NASA Technical Memorandum 100669 AVSCOM Technical Memorandum 88-B-017

# HARDWARE PROOFS USING EHDM AND THE RSRE VERIFICATION METHODOLOGY

(AASA-TM-100669)HABCNARE FECCES USING EHDMN89-14002AND THE BSEE VERIFICATION METHODOLOGY<br/>(NASA)90 FCSCL 09EUnclas

G3/62 0183249

Ricky W. Butler Jon A. Sjogren

December 1988



Langley Research Center Hampton, Virginia 23665-5225





## TABLE OF CONTENTS

| INTRODUCTION                                                | 2        |
|-------------------------------------------------------------|----------|
| SUMMARY OF RSRE HARDWARE VERIFICATION METHODOLOGY           | 2        |
| TOP-LEVEL SPECIFICATION OF SIX-BIT COUNTER                  | 2        |
| THE FINITE-STATE AUTOMATA SPECIFICATION                     | 2        |
| Definition of Finite-state Automate                         | 6        |
| Definition of Finite-state Automata                         | 7        |
| Mapping to the Top-Level Specification                      | 11       |
| BLOCK DIAGRAM SPECIFICATION                                 | 17       |
| SPECIFICATION OF CIRCUIT                                    | 21       |
| Listing of Cnt6_cir                                         | 21       |
| Translation of Circuit-Spec to Silicon                      | 24       |
| INFORMAL PROOFS                                             | 25       |
| Proof Between Top Level Spec and Major State Machine Spec   | 26       |
| Proof Between Major State Machine Spec and Block Model Spec | 31       |
| Proof Between Block Diagram Spec and Circuit-Level Spec     | 35       |
| SPECIFICATION OF N-BIT WORDS                                | 36       |
| FORMAL PROOFS                                               | 40       |
| Introduction to Proving in EHDM                             | 40<br>40 |
| Status of Proofs                                            |          |
| CONCLUSIONS                                                 | 41       |
| REFERENCES                                                  | 43       |
| APPENDIX A THEORY OF GENERAL WORDS                          | 44       |
|                                                             | 45       |
| APPENDIX B SUGGESTIONS FOR IMPROVING EHDM                   | 50       |
| Definition of the Values of a Type                          | 50       |
| Definitional Axioms                                         | 50       |
| Improvement to Proof Instantiator                           | 52       |
| APPENDIX C FULL LISTING OF SPECIFICATIONS INCLUDING PROOFS  | 54       |

,



#### INTRODUCTION

Recently NASA, Langley Research Center and the Royal Signals and Radar Establishment (RSRE) have initiated a joint research program in formal verification of life-critical systems. The first phase of this work involves a critical assessment of the RSRE work on the VIPER microprocessor. The VIPER was designed by RSRE researchers specifically for life-critical applications and was subjected to a formal proof of correctness. The proof methodology is based on a hierarchical specification of the system design. This methodology was first illustrated on a 6-bit counter by RSRE in the RSRE Memorandum 3832 entitled "Hardware Proofs using LCF-LSM and ELLA" by W. J. Cullyer and C. H. Pygott (ref. 1.) In this paper, the RSRE approach to hardware verification is studied in the context of a different specification language --- Revised Special developed by SRI International (ref. 2). The reason the methodology is explored via a different specification language is twofold: (1) to expose any weaknesses in the methodology due to the specification language LCF-LSM, and (2) to explore the feasibility of using EHDM (Enhanced Hierarchical Design Methodology) for hardware verification using the RSRE methodology.

In this paper RSRE's 6-bit counter example is re-specified in Revised Special. In the RSRE report, the proofs between the levels of the hierarchical specification were accomplished by hand. In this report, the proofs are performed using the EHDM (Enhanced Hierarchical Design Methodology) theorem proving system. The paper makes a comparison between the LCF-LSM and Revised Special languages. The viability of the RSRE methodology is discussed. Particular attention is given to the feasibility of using their methodology in concert with the EHDM tools.

# SUMMARY OF RSRE HARDWARE VERIFICATION METHODOLOGY

The RSRE approach to verification is based on the use of hierarchical specification. The formal hierarchy consists of the following four levels:

- (1) Functional
- (2) Finite-state automata
- (3) Block model
- (4) Circuit model

The proof between level (1) and (2) establish that the finite automata of level (2) implements all of the functions of the top level. The top level consists of axioms which define the output of the circuitry in response to inputs without any details of the steps that are performed to accomplish the computation. Thus, the top level is essentially the definition of a mathematical function. The second level decomposes the function into sequences of steps which can accomplish the overall functionality. The sequences of steps are defined by a finite-automata model. Proof that level (1) follows from (2) is accomplished by enumerating all possible sequences that the finite automata can perform and demonstrating that these accomplish the function of

At level (2) the computation performed by each transition of the finite automata is specified by a mathematical (sub)function. The details of how each of these subfunctions are computed is not specified until level (3). Level (3) specifies how each of the subfunctions of level (2) are accomplished in terms of an electronic block diagram. The proof between level (2) and (3) establishes that each of the subfunctions of level (2) are properly computed by the level (3) structure. Finally, the proof between level (3) and (4) establishes that each "block" in the level (3) model is correctly implemented with logic gates.

In the RSRE work the first three levels were specified in LCF-LSM. The last level was specified in ELLA (ref. 3.) The third level was also specified in ELLA in addition to the LCF-LSM specification. The properties at each level in the hierarchy must be proved to be theorems in the level below it. The proofs between levels (1) and (2) and between (2) and (3) are accomplished analytically. The proof between levels (3) and (4) are accomplished by the method of "intelligent exhaustion".

# TOP-LEVEL SPECIFICATION OF SIX-BIT COUNTER

The example used by RSRE to illustrate their specification/verification methodology was a six-bit counter. The counter holds a value "count" which is either retained at its current value, loaded with a new value from an external source, or incremented once or twice depending on the value of "func", a twobit control signal. The informal specification for the counter is

func = 0 Do nothing: "count" unchanged
func = 1 Load "count" from a 6-bit parallel input, "loadin"
func = 2 Increment "count": i.e. count := count + 1
func = 3 Increment "count" twice: i.e. count := count + 2

In the RSRE report this informal specification is translated into a formal specification written in LCF-LSM. The design of the counter is documented by a hierarchical specification where each successive level in the hierarchy introduces more detail as the result of design decisions. In this paper these specifications are presented in Revised Special.

The formal Specification of the counter in Revised Special is:

```
cnt6: MODULE
USING words
THEORY
  states: TYPE
  word6: TYPE is word[6]
  word2: TYPE is word[2]
  state: VAR states
  loadin, w: VAR word6
  func: VAR word2
  val2: function[word2 -> int] is val[2]
  val6: function[word6 -> int] is val[6]
  mw6: function[int -> word6] is mw[6]
  cnt: function[states -> word6]
  exec_cnt: function[states,word6,word2 -> states]
  ready: function[states -> bool]
  add1 mod64: function[word6 -> word6] ==
               ( LAMBDA w -> word6:
                       IF val6(w) = 63 THEN mw6(0)
                        ELSE mw6(val6(w)+1)
                        END)
  ready_ax: AXIOM ready(state) IMPLIES ready( exec_cnt(state,loadin,func) )
  counter_ax: AXIOM ready(state) IMPLIES cnt(exec_cnt(state,loadin,func)) =
                     IF val2(func) = 0 THEN cnt(state)
                     ELSIF val2(func) = 1 THEN loadin
                     ELSIF val2(func) = 2 THEN
                        add1 mod64(cnt(state))
                     ELSE
                        add1 mod64(add1 mod64(cnt(state)))
                     END
```

END cnt6

It is unnecessary to present details about Revised Special, since the above specification can be understood with a little explanation. (This is probably the best way to be introduced to a formal specification language -- by way of example.) The first line assigns the name "cnt6" to the specification. The second line indicates that an external module "words" will be used in this module. This will be explained in more detail in the following discussion. The next three lines which follow the THEORY keyword define three "types" -- "states", "word6", and "word2". These types will be used to distinguish logic variables which represent the state (or "count") of the machine, 6-bit words, and 2-bit words, respectively. Types serve the same function in the formal specification language as in a programming language -- they enable the automatic system to detect user errors.

The first type "state" is uninterpreted, that is, there is no domain of values or any meaning associated with it. At this level of abstraction it represents the state of the machine, but details about what constitutes the state of the machine are not specified. The two types, "word6" and "word2" are equated to word[6] and word[2] by the "is" clause. They represent the domain of 6-bit words and 2-bit words. N-bit words are used to specify an N-bit transmission lines which can be interpreted as integers or as ordered sets of boolean values. The properties of the generic type word[N] are defined in the module "words" which is discussed in detail in the section entitled "SPECIFICATION OF N-BIT WORDS". The next three lines of the specification define four logic variables - "state", "loadin", "w" and "func". (Note. These are mathematical variables, not program variables) Next, seven functions are defined. The meaning of these functions are:

- val2: maps an unsigned 2-bit word to its positive integer equivalent val6: maps an unsigned 6-bit word to its positive integer equivalent mw6: maps a positive integer into an unsigned 6-bit word
- cnt: returns the value of the 6-bit counter when applied to the "state"
   of the machine
- exec\_cnt: maps the state of the machine to its new state when the counter is
   "executed"
- ready: when applied to the state of the machine returns "true" if and only if the machine is in the ready state, i.e. ready to receive the next "func". This function is necessary since the execution

of the counter is not instantaneous. There are intermediate states in the machine. It is important to prove that when the counter is executed (i.e. via exec\_cnt) the machine is returned to a state where it is ready to receive the next input. (Note. This property was not considered in the RSRE work).

add1\_mod64: adds 1 (modulo-64) to a 6-bit word

The first three functions are equated to functions defined in the module "words". The last three functions are elaborated in more detail (formally) at lower levels of the specification hierarchy.

The last part of the specification provides two axioms which define the behavior of the counter. The first axiom expresses the most important properties of the counter in terms of the function "exec\_cnt". The function "exec\_cnt" transforms the state of the counter in response to the inputs "state", "loadin", and "func" and thus defines the "execution" of the counter:



At this level of abstraction, the state of the machine has only two properties -- the value of the counter, an integer between 0 and 63, and whether the machine is ready. The value of the counter is returned by the function "cnt". The function "ready" returns a boolean variable indicating whether the machine is ready for input. The execution of the counter is defined by "exec\_cnt". If the machine is ready, then the counter will operate correctly and the state of

the counter will be updated according to the "counter\_ax" axiom. If the value of func is 0 (i.e. val2(func) is 0), then the value of the counter remains the same (i.e. cnt(state) --- the original state). If the value of "func" is 1, then the value of the counter is changed to the value "loadin". If the value of "func" is 2, then the value of the counter is incremented by 1. Of course, one must consider the case where the counter "turns over" (i.e. if the counter is currently at  $63 = 111111_2$ , it next becomes 0). This concept is captured by modulo-64 arithmetic. The "add1\_mod64" function adds 1 to a word6 variable in modulo-64 arithmetic. The meaning of the "add1\_mod64" function specification is simple. If the value of the current value of the state (i.e. val6(cnt(state)) ) is 63, then a single increment will turn-over the counter to 0 (i.e. mw(6) -- the 6-bit word whose value is 0). Otherwise, it is just the value of the counter plus one (i.e. mw6(val6(cnt(state))+1) ).1 Thus, for "func" = 2 the value of the counter becomes

add1 mod64(cnt(state))

If the value of "func" is 3, then a double increment is performed:

add1\_mod64(add1\_mod64(cnt(state)))

The second axiom, "ready\_ax", expresses the concept that a complete execution of the counter returns the counter to a ready state, if it was originally ready.

# THE FINITE-STATE AUTOMATA SPECIFICATION

The six-bit counter is defined as a finite-state automata at this level of abstraction. The second level in the hierarchy is called the major-state specification in later RSRE documents, but is referred to as the finite-state automata specification throughout this paper. The finite automata consists of 4 states named "fetch", "incl", "inc2", and "load" shown in figure 1. The machine is assumed to start in the "fetch" state.

The "add1 mod64" function is defined using EHDM's LAMBDA notation. The concept is intuitive. The keyword "LAMBDA" indicates that a function is being defined. This keyword is followed by the formal arguments to the function. The symbol - is followed by the type of the function result. Finally, the function's body is provided. For example, the integer function  $x \to int$ ; would be formally defined by f: function[int -> int] = (LAMBDA



# Figure 1. Diagram of finite-state automata

It is necessary not only to describe this finite-state automata formally, but also mathematically map the more abstract specification onto this specification. These issues are addressed in the next two sections.

## Definition of Finite-state Automata

The finite state model is defined using two external modules -- "words" and "triples".<sup>2</sup> The first module "words" provides a formal definition of what constitutes an N-bit word. This specification module is generic and can be used for other hardware designs. The module "words" is described in detail in the section called "FORMAL SPECIFICATION OF N-BIT WORDS". The theory of N-bit

<sup>2</sup> Modules serve the same purpose in Revised Special as they do in a programming language -- they facilitate the definition and re-use of specifications.

words can be used by "importing" the "words" module via a USING clause or the similar MAPPING clause. This module defines the following functions:

٦

val: maps an N-bit word to an unsigned integer
mw: maps unsigned integer to an N-bit word
bit: returns the contents of a specified bit in a word

These functions are defined in a "parameterized" module (i.e. parameterized by N, the number of bits in a word). Thus, for each "instantiation" of the module (i.e. declaration in a USING clause), there are three different functions. For example,

USING words[2], words[6]

defines two types -- word[2] and word[6]-- and six functions -- val[2], mw[2], bit[2], val[6], mw[6], bit[6].

The module "triples" defines the concept of an "ordered triple".<sup>3</sup> The ordered triple has three components which can be accessed with the functions "first", "second", and "third". An ordered triple is created from individual components via the function make\_triple. The relationship between these functions is described by the following axiom in the triples module:

```
Make_triple_ax: AXIOM
x = first(make_triple(x, y, z))
AND y = second(make_triple(x, y, z))
AND z = third(make_triple(x, y, z))
The "state" of the finite-state machine is designated by an ordered triple:
    (count, double, node)
where
    count = the current value of the counter, a number between 0 and 63
    inclusive
    double= a boolean variable which is true if and only if a double
    increment is to be performed
    node = indicates at which node the machine is currently located
```

```
3 Mathematicians typically use the notation (x,y,z) to define a triple.
```

This triple is defined formally as follows:

USING triples[word[6],bool,word[2]]

statevector: TYPE is triple

count: function[ statevector -> word6 ] is first double: function[ statevector -> bool ] is second node: function[ statevector -> word2 ] is third<sup>4</sup>

The first line imports the generic theory of triples. The module was parameterized by "word[6], bool, word[2]". This results in a theory of triples where the first component is of type word[6], the second component is of type bool and the third component is word[2]. To enhance readability of the specification, alternate names are given to the names which are exported from the "triples" module in the next 4 lines. Thus statevector is an alternate name for the type "triple" with the following components -- a 6-bit word, a boolean, and a 2-bit word. The individual components of the triple can be accessed via the functions -- "count", "double", and "node".

The allowed transitions of the finite automata are defined by the NEXT function. The NEXT function maps the "statevector" to the new "statevector" in response to the 2-bit function code "func" and "loadin":

NEXT: function[statevector,word6,word2 -> statevector]

This function was defined as follows in the original version:

Unfortunately, when the function was defined in this manner, the EHDM theorem

4 In EHDM synonyms are defined using the keyword "is".

prover required excessive amounts of time. The properties of "NEXT" were consequently defined using 4 separate axioms:

By defining the properties of NEXT using four axioms, the theorem prover could be directed to find the proof in a more efficient manner.<sup>5</sup> The function NEXT is defined in terms of the subfunctions INC1, INC2, LOAD, and FETCH to enhance the readability of the specification. Originally all of the subfunctions were defined using the LAMBDA syntax. However, in this form the formal proofs (i.e., proving that this level implements the top\_Level spec) required exhorbitant amounts of CPU time. These functions were redefined using "axiomatic" definitions and the proofs required only a few minutes to complete.<sup>6</sup>

The total functionality of the counter is captured in the function "Finite\_automata":

```
Finite_automata: function[statevector,word6,word2 -> statevector] =
    (LAMBDA svt, ldn, fn -> statevector:
        IF val2(fn) = 0 THEN
            NEXT(svt,ldn,fn)
        ELSIF val2(fn) = 3 THEN
            NEXT(NEXT( NEXT(svt,ldn,fn), ldn,fn ),ldn,fn )
        ELSE
            NEXT( NEXT(svt,ldn,fn), ldn,fn )
        ELSE
            NEXT( NEXT(svt,ldn,fn), ldn,fn )
        END )
```

<sup>5</sup> One could easily prove that the former specification defines a function which is equivalent to the function defined by these four axioms.

<sup>6</sup> Although defining the subfunctions with axioms increases the work of the "human" prover -- i.e. one must explicitly cite the axiom whenever the function is used in a formula being proved --, the amount of proving time can be drasticly reduced. The reduction in proving time comes by only citing the functions whose expansion is relevant to the proof.

This function defines the sequence of calls of "NEXT" which accomplish each function. This function represents a "spanning tree" of the graph shown in figure 2.



Figure 2. - Spanning Tree for Finite-Automata

If "Finite\_Automata" is defined properly, the counter will be returned to the "fetch" node at the completion of the function as well as performing the specified function.

### Mapping to the Top-Level Specification

The mappings to the higher level of abstraction are made using EHDM mapping statements. (In the RSRE report the connections between models were informal). EHDM requires that a mapping be provided for every uninterpreted type and every constant of the module being mapped (i.e. the higher level specification). In "cnt6" the following uninterpreted type was defined:

#### states

The following functions were defined:

cnt, exec cnt, ready:

These are "mapped" in module "cnt6 fa" as follows:

The "cnt6." prefix indicates that "cnt6" functions are being mapped. The "cnt6" function "cnt" is mapped to "count" which is an abbreviation for the first component accessor function "first" of type "triples".

The "cnt6" function "exec\_cnt" is mapped to the function "Finite\_automata". The "cnt6" function "ready" is mapped by a function that returns true if and only if the automata is currently located at "fetchnode":

The need for this function now becomes clear. It is possible that an improperly designed counter could return the correct "count" but not correctly return the machine to the proper state, namely "fetchnode", where it is ready for the next input. This captures the "sequential" nature of the circuit. This property was not captured in the RSRE LCF-LSM specification.

External Interface and Timing Issues

The RSRE report does not formally define the interaction of the counter with respect to asynchronous changes in "func" and "loadin". The report examined the impact of changes in "func" and "loadin" while the finite automata is executing by a method called "hoisting the exit conditions". The method is built on the concept that the finite automata samples from lists of "func" and "loadin" values. These lists contain countable sequences of values which the "func" and "loadin" lines contain at the time points which the finite automata samples them. The finite automata is assumed to be driven by a synchronous clock -- one clock tick per transition of the finite automata. Thus, the calls

to "NEXT" are triggered by the synchronous clock. The analysis given in the RSRE report indicates how to match the values in the list with the execution of the counter.

Since it is possible that the value of "func" or "loadin" can change over time, this must be accounted for in the specification. In the "cnt6\_fa" specification above it is implicitly assumed that the values do not change until the counter has returned to the "fetchnode" state. This is implied by the fact that all of the calls to "NEXT" in the function "Finite\_automata", use the same values of "ldn" and "fn" (i.e. the parameters which correspond to "loadin" and "func" in the top spec). For example,

NEXT(NEXT( NEXT(svt,ldn,fn), ldn,fn ),ldn,fn )

If this assumption is not valid, the specification could be generalized by defining a list of "func" and "loadin" signal values:

clocktime: TYPE is int

funcsigs: function[clocktime -> word2]
loadinsigs: function[clocktime -> word6]

These functions "map" the synchronous clock time to the values of "func" and "loadin" at those times. It is necessary to assume that the values of "func" and "loadin" are "stable" at the time that the finite automata samples them.

