Piton: A Mechanically Verified Assembly-Level Language
by J Strother Moore, Computational Logic, Inc., Austin, Texas, U.S.A.

Automated Reasoning Series. Managing Editor: William Pase, Odyssey Research Associates, Ottawa, Canada. Editorial Board: Robert S. Boyer (University of Texas at Austin), Deepak Kapur (State University of New York at Albany), Hans Jürgen Ohlbach (Max-Planck-Institut für Informatik), Lawrence Paulson (Cambridge University), Mark Stickel (SRI International), Richard Waldinger (SRI International), Larry Wos (Argonne National Laboratory).

Published by Kluwer Academic Publishers, Dordrecht, The Netherlands, 1996. ISBN 0-7923-3920-7. A C.I.P. catalogue record for this book is available from the Library of Congress. © 1996 Kluwer Academic Publishers. All rights reserved. Printed in the Netherlands on acid-free paper.

Contents

Preface
1 Introduction and History
  1.1 What This Book is About
  1.2 Piton as a Software Project
  1.3 About This Book
  1.4 Mechanized Mathematics and the Social Process
  1.5 The History of the Piton Project
  1.6 Related Work
  1.7 Outline of the Presentation
2 The Nqthm Logic
  2.1 Syntax, Primitive Data Types and Conventions
  2.2 Primitive Function Symbols
  2.3 Let Notation
  2.4 Recursive Definitions
  2.5 User-Defined Data Types
3 An Informal Sketch of Piton
  3.1 An Example Piton Program
  3.2 Piton States
  3.3 Type Checking
  3.4 Data Types
  3.5 The Data Segment
  3.6 The Program Segment
  3.7 Instructions
  3.8 The Piton Interpreter
  3.9 Erroneous States
4 Big Number Addition
  4.1 An Informal Explanation
  4.2 A Formal Explanation
  4.3 A Piton Program
  4.4 An Initial State
  4.5 The Formal Specification
  4.6 Using the Formal Specification
  4.7 The Proof of the Correctness of Big-Add
  4.8 Summary
5 A Sketch of FM9001
  5.1 FM9001 Fetch-Execute Cycle
  5.2 Programming the FM9001
  5.3 An FM9001 Assembly Language
  5.4 Formalization and Verification
6 The Correctness of Piton on FM9001
  6.1 The Hypotheses of the Correctness Result
  6.2 The Conclusion of the Correctness Result
  6.3 The Termination of FM9001
  6.4 Applying the Correctness Result to Big-Add
  6.5 Upwards versus Downwards
7 The Implementation of Piton on FM9001
  7.1 An Example
  7.2 A Sketch of the FM9001 Implementation
  7.3 The Intermediate States of Load
  7.4 Resource Representation
  7.5 Compiling
  7.6 The Link-Assembler
  7.7 Image Construction
8 Proof of the Correctness Theorem
  8.1 The R Machine
  8.2 The I Machine
  8.3 The M Machine
  8.4 The One-Way Correspondence Lemmas
  8.5 The Partial Inversion Lemmas
  8.6 The Correctness Proof
Appendix I Summary of Piton Instructions
Appendix II The Formal Definition of Piton
  II.1 A Guide to the Formal Definition of Piton
  II.2 Alphabetical Listing of the Piton Definitions
Appendix III The Formal Definition of FM9001
  III.1 A Guide to the Formal Definition of FM9001
  III.2 Alphabetical Listing of the FM9001 Definitions
Appendix IV The Formal Implementation
  IV.1 A Guide to the Formal Implementation
  IV.2 Alphabetical Listing of the Implementation
Appendix V The Formal Correctness Theorem
Bibliography
Index

Preface

Mountaineers use pitons to protect
themselves from falls. The lead climber wears a harness to which a rope is tied. As the climber ascends, the rope is paid out by a partner on the ground. As described thus far, the climber receives no protection from the rope or the partner. However, the climber generally carries several spike-like pitons and stops when possible to drive one into a small crack or crevice in the rock face. After climbing just above the piton, the climber clips the rope to the piton, using slings and carabiners. A subsequent fall would result in the climber hanging from the piton—if the piton stays in the rock, the slings and carabiners do not fail, the rope does not break, the partner is holding the rope taut and secure, and the climber had not climbed too high above the piton before falling. The climber's safety clearly depends on all of the components of the system. But the piton is distinguished because it connects the natural to the artificial.

