /\
      (mb_wr_en_ t = ~(write t))"
  );;

%----------------------------------------------------------------------------
  Generation logic for I_srdy_.
----------------------------------------------------------------------------%
let Srdy_Logic_SPEC = new_definition
  (`Srdy_Logic_SPEC`,
   "! wr rdy rdy_outQ srdy_.
    Srdy_Logic_SPEC wr rdy rdy_outQ srdy_ =
    !t:time.
      srdy_ t = ~((rdy_outQ t) /\ ~(wr t) \/ (rdy t) /\ (wr t))"
  );;

%----------------------------------------------------------------------------
  Memory decode logic.
----------------------------------------------------------------------------%
let EDAC_Decode_Logic_SPEC = new_definition
  (`EDAC_Decode_Logic_SPEC`,
   "! (rep:^rep_ty) (mb_data_in:time->wordn) edac_en data_out detect_out.
    EDAC_Decode_Logic_SPEC rep mb_data_in edac_en data_out detect_out =
    !t:time.
      (data_out t = (edac_en t) => (Ham_Dec rep (mb_data_in t)) | (mb_data_in t)) /\
      (detect_out t = (edac_en t) => (Ham_Det1 rep (mb_data_in t)) | (WORDN 0))"
  );;

%----------------------------------------------------------------------------
  Memory read latches.
----------------------------------------------------------------------------%
let Read_Latches_SPEC = new_definition
  (`Read_Latches_SPEC`,
   "! (rep:^rep_ty) clkA clkB (data_inD:time->wordn) edac_en edac_le detect_inD detect_inE
      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ.
    Read_Latches_SPEC rep clkA clkB data_inD edac_en edac_le detect_inD detect_inE
                      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ =
    !t:time.
      ((clkA t) ==>
         ((M_rd_data (t+1) = M_rd_data t) /\
          (M_rd_dataA (t+1) = M_rd_data t) /\
          (M_detect (t+1) = (detect_inE t) => (detect_inD t) | (M_detect t)))) /\
      ((clkB t) ==>
         ((M_rd_data (t+1) = (edac_le t) => (data_inD t) | (M_rd_data t)) /\
          (M_rd_dataA (t+1) = M_rd_dataA t) /\
          (M_detect (t+1) = M_detect t))) /\
      ((m_data_outQ t = M_rd_dataA (t+1)) /\
       (m_detect_outQ t = Ham_Det2 rep ((M_detect (t+1)), (edac_en t))))"
  );;

%----------------------------------------------------------------------------
  Enable input logic for EDAC correction reporting.
----------------------------------------------------------------------------%
let Detect_Enable_Logic_SPEC = new_definition
  (`Detect_Enable_Logic_SPEC`,
   "! edac_en edac_rd detect_inE.
    Detect_Enable_Logic_SPEC edac_en edac_rd detect_inE =
    !t:time.
      (detect_inE t = (edac_en t) /\ (edac_rd t) \/ (edac_rd t))"
  );;

%----------------------------------------------------------------------------
----------------------------------------------------------------------------%
let Mux_Out_Logic_SPEC = new_definition
  (`Mux_Out_Logic_SPEC`,
   "! (m_data_outQ:time->wordn) i_ad be mb_data_out.
    Mux_Out_Logic_SPEC m_data_outQ i_ad be mb_data_out =
    !t:time.
      let od1 = (MALTER (mb_data_out t) (7,0) ((ELEMENT (be t) (0)) => (SUBARRAY (i_ad t) (7,0))
                                                                    | (SUBARRAY (m_data_outQ t) (7,0)))) in
      let od2 = (MALTER od1 (15,8) ((ELEMENT (be t) (1)) => (SUBARRAY (i_ad t) (15,8))
                                                          | (SUBARRAY (m_data_outQ t) (15,8)))) in
      let od3 = (MALTER od2 (23,16) ((ELEMENT (be t) (2)) => (SUBARRAY (i_ad t) (23,16))
                                                           | (SUBARRAY (m_data_outQ t) (23,16)))) in
      let od4 = (MALTER od3 (31,24) ((ELEMENT (be t) (3)) => (SUBARRAY (i_ad t) (31,24))
                                                           | (SUBARRAY (m_data_outQ t) (31,24)))) in
      (mb_data_out t = od4)"
  );;
```
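Two of the specifications above move fields between buses with MALTER and SUBARRAY: Data_Latches_SPEC in B.1 repacks the latched local-bus address into the I-bus address word (od1 to od4), and Mux_Out_Logic_SPEC merges I-bus write data into a previously read word one byte lane at a time. The following Python model is an added illustration, not part of the report's HOL sources. Words are integers with bit i of the integer standing for bit i of the wordn function; `field` and `set_field` are my integer equivalents of SUBARRAY and MALTER, and `p_port_addr_out`, `p_port_addr_in` and `m_port_mux_out` are my names for the two mappings and for the inverse of the first. Since the four MALTER steps in Data_Latches_SPEC rewrite all of bits 0..31, the starting value of addr_out is irrelevant and the model starts from zero.

```python
"""Integer model of the P-Port address repacking (Data_Latches_SPEC, B.1)
and the M-Port byte-lane merge (Mux_Out_Logic_SPEC, B.2). Added illustration,
not the report's HOL code."""


def field(word, hi, lo):
    """SUBARRAY word (hi,lo) as an int: bits lo..hi of word, re-based to bit 0."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def set_field(word, hi, lo, value):
    """MALTER word (hi,lo) value as an int: replace bits lo..hi of word."""
    mask = ((1 << (hi - lo + 1)) - 1) << lo
    return (word & ~mask) | ((value << lo) & mask)


def p_port_addr_out(be, addr):
    """Data_Latches_SPEC: addr_out[31:27] = be[4:0], addr_out[26] = 0,
    addr_out[25:24] = addr[1:0], addr_out[23:0] = addr[25:2]."""
    od1 = set_field(0, 31, 27, field(be, 4, 0))
    od2 = set_field(od1, 26, 26, 0)
    od3 = set_field(od2, 25, 24, field(addr, 1, 0))
    od4 = set_field(od3, 23, 0, field(addr, 25, 2))
    return od4


def p_port_addr_in(addr_out):
    """Recover the local-bus address bits that addr_out carries. Local bits
    26..30 are not forwarded by the spec (bit 31 feeds dest1 instead), so
    they come back as zero: the I-bus word only encodes addr[25:0]."""
    return (field(addr_out, 23, 0) << 2) | field(addr_out, 25, 24)


def m_port_mux_out(m_data_outQ, i_ad, be):
    """Mux_Out_Logic_SPEC: for byte lane k take i_ad when be bit k is set,
    otherwise the previously read word m_data_outQ. This is the read-merge
    step that a partial-word write needs before re-encoding the whole word."""
    out = 0
    for k in range(4):
        hi, lo = 8 * k + 7, 8 * k
        src = i_ad if (be >> k) & 1 else m_data_outQ
        out = set_field(out, hi, lo, field(src, hi, lo))
    return out


if __name__ == "__main__":
    print(hex(p_port_addr_out(0b10110, 0x03FFFFFF)))      # 0xb3ffffff
    print(hex(m_port_mux_out(0x11223344, 0xAABBCCDD, 0b0101)))  # 0x11bb33dd
```

The inverse mapping `p_port_addr_in` makes visible which local-address bits survive the repacking: everything above bit 25 except the dest1 bit is discarded before the address reaches the I-bus, which is a property of the spec as written and worth confirming against the intended address map.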



```
%----------------------------------------------------------------------------
  Data encoding logic.
----------------------------------------------------------------------------%
let Enc_Out_Logic_SPEC = new_definition
  (`Enc_Out_Logic_SPEC`,
   "! (rep:^rep_ty) (mb_data_out:time->wordn) mb_edata_out.
    Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out =
    !t:time.
      (mb_edata_out t = Ham_Enc rep (mb_data_out t))"
  );;

%----------------------------------------------------------------------------
  Input logic for M_parity latch.
----------------------------------------------------------------------------%
let Memparity_In_Logic_SPEC = new_definition
  (`Memparity_In_Logic_SPEC`,
   "! srdy mem_enable detect_outQ rst reset_parity memparity_inS memparity_inR memparity_inE.
    Memparity_In_Logic_SPEC srdy mem_enable detect_outQ rst reset_parity
                            memparity_inS memparity_inR memparity_inE =
    !t:time.
      (memparity_inS t = (srdy t) /\ (mem_enable t) /\ (detect_outQ t)) /\
      (memparity_inR t = (rst t) \/ (reset_parity t)) /\
      (memparity_inE t = (memparity_inS t) \/ (memparity_inR t))"
  );;

%----------------------------------------------------------------------------
  M-Port controller state machine.
----------------------------------------------------------------------------%
let FSM_SPEC = new_definition
  (`FSM_SPEC`,
   "! clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
      state male_ rd bw ww last_ mrdy_ zero_cnt rst
      stateA address read write byte_write mem_enable
      address_out read_out write_out byte_write_out mem_enable_out.
    FSM_SPEC clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
             state male_ rd bw ww last_ mrdy_ zero_cnt rst
             stateA address read write byte_write mem_enable
             address_out read_out write_out byte_write_out mem_enable_out =
    !t:time.
      ((clkA t) ==>
         ((state (t+1) = state t) /\
          (male_ (t+1) = male_ t) /\
          (rd (t+1) = rd t) /\
          (bw (t+1) = bw t) /\
          (ww (t+1) = ww t) /\
          (last_ (t+1) = last_ t) /\
          (mrdy_ (t+1) = mrdy_ t) /\
          (zero_cnt (t+1) = zero_cnt t) /\
          (rst (t+1) = rst t) /\
          (stateA (t+1) =
             ((rst t) => MI |
              (state t = MI) => ((~(male_ t)) => MA | MI) |
              (state t = MA) => ((~(mrdy_ t) /\ (ww t)) => MW |
                                 (~(mrdy_ t) /\ ((rd t) \/ (bw t))) => MR | MA) |
              (state t = MR) => (((bw t) /\ (zero_cnt t)) => MBW |
                                 ((last_ t) /\ (rd t) /\ (zero_cnt t)) => MA |
                                 (~(last_ t) /\ (rd t) /\ (zero_cnt t)) => MRR | MR) |
              (state t = MRR) => MI |
              (state t = MW) => (((zero_cnt t) /\ ~(last_ t)) => MI |
                                 ((zero_cnt t) /\ (last_ t)) => MA | MW) |
              MW)) /\
          (address (t+1) = (stateA (t+1) = MA)) /\
          (read (t+1) = (stateA (t+1) = MR)) /\
          (write (t+1) = (stateA (t+1) = MW)) /\
          (byte_write (t+1) = (stateA (t+1) = MBW)) /\
          (mem_enable (t+1) = ~(stateA (t+1) = MI)))) /\
      ((clkB t) ==>
         ((state (t+1) = stateA t) /\
          (male_ (t+1) = male_in_ t) /\
          (rd (t+1) = rd_in t) /\
          (bw (t+1) = bw_in t) /\
          (ww (t+1) = ww_in t) /\
          (last_ (t+1) = last_in_ t) /\
          (mrdy_ (t+1) = mrdy_in_ t) /\
          (zero_cnt (t+1) = zero_cnt_in t) /\
          (rst (t+1) = rst_in t) /\
          (stateA (t+1) = stateA t) /\
          (address (t+1) = address t) /\
          (read (t+1) = read t) /\
          (write (t+1) = write t) /\
          (byte_write (t+1) = byte_write t) /\
          (mem_enable (t+1) = mem_enable t))) /\
      ((address_out t = address (t+1)) /\
       (read_out t = read (t+1)) /\
       (write_out t = write (t+1)) /\
       (byte_write_out t = byte_write (t+1)) /\
       (mem_enable_out t = mem_enable (t+1)))"
  );;
```

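The M-Port controller is a six-state machine whose next state is the nested conditional in FSM_SPEC above, so its whole transition relation can be enumerated. The following Python model is an added illustration, not part of the report's HOL sources: `next_state` transcribes the stateA update of the clkA phase, `outputs` the decoded outputs, and `transition_relation`, `successors`, `predecessors`, `reachable_from` and `check_properties` are my helpers. One reading is assumed where the extracted text is unclear: in MI the machine goes to MA when male_ is asserted (low) and otherwise stays in MI. Signals ending in an underscore are active-low, as in the spec.

```python
"""Executable model of the M-Port controller FSM_SPEC (added illustration,
not the report's HOL code) with an exhaustive check of its structure.
Assumed reading of the idle clause: (state = MI) => (~male_ => MA | MI)."""

from itertools import product

STATES = ("MI", "MA", "MR", "MRR", "MW", "MBW")
# input order follows the FSM_SPEC latches: rst male_ rd bw ww last_ mrdy_ zero_cnt
N_INPUTS = 8


def next_state(state, rst, male_, rd, bw, ww, last_, mrdy_, zero_cnt):
    """stateA (t+1) in the clkA phase, one branch per current state."""
    if rst:
        return "MI"
    if state == "MI":
        return "MA" if not male_ else "MI"
    if state == "MA":
        if not mrdy_ and ww:
            return "MW"
        if not mrdy_ and (rd or bw):
            return "MR"
        return "MA"
    if state == "MR":
        if bw and zero_cnt:
            return "MBW"          # byte write: read finished, merge then write
        if last_ and rd and zero_cnt:
            return "MA"           # word read finished, more transfers follow
        if not last_ and rd and zero_cnt:
            return "MRR"          # word read finished, last transfer
        return "MR"
    if state == "MRR":
        return "MI"
    if state == "MW":
        if zero_cnt and not last_:
            return "MI"
        if zero_cnt and last_:
            return "MA"
        return "MW"
    return "MW"                   # final branch of the conditional: MBW -> MW


def outputs(stateA):
    """Decoded outputs computed alongside stateA in the clkA phase."""
    return {"address": stateA == "MA", "read": stateA == "MR",
            "write": stateA == "MW", "byte_write": stateA == "MBW",
            "mem_enable": stateA != "MI"}


def transition_relation():
    """All (state, next) pairs over every assignment of the eight inputs."""
    return {(s, next_state(s, *vals))
            for s in STATES
            for vals in product((False, True), repeat=N_INPUTS)}


def successors(state):
    return {n for s, n in transition_relation() if s == state}


def predecessors(state):
    return {s for s, n in transition_relation() if n == state}


def reachable_from(start):
    """States reachable from start with rst held low."""
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for vals in product((False, True), repeat=N_INPUTS - 1):
            todo.append(next_state(s, False, *vals))
    return seen


def check_properties():
    """Reset dominates every other input; memory is enabled exactly outside
    MI; a byte (merge) write is entered only from the read state MR; MRR
    always returns to idle; every state is reachable without reset."""
    for s in STATES:
        for vals in product((False, True), repeat=N_INPUTS - 1):
            assert next_state(s, True, *vals) == "MI"
        assert outputs(s)["mem_enable"] == (s != "MI")
    assert predecessors("MBW") == {"MR"}
    assert successors("MRR") == {"MI"}
    assert predecessors("MW") == {"MA", "MW", "MBW"}
    assert reachable_from("MI") == set(STATES)
    return True


if __name__ == "__main__":
    print(check_properties())
```

The enumerated relation is what a reviewer checks against the memory-interface intent: write enables (MW, MBW) are only reached through the address state MA or, for a merge write, through a completed read in MR, and nothing but a transition through MA re-latches the address.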
```
%----------------------------------------------------------------------------
  M-Port Block.
----------------------------------------------------------------------------%
let M_Block_SPEC = new_definition
  (`M_Block_SPEC`,
   "! (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst M_se
       M_wr M_rdy M_wwdel M_parity :(time->bool))
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :(time->wordn))
      (M_fsm_stateA M_fsm_state :(time->mfsm_ty))
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :(time->bool))
      (I_ad_in I_be_ MB_data_in :(time->wordn))
      (I_srdy_ MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ MB_parity :(time->bool))
      (I_ad_out MB_addr MB_data_out :(time->wordn))
      (rep:^rep_ty).
    M_Block_SPEC (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                  M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                  M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                  M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                 (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
                  I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
                 (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
                  MB_parity)
                 rep =
    ? male address read write byte_write mem_enable wr rd_mem wr_mem rdy_outQ srdy be ww bw
      zero_cnt rdy count_inDN count_inLD wwdel_inD wwdel_outQ edac_le srdy_ edac_en
      data_out detect_out data_inD detect_inD detect_inE m_data_outQ m_detect_outQ
      mb_data_out mb_edata_out mb_wr_en_ mb_wr_en memparity_inS memparity_inR memparity_inE.
      (NOT_SPEC I_male_ male) /\
      (SE_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_se MB_cs_eeprom_ MB_cs_sram_) /\
      (WR_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_wr wr rd_mem wr_mem) /\
      (Addr_Ctr_SPEC ClkA ClkB I_ad_in male rdy_outQ M_addr M_addrA MB_addr) /\
      (BE_Logic_SPEC ClkA ClkB I_be_ male srdy wr_mem M_be M_beA be ww bw) /\
      (Rdy_Logic_SPEC write read zero_cnt wr_mem rdy) /\
      (Ctr_Logic_SPEC ClkA ClkB MB_cs_eeprom_ count_inDN count_inLD M_count M_countA zero_cnt) /\
      (OR2_SPEC write read count_inDN) /\
      (OR2_SPEC address byte_write count_inLD) /\
      (AND2_SPEC ww address wwdel_inD) /\
      (DLAT_SPEC wwdel_inD ClkB M_wwdel wwdel_outQ) /\
      (Enable_Logic_SPEC MB_cs_eeprom_ rd_mem address read write byte_write wwdel_outQ
                         Disable_eeprom Disable_writes MB_oe_ edac_le MB_we_ mb_wr_en_) /\
      (DFF_SPEC rdy ClkA M_rdy M_rdyA rdy_outQ) /\
      (Srdy_Logic_SPEC wr rdy rdy_outQ srdy_) /\
      (TRIBUF_SPEC srdy_ mem_enable I_srdy_) /\
      (NOT_SPEC srdy_ srdy) /\
      (NOT_SPEC Edac_en_ edac_en) /\
      (EDAC_Decode_Logic_SPEC rep MB_data_in edac_en data_out detect_out) /\
```
(Read_Latches_SPEC rep ClkA ClkB data_inD edac_en edac_le detect_inD detect_inE
M_rd_data $M_{-}$rd_dataA $M_{-}$detect $m_{-}$data_out $Q m_{\text {_ }}$ detect_out $Q$ ) $\wedge$
(TRIBUF_SPEC m_data_outQ rd_mem I_ad_out) $\wedge$
(Detect_Enable_Logic_SPEC edac_en rd_mem detect_inE) $\wedge$
(Mux_Out_Logic_SPEC m_data_outQ I_ad_in be mb_data_out) $\Lambda$
(Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out) $\Lambda$
(NOT_SPEC mb_wr_en_mb_wr_en) $\wedge$
(TRIBUF_SPEC mb_edata_out mb_wr_en MB_data_out) $\wedge$
(Memparity_In_Logic_SPEC srdy mem_enable m_detect_outQ Rst Reset_parity memparity_inS memparity_in $R$ memparity_inE) $\wedge$
(DSRELAT_SPEC GND memparity_inS memparity_inR memparity_inE ClkB
M_parity MB_parity) $\wedge$
(FSM_SPEC ClkA ClkB I_male_rd_mem bw ww I_last_ I_mrdy_ zero_cnt Rst
$M_{-} f s m_{-}$state $M_{-} f s m_{-}$male_ $M_{-} f s m_{-}$rd $M_{\text {_ }} f s m_{-} b w M_{\_} f s m_{-} w w M_{-} f s m_{-} l a s t_{-} M_{-} f s m_{\_} m r d y_{-}$
M_fsm_zero_cnt $M_{-}$fsm_rst
M_fsm_stateA $M_{-}$fsm_address $M_{-} f s m_{\text {_read }} M_{\text {_ }}$ fsm_write $M_{\text {_ }}$ fsm_byte_write $M_{-}$fsm_mem_enable
address read write byte_write mem_enable)"
); ;
close_theory();

## B.3 R Port Specification

```
%
  File:   r_block.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the gate-level specification of the R-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm r_block.th';;
new_theory 'r_block';;
map loadf ['abstract';'buses_def'];;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'datapaths_def';'raux_def';'aux_def';'array_def';'wordn_def'];;

let r_state_ty = ":(rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#
                    bool#wordn#wordn#wordn#
                    rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#
                    wordn#bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#
                    wordn#bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#
                    bool#wordn#wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool)";;
let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
                 R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
                 R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin, R_ctr1_outA,
                 R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin, R_ctr3_outA,
                 R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch,
                 R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis,
                 R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel,
                 R_ctr0_in, R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden,
                 R_ctr1_in, R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden,
                 R_ctr2_in, R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden,
                 R_ctr3_in, R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden,
                 R_icr_load, R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden)
                :^r_state_ty)";;
let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#wordn#wordn#wordn#bool#bool#wordn)";;
let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;
let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;

% R-Port controller state machine. %
let FSM_SPEC = new_definition
  ('FSM_SPEC',
   "! (ClkA:time->bool) ClkB ale_in_ mrdy_in_ last_in_ rst_in
      ale_ mrdy_ last_ rst state
      cntlatch srdy_ (stateA:time->rfsm_ty)
      s0_out s1_out cntlatch_out srdy_out_ .
    FSM_SPEC ClkA ClkB ale_in_ mrdy_in_ last_in_ rst_in
             ale_ mrdy_ last_ rst state
             cntlatch srdy_ stateA
             s0_out s1_out cntlatch_out srdy_out_ =
    !t:time.
      ((ClkA t) ==>
         ((stateA (t+1) = ((rst t) => RI |
                           ((state t) = RI) => ((~ale_ t) => RA | RD) |
                           ((state t) = RA) => ((~mrdy_ t) => RD | RA) |
                           ((last_ t) => RI | RA))) /\
          (cntlatch (t+1) = ((state t = RI) /\ ~ale_ t)) /\
          (srdy_ (t+1) = ~((state t = RA) /\ ~mrdy_ t)) /\
          (state (t+1) = state t) /\
          (ale_ (t+1) = ale_ t) /\
          (mrdy_ (t+1) = mrdy_ t) /\
          (last_ (t+1) = last_ t) /\
          (rst (t+1) = rst t))) /\
      ((ClkB t) ==>
         ((stateA (t+1) = stateA t) /\
          (cntlatch (t+1) = cntlatch t) /\
          (srdy_ (t+1) = srdy_ t) /\
          (state (t+1) = stateA t) /\
          (ale_ (t+1) = ale_in_ t) /\
          (mrdy_ (t+1) = mrdy_in_ t) /\
          (last_ (t+1) = last_in_ t) /\
          (rst (t+1) = rst_in t))) /\
      ((s0_out (t+1) = (stateA (t+1) = RD)) /\
       (s1_out (t+1) = ((stateA (t+1) = RA) \/ (stateA (t+1) = RD))) /\
       (cntlatch_out t = cntlatch (t+1)) /\
       (srdy_out_ t = srdy_ (t+1)))"
  );;
```
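The R-Port controller FSM_SPEC above is written as a relation over time with two clock phases: on ClkA the master copy stateA and the cntlatch/srdy_ latches are computed from the slave copies, and on ClkB the slave copy `state` and the sampled inputs are refreshed. The following Python model is an added example, not part of the original HOL source or of the Boeing design files; it executes the transitions exactly as printed in the spec (including the `RD` alternative taken from RI when ale_ is high), and the class, helper names and stimulus are the example's own.

```python
# Added example (not part of the original HOL source): executable Python model
# of the R-Port FSM_SPEC. Two-phase clocking is modelled literally: clkA()
# computes stateA (t+1) and the two latches from the slave copies, clkB()
# copies stateA into the slave and samples the inputs. Helper names and the
# constructed stimulus below are the example's own.

RI, RA, RD = "RI", "RA", "RD"   # the rfsm_ty values named in the spec


class RPortFSM:
    def __init__(self):
        # master (A) side, updated on ClkA
        self.stateA = RI
        self.cntlatch = False
        self.srdy_ = True          # active-low: True means "not ready"
        # slave (B) side, updated on ClkB: state plus the sampled inputs
        self.state = RI
        self.ale_ = True
        self.mrdy_ = True
        self.last_ = True
        self.rst = False

    def clkA(self):
        """ClkA phase: stateA (t+1), cntlatch (t+1) and srdy_ (t+1) from the slave copies."""
        if self.rst:
            nxt = RI
        elif self.state == RI:
            nxt = RA if not self.ale_ else RD      # as printed in the spec
        elif self.state == RA:
            nxt = RD if not self.mrdy_ else RA
        else:                                       # state == RD
            nxt = RI if self.last_ else RA
        self.cntlatch = (self.state == RI) and not self.ale_
        self.srdy_ = not ((self.state == RA) and not self.mrdy_)
        self.stateA = nxt

    def clkB(self, ale_in_, mrdy_in_, last_in_, rst_in):
        """ClkB phase: slave state follows stateA and the inputs are sampled."""
        self.state = self.stateA
        self.ale_, self.mrdy_, self.last_, self.rst = ale_in_, mrdy_in_, last_in_, rst_in

    # combinational decodes of stateA, as in the last conjunct of FSM_SPEC
    def s0(self):
        return self.stateA == RD

    def s1(self):
        return self.stateA in (RA, RD)


def run_transaction(stimulus):
    """Drive the FSM through one ClkB/ClkA pair per stimulus entry
    (ale_in_, mrdy_in_, last_in_, rst_in) and return, per cycle, the tuple
    (stateA, s0, s1, cntlatch, srdy_) observed after the ClkA phase."""
    fsm = RPortFSM()
    trace = []
    for ale_in_, mrdy_in_, last_in_, rst_in in stimulus:
        fsm.clkB(ale_in_, mrdy_in_, last_in_, rst_in)
        fsm.clkA()
        trace.append((fsm.stateA, fsm.s0(), fsm.s1(), fsm.cntlatch, fsm.srdy_))
    return trace


# Constructed stimulus: ale_ low in cycle 1, mrdy_ low in cycle 2, last_ high
# in cycle 3, no reset. Expected path per the printed equations: RI -> RA -> RD -> RI.
SAMPLE = [
    (False, True, True, False),
    (True, False, True, False),
    (True, True, True, False),
]

if __name__ == "__main__":
    for row in run_transaction(SAMPLE):
        print(row)
```

The trace shows the one-cycle lag between the phase decodes and the latches: cntlatch is true only in the cycle that leaves RI, and srdy_ goes low (ready) only in the cycle that leaves RA with mrdy_ sampled low.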

```
% R_wr latch definition. %
let Wr_Lat_SPEC = new_definition
  ('Wr_Lat_SPEC',
   "! clkB (iad_in:time->wordn) wr_inE r_wr wr_outQ .
    Wr_Lat_SPEC clkB iad_in wr_inE r_wr wr_outQ =
    !t:time.
      ((~(clkB t)) ==> (r_wr (t+1) = r_wr t)) /\
      ((clkB t) ==> (r_wr (t+1) = ((wr_inE t) => (ELEMENT (iad_in t) (27)) | r_wr t))) /\
      (wr_outQ t = r_wr (t+1))"
  );;

% Generation logic for control signals dp_read, r_write, r_read, icr_rd_en, srdy_en. %
let RW_Sigs_SPEC = new_definition
  ('RW_Sigs_SPEC',
   "! r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en .
    RW_Sigs_SPEC r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en =
    (!t:time .
      (dp_read t = (~r_wr t) /\ ((s0 t) \/ (s1 t))) /\
      (r_write t = (~disable_writes t) /\ (r_wr t) /\ (s0 t) /\ (s1 t)) /\
      (r_read t = (~r_wr t) /\ (~s0 t) /\ (s1 t)) /\
      (icr_rd_en t = (~s0 t) /\ (s1 t)) /\
      (srdy_en t = (s0 t) \/ (s1 t)))"
  );;

% R_reg_sel counter and logic. %
let Reg_Sel_Ctr_SPEC = new_definition
  ('Reg_Sel_Ctr_SPEC',
   "! clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ .
    Reg_Sel_Ctr_SPEC clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ =
    !t:time.
      ((clkA t) ==>
         ((r_reg_sel (t+1) = r_reg_sel t) /\
          (r_reg_selA (t+1) = r_reg_sel t))) /\
      ((~(clkA t)) ==>
         ((r_reg_sel (t+1) =
             ((inL t) => SUBARRAY (iad_in t) (3,0) |
              (~inU_ t) => INCN 3 (r_reg_selA t) | r_reg_selA t)) /\
          (r_reg_selA (t+1) = r_reg_selA t))) /\
      (outQ t = ((~inU_ t) => INCN 3 (r_reg_selA (t+1)) | r_reg_selA (t+1)))"
  );;
```

```
% Generation logic for register file control signals. %
let Reg_File_Ctl_SPEC = new_definition
  ('Reg_File_Ctl_SPEC',
   "! (reg_sel:time->wordn) write read icr_rd_en
      cir_wr01 cir_wr23
      c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
      c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
      icr_wr_feedback icr_select icr_rd
      ccr_wr ccr_rd gcr_wr gcr_rd sr_rd .
    Reg_File_Ctl_SPEC reg_sel write read icr_rd_en
                      cir_wr01 cir_wr23
                      c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
                      c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
                      icr_wr_feedback icr_select icr_rd
                      ccr_wr ccr_rd gcr_wr gcr_rd sr_rd =
    (!t:time .
      (cir_wr01 t = (write t) /\ (((reg_sel t) = WORDN 8) \/ ((reg_sel t) = WORDN 9))) /\
      (cir_wr23 t = (write t) /\ (((reg_sel t) = WORDN 10) \/ ((reg_sel t) = WORDN 11))) /\
      (c0ir_wr t = (write t) /\ ((reg_sel t) = WORDN 8)) /\
      (c0ir_rd t = (read t) /\ ((reg_sel t) = WORDN 8)) /\
      (c0or_rd t = (read t) /\ ((reg_sel t) = WORDN 12)) /\
      (c1ir_wr t = (write t) /\ ((reg_sel t) = WORDN 9)) /\
      (c1ir_rd t = (read t) /\ ((reg_sel t) = WORDN 9)) /\
      (c1or_rd t = (read t) /\ ((reg_sel t) = WORDN 13)) /\
      (c2ir_wr t = (write t) /\ ((reg_sel t) = WORDN 10)) /\
      (c2ir_rd t = (read t) /\ ((reg_sel t) = WORDN 10)) /\
      (c2or_rd t = (read t) /\ ((reg_sel t) = WORDN 14)) /\
      (c3ir_wr t = (write t) /\ ((reg_sel t) = WORDN 11)) /\
      (c3ir_rd t = (read t) /\ ((reg_sel t) = WORDN 11)) /\
      (c3or_rd t = (read t) /\ ((reg_sel t) = WORDN 15)) /\
      (icr_wr_feedback t = (write t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
      (icr_select t = ~((reg_sel t) = WORDN 1)) /\
      (icr_rd t = (icr_rd_en t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
      (ccr_wr t = (write t) /\ ((reg_sel t) = WORDN 3)) /\
      (ccr_rd t = (read t) /\ ((reg_sel t) = WORDN 3)) /\
      (gcr_wr t = (write t) /\ ((reg_sel t) = WORDN 2)) /\
      (gcr_rd t = (read t) /\ ((reg_sel t) = WORDN 2)) /\
      (sr_rd t = (read t) /\ ((reg_sel t) = WORDN 4)))"
  );;

% Input logic for R_int1_en, R_int2_en latches. %
let Ctr_Int_Logic_SPEC = new_definition
  ('Ctr_Int_Logic_SPEC',
   "! one_shot interrupt reload cout cout_del cir_wr
      int_en_inR int_en_inS int_en_inE c_ld .
    Ctr_Int_Logic_SPEC one_shot interrupt reload cout cout_del cir_wr
                       int_en_inR int_en_inS int_en_inE c_ld =
    (!t:time .
      (int_en_inR t = (one_shot t) /\ (cout_del t) \/ (~interrupt t)) /\
      (int_en_inS t = (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\
      (int_en_inE t = (one_shot t) /\ (cout_del t) \/ (~interrupt t) \/
                      (interrupt t) /\ ((cout t) /\ (reload t) \/ (cir_wr t))) /\
      (c_ld t = (cout t) /\ (reload t) \/ (cir_wr t)))"
  );;
```
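RW_Sigs_SPEC, Reg_Sel_Ctr_SPEC and Reg_File_Ctl_SPEC together form the register-access path of the R-Port: the FSM phase decodes (s0, s1) and the latched write bit produce the port-level read/write controls, the 4-bit register counter supplies the register number for each burst beat, and the decoder turns that number into one strobe per register. The Python model below is an added example (not code from the original HOL source or from the Boeing design) that executes those three definitions together and exhaustively checks the property a reviewer would want from this logic: with Disable_writes asserted, no write strobe can fire for any register number in any FSM phase. It assumes that `INCN 3` increments the 4-bit (index 3..0) word modulo 16; that reading, the function names and the stimulus values are the example's own.

```python
# Added example (not part of the original HOL source): Python model of
# RW_Sigs_SPEC, Reg_Sel_Ctr_SPEC and Reg_File_Ctl_SPEC, with an exhaustive
# check of the Disable_writes write-protect. Assumption: INCN 3 increments the
# 4-bit register number modulo 16. All helper names are the example's own.

WRITE_STROBES = ("cir_wr01", "cir_wr23", "c0ir_wr", "c1ir_wr", "c2ir_wr", "c3ir_wr",
                 "icr_wr_feedback", "ccr_wr", "gcr_wr")


def rw_sigs(r_wr, s0, s1, disable_writes):
    """RW_Sigs_SPEC: port-level read/write controls from the FSM phase decodes."""
    return {
        "dp_read":   (not r_wr) and (s0 or s1),
        "r_write":   (not disable_writes) and r_wr and s0 and s1,
        "r_read":    (not r_wr) and (not s0) and s1,
        "icr_rd_en": (not s0) and s1,
        "srdy_en":   s0 or s1,
    }


class RegSelCtr:
    """Reg_Sel_Ctr_SPEC: 4-bit register counter loaded from I_ad_in[3:0] on inL
    and incremented while inU_ is low (one step per ~clkA phase)."""
    def __init__(self):
        self.r_reg_sel = 0
        self.r_reg_selA = 0

    def step(self, clkA, iad_in, inL, inU_):
        if clkA:
            self.r_reg_selA = self.r_reg_sel
        elif inL:
            self.r_reg_sel = iad_in & 0xF
        elif not inU_:
            self.r_reg_sel = (self.r_reg_selA + 1) & 0xF
        # outQ t is built from r_reg_selA (t+1), i.e. the value after this phase
        return ((self.r_reg_selA + 1) & 0xF) if not inU_ else self.r_reg_selA


def reg_file_ctl(reg_sel, write, read, icr_rd_en):
    """Reg_File_Ctl_SPEC: decode reg_sel (0..15) into the set of asserted strobes."""
    fired = set()
    def strobe(name, cond):
        if cond:
            fired.add(name)
    strobe("cir_wr01", write and reg_sel in (8, 9))
    strobe("cir_wr23", write and reg_sel in (10, 11))
    for n in range(4):
        strobe(f"c{n}ir_wr", write and reg_sel == 8 + n)   # counter input registers 8..11
        strobe(f"c{n}ir_rd", read and reg_sel == 8 + n)
        strobe(f"c{n}or_rd", read and reg_sel == 12 + n)   # counter output registers 12..15
    strobe("icr_wr_feedback", write and reg_sel in (0, 1))
    strobe("icr_select", reg_sel != 1)
    strobe("icr_rd", icr_rd_en and reg_sel in (0, 1))
    strobe("ccr_wr", write and reg_sel == 3)
    strobe("ccr_rd", read and reg_sel == 3)
    strobe("gcr_wr", write and reg_sel == 2)
    strobe("gcr_rd", read and reg_sel == 2)
    strobe("sr_rd", read and reg_sel == 4)
    return fired


def check_write_protect():
    """True iff (a) with Disable_writes no write strobe fires for any register
    number, write bit and FSM phase, and (b) without it a write in the RD phase
    to register 8+n fires exactly c{n}ir_wr plus its pair strobe (and icr_select)."""
    for reg_sel in range(16):
        for s0, s1 in ((False, False), (False, True), (True, True)):
            for r_wr in (False, True):
                sig = rw_sigs(r_wr, s0, s1, disable_writes=True)
                fired = reg_file_ctl(reg_sel, sig["r_write"], sig["r_read"], sig["icr_rd_en"])
                if fired & set(WRITE_STROBES):
                    return False
    for n in range(4):
        sig = rw_sigs(True, True, True, disable_writes=False)
        fired = reg_file_ctl(8 + n, sig["r_write"], sig["r_read"], sig["icr_rd_en"])
        expected = {f"c{n}ir_wr", "cir_wr01" if n < 2 else "cir_wr23", "icr_select"}
        if fired != expected:
            return False
    return True


def burst_register_sequence(start, beats):
    """Constructed stimulus: load the counter from an address word in the ~clkA
    phase, then for each beat read outQ on clkA and increment on ~clkA (inU_ low).
    Returns the register number presented to the decoder at each beat."""
    ctr = RegSelCtr()
    ctr.step(clkA=False, iad_in=start, inL=True, inU_=True)
    seen = []
    for _ in range(beats):
        seen.append(ctr.step(clkA=True, iad_in=0, inL=False, inU_=True))
        ctr.step(clkA=False, iad_in=0, inL=False, inU_=False)
    return seen


if __name__ == "__main__":
    print("write-protect holds:", check_write_protect())
    print("burst from 0x28:", burst_register_sequence(0x28, 3))
```

The burst walk shows why the counter and the decoder are modelled together: only the low four address bits are kept, so a burst that starts at register 15 wraps to register 0, and the decoder will then assert icr_wr_feedback for the ICR word rather than a counter strobe.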

```
% Input logic for R_int0_en, R_int3_en latches. %
let And_Tree_SPEC = new_definition
  ('And_Tree_SPEC',
   "! icr out0 out3 .
    And_Tree_SPEC icr out0 out3 =
    (!t:time .
      (out0 t = (ELEMENT (icr t) (0)) /\ (ELEMENT (icr t) (8)) \/
                (ELEMENT (icr t) (1)) /\ (ELEMENT (icr t) (9)) \/
                (ELEMENT (icr t) (2)) /\ (ELEMENT (icr t) (10)) \/
                (ELEMENT (icr t) (3)) /\ (ELEMENT (icr t) (11)) \/
                (ELEMENT (icr t) (4)) /\ (ELEMENT (icr t) (12)) \/
                (ELEMENT (icr t) (5)) /\ (ELEMENT (icr t) (13)) \/
                (ELEMENT (icr t) (6)) /\ (ELEMENT (icr t) (14)) \/
                (ELEMENT (icr t) (7)) /\ (ELEMENT (icr t) (15))) /\
      (out3 t = (ELEMENT (icr t) (16)) /\ (ELEMENT (icr t) (24)) \/
                (ELEMENT (icr t) (17)) /\ (ELEMENT (icr t) (25)) \/
                (ELEMENT (icr t) (18)) /\ (ELEMENT (icr t) (26)) \/
                (ELEMENT (icr t) (19)) /\ (ELEMENT (icr t) (27)) \/
                (ELEMENT (icr t) (20)) /\ (ELEMENT (icr t) (28)) \/
                (ELEMENT (icr t) (21)) /\ (ELEMENT (icr t) (29)) \/
                (ELEMENT (icr t) (22)) /\ (ELEMENT (icr t) (30)) \/
                (ELEMENT (icr t) (23)) /\ (ELEMENT (icr t) (31))))"
  );;

% Generation logic for Int0_, Int3_ signals. %
let Reg_Int_Logic_SPEC = new_definition
  ('Reg_Int_Logic_SPEC',
   "! int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ .
    Reg_Int_Logic_SPEC int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ =
    (!t:time .
      (int0_ t = ~((int0_en t) /\ (~int0_dis t) /\ (~disable_int t))) /\
      (int3_ t = ~((int3_en t) /\ (~int3_dis t) /\ (~disable_int t))))"
  );;
```
```
% Virtual logic to package several R-Port inputs into single SR input word. %
let SR_Inputs_SPEC = new_definition
  ('SR_Inputs_SPEC',
   "! cpu_fail reset_cpu piu_fail pmm_fail s_state
      id channelID cb_parity c_ss mb_parity (sr_inp:time->wordn) .
    SR_Inputs_SPEC cpu_fail reset_cpu piu_fail pmm_fail s_state
                   id channelID cb_parity c_ss mb_parity sr_inp =
    !t:time.
      let a1 = (MALTER ARBN (1,0) (cpu_fail t)) in
      let a3 = (MALTER a1 (3,2) (reset_cpu t)) in
      let a5 = (ALTER a3 (8) (piu_fail t)) in
      let a6 = (ALTER a5 (9) (pmm_fail t)) in
      let a7 = (MALTER a6 (15,12) (s_state t)) in
      let a8 = (MALTER a7 (21,16) (id t)) in
      let a9 = (MALTER a8 (23,22) (channelID t)) in
      let a10 = (ALTER a9 (24) (cb_parity t)) in
      let a11 = (MALTER a10 (27,25) (c_ss t)) in
      let a12 = (ALTER a11 (28) (mb_parity t)) in
      (sr_inp t = a12)"
  );;

% Virtual logic to distribute single GCR output word as several pieces. %
let GCR_Outputs_SPEC = new_definition
  ('GCR_Outputs_SPEC',
   "! (gcr_out:time->wordn)
      led reload01 oneshot01 interrupt01 enable01
      reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid .
    GCR_Outputs_SPEC gcr_out led reload01 oneshot01 interrupt01
                     enable01 reload23 oneshot23 interrupt23 enable23 reset_error pmm_invalid =
    !t:time .
      (led t = SUBARRAY (gcr_out t) (3,0)) /\
      (reload01 t = ELEMENT (gcr_out t) (16)) /\
      (oneshot01 t = ELEMENT (gcr_out t) (17)) /\
      (interrupt01 t = ELEMENT (gcr_out t) (18)) /\
      (enable01 t = ELEMENT (gcr_out t) (19)) /\
      (reload23 t = ELEMENT (gcr_out t) (20)) /\
      (oneshot23 t = ELEMENT (gcr_out t) (21)) /\
      (interrupt23 t = ELEMENT (gcr_out t) (22)) /\
      (enable23 t = ELEMENT (gcr_out t) (23)) /\
      (reset_error t = ELEMENT (gcr_out t) (24)) /\
      (pmm_invalid t = ELEMENT (gcr_out t) (28))"
  );;
```

```
% Virtual logic to generate the 12 tristate driver enables for datapath Bus A. %
let Bus_Enab_SPEC = new_definition
  ('Bus_Enab_SPEC',
   "! clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
      r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
      busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
      busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en .
    Bus_Enab_SPEC clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
                  r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
                  busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
                  busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en =
    !t:time .
      (busA_c0_en1 t = (clkA t) /\ (r_ctr0_irden t)) /\
      (busA_c0_en2 t = (clkA t) /\ (r_ctr0_orden t)) /\
      (busA_c1_en1 t = (clkA t) /\ (r_ctr1_irden t)) /\
      (busA_c1_en2 t = (clkA t) /\ (r_ctr1_orden t)) /\
      (busA_c2_en1 t = (clkA t) /\ (r_ctr2_irden t)) /\
      (busA_c2_en2 t = (clkA t) /\ (r_ctr2_orden t)) /\
      (busA_c3_en1 t = (clkA t) /\ (r_ctr3_irden t)) /\
      (busA_c3_en2 t = (clkA t) /\ (r_ctr3_orden t)) /\
      (busA_icr_en t = (clkA t) /\ (r_icr_rden t)) /\
      (busA_ccr_en t = (clkA t) /\ (r_ccr_rden t)) /\
      (busA_gcr_en t = (clkA t) /\ (r_gcr_rden t)) /\
      (busA_sr_en t = (clkA t) /\ (r_sr_rden t))"
  );;
```
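The word-level "virtual logic" of the R-Port (SR_Inputs_SPEC, GCR_Outputs_SPEC above, and the And_Tree_SPEC/Reg_Int_Logic_SPEC pair before them) is all bit-field manipulation on `wordn` values with ALTER, MALTER, SUBARRAY and ELEMENT. The Python below is an added example, not code from the original HOL source or from the Boeing design; it models those four definitions on plain integers so the field layout of the SR word and the ICR pair detection can be exercised on constructed values. It assumes ALTER sets a single bit, MALTER replaces the bit range (hi,lo), bit 0 is the least significant bit, and the arbitrary word ARBN that seeds SR_Inputs is taken as zero; those readings and all helper names are the example's own.

```python
# Added example (not part of the original HOL source): integer model of the
# wordn operators used by SR_Inputs_SPEC, GCR_Outputs_SPEC, And_Tree_SPEC and
# Reg_Int_Logic_SPEC. Assumptions: ALTER w i b sets bit i of w to b, MALTER
# w (hi,lo) v replaces bits hi..lo with v, bit 0 is the LSB, ARBN is taken as 0.
# All helper names are the example's own.

def alter(word, i, bit):
    """ALTER: return word with bit i set to bit (0/1 or bool)."""
    return (word | (1 << i)) if bit else (word & ~(1 << i))


def malter(word, hi, lo, value):
    """MALTER: return word with bits hi..lo replaced by value (masked to the field width)."""
    mask = ((1 << (hi - lo + 1)) - 1) << lo
    return (word & ~mask) | ((value << lo) & mask)


def subarray(word, hi, lo):
    """SUBARRAY: bits hi..lo of word as an integer."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def element(word, i):
    """ELEMENT: bit i of word as a bool."""
    return bool((word >> i) & 1)


def sr_inputs(cpu_fail, reset_cpu, piu_fail, pmm_fail, s_state,
              id_, channel_id, cb_parity, c_ss, mb_parity):
    """SR_Inputs_SPEC: assemble the status-register input word field by field."""
    a = malter(0, 1, 0, cpu_fail)           # ARBN taken as 0
    a = malter(a, 3, 2, reset_cpu)
    a = alter(a, 8, piu_fail)
    a = alter(a, 9, pmm_fail)
    a = malter(a, 15, 12, s_state)
    a = malter(a, 21, 16, id_)
    a = malter(a, 23, 22, channel_id)
    a = alter(a, 24, cb_parity)
    a = malter(a, 27, 25, c_ss)
    a = alter(a, 28, mb_parity)
    return a


def gcr_outputs(gcr):
    """GCR_Outputs_SPEC: split the GCR word into its control fields."""
    return {
        "led": subarray(gcr, 3, 0),
        "reload01": element(gcr, 16), "oneshot01": element(gcr, 17),
        "interrupt01": element(gcr, 18), "enable01": element(gcr, 19),
        "reload23": element(gcr, 20), "oneshot23": element(gcr, 21),
        "interrupt23": element(gcr, 22), "enable23": element(gcr, 23),
        "reset_error": element(gcr, 24), "pmm_invalid": element(gcr, 28),
    }


def and_tree(icr):
    """And_Tree_SPEC: out0 if some pair (i, i+8), i in 0..7, is set in the ICR word;
    out3 likewise for the pairs (16+i, 24+i)."""
    out0 = any(element(icr, i) and element(icr, i + 8) for i in range(8))
    out3 = any(element(icr, 16 + i) and element(icr, 24 + i) for i in range(8))
    return out0, out3


def reg_int_logic(int0_en, int0_dis, int3_en, int3_dis, disable_int):
    """Reg_Int_Logic_SPEC: active-low Int0_/Int3_ (True means not asserted)."""
    int0_ = not (int0_en and not int0_dis and not disable_int)
    int3_ = not (int3_en and not int3_dis and not disable_int)
    return int0_, int3_


if __name__ == "__main__":
    # constructed sample: every SR field non-zero except pmm_fail and mb_parity
    w = sr_inputs(0b11, 0b10, True, False, 0xA, 0x2A, 0b01, True, 0b101, False)
    print(hex(w), subarray(w, 21, 16) == 0x2A)
    print(and_tree((1 << 3) | (1 << 11)), and_tree((1 << 3) | (1 << 12)))
```

The two and_tree calls at the end show what the tree actually detects: bits 3 and 11 form one of the (i, i+8) pairs and raise out0, while bits 3 and 12 do not, so a single stray bit in either half of the word never produces an interrupt on its own.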


```
% R-Port block. %
let R_Block_SPEC = new_definition
  ('R_Block_SPEC',
   "! (rep:^rep_ty)
      (R_fsm_stateA R_fsm_state :time->rfsm_ty)
      (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
       R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new
       R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask
       R_icr R_ccr R_gcr R_sr :time->wordn)
      (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
       R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
       R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
       R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
       R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
       R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
       R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :time->bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :time->wordn)
      (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :time->bool)
      (I_ad_out Ccr Led :time->wordn)
      (I_srdy_ Int0_ Int1 Int2 Int3_ Reset_error Pmm_invalid :time->bool) .
    R_Block_SPEC rep
      (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
       R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
       R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin, R_ctr1_outA,
       R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin, R_ctr3_outA,
       R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch,
       R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis,
       R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel,
       R_ctr0_in, R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden,
       R_ctr1_in, R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden,
       R_ctr2_in, R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden,
       R_ctr3_in, R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden,
       R_icr_load, R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden)
      (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
      (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid) =
    ? dp_read r_write r_read icr_rd_en srdy_en wr_inE wr_outQ fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_
      c13or_ld srdy_del_outQ_ reg_sel
      r_cir_wr01 r_cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
      c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd
      ccr_wr ccr_rd gcr_wr gcr_rd sr_rd icr_ld c01_cout c01_cout_outQ c01_cout_delA_outQ
      c23_cout c23_cout_outQ c23_cout_delA_outQ
      oneshot01 interrupt01 reload01 int1_en_inR int1_en_inS int1_en_inE int1_en_outQ c01_ld
      oneshot23 interrupt23 reload23 int2_en_inR int2_en_inS int2_en_inE int2_en_outQ c23_ld
      enable01 enable23 c0_cout c2_cout ccr_out gcr_out sr_inp
      disable_int_ int0_en_inD int0_en_outQ int0_dis_outQ int3_en_inD int3_en_outQ int3_dis_outQ
      icr_out BusA BusB_in busA_latch_out
      (BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
       BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out :time->wordn)
      (BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
       BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en :time->bool) .
      (FSM_SPEC ClkA ClkB I_rale_ I_mrdy_ I_last_ Rst
                R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_fsm_state
                R_fsm_cntlatch R_fsm_srdy_ R_fsm_stateA
                fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_) /\
      (TRIBUF_SPEC fsm_srdy_ srdy_en I_srdy_) /\
      (NOT_SPEC I_rale_ wr_inE) /\
      (Wr_Lat_SPEC ClkB I_ad_in wr_inE R_wr wr_outQ) /\
      (RW_Sigs_SPEC wr_outQ fsm_s0 fsm_s1 Disable_writes dp_read r_write r_read icr_rd_en srdy_en) /\
      (DFF_SPEC fsm_cntlatch ClkA R_cntlatch_del R_cntlatch_delA c13or_ld) /\
      (DFF_SPEC fsm_srdy_ ClkA R_srdy_del_ R_srdy_delA_ srdy_del_outQ_) /\
      (Reg_Sel_Ctr_SPEC ClkA I_ad_in wr_inE srdy_del_outQ_ R_reg_sel R_reg_selA reg_sel) /\
      (Reg_File_Ctl_SPEC reg_sel r_write r_read icr_rd_en
                         r_cir_wr01 r_cir_wr23
                         c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
                         c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
                         icr_wr_feedback icr_select icr_rd
                         ccr_wr ccr_rd gcr_wr gcr_rd sr_rd) /\
      (DFF_SPEC icr_wr_feedback ClkA R_icr_load R_icr_loadA icr_ld) /\
      (DLAT_SPEC c01_cout ClkA R_c01_cout c01_cout_outQ) /\
      (DLAT_SPEC c23_cout ClkA R_c23_cout c23_cout_outQ) /\
      (DFF_SPEC c01_cout_outQ ClkA R_c01_cout_del R_c01_cout_delA c01_cout_delA_outQ) /\
      (DFF_SPEC c23_cout_outQ ClkA R_c23_cout_del R_c23_cout_delA c23_cout_delA_outQ) /\
      (Ctr_Int_Logic_SPEC oneshot01 interrupt01 reload01 c01_cout_outQ c01_cout_delA_outQ r_cir_wr01
                          int1_en_inR int1_en_inS int1_en_inE c01_ld) /\
      (Ctr_Int_Logic_SPEC oneshot23 interrupt23 reload23 c23_cout_outQ c23_cout_delA_outQ r_cir_wr23
                          int2_en_inR int2_en_inS int2_en_inE c23_ld) /\
      (DSRELAT_SPEC GND int1_en_inS int1_en_inR int1_en_inE ClkB R_int1_en int1_en_outQ) /\
      (DSRELAT_SPEC GND int2_en_inS int2_en_inR int2_en_inE ClkB R_int2_en int2_en_outQ) /\
      (NOT_SPEC Disable_int disable_int_) /\
      (AND3_SPEC c01_cout_outQ int1_en_outQ disable_int_ Int1) /\
      (AND3_SPEC c23_cout_outQ int2_en_outQ disable_int_ Int2) /\
      (And_Tree_SPEC icr_out int0_en_inD int3_en_inD) /\
      (DLAT_SPEC int0_en_inD ClkA R_int0_en int0_en_outQ) /\
      (DLAT_SPEC int3_en_inD ClkA R_int3_en int3_en_outQ) /\
      (DFF_SPEC int0_en_outQ ClkA R_int0_dis R_int0_disA int0_dis_outQ) /\
      (DFF_SPEC int3_en_outQ ClkA R_int3_dis R_int3_disA int3_dis_outQ) /\
      (Reg_Int_Logic_SPEC int0_en_outQ int0_dis_outQ int3_en_outQ int3_dis_outQ
                          Disable_int Int0_ Int3_) /\
      (DLATn_SPEC BusA ClkA R_busA_latch busA_latch_out) /\
      (TRIBUF_SPEC busA_latch_out dp_read I_ad_out) /\
      (BUF_SPEC I_ad_in BusB_in) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c0ir_wr c01_ld c0ir_rd enable01 VDD fsm_cntlatch
                   c0or_rd R_ctr0_in R_ctr0_mux_sel R_ctr0_irden R_ctr0 R_ctr0_ce R_ctr0_cin
                   R_ctr0_cry R_ctr0_new R_ctr0_outA R_ctr0_out R_ctr0_orden
                   BusA_c0_out1 BusA_c0_out2 c0_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c1ir_wr c01_ld c1ir_rd VDD c0_cout c13or_ld
                   c1or_rd R_ctr1_in R_ctr1_mux_sel R_ctr1_irden R_ctr1 R_ctr1_ce R_ctr1_cin
                   R_ctr1_cry R_ctr1_new R_ctr1_outA R_ctr1_out R_ctr1_orden
                   BusA_c1_out1 BusA_c1_out2 c01_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c2ir_wr c23_ld c2ir_rd enable23 VDD fsm_cntlatch
                   c2or_rd R_ctr2_in R_ctr2_mux_sel R_ctr2_irden R_ctr2 R_ctr2_ce R_ctr2_cin
                   R_ctr2_cry R_ctr2_new R_ctr2_outA R_ctr2_out R_ctr2_orden
                   BusA_c2_out1 BusA_c2_out2 c2_cout) /\
      (DP_CTR_SPEC ClkA ClkB BusB_in c3ir_wr c23_ld c3ir_rd VDD c2_cout c13or_ld
                   c3or_rd R_ctr3_in R_ctr3_mux_sel R_ctr3_irden R_ctr3 R_ctr3_ce R_ctr3_cin
                   R_ctr3_cry R_ctr3_new R_ctr3_outA R_ctr3_out R_ctr3_orden
                   BusA_c3_out1 BusA_c3_out2 c23_cout) /\
      (DP_ICR_SPEC rep ClkA ClkB BusA BusB_in icr_wr_feedback icr_rd icr_select R_icr_loadA icr_ld
                   R_icr_oldA R_icr_old R_icr_mask R_icrA R_icr R_icr_rden
                   BusA_icr_out icr_out) /\
      (DP_CR_SPEC ClkA ClkB BusB_in ccr_wr ccr_rd R_ccr R_ccr_rden BusA_ccr_out ccr_out) /\
      (DP_CR_SPEC ClkA ClkB BusB_in gcr_wr gcr_rd R_gcr R_gcr_rden BusA_gcr_out gcr_out) /\
      (GCR_Outputs_SPEC gcr_out Led reload01 oneshot01 interrupt01
                        enable01 reload23 oneshot23 interrupt23 enable23 Reset_error Pmm_invalid) /\
      (SR_Inputs_SPEC Cpu_fail Reset_cpu Piu_fail Pmm_fail S_state
                      Id ChannelID CB_parity C_ss MB_parity sr_inp) /\
      (DP_SR_SPEC ClkA ClkB sr_inp fsm_cntlatch sr_rd R_sr R_sr_rden BusA_sr_out) /\
      (Bus_Enab_SPEC ClkA R_ctr0_irden R_ctr0_orden R_ctr1_irden R_ctr1_orden R_ctr2_irden R_ctr2_orden
                     R_ctr3_irden R_ctr3_orden R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
                     BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
                     BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en) /\
      (Bus_12_1_SPEC BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
                     BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out
                     BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
                     BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en BusA)"
  );;

close_theory();;
```

## B.4 C Port Specification

```
%
  File:   c_block.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the gate-level specification of the C-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm c_block.th';;
new_theory 'c_block';;
loadf 'abstract';;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'caux_def';'aux_def';'array_def';'wordn_def'];;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

let c_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    wordn#bool#bool#bool#bool#bool#
                    csfsm_ty#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    cefsm_ty#bool#
                    bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#wordn#
                    cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#
                    csfsm_ty#bool#bool#bool#bool#bool#bool#wordn#
                    cefsm_ty#bool#bool#bool#bool#bool#bool#
                    bool#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn)";;
let c_state = "((C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2, C_mfsm_ma1,
                 C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C_mfsm_m_cout_sel0,
                 C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity,
                 C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0,
                 C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity,
                 C_efsm_stateA, C_efsm_srdy_en,
                 C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_rd_srdy, C_cout_0_le_delA,
                 C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a180, C_23a2,
                 C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
                 C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
                 C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
                 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                 C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                 C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
                 C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
                :^c_state_ty)";;
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                  wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
               I_lock_, I_cale_, I_hlda_, I_crqt_,
               CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
               Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
              :^c_env_ty)";;
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                  bool#wordn#wordn#wordn#wordn#bool#bool)";;
let c_out = "((I_cgnt, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
               I_ad_out, I_be_out,
               CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
              :^c_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;

% Input logic for C_last_in_ flip-flop. %
let Last_Logic = new_definition
  ('Last_Logic',
   "! rst clkD mfsm_md1 mfsm_mabort last_in_inE .
    Last_Logic rst clkD mfsm_md1 mfsm_mabort last_in_inE =
    !t:time.
      (last_in_inE t = (rst t) \/ ((clkD t) /\ (mfsm_md1 t)) \/ (mfsm_mabort t))"
  );;

let Hold_Logic = new_definition
  ('Hold_Logic',
   "! (cb_ms:time->wordn) clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE .
    Hold_Logic cb_ms clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE =
    !t:time .
      (last_out_inS t = sfsm_sa1 t) /\
      (last_out_inR t = (clkD t) /\ ((cb_ms t = ^MEND) \/ (cb_ms t = ^MABORT))) /\
      (last_out_inE t = (last_out_inS t) \/ (last_out_inR t))"
  );;
```

```
let Cout_Sel_Logic_SPEC = new_definition
  ('Cout_Sel_Logic_SPEC',
   "! sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 (cout_sel:time->wordn) .
    Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 cout_sel =
    !t:time.
      (cout_sel t = (((sfsm_sd0 t) \/ (sfsm_sd1 t))
                     => (let a1 = (ALTER (cout_sel t) 0 (sfsm_s_cout_sel0 t))
                         in (ALTER a1 1 F))
                     |  (let a1 = (ALTER (cout_sel t) 0 (mfsm_m_cout_sel0 t))
                         in (ALTER a1 1 (mfsm_m_cout_sel1 t)))))"
  );;

% Generation logic for srdy signal. %
let Srdy_In_Logic_SPEC = new_definition
  ('Srdy_In_Logic_SPEC',
   "! (cb_ss:time->wordn) dfsm_srdy .
    Srdy_In_Logic_SPEC cb_ss dfsm_srdy =
    !t:time. (dfsm_srdy t = (cb_ss t = ^SRDY))"
  );;

% Input logic for C_wrdy, C_rrdy latches. %
let Rdy_Logic_SPEC = new_definition
  ('Rdy_Logic_SPEC',
   "! mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD .
    Rdy_Logic_SPEC mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD =
    !t:time.
      (wrdy_inD t = (srdy t) /\ (write t) /\ (mfsm_md1 t) /\ (clkD t)) /\
      (rrdy_inD t = (srdy t) /\ ~(write t) /\ (mfsm_md0 t) /\ (clkD t))"
  );;

% Generation logic for I_srdy_out_ signal. %
let ISrdy_Out_Logic_SPEC = new_definition
  ('ISrdy_Out_Logic_SPEC',
   "! wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE .
    ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE =
    !t:time.
      (isrdy_inD t = ~((wrdyA_outQ t) \/ (rrdyA_outQ t) \/ (fsm_mabort t))) /\
      (isrdy_inE t = ~(cale_ t) \/ (srdy_en t))"
  );;

% Generation logic for CBss_out signal. %
let CBss_Out_Logic_SPEC = new_definition
  ('CBss_Out_Logic_SPEC',
   "! (sfsm_ss:time->wordn) pmm_failure piu_valid cbss_out .
    CBss_Out_Logic_SPEC sfsm_ss pmm_failure piu_valid cbss_out =
    !t:time.
      (cbss_out t = (let a1 = (MALTER (cbss_out t) (1,0) (SUBARRAY (sfsm_ss t) (1,0)))
                     in (ALTER a1 (2) ((ELEMENT (sfsm_ss t) (2)) /\ (pmm_failure t) /\ (piu_valid t)))))"
  );;

% Generation logic for CBms_out signal. %
let CBms_Out_Logic_SPEC = new_definition
  ('CBms_Out_Logic_SPEC',
   "! (mfsm_ms:time->wordn) pmm_failure piu_valid cbms_out .
    CBms_Out_Logic_SPEC mfsm_ms pmm_failure piu_valid cbms_out =
    !t:time.
      (cbms_out t = (let a1 = (MALTER (cbms_out t) (1,0) (SUBARRAY (mfsm_ms t) (1,0)))
                     in (ALTER a1 (2) ((ELEMENT (mfsm_ms t) (2)) /\ ~(pmm_failure t) /\ ~(piu_valid t)))))"
  );;

% Generation logic for cout_1_le signal. %
let Cout_1_Le_Logic_SPEC = new_definition
  ('Cout_1_Le_Logic_SPEC',
   "! dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le .
    Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le =
    !t:time.
      (cout_1_le t = ~(dfsm_master t) /\ (dfsm_cout_1_le t) \/ (dfsm_master t) /\ (cout_0_le_del t))"
  );;
%----------------.----------------------------------------------------------------------------------------------------
    Generation logic for iad_en signal.
let Iad_En_Logic_SPEC = new_definition
    ('Iad_En_Logic_SPEC',
    "lmfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en
    lad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en =
        It:time .
                (iad_en t = (mfsm_iad_en_m t)V (sfsm_iad_en_s t)V (iad_en_s_del t))"
    ;;
%-
    Generation logic for c_pe_cnt signal.
let Pe_Cnt_Logic_SPEC = new_definition
    ('Pe_Cnt_Logic_SPEC',
```

```
    "! clkD (sfsm_sparity:time->bool) mfsm_mparity (cb_ss_in:time->wordn) c_pe_cnt .
    Pe_Cnt_Logic_SPEC clkD sfsm_sparity mfsm_mparity cb_ss_in c_pe_cnt =
        It:time.
            (c_pe_cnt t=(clkD t) }
                (~((sfsm_sparity t)=(mfsm_mparity t)) \vee ((SUBARRAY (cb_ss_in t)(1,0))= WORDN 0)))"
    ;;;
%
    Generation logic for c_grant, c_busy signals.
let Grant_Logic_SPEC = new_definition
    ('Grant_Logic_SPEC',
    "I (id:time->wordn) (rqt_:time->wordn) busy grant .
    Grant_Logic_SPEC id rqt_ busy grant =
        It:time.
            (busy t = -(ELEMENT (rqt_t) (3)) V (ELEMENT (rqt_t) (2)) V -(ELEMENT (rqt_t) (1))) }
            (grant t= ((SUBARRAY (id t) (1,0)) = WORDN 0) ^~(ELEMENT (rqt_t) (0)) V
                        ((SUBARRAY (id t) (1,0)) = WORDN 1) ^~(ELEMENT (rqt_t) (0)) ^(ELEMENT (rqt_t) (1)) \vee
                        ((SUBARRAY (id t) (1,0)) = WORDN 2) ^~(ELEMENT (rqt_t)(0))^(ELEMENT (rqt_t) (1)) ^
                                    (ELEMENT (rqt_t) (2)) V
                            ((SUBARRAY (id t) (1,0))= WORDN 3) ^~(ELEMENT (rqt_t) (0)) ^(ELEMENT (rqt_t) (1)) ^
                                    (ELEMENT (rqt_t)(2))^(ELEMENT (rqt_t) (3)))"
    ;;
%
    Generation logic for addressed signal.
let Addressed_Logic_SPEC = new_definition
    ('Addressed_Logic_SPEC',
    "I (id:time->wordn) (source:time->wordn) addressed.
    Addressed_Logic_SPEC id source addressed =
        Ittime.
            (addressed t = ((ELEMENT (id t) (0))=(ELEMENT (source t) (10))) ^
                        ((ELEMENT (id t) (1)) = (ELEMENT (source t) (11)))}
                        ((ELEMENT (id t) (2))=(ELEMENT (source t) (12)))}
                        ((ELEMENT (id t) (3)) = (ELEMENT (source t) (13)))}
                        ((ELEMENT (id t) (4)) = (ELEMENT (source t) (14)))}
                        ((ELEMENT (id t) (5)) = (ELEMENT (source t) (15))))"
    ;;
%
    Generation logic for Disable_writes signal.
let D_Writes_Logic_SPEC = new_definition
    ('D_Writes_Logic_SPEC',
    "I dfsm_slave (chan_id:time->wordn) (source:time->wordn) disable_writes .
    D_Writes_Logic_SPEC dfsm_slave chan_id source disable_writes =
        It:time.
            (disable_writes t = (dfsm_slave t) ^~((ELEMENT (chan_id t) (0)) ^(ELEMENT (source t) (6)))
                    \wedge~((ELEMENT (chan_id t) (1)) ^(ELEMENT (source t) (7)))
                    \wedge~((ELEMENT (chan_idt) (2)) ^(ELEMENT (source t) (8)))
```

```
%-----------------------------------------------------------------------
  Generation logic for c_pe signal.
-----------------------------------------------------------------------%
let Parity_Decode_Logic_SPEC = new_definition
    ('Parity_Decode_Logic_SPEC',
    "! rep cad_in cad_in_dec cad_in_det .
    Parity_Decode_Logic_SPEC rep cad_in cad_in_dec cad_in_det =
        !t:time .
            (cad_in_dec t = (Par_Dec rep (cad_in t))) /\
            (cad_in_det t = (Par_Det rep (cad_in t)))"
    );;
%-----------------------------------------------------------------------
  Input logic for C_parity latch.
-----------------------------------------------------------------------%
let Parity_Signal_Inputs_SPEC = new_definition
    ('Parity_Signal_Inputs_SPEC',
    "! rst cad_in_det clkD c_pe_cnt reset_parity
       c_parity_inS c_parity_inR c_parity_inE .
    Parity_Signal_Inputs_SPEC rst cad_in_det clkD c_pe_cnt reset_parity
                              c_parity_inS c_parity_inR c_parity_inE =
        !t:time .
            (c_parity_inS t = (cad_in_det t) /\ (clkD t) /\ (c_pe_cnt t)) /\
            (c_parity_inR t = (rst t) \/ (reset_parity t)) /\
            (c_parity_inE t = (c_parity_inS t) \/ (c_parity_inR t))"
    );;
%-----------------------------------------------------------------------
  C-Bus input latches.
-----------------------------------------------------------------------%
let CB_In_Latches_SPEC = new_definition
    ('CB_In_Latches_SPEC',
    "! clkA clkB rst (cad_in_dec:time->wordn) cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
       (source:time->wordn) (sizewrbe:time->wordn) iad_preout
       c_source c_data_in c_sizewrbe c_iad_preout .
    CB_In_Latches_SPEC clkA clkB rst cad_in_dec cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
                       source sizewrbe iad_preout
                       c_source c_data_in c_sizewrbe c_iad_preout =
        !t:time .
            ((clkA t) ==>
                ((c_source (t+1) = c_source t) /\
                 (c_data_in (t+1) = c_data_in t) /\
                 (c_sizewrbe (t+1) = c_sizewrbe t) /\
                 (c_iad_preout (t+1) = (cin_2_le t) => (c_data_in t) | (c_iad_preout t)))) /\
            ((clkB t) ==>
                ((c_source (t+1) = (rst t) => WORDN 0 |
                                   (cin_3_le t) => (cad_in_dec t) |
                                   (c_source t)) /\
                 (c_data_in (t+1) = (rst t) => MALTER (c_data_in t) (31,16) (WORDN 0) |
                                    ((cin_1_le t) /\ ~(cin_0_le t)) => MALTER (c_data_in t) (31,16) (cad_in_dec t) |
                                    (c_data_in (t+1))) /\
                 (c_data_in (t+1) = (rst t) => WORDN 0 |
                                    ((cin_0_le t) /\ ~(cin_1_le t)) => MALTER (c_data_in t) (15,0) (cad_in_dec t) |
                                    (c_data_in (t+1))) /\
                 (c_sizewrbe (t+1) = (rst t) => WORDN 0 |
                                     (cin_4_le t) => SUBARRAY (c_data_in t) (31,22) |
                                     (c_sizewrbe t)) /\
                 (c_iad_preout (t+1) = (c_iad_preout t)))) /\
            ((source t = c_source (t+1)) /\
             (sizewrbe t = c_sizewrbe (t+1)) /\
             (iad_preout t = c_iad_preout (t+1)))"
    );;
%-----------------------------------------------------------------------
  Generation logic for I_be_out_ signal.
-----------------------------------------------------------------------%
let BE_Out_Logic_SPEC = new_definition
    ('BE_Out_Logic_SPEC',
    "! (sizewrbe:time->wordn) hlda be_out .
    BE_Out_Logic_SPEC sizewrbe hlda be_out =
        !t:time .
            ((hlda t) ==> (be_out t = SUBARRAY (sizewrbe t) (9,6)))"
    );;
%-----------------------------------------------------------------------
  Generation logic for write signal.
-----------------------------------------------------------------------%
let Write_Logic_SPEC = new_definition
    ('Write_Logic_SPEC',
    "! clkA clkB (iad_in:time->wordn) sizewrbe cale_ master_tran C_wr write .
    Write_Logic_SPEC clkA clkB iad_in sizewrbe cale_ master_tran C_wr write =
        !t:time .
            ((clkA t) ==> (C_wr (t+1) = C_wr t)) /\
            ((clkB t) ==> (C_wr (t+1) = (~(cale_ t)) => (ELEMENT (iad_in t) (27)) | (C_wr t))) /\
            (write t = (master_tran t) => (C_wr (t+1)) | (ELEMENT (sizewrbe t) (5)))"
    );;
%-----------------------------------------------------------------------
  C-Bus output latches.
-----------------------------------------------------------------------%
let CB_Out_Logic_SPEC = new_definition
    ('CB_Out_Logic_SPEC',
    "! rep clkA clkB (iad_in:time->wordn) (ccr:time->wordn) dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
       C_iad_in C_a1a0 C_a3a2 .
    CB_Out_Logic_SPEC rep clkA clkB iad_in ccr dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
                      C_iad_in C_a1a0 C_a3a2 =
        !t:time .
            ((clkA t) ==>
                ((C_iad_in (t+1) = C_iad_in t) /\
                 (C_a1a0 (t+1) = (cout_1_le t) => (C_iad_in t) | (C_a1a0 t)) /\
                 (C_a3a2 (t+1) = (mfsm_mrequest t) => (ccr t) | (C_a3a2 t)))) /\
            ((clkB t) ==>
                ((C_iad_in (t+1) = (dfsm_cout_0_le t) => (iad_in t) | (C_iad_in t)) /\
                 (C_a1a0 (t+1) = C_a1a0 t) /\
                 (C_a3a2 (t+1) = C_a3a2 t))) /\
            (cad_preout t = ((cout_sel (t+1)) = WORDN 0) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (15,0))) |
                            ((cout_sel (t+1)) = WORDN 1) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (31,16))) |
                            ((cout_sel (t+1)) = WORDN 2) => (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (15,0))) |
                                                            (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (31,16))))"
    );;
%-----------------------------------------------------------------------
  C-Port Block.
-----------------------------------------------------------------------%
let C_Block_SPEC = new_definition
    ('C_Block_SPEC',
    "! (C_mfsm_stateA C_mfsm_state :time->cmfsm_ty)
       (C_sfsm_stateA C_sfsm_state :time->csfsm_ty)
       (C_efsm_stateA C_efsm_state :time->cefsm_ty)
       (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
        C_source C_data_in C_iad_in :time->wordn)
       (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
        C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
        C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
        C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
        C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
        C_efsm_srdy_en
        C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_rd_srdy C_cout_0_le_delA
        C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
        C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
        C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
        C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
        C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
        C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
        C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
        C_rrdy C_parity :time->bool)
       (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
        Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :time->bool)
       (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :time->wordn)
       (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
        Disable_writes CB_parity :time->bool)
       (I_ad_out I_be_out_ CB_ms_out CB_ss_out CB_ad_out C_ss_out :time->wordn)
       (rep:^rep_ty) .
    C_Block_SPEC (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
                  C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
                  C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en,
                  C_mfsm_abort_le_en_, C_mfsm_mparity,
                  C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1,
                  C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
                  C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en,
                  C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_rd_srdy,
                  C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out,
                  C_a1a0, C_a3a2,
                  C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy,
                  C_mfsm_write, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss,
                  C_mfsm_invalid,
                  C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed,
                  C_sfsm_hlda_, C_sfsm_ms,
                  C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
                  C_efsm_rst,
                  C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss,
                  C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
                  C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
                 (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
                  I_lock_, I_cale_, I_hlda_, I_crqt_,
                  CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
                  Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
                 (I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
                  I_ad_out, I_be_out_,
                  CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
                 rep =
        ? (grant busy mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
           mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_cm_en
           mfsm_abort_le_en_ mfsm_mparity
           sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale sfsm_sd1 sfsm_sd0
           sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity
           efsm_srdy_en
           dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le dfsm_cin_4_le
           dfsm_cout_0_le dfsm_cout_1_le dfsm_cad_en_ dfsm_male_ dfsm_rale_ dfsm_mrdy_
           last_in_inE last_in_outQ lock_in_inE lock_in_outQ clkA_outQ
           last_out_inS last_out_inR last_out_inE last_out_outQ
           sstatus_en_ sidle_del_outQ mrqt_del_outQ mstatus_en_ dfsm_srdy write
           wrdy_inD wrdy_outQ rrdy_inD rrdy_outQ wrdyA_outQ rrdyA_outQ
           i_srdy_en isrdy_inD isrdy_inE cout_0_le_del_out cin_2_le_out cout_1_le mrdy_del_out
           iad_en_s_del_outQ iad_en c_pe_cnt addressed cin_2_le cad_in_det
           c_parity_inS c_parity_inR c_parity_inE hlda :time->bool)
          (mfsm_ss mfsm_ms sfsm_ss cout_sel cad_in_dec source sizewrbe iad_preout cad_preout :time->wordn) .
        (OR2_SPEC Rst mfsm_ma1 lock_in_inE) /\
        (DRELAT_SPEC I_lock_ Rst lock_in_inE ClkB C_lock_in_ lock_in_outQ) /\
        (Last_Logic Rst ClkD mfsm_md1 mfsm_mabort last_in_inE) /\
        (DREFF_SPEC I_last_in_ last_in_inE Rst ClkB C_last_inA_ C_last_in_ last_in_outQ) /\
        (DEFFn_SPEC mfsm_ss mfsm_abort_le_en_ ClkB C_ssA C_ss C_ss_out) /\
        (DFF_SPEC ClkD ClkA C_clkA C_clkAA clkA_outQ) /\
        (Hold_Logic CB_ms_in ClkD sfsm_sa1 last_out_inS last_out_inR last_out_inE) /\
        (DSRELAT_SPEC GND last_out_inS last_out_inR last_out_inE ClkB C_last_out_ last_out_outQ) /\
        (TRIBUF_SPEC last_out_outQ hlda I_last_out_) /\
        (OR2_SPEC sfsm_sidle sfsm_sabort sstatus_en_) /\
        (DFF_SPEC sfsm_sidle ClkA C_sidle_del C_sidle_delA sidle_del_outQ) /\
        (DFF_SPEC mfsm_mrequest ClkA C_mrqt_del C_mrqt_delA mrqt_del_outQ) /\
        (Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1 cout_sel) /\
        (NOT_SPEC mfsm_cm_en mstatus_en_) /\
        (DEFF_SPEC sfsm_sidle ClkD ClkA C_hold_ C_holdA_ I_hold_) /\
        (Srdy_In_Logic_SPEC CB_ss_in dfsm_srdy) /\
        (Rdy_Logic_SPEC mfsm_md0 mfsm_md1 ClkD write dfsm_srdy wrdy_inD rrdy_inD) /\
        (DLAT_SPEC wrdy_inD ClkB C_wrdy wrdy_outQ) /\
        (DLAT_SPEC rrdy_inD ClkB C_rrdy rrdy_outQ) /\
        (DLAT_SPEC wrdy_outQ ClkA C_wrdyA wrdyA_outQ) /\
        (DLAT_SPEC rrdy_outQ ClkA C_rrdyA rrdyA_outQ) /\
        (ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ mfsm_mabort I_cale_ i_srdy_en isrdy_inD isrdy_inE) /\
        (TRIBUF_SPEC isrdy_inD isrdy_inE I_srdy_out_) /\
        (CBss_Out_Logic_SPEC sfsm_ss Pmm_failure Piu_invalid CB_ss_out) /\
        (DFF_SPEC dfsm_cout_0_le ClkA C_cout_0_le_del C_cout_0_le_delA cout_0_le_del_out) /\
        (DFF_SPEC dfsm_cin_0_le ClkA C_cin_2_le C_cin_2_leA cin_2_le_out) /\
        (Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del_out dfsm_cout_1_le cout_1_le) /\
        (DFF_SPEC dfsm_mrdy_ ClkA C_mrdy_del_ C_mrdy_delA_ mrdy_del_out) /\
        (NOT_SPEC I_hlda_ hlda) /\
        (TRIBUF_SPEC dfsm_male_ hlda I_male_out_) /\
        (TRIBUF_SPEC dfsm_rale_ hlda I_rale_out_) /\
        (TRIBUF_SPEC mrdy_del_out hlda I_mrdy_out_) /\
        (DEFF_SPEC sfsm_iad_en_s ClkD ClkA C_iad_en_s_del C_iad_en_s_delA iad_en_s_del_outQ) /\
        (Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del_outQ iad_en) /\
        (CBms_Out_Logic_SPEC mfsm_ms Pmm_failure Piu_invalid CB_ms_out) /\
        (Pe_Cnt_Logic_SPEC ClkD sfsm_sparity mfsm_mparity CB_ss_in c_pe_cnt) /\
        (Grant_Logic_SPEC Id CB_rqt_in_ busy grant) /\
        (Addressed_Logic_SPEC Id C_source addressed) /\
        (D_Writes_Logic_SPEC dfsm_slave ChannelID C_source Disable_writes) /\
        (Parity_Decode_Logic_SPEC rep CB_ad_in cad_in_dec cad_in_det) /\
        (Parity_Signal_Inputs_SPEC Rst cad_in_det ClkD c_pe_cnt Reset_error
                                   c_parity_inS c_parity_inR c_parity_inE) /\
        (DSRELAT_SPEC GND c_parity_inS c_parity_inR c_parity_inE ClkB C_parity CB_parity) /\
        (CB_In_Latches_SPEC ClkA ClkB Rst cad_in_dec dfsm_cin_0_le dfsm_cin_1_le cin_2_le dfsm_cin_3_le
                            dfsm_cin_4_le source sizewrbe iad_preout
                            C_source C_data_in C_sizewrbe C_iad_out) /\
        (BE_Out_Logic_SPEC sizewrbe hlda I_be_out_) /\
        (TRIBUF_SPEC iad_preout iad_en I_ad_out) /\
        (Write_Logic_SPEC ClkA ClkB I_ad_in sizewrbe I_cale_ mfsm_cm_en C_wr write) /\
        (CB_Out_Logic_SPEC rep ClkA ClkB I_ad_in Ccr dfsm_cout_0_le cout_1_le mfsm_mrequest cout_sel cad_preout
                           C_iad_in C_a1a0 C_a3a2) /\
        (TRIBUF_SPEC cad_preout dfsm_cad_en_ CB_ad_out) /\
        (CMFSM_SPEC ClkA ClkB efsm_srdy_en ClkD grant Rst busy write
            I_crqt_ I_hold_ last_in_outQ lock_in_outQ CB_ss_in Piu_invalid
            C_mfsm_state C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
            C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_ss C_mfsm_invalid
            C_mfsm_stateA C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2
            C_mfsm_ma1 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1
            C_mfsm_m_cout_sel0 C_mfsm_ms C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en
            C_mfsm_abort_le_en_ C_mfsm_mparity
            mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
            mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_ms
            CB_rqt_out_ I_cgnt_ mfsm_cm_en mfsm_abort_le_en_ mfsm_mparity) /\
        (CSFSM_SPEC ClkA ClkB ClkD grant Rst write addressed I_hlda_ CB_ms_in
            C_sfsm_state C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed
            C_sfsm_hlda_ C_sfsm_ms C_sfsm_stateA C_sfsm_ss C_sfsm_iad_en_s C_sfsm_sidle
            C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack
            C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
            sfsm_ss sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale
            sfsm_sd1 sfsm_sd0 sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity) /\
        (CEFSM_SPEC ClkA ClkB I_cale_ I_last_in_ I_male_in_ I_rale_in_ I_srdy_in_ Rst
            C_efsm_state C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
            C_efsm_stateA C_efsm_srdy_en efsm_srdy_en) /\
        (CDFSM_SPEC dfsm_srdy ClkD clkA_outQ write sizewrbe sfsm_sidle sidle_del_outQ sfsm_slock
            sfsm_sa1 sfsm_sa0 sfsm_sale sfsm_sd1 sfsm_sd0 sfsm_sack mfsm_midle mrqt_del_outQ
            mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0 mfsm_md1 mfsm_md0 I_cale_ I_srdy_in_
            dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le dfsm_cin_4_le
            dfsm_cout_0_le dfsm_cout_1_le dfsm_cad_en_ dfsm_male_ dfsm_rale_ dfsm_mrdy_)"
    );;

close_theory();;
```
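The following Python decoder is an added example, not code from this report or from the FTEP PIU design. It reads the C-Bus transaction-header fields exactly where the definitions above place them: Addressed_Logic_SPEC compares Id bits 0-5 with source bits 10-15; D_Writes_Logic_SPEC (whose listing is cut off above, so only the three printed conjuncts are modelled) tests chan_id bits 0-2 against source bits 6-8; CB_In_Latches_SPEC loads sizewrbe from c_data_in bits 31-22; BE_Out_Logic_SPEC exposes sizewrbe bits 9-6 as the byte enables; and Write_Logic_SPEC reads sizewrbe bit 5 as the write flag on the slave side while latching I_ad_in bit 27 on the master side. The sample header words are constructed for the example and the helper names are the example's own.

```python
"""Executable reading of the C-Bus transaction-header decode given by
Addressed_Logic_SPEC, D_Writes_Logic_SPEC, CB_In_Latches_SPEC, BE_Out_Logic_SPEC
and Write_Logic_SPEC.  Added example, not code from the report or the FTEP PIU;
only the bit positions the definitions name are used, and every sample word is
constructed here.  Helper names are this example's own."""
import random


def element(word, i):
    """ELEMENT word (i): bit i as a bool."""
    return bool((word >> i) & 1)


def subarray(word, hi, lo):
    """SUBARRAY word (hi,lo): bits hi..lo as an integer."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def addressed(piu_id, source):
    """Addressed_Logic_SPEC: Id[5:0] equal to source[15:10], bit for bit."""
    return all(element(piu_id, i) == element(source, 10 + i) for i in range(6))


def disable_writes(dfsm_slave, chan_id, source):
    """D_Writes_Logic_SPEC, the three conjuncts printed in the listing:
    a slave transaction has its writes disabled unless chan_id[2:0] and
    source[8:6] share at least one set bit."""
    return dfsm_slave and all(
        not (element(chan_id, i) and element(source, 6 + i)) for i in range(3))


def sizewrbe_from_data(c_data_in):
    """CB_In_Latches_SPEC: c_sizewrbe <- SUBARRAY c_data_in (31,22) on cin_4_le."""
    return subarray(c_data_in, 31, 22)


def be_out(sizewrbe):
    """BE_Out_Logic_SPEC: I_be_out_ is sizewrbe[9:6] while hlda is asserted."""
    return subarray(sizewrbe, 9, 6)


def write_flag(master_tran, c_wr, sizewrbe):
    """Write_Logic_SPEC: a master transaction uses the latched C_wr, a slave
    transaction reads bit 5 of sizewrbe."""
    return c_wr if master_tran else element(sizewrbe, 5)


def master_write_bit(iad_in):
    """Write_Logic_SPEC, clkB phase: C_wr is loaded from I_ad_in bit 27."""
    return element(iad_in, 27)


def decode_slave_header(piu_id, chan_id, source_word, data_word, dfsm_slave=True):
    """Combine the pieces as the slave path of C_Block_SPEC wires them."""
    szwrbe = sizewrbe_from_data(data_word)
    return {
        "addressed": addressed(piu_id, source_word),
        "write": write_flag(False, None, szwrbe),
        "byte_enables": be_out(szwrbe),
        "disable_writes": disable_writes(dfsm_slave, chan_id, source_word),
    }


def write_paths_agree(trials=1000, seed=0):
    """Bit 5 of sizewrbe is bit 27 of the header word, i.e. the same bit the
    master path latches from I_ad_in; confirm this on random 32-bit words."""
    rng = random.Random(seed)
    return all(master_write_bit(w) == write_flag(False, None, sizewrbe_from_data(w))
               for w in (rng.getrandbits(32) for _ in range(trials)))


if __name__ == "__main__":
    # Constructed sample: this PIU has Id 5 and channel mask 0b010; the header
    # names destination id 5 in bits 15:10 and channel field 0b010 in bits 8:6.
    SRC = (5 << 10) | (0b010 << 6)
    print(decode_slave_header(5, 0b010, SRC, 0xF8000000))
    print("write paths agree:", write_paths_agree())
```

The decoder makes the write-gating rule visible: a header whose channel field shares no bit with this PIU's ChannelID is still decoded, but Disable_writes is asserted for it, so the C-Port accepts the transaction while refusing to let it modify local state. The last function checks that the master and slave paths of Write_Logic_SPEC sample the same header bit.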

## B.5 SU_Cont Specification

```
%-----------------------------------------------------------------------
  File:   s_block.ml
  Author: (c) D.A. Fura 199
  Date:   31 March 199

  This file contains the ml source for the gate-level specification of the
  startup controller of the FTEP PIU, an ASIC developed by the Embedded
  Processing Laboratory, Boeing High Technology Center.
-----------------------------------------------------------------------%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm s_block.th';;

new_theory 's_block';;

map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'saux_def';'aux_def';'array_def';'wordn_def'];;

let s_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#bool#bool#
                    sfsm_ty#bool#bool#bool#bool#bool#
                    bool#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                 S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                 S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                 S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                 S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                 S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                :^s_state_ty)";;

let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
              :^s_env_ty)";;

let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
               Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
              :^s_out_ty)";;

%-----------------------------------------------------------------------
  Input logic for S_soft_shot latch.
-----------------------------------------------------------------------%
let Scnt_In_SPEC = new_definition
    ('Scnt_In_SPEC',
    "! gcrh gcrl soft_shot_inD soft_cnt_inL .
    Scnt_In_SPEC gcrh gcrl soft_shot_inD soft_cnt_inL =
        (!t:time . (soft_shot_inD t = ~gcrh t /\ gcrl t) /\
                   (soft_cnt_inL t = ~gcrh t /\ ~gcrl t))"
    );;
%-----------------------------------------------------------------------
  Input logic for S_soft_cnt counter.
-----------------------------------------------------------------------%
let Scnt_In1_SPEC = new_definition
    ('Scnt_In1_SPEC',
    "! soft_shot_outQ soft_shot_del_outQ soft_cnt_inU .
    Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU =
        (!t:time . (soft_cnt_inU t = soft_shot_outQ t /\ ~soft_shot_del_outQ t))"
    );;
%-----------------------------------------------------------------------
  Input logic for S_delay counter.
-----------------------------------------------------------------------%
let Delay_In_SPEC = new_definition
    ('Delay_In_SPEC',
    "! scpustart delay reset_cnt delay_inR .
    Delay_In_SPEC scpustart delay reset_cnt delay_inR =
        (!t:time . (delay_inR t = scpustart t /\ (ELEMENT (delay t) (6)) \/ reset_cnt t))"
    );;
%-----------------------------------------------------------------------%
let Muxes_SPEC = new_definition
    ('Muxes_SPEC',
    "! (delay:time->wordn) test instart_inD delay17 .
    Muxes_SPEC delay test instart_inD delay17 =
        (!t:time . (instart_inD t = (test t) => ELEMENT (delay t) (5) | ELEMENT (delay t) (16)) /\
                   (delay17 t = (test t) => ELEMENT (delay t) (6) | ELEMENT (delay t) (17)))"
    );;
%-----------------------------------------------------------------------
  Generation logic for Disable_int output.
-----------------------------------------------------------------------%
let Dis_Int_Out_SPEC = new_definition
    ('Dis_Int_Out_SPEC',
    "! instart normal delay disable_int_in disable_int_out .
    Dis_Int_Out_SPEC instart normal delay disable_int_in disable_int_out =
        (!t:time . (disable_int_out t = ~instart t /\ ~(normal t /\ (ELEMENT (delay t) (6)) /\ disable_int_in t)))"
    );;
%-----------------------------------------------------------------------
  Input logic for S_bad_cpu0, S_bad_cpu1 latches.
-----------------------------------------------------------------------%
let Bad_Cpu_In_SPEC = new_definition
    ('Bad_Cpu_In_SPEC',
    "! normal operation cpu0_fail cpu1_fail begin
       bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
       bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE .
    Bad_Cpu_In_SPEC normal operation cpu0_fail cpu1_fail begin
                    bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                    bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE =
        (!t:time . (bad_cpu0_inS t = begin t) /\
                   (bad_cpu0_inR t = (normal t \/ operation t) /\ ~cpu0_fail t) /\
                   (bad_cpu0_inE t = begin t \/ (normal t \/ operation t) /\ ~cpu0_fail t) /\
                   (bad_cpu1_inS t = begin t) /\
                   (bad_cpu1_inR t = (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t) /\
                   (bad_cpu1_inE t = begin t \/ (normal t \/ operation t) /\ cpu0_fail t /\ ~cpu1_fail t))"
    );;
%-----------------------------------------------------------------------
  Generation logic for local signals cpu0_ok, cpu1_ok.
-----------------------------------------------------------------------%
let Cpu_Ok_SPEC = new_definition
    ('Cpu_Ok_SPEC',
    "! soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok .
    Cpu_Ok_SPEC soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok =
        (!t:time . (cpu0_ok t = ((soft_cnt t) = WORDN 5) /\ cpu0_fail t /\ failure0_ t) /\
                   (cpu1_ok t = ((soft_cnt t) = WORDN 5) /\ cpu1_fail t /\ failure1_ t))"
    );;
%-----------------------------------------------------------------------
  Input logic for S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail latches.
-----------------------------------------------------------------------%
let Fail_In_SPEC = new_definition
    ('Fail_In_SPEC',
    "! begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
       pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
       cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE .
    Fail_In_SPEC begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
                 pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                 cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE =
        (!t:time . (pmm_fail_inS t = begin t) /\
                   (pmm_fail_inR t = pmm_fail t) /\
                   (pmm_fail_inE t = begin t \/ pmm_fail t) /\
                   (cpu0_fail_inS t = begin t) /\
                   (cpu0_fail_inR t = bypass t \/ cpu0_ok t) /\
                   (cpu0_fail_inE t = begin t \/ bypass t \/ cpu0_ok t) /\
                   (cpu1_fail_inS t = begin t) /\
                   (cpu1_fail_inR t = bypass t \/ cpu1_ok t) /\
                   (cpu1_fail_inE t = begin t \/ bypass t \/ cpu1_ok t) /\
                   (piu_fail_inS t = begin t) /\
                   (piu_fail_inR t = bypass t \/ piu_fail t) /\
                   (piu_fail_inE t = begin t \/ bypass t \/ piu_fail t))"
    );;
%-----------------------------------------------------------------------
  Startup-controller state machine.
-----------------------------------------------------------------------%
```

```
let FSM_SPEC = new_definition
    ('FSM_SPEC',
    "! clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
       state rst delay6 delay17 bothbad bypass
       stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
       stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
       sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out .
    FSM_SPEC clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
             state rst delay6 delay17 bothbad bypass
             stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
             stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
             sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out =
        !t:time .
            ((clkA t) ==>
                ((state (t+1) = state t) /\
                 (rst (t+1) = rst t) /\
                 (delay6 (t+1) = delay6 t) /\
                 (delay17 (t+1) = delay17 t) /\
                 (bothbad (t+1) = bothbad t) /\
                 (bypass (t+1) = bypass t) /\
                 (stateA (t+1) =
                    ((rst t) => SSTART |
                     ((state t) = SSTART) => SRA |
                     ((state t) = SRA) => ((delay6 t) => ((bypass t) => SO | SPF) | SRA) |
                     ((state t) = SPF) => SC0I |
                     ((state t) = SC0I) => ((delay17 t) => SC0F | SC0I) |
                     ((state t) = SC0F) => ST |
                     ((state t) = ST) => SC1I |
                     ((state t) = SC1I) => ((delay17 t) => SC1F | SC1I) |
                     ((state t) = SC1F) => SS |
                     ((state t) = SS) => ((bothbad t) => SSTOP | SCS) |
                     ((state t) = SSTOP) => SSTOP |
                     ((state t) = SCS) => ((delay6 t) => SN | SCS) |
                     ((state t) = SN) => ((delay17 t) => SO | SN) | SO)) /\
                 (sn (t+1) = (stateA (t+1) = SN)) /\
                 (so (t+1) = (stateA (t+1) = SO)) /\
                 (srcp (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
                 (sdi (t+1) = ((~(stateA (t+1) = SO) /\ ~((state t) = SSTOP)) \/ ((state t) = SRA))) /\
                 (srp (t+1) = ((stateA (t+1) = SSTART) \/ (stateA (t+1) = SRA) \/ (stateA (t+1) = SC0F) \/
                               (stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/
                               (stateA (t+1) = SCS))) /\
                 (src0 (t+1) = (~(stateA (t+1) = SPF) /\ ~(stateA (t+1) = SC0I))) /\
                 (src1 (t+1) = (~(stateA (t+1) = ST) /\ ~(stateA (t+1) = SC1I))) /\
                 (spf (t+1) = ((state t) = SRA) /\ (delay6 t) /\ ~(rst t)) /\
                 (sc0f (t+1) = (stateA (t+1) = SC0F)) /\
                 (sc1f (t+1) = (stateA (t+1) = SC1F)) /\
                 (spmf (t+1) = (stateA (t+1) = SO)) /\
                 (sb (t+1) = (stateA (t+1) = SSTART)) /\
                 (src (t+1) = ((stateA (t+1) = SSTART) \/ (((state t) = SRA) /\ (delay6 t)) \/
                               (stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1F) \/
                               (stateA (t+1) = SS) \/ (((state t) = SCS) /\ (delay6 t)))) /\
                 (sec (t+1) = ((~(stateA (t+1) = SSTOP) /\ ~(stateA (t+1) = SO)) \/ ((state t) = SN))) /\
                 (srs (t+1) = ((((state t) = SPF) /\ ~(rst t)) \/ (((state t) = ST) /\ ~(rst t)))) /\
                 (scs (t+1) = (stateA (t+1) = SCS)))) /\
            ((clkB t) ==>
                ((state (t+1) = stateA t) /\
                 (rst (t+1) = rst_in t) /\
                 (delay6 (t+1) = ELEMENT (delay_in t) (6)) /\
                 (delay17 (t+1) = delay17_in t) /\
                 (bothbad (t+1) = bothbad_in t) /\
                 (bypass (t+1) = bypass_in t) /\
                 (sn (t+1) = sn t) /\
                 (so (t+1) = so t) /\
                 (srcp (t+1) = srcp t) /\
                 (sdi (t+1) = sdi t) /\
                 (srp (t+1) = srp t) /\
                 (src0 (t+1) = src0 t) /\
                 (src1 (t+1) = src1 t) /\
                 (spf (t+1) = spf t) /\
                 (sc0f (t+1) = sc0f t) /\
                 (sc1f (t+1) = sc1f t) /\
                 (spmf (t+1) = spmf t) /\
                 (sb (t+1) = sb t) /\
                 (src (t+1) = src t) /\
                 (sec (t+1) = sec t) /\
                 (srs (t+1) = srs t) /\
                 (scs (t+1) = scs t))) /\
            (let a0 = (ALTER (stateA_out t) (0)
                         ((stateA (t+1) = SRA) \/ (stateA (t+1) = SPF) \/ (stateA (t+1) = ST) \/
                          (stateA (t+1) = SC1I) \/ (stateA (t+1) = SCS) \/ (stateA (t+1) = SN) \/
                          (stateA (t+1) = SO)))
             in
             (let a1 = (ALTER a0 (1)
                          ((stateA (t+1) = SPF) \/ (stateA (t+1) = SC0I) \/ (stateA (t+1) = SC0F) \/
                           (stateA (t+1) = ST) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SO)))
              in
              (let a2 = (ALTER a1 (2)
                           ((stateA (t+1) = SC0F) \/ (stateA (t+1) = ST) \/ (stateA (t+1) = SC1I) \/
                            (stateA (t+1) = SC1F) \/ (stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/
                            (stateA (t+1) = SCS)))
               in
               (let a3 = (ALTER a2 (3)
                            ((stateA (t+1) = SS) \/ (stateA (t+1) = SSTOP) \/ (stateA (t+1) = SCS) \/
                             (stateA (t+1) = SN) \/ (stateA (t+1) = SO)))
                in
                (stateA_out t = a3))))) /\
            (sn_out t = sn (t+1)) /\
            (so_out t = so (t+1)) /\
            (srcp_out t = srcp (t+1)) /\
            (sdi_out t = sdi (t+1)) /\
            (srp_out t = srp (t+1)) /\
            (src0_out t = src0 (t+1)) /\
            (src1_out t = src1 (t+1)) /\
            (spf_out t = spf (t+1)) /\
            (sc0f_out t = sc0f (t+1)) /\
            (sc1f_out t = sc1f (t+1)) /\
            (spmf_out t = spmf (t+1)) /\
            (sb_out t = sb (t+1)) /\
            (src_out t = src (t+1)) /\
            (sec_out t = sec (t+1)) /\
            (srs_out t = srs (t+1)) /\
            (scs_out t = scs (t+1))"
    );;
```
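The following Python model is an added illustration, not part of this report or of the FTEP PIU sources. It transcribes the stateA (t+1) conditional and the stateA_out ALTER chain of FSM_SPEC above into executable form and enumerates every input combination, the kind of lightweight check one runs over a gate-level specification before attempting a proof. The state names and bit assignments are those of FSM_SPEC; the clkB input-sampling phase and the remaining outputs are not modelled, and the list of properties checked is this example's own choice, not something the report states.

```python
"""Executable model of the startup-controller next-state function and of the
S_state encoding from FSM_SPEC, with exhaustive property checks.  Added example,
not part of the report or of the FTEP PIU sources.  Only the clkA-phase
stateA (t+1) conditional and the stateA_out ALTER chain are transcribed; the
clkB input-sampling phase and the remaining outputs are not modelled."""
from itertools import product

STATES = ("SSTART", "SRA", "SPF", "SC0I", "SC0F", "ST", "SC1I",
          "SC1F", "SS", "SSTOP", "SCS", "SN", "SO")
INPUTS = tuple(product((False, True), repeat=4))   # (delay6, delay17, bothbad, bypass)


def next_state(state, rst, delay6, delay17, bothbad, bypass):
    """stateA (t+1) as written in the clkA branch of FSM_SPEC."""
    if rst:
        return "SSTART"
    if state == "SSTART":
        return "SRA"
    if state == "SRA":
        return ("SO" if bypass else "SPF") if delay6 else "SRA"
    if state == "SPF":
        return "SC0I"
    if state == "SC0I":
        return "SC0F" if delay17 else "SC0I"
    if state == "SC0F":
        return "ST"
    if state == "ST":
        return "SC1I"
    if state == "SC1I":
        return "SC1F" if delay17 else "SC1I"
    if state == "SC1F":
        return "SS"
    if state == "SS":
        return "SSTOP" if bothbad else "SCS"
    if state == "SSTOP":
        return "SSTOP"
    if state == "SCS":
        return "SN" if delay6 else "SCS"
    if state == "SN":
        return "SO" if delay17 else "SN"
    return "SO"   # last alternative of the conditional: SO stays in SO


# Bit i of stateA_out is set for the states listed in ALTER ... (i) above.
BIT_SETS = (
    {"SRA", "SPF", "ST", "SC1I", "SCS", "SN", "SO"},        # bit 0
    {"SPF", "SC0I", "SC0F", "ST", "SSTOP", "SO"},           # bit 1
    {"SC0F", "ST", "SC1I", "SC1F", "SS", "SSTOP", "SCS"},   # bit 2
    {"SS", "SSTOP", "SCS", "SN", "SO"},                     # bit 3
)


def encode(state):
    """The 4-bit S_state value produced by the a0..a3 ALTER chain."""
    return sum(1 << i for i, s in enumerate(BIT_SETS) if state in s)


def transitions():
    """Every (from, to) pair the machine can take with rst low."""
    return {(s, next_state(s, False, *ins)) for s in STATES for ins in INPUTS}


def reachable(start, bypass, forbidden=frozenset()):
    """States reachable from start with rst low and bypass held constant,
    never entering a forbidden state (shows which states every path must pass)."""
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for d6, d17, bb in product((False, True), repeat=3):
            n = next_state(s, False, d6, d17, bb, bypass)
            if n not in seen and n not in forbidden:
                seen.add(n)
                frontier.append(n)
    return seen


def check_properties():
    """Name -> bool for each check; all are decided by exhaustive enumeration."""
    codes = {s: encode(s) for s in STATES}
    edges = {(a, b) for a, b in transitions() if a != b}
    hamming = {e: bin(codes[e[0]] ^ codes[e[1]]).count("1") for e in edges}
    return {
        "encoding_injective": len(set(codes.values())) == len(STATES),
        "rst_forces_sstart": all(next_state(s, True, *ins) == "SSTART"
                                 for s in STATES for ins in INPUTS),
        "sstop_absorbing": all(b == "SSTOP" for a, b in transitions() if a == "SSTOP"),
        "sstop_only_from_ss": {a for a, b in edges if b == "SSTOP"} == {"SS"},
        # every state change flips exactly one S_state bit, except the bypass edge
        "single_bit_except_bypass": {e for e, h in hamming.items() if h != 1} == {("SRA", "SO")},
        "both_cpu_checks_before_so": ("SO" in reachable("SSTART", False)
                                      and "SO" not in reachable("SSTART", False, {"SC0F"})
                                      and "SO" not in reachable("SSTART", False, {"SC1F"})),
        "bypass_skips_checks": ("SO" in reachable("SSTART", True, {"SPF"})
                                and "SSTOP" not in reachable("SSTART", True)),
    }


if __name__ == "__main__":
    for name, ok in check_properties().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two of the results are worth noting when reading the definition above. Without Bypass, the only route from SSTART to the operational state SO passes through both CPU-check completions SC0F and SC1F, and SSTOP is entered only from SS when bothbad holds and is never left except by reset; with Bypass asserted the machine goes SSTART, SRA, SO and can never reach SSTOP. The S_state encoding is also one-hot-free but Gray-like: every state change except the bypass shortcut SRA to SO changes exactly one bit of the externally visible state word.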
%
Startup controller block.

% One argument line of the FSM_SPEC instance below (S_fsm_spf through S_fsm_srs) was lost in
  extraction of this listing and has been restored from the S_Block_SPEC argument list. %
let S_Block_SPEC = new_definition
   ('S_Block_SPEC',
    "!(S_fsm_stateA S_fsm_state :(time->sfsm_ty))
      (S_soft_cntA S_delayA S_soft_cnt S_delay :(time->wordn))
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
       S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs
       S_soft_shot S_soft_shot_delA S_instart S_cpu_histA
       S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
       S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
       S_piu_fail S_cpu_hist :(time->bool))
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :(time->bool))
      (S_state :(time->wordn))
      (Reset_cport Disable_int Reset_piu Reset_cpu0 Reset_cpu1 Cpu_hist Piu_fail Cpu0_fail Cpu1_fail
       Pmm_fail :(time->bool)).
     S_Block_SPEC (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                   S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                   S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                   S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                   S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                   S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                  (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
                  (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
                   Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail) =
     (!t:time.
      ?fsm_delay17 fsm_bothbad
       fsm_sn fsm_so fsm_sdi fsm_src0 fsm_src1 fsm_spf fsm_sc0f fsm_sc1f fsm_spmf fsm_sb
       fsm_src fsm_sec fsm_srs fsm_scs NC
       soft_shot_inD soft_shot_outQ soft_shot_del_outQ
       soft_cnt_inL soft_cnt_inU soft_cnt_inR soft_cnt_outQ
       delay_inL delay_inU delay_inR delay_outQ instart_inD instart_outQ
       bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE bad_cpu0_outQ reset_cpu0_inD
       bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE bad_cpu1_outQ reset_cpu1_inD cpu_hist_inD
       cpu0_ok cpu1_ok
       pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
       cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE.
      (Scnt_In_SPEC Gcrh Gcrl soft_shot_inD soft_cnt_inL) /\
      (DLAT_SPEC soft_shot_inD ClkA S_soft_shot soft_shot_outQ) /\
      (DFF_SPEC soft_shot_outQ ClkA S_soft_shot_del S_soft_shot_delA soft_shot_del_outQ) /\
      (Scnt_Inl_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU) /\
      (UPRCNT_SPEC 2 (GNDN 2) soft_cnt_inL soft_cnt_inU soft_cnt_inR ClkA S_soft_cnt S_soft_cntA
                   soft_cnt_outQ NC) /\
      (Delay_In_SPEC fsm_scs delay_outQ fsm_src delay_inR) /\
      (UPRCNT_SPEC 17 (GNDN 17) delay_inL delay_inU delay_inR ClkA S_delay S_delayA delay_outQ NC) /\
      (Muxes_SPEC delay_outQ Test instart_inD fsm_delay17) /\
      (DLAT_SPEC instart_inD ClkA S_instart instart_outQ) /\
      (Dis_Int_Out_SPEC instart_outQ fsm_sn delay_outQ fsm_sdi Disable_int) /\
      (AND2_SPEC Cpu0_fail Cpu1_fail fsm_bothbad) /\
      (Bad_Cpu_In_SPEC fsm_sn fsm_so Cpu0_fail Cpu1_fail fsm_sb
                       bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                       bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE) /\
      (DSRELAT_SPEC GND bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE ClkB S_bad_cpu0 bad_cpu0_outQ) /\
      (DSRELAT_SPEC GND bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE ClkB S_bad_cpu1 bad_cpu1_outQ) /\
      (AND2_SPEC bad_cpu0_outQ fsm_src0 reset_cpu0_inD) /\
      (AND2_SPEC bad_cpu1_outQ fsm_src1 reset_cpu1_inD) /\
      (DLAT_SPEC reset_cpu0_inD ClkB S_reset_cpu0 Reset_cpu0) /\
      (DLAT_SPEC reset_cpu1_inD ClkB S_reset_cpu1 Reset_cpu1) /\
      (AND3_SPEC Reset_cpu0 Reset_cpu1 Bypass cpu_hist_inD) /\
      (DFF_SPEC cpu_hist_inD ClkB S_cpu_histA S_cpu_hist Cpu_hist) /\
      (Fail_In_SPEC fsm_sb fsm_spmf fsm_spf Bypass cpu0_ok cpu1_ok
                    pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                    cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE) /\
      (DSRELAT_SPEC GND pmm_fail_inS pmm_fail_inR pmm_fail_inE ClkB S_pmm_fail Pmm_fail) /\
      (DSRELAT_SPEC GND cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE ClkB S_cpu0_fail Cpu0_fail) /\
      (DSRELAT_SPEC GND cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE ClkB S_cpu1_fail Cpu1_fail) /\
      (DSRELAT_SPEC GND piu_fail_inS piu_fail_inR piu_fail_inE ClkB S_piu_fail Piu_fail) /\
      (Cpu_Ok_SPEC soft_cnt_outQ fsm_sc0f fsm_sc1f Failure0_ Failure1_ cpu0_ok cpu1_ok) /\
      (FSM_SPEC ClkA ClkB Rst delay_outQ fsm_delay17 fsm_bothbad Bypass
                S_fsm_state S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
                S_fsm_stateA S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1
                S_fsm_spf S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs
                S_fsm_scs
                S_state fsm_sn fsm_so Reset_cport fsm_sdi Reset_piu fsm_src0 fsm_src1 fsm_spf
                fsm_sc0f fsm_sc1f fsm_spmf fsm_sb fsm_src fsm_sec fsm_srs fsm_scs))"
   );;
close_theory();;
```

\section*{Appendix C ML Source for the Phase-Level Specification of the PIU Ports.}

This appendix contains the HOL models used in the phase-level specification for the PIU ports. They are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

\section*{C.1 P Port Specification}

```
%
  File: P_phase.ml

  Author: (c) D.A. Fura 1992

  Date: 31 March 1992

  This file contains the ml source for the phase-level specification of the P-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
  The bulk of this code was translated from an M-language simulation program using a translator
  written by P.J. Windley at the University of Idaho.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm p_phase.th';;
new_theory 'p_phase';;
map new_parent ['paux_def';'aux_def';'array_def';'wordn_def'];;

let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
                    pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool)";;
let P_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                 P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                 P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                 P_lock_inh_, P_male_, P_rale_)
                :(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#wordn#bool#bool#
                  pfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool))";;
let p_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool))";;
let p_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
               I_mrdy_, I_last_, I_hlda_, I_lock_)
              :(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool))";;

%
  Next-state definition for Phase-A instruction.
%
let PH_A_inst_def = new_definition
   ('PH_A_inst',
    "!(P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
     PH_A_inst (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                P_lock_inh_, P_male_, P_rale_)
               (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let new_P_fsm_stateA =
        ((P_fsm_rst) => PA |
         ((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
          ((P_fsm_state = PA) =>
            ((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
             ((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
           ((P_fsm_state = PD) =>
             (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
              ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
     let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
     let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
     let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
     let new_P_wr_data = L_ad_in in
     let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
     let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
     let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
     let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
     let new_P_be_n_ = L_be_ in
     let new_P_loadA = P_load in
     let new_P_downA = P_down in
     let new_P_sizeA = P_size in
     let new_P_fsm_state = P_fsm_state in
     let new_P_fsm_rst = P_fsm_rst in
     let new_P_fsm_mrqt = P_fsm_mrqt in
     let new_P_fsm_sack = P_fsm_sack in
     let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
     let new_P_fsm_crqt_ = P_fsm_crqt_ in
     let new_P_fsm_hold_ = P_fsm_hold_ in
     let new_P_fsm_lock_ = P_fsm_lock_ in
     let new_P_rqt = P_rqt in
     let new_P_size = P_size in
     let new_P_load = P_load in
     let new_P_down = P_down in
     let new_P_lock_ = P_lock_ in
     let new_P_lock_inh_ = P_lock_inh_ in
     let new_P_male_ = P_male_ in
     let new_P_rale_ = P_rale_ in
     (new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_dest1,
      new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
      new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
      new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
   );;
%
  Output definition for Phase-A instruction.
  (The third quantifier line below was lost in extraction of this listing and is restored
  from PH_A_inst, whose quantifier prefix is identical.)
%
let PH_A_out_def = new_definition
   ('PH_A_out',
    "!(P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
     PH_A_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
               P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
               P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
               P_lock_inh_, P_male_, P_rale_)
              (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let new_P_fsm_stateA =
        ((P_fsm_rst) => PA |
         ((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
          ((P_fsm_state = PA) =>
            ((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
             ((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
           ((P_fsm_state = PD) =>
             (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
              ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
     let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
     let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
     let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
     let new_P_wr_data = L_ad_in in
     let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
     let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
     let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
     let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
     let new_P_be_n_ = L_be_ in
     let new_P_loadA = P_load in
     let new_P_downA = P_down in
     let new_P_sizeA = P_size in
     let new_P_fsm_state = P_fsm_state in
     let new_P_fsm_rst = P_fsm_rst in
     let new_P_fsm_mrqt = P_fsm_mrqt in
     let new_P_fsm_sack = P_fsm_sack in
     let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
     let new_P_fsm_crqt_ = P_fsm_crqt_ in
     let new_P_fsm_hold_ = P_fsm_hold_ in
     let new_P_fsm_lock_ = P_fsm_lock_ in
     let new_P_rqt = P_rqt in
     let new_P_size = P_size in
     let new_P_load = P_load in
     let new_P_down = P_down in
     let new_P_lock_ = P_lock_ in
     let new_P_lock_inh_ = P_lock_inh_ in
     let new_P_male_ = P_male_ in
     let new_P_rale_ = P_rale_ in
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ new_P_fsm_dstate) in
     let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
     let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
     let od0 = ARBN in
     let od1 = (MALTER od0 (31,27) new_P_be_) in
     let od2 = (ALTER od1 (26) F) in
     let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
     let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
     let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
     let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
     let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
     let I_rale_ = ((new_P_fsm_hlda_) =>
                    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_male_ = ((new_P_fsm_hlda_) =>
                    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
     let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
     let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
     let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
     let I_hlda_ = new_P_fsm_hlda_ in
     let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
     (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
      I_crqt_, L_ad_out)"
   );;

%
  Next-state definition for Phase-B instruction.
%
let PH_B_inst_def = new_definition
   ('PH_B_inst',
    "!(P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
     PH_B_inst (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
                P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
                P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                P_lock_inh_, P_male_, P_rale_)
               (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
     let new_P_rqt = ((p_ale /\ ~(p_sack \/ Rst)) => T |
                      ((~p_ale /\ (p_sack \/ Rst)) => F |
                       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
     let new_P_load = ~new_P_rqt in
     let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
     let new_P_size = ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
                       ((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
     let new_P_male_ = ((P_fsm_astate) =>
                        ~(~P_dest1 /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
     let new_P_rale_ = ((P_fsm_astate) =>
                        ~(~P_dest1 /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
     let new_P_lock_ = ((Rst) => T |
                        ((P_fsm_dstate) => L_lock_ | P_lock_)) in
     let new_P_lock_inh_ = ((Rst) => T |
                            ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
     let new_P_fsm_state = P_fsm_stateA in
     let new_P_fsm_rst = Rst in
     let new_P_fsm_mrqt = (~P_dest1 /\ new_P_rqt) in
     let new_P_fsm_sack = p_sack in
     let new_P_fsm_cgnt_ = I_cgnt_ in
     let new_P_fsm_crqt_ = ~(P_dest1 /\ new_P_rqt) in
     let new_P_fsm_hold_ = I_hold_ in
     let new_P_fsm_lock_ = new_P_lock_ in
     let new_P_fsm_stateA = P_fsm_stateA in
     let new_P_fsm_astate = P_fsm_astate in
     let new_P_fsm_dstate = P_fsm_dstate in
     let new_P_fsm_hlda_ = P_fsm_hlda_ in
     let new_P_wr_data = P_wr_data in
     let new_P_addr = P_addr in
     let new_P_dest1 = P_dest1 in
     let new_P_be_ = P_be_ in
     let new_P_wr = P_wr in
     let new_P_be_n_ = P_be_n_ in
     let new_P_sizeA = P_sizeA in
     let new_P_loadA = P_loadA in
     let new_P_downA = P_downA in
     (new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_dest1,
      new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
      new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
      new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
   );;
%
  Output definition for Phase-B instruction.
%
let PH_B_out_def = new_definition
   ('PH_B_out',
    "!(P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool) (L_ad_in L_be_ I_ad_in :wordn).
     PH_B_out (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
               P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
               P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
               P_lock_inh_, P_male_, P_rale_)
              (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
     let new_P_rqt = ((p_ale /\ ~(p_sack \/ Rst)) => T |
                      ((~p_ale /\ (p_sack \/ Rst)) => F |
                       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
     let new_P_load = ~new_P_rqt in
     let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
     let new_P_size = ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
                       ((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
     let new_P_male_ = ((P_fsm_astate) =>
                        ~(~P_dest1 /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
     let new_P_rale_ = ((P_fsm_astate) =>
                        ~(~P_dest1 /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
     let new_P_lock_ = ((Rst) => T |
                        ((P_fsm_dstate) => L_lock_ | P_lock_)) in
     let new_P_lock_inh_ = ((Rst) => T |
                            ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
     let new_P_fsm_state = P_fsm_stateA in
     let new_P_fsm_rst = Rst in
     let new_P_fsm_mrqt = (~P_dest1 /\ new_P_rqt) in
     let new_P_fsm_sack = p_sack in
     let new_P_fsm_cgnt_ = I_cgnt_ in
     let new_P_fsm_crqt_ = ~(P_dest1 /\ new_P_rqt) in
     let new_P_fsm_hold_ = I_hold_ in
     let new_P_fsm_lock_ = new_P_lock_ in
     let new_P_fsm_stateA = P_fsm_stateA in
     let new_P_fsm_astate = P_fsm_astate in
     let new_P_fsm_dstate = P_fsm_dstate in
     let new_P_fsm_hlda_ = P_fsm_hlda_ in
     let new_P_wr_data = P_wr_data in
     let new_P_addr = P_addr in
     let new_P_dest1 = P_dest1 in
     let new_P_be_ = P_be_ in
     let new_P_wr = P_wr in
     let new_P_be_n_ = P_be_n_ in
     let new_P_sizeA = P_sizeA in
     let new_P_loadA = P_loadA in
     let new_P_downA = P_downA in
     let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
     let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
     let od0 = ARBN in
     let od1 = MALTER od0 (31,27) new_P_be_ in
     let od2 = ALTER od1 (26) F in
     let od3 = MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0)) in
     let od4 = MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2)) in
     let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
     let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
     let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
     let I_rale_ = ((new_P_fsm_hlda_) =>
                    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_male_ = ((new_P_fsm_hlda_) =>
                    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
     let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
     let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
     let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
     let I_hlda_ = new_P_fsm_hlda_ in
     let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
     (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
      I_crqt_, L_ad_out)"
   );;

close_theory();;
```

\section*{C.2 M Port Specification}

```
%
  File: m_phase.ml

  Author: (c) D.A. Fura 1992

  Date: 31 March 1992

  This file contains the ml source for the phase-level specification of the M-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
  The bulk of this code was translated from an M-language simulation program using a translator
  written by P.J. Windley at the University of Idaho.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm m_phase.th';;
new_theory 'm_phase';;
loadf 'abstract';;
map new_parent ['maux_def';'aux_def';'array_def';'wordn_def'];;

let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                    mfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn#bool#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                 M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                 M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                 M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
                :^m_state_ty)";;
let m_env_ty = ":(bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#bool)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^m_env_ty)";;
let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              :^m_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;

%
  Next-state definition for Phase-A instruction.
%
let PH_A_inst_def = new_definition
   ('PH_A_inst',
    "!(M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool).
     PH_A_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
                M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
                M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
               (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
                I_mrdy_, MB_data_in, Edac_en_, Reset_parity) =
     let new_M_fsm_stateA =
        ((M_fsm_rst) => MI |
         ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
          ((M_fsm_state = MA) =>
            ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
             ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
           ((M_fsm_state = MR) =>
             ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
              ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
               ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
            ((M_fsm_state = MRR) => MI |
             ((M_fsm_state = MW) =>
               ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
                ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
              ((M_fsm_state = MBW) => MW | M_ILL))))))) in
     let new_M_fsm_address = (new_M_fsm_stateA = MA) in
     let new_M_fsm_read = (new_M_fsm_stateA = MR) in
     let new_M_fsm_write = (new_M_fsm_stateA = MW) in
     let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
     let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
     let new_M_addrA = M_addr in
     let new_M_beA = M_be in
     let new_M_countA = M_count in
     let new_M_rdyA = M_rdy in
     let new_M_rd_dataA = M_rd_data in
     let new_M_fsm_state = M_fsm_state in
     let new_M_fsm_male_ = M_fsm_male_ in
     let new_M_fsm_rd = M_fsm_rd in
     let new_M_fsm_bw = M_fsm_bw in
     let new_M_fsm_ww = M_fsm_ww in
     let new_M_fsm_last_ = M_fsm_last_ in
     let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
     let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
     let new_M_fsm_rst = M_fsm_rst in
     let new_M_se = M_se in
     let new_M_wr = M_wr in
     let new_M_addr = M_addr in
     let new_M_be = M_be in
     let new_M_count = M_count in
     let new_M_rdy = M_rdy in
     let new_M_wwdel = M_wwdel in
     let new_M_parity = M_parity in
     let new_M_rd_data = M_rd_data in
     let new_M_detect = M_detect in
     (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
      new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
      new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
      new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
      new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
   );;
    %
Output definition for Phase-A instruction.
let PH_A_out_def = new_defnition
('PH_A_out',
"I (M_fsm_stateA M_fsm_state :mfsm_ty)
(M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
(M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_M_fsm_mrdy_M_fsm_zero_cnt M_fsm_rst
M_se M_wr M_rdy M_wwdel M_parity :bool)
(I_ad_in I_be_MB_data_in :wordn)
(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_I_last_I_mrdy_Edac_en_Reset_parity :bool)
(rep:^rep_ty).
PH_A_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
(ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
rep =
let new_M_fsm_stateA =
(M_fsm_rst) => MI I
((M_fsm_state = MD) => ((~M_fsm_male_) => MA | MD) |
((M_fsm_state = MA) =>
((~M_fsm_mrdy_ ^M_fsm_ww) => MW I
((~M_fsm_mrdy_ ^(M_fsm_rd VM_fsm_bw)) => MR | MA ))|
((M_fsm_state = MR) =>
((M_fsm_bw ^M_fsm_zero_cnt) => MBW I
((M_fsm_last_ ^M_fsm_rd ^M_fsm_zero_cnt) => MA |
((~M_fsm_last_^M_fsm_rd ^M_fsm_zero_cnt) => MRR I MR)))।
((M_fsm_state =MRR) => MI I
((M_fsm_state = MW) =>
((~M_fsm_last_ ^M_fsm_zero_cnt) => MI|
((M_fsm_last_ ^M_fsm_zero_cnt) => MA MW)) |
((M_fsm_state = MBW) => MW (M_ILL))))))) in
let new_M_fsm_address = (new_M_fsm_stateA = MA) in
let new_M_fsm_read = (new_M_fsm_stateA = MR) in

```
let new_M_fsm_write \(=(\) new_M_fsm_stateA \(=\mathbf{M W})\) in
let new_M_fsm_byte_write \(=(\) new_M_fsm_stateA \(=\mathbf{M B W})\) in
let new_M_fsm_mem_enable \(=\left(\sim\left(n e w \_M_{-} f s m_{-}\right.\right.\)state \(\left.A=M I\right)\) in
let new_M_addrA = M_addr in
let new_M_beA = M_be in
let new_M_countA \(=M_{-}\)count in
let new_M_rdyA = M_rdy in
let new_M_rd_dataA \(=M_{\text {_ }}\) rd_data in
let new_M_fsm_state \(=M_{-}\)fsm_state in
let new_M_fsm_male_ = M_fsm_male_in
let new_M_fsm_rd = M_fsm_rd in
let new_M_fsm_bw = M_fsm_bw in
let new_M_fsm_ww = M_fsm_ww in
let new_M_fsm_last_ = M_fsm_last_ in
let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
let new_M_fsm_rst = M_fsm_rst in
let new_M_se = M_se in
let \(n e w_{-} M_{-} w r=M_{-} w r\) in
let new_M_addr = M_addr in
let new_M_be = M_be in
let new_M_count = M_count in
let new_M_rdy = M_rdy in
let new_M_wwdel = M_wwdel in
let new_M_parity = M_parity in
let new_M_rd_data \(=\) M_rd_data in
let new_M_detect \(=M_{-}\)detect in
let \(\mathrm{m}_{-}\)rdy \(=((\)new_M_fsm_write \(\Lambda(\) new_M_countA \(=(\) WORDN 1) \())\)
\(V(\) new_M_fsm_read \(\Lambda(\) new_M_countA \(=(\) WORDN 1\()) \wedge \sim\) new_M_wr) \()\) in
let \(m_{-}\)srdy_ \(=\sim\left(\left(\right.\right.\) new_M_rdyA \(\left.\wedge \sim n e w_{-} M_{-} w r\right) \vee\left(m_{-}\right.\)rdy \(\wedge\) new_M_wr \()\) in
let mb_data_7_ \(0=\left((E L E M E N T\right.\) new_M_beA \((0)) \Rightarrow\left(S U B A R R A Y I_{-}\right.\)ad_in \(\left.(7,0)\right) \mid\) (SUBARRAY new_M_rd_dataA \(\left.(7,0)\right)\) in let mb_data_15_8 \(=((E L E M E N T\) new_M_beA \((1)) \Rightarrow(S U B A R R A Y\) I_ad_in \((15,8))\) ( (SUBARRAY new_M_rd_dataA
\((15,8))\) ) in
let mb_data_23_16 = ((ELEMENT new_M_beA (2)) \(\Rightarrow\) (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA
\((23,16)\) ) in
let mb_data_31_24 = ((ELEMENT new_M_beA (3)) \(\Rightarrow\) (SUBARRAY I_ad_in (31,24)) |(SUBARRAY new_M_rd_dataA
\((31,24))\) ) in
let mb_data \(=(\) (MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
\((15,8)\) mb_data_15_8)
\((23,16)\) mb_data_23_16)
\((31,24)\) mb_data_31_24)) in
let I_ad_out \(=((\sim\) new_M_wr \(\wedge\) new_M_fsm_mem_enable \() \Rightarrow\) new_M_rd_dataA \(\mid\) ARBN \()\) in
let \(l_{-}\)srdy_ \(=\left((\right.\)new_M_fsm_mem_enable \() \Rightarrow m_{-}\)srdy_ \(\left.\mid A R B\right)\) in
let MB_addr \(=((\) new_M_rdyA \() \Rightarrow(\) INCN 18 new_M_addrA \() \mid\) new_M_addrA \(A)\) in
let MB_data_out \(=((\) new_M_fsm_write \() \Rightarrow\) (Ham_Enc rep mb_data) \(\mid\) ARBN \()\) in
let MB_cs_eeprom_ \(=\sim\) (new_M_fsm_mem_enable \(\Lambda \sim\) new_M_se) in

let MB_we_ \(=-\) ((new_M_se \(V \sim\) new_M_fsm_mem_enable \(V \sim\) Disable_eeprom)
\(\wedge\)-Disable_writes
\(\Lambda\) (new_M_fsm_byte_write \(V\) new_M_fsm_write \(V\) new_M_wwdel) ) in
let \(M_{B}\) oe_ \(=-((\sim\) new_M_wr \(\wedge\) new_M_fsm_address \() V\) new_M_fsm_read) in
let MB_parity = new_M_parity in
(I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"

```
% Next-state definition for Phase-B instruction. %
let PH_B_inst_def = new_definition
  ('PH_B_inst',
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty).
    PH_B_inst (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
               M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
               M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
               M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
              (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              rep =
  let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
  let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
  let new_M_addr =
    ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
     ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
  let new_M_count =
    ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
     ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
  let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
               \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
  let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
  let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
  let new_M_rdy = m_rdy in
  let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
  let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
  let new_M_detect =
    (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
      ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
  let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
  let new_M_parity =
    ((m_error /\ ~(Rst \/ Reset_parity)) => T |
     ((~m_error /\ (Rst \/ Reset_parity)) => F |
     ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
  let new_M_fsm_state = M_fsm_stateA in
  let new_M_fsm_male_ = I_male_ in
  let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_last_ = I_last_ in
  let new_M_fsm_mrdy_ = I_mrdy_ in
  let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
  let new_M_fsm_rst = Rst in
  let new_M_fsm_stateA = M_fsm_stateA in
  let new_M_fsm_address = M_fsm_address in
  let new_M_fsm_read = M_fsm_read in
  let new_M_fsm_write = M_fsm_write in
  let new_M_fsm_byte_write = M_fsm_byte_write in
  let new_M_fsm_mem_enable = M_fsm_mem_enable in
  let new_M_addrA = M_addrA in
  let new_M_beA = M_beA in
  let new_M_countA = M_countA in
  let new_M_rdyA = M_rdyA in
  let new_M_rd_dataA = M_rd_dataA in
  (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
   new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
   new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
   new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
   new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
  );;
```
```
% Output definition for Phase-B instruction. %
let PH_B_out_def = new_definition
  ('PH_B_out',
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty).
    PH_B_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
              M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd,
              M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr,
              M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
             (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
              I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
             rep =
  let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
  let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
  let new_M_addr =
    ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
     ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
  let new_M_count =
    ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
     ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
  let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0)))
               \/ (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
  let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
  let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
  let new_M_rdy = m_rdy in
  let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
  let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
  let new_M_detect =
    (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
      ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
  let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
  let new_M_parity =
    ((m_error /\ ~(Rst \/ Reset_parity)) => T |
     ((~m_error /\ (Rst \/ Reset_parity)) => F |
     ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
  let new_M_fsm_state = M_fsm_stateA in
  let new_M_fsm_male_ = I_male_ in
  let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
  let new_M_fsm_last_ = I_last_ in
  let new_M_fsm_mrdy_ = I_mrdy_ in
  let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
  let new_M_fsm_rst = Rst in
  let new_M_fsm_stateA = M_fsm_stateA in
  let new_M_fsm_address = M_fsm_address in
  let new_M_fsm_read = M_fsm_read in
  let new_M_fsm_write = M_fsm_write in
  let new_M_fsm_byte_write = M_fsm_byte_write in
  let new_M_fsm_mem_enable = M_fsm_mem_enable in
  let new_M_addrA = M_addrA in
  let new_M_beA = M_beA in
  let new_M_countA = M_countA in
  let new_M_rdyA = M_rdyA in
  let new_M_rd_dataA = M_rd_dataA in
  let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1)))
               \/ (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
  let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
  let mb_data_7_0 =
    ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
  let mb_data_15_8 =
    ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
  let mb_data_23_16 =
    ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
  let mb_data_31_24 =
    ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in
  let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
                                         (15,8) mb_data_15_8)
                                 (23,16) mb_data_23_16)
                         (31,24) mb_data_31_24)) in
  let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
  let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
  let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
  let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
  let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
  let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
  let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom)
                 /\ ~Disable_writes
                 /\ (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
  let MB_oe_ = ~((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
  let MB_parity = new_M_parity in
  (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
  );;
```
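The M-Port definitions above are easier to exercise as an executable model than as nested HOL conditionals. The following is an added example, not code from the report or from the FTEP PIU project: a Python transcription of the new_M_fsm_stateA transition function (from PH_A_inst) and of the MB_cs_eeprom_, MB_cs_sram_ and MB_we_ output equations (from PH_A_out). The class and function names are mine; the state names, signal names and boolean structure follow the listing, with trailing-underscore signals active-low as in the HOL source. The last function sweeps every phase-A state and chip-select combination to check when the write strobe can be asserted under the two external write-protect inputs.

```python
"""Executable model of the M-Port phase-A FSM and memory-bus strobes.

Added example, not code from the report or the FTEP PIU project: a Python
transcription of new_M_fsm_stateA (PH_A_inst) and of the MB_cs_eeprom_,
MB_cs_sram_ and MB_we_ equations (PH_A_out) above.  Class and function
names are this example's own; signal names ending in '_' are active-low,
as in the HOL source.
"""
from dataclasses import dataclass
from enum import Enum, auto


class MFsm(Enum):
    """Values of mfsm_ty as they appear in the definitions above."""
    MI = auto()
    MD = auto()
    MA = auto()
    MR = auto()
    MRR = auto()
    MW = auto()
    MBW = auto()
    M_ILL = auto()


@dataclass(frozen=True)
class MFsmRegs:
    """Phase-B registered inputs consulted by the phase-A transition."""
    state: MFsm
    rst: bool = False
    male_: bool = True      # address latch enable, active low
    mrdy_: bool = True      # memory ready, active low
    last_: bool = True      # last transfer, active low
    rd: bool = False        # read cycle
    bw: bool = False        # byte write cycle
    ww: bool = False        # word write cycle
    zero_cnt: bool = False  # transfer counter reached zero


def next_state_a(r: MFsmRegs) -> MFsm:
    """new_M_fsm_stateA, branch for branch as in PH_A_inst.

    A state without its own branch (MI is not tested in the listing) falls
    through to M_ILL, exactly as the nested conditional does."""
    if r.rst:
        return MFsm.MI
    if r.state is MFsm.MD:
        return MFsm.MA if not r.male_ else MFsm.MD
    if r.state is MFsm.MA:
        if not r.mrdy_ and r.ww:
            return MFsm.MW
        if not r.mrdy_ and (r.rd or r.bw):
            return MFsm.MR
        return MFsm.MA
    if r.state is MFsm.MR:
        if r.bw and r.zero_cnt:
            return MFsm.MBW
        if r.last_ and r.rd and r.zero_cnt:
            return MFsm.MA
        if not r.last_ and r.rd and r.zero_cnt:
            return MFsm.MRR
        return MFsm.MR
    if r.state is MFsm.MRR:
        return MFsm.MI
    if r.state is MFsm.MW:
        if not r.last_ and r.zero_cnt:
            return MFsm.MI
        if r.last_ and r.zero_cnt:
            return MFsm.MA
        return MFsm.MW
    if r.state is MFsm.MBW:
        return MFsm.MW
    return MFsm.M_ILL


def bus_strobes(state_a: MFsm, se: bool, wwdel: bool,
                disable_eeprom: bool, disable_writes: bool) -> dict:
    """MB_cs_eeprom_, MB_cs_sram_ and MB_we_ from PH_A_out (all active low).

    se selects SRAM (True) or EEPROM (False); wwdel is the word-write delay
    flag; the two Disable_* inputs are the external write-protect pins."""
    mem_enable = state_a is not MFsm.MI          # new_M_fsm_mem_enable
    write = state_a is MFsm.MW                   # new_M_fsm_write
    byte_write = state_a is MFsm.MBW             # new_M_fsm_byte_write
    cs_eeprom_ = not (mem_enable and not se)
    cs_sram_ = not (mem_enable and se)
    we_ = not ((se or not mem_enable or not disable_eeprom)
               and not disable_writes
               and (byte_write or write or wwdel))
    return {"MB_cs_eeprom_": cs_eeprom_, "MB_cs_sram_": cs_sram_, "MB_we_": we_}


def write_strobe_reachable(disable_eeprom: bool, disable_writes: bool) -> bool:
    """Exhaustively test whether MB_we_ can be asserted (low) for any
    phase-A state, chip select and wwdel value under the given protect pins."""
    return any(
        not bus_strobes(st, se, wwdel, disable_eeprom, disable_writes)["MB_we_"]
        for st in MFsm for se in (False, True) for wwdel in (False, True)
    )
```

Two properties of the listing fall out directly: with Disable_writes asserted the `~Disable_writes` conjunct makes MB_we_ inactive for every state, and with Disable_eeprom asserted a write cycle aimed at the EEPROM (se false) leaves MB_we_ inactive while the same cycle aimed at the SRAM (se true) drives it.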

## C.3 R Port Specification

```
%----------------------------------------------------------------------------
  File:   r_phase.ml
  Author: (c) D.A. Fura 199
  Date:   31 March 199

  This file contains the ml source for the phase-level specification of the
  R-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.  The bulk of this code was
  translated from an M-language simulation program using a translator
  written by P.J. Windley at the University of Idaho.
%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/ib/']);;

system 'rm r_phase.th';;

new_theory 'r_phase';;

loadf 'abstract';;

map new_parent ['raux_def';'aux_def';'array_def';'wordn_def'];;

let r_state_ty = ":(rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#
                    wordn#bool#wordn#wordn#wordn#
                    rfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#wordn#
                    bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#
                    bool#wordn#wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool)";;

let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
                 R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
                 R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
                 R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
                 R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
                 R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
                 R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
                 R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
                 R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
                 R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
                 R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
                 R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
                 R_sr_rden)
                :^r_state_ty)";;

let r_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                  wordn#wordn#wordn#bool#bool#wordn)";;

let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
               Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;
```

```
let PH_A_inst_def = new_definition
  ('PH_A_inst',
   "! (rep:^rep_ty)
      (R_fsm_stateA R_fsm_state :rfsm_ty)
      (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
       R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new
       R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask
       R_icr R_ccr R_gcr R_sr :wordn)
      (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
       R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin
       R_ctr1_ce R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
       R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
       R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
       R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel
       R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
       R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
      (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
       CB_parity MB_parity :bool).
    PH_A_inst rep
      (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
       R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
       R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
       R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
       R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
       R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
       R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
       R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
       R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
       R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
       R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
       R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
       R_sr_rden)
      (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
  let new_R_fsm_stateA =
    ((R_fsm_rst) => RI |
     ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
     ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
     ((~R_fsm_last_) => RI | RA)))) in
  let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
  let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
  let new_R_cntlatch_delA = R_cntlatch_del in
  let new_R_srdy_delA_ = R_srdy_del_ in
  let new_R_reg_selA = R_reg_sel in
  let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
  let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
  let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
  let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
  let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
  let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
  let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
  let new_R_ctr0_cin = T in
  let new_R_ctr0_outA = R_ctr0_new in
  let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
  let new_R_ctr1_ce = T in
  let new_R_ctr1_cin = R_ctr0_cry in
  let new_R_ctr1_outA = R_ctr1_new in
  let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
  let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
  let new_R_ctr2_cin = T in
  let new_R_ctr2_outA = R_ctr2_new in
  let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
  let new_R_ctr3_ce = T in
  let new_R_ctr3_cin = R_ctr2_cry in
  let new_R_ctr3_outA = R_ctr3_new in
  let new_R_icr_loadA = R_icr_load in
  let new_R_icr_oldA =
    (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
  let new_R_icrA =
    ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
  let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                       ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                       ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                       ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                       ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                       ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                       ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                       ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
  let new_R_int0_disA = R_int0_dis in
  let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                       ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                       ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                       ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                       ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                       ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                       ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                       ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
  let new_R_int3_disA = R_int3_dis in
  let new_R_c01_cout = R_ctr1_cry in
  let new_R_c01_cout_delA = R_c01_cout_del in
  let new_R_c23_cout = R_ctr3_cry in
  let new_R_c23_cout_delA = R_c23_cout_del in
  let new_R_busA_latch =
    ((R_ctr0_irden) => R_ctr0_in |
     ((R_ctr0_orden) => R_ctr0_out |
     ((R_ctr1_irden) => R_ctr1_in |
     ((R_ctr1_orden) => R_ctr1_out |
     ((R_ctr2_irden) => R_ctr2_in |
     ((R_ctr2_or_den) => R_ctr2_out |
     ((R_ctr3_irden) => R_ctr3_in |
     ((R_ctr3_orden) => R_ctr3_out |
     ((R_icr_rden) => R_icr |
     ((R_ccr_rden) => R_ccr |
     ((R_gcr_rden) => R_gcr |
     ((R_sr_rden) => R_sr | ARBN)))))))))))) in
  let new_R_fsm_state = R_fsm_state in
  let new_R_fsm_ale_ = R_fsm_ale_ in
  let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
  let new_R_fsm_last_ = R_fsm_last_ in
  let new_R_fsm_rst = R_fsm_rst in
  let new_R_int0_dis = R_int0_dis in
  let new_R_int3_dis = R_int3_dis in
  let new_R_c01_cout_del = R_c01_cout_del in
  let new_R_int1_en = R_int1_en in
  let new_R_c23_cout_del = R_c23_cout_del in
  let new_R_int2_en = R_int2_en in
  let new_R_wr = R_wr in
  let new_R_cntlatch_del = R_cntlatch_del in
  let new_R_srdy_del_ = R_srdy_del_ in
  let new_R_reg_sel = R_reg_sel in
  let new_R_ctr0_in = R_ctr0_in in
  let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
  let new_R_ctr0_irden = R_ctr0_irden in
  let new_R_ctr0_cry = R_ctr0_cry in
  let new_R_ctr0_new = R_ctr0_new in
  let new_R_ctr0_out = R_ctr0_out in
  let new_R_ctr0_orden = R_ctr0_orden in
  let new_R_ctr1_in = R_ctr1_in in
  let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
  let new_R_ctr1_irden = R_ctr1_irden in
  let new_R_ctr1_cry = R_ctr1_cry in
  let new_R_ctr1_new = R_ctr1_new in
  let new_R_ctr1_out = R_ctr1_out in
  let new_R_ctr1_orden = R_ctr1_orden in
  let new_R_ctr2_in = R_ctr2_in in
  let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
  let new_R_ctr2_irden = R_ctr2_irden in
  let new_R_ctr2_cry = R_ctr2_cry in
  let new_R_ctr2_new = R_ctr2_new in
  let new_R_ctr2_out = R_ctr2_out in
  let new_R_ctr2_orden = R_ctr2_orden in
  let new_R_ctr3_in = R_ctr3_in in
  let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
  let new_R_ctr3_irden = R_ctr3_irden in
  let new_R_ctr3_cry = R_ctr3_cry in
  let new_R_ctr3_new = R_ctr3_new in
  let new_R_ctr3_out = R_ctr3_out in
  let new_R_ctr3_orden = R_ctr3_orden in
  let new_R_icr_load = R_icr_load in
  let new_R_icr_old = R_icr_old in
  let new_R_icr_mask = R_icr_mask in
  let new_R_icr = R_icr in
  let new_R_icr_rden = R_icr_rden in
  let new_R_ccr = R_ccr in
  let new_R_ccr_rden = R_ccr_rden in
  let new_R_gcr = R_gcr in
  let new_R_gcr_rden = R_gcr_rden in
  let new_R_sr = R_sr in
  let new_R_sr_rden = R_sr_rden in
  (new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA,
   new_R_int3_en, new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout,
   new_R_c23_cout_delA, new_R_cntlatch_delA, new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0,
   new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA, new_R_ctr1, new_R_ctr1_ce, new_R_ctr1_cin,
   new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA, new_R_ctr3,
   new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA,
   new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_,
   new_R_fsm_rst, new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en,
   new_R_c23_cout_del, new_R_int2_en, new_R_wr, new_R_cntlatch_del, new_R_srdy_del_,
   new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden, new_R_ctr0_cry,
   new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel,
   new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden,
   new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new,
   new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden,
   new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load,
   new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr, new_R_ccr_rden,
   new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
  );;
```
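The R-Port next-state definition above mixes a three-state handshake FSM with register-select, write-gating and interrupt-enable logic. The following is an added example, not code from the report or from the FTEP PIU project: a Python transcription of new_R_fsm_stateA, r_reg_sel, r_write, new_R_icrA and the new_R_int0_en / new_R_int3_en reductions from PH_A_inst. A `:wordn` value is modelled as a Python int, `ELEMENT w (n)` as bit n of that int, and `Andn` / `Orn` as bitwise AND / OR; the assumption that `INCN n` wraps within bits n..0 (so `INCN 3` is a four-bit increment) is this example's, not the report's, and the function names are likewise mine.

```python
"""Executable model of the R-Port phase-A control logic.

Added example, not code from the report or the FTEP PIU project: a Python
transcription of new_R_fsm_stateA, r_reg_sel, r_write, new_R_icrA and the
new_R_int0_en / new_R_int3_en reductions from PH_A_inst above.  A :wordn
value is modelled as a Python int, ELEMENT w (n) as bit n of that int, and
Andn / Orn as bitwise AND / OR.  The assumption that INCN n wraps within
bits n..0 (so INCN 3 is a 4-bit increment) is this example's, not the
report's.
"""
from enum import Enum, auto


class RFsm(Enum):
    """Values of rfsm_ty used in the definition above."""
    RI = auto()
    RA = auto()
    RD = auto()


def next_state_a(state: RFsm, rst: bool, ale_: bool, mrdy_: bool, last_: bool) -> RFsm:
    """new_R_fsm_stateA: reset wins, RI waits for I_rale_ (active low), RA
    waits for I_mrdy_ (active low), and the remaining state (RD) returns to
    RI when I_last_ is low and otherwise to RA."""
    if rst:
        return RFsm.RI
    if state is RFsm.RI:
        return RFsm.RA if not ale_ else RFsm.RI
    if state is RFsm.RA:
        return RFsm.RD if not mrdy_ else RFsm.RA
    return RFsm.RI if not last_ else RFsm.RA


def element(word: int, n: int) -> bool:
    """ELEMENT word (n): bit n of the word."""
    return (word >> n) & 1 == 1


def reg_sel(srdy_delA_: bool, reg_selA: int) -> int:
    """r_reg_sel: advance the register pointer once the delayed ready
    line is low (assumed 4-bit wrap-around for INCN 3)."""
    return (reg_selA + 1) & 0xF if not srdy_delA_ else reg_selA


def r_write(disable_writes: bool, wr: bool, state_a: RFsm) -> bool:
    """r_write: a register write needs the external Disable_writes pin low,
    a write cycle (R_wr) and the FSM in its data state RD."""
    return (not disable_writes) and wr and state_a is RFsm.RD


def icr_a(sel: int, icr_old: int, icr_mask: int) -> int:
    """new_R_icrA: register select 1 OR-merges R_icr_mask into R_icr_old,
    any other select AND-masks it (Orn / Andn modelled as bitwise ops)."""
    return (icr_old | icr_mask) if sel == 1 else (icr_old & icr_mask)


def int0_en(icr: int) -> bool:
    """new_R_int0_en: OR over k in 0..7 of bit k AND bit k+8 of R_icr."""
    return any(element(icr, k) and element(icr, k + 8) for k in range(0, 8))


def int3_en(icr: int) -> bool:
    """new_R_int3_en: OR over k in 16..23 of bit k AND bit k+8 of R_icr."""
    return any(element(icr, k) and element(icr, k + 8) for k in range(16, 24))
```

The interrupt-enable functions make the pairing in the listing explicit: each of the two enables is raised only when some bit in its low byte of R_icr is set together with the bit eight positions above it, so clearing the upper byte silences that enable regardless of the lower byte. The r_write model likewise shows that Disable_writes is checked on every register write, not only on the counter writes r_cir_wr01 and r_cir_wr23 that are derived from it.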

```
let PH_A_out_def = new_definition
  ('PH_A_out',
   "! (rep:^rep_ty)
      (R_fsm_stateA R_fsm_state :rfsm_ty)
      (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
       R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new
       R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask
       R_icr R_ccr R_gcr R_sr :wordn)
      (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
       R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin
       R_ctr1_ce R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
       R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
       R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
       R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel
       R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
       R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
      (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
       CB_parity MB_parity :bool).
    PH_A_out rep
      (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
       R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
       R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
       R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
       R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
       R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
       R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
       R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
       R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
       R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
       R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
       R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
       R_sr_rden)
      (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
  let new_R_fsm_stateA =
    ((R_fsm_rst) => RI |
     ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
     ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
     ((~R_fsm_last_) => RI | RA)))) in
  let new_R_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
  let new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
  let new_R_cntlatch_delA = R_cntlatch_del in
  let new_R_srdy_delA_ = R_srdy_del_ in
  let new_R_reg_selA = R_reg_sel in
  let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
  let r_write = (~Disable_writes /\ R_wr /\ (new_R_fsm_stateA = RD)) in
  let r_read = (~R_wr /\ (new_R_fsm_stateA = RA)) in
  let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
  let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
  let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
  let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
  let new_R_ctr0_cin = T in
  let new_R_ctr0_outA = R_ctr0_new in
  let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
  let new_R_ctr1_ce = T in
  let new_R_ctr1_cin = R_ctr0_cry in
  let new_R_ctr1_outA = R_ctr1_new in
  let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
  let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
  let new_R_ctr2_cin = T in
  let new_R_ctr2_outA = R_ctr2_new in
  let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
  let new_R_ctr3_ce = T in
  let new_R_ctr3_cin = R_ctr2_cry in
  let new_R_ctr3_outA = R_ctr3_new in
  let new_R_icr_loadA = R_icr_load in
  let new_R_icr_oldA =
    (((new_R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_oldA) in
  let new_R_icrA =
    ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) | Orn rep (R_icr_old, R_icr_mask)) in
  let new_R_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                       ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                       ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                       ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                       ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                       ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                       ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                       ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
  let new_R_int0_disA = R_int0_dis in
  let new_R_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                       ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                       ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                       ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                       ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                       ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                       ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                       ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
  let new_R_int3_disA = R_int3_dis in
  let new_R_c01_cout = R_ctr1_cry in
  let new_R_c01_cout_delA = R_c01_cout_del in
  let new_R_c23_cout = R_ctr3_cry in
  let new_R_c23_cout_delA = R_c23_cout_del in
  let new_R_busA_latch =
```
( ( $R_{-}$ctro_irden) $=>$R_ctro_in I
( (R_ctro_orden) $=>$ R_ctro_out I
( R_ctrl_irden) $)=>$ R_ctrl_in $\mid ~_{\text {R }}$
( (R_ctr1_orden) => R_ctr1_out I

( R_ctr2_orden) $)=>$ R_ctr2_out $1 ~_{\text {R }}$

( R_ctr3_orden) $)=>$ R_ctr3_out I $^{\text {R }}$
( R_icr_rden $\left.^{\prime}\right) \Rightarrow$ R_icr $^{\text {I }}$
( R_ccr_rden $\left.^{( }\right)=>$R_ccr I $^{( }$
( $($ R_gcr_rden) $)=>R_{\_}$gcr $\mid$

let new_R_fsm_state $=R_{-} f s m_{-}$state in
let $n e w_{-} R_{\_} f s m_{-} a l e_{-}=R_{-} f s m_{-} a l e_{-}$in
let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
let new_R_fsm_last_ = R_fsm_last_in
let new_R_fsm_rst = $R_{-}$fsm_rst in
let new_R_int0_dis = R_in10_dis in
let new_R_int3_dis = R_in13_dis in let new_R_c01_cout_del = R_C01_cout_del in let new_R_int1_en = R_intl_en in let new_R_c23_cout_del = R_c23_cout_del in let new_R_int2_en = R_int2_en in let new_R_wr $=R_{-} w r$ in
let new_R_ctlatch_del = R_cntlatch_del in let new_R_srdy_del_ = R_srdy_del_ in let new_R_reg_sel $=$ R_reg_sel in let new_R_ctro_in = R_ctro_in in let new_R_ctr0_mux_sel = R_ctro_mux_sel in let new_R_ctro_irden = R_ctro_irden in let new_R_ctro_cry = R_ctro_cry in let new_R_ctro_new = R_ctro_new in let new_R_ctro_out = R_ctro_out in

```
let new_R_ctro_orden = R_ctr0_orden in
let new_R_ctr1_in = R_ctrl_in in
let new_R_ctr1_mux_sel = R_ctrl_mux_sel in
let new_R_ctrl_irden = R_ctr1_irden in
let new_R_ctrl_cry = R_ctr1_cry in
let new_R_ctrl_new = R_ctr1_new in
let new_R_ctrl_out = R_ctr1_out in
let new_R_ctrl_orden = R_ctrl_orden in
let new_R_ctr2_in = R_ctr2_in in
let gew_R_ctr2_mux_sel = R_ctr2_mux_sel in
let new_R_ctr2_irden = R_ctr2_irden in
let new_R_ctr2_cry = R_ctr2_cry in
let new_R_ctr2_new = R_ctr2_new in
let new_R_ctr2_out = R_ctr2_out in
let new_R_ctr2_orden = R_ctr2_orden in
let new_R_ctr3_in = R_ctr3_in in
let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
let new_R_ctr3_irden = R_ctr3_irden in
let new_R_ctr3_cry = R_ctr3_cry in
let new_R_ctr3_new = R_ctr3_new in
let new_R_ctr3_out = R_ctr3_out in
let new_R_ctr3_orden = R_ctr3_orden in
let new_R_icr_load = R_icr_load in
let new_R_icr_old = R_icr_old in
let new_R_icr_mask = R_icr_mask in
let new_R_icr = R_icr in
let new_R_ict_rden = R_ict_rden in
let new_R_ccr = R_ccr in
let new_R_ccr_rden = R_ccr_rden in
let new_R_gcr = R_gcr in
let new_R_gcr_rden = R_gcr_rden in
let new_R_sr = R_sr in
let new_R_sr_rden = R_sr_rden in
    let I_ad_out = (( new_R_wr ^((new_R_fsm_stateA = RA) V (new_R_fsm_stateA = RD))) => new_R_busA_latch | ARBN) in
    let I_srdy_= (((new_R_fsm_stateA = RD)V ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_| ARB) in
    let Int0_ = ~(new_R_int0_en }\wedge~\mathrm{ new_R_int0_disA }\wedge~\mathrm{ Disable_int) in
    let Int1 = (new_R_001_cout }\wedge\mathrm{ new_R_int1_en }\wedge~\mathrm{ Disable_int) in
    let Int2 = (new_R_c23_cout ^new_R_int2_en ^~Disable_int) in
    let Int3_ = -(new_R_int3_en \Lambda ~new_R_int3_disA }\Lambda~\mathrm{ Disable_int) in
    let Ccr = new_R_ccr in
    let Led = (SUBARRAY new_R_gcr (3,0)) in
    let Reset_error = (ELEMENT new_R_gcr (24)) in
    let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
    (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);
%---------------------------------------------------------------------------------------------------------------------
Next-state definition for Phase-B instruction.
```
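The Phase-A output definition above is a pure function, so its control logic can be checked by executing a transcription of it. The following Python model is an added illustration and is not part of the report's HOL theory; it transcribes the `new_R_fsm_stateA` conditional (RI, RA, RD), the `new_R_fsm_srdy_` term, the `new_R_int0_en`/`new_R_int3_en` pair-wise reductions over `ELEMENT R_icr`, and the `Int0_` output. Names ending in `_` are active-low as in the report; `burst_trace` and `check_reductions` are helpers introduced here, and the stimulus in `burst_trace` is constructed, not taken from the report. The reduction check goes beyond the page's single definition: it verifies, over every 16-bit ICR value, that the eight AND/OR terms equal one masked compare, which is the form a reviewer would use to confirm the enable logic is what the definition literally says.

```python
"""Executable model of the R-port FSM and interrupt-enable terms of PH_A_out.
Added example (Python); not the report's own HOL text.  Assumptions: states are
modelled as strings, HOL's ELEMENT w (n) as bit n of a Python int."""

RI, RA, RD = "RI", "RA", "RD"


def r_fsm_next(state, rst, ale_, mrdy_, last_):
    """Transcription of new_R_fsm_stateA: reset dominates; RI -> RA when the
    address latch enable (active low) is asserted; RA -> RD when memory is
    ready; RD -> RI on the last transfer, otherwise back to RA."""
    if rst:
        return RI
    if state == RI:
        return RA if not ale_ else RI
    if state == RA:
        return RD if not mrdy_ else RA
    return RI if not last_ else RA          # state == RD


def fsm_srdy_(state, mrdy_):
    """new_R_fsm_srdy_ = ~((R_fsm_state = RA) /\\ ~R_fsm_mrdy_)  (active low)."""
    return not (state == RA and not mrdy_)


def element(word, n):
    """HOL ELEMENT word (n): bit n as a boolean (assumed encoding)."""
    return ((word >> n) & 1) == 1


def int0_enable(icr):
    """new_R_int0_en: OR over i in 0..7 of (ICR[i] /\\ ICR[i+8])."""
    return any(element(icr, i) and element(icr, i + 8) for i in range(8))


def int3_enable(icr):
    """new_R_int3_en: OR over i in 16..23 of (ICR[i] /\\ ICR[i+8])."""
    return any(element(icr, i) and element(icr, i + 8) for i in range(16, 24))


def int0_pin(icr, int0_dis, disable_int):
    """Int0_ = ~(new_R_int0_en /\\ ~new_R_int0_disA /\\ ~Disable_int)."""
    return not (int0_enable(icr) and not int0_dis and not disable_int)


def burst_trace(n_words):
    """Walk the FSM through an n-word burst and return the states visited.
    Constructed stimulus: ale_ asserted for one cycle, memory ready on every
    data cycle, last_ asserted together with the final word."""
    state = RI
    trace = [state]
    state = r_fsm_next(state, False, ale_=False, mrdy_=True, last_=True)
    trace.append(state)
    for i in range(n_words):
        state = r_fsm_next(state, False, ale_=True, mrdy_=False, last_=True)   # RA -> RD
        trace.append(state)
        final = i == n_words - 1
        state = r_fsm_next(state, False, ale_=True, mrdy_=True, last_=not final)  # RD -> RA | RI
        trace.append(state)
    return trace


def check_reductions():
    """Exhaustively confirm that the eight-term reductions equal a single
    masked compare between the low and high byte of each 16-bit half."""
    for half in range(1 << 16):
        compact = (half & (half >> 8) & 0xFF) != 0
        assert int0_enable(half) == compact
        assert int3_enable(half << 16) == compact
    return True


if __name__ == "__main__":
    print(burst_trace(2))          # ['RI', 'RA', 'RD', 'RA', 'RD', 'RI']
    print(check_reductions())      # True
```

Because the HOL definition is total and deterministic, every branch of `r_fsm_next` corresponds to exactly one arm of the `=>`/`|` conditional; a transcription like this is the cheapest way to confirm that the intended burst behaviour (return to RA between words, return to RI only on `last_`) is what the definition encodes before attempting any proof about it.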

```
let PH_B_inst_def = new_definition
('PH_B_inst',
 "! (rep:^rep_ty)
    (R_fsm_stateA R_fsm_state :rfsm_ty)
    (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
     R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
     R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
     R_ccr R_gcr R_sr :wordn)
    (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
     R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
     R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
     R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
     R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
     R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
     R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
     R_sr_rden :bool)
    (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
    (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
     CB_parity MB_parity :bool).
  PH_B_inst rep
    (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
     R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
     R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
     R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
     R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
     R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
     R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
     R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
     R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
     R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
     R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
     R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
     R_sr_rden)
    (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
     Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
    let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
    let new_R_srdy_del_ = R_fsm_srdy_ in
    let new_R_reg_sel =
        ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
         ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
    let new_R_cntlatch_del = R_fsm_cntlatch in
    let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
    let r_write = (~Disable_writes /\ new_R_wr /\ (R_fsm_stateA = RD)) in
    let r_read = (~new_R_wr /\ (R_fsm_stateA = RA)) in
    let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
    let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
    let new_R_ccr = ((r_write /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
    let new_R_ccr_rden = (r_read /\ (r_reg_sel = (WORDN 3))) in
    let new_R_gcr = ((r_write /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
    let new_R_gcr_rden = (r_read /\ (r_reg_sel = (WORDN 2))) in
    let new_R_ctr0_in = ((r_write /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
    let new_R_ctr0_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
    let new_R_ctr0_irden = (r_read /\ (r_reg_sel = (WORDN 8))) in
    let new_R_ctr0_new = ((R_ctr0_ce /\ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
    let new_R_ctr0_cry = (R_ctr0_ce /\ R_ctr0_cin /\ (ONES 31 R_ctr0)) in

    let new_R_ctr0_orden = (r_read /\ (r_reg_sel = (WORDN 12))) in
    let new_R_ctr1_in = ((r_write /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
    let new_R_ctr1_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
    let new_R_ctr1_irden = (r_read /\ (r_reg_sel = (WORDN 9))) in
    let new_R_ctr1_new = ((R_ctr1_ce /\ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
    let new_R_ctr1_cry = (R_ctr1_ce /\ R_ctr1_cin /\ (ONES 31 R_ctr1)) in
    let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
    let new_R_ctr1_orden = (r_read /\ (r_reg_sel = (WORDN 13))) in
    let new_R_ctr2_in = ((r_write /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
    let new_R_ctr2_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
    let new_R_ctr2_irden = (r_read /\ (r_reg_sel = (WORDN 10))) in
    let new_R_ctr2_new = ((R_ctr2_ce /\ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
    let new_R_ctr2_cry = (R_ctr2_ce /\ R_ctr2_cin /\ (ONES 31 R_ctr2)) in
    let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
    let new_R_ctr2_orden = (r_read /\ (r_reg_sel = (WORDN 14))) in
    let new_R_ctr3_in = ((r_write /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
    let new_R_ctr3_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
    let new_R_ctr3_irden = (r_read /\ (r_reg_sel = (WORDN 11))) in
    let new_R_ctr3_new = ((R_ctr3_ce /\ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
    let new_R_ctr3_cry = (R_ctr3_ce /\ R_ctr3_cin /\ (ONES 31 R_ctr3)) in
    let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
    let new_R_ctr3_orden = (r_read /\ (r_reg_sel = (WORDN 15))) in
    let new_R_icr_load = (r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let new_R_icr_old =
        ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
    let new_R_icr_mask =
        ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
    let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
    let new_R_icr_rden = ((R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let sr28 = (ALTER ARBN (28) MB_parity) in
    let sr28_25 = (MALTER sr28 (27,25) C_ss) in
    let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
    let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
    let sr28_16 = (MALTER sr28_22 (21,16) Id) in
    let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
    let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
    let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
    let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
    let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
    let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
    let new_R_sr_rden = (r_read /\ (r_reg_sel = (WORDN 4))) in
    let new_R_int0_dis = R_int0_en in
    let new_R_int3_dis = R_int3_en in
    let new_R_c01_cout_del = R_c01_cout in
    let new_R_c23_cout_del = R_c23_cout in
    let new_R_int1_en =
        (((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16))))
          /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
          /\ (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
          ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
           /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
    let new_R_int2_en =
        (((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20))))
          /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
          /\ (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
          ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
           /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
    let new_R_fsm_state = R_fsm_stateA in
    let new_R_fsm_ale_ = I_rale_ in
    let new_R_fsm_mrdy_ = I_mrdy_ in
    let new_R_fsm_last_ = I_last_ in
    let new_R_fsm_rst = Rst in
    let new_R_fsm_stateA = R_fsm_stateA in
    let new_R_fsm_cntlatch = R_fsm_cntlatch in
    let new_R_fsm_srdy_ = R_fsm_srdy_ in
    let new_R_int0_en = R_int0_en in
    let new_R_int0_disA = R_int0_disA in
    let new_R_int3_en = R_int3_en in
    let new_R_int3_disA = R_int3_disA in
    let new_R_c01_cout = R_c01_cout in
    let new_R_c01_cout_delA = R_c01_cout_delA in
    let new_R_c23_cout = R_c23_cout in
    let new_R_c23_cout_delA = R_c23_cout_delA in
    let new_R_cntlatch_delA = R_cntlatch_delA in
    let new_R_srdy_delA_ = R_srdy_delA_ in
    let new_R_reg_selA = R_reg_selA in
    let new_R_ctr0 = R_ctr0 in
    let new_R_ctr0_ce = R_ctr0_ce in
    let new_R_ctr0_cin = R_ctr0_cin in
    let new_R_ctr0_outA = R_ctr0_outA in
    let new_R_ctr1 = R_ctr1 in
    let new_R_ctr1_ce = R_ctr1_ce in
    let new_R_ctr1_cin = R_ctr1_cin in
    let new_R_ctr1_outA = R_ctr1_outA in
    let new_R_ctr2 = R_ctr2 in
    let new_R_ctr2_ce = R_ctr2_ce in
    let new_R_ctr2_cin = R_ctr2_cin in
    let new_R_ctr2_outA = R_ctr2_outA in
    let new_R_ctr3 = R_ctr3 in
    let new_R_ctr3_ce = R_ctr3_ce in
    let new_R_ctr3_cin = R_ctr3_cin in
    let new_R_ctr3_outA = R_ctr3_outA in
    let new_R_icr_loadA = R_icr_loadA in
    let new_R_icr_oldA = R_icr_oldA in
    let new_R_icrA = R_icrA in
    let new_R_busA_latch = R_busA_latch in
    (new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
     new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
     new_R_cntlatch_delA, new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin,
     new_R_ctr0_outA, new_R_ctr1, new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce,
     new_R_ctr2_cin, new_R_ctr2_outA, new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA,
     new_R_icr_loadA, new_R_icr_oldA, new_R_icrA, new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_,
     new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del,
     new_R_int1_en, new_R_c23_cout_del, new_R_int2_en, new_R_wr, new_R_cntlatch_del, new_R_srdy_del_,
     new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden, new_R_ctr0_cry, new_R_ctr0_new,
     new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1_irden, new_R_ctr1_cry,
     new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2_irden,
     new_R_ctr2_cry, new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel,
     new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load,
     new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr, new_R_ccr_rden, new_R_gcr,
     new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
);;
```
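Two parts of the Phase-B next-state definition above are easy to get wrong when reading the HOL text alone: the cascaded counters (`ctr0` enabled by GCR bit 19 with `cin = T`, `ctr1` always enabled and taking `R_ctr0_cry` as its carry-in, `R_ctr1_cry` becoming `c01_cout`), and the status register assembled from `sr28` down to `sr28_0` with `ALTER` and `MALTER`. The Python below is an added illustration, not the report's HOL; it assumes the listed meanings for `INCN`, `ONES`, `ALTER` and `MALTER` (labelled as assumptions in the code), models the arbitrary word `ARBN` as zero, and collapses the report's phase pipelining (the carry-in being registered in Phase A) into a single combinational step. `step_chain`, `build_status` and `decode_status` are helpers introduced here; the field values in the usage are constructed.

```python
"""Executable model of the counter chain and status-register assembly of
PH_B_inst.  Added example (Python); not the report's own HOL text.
Assumed meanings of the HOL auxiliaries (assumptions, not from the report):
  INCN 31 w          increment w as a 32-bit word, wrapping to 0
  ONES 31 w          true iff bits 31..0 of w are all set
  ALTER w (n) b      w with bit n replaced by boolean b
  MALTER w (hi,lo) v w with bits hi..lo replaced by the low bits of v
ARBN (an arbitrary word) is modelled as 0."""

MASK32 = (1 << 32) - 1


def incn(n, w):
    return (w + 1) & ((1 << (n + 1)) - 1)


def ones(n, w):
    m = (1 << (n + 1)) - 1
    return (w & m) == m


def alter(w, n, b):
    return (w | (1 << n)) if b else (w & ~(1 << n) & MASK32)


def malter(w, hi, lo, v):
    field = (1 << (hi - lo + 1)) - 1
    return (w & ~(field << lo) & MASK32) | ((v & field) << lo)


def counter_step(value, ce, cin):
    """One counter: (new_R_ctrN_new, new_R_ctrN_cry) from R_ctrN, ce and cin,
    transcribing the INCN 31 / ONES 31 terms of the definition."""
    new = incn(31, value) if (ce and cin) else value
    cry = bool(ce and cin and ones(31, value))
    return new, cry


def step_chain(ctr0, ctr1, enable):
    """ctr0 counts when enable (GCR bit 19 in the spec) is set, with cin = T;
    ctr1 is always enabled and uses ctr0's carry as cin, so it advances only
    when ctr0 wraps.  Returns (ctr0', ctr1', c01_cout).  Simplification: the
    Phase-A registering of the carry is folded into this single step."""
    new0, cry0 = counter_step(ctr0, enable, True)
    new1, cry1 = counter_step(ctr1, True, cry0)
    return new0, new1, cry1


# (name, hi, lo) in the order the definition applies them: sr28 ... sr28_0
STATUS_FIELDS = [
    ("MB_parity", 28, 28), ("C_ss", 27, 25), ("CB_parity", 24, 24),
    ("ChannelID", 23, 22), ("Id", 21, 16), ("S_state", 15, 12),
    ("Pmm_fail", 9, 9), ("Piu_fail", 8, 8), ("Reset_cpu", 3, 2), ("Cpu_fail", 1, 0),
]


def build_status(**fields):
    """Assemble the status word as sr28..sr28_0 do: ALTER for single bits,
    MALTER for multi-bit fields, starting from ARBN (modelled as 0)."""
    sr = 0
    for name, hi, lo in STATUS_FIELDS:
        v = fields[name]
        sr = alter(sr, hi, bool(v)) if hi == lo else malter(sr, hi, lo, int(v))
    return sr


def decode_status(sr):
    """Inverse of build_status, for checking that no field overlaps another."""
    out = {}
    for name, hi, lo in STATUS_FIELDS:
        raw = (sr >> lo) & ((1 << (hi - lo + 1)) - 1)
        out[name] = bool(raw) if hi == lo else raw
    return out


if __name__ == "__main__":
    print(step_chain(0xFFFFFFFF, 0xFFFFFFFF, True))   # (0, 0, True)
    # constructed sample field values
    sr = build_status(MB_parity=True, C_ss=5, CB_parity=False, ChannelID=2, Id=0x2A,
                      S_state=9, Pmm_fail=False, Piu_fail=True, Reset_cpu=1, Cpu_fail=3)
    print(hex(sr), decode_status(sr))
```

The round trip through `decode_status` is the property worth checking on a status register like this one: the ten `ALTER`/`MALTER` steps only compose correctly if their bit ranges are disjoint, and the test below confirms that for the ranges the definition gives.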

```
%-----------------------------------------------------------------------------
Output definition for Phase-B instruction.
%
let PH_B_out_def = new_definition
('PH_B_out',
 "! (rep:^rep_ty)
    (R_fsm_stateA R_fsm_state :rfsm_ty)
    (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA R_icr_oldA
     R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new R_ctr1_out
     R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr
     R_ccr R_gcr R_sr :wordn)
    (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
     R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
     R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
     R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
     R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
     R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
     R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden
     R_sr_rden :bool)
    (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
    (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
     CB_parity MB_parity :bool).
  PH_B_out rep
    (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
     R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
     R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
     R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
     R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
     R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
     R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
     R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
     R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
     R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
     R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
     R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
     R_sr_rden)
    (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
     Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
    let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
    let new_R_srdy_del_ = R_fsm_srdy_ in
    let new_R_reg_sel =
        ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
         ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
    let new_R_cntlatch_del = R_fsm_cntlatch in
    let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
    let r_write = (~Disable_writes /\ new_R_wr /\ (R_fsm_stateA = RD)) in
    let r_read = (~new_R_wr /\ (R_fsm_stateA = RA)) in
    let r_cir_wr01 = (r_write /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
    let r_cir_wr23 = (r_write /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
    let new_R_ccr = ((r_write /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
    let new_R_ccr_rden = (r_read /\ (r_reg_sel = (WORDN 3))) in
    let new_R_gcr = ((r_write /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
    let new_R_gcr_rden = (r_read /\ (r_reg_sel = (WORDN 2))) in
    let new_R_ctr0_in = ((r_write /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
    let new_R_ctr0_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
    let new_R_ctr0_irden = (r_read /\ (r_reg_sel = (WORDN 8))) in
    let new_R_ctr0_new = ((R_ctr0_ce /\ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
    let new_R_ctr0_cry = (R_ctr0_ce /\ R_ctr0_cin /\ (ONES 31 R_ctr0)) in

    let new_R_ctr0_orden = (r_read /\ (r_reg_sel = (WORDN 12))) in
    let new_R_ctr1_in = ((r_write /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
    let new_R_ctr1_mux_sel = (r_cir_wr01 \/ ((ELEMENT new_R_gcr (16)) /\ R_c01_cout)) in
    let new_R_ctr1_irden = (r_read /\ (r_reg_sel = (WORDN 9))) in
    let new_R_ctr1_new = ((R_ctr1_ce /\ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
    let new_R_ctr1_cry = (R_ctr1_ce /\ R_ctr1_cin /\ (ONES 31 R_ctr1)) in
    let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
    let new_R_ctr1_orden = (r_read /\ (r_reg_sel = (WORDN 13))) in
    let new_R_ctr2_in = ((r_write /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
    let new_R_ctr2_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
    let new_R_ctr2_irden = (r_read /\ (r_reg_sel = (WORDN 10))) in
    let new_R_ctr2_new = ((R_ctr2_ce /\ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
    let new_R_ctr2_cry = (R_ctr2_ce /\ R_ctr2_cin /\ (ONES 31 R_ctr2)) in
    let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
    let new_R_ctr2_orden = (r_read /\ (r_reg_sel = (WORDN 14))) in
    let new_R_ctr3_in = ((r_write /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
    let new_R_ctr3_mux_sel = (r_cir_wr23 \/ ((ELEMENT new_R_gcr (20)) /\ R_c23_cout)) in
    let new_R_ctr3_irden = (r_read /\ (r_reg_sel = (WORDN 11))) in
    let new_R_ctr3_new = ((R_ctr3_ce /\ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
    let new_R_ctr3_cry = (R_ctr3_ce /\ R_ctr3_cin /\ (ONES 31 R_ctr3)) in
    let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
    let new_R_ctr3_orden = (r_read /\ (r_reg_sel = (WORDN 15))) in
    let new_R_icr_load = (r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let new_R_icr_old =
        ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
    let new_R_icr_mask =
        ((r_write /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
    let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
    let new_R_icr_rden = ((R_fsm_stateA = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
    let sr28 = (ALTER ARBN (28) MB_parity) in
    let sr28_25 = (MALTER sr28 (27,25) C_ss) in
    let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
    let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
    let sr28_16 = (MALTER sr28_22 (21,16) Id) in
    let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
    let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
    let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
    let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
    let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
    let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
    let new_R_sr_rden = (r_read /\ (r_reg_sel = (WORDN 4))) in
    let new_R_int0_dis = R_int0_en in
    let new_R_int3_dis = R_int3_en in
    let new_R_c01_cout_del = R_c01_cout in
    let new_R_c23_cout_del = R_c23_cout in
    let new_R_int1_en =
        (((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16))))
          /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
          /\ (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
          ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01 \/ (R_c01_cout /\ (ELEMENT new_R_gcr (16)))))
           /\ ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
    let new_R_int2_en =
        (((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20))))
          /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
          /\ (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
          ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23 \/ (R_c23_cout /\ (ELEMENT new_R_gcr (20)))))
           /\ ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
    let new_R_fsm_state = R_fsm_stateA in
    let new_R_fsm_ale_ = I_rale_ in
    let new_R_fsm_mrdy_ = I_mrdy_ in
    let new_R_fsm_last_ = I_last_ in
    let new_R_fsm_rst = Rst in
    let new_R_fsm_stateA = R_fsm_stateA in
    let new_R_fsm_cntlatch = R_fsm_cntlatch in
    let new_R_fsm_srdy_ = R_fsm_srdy_ in
    let new_R_int0_en = R_int0_en in
    let new_R_int0_disA = R_int0_disA in
    let new_R_int3_en = R_int3_en in
    let new_R_int3_disA = R_int3_disA in
    let new_R_c01_cout = R_c01_cout in
    let new_R_c01_cout_delA = R_c01_cout_delA in
    let new_R_c23_cout = R_c23_cout in
    let new_R_c23_cout_delA = R_c23_cout_delA in
    let new_R_cntlatch_delA = R_cntlatch_delA in
    let new_R_srdy_delA_ = R_srdy_delA_ in
    let new_R_reg_selA = R_reg_selA in
    let new_R_ctr0 = R_ctr0 in
    let new_R_ctr0_ce = R_ctr0_ce in
    let new_R_ctr0_cin = R_ctr0_cin in
    let new_R_ctr0_outA = R_ctr0_outA in
    let new_R_ctr1 = R_ctr1 in
    let new_R_ctr1_ce = R_ctr1_ce in
    let new_R_ctr1_cin = R_ctr1_cin in
    let new_R_ctr1_outA = R_ctr1_outA in
    let new_R_ctr2 = R_ctr2 in
    let new_R_ctr2_ce = R_ctr2_ce in
    let new_R_ctr2_cin = R_ctr2_cin in
    let new_R_ctr2_outA = R_ctr2_outA in
    let new_R_ctr3 = R_ctr3 in
    let new_R_ctr3_ce = R_ctr3_ce in
    let new_R_ctr3_cin = R_ctr3_cin in
    let new_R_ctr3_outA = R_ctr3_outA in
    let new_R_icr_loadA = R_icr_loadA in
    let new_R_icr_oldA = R_icr_oldA in
    let new_R_icrA = R_icrA in
    let new_R_busA_latch = R_busA_latch in
    let I_ad_out = ((~new_R_wr /\ ((new_R_fsm_stateA = RA) \/ (new_R_fsm_stateA = RD)))
                    => new_R_busA_latch | ARBN) in
    let I_srdy_ = (((new_R_fsm_stateA = RD) \/ (new_R_fsm_stateA = RA)) => new_R_fsm_srdy_ | ARB) in
    let Int0_ = ~(new_R_int0_en /\ ~new_R_int0_disA /\ ~Disable_int) in
    let Int1 = (new_R_c01_cout /\ new_R_int1_en /\ ~Disable_int) in
    let Int2 = (new_R_c23_cout /\ new_R_int2_en /\ ~Disable_int) in
    let Int3_ = ~(new_R_int3_en /\ ~new_R_int3_disA /\ ~Disable_int) in
    let Ccr = new_R_ccr in
    let Led = (SUBARRAY new_R_gcr (3,0)) in
    let Reset_error = (ELEMENT new_R_gcr (24)) in
    let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
    (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);;

close_theory();;
```


## C.4 C Port Specification


This file contains the ML source for the phase-level specification of the C-Port of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of this code was translated from an M-language simulation program using a translator written by P.J. Windley at the University of Idaho.
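To make the master side of the C_Bus protocol concrete, here is an executable Python model of the C-Port master state machine (new_C_mfsm_stateA) and its status word (C_mfsm_ms) as they are defined in the HOL text below. This is an added example, not part of the HOL source or of the M-language translation; the state names and status codes are the page's own, while the MasterInputs record, the run helper and the two input sequences are constructed for this illustration.

```python
"""Executable model of the FTEP PIU C-Port master state machine (new_C_mfsm_stateA) and
its status word (C_mfsm_ms), transcribed from the HOL definition.  Added example, not part
of the HOL source; MasterInputs, run and the two scenarios are constructed here."""
from dataclasses import dataclass

# Bus status codes from the HOL constants (WORDN n).
MSTART, MEND, MRDY, MWAIT, MABORT = 4, 5, 6, 7, 0
SACK, SRDY, SWAIT, SABORT = 5, 6, 7, 0


@dataclass
class MasterInputs:
    """Phase-A inputs read by the master FSM (names follow the C_mfsm_* fields)."""
    D: bool = True         # sampling strobe; transitions only fire when D is set
    crqt_: bool = True     # CPU request, active low (True = no request)
    busy: bool = False     # C_Bus busy
    invalid: bool = False  # this PIU marked invalid
    grant: bool = False    # arbitration grant
    hold_: bool = True     # hold, active low
    ss: int = SRDY         # slave status word seen on the C_Bus
    last_: bool = True     # last transfer, active low (False = last word)
    lock_: bool = True     # locked transfer, active low
    rst: bool = False


def mfsm_next(state: str, i: MasterInputs) -> str:
    """Next master state, clause for clause as in the HOL conditional."""
    if i.rst:
        return "CMI"
    if state == "CMI":
        return "CMR" if (i.D and not i.crqt_ and not i.busy and not i.invalid) else "CMI"
    if state == "CMR":
        return "CMA3" if (i.D and i.grant and i.hold_) else "CMR"
    if state == "CMA3":
        return "CMA1" if i.D else "CMA3"
    # Address and data phases: advance on SRDY, abort on SABORT, otherwise hold.
    chain = {"CMA1": "CMA0", "CMA0": "CMA2", "CMA2": "CMD1", "CMD1": "CMD0"}
    if state in chain:
        if i.D and i.ss == SRDY:
            return chain[state]
        if i.D and i.ss == SABORT:
            return "CMABT"
        return state
    if state == "CMD0":
        if i.D and i.ss == SRDY:
            return "CMD1" if i.last_ else "CMW"  # more data, or wait for the ack
        if i.D and i.ss == SABORT:
            return "CMABT"
        return "CMD0"
    if state == "CMW":
        if i.D and i.ss == SABORT:
            return "CMABT"
        if i.D and i.ss == SACK and i.lock_:
            return "CMI"
        if i.D and i.ss == SRDY and not i.lock_ and not i.crqt_:
            return "CMA3"  # locked sequence: straight to the next address phase
        return "CMW"
    # CMABT: leave the abort state once the last-word marker is asserted.
    return "CMI" if not i.last_ else "CMABT"


def master_status(new_state: str, last_: bool, lock_: bool) -> int:
    """C_mfsm_ms bits 2..0, as built by the ms2/ms1/ms0 ALTER chain."""
    ms2 = new_state in ("CMA3", "CMA1", "CMA0", "CMA2", "CMD1", "CMD0", "CMW", "CMABT")
    ms1 = (new_state in ("CMA1", "CMA0", "CMA2", "CMD1", "CMW", "CMABT")
           or (new_state == "CMD0" and last_))
    ms0 = ((new_state == "CMD0" and not last_) or (new_state == "CMW" and lock_)
           or new_state == "CMABT")
    return (int(ms2) << 2) | (int(ms1) << 1) | int(ms0)


def run(state: str, steps: list) -> list:
    """Apply a sequence of inputs and return every state visited."""
    trace = [state]
    for inp in steps:
        state = mfsm_next(state, inp)
        trace.append(state)
    return trace


def nominal_single_word_transfer() -> list:
    """Constructed scenario: request, grant, one address/data word, slave ack."""
    return run("CMI", [
        MasterInputs(crqt_=False),           # CPU requests the C_Bus
        MasterInputs(grant=True),            # arbitration grants it
        MasterInputs(),                      # CMA3 -> CMA1
        MasterInputs(ss=SRDY),               # CMA1 -> CMA0
        MasterInputs(ss=SRDY),               # CMA0 -> CMA2
        MasterInputs(ss=SRDY),               # CMA2 -> CMD1
        MasterInputs(ss=SRDY),               # CMD1 -> CMD0
        MasterInputs(ss=SRDY, last_=False),  # last word: CMD0 -> CMW
        MasterInputs(ss=SACK),               # slave acknowledges: CMW -> CMI
    ])


def aborted_transfer() -> list:
    """Constructed scenario: the slave aborts during the address phase."""
    return run("CMA0", [
        MasterInputs(ss=SABORT),             # CMA0 -> CMABT
        MasterInputs(ss=SWAIT),              # stays in CMABT while last_ is high
        MasterInputs(last_=False),           # CMABT -> CMI
    ])
```

Stepping the model against the HOL clauses is a quick way to check that a transcribed transition table (for example the missing CMD0 to CMD1 branch in one of the two copies below) matches the original M-language program.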

```
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm c_phase.th';;
new_theory 'c_phase';;
loadf 'abstract';;
map new_parent ['caux_def';'aux_def';'array_def';'wordn_def'];;
let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;
let c_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#
                    csfsm_ty#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    cefsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#wordn#
                    cmfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#bool#
                    csfsm_ty#bool#bool#bool#bool#bool#bool#wordn#
                    cefsm_ty#bool#bool#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#wordn)";;
let c_state = "((C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
                 C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C_mfsm_m_cout_sel0,
                 C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity,
                 C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0,
                 C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity,
                 C_efsm_stateA, C_efsm_srdy_en,
                 C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA,
                 C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2,
                 C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
                 C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
                 C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
                 C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                 C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                 C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
                 C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
                 :^c_state_ty)";;
let c_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                  wordn#wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;
let c_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
               I_lock_, I_cale_, I_hlda_, I_crqt_,
               CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
               Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr,
               Reset_error)
               :^c_env_ty)";;
let c_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                  bool#wordn#wordn#wordn#wordn#bool#bool)";;
let c_out = "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
               I_ad_out, I_be_out,
               CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
               :^c_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;
%
  Next-state definition for Phase-A instruction.
%
let PH_A_inst_def = new_definition
('PH_A_inst',
  "! (rep:^rep_ty)
     (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
     (C_sfsm_stateA C_sfsm_state :csfsm_ty)
     (C_efsm_stateA C_efsm_state :cefsm_ty)
     (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
      C_source C_data_in C_iad_in :wordn)
     (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
      C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
      C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
      C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
      C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
      C_efsm_srdy_en
      C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
      C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
      C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
      C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
      C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
      C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
      C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
      C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
      C_rrdy C_parity :bool)
     (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
      Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
     (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
     (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
      Disable_writes CB_parity :bool).
  PH_A_inst rep
   (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
    C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
    C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
    C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
    C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
    C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
    C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
    C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
    C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
    C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
    C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
    C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
    C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
    C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
   (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
    I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
    ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
  let new_C_mfsm_stateA =
    ((C_mfsm_rst) => CMI |
     ((C_mfsm_state = CMI) => ((C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~C_mfsm_busy /\ ~C_mfsm_invalid) => CMR | CMI) |
     ((C_mfsm_state = CMR) => ((C_mfsm_D /\ C_mfsm_grant /\ C_mfsm_hold_) => CMA3 | CMR) |
     ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
     ((C_mfsm_state = CMA1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1) |
     ((C_mfsm_state = CMA0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0) |
     ((C_mfsm_state = CMA2) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2) |
     ((C_mfsm_state = CMD1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1) |
     ((C_mfsm_state = CMD0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_mfsm_last_) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_last_) => CMW |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0) |
     ((C_mfsm_state = CMW) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
         (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_mfsm_lock_) => CMI |
         (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_lock_ /\ ~C_mfsm_crqt_) => CMA3 | CMW) |
     ((~C_mfsm_last_) => CMI | CMABT))))))))))) in
  let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
  let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
  let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
  let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
  let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
  let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
  let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
  let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
  let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
  let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
     \/ ((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
     \/ ((new_C_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)) in
  let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA2)) in
  let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
     \/ (new_C_mfsm_stateA = CMD1)) in
  let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1) \/
                             (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2) \/
                             (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0) \/
                             (new_C_mfsm_stateA = CMW) \/ (new_C_mfsm_stateA = CMABT))) in
  let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) \/ (new_C_mfsm_stateA = CMA0) \/
                            (new_C_mfsm_stateA = CMA2) \/ (new_C_mfsm_stateA = CMD1) \/
                            ((new_C_mfsm_stateA = CMD0) /\ C_mfsm_last_) \/ (new_C_mfsm_stateA = CMW) \/
                            (new_C_mfsm_stateA = CMABT))) in
  let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_last_) \/
                            ((new_C_mfsm_stateA = CMW) /\ C_mfsm_lock_) \/ (new_C_mfsm_stateA = CMABT))) in
  let new_C_mfsm_ms = ms0 in
  let new_C_mfsm_rqt_ = ~(~(new_C_mfsm_stateA = CMI)) in
  let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
  let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) /\ (~(new_C_mfsm_stateA = CMR))) in

  let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
     \/ (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2)
     \/ (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0)
     \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0)
     \/ (C_mfsm_state = CMA2) \/ (C_mfsm_state = CMD1)) in
  let new_C_sfsm_stateA =
    ((C_sfsm_rst) => CSI |
     (C_sfsm_state = CSI) => ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART)

     (C_sfsm_state = CSL) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ C_sfsm_addressed) => CSA1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~C_sfsm_grant /\ ~C_sfsm_addressed) => CSI |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
     (C_sfsm_state = CSA1) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
     (C_sfsm_state = CSA0) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
        (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
     (C_sfsm_state = CSA0W) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
     (C_sfsm_state = CSALE) =>
       ((C_sfsm_D /\ C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
        (C_sfsm_D /\ ~C_sfsm_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
     (C_sfsm_state = CSRR) =>
       ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
     (C_sfsm_state = CSD1) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
     (C_sfsm_state = CSD0) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
        (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
     (C_sfsm_state = CSACK) =>
       ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
        (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
        (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
     (C_sfsm_D) => CSI | CSABT) in
  let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSABT)))) in
  let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
                            /\ (~(new_C_sfsm_stateA = CSABT)))) in
  let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSA0W) \/
                            ((new_C_sfsm_stateA = CSALE) /\ ~C_sfsm_write) \/
                            (new_C_sfsm_stateA = CSACK))) in
  let new_C_sfsm_ss = ss0 in
  let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
     \/ ((new_C_sfsm_stateA = CSALE) /\ C_sfsm_write)
     \/ ((new_C_sfsm_stateA = CSD1) /\ C_sfsm_write /\ (~(C_sfsm_state = CSRR)))
     \/ ((new_C_sfsm_stateA = CSD0) /\ C_sfsm_write)
     \/ ((new_C_sfsm_stateA = CSACK) /\ C_sfsm_write)) in
  let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in
  let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in
  let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in
  let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in
  let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in
  let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in
  let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in
  let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in
  let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in
  let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in
  let new_C_sfsm_sparity = ((~(new_C_sfsm_stateA = CSI)) /\ (~(new_C_sfsm_stateA = CSACK))
                            /\ (~(new_C_sfsm_stateA = CSABT))) in
  let new_C_efsm_stateA =
    ((C_efsm_rst) => CEI |
     (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
     ((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE) in
  let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
  let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) =>
                                   new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in
  let cout_sel1 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 \/ new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in
  let c_cout_sel = cout_sel1 in
  let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
  let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
     \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1)))
     \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
                                           /\ (ELEMENT CB_rqt_in_ (2)))
     \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0)) /\ (ELEMENT CB_rqt_in_ (1))
                                           /\ (ELEMENT CB_rqt_in_ (2)) /\ (ELEMENT CB_rqt_in_ (3)))) in
  let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in
  let new_C_clkAA = C_clkA in
  let new_C_sidle_delA = C_sidle_del in
  let new_C_mrqt_delA = C_mrqt_del in
  let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
  let c_dfsm_master = (new_C_mfsm_ma3 \/ new_C_mfsm_ma2 \/ new_C_mfsm_ma1 \/
                       new_C_mfsm_ma0 \/ new_C_mfsm_md1 \/ new_C_mfsm_md0) in
  let c_dfsm_slave = (~new_C_sfsm_sidle /\ ~new_C_sfsm_slock) in
  let c_dfsm_cin_0_le = (ClkD /\ ((new_C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/
                                  (new_C_sfsm_sa0) \/ (new_C_sfsm_sd0 /\ c_write))) in
  let c_dfsm_cin_1_le = (ClkD /\ ((new_C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/
                                  (new_C_sfsm_sa1) \/ (new_C_sfsm_sd1 /\ c_write))) in
  let c_dfsm_cin_3_le = (ClkD /\ (new_C_sfsm_sidle \/ new_C_sfsm_slock)) in
  let c_dfsm_cin_4_le = (new_C_clkAA /\ new_C_sfsm_sa0) in
  let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
     \/ (new_C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
     \/ (new_C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
  let c_dfsm_cout_1_le = (new_C_clkAA /\ new_C_sfsm_sd1) in
  let c_dfsm_cad_en = ~((new_C_mfsm_ma3) \/ (new_C_mfsm_ma1) \/ (new_C_mfsm_ma0)

  let c_dfsm_i_male_ = ~(new_C_sfsm_sale /\ (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) /\ new_C_clkAA) in
  let c_dfsm_i_rale_ = ~(new_C_sfsm_sale /\ ((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) /\ new_C_clkAA) in
  let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (new_C_sfsm_sale \/ new_C_sfsm_sd1))
     \/ (~c_write /\ new_C_clkAA /\ new_C_sfsm_sack)
     \/ (c_write /\ ClkD /\ new_C_sfsm_sd0)) in
  let new_C_last_inA_ = I_last_in_ in
  let new_C_ssA = CB_ss_in in
  let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
  let new_C_cout_0_le_delA = C_cout_0_le_del in
  let new_C_cin_2_leA = C_cin_2_le in
  let new_C_mrdy_delA_ = C_mrdy_del_ in
  let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
  let new_C_wrdyA = C_wrdy in
  let new_C_rrdyA = C_rrdy in
  let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in
  let new_C_a1a0 =

  let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in
  let new_C_mfsm_state = C_mfsm_state in
  let new_C_mfsm_srdy_en = C_mfsm_srdy_en in
  let new_C_mfsm_D = C_mfsm_D in
  let new_C_mfsm_grant = C_mfsm_grant in
  let new_C_mfsm_rst = C_mfsm_rst in
  let new_C_mfsm_busy = C_mfsm_busy in
  let new_C_mfsm_write = C_mfsm_write in
  let new_C_mfsm_crqt_ = C_mfsm_crqt_ in
  let new_C_mfsm_hold_ = C_mfsm_hold_ in
  let new_C_mfsm_last_ = C_mfsm_last_ in
  let new_C_mfsm_lock_ = C_mfsm_lock_ in
  let new_C_mfsm_ss = C_mfsm_ss in
  let new_C_mfsm_invalid = C_mfsm_invalid in
  let new_C_sfsm_state = C_sfsm_state in
  let new_C_sfsm_D = C_sfsm_D in
  let new_C_sfsm_grant = C_sfsm_grant in
  let new_C_sfsm_rst = C_sfsm_rst in
  let new_C_sfsm_write = C_sfsm_write in
  let new_C_sfsm_addressed = C_sfsm_addressed in
  let new_C_sfsm_hlda_ = C_sfsm_hlda_ in
  let new_C_sfsm_ms = C_sfsm_ms in
  let new_C_efsm_state = C_efsm_state in
  let new_C_efsm_cale_ = C_efsm_cale_ in
  let new_C_efsm_last_ = C_efsm_last_ in
  let new_C_efsm_male_ = C_efsm_male_ in
  let new_C_efsm_rale_ = C_efsm_rale_ in
  let new_C_efsm_srdy_ = C_efsm_srdy_ in
  let new_C_efsm_rst = C_efsm_rst in
  let new_C_wr = C_wr in
  let new_C_sizewrbe = C_sizewrbe in
  let new_C_clkA = C_clkA in
  let new_C_sidle_del = C_sidle_del in
  let new_C_mrqt_del = C_mrqt_del in
  let new_C_last_in_ = C_last_in_ in
  let new_C_lock_in_ = C_lock_in_ in
  let new_C_ss = C_ss in
  let new_C_last_out_ = C_last_out_ in
  let new_C_hold_ = C_hold_ in
  let new_C_cout_0_le_del = C_cout_0_le_del in
  let new_C_cin_2_le = C_cin_2_le in
  let new_C_mrdy_del_ = C_mrdy_del_ in
  let new_C_iad_en_s_del = C_iad_en_s_del in
  let new_C_wrdy = C_wrdy in
  let new_C_rrdy = C_rrdy in
  let new_C_parity = C_parity in
  let new_C_source = C_source in
  let new_C_data_in = C_data_in in
  let new_C_iad_in = C_iad_in in
  (new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3,
   new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0, new_C_mfsm_iad_en_m,
   new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_,
   new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss,
   new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0,
   new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
   new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA,
   new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_,
   new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA,
   new_C_rrdyA, new_C_iad_out, new_C_a1a0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D,
   new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_,
   new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid,
   new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write,
   new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_,
   new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr,
   new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_,
   new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
   new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)"
);;
%
  Output definition for Phase-A instruction.
%
let PH_A_out_def = new_definition
('PH_A_out',
  "! (rep:^rep_ty)
     (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
     (C_sfsm_stateA C_sfsm_state :csfsm_ty)
     (C_efsm_stateA C_efsm_state :cefsm_ty)
     (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
      C_source C_data_in C_iad_in :wordn)
     (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
      C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
      C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
      C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
      C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
      C_efsm_srdy_en
      C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
      C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
      C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
      C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
      C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
      C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
      C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
      C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
      C_rrdy C_parity :bool)
     (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
      Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
     (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
     (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
      Disable_writes CB_parity :bool).
  PH_A_out rep
   (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
    C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
    C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
    C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
    C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
    C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
    C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
    C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
    C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
    C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
    C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
    C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
    C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
    C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
   (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
    I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
    ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
  let new_C_mfsm_stateA =
    ((C_mfsm_rst) => CMI |
     ((C_mfsm_state = CMI) => ((C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~C_mfsm_busy /\ ~C_mfsm_invalid) => CMR | CMI) |
     ((C_mfsm_state = CMR) => ((C_mfsm_D /\ C_mfsm_grant /\ C_mfsm_hold_) => CMA3 | CMR) |
     ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
     ((C_mfsm_state = CMA1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1) |
     ((C_mfsm_state = CMA0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0) |
     ((C_mfsm_state = CMA2) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2) |
     ((C_mfsm_state = CMD1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1) |
     ((C_mfsm_state = CMD0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_mfsm_last_) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_last_) => CMW |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0) |
     ((C_mfsm_state = CMW) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
         (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_mfsm_lock_) => CMI |
         (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_mfsm_lock_ /\ ~C_mfsm_crqt_) => CMA3 | CMW) |
     ((~C_mfsm_last_) => CMI | CMABT))))))))))) in
  let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
  let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
  let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
  let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
  let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
  let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
  let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
  let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
  let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
  let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
     \/ ((new_C_mfsm_stateA = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)
     \/ ((new_C_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~C_mfsm_write /\ C_mfsm_srdy_en)) in
  let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA2)) in
  let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1)
     \/ (new_C_mfsm_stateA = CMD1)) in
  let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) \/ (new_C_mfsm_stateA = CMA1) \/
                             (new_C_mfsm_stateA = CMA0) \/ (new_C_mfsm_stateA = CMA2) \/
                             (new_C_mfsm_stateA = CMD1) \/ (new_C_mfsm_stateA = CMD0) \/
                             (new_C_mfsm_stateA = CMW) \/ (new_C_mfsm_stateA = CMABT))) in
let ms1 = (ALTER ms2 (1) (new_C_mfsm_stateA = CMA1)V (new_C_mfsm_stateA = CMA0)V
    (new_C_mfsm_stateA = CMA2) V (new_C_mfsm_stateA = CMD1) V
    ((new_C_mfsm_stateA = CMD0) ^C_mfsm_last_) V (new_C_mfsm_stateA =CMW) V
    (new_C_mfsm_stateA = CMABT)), in
let ms0=(ALTER msl (0) (()
    ((new_C_mfsm_stateA = CMW) ^C_mfsm_lock_)V (new_C_mfsm_stateA = CMABT)) in
let new_C_mfsm_ms = ms0 in
let new_C_mfsm_rqt_ = -(-(new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) }\wedge(~(new_C_mfsm_stateA = CMR)) in
let new_C_mfsm_abort_le_en_= ~((new_C_mfsm_stateA = CMABT) V (new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3)V (new_C_mfsm_stateA = CMA1)
V (new_C_mfsm_stateA = CMAO)V (new_C_mfsm_stateA = CMA2)
V (new_C_mfsm_stateA = CMD1) V (new_C_mfsm_stateA = CMD0)
V (C_mfsm_state = CMA1)V(C_mfsm_state = CMA0)
V(C_mfsm_state = CMA2)V(C_mfsm_state = CMD1)) in
```

```
let new_C_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
   (C_sfsm_state = CSI) => ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant
                              ∧ C_sfsm_addressed) => CSA1 | CSI) |
   (C_sfsm_state = CSL) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant ∧ C_sfsm_addressed) => CSA1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant ∧ ~C_sfsm_addressed) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
   (C_sfsm_state = CSA1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
   (C_sfsm_state = CSA0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
   (C_sfsm_state = CSA0W) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
   (C_sfsm_state = CSALE) =>
     ((C_sfsm_D ∧ C_sfsm_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ ~C_sfsm_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
   (C_sfsm_state = CSRR) =>
     ((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
   (C_sfsm_state = CSD1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
   (C_sfsm_state = CSD0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
   (C_sfsm_state = CSACK) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
   (C_sfsm_D) => CSI | CSABT) in
let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) ∧ (~(new_C_sfsm_stateA = CSABT)))) in
let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) ∧ (~(new_C_sfsm_stateA = CSACK))
                          ∧ (~(new_C_sfsm_stateA = CSABT)))) in
let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSA0W) ∨
                          ((new_C_sfsm_stateA = CSALE) ∧ ~C_sfsm_write) ∨
                          (new_C_sfsm_stateA = CSACK))) in
let new_C_sfsm_ss = ss0 in
let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) ∧ (~(C_sfsm_state = CSALE)))
                           ∨ ((new_C_sfsm_stateA = CSALE) ∧ C_sfsm_write)
                           ∨ ((new_C_sfsm_stateA = CSD1) ∧ C_sfsm_write ∧ (~(C_sfsm_state = CSRR)))
                           ∨ ((new_C_sfsm_stateA = CSD0) ∧ C_sfsm_write)
                           ∨ ((new_C_sfsm_stateA = CSACK) ∧ C_sfsm_write)) in
let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in
let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in
let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in
let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in
let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in
let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in
let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in
let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in
let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in
let new_C_sfsm_sparity = ((~(new_C_sfsm_stateA = CSI)) ∧ (~(new_C_sfsm_stateA = CSACK))
                          ∧ (~(new_C_sfsm_stateA = CSABT))) in
let new_C_efsm_stateA =
  ((C_efsm_rst) => CEI |
   (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
   ((~C_efsm_last_ ∧ ~C_efsm_srdy_) ∨ ~C_efsm_male_ ∨ ~C_efsm_rale_) => CEI | CEE) in
let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) ∨ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 ∨ new_C_sfsm_sd0) =>
                                 new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 ∨ new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
                  ∧ (ELEMENT CB_rqt_in_ (2)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
                  ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in
let new_C_clkAA = C_clkA in
let new_C_sidle_delA = C_sidle_del in
let new_C_mrqt_delA = C_mrqt_del in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (new_C_mfsm_ma3 ∨ new_C_mfsm_ma2 ∨ new_C_mfsm_ma1 ∨
                     new_C_mfsm_ma0 ∨ new_C_mfsm_md1 ∨ new_C_mfsm_md0) in
let c_dfsm_slave = (~new_C_sfsm_sidle ∧ ~new_C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD ∧ ((new_C_mfsm_md0 ∧ c_dfsm_srdy ∧ ~c_write) ∨
                               (new_C_sfsm_sa0) ∨ (new_C_sfsm_sd0 ∧ c_write))) in
let c_dfsm_cin_1_le = (ClkD ∧ ((new_C_mfsm_md1 ∧ c_dfsm_srdy ∧ ~c_write) ∨
                               (new_C_sfsm_sa1) ∨ (new_C_sfsm_sd1 ∧ c_write))) in
let c_dfsm_cin_3_le = (ClkD ∧ (new_C_sfsm_sidle ∨ new_C_sfsm_slock)) in
let c_dfsm_cin_4_le = (new_C_clkAA ∧ new_C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_write)
                        ∨ (new_C_mfsm_ma0 ∧ c_dfsm_srdy ∧ c_write ∧ ClkD)
                        ∨ (new_C_mfsm_md0 ∧ c_write ∧ c_dfsm_srdy ∧ ClkD)) in
let c_dfsm_cout_1_le = (new_C_clkAA ∧ new_C_sfsm_sd1) in
let c_dfsm_cad_en = ~((new_C_mfsm_ma3) ∨ (new_C_mfsm_ma1) ∨ (new_C_mfsm_ma0)
                      ∨ (new_C_mfsm_ma2) ∨ (c_write ∧ (new_C_mfsm_md1 ∨ new_C_mfsm_md0))
                      ∨ (~c_write ∧ (new_C_sfsm_sd1 ∨ new_C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(new_C_sfsm_sale ∧ (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) ∧ new_C_clkAA) in
let c_dfsm_i_rale_ = ~(new_C_sfsm_sale ∧ ((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) ∧ new_C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write ∧ ClkD ∧ (new_C_sfsm_sale ∨ new_C_sfsm_sd1))
                       ∨ (~c_write ∧ new_C_clkAA ∧ new_C_sfsm_sack)
                       ∨ (c_write ∧ ClkD ∧ new_C_sfsm_sd0)) in
let new_C_last_inA_ = I_last_in_ in
let new_C_ssA = CB_ss_in in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_delA = C_cout_0_le_del in
let new_C_cin_2_leA = C_cin_2_le in
let new_C_mrdy_delA_ = C_mrdy_del_ in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdyA = C_wrdy in
let new_C_rrdyA = C_rrdy in
let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in
let new_C_a1a0 =
    (((c_dfsm_master ∧ new_C_cout_0_le_delA) ∨ (~c_dfsm_master ∧ c_dfsm_cout_1_le)) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in
let new_C_mfsm_state = C_mfsm_state in
let new_C_mfsm_srdy_en = C_mfsm_srdy_en in
let new_C_mfsm_D = C_mfsm_D in
let new_C_mfsm_grant = C_mfsm_grant in
let new_C_mfsm_rst = C_mfsm_rst in
let new_C_mfsm_busy = C_mfsm_busy in
let new_C_mfsm_write = C_mfsm_write in
let new_C_mfsm_crqt_ = C_mfsm_crqt_ in
let new_C_mfsm_hold_ = C_mfsm_hold_ in
let new_C_mfsm_last_ = C_mfsm_last_ in
let new_C_mfsm_lock_ = C_mfsm_lock_ in
let new_C_mfsm_ss = C_mfsm_ss in
let new_C_mfsm_invalid = C_mfsm_invalid in
let new_C_sfsm_state = C_sfsm_state in
let new_C_sfsm_D = C_sfsm_D in
let new_C_sfsm_grant = C_sfsm_grant in
let new_C_sfsm_rst = C_sfsm_rst in
let new_C_sfsm_write = C_sfsm_write in
let new_C_sfsm_addressed = C_sfsm_addressed in
let new_C_sfsm_hlda_ = C_sfsm_hlda_ in
let new_C_sfsm_ms = C_sfsm_ms in
let new_C_efsm_state = C_efsm_state in
let new_C_efsm_cale_ = C_efsm_cale_ in
let new_C_efsm_last_ = C_efsm_last_ in
let new_C_efsm_male_ = C_efsm_male_ in
let new_C_efsm_rale_ = C_efsm_rale_ in
let new_C_efsm_srdy_ = C_efsm_srdy_ in
let new_C_efsm_rst = C_efsm_rst in
let new_C_wr = C_wr in
let new_C_sizewrbe = C_sizewrbe in
let new_C_clkA = C_clkA in
let new_C_sidle_del = C_sidle_del in
let new_C_mrqt_del = C_mrqt_del in
let new_C_last_in_ = C_last_in_ in
let new_C_lock_in_ = C_lock_in_ in
let new_C_ss = C_ss in
let new_C_last_out_ = C_last_out_ in
let new_C_hold_ = C_hold_ in
let new_C_cout_0_le_del = C_cout_0_le_del in
let new_C_cin_2_le = C_cin_2_le in
let new_C_mrdy_del_ = C_mrdy_del_ in
let new_C_iad_en_s_del = C_iad_en_s_del in
let new_C_wrdy = C_wrdy in
let new_C_rrdy = C_rrdy in
let new_C_parity = C_parity in
let new_C_source = C_source in
let new_C_data_in = C_data_in in
let new_C_iad_in = C_iad_in in
let I_cgnt_ = new_C_mfsm_cgnt_ in
let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ | ARB) in
let I_male_out_ = ((~I_hlda_) => c_dfsm_i_male_ | ARB) in
let I_last_out_ = ((~I_hlda_) => new_C_last_out_ | ARB) in
let I_srdy_out_ =
    ((~I_cale_ ∨ new_C_efsm_srdy_en) => ~(new_C_wrdyA ∨ new_C_rrdyA ∨ new_C_mfsm_mabort) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out =
    ((new_C_iad_en_s_delA ∨ new_C_mfsm_iad_en_m ∨ new_C_sfsm_iad_en_s) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = new_C_mfsm_rqt_ in
let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in
let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) ∧ ~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 | ARBN) in
let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in
let cbss210 = (ALTER cbms10 (2) ((ELEMENT new_C_sfsm_ss (2)) ∧ ~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ss_out = ((~new_C_sfsm_sidle ∧ ~new_C_sfsm_sabort) => cbss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
                 ((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (15,0))) |
                  ((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (31,16))) |
                   ((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) |
                    Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) |
                 ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = (c_dfsm_slave ∧ ~((ChannelID = (WORDN 0)) ∧ (ELEMENT new_C_source (6)))
                                   ∧ ~((ChannelID = (WORDN 1)) ∧ (ELEMENT new_C_source (7)))
                                   ∧ ~((ChannelID = (WORDN 2)) ∧ (ELEMENT new_C_source (8)))
                                   ∧ ~((ChannelID = (WORDN 3)) ∧ (ELEMENT new_C_source (9)))) in
let CB_parity = new_C_parity in
    (I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,
     CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
    );
%
Next-state definition for Phase-B instruction.
%
let PH_B_inst_def = new_definition
('PH_B_inst',
    "!(rep:^rep_ty)
        (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
        (C_sfsm_stateA C_sfsm_state :csfsm_ty)
        (C_efsm_stateA C_efsm_state :cefsm_ty)
        (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
         C_source C_data_in C_iad_in :wordn)
        (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
         C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
         C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
         C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
         C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
         C_efsm_srdy_en
         C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
         C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
         C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
         C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
         C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
         C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
         C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
         C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
         C_rrdy C_parity :bool)
        (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
         Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
        (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
        (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
         Disable_writes CB_parity :bool).
    PH_B_inst rep
        (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
         C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
         C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
         C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
         C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
         C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
         C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
         C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
         C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
         C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
         C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
         C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
         C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_,
         C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
         C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
        (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
         I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB,
         ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => ARBN |
                      ((C_sfsm_sa0 ∧ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 ∨ C_sfsm_sd0) =>
                                 C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 ∨ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0))
                  ∧ (ELEMENT CB_rqt_in_ (1)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
                  ∧ (ELEMENT CB_rqt_in_ (2)))
               ∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0))
                  ∧ (ELEMENT CB_rqt_in_ (1))
                  ∧ (ELEMENT CB_rqt_in_ (2))
                  ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (C_mfsm_ma3 ∨ C_mfsm_ma2 ∨ C_mfsm_ma1 ∨ C_mfsm_ma0 ∨ C_mfsm_md1 ∨ C_mfsm_md0) in
let c_dfsm_slave = (~C_sfsm_sidle ∧ ~C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD ∧ ((C_mfsm_md0 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa0)
                               ∨ (C_sfsm_sd0 ∧ c_write))) in
let c_dfsm_cin_1_le = (ClkD ∧ ((C_mfsm_md1 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa1)
                               ∨ (C_sfsm_sd1 ∧ c_write))) in
let c_dfsm_cin_3_le = (ClkD ∧ (C_sfsm_sidle ∨ C_sfsm_slock)) in
let c_dfsm_cin_4_le = (C_clkAA ∧ C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_write)
                        ∨ (C_mfsm_ma0 ∧ c_dfsm_srdy ∧ c_write ∧ ClkD)
                        ∨ (C_mfsm_md0 ∧ c_write ∧ c_dfsm_srdy ∧ ClkD)) in
let c_dfsm_cout_1_le = (C_clkAA ∧ C_sfsm_sd1) in
let c_dfsm_cad_en = ~((C_mfsm_ma3) ∨ (C_mfsm_ma1) ∨ (C_mfsm_ma0) ∨ (C_mfsm_ma2) ∨
                      (c_write ∧ (C_mfsm_md1 ∨ C_mfsm_md0)) ∨ (~c_write ∧ (C_sfsm_sd1 ∨ C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(C_sfsm_sale ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkAA) in
let c_dfsm_i_rale_ = ~(C_sfsm_sale ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write ∧ ClkD ∧ (C_sfsm_sale ∨ C_sfsm_sd1)) ∨
                       (~c_write ∧ C_clkAA ∧ C_sfsm_sack) ∨ (c_write ∧ ClkD ∧ C_sfsm_sd0)) in
let new_C_clkA = ClkD in
let new_C_sidle_del = C_sfsm_sidle in
let new_C_mrqt_del = C_mfsm_mrequest in
let new_C_last_in_ = ((Rst) => F |

let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
let mend = (CB_ms_in = ^MEND) in
let mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
    ((C_sfsm_sa1 ∧ ~(ClkD ∧ (mend ∨ mabort))) => T |
     ((~C_sfsm_sa1 ∧ (ClkD ∧ (mend ∨ mabort))) => F |
      ((~C_sfsm_sa1 ∧ ~(ClkD ∧ (mend ∨ mabort))) => C_last_out_ | ARB))) in
let new_C_hold_ = C_sfsm_sidle in
let new_C_cout_0_le_del = c_dfsm_cout_0_le in
let new_C_cin_2_le = c_dfsm_cin_0_le in
let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
let new_C_iad_en_s_del = C_sfsm_iad_en_s in
let new_C_wrdy = (c_dfsm_srdy ∧ c_write ∧ C_mfsm_md1 ∧ ClkD) in
let new_C_rrdy = (c_dfsm_srdy ∧ ~c_write ∧ C_mfsm_md0 ∧ ClkD) in
let c_pe = (Par_Det rep CB_ad_in) in
let c_pe_cnt = (ClkD ∧ ((~(C_mfsm_mparity = C_sfsm_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
    (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ I_cale_) => T |
     ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~I_cale_) => F |
      ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ I_cale_) => C_parity | ARB))) in
let new_C_source = ((Rst) => (WORDN 0) |
                    ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
                                          ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) |
                                           (SUBARRAY C_data_in (31,16))))) in
let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
                                                ((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) |
                                                 (SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in
let new_C_mfsm_state = C_mfsm_stateA in
let new_C_mfsm_srdy_en = C_efsm_srdy_en in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_grant = c_grant in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_busy = c_busy in
let new_C_mfsm_write = c_write in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = C_holdA_ in
let new_C_mfsm_last_ = new_C_last_in_ in
let new_C_mfsm_lock_ = new_C_lock_in_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = C_sfsm_state in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_grant = c_grant in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_write = c_write in
let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in
let new_C_sfsm_hlda_ = I_hlda_ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_state = C_efsm_state in
let new_C_efsm_cale_ = I_cale_ in
let new_C_efsm_last_ = I_last_in_ in
let new_C_efsm_male_ = I_male_in_ in
let new_C_efsm_rale_ = I_rale_in_ in
let new_C_efsm_srdy_ = I_srdy_in_ in
let new_C_efsm_rst = Rst in
let new_C_mfsm_stateA = C_mfsm_stateA in
let new_C_mfsm_mabort = C_mfsm_mabort in
let new_C_mfsm_midle = C_mfsm_midle in
let new_C_mfsm_mrequest = C_mfsm_mrequest in
```

let new_C_mfsm_ma3 $=$ C_mfsm_ma3 in let new_C_mfsm_ma2 $=$ C_mfsm_ma2 in let new_C_mfsm_mal = C_mfsm_mal in let new_C_mfsm_ma0 $=$ C_mfsm_ma0 in let new_C_mfsm_mdl $=$ C_mfsm_mdl in let new_C_mfsm_md0 $=$ C_mfsm_md0 in let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in let new_C_mfsm_m_cout_sell = C_mfsm_m_cout_sel 1 in let new_C_mfsm_m_cout_sel $0=C_{-} m f s m_{-} m_{-}$cout_sel 0 in let new_C_mfsm_ms $=$ C_mfsm_ms in $^{\text {m }}$ let new_C_mfsm_rqt_ $=$ C_mfsm_rqt_in let new_C_mfsm_cgnt_ $=$ C_mfsm_cgnt_in $^{\text {m }}$ let new_C_mfsm_cm_en $=C_{-} m f s m_{-} c m_{-} e n$ in let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_in let new_C_mfsm_mparity = C_mfsm_mparity in let new_C_sfsm_stateA $=$ C_sfsm_stateA $^{\text {in }}$ let new_C_sfsm_ss = C_sfsm_ss in let new_C_sfsm_iad_en_s $=C_{-} s f s m_{-} i a d \_e n_{-} s$ in let new_C_sfsm_sidle = C_sfsm_sidle in let new_C_sfsm_slock $=$ C_sfsm_slock in $^{\text {s }}$ let new_C_sfsm_sal = C_sfsm_sal in let new_C_sfsm_sa0 = C_sfsm_sa 0 in let new_C_sfsm_sale = C_sfsm_sale in let new_C_sfsm_sdl = C_sfsm_sdl in let new_C_sfsm_sd0 = C_sfsm_sd0 in let new_C_sfsm_sack = C_sfsm_sack in let new_C_sfsm_sabort = C_sfsm_sabort in let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in let new_C_sfsm_sparity $=$ C_s $_{-}$sfm_sparity in
let new_C_efsm_state $A=C_{-}$efsm_state $A$ in
let new_C_efsm_srdy_en = C_efsm_srdy_en in
let new_C_clkAA = C_clkAA in
let new_C_sidle_delA = C_sidle_delA in
let new_C_mrqt_delA $=$ C_mrqt_delA in
let new_C_last_in $A_{-}=C_{-}$last_in $A_{-}$in
let new_C_ssA = C_ssA in
let new_C_holdA_ = C_holdA_in
let new_C_cout_0_le_del $A=C$ _cout_0_le_delA in
let new_C_cin_2_leA = C_cin_2_leA in
let new_C_mrdy_delA_ = C_mrdy_delA_in
let new_C_iad_en_s_del $A=C_{\text {_iad_en_s_del } A \text { in }}$
let new_C_wrdyA = C_wrdyA in
let new_C_rrdyA $=C_{-}$rrdyA in
let new_C_iad_out = C_iad_out in
let new_C_ala0 = C_alaO in
let new_C_a3a2 = C_a3a2 in
(new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3, new_C_mfsm_ma2, new_C_mfsm_mal, new_C_mfsm_maO, new_C_mfsm_md1, new_C_mfsm_mdO.
new_C_mfsm_iad_en_m,
new_C_mfsm_m_cout_sell, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_, new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss, new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sal, new_C_sfsm_ss0, new_C_sfsm_sale, new_C_sfsm_sdI, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort,
new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clikAA, new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA, new_C_ssA, new_C_holdA _
new_C_cout_o_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA, new_C_iad_out, new_C_ala0, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D, new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_, new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write, new_C_sfsm_addressed, new_C_sfsm_hida_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale., new_C_efsm_last, new_C_efsm_male, new_C_efsm_rale_, new_C_efsm_srdy, new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_cliA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_, new_C_ss, new_C_last_out, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_, new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)" ); \%

```
%
Output definition for Phase-B instruction.
%
let PH_B_out_def = new_definition
('PH_B_out',
 "! (rep:^rep_ty)
    (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
    (C_sfsm_stateA C_sfsm_state :csfsm_ty)
    (C_efsm_stateA C_efsm_state :cefsm_ty)
    (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
     C_source C_data_in C_iad_in :wordn)
    (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1
     C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
     C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
     C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0
     C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
     C_efsm_srdy_en
     C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA
     C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
     C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
     C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
     C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
     C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
     C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_
     C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy
     C_rrdy C_parity :bool)
    (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
     Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
    (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
    (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
     Disable_writes CB_parity :bool) .
  PH_B_out rep
   (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
    C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
    C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
    C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock,
    C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
    C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA,
    C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA,
    C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state,
    C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_,
    C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D,
    C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state,
    C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe,
    C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_,
    C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy, C_rrdy, C_parity, C_source,
    C_data_in, C_iad_in)
   (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_,
    I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID,
    Pmm_failure, Piu_invalid, Ccr, Reset_error) =
  let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
  let new_C_sizewrbe = ((Rst) => ARBN |
                        ((C_sfsm_sa0 /\ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
  let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
  let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 \/ C_sfsm_sd0) =>
                                    C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
  let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 \/ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
  let c_cout_sel = cout_sel10 in
  let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
  let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
              \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                    /\ (ELEMENT CB_rqt_in_ (1)))
              \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                    /\ (ELEMENT CB_rqt_in_ (1))
                                                    /\ (ELEMENT CB_rqt_in_ (2)))
              \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                    /\ (ELEMENT CB_rqt_in_ (1))
                                                    /\ (ELEMENT CB_rqt_in_ (2))
                                                    /\ (ELEMENT CB_rqt_in_ (3)))) in
  let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
  let c_dfsm_slave = (~C_sfsm_sidle /\ ~C_sfsm_slock) in
  let c_dfsm_cin_0_le = (ClkD /\ ((C_mfsm_md0 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa0)
                               \/ (C_sfsm_sd0 /\ c_write))) in
  let c_dfsm_cin_1_le = (ClkD /\ ((C_mfsm_md1 /\ c_dfsm_srdy /\ ~c_write) \/ (C_sfsm_sa1)
                               \/ (C_sfsm_sd1 /\ c_write))) in
  let c_dfsm_cin_3_le = (ClkD /\ (C_sfsm_sidle \/ C_sfsm_slock)) in
  let c_dfsm_cin_4_le = (C_clkAA /\ C_sfsm_sa0) in
  let c_dfsm_cout_0_le = ((I_cale_) \/ (I_srdy_in_ /\ ~c_write)
                       \/ (C_mfsm_ma0 /\ c_dfsm_srdy /\ c_write /\ ClkD)
                       \/ (C_mfsm_md0 /\ c_write /\ c_dfsm_srdy /\ ClkD)) in
  let c_dfsm_cout_1_le = (C_clkAA /\ C_sfsm_sd1) in
  let c_dfsm_cad_en = ((C_mfsm_ma3) \/ (C_mfsm_ma1) \/ (C_mfsm_ma0) \/ (C_mfsm_ma2)
                    \/ (c_write /\ (C_mfsm_md1 \/ C_mfsm_md0))
                    \/ (~c_write /\ (C_sfsm_sd1 \/ C_sfsm_sd0))) in
  let c_dfsm_i_male_ = ~(C_sfsm_sale /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkAA) in
  let c_dfsm_i_rale_ = ~(C_sfsm_sale /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkAA) in
  let c_dfsm_i_mrdy_ = ~((~c_write /\ ClkD /\ (C_sfsm_sale \/ C_sfsm_sd1))
                      \/ (~c_write /\ C_clkAA /\ C_sfsm_sack)
                      \/ (c_write /\ ClkD /\ C_sfsm_sd0)) in
  let new_C_clkA = ClkD in
  let new_C_sidle_del = C_sfsm_sidle in
  let new_C_mrqt_del = C_mfsm_mrequest in
  let new_C_last_in_ = ((Rst) => F |
                        ((C_mfsm_mabort \/ C_mfsm_md1 /\ ClkD) => C_last_inA_ | C_last_in_)) in
  let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
  let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
  let mend = (CB_ms_in = ^MEND) in
  let mabort = (CB_ms_in = ^MABORT) in
  let new_C_last_out_ =
      ((C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => T |
      ((~C_sfsm_sa1 /\ (ClkD /\ (mend \/ mabort))) => F |
      ((~C_sfsm_sa1 /\ ~(ClkD /\ (mend \/ mabort))) => C_last_out_ | ARB))) in
  let new_C_hold_ = C_sfsm_sidle in
  let new_C_cout_0_le_del = c_dfsm_cout_0_le in
  let new_C_cin_2_le = c_dfsm_cin_0_le in
  let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
  let new_C_iad_en_s_del = C_sfsm_iad_en_s in
  let new_C_wrdy = (c_dfsm_srdy /\ c_write /\ C_mfsm_md1 /\ ClkD) in
  let new_C_rrdy = (c_dfsm_srdy /\ ~c_write /\ C_mfsm_md0 /\ ClkD) in
  let c_pe = (Par_Det rep CB_ad_in) in
  let c_pe_cnt = (ClkD /\ ((~(C_mfsm_mparity = C_sfsm_sparity))
                        \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
  let new_C_parity =
      (((ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => T |
      ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~I_cale_) => F |
      ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ I_cale_) => C_parity | ARB))) in
  let new_C_source = ((Rst) => (WORDN 0) |
                      ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
  let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
                                           ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) |
                                           (SUBARRAY C_data_in (31,16))))) in
  let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
                                                 ((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) |
                                                 (SUBARRAY C_data_in (15,0))))) in
  let new_C_data_in = data_in31_0 in
  let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in
  let new_C_mfsm_state = C_mfsm_stateA in
  let new_C_mfsm_srdy_en = C_efsm_srdy_en in
  let new_C_mfsm_D = ClkD in
  let new_C_mfsm_grant = c_grant in
  let new_C_mfsm_rst = Rst in
  let new_C_mfsm_busy = c_busy in
  let new_C_mfsm_write = c_write in
  let new_C_mfsm_crqt_ = I_crqt_ in
  let new_C_mfsm_hold_ = C_holdA_ in
  let new_C_mfsm_last_ = new_C_last_in_ in
  let new_C_mfsm_lock_ = new_C_lock_in_ in
  let new_C_mfsm_ss = CB_ss_in in
  let new_C_mfsm_invalid = Piu_invalid in
  let new_C_sfsm_state = C_sfsm_state in
  let new_C_sfsm_D = ClkD in
  let new_C_sfsm_grant = c_grant in
  let new_C_sfsm_rst = Rst in
  let new_C_sfsm_write = c_write in
  let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in
  let new_C_sfsm_hlda_ = I_hlda_ in
  let new_C_sfsm_ms = CB_ms_in in
```

```
  let new_C_efsm_state = C_efsm_state in
  let new_C_efsm_cale_ = I_cale_ in
  let new_C_efsm_last_ = I_last_in_ in
  let new_C_efsm_male_ = I_male_in_ in
  let new_C_efsm_rale_ = I_rale_in_ in
  let new_C_efsm_srdy_ = I_srdy_in_ in
  let new_C_efsm_rst = Rst in
  let new_C_mfsm_stateA = C_mfsm_stateA in
  let new_C_mfsm_mabort = C_mfsm_mabort in
  let new_C_mfsm_midle = C_mfsm_midle in
  let new_C_mfsm_mrequest = C_mfsm_mrequest in
  let new_C_mfsm_ma3 = C_mfsm_ma3 in
  let new_C_mfsm_ma2 = C_mfsm_ma2 in
  let new_C_mfsm_ma1 = C_mfsm_ma1 in
  let new_C_mfsm_ma0 = C_mfsm_ma0 in
  let new_C_mfsm_md1 = C_mfsm_md1 in
  let new_C_mfsm_md0 = C_mfsm_md0 in
  let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in
  let new_C_mfsm_m_cout_sel1 = C_mfsm_m_cout_sel1 in
  let new_C_mfsm_m_cout_sel0 = C_mfsm_m_cout_sel0 in
  let new_C_mfsm_ms = C_mfsm_ms in
  let new_C_mfsm_rqt_ = C_mfsm_rqt_ in
  let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in
  let new_C_mfsm_cm_en = C_mfsm_cm_en in
  let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_ in
  let new_C_mfsm_mparity = C_mfsm_mparity in
  let new_C_sfsm_stateA = C_sfsm_stateA in
  let new_C_sfsm_ss = C_sfsm_ss in
  let new_C_sfsm_iad_en_s = C_sfsm_iad_en_s in
  let new_C_sfsm_sidle = C_sfsm_sidle in
  let new_C_sfsm_slock = C_sfsm_slock in
  let new_C_sfsm_sa1 = C_sfsm_sa1 in
  let new_C_sfsm_sa0 = C_sfsm_sa0 in
  let new_C_sfsm_sale = C_sfsm_sale in
  let new_C_sfsm_sd1 = C_sfsm_sd1 in
  let new_C_sfsm_sd0 = C_sfsm_sd0 in
  let new_C_sfsm_sack = C_sfsm_sack in
  let new_C_sfsm_sabort = C_sfsm_sabort in
  let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in
  let new_C_sfsm_sparity = C_sfsm_sparity in
  let new_C_efsm_stateA = C_efsm_stateA in
  let new_C_efsm_srdy_en = C_efsm_srdy_en in
  let new_C_clkAA = C_clkAA in
  let new_C_sidle_delA = C_sidle_delA in
  let new_C_mrqt_delA = C_mrqt_delA in
  let new_C_last_inA_ = C_last_inA_ in
  let new_C_ssA = C_ssA in
  let new_C_holdA_ = C_holdA_ in
  let new_C_cout_0_le_delA = C_cout_0_le_delA in
  let new_C_cin_2_leA = C_cin_2_leA in
  let new_C_mrdy_delA_ = C_mrdy_delA_ in
  let new_C_iad_en_s_delA = C_iad_en_s_delA in
  let new_C_wrdyA = C_wrdyA in
  let new_C_rrdyA = C_rrdyA in
```

```
  let new_C_iad_out = C_iad_out in
  let new_C_a1a0 = C_a1a0 in
  let new_C_a3a2 = C_a3a2 in
  let I_cgnt_ = new_C_mfsm_cgnt_ in
  let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in
  let I_hold_ = new_C_holdA_ in
  let I_rale_out_ = ((~I_hlda_) => c_dfsm_i_rale_ | ARB) in
  let I_male_out_ = ((~I_hlda_) => c_dfsm_i_male_ | ARB) in
  let I_last_out_ = ((~I_hlda_) => new_C_last_out_ | ARB) in
  let I_srdy_out_ =
      ((~I_cale_ \/ new_C_efsm_srdy_en) =>
       ~(new_C_wrdyA \/ new_C_rrdyA \/ new_C_mfsm_mabort) | ARB) in
  let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
  let I_ad_out =
      ((new_C_iad_en_s_delA \/ new_C_mfsm_iad_en_m \/ new_C_sfsm_iad_en_s) => new_C_iad_out | ARBN) in
  let CB_rqt_out_ = new_C_mfsm_rqt_ in
  let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in
  let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) /\ ~Pmm_failure /\ ~Piu_invalid)) in
  let CB_ms_out = ((new_C_mfsm_cm_en) => cbms210 | ARBN) in
  let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in
  let cbss210 = (ALTER cbss10 (2) ((ELEMENT new_C_sfsm_ss (2)) /\ ~Pmm_failure /\ ~Piu_invalid)) in
  let CB_ss_out = ((~new_C_sfsm_sidle /\ ~new_C_sfsm_sabort) => cbss210 | ARBN) in
  let CB_ad_out = ((c_dfsm_cad_en) =>
                   ((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (15,0))) |
                   ((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (31,16))) |
                   ((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) |
                   Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) |
                   ARBN) in
  let C_ss_out = new_C_ss in
  let Disable_writes = (c_dfsm_slave /\ ~((ChannelID = (WORDN 0)) /\ (ELEMENT new_C_source (6)))
                                    /\ ~((ChannelID = (WORDN 1)) /\ (ELEMENT new_C_source (7)))
                                    /\ ~((ChannelID = (WORDN 2)) /\ (ELEMENT new_C_source (8)))
                                    /\ ~((ChannelID = (WORDN 3)) /\ (ELEMENT new_C_source (9)))) in
  let CB_parity = new_C_parity in
  (I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,
   CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
);;
```

```
close_theory();;
```

## C.5 SU_Cont Specification

```
%
File: s_phase.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992

This file contains the ml source for the phase-level specification of the P-Port of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of
this code was translated from an M-language simulation program using a translator written by
P.J. Windley at the University of Idaho.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/hib/']);;
system 'rm s_block.th';;
new_theory 's_block';;
map new_parent ['saux_def';'aux_def';'array_def';'wordn_def'];;

let s_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#bool#bool#
                    sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
                 S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
                 S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                 S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                 S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                 S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
                :^s_state_ty)";;
let s_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
              :^s_env_ty)";;
let s_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;
let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
               Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
              :^s_out_ty)";;
```
```
%
Next-state definition for Phase-A instruction.
%
let PH_A_inst_def = new_definition
('PH_A_inst',
 "! (S_fsm_stateA S_fsm_state :sfsm_ty)
    (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
    (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
     S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
     S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
     S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
     S_cpu_hist S_piu_fail :bool)
    (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
  PH_A_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
             S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
             S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
             S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
             S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
             S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
            (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let new_S_fsm_stateA =
      ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
      ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
      ((S_fsm_state = SPF) => SC0I |
      ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
      ((S_fsm_state = SC0F) => ST |
      ((S_fsm_state = ST) => SC1I |
      ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
      ((S_fsm_state = SC1F) => SS |
      ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
      ((S_fsm_state = SSTOP) => SSTOP |
      ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
      ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
```



```
  let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
  let new_S_fsm_so = (new_S_fsm_stateA = SO) in
  let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
                    \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                    \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                    \/ (new_S_fsm_stateA = SCS)) in
  let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
  let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
  let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
  let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
  let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
  let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
  let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
  let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                    \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                    \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                    \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
  let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
  let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
  let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
  let new_S_soft_shot = (~Gcrh /\ Gcrl) in
  let new_S_soft_shot_delA = S_soft_shot_del in
  let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
  let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
  let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
  let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
                        (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
  let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
  let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
  let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
  let new_S_fsm_state = S_fsm_state in
  let new_S_fsm_rst = S_fsm_rst in
  let new_S_fsm_delay6 = S_fsm_delay6 in
  let new_S_fsm_delay17 = S_fsm_delay17 in
  let new_S_fsm_bothbad = S_fsm_bothbad in
  let new_S_fsm_bypass = S_fsm_bypass in
  let new_S_soft_shot_del = S_soft_shot_del in
  let new_S_soft_cnt = S_soft_cnt in
  let new_S_delay = S_delay in
  let new_S_bad_cpu0 = S_bad_cpu0 in
  let new_S_bad_cpu1 = S_bad_cpu1 in
  let new_S_reset_cpu0 = S_reset_cpu0 in
  let new_S_reset_cpu1 = S_reset_cpu1 in
  let new_S_pmm_fail = S_pmm_fail in
  let new_S_cpu0_fail = S_cpu0_fail in
  let new_S_cpu1_fail = S_cpu1_fail in
  let new_S_cpu_hist = S_cpu_hist in
  let new_S_piu_fail = S_piu_fail in
  (new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
   new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
   new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
   new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state,
   new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass,
   new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0,
   new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
);;
```

```
%
Output definition for Phase-A instruction.
%
let PH_A_out_def = new_definition
('PH_A_out',
 "! (S_fsm_stateA S_fsm_state :sfsm_ty)
    (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
    (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
     S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
     S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
     S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
     S_cpu_hist S_piu_fail :bool)
    (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
  PH_A_out (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
            S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
            S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
            S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
            S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
            S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
           (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let new_S_fsm_stateA =
      ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
      ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
      ((S_fsm_state = SPF) => SC0I |
      ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
      ((S_fsm_state = SC0F) => ST |
      ((S_fsm_state = ST) => SC1I |
      ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
      ((S_fsm_state = SC1F) => SS |
      ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
      ((S_fsm_state = SSTOP) => SSTOP |
      ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
      ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
```

```
  let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
  let new_S_fsm_so = (new_S_fsm_stateA = SO) in
  let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA)
                    \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                    \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                    \/ (new_S_fsm_stateA = SCS)) in
  let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
  let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
  let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
  let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
  let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
  let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
  let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
  let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                    \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                    \/ (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS)
                    \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
  let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
  let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
  let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
  let new_S_soft_shot = (~Gcrh /\ Gcrl) in
  let new_S_soft_shot_delA = S_soft_shot_del in
  let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
  let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
  let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
  let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
                        (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
  let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
  let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
  let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
  let new_S_fsm_state = S_fsm_state in
  let new_S_fsm_rst = S_fsm_rst in
  let new_S_fsm_delay6 = S_fsm_delay6 in
  let new_S_fsm_delay17 = S_fsm_delay17 in
  let new_S_fsm_bothbad = S_fsm_bothbad in
  let new_S_fsm_bypass = S_fsm_bypass in
  let new_S_soft_shot_del = S_soft_shot_del in
  let new_S_soft_cnt = S_soft_cnt in
  let new_S_delay = S_delay in
  let new_S_bad_cpu0 = S_bad_cpu0 in
  let new_S_bad_cpu1 = S_bad_cpu1 in
  let new_S_reset_cpu0 = S_reset_cpu0 in
  let new_S_reset_cpu1 = S_reset_cpu1 in
  let new_S_pmm_fail = S_pmm_fail in
  let new_S_cpu0_fail = S_cpu0_fail in
  let new_S_cpu1_fail = S_cpu1_fail in
  let new_S_cpu_hist = S_cpu_hist in
  let new_S_piu_fail = S_piu_fail in
  let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                          \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                          \/ (new_S_fsm_stateA = SO))) in
  let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                         \/ (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F)
                         \/ (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP)
                         \/ (new_S_fsm_stateA = SCS))) in
  let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I)
                         \/ (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST)
                         \/ (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
  let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF)
                         \/ (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I)
                         \/ (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN)
                         \/ (new_S_fsm_stateA = SO))) in
  let S_state = ss3 in
  let Reset_cport = new_S_fsm_srcp in
  let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
  let Reset_piu = new_S_fsm_srp in
  let Reset_cpu0 = new_S_reset_cpu0 in
  let Reset_cpu1 = new_S_reset_cpu1 in
  let Cpu_hist = new_S_cpu_hist in
  let Piu_fail = new_S_piu_fail in
  let Cpu0_fail = new_S_cpu0_fail in
  let Cpu1_fail = new_S_cpu1_fail in
  let Pmm_fail = new_S_pmm_fail in
  (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail,
   Cpu0_fail, Cpu1_fail, Pmm_fail)"
);;
```
```
%
Next-state definition for Phase-B instruction.
%
let PH_B_inst_def = new_definition
('PH_B_inst',
 "! (S_fsm_stateA S_fsm_state :sfsm_ty)
    (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
    (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f
     S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
     S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
     S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail
     S_cpu_hist S_piu_fail :bool)
    (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
  PH_B_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1,
             S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs,
             S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
             S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
             S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
             S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
            (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let new_S_soft_shot_del = S_soft_shot in
  let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
  let new_S_delay = s_delay_out in
  let new_S_pmm_fail =
      ((S_fsm_sb /\ ~S_fsm_spmf) => T |
```
$\left(\left(\sim S_{-} f s m_{-} s b \wedge S_{-} f s m_{-} s p m f\right)=>F \mid\right.$
$\left(\left(\sim S \_f s m \_s b \wedge \sim S \_f s m \_s p m f\right) \Longrightarrow\right.$ S_pmm_fail $\mid$ ARB $)$ ) in
let new_S_cpu0_fail =
((S_fsm_sb $\wedge \sim\left(s_{-} c p u O_{-}\right.$ok $V$ Bypass)) $)=T$ I
$\left(\left(\sim S_{\_}\right.\right.$fsm_sb $\wedge$ (s_cpu0_ok $\vee$ Bypass $\left.)\right)=>$ F 1
$\left(\left(-S \_f s m \_s b \wedge \sim\left(s \_c p u 0 \_o k V\right.\right.\right.$ Bypass $\left.)\right)=>S_{\_}$cpu0_fail | ARB) )) in
let new_S_cpul_fail =
((S_fsm_sb $\wedge \sim\left(s_{-} c p u l \_\right.$ok $\vee$ Bypass)) $)=$ T I
$\left(\left(-S \_\right.\right.$fsm_sb $\wedge$ (s_cpul_ok $\vee$ Bypass)) $)=>$ F $\mid$
$\left(\left(-S_{-} f s m_{1}\right.\right.$ sb $\wedge$-(s_cpul_ok $\vee$ Bypass $\left.)\right)=>S_{\text {_ }}$ cpul_fail $\left.\left.\mid A R B\right)\right)$ ) in
let new_S_piu_fail =
((S_fsm_sb $\left.\wedge \sim\left(S \_f s m \_s p f \vee B y p a s s\right)\right)=>T \mid$
$\left(\left(-S \_f s m_{-} s b \wedge\right.\right.$ (S_fsm_spf $V$ Bypass $\left.)\right)=$ F $^{( }$

let s_cpu0_select $=\left(\left(S_{-} f s m_{-}\right.\right.$sn $V S_{-}$fsm_so $) \wedge \sim n e w \_S \_c p u 0_{-}$fail $)$in
let s_cpul_select $=\left(\left(S_{-}\right.\right.$fsm_sn $\vee$ S_fsm_so $) \wedge$ new_S_cpu0_fail $\wedge \sim$ new_S_cpul_fail $)$ in
let new_S_bad_cpu0 $=$
( $($ S_fsm_sb $\wedge-$ s_cpu0_select) $)=>$ T $\mid$
(( $\sim S_{-}$fsm_sb $\cap$ s_cpu0_select) $\Rightarrow \mathrm{FI}$
(( $\left(S_{-}\right.$fsm_sb $\cap \sim$ s_cpu0_select) $)$ > S_bad_cpu0 ( ARB)) ) in
let new_S_bad_cpul =
((S_fsm_sb $\wedge$-s_cpul_select) $\Rightarrow$ T 1
( (-S_fsm_sb $\wedge$ s_cpul_select) $\Rightarrow$ F $\mid$
(( S_fsm_sb $\wedge$-s_cpul_select) $\Rightarrow>$ S_bad_cpul | ARB)) in

```
let new_S_reset_cpu0 = (new_S_bad_cpu0 ^ S_fsm_sr00) in
let new_S_reset_cpul = (new_S_bad_cpul ^ S_fsm_srcl) in
let new_S_cpu_hist = S_cpu_histA in
let new_S_fsm_state = S_fsm_stateA in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) l (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail ^ new_S_cpul_fail) in
let new_S_fsm_bypass = Bypass in
let new_S_fsm_stateA = S_fsm_stateA in
let new_S_fsm_sn = S_fsm_sn in
let new_S_fsm_so = S_fsm_so in
let new_S_fsm_srcp = S_fsm_srep in
let new_S_fsm_sdi = S_fsm_sdi in
let new_S_fsm_srp = S_fsm_srp in
let new_S_fsm_src0 = S_fsm_src0 in
let new_S_fsm_srcl = S_fsm_srcl in
let new_S_fsm_spf = S_fsm_spf in
let new_S_fsm_scOf = S_fsm_scOf in
let new_S_fsm_sclf = S_fsm_sclf in
let new_S_fsm_spmf = S_fsm_spmf in
let new_S_fsm_sb = S_fsm_sb in
let new_S_fsm_src = S_fsm_src in
let new_S_fsm_sec = S_fsm_sec in
let new_S_fsm_srs = S_fsm_srs in
let new_S_fsm_scs = S_fsm_scs in
let new_S_soft_shot = S_soft_shot in
let new_S_soft_shot_delA = S_soft_shot_delA in
let new_S_soft_cntA = S_soft_cntA in
let new_S_delayA = S_delayA in
let new_S_instart = S_instart in
let new_S_cpu_histA = S_cpu_histA in
```

(new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_stp, new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_scof, new_S_fsm_sclf, new_S_fsm_spmf, new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot, new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA, new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0, new_S_reset_cpul, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpul_fail, new_S_cpu_hist, new_S_piu_fail)" );:

## 

```
let \(\mathrm{PH}_{\mathbf{B}}\) B_out_def = new_definition
('PH_B_out',
    "! (S_fsm_stateA S_fsm_state :sfsm_ty)
        (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
        (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_srco S_fsm_srcl S_fsm_spf S_fsm_scof
        S_fsm_sclf S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA
        S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
        S_soft_shot_del S_bad_cpu0 S_bad_cpul S_reset_cpu0 S_reset_cpul S_pmm_fail S_cpu0_fail S_cpu1_fail
```


## S_cpu_hist S_piu_fail :bool)

(ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_Failurel_:bool).
 S_fsm_spf, S_fsm_scof, S_fsm_sclf, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA, S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpul, S_reset_cpu0, S_reset_cpu1, S_pmm_fail, S_cpu0_fail, S_cpul_fail, S_cpu_hist, S_piu_fail) (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failurel_) =
let s_soft_cnt_out $=\left(\left(S_{-}\right.\right.$soft_shot $\wedge \sim S_{-}$soft_shot_deLA $)=>($INCN 2 S_soft_cntA $) \mid$ S_soft_cntA $)$ in let s_delay_out $=\left(\left(\mathbf{S} \_f s m \_s e c\right) \Rightarrow(\mathbb{N C N} 17\right.$ S_delayA $) \mid$ S_delayA $)$ in
let s_cpu0_ok $=\left(S_{-}\right.$fsm_sc0f $\wedge$ Failure0_ $\wedge\left(s_{\_}\right.$soft_cnt_out $=($WORDN 5$\left.)\right)$ ) in
let s_cpul_ok $=\left(S_{-}\right.$fsm_sclf $\wedge$ Failure $1_{-} \wedge\left(s_{-}\right.$soft_cnt_out $=($WORDN 5) $)$) in
let new_S_soft_shot_del = S_soft_shot in
let new_S_soft_cnt $=((\sim$ Gerh $\wedge \sim$ Gcrl $)=>($ WORDN 0$) \mid$ s_soft_cnt_out $)$ in
let new_S_delay $=$ s_delay_out in
let new_S_pmm_fail =
( $\left(S_{-} \_\right.$fsm_sb $\wedge-S_{-}$fsm_spmf) $\Rightarrow \mathrm{T} \mid$
$\left(\left(-S_{-} f s m_{-}\right.\right.$sb $\wedge S_{-}$fsm_spmf) $\Rightarrow \mathrm{F} \mid$
$\left(\left(-S \_f s m \_s b \wedge-S \_\right.\right.$fsm_spmf) $=>$S_pmm_fail | ARB $\left.)\right)$) in
let new_S_cpuo_fail =
$\left(\left(S \_\right.\right.$fsm_sb $\wedge \sim\left(s_{-} c p u 0_{0}\right.$ ok $V$ Bypass $\left.)\right)=>T$ I
$\left(\left(-S \_f s m \_\right.\right.$sb $\wedge($ s_cpu0_ok $\vee$ Bypass $\left.)\right)=F$ F
$\left(\left(\sim S_{-} f s m_{-}\right.\right.$sb $\wedge \sim\left(s_{-} c p u 0^{\prime}\right.$ ok $\vee$ Bypass $\left.)\right)=>S_{-} c p u 0_{-}$fail $\mid$ARB $\left.)\right)$) in
let new_S_cpu1_fail =
((S_fsm_sb $\wedge \sim\left(s_{-}\right.$cpul_ok $\vee$ Bypass)) $)>\mathrm{T} \mid$
(( $\sim S_{-}$fsm_sb $\wedge$ (s_cpu1_ok $\vee$ Bypass)) $\Rightarrow \mathrm{F} \mid$
$((\sim$ S_fsm_sb $\wedge \sim($ s_cpu1_ok V Bypass $))=>$ S_cpu1_fail | ARB)) ) in
let new_S_piu_fail =
((S_fsm_sb $\wedge \sim\left(S_{-} f s m \_\right.$spf $\vee$ Bypass)) $)=>T \mid$
$\left(\left(\sim S_{-} f s m_{-}\right.\right.$sb $\wedge\left(S_{-} f s m_{\_}\right.$spf $\vee$ Bypass $\left.)\right) \Rightarrow F I$
$\left(\left(\sim S \_f s m_{-} s b \wedge \sim\left(S_{-} f s m_{-}\right.\right.\right.$spf $\vee$ Bypass $\left.)\right) \Rightarrow S_{\text {_piu_fail I ARB) })) \text { in }}$
let s_cpu0_select $=\left(\left(S_{-} f s m \_s n \vee S_{-} f s m_{-} s o\right) \wedge \sim n e w_{-} S_{-} c p u 0_{-} f a i l\right)$ in
let s_cpul_select $=\left(\left(S_{-} f s m \_s n \vee S \_f s m \_s o\right) \wedge\right.$ new_S_cpu0_fail $\left.\wedge \sim n e w \_S \_c p u 1 \_f a i l\right)$ in
let new_S_bad_cpu0 =

( $\left(-S_{-}\right.$fsm_sb $\wedge$ s_cpu0_select) $\Rightarrow$ F FI
$\left(\left(-S \_\right.\right.$fsm_sb $\wedge \sim$ s_cpu0_select) $)=$ S_bad_cpu0 $\left.\left.\mid A R B\right)\right)$ ) in
let new_S_bad_cpul =
((S_fsm_sb $\wedge \sim$ s_cpul_select $)^{\text {s }}$ T |
$\left(\left(\sim S \_f s m \_\right.\right.$sb $\wedge$ s_cpu1_select) $\Rightarrow F \mid$
$\left(\left(\sim S \_f s m \_\right.\right.$sb $\wedge \sim s_{-}$cpul_select) $\Rightarrow$ S_bad_cpul | ARB)) ) in
let new_S_reset_cpu0 $=\left(\right.$ new_S_bad_cpu0 $\wedge S_{-}$fsm_stc0) in
let new_S_reset_cpul $=$ (new_S_bad_cpul $\wedge$ S_fsm_stcl) in
let new_S_cpu_hist = S_cpu_histA in
let new_S_fsm_state = S_fsm_state $A$ in
let new_S_fsm_rst $=$ Rst in
let new_S_fsm_delay6 $=$ (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay $17=(($ Test $) \Rightarrow($ ELEMENT s_delay_out (6)) ) (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad $=($ new_S_cpu0_fail $\wedge$ new_S_cpu1_fail $)$ in
let new_S_fsm_bypass $=$ Bypass in
let new_S_fsm_stateA $=$ S_fsm_stateA in
let new_S_fsm_sn = S_fsm_sn in

```
    let new_S_fsm_so = S_fsm_so in
    let new_S_fsm_srcp = S_fsm_srcp in
    let new_S_fsm_sdi = S_fsm_sdi in
    let new_S_fsm_srp = S_fsm_srp in
    let new_S_fsm_src0 = S_fsm_src0 in
    let new_S_fsm_srcl = S_fsm_srcl in
    let new_S_fsm_spf = S_fsm_spf in
    let new_S_fsm_scOf = S_fsm_scOf in
    let new_S_fsm_sclf = S_fsm_sclf in
    let new_S_fsm_spmf = S_fsm_spmf in
    let new_S_fsm_sb = S_fsm_sb in
    let new_S_fsm_src = S_fsm_src in
    let new_S_fsm_sec = S_fsm_sec in
    let new_S_fsm_srs = S_fsm_srs in
    let new_S_fsm_scs = S_fsm_sce in
    let new_S_soft_shot = S_soft_shot in
    let new_S_soft_shot_delA = S_soft_shot_delA in
    let new_S_soft_cntA = S_soft_cntA in
    let new_S_delayA = S_delayA in
    let new_S_instart = S_instart in
    let new_S_cpu_histA = S_cpu_histA in
    let ss0=(ALTER ARBN (0) ((new_S_fsm_stateA = SS)V (new_S_fsm_stateA = SSTOP)
        V(new_S_fsm_stateA = SCS) V (new_S_fsm_stateA = SN)
        V(new_S_fsm_stateA = SO))) in
    let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SCOF)V (new_S_fsm_stateA = ST)
        V (new_S_fsm_stateA = SCII) V (new_S_fsm_stateA = SC1F)
        V (new_S_fsm_stateA = SS)V (new_S_fsm_stateA = SSTOP)
        V (new_S_fsm_stateA = SCS)) in
    let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) V (new_S_fsm_stateA = SCOI)
        V (new_S_fsm_stateA = SCOF) V (new_S_fsm_stateA = ST)
        V (new_S_fsm_stateA = SSTOP) V (new_S_fsm_stateA = SO)) ) in
    let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA)V (new_S_fsm_stateA = SPF)
        V (new_S_fsm_stateA = ST) V (new_S_fsm_stateA = SC1I)
        V (new_S_fsm_stateA = SCS) V (new_S_fsm_stateA = SN)
        V(new_S_fsm_stateA = SO))}\mathrm{ ) in
    let S_state = ss3 in
    let Reset_cport = new_S_fsm_srcp in
    let Disable_int = (~new_S_instart }\Lambda~(new_S_fsm_sn ^(ELEMENT s_delay_out (6))) \ new_S_fsm_sdi) in
    let Reset_piu = new_S_fsm_srp in
    let Reset_cpu0 = new_S_reset_cpu0 in
    let Reset_cpul = new_S_reset_cpul in
    let Cpu_hist = new_S_cpu_hist in
    let Piu_fail = new_S_piu_fail in
    let Cpu0_fail = new_S_cpu0_fail in
    let Cpu1_fail = new_S_cpu1_fail in
    let Pmm_fail = new_S_pmm_fail in
    (S_state,Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail,
    Cpu1_fail, Pmm_fail)"
);
```

close_theory();;

## Appendix D ML Source for the Clock-Level Specification of the PIU Ports.

This appendix contains the HOL models for the clock-level specification for the PIU ports. The ports are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

## D.1 P_Port Specification



```
%
 File:    p_clock1.ml

 Author:  (c) D.A. Fura 1992
 Date:    31 March 1992

 This file contains the ml source for the clock-level specification of the P-Port of the FTEP PIU,
 an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk
 of this code was translated from an M-language simulation program using a translator written by
 P.J. Windley at the University of Idaho.
%
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm p_clock1.th';;

new_theory 'p_clock1';;

map new_parent ['paux_def';'aux_def';'array_def';'wordn_def'];;

let pc_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool)";;
let pc_state = "((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                 P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
                :^pc_state_ty)";;
let pc_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#wordn#bool#bool#bool)";;
let pc_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :^pc_env_ty)";;
let pc_out_ty = ":(wordn#bool#wordn#wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool)";;
let pc_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
                I_mrdy_, I_last_, I_hlda_, I_lock_)
              :^pc_out_ty)";;
%
 Next-state definition for EXEC instruction.
%
let pEXEC_inst_def = new_definition
 ('pEXEC_inst',
  "! (P_fsm_state :pfsm_ty)
     (P_addr P_be_ P_size :wordn)
     (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
      P_lock_inh_ P_male_ P_rale_ :bool)
     (L_ad_in L_be_ I_ad_in :wordn)
     (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
   pEXEC_inst (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
               P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
              (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_,
               I_srdy_) =
   let new_P_fsm_state =
     ((P_fsm_rst) => PA |
      ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
       ((P_fsm_state = PA) =>
          (((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
           ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
        ((P_fsm_state = PD) =>
           (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
            ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
   let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
   let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
   let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
   let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
   let new_P_size =
     ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
      ((P_down) => (DECN 1 P_size) | P_size)) in
   let p_ale = (~L_ads_ /\ L_den_) in
   let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
   let new_P_rqt =
     ((p_ale /\ ~(p_sack \/ Rst)) => T |
      ((~p_ale /\ (p_sack \/ Rst)) => F |
       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
   let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
   let new_P_male_ = ((new_P_fsm_state = PA) =>
       ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
   let new_P_rale_ = ((new_P_fsm_state = PA) =>
       ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
   let new_P_lock_ =
     ((Rst) => T |
      ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
   let new_P_lock_inh_ =
     ((Rst) => T |
      ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
   let new_P_fsm_rst = Rst in
   let new_P_fsm_sack = p_sack in
   let new_P_fsm_cgnt_ = I_cgnt_ in
   let new_P_fsm_hold_ = I_hold_ in
   (new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
    new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
    new_P_male_, new_P_rale_)"
 );;
%
 Output definition for EXEC instruction.
%
let pEXEC_out_def = new_definition
 ('pEXEC_out',
  "! (P_fsm_state :pfsm_ty)
     (P_addr P_be_ P_size :wordn)
     (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
      P_lock_inh_ P_male_ P_rale_ :bool)
     (L_ad_in L_be_ I_ad_in :wordn)
     (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
   pEXEC_out (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
              P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
             (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_,
              I_srdy_) =
   let new_P_fsm_state =
     ((P_fsm_rst) => PA |
      ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
       ((P_fsm_state = PA) =>
          (((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
           ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
        ((P_fsm_state = PD) =>
           (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
            ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
   let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
   let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
   let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
   let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
   let new_P_size =
     ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
      ((P_down) => (DECN 1 P_size) | P_size)) in
   let p_ale = (~L_ads_ /\ L_den_) in
   let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
   let new_P_rqt =
     ((p_ale /\ ~(p_sack \/ Rst)) => T |
      ((~p_ale /\ (p_sack \/ Rst)) => F |
       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
   let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
   let new_P_male_ = ((new_P_fsm_state = PA) =>
       ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
   let new_P_rale_ = ((new_P_fsm_state = PA) =>
       ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
   let new_P_lock_ =
     ((Rst) => T |
      ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
   let new_P_lock_inh_ =
     ((Rst) => T |
      ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
   let new_P_fsm_rst = Rst in
   let new_P_fsm_sack = p_sack in
   let new_P_fsm_cgnt_ = I_cgnt_ in
   let new_P_fsm_hold_ = I_hold_ in
   let L_ad_out = (((~(new_P_fsm_state = PA))
                    /\ (~(new_P_fsm_state = PH))
                    /\ ~((new_P_fsm_state = PD) /\ new_P_wr)) => I_ad_in | ARBN) in
   let L_ready_ = (~(~I_srdy_ /\ (new_P_fsm_state = PD))) in
   let od0 = ARBN in
   let od1 = (MALTER od0 (31,27) new_P_be_) in
   let od2 = (ALTER od1 (26) F) in
   let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
   let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
   let I_ad_addr_out = ((new_P_fsm_state = PA) => od4 | ARBN) in
   let I_ad_data_out = (((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in | ARBN) in
   let I_be_ = ((~(new_P_fsm_state = PH)) => ((new_P_fsm_state = PA) => new_P_be_ | L_be_) | ARBN) in
   let I_rale_ = ((~(new_P_fsm_state = PH)) =>
       ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA)
         /\ new_P_rqt) | ARB) in
   let I_male_ = ((~(new_P_fsm_state = PH)) =>
       ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA)
         /\ new_P_rqt) | ARB) in
   let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
   let I_cale_ = ~(~I_cgnt_ /\ (new_P_fsm_state = PA) /\ I_hold_) in
   let I_mrdy_ = ((~(new_P_fsm_state = PH)) => F | ARB) in
   let I_last_ = ((~(new_P_fsm_state = PH)) => (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | ARB) in
   let I_hlda_ = ~(new_P_fsm_state = PH) in
   let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
   (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_, I_mrdy_,
    I_last_, I_hlda_, I_lock_)"
 );;

close_theory();;
```
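An executable model of the P-Port control FSM specified above, added here as an illustration and not part of the HOL source: it transcribes new_P_fsm_state, the P_size/P_down counter, p_ale/p_sack and new_P_rqt from pEXEC_inst into Python, simulates a CPU access to local memory, and checks exhaustively that no legal state steps into P_ILL and that P_fsm_rst always returns the port to PA. The PState/PEnv records and the sample bus cycles are constructed for the example.

```python
"""Executable model of the FTEP PIU P-Port control FSM (pEXEC_inst).

Added example, not part of the original HOL source: it transcribes the
new_P_fsm_state, P_size/P_down, p_ale/p_sack and new_P_rqt equations so a
transaction can be simulated and two FSM properties checked exhaustively.
Names ending in '_' are active-low, as in the HOL source.
"""
from dataclasses import dataclass
from itertools import product

PA, PD, PH, P_ILL = "PA", "PD", "PH", "P_ILL"   # values of pfsm_ty
LEGAL_STATES = (PA, PD, PH)


def next_p_fsm_state(state, fsm_rst, fsm_hold_, fsm_cgnt_, fsm_sack, rqt, dest1, lock_):
    """new_P_fsm_state: reset dominates, then one case per current state."""
    if fsm_rst:
        return PA                                    # reset always returns to idle
    if state == PH:                                  # bus held until I_hold_ is released
        return PH if not fsm_hold_ else PA
    if state == PA:                                  # idle / address phase
        if (rqt and not dest1) or (rqt and dest1 and not fsm_cgnt_):
            return PD                                # local access, or C_Bus access once granted
        return PH if (not fsm_hold_ and lock_) else PA   # hold is honoured only when unlocked
    if state == PD:                                  # data phase, left on slave acknowledge
        if (fsm_sack and fsm_hold_) or (fsm_sack and not fsm_hold_ and not lock_):
            return PA
        return PH if (fsm_sack and not fsm_hold_ and lock_) else PD
    return P_ILL


@dataclass(frozen=True)
class PState:
    """The fields of pc_state_ty that drive the FSM; the rest are omitted."""
    fsm_state: str = PA
    fsm_rst: bool = False
    fsm_sack: bool = False
    fsm_cgnt_: bool = True
    fsm_hold_: bool = True
    rqt: bool = False
    size: int = 0          # 2-bit transfer length, SUBARRAY L_ad_in (1,0)
    down: bool = False
    lock_: bool = True
    dest1: bool = False    # ELEMENT L_ad_in (31): 1 selects the C_Bus


@dataclass(frozen=True)
class PEnv:
    """The fields of pc_env_ty used here; defaults are an idle local bus."""
    Rst: bool = False
    L_ad_in: int = 0
    L_ads_: bool = True
    L_den_: bool = False
    L_lock_: bool = True
    I_cgnt_: bool = True
    I_hold_: bool = True
    I_srdy_: bool = True


def p_step(s: PState, e: PEnv) -> PState:
    """One clock cycle of pEXEC_inst for the modelled fields."""
    ns = next_p_fsm_state(s.fsm_state, s.fsm_rst, s.fsm_hold_, s.fsm_cgnt_,
                          s.fsm_sack, s.rqt, s.dest1, s.lock_)
    new_dest1 = bool((e.L_ad_in >> 31) & 1) if not s.rqt else s.dest1   # latched while idle
    new_size = (e.L_ad_in & 3) if not s.rqt else ((s.size - 1) & 3 if s.down else s.size)
    p_ale = (not e.L_ads_) and e.L_den_                    # local address latch enable
    p_sack = (s.size == (1 if s.down else 0)) and (not e.I_srdy_) and ns == PD  # last word taken
    if p_ale and not (p_sack or e.Rst):
        new_rqt = True
    elif not p_ale and (p_sack or e.Rst):
        new_rqt = False
    elif not p_ale and not (p_sack or e.Rst):
        new_rqt = s.rqt
    else:                                                  # ARB in the specification
        raise ValueError("new_P_rqt is unspecified when p_ale and p_sack/Rst coincide")
    new_down = (not e.I_srdy_) and ns == PD
    new_lock_ = True if e.Rst else (e.L_lock_ if ns == PD else s.lock_)
    return PState(ns, e.Rst, p_sack, e.I_cgnt_, e.I_hold_, new_rqt,
                  new_size, new_down, new_lock_, new_dest1)


def run_trace(envs, s=PState()):
    """Apply a sequence of bus cycles; return the FSM state entered on each."""
    states = []
    for e in envs:
        s = p_step(s, e)
        states.append(s.fsm_state)
    return states


def local_transfer_trace(words):
    """Constructed CPU access to local memory (bit 31 clear) of 1..4 data words."""
    ale = PEnv(L_ad_in=words - 1, L_ads_=False, L_den_=True)   # address cycle
    data = PEnv(I_srdy_=False)                                 # slave ready every cycle
    return run_trace([ale] + [data] * words + [PEnv()])


def illegal_state_reachable():
    """Exhaustive check: no legal state and input combination steps to P_ILL."""
    return any(next_p_fsm_state(st, *bits) == P_ILL
               for st in LEGAL_STATES for bits in product((False, True), repeat=7))


def reset_forces_idle():
    """Exhaustive check: with P_fsm_rst set, every state (even P_ILL) steps to PA."""
    return all(next_p_fsm_state(st, True, *bits) == PA
               for st in LEGAL_STATES + (P_ILL,) for bits in product((False, True), repeat=6))
```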


## D.2 M_Port Specification

$\%$

File: $\quad$ m_clock $1 . m 1$

Author: $\quad$ (c) D.A. Fura 1992

Date: 31 March 1992

This file contains the ml source for the clock-level specification of the M-Port of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of this code was translated from an $M$-language simulation program using a translator written by P.J. Windley at the University of Idaho.

```
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piw/hol/lib/`]);:
system 'rm m_clock1.th';:
new_theory 'm_clockl';;
loadf 'abstract';;
map new_parent ['maux_def';'aux_def';'array_def';'wordn_def`];;
let mc_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#bool#boo|#wordn#wordn#bool#bool#bool"wordn#wordn)";;
let mc_state = "((M_fsm_state, M_fsm_male_, M_fsm_last,, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
                    M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
    :^mc_state_ty)";;
let mc_env_ty = ":(bool#bool#bool*bool"bool#wordn"bool#bool#wordn#bool#wordn#bool#bool)";;
let mc_env = "((ClKA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male, I_last_, I_be_,
    I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
    :^mc_env_ty)";
let mc_out_ty = ":(wordn"bool#wordn#wordn#bool"bool#bool#bool#bool)";;
let mc_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)
    :^mc_out_ty)';
let rep_ty = abstract_type 'aux_def' 'Andn`;;
%
    Next-state definition for EXEC instruction.
let mEXEC_inst_def = new_definition
('mEXEC_inst'.
    "!(M_fsm_state :mfsm_ty)
        (M_count M_addr M_be M_rd_data M_detect :wordn)
        (M_fsm_male_M_fsm_last_ M_fsm_mrdy_M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
        (I_ad_in I_be_MB_data_in :wordn)
```

(ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_I_mrdy_ Edac_en_Reset_parity :bool) (rep:^rep_ty).
mEXEC_inst (M_fsm_state, M_fsm_male_, M_fsm_last, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
(CIkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
rep $=$
let $m_{-} b w=\left(\left(\sim\left(M_{-} b e=(\right.\right.\right.$ WORDN 15$\left.\left.)\right)\right) \wedge M_{-} w T \wedge\left(\sim\left(M_{-}\right.\right.$fsm_state $\left.\left.\left.=M I\right)\right)\right)$ in
let $m_{-} w w=\left(\left(M_{-} b e=(\right.\right.$ WORDN 15$\left.)\right) \wedge M_{-} w T \wedge\left(\sim\left(M_{-}\right.\right.$fsm_state $\left.\left.=M D\right)\right)$ in
let new_M_fsm_state =
( $\mathrm{M}_{-}$fsm_rst) $=>$MII
$\left(\left(M_{-}\right.\right.$fsm_state $\left.=\mathbf{M I}\right)=>\left(\left(\sim M_{-}\right.\right.$fsm_male_) $\left.)=>\mathrm{MA}^{\prime} \mid \mathrm{MI}\right) \mid$
$\left(\left(M_{\_}\right.\right.$fsm_state $=$MA $)=>$
$\left(\left(\sim M_{-}\right.\right.$fsm_mrdy_ $\left.\wedge_{m_{-}} w w\right) \Rightarrow M W$ I
$\left(\left(\sim M_{-} f s m_{-} m r d y_{-} \wedge\left(\left(\sim M_{-} w r \wedge\left(\sim\left(M_{-} f s m_{-}\right.\right.\right.\right.\right.\right.$state $\left.\left.\left.\left.\left.\left.\left.=M D\right)\right)\right) \vee m_{-} b w\right)\right) \Rightarrow M R^{\prime} \mid M A\right)\right) \mid$
$\left(\left(M_{-}\right.\right.$fsm_state $\left.=M R\right) \Rightarrow$
$\left(\left(m_{-}\right.\right.$bw $\wedge\left(M_{-}\right.$count $=($WORDN 0$\left.\left.)\right)\right)=>$ MBW I
$\left(\left(M_{-}\right.\right.$fsm_last_ $\wedge \sim M_{-}$wr $\wedge\left(\sim\left(M_{-}\right.\right.$fsm_state $\left.\left.=M I\right)\right) \wedge\left(M_{-}\right.$count $=($WORDN 0$\left.\left.)\right)\right)=$ MA $^{\text {I }}$
$\left(\left(\sim M_{-}\right.\right.$fsm_last_ $\wedge \sim M_{-} w \mathbb{} \wedge\left(-\left(\mathbf{M}_{-}\right.\right.$fsm_state $\left.\left.=\mathbf{M I}\right)\right) \wedge\left(\mathbf{M}_{-}\right.$count $=($WORDN 0$\left.\left.\left.\left.\left.)\right)\right) \Rightarrow \operatorname{MRR} \mid M R\right)\right)\right) \mid$
((M_fsm_state $=$ MRR) $\Rightarrow$ MI
$\left(\left(M_{\text {_fsm_state }}=\mathbf{M W}\right) \Rightarrow\right.$
$\left(\left(\sim M_{-}\right.\right.$fsm_last_ $\wedge\left(M_{-}\right.$count $=($WORDN 0$\left.\left.)\right)\right)=>$ MI I
$\left(\left(M_{-}\right.\right.$fsm_last_ $\wedge\left(M_{-}\right.$count $=($WORDN 0$\left.\left.)\right)\right)=>$ MA $\left.\left.\mid M W\right)\right) \mid$
$\left(\left(M_{-} f s m_{-}\right.\right.$state $\left.\left.\left.\left.\left.\left.\left.=M B W\right) \Rightarrow M W \mid M_{-} I L L\right)\right)\right)\right)\right)\right)$ in
let new_M_se $=\left(\left(-I_{-}\right.\right.$male_ $) \Rightarrow(E L E M E N T$ I_ad_in (23)) $)$ M_se) in
let new_M_wr $=\left((\sim\right.$ I_male_) $) \Rightarrow$ (ELEMENT I_ad_in (27)) $\left.\mid M_{-} w r\right)$ in
let new_M_addr =
$((-$ I_male_) $)=>$ (SUBARRAY I_ad_in $(18,0)) \mid$
((M_rdy) $\Rightarrow$ ( (NCN 18 M_addr) $\mid M_{-}$addr) $)$in
let new_M_count =
$((($ new_M_fsm_state $=$ MA $) V($ new_M_fsm_state $=$ MBW $)) \Rightarrow(($ new_M_se $) \Rightarrow($ WORDN 1$) \mid($ WORDN 2$)) \mid$
$\left(((\right.$ new_M_fsm_state $=M W) V($ new_M_fsm_state $=M R)) \Rightarrow\left(D E C N 2 M_{-}\right.$count $) \mid M_{-}$count $\left.)\right)$in
let $m_{-}$rdy $=((($new_M_fsm_state $=$MW $) \wedge($ new_M_count $=($ WORDN 0) $))$
$V(($ new_M_fsm_state $=M R) \wedge($ new_M_count $=($ WORDN 0$)) \wedge \sim$ new_M_wr $))$ in

let new_M_be $=\left(\left(-I_{-}\right.\right.$male_ $V \sim$ m_srdy_ $\left._{-}\right)=>($NOTN 3 I_be_) $) M_{-}$be $)$in
let new_M_rdy $=m \_$rdy in
let new_M_wwdel $=(($ new_M_fsm_state $=M A) \wedge$ new_M_wr $\wedge($ new_M_be $=($ WORDN 15$)))$ in
 let new_M_detect =
 (( $\sim$ Edac_en_) $)$ (Ham_Detl rep MB_data_in) | WORDN 0 ) | M_detect) in
let $m_{-}$error $=\left(\sim m_{-}\right.$srdy_ $\wedge(\sim($ new_M_fsm_state $=\mathbf{M I})) \wedge \operatorname{Ham}$ Det2 rep $($ new_M_detect, - Edac_en_ $)$ in
let new_M_parity =
$((\mathrm{m}$ _error $\wedge \sim($ Rst $\vee$ Reset_parity $)) \Rightarrow T 1$
$((\sim$ m_error $\wedge$ (Rst $\vee$ Reset_parity) $)=>$ FI
$\left(\left(\sim \mathrm{m} \_\right.\right.$error $\wedge \sim($ Rst $V$ Reset_parity $\left.)\right) \Rightarrow M_{1}$ parity $\mid$ ARB $\left.)\right)$ ) in
let new_M_fsm_male_ = I_male_in
let new_M_fsm_last_ = l_last_ in
let new_M_fsm_mrdy_ = I_mrdy_in
let new_M_fsm_rst $=$ Rst in
(new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last, new_M_fsm_mrdy, new_M_fsm_rst, new_M_count,

```
    new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data,
    new_M_detect)"
    j;
%
    Output definition for EXEC instruction.
let mEXEC_out_def = new_definition
('mEXEC_out',
    "! (M_fsm_state :mfsm_ty)
        (M_count M_addr M_be M_rd_data M_detect :wordn)
        (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
        (I_ad_in I_be_ MB_data_in :wordn)
        (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
        (rep :^rep_ty) .
    mEXEC_out (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
        M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
        (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
        I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
        rep =
    let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
    let new_M_fsm_state =
        ((M_fsm_rst) => MI |
        ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
        ((M_fsm_state = MA) =>
        ((~M_fsm_mrdy_ /\ m_ww) => MW |

        ((M_fsm_state = MR) =>
        ((m_bw /\ (M_count = (WORDN 0))) => MBW |
        ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
        ((~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR))) |
        ((M_fsm_state = MRR) => MI |
        ((M_fsm_state = MW) =>
            ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
            ((M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW)) |
        ((M_fsm_state = MBW) => MW | M_ILL))))))) in
    let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
    let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
    let new_M_addr =
        ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
        ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
    let new_M_count =
        (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
        (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
    let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
              \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
    let m_srdy_ = ~((M_rdy /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
    let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
    let new_M_rdy = m_rdy in
    let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
    let new_M_rd_data = ((new_M_fsm_state = MR) => (Ham_Dec rep MB_data_in) | M_rd_data) in
    let new_M_detect =
        ((((new_M_fsm_state = MR) /\ ~new_M_wr) \/ new_M_wr \/ (new_M_fsm_state = MI)) =>
            ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
    let new_M_parity =
        ((m_error /\ ~(Rst \/ Reset_parity)) => T |
        ((~m_error /\ (Rst \/ Reset_parity)) => F |
        ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
    let new_M_fsm_male_ = I_male_ in
    let new_M_fsm_last_ = I_last_ in
    let new_M_fsm_mrdy_ = I_mrdy_ in
    let new_M_fsm_rst = Rst in
    let I_ad_out = ((~new_M_wr /\ (~(new_M_fsm_state = MI))) => M_rd_data | ARBN) in
    let I_srdy_ = ((~(new_M_fsm_state = MI)) => m_srdy_ | ARB) in
    let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in
    let mb_data_7_0 = ((ELEMENT M_be (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY M_rd_data (7,0))) in
    let mb_data_15_8 = ((ELEMENT M_be (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY M_rd_data (15,8))) in
    let mb_data_23_16 = ((ELEMENT M_be (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY M_rd_data (23,16))) in
    let mb_data_31_24 = ((ELEMENT M_be (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY M_rd_data (31,24))) in
    let mb_data = (MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
                                          (15,8) mb_data_15_8)
                                  (23,16) mb_data_23_16)
                          (31,24) mb_data_31_24) in
    let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in
    let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) /\ ~new_M_se) in
    let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) /\ new_M_se) in
    let MB_we_ = ~((new_M_se \/ ~(~(new_M_fsm_state = MI)) \/ ~Disable_eeprom)
                   /\ ~Disable_writes
                   /\ ((new_M_fsm_state = MBW) \/ (new_M_fsm_state = MW) \/ new_M_wwdel)) in
    let MB_oe_ = ~((~new_M_wr /\ (new_M_fsm_state = MA)) \/ (new_M_fsm_state = MR)) in
    let MB_parity = new_M_parity in
    (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
    );;
close_theory();;
```

## D.3 R Port Specification

```
%
    File: r_clock1.ml
    Author: (c) D.A. Fura 1992
    Date: 31 March 1992

    This file contains the ml source for the clock-level specification of the R-Port of the FTEP PIU,
    an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
    The bulk of this code was translated from an M-language simulation program using a translator
    written by P.J. Windley at the University of Idaho.
%
```

```
set_search_path (search_path() @ [`/home/itan3/dfura/ftep/piu/hol/lib/`]);;
system `rm r_clock1.th`;;
new_theory `r_clock1`;;
loadf `abstract`;;
map new_parent [`raux_def`;`aux_def`;`array_def`;`wordn_def`];;

let rc_state_ty = ":(rfsm_ty#bool#bool#bool#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                    wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                    wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                    wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                    bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#bool#
                    bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn)";;
let rc_state = "((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
    R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
    R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
    R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
    R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
    R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
    R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
    R_reg_sel, R_busA_latch)
    :^rc_state_ty)";;

let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                  wordn#wordn#wordn#bool#bool#wordn)";;
let rc_env = "((ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
    :^rc_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;
let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
    :^r_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;
```

```
let rEXEC_inst_def = new_definition
    (`rEXEC_inst`,
     "!(rep :^rep_ty)
      (R_fsm_state :rfsm_ty)
      (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
       R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel
       R_busA_latch :wordn)
      (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
       R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
       R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
       R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
      (ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :bool) .
     rEXEC_inst rep
      (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
       R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
       R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
       R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
       R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
       R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
       R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
       R_reg_sel, R_busA_latch)
      (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
     let new_R_fsm_state =
         ((R_fsm_rst) => RI |
         ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
         ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
         ((~R_fsm_last_) => RI | RA)))) in
     let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
     let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
     let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
     let new_R_cntlatch_del = r_fsm_cntlatch in
     let new_R_srdy_del_ = r_fsm_srdy_ in
     let new_R_reg_sel =
         ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
         ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
     let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
     let r_writeA = (~Disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
     let r_writeB = (~Disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
     let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
     let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
     let r_cir_wr01A = (r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
     let r_cir_wr01B = (r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
     let r_cir_wr23A = (r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
     let r_cir_wr23B = (r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
     let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
     let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
     let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
     let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
     let new_R_c01_cout_del = R_ctr1_cry in
     let new_R_int1_en =
         ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
     let new_R_c23_cout_del = R_ctr3_cry in
     let new_R_int2_en =
         ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
     let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
     let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
     let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
     let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
     let new_R_ctr0_new = ((ELEMENT new_R_gcr (19)) => (INCN 31 R_ctr0) | R_ctr0) in
     let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
     let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
     let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
     let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
     let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
     let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
     let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
     let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
     let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
     let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
     let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
     let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
     let new_R_ctr2_mux_sel = (r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry)) in
     let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
     let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
     let new_R_ctr2_new = ((ELEMENT new_R_gcr (23)) => (INCN 31 R_ctr2) | R_ctr2) in
     let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
     let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
     let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
     let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
     let new_R_ctr3_mux_sel = (r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry)) in
     let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
     let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
     let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
     let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
     let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
     let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
     let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
     let new_R_icr_old =
         ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
     let new_R_icr_mask =
         ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
     let new_R_icr =
         ((R_icr_load) =>
          ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
          R_icr) in
     let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
     let sr28 = (ALTER ARBN (28) MB_parity) in
     let sr28_25 = (MALTER sr28 (27,25) C_ss) in
     let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
     let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
     let sr28_16 = (MALTER sr28_22 (21,16) Id) in
     let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
     let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
     let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
     let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
     let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
     let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
     let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
     let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                      ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                      ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                      ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                      ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                      ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                      ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                      ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
     let new_R_int0_dis = r_int0_en in
     let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                      ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                      ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                      ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                      ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                      ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                      ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                      ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
     let new_R_int3_dis = r_int3_en in
     let new_R_busA_latch =
         ((R_ctr0_irden) => R_ctr0_in |
         ((R_ctr0_orden) => R_ctr0_out |
         ((R_ctr1_irden) => R_ctr1_in |
         ((R_ctr1_orden) => R_ctr1_out |
         ((R_ctr2_irden) => R_ctr2_in |
         ((R_ctr2_orden) => R_ctr2_out |
         ((R_ctr3_irden) => R_ctr3_in |
         ((R_ctr3_orden) => R_ctr3_out |
         ((R_icr_rden) => new_R_icr |
         ((R_ccr_rden) => R_ccr |
         ((R_gcr_rden) => R_gcr |
         ((R_sr_rden) => R_sr | ARB)))))))))))) in
     let new_R_fsm_ale_ = I_rale_ in
     let new_R_fsm_mrdy_ = I_mrdy_ in
     let new_R_fsm_last_ = I_last_ in
     let new_R_fsm_rst = Rst in
     (new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in,
      new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out,
      new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new,
      new_R_ctr1_cry, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2,
      new_R_ctr2_irden, new_R_ctr2_new, new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in,
      new_R_ctr3_mux_sel, new_R_ctr3, new_R_ctr3_irden, new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out,
      new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr_rden, new_R_icr,
      new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden,
      new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
      new_R_wr, new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch)"
    );;
```
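As an added executable model (Python, not part of the report's HOL sources): the R-port bus state machine new_R_fsm_state and the interrupt-enable latches new_R_int1_en / new_R_int2_en from the definition above, clocked through a constructed two-word access. Function and state names mirror the HOL identifiers, a wordn value is modelled as a Python int, ARB is modelled as None, and the strobe sequence is constructed for illustration.

```python
from typing import List, Optional, Tuple

# R-port bus-protocol states, as in rfsm_ty of the specification.
RI, RA, RD = "RI", "RA", "RD"

# Constructed two-word R-port access, one tuple per ClkA cycle:
# (Rst, I_rale_, I_mrdy_, I_last_); strobes ending in "_" are active low.
TWO_WORD_ACCESS: List[Tuple[bool, bool, bool, bool]] = [
    (False, False, True,  True),   # address phase: I_rale_ asserted
    (False, True,  False, True),   # first data word: I_mrdy_ asserted
    (False, True,  True,  True),   # I_last_ still high: another word follows
    (False, True,  False, True),   # second data word
    (False, True,  True,  False),  # I_last_ asserted: this was the last word
    (False, True,  True,  True),   # idle
]


def r_fsm_next(state: str, rst: bool, ale_: bool, mrdy_: bool, last_: bool) -> str:
    """new_R_fsm_state, evaluated on the registered (previous-cycle) strobes."""
    if rst:
        return RI
    if state == RI:
        return RA if not ale_ else RI
    if state == RA:
        return RD if not mrdy_ else RA
    # state == RD: ~R_fsm_last_ ends the access, otherwise back to RA for the next word
    return RI if not last_ else RA


def run_fsm(cycles: List[Tuple[bool, bool, bool, bool]]) -> List[str]:
    """Clock the state machine through a cycle list; return the state after each cycle.

    R_fsm_rst / R_fsm_ale_ / R_fsm_mrdy_ / R_fsm_last_ are the inputs registered in
    the previous cycle (new_R_fsm_ale_ = I_rale_ and so on), so every state update
    reads the copies stored one step earlier; the registers start out inactive.
    """
    state = RI
    rst, ale_, mrdy_, last_ = False, True, True, True
    trace = []
    for cur_rst, cur_ale_, cur_mrdy_, cur_last_ in cycles:
        state = r_fsm_next(state, rst, ale_, mrdy_, last_)
        rst, ale_, mrdy_, last_ = cur_rst, cur_ale_, cur_mrdy_, cur_last_
        trace.append(state)
    return trace


def bit(word: int, n: int) -> bool:
    """ELEMENT word (n): bit n of a wordn value modelled as a Python int."""
    return (word >> n) & 1 == 1


def sr_latch(set_: bool, reset: bool, old: Optional[bool]) -> Optional[bool]:
    """The four-way conditional shared by new_R_int1_en and new_R_int2_en.

    set /\\ ~reset -> T, ~set /\\ reset -> F, neither -> hold the old value,
    both -> ARB, i.e. the specification leaves the result unconstrained (None here).
    """
    if set_ and not reset:
        return True
    if not set_ and reset:
        return False
    if not set_ and not reset:
        return old
    return None


def new_int1_en(gcr: int, cir_wr01B: bool, ctr1_cry: bool,
                c01_cout_del: bool, old: Optional[bool]) -> Optional[bool]:
    """new_R_int1_en for one cycle; gcr is new_R_gcr, the other arguments the named flags."""
    # set:   gcr(18) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ gcr(16)))
    set_ = bit(gcr, 18) and (cir_wr01B or (ctr1_cry and bit(gcr, 16)))
    # reset: ~gcr(18) \/ (gcr(17) /\ R_c01_cout_del)
    reset = (not bit(gcr, 18)) or (bit(gcr, 17) and c01_cout_del)
    return sr_latch(set_, reset, old)


def new_int2_en(gcr: int, cir_wr23B: bool, ctr3_cry: bool,
                c23_cout_del: bool, old: Optional[bool]) -> Optional[bool]:
    """new_R_int2_en: the same latch on gcr bits 22/21/20 and the counter-2/3 flags."""
    set_ = bit(gcr, 22) and (cir_wr23B or (ctr3_cry and bit(gcr, 20)))
    reset = (not bit(gcr, 22)) or (bit(gcr, 21) and c23_cout_del)
    return sr_latch(set_, reset, old)


if __name__ == "__main__":
    print("FSM trace:", run_fsm(TWO_WORD_ACCESS))
    conflict = (1 << 18) | (1 << 17) | (1 << 16)
    print("set and reset together:", new_int1_en(conflict, True, False, True, False))
```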

```
% Output definition for EXEC instruction. %
let rEXEC_out_def = new_definition
    (`rEXEC_out`,
     "!(rep :^rep_ty)
      (R_fsm_state :rfsm_ty)
      (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
       R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel
       R_busA_latch :wordn)
      (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
       R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
       R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
       R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
      (ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail CB_parity MB_parity :bool) .
     rEXEC_out rep
      (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
       R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
       R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
       R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
       R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
       R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
       R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
       R_reg_sel, R_busA_latch)
      (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
     let new_R_fsm_state =
         ((R_fsm_rst) => RI |
         ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
         ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
         ((~R_fsm_last_) => RI | RA)))) in
     let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
     let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
     let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
     let new_R_cntlatch_del = r_fsm_cntlatch in
     let new_R_srdy_del_ = r_fsm_srdy_ in
     let new_R_reg_sel =
         ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
         ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
     let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
     let r_writeA = (~Disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
     let r_writeB = (~Disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
     let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
     let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
     let r_cir_wr01A = (r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
     let r_cir_wr01B = (r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9)))) in
     let r_cir_wr23A = (r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
     let r_cir_wr23B = (r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11)))) in
     let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
     let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
     let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
     let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
     let new_R_c01_cout_del = R_ctr1_cry in
     let new_R_int1_en =
         ((((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
         ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
           ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => R_int1_en | ARB))) in
     let new_R_c23_cout_del = R_ctr3_cry in
     let new_R_int2_en =
         ((((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
         ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
           ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
     let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
     let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
     let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in
     let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
     let new_R_ctr0_new = ((ELEMENT new_R_gcr (19)) => (INCN 31 R_ctr0) | R_ctr0) in
     let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
     let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
     let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
     let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
     let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
     let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
     let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
     let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
     let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
     let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
     let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
     let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
     let new_R_ctr2_mux_sel = (r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry)) in
     let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
     let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
     let new_R_ctr2_new = ((ELEMENT new_R_gcr (23)) => (INCN 31 R_ctr2) | R_ctr2) in
     let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
     let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
     let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
     let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
     let new_R_ctr3_mux_sel = (r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry)) in
     let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
     let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
     let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
     let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
     let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
     let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
     let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
     let new_R_icr_old =
         ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
     let new_R_icr_mask =
         ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
     let new_R_icr =
         ((R_icr_load) =>
          ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
          R_icr) in
     let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
     let sr28 = (ALTER ARBN (28) MB_parity) in
     let sr28_25 = (MALTER sr28 (27,25) C_ss) in
     let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
     let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
     let sr28_16 = (MALTER sr28_22 (21,16) Id) in
     let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
     let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
     let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
     let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
     let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
     let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
     let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
     let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                      ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                      ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                      ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                      ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                      ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                      ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                      ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
     let new_R_int0_dis = r_int0_en in
     let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                      ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                      ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                      ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                      ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                      ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                      ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                      ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
     let new_R_int3_dis = r_int3_en in
     let new_R_busA_latch =
         ((R_ctr0_irden) => R_ctr0_in |
         ((R_ctr0_orden) => R_ctr0_out |
         ((R_ctr1_irden) => R_ctr1_in |
         ((R_ctr1_orden) => R_ctr1_out |
         ((R_ctr2_irden) => R_ctr2_in |
         ((R_ctr2_orden) => R_ctr2_out |
         ((R_ctr3_irden) => R_ctr3_in |
    ((R_ctr3_orden) => R_ctr3_out I
    ((R_icr_rden) => new_R_icr I
    ((R_ccr_rden) => R_cer I
    ((R_gcr_rden) => R_gcr l
    ((R_sr_rden) => R_sr ( ARB ))))))))))})\mathrm{ ) in
let new_R_fsm_ale_= I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_in
let new_R_fsm_last_= I_last_ in
let new_R_fsm_rst = Rst in
let I_ad_out =((~R_wr ^((new_R_fsm_state = RA) V (new_R_fsm_state = RD ))) => new_R_busA_latch I ARBN ) in
let I_srdy_ =
    (((new_R_fsm_state = RA) V(new_R_fsm_state = RD )) => ~((R_fsm_state = RA) ^(new_R_fsm_state =RD)) 
                                    ARB) in
let Int0_ = ~(r_int0_en }\wedge~R_int0_dis \Lambda~\mathrm{ Disable_int) in
let Intl = (R_ctrl_cry ^ new_R_int1_en }\wedge~\mathrm{ Disable_int) in
let Int2 = (R_ctr3_cry ^new_R_int2_en }\wedge~\mathrm{ Disable_int) in
let Int3_=~(\mp@subsup{x}{-}{\primeint3_en }\wedge~R_int3_dis }\wedge -Disable_int) in
let Ccr = R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
(I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);;
```
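The register rules above (the set/clear writes to R_icr, the pairwise interrupt enables, the one-clock Int0_ pulse produced by feeding r_int0_en back into R_int0_dis, and the field-by-field assembly of the status word) as an added executable model. This is example code written for this edition, not code from the report or from its HOL libraries; the 32-bit word width, reading ARBN bits as zero, and the Python helper names are assumptions.

```python
# Added example, not part of the report or its HOL libraries: a Python
# model of the R-port register update rules. The bit operators mirror the
# HOL ELEMENT/ALTER/MALTER/SUBARRAY names; a 32-bit word width and the
# reading of ARBN as zero are assumptions made here.

WIDTH = 32
MASK = (1 << WIDTH) - 1


def element(word: int, i: int) -> bool:
    """ELEMENT word (i): bit i of the word as a boolean."""
    return (word >> i) & 1 == 1


def alter(word: int, i: int, bit: bool) -> int:
    """ALTER word (i) bit: the word with bit i replaced by bit."""
    return (word & ~(1 << i) & MASK) | (int(bit) << i)


def malter(word: int, hi: int, lo: int, field: int) -> int:
    """MALTER word (hi,lo) field: the word with bits hi..lo replaced by field."""
    fmask = ((1 << (hi - lo + 1)) - 1) << lo
    return (word & ~fmask & MASK) | ((field << lo) & fmask)


def subarray(word: int, hi: int, lo: int) -> int:
    """SUBARRAY word (hi,lo): bits hi..lo as an unsigned value."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def new_icr(icr: int, reg_sel: int, data: int) -> int:
    """new_R_icr for a write cycle: register 0 clears the bits set in data
    (Andn old mask), register 1 sets them (Orn old mask); a write to any
    other register leaves the word alone (R_icr_load is false)."""
    if reg_sel == 0:
        return icr & ~data & MASK
    if reg_sel == 1:
        return (icr | data) & MASK
    return icr


def int0_en(icr: int) -> bool:
    """r_int0_en: some bit i in 0..7 is set together with its partner bit i+8."""
    return any(element(icr, i) and element(icr, i + 8) for i in range(0, 8))


def int3_en(icr: int) -> bool:
    """r_int3_en: some bit i in 16..23 is set together with its partner bit i+8."""
    return any(element(icr, i) and element(icr, i + 8) for i in range(16, 24))


def int0_sequence(icr_per_clock, disable_int=False):
    """Int0_ (active low) over consecutive clocks, starting with R_int0_dis
    released. R_int0_dis is last clock's r_int0_en (new_R_int0_dis =
    r_int0_en), so the pin is low for exactly one clock after the enable
    condition becomes true, not for as long as it holds."""
    pins, int0_dis = [], False
    for icr in icr_per_clock:
        en = int0_en(icr)
        pins.append(not (en and not int0_dis and not disable_int))
        int0_dis = en
    return pins


def status_word(mb_parity, c_ss, cb_parity, channel_id, ident, s_state,
                pmm_fail, piu_fail, reset_cpu, cpu_fail) -> int:
    """sr28_0: the status register assembled field by field in the ALTER/MALTER
    order of the HOL text. Bits 31..29, 11..10 and 7..4 are never written and
    keep the ARBN value, taken as zero here."""
    w = alter(0, 28, mb_parity)
    w = malter(w, 27, 25, c_ss)
    w = alter(w, 24, cb_parity)
    w = malter(w, 23, 22, channel_id)
    w = malter(w, 21, 16, ident)
    w = malter(w, 15, 12, s_state)
    w = alter(w, 9, pmm_fail)
    w = alter(w, 8, piu_fail)
    w = malter(w, 3, 2, reset_cpu)
    w = malter(w, 1, 0, cpu_fail)
    return w
```

Because R_icr is a single word, a clearing write to register 0 with a mask covering both halves of a pair removes the partner bit as well as the bit it guards; the int0_sequence trace shows that a pair left set does not hold Int0_ low past the first clock.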


## D.4 C Port Specification

```
%
  File: c_clock1.ml
  Author: (c) D.A. Fura 1992
  Date: 31 March 1992

  This file contains the ml source for the clock-level specification of the C-Port of the FTEP PIU,
  an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of
  this code was translated from an M-language simulation program using a translator written by
  P.J. Windley at the University of Idaho.
%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm c_clock1.th';;

new_theory 'c_clock1';;

loadf 'abstract';;

map new_parent ['caux_def';'aux_def';'array_def';'wordn_def'];;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;

let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

let cc_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                     csfsm_ty#bool#bool#bool#wordn#
                     cefsm_ty#bool#bool#bool#bool#bool#bool#
                     bool#wordn#bool#bool#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#bool#
                     bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn)";;

let cc_state = "((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                  C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                  C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                  C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                  C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                  C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
                 :^cc_state_ty)";;

let cc_env_ty = ":(wordn#wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#
                   wordn#wordn#wordn#wordn#
                   bool#bool#bool#bool#wordn#wordn#bool#bool#wordn#bool)";;

let cc_env = "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
                I_lock_, I_cale_, I_hlda_, I_crqt_,
                CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
                Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
               :^cc_env_ty)";;

let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#wordn#bool#bool)";;

let cc_out = "((I_cgnt_, I_mrdy_out_, I_hold, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
                I_ad_out, I_be_out,
                CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
               :^cc_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;
```


Next-state definition for EXEC instruction.
```
let cEXEC_inst_def = new_definition
  ('cEXEC_inst',
   "! (rep:^rep_ty)
      (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
      (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
      (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
       C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
       C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
       C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
      (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
      (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
       Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool).
    cEXEC_inst rep
      (C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
       C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
       C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
       C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
       C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
      (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_,
       I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
       Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
    let c_write = (((~(C_mfsm_state = CMI)) /\ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
    let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
    let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
                \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                      /\ (ELEMENT CB_rqt_in_ (1)))
                \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                      /\ (ELEMENT CB_rqt_in_ (1))
                                                      /\ (ELEMENT CB_rqt_in_ (2)))
                \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                                      /\ (ELEMENT CB_rqt_in_ (1))
                                                      /\ (ELEMENT CB_rqt_in_ (2))
                                                      /\ (ELEMENT CB_rqt_in_ (3)))) in
    let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
    let c_mfsm_stateA =
      ((C_mfsm_rst) => CMI |
       ((C_mfsm_state = CMI) =>
          ((C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~c_busy /\ ~C_mfsm_invalid) => CMR | CMI) |
       ((C_mfsm_state = CMR) => ((C_mfsm_D /\ c_grant /\ C_mfsm_hold_) => CMA3 | CMR) |
       ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
       ((C_mfsm_state = CMA1) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
           (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1) |
       ((C_mfsm_state = CMA0) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
           (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0) |
       ((C_mfsm_state = CMA2) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
           (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2) |
       ((C_mfsm_state = CMD1) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
           (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1) |
       ((C_mfsm_state = CMD0) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_last_in_) => CMD1 |
           (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_last_in_) => CMW |
           (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0) |
       ((C_mfsm_state = CMW) =>
          ((C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
           (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_lock_in_) => CMI |
           (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_lock_in_ /\ ~C_mfsm_crqt_) => CMA3 | CMW) |
       ((~C_last_in_) => CMI | CMABT)))))))))) in
    let c_sfsm_stateA =
      ((C_sfsm_rst) => CSI |
       (C_sfsm_state = CSI) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 | CSI) |
       (C_sfsm_state = CSL) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
       (C_sfsm_state = CSA1) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
       (C_sfsm_state = CSA0) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
           (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
       (C_sfsm_state = CSA0W) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
       (C_sfsm_state = CSALE) =>
          ((C_sfsm_D /\ c_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
           (C_sfsm_D /\ ~c_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
       (C_sfsm_state = CSRR) =>
          ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
       (C_sfsm_state = CSD1) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
       (C_sfsm_state = CSD0) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
           (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
       (C_sfsm_state = CSACK) =>
          ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
           (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
           (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
       (C_sfsm_D) => CSI | CSABT) in
    let c_efsm_stateA =
      ((C_efsm_rst) => CEI |
       (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
       (((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE)) in
    let c_srdy_en = ((c_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
    let cout_sel0 = (ALTER ARBN (0)
                       (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) =>
                          (c_sfsm_stateA = CSD1) |
                          ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMD1)))) in
    let cout_sel10 = (ALTER cout_sel0 (1)
                        (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) => F |
                           ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2)))) in
    let c_cout_sel = cout_sel10 in
    let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
    let new_C_sizewrbe = ((Rst) => (WORDN 0) |
                          (((c_sfsm_stateA = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
    let c_new_write = (((~(c_mfsm_stateA = CMI)) /\ (~(c_mfsm_stateA = CMR))) =>
                         new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
    let new_C_clkA = ClkD in
    let new_C_last_in_ = ((Rst) => F |
                          ((((c_mfsm_stateA = CMABT) \/ (c_mfsm_stateA = CMD1)) /\ ClkD) => I_last_in_ |
                           C_last_in_)) in
    let new_C_lock_in_ = ((Rst) => F |
                          ((c_mfsm_stateA = CMA1) => I_lock_ |
                           C_lock_in_)) in
    let new_C_ss = (((~(c_mfsm_stateA = CMABT)) /\ (~(c_mfsm_stateA = CMI))) => CB_ss_in | C_ss) in
    let c_mend = (CB_ms_in = ^MEND) in
    let c_mabort = (CB_ms_in = ^MABORT) in
    let new_C_last_out_ =
      (((c_sfsm_stateA = CSA1) /\ ~(ClkD /\ (c_mend \/ c_mabort))) => T |
       ((~(c_sfsm_stateA = CSA1)) /\ (ClkD /\ (c_mend \/ c_mabort))) => F |
       ((~(c_sfsm_stateA = CSA1)) /\ ~(ClkD /\ (c_mend \/ c_mabort))) => C_last_out_ | ARB) in
    let c_srdy = (CB_ss_in = ^SRDY) in
    let c_dfsm_master = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMA1)
                      \/ (c_mfsm_stateA = CMA0) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)) in
    let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
                       \/ (c_mfsm_stateA = CMA2)
                       \/ (c_new_write /\ ((c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)))
                       \/ (~c_new_write /\ ((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)))) in
    let new_C_hold_ = (c_sfsm_stateA = CSI) in
    let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
    let new_C_cout_0_le_del = ((I_cale_) \/ (I_srdy_in_ /\ ~c_new_write)
                            \/ ((c_mfsm_stateA = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
                            \/ ((c_mfsm_stateA = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
    let new_C_cin_2_le = (ClkD /\ (((c_mfsm_stateA = CMD0) /\ c_srdy /\ ~c_new_write) \/
                                   ((c_sfsm_stateA = CSA0)) \/
                                   ((c_sfsm_stateA = CSD0) /\ c_new_write))) in
    let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((c_sfsm_stateA = CSALE) \/ (c_sfsm_stateA = CSD1))) \/
                            (~c_new_write /\ C_clkA /\ (c_sfsm_stateA = CSACK)) \/
                            (c_new_write /\ ClkD /\ (c_sfsm_stateA = CSD0))) in
    let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
                           \/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
                           \/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
                           \/ ((c_sfsm_stateA = CSD0) /\ c_new_write)
                           \/ ((c_sfsm_stateA = CSACK) /\ c_new_write)) in
    let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
    let new_C_wrdy = (c_srdy /\ c_new_write /\ (c_mfsm_stateA = CMD1) /\ ClkD) in
    let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (c_mfsm_stateA = CMD0) /\ ClkD) in
    let c_pe = (Par_Det rep (CB_ad_in)) in
    let c_mparity = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
                  \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)
                  \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
                  \/ (C_mfsm_state = CMD1)) in
    let c_sparity = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSACK)) /\ (~(c_sfsm_stateA = CSABT))) in
    let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
    let new_C_parity =
      (((ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => T |
       ((ClkD /\ c_pe /\ c_pe_cnt) /\ Reset_error) => F |
       ((~(ClkD /\ c_pe /\ c_pe_cnt)) /\ ~Reset_error) => C_parity | ARB) in
    let new_C_source =
      ((Rst) => (WORDN 0) |
       ((ClkD /\ ((c_sfsm_stateA = CSI) \/ (c_sfsm_stateA = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
    let data_in31_16 =
      (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
                            ((ClkD /\ (((c_mfsm_stateA = CMD1) /\ c_srdy /\ ~c_new_write) \/
                                       ((c_sfsm_stateA = CSA1)) \/
                                       ((c_sfsm_stateA = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
                             (SUBARRAY C_data_in (31,16))))) in
    let data_in31_0 =
      (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
                                   ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
                                    (SUBARRAY C_data_in (15,0))))) in
    let new_C_data_in = data_in31_0 in
    let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
    let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
    let new_C_a1a0 =
      (((c_dfsm_master /\ C_cout_0_le_del) \/
        (~c_dfsm_master /\ C_clkA /\ (c_sfsm_stateA = CSD1))) => C_iad_in | C_a1a0) in
    let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr | C_a3a2) in
    let new_C_mfsm_state = c_mfsm_stateA in
    let new_C_mfsm_D = ClkD in
    let new_C_mfsm_rst = Rst in
    let new_C_mfsm_crqt_ = I_crqt_ in
    let new_C_mfsm_hold_ = new_C_holdA_ in
    let new_C_mfsm_ss = CB_ss_in in
    let new_C_mfsm_invalid = Piu_invalid in
    let new_C_sfsm_state = c_sfsm_stateA in
    let new_C_sfsm_D = ClkD in
    let new_C_sfsm_rst = Rst in
    let new_C_sfsm_hlda_ = I_hlda_ in
    let new_C_sfsm_ms = CB_ms_in in
    let new_C_efsm_cale_ = I_cale_ in
    let new_C_efsm_last_ = I_last_in_ in
    let new_C_efsm_male_ = I_male_in_ in
    let new_C_efsm_rale_ = I_rale_in_ in
    let new_C_efsm_srdy_ = I_srdy_in_ in
    let new_C_efsm_rst = Rst in
    (C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
     C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
     C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
     C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
     C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
     C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)"
  );;
```
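The arbitration terms c_busy and c_grant and the master state machine c_mfsm_stateA from cEXEC_inst above, as an added Python model. This is example code written for this edition, not the report's HOL text or the PIU's own logic; the slave-status codes are the SACK/SRDY/SWAIT/SABORT values from the top of c_clock1.ml, while the run_master driver and its stimulus list are constructed here for illustration.

```python
# Added example, not part of the report: a Python model of the C-port bus
# arbitration (c_busy, c_grant) and master state machine (c_mfsm_stateA)
# as written in cEXEC_inst. A trailing "_" marks an active-low line
# (True = released). The driver and stimulus below are constructed here.

SACK, SRDY, SWAIT, SABORT = 5, 6, 7, 0   # CB_ss slave status codes (WORDN values)


def c_busy(cb_rqt_in_: int) -> bool:
    """Some other channel is requesting: lines 3..1 of CB_rqt_in_ are not all released."""
    return ((cb_rqt_in_ >> 1) & 0x7) != 0x7


def c_grant(ident: int, cb_rqt_in_: int) -> bool:
    """Fixed-priority grant keyed on Id bits 1..0: channel 0 wins as soon as
    its own line (bit 0) is asserted; channel k in 1..3 also needs request
    lines 1..k to be released."""
    k = ident & 0x3
    own_request = not (cb_rqt_in_ & 1)
    higher_released = all((cb_rqt_in_ >> i) & 1 for i in range(1, k + 1))
    return own_request and higher_released


# CMA1, CMA0, CMA2 and CMD1 share one rule: advance on SRDY, abort on SABORT.
ADDR_DATA_NEXT = {"CMA1": "CMA0", "CMA0": "CMA2", "CMA2": "CMD1", "CMD1": "CMD0"}


def c_mfsm_next(state, *, rst=False, d=True, crqt_=True, busy=False,
                invalid=False, grant=False, hold_=True, ss=SWAIT,
                last_in_=True, lock_in_=True):
    """c_mfsm_stateA: the master state after one clock. d stands for
    C_mfsm_D, the sampled ClkD phase; while it is False every state except
    a reset holds. ss is the latched slave status C_mfsm_ss."""
    if rst:
        return "CMI"
    srdy = d and ss == SRDY
    sabort = d and ss == SABORT
    if state == "CMI":           # idle: own request, bus free, PIU valid
        return "CMR" if (d and not crqt_ and not busy and not invalid) else "CMI"
    if state == "CMR":           # requesting: wait for the grant while not held off
        return "CMA3" if (d and grant and hold_) else "CMR"
    if state == "CMA3":          # left on the next clock regardless of slave status
        return "CMA1" if d else "CMA3"
    if state in ADDR_DATA_NEXT:
        return ADDR_DATA_NEXT[state] if srdy else "CMABT" if sabort else state
    if state == "CMD0":          # end of a data word: another word, or wait for the ack
        if srdy:
            return "CMD1" if last_in_ else "CMW"
        return "CMABT" if sabort else "CMD0"
    if state == "CMW":           # waiting for SACK; a locked sequence restarts at CMA3
        if sabort:
            return "CMABT"
        if d and ss == SACK and lock_in_:
            return "CMI"
        if srdy and not lock_in_ and not crqt_:
            return "CMA3"
        return "CMW"
    # CMABT: the abort state is left only once C_last_in_ is asserted (low)
    return "CMI" if not last_in_ else "CMABT"


def run_master(stimulus, state="CMI"):
    """Clock the master through a list of per-clock input dicts and return
    the state reached after each clock."""
    trace = []
    for inputs in stimulus:
        state = c_mfsm_next(state, **inputs)
        trace.append(state)
    return trace


# Constructed stimulus: this channel requests while the bus is free, is
# granted, and completes a two-word transfer that the slave accepts.
TWO_WORD_TRANSFER = [
    dict(crqt_=False),               # CMI  -> CMR
    dict(grant=True),                # CMR  -> CMA3
    dict(),                          # CMA3 -> CMA1
    dict(ss=SRDY),                   # CMA1 -> CMA0
    dict(ss=SRDY),                   # CMA0 -> CMA2
    dict(ss=SRDY),                   # CMA2 -> CMD1
    dict(ss=SRDY),                   # CMD1 -> CMD0
    dict(ss=SRDY, last_in_=True),    # CMD0 -> CMD1  (not the last word)
    dict(ss=SRDY),                   # CMD1 -> CMD0
    dict(ss=SRDY, last_in_=False),   # CMD0 -> CMW   (last word)
    dict(ss=SACK),                   # CMW  -> CMI   (acknowledged, no lock)
]
```

The properties worth checking against a model like this are the ones the transaction-level view depends on: reset wins over every other input, a SABORT seen in any address or data state lands in CMABT, and CMABT is only left when C_last_in_ is asserted, so an aborted transfer cannot be mistaken for a completed one.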

Output definition for EXEC instruction.
let cEXEC_out_def = new_definition
('cEXEC_out',
" 1 (rep:^тep_ty)
(C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
(C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_ala0 C_a3a2 :wordn)
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_C_mfsm_hold_C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hida_
C_efsm_cale_C_efsm_last_C_efsm_male_C_efsm_rale_C_efsm_srdy_C_efsm_rst
C_wr C_clkA C_last_in_ C_lock_in_C_last_out_C_hold_ C_holdA_C_cout_0_le_del C_cin_2_le
C_mrdy_del_C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
(I_ad_in I_be_in_CB_rqt_in_CB_ad_in CB_ms_in CB_ss_in Id ChanneliD Ccr :wordn)
(I_mrdy_in_I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool).
cEXEC_out rep
(C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
C_efsm_state, C_efsm_cale, C_efsm_last, C_efsm_male_, C_efsm_rale, C_efsm_srdy_, C_efsm_rst,
C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
C_hold, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_ala0,C_a3a2)
(I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_, I_hlda_, I_crqt, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) $=$
let c_write $=\left(\left(\left(\sim\left(C_{-}\right.\right.\right.\right.$mfsm_state $=$CMI $\left.)\right) \wedge\left(\sim\left(C_{-}\right.\right.$mfsm_state $\left.\left.\left.=C M R\right)\right)\right) \Rightarrow C_{-}$wr 1 (ELEMENT C_sizewrbe (5))) in let c_busy $=(\sim(($ SUBARRAY CB_rqt_in_( 3,1$))=($ WORDN 7$)))$ in
let c_grant $=((($ (SUBARRAY Id $(1,0))=($ WORDN 0$)) \wedge \sim($ (ELEMENT CB_rqt_in_(0)))
$\vee(((\operatorname{SUBARRAY}$ Id $(1,0))=($ WORDN 1$)) \wedge \sim($ ELEMENT CB_Iqt_in_( 0$))$
$\wedge$ (ELEMENT CB_rqt_in_(1)))
$V(((\operatorname{SUBARRAY}$ Id $(1,0))=($ WORDN 2$)) \wedge \sim($ ELEMENT CB_rqt_in_( 0$))$

$$
\begin{aligned}
& \wedge \text { (ELEMENT CB_rqt_in_(1)) } \\
& \wedge(E L E M E N T \text { CB_rqt_in_(2))) } \\
V(((\text { SUBARRAY Id }(1,0))=(\text { WORDN } 3)) & \wedge \sim(\text { ELEMENT CB_rqt_in_(0)) } \\
& \wedge(\text { ELEMENT CB_rqtin_(1)) } \\
& \wedge(E L E M E N T \text { CB_qt_in_(2)) } \\
& \wedge \text { (ELEMENT CB_rqt_in_(3))) in }
\end{aligned}
$$

let c_addressed = (Id = (SUBARRAY C_source $(15,10))$ ) in
let c_mfsm_stateA =
((C_mfsm_rst) $\Rightarrow$ CMI
((C_mfsm_state $=C M I) \Rightarrow$
(C_mfsm_D $\wedge \sim C \_m f s m \_c r q t \_\wedge \sim c \_$busy $\left.\wedge \sim C \_m f s m \_i n v a l i d\right)=>$ CMR I CMI I
$\left(\left(C \_m f s m \_s t a t e=C M R\right) \Rightarrow\left(C \_m f s m_{\_} D \wedge c \_g r a n t \wedge C_{\_}\right.\right.$mfsm_hold_) $\Rightarrow$ CMA3 I CMR I
((C_mfsm_state $=$ CMA3) $)=\left(\left(C \_m f s m \_D\right) \Rightarrow C M A 1 \mid C M A 3\right) \mid$
$\left(\left(C \_m f s m \_s t a t e=C M A 1\right) \Rightarrow\right.$
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SRDY)) $=>$ CMA0
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SABORT)) $\Rightarrow$ CMABT $\mid$ CMAI $\mid$
((C_mfsm_state $=$ CMAO) $)=$
(C_mfsm_D^(C_mfsm_ss = ^SRDY)) $=>$ CMA2 1
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SABORT)) $\Rightarrow$ CMABT $\mid$ CMAO 1
((C_mfsm_state $=$ CMA2) $)=$
(C_mfsm_D $\wedge\left(C \_m f s m \_s s=\right.$ ^SRDY)) $\Rightarrow$ CMD1 1
(C_mfsm_D $\wedge$ (C_mfsm_ss $=$ ^SABORT) $)=>$ CMABT $|C M A 2|$
$\left(\left(C \_m f s m_{-}\right.\right.$state $=$CMD1 $)=>$
(C_mfsm_D $\wedge\left(C_{-} m f s m_{-s s}={ }^{\wedge}\right.$ SRDY $\left.)\right) \Rightarrow$ CMDO $\mid$
(C_mfsm_D $\wedge$ (C_mfsm_ss $={ }^{\wedge}$ SABORT) $)=>$ CMABT $\mid$ CMD $1 \mid$
( $\left(C \_m f s m \_\right.$state $=$CMDO $)=>$
(C_mfsm_D $\wedge\left(C \_m f s m \_s s=\right.$ ^SRDY) $\wedge C_{\text {_last_in_) }} \Rightarrow$ CMD1 $\mid$
(C_mfsm_D $\wedge\left(C_{-} m f s m_{-} s s={ }^{\text {A }}\right.$ SRDY) $\wedge \sim C_{-}$last_in_) $\Rightarrow$ CMW $\mid$
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SABORT)) $\Rightarrow$ CMABT $|C M D 0|$
( $\left(C \_\right.$mfsm_state $\left.=C M W\right)=>$
(C_mfsm_D $\wedge\left(C_{-} m f s m \_s s=\right.$ ^SABORT) $) \Rightarrow C M A B T \mid$
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SACK) $\wedge$ C_lock_in_) $\Rightarrow$ CMII
(C_mfsm_D $\wedge\left(C_{-} m f s m_{-} s s=\wedge\right.$ SRDY $) \wedge \sim C_{1}$ lock_in_ $\wedge \sim C_{-}$mfsm_crqt_) $=>$CMA3 $\mid$CMW $\mid$
$\left(\left(\sim C_{-}\right.\right.$last_in_) $=>$CMI ( CMABT) $)$)) )) ) ) )) $)$in
let c_sfsm_stateA =
( $\mathrm{C}_{-}$sfsm_rst) $=>\mathrm{CSI} \mid$
(C_sfsm_state $=C S I)=>$
$\left(\left(C_{-}\right.\right.$sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $={ }^{\wedge}$ MSTART $) \wedge \sim c_{-}$grant $\left.\wedge c_{\text {_addressed }}\right)=>$ CSAl|CSI)|
(C_sfsm_state $=$ CSL) $\Rightarrow$
$\left(\left(C \_s f s m \_D \wedge\left(C \_s f s m \_m s=\wedge M S T A R T\right) \wedge \sim c \_g r a n t \wedge c_{-}\right.\right.$addressed $) \Rightarrow C S A 1 \mid$

(C_sfsm_D $\wedge\left(C\right.$ _sfsm_ms $={ }^{\wedge}$ MABORT) $) \Rightarrow$ CSABT $\left.\mid C S L\right) \mid$
(C_sfsm_state $=$ CSA1) $\Rightarrow$
$\left(\left(C_{-} s f s m \_D \wedge\left(C_{-} s f s m \_m s=\wedge M R D Y\right)\right) \Rightarrow C S A O 1\right.$
$\left.\left(C_{-} s f s m \_D \wedge\left(C \_s f s m \_m s=\wedge M A B O R T\right)\right) \Rightarrow C S A B T \mid C S A 1\right) \mid$
(C_sfsm_state $=$ CSA 0 ) $\Rightarrow$
$\left(\left(C_{-} s f s m \_D \wedge\left(C_{-} s f s m \_m s=\right.\right.\right.$ AMRDY $\left.) \wedge \sim C_{-} s f s m \_h l d a_{-}\right)=>C S A L E \mid$
(C_sfsm_D $\wedge\left(C_{-} s f s m_{-} m s=\wedge M R D Y\right) \wedge C_{-} s f s m_{-}$hlda_) $\Rightarrow$ CSAOW $^{\text {A }}$
(C_sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MABORT) $) \Rightarrow$ CSABTICSA0) |
(C_sfsm_state $=$ CSAOW $) \Rightarrow$
$\left(\left(C_{-} s f s m_{-} D \wedge\left(C_{-} s f s m_{-} m s=\right.\right.\right.$ ^MRDY $\left.) \wedge \sim C_{-} s f s m_{-} h l d a \_\right)=>$CSALE 1
(C_sfsm_D $\wedge$ (C_sfsm_ms = ^MABORT)) $\Rightarrow$ CSABT $\mid C S A O W) \mid$
(C_sfsm_state $=$ CSALE $)=>$
$\left(\left(C_{-} s f s m_{-} D \wedge c_{-} w r i t e \wedge\left(C_{-} s f s m_{-} m s=\right.\right.\right.$ MRDY) ) $\Rightarrow$ CSD1 ।

$$
\begin{aligned}
& \text { (C_sfsm_D } \left.\wedge \sim c_{-} w r i t e \wedge\left(C_{-} s f s m_{-} m s={ }^{\wedge} M R D Y\right)\right)=\text { CSRR I } \\
& \left.\left(C_{-} \text {sfsm_D } \wedge\left(C_{-} s f s m_{-} m s=\wedge M A B O R T\right)\right)=>C S A B T \mid C S A L E\right) \mid \\
& \text { (C_sfsm_state }=\text { CSRR) })= \\
& \left(\left(C_{-} s f s m \_D \wedge \sim\left(C_{-} s f s m_{\_} m s=\wedge \text { MABORT }\right)\right) \Rightarrow \text { CSD } 11\right. \\
& \text { (C_sfsm_D } \left.\left.\wedge\left(C_{-} \text {sfsm_ms }=\wedge \text { MABORT }\right)\right) \Rightarrow \text { CSABT } \mid C S R R\right) \mid \\
& \text { (C_sfsm_state }=\text { CSD1) }=> \\
& \left(\left(C \_s f s m \_D \wedge\left(C \_s f s m \_m s={ }^{\wedge} M R D Y\right)\right) \Rightarrow C S D 01\right. \\
& \left.\left(C_{-} \text {sfsm_D } \wedge\left(C_{-} s f s m \_m s=\wedge \text { MABORT }\right)\right) \Rightarrow \text { CSABT } \mid C S D 1\right) \mid \\
& \text { (C_sfsm_state }=\text { CSDO })=> \\
& \left(\left(C_{-} \text {sfsm_D } \wedge\left(C_{-} \text {sfsm_ms }={ }^{\wedge} \text { MEND }\right)\right) \Rightarrow \text { CSACK } 1\right. \\
& \text { (C_sfsm_D } \wedge\left(C_{-} s f s m \_m s=\wedge \text { MRDY) }\right)=>\text { CSD1 I } \\
& \text { (C_sfsm_D } \left.\left.\wedge\left(C_{-} s f s m \_m s=\wedge \text { MABORT }\right)\right)=\text { CSABT } \mid C S D 0\right) \mid \\
& \text { (C_sfsm_state }=\text { CSACK })=> \\
& \left(\left(C_{-} s f s m_{-} D \wedge\left(C_{-} s f s m_{-} m s={ }^{\wedge} M R D Y\right)\right)=>\text { CSL } \mid\right. \\
& \left(C_{-} s f s m \_D \wedge\left(C \_s f s m \_m s={ }^{\wedge} \text { MWAIT }\right)\right)=>\text { CSII } \\
& \text { (C_sfsm_D } \left.\left.\wedge\left(C_{-} s f s m_{-} m s=\wedge M A B O R T\right)\right)=>\text { CSABT } \mid C S A C K\right) \mid \\
& \text { (C_sfsm_D) }=>\text { CSI | CSABT) in }
\end{aligned}
$$

```
let c_efsm_stateA =
  ((C_efsm_rst) => CEI |
   (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
   (((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE)) in
let c_srdy_en = ((c_efsm_stateA = CEE) \/ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) =>
                                   (c_sfsm_stateA = CSD1) |
                                   ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1)
                                    \/ (c_mfsm_stateA = CMD1)))) in
let cout_sel10 = (ALTER cout_sel0 (1) (((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)) => F |
                                        ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2)))) in
let c_cout_sel = cout_sel10 in
```
```
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => (WORDN 0) |
                      (((c_sfsm_stateA = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(c_mfsm_stateA = CMI)) /\ (~(c_mfsm_stateA = CMR))) =>
                   new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_clkA = ClkD in
let new_C_last_in_ = ((Rst) => F |
                      ((((c_mfsm_stateA = CMABT) \/ (c_mfsm_stateA = CMD1)) /\ ClkD) => I_last_in_ |
                       C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F |
                      ((c_mfsm_stateA = CMA1) => I_lock_ |
                       C_lock_in_)) in
let new_C_ss = (((~(c_mfsm_stateA = CMABT)) /\ (~(c_mfsm_stateA =CMI))) => CB_ss_in | C_ss) in
let c_mend = (CB_ms_in = ^MEND) in
let c_mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =

  (((~(c_sfsm_stateA = CSA1)) /\ (ClkD /\ (c_mend \/ c_mabort))) => F |
   (((~(c_sfsm_stateA = CSA1)) /\ ~(ClkD /\ (c_mend \/ c_mabort))) => C_last_out_ | ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMA1)
                     \/ (c_mfsm_stateA = CMA0) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)) in
let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
                      \/ (c_mfsm_stateA = CMA2)
                      \/ (c_new_write /\ ((c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)))
                      \/ (~c_new_write /\ ((c_sfsm_stateA = CSD1) \/ (c_sfsm_stateA = CSD0)))) in
let new_C_hold_ = (c_sfsm_stateA = CSI) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_del = ((I_cale_) \/ (I_srdy_in_ /\ ~c_new_write)
                           \/ ((c_mfsm_stateA = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
                           \/ ((c_mfsm_stateA = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = ((ClkD /\ ((c_mfsm_stateA = CMD0) /\ c_srdy /\ ~c_new_write)) \/
                      ((c_sfsm_stateA = CSA0)) \/
                      ((c_sfsm_stateA = CSD0) /\ c_new_write)) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((c_sfsm_stateA = CSALE) \/ (c_sfsm_stateA = CSD1))) \/
                        (~c_new_write /\ C_clkA /\ (c_sfsm_stateA = CSACK)) \/
                        (c_new_write /\ ClkD /\ (c_sfsm_stateA = CSD0))) in
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
                          \/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
                          \/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
                          \/ ((c_sfsm_stateA = CSD0) /\ c_new_write)
                          \/ ((c_sfsm_stateA = CSACK) /\ c_new_write)) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (c_mfsm_stateA = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (c_mfsm_stateA = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0)
                 \/ (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0)
                 \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
                 \/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSACK)) /\ (~(c_sfsm_stateA = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
  (((ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => T |
   ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ Reset_error) => F |
    ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~Reset_error) => C_parity | ARB))) in
let new_C_source =
  ((Rst) => (WORDN 0) |
   ((ClkD /\ ((c_sfsm_stateA = CSI) \/ (c_sfsm_stateA = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
  (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |

                         (SUBARRAY C_data_in (31,16)))) in
let data_in31_0 =
  (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
                                ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
                                 (SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
let new_C_a1a0 =
  (((c_dfsm_master /\ C_cout_0_le_del) \/
    (~c_dfsm_master /\ C_clkA /\ (c_sfsm_stateA = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr | C_a3a2) in
let new_C_mfsm_state = c_mfsm_stateA in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = c_sfsm_stateA in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_hlda_ = I_hlda_ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = I_cale_ in
let new_C_efsm_last_ = I_last_in_ in
let new_C_efsm_male_ = I_male_in_ in
let new_C_efsm_rale_ = I_rale_in_ in
let new_C_efsm_srdy_ = I_srdy_in_ in
let new_C_efsm_rst = Rst in
let I_cgnt_ = ~(c_mfsm_stateA = CMA3) in
let I_mrdy_out_ = ((~I_hlda_) => C_mrdy_del_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ =
  ((~I_hlda_) =>
   ~((c_sfsm_stateA = CSALE) /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkA) | ARB) in
let I_male_out_ =
  ((~I_hlda_) =>
   ~((c_sfsm_stateA = CSALE) /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkA) | ARB) in
let I_last_out_ = ((~I_hlda_) => C_last_out_ | ARB) in
let I_srdy_out_ = ((~I_cale_ \/ c_srdy_en) => ~(C_wrdy \/ C_rrdy \/ (c_mfsm_stateA = CMABT)) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out = ((new_C_iad_en_s_delA
                 \/ ((c_mfsm_stateA = CMD1) /\ ~c_new_write /\ c_srdy_en)
                 \/ ((c_mfsm_stateA = CMD0) /\ ~c_new_write /\ c_srdy_en)
                 \/ ((c_mfsm_stateA = CMW) /\ (C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en)
                 \/ ((c_sfsm_stateA = CSALE) /\ (~(C_sfsm_state = CSALE)))
                 \/ ((c_sfsm_stateA = CSALE) /\ c_new_write)
                 \/ ((c_sfsm_stateA = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
                 \/ ((c_sfsm_stateA = CSD0) /\ c_new_write)
                 \/ ((c_sfsm_stateA = CSACK) /\ c_new_write)) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = ~(~(c_mfsm_stateA = CMI)) in
let ms0 = (ALTER ARBN (0) (((c_mfsm_stateA = CMD0) /\ ~C_last_in_) \/
                           ((c_mfsm_stateA = CMW) /\ C_lock_in_) \/
                           (c_mfsm_stateA = CMABT))) in
let ms10 = (ALTER ms0 (1) ((c_mfsm_stateA = CMA1) \/ (c_mfsm_stateA = CMA0) \/
                           (c_mfsm_stateA = CMA2) \/ (c_mfsm_stateA = CMD1) \/
                           ((c_mfsm_stateA = CMD0) /\ C_last_in_) \/ (c_mfsm_stateA = CMW) \/
                           (c_mfsm_stateA = CMABT))) in
let ms210 = (ALTER ms10 (2) (((c_mfsm_stateA = CMA3) \/ (c_mfsm_stateA = CMA1) \/
                              (c_mfsm_stateA = CMA0) \/ (c_mfsm_stateA = CMA2) \/
                              (c_mfsm_stateA = CMD1) \/ (c_mfsm_stateA = CMD0) \/
                              (c_mfsm_stateA = CMW) \/ (c_mfsm_stateA = CMABT))
                             /\ ~Pmm_failure /\ ~Piu_invalid)) in
let CB_ms_out = (((~(c_mfsm_stateA = CMI)) /\ (~(c_mfsm_stateA = CMR))) => ms210 | ARBN) in
let ss0 = (ALTER ARBN (0) ((c_sfsm_stateA = CSAOW) \/
                           ((c_sfsm_stateA = CSALE) /\ ~c_new_write) \/
                           (c_sfsm_stateA = CSACK))) in
let ss10 = (ALTER ss0 (1) ~(c_sfsm_stateA = CSACK)) in
let ss210 = (ALTER ss10 (2) (~Pmm_failure /\ ~Piu_invalid)) in
let CB_ss_out = (((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSABT))) => ss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
                 ((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_a1a0 (15,0)) |
                  ((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUBARRAY new_C_a1a0 (31,16)) |
                   ((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
                    Par_Enc rep (SUBARRAY new_C_a3a2 (31,16))))) | ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = ((~(c_sfsm_stateA = CSI)) /\ (~(c_sfsm_stateA = CSL)) /\
                      ~((ChannelID = (WORDN 0)) /\ (ELEMENT C_source (6))) /\
                      ~((ChannelID = (WORDN 1)) /\ (ELEMENT C_source (7))) /\
                      ~((ChannelID = (WORDN 2)) /\ (ELEMENT C_source (8))) /\
                      ~((ChannelID = (WORDN 3)) /\ (ELEMENT C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,
 CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
);;

close_theory();;
```

## D.5 SU_Cont Specification

%
File: s_clock1.ml
Author: (c) D.A. Fura 1992
Date: 31 March 1992

This file contains the ml source for the clock-level specification of the startup controller of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of this code was translated from an M-language simulation program using a translator written by P.J. Windley at the University of Idaho.
%

```
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm s_clock1.th';;

new_theory 's_clock1';;

map new_parent ['saux_def';'aux_def';'array_def';'wordn_def'];;

let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let sc_state = "((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                  S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                  S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
                 :^sc_state_ty)";;

let sc_env_ty = ":(bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let sc_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
               :^sc_env_ty)";;

let sc_out_ty = ":(wordn#bool#bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let sc_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
                Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
               :^sc_out_ty)";;

%-----------------------------------------------------------------------------------
  Next-state definition for EXEC instruction.
-----------------------------------------------------------------------------------%

let sEXEC_inst_def = new_definition
 ('sEXEC_inst',
  "!(S_fsm_state :sfsm_ty)
    (S_soft_cnt S_delay :wordn)
    (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
     S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
     S_piu_fail :bool)
    (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
   sEXEC_inst (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
               S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
               S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
              (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
   let new_S_fsm_state =
     ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
       ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
        ((S_fsm_state = SPF) => SC0I |
         ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
          ((S_fsm_state = SC0F) => ST |
           ((S_fsm_state = ST) => SC1I |
            ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
             ((S_fsm_state = SC1F) => SS |
              ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
               ((S_fsm_state = SSTOP) => SSTOP |
                ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
                 ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
                  ((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
   let s_fsm_sn = (new_S_fsm_state = SN) in
   let s_fsm_so = (new_S_fsm_state = SO) in
   let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
   let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
                    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                    \/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
   let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
   let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
   let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
   let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
   let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
   let s_fsm_spmf = (new_S_fsm_state = SO) in
   let s_fsm_sb = (new_S_fsm_state = SSTART) in
   let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
                    \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
   let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
   let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
   let s_fsm_scs = (new_S_fsm_state = SCS) in
   let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
   let s_soft_cnt_out =
     ((s_fsm_srs) =>
      ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
      ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
   let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
   let s_delay_out =
     ((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
      ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
      ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
   let new_S_delay = s_delay_out in
   let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
   let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
   let new_S_pmm_fail =
     ((s_fsm_sb /\ ~s_fsm_spmf) => T |
      ((~s_fsm_sb /\ s_fsm_spmf) => F |
       ((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
   let new_S_cpu0_fail =
     ((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
   let new_S_cpu1_fail =
     ((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
   let new_S_piu_fail =
     ((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
   let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
   let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
   let new_S_bad_cpu0 =
     ((s_fsm_sb /\ ~s_cpu0_select) => T |
      ((~s_fsm_sb /\ s_cpu0_select) => F |
       ((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
   let new_S_bad_cpu1 =
     ((s_fsm_sb /\ ~s_cpu1_select) => T |
      ((~s_fsm_sb /\ s_cpu1_select) => F |
       ((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
   let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
   let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
   let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
   let new_S_fsm_rst = Rst in
   let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
   let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
   let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
   let new_S_fsm_bypass = Bypass in
   (new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
    new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1,
    new_S_reset_cpu0, new_S_reset_cpu1, new_S_cpu_hist, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail,
    new_S_piu_fail)"
 );;
```


%-----------------------------------------------------------------------------------
  Output definition for EXEC instruction.
-----------------------------------------------------------------------------------%

```
let sEXEC_out_def = new_definition
 ('sEXEC_out',
  "!(S_fsm_state :sfsm_ty)
    (S_soft_cnt S_delay :wordn)
    (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
     S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail
     S_piu_fail :bool)
    (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
   sEXEC_out (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
              S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
              S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
             (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
   let new_S_fsm_state =
     ((S_fsm_rst) => SSTART |
      ((S_fsm_state = SSTART) => SRA |
       ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
        ((S_fsm_state = SPF) => SC0I |
         ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
          ((S_fsm_state = SC0F) => ST |
           ((S_fsm_state = ST) => SC1I |
            ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
             ((S_fsm_state = SC1F) => SS |
              ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
               ((S_fsm_state = SSTOP) => SSTOP |
                ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
                 ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
                  ((S_fsm_state = SO) => SO | S_ILL)))))))))))))) in
   let s_fsm_sn = (new_S_fsm_state = SN) in
   let s_fsm_so = (new_S_fsm_state = SO) in
   let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
   let s_fsm_srp = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
                    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                    \/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
   let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
   let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
   let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
   let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
   let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
   let s_fsm_spmf = (new_S_fsm_state = SO) in
   let s_fsm_sb = (new_S_fsm_state = SSTART) in
   let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
                    \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
   let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
   let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
   let s_fsm_scs = (new_S_fsm_state = SCS) in
   let new_S_soft_shot_del = (~Gcrh /\ Gcrl) in
   let s_soft_cnt_out =
     ((s_fsm_srs) =>
      ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
      ((Gcrl /\ ~Gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
   let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
   let s_delay_out =
     ((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
      ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
      ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
   let new_S_delay = s_delay_out in
   let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
   let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
   let new_S_pmm_fail =
     ((s_fsm_sb /\ ~s_fsm_spmf) => T |
      ((~s_fsm_sb /\ s_fsm_spmf) => F |
       ((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
   let new_S_cpu0_fail =
     ((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
   let new_S_cpu1_fail =
     ((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
   let new_S_piu_fail =
     ((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
      ((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
       ((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
   let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
   let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
   let new_S_bad_cpu0 =
     ((s_fsm_sb /\ ~s_cpu0_select) => T |
      ((~s_fsm_sb /\ s_cpu0_select) => F |
       ((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
   let new_S_bad_cpu1 =
     ((s_fsm_sb /\ ~s_cpu1_select) => T |
      ((~s_fsm_sb /\ s_cpu1_select) => F |
       ((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
   let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
   let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
   let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
   let new_S_fsm_rst = Rst in
   let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
   let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
   let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
   let new_S_fsm_bypass = Bypass in
   let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                              \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                              \/ (new_S_fsm_state = SO))) in
   let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                             \/ (new_S_fsm_state = SC1I) \/ (new_S_fsm_state = SC1F)
                             \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                             \/ (new_S_fsm_state = SCS))) in
   let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) \/ (new_S_fsm_state = SC0I)
                             \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                             \/ (new_S_fsm_state = SSTOP) \/ (new_S_fsm_state = SO))) in
   let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) \/ (new_S_fsm_state = SPF)
                             \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1I)
                             \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                             \/ (new_S_fsm_state = SO))) in
   let S_state = ss3 in
   let Reset_cport = s_fsm_src in
   let Disable_int = (~(s_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ s_fsm_sdi
                      /\ ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in
   let Reset_piu = s_fsm_srp in
   let Reset_cpu0 = new_S_reset_cpu0 in
   let Reset_cpu1 = new_S_reset_cpu1 in
   let Cpu_hist = new_S_cpu_hist in
   let Piu_fail = new_S_piu_fail in
   let Cpu0_fail = new_S_cpu0_fail in
   let Cpu1_fail = new_S_cpu1_fail in
   let Pmm_fail = new_S_pmm_fail in
   (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail,
    Cpu0_fail, Cpu1_fail, Pmm_fail)"
 );;

close_theory();;
```
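The startup sequence that sEXEC_inst encodes (reset wait, PIU check, a timed self-test window for CPU0 and then CPU1, fail-stop in SSTOP when both CPUs fail, otherwise selection of CPU0 as primary with CPU1 held in reset as the spare) is easier to see when the next-state function is run. The model below is an added example written for this page; it is not code from the report or from the Boeing HOL sources. It transcribes sEXEC_inst into Python and drives it with constructed stimulus. Several things the page does not define are assumed and marked as such in the code: INCN n x is x+1 truncated to n+1 bits, ELEMENT w i is bit i of w, WORDN k is the integer k, an ARB result is represented as None, ClkA/ClkB play no part in this function, and a healthy CPU announces a passed self-test by holding Gcrl high and pulsing Gcrh low five times inside its test window (the `s_soft_cnt_out = WORDN 5` check) with its active-low Failure line left high. The driver `run_startup` and its cycle budget are this example's own.

```python
"""Executable model of the FTEP PIU startup controller, sEXEC_inst above.
Added example, not part of the report or its HOL sources.  Assumed (the page
does not define them): INCN n x = x+1 truncated to n+1 bits, ELEMENT w i = bit i
of w, WORDN k = k, ARB = None, and ClkA/ClkB play no part in this function."""
from dataclasses import dataclass


def incn(n, x):
    return (x + 1) & ((1 << (n + 1)) - 1)   # assumed (n+1)-bit increment


def element(w, i):
    return bool((w >> i) & 1)               # assumed: bit i of a wordn


@dataclass
class State:
    """The S_* register tuple of sc_state; fsm_rst=True is the image after Rst."""
    fsm_state: str = "SSTART"; fsm_rst: bool = True
    fsm_delay6: bool = False; fsm_delay17: bool = False
    fsm_bothbad: bool = False; fsm_bypass: bool = False
    soft_shot_del: bool = False; soft_cnt: int = 0; delay: int = 0
    bad_cpu0: bool = False; bad_cpu1: bool = False
    reset_cpu0: bool = False; reset_cpu1: bool = False; cpu_hist: bool = False
    pmm_fail: bool = False; cpu0_fail: bool = False
    cpu1_fail: bool = False; piu_fail: bool = False


SIMPLE = {"SSTART": "SRA", "SPF": "SC0I", "SC0F": "ST", "ST": "SC1I",
          "SC1F": "SS", "SSTOP": "SSTOP", "SO": "SO"}   # unconditional arcs


def fsm_next(s):
    """new_S_fsm_state: SSTART..SO, or SSTOP once both CPUs have failed."""
    st = s.fsm_state
    if s.fsm_rst:    return "SSTART"
    if st == "SRA":  return ("SO" if s.fsm_bypass else "SPF") if s.fsm_delay6 else "SRA"
    if st == "SC0I": return "SC0F" if s.fsm_delay17 else "SC0I"
    if st == "SC1I": return "SC1F" if s.fsm_delay17 else "SC1I"
    if st == "SS":   return "SSTOP" if s.fsm_bothbad else "SCS"
    if st == "SCS":  return "SN" if s.fsm_delay6 else "SCS"
    if st == "SN":   return "SO" if s.fsm_delay17 else "SN"
    return SIMPLE.get(st, "S_ILL")


def set_reset(set_, clear, old):
    """The (set => T | clear => F | neither => old | ARB) idiom used for every flag."""
    if set_ and clear:
        return None                          # ARB: the spec leaves it unspecified
    return True if set_ else (False if clear else old)


def next_state(s, rst, bypass, test, gcrh, gcrl, failure0_, failure1_):
    """One clock of sEXEC_inst: register tuple s and the inputs in, new tuple out."""
    st, new = s.fsm_state, fsm_next(s)
    sn, so, sb = new == "SN", new == "SO", new == "SSTART"
    spf = st == "SRA" and s.fsm_delay6 and not s.fsm_rst
    src = (sb or (st == "SRA" and s.fsm_delay6) or new in ("SC0F", "ST", "SC1F", "SS")
           or (st == "SCS" and s.fsm_delay6))
    sec = (new != "SSTOP" and new != "SO") or st == "SN"
    srs = st in ("SPF", "ST") and not s.fsm_rst           # restart the soft-shot count
    shot = gcrl and not gcrh and not s.soft_shot_del      # rising edge of Gcrl /\ ~Gcrh
    cnt = (1 if shot else 0) if srs else (incn(2, s.soft_cnt) if shot else s.soft_cnt)
    delay = ((1 if sec else 0) if src or (new == "SCS" and element(s.delay, 6))
             else (incn(17, s.delay) if sec else s.delay))
    cpu0_ok = new == "SC0F" and failure0_ and cnt == 5    # five shots, Failure0_ high
    cpu1_ok = new == "SC1F" and failure1_ and cnt == 5
    cpu0_fail = set_reset(sb, cpu0_ok or bypass, s.cpu0_fail)
    cpu1_fail = set_reset(sb, cpu1_ok or bypass, s.cpu1_fail)
    sel0 = (sn or so) and not s.cpu0_fail                 # CPU0 is the primary
    sel1 = (sn or so) and s.cpu0_fail and not s.cpu1_fail  # CPU1 only if CPU0 failed
    bad0, bad1 = set_reset(sb, sel0, s.bad_cpu0), set_reset(sb, sel1, s.bad_cpu1)
    return State(
        fsm_state=new, fsm_rst=rst, fsm_delay6=element(delay, 6),
        fsm_delay17=element(delay, 6) if test else element(delay, 17),
        fsm_bothbad=cpu0_fail and cpu1_fail, fsm_bypass=bypass,
        soft_shot_del=gcrl and not gcrh, soft_cnt=0 if not (gcrh or gcrl) else cnt,
        delay=delay, bad_cpu0=bad0, bad_cpu1=bad1,
        reset_cpu0=bad0 and new not in ("SPF", "SC0I"),   # a bad CPU is held in reset
        reset_cpu1=bad1 and new not in ("ST", "SC1I"),    # except during its own test
        cpu_hist=s.reset_cpu0 and s.reset_cpu1 and bypass,
        pmm_fail=set_reset(sb, so, s.pmm_fail), cpu0_fail=cpu0_fail,
        cpu1_fail=cpu1_fail, piu_fail=set_reset(sb, spf or bypass, s.piu_fail))


def run_startup(cpu0_healthy, cpu1_healthy, max_cycles=1000):
    """Drive the model from reset with Test=1 (64-cycle waits) and Bypass=0.
    Constructed stimulus: a healthy CPU holds Gcrl high, pulses Gcrh low five
    times in its test window and keeps Failure*_ high; a dead CPU does neither."""
    s, edges, gcrh, prev = State(), 0, True, None
    for _ in range(max_cycles):
        win = s.fsm_state if s.fsm_state in ("SC0I", "SC1I") else None
        if win != prev:
            edges, gcrh = 0, True
        if {"SC0I": cpu0_healthy, "SC1I": cpu1_healthy}.get(win, False) and edges < 5:
            gcrh = not gcrh
            edges += 0 if gcrh else 1
        else:
            gcrh = True
        s = next_state(s, False, False, True, gcrh, True, cpu0_healthy, cpu1_healthy)
        prev = win
        if s.fsm_state in ("SO", "SSTOP"):
            break
    return s
```

Running `run_startup(True, True)` ends in SO with both fail flags clear and CPU1 (the spare) held in reset; `run_startup(False, True)` ends in SO with cpu0_fail set, CPU0 held in reset and CPU1 released; `run_startup(False, False)` ends in SSTOP, the fail-stop state from which only Rst leaves. The ARB cases of the spec (a set and a clear condition true in the same cycle, e.g. Bypass asserted during the SSTART cycle) surface as None in the model rather than being silently resolved.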

## Appendix E ML Source for the PIU Block-Level Specification.

This appendix contains the HOL model for the PIU block-level structural specification.

```
%
File:   piu_block.ml
Author: (c) D.A. Fura 1992
Date:   31 March 1992

This file contains the ml source for the block-level specification of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
At this level the blocks correspond to the four PIU ports and the startup controller.
%

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`;
                                  `/home/titan3/dfura/ftep/piu/hol/pport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/cport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/mport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/rport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/sucont/`]);;

system `rm piu_block.th`;;
new_theory `piu_block`;;
loadf `abstract`;;
map new_parent [`aux_def`;`p_clock1`;`c_clock1`;`m_clock1`;`r_clock1`;`s_clock1`];;
let rep_ty = abstract_type `aux_def` `Andn`;;

let PIU_Block_SPEC = new_definition
   (`PIU_Block_SPEC`,
    "! (rep:^rep_ty)
       (P_fsm_state :pfsm_ty)
       (P_addr P_be_ P_size :wordn)
       (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
        P_lock_inh_ P_male_ P_rale_ :bool)
       (C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
       (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
       (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
        C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
        C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
        C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
       (M_fsm_state :mfsm_ty)
       (M_count M_addr M_be M_rd_data M_detect :wordn)
       (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
       (R_fsm_state :rfsm_ty)
       (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
        R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
        R_reg_sel R_busA_latch :wordn)
       (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
        R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
        R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
        R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
       (S_fsm_state :sfsm_ty)
       (S_soft_cnt S_delay :wordn)
       (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
        S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
       (L_ad_in L_be_ :wordn)
       (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)
       (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
       (ClkD :bool)
       (MB_data_in :wordn)
       (Edac_en_ :bool)
       (Bypass Test Failure0_ Failure1_ :bool)
       (L_ad_out :wordn)
       (L_ready_ :bool)
       (CB_ad_out CB_ms_out CB_ss_out :wordn)
       (CB_rqt_out_ :bool)
       (MB_addr MB_data_out :wordn)
       (MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ :bool)
       (Led :wordn)
       (Int0_ Int1 Int2 Int3_ Cpu_hist :bool).
     PIU_Block_SPEC rep
       (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
        P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
        C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
        C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
        C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
        C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
        C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
        C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
        M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
        M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
        R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
        R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
        R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
        R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
        R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
        R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
        R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
        R_reg_sel, R_busA_latch,
        S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
        S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
        S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
       (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
        CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
        MB_data_in, Edac_en_,
        Bypass, Test, Failure0_, Failure1_)
       (L_ad_out, L_ready_,
        CB_ad_out, CB_ms_out, CB_ss_out, CB_rqt_out_,
        MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
        Int0_, Int1, Int2, Int3_, Led, Cpu_hist) =
     ? (i_ad i_be_ :wordn)
       (i_male_ i_rale_ i_crqt_ i_cgnt_ i_cale_ i_mrdy_ i_srdy_ i_last_ i_hold_ i_hlda_ i_lock_ :bool)
       (c_ss :wordn)
       (disable_writes cb_parity :bool)
       (ccr :wordn)
       (reset_error piu_invalid :bool)
       (mb_parity :bool)
       (s_state :wordn)
       (reset_cport disable_int reset_piu reset_cpu0 reset_cpu1 piu_fail pmm_fail cpu0_fail cpu1_fail :bool).
       (p_interp rep ((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                       P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_),
                      (ClkA, ClkB, reset_piu, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, i_ad, i_cgnt_, i_hold_, i_srdy_),
                      (L_ad_out, L_ready_, i_ad, i_ad, i_be_, i_rale_, i_male_, i_crqt_, i_cale_, i_mrdy_, i_last_, i_hlda_, i_lock_))) /\
       (c_interp rep ((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                       C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                       C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                       C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                       C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2),
                      (i_ad, i_be_, i_mrdy_, i_rale_, i_male_, i_last_, i_srdy_, i_lock_, i_cale_, i_hlda_, i_crqt_,
                       CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
                       reset_cport, ClkA, ClkB, ClkD, Id, ChannelID, pmm_fail, piu_invalid, ccr, reset_error),
                      (i_cgnt_, i_mrdy_, i_hold_, i_rale_, i_male_, i_last_, i_srdy_, i_ad, i_be_,
                       CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, c_ss, disable_writes, cb_parity))) /\
       (m_interp rep ((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se,
                       M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect),
                      (ClkA, ClkB, reset_piu, reset_cport, disable_writes, i_ad, i_male_, i_last_, i_be_,
                       i_mrdy_, MB_data_in, Edac_en_, reset_error),
                      (i_ad, i_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, mb_parity))) /\
       (r_interp rep ((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
                       R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
                       R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
                       R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
                       R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                       R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
                       R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
                       R_reg_sel, R_busA_latch),
                      (ClkA, reset_piu, i_ad, i_rale_, i_last_, i_be_, i_mrdy_, disable_int, disable_writes,
                       cpu0_fail, cpu1_fail, reset_cpu0, reset_cpu1, piu_fail, pmm_fail, s_state, Id,
                       ChannelID, cb_parity, mb_parity, c_ss),
                      (i_ad, i_srdy_, Int0_, Int1, Int2, Int3_, ccr, Led, reset_error, piu_invalid))) /\
       (s_interp rep ((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                       S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                       S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail),
                      (ClkA, ClkB, Rst, Bypass, Test, Led, Failure0_, Failure1_),
                      (s_state, reset_cport, disable_int, reset_piu, reset_cpu0, reset_cpu1, Cpu_hist,
                       piu_fail, cpu0_fail, cpu1_fail, pmm_fail)))"
   );;

close_theory();;
```

## Appendix F ML Source for the PIU Clock-Level Specification.

This appendix contains the HOL model for the clock-level specification of the PIU.

```
%
File:   piu_clock1.ml
Author: (c) D.A. Fura 1992
Date:   31 March 1992

This file contains the ml source for the clock-level specification of the FTEP PIU,
an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
%

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`;
                                  `/home/titan3/dfura/ftep/piu/hol/pport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/cport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/mport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/rport/`;
                                  `/home/titan3/dfura/ftep/piu/hol/sucont/`]);;

system `rm piu_clock1.th`;;
new_theory `piu_clock1`;;
map new_parent [`paux_def`;`caux_def`;`maux_def`;`raux_def`;`saux_def`;`aux_def`;`array_def`;`wordn_def`];;
loadf `abstract`;;

let MSTART = "WORDN 4";;
let MEND   = "WORDN 5";;
let MRDY   = "WORDN 6";;
let MWAIT  = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK   = "WORDN 5";;
let SRDY   = "WORDN 6";;
let SWAIT  = "WORDN 7";;
let SABORT = "WORDN 0";;

let piu_state_ty = ":(wordn#bool#wordn#bool#pfsm_ty#bool#bool#bool#bool#bool#wordn#bool#bool#bool#bool#bool#
                      cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                      csfsm_ty#bool#bool#bool#wordn#
                      cefsm_ty#bool#bool#bool#bool#bool#bool#
                      bool#wordn#bool#bool#bool#wordn#bool#
                      bool#bool#bool#bool#bool#bool#bool#
                      bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn#
                      mfsm_ty#bool#bool#bool#bool#wordn#bool#bool#wordn#wordn#bool#bool#bool#wordn#wordn#
                      rfsm_ty#bool#bool#bool#bool#
                      wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                      wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                      wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                      wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                      bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#
                      bool#bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn#
                      sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn#
                      bool#bool#bool#bool#bool#bool#bool#bool#bool)";;

let piu_state = "((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
                   P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
                   C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
                   C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
                   C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
                   C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
                   C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
                   C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
                   M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
                   M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
                   R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_ctr0_in, R_ctr0_mux_sel, R_ctr0,
                   R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel,
                   R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel,
                   R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,
                   R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                   R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden, R_int0_dis,
                   R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
                   R_reg_sel, R_busA_latch,
                   S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                   S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
                   S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
                  :^piu_state_ty)";;

let piu_env_ty = ":(bool#bool#bool#wordn#bool#bool#wordn#bool#bool#
                    wordn#wordn#wordn#wordn#bool#wordn#wordn#
                    wordn#bool#
                    bool#bool#bool#bool)";;

let piu_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
                 CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
                 MB_data_in, Edac_en_,
                 Bypass, Test, Failure0_, Failure1_)
                :^piu_env_ty)";;

let piu_out_ty = ":(wordn#bool#
                    bool#wordn#wordn#wordn#
                    wordn#wordn#bool#bool#bool#bool#
                    bool#bool#bool#bool#wordn#
                    bool#bool#bool#bool#bool#bool#bool)";;

let piu_out = "((L_ad_out, L_ready_,
                 CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
                 MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
                 Int0_, Int1, Int2, Int3_, Led,
                 Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
                :^piu_out_ty)";;

let rep_ty = abstract_type `aux_def` `Andn`;;
```

```
    Next-state definition for EXEC instruction.
```

"! (rep:^rep_ty)
(P_fsm_state :pfsm_ty)
(P_addr P_be_P_size :wordn)
(P_dest1 $P_{-} w r P_{-} f s m_{\_}$rst $P_{-} f s m_{-}$sack $P_{-}$fsm_cgnt_ $P_{-} f s m_{-}$bold_ $P_{-} r q t P_{-}$down $P_{-}$lock_
P_lock_inh_P_male_ P_rale_ :bool)
(C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
(C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_al a0 C_a3a2 :wordn)
(C_mfsm_D C_mfsm_rst C_mfsm_crqt_C_mfsm_hold_C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
C_efsm_cale_C_efsm_last_C_efsm_male_C_efsm_rale_C_efsm_srdy_C_efsm_rst
C_wr C_clkA C_last_in_C_lock_in_C_last_out_ C_hold_C_holdA_C_cout_0_le_del C_cin_2_le
C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
(M_fsm_state :mfsm_ty)
(M_count M_addr M_be M_rd_data M_detect :wordn)
(M_fsm_male_M_fsm_last_M_fsm_mrdy_M_fsm_rst M_se $M_{-} w r M_{-} r d y M_{-} w w d e l M_{-}$parity :bool) (R_fsm_state :rfsm_ty)
(R_ctro_in R_ctr0 R_ctro_new R_ctro_out R_ctr1_in R_ctr1 R_ctr 1_new R_ctr 1_out R_ctr2_in R_ctr2 R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_cer R_gct R_st R_reg_sel R_busA_latch :wordn)

R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_ger_rden R_sr_rden R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int 2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
(S_fsm_state :sfsm_ty)
(S_soft_cnt S_delay :wordn)
(S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpul
S_reset_cpu0 S_reset_cpul S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
(L_ad_in L_be_: wordn)
(ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_: bool)
(CB_rqt_in_CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
(ClkD :bool)
(MB_data_in :wordn)
(Edac_en_: bool)
(Bypass Test Failure0_Failurel_:bool).
piuEXEC_inst rep
(P_addr, $P_{-}$dest1, $P_{-} b e_{-}, P_{-} w r, P_{-} f s m_{-}$state, $P_{-}$fsm_rst, $P_{-} f s m_{-}$sack, $P_{-} f s m_{-} c g n t$, $P_{-} f s m_{\text {_ }}$ hold_, P_rqt, $P_{-}$size, $P_{-}$down, $P_{-}$lock_, $P_{-}$lock_inh_, $P$ _male_, $P_{\_}$rale_, C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA, C_wrdy, C_ridy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_ala0,C_a3a2, $M_{\_}$fsm_state, M_fsm_male, M_fsm_last_M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
 R_ctr0_irden, R_ctro_new, R_ctr0_cry, R_ctro_out, R_ctro_orden, R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel,

R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_cer, R_ccr_rden, R_gcr, R_gcr_rden, $R_{\_} s r, R_{\_} s r \_r d e n, ~ R \_i n t 0 \_d i s$, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_ R_reg_sel, R_busA_latch,
S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpul, S_reset_cpu0, S_reset_cpul, S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
(ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID, MB_data_in, Edac_en_, Bypass, Test, Failure0_, Failure1_) =
let new_P_fsm_state $=$
( $\mathbf{P}_{\text {_f }}$ fs_rst) $=>$ PA $\mid$
$\left((\right.$ P_fsm_state $=P H) \Rightarrow\left(\left(\sim P_{-}\right.\right.$fsm_bold_ $) \Rightarrow$ PH $\mid$ PA $) \mid$
$(($ P_fsm_state $=P A) \Rightarrow$
$\left(\left(\left(P \_r q t \wedge \sim P_{-} d e s t 1\right) \vee\left(P_{-}\right.\right.\right.$rqt $\wedge P_{-}$dest1 $\wedge \sim P_{-}$fsm_cgnt_) $) \Rightarrow$ PD 1
$\left(\left(\sim P \_\right.\right.$fsm_hold_ $\wedge P \_$lock_ $\left.\left.)=>P H \mid P A\right)\right) \mid$
$\left(\left(P_{-}\right.\right.$fsm_state $\left.=P D\right) \Rightarrow$
$\left(\left(\left(P_{-} f s m_{\_}\right.\right.\right.$sack $\wedge P_{-} f s m_{-}$hold_ $) V\left(P_{-} f s m_{-}\right.$sack $\wedge \sim P_{-} f s m_{-}$hold_ $\wedge \sim P_{-}$lock_ $\left.)\right)=P$ PA $\mid$
$\left(\left(P \_\right.\right.$fsm_sack $\Lambda \sim P \_f s m \_$hold_ $\wedge P_{-}$lock_ $\left.\left.\left.\left.\left.)=>P H \mid P D\right)\right) \mid P \_L L\right)\right)\right)$ ) in
let c_write $=\left(\left(\left(\sim\left(C_{-}\right.\right.\right.\right.$mfsm_state $\left.\left.=C M I\right)\right) \wedge\left(\sim\left(C_{-}\right.\right.$mfsm_state $\left.\left.\left.=C M R\right)\right)\right) \Rightarrow C_{-}$wr $1($ ELEMENT C_sizewrbe $\left.(5))\right)$ in let c_busy $=(-(($ SUBARRAY CB_rqt_in_( 3,1$))=($ WORDN 7$))$ ) in
let c_grant $=(((($ SUBARRAY Id $(1,0))=($ WORDN 0$)) \wedge \sim(E L E M E N T$ CB_rqt_in_( 0$)))$
V (((SUBARRAY Id ( 1,0$)$ ) $=($ WORDN 1$)) \wedge \sim($ ELEMENT CB_rqt_in_( 0$))$
$\wedge$ (ELEMENT CB_rqt_in_(1)))
$\mathrm{V}\left(((\right.$ SUBARRAY Id $(1,0))=($ WORDN 2$)) \wedge \sim\left(E L E M E N T C B \_\right.$qq_in_( 0$\left.)\right)$
$\wedge$ (ELEMENT CB_rqt_in_(1))
$\wedge$ (ELEMENT CB_rqt_in_(2)))
$V(($ SUBARRAY Id $(1,0))=($ WORDN 3$)) \wedge \sim(E L E M E N T$ CB_rqt_in_( 0$))$
$\wedge$ (ELEMENT CB_rqt_in_(1))
$\wedge$ (ELEMENT CB_rqt_in_(2))
$\wedge$ (ELEMENT CB_rqt_in_(3)))) in
let c_addressed $=(\operatorname{Id}=($ SUBARRAY C_source $(15,10)))$ in
let new_C_mfsm_state =
((C_mfsm_rst) $\Rightarrow$ CMII
((C_mfsm_state $=C M I) \Rightarrow$
(C_mfsm_D $\wedge \sim C_{-} m f s m_{-}$crqt_ $\wedge \sim c_{-}$busy $\left.\wedge \sim C_{-} m f s m \_i n v a l i d\right)=>$ CMR $|C M I|$
((C_mfsm_state $=C M R) \Rightarrow\left(C \_m f s m \_D \wedge c_{\_}\right.$grant $\wedge C_{\_}$mfsm_bold_) $\Rightarrow$ CMA3 $|C M R|$
((C_mfsm_state $=$ CMA3) $\Rightarrow$ ( (C_mfsm_D) $=>$ CMA1 $\mid C M A 3) \mid$
((C_mfsm_state $=$ CMA1) $\Rightarrow>$
(C_mfsm_D $\wedge$ (C_mfsm_ss $=$ ^SRDY)) $\Rightarrow$ CMAOI
(C_mfsm_D $\left.\wedge\left(C \_m f s m \_s s=\wedge S A B O R T\right)\right)=>$ CMABT $|C M A 1|$
((C_mfsm_state $=$ CMAO) $)=$
(C_mfsm_D $\wedge\left(C \_m f s m \_s s=\right.$ ^SRDY) $)=>$ CMA2 1
(C_mfsm_D $\wedge\left(C_{-}\right.$mfsm_ss $=\wedge$ SABORT) $)=>$ CMABT $|C M A 0|$
((C_mfsm_state $=$ CMA2 $)=>$
(C_mfsm_D $\wedge\left(C_{-}\right.$mfsm_ss $=$^SRDY)) $\Rightarrow$ CMD1 1
(C_mfsm_D^(C_mfsm_ss = ^SABORT)) $\Rightarrow$ CMABT 1 CMA2 1
((C_mfsm_state $=$ CMD1) $)=>$
(C_mfsm_D $\wedge$ (C_mfsm_ss = ^SRDY)) $\Rightarrow$ CMDO
(C_mfsm_D $\left.\wedge\left(C_{-} m f s m_{-} s s={ }^{\wedge} S A B O R T\right)\right) \Rightarrow C M A B T|C M D 1|$
$\left(\left(C \_m f s m \_\right.\right.$state $\left.=C M D 0\right)=>$
(C_mfsm_D $\wedge\left(C_{-}\right.$mfsm_ss = ^SRDY) $\left.\wedge C_{\text {_last_in_) }}\right) \Rightarrow$ CMDI I
(C_mfsm_D $\wedge\left(C_{\_} m f s m_{-} s s=\right.$ ^SRDY) $\wedge \sim C_{\text {_last_in_ })} \Rightarrow C M W$ I
(C_mfsm_D $\wedge\left(C \_m f s m_{-} s s=\right.$ ASABORT) $)=>$ CMABT $|C M D 0|$
((C_mfsm_state $=$ CMW) $)=$
(C_mfsm_D $\left.\wedge\left(C_{-} m f s m \_s s=\wedge S A B O R T\right)\right)=>C M A B T \mid$
(C_mfsm_D $\wedge\left(C_{-} m f s m \_s s=\wedge S A C K\right) \wedge C_{-}$lock_in_) $\Rightarrow C M I \mid$

$\left(\left(\sim C_{-}\right.\right.$last_in_) $)=$CMI ( CMABT) $)$)) $)$) $)$) $)$) in
let new_C_sfsm_state $=$
((C_sfsm_rst) $\Rightarrow$ CSII
(C_sfsm_state $=$ CSI) $)=$
$\left(\left(C \_\right.\right.$sfsm_D $\wedge\left(C_{1}\right.$ sfsm_ms $=\wedge$ MSTART $) \wedge \sim$ c_grant $\left.\wedge c \_a d d r e s s e d\right)=>$ CSA1 $\left.\mid C S I\right) \mid$
(C_sfsm_state = CSL) $)=$
$\left(\left(C_{-}\right.\right.$sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MSTART $) \wedge \sim c_{\_}$grant $\wedge c_{-}$addressed $)=$CSA1 $\mid$
(C_sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MSTART) $\wedge \sim$ c_grant $\wedge \sim$ c_addressed $) \Rightarrow$ CSI $\mid$
(C_sfsm_D $\wedge\left(C_{-} s f s m_{-} m s=\wedge\right.$ MABORT $\left.)\right) \Rightarrow$ CSABT $\left.\mid C S L\right) \mid$
(C_sfsm_state $=$ CSA1) $)=$
$\left(\left(C \_s f s m \_D \wedge\left(C \_s f s m \_m s={ }^{\wedge} M R D Y\right)\right)=>\right.$ CSA 01
$\left(\right.$ C_sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MABORT $\left.)\right)=>$ CSABT $\left.\mid C S A 1\right) \mid$
(C_sfsm_state $=$ CSA 0 ) $=>$
$\left(\left(C_{-} s f s m_{-} D \wedge\left(C_{-} s f s m_{-} m s={ }^{\wedge} M R D Y\right) \wedge \sim C_{-} s f s m_{-} h l d a \_\right)=>C S A L E I\right.$
(C_sfsm_D $\wedge\left(C_{-} s f s m_{-} m s=\wedge M R D Y\right) \wedge C_{-} s f s m_{-}$hlda_) $\Rightarrow$ CSAOW I
(C_sfsm_D $\wedge$ (C_sfsm_ms $={ }^{\wedge}$ MABORT)) $=>$ CSABT ICSAO) $\mid$
(C_sfsm_state $=C S A O W) \Rightarrow$
$\left(\left(C_{-} s f s m \_D \wedge\left(C_{-} s f s m \_m s=\wedge M R D Y\right) \wedge \sim C_{-}\right.\right.$sfsm_hlda_) $)=>$CSALE $\mid$
(C_sfsm_D $\wedge$ (C_sfsm_ms $=\wedge$ MABORT) $)=>$ CSABT I CSA0W) $\mid$
(C_sfsm_state $=$ CSALE) $\Rightarrow$
$\left(\left(C_{-}\right.\right.$sfsm_D $\wedge c_{-}$write $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MRDY $\left.)\right)=>$ CSD1 1
(C_sfsm_D $\wedge \sim c_{-}$write $\wedge\left(C_{-}\right.$sfsm_ms $\left.=\wedge_{\text {MRDY }}\right)$ ) $=$ CSRR I
$\left(C_{-}\right.$sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MABORT $\left.)\right)=>$ CSABT $\mid$ CSALE $) \mid$
(C_sfsm_state $=$ CSRR $)=>$
$\left(\left(C_{-} s f s m_{-} D \wedge \sim\left(C_{-} s f s m_{-} m s=\wedge\right.\right.\right.$ MABORT $\left.)\right)=>$ CSD1 $\mid$
(C_sfsm_D $\wedge\left(C_{-} s f s m_{-} m s=\right.$ ^MABORT) $)=>$ CSABT $\mid$ CSRR $) \mid$
(C_sfsm_state = CSD1) =>
$\left(\left(C_{-} s f s m \_D \wedge\left(C \_s f s m \_m s={ }^{\wedge} M R D Y\right)\right)=>\right.$ CSDO 1
(C_sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms $=\wedge$ MABORT $\left.)\right) \Rightarrow$ CSABT $\left.\mid C S D 1\right) \mid$
(C_sfsm_state $=$ CSDO $)=$
$\left(\left(C\right.\right.$ _sfsm_ $D \wedge\left(C_{-} s f s m \_m s=\right.$ ^MEND $\left.)\right) \Rightarrow$ CSACK $\mid$
(C_sfsm_D $\wedge\left(C \_s f s m \_m s=\wedge\right.$ MRDY $\left.)\right) \Rightarrow C S D 1 \mid$
(C_sfsm_D $\left.\left.\wedge\left(C_{-} s f s m \_m s=\wedge M A B O R T\right)\right)=>C S A B T \mid C S D 0\right) \mid$
(C_sfsm_state $=$ CSACK) $=>$
$\left(\left(C \_s f s m \_D \wedge\left(C \_s f s m \_m s={ }^{\wedge} M R D Y\right)\right)=>C S L I\right.$
(C_sfsm_D $\wedge\left(C_{-} s f s m \_m s={ }^{\wedge}\right.$ MWAIT) $) \Rightarrow C S I ।$
(C_sfsm_D $\wedge\left(C_{-}\right.$sfsm_ms = ^MABORT)) $=>$CSABT $\left.\mid C S A C K\right) \mid$
(C_sfsm_D) $\Rightarrow$ CSI $\mid C S A B T$ ) in
let new_C_efsm_state $=$
((C_efsm_rst) $=>$ CEI $\mid$
(C_efsm_state $=C E I)=>\left(\left(\sim C_{-}\right.\right.$efsm_cale_) $\Rightarrow$ CEE I CEI) $\mid$
$\left(\left(\sim C_{-}\right.\right.$efsm_last_ $\wedge \sim C_{-}$efsm_srdy_) $\vee \sim C_{-}$efsm_male_ $\vee \sim C_{-}$efsm_rale_) $=>$CEI $\mid$CEE $)$in
let $\mathrm{m}_{-} \mathrm{bw}=\left(\left(\sim\left(\mathrm{M}_{-}\right.\right.\right.$be $=($WORDN 15$\left.\left.)\right)\right) \wedge \mathrm{M}_{-} w \boldsymbol{1} \wedge\left(-\left(\mathbf{M}_{-}\right.\right.$fsm_state $\left.\left.\left.=\mathbf{M I}\right)\right)\right)$ in

```
let \(m_{-} w w=\left(\left(M_{-} b e=(\right.\right.\) WORDN 15) \() \wedge M_{-} w i \wedge\left(\sim\left(M_{-} f s m_{-}\right.\right.\)state \(\left.\left.=M D\right)\right)\) in
let new_M_fsm_state \(=\)
    (M_fsm_rst) \(\Rightarrow \mathbf{M I} \mid\)
    \(\left(\left(M_{1}\right.\right.\) fsm_state \(\left.=\mathbf{M I}\right)=>\left(\left(\sim M_{\_}\right.\right.\)fsm_male_) \()=>\)MA \(\left.\mid M I\right) \mid\)
    ( \((\) M_fsm_state \(=\) MA \()=>\)
```



```
        \(\left(\left(\sim M_{-} f s m_{-} m r d y \_\wedge\left(\left(\sim M_{-} w r \wedge\left(-\left(M_{-} f s m_{-}\right.\right.\right.\right.\right.\right.\)state \(\left.\left.\left.\left.=M D\right)\right) V m_{-} b w\right)\right)=>\) MR \(\left.\left.\mid M A\right)\right) \mid\)
( \(\mathbf{M}_{-}\)fsm_state \(\left.=\mathbf{M R}\right) \Rightarrow\)
        \(\left(\left(\mathrm{m}_{1}\right.\right.\) bw \(\wedge\left(M_{\_}\right.\)count \(=(\)WORDN 0\(\left.\left.)\right)\right) \Rightarrow\) MBW I
        \(\left(\left(M_{-}\right.\right.\)fsm_last_ \(\wedge \sim M_{-} w \mathcal{1} \wedge\left(\sim\left(M_{\_}\right.\right.\)fsm_state \(=\)MI \(\left.)\right) \wedge\left(M_{-}\right.\)count \(=(\)WORDN 0\(\left.\left.)\right)\right)=>\) MA I
        \(\left(\left(\sim M_{-}\right.\right.\)fsm_last_ \(\wedge \sim M_{-} w r \wedge\left(\sim\left(M_{-} f s m_{-}\right.\right.\)state \(\left.\left.=M_{1}\right)\right) \wedge\left(M_{-}\right.\)count \(=(\)WORDN 0\(\left.\left.)\right)\right)=>\) MRR \(\mid\) MR \(\left.\left.)\right)\right) \mid\)
    ((M_fsm_state \(=\) MRR) \(\Rightarrow\) MI I
    ( \(\mathbf{M}_{-}\)fsm_state \(=\mathbf{M W}\) ) \(\Rightarrow\)
        \(\left(\left(\sim M_{f}\right.\right.\) fsm_last_ \(\Lambda(\) M_count \(=(\) WORDN 0\(\left.))\right)=>\) MI
        \(\left(\left(M_{-}\right.\right.\)fsm_last_ \(\wedge\left(M_{-}\right.\)count \(=(\)WORDN 0\(\left.\left.)\right)\right)=>\) MA \(\mid\) MW) \()\) I
    \(\left(\left(M_{-} f s m_{-}\right.\right.\)state \(\left.=\mathbf{M B W}\right) \Rightarrow\) MW \(\left.\left.\left.\left.\left.\left.\mid M_{-} I L L\right)\right)\right)\right)\right)\right)\) ) in
let new_R_fsm_state \(=\)
    ( \(R_{\text {_f }}\) fs_rst) \(=>\) RI |
    ( \(\left(R_{\_}\right.\)fsm_state \(\left.=R I\right)=>\left(\left(\sim R_{-} f s m \_a l e_{-}\right)=>R A \mid R D\right) \mid\)
    \(\left(\left(R_{-} f s m_{\_}\right.\right.\)state \(=\)RA \()=>\left(\left(\sim R_{\_}\right.\right.\)fsm_mrdy_) \(\Rightarrow\) RD \(\left.\mid R A\right) \mid\)
    (( \(\left(R_{-}\right.\)fsm_last_) \(\left.\left.=>R_{R} \mid R A\right)\right)\) ) in
let \(\mathrm{r}_{-}\)fsm_cntlatch \(=\left(\left(R_{-} f s m_{-}\right.\right.\)state \(\left.=R I\right) \wedge \sim R_{-} f s m_{-}\)ale \()\)in
let \(r_{-}\)fsm_srdy_ \(=\sim\left(\left(R_{-}\right.\right.\)fsm_state \(\left.=R A\right) \wedge \sim R_{-}\)fsm_mrdy_) in
let new_S_fsm_state \(=\)
    ((S_fsm_rst) \(\Rightarrow\) SSTART \(\mid\)
    ( \((\) S_fsm_state \(=\) SSTART \()=\) SRA \(\mid\)
    \(\left(\left(S \_\right.\right.\)fsm_state \(=\)SRA \()=>\left(\left(S \_\right.\right.\)fsm_delay6 \()=>\left(\left(S \_\right.\right.\)fsm_bypass \()=>\)SO \(\mid\)SPF \() \mid\)SRA \() \mid\)
    \(\left(\left(S \_\right.\right.\)fsm_state \(=\)SPF \() \Rightarrow\) SCOI I
    \(\left((\right.\) S_fsm_state \(=\) SCOI \()=>\left(\left(S \_f s m_{-}\right.\right.\)delay17) \()=>\)SCOF \(\mid\)SCOI \() \mid\)
    ( \((\) S_fsm_state \(=S C O F) \Rightarrow S T\) I
    ( \((\) S_fsm_state \(=S T\) ) \(\Rightarrow\) SC1II
    ((S_fsm_state \(=\) SC1I) \(\Rightarrow\) ((S_fsm_delay17) \(=>\) SC1F \(\mid S C 11) \mid\)
    ((S_fsm_state = SC1F) \(=>\) SS I
    ((S_fsm_state \(=\) SS) \()=\) ((S_fsm_bothbad) \(\Rightarrow\) SSTOP | SCS) |
    ((S_fsm_state \(=\) SSTOP) \()=>\) SSTOP I
    \(\left(\left(S \_\right.\right.\)fsm_state \(=\)SCS \()=>\left(\left(S \_\right.\right.\)fsm_delay6) \() \Rightarrow\) SN I SCS) \()\)
    \(\left(\left(S \_\right.\right.\)fsm_state \(\left.=\mathbf{S N}\right)=>\left(\left(S \_\right.\right.\)fsm_delay17) \()=>\)SO \(\mid\)SN \() \mid\)
    \(\left(\left(S_{-}\right.\right.\)fsm_state \(=\)SO \()=>\)SO (S_ILL) )) )) )) )) )) ) ) ) \()\)in
let \(\mathrm{s}_{-} \mathrm{fsm} \_\mathrm{sn}=(\mathrm{new}\) _S_fsm_state \(=\mathrm{SN})\) in
let \(s_{-}\)fsm_so \(=\left(n e w_{-} S_{-}\right.\)fsm_state \(\left.=S O\right)\) in
let reset_cport \(=\left(\left((\sim(\right.\right.\) new_S_fsm_state \(\left.=S O)) \wedge\left(-\left(S \_f s m \_s t a t e=S S T O P\right)\right)\right) \vee\left(S \_f s m \_\right.\)state \(=\)SRA \(\left.)\right)\)in
let s_fsm_sdi \(=\left(\left(\left(\sim\left(n e w_{\_} S \_f s m_{-}\right.\right.\right.\right.\)state \(=\)SO \(\left.)\right) \wedge\left(\sim\left(\mathbf{S}_{-} f s m_{-}\right.\right.\)state \(\left.\left.\left.=S S T O P\right)\right)\right) V\left(\mathbf{S}_{-} f s m_{-}\right.\)state \(=\)SRA \(\left.)\right)\)in
let reset_piu \(=((\) new_S_fsm_state \(=\) SSTART \() V(\) new_S_fsm_state \(=\) SRA \()\)
    \(V(\) new_S_fsm_state \(=S C 0 F) V(\) new_S_fsm_state \(=S T)\)
    \(V(\) new_S_fsm_state \(=S C I F) V\left(n e w_{\sim} S \_f s m \_s t a t e=S S\right) V(\) new_S_fsm_state \(\left.=S C S)\right)\) in
let \(s_{-}\)fsm_src \(0=((-(\) new_S_fsm_state \(=\) SPF \()) \wedge(\sim(\) new_S_fsm_state \(=S C O I)))\) in
let \(s_{-}\)fsm_srcl \(=((\sim(\) new_S_fsm_state \(=\) ST \()) \wedge(-(\) new_S_fsm_state \(=\) SC11) \())\) in
let s_fsm_spf \(=\left(\left(S \_f s m_{-}\right.\right.\)state \(\left.=S R A\right) \wedge S_{-} f s m_{-}\)delay6 \(\wedge \sim S \_f s m_{\_}\)rst \()\)in
let \(\mathrm{s}_{-} \mathrm{fsm}\) _scOf \(=(\) (new_S_fsm_state \(=\mathrm{SCOF})\) in
let s_fsm_sc1f = (new_S_fsm_state \(=\) SCIF) in
let s_fsm_spmf \(=(\) new_S_fsm_state \(=\) SO \()\) in
let s_fsm_sb \(=(\) new_S_fsm_state \(=\) SSTART \()\) in
```

```
let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
                 \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
                 \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
  ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
   ((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ = ~((new_C_mfsm_state = CMA3) /\ (new_P_fsm_state = PA) /\ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) \/ (C_efsm_state = CEE)) in
let new_M_count =
  (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
   (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
             \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~M_wr)) in
let m_srdy_ = ~((M_rdy /\ ~M_wr) \/ (m_rdy /\ M_wr)) in
let i_srdy_ = ((~i_cale_ \/ c_srdy_en) => ~(C_wrdy \/ C_rrdy \/ (new_C_mfsm_state = CMABT)) |
               (~(new_M_fsm_state = MI)) => m_srdy_ |
               ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) /\ (new_R_fsm_state = RD)) | ARB) in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_rqt =
  ((p_ale /\ ~(p_sack \/ reset_piu)) => T |
   ((~p_ale /\ (p_sack \/ reset_piu)) => F |
    ((~p_ale /\ ~(p_sack \/ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
                   ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
                   ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ =
  ((reset_piu) => T |
   ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
  ((reset_piu) => T |
   ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) |
                      (((new_C_sfsm_state = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(new_C_mfsm_state = CMI)) /\ (~(new_C_mfsm_state = CMR))) =>
                   C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let new_R_icr =
  ((R_icr_load) =>

   R_icr) in
let new_R_busA_latch =

  ((R_ctr0_orden) => R_ctr0_out |
   ((R_ctr1_irden) => R_ctr1_in |
   ((R_ctr1_orden) => R_ctr1_out |

   ((R_ctr2_orden) => R_ctr2_out |
   ((R_ctr3_irden) => R_ctr3_in |
   ((R_ctr3_orden) => R_ctr3_out |
   ((R_icr_rden) => new_R_icr |
   ((R_ccr_rden) => R_ccr |
   ((R_gcr_rden) => R_gcr |

let i_ad = ((new_P_fsm_state = PA) => pod31_24 |
            ((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in |
            (new_C_iad_en_s_delA \/
             ((new_C_mfsm_state = CMD1) /\ ~c_new_write /\ c_srdy_en) \/
             ((new_C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en) \/
             ((new_C_mfsm_state = CMW) /\ (C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en) \/
             ((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE))) \/
             ((new_C_sfsm_state = CSALE) /\ c_new_write) \/
             ((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR))) \/
             ((new_C_sfsm_state = CSD0) /\ c_new_write) \/
             ((new_C_sfsm_state = CSACK) /\ c_new_write)) => new_C_iad_out |
            (M_wr /\ ~(new_M_fsm_state = MI)) => M_rd_data |
            (~R_wr /\ ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD))) => new_R_busA_latch | ARB) in
let disable_writes = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSL)) /\
                      ~((ChannelID = (WORDN 0)) /\ (ELEMENT C_source (6))) /\
                      ~((ChannelID = (WORDN 1)) /\ (ELEMENT C_source (7))) /\
                      ~((ChannelID = (WORDN 2)) /\ (ELEMENT C_source (8))) /\
                      ~((ChannelID = (WORDN 3)) /\ (ELEMENT C_source (9)))) in
let i_rale_ =
  ((~(new_P_fsm_state = PH)) =>
   ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
   ~((new_C_sfsm_state = CSALE) /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 = (ALTER ARBN (0) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
                                  (new_C_sfsm_state = CSD1) |
                                  (new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1)
                                  \/ (new_C_mfsm_state = CMD1))) in
let c_cout_sel = (ALTER cout_sel0 (1) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
                                       (new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) | C_wr) in
let new_C_clkA = ClkD in
let i_last_ =
  ((~(new_P_fsm_state = PH)) =>
   (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) |
   C_last_out_) in
let new_C_last_in_ = ((reset_cport) => F |
                      ((((new_C_mfsm_state = CMABT) \/ (new_C_mfsm_state = CMD1)) /\ ClkD) => i_last_ |
                       C_last_in_)) in
let new_C_lock_in_ = ((reset_cport) => F |
                      ((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ /\ new_P_lock_inh_) |
                       C_lock_in_)) in
let new_C_ss = (((~(new_C_mfsm_state = CMABT)) /\ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
  (((new_C_sfsm_state = CSA1) /\ ~(ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => T |
   ((~(new_C_sfsm_state = CSA1) /\ (ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => F |

    ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMA1)
                     \/ (new_C_mfsm_state = CMA0) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
                      \/ (new_C_mfsm_state = CMA2)
                      \/ (c_new_write /\ ((new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)))
                      \/ (~c_new_write /\ ((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del = ((i_cale_) \/ (i_srdy_ /\ ~c_new_write)
                           \/ ((new_C_mfsm_state = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
                           \/ ((new_C_mfsm_state = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = (ClkD /\ (((new_C_mfsm_state = CMD0) /\ c_srdy /\ ~c_new_write) \/
                               ((new_C_sfsm_state = CSA0)) \/
                               ((new_C_sfsm_state = CSD0) /\ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((new_C_sfsm_state = CSALE) \/ (new_C_sfsm_state = CSD1))) \/
                        (~c_new_write /\ C_clkA /\ (new_C_sfsm_state = CSACK)) \/
                        (c_new_write /\ ClkD /\ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE)))
                          \/ ((new_C_sfsm_state = CSALE) /\ c_new_write)
                          \/ ((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
                          \/ ((new_C_sfsm_state = CSD0) /\ c_new_write) \/
                          ((new_C_sfsm_state = CSACK) /\ c_new_write)) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (new_C_mfsm_state = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (new_C_mfsm_state = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
                 \/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)
                 \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2) \/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSACK)) /\ (~(new_C_sfsm_state = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
  (((ClkD /\ c_pe /\ c_pe_cnt) /\ ~reset_error) => T |
   ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ reset_error) => F |
    ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~reset_error) => C_parity | ARB))) in
```

```
let new_C_source =
  ((reset_cport) => (WORDN 0) |
   ((ClkD /\ ((new_C_sfsm_state = CSI) \/ (new_C_sfsm_state = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
  (MALTER ARBN (31,16) ((reset_cport) => (WORDN 0) |
                        ((ClkD /\ (((new_C_mfsm_state = CMD1) /\ c_srdy /\ ~c_new_write) \/
                                   ((new_C_sfsm_state = CSA1)) \/
                                   ((new_C_sfsm_state = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
                         (SUBARRAY C_data_in (31,16))))) in
let new_C_data_in =
  (MALTER data_in31_16 (15,0) ((reset_cport) => (WORDN 0) |
                               ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
                                (SUBARRAY C_data_in (15,0))))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 =
  (((c_dfsm_master /\ C_cout_0_le_del) \/

let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ |
             (new_P_fsm_state = PD) => L_be_ | SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ =
  ((~(new_P_fsm_state = PH)) =>
   ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
   ~((new_C_sfsm_state = CSALE) /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
let new_M_addr =
  ((~i_male_) => (SUBARRAY i_ad (18,0)) |
   ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_be = ((~i_male_ \/ ~m_srdy_) => (NOTN 3 i_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =

  ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ /\ (~(new_M_fsm_state = MI)) /\ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
  ((m_error /\ ~(reset_piu \/ reset_error)) => T |
   ((~m_error /\ (reset_piu \/ reset_error)) => F |
    ((~m_error /\ ~(reset_piu \/ reset_error)) => M_parity | ARB))) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
  ((~i_rale_) => (SUBARRAY i_ad (3,0)) |
   ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_writeA = (~disable_writes /\ R_wr /\ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr /\ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB /\ ((r_reg_sel = (WORDN 8)) \/ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB /\ ((r_reg_sel = (WORDN 10)) \/ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB /\ (r_reg_sel = (WORDN 3))) => i_ad | R_ccr) in
let new_R_ccr_rden = (r_readB /\ (r_reg_sel = (WORDN 3))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
  (((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
    ~(~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => T |
   ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\
     (~(ELEMENT new_R_gcr (18)) \/ ((ELEMENT new_R_gcr (17)) /\ R_c01_cout_del))) => F |
    ((~((ELEMENT new_R_gcr (18)) /\ (r_cir_wr01B \/ (R_ctr1_cry /\ (ELEMENT new_R_gcr (16))))) /\

let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
  (((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
    ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => T |
   ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
     (~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => F |
    ((~((ELEMENT new_R_gcr (22)) /\ (r_cir_wr23B \/ (R_ctr3_cry /\ (ELEMENT new_R_gcr (20))))) /\
      ~(~(ELEMENT new_R_gcr (22)) \/ ((ELEMENT new_R_gcr (21)) /\ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB /\ (r_reg_sel = (WORDN 8))) => i_ad | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB /\ (r_reg_sel = (WORDN 8))) in

let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) /\ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB /\ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB /\ (r_reg_sel = (WORDN 9))) => i_ad | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B \/ ((ELEMENT new_R_gcr (16)) /\ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB /\ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) /\ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB /\ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB /\ (r_reg_sel = (WORDN 10))) => i_ad | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB /\ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) /\ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB /\ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB /\ (r_reg_sel = (WORDN 11))) => i_ad | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B \/ ((ELEMENT new_R_gcr (20)) /\ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB /\ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) /\ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB /\ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
let new_R_icr_mask =
  ((r_writeB /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) => i_ad | R_icr_mask) in
let new_R_icr_rden = ((new_R_fsm_state = RA) /\ ((r_reg_sel = (WORDN 0)) \/ (r_reg_sel = (WORDN 1)))) in
let r_int0_en = (((ELEMENT R_icr (0)) /\ (ELEMENT R_icr (8))) \/
                 ((ELEMENT R_icr (1)) /\ (ELEMENT R_icr (9))) \/
                 ((ELEMENT R_icr (2)) /\ (ELEMENT R_icr (10))) \/
                 ((ELEMENT R_icr (3)) /\ (ELEMENT R_icr (11))) \/
                 ((ELEMENT R_icr (4)) /\ (ELEMENT R_icr (12))) \/
                 ((ELEMENT R_icr (5)) /\ (ELEMENT R_icr (13))) \/
                 ((ELEMENT R_icr (6)) /\ (ELEMENT R_icr (14))) \/
                 ((ELEMENT R_icr (7)) /\ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) /\ (ELEMENT R_icr (24))) \/
                 ((ELEMENT R_icr (17)) /\ (ELEMENT R_icr (25))) \/
                 ((ELEMENT R_icr (18)) /\ (ELEMENT R_icr (26))) \/
                 ((ELEMENT R_icr (19)) /\ (ELEMENT R_icr (27))) \/
                 ((ELEMENT R_icr (20)) /\ (ELEMENT R_icr (28))) \/
                 ((ELEMENT R_icr (21)) /\ (ELEMENT R_icr (29))) \/
                 ((ELEMENT R_icr (22)) /\ (ELEMENT R_icr (30))) \/
                 ((ELEMENT R_icr (23)) /\ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_S_soft_shot_del = (~gcrh /\ gcrl) in
let s_soft_cnt_out =
  ((s_fsm_srs) =>
   ((gcrl /\ ~gcrh /\ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
   ((gcrl /\ ~gcrh /\ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~gcrh /\ ~gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out =
  ((s_fsm_src \/ (s_fsm_scs /\ (ELEMENT S_delay (6)))) =>
   ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
   ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
  ((s_fsm_sb /\ ~s_fsm_spmf) => T |
   ((~s_fsm_sb /\ s_fsm_spmf) => F |
    ((~s_fsm_sb /\ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
  ((s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
   ((~s_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
    ((~s_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
  ((s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
   ((~s_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
    ((~s_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
  ((s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => T |
   ((~s_fsm_sb /\ (s_fsm_spf \/ Bypass)) => F |
    ((~s_fsm_sb /\ ~(s_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn \/ s_fsm_so) /\ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn \/ s_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
  ((s_fsm_sb /\ ~s_cpu0_select) => T |
   ((~s_fsm_sb /\ s_cpu0_select) => F |
    ((~s_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
```
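Two idioms recur throughout the definitions above: the three-way conditional used for the fault and parity flags (new_C_parity, new_M_parity, new_S_pmm_fail, new_S_cpu0_fail, ...), which sets on a fault, clears on a reset, otherwise holds, and is ARB when set and clear coincide; and the paired request/mask reduction of r_int0_en and r_int3_en. The Python model below is an added illustration, not code from the report or from the PIU design. It assumes that a register is an unsigned integer with bit 0 least significant (the ELEMENT w (n) convention is assumed, not taken from the report), and it uses None for HOL's ARB; the function names sticky_flag, int_enable, fault_history and cpu_select are its own.

```python
# Added illustration of two next-state idioms in the PIU specification.
# Not code from the report; the bit-ordering convention is an assumption.

ARB = None  # stands in for the HOL value ARB (unspecified)


def element(word: int, n: int) -> bool:
    """Assumed model of ELEMENT w (n): bit n of w, bit 0 least significant."""
    return bool((word >> n) & 1)


def sticky_flag(set_cond: bool, clear_cond: bool, old):
    """Model of the conditional used for the fault/parity flags:

        (set /\ ~clear) => T |
        (~set /\ clear) => F |
        (~set /\ ~clear) => old | ARB

    A fault latches until an explicit clear (reset_piu / reset_error);
    when set and clear are asserted together the result is unspecified."""
    if set_cond and not clear_cond:
        return True
    if not set_cond and clear_cond:
        return False
    if not set_cond and not clear_cond:
        return old
    return ARB


def fault_history(events, initial=False):
    """Fold sticky_flag over (set, clear) pairs, one per clock, and return the
    flag value after each clock.  Shows that a fault seen in a single cycle
    remains visible in later cycles until cleared."""
    values, flag = [], initial
    for set_cond, clear_cond in events:
        flag = sticky_flag(set_cond, clear_cond, flag)
        values.append(flag)
    return values


def int_enable(icr: int, lo: int) -> bool:
    """Model of r_int0_en (lo = 0) and r_int3_en (lo = 16): the interrupt is
    enabled when some request bit lo+i is set together with its mask bit lo+8+i."""
    return any(element(icr, lo + i) and element(icr, lo + 8 + i) for i in range(8))


def cpu_select(fsm_sn: bool, fsm_so: bool, cpu0_fail: bool, cpu1_fail: bool):
    """Model of s_cpu0_select / s_cpu1_select: with s_fsm_sn or s_fsm_so true,
    CPU0 is selected while it has not failed; CPU1 only when CPU0 has failed
    and CPU1 has not.  Returns (cpu0_select, cpu1_select)."""
    active = fsm_sn or fsm_so
    return (active and not cpu0_fail, active and cpu0_fail and not cpu1_fail)


if __name__ == "__main__":
    # constructed event trace: idle, fault, idle, clear, idle
    print(fault_history([(False, False), (True, False), (False, False),
                         (False, True), (False, False)]))
    print(int_enable(0x0101, 0), int_enable(0x0102, 0))
    print(cpu_select(True, False, True, False))
```

The hold branch is what makes these flags useful for diagnosis: the status register assembled later from new_M_parity, new_C_parity and the S_*_fail flags reports a fault that occurred in an earlier cycle, not only one present at the moment of the read.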

```
let new_S_bad_cpu1 =
  ((s_fsm_sb /\ ~s_cpu1_select) => T |
   ((~s_fsm_sb /\ s_cpu1_select) => F |
    ((~s_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                           \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                           \/ (new_S_fsm_state = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                          \/ (new_S_fsm_state = SC1I) \/ (new_S_fsm_state = SC1F)
                          \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SSTOP)
                          \/ (new_S_fsm_state = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) \/ (new_S_fsm_state = SC0I)
                          \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
                          \/ (new_S_fsm_state = SSTOP) \/ (new_S_fsm_state = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) \/ (new_S_fsm_state = SPF)
                          \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1I)
                          \/ (new_S_fsm_state = SCS) \/ (new_S_fsm_state = SN)
                          \/ (new_S_fsm_state = SO))) in
let s_state = ss3 in
let sr28 = (ALTER ARBN (28) new_M_parity) in
let sr28_25 = (MALTER sr28 (27,25) new_C_ss) in
let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) s_state) in
let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in
let sr28_3 = (ALTER sr28_8 (3) new_S_reset_cpu1) in
let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpu0) in
let sr28_1 = (ALTER sr28_2 (1) new_S_cpu1_fail) in
let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB /\ (r_reg_sel = (WORDN 4))) in
let new_P_fsm_rst = reset_piu in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in
let new_P_fsm_hold_ = new_C_holdA_ in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = reset_cport in
let new_C_mfsm_crqt_ = (new_P_dest1 /\ new_P_rqt) in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = piu_invalid in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = reset_cport in
let new_C_sfsm_hlda_ = ~(new_P_fsm_state = PH) in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = i_cale_ in
let new_C_efsm_last_ = i_last_ in
let new_C_efsm_male_ = i_male_ in
    let new_C_efsm_rale_= i_rale_in
    let new_C_efsm_srdy_ = i_srdy_ in
    let new_C_efsm_rst = reset_cport in
    let new_M_fsm_male_ = i_male_ in
    let new_M_fsm_last_ = i_last_ in
    let new_M_fsm_mrdy_= ((~)P_fsm_state = PH)) => F|C_mrdy_del_) in
    let new_M_fsm_rst = reset_piu in
    let new_R_fsm_ale_= i_rale_ in
    let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F|C_mrdy_del_) in
    let new_R_fsm_last_= i_last_ in
    let new_R_fsm_rst = reset_piu in
    let new_S_fsm_rst = Rst in
    let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
    let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) I (ELEMENT s_delay_out (17))) in
    let new_S_fsm_bothbad = (new_S_cpu0_fail ^ new_S_cpul_fail) in
    let new_S_fsm_bypass = Bypass in
    (new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
    new_P_fsm_cgnt, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
    new_P_male_, new_P_rale_,
    new_C_mfsm_state, new_C_mfsm_D, new_C_mfsm_rst, new_C_mfsm_crqt_, new_C_mfsm_hold_, new_C_mfsm_ss,
    new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_rst, new_C_sfsm_hlda_, new_C_sfsm_ms,
    new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_,new_C_efsm_srdy_,
    new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_last_in_, new_C_lock_in_, new_C_ss,
    new_C_last_out,, new_C_hold_, new_C_holdA_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_,
    new_C_iad_en_s_del, new_C_iad_en_s_delA, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in,
    new_C_iad_out, new_C_iad_in, new_C_ala0, new_C_a3a2,
    new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count,
    new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data,
    new_M_detect.
    new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in,
    new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out,
    new_R_ctr0_orden, new_R_ctrl_in, new_R_ctrl_mux_sel, new_R_ctrl, new_R_ctrl_irden, new_R_ctrl_new,
    new_R_ctrl_cry,
    new_R_ctrl_out, new_R_ctrl_orden, new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden,
    new_R_ctr2_new,
    new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3,
    new_R_ctr3_irden,
    new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load, new_R_icr_old,
    new_R_icr_mask,
    new_R_icr_rden, new_R_icr, new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden,
    new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
    new_R_wr,
    new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch,
    new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
    new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1,
    new_S_reset_cpu0, new_S_reset_cpul, new_S_cpu_hist, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpul_fail,
    new_S_piu_fail)"
);;
%
    Ouqut definition for EXEC instruction.
```
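The startup and fault-handling machine S_fsm is used in both definitions: piuEXEC above only samples its new state (ss1 to ss3, reset_piu), while piuEXEC_out below gives its next-state function new_S_fsm_state. The Python below is an added executable check, not code from the report or from the PIU project: it transcribes that next-state function together with reset_piu and reset_cport, walks the power-up sequence, and records which states release reset_piu. By assumption, S_fsm_delay6 and S_fsm_delay17 are modelled as "waited at least 6 or 17 ticks in the current state" instead of as bits of the s_delay counter.

```python
"""Executable model of the PIU startup state machine S_fsm (added example).

Transcribed from new_S_fsm_state, reset_piu and reset_cport in piuEXEC_out.
Assumption (not from the report): S_fsm_delay6 / S_fsm_delay17 are modelled
as "waited at least 6 / 17 ticks in the current state" rather than as bits
of the s_delay counter, so the walk below terminates without that counter.
"""

STATES = ("SSTART", "SRA", "SPF", "SC0I", "SC0F", "ST", "SC1I", "SC1F",
          "SS", "SSTOP", "SCS", "SN", "SO", "S_ILL")


def s_next(state, rst, delay6, delay17, bothbad, bypass):
    """Direct transcription of the HOL conditional chain for new_S_fsm_state."""
    if rst:
        return "SSTART"
    if state == "SSTART":
        return "SRA"
    if state == "SRA":                       # wait, then bypass self-test or not
        return ("SO" if bypass else "SPF") if delay6 else "SRA"
    if state == "SPF":
        return "SC0I"
    if state == "SC0I":                      # CPU0 self-test window
        return "SC0F" if delay17 else "SC0I"
    if state == "SC0F":
        return "ST"
    if state == "ST":
        return "SC1I"
    if state == "SC1I":                      # CPU1 self-test window
        return "SC1F" if delay17 else "SC1I"
    if state == "SC1F":
        return "SS"
    if state == "SS":                        # both CPUs failed => park in SSTOP
        return "SSTOP" if bothbad else "SCS"
    if state == "SSTOP":
        return "SSTOP"
    if state == "SCS":
        return "SN" if delay6 else "SCS"
    if state == "SN":
        return "SO" if delay17 else "SN"
    if state == "SO":
        return "SO"
    return "S_ILL"


def reset_piu(new_state):
    """reset_piu as defined in piuEXEC_out: asserted in these new states."""
    return new_state in ("SSTART", "SRA", "SC0F", "ST", "SC1F", "SS", "SCS")


def reset_cport(new_state, old_state):
    """reset_cport as defined in piuEXEC_out (new vs. current S_fsm state)."""
    return (new_state != "SO" and old_state != "SSTOP") or old_state == "SRA"


def run_startup(bothbad=False, bypass=False, max_ticks=200):
    """Simulate from the reset tick; return (states visited, states with reset_piu released)."""
    state = "SSTART"            # value reached on the tick where S_fsm_rst was true
    ticks_in_state = 0
    visited = [state]
    released = set()
    for _ in range(max_ticks):
        delay6 = ticks_in_state >= 6        # assumption, see module docstring
        delay17 = ticks_in_state >= 17
        new = s_next(state, False, delay6, delay17, bothbad, bypass)
        if not reset_piu(new):
            released.add(new)
        ticks_in_state = ticks_in_state + 1 if new == state else 0
        if new != state:
            visited.append(new)
        state = new
        if state in ("SO", "SSTOP"):         # both are absorbing in the spec
            break
    return visited, sorted(released)


if __name__ == "__main__":
    for kwargs in ({}, {"bothbad": True}, {"bypass": True}):
        path, released = run_startup(**kwargs)
        print(kwargs, "->", " ".join(path), "| reset_piu released in:", released)
```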

```
let piuEXEC_out_def = new_definition
('piuEXEC_out',
 "! (rep:^rep_ty)
    (P_fsm_state :pfsm_ty)
    (P_addr P_be_ P_size :wordn)
    (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
     P_lock_inh_ P_male_ P_rale_ :bool)
    (C_mfsm_state :cmfsm_ty) (C_sfsm_state :csfsm_ty) (C_efsm_state :cefsm_ty)
    (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
    (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
     C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
     C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
     C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
    (M_fsm_state :mfsm_ty)
    (M_count M_addr M_be M_rd_data M_detect :wordn)
    (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
    (R_fsm_state :rfsm_ty)
    (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2 R_ctr2_new
     R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr
     R_reg_sel R_busA_latch :wordn)
    (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
     R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
     R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
     R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
    (S_fsm_state :sfsm_ty)
    (S_soft_cnt S_delay :wordn)
    (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
     S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
    (L_ad_in L_be_ :wordn)
    (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)
    (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
    (ClkD :bool)
    (MB_data_in :wordn)
    (Edac_en_ :bool)
    (Bypass Test Failure0_ Failure1_ :bool).
  piuEXEC_out rep
   (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
    P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
    C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
    C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
    C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
    C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
    C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
    M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
    M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
    R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
    R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
    R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
    R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
    R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
    R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
    R_sr, R_sr_rden, R_int0_dis,
    R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
    R_reg_sel, R_busA_latch,
    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del,
    S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail,
    S_cpu0_fail, S_cpu1_fail, S_piu_fail)
   (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
    CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
    MB_data_in, Edac_en_,
    Bypass, Test, Failure0_, Failure1_) =
```
```
let new_P_fsm_state =
    ((P_fsm_rst) => PA |
    ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
    ((P_fsm_state = PA) =>
        (((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
         ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
    ((P_fsm_state = PD) =>
        (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
         ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | (P_ILL))))) in
let c_write = (((~(C_mfsm_state = CMI)) /\ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) /\ ~(ELEMENT CB_rqt_in_ (0)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 1)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                          /\ (ELEMENT CB_rqt_in_ (1)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 2)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                          /\ (ELEMENT CB_rqt_in_ (1))
                                          /\ (ELEMENT CB_rqt_in_ (2)))
    \/ (((SUBARRAY Id (1,0)) = (WORDN 3)) /\ ~(ELEMENT CB_rqt_in_ (0))
                                          /\ (ELEMENT CB_rqt_in_ (1))
                                          /\ (ELEMENT CB_rqt_in_ (2))
                                          /\ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let new_C_mfsm_state =
    ((C_mfsm_rst) => CMI |
    ((C_mfsm_state = CMI) =>
        ((C_mfsm_D /\ ~C_mfsm_crqt_ /\ ~c_busy /\ ~C_mfsm_invalid) => CMR | CMI) |
    ((C_mfsm_state = CMR) => ((C_mfsm_D /\ c_grant /\ C_mfsm_hold_) => CMA3 | CMR) |
    ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
    ((C_mfsm_state = CMA1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1) |
    ((C_mfsm_state = CMA0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMA2 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0) |
    ((C_mfsm_state = CMA2) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2) |
    ((C_mfsm_state = CMD1) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY)) => CMD0 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1) |
    ((C_mfsm_state = CMD0) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ C_last_in_) => CMD1 |
         (C_mfsm_D /\ (C_mfsm_ss = ^SRDY) /\ ~C_last_in_) => CMW |
         (C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0) |
    ((C_mfsm_state = CMW) =>
        ((C_mfsm_D /\ (C_mfsm_ss = ^SABORT)) => CMABT |
         (C_mfsm_D /\ (C_mfsm_ss = ^SACK) /\ C_lock_in_) => CMI |

        ((~C_last_in_) => CMI | CMABT)))))))))))) in
let new_C_sfsm_state =
    ((C_sfsm_rst) => CSI |
    ((C_sfsm_state = CSI) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 | CSI) |
    ((C_sfsm_state = CSL) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ c_addressed) => CSA1 |
         (C_sfsm_D /\ (C_sfsm_ms = ^MSTART) /\ ~c_grant /\ ~c_addressed) => CSI |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
    ((C_sfsm_state = CSA1) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSA0 |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
    ((C_sfsm_state = CSA0) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
         (C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ C_sfsm_hlda_) => CSA0W |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
    ((C_sfsm_state = CSA0W) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY) /\ ~C_sfsm_hlda_) => CSALE |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
    ((C_sfsm_state = CSALE) =>
        ((C_sfsm_D /\ c_write /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
         (C_sfsm_D /\ ~c_write /\ (C_sfsm_ms = ^MRDY)) => CSRR |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
    ((C_sfsm_state = CSRR) =>
        ((C_sfsm_D /\ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
    ((C_sfsm_state = CSD1) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD0 |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
    ((C_sfsm_state = CSD0) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MEND)) => CSACK |
         (C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSD1 |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
    ((C_sfsm_state = CSACK) =>
        ((C_sfsm_D /\ (C_sfsm_ms = ^MRDY)) => CSL |
         (C_sfsm_D /\ (C_sfsm_ms = ^MWAIT)) => CSI |
         (C_sfsm_D /\ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
    ((C_sfsm_D) => CSI | CSABT)))))))))))) in
let new_C_efsm_state =
    ((C_efsm_rst) => CEI |
    ((C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
    (((~C_efsm_last_ /\ ~C_efsm_srdy_) \/ ~C_efsm_male_ \/ ~C_efsm_rale_) => CEI | CEE))) in
let m_bw = ((~(M_be = (WORDN 15))) /\ M_wr /\ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) /\ M_wr /\ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
    ((M_fsm_rst) => MI |
    ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
    ((M_fsm_state = MA) =>
        ((~M_fsm_mrdy_ /\ m_ww) => MW |

    ((M_fsm_state = MR) =>

        ((M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MA |
         (~M_fsm_last_ /\ ~M_wr /\ (~(M_fsm_state = MI)) /\ (M_count = (WORDN 0))) => MRR | MR) |
    ((M_fsm_state = MRR) => MI |
    ((M_fsm_state = MW) =>
        ((~M_fsm_last_ /\ (M_count = (WORDN 0))) => MI |
         (M_fsm_last_ /\ (M_count = (WORDN 0))) => MA | MW) |
    ((M_fsm_state = MBW) => MW | (M_ILL))))))) in
let new_R_fsm_state =
    ((R_fsm_rst) => RI |
    ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
    ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
    ((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) /\ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) /\ ~R_fsm_mrdy_) in
let new_S_fsm_state =
    ((S_fsm_rst) => SSTART |
    ((S_fsm_state = SSTART) => SRA |
    ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
    ((S_fsm_state = SPF) => SC0I |
    ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
    ((S_fsm_state = SC0F) => ST |
    ((S_fsm_state = ST) => SC1I |
    ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
    ((S_fsm_state = SC1F) => SS |
    ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
    ((S_fsm_state = SSTOP) => SSTOP |
    ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
    ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
    ((S_fsm_state = SO) => SO | (S_ILL)))))))))))))) in
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let reset_cport = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
let reset_piu = ((new_S_fsm_state = SSTART) \/ (new_S_fsm_state = SRA)
    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST)
    \/ (new_S_fsm_state = SC1F) \/ (new_S_fsm_state = SS) \/ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) /\ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) /\ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6)
    \/ (new_S_fsm_state = SC0F) \/ (new_S_fsm_state = ST) \/ (new_S_fsm_state = SC1F)
```

```
    \/ (new_S_fsm_state = SS) \/ ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
let s_fsm_sec = ((((~(new_S_fsm_state = SSTOP)) /\ (~(new_S_fsm_state = SO))) \/ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
    ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
    ((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ = ~((new_C_mfsm_state = CMA3) /\ (new_P_fsm_state = PA) /\ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) \/ (C_efsm_state = CEE)) in
let new_M_count =
    (((new_M_fsm_state = MA) \/ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
    (((new_M_fsm_state = MW) \/ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) /\ (new_M_count = (WORDN 0)))
    \/ ((new_M_fsm_state = MR) /\ (new_M_count = (WORDN 0)) /\ ~M_wr)) in
let m_srdy_ = ~((M_rdy /\ ~M_wr) \/ (m_rdy /\ M_wr)) in
let i_srdy_ = ((~i_cale_ \/ c_srdy_en) => ~(C_wrdy \/ C_rrdy \/ (new_C_mfsm_state = CMABT)) |
    (new_M_fsm_state = MI) => m_srdy_ |
    ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD)) => ~((R_fsm_state = RA) /\ (new_R_fsm_state = RD)) |
    ARB) in
let p_ale = (~L_ads_ /\ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_rqt =
    ((p_ale /\ ~(p_sack \/ reset_piu)) => T |
    ((~p_ale /\ (p_sack \/ reset_piu)) => F |
    ((~p_ale /\ ~(p_sack \/ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ /\ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
let new_P_lock_ =
    ((reset_piu) => T |
    ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
    ((reset_piu) => T |
    ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) |
    (((new_C_sfsm_state = CSA0) /\ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(new_C_mfsm_state = CMI)) /\ (~(new_C_mfsm_state = CMR))) =>
    C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let new_R_icr =
    ((R_icr_load) =>
        ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) | (Orn rep (R_icr_old, R_icr_mask))) |
    R_icr) in
let new_R_busA_latch =
    ((R_ctr0_irden) => R_ctr0_in |
    ((R_ctr0_orden) => R_ctr0_out |
    ((R_ctr1_irden) => R_ctr1_in |
    ((R_ctr1_orden) => R_ctr1_out |
    ((R_ctr2_irden) => R_ctr2_in |
    ((R_ctr2_orden) => R_ctr2_out |
    ((R_ctr3_irden) => R_ctr3_in |
    ((R_ctr3_orden) => R_ctr3_out |
    ((R_icr_rden) => new_R_icr |
    ((R_ccr_rden) => R_ccr |
    ((R_gcr_rden) => R_gcr |
    ((R_sr_rden) => R_sr | ARB)))))))))))) in
let i_ad = ((new_P_fsm_state = PA) => pod31_24 |
    ((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in |
    (new_C_iad_en_s_delA \/
     ((new_C_mfsm_state = CMD1) /\ ~c_new_write /\ c_srdy_en) \/
     ((new_C_mfsm_state = CMD0) /\ ~c_new_write /\ c_srdy_en) \/
     ((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE))) \/
     ((new_C_sfsm_state = CSALE) /\ c_new_write) \/
     ((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR))) \/
     ((new_C_sfsm_state = CSD0) /\ c_new_write) \/
     ((new_C_sfsm_state = CSACK) /\ c_new_write)) => new_C_iad_out |
    (M_wr /\ ~(new_M_fsm_state = MI)) => M_rd_data |
    (~R_wr /\ ((new_R_fsm_state = RA) \/ (new_R_fsm_state = RD))) => new_R_busA_latch | ARB) in
let disable_writes = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSL)) /\
    ~((ChannelID = (WORDN 0)) /\ (ELEMENT C_source (6))) /\
    ~((ChannelID = (WORDN 1)) /\ (ELEMENT C_source (7))) /\
    ~((ChannelID = (WORDN 2)) /\ (ELEMENT C_source (8))) /\
    ~((ChannelID = (WORDN 3)) /\ (ELEMENT C_source (9)))) in
let i_rale_ =
    ((~(new_P_fsm_state = PH)) =>
     ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
     ~((new_C_sfsm_state = CSALE) /\ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) /\ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes /\ new_R_wr /\ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr /\ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB /\ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB /\ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 = (ALTER ARBN (0) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
                                   (new_C_sfsm_state = CSD1) |
                                   ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1)
                                    \/ (new_C_mfsm_state = CMD1)))) in
let c_cout_sel = (ALTER cout_sel0 (1) (((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)) =>
                                   F |
                                   ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2)))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
```

```
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) | C_wr) in
let new_C_clkA = ClkD in
let i_last_ =
    ((~(new_P_fsm_state = PH)) =>
     (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) |
     C_last_out_) in
let new_C_last_in_ = ((reset_cport) => F |

    C_last_in_)) in
let new_C_lock_in_ = ((reset_cport) => F |
    ((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ /\ new_P_lock_inh_) |
    C_lock_in_)) in
let new_C_ss = (((~(new_C_mfsm_state = CMABT)) /\ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
    (((new_C_sfsm_state = CSA1) /\ ~(ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => T |
    (((~(new_C_sfsm_state = CSA1)) /\ (ClkD /\ ((CB_ms_in = ^MEND) \/ (CB_ms_in = ^MABORT)))) => F |

    ARB)) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMA1)
    \/ (new_C_mfsm_state = CMA0) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
    \/ (new_C_mfsm_state = CMA2)
    \/ (c_new_write /\ ((new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)))
    \/ (~c_new_write /\ ((new_C_sfsm_state = CSD1) \/ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del = ((i_cale_) \/ (i_srdy_ /\ ~c_new_write)
    \/ ((new_C_mfsm_state = CMA0) /\ c_srdy /\ c_new_write /\ ClkD)
    \/ ((new_C_mfsm_state = CMD0) /\ c_new_write /\ c_srdy /\ ClkD)) in
let new_C_cin_2_le = (ClkD /\ (((new_C_mfsm_state = CMD0) /\ c_srdy /\ ~c_new_write) \/
    ((new_C_sfsm_state = CSA0)) \/
    ((new_C_sfsm_state = CSD0) /\ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write /\ ClkD /\ ((new_C_sfsm_state = CSALE) \/ (new_C_sfsm_state = CSD1))) \/
    (~c_new_write /\ C_clkA /\ (new_C_sfsm_state = CSACK)) \/
    (c_new_write /\ ClkD /\ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) /\ (~(C_sfsm_state = CSALE)))
    \/ ((new_C_sfsm_state = CSALE) /\ c_new_write)
    \/ ((new_C_sfsm_state = CSD1) /\ c_new_write /\ (~(C_sfsm_state = CSRR)))
    \/ ((new_C_sfsm_state = CSD0) /\ c_new_write)
    \/ ((new_C_sfsm_state = CSACK) /\ c_new_write)) in
let new_C_wrdy = (c_srdy /\ c_new_write /\ (new_C_mfsm_state = CMD1) /\ ClkD) in
let new_C_rrdy = (c_srdy /\ ~c_new_write /\ (new_C_mfsm_state = CMD0) /\ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((new_C_mfsm_state = CMA3) \/ (new_C_mfsm_state = CMA1) \/ (new_C_mfsm_state = CMA0)
    \/ (new_C_mfsm_state = CMA2) \/ (new_C_mfsm_state = CMD1) \/ (new_C_mfsm_state = CMD0)
    \/ (C_mfsm_state = CMA1) \/ (C_mfsm_state = CMA0) \/ (C_mfsm_state = CMA2)
    \/ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(new_C_sfsm_state = CSI)) /\ (~(new_C_sfsm_state = CSACK)) /\ (~(new_C_sfsm_state = CSABT))) in
let c_pe_cnt = (ClkD /\ ((~(c_mparity = c_sparity)) \/ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
    (((ClkD /\ c_pe /\ c_pe_cnt) /\ ~reset_error) => T |
    ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ reset_error) => F |
    ((~(ClkD /\ c_pe /\ c_pe_cnt) /\ ~reset_error) => C_parity | ARB))) in
let new_C_source =
    ((reset_cport) => (WORDN 0) |
    ((ClkD /\ ((new_C_sfsm_state = CSI) \/ (new_C_sfsm_state = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
    (MALTER ARBN (31,16) ((reset_cport) => (WORDN 0) |
        ((ClkD /\ (((new_C_mfsm_state = CMD1) /\ c_srdy /\ ~c_new_write) \/
                   ((new_C_sfsm_state = CSA1)) \/
                   ((new_C_sfsm_state = CSD1) /\ c_new_write))) => Par_Dec rep (CB_ad_in) |
        (SUBARRAY C_data_in (31,16))))) in
let new_C_data_in =
    (MALTER data_in31_16 (15,0) ((reset_cport) => (WORDN 0) |
        ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
        (SUBARRAY C_data_in (15,0))))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 =
    (((c_dfsm_master /\ C_cout_0_le_del) \/
      (~c_dfsm_master /\ C_clkA /\ (new_C_sfsm_state = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ |
    (new_P_fsm_state = PD) => L_be_ | SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ =
    ((~(new_P_fsm_state = PH)) =>
     ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA) /\ new_P_rqt) |
     ~((new_C_sfsm_state = CSALE) /\ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) /\ C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
```
let new_M_addr =
( $(\sim$ i_male_) $\Rightarrow$ (SUBARRAY i_ad $(18,0))$ )
((M_rdy) $\Rightarrow$ ( (NCN 18 M_addr) $\mid M_{-}$addr) $)$in
let new_M_be $=\left(\left(\sim i \_m a l e \_V \sim m_{-} s r d y \_\right) \Rightarrow\right.$ (NOTN 3 i_be_) 1 M_be) in
let new_M_rdy $=m_{\text {_ }}$ rdy in
let new_M_wwdel $=\left(\left(n e w \_M \_f s m_{-} s t a t e=M A\right) \wedge n e w \_M \_w r \wedge\left(n e w \_M \_b e=(W O R D N 15)\right)\right)$ in let new_M_rd_data $=\left(((\right.$ new_M_fsm_state $=\mathbf{M R}))=>($ Ham_Dec rep MB_data_in $) \mid M_{-}$rd_data $)$in let new_M_detect =
$\left(((\right.$ new_M_fsm_state $=M R) \wedge$-new_M_wr $\left.) V n e w_{-} M_{-} w T V\left(n e w_{-} M_{-} f s m_{-} s t a t e=M I\right)\right) \Rightarrow$ ( $(-$ Edac_en_) $\Rightarrow$ (Ham_Detl rep MB_data_in) I WORDN 0 ) | M_detect) in
let $\mathrm{m}_{-}$error $=\left(\sim \mathrm{m}_{\_}\right.$srdy_ $\wedge(\sim($ new_M_fsm_state $=\mathbf{M I})) \wedge$ Ham_Det2 rep $($ new_M_detect, $\sim$ Edac_en_) $)$ in
let new_M_parity =
$\left(\left(m_{-}\right.\right.$error $\wedge$-(reset_piu $\vee$ reset_error) $)=>T \mid$
$\left(\left(\sim \mathrm{m}_{-}\right.\right.$error $\wedge$ (reset_piu $\vee$ reset_error) ) $=>$ F
$\left(\left(\sim \mathrm{m}_{\text {_error }} \wedge \sim(\right.\right.$ reset_piu $\vee$ reset_error $\left.)\right) \Rightarrow \mathrm{M}_{\text {_parity }} \mid$ ARB $\left.)\right)$ ) in
let new_R_cotlatch_del $=$ r_fsm_cntatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
( $($ i_rale_) $\Rightarrow$ (SUBARRAY i_ad ( 3,0$)$ ) I
( ( $\sim$ R_srdy_del_) $=>$ (INCN 3 R_reg_sel) $\mid$ R_reg_sel) ) in
let $r_{-}$write $A=\left(-\right.$ disable_writes $\wedge R_{-} w r \wedge(n e w)_{-} R_{-}$fsm_state $\left.=R D\right)$ ) in
let r_read $A=\left(-R_{-} w r \wedge\right.$ (new_R_fsm_state $\left.=R A\right)$ ) in
let $r_{-} c i r_{-} w r 01 A=\left(\left(r_{-} w r i t e A \wedge\left(\left(r_{-} r e g_{-} s e l=(\right.\right.\right.\right.$ WORDN 8$\left.)\right) \vee\left(r_{-} r e q_{-} s e l=(\right.$ WORDN 9$\left.\left.\left.\left.)\right)\right)\right)\right)$ in
let $r_{-}$cir_wr01B $=\left(\left(r_{-} w r i t e B \wedge\left(\left(r_{\_} r e g_{\_} s e l=(\right.\right.\right.\right.$ WORDN 8$\left.)\right) \vee\left(r_{\_}\right.$reg_sel = (WORDN 9$\left.\left.\left.\left.)\right)\right)\right)\right)$ in
let r_cir_wr23A $=\left(\left(r_{-} w r i t e A \wedge\left(\left(r_{\_} r e g_{-} s e l=(W O R D N 10)\right) \vee\left(r_{\_}\right.\right.\right.\right.$reg_sel $=($WORDN 11$\left.\left.\left.\left.)\right)\right)\right)\right)$ in
let r_cir_wr23B $=\left(\left(r_{-} w r i t e B \wedge\left(\left(r_{-} r e g_{-} s e l=(\right.\right.\right.\right.$ WORDN 10 $\left.)\right) \vee\left(r_{-}\right.$reg_sel $=($WORDN 11$\left.\left.\left.\left.)\right)\right)\right)\right)$ in
let new_R_ccr = ((r_writeB $\wedge\left(r_{-}\right.$reg_sel =(WORDN 3))) $\left.\Rightarrow>i_{\text {_ad }} \mid R_{-} c c r\right)$ in
let new_R_ccr_rden $=\left(r_{-}\right.$readB $\wedge\left(r_{-}\right.$reg_sel $=($WORDN 3$\left.\left.)\right)\right)$ in
let new_R_cO1_cout_del $=$ R_ctrl_cry in
let new_R_int1_en =
$\left(\left(\left(\right.\right.\right.$ ELEMENT new_R_gcr (18)) $\wedge\left(r_{-} c i r \_w r 01 B \vee\left(R \_c t 1 \_c r y ~ \wedge(E L E M E N T\right.\right.$ new_R_gcr (16))))) $\wedge$
$-\left(\sim\left(E L E M E N T\right.\right.$ new_R_gcr (18)) $\vee\left(\left(E L E M E N T\right.\right.$ new_R_gcr (17)) $\left.\left.\left.\wedge R \_c 01 \_c o u t \_d e l\right)\right)\right) \Rightarrow T \mid$
$\left(\left(\sim\left(\right.\right.\right.$ ELEMENT new_R_gcr (18)) $\wedge\left(r_{\text {_cir_wr01B }} \vee(\right.$ R_ctrl_cry $\wedge(E L E M E N T$ new_R_gcr (16)))) $) \wedge$
$\left(\sim\left(E L E M E N T\right.\right.$ new_R_gcr (18)) $\vee\left(\left(E L E M E N T\right.\right.$ new_R_gcr (17)) $\wedge R_{\mathbf{c}} c 01 \_$cout_del) $\left.)\right)=>$F 1
$\left(\left(\sim(E L E M E N T\right.\right.$ new_R_gcr (18)) $)\left(r_{-} c i r_{-} w r 01 B \vee\left(R_{-} c t r 1 \_c r y ~ \wedge(E L E M E N T\right.\right.$ new_R_gcr (16)) )) $) \wedge$
 let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
$\left(\left(\left(\right.\right.\right.$ ELEMENT new_R_ger (22)) $\left.\wedge\left(r_{-} c i r \_w r 23 B V\left(R_{-} c t r 3 \_c r y ~ \wedge\left(E L E M E N T ~ n e w \_R \_g c r(20)\right)\right)\right)\right) \wedge$
$\sim\left(\sim(E L E M E N T\right.$ new_R_gcr (22)) $)\left(\right.$ (ELEMENT new_R_gcr (21)) $\left.\left.\left.\wedge R \_c 23 \_c o u t \_d e l\right)\right)\right) \Rightarrow$ T
$\left(\left(-\left(\left(E L E M E N T\right.\right.\right.\right.$ new_R_gcr (22)) $\wedge\left(r_{-}\right.$cir_wr23B $\vee($ R_ctr3_cry $\wedge(E L E M E N T$ new_R_gcr (20))))) $\wedge$
$\left(-\left(E L E M E N T\right.\right.$ new_R_gcr (22)) $\vee\left(\left(E L E M E N T\right.\right.$ new_R_gcr (21)) $\wedge R_{-} c 23 \_$cout_del) $\left.)\right)=>$Fl
$\left(\left(-\left(\left(E L E M E N T\right.\right.\right.\right.$ new_R_gcr (22)) $\wedge\left(r_{\text {_cir_wr23B }} \vee\left(R_{\text {_ctr3_cry }} \wedge(E L E M E N T\right.\right.$ new_R_gcr (20)) )) $) \wedge$
$\sim\left(\sim\left(E L E M E N T\right.\right.$ new_R_gcr (22)) $\vee\left(\left(E L E M E N T\right.\right.$ new_R_gcr (21)) $\left.\left.\left.\wedge R_{\_} c 23 \_c o u t \_d e l\right)\right)\right)=>R_{\_}$int2_en $\left.\left.\mid A R B\right)\right)$ in
let new_R_ctro_in $=\left(\left(r_{-} w r i t e B \wedge\left(r_{-}\right.\right.\right.$reg_sel $=($WORDN 8) $\left.)\right)=>$i_ad $\mid R_{\text {_ }}$ ctr0_in $)$ in
let new_R_ctro_mux_sel $=\left(r_{-}\right.$cir_wrolB $V\left(\left(E L E M E N T\right.\right.$ new_ $\left.\left.\left.R_{-} \quad g c r(16)\right) \wedge R_{-} c t r l_{-} c r y\right)\right)$ in
let new_R_ctro_irden =(r_readB $\wedge\left(r_{-}\right.$reg_sel = (WORDN 8))) in
let new_R_ctro $=($ (R_ctro_mux_sel $)=>$ R_ctro_in R_ctro_new) in
let new_R_ctro_new $=(((E L E M E N T$ new_R_ger (19))) $)=($ (NCN 31 R_ctro $) \mid$ R_ctr0) in
let new_R_ctro_cry $=(($ ONES 31 R_ctro) $\wedge$ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out $=\left(\left(r_{-} f\right.\right.$ fm_cntlatch $)=>R_{-}$ctro_new $\mid R_{-}$ctro_out $)$in
let new_R_ctro_orden $=\left(r_{-}\right.$readB $\wedge\left(r_{\text {_reg_sel }}=(\right.$ WORDN 12) $\left.)\right)$ in
let new_R_ctr1_in $=\left(\left(r_{\_} w r i t e B \wedge\left(r_{-} r e g_{-} s e l=(\right.\right.\right.$ WORDN 9$\left.\left.)\right)\right)=>$ i_ad $\left.\mid R_{-} c t r 1 \_i n\right)$ in
let new_R_ctrl_mux_sel =(r_cir_wrol B V ((ELEMENT new_R_gcr (16)) $\wedge R_{-}$ctrl_cry)) in
let new_R_ctrl_irden $=\left(r_{-}\right.$readB $\wedge\left(r_{-}\right.$reg_sel $=($WORDN 9) $)$) in
let new_R_ctrl $=\left(\left(R_{-} c t r 1 \_m u x \_s e l\right)=>R_{-} c t r l_{-}\right.$in $\left.\mid R_{-} c t r 1 \_n e w\right)$ in
let new_R_ctr1_new $=\left(\left(R_{-} \operatorname{ctr} 0\right.\right.$ _cry $)=>\left(\operatorname{INCN} 31 R_{-}\right.$ctr1 $\left.) \mid R_{\text {_ctr }}\right)$ in
let new_R_ctr1_cry $=\left((\right.$ ONES 31 R_ctr1) $) R_{\text {_ctro_cry }}$ in
let new_R_ctr1_out $=\left(\left(R_{-}\right.\right.$cntlatch_del $)=>R_{-}$ctr1_new $\mid R_{-} c t r l_{1}$ out $)$ in
let new_R_ctr1_orden $=\left(r_{-}\right.$readB $\wedge\left(r_{-} r e g \_\right.$sel $=($WORDN 13) $)$in
let new_R_ctr2_in = ((r_writeB $\wedge$ (r_reg_sel $=($ WORDN 10) $))=>$ i_ad $\left.\mid R_{-} c t r 2 \_i n\right)$ in
let new_R_ctr2_mux_sel = ((r_cir_wr23B V (ELEMENT new_R_ger (20)) $\wedge R_{-}$ctr3_cry)) in
let new_R_ctr2_irden $=\left(r_{\text {_readB }} \wedge\left(r_{\_}\right.\right.$reg_sel $=($WORDN 10 $\left.)\right)$) in
let new_R_ctr2 $=\left(\left(R_{-}\right.\right.$ctr2_mux_sel $)=>$R_ctr2_in R_ctr2_new) in
let new_R_ctr2_new $=(((E L E M E N T$ new_R_gcr (23))) $\Rightarrow$ (INCN 31 R_ctr2) $\mid$ R_ctr2) in
let new_R_ctr2_cry $=(($ ONES 31 R_ctr2) $\wedge$ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out $=\left(\left(r_{-}\right.\right.$fsm_cntlatch $)=>R_{-} c t r 2 \_n e w \mid R_{-} c t r 2 \_$out $)$in
let new_R_ctr2_orden $=\left(r_{-}\right.$readB $\wedge\left(r_{-}\right.$reg_sel $=($WORDN 14$\left.\left.)\right)\right)$ in
let new_R_ctr3_in = ((r_writeB $\wedge$ (r_reg_sel =(WORDN 11))) $=>$ i_ad $/ R_{-}$ctr3_in) in
let new_R_ctr3_mux_sel $=\left(\left(r_{-} c i r_{-} w r 23 B V\left(\left(E L E M E N T\right.\right.\right.\right.$ new_R_gcr (20)) $\left.\left.\left.\wedge R_{-} c t r 3 \_c r y\right)\right)\right)$ in
let new_R_ctr3_irden $=\left(r_{-} r e a d B \wedge\left(r_{-}\right.\right.$reg_sel $=($WORDN 11 $\left.)\right)$in
let new_R_ctr3 = ( (R_ctr3_mux_sel) $\Rightarrow$ > R_ctr3_in $\mid R_{\text {_ }} c t r 3 \_$new $)$in
let new_R_ctr3_new $=($ (R_ctr2_cry $\left.) \Rightarrow\left(\operatorname{INCN} 31 R_{-} c t r 3\right) \mid R \_c t 3\right)$ in
let new_R_ctr3_cry $=\left((\right.$ ONES 31 R_ctr3 $\left.) \wedge R_{1} c t r 3 \_c r y\right) ~ i n ~$
let new_R_ctr3_out $=(($ R_cntlatch_del $)=>$ R_ctr3_new $\mid$ R_ctr3_out $)$ in
let new_R_ctr3_orden $=\left(r_{\text {_readB }} \wedge\left(r_{\text {_reg_sel }}=(\right.\right.$ WORDN 15$\left.\left.)\right)\right)$ in
let new_R_icr_load $=\left(r_{-}\right.$writeB $\wedge\left(\left(r_{\_}\right.\right.$reg_sel $=($WORDN 0$\left.)\right) \vee\left(\right.$ r_reg_sel $^{\prime}=($ WORDN 1$\left.\left.)\right)\right)$ in let new_R_icr_old =

let new_R_icr_mask =

let new_R_icr_rden $=\left((\right.$ new_R_fsm_state $=$ RA $) \wedge\left(\left(r_{-}\right.\right.$reg_sel $=($WORDN 0$\left.)\right) V\left(r_{\_}\right.$reg_sel $=($WORDN 1$\left.\left.)\right)\right)$ in let $r_{-}$int0_en $=\left(\left(\left(\right.\right.\right.$ELEMENT $R_{-}$icr ( 0$\left.)\right) \wedge($ ELEMENT R_icr (8)) $) \vee$
$(($ ELEMENT R_icr (1)) $\wedge($ ELEMENT R_icr (9) )) $\vee$

```
((ELEMENT R_icr (2)) ^(ELEMENT R_icr (10))) \
((ELEMENT R_icr (3)) }\wedge\mathrm{ (ELEMENT R_icr (11))) V
((ELEMENT R_icr (4)) ^(ELEMENT R_icr (12))) }
((ELEMENT R_icr (5)) ^(ELEMENT R_icr (13))) V
((ELEMENT R_icr (6)) }\wedge(ELEMENT R_icr (14))) V
((ELEMENT R_icr (7)) ^(ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_intO_en in
let r_int3_en = (((ELEMENT R_icr (16)) ^(ELEMENT R_ict (24))) V
((ELEMENT R_icr (17)) ^(ELEMENT R_icr (25))) V
((ELEMENT R_icr (18)) ^(ELEMENT R_icr (26))) V
((ELEMENT R_icr (19)) ^(ELEMENT R_icr (27))) V
((ELEMENT R_icr (20)) ^(ELEMENT R_icr (28))) V
((ELEMENT R_ict (21)) ^(ELEMENT R_icr (29)))}
((ELEMENT R_icr (22))}^(ELEMENT R_icr (30))) V
((ELEMENT R_icr (23)) ^(ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_S_soft_shot_del = (-gcrh ^ gcrl) in
let s_soft_cnt_out =
    ((s_fsm_srs) =>
            ((gcrl ^~gcrh }\wedge~\mathrm{ -S_soft_shot_del) => (WORDN 1)|(WORDN 0)) |
            ((gcrl ^~gcrh ^ -S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt =((~gcrh ^~gcrl) => (WORDN 0) I s_soft_cnt_out) in
let s_delay_out =
    ((s_fsm_src V (s_fsm_scs ^(ELEMENT S_delay (6)))) =>
    ((s_fsm_sec) => (WORDN 1) |(WORDN 0))।
    ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpuO_ok =(s_fsm_scOf ^ Failure0_ ^(s_soft_cnt_out = (WORDN 5))) in
let s_cpul_ok =(s_fsm_sclf ^Failure1_ ^(s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
    ((s_fsm_sb ^~s_fsm_spmf) => T I
    ((~s_fsm_sb ^s_fsm_spmf) => Fl
    ((~s_fsm_sb ^~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
    ((s_fsm_sb \~(s_cpu0_ok V Bypass)) => T |
    ((-s_fsm_sb ^(s_cpu0_ok \vee Bypass)) => Fl
    ((-s_fsm_sb ^-(s_cpu0_ok V Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
    ((s_fsm_sb ^ -(s_cpul_ok V Bypass)) => T I
    ((-s_fsm_sb ^(s_cpul_ok V Bypass)) => Fi
    ((-s_fsm_sb ^~(s_cpul_ok V Bypass)) => S_cpul_fail | ARB))) in
let new_S_piu_fail =
    ((s_fsm_sb \wedge~(s_fsm_spf \vee Bypass)) => T |
    ((~s_fsm_sb }\wedge(s_fsm_spf V Bypass)) => F 
    ((~s_fsm_sb ^~(s_fsm_spf V Bypass)) => S_piu_fail I ARB)) ) in
let s_cpu0_select = ((s_fsm_sn V s_fsm_so) }\Lambda~\mathrm{ -S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_su V s_fsm_so) ^S_cpu0_fail }\Lambda~-S_cpul_fail) in
let new_S_bad_cpu0 =
    ((s_fsm_sb ^ -s_cpu0_select) => T |
    ((~s_fsm_sb ^s_cpu0_select) =>F FI
    ((-s_fsm_sb ^ -s_cpu0_select) => S_bad_cpu0 I ARB))) in
let new_S_bad_cpul =
    ((s_fsm_sb ^ -s_cpul_select) => T I
```

$$
\begin{aligned}
& ((- \text { s_fsm_sb } \wedge \text { s_cpul_select })=>\text { F } \\
& ((\sim \text { s_fsm_sb } \wedge \sim \text { s_cpu1_select })=>\text { S_bad_cpul } \mid A R B)) \text { in }
\end{aligned}
$$

let new_S_reset_cpu0 $=\left(\right.$ new_S_bad_cpu $0 \wedge \delta_{\text {_fsm_src }}$ ) in
let new_S_reset_cpul $=($ new_S_bad_cpu1 $\wedge$ s_fsm_srcl) in
let new_S_cpu_hist $=\left(S_{-}\right.$reset_cpu0 $\wedge$ S_reset_cpul $\wedge$ Bypass $)$ in
let $s s 0=\left(\right.$ ALTER ARBN $(0)($ new_S_fsm_state $=S S) \vee\left(n e w \_S \_f s m \_\right.$state $\left.=S S T O P\right)$
$V($ new_S_fsm_state $=S C S) V($ new_S_fsm_state $=S N)$
$V($ new_S_fsm_state $=S O)$ ) $)$ in
let ss1 $=($ ALTER ss0 (1) $($ (new_S_fsm_state $=$ SCOF $) V($ new_S_fsm_state $=$ ST $)$
$V$ (new_S_fsm_state $=S C 1 I) V\left(n e w_{1} S_{-}\right.$fsm_state $\left.=S C I F\right)$
$V($ new_S_fsm_state $=S S) V($ new_S_fsm_state $=S S T O P)$
$V($ new_S_fsm_state $=S C S))$ ) in
let ss2 $=($ ALTER ss 1 (2) ( $($ new_S_fsm_state $=$ SPF) $)$ (new_S_fsm_state $=$ SCOI)
$V($ new_S_fsm_state $=S C O F) V\left(n e w \_S \_f s m \_\right.$state $\left.=S T\right)$
$V($ new_S_fsm_state $=S S T O P) V($ new_S_fsm_state $=S O))$ ) in
let ss3 $=\left(\right.$ ALTER ss2 $(3)\left(\left(n e w_{-} S \_f s m_{-}\right.\right.$state $=$SRA $) \vee\left(n e w_{-} S_{-}\right.$fsm_state $=$SPF $)$
$V($ new_S_fsm_state $=S T) V($ new_S_fsm_state $=S C 1 I)$
$V($ new_S_fsm_state $=S C S) V($ new_S_fsm_state $=S N)$
$V\left(n e w_{-} S_{-} f m_{-}\right.$state $\left.\left.=S O\right)\right)$ in
let $\mathrm{s}_{-}$state $=\mathrm{ss} 3$ in
let sr28 = (ALTER ARBN (28) new_M_parity) in
let sr28_25 = (MALTER sr28 $(27,25)$ new_C_8s) in
let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in
let sr28_22 = (MALTER sr28_24 $(23,22)$ ChannelID) in
let sr28_16 = (MALTER sr28_22 $(21,16)$ Id) in
let sr28_12 = (MALTER sr28_16 $(15,12)$ s_state) in
let $\operatorname{sr28} 9=$ (ALTER sr28_12 (9) new_S_pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in
let $\operatorname{sr28} 3=$ (ALTER sr28_8 (3) new_S_reset_cpul) in
let sr28_2 $=$ (ALTER sr28_3 (2) new_S_reset_cpu0) in
let sr28_1 = (ALTER sr28_2 (1) new_S_cpul_fail) in
let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in
let new_R_sr $=\left(\left(r_{-}\right.\right.$fsm_cntlatch $\left.) \Rightarrow s r 28 \_0 \mid R \_s r\right)$ in
let new_R_sr_rden $=\left(r_{-} r e a d B \wedge\left(r_{-} r e g_{-}\right.\right.$sel $=($WORDN 4$\left.)\right)$ ) in
let new_P_fsm_rst = reset_piu in
let new_P_fsm_sack $=p_{-}$sack in
let new_P_fsm_cgnt_ = -(new_C_mfsm_state $=$ CMA3 $)$ in
let new_P_fsm_hold_ = new_C_holdA_ in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = reset_cport in
let new_C_mfsm_crqt_ $=\sim\left(\right.$ new_P_destl $^{\Lambda_{n}}$ new_P_rqt) in
let new_C_mfsm_hold_ $=$ new_C_holdA_in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = piu_invalid in
let new_C_sfsm_D $=$ ClkD in
let new_C_sfsm_rst = reset_cport in
let new_C_sfsm_hlda_ $=\sim$ (new_P_fsm_state $=P H)$ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = i_cale_in
let new_C_efsm_last_ = i_last_ in
let new_C_efsm_male_= i_male_in
let new_C_efsm_rale_= i_rale_in
let new_C_efsm_srdy_ = i_srdy_ in
let new_C_efsm_rst = reset_cport in
let new_M_fsm_male_ = i_male_in
let new_M_fsm_last_ = i_last_ in
let new_M_fsm_mrdy_ $=\left(\left(-\left(P_{-}\right.\right.\right.$fsm_state $\left.\left.=P H\right)\right)=>F \mid C_{-}$mrdy_del_ $)$in
let new_M_fsm_rst = reset_piu in
let new_R_fsm_ale_ = i_rale_ in
let new_R_fsm_mrdy_ $=\left(\left(-\left(P_{-} f s m_{-}\right.\right.\right.$state $\left.\left.=P H\right)\right)=P$ F|C_mrdy_del_ $)$ in
let new_R_fsm_last_ = i_last_ in
let new_R_fsm_rst = reset_piu in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 $=($ (Test) $\Rightarrow>$ (ELEMENT s_delay_out (6)) $\mid$ (ELEMENT s_delay_out (17)) ) in
let new_S_fsm_bothbad = (new_S_cpu0_fail $\wedge$ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let $L_{-}$ad_out $=(((-($bew_P_fsm_state $=P A))$
$\Lambda(\sim($ new_P_fsm_state $=P H))$
$\wedge \sim(($ new_P_fsm_state $=P D) \wedge$ new_P_wr) $) \Rightarrow i_{-}$ad $\left.\mid A R B N\right)$ in
let L_ready_ $=-\left(\sim i_{-} s t y_{-} \wedge(\right.$ new_P_fsm_state $\left.=P D)\right)$ in
let CB_rqt_out_ $=-(\sim($ new_C_mfsm_state $=C M I))$ in
let $m s 0=\left(\right.$ ALTER ARBN $(0)\left(\left(\right.\right.$ new_C_mfsm_state $\left.^{\prime}=C M D 0\right) \wedge-C_{\_}$last_in_) $V$
((new_C_mfsm_state = CMW) $\wedge C_{\text {_ }}$ lock_in_) $V$
(new_C_mfsm_state $=$ CMABT)) in
let $\mathrm{ms} 10=($ ALTER $\mathrm{ms} 0(1)(($ (new_C_mfsm_state $=\mathrm{CMA1}) V($ (new_C_mfsm_state $=\mathrm{CMAO}) \mathrm{V}$
(new_C_mfsm_state $=C M A 2) \vee($ new_C_mfsm_state $=C M D 1) V$
$\left((\right.$ new_C_mfsm_state $=$ CMD0 $) \wedge C_{\text {_last_in_ }) V(\text { new_C_mfsm_state }=C M W) V}$
(new_C_mfsm_state = CMABT))) ) in
let ms210=(ALTER ms 10 (2) (( $($ new_C_mfsm_state $=$ CMA3) $) V($ new_C_mfsm_state $=C M A 1) V$

$$
\text { (new_C_mfsm_state }=\text { CMA0) } V \text { (new_C_mfsm_state }=C M A 2) V
$$

(new_C_mfsm_state $=$ CMDI) $V$ (new_C_mfsm_state $=C M D 0) V$ (new_C_mfsm_state $=C M W) V($ new_C_mfsm_state $=C M A B T)) \wedge$
$\sim$ dew_S_pmm_fail $\wedge$-(ELEMENT new_R_gcr (28)))) in
let CB_ms_out $=(((\sim($ new_C_mfsm_state $=C M 1)) \wedge(\sim($ new_C_mfsm_state $=C M R)))=>m s 210 \mid$ ARBN $)$ in
let $\mathrm{ss} 0=(\operatorname{ALTER}$ ARBN ( 0 ) ( $($ new_C_sfsm_state $=$ CSAOW $) \mathrm{V}$
((new_C_sfsm_state $=$ CSALE) $\left.\wedge \sim c \_n e w \_w r i t e\right) ~ V$
$($ new_C_sfsm_state $=$ CSACK) )) in
let $\mathrm{ss} 10=($ ALTER ssO $(1)-($ new_C_sfsm_state $=$ CSACK $)$ ) in
let ss210 = (ALTER ss10 (2) ( $\sim$ new_S_pmm_fail $\wedge$-(ELEMENT new_R_gcr (28)))) in
let CB_ss_out $=(((\sim($ new_C_sfsm_state $=C S I)) \wedge(-($ new_C_sfsm_state $=C S A B T)))=$ ss210|ARBN $)$ in
let CB_ad_out $=\left(\left(c \_d f s m \_c a d \_e n\right)=>\right.$
((c_cout_sel = (WORDN 0)) $\Rightarrow$ P Par_Enc rep (SUBARRAY new_C_al e0 (15,0)) )
((c_cout_sel = (WORDN 1)) $\Rightarrow>$ Par_Enc rep (SUBARRAY new_C_ala0 $(31,16)$ )।
((c_cout_sel = (WORDN 2)) $\Rightarrow$ Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
Par_Enc rep (SUBARRAY new_C_a3a2 $(31,16)$ ))) ) I ARBN) in
let MB_addr $=\left(\left(M_{-}\right.\right.$rdy $) \Rightarrow\left(\mathbb{N C N} 18\right.$ M_addr $\left.^{\prime}\right)$ M_addr) in
let mb_data_7_0 $=((($ ELEMENT M_be (0))) $)=($ SUBARRAY i_ad (7,0)) $\mid$ (SUBARRAY M_rd_data $(7,0))$ ) in let mb_data_15_8 = ((ELEMENT M_be (1))) $\Rightarrow$ (SUBARRAY i_ad (15,8)) | (SUBARRAY M_rd_data (15,8))) in let mb_data_23_16=(((ELEMENT M_be (2)))) $\Rightarrow$ (SUBARRAY i_ad $(23,16)) \mid$ (SUBARRAY M_rd_data (23,16))) in let mb_data_31_24 = (( $($ ELEMENT M_be (3))) $)=($ SUBARRAY i_ad (31,24)) | (SUBARRAY M_rd_data (31,24))) in let mb_data $=($ MALTER (MALTER (MALTER (MALTER ARBN $(7,0)$ mb_data_7_0)
$(15,8)$ mb_data_15_8)
$(23,16)$ mb_data_23_16)
$(31,24)$ mb_data_31_24)) in
let MB_data_out $=(($ new_M_fsm_state $=\mathbf{M W})=>($ Ham_Enc rep mb_data $) \mid$ ARBN $)$ in

```
let MB_cs_eeprom_ = -((~(new_M_fsm_state = MI)) ^ ~new_M_se) in
let MB_cs_sram_ = -((~(new_M_fsm_state = MI)) ^new_M_se) in
let MB_we_= ~((new_M_se V -(~(new_M_fsm_state = MI)) V ~reset_cport)
    ^-disable_writes
    \Lambda ((new_M_fsm_state = MBW) V (new_M_fsm_state = MW) V new_M_wwdel ) ) in
let MB_oe_= ~ (( new_M_wr ^(new_M_fsm_state = MA)) V (new_M_fsm_state = MR)) in
let disable_int = (~(s_fsm_sn ^(ELEMENT s_delay_out (6)))}\wedges_fsm_sdi
    \Lambda((Test) => ~(ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16)))) in
let Int0_ = ~(r_int0_en }\wedge~R_R_int0_dis \Lambda ~-disable_int) in
let Intl = (R_ctrl_cry ^new_R_int1_en }\wedge~\mathrm{ disable_int) in
let Int2 = (R_ctr3_cry ^new_R_int2_en }\Lambda~\mathrm{ disable_int) in
let Int3_= -(r_int3_en ^~R_int3_dis }\wedge~\mathrm{ -disable_int) in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpul = new_S_reset_cpul in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpul_fail = new_S_cpul_fail in
let Pmm_fail = new_S_pmm_fail in
(L_ad_out, L_ready_,
    CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
    MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
    Int0_, Int1, Int2, Int3_, Led,
    Reset_cpu0, Reset_cpul, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)"
;;
```

close_theory();
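Two idioms recur throughout the next-state function above: the three-way conditional that implements a set/reset flag (`=> T | => F | => hold | ARB`, used for new_C_parity, new_M_parity, the new_S_*_fail flags and new_S_bad_cpu*), and the ALTER/MALTER chain that assembles the status register sr28_0 from the fault flags, the 4-bit S-state encoding ss0..ss3, and the C-port status. The Python model below is an added example, not the report's HOL code. It assumes the usual reading of the word operators (ALTER sets one bit, MALTER writes a bit field, ELEMENT and SUBARRAY read them back, ARBN/ARB are unspecified and are modelled as 0 and `None`), and the S-state names are taken as they appear in the ss0..ss3 definitions; the function names are the example's own.

```python
"""Model of the PIU set/reset-flag conditional and the R_sr status register.
Added example; assumes ALTER/MALTER/ELEMENT/SUBARRAY bit semantics and
models ARB as None and ARBN bits as 0 (both are unspecified in the spec)."""
from typing import Dict, Optional

ARB = None  # the spec's ARB branch: value left unspecified


def sr_latch(set_cond: bool, clear_cond: bool, current: Optional[bool]) -> Optional[bool]:
    """set ∧ ~clear => T | ~set ∧ clear => F | ~set ∧ ~clear => current | ARB."""
    if set_cond and not clear_cond:
        return True
    if not set_cond and clear_cond:
        return False
    if not set_cond and not clear_cond:
        return current
    return ARB  # set and clear asserted together: the spec does not decide


def new_c_parity(clkd, c_pe, c_pe_cnt, reset_error, c_parity):
    """new_C_parity: a sampled C-bus parity error sets the flag, reset_error clears it."""
    return sr_latch(clkd and c_pe and c_pe_cnt, reset_error, c_parity)


def new_m_parity(m_error, reset_piu, reset_error, m_parity):
    """new_M_parity: an EDAC error sets the flag, either reset clears it."""
    return sr_latch(m_error, reset_piu or reset_error, m_parity)


def alter(word: int, bit: int, value: bool) -> int:
    return (word | (1 << bit)) if value else (word & ~(1 << bit))


def malter(word: int, hi: int, lo: int, value: int) -> int:
    width = hi - lo + 1
    if value < 0 or value >> width:
        raise ValueError(f"{value} does not fit in bits {hi}..{lo}")
    mask = ((1 << width) - 1) << lo
    return (word & ~mask) | (value << lo)


def subarray(word: int, hi: int, lo: int) -> int:
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def element(word: int, bit: int) -> bool:
    return bool((word >> bit) & 1)


# ss0..ss3: the S-states that set each bit of s_state, as listed in the spec.
S_STATE_BITS = {
    0: {"SS", "SSTOP", "SCS", "SN", "SO"},
    1: {"SC0F", "ST", "SC1I", "SC1F", "SS", "SSTOP", "SCS"},
    2: {"SPF", "SC0I", "SC0F", "ST", "SSTOP", "SO"},
    3: {"SRA", "SPF", "ST", "SC1I", "SCS", "SN", "SO"},
}
S_STATES = set().union(*S_STATE_BITS.values())


def s_state_code(state: str) -> int:
    code = 0
    for bit, members in S_STATE_BITS.items():
        code = alter(code, bit, state in members)
    return code


def status_word(m_parity, c_ss, c_parity, channel_id, id_, s_state, pmm_fail,
                piu_fail, reset_cpu1, reset_cpu0, cpu1_fail, cpu0_fail) -> int:
    """The sr28 .. sr28_0 chain; bits the spec leaves as ARBN are 0 here."""
    w = alter(0, 28, m_parity)
    w = malter(w, 27, 25, c_ss)
    w = alter(w, 24, c_parity)
    w = malter(w, 23, 22, channel_id)
    w = malter(w, 21, 16, id_)
    w = malter(w, 15, 12, s_state_code(s_state))
    w = alter(w, 9, pmm_fail)
    w = alter(w, 8, piu_fail)
    w = alter(w, 3, reset_cpu1)
    w = alter(w, 2, reset_cpu0)
    w = alter(w, 1, cpu1_fail)
    return alter(w, 0, cpu0_fail)


def decode_status(w: int) -> Dict[str, object]:
    """Inverse of status_word: what software reading R_sr (register 4) sees."""
    code = subarray(w, 15, 12)
    names = [s for s in S_STATES if s_state_code(s) == code]
    return {
        "m_parity": element(w, 28), "c_ss": subarray(w, 27, 25),
        "c_parity": element(w, 24), "channel_id": subarray(w, 23, 22),
        "id": subarray(w, 21, 16), "s_state": names[0] if names else None,
        "pmm_fail": element(w, 9), "piu_fail": element(w, 8),
        "reset_cpu1": element(w, 3), "reset_cpu0": element(w, 2),
        "cpu1_fail": element(w, 1), "cpu0_fail": element(w, 0),
    }


if __name__ == "__main__":
    w = status_word(True, 0b101, False, 0b10, 3, "ST", False, True, False, True, False, True)
    print(hex(w), decode_status(w))
```

Two things the model makes visible that the HOL text only implies: the flag conditional returns `None` when set and clear are asserted in the same cycle, so any property proved about new_C_parity or new_S_*_fail must either exclude that case or hold for both values; and the twelve S-state codes produced by ss0..ss3 are pairwise distinct, which is what lets the s_state field of the status register be decoded unambiguously.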



[^0]:    1. The HOL code in this report is shown using the HOL convention of representing universal quantification, existential quantification, implication, conjunction, disjunction, and negation by the symbols !, ?, ==>, ∧, ∨, and ~, respectively. The form "e1 => e2 | e3" represents "if e1 then e2 else e3."
[^1]:    ? fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_srdy_en wr_inE wr_outQ