In order to relate the behavior of the finite automata over time to these input values it is necessary to extend the definition of state to include time:

(count, double, node, clk)

The first three components are as before. The fourth component indicates the current time, i.e. the number of clock pulses which have been sent to the automata thus far. Formally, we would have:

USING quads[word6, bool, word2, nat]

statevector: TYPE is quad

count: function[ statevector -> word6 ] is first double: function[ statevector -> bool ] is second node: function[ statevector -> word2 ] is third clk: function[ statevector -> word2 ] ] is fourth

Function "NEXT" and its subfunctions would have to be modified to increment the value of clk. For example,

The net result would be to formally connect the arguments of "NEXT" in the definition of "Finite\_automata" to the sequence of func and loadin values over clock time:

The cnt6 fa Specification

The cnt6\_fa specification excluding the proofs is:

cnt6 fa: MODULE MAPPING cnt6 ONTO words, triples[word[6],bool,word[2]],bsignal THEORY (\* ------ create some abbreviations ------ \*) word2: TYPE is word[2] word6: TYPE is word[6] mw2: function[int -> word2] is mw[2] mw6: function[int -> word6] is mw[6] val2: function[word2 -> int] is val[2] val6: function[word6 -> int] is val[6] bit2: function[int, word2 -> signalval] is bit[2]

```
statevector: TYPE is triple
count: function[statevector -> word6] is first
double: function[statevector -> bool] is second
node: function[statevector -> word2] is third
BOOLF: function[signalval -> bool] is signal_to_bool
(* ----- define logic constants ----- *)
fetchnode: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
undef svt: statevector
(* ------ define logic variables ------ *)
svt: VAR statevector
ct, ldn, w: VAR word6
 fn: VAR word2
dbl,b: VAR bool
 (* ----- define functions ----- *)
 ADD1: function[word6 -> word6] ==
        (LAMBDA w -> word6:
           IF val6(w) = 63 THEN mw6(0) ELSE mw6(val6(w)+1)
           END)
 INC1: function[word6,bool,word6,word2 -> statevector]
 INC1_ax: AXIOM INC1(ct, dbl, ldn, fn) =
              IF dbl THEN
                make_triple(ADD1(ct),BOOLF(bit2(0,fn)),inc2node)
              ELSE
                make_triple(ADD1(ct),BOOLF(bit2(0,fn)),fetchnode)
              END
 INC2: function[word6,bool,word6,word2 -> statevector]
  INC2 ax: AXIOM INC2(ct, dbl, ldn, fn) =
                 make_triple( ADD1(ct),BOOLF(bit2(0,fn)),fetchnode)
  LOAD: function[word6,bool,word6,word2 -> statevector]
  LOAD ax: AXIOM LOAD(ct, dbl, ldn, fn) =
                 make_triple(ldn,BOOLF(bit2(0,fn)),fetchnode)
  FETCH: function[word6,bool,word6,word2 -> statevector]
  FETCH_ax: AXIOM FETCH(ct, dbl, ldn, fn)=
              IF val2(fn) = 0 THEN
                 make_triple(ct,BOOLF(bit2(0,fn)),fetchnode)
              ELSIF val2(fn) = 1 THEN
                 make_triple(ct,BOOLF(bit2(0,fn)),loadnode)
               ELSE
                 make_triple(ct,BOOLF(bit2(0,fn)),inclnode)
               END
```

```
NEXT: function[statevector,word6,word2 -> statevector]
     NEXT_ax: AXIOM NEXT(svt,ldn,fn) =
                      IF val2(node(svt)) = 0 THEN
                         FETCH(count(svt),double(svt),ldn,fn)
                      ELSIF val2(node(svt)) = 1 THEN
                         INCl(count(svt),double(svt),ldn,fn)
                      ELSIF val2(node(svt)) = 2 THEN
                         INC2(count(svt),double(svt),ldn,fn)
                      ELSIF val2(node(svt)) = 3 THEN
                         LOAD(count(svt),double(svt),ldn,fn)
                      ELSE
                         undef svt
                      END
                                               ----- *)
    NEXTO_ax: AXIOM val2(node(svt)) = 0 IMPLIES
                   NEXT(svt,ldn,fn) = FETCH(count(svt),double(svt),ldn,fn)
   NEXT1_ax: AXIOM val2(node(svt)) = 1 IMPLIES
                  NEXT(svt,ldn,fn) = INC1(count(svt),double(svt),ldn,fn)
   NEXT2_ax: AXIOM val2(node(svt)) = 2 IMPLIES
                  NEXT(svt,ldn,fn) = INC2(count(svt),double(svt),ldn,fn)
   NEXT3_ax: AXIOM val2(node(svt)) = 3 IMPLIES
                  NEXT(svt,ldn,fn) = LOAD(count(svt),double(svt),ldn,fn)
   Finite_automata: function[statevector,word6,word2 -> statevector] =
                    (LAMBDA svt, ldn, fn -> statevector:
                         IF val2(fn) = 0 THEN
                            NEXT(svt,ldn,fn)
                         ELSIF val2(fn) = 3 THEN
                           NEXT(NEXT( NEXT(svt,ldn,fn), ldn,fn ),
                                           ldn,fn )
                        ELSE
                           NEXT( NEXT(svt,ldn,fn), ldn,fn )
                        END)
  (* ----- Mapping to Top Level Spec in Module cnt6 ----- *)
  cnt6.states: TYPE FROM statevector
  cnt6.cnt: function[statevector -> word6] is count
  cnt6.exec_cnt: function[statevector,word6,word2 -> statevector]
                  is Finite automata
  cnt6.ready: function[statevector -> bool] =
                (LAMBDA svt -> bool: node(svt) = fetchnode )
END cnt6 fa
```

#### Strengthening the Top-Level Specification

The top-level specification defines the operation of the counter when "ready" is true, i.e. when it is ready for input. But, an implementation that is never ready satisfies the specification above. The following mappings would satisfy the specification:

cnt6.ready: function[statevector -> bool] = FALSE
cnt6.states: TYPE
cnt6.cnt: function[statevector -> word6]
cnt6.exec cnt: function[statevector,word6,word2 -> statevector]

The following property would preclude trivial implementations:

This property would define "func=0" as a reset, i.e., regardless of which state the counter is currently in, if the counter is "executed" with "func=0" it will be returned to "fetchnode". Unfortunately, the RSRE implementation does not satisfy this property. If the counter is located at state "inclnode" and "double(state)" is true, then the counter would transition to "inc2node" in response to a "func=0" command. The following more complicated property also precludes trivial solutions and is satisfied by the RSRE implementation:

eventually\_ready\_ax: AXIOM
 NOT ready(state) and func = 0 IMPLIES
 ready( exec\_cnt(exec\_cnt(state,loadin,func),loadin,func) )

#### BLOCK DIAGRAM SPECIFICATION

This section describes the third level in the hierarchy -- the block diagram specification. In the RSRE work the block-diagram spec was the lowest level of the system specified in the formal language LCF-LSM. They created a second description of the block diagram in the hardware design language ELLA (ref 3.) The connection between these two theoretically equivalent specifications was informal. The connection between the ELLA specification and the lower level circuit description was done using the method of "Intelligent Exhaustion" (ref. 4.)

This specification describes the system as a block diagram illustrated in figure 3.



Figure 3. - Block Diagram Specification

The finite automata is implemented by the following blocks (or subcircuits):

INCLOGIC MULTIPLEX MPLXCON INCCON NEXTNODE

The internal state variables (i.e. count, node and double) are assumed to be stored by latches which maintain their values between clock ticks. This is not explicitly formalized in the RSRE methodology. Consequently, it is possible that an implementation which failed to store these variables in latches would not be detected as erroneous by the RSRE methodology. Although informally this could be checked, it is not clear how this could be detected by an automatic theorem prover.

```
The cnt6_blk specification without proofs is:
cnt6 blk: MODULE
MAPPING cnt6_fa ONTO words,triples[word[6],bool,word[2]],bsignal
THEORY
  (* ----- define abbreviations for 'words' ----- *)
  word2: TYPE is word[2]
  word6: TYPE is word[6]
  mw2: function[int -> word2] is mw[2]
  val2: function[word2 -> int] is val[2]
  bit2: function[int, word2 -> signalval] is bit[2]
  mw6: function[int -> word6] is mw[6]
  val6: function[word6 -> int] is val[6]
  bit6: function[int, word6 -> signalval] is bit[6]
  BOOLF: function[signalval -> bool] is signal_to_bool
  statevector: TYPE is triple
   (* ----- logic constants defined in cnt6_fa ------
   fetchnode: word2 = mw2(0)
   inclnode: word2 = mw2(1)
   inc2node: word2 = mw2(2)
   loadnode: word2 = mw2(3)
    ----- define logic variables ------ *)
   stv: VAR statevector
   ct, incout, loadin: VAR word6
   noinc: VAR bool
   nd, func: VAR word2
   dbl: VAR bool
   mplxsel: VAR bool
   (* ------ define functions ----- *)
   INCLOGIC: function[word6,bool -> word6]
   INCLOGIC_ax: AXIOM INCLOGIC(ct,noinc) =
              IF noinc THEN ct
              ELSE ADD1(ct)
              END
   MULTIPLEX: function[word6,word6,bool -> word6]
   MULTIPLEX_ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) =
                      IF mplxsel THEN incout
                      ELSE loadin
                      END
```

MPLXCON: function[word2 -> bool] = (LAMBDA nd -> bool: NOT (val2(nd) = 3) ) INCCON: function[word2 -> bool] = (LAMBDA nd  $\rightarrow$  bool: (val2(nd) = 0) ) NEXTNODE: function[word2,word2,bool -> word2] (\* \_\_\_\_\_ NEXTNODE\_ax: AXIOM NEXTNODE(nd,func,dbl) = IF val2(nd) = 0 THEN IF val2(func) = 0 THEN fetchnode ELSIF val2(func) = 1 THEN loadnode ELSE include END ELSIF val2(nd) = 1 THEN IF dbl THEN inc2node ELSE fetchnode END ELSE fetchnode END ----- \*) NEXTNODE0\_ax: AXIOM val2(nd) = 0 IMPLIES NEXTNODE(nd, func, dbl) = IF val2(func) = 0 THEN fetchnode ELSIF val2(func) = 1 THEN loadnode ELSE inclnode END NEXTNODE1 ax: AXIOM val2(nd) = 1 IMPLIES NEXTNODE(nd, func, dbl) = IF dbl THEN inc2node ELSE fetchnode END NEXTNODE2a3 ax: AXIOM val2(nd) = 2 or val2(nd) = 3 IMPLIES NEXTNODE(nd, func, dbl) = fetchnode COUNTLOGIC: function[statevector,word6,word2 -> statevector] = (LAMBDA stv, loadin, func -> statevector: make triple( MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv)) ), loadin, MPLXCON(node(stv)) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(stv)) ) )

cnt6\_fa.NEXT: function[statevector,word6,word2 -> statevector] = COUNTLOGIC END cnt6 blk

#### SPECIFICATION OF CIRCUIT

In this section the 6-bit counter is expressed in terms of low-level circuit elements -- NAND2, INV, XNOR, etc. In the RSRE paper, this level was only defined in the ELLA language. Although the MAPPINGS to "cnt6\_blk" have been included, none of the proofs between this level and the block model have yet been attempted.

### Listing of Cnt6 cir

cnt6 cir: MODULE

MAPPING cnt6 blk ONTO words, triples, bsignal

THEORY

(\* \_\_\_\_\_ abbreviations \_\_\_\_\_ \*) word2: TYPE is word[2] word6: TYPE is word[6] cntrlsigs: TYPE is triple[bool,bool,word[2]] bit2: function[int, word2 -> bool] is bit[2] bit6: function[int, word6 -> bool] is bit[6] assign2: function[int,bool,word2 -> word2] is assign[2] assign6: function[int,bool,word6 -> word6] is assign[6] (\* ------ circuit elements ----- \*) b,b1,b2,b3,b4: VAR bool INV: function [bool -> bool] = (LAMBDA b -> bool: not b) NAND2: function [bool, bool -> bool] = (LAMBDA b1, b2  $\rightarrow$  bool: not (b1 and b2)) NAND3: function [bool, bool, bool -> bool] = (LAMBDA b1,b2,b3 -> bool: not (b1 and b2 and b3)) NAND4: function [bool, bool, bool, bool -> bool] = (LAMBDA b1,b2,b3,b4 -> bool: not (b1 and b2 and b3 and b4)) XNOR: function [bool, bool -> bool] = (LAMBDA b1,b2 -> bool: not (not b1 and b2 or b1 and not b2)) NOR2: function [bool, bool -> bool] = (LAMBDA b1, b2  $\rightarrow$  bool: not (b1 or b2)) (\* ------ logic variables ----- \*) i0,i1,i2,i3,i4,i5: VAR bool lbit,lsel,incbit,incsel: VAR bool incout, loadin, cntr: VAR word6

mplxsel,noinc,Double: VAR bool Node, Func: VAR word2 ----- circuit definition -----\*) output: function [bool,bool,bool,bool,bool,bool -> word6] = (LAMBDA i0, i1, i2, i3, i4, i5 -> word6: assign6(0,i0, assign6(1,i1, assign6(2,i2, assign6(3,i3, assign6(4,i4, assign6(5,i5,newword[6])))))) bitsel: function[bool,bool,bool,bool -> bool] = (LAMBDA lbit, lsel, incbit, incsel -> bool: NAND2( NAND2(lbit,lsel), NAND2(incbit,incsel)) ) MPLEXCIRC: function[word6,word6,bool -> word6] MPLEXCIRC ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) = output( bitsel(bit6(0,loadin),INV(mplxsel),bit6(0,incout),mplxsel), bitsel(bit6(1,loadin),INV(mplxsel),bit6(1,incout),mplxsel), bitsel(bit6(2,loadin),INV(mplxsel),bit6(2,incout),mplxsel), bitsel(bit6(3,loadin),INV(mplxsel),bit6(3,incout),mplxsel), bitsel(bit6(4,loadin),INV(mplxsel),bit6(4,incout),mplxsel), bitsel(bit6(5,loadin),INV(mplxsel),bit6(5,incout),mplxsel) carry4bar: function[word6,bool -> bool] = (LAMBDA cntr, noinc -> bool: NAND4(INV(noinc),bit6(0,cntr),bit6(1,cntr),bit6(1,cntr)) ) INCCIRC: function[word6, bool -> word6] = (LAMBDA cntr, noinc -> word6: output( XNOR(bit6(0, cntr), noinc), XNOR(bit6(1,cntr), NAND2(INV(noinc),bit6(0,cntr)) ), XNOR(bit6(2,cntr), NAND3( INV(noinc), bit6(0,cntr), bit6(1,cntr) ) ), XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ), XNOR(bit6(4, cntr), NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr) ) ), XNOR(bit6(5,cntr), NAND3(INV(carry4bar(cntr,noinc)), bit6(3,cntr) , bit6(4,cntr) ) ) ) )

```
inccon: function[word2 -> bool] =
          (LAMBDA Node -> bool:
            NOR2(bit2(0,Node),bit2(1,Node))
                                             )
common: function[word2,word2 -> bool] =
          (LAMBDA Node, Func -> bool:
             NAND3(inccon(Node), INV(bit2(1,Func)), bit2(0,Func)) )
CONTROLCIR: function[word2,word2,bool -> cntrlsigs] =
            (LAMBDA Node, Func, Double -> cntrlsigs:
               make triple( inccon(Node),
                           NAND2(bit2(0,Node),bit2(1,Node)),
                           assign2(0, NAND2(common(Node,Func),
                                            NAND2(inccon(Node), bit2(1,Func))
                                           ),
                             assign2(1,NAND2(common(Node,Func),
                                             NAND3(Double,
                                                   bit2(0,Node),
                                                   INV(bit2(1,Node) ) )),
                                     newword[2])
                                    )
                           )
            )
     ----- Mappings to "cnt6_blk" ------ *)
(* ---
cnt6_blk.INCLOGIC: function[word6,bool -> word6] = INCCIRC
cnt6_blk.MULTIPLEX: function[word6,word6,bool -> word6] = MPLEXCIRC
cnt6 blk.INCCON: function[word2,word2,bool -> bool] =
                   (LAMBDA Node, Func, Double -> bool:
                       first(CONTROLCIR(Node,Func,Double))
                   )
cnt6 blk.MPLXCON: function[word2,word2,bool -> bool] =
                   (LAMBDA Node, Func, Double -> bool:
                       second(CONTROLCIR(Node,Func,Double))
                    )
cnt6 blk.NEXTNODE: function[word2,word2,bool -> word2] =
                   (LAMBDA Node, Func, Double -> word2:
                       third(CONTROLCIR(Node, Func, Double))
                    )
```

END cnt6 cir

# Translation of Circuit-Spec to Silicon

Although the circuit-level description is defined in terms of only lowlevel circuit elements, this level does not explicitly specify the layout of the circuit. There are many problems to be addressed here. The first is uncovering the basic element interconnections from the functional description. For example, suppose we have the following circuit specification

```
BLACK_BOX: function{bool,bool,bool,bool -> bool]
  (LAMBDA i1,i2,i3,i4 -> bool:
    NAND3( XNOR(i1,i2),
    NAND2(XNOR(i1,i2), INV(XNOR(i3,i4)))
    XNOR(i3,i4)
    )
)
```

A brute-force implementation of this function would yield:



Of course, by recognizing common sub-expressions, this could be implemented as follows:



INFORMAL PROOFS

The concept of hierarchical specification depends on the idea of proving the axioms of a specification level as theorems in the level below it. One first maps the uninterpreted types and constants of the high level theory into more concrete objects in the lower level. The axioms of the high level specification are mapped down (using the mappings) to the objects of the lower level and proved as theorems there:



One must then prove that  $Map(A_1)$  and  $Map(A_2)$  follow from  $B_1$ ,  $B_2$ ,  $B_3$ ,  $B_4$ .

In the next two sections, the proofs which establish the connection from the block model specification up to the top specification are presented informally.

Proof Between Top Level Spec and Major State Machine Spec

There were two axioms of the top level spec "cnt6": "counter ax" and "ready ax".

When "counter\_ax" is mapped down to the next level, the functions "ready", "cnt", and "exec\_cnt", are interpreted in terms of their mapping definitions. Thus, in the lower level, the "counter\_ax" is:

This must be proved as a theorem in terms of the axioms of "cnt6\_fa". The basic strategy is to decompose this theorem into four cases:

```
Case 1: val2(func) = 0
Case 2: val2(func) = 1
Case 3: val2(func) = 2
Case 4: val2(func) = 3
```

First, one lemma is proved which simplifies the proof of the four cases. Next, each case is proved separately. Finally, "counter\_ax" is proved from these four cases:

Proof of a Lemma

```
stb1: LEMMA ready(st) IMPLIES val2(node(st)) = 0
Proof: By definition, ready(st) => ( node(st) = fetchnode )
                                      => ( node(st) = mw2(0) ).
 Thus,
      ready(st) \implies val2(node(st)) = val2(mw2(0))
By the "val mw thm" theorem of words[2] we have:
      ready(st) \implies val2(node(st)) = val2(mw2(0)) = 0
Endproof.
Proof of cnt 0
cnt 0: LEMMA ready(state) and val2(func) = 0
               IMPLIES cnt(exec cnt(state,loadin,func)) = cnt(state)
Proof: From the definition of "exec cnt" and val2(func)=0 we have:
  cnt(exec cnt(state,loadin,func)) =
           cnt( NEXT(state,loadin,func), loadin,func )
Using "NEXT ax", the preceeding lemma, and "FETCH ax" we have:
  cnt(exec cnt(state,loadin,func)) =
     cnt( FETCH(cnt(state) ,doublef(state),loadin,func) ) =
     cnt( make triple(cnt(state),BOOLF(bit2(0,func)),fetchnode) )
Finally by definition of "cnt" and the "make triple ax" we have:
  cnt(exec cnt(state,loadin,func)) =
     cnt(state)
```

Endproof.

