tutorial

Publicado por

NparameterizedtheseTinutorialSponexamplesUsingsuppPVS.forScienceHardwpareeVaseriationrotot?tutorialSbOwreComputerJofMOwreRushLabbvidedycon,proNelinedShankhecar1andofMvKInSriverienceasShankfLoMenlowreRushrushManbPyb,SystemshankarkarcapabilitiessrivandasegareslriomwComputerwScienceexamplesLabhasoratoryfor,theSRIanInPVSternationaleriationMenlolanguagePandarktoCAted94025TheoremUSA,AbstractmanPVS1standsMforerototeyp,eFVOwreeriationTheSystemRIteleconsistsSRIofebruaryaandspGuideeciationandlanguageaseinIntegrated1993.withwsuppareortytohoolscanandinaoftheoremeriationprotvederofPVShardwtriesoftoaprocessorvideeentheencmecdelhanizationersneededistotationapplyripplearryformaltromethostandsdsebItothsprigorouslytegratedandtoprotheoremductivPVSely?.asThisthetutorialConferenceservvesDesigntoandinHerrenalbtro,duce26-28,PVSOwreandanditsbusePVSinatiotheetaconasetextLabofInhardarkw1993.arearvJeriationyInPrtheckerstencsectionetaw.eoratorybrieternationalskCAetc3hShanktheMpurp.osestheforciwhicerihRPVSComputeris ...
Publicado el : viernes, 23 de septiembre de 2011
Lectura(s) : 64
Número de páginas: 22
Ver más Ver menos

N
parameterized
these
T
in
utorial
Sp
on
examples
Using
supp
PVS
.
for
Science
Hardw
p
are
e
V
as
eriation
rotot
?
tutorial
S
b
Owre
Computer
J
of
M
Owre
Rush
Lab
b
vided
y
con
,
pro
N
elined
Shank
hec
ar
1
and
of
M
v
K
In
Sriv
erience
as
Shank
f
L
o
Menlo
wre
Rush
rush
Man
b
P
y
b
,
System
shank
ark
ar
capabilities
sriv
and
as
e
g
are
slriom
w
Computer
w
Science
examples
Lab
has
oratory
for
,
the
SRI
an
In
PVS
ternational
eriation
Menlo
language
P
and
ark
to
CA
ted
94025
Theorem
USA
,
Abstract
man
PVS
1
stands
M
for
e
rotot
e
yp
,
e
F
V
Owre
eriation
The
System
R
It
ele
consists
SRI
of
ebruary
a
and
sp
Guide
eciation
and
language
ase
in
In
tegrated
1993.
with
w
supp
are
ort
y
to
ho
ols
can
and
in
a
of
theorem
eriation
pro
t
v
ed
er
of
PVS
hardw
tries
of
to
a
pro
cessor
vide
een
the
enc
mec
del
hanization
ers
needed
is
to
tation
apply
ripplearry
formal
tro
metho
stands
ds
e
b
It
oth
sp
rigorously
tegrated
and
to
pro
theorem
ductiv
PVS
ely
?
.
as
This
the
tutorial
Conference
serv
v
es
Design
to
and
in
Herrenalb
tro
,
duce
26-28,
PVS
Owre
and
and
its
b
use
PVS
in
atio
the
eta
con
ase
text
Lab
of
In
hard
ark
w
1993.
are
ar
v
J
eriation
y
In
Pr
the
cker
st
enc
section
eta
w
.
e
oratory
brie
ternational
sk
CA
etc
3
h
Shank
the
M
purp
.
oses
the
for
ci
whic
eri
h
R
PVS
Computer
is
,
in
Menlo
tended
F
and
and
the
o
rationale
erful
b
that
ehind
pro
its
b
design
PVS
men
demonstrate
tion
w
some
features
of
b
the
used
uses
the
that
text
w
hardw
e
v
and
W
others
presen
are
completely
making
ork
of
out
it
ofs
W
t
e
o
giv
are
e
One
an
the
o
is
v
pip
erview
micropro
of
that
the
b
PVS
used
sp
b
eciation
hmark
language
mo
and
c
pro
k
of
and
c
other
hec
a
k
implemen
er
of
The
Nit
PVS
adder
language
In
system
ducing
and
PVS
theorem
for
pro
yp
v
V
er
System
eac
consists
h
a
ha
eciation
v
in
e
with
their
ort
o
ols
wn
a
reference
pro
man
er
uals
tries
1
pro
;
This
2
w
;
presen
3
at
whic
Second
h
ternational
y
on
ou
Pro
will
ers
need
Circuit
to
Theory
study
Practice
in
Exp
order
Bad
to
Ger
mak
y
e
Septem
pro
er
ductiv
1994.
e
S
use
N
of
ar
the
J
sys
Rush
tem
y
A
The
p
Sp
o
ci
c
n
k
anguage
et
R
reference
le
card
.
summarizing
Science
all
oratory
the
SRI
features
ternational
of
P
the
CA
PVS
ebruary
language
2
system
Shank
and
S
pro
and
v
M
er
b
is
.
also
PVS
a
o
v
Che
ailable
A
The
efer
purp
e
ose
ual
of
R
this
ase
tutorial
Computer
is
Lab
not
,
to
In
describ
Menlo
e
ark
in
F
detail
1993.
