# NASA Contractor Report 189698

# Formal Design Specification of a Processor Interface Unit

David A. Fura, Boeing Defense & Space Group, Seattle, Washington

Phillip J. Windley, University of Idaho, Moscow, Idaho

G. C. Cohen, Boeing Defense & Space Group, Seattle, Washington

NASA Contract NAS1-18586

November 1992

National Aeronautics and Space Administration, Langley Research Center, Hampton, Virginia 23665-5525

(NASA-CR-189698) FORMAL DESIGN SPECIFICATION OF A PROCESSOR INTERFACE UNIT (Boeing Military Airplane Development) 253 p, N93-12538, Unclas, G3/60 0127114

#### **Preface**

This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 9. Task 9 is concerned with the formal specification of a processor interface unit.

This report describes the formal specification of the design for a processor interface unit using the HOL methodology. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded system under development at the Boeing High Technology Center. It provides the opportunity to investigate the specification and verification of a real-world component within a commercially-developed fault-tolerant computer.

The NASA technical monitor for this work is Sally Johnson of the NASA Langley Research Center, Hampton, Virginia.

The work was accomplished at the Boeing Company, Seattle, Washington and the University of Idaho, Moscow, Idaho. Personnel responsible for the work include:

- Boeing Military Airplanes: D. Gangsaas, Responsible Manager; T. M. Richardson, Program Manager
- Boeing High Technology Center: Gerald C. Cohen, Principal Investigator; David A. Fura, Researcher
- University of Idaho: Dr. Phillip J. Windley, Chief Researcher

# **Contents**

- 1 Introduction
  - 1.1 Informal PIU Description
    - 1.1.1 PMM Initialization
    - 1.1.2 CPU Accesses to Memory
      - 1.1.2.1 To Local Memory
      - 1.1.2.2 To Internal Register File
      - 1.1.2.3 To the C Bus
    - 1.1.3 C Bus Accesses to Memory
    - 1.1.4 Timers and Interrupts
  - 1.2 Specification Overview
- 2 Generic Interpreter Theory
  - 2.1 Introduction
  - 2.2 Formal Microprocessor Modeling
    - 2.2.1 Microprocessor Specification
    - 2.2.2 Microprocessor Verification
  - 2.3 A Formal Model of Interpreters
    - 2.3.1 Abstract Theories
    - 2.3.2 Temporal Abstraction
    - 2.3.3 The Abstract Representation
    - 2.3.4 The Theory Obligations
    - 2.3.5 Abstract Theorems
      - 2.3.5.1 Defining the Interpreter
      - 2.3.5.2 Induction on Interpreters
      - 2.3.5.3 The Implementation is Live
      - 2.3.5.4 The Correctness Statement
      - 2.3.5.5 Composing Interpreters Hierarchically
  - 2.4 Parallel Composition
  - 2.5 Conclusion
- 3 Design Specification
  - 3.1 Gate-Level Structure
    - 3.1.1 Component Descriptions
      - 3.1.1.1 Combinational Logic
      - 3.1.1.2 Latches
      - 3.1.1.3 Flip-Flops
      - 3.1.1.4 Counters
      - 3.1.1.5 CTR Datapath Block
      - 3.1.1.6 ICR Datapath Block
      - 3.1.1.7 CR Datapath Block
      - 3.1.1.8 SR Datapath Block
      - 3.1.1.9 Finite-State Machines
    - 3.1.2 Block Diagram Descriptions
      - 3.1.2.1 P Port Structure
      - 3.1.2.2 M Port Structure
      - 3.1.2.3 R Port Structure
      - 3.1.2.4 C\_Port Structure
      - 3.1.2.5 SU\_Cont Structure
  - 3.2 Port Phase-Level Behavior
  - 3.3 Port Clock-Level Behavior
  - 3.4 PIU Port-Level Structure
  - 3.5 PIU Clock-Level Behavior
- 4 Models for Transaction Specification
  - 4.1 Introduction
  - 4.2 Abstract Views
  - 4.3 Representing Transaction Systems
  - 4.4 Preliminary Transaction Model Design
    - 4.4.1 The Transaction Model
      - 4.4.1.1 Ports
      - 4.4.1.2 State
      - 4.4.1.3 Transactions
      - 4.4.1.4 Operation
    - 4.4.2 Development Plan and Comments
  - 4.5 Conclusions
- 5 Towards an Integrated Simulation/Verification Environment
  - 5.1 New Datatypes in HOL
    - 5.1.1 Arrays
    - 5.1.2 N-Bit Words
  - 5.2 An Example in M
  - 5.3 An Example in HOL
- 6 Conclusions
- 7 References
- A ML Source for Component Specifications
- B ML Source for the Gate-Level Specification of the PIU Ports
  - B.1 P Port Specification
  - B.2 M Port Specification
  - B.3 R Port Specification
  - B.4 C Port Specification
  - B.5 SU\_Cont Specification
- C ML Source for the Phase-Level Specification of the PIU Ports
  - C.1 P Port Specification
  - C.2 M Port Specification
  - C.3 R Port Specification
  - C.4 C Port Specification
  - C.5 SU\_Cont Specification
- D ML Source for the Clock-Level Specification of the PIU Ports
  - D.1 P Port Specification
  - D.2 M Port Specification
  - D.3 R Port Specification
  - D.4 C Port Specification
- E ML Source for the PIU Block-Level Specification
- F ML Source for the PIU Clock-Level Specification

# **List of Figures**

- 1.1 Block Diagram of the Processor-Memory Module (PMM)
- 1.2 Major Blocks of the Processor Interface Unit (PIU)
- 1.3 PIU Specification Hierarchy
- 2.1 A Hierarchy of Interpreters
- 2.2 The Temporal Abstraction Functions $F$ and $G$
- 3.1 Two Series Latches Clocked by the Same Phase
- 3.2 Interval Representations
- 3.3 Example D Flip-Flop Constructed With Latches
- 3.4 Functional Block Diagram of a Counter
- 3.5 Functional Block Diagram of the CTR Datapath Block
- 3.6 Functional Block Diagram of the ICR Datapath Block
- 3.7 Functional Block Diagram of the CR Datapath Block
- 3.8 Functional Block Diagram of the SR Datapath Block
- 3.9 Functional Block Diagram for Finite-State Machines
- 3.10 P Port Top-Level Block Diagram
- 3.11 Block Diagram of P Port Datapath
- 3.12 Block Diagram of P Port Controller
- 3.13 M Port Top-Level Block Diagram
- 3.14 Block Diagram of the M Port Datapath
- 3.15 Block Diagram of the M Port Controller
- 3.16 R Port Top-Level Block Diagram
- 3.17 Block Diagram of Register File Controller
- 3.18 Block Diagram of the Timer Interrupt Block
- 3.19 Block Diagram of the Register Interrupt Block
- 3.20 C Port Top-Level Block Diagram
- 3.21 Block Diagram of the C Port Datapath
- 3.22 Block Diagram of the C Port Controller (Part A)
- 3.23 Block Diagram of the C Port Controller (Part B)
- 3.24 Block Diagram of the Startup Controller PIU-Port Interface
- 3.25 Block Diagram of the Startup Controller CPU Interface
- 4.1 The View from the CPU
- 4.2 View from the Memory
- 4.3 View from the Network
- 4.4 Abstraction Views for the PIU
- 4.5 Modeling the Buses in a Computer System using Tuple Space

# **List of Tables**

- 1.1 R\_Port Register Definitions
- 2.1 The abstract functions and their types for the generic interpreter model

#### 1 Introduction

This report describes work to formally specify the requirements and design of a processor interface unit (PIU), a single-chip subsystem providing memory-interface, bus-interface, and additional support services for a commercial microprocessor within a fault-tolerant computer system. This system, the Fault-Tolerant Embedded Processor (FTEP), is targeted towards applications in avionics and space requiring extremely high levels of mission reliability, extended maintenance-free operation, or both. The need for high-quality design assurance in such applications is an undisputed fact, given the disastrous consequences that even a single design flaw can produce. Thus, the further development and application of formal methods to fault-tolerant systems is of critical importance as these systems see increasing use in modern society.

The work described in this report is but a first step towards developing a provably correct fault-tolerant computing platform for application to real commercial and military systems. Beyond the PIU verification task that follows this work, future formal methods targets include at least two additional application-specific integrated circuits (ASICs) and the operating system software for the FTEP system. It is expected that the lessons learned in this PIU effort will influence the future design and modeling of these components to facilitate their subsequent verification. This report contains five major sections following this introduction, as well as several appendices containing the PIU design specification in its full detail. Section 2 describes the generic interpreter theory used to formally specify portions of the PIU design. This theory builds on previous NASA-funded work described in [Win90], with important extensions in the handling of interpreter outputs to support subsystem composition. Section 3 explains the PIU design specification at a high level to facilitate the understanding of the formal models contained in the appendices. The specification itself was written using the HOL theorem-proving system developed at the University of Cambridge, England [Gor88]. Section 4 describes our progress in developing a transaction-based modeling approach for specifying the PIU requirements. A number of modeling candidates were investigated and a preferred approach was identified for formalization in HOL. Section 5 describes our initial efforts at integrating our hardware design and verification environments into a single framework. A prototype M-to-HOL translator was developed and was used to translate the PIU behavioral specifications initially written in the simulation language M. Section 6 contains a concluding discussion. Before leaving this section, we first present an informal description of the PIU, including both its structure and an overview of its behavior. 
Following this we introduce the specification hierarchy developed for the PIU.

#### 1.1 Informal PIU Description

The PIU is a single-chip subsystem providing memory-interface, bus-interface, and additional support services within the Processor-Memory Module (PMM) of the FTEP system. The PIU's position within the PMM structure is shown in Figure 1.1. A PMM, itself a single block within an FTEP Core, interconnects three internal PMM subsystems: the local processors, the local memory, and the Core Bus (C\_Bus) interface.

The PMM processors (CPU0 and CPU1) are arranged in a cold-sparing configuration to enhance long-life operation. Only one processor is active during a given mission, with the choice of active processor determined during initialization. The spare processor is disabled by the PIU through assertion of the processor's cpu\_reset input.

For the first implementation of the PMM, described in this report, Intel 80960MC microprocessors are used for the local processors. They communicate with the PIU using the L\_Bus bus protocol of the 80960.

Processor programs and data are stored in local electrically-erasable programmable read-only memory (EEPROM) and static random access memory (SRAM), respectively. Memory accesses are initiated by either the local processor or an external block acting as C\_Bus master. In either case the PIU provides the memory interface. The features provided by the PIU include memory error correction, memory locking to implement atomic read-modify-write operations, byte accesses, and block accesses of up to 64 words. EEPROM and SRAM memory capacity in the first implementation is 1 MB (megabyte) of actual information storage each, implemented within seven 256Kx8-bit memory chips each. A (7,4) Hamming code provides single-bit error correction on memory reads.

The PIU also provides processor support features such as timers and interrupt control. Two 64-bit timers can be set by the processor to provide either timekeeping or watchdog functions.
Processor interrupts are generated within the PIU under two conditions. One condition is a timer time-out; the other is a write operation to a specially designated PIU register by either the local processor or C\_Bus master.

The reset and clock signals shown at the top of Figure 1.1 are produced by the Fault-Tolerant Clock Unit (FTCU) not shown here. The *pmm\_reset* signal is sent only to the PIU to allow it greater control over the local processors. For example, the PIU uses this signal to enter its initialization mode, during which it activates the processor reset signals. All of the PIU input signals produced by the FTCU are synchronized with those in the PIUs in redundant PMMs of a fault-tolerant FTEP core.

Figure 1.1: Block Diagram of the Processor-Memory Module (PMM).

The structure of the PIU itself is shown in Figure 1.2. The Processor Port (P\_Port), C\_Bus Port (C\_Port), and Memory Port (M\_Port) implement the communication protocols for the L\_Bus, C\_Bus, and M\_Bus, respectively. The M\_Port also implements (7,4) Hamming encoding and decoding on writes and reads, respectively, to the local memory, and the C\_Port implements single-bit parity encoding and decoding for C\_Bus transfers.

The Register Port (R\_Port) is the fourth, and final, port residing on the PIU's Internal Bus (I\_Bus). It contains a state machine, counters, and various command and status registers used by the local processor to implement timers and interrupts.

The Start-up Controller (SU\_Cont) implements the PMM initialization sequence. After it has concluded initialization, control is turned over to the other ports with the SU\_Cont continuing operation in a background mode. The SU\_Cont is not physically located on the I\_Bus; however, for convenience, we will sometimes refer to it as one of the five PIU ports.

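
The memory protection described in this section, a (7,4) Hamming code over seven 8-bit-wide memory chips, can be modeled as follows. This is an added example, not code from the report; the parity-bit positions, nibble order and chip layout (bit i of every codeword on chip i) are assumptions chosen to match the storage scheme the report gives in Section 1.1.2.1.

```python
# Added illustration, not the PIU's HOL/ML source. Parity-bit positions,
# nibble order and chip layout are assumptions (textbook Hamming(7,4)).

DATA_POS = (3, 5, 6, 7)    # codeword positions (1..7) carrying data bits
PARITY_POS = (1, 2, 4)     # codeword positions carrying parity bits
CHIPS = 7                  # seven 8-bit-wide memory chips


def encode_nibble(nibble):
    """Encode 4 data bits into a 7-bit codeword (bit p-1 holds position p)."""
    bits = {p: (nibble >> i) & 1 for i, p in enumerate(DATA_POS)}
    for parity in PARITY_POS:
        # A parity bit covers every data position whose index includes it.
        bits[parity] = 0
        for pos in DATA_POS:
            if pos & parity:
                bits[parity] ^= bits[pos]
    return sum(bits[p] << (p - 1) for p in range(1, 8))


def decode_codeword(code):
    """Return (nibble, syndrome); a nonzero syndrome names the flipped bit."""
    syndrome = 0
    for pos in range(1, 8):
        if (code >> (pos - 1)) & 1:
            syndrome ^= pos
    if syndrome:
        code ^= 1 << (syndrome - 1)
    nibble = sum(((code >> (p - 1)) & 1) << i for i, p in enumerate(DATA_POS))
    return nibble, syndrome


def write_word(word):
    """Encode a 32-bit word into seven chip bytes (56 stored bits).

    Chip i receives bit i of each of the eight codewords, so every
    codeword has exactly one bit in every chip.
    """
    chips = [0] * CHIPS
    for k in range(8):                       # eight 4-bit nibbles per word
        code = encode_nibble((word >> (4 * k)) & 0xF)
        for i in range(CHIPS):
            chips[i] |= ((code >> i) & 1) << k
    return chips


def read_word(chips):
    """Decode seven chip bytes; return (word, corrected_codeword_count)."""
    word, corrected = 0, 0
    for k in range(8):
        code = sum(((chips[i] >> k) & 1) << i for i in range(CHIPS))
        nibble, syndrome = decode_codeword(code)
        word |= nibble << (4 * k)
        corrected += 1 if syndrome else 0
    return word, corrected


def survives_chip_failure(word, dead_chip, stuck_value):
    """A whole chip returning an arbitrary byte is masked on read."""
    chips = write_word(word)
    chips[dead_chip] = stuck_value & 0xFF
    return read_word(chips)[0] == word


def double_chip_failure(word, chip_a, chip_b):
    """Two inverted chips exceed the code: every codeword is miscorrected."""
    chips = write_word(word)
    chips[chip_a] ^= 0xFF
    chips[chip_b] ^= 0xFF
    return read_word(chips)


if __name__ == "__main__":
    w = 0xDEADBEEF                           # constructed sample word
    print([hex(c) for c in write_word(w)])
    print(all(survives_chip_failure(w, c, 0x00) for c in range(CHIPS)))
    print(hex(double_chip_failure(w, 0, 1)[0]))
```

The last function shows the limit of a single-error-correcting code: with two chips faulty the decoder still reports eight ordinary corrections, so the wrong word is returned without any indication.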
Behaviorally, the PIU functionality can be divided into four categories: (1) PMM initialization, (2) local-processor memory accesses, (3) C\_Bus memory accesses, and (4) timers and interrupts.

#### 1.1.1 PMM Initialization

The PIU controls the PMM initialization sequence. After receiving a synchronous pmm\_reset signal from the FTCU, the PIU initiates the testing of the two local processors (or CPUs). Based on the test results, the PIU selects one of the CPUs to be active for the upcoming mission, while at the same time isolating the other CPU. During the initialization, the PIU also maintains the inter-PMM synchronization that is initially established by the FTCUs.

Figure 1.2: Major Blocks of the Processor Interface Unit (PIU).

The PIU initiates CPU self-test via the CPU reset signals that it controls. To begin the initialization sequence, the PIU resets CPU0, which then goes through a two-phase (Intel 80960) testing process of its own. In the first phase the CPU executes a 47,000-cycle self-test procedure; in the second phase the CPU reads the first eight words of local memory (via the PIU) and performs a check-sum test. If either of these tests fails, then the CPU's failure0\_pin remains asserted; otherwise it is deasserted.

After the CPU self-test is completed, the CPU executes a software-based test using a program and the prior-mission fault status stored in local memory. At preselected points in this program the CPU updates PIU registers in a prespecified manner. At the end of this program, the PIU compares the modified PIU register values against their expected values. This acceptance test is the final major test of CPU functionality during initialization.

At the same time that CPU0 is being tested, the PIU isolates CPU1 by asserting its cpu1\_reset input. Once the testing of CPU0 is completed, the roles are reversed. After both CPUs have been tested, the PIU selects one to be active for the upcoming mission.
The selection algorithm makes use of the CPU failure signal outputs and the acceptance-test results: if CPU0 is ok then it is selected, otherwise if CPU1 is ok then it is selected, otherwise neither one is selected. Once the selection is made, the selected CPU is reset again and begins normal operation. The PIU isolates the other CPU by keeping its reset active.

An important PIU requirement is to maintain clock-level synchronization between redundant PMMs, yet accommodate possible nondeterminism within the PMM initialization sequences. Before the PMM initialization begins, the redundant PMM clocks are synchronized by the FTCUs, and pmm\_reset signals are delivered to the PIUs synchronously across all PMMs. Synchronization is maintained by establishing maximum time durations for each phase of the initialization and having each PMM use the entire duration. The PIUs enforce these phase boundaries and thus guarantee that each PMM leaves its initialization on precisely the same clock cycle.

#### 1.1.2 CPU Accesses to Memory

The PIU controls CPU reads and writes to the local memory, the internal PIU registers, and global memory.

#### 1.1.2.1 To Local Memory

The PIU implements error-correction code (ECC) encoding and decoding and supports atomic memory operations, byte accesses, and 2-, 3-, and 4-word block transfers.

On writes to the local memory, the PIU encodes the 32-bit data words using a single-error-correction (7,4) Hamming code. The 56-bit encoded words are stored such that each 7-bit word (there are eight of these) is spread among the seven 256Kx8-bit memory chips. On reads, the decoding process implemented within the PIU masks all faults affecting one of the seven bits of each code word. Entire memory-chip failures are thus handled.

Atomic memory accesses, the atomic add and atomic modify instructions of the Intel 80960 instruction set, are supported by the PIU. During these operations the PIU prevents the C\_Bus from gaining access to the local memory.
The PIU uses the lock signal provided by the CPU during these operations.

Byte accesses to the local memory are supported by the PIU. Reads are implemented in a straightforward way. Writes are implemented using a read-modify-write operation that reencodes the entire 32-bit data word. Byte accesses of up to four words are also supported to implement cache refilling within the CPU.

#### 1.1.2.2 To Internal Register File

The PIU supports atomic accesses and 2-, 3-, and 4-word block transfers to and from its internal registers within the R\_Port. Byte accesses are not supported, nor is the data encoded before being stored. Table 1.1 shows the R\_Port register definitions.

The Interrupt Control Register (ICR) supports memory-mapped interrupts to the local processor. The register is divided into four fields. The first two contain the interrupt settings and mask bits for *int0\_*, in bits 0 through 7 and 8 through 15, respectively. A logic-1 in both a set location and the associated mask location signifies an active interrupt, which if enabled (external to the R\_Port) will generate an active *int0\_* signal to the processor. Bits 16 through 31 are used in a corresponding way for *int3\_*.

The ICR contents are updated in two different ways. A write to register address 0 implements a logical-AND operation on the new value and the old register contents, while a write to address 1 implements a logical-OR operation. These two operations implement the resetting and setting of register bits, respectively. A read to either of these addresses returns the current register value.

The General Control Register (GCR) and Communication Control Register (CCR) provide control bits to the internal PIU and the C\_Bus, respectively. The GCR bits include the start-up software counter enable (used for the acceptance test discussed earlier), R\_Port counter configuration control bits, and parity-error-latch reset bits. The CCR contains the message header for the next C\_Bus transaction.
Either of these registers can be written to or read from by the local processor.

The Status Register (SR) holds status information produced internally to the PIU. This includes start-up error-detection status, local-memory and C\_Bus error-detection status, start-up controller state, and the last C\_Bus slave-status report. This register is read-only.

Register addresses 8 through 11 are used to load new counter values to the 32-bit counters 0 through 3, respectively. These load values can be read by the local processor using the same addresses. Register addresses 12 through 15 are read-only locations containing the current value of the four counters.

The four counters are combined to form two 64-bit counters which can be configured in a variety of ways via control bits in the GCR. The choices include enabled vs. disabled counting, enabled vs. disabled interrupting on overflow, and reloading vs. count-continuation on overflow. Counters 0 and 1 together support timer interrupts using the *int1* interrupt line; counters 2 and 3 use *int2*.

Table 1.1: R\_Port Register Definitions.

| Register Address | Contents |
|------------------|----------|
| 0 | Interrupt Control Register (ICR) reset |
| 1 | ICR set |
| 2 | General Control Register (GCR) |
| 3 | Communication Control Register (CCR) |
| 4 | Status Register (SR) |
| 8 | Counter 0 in |
| 9 | Counter 1 in |
| 10 | Counter 2 in |
| 11 | Counter 3 in |
| 12 | Counter 0 out |
| 13 | Counter 1 out |
| 14 | Counter 2 out |
| 15 | Counter 3 out |

#### 1.1.2.3 To the C\_Bus

The upper 2 GB (gigabytes) of the CPU address space is reserved for external memory and input/output (I/O). The PIU routes CPU memory accesses at these addresses to the C\_Bus. It implements the C\_Bus protocol, parity encoding and decoding of data, and support for atomic memory operations, byte transfers, and 2-, 3-, and 4-word block transfers.

The PIU implements the C\_Bus communication protocol.
This includes all arbitration actions and necessary handshaking.

On writes to the C\_Bus the PIU encodes each byte of data using a single-error-detection parity code. Data arriving over the C\_Bus is likewise decoded.

Atomic memory operations are supported by the PIU. Once the PIU acquires the C\_Bus it doesn't relinquish it until the atomic operation is completed. The PIU again makes use of the CPU lock signal to know when to do this.

Byte transfers and 2-, 3-, and 4-word transfers are handled in a straightforward manner.

#### 1.1.3 C\_Bus Accesses to Memory

The PIU controls C\_Bus reads and writes to local memory and the PIU register file. All of the support features described earlier for the CPU-initiated transfers are supported here as well.

The C\_Bus (i.e., the processing unit of an external block) has priority over the CPU for local memory accesses. The PIU holds off the local CPU using the CPU hold\_ input signal.

The PIU supports block transfers as large as 64 words over the C\_Bus.

#### 1.1.4 Timers and Interrupts

As explained above, the PIU contains two 64-bit counters and an interrupt control register. The counters can be used to implement timed interrupts as well as a real-time clock. The timed interrupts can be programmed to provide either a single-shot interrupt or repeated, periodic interrupts.

The interrupt register is a memory-mapped register used to implement 16 possible interrupts. These interrupts can be initiated by either the active local processor or an external C\_Bus master.

#### 1.2 Specification Overview

Figure 1.3 shows the specification hierarchy developed for the PIU. In constructing this hierarchy much emphasis was placed on maintaining compatibility with existing formal specification methods, particularly the generic interpreter theory described in Section 2. The resulting hierarchy reflects this emphasis, particularly in the lower levels where many of the techniques described in [Win90] are used.

Consistent with established hierarchical specification methods, the levels in the hierarchy of Figure 1.3 are abstractions of the levels below them. Four types of abstraction are used here. Temporal abstraction relates time at a particular level to the time at lower levels; each unit of time at the higher level corresponds to multiple time units at the lower level. Data abstraction relates the states of two levels, with the higher level state being a function (typically a subset) of the state at the lower level. In behavioral abstraction, a structural description at the lower level, defined using the physical interconnection of components or subsystems, is replaced by a purely behavioral description at the higher level. Structural abstraction (or composition) combines subsystems defined at one level to form a higher level. At the bottom of the PIU specification hierarchy is the gate-level description. This is a structural description derived from the lowest-level detailed design developed by the PIU design team. The chip layout is obtained directly from this level using silicon compilation techniques that are not within the scope of the specification and subsequent verification tasks. Components at the gate level include individual logic gates, latches, counters, and finite-state machines. This level is comparable to the electronic block model (EBM) level of [Win90]. The phase-level behavioral description for each of the five PIU ports is a behavioral abstraction of each corresponding gate level. This level is comparable to the phase level used in [Win90]. The specification at this level consists of an instruction set containing two instructions, one for phase A and one for phase B, defining the state transition and outputs generated during each phase. 
The clock-level behavioral description for the PIU ports uses a time interval of an entire clock period rather than a single phase (temporal abstraction), and the state is a subset of the phase-level state (data abstraction). Only a single instruction is defined for each port, specifying the state change and outputs of the port occurring during its execution. This level is comparable to the microinstruction level of [Win90] and elsewhere except that only a subset of the chip design (i.e., a port) is described here rather than the entire chip.

Figure 1.3: PIU Specification Hierarchy.

The port-level structure is a structural composition of the five individual clock-level port specifications. The port composition is based on the established method of forming a logical conjunction of the individual port descriptions.

The clock-level behavioral description for the PIU is a behavioral abstraction of the structural description at the PIU port level, providing a clock-level description for the entire chip. This level is comparable to the microinstruction level referred to above, an important difference being in the approach to instruction decoding: here no decoding is used, resulting in a single instruction compared to the many microinstructions in [Win90], for example.

The transaction-style behavioral description is the topmost level in the PIU hierarchy providing a concise and easy-to-understand definition of PIU behavior. Whereas the lower five levels of the hierarchy represent the PIU design and were developed bottom-up, the transaction level specifies the PIU requirements. In this role as human interface the transaction level must address modeling problems not faced at the lower levels. Three important problems unique to the transaction level are: (1) independently-initiated concurrent behavior, (2) multiple sequential outputs, and (3) shared state.
Because of these, hardware modeling approaches used within the HOL community to date are inadequate for transaction-level modeling. Section 4 describes these problems in more detail and explains our progress in developing a transaction-level model suitable for the PIU.

#### 2 Generic Interpreter Theory

This section describes the generic interpreter theory used to model portions of the PIU. The work described in this section grew out of efforts to model microprocessors and thus the model discusses microprocessor specification and verification heavily. We have discovered that the model is useful for describing other hardware devices as well, and, in particular, we have found it to be well-suited for specifying the PIU design. The generic interpreter theory is described more fully in [Win90].

#### 2.1 Introduction.

The formal specification and verification of microprocessors has received much attention. Indeed, several verified microprocessors have been presented in the literature. This section presents an abstract model that describes a large class of hardware devices, including microprocessors and other devices with a single major control point. The model is called a generic interpreter and the theory contains important theorems about it.

We have formalized the interpreter model in the HOL theorem proving system [Gor88,Gog88]. The formal model can be instantiated inside the system and serves as a framework for writing device specifications and verifying them. This framework clearly states what definitions must be made to specify the device and which lemmas must be established to complete the verification. After the user has defined the components of the hardware device model and proven the necessary lemmas about them, individual theorems from the abstract theory can be instantiated to provide concrete theorems about the actual device being verified.

The model that we have defined has proven useful in specifying and verifying several microprocessors [Win90,Aro90].
The model is not, however, limited to microprocessors only. Recent work has shown that the model can be used in specifying other hardware devices as well [Win91]. Because the model was originally developed for microprocessor modeling, however, much of the terminology in the model (e.g., instruction set) is influenced by microprocessor terminology. We have kept it even though more general terminology might be better in some cases.

The model we have defined differs from other formal descriptions of state machines (such as Loewenstein's model in [Low89]) by including the data and temporal abstractions that are important in specifying and verifying microprocessors in the formalization.

#### 2.2 Formal Microprocessor Modeling.

There have been numerous efforts to formally model microprocessors. At the time this project was begun the best known of these included Jeff Joyce's Tamarack microprocessor [Joy89], Warren Hunt's FM8501 and FM9001 microprocessors [Hun87, Hun92], and Avra Cohn's verification of VIPER [Coh88].

Tamarack is a simple microprocessor with only 8 instructions. FM8501 is larger (roughly the size of a PDP-11), but has not been implemented; FM9001 is a 32-bit version that is being verified and implemented.

VIPER is the first microprocessor intended for commercial use where formal verification was used. However, the verification has not been completed because of the large case explosion that occurred and the size of the proofs in each of the cases. Recent work on hierarchical specification [Win88], coupled with the work presented here, has overcome this problem; microprocessors significantly more complicated than VIPER are now within the realm of formal treatment.

#### 2.2.1 Microprocessor Specification.

The specifications for the microprocessors mentioned above appear very different on the surface; in fact, the specifications of FM8501 and FM9001 are even in a different language. On closer inspection, however, each uses the same implicit behavioral model.
In general, the model uses a state transition system to describe the microprocessor. A microprocessor specification has four important parts:

1. A representation of the state, S.
2. A set of state transition functions, J, denoting the behavior of the individual instructions of the microprocessor. Each of these functions takes the state defined in step (1) as an argument and returns the state updated in some meaningful way.
3. A selection function, N, that selects a function from the set J according to the current state.
4. A predicate, I, relating the state at time t+1 to the state at time t by means of J and N.

In some cases, the individual state transition functions, J, and the selection function, N, are combined to form one large state transition function. Also, a functional specification would use a function for part (4) instead of a predicate. The general form, however, is the same.

#### 2.2.2 Microprocessor Verification

Just as most microprocessor specifications are similar, so too are their verifications. After the microprocessor has been specified, we can verify that a machine description, M, implements the specification, I, for some state, s, by showing:

$$\forall s \in S \bullet (M(s) \Rightarrow I(s))$$

That is, we show that I has the same effect on the state, s, as M does. This theorem is typically shown by case analysis on the instructions in J by establishing the following lemma:

$$\forall (j \in J) \bullet M(s) \Rightarrow (\forall t \bullet C(j, s, t) \Rightarrow (s(t + n_j) = j(s(t))))$$

where C is a predicate expressing the conditions for instruction j's selection, s(t) is the state at time t, and $n_j$ is the number of cycles that it takes to execute j. This lemma says that if an instruction j is selected, then applying j to the current state yields the state that results by letting the implementing interpreter M run for $n_j$ cycles. We call this lemma the instruction correctness lemma.

#### 2.3 A Formal Model of Interpreters
An interpreter is a computing structure with one control point. One of the many available instructions is chosen at this control point based on the current state and inputs. The state is then processed by this instruction and the cycle begins again.

In general, a microprocessor specification can consist of many abstraction levels. Every level except the bottom specification (which is the structural specification) can be modeled as an interpreter. A hierarchical approach to specification and verification has been shown to significantly reduce the amount of effort required to complete the verification of a microprocessor [Win88].

Figure 2.1 shows a generalized hierarchy of interpreters. Note that each communicates with the state and environment, although most interpreters see only an abstraction of the state. An interpreter sends instructions to the interpreter below it and communicates (mostly timing) information to the interpreter above it.

Figure 2.1: A Hierarchy of Interpreters.

#### 2.3.1 Abstract Theories

A theory is a set of types, definitions, constants, axioms and parent theories. Logics are extended by defining new theories. An abstract theory is parameterized so that some of the types and constants defined in the theory are undefined inside the theory except for their syntax and a loose algebraic specification of their semantics. Group theory is an example of an abstract theory. The multiplication operator is undefined except for its syntax (a binary operator on type ":group") and a loose semantics given by the axioms of group theory.

Abstract theories are useful because they provide proofs about abstract structures that can be used to reason about specific instances of the structure. In groups, for example, after showing that addition over the integers satisfies the axioms of group theory, we can use the theorems from group theory to reason about addition on the integers.

An abstract theory consists of three parts:

1. An abstract representation of the uninterpreted constants and types in the theory. The abstract representation contains a set of abstract operations and a set of abstract objects. (These are sometimes called uninterpreted constants and uninterpreted types.)
2. A set of theory obligations defining relationships between members of the abstract representation. Inside the theory, the obligations represent axiomatic knowledge concerning the abstract representation. Outside the theory, the obligations represent the criteria that a concrete representation must meet if it is to be used to instantiate the abstract theory.
3. A collection of abstract theorems. The theorems are generally based on the theory obligations and can stand alone only after the theory obligations have been met.

To instantiate an abstract theory, the concrete representation must meet the syntactic requirements of the abstract representation as well as the semantic requirements of the theory obligations. If the syntactic and semantic requirements are met, then the instantiation provides a collection of concrete theorems about the new representation.

There are several specification and verification systems that support abstract theories. Some, such as OBJ [Gog88] and EHDM [SRI88], offer explicit support. HOL, the verification environment used for the research reported here, does not explicitly support abstract theories; however, HOL's metalanguage, ML, combined with higher-order logic, provides a framework for implementing abstract theories [Win90a] in a manner that does not degrade the trustworthiness of the theorem prover.

#### 2.3.2 Temporal Abstraction

Before we can discuss the formal model, we must describe the temporal abstraction that it uses. The development follows that of [Joy89,Mel88,Her88]. In general, different levels in the interpreter hierarchy will have different views of time. We use temporal abstraction to produce a function that maps time at one level to time at another.
Figure 2.2 shows a temporal abstraction function F. The circles represent clock ticks. The number of clock ticks required at the implementing level to produce one clock tick at the implemented level is irregular. The predicate, G, is true whenever there is a valid abstraction from the lower level to the upper level. We can define a generic temporal abstraction function in terms of G. In a microprocessor specification, G is usually a predicate indicating when the lower level interpreter is at the beginning of its cycle—a condition that is easy to test.

Figure 2.2: The Temporal Abstraction Functions F and G.

We will use a function $Temp\_Abs$ as our temporal abstraction function. The function is defined recursively so that $(Temp\_Abs \ g \ 0)$ is the first time that the predicate g is true and $(Temp\_Abs \ g \ (n+1))$ is the next time after time n when g is true. We will not develop the details of the temporal abstraction function here, but refer the interested reader to the references given above and [Win90].

#### 2.3.3 The Abstract Representation

We specify the abstract representation by defining a list of abstract objects and operations. Table 2.1 shows the operations and their types. We must emphasize that the representation is abstract and, therefore, the objects and operations have no definitions. The descriptions that follow are what we intend for the representation to mean. The representation is purely syntactic, however.

Table 2.1: The abstract functions and their types for the generic interpreter model.

| Operation | Type |
|--------------|-------------------------------------------|
| instructions | ":*key->(*state->*env->*state)" |
| select | ":*state->*env->*key" |
| output | ":*key->(*state->*env->*out)" |
| substate | ":*state'->*state" |
| subenv | ":*env'->*env" |
| subout | ":*out'->*out" |
| Impl | ":(time'->*state')->(time'->*env')->bool" |
| count | ":*state'->*env'->*key'" |
| start | ":*key'" |

The following abstract types are used in the representation.

- :\*state represents the state.
- :\*env represents the environment.
- :\*out represents the outputs.
- :\*key is the type containing all of the keys. Keys are used to select instructions. For example, the opcodes form the keys in the top-level specification of a microprocessor.

We add primes to the types to indicate that they represent state, time, etc. at the implementing rather than the implemented level of the hierarchy.

The abstract representation can be broken into two parts. The first contains those operations concerned with the interpreter.

- instructions is the instruction set. The set is represented by a function from a key to a state transition function.
- select picks a key based on the present state and environment.
- output is a set of output functions. The set is represented by a function from a key to a function that produces output for a given state and environment.
- substate is the state abstraction function for the interpreter. The substate function is used to hide the visible state in the interpreter.
- subenv is the environment abstraction.
- subout is the output abstraction.

Because we want to prove correctness results about the interpreter, we must have an implementation. The second part of the abstract representation contains three functions that provide the necessary abstract definitions for the implementation.

- Impl is the abstract implementation. We could have chosen to make this function more concrete, but doing so would have required that every implementation have some pre-chosen structure. Thus, we say nothing about it except to define its type.
- count is analogous to select except it operates at the implementing level.
- start denotes the beginning of the implementation clock cycle. We will ensure that count periodically reaches start as part of the synchronization process.

#### 2.3.4 The Theory Obligations

Proving that the implementation implies the interpreter definition is typically done by case analysis on the instructions; we show that when the conditions for an instruction's selection are right, the instruction is implied by the implementation. We call this the instruction correctness lemma. The predicate INSTRUCTION\_CORRECT expresses the conditions that we require in the instruction correctness lemma:<sup>1</sup>

```
|-def INSTRUCTION_CORRECT gi s' e' inst =
    (Impl gi s' e') ==>
    (!t:time'.
      let st = (substate gi (s't)) in
      let et = (subenv gi (e't)) in
      let ft = (count gi (s't) (e't) = (start gi)) in
      let k = (select gi (st) (et)) in
      ((inst = (instructions gi k)) ∧ (ft) ==>
        ?c. Next f(t,t+c) ∧
            (inst (st) (et) = (s(t+c)))))
```

INSTRUCTION\_CORRECT operates on a single instruction inst. The implementation implies that for every time, t, if inst is selected and the implementation's counter is at the beginning, then there is a time c cycles in the future such that applying the instruction to the current state yields the same state change that the implementation does in c cycles.

INSTRUCTION\_CORRECT is a good example of the kind of information that is captured in the generic model. Previous microprocessor verifications created this lemma, or one similar to it, in a largely ad hoc manner.

Because our model has outputs as well as inputs (the environment), we must also assume something about the output in order to establish correctness. The predicate OUTPUT\_CORRECT expresses the conditions that we require in the output correctness lemma:

```
|-def OUTPUT_CORRECT gi s' e' p' k =
    (Impl gi s' e' p') ==>
    (!t:time'.
      let st = (substate gi (s't)) in
      let et = (subenv gi (e't)) in
      let pt = (subout gi (p't)) in
      let pt = (subout gi (s't) (e't) = (start gi)) in
      ((count pt = (start gi)
```

<sup>1</sup> The HOL code in this report is shown using the HOL convention of representing universal quantification, existential quantification, implication, conjunction, disjunction, and negation by the symbols !, ?, ==>, ∧, ∨, and ~, respectively. The form "e1 => e2 | e3" represents "if e1 then e2 else e3."

Using INSTRUCTION\_CORRECT and OUTPUT\_CORRECT we can define the theory obligations in our model. The theory obligations are given as a predicate on an abstract representation gi:

```
|-def GI gi =
    (!s' e' p' k. INSTRUCTION_CORRECT gi s' e' p' k) ∧
    (!s' e' p' k. OUTPUT_CORRECT gi s' e' p' k)
```

The predicate says that every instruction in the instruction set satisfies the predicate INSTRUCTION\_CORRECT and every output function satisfies the conditions set forth in OUTPUT\_CORRECT.

#### 2.3.5 Abstract Theorems

Using the abstract representation and the theory obligations, many useful theorems pertaining to interpreters can be established on the generic structure.

#### 2.3.5.1 Defining the Interpreter

One of the important parts of the collection of abstract theorems is the definition of a generic interpreter. The definition is based on functions from the abstract representation.

```
|-def INTERP gi s e p =
    !t:time.
      let k = (select gi (st) (et)) in
      (s(t+1) = (instructions gi k) (st) (et)) ∧
      (pt = (output gi k (st) (et)))
```

The specification of an interpreter is a predicate relating the contents of the state stream at time t+1 to the contents of the state stream at time t. The relationship is defined using the functions from the abstract representation. The definition also uses the currently selected output function to denote the current output.
#### 2.3.5.2 Induction on Interpreters

The definition of the interpreter sets up a relation between the state at t and t+1. Sometimes it is useful to have a more explicit statement regarding induction. The following theorem, which follows from the definition of the interpreter given in Section 2.3.5.1, defines induction on an interpreter:

```
|- !Q. INTERP gi s e p ==>
    (Q (s0) ∧
     !t. let inst = (instructions gi (select gi (st) (et)) in
         Q (st) ==> Q (inst (st) (et)))) ==>
    !t. Q (st)
```

The theorem states that for any arbitrary predicate on states, Q, if Q is true of the state at time 0, and when Q is true of the state at time t, it follows that it's also true of the state returned by the current instruction, then Q is true of every state.

We note that even though this theorem looks fairly simple, and indeed is quite easy to show in the generic theory, the theorem will eventually be instantiated with the entire denotational description of the semantics of a particular instruction set and will be quite involved. The same admonition holds for each of the theorems and definitions presented in this section.

#### 2.3.5.3 The Implementation is Live

Using the theory obligations, we can prove that the implementation is live. By *live* we mean that if the implementation starts at the beginning of its cycle, then there is a time in the future when the implementation will be at the beginning of its cycle again. That is, we show that the device will not go into an infinite loop.

```
|- Impl gi s' e' ==>
    (!t. (count gi (s't) (e't) = start gi) ==>
         (?n. Next (λt. count gi (s't) (e't) = start gi) (t, t+n)))
```

Next P(t1, t2) says that t2 is the next time after t1 when P is true.
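
A bounded, executable check of these definitions on a toy device, as an added example that is not code from the report: the ADD3/CLR machine, its micro-counter and all Python names are constructed for illustration. It computes Temp_Abs and Next, tests liveness on a finite trace, and checks that the abstracted implementation streams satisfy INTERP.

```python
# Constructed toy instance of the generic interpreter model (not the PIU).
ADD3, CLR = "ADD3", "CLR"    # keys (assumed names)
START = 0                    # `start`: micro-counter value at a cycle boundary

# Implemented level: instructions, select, output.
INSTRUCTIONS = {ADD3: lambda s, e: (s + 3) % 256, CLR: lambda s, e: 0}
OUTPUT = {k: (lambda s, e: s & 1) for k in (ADD3, CLR)}

def select(s, e):
    return e                 # the environment supplies the key

# Abstraction functions from the implementing level (primed types).
def substate(sp): return sp[0]      # hides the micro-counter
def subenv(ep): return ep
def subout(pp): return pp
def count(sp, ep): return sp[1]

def impl_step(sp, ep, add_steps=3):
    """One implementing-level tick. ADD3 is a micro-program of `add_steps`
    single increments; CLR completes in one tick."""
    acc, pc = sp
    if pc == START and ep == CLR:
        return (0, START)
    nxt = pc + 1
    return ((acc + 1) % 256, START if nxt == add_steps else nxt)

def run_impl(env, steps, add_steps=3):
    """State stream s' and output stream p' of the implementation."""
    sp = [(0, START)]
    for t in range(steps):
        sp.append(impl_step(sp[t], env(t), add_steps))
    return sp, [acc & 1 for acc, _ in sp]

def next_holds(p, t1, t2):
    """Next p (t1, t2): t2 is the first time after t1 at which p is true."""
    return t2 > t1 and p(t2) and not any(p(t) for t in range(t1 + 1, t2))

def temp_abs(g, n, horizon):
    """Temp_Abs g n: time of the (n+1)-th tick at which g holds."""
    hits = [t for t in range(horizon) if g(t)]
    if n >= len(hits):
        raise ValueError("g is not true often enough within the horizon")
    return hits[n]

def at_start(sp, env):
    """The predicate f: the implementation is at the start of its cycle."""
    return lambda t: count(sp[t], env(t)) == START

def abstraction_times(env, cycles, steps=60, add_steps=3):
    sp, _ = run_impl(env, steps, add_steps)
    return [temp_abs(at_start(sp, env), n, steps) for n in range(cycles)]

def is_live(env, steps=60, add_steps=3, bound=4):
    """Bounded liveness: every start time has a next start within `bound`."""
    sp, _ = run_impl(env, steps, add_steps)
    f = at_start(sp, env)
    return all(any(next_holds(f, t, t + n) for n in range(1, bound + 1))
               for t in range(steps - bound) if f(t))

def correctness_holds(env, cycles=12, steps=60, add_steps=3):
    """Check INTERP on (s o abs), (e o abs), (p o abs) for `cycles` steps."""
    sp, pp = run_impl(env, steps, add_steps)
    ts = [temp_abs(at_start(sp, env), n, steps) for n in range(cycles + 1)]
    s = [substate(sp[t]) for t in ts]
    e = [subenv(env(t)) for t in ts]
    p = [subout(pp[t]) for t in ts]
    for n in range(cycles):
        k = select(s[n], e[n])
        if s[n + 1] != INSTRUCTIONS[k](s[n], e[n]):
            return False
        if p[n] != OUTPUT[k](s[n], e[n]):
            return False
    return True

KEYS = [ADD3, CLR, ADD3, ADD3, CLR]   # constructed environment stream

def sample_env(t):
    return KEYS[t % len(KEYS)]

if __name__ == "__main__":
    print("abstraction times:", abstraction_times(sample_env, 4))
    print("live:", is_live(sample_env))
    print("correct:", correctness_holds(sample_env))
    print("2-step ADD3 correct:", correctness_holds(sample_env, add_steps=2))
```

Passing `add_steps=2` models a micro-program that finishes one increment early, and `add_steps=0` one that never returns to `START`; the first breaks the INTERP check and the second breaks liveness.
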
#### 2.3.5.4 The Correctness Statement

The correctness result can be proven from the definition of the interpreter and the theory obligations:

```
|- let st = (substate gi (s't)) and
       et = (subenv gi (e't)) and
       pt = (subout gi (p't)) and
       ft = (count gi (s't) (e't) = (start gi)) in
   let abs = (Temp_ABS f) in
     (Impl gi s' e' p') ∧
     (?t. ft) ==>
     (INTERP gi) (s o abs) (e o abs) (p o abs)
```

In the correctness statement, s', e', and p' are the state, environment, and output streams in the implementation. The terms (s o abs), (e o abs), and (p o abs) are the state, environment, and output streams for the interpreter defined in the model. They are data and temporal abstractions of s', e', and p'.

The correctness statement says that if the implementation is valid on its state, environment, and output streams and there is a time when the implementing clock is at the beginning of its cycle, then the interpreter is valid on its state and environment streams.

#### 2.3.5.5 Composing Interpreters Hierarchically

In [Win88], we show that hierarchical decomposition makes the verification of large microprocessors practical. To support this decomposition, the generic interpreter model contains a theorem about composing generic interpreters hierarchically.

```
|- (INTERP gi1 = Impl gi2) ∧
   (select gi1 = count gi2) ==>
   !(s'':time->*state'') (e'':time->*env'') (p'':time->*out'').
     let s't = (substate gi1 (s''t)) and
         e't = (subenv gi1 (e''t)) and
         p't = (subout gi1 (p''t)) and
         ft = (count gi1 (s''t) (e''t) = start gi1) in
     let st = (substate gi2 (s't)) and
         et = (subenv gi2 (e't)) and
         pt = (subout gi2 (p't)) and
         gt = (select gi1 (s't) (e't) = start gi2) in
     let abs1 = (Temp_ABS f) in
     let abs2 = abs1 o (Temp_ABS (g o abs1)) in
       (Impl gi1 s'' e'' p'') ∧
       (?t. ft) ==>
       (?t. (g o abs1) t) ==>
       INTERP gi2 (s o abs2) (e o abs2) (p o abs2)
```

This theorem states that if gi1 and gi2 are generic interpreters and they are connected such that the interpreter definition of gi1 is the implementation of gi2 then the implementation of gi1 implies the interpreter definition of gi2. This important theorem captures the temporal and data abstraction required to compose two interpreters.

This theorem is a good example of the utility of abstract theories in hardware verification. This theorem is tedious to prove and were it not contained in the abstract theory, it would have to be proven numerous times in the course of a single microprocessor verification.

#### 2.4 Parallel Composition

Our eventual goal is to use the work that is described in Section 4 to show how a set of interpreters can be composed with each other in parallel. This goal is significantly different from the theorem described in Section 2.3.5.5. In hierarchical composition, the implementation of one interpreter model is the interpreter from the other. In parallel composition, the two interpreters share a behavioral specification (i.e., interpreter definition), and the implementation is two or more interpreters linked together. The interpreters can be linked by shared state, common input, common output, and connections between the interpreters' inputs and outputs.

Undoubtedly, as our theory of composition matures, the generic interpreter theory will change. The advantage of generic theories is that these changes can be made more easily in the generic theory than they can in a specific definition of a VLSI device.

#### 2.5 Conclusion

This section has described the generic interpreter model. The theory isolates the temporal and data abstractions of the proof inside the abstract theory. The theory also contains several important theorems about the abstract representation.
These theorems are true of every instantiation of the abstract representation that meets the theory obligations. The theory has many important benefits:

- The generic model structures the proof by stating explicitly which definitions must be made (one for each of the members of the abstract representation) and which lemmas need to be proven about these definitions (namely, the theory obligation). This is a substantial improvement over previous microprocessor verifications where these decisions were made on an ad hoc basis.
- The generic model insulates users of the model from complex proofs about the data and temporal abstractions. These proofs are done once and then made available to the user by instantiation.
- The use of a generic interpreter model for specifying and verifying microprocessors provides a methodological approach. Making specification and verification methodological is an important step in turning what has been primarily a research activity into an engineering activity.

#### 3 Design Specification

This section describes the lower five levels of the PIU specification hierarchy (Figure 1.3), which constitute the design specification. The discussion proceeds bottom-up, beginning with the gate-level specification of individual ports and finishing up with the clock-level specification for the entire PIU.

The gate-level specification, described in Section 3.1, corresponds to the lowest-level design implemented by the PIU design team. Below this level a silicon compiler provides the translation to the mask layout used for chip fabrication. The specification effort described in this report is not concerned with this translation, which currently falls within the domain of the tool vendor — Mentor Graphics Corporation.

A set of detailed-design schematics was produced by the design team as part of the design process. Unfortunately they are not suitable for this report because, in printed form, many are too small to be understood.
Because of this we created our own set of schematics, included in Section 3.1, to accompany the HOL specifications located within the appendices. These schematics are provided as aids to understanding only, since, due to time constraints in developing them, they are not complete nor are they fully accurate.

Sections 3.2 through 3.5 describe, in order, the phase-level specifications for the five ports, the clock-level specifications for the five ports, the port-level structural specification, and the clock-level specification for the entire PIU.

#### 3.1 Gate-Level Structure

The gate-level specifications for the five PIU ports use the structural definition style described in [Gor86] and in use throughout the HOL community. Within each port, each component, or block, has its behavior specified in the form of a predicate; in essence, the block behavior is defined to be the relationship between inputs, outputs, and internal states that results in the predicate's being true. The behavior of the composition of these blocks is defined as the logical conjunction of the individual block predicates. Existentially quantified variables are used for the block interconnections internal to the port-level composition.

The gate-level specification for the PIU is much too unwieldy for a detailed coverage in these pages. This section therefore provides only a high-level explanation of the PIU's operation and the HOL models that represent it. References will be made to the appropriate sections of the appendices for the full details.

We begin in Section 3.1.1 with a description of the components used in the PIU design. Fortunately, the design uses only a small subset of the component types available in the silicon compiler library, ranging in complexity from individual logic gates to medium-scale integration (MSI) datapath elements and finite-state machines. Section 3.1.2 explains how the components are combined to form the five PIU ports.
#### 3.1.1 Component Descriptions

The HOL models for elementary logic gates follow closely the previous work in this area and we say little about this subject. Modeling sequential logic is more interesting however. Previous sequential models generally depict even the most elementary components as edge-sensitive devices — a flip-flop perspective. However, in the design tool used for the PIU, the elementary sequential component is not edge-sensitive, but rather the level-sensitive latch. Flip-flops are higher order components, consisting of two or more latches. As explained below, the level-sensitive components used in the PIU require a different modeling approach.

#### 3.1.1.1 Combinational Logic

The PIU specification requires only a few inverters, AND and OR gates, and buffers from the component library. The specification style used for these components follows that of earlier work and is demonstrated in the AND-gate definition shown here. The theory gates\_def in Appendix A contains the complete HOL source for these components.

```
|- AND3_SPEC a b c z =
    ∀ t:time. z t = (a t) ∧ (b t) ∧ (c t)
```

#### 3.1.1.2 Latches

The HOL definitions for the latches used in the PIU design are contained in the theory latches\_def in Appendix A. In this section we describe the modeling of a simple D latch as an explanation of the HOL models.

The following definition of a D latch demonstrates the specification style that we use for PIU latches. This specification states that the next state *q\_state (t+1)* equals the input *d\_in t* if the clock *clk\_in t* is active, otherwise it equals its current value *q\_state t*. The latch output *q\_out* equals the new state.

```
|- DLAT_SPEC d_in clk_in q_state q_out =
    ∀ t:time.
      (q_state (t+1) = (clk_in t) => d_in t | q_state t) ∧
      (q_out t = q_state (t+1))
```

Latch behavior is being expressed here as a finite-state machine (FSM), using both a next-state function and an output function.
Previous latch models in HOL, where the next-state function was also used for outputs, failed to faithfully represent true latch behavior. To demonstrate why this is true, Figure 3.1(a) shows an example circuit where two latches, in series, are clocked with the same phase of the system clock. To our knowledge, scenarios such as this have not been considered in prior verification work; however, we cannot dismiss them since they occur within the PIU design. Actually, such combinations might be expected in any standard-cell approach to chip design where designers work with predefined cells containing a multitude of latches in fixed locations. There are places in the PIU design, for example, where avoiding these combinations would actually require a more complicated design. The circuit in Figure 3.1(a) would be incorrectly modeled if latch models containing only the next-state function of *DLAT\_SPEC* were used. This is demonstrated in the HOL code segments of Figure 3.1(b), defining first the behavior of the implementation, including the next state of latch *L2* derived from this behavior, followed by a reasonable specification for its *required* behavior. The behavior of the implementation (IMP) is a standard composition of individual latch behaviors. The key observation here is that the value of z at time t+1 depends on signal values at time t-1 (e.g., a (t-1)). However, as expressed in the model of required behavior (REQ), in reality the circuit of Figure 3.1(a), when viewing the signal z, behaves no differently than a single A-clocked latch does (aside from propagation delay differences not expressed at this level). Therefore, the value of z (t+1) should be a function of signal values at time t, not t-1. Note that for the general case of t series, same-phase latches, we would have t as a function of signals at time t at time t is not what we want. 
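
A small simulation of the series-latch problem described above, as an added example that is not code from the report (it does not reproduce the HOL segments of Figure 3.1(b)). The function names and waveforms are constructed, and the chain is generalized from two latches to n same-phase latches.

```python
# Constructed comparison of two latch models; signals are lists indexed by time.

def next_state_only_latch(d, clk, q0=0):
    """q (t+1) = clk t => d t | q t, with the state itself as the visible
    signal. Returns q for times 0..len(d)."""
    q = [q0]
    for t in range(len(d)):
        q.append(d[t] if clk[t] else q[t])
    return q

def dlat_spec(d, clk, q0=0):
    """DLAT_SPEC: the same next-state function plus the output function
    q_out t = q_state (t+1). Returns (q_state, q_out)."""
    q_state = next_state_only_latch(d, clk, q0)
    return q_state, q_state[1:]

def series_next_state_only(a, clk, n):
    """n same-phase latches in series, next-state function only.
    Returns z (t+1) for t = 0..len(a)-1, z being the last latch."""
    sig = list(a)
    for _ in range(n):
        q = next_state_only_latch(sig, clk)
        sig = q[:-1]              # the downstream latch sees q t at time t
    return q[1:]

def series_dlat_spec(a, clk, n):
    """The same chain built from DLAT_SPEC latches."""
    sig = list(a)
    for _ in range(n):
        q_state, sig = dlat_spec(sig, clk)   # downstream sees q_out t
    return q_state[1:]

def required(a, clk):
    """Required behavior: the chain looks like one latch on the same phase."""
    return next_state_only_latch(a, clk)[1:]

def lag(z_next, a):
    """Ticks by which z (t+1) trails a t; call with the clock held active
    and distinct, nonzero input values."""
    return z_next.index(a[0])

# Constructed waveforms: clock phase and data input.
CLK = [1, 0, 1, 1, 0, 0, 1, 0]
A = [5, 6, 7, 8, 9, 1, 2, 3]

if __name__ == "__main__":
    print("required       :", required(A, CLK))
    print("DLAT_SPEC x2   :", series_dlat_spec(A, CLK, 2))
    print("next-state x2  :", series_next_state_only(A, CLK, 2))
    ramp, on = [1, 2, 3, 4, 5, 6], [1] * 6
    for n in (1, 2, 3):
        print(n, "latches: lag", lag(series_next_state_only(ramp, on, n), ramp),
              "vs", lag(series_dlat_spec(ramp, on, n), ramp))
```

With the clock held active, the next-state-only chain trails the input by n-1 ticks, while the DLAT_SPEC chain has no lag for any n.
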
We note that the source of this problem is the level-sensitive nature of latches, which results in cascaded latches behaving very much like combinational logic; this is not true of edge-sensitive components such as flip-flops.

Figure 3.1: Two Series Latches Clocked by the Same Phase.

Revisiting fundamental FSM definitions suggests ways to solve this latch modeling problem. In automata theory texts, such as [Koh78], the next-state and present-output of an FSM are said to be functions of the present-state and present-inputs. Figure 3.2(a) is a pictorial representation of this where the *present* and *next* times are denoted by t and t+1, respectively. Figure 3.2(b) shows an alternative approach where the inputs and outputs use the time index of the next-state.

In models of synchronous systems such as FSMs, lower-level issues such as propagation delay are not represented. For a latch, whose time interval is a single clock phase, the present- and next-states correspond to the states at exactly the beginning and end of the phase, respectively. All present-inputs can similarly be assumed to arrive at either the phase beginning or end. Present-outputs are defined in terms of the present-state and -inputs, and are assumed to be transmitted with zero delay. Of course, in reality an input is a present-input only if it satisfies the setup and hold times of the latch with respect to the falling edge (the end) of the clock phase; state changes and output transmissions have propagation delay as well.

With this view of FSM behavior, it is clear that for a formal latch model to be composable in all clocking scenarios it must use the same time index for both its present-inputs and -outputs. This is necessary to permit signal propagation through series-connected, same-phase latches in zero time. In a latch model using only a single FSM next-state function, this function must play the role of the output function as well; thus, the time index of the current-output is t+1.
If the standard interval representation of Figure 3.2(a) is used, then the input and output time indexes don't match, resulting in the problem explained above. Two obvious solutions are to either use the alternative interval representation of Figure 3.2(b) or else use a second FSM function for the output, matching its time index to that of the input.

Figure 3.2: Interval Representations.

We mention the first solution, using the alternative interval representation, only to point it out as a candidate for future consideration. We currently prefer the second approach, expressed in the model DLAT\_SPEC above, since it is consistent with the generic interpreter model described in Section 2.

#### 3.1.1.3 Flip-Flops

HOL definitions for the flip-flops used in the PIU design are contained in the theory ffs\_def of Appendix A. In this section we describe the modeling of a simple D flip-flop as an explanation of the HOL models.

Flip-flops are built out of latches as in the example phase-A-clocked D flip-flop shown in Figure 3.3. In this model inputs arriving at the flip-flop during phase B are latched on the falling edge of B. The new flip-flop output is available at the beginning of phase A and remains stable for an entire clock period. From an edge-triggered point of view this flip-flop is seen to be clocked on the rising edge of phase A.

It is an interesting side note that in discussions with the PIU designers it became clear that their view of flip-flop behavior is somewhat different from the perspective that we employ. For example, if asked to choose which of the two latches in the flip-flop model of Figure 3.3 represents the true state of the flip-flop, the designers say latch L2 and we say L1. This difference is easy to understand given the modeling environments that each group uses, and it turns out that the FSM-based specification approach embodied in Figure 3.3(b) provides a perspective to help reconcile these two viewpoints.
The PIU designers view latch L2 as the important one because it is the only one directly visible to them during simulation. All flip-flop changes occur on the rising edge of L2's clock (phase A) and the flip-flop is stable otherwise. From this perspective the purpose of latch L1 is only to ensure the edge-triggered nature of the flip-flop by restricting possible flip-flop output values to those inputs arriving before phase A rises.

As formal verifiers we view L1 as the important latch because it is clocked by phase B, the last phase in the clock cycle. This is important when we make the jump in abstraction from the phase level to the clock level and wish to eliminate one of the two state variables associated with these latches (data abstraction). As a general rule it is best to keep the latch with the most up-to-date state among the candidates for elimination, otherwise updated state will not be carried forward to the next clock cycle when the model is symbolically executed. From this perspective latch L1 contains the essential state of the flip-flop of Figure 3.3 and L2 serves only to control the time at which the new flip-flop state is made externally visible.

Figure 3.3: Example D Flip-Flop Constructed With Latches.

At the clock level of abstraction we model the state of a flip-flop as the contents of its phase-B latch and embed the behavior of the phase-A latch within the flip-flop output. This FSM-based approach is also compatible with the PIU designer perspective if we take a commonly-used black box view of fundamental components such as flip-flops. In such an approach, only the inputs and *outputs* of these components are visible to an outside observer during simulation — the internal state is hidden.

#### 3.1.1.4 Counters

Counters are implemented as flip-flops surrounded by increment/decrement and selection logic.
All of the counters used in the PIU design are functionally of the form of the example in Figure 3.4 — incrementing is performed within the output stage rather than the input stage. The HOL source for all PIU counters is contained in the theory *counters\_def* of Appendix A.

The inputs $ld\_in$ and $up\_in$ control the operation of this counter. If $ld\_in$ is active then the input $d\_in$ is loaded into the counter, otherwise the current value, incremented or nonincremented according to the $up\_in$ input, is reloaded. The input $up\_in$ also controls the value output by the counter.

Figure 3.4: Functional Block Diagram of a Counter.

#### 3.1.1.5 CTR Datapath Block

The PIU R\_Port contains two 64-bit counters implemented using a total of four 32-bit CTR datapath blocks. The CTR datapath blocks are themselves built from lower-level components of the compiler library, but we treat them as primitives here since they are used directly in the R\_Port specification. The HOL source for the CTR datapath block is contained in the theory datapaths\_def of Appendix A.

Figure 3.5 shows the functionality of the CTR datapath block. It behaves much like the counter of the previous section, but with additional features such as provisions for carry-in and carry-out and multiple output ports.

Figure 3.5: Functional Block Diagram of the CTR Datapath Block.

Of the 11 latches in this model, the one best representing the counter value is L4, holding the value ctr. Latch L2 contains the load-input, controlling whether a new value is loaded or the updated counter value is reloaded. Latches L1 and L8 hold these two values, respectively. Latches L5 and L6 hold values controlling the incrementer itself. For the top half of the 64-bit counters, L6 contains the carry-in from the lower half. Latch L7 holds the carry-out from the counter. Latches L9 and L10 implement a flip-flop holding the updated counter value for possible output.
The two latches L3 and L11 control the writing of latch values onto Bus\_A, from the input side and output side, respectively.

## 3.1.1.6 ICR Datapath Block

The R\_Port contains a single Interrupt Control Register (ICR) implementing memory-mapped interrupts for the local processor. The HOL source for this block is located in the theory datapaths\_def of Appendix A.

Figure 3.6 shows a functional block diagram of this block. The true ICR value is located in the flip-flop implemented by latches L4 and L5. The flip-flop implemented by L1 and L2 holds the ICR value fed back using Bus\_A. Latch L3 holds a mask-adjustment value that resets or sets individual mask bits according to the value of input icr\_select. Latch L6 controls the writing of values onto Bus\_A either as part of an ICR read by an external processor or the feedback mentioned above.

Figure 3.6: Functional Block Diagram of the ICR Datapath Block.

### 3.1.1.7 CR Datapath Block

The R\_Port contains two control registers (CRs), called GCR (for General Control Register) and CCR (for Communications Control Register). The HOL source for the CR datapath block is located in the theory datapaths\_def of Appendix A.

Figure 3.7 shows a functional block diagram of the CR datapath block. In comparison with the previous two datapath blocks, this one is relatively simple, containing a single latch (L1) to hold a loaded 32-bit value and a latch (L2) to control the writing of this value onto Bus\_A. The second output port, always enabled, provides the CR bits to the PIU subsystems controlled by the control register.

Figure 3.7: Functional Block Diagram of the CR Datapath Block.

## 3.1.1.8 SR Datapath Block

The R\_Port contains a single Status Register (SR) that may be read by an external processor. The HOL source for the SR datapath block is located with the previous datapath blocks in the theory datapaths\_def of Appendix A. Figure 3.8 shows a functional block diagram of this datapath block.
Inputs provided by several subsystems of the PIU are collected and stored in latch L1; latch L2 controls the writing onto Bus\_A.

Figure 3.8: Functional Block Diagram for the SR Datapath Block.

#### 3.1.1.9 Finite-State Machines

Finite-state machine (FSM) modules are used in every PIU port to control the sequencing of port operations. Each FSM module has the structure shown in Figure 3.9. FSM inputs are loaded during phase B, as is the fed back present-state. Combinational logic implements the next-state and output functions, whose results are loaded into the output latches during phase A for transmission to the external system.

Figure 3.9: Functional Block Diagram for Finite-State Machines.

# 3.1.2 Block Diagram Descriptions

To simplify the PIU specification task, we augmented the set of compiler-library components just described with several logic-blocks built of more-primitive components. Two guidelines were followed in constructing these superblocks. First, instances of multilevel logic were converted into equivalent behavioral descriptions. Secondly, memory elements holding multibit words were sometimes grouped into single blocks to facilitate modeling with our array-access functions. Together, these steps greatly decreased the number of components in the gate-level description of the PIU with a risk of introducing modeling error that we consider to be low.

Creating superblocks also has the beneficial side effect of simplifying our description of the five PIU ports. Even so, the complexity of the resulting specification remains formidable and a fully detailed pictorial description of the PIU structure is beyond the scope of this report. The HOL descriptions in Appendix B should be considered the gate-level specification for the five PIU ports; the descriptions in this section are intended only to provide insight so that the HOL is more easily understood.
Although considerable care has gone into the construction of these descriptions, they are not complete and contain minor inaccuracies as well. The ports are described in the order: P\_Port, M\_Port, R\_Port, C\_Port, and SU\_Cont, in the following five subsections.

#### 3.1.2.1 P\_Port Structure

The top-level block diagram of the P\_Port, shown in Figure 3.10, describes the partitioning of the P\_Port into two subblocks: datapath and controller. These are further broken down in the two figures that follow Figure 3.10.

Figure 3.10: P\_Port Top-Level Block Diagram.

The P\_Port Datapath, shown in Figure 3.11, consists mainly of latches to hold L\_Bus-sourced information and tristate buffers for driving the L\_Bus and I\_Bus. Read from top to bottom, the latch contents are: 32-bit data, the 26 least significant address bits, the most significant address bit, the 4-bit byte enables, and the write/read bit, all sourced by the local processor. All control signals are provided by the P\_Port Controller.

Figure 3.11: Block Diagram of P\_Port Datapath.

The P\_Port Controller is shown in Figure 3.12. The FSM block implements the I\_Bus protocol and supports atomic memory accesses by the local processor. The other blocks support the FSM by encoding information received from the two adjacent buses and by handling some of the control-signal generation. The $Req\_Inputs$ block implements the setting and resetting of the $P\_rqt$ latch, based on new-transaction requests and transaction-completed messages received from the L\_Bus and I\_Bus, respectively. An active high $P\_rqt$ indicates a pending or in-progress L\_Bus transaction. The Ctr\_Logic block keeps track of the number of words remaining in the current transaction so that the slave port can be notified when the last word is being accessed. The $Lock\_Inputs$ block and associated latches provide support for handling atomic operations.
The $P\_lock\_$ latch holds the most recent valid lock signal provided by the local processor. The FSM implements memory locking by locking the I\_Bus.

Figure 3.12: Block Diagram of the P\_Port Controller.

## 3.1.2.2 M\_Port Structure

The top-level structure of the M\_Port is shown in Figure 3.13. It has the same form as the P\_Port, containing a single datapath block and a single controller block. These are described further in the two figures following Figure 3.13.

Figure 3.13: M\_Port Top-Level Block Diagram.

Figure 3.14 shows the structure of the M\_Port datapath. On the left is the interface to the M\_Bus. The EDAC\_Decode\_Logic block performs a Hamming decode on the 56-bit data received from the M\_Bus, while the Enc\_Out\_Logic block encodes 32-bit data for writing onto the M\_Bus. The Read\_Latches block stores the 32-bit decoded data word read from memory. The Mux\_Out\_Logic block selects bytes from this stored value or else the word currently on the I\_Bus for writing onto the M\_Bus. The stored bytes are written back as part of a read-modify-write implementation of byte-write operations.

Figure 3.14: Block Diagram of the M\_Port Datapath.

The M\_Port controller is shown in Figure 3.15. The left side of the figure is the I\_Bus interface. The SE\_Logic block determines whether a memory access is to SRAM memory or to EEPROM memory, based on the memory address. It drives the appropriate chip-select signal based on this determination. The WR\_Logic block determines whether a memory access is a read or write and provides this information to the rest of the M\_Port. The Addr\_Ctr block and BE\_Logic block store the memory address and byte enables, respectively, for the word being accessed. The Rdy\_Logic, Ctr\_Logic, and Srdy\_Logic blocks together implement most of the I\_Bus protocol for the M\_Port, which consists mainly of controlling the value of the I\_srdy\_ signal transmitted back to the I\_Bus master.
The 2-bit counter in Ctr\_Logic implements variable wait-states for the SRAM and EEPROM memory. The FSM block provides high-level control of the memory interface. It sequences through a series of states, depending on the type of memory transaction, and provides output signals mainly used by the Enable\_Logic block to implement the control of the M\_Port datapath. The FSM also directly controls bus enabling for the I\_Bus. The Memparity\_In\_Logic block and its associated latch store the error status for memory accesses. The output MB\_parity is transmitted to the R\_Port where it is stored in the Status Register.

Figure 3.15: Block Diagram of the M\_Port Controller.

#### 3.1.2.3 R\_Port Structure

The R\_Port top-level block diagram is shown in Figure 3.16. Of the five major blocks shown there, three are described further in the figures that follow Figure 3.16. The Register File block is not broken down further since it consists entirely of the datapath blocks described in Sections 3.1.1.5 through 3.1.1.8. There are four CTR blocks implementing two 64-bit counters, one ICR block, two CR blocks implementing the GCR and CCR, and one SR block. The Bus Interface block represents the multiple tristate buffers that potentially drive the Bus\_A node of the R\_Port. This block is similar to the approach used to model buses described in [Joy90].

The Register File Controller is shown in Figure 3.17. The Wr\_Lat block determines whether a register access is a read or write and provides this information to the rest of the R\_Port. The FSM block is a simple 3-state state machine providing high-level control of the register accesses and I\_Bus interface. The RW\_Sigs block encodes the FSM output to implement this control. The $Reg\_Sel\_Ctr$ block contains a 4-bit counter holding the register number for the current access. The $R\_srdy\_del\_$ latch value is used to increment the counter on multiword accesses.
The $Reg\_File\_Ctl$ block decodes the register address to create most of the control signals needed by the register file.

Figure 3.16: R\_Port Top-Level Block Diagram.

Figure 3.17: Block Diagram of Register File Controller.

The Timer Interrupt Block is shown in Figure 3.18. It consists of two identical sub-blocks, each implementing the interrupt logic for one of the two 64-bit counters. The latches $R\_col\_cout$ and $R\_ccl\_cout$ hold the carry-out values of the two counters. The $Ctr\_int\_Logic$ blocks use this information and several bits of the GCR to determine whether the timer interrupts should be enabled or not. The two interrupt outputs, Int1 and Int2, are active-high signals sent to the local processor.

Figure 3.18: Block Diagram of the Timer Interrupt Block.

Figure 3.19 shows the structure of the Register Interrupt Block. The $And\_Tree$ block receives the 32-bit ICR value, consisting of 16 interrupt-set bits and 16 mask bits. Half of these bits are dedicated to interrupt $Int0\_$ and half to $Int3\_$. If an interrupt-set bit and its associated mask bit are simultaneously active-high, then the appropriate latch, $R\_int0\_en$ or $R\_int3\_en$, is loaded with a logic-1.

Figure 3.19: Block Diagram of the Register Interrupt Block.

## 3.1.2.4 C\_Port Structure

The C\_Port top-level structure is shown in Figure 3.20, minus the complicated external interfaces. The C\_Port controller is divided into two subunits because of its large size. Because we could not identify a logical partitioning, we simply divided the existing schematic down the center, creating a left half and a right half, controllers A and B, respectively.

Figure 3.20: C\_Port Top-Level Block Diagram.

Figure 3.21: Block Diagram of the C\_Port Datapath.

Figure 3.21 shows the C\_Port datapath block diagram. The right side of the figure shows the interface between the I\_Bus and the C\_Bus.
The *Parity\_Decode\_Logic* block decodes the 18-bit parity-encoded data received from the C\_Bus data lines. It outputs 16-bit data and a single-bit error-detection flag. The CB\_In\_Latches block stores the messages received from the C\_Bus. This information consists of transaction header information, address, and data. The BE\_Out\_Logic block outputs the byte enables onto the I\_Bus. The CB\_Out\_Logic block parity-encodes data for transmission onto the C\_Bus.

On the left side of the figure, the *Grant\_Logic* block implements the C\_Bus arbitration. The *Addressed\_Logic* block determines whether this PIU is being addressed by the C\_Bus master. The *D\_Writes\_Logic* block determines whether this PIU is an active channel or not; if not then it prohibits memory accesses using the *Disable\_writes* output. The *Parity\_Signal\_Inputs* block controls the setting and resetting of the *C\_parity* latch, whose output, *CB\_parity*, is transmitted to the R\_Port SR.

Part (A) of the C\_Port controller is shown in Figure 3.22. The two state machines, *Master FSM* and *Slave FSM*, implement the C\_Bus protocol from the master and slave perspectives, respectively. The *Srdy FSM* controls the enabling of I\_Bus slave signals transmitted by the C\_Port. The Last\_Logic block and the latches holding C\_lock\_in\_ and C\_last\_in\_ preprocess the I\_lock\_ and I\_last\_ I\_Bus signals received from the P\_Port. The Hold\_Logic block and the latches holding C\_last\_out\_ and C\_hold\_ process the I\_last\_ and I\_hold\_ signals transmitted over the I\_Bus. The Cout\_Sel\_Logic block determines which 16-bit word is to be transmitted over the C\_Bus and provides selection signals to the datapath to control this.

Figure 3.22: Block Diagram of the C\_Port Controller (Part A).

Figure 3.23 shows part (B) of the C\_Port controller. The *DP\_Ctls PLA* block converts output signals from both the master and slave state machines of part (A) into control signals for the datapath.
The latches at the output of this block, as well as the *Cout\_l\_Le\_Logic* block, provide further processing for the datapath, primarily to control the enabling of the datapath latches. The CBss\_Out\_Logic block and the CBms\_Out\_Logic block determine the master-status and slave-status, respectively, for C\_Bus transactions. The Srdy\_In\_Logic block decodes the slave-status input from the C\_Bus to determine whether the slave is ready for the next transaction. The Rdy\_Logic block, the ISrdy\_Out\_Logic block, and intervening latches implement the generation and transmission of the I\_srdy\_ signal to the I\_Bus. The Iad\_En\_Logic block controls the enabling for address and data transmissions over the I\_Bus. The Pe\_Cnt\_Logic block controls the enabling of parity-error counting within the datapath.

Figure 3.23: Block Diagram of the C\_Port Controller (Part B).

## 3.1.2.5 SU\_Cont Structure

The SU\_Cont structure is divided into the two subsections shown in Figures 3.24 and 3.25. The first figure shows mainly the blocks that interact with the other ports within the PIU, while the second shows mainly those that interface with the local processor.

The FSM block in Figure 3.24 controls the initialization process. It sequences through states that successively reset and test CPU0, reset and test CPU1, then select and initialize the active mission processor. It uses the output of the 18-bit counter block, via the Muxes block, to control its time duration in many of its states. The Delay In block processes the input signals for the counter block. The Dis\_Int\_Out block determines and then transmits reset signals and various disable signals to the other ports.

The blocks Scnt\_In, Scnt\_In1, the 3-bit counter block, and the intervening latches support the software-based acceptance test of each processor. The output S\_Soft\_Cnt contains the number of instances that the local processor writes a specific pattern to the General Control Register in the R\_Port.
If not equal to a specific bit pattern, this counter value indicates a failed acceptance test.

Figure 3.24: Block Diagram of the Startup Controller PIU-Port Interface.

Figure 3.25 shows the SU\_Cont blocks that interact mainly with the local processor. The $Cpu\_Ok$ block and the $Fail\_In$ block together control the loading of four latches holding failure-status information. The $Cpu\_Ok$ block uses the $S\_Soft\_Cnt$ signal just discussed and the $Failure\_$ signals from the local processors. The latch outputs are transmitted to the R\_Port where they are stored in the Status Register. The Bad\_Cpu\_In block controls the loading of two latches holding processed failure status of the two local processors. These latch outputs are used, together with FSM block outputs, in the misc logic block to control the loading of two other latches. These latch outputs are used to maintain the local processors in a reset or nonreset state, as appropriate.

Figure 3.25: Block Diagram of the Startup Controller CPU Interface.

# 3.2 Port Phase-Level Behavior

The phase-level specification for each PIU port is a behavioral abstraction of the corresponding gate-level structure. Each port is defined in terms of a 2-instruction instruction set, corresponding to the behavior occurring during each of the two clock phases. Each instruction is itself represented using two functions, defining the next-state transition and the output. Consistent with the generic interpreter model, the states and outputs for the ports are represented as n-tuples.

Appendix C contains the HOL phase-level specification. The ports are presented in the order: P\_Port, M\_Port, R\_Port, C\_Port, and SU\_Cont, in Sections C.1 through C.5, respectively. Within each section the next-state function for phase A is presented first, followed by the output function for phase A, and the next-state and output functions for phase B.
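The D flip-flop of Section 3.1.1.3 written in the two-instruction phase-level form described above, with its clock-level abstraction checked by enumeration. This is an added Python illustration, not the report's HOL source; the function names, the 2-bit data width, and the convention that a clock period is phase A followed by phase B with one input sample per phase are assumptions of the example.

```python
from itertools import product

WIDTH = 2                          # assumed small data width so every case can be enumerated
VALUES = range(2 ** WIDTH)

# Phase-level state is the pair (l1, l2): L1 is the phase-B latch and
# L2 is the phase-A latch that drives the flip-flop output.
# Each instruction is a (next-state function, output function) pair.

def phase_a_next(state, d_in):
    l1, _ = state
    return (l1, l1)                # L2 is open during phase A and copies L1

def phase_a_out(state, d_in):
    l1, _ = state
    return l1                      # the new value is visible as soon as phase A begins

def phase_b_next(state, d_in):
    _, l2 = state
    return (d_in, l2)              # L1 ends phase B holding the phase-B input

def phase_b_out(state, d_in):
    _, l2 = state
    return l2                      # L2 is closed, so the output stays stable

PHASE_INSTRUCTIONS = ((phase_a_next, phase_a_out), (phase_b_next, phase_b_out))

def run_clock_period(state, inputs):
    """Execute phase A then phase B. inputs = (d during A, d during B)."""
    outputs = []
    for (next_fn, out_fn), d_in in zip(PHASE_INSTRUCTIONS, inputs):
        outputs.append(out_fn(state, d_in))
        state = next_fn(state, d_in)
    return state, tuple(outputs)

# Clock-level model: a single instruction, state reduced to the phase-B latch L1.

def clock_next(l1, d_b):
    return d_b

def clock_out(l1, d_b):
    return l1                      # behaviour of L2 folded into the output function

def keep_l1(state):
    return state[0]

def keep_l2(state):
    return state[1]

def abstraction_counterexample(project):
    """Search for two phase-level states that look identical after projection
    but behave differently over one clock period under the same inputs.
    Returns (state_1, state_2, inputs), or None if the projection is adequate."""
    seen = {}
    states = product(VALUES, VALUES)
    for state, inputs in product(states, product(VALUES, VALUES)):
        next_state, outputs = run_clock_period(state, inputs)
        key = (project(state), inputs)
        result = (project(next_state), outputs)
        if key in seen and seen[key][1] != result:
            return seen[key][0], state, inputs
        seen.setdefault(key, (state, result))
    return None

def clock_model_agrees(trace, state=(0, 0)):
    """Run both levels over a trace of per-period inputs and compare the
    outputs and the abstracted state after every clock period."""
    l1 = keep_l1(state)
    for inputs in trace:
        state, outputs = run_clock_period(state, inputs)
        if outputs != (clock_out(l1, inputs[1]),) * 2:
            return False
        l1 = clock_next(l1, inputs[1])
        if l1 != keep_l1(state):
            return False
    return True

if __name__ == "__main__":
    print("keep L1:", abstraction_counterexample(keep_l1))
    print("keep L2:", abstraction_counterexample(keep_l2))
```

Keeping L1 yields no counterexample, while keeping L2 produces two states with the same L2 contents that diverge in the next period, which is the lost-update problem the flip-flop discussion describes.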
#### 3.3 Port Clock-Level Behavior

The clock-level specification for each PIU port is both a temporal abstraction and a data abstraction of the corresponding phase-level specification. Here the unit of time is an entire 2-phase clock period, rather than a single phase. Data abstraction is achieved by eliminating state variables representing certain latch values. Usually the eliminated latches are part of edge-triggered devices, such as flip-flops and counters, and are clocked on phase A.

In contrast to the phase level, where the choice of instruction set is dictated by the number of clock phases, the choice at the clock level is much more subjective. For example, only a single instruction is really necessary to capture the behavior of the ports. This would provide the most concise description of behavior at the cost of providing the least understandable description. At the opposite extreme, the ports could be specified using an instruction set with millions of very simple and easy-to-understand instructions. However, verifying such a large instruction set would be infeasible, as would the mere goal of trying to print their descriptions.

Instruction sets provide the human interface to state-transition system behavior. Their existence implies an instruction selection capability such as that provided by the *select* function of the generic interpreter model. Often this functionality is referred to as instruction decoding, and the proper choice of this function (i.e., of the instruction set itself) is important for any specification attempting to provide a human-understandable yet concise description of behavior. By their very nature, *microprocessor* instruction sets at the macro and microcode levels must be straightforward to specify since they provide the programming interface for the microprocessor.
However, since the PIU was never intended to be programmed, nor is it microcoded, (clock-level) instruction set elegance received little consideration from the PIU design team. As a result, a clock-level instruction set for each port in which each instruction specifies a single well-defined action would require many tens of individual port-level instructions. The composition of these port-level instructions would require many tens or hundreds of PIU-level instructions, requiring many thousands of pages to even print; verifying these instructions would be an enormous undertaking.

Based on these considerations, we have abandoned our earlier efforts to define human-friendly instruction sets at the clock level. Instead we have opted for practicality and we specify clock-level behavior using a *single* instruction for each port. Each port instruction has two parts — a next-state function and an output function, defining the next state and output under all operating conditions. Sections D.1 through D.5 of Appendix D contain the HOL specification for this level.

#### 3.4 PIU Port-Level Structure

The PIU port-level structure is a structural composition of the five clock-level port specifications. We have used the standard approach to structural composition in which component-defining predicates are logically ANDed to form the composite behavior. Existentially-quantified variables are used for component outputs remaining internal to the composed system. Appendix E contains the HOL specification for this level.

# 3.5 PIU Clock-Level Behavior

Appendix F contains the HOL specification for the PIU clock-level behavior. As with the individual ports, the clock-level behavior of the entire PIU is represented using only a single instruction consisting of a next-state function and an output function.
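The composition style of Section 3.4 on a small case, as an added Python illustration (not the report's HOL source): two clock-level flip-flop predicates are ANDed, the wire between them is hidden by an existential quantifier, and the result is compared with a behavioral predicate over the external signals only. The 1-bit signals, the finite trace length and all names are assumptions, and the miswired composite is constructed to show that an unsatisfiable composition meets any specification vacuously.

```python
from itertools import product

N = 4                                        # assumed trace length in clock periods
TRACES = list(product((0, 1), repeat=N))     # every 1-bit signal over N periods

def dff(d, q):
    """Clock-level D flip-flop as a predicate on signals: q(t+1) = d(t)."""
    return all(q[t + 1] == d[t] for t in range(N - 1))

def inv(a, b):
    """Inverter as a predicate on signals: b(t) = NOT a(t)."""
    return all(b[t] == 1 - a[t] for t in range(N))

def shift2_impl(a, c):
    """Structural composition: EXISTS b. dff(a, b) AND dff(b, c).
    The internal wire b never appears in the composite's interface."""
    return any(dff(a, b) and dff(b, c) for b in TRACES)

def shift2_spec(a, c):
    """Behavioural specification over external signals only: c(t+2) = a(t)."""
    return all(c[t + 2] == a[t] for t in range(N - 2))

def broken_impl(a, c):
    """Constructed miswire: the inverter's output b is tied to its own input.
    EXISTS b. dff(a, b) AND inv(b, b) AND dff(b, c) has no satisfying b."""
    return any(dff(a, b) and inv(b, b) and dff(b, c) for b in TRACES)

def implies(impl, spec):
    """FORALL a c. impl(a, c) ==> spec(a, c), checked over every trace pair."""
    return all(spec(a, c) for a, c in product(TRACES, TRACES) if impl(a, c))

def responds_to_every_input(impl):
    """FORALL a. EXISTS c. impl(a, c): the composite is not vacuous."""
    return all(any(impl(a, c) for c in TRACES) for a in TRACES)

if __name__ == "__main__":
    print("impl ==> spec:", implies(shift2_impl, shift2_spec))
    print("spec ==> impl:", implies(shift2_spec, shift2_impl))
    print("broken ==> spec:", implies(broken_impl, shift2_spec))
    print("broken responds:", responds_to_every_input(broken_impl))
```

The miswired composite passes the implication check only because its predicate is never true, so a satisfiability check alongside the implication is what separates a correct composition from an inconsistent one.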
## 4 Models for Transaction Specification

This section describes the work undertaken to determine the most appropriate model for specifying the top level of the Processor Interface Unit (PIU).

#### 4.1 Introduction

To complete the specification of the PIU, a top-level specification of the required behavior of the PIU must be written. This behavioral model should describe the actions of the device with respect to its environment and internal state.

The PIU is essentially a bus controller. However, there are some differences: the PIU contains special features for fault tolerance and dependability, such as an encoding of words sent to memory for error correction and the ability to select between two processors depending on the results of a power-on self test.

Our goal is to model each of the concurrent portions of the PIU individually using an interpreter (as discussed in Section 2) and to show that a composition of these interpreters entails the behavior of a more abstract model. At first, we believed that the composite behavior of the PIU could be described using the interpreter model as well. However, we found that the high-level behavior of a device such as the PIU is not easily modeled as an interpreter.

An interpreter is a computational device with one major control point. That is, one of a set of instructions is chosen based on the current state and that instruction is used to process the state; following the execution of the instruction, the process begins anew. While interpreters describe many interesting devices, the model is too restrictive to describe the PIU. There are at least three aspects of the intended behavior of the PIU that make it difficult to describe using existing techniques:

- The feature of a bus controller that causes the greatest difficulty in using an interpreter model to describe it is its concurrency—a bus controller does many things at once.
For example, most bus controllers contain timers that, in conjunction with an on-board interrupt controller, can interrupt the CPU. These timers operate concurrently with other portions of the bus controller, such as memory and network operations.
- A typical top-level specification of the PIU might include the memory subsystem because this corresponds to the CPU's view of the PIU (see the next section for a more complete discussion of this). This shared state between the PIU and other devices makes description using an interpreter model difficult.
- The outputs of the PIU do not correspond on a one-to-one basis with the inputs; there is a many-to-one relationship between the outputs and inputs. The interpreter model assumes that the output at a particular time is described by a function on the current state and environment. The PIU may make several outputs in sequence because of a single input request (a block memory read request is a good example).

In exploring possible models for use in describing the behavior of hardware devices such as bus controllers, we were concerned with the following issues:

- The notation and semantics should be amenable to embedding and automation in an automatic theorem prover such as HOL.
- The model and notation should be sufficiently general to allow a large number of interesting devices to be described.
- The model and notation should be sufficiently defined to allow a rich set of theorems to be proven about it in isolation of any particular application.

Figure 4.1: The view from the CPU.

### 4.2 Abstract Views

Before exploring specific notations for describing the PIU, we consider some of the features of the PIU that make its behavioral specification interesting. These abstract views contribute to the understanding necessary to specify its operation.

In general, the behavior of the PIU can be looked on as a combination of behaviors from different viewpoints: that of the CPU, the network, and the memory.
In order to simplify the discussion that follows, we will ignore certain behaviors of the PIU. In particular, we will assume that the start-up processor is finished and that the PIU is in steady-state operation.

Figure 4.1 shows the abstract view of the PIU from the CPU. In this view, the CPU sees the combination of the PIU, Network, and Memory (PNM) as a monolithic address space. Similarly, interrupt signals can be viewed as coming to the CPU from this abstract object rather than the individual components.

In the CPU view, when the CPU issues a read request to the PNM, the PNM responds with the information located at the virtual address given by the CPU. The actual location of the requested data, that is, whether it resides in local memory, remote memory, or a register in the PIU, is abstracted away. Similarly, when the CPU issues a write request, it does not know whether the request will update local memory, remote memory, or a register in the PIU.

Of course, inside the CPU view, the PIU either responds to requests from the CPU itself, or by issuing other requests to the network or the memory. Specifying what requests the PIU makes to other devices in response to a request from the CPU can be viewed as a specification of the implementation of the PNM. Another way of viewing these requests is that they will be specified in the other views of the system. The latter is the method we employ.

Figure 4.2 shows the view from the memory. The memory can be viewed as a processor, albeit a simple one. In the memory view, the PIU/CPU/Network abstraction (PCN) makes memory read and write requests and the memory responds appropriately. Because the memory device is simple, it makes no requests of the PCN itself, but only responds to requests. The fact that some of these requests originated with the CPU and others with other hosts on the network is abstracted away.
Inside the PCN abstraction, of course, the requests to the memory are originating with the CPU or the network and after some processing by the PIU (such as error correction encoding and decoding) are being passed on. The requests from the CPU and the network do not necessarily correspond on a one-to-one basis with the requests sent to the memory. A single request from the CPU may result in many requests to the memory.

Figure 4.2: View from the Memory.

Figure 4.3 shows the view of the PIU from the perspective of the network. In this view, the PIU, memory, and CPU are abstracted into a single object (PMC). This is, perhaps, the most complex abstraction. The network makes requests of the PMC and the PMC makes requests of the network. These requests are primarily memory read and write requests.

Figure 4.3: View from the Network.

The problem with the views presented in Figures 4.1–4.3 is that the abstractions include the behavior of the CPU, network, and memory. Our goal is to specify the behavior of the PIU independent of the devices to which it is connected. Each of these views can be thought of as a specification of the abstract interface to one portion of the PIU. As Figure 4.4 shows, we can superimpose the specifications on one another. The union of the PNM, PCN, and PMC specify the behavior of the entire unit. Their intersection, denoted by the shaded area, is meant to represent the behavior that is specific to the PIU.

Figure 4.4: Abstraction Views for the PIU.

While we feel that this is a good way to think about the behavior of the PIU in abstract, we are not convinced that it is an appropriate method of specifying the behavior of the PIU. Before such a decision can be made, we will need to do further work. Primarily, we would like to attempt to model the specification of a small device in this way and evaluate the specification for readability and ease of use in verification.
# 4.3 Representing Transaction Systems

The last section discussed the specification of the abstract interfaces of the PIU, but ignored the details about how those specifications would be written. We talked abstractly about transactions between the PIU and other system components, but the question remains of how to represent those transactions.

One of the difficulties of representing the PIU was touched upon in the last section. If we were only faced with the problem of representing a transaction system such as the PNM (PIU, network, and memory abstraction), the problem would be much simpler. The model would consist of a set of response functions associated with incoming transactions. For each incoming transaction, the response function would update the state of the system and generate an outgoing response based on the current value of the state.

In the model shown in Figure 4.4, the PIU is not a transaction system, but a transaction translation system. The PIU cannot generate a response until it issues requests of its own and receives answers to those requests. In addition, there may be state internal to the PIU that needs to be updated and affects the response.

The ultimate goal of the work presented in this report is not to just specify the PIU, but to verify that specification against a lower-level specification. This goal creates several criteria that limit our choice of notation for the behavioral specification:

1. The notation must be capable of specifying concurrent operations of the PIU.
2. The notation must be capable of describing the PIU independent of the other devices to which it might be attached (i.e., the state of those devices should not be a necessary part of the PIU specification).
3. The notation must allow a many-to-one relationship between outputs and inputs.
4. The final specification must be concise and readable. We would like to be able to look at the specification and capture some overall feeling for what it means.
Without this level of abstraction, it is very difficult to determine whether the specification is correct or not.
5. The notation must have, or be amenable to building, a collection of theorems about it so that we can reason about the specification and its relationship to the lower-level implementations.
6. The notation must be mechanizable and, since our verification system of choice is HOL, be representable in the HOL logic.

There are a number of candidate notations:

1. We could attempt to represent the transactions in HOL without resorting to any specific notation (i.e., raw HOL). We consider the generic interpreter theory (GIT) to be a representation of one kind of computational object in raw HOL. The use of raw HOL to represent transactions implies that we would build a model similar to the GIT, but capturing the abstractions envisioned in the previous section. The advantages of this approach are that the model is likely to be tailored to the structure of the PIU more closely than with the other approaches. This means that the meaning of the specification may be clearer. Our experience with the GIT has shown us that abstract models built in HOL can be a fruitful avenue of exploration because they yield a great deal of information to aid in understanding the structure at hand. These models lend a structure to the specification and verification task that is usually not there otherwise; the model states explicitly what definitions must be made to complete the specification and which lemmas need to be proven to complete the verification. The disadvantages of using raw HOL are that the model of a transaction system would have to be built and useful theorems about this model would have to be proven. This task is usually more easily done when at least one concrete specification of the type being modeled has been built. This *prototype* specification serves to guide the model development.
2. We could use temporal logic.
The primary benefit of temporal logic is that transactions entail describing and reasoning about actions that will occur in the future because of something that occurs now. For example, when the CPU sends a memory read transaction to the PIU, this creates an obligation in the PIU to respond to the request in the future. In between receiving the request and answering it, the PIU would engage in a number of transactions with the network, memory, or both. The primary advantage of temporal logic is that there has been much work in the area and it has been successfully used to model hardware devices in other specification efforts. The disadvantage is that it is as general as any other general purpose logic and thus, while expressive, would not serve to structure the specification.
3. We could use a well-developed process algebra [Hen88, Hoa85, Mil89a, Mil89b, Mil89c]. Milner [Mil89a] presents a calculus of communicating concurrent processes called CCS; CCS is perhaps the best known process algebra. In process algebras, the specification concentrates on the communication between processes. The specification of the PIU would entail a specification of the events that occur and the events that follow from them. There are several advantages to using a process algebra. Process algebras are well understood and there are several popular ones from which to choose. This implies that there are also a great many theories developed and ready for use in a proof effort. To the extent that deduction rules and theorems about the process algebra can be mechanized in HOL, the job of proving properties of the specification will be eased. Indeed, several of the most popular process algebras have been mechanized in HOL and are available for use [Sch91, Cam89, Mel91]. These mechanizations are in various states, so the amount of effort in using one is difficult to predict. The disadvantages are similar to those of temporal logics.
We fear that the specification will be largely free-form because of the generality of the specification language and thus not structure the problem enough to make the specification and verification methodical.
4. We could use a formal model of a coordination language such as LINDA [But91] to model the actions of the system. In this model, the PIU, CPU, memory, and network are modeled as communicating in a common area called *tuple space*. Figure 4.5 shows how this would look. In this model, the PIU writes to and reads from tuple space along with the other devices in the system. We can think of tuple space as an abstract model of the bus. We have given considerable thought to this option. The advantage of this option is that the model is general and seems to be useful for describing ensembles of coordinated processes. The disadvantage is that the model is not yet fully formalized (not to mention mechanized), and thus there would be considerable work before we could begin using the model. Also, we consider this model to be better suited to describing interactions between system components (however they are specified) rather than specifying the components themselves. Thus, we plan to pursue the formalization of LINDA as a model for composing specifications, rather than for the specifications themselves.

Overall, we believe that approach (1) has the most promise and meets the criteria that we outlined above. We do, however, recognize that there is a rich body of research surrounding process algebras and thus will draw on that wherever possible. Indeed, much as the GIT looks similar to a state machine, but has specific features designed to specify and verify microprocessors, our transaction model will look similar to existing process algebras but have features specific to specifying and verifying hardware devices such as the PIU.
## 4.4 Preliminary Transaction Model Design

This section discusses some preliminary design concepts for the transaction model and gives our development plans.

### 4.4.1 The Transaction Model

Our preliminary transaction model contains elements common to other behavioral models, augmented by features targeting transaction-level behavior.

Figure 4.5: Modeling the Buses in a Computer System using Tuple Space.

#### 4.4.1.1 Ports

A transaction system has a number of ports. The system will receive requests on input ports, send requests on output ports and communicate data on data ports. Our model will have an alphabet of port names that can be used to identify ports uniquely.

#### 4.4.1.2 State

The transaction system will have internal state. This state will be represented in a concrete object as a tuple, but in the model will be represented abstractly.

#### 4.4.1.3 Transactions

A transaction will be a triple consisting of an identifying request (taken from an alphabet of possible requests), a state transition function used to update the state, and a set of port-request function pairs representing the requests to be sent and the ports to issue them on in response to the transaction request. The request functions use the current state and values on the data ports to generate a request.

#### 4.4.1.4 Operation

The model will be driven by request events. The model will consist of a set of transactions for each input port. The set represents the legal requests on that port. For each input port, the model will, in parallel, read a request, find the appropriate transaction in its transaction set, and use that transaction to update the state and issue requests on output ports.

### 4.4.2 Development Plan and Comments

We plan to refine the preliminary concepts outlined above as follows:

1. Build a functional program in ML of the behavior of the PIU based on the model presented above. The program will allow us to exercise the model and determine where there are problems.
We chose ML since it is close to the syntax of HOL and will be readily converted into HOL when we are satisfied with it.
2. The program built in the previous step will be specific to the PIU. Our plan is to generalize that program into an abstract model of transaction systems. We plan to use the results of the experiments in the previous step to guide a formalization of the general model in HOL. Careful design of the abstraction in the program will make this task easier. Provided that the experiments yield favorable results, we do not anticipate formalization to be a large effort.
3. After the model has been formalized, we will need to use it to assess its utility and determine what lemmas need to be proven in the abstract theory to enable effective reasoning in the concrete model. There is no way to determine what these theories will be until the model is used the first time.
4. As the model is used, there will undoubtedly be refinements and extensions. Our experience with the generic interpreter theory has shown that refining and extending abstract theories is not an arduous task, and we anticipate that the same will be true of the new model.

There are several areas that may lead to difficulties:

- The model specifies each input port separately (in the spirit of the abstract views of Section 4.2). There will have to be coordination between ports due to shared state and output ports. The network port and the CPU port cannot both issue requests of the memory port simultaneously. This, of course, is also a restriction in the design. Our problem is not what coordination to perform, since that exists in the PIU already, but how to represent such coordination in the model. We hope that process algebras will give us some guidance.
- The state is shared and thus may be updated by several ports at once (provided that such updating does not cause interference).
We hope that partial specifications of the changes, represented by predicates rather than functions, will solve this problem.
- We have ignored the start-up operation of the PIU in our model. We do not believe that this is a problem since the start-up portion of the chip operates in sequence with the rest of the PIU components. We can model the start-up portion using an interpreter or transaction system (whichever is more appropriate) and choose the behavior of the start-up device or the PIU device depending on the current state.
- The PIU has a number of on-board clocks that serve as interrupt timers. We hope that they can be modeled using the concepts presented in this chapter by looking at the external clock port as another input port with its own set of transactions. One of those transactions will trigger interrupts when the state is correct.

## 4.5 Conclusions

Hardware devices such as the PIU present a unique challenge for behavioral specification. They differ from interpreters primarily in that there is a large amount of coarse-grained parallelism and they do not control all the state that they are expected to impact. The overall system (PIU, CPU, network, and memory) could be modeled as an interpreter, but our desire is to model the PIU independently.

One could just make a laundry list of all the actions that occur and use this as the specification, but the result would be nearly unreadable for a complex device such as the PIU. Our goal is to create an abstraction that organizes that behavior so that the specification is readable as well as useful for verification. An unreadable specification is likely to be wrong.

The research presented here is only a start at the top-level specification of the PIU. We plan the following follow-on work:

- The preliminary transaction model must be refined as presented in Section 4.4. The models need to be tested on the PIU design for utility. Furthermore, the model needs to be formalized in HOL.
- Further work must be done on the composition of our abstract-view approach to behavior. We plan a further review of the literature for applicable work and a small test study involving a small device with a simple semantics, but more than one interface, to determine whether composing the abstract behaviors of the interface is sufficient to represent behavior.
- We intend to pursue the formalization of the LINDA coordination language since it seems a likely candidate model for composing the specification of the PIU with the specifications of the CPU, memory, and network. This composition would be used to implement a more abstract view of the system. This work does not have consequences for the top-level specification of the PIU itself but may be important for future compositions.

# 5 Towards an Integrated Simulation/Verification Environment

This section describes work that links the M hardware description language and the HOL theorem proving system. The M hardware description language is part of a simulation and synthesis system from Mentor Graphics Corporation. M is a superset of C with extensions for efficiently describing hardware. The goal of the work presented in this section was to develop a prototype translator for converting M descriptions to the equivalent HOL descriptions.

We chose to describe the implementation of the PIU in M for several reasons:

- Engineers working on the project are more comfortable with M descriptions than they are with the logic of HOL. This is probably because of the similarity of M to imperative programming languages in which most engineers are schooled.
- M descriptions can be executed. This allows the specifications to be animated, providing a form of simulation. Engineers can observe the operation of the specification in an effort to judge its correctness.

The translator described here is a *prototype* tool.
We have used the AWK programming language [Aho88] to construct a parser for the subset of M actually used in the description of the PIU. In addition to parsing M, the tool generates HOL statements corresponding to the input. The generation is done on an *ad hoc* basis—no attempt has been made to describe the semantics of M formally.

The translator between M and HOL is important because a hand translation would be tedious and error prone. Using a machine translation, even one done informally, provides *consistent* translations. When an error in a translation is found, the translator can be corrected and the other translations redone to ensure that the error does not affect other specifications as well.

Future work may include a more formal translator between M and HOL if we determine that M descriptions are useful. The more formal translator would include a parser built into the HOL theorem prover as well as a formal semantic description. The translation would be done completely within the theorem prover for added assurance.

The following section will discuss data types developed for use with the model. We will not discuss the actual translation process in detail, but we will give a simple example of an M description of a finite state machine and its equivalent form in HOL as produced by the M-to-HOL translator. The HOL definitions are intended to be used with the generic interpreter model described in Section 2 of this report.

## 5.1 New Datatypes in HOL

In order to translate M to HOL, we had to make type definitions in HOL that correspond to the types used in the M language. Two of the more involved type definitions were arrays and n-bit words.

### 5.1.1 Arrays

Since M is a superset of C, M descriptions make heavy use of arrays. HOL does not have a built-in array type, but arrays are easy to model in higher-order logic using functions. In general we treat an array of objects as a function from the natural numbers to the same objects.
There are four basic operations on arrays in M that needed to be defined in HOL: array indexing, array assignment, array subsetting, and subarray assignment.

**Array Indexing.** In M, arrays are indexed using bracket notation. In HOL, since arrays are just functions, arrays are indexed by function application. Thus, the M term x[i] is written in HOL as (x i).

**Array Assignment.** In M, one can use an indexed array variable as the *lvalue* in an assignment statement. Logic does not have assignment, so the corresponding definition is functional. We define a function called ALTER that operates on an array, an index, and a value and returns a new array with the value stored in the array at the index given. All other values are unchanged. Thus, the M term x[i] = y is written (ALTER x (i) y) in HOL.

**Array Subsetting.** In M, one can use a subarray in an expression. The HOL function SUBARRAY serves the same purpose. Thus, the M term x[15:5] (which represents an 11-element array with location 0 holding the same value as x[5], location 1 holding the same value as x[6], and so on) would be written in HOL as SUBARRAY x (15,5).

**Subarray Assignment.** In M, one can assign arrays to portions of an existing array. The HOL function that does this is called MALTER. The M term x[15:5] = y would be written in HOL as MALTER x (15,5) y.

The theory of arrays also contains theorems pertaining to these definitions that aid in reasoning about arrays.

### 5.1.2 N-Bit Words

N-bit words are defined in M using arrays of booleans. Since we represent arrays as functions, the natural representation for n-bit words is a function from the natural numbers to the booleans. The theory of n-bit words that we defined uses this representation and makes definitions that allow the representation to be usable. There are four kinds of definitions in the n-bit word theory:

1. Definitions that interpret the meaning of an n-bit word.
2. Definitions that create n-bit words with special meanings and give them a name.
3. Definitions that test an n-bit word for a given property.
4. Definitions that operate on n-bit words.

There are two major functions for interpreting n-bit words: VAL and WORDN. VAL returns the numeric value of an n-bit word. WORDN returns the n-bit word representing a given number.

There are a number of functions for creating special n-bit words. We will not discuss all of them here, but only give a few examples. SETN returns an n-bit word with all of its bits set. Similarly, RSTN returns an n-bit word with all of its bits false.

Examples of test predicates include ONES, which tests if all the bits in a word are true, and ZEROS, which tests if all the bits in a word are false.

Operations on n-bit words implement common boolean and arithmetic operations on n-bit words. For example, NOTN returns the n-bit complement of a word. INCN returns the n-bit word resulting from adding 1 (modulo n) to its argument.

So far, the theory does not contain many theorems regarding these definitions and their relationship to one another. These theorems will be proven as necessary.

## 5.2 An Example in M

The following example shows how a finite state machine is described in M. For brevity, the description contains only one state, S1; a more realistic description would contain more states, as well as more logic variables. The example does illustrate some of the features of M that required translation such as logic operations, array subranging, and the mixture of output and logical statements in the same context.

```
/************************************************************
  Module:   test.M
  Authors:  David Fura / Phillip Windley
  Date:     13MAR92

  Example of M description for translation.
************************************************************/

#define V1 1
#define V2 2

MODULE test ()
{
    /* State variables: */
    MEMORY LOGIC new_A, A;
    MEMORY LOGIC new_B, B;
    MEMORY LOGIC new_C[32], C[32];

    /* Output variables: */
    OUT I_X[32];

    /* Input variables: */
    IN Clock;
    IN Rst;

    INITIALIZE
    {
    }

    SIMULATE
    {
        switch (Decode (Clock)) {
        case S1:
            new_A = (C == V1) || (C != V2);
            new_B = (C == V1) && new_A;
            new_C = wr(C,1);
            I_X[31] = new_A ? Clock : Rst;
            I_X[30:29] = new_C[1:0];
            I_X[28:0] = new_B ? new_C[28:0] : I_X[28:0];
            break;
        default:
            PRINT ("\nILLEGAL");
            break;
        }
    }
}
```

## 5.3 An Example in HOL

The following code represents the translation of the M code in the last section into HOL by the prototype translator developed for this project. No substantive changes have been made to the text. Except for indentation and spacing, everything is just as the translator produced it.

```
let V1 = "1";;
let V2 = "2";;

let test_state = ((A, B, C): bool # bool # wordn);;
let test_inputs = ((Rst, Clock): bool # bool);;
let test_outputs = ((I_X): wordn);;

let S1_inst_def = new_definition
  ('S1_inst',
   "S1_inst ^test_state ^test_inputs =
      let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
      let new_B = (C = (WORDN ^V1)) /\ new_A in
      let new_C = wr(C, (WORDN 1)) in
      (new_A, new_B, new_C)"
  );;

let S1_out_def = new_definition
  ('S1_out',
   "S1_out ^test_state ^test_inputs =
      let new_A = (C = (WORDN ^V1)) \/ (~(C = (WORDN ^V2))) in
      let new_B = (C = (WORDN ^V1)) /\ new_A in
      let new_C = wr(C, (WORDN 1)) in
      let I_X_31_31 = new_A => Clock | Rst in
      let I_X_30_29 = (SUBARRAY new_C (1,0)) in
      let I_X_28_0 = new_B => (SUBARRAY new_C (28,0)) | (SUBARRAY I_X (28,0)) in
      let I_X = (MALTER (MALTER (MALTER I_X (31,31) I_X_31_31)
                                (30,29) I_X_30_29)
                        (28,0) I_X_28_0) in
      (I_X)"
  );;
```

The translator does a good job of translating most M programs into HOL. The largest limitation on its use is the simple type analysis that is done.
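The array operations of Section 5.1 and the translated S1_out definition, modelled in Python as an added example (not the report's code or the translator's output); it checks the nested MALTER form against a statement-by-statement reading of the M `case S1`. The 32-bit width, the bit-limited equality, the lifting of the I_X[31] value to an array and the `wr` stand-in are assumptions.

```python
# Executable model of the Section 5.1 array and n-bit word operations.
# Arrays are functions from natural numbers to values, as on the page; the
# exact HOL definitions are not shown there, so these follow its prose.

WIDTH = 32  # assumption: width of C and I_X, from the [32] declarations


def ALTER(x, i, y):
    # M `x[i] = y`: equal to x everywhere except index i, which holds y.
    return lambda j: y if j == i else x(j)


def SUBARRAY(x, bounds):
    # M `x[hi:lo]`: location 0 holds x[lo], location 1 holds x[lo+1], ...
    hi, lo = bounds
    return lambda j: x(j + lo)  # assumption: no bound check above hi - lo


def MALTER(x, bounds, y):
    # M `x[hi:lo] = y`: indices lo..hi take y[0..hi-lo]; the rest keep x.
    hi, lo = bounds
    return lambda j: y(j - lo) if lo <= j <= hi else x(j)


def WORDN(value):
    # The word (function nat -> bool) representing a number.
    return lambda i: bool((value >> i) & 1)


def VAL(w, width=WIDTH):
    # Numeric value of the low `width` bits (the width argument is assumed).
    return sum(1 << i for i in range(width) if w(i))


def word_eq(a, b, width=WIDTH):
    # HOL `a = b` on words, restricted to `width` bits so it is decidable.
    return all(a(i) == b(i) for i in range(width))


def s1_out_functional(C, I_X, Rst, Clock, wr):
    # Mirrors the translated S1_out, let by let. `wr` is passed in because
    # the page does not define it; I_X is the previous output value.
    new_A = word_eq(C, WORDN(1)) or not word_eq(C, WORDN(2))
    new_B = word_eq(C, WORDN(1)) and new_A
    new_C = wr(C, WORDN(1))
    bit31 = Clock if new_A else Rst
    I_X_31_31 = lambda j: bit31  # the single bool lifted to an array
    I_X_30_29 = SUBARRAY(new_C, (1, 0))
    I_X_28_0 = SUBARRAY(new_C, (28, 0)) if new_B else SUBARRAY(I_X, (28, 0))
    return MALTER(MALTER(MALTER(I_X, (31, 31), I_X_31_31),
                         (30, 29), I_X_30_29), (28, 0), I_X_28_0)


def s1_out_imperative(c, ix, rst, clock, wr_int):
    # Direct reading of the M `case S1` body on ints and a mutable bit list.
    new_a = (c == 1) or (c != 2)
    new_b = (c == 1) and new_a
    new_c = wr_int(c, 1)
    out = [bool((ix >> i) & 1) for i in range(WIDTH)]
    nc = [bool((new_c >> i) & 1) for i in range(WIDTH)]
    out[31] = clock if new_a else rst   # I_X[31] = new_A ? Clock : Rst
    out[29:31] = nc[0:2]                # I_X[30:29] = new_C[1:0]
    if new_b:
        out[0:29] = nc[0:29]            # I_X[28:0] = new_C[28:0]
    return sum(1 << i for i, bit in enumerate(out) if bit)


def wr_stub_int(c, k):
    # Constructed stand-in for `wr`: add modulo 2**WIDTH (not the PIU's wr).
    return (c + k) % (1 << WIDTH)


def wr_stub(c, k):
    # The same stand-in on words, so both readings use one definition.
    return WORDN(wr_stub_int(VAL(c), VAL(k)))


# Constructed sample states: (C, previous I_X, Rst, Clock).
SAMPLES = [
    (1, 0xFFFFFFFF, False, True),
    (2, 0x12345678, True, False),
    (7, 0x00000000, False, True),
    (1, 0x80000001, True, True),
]


def translations_agree(samples=SAMPLES):
    # Differential check: both readings must give the same I_X every time.
    for c, ix, rst, clock in samples:
        functional = s1_out_functional(WORDN(c), WORDN(ix), rst, clock, wr_stub)
        if VAL(functional) != s1_out_imperative(c, ix, rst, clock, wr_stub_int):
            return False
    return True


if __name__ == "__main__":
    print("functional and imperative readings agree:", translations_agree())
```

The two readings agree here because the three slices written in `case S1` are disjoint, so reading the previous I_X[28:0] before or after the other two assignments gives the same bits.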
A more thorough type analysis would catch some of the infrequent errors, but would have made the translator much more complicated. If a translator based on formal semantics is constructed, we will overcome this limitation.

# 6 Conclusions

We have completed the design specification for a processor interface unit (PIU) and identified the modeling approach to be used for the requirements specification. Along the way we have made progress in integrating our hardware design and verification environments into a single unified framework. In performing this task a number of important conclusions have been reached concerning the state-of-the-art in formal specification, using HOL, with respect to the demands of real-world hardware systems.

The generic interpreter theory, described in Section 2, was shown to work well in a real-world hardware application. It is clear that this theory, which was initially funded by NASA in a previous task [Win90], fits applications well beyond the domain of microprocessors for which it was originally used. Our introduction of outputs into the theory accommodates the composition of subsystems modeled as interpreters, and enhances the theory's applicability to future system modeling problems.

Developing the lower five levels of the PIU specification hierarchy, described in Section 3, stretched existing specification tools and techniques to their limit. To illustrate the size of this modeling problem, the five phase-level specifications together required equations for 280 state variables and 60 output variables. The PIU clock-level model caused overflows in three different stacks in the original Lisp implementation used to build the HOL system.

Because of delays in the PIU design schedule, this task began while the design was still undergoing considerable change.
Due to the multiple specification levels and the lack of any significant automation, modifying our models to reflect these changes required much more effort than that required by the design team, for example. As a result, the total effort required to complete the design specification was far greater than necessary. Although previous formal specification and verification efforts appear to have begun only after the design was finalized, and therefore didn't face this problem, formal methods will be most useful when they can be applied before a chip is initially fabricated, and thus before the design is finished as well. Based on this experience it is clear that major improvements are needed in the tools used to develop future design specifications.

Perhaps our most significant discovery is that current hardware specification approaches, although suitable for the lower levels of the PIU specification hierarchy, are inadequate for the topmost level. This motivated us to investigate the alternative modeling techniques described in Section 4, from which we have defined a preliminary model for use in formalizing a new transaction-based modeling level.

Although not explicitly part of this task's description, we have made progress in integrating our hardware design and verification environments to support this and future work. The M-to-HOL translator, described in Section 5, performs a nearly-complete translation of suitably-formatted M-language models into HOL. The utility of this tool was demonstrated by our translation of all the port-level behavioral models from their definitions in M. Although this translation is not based on a formal semantics for M, it provides a consistent translation capability that is available for use *now*. It should have an immediate impact on productivity for the next chip specification.
The work presented in this report has made a significant contribution to the specification and verification of real-world devices, but much remains to be done. In particular, this report has outlined the following tasks:

1. Before work on the specification of the top level can be completed, the formal model of the transaction level must be completed. Section 4 gives a more detailed plan for completing this work.
2. The specification hierarchy was outlined in Section 3, but this task did not include the completion of the specification. In particular, the PIU top-level specification remains to be written.

In addition to the work that must be completed to finish the specification, there are a number of open questions that have a direct bearing on how this work is used:

1. The proofs of correspondence between levels in the specification hierarchy should be completed. The specification process itself is useful because it gives designers an abstract view of the device and aids understanding. The detailed examination entailed in the specification is useful for finding errors. However, the primary benefit of a formal specification is that it is amenable to analysis.
2. If we intend to use the top-level specification along with specifications of other devices in the PMM, such as the CPU and memory, to write a specification of the PMM, a model of composition must be developed. Section 4 recommended a formalization of LINDA as that model, but no work has been done to explore the feasibility or utility of this method.
3. The translation between M and HOL is being done in a prototype system written in AWK. A more formal approach, with more confidence in its correctness, would be to embed M in HOL. This would involve defining the syntax of M (or a reasonable subset) in HOL and then defining a formal semantics of M for use in the translation.
Because the translation would be done by the verification system itself, we could have increased confidence that the HOL model corresponded to the M model.

# 7 References

- [Aho88] A.V. Aho, B.W. Kernighan, P.J. Weinberger, *The AWK Programming Language*, Addison-Wesley, 1988.
- [Aro90] Tejkumar Arora, *The formal verification of the VIPER microprocessor: EBM to microcode level*, Master's thesis, University of California, Davis, 1990.
- [But91] P. Butcher, "A Behavioral Semantics for Linda-2," *Software Engineering Journal*, July 1991.
- [Cam89] A. J. Camilleri, "Mechanizing CSP Trace Theory in Higher-Order Logic," Hewlett-Packard Laboratories, *Technical Memorandum HPL-ISC-TM-89-131*, August 1989.
- [Coh88] Avra Cohn, "Correctness properties of the VIPER block model: The second level," University of Cambridge Computer Laboratory, *Technical Report 134*, May 1988.
- [SRI88] SRI International Computer Science Laboratory, *EHDM Specification and Verification System: User's Guide*, Version 4.1, 1988.
- [Gor86] M. Gordon, "Why Higher-Order Logic is a good Formalism for Specifying and Verifying Hardware," in G.J. Milne and P.A. Subrahmanyam, editors, *Formal Aspects of VLSI Design*, North-Holland, 1986.
- [Gor88] Michael J.C. Gordon, "HOL: A proof generating system for higher-order logic," in G. Birtwistle and P.A. Subrahmanyam, editors, *VLSI Specification, Verification, and Synthesis*, Kluwer Academic Publishers, 1988.
- [Gog88] J. Goguen and T. Winkler, "Introducing OBJ3," SRI International, *Technical Report SRI-CSL-88-9*, August 1988.
- [Hen88] M. Hennessy, *Algebraic Theory of Processes*, MIT Press, 1988.
- [Her88] John Herbert, "Temporal abstraction of digital designs," in G.J. Milne, editor, *The Fusion of Hardware Design and Verification*, Proceedings of the IFIP WG 10.2 International Working Conference, Glasgow, Scotland, North-Holland, 1988.
- [Hoa85] C. A. R. Hoare, "Communicating Sequential Processes," Prentice Hall, 1985.
- [Hun87] Warren A.
Hunt, Jr., "The mechanical verification of a microprocessor design," in D. Borrione, editor, *From HDL Descriptions to Guaranteed Correct Circuit Designs*, Elsevier Scientific Publishers, 1987.
- [Hun92] Warren A. Hunt, Jr., and Bishop Brock, "A Formal HDL and its use in the FM9001 Verification," in C.A.R. Hoare and M.J.C. Gordon, editors, *Mechanized Reasoning and Hardware Design*, Prentice Hall, 1992.
- [Joy89] Jeffrey J. Joyce, *Multi-Level Verification of Microprocessor-Based Systems*, PhD thesis, University of Cambridge, December 1989.
- [Koh78] Z. Kohavi, *Switching and Finite Automata Theory*, McGraw-Hill, 1978.
- [Low89] Paul Loewenstein, "Reasoning about state machines in higher-order logic," in M. Leeser and G. Brown, editors, *Workshop on Hardware Specification, Verification, and Synthesis: Mathematical Aspects*, Lecture Notes in Computer Science, Springer-Verlag, 1989.
- [Mel88] Thomas Melham, "Abstraction mechanisms for hardware verification," in G. Birtwistle and P. A. Subrahmanyam, editors, *VLSI Specification, Verification and Synthesis*, Kluwer Academic Publishers, 1988.
- [Mel90] T.F. Melham, "Formalizing Abstraction Mechanisms for Hardware Verification in Higher Order Logic," University of Cambridge Computer Laboratory, *Technical Report 201*, August 1990.
- [Mel91] T. F. Melham, "A Mechanized Theory of the π-Calculus in HOL," in G. Huet, G. Plotkin, and C. Jones, editors, *Second Annual Workshop on Logical Frameworks*, Edinburgh, May 1991.
- [Mil89a] R. Milner, *Communication and Concurrency*, Prentice Hall, 1989.
- [Mil89b] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part I," University of Edinburgh, Laboratory for Foundations of Computer Science, *Technical Report ECS-LFCS-89-85*, June 1989.
- [Mil89c] R. Milner, J. Parrow, and D. Walker, "A Calculus of Mobile Processes, Part II," University of Edinburgh, Laboratory for Foundations of Computer Science, *Technical Report ECS-LFCS-89-86*, June 1989.
- [Sch91] E. T. Schubert, K.
Levitt, G.C. Cohen, "Towards Composition of Verified Hardware Devices," NASA Contractor Report 187504, November 1991.
- [Win88] Phillip J. Windley, "A hierarchical methodology for the verification of microprogrammed microprocessors," in *Proceedings of the IEEE Symposium on Security and Privacy*, May 1990.
- [Win90] Phillip J. Windley, *The Formal Verification of Generic Interpreters*, PhD thesis, University of California, Davis, Division of Computer Science, June 1990.
- [Win90a] Phillip J. Windley, "A poor man's implementation of abstract theories," University of California, Davis, Division of Computer Science, *Technical Report CSE-90-06*, 1990.
- [Win91] Phillip J. Windley, "The formal specification of a high-speed CMOS correlator," in *Proceedings of the Third Annual IEEE/NASA Symposium on VLSI Design*, October 1991.

# Appendix A ML Source for Component Specifications

This appendix contains the HOL models for components used in the gate-level specification for the PIU ports, as well as auxiliary definitions for n-bit words implemented as arrays and array accessing functions.

```
%----------------------------------------------------------------------
  File:    gates_def.ml
  Author:  (c) D.A. Fura 1992
  Date:    31 March 1992

  This file contains the ml source for the combinational logic gates
  used in the gate-level description of the FTEP PIU, an ASIC developed
  by the Embedded Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm gates_def.th';;
new_theory 'gates_def';;
map new_parent ['aux_def'];;

let NOT_SPEC = new_definition
  ('NOT_SPEC',
   "! a z .
    NOT_SPEC a z =
      (! t:time . z t = ~a t)"
  );;

let AND2_SPEC = new_definition
  ('AND2_SPEC',
   "! a b z .
    AND2_SPEC a b z =
      (! t:time . z t = a t /\ b t)"
  );;

let AND3_SPEC = new_definition
  ('AND3_SPEC',
   "! a b c z .
    AND3_SPEC a b c z =
      (! t:time . z t = a t /\ b t /\ c t)"
  );;

let OR2_SPEC = new_definition
  ('OR2_SPEC',
   "! a b z .
    OR2_SPEC a b z =
      (! t:time . z t = a t \/ b t)"
  );;

let OR3_SPEC = new_definition
  ('OR3_SPEC',
   "! a b c z .
    OR3_SPEC a b c z =
      (! t:time .
      z t = a t \/ b t \/ c t)"
  );;

let NAND2_SPEC = new_definition
  ('NAND2_SPEC',
   "! a b z .
    NAND2_SPEC a b z = (! t:time . z t = ~(a t /\ b t))"
  );;

let NAND3_SPEC = new_definition
  ('NAND3_SPEC',
   "! a b c z .
    NAND3_SPEC a b c z = (! t:time . z t = ~(a t /\ b t /\ c t))"
  );;

let BUF_SPEC = new_definition
  ('BUF_SPEC',
   "! (a:time->*) z .
    BUF_SPEC a z = (! t:time . z t = a t)"
  );;

let TRIBUF_SPEC = new_definition
  ('TRIBUF_SPEC',
   "! (a:time->*) e z .
    TRIBUF_SPEC a e z = (! t:time . (e t) ==> (z t = a t))"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         latches_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the latches used in the
  gate-level specification of the FTEP PIU, an ASIC developed by the
  Embedded Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm latches_def.th';;

new_theory 'latches_def';;

map new_parent ['aux_def'];;

%----------------------------------------------------------------------
  One-bit D-latch, no set, no reset, no enable.
----------------------------------------------------------------------%
let DLAT_SPEC = new_definition
  ('DLAT_SPEC',
   "! (din:time->bool) clk state qout .
    DLAT_SPEC din clk state qout =
      ! t:time .
      (state (t+1) = (clk t) => din t | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, with set, no reset, no enable.
----------------------------------------------------------------------%
let DSLAT_SPEC = new_definition
  ('DSLAT_SPEC',
   "! (din:time->bool) set clk state qout .
    DSLAT_SPEC din set clk state qout =
      ! t:time .
      (state (t+1) = (clk t) => ((set t) => T | din t) | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, no set, with reset, no enable.
----------------------------------------------------------------------%
let DRLAT_SPEC = new_definition
  ('DRLAT_SPEC',
   "! (din:time->bool) rst clk state qout .
    DRLAT_SPEC din rst clk state qout =
      ! t:time .
      (state (t+1) = (clk t) => ((rst t) => F | din t) | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, with set, with reset, no enable.
----------------------------------------------------------------------%
let DSRLAT_SPEC = new_definition
  ('DSRLAT_SPEC',
   "! (din:time->bool) set rst clk state qout .
    DSRLAT_SPEC din set rst clk state qout =
      ! t:time .
      (state (t+1) = (clk t) => ((set t /\ ~rst t) => T |
                                 (~set t /\ rst t) => F |
                                 (~set t /\ ~rst t) => din t |
                                 ARB) |
                     state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, no set, no reset, with enable.
----------------------------------------------------------------------%
let DELAT_SPEC = new_definition
  ('DELAT_SPEC',
   "! (din:time->bool) en clk state qout .
    DELAT_SPEC din en clk state qout =
      ! t:time .
      (state (t+1) = (clk t /\ en t) => din t | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, no set, with reset, with enable.
----------------------------------------------------------------------%
let DRELAT_SPEC = new_definition
  ('DRELAT_SPEC',
   "! (din:time->bool) rst en clk state qout .
    DRELAT_SPEC din rst en clk state qout =
      ! t:time .
      (state (t+1) = (clk t /\ en t) => ((rst t) => F | din t) | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, with set, no reset, with enable.
----------------------------------------------------------------------%
let DSELAT_SPEC = new_definition
  ('DSELAT_SPEC',
   "! (din:time->bool) set en clk state qout .
    DSELAT_SPEC din set en clk state qout =
      ! t:time .
      (state (t+1) = (clk t /\ en t) => ((set t) => T | din t) | state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  One-bit D-latch, with set, with reset, with enable.
----------------------------------------------------------------------%
let DSRELAT_SPEC = new_definition
  ('DSRELAT_SPEC',
   "! (din:time->bool) set rst en clk state qout .
    DSRELAT_SPEC din set rst en clk state qout =
      ! t:time .
      (state (t+1) = (clk t /\ en t) => ((set t /\ ~rst t) => T |
                                         (~set t /\ rst t) => F |
                                         (~set t /\ ~rst t) => din t |
                                         ARB) |
                     state t) /\
      (qout t = state (t+1))"
  );;

%----------------------------------------------------------------------
  Multiple-bit D-latch, no set, no reset, no enable.
----------------------------------------------------------------------%
let DLATn_SPEC = new_definition
  ('DLATn_SPEC',
   "! (din:time->wordn) clk state qout .
    DLATn_SPEC din clk state qout =
      ! t:time .
      (state (t+1) = (clk t) => din t | state t) /\
      (qout t = state (t+1))"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         ffs_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the flip-flops used in the
  gate-level specification of the FTEP PIU, an ASIC developed by the
  Embedded Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm ffs_def.th';;

new_theory 'ffs_def';;

map new_parent ['aux_def'];;

%----------------------------------------------------------------------
  One-bit flip-flop, no set, no reset, no enable.
----------------------------------------------------------------------%
let DFF_SPEC = new_definition
  ('DFF_SPEC',
   "! (din:time->bool) clk state0 state1 qout .
    DFF_SPEC din clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => din t | state0 t) /\
       (state1 (t+1) = (clk t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, no set, with reset, no enable.
----------------------------------------------------------------------%
let DRFF_SPEC = new_definition
  ('DRFF_SPEC',
   "! (din:time->bool) rst clk state0 state1 qout .
    DRFF_SPEC din rst clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
       (state1 (t+1) = (clk t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, with set, no reset, no enable.
----------------------------------------------------------------------%
let DSFF_SPEC = new_definition
  ('DSFF_SPEC',
   "! (din:time->bool) set clk state0 state1 qout .
    DSFF_SPEC din set clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
       (state1 (t+1) = (clk t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, with set, with reset, no enable.
----------------------------------------------------------------------%
let DRSFF_SPEC = new_definition
  ('DRSFF_SPEC',
   "! (din:time->bool) rst set clk state0 state1 qout .
    DRSFF_SPEC din rst set clk state0 state1 qout =
      (! t:time .
       ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
       ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
       ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
       (state1 (t+1) = (clk t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, no set, no reset, with enable.
----------------------------------------------------------------------%
let DEFF_SPEC = new_definition
  ('DEFF_SPEC',
   "! (din:time->bool) en clk state0 state1 qout .
    DEFF_SPEC din en clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => din t | state0 t) /\
       (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  Multiple-bit flip-flop, no set, no reset, with enable.
----------------------------------------------------------------------%
let DEFFn_SPEC = new_definition
  ('DEFFn_SPEC',
   "! (din:time->wordn) en clk state0 state1 qout .
    DEFFn_SPEC din en clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => din t | state0 t) /\
       (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, no set, with reset, with enable.
----------------------------------------------------------------------%
let DREFF_SPEC = new_definition
  ('DREFF_SPEC',
   "! (din:time->bool) en rst clk state0 state1 qout .
    DREFF_SPEC din en rst clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => (rst t => F | din t) | state0 t) /\
       (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, with set, no reset, with enable.
----------------------------------------------------------------------%
let DSEFF_SPEC = new_definition
  ('DSEFF_SPEC',
   "! (din:time->bool) en set clk state0 state1 qout .
    DSEFF_SPEC din en set clk state0 state1 qout =
      (! t:time .
       (state0 (t+1) = (~clk t) => (set t => T | din t) | state0 t) /\
       (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

%----------------------------------------------------------------------
  One-bit flip-flop, with set, with reset, with enable.
----------------------------------------------------------------------%
let DRSEFF_SPEC = new_definition
  ('DRSEFF_SPEC',
   "! (din:time->bool) en rst set clk state0 state1 qout .
    DRSEFF_SPEC din en rst set clk state0 state1 qout =
      (! t:time .
       ((~clk t /\ set t /\ ~rst t) ==> state0 (t+1) = T) /\
       ((~clk t /\ ~set t /\ rst t) ==> state0 (t+1) = F) /\
       ((clk t \/ ~set t /\ ~rst t) ==> state0 (t+1) = state0 t) /\
       (state1 (t+1) = (clk t /\ en t) => state0 t | state1 t) /\
       (qout t = state1 (t+1)))"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         counters_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the counters used in the
  gate-level specification of the FTEP PIU, an ASIC developed by the
  Embedded Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm counters_def.th';;

new_theory 'counters_def';;

map new_parent ['aux_def';'array_def';'wordn_def'];;

%----------------------------------------------------------------------
  Up-counter, no reset.
----------------------------------------------------------------------%
let UPCNT_SPEC = new_definition
  ('UPCNT_SPEC',
   "! size (din:time->wordn) ld up clk state0 state1 qout zero .
    UPCNT_SPEC size din ld up clk state0 state1 qout zero =
      ! t:time .
      (state0 (t+1) = (~clk t) => ((ld t) => din t |
                                   (up t) => INCN size (state1 t) | state1 t) |
                      state0 t) /\
      (state1 (t+1) = (clk t) => state0 t | state1 t) /\
      (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
      (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) |
                (state1 (t+1) = WORDN 0))"
  );;

%----------------------------------------------------------------------
  Down-counter, no reset.
----------------------------------------------------------------------%
let DOWNCNT_SPEC = new_definition
  ('DOWNCNT_SPEC',
   "! size (din:time->wordn) ld down clk state0 state1 qout zero .
    DOWNCNT_SPEC size din ld down clk state0 state1 qout zero =
      ! t:time .
      (state0 (t+1) = (~clk t) => ((ld t) => din t |
                                   (down t) => DECN size (state1 t) | state1 t) |
                      state0 t) /\
      (state1 (t+1) = (clk t) => state0 t | state1 t) /\
      (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
      (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) |
                (state1 (t+1) = WORDN 0))"
  );;

%----------------------------------------------------------------------
  Up-counter, with reset.
----------------------------------------------------------------------%
let UPRCNT_SPEC = new_definition
  ('UPRCNT_SPEC',
   "! size (din:time->wordn) ld up rst clk state0 state1 qout zero .
    UPRCNT_SPEC size din ld up rst clk state0 state1 qout zero =
      ! t:time .
      (state0 (t+1) = (~clk t) => ((ld t) => din t |
                                   (up t) => INCN size (state1 t) | state1 t) |
                      state0 t) /\
      (state1 (t+1) = (clk t) => ((rst t) => WORDN 0 | state0 t) | state1 t) /\
      (qout t = (up t) => INCN size (state1 (t+1)) | state1 (t+1)) /\
      (zero t = (up t) => (INCN size (state1 (t+1)) = WORDN 0) |
                (state1 (t+1) = WORDN 0))"
  );;

%----------------------------------------------------------------------
  Down-counter, with reset.
----------------------------------------------------------------------%
let DOWNRCNT_SPEC = new_definition
  ('DOWNRCNT_SPEC',
   "! size (din:time->wordn) ld down rst clk state0 state1 qout zero .
    DOWNRCNT_SPEC size din ld down rst clk state0 state1 qout zero =
      ! t:time .
      (state0 (t+1) = (~clk t) => ((ld t) => din t |
                                   (down t) => DECN size (state1 t) | state1 t) |
                      state0 t) /\
      (state1 (t+1) = (clk t) => ((rst t) => WORDN 0 | state0 t) | state1 t) /\
      (qout t = (down t) => DECN size (state1 (t+1)) | state1 (t+1)) /\
      (zero t = (down t) => (DECN size (state1 (t+1)) = WORDN 0) |
                (state1 (t+1) = WORDN 0))"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         datapaths_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the datapath blocks of the
  R-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm datapaths_def.th';;

new_theory 'datapaths_def';;

map loadf ['abstract'];;

map new_parent ['aux_def';'array_def';'wordn_def'];;

let rep_ty = abstract_type 'aux_def' 'Andn';;

%----------------------------------------------------------------------
  Counter block used to build timers.
----------------------------------------------------------------------%
let DP_CTR_SPEC = new_definition
  ('DP_CTR_SPEC',
   "! clkA clkB (busB_in:time->wordn) cir_wr c_ld cir_rd ce cin csror_ld cor_rd
      r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
      r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out .
    DP_CTR_SPEC clkA clkB busB_in cir_wr c_ld cir_rd ce cin csror_ld cor_rd
                r_ctr_in r_ctr_mux_sel r_ctr_irden r_ctr r_ctr_ce r_ctr_cin r_ctr_cry
                r_ctr_new r_ctr_outA r_ctr_out r_ctr_orden busA_out1 busA_out2 c_out =
      ! t:time .
      ((clkA t) ==>
        ((r_ctr_in (t+1) = r_ctr_in t) /\
         (r_ctr_mux_sel (t+1) = r_ctr_mux_sel t) /\
         (r_ctr_irden (t+1) = r_ctr_irden t) /\
         (r_ctr (t+1) = (r_ctr_mux_sel t) => r_ctr_in t | r_ctr_new t) /\
         (r_ctr_ce (t+1) = ce t) /\
         (r_ctr_cin (t+1) = cin t) /\
         (r_ctr_cry (t+1) = r_ctr_cry t) /\
         (r_ctr_new (t+1) = r_ctr_new t) /\
         (r_ctr_outA (t+1) = r_ctr_new t) /\
         (r_ctr_out (t+1) = r_ctr_out t) /\
         (r_ctr_orden (t+1) = r_ctr_orden t))) /\
      ((clkB t) ==>
        ((r_ctr_in (t+1) = (cir_wr t) => busB_in t | r_ctr_in t) /\
         (r_ctr_mux_sel (t+1) = c_ld t) /\
         (r_ctr_irden (t+1) = cir_rd t) /\
         (r_ctr (t+1) = r_ctr t) /\
         (r_ctr_ce (t+1) = r_ctr_ce t) /\
         (r_ctr_cin (t+1) = r_ctr_cin t) /\
         (r_ctr_cry (t+1) = (r_ctr_ce t) /\ (r_ctr_cin t) /\ ONES 31 (r_ctr t)) /\
         (r_ctr_new (t+1) = ((r_ctr_ce t) /\ (r_ctr_cin t)) => INCN 31 (r_ctr t) | r_ctr t) /\
         (r_ctr_outA (t+1) = r_ctr_outA t) /\
         (r_ctr_out (t+1) = (csror_ld t) => r_ctr_outA t | r_ctr_out t) /\
         (r_ctr_orden (t+1) = cor_rd t))) /\
      ((busA_out1 t = ((r_ctr_irden (t+1)) /\ (clkA t)) => r_ctr_in (t+1) | ARBN) /\
       (busA_out2 t = ((r_ctr_orden (t+1)) /\ (clkA t)) => r_ctr_out (t+1) | ARBN) /\
       (c_out t = r_ctr_cry (t+1)))"
  );;

%----------------------------------------------------------------------
  Interrupt Control Register (ICR) block.
----------------------------------------------------------------------%
let DP_ICR_SPEC = new_definition
  ('DP_ICR_SPEC',
   "! (rep:^rep_ty) clkA clkB (busA_in:time->wordn) busB_in icr_wr_feedback icr_wr
      icr_select icr_ld icr_rd r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr
      r_icr_rden busA_out icr_out .
    DP_ICR_SPEC rep clkA clkB busA_in busB_in icr_wr_feedback icr_wr icr_select
                icr_ld icr_rd r_icr_oldA r_icr_old r_icr_mask r_icrA r_icr
                r_icr_rden busA_out icr_out =
      ! t:time .
      ((clkA t) ==>
        (r_icr_oldA (t+1) = busA_in t) /\
        (r_icr_old (t+1) = r_icr_old t) /\
        (r_icr_mask (t+1) = r_icr_mask t) /\
        (r_icrA (t+1) = (icr_select t) => Andn rep (r_icr_old t, r_icr_mask t)
                                        | Orn rep (r_icr_old t, r_icr_mask t)) /\
        (r_icr (t+1) = r_icr t) /\
        (r_icr_rden (t+1) = r_icr_rden t)) /\
      ((clkB t) ==>
        (r_icr_oldA (t+1) = r_icr_oldA t) /\
        (r_icr_old (t+1) = (icr_wr_feedback t) => r_icr_oldA t | r_icr_old t) /\
        (r_icr_mask (t+1) = (icr_wr t) => busB_in t | r_icr_mask t) /\
        (r_icrA (t+1) = r_icrA t) /\
        (r_icr (t+1) = (icr_ld t) => r_icrA t | r_icr t) /\
        (r_icr_rden (t+1) = icr_rd t)) /\
      ((busA_out t = ((r_icr_rden (t+1)) /\ (clkA t)) => r_icr (t+1) | ARBN) /\
       (icr_out t = r_icr (t+1)))"
  );;

%----------------------------------------------------------------------
  Control register used to build General Control Register (GCR) and
  Communication Control Register (CCR).
----------------------------------------------------------------------%
let DP_CR_SPEC = new_definition
  ('DP_CR_SPEC',
   "! clkA clkB (busB_in:time->wordn) cr_wr cr_rd r_cr r_cr_rden busA_out cr_out .
    DP_CR_SPEC clkA clkB busB_in cr_wr cr_rd r_cr r_cr_rden busA_out cr_out =
      ! t:time .
      ((clkA t) ==>
        (r_cr (t+1) = r_cr t) /\
        (r_cr_rden (t+1) = r_cr_rden t)) /\
      ((clkB t) ==>
        (r_cr (t+1) = (cr_wr t) => busB_in t | r_cr t) /\
        (r_cr_rden (t+1) = cr_rd t)) /\
      ((busA_out t = ((r_cr_rden (t+1)) /\ (clkA t)) => r_cr (t+1) | ARBN) /\
       (cr_out t = r_cr (t+1)))"
  );;

%----------------------------------------------------------------------
  Status Register Block.
----------------------------------------------------------------------%
let DP_SR_SPEC = new_definition
  ('DP_SR_SPEC',
   "! clkA clkB (inp:time->wordn) sror_ld sr_rd r_sr r_sr_rden busA_out .
    DP_SR_SPEC clkA clkB inp sror_ld sr_rd r_sr r_sr_rden busA_out =
      ! t:time .
      ((clkA t) ==>
        (r_sr (t+1) = r_sr t) /\
        (r_sr_rden (t+1) = r_sr_rden t)) /\
      ((clkB t) ==>
        (r_sr (t+1) = (sror_ld t) => inp t | r_sr t) /\
        (r_sr_rden (t+1) = sr_rd t)) /\
      (busA_out t = ((r_sr_rden (t+1)) /\ (clkA t)) => r_sr (t+1) | ARBN)"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         buses_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the buses used in the
  gate-level specification of the FTEP PIU, an ASIC developed by the
  Embedded Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm buses_def.th';;

new_theory 'buses_def';;

map new_parent ['aux_def'];;

new_type_abbrev('time', ":num");;

%----------------------------------------------------------------------
  Specification for a conflict-free bus.
----------------------------------------------------------------------%
let Bus_CF_12_SPEC = new_definition
  ('Bus_CF_12_SPEC',
   "! inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 .
    Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 =
      ! t:time .
      (inE1 t) => ~((inE2 t) \/ (inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/
                    (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE2 t) => ~((inE3 t) \/ (inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/
                    (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE3 t) => ~((inE4 t) \/ (inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/
                    (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE4 t) => ~((inE5 t) \/ (inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/
                    (inE11 t) \/ (inE12 t)) |
      (inE5 t) => ~((inE6 t) \/ (inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/
                    (inE12 t)) |
      (inE6 t) => ~((inE7 t) \/ (inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE7 t) => ~((inE8 t) \/ (inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE8 t) => ~((inE9 t) \/ (inE10 t) \/ (inE11 t) \/ (inE12 t)) |
      (inE9 t) => ~((inE10 t) \/ (inE11 t)
                    \/ (inE12 t)) |
      (inE10 t) => ~((inE11 t) \/ (inE12 t)) |
      (inE11 t) => ~(inE12 t) | T"
  );;

%----------------------------------------------------------------------
  Specification for a 12-input bus component.
----------------------------------------------------------------------%
let Bus_12_1_SPEC = new_definition
  ('Bus_12_1_SPEC',
   "! (inD1:time->*) inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
      inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out .
    Bus_12_1_SPEC inD1 inD2 inD3 inD4 inD5 inD6 inD7 inD8 inD9 inD10 inD11 inD12
                  inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12 out =
      ! t:time .
      (Bus_CF_12_SPEC inE1 inE2 inE3 inE4 inE5 inE6 inE7 inE8 inE9 inE10 inE11 inE12) ==>
      ((inE1 t ==> (out t = inD1 t)) /\
       (inE2 t ==> (out t = inD2 t)) /\
       (inE3 t ==> (out t = inD3 t)) /\
       (inE4 t ==> (out t = inD4 t)) /\
       (inE5 t ==> (out t = inD5 t)) /\
       (inE6 t ==> (out t = inD6 t)) /\
       (inE7 t ==> (out t = inD7 t)) /\
       (inE8 t ==> (out t = inD8 t)) /\
       (inE9 t ==> (out t = inD9 t)) /\
       (inE10 t ==> (out t = inD10 t)) /\
       (inE11 t ==> (out t = inD11 t)) /\
       (inE12 t ==> (out t = inD12 t)))"
  );;

%----------------------------------------------------------------------
  Specification for a single-input bus component where the input is
  sourced by an A-clocked latch.
----------------------------------------------------------------------%
let Bus1A_SPEC = new_definition
  ('Bus1A_SPEC',
   "! (in_A:time->*) out_A out_B .
    Bus1A_SPEC in_A out_A out_B =
      ! t:time .
      (out_A t = in_A t) /\
      (out_B t = in_A t)"
  );;

%----------------------------------------------------------------------
  Specification for a single-input bus component where the input is
  sourced by a B-clocked latch.
----------------------------------------------------------------------%
let Bus1B_SPEC = new_definition
  ('Bus1B_SPEC',
   "! (in_B:time->*) out_A out_B .
    Bus1B_SPEC in_B out_A out_B =
      ! t:time .
      (out_A t = in_B (t-1)) /\
      (out_B t = in_B t)"
  );;

close_theory();;
```

```
%----------------------------------------------------------------------
  File:         aux_def.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains auxiliary definitions needed for the gate-level
  specification of the FTEP PIU, an ASIC developed by the Embedded
  Processing Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

system 'rm aux_def.th';;

new_theory 'aux_def';;

loadf 'abstract';;

new_type_abbrev('time', ":num");;
new_type_abbrev('wordn', ":(num->bool)");;

let pfsm_ty_Axiom = define_type 'pfsm_ty_Axiom'
  'pfsm_ty = PH | PA | PD | P_ILL';;

let cmfsm_ty_Axiom = define_type 'cmfsm_ty_Axiom'
  'cmfsm_ty = CMI | CMR | CMA3 | CMA1 | CMA0 | CMA2 | CMD1 | CMD0 | CMW | CMABT';;

let csfsm_ty_Axiom = define_type 'csfsm_ty_Axiom'
  'csfsm_ty = CSI | CSL | CSA1 | CSA0 | CSA0W | CSALE | CSRR | CSD1 | CSD0 | CSACK | CSABT';;

let cefsm_ty_Axiom = define_type 'cefsm_ty_Axiom'
  'cefsm_ty = CEI | CEE';;

let cc_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                     csfsm_ty#bool#bool#wordn#
                     cefsm_ty#bool#bool#bool#bool#bool#
                     bool#wordn#bool#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#
                     bool#bool#wordn#wordn#wordn#wordn#wordn#wordn)";;

wordn#wordn#wordn#bool#bool#bool#bool#wordn#wordn#bool#wordn#bool#;;

let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#bool#bool)";;

let mfsm_ty_Axiom = define_type 'mfsm_ty_Axiom'
  'mfsm_ty = MI | MA | MW | MRR | MR | MBW | M_ILL';;

let rfsm_ty_Axiom = define_type 'rfsm_ty_Axiom'
  'rfsm_ty = RI | RA | RD';;

let rc_state_ty =
":(rfsm\_ty\#bool\#bool\#bool\#bool\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool\#wordn\#bool#wordn\#bool#wordn\#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wor
dn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bo wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool# wordn#bool#wordn#bool#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#wordn# wordn#wordn#wordn#bool#bool#wordn)";; let rc_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#bool#bool#bool";; let sfsm_ty_Axiom = define_type 'sfsm_ty_Axiom' 'sfsm_ty = SSTART | SRA | SPF | SCOI | SCOF | ST | SC1I | SCIF | SS | SSTOP | SCS | SN | SO | S_ILL';; let sc_state_ty = ":(sfsm_ty#bool#bool#bool#bool#bool#bool#wordn#wordn# ``` ``` let VDD = new_definition ('VDD', "! t:time . VDD t = T" );; let GND = new_definition ('GND', "! t:time . GND t = F" );; let abs_rep = new_abstract_representation [ ('Andn', ":(wordn#wordn->wordn)"); ('Orn', ":(wordn#wordn->wordn)"); ('Ham_Dec', ":(wordn->wordn)"); ('Ham_Det1', ":(wordn->wordn)"); ('Ham_Det2', ":(wordn#bool->bool)"); ('Ham_Enc', ":(wordn->wordn)"); ('Par_Dec', ":(wordn->wordn)"); ('Par_Det', ":(wordn->bool)"); ('Par_Enc', ":(wordn->wordn)"); ('p_interp', ":(^pc_state_ty#^pc_env_ty#^pc_out_ty->bool)"); ('c_interp', ":(^cc_state_ty#^cc_env_ty#^cc_out_ty->bool)"); (`m\_interp', ``:(^mc\_state\_ty\#^mc\_env\_ty\#^mc\_out\_ty->bool)"); ('r_interp', ":(^rc_state_ty#^rc_env_ty#^rc_out_ty->bool)"); ('s_interp', ":(^sc_state_ty#^sc_env_ty#^sc_out_ty->bool)")];; make_inst_thms abs_rep;; let rep_ty = abstract_type 'aux_def' 'Andn';; close_theory();; %----- File: array_def.ml Author: (c) P. J. Windley 1992 Description: Prove auxilliary theorems about functions so that functions can be easily used to represent arrays. Modification History: 24FEB92 -- Original file. Many of the theorems included were motivated by theorems defined on lists in list_aux.ml. 26FEB92 -- [DAF] Modified order of parameters in calls to ALTER, MALTER, SUBARRAY to match simulation ``` language syntax. Added definition of ELEMENT. ``` % Removed 26FEB92. 
  [DAF]
loadf 'libs_aux';;
system '/bin/rm array_def.th';;
%

system 'rm array_def.th';;

new_theory 'array_def';;

% Added 26FEB92 (from PJW). [DAF] %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith 'SYM_RULE';;

%----------------------------------------------------------------------
  Auxiliary array definitions and theorems.

  We will use functions to represent arrays. The definition that
  follows defines an ALTER function that can be used to set the nth
  member of an array.

  The following lemmas are useful in reasoning about array operations.
----------------------------------------------------------------------%
let ALTER_DEF = new_definition
  ('ALTER_DEF',
   "ALTER (f:*->**) n x = (\m. (m = n) => x | (f m))"
  );;

let ALTER_THM = prove_thm
  ('ALTER_THM',
   "ALTER (f:*->**) n x y = (y = n) => x | (f y)",
   REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

%----------------------------------------------------------------------
  ALTER_EQUAL is similar to the EL_SET_EL lemma for lists.
----------------------------------------------------------------------%
let ALTER_EQUAL = prove_thm
  ('ALTER_EQUAL',
   "! x n (f:*->**) . (ALTER f n x) n = x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_DEF]
   THEN BETA_TAC
   THEN REWRITE_TAC []
  );;

%----------------------------------------------------------------------
  ALTER_NON_EQUAL is similar to NOT_EL_SET_EL for lists.
----------------------------------------------------------------------%
let ALTER_NON_EQUAL = prove_thm
  ('ALTER_NON_EQUAL',
   "! n m (f:*->**) x . ~(n = m) ==> (f n = (ALTER f m x) n)",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC []
  );;

%----------------------------------------------------------------------
  ALTER_COMMUTES is similar to SET_EL_SET_EL for lists.
----------------------------------------------------------------------%
let ALTER_COMMUTE = prove_thm
  ('ALTER_COMMUTE',
   "! (d1:*) d2 (f:*->**) (x:**) y .
    ~(d1 = d2) ==>
    ((ALTER (ALTER f d2 x) d1 y) = (ALTER (ALTER f d1 y) d2 x))",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [ALTER_THM]
   THEN STRIP_TAC
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN UNDISCH_TAC "~((d1:*) = d2)"
   THEN ASSUM_LIST (\thl .
          REWRITE_TAC (map SYM_RULE thl))
  );;

%----------------------------------------------------------------------
  Until now, it hasn't mattered what the type of the subscript is and
  so the previous lemmas were all general, even though someone using
  them to represent arrays would probably be using numbers as
  subscripts.

  Now, we want to reason about subarrays given as a sequence from a
  starting value to an ending value. This presupposes that the
  subscripts can be totally ordered. To make life easy, we won't be
  that general, but will use numbers as subscripts.
----------------------------------------------------------------------%
let SUBARRAY_DEF = new_definition
  ('SUBARRAY_DEF',
   "! n m (f:num->*) .
    SUBARRAY f (m,n) = \x. ((x+n) <= m) => f (x+n) | ARB"
  );;

let SUBARRAY_THM = prove_thm
  ('SUBARRAY_THM',
   "! n m (f:num->*) .
    SUBARRAY f (m,n) x = ((x+n) <= m) => f (x+n) | ARB",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [SUBARRAY_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

let ELEMENT_DEF = new_definition
  ('ELEMENT_DEF',
   "! m (f:num->*) .
    ELEMENT f (m) = f m"
  );;

%----------------------------------------------------------------------
  MALTER alters multiple values in an array.
----------------------------------------------------------------------%
let MALTER_DEF = new_definition
  ('MALTER_DEF',
   "! n m f (g:num->*) .
    MALTER f (m,n) g = \x. (n <= x /\ x <= m) => g (x-n) | f x"
  );;

let MALTER_THM = prove_thm
  ('MALTER_THM',
   "! n m (x:num) g (f:num->*) .
    MALTER f (m,n) g x = (n <= x /\ x <= m) => g (x-n) | f x",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [MALTER_DEF]
   THEN BETA_TAC
   THEN REFL_TAC
  );;

let MALTER_SUBARRAY_IDENT = prove_thm
  ('MALTER_SUBARRAY_IDENT',
   "! n m (f:num->*) .
    MALTER f (m,n) (SUBARRAY f (m,n)) = f",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
   THEN GEN_TAC
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST (\thl . MAP_EVERY ASSUME_TAC
          (flat (map CONJUNCTS (filter (is_conj o concl) thl))))
   THEN IMP_RES_TAC SUB_ADD
   THEN TRY (UNDISCH_TAC "~((n' - n) + n) <= m")
   THEN ASM_REWRITE_TAC []
  );;

let MALTER_SUBARRAY_SUBSCRIPTS = prove_thm
  ('MALTER_SUBARRAY_SUBSCRIPT',
   "! n m x (f:num->*) g .
    MALTER f (m,n) (SUBARRAY g (m,n)) x = (n <= x /\ x <= m) => g x | f x",
   REPEAT GEN_TAC
   THEN CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [MALTER_THM;SUBARRAY_THM]
   THEN REPEAT COND_CASES_TAC
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST (\thl . MAP_EVERY ASSUME_TAC
          (flat (map CONJUNCTS (filter (is_conj o concl) thl))))
   THEN IMP_RES_TAC SUB_ADD
   THEN TRY (UNDISCH_TAC "~((x - n) + n) <= m")
   THEN ASM_REWRITE_TAC []
  );;

close_theory();;

%----------------------------------------------------------------------
  File:         wordn_def.ml

  Description:  Defines a theory of words which contains a definition
                for converting between functions from numbers to
                booleans and natural numbers and proves various useful
                theorems about this definition.

                This file is based on a theory that was originally
                authored by Graham Birtwhistle of the University of
                Calgary in 1988.

  Authors:      (c) Graham Birtwhistle, Phillip Windley, 1988, 1992

  Modification History:
    28FEB92 -- [PJW] Original file from words.ml
    10MAR92 -- [PJW] Added definition of WORDN.
    13MAR92 -- [DAF] Added definitions of bv, SETN, RSTN, GNDN, NOTN,
                     INCN, DECN, ARBN.
----------------------------------------------------------------------%

% Removed 13MAR92. [DAF]
let add_root s = '/users/staff/windley/hol/Library/' ^ s;;
set_search_path(search_path()@
                (map add_root ['bits/'; 'numbers/'; 'array/']));;
%

system '/bin/rm wordn_def.th';;

new_theory 'wordn_def';;

% Replaced 13MAR92. [DAF]
map load_parent [ 'bits'; 'num_thms'; 'exp'; 'array_def'];;
%
map new_parent ['aux_def'; 'array_def'];;

new_type_abbrev ('wordn',":num->bool");;

%----------------------------------------------------------------------
  Definitions
----------------------------------------------------------------------%
let bv = new_definition
  ('bv',
   "! (b:bool) . bv b = (b) => 1 | 0"
  );;

let VAL = new_prim_rec_definition
  ('VAL',
   "(VAL 0 (f:wordn) = bv (f 0)) /\
    (VAL (SUC n) f = ((2 EXP (SUC n)) * (bv (f (SUC n)))) + VAL n f)"
  );;

let pos_val = new_definition
  ('pos_val',
   "! (x:wordn) (y:num) .
    pos_val x y = (bv (x y)) * (2 EXP y)"
  );;

let ONES = new_prim_rec_definition
  ('ONES',
   "(ONES 0 a = (a 0)) /\
    (ONES (SUC n) a = (a (SUC n)) /\ (ONES n a))"
  );;

let ZEROS = new_prim_rec_definition
  ('ZEROS',
   "(ZEROS 0 a = ~(a 0)) /\
    (ZEROS (SUC n) a = ~(a (SUC n)) /\ (ZEROS n a))"
  );;

% Modified 13MAR92. [DAF]
let WORDN = new_definition
  ('WORDN',
   "! (x:num) . WORDN x = \n. (x DIV (2 EXP n)) MOD 2"
  );;
%
let WORDN = new_definition
  ('WORDN',
   "! (x:num) . WORDN x = \n. ((x DIV (2 EXP n)) MOD 2 = 1)"
  );;

let SETN = new_definition
  ('SETN',
   "! (x:num) . SETN x = \(n:num). (n <= x) => T | ARB"
  );;

% Equivalent to "WORDN 0" but perhaps more convenient %
let RSTN = new_definition
  ('RSTN',
   "! (x:num) . RSTN x = \(n:num). (n <= x) => F | ARB"
  );;

let GNDN = new_definition
  ('GNDN',
   "! (x:num) (t:time) . GNDN x t = \(n:num). (n <= x) => F | ARB"
  );;

let NOTN = new_definition
  ('NOTN',
   "! (x:num) (f:wordn) . NOTN x f = \(n:num) . (n <= x) => ~(f n) | ARB"
  );;

let INCN = new_definition
  ('INCN',
   "! n f . INCN n f = (ONES n f) => RSTN n | WORDN ((VAL n f) + 1)"
  );;

let DECN = new_definition
  ('DECN',
   "! n f . DECN n f = (ZEROS n f) => SETN n | WORDN ((VAL n f) - 1)"
  );;

let ARBN = new_definition
  ('ARBN',
   "(ARBN:num->bool) = \n. ARB"
  );;

%----------------------------------------------------------------------
  Theorems
----------------------------------------------------------------------%

% Removed theorems for now 13MAR92. [DAF] %

close_theory();;
```

## Appendix B ML Source for the Gate-Level Specification of the PIU Ports

This appendix contains the HOL models for the gate-level specification for the PIU ports. The ports are listed in the order: P\_Port, M\_Port, R\_Port, C\_Port, and SU\_Cont.

## **B.1 P Port Specification**

```
%----------------------------------------------------------------------
  File:         p_block.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the gate-level specification of
  the PIU P-Port, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
----------------------------------------------------------------------%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm p_block.th';;

new_theory 'p_block';;

map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'aux_def';'aux_def';'paux_def'];;

let p_state_ty = ":(pfsm_ty#bool#bool#bool#wordn#wordn#bool#wordn#bool#wordn#num#bool#bool#

let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr,
                 P_dest1, P_be_, P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state,
                 P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_,
                 P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_, P_lock_inh_,
                 P_male_, P_rale_)
                :^p_state_ty)";;

let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
               I_ad_in, I_cgnt_, I_hold_, I_srdy_)
              :^p_env_ty)";;

let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_,
               I_crqt_, I_cale_, I_mrdy_, I_last_, I_hlda_, I_lock_)
              :^p_out_ty)";;

%----------------------------------------------------------------------
  P-Port data latches.
----------------------------------------------------------------------%
let Data_Latches_SPEC = new_definition
  ('Data_Latches_SPEC',
   "! clkA clkB (lad_in:time->(num->bool)) (lbe_in:time->(num->bool))
      (lwr_in:time->bool) en_in be_sel wr_data addr dest1 be wr be_n
      data_out addr_out be_out .
    Data_Latches_SPEC clkA clkB lad_in lbe_in lwr_in en_in be_sel wr_data addr
                      dest1 be wr be_n data_out addr_out be_out =
      ! t:time .
      ((clkA t) ==>
        ((wr_data (t+1) = lad_in t) /\
         (addr (t+1) = (en_in t) => (lad_in t) | (addr t)) /\
         (dest1 (t+1) = (en_in t) => (ELEMENT (lad_in t) (31)) | (dest1 t)) /\
         (be (t+1) = (en_in t) => (lbe_in t) | (be t)) /\
         (wr (t+1) = (en_in t) => (lwr_in t) | (wr t)) /\
         (be_n (t+1) = lbe_in t))) /\
      ((clkB t) ==>
        ((wr_data (t+1) = wr_data t) /\
         (addr (t+1) = addr t) /\
         (dest1 (t+1) = dest1 t) /\
         (be (t+1) = be t) /\
         (wr (t+1) = wr t) /\
         (be_n (t+1) = be_n t))) /\
      ((data_out t = wr_data (t+1)) /\
       (let od1 = MALTER (addr_out t) (31,27) (be (t+1)) in
       (let od2 = ALTER od1 (26) F in
       (let od3 = MALTER od2 (25,24) (SUBARRAY (addr (t+1)) (1,0)) in
       (let od4 = MALTER od3 (23,0) (SUBARRAY (addr (t+1)) (25,2)) in
       (addr_out t = od4))))) /\
       (be_out t = (be_sel t) => (be (t+1)) | (be_n (t+1))))"
);;

% Input logic for P_rqt latch. %

let Req_Inputs_SPEC = new_definition
  ('Req_Inputs_SPEC',
   "! l_ads_ l_den_ (reset_rqt:time->bool) rqt_inS rqt_inR rqt_inE .
    Req_Inputs_SPEC l_ads_ l_den_ reset_rqt rqt_inS rqt_inR rqt_inE =
      !t:time .
        (rqt_inS t = ~(l_ads_ t) /\ (l_den_ t)) /\
        (rqt_inR t = reset_rqt t) /\
        (rqt_inE t = (rqt_inS t) \/ (rqt_inR t))"
);;

% Input logic for P_size counter. %

let Ctr_Logic_SPEC = new_definition
  ('Ctr_Logic_SPEC',
   "! clkA clkB l_ad_in load_in down_in zero_cnt p_size p_sizeA p_load p_loadA p_down p_downA .
    Ctr_Logic_SPEC clkA clkB l_ad_in load_in down_in zero_cnt p_size p_sizeA p_load p_loadA
                   p_down p_downA =
      !t:time .
      ((clkA t) ==>
        ((p_sizeA (t+1) = p_size t) /\
         (p_loadA (t+1) = p_load t) /\
         (p_downA (t+1) = p_down t) /\
         (p_size (t+1) = p_size t) /\
         (p_load (t+1) = p_load t) /\
         (p_down (t+1) = p_down t))) /\
      ((clkB t) ==>
        ((p_sizeA (t+1) = p_sizeA t) /\
         (p_loadA (t+1) = p_loadA t) /\
         (p_downA (t+1) = p_downA t) /\
         (p_size (t+1) = (p_loadA t) => SUBARRAY (l_ad_in t) (1,0) |
                         (p_downA t) => DECN 2 (p_sizeA t) | p_sizeA t) /\
         (p_load (t+1) = load_in t) /\
         (p_down (t+1) = down_in t))) /\
      (zero_cnt t = (p_downA t) => (DECN 2 (p_sizeA (t+1)) = (WORDN 0)) |
                                   (p_sizeA (t+1) = (WORDN 0)))"
);;

% Accumulated random logic. %

let Scat_Logic_SPEC = new_definition
  ('Scat_Logic_SPEC',
   "! rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
      i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_ fsm_mrqt fsm_rst fsm_sack
      reset_rqt l_ready .
    Scat_Logic_SPEC rst fsm_astate fsm_dstate fsm_hlda_ p_addr p_wr p_rqt zero_cnt i_srdy_
                    i_ad_data_out_en l_ad_out_en_ i_rale_ i_male_ i_crqt_ fsm_mrqt fsm_rst fsm_sack
                    reset_rqt l_ready =
      !t:time .
        (i_ad_data_out_en t = (p_wr t) /\ (fsm_dstate t)) /\
        (l_ad_out_en_ t = (p_wr t) /\ (fsm_dstate t) \/ ~(fsm_hlda_ t) \/ (fsm_astate t)) /\
        (i_rale_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                       (VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                       (fsm_astate t) /\ (p_rqt t))) /\
        (i_male_ t = ~(~(ELEMENT (p_addr t) (31)) /\
                       ~(VAL 26 (SUBARRAY (p_addr t) (25,24)) = 3) /\
                       (fsm_astate t) /\ (p_rqt t))) /\
        (i_crqt_ t = ~((ELEMENT (p_addr t) (31)) /\ (p_rqt t))) /\
        (fsm_mrqt t = ~(ELEMENT (p_addr t) (31)) /\ (p_rqt t)) /\
        (fsm_rst t = rst t) /\
        (fsm_sack t = (zero_cnt t) /\ ~(i_srdy_ t) /\ (fsm_dstate t)) /\
        (reset_rqt t = (rst t) \/ (fsm_sack t)) /\
        (l_ready t = ~(i_srdy_ t) /\ (fsm_dstate t))"
);;

% Input logic for P_lock_ latch. %

let Lock_Inputs_SPEC = new_definition
  ('Lock_Inputs_SPEC',
   "! rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE .
    Lock_Inputs_SPEC rst fsm_dstate p_male_ p_rale_ lock_inE lock_inh_inE =
      !t:time .
        (lock_inE t = (rst t) \/ (fsm_dstate t)) /\
        (lock_inh_inE t = (rst t) \/ ~(p_male_ t) \/ ~(p_rale_ t))"
);;

% P-Port controller state machine. %

let FSM_SPEC = new_definition
  ('FSM_SPEC',
   "! clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
      state rst mrqt sack cgnt_ crqt_ hold_ lock_
      stateA astate dstate hlda_ astate_out dstate_out hlda_out_ .
    FSM_SPEC clkA clkB rst_in mrqt_in sack_in cgnt_in_ crqt_in_ hold_in_ lock_in_
             state rst mrqt sack cgnt_ crqt_ hold_ lock_
             stateA astate dstate hlda_ astate_out dstate_out hlda_out_ =
      !t:time .
      ((clkA t) ==>
        ((state (t+1) = state t) /\
         (rst (t+1) = rst t) /\
         (mrqt (t+1) = mrqt t) /\
         (sack (t+1) = sack t) /\
         (cgnt_ (t+1) = cgnt_ t) /\
         (crqt_ (t+1) = crqt_ t) /\
         (hold_ (t+1) = hold_ t) /\
         (lock_ (t+1) = lock_ t) /\
         (stateA (t+1) =
           ((rst t) => PA |
            (state t = PH) => ((hold_ t) => PA | PH) |
            (state t = PA) => (((mrqt t) \/ ~(cgnt_ t) /\ ~(crqt_ t)) => PD |
                               (((lock_ t) /\ ~(hold_ t)) => PH | PA)) |
            (((sack t) /\ (hold_ t)) => PA |
             ((sack t) /\ ~(hold_ t) /\ ~(lock_ t)) => PA |
             ((sack t) /\ ~(hold_ t) /\ (lock_ t)) => PH | PD))) /\
         (astate (t+1) = (stateA (t+1) = PA)) /\
         (dstate (t+1) = (stateA (t+1) = PD)) /\
         (hlda_ (t+1) = ~(stateA (t+1) = PA)))) /\
      ((clkB t) ==>
        ((state (t+1) = stateA t) /\
         (rst (t+1) = rst_in t) /\
         (mrqt (t+1) = mrqt_in t) /\
         (sack (t+1) = sack_in t) /\
         (cgnt_ (t+1) = cgnt_in_ t) /\
         (crqt_ (t+1) = crqt_in_ t) /\
         (hold_ (t+1) = hold_in_ t) /\
         (lock_ (t+1) = lock_in_ t) /\
         (stateA (t+1) = stateA t) /\
         (astate (t+1) = astate t) /\
         (dstate (t+1) = dstate t) /\
         (hlda_ (t+1) = hlda_ t))) /\
      ((astate_out t = astate (t+1)) /\
       (dstate_out t = dstate (t+1)) /\
       (hlda_out_ t = hlda_ (t+1)))"
);;

% P-Port Block. %

let P_Block_SPEC = new_definition
  ('P_Block_SPEC',
   "! (P_fsm_stateA P_fsm_state :time->pfsm_ty)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :time->wordn)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA
       P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_
       P_rqt P_load P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :time->bool)
      (L_ad_in L_be_ I_ad_in :time->wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :time->bool)
      (L_ad_out I_ad_data_out I_ad_addr_out I_be_ :time->wordn)
      (L_ready_ I_rale_ I_male_ I_crqt_ I_cale_ I_mrdy_ I_last_ I_hlda_ I_lock_ :time->bool) .
    P_Block_SPEC
      (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_,
       P_wr, P_be_n_, P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack,
       P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
       P_lock_inh_, P_male_, P_rale_)
      (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_,
       I_srdy_)
      (L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_,
       I_mrdy_, I_last_, I_hlda_, I_lock_) =
      ? fsm_astate fsm_dstate rqt data_out addr_out be_out data_out_en reset_rqt
        rqt_inS rqt_inR rqt_inE rqt_outQ load_in down_in zero_cnt zero_cnt_
        l_ad_out_en_ rale_ male_ fsm_mrqt fsm_rst fsm_sack l_ready i_cgnt
        lock_inE lock_outQ lock_inh_inE lock_inh_outQ p_male_outQ p_rale_outQ lock_outQ_ .
      (Data_Latches_SPEC ClkA ClkB L_ad_in L_be_ L_wr rqt fsm_astate P_wr_data P_addr P_dest1
                         P_be_ P_wr P_be_n_ data_out addr_out be_out) /\
      (TRIBUF_SPEC data_out data_out_en I_ad_data_out) /\
      (TRIBUF_SPEC addr_out fsm_astate I_ad_addr_out) /\
      (TRIBUF_SPEC be_out I_hlda_ I_be_) /\
      (Req_Inputs_SPEC L_ads_ L_den_ reset_rqt rqt_inS rqt_inR rqt_inE) /\
      (DSRELAT_SPEC GND rqt_inS rqt_inR rqt_inE ClkB P_rqt rqt_outQ) /\
      (NOT_SPEC rqt_outQ reset_rqt) /\
      (Ctr_Logic_SPEC ClkA ClkB L_ad_in load_in down_in zero_cnt P_size P_sizeA P_load P_loadA
                      P_down P_downA) /\
      (Scat_Logic_SPEC Rst fsm_astate fsm_dstate I_hlda_ P_addr P_wr P_rqt zero_cnt I_srdy_
                       data_out_en l_ad_out_en_ rale_ male_ I_crqt_ fsm_mrqt fsm_rst fsm_sack
                       reset_rqt l_ready) /\
      (TRIBUF_SPEC rale_ I_hlda_ I_rale_) /\
      (TRIBUF_SPEC male_ I_hlda_ I_male_) /\
      (TRIBUF_SPEC GND I_hlda_ I_mrdy_) /\
      (NOT_SPEC zero_cnt zero_cnt_) /\
      (TRIBUF_SPEC zero_cnt_ I_hlda_ I_last_) /\
      (NOT_SPEC l_ready L_ready_) /\
      (DSELAT_SPEC L_lock_ Rst lock_inE ClkB P_lock_ lock_outQ) /\
      (DSELAT_SPEC L_lock_ Rst lock_inh_inE ClkB P_lock_inh_ lock_inh_outQ) /\
      (Lock_Inputs_SPEC Rst fsm_dstate p_male_outQ p_rale_outQ lock_inE lock_inh_inE) /\
      (DELAT_SPEC male_ fsm_astate ClkB P_male_ p_male_outQ) /\
      (DELAT_SPEC rale_ fsm_astate ClkB P_rale_ p_rale_outQ) /\
      (NOT_SPEC lock_outQ lock_outQ_) /\
      (NAND2_SPEC lock_outQ_ lock_inh_outQ I_lock_) /\
      (NOT_SPEC I_cgnt_ i_cgnt) /\
      (NAND3_SPEC i_cgnt fsm_astate I_hold_ I_cale_) /\
      (BUF_SPEC I_ad_in L_ad_out) /\
      (FSM_SPEC ClkA ClkB fsm_rst fsm_mrqt fsm_sack I_cgnt_ I_crqt_ I_hold_ lock_outQ
                P_fsm_state P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_
                P_fsm_lock_ P_fsm_stateA P_fsm_astate P_fsm_dstate P_fsm_hlda_
                fsm_astate fsm_dstate I_hlda_)"
);;

close_theory();;
```

## **B.2 M Port Specification**

```
%-----
  File: m_block.ml (c) D.A.
  Fura 1992 Author: 31 March 1992 Date:

  This file contains the ml source for the gate-level specification of the
  P-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm m_block.th';;

new_theory 'm_block';;

loadf 'abstract';;

map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'maux_def';'aux_def';'array_def';'wordn_def'];;

let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#wordn#wordn#wordn#bool#wordn#
                    bool#bool#wordn#wordn#wordn#wordn#wordn";;

let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write,
                 M_fsm_mem_enable, M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state,
                 M_fsm_male_, M_fsm_rd, M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt,
                 M_fsm_rst, M_se, M_wr, M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data,
                 M_detect)
                :^m_state_ty)";;

let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
               I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
              :^m_env_ty)";;

let m_out_ty = ":(wordn#bool#wordn#wordn#bool#bool#bool#bool#bool#bool)";;

let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
               MB_parity)
              :^m_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;

% SRAM/EEPROM selection logic. %

let SE_Logic_SPEC = new_definition
  ('SE_Logic_SPEC',
   "! clkA clkB (i_ad:time->wordn) male mem_enable M_se cs_e_ cs_s_ .
    SE_Logic_SPEC clkA clkB i_ad male mem_enable M_se cs_e_ cs_s_ =
      !t:time .
      ((clkA t) ==> ((M_se (t+1) = M_se t))) /\
      ((clkB t) ==> ((M_se (t+1) = (male t) => ELEMENT (i_ad t) (23) | M_se t))) /\
      ((cs_e_ t = ~((mem_enable t) /\ ~(M_se (t+1)))) /\
       (cs_s_ t = ~((mem_enable t) /\ (M_se (t+1)))))"
);;

% Read/write selection logic. %

let WR_Logic_SPEC = new_definition
  ('WR_Logic_SPEC',
   "!
      clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem .
    WR_Logic_SPEC clkA clkB i_ad male mem_enable M_wr wr rd_mem wr_mem =
      !t:time .
      ((clkA t) ==> ((M_wr (t+1) = M_wr t))) /\
      ((clkB t) ==> ((M_wr (t+1) = (male t) => ELEMENT (i_ad t) (27) | M_wr t))) /\
      ((wr t = M_wr (t+1)) /\
       (rd_mem t = (mem_enable t) /\ ~(M_wr (t+1))) /\
       (wr_mem t = (mem_enable t) /\ (M_wr (t+1))))"
);;

% Address counter logic. %

let Addr_Ctr_SPEC = new_definition
  ('Addr_Ctr_SPEC',
   "! clkA clkB (i_ad:time->wordn) male rdyA M_addr M_addrA addr_out .
    Addr_Ctr_SPEC clkA clkB i_ad male rdyA M_addr M_addrA addr_out =
      !t:time .
      ((clkA t) ==>
        ((M_addr (t+1) = M_addr t) /\
         (M_addrA (t+1) = M_addr t))) /\
      ((clkB t) ==>
        ((M_addr (t+1) = (male t) => (SUBARRAY (i_ad t) (18,0)) |
                         (rdyA t) => (INCN 18 (M_addrA t)) | (M_addrA t)) /\
         (M_addrA (t+1) = M_addrA t))) /\
      (addr_out t = (rdyA t) => (INCN 18 (M_addrA (t+1))) | M_addrA (t+1))"
);;

% Byte enable logic. %

let BE_Logic_SPEC = new_definition
  ('BE_Logic_SPEC',
   "! clkA clkB (i_be:time->wordn) male srdy wr_mem M_be M_beA be_out ww bw .
    BE_Logic_SPEC clkA clkB i_be male srdy wr_mem M_be M_beA be_out ww bw =
      !t:time .
      ((clkA t) ==>
        ((M_be (t+1) = M_be t) /\
         (M_beA (t+1) = M_be t))) /\
      ((clkB t) ==>
        ((M_be (t+1) = ((male t) \/ (srdy t)) => (i_be t) | (M_be t)) /\
         (M_beA (t+1) = M_beA t))) /\
      ((be_out t = M_beA (t+1)) /\
       (ww t = (wr_mem t) /\ (VAL 3 (M_be (t+1)) = 15)) /\
       (bw t = (wr_mem t) /\ ~(VAL 3 (M_be (t+1)) = 15)))"
);;

% Input logic for M_rdy latch. %

let Rdy_Logic_SPEC = new_definition
  ('Rdy_Logic_SPEC',
   "! write read zero_cnt wr_mem rdy .
    Rdy_Logic_SPEC write read zero_cnt wr_mem rdy =
      !t:time .
        (rdy t = (write t) /\ (zero_cnt t) \/ (read t) /\ (zero_cnt t) /\ ~(wr_mem t))"
);;

% Wait state counter logic. %

let Ctr_Logic_SPEC = new_definition
  ('Ctr_Logic_SPEC',
   "! clkA clkB in dn ld M_count M_countA zero_cnt .
    Ctr_Logic_SPEC clkA clkB in dn ld M_count M_countA zero_cnt =
      !t:time .
      ((clkA t) ==>
        ((M_count (t+1) = M_count t) /\
         (M_countA (t+1) = M_count t))) /\
      ((clkB t) ==>
        ((M_count (t+1) = (ld t) => ((in t) => (WORDN 1) | (WORDN 2)) |
                          (dn t) => (DECN 1 (M_countA t)) | (M_countA t)) /\
         (M_countA (t+1) = M_countA t))) /\
      (zero_cnt t = (M_countA (t+1) = ((dn t) => (WORDN 1) | (WORDN 0))))"
);;

% Memory control signal logic. %

let Enable_Logic_SPEC = new_definition
  ('Enable_Logic_SPEC',
   "! cs_eeprom_ rd_mem address read write byte_write wwdel disable_eeprom disable_writes
      oe_ edac_le we_ mb_wr_en_ .
    Enable_Logic_SPEC cs_eeprom_ rd_mem address read write byte_write wwdel disable_eeprom
                      disable_writes oe_ edac_le we_ mb_wr_en_ =
      !t:time .
        (oe_ t = ~((rd_mem t) /\ (address t) \/ (read t))) /\
        (we_ t = (cs_eeprom_ t) /\ (disable_eeprom t) \/
                 (disable_writes t) \/
                 ~((write t) \/ (byte_write t) \/ (wwdel t))) /\
        (edac_le t = read t) /\
        (mb_wr_en_ t = ~(write t))"
);;

% Generation logic for I_srdy_. %

let Srdy_Logic_SPEC = new_definition
  ('Srdy_Logic_SPEC',
   "! wr rdy rdy_outQ srdy_ .
    Srdy_Logic_SPEC wr rdy rdy_outQ srdy_ =
      !t:time .
        srdy_ t = ((rdy_outQ t) /\ (wr t) \/ (rdy t) /\ (wr t))"
);;

% Memory decode logic. %

let EDAC_Decode_Logic_SPEC = new_definition
  ('EDAC_Decode_Logic_SPEC',
   "! (rep:^rep_ty) (mb_data_in:time->wordn) edac_en data_out detect_out .
    EDAC_Decode_Logic_SPEC rep mb_data_in edac_en data_out detect_out =
      !t:time .
        (data_out t = (edac_en t) => (Ham_Dec rep (mb_data_in t)) | (mb_data_in t)) /\
        (detect_out t = (edac_en t) => (Ham_Det1 rep (mb_data_in t)) | (WORDN 0))"
);;

% Memory read latches. %

let Read_Latches_SPEC = new_definition
  ('Read_Latches_SPEC',
   "! (rep:^rep_ty) clkA clkB (data_inD:time->wordn) edac_en edac_le detect_inD detect_inE
      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ .
    Read_Latches_SPEC rep clkA clkB data_inD edac_en edac_le detect_inD detect_inE
                      M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ =
      !t:time .
      ((clkA t) ==>
        ((M_rd_data (t+1) = M_rd_data t) /\
         (M_rd_dataA (t+1) = M_rd_data t) /\
         (M_detect (t+1) = (detect_inE t) => (detect_inD t) | (M_detect t)))) /\
      ((clkB t) ==>
        ((M_rd_data (t+1) = (edac_le t) => (data_inD t) | (M_rd_data t)) /\
         (M_rd_dataA (t+1) = M_rd_data t) /\
         (M_detect (t+1) = M_detect t))) /\
      ((m_data_outQ t = M_rd_dataA (t+1)) /\
       (m_detect_outQ t = Ham_Det2 rep ((M_detect (t+1)), (edac_en t))))"
);;

% Enable input logic for EDAC correction reporting. %

let Detect_Enable_Logic_SPEC = new_definition
  ('Detect_Enable_Logic_SPEC',
   "! edac_en edac_rd detect_inE .
    Detect_Enable_Logic_SPEC edac_en edac_rd detect_inE =
      !t:time .
        (detect_inE t = (edac_en t) /\ (edac_rd t) \/ ~(edac_rd t))"
);;

% Memory write data multiplexer. %

let Mux_Out_Logic_SPEC = new_definition
  ('Mux_Out_Logic_SPEC',
   "! (m_data_outQ:time->wordn) i_ad be mb_data_out .
    Mux_Out_Logic_SPEC m_data_outQ i_ad be mb_data_out =
      !t:time .
        let od1 = (MALTER (mb_data_out t) (7,0)
                    ((ELEMENT (be t) (0)) => (SUBARRAY (i_ad t) (7,0)) |
                                             (SUBARRAY (m_data_outQ t) (7,0)))) in
        (let od2 = (MALTER od1 (15,8)
                    ((ELEMENT (be t) (1)) => (SUBARRAY (i_ad t) (15,8)) |
                                             (SUBARRAY (m_data_outQ t) (15,8)))) in
        (let od3 = (MALTER od2 (23,16)
                    ((ELEMENT (be t) (2)) => (SUBARRAY (i_ad t) (23,16)) |
                                             (SUBARRAY (m_data_outQ t) (23,16)))) in
        (let od4 = (MALTER od3 (31,24)
                    ((ELEMENT (be t) (3)) => (SUBARRAY (i_ad t) (31,24)) |
                                             (SUBARRAY (m_data_outQ t) (31,24)))) in
        (mb_data_out t = od4))))"
);;

% Data encoding logic. %

let Enc_Out_Logic_SPEC = new_definition
  ('Enc_Out_Logic_SPEC',
   "! (rep:^rep_ty) (mb_data_out:time->wordn) mb_edata_out .
    Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out =
      !t:time .
        (mb_edata_out t = Ham_Enc rep (mb_data_out t))"
);;

% Input logic for M_parity latch. %

let Memparity_In_Logic_SPEC = new_definition
  ('Memparity_In_Logic_SPEC',
   "! srdy mem_enable detect_outQ rst reset_parity memparity_inS memparity_inR memparity_inE .
    Memparity_In_Logic_SPEC srdy mem_enable detect_outQ rst reset_parity
                            memparity_inS memparity_inR memparity_inE =
      !t:time .
        (memparity_inS t = (srdy t) /\ (mem_enable t) /\ (detect_outQ t)) /\
        (memparity_inR t = (rst t) \/ (reset_parity t)) /\
        (memparity_inE t = (memparity_inS t) \/ (memparity_inR t))"
);;

% M-Port controller state machine. %

let FSM_SPEC = new_definition
  ('FSM_SPEC',
   "! clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
      state male_ rd bw ww last_ mrdy_ zero_cnt rst
      stateA address read write byte_write mem_enable
      address_out read_out write_out byte_write_out mem_enable_out .
    FSM_SPEC clkA clkB male_in_ rd_in bw_in ww_in last_in_ mrdy_in_ zero_cnt_in rst_in
             state male_ rd bw ww last_ mrdy_ zero_cnt rst
             stateA address read write byte_write mem_enable
             address_out read_out write_out byte_write_out mem_enable_out =
      !t:time .
      ((clkA t) ==>
        ((state (t+1) = state t) /\
         (male_ (t+1) = male_ t) /\
         (rd (t+1) = rd t) /\
         (bw (t+1) = bw t) /\
         (ww (t+1) = ww t) /\
         (last_ (t+1) = last_ t) /\
         (mrdy_ (t+1) = mrdy_ t) /\
         (zero_cnt (t+1) = zero_cnt t) /\
         (rst (t+1) = rst t) /\
         (stateA (t+1) =
           ((rst t) => MI |
            (state t = MI) => ((~(male_ t)) => MA | MI) |
            (state t = MA) => ((~(mrdy_ t) /\ (ww t)) => MW |
                               (~(mrdy_ t) /\ ((rd t) \/ (bw t))) => MR | MA) |
            (state t = MR) => (((bw t) /\ (zero_cnt t)) => MBW |
                               ((last_ t) /\ (rd t) /\ (zero_cnt t)) => MA |
                               (~(last_ t) /\ (rd t) /\ (zero_cnt t)) => MRR | MR) |
            (state t = MRR) => MI |
            (state t = MW) => (((zero_cnt t) /\ ~(last_ t)) => MI |
                               ((zero_cnt t) /\ (last_ t)) => MA | MW) |
            MW)) /\
         (address (t+1) = (stateA (t+1) = MA)) /\
         (read (t+1) = (stateA (t+1) = MR)) /\
         (write (t+1) = (stateA (t+1) = MW)) /\
         (byte_write (t+1) = (stateA (t+1) = MBW)) /\
         (mem_enable (t+1) = ~(stateA (t+1) = MI)))) /\
      ((clkB t) ==>
        ((state (t+1) = stateA t) /\
         (male_ (t+1) = male_in_ t) /\
         (rd (t+1) = rd_in t) /\
         (bw (t+1) = bw_in t) /\
         (ww (t+1) = ww_in t) /\
         (last_ (t+1) = last_in_ t) /\
         (mrdy_ (t+1) = mrdy_in_ t) /\
         (zero_cnt (t+1) = zero_cnt_in t) /\
         (rst (t+1) = rst_in t) /\
         (stateA (t+1) = stateA t) /\
         (address (t+1) = address t) /\
         (read (t+1) = read t) /\
         (write (t+1) = write t) /\
         (byte_write (t+1) = byte_write t) /\
         (mem_enable (t+1) = mem_enable t))) /\
      ((address_out t = address (t+1)) /\
       (read_out t = read (t+1)) /\
       (write_out t = write (t+1)) /\
       (byte_write_out t = byte_write (t+1)) /\
       (mem_enable_out t = mem_enable (t+1)))"
);;

% M-Port Block. %

let M_Block_SPEC = new_definition
  ('M_Block_SPEC',
   "!
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :(time->bool))
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :(time->wordn))
      (M_fsm_stateA M_fsm_state :(time->mfsm_ty))
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_
       Reset_parity :(time->bool))
      (I_ad_in I_be_ MB_data_in :(time->wordn))
      (I_srdy_ MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ MB_parity :(time->bool))
      (I_ad_out MB_addr MB_data_out :(time->wordn))
      (rep:^rep_ty) .
    M_Block_SPEC
      (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
       M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw,
       M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be,
       M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
      (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_,
       I_mrdy_, MB_data_in, Edac_en_, Reset_parity)
      (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
       MB_parity)
      rep =
      ? male address read write byte_write mem_enable wr rd_mem wr_mem rdy_outQ srdy be ww bw
        zero_cnt rdy count_inDN count_inLD wwdel_inD wwdel_outQ edac_le rdy_outQ srdy_ edac_en
        data_out detect_out data_inD detect_inD detect_inE m_data_outQ m_detect_outQ
        mb_data_out mb_edata_out mb_wr_en_ mb_wr_en memparity_inS memparity_inR memparity_inE .
      (NOT_SPEC I_male_ male) /\
      (SE_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_se MB_cs_eeprom_ MB_cs_sram_) /\
      (WR_Logic_SPEC ClkA ClkB I_ad_in male mem_enable M_wr wr rd_mem wr_mem) /\
      (Addr_Ctr_SPEC ClkA ClkB I_ad_in male rdy_outQ M_addr M_addrA MB_addr) /\
      (BE_Logic_SPEC ClkA ClkB I_be_ male srdy wr_mem M_be M_beA be ww bw) /\
      (Rdy_Logic_SPEC write read zero_cnt wr_mem rdy) /\
      (Ctr_Logic_SPEC ClkA ClkB MB_cs_eeprom_ count_inDN count_inLD M_count M_countA zero_cnt) /\
      (OR2_SPEC write read count_inDN) /\
      (OR2_SPEC address byte_write count_inLD) /\
      (AND2_SPEC ww address wwdel_inD) /\
      (DLAT_SPEC wwdel_inD ClkB M_wwdel wwdel_outQ) /\
      (Enable_Logic_SPEC MB_cs_eeprom_ rd_mem address read write byte_write wwdel_outQ
                         Disable_eeprom Disable_writes MB_oe_ edac_le MB_we_ mb_wr_en_) /\
      (DFF_SPEC rdy ClkA M_rdy M_rdyA rdy_outQ) /\
      (Srdy_Logic_SPEC wr rdy rdy_outQ srdy_) /\
      (TRIBUF_SPEC srdy_ mem_enable I_srdy_) /\
      (NOT_SPEC srdy_ srdy) /\
      (NOT_SPEC Edac_en_ edac_en) /\
      (EDAC_Decode_Logic_SPEC rep MB_data_in edac_en data_out detect_out) /\
      (Read_Latches_SPEC rep ClkA ClkB data_inD edac_en edac_le detect_inD detect_inE
                         M_rd_data M_rd_dataA M_detect m_data_outQ m_detect_outQ) /\
      (TRIBUF_SPEC m_data_outQ rd_mem I_ad_out) /\
      (Detect_Enable_Logic_SPEC edac_en rd_mem detect_inE) /\
      (Mux_Out_Logic_SPEC m_data_outQ I_ad_in be mb_data_out) /\
      (Enc_Out_Logic_SPEC rep mb_data_out mb_edata_out) /\
      (NOT_SPEC mb_wr_en_ mb_wr_en) /\
      (TRIBUF_SPEC mb_edata_out mb_wr_en MB_data_out) /\
      (Memparity_In_Logic_SPEC srdy mem_enable m_detect_outQ Rst Reset_parity
                               memparity_inS memparity_inR memparity_inE) /\
      (DSRELAT_SPEC GND memparity_inS memparity_inR memparity_inE ClkB M_parity MB_parity) /\
      (FSM_SPEC ClkA ClkB I_male_ rd_mem bw ww I_last_ I_mrdy_ zero_cnt Rst
                M_fsm_state M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_
                M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst M_fsm_stateA M_fsm_address M_fsm_read
                M_fsm_write M_fsm_byte_write M_fsm_mem_enable
                address read write byte_write mem_enable)"
);;

close_theory();;
```

## **B.3 R Port Specification**

```
%-----
  File:    r_block.ml
  Author:  (c) D.A. Fura 1992
  Date:    31 March 1992

  This file contains the ml source for the gate-level specification of the
  R-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
-----%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm r_block.th';;

new_theory 'r_block';;

map loadf ['abstract';'buses_def'];;

map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'datapaths_def';'raux_def';
                'aux_def'; 'array_def';'wordn_def'];;

bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#wordn#wordn#bool#bool#
wordn#bool#wordn#wordn#wordn#
bool#bool#wordn#wordn#bool#wordn#bool#bool#wordn#wordn#bool#wordn#
bool#bool#wordn#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
wordn#wordn#wordn#bool#wordn#bool#wordn#bool)";;

let r_state = "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en,
                 R_int3_disA, R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA,
                 R_cntlatch_delA, R_srdy_delA_, R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin,
                 R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin, R_ctr1_outA, R_ctr2, R_ctr2_ce,
                 R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin, R_ctr3_outA, R_icr_loadA,
                 R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_, R_fsm_mrdy_,
                 R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
                 R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel,
                 R_ctr0_in, R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out,
                 R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new,
                 R_ctr1_out, R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry,
                 R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel, R_ctr3_irden,
                 R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load, R_icr_old,
                 R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
                 R_sr_rden)
                :^r_state_ty)";;

wordn#wordn#wordn#bool#wordn)";;

let r_env = "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int,
               Disable_writes, Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID,
               CB_parity, MB_parity, C_ss)
              :^r_env_ty)";;

let r_out_ty = ":(wordn#bool#bool#bool#bool#bool#wordn#wordn#bool#bool)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;

% R-Port controller state machine. %

let FSM_SPEC = new_definition
  ('FSM_SPEC',
   "! (ClkA:time->bool) ClkB ale_in_ mrdy_in_ last_in_ rst_in ale_ mrdy_ last_ rst
      state cntlatch srdy_ (stateA:time->rfsm_ty) s0_out s1_out cntlatch_out srdy_out_ .
    FSM_SPEC ClkA ClkB ale_in_ mrdy_in_ last_in_ rst_in ale_ mrdy_ last_ rst
             state cntlatch srdy_ stateA s0_out s1_out cntlatch_out srdy_out_ =
      !t:time .
      ((ClkA t) ==>
        ((stateA (t+1) =
           ((rst t) => RI |
            ((state t) = RI) => ((~ale_ t) => RA | RI) |
            ((state t) = RA) => ((~mrdy_ t) => RD | RA) |
            ((~last_ t) => RI | RA))) /\
         (cntlatch (t+1) = ((state t = RI) /\ ~ale_ t)) /\
         (srdy_ (t+1) = ~((state t = RA) /\ ~mrdy_ t)) /\
         (state (t+1) = state t) /\
         (ale_ (t+1) = ale_ t) /\
         (mrdy_ (t+1) = mrdy_ t) /\
         (last_ (t+1) = last_ t) /\
         (rst (t+1) = rst t))) /\
      ((ClkB t) ==>
        ((stateA (t+1) = stateA t) /\
         (cntlatch (t+1) = cntlatch t) /\
         (srdy_ (t+1) = srdy_ t) /\
         (state (t+1) = stateA t) /\
         (ale_ (t+1) = ale_in_ t) /\
         (mrdy_ (t+1) = mrdy_in_ t) /\
         (last_ (t+1) = last_in_ t) /\
         (rst (t+1) = rst_in t))) /\
      ((s0_out (t+1) = (stateA (t+1) = RD)) /\
       (s1_out (t+1) = ((stateA (t+1) = RA) \/ (stateA (t+1) = RD))) /\
       (cntlatch_out t = cntlatch (t+1)) /\
       (srdy_out_ t = srdy_ (t+1)))"
);;

% R_wr latch definition. %

let Wr_Lat_SPEC = new_definition
  ('Wr_Lat_SPEC',
   "! clkB (iad_in:time->wordn) wr_inE r_wr wr_outQ .
    Wr_Lat_SPEC clkB iad_in wr_inE r_wr wr_outQ =
      !t:time .
      ((~(clkB t)) ==> (r_wr (t+1) = r_wr t)) /\
      ((clkB t) ==> (r_wr (t+1) = (wr_inE t) => (ELEMENT (iad_in t) (27)) | r_wr t)) /\
      (wr_outQ t = r_wr (t+1))"
);;

% Generation logic for control signals dp_read, r_write, r_read, icr_rd_en, srdy_en. %

let RW_Sigs_SPEC = new_definition
  ('RW_Sigs_SPEC',
   "! r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en .
    RW_Sigs_SPEC r_wr s0 s1 disable_writes dp_read r_write r_read icr_rd_en srdy_en =
      (!t:time.
        (dp_read t = (~r_wr t) /\ ((s0 t) \/ (s1 t))) /\
        (r_write t = (~disable_writes t) /\ (r_wr t) /\ (s0 t) /\ (s1 t)) /\
        (r_read t = (~r_wr t) /\ (~s0 t) /\ (s1 t)) /\
        (icr_rd_en t = (~s0 t) /\ (s1 t)) /\
        (srdy_en t = (s0 t) \/ (s1 t)))"
);;

% R_reg_sel counter and logic. %

let Reg_Sel_Ctr_SPEC = new_definition
  ('Reg_Sel_Ctr_SPEC',
   "! clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ .
    Reg_Sel_Ctr_SPEC clkA iad_in inL inU_ r_reg_sel r_reg_selA outQ =
      !t:time .
      ((clkA t) ==>
        ((r_reg_sel (t+1) = r_reg_sel t) /\
         (r_reg_selA (t+1) = r_reg_sel t))) /\
      ((~(clkA t)) ==>
        ((r_reg_sel (t+1) = (inL t) => SUBARRAY (iad_in t) (3,0) |
                            (~inU_ t) => INCN 3 (r_reg_selA t) | r_reg_selA t) /\
         (r_reg_selA (t+1) = r_reg_selA t))) /\
      (outQ t = (~inU_ t) => INCN 3 (r_reg_selA (t+1)) | r_reg_selA (t+1))"
);;

% Generation logic for register file control signals. %

let Reg_File_Ctl_SPEC = new_definition
  ('Reg_File_Ctl_SPEC',
   "! (reg_sel:time->wordn) write read icr_rd_en
      cir_wr01 cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd c2ir_wr c2ir_rd c2or_rd
      c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd ccr_wr ccr_rd gcr_wr gcr_rd sr_rd .
    Reg_File_Ctl_SPEC reg_sel write read icr_rd_en
      cir_wr01 cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd c2ir_wr c2ir_rd c2or_rd
      c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd ccr_wr ccr_rd gcr_wr gcr_rd sr_rd =
      (!t:time.
        (cir_wr01 t = (write t) /\ (((reg_sel t) = WORDN 8) \/ ((reg_sel t) = WORDN 9))) /\
        (cir_wr23 t = (write t) /\ (((reg_sel t) = WORDN 10) \/ ((reg_sel t) = WORDN 11))) /\
        (c0ir_wr t = (write t) /\ ((reg_sel t) = WORDN 8)) /\
        (c0ir_rd t = (read t) /\ ((reg_sel t) = WORDN 8)) /\
        (c0or_rd t = (read t) /\ ((reg_sel t) = WORDN 12)) /\
        (c1ir_wr t = (write t) /\ ((reg_sel t) = WORDN 9)) /\
        (c1ir_rd t = (read t) /\ ((reg_sel t) = WORDN 9)) /\
        (c1or_rd t = (read t) /\ ((reg_sel t) = WORDN 13)) /\
        (c2ir_wr t = (write t) /\ ((reg_sel t) = WORDN 10)) /\
        (c2ir_rd t = (read t) /\ ((reg_sel t) = WORDN 10)) /\
        (c2or_rd t = (read t) /\ ((reg_sel t) = WORDN 14)) /\
        (c3ir_wr t = (write t) /\ ((reg_sel t) = WORDN 11)) /\
        (c3ir_rd t = (read t) /\ ((reg_sel t) = WORDN 11)) /\
        (c3or_rd t = (read t) /\ ((reg_sel t) = WORDN 15)) /\
        (icr_wr_feedback t = (write t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
        (icr_select t = ~((reg_sel t) = WORDN 1)) /\
        (icr_rd t = (icr_rd_en t) /\ (((reg_sel t) = WORDN 0) \/ ((reg_sel t) = WORDN 1))) /\
        (ccr_wr t = (write t) /\ ((reg_sel t) = WORDN 3)) /\
        (ccr_rd t = (read t) /\ ((reg_sel t) = WORDN 3)) /\
        (gcr_wr t = (write t) /\ ((reg_sel t) = WORDN 2)) /\
        (gcr_rd t = (read t) /\ ((reg_sel t) = WORDN 2)) /\
        (sr_rd t = (read t) /\ ((reg_sel t) = WORDN 4)))"
);;

% Input logic for R_int1_en, R_int2_en latches. %

let Ctr_Int_Logic_SPEC = new_definition
  ('Ctr_Int_Logic_SPEC',
   "! one_shot interrupt reload cout cout_del cir_wr int_en_inR int_en_inS int_en_inE c_ld .
    Ctr_Int_Logic_SPEC one_shot interrupt reload cout cout_del cir_wr
                       int_en_inR int_en_inS int_en_inE c_ld =
      (!t:time.
      (int_en_inR t = (one_shot t) ∧ (cout_del t) ∨ (~interrupt t)) ∧
      (int_en_inS t = (interrupt t) ∧ ((cout t) ∧ (reload t) ∨ (cir_wr t))) ∧
      (int_en_inE t = (one_shot t) ∧ (cout_del t) ∨ (~interrupt t) ∨
                      (interrupt t) ∧ ((cout t) ∧ (reload t) ∨ (cir_wr t))) ∧
      (c_ld t = (cout t) ∧ (reload t) ∨ (cir_wr t)))"
  );;

%------------------------------------------------------------------------------
  Input logic for R_int0_en, R_int3_en latches.
------------------------------------------------------------------------------%
let And_Tree_SPEC = new_definition
  ('And_Tree_SPEC',
   "! icr out0 out3 .
    And_Tree_SPEC icr out0 out3 =
      !t:time .
      (out0 t = (ELEMENT (icr t) (0)) ∧ (ELEMENT (icr t) (8)) ∨
                (ELEMENT (icr t) (1)) ∧ (ELEMENT (icr t) (9)) ∨
                (ELEMENT (icr t) (2)) ∧ (ELEMENT (icr t) (10)) ∨
                (ELEMENT (icr t) (3)) ∧ (ELEMENT (icr t) (11)) ∨
                (ELEMENT (icr t) (4)) ∧ (ELEMENT (icr t) (12)) ∨
                (ELEMENT (icr t) (5)) ∧ (ELEMENT (icr t) (13)) ∨
                (ELEMENT (icr t) (6)) ∧ (ELEMENT (icr t) (14)) ∨
                (ELEMENT (icr t) (7)) ∧ (ELEMENT (icr t) (15))) ∧
      (out3 t = (ELEMENT (icr t) (16)) ∧ (ELEMENT (icr t) (24)) ∨
                (ELEMENT (icr t) (17)) ∧ (ELEMENT (icr t) (25)) ∨
                (ELEMENT (icr t) (18)) ∧ (ELEMENT (icr t) (26)) ∨
                (ELEMENT (icr t) (19)) ∧ (ELEMENT (icr t) (27)) ∨
                (ELEMENT (icr t) (20)) ∧ (ELEMENT (icr t) (28)) ∨
                (ELEMENT (icr t) (21)) ∧ (ELEMENT (icr t) (29)) ∨
                (ELEMENT (icr t) (22)) ∧ (ELEMENT (icr t) (30)) ∨
                (ELEMENT (icr t) (23)) ∧ (ELEMENT (icr t) (31)))"
  );;

%------------------------------------------------------------------------------
  Generation logic for Int0_, Int3_ signals.
------------------------------------------------------------------------------%
let Reg_Int_Logic_SPEC = new_definition
  ('Reg_Int_Logic_SPEC',
   "! int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ .
    Reg_Int_Logic_SPEC int0_en int0_dis int3_en int3_dis disable_int int0_ int3_ =
      !t:time .
      (int0_ t = ~((int0_en t) ∧ (~int0_dis t) ∧ (~disable_int t))) ∧
      (int3_ t = ~((int3_en t) ∧ (~int3_dis t) ∧ (~disable_int t)))"
  );;

%------------------------------------------------------------------------------
  Virtual logic to package several R-Port inputs into single SR input word.
------------------------------------------------------------------------------%
let SR_Inputs_SPEC = new_definition
  ('SR_Inputs_SPEC',
   "!
      cpu_fail reset_cpu piu_fail pmm_fail s_state id channelID cb_parity c_ss mb_parity
      (sr_inp:time->wordn) .
    SR_Inputs_SPEC cpu_fail reset_cpu piu_fail pmm_fail s_state id channelID cb_parity c_ss
                   mb_parity sr_inp =
      !t:time .
      let a1 = (MALTER ARBN (1,0) (cpu_fail t)) in
      let a3 = (MALTER a1 (3,2) (reset_cpu t)) in
      let a5 = (ALTER a3 (8) (piu_fail t)) in
      let a6 = (ALTER a5 (9) (pmm_fail t)) in
      let a7 = (MALTER a6 (15,12) (s_state t)) in
      let a8 = (MALTER a7 (21,16) (id t)) in
      let a9 = (MALTER a8 (23,22) (channelID t)) in
      let a10 = (ALTER a9 (24) (cb_parity t)) in
      let a11 = (MALTER a10 (27,25) (c_ss t)) in
      let a12 = (ALTER a11 (28) (mb_parity t)) in
      (sr_inp t = a12)"
  );;

%------------------------------------------------------------------------------
  Virtual logic to distribute single GCR output word as several pieces.
------------------------------------------------------------------------------%
let GCR_Outputs_SPEC = new_definition
  ('GCR_Outputs_SPEC',
   "! (gcr_out:time->wordn) led reload01 oneshot01 interrupt01 enable01 reload23 oneshot23
      interrupt23 enable23 reset_error pmm_invalid .
    GCR_Outputs_SPEC gcr_out led reload01 oneshot01 interrupt01 enable01 reload23 oneshot23
                     interrupt23 enable23 reset_error pmm_invalid =
      !t:time .
      (led t = SUBARRAY (gcr_out t) (3,0)) ∧
      (reload01 t = ELEMENT (gcr_out t) (16)) ∧
      (oneshot01 t = ELEMENT (gcr_out t) (17)) ∧
      (interrupt01 t = ELEMENT (gcr_out t) (18)) ∧
      (enable01 t = ELEMENT (gcr_out t) (19)) ∧
      (reload23 t = ELEMENT (gcr_out t) (20)) ∧
      (oneshot23 t = ELEMENT (gcr_out t) (21)) ∧
      (interrupt23 t = ELEMENT (gcr_out t) (22)) ∧
      (enable23 t = ELEMENT (gcr_out t) (23)) ∧
      (reset_error t = ELEMENT (gcr_out t) (24)) ∧
      (pmm_invalid t = ELEMENT (gcr_out t) (28))"
  );;

%------------------------------------------------------------------------------
  Virtual logic to generate the 12 tristate driver enables for datapath Bus A.
------------------------------------------------------------------------------%
let Bus_Enab_SPEC = new_definition
  ('Bus_Enab_SPEC',
   "!
      clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden r_ctr2_orden
      r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
      busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2 busA_c3_en1
      busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en .
    Bus_Enab_SPEC clkA r_ctr0_irden r_ctr0_orden r_ctr1_irden r_ctr1_orden r_ctr2_irden
                  r_ctr2_orden r_ctr3_irden r_ctr3_orden r_icr_rden r_ccr_rden r_gcr_rden r_sr_rden
                  busA_c0_en1 busA_c0_en2 busA_c1_en1 busA_c1_en2 busA_c2_en1 busA_c2_en2
                  busA_c3_en1 busA_c3_en2 busA_icr_en busA_ccr_en busA_gcr_en busA_sr_en =
      !t:time .
      (busA_c0_en1 t = (clkA t) ∧ (r_ctr0_irden t)) ∧
      (busA_c0_en2 t = (clkA t) ∧ (r_ctr0_orden t)) ∧
      (busA_c1_en1 t = (clkA t) ∧ (r_ctr1_irden t)) ∧
      (busA_c1_en2 t = (clkA t) ∧ (r_ctr1_orden t)) ∧
      (busA_c2_en1 t = (clkA t) ∧ (r_ctr2_irden t)) ∧
      (busA_c2_en2 t = (clkA t) ∧ (r_ctr2_orden t)) ∧
      (busA_c3_en1 t = (clkA t) ∧ (r_ctr3_irden t)) ∧
      (busA_c3_en2 t = (clkA t) ∧ (r_ctr3_orden t)) ∧
      (busA_icr_en t = (clkA t) ∧ (r_icr_rden t)) ∧
      (busA_ccr_en t = (clkA t) ∧ (r_ccr_rden t)) ∧
      (busA_gcr_en t = (clkA t) ∧ (r_gcr_rden t)) ∧
      (busA_sr_en t = (clkA t) ∧ (r_sr_rden t))"
  );;

%------------------------------------------------------------------------------
  R-Port block.
------------------------------------------------------------------------------%
let R_Block_SPEC = new_definition
  ('R_Block_SPEC',
   "!
      (rep:^rep_ty)
      (R_fsm_stateA R_fsm_state :time->rfsm_ty)
      (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
       R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in
       R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out
       R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr :time->wordn)
      (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
       R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce
       R_ctr0_cin R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
       R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
       R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
       R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden
       R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden
       R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :time->bool)
      (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :time->wordn)
      (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
       CB_parity MB_parity :time->bool)
      (I_ad_out Ccr Led :time->wordn)
      (I_srdy_ Int0_ Int1 Int2 Int3_ Reset_error Pmm_invalid :time->bool) .
    R_Block_SPEC rep
      (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
       R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
       R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
       R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
       R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch,
       R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis,
       R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_,
       R_reg_sel, R_ctr0_in, R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out,
       R_ctr0_orden, R_ctr1_in, R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out,
       R_ctr1_orden, R_ctr2_in, R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out,
       R_ctr2_orden, R_ctr3_in, R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out,
       R_ctr3_orden, R_icr_load, R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden,
       R_gcr, R_gcr_rden, R_sr, R_sr_rden)
      (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
       Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
      (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid) =
      ? fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_ srdy_en wr_inE wr_outQ
        dp_read r_write r_read icr_rd_en c13or_ld srdy_del_outQ_ reg_sel
        icr_rd_en r_cir_wr01 r_cir_wr23 c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
        c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd icr_wr_feedback icr_select icr_rd
        ccr_wr ccr_rd gcr_wr gcr_rd sr_rd icr_ld
        c01_cout c01_cout_outQ c01_cout_delA_outQ c23_cout c23_cout_outQ c23_cout_delA_outQ
        oneshot01 interrupt01 reload01 int1_en_inR int1_en_inS int1_en_inE int1_en_outQ c01_ld
        oneshot23 interrupt23 reload23 int2_en_inR int2_en_inS int2_en_inE int2_en_outQ c23_ld
        enable01 enable23 c0_cout c2_cout ccr_out gcr_out sr_inp disable_int_
        int0_en_inD int0_en_outQ int0_dis_outQ int3_en_inD int3_en_outQ int3_dis_outQ
        icr_out BusA BusB_in busA_latch_out
        (BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1 BusA_c2_out2
         BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out BusA_gcr_out BusA_sr_out :time->wordn)
        (BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1 BusA_c2_en2
         BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en BusA_sr_en :time->bool) .
      (FSM_SPEC ClkA ClkB I_rale_ I_mrdy_ I_last_ Rst R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
                R_fsm_state R_fsm_cntlatch R_fsm_srdy_ R_fsm_stateA
                fsm_s0 fsm_s1 fsm_cntlatch fsm_srdy_) ∧
      (TRIBUF_SPEC fsm_srdy_ srdy_en I_srdy_) ∧
      (NOT_SPEC I_rale_ wr_inE) ∧
      (Wr_Lat_SPEC ClkB I_ad_in wr_inE R_wr wr_outQ) ∧
      (RW_Sigs_SPEC wr_outQ fsm_s0 fsm_s1 Disable_writes dp_read r_write r_read icr_rd_en srdy_en) ∧
      (DFF_SPEC fsm_cntlatch ClkA R_cntlatch_del R_cntlatch_delA c13or_ld) ∧
      (DFF_SPEC fsm_srdy_ ClkA R_srdy_del_ R_srdy_delA_ srdy_del_outQ_) ∧
      (Reg_Sel_Ctr_SPEC ClkA I_ad_in wr_inE srdy_del_outQ_ R_reg_sel R_reg_selA reg_sel) ∧
      (Reg_File_Ctl_SPEC reg_sel r_write r_read icr_rd_en r_cir_wr01 r_cir_wr23
                         c0ir_wr c0ir_rd c0or_rd c1ir_wr c1ir_rd c1or_rd
                         c2ir_wr c2ir_rd c2or_rd c3ir_wr c3ir_rd c3or_rd
                         icr_wr_feedback icr_select icr_rd ccr_wr ccr_rd gcr_wr gcr_rd sr_rd) ∧
      (DFF_SPEC icr_wr_feedback ClkA R_icr_load R_icr_loadA icr_ld) ∧
      (DLAT_SPEC c01_cout ClkA R_c01_cout c01_cout_outQ) ∧
      (DLAT_SPEC c23_cout ClkA R_c23_cout c23_cout_outQ) ∧
      (DFF_SPEC c01_cout_outQ ClkA R_c01_cout_del R_c01_cout_delA c01_cout_delA_outQ) ∧
      (DFF_SPEC c23_cout_outQ ClkA R_c23_cout_del R_c23_cout_delA c23_cout_delA_outQ) ∧
      (Ctr_Int_Logic_SPEC oneshot01 interrupt01 reload01 c01_cout_outQ c01_cout_delA_outQ
                          r_cir_wr01 int1_en_inR int1_en_inS int1_en_inE c01_ld) ∧
      (Ctr_Int_Logic_SPEC oneshot23 interrupt23 reload23 c23_cout_outQ c23_cout_delA_outQ
                          r_cir_wr23 int2_en_inR int2_en_inS int2_en_inE c23_ld) ∧
      (DSRELAT_SPEC GND int1_en_inS int1_en_inR int1_en_inE ClkB R_int1_en int1_en_outQ) ∧
      (DSRELAT_SPEC GND int2_en_inS int2_en_inR int2_en_inE ClkB R_int2_en int2_en_outQ) ∧
      (NOT_SPEC Disable_int disable_int_) ∧
      (AND3_SPEC c01_cout_outQ int1_en_outQ disable_int_ Int1) ∧
      (AND3_SPEC c23_cout_outQ int2_en_outQ disable_int_ Int2) ∧
      (And_Tree_SPEC icr_out int0_en_inD int3_en_inD) ∧
      (DLAT_SPEC int0_en_inD ClkA R_int0_en int0_en_outQ) ∧
      (DLAT_SPEC int3_en_inD ClkA R_int3_en int3_en_outQ) ∧
      (DFF_SPEC int0_en_outQ ClkA R_int0_dis R_int0_disA int0_dis_outQ) ∧
      (DFF_SPEC int3_en_outQ ClkA R_int3_dis R_int3_disA int3_dis_outQ) ∧
      (Reg_Int_Logic_SPEC int0_en_outQ int0_dis_outQ int3_en_outQ int3_dis_outQ Disable_int
                          Int0_ Int3_) ∧
      (DLATn_SPEC BusA ClkA R_busA_latch busA_latch_out) ∧
      (TRIBUF_SPEC busA_latch_out dp_read I_ad_out) ∧
      (BUF_SPEC I_ad_in BusB_in) ∧
      (DP_CTR_SPEC ClkA ClkB BusB_in c0ir_wr c01_ld c0ir_rd enable01 VDD fsm_cntlatch c0or_rd
                   R_ctr0_in R_ctr0_mux_sel R_ctr0_irden R_ctr0 R_ctr0_ce R_ctr0_cin R_ctr0_cry
                   R_ctr0_new R_ctr0_outA R_ctr0_out R_ctr0_orden
                   BusA_c0_out1 BusA_c0_out2 c0_cout) ∧
      (DP_CTR_SPEC ClkA ClkB BusB_in c1ir_wr c01_ld c1ir_rd VDD c0_cout c13or_ld c1or_rd
                   R_ctr1_in R_ctr1_mux_sel R_ctr1_irden R_ctr1 R_ctr1_ce R_ctr1_cin R_ctr1_cry
                   R_ctr1_new R_ctr1_outA R_ctr1_out R_ctr1_orden
                   BusA_c1_out1 BusA_c1_out2 c01_cout) ∧
      (DP_CTR_SPEC ClkA ClkB BusB_in c2ir_wr c23_ld c2ir_rd enable23 VDD fsm_cntlatch c2or_rd
                   R_ctr2_in R_ctr2_mux_sel R_ctr2_irden R_ctr2 R_ctr2_ce R_ctr2_cin R_ctr2_cry
                   R_ctr2_new R_ctr2_outA R_ctr2_out R_ctr2_orden
                   BusA_c2_out1 BusA_c2_out2 c2_cout) ∧
      (DP_CTR_SPEC ClkA ClkB BusB_in c3ir_wr c23_ld c3ir_rd VDD c2_cout c13or_ld c3or_rd
                   R_ctr3_in R_ctr3_mux_sel R_ctr3_irden R_ctr3 R_ctr3_ce R_ctr3_cin R_ctr3_cry
                   R_ctr3_new R_ctr3_outA R_ctr3_out R_ctr3_orden
                   BusA_c3_out1 BusA_c3_out2 c23_cout) ∧
      (DP_ICR_SPEC rep ClkA ClkB BusA BusB_in icr_wr_feedback icr_rd icr_select R_icr_loadA icr_rd
                   R_icr_oldA R_icr_old R_icr_mask R_icrA R_icr R_icr_rden BusA_icr_out icr_out) ∧
      (DP_CR_SPEC ClkA ClkB BusB_in ccr_wr ccr_rd R_ccr R_ccr_rden BusA_ccr_out ccr_out) ∧
      (DP_CR_SPEC ClkA ClkB BusB_in gcr_wr gcr_rd R_gcr R_gcr_rden BusA_gcr_out gcr_out) ∧
      (GCR_Outputs_SPEC gcr_out Led reload01 oneshot01 interrupt01 enable01 reload23 oneshot23
                        interrupt23 enable23 Reset_error Pmm_invalid) ∧
      (SR_Inputs_SPEC Cpu_fail Reset_cpu Piu_fail Pmm_fail S_state Id ChannelID CB_parity C_ss
                      MB_parity sr_inp) ∧
      (DP_SR_SPEC ClkA ClkB sr_inp fsm_cntlatch sr_rd R_sr R_sr_rden BusA_sr_out) ∧
      (Bus_Enab_SPEC ClkA R_ctr0_irden R_ctr0_orden R_ctr1_irden R_ctr1_orden R_ctr2_irden
                     R_ctr2_orden R_ctr3_irden R_ctr3_orden R_icr_rden R_ccr_rden R_gcr_rden
                     R_sr_rden BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2 BusA_c2_en1
                     BusA_c2_en2 BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en BusA_gcr_en
                     BusA_sr_en) ∧
      (Bus_12_1_SPEC BusA_c0_out1 BusA_c0_out2 BusA_c1_out1 BusA_c1_out2 BusA_c2_out1
                     BusA_c2_out2 BusA_c3_out1 BusA_c3_out2 BusA_icr_out BusA_ccr_out
                     BusA_gcr_out BusA_sr_out BusA_c0_en1 BusA_c0_en2 BusA_c1_en1 BusA_c1_en2
                     BusA_c2_en1 BusA_c2_en2 BusA_c3_en1 BusA_c3_en2 BusA_icr_en BusA_ccr_en
                     BusA_gcr_en BusA_sr_en BusA)"
  );;
```

# **B.4 C Port Specification**

```
%------------------------------------------------------------------------------
  File:         c_block.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the gate-level specification of the
  C-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center.
------------------------------------------------------------------------------%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm c_block.th';;
new_theory 'c_block';;
loadf 'abstract';;
map new_parent ['gates_def';'latches_def';'ffs_def';'counters_def';'caux_def';'aux_def';
                'array_def';'wordn_def'];;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;

let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

wordn#bool#bool#bool#bool#
cefsm_ty#bool#
bool#bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn#wordn#
csfsm_ty#bool#bool#bool#bool#bool#wordn#
cefsm_ty#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#wordn)";;

let c_state =
  "((C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
    C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
    C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en,
    C_mfsm_abort_le_en_, C_mfsm_mparity,
    C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1,
    C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
    C_sfsm_s_cout_sel0, C_sfsm_sparity,
    C_efsm_stateA, C_efsm_srdy_en,
    C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_rd_srdy,
    C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA,
    C_iad_out, C_a1a0, C_a3a2,
    C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
    C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
    C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed,
    C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
    C_efsm_rst,
    C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss,
    C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
    C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
   :^c_state_ty)";;

wordn#wordn#wordn#bool#bool#bool#bool#bool#wordn#bool#bool#wordn#bool#wordn#bool#

let c_env =
  "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
    I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA,
    ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
   :^c_env_ty)";;

let c_out_ty = ":(bool#bool#bool#bool#bool#bool#wordn#wordn#
                  bool#wordn#wordn#wordn#bool#bool)";;

let c_out =
  "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
    I_ad_out, I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out,
    Disable_writes, CB_parity)
   :^c_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;

%------------------------------------------------------------------------------
  Input logic for C_last_in_ flip-flop.
------------------------------------------------------------------------------%
let Last_Logic = new_definition
  ('Last_Logic',
   "! rst clkD mfsm_md1 mfsm_mabort last_in_inE .
    Last_Logic rst clkD mfsm_md1 mfsm_mabort last_in_inE =
      !t:time .
      (last_in_inE t = (rst t) ∨ ((clkD t) ∧ (mfsm_md1 t)) ∨ (mfsm_mabort t))"
  );;

%------------------------------------------------------------------------------
  Input logic for C_last_out_ latch.
------------------------------------------------------------------------------%
let Hold_Logic = new_definition
  ('Hold_Logic',
   "! (cb_ms:time->wordn) clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE .
    Hold_Logic cb_ms clkD sfsm_sa1 last_out_inS last_out_inR last_out_inE =
      !t:time .
      (last_out_inS t = sfsm_sa1 t) ∧
      (last_out_inR t = (clkD t) ∧ ((cb_ms t = ^MEND) ∨ (cb_ms t = ^MABORT))) ∧
      (last_out_inE t = (last_out_inS t) ∨ (last_out_inR t))"
  );;

%------------------------------------------------------------------------------
  Generation logic for cout_sel signal.
------------------------------------------------------------------------------%
let Cout_Sel_Logic_SPEC = new_definition
  ('Cout_Sel_Logic_SPEC',
   "! sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1
      (cout_sel:time->wordn) .
    Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1
                        cout_sel =
      !t:time .
      (cout_sel t = ((sfsm_sd0 t) ∨ (sfsm_sd1 t)) =>
         (let a1 = (ALTER (cout_sel t) 0 (sfsm_s_cout_sel0 t)) in
            (ALTER a1 1 F)) |
         (let a1 = (ALTER (cout_sel t) 0 (mfsm_m_cout_sel0 t)) in
            (ALTER a1 1 (mfsm_m_cout_sel1 t))))"
  );;

%------------------------------------------------------------------------------
  Generation logic for srdy signal.
------------------------------------------------------------------------------%
let Srdy_In_Logic_SPEC = new_definition
  ('Srdy_In_Logic_SPEC',
   "! (cb_ss:time->wordn) dfsm_srdy .
    Srdy_In_Logic_SPEC cb_ss dfsm_srdy =
      !t:time .
      (dfsm_srdy t = (cb_ss t = ^SRDY))"
  );;

%------------------------------------------------------------------------------
  Input logic for C_wrdy, C_rrdy latches.
------------------------------------------------------------------------------%
let Rdy_Logic_SPEC = new_definition
  ('Rdy_Logic_SPEC',
   "! mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD .
    Rdy_Logic_SPEC mfsm_md0 mfsm_md1 clkD write srdy wrdy_inD rrdy_inD =
      !t:time .
      (wrdy_inD t = (srdy t) ∧ (write t) ∧ (mfsm_md1 t) ∧ (clkD t)) ∧
      (rrdy_inD t = (srdy t) ∧ ~(write t) ∧ (mfsm_md0 t) ∧ (clkD t))"
  );;

%------------------------------------------------------------------------------
  Generation logic for I_srdy_out_ signal.
------------------------------------------------------------------------------%
let ISrdy_Out_Logic_SPEC = new_definition
  ('ISrdy_Out_Logic_SPEC',
   "! wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE .
    ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ fsm_mabort cale_ srdy_en isrdy_inD isrdy_inE =
      !t:time .
      (isrdy_inD t = ~((wrdyA_outQ t) ∨ (rrdyA_outQ t) ∨ (fsm_mabort t))) ∧
      (isrdy_inE t = ~(cale_ t) ∨ (srdy_en t))"
  );;

%------------------------------------------------------------------------------
  Generation logic for CBss_out signal.
------------------------------------------------------------------------------%
let CBss_Out_Logic_SPEC = new_definition
  ('CBss_Out_Logic_SPEC',
   "! (sfsm_ss:time->wordn) pmm_failure piu_valid cbss_out .
    CBss_Out_Logic_SPEC sfsm_ss pmm_failure piu_valid cbss_out =
      !t:time .
      (cbss_out t =
         (let a1 = (MALTER (cbss_out t) (1,0) (SUBARRAY (sfsm_ss t) (1,0))) in
            (ALTER a1 (2) ((ELEMENT (sfsm_ss t) (2)) ∧ (pmm_failure t) ∧ (piu_valid t)))))"
  );;

%------------------------------------------------------------------------------
  Generation logic for CBms_out signal.
------------------------------------------------------------------------------%
let CBms_Out_Logic_SPEC = new_definition
  ('CBms_Out_Logic_SPEC',
   "! (mfsm_ms:time->wordn) pmm_failure piu_valid cbms_out .
    CBms_Out_Logic_SPEC mfsm_ms pmm_failure piu_valid cbms_out =
      !t:time .
      (cbms_out t =
         (let a1 = (MALTER (cbms_out t) (1,0) (SUBARRAY (mfsm_ms t) (1,0))) in
            (ALTER a1 (2) ((ELEMENT (mfsm_ms t) (2)) ∧ ~(pmm_failure t) ∧ ~(piu_valid t)))))"
  );;

%------------------------------------------------------------------------------
  Generation logic for cout_1_le signal.
------------------------------------------------------------------------------%
let Cout_1_Le_Logic_SPEC = new_definition
  ('Cout_1_Le_Logic_SPEC',
   "! dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le .
    Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del dfsm_cout_1_le cout_1_le =
      !t:time .
      (cout_1_le t = (dfsm_master t) ∧ (dfsm_cout_1_le t) ∨
                     (dfsm_master t) ∧ (cout_0_le_del t))"
  );;

%------------------------------------------------------------------------------
  Generation logic for iad_en signal.
------------------------------------------------------------------------------%
let Iad_En_Logic_SPEC = new_definition
  ('Iad_En_Logic_SPEC',
   "! mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en .
    Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del iad_en =
      !t:time .
      (iad_en t = (mfsm_iad_en_m t) ∨ (sfsm_iad_en_s t) ∨ (iad_en_s_del t))"
  );;

%------------------------------------------------------------------------------
  Generation logic for c_pe_cnt signal.
------------------------------------------------------------------------------%
let Pe_Cnt_Logic_SPEC = new_definition
  ('Pe_Cnt_Logic_SPEC',
   "! clkD (sfsm_sparity:time->bool) mfsm_mparity (cb_ss_in:time->wordn) c_pe_cnt .
    Pe_Cnt_Logic_SPEC clkD sfsm_sparity mfsm_mparity cb_ss_in c_pe_cnt =
      !t:time .
      (c_pe_cnt t = (clkD t) ∧
         (~((sfsm_sparity t) = (mfsm_mparity t)) ∨
          ((SUBARRAY (cb_ss_in t) (1,0)) = WORDN 0)))"
  );;

%------------------------------------------------------------------------------
  Generation logic for c_grant, c_busy signals.
------------------------------------------------------------------------------%
let Grant_Logic_SPEC = new_definition
  ('Grant_Logic_SPEC',
   "! (id:time->wordn) (rqt_:time->wordn) busy grant .
    Grant_Logic_SPEC id rqt_ busy grant =
      !t:time .
      (busy t = ~(ELEMENT (rqt_ t) (3)) ∨ ~(ELEMENT (rqt_ t) (2)) ∨ ~(ELEMENT (rqt_ t) (1))) ∧
      (grant t =
         ((SUBARRAY (id t) (1,0)) = WORDN 0) ∧ ~(ELEMENT (rqt_ t) (0)) ∨
         ((SUBARRAY (id t) (1,0)) = WORDN 1) ∧ ~(ELEMENT (rqt_ t) (0)) ∧ (ELEMENT (rqt_ t) (1)) ∨
         ((SUBARRAY (id t) (1,0)) = WORDN 2) ∧ ~(ELEMENT (rqt_ t) (0)) ∧ (ELEMENT (rqt_ t) (1)) ∧
                                                (ELEMENT (rqt_ t) (2)) ∨
         ((SUBARRAY (id t) (1,0)) = WORDN 3) ∧ ~(ELEMENT (rqt_ t) (0)) ∧ (ELEMENT (rqt_ t) (1)) ∧
                                                (ELEMENT (rqt_ t) (2)) ∧ (ELEMENT (rqt_ t) (3)))"
  );;

%------------------------------------------------------------------------------
  Generation logic for addressed signal.
------------------------------------------------------------------------------%
let Addressed_Logic_SPEC = new_definition
  ('Addressed_Logic_SPEC',
   "! (id:time->wordn) (source:time->wordn) addressed .
    Addressed_Logic_SPEC id source addressed =
      !t:time .
      (addressed t = ((ELEMENT (id t) (0)) = (ELEMENT (source t) (10))) ∧
                     ((ELEMENT (id t) (1)) = (ELEMENT (source t) (11))) ∧
                     ((ELEMENT (id t) (2)) = (ELEMENT (source t) (12))) ∧
                     ((ELEMENT (id t) (3)) = (ELEMENT (source t) (13))) ∧
                     ((ELEMENT (id t) (4)) = (ELEMENT (source t) (14))) ∧
                     ((ELEMENT (id t) (5)) = (ELEMENT (source t) (15))))"
  );;

%------------------------------------------------------------------------------
  Generation logic for Disable_writes signal.
------------------------------------------------------------------------------%
let D_Writes_Logic_SPEC = new_definition
  ('D_Writes_Logic_SPEC',
   "! dfsm_slave (chan_id:time->wordn) (source:time->wordn) disable_writes .
    D_Writes_Logic_SPEC dfsm_slave chan_id source disable_writes =
      !t:time .
      (disable_writes t = (dfsm_slave t) ∧
         ~((ELEMENT (chan_id t) (0)) ∧ (ELEMENT (source t) (6))) ∧
         ~((ELEMENT (chan_id t) (1)) ∧ (ELEMENT (source t) (7))) ∧
         ~((ELEMENT (chan_id t) (2)) ∧ (ELEMENT (source t) (8)))
  );;

%------------------------------------------------------------------------------
  Generation logic for c_pe signal.
------------------------------------------------------------------------------%
let Parity_Decode_Logic_SPEC = new_definition
  ('Parity_Decode_Logic_SPEC',
   "! rep cad_in cad_in_dec cad_in_det .
    Parity_Decode_Logic_SPEC rep cad_in cad_in_dec cad_in_det =
      !t:time .
      (cad_in_dec t = (Par_Dec rep (cad_in t))) ∧
      (cad_in_det t = (Par_Det rep (cad_in t)))"
  );;

%------------------------------------------------------------------------------
  Input logic for C_parity latch.
------------------------------------------------------------------------------%
let Parity_Signal_Inputs_SPEC = new_definition
  ('Parity_Signal_Inputs_SPEC',
   "! rst cad_in_det clkD c_pe_cnt reset_parity c_parity_inS c_parity_inR c_parity_inE .
    Parity_Signal_Inputs_SPEC rst cad_in_det clkD c_pe_cnt reset_parity
                              c_parity_inS c_parity_inR c_parity_inE =
      !t:time .
      (c_parity_inS t = (cad_in_det t) ∧ (clkD t) ∧ (c_pe_cnt t)) ∧
      (c_parity_inR t = (rst t) ∨ (reset_parity t)) ∧
      (c_parity_inE t = (c_parity_inS t) ∨ (c_parity_inR t))"
  );;

%------------------------------------------------------------------------------
  C-Bus input latches.
------------------------------------------------------------------------------%
let CB_In_Latches_SPEC = new_definition
  ('CB_In_Latches_SPEC',
   "! clkA clkB rst (cad_in_dec:time->wordn) cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
      (source:time->wordn) (sizewrbe:time->wordn) iad_preout
      c_source c_data_in c_sizewrbe c_iad_preout .
    CB_In_Latches_SPEC clkA clkB rst cad_in_dec cin_0_le cin_1_le cin_2_le cin_3_le cin_4_le
                       source sizewrbe iad_preout c_source c_data_in c_sizewrbe c_iad_preout =
      !t:time .
      ((clkA t) ==>
         ((c_source (t+1) = c_source t) ∧
          (c_data_in (t+1) = c_data_in t) ∧
          (c_sizewrbe (t+1) = c_sizewrbe t) ∧
          (c_iad_preout (t+1) = (cin_2_le t) => (c_data_in t) | (c_iad_preout t)))) ∧
      ((clkB t) ==>
         ((c_source (t+1) = (rst t) => WORDN 0 |
                            (cin_3_le t) => (cad_in_dec t) | (c_source t)) ∧
          (c_data_in (t+1) =
             (rst t) => MALTER (c_data_in t) (31,16) (WORDN 0) |
             ((cin_1_le t) ∧ (~cin_0_le t)) => MALTER (c_data_in t) (31,16) (cad_in_dec t) |
             (c_data_in (t+1))) ∧
          (c_data_in (t+1) =
             (rst t) => WORDN 0 |
             ((cin_0_le t) ∧ (~cin_1_le t)) => MALTER (c_data_in t) (15,0) (cad_in_dec t) |
             (c_data_in (t+1))) ∧
          (c_sizewrbe (t+1) = (rst t) => WORDN 0 |
                              (cin_4_le t) => SUBARRAY (c_data_in t) (31,22) | (c_sizewrbe t)) ∧
          (c_iad_preout (t+1) = (c_iad_preout t)))) ∧
      ((source t = c_source (t+1)) ∧
       (sizewrbe t = c_sizewrbe (t+1)) ∧
       (iad_preout t = c_iad_preout (t+1)))"
  );;

%------------------------------------------------------------------------------
  Generation logic for I_be_out_ signal.
------------------------------------------------------------------------------%
let BE_Out_Logic_SPEC = new_definition
  ('BE_Out_Logic_SPEC',
   "! (sizewrbe:time->wordn) hlda be_out .
    BE_Out_Logic_SPEC sizewrbe hlda be_out =
      !t:time .
      ((hlda t) ==> (be_out t = SUBARRAY (sizewrbe t) (9,6)))"
  );;

%------------------------------------------------------------------------------
  Generation logic for write signal.
------------------------------------------------------------------------------%
let Write_Logic_SPEC = new_definition
  ('Write_Logic_SPEC',
   "! clkA clkB (iad_in:time->wordn) sizewrbe cale_ master_tran C_wr write .
    Write_Logic_SPEC clkA clkB iad_in sizewrbe cale_ master_tran C_wr write =
      !t:time .
        ((clkA t) ==> C_wr (t+1) = C_wr t) ∧
        ((clkB t) ==> C_wr (t+1) = (~cale_ t) => (ELEMENT (iad_in t) (27)) | C_wr t) ∧
        (write t = (master_tran t) => (C_wr (t+1)) | (ELEMENT (sizewrbe t) (5)))"
  );;

C-Bus output latches.

let CB_Out_Logic_SPEC = new_definition
  ('CB_Out_Logic_SPEC',
   "! rep clkA clkB (iad_in:time->wordn) (ccr:time->wordn) dfsm_cout_0_le cout_1_le
      mfsm_mrequest cout_sel cad_preout C_iad_in C_a1a0 C_a3a2 .
    CB_Out_Logic_SPEC rep clkA clkB iad_in ccr dfsm_cout_0_le cout_1_le mfsm_mrequest
                      cout_sel cad_preout C_iad_in C_a1a0 C_a3a2 =
      !t:time .
        ((clkA t) ==>
          ((C_iad_in (t+1) = C_iad_in t) ∧
           (C_a1a0 (t+1) = (cout_1_le t) => (C_iad_in t) | (C_a1a0 t)) ∧
           (C_a3a2 (t+1) = (mfsm_mrequest t) => (ccr t) | (C_a3a2 t)))) ∧
        ((clkB t) ==>
          ((C_iad_in (t+1) = (dfsm_cout_0_le t) => (iad_in t) | (C_iad_in t)) ∧
           (C_a1a0 (t+1) = C_a1a0 t) ∧
           (C_a3a2 (t+1) = C_a3a2 t))) ∧
        (cad_preout t =
           ((cout_sel (t+1)) = WORDN 0) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (15,0))) |
           ((cout_sel (t+1)) = WORDN 1) => (Par_Enc rep (SUBARRAY (C_a1a0 (t+1)) (31,16))) |
           ((cout_sel (t+1)) = WORDN 2) => (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (15,0))) |
           (Par_Enc rep (SUBARRAY (C_a3a2 (t+1)) (31,16))))"
  );;

C-Port Block.

let C_Block_SPEC = new_definition
  ('C_Block_SPEC',
   "! (C_mfsm_stateA C_mfsm_state :time->cmfsm_ty)
      (C_sfsm_stateA C_sfsm_state :time->csfsm_ty)
      (C_efsm_stateA C_efsm_state :time->cefsm_ty)
      (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
       C_source C_data_in C_iad_in :time->wordn)
      (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1 C_mfsm_ma0
       C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
       C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
       C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale
       C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
       C_efsm_srdy_en C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_rd_srdy
       C_cout_0_le_delA C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
       C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
       C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
       C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
       C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_
       C_efsm_srdy_ C_efsm_rst C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_
       C_last_out_ C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del
       C_wrdy C_rrdy C_parity :time->bool)
      (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
       Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :time->bool)
      (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :time->wordn)
      (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_
       CB_rqt_out_ Disable_writes CB_parity :time->bool)
      (I_ad_out I_be_out_ CB_ms_out CB_ss_out CB_ad_out C_ss_out :time->wordn) .
    C_Block_SPEC
      (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
       C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
       C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en,
       C_mfsm_abort_le_en_, C_mfsm_mparity,
       C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1,
       C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort,
       C_sfsm_s_cout_sel0, C_sfsm_sparity,
       C_efsm_stateA, C_efsm_srdy_en,
       C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_rd_srdy,
       C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA,
       C_iad_out, C_a1a0, C_a3a2,
       C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy,
       C_mfsm_write, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss,
       C_mfsm_invalid,
       C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed,
       C_sfsm_hlda_, C_sfsm_ms,
       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_,
       C_efsm_rst,
       C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss,
       C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del,
       C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
      (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_,
       I_srdy_in_, I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
       Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
      (I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
       I_ad_out, I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out,
       Disable_writes, CB_parity) =
      ? (grant busy mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
         mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_cm_en
         mfsm_abort_le_en_ mfsm_mparity
         sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale sfsm_sd1 sfsm_sd0
         sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity
         efsm_srdy_en
         dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le dfsm_cin_4_le
         dfsm_cout_0_le dfsm_cout_1_le dfsm_cad_en_ dfsm_male_ dfsm_rale_ dfsm_mrdy_
         last_in_inE last_in_outQ lock_in_inE lock_in_outQ clkA_outQ
         last_out_inS last_out_inR last_out_inE last_out_outQ
         sstatus_en_ sidle_del_outQ mrqt_del_outQ mstatus_en_ dfsm_srdy write
         wrdy_inD wrdy_outQ rrdy_inD rrdy_outQ wrdyA_outQ rrdyA_outQ
         i_srdy_en isrdy_inD isrdy_inE cout_0_le_del_out cin_2_le_out cout_1_le mrdy_del_out
         iad_en_s_del_outQ iad_en c_pe_cnt addressed cin_2_le cad_in_det
         c_parity_inS c_parity_inR c_parity_inE hlda :time->bool)
        (mfsm_ss mfsm_ms sfsm_ss cout_sel cad_in_dec source sizewrbe iad_preout cad_preout
         :time->wordn).
      (OR2_SPEC Rst mfsm_ma1 lock_in_inE) ∧
      (DRELAT_SPEC I_lock_ Rst lock_in_inE ClkB C_lock_in_ lock_in_outQ) ∧
      (Last_Logic Rst ClkD mfsm_md1 mfsm_mabort last_in_inE) ∧
      (DREFF_SPEC I_last_in_ last_in_inE Rst ClkB C_last_inA_ C_last_in_ last_in_outQ) ∧
      (DEFFn_SPEC mfsm_ss mfsm_abort_le_en_ ClkB C_ssA C_ss C_ss_out) ∧
      (DFF_SPEC ClkD ClkA C_clkA C_clkAA clkA_outQ) ∧
      (Hold_Logic CB_ms_in ClkD sfsm_sa1 last_out_inS last_out_inR last_out_inE) ∧
      (DSRELAT_SPEC GND last_out_inS last_out_inR last_out_inE ClkB C_last_out_ last_out_outQ) ∧
      (TRIBUF_SPEC last_out_outQ hlda I_last_out_) ∧
      (OR2_SPEC sfsm_sidle sfsm_sabort sstatus_en_) ∧
      (DFF_SPEC sfsm_sidle ClkA C_sidle_del C_sidle_delA sidle_del_outQ) ∧
      (DFF_SPEC mfsm_mrequest ClkA C_mrqt_del C_mrqt_delA mrqt_del_outQ) ∧
      (Cout_Sel_Logic_SPEC sfsm_s_cout_sel0 mfsm_m_cout_sel1 mfsm_m_cout_sel0 sfsm_sd0 sfsm_sd1
                           cout_sel) ∧
      (NOT_SPEC mfsm_cm_en mstatus_en_) ∧
      (DEFF_SPEC sfsm_sidle ClkD ClkA C_hold_ C_holdA_ I_hold_) ∧
      (Srdy_In_Logic_SPEC CB_ss_in dfsm_srdy) ∧
      (Rdy_Logic_SPEC mfsm_md0 mfsm_md1 ClkD write dfsm_srdy wrdy_inD rrdy_inD) ∧
      (DLAT_SPEC wrdy_inD ClkB C_wrdy wrdy_outQ) ∧
      (DLAT_SPEC rrdy_inD ClkB C_rrdy rrdy_outQ) ∧
      (DLAT_SPEC wrdy_outQ ClkA C_wrdyA wrdyA_outQ) ∧
      (DLAT_SPEC rrdy_outQ ClkA C_rrdyA rrdyA_outQ) ∧
      (ISrdy_Out_Logic_SPEC wrdyA_outQ rrdyA_outQ mfsm_mabort I_cale_ i_srdy_en
                            isrdy_inD isrdy_inE) ∧
      (TRIBUF_SPEC isrdy_inD isrdy_inE I_srdy_out_) ∧
      (CBss_Out_Logic_SPEC sfsm_ss Pmm_failure Piu_invalid CB_ss_out) ∧
      (DFF_SPEC dfsm_cout_0_le ClkA C_cout_0_le_del C_cout_0_le_delA cout_0_le_del_out) ∧
      (DFF_SPEC dfsm_cin_0_le ClkA C_cin_2_le C_cin_2_leA cin_2_le_out) ∧
      (Cout_1_Le_Logic_SPEC dfsm_master cout_0_le_del_out dfsm_cout_1_le cout_1_le) ∧
      (DFF_SPEC dfsm_mrdy_ ClkA C_mrdy_del_ C_mrdy_delA_
                mrdy_del_out) ∧
      (NOT_SPEC I_hlda_ hlda) ∧
      (TRIBUF_SPEC dfsm_male_ hlda I_male_out_) ∧
      (TRIBUF_SPEC dfsm_rale_ hlda I_rale_out_) ∧
      (TRIBUF_SPEC mrdy_del_out hlda I_mrdy_out_) ∧
      (DEFF_SPEC sfsm_iad_en_s ClkD ClkA C_iad_en_s_del C_iad_en_s_delA iad_en_s_del_outQ) ∧
      (Iad_En_Logic_SPEC mfsm_iad_en_m sfsm_iad_en_s iad_en_s_del_outQ iad_en) ∧
      (CBms_Out_Logic_SPEC mfsm_ms Pmm_failure Piu_invalid CB_ms_out) ∧
      (Pe_Cnt_Logic_SPEC ClkD sfsm_sparity mfsm_mparity CB_ss_in c_pe_cnt) ∧
      (Grant_Logic_SPEC Id CB_rqt_in_ busy grant) ∧
      (Addressed_Logic_SPEC Id C_source addressed) ∧
      (D_Writes_Logic_SPEC dfsm_slave ChannelID C_source Disable_writes) ∧
      (Parity_Decode_Logic_SPEC rep CB_ad_in cad_in_dec cad_in_det) ∧
      (Parity_Signal_Inputs_SPEC Rst cad_in_det ClkD c_pe_cnt Reset_error
                                 c_parity_inS c_parity_inR c_parity_inE) ∧
      (DSRELAT_SPEC GND c_parity_inS c_parity_inR c_parity_inE ClkB C_parity CB_parity) ∧
      (CB_In_Latches_SPEC ClkA ClkB Rst cad_in_dec dfsm_cin_0_le dfsm_cin_1_le cin_2_le
                          dfsm_cin_3_le dfsm_cin_4_le source sizewrbe iad_preout
                          C_source C_data_in C_sizewrbe C_iad_out) ∧
      (BE_Out_Logic_SPEC sizewrbe hlda I_be_out_) ∧
      (TRIBUF_SPEC iad_preout iad_en I_ad_out) ∧
      (Write_Logic_SPEC ClkA ClkB I_ad_in sizewrbe I_cale_ mfsm_cm_en C_wr write) ∧
      (CB_Out_Logic_SPEC rep ClkA ClkB I_ad_in Ccr dfsm_cout_0_le cout_1_le mfsm_mrequest
                         cout_sel cad_preout C_iad_in C_a1a0 C_a3a2) ∧
      (TRIBUF_SPEC cad_preout dfsm_cad_en_ CB_ad_out) ∧
      (CMFSM_SPEC ClkA ClkB efsm_srdy_en ClkD grant Rst busy write I_crqt_ I_hold_
                  last_in_outQ lock_in_outQ CB_ss_in Piu_invalid
                  C_mfsm_state C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy
                  C_mfsm_write C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_ss
                  C_mfsm_invalid
                  C_mfsm_stateA C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3
                  C_mfsm_ma2 C_mfsm_ma1 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m
                  C_mfsm_m_cout_sel1
                  C_mfsm_m_cout_sel0 C_mfsm_ms C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en
                  C_mfsm_abort_le_en_ C_mfsm_mparity
                  mfsm_mabort mfsm_midle mfsm_mrequest mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0
                  mfsm_md1 mfsm_md0 mfsm_iad_en_m mfsm_m_cout_sel1 mfsm_m_cout_sel0 mfsm_ms
                  CB_rqt_out_ I_cgnt_ mfsm_cm_en mfsm_abort_le_en_ mfsm_mparity) ∧
      (CSFSM_SPEC ClkA ClkB ClkD grant Rst write addressed I_hlda_ CB_ms_in
                  C_sfsm_state C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed
                  C_sfsm_hlda_ C_sfsm_ms
                  C_sfsm_stateA C_sfsm_ss C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock
                  C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack
                  C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
                  sfsm_ss sfsm_iad_en_s sfsm_sidle sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale
                  sfsm_sd1 sfsm_sd0 sfsm_sack sfsm_sabort sfsm_s_cout_sel0 sfsm_sparity) ∧
      (CEFSM_SPEC ClkA ClkB I_cale_ I_last_in_ I_male_in_ I_rale_in_ I_srdy_in_ Rst
                  C_efsm_state C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_
                  C_efsm_srdy_ C_efsm_rst
                  C_efsm_stateA C_efsm_srdy_en
                  efsm_srdy_en) ∧
      (CDFSM_SPEC dfsm_srdy ClkD clkA_outQ write sizewrbe sfsm_sidle sidle_del_outQ
                  sfsm_slock sfsm_sa1 sfsm_sa0 sfsm_sale sfsm_sd1 sfsm_sd0 sfsm_sack
                  mfsm_midle mrqt_del_outQ mfsm_ma3 mfsm_ma2 mfsm_ma1 mfsm_ma0 mfsm_md1
                  mfsm_md0 I_cale_ I_srdy_in_
                  dfsm_master dfsm_slave dfsm_cin_0_le dfsm_cin_1_le dfsm_cin_3_le
                  dfsm_cin_4_le dfsm_cout_0_le dfsm_cout_1_le dfsm_cad_en_ dfsm_male_
                  dfsm_rale_ dfsm_mrdy_)"
  );;
```

### **B.5 SU\_Cont Specification**

```
File:   s_block.ml
Author: (c) D.A. Fura 1992
Date:   31 March 1992

This file contains the ml source for the gate-level specification of the startup controller
of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High
Technology Center.

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm s_block.th';;

new_theory 's_block';;

map new_parent ['gates_def';'latches_def';'fs_def';'counters_def';'saux_def';'aux_def';
                'array_def';'wordn_def'];;

bool#bool#wordn#bool#bool#
sfsm_ty#bool#bool#bool#bool#

let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp,
                 S_fsm_src0, S_fsm_src1, S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf,
                 S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S_fsm_scs,
                 S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
                 S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad,
                 S_fsm_bypass, S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1,
                 S_reset_cpu0, S_reset_cpu1, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist,
                 S_piu_fail)
                :^s_state_ty)";;

let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
              :^s_env_ty)";;

let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
               Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
              :^s_out_ty)";;

Input logic for S_soft_shot latch.

let Scnt_In_SPEC = new_definition
  ('Scnt_In_SPEC',
   "! gcrh gcrl soft_shot_inD soft_cnt_inL .
    Scnt_In_SPEC gcrh gcrl soft_shot_inD soft_cnt_inL =
      (! t:time .
        (soft_shot_inD t = ~gcrh t ∧ gcrl t) ∧
        (soft_cnt_inL t = ~gcrh t ∧ ~gcrl t))"
  );;

Input logic for S_soft_cnt counter.

let Scnt_In1_SPEC = new_definition
  ('Scnt_In1_SPEC',
   "! soft_shot_outQ soft_shot_del_outQ soft_cnt_inU .
    Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU =
      (! t:time .
        (soft_cnt_inU t = soft_shot_outQ t ∧ ~soft_shot_del_outQ t))"
  );;

Input logic for S_delay counter.

let Delay_In_SPEC = new_definition
  ('Delay_In_SPEC',
   "! scpustart delay reset_cnt delay_inR .
    Delay_In_SPEC scpustart delay reset_cnt delay_inR =
      (! t:time .
        (delay_inR t = scpustart t ∧ (ELEMENT (delay t) (6)) ∨ reset_cnt t))"
  );;

Delay counter output multiplexers.

let Muxes_SPEC = new_definition
  ('Muxes_SPEC',
   "! (delay:time->wordn) test instart_inD delay17 .
    Muxes_SPEC delay test instart_inD delay17 =
      (!t:time .
        (instart_inD t = (test t) => ELEMENT (delay t) (5) | ELEMENT (delay t) (16)) ∧
        (delay17 t = (test t) => ELEMENT (delay t) (6) | ELEMENT (delay t) (17)))"
  );;

Generation logic for Disable_int output.

let Dis_Int_Out_SPEC = new_definition
  ('Dis_Int_Out_SPEC',
   "! instart normal delay disable_int_in disable_int_out .
    Dis_Int_Out_SPEC instart normal delay disable_int_in disable_int_out =
      (! t:time .
        (disable_int_out t =
           ~instart t ∧ ~(normal t ∧ (ELEMENT (delay t) (6)) ∧ disable_int_in t)))"
  );;

Input logic for S_bad_cpu0, S_bad_cpu1 latches.

let Bad_Cpu_In_SPEC = new_definition
  ('Bad_Cpu_In_SPEC',
   "! normal operation cpu0_fail cpu1_fail begin bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
      bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE .
    Bad_Cpu_In_SPEC normal operation cpu0_fail cpu1_fail begin
                    bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                    bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE =
      (! t:time .
        (bad_cpu0_inS t = begin t) ∧
        (bad_cpu0_inR t = (normal t ∨ operation t) ∧ ~cpu0_fail t) ∧
        (bad_cpu0_inE t = begin t ∨ (normal t ∨ operation t) ∧ ~cpu0_fail t) ∧
        (bad_cpu1_inS t = begin t) ∧
        (bad_cpu1_inR t = (normal t ∨ operation t) ∧ cpu0_fail t ∧ ~cpu1_fail t) ∧
        (bad_cpu1_inE t = begin t ∨ (normal t ∨ operation t) ∧ cpu1_fail t ∧ ~cpu1_fail t))"
  );;

Generation logic for local signals cpu0_ok, cpu1_ok.

let Cpu_Ok_SPEC = new_definition
  ('Cpu_Ok_SPEC',
   "! soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok .
    Cpu_Ok_SPEC soft_cnt cpu0_fail cpu1_fail failure0_ failure1_ cpu0_ok cpu1_ok =
      (! t:time .
        (cpu0_ok t = ((soft_cnt t) = WORDN 5) ∧ cpu0_fail t ∧ failure0_ t) ∧
        (cpu1_ok t = ((soft_cnt t) = WORDN 5) ∧ cpu1_fail t ∧ failure1_ t))"
  );;

Input logic for S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail latches.

let Fail_In_SPEC = new_definition
  ('Fail_In_SPEC',
   "! begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
      pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
      cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE .
    Fail_In_SPEC begin pmm_fail piu_fail bypass cpu0_ok cpu1_ok
                 pmm_fail_inS pmm_fail_inR pmm_fail_inE
                 cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                 cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE
                 piu_fail_inS piu_fail_inR piu_fail_inE =
      (! t:time .
        (pmm_fail_inS t = begin t) ∧
        (pmm_fail_inR t = pmm_fail t) ∧
        (pmm_fail_inE t = begin t ∨ pmm_fail t) ∧
        (cpu0_fail_inS t = begin t) ∧
        (cpu0_fail_inR t = bypass t ∨ cpu0_ok t) ∧
        (cpu0_fail_inE t = begin t ∨ bypass t ∨ cpu0_ok t) ∧
        (cpu1_fail_inS t = begin t) ∧
        (cpu1_fail_inR t = bypass t ∨ cpu1_ok t) ∧
        (cpu1_fail_inE t = begin t ∨ bypass t ∨ cpu1_ok t) ∧
        (piu_fail_inS t = begin t) ∧
        (piu_fail_inR t = bypass t ∨ piu_fail t) ∧
        (piu_fail_inE t = begin t ∨ bypass t ∨ piu_fail t))"
  );;

Startup-controller controller state machine.

let FSM_SPEC = new_definition
  ('FSM_SPEC',
   "! clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
      state rst delay6 delay17 bothbad bypass
      stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
      stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out sc0f_out
      sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out .
    FSM_SPEC clkA clkB rst_in delay_in delay17_in bothbad_in bypass_in
             state rst delay6 delay17 bothbad bypass
             stateA sn so srcp sdi srp src0 src1 spf sc0f sc1f spmf sb src sec srs scs
             stateA_out sn_out so_out srcp_out sdi_out srp_out src0_out src1_out spf_out
             sc0f_out sc1f_out spmf_out sb_out src_out sec_out srs_out scs_out =
      (!t:time .
        ((clkA t) ==>
          ((state (t+1) = state t) ∧
           (rst (t+1) = rst t) ∧
           (delay6 (t+1) = delay6 t) ∧
           (delay17 (t+1) = delay17 t) ∧
           (bothbad (t+1) = bothbad t) ∧
           (bypass (t+1) = bypass t) ∧
           (stateA (t+1) =
              ((rst t) => SSTART |
               ((state t) = SSTART) => SRA |
               ((state t) = SRA) => ((delay6 t) => ((bypass t) => SO | SPF) | SRA) |
               ((state t) = SPF) => SC0I |
               ((state t) = SC0I) => ((delay17 t) => SC0F | SC0I) |
               ((state t) = SC0F) => ST |
               ((state t) = ST) => SC1I |
               ((state t) = SC1I) => ((delay17 t) => SC1F | SC1I) |
               ((state t) = SC1F) => SS |
               ((state t) = SS) => ((bothbad t) => SSTOP | SCS) |
               ((state t) = SSTOP) => SSTOP |
               ((state t) = SCS) => ((delay6 t) => SN | SCS) |
               ((state t) = SN) => ((delay17 t) => SO | SN) | SO)) ∧
           (sn (t+1) = (stateA (t+1) = SN)) ∧
           (so (t+1) = (stateA (t+1) = SO)) ∧
           (srcp (t+1) = ((~(stateA (t+1) = SO) ∧ ~((state t) = SSTOP)) ∨ ((state t) = SRA))) ∧
           (sdi (t+1) = ((~(stateA (t+1) = SO) ∧ ~((state t) = SSTOP)) ∨ ((state t) = SRA))) ∧
           (srp (t+1) = ((stateA (t+1) = SSTART) ∨ (stateA (t+1) = SRA) ∨
                         (stateA (t+1) = SC0F) ∨ (stateA (t+1) = ST) ∨
                         (stateA (t+1) = SC1F) ∨ (stateA (t+1) = SS) ∨
                         (stateA (t+1) = SCS))) ∧
           (src0 (t+1) = (~(stateA (t+1) = SPF) ∧ ~(stateA (t+1) = SC0I))) ∧
           (src1 (t+1) = (~(stateA (t+1) = ST) ∧ ~(stateA (t+1) = SC1I))) ∧
           (spf (t+1) = (((state t) = SRA) ∧ (delay6 t) ∧ ~(rst t))) ∧
           (sc0f (t+1) = (stateA (t+1) = SC0F)) ∧
           (sc1f (t+1) = (stateA (t+1) = SC1F)) ∧
           (spmf (t+1) = (stateA (t+1) = SO)) ∧
           (sb (t+1) = (stateA (t+1) = SSTART)) ∧
           (src (t+1) = ((stateA (t+1) = SSTART) ∨ (((state t) = SRA) ∧ (delay6 t)) ∨
                         (stateA (t+1) = SC0F) ∨ (stateA (t+1) = ST) ∨
                         (stateA (t+1) = SC1F) ∨ (stateA (t+1) = SS) ∨
                         (((state t) = SCS) ∧ (delay6 t)))) ∧
           (sec (t+1) = ((~(stateA (t+1) = SSTOP) ∧ ~(stateA (t+1) = SO)) ∨ ((state t) = SN))) ∧
           (srs (t+1) = ((((state t) = SPF) ∧ ~(rst t)) ∨ (((state t) = ST) ∧ ~(rst t)))) ∧
           (scs (t+1) = (stateA (t+1) = SCS)))) ∧
        ((clkB t) ==>
          ((state (t+1) = stateA t) ∧
           (rst (t+1) = rst_in t) ∧
           (delay6 (t+1) = ELEMENT (delay_in t) (6)) ∧
           (delay17 (t+1) = delay17_in t) ∧
           (bothbad (t+1) = bothbad_in t) ∧
           (bypass (t+1) = bypass_in t) ∧
           (sn (t+1) =
            sn t) ∧
           (so (t+1) = so t) ∧
           (srcp (t+1) = srcp t) ∧
           (sdi (t+1) = sdi t) ∧
           (srp (t+1) = srp t) ∧
           (src0 (t+1) = src0 t) ∧
           (src1 (t+1) = src1 t) ∧
           (spf (t+1) = spf t) ∧
           (sc0f (t+1) = sc0f t) ∧
           (sc1f (t+1) = sc1f t) ∧
           (spmf (t+1) = spmf t) ∧
           (sb (t+1) = sb t) ∧
           (src (t+1) = src t) ∧
           (sec (t+1) = sec t) ∧
           (srs (t+1) = srs t) ∧
           (scs (t+1) = scs t))) ∧
        ((let a0 = (ALTER (stateA_out t) (0)
                      ((stateA (t+1) = SRA) ∨ (stateA (t+1) = SPF) ∨ (stateA (t+1) = ST) ∨
                       (stateA (t+1) = SC1I) ∨ (stateA (t+1) = SCS) ∨ (stateA (t+1) = SN) ∨
                       (stateA (t+1) = SO))) in
         (let a1 = (ALTER a0 (1)
                      ((stateA (t+1) = SPF) ∨ (stateA (t+1) = SC0I) ∨ (stateA (t+1) = SC0F) ∨
                       (stateA (t+1) = ST) ∨ (stateA (t+1) = SSTOP) ∨ (stateA (t+1) = SO))) in
         (let a2 = (ALTER a1 (2)
                      ((stateA (t+1) = SC0F) ∨ (stateA (t+1) = ST) ∨ (stateA (t+1) = SC1I) ∨
                       (stateA (t+1) = SC1F) ∨ (stateA (t+1) = SS) ∨ (stateA (t+1) = SSTOP) ∨
                       (stateA (t+1) = SCS))) in
         (let a3 = (ALTER a2 (3)
                      ((stateA (t+1) = SS) ∨ (stateA (t+1) = SSTOP) ∨ (stateA (t+1) = SCS) ∨
                       (stateA (t+1) = SN) ∨ (stateA (t+1) = SO))) in
         (stateA_out t = a3)))))) ∧
        (sn_out t = sn (t+1)) ∧
        (so_out t = so (t+1)) ∧
        (srcp_out t = srcp (t+1)) ∧
        (sdi_out t = sdi (t+1)) ∧
        (srp_out t = srp (t+1)) ∧
        (src0_out t = src0 (t+1)) ∧
        (src1_out t = src1 (t+1)) ∧
        (spf_out t = spf (t+1)) ∧
        (sc0f_out t = sc0f (t+1)) ∧
        (sc1f_out t = sc1f (t+1)) ∧
        (spmf_out t = spmf (t+1)) ∧
        (sb_out t = sb (t+1)) ∧
        (src_out t = src (t+1)) ∧
        (sec_out t = sec (t+1)) ∧
        (srs_out t = srs (t+1)) ∧
        (scs_out t = scs (t+1)))"
  );;

Startup
controller block.

let S_Block_SPEC = new_definition
  ('S_Block_SPEC',
   "! (S_fsm_stateA S_fsm_state :(time->sfsm_ty))
      (S_soft_cntA S_delayA S_soft_cnt S_delay :(time->wordn))
      (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf
       S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs
       S_soft_shot S_soft_shot_delA S_instart S_cpu_histA S_fsm_rst S_fsm_delay6
       S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1
       S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail
       S_cpu_hist :(time->bool))
      (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :(time->bool))
      (S_state :(time->wordn))
      (Reset_cport Disable_int Reset_piu Reset_cpu0 Reset_cpu1 Cpu_hist Piu_fail Cpu0_fail
       Cpu1_fail Pmm_fail :(time->bool)).
    S_Block_SPEC
      (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0,
       S_fsm_src1, S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src,
       S_fsm_sec, S_fsm_srs, S_fsm_scs,
       S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
       S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
       S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0,
       S_reset_cpu1, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
      (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
      (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
       Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail) =
      (!t:time. ?
         fsm_delay17 fsm_bothbad fsm_sn fsm_so fsm_sdi fsm_src0 fsm_src1 fsm_spf fsm_sc0f
         fsm_sc1f fsm_spmf fsm_sb fsm_src fsm_sec fsm_srs fsm_scs NC
         soft_shot_inD soft_shot_outQ soft_shot_del_outQ
         soft_cnt_inL soft_cnt_inU soft_cnt_inR soft_cnt_outQ
         delay_inL delay_inU delay_inR delay_outQ instart_inD instart_outQ
         bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE bad_cpu0_outQ reset_cpu0_inD
         bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE bad_cpu1_outQ reset_cpu1_inD
         cpu_hist_inD cpu0_ok cpu1_ok
         pmm_fail_inS pmm_fail_inR pmm_fail_inE cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
         cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE piu_fail_inS piu_fail_inR piu_fail_inE.
        (Scnt_In_SPEC Gcrh Gcrl soft_shot_inD soft_cnt_inL) ∧
        (DLAT_SPEC soft_shot_inD ClkA S_soft_shot soft_shot_outQ) ∧
        (DFF_SPEC soft_shot_outQ ClkA S_soft_shot_del S_soft_shot_delA soft_shot_del_outQ) ∧
        (Scnt_In1_SPEC soft_shot_outQ soft_shot_del_outQ soft_cnt_inU) ∧
        (UPRCNT_SPEC 2 (GNDN 2) soft_cnt_inL soft_cnt_inU soft_cnt_inR ClkA S_soft_cnt
                     S_soft_cntA soft_cnt_outQ NC) ∧
        (Delay_In_SPEC fsm_scs delay_outQ fsm_src delay_inR) ∧
        (UPRCNT_SPEC 17 (GNDN 17) delay_inL delay_inU delay_inR ClkA S_delay S_delayA
                     delay_outQ NC) ∧
        (Muxes_SPEC delay_outQ Test instart_inD fsm_delay17) ∧
        (DLAT_SPEC instart_inD ClkA S_instart instart_outQ) ∧
        (Dis_Int_Out_SPEC instart_outQ fsm_sn delay_outQ fsm_sdi Disable_int) ∧
        (AND2_SPEC Cpu0_fail Cpu1_fail fsm_bothbad) ∧
        (Bad_Cpu_In_SPEC fsm_sn fsm_so Cpu0_fail Cpu1_fail fsm_sb
                         bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE
                         bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE) ∧
        (DSRELAT_SPEC GND bad_cpu0_inS bad_cpu0_inR bad_cpu0_inE ClkB S_bad_cpu0 bad_cpu0_outQ) ∧
        (DSRELAT_SPEC GND bad_cpu1_inS bad_cpu1_inR bad_cpu1_inE ClkB S_bad_cpu1 bad_cpu1_outQ) ∧
        (AND2_SPEC bad_cpu0_outQ fsm_src0 reset_cpu0_inD) ∧
        (AND2_SPEC bad_cpu1_outQ fsm_src1 reset_cpu1_inD) ∧
        (DLAT_SPEC reset_cpu0_inD ClkB S_reset_cpu0 Reset_cpu0) ∧
        (DLAT_SPEC reset_cpu1_inD ClkB S_reset_cpu1 Reset_cpu1) ∧
        (AND3_SPEC Reset_cpu0 Reset_cpu1 Bypass cpu_hist_inD) ∧
        (DFF_SPEC cpu_hist_inD ClkB S_cpu_histA S_cpu_hist Cpu_hist) ∧
        (Fail_In_SPEC fsm_sb fsm_spmf fsm_spf Bypass cpu0_ok cpu1_ok
                      pmm_fail_inS pmm_fail_inR pmm_fail_inE
                      cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE
                      cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE
                      piu_fail_inS piu_fail_inR piu_fail_inE) ∧
        (DSRELAT_SPEC GND pmm_fail_inS pmm_fail_inR pmm_fail_inE ClkB S_pmm_fail Pmm_fail) ∧
        (DSRELAT_SPEC GND cpu0_fail_inS cpu0_fail_inR cpu0_fail_inE ClkB S_cpu0_fail Cpu0_fail) ∧
        (DSRELAT_SPEC GND cpu1_fail_inS cpu1_fail_inR cpu1_fail_inE ClkB S_cpu1_fail Cpu1_fail) ∧
        (DSRELAT_SPEC GND piu_fail_inS piu_fail_inR piu_fail_inE ClkB S_piu_fail Piu_fail) ∧
        (Cpu_Ok_SPEC soft_cnt_outQ fsm_sc0f fsm_sc1f Failure0_ Failure1_ cpu0_ok cpu1_ok) ∧
        (FSM_SPEC ClkA ClkB Rst delay_outQ fsm_delay17 fsm_bothbad Bypass
                  S_fsm_state S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass
                  S_fsm_stateA S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0
                  S_fsm_src1 S_fsm_spf S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src
                  S_fsm_sec S_fsm_srs S_fsm_scs
                  S_state fsm_sn fsm_so Reset_cport fsm_sdi Reset_piu fsm_src0 fsm_src1
                  fsm_spf fsm_sc0f fsm_sc1f fsm_spmf fsm_sb fsm_src fsm_sec fsm_srs fsm_scs))"
  );;
```

# Appendix C ML Source for the Phase-Level Specification of the PIU Ports.

This appendix contains the HOL models used in the phase-level specification for the PIU ports. They are listed in the order: P\_Port, M\_Port, R\_Port, C\_Port, and SU\_Cont.

## **C.1 P Port Specification**

```
File:   p_phase.ml
Author: (c) D.A. Fura 1992
Date:   31 March 1992

This file contains the ml source for the phase-level specification of the P-Port of the
FTEP BIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology
Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm p_phase.th';;

new_theory 'p_phase';;

map new_parent ['paux_def';'aux_def';'array_def';'wordn_def'];;

let p_state = "((P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr,
                 P_dest1, P_be_, P_wr, P_be_n_, P_sizeA, P_loadA, P_downA,
                 P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_,
                 P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_,
                 P_lock_inh_, P_male_, P_rale_)

let p_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in,
               I_cgnt_, I_hold_, I_srdy_)

let p_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_,
               I_crqt_, I_cale_, I_mrdy_, I_last_, I_hlda_, I_lock_)

Next_state definition for Phase-A instruction.

let PH_A_inst_def = new_definition
  ('PH_A_inst',
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_
       P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn) .
    PH_A_inst
      (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1,
       P_be_, P_wr, P_be_n_, P_sizeA, P_loadA, P_downA,
       P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_, P_fsm_hold_,
       P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
      (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_,
       I_hold_, I_srdy_) =
    let new_P_fsm_stateA =
      ((P_fsm_rst) => PA |
((P_fsm_state = PH) \Rightarrow ((P_fsm_bold_) \Rightarrow PA \mid PH) \mid ((P_fsm_state = PA) => ((P_fsm_mrqt \lor (\sim P_fsm_crqt_ \land \sim P_fsm_cgnt_)) \Rightarrow PD \mid ((P_fsm_lock_ \land \neg P_fsm_hold_) \Rightarrow PH \mid PA)) \mid ((P_fsm_state = PD) => (((P_fsm\_sack \land P_fsm\_hold\_) \lor (P_fsm\_sack \land \neg P_fsm\_hold\_ \land \neg P_fsm\_lock\_)) => PA \lor P_fsm\_hold\_ \land P_fsm\_lock\_) ((P_fsm\_sack \land \neg P_fsm\_hold\_ \land P_fsm\_lock\_) \Longrightarrow PH \mid PD)) \mid P_ILL)))) \text{ in } let new_P_fsm_astate = (new_P_fsm_stateA = PA) in let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in let new_P_wr_data = L_ad_in in let new_P_addr = ((\sim P_rqt) \Rightarrow (SUBARRAY L_ad_in (25,0)) \mid P_addr) in let new_P_dest1 = ((\sim P_rqt) \Rightarrow (ELEMENT L_ad_in (31)) \mid P_dest1) in let new_P_be_=((\sim P_rqt) \Rightarrow L_be_|P_be_) in let new_P_wr = ((-P_rqt) => L_wr | P_wr) in let new_P_be_n_ = L_be_ in let new_P_loadA = P_load in let new_P_downA = P_down in let new_P_sizeA = P_size in let new_P_fsm_state = P_fsm_state in let new_P_fsm_rst = P_fsm_rst in let new_P_fsm_mrqt = P_fsm_mrqt in let new_P_fsm_sack = P_fsm_sack in let new_P_fsm_cgnt_ = P_fsm_cgnt_ in let new_P_fsm_crqt_ = P_fsm_crqt_ in let new_P_fsm_hold_ = P_fsm_hold_ in let new_P_fsm_lock_ = P_fsm_lock_ in let new_P_rqt = P_rqt in let new_P_size = P_size in let new_P_load = P_load in let new_P_down = P_down in let new_P_lock_ = P_lock_ in let new_P_lock_inh_ = P_lock_inh_ in let new_P_male_ = P_male_ in let new_P_rale_ = P_rale_ in ``` ``` (new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_bold_, new_P_fsm_lock_, new_P_rqt, new_P_size, new_P_load, new_P_down, 
      new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
  );;

% Output definition for Phase-A instruction. %

let PH_A_out_def = new_definition
  ('PH_A_out',
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn) .
   PH_A_out
     (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_, P_wr, P_be_n_,
      P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_,
      P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
     (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let new_P_fsm_stateA =
       ((P_fsm_rst) => PA |
       ((P_fsm_state = PH) => ((P_fsm_hold_) => PA | PH) |
       ((P_fsm_state = PA) =>
          ((P_fsm_mrqt \/ (~P_fsm_crqt_ /\ ~P_fsm_cgnt_)) => PD |
          ((P_fsm_lock_ /\ ~P_fsm_hold_) => PH | PA)) |
       ((P_fsm_state = PD) =>
          (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_fsm_lock_)) => PA |
          ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_fsm_lock_) => PH | PD)) | P_ILL)))) in
     let new_P_fsm_astate = (new_P_fsm_stateA = PA) in
     let new_P_fsm_dstate = (new_P_fsm_stateA = PD) in
     let new_P_fsm_hlda_ = ~(new_P_fsm_stateA = PH) in
     let new_P_wr_data = L_ad_in in
     let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
     let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
     let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
     let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
     let new_P_be_n_ = L_be_ in
     let new_P_loadA = P_load in
     let new_P_downA = P_down in
     let new_P_sizeA = P_size in
     let new_P_fsm_state = P_fsm_state in
     let new_P_fsm_rst = P_fsm_rst in
     let new_P_fsm_mrqt = P_fsm_mrqt in
     let new_P_fsm_sack = P_fsm_sack in
     let new_P_fsm_cgnt_ = P_fsm_cgnt_ in
     let new_P_fsm_crqt_ = P_fsm_crqt_ in
     let new_P_fsm_hold_ = P_fsm_hold_ in
     let new_P_fsm_lock_ = P_fsm_lock_ in
     let new_P_rqt = P_rqt in
     let new_P_size = P_size in
     let new_P_load = P_load in
     let new_P_down = P_down in
     let new_P_lock_ = P_lock_ in
     let new_P_lock_inh_ = P_lock_inh_ in
     let new_P_male_ = P_male_ in
     let new_P_rale_ = P_rale_ in
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ new_P_fsm_dstate) in
     let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => L_ad_in | ARBN) in
     let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
     let od0 = ARBN in
     let od1 = (MALTER od0 (31,27) new_P_be_) in
     let od2 = (ALTER od1 (26) F) in
     let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
     let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
     let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
     let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
     let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
     let I_rale_ = ((new_P_fsm_hlda_) =>
        ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_male_ = ((new_P_fsm_hlda_) =>
        ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
     let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
     let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
     let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
     let I_hlda_ = new_P_fsm_hlda_ in
     let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
     (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
      I_crqt_, L_ad_out)"
  );;

% Next-state definition for Phase-B instruction. %

let PH_B_inst_def = new_definition
  ('PH_B_inst',
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn) .
   PH_B_inst
     (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_, P_wr, P_be_n_,
      P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_,
      P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
     (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
     let new_P_rqt =
       ((p_ale /\ ~(p_sack \/ Rst)) => T |
       ((~p_ale /\ (p_sack \/ Rst)) => F |
       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
     let new_P_load = ~new_P_rqt in
     let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
     let new_P_size =
       ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
       ((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
     let new_P_male_ = ((P_fsm_astate) =>
        ~(~P_dest1 /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
     let new_P_rale_ = ((P_fsm_astate) =>
        ~(~P_dest1 /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
     let new_P_lock_ = ((Rst) => T | ((P_fsm_dstate) => L_lock_ | P_lock_)) in
     let new_P_lock_inh_ = ((Rst) => T | ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
     let new_P_fsm_state = P_fsm_stateA in
     let new_P_fsm_rst = Rst in
     let new_P_fsm_mrqt = (~P_dest1 /\ new_P_rqt) in
     let new_P_fsm_sack = p_sack in
     let new_P_fsm_cgnt_ = I_cgnt_ in
     let new_P_fsm_crqt_ = ~(P_dest1 /\ new_P_rqt) in
     let new_P_fsm_hold_ = I_hold_ in
     let new_P_fsm_lock_ = new_P_lock_ in
     let new_P_fsm_stateA = P_fsm_stateA in
     let new_P_fsm_astate = P_fsm_astate in
     let new_P_fsm_dstate = P_fsm_dstate in
     let new_P_fsm_hlda_ = P_fsm_hlda_ in
     let new_P_wr_data = P_wr_data in
     let new_P_addr = P_addr in
     let new_P_dest1 = P_dest1 in
     let new_P_be_ = P_be_ in
     let new_P_wr = P_wr in
     let new_P_be_n_ = P_be_n_ in
     let new_P_sizeA = P_sizeA in
     let new_P_loadA = P_loadA in
     let new_P_downA = P_downA in
     (new_P_fsm_stateA, new_P_fsm_astate, new_P_fsm_dstate, new_P_fsm_hlda_, new_P_wr_data, new_P_addr, new_P_dest1,
      new_P_be_, new_P_wr, new_P_be_n_, new_P_sizeA, new_P_loadA, new_P_downA, new_P_fsm_state, new_P_fsm_rst,
      new_P_fsm_mrqt, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_crqt_, new_P_fsm_hold_, new_P_fsm_lock_,
      new_P_rqt, new_P_size, new_P_load, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_)"
  );;

% Output definition for Phase-B instruction. %

let PH_B_out_def = new_definition
  ('PH_B_out',
   "! (P_fsm_state P_fsm_stateA :pfsm_ty)
      (P_fsm_astate P_fsm_dstate P_fsm_hlda_ P_dest1 P_wr P_loadA P_downA :bool)
      (P_fsm_rst P_fsm_mrqt P_fsm_sack P_fsm_cgnt_ P_fsm_crqt_ P_fsm_hold_ P_fsm_lock_ P_rqt P_load :bool)
      (P_down P_lock_ P_lock_inh_ P_male_ P_rale_ :bool)
      (P_wr_data P_addr P_be_ P_be_n_ P_sizeA P_size :wordn)
      (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool)
      (L_ad_in L_be_ I_ad_in :wordn) .
   PH_B_out
     (P_fsm_stateA, P_fsm_astate, P_fsm_dstate, P_fsm_hlda_, P_wr_data, P_addr, P_dest1, P_be_, P_wr, P_be_n_,
      P_sizeA, P_loadA, P_downA, P_fsm_state, P_fsm_rst, P_fsm_mrqt, P_fsm_sack, P_fsm_cgnt_, P_fsm_crqt_,
      P_fsm_hold_, P_fsm_lock_, P_rqt, P_size, P_load, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
     (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
     let p_ale = (~L_ads_ /\ L_den_) in
     let p_sack = ((P_sizeA = ((P_downA) => WORDN 1 | WORDN 0)) /\ ~I_srdy_ /\ P_fsm_dstate) in
     let new_P_rqt =
       ((p_ale /\ ~(p_sack \/ Rst)) => T |
       ((~p_ale /\ (p_sack \/ Rst)) => F |
       ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
     let new_P_load = ~new_P_rqt in
     let new_P_down = (~I_srdy_ /\ P_fsm_dstate) in
     let new_P_size =
       ((P_loadA) => (SUBARRAY L_ad_in (1,0)) |
       ((P_downA) => DECN 1 P_sizeA | P_sizeA)) in
     let new_P_male_ = ((P_fsm_astate) =>
        ~(~P_dest1 /\ (~((SUBARRAY P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
     let new_P_rale_ = ((P_fsm_astate) =>
        ~(~P_dest1 /\ ((SUBARRAY P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
     let new_P_lock_ = ((Rst) => T | ((P_fsm_dstate) => L_lock_ | P_lock_)) in
     let new_P_lock_inh_ = ((Rst) => T | ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
     let new_P_fsm_state = P_fsm_stateA in
     let new_P_fsm_rst = Rst in
     let new_P_fsm_mrqt = (~P_dest1 /\ new_P_rqt) in
     let new_P_fsm_sack = p_sack in
     let new_P_fsm_cgnt_ = I_cgnt_ in
     let new_P_fsm_crqt_ = ~(P_dest1 /\ new_P_rqt) in
     let new_P_fsm_hold_ = I_hold_ in
     let new_P_fsm_lock_ = new_P_lock_ in
     let new_P_fsm_stateA = P_fsm_stateA in
     let new_P_fsm_astate = P_fsm_astate in
     let new_P_fsm_dstate = P_fsm_dstate in
     let new_P_fsm_hlda_ = P_fsm_hlda_ in
     let new_P_wr_data = P_wr_data in
     let new_P_addr = P_addr in
     let new_P_dest1 = P_dest1 in
     let new_P_be_ = P_be_ in
     let new_P_wr = P_wr in
     let new_P_be_n_ = P_be_n_ in
     let new_P_sizeA = P_sizeA in
     let new_P_loadA = P_loadA in
     let new_P_downA = P_downA in
     let L_ad_out = ((~new_P_fsm_astate /\ new_P_fsm_hlda_ /\ ~(new_P_fsm_dstate /\ new_P_wr)) => I_ad_in | ARBN) in
     let L_ready_ = (~(~I_srdy_ /\ new_P_fsm_dstate)) in
     let od0 = ARBN in
     let od1 = MALTER od0 (31,27) new_P_be_ in
     let od2 = ALTER od1 (26) F in
     let od3 = MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0)) in
     let od4 = MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2)) in
     let I_ad_addr_out = ((new_P_fsm_astate) => od4 | ARBN) in
     let I_ad_data_out = ((new_P_fsm_dstate /\ new_P_wr) => new_P_wr_data | ARBN) in
     let I_be_ = ((new_P_fsm_hlda_) => ((new_P_fsm_astate) => new_P_be_ | new_P_be_n_) | ARBN) in
     let I_rale_ = ((new_P_fsm_hlda_) =>
        ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_male_ = ((new_P_fsm_hlda_) =>
        ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_fsm_astate /\ new_P_rqt) | ARB) in
     let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
     let I_cale_ = ~(~I_cgnt_ /\ new_P_fsm_astate /\ I_hold_) in
     let I_mrdy_ = ((new_P_fsm_hlda_) => F | ARB) in
     let I_last_ = ((new_P_fsm_hlda_) => (new_P_sizeA = ((new_P_downA) => WORDN 1 | WORDN 0)) | ARB) in
     let I_hlda_ = new_P_fsm_hlda_ in
     let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
     (L_ready_, I_last_, I_be_, I_mrdy_, I_ad_data_out, I_ad_addr_out, I_hlda_, I_lock_, I_cale_, I_male_, I_rale_,
      I_crqt_, L_ad_out)"
  );;
```

## **C.2 M Port Specification**

```
% File:   m_phase.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the phase-level specification of the M-Port of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of this code was translated from an M-language simulation program using a translator written by P.J. Windley at the University of Idaho. %

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm m_phase.th';;
new_theory 'm_phase';;
loadf 'abstract';;
map new_parent ['maux_def';'aux_def';'array_def';'wordn_def'];;

let m_state_ty = ":(mfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#wordn#wordn#
                    mfsm_ty#bool#bool#bool#bool#bool#bool#bool#
                    bool#bool#wordn#wordn#wordn#bool#bool#wordn#wordn)";;
let m_state = "((M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
                 M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw,
                 M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be,
                 M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect) :^m_state_ty)";;
let m_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
               MB_data_in, Edac_en_, Reset_parity) :^m_env_ty)";;
let m_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)
              :^m_out_ty)";;
let rep_ty = abstract_type 'aux_def' 'Andn';;

% Next-state definition for Phase-A instruction. %

let PH_A_inst_def = new_definition
  ('PH_A_inst',
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool) .
   PH_A_inst
     (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
      M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw,
      M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be,
      M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
     (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
      MB_data_in, Edac_en_, Reset_parity) =
     let new_M_fsm_stateA =
       ((M_fsm_rst) => MI |
       ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
       ((M_fsm_state = MA) =>
          ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
          ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
       ((M_fsm_state = MR) =>
          ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
          ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
          ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
       ((M_fsm_state = MRR) => MI |
       ((M_fsm_state = MW) =>
          ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
          ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
       ((M_fsm_state = MBW) => MW | M_ILL))))))) in
     let new_M_fsm_address = (new_M_fsm_stateA = MA) in
     let new_M_fsm_read = (new_M_fsm_stateA = MR) in
     let new_M_fsm_write = (new_M_fsm_stateA = MW) in
     let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
     let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
     let new_M_addrA = M_addr in
     let new_M_beA = M_be in
     let new_M_countA = M_count in
     let new_M_rdyA = M_rdy in
     let new_M_rd_dataA = M_rd_data in
     let new_M_fsm_state = M_fsm_state in
     let new_M_fsm_male_ = M_fsm_male_ in
     let new_M_fsm_rd = M_fsm_rd in
     let new_M_fsm_bw = M_fsm_bw in
     let new_M_fsm_ww = M_fsm_ww in
     let new_M_fsm_last_ = M_fsm_last_ in
     let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
     let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
     let new_M_fsm_rst = M_fsm_rst in
     let new_M_se = M_se in
     let new_M_wr = M_wr in
     let new_M_addr = M_addr in
     let new_M_be = M_be in
     let new_M_count = M_count in
     let new_M_rdy = M_rdy in
     let new_M_wwdel = M_wwdel in
     let new_M_parity = M_parity in
     let new_M_rd_data = M_rd_data in
     let new_M_detect = M_detect in
     (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
      new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
      new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
      new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
      new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
  );;

% Output definition for Phase-A instruction. %

let PH_A_out_def = new_definition
  ('PH_A_out',
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty) .
   PH_A_out
     (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
      M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw,
      M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be,
      M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
     (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
      MB_data_in, Edac_en_, Reset_parity)
     rep =
     let new_M_fsm_stateA =
       ((M_fsm_rst) => MI |
       ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
       ((M_fsm_state = MA) =>
          ((~M_fsm_mrdy_ /\ M_fsm_ww) => MW |
          ((~M_fsm_mrdy_ /\ (M_fsm_rd \/ M_fsm_bw)) => MR | MA)) |
       ((M_fsm_state = MR) =>
          ((M_fsm_bw /\ M_fsm_zero_cnt) => MBW |
          ((M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MA |
          ((~M_fsm_last_ /\ M_fsm_rd /\ M_fsm_zero_cnt) => MRR | MR))) |
       ((M_fsm_state = MRR) => MI |
       ((M_fsm_state = MW) =>
          ((~M_fsm_last_ /\ M_fsm_zero_cnt) => MI |
          ((M_fsm_last_ /\ M_fsm_zero_cnt) => MA | MW)) |
       ((M_fsm_state = MBW) => MW | M_ILL))))))) in
     let new_M_fsm_address = (new_M_fsm_stateA = MA) in
     let new_M_fsm_read = (new_M_fsm_stateA = MR) in
     let new_M_fsm_write = (new_M_fsm_stateA = MW) in
     let new_M_fsm_byte_write = (new_M_fsm_stateA = MBW) in
     let new_M_fsm_mem_enable = (~(new_M_fsm_stateA = MI)) in
     let new_M_addrA = M_addr in
     let new_M_beA = M_be in
     let new_M_countA = M_count in
     let new_M_rdyA = M_rdy in
     let new_M_rd_dataA = M_rd_data in
     let new_M_fsm_state = M_fsm_state in
     let new_M_fsm_male_ = M_fsm_male_ in
     let new_M_fsm_rd = M_fsm_rd in
     let new_M_fsm_bw = M_fsm_bw in
     let new_M_fsm_ww = M_fsm_ww in
     let new_M_fsm_last_ = M_fsm_last_ in
     let new_M_fsm_mrdy_ = M_fsm_mrdy_ in
     let new_M_fsm_zero_cnt = M_fsm_zero_cnt in
     let new_M_fsm_rst = M_fsm_rst in
     let new_M_se = M_se in
     let new_M_wr = M_wr in
     let new_M_addr = M_addr in
     let new_M_be = M_be in
     let new_M_count = M_count in
     let new_M_rdy = M_rdy in
     let new_M_wwdel = M_wwdel in
     let new_M_parity = M_parity in
     let new_M_rd_data = M_rd_data in
     let new_M_detect = M_detect in
     let m_rdy = ((new_M_fsm_write /\ (new_M_countA = (WORDN 1))) \/
                  (new_M_fsm_read /\ (new_M_countA = (WORDN 1)) /\ ~new_M_wr)) in
     let m_srdy_ = ~((new_M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
     let mb_data_7_0 = ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY new_M_rd_dataA (7,0))) in
     let mb_data_15_8 = ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY new_M_rd_dataA (15,8))) in
     let mb_data_23_16 = ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY new_M_rd_dataA (23,16))) in
     let mb_data_31_24 = ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY new_M_rd_dataA (31,24))) in
     let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0) (15,8) mb_data_15_8)
                      (23,16) mb_data_23_16) (31,24) mb_data_31_24)) in
     let I_ad_out = ((~new_M_wr /\ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
     let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
     let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
     let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
     let MB_cs_eeprom_ = ~(new_M_fsm_mem_enable /\ ~new_M_se) in
     let MB_cs_sram_ = ~(new_M_fsm_mem_enable /\ new_M_se) in
     let MB_we_ = ~((new_M_se \/ ~new_M_fsm_mem_enable \/ ~Disable_eeprom) /\
                    (new_M_fsm_byte_write \/ new_M_fsm_write \/ new_M_wwdel)) in
     let MB_oe_ = ((~new_M_wr /\ new_M_fsm_address) \/ new_M_fsm_read) in
     let MB_parity = new_M_parity in
     (I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
  );;

% Next-state definition for Phase-B instruction. %

let PH_B_inst_def = new_definition
  ('PH_B_inst',
   "! (M_fsm_stateA M_fsm_state :mfsm_ty)
      (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn)
      (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA
       M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst
       M_se M_wr M_rdy M_wwdel M_parity :bool)
      (I_ad_in I_be_ MB_data_in :wordn)
      (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
      (rep:^rep_ty) .
   PH_B_inst
     (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable,
      M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw,
      M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be,
      M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
     (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
      MB_data_in, Edac_en_, Reset_parity)
     rep =
     let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
     let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
     let new_M_addr =
       ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
       ((M_rdyA) => (INCN 18 M_addrA) | M_addrA)) in
     let new_M_count =
       ((M_fsm_address \/ M_fsm_byte_write) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
       ((M_fsm_write \/ M_fsm_read) => (DECN 1 M_countA) | M_countA)) in
     let m_rdy = ((M_fsm_write /\ (new_M_count = (WORDN 0))) \/
                  (M_fsm_read /\ (new_M_count = (WORDN 0)) /\ ~new_M_wr)) in
     let m_srdy_ = ~((M_rdyA /\ ~new_M_wr) \/ (m_rdy /\ new_M_wr)) in
     let new_M_be = ((~I_male_ \/ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
     let new_M_rdy = m_rdy in
     let new_M_wwdel = (M_fsm_address /\ new_M_wr /\ (new_M_be = (WORDN 15))) in
     let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in
     let new_M_detect =
       (((M_fsm_read /\ ~new_M_wr) \/ new_M_wr \/ ~M_fsm_mem_enable) =>
          ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
     let m_error = (~m_srdy_ /\ M_fsm_mem_enable /\ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
     let new_M_parity =
       ((m_error /\ ~(Rst \/ Reset_parity)) => T |
       ((~m_error /\ (Rst \/ Reset_parity)) => F |
       ((~m_error /\ ~(Rst \/ Reset_parity)) => M_parity | ARB))) in
     let new_M_fsm_state = M_fsm_stateA in
     let new_M_fsm_male_ = I_male_ in
     let new_M_fsm_rd = (~new_M_wr /\ M_fsm_mem_enable) in
     let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) /\ new_M_wr /\ M_fsm_mem_enable) in
     let new_M_fsm_ww = ((new_M_be = (WORDN 15)) /\ new_M_wr /\ M_fsm_mem_enable) in
     let new_M_fsm_last_ = I_last_ in
     let new_M_fsm_mrdy_ = I_mrdy_ in
     let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
     let new_M_fsm_rst = Rst in
     let new_M_fsm_stateA = M_fsm_stateA in
     let new_M_fsm_address = M_fsm_address in
     let new_M_fsm_read = M_fsm_read in
     let new_M_fsm_write = M_fsm_write in
     let new_M_fsm_byte_write = M_fsm_byte_write in
     let new_M_fsm_mem_enable = M_fsm_mem_enable in
     let new_M_addrA = M_addrA in
     let new_M_beA = M_beA in
     let new_M_countA = M_countA in
     let new_M_rdyA = M_rdyA in
     let new_M_rd_dataA = M_rd_dataA in
     (new_M_fsm_stateA, new_M_fsm_address, new_M_fsm_read, new_M_fsm_write, new_M_fsm_byte_write,
      new_M_fsm_mem_enable, new_M_addrA, new_M_beA, new_M_countA, new_M_rdyA, new_M_rd_dataA,
      new_M_fsm_state, new_M_fsm_male_, new_M_fsm_rd, new_M_fsm_bw, new_M_fsm_ww, new_M_fsm_last_,
      new_M_fsm_mrdy_, new_M_fsm_zero_cnt, new_M_fsm_rst, new_M_se, new_M_wr, new_M_addr, new_M_be,
      new_M_count, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect)"
  );;

% Output definition for Phase-B instruction. %

let PH_B_out_def = new_definition
  ('PH_B_out',
   "!
(M_fsm_state A M_fsm_state :mfsm_ty) (M_addrA M_beA M_countA M_rd_dataA M_addr M_be M_count M_rd_data M_detect :wordn) (M_fsm_address M_fsm_read M_fsm_write M_fsm_byte_write M_fsm_mem_enable M_rdyA M_fsm_male_ M_fsm_rd M_fsm_bw M_fsm_ww M_fsm_last_ M_fsm_mrdy_ M_fsm_zero_cnt M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool) (I_ad_in I_be_MB_data_in :wordn) (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_I_last_I_mrdy_Edac_en_Reset_parity:bool) (rep:^rep_ty). PH_B_out (M_fsm_stateA, M_fsm_address, M_fsm_read, M_fsm_write, M_fsm_byte_write, M_fsm_mem_enable, M_addrA, M_beA, M_countA, M_rdyA, M_rd_dataA, M_fsm_state, M_fsm_male_, M_fsm_rd, M_fsm_bw, M_fsm_ww, M_fsm_last_, M_fsm_mrdy_, M_fsm_zero_cnt, M_fsm_rst, M_se, M_wr, M_addr, M_be, M_count, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect) (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I mrdy_, MB_data_in, Edac_en_, Reset_parity) rep = let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in let new_M_wr = ((-I_male_) \Rightarrow (ELEMENT I_ad_in (27)) \mid M_wr) in let new_M_addr = ((-I_male_) => (SUBARRAY I_ad_in (18,0)) ((M_rdyA) \Rightarrow (INCN 18 M_addrA) \mid M_addrA)) in let new_M_count = ((M_fsm\_address \lor M_fsm\_byte\_write) \Longrightarrow ((new\_M\_se) \Longrightarrow (WORDN \ 1) \mid (WORDN \ 2)) \mid (WORDN \ 2)) \mid (WORDN \ 2) (W ((M_fsm_write V M_fsm_read) => (DECN 1 M_countA) | M_countA)) in let m_rdy = ((M_fsm_write \land (new_M_count = (WORDN 0))) ``` ``` V (M_fsm_read \land (new_M_count = (WORDN 0)) \land \neg new_M_wr)) in let m_srdy_ = \sim ((M_rdyA \land \sim new_M_wr) \lor (m_rdy \land new_M_wr)) in let new_M_be = ((~I_male_ V ~m_srdy_) => (NOTN 3 I_be_) | M_be) in let new_M_rdy = m_rdy in let new_M_wwdel = (M_fsm_address \land new_M_wr \land (new_M_be = (WORDN 15))) in let new_M_rd_data = ((M_fsm_read) => (Ham_Dec rep MB_data_in) | M_rd_data) in let new_M_detect = (((M_fsm_read \land \neg new_M_wr) \lor new_M_wr \lor \neg 
M_fsm_mem_enable) =>
    ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | (WORDN 0)) | M_detect) in
let m_error = (~m_srdy_ ∧ M_fsm_mem_enable ∧ (Ham_Det2 rep (new_M_detect, ~Edac_en_))) in
let new_M_parity = ((m_error ∧ ~(Rst ∨ Reset_parity)) => T |
                   ((~m_error ∧ (Rst ∨ Reset_parity)) => F |
                   ((~m_error ∧ ~(Rst ∨ Reset_parity)) => M_parity | ARB))) in
let new_M_fsm_state = M_fsm_stateA in
let new_M_fsm_male_ = I_male_ in
let new_M_fsm_rd = (~new_M_wr ∧ M_fsm_mem_enable) in
let new_M_fsm_bw = ((~(new_M_be = (WORDN 15))) ∧ new_M_wr ∧ M_fsm_mem_enable) in
let new_M_fsm_ww = ((new_M_be = (WORDN 15)) ∧ new_M_wr ∧ M_fsm_mem_enable) in
let new_M_fsm_last_ = I_last_ in
let new_M_fsm_mrdy_ = I_mrdy_ in
let new_M_fsm_zero_cnt = (new_M_count = (WORDN 0)) in
let new_M_fsm_rst = Rst in
let new_M_fsm_stateA = M_fsm_stateA in
let new_M_fsm_address = M_fsm_address in
let new_M_fsm_read = M_fsm_read in
let new_M_fsm_write = M_fsm_write in
let new_M_fsm_byte_write = M_fsm_byte_write in
let new_M_fsm_mem_enable = M_fsm_mem_enable in
let new_M_addrA = M_addrA in
let new_M_beA = M_beA in
let new_M_countA = M_countA in
let new_M_rdyA = M_rdyA in
let new_M_rd_dataA = M_rd_dataA in
let m_rdy = ((new_M_fsm_write ∧ (new_M_countA = (WORDN 1))) ∨
             (new_M_fsm_read ∧ (new_M_countA = (WORDN 1)) ∧ ~new_M_wr)) in
let m_srdy_ = ~((new_M_rdyA ∧ ~new_M_wr) ∨ (m_rdy ∧ new_M_wr)) in
let mb_data_7_0 = ((ELEMENT new_M_beA (0)) => (SUBARRAY I_ad_in (7,0)) |
                   (SUBARRAY new_M_rd_dataA (7,0))) in
let mb_data_15_8 = ((ELEMENT new_M_beA (1)) => (SUBARRAY I_ad_in (15,8)) |
                    (SUBARRAY new_M_rd_dataA (15,8))) in
let mb_data_23_16 = ((ELEMENT new_M_beA (2)) => (SUBARRAY I_ad_in (23,16)) |
                     (SUBARRAY new_M_rd_dataA (23,16))) in
let mb_data_31_24
  = ((ELEMENT new_M_beA (3)) => (SUBARRAY I_ad_in (31,24)) |
     (SUBARRAY new_M_rd_dataA (31,24))) in
let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0) (15,8) mb_data_15_8)
               (23,16) mb_data_23_16) (31,24) mb_data_31_24)) in
let I_ad_out = ((~new_M_wr ∧ new_M_fsm_mem_enable) => new_M_rd_dataA | ARBN) in
let I_srdy_ = ((new_M_fsm_mem_enable) => m_srdy_ | ARB) in
let MB_addr = ((new_M_rdyA) => (INCN 18 new_M_addrA) | new_M_addrA) in
let MB_data_out = ((new_M_fsm_write) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom = ~(new_M_fsm_eep - new_M_se) in
```

## **C.3 R Port Specification**

```
%
 File:   r_phase.ml
 Author: (c) D.A. Fura 1992
 Date:   31 March 1992

 This file contains the ml source for the phase-level specification of the R-Port of the
 FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology
 Center. The bulk of this code was translated from an M-language simulation program using a
 translator written by P.J. Windley at the University of Idaho.
%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm r_phase.th';;
new_theory 'r_phase';;
loadf 'abstract';;
map new_parent ['raux_def';'aux_def';'array_def';'wordn_def'];;

bool#bool#wordn#wordn#bool#bool#wordn#wordn#bool#bool#wordn#bool#bool#
wordn#bool#wordn#wordn#wordn#
bool#bool#bool#wordn#wordn#bool#wordn#bool#bool#wordn#wordn#bool#wordn#
bool#bool#bool#wordn#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
wordn#wordn#bool#wordn#bool#wordn#bool#wordn#bool)";;

let r_state =
 "((R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   :^r_state_ty)";;

wordn#wordn#wordn#bool#wordn)";;

let r_env =
 "((ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
   :^r_env_ty)";;

let r_out =
 "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
   :^r_out_ty)";;

let rep_ty =
  abstract_type 'aux_def' 'Andn';;

% Next-state definition for Phase-A instruction. %

let PH_A_inst_def = new_definition
 ('PH_A_inst',
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
    R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in
    R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out
    R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
    R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin
    R_ctr1_ce R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
    R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
    R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
    R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel
    R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
    R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
  PH_A_inst rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_stateA =
   ((R_fsm_rst) => RI |
   ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
   ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
   ((~R_fsm_last_) => RI | RA)))) in
let new_R_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
let new_R_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
let new_R_cntlatch_delA = R_cntlatch_del in
let new_R_srdy_delA_ = R_srdy_del_ in
let new_R_reg_selA
  = R_reg_sel in
let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
let r_write = (~Disable_writes ∧ R_wr ∧ (new_R_fsm_stateA = RD)) in
let r_read = (~R_wr ∧ (new_R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11)))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
let new_R_ctr0_cin = T in
let new_R_ctr0_outA = R_ctr0_new in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_ce = T in
let new_R_ctr1_cin = R_ctr0_cry in
let new_R_ctr1_outA = R_ctr1_new in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
let new_R_ctr2_cin = T in
let new_R_ctr2_outA = R_ctr2_new in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_ce = T in
let new_R_ctr3_cin = R_ctr2_cry in
let new_R_ctr3_outA = R_ctr3_new in
let new_R_icr_loadA = R_icr_load in
let new_R_icr_oldA =
   (((new_R_fsm_stateA = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) =>
     R_icr | R_icr_oldA) in
let new_R_icrA = ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) |
                  Orn rep (R_icr_old, R_icr_mask)) in
let new_R_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
                     ((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
                     ((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
                     ((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
                     ((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
                     ((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
                     ((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
                     ((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
let new_R_int0_disA = R_int0_dis in
let new_R_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨
                     ((ELEMENT R_icr (17)) ∧ (ELEMENT R_icr (25))) ∨
                     ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨
                     ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) ∨
                     ((ELEMENT R_icr (20)) ∧ (ELEMENT R_icr (28))) ∨
                     ((ELEMENT R_icr (21)) ∧ (ELEMENT R_icr (29))) ∨
                     ((ELEMENT R_icr (22)) ∧ (ELEMENT R_icr (30))) ∨
                     ((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
let new_R_int3_disA = R_int3_dis in
let new_R_c01_cout = R_ctr1_cry in
let new_R_c01_cout_delA = R_c01_cout_del in
let new_R_c23_cout = R_ctr3_cry in
let new_R_c23_cout_delA = R_c23_cout_del in
let new_R_busA_latch = (((R_ctr0_irden) => R_ctr0_in |
                        ((R_ctr0_orden) => R_ctr0_out |
                        ((R_ctr1_irden) => R_ctr1_in |
                        ((R_ctr1_orden) => R_ctr1_out |
                        ((R_ctr2_irden) => R_ctr2_in |
                        ((R_ctr2_orden) => R_ctr2_out |
                        ((R_ctr3_irden) => R_ctr3_in |
                        ((R_ctr3_orden) => R_ctr3_out |
                        ((R_icr_rden) => R_icr |
                        ((R_ccr_rden) => R_ccr |
                        ((R_gcr_rden) => R_gcr |
                        ((R_sr_rden) => R_sr | ARBN))))))))))))) in
let new_R_fsm_state = R_fsm_state in
let new_R_fsm_ale_ = R_fsm_ale_ in
let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
let new_R_fsm_last_ = R_fsm_last_ in
let new_R_fsm_rst = R_fsm_rst in
let new_R_int0_dis = R_int0_dis in
let new_R_int3_dis = R_int3_dis in
let new_R_c01_cout_del = R_c01_cout_del in
let new_R_int1_en = R_int1_en in
let new_R_c23_cout_del = R_c23_cout_del in
let new_R_int2_en = R_int2_en in
let new_R_wr = R_wr in
let new_R_cntlatch_del = R_cntlatch_del in
let new_R_srdy_del_ = R_srdy_del_ in
let new_R_reg_sel = R_reg_sel in
let new_R_ctr0_in = R_ctr0_in in
let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
let new_R_ctr0_irden = R_ctr0_irden in
let new_R_ctr0_cry = R_ctr0_cry in
let new_R_ctr0_new = R_ctr0_new in
let new_R_ctr0_out = R_ctr0_out in
let new_R_ctr0_orden = R_ctr0_orden in
let new_R_ctr1_in = R_ctr1_in in
let
  new_R_ctr1_mux_sel = R_ctr1_mux_sel in
let new_R_ctr1_irden = R_ctr1_irden in
let new_R_ctr1_cry = R_ctr1_cry in
let new_R_ctr1_new = R_ctr1_new in
let new_R_ctr1_out = R_ctr1_out in
let new_R_ctr1_orden = R_ctr1_orden in
let new_R_ctr2_in = R_ctr2_in in
let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
let new_R_ctr2_irden = R_ctr2_irden in
let new_R_ctr2_cry = R_ctr2_cry in
let new_R_ctr2_new = R_ctr2_new in
let new_R_ctr2_out = R_ctr2_out in
let new_R_ctr2_orden = R_ctr2_orden in
let new_R_ctr3_in = R_ctr3_in in
let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
let new_R_ctr3_irden = R_ctr3_irden in
let new_R_ctr3_cry = R_ctr3_cry in
let new_R_ctr3_new = R_ctr3_new in
let new_R_ctr3_out = R_ctr3_out in
let new_R_ctr3_orden = R_ctr3_orden in
let new_R_icr_load = R_icr_load in
let new_R_icr_old = R_icr_old in
let new_R_icr_mask = R_icr_mask in
let new_R_icr = R_icr in
let new_R_icr_rden = R_icr_rden in
let new_R_ccr = R_ccr in
let new_R_ccr_rden = R_ccr_rden in
let new_R_gcr = R_gcr in
let new_R_gcr_rden = R_gcr_rden in
let new_R_sr = R_sr in
let new_R_sr_rden = R_sr_rden in
(new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA,
 new_R_int3_en, new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout,
 new_R_c23_cout_delA, new_R_cntlatch_delA, new_R_srdy_delA_, new_R_reg_selA, new_R_ctr0,
 new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA, new_R_ctr1, new_R_ctr1_ce, new_R_ctr1_cin,
 new_R_ctr1_outA, new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA, new_R_ctr3,
 new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA, new_R_icr_loadA, new_R_icr_oldA, new_R_icrA,
 new_R_busA_latch, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_,
 new_R_fsm_rst, new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en,
 new_R_c23_cout_del, new_R_int2_en, new_R_wr, new_R_cntlatch_del, new_R_srdy_del_,
 new_R_reg_sel, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden, new_R_ctr0_cry,
 new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel,
 new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden,
 new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new,
 new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden,
 new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load,
 new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden, new_R_ccr, new_R_ccr_rden,
 new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
);;

% Output definition for Phase-A instruction. %

let PH_A_out_def = new_definition
 ('PH_A_out',
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
    R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in
    R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out
    R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
    R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin
    R_ctr1_ce R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
    R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
    R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
    R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel
    R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
    R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
  PH_A_out rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_fsm_stateA =
   ((R_fsm_rst) => RI |
   ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
   ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
   ((~R_fsm_last_) => RI | RA)))) in
let new_R_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
let new_R_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
let new_R_cntlatch_delA = R_cntlatch_del in
let new_R_srdy_delA_ = R_srdy_del_ in
let new_R_reg_selA = R_reg_sel in
let r_reg_sel = ((~new_R_srdy_delA_) => (INCN 3 new_R_reg_selA) | new_R_reg_selA) in
let r_write = (~Disable_writes ∧ R_wr ∧ (new_R_fsm_stateA = RD)) in
let r_read = (~R_wr ∧ (new_R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11)))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_ce = (ELEMENT R_gcr (19)) in
let new_R_ctr0_cin = T in
let new_R_ctr0_outA = R_ctr0_new in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_ce = T in
let new_R_ctr1_cin = R_ctr0_cry in
let new_R_ctr1_outA = R_ctr1_new in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_ce = (ELEMENT R_gcr (23)) in
let new_R_ctr2_cin = T in
let new_R_ctr2_outA = R_ctr2_new in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_ce = T in
let new_R_ctr3_cin = R_ctr2_cry in
let new_R_ctr3_outA = R_ctr3_new in
let new_R_icr_loadA = R_icr_load in
let new_R_icr_oldA =
   (((new_R_fsm_stateA = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) =>
     R_icr | R_icr_oldA) in
let new_R_icrA = ((~(r_reg_sel = (WORDN 1))) => Andn rep (R_icr_old, R_icr_mask) |
                  Orn rep (R_icr_old, R_icr_mask)) in
let new_R_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
                     ((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
                     ((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
                     ((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
                     ((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
                     ((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
                     ((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
                     ((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
let new_R_int0_disA = R_int0_dis in
let new_R_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨
                     ((ELEMENT R_icr (17)) ∧ (ELEMENT
                       R_icr (25))) ∨
                     ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨
                     ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) ∨
                     ((ELEMENT R_icr (20)) ∧ (ELEMENT R_icr (28))) ∨
                     ((ELEMENT R_icr (21)) ∧ (ELEMENT R_icr (29))) ∨
                     ((ELEMENT R_icr (22)) ∧ (ELEMENT R_icr (30))) ∨
                     ((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
let new_R_int3_disA = R_int3_dis in
let new_R_c01_cout = R_ctr1_cry in
let new_R_c01_cout_delA = R_c01_cout_del in
let new_R_c23_cout = R_ctr3_cry in
let new_R_c23_cout_delA = R_c23_cout_del in
let new_R_busA_latch = (((R_ctr0_irden) => R_ctr0_in |
                        ((R_ctr0_orden) => R_ctr0_out |
                        ((R_ctr1_irden) => R_ctr1_in |
                        ((R_ctr1_orden) => R_ctr1_out |
                        ((R_ctr2_irden) => R_ctr2_in |
                        ((R_ctr2_orden) => R_ctr2_out |
                        ((R_ctr3_irden) => R_ctr3_in |
                        ((R_ctr3_orden) => R_ctr3_out |
                        ((R_icr_rden) => R_icr |
                        ((R_ccr_rden) => R_ccr |
                        ((R_gcr_rden) => R_gcr |
                        ((R_sr_rden) => R_sr | ARBN))))))))))))) in
let new_R_fsm_state = R_fsm_state in
let new_R_fsm_ale_ = R_fsm_ale_ in
let new_R_fsm_mrdy_ = R_fsm_mrdy_ in
let new_R_fsm_last_ = R_fsm_last_ in
let new_R_fsm_rst = R_fsm_rst in
let new_R_int0_dis = R_int0_dis in
let new_R_int3_dis = R_int3_dis in
let new_R_c01_cout_del = R_c01_cout_del in
let new_R_int1_en = R_int1_en in
let new_R_c23_cout_del = R_c23_cout_del in
let new_R_int2_en = R_int2_en in
let new_R_wr = R_wr in
let new_R_cntlatch_del = R_cntlatch_del in
let new_R_srdy_del_ = R_srdy_del_ in
let new_R_reg_sel = R_reg_sel in
let new_R_ctr0_in = R_ctr0_in in
let new_R_ctr0_mux_sel = R_ctr0_mux_sel in
let new_R_ctr0_irden = R_ctr0_irden in
let new_R_ctr0_cry = R_ctr0_cry in
let new_R_ctr0_new = R_ctr0_new in
let new_R_ctr0_out = R_ctr0_out in
let new_R_ctr0_orden = R_ctr0_orden in
let new_R_ctr1_in = R_ctr1_in in
let new_R_ctr1_mux_sel = R_ctr1_mux_sel in
let new_R_ctr1_irden = R_ctr1_irden in
let new_R_ctr1_cry = R_ctr1_cry in
let new_R_ctr1_new = R_ctr1_new in
let new_R_ctr1_out = R_ctr1_out in
let new_R_ctr1_orden = R_ctr1_orden in
let
  new_R_ctr2_in = R_ctr2_in in
let new_R_ctr2_mux_sel = R_ctr2_mux_sel in
let new_R_ctr2_irden = R_ctr2_irden in
let new_R_ctr2_cry = R_ctr2_cry in
let new_R_ctr2_new = R_ctr2_new in
let new_R_ctr2_out = R_ctr2_out in
let new_R_ctr2_orden = R_ctr2_orden in
let new_R_ctr3_in = R_ctr3_in in
let new_R_ctr3_mux_sel = R_ctr3_mux_sel in
let new_R_ctr3_irden = R_ctr3_irden in
let new_R_ctr3_cry = R_ctr3_cry in
let new_R_ctr3_new = R_ctr3_new in
let new_R_ctr3_out = R_ctr3_out in
let new_R_ctr3_orden = R_ctr3_orden in
let new_R_icr_load = R_icr_load in
let new_R_icr_old = R_icr_old in
let new_R_icr_mask = R_icr_mask in
let new_R_icr = R_icr in
let new_R_icr_rden = R_icr_rden in
let new_R_ccr = R_ccr in
let new_R_ccr_rden = R_ccr_rden in
let new_R_gcr = R_gcr in
let new_R_gcr_rden = R_gcr_rden in
let new_R_sr = R_sr in
let new_R_sr_rden = R_sr_rden in
let I_ad_out = ((~new_R_wr ∧ ((new_R_fsm_stateA = RA) ∨ (new_R_fsm_stateA = RD))) =>
                new_R_busA_latch | ARBN) in
let I_srdy_ = (((new_R_fsm_stateA = RD) ∨ ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_ | ARB) in
let Int0_ = (new_R_int0_en ∧ ~new_R_int0_disA ∧ ~Disable_int) in
let Int1 = (new_R_c01_cout ∧ new_R_int1_en ∧ ~Disable_int) in
let Int2 = (new_R_c23_cout ∧ new_R_int2_en ∧ ~Disable_int) in
let Int3_ = ~(new_R_int3_en ∧ ~new_R_int3_disA ∧ ~Disable_int) in
let Ccr = new_R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
(I_ad_out,
 I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);;

% Next-state definition for Phase-B instruction. %

let PH_B_inst_def = new_definition
 ('PH_B_inst',
  "! (rep:^rep_ty)
   (R_fsm_stateA R_fsm_state :rfsm_ty)
   (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
    R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in
    R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out
    R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr :wordn)
   (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout
    R_c01_cout_delA R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin
    R_ctr1_ce R_ctr1_cin R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_
    R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_int0_dis R_int3_dis R_c01_cout_del R_int1_en
    R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden
    R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel
    R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
    R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
   (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
   (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
    CB_parity MB_parity :bool) .
  PH_B_inst rep
   (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
    R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_,
    R_reg_selA, R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin,
    R_ctr1_outA, R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin,
    R_ctr3_outA, R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch, R_fsm_state, R_fsm_ale_,
    R_fsm_mrdy_, R_fsm_last_, R_fsm_rst, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en,
    R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_ctr0_in,
    R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden, R_ctr1_in,
    R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden, R_ctr2_in,
    R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden, R_ctr3_in,
    R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden, R_icr_load,
    R_icr_old, R_icr_mask, R_icr, R_icr_rden, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr,
    R_sr_rden)
   (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
    Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_srdy_del_ = R_fsm_srdy_ in
let new_R_reg_sel = ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
                    ((R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
let new_R_cntlatch_del = R_fsm_cntlatch in
let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
let r_write = (~Disable_writes ∧ new_R_wr ∧ (R_fsm_stateA = RD)) in
let r_read = (~new_R_wr ∧ (R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11)))) in
let new_R_ccr = ((r_write ∧ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_read ∧ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_write ∧ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_read ∧ (r_reg_sel = (WORDN 2))) in
let new_R_ctr0_in = ((r_write ∧ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01 ∨ ((ELEMENT new_R_gcr (16)) ∧ R_c01_cout)) in
let new_R_ctr0_irden = (r_read ∧ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0_new = ((R_ctr0_ce ∧ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = (R_ctr0_ce ∧ R_ctr0_cin ∧ (ONES 31 R_ctr0)) in
let new_R_ctr0_out = ((R_fsm_cntlatch) => R_ctr0_outA | R_ctr0_out) in
let new_R_ctr0_orden = (r_read ∧ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_write ∧ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01 ∨ ((ELEMENT new_R_gcr (16)) ∧ R_c01_cout)) in
let new_R_ctr1_irden = (r_read ∧ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1_new = ((R_ctr1_ce ∧ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = (R_ctr1_ce ∧ R_ctr1_cin ∧ (ONES 31 R_ctr1)) in
let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
let new_R_ctr1_orden = (r_read ∧ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_write ∧ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = (r_cir_wr23 ∨ ((ELEMENT new_R_gcr (20)) ∧ R_c23_cout)) in
let new_R_ctr2_irden = (r_read ∧ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2_new = ((R_ctr2_ce ∧ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = (R_ctr2_ce ∧ R_ctr2_cin ∧ (ONES 31 R_ctr2)) in
let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
let new_R_ctr2_orden = (r_read ∧ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_write ∧ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = (r_cir_wr23 ∨ ((ELEMENT new_R_gcr (20)) ∧ R_c23_cout)) in
let new_R_ctr3_irden = (r_read ∧ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3_new = ((R_ctr3_ce ∧ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = (R_ctr3_ce ∧ R_ctr3_cin ∧ (ONES 31 R_ctr3)) in
let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
let new_R_ctr3_orden = (r_read ∧ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old = ((r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) =>
                     R_icr_oldA | R_icr_old) in
let new_R_icr_mask = ((r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) =>
                      I_ad_in | R_icr_mask) in
let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
let new_R_icr_rden = ((R_fsm_stateA = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1))))
  in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_read ∧ (r_reg_sel = (WORDN 4))) in
let new_R_int0_dis = R_int0_en in
let new_R_int3_dis = R_int3_en in
let new_R_c01_cout_del = R_c01_cout in
let new_R_c23_cout_del = R_c23_cout in
let new_R_int1_en =
   ((((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
   ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
   ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT
new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB)))\ insulation (ARB)) \land (\sim (ELEMENT\ new\_R\_gcr\ (18)) \lor ((ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_c01\_cout\_del))) => R\_int1\_en \mid ARB))) \land (\sim (ELEMENT\ new\_R\_gcr\ (17)) \land R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB)) \Rightarrow R\_int1\_en \mid ARB)) \Rightarrow R\_int1\_en \mid ARB))) \Rightarrow R\_int1\_en \mid ARB)) \Rightarrow R\_int1\_en \mid ARB)) \Rightarrow R\_int1\_en \mid ARB)) \Rightarrow R\_int1\_en \mid ARB) let new_R_int2_en = ``` ``` ((((ELEMENT\ new_R\_gcr\ (22))\ \land\ (r\_cir\_wr23\ \lor\ (R\_c23\_cout\ \land\ (ELEMENT\ new_R\_gcr\ (20))))) \land \sim (\sim (ELEMENT\ new_R\_gcr\ (22)) \lor ((ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (22)) \lor ((ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land 
R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) => T \lor (\sim (ELEMENT\ new_R\_gcr\ (21)) \land R\_c23\_cout\_del))) ((~(ELEMENT new_R_gcr (22)) \(\lambda\) (r_cir_wr23 \(\nabla\) (R_c23_cout \(\lambda\) (ELEMENT new_R_gcr (20))))) ((~((ELEMENT new_R_gcr (22)) \(\Lambda\) (r_cir_wr23 \(\nabla\) (R_c23_cout \(\Lambda\) (ELEMENT new_R_gcr (20))))) \Lambda \sim (\sim (ELEMENT \text{ new}_R_gcr(22)) \lor ((ELEMENT \text{ new}_R_gcr(21)) \land R_c23\_cout\_del))) \Rightarrow R_int2\_en \mid ARB))) in let new_R_fsm_state = R_fsm_stateA in let new_R_fsm_ale_ = I_rale_ in let new_R_fsm_mrdy_ = I_mrdy_ in let new_R_fsm_last_ = I_last_ in let new_R_fsm_rst = Rst in let new_R_fsm_stateA = R_fsm_stateA in let new_R_fsm_cntlatch = R_fsm_cntlatch in let new_R_fsm_srdy_ = R_fsm_srdy_ in let new_R_intO_en = R_intO_en in 
let new_R_int0_disA = R_int0_disA in
let new_R_int3_en = R_int3_en in
let new_R_int3_disA = R_int3_disA in
let new_R_c01_cout = R_c01_cout in
let new_R_c01_cout_delA = R_c01_cout_delA in
let new_R_c23_cout = R_c23_cout in
let new_R_c23_cout_delA = R_c23_cout_delA in
let new_R_cntlatch_delA = R_cntlatch_delA in
let new_R_srdy_delA_ = R_srdy_delA_ in
let new_R_reg_selA = R_reg_selA in
let new_R_ctr0 = R_ctr0 in
let new_R_ctr0_ce = R_ctr0_ce in
let new_R_ctr0_cin = R_ctr0_cin in
let new_R_ctr0_outA = R_ctr0_outA in
let new_R_ctr1 = R_ctr1 in
let new_R_ctr1_ce = R_ctr1_ce in
let new_R_ctr1_cin = R_ctr1_cin in
let new_R_ctr1_outA = R_ctr1_outA in
let new_R_ctr2 = R_ctr2 in
let new_R_ctr2_ce = R_ctr2_ce in
let new_R_ctr2_cin = R_ctr2_cin in
let new_R_ctr2_outA = R_ctr2_outA in
let new_R_ctr3 = R_ctr3 in
let new_R_ctr3_ce = R_ctr3_ce in
let new_R_ctr3_cin = R_ctr3_cin in
let new_R_ctr3_outA = R_ctr3_outA in
let new_R_icr_loadA = R_icr_loadA in
let new_R_icr_oldA = R_icr_oldA in
let new_R_icrA = R_icrA in
let new_R_busA_latch = R_busA_latch in
(new_R_fsm_stateA, new_R_fsm_cntlatch, new_R_fsm_srdy_, new_R_int0_en, new_R_int0_disA, new_R_int3_en,
 new_R_int3_disA, new_R_c01_cout, new_R_c01_cout_delA, new_R_c23_cout, new_R_c23_cout_delA,
 new_R_cntlatch_delA, new_R_srdy_delA_, new_R_reg_selA,
 new_R_ctr0, new_R_ctr0_ce, new_R_ctr0_cin, new_R_ctr0_outA,
 new_R_ctr1, new_R_ctr1_ce, new_R_ctr1_cin, new_R_ctr1_outA,
 new_R_ctr2, new_R_ctr2_ce, new_R_ctr2_cin, new_R_ctr2_outA,
 new_R_ctr3, new_R_ctr3_ce, new_R_ctr3_cin, new_R_ctr3_outA,
 new_R_icr_loadA, new_R_icr_oldA, new_R_icrA, new_R_busA_latch,
 new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst,
 new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
 new_R_wr, new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel,
 new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0_irden, new_R_ctr0_cry, new_R_ctr0_new, new_R_ctr0_out, new_R_ctr0_orden,
 new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1_irden, new_R_ctr1_cry, new_R_ctr1_new, new_R_ctr1_out, new_R_ctr1_orden,
 new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2_irden, new_R_ctr2_cry, new_R_ctr2_new, new_R_ctr2_out, new_R_ctr2_orden,
 new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3_irden, new_R_ctr3_cry, new_R_ctr3_new, new_R_ctr3_out, new_R_ctr3_orden,
 new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr, new_R_icr_rden,
 new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden)"
);;

Output definition for Phase-B instruction.

let PH_B_out_def = new_definition
  ('PH_B_out',
   "! (rep:^rep_ty)
    (R_fsm_stateA R_fsm_state :rfsm_ty)
    (R_reg_selA R_ctr0 R_ctr0_outA R_ctr1 R_ctr1_outA R_ctr2 R_ctr2_outA R_ctr3 R_ctr3_outA
     R_icr_oldA R_icrA R_busA_latch R_reg_sel R_ctr0_in R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1_new
     R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask
     R_icr R_ccr R_gcr R_sr :wordn)
    (R_fsm_cntlatch R_fsm_srdy_ R_int0_en R_int0_disA R_int3_en R_int3_disA R_c01_cout R_c01_cout_delA
     R_c23_cout R_c23_cout_delA R_cntlatch_delA R_srdy_delA_ R_ctr0_ce R_ctr0_cin R_ctr1_ce R_ctr1_cin
     R_ctr2_ce R_ctr2_cin R_ctr3_ce R_ctr3_cin R_icr_loadA R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
     R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del
     R_srdy_del_ R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden
     R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel
     R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden :bool)
    (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
    (ClkA ClkB Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
     CB_parity MB_parity :bool) .
    PH_B_out rep
     (R_fsm_stateA, R_fsm_cntlatch, R_fsm_srdy_, R_int0_en, R_int0_disA, R_int3_en, R_int3_disA,
      R_c01_cout, R_c01_cout_delA, R_c23_cout, R_c23_cout_delA, R_cntlatch_delA, R_srdy_delA_, R_reg_selA,
      R_ctr0, R_ctr0_ce, R_ctr0_cin, R_ctr0_outA, R_ctr1, R_ctr1_ce, R_ctr1_cin, R_ctr1_outA,
      R_ctr2, R_ctr2_ce, R_ctr2_cin, R_ctr2_outA, R_ctr3, R_ctr3_ce, R_ctr3_cin, R_ctr3_outA,
      R_icr_loadA, R_icr_oldA, R_icrA, R_busA_latch,
      R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
      R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
      R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel,
      R_ctr0_in, R_ctr0_mux_sel, R_ctr0_irden, R_ctr0_cry, R_ctr0_new, R_ctr0_out, R_ctr0_orden,
      R_ctr1_in, R_ctr1_mux_sel, R_ctr1_irden, R_ctr1_cry, R_ctr1_new, R_ctr1_out, R_ctr1_orden,
      R_ctr2_in, R_ctr2_mux_sel, R_ctr2_irden, R_ctr2_cry, R_ctr2_new, R_ctr2_out, R_ctr2_orden,
      R_ctr3_in, R_ctr3_mux_sel, R_ctr3_irden, R_ctr3_cry, R_ctr3_new, R_ctr3_out, R_ctr3_orden,
      R_icr_load, R_icr_old, R_icr_mask, R_icr, R_icr_rden,
      R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden)
     (ClkA, ClkB, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
      Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
let new_R_srdy_del_ = R_fsm_srdy_ in
let new_R_reg_sel = ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
                    ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA)) in
let new_R_cntlatch_del = R_fsm_cntlatch in
let r_reg_sel = ((~R_srdy_delA_) => (INCN 3 R_reg_selA) | R_reg_selA) in
let r_write = (~Disable_writes ∧ new_R_wr ∧ (R_fsm_stateA = RD)) in
let r_read = (~new_R_wr ∧ (R_fsm_stateA = RA)) in
let r_cir_wr01 = (r_write ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9)))) in
let r_cir_wr23 = (r_write ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11)))) in
let new_R_ccr = ((r_write ∧ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
let new_R_ccr_rden = (r_read ∧ (r_reg_sel = (WORDN 3))) in
let new_R_gcr = ((r_write ∧ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
let new_R_gcr_rden = (r_read ∧ (r_reg_sel = (WORDN 2))) in
let new_R_ctr0_in = ((r_write ∧ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01 ∨ ((ELEMENT new_R_gcr (16)) ∧ R_c01_cout)) in
let new_R_ctr0_irden = (r_read ∧ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0_new = ((R_ctr0_ce ∧ R_ctr0_cin) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = (R_ctr0_ce ∧ R_ctr0_cin ∧ (ONES 31 R_ctr0)) in
let new_R_ctr0_out = ((R_fsm_cntlatch) => R_ctr0_outA | R_ctr0_out) in
let new_R_ctr0_orden = (r_read ∧ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_write ∧ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01 ∨ ((ELEMENT new_R_gcr (16)) ∧ R_c01_cout)) in
let new_R_ctr1_irden = (r_read ∧ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1_new = ((R_ctr1_ce ∧ R_ctr1_cin) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = (R_ctr1_ce ∧ R_ctr1_cin ∧ (ONES 31 R_ctr1)) in
let new_R_ctr1_out = ((R_cntlatch_delA) => R_ctr1_outA | R_ctr1_out) in
let new_R_ctr1_orden = (r_read ∧ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_write ∧ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
let new_R_ctr2_mux_sel = (r_cir_wr23 ∨ ((ELEMENT new_R_gcr (20)) ∧ R_c23_cout)) in
let new_R_ctr2_irden = (r_read ∧ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2_new = ((R_ctr2_ce ∧ R_ctr2_cin) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = (R_ctr2_ce ∧ R_ctr2_cin ∧ (ONES 31 R_ctr2)) in
let new_R_ctr2_out = ((R_fsm_cntlatch) => R_ctr2_outA | R_ctr2_out) in
let new_R_ctr2_orden = (r_read ∧ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_write ∧ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
let new_R_ctr3_mux_sel = (r_cir_wr23 ∨ ((ELEMENT new_R_gcr (20)) ∧ R_c23_cout)) in
let new_R_ctr3_irden = (r_read ∧ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3_new = ((R_ctr3_ce ∧ R_ctr3_cin) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = (R_ctr3_ce ∧ R_ctr3_cin ∧ (ONES 31 R_ctr3)) in
let new_R_ctr3_out = ((R_cntlatch_delA) => R_ctr3_outA | R_ctr3_out) in
let new_R_ctr3_orden = (r_read ∧ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old = ((r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => R_icr_oldA | R_icr_old) in
let new_R_icr_mask = ((r_write ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
let new_R_icr = ((R_icr_loadA) => R_icrA | R_icr) in
let new_R_icr_rden = ((R_fsm_stateA = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let sr28 = (ALTER ARBN (28) MB_parity) in
let sr28_25 = (MALTER sr28 (27,25) C_ss) in
let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
let new_R_sr = ((R_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_read ∧ (r_reg_sel = (WORDN 4))) in
let new_R_int0_dis = R_int0_en in
let new_R_int3_dis = R_int3_en in
let new_R_c01_cout_del = R_c01_cout in
let new_R_c23_cout_del = R_c23_cout in
let new_R_int1_en =
  ((((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01 ∨ (R_c01_cout ∧ (ELEMENT new_R_gcr (16))))) ∧
     ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_int2_en =
  ((((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23 ∨ (R_c23_cout ∧ (ELEMENT new_R_gcr (20))))) ∧
     ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => T |
  ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23 ∨ (R_c23_cout ∧ (ELEMENT new_R_gcr (20))))) ∧
     (~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
  ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23 ∨ (R_c23_cout ∧ (ELEMENT new_R_gcr (20))))) ∧
     ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_fsm_state = R_fsm_stateA in
let new_R_fsm_ale_ = I_rale_ in
let new_R_fsm_mrdy_ = I_mrdy_ in
let new_R_fsm_last_ = I_last_ in
let new_R_fsm_rst = Rst in
let new_R_fsm_stateA = R_fsm_stateA in
let new_R_fsm_cntlatch = R_fsm_cntlatch in
let new_R_fsm_srdy_ = R_fsm_srdy_ in
let new_R_int0_en = R_int0_en in
let new_R_int0_disA = R_int0_disA in
let new_R_int3_en = R_int3_en in
let new_R_int3_disA = R_int3_disA in
let new_R_c01_cout = R_c01_cout in
let new_R_c01_cout_delA = R_c01_cout_delA in
let new_R_c23_cout = R_c23_cout in
let new_R_c23_cout_delA = R_c23_cout_delA in
let new_R_cntlatch_delA = R_cntlatch_delA in
let new_R_srdy_delA_ = R_srdy_delA_ in
let new_R_reg_selA = R_reg_selA in
let new_R_ctr0 = R_ctr0 in
let new_R_ctr0_ce = R_ctr0_ce in
let new_R_ctr0_cin = R_ctr0_cin in
let new_R_ctr0_outA = R_ctr0_outA in
let new_R_ctr1 = R_ctr1 in
let new_R_ctr1_ce = R_ctr1_ce in
let new_R_ctr1_cin = R_ctr1_cin in
let new_R_ctr1_outA = R_ctr1_outA in
let new_R_ctr2 = R_ctr2 in
let new_R_ctr2_ce = R_ctr2_ce in
let new_R_ctr2_cin = R_ctr2_cin in
let new_R_ctr2_outA = R_ctr2_outA in
let new_R_ctr3 = R_ctr3 in
let new_R_ctr3_ce = R_ctr3_ce in
let new_R_ctr3_cin = R_ctr3_cin in
let new_R_ctr3_outA = R_ctr3_outA in
let new_R_icr_loadA = R_icr_loadA in
let new_R_icr_oldA = R_icr_oldA in
let new_R_icrA = R_icrA in
let new_R_busA_latch = R_busA_latch in
let I_ad_out = ((~new_R_wr ∧ ((new_R_fsm_stateA = RA) ∨ (new_R_fsm_stateA = RD))) => new_R_busA_latch | ARBN) in
let I_srdy_ = (((new_R_fsm_stateA = RD) ∨ ((new_R_fsm_stateA = RA))) => new_R_fsm_srdy_ | ARB) in
let Int0_ = ~(new_R_int0_en ∧ ~new_R_int0_disA ∧ ~Disable_int) in
let Int1 = (new_R_c01_cout ∧ new_R_int1_en ∧ ~Disable_int) in
let Int2 = (new_R_c23_cout ∧ new_R_int2_en ∧ ~Disable_int) in
let Int3_ = ~(new_R_int3_en ∧ ~new_R_int3_disA ∧ ~Disable_int) in
let Ccr = new_R_ccr in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_error = (ELEMENT new_R_gcr (24)) in
let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
(I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
);;

close_theory();;
```

## C.4 C Port Specification

```
File:    c_phase.ml
Author:  (c) D.A. Fura 1992
Date:    31 March 1992

This file contains the ml source for the phase-level specification of the C-Port of the
FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology
Center. The bulk of this code was translated from an M-language simulation program using
a translator written by P.J. Windley at the University of Idaho.

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm c_phase.th';;
new_theory 'c_phase';;
loadf 'abstract';;
map new_parent ['caux_def';'aux_def';'array_def';'wordn_def'];;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

wordn#bool#bool#bool#bool#
cefsm_ty#bool#
csfsm_ty#bool#bool#bool#bool#bool#wordn#
cefsm_ty#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#wordn)";;

let c_state =
 "((C_mfsm_stateA,C_mfsm_mabort,C_mfsm_midle,C_mfsm_mrequest,C_mfsm_ma3,C_mfsm_ma2,C_mfsm_ma1,
    C_mfsm_ma0,C_mfsm_md1,C_mfsm_md0,C_mfsm_iad_en_m,C_mfsm_m_cout_sel1,C_mfsm_m_cout_sel0,
    C_mfsm_ms,C_mfsm_rqt_,C_mfsm_cgnt_,C_mfsm_cm_en,C_mfsm_abort_le_en_,C_mfsm_mparity,
    C_sfsm_stateA,C_sfsm_ss,C_sfsm_iad_en_s,C_sfsm_sidle,C_sfsm_slock,C_sfsm_sa1,C_sfsm_sa0,
    C_sfsm_sale,C_sfsm_sd1,C_sfsm_sd0,C_sfsm_sack,C_sfsm_sabort,C_sfsm_s_cout_sel0,C_sfsm_sparity,
    C_efsm_stateA,C_efsm_srdy_en,
    C_clkAA,C_sidle_delA,C_mrqt_delA,C_last_inA_,C_ssA,C_holdA_,C_cout_0_le_delA,
    C_cin_2_leA,C_mrdy_delA_,C_iad_en_s_delA,C_wrdyA,C_rrdyA,C_iad_out,C_a1a0,C_a3a2,
    C_mfsm_state,C_mfsm_srdy_en,C_mfsm_D,C_mfsm_grant,C_mfsm_rst,C_mfsm_busy,C_mfsm_write,
    C_mfsm_crqt_,C_mfsm_hold_,C_mfsm_last_,C_mfsm_lock_,C_mfsm_ss,C_mfsm_invalid,
    C_sfsm_state,C_sfsm_D,C_sfsm_grant,C_sfsm_rst,C_sfsm_write,C_sfsm_addressed,C_sfsm_hlda_,C_sfsm_ms,
    C_efsm_state,C_efsm_cale_,C_efsm_last_,C_efsm_male_,C_efsm_rale_,C_efsm_srdy_,C_efsm_rst,
    C_wr,C_sizewrbe,C_clkA,C_sidle_del,C_mrqt_del,C_last_in_,C_lock_in_,C_ss,C_last_out_,
    C_hold_,C_cout_0_le_del,C_cin_2_le,C_mrdy_del_,C_iad_en_s_del,C_wrdy,
    C_rrdy,C_parity,C_source,C_data_in,C_iad_in)
   :^c_state_ty)";;

let c_env =
 "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_,
    I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID,
    Pmm_failure, Piu_invalid, Ccr, Reset_error)
   :^c_env_ty)";;

let c_out_ty = ":(bool#bool#bool#bool#bool#bool#wordn#wordn#
                  bool#wordn#wordn#wordn#bool#bool)";;

let c_out =
 "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out,
    I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)
   :^c_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;

Next-state definition for Phase-A instruction.

let PH_A_inst_def = new_definition
  ('PH_A_inst',
   "! (rep:^rep_ty)
    (C_mfsm_stateA C_mfsm_state :cmfsm_ty)
    (C_sfsm_stateA C_sfsm_state :csfsm_ty)
    (C_efsm_stateA C_efsm_state :cefsm_ty)
    (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss
     C_source C_data_in C_iad_in :wordn)
    (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1 C_mfsm_ma0
     C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0
     C_mfsm_rqt_ C_mfsm_cgnt_ C_mfsm_cm_en C_mfsm_abort_le_en_ C_mfsm_mparity
     C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd1
     C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity
     C_efsm_srdy_en
     C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA C_cin_2_leA
     C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA
     C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write
     C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_last_ C_mfsm_lock_ C_mfsm_invalid
     C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_
     C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
     C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_ C_hold_
     C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy C_rrdy C_parity :bool)
    (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
     Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool)
    (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
    (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_
     Disable_writes CB_parity :bool) .
    PH_A_inst rep
     (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2,
      C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1,
      C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_,
      C_mfsm_mparity,
      C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0,
      C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity,
      C_efsm_stateA, C_efsm_srdy_en,
      C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA,
      C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2,
      C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write,
      C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid,
      C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms,
      C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
      C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_,
      C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy,
      C_rrdy, C_parity, C_source, C_data_in, C_iad_in)
     (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_,
      I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID,
      Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_mfsm_stateA =
  ((C_mfsm_rst) => CMI |
  ((C_mfsm_state = CMI) =>
     (C_mfsm_D ∧ ~C_mfsm_crqt_ ∧ ~C_mfsm_busy ∧ ~C_mfsm_invalid) => CMR | CMI |
  ((C_mfsm_state = CMR) =>
     (C_mfsm_D ∧ C_mfsm_grant ∧ C_mfsm_hold_) => CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA2 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ C_mfsm_last_) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_mfsm_last_) => CMW |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SACK) ∧ C_mfsm_lock_) => CMI |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_mfsm_lock_ ∧ ~C_mfsm_crqt_) => CMA3 | CMW |

let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in
let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in
let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in
let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in
let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in
let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in
let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in
let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in
let new_C_mfsm_iad_en_m = (((new_C_mfsm_stateA = CMD1) ∧ ~C_mfsm_write ∧ C_mfsm_srdy_en) ∨
                           ((new_C_mfsm_stateA = CMD0) ∧ ~C_mfsm_write ∧ C_mfsm_srdy_en)
                           ∨ ((new_C_mfsm_state = CMD0) ∧ ~C_mfsm_write) ∧ C_mfsm_srdy_en) in
let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) ∨ (new_C_mfsm_stateA = CMA2)) in
let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) ∨ (new_C_mfsm_stateA = CMA1) ∨
                              (new_C_mfsm_stateA = CMD1)) in
let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) ∨ (new_C_mfsm_stateA = CMA1) ∨
                           (new_C_mfsm_stateA = CMA0) ∨ (new_C_mfsm_stateA = CMA2) ∨
                           (new_C_mfsm_stateA = CMD1) ∨ (new_C_mfsm_stateA = CMD0) ∨
                           (new_C_mfsm_stateA = CMW) ∨ (new_C_mfsm_stateA = CMABT))) in
let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) ∨ (new_C_mfsm_stateA = CMA0) ∨
                          (new_C_mfsm_stateA = CMA2) ∨ (new_C_mfsm_stateA = CMD1) ∨
                          ((new_C_mfsm_stateA = CMD0) ∧ C_mfsm_last_) ∨ (new_C_mfsm_stateA = CMW) ∨
                          (new_C_mfsm_stateA = CMABT))) in
let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) ∧ ~C_mfsm_last_) ∨
                          ((new_C_mfsm_stateA = CMW) ∧ C_mfsm_lock_) ∨
                          (new_C_mfsm_stateA = CMABT))) in
let new_C_mfsm_ms = ms0 in
let new_C_mfsm_rqt_ = ~(~(new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_cgnt_ = ~(new_C_mfsm_stateA = CMA3) in
let new_C_mfsm_cm_en = ((~(new_C_mfsm_stateA = CMI)) ∧ (~(new_C_mfsm_stateA = CMR))) in
let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) ∨ (new_C_mfsm_stateA = CMI)) in
let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) ∨ (new_C_mfsm_stateA = CMA1) ∨
                          (new_C_mfsm_stateA = CMA0) ∨ (new_C_mfsm_stateA = CMA2) ∨
                          (new_C_mfsm_stateA = CMD1) ∨ (new_C_mfsm_stateA = CMD0) ∨
                          (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨
                          (C_mfsm_state = CMA2) ∨ (C_mfsm_state = CMD1)) in
let new_C_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
  (C_sfsm_state = CSI) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant ∧ C_sfsm_addressed) => CSA1 | CSI) |
  (C_sfsm_state = CSL) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant ∧ C_sfsm_addressed) => CSA1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~C_sfsm_grant ∧ ~C_sfsm_addressed) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
  (C_sfsm_state = CSA1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
  (C_sfsm_state = CSA0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
  (C_sfsm_state = CSA0W) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
  (C_sfsm_state = CSALE) =>
     ((C_sfsm_D ∧ C_sfsm_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ ~C_sfsm_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
  (C_sfsm_state = CSRR) =>
     ((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
  (C_sfsm_state = CSD1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
  (C_sfsm_state = CSD0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
  (C_sfsm_state = CSACK) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
  (C_sfsm_D) => CSI | CSABT) in
let ss2 = (ALTER ARBN (2) ((~(new_C_sfsm_stateA = CSI)) ∧ (~(new_C_sfsm_stateA = CSABT)))) in
let ss1 = (ALTER ss2 (1) ((~(new_C_sfsm_stateA = CSI)) ∧ (~(new_C_sfsm_stateA = CSACK)) ∧
                          (~(new_C_sfsm_stateA = CSABT)))) in
let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSA0W) ∨
                          ((new_C_sfsm_stateA = CSALE) ∧ ~C_sfsm_write) ∨
                          (new_C_sfsm_stateA = CSACK))) in
let new_C_sfsm_ss = ss0 in
let new_C_sfsm_iad_en_s = (((new_C_sfsm_stateA = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
                           ((new_C_sfsm_stateA = CSALE) ∧ C_sfsm_write) ∨
                           ((new_C_sfsm_stateA = CSD1) ∧
C_{\text{sfsm write}} \land (\sim(C_{\text{sfsm state}} = \text{CSRR}))) V ((new_C_sfsm_stateA = CSD0) \land C_sfsm_write) V((new_C_sfsm_stateA = CSACK) \land C_sfsm_write)) in let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in let new_C_sfsm_sparity = ((\sim(\text{new}_C_sfsm_stateA = CSI)) \land (\sim(\text{new}_C_sfsm_stateA = CSACK)) \land (\sim (\text{new}_C_sfsm_stateA = CSABT))) in let new_C_efsm_stateA = ((C_efsm_rst) => CEI \mid (C_efsm_state = CEI) => ((\sim C_efsm_cale_) => CEE \mid CEI) \mid ((~C_efsm_last_ \( \lambda \cdot C_efsm_srdy_ \) \( \lambda \cdot C_efsm_male_ \) \( \lambda \cdot C_efsm_rale_ \) \( = \cdot CEI \) \( \text{CEE} \) \( \text{in} \) let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) V (C_efsm_state = CEE)) in let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 V new_C_sfsm_sd0) => new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in ``` ``` let cout_sel1 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 V new_C_sfsm_sd0) => F I new_C_mfsm_m_cout_sel1)) in let c_cout_sel = cout_sel1 in let c_busy = (\sim((SUBARRAY CB_rqt_in_(3,1)) = (WORDN 7))) in let c_{grant} = ((((SUBARRAY Id (1,0)) = (WORDN 0)) \land \sim (ELEMENT CB_rqt_in_(0))) \lor (((SUBARRAY Id (1,0)) = (WORDN 1)) \land \sim (ELEMENT CB_rqt_in_(0)) \land (ELEMENT CB_rqt_in_(1))) \lor (((SUBARRAY\ Id\ (1,0)) = (WORDN\ 2)) \land \neg (ELEMENT\ CB\_rqt\_in\_\ (0)) \land (ELEMENT\ CB\_rqt\_in\_\ (1)) A (ELEMENT CB_rqt_in_ (2))) \lor (((SUBARRAY\ Id\ (1,0)) = (WORDN\ 3)) \land \neg (ELEMENT\ CB\_rqt\_in\_\ (0)) \land 
(ELEMENT\ CB\_rqt\_in\_\ (1)) ) ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in let new C_clkAA = C_clkA in let new_C_sidle_delA = C_sidle_del in let new_C_mrqt_delA = C_mrqt_del in let c_dfsm_srdy = (CB_ss_in = ^SRDY) in let c_dfsm_master = (new_C_mfsm_ma3 V new_C_mfsm_ma2 V new_C_mfsm_ma1 V new_C_mfsm_ma0 V new_C_mfsm_md1 V new_C_mfsm_md0) in let c_dfsm_slave = (-new_C_sfsm_sidle \land -new_C_sfsm_slock) in let c_dfsm_cin_0_le = (ClkD \land ((new_C_mfsm_md0 \land c_dfsm_srdy \land \neg c_write) \lor a_{location} \land c_{location} c_{ (new_C_sfsm_sa0) V (new_C_sfsm_sd0 \land c_write))) in let c_dfsm_cin_1_le = (ClkD \land ((new_C_mfsm_md1 \land c_dfsm_srdy \land \neg c_write) \lor ((new_C_mfsm_md1 \land c_dfsm_srdy \land \neg c_write) \lor ((new_C_mfsm_md1 \land c_dfsm_srdy \land \neg c_write)) (new_C_sfsm_sal) V (new_C_sfsm_sdl \(\Lambda\) c_write))) in let c_dfsm_cin_3_le = (ClkD \land (new_C_sfsm_sidle \lor new_C_sfsm_slock)) in let c_dfsm_cin_4_le = (new_C_clkAA \land new_C_sfsm_sa0) in let c_dfsm_cout_0_le = ((I_cale_) \lor (I_srdy_in_ \land \sim c_write) V (new_C_mfsm_ma0 \land c_dfsm_srdy \land c_write \land ClkD) V (\text{new\_C\_mfsm\_md0} \land \text{c\_write} \land \text{c\_dfsm\_srdy} \land \text{ClkD})) \text{ in} let c_dfsm_cout_1_le = (new_C_clkAA \land new_C_sfsm_sd1) in let c_dfsm_cad_en = \sim ((new_C_mfsm_ma3) \ V \ (new_C_mfsm_ma1) \ V \ (new_C_mfsm_ma0) \label{lem:c_mfsm_ma2} $$V (new_C_mfsm_md1 \ V \ new_C_mfsm_md0))$$ V (~c_write \( \text{(new_C_sfsm_sd1 \( \text{new_C_sfsm_sd0} \)))} \) in let \ c\_dfsm\_i\_male\_ = \sim (new\_C\_sfsm\_sale \land (\sim ((SUBARRAY\ C\_sizewrbe\ (1,0)) = (WORDN\ 3))) \land new\_C\_clkAA) \ in let c_dfsm_i_rale_ = \sim (new_C_sfsm_sale \land ((SUBARRAY\ C_sizewrbe\ (1,0)) = (WORDN\ 3)) \land new_C_clkAA) \ in let c_dfsm_i_mrdy_= \sim ((\sim c_write \land ClkD \land (new_C_sfsm_sale \lor new_C_sfsm_sd1)) \lor (\sim c\_write 
\land new\_C\_clkAA \land new\_C\_sfsm\_sack) \lor (c_write \land ClkD \land new_C_sfsm_sd0)) in let new_C_last_inA_ = I_last_in_ in let new_C_ssA = CB_ss_in in let new_C_holdA_ = ((ClkD) => C_hold_l C_holdA_) in let new C cout_0_le_delA = C_cout_0_le_del in let new_C_cin_2_leA = C_cin_2_le in let new_C_mrdy_delA_ = C_mrdy_del_ in let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in let new_C_wrdyA = C_wrdy in let new_C_rrdyA = C_rrdy in let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in let new_C_ala0 = (((c\_dfsm\_master \land new\_C\_cout\_0\_le\_delA) \lor (\neg c\_dfsm\_master \land c\_dfsm\_cout\_1\_le)) \Rightarrow C\_iad\_in \mid C\_a1a0) in A c\_dfsm\_master \land c\_dfsm\_cout\_1\_le)) \Rightarrow C\_iad\_in \mid C\_a1a0) in A c\_dfsm\_master \land c\_dfsm\_cout\_1\_le)) \Rightarrow C\_iad\_in \mid C\_a1a0) in A c\_dfsm\_cout\_1\_le) let new_C_a3a2 = ((new_C_mfsm_mrequest) => Ccr | C_a3a2) in let new_C_mfsm_state = C_mfsm_state in let new_C_mfsm_srdy_en = C_mfsm_srdy_en in let new_C_mfsm_D = C_mfsm_D in let new_C_mfsm_grant = C_mfsm_grant in let new_C_mfsm_rst = C_mfsm_rst in let new_C_mfsm_busy = C_mfsm_busy in ``` ``` let new_C_mfsm_write = C_mfsm_write in let new_C_mfsm_crqt_ = C_mfsm_crqt_ in let new_C_mfsm_hold_ = C_mfsm_hold_ in let new_C_mfsm_last_ = C_mfsm_last_ in let new_C_mfsm_lock_ = C_mfsm_lock_ in let new C mfsm_ss = C_mfsm_ss in let new_C_mfsm_invalid = C_mfsm_invalid in let new_C_sfsm_state = C_sfsm_state in let new_C_sfsm_D = C_sfsm_D in let new_C_sfsm_grant = C_sfsm_grant in let new_C_sfsm_rst = C_sfsm_rst in let new_C_sfsm_write = C_sfsm_write in let new_C_sfsm_addressed = C_sfsm_addressed in let new_C_sfsm_hlda_ = C_sfsm_hlda_ in let new C_sfsm_ms = C_sfsm_ms in let new_C_efsm_state = C_efsm_state in let new_C_efsm_cale_ = C_efsm_cale_ in let new_C_efsm_last_ = C_efsm_last_ in let new_C_efsm_male_ = C_efsm_male_ in let new_C_efsm_rale_ = C_efsm_rale_ in let new_C_efsm_srdy_ = C_efsm_srdy_ in let 
new_C_efsm_rst = C_efsm_rst in let new_C_wr = C_wr in let new_C_sizewrbe = C_sizewrbe in let new_C_clkA = C_clkA in let new_C_sidle_del = C_sidle_del in let new_C_mrqt_del = C_mrqt_del in let new_C_last_in_ = C_last_in_ in let new_C_lock_in_ = C_lock_in_ in let new_C_ss = C_ss in let new_C_last_out_ = C_last_out_ in let new_C_hold_ = C_hold_ in let new_C_cout_0_le_del = C_cout_0_le_del in let new_C_cin_2_le = C_cin_2_le in let new_C_mrdy_del_ = C_mrdy_del_ in let new_C_iad_en_s_del = C_iad_en_s_del in let new_C_wrdy = C_wrdy in let new_C_rrdy = C_rrdy in let new_C_parity = C_parity in let new_C_source = C_source in let new_C_data_in = C_data_in in let new_C_iad_in = C_iad_in in (new\_C\_mfsm\_stateA, new\_C\_mfsm\_mabort, new\_C\_mfsm\_midle, new\_C\_mfsm\_mrequest, new\_C\_mfsm\_ma3, new\_C\_mfsm\_mabort, new\_C\_mfsm\_midle, new\_C\_mfsm\_mrequest, new\_ new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0, new_C_mfsm_iad_en_m, new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_, new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss, new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sa1, new_C_sfsm_sa0, new_C_sfsm_sale, new_C_sfsm_sd1, new_C_sfsm_sd0, new_C_sfsm_sack, new_C_sfsm_sabort, new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA, new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_, new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA, ``` new\_C\_iad\_out, new\_C\_a1a0, new\_C\_a3a2, new\_C\_mfsm\_state, new\_C\_mfsm\_srdy\_en, new\_C\_mfsm\_D, ``` new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_, new_C_mfsm_hold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write, 
new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_, new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_, new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)" );; Output definition for Phase-A instruction. let PH_A_out_def = new_definition ('PH A out', "! (rep:^rep_ty) (C_mfsm_state A C_mfsm_state :cmfsm_ty) (C_sfsm_stateA C_sfsm_state :csfsm_ty) (C_efsm_stateA C_efsm_state :cefsm_ty) (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_ala0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_in :wordn) (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0 C_mfsm_rqt_C_mfsm_cgnt_C_mfsm_cm_en C_mfsm_abort_le_en_C_mfsm_mparity C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity C_efsm_srdy_en C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write C_mfsm_crqt_C_mfsm_hold_C_mfsm_last_C_mfsm_lock_C_mfsm_invalid C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_ C_efsm_cale_C_efsm_last_C_efsm_male_C_efsm_rale_C_efsm_srdy_C_efsm_rst C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy C_rrdy C_parity :bool) (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_ Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool) (I_ad in I_be_in_CB_rqt_in_CB_ad_in CB_ms_in 
CB_ss_in Id ChannelID Ccr :wordn) (I_cgnt_ I_mrdy_out_ I_hold_ I_rale_out_ I_male_out_ I_last_out_ I_srdy_out_ CB_rqt_out_ Disable_writes CB_parity:bool). PH_A_out rep (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2, C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sell, C_mfsm_m_cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sal, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_a1a0, C_a3a2, C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_, C_mfsm_bold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms, ``` ``` C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_in) (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) = let new_C_mfsm_stateA = ((C_mfsm_rst) => CMI ((C\_mfsm\_state = CMI) \Rightarrow (C\_mfsm\_D \land \neg C\_mfsm\_crqt\_ \land \neg C\_mfsm\_busy \land \neg C\_mfsm\_invalid) \Rightarrow CMR \mid CMI ((C\_mfsm\_state = CMR) => (C\_mfsm\_D \land C\_mfsm\_grant \land C\_mfsm\_hold\_) => CMA3 \mid CMR ((C_mfsm_state = 
CMA3) => ((C_mfsm_D) => CMA1 \mid CMA3) \mid ((C_mfsm_state = CMA1) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) => CMA0 \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMA1 \mid ((C_mfsm_state = CMA0) => (C_mfsm_D \land (C_mfsm_ss = \land SRDY)) => CMA2 \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMA0 \mid ((C_mfsm_state = CMA2) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) \Rightarrow CMD1 \mid (C_mfsm_D \land (C_mfsm_ss = \land SABORT)) => CMABT \mid CMA2 \mid ((C_mfsm_state = CMD1) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) => CMD0 (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMD1 \mid ((C_mfsm_state = CMD0) => (C_mfsm_D \land (C_mfsm_ss = \land SRDY) \land C_mfsm_last_) => CMD1 \mid (C_mfsm_D \land (C_mfsm_ss = ^SRDY) \land ~C_mfsm_last_) => CMW \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMD0 \mid ((C_mfsm_state = CMW) => (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid (C_mfsm_D \land (C_mfsm_ss = ^SACK) \land C_mfsm_lock_) \Rightarrow CMI (C_mfsm_D \land (C_mfsm_ss = ^SRDY) \land ~C_mfsm_lock_ \land ~C_mfsm_crqt_) => CMA3 \mid CMW \mid CMS C let new_C_mfsm_mabort = (new_C_mfsm_stateA = CMABT) in let new_C_mfsm_midle = (new_C_mfsm_stateA = CMI) in let new_C_mfsm_mrequest = (new_C_mfsm_stateA = CMR) in let new_C_mfsm_ma3 = (new_C_mfsm_stateA = CMA3) in let new_C_mfsm_ma2 = (new_C_mfsm_stateA = CMA2) in let new_C_mfsm_ma1 = (new_C_mfsm_stateA = CMA1) in let new_C_mfsm_ma0 = (new_C_mfsm_stateA = CMA0) in let new_C_mfsm_md1 = (new_C_mfsm_stateA = CMD1) in let new_C_mfsm_md0 = (new_C_mfsm_stateA = CMD0) in let \ new\_C\_mfsm\_iad\_en\_m = (((new\_C\_mfsm\_stateA = CMD1) \land \neg C\_mfsm\_write \land C\_mfsm\_srdy\_en) V ((new_C_mfsm_stateA = CMD0) \land \sim C_mfsm_write \land C_mfsm_srdy_en) \label{eq:continuous} \mbox{$V$ ((new_C_mfsm_state = CMD0) $$ $\Lambda$ $$ $$-C_mfsm_write $$ $\Lambda$ $C_mfsm_s$ and $$ $$ $$ $$ $$ $$ $$ srdy_en)) in let new_C_mfsm_m_cout_sel1 = ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = 
CMA2)) in let new_C_mfsm_m_cout_sel0 = ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = CMA1) V (new_C_mfsm_- stateA = CMD1)) in let ms2 = (ALTER ARBN (2) ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = CMA1) V (new_C_mfsm_stateA = CMA0) \lor (new_C_mfsm_stateA = CMA2) \lor (new_C_mfsm_stateA = CMD1) V (new_C_mfsm_stateA = CMD0) V ``` ``` (new_C_mfsm_stateA = CMW) V (new_C_mfsm_stateA = CMABT))) in let ms1 = (ALTER ms2 (1) ((new_C_mfsm_stateA = CMA1) \( \text{ (new_C_mfsm_stateA} = CMA0) \( \text{ \text{ }} \) (new_C_mfsm_stateA = CMA2) \lor (new_C_mfsm_stateA = CMD1) \lor ((\text{new}_C_mfsm_stateA = CMD0) \land C_mfsm_last_) \lor (\text{new}_C_mfsm_stateA = CMW) \lor (new_C_mfsm_stateA = CMABT))) in let ms0 = (ALTER ms1 (0) (((new_C_mfsm_stateA = CMD0) \land \sim C_mfsm_last_) \lor ((\text{new}\_C\_\text{mfsm}\_\text{stateA} = \text{CMW}) \land C\_\text{mfsm}\_\text{lock}\_) \lor (\text{new}\_C\_\text{mfsm}\_\text{stateA} = \text{CMABT}))) \text{ in } let new_C_mfsm_ms = ms0 in let new_C_mfsm_rqt_ = \sim (\sim (new_C_mfsm_stateA = CMI)) in let new_C_mfsm_cgnt_ = \sim (new_C_mfsm_stateA = CMA3) in let new_C_mfsm_cm_en = ((\sim(\text{new}_C_mfsm_stateA = CMI)) \land (\sim(\text{new}_C_mfsm_stateA = CMR))) in let new_C_mfsm_abort_le_en_ = ~((new_C_mfsm_stateA = CMABT) \( \text{ (new_C_mfsm_stateA = CMI)} \) in let new_C_mfsm_mparity = ((new_C_mfsm_stateA = CMA3) V (new_C_mfsm_stateA = CMA1) V (new_C_mfsm_stateA = CMA0) V (new_C_mfsm_stateA = CMA2) V (new_C_mfsm_stateA = CMD1) V (new_C_mfsm_stateA = CMD0) V(C_mfsm_state = CMA1) V(C_mfsm_state = CMA0) V (C_mfsm_state = CMA2) V (C_mfsm_state = CMD1)) in let new_C_sfsm_stateA = ((C_sfsm_rst) => CSI \mid (C\_sfsm\_state = CSI) => ((C\_sfsm\_D \land (C\_sfsm\_ms = ^MSTART) \land ~C\_sfsm\_grant) \land C_sfsm_addressed) => CSA1 \mid CSI) \mid (C_sfsm_state = CSL) => ((C_sfsm_D \land (C_sfsm_ms = ^MSTART) \land \sim C_sfsm_grant \land C_sfsm_addressed) => CSA1 \mid (C_sfsm_D \land (C_sfsm_ms = ^MSTART) \land 
^C_sfsm_grant \land ^C_sfsm_addressed) => CSI | (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) \Rightarrow CSABT \mid CSL) \mid (C_sfsm_state = CSA1) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSA0 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSA1) \mid (C_sfsm_state = CSA0) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY) \land \sim C_sfsm_hlda_) => CSALE! (C_sfsm_D \land (C_sfsm_ms = \land MRDY) \land C_sfsm_hlda_) \Rightarrow CSAOW I (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSA0) \mid (C_sfsm_state = CSA0W) => ((C_sfsm_D \land (C_sfsm_ms = \land MRDY) \land \neg C_sfsm_hlda_) => CSALE \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT | CSAOW) | (C_sfsm_state = CSALE) => ((C_sfsm_D \land C_sfsm_write \land (C_sfsm_ms = ^MRDY)) => C^1 \cup (C_sfsm_ms = ^MRDY)) (C_sfsm_D \land \neg C_sfsm_write \land (C_sfsm_ms = \land MRDY)) => CSRR \mid (C_sfsm_D \land (C_sfsm_ms = \land MABORT)) => CSABT \mid CSALE) \mid (C_sfsm_state = CSRR) => ((C_sfsm_D \land \neg(C_sfsm_ms = \land MABORT)) \Rightarrow CSD1 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSRR) (C_sfsm_state = CSD1) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSD0 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) | (C_sfsm_state = CSD0) => ((C_sfsm_D \land (C_sfsm_ms = ^MEND)) => CSACK \mid (C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSD1 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSDO) \mid (C_sfsm_state = CSACK) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) \Rightarrow CSL (C_sfsm_D \land (C_sfsm_ms = \land MWAIT)) => CSI (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) \Rightarrow CSABT \mid CSACK) \mid ``` ## (C\_sfsm\_D) => CSI | CSABT) in ``` let ss2 = (ALTER ARBN (2) ((-(new_C_sfsm_stateA = CSI)) \land (-(new_C_sfsm_stateA = CSABT)))) in let \ ss1 = (ALTER \ ss2 \ (1) \ ((\sim (new\_C\_sfsm\_stateA = CSI))) \land (\sim (new\_C\_sfsm\_stateA = CSACK)) \land (\sim (\text{new}_C_sfsm_stateA = CSABT)))) \text{ in } let ss0 = (ALTER ss1 (0) ((new_C_sfsm_stateA = CSA0W) V 
((\text{new}_C_sfsm\_stateA = CSALE) \land \sim C_sfsm\_write) \lor (new_C_sfsm_stateA = CSACK))) in let new_C_sfsm_ss = ss0 in let \ new\_C\_sfsm\_iad\_en\_s = (((new\_C\_sfsm\_stateA = CSALE) \land (\sim (C\_sfsm\_state = CSALE))) V ((new_C_sfsm_stateA = CSALE) \( \Lambda \) C_sfsm_write) V ((\text{new\_C\_sfsm\_stateA} = \text{CSD1}) \land \text{C\_sfsm\_write} \land (\sim (\text{C\_sfsm\_state} = \text{CSRR}))) V((\text{new}_C_sfsm\_stateA = CSD0) \land C_sfsm\_write) V((new_C_sfsm_stateA = CSACK) \land C_sfsm_write)) in let new_C_sfsm_sidle = (new_C_sfsm_stateA = CSI) in let new_C_sfsm_slock = (new_C_sfsm_stateA = CSL) in let new_C_sfsm_sa1 = (new_C_sfsm_stateA = CSA1) in let new_C_sfsm_sa0 = (new_C_sfsm_stateA = CSA0) in let new_C_sfsm_sale = (new_C_sfsm_stateA = CSALE) in let new_C_sfsm_sd1 = (new_C_sfsm_stateA = CSD1) in let new_C_sfsm_sd0 = (new_C_sfsm_stateA = CSD0) in let new_C_sfsm_sack = (new_C_sfsm_stateA = CSACK) in let new_C_sfsm_sabort = (new_C_sfsm_stateA = CSABT) in let new_C_sfsm_s_cout_sel0 = (new_C_sfsm_stateA = CSD1) in let new_C_sfsm_sparity = ((\sim(new_C_sfsm_stateA = CSI)) \land (\sim(new_C_sfsm_stateA = CSACK)) \Lambda (\sim (\text{new}_C_sfsm_stateA = CSABT))) in let new_C_efsm_stateA = ((C_efsm_rst) => CEI \mid (C_efsm_state = CEI) \Rightarrow ((-C_efsm_cale_) \Rightarrow CEE \mid CEI) \mid ((-C_efsm_last_ \land -C_efsm_srdy_) \lor -C_efsm_male_ \lor -C_efsm_rale_) \Rightarrow CEI \lor CEE) in let new_C_efsm_srdy_en = ((new_C_efsm_stateA = CEE) V (C_efsm_state = CEE)) in let cout_sel0 = (ALTER ARBN (0) ((new_C_sfsm_sd1 V new_C_sfsm_sd0) => new_C_sfsm_s_cout_sel0 | new_C_mfsm_m_cout_sel0)) in let cout_sel10 = (ALTER cout_sel0 (1) ((new_C_sfsm_sd1 V new_C_sfsm_sd0) => F | new_C_mfsm_m_cout_sel1)) in let c_cout_sel = cout_sel10 in let c_busy = (\sim((SUBARRAY CB_rqt_in_(3,1)) = (WORDN 7))) in let c_{grant} = ((((SUBARRAY Id (1,0)) = (WORDN 0)) \land \sim (ELEMENT CB_rqt_in_(0))) \lor (((SUBARRAY\ Id\ (1,0)) = (WORDN\ 1)) \land \sim 
(ELEMENT\ CB\_rqt\_in\_\ (0)) \land (ELEMENT\ CB\_rqt\_in\_\ (1))) \lor (((SUBARRAY\ Id\ (1,0)) = (WORDN\ 2)) \land \neg (ELEMENT\ CB\_rqt\_in\_\ (0)) \land (ELEMENT\ CB\_rqt\_in\_\ (1)) ) ∧ (ELEMENT CB_rqt_in_ (2))) \land ( ELEMENT \ CB\_rqt\_in\_(2) ) \land ( ELEMENT \ CB\_rqt\_in\_(3) ) )) \ in \\ let c_write = ((new_C_mfsm_cm_en) => C_wr | (ELEMENT C_sizewrbe (5))) in let new_C_clkAA = C_clkA in let new_C_sidle_delA = C_sidle_del in let new_C_mrqt_delA = C_mrqt_del in let c_dfsm_srdy = (CB_ss_in = ^SRDY) in let c_dfsm_master = (new_C_mfsm_ma3 V new_C_mfsm_ma2 V new_C_mfsm_ma1 V new_C_mfsm_ma0 V new_C_mfsm_md1 V new_C_mfsm_md0) in let c_dfsm_slave = (\neg new_C_sfsm_sidle \land \neg new_C_sfsm_slock) in let c_dfsm_cin_0_le = (ClkD \land ((new_C_mfsm_md0 \land c_dfsm_srdy \land \neg c_write) \lor alpha for all fo (new_C_sfsm_sa0) \lor (new_C_sfsm_sd0 \land c_write))) in let c_dfsm_cin_1_le = (ClkD \land ((new_C_mfsm_md1 \land c_dfsm_srdy \land ~c_write) \lor ``` ``` (new_C_sfsm_sal) V (new_C_sfsm_sdl \(\Lambda\) c_write))) in let c_dfsm_cin_3_le = (ClkD \land (new_C_sfsm_sidle \lor new_C_sfsm_slock)) in let c_dfsm_cin_4_le = (new_C_clkAA \land new_C_sfsm_sa0) in let c_dfsm_cout_0_le = ((I_cale_) \lor (I_srdy_in_ \land \sim c_write) V (\text{new}_C_{\text{mfsm}_{\text{ma0}}} \land c_{\text{dfsm}_{\text{srdy}}} \land c_{\text{write}} \land ClkD) V (\text{new}\_C\_\text{mfsm}\_\text{md0} \land c\_\text{write} \land c\_\text{dfsm}\_\text{srdy} \land ClkD)) \text{ in} let c_dfsm_cout_1_le = (new_C_clkAA \land new_C_sfsm_sd1) in let c_dfsm_cad_en = \sim ((new_C_mfsm_ma3) \lor (new_C_mfsm_ma1) \lor (new_C_mfsm_ma0) V (\text{new}_C_mfsm_ma2) V (c_write \land (\text{new}_C_mfsm_md1 \lor \text{new}_C_mfsm_md0)) V (~c_write ∧ (new_C_sfsm_sd1 ∨ new_C_sfsm_sd0))) in let c_dfsm_i_male_ = ~(new_C_sfsm_sale \( (~((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3))) \( \) new_C_clkAA) in let c_dfsm_i_rale_ = ~(new_C_sfsm_sale \((SUBARRAY C_sizewrbe (1,0)) = (WORDN 3)) \(\lambda\) 
new_C_clkAA) in let c_dfsm_i_mrdy_ = \sim ((\sim c_write \land ClkD \land (new_C_sfsm_sale \lor new_C_sfsm_sd1)) V (\sim c_write \land new_C_clkAA \land new_C_sfsm_sack) V(c_{\text{write}} \land ClkD \land new_{\text{c_sfsm_sd0}})) in let new_C_last_inA_ = I_last_in_ in let new_C_ssA = CB_ss_in in let new_C_holdA_=((ClkD) \Rightarrow C_hold_|C_holdA_) in let new_C_cout_0_le_delA = C_cout_0_le_del in let new_C_cin_2_leA = C_cin_2_le in let new_C_mrdy_delA_ = C_mrdy_del_ in let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in let new_C_wrdyA = C_wrdy in let new_C_rrdyA = C_rrdy in let new_C_iad_out = ((new_C_cin_2_leA) => C_data_in | C_iad_out) in let new_C_ala0 = (((c_dfsm_master \(\Lambda\) new_C_cout_0_le_delA) \(\(\) (\(\) c_dfsm_master \(\Lambda\) c_dfsm_cout_1_le)\) => C_iad_in \(\) (C_ala0) in let new_C_a3a2 = ((new_C_mfsm_mrequest) \Rightarrow Ccr | C_a3a2) in let new_C_mfsm_state = C_mfsm_state in let new_C_mfsm_srdy_en = C_mfsm_srdy_en in let new_C_mfsm_D = C_mfsm_D in let new_C_mfsm_grant = C_mfsm_grant in let new_C_mfsm_rst = C_mfsm_rst in let new_C_mfsm_busy = C_mfsm_busy in let new_C_mfsm_write = C_mfsm_write in let new_C_mfsm_crqt_ = C_mfsm_crqt_ in let new_C_mfsm_hold_ = C_mfsm_hold_ in let new_C_mfsm_last_ = C_mfsm_last_ in let new_C_mfsm_lock_ = C_mfsm_lock_ in let new_C_mfsm_ss = C_mfsm_ss in let new_C_mfsm_invalid = C_mfsm_invalid in let new_C_sfsm_state = C_sfsm_state in let new_C_sfsm_D = C_sfsm_D in let new_C_sfsm_grant = C_sfsm_grant in let new_C_sfsm_rst = C_sfsm_rst in let new_C_sfsm_write = C_sfsm_write in let new_C_sfsm_addressed = C_sfsm_addressed in let new_C_sfsm_hlda_ = C_sfsm_hlda_ in let new_C_sfsm_ms = C_sfsm_ms in let new_C_efsm_state = C_efsm_state in let new_C_efsm_cale_ = C_efsm_cale_ in let new_C_efsm_last_ = C_efsm_last_ in let new_C_efsm_male_ = C_efsm_male_ in let new_C_efsm_rale_ = C_efsm_rale_ in ``` ``` let new_C_efsm_srdy_ = C_efsm_srdy_ in let new_C_efsm_rst = C_efsm_rst in let new_C_wr = C_wr in 
let new_C_sizewrbe = C_sizewrbe in let new_C_clkA = C_clkA in let new_C_sidle_del = C_sidle_del in let new_C_mrqt_del = C_mrqt_del in let new_C_last_in_ = C_last_in_ in let new_C_lock_in_ = C_lock_in_ in let new_C_ss = C_ss in let new_C_last_out_ = C_last_out_ in let new_C_hold_ = C_hold_ in let new_C_cout_0_le_del = C_cout_0_le_del in let new_C_cin_2_le = C_cin_2_le in let new_C_mrdy_del_ = C_mrdy_del_ in let new_C_iad_en_s_del = C_iad_en_s_del in let new_C_wrdy = C_wrdy in let new_C_rrdy = C_rrdy in let new_C_parity = C_parity in let new_C_source = C_source in let new_C_data_in = C_data_in in let new_C_iad_in = C_iad_in in let I_cgnt_ = new_C_mfsm_cgnt_ in let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in let I_hold_ = new_C_holdA_ in let I_rale_out_=((\sim I_hlda_) \Rightarrow c_dfsm_i_rale_! ARB) in let I_male_out_ = ((~I_hlda_) => c_dfsm_i_male_ | ARB) in let I_last_out_=((\sim I_hlda_) => new_C_last_out_| ARB) in let I_srdy_out_ = ((\sim I\_cale\_ \lor new\_C\_efsm\_srdy\_en) => \sim (new\_C\_wrdyA \lor new\_C\_rrdyA \lor new\_C\_mfsm\_mabort) \mid ARB) in the context of let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in let I_ad_out = ((new_C_iad_en_s_delA V new_C_mfsm_iad_en_m V new_C_sfsm_iad_en_s) => new_C_iad_out | ARBN) in let CB_rqt_out_ = new_C_mfsm_rqt_ in let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) \( \lambda \text{-Pmm_failure} \( \lambda \text{-Piu_invalid} \) in let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 | ARBN) in let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in let cbss210 = (ALTER cbms10 (2) ((ELEMENT new_C_sfsm_ss (2)) \( \lambda \cdot \text{Pmm_failure} \( \lambda \cdot \text{Piu_invalid} \)) in let \ CB\_ss\_out = ((\sim\! new\_C\_sfsm\_sidle \land \sim\! 
new\_C\_sfsm\_sabort) \Longrightarrow cbss210 \mid ARBN) \ in let CB_ad_out = ((c_dfsm_cad_en) => ((c\_cout\_sel = (WORDN 0)) \Rightarrow Par\_Enc rep ((SUBARRAY new\_C\_ala0 (15,0))) \mid ((c\_cout\_sel = (WORDN 1)) => Par\_Enc rep ((SUBARRAY new\_C\_a1a0 (31,16))) ((c\_cout\_sel = (WORDN 2)) \Rightarrow Par\_Enc rep ((SUBARRAY new\_C\_a3a2 (15,0))) Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) ARBN) in let C_ss_out = new_C_ss in let Disable_writes = (c_dfsm_slave \land \sim ((ChannelID = (WORDN 0))) \land (ELEMENT new_C_source (6))) \land \sim ((ChannelID = (WORDN 1)) \land (ELEMENT new_C_source (7))) \land \sim ((ChannelID = (WORDN 2)) \land (ELEMENT new_C_source (8))) \land \sim ((ChannelID = (WORDN 3)) \land (ELEMENT new_C_source (9)))) in let CB_parity = new_C_parity in ``` ``` (I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)" );; Next-state definition for Phase-B instruction. let PH_B_inst_def = new_definition ('PH_B_inst', "! 
(rep:^rep_ty) (C_mfsm_state A C_mfsm_state :cmfsm_ty) (C_sfsm_stateA C_sfsm_state :csfsm_ty) (C_efsm_stateA C_efsm_state :cefsm_ty) (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_ala0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_in :wordn) (C mfsm mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1 C mfsm ma0 C mfsm md1 C mfsm md0 C mfsm iad en m C mfsm m cout sel1 C mfsm m cout sel0 C_mfsm_rqt_C_mfsm_cgnt_C_mfsm_cm_en C_mfsm_abort_le_en_C_mfsm_mparity C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sal C_sfsm_sa0 C_sfsm_sale C_sfsm_sdl C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity C_efsm_srdy_en C_clkAA C_sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write C_mfsm_crqt_C_mfsm_hold_C_mfsm_last_C_mfsm_lock_C_mfsm_invalid C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_ C\_efsm\_cale\_C\_efsm\_last\_C\_efsm\_male\_C\_efsm\_rale\_C\_efsm\_srdy\_C\_efsm\_rst C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy C_rrdy C_parity :bool) (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_ Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool) (I_ad_in I_be_in_CB_rqt_in_CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn) (I_cgnt_I_mrdy_out_I_hold_I_rale_out_I_male_out_I_last_out_I_srdy_out_CB_rqt_out_ Disable_writes CB_parity:bool). 
PH_B_inst rep (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2, C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C\_mfsm\_m\_cout\_sel0, C\_mfsm\_ms, C\_mfsm\_rqt\_, C\_mfsm\_cgnt\_, C\_mfsm\_cm\_en, C\_mfsm\_abort\_le\_en\_, C\_mfsm\_cgnt\_, C\_mfs C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C sfsm s cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA, C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_ala0, C_a3a2, C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_, C_mfsm_bold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_in) (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ``` ``` ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) = let new_C_wr = ((\sim I_cale_) \Rightarrow (ELEMENT I_ad_in (27)) \mid C_wr) in let new_C_sizewrbe = ((Rst) => ARBN | ((C_sfsm_sa0 \land C_clkAA) => (SUBARRAY C_data_in (31,22)) \mid C_sizewrbe)) in let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 V C_sfsm_sd0) => C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in let cout_sel10 = (ALTER 
cout_sel0 (1) ((C_sfsm_sd1 ∨ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
        ∧ (ELEMENT CB_rqt_in_ (2)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
        ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (C_mfsm_ma3 ∨ C_mfsm_ma2 ∨ C_mfsm_ma1 ∨ C_mfsm_ma0 ∨ C_mfsm_md1 ∨ C_mfsm_md0) in
let c_dfsm_slave = (~C_sfsm_sidle ∧ ~C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD ∧ ((C_mfsm_md0 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa0)
    ∨ (C_sfsm_sd0 ∧ c_write))) in
let c_dfsm_cin_1_le = (ClkD ∧ ((C_mfsm_md1 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa1)
    ∨ (C_sfsm_sd1 ∧ c_write))) in
let c_dfsm_cin_3_le = (ClkD ∧ (C_sfsm_sidle ∨ C_sfsm_slock)) in
let c_dfsm_cin_4_le = (C_clkAA ∧ C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_write)
    ∨ (C_mfsm_ma0 ∧ c_dfsm_srdy ∧ c_write ∧ ClkD)
    ∨ (C_mfsm_md0 ∧ c_write ∧ c_dfsm_srdy ∧ ClkD)) in
let c_dfsm_cout_1_le = (C_clkAA ∧ C_sfsm_sd1) in
let c_dfsm_cad_en = ~((C_mfsm_ma3) ∨ (C_mfsm_ma1) ∨ (C_mfsm_ma0) ∨ (C_mfsm_ma2)
    ∨ (c_write ∧ (C_mfsm_md1 ∨ C_mfsm_md0)) ∨ (~c_write ∧ (C_sfsm_sd1 ∨ C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(C_sfsm_sale ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkAA) in
let c_dfsm_i_rale_ = ~(C_sfsm_sale ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write ∧ ClkD ∧ (C_sfsm_sale ∨ C_sfsm_sd1))
    ∨ (~c_write ∧ C_clkAA ∧ C_sfsm_sack) ∨ (c_write ∧ ClkD ∧ C_sfsm_sd0)) in
let new_C_clkA = ClkD in
let new_C_sidle_del = C_sfsm_sidle in
let new_C_mrqt_del = C_mfsm_mrequest in
let new_C_last_in_ = ((Rst) => F | ((C_mfsm_mabort ∨ C_mfsm_md1 ∧ ClkD) => C_last_inA_ | C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_ma1) => I_lock_ | C_lock_in_)) in
let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in
let mend = (CB_ms_in = ^MEND) in
let mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
    ((C_sfsm_sa1 ∧ ~(ClkD ∧ (mend ∨ mabort))) => T |
    ((~C_sfsm_sa1 ∧ (ClkD ∧ (mend ∨ mabort))) => F |
    ((~C_sfsm_sa1 ∧ ~(ClkD ∧ (mend ∨ mabort))) => C_last_out_ | ARB))) in
let new_C_hold_ = C_sfsm_sidle in
let new_C_cout_0_le_del = c_dfsm_cout_0_le in
let new_C_cin_2_le = c_dfsm_cin_0_le in
let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in
let new_C_iad_en_s_del = C_sfsm_iad_en_s in
let new_C_wrdy = (c_dfsm_srdy ∧ c_write ∧ C_mfsm_md1 ∧ ClkD) in
let new_C_rrdy = (c_dfsm_srdy ∧ ~c_write ∧ C_mfsm_md0 ∧ ClkD) in
let c_pe = (Par_Det rep CB_ad_in) in
let c_pe_cnt = (ClkD ∧ ((~(C_mfsm_mparity = C_sfsm_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity = (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ I_cale_) => T |
    ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~I_cale_) => F |
    ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ I_cale_) => C_parity | ARB))) in
let new_C_source = ((Rst) => (WORDN 0) |
    ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
    ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (31,16))))) in
let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
((c_dfsm_cin_0_le) \Rightarrow Par_Dec rep (CB_ad_in) \mid (SUBARRAY C_data_in (15,0)))) in let new_C_data_in = data_in31_0 in let new_C_{iad_in} = ((c_dfsm_cout_0_le) \Rightarrow I_ad_in \mid C_{iad_in}) in let new_C_mfsm_state = C_mfsm_stateA in let new_C_mfsm_srdy_en = C_efsm_srdy_en in let new_C_mfsm_D = ClkD in let new_C_mfsm_grant = c_grant in let new_C_mfsm_rst = Rst in let new_C_mfsm_busy = c_busy in let new_C_mfsm_write = c_write in let new_C_mfsm_crqt_ = I_crqt_ in let new_C_mfsm_hold_ = C_holdA_ in let new_C_mfsm_last_ = new_C_last_in_ in let new_C_mfsm_lock_ = new_C_lock_in_ in let new_C_mfsm_ss = CB_ss_in in let new_C_mfsm_invalid = Piu_invalid in let new_C_sfsm_state = C_sfsm_state in let new_C_sfsm_D = ClkD in let new_C_sfsm_grant = c_grant in let new_C_sfsm_rst = Rst in let new_C_sfsm_write = c_write in let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in let new_C_sfsm_hlda_ = I_hlda_ in let new_C_sfsm_ms = CB_ms_in in let new_C_efsm_state = C_efsm_state in let new_C_efsm_cale_ = I_cale_ in let new_C_efsm_last_ = I_last_in_ in let new_C_efsm_male_ = I_male_in_ in let new_C_efsm_rale_ = I_rale_in_ in let new_C_efsm_srdy_ = I_srdy_in_ in let new_C_efsm_rst = Rst in let new_C_mfsm_stateA = C_mfsm_stateA in let new_C_mfsm_mabort = C_mfsm_mabort in let new_C_mfsm_midle = C_mfsm_midle in let new_C_mfsm_mrequest = C_mfsm_mrequest in ``` ``` let new_C_mfsm_ma3 = C_mfsm_ma3 in let new_C_mfsm_ma2 = C_mfsm_ma2 in let new_C_mfsm_mal = C_mfsm_mal in let new_C_mfsm_ma0 = C_mfsm_ma0 in let new_C_mfsm_md1 = C_mfsm_md1 in let new_C_mfsm_md0 = C_mfsm_md0 in let new_C_mfsm_iad_en_m = C_mfsm_iad_en_m in let new_C_mfsm_m_cout_sell = C_mfsm_m_cout_sell in let new_C_mfsm_m_cout_sel0 = C_mfsm_m_cout_sel0 in let new_C_mfsm_ms = C_mfsm_ms in let new_C_mfsm_rqt_ = C_mfsm_rqt_ in let new_C_mfsm_cgnt_ = C_mfsm_cgnt_ in let new_C_mfsm_cm_en = C_mfsm_cm_en in let new_C_mfsm_abort_le_en_ = C_mfsm_abort_le_en_ in let new_C_mfsm_mparity = C_mfsm_mparity in let new C 
sfsm_stateA = C_sfsm_stateA in let new_C_sfsm_ss = C_sfsm_ss in let new_C_sfsm_iad_en_s = C_sfsm_iad_en_s in let new_C_sfsm_sidle = C_sfsm_sidle in let new_C_sfsm_slock = C_sfsm_slock in let new_C_sfsm_sal = C_sfsm_sal in let new C_sfsm_sa0 = C_sfsm_sa0 in let new_C_sfsm_sale = C_sfsm_sale in let new_C_sfsm_sd1 = C_sfsm_sd1 in let new C_sfsm_sd0 = C_sfsm_sd0 in let new_C_sfsm_sack = C_sfsm_sack in let new_C_sfsm_sabort = C_sfsm_sabort in let new_C_sfsm_s_cout_sel0 = C_sfsm_s_cout_sel0 in let new_C_sfsm_sparity = C_sfsm_sparity in let new_C_efsm_stateA = C_efsm_stateA in let new_C_efsm_srdy_en = C_efsm_srdy_en in let new C clkAA = C_clkAA in let new_C_sidle_delA = C_sidle_delA in let new_C_mrqt_delA = C_mrqt_delA in let new_C_last_inA_ = C_last_inA_ in let new_C_ssA = C_ssA in let new_C_holdA_ = C_holdA_ in let new_C_cout_0_le_delA = C_cout_0_le_delA in let new_C_cin_2_leA = C_cin_2_leA in let new_C_mrdy_delA_ = C_mrdy_delA_ in let new_C_iad_en_s_delA = C_iad_en_s_delA in let new_C_wrdyA = C_wrdyA in let new_C_rrdyA = C_rrdyA in let new_C_iad_out = C_iad_out in let new_C_ala0 = C_ala0 in let new_C_a3a2 = C_a3a2 in (new_C_mfsm_stateA, new_C_mfsm_mabort, new_C_mfsm_midle, new_C_mfsm_mrequest, new_C_mfsm_ma3, new_C_mfsm_ma2, new_C_mfsm_ma1, new_C_mfsm_ma0, new_C_mfsm_md1, new_C_mfsm_md0, new_C_mfsm_iad_en_m, new_C_mfsm_m_cout_sel1, new_C_mfsm_m_cout_sel0, new_C_mfsm_ms, new_C_mfsm_rqt_, new_C_mfsm_cgnt_, new_C_mfsm_cm_en, new_C_mfsm_abort_le_en_, new_C_mfsm_mparity, new_C_sfsm_stateA, new_C_sfsm_ss, new_C_sfsm_iad_en_s, new_C_sfsm_sidle, new_C_sfsm_slock, new_C_sfsm_sal, new_C_sfsm_sa0, ``` new\_C\_sfsm\_sale, new\_C\_sfsm\_sd1, new\_C\_sfsm\_sd0, new\_C\_sfsm\_sack, new\_C\_sfsm\_sabort, ``` new_C_sfsm_s_cout_sel0, new_C_sfsm_sparity, new_C_efsm_stateA, new_C_efsm_srdy_en, new_C_clkAA, new_C_sidle_delA, new_C_mrqt_delA, new_C_last_inA_, new_C_ssA, new_C_holdA_, new_C_cout_0_le_delA, new_C_cin_2_leA, new_C_mrdy_delA_, new_C_iad_en_s_delA, new_C_wrdyA, new_C_rrdyA, 
new_C_iad_out, new_C_a1aO, new_C_a3a2, new_C_mfsm_state, new_C_mfsm_srdy_en, new_C_mfsm_D, new_C_mfsm_grant, new_C_mfsm_rst, new_C_mfsm_busy, new_C_mfsm_write, new_C_mfsm_crqt_, new_C_mfsm_bold_, new_C_mfsm_last_, new_C_mfsm_lock_, new_C_mfsm_ss, new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_grant, new_C_sfsm_rst, new_C_sfsm_write, new_C_sfsm_addressed, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_sidle_del, new_C_mrqt_del, new_C_last_in_, new_C_lock_in_, new_C_ss, new_C_last_out_, new_C_hold_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_, new_C_iad_en_s_del, new_C_wrdy, new_C_rrdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_in)" );; Output definition for Phase-B instruction. let PH_B_out_def = new_definition ('PH_B_out', "! (rep:^rep_ty) (C_mfsm_state A C_mfsm_state : cmfsm_ty) (C_sfsm_stateA C_sfsm_state :csfsm_ty) (C_efsm_stateA C_efsm_state :cefsm_ty) (C_mfsm_ms C_sfsm_ss C_ssA C_iad_out C_a1a0 C_a3a2 C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_in :wordn) (C_mfsm_mabort C_mfsm_midle C_mfsm_mrequest C_mfsm_ma3 C_mfsm_ma2 C_mfsm_ma1 C_mfsm_ma0 C_mfsm_md1 C_mfsm_md0 C_mfsm_iad_en_m C_mfsm_m_cout_sel1 C_mfsm_m_cout_sel0 C_mfsm_rqt_C_mfsm_cgnt_C_mfsm_cm_en C_mfsm_abort_le_en_C_mfsm_mparity C_sfsm_iad_en_s C_sfsm_sidle C_sfsm_slock C_sfsm_sa1 C_sfsm_sa0 C_sfsm_sale C_sfsm_sd1 C_sfsm_sd0 C_sfsm_sack C_sfsm_sabort C_sfsm_s_cout_sel0 C_sfsm_sparity C efsm_srdy_en C clkAA C sidle_delA C_mrqt_delA C_last_inA_ C_holdA_ C_cout_0_le_delA C_cin_2_leA C_mrdy_delA_ C_iad_en_s_delA C_wrdyA C_rrdyA C_mfsm_srdy_en C_mfsm_D C_mfsm_grant C_mfsm_rst C_mfsm_busy C_mfsm_write C_mfsm_crqt_C_mfsm_hold_C_mfsm_last_C_mfsm_lock_C_mfsm_invalid C_sfsm_D C_sfsm_grant C_sfsm_rst C_sfsm_write C_sfsm_addressed C_sfsm_hlda_ C efsm_cale_C_efsm_last_C_efsm_male_C_efsm_rale_C_efsm_srdy_C_efsm_rst 
C_wr C_clkA C_sidle_del C_mrqt_del C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_wrdy C_rrdy C_parity :bool) (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_ Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error:bool) (I_ad_in I_be_in_CB_rqt_in_CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn) (I_cgnt_I_mrdy_out_I_hold_I_rale_out_I_male_out_I_last_out_I_srdy_out_CB_rqt_out_ Disable_writes CB_parity:bool). PH_B_out rep (C_mfsm_stateA, C_mfsm_mabort, C_mfsm_midle, C_mfsm_mrequest, C_mfsm_ma3, C_mfsm_ma2, C_mfsm_ma1, C_mfsm_ma0, C_mfsm_md1, C_mfsm_md0, C_mfsm_iad_en_m, C_mfsm_m_cout_sel1, C mfsm m cout_sel0, C_mfsm_ms, C_mfsm_rqt_, C_mfsm_cgnt_, C_mfsm_cm_en, C_mfsm_abort_le_en_, C_mfsm_mparity, C_sfsm_stateA, C_sfsm_ss, C_sfsm_iad_en_s, C_sfsm_sidle, C_sfsm_slock, C_sfsm_sa1, C_sfsm_sa0, C_sfsm_sale, C_sfsm_sd1, C_sfsm_sd0, C_sfsm_sack, C_sfsm_sabort, C_sfsm_s_cout_sel0, C_sfsm_sparity, C_efsm_stateA, C_efsm_srdy_en, C_clkAA, C_sidle_delA, C_mrqt_delA, C_last_inA_, C_ssA, C_holdA_, C_cout_0_le_delA, C_cin_2_leA, ``` ``` C_mrdy_delA_, C_iad_en_s_delA, C_wrdyA, C_rrdyA, C_iad_out, C_ala0, C_a3a2, C_mfsm_state, C_mfsm_srdy_en, C_mfsm_D, C_mfsm_grant, C_mfsm_rst, C_mfsm_busy, C_mfsm_write, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_last_, C_mfsm_lock_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_grant, C_sfsm_rst, C_sfsm_write, C_sfsm_addressed, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_sidle_del, C_mrqt_del, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_in) (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_, I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD, Id, ChannelID, 
Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => ARBN |
    ((C_sfsm_sa0 ∧ C_clkAA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_write = ((C_mfsm_cm_en) => new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let cout_sel0 = (ALTER ARBN (0) ((C_sfsm_sd1 ∨ C_sfsm_sd0) => C_sfsm_s_cout_sel0 | C_mfsm_m_cout_sel0)) in
let cout_sel10 = (ALTER cout_sel0 (1) ((C_sfsm_sd1 ∨ C_sfsm_sd0) => F | C_mfsm_m_cout_sel1)) in
let c_cout_sel = cout_sel10 in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
        ∧ (ELEMENT CB_rqt_in_ (2)))
    ∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
        ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_dfsm_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = (C_mfsm_ma3 ∨ C_mfsm_ma2 ∨ C_mfsm_ma1 ∨ C_mfsm_ma0 ∨ C_mfsm_md1 ∨ C_mfsm_md0) in
let c_dfsm_slave = (~C_sfsm_sidle ∧ ~C_sfsm_slock) in
let c_dfsm_cin_0_le = (ClkD ∧ ((C_mfsm_md0 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa0)
    ∨ (C_sfsm_sd0 ∧ c_write))) in
let c_dfsm_cin_1_le = (ClkD ∧ ((C_mfsm_md1 ∧ c_dfsm_srdy ∧ ~c_write) ∨ (C_sfsm_sa1)
    ∨ (C_sfsm_sd1 ∧ c_write))) in
let c_dfsm_cin_3_le = (ClkD ∧ (C_sfsm_sidle ∨ C_sfsm_slock)) in
let c_dfsm_cin_4_le = (C_clkAA ∧ C_sfsm_sa0) in
let c_dfsm_cout_0_le = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_write)
    ∨ (C_mfsm_ma0 ∧ c_dfsm_srdy ∧ c_write ∧ ClkD)
    ∨ (C_mfsm_md0 ∧ c_write ∧ c_dfsm_srdy ∧ ClkD)) in
let c_dfsm_cout_1_le = (C_clkAA ∧ C_sfsm_sd1) in
let c_dfsm_cad_en = ~((C_mfsm_ma3) ∨ (C_mfsm_ma1) ∨ (C_mfsm_ma0) ∨ (C_mfsm_ma2)
    ∨ (c_write ∧ (C_mfsm_md1 ∨ C_mfsm_md0)) ∨ (~c_write ∧ (C_sfsm_sd1 ∨ C_sfsm_sd0))) in
let c_dfsm_i_male_ = ~(C_sfsm_sale ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkAA) in
let c_dfsm_i_rale_ = ~(C_sfsm_sale ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkAA) in
let c_dfsm_i_mrdy_ = ~((~c_write ∧ ClkD ∧ (C_sfsm_sale ∨ C_sfsm_sd1))
    ∨ (~c_write ∧ C_clkAA ∧ C_sfsm_sack) ∨ (c_write ∧ ClkD ∧ C_sfsm_sd0)) in
let new_C_clkA = ClkD in
let new_C_sidle_del = C_sfsm_sidle in
let new_C_mrqt_del = C_mfsm_mrequest in
let new_C_last_in_ = ((Rst) => F | ((C_mfsm_mabort ∨
C_mfsm_md1 \land ClkD) \Rightarrow C_last_inA_! C_last_in_)) in let new_C_lock_in_ = ((Rst) => F | ((C_mfsm_mal) => I_lock_ | C_lock_in_)) in let new_C_ss = ((C_mfsm_abort_le_en_) => C_ssA | C_ss) in let mend = (CB_ms_in = ^MEND) in let mabort = (CB_ms_in = ^MABORT) in let new_C_last_out_ = ((C_sfsm_sa1 \land \sim (ClkD \land (mend \lor mabort))) => T \mid ((-C_sfsm_sa1 \land (ClkD \land (mend \lor mabort))) => F ((-C_sfsm_sal \land -(ClkD \land (mend \lor mabort))) => C_last_out_| \land ARB))) in let new_C_hold_ = C_sfsm_sidle in let new_C_cout_0_le_del = c_dfsm_cout_0_le in let new_C_cin_2_le = c_dfsm_cin_0_le in let new_C_mrdy_del_ = c_dfsm_i_mrdy_ in let new_C_iad_en_s_del = C_sfsm_iad_en_s in let new_C_wrdy = (c_dfsm_srdy \land c_write \land C_mfsm_md1 \land ClkD) in let new_C_rrdy = (c_dfsm_srdy \land -c_write \land C_mfsm_md0 \land ClkD) in let c_pe = (Par_Det rep CB_ad_in) in let c_pe_cnt = (ClkD \( ((~(C_mfsm_mparity = C_sfsm_sparity)) \( (SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in let new_C_parity = (((ClkD \land c_pe \land c_pe_cnt) \land I_cale_) => T ((\sim(ClkD \land c\_pe \land c\_pe\_cnt) \land \sim I\_cale\_) => F \mid ((\sim(ClkD \land c\_pe \land c\_pe\_cnt) \land I\_cale\_) => C\_parity \mid ARB))) in let new_C_source = ((Rst) \Rightarrow (WORDN 0) ((c_dfsm_cin_3_le) => Par_Dec rep (CB_ad_in) | C_source)) in let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0)) ((c_dfsm_cin_1_le) => Par_Dec rep (CB_ad_in) (SUBARRAY C_data_in (31,16))))) in let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0)) ((c_dfsm_cin_0_le) => Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (15,0)))) in let new_C_data_in = data_in31_0 in let new_C_iad_in = ((c_dfsm_cout_0_le) => I_ad_in | C_iad_in) in let new_C_mfsm_state = C_mfsm_stateA in let new_C_mfsm_srdy_en = C_efsm_srdy_en in let new_C_mfsm_D = ClkD in let new_C_mfsm_grant = c_grant in let new_C_mfsm_rst = Rst in let new_C_mfsm_busy = c_busy in let new_C_mfsm_write = c_write in let new_C_mfsm_crqt_ = 
I_crqt_ in let new_C_mfsm_hold_ = C_holdA_ in let new_C_mfsm_last_ = new_C_last_in_ in let new_C_mfsm_lock_ = new_C_lock_in_ in let new_C_mfsm_ss = CB_ss_in in let new_C_mfsm_invalid = Piu_invalid in let new_C_sfsm_state = C_sfsm_state in let new_C_sfsm_D = ClkD in let new_C_sfsm_grant = c_grant in let new_C_sfsm_rst = Rst in let new_C_sfsm_write = c_write in let new_C_sfsm_addressed = (Id = (SUBARRAY new_C_source (15,10))) in let new_C_sfsm_hlda_ = I_hlda_ in let new_C_sfsm_ms = CB_ms_in in ``` ``` let new_C_efsm_state = C_efsm_state in ``` let new\_C\_efsm\_cale\_ = I\_cale\_ in let new\_C\_efsm\_last\_ = I\_last\_in\_ in let new\_C\_efsm\_male\_ = I\_male\_in\_ in let new\_C\_efsm\_rale\_ = I\_rale\_in\_ in let new\_C\_efsm\_srdy\_ = I\_srdy\_in\_ in let new\_C\_efsm\_rst = Rst in let new\_C\_mfsm\_stateA = C\_mfsm\_stateA in let new\_C\_mfsm\_mabort = C\_mfsm\_mabort in let new\_C\_mfsm\_midle = C\_mfsm\_midle in let new\_C\_mfsm\_mrequest = C\_mfsm\_mrequest in let new\_C\_mfsm\_ma3 = C\_mfsm\_ma3 in let new\_C\_mfsm\_ma2 = C\_mfsm\_ma2 in let new\_C\_mfsm\_ma1 = C\_mfsm\_ma1 in let new\_C\_mfsm\_ma0 = C\_mfsm\_ma0 in let new\_C\_mfsm\_md1 = C\_mfsm\_md1 in let new\_C\_mfsm\_md0 = C\_mfsm\_md0 in let new\_C\_mfsm\_iad\_en\_m = C\_mfsm\_iad\_en\_m in let new\_C\_mfsm\_m\_cout\_sel1 = C\_mfsm\_m\_cout\_sel1 in let new\_C\_mfsm\_m\_cout\_sel0 = C\_mfsm\_m\_cout\_sel0 in let new\_C\_mfsm\_ms = C\_mfsm\_ms in let new\_C\_mfsm\_rqt\_ = C\_mfsm\_rqt\_ in let new\_C\_mfsm\_cgnt\_ = C\_mfsm\_cgnt\_ in let new\_C\_mfsm\_cm\_en = C\_mfsm\_cm\_en in let new\_C\_mfsm\_abort\_le\_en\_ = C\_mfsm\_abort\_le\_en\_ in let new\_C\_mfsm\_mparity = C\_mfsm\_mparity in let new C sfsm\_stateA = C\_sfsm\_stateA in let new\_C\_sfsm\_ss = C\_sfsm\_ss in let new\_C\_sfsm\_iad\_en\_s = C\_sfsm\_iad\_en\_s in let new\_C\_sfsm\_sidle = C\_sfsm\_sidle in let new\_C\_sfsm\_slock = C\_sfsm\_slock in let new\_C\_sfsm\_sa1 = C\_sfsm\_sa1 in let new\_C\_sfsm\_sa0 = C\_sfsm\_sa0 in let new C 
sfsm\_sale = C\_sfsm\_sale in let new\_C\_sfsm\_sd1 = C\_sfsm\_sd1 in let new\_C\_sfsm\_sd0 = C\_sfsm\_sd0 in let new\_C\_sfsm\_sack = C\_sfsm\_sack in let new\_C\_sfsm\_sabort = C\_sfsm\_sabort in let new\_C\_sfsm\_s\_cout\_sel0 = C\_sfsm\_s\_cout\_sel0 in let new\_C\_sfsm\_sparity = C\_sfsm\_sparity in let new\_C\_efsm\_stateA = C\_efsm\_stateA in let new\_C\_efsm\_srdy\_en = C\_efsm\_srdy\_en in let new\_C\_clkAA = C\_clkAA in let new\_C\_sidle\_delA = C\_sidle\_delA in let new\_C\_mrqt\_delA = C\_mrqt\_delA in let new\_C\_last\_inA\_ = C\_last\_inA\_ in let new\_C\_ssA = C\_ssA in let new\_C\_holdA\_ = C\_holdA\_ in let new\_C\_cout\_0\_le\_delA = C\_cout\_0\_le\_delA in let new\_C\_cin\_2\_leA = C\_cin\_2\_leA in let new C\_mrdy\_delA\_ = C\_mrdy\_delA\_ in let new\_C\_iad\_en\_s\_delA = C\_iad\_en\_s\_delA in let new\_C\_wrdyA = C\_wrdyA in let new\_C\_rrdyA = C\_rrdyA in ``` let new_C_iad_out = C_iad_out in let new_C_ala0 = C_ala0 in let new_C_a3a2 = C_a3a2 in let I_cgnt_ = new_C_mfsm_cgnt_ in let I_mrdy_out_ = ((~I_hlda_) => new_C_mrdy_delA_ | ARB) in let I_hold_ = new_C_holdA_ in let I_rale_out_=((\sim I_hlda_) => c_dfsm_i_rale_| ARB) in let I_male_out_=((\sim I_hlda_) \Rightarrow c_dfsm_i_male_! 
ARB) in
let I_last_out_ = ((~I_hlda_) => new_C_last_out_ | ARB) in
let I_srdy_out_ = ((~I_cale_ ∨ new_C_efsm_srdy_en) =>
    ~(new_C_wrdyA ∨ new_C_rrdyA ∨ new_C_mfsm_mabort) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out = ((new_C_iad_en_s_delA ∨ new_C_mfsm_iad_en_m ∨ new_C_sfsm_iad_en_s) =>
    new_C_iad_out | ARBN) in
let CB_rqt_out_ = new_C_mfsm_rqt_ in
let cbms10 = (MALTER ARBN (1,0) (SUBARRAY new_C_mfsm_ms (1,0))) in
let cbms210 = (ALTER cbms10 (2) ((ELEMENT new_C_mfsm_ms (2)) ∧ ~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ms_out = ((~new_C_mfsm_cm_en) => cbms210 | ARBN) in
let cbss10 = (MALTER ARBN (1,0) (SUBARRAY new_C_sfsm_ss (1,0))) in
let cbss210 = (ALTER cbms10 (2) ((ELEMENT new_C_sfsm_ss (2)) ∧ ~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ss_out = ((~new_C_sfsm_sidle ∧ ~new_C_sfsm_sabort) => cbss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
    ((c_cout_sel = (WORDN 0)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (15,0))) |
    ((c_cout_sel = (WORDN 1)) => Par_Enc rep ((SUBARRAY new_C_a1a0 (31,16))) |
    ((c_cout_sel = (WORDN 2)) => Par_Enc rep ((SUBARRAY new_C_a3a2 (15,0))) |
    Par_Enc rep ((SUBARRAY new_C_a3a2 (31,16)))))) | ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = (c_dfsm_slave ∧
    ~((ChannelID = (WORDN 0)) ∧ (ELEMENT new_C_source (6))) ∧
    ~((ChannelID = (WORDN 1)) ∧ (ELEMENT new_C_source (7))) ∧
    ~((ChannelID = (WORDN 2)) ∧ (ELEMENT new_C_source (8))) ∧
    ~((ChannelID = (WORDN 3)) ∧ (ELEMENT new_C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out, I_be_out_,
 CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
);;
close_theory();;
```

# C.5 SU\_Cont Specification

```
File:    s_phase.ml
Author:  (c) D.A. Fura 1992
Date:    31 March 1992

This file contains the ml source for the phase-level specification of the
P-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
Laboratory, Boeing High Technology Center. The bulk of this code was
translated from an M-language simulation program using a translator written
by P.J. Windley at the University of Idaho.

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm s_block.th';;
new_theory 's_block';;
map new_parent ['saux_def';'aux_def';'array_def';'wordn_def'];;
bool#bool#wordn#wordn#bool#bool# sfsm_ty#bool#bool#bool#bool# bool # wordn # bool #
let s_state = "((S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0,
    S_fsm_src1, S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec,
    S_fsm_srs, S_fsm_scs, S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart,
    S_cpu_histA, S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
    S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail) :^s_state_ty)";;
let s_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) :^s_env_ty)";;
let s_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
    Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail) :^s_out_ty)";;

Next-state definition for Phase-A instruction.

let PH_A_inst_def = new_definition
 ('PH_A_inst',
  "!
(S_fsm_stateA S_fsm_state :sfsm_ty) (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn) (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f S_fsm_sc1f S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA S_instart S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail S_cpu_hist S_piu_fail :bool) (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_:bool). PH_A_inst (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1, S_fsm_spf, S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S\_fsm\_scs, S\_soft\_shot, S\_soft\_shot\_delA, S\_soft\_cntA, S\_delayA, S\_instart, S\_cpu\_histA, S\_soft\_shot, S\_sof S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail) (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) = let new_S_fsm_stateA = ((S_fsm_rst) => SSTART | ((S_fsm_state = SSTART) => SRA ((S_fsm_state = SRA) \Rightarrow ((S_fsm_delay6) \Rightarrow ((S_fsm_bypass) \Rightarrow SO \mid SPF) \mid SRA) \mid ((S_fsm_state = SPF) => SCOI | ((S_fsm_state = SCOI) => ((S_fsm_delay17) => SCOF \mid SCOI) \mid ((S_fsm_state = SC0F) \Rightarrow ST ((S fsm state = ST) => SC1I) ((S_fsm_state = SC1I) \Rightarrow ((S_fsm_delay17) \Rightarrow SC1F \mid SC1I) \mid ((S_fsm_state = SC1F) => SS1 ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP \mid SCS) \mid ((S_fsm_state = SSTOP) => SSTOP | ((S_fsm_state = SCS) \Rightarrow ((S_fsm_delay6) \Rightarrow SN \mid SCS) \mid ((S_fsm_state = SN) \Rightarrow ((S_fsm_delay17) \Rightarrow SO \mid SN) \mid let new_S_fsm_sn = (new_S_fsm_stateA = SN) in let new_S_fsm_so = (new_S_fsm_stateA = SO) in let\ 
new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) ∨ (new_S_fsm_stateA = SRA)
    ∨ (new_S_fsm_stateA = SC0F) ∨ (new_S_fsm_stateA = ST) ∨ (new_S_fsm_stateA = SC1F)
    ∨ (new_S_fsm_stateA = SS) ∨ (new_S_fsm_stateA = SCS)) in
let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) ∧ (~(new_S_fsm_stateA = SC0I))) in
let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) ∧ (~(new_S_fsm_stateA = SC1I))) in
let new_S_fsm_spf = ((S_fsm_state = SRA) ∧ S_fsm_delay6 ∧ ~S_fsm_rst) in
let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) ∨ ((S_fsm_state = SRA) ∧ S_fsm_delay6)
    ∨ (new_S_fsm_stateA = SC0F) ∨ (new_S_fsm_stateA = ST) ∨ (new_S_fsm_stateA = SC1F)
    ∨ (new_S_fsm_stateA = SS) ∨ ((S_fsm_state = SCS) ∧ S_fsm_delay6)) in
let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) ∧ (~(new_S_fsm_stateA = SO))) ∨ (S_fsm_state = SN)) in
let new_S_fsm_srs = (((S_fsm_state = SPF) ∧ ~S_fsm_rst) ∨ ((S_fsm_state = ST) ∧ ~S_fsm_rst)) in
let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
let new_S_soft_shot = (~Gcrh ∧ Gcrl) in
let new_S_soft_shot_delA = S_soft_shot_del in
let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
let new_S_delayA = ((new_S_fsm_src ∨ (new_S_fsm_scs ∧ (ELEMENT s_delay_out (6)))) => (WORDN 0) | S_delay) in
let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
let s_soft_cnt_out = ((new_S_soft_shot ∧ ~new_S_soft_shot_delA) =>
    (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
let s_cpu0_ok = (new_S_fsm_sc0f ∧ Failure0_ ∧ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (new_S_fsm_sc1f ∧ Failure1_ ∧ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu0_select = ((new_S_fsm_sn ∨ new_S_fsm_so) ∧ ~S_cpu0_fail) in
let s_cpu1_select = ((new_S_fsm_sn ∨ new_S_fsm_so) ∧ S_cpu0_fail ∧ ~S_cpu1_fail) in
let new_S_cpu_histA = (S_reset_cpu0 ∧ S_reset_cpu1 ∧ Bypass) in
let new_S_fsm_state = S_fsm_state in
let new_S_fsm_rst = S_fsm_rst in
let new_S_fsm_delay6 = S_fsm_delay6 in
let new_S_fsm_delay17 = S_fsm_delay17 in
let new_S_fsm_bothbad = S_fsm_bothbad in
let new_S_fsm_bypass = S_fsm_bypass in
let new_S_soft_shot_del = S_soft_shot_del in
let new_S_soft_cnt = S_soft_cnt in
let new_S_delay = S_delay in
let new_S_bad_cpu0 = S_bad_cpu0 in
let new_S_bad_cpu1 = S_bad_cpu1 in
let new_S_reset_cpu0 = S_reset_cpu0 in
let new_S_reset_cpu1 = S_reset_cpu1 in
let new_S_pmm_fail = S_pmm_fail in
let new_S_cpu0_fail = S_cpu0_fail in
let new_S_cpu1_fail = S_cpu1_fail in
let new_S_cpu_hist = S_cpu_hist in
let new_S_piu_fail = S_piu_fail in
(new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
 new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
 new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
 new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA,
 new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
 new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0,
 new_S_bad_cpu1, new_S_reset_cpu0, new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail,
 new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
);;

Output definition for Phase-A instruction.
let PH_A_out_def = new_definition
  (`PH_A_out`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
   (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
   (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f S_fsm_sc1f
    S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA S_instart
    S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del
    S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail S_cpu_hist
    S_piu_fail :bool)
   (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
  PH_A_out
   (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1, S_fsm_spf,
    S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S_fsm_scs,
    S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
    S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
   (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let new_S_fsm_stateA =
    ((S_fsm_rst) => SSTART |
    ((S_fsm_state = SSTART) => SRA |
    ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
    ((S_fsm_state = SPF) => SC0I |
    ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
    ((S_fsm_state = SC0F) => ST |
    ((S_fsm_state = ST) => SC1I |
    ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
    ((S_fsm_state = SC1F) => SS |
    ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
    ((S_fsm_state = SSTOP) => SSTOP |
    ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
    ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
  let new_S_fsm_sn = (new_S_fsm_stateA = SN) in
  let new_S_fsm_so = (new_S_fsm_stateA = SO) in
  let new_S_fsm_srcp = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_sdi = (((~(new_S_fsm_stateA = SO)) /\ (~(S_fsm_state = SSTOP))) \/ (S_fsm_state = SRA)) in
  let new_S_fsm_srp = ((new_S_fsm_stateA = SSTART) \/ (new_S_fsm_stateA = SRA) \/
                       (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                       (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS) \/
                       (new_S_fsm_stateA = SCS)) in
  let new_S_fsm_src0 = ((~(new_S_fsm_stateA = SPF)) /\ (~(new_S_fsm_stateA = SC0I))) in
  let new_S_fsm_src1 = ((~(new_S_fsm_stateA = ST)) /\ (~(new_S_fsm_stateA = SC1I))) in
  let new_S_fsm_spf = ((S_fsm_state = SRA) /\ S_fsm_delay6 /\ ~S_fsm_rst) in
  let new_S_fsm_sc0f = (new_S_fsm_stateA = SC0F) in
  let new_S_fsm_sc1f = (new_S_fsm_stateA = SC1F) in
  let new_S_fsm_spmf = (new_S_fsm_stateA = SO) in
  let new_S_fsm_sb = (new_S_fsm_stateA = SSTART) in
  let new_S_fsm_src = ((new_S_fsm_stateA = SSTART) \/ ((S_fsm_state = SRA) /\ S_fsm_delay6) \/
                       (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                       (new_S_fsm_stateA = SC1F) \/ (new_S_fsm_stateA = SS) \/
                       ((S_fsm_state = SCS) /\ S_fsm_delay6)) in
  let new_S_fsm_sec = (((~(new_S_fsm_stateA = SSTOP)) /\ (~(new_S_fsm_stateA = SO))) \/ (S_fsm_state = SN)) in
  let new_S_fsm_srs = (((S_fsm_state = SPF) /\ ~S_fsm_rst) \/ ((S_fsm_state = ST) /\ ~S_fsm_rst)) in
  let new_S_fsm_scs = (new_S_fsm_stateA = SCS) in
  let new_S_soft_shot = (~Gcrh /\ Gcrl) in
  let new_S_soft_shot_delA = S_soft_shot_del in
  let new_S_soft_cntA = ((new_S_fsm_srs) => (WORDN 0) | S_soft_cnt) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let new_S_delayA = ((new_S_fsm_src \/ (new_S_fsm_scs /\ (ELEMENT s_delay_out (6)))) =>
                      (WORDN 0) | S_delay) in
  let s_delay_out = ((new_S_fsm_sec) => (INCN 17 new_S_delayA) | new_S_delayA) in
  let new_S_instart = ((Test) => (ELEMENT s_delay_out (5)) | (ELEMENT s_delay_out (16))) in
  let s_soft_cnt_out = ((new_S_soft_shot /\ ~new_S_soft_shot_delA) =>
                        (INCN 2 new_S_soft_cntA) | new_S_soft_cntA) in
  let s_cpu0_ok = (new_S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (new_S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu0_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ ~S_cpu0_fail) in
  let s_cpu1_select = ((new_S_fsm_sn \/ new_S_fsm_so) /\ S_cpu0_fail /\ ~S_cpu1_fail) in
  let new_S_cpu_histA = (S_reset_cpu0 /\ S_reset_cpu1 /\ Bypass) in
  let new_S_fsm_state = S_fsm_state in
  let new_S_fsm_rst = S_fsm_rst in
  let new_S_fsm_delay6 = S_fsm_delay6 in
  let new_S_fsm_delay17 = S_fsm_delay17 in
  let new_S_fsm_bothbad = S_fsm_bothbad in
  let new_S_fsm_bypass = S_fsm_bypass in
  let new_S_soft_shot_del = S_soft_shot_del in
  let new_S_soft_cnt = S_soft_cnt in
  let new_S_delay = S_delay in
  let new_S_bad_cpu0 = S_bad_cpu0 in
  let new_S_bad_cpu1 = S_bad_cpu1 in
  let new_S_reset_cpu0 = S_reset_cpu0 in
  let new_S_reset_cpu1 = S_reset_cpu1 in
  let new_S_pmm_fail = S_pmm_fail in
  let new_S_cpu0_fail = S_cpu0_fail in
  let new_S_cpu1_fail = S_cpu1_fail in
  let new_S_cpu_hist = S_cpu_hist in
  let new_S_piu_fail = S_piu_fail in
  let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP) \/
                             (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN) \/
                             (new_S_fsm_stateA = SO))) in
  let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                            (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F) \/
                            (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP) \/
                            (new_S_fsm_stateA = SCS))) in
  let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I) \/
                            (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                            (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
  let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF) \/
                            (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I) \/
                            (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN) \/
                            (new_S_fsm_stateA = SO))) in
  let S_state = ss3 in
  let Reset_cport = new_S_fsm_srcp in
  let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
  let Reset_piu = new_S_fsm_srp in
  let Reset_cpu0 = new_S_reset_cpu0 in
  let Reset_cpu1 = new_S_reset_cpu1 in
  let Cpu_hist = new_S_cpu_hist in
  let Piu_fail = new_S_piu_fail in
  let Cpu0_fail = new_S_cpu0_fail in
  let Cpu1_fail = new_S_cpu1_fail in
  let Pmm_fail = new_S_pmm_fail in
  (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail,
   Cpu0_fail, Cpu1_fail, Pmm_fail)"
);;

let PH_B_inst_def = new_definition
  (`PH_B_inst`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
   (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
   (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f S_fsm_sc1f
    S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA S_instart
    S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del
    S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail S_cpu_hist
    S_piu_fail :bool)
   (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
  PH_B_inst
   (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1, S_fsm_spf,
    S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S_fsm_scs,
    S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
    S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
   (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let new_S_soft_shot_del = S_soft_shot in
  let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
  let new_S_delay = s_delay_out in
  let new_S_pmm_fail =
    ((S_fsm_sb /\ ~S_fsm_spmf) => T |
    ((~S_fsm_sb /\ S_fsm_spmf) => F |
    ((~S_fsm_sb /\ ~S_fsm_spmf) => S_pmm_fail | ARB))) in
  let new_S_cpu0_fail =
    ((S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
    ((~S_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
  let new_S_cpu1_fail =
    ((S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
    ((~S_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
  let new_S_piu_fail =
    ((S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => T |
    ((~S_fsm_sb /\ (S_fsm_spf \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
  let s_cpu0_select = ((S_fsm_sn \/ S_fsm_so) /\ ~new_S_cpu0_fail) in
  let s_cpu1_select = ((S_fsm_sn \/ S_fsm_so) /\ new_S_cpu0_fail /\ ~new_S_cpu1_fail) in
  let new_S_bad_cpu0 =
    ((S_fsm_sb /\ ~s_cpu0_select) => T |
    ((~S_fsm_sb /\ s_cpu0_select) => F |
    ((~S_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
  let new_S_bad_cpu1 =
    ((S_fsm_sb /\ ~s_cpu1_select) => T |
    ((~S_fsm_sb /\ s_cpu1_select) => F |
    ((~S_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
  let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
  let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
  let new_S_cpu_hist = S_cpu_histA in
  let new_S_fsm_state = S_fsm_stateA in
  let new_S_fsm_rst = Rst in
  let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
  let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
  let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
  let new_S_fsm_bypass = Bypass in
  let new_S_fsm_stateA = S_fsm_stateA in
  let new_S_fsm_sn = S_fsm_sn in
  let new_S_fsm_so = S_fsm_so in
  let new_S_fsm_srcp = S_fsm_srcp in
  let new_S_fsm_sdi = S_fsm_sdi in
  let new_S_fsm_srp = S_fsm_srp in
  let new_S_fsm_src0 = S_fsm_src0 in
  let new_S_fsm_src1 = S_fsm_src1 in
  let new_S_fsm_spf = S_fsm_spf in
  let new_S_fsm_sc0f = S_fsm_sc0f in
  let new_S_fsm_sc1f = S_fsm_sc1f in
  let new_S_fsm_spmf = S_fsm_spmf in
  let new_S_fsm_sb = S_fsm_sb in
  let new_S_fsm_src = S_fsm_src in
  let new_S_fsm_sec = S_fsm_sec in
  let new_S_fsm_srs = S_fsm_srs in
  let new_S_fsm_scs = S_fsm_scs in
  let new_S_soft_shot = S_soft_shot in
  let new_S_soft_shot_delA = S_soft_shot_delA in
  let new_S_soft_cntA = S_soft_cntA in
  let new_S_delayA = S_delayA in
  let new_S_instart = S_instart in
  let new_S_cpu_histA = S_cpu_histA in
  (new_S_fsm_stateA, new_S_fsm_sn, new_S_fsm_so, new_S_fsm_srcp, new_S_fsm_sdi, new_S_fsm_srp,
   new_S_fsm_src0, new_S_fsm_src1, new_S_fsm_spf, new_S_fsm_sc0f, new_S_fsm_sc1f, new_S_fsm_spmf,
   new_S_fsm_sb, new_S_fsm_src, new_S_fsm_sec, new_S_fsm_srs, new_S_fsm_scs, new_S_soft_shot,
   new_S_soft_shot_delA, new_S_soft_cntA, new_S_delayA, new_S_instart, new_S_cpu_histA,
   new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
   new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0,
   new_S_bad_cpu1, new_S_reset_cpu0, new_S_reset_cpu1, new_S_pmm_fail, new_S_cpu0_fail,
   new_S_cpu1_fail, new_S_cpu_hist, new_S_piu_fail)"
);;

%------------------------------------------------------------------------------
 Output definition for Phase-B instruction.
------------------------------------------------------------------------------%

let PH_B_out_def = new_definition
  (`PH_B_out`,
   "! (S_fsm_stateA S_fsm_state :sfsm_ty)
   (S_soft_cntA S_delayA S_soft_cnt S_delay :wordn)
   (S_fsm_sn S_fsm_so S_fsm_srcp S_fsm_sdi S_fsm_srp S_fsm_src0 S_fsm_src1 S_fsm_spf S_fsm_sc0f S_fsm_sc1f
    S_fsm_spmf S_fsm_sb S_fsm_src S_fsm_sec S_fsm_srs S_fsm_scs S_soft_shot S_soft_shot_delA S_instart
    S_cpu_histA S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del
    S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_pmm_fail S_cpu0_fail S_cpu1_fail S_cpu_hist
    S_piu_fail :bool)
   (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool).
  PH_B_out
   (S_fsm_stateA, S_fsm_sn, S_fsm_so, S_fsm_srcp, S_fsm_sdi, S_fsm_srp, S_fsm_src0, S_fsm_src1, S_fsm_spf,
    S_fsm_sc0f, S_fsm_sc1f, S_fsm_spmf, S_fsm_sb, S_fsm_src, S_fsm_sec, S_fsm_srs, S_fsm_scs,
    S_soft_shot, S_soft_shot_delA, S_soft_cntA, S_delayA, S_instart, S_cpu_histA,
    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
    S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_cpu_hist, S_piu_fail)
   (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
  let s_soft_cnt_out = ((S_soft_shot /\ ~S_soft_shot_delA) => (INCN 2 S_soft_cntA) | S_soft_cntA) in
  let s_delay_out = ((S_fsm_sec) => (INCN 17 S_delayA) | S_delayA) in
  let s_cpu0_ok = (S_fsm_sc0f /\ Failure0_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let s_cpu1_ok = (S_fsm_sc1f /\ Failure1_ /\ (s_soft_cnt_out = (WORDN 5))) in
  let new_S_soft_shot_del = S_soft_shot in
  let new_S_soft_cnt = ((~Gcrh /\ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
  let new_S_delay = s_delay_out in
  let new_S_pmm_fail =
    ((S_fsm_sb /\ ~S_fsm_spmf) => T |
    ((~S_fsm_sb /\ S_fsm_spmf) => F |
    ((~S_fsm_sb /\ ~S_fsm_spmf) => S_pmm_fail | ARB))) in
  let new_S_cpu0_fail =
    ((S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => T |
    ((~S_fsm_sb /\ (s_cpu0_ok \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(s_cpu0_ok \/ Bypass)) => S_cpu0_fail | ARB))) in
  let new_S_cpu1_fail =
    ((S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => T |
    ((~S_fsm_sb /\ (s_cpu1_ok \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(s_cpu1_ok \/ Bypass)) => S_cpu1_fail | ARB))) in
  let new_S_piu_fail =
    ((S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => T |
    ((~S_fsm_sb /\ (S_fsm_spf \/ Bypass)) => F |
    ((~S_fsm_sb /\ ~(S_fsm_spf \/ Bypass)) => S_piu_fail | ARB))) in
  let s_cpu0_select = ((S_fsm_sn \/ S_fsm_so) /\ ~new_S_cpu0_fail) in
  let s_cpu1_select = ((S_fsm_sn \/ S_fsm_so) /\ new_S_cpu0_fail /\ ~new_S_cpu1_fail) in
  let new_S_bad_cpu0 =
    ((S_fsm_sb /\ ~s_cpu0_select) => T |
    ((~S_fsm_sb /\ s_cpu0_select) => F |
    ((~S_fsm_sb /\ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
  let new_S_bad_cpu1 =
    ((S_fsm_sb /\ ~s_cpu1_select) => T |
    ((~S_fsm_sb /\ s_cpu1_select) => F |
    ((~S_fsm_sb /\ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
  let new_S_reset_cpu0 = (new_S_bad_cpu0 /\ S_fsm_src0) in
  let new_S_reset_cpu1 = (new_S_bad_cpu1 /\ S_fsm_src1) in
  let new_S_cpu_hist = S_cpu_histA in
  let new_S_fsm_state = S_fsm_stateA in
  let new_S_fsm_rst = Rst in
  let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
  let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
  let new_S_fsm_bothbad = (new_S_cpu0_fail /\ new_S_cpu1_fail) in
  let new_S_fsm_bypass = Bypass in
  let new_S_fsm_stateA = S_fsm_stateA in
  let new_S_fsm_sn = S_fsm_sn in
  let new_S_fsm_so = S_fsm_so in
  let new_S_fsm_srcp = S_fsm_srcp in
  let new_S_fsm_sdi = S_fsm_sdi in
  let new_S_fsm_srp = S_fsm_srp in
  let new_S_fsm_src0 = S_fsm_src0 in
  let new_S_fsm_src1 = S_fsm_src1 in
  let new_S_fsm_spf = S_fsm_spf in
  let new_S_fsm_sc0f = S_fsm_sc0f in
  let new_S_fsm_sc1f = S_fsm_sc1f in
  let new_S_fsm_spmf = S_fsm_spmf in
  let new_S_fsm_sb = S_fsm_sb in
  let new_S_fsm_src = S_fsm_src in
  let new_S_fsm_sec = S_fsm_sec in
  let new_S_fsm_srs = S_fsm_srs in
  let new_S_fsm_scs = S_fsm_scs in
  let new_S_soft_shot = S_soft_shot in
  let new_S_soft_shot_delA = S_soft_shot_delA in
  let new_S_soft_cntA = S_soft_cntA in
  let new_S_delayA = S_delayA in
  let new_S_instart = S_instart in
  let new_S_cpu_histA = S_cpu_histA in
  let ss0 = (ALTER ARBN (0) ((new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP) \/
                             (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN) \/
                             (new_S_fsm_stateA = SO))) in
  let ss1 = (ALTER ss0 (1) ((new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                            (new_S_fsm_stateA = SC1I) \/ (new_S_fsm_stateA = SC1F) \/
                            (new_S_fsm_stateA = SS) \/ (new_S_fsm_stateA = SSTOP) \/
                            (new_S_fsm_stateA = SCS))) in
  let ss2 = (ALTER ss1 (2) ((new_S_fsm_stateA = SPF) \/ (new_S_fsm_stateA = SC0I) \/
                            (new_S_fsm_stateA = SC0F) \/ (new_S_fsm_stateA = ST) \/
                            (new_S_fsm_stateA = SSTOP) \/ (new_S_fsm_stateA = SO))) in
  let ss3 = (ALTER ss2 (3) ((new_S_fsm_stateA = SRA) \/ (new_S_fsm_stateA = SPF) \/
                            (new_S_fsm_stateA = ST) \/ (new_S_fsm_stateA = SC1I) \/
                            (new_S_fsm_stateA = SCS) \/ (new_S_fsm_stateA = SN) \/
                            (new_S_fsm_stateA = SO))) in
  let S_state = ss3 in
  let Reset_cport = new_S_fsm_srcp in
  let Disable_int = (~new_S_instart /\ ~(new_S_fsm_sn /\ (ELEMENT s_delay_out (6))) /\ new_S_fsm_sdi) in
  let Reset_piu = new_S_fsm_srp in
  let Reset_cpu0 = new_S_reset_cpu0 in
  let Reset_cpu1 = new_S_reset_cpu1 in
  let Cpu_hist = new_S_cpu_hist in
  let Piu_fail = new_S_piu_fail in
  let Cpu0_fail = new_S_cpu0_fail in
  let Cpu1_fail = new_S_cpu1_fail in
  let Pmm_fail = new_S_pmm_fail in
  (S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail,
   Cpu0_fail, Cpu1_fail, Pmm_fail)"
);;

close_theory();;
```

# Appendix D ML Source for the Clock-Level Specification of the PIU Ports

This appendix contains the HOL models for the clock-level specification for the PIU ports. The ports are listed in the order: P_Port, M_Port, R_Port, C_Port, and SU_Cont.

#### **D.1 P Port Specification**

```
%------------------------------------------------------------------------------
 File:    p_clock1.ml

 Author:  (c) D.A. Fura 1992

 Date:    31 March 1992

 This file contains the ml source for the clock-level specification of the
 P-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
 Laboratory, Boeing High Technology Center. The bulk of this code was
 translated from an M-language simulation program using a translator written
 by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;

system `rm p_clock1.th`;;

new_theory `p_clock1`;;

map new_parent [`paux_def`;`aux_def`;`array_def`;`wordn_def`];;

let pc_state = "((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_,
                  P_fsm_hold_, P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
                 :^pc_state_ty)";;

let pc_env = "((ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_,
                I_hold_, I_srdy_)
               :^pc_env_ty)";;

let pc_out = "((L_ad_out, L_ready_, I_ad_data_out, I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_,
                I_cale_, I_mrdy_, I_last_, I_hlda_, I_lock_)
               :^pc_out_ty)";;

%------------------------------------------------------------------------------
 Next-state definition for EXEC instruction.
------------------------------------------------------------------------------%

let pEXEC_inst_def = new_definition
  (`pEXEC_inst`,
   "! (P_fsm_state :pfsm_ty)
   (P_addr P_be_ P_size :wordn)
   (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
    P_lock_inh_ P_male_ P_rale_ :bool)
   (L_ad_in L_be_ I_ad_in :wordn)
   (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
  pEXEC_inst
   (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
    P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
   (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
  let new_P_fsm_state =
    ((P_fsm_rst) => PA |
    ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
    ((P_fsm_state = PA) =>
      (((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
       ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
    ((P_fsm_state = PD) =>
      (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
       ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
  let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
  let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
  let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
  let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
  let new_P_size = ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
                   ((P_down) => (DECN 1 P_size) | P_size)) in
  let p_ale = (~L_ads_ /\ L_den_) in
  let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\ (new_P_fsm_state = PD)) in
  let new_P_rqt =
    ((p_ale /\ ~(p_sack \/ Rst)) => T |
    ((~p_ale /\ (p_sack \/ Rst)) => F |
    ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
  let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
  let new_P_male_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
  let new_P_rale_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
  let new_P_lock_ = ((Rst) => T |
                    ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
  let new_P_lock_inh_ = ((Rst) => T |
                        ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
  let new_P_fsm_rst = Rst in
  let new_P_fsm_sack = p_sack in
  let new_P_fsm_cgnt_ = I_cgnt_ in
  let new_P_fsm_hold_ = I_hold_ in
  (new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack,
   new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_,
   new_P_male_, new_P_rale_)"
);;

%------------------------------------------------------------------------------
 Output definition for EXEC instruction.
------------------------------------------------------------------------------%

let pEXEC_out_def = new_definition
  (`pEXEC_out`,
   "! (P_fsm_state :pfsm_ty)
   (P_addr P_be_ P_size :wordn)
   (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_
    P_lock_inh_ P_male_ P_rale_ :bool)
   (L_ad_in L_be_ I_ad_in :wordn)
   (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ I_cgnt_ I_hold_ I_srdy_ :bool).
  pEXEC_out
   (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
    P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_)
   (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, I_ad_in, I_cgnt_, I_hold_, I_srdy_) =
  let new_P_fsm_state =
    ((P_fsm_rst) => PA |
    ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
    ((P_fsm_state = PA) =>
      (((P_rqt /\ ~P_dest1) \/ (P_rqt /\ P_dest1 /\ ~P_fsm_cgnt_)) => PD |
       ((~P_fsm_hold_ /\ P_lock_) => PH | PA)) |
    ((P_fsm_state = PD) =>
      (((P_fsm_sack /\ P_fsm_hold_) \/ (P_fsm_sack /\ ~P_fsm_hold_ /\ ~P_lock_)) => PA |
       ((P_fsm_sack /\ ~P_fsm_hold_ /\ P_lock_) => PH | PD)) | P_ILL)))) in
  let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
  let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
  let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
  let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
  let new_P_size = ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
                   ((P_down) => (DECN 1 P_size) | P_size)) in
  let p_ale = (~L_ads_ /\ L_den_) in
  let p_sack = ((new_P_size = ((P_down) => (WORDN 1) | (WORDN 0))) /\ ~I_srdy_ /\
                (new_P_fsm_state = PD)) in
  let new_P_rqt =
    ((p_ale /\ ~(p_sack \/ Rst)) => T |
    ((~p_ale /\ (p_sack \/ Rst)) => F |
    ((~p_ale /\ ~(p_sack \/ Rst)) => P_rqt | ARB))) in
  let new_P_down = (~I_srdy_ /\ (new_P_fsm_state = PD)) in
  let new_P_male_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ new_P_rqt) | P_male_) in
  let new_P_rale_ = ((new_P_fsm_state = PA) =>
    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ new_P_rqt) | P_rale_) in
  let new_P_lock_ = ((Rst) => T |
                    ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
  let new_P_lock_inh_ = ((Rst) => T |
                        ((~new_P_male_ \/ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
  let new_P_fsm_rst = Rst in
  let new_P_fsm_sack = p_sack in
  let new_P_fsm_cgnt_ = I_cgnt_ in
  let new_P_fsm_hold_ = I_hold_ in
  let L_ad_out = (((~(new_P_fsm_state = PA)) /\
                   (~(new_P_fsm_state = PH)) /\
                   ~((new_P_fsm_state = PD) /\ new_P_wr)) => I_ad_in | ARBN) in
  let L_ready_ = ~(~I_srdy_ /\ (new_P_fsm_state = PD)) in
  let od0 = ARBN in
  let od1 = (MALTER od0 (31,27) new_P_be_) in
  let od2 = (ALTER od1 (26) F) in
  let od3 = (MALTER od2 (25,24) (SUBARRAY new_P_addr (1,0))) in
  let od4 = (MALTER od3 (23,0) (SUBARRAY new_P_addr (25,2))) in
  let I_ad_addr_out = ((new_P_fsm_state = PA) => od4 | ARBN) in
  let I_ad_data_out = (((new_P_fsm_state = PD) /\ new_P_wr) => L_ad_in | ARBN) in
  let I_be_ = ((~(new_P_fsm_state = PH)) =>
               ((new_P_fsm_state = PA) => new_P_be_ | L_be_) | ARBN) in
  let I_rale_ = ((~(new_P_fsm_state = PH)) =>
    ~(~new_P_dest1 /\ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) /\ (new_P_fsm_state = PA)
      /\ new_P_rqt) | ARB) in
  let I_male_ = ((~(new_P_fsm_state = PH)) =>
    ~(~new_P_dest1 /\ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) /\ (new_P_fsm_state = PA)
      /\ new_P_rqt) | ARB) in
  let I_crqt_ = ~(new_P_dest1 /\ new_P_rqt) in
  let I_cale_ = ~(~I_cgnt_ /\ (new_P_fsm_state = PA) /\ I_hold_) in
  let I_mrdy_ = ((~(new_P_fsm_state = PH)) => F | ARB) in
  let I_last_ = ((~(new_P_fsm_state = PH)) =>
                 (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | ARB) in
  let I_hlda_ = ~(new_P_fsm_state = PH) in
  let I_lock_ = ~(~new_P_lock_ /\ new_P_lock_inh_) in
  (L_ad_out, L_ready_, I_ad_data_out,
I_ad_addr_out, I_be_, I_rale_, I_male_, I_crqt_, I_cale_, I_mrdy_, I_last_, I_hlda_, I_lock_)" );; close_theory();; ``` 185 ### **D.2 M Port Specification** ``` File: m_clock1.ml Author: (c) D.A. Fura 1992 31 March 1992 Date: This file contains the ml source for the clock-level specification of the M-Port of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. The bulk of this code was translated from an M-language simulation program using a translator written by P.J. Windley at the University of Idaho. set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);; system 'rm m_clock1.th';; new_theory 'm_clock1';; loadf 'abstract';; map new_parent ['maux_def';'aux_def';'array_def';'wordn_def'];; let mc_state = "((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect) :^mc_state_ty)";; let mc_env = "((ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_, MB_data_in, Edac_en_, Reset_parity) :^mc_env_ty)";; let mc_out = "((I_ad_out, I_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity) :^mc_out_ty)";; let rep_ty = abstract_type 'aux_def' 'Andn';; Next-state definition for EXEC instruction. let mEXEC_inst_def = new_definition ('mEXEC_inst', "! (M_fsm_state :mfsm_ty) (M_count M_addr M_be M_rd_data M_detect :wordn) (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool) (I_ad_in I_be_ MB_data_in :wordn) ``` ``` (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool) (rep:^rep_ty) . 
  mEXEC_inst
    (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr, M_be,
     M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
    (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
     MB_data_in, Edac_en_, Reset_parity)
    rep =
  let m_bw = ((~(M_be = (WORDN 15))) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
  let m_ww = ((M_be = (WORDN 15)) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
  let new_M_fsm_state =
    ((M_fsm_rst) => MI |
    ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
    ((M_fsm_state = MA) =>
       ((~M_fsm_mrdy_ ∧ m_ww) => MW |
        ((~M_fsm_mrdy_ ∧ ((~M_wr ∧ (~(M_fsm_state = MI))) ∨ m_bw)) => MR | MA)) |
    ((M_fsm_state = MR) =>
       ((m_bw ∧ (M_count = (WORDN 0))) => MBW |
        ((M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MA |
        ((~M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MRR | MR))) |
    ((M_fsm_state = MRR) => MI |
    ((M_fsm_state = MW) =>
       ((~M_fsm_last_ ∧ (M_count = (WORDN 0))) => MI |
        ((M_fsm_last_ ∧ (M_count = (WORDN 0))) => MA | MW)) |
    ((M_fsm_state = MBW) => MW | M_ILL))))))) in
  let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
  let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
  let new_M_addr = ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
                    ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
  let new_M_count =
    (((new_M_fsm_state = MA) ∨ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
     (((new_M_fsm_state = MW) ∨ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
  let m_rdy = (((new_M_fsm_state = MW) ∧ (new_M_count = (WORDN 0))) ∨
               ((new_M_fsm_state = MR) ∧ (new_M_count = (WORDN 0)) ∧ ~new_M_wr)) in
  let m_srdy_ = ~((M_rdy ∧ ~new_M_wr) ∨ (m_rdy ∧ new_M_wr)) in
  let new_M_be = ((~I_male_ ∨ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
  let new_M_rdy = m_rdy in
  let new_M_wwdel = ((new_M_fsm_state = MA) ∧ new_M_wr ∧ (new_M_be = (WORDN 15))) in
  let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
  let new_M_detect =
    ((((new_M_fsm_state = MR) ∧ ~new_M_wr) ∨ new_M_wr ∨ (new_M_fsm_state = MI)) =>
       ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
  let m_error = (~m_srdy_ ∧ (~(new_M_fsm_state = MI)) ∧ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
  let new_M_parity =
    ((m_error ∧ ~(Rst ∨ Reset_parity)) => T |
    ((~m_error ∧ (Rst ∨ Reset_parity)) => F |
    ((~m_error ∧ ~(Rst ∨ Reset_parity)) => M_parity | ARB))) in
  let new_M_fsm_male_ = I_male_ in
  let new_M_fsm_last_ = I_last_ in
  let new_M_fsm_mrdy_ = I_mrdy_ in
  let new_M_fsm_rst = Rst in
  (new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count,
   new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data,
   new_M_detect)"
 );;

% Output definition for EXEC instruction. %

let mEXEC_out_def = new_definition
 ('mEXEC_out',
  "! (M_fsm_state :mfsm_ty)
     (M_count M_addr M_be M_rd_data M_detect :wordn)
     (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
     (I_ad_in I_be_ MB_data_in :wordn)
     (ClkA ClkB Rst Disable_eeprom Disable_writes I_male_ I_last_ I_mrdy_ Edac_en_ Reset_parity :bool)
     (rep:^rep_ty) .
  mEXEC_out
    (M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr, M_be,
     M_rdy, M_wwdel, M_parity, M_rd_data, M_detect)
    (ClkA, ClkB, Rst, Disable_eeprom, Disable_writes, I_ad_in, I_male_, I_last_, I_be_, I_mrdy_,
     MB_data_in, Edac_en_, Reset_parity)
    rep =
  let m_bw = ((~(M_be = (WORDN 15))) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
  let m_ww = ((M_be = (WORDN 15)) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
  let new_M_fsm_state =
    ((M_fsm_rst) => MI |
    ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
    ((M_fsm_state = MA) =>
       ((~M_fsm_mrdy_ ∧ m_ww) => MW |
        ((~M_fsm_mrdy_ ∧ ((~M_wr ∧ (~(M_fsm_state = MI))) ∨ m_bw)) => MR | MA)) |
    ((M_fsm_state = MR) =>
       ((m_bw ∧ (M_count = (WORDN 0))) => MBW |
        ((M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MA |
        ((~M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MRR | MR))) |
    ((M_fsm_state = MRR) => MI |
    ((M_fsm_state = MW) =>
       ((~M_fsm_last_ ∧ (M_count = (WORDN 0))) => MI |
        ((M_fsm_last_ ∧ (M_count = (WORDN 0))) => MA | MW)) |
    ((M_fsm_state = MBW) => MW | M_ILL))))))) in
  let new_M_se = ((~I_male_) => (ELEMENT I_ad_in (23)) | M_se) in
  let new_M_wr = ((~I_male_) => (ELEMENT I_ad_in (27)) | M_wr) in
  let new_M_addr = ((~I_male_) => (SUBARRAY I_ad_in (18,0)) |
                    ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
  let new_M_count =
    (((new_M_fsm_state = MA) ∨ (new_M_fsm_state = MBW)) => ((new_M_se) => (WORDN 1) | (WORDN 2)) |
     (((new_M_fsm_state = MW) ∨ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
  let m_rdy = (((new_M_fsm_state = MW) ∧ (new_M_count = (WORDN 0))) ∨
               ((new_M_fsm_state = MR) ∧ (new_M_count = (WORDN 0)) ∧ ~new_M_wr)) in
  let m_srdy_ = ~((M_rdy ∧ ~new_M_wr) ∨ (m_rdy ∧ new_M_wr)) in
  let new_M_be = ((~I_male_ ∨ ~m_srdy_) => (NOTN 3 I_be_) | M_be) in
  let new_M_rdy = m_rdy in
  let new_M_wwdel = ((new_M_fsm_state = MA) ∧ new_M_wr ∧ (new_M_be = (WORDN 15))) in
  let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
  let new_M_detect =
    ((((new_M_fsm_state = MR) ∧ ~new_M_wr) ∨ new_M_wr ∨ (new_M_fsm_state = MI)) =>
       ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
  let m_error = (~m_srdy_ ∧ (~(new_M_fsm_state = MI)) ∧ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
  let new_M_parity =
    ((m_error ∧ ~(Rst ∨ Reset_parity)) => T |
    ((~m_error ∧ (Rst ∨ Reset_parity)) => F |
    ((~m_error ∧ ~(Rst ∨ Reset_parity)) => M_parity | ARB))) in
  let new_M_fsm_male_ = I_male_ in
  let new_M_fsm_last_ = I_last_ in
  let new_M_fsm_mrdy_ = I_mrdy_ in
  let new_M_fsm_rst = Rst in
  let I_ad_out = ((~new_M_wr ∧ (~(new_M_fsm_state = MI))) => M_rd_data | ARBN) in
  let I_srdy_ = (((~(new_M_fsm_state = MI))) => m_srdy_ | ARB) in
  let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in
  let mb_data_7_0 = (((ELEMENT M_be (0))) => (SUBARRAY I_ad_in (7,0)) | (SUBARRAY M_rd_data (7,0))) in
  let mb_data_15_8 = (((ELEMENT M_be (1))) => (SUBARRAY I_ad_in (15,8)) | (SUBARRAY M_rd_data (15,8))) in
  let mb_data_23_16 = (((ELEMENT M_be (2))) => (SUBARRAY I_ad_in (23,16)) | (SUBARRAY M_rd_data (23,16))) in
  let mb_data_31_24 = (((ELEMENT M_be (3))) => (SUBARRAY I_ad_in (31,24)) | (SUBARRAY M_rd_data (31,24))) in
  let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0) (15,8) mb_data_15_8)
                                 (23,16) mb_data_23_16) (31,24) mb_data_31_24)) in
  let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in
  let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) ∧ ~new_M_se) in
  let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) ∧ new_M_se) in
  let MB_we_ = ~((new_M_se ∨ ~(~(new_M_fsm_state = MI)) ∨ ~Disable_eeprom)
                 ∧ ~Disable_writes
                 ∧ ((new_M_fsm_state = MBW) ∨ (new_M_fsm_state = MW) ∨ new_M_wwdel)) in
  let MB_oe_ = ~((~new_M_wr ∧ (new_M_fsm_state = MA)) ∨ (new_M_fsm_state = MR)) in
  let MB_parity = new_M_parity in
  (I_ad_out, I_srdy_, MB_addr,
   MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, MB_parity)"
 );;

close_theory();;
```

### **D.3 R Port Specification**

```
%------------------------------------------------------------------------------
  File:         r_clock1.ml
  Author:       (c) D.A. Fura 1992
  Date:         31 March 1992

  This file contains the ml source for the clock-level specification of the
  R-Port of the FTEP PIU, an ASIC developed by the Embedded Processing
  Laboratory, Boeing High Technology Center. The bulk of this code was
  translated from an M-language simulation program using a translator written
  by P.J. Windley at the University of Idaho.
------------------------------------------------------------------------------%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;

system 'rm r_clock1.th';;

new_theory 'r_clock1';;

loadf 'abstract';;

map new_parent ['raux_def';'aux_def';'array_def';'wordn_def'];;

let rc_state_ty = ":(rfsm_ty#bool#bool#bool#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     wordn#bool#wordn#bool#wordn#bool#wordn#bool#
                     bool#wordn#wordn#bool#wordn#wordn#bool#wordn#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#bool#bool#bool#wordn#wordn)";;

let rc_state = "((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
                  R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
                  R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
                  R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
                  R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
                  R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
                  R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
                  R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch)
                 :^rc_state_ty)";;

let rc_env_ty = ":(bool#bool#wordn#bool#bool#wordn#bool#bool#bool#wordn#wordn#bool#bool#
                   wordn#wordn#wordn#bool#bool#wordn)";;

let rc_env = "((ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
                Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss)
               :^rc_env_ty)";;

let r_out = "((I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)
              :^r_out_ty)";;

let rep_ty = abstract_type 'aux_def' 'Andn';;

% Next-state definition for EXEC instruction. %

let rEXEC_inst_def = new_definition
 ('rEXEC_inst',
  "! (rep :^rep_ty)
     (R_fsm_state :rfsm_ty)
     (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out
      R_ctr2_in R_ctr2 R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out
      R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel R_busA_latch :wordn)
     (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
      R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
      R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden
      R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
      R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
      R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis R_int3_dis
      R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
     (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
     (ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes Piu_fail Pmm_fail
      CB_parity MB_parity :bool) .
  rEXEC_inst rep
    (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
     R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
     R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
     R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
     R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
     R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
     R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
     R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch)
    (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes,
     Cpu_fail, Reset_cpu, Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
  let new_R_fsm_state =
    ((R_fsm_rst) => RI |
    ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
    ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
    ((~R_fsm_last_) => RI | RA)))) in
  let r_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
  let r_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
  let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
  let new_R_cntlatch_del = r_fsm_cntlatch in
  let new_R_srdy_del_ = r_fsm_srdy_ in
  let new_R_reg_sel = ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
                       ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
  let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
  let r_writeA = (~Disable_writes ∧ R_wr ∧ (new_R_fsm_state = RD)) in
  let r_writeB = (~Disable_writes ∧ new_R_wr ∧ (new_R_fsm_state = RD)) in
  let r_readA = (~R_wr ∧ (new_R_fsm_state = RA)) in
  let r_readB = (~new_R_wr ∧ (new_R_fsm_state = RA)) in
  let r_cir_wr01A = ((r_writeA ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
  let r_cir_wr01B = ((r_writeB ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
  let r_cir_wr23A = ((r_writeA ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
  let r_cir_wr23B = ((r_writeB ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
  let new_R_ccr = ((r_writeB ∧ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
  let new_R_ccr_rden = (r_readB ∧ (r_reg_sel = (WORDN 3))) in
  let new_R_gcr = ((r_writeB ∧ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
  let new_R_gcr_rden = (r_readB ∧ (r_reg_sel = (WORDN 2))) in
  let new_R_c01_cout_del = R_ctr1_cry in
  let new_R_int1_en =
    ((((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
      ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
    ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
      (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
    ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
      ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en | ARB))) in
  let new_R_c23_cout_del = R_ctr3_cry in
  let new_R_int2_en =
    ((((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
      ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => T |
    ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
      (~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
    ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
      ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en | ARB))) in
  let new_R_ctr0_in = ((r_writeB ∧ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
  let new_R_ctr0_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
  let new_R_ctr0_irden = (r_readB ∧ (r_reg_sel = (WORDN 8))) in
  let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
  let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
  let new_R_ctr0_cry = ((ONES 31 R_ctr0) ∧ (ELEMENT new_R_gcr (19))) in
  let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
  let new_R_ctr0_orden = (r_readB ∧ (r_reg_sel = (WORDN 12))) in
  let new_R_ctr1_in = ((r_writeB ∧ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
  let new_R_ctr1_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
  let new_R_ctr1_irden = (r_readB ∧ (r_reg_sel = (WORDN 9))) in
  let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
  let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
  let new_R_ctr1_cry = ((ONES 31 R_ctr1) ∧ R_ctr0_cry) in
  let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
  let new_R_ctr1_orden = (r_readB ∧ (r_reg_sel = (WORDN 13))) in
  let new_R_ctr2_in = ((r_writeB ∧ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
  let new_R_ctr2_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
  let new_R_ctr2_irden = (r_readB ∧ (r_reg_sel = (WORDN 10))) in
  let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
  let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
  let new_R_ctr2_cry = ((ONES 31 R_ctr2) ∧ (ELEMENT new_R_gcr (23))) in
  let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
  let new_R_ctr2_orden = (r_readB ∧ (r_reg_sel = (WORDN 14))) in
  let new_R_ctr3_in = ((r_writeB ∧ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
  let new_R_ctr3_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
  let new_R_ctr3_irden = (r_readB ∧ (r_reg_sel = (WORDN 11))) in
  let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
  let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
  let new_R_ctr3_cry = ((ONES 31 R_ctr3) ∧ R_ctr3_cry) in
  let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
  let new_R_ctr3_orden = (r_readB ∧ (r_reg_sel = (WORDN 15))) in
  let new_R_icr_load = (r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
  let new_R_icr_old =
    ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
  let new_R_icr_mask =
    ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
  let new_R_icr =
    ((R_icr_load) =>
       ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) |
                                      (Orn rep (R_icr_old, R_icr_mask))) |
       R_icr) in
  let new_R_icr_rden = ((new_R_fsm_state = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
  let sr28 = (ALTER ARBN (28) MB_parity) in
  let sr28_25 = (MALTER sr28 (27,25) C_ss) in
  let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
  let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
  let sr28_16 = (MALTER sr28_22 (21,16) Id) in
  let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
  let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
  let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
  let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
  let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
  let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
```
    let new_R_sr_rden = (r_readB ∧ (r_reg_sel = (WORDN 4))) in
    let r_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
                     ((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
                     ((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
                     ((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
                     ((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
                     ((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
                     ((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
                     ((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
    let new_R_int0_dis = r_int0_en in
    let r_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨
                     ((ELEMENT R_icr (17)) ∧ (ELEMENT R_icr (25))) ∨
                     ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨
                     ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) ∨
                     ((ELEMENT R_icr (20)) ∧ (ELEMENT R_icr (28))) ∨
                     ((ELEMENT R_icr (21)) ∧ (ELEMENT R_icr (29))) ∨
                     ((ELEMENT R_icr (22)) ∧ (ELEMENT R_icr (30))) ∨
                     ((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
    let new_R_int3_dis = r_int3_en in
    let new_R_busA_latch =
     ((R_ctr0_irden) => R_ctr0_in |
     ((R_ctr0_orden) => R_ctr0_out |
     ((R_ctr1_irden) => R_ctr1_in |
     ((R_ctr1_orden) => R_ctr1_out |
     ((R_ctr2_irden) => R_ctr2_in |
     ((R_ctr2_orden) => R_ctr2_out |
     ((R_ctr3_irden) => R_ctr3_in |
     ((R_ctr3_orden) => R_ctr3_out |
     ((R_icr_rden) => new_R_icr |
     ((R_ccr_rden) => R_ccr |
     ((R_gcr_rden) => R_gcr |
     ((R_sr_rden) => R_sr | ARB)))))))))))) in
    let new_R_fsm_ale_ = I_rale_ in
    let new_R_fsm_mrdy_ = I_mrdy_ in
    let new_R_fsm_last_ = I_last_ in
    let new_R_fsm_rst = Rst in
    (new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst,
     new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry,
     new_R_ctr0_out, new_R_ctr0_orden,
     new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new, new_R_ctr1_cry,
     new_R_ctr1_out, new_R_ctr1_orden,
     new_R_ctr2_in, new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden, new_R_ctr2_new, new_R_ctr2_cry,
     new_R_ctr2_out, new_R_ctr2_orden,
     new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3, new_R_ctr3_irden, new_R_ctr3_new, new_R_ctr3_cry,
     new_R_ctr3_out, new_R_ctr3_orden,
     new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr_rden, new_R_icr,
     new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr, new_R_sr_rden,
     new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en,
     new_R_wr, new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch)"
 );;

% Output definition for EXEC instruction. %

let rEXEC_out_def = new_definition
 (`rEXEC_out`,
  "! (rep:^rep_ty)
     (R_fsm_state :rfsm_ty)
     (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out
      R_ctr2_in R_ctr2 R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out
      R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel R_busA_latch :wordn)
     (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
      R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
      R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden
      R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
      R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
      R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden
      R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en
      R_wr R_cntlatch_del R_srdy_del_ :bool)
     (I_ad_in I_be_ Cpu_fail Reset_cpu S_state Id ChannelID C_ss :wordn)
     (ClkA Rst I_rale_ I_last_ I_mrdy_ Disable_int Disable_writes
      Piu_fail Pmm_fail CB_parity MB_parity :bool) .
```
```
   rEXEC_out rep
    (R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
     R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
     R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
     R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
     R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
     R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr,
     R_ccr, R_ccr_rden, R_gcr, R_gcr_rden, R_sr, R_sr_rden,
     R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
     R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch)
    (ClkA, Rst, I_ad_in, I_rale_, I_last_, I_be_, I_mrdy_, Disable_int, Disable_writes, Cpu_fail, Reset_cpu,
     Piu_fail, Pmm_fail, S_state, Id, ChannelID, CB_parity, MB_parity, C_ss) =
    let new_R_fsm_state =
     ((R_fsm_rst) => RI |
     ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
     ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
     ((~R_fsm_last_) => RI | RA)))) in
    let r_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
    let r_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
    let new_R_wr = ((~I_rale_) => (ELEMENT I_ad_in (27)) | R_wr) in
    let new_R_cntlatch_del = r_fsm_cntlatch in
    let new_R_srdy_del_ = r_fsm_srdy_ in
    let new_R_reg_sel = ((~I_rale_) => (SUBARRAY I_ad_in (3,0)) |
                         ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
    let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
    let r_writeA = (~Disable_writes ∧ R_wr ∧ (new_R_fsm_state = RD)) in
    let r_writeB = (~Disable_writes ∧ new_R_wr ∧ (new_R_fsm_state = RD)) in
    let r_readA = (~R_wr ∧ (new_R_fsm_state = RA)) in
    let r_readB = (~new_R_wr ∧ (new_R_fsm_state = RA)) in
    let r_cir_wr01A = ((r_writeA ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
    let r_cir_wr01B = ((r_writeB ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
    let r_cir_wr23A = ((r_writeA ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
    let r_cir_wr23B = ((r_writeB ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
    let new_R_ccr = ((r_writeB ∧ (r_reg_sel = (WORDN 3))) => I_ad_in | R_ccr) in
    let new_R_ccr_rden = (r_readB ∧ (r_reg_sel = (WORDN 3))) in
    let new_R_gcr = ((r_writeB ∧ (r_reg_sel = (WORDN 2))) => I_ad_in | R_gcr) in
    let new_R_gcr_rden = (r_readB ∧ (r_reg_sel = (WORDN 2))) in
    let new_R_c01_cout_del = R_ctr1_cry in
    let new_R_int1_en =
     ((((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
       ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
     ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
       (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
     ((~((ELEMENT new_R_gcr (18)) ∧ (r_cir_wr01B ∨ (R_ctr1_cry ∧ (ELEMENT new_R_gcr (16))))) ∧
       ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en | ARB))) in
    let new_R_c23_cout_del = R_ctr3_cry in
    let new_R_int2_en =
     ((((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
       ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => T |
     ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
       (~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
     ((~((ELEMENT new_R_gcr (22)) ∧ (r_cir_wr23B ∨ (R_ctr3_cry ∧ (ELEMENT new_R_gcr (20))))) ∧
       ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en | ARB))) in
    let new_R_ctr0_in = ((r_writeB ∧ (r_reg_sel = (WORDN 8))) => I_ad_in | R_ctr0_in) in
    let new_R_ctr0_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
    let new_R_ctr0_irden = (r_readB ∧ (r_reg_sel = (WORDN 8))) in
    let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
    let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
    let new_R_ctr0_cry = ((ONES 31 R_ctr0) ∧ (ELEMENT new_R_gcr (19))) in
    let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
    let new_R_ctr0_orden = (r_readB ∧ (r_reg_sel = (WORDN 12))) in
    let new_R_ctr1_in = ((r_writeB ∧ (r_reg_sel = (WORDN 9))) => I_ad_in | R_ctr1_in) in
    let new_R_ctr1_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
    let new_R_ctr1_irden = (r_readB ∧ (r_reg_sel = (WORDN 9))) in
    let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
    let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
    let new_R_ctr1_cry = ((ONES 31 R_ctr1) ∧ R_ctr0_cry) in
    let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
    let new_R_ctr1_orden = (r_readB ∧ (r_reg_sel = (WORDN 13))) in
    let new_R_ctr2_in = ((r_writeB ∧ (r_reg_sel = (WORDN 10))) => I_ad_in | R_ctr2_in) in
    let new_R_ctr2_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
    let new_R_ctr2_irden = (r_readB ∧ (r_reg_sel = (WORDN 10))) in
    let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
    let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
    let new_R_ctr2_cry = ((ONES 31 R_ctr2) ∧ (ELEMENT new_R_gcr (23))) in
    let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
    let new_R_ctr2_orden = (r_readB ∧ (r_reg_sel = (WORDN 14))) in
    let new_R_ctr3_in = ((r_writeB ∧ (r_reg_sel = (WORDN 11))) => I_ad_in | R_ctr3_in) in
    let new_R_ctr3_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
    let new_R_ctr3_irden = (r_readB ∧ (r_reg_sel = (WORDN 11))) in
    let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
    let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
    let new_R_ctr3_cry = ((ONES 31 R_ctr3) ∧ R_ctr3_cry) in
    let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
    let new_R_ctr3_orden = (r_readB ∧ (r_reg_sel = (WORDN 15))) in
    let new_R_icr_load = (r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
    let new_R_icr_old =
     ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
    let new_R_icr_mask =
     ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => I_ad_in | R_icr_mask) in
    let new_R_icr =
     ((R_icr_load) =>
        ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) |
                                       (Orn rep (R_icr_old, R_icr_mask))) |
        R_icr) in
    let new_R_icr_rden =
     ((new_R_fsm_state = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
    let sr28 = (ALTER ARBN (28) MB_parity) in
    let sr28_25 = (MALTER sr28 (27,25) C_ss) in
    let sr28_24 = (ALTER sr28_25 (24) CB_parity) in
    let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
    let sr28_16 = (MALTER sr28_22 (21,16) Id) in
    let sr28_12 = (MALTER sr28_16 (15,12) S_state) in
    let sr28_9 = (ALTER sr28_12 (9) Pmm_fail) in
    let sr28_8 = (ALTER sr28_9 (8) Piu_fail) in
    let sr28_2 = (MALTER sr28_8 (3,2) Reset_cpu) in
    let sr28_0 = (MALTER sr28_2 (1,0) Cpu_fail) in
    let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
    let new_R_sr_rden = (r_readB ∧ (r_reg_sel = (WORDN 4))) in
    let r_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
                     ((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
                     ((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
                     ((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
                     ((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
                     ((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
                     ((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
                     ((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
    let new_R_int0_dis = r_int0_en in
    let r_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨
                     ((ELEMENT R_icr (17)) ∧ (ELEMENT R_icr (25))) ∨
                     ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨
                     ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) ∨
                     ((ELEMENT R_icr (20)) ∧ (ELEMENT R_icr (28))) ∨
                     ((ELEMENT R_icr (21)) ∧ (ELEMENT R_icr (29))) ∨
                     ((ELEMENT R_icr (22)) ∧ (ELEMENT R_icr (30))) ∨
                     ((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
    let new_R_int3_dis = r_int3_en in
    let new_R_busA_latch =
     ((R_ctr0_irden) => R_ctr0_in |
     ((R_ctr0_orden) => R_ctr0_out |
     ((R_ctr1_irden) => R_ctr1_in |
     ((R_ctr1_orden) => R_ctr1_out |
     ((R_ctr2_irden) => R_ctr2_in |
     ((R_ctr2_orden) => R_ctr2_out |
     ((R_ctr3_irden) => R_ctr3_in |
     ((R_ctr3_orden) => R_ctr3_out |
     ((R_icr_rden) => new_R_icr |
     ((R_ccr_rden) => R_ccr |
     ((R_gcr_rden) => R_gcr |
     ((R_sr_rden) => R_sr | ARB)))))))))))) in
    let new_R_fsm_ale_ = I_rale_ in
    let new_R_fsm_mrdy_ = I_mrdy_ in
    let new_R_fsm_last_ = I_last_ in
    let new_R_fsm_rst = Rst in
    let I_ad_out =
     ((~R_wr ∧ ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD))) => new_R_busA_latch | ARBN) in
    let I_srdy_ =
     (((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD)) =>
        ~((R_fsm_state = RA) ∧ (new_R_fsm_state = RD)) | ARB) in
    let Int0_ = ~(r_int0_en ∧ ~R_int0_dis ∧ ~Disable_int) in
    let Int1 = (R_ctr1_cry ∧ new_R_int1_en ∧ ~Disable_int) in
    let Int2 = (R_ctr3_cry ∧ new_R_int2_en ∧ ~Disable_int) in
    let Int3_ = ~(r_int3_en ∧ ~R_int3_dis ∧ ~Disable_int) in
    let Ccr = R_ccr in
    let Led = (SUBARRAY new_R_gcr (3,0)) in
    let Reset_error = (ELEMENT new_R_gcr (24)) in
    let Pmm_invalid = (ELEMENT new_R_gcr (28)) in
    (I_ad_out, I_srdy_, Int0_, Int1, Int2, Int3_, Ccr, Led, Reset_error, Pmm_invalid)"
 );;
```

## **D.4 C Port Specification**

```
% File:   c_clock1.ml
  Author: (c) D.A. Fura 1992
  Date:   31 March 1992

  This file contains the ml source for the clock-level specification of the C-Port of the
  FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. %
```
```
% The bulk of this code was translated from an M-language simulation program using a translator
  written by P.J. Windley at the University of Idaho. %

set_search_path (search_path() @ [`/home/titan3/dfura/ftep/piu/hol/lib/`]);;
system `rm c_clock1.th`;;
new_theory `c_clock1`;;
loadf `abstract`;;
map new_parent [`caux_def`;`aux_def`;`array_def`;`wordn_def`];;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;
let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

let cc_state_ty = ":(cmfsm_ty#bool#bool#bool#bool#wordn#bool#
                     csfsm_ty#bool#bool#wordn#
                     cefsm_ty#bool#bool#bool#bool#bool#
                     bool#wordn#bool#bool#wordn#bool#
                     bool#bool#bool#bool#bool#bool#
                     bool#bool#bool#wordn#wordn#wordn#wordn#wordn#wordn)";;
let cc_state =
 "((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
    C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
    C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
    C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
    C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
   :^cc_state_ty)";;

wordn#wordn#wordn#bool#bool#bool#bool#bool#wordn#bool#boo
let cc_env =
 "((I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
    I_lock_, I_cale_, I_hlda_, I_crqt_,
    CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
    Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error)
   :^cc_env_ty)";;
let cc_out_ty = ":(bool#bool#bool#bool#bool#bool#wordn#wordn#
                   bool#wordn#wordn#wordn#bool#bool)";;
let cc_out =
 "((I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_,
    I_ad_out, I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out,
    Disable_writes, CB_parity)
   :^cc_out_ty)";;
let rep_ty = abstract_type `aux_def` `Andn`;;

% Next-state definition for EXEC instruction. %

let cEXEC_inst_def = new_definition
 (`cEXEC_inst`,
  "! (rep:^rep_ty)
     (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
     (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
     (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
      C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
      C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
      C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
     (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
     (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
      Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool) .
   cEXEC_inst rep
    (C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
     C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
     C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
     C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
     C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
     C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
    (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_,
     I_lock_, I_cale_, I_hlda_, I_crqt_,
     CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in,
     Rst, ClkA, ClkB, ClkD, Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
    let c_write = (((~(C_mfsm_state = CMI)) ∧ (~(C_mfsm_state = CMR))) => C_wr |
                   (ELEMENT C_sizewrbe (5))) in
    let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
    let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0))) ∨
                   (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0))
                      ∧ (ELEMENT CB_rqt_in_ (1))) ∨
                   (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0))
                      ∧ (ELEMENT CB_rqt_in_ (1)) ∧ (ELEMENT CB_rqt_in_ (2))) ∨
                   (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0))
                      ∧ (ELEMENT CB_rqt_in_ (1)) ∧ (ELEMENT CB_rqt_in_ (2))
                      ∧ (ELEMENT CB_rqt_in_ (3)))) in
    let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
    let c_mfsm_stateA =
     ((C_mfsm_rst) => CMI |
     ((C_mfsm_state = CMI) =>
        (C_mfsm_D ∧ ~C_mfsm_crqt_ ∧ ~c_busy ∧ ~C_mfsm_invalid) => CMR | CMI |
     ((C_mfsm_state = CMR) =>
        (C_mfsm_D ∧ c_grant ∧ C_mfsm_hold_) => CMA3 | CMR |
     ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
     ((C_mfsm_state = CMA1) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA0 |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
     ((C_mfsm_state = CMA0) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA2 |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
     ((C_mfsm_state = CMA2) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD1 |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
     ((C_mfsm_state = CMD1) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD0 |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
     ((C_mfsm_state = CMD0) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ C_last_in_) => CMD1 |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_last_in_) => CMW |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
     ((C_mfsm_state = CMW) =>
        (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SACK) ∧ C_lock_in_) => CMI |
        (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_lock_in_ ∧ ~C_mfsm_crqt_) => CMA3 | CMW |
    let c_sfsm_stateA =
     ((C_sfsm_rst) => CSI |
      (C_sfsm_state = CSI) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 | CSI) |
      (C_sfsm_state = CSL) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ ~c_addressed) => CSI |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
      (C_sfsm_state = CSA1) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
      (C_sfsm_state = CSA0) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
      (C_sfsm_state = CSA0W) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
      (C_sfsm_state = CSALE) =>
        ((C_sfsm_D ∧ c_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
         (C_sfsm_D ∧ ~c_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
      (C_sfsm_state = CSRR) =>
        ((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
      (C_sfsm_state = CSD1) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
      (C_sfsm_state = CSD0) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
      (C_sfsm_state = CSACK) =>
        ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
         (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
      (C_sfsm_D) => CSI | CSABT) in
    let c_efsm_stateA =
     ((C_efsm_rst) => CEI |
      (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
      ((~C_efsm_last_ ∧ ~C_efsm_srdy_) ∨ ~C_efsm_male_ ∨ ~C_efsm_rale_) => CEI | CEE) in
    let c_srdy_en = ((c_efsm_stateA = CEE) ∨ (C_efsm_state = CEE)) in
    let cout_sel0 = (ALTER ARBN (0)
      (((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA = CSD0)) => (c_sfsm_stateA = CSD1) |
       (c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMD1))) in
    let cout_sel10 = (ALTER cout_sel0 (1)
      (((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA = CSD0)) =>
       (c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA2))) in
    let c_cout_sel = cout_sel10 in
    let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
    let new_C_sizewrbe = ((Rst) => (WORDN 0) |
      (((c_sfsm_stateA = CSA0) ∧ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
    let c_new_write = (((~(c_mfsm_stateA = CMI)) ∧ (~(c_mfsm_stateA = CMR))) => new_C_wr |
                       (ELEMENT new_C_sizewrbe (5))) in
    let new_C_clkA = ClkD in
    let new_C_last_in_ = ((Rst) => F |
      (((c_mfsm_stateA = CMABT) ∨ (c_mfsm_stateA = CMD1) ∧ ClkD) => I_last_in_ | C_last_in_)) in
    let new_C_lock_in_ = ((Rst) => F |
      ((c_mfsm_stateA = CMA1) => I_lock_ | C_lock_in_)) in
    let new_C_ss =
     (((~(c_mfsm_stateA = CMABT)) ∧ (~(c_mfsm_stateA = CMI))) => CB_ss_in | C_ss) in
    let c_mend = (CB_ms_in = ^MEND) in
    let c_mabort = (CB_ms_in = ^MABORT) in
    let new_C_last_out_ =
     (((c_sfsm_stateA = CSA1) ∧ ~(ClkD ∧ (c_mend ∨ c_mabort))) => T |
     ((~(c_sfsm_stateA = CSA1) ∧ (ClkD ∧ (c_mend ∨ c_mabort))) => F |
     ((~(c_sfsm_stateA = CSA1) ∧ ~(ClkD ∧ (c_mend ∨ c_mabort))) => C_last_out_ | ARB))) in
    let c_srdy = (CB_ss_in = ^SRDY) in
    let c_dfsm_master = ((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA2) ∨ (c_mfsm_stateA = CMA1) ∨
                         (c_mfsm_stateA = CMA0) ∨ (c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0)) in
    let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMA0) ∨
                          (c_mfsm_stateA = CMA2) ∨
                          (c_new_write ∧ ((c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0))) ∨
                          (~c_new_write ∧ ((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA = CSD0)))) in
    let new_C_hold_ = (c_sfsm_stateA = CSI) in
    let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
    let new_C_cout_0_le_del = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_new_write) ∨
                               ((c_mfsm_stateA = CMA0) ∧ c_srdy ∧ c_new_write ∧ ClkD) ∨
                               ((c_mfsm_stateA = CMD0) ∧ c_new_write ∧ c_srdy ∧ ClkD)) in
    let new_C_cin_2_le = (ClkD ∧ (((c_mfsm_stateA = CMD0) ∧ c_srdy ∧ ~c_new_write) ∨
                                  ((c_sfsm_stateA = CSA0)) ∨
                                  ((c_sfsm_stateA = CSD0) ∧ c_new_write))) in
    let new_C_mrdy_del_ =
     ~((~c_new_write ∧ ClkD ∧ ((c_sfsm_stateA = CSALE) ∨ (c_sfsm_stateA = CSD1))) ∨
       (~c_new_write ∧ C_clkA ∧ (c_sfsm_stateA = CSACK)) ∨
       (c_new_write ∧ ClkD ∧ (c_sfsm_stateA = CSD0))) in
    let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
                              ((c_sfsm_stateA = CSALE) ∧ c_new_write) ∨
                              ((c_sfsm_stateA = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR))) ∨
                              ((c_sfsm_stateA = CSD0) ∧ c_new_write) ∨
                              ((c_sfsm_stateA = CSACK) ∧ c_new_write)) in
    let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
    let new_C_wrdy = (c_srdy ∧ c_new_write ∧ (c_mfsm_stateA = CMD1) ∧ ClkD) in
    let new_C_rrdy = (c_srdy ∧ ~c_new_write ∧ (c_mfsm_stateA = CMD0) ∧ ClkD) in
    let c_pe = (Par_Det rep (CB_ad_in)) in
    let c_mparity = ((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMA0) ∨
                     (c_mfsm_stateA = CMA2) ∨ (c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0) ∨
                     (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨ (C_mfsm_state = CMA2) ∨
                     (C_mfsm_state = CMD1)) in
    let c_sparity = ((~(c_sfsm_stateA = CSI)) ∧ (~(c_sfsm_stateA = CSACK)) ∧
                     (~(c_sfsm_stateA = CSABT))) in
    let c_pe_cnt = (ClkD ∧ ((~(c_mparity = c_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
    let new_C_parity =
     (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~Reset_error) => T |
     ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ Reset_error) => F |
     ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~Reset_error) => C_parity | ARB))) in
    let new_C_source = ((Rst) => (WORDN 0) |
      ((ClkD ∧ ((c_sfsm_stateA = CSI) ∨ (c_sfsm_stateA = CSL))) => Par_Dec rep (CB_ad_in) | C_source)) in
    let data_in31_16 = (MALTER ARBN (31,16)
      ((Rst) => (WORDN 0) |
       ((ClkD ∧ (((c_mfsm_stateA = CMD1) ∧ c_srdy ∧ ~c_new_write) ∨
                 ((c_sfsm_stateA = CSA1)) ∨
                 ((c_sfsm_stateA = CSD1) ∧ c_new_write))) => Par_Dec rep (CB_ad_in) |
        (SUBARRAY C_data_in (31,16))))) in
    let data_in31_0 = (MALTER data_in31_16 (15,0)
      ((Rst) => (WORDN 0) |
       ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) |
        (SUBARRAY C_data_in (15,0))))) in
    let new_C_data_in = data_in31_0 in
    let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
    let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
    let new_C_a1a0
```
= (((c_dfsm_master \land C_cout_0_le_del) \lor (\sim c_dfsm_master \land C_clkA \land (c_sfsm_stateA = CSD1))) \Rightarrow C_iad_in \mid C_ala0) in let new_C_a3a2 = ((c_mfsm_stateA = CMR) \Rightarrow Ccr | C_a3a2) in let new_C_mfsm_state = c_mfsm_stateA in let new_C_mfsm_D = ClkD in let new_C_mfsm_rst = Rst in let new_C_mfsm_crqt_ = I_crqt_ in let new_C_mfsm_hold_ = new_C_holdA_ in ``` ``` let new_C_mfsm_ss = CB_ss_in in let new_C_mfsm_invalid = Piu_invalid in let new_C_sfsm_state = c_sfsm_stateA in let new_C_sfsm_D = ClkD in let new_C_sfsm_rst = Rst in let new_C_sfsm_hlda_ = I_hlda_ in let new_C_sfsm_ms = CB_ms_in in let new_C_efsm_cale_ = I_cale_ in let new_C_efsm_last_ = I_last_in_ in let new_C_efsm_male_ = I_male_in_ in let new_C_efsm_rale_ = I_rale_in_ in let new_C_efsm_srdy_ = I_srdy_in_ in let new_C_efsm_rst = Rst in (C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_ala0, C_a3a2)" );; Output definition for EXEC instruction. let cEXEC_out_def = new_definition ('cEXEC_out', "! 
   (rep:^rep_ty)
   (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty)
   (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
   (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
    C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst C_wr C_clkA
    C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le C_mrdy_del_
    C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
   (I_ad_in I_be_in_ CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID Ccr :wordn)
   (I_mrdy_in_ I_rale_in_ I_male_in_ I_last_in_ I_srdy_in_ I_lock_ I_cale_ I_hlda_ I_crqt_
    Rst ClkA ClkB ClkD Pmm_failure Piu_invalid Reset_error :bool) .
cEXEC_out rep
  (C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
   C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
   C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
   C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_holdA_,
   C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA, C_wrdy, C_rrdy,
   C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2)
  (I_ad_in, I_be_in_, I_mrdy_in_, I_rale_in_, I_male_in_, I_last_in_, I_srdy_in_, I_lock_,
   I_cale_, I_hlda_, I_crqt_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, Rst, ClkA, ClkB, ClkD,
   Id, ChannelID, Pmm_failure, Piu_invalid, Ccr, Reset_error) =
let c_write = (((~(C_mfsm_state = CMI)) ∧ (~(C_mfsm_state = CMR))) =>
     C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant = ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0)))
     ∨ (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0))
          ∧ (ELEMENT CB_rqt_in_ (1)))
     ∨ (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0))
          ∧ (ELEMENT CB_rqt_in_ (1)) ∧ (ELEMENT CB_rqt_in_ (2)))
     ∨ (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0))
          ∧ (ELEMENT CB_rqt_in_ (1)) ∧ (ELEMENT CB_rqt_in_ (2))
          ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let c_mfsm_stateA =
  ((C_mfsm_rst) => CMI |
  ((C_mfsm_state = CMI) =>
     (C_mfsm_D ∧ ~C_mfsm_crqt_ ∧ ~c_busy ∧ ~C_mfsm_invalid) => CMR | CMI |
  ((C_mfsm_state = CMR) =>
     (C_mfsm_D ∧ c_grant ∧ C_mfsm_hold_) => CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA2 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ C_last_in_) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_last_in_) => CMW |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SACK) ∧ C_lock_in_) => CMI |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_lock_in_ ∧ ~C_mfsm_crqt_) => CMA3 | CMW |
let c_sfsm_stateA =
  ((C_sfsm_rst) => CSI |
   (C_sfsm_state = CSI) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 | CSI) |
   (C_sfsm_state = CSL) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ ~c_addressed) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
   (C_sfsm_state = CSA1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
   (C_sfsm_state = CSA0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
   (C_sfsm_state = CSA0W) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
   (C_sfsm_state = CSALE) =>
     ((C_sfsm_D ∧ c_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ ~c_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
   (C_sfsm_state = CSRR) =>
     ((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
   (C_sfsm_state = CSD1) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
   (C_sfsm_state = CSD0) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
   (C_sfsm_state = CSACK) =>
     ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
      (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
   (C_sfsm_D) => CSI | CSABT) in
let c_efsm_stateA =
  ((C_efsm_rst) => CEI |
   (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
   ((~C_efsm_last_ ∧ ~C_efsm_srdy_) ∨ ~C_efsm_male_ ∨ ~C_efsm_rale_) => CEI | CEE) in
let c_srdy_en = ((c_efsm_stateA = CEE) ∨ (C_efsm_state = CEE)) in
let cout_sel0 = (ALTER ARBN (0) (((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA
     = CSD0)) =>
     (c_sfsm_stateA = CSD1) |
     (c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMD1))) in
let cout_sel10 = (ALTER cout_sel0 (1) (((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA = CSD0)) =>
     (c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA2))) in
let c_cout_sel = cout_sel10 in
let new_C_wr = ((~I_cale_) => (ELEMENT I_ad_in (27)) | C_wr) in
let new_C_sizewrbe = ((Rst) => (WORDN 0) |
     (((c_sfsm_stateA = CSA0) ∧ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(c_mfsm_stateA = CMI)) ∧ (~(c_mfsm_stateA = CMR))) =>
     new_C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_clkA = ClkD in
let new_C_last_in_ = ((Rst) => F |
     (((c_mfsm_stateA = CMABT) ∨ (c_mfsm_stateA = CMD1) ∧ ClkD) => I_last_in_ | C_last_in_)) in
let new_C_lock_in_ = ((Rst) => F |
     ((c_mfsm_stateA = CMA1) => I_lock_ | C_lock_in_)) in
let new_C_ss =
  (((~(c_mfsm_stateA = CMABT)) ∧ (~(c_mfsm_stateA = CMI))) => CB_ss_in | C_ss) in
let c_mend = (CB_ms_in = ^MEND) in
let c_mabort = (CB_ms_in = ^MABORT) in
let new_C_last_out_ =
  (((c_sfsm_stateA = CSA1) ∧ ~(ClkD ∧ (c_mend ∨ c_mabort))) => T |
   ((~(c_sfsm_stateA = CSA1) ∧ (ClkD ∧ (c_mend ∨ c_mabort))) => F |
    ((~(c_sfsm_stateA = CSA1) ∧ ~(ClkD ∧ (c_mend ∨ c_mabort))) => C_last_out_ | ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA2) ∨ (c_mfsm_stateA = CMA1)
     ∨ (c_mfsm_stateA = CMA0) ∨ (c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0)) in
let c_dfsm_cad_en = ~((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMA0)
     ∨ (c_mfsm_stateA = CMA2)
     ∨ (c_new_write ∧ ((c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0)))
     ∨ (~c_new_write ∧ ((c_sfsm_stateA = CSD1) ∨ (c_sfsm_stateA = CSD0)))) in
let new_C_hold_ = (c_sfsm_stateA = CSI) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let new_C_cout_0_le_del = ((I_cale_) ∨ (I_srdy_in_ ∧ ~c_new_write)
     ∨ ((c_mfsm_stateA = CMA0) ∧ c_srdy ∧ c_new_write ∧ ClkD)
     ∨ ((c_mfsm_stateA = CMD0) ∧ c_new_write ∧ c_srdy ∧ ClkD)) in
let new_C_cin_2_le = (ClkD ∧ (((c_mfsm_stateA = CMD0) ∧ c_srdy ∧ ~c_new_write) ∨
     ((c_sfsm_stateA = CSA0)) ∨
     ((c_sfsm_stateA = CSD0) ∧ c_new_write))) in
let new_C_mrdy_del_ = ~((~c_new_write ∧ ClkD ∧ ((c_sfsm_stateA = CSALE) ∨ (c_sfsm_stateA = CSD1))) ∨
     (~c_new_write ∧ C_clkA ∧ (c_sfsm_stateA = CSACK)) ∨
     (c_new_write ∧ ClkD ∧ (c_sfsm_stateA = CSD0))) in
let new_C_iad_en_s_del = (((c_sfsm_stateA = CSALE) ∧ (~(C_sfsm_state = CSALE)))
     ∨ ((c_sfsm_stateA = CSALE) ∧ c_new_write)
     ∨ ((c_sfsm_stateA = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR)))
     ∨ ((c_sfsm_stateA = CSD0) ∧ c_new_write)
     ∨ ((c_sfsm_stateA = CSACK) ∧ c_new_write)) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_wrdy = (c_srdy ∧ c_new_write ∧ (c_mfsm_stateA = CMD1) ∧ ClkD) in
let new_C_rrdy = (c_srdy ∧ ~c_new_write ∧ (c_mfsm_stateA = CMD0) ∧ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨ (c_mfsm_stateA = CMA0)
     ∨ (c_mfsm_stateA = CMA2) ∨ (c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0)
     ∨ (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨ (C_mfsm_state = CMA2)
     ∨ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(c_sfsm_stateA = CSI)) ∧ (~(c_sfsm_stateA = CSACK)) ∧ (~(c_sfsm_stateA = CSABT))) in
let c_pe_cnt = (ClkD ∧ ((~(c_mparity = c_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity =
  (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~Reset_error) => T |
   ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ Reset_error) => F |
    ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~Reset_error) => C_parity | ARB))) in
let new_C_source = ((Rst) => (WORDN 0) |
     ((ClkD ∧ ((c_sfsm_stateA = CSI) ∨ (c_sfsm_stateA = CSL))) =>
        Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16) ((Rst) => (WORDN 0) |
     ((ClkD ∧ (((c_mfsm_stateA = CMD1) ∧ c_srdy ∧ ~c_new_write) ∨
               ((c_sfsm_stateA = CSA1)) ∨
               ((c_sfsm_stateA = CSD1) ∧ c_new_write))) =>
        Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (31,16))))) in
let data_in31_0 = (MALTER data_in31_16 (15,0) ((Rst) => (WORDN 0) |
     ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (15,0))))) in
let new_C_data_in = data_in31_0 in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let new_C_iad_in = ((new_C_cout_0_le_del) => I_ad_in | C_iad_in) in
let new_C_a1a0 = (((c_dfsm_master ∧ C_cout_0_le_del) ∨
     (~c_dfsm_master ∧ C_clkA ∧ (c_sfsm_stateA = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((c_mfsm_stateA = CMR) => Ccr | C_a3a2) in
let new_C_mfsm_state = c_mfsm_stateA in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = Rst in
let new_C_mfsm_crqt_ = I_crqt_ in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = Piu_invalid in
let new_C_sfsm_state = c_sfsm_stateA in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = Rst in
let new_C_sfsm_hlda_ = I_hlda_ in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = I_cale_ in
let new_C_efsm_last_ = I_last_in_ in
let new_C_efsm_male_ = I_male_in_ in
let new_C_efsm_rale_ = I_rale_in_ in
let new_C_efsm_srdy_ = I_srdy_in_ in
let new_C_efsm_rst = Rst in
let I_cgnt_ = ~(c_mfsm_state = CMA3) in
let I_mrdy_out_ = ((~I_hlda_) => C_mrdy_del_ | ARB) in
let I_hold_ = new_C_holdA_ in
let I_rale_out_ = ((~I_hlda_) =>
     ~((c_sfsm_stateA = CSALE) ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkA) | ARB) in
let I_male_out_ = ((~I_hlda_) =>
     ~((c_sfsm_stateA = CSALE) ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkA) | ARB) in
let I_last_out_ = ((~I_hlda_) => C_last_out_ | ARB) in
let I_srdy_out_ = ((~I_cale_ ∨ c_srdy_en) =>
     ~(C_wrdy ∨ C_rrdy ∨ (c_mfsm_stateA = CMABT)) | ARB) in
let I_be_out_ = ((~I_hlda_) => (SUBARRAY new_C_sizewrbe (9,6)) | ARBN) in
let I_ad_out = ((new_C_iad_en_s_delA
     ∨ ((c_mfsm_stateA = CMD1) ∧ ~c_new_write ∧ c_srdy_en)
     ∨ ((c_mfsm_stateA = CMD0) ∧ ~c_new_write ∧ c_srdy_en)
     ∨ ((c_mfsm_stateA = CMW) ∧ (C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en)
     ∨ ((c_sfsm_stateA = CSALE) ∧ (~(C_sfsm_state = CSALE)))
     ∨ ((c_sfsm_stateA = CSALE) ∧ c_new_write)
     ∨ ((c_sfsm_stateA = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR)))
     ∨ ((c_sfsm_stateA = CSD0) ∧ c_new_write)
     ∨ ((c_sfsm_stateA = CSACK) ∧ c_new_write)) => new_C_iad_out | ARBN) in
let CB_rqt_out_ = ((c_mfsm_stateA = CMI)) in
let ms0 = (ALTER ARBN (0) (((c_mfsm_stateA = CMD0) ∧ ~C_last_in_) ∨
     ((c_mfsm_stateA = CMW) ∧ C_lock_in_) ∨ (c_mfsm_stateA = CMABT))) in
let ms10 = (ALTER ms0 (1) (((c_mfsm_stateA = CMA1)) ∨ (c_mfsm_stateA = CMA0) ∨
     (c_mfsm_stateA = CMA2) ∨ (c_mfsm_stateA = CMD1) ∨
     ((c_mfsm_stateA = CMD0) ∧ C_last_in_) ∨ (c_mfsm_stateA = CMW) ∨
     (c_mfsm_stateA = CMABT))) in
let ms210 = (ALTER ms10 (2) (((c_mfsm_stateA = CMA3) ∨ (c_mfsm_stateA = CMA1) ∨
     (c_mfsm_stateA = CMA0) ∨ (c_mfsm_stateA = CMA2) ∨
     (c_mfsm_stateA = CMD1) ∨ (c_mfsm_stateA = CMD0) ∨
     (c_mfsm_stateA = CMW) ∨ (c_mfsm_stateA = CMABT)) ∧ ~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ms_out = (((~(c_mfsm_stateA = CMI)) ∧ (~(c_mfsm_stateA = CMR))) => ms210 | ARBN) in
let ss0 = (ALTER ARBN (0) ((c_sfsm_stateA = CSA0W) ∨
     ((c_sfsm_stateA = CSALE) ∧ ~c_new_write) ∨
     (c_sfsm_stateA = CSACK))) in
let ss10 = (ALTER ss0 (1) ~(c_sfsm_stateA = CSACK)) in
let ss210 = (ALTER ss10 (2) (~Pmm_failure ∧ ~Piu_invalid)) in
let CB_ss_out = (((~(c_sfsm_stateA = CSI)) ∧ (~(c_sfsm_stateA = CSABT))) => ss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
     ((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_a1a0 (15,0)) |
     ((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUBARRAY new_C_a1a0 (31,16)) |
     ((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
                                  Par_Enc rep (SUBARRAY new_C_a3a2 (31,16))))) | ARBN) in
let C_ss_out = new_C_ss in
let Disable_writes = ((~(c_sfsm_stateA = CSI)) ∧ (~(c_sfsm_stateA = CSL)) ∧
     ~((ChannelID = (WORDN 0)) ∧ (ELEMENT C_source (6))) ∧
     ~((ChannelID = (WORDN 1)) ∧ (ELEMENT C_source (7))) ∧
     ~((ChannelID = (WORDN 2)) ∧ (ELEMENT C_source (8))) ∧
     ~((ChannelID = (WORDN 3)) ∧ (ELEMENT C_source (9)))) in
let CB_parity = new_C_parity in
(I_cgnt_, I_mrdy_out_, I_hold_, I_rale_out_, I_male_out_, I_last_out_, I_srdy_out_, I_ad_out,
 I_be_out_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, C_ss_out, Disable_writes, CB_parity)"
);;

close_theory();;
```

## D.5 SU\_Cont Specification

```
File:    s_clock1.ml
Author:  (c) D.A. Fura 1992
Date:    31 March 1992

This file contains the ml source for the clock-level specification of the startup controller of the
FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center.
The bulk of this code was translated from an M-language simulation program using a translator
written by P.J. Windley at the University of Idaho.

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/']);;
system 'rm s_clock1.th';;
new_theory 's_clock1';;
map new_parent ['saux_def';'aux_def';'array_def';'wordn_def'];;

let sc_state = "((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
                  S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0,
                  S_reset_cpu1, S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
                 :^sc_state_ty)";;
let sc_env = "((ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_)
               :^sc_env_ty)";;
let sc_out = "((S_state, Reset_cport, Disable_int, Reset_piu, Reset_cpu0, Reset_cpu1, Cpu_hist,
                Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)
               :^sc_out_ty)";;

Next-state definition for EXEC instruction.

let sEXEC_inst_def = new_definition
 ('sEXEC_inst',
  "! (S_fsm_state :sfsm_ty) (S_soft_cnt S_delay :wordn)
     (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del
      S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail
      S_cpu1_fail S_piu_fail :bool)
     (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
sEXEC_inst
  (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
   S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
   S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
  (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0_, Failure1_) =
let new_S_fsm_state =
  ((S_fsm_rst) => SSTART |
  ((S_fsm_state = SSTART) => SRA |
  ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
  ((S_fsm_state = SPF) => SC0I |
  ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
  ((S_fsm_state = SC0F) => ST |
  ((S_fsm_state = ST) => SC1I |
  ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
  ((S_fsm_state = SC1F) => SS |
  ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
  ((S_fsm_state = SSTOP) => SSTOP |
  ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
  ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let s_fsm_srcp = (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let s_fsm_sdi = (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let s_fsm_srp = ((new_S_fsm_state = SSTART) ∨ (new_S_fsm_state = SRA) ∨
     (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST) ∨
     (new_S_fsm_state = SC1F) ∨ (new_S_fsm_state = SS) ∨
     (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) ∧ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) ∧ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) ∧ S_fsm_delay6 ∧ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src = ((new_S_fsm_state = SSTART) ∨ ((S_fsm_state = SRA) ∧ S_fsm_delay6) ∨
     (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST) ∨ (new_S_fsm_state = SC1F) ∨
     (new_S_fsm_state = SS) ∨ ((S_fsm_state = SCS) ∧ S_fsm_delay6)) in
let s_fsm_sec = (((~(new_S_fsm_state = SSTOP)) ∧ (~(new_S_fsm_state = SO))) ∨ (S_fsm_state = SN)) in
let s_fsm_srs = (((S_fsm_state = SPF) ∧ ~S_fsm_rst) ∨ ((S_fsm_state = ST) ∧ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_S_soft_shot_del = (~Gcrh ∧ Gcrl) in
let s_soft_cnt_out = ((s_fsm_srs) =>
     ((Gcrl ∧ ~Gcrh ∧ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
     ((Gcrl ∧ ~Gcrh ∧ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~Gcrh ∧ ~Gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out = ((s_fsm_src ∨ (s_fsm_scs ∧ (ELEMENT S_delay (6)))) =>
     ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
     ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f ∧ Failure0_ ∧ (s_soft_cnt_out)) in
let s_cpu1_ok = (s_fsm_sc1f ∧ Failure1_ ∧ (s_soft_cnt_out = (WORDN 5))) in
let new_S_pmm_fail =
  ((s_fsm_sb ∧ ~s_fsm_spmf) => T |
   ((~s_fsm_sb ∧ s_fsm_spmf) => F |
    ((~s_fsm_sb ∧ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail =
  ((s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => T |
   ((~s_fsm_sb ∧ (s_cpu0_ok ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail =
  ((s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => T |
   ((~s_fsm_sb ∧ (s_cpu1_ok ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail =
  ((s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => T |
   ((~s_fsm_sb ∧ (s_fsm_spf ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn ∨ s_fsm_so) ∧ ~S_cpu0_fail) in
let s_cpu1_select = ((s_fsm_sn ∨ s_fsm_so) ∧ S_cpu1_fail ∧ ~S_cpu1_fail) in
let new_S_bad_cpu0 =
  ((s_fsm_sb ∧ ~s_cpu0_select) => T |
   ((~s_fsm_sb ∧ s_cpu0_select) => F |
    ((~s_fsm_sb ∧ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 =
  ((s_fsm_sb ∧ ~s_cpu1_select) => T |
   ((~s_fsm_sb ∧ s_cpu1_select) => F |
    ((~s_fsm_sb ∧ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 ∧ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 ∧ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 ∧ S_reset_cpu1 ∧ Bypass) in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail ∧ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
(new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad,
 new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0,
 new_S_bad_cpu1, new_S_reset_cpu0, new_S_reset_cpu1, new_S_cpu_hist, new_S_pmm_fail,
 new_S_cpu0_fail, new_S_cpu1_fail, new_S_piu_fail)"
);;

Output definition for EXEC instruction.

let sEXEC_out_def = new_definition
 ('sEXEC_out',
  "! (S_fsm_state :sfsm_ty) (S_soft_cnt S_delay :wordn)
     (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del
      S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail
      S_cpu1_fail S_piu_fail :bool)
     (ClkA ClkB Rst Bypass Test Gcrh Gcrl Failure0_ Failure1_ :bool) .
sEXEC_out
  (S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
   S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
```
```
let new_S_fsm_state =
  ((S_fsm_rst) => SSTART |
  ((S_fsm_state = SSTART) => SRA |
  ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
  ((S_fsm_state = SPF) => SC0I |
  ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
  ((S_fsm_state = SC0F) => ST |
  ((S_fsm_state = ST) => SC1I |
  ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
  ((S_fsm_state = SC1F) => SS |
  ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
  ((S_fsm_state = SSTOP) => SSTOP |
  ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
  ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let s_fsm_srcp = (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let
s_fsm_sdi = (((\sim(new_S_fsm_state = SO))) \land (\sim(S_fsm_state = SSTOP))) \lor (S_fsm_state = SRA)) in let s_fsm_srp = ((new_S_fsm_state = SSTART) V (new_S_fsm_state = SRA) V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1F) V (new_S_fsm_state = SS) V (new_S_fsm_state = SCS)) in let s_fsm_src0 = ((\sim(new_S_fsm_state = SPF)) \land (\sim(new_S_fsm_state = SCOI))) in let s_fsm_src1 = ((\sim(new_S_fsm_state = ST)) \land (\sim(new_S_fsm_state = SC1I))) in let s_fsm_spf = ((S_fsm_state = SRA) \land S_fsm_delay6 \land \sim S_fsm_rst) in let s_fsm_sc0f = (new_S_fsm_state = SC0F) in let s_fsm_sc1f = (new_S_fsm_state = SC1F) in let s_fsm_spmf = (new_S_fsm_state = SO) in let s_fsm_sb = (new_S_fsm_state = SSTART) in let s_fsm_src = ((new_S_fsm_state = SSTART) \lor ((S_fsm_state = SRA) \land S_fsm_delay6) V (new_S_fsm_state = SC0F) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1F) V (new_S_{fsm_state} = SS) V ((S_{fsm_state} = SCS) \land S_{fsm_delay6})) in let s_fsm_sec = (((\neg(new_S_fsm_state = SSTOP)) \land (\neg(new_S_fsm_state = SO))) \lor (S_fsm_state = SN)) in let s_fsm_srs = (((S_fsm_state = SPF) \land \simS_fsm_rst) \lor ((S_fsm_state = ST) \land \simS_fsm_rst)) in let s_fsm_scs = (new_S_fsm_state = SCS) in let new_S_soft_shot_del = (\simGcrh \wedge Gcrl) in let s_soft_cnt_out = ((s_fsm_srs) => ((Gcrl \land \neg Gcrh \land \neg S\_soft\_shot\_del) => (WORDN 1) | (WORDN 0)) | ((Gcrl \land \neg Gcrh \land \neg S\_soft\_shot\_del) => (INCN 2 S\_soft\_cnt) \mid S\_soft\_cnt)) in let new_S_soft_cnt = ((\simGcrh \land \simGcrl) => (WORDN 0) | s_soft_cnt_out) in let s_delay_out = ((s_fsm_src \lor (s_fsm_scs \land (ELEMENT S_delay (6)))) => ((s_fsm_sec) \Rightarrow (WORDN 1) | (WORDN 0)) | ((s\_fsm\_sec) => (INCN 17 S\_delay) | S\_delay)) in let new S delay = s delay out in let s_{pu0} ok = (s_{sm}s_{c0} \land Failure_{0} \land (s_{soft}cut_{0} = (WORDN 5))) in let s_{\text{cpul}} = (s_{\text{s}} - s_{\text{clf}} \land Failure 1 \land 
(s_{\text{s}} - s_{\text{clf}} \land s_{\text{clf}}))) in let new_S_pmm_fail = ((s\_fsm\_sb \land \neg s\_fsm\_spmf) => T \mid ((-s_fsm_sb \land s_fsm_spmf) => F \mid ``` S\_cpu\_hist, S\_pmm\_fail, S\_cpu0\_fail, S\_cpu1\_fail, S\_piu\_fail) (ClkA, ClkB, Rst, Bypass, Test, Gcrh, Gcrl, Failure0\_, Failure1\_) = ``` ((\sim s\_fsm\_sb \land \sim s\_fsm\_spmf) => S\_pmm\_fail \mid ARB))) in let new_S_cpu0_fail = ((s_fsm_sb \land \sim (s_cpu0_ok \lor Bypass)) => T \mid ((\neg s\_fsm\_sb \land (s\_cpu0\_ok \lor Bypass)) => F \mid ((\sim s\_fsm\_sb \land \sim (s\_cpu0\_ok \lor Bypass)) => S\_cpu0\_fail \mid ARB))) in let new_S_cpu1_fail = ((s_fsm_sb \land \neg (s_cpul_ok \lor Bypass)) => T \mid ((\sim s\_fsm\_sb \land (s\_cpul\_ok \lor Bypass)) => F I ((-s\_fsm\_sb \land \sim (s\_cpu1\_ok \lor Bypass)) => S\_cpu1\_fail \mid ARB))) in let new_S_piu_fail = ((s\_fsm\_sb \land \sim (s\_fsm\_spf \lor Bypass)) => T \mid ((\sim s\_fsm\_sb \land (s\_fsm\_spf \lor Bypass)) => F I ((\sim s\_fsm\_sb \land \sim (s\_fsm\_spf \lor Bypass)) => S\_piu\_fail \mid ARB))) in let s_{cpu0}_select = ((s_fsm_sn \lor s_fsm_so) \land \neg S_{cpu0}_fail) in let \ s\_cpu1\_select = ((s\_fsm\_sn \ \lor \ s\_fsm\_so) \ \land \ S\_cpu0\_fail \ \land \ \neg S\_cpu1\_fail) \ in let new_S_bad_cpu0 = ((s_fsm_sb \land -s_cpu0_select) => T \land ((-s_fsm_sb \land s_cpu0_select) \Rightarrow F \mid ((\sim s\_fsm\_sb \land \sim s\_cpu0\_select) => S\_bad\_cpu0 \mid ARB))) in let new_S_bad_cpu1 = ((s_fsm_sb \land \neg s_cpul_select) \Longrightarrow T \mid ((\sim\!s\_fsm\_sb \land s\_cpul\_select) => F \mid ((\sim s\_fsm\_sb \land \sim s\_cpu1\_select) => S\_bad\_cpu1 \mid ARB))) in let new_S_reset_cpu0 = (new_S_bad_cpu0 \land s_fsm_src0) in let new_S_reset_cpu1 = (new_S_bad_cpu1 \Lambda s_fsm_src1) in let new_S_cpu_hist = (S_reset_cpu0 \land S_reset_cpu1 \land Bypass) in let new S_fsm_rst = Rst in let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | 
(ELEMENT s_delay_out (17))) in let new_S_fsm_bothbad = (new_S_cpu0_fail \( \Lambda \) new_S_cpu1_fail) in let new_S_fsm_bypass = Bypass in let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) V(new_S_{fsm_state} = SCS) V(new_S_{fsm_state} = SN) V (new_S_fsm_state = SO))) in let\ ss1 = (ALTER\ ss0\ (1)\ ((new\_S\_fsm\_state = SC0F)\ V\ (new\_S\_fsm\_state = ST) V (new_S_fsm_state = SC1I) V (new_S_fsm_state = SC1F) V (new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) V (new_S_fsm_state = SCS))) in let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) V (new_S_fsm_state = SCOI) V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SSTOP) V (new_S_fsm_state = SO))) in let \ ss3 = (ALTER \ ss2 \ (3) \ ((new\_S\_fsm\_state = SRA) \ \lor \ (new\_S\_fsm\_state = SPF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1I) V (new_S_fsm_state = SCS) V (new_S_fsm_state = SN) V (new_S_fsm_state = SO))) in let S_state = ss3 in let Reset_cport = s_fsm_srcp in let Disable_int = (\sim(s_fsm_sn \land (ELEMENT s_delay_out (6))) \land s_fsm_sdi \land ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in let Reset_piu = s_fsm_srp in let Reset_cpu0 = new_S_reset_cpu0 in let Reset cpu1 = new_S_reset_cpu1 in let Cpu_hist = new_S_cpu_hist in let Piu_fail = new_S_piu_fail in ``` ## Appendix E ML Source for the PIU Block-Level Specification. This appendix contains the HOL model for the PIU block-level structural specification. ``` piu_block.ml File: (c) D.A. Fura 1992 Author: 31 March 1992 Date: This file contains the ml source for the block-level specification of the FTEP PIU, an ASIC developed by the Embedded Processing Laboratory, Boeing High Technology Center. At this level the blocks correspond to the four PIU ports and the startup controller. 
set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/';
                                  '/home/titan3/dfura/ftep/piu/hol/pport/';
                                  '/home/titan3/dfura/ftep/piu/hol/cport/';
                                  '/home/titan3/dfura/ftep/piu/hol/mport/';
                                  '/home/titan3/dfura/ftep/piu/hol/cport/';
                                  '/home/titan3/dfura/ftep/piu/hol/sucont/']);;

system 'rm piu_block.th';;

new_theory 'piu_block';;

loadf 'abstract';;

map new_parent ['aux_def';'p_clock1';'c_clock1';'m_clock1';'c_clock1';'s_clock1'];;

let rep_ty = abstract_type 'aux_def' 'Andn';;

let PIU_Block_SPEC = new_definition
 ('PIU_Block_SPEC',
  "! (rep:^rep_ty)
     (P_fsm_state :pfsm_ty)
     (P_addr P_be_ P_size :wordn)
     (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_ P_lock_inh_
      P_male_ P_rale_ :bool)
     (C_mfsm_state :cmfsm_ty)
     (C_sfsm_state :csfsm_ty)
     (C_efsm_state :cefsm_ty)
     (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
     (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
      C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
      C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
      C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
     (M_fsm_state :mfsm_ty)
     (M_count M_addr M_be M_rd_data M_detect :wordn)
     (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
     (R_fsm_state :rfsm_ty)
     (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out
      R_ctr2_in R_ctr2 R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out
      R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel R_busA_latch :wordn)
     (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
      R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
      R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden
      R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
      R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
      R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis R_int3_dis
      R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
     (S_fsm_state :sfsm_ty)
     (S_soft_cnt S_delay :wordn)
     (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
      S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
     (L_ad_in L_be_ :wordn)
     (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)
     (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
     (ClkD :bool)
     (MB_data_in :wordn)
     (Edac_en_ :bool)
     (Bypass Test Failure0_ Failure1_ :bool)
     (L_ad_out :wordn)
     (L_ready_ :bool)
     (CB_ad_out CB_ms_out CB_ss_out :wordn)
     (CB_rqt_out_ :bool)
     (MB_addr MB_data_out :wordn)
     (MB_cs_eeprom_ MB_cs_sram_ MB_we_ MB_oe_ :bool)
     (Led :wordn)
     (Int0_ Int1 Int2 Int3_ Cpu_hist :bool) .
   PIU_Block_SPEC rep
    (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
     P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
     C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
     C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
     C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
     C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
     C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
     C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
     M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
     M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
     R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
     R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
     R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
     R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
     R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
     R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
     R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
     R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch,
     S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
     S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
     S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
    (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
     CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
     MB_data_in, Edac_en_, Bypass, Test, Failure0_, Failure1_)
    (L_ad_out, L_ready_,
     CB_ad_out, CB_ms_out, CB_ss_out, CB_rqt_out_,
     MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
     Int0_, Int1, Int2, Int3_, Led, Cpu_hist) =
   ? (i_ad i_be_ :wordn)
     (i_male_ i_rale_ i_crqt_ i_cgnt_ i_cale_ i_mrdy_ i_srdy_ i_last_ i_hold_ i_hlda_ i_lock_ :bool)
     (c_ss :wordn)
     (disable_writes cb_parity :bool)
     (ccr :wordn)
     (reset_error piu_invalid :bool)
     (mb_parity :bool)
     (s_state :wordn)
     (reset_cport disable_int reset_piu reset_cpu0 reset_cpu1 piu_fail pmm_fail cpu0_fail
      cpu1_fail :bool) .
   (p_interp rep
     ((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
       P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_),
      (ClkA, ClkB, reset_piu, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
       i_ad, i_cgnt_, i_hold_, i_srdy_),
      (L_ad_out, L_ready_, i_ad, i_ad, i_be_, i_rale_, i_male_, i_crqt_, i_cale_, i_mrdy_, i_last_,
       i_hlda_, i_lock_))) ∧
   (c_interp rep
     ((C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
       C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
       C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
       C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
       C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
       C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2),
      (i_ad, i_be_, i_mrdy_, i_rale_, i_male_, i_last_, i_srdy_, i_lock_, i_cale_, i_hlda_, i_crqt_,
       CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, reset_cport, ClkA, ClkB, ClkD, Id, ChannelID,
       pmm_fail, piu_invalid, ccr, reset_error),
      (i_cgnt_, i_mrdy_, i_hold_, i_rale_, i_male_, i_last_, i_srdy_, i_ad, i_be_,
       CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out, c_ss, disable_writes, cb_parity))) ∧
   (m_interp rep
     ((M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
       M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect),
      (ClkA, ClkB, reset_piu, reset_cport, disable_writes, i_ad, i_male_, i_last_, i_be_, i_mrdy_,
       MB_data_in, Edac_en_, reset_error),
      (i_ad, i_srdy_, MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_, mb_parity))) ∧
   (r_interp rep
     ((R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
       R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
       R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
       R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
       R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
       R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
       R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
       R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch),
      (ClkA, reset_piu, i_ad, i_rale_, i_last_, i_be_, i_mrdy_, disable_int, disable_writes,
       cpu0_fail, cpu1_fail, reset_cpu0, reset_cpu1, piu_fail, pmm_fail, s_state, Id, ChannelID,
       cb_parity, mb_parity, c_ss),
      (i_ad, i_srdy_, Int0_, Int1, Int2, Int3_, ccr, Led, reset_error, piu_invalid))) ∧
   (s_interp rep
     ((S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
       S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
       S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail),
      (ClkA, ClkB, Rst, Bypass, Test, Led, Failure0_, Failure1_),
      (s_state, reset_cport, disable_int, reset_piu, reset_cpu0, reset_cpu1, Cpu_hist, piu_fail,
       cpu0_fail, cpu1_fail, pmm_fail)))"
 );;

close_theory();;
```

## Appendix F ML Source for the PIU Clock-Level Specification.

This appendix contains the HOL model for the clock-level specification of the PIU.

```
%-----
  File:    piu_clock1.ml
  Author:  (c) D.A. Fura 1992
  Date:    31 March 1992

  This file contains the ml source for the clock-level specification of the FTEP PIU, an ASIC
  developed by the Embedded Processing Laboratory, Boeing High Technology Center.
-----%

set_search_path (search_path() @ ['/home/titan3/dfura/ftep/piu/hol/lib/';
                                  '/home/titan3/dfura/ftep/piu/hol/pport/';
                                  '/home/titan3/dfura/ftep/piu/hol/cport/';
                                  '/home/titan3/dfura/ftep/piu/hol/mport/';
                                  '/home/titan3/dfura/ftep/piu/hol/rport/';
                                  '/home/titan3/dfura/ftep/piu/hol/sucont/']);;

system 'rm piu_clock1.th';;

new_theory 'piu_clock1';;

map new_parent ['paux_def';'caux_def';'maux_def';'raux_def';'saux_def';'aux_def';'array_def';'wordn_def'];;

loadf 'abstract';;

let MSTART = "WORDN 4";;
let MEND = "WORDN 5";;
let MRDY = "WORDN 6";;
let MWAIT = "WORDN 7";;
let MABORT = "WORDN 0";;

let SACK = "WORDN 5";;
let SRDY = "WORDN 6";;
let SWAIT = "WORDN 7";;
let SABORT = "WORDN 0";;

cmfsm_ty#bool#bool#bool#wordn#bool#
csfsm_ty#bool#bool#wordn#
cefsm_ty#bool#bool#bool#bool#bool#
bool#wordn#bool#bool#wordn#bool#
bool#bool#bool#bool#bool#bool#
bool#bool#wordn#wordn#wordn#wordn#wordn#
mfsm_ty#bool#bool#bool#wordn#bool#wordn#wordn#bool#bool#wordn#wordn#
rfsm_ty#bool#bool#bool#bool#wordn#bool#wordn#bool#wordn#bool#wordn#bool#
sfsm_ty#bool#bool#bool#bool#bool#wordn#wordn#

let piu_state =
 "((P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
    P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
    C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
    C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
    C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
    C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
    C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
    C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
    M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
    M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
    R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
    R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
    R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
    R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
    R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
    R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
    R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
    R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch,
    S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
    S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
    S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
   :^piu_state_ty)";;

let piu_out_ty = ":(wordn#bool# bool#bool#bool#bool#bool#bool)";;

let piuEXEC_inst_def = new_definition
 ('piuEXEC_inst',
  "! (rep:^rep_ty)
     (P_fsm_state :pfsm_ty)
     (P_addr P_be_ P_size :wordn)
     (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_ P_lock_inh_
      P_male_ P_rale_ :bool)
     (C_mfsm_state :cmfsm_ty)
     (C_sfsm_state :csfsm_ty)
     (C_efsm_state :cefsm_ty)
     (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_a1a0 C_a3a2 :wordn)
     (C_mfsm_D C_mfsm_rst C_mfsm_crqt_ C_mfsm_hold_ C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_
      C_efsm_cale_ C_efsm_last_ C_efsm_male_ C_efsm_rale_ C_efsm_srdy_ C_efsm_rst
      C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le
      C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool)
     (M_fsm_state :mfsm_ty)
     (M_count M_addr M_be M_rd_data M_detect :wordn)
     (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity :bool)
     (R_fsm_state :rfsm_ty)
     (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out
      R_ctr2_in R_ctr2 R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3 R_ctr3_new R_ctr3_out
      R_icr_old R_icr_mask R_icr R_ccr R_gcr R_sr R_reg_sel R_busA_latch :wordn)
     (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst
      R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden
      R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden
      R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden
      R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden
      R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis R_int3_dis
      R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_ :bool)
     (S_fsm_state :sfsm_ty)
     (S_soft_cnt S_delay :wordn)
     (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0
      S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool)
     (L_ad_in L_be_ :wordn)
     (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_ :bool)
     (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn)
     (ClkD :bool)
     (MB_data_in :wordn)
     (Edac_en_ :bool)
     (Bypass Test Failure0_ Failure1_ :bool) .
   piuEXEC_inst rep
    (P_addr, P_dest1, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_,
     P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_,
     C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid,
     C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms,
     C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst,
     C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_,
     C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA,
     C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_a1a0, C_a3a2,
     M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr,
     M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect,
     R_fsm_state, R_fsm_ale_, R_fsm_mrdy_, R_fsm_last_, R_fsm_rst,
     R_ctr0_in, R_ctr0_mux_sel, R_ctr0, R_ctr0_irden, R_ctr0_new, R_ctr0_cry, R_ctr0_out, R_ctr0_orden,
     R_ctr1_in, R_ctr1_mux_sel, R_ctr1, R_ctr1_irden, R_ctr1_new, R_ctr1_cry, R_ctr1_out, R_ctr1_orden,
     R_ctr2_in, R_ctr2_mux_sel, R_ctr2, R_ctr2_irden, R_ctr2_new, R_ctr2_cry, R_ctr2_out, R_ctr2_orden,
     R_ctr3_in, R_ctr3_mux_sel, R_ctr3, R_ctr3_irden, R_ctr3_new, R_ctr3_cry, R_ctr3_out, R_ctr3_orden,
     R_icr_load, R_icr_old, R_icr_mask, R_icr_rden, R_icr, R_ccr, R_ccr_rden, R_gcr, R_gcr_rden,
     R_sr, R_sr_rden, R_int0_dis, R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en,
     R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch,
     S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass,
     S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1,
     S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail)
    (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_,
     CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID,
     MB_data_in, Edac_en_, Bypass, Test, Failure0_, Failure1_) =
let new_P_fsm_state =
 ((P_fsm_rst) => PA |
 ((P_fsm_state = PH) => ((~P_fsm_hold_) => PH | PA) |
 ((P_fsm_state = PA) =>
   (((P_rqt ∧ P_dest1) ∨ (P_rqt ∧ P_dest1 ∧ P_fsm_cgnt_)) => PD |
   ((~P_fsm_hold_ ∧ P_lock_) => PH | PA)) |
 ((P_fsm_state = PD) =>
   (((P_fsm_sack ∧ P_fsm_hold_) ∨ (P_fsm_sack ∧ ~P_fsm_hold_ ∧ ~P_lock_)) => PA |
   ((P_fsm_sack ∧ ~P_fsm_hold_ ∧ P_lock_) => PH | PD)) | P_ILL)))) in
let c_write = (((~(C_mfsm_state = CMI)) ∧ (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in
let c_busy = (~((SUBARRAY CB_rqt_in_ (3,1)) = (WORDN 7))) in
let c_grant =
 ((((SUBARRAY Id (1,0)) = (WORDN 0)) ∧ ~(ELEMENT CB_rqt_in_ (0))) ∨
  (((SUBARRAY Id (1,0)) = (WORDN 1)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))) ∨
  (((SUBARRAY Id (1,0)) = (WORDN 2)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
     ∧ (ELEMENT CB_rqt_in_ (2))) ∨
  (((SUBARRAY Id (1,0)) = (WORDN 3)) ∧ ~(ELEMENT CB_rqt_in_ (0)) ∧ (ELEMENT CB_rqt_in_ (1))
     ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in
let c_addressed = (Id = (SUBARRAY C_source (15,10))) in
let new_C_mfsm_state =
 ((C_mfsm_rst) => CMI |
 ((C_mfsm_state = CMI) =>
   (C_mfsm_D ∧ ~C_mfsm_crqt_ ∧ ~c_busy ∧ ~C_mfsm_invalid) => CMR | CMI |
 ((C_mfsm_state = CMR) => (C_mfsm_D ∧ c_grant ∧ C_mfsm_hold_) =>
       CMA3 | CMR |
  ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) |
  ((C_mfsm_state = CMA1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA1 |
  ((C_mfsm_state = CMA0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMA2 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA0 |
  ((C_mfsm_state = CMA2) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMA2 |
  ((C_mfsm_state = CMD1) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY)) => CMD0 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD1 |
  ((C_mfsm_state = CMD0) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ C_last_in_) => CMD1 |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_last_in_) => CMW |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT | CMD0 |
  ((C_mfsm_state = CMW) =>
     (C_mfsm_D ∧ (C_mfsm_ss = ^SABORT)) => CMABT |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SACK) ∧ C_lock_in_) => CMI |
     (C_mfsm_D ∧ (C_mfsm_ss = ^SRDY) ∧ ~C_lock_in_ ∧ ~C_mfsm_crqt_) => CMA3 | CMW
let new_C_sfsm_state =
  ((C_sfsm_rst) => CSI |
  (C_sfsm_state = CSI) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 | CSI) |
  (C_sfsm_state = CSL) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ c_addressed) => CSA1 |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MSTART) ∧ ~c_grant ∧ ~c_addressed) => CSI |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSL) |
  (C_sfsm_state = CSA1) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSA0 |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA1) |
  (C_sfsm_state = CSA0) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ C_sfsm_hlda_) => CSA0W |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0) |
  (C_sfsm_state = CSA0W) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY) ∧ ~C_sfsm_hlda_) => CSALE |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSA0W) |
  (C_sfsm_state = CSALE) =>
    ((C_sfsm_D ∧ c_write ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D ∧ ~c_write ∧ (C_sfsm_ms = ^MRDY)) => CSRR |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSALE) |
  (C_sfsm_state = CSRR) =>
    ((C_sfsm_D ∧ ~(C_sfsm_ms = ^MABORT)) => CSD1 |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSRR) |
  (C_sfsm_state = CSD1) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD0 |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD1) |
  (C_sfsm_state = CSD0) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MEND)) => CSACK |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSD1 |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSD0) |
  (C_sfsm_state = CSACK) =>
    ((C_sfsm_D ∧ (C_sfsm_ms = ^MRDY)) => CSL |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MWAIT)) => CSI |
     (C_sfsm_D ∧ (C_sfsm_ms = ^MABORT)) => CSABT | CSACK) |
  (C_sfsm_D) => CSI | CSABT) in
let new_C_efsm_state =
  ((C_efsm_rst) => CEI |
  (C_efsm_state = CEI) => ((~C_efsm_cale_) => CEE | CEI) |
  ((~C_efsm_last_ ∧ ~C_efsm_srdy_) ∨ ~C_efsm_male_ ∨ ~C_efsm_rale_) => CEI | CEE) in
let m_bw = ((~(M_be = (WORDN 15))) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
let m_ww = ((M_be = (WORDN 15)) ∧ M_wr ∧ (~(M_fsm_state = MI))) in
let new_M_fsm_state =
  ((M_fsm_rst) => MI |
  ((M_fsm_state = MI) => ((~M_fsm_male_) => MA | MI) |
  ((M_fsm_state = MA) =>
     ((~M_fsm_mrdy_ ∧ m_ww) => MW |
     ((~M_fsm_mrdy_ ∧ ((~M_wr ∧ (~(M_fsm_state = MI))) ∨ m_bw)) => MR | MA)) |
  ((M_fsm_state = MR) =>
     ((m_bw ∧ (M_count = (WORDN 0))) => MBW |
     ((~M_fsm_last_ ∧ ~M_wr ∧ (~(M_fsm_state = MI)) ∧ (M_count = (WORDN 0))) => MRR | MR)) |
  ((M_fsm_state = MRR) => MI |
  ((M_fsm_state = MW) =>
     ((~M_fsm_last_ ∧ (M_count = (WORDN 0))) => MI |
     ((M_fsm_last_ ∧ (M_count = (WORDN 0))) => MA | MW)) |
  ((M_fsm_state = MBW) => MW | M_ILL))))))) in
let new_R_fsm_state =
  ((R_fsm_rst) => RI |
  ((R_fsm_state = RI) => ((~R_fsm_ale_) => RA | RI) |
  ((R_fsm_state = RA) => ((~R_fsm_mrdy_) => RD | RA) |
  ((~R_fsm_last_) => RI | RA)))) in
let r_fsm_cntlatch = ((R_fsm_state = RI) ∧ ~R_fsm_ale_) in
let r_fsm_srdy_ = ~((R_fsm_state = RA) ∧ ~R_fsm_mrdy_) in
let new_S_fsm_state =
  ((S_fsm_rst) => SSTART |
  ((S_fsm_state = SSTART) => SRA |
  ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO | SPF) | SRA) |
  ((S_fsm_state = SPF) => SC0I |
  ((S_fsm_state = SC0I) => ((S_fsm_delay17) => SC0F | SC0I) |
  ((S_fsm_state = SC0F) => ST |
  ((S_fsm_state = ST) => SC1I |
  ((S_fsm_state = SC1I) => ((S_fsm_delay17) => SC1F | SC1I) |
  ((S_fsm_state = SC1F) => SS |
  ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP | SCS) |
  ((S_fsm_state = SSTOP) => SSTOP |
  ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS) |
  ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) |
let s_fsm_sn = (new_S_fsm_state = SN) in
let s_fsm_so = (new_S_fsm_state = SO) in
let reset_cport =
  (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let s_fsm_sdi =
  (((~(new_S_fsm_state = SO)) ∧ (~(S_fsm_state = SSTOP))) ∨ (S_fsm_state = SRA)) in
let reset_piu =
  ((new_S_fsm_state = SSTART) ∨ (new_S_fsm_state = SRA) ∨ (new_S_fsm_state = SC0F) ∨
   (new_S_fsm_state = ST) ∨ (new_S_fsm_state = SC1F) ∨
   (new_S_fsm_state = SS) ∨ (new_S_fsm_state = SCS)) in
let s_fsm_src0 = ((~(new_S_fsm_state = SPF)) ∧ (~(new_S_fsm_state = SC0I))) in
let s_fsm_src1 = ((~(new_S_fsm_state = ST)) ∧ (~(new_S_fsm_state = SC1I))) in
let s_fsm_spf = ((S_fsm_state = SRA) ∧ S_fsm_delay6 ∧ ~S_fsm_rst) in
let s_fsm_sc0f = (new_S_fsm_state = SC0F) in
let s_fsm_sc1f = (new_S_fsm_state = SC1F) in
let s_fsm_spmf = (new_S_fsm_state = SO) in
let s_fsm_sb = (new_S_fsm_state = SSTART) in
let s_fsm_src =
  ((new_S_fsm_state = SSTART) ∨ ((S_fsm_state = SRA) ∧ S_fsm_delay6)
   ∨ (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = SC1F)
   ∨ (new_S_fsm_state = SS) ∨ ((S_fsm_state = SCS) ∧ S_fsm_delay6)) in
let s_fsm_sec =
  (((~(new_S_fsm_state = SSTOP)) ∧ (~(new_S_fsm_state = SO))) ∨ (S_fsm_state = SN)) in
let s_fsm_srs =
  (((S_fsm_state = SPF) ∧ ~S_fsm_rst) ∨ ((S_fsm_state = ST) ∧ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size =
  ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
   ((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ =
  ~((new_C_mfsm_state = CMA3) ∧ (new_P_fsm_state = PA) ∧ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) ∨ (C_efsm_state = CEE)) in
let new_M_count =
  (((new_M_fsm_state = MA) ∨ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
   (((new_M_fsm_state = MW) ∨ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy =
  (((new_M_fsm_state = MW) ∧ (new_M_count = (WORDN 0)))
   ∨ ((new_M_fsm_state = MR) ∧ (new_M_count = (WORDN 0)) ∧ ~M_wr)) in
let m_srdy_ = ~((M_rdy ∧ ~M_wr) ∨ (m_rdy ∧ M_wr)) in
let i_srdy_ =
  ((~i_cale_ ∨ c_srdy_en) => ~(C_wrdy ∨ C_rrdy ∨ (new_C_mfsm_state = CMABT)) |
   ~(new_M_fsm_state = MI) => m_srdy_ |
   ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD)) =>
     ~((R_fsm_state = RA) ∧ (new_R_fsm_state = RD)) | ARB) in
let p_ale = (~L_ads_ ∧ L_den_) in
let p_sack =
  ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) ∧ ~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let new_P_rqt =
  ((p_ale ∧ ~(p_sack ∨ reset_piu)) => T |
  ((~p_ale ∧ (p_sack ∨ reset_piu)) => F |
  ((~p_ale ∧ ~(p_sack ∨ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let new_P_male_ =
  ((new_P_fsm_state = PA) =>
     ~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧ new_P_rqt) |
     P_male_) in
let new_P_rale_ =
  ((new_P_fsm_state = PA) =>
     ~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧ new_P_rqt) |
     P_rale_) in
let new_P_lock_ =
  ((reset_piu) => T |
  ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
  ((reset_piu) => T |
  ((~new_P_male_ ∨ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe =
  ((reset_cport) => (WORDN 0) |
  (((new_C_sfsm_state = CSA0) ∧ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write =
  (((~(new_C_mfsm_state = CMI)) ∧ (~(new_C_mfsm_state = CMR))) => C_wr |
   (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let new_R_icr =
  ((R_icr_load) =>
     ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) |
                                   (Orn rep (R_icr_old, R_icr_mask))) |
     R_icr) in
let new_R_busA_latch =
  ((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => new_R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr
let i_ad =
  ((new_P_fsm_state = PA) => pod31_24 |
   ((new_P_fsm_state = PD) ∧ new_P_wr) => L_ad_in |
   (new_C_iad_en_s_delA ∨
    ((new_C_mfsm_state = CMD1) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_mfsm_state = CMW) ∧ (C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
    ((new_C_sfsm_state = CSALE) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR))) ∨
    ((new_C_sfsm_state = CSD0) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSACK) ∧ c_new_write)) => new_C_iad_out |
   (M_wr ∧ ~(new_M_fsm_state = MI)) => M_rd_data |
   (R_wr ∧ ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD))) => new_R_busA_latch | ARB) in
let disable_writes =
  ((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSL)) ∧
   ~((ChannelID = (WORDN 0)) ∧ (ELEMENT C_source (6))) ∧
   ~((ChannelID = (WORDN 1)) ∧ (ELEMENT C_source (7))) ∧
   ~((ChannelID = (WORDN 2)) ∧ (ELEMENT C_source (8))) ∧
   ~((ChannelID = (WORDN 3)) ∧ (ELEMENT C_source (9)))) in
let i_rale_ =
  (~(new_P_fsm_state = PH) =>
     ~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧
       (new_P_fsm_state = PA) ∧ new_P_rqt) |
     ~((new_C_sfsm_state = CSALE) ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes ∧ new_R_wr ∧ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr ∧ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB ∧ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB ∧ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 =
  (ALTER ARBN (0)
    (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
       (new_C_sfsm_state = CSD1) |
       (new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨
       (new_C_mfsm_state = CMD1))) in
let c_cout_sel =
  (ALTER cout_sel0 (1)
    (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
       (new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) | C_wr) in
let new_C_clkA = ClkD in
let i_last_ =
  (~(new_P_fsm_state = PH) => (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | C_last_out_) in
let new_C_last_in_ =
  ((reset_cport) => F |
  (((new_C_mfsm_state = CMABT) ∨ (new_C_mfsm_state = CMD1) ∧ ClkD) => i_last_ |
   C_last_in_)) in
let new_C_lock_in_ =
  ((reset_cport) => F |
  ((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ ∧ new_P_lock_inh_) |
   C_lock_in_)) in
let new_C_ss =
  (((~(new_C_mfsm_state = CMABT)) ∧ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
  ((~(new_C_sfsm_state = CSA1) ∧ ~(ClkD ∧ ((CB_ms_in = ^MEND) ∨ (CB_ms_in = ^MABORT)))) =>
     C_last_out_ | ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master =
  ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2) ∨
   (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0) ∨
   (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en =
  ~((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0)
    ∨ (new_C_mfsm_state = CMA2)
    ∨ (c_new_write ∧ ((new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)))
    ∨ (~c_new_write ∧ ((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del =
  ((i_cale_) ∨ (i_srdy_ ∧ ~c_new_write)
   ∨ ((new_C_mfsm_state = CMA0) ∧ c_srdy ∧ c_new_write ∧ ClkD)
   ∨ ((new_C_mfsm_state = CMD0) ∧ c_new_write ∧ c_srdy ∧ ClkD)) in
let new_C_cin_2_le =
  (ClkD ∧ (((new_C_mfsm_state = CMD0) ∧ c_srdy ∧ ~c_new_write) ∨
           ((new_C_sfsm_state = CSA0)) ∨
           ((new_C_sfsm_state = CSD0) ∧ c_new_write))) in
let new_C_mrdy_del_ =
  ~((~c_new_write ∧ ClkD ∧ ((new_C_sfsm_state = CSALE) ∨ (new_C_sfsm_state = CSD1))) ∨
    (~c_new_write ∧ C_clkA ∧ (new_C_sfsm_state = CSACK)) ∨
    (c_new_write ∧ ClkD ∧ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del =
  (((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE)))
   ∨ ((new_C_sfsm_state = CSALE) ∧ c_new_write)
   ∨ ((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR)))
   ∨ ((new_C_sfsm_state = CSD0) ∧ c_new_write)
   ∨ ((new_C_sfsm_state = CSACK) ∧ c_new_write)) in
let new_C_wrdy = (c_srdy ∧ c_new_write ∧ (new_C_mfsm_state = CMD1) ∧ ClkD) in
let new_C_rrdy = (c_srdy ∧ ~c_new_write ∧ (new_C_mfsm_state = CMD0) ∧ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity =
  ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0)
   ∨ (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨ (C_mfsm_state = CMA2)
   ∨ (C_mfsm_state = CMD1)) in
let c_sparity =
  ((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSACK)) ∧
   (~(new_C_sfsm_state = CSABT))) in
let new_C_parity =
  (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => T |
  ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ reset_error) => F |
  ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => C_parity | ARB))) in
let new_C_source =
  ((reset_cport) => (WORDN 0) |
  ((ClkD ∧ ((new_C_sfsm_state = CSI) ∨ (new_C_sfsm_state = CSL))) =>
     Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 =
  (MALTER ARBN (31,16)
    ((reset_cport) => (WORDN 0) |
    ((ClkD ∧ (((new_C_mfsm_state = CMD1) ∧ c_srdy ∧ ~c_new_write) ∨
              ((new_C_sfsm_state = CSA1)) ∨
              ((new_C_sfsm_state = CSD1) ∧ c_new_write))) =>
       Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (31,16))))) in
let new_C_data_in =
  (MALTER data_in31_16 (15,0)
    ((reset_cport) => (WORDN 0) |
    ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (15,0))))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 =
  (((c_dfsm_master ∧ C_cout_0_le_del) ∨
    (~c_dfsm_master ∧ C_clkA ∧ (new_C_sfsm_state = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ =
  ((new_P_fsm_state = PA) => new_P_be_ |
   (new_P_fsm_state = PD) => L_be_ |
   SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ =
  (~(new_P_fsm_state = PH) =>
     ~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧
       (new_P_fsm_state = PA) ∧ new_P_rqt) |
     ~((new_C_sfsm_state = CSALE) ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧
       C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
let new_M_addr =
  ((~i_male_) => (SUBARRAY i_ad (18,0)) |
  ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_be = ((~i_male_ ∨ ~m_srdy_) => (NOTN 3 i_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) ∧ new_M_wr ∧ (new_M_be = (WORDN 15)))
in
let new_M_rd_data =
  (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
  ((((new_M_fsm_state = MR) ∧ ~new_M_wr) ∨ new_M_wr ∨ (new_M_fsm_state = MI)) =>
     ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error =
  (~m_srdy_ ∧ (~(new_M_fsm_state = MI)) ∧ Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity =
  ((m_error ∧ ~(reset_piu ∨ reset_error)) => T |
  ((~m_error ∧ (reset_piu ∨ reset_error)) => F |
  ((~m_error ∧ ~(reset_piu ∨ reset_error)) => M_parity | ARB))) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel =
  ((~i_rale_) => (SUBARRAY i_ad (3,0)) |
  ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_writeA = (~disable_writes ∧ R_wr ∧ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr ∧ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB ∧ (r_reg_sel = (WORDN 3))) => i_ad | R_ccr) in
let new_R_ccr_rden = (r_readB ∧ (r_reg_sel = (WORDN 3))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
  ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => T |
  (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
  ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en |
  ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
  (~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
  ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en |
  ARB))) in
let new_R_ctr0_in = ((r_writeB ∧ (r_reg_sel = (WORDN 8))) => i_ad | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB ∧ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) ∧ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB ∧ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB ∧ (r_reg_sel = (WORDN 9))) => i_ad | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB ∧ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) ∧ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB ∧ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB ∧ (r_reg_sel = (WORDN 10))) => i_ad | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB ∧ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 = ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) ∧ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB ∧ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB ∧ (r_reg_sel = (WORDN 11))) => i_ad | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_cir_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB ∧ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) ∧ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB ∧ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load =
(r_writeB \land ((r_reg_sel = (WORDN \ 0)) \lor (r_reg_sel = (WORDN \ 1)))) \ in \ respectively. \\ let new_R_icr_old = ((r\_writeB \land ((r\_reg\_sel = (WORDN \ 0)) \lor (r\_reg\_sel = (WORDN \ 1))))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_writeB \land ((r\_reg\_sel = (WORDN \ 0))) \lor (r\_reg\_sel = (WORDN \ 1))))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 0))) \lor (r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 0))) \lor (r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 0))) \lor (r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1)))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr \mid R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr\_old) \ in \ ((r\_reg\_sel = (WORDN \ 1))) => R\_icr\_old) \ in \ 
((r\_reg\_sel = (WORDN \ 1))) => R\_icr\_old) ((r\_re let new_R_icr_mask = ((r\_writeB \land ((r\_reg\_sel = (WORDN 0)) \lor (r\_reg\_sel = (WORDN 1)))) \Rightarrow i\_ad \lor R\_icr\_mask) in let\ new\_R\_icr\_rden = ((new\_R\_fsm\_state = RA) \land ((r\_reg\_sel = (WORDN\ 0)) \lor (r\_reg\_sel = (WORDN\ 1))))\ insulabel{eq:constraint} ``` ``` let r_{int}0_{en} = (((ELEMENT R_{icr}(0)) \land (ELEMENT R_{icr}(8))) \lor ((ELEMENT R_icr (1)) \( \text{(ELEMENT R_icr (9))) } \( \text{V} \) ((ELEMENT R_icr (2)) \( (ELEMENT R_icr (10))) \( \) ((ELEMENT R_icr (3)) \( (ELEMENT R_icr (11))) \( \noting \) ((ELEMENT R_icr (4)) \land (ELEMENT R_icr (12))) \lor ((ELEMENT R_icr (5)) \( (ELEMENT R_icr (13))) \( \) ((ELEMENT R_icr (6)) \land (ELEMENT R_icr (14))) \lor ((ELEMENT R_icr (7)) \( \text{(ELEMENT R_icr (15)))} \) in let new_R_int0_dis = r_int0_en in let r_int3_en = (((ELEMENT R_icr (16)) \land (ELEMENT R_icr (24))) \lor ((ELEMENT R_icr (17)) \( \text{(ELEMENT R_icr (25))) V} ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨ ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) V ((ELEMENT R_icr (20)) \land (ELEMENT R_icr (28))) \lor ((ELEMENT R_icr (21)) \( \text{(ELEMENT R_icr (29))} \) \( \text{V} ((ELEMENT R_icr (22)) \land (ELEMENT R_icr (30))) \lor ((ELEMENT R_icr (23)) \land (ELEMENT R_icr (31)))) in let new_R_int3_dis = r_int3_en in let new_S_soft_shot_del = (\simgcrh \land gcrl) in let s_soft_cnt_out = ((s_fsm_srs) => ((gcrl \land \neg gcrh \land \neg S\_soft\_shot\_del) => (WORDN 1) | (WORDN 0)) | ((gcrl \land \neg gcrh \land \neg S\_soft\_shot\_del) \Longrightarrow (INCN 2 S\_soft\_cnt) \mid S\_soft\_cnt)) in let new_S_soft_cnt = ((-gcrh \land -gcrl) \Rightarrow (WORDN 0) \mid s_soft_cnt_out) in let s_delay_out = ((s_fsm_src \lor (s_fsm_scs \land (ELEMENT S_delay (6)))) => ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) | ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in let new_S_delay = s_delay_out in let s_{pu} = (s_{s_{pu}} - k = (s_{s_{pu}} - k)) in let s_{pul} = (s_{s_{pul}} 
- k = (s_{s_{pul}} - k)) in let new_S_pmm_fail = ((s_fsm_sb \land \neg s_fsm_spmf) => T ((-s_fsm_sb \land s_fsm_spmf) => F ((\sim s\_fsm\_sb \land \sim s\_fsm\_spmf) => S\_pmm\_fail \mid ARB))) in let new_S_cpu0_fail = ((s_fsm_sb \land \sim (s_cpu0_ok \lor Bypass)) => T \lor ((\sim s\_fsm\_sb \land (s\_cpu0\_ok \lor Bypass)) => F \mid ((\sim s\_fsm\_sb \land \sim (s\_cpu0\_ok \lor Bypass)) => S\_cpu0\_fail \mid ARB))) \ in let new_S_cpu1_fail = ((s\_fsm\_sb \land \sim (s\_cpul\_ok \lor Bypass)) => T ((-s\_fsm\_sb \land (s\_cpu1\_ok \lor Bypass)) \Longrightarrow F I ((\sim s\_fsm\_sb \land \sim (s\_cpul\_ok \lor Bypass)) => S\_cpul\_fail \mid ARB))) in let new_S_piu_fail = ((s_fsm_sb \land -(s_fsm_spf \lor Bypass)) => T ((-s_fsm_sb \land (s_fsm_spf \lor Bypass)) => FI ((\sim s\_fsm\_sb \land \sim (s\_fsm\_spf \lor Bypass)) => S\_piu\_fail \mid ARB))) in let s_cpu0_select = ((s_fsm_sn \lor s_fsm_so) \land \neg S_cpu0_fail) in let s_{cpul}_{select} = ((s_{fsm_sn} \lor s_{fsm_so}) \land S_{cpul}_{fail} \land \neg S_{cpul}_{fail}) in let new_S_bad_cpu0 = ((s_fsm_sb \land -s_cpu0_select) => T ((\sim s\_fsm\_sb \land s\_cpu0\_select) => F \mid ((\sim s\_fsm\_sb \land \sim s\_cpu0\_select) => S\_bad\_cpu0 \mid ARB))) in ``` ``` let new_S_bad_cpu1 = ((s\_fsm\_sb \land \neg s\_cpul\_select) => T \mid ((\sim s\_fsm\_sb \land s\_cpu1\_select) => F \mid ((\sim s\_fsm\_sb \land \sim s\_cpu1\_select) => S\_bad\_cpu1 \mid ARB))) in let new_S_reset_cpu0 = (new_S_bad_cpu0 \( \Lambda \) s_fsm_src0) in let new_S_reset_cpu1 = (new_S_bad_cpu1 \Lambda s_fsm_src1) in let new_S_cpu_hist = (S_reset_cpu0 \land S_reset_cpu1 \land Bypass) in let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) V (new_S_fsm_state = SSTOP) V(new_S_{fsm_state} = SCS) V(new_S_{fsm_state} = SN) V(new_S_fsm_state = SO))) in let\ ss1 = (ALTER\ ss0\ (1)\ ((new\_S\_fsm\_state = SC0F)\ V\ (new\_S\_fsm\_state = ST) V (new_S_fsm_state = SC1I) V (new_S_fsm_state = SC1F) V (new_S_{fsm_state} = SS) V (new_S_{fsm_state} = SSTOP) 
V (new_S_fsm_state = SCS))) in let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) V (new_S_fsm_state = SC0I) V (new_S_fsm_state = SC0F) V (new_S_fsm_state = ST) V (new_S_fsm_state = SSTOP) V (new_S_fsm_state = SO))) in let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) V (new_S_fsm_state = SPF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1I) V (new_S_fsm_state = SCS) V (new_S_fsm_state = SN) V (new_S_fsm_state = SO))) in let s_state = ss3 in let sr28 = (ALTER ARBN (28) new_M_parity) in let sr28_25 = (MALTER sr28 (27,25) new_C_ss) in let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in let sr28_16 = (MALTER sr28_22 (21,16) Id) in let sr28_12 = (MALTER sr28_16 (15,12) s_state) in let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in let sr28_3 = (ALTER sr28_8 (3) new_S_reset_cpu1) in let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpu0) in let sr28_1 = (ALTER sr28_2 (1) new_S_cpu1_fail) in let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in let new_R_sr_rden = (r_readB \land (r_reg_sel = (WORDN 4))) in let new_P_fsm_rst = reset_piu in let new_P_fsm_sack = p_sack in let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in let new_P_fsm_hold_ = new_C_holdA_ in let new_C_mfsm_D = ClkD in let new_C_mfsm_rst = reset_cport in let new_C_mfsm_crqt_ = \sim (new_P_dest1 \land new_P_rqt) in let new_C_mfsm_hold_ = new_C_holdA_ in let new_C_mfsm_ss = CB_ss_in in let new_C_mfsm_invalid = piu_invalid in let new_C_sfsm_D = ClkD in let new_C_sfsm_rst = reset_cport in let new_C_sfsm_hlda_ = ~(new_P_fsm_state = PH) in let new_C_sfsm_ms = CB_ms_in in let new_C_efsm_cale_ = i_cale_ in let new_C_efsm_last_ = i_last_ in let new_C_efsm_male_ = i_male_ in ``` ``` let new_C_efsm_rale_ = i_rale_ in let new_C_efsm_srdy_ = i_srdy_ in let new_C_efsm_rst = reset_cport in let new_M_fsm_male_ = i_male_ in let new_M_fsm_last_ = i_last_ in let new_M_fsm_mrdy_ = 
((-(P_fsm_state = PH)) => F | C_mrdy_del_) in let new_M_fsm_rst = reset_piu in let new_R_fsm_ale_ = i_rale_ in let new_R_fsm_mrdy_ = ((\sim (P_fsm_state = PH)) \Rightarrow F \mid C_mrdy_del_) in let new_R_fsm_last_ = i_last_ in let new_R_fsm_rst = reset_piu in let new_S_fsm_rst = Rst in let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in let new_S_{fsm_bothbad} = (new_S_{cpu0_fail} \land new_S_{cpu1_fail}) in let new_S_fsm_bypass = Bypass in (new_P_addr, new_P_dest1, new_P_be_, new_P_wr, new_P_fsm_state, new_P_fsm_rst, new_P_fsm_sack, new_P_fsm_cgnt_, new_P_fsm_hold_, new_P_rqt, new_P_size, new_P_down, new_P_lock_, new_P_lock_inh_, new_P_male_, new_P_rale_, new_C_mfsm_state, new_C_mfsm_D, new_C_mfsm_rst, new_C_mfsm_crqt_, new_C_mfsm_hold_, new_C_mfsm_ss, new_C_mfsm_invalid, new_C_sfsm_state, new_C_sfsm_D, new_C_sfsm_rst, new_C_sfsm_hlda_, new_C_sfsm_ms, new_C_efsm_state, new_C_efsm_cale_, new_C_efsm_last_, new_C_efsm_male_, new_C_efsm_rale_, new_C_efsm_srdy_, new_C_efsm_rst, new_C_wr, new_C_sizewrbe, new_C_clkA, new_C_last_in_, new_C_lock_in_, new_C_ss, new_C_last_out_, new_C_hold_, new_C_holdA_, new_C_cout_0_le_del, new_C_cin_2_le, new_C_mrdy_del_, new_C_iad_en_s_del, new_C_iad_en_s_delA, new_C_wrdy, new_C_rdy, new_C_parity, new_C_source, new_C_data_in, new_C_iad_out, new_C_iad_in, new_C_a1a0, new_C_a3a2, new_M_fsm_state, new_M_fsm_male_, new_M_fsm_last_, new_M_fsm_mrdy_, new_M_fsm_rst, new_M_count, new_M_se, new_M_wr, new_M_addr, new_M_be, new_M_rdy, new_M_wwdel, new_M_parity, new_M_rd_data, new_M_detect, new_R_fsm_state, new_R_fsm_ale_, new_R_fsm_mrdy_, new_R_fsm_last_, new_R_fsm_rst, new_R_ctr0_in, new_R_ctr0_mux_sel, new_R_ctr0, new_R_ctr0_irden, new_R_ctr0_new, new_R_ctr0_cry, new_R_ctr0_out, new_R_ctr0_orden, new_R_ctr1_in, new_R_ctr1_mux_sel, new_R_ctr1, new_R_ctr1_irden, new_R_ctr1_new, new_R_ctrl_cry, new_R_ctr1_out, new_R_ctr1_orden, new_R_ctr2_in, 
new_R_ctr2_mux_sel, new_R_ctr2, new_R_ctr2_irden, new_R_ctr2_new, new_R_ctr2_cry, new_R_ctr2_out, new_R_ctr2_orden, new_R_ctr3_in, new_R_ctr3_mux_sel, new_R_ctr3, new_R_ctr3_new, new_R_ctr3_cry, new_R_ctr3_out, new_R_ctr3_orden, new_R_icr_load, new_R_icr_old, new_R_icr_mask, new_R_icr_rden, new_R_icr, new_R_ccr, new_R_ccr_rden, new_R_gcr, new_R_gcr_rden, new_R_sr_rden, new_R_int0_dis, new_R_int3_dis, new_R_c01_cout_del, new_R_int1_en, new_R_c23_cout_del, new_R_int2_en, new_R_wr, new_R_cntlatch_del, new_R_srdy_del_, new_R_reg_sel, new_R_busA_latch, new_S_fsm_state, new_S_fsm_rst, new_S_fsm_delay6, new_S_fsm_delay17, new_S_fsm_bothbad, new_S_fsm_bypass, new_S_soft_shot_del, new_S_soft_cnt, new_S_delay, new_S_bad_cpu0, new_S_bad_cpu1, new_S_reset_cpu0, new_S_reset_cpu1, new_S_cpu_hist, new_S_pmm_fail, new_S_cpu0_fail, new_S_cpu1_fail, new_S_piu_fail)" );; Output definition for EXEC instruction. ``` ``` let piuEXEC_out_def = new_definition ('piuEXEC_out', "| (rep:^rep_ty) (P_fsm_state :pfsm_ty) (P_addr P_be_ P_size :wordn) (P_dest1 P_wr P_fsm_rst P_fsm_sack P_fsm_cgnt_ P_fsm_hold_ P_rqt P_down P_lock_ P_lock_inh_ P_male_ P_rale_:bool) (C_mfsm_state:cmfsm_ty) (C_sfsm_state:csfsm_ty) (C_efsm_state:cefsm_ty) (C_mfsm_ss C_sfsm_ms C_sizewrbe C_ss C_source C_data_in C_iad_out C_iad_in C_ala0 C_a3a2 :wordn) (C_mfsm_D C_mfsm_rst C_mfsm_crqt_C_mfsm_hold_C_mfsm_invalid C_sfsm_D C_sfsm_rst C_sfsm_hlda_ C_efsm_cale_C_efsm_last_C_efsm_male_C_efsm_rale_C_efsm_srdy_C_efsm_rst C_wr C_clkA C_last_in_ C_lock_in_ C_last_out_ C_hold_ C_holdA_ C_cout_0_le_del C_cin_2_le C_mrdy_del_ C_iad_en_s_del C_iad_en_s_delA C_wrdy C_rrdy C_parity :bool) (M_fsm_state :mfsm_ty) (M_count M_addr M_be M_rd_data M_detect :wordn) (M_fsm_male_ M_fsm_last_ M_fsm_mrdy_ M_fsm_rst M_se M_wr M_rdy M_wwdel M_parity:bool) (R_fsm_state :rfsm_ty) (R_ctr0_in R_ctr0 R_ctr0_new R_ctr0_out R_ctr1_in R_ctr1 R_ctr1_new R_ctr1_out R_ctr2_in R_ctr2_new R_ctr2_out R_ctr3_in R_ctr3_new R_ctr3_out R_icr_old R_icr_mask R_icr 
R_ccr R_gcr R_sr R_reg_sel R_busA_latch :wordn) (R_fsm_ale_ R_fsm_mrdy_ R_fsm_last_ R_fsm_rst R_ctr0_mux_sel R_ctr0_irden R_ctr0_cry R_ctr0_orden R_ctr1_mux_sel R_ctr1_irden R_ctr1_cry R_ctr1_orden R_ctr2_mux_sel R_ctr2_irden R_ctr2_cry R_ctr2_orden R_ctr3_mux_sel R_ctr3_irden R_ctr3_cry R_ctr3_orden R_icr_load R_icr_rden R_ccr_rden R_gcr_rden R_sr_rden R_int0_dis R_int3_dis R_c01_cout_del R_int1_en R_c23_cout_del R_int2_en R_wr R_cntlatch_del R_srdy_del_:bool) (S_fsm_state:sfsm_ty) (S_soft_cnt S_delay :wordn) (S_fsm_rst S_fsm_delay6 S_fsm_delay17 S_fsm_bothbad S_fsm_bypass S_soft_shot_del S_bad_cpu0 S_bad_cpu1 S_reset_cpu0 S_reset_cpu1 S_cpu_hist S_pmm_fail S_cpu0_fail S_cpu1_fail S_piu_fail :bool) (L_ad_in L_be_:wordn) (ClkA ClkB Rst L_ads_ L_den_ L_wr L_lock_:bool) (CB_rqt_in_ CB_ad_in CB_ms_in CB_ss_in Id ChannelID :wordn) (ClkD :bool) (MB_data_in :wordn) (Edac_en_:bool) (Bypass Test Failure0_ Failure1_:bool) . piuEXEC_out rep (P_addr, P_destl, P_be_, P_wr, P_fsm_state, P_fsm_rst, P_fsm_sack, P_fsm_cgnt_, P_fsm_hold_, P_rqt, P_size, P_down, P_lock_, P_lock_inh_, P_male_, P_rale_, C_mfsm_state, C_mfsm_D, C_mfsm_rst, C_mfsm_crqt_, C_mfsm_hold_, C_mfsm_ss, C_mfsm_invalid, C_sfsm_state, C_sfsm_D, C_sfsm_rst, C_sfsm_hlda_, C_sfsm_ms, C_efsm_state, C_efsm_cale_, C_efsm_last_, C_efsm_male_, C_efsm_rale_, C_efsm_srdy_, C_efsm_rst, C_wr, C_sizewrbe, C_clkA, C_last_in_, C_lock_in_, C_ss, C_last_out_, C_hold_, C_holdA_, C_cout_0_le_del, C_cin_2_le, C_mrdy_del_, C_iad_en_s_del, C_iad_en_s_delA, C_wrdy, C_rrdy, C_parity, C_source, C_data_in, C_iad_out, C_iad_in, C_ala0,C_a3a2, M_fsm_state, M_fsm_male_, M_fsm_last_, M_fsm_mrdy_, M_fsm_rst, M_count, M_se, M_wr, M_addr, M_be, M_rdy, M_wwdel, M_parity, M_rd_data, M_detect, ``` R\_fsm\_state, R\_fsm\_ale\_, R\_fsm\_mrdy\_, R\_fsm\_last\_, R\_fsm\_rst, R\_ctr0\_in, R\_ctr0\_mux\_sel, R\_ctr0, R\_ctr0\_irden, R\_ctr0\_new, R\_ctr0\_cry, R\_ctr0\_out, R\_ctr0\_orden, R\_ctr1\_in, R\_ctr1\_mux\_sel, R\_ctr1, R\_ctr1\_irden, 
R\_ctr1\_new, R\_ctr1\_cry, R\_ctr1\_out, R\_ctr1\_orden, R\_ctr2\_in, R\_ctr2\_mux\_sel, R\_ctr2, R\_ctr2\_irden, R\_ctr2\_new, R\_ctr2\_cry, R\_ctr2\_out, R\_ctr2\_orden, R\_ctr3\_in, R\_ctr3\_mux\_sel, R\_ctr3, R\_ctr3\_irden, R\_ctr3\_new, R\_ctr3\_cry, R\_ctr3\_out, R\_ctr3\_orden, R\_icr\_load, R\_icr\_old, R\_icr\_mask, R\_icr\_rden, R\_icr, R\_ccr, R\_ccr\_rden, R\_gcr, R\_gcr\_rden, R\_sr, R\_sr\_rden, R\_int0\_dis, ``` R_int3_dis, R_c01_cout_del, R_int1_en, R_c23_cout_del, R_int2_en, R_wr, R_cntlatch_del, R_srdy_del_, R_reg_sel, R_busA_latch, S_fsm_state, S_fsm_rst, S_fsm_delay6, S_fsm_delay17, S_fsm_bothbad, S_fsm_bypass, S_soft_shot_del, S_soft_cnt, S_delay, S_bad_cpu0, S_bad_cpu1, S_reset_cpu0, S_reset_cpu1, S_cpu_hist, S_pmm_fail, S_cpu0_fail, S_cpu1_fail, S_piu_fail) (ClkA, ClkB, Rst, L_ad_in, L_ads_, L_den_, L_be_, L_wr, L_lock_, CB_rqt_in_, CB_ad_in, CB_ms_in, CB_ss_in, ClkD, Id, ChannelID, MB_data_in, Edac_en_, Bypass, Test, Failure0_, Failure1_) = let new_P_fsm_state = ((P_fsm_rst) => PAI ((P_fsm_state = PH) \Rightarrow ((\sim P_fsm_hold_) \Rightarrow PH \mid PA) \mid ((P_fsm_state = PA) => (((P_rqt \land \neg P_dest1) \lor (P_rqt \land P_dest1 \land \neg P_fsm_cgnt_)) \Rightarrow PD \mid ((\sim P_fsm_bold_ \land P_lock_) \Rightarrow PH \mid PA)) \mid ((P_fsm_state = PD) => (((P_fsm_sack \land P_fsm_hold_) \lor (P_fsm_sack \land \neg P_fsm_hold_ \land \neg P_lock_)) => PA \mid ((P_fsm_sack \land \neg P_fsm_hold_\land P_lock_) \Rightarrow PH \mid PD)) \mid P_ILL)))) in let c_write = (((~(C_mfsm_state = CMI)) \lambda (~(C_mfsm_state = CMR))) => C_wr | (ELEMENT C_sizewrbe (5))) in let c_busy = (\sim((SUBARRAY CB_rqt_in_(3,1)) = (WORDN 7))) in let c_{grant} = ((((SUBARRAY Id (1,0)) = (WORDN 0)) \land \sim (ELEMENT CB_{rqt_in_(0)})) V(((SUBARRAY Id (1,0)) = (WORDN 1)) \land \neg(ELEMENT CB\_rqt\_in\_(0)) \Lambda (ELEMENT CB_rqt_in_(1))) V(((SUBARRAY Id (1,0)) = (WORDN 2)) \land \neg (ELEMENT CB\_rqt\_in\_(0)) \Lambda (ELEMENT CB_rqt_in_(1)) A (ELEMENT 
CB_rqt_in_ (2))) V(((SUBARRAY Id (1,0)) = (WORDN 3)) \land \sim (ELEMENT CB_rqt_in_(0)) \Lambda (ELEMENT CB_rqt_in_ (1)) ∧ (ELEMENT CB_rqt_in_ (2)) ∧ (ELEMENT CB_rqt_in_ (3)))) in let c_addressed = (Id = (SUBARRAY C_source (15,10))) in let new_C_mfsm_state = ((C_mfsm_rst) => CMI \mid ((C_mfsm_state = CMI) => (C_mfsm_D \land \neg C_mfsm_crqt_ \land \neg c_busy \land \neg C_mfsm_invalid) => CMR \mid CMI \mid ((C_mfsm_state = CMR) \Rightarrow (C_mfsm_D \land c_grant \land C_mfsm_hold_) \Rightarrow CMA3 \mid CMR \mid ((C_mfsm_state = CMA3) => ((C_mfsm_D) => CMA1 | CMA3) | ((C_mfsm_state = CMA1) => (C_mfsm_D \land (C_mfsm_ss = \land SRDY)) \Rightarrow CMA0 (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMA1 \mid ((C_mfsm_state = CMA0) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) => CMA2 \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMA0 \mid ((C_mfsm_state = CMA2) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) => CMD1 \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMA2 \mid ((C_mfsm_state = CMD1) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY)) => CMD0 \mid (C_mfsm_D \land (C_mfsm_ss = \land SABORT)) => CMABT \mid CMD1 \mid ((C_mfsm_state = CMD0) => (C_mfsm_D \land (C_mfsm_ss = ^SRDY) \land C_last_in_) => CMD1 ``` ``` (C_mfsm_D \land (C_mfsm_ss = \land SRDY) \land \neg C_last_in_) => CMW \mid (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid CMD0 \mid ((C_mfsm_state = CMW) => (C_mfsm_D \land (C_mfsm_ss = ^SABORT)) => CMABT \mid (C_mfsm_D \land (C_mfsm_ss = ^SACK) \land C_lock_in_) => CMI \mid (C_mfsm_D \land (C_mfsm_ss = ^SRDY) \land ^C_lock_in_ \land ^C_mfsm_crqt_) => CMA3 \mid CMW \mid C_mfsm_b \land C_mfsm_crqt_) => CMA3 \mid CMW \mid C_mfsm_b \land C_mfsm_ss = ^SRDY \mid C_mfsm_ss = ^SRDY \mid C_mfsm_crqt_) => CMA3 \mid CMW \mid C_mfsm_ss = ^SRDY \mid C_mfsm_ss = ^SRDY \mid C_mfsm_crqt_) => CMA3 \mid CMW \mid C_mfsm_ss = ^SRDY \mid C_mfsm_ss = ^SRDY \mid C_mfsm_crqt_) => CMA3 \mid CMW \mid C_mfsm_ss = ^SRDY C_m let new_C_sfsm_state = ((C_sfsm_rst) => CSI 
\mid (C_sfsm_state = CSI) => ((C_sfsm_D \land (C_sfsm_ms = ^MSTART) \land \sim c_grant \land c_addressed) => CSA1 \mid CSI) \mid (C_sfsm_state = CSL) => ((C\_sfsm\_D \land (C\_sfsm\_ms = ^MSTART) \land \sim c\_grant \land c\_addressed) => CSA1 \mid C\_addressed (C_sfsm_D \land (C_sfsm_ms = ^MSTART) \land \sim c_grant \land \sim c_addressed) => CSI \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSL) \mid (C_sfsm_state = CSA1) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSA0 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSA1) \mid (C_sfsm_state = CSA0) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY) \land \neg C_sfsm_hlda_) => CSALE \mid (C_sfsm_D \land (C_sfsm_ms = \land MRDY) \land C_sfsm_hlda_) => CSA0W \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSA0) \mid (C_sfsm_state = CSA0W) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY) \land \sim C_sfsm_hlda_) => CSALE \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSA0W) \mid (C_sfsm_state = CSALE) => ((C_sfsm_D \land c_write \land (C_sfsm_ms = ^MRDY)) => CSD1 \mid (C_sfsm_D \land \sim c_write \land (C_sfsm_ms = ^MRDY)) => CSRR \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSALE) \mid (C_sfsm_state = CSRR) => ((C_sfsm_D \land \neg(C_sfsm_ms = \land MABORT)) \Rightarrow CSD1 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) \Rightarrow CSABT \mid CSRR) (C_sfsm_state = CSD1) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSD0 \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) \Rightarrow CSABT | CSD1) | (C_sfsm_state = CSD0) => ((C_sfsm_D \land (C_sfsm_ms = ^MEND)) => CSACK \mid (C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSD1 (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSD0) \mid (C_sfsm_state = CSACK) => ((C_sfsm_D \land (C_sfsm_ms = ^MRDY)) => CSL (C_sfsm_D \land (C_sfsm_ms = ^MWAIT)) => CSI \mid (C_sfsm_D \land (C_sfsm_ms = ^MABORT)) => CSABT \mid CSACK) \mid (C_sfsm_D) \Rightarrow CSI \mid CSABT) in let new_C_efsm_state = ((C_efsm_rst) => CEII (C_efsm_state = CEI) \Rightarrow ((\sim 
C_efsm_cale_) \Rightarrow CEE \mid CEI) \mid ((\neg C_efsm_last\_ \land \neg C_efsm_srdy\_) \lor \neg C_efsm_male\_ \lor \neg C_efsm_rale\_) \Rightarrow CEI \lor CEE) in let m_bw = ((\sim(M_be = (WORDN 15))) \land M_wr \land (\sim(M_fsm_state = MI))) in let m_ww = ((M_be = (WORDN 15)) \land M_wr \land (\sim(M_fsm_state = MI))) in ``` let new\_M\_fsm\_state = ``` ((M_fsm_rst) => MI ((M_fsm_state = MI) => ((\sim M_fsm_male_) => MA \mid MI) \mid ((M_fsm_state = MA) => ((\sim M_fsm_mrdy_ \land m_ww) => MW ((\sim M_fsm_mrdy_ \land ((\sim M_wr \land (\sim (M_fsm_state = MI))) \lor m_bw)) => MR \mid MA)) \mid ((M_fsm_state = MR) => ((m_bw \land (M_count = (WORDN 0))) => MBW \mid ((M_fsm_last_ \land -M_wr \land (-(M_fsm_state = MI)) \land (M_count = (WORDN 0))) => MA ((-M_fsm_last_ \land -M_wr \land (-(M_fsm_state = MI)) \land (M_count = (WORDN 0))) => MRR \mid MR))) \mid ((M_fsm_state = MRR) \Rightarrow MI ((M_fsm_state = MW) => ((-M_fsm_last_ \land (M_count = (WORDN 0))) => MI ((M_fsm_last_ \land (M_count = (WORDN 0))) => MA \mid MW)) ((M_fsm_state = MBW) \Rightarrow MW \mid M_ILL))))))) in let new_R_fsm_state = ((R_fsm_rst) => RI ((R_fsm_state = RI) \Rightarrow ((-R_fsm_ale_) \Rightarrow RA \mid RI) \mid ((R_fsm_state = RA) => ((-R_fsm_mrdy_) => RD \mid RA) \mid ((-R_fsm_last_) => RI | RA)))) in let r_fsm_cntlatch = ((R_fsm_state = RI) \land \sim R_fsm_ale_) in let r_fsm_srdy_ = \sim ((R_fsm_state = RA) \land \sim R_fsm_mrdy_) in let new_S_fsm_state = ((S_fsm_rst) => SSTART! 
((S_fsm_state = SSTART) => SRA | ((S_fsm_state = SRA) => ((S_fsm_delay6) => ((S_fsm_bypass) => SO \mid SPF) \mid SRA) \mid ((S_fsm_state = SPF) => SCOI | ((S_fsm_state = SCOI) \Rightarrow ((S_fsm_delay17) \Rightarrow SCOF \mid SCOI) \mid ((S_fsm_state = SCOF) => ST \mid ((S_fsm_state = ST) \Rightarrow SC1I) ((S_fsm_state = SC1I) \Rightarrow ((S_fsm_delay17) \Rightarrow SC1F \mid SC1I) \mid ((S_fsm_state = SC1F) \Rightarrow SS \mid ((S_fsm_state = SS) => ((S_fsm_bothbad) => SSTOP \mid SCS) \mid ((S_fsm_state = SSTOP) => SSTOP | ((S_fsm_state = SCS) => ((S_fsm_delay6) => SN | SCS)| ((S_fsm_state = SN) => ((S_fsm_delay17) => SO | SN) | let s_fsm_sn = (new_S_fsm_state = SN) in let s_fsm_so = (new_S_fsm_state = SO) in let reset_cport = (((\neg(new_S_fsm_state = SO)) \land (\neg(S_fsm_state = SSTOP))) \lor (S_fsm_state = SRA)) in let s_fsm_sdi = (((\neg(new_S_fsm_state = SO)) \land (\neg(S_fsm_state = SSTOP))) \lor (S_fsm_state = SRA)) in let reset_piu = ((new_S_fsm_state = SSTART) V (new_S_fsm_state = SRA) V (new_S_fsm_state = SCOF) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1F) V (new_S_fsm_state = SS) V (new_S_fsm_state = SCS)) in let s_fsm_src0 = ((\sim(new_S_fsm_state = SPF)) \land (\sim(new_S_fsm_state = SCOI))) in let s_fsm_src1 = ((\sim(new_S_fsm_state = ST)) \land (\sim(new_S_fsm_state = SC1I))) in let s_fsm_spf = ((S_fsm_state = SRA) \land S_fsm_delay6 \land \sim S_fsm_rst) in let s_fsm_scOf = (new_S_fsm_state = SCOF) in let s_fsm_sc1f = (new_S_fsm_state = SC1F) in let s_fsm_spmf = (new_S_fsm_state = SO) in let s_fsm_sb = (new_S_fsm_state = SSTART) in let s_fsm\_src = ((new\_S\_fsm\_state = SSTART) \lor ((S\_fsm\_state = SRA) \land S\_fsm\_delay6) V (new_S_fsm_state = SC0F) V (new_S_fsm_state = ST) V (new_S_fsm_state = SC1F) ``` ``` V (new_S_{fsm_state} = SS) V ((S_{fsm_state} = SCS) \land S_{fsm_delay6})) in let s\_fsm\_sec = (((\sim(new\_S\_fsm\_state = SSTOP)) \land (\sim(new\_S\_fsm\_state = SO))) \lor (S\_fsm\_state = SN)) in (\sim(new\_S\_fsm\_state 
```
let s_fsm_srs = (((S_fsm_state = SPF) ∧ ~S_fsm_rst) ∨ ((S_fsm_state = ST) ∧ ~S_fsm_rst)) in
let s_fsm_scs = (new_S_fsm_state = SCS) in
let new_P_addr = ((~P_rqt) => (SUBARRAY L_ad_in (25,0)) | P_addr) in
let new_P_dest1 = ((~P_rqt) => (ELEMENT L_ad_in (31)) | P_dest1) in
let new_P_be_ = ((~P_rqt) => L_be_ | P_be_) in
let new_P_wr = ((~P_rqt) => L_wr | P_wr) in
let new_P_size = ((~P_rqt) => (SUBARRAY L_ad_in (1,0)) |
  ((P_down) => (DECN 1 P_size) | P_size)) in
let new_C_holdA_ = ((ClkD) => C_hold_ | C_holdA_) in
let i_cale_ = ~((new_C_mfsm_state = CMA3) ∧ (new_P_fsm_state = PA) ∧ new_C_holdA_) in
let c_srdy_en = ((new_C_efsm_state = CEE) ∨ (C_efsm_state = CEE)) in
let new_M_count =
  (((new_M_fsm_state = MA) ∨ (new_M_fsm_state = MBW)) => ((M_se) => (WORDN 1) | (WORDN 2)) |
  (((new_M_fsm_state = MW) ∨ (new_M_fsm_state = MR)) => (DECN 2 M_count) | M_count)) in
let m_rdy = (((new_M_fsm_state = MW) ∧ (new_M_count = (WORDN 0))) ∨
             ((new_M_fsm_state = MR) ∧ (new_M_count = (WORDN 0)) ∧ ~M_wr)) in
let m_srdy_ = ~((M_rdy ∧ ~M_wr) ∨ (m_rdy ∧ M_wr)) in
let i_srdy_ =
  ((~i_cale_ ∨ c_srdy_en) => ~(C_wrdy ∨ C_rrdy ∨ (new_C_mfsm_state = CMABT)) |
   ~(new_M_fsm_state = MI) => m_srdy_ |
   ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD)) =>
     ~((R_fsm_state = RA) ∧ (new_R_fsm_state = RD)) |
   ARB) in
let p_ale = (~L_ads_ ∧ L_den_) in
let p_sack = ((P_size = ((P_down) => (WORDN 1) | (WORDN 0))) ∧ ~i_srdy_ ∧
              (new_P_fsm_state = PD)) in
let new_P_rqt =
  ((p_ale ∧ ~(p_sack ∨ reset_piu)) => T |
  ((~p_ale ∧ (p_sack ∨ reset_piu)) => F |
  ((~p_ale ∧ ~(p_sack ∨ reset_piu)) => P_rqt | ARB))) in
let new_P_down = (~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let new_P_male_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧ new_P_rqt) | P_male_) in
let new_P_rale_ = ((new_P_fsm_state = PA) =>
  ~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧ new_P_rqt) | P_rale_) in
let new_P_lock_ =
  ((reset_piu) => T |
  ((new_P_fsm_state = PD) => L_lock_ | P_lock_)) in
let new_P_lock_inh_ =
  ((reset_piu) => T |
  ((~new_P_male_ ∨ ~new_P_rale_) => L_lock_ | P_lock_inh_)) in
let pod31_27 = (MALTER ARBN (31,27) new_P_be_) in
let pod31_26 = (ALTER pod31_27 (26) F) in
let pod31_24 = (MALTER pod31_26 (25,24) (SUBARRAY new_P_addr (1,0))) in
let new_C_iad_en_s_delA = ((ClkD) => C_iad_en_s_del | C_iad_en_s_delA) in
let new_C_sizewrbe = ((reset_cport) => (WORDN 0) |
  (((new_C_sfsm_state = CSA0) ∧ C_clkA) => (SUBARRAY C_data_in (31,22)) | C_sizewrbe)) in
let c_new_write = (((~(new_C_mfsm_state = CMI)) ∧ (~(new_C_mfsm_state = CMR))) =>
  C_wr | (ELEMENT new_C_sizewrbe (5))) in
let new_C_iad_out = ((C_cin_2_le) => C_data_in | C_iad_out) in
let r_reg_sel = ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel) in
let new_R_icr = ((R_icr_load) =>
  ((~(r_reg_sel = (WORDN 1))) => (Andn rep (R_icr_old, R_icr_mask)) |
                                 (Orn rep (R_icr_old, R_icr_mask))) |
  R_icr) in
let new_R_busA_latch =
  ((R_ctr0_irden) => R_ctr0_in |
  ((R_ctr0_orden) => R_ctr0_out |
  ((R_ctr1_irden) => R_ctr1_in |
  ((R_ctr1_orden) => R_ctr1_out |
  ((R_ctr2_irden) => R_ctr2_in |
  ((R_ctr2_orden) => R_ctr2_out |
  ((R_ctr3_irden) => R_ctr3_in |
  ((R_ctr3_orden) => R_ctr3_out |
  ((R_icr_rden) => new_R_icr |
  ((R_ccr_rden) => R_ccr |
  ((R_gcr_rden) => R_gcr
let i_ad =
  ((new_P_fsm_state = PA) => pod31_24 |
   ((new_P_fsm_state = PD) ∧ new_P_wr) => L_ad_in |
   (new_C_iad_en_s_delA ∨
    ((new_C_mfsm_state = CMD1) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_mfsm_state = CMW) ∧ (C_mfsm_state = CMD0) ∧ ~c_new_write ∧ c_srdy_en) ∨
    ((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
    ((new_C_sfsm_state = CSALE) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR))) ∨
    ((new_C_sfsm_state = CSD0) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSACK) ∧ c_new_write)) => new_C_iad_out |
   (M_wr ∧ ~(new_M_fsm_state = MI)) => M_rd_data |
   (~R_wr ∧ ((new_R_fsm_state = RA) ∨ (new_R_fsm_state = RD))) => new_R_busA_latch
let disable_writes =
  ((~(new_C_sfsm_state = CSL)) ∧ (~(new_C_sfsm_state = CSL)) ∧
   ~((ChannelID = (WORDN 0)) ∧ (ELEMENT C_source (6))) ∧
   ~((ChannelID = (WORDN 1)) ∧ (ELEMENT C_source (7))) ∧
   ~((ChannelID = (WORDN 2)) ∧ (ELEMENT C_source (8))) ∧
   ~((ChannelID = (WORDN 3)) ∧ (ELEMENT C_source (9)))) in
let i_rale_ = (~(new_P_fsm_state = PH) =>
  ~(~new_P_dest1 ∧ ((SUBARRAY new_P_addr (25,24)) = (WORDN 3)) ∧
    (new_P_fsm_state = PA) ∧ new_P_rqt) |
  ~((new_C_sfsm_state = CSALE) ∧ ((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3)) ∧ C_clkA)) in
let new_R_wr = ((~i_rale_) => (ELEMENT i_ad (27)) | R_wr) in
let r_writeB = (~disable_writes ∧ new_R_wr ∧ (new_R_fsm_state = RD)) in
let r_readB = (~new_R_wr ∧ (new_R_fsm_state = RA)) in
let new_R_gcr = ((r_writeB ∧ (r_reg_sel = (WORDN 2))) => i_ad | R_gcr) in
let new_R_gcr_rden = (r_readB ∧ (r_reg_sel = (WORDN 2))) in
let gcrl = (ELEMENT new_R_gcr (0)) in
let gcrh = (ELEMENT new_R_gcr (1)) in
let reset_error = (ELEMENT new_R_gcr (24)) in
let piu_invalid = (ELEMENT new_R_gcr (28)) in
let cout_sel0 = (ALTER ARBN (0)
  (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
    (new_C_sfsm_state = CSD1) |
    (new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMD1))) in
let c_cout_sel = (ALTER cout_sel0 (1)
  (((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)) =>
    (new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2))) in
let new_C_hold_ = (new_C_sfsm_state = CSI) in
let new_C_wr = ((~i_cale_) => (ELEMENT i_ad (27)) |
```
```
    C_wr) in
let new_C_clkA = ClkD in
let i_last_ = (~(new_P_fsm_state = PH) =>
    (P_size = ((P_down) => (WORDN 1) | (WORDN 0))) | C_last_out_) in
let new_C_last_in_ = ((reset_cport) => F |
    (((new_C_mfsm_state = CMABT) ∨ (new_C_mfsm_state = CMD1) ∧ ClkD) => i_last_ | C_last_in_)) in
let new_C_lock_in_ = ((reset_cport) => F |
    ((new_C_mfsm_state = CMA1) => ~(~new_P_lock_ ∧ new_P_lock_inh_) | C_lock_in_)) in
let new_C_ss = (((~(new_C_mfsm_state = CMABT)) ∧ (~(new_C_mfsm_state = CMI))) => CB_ss_in | C_ss) in
let new_C_last_out_ =
    ((~(new_C_sfsm_state = CSA1) ∧ ~(ClkD ∧ ((CB_ms_in = ^MEND) ∨ (CB_ms_in = ^MABORT)))) =>
        C_last_out_ | ARB))) in
let c_srdy = (CB_ss_in = ^SRDY) in
let c_dfsm_master = ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA2) ∨
    (new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0) ∨
    (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0)) in
let c_dfsm_cad_en = ~((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨
    (new_C_mfsm_state = CMA0) ∨ (new_C_mfsm_state = CMA2) ∨
    (c_new_write ∧ ((new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0))) ∨
    (~c_new_write ∧ ((new_C_sfsm_state = CSD1) ∨ (new_C_sfsm_state = CSD0)))) in
let new_C_cout_0_le_del = ((i_cale_) ∨ (i_srdy_ ∧ ~c_new_write) ∨
    ((new_C_mfsm_state = CMA0) ∧ c_srdy ∧ c_new_write ∧ ClkD) ∨
    ((new_C_mfsm_state = CMD0) ∧ c_new_write ∧ c_srdy ∧ ClkD)) in
let new_C_cin_2_le = (ClkD ∧ (((new_C_mfsm_state = CMD0) ∧ c_srdy ∧ ~c_new_write) ∨
    ((new_C_sfsm_state = CSA0)) ∨
    ((new_C_sfsm_state = CSD0) ∧ c_new_write))) in
let new_C_mrdy_del_ =
    ~((~c_new_write ∧ ClkD ∧ ((new_C_sfsm_state = CSALE) ∨ (new_C_sfsm_state = CSD1))) ∨
      (~c_new_write ∧ C_clkA ∧ (new_C_sfsm_state = CSACK)) ∨
      (c_new_write ∧ ClkD ∧ (new_C_sfsm_state = CSD0))) in
let new_C_iad_en_s_del = (((new_C_sfsm_state = CSALE) ∧ (~(C_sfsm_state = CSALE))) ∨
    ((new_C_sfsm_state = CSALE) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSD1) ∧ c_new_write ∧ (~(C_sfsm_state = CSRR))) ∨
    ((new_C_sfsm_state = CSD0) ∧ c_new_write) ∨
    ((new_C_sfsm_state = CSACK) ∧ c_new_write)) in
let new_C_wrdy = (c_srdy ∧ c_new_write ∧ (new_C_mfsm_state = CMD1) ∧ ClkD) in
let new_C_rrdy = (c_srdy ∧ ~c_new_write ∧ (new_C_mfsm_state = CMD0) ∧ ClkD) in
let c_pe = (Par_Det rep (CB_ad_in)) in
let c_mparity = ((new_C_mfsm_state = CMA3) ∨ (new_C_mfsm_state = CMA1) ∨
    (new_C_mfsm_state = CMA0) ∨ (new_C_mfsm_state = CMA2) ∨
    (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0) ∨
    (C_mfsm_state = CMA1) ∨ (C_mfsm_state = CMA0) ∨
    (C_mfsm_state = CMA2) ∨ (C_mfsm_state = CMD1)) in
let c_sparity = ((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSACK)) ∧
    (~(new_C_sfsm_state = CSABT))) in
let c_pe_cnt = (ClkD ∧ ((~(c_mparity = c_sparity)) ∨ ((SUBARRAY CB_ss_in (1,0)) = (WORDN 0)))) in
let new_C_parity = (((ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => T |
    ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ reset_error) => F |
    ((~(ClkD ∧ c_pe ∧ c_pe_cnt) ∧ ~reset_error) => C_parity | ARB))) in
let
```
```
    new_C_source = ((reset_cport) => (WORDN 0) |
    ((ClkD ∧ ((new_C_sfsm_state = CSI) ∨ (new_C_sfsm_state = CSL))) =>
        Par_Dec rep (CB_ad_in) | C_source)) in
let data_in31_16 = (MALTER ARBN (31,16)
    ((reset_cport) => (WORDN 0) |
    ((ClkD ∧ (((new_C_mfsm_state = CMD1) ∧ c_srdy ∧ ~c_new_write) ∨
              ((new_C_sfsm_state = CSA1)) ∨
              ((new_C_sfsm_state = CSD1) ∧ c_new_write))) =>
        Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (31,16)))) in
let new_C_data_in = (MALTER data_in31_16 (15,0)
    ((reset_cport) => (WORDN 0) |
    ((new_C_cin_2_le) => Par_Dec rep (CB_ad_in) | (SUBARRAY C_data_in (15,0)))) in
let new_C_iad_in = ((new_C_cout_0_le_del) => i_ad | C_iad_in) in
let new_C_a1a0 = (((c_dfsm_master ∧ C_cout_0_le_del) ∨
    (~c_dfsm_master ∧ C_clkA ∧ (new_C_sfsm_state = CSD1))) => C_iad_in | C_a1a0) in
let new_C_a3a2 = ((new_C_mfsm_state = CMR) => R_ccr | C_a3a2) in
let i_be_ = ((new_P_fsm_state = PA) => new_P_be_ |
    (new_P_fsm_state = PD) => L_be_ | SUBARRAY new_C_sizewrbe (9,6)) in
let i_male_ = (~(new_P_fsm_state = PH) =>
    ~(~new_P_dest1 ∧ (~((SUBARRAY new_P_addr (25,24)) = (WORDN 3))) ∧
      (new_P_fsm_state = PA) ∧ new_P_rqt) |
    ~((new_C_sfsm_state = CSALE) ∧ (~((SUBARRAY new_C_sizewrbe (1,0)) = (WORDN 3))) ∧ C_clkA)) in
let new_M_se = ((~i_male_) => (ELEMENT i_ad (23)) | M_se) in
let new_M_wr = ((~i_male_) => (ELEMENT i_ad (27)) | M_wr) in
let new_M_addr = ((~i_male_) => (SUBARRAY i_ad (18,0)) |
    ((M_rdy) => (INCN 18 M_addr) | M_addr)) in
let new_M_be = ((~i_male_ ∨ ~m_srdy_) => (NOTN 3 i_be_) | M_be) in
let new_M_rdy = m_rdy in
let new_M_wwdel = ((new_M_fsm_state = MA) ∧ new_M_wr ∧ (new_M_be = (WORDN 15))) in
let new_M_rd_data = (((new_M_fsm_state = MR)) => (Ham_Dec rep MB_data_in) | M_rd_data) in
let new_M_detect =
    ((((new_M_fsm_state = MR) ∧ ~new_M_wr) ∨ new_M_wr ∨ (new_M_fsm_state = MI)) =>
        ((~Edac_en_) => (Ham_Det1 rep MB_data_in) | WORDN 0) | M_detect) in
let m_error = (~m_srdy_ ∧ (~(new_M_fsm_state = MI)) ∧
    Ham_Det2 rep (new_M_detect, ~Edac_en_)) in
let new_M_parity = ((m_error ∧ ~(reset_piu ∨ reset_error)) => T |
    ((~m_error ∧ (reset_piu ∨ reset_error)) => F |
    ((~m_error ∧ ~(reset_piu ∨ reset_error)) => M_parity | ARB))) in
let new_R_cntlatch_del = r_fsm_cntlatch in
let new_R_srdy_del_ = r_fsm_srdy_ in
let new_R_reg_sel = ((~i_rale_) => (SUBARRAY i_ad (3,0)) |
    ((~R_srdy_del_) => (INCN 3 R_reg_sel) | R_reg_sel)) in
let r_writeA = (~disable_writes ∧ R_wr ∧ (new_R_fsm_state = RD)) in
let r_readA = (~R_wr ∧ (new_R_fsm_state = RA)) in
let r_cir_wr01A = ((r_writeA ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr01B = ((r_writeB ∧ ((r_reg_sel = (WORDN 8)) ∨ (r_reg_sel = (WORDN 9))))) in
let r_cir_wr23A = ((r_writeA ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let r_cir_wr23B = ((r_writeB ∧ ((r_reg_sel = (WORDN 10)) ∨ (r_reg_sel = (WORDN 11))))) in
let new_R_ccr = ((r_writeB ∧ (r_reg_sel = (WORDN 3))) => i_ad | R_ccr) in
let new_R_ccr_rden = (r_readB ∧ (r_reg_sel = (WORDN 3))) in
let new_R_c01_cout_del = R_ctr1_cry in
let new_R_int1_en =
    (~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => F |
    ~(~(ELEMENT new_R_gcr (18)) ∨ ((ELEMENT new_R_gcr (17)) ∧ R_c01_cout_del))) => R_int1_en | ARB))) in
let new_R_c23_cout_del = R_ctr3_cry in
let new_R_int2_en =
    ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => T |
    (~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => F |
    ~(~(ELEMENT new_R_gcr (22)) ∨ ((ELEMENT new_R_gcr (21)) ∧ R_c23_cout_del))) => R_int2_en | ARB))) in
let new_R_ctr0_in = ((r_writeB ∧ (r_reg_sel = (WORDN 8))) => i_ad | R_ctr0_in) in
let new_R_ctr0_mux_sel = (r_cir_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr0_irden = (r_readB ∧ (r_reg_sel = (WORDN 8))) in
let new_R_ctr0 = ((R_ctr0_mux_sel) => R_ctr0_in | R_ctr0_new) in
let new_R_ctr0_new = (((ELEMENT new_R_gcr (19))) => (INCN 31 R_ctr0) | R_ctr0) in
let new_R_ctr0_cry = ((ONES 31 R_ctr0) ∧ (ELEMENT new_R_gcr (19))) in
let new_R_ctr0_out = ((r_fsm_cntlatch) => R_ctr0_new | R_ctr0_out) in
let new_R_ctr0_orden = (r_readB ∧ (r_reg_sel = (WORDN 12))) in
let new_R_ctr1_in = ((r_writeB ∧ (r_reg_sel = (WORDN 9))) => i_ad | R_ctr1_in) in
let new_R_ctr1_mux_sel = (r_ctr_wr01B ∨ ((ELEMENT new_R_gcr (16)) ∧ R_ctr1_cry)) in
let new_R_ctr1_irden = (r_readB ∧ (r_reg_sel = (WORDN 9))) in
let new_R_ctr1 = ((R_ctr1_mux_sel) => R_ctr1_in | R_ctr1_new) in
let new_R_ctr1_new = ((R_ctr0_cry) => (INCN 31 R_ctr1) | R_ctr1) in
let new_R_ctr1_cry = ((ONES 31 R_ctr1) ∧ R_ctr0_cry) in
let new_R_ctr1_out = ((R_cntlatch_del) => R_ctr1_new | R_ctr1_out) in
let new_R_ctr1_orden = (r_readB ∧ (r_reg_sel = (WORDN 13))) in
let new_R_ctr2_in = ((r_writeB ∧ (r_reg_sel = (WORDN 10))) => i_ad | R_ctr2_in) in
let new_R_ctr2_mux_sel = ((r_ctr_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr2_irden = (r_readB ∧ (r_reg_sel = (WORDN 10))) in
let new_R_ctr2 =
```
```
    ((R_ctr2_mux_sel) => R_ctr2_in | R_ctr2_new) in
let new_R_ctr2_new = (((ELEMENT new_R_gcr (23))) => (INCN 31 R_ctr2) | R_ctr2) in
let new_R_ctr2_cry = ((ONES 31 R_ctr2) ∧ (ELEMENT new_R_gcr (23))) in
let new_R_ctr2_out = ((r_fsm_cntlatch) => R_ctr2_new | R_ctr2_out) in
let new_R_ctr2_orden = (r_readB ∧ (r_reg_sel = (WORDN 14))) in
let new_R_ctr3_in = ((r_writeB ∧ (r_reg_sel = (WORDN 11))) => i_ad | R_ctr3_in) in
let new_R_ctr3_mux_sel = ((r_ctr_wr23B ∨ ((ELEMENT new_R_gcr (20)) ∧ R_ctr3_cry))) in
let new_R_ctr3_irden = (r_readB ∧ (r_reg_sel = (WORDN 11))) in
let new_R_ctr3 = ((R_ctr3_mux_sel) => R_ctr3_in | R_ctr3_new) in
let new_R_ctr3_new = ((R_ctr2_cry) => (INCN 31 R_ctr3) | R_ctr3) in
let new_R_ctr3_cry = ((ONES 31 R_ctr3) ∧ R_ctr3_cry) in
let new_R_ctr3_out = ((R_cntlatch_del) => R_ctr3_new | R_ctr3_out) in
let new_R_ctr3_orden = (r_readB ∧ (r_reg_sel = (WORDN 15))) in
let new_R_icr_load = (r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let new_R_icr_old =
    ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => R_icr | R_icr_old) in
let new_R_icr_mask =
    ((r_writeB ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) => i_ad | R_icr_mask) in
let new_R_icr_rden =
    ((new_R_fsm_state = RA) ∧ ((r_reg_sel = (WORDN 0)) ∨ (r_reg_sel = (WORDN 1)))) in
let r_int0_en = (((ELEMENT R_icr (0)) ∧ (ELEMENT R_icr (8))) ∨
    ((ELEMENT R_icr (1)) ∧ (ELEMENT R_icr (9))) ∨
    ((ELEMENT R_icr (2)) ∧ (ELEMENT R_icr (10))) ∨
    ((ELEMENT R_icr (3)) ∧ (ELEMENT R_icr (11))) ∨
    ((ELEMENT R_icr (4)) ∧ (ELEMENT R_icr (12))) ∨
    ((ELEMENT R_icr (5)) ∧ (ELEMENT R_icr (13))) ∨
    ((ELEMENT R_icr (6)) ∧ (ELEMENT R_icr (14))) ∨
    ((ELEMENT R_icr (7)) ∧ (ELEMENT R_icr (15)))) in
let new_R_int0_dis = r_int0_en in
let r_int3_en = (((ELEMENT R_icr (16)) ∧ (ELEMENT R_icr (24))) ∨
    ((ELEMENT R_icr (17)) ∧ (ELEMENT R_icr (25))) ∨
    ((ELEMENT R_icr (18)) ∧ (ELEMENT R_icr (26))) ∨
    ((ELEMENT R_icr (19)) ∧ (ELEMENT R_icr (27))) ∨
    ((ELEMENT R_icr (20)) ∧ (ELEMENT R_icr (28))) ∨
    ((ELEMENT R_icr (21)) ∧ (ELEMENT R_icr (29))) ∨
    ((ELEMENT R_icr (22)) ∧ (ELEMENT R_icr (30))) ∨
    ((ELEMENT R_icr (23)) ∧ (ELEMENT R_icr (31)))) in
let new_R_int3_dis = r_int3_en in
let new_S_soft_shot_del = (~gcrh ∧ gcrl) in
let s_soft_cnt_out = ((s_fsm_srs) =>
    ((gcrl ∧ ~gcrh ∧ ~S_soft_shot_del) => (WORDN 1) | (WORDN 0)) |
    ((gcrl ∧ ~gcrh ∧ ~S_soft_shot_del) => (INCN 2 S_soft_cnt) | S_soft_cnt)) in
let new_S_soft_cnt = ((~gcrh ∧ ~gcrl) => (WORDN 0) | s_soft_cnt_out) in
let s_delay_out = ((s_fsm_src ∨ (s_fsm_scs ∧ (ELEMENT S_delay (6)))) =>
    ((s_fsm_sec) => (WORDN 1) | (WORDN 0)) |
    ((s_fsm_sec) => (INCN 17 S_delay) | S_delay)) in
let new_S_delay = s_delay_out in
let s_cpu0_ok = (s_fsm_sc0f ∧ Failure0 ∧ (s_soft_cnt_out = (WORDN 5))) in
let s_cpu1_ok = (s_fsm_sc1f ∧ Failure1 ∧ (s_{\text{s}} - s_{\text{clf}} \land s_{\text{clf}}))) in
let new_S_pmm_fail = ((s_fsm_sb ∧ ~s_fsm_spmf) => T |
    ((~s_fsm_sb ∧ s_fsm_spmf) => F |
    ((~s_fsm_sb ∧ ~s_fsm_spmf) => S_pmm_fail | ARB))) in
let new_S_cpu0_fail = ((s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => T |
    ((~s_fsm_sb ∧ (s_cpu0_ok ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_cpu0_ok ∨ Bypass)) => S_cpu0_fail | ARB))) in
let new_S_cpu1_fail = ((s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => T |
    ((~s_fsm_sb ∧ (s_cpu1_ok ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_cpu1_ok ∨ Bypass)) => S_cpu1_fail | ARB))) in
let new_S_piu_fail = ((s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => T |
    ((~s_fsm_sb ∧ (s_fsm_spf ∨ Bypass)) => F |
    ((~s_fsm_sb ∧ ~(s_fsm_spf ∨ Bypass)) => S_piu_fail | ARB))) in
let s_cpu0_select = ((s_fsm_sn ∨ s_fsm_so) ∧ ~S_cpu0_fail
let s_cpu1_select = ((s_fsm_sn ∨ s_fsm_so) ∧ S_cpu1_fail ∧ ~S_cpu1_fail) in
let new_S_bad_cpu0 = ((s_fsm_sb ∧ ~s_cpu0_select) => T |
    ((~s_fsm_sb ∧ s_cpu0_select) => F |
    ((~s_fsm_sb ∧ ~s_cpu0_select) => S_bad_cpu0 | ARB))) in
let new_S_bad_cpu1 = ((s_fsm_sb ∧ ~s_cpu1_select) => T |
    ((~s_fsm_sb ∧ s_cpu1_select) => F |
    ((~s_fsm_sb ∧ ~s_cpu1_select) => S_bad_cpu1 | ARB))) in
let new_S_reset_cpu0 = (new_S_bad_cpu0 ∧ s_fsm_src0) in
let new_S_reset_cpu1 = (new_S_bad_cpu1 ∧ s_fsm_src1) in
let new_S_cpu_hist = (S_reset_cpu0 ∧ S_reset_cpu1 ∧ Bypass) in
let ss0 = (ALTER ARBN (0) ((new_S_fsm_state = SS) ∨ (new_S_fsm_state = SSTOP) ∨
    (new_S_fsm_state = SCS) ∨ (new_S_fsm_state = SN) ∨ (new_S_fsm_state = SO))) in
let ss1 = (ALTER ss0 (1) ((new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST) ∨
    (new_S_fsm_state = SC1I) ∨ (new_S_fsm_state = SC1F) ∨
    (new_S_fsm_state = SS) ∨ (new_S_fsm_state = SSTOP) ∨ (new_S_fsm_state = SCS))) in
let ss2 = (ALTER ss1 (2) ((new_S_fsm_state = SPF) ∨ (new_S_fsm_state = SC0I) ∨
    (new_S_fsm_state = SC0F) ∨ (new_S_fsm_state = ST) ∨
    (new_S_fsm_state = SSTOP) ∨ (new_S_fsm_state = SO))) in
let ss3 = (ALTER ss2 (3) ((new_S_fsm_state = SRA) ∨ (new_S_fsm_state = SPF) ∨
    (new_S_fsm_state = ST) ∨ (new_S_fsm_state = SC1I) ∨
    (new_S_fsm_state = SCS) ∨ (new_S_fsm_state = SN) ∨ (new_S_fsm_state = SO))) in
let s_state = ss3 in
let sr28 = (ALTER ARBN (28) new_M_parity) in
let sr28_25 = (MALTER sr28 (27,25) new_C_ss) in
let sr28_24 = (ALTER sr28_25 (24) new_C_parity) in
let sr28_22 = (MALTER sr28_24 (23,22) ChannelID) in
let sr28_16 = (MALTER sr28_22 (21,16) Id) in
let sr28_12 = (MALTER sr28_16 (15,12) s_state) in
let sr28_9 = (ALTER sr28_12 (9) new_S_pmm_fail) in
let sr28_8 = (ALTER sr28_9 (8) new_S_piu_fail) in
let sr28_3 = (ALTER sr28_8 (3) new_S_reset_cpu1) in
let sr28_2 = (ALTER sr28_3 (2) new_S_reset_cpu0) in
let sr28_1 = (ALTER sr28_2 (1) new_S_cpu1_fail) in
let sr28_0 = (ALTER sr28_1 (0) new_S_cpu0_fail) in
let new_R_sr = ((r_fsm_cntlatch) => sr28_0 | R_sr) in
let new_R_sr_rden = (r_readB ∧ (r_reg_sel = (WORDN 4))) in
let new_P_fsm_rst = reset_piu in
let new_P_fsm_sack = p_sack in
let new_P_fsm_cgnt_ = ~(new_C_mfsm_state = CMA3) in
let new_P_fsm_hold_ = new_C_holdA_ in
let new_C_mfsm_D = ClkD in
let new_C_mfsm_rst = reset_cport in
let new_C_mfsm_crqt_ = ~(new_P_dest1 ∧ new_P_rqt) in
let new_C_mfsm_hold_ = new_C_holdA_ in
let new_C_mfsm_ss = CB_ss_in in
let new_C_mfsm_invalid = piu_invalid in
let new_C_sfsm_D = ClkD in
let new_C_sfsm_rst = reset_cport in
let new_C_sfsm_hlda_ = ~(new_P_fsm_state = PH) in
let new_C_sfsm_ms = CB_ms_in in
let new_C_efsm_cale_ = i_cale_ in
let new_C_efsm_last_ = i_last_ in
let new_C_efsm_male_ = i_male_ in
let new_C_efsm_rale_ = i_rale_ in
let new_C_efsm_srdy_ = i_srdy_ in
let new_C_efsm_rst = reset_cport in
let new_M_fsm_male_ = i_male_ in
let new_M_fsm_last_ = i_last_ in
let new_M_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_M_fsm_rst = reset_piu in
let new_R_fsm_ale_ = i_rale_ in
let new_R_fsm_mrdy_ = ((~(P_fsm_state = PH)) => F | C_mrdy_del_) in
let new_R_fsm_last_ = i_last_ in
let new_R_fsm_rst = reset_piu in
let new_S_fsm_rst = Rst in
let new_S_fsm_delay6 = (ELEMENT s_delay_out (6)) in
let new_S_fsm_delay17 = ((Test) => (ELEMENT s_delay_out (6)) | (ELEMENT s_delay_out (17))) in
let new_S_fsm_bothbad = (new_S_cpu0_fail ∧ new_S_cpu1_fail) in
let new_S_fsm_bypass = Bypass in
let L_ad_out = (((~(new_P_fsm_state = PA)) ∧ (~(new_P_fsm_state = PH)) ∧
    ~((new_P_fsm_state = PD) ∧ new_P_wr))
```
```
    => i_ad | ARBN) in
let L_ready_ = ~(~i_srdy_ ∧ (new_P_fsm_state = PD)) in
let CB_rqt_out_ = ~(~(new_C_mfsm_state = CMI)) in
let ms0 = (ALTER ARBN (0) (((new_C_mfsm_state = CMD0) ∧ ~C_last_in_) ∨
    ((new_C_mfsm_state = CMW) ∧ C_lock_in_) ∨
    (new_C_mfsm_state = CMABT))) in
let ms10 = (ALTER ms0 (1) (((new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA0) ∨
    (new_C_mfsm_state = CMA2) ∨ (new_C_mfsm_state = CMD1) ∨
    ((new_C_mfsm_state = CMD0) ∧ C_last_in_) ∨ (new_C_mfsm_state = CMW) ∨
    (new_C_mfsm_state = CMABT)))) in
let ms210 = (ALTER ms10 (2) (((new_C_mfsm_state = CMA1) ∨ (new_C_mfsm_state = CMA1) ∨
    (new_C_mfsm_state = CMA0) ∨ (new_C_mfsm_state = CMA2) ∨
    (new_C_mfsm_state = CMD1) ∨ (new_C_mfsm_state = CMD0) ∨
    (new_C_mfsm_state = CMW) ∨ (new_C_mfsm_state = CMABT)) ∧
    ~new_S_pmm_fail ∧ ~(ELEMENT new_R_gcr (28)))) in
let CB_ms_out = (((~(new_C_mfsm_state = CMI)) ∧ (~(new_C_mfsm_state = CMR))) => ms210 | ARBN) in
let ss0 = (ALTER ARBN (0) ((new_C_sfsm_state = CSA0W) ∨
    ((new_C_sfsm_state = CSALE) ∧ ~c_new_write) ∨
    (new_C_sfsm_state = CSACK))) in
let ss10 = (ALTER ss0 (1) ~(new_C_sfsm_state = CSACK)) in
let ss210 = (ALTER ss10 (2) (~new_S_pmm_fail ∧ ~(ELEMENT new_R_gcr (28)))) in
let CB_ss_out = (((~(new_C_sfsm_state = CSI)) ∧ (~(new_C_sfsm_state = CSABT))) => ss210 | ARBN) in
let CB_ad_out = ((c_dfsm_cad_en) =>
    ((c_cout_sel = (WORDN 0)) => Par_Enc rep (SUBARRAY new_C_a1a0 (15,0)) |
    ((c_cout_sel = (WORDN 1)) => Par_Enc rep (SUBARRAY new_C_a1a0 (31,16)) |
    ((c_cout_sel = (WORDN 2)) => Par_Enc rep (SUBARRAY new_C_a3a2 (15,0)) |
                                 Par_Enc rep (SUBARRAY new_C_a3a2 (31,16))))) | ARBN) in
let MB_addr = ((M_rdy) => (INCN 18 M_addr) | M_addr) in
let mb_data_7_0 = (((ELEMENT M_be (0))) =>
    (SUBARRAY i_ad (7,0)) | (SUBARRAY M_rd_data (7,0))) in
let mb_data_15_8 = (((ELEMENT M_be (1))) =>
    (SUBARRAY i_ad (15,8)) | (SUBARRAY M_rd_data (15,8))) in
let mb_data_23_16 = (((ELEMENT M_be (2))) =>
    (SUBARRAY i_ad (23,16)) | (SUBARRAY M_rd_data (23,16))) in
let mb_data_31_24 = (((ELEMENT M_be (3))) =>
    (SUBARRAY i_ad (31,24)) | (SUBARRAY M_rd_data (31,24))) in
let mb_data = ((MALTER (MALTER (MALTER (MALTER ARBN (7,0) mb_data_7_0)
    (15,8) mb_data_15_8)
    (23,16) mb_data_23_16)
    (31,24) mb_data_31_24)) in
let MB_data_out = ((new_M_fsm_state = MW) => (Ham_Enc rep mb_data) | ARBN) in
let MB_cs_eeprom_ = ~((~(new_M_fsm_state = MI)) ∧ ~new_M_se) in
let MB_cs_sram_ = ~((~(new_M_fsm_state = MI)) ∧ new_M_se) in
let MB_we_ = ~((new_M_se ∨ ~(~(new_M_fsm_state = MI)) ∨ ~reset_cport) ∧
    ~disable_writes ∧
    ((new_M_fsm_state = MBW) ∨ (new_M_fsm_state = MW) ∨ new_M_wwdel)) in
let MB_oe_ = ~((~new_M_wr ∧ (new_M_fsm_state = MA)) ∨ (new_M_fsm_state = MR)) in
let disable_int = (~(s_fsm_sn ∧ (ELEMENT s_delay_out (6))) ∧ s_fsm_sdi ∧
    ((Test) => ~(ELEMENT s_delay_out (5)) | ~(ELEMENT s_delay_out (16)))) in
let Int0_ = ~(r_int0_en ∧ ~R_int0_dis ∧ ~disable_int) in
let Int1 = (R_ctr1_cry ∧ new_R_int1_en ∧ ~disable_int) in
let Int2 = (R_ctr3_cry ∧ new_R_int2_en ∧ ~disable_int) in
let Int3_ = ~(r_int3_en ∧ ~R_int3_dis ∧ ~disable_int) in
let Led = (SUBARRAY new_R_gcr (3,0)) in
let Reset_cpu0 = new_S_reset_cpu0 in
let Reset_cpu1 = new_S_reset_cpu1 in
let Cpu_hist = new_S_cpu_hist in
let Piu_fail = new_S_piu_fail in
let Cpu0_fail = new_S_cpu0_fail in
let Cpu1_fail = new_S_cpu1_fail in
let Pmm_fail = new_S_pmm_fail in
(L_ad_out, L_ready_, CB_rqt_out_, CB_ms_out, CB_ss_out, CB_ad_out,
 MB_addr, MB_data_out, MB_cs_eeprom_, MB_cs_sram_, MB_we_, MB_oe_,
 Int0_, Int1, Int2,
```
```
 Int3_, Led, Reset_cpu0, Reset_cpu1, Cpu_hist, Piu_fail, Cpu0_fail, Cpu1_fail, Pmm_fail)" );;

close_theory();;
```

## REPORT DOCUMENTATION PAGE

Form Approved, OMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

| Field | Entry |
|---|---|
| 1. AGENCY USE ONLY (Leave blank) | |
| 2. REPORT DATE | November 1, 1992 |
| 3. REPORT TYPE AND DATES COVERED | Contractor Report |
| 4. TITLE AND SUBTITLE | Formal Design Specification of a Processor Interface Unit |
| 5. FUNDING NUMBERS | C NAS1-18586<br>WU 505-64-10-07 |
| 6. AUTHOR(S) | David A. Fura<br>Phillip J. Windley<br>Gerald C. Cohen |
| 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) | Boeing Military Airplanes<br>P.O. Box 3707 M/S 4C-70<br>Seattle, WA 98124-2207 |
| 8. PERFORMING ORGANIZATION REPORT NUMBER | |
| 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) | NASA Langley Research Center<br>Hampton, VA 23681-0001 |
| 10. SPONSORING/MONITORING AGENCY REPORT NUMBER | NASA CR-189698 |
| 11. SUPPLEMENTARY NOTES | Langley Technical Monitor: Sally C. Johnson<br>Task 9 Report |
| 12a. DISTRIBUTION/AVAILABILITY STATEMENT | Unclassified-Unlimited<br>Subject Category 60 |
| 12b. DISTRIBUTION CODE | |

13. ABSTRACT (Maximum 200 words)

This report describes word of a processor interface unit (PIU), a single interface, microprocessor and additional support within a Fault-Tolerant Embedded in avionics and space recextended maintenance-free assurance in such applications equences that even a development and application of critical importance as

unit (PIU), a single and additional support fault-tolerant comput Processor (FTEP), is quiring extremely high e

e-chip subsystem propert services for a context services for a context system. This system property is a context of the need towards appeared for higher than produce. Thus, as to fault-tolerant

oviding memory- commercial ystem, the oplications reliability, -quality design disastrous the further systems is

| Field | Entry |
|---|---|
| 14. SUBJECT TERMS | Specification; Generic Interpreter Theory; Fault Tolerant Memory Interface; HOL Fault Tolerant Embedded Processor (FTEP); Bus Interface |
| 15. NUMBER OF PAGES | 256 |
| 16. PRICE CODE | A12 |
| 17. SECURITY CLASSIFICATION | Unclassified |
| 18. SECURITY CLASSIFICATION OF THIS PAGE | Unclassified |
| 19. SECURITY CLASSIFICATION OF ABSTRACT | |

NSN 7540-01-280-5500