## Proof of cnt 1

```
cnt_1: LEMMA ready(state) and val2(func) = 1
               IMPLIES cnt(exec cnt(state,loadin,func)) = loadin
Proof:
  cnt(exec_cnt(state,loadin,func)) =
                                                          (* NEXT ax *)
  cnt( NEXT( NEXT(state,loadin,func), loadin,func )) =
  cnt( NEXT( FETCH(cnt(state) , doublef(state), loadin, func) )) =
  cnt( NEXT( make triple(cnt(state),BOOLF(bit2(0,func)),loadnode)
              loadin,func )) =
(\star --- \text{Since VAL2(loadnode}) = 3 --- \star)
 cnt(LOAD(cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),loadnode),
           doublef(make_triple(cnt(state),BOOLF(bit2(0,func)),loadnode),
           loadin,func) ) =
 cnt(LOAD(cnt(state),
           BOOLF(bit2(0,func)),
           loadin,func) ) =
 cnt( make_triple(loadin,BOOLF(bit2(0,func)),fetchnode) ) =
 loadin
```

### Proof of cnt 2

```
cnt_2: LEMMA ready(state) and val2(func) = 2
            IMPLIES cnt(exec cnt(state,loadin,func)) =
               IF val6(cnt(state)) = 63 THEN mw6(0)
                  ELSE mw6(val6(cnt(state))+1)
                    END
Proof:
                                                         (* NEXT ax *)
  cnt(exec cnt(state,loadin,func)) =
  cnt( NEXT( NEXT(state,loadin,func), loadin,func )) =
  cnt( NEXT( FETCH(cnt(state) ,doublef(state),loadin,func) )) =
  cnt( NEXT( make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode)
              loadin,func )) =
(* --- Since VAL2(inclnode) = 1 --- *)
  cnt(INCl(cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode),
           doublef(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode),
           loadin,func) ) =
  cnt(INC1( cnt(state),
            BOOLF(bit2(0,func),
            loadin,func) ) =
(* ---- Since bit2(0,func) = 0 ==> BOOLF(bit2(0,func)) = false ---- *)
 cnt(make_triple(ADD1(cnt(state)),BOOLF(bit2(0,func)),fetchnode)) =
 ADD1(cnt(state)) =
 IF val6(cnt(state)) = 63 THEN mw6(0) ELSE mw6(val6(cnt(state))+1)
 END
Proof of cnt 3
cnt_3: LEMMA ready(state) and val2(func) = 3
                IMPLIES cnt(exec cnt(state,loadin,func)) =
                        IF val6(cnt(state)) = 63 THEN mw6(1)
```

```
ELSIF val6(cnt(state)) = 62 THEN mw6(0)
ELSE mw6(val6(cnt(state))+2)
END
```

```
Proof:
  cnt(exec cnt(state,loadin,func)) =
                                                         (* NEXT ax *)
  cnt( NEXT( NEXT( State, loadin, func), loadin, func ), loadin, func)) =
  cnt( NEXT( NEXT( FETCH(cnt(state) ,doublef(state),loadin,func)),
             loadin,func) =
  cnt( NEXT( NEXT( make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode)
              loadin,func ), loadin,func )) =
(* --- Since VAL2(inclnode) = 1 --- *)
  cnt(NEXT(
      INC1(cnt(make_triple(cnt(state),BOOLF(bit2(0,func)),inc1node),
           doublef(make_triple(cnt(state),BOOLF(bit2(0,func)),inclnode),
           loadin,func),loadin,func ) ) =
  cnt(NEXT( INCl( cnt(state),
                  BOOLF(bit2(0,func),
                  loadin,func),loadin,func) ) =
(* ---- Since bit2(0,func) = 1 ==> BOOLF(bit2(0,func)) = true ---- *)
cnt(NEXT(make_triple(ADD1(cnt(state)),BOOLF(bit2(0,func)),inc2node),
         loadin,func) ) =
cnt(INC2(cnt(make_triple(ADD1(cnt(state)),BOOLF(bit2(0,func))),
         doublef( make triple(ADD1(cnt(state)),BOOLF(bit2(0,func)) ),
          loadin,func)) =
cnt(INC2(ADD1(cnt(state)),
         BOOLF(bit2(0,func)),
         loadin,func ) ) =
cnt( make_triple(ADD1((ADD1(cnt(state))),BOOLF(bit2(0,func)),fetchnode) ) =
ADD1((ADD1(cnt(state))) =
ADD1(IF val6(ADD1(cnt(state))) = 63 THEN mw6(0)
     ELSE mw6(val6(ADD1(cnt(state)))+1) END )
IF val6(IF val6(ADD1(cnt(state))) = 63 THEN mw6(0)
        ELSE mw6(val6(ADD1(cnt(state)))+1) END) = 63 THEN mw6(0)
ELSE mw6(val6(IF val6(ADD1(cnt(state))) = 63 THEN mw6(0)
              ELSE mw6(val6(ADD1(cnt(state)))+1) END)+1)
```

END

IF val6(cnt(state)) = 63 THEN mw6(1)
ELSIF val6(cnt(state)) = 62 THEN mw6(0)
ELSE mw6(val6(cnt(state))+2)
END

Proof of the cnt6 axioms

The "counter\_ax" follows from "cnt\_0", "cnt\_1", "cnt\_2", and "cnt\_3" and the "val\_range\_thm" applied to "func". The "val\_range\_thm" is needed to establish that "func" can only be equal to 0, 1, 2, or 3. Thus the "ELSE" clause in "counter\_ax" applies to "func" = 3 only. Thus, counter\_ax follows directly from cnt\_0, cnt\_1, cnt\_2, cnt\_3, and val\_range\_thm[2]. The axiom "ready\_ax" is proved from the same lemmas.

Proof Between Major State Machine Spec and Block Model Spec

In this section the connection between the major state machine model and the block diagram spec is demonstrated via informal proof. The following axioms of the major state machine model must be proved as theorems in the Block Model:

```
NEXT0_ax: AXIOM val2(node(stv)) = 0 IMPLIES
NEXT(stv,ldn,fn) = FETCH(count(stv),double(stv),ldn,fn)
NEXT1_ax: AXIOM val2(node(stv)) = 1 IMPLIES
NEXT(stv,ldn,fn) = INC1(count(stv),double(stv),ldn,fn)
NEXT2_ax: AXIOM val2(node(stv)) = 2 IMPLIES
NEXT(stv,ldn,fn) = INC2(count(stv),double(stv),ldn,fn)
NEXT3_ax: AXIOM val2(node(stv)) = 3 IMPLIES
NEXT(stv,ldn,fn) = LOAD(count(stv),double(stv),ldn,fn)
```

The function "NEXT" is mapped onto "COUNTLOGIC" at this level, so each of these axioms must be proved with respect to the "COUNTLOGIC" implementation:

```
NEXTO ax: AXIOM val2(node(stv)) = 0 IMPLIES
                  COUNTLOGIC(stv,ldn,fn) = FETCH(count(stv),double(stv),ldn,fn)
Proof:
  COUNTLOGIC(stv, loadin, func) =
           make triple(MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv))),
                                          loadin,
                                          MPLXCON(node(stv))),
                                  BOOLF(bit2(0,func)),
                                  NEXTNODE(node(stv), func, double(node)) ) =
{ by definition of INCCON and MPLXCON: }
                  make triple( MULTIPLEX(INCLOGIC(count(stv),
                                                   (val2(node(stv)) = 0)),
                                          loadin,
                                          NOT (val2(node(stv)) = 3)),
                                BOOLF(bit2(0,func)),
                                NEXTNODE(node(stv), func, double(node)) ) =
                  make triple( MULTIPLEX(INCLOGIC(count(stv),
                                                   true ),
                                          loadin,
                                          true ),
                                BOOLF(bit2(0,func)),
                                NEXTNODE(node(stv),func,double(node)) ) =
{ by INCLOGIC ax: }
                  make triple( MULTIPLEX(count(stv),
                                          loadin,
                                          true ),
                               BOOLF(bit2(0,func)),
                               NEXTNODE(node(stv),func,double(node)) ) =
{ by MULTIPLEX ax: }
                  make triple( count(stv),
                               BOOLF(bit2(0,func)),
                               NEXTNODE(node(stv),func,double(node)) ) =
{ by FETCH ax: }
                 FETCH(cnt(stv),doublef(stv),loadin,func) =
```

( The last step follows from the fact that val2(node(stv) = 0 IMPLIES that

Endproof

```
NEXT1 ax: AXIOM val2(node(stv)) = 1 IMPLIES
                 COUNTLOGIC(stv,ldn,fn) = INC1(count(stv),double(stv),ldn,fn)
Proof:
  COUNTLOGIC(stv, loadin, func) =
                  make_triple( MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
                                          loadin,
                                          MPLXCON(node(stv))),
                               BOOLF(bit2(0,func)),
                               NEXTNODE(node(stv),func,double(node)) ) =
{ by definition of MPLXCON: }
                  make_triple( MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))),
                                          loadin,
                                          NOT(val2(node(stv))=3) ),
                                BOOLF(bit2(0,func)),
                                NEXTNODE(node(stv), func, double(node)) ) =
{ by INCLOGIC ax: }
                   make_triple( MULTIPLEX(ADD1(count(stv),
                                          loadin,
                                          true),
                                BOOLF(bit2(0,func)),
                                NEXTNODE(node(stv),func,double(node)) ) =
 { by MULTIPLEX_ax: }
                   make triple( ADD1(count(stv),
                                BOOLF(bit2(0,func)),
                                NEXTNODE(node(stv),func,double(node)) ) =
 { by INC1 ax: }
                  INCl(cnt(stv),double(stv),loadin,func) =
 ( The last step follows from the fact that val2(node(stv) = 1 IMPLIES that
     NEXTNODE(node(stv),func,double(node)) ) is an element of
                 {fetchnode, inc2node}
```

Endproof

NEXT2 ax: AXIOM val2(node(stv)) = 2 IMPLIES COUNTLOGIC(stv,ldn,fn) = INC2(count(stv),double(stv),ldn,fn) Proof: COUNTLOGIC(stv, loadin, func) = make\_triple( MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv))), loadin, MPLXCON(node(stv))), BOOLF(bit2(0, func)), NEXTNODE(node(stv), func, double(node)) ) = make\_triple( MULTIPLEX(INCLOGIC(count(stv), INCCON(node(stv))), loadin, NOT(val2(node(stv))=3) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) ) = [ by INCLOGIC ax: ] make\_triple( MULTIPLEX(ADD1(count(stv), loadin, true), BOOLF(bit2(0,func)), NEXTNODE(node(stv), func, double(node)) ) = [ by MULTIPLEX ax: ] make\_triple( ADD1(count(stv), BOOLF(bit2(0,func)), NEXTNODE(node(stv), func, double(node)) ) = [ by NEXTNODE2a3 ax: ] make\_triple( ADD1(count(stv)), BOOLF(bit2(0,func)), fetchnode ) = { by INC2 ax: } INC2(cnt(stv),double(stv),loadin,func) =

NEXT3\_ax: AXIOM val2(node(stv)) = 3 IMPLIES COUNTLOGIC(stv,ldn,fn) = LOAD(count(stv),double(stv),ldn,fn)

COUNTLOGIC(stv, loadin, func) = make\_triple(MULTIPLEX(INCLOGIC(count(stv),INCCON(node(stv))), loadin, MPLXCON(node(stv))), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) ) = make\_triple(MULTIPLEX(INCLOGIC(count(stv),val2(node(stv))=0), loadin, NOT(val2(node(stv))=3) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) ) = [ by INCLOGIC ax: ] make\_triple(MULTIPLEX((count(stv) loadin, NOT(val2(node(stv))=3) ), BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) ) = [ by MULTIPLEX ax: ] make triple( loadin, BOOLF(bit2(0,func)), NEXTNODE(node(stv),func,double(node)) ) = [ by NEXTNODE2a3 ax: ] make\_triple( loadin, BOOLF(bit2(0,func)), fetchnode ) = { by LOAD ax: } LOAD(cnt(stv),double(stv),loadin,func) =

Proof Between Block Diagram Spec and Circuit-Level Spec

In the RSRE methodology, the proof between the block-diagram specification and the circuit-level specification is accomplished by the method of intelligent exhaustion (ref. 4) or the more recent "NODEN" method (ref 5). The proofs at this level have not yet been attempted. Future work will investigate the advantages and disadvantages of "NODEN" versus EHDM proof.

# SPECIFICATION OF N-BIT WORDS

A physical row of input or output lines are often interpreted as integers in some hardware devices. Of course the range of integer values which can be presented on N wires is finite, usually taken to be 0 to  $2^{N}-1$ . It is necessary to build a theory which enables one to reason about such rows of signal values as integers, in a simple manner. This section describes such a theory. In this theory a row of N inputs is referred to as a "N-bit word". This theory has been defined in a separate module "words" to facilitate its reuse. This module should be usable by most hardware verification projects without modification.

It is necessary to first define the possible signal values which can appear on a single line. For simplicity, the set of boolean values: {true, false} are used to represent signal values in "words". In the RSRE reports, the domain of signal values range over t, f, x, z, q and i, which stand for true, false, don't care, tri-state high impedance, unaltered memory element and indeterminate, respectively. The x, z, q, and i values were not needed to verify the counter in EHDM so the simpler boolean domain was used. Appendix A shows how the theory of words can be generalized to include these other values.

Conceptually, a word consists of N bits which are indexed by an integer between 0 and N-1 inclusive. Thus, the module is defined in terms of a generic parameter "N" which is the number of bits in the word. This module exports the type "word[N]". If only one type of word will be used in a specification, the user can declare the size of the words in a USING clause, e.g.

USING words[32]

and the identifier "word" can be used instead of word[32]. If more than one word type is needed, then the following using clause is used:

USING words

and the user must cite the length of the word explicitly, e.g. word[32], word[16], etc. This module also defines the following functions:

36

val(w): returns the unsigned integer value of the N-bit word "w"

mw(i): returns an N-bit word containing the binary representation of the unsigned integer "i".

bit(i,w): returns the contents of the "ith" bit of word "w"
assign(i,b,w): assigns the boolean value "b" to the "ith" bit of word "w"

If there is only one declaration of the "words" module, then the above functions cab be abbreviated as "val", "mw", "bit" and "assign". If there are multiple declarations of the "words" module, then the function names cannot be abbreviated, e.g.:

val[32](w): returns the unsigned integer value of the 32-bit word "w"
val[12](w): returns the unsigned integer value of the 12-bit word "w"
bit[16](i,w): returns the contents of the "ith" bit of the 16-bit word "w"
assign[12](i,b,w): assigns "b" to the "ith" bit of the 12-bit word "w"

The "bit" and "assign" functions enable the access and modification of individual bits of a N-bit word. These functions are defined formally as follows:

Thus, bit and assign are defined in terms of each other. The axiom defines the effect of retrieving a bit from a word which has been modified by assigning a new value to one of its bits. If the bit being retrieved is the same as the one just assigned, the new value is retrieved. Otherwise, the value retrieved is the same as before the assignment. Thus, assigning a bit in a word does not affect any other bit in the word. It should be noted that these functions are not defined in a "constructional" manner; that is, they have not been defined separately in terms of previously defined primitives. Their properties have been defined axiomatically in terms of each other. Such axioms must be carefully scrutinized to insure that inconsistencies are not introduced into the specification.

This method of defining a word differs considerably from the way they were defined in the RSRE report using LCF-LSM. In LCF-LSM there are specific builtin functions that manipulate lists of objects. In the RSRE work, a word is

37

represented by a list of objects. Thus, they "construct" a word using more primitive functions.

In the top-level specification of the 6-bit counter, its behavior is defined in terms of modulo-64 arithmetic over integers. Thus, it is necessary to define functions which "interpret" an N-bit word as an integer. The "val" and "mw" functions perform this duty. The "val" function is defined recursively as follows:

valm: function[word,int,int -> int] valm\_def: AXIOM valm(w,m,n) = IF m = 0 THEN 0 ELSE 2\*valm(w,m-1,n) + BOOLVAL(bit(n-m,w)) END val: function[word -> int] val\_def: AXIOM val(w) = valm(w,N,N) Similarly, the "mw" function is defined recursively: mw: function[int -> word] mwm.function[int,int,int -> word] mwm\_def: AXIOM mwm(v,m,n) = IF m = 0 THEN newword ELSE assign(n-m,BOOLVAR(MOD2(v)), mwm(DIVBY2(v),m-1,n) )

END

The constant "newword" used in "mwm\_def" above represents an undefined word. It is defined formally as:

accessnew: AXIOM bit(k, newword) = f

The major theorem of this module establishes that "val" and "mw" are inverse functions:

( ii >= 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) = ii

The specification of "words" is:

words: MODULE[N: int]

USING power2\_th,divby2\_th

EXPORTING word, newword, bit, assign, val, mw, mwm, valm, bool\_to\_int
WITH power2\_th,divby2\_th

```
ASSUMING
  N pos: FORMULA N>0
THEORY
  word: TYPE
  k,i,ii,m,v,n: VAR int
  w,w1,w2: VAR word
  b: VAR bool
  newword: word
  assign: function[int, bool, word -> word]
  bit: function[int, word -> bool]
  bitassign: AXIOM (i \ge 0 and i < N) IMPLIES
                     bit(i, assign(k, b, w)) =
                          ( IF k = i THEN b ELSE bit(i,w) END )
  mw: function[int -> word]
  val: function[word -> int]
  mwm: function[int,int,int -> word]
  mwm def: AXIOM mwm(v,m,n) =
                IF m = 0 THEN newword
                 ELSE
                   assign(n-m,BMOD2(v),mwm(DIVBY2(v),m-1,n) )
                END
  mw def: AXIOM mw(ii) = mwm(ii,N,N)
  bool to int: function[bool -> int] =
                (LAMBDA b -> int: IF b THEN 1 ELSE 0 END )
  valm: function[word,int,int -> int]
  valm def: AXIOM valm(w, m, n) = IF m = 0 THEN 0
                               ELSE 2*valm(w,m-1,n) + bool to int(bit(n-m,w))
                               END
  val def: AXIOM val(w) = valm(w,N,N)
  (* _____ Big Theorems _____ *)
  val mw thm: THEOREM ( ii >= 0 AND ii < power2(N) )
                   IMPLIES val(mw(ii)) = ii
  val range thm: THEOREM val(w) >= 0 and val(w) < power2(N)
  val bits thm: THEOREM val(w1) = val(w2) IMPLIES
                   (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2))
END words
```

The proofs of the theorems are listed in Appendix C.

## FORMAL PROOFS

In this section a brief overview is given of the formal proofs performed using the EHDM theorem prover. The automatic theorem prover is used to guarantee that no errors have been made in the proofs themselves.

## Introduction to Proving in EHDM

Proving is accomplished in EHDM by reducing the problem to the decidable domain of the theorem prover by citing all premises which the theorem depends upon and "instantiating" the variables of the theorem and premises. TO illustrate this process, the cnt 0 proof will be examined. From the informal proof (see section entitled "INFORMAL PROOFS") we can see that the theorem follows from NEXT ax, FETCH ax, stbl, and make triple\_ax. The first step to proving the theorem is to list these premises. Next, the variable names in the premises must be "matched". This is accomplished by "instantiating" (i.e. substituting) the variables in the premises with the same names as in the The first premise used was NEXT ax. NEXT ax has three variables conclusion. which must be "instantiated", namely maj, loadin, and func.<sup>7</sup> The cnt 0 formula calls the "NEXT" function with arguments "state", "loadin", and "func". Therefore, these are the values that must be assigned to the "NEXT ax" variables. This is done as follows:

> maj <- state@C, loadin <- loadin@C, func <- func@C</pre>

The @C is used to indicate that the names come from the conclusion. (Names from premise one are designated by @P1, premise two by @P2 and so forth.) This matching process is done for all of the premises. The formal proof is:

<sup>7</sup> Substitutable variables are those that are universally quantified in the premises and existentially quantified in the conclusion.

Proof statements are included in the specification module in the last section which follows the reserved word "PROOF". The module is subjected to the theorem prover. The prover attempts to prove each of the theorems referenced by a "PROVE" statement. The prover returns either "PROVED" or "UNPROVED". A proof trace is supplied by the theorem prover to aid the user in accomplishing a proof.