the
S
features
N
of
ar
PVS
J
and
Rush
ho
y
w
User
to
for
use
PVS
the
e
system
ation
Rather
V
its
ation
purp
eta
ose
ele
is
.
to
Science
in
oratory
tro
SRI
duce
ternational
some
P
of
CA
the
ebruary
more
A
uniquew
ligh
a
the
w
mec
ers
hanization
Metho
needed
w
to
the
apply
are
formal
of
metho
y
ds
a
b
HDM
oth
b
rigorously
is
and
and
pro
W
ductiv
used
ely
in
.
er
The
y
sp
y
eciation
E
language
ecause
of
to
PVS
t
is
a
a
tain
higherrder
In
logic
features
with
in
a
pro
ric
the
h
out
t
pip
yp
capacit
e
size
system
w
and
as
is
circuits
quite
adder
expressiv
design
e
templating
w
vide
e
26],
ha
W
v
V
e
built
found
t
that
tec
most
hea
of
Another
the
should
mathematical
no
and
easy
computational
elopmen
concepts
tirely
w
ose
e
e
wish
ho
to
purp
describ
of
e
erful
can
PVS
b
b
e
hardw
form
completely
ulated
t
v
the
ery
that
directly
hmark
and
del
naturally
ted
in
is
PVS
ving
Its
see
theorem
through
pro
del
v
is
er
TPCD
or
of
pro
illustrates
of
Goals
c
as
hec
in
k
formal
er
examples
(w
elopmen
e
DM
use
[30],
either
[22,
term
call
though
yp
the
System
latter
w
is
as
more
w
correct
yp
is
ext
b
for
oth
our
in
w
teractiv
eriation
e
for
and
that
highly
e
mec
ailable
hanized
licenses
the
relativ
user
install
c
use
ho
of
oses
funded
eac
y
h
The
step
this
that
to
is
detail
to
PVS
b
to
e
Rather
applied
is
and
duce
PVS
more
p
o
erforms
that
it
b
displa
demonstrate
ys
features
the
used
result
text
and
v
then
presen
w
ork
aits
ofs
for
o
the
One
next
is
command
micropro
PVS
b
dirs
b
from
testing
most
of
other
hec
in
handle
teractiv
While
e
the
theorem
an
pro
theorem
v
w
ers
ted
in
the
the
ould
p
as
o
a
w
hec
er
second
of
of
its
as
basic
enc
steps
implemen
these
Nit
can
second
in
of
v
1.1
ok
PVS
e
PVS
decision
ed
pro
exp
cedures
or
for
applications
arithmetic
ds
and
the
equalit
e
y
Dev
,
t
a
dology
BDDased
[25,
prop
STP
ositional
and
sim
HDM
plir
27].
eien
e
t
PVS
hashingased
rotot
automatic
e
conditional
eriation
rewriting
b
induction
it
and
as
other
partly
relativ
a
ely
t
large
eigh
units
protot
of
e
deduction
explore
it
generation
dirs
hnology
from
E
other
,
highly
main
automated
vy
theorem
eigh
pro
v
v
system
ers
goal
in
PVS
b
as
eing
it
directly
b
con
freely
trolled
v
b
require
y
costly
the
and
user
e
W
ely
e
to
ha
main
v
and
e
Dev
b
t
een
PVS
able
as
to
en
p
b
erform
SRI
some
ternational
signian
purp
t
of
new
tutorial
hardw
not
are
describ
v
in
eriation
the
exercises
of
quite
and
economically
w
using
use
PVS
system
w
its
e
ose
ha
to
v
tro
e
some
also
the
rep
unique
eated
p
some
w
v
capabilities
eriations
are
st
vided
undertak
y
en
and
in
ho
other
these
systems
can
and
e
ha
in
v
con
e
of
usually
are
b
eriation
een
e
able
t
to
w
complete
ed
them
pro
in
of
a
w
fraction
hardw
of
examples
the
of
original
examples
time
a
f
elined
course
cessor
these
has
are
een
previously
as
solv
enc
ed
for
problems
the
whic
y
h
mo
mak
c
es
k
them
to
m
datapathrien
uc
circuits
h
the
easier
of
for
datapath
us
irrelev
than
t
for
a
the
pro
original
exercise
dev
e
elop
an
ers
to
PVS
if
is
pro
the
w
most
go
recen
just
t
automatically
in
in
a
mo
line
c
of
k
sp
The
eciation
example
languages
one
theorem
the
pro
supplied
v
a
ers
b
and
hmark
v
parameterized
eriation
tation
systems
an
dev
ripplearry
elop
The
ed
example
at
pro
SRI
b
dating
induction
bac
Design
k
for
o
The
v
of
er
w
20
shap
y
b
ears
our
That
erience
line
doing
includes
con
the
earlyifecycle
Jo
of
vial
metho
V
Man
eriation
of
System
larger
[13],
w
the
2
Hierarc
hicalhardw
the
t
v
of
e
come
done
exp
concern
theorem
algorithms
e
and
to
arc
done
hitectures
theorems
for
v
faultolerance
y
ee
as
[23]
lev
for
and
an
of
o
a
v
h
erview
v
W
osed
e
vide
found
h
that
so
man
to
y
b
of
ehind
the
ob
published
to
pro
is
ofs
and
that
mak
w
are
e
has
attempted
sp
to
t
c
to
hec
its
k
\c
w
the
ere
follo
in
xecute
fact
E
incorrect
tency
as
later
w
sp
as
and
one
y
of
sp
the
The
imp
orts
ortan
an
t
The
algorithms
pro
W
automatic
e
parts
ha
user
v
v
e
pro
also
implemen
found
PVS
that
pro
man
logic
y
ectiv
of
cation
our
signian
o
analyses
wn
the
sp
prop
eciations
most
are
understand
subtly
tify
a
tally
w
a
ed
algorithm
when
it
st
the
written
as
F
A
or
sp
these
wing
reasons
a
PVS
e
is
b
designed
5
to
do
help
for
in
eciations
the
vide
detection
a
of
.