In 1987 I designed an assembly-level language for Warren Hunt's FM8501 verified microprocessor. I wanted the language to be conveniently used as the object code produced by verified compilers. Thus, I envisioned the language as the first software link in a trusted chain from verified hardware to verified applications programs. Thinking of the hardware as the "rock," I named the language "Piton." The trusted chain was actually built and became known as Computational Logic, Inc.'s "short stack."

It is now 1994. The Piton project did not take eight years. Some of what happened in the meantime is relevant and is told as part of the history of the project. But some of the delay is due to my own procrastination. In addition, some thought was given to patenting some of the components of the stack, and the publication of some of the Piton results might have compromised that attempt. In the end, we decided it was in the best interests of all concerned simply to publish our results in the normal scientific tradition. I am sorry for the delay.

The Piton project benefited substantially from the contributions of Warren Hunt, Matt Kaufmann, and Bill Young. Warren showed me how to program in FM8502 machine code, helped write the first version of the linker, and produced FM8502 from FM8501 in response to my requests. Matt volunteered to help construct the correctness proof and "contracted" to deliver the proof for one of the three main lemmas. I can think of no higher testimony to his mathematical and clerical skills than merely to point out that he was given a formula involving, at some level, about 500 defined function symbols and two months later delivered his proof—after finding and correcting dozens of bugs. His participation in the proof effort sped the whole project up far more than suggested by his two months of work. Finally, Bill is the first user of Piton—it is the target language of his Micro-Gypsy compiler—and so he has had the burden of being the "bad guy" who always needed some (perfectly reasonable) feature I had omitted. Without him, Piton would be far more of a toy than it is.

Bishop Brock helped me when I ported the FM8502 Piton downloader and its proof to the FM9001. I would also like to thank Matt Wilding for his careful reading and constructive criticism of the first draft of this book, his use of Piton to produce a verified NIM program [33], and his energy in getting the first Piton binary images actually downloaded to and running on the fabricated FM9001 device. This actually happened first at the University of Indiana, to which we had sent one of our fabricated devices. Ken Albin helped get the first Piton images running at CLI. Finally, Art Flatau, who wrote and verified the second compiler which produces Piton object code [16], also helped clarify the presentation of Piton in the first draft of this book.

Bob Boyer has been very supportive throughout the Piton work, both as a source of technical advice and enthusiasm for the work and its distribution and publication. Mike Smith wrote the infix printer which generated most of the formulas shown here from the Lisp-like s-expression notation actually used by Nqthm. Mike was extremely helpful in producing the final draft of this book. Some of the formulas were "hand prettyprinted" by me, and so the responsibility for the typographical errors is on my shoulders, not Mike's software. Finally, I would like to thank all my other colleagues at Computational Logic, Inc., and especially Don Good, for making this such a good place for me to work.

Two anonymous referees of the early draft of this book deserve special thanks for their exceptionally detailed and thoughtful comments. The book is much better for their efforts.

This work was supported in part at Computational Logic, Inc., by the Advanced Research Projects Agency, ARPA Orders 6082 and 9151. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., the Advanced Research Projects Agency or the U.S. Government.

As for the name "Piton," I should point out that many climbers eschew their use. They often damage the rock face and, when properly placed, they cannot be easily removed. Because of concern for route protection, continued access to challenging climbs, new technology, and the changing aesthetics of sport climbing, pitons are not often found on the modern climber's rack. They have been replaced by a variety of lightweight removable anchors that come in a plethora of sizes and styles such as nuts, cams, and stoppers. Nevertheless, if I ever fall onto a single artificial anchor, I hope it's a well placed piton.

1 Introduction and History

1.1 What This Book is About

Piton is a simple assembly-level programming language for a microprocessor called the FM9001, described at the machine code level. The correctness of the implementation has been proved by a mechanical theorem prover. This book is about the exact meaning of the previous paragraph. What is Piton, exactly? What is the FM9001? How is Piton implemented on the FM9001? In what sense is the implementation correct? How is its correctness expressed mathematically? How is it proved? These questions are answered here. Also discussed is the evolutionary character of software, the Piton implementation in particular, and how proof plays a continuing role in its design and improvement.

Should you spend your time reading this book? Don't approach it that way. Read this first chapter and then decide. It won't take long and it informally tells the whole story.