Some suggestions for improving the EHDM Theorem Prover are given in Appendix B.

## Status of Proofs

All of the proofs between the Top Level and the Major-State Level and Between the Major-state level and the Block Model level have been completed. A complete listing of the specifications and proofs are given in Appendix C. The status reports generated by EHDM are listed below:

Proofs Between Top-level and Major-state level

The proof chain is complete

The following formulas were justified only as specific instances words[&1].N pos

The axioms and assumptions at the base are:

cnt6 fa.INC2 ax\* cnt6 fa.NEXT2 ax\* cnt6 fa.INC1 ax\* cnt6 fa.INC1 ax\* cnt6 fa.LOAD ax\* cnt6 fa.NEXT3 ax\* triples[&1, &2, &3].make triple\_ax

cnt6 fa.FETCH ax\* cnt6 fa.NEXT0 ax\* divby2 th.alt\_ax\* divby2 th.kill ax\* words[&1].valpos ax\* words[&1].twen ax\* words[&1].mw def words[&1].weir ax\* divby2\_th.tfun\_ax\* int inductions.int induct by 2 divby2 th.ifun ax\* words[&1].qfun ax" words[&1].vfun ax\* divby2 th.DIV ax divby2 th.BMOD2 ax divby2 th.MOD2 ax words[**&**1].bitassign words[&1].mwm def words[&1].zfun ax\* words[&1].val def int inductions.int induction words[&1].valm def words[&1].rang\_ax\* power2 th.power2 ax denotes the axioms which are merely name definitions (see section entitled "Definitional Axioms" in APPENDIX B. The critical axioms are triples[&1, &2, &3].make triple\_ax words[&1].mw def int inductions.int induct by 2 divby2 th.DIV ax divby2 th.BMOD2 ax divby2\_th.MOD2\_ax words[&1].bitassign words[&1].mwm def words[&1].val def int inductions.int induction words[&1].valm def power2 th.power2 ax Proofs Between Major-state level and Block-model level The proof chain is complete The axioms and assumptions at the base are: cnt6 fa.LOAD ax\* cnt6 blk.NEXTNODE2a3 ax\* cnt6 fa.INC2 ax\* cnt6 blk.NEXTNODE1 ax\* cnt6 fa.INC1 ax\* cnt6 blk.NEXTNODE0 ax\* cnt6 fa.FETCH ax\*

cnt6\_blk.MULTIPLEX\_ax\*
cnt6\_blk.INCLOGIC\_ax\*

\* denotes the axioms which are merely name definitions (see section entitled "Definitional Axioms" in APPENDIX B.

Status of modules in context

cnt6\_cir: Parsed and Typechecked signal: Parsed and Typechecked cnt6: Parsed and Typechecked cnt6 fa: Parsed and Typechecked, 31 proofs, 31 attempted, 31 succeeded ineq\_cases: Parsed and Typechecked, 5 proofs, 5 attempted, 5 succeeded divby2 th: Parsed and Typechecked, 29 proofs, 29 attempted, 29 succeeded power2 th: Parsed and Typechecked, 7 proofs, 7 attempted, 7 succeeded words prf: Parsed cnt6 blk: Parsed and Typechecked, 14 proofs, 14 attempted, 14 succeeded bsignal: Parsed and Typechecked, 58 proofs, 58 attempted, 58 succeeded int inductions: Parsed and Typechecked triples: Parsed and Typechecked

## CONCLUSIONS

The RSRE methodology appears to be a practical approach to designing and verifying digital hardware. No major problems have been discovered in the methodology thus far. The work of this paper has focused on the hierarchical specification method. Future work will concentrate on the method of intelligent exhaustion.

There was one property which should be demonstrated about sequential circuits that was not explicitly dealt with in the RSRE papers -- "readiness" of the finite state automata. The "readiness" property refers to whether the finite automata always returns to the fetch state after executing a function. Although RSRE's hand proofs clearly established this property, the property was not specified formally.

The RSRE report did not formalize in LCF-LSM the timing behavior of the counter. Although some timing diagrams were provided and some informal remarks were made about "hoisting exiting conditions", it is not clear how this material could be formalized. Although omitting timing details from the LCF-LSM specifications significantly reduces the complexity of the specifications, it raises the possibility that certain design errors could go undetected. For example, if the state variables were not stored in latches (e.g., connected via direct feedback line), the automatic theorem prover would not report this

43

deficiency. This appears to be an implicit assumption of the overall methodology which should be more carefully documented.<sup>8</sup>

The EHDM system was found to be fully capable of supporting the RSRE methodology for hardware verification. Two features of the EHDM system were found to be especially useful -- generic modules and the MAPPING constructs. The generic module capability provided a convenient method of defining the theory of words. This stands in contrast to LCF\_LSM where the "almost identical" text must be repeated which define "val2", "val6", "val32", etc. The MAPPING constructs enabled the user to formally connect the levels of the system hierarchy. This was only accomplished informally in the RSRE report.

## REFERENCES

- 1. Cullyer, W. J.; and Pygott, C. H.: Hardware Proofs Using LCF-LSM and ELLA, RSRE Memorandum No. 3832, Royal Signals and Radar Establishment, Sept. 1985
- 2. F. W. von Henke; J.S. Crow; R. Lee; J.M. Rushby; R.A. Whitehurst: The EHDM verification environment: an overview. Proc. of the 11th NBS/NCSC National Computer Security Conference, Baltimore, October 1988.
- Morison, J. D.; Peeling N. E.; Thorp T. L. : ELLA: Hardware Description Or Specification?, Proc. IEEE International Conference CAD-84, Santa Clara, Nov. 12-15, 1984.
- Pygott, C. H.: Formal Proof of Correspondence between the specification of a hardware module and its gate level implementation, RSRE Report No. 85012, Royal Signals and Radar Establishment, Sept. 1985
- 5. Pygott, C. H.: NODEN: An Engineering Approach to Hardware Verification, IFIPS Hardware Verification Conference, July 1988.

<sup>8</sup> A simple program could be written which examines the circuit-level specification to insure that all feedback paths contain a one clock delay device (e.g. a latch).

## APPENDIX A

## THEORY OF GENERAL WORDS

In this section, a general theory of words is developed. This theory defines the concept of a N-bit word where each bit can take values from a more general domain than the booleans. Although the theory developed does not depend upon the specific domain, the following values are of typical interest:

t -- true
f -- false
x -- don't care
q -- unaltered memory element
z -- tristate impedance high
i -- indeterminate

The following specification defines these values

```
exhaust: AXIOM x = t or x = f or x = x or x = q or x = z or x = i
```

Since EHDM has no method of defining a new domain of values automatically, the user must manually define its value and explicitly state the property of uniqueness and completeness.

The properties of words over the domain of "signalval" are defined in the same manner as words defined over booleans.

This is essentially the same as "bitassign" in the boolean words theory. The function names are capitalized to distinguish them from the boolean word

functions since EHDM does not support overloading of function names. The axiom defines the effect of retrieving a bit from a word which has been modified by assigning a new value to one of its bits. If the bit being retrieved is the same as the one just assigned, the new value is retrieved. Otherwise, the value retrieved is the same as before the assignment. It should be noted that these functions are not defined in a "constructional" manner, that is, they have not been defined separately in terms of previously defined primitives. Their properties have been defined axiomatically in terms of each other. Such axioms must be carefully scrutinized to insure that inconsistencies are not introduced into the specification.

Next, the functions "val" and "mw" are defined in the general theory of words. The "val" and "mw" functions "interpret" the N bits of boolean values as an integer. Consequently they are only defined for general words that contain only values of "t" and "f". They must be defined as partial functions. This is accomplished by defining a function which embeds the boolean words in the set of general words:

There are now two distinct types -- word and gword -- which represent boolean words and general words respectively. The function bool\_to\_signal associates the boolean values with "t" and "f" of "signalval":

```
bool_to_signal: function[bool -> signalval] =
    (LAMBDA bb -> signalval:
        IF bb THEN t
        ELSE f
        END)
```

Thus, the function "embed" maps boolean words to the corresponding general word which consists of only "t" and "f" values. Using the "embed" function, the partial functions "Val" and "Mw" can be defined:

```
Val: function[gword -> int]
Val_ax: AXIOM Val(embed(w)) = val(w)
Mw: function[int -> gword]
Mw ax: AXIOM Mw(ii) = embed(mw(ii))
```

The theorems of the "words" module are easily established in the theory of general words. For example:

The last step follows from the "val\_mw\_thm" theorem of "words", the boolean word theory.

The full specification of "gwords" follows:

gwords: MODULE[N: int]

USING words, power2\_th, signal, divby2\_th

EXPORTING gword, newgword, Valuable, Assign, Bit WITH power2\_th,signal,divby2\_th

ASSUMING

N\_pos: FORMULA N>0

THEORY

```
(* ----- abbreviations for words items ------ *)
 word: TYPE is word[N]
 assign: function[int, bool, word -> word] is assign[N]
 bit: function[int, word -> bool] is bit[N]
 mw: function[int -> word] is mw[N]
 val: function[word -> int] is val[N]
 (* ----- Theory needed to define words functions ----- *)
 gword: TYPE
 newgword: gword
 k,i,ii: VAR int
 w: VAR word
 gw, gw2: VAR gword
 s: VAR signalval
 a,b: VAR bool
 Assign: function[int, signalval, gword -> gword]
 Bit: function[int, gword -> signalval]
  Bit_Assign_ax: AXIOM (i < N and i \ge 0) IMPLIES
                    ( IF k = i THEN Bit(i,Assign(k,s,gw))= s
                     ELSE Bit(i,Assign(k,s,gw)) = Bit(i,gw) END )
```

```
accessnew: AXIOM Bit(k, newgword) = x
     (* ----- Concepts related to interpretation of words as integers ----- *)
     embed: function[word -> gword]
     embed_ax: AXIOM (i < N and i >= 0) IMPLIES
                     Bit(i,embed(w)) = bool_to_signal(bit(i,w))
     Val: function[gword -> int]
     Val_ax: AMIOM Val(embed(w)) = val(w)
    Mw: function[int -> gword]
                                                ÷ (
    Mw_ax: AXIOM Mw(ii) = embed(mw(ii))
    Valuable: function[gword -> bool]
    Valuable_def: AXIOM Valuable(gw2) = (EXISTS w: gw2 = embed(w))
    Val Mw_thm: AXIOM ( ii >= 0 AND ii < power2(N) )
                       IMPLIES Val(Mw(ii)) = ii
    Bit bit thm: THEOREM (i < N and i \ge 0) IMPLIES
                             bit(i,w) = signal_to_bool(Bit(i,embed(w)))
    Assign_assign_thm: THEOREM (i < N and i >= 0) IMPLIES
                      embed(assign(i,b,w)) = Assign(i,bool_to_signal(b),embed(w))
    Valuable_mw: THEOREM Valuable(embed(mw(ii)))
   Valuable_thm: THEOREM Valuable(gw) = ((i>=0) and (i < N) IMPLIES
                                          (Bit(i,gw) = t \text{ or } Bit(i,gw) = f))
   Val range thm: AXIOM Valuable(gw) IMPLIES
                         Val(gw) >= 0 and Val(gw) < power2(N)
 PROOF
   p_Val_Mw_thm: PROVE Val_Mw_thm FROM Mw ax,
                                        VaI ax\{w <-mw(ii)\},\
                                        val mw thm[N]
  p_Val_range_thm: PROVE Val_range_thm{gw <- embed(w@p3)} FROM</pre>
                                        Valuable_def{gw2 <- embed(w@P3)},</pre>
                                        Val_ax{w <- w@P3},
                                       val range thm[N]
  p_Valuable_mw: PROVE Valuable_mw FROM Valuable_def
  p_Bit_bit_thm: PROVE Bit_bit_thm FROM embed ax,
                                         signaI to bool ax
  p_Assign_assign_thm: PROVE Assign_assign_thm FROM
                                      Bit Assign ax,
                                      embed_ax{w <- assign(i,b,w)}</pre>
END gwords
```

```
signal: MODULE
EXPORTING signalval, t, f, x, (* EQsig, AND3, OR3, NOT3, EQUIV *)
          bool to signal, signal to bool, bool to int, BOOLF
          (* , int to signal , signal to int *)
THEORY
   signalval: TYPE
   t,f,x: signalval
   a,b,c: VAR signalval
   bb: VAR bool
   i: VAR int
  unique: AXIOM (t \tilde{} = f) and (t \tilde{} = x) and (f \tilde{} = x)
   exhaust: AXIOM a=t OR a=f OR a=x
   signal to bool: function[signalval -> bool]
   signal to bool ax: AXIOM signal to bool(t) = true and
                       signal to bool(\overline{f}) = false
  bool to signal: function[bool -> signalval] =
           (LAMBDA bb -> signalval:
               IF bb THEN t
               ELSE f
               END)
  BOOLF: function[signalval -> bool] is signal_to_bool
  bool to int: function[bool -> int] =
                (LAMBDA bb -> int: IF bb THEN 1 ELSE 0 END )
```

END signal

## APPENDIX B

## SUGGESTIONS FOR IMPROVING EHDM

In the following subsections, several suggestions are made for improving the EHDM verification system.

Definition of the Values of a Type

Frequently it is necessary to define a type which takes on a finite number of distinct values. This is accomplished in LCF-LSM as follows:

```
type signalval = NEW(t | f | x)
```

In EHDM this must be done via a laborious detailed specification of all of the properties needed:

signalval: TYPE
t,f,x: signalval
s: VAR signalval

unique: AXIOM t ~= f and t ~= x and f ~= x exhaust: AXIOM s = t or s = f or s = x

# Definitional Axioms

There is a need for another kind of "axiom" in EHDM. In order to facilitate the proof process it is often necessary to rewrite LAMBDA definitions as axioms. Instead of

F: function[int -> int] = (LAMBDA x -> int: x\*x)

one writes:

F: function[int -> int]
F ax: AXIOM F(x) = x\*x

Thus, the theorem prover only expands the definition of F when specifically stated as a premise. This is desirable when the definition is complicated and a proof does not depend upon the particulars of the definition. However, there is a unhappy side-effect of this procedure. There is now an additional axiom which appears at the base of the theory. (See section entitled "Status of Proofs".) In other words, when one performs a proof analysis, the big theorems you have proved are reported to depend upon a set of axioms. This set now includes all of these "axioms" which are merely definitions of temporary "names". The big result in no sense depends upon these "names". They were used as a convenience. If one would rewrite the module using LAMBDA definitions, then the same big theorems could be proved and the set of axioms it depended upon would not include these name definitions. Of course, the theorem prover may take weeks rather than minutes to prove the results. Perhaps EHDM could be extended with a new construct, say DEFINITION:

**F-ax:** DEFINITION  $f(x) = x \star x$ 

which must be of a particular restricted form.

In the User's Manual it states " EHDM currently requires a mapping for every uninterpreted type and every constant of the module being mapped." If one defines a function name to simplify the statement of a big theorem, one should not have to have to map this "temporary" function. For example, suppose the big theorem is:

big\_theorem: AXIOM x\*x + x = f(x\*x+x)g(x)

Suppose that f and g are mapped into some concrete form in a mapping module and big-theorem is proved there. What if for convenience the above axiom was written as:

h: function[int -> int]
h\_ax: AXIOM h(x) = x\*x + x
big\_theorem: AXIOM h(x) = f(h(x))g(x)

Would it be necessary to specifically "map" h down to the next level? Would "h ax" have to be proved as a theorem in the mapping module? It is not clear from the User's manual exactly what must be proved when doing hierarchical mappings.

Also the fact that axioms of one level are proved as theorems in the lower level leads to a terminology nightmare. It would be nice if a new keyword could be invented which conveyed this concept.

Improvement to Proof Instantiator

The Proof Instantiator "overlooks" some very obvious substitutions. Consider the function COUNTLOGIC (from module cnt6\_blk) listed below in full:

COUNTLOGIC: function[statevector,word6,word2 -> statevector] =
 (LAMBDA stv, loadin, func -> statevector:
 make\_triple( MULTIPLEX(INCLOGIC(count(stv),

INCCON(node(stv)) ),

loadin,

MPLXCON(node(stv)) ),

BOOLF(bit2(0,func)),

NEXINODE(node(stv),func,double(stv)) )

)

There is an axiom NEXTNODE0\_ax which will be cited as a premise:

The following lemma is to be proved:

claa: LEMMA val2(node(stv)) = 0 and val2(func) = 0 IMPLIES
 COUNTLOGIC(stv,loadin,func) =

make\_triple( MULTIPLEX(INCLOGIC(count(stv),

INCCON(node(stv)) ),

loadin, MPLXCON(node(stv)) ), BOOLF(bit2(0,func)), fetchnode)

The following proof statement does the job:

But the Instantiator will not find the instantiations! But, starting with the conclusion it is obvious that NEXTNODE is called:

NEXTNODE(node(stv),func,double(stv)) )

The only premise stated NEXTNODE0 is of the form:

NEXTNODE(nd, func, dbl) = ...

The required matchings are obvious, and would seem to be easily automated!

#### APPENDIX C

# FULL LISTING OF SPECIFICATIONS INCLUDING PROOFS

1

cnt6: MODULE USING words THEORY (\* ----- define abbreviations for 'words' types and functions ----- \*) word6: TYPE is word[6] word2: TYPE is word[2] val2: function[word2 -> int] is val[2] val6: function[word6 -> int] is val[6] mw6: function[int -> word6] is mw[6] (\* ----- define TYPE to represent state of machine ----- \*) states: TYPE (\* ------ define logic variables ----- \*) state: VAR states loadin,w: VAR word6 func: VAR word2 (\* ----- define properties of 6-bit counter ----- \*) cnt: function[states -> word6] exec\_cnt: function[states,word6,word2 -> states] ready: function[states -> bool] add1\_mod64: function[word6 -> word6] == ( LAMBDA w -> word6: IF val6(w) = 63 THEN mw6(0)ELSE mw6(val6(w)+1) END) ready\_ax: AXIOM ready(state) IMPLIES ready( exec\_cnt(state,loadin,func) ) counter\_ax: AXIOM ready(state) IMPLIES cnt(exec\_cnt(state,loadin,func)) = IF val2(func) = 0 THEN cnt(state) ELSIF val2(func) = 1 THEN loadin ELSIF val2(func) = 2 THEN add1 mod64(cnt(state)) ELSE add1 mod64(add1 mod64(cnt(state))) END