errors
[2,
as
ec
w
e
ell
users
as
ho
in
yle
the
most
conmation
problems
of
w
orrectness
PVS
One
detection
w
pro
a
tiv
y
v
it
rationale
supp
PVS
orts
er
early
pro
error
ort
detection
and
is
a
b
giving
y
abilit
ha
the
ving
at
a
of
v
This
ery
b
ric
the
h
steps
t
automatic
yp
t
eystem
for
and
o
corresp
approac
ondingly
PVS
rigorous
system
t
v
yp
most
ec
ofs
hec
amoun
king
and
A
exp
great
een
deal
of
of
v
sp
ab
eciation
is
can
e
b
to
e
con
em
to
b
This
edded
out
in
while
PVS
v
t
theorem
yp
that
es
hiev
or
ose
example
b
the
erately
in
cess
v
sp
arian
of
t
pro
to
hallenge
b
f
e
is
main
the
tained
t
b
t
y
case
a
a
stateac
w
hine
sp
can
pro
b
out
e
Unlik
expressed
,
as
not
a
ecial
t
the
yp
axiomatic
e
e
constrain
to
t
in
and
but
t
t
yp
E
ec
Directly
hec
languages
king
supp
can
of
generate
ha
pro
constructiv
of
forms
obligations
that
that
ma
amoun
c
t
ose
to
st
a
of
v
eciation
ery
appropriate
strong
their
consistency
4
c
third
hec
a
k
that
on
supp
some
error
asp
is
ects
y
of
viding
the
ec
sp
e
eciation
pro
Another
er
w
design
a
b
y
the
PVS
theorem
helps
v
eliminate
w
certain
to
kinds
vide
of
supp
errors
for
is
vious
b
tedious
y
of
pro
pro
viding
while
v
the
ery
the
ric
y
h
guide
mec
pro
hanisms
er
for
higher
conserv
els
ativ
a
e
of
extensionhat
goal
is
accomplished
deitional
y
forms
ting
that
primitiv
are
inference
guaran
of
teed
using
to
rewriting
preserv
eien
e
decision
consistency
cedures
.
arithmetic
Axiomatic
prop
sp
sitional
eciations
This
can
h
b
es
e
an
v
e
ery
for
ec
are
tiv
eri
e
since
for
hardw
certain
pro
kinds
need
of
t
problem
t
(e.g.,
rewriting
for
case
stating
Our
assumptions
erience
ab
b
out
that
the
act
en
trying
vironmen
pro
t
e
but
erties
axioms
out
can
eciations
also
the
in
ectiv
tro
w
duce
y
inconsistenciesnd
truly
our
their
exp
ten
erience
and
has
iden
b
errors
een
can
that
ab
this
inciden
do
,
es
attempting
happ
pro
en
e
rather
eal
more
suc
often
as
than
an
one
ac
w
es
ould
purp
wish
or
Dei
can
tional
e
constructs
delib
a
through
v
pro
oid
of
this
hallenging
problem
eciations
but
part
a
a
limited
alidation
rep
cess
ertoire
c
of
has
suc
form
h
this
constructs
eciation
(e.g.,
righ
requiring
then
ev
follo
erything
ough
to
to
b
wi
e
is
sp
test
ecid
p
as
as
a
putativ
recursiv
theorem
e
e
function
the
can
eciation
lead
y
to
ving
excessiv
ab
ely
it
constructiv
4
e
e
sp
HDM
eciations
PVS
sp
es
eciations
pro
that
sp
sa
facilities
y
demonstrating
o
consis
w
of
rather
sp
than
W
hat
do
PVS
ect
pro
pro
vides
these
b
a
oth
release
the
using
freedom
diren
of
approac
axiomatic
than
sp
HDM
eciations
5
and
executable
the
eciation
safet
(e.g.,
y
17])
of
ort
a
alidation
generous
sp
collection
3
of
deitionalW
is
abilit
Uses
with
of
for
PVS
exactly
PVS
of
has
tuple
so
e
far
can
b
allo
een
so
applied
0
to
total
sev
t
eral
ound
small
not
demonstration
es
examples
of
and
abili
a
of
gro
.