END cnt6

```
words: MODULE[N: int]
USING power2 th, divby2_th
EXPORTING word, newword, bit, assign, val, mw, mwm, valm, bool_to_int
  WITH power2 th, divby2 th
ASSUMING
  N pos: FORMULA N>0
THEORY
  word: TYPE
  k,i,ii,m,v,n,h,jj,y: VAR int
  w,w1,w2: VAR word
  a,b: VAR bool
  newword: word
  assign: function[int, bool, word -> word]
  bit: function[int, word -> bool]
  bitassign: AXIOM (i \geq 0 and i < N) IMPLIES
                      bit(i,assign(k,b,w)) =
                           ( IF \bar{k} = i THEN b ELSE bit(i,w) END )
  mw: function[int -> word]
  val: function[word -> int]
  mwm: function[int,int,int -> word]
   mwm def: AXIOM mwm(v,m,n) =
                  IF m = 0 THEN newword
                  ELSE
                     assign(n-m,BMOD2(v),mwm(DIVBY2(v),m-1,n) )
                  END
   mw def: AXIOM mw(ii) = mwm(ii,N,N)
   bool_to_int: function[bool -> int] =
                 (LAMBDA b -> int: IF b THEN 1 ELSE 0 END )
   valm: function[word,int,int -> int]
   valm_def: AXIOM valm(w,m,n) = IF m = 0 THEN 0
                                 ELSE 2*valm(w,m-1,n) + bool_to_int(bit(n-m,w))
                                 END
   val_def: AXIOM val(w) = valm(w,N,N)
                                                                       ----- *)
   (* ----- Big Theorems -----
   val_mw_thm: THEOREM ( ii >= 0 AND ii < power2(N) )</pre>
                     IMPLIES val(mw(ii)) = ii
   val_range_thm: THEOREM val(w) >= 0 and val(w) < power2(N)
```

```
val bits thm: THEOREM val(w1) = val(w2) IMPLIES
                      (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2))
  (* ----- Definition Axioms That Should Be in Proof Section ------ *)
   zfun: function[int -> bool]
   zfun ax: AXIOM zfun(n) = ((n > 0 AND n \le N AND ii >= 0 AND ii < power2(n))
                                IMPLIES valm(mwm(ii,n,n),n,n) = ii )
   vfun: function[int -> bool]
   vfun_ax: AXIOM vfun(m) = ( (m<n and m>=0 and n<=N ) IMPLIES
                                 (valm(w,m,n) = valm(assign(0,b,w),m,n)) )
   qfun: function[int -> bool]
   qfun ax: AXIOM qfun(m) =
                 ((m+1>0 \text{ and } ii>=0 \text{ and } m<n \text{ and } ii < power2(m) \text{ and } n<=N) IMPLIES
                       valm(mwm(ii,m,n),m,n) = valm(mwm(ii,m,n-1),m,n-1))
   twen: function[int->bool]
  twen ax: AXIOM twen(k) = (k>=0 AND k<N AND valm(w1,N,N) = valm(w2,N,N)</pre>
                  IMPLIES valm(w1,N-k,N)=valm(w2,N-k,N))
  weir: function[int -> bool]
  weir ax: AXIOM weir(m) = (
                        (m < n \text{ and } k > 0 \text{ and } m >= 0 \text{ and } n <= N) IMPLIES
                                (valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)))
  valpos:function[int -> bool]
  valpos_ax: AXIOM valpos(m) = (m>=0 IMPLIES valm(w,m,n) >=0)
  build: function[int->bool]
  build ax: AXIOM build(k) = (k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES
              bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N))
  copy m bits: function[int,word,word -> word]
  copy_m_bits_ax: AXIOM copy_m_bits(m,w1,w2) =
              \overline{(IF m=0 THEN w2)}
                ELSE assign(N-m,bit(N-m,w1),copy_m_bits(m-1,w1,w2)) END)
  gnu: function[int -> bool]
  gnu ax: AXIOM gnu(k) = (k>=0 AND k<m AND k+N-m>=0 IMPLIES
                bit(k+N-m,copy m bits(m,w1,w2)) = bit(k+N-m,w1))
  rang: function[int -> bool]
  rang_ax: AXIOM rang(m) = (m \ge 0 and m <= N IMPLIES valm(w,m,N)>=0 AND
                              valm(w,m,N) < power2(m) )
PROOF
        ----- val_mw_thm THEOREM -----
 val mw thm: AXIOM ( ii >= 0 AND ii < power2(N) ) IMPLIES val(mw(ii)) = ii *)</pre>
```

```
inv axiom: LEMMA ( n > 0 AND n \le N AND ii \ge 0 AND ii \le 0 power2(n) )
                     IMPLIES valm(mwm(ii,n,n),n,n) = ii
(*zfun: function[int -> bool]
 zfun_ax: AXIOM zfun(n) = ( (n > 0 AND n <= N AND ii >= 0 AND ii < power2(n) )</pre>
                              IMPLIES valm(mwm(ii,n,n),n,n) = ii )
                                                                             *)
 LO: LEMMA zfun(0)
 L1: LEMMA zfun(1)
   Lla: LEMMA ( ii >= 0 AND ii < power2(1) ) IMPLIES MOD2(ii) = ii
      L1a a: LEMMA MOD2(0) = 0
      L1a b: LEMMA MOD2(1) = 1
  L2: LEMMA zfun(m) IMPLIES zfun(m+1)
    L2a: LEMMA (m>=0 and ii>=0) IMPLIES valm(mwm(ii,m+1,m+1),m+1,m+1) =
                 2*valm(assign(0,BMOD2(ii),
                                mwm(DIVBY2(ii),m,m+1)),m,m+1)+
                 bool to int(bit(0,assign(0,BMOD2(ii),
                                       mwm(DIVBY2(ii),m,m+1))))
    L2b: LEMMA (m>=0 and m+1<=N and ii>=0) IMPLIES
        valm( assign( 0, BMOD2(ii), mwm(DIVBY2(ii),m,m+1) ) ,m,m+1) =
               valm( mwm(DIVBY2(ii),m,m+1) ,m,m+1)
      vfun: function[int -> bool]
(*
      vfun_ax: AXIOM vfun(m) = ( (m<n and m>=0 and n<=N ) IMPLIES
                                (valm(w,m,n) = valm(assign(0,b,w),m,n))) *)
      b20: LEMMA vfun(0)
      b21: LEMMA vfun(1)
      b2m: LEMMA(vfun(m) IMPLIES vfun(m+1))
      b2h: LEMMA (h>=0) IMPLIES vfun(h)
    L2c: LEMMA (m+1>0 and m+1<=N and ii>=0) IMPLIES
             valm(mwm(ii,m+1,m+1),m+1,m+1) =
                  2*valm( mwm(DIVBY2(ii),m,m+1) ,m,m+1) + MOD2(ii)
    L2d: LEMMA (m+1>0 and ii>=0 and ii < power2(m+1) and m+1<=N) IMPLIES
                          valm( mwm(DIVBY2(ii),m,m+1) ,m,m+1) =
                          valm( mwm(DIVBY2(ii),m,m) ,m,m)
      qfun: function[int -> bool]
 (*
       qfun ax: AXIOM qfun(m) =
                 ( (m+1>0 \text{ and } ii>=0 \text{ and } m<n \text{ and } ii < power2(m) \text{ and } n<=N) IMPLIES
                       valm(mwm(ii,m,n),m,n) = valm(mwm(ii,m,n-1),m,n-1))
 *)
       d20: LEMMA qfun(0)
         d20_a: LEMMA valm(mwm(ii,0,n),0,n) = valm(mwm(ii,0,n-1),0,n-1)
```

```
57
```

d2m: LEMMA(qfun(m) IMPLIES qfun(m+1)) (\* weir: function[int -> bool] weir ax: AXIOM weir(m) = ( (m<n and k>0 and m>=0 and n<=N) IMPLIES (valm(w,m,n) = valm(assign(n-m-k,b,w),m,n)) ) \*)d2m 1: LEMMA weir(0) d2m<sup>2</sup>: LEMMA weir(m) IMPLIES weir(m+1) d2m 3: LEMMA h>=0 IMPLIES weir(h) d2m\_4: LEMMA (m<n AND m>=0 AND n<=N) IMPLIES (valm(w,m,n) = valm(assign(n-m-1,b,w),m,n))d2m\_5: LEMMA n - m - 1 > 0 IMPLIES n - m - 2 >= 0 d2h: LEMMA (h>=0) IMPLIES qfun(h) L2e: LEMMA (m+1>0 and ii>=0 and m+1<=N and ii < power2(m+1)) IMPLIES valm(mwm(ii,m+1,m+1),m+1,m+1) = 2\*valm( mwm(DIVBY2(ii),m,m) ,m,m) + MOD2(ii) L2h: LEMMA (ii>=0 AND m+1 > 0 AND ii < power2(m+1)) IMPLIES (DIVBY2(ii) < power2(m)) L2i: LEMMA (m>0 AND zfun(m)) IMPLIES zfun(m+1) L3: LEMMA (m>=0) IMPLIES zfun(m) (\* ----- PROVE Statements for Val\_mw\_thm ----- \*) p\_val\_mw\_thm: PROVE val\_mw\_thm FROM inv axiom{n <- N},</pre> val\_def{w <- mwm(ii,N,N)},</pre> mw def, N pos pinv: PROVE inv\_axiom FROM L3{m <- n},</pre> zfun ax, val def{w <- mwm(ii,n,n)},</pre> mw def p\_L0: PROVE L0 FROM zfun\_ax{n <- 0}</pre> p\_L1: PROVE L1 FROM  $zfun_ax\{n <-1\}$ , valm\_def{m <- 1, n <- 1, w <- mwm(ii@P1,1,1) },</pre> valm\_def{m <- 0, n <- 1, w <- mwm(ii@P1,1,1) },</pre> mwm\_def{v <- ii@P1, m <- 1, n <- 1},</pre> bitassign{i <- 0,k <- 0,</pre> b <- BMOD2(ii@P1),</pre> w <- mwm(DIVBY2(ii@P1),0,1)},</pre> MOD2  $ax\{i \leftarrow ii@P1\}$ , N\_pos, Lla{ii <- ii@P1}

p Lla: PROVE Lla FROM Lla a, Lla b,  $MOD\overline{2} ax\{i < 0\},\$ power2  $ax\{i < -1\}$ , power2  $ax\{i < -0\}$ , Y 1{y<-ii} p Llaa: PROVE Lla a FROM BMOD2 ax  $\{i < 0\},\$ MOD2 ax{i < -0}, DIV  $ax\{i < -0\}$ p Llab: PROVE Lla b FROM BMOD2 ax  $\{i < -1\}, MOD2 ax \{i < -1\}, MO$ DIV  $ax\{i < -1\}$ p L2: PROVE L2 FROM  $zfun_ax\{n < -m\}, zfun_ax\{n < -m+1\}, L1, L2i, zfun_ax\{n < -1\}$ p L2a: PROVE L2a FROM valm def{w <- mwm(ii,m+1,m+1), m <- m+1, n <- m+1},  $mwm def\{v < -ii, m < -m+1, n < -m+1\},\$ bitassign{i <- 0, k <- 0, b <- BMOD2(ii),</pre>  $w \leftarrow mwm(DIVBY2(ii),0,1)$ N\_pos p L2b: PROVE L2b FROM  $b2h\{h < -m\}$ , vfun  $ax\{m <-m, n <-m+1, b <-BMOD2(ii),$ w <-mwm(DIVBY2(ii),m,m+1)p b20: PROVE b20 FROM vfun ax  $\{m < -0\}$ , valm def{m <- 0}, valm def{m <- 0,w <- assign(0,b@p1,w)}</pre> p b21: PROVE b21 FROM vfun ax  $\{m < -1\}$ , valm def{m <-1}, valm\_def{m <- 1,w <- assign(0,b@p1,w)},</pre> valm def{m <- 0}, valm\_def{m <- 0,w <- assign(0,b@p1,w)},</pre> bitassign{i <- (n@p1-1),k <- 0}</pre> p b2m: PROVE b2m FROM vfun ax, vfun  $ax\{m < -m+1\}$ , valm def{m <- m+1},</pre> valm def{m <- m+1, w <- assign(0,b@p1,w)},</pre>  $bitassign{i <- n@p1-m-1, k<- 0}$ p b2h: PROVE b2h FROM b20, b2m{m<-d1@p3}, int induction{p <- vfun,</pre> d2 < - h@Cp L2c: PROVE L2c FROM L2a, L2b, bitassign{i <- 0, k <- 0,b <- BMOD2(ii),</pre>  $w \leftarrow mwm(DIVBY2(ii),m,m+1)$ , MOD2  $ax\{i < -ii\},\$ N pos

```
p_L2d: PROVE L2d FROM d2h{h <- m},</pre>
                        qfun ax{ii <- DIVBY2(ii@C),n<-m+1},
                        L2h{Ii<-ii@C},DIVBY2g0{ii<-ii@C}
   p_d20_a: PROVE d20_a FROM valm_def{w<- mwm(ii,0,n),m<-0},</pre>
                               valm def{w<- mwm(ii,0,n-1),m<-0,n<-n-1}</pre>
  p_d20: PROVE d20 FROM power2 ax{i<-0},</pre>
         qfun ax \{m < -0\},
         d20 \overline{a}
  p d2m 5: PROVE d2m 5
  p d2m: PROVE d2m FROM
         qfun ax,
         qfun ax\{m < -m+1\},
         valm_def{w<-mwm(ii@P1,m+1,n@P1),m <- m+1},</pre>
         valm_def{w<-mwm(ii@P1,m+1,n@P1-1),m <- m+1,n<-n@P1-1},
         mwm def{v<-ii@P1,m<-m+1},</pre>
         mwm_def{v<-ii@P1,m<-m+1,n<-n@P1-1},
         L2h{ii<-ii@P1},DIVBY2g0{ii<-ii@P1},
         d2m_4\{w < -mwm(DIVBY2(ii@P1), m, n), b < -BMOD2(ii@P1)\},
         qfun ax{ii<-DIVBY2(ii@P1)},
        d2m_{4} = 4 (w<-mwm(DIVBY2(ii@P1),m,n),b<-BMOD2(ii@P1),
              n < -n(P_{1-1}),
        bitassign{i<-n@P1-m-1,k<-n@P1-m-1,b<- BMOD2(ii@P1),</pre>
                    w<- mwm(DIVBY2(ii@P1),m,n@P1)},</pre>
        bitassign{i<-n@P1-m-2,k<-n@P1-m-2,b<- BMOD2(ii@P1),</pre>
                   w<- mwm(DIVBY2(ii@P1),m,n@P1-1)
                                                           },
        d2m 5
   p_d2m_1: PROVE d2m_1 FROM weir_ax{m<-0}, valm def{m<-0},</pre>
                   valm_def{w<-assign(n-m-k@P1,b@P1,w),m<-0}
   p d2m 2: PROVE d2m 2 FROM weir ax,
                                valm def(w<-assign(n-m-1-k@P1,b@P1,w),</pre>
                                              m < -m + 1},
                                weir ax{m<-m+1,k<-k@P1,b<-b@P1},
                                valm def{m<-m+1},</pre>
                                weir ax{k<-k@P1+1,b<-b@P1},
                                bitassign(i<-n@P1-m-1,</pre>
                                               k < -n@P1-m-1-k@P1, b < -b@P1
   p d2m 3:PROVE d2m 3 FROM d2m 1,
                               d2m 2\{m < -d1@p3\},
                               int_induction{p <- weir,</pre>
                                              d2 < - h@C
  p_d2m_4: PROVE d2m_4 FROM d2m_3{h<-m},weir_ax{m<-m@C,k<-1}
```

p d2h: PROVE d2h FROM d20,  $d2m\{m < -d1@p3\},$ int induction{p <- qfun,</pre>  $d2 \leftarrow h@C$ p L2e: PROVE L2e FROM L2c, L2d p L2h: PROVE L2h FROM power2  $ax\{i < -m+1\}$ , DIVBY2x2 p L2i: PROVE L2i FROM zfun ax  $\{n \le m + 1, ii \le power2(m@CS + 1)\}$ , L2e {ii <- ii@P1},  $z f u x \{n < -m, ii < -DIVBY2(ii@P1)\},$ DIV MOD thm,  $DIV\overline{B}Y2g\overline{O}$  {ii <- ii@P1}, L2h {ii <- ii@P1} p L3: PROVE L3 FROM L0, L2{m<-d1@p3}, int induction{p <- zfun,</pre> d2 <- m@C,  $z f u a x \{n < -m+1\},$  $zfun ax\{n < -m\}$ (\* ------ val bits thm THEOREM -----val bits thm: THEOREM val(w1) = val(w2) IMPLIES (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2)) \*) Subwords: THEOREM val(w1) = val(w2) IMPLIES (FORALL m:  $0 \le M$  AND  $m \le N$  IMPLIES valm(w1, m, N) = valm(w2, m, N)) (\* twen: function[int->bool] twen ax: AXIOM twen(k) =  $(k \ge 0 \text{ AND } k \le N \text{ AND } valm(w1, N, N) = valm(w2, N, N)$ IMPLIES valm(w1,N-k,N)=valm(w2,N-k,N)) \*) tw0: LEMMA twen(0) twk: LEMMA twen(k) IMPLIES twen(k+1) twh: LEMMA h>=0 IMPLIES twen(h) T1: LEMMA m>0 AND valm(w1,m,N) = valm(w2,m,N) IMPLIES valm(w1,m-1,N) = valm(w2,m-1,N)T1corol: LEMMA m>0 AND valm(w1,m,N) = valm(w2,m,N) IMPLIES bool to int(bit(N-m,w1))=bool to int(bit(N-m,w2)) V1: LEMMA m>0 IMPLIES DIVBY2(valm(w,m,N)) = valm(w,m-1,N) (\* valpos:function[int -> bool] valpos ax: AXIOM valpos(m) = (m>=0 IMPLIES valm(w,m,n) >=0) \*) val0: LEMMA valpos(0) valm step: LEMMA valpos(m) IMPLIES valpos(m+1) valh: LEMMA h>=0 IMPLIES valpos(h)

valpos result: LEMMA m>=0 IMPLIES valm(w,m,n)>=0 (\* ----- Proof of val\_bits\_thm Theorem ------ \*) p\_val\_bits\_thm: PROVE val\_bits\_thm FROM Subwords{m<-N-m@C},</pre>  $T1corol\{m < -N-m@C\}$ p\_Subwords: PROVE Subwords FROM twh{h<-N-m@C}, twen\_ax{k<-N-m@C}, val def{w<-w1},val def{w<-w2}</pre> p\_val0: PROVE val0 FROM valm\_def{m<-0},valpos\_ax{m<-0}</pre> p valm: PROVE valm step FROM valm def{m<-m@C+1},</pre> val0,valpos ax{m<-m@C},valpos ax{m<-m@C+1}</pre> p valh: PROVE valh FROM val0,valm step{m<-d1@P3},</pre> int induction {p<-valpos,d2<-h@c} p\_valpos: PROVE valpos\_result FROM valh{h<-m@C},valpos ax{m<-m@C}</pre> p V1: PROVE V1 FROM valm def{w<-w@C,m<-m@C,n<-N}, valpos result{m <- m-1, n<-N},</pre> valm  $def\{w < -w@C, m < -0, n < -N\}$ , DIV doub{ii <- valm(w,m-1,N)} p\_T1: PROVE T1 FROM V1{w<-w1@C},V1{w<-w2@C}</pre> p\_T1corol: PROVE T1corol FROM T1,valm\_def{w<-w1,n<-N},</pre> valm def{w<-w2,n<-N} p tw0: PROVE tw0 FROM twen  $ax\{k \le 0\}$ p\_twk: PROVE twk FROM tw0, twen\_ax, twen\_ax{k<-k+1}, T1{m<-N-k}</pre> p\_twh: PROVE twh FROM tw0,twk{k<-d1@P3},int\_induction{p<-twen,d2<-h@C}</pre> (\* ----- Bits enuf THEOREM ----- \*) Bits enuf: THEOREM (FORALL m: m>=0 AND m<N IMPLIES bit(m,w1)=bit(m,w2)) IMPLIES val(w1)=val(w2) Build: LEMMA k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N) build: function[int->bool] build\_ax: AXIOM build(k) = (k>=0 AND (FORALL m: m>=N-k AND m<N IMPLIES bit(m,w1)=bit(m,w2)) IMPLIES valm(w1,k,N) = valm(w2,k,N)) \*) bld0: LEMMA build(0) bldk: LEMMA build(k) IMPLIES build(k+1)