wing
t
n
of
um
e
b
used
er
to
of
e
signian
PVS
t
the
v
of
eriations
y
The
in
smaller
eciation
examples
an
include
ec
the
the
sp
es
eciation
the
and
obligation
v
system
eriation
lost
of
dic
ordered
yp
binary
of
tree
a
insertion
the
[28],
n
the
y
Bo
nat
y
subt
er
the
Mo
a
ore
e
ma
sp
jorit
yp
y
es
algorithm
further
an
yp
abstract
endent
pip
the
elined
t
pro
ends
cessor
en
Fisc
can
her
but
realime
eness
m
to
utual
are
exclusion
PVS
proto
an
col
that
and
correctness
the
es
Oral
to
Messages
pro
proto
disc
col
cedures
for
suc
Byzan
only
tine
PVS
agree
of
men
ec
t
b
Examples
pr
of
subtyp
this
predicate
scale
consists
can
elemen
t
giv
ypically
e
b
en
e
for
completed
yp
within
ositiv
a
b
da
en
y
t
.
n
More
n
substan
.
tial
es
examples
explicitly
include
and
the
erations
corresp
eciation
ondence
partial
b
vision
et
on
w
subt
een
general
the
hec
programmer
subt
and
undecidable
R
tains
TL
enric
lev
the
el
system
of
of
a
record
simple
structions
hardw
yp
are
comp
pro
a
cessor
alue
[11],
iations
the
con
correctness
test
of
think
a
e
realime
approac
railroad
it
crossing
the
con
the
troller
as
[29],
for
a
w
v
supp
arian
subset
t
PVS
of
v
the
t
Sc
k
hr
hec
oderernstein
yp
theorem
e
and
t
the
generates
correctness
corresp
of
subt
a
t
distributed
obligation
agreemen
e
t
b
proto
decision
col
pro
for
y
a
pro
h
is
ybrid
of
fault
in
mo
yp
del
that
consisting
b
of
t
Byzan
king
tine
1.2
symmetric
y
and
wing
crash
e
faults
ate
[19].
es
These
A
harder
subt
examples
e
can
of
tak
those
e
ts
from
a
sev
en
eral
yp
da
satisfying
ys
giv
to
predicate
a
that
w
example
eek
subt
Curren
e
tly
p
,
e
PVS
um
is
ers
b
giv
eing
b
applied
the
to
yp
the
f
requiremen
:
ts
|
sp
>
eciation
g
of
Predicate
selected
yp
asp
are
ects
to
of
constrain
the
domains
con
ranges
trol
op
soft
in
w
sp
are
and
for
dee
NASA
functions
space
di
sh
as
uttle
functions
pro
a
ject
ecid
and
yp
to
In
v
t
erify
ec
a
king
commercial
predicate
pip
yp
elined
is
micropro
6
cessor
con
AAMP
a
b
useful
eing
hmen
built
to
for
t
a
e
vionics
in
applica
form
tions
dep
at
function
Ro
and
c
con
kw
where
ell
t
In
e
ternational
one
2
onen
The
of
PVS
comp
Language
v
The
dep
PVS
on
sp
b
eciation
running
language
v
builds
tional
on
cases
a
e
classical
there
t
b
yp
merit
ed
this
higherrder
h
logic
that
The
should
base
compromise
t
ectiv
yp
of
es
sp
consist
language
of
a
b
ol
o
deductiv
oleans
analysis
real
e
n
considering
um
orting
b
executable
ers
within
rationals
6
in
do
tegers
ha
nat
e
ural
algorithmic
n
yp
um
hec
b
er
ers
c
lists
ks
and
t
so
e
forth
relativ
The
to
primitiv
simple
e
yp
t
It
yp
pro
e
obligations
constructors
onding
include
predicate
those
yp
for
The
forming
ypical
function
of
(e.g.,
s
at
b
->
automatically
nat
harged
),
y
record
PVS
(e.g.,
pro
[#
The
a
v
:
t
nat
of
b
h
:
of
listat
s
),
the
and
source
tuple
undecid
t
y
yp
the
es
t
(e.g.,
e
nt
so
listat
none
).
the
PVS
enes
departs
decidable
from
yp
simply
hec
t
are
yp
4
ed
logicssubt
automated
datat
v
whic
alue
obli
of
A
another
ense
comp
in
onen
ensure
t
the
PVS
more
terms
vides
include
lo
constan
of
ts
of
v
pro
ariables
er
ab
ed
stractions
eral
(e.g.,
constrain
AMBDA
PVS
(i
of
:
Co
nat
the
i
and
*
formal
i
automated
),
ab
applications
t
(e.g.,
wined
mod
hec
5)
ec
),
yp
record
the
constructions
in
(e.g.,
hec
(#
or
a
t
:=
include
2,
the
b
etaeduction
:=
hec
cons
lo
null
er
#)
LCF
),
HOL
tuple
trol
con
pro
structions
as
(e.g.,
e
(-5,
o
cons
ofs
null
,
),
at
function
What
up
the
dates
of
(e.g.,
k
f
er
WITH
ec
[(2)
the
:=
order
7]
arise
),
in
and
dep
record
of
up
hea
dates
hec
(e.g.,
in
r
are
WITH
the
[a
also
:=
either
5,
as
b
the
:=
are
cons
hec
b
of
).
the
PVS
b
sp
and
eciations
.
are
of
pac
er
k
than
aged
el
as
hec
the
h
ories
TH
that
Nuprl
can
[8],
b
but
e
user
parametric
v
in
of
t
than
yp
suc
es
[3,
and
[21].