(\*

# bldh: LEMMA h>=0 IMPLIES build(h)

(\* ----- Proof of Bits\_enuf Theorem ------ \*) p Bits: PROVE Bits\_enuf{m<-m@P1} FROM Build{k<-N},val\_def{w<-w1},</pre> val def{w<-w2}, N pos p Build: PROVE Build{m<-m@P2} FROM bldh{h<-k@C}, build ax{k<-k@C} p bld0: PROVE bld0 FROM build\_ax{k<-0},valm\_def{w<-w1@P1,m<-0,n<-N},</pre> valm  $\overline{def}\{w < -w2@P1, m < -0, n < -N\}$ p bldk: PROVE bldk FROM bld0, build\_ax, build\_ax{k<-k@P2+1,m<-m@P2},</pre> valm def{w<-w1@P2,m<-k@P2+1,n<-N}, valm\_def{w<-w2@P2,m<-k@P2+1,n<-N}, build  $ax\{k < -k@P2+1, m < -N-k@P2-1\}$ p bldh: PROVE bldh FROM bld0, bldk {k <- d1@P3},</pre> int induction{p<-build,d2<-h@C}</pre> (\* ----- Copy\_word\_thm THEOREM ----- \*) (\* copy\_m\_bits: function[int,word,word -> word] copy m bits\_ax: AXIOM copy m bits(m,w1,w2) = ( IF m=0 THEN w2 ELSE assign(N-m,bit(N-m,w1),copy\_m\_bits(m-1,w1,w2)) END) \*) copy: function[word -> word] = (LAMBDA w1 -> word: copy\_m\_bits(N,w1,newword) ) Copy word thm: THEOREM k>=0 AND k<N IMPLIES bit(k,copy(w1)) = bit(k,w1) gnu: function[int -> bool] (\* gnu\_ax: AXIOM gnu(k) = (k>=0 AND k<m AND k+N-m>=0 IMPLIES bit(k+N-m,copy\_m\_bits(m,w1,w2)) = bit(k+N-m,w1)) \*) gnu0: LEMMA gnu(0) gnuk: LEMMA gnu(k) IMPLIES gnu(k+1) qnuh: LEMMA h>=0 IMPLIES gnu(h) gnu lemma: LEMMA k>=0 AND k<m AND k+N-m>=0 IMPLIES bit(k+N-m,copy m bits(m,w1,w2)) = bit(k+N-m,w1) (\* ----- Proof of Copy\_word\_thm ----- \*) p\_gnu\_lemma: PROVE gnu\_lemma FROM gnuh{h<-k@C},gnu\_ax</pre>

p\_Copy\_word\_thm: PROVE Copy\_word\_thm FROM gnu\_lemma{m<-N, w2 <- newword} p\_gnu0: PROVE gnu0 FROM gnu\_ax{k<-0},copy\_m\_bits\_ax,</pre> bitassign{i<-N-m@P1, k<-N-m@P1,b<-bit(N-m@P1,w1@P1), w<-copy\_m\_bits(m@P1-1,w1@P1,w2@P1)} p gnuk: PROVE gnuk FROM gnu0, gnu\_ax, gnu\_ax{k<-k+1}, gnu\_ax{m<-m@P2-1}, copy m bits ax, bitassIgn{i<-k+1+N-m@P2,k<-N-m@P2, b<-bit(N-m@P2,w1@P2),</pre> w<-copy\_m bits(m@P2-1,w1@P2,w2@P2)}</pre> p gnuh: PROVE gnuh FROM gnu0, gnuk {k<-d1@P3}, int\_induction{p<-gnu,d2<-h@C} ------ val\_range\_thm THEOREM ------(\* \_\_\_\_\_ val range thm: THEOREM val(w) >= 0 and val(w) < power2(N) \*) (\* rang: function[int -> bool] rang\_ax: AXIOM rang(m) =  $(m \ge 0$  and m <= N IMPLIES valm(w,m,N)>=0 AND valm(w,m,N) < power2(m) )</pre> \*) rang0: LEMMA rang(0) lrana: LEMMA m>=0 AND valm(w,m,N) < power2(m) IMPLIES</pre> 2\*valm(w,m,N) + bool\_to\_int(bit(N-m-1,w)) < 2\*power2(m)</pre> lranb: LEMMA m>=0 and valm(w,m,N) >=0 IMPLIES 2\*valm(w,m,N) + bool to int(bit(N-m-1,w))>=0 rangm: LEMMA rang(m) IMPLIES rang(m+1) rangh: LEMMA h>=0 IMPLIES rang(h) valm range: THEOREM m>=0 and m<=N IMPLIES valm(w,m,N)>=0 AND valm(w,m,N) < power2(m)(\* ----- Proof of Val\_range\_thm ----- \*) p\_val\_range: PROVE val\_range\_thm FROM valm\_range{m<-N},</pre> val def,N pos p\_rang0: PROVE rang0 FROM rang\_ax{m<-0},valm\_def{w<-w@P1,m<-0,n<-N},</pre> N pos, power2  $ax{i < -0}$ p lrana: PROVE lrana FROM N pos plranb: PROVE lranb

```
p rangm: PROVE rangm FROM rang0, rang ax, rang ax{m<-m+1},
                                valm def{w<-w@P2,m<-m@C+1,n<-N},
                                power2 ax{i<-m@C+1},lrana,lranb</pre>
     p rangh: PROVE rangh FROM rang0, rangm{m<-d10P3},
                                 int induction{p<-rang,d2<-h@C}</pre>
     p valm range: PROVE valm range FROM rangh{h<-m@C}, rang_ax
END words
power2 th: MODULE
USING int inductions
EXPORTING power2
THEORY
   x: VAR bool
   y,m,i,ii,h: VAR int
   power2: function[int -> int]
   power2 ax: AXIOM power2(i) = IF i=0 THEN 1 ELSE 2*power2(i-1) END
   pow eq: THEOREM (y \ge 0) IMPLIES (power2(y) \ge 0)
   pow gr: THEOREM (y>=0) IMPLIES (power2(y+1) >= power2(y))
     xpow: function[int -> bool]
     xpow_ax: AXIOM xpow(m) = (power2(m) >= 0)
     xp0: LEMMA xpow(0)
     xpm: LEMMA (xpow(m) IMPLIES xpow(m+1))
     xph: LEMMA (FORALL h: (h>=0 IMPLIES xpow(h)))
    G 0: THEOREM y \ge 0 IMPLIES 2*y \ge 0
    G 1: THEOREM y \ge 0 IMPLIES 2 + y + 1 \ge 0
PROOF
  p pow eg: PROVE pow_eg FROM xpow_ax{m<-y},
                                xph{h < -y}
  p pow_gr: PROVE pow_gr FROM
                         G 0, pow_eg, power2_ax{i <-y+1}
    p xp0: PROVE xp0 FROM power2 ax{i<- 0}, xpow ax{m<-0}</pre>
    p xpm: PROVE xpm FROM
                 xpow ax,
                 xpow ax\{m < -m+1\},
                 power2 ax\{i < -m+1\},
                 G 0{y < -power2(m)}
```

```
p xph: PROVE xph FROM xp0,
                          xpm{m<-d1@p3},</pre>
                          int induction{p <- xpow,</pre>
                                         d2 \leftarrow h@C
  p GO: PROVE G 0
  p Gl: PROVE G 1
END power2 th
divby2 th: MODULE
USING int_inductions,power2_th,ineq_cases
EXPORTING DIVBY2, MOD2, BMOD2
THEORY
 b: VAR bool
 y,m,i,ii,h: VAR int
 DIVBY2: function[int -> int]
 DIV_ax: AXIOM DIVBY2(i) = IF i >= 2 THEN 1 + DIVBY2(i-2)
                             ELSE IF i \leq -2 THEN -DIVBY2(-i)
                             ELSE 0 END END
 BMOD2: function [int -> bool]
 BMOD2 ax: AXIOM BMOD2(i) = (2*DIVBY2(i) = i)
 MOD2: function [int -> int]
 MOD2_ax: AXIOM MOD2(i) = IF BMOD2(i) THEN 1 ELSE 0 END
 B0: LEMMA BMOD2(0) = false
 B1: LEMMA BMOD2(1) = true
 Balt: THEOREM h \ge 0 IMPLIES BMOD2(h) = NOT BMOD2(h+1)
   alt: function[int -> bool]
   alt_ax: AXIOM alt(ii) = (ii >= 0 IMPLIES BMOD2(ii) = NOT BMOD2(ii+1))
   alto: LEMMA alt(0)
   alt1: LEMMA alt(1)
   altm: LEMMA alt(m) IMPLIES alt(m+2)
   alth: LEMMA h>=0 IMPLIES alt(h)
Even: LEMMA ii>=0 IMPLIES NOT BMOD2(2*ii)
Even MOD: LEMMA ii \ge 0 IMPLIES MOD2(2*ii) = 0
  kill: function[int -> bool]
  kill ax: AXIOM kill(ii) =( ii>=0 IMPLIES NOT BMOD2(2*ii))
  killo: LEMMA kill(0)
```

\_\_\_\_

```
killm: LEMMA kill(m) IMPLIES kill(m+1)
          killh: LEMMA h>=0 IMPLIES kill(h)
  Odd MOD: LEMMA ii>=0 IMPLIES MOD2(2*ii+1) = 1
     DIVBY2x2: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii) <= ii
                   ifun: function[int -> bool]
                   ifun ax: AXIOM ifun(ii) = (ii>=0 IMPLIES 2*DIVBY2(ii) <= ii)</pre>
                   if0: LEMMA ifun(0)
                   if1: LEMMA ifun(1)
                   ifm: LEMMA ifun(m) IMPLIES ifun(m+2)
                   ifh: LEMMA (h>= 0 ) IMPLIES ifun(h)
    DIVBY2x2p1: LEMMA (ii >= 0) IMPLIES 2*DIVBY2(ii)+1 >= ii
                   tfun: function[int -> bool]
                   tfun ax: AXIOM tfun(ii) = (ii>=0 IMPLIES 2*DIVBY2(ii)+1 >= ii)
                   tf0: LEMMA tfun(0)
                   tfl: LEMMA tfun(1)
                   tfm: LEMMA tfun(m) IMPLIES tfun(m+2)
                   tfh: LEMMA (h>= 0 ) IMPLIES tfun(h)
     DIV MOD_thm: LEMMA ii>=0 IMPLIES 2*DIVBY2(ii) + MOD2(ii) = ii
                Pre2f: LEMMA ii>=0 IMPLIES (2*DIVBY2(ii) = ii OR 2*DIVBY2(ii) + 1 = ii)
     DIVBY2g0: LEMMA (ii >= 0) IMPLIES (DIVBY2(ii) >= 0)
     DIV doub: LEMMA (ii >= 0 IMPLIES DIVBY2(2*ii) = ii) AND
                                                  (ii \ge 0 \text{ IMPLIES DIVBY2}(2*ii+1) = ii)
     MODO 0: LEMMA MOD2(0) = 0
     MOD1 1: LEMMA MOD2(1) = 1
PROOF
     p MOD0 0: PROVE MOD0 0 FROM BMOD2 ax \{i < -0\},\
                                                                                    MOD2 \overline{ax}\{i < -0\},\
                                                                                      DIV ax{i <- 0}
     p MOD1 1: PROVE MOD1 1 FROM BMOD2 ax \{i < -1\}, MOD2 ax\{i < -1\}, MOD2 ax\{
                                                                                      DIV ax\{i < -1\}
     p B0: PROVE B0 FROM BMOD2 ax\{i < -0\}, DIV ax\{i < -0\}
     p B1: PROVE B1 FROM BMOD2 ax\{i < -1\}, DIV ax\{i < -1\}
     p Balt: PROVE Balt FROM alth{h<-h@C},alt ax{ii<-h@C}</pre>
```

67

palt0: PROVE alt0 FROM alt ax{ii<-0},B0,B1</pre> palt1: PROVE alt1 FROM alt\_ax{ii<-1},B0,B1,</pre>  $BMOD2_ax\{i < -2\}, BMOD2_ax\{i < -1\}, DIV_ax\{i < -1\},$  $DIV_ax{i<-2}, DIV_ax{i<-0}$ paltm: PROVE altm FROM alt\_ax{ii<-m@C},alt\_ax{ii<-m@C+2},BMOD2\_ax{i<-m},</pre>  $alt0, \overline{alt1}, BMOD2_ax\{i < -m+1\}, BMOD2_ax\{i < -m+2\},$  $BMOD2_ax\{i < -m+3\}, DIV_ax\{i < -m+2\}, \overline{D}IV_ax\{i < -m+3\}$ palth: PROVE alth FROM alt0, alt1, altm{m<-d1@P4}, int induct by 2{p<-alt,d2<-h@C} p\_Even: PROVE Even FROM killh{h<-ii@C},kill\_ax{ii<-ii@C}</pre> p\_Even\_MOD: PROVE Even\_MOD FROM Even{ii<-ii@C},MOD2\_ax{i<-2\*(ii@C)}</pre> p Odd MOD: PROVE Odd MOD FROM MOD2 ax{i<-2\*ii@C+1},Balt{h<-2\*ii@C}, Even{ii<-ii@C} pDIVBY2x2: PROVE DIVBY2x2 FROM ifh{h<-ii}, ifun ax pif0: PROVE if0 FROM ifun\_ax{ii<-0}, DIV\_ax{i<-0} pif1: PROVE if1 FROM ifun\_ax{ii<-1}, DIV\_ax{i<-1} pifm: PROVE ifm FROM ifun\_ax{ii<-m}, ifun\_ax{ii<- (m+2)}, DIV  $ax\{i < (m+2)\}$ pifh: PROVE ifh FROM if0, if1, ifm{m<-d1@P4}, int induct by 2{p<-ifun,d2<-h@C}</pre> pDIVBY2x2p1: PROVE DIVBY2x2p1 FROM tfh{h<-ii},tfun\_ax ptf0: PROVE tf0 FROM tfun\_ax{ii<-0}, DIV\_ax{i<-0} ptf1: PROVE tf1 FROM tfun\_ax{ii<-1}, DIV\_ax{i<-1} ptfm: PROVE tfm FROM tfun\_ax{ii<-m}, tfun\_ax{ii<- (m+2)},</pre> DIV  $\overline{ax}\{i < -(m+2)\}$ ptfh: PROVE tfh FROM tf0, tf1, tfm{m<-d10P4}, int\_induct by 2{p<-tfun,d2<-h@C}</pre> p\_DIVBY2g0: PROVE DIVBY2g0 FROM DIVBY2x2p1 p\_doub: PROVE DIV\_doub FROM Even\_MOD{ii<-ii@C}, Odd\_MOD{ii<-ii@C},  $G_0{\overline{y}}{-ii}@C$ ,  $G_1{\overline{y}}{-ii}@C$ , DIV\_MOD\_thm{ii<-2\*ii@C},DIV\_MOD\_thm{ii<-2\*ii@C+1} p\_DIV\_MOD\_thm: PROVE\_DIV\_MOD\_thm\_FROM\_Pre2f,MOD2\_ax{i<-ii},  $BMOD2ax{i <-ii}$ p pre2f: PROVE Pre2f FROM DIVBY2x2,DIVBY2x2p1, Y 1{y<-2\*DIVBY2(ii) - ii +1} END divby2 th

cnt6 fa: MODULE

(\* -----This module provides a more detailed view of the 6-bit counter function \*counter\* defined in the module cnt6. These module defines the counter as a finite state automata with the following states: fetchnode inclnode inc2node loadnode The state transitions are performed by the function NEXT. \_\_\_\_\* ) MAPPING cnt6 ONTO words, triples[word[6],bool,word[2]],bsignal (\* ----- create some abbreviations ----- \*) THEORY word2: TYPE is word[2] word6: TYPE is word[6] mw2: function[int -> word2] is mw[2] mw6: function[int -> word6] is mw[6] val2: function[word2 -> int] is val[2] val6: function[word6 -> int] is val[6] bit2: function[int, word2 -> signalval] is bit[2] statevector: TYPE is triple count: function[statevector -> word6] is first double: function[statevector -> bool] is second node: function[statevector -> word2] is third BOOLF: function[signalval -> bool] is signal\_to\_bool (\* ----- define logic constants ----- \*) fetchnode: word2 = mw2(0)inclnode: word2 = mw2(1)inc2node: word2 = mw2(2)loadnode: word2 = mw2(3)undef svt: statevector (\* ------ define logic variables ----- \*) svt: VAR statevector ct, ldn, w: VAR word6 fn: VAR word2 dbl,b: VAR bool (\* ----- define functions ----- \*)

هی هند هی بند چو نبه هی خط به خبر چو هم هم به به به خبر

```
ADD1: function[word6 -> word6] ==
           (LAMBDA w -> word6:
              IF val6(w) = 63 THEN mw6(0) ELSE mw6(val6(w)+1)
              END)
   INC1: function[word6,bool,word6,word2 -> statevector]
   INC1_ax: AXIOM INC1(ct, dbl, ldn, fn) =
                IF dbl THEN
                  make_triple(ADD1(ct),BOOLF(bit2(0,fn)),inc2node)
               ELSE
                  make_triple(ADD1(ct),BOOLF(bit2(0,fn)),fetchnode)
               END
  INC2: function[word6,bool,word6,word2 -> statevector]
  INC2_ax: AXIOM INC2(ct, dbl, ldn, fn) =
                  make_triple( ADD1(ct),BOOLF(bit2(0,fn)),fetchnode)
  LOAD: function[word6,bool,word6,word2 -> statevector]
  LOAD ax: AXIOM LOAD(ct, dbl, ldn, fn) =
                 make triple(ldn,BOOLF(bit2(0,fn)),fetchnode)
 FETCH: function[word6,bool,word6,word2 -> statevector]
 FETCH_ax: AXIOM FETCH(ct, dbl, ldn, fn)=
              IF val2(fn) = 0 THEN
                 make triple(ct,BOOLF(bit2(0,fn)),fetchnode)
              ELSIF val2(fn) = 1 THEN
                 make triple(ct,BOOLF(bit2(0,fn)),loadnode)
              ELSE
                 make_triple(ct,BOOLF(bit2(0,fn)),inclnode)
              END
 NEXT: function[statevector,word6,word2 -> statevector]
 (* ___.
 NEXT ax: AXIOM NEXT(svt,ldn,fn) =
                   IF val2(node(svt)) = 0 THEN
                      FETCH(count(svt),double(svt),ldn,fn)
                   ELSIF val2(node(svt)) = 1 THEN
                      INC1(count(svt),double(svt),ldn,fn)
                  ELSIF val2(node(svt)) = 2 THEN
                     INC2(count(svt),double(svt),ldn,fn)
                  ELSIF val2(node(svt)) = 3 THEN
                     LOAD(count(svt),double(svt),ldn,fn)
                  ELSE
                     undef svt
                  END
                            ----- *)
NEXTO_ax: AXIOM val2(node(svt)) = 0 IMPLIES
              NEXT(svt,ldn,fn) = FETCH(count(svt),double(svt),ldn,fn)
NEXT1 ax: AXIOM val2(node(svt)) = 1 IMPLIES
              NEXT(svt,ldn,fn) = INC1(count(svt),double(svt),ldn,fn)
```

NEXT2 ax: AXIOM val2(node(svt)) = 2 IMPLIES NEXT(svt,ldn,fn) = INC2(count(svt),double(svt),ldn,fn) NEXT3 ax: AXIOM val2(node(svt)) = 3 IMPLIES NEXT(svt,ldn,fn) = LOAD(count(svt),double(svt),ldn,fn) Finite automata: function[statevector,word6,word2 -> statevector] = (LAMBDA svt, ldn, fn -> statevector: IF val2(fn) = 0 THEN NEXT(svt,ldn,fn) ELSIF val2(fn) = 3 THEN NEXT(NEXT( NEXT(svt,ldn,fn), ldn,fn ), ldn,fn ) ELSE NEXT( NEXT(svt,ldn,fn), ldn,fn ) END) (\* ----- Mapping to Top Level Spec in Module cnt6 ----- \*) cnt6.states: TYPE FROM statevector cnt6.cnt: function[statevector -> word6] is count cnt6.exec\_cnt: function[statevector,word6,word2 -> statevector] is Finite automata cnt6.ready: function[statevector -> bool] = (LAMBDA svt -> bool: node(svt) = fetchnode ) (\* -----\*) st, state: VAR states loadin, ld: VAR word6 func: VAR word2 y,m: VAR int (\* ----- LEMMAs needed to prove counter ax ----- \*) q1: LEMMA power2(2) = 4g2: LEMMA val2(fn) = 0 or val2(fn) = 1 or val2(fn) = 2 or val2(fn) = 3g2a: THEOREM (y >= 0 AND y < m) IMPLIES ((y >= 0 AND y < m-1) OR (y=m-1)) g3: LEMMA bit2(0,fn) = BMOD2(val2(fn)) stb1: LEMMA ready(st) IMPLIES val2(node(st)) = 0 cnt 0: LEMMA ready(state) and val2(func) = 0 IMPLIES cnt(exec\_cnt(state,loadin,func)) = cnt(state) AND ready(exec\_cnt(state,loadin,func))

```
71
```

1

cnt 1: LEMMA ready(state) and val2(func) = 1 IMPLIES cnt(exec\_cnt(state,loadin,func)) = loadin AND ready(exec\_cnt(state,loadin,func)) cnt\_2: LEMMA ready(state) and val2(func) = 2 IMPLIES cnt(exec\_cnt(state,loadin,func)) = add1 mod64(cnt(state)) AND ready(exec\_cnt(state,loadin,func)) cnt\_3: LEMMA ready(state) and val2(func) = 3 IMPLIES cnt(exec\_cnt(state,loadin,func)) = add1 mod64(add1\_mod64(cnt(state))) AND ready(exec\_cnt(state,loadin,func)) (\* ----- LEMMAs needed to prove cnt\_1 ----- \*) cla: LEMMA ready(st) and val2(fn) = 1 IMPLIES exec cnt(st,ld,fn) = NEXT( FETCH(cnt(st),double(st),ld,fn), ld,fn ) clb: LEMMA val2(fn) = 1 IMPLIES NEXT( FETCH(cnt(st),double(st),ld,fn), ld,fn ) = LOAD( cnt(st), BOOLF(bit2(0,fn)), ld,fn) (\* ----- LEMMAs needed to prove cnt 2 ----- \*) c2a: LEMMA ready(st) and val2(fn) = 2 IMPLIES exec cnt(st, ld, fn) =NEXT( FETCH(cnt(st),double(st),ld,fn), ld,fn) c2b: LEMMA ready(st) and val2(fn) = 2 IMPLIES NEXT( FETCH(cnt(st),double(st),ld,fn), ld,fn) = NEXT( make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), ld,fn) c2c: LEMMA ready(st) and val2(fn) = 2 IMPLIES NEXT( make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode), ld,fn) = INCl(cnt(make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode) ), double(make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), ld,fn) c2d: LEMMA ready(st) and val2(fn) = 2 IMPLIES INC1(cnt(make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode) ), double(make\_triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), ld,fn) INC1(cnt(st),BOOLF(bit2(0,fn)),ld,fn) c2e: LEMMA val2(fn) = 2 IMPLIES NOT BOOLF(bit2(0,fn)) c2f: LEMMA ready(st) and val2(fn) = 2 IMPLIES INCl(cnt(st),BOOLF(bit2(0,fn)),ld,fn) = make triple(ADD1(cnt(st)),BOOLF(bit2(0,fn)),fetchnode) (\* ----- LEMMAs needed to prove cnt\_3 ----- \*)

c3a: LEMMA ready(st) and val2(fn) = 3 IMPLIES exec cnt(st,ld,fn) = NEXT(NEXT(NEXT(st,ld,fn),ld,fn),ld,fn) c3b: LEMMA ready(st) and val2(fn) = 3 IMPLIES NEXT(NEXT(NEXT(st,ld,fn),ld,fn),ld,fn) = NEXT(NEXT(FETCH(cnt(st),double(st),ld,fn),ld,fn),ld,fn) c3c: LEMMA ready(st) and val2(fn)=3 IMPLIES NEXT(NEXT(FETCH(cnt(st),double(st),ld,fn),ld,fn),ld,fn) = NEXT(NEXT(make triple(cnt(st), BOOLF(bit2(0,fn)),inclnode), ld,fn),ld,fn) c3d: LEMMA ready(st) and val2(fn) = 3 IMPLIES NEXT(NEXT(make triple(cnt(st), BOOLF(bit2(0, fn)), inclnode),  $\mathrm{Id},\mathrm{fn}$ ,  $\mathrm{Id},\mathrm{fn}$ )= NEXT(INC1(cnt(make triple(cnt(st), BOOLF(bit2(0,fn)),inclnode)), double(make triple(cnt(st),  $BOOLF(bit2(\overline{0}, fn)),$ inclnode)), ld,fn),ld,fn) c3e: LEMMA ready(st) and val2(fn) = 3 IMPLIES NEXT(INCl(cnt(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), double(make triple(cnt(st),BOOLF(bit2(0,fn)),inclnode)), ld,fn,ld,fn) = NEXT(make triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node), Id, fn) c3f: LEMMA ready(st) and val2(fn) = 3 IMPLIES NEXT(make triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)),inc2node),ld,fn) = INC2(cnt(make triple(ADD1(cnt(st)), BOOLF(bit2(0,fn)), inc2node)), double(make triple(ADD1(cnt(st)),BOOLF(bit2(0,fn)), inc2node)),ld,fn) c3g: LEMMA ready(st) and val2(fn) = 3 IMPLIES INC2(cnt(make triple(ADD1(cnt(st)),BOOLF(bit2(0,fn)),inc2node)), double(make triple(ADD1(cnt(st)),BOOLF(bit2(0,fn)), inc2node)), ld, fn) =INC2(ADD1(cnt(st)),BOOLF(bit2(0,fn)),ld,fn) c3h: LEMMA ready(st) and val2(fn) = 3 IMPLIES INC2(ADD1(cnt(st)),BOOLF(bit2(0,fn)),ld,fn)= make triple(ADD1(ADD1(cnt(st))),BOOLF(bit2(0,fn)),fetchnode) c3n: LEMMA val2(inclnode) = 1 c3p: LEMMA val2(fn) = 3 IMPLIES BOOLF(bit2(0,fn))

## PROOF

p assuming1: PROVE words[2].N pos p counter ax: PROVE counter ax FROM cnt\_0{func <- func@C,loadin <- loadin@C},</pre> cnt 1{func <- func@C,loadin <- loadin@C},</pre> cnt<sup>2</sup>{func <- func@C,loadin <- loadin@C},</pre> cnt 3{func <- func@C,loadin <- loadin@C},</pre>  $q_{\frac{1}{n} < - func_{\frac{1}{n}}$ val range thm[2]{w <- func@C}</pre> p ready ax: PROVE ready ax FROM cnt 0{func <- func@C,loadin <- loadin@C}, cnt 1{func <- func@C,loadin <- loadin@C},</pre> cnt\_2{func <- func@C,loadin <- loadin@C},</pre> cnt 3{func <- func@C,loadin <- loadin@C},</pre>  $g_{\{fn < - func@c\}}$ val range thm[2]{w <- func@C}</pre> p g1: PROVE g1 FROM power2  $ax\{i < -2\}$ , power2  $ax\{i < -1\}$ ,  $power2ax{i <- 0}$ p g2: PROVE g2 FROM g1, val range thm[2]{w <- fn@C},</pre>  $g_{2a}\{y < -val_{2(f_n)}, m < -4\},\$  $g_{2a}\{y < -val_{2}(f_{n}), m < -3\},$  $g_{2a}\{y \leftarrow val_{2}(f_{n}), m \leftarrow 2\},\$  $g_{2a}\{y < -val_{2}(f_{n}), m < -1\}$ p g2a: PROVE g2a p g3: PROVE g3 FROM val mw thm[2]{ii <- val2(fn)}, g1, val range thm[2]{w <- fn},</pre> val bits thm[2]{w1 <- fn, m <- 0,</pre> w2 <- mw2(val2(fn))}, mw def[2]{ii <- val2(fn)},</pre> mwm\_def[2]{v <- val2(fn), m <- 2, n <- 2},</pre> bitassign[2]{i <- 0, k <- 0,b <- BMOD2(val2(fn)),</pre> w <- mwm[2](DIVBY2(val2(fn)),1,2)}</pre>

p stb1: PROVE stb1 FROM val mw thm[2]{ii <- 0}, g1

(\* ----- PROVE cnt\_0 ----- \*) p\_cnt\_0: PROVE cnt\_0 FROM NEXT0\_ax{svt <- state@C,</pre> ldn <- loadin@C, fn <- func@C},</pre> FETCH ax{ct <- cnt(state@C),</pre> dbl <- double(state@C),</pre> ldn <- loadin@C, fn <- func@C}, make\_triple\_ax{x <- cnt(state@C),</pre> y <- BOOLF(bit2(0,func@C)),</pre>  $z \leftarrow fetchnode$ , stb1{st <- state@C}</pre> ----- PROVE cnt\_1 ----- \*) LOAD\_ax{ct <- cnt(state@C), dbl <- BOOLF(bit2(0,func@C)), ldn <- loadin@C, fn <- func@C}, make\_triple\_ax{x <- loadin@C,</pre> y <- BOOLF(bit2(0,func@C)),</pre>  $z \leftarrow fetchnode$ p\_cla: PROVE cla FROM NEXT0\_ax{svt <- st@C,</pre> ldn <- 1d@C, fn <- fneC}, stb1{st <- st@C}</pre> p\_clb: PROVE clb FROM FETCH\_ax{ct <- cnt(st@C),</pre> dbl <- double(st@C), ldn < - ld@C,  $fn \leftarrow fn@C$ , NEXT3\_ax{svt <- make\_triple(cnt(st@C),</pre> BOOLF(bit2(0,fn@C)), loadnode), ldn <- ld@C,  $fn \leftarrow fn@C$ , make\_triple\_ax{x <- cnt(st@C ),</pre> y <- BOOLF(bit2(0,fn@C)),  $z \leftarrow loadnode$ , val mw thm[2]{ii <- 3},</pre>  $power2^{ax}{i <-2},$ power2  $ax\{i < -1\}$ , power2  $ax\{i < -0\}$ 

(\* \_\_\_\_\_ PROVE cnt\_2 \_\_\_\_\_ \*) p\_cnt\_2: PROVE cnt\_2 FROM c2a{st<-state@C,fn<-func@C,ld<-loadin@C},</pre> c2b{st<-state@C,fn<-func@C,ld<-loadin@C}, c2c{st<-state@C,fn<-func@C,ld<-loadin@C}, c2d{st<-state@C,fn<-func@C,ld<-loadin@C}, c2e{fn<-func@C}, c2f{st<-state@C,fn<-func@C,ld<-loadin@C}, make\_triple\_ax{x<-ADD1(cnt(state@C)),</pre> y<-BOOLF(bit2(0,func@C)),</pre> z<-fetchnode} p c2a: PROVE c2a FROM stb1, NEXTO ax{svt <- st, ldn <- ld,  $fn \leftarrow fn$ p\_c2b: PROVE c2b FROM FETCH\_ax{ct <- cnt(st),</pre> dbl <- double(st), ldn <- ld,  $fn \leftarrow fn$ p\_c2c: PROVE c2c FROM NEXT1\_ax{svt <- make\_triple(cnt(st),</pre> BOOLF(bit2(0,fn)), inclnode), ldn <- ld,  $fn \leftarrow fn$ , val mw thm[2]{ii <- 1},g1,</pre> make triple ax{x <- cnt(st),</pre>  $y \leftarrow BOOLF(bit2(0, fn)),$ z <- inclnode}</pre> p\_c2d: PROVE c2d FROM make\_triple\_ax{x <- cnt(st ),</pre> y <- BOOLF(bit2(0,fn)),</pre> z <- inclnode}</pre> p c2e: PROVE c2e FROM g3,  $BMOD2_ax\{i < -2\}, BMOD2_ax\{i < -0\},\$  $DIV_ax{i <-2}, DIV_ax{i <-0}$ p\_c2f: PROVE c2f FROM INC1\_ax{ct <- cnt(st@C),</pre> dbl <- BOOLF(bit2(0,fn)), ldn <- ld@C,  $fn \leftarrow fn@C$ , c2e

-----

(\* ----- PROVE cnt 3 ----- \*) p cnt\_3: PROVE cnt\_3 FROM c3a{st<-state@c,fn<-func@c,ld<-loadin@c},</pre> c3b{st<-state@C,fn<-func@C,ld<-loadin@C}, c3c{st<-state@C,fn<-func@C,ld<-loadin@C}, c3d{st<-state@C,fn<-func@C,ld<-loadin@C}, c3e{st<-state@C,fn<-func@C,ld<-loadin@C}, c3f{st<-state@C,fn<-func@C,ld<-loadin@C}, c3p{fn<-func@C},c3n, c3g{st<-state@C,fn<-func@C,ld<-loadin@C}, c3h{st<-state@C,fn<-func@C,ld<-loadin@C}, make triple ax{x<-cnt(state@C),</pre> y<-BOOLF(bit2(0,func@C)),</pre> z<-inclnode},</pre> make triple ax{x<-ADD1(cnt(state@C)),</pre>  $y \leq BOOLF(bit2(0, func@C)),$ z<-inc2node},</pre> make triple ax{x<-ADD1(ADD1(cnt(state@C))),</pre> y<-BOOLF(bit2(0,func@C)),</pre> z<-fetchnode} p c3a: PROVE c3a p c3b: PROVE c3b FROM stb1,NEXT0 ax{svt<-st@C,ldn<-ld@C,fn<-fn@C}</pre> p c3c: **PROVE** c3c FROM FETCH ax{ct<-cnt(st@C),dbl<-double(st@C),ldn<-ld@C, fn < -fn @Cp c3d: PROVE c3d FROM NEXT1 ax{svt<-make triple(cnt(st@C), BOOLF(bit2(0,fn@C)),inclnode),ldn<-ld@C,fn<- fn@C},</pre> g1, val mw thm[2]{ii<-1}, make triple ax{x<-cnt(st@C),</pre> y<-BOOLF(bit2(0,fn@C)),z<-inclnode}</pre> p\_c3e: PROVE c3e FROM INC1\_ax{ct<-cnt(make triple(cnt(st@C),</pre> BOOLF(bit2(0,fn@C)),inclnode)), dbl<-double(make triple(cnt(st@C), BOOLF(bit2(0,fn@C)),inclnode)),ldn<-ld@C,fn<-fn@C}, c3p, make triple ax{x <- cnt(st@C),</pre> y <- BOOLF(bit2(0,fn@C)),</pre> z <- inclnode}</pre> p\_c3f: PROVE c3f FROM NEXT2 ax{svt<-make triple(ADD1(cnt(st@C)),</pre>  $BOOLF(bit2(0, fnQC)), inc2node), ldn<-ldQC, fn<-fnQC}, q1,$ val mw thm  $[2]{ii < -2}$ , make triple ax{x<-ADD1(cnt(st@C)),</pre> y<-BOOLF(bit2(0,fn@C)),z<-inc2node}</pre> p c3n: PROVE c3n FROM power2  $ax\{i < -1\}$ , power2  $ax\{i < -0\}$ , val mw thm  $[2]{ii < -1}, g1$ 

```
p c3g: PROVE c3g FROM make_triple_ax{x<-ADD1(cnt(st@C)),</pre>
                                          y<-BOOLF(bit2(0,fn)),z<-inc2node}</pre>
          PROVE c3h FROM INC2_ax{ct<-ADD1(cnt(st@C)),dbl<-BOOLF(bit2(0,fn@C)),</pre>
   p c3h:
                                   ldn<-ld@C,fn<-fn@C}
   p c3p: PROVE c3p FROM g3,
                           BMOD2 ax\{i < -3\}, BMOD2 ax\{i < -3\},\
                           DIV ax\{i < -3\}, DIV ax\{i < -1\}
END cnt6 fa
triples: MODULE [firsttype, secondtype, thirdtype: TYPE]
EXPORTING triple, first, second, third, make_triple
THEORY
  triple: TYPE
  first: function[triple -> firsttype]
  second: function[triple -> secondtype]
  third: function[triple -> thirdtype]
  make triple: function{firsttype, secondtype, thirdtype -> triple}
  x: VAR firsttype
  y: VAR secondtype
  z: VAR thirdtype
  t: VAR triple
  make triple ax: AXIOM
    x = first(make triple(x, y, z))
      AND y = second(make triple(x, y, z))
        AND z = third(make_triple(x, y, z))
(* exists triple ax: AXIOM
    (FORALL t : (EXISTS x, y, z : t = make triple(x, y, z)))
*)
END triples
bsignal: MODULE
EXPORTING signalval, signal to bool
THEORY
   b: VAR bool
   signalval: TYPE is bool
   signal_to_bool: function[signalval -> bool] = (LAMBDA b -> bool: b)
END bsignal
```

```
78
```

cnt6 blk: MODULE
MAPPING cnt6 fa ONTO words,triples[word[6],bool,word[2]],bsignal

THEORY

```
(* ------ define abbreviations for 'words' ------ *)
word2: TYPE is word[2]
word6: TYPE is word[6]
mw2: function[int -> word2] is mw[2]
val2: function[word2 -> int] is val[2]
bit2: function[int, word2 -> signalval] is bit[2]
mw6: function[int -> word6] is mw[6]
val6: function[word6 -> int] is val[6]
bit6: function[int, word6 -> signalval] is bit[6]
BOOLF: function[signalval -> bool] is signal to bool
statevector: TYPE is triple
(* ----- logic constants defined in cnt6 fa ------
fetchnode: word2 = mw2(0)
inclnode: word2 = mw2(1)
inc2node: word2 = mw2(2)
loadnode: word2 = mw2(3)
        ----- define logic variables ----- *)
stv: VAR statevector
ct, incout, loadin: VAR word6
noinc: VAR bool
nd, func: VAR word2
dbl: VAR bool
mplxsel: VAR bool
(* ------ define functions ----- *)
INCLOGIC: function[word6, bool -> word6]
INCLOGIC ax: AXIOM INCLOGIC(ct,noinc) =
          IF noinc THEN ct
          ELSE ADD1(ct)
          END
MULTIPLEX: function[word6,word6,bool -> word6]
MULTIPLEX ax: AXIOM MULTIPLEX(incout, loadin, mplxsel) =
                  IF mplxsel THEN incout
                  ELSE loadin
                  END
MPLXCON: function[word2 -> bool] =
         (LAMBDA nd \rightarrow bool: NOT (val2(nd) = 3) )
```

```
INCCON: function[word2 -> bool] =
        (LAMBDA nd \rightarrow bool: (val2(nd) = 0))
NEXTNODE: function[word2,word2,bool -> word2]
(* -----
NEXTNODE ax: AXIOM NEXTNODE(nd,func,dbl) =
               IF val2(nd) = 0 THEN
                  IF val2(func) = 0 THEN fetchnode
                  ELSIF val2(func) = 1 THEN loadnode
                  ELSE inclnode
                  END
               ELSIF val2(nd) = 1 THEN
                  IF dbl THEN inc2node
                            ELSE fetchnode
                  END
              ELSE
                  fetchnode
              END
                                                              ---- *)
NEXTNODE0 ax: AXIOM val2(nd) = 0 IMPLIES
                 NEXTNODE(nd, func, dbl) =
                    IF val2(func) = 0 THEN fetchnode
                    ELSIF val2(func) = 1 THEN loadnode
                    ELSE inclnode
                    END
NEXTNODE1 ax: AXIOM val2(nd) = 1 IMPLIES
                 NEXTNODE(nd, func, dbl) = IF dbl THEN inc2node
                                          ELSE fetchnode
                                          END
NEXTNODE2a3 ax: AXIOM val2(nd) = 2 or val2(nd) = 3 IMPLIES
                   NEXTNODE(nd, func, dbl) = fetchnode
COUNTLOGIC: function[statevector,word6,word2 -> statevector] =
                (LAMBDA stv, loadin, func -> statevector:
                make triple( MULTIPLEX(INCLOGIC(count(stv),
                                                 INCCON(node(stv)) ),
                                        loadin,
                                        MPLXCON(node(stv)) ),
                             BOOLF(bit2(0,func)),
                             NEXTNODE(node(stv), func, double(stv)) )
                   )
cnt6 fa.NEXT: function[statevector,word6,word2 -> statevector] = COUNTLOGIC
 (* ----- LEMMAs needed to prove NEXTO ax ----- *)
 ldn: VAR word6
 fn: VAR word2
```