constan
that
ts
el
T
ermphasize
yp
of
e
the
parametricit
their
y
the
r
emphasize
p
exp
olymorphism
pro
)
un
is
PVS
used
t
to
asp
capture
language
those
ec
concepts
and
or
hec
results
in
that
t
can
k
b
ok
e
of
stated
er
uniformly
disc
for
obligations
all
t
t
king
yp
olving
es
es
PVS
t
also
The
has
hec
a
mak
facilit
use
y
yp
for
er
automatically
all
generating
olv
abstract
pro
datat
ell
yp
use
e
yp
theories
er
on
pro
taining
that
recursion
harged
and
presen
induction
subgoals
sc
ects
hemes
particularly
for
e
a
in
class
of
of
er
abstract
automatic
datat
yp
yp
b
es
pro
[28].
giv
3
the
The
e
PVS
of
Pro
extensionalit
of
the
Chec
pro
k
c
er
k
The
is
cen
automated
tral
a
design
wev
assumptions
pro
in
c
PVS
k
are
suc
that
as
{
UTOMA
The
[12],
purp
[15],
ose
[7],
of
q
an
and
automated
[16],
pro
pro
of
more
c
con
hec
o
k
er
er
structure
is
the
not
of
merely
highly
to
systems
pro
h
v
Nqthm
e
4]
theorems
Otter
but
W
also
feel
to
the
pro
wev
vide
systems
useful
v
feedbac
the
k
correctness
from
pro
failed
at
and
exp
partial
of
pro
cogency
ofs
and
b
highly
y
systems
serving
theorems
as
the
a
ense
rigorous
their
sk
ofs
eptic
is
{
usual
Automation
out
serv
is
es
exten
to
to
minimi
h
ze
ects
the
the
tedious
the
asp
yp
ects
hec
of
er
formal
pro
reasoning
c
while
k
main
are
taining
tert
a
The
high
yp
lev
hec
el
er
of
v
accuracy
es
in
pro
the
c
b
k
o
in
ok
to
eeping
harge
and
of
formal
that
manip
from
ulations
yp
{
hec
Automation
expressions
should
v
also
predicate
b
yp
e
or
used
enden
to
t
capture
es
rep
pro
etitiv
c
e
k
patterns
also
of
es
argumen
vy
tation
of
{
t
The
ec
end
k
pro
to
duct
that
of
expressions
a
v
pro
ed
of
a
attempt
of
should
w
b
yp
e
This
a
of
pro
t
of
ec
that
k
with
can
only
generate
a
of
small
gations
amoun
are
t
disc
of
automatically
w
are
ork
ted
can
additional
b
Sev
e
asp
made
of
h
language
umanly
the
readable
yp
so
system
that
built
it
to
can
pro
b
c
e
k
sub
These
jected
the
to
use
the
t
so
e
cial
ts
pr
y
o
decision
c
cedures
ess
simpliations
of
en
mathematical
y
scrutin
abstract
y
yp
.
axioms
In
forms
follo
b
wing
and
these
y
design
5
assumptions
theer
mo
made
less
carefully
un
e
usual
the
asp
commands
ect
etitiv
of
Ev
PVS
it
is
as
the
represen
exten
to
t
erful
to
user
whic
ying
h
of
the
cedures
automatic
it
inference
database
and
subgoal
decision
In
pro
one
cedures
t
in
the
v
the
olving
of
equalities
eral
and
or
linear
to
arithmetic
commands
in
basic
equalities
The
are
cedures
emplo
hea
y
trying
ed
the
7
follo
The
information
most
use
direct
{
consequence
pro
of
other
this
ho
is
c
that
understand
the
y
trivial
the
ob
and
vious
and
or
m
tedious
ects
parts
pro
of
extremely
the
their
pro
can
of
supplying
are
ts
often
to
disc
strategies
harged
pro
so
ying
that
are
the
similar
user
highev
can
[20]
fo
er
cus
used
on
IMPS
the
use
in
goal
tellectually
pro
demanding
subgoal
parts
pro
of
erforms
the
tasks
pro
the
of
the
and
wing
the
b
resulting
it
pro
simplis
of
the
is
using
also
ell
easier
tec
to
to
read
to
PVS
pro
also
k
pro
ust
vides
sequen
an
used
eien
to
t
of
conditional
used
rewriter
e
that
parts
in
of
teracts
commands
v
help
ery
then
closely
tax
with
pro
its
to
decision
Man
pro
commands
cedures
o
to
en
simplify
usage
conditions
these
during
e
rewriting
b
More
with
details
optional
ab
adv
out
also
the
ho
rewriting
pro
and
capture
the
patterns
decision
commands
pro
for
cedures
and
used
ofs
in
out
PVS
and
are
um
describ
commonly
ed
strategies
in
tic
[10].
a
The
hec
capabilities
decision
of
ubiquitousl
the
[3,
inference
[24],
and
also
decision
on
pro
decision
ce
Another
dures
Besides
whic
to
h
v
pla
the
y
using
a
decision
cen
cedures
tral
p
role
the
in
wing
almost
{
all
stores
pro
subgoal
ofs
in
in
underlying
PVS
allo
are
automatic
made
to
a
e
v
of
ailable
later
to
it
the
the
user
using
b
decision
y
cedures
means
rewriting
of
w
the
as
follo
simpliation
wing
hniques
primitiv
order
e
learn
inference
w
steps
use
1.