LEMMA val2(node(stv)) = 0 IMPLIES COUNTLOGIC(stv,ldn,fn) = FETCH(count(stv),double(stv),ldn,fn) case 0: cs0a: LEMMA val2(node(stv)) = 0 IMPLIES COUNTLOGIC(stv,ldn,fn) = make triple( count(stv), BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) cs0b: LEMMA val2(node(stv)) = 0 IMPLIES make\_triple( count(stv), BOOLF(bit2(0,fn)), NEXTNODE(node(stv),fn,double(stv)) ) = FETCH(count(stv),double(stv),ldn,fn) (\* ----- LEMMAs needed to prove NEXT1\_ax ----- \*) case\_1: LEMMA val2(node(stv)) = 1 IMPLIES COUNTLOGIC(stv,ldn,fn) = INCl(count(stv),double(stv),ldn,fn) csla: LEMMA val2(node(stv)) = 1 IMPLIES COUNTLOGIC(stv,ldn,fn) = make\_triple( ADD1(count(stv)), BOOLF(bit2(0,fn)), NEXTNODE(node(stv),fn,double(stv)) ) cs1b: LEMMA val2(node(stv)) = 1 IMPLIES make\_triple( ADD1(count(stv)), BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) = INCl(count(stv),double(stv),ldn,fn) (\* ----- LEMMAs needed to prove NEXT2\_ax ----- \*) case\_2: LEMMA val2(node(stv)) = 2 IMPLIES COUNTLOGIC(stv,ldn,fn) = INC2(count(stv),double(stv),ldn,fn) cs2a: LEMMA val2(node(stv)) = 2 IMPLIES COUNTLOGIC(stv,ldn,fn) = make\_triple( ADD1(count(stv)), BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) cs2b: LEMMA val2(node(stv)) = 2 IMPLIES make\_triple( ADD1(count(stv)), BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) = INC2(count(stv),double(stv),ldn,fn) (\* ----- LEMMAs needed to prove NEXT3\_ax ----- \*) case\_3: LEMMA val2(node(stv)) = 3 IMPLIES COUNTLOGIC(stv,ldn,fn) = LOAD(count(stv),double(stv),ldn,fn)

cs3a: LEMMA val2(node(stv)) = 3 IMPLIES COUNTLOGIC(stv,ldn,fn) = make triple( ldn, BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) cs3b: LEMMA val2(node(stv)) = 3 IMPLIES make triple( ldn, BOOLF(bit2(0,fn)), NEXTNODE(node(stv), fn, double(stv)) ) = LOAD(count(stv),double(stv),ldn,fn) PROOF p case 0: PROVE case 0 FROM cs0a,cs0b p\_cs0a: PROVE cs0a FROM INCLOGIC\_ax{ct <- count(stv),</pre> noinc <- INCCON(node(stv))},</pre> MULTIPLEX\_ax{incout <- count(stv),</pre> loadin <- ldn, mplxsel <- MPLXCON(node(stv))}</pre> P\_cs0b: PROVE cs0b FROM FETCH\_ax{ct <- count(stv),</pre> dbl <- double(stv), ldn <- ldn, fn <- fn}, NEXTNODE0 ax{nd <- node(stv), func <- fn, dbl <- double(stv)}</pre> p case 1: PROVE case 1 FROM cs1a,cs1b p\_csla: PROVE csla FROM INCLOGIC\_ax{ct <- count(stv),</pre> noinc <- INCCON(node(stv))},</pre> MULTIPLEX ax{incout <- ADD1(count(stv)), loadin <- ldn, mplxsel <- MPLXCON(node(stv))}</pre> P cslb: PROVE cslb FROM INC1\_ax {ct <- count(stv),</pre> dbl <- double(stv),  $ldn \leftarrow ldn, fn \leftarrow fn$ , NEXTNODE1 ax{nd <- node(stv),</pre> func <- fn, dbl <- double(stv))</pre>

p\_case\_2: PROVE case\_2 FROM cs2a,cs2b

p\_cs2a: PROVE cs2a FROM INCLOGIC\_ax{ct <- count(stv),</pre> noinc <- INCCON(node(stv))},</pre> MULTIPLEX ax{incout <- ADD1(count(stv)), loadin <- ldn,</pre> mplxsel <- MPLXCON(node(stv))}</pre> P cs2b: PROVE cs2b FROM INC2\_ax{ct <- count(stv), dbl <- double(stv),  $1dn \leftarrow 1dn, fn \leftarrow fn$ NEXTNODE2a3 ax{nd <- node(stv), func <- fn,</pre> dbl <- double(stv)} p\_case\_3: PROVE case\_3 FROM cs3a,cs3b p cs3a: PROVE cs3a FROM MULTIPLEX\_ax{incout <-INCLOGIC(count(stv), INCCON(node(stv))) , loadin <- ldn, mplxsel <- MPLXCON(node(stv))}</pre> p\_cs3b: PROVE cs3b FROM LOAD\_ax{ct <- count(stv), dbl <- double(stv),  $1dn \leftarrow 1dn, fn \leftarrow fn$ NEXTNODE2a3 ax{nd <- node(stv), func <- fn, dbl <- double(stv)} END cnt6 blk cnt6 cir: MODULE MAPPING cnt6\_blk ONTO words, triples, bsignal THEORY \_\_\_\_ \*) ----- abbreviations -----(\* \_\_\_\_\_ word2: TYPE is word[2] word6: TYPE is word[6] cntrlsigs: TYPE is triple[bool,bool,word[2]] bit2: function[int, word2 -> bool] is bit[2] bit6: function[int, word6 -> bool] is bit[6] assign2: function[int,bool,word2 -> word2] is assign[2] assign6: function[int,bool,word6 -> word6] is assign[6] --- \*) ----- circuit elements -----(\* \_\_\_\_

b,b1,b2,b3,b4: VAR bool

```
INV: function [bool -> bool] = (LAMBDA b -> bool: not b)
 NAND2: function [bool, bool -> bool] =
        (LAMBDA b1, b2 \rightarrow bool: not (b1 and b2))
 NAND3: function [bool, bool, bool -> bool] =
        (LAMBDA b1, b2, b3 -> bool: not (b1 and b2 and b3))
 NAND4: function [bool, bool, bool, bool -> bool] =
        (LAMBDA b1, b2, b3, b4 -> bool: not (b1 and b2 and b3 and b4))
 XNOR: function [bool, bool -> bool] =
        (LAMBDA b1, b2 -> bool: not (not b1 and b2 or b1 and not b2))
 NOR2: function [bool, bool -> bool] =
        (LAMBDA b1, b2 \rightarrow bool: not (b1 or b2))
 (* ------ logic variables ----- *)
 i0, i1, i2, i3, i4, i5: VAR bool
 lbit,lsel,incbit,incsel: VAR bool
 incout, loadin, cntr: VAR word6
mplxsel, noinc, Double: VAR bool
Node, Func: VAR word2
      ----- circuit definition ------ *)
(* ---
output: function [bool,bool,bool,bool,bool,bool -> word6] =
        (LAMBDA i0, i1, i2, i3, i4, i5 -> word6:
                 assign6(0,i0,
                  assign6(1,i1,
                   assign6(2,i2,
                    assign6(3,i3,
                     assign6(4,i4,
                      assign6(5,i5,newword[6]))))))
bitsel: function[bool,bool,bool,bool -> bool] =
        (LAMBDA lbit, lsel, incbit, incsel -> bool:
         NAND2( NAND2(lbit,lsel), NAND2(incbit,incsel)) )
MPLEXCIRC: function[word6,word6,bool -> word6]
MPLEXCIRC ax: AXIOM MPLEXCIRC(incout, loadin, mplxsel) =
             output(
         bitsel(bit6(0,loadin),INV(mplxsel),bit6(0,incout),mplxsel),
        bitsel(bit6(1,loadin),INV(mplxsel),bit6(1,incout),mplxsel),
        bitsel(bit6(2,loadin),INV(mplxsel),bit6(2,incout),mplxsel),
        bitsel(bit6(3,loadin),INV(mplxsel),bit6(3,incout),mplxsel),
        bitsel(bit6(4,loadin),INV(mplxsel),bit6(4,incout),mplxsel),
        bitsel(bit6(5,loadin),INV(mplxsel),bit6(5,incout),mplxsel)
                   )
carry4bar: function[word6,bool -> bool] =
            (LAMBDA cntr, noinc -> bool:
              NAND4(INV(noinc), bit6(0, cntr), bit6(1, cntr), bit6(1, cntr))
            )
```

```
INCCIRC: function[word6,bool -> word6] =
         (LAMBDA cntr, noinc -> word6:
            output(
              XNOR(bit6(0, cntr), noinc),
              XNOR(bit6(1,cntr), NAND2(INV(noinc),bit6(0,cntr)) ),
              XNOR(bit6(2,cntr),
                   NAND3( INV(noinc), bit6(0,cntr), bit6(1,cntr) ) ),
              XNOR(bit6(3,cntr),carry4bar(cntr,noinc) ),
              XNOR(bit6(4, cntr),
                   NAND2(INV(carry4bar(cntr,noinc)), bit6(3,cntr) )
                   ),
              XNOR(bit6(5, cntr),
                   NAND3(INV(carry4bar(cntr,noinc)),
                         bit6(3,cntr) ,
                                                 )
                         bit6(4,cntr) )
                  )
           )
inccon: function[word2 -> bool] =
           (LAMBDA Node -> bool:
             NOR2(bit2(0,Node),bit2(1,Node))
                                              )
common: function[word2,word2 -> bool] =
           (LAMBDA Node, Func -> bool:
             NAND3(inccon(Node), INV(bit2(1,Func)), bit2(0,Func)) )
CONTROLCIR: function[word2,word2,bool -> cntrlsigs] =
             (LAMBDA Node, Func, Double -> cntrlsigs:
                make triple( inccon(Node),
                            NAND2(bit2(0,Node),bit2(1,Node)),
                            assign2(0, NAND2(common(Node,Func),
                                             NAND2(inccon(Node),bit2(1,Func))
                                            ),
                              assign2(1,NAND2(common(Node,Func),
                                              NAND3(Double,
                                                    bit2(0,Node),
                                                    INV(bit2(1,Node) ) )),
                                      newword[2])
                                     )
                            )
             )
           ----- Mappings to "cnt6_blk" ----- *)
 (* ----
 cnt6 blk.INCLOGIC: function[word6,bool -> word6] = INCCIRC
 cnt6_blk.MULTIPLEX: function[word6,word6,bool -> word6] = MPLEXCIRC
(*
```

cnt6\_blk.INCCON: function[word2,word2,bool -> bool] = (LAMBDA Node, Func, Double -> bool: first(CONTROLCIR(Node,Func,Double)) ) cnt6\_blk.MPLXCON: function[word2,word2,bool -> bool] = (LAMBDA Node, Func, Double -> bool: second(CONTROLCIR(Node,Func,Double)) ) \*) cnt6\_blk.NEXINODE: function[word2,word2,bool -> word2] = (LAMBDA Node, Func, Double -> word2: third(CONTROLCIR(Node,Func,Double)) ) END cnt6 cir ineq\_cases: MODULE THEORY y,m: VAR int Y\_0: THEOREM (y>=0 AND y<1) IMPLIES y=0 Y\_01: THEOREM (y>=1 AND y<2) IMPLIES y=1 Y\_S: THEOREM ( $y \ge 0$  AND y < 2) IMPLIES ( $(y \ge 0$  AND y < 1) OR ( $y \ge 1$  AND y < 2)) Y\_1: THEOREM ( $y \ge 0$  AND y < 2) IMPLIES (y = 0 OR y = 1) M\_R: THEOREM ( $y \ge 0$  AND  $y \le m$ ) IMPLIES (( $y \ge 0$  AND  $y \le m-1$ ) OR ( $y \ge m$ )) PROOF pY0: PROVE Y 0 pY01: prove  $\overline{Y}$  01 pYS: PROVE Y S pY1: PROVE Y 1 FROM Y\_S, Y\_0, Y 01 pMR: PROVE M R END ineq\_cases int\_inductions: MODULE EXPORTING next, pred, geq, bge THEORY i,j: VAR int d1, d2, d3, d4, de: VAR int x,y,z,s: VAR int

First: int = 0next: function[int -> int] = (LAMBDA i -> int: i+1) pred: function[int  $\rightarrow$  int] = (LAMBDA i  $\rightarrow$  int: IF i > 0 THEN i-1 ELSE 0 END) geq: function[int,int -> bool] = (LAMBDA i,j -> bool: (i>=j)) bge: function[int -> bool] = (LAMBDA i -> bool: IF i>=0 THEN true ELSE false END ) p: VAR function[int -> bool] int complete: THEOREM (FORALL dl: geq(dl,First) IMPLIES (FORALL d3: (geq(d3,First) AND geq(d1,d3) AND d3 ~= d1) IMPLIES p(d3)) IMPLIES p(d1)) IMPLIES (FORALL d2: geq(d2,First) IMPLIES p(d2)) int induction: THEOREM (p(First) AND (FORALL d1: p(d1) IMPLIES p(next(d1)))) **IMPLIES** (FORALL d2: geq(d2,First) IMPLIES p(d2)) int induct by 2: THEOREM (p(First) AND p(next(First)) AND (FORALL d1: p(d1) IMPLIES p(next(next(d1))))) IMPLIES (FORALL d2: ( geq(d2,First) IMPLIES p(d2) ))

END int inductions

| NASA<br>National Amonautics and<br>Space Advinution                                                                                                                                                                                                                                                                                                                                                                                                                                   | Repo                                                                                                                                    | rt Documentation Pag                                                                                                                                                                                                                                                                               | e                                                                                                                                                                                     |                                                                                                                     |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| 1. Report No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                         | . Government Accession No.                                                                                                                                                                                                                                                                         |                                                                                                                                                                                       | 3. Recipient's Catalog No.                                                                                          |
| NASA TM-100669 AVSCOM TM-88-                                                                                                                                                                                                                                                                                                                                                                                                                                                          | -B-017                                                                                                                                  |                                                                                                                                                                                                                                                                                                    | 5. Report Dat                                                                                                                                                                         |                                                                                                                     |
| Hardware Proofs Using EHDM and the RSRE Verification                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                       |                                                                                                                     |
| Methodology                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | December 1988                                                                                                                                                                         |                                                                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 6. Performing                                                                                                                                                                         | Organization Code                                                                                                   |
| 7. Author(s)                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                       |                                                                                                                     |
| Ricky W. Butler and Jon A. Sjogren                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 8. Performing Organization Report No.                                                                                                                                                 |                                                                                                                     |
| 9. Performing Organization Name and Address                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                       | ······································                                                                              |
| NASA Langley Research Center<br>Hampton, VA 23665-5225 and<br>Joint Research Programs Office/AVRADA, Langley Re<br>Center, Hampton, VA 23665-5225                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 10. Work Unit No.<br>505-66-21-01                                                                                                                                                     |                                                                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                         | Langlev Research                                                                                                                                                                                                                                                                                   |                                                                                                                                                                                       |                                                                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                         | ·                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                       | or Grant No.                                                                                                        |
| 12. Sponsoring Agency Name and Address                                                                                                                                                                                                                                                                                                                                                                                                                                                | ace Admin                                                                                                                               | istration                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                       |                                                                                                                     |
| National Aeronautics and Space Administration<br>Washington, DC 20546-0001<br>and                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                       |                                                                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 13. Type of Report and Period Covered                                                                                                                                                 |                                                                                                                     |
| U.S. Army Aviation Systems Command                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | Technical Memora                                                                                                                                                                      |                                                                                                                     |
| St. Louis, MO 63120-1798                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 14. Army Project No.                                                                                                                                                                  |                                                                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                         |                                                                                                                                                                                                                                                                                                    | 1L16110                                                                                                                                                                               | D2AH45E                                                                                                             |
| Hampton, Vi<br>16. Abstract                                                                                                                                                                                                                                                                                                                                                                                                                                                           | A                                                                                                                                       | <u></u>                                                                                                                                                                                                                                                                                            | AVSCOM, Lan                                                                                                                                                                           | gley Research Center,                                                                                               |
| Hampton, V                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | A<br>odology f<br>hment (RS<br>lierarchic<br>system.<br>th he fol<br>el, and ci<br>level bel<br>problem<br>in EHDM'                     | or hardware verifica<br>RE) in the context of<br>al Design Methodolog<br>The methodology ut<br>lowing levels: fund<br>rcuit level. The pr<br>ow it. In this pape<br>and is critically es<br>s specification land                                                                                   | AVSCOM, Lan<br>ation devel<br>of the SRI<br>gy (EHDM)<br>ilizes a fo<br>ctional lev<br>roperties c<br>er, this me<br>kamined. T<br>guage, Exte                                        | oped by Royal<br>our-level<br>rel, finite<br>of a level are<br>thodology is<br>the<br>ended Special,                |
| Hampton, W<br>16. Abstract<br>This paper examines a meth<br>Signals and Radar Establis<br>International's Enhanced H<br>specification/verification<br>specification hierarchy wi<br>automata model, block mode<br>proved as theorems in the<br>applied to a 6-bit counter<br>specifications are written                                                                                                                                                                               | A<br>odology f<br>hment (RS<br>lierarchic<br>system.<br>th he fol<br>el, and ci<br>level bel<br>problem<br>in EHDM'                     | or hardware verifica<br>RE) in the context of<br>al Design Methodolog<br>The methodology ut<br>lowing levels: fund<br>rcuit level. The pr<br>ow it. In this pape<br>and is critically es<br>s specification land                                                                                   | AVSCOM, Lan<br>ation devel<br>of the SRI<br>gy (EHDM)<br>ilizes a foc<br>tional lev<br>roperties of<br>er, this me<br>kamined. T<br>guage, Exte<br>and the EF                         | oped by Royal<br>our-level<br>rel, finite<br>of a level are<br>chodology is<br>the<br>ended Special,<br>IDM system. |
| Hampton, Va<br>16. Abstract<br>This paper examines a meth<br>Signals and Radar Establis<br>International's Enhanced H<br>specification/verification<br>specification hierarchy wi<br>automata model, block mode<br>proved as theorems in the<br>applied to a 6-bit counter<br>specifications are written<br>and the proofs are improvi<br>17. Key Words (Suggested by Authors(s))<br>Verification<br>Formal Proof<br>Formal Specification<br>Theorem Proving<br>Hardware Verification | A<br>andology f<br>thment (RS<br>lierarchic<br>a system.<br>th he fol<br>el, and ci<br>level bel<br>problem<br>h in EHDM'<br>ang both t | or hardware verifica<br>RE) in the context of<br>al Design Methodolog<br>The methodology ut:<br>lowing levels: fund<br>rcuit level. The pr<br>ow it. In this pape<br>and is critically e:<br>s specification land<br>he RSRE methodology<br>18. Distribution Stater<br>Unclassified<br>Subject Cat | AVSCOM, Lan<br>ation devel<br>of the SRI<br>gy (EHDM)<br>ilizes a for<br>ctional lev<br>roperties of<br>er, this me<br>kamined. T<br>guage, Exter<br>and the EF<br>ment<br>and the EF | oped by Royal<br>our-level<br>rel, finite<br>of a level are<br>chodology is<br>the<br>ended Special,<br>IDM system. |
| Hampton, Vi<br>16. Abstract<br>This paper examines a meth<br>Signals and Radar Establis<br>International's Enhanced H<br>specification/verification<br>specification hierarchy wi<br>automata model, block mode<br>proved as theorems in the<br>applied to a 6-bit counter<br>specifications are written<br>and the proofs are improvi<br>17. Key Words (Suggested by Authors(s))<br>Verification<br>Formal Proof<br>Formal Specification<br>Theorem Proving<br>Hardware Verification | A<br>andology f<br>thment (RS<br>lierarchic<br>a system.<br>th he fol<br>el, and ci<br>level bel<br>problem<br>h in EHDM'<br>ang both t | or hardware verifica<br>RE) in the context of<br>al Design Methodolog<br>The methodology uti<br>lowing levels: fund<br>rcuit level. The pr<br>ow it. In this pape<br>and is critically ex<br>s specification land<br>he RSRE methodology<br>18. Distribution Stater<br>Unclassified<br>Subject Cat | AVSCOM, Lan<br>ation devel<br>of the SRI<br>gy (EHDM)<br>ilizes a foc<br>tional lev<br>roperties of<br>er, this me<br>kamined. T<br>guage, Exte<br>and the EF                         | oped by Royal<br>our-level<br>rel, finite<br>of a level are<br>chodology is<br>the<br>ended Special,<br>IDM system. |

-

NASA FORM 1626 OCT 86 For sale by the National Technical Information Service, Springfield, Virginia 22161-2171

-. د