PVS
Bddsimp
of
p
hec
erforms
er
eien
m
t
st
BDDased
the
prop
t
ositional
tation
simpliation
b
on
PVS
the
represen
curren
pro
t
goals
goal
commands
2.
to
Doewrite
v
p
around
erforms
undo
automatic
of
conditional
pro
rewriting
tree
on
the
expressions
used
in
get
the
One
curren
ust
t
understand
goal
syn
using
and
rewrite
of
rules
of
stored
used
in
build
the
ofs
underlying
y
database
these
used
are
b
p
y
w
the
ev
inference
in
pro
simplest
cedures
Sev
PVS
of
pro
commands
vides
b
sev
more
eral
directed
commands
y
for
them
the
one
user
more
to
argumen
mak
The
e
anced
rewrite
will
rules
need
out
understand
of
w
deitions
dee
lemmas
of
and
that
axioms
rep
and
e
en
of
ter
of
them
and
in
used
the
displa
database
editing
The
repla
rewriter
pro
in
There
v
ab
ok
20
es
commands
the
a
decision
n
pro
b
cedures
of
to
used
simplify
el
conditions
7
of
On
conditional
system
rewrite
is
rules
pro
3.
c
Assert
k
in
where
v
pro
ok
are
es
y
the
Nqthm
arithmetic
4],
and
es
equalit
and
y
[14]
decision
rely
pro
vily
cedures
the
on
of
the
pro
cur
6
ren
tresult
diagram
see
Rest
R
of
along
the
pro
T
function
utorial
ely
In
.
the
t
follo
c
wing
primitiv
sections
src
w
.
e
src
in
co
tro
register
duce
three
some
sp
of
pro
the
done
details
see
of
rep
PVS
Figure
system
cessor
b
the
y
ten
w
stages
orking
con
the
in
complete
ALU
pro
of
of
Up
of
the
correctness
eline
of
stage
t
instruction
w
of
o
size
examples
c
This
of
will
as
in
As
tro
wing
duce
e
some
oking
of
.
the
a
most
eline
useful
the
commands
estination
and
b
pro
opcode
vide
registers
a
is
glimpse
the
in
Obtain
to
the
the
clo
philosoph
opreg
y
:
b
onding
ehind
ered
PVS
clo
PVS
.
uses
e
E
in
MA
v
CS
uses
as
execute
its
That
in
t
terface
stage
b
ecause
y
and
extending
indep
E
the
MA
a
CS
exercise
with
is
PVS
the
functions
b
but
as
all
mo
the
k
underlying
e
capabilities
the
of
PVS
E
can
MA
b
CS
in
are
of
a
commands
v
Informal
ailable
sho
Th
c
us
the
the
The
user
instructions
can
pcode
read
,
mail
dstn
and
e
news
some
edit
b
nonPVS
the
es
of
or
and
execute
ery
commands
in
in
b
a
cessor
shell
ad
bur
prop
in
ts
the
e
usual
src
w
k
a
opreg
y
resp
.
2.
All
erform
PVS
eration
commands
the
are
emem
en
opcoded
tered
instruction
as
k
extended
to
E
Write
MA
the
CS
the
commands
b
The
)
pro
with
of
in
c
pro
hec
threetage
k
sim
er
stages
runs
e
as
the
a
the
subpro
is
cess
the
inside
the
E
4
MA
the
CS
eciation
.
pro
5
are
A
enden
Pip
of
elined
datapath
Micropro
As
cessor
theorem
In
ving
this
the
section
hallenge
w
to
e
if
dev
pro
elop
can
a
e
complete
just
pro
automatically
of
a
of
del
a
hec
correctness
er
prop
w
ert
will
y
in
of
follo
the
in
con
the
troller
of
logic
b
of
obtained
a
y
simple
eatedly
pip
v
elined
one
pro
its
cessor
e
design
assert
describ
5.1
ed
Description
at
1
a
ws
registerransfer
blo
lev
k
el
of
The
pip
design
design
and
pro
the
executes
prop
of
ert
form
y
src
v
dstn
erid
i
are
register
b
in
oth
register
based
REGFILE
on
ecomes
the
ALU
pro
determined
cessor
y
ex
of
ample
con
giv
ts
en
source
in
src
[5].
src
The
Ev
example
instruction
has
executed
b
three
een
ycles
used
y
as
pro
a
1.
b
e
enc
:
hmark
the
for
er
ev
ten
aluating
of
ho
register
w
at
w
and
ell
and
ite
c
staten
them
umeration
to
based
and
to
,
ols
ectiv
suc
.
h
Compute
as
P
mo
the
del
op
c
corresp
hec
to
k
op
ers
de
can
b
handle
in
datapathrien
)
ted
the
circuits
and
with
c
a
the
large
in
n
wbreg
um
3.
b
:
er
date
of
register
states
at
b
destination
y
emem
v
ered
arying
dstndd
the
of
size
instruction
of
the
the
alue
datapath
wbreg
F
The
rom
cessor
the
a
p
pip
ersp
to
ectiv
ultaneously
e
distinct
of
of
a
successiv
theorem
instructions
pro
is
v
read
er
of
the
curren
size
instruction
of
executed
the
with
datapath
compute
is
of
irrelev
previous
an
7
t
bco
in
whic
.
of
.
e
.
and
.
parts
.
the
.
y
.
eciation
.
yp
.
theories
.
theories
.
can
.
pro
.
with
.
instruction
.
write
.
is
.
um
.
A
.
express
.
v
.
a
.
part
.
eciation
.
Figures
.
pipe
.
the
.
igure
.
in
.
of
.
parameter
.
pip
.
correctly
.
in
.
pro
.
5.2
.
consist
.
es
-
one
-
collection
-
ncluding
?
out
6
to
-
y
-
tit
-
b
-
theory
.
he
.
The
.
to
.
are
.
he
.
in
.
tains
.
a
.
y
.
theories
.
b
.
signal
.
theory
.
the
.
data
.
the
.
that
.
tering
.
at
.
gets
.
i
.
correct
.
the
.
cycles
.
the
.
ab
.
ormal
.
sp
.
a
.
er
.
h
.
con
.
more
.
is
.
declarations
.
constan
.
axioms
.
erties
.
constan
.
and
.
e
.
Theories
.
ort
.
ery
.
used
.
m
.
either
.
imp
.
b
.
the
.
collection
.
to
?
cessor
.
organized
?
theories
.
whic
.
wn
.
and
-
sp
-
e
6
The
6
2)

sp
-
design
-
t
-
prop
-
b
stall
ed
REGFILE
and
op
imp
co
pipe
de
yp
U
time
L
.
A
is
CONTR
ect
OL
yp
dsn
register
tdd
the
dstnd
ld
stalld
A
stalldd
8
wbreg
an
opreg
en
opreg
the
dstn
eline
op
an
co
time
ded
completed
src
,
src
will
Fig
the
1.
result
A
to
Pip
register
elined
three
Micropro
later
cessor
vided
and
instruction
the
not
write
orted
stage
F
of
Sp
the
PVS
previousorevious
eciations
instruction
of
Since
n
the
b
REGFILE
of
is
eac
not
of
up
h
dated
tains
with
or
the
theories
results
theory
of
a
the
of
previous
t
and
es
previousorevious
ts
instruc
functions
tions
that
while
prop
a
ab
read
the
is
ts
b
theorems
eing
lemmas
p
b
erformed
pro
for
ed
the
ma
curren
imp
t
other
instruction
Ev
the
en
con
y
troller
in
\b
theory
ypasses
ust
REGFILE
e
,
declared
if
an
necessary
orted
,
or
to
e
get
of
the
prelude
correct
standard
v
of
alues
builtn
for
PVS
the
micropro
read
sp
The
is
pro
in
cessor
three
can
selected
ab
of
ort
h
i
sho
treat
in
as
2
NOP
3.
,
complete
the
eciation
instruction
b
in
found
the
[31].)
read
theory
stage
igure
b
con
y
a
asserting
eciation
the
the
stall
and
signal
statemen
true
of
An
correctness
instruction
ert
is
to
ab
e
orted
v
b
The
y
signal
inhibiting
time
its
3)
write
orted
stage
y
b
declares
y
t
remem
es
b
and
ering
used
the
pipe
stall
The
signal
pipe
un
parameterized
til
resp
the
to
write
t
stage
es
via
the
the
address
registers
and
stalld
op
and
de
stalldd
of
.
instructions
W
theory
e
in
v
.
erifyyp
mo
parameterized
:
rc
TYPE
,
data
parametric
TYPE
=
opcodes
e
TYPE
restriction
THEORY
tiate
BEGIN
F
IMPORTIN
to
G
pipeddr
signal
r
time
2.
ASSUMING
a
addronem
pipe
pt
requiremen
y
part
ASSUMPTI
Ev
ON
ect
XISTS
declared
(a:
maps
addr
he
TRUE
imp
dataonem
dst
pt
t
y
,
ASSUMPTI
)
ON
eciation
XISTS
yp
(d:
to
data
as
TRUE
imp
opcodeso
ters
ne
b
mp
stated
ty
,
:
y
ASSUMPTI
y
ON
y
XISTS
of
(o:
t
opcodes
theory
:
denoting
TRUE
ym
ENDASSUM
e
ING
signal
t
in
VAR
signal
time
+3
%%
t
Signal
od
declara
t
tio
(t
ns
+2
opcode
t
signalp
pipe
co
cessor
de
can
s
a
src
parameter
src
b
dstn
particular
signal
suc
dd
.
r
es
stall
an
signal
its
boo
than
l
that
aluout
nonempt
signala
h
ta
the
]
the
regfile
can
signal
with
ad
yp
dr
en
->
in
data
is
...
with
%%
the
Specifica
theory
ti
example
on
e
of
the
constrai
is
nt
yp
s
function
on
(a
the
nat
signals
t
dstndx
T
:
yp
AXIOM
used
dstnd
the
1)
design
=
the
dstn
tiated
dstndd
regfile
x
)(
AXIOM
n
dstndd
)
1)
aluoppc
=
e
dstnd
regfile
)
2)
.....
c
regfile
))
ax
regfile
:
s
AXIOM
2(
regfile
))
t
END
1)
Fig
=
Micropro
IF
Sp
stalldd
PVS
)
b
THEN
either
regfile
t
)
e
ELSE
or
regfile
parameter
)
elonging
WITH
a
dstndd
t
(t)
e
)
h
:=
nat
wbreg
Since
]
do
ENDIF
not
oprega
ose
x
y
AXIOM
on
opregt
parame
1)
other
=
the
IF
t
srct
they
=
e
dstnd
y
&
whic
NOT
is
stalld
in
THEN
ASSUMING
aluout
of
ELSIF
theory
srct
one
=
instan
dstndd
them
t
an
&
t
NOT
e
stalldd
ery
(t)
tit
THEN
declared
wbreg
a
ELSE
theory
regfile
implicitl
s
parameterized
rc
resp
1(
to
t
parameters
)
the
ENDIF
.
opregax
or
:
the
AXIOM
yp
...
signal
aluop
in
pcodes
parameterized
data
signal
data
a
->
t
data
e
ALUx
a
AXIOM
that
aluout
time
=
synon
aluopp
for
co
)
ded
the
(t
yp
),
parameter
opregt
.
),
t
opregt
e
))
is
correctn
to
es
del
s
wires
THEOREM
our
ORALL
By
t
orting
NOTtal
theory
l
uninstan
t
9
)
IMPLIESat
used
instan
:
yp
TYPE
in
THEORY
design
BEGIN
represen
signal
ha
TYPE
terms
=
essen
ime
erforming
->
in
val
outputs
END
signal
signal
v
time
the
THEORY
output
BEGIN
descriptiv
time
steps
TYPE
predicates
nat
ariables
END
h
signal
to
Fig
parts
3.
and
Signal
osite
Sp
data
eciation
un
in
set
pipe
time
,
eciation
w
alue
e
that
ha
com
v
instan
e
in
the
ts
freedom
predicativ
to
the
create
and
an
tially
y
a
desired
discussed
instances
ples
of
PVS
the
micropro
t
of
yp
declares
e
inputs
signal
wires
.
nen
In
,
this
function
tutorial
deled
w
signals
e
ts
use
part
a
sp
functional
signals
st
e
yle
sho
of
of
sp
example
eciation
of
to
deed
mo
a
del
whic
register
t
transferev
at
el
one
digital
of
hardw
b
are
erties
in
theory
logic
for
In
sp
this
un
st
onen
yle
their
the
ap
inputs
the
to
tid
the
automatic
design
of
and
translation
the
[31],
outputs
more
of
hardw
ev
eriation
ery
bac
comp
example
onen
sp
t
con
in
w
the
st
design
the
are
the
mo
the
deled
in
as
denote
signals
comp
Ev
The
ery
of
signal
h
that
as
is
addr
an
is
output
y
of
.
a
declared
comp
terpreted
onen
appropriate
t
The
is
of
sp
AXIOMs
ecid
the
as
of
a
v
function
o
of
w
the
e
signals
the
app
a
earing
signals
at
F
the
signal
inputs
the
to
register
the
t
comp
b
onen
its
t
earlier
This
the
st
is
yle
comp
should
deed
b
the
e
same
con
In
trasted
use
with
st
a
as
pr
ex
e
selectiv
dic
ducing
ative
the
st
in
yle
signalal
whic
required
h
a
is
e
commonl
eciation
y
tially
used
wind
in
comp
most
t
HOL
using
applications
deitions
In
then
the
propriately
predicativ
tiate
e
existen
st
quan
yle
v
ev
An
ery
w
hardw
y
are
p
com
this
p
is
onen
in
t
whic
is
illustrates
sp
exam
ecid
of
as
are
a
v
predicate
using
relating
Getting
the
k
input
our
and
the
output
cessor
signals
eciation
of
pipe
the
sists
comp
t
onen
o
t
The
and
part
a
all
design
signals
is
in
sp
designhe
ecid
to
as
design
a
the
conjunction
ternal
of
that
the
the
comp
of
onen
o
t
ts
predi
comp
cates
state
with
REGFILE
all
whic
the
is
in
ted
ternal
a
signals
from
used
to
to
,
connect
mo
the
b
comp
the
onen
regfile
ts
The
hidden
are
b
as
y
in
existen
constan
tial
of
quan
t
tiation
es
A
second
pro
consists
of
a
of
of
correctness
that
for
ecify
a
the
predicativ
alues
e
the
st
o
yle
er
sp
(T
ecia
conserv
tion
space
usually
e
in
v
v
only
olv
wn
es
sp
executing
of
a
subset
few
the
additional
in
steps
design
at
or
the
the
start
v
of
at
the
output
pro
the
of
dstnd
to
time
essen
is
tially
to
transform
e
the
of
predictativ
input
e
cycle
sp
The
eciation
of
in
ALU
to
h
an
a
equiv
binational
alen
onen
t
is
functional
in
st
of
yle
inputs
After
the
that
time
the
t
pro
PVS
of
can
pro
a
ceeds
e
similar
yle
to
deition
that
illustrated
of
this
a
ample
pro
y
of
ely
in
tro
a
prop
functional
of
sp
constan
eciation
declared
The
a
additional
10
pro
of

¡Sé el primero en escribir un comentario!

13/1000 caracteres como máximo.