Piton is a simple but non-trivial programming language. It provides execute-only programs, recursive subroutine call and return, stack based parameter passing, local variables, global variables and arrays, a user-visible stack for intermediate results, and seven abstract data types including integers, data addresses, program addresses and subroutine names. Here is part of a Piton program that illustrates the language. The program is printed in an abstract syntax (but the Piton implementation deals with parse trees and does not include a parser). This program is discussed at length later. It is used here merely to suggest the level at which the Piton programmer deals with computation.

    subroutine big-add (a b n)
      push-constant f          ; push f on the stack
      push-local a             ; push (the value of) a (an address)
    loop
      fetch                    ; pop an address, fetch and push contents
      push-local b             ; push b (an address)
      fetch                    ; pop an address, fetch and push contents
      add-nat-with-carry       ; add the topmost elements of stack

Piton is implemented on the FM9001 via a mathematical function that generates an FM9001 binary machine code image from a given system of Piton programs and data declarations. This function, called the Piton "downloader," is realized by composing a compiler, assembler, and linker. Note that the Piton downloader is not a program running on the FM9001 but a mathematically defined function. It would not be misleading to think of it as a Pure Lisp program that generates FM9001 binary images from Piton programs. Below are the first few bit vectors in that portion of the image produced from the program above by the downloader.

    00001111111000001000100000000001
    00001111111000000000010000000010
    00001111111000001000100000110011
    00001111111000001000100000110011
    00001111111000001000100000110011
    00001111111000001000110000111111
    00000000000000000000000000000000
    00001111111000000001000000111111
    00000000000000000000000000000000
    00000011111000000001000000000010
    00001111111000001000110000010100
    00001111111000000001000000110011

Of course, a binary image for an undescribed machine is of almost no interest. Perhaps, however, the "core dump" communicates an intuitive appreciation of the transformation wrought by the Piton downloader. This image is essentially the data for an abstract, finite, register-based von Neumann machine, the FM9001, and causes that machine to carry out a certain computation. It would be interesting to show that the answer delivered by the above Piton program is "the same as" that produced by the FM9001 on the downloaded image. In that case one might say the image is "suitable." The challenge addressed in this book is more general. Roughly speaking, the Piton downloader should produce a suitable binary image for every legal Piton program. Of course, this cannot be done because the FM9001 has only a finite amount of memory and Piton programs can be arbitrarily large. But there is a practical sense in which the Piton implementation is correct, and it is that sense captured in the theorem proved about it. The theorem can be stated informally as follows. Suppose p_0 is a "proper Piton state" for a "32-bit wide" "Piton machine."
Suppose p_0 is "loadable" onto the FM9001. Let p_n be the result of "running the Piton machine" n steps starting from p_0. Suppose that no "runtime error" occurs and that the final "answer" has "type specification" ts. Then the answer can be alternatively obtained by "downloading" p_0, "running FM9001" some k steps from that initial state, and then interpreting a certain region of memory (given by the "link tables") as representing data of type specification ts. The k in the theorem is constructed from p_0 and n.

Among the interesting technical aspects of the Piton project are that truly abstract objects and operations are implemented on a much lower level processor in a way that is mechanically proved correct, the notion of "erroneous" computation is for-

Bibliography

1. R. Aubin. Strategies for Mechanizing Structural Induction. International Joint Conference on Artificial Intelligence, 1977.
2. W. Bevier. A Verified Operating System Kernel. Ph.D. Thesis, University of Texas at Austin, 1987.
3. W.R. Bevier, W.A. Hunt, J S. Moore, and W.D. Young. "Special Issue on System Verification." Journal of Automated Reasoning 5, 4 (1989), 409-530.
4. J. Bowen, M. Franzle, E.R. Olderog, and A.P. Ravn. Developing Correct Systems. Proceedings of the 5th Euromicro Workshop on Real-Time Systems, 1993.
5. R.S. Boyer and J S. Moore. A Computational Logic Handbook. Academic Press, New York, 1988.
6. R.S. Boyer and Y. Yu. Automated Correctness Proofs of Machine Code Programs for a Commercial Microprocessor. In 11th Conference on Automated Deduction, Lecture Notes in Computer Science, D. Kapur, Ed., Springer-Verlag, 1992, pp. 416-430.
7. B.C. Brock and W.A. Hunt. The Formal Specification and Verification of the FM9001 Microprocessor. Technical Report 86, Computational Logic, Inc., 1717 W. Sixth Street, Suite 290, Austin, TX 78703, October 1994.
8. R. Burstall. "Proving Properties of Programs by Structural Induction." The Computer Journal 12 (1969), 41-48.
9. R.M. Burstall and P.J. Landin. Programs and Their Proofs: an Algebraic Approach. In Machine Intelligence 4, B. Meltzer and D. Michie, Ed., Edinburgh University Press, 1969, pp. 17-43.
10. R. Cartwright. A Practical Formal Semantic Definition and Verification System for Typed LISP. Ph.D. Thesis, Stanford University, 1976.
11. L.M. Chirica and D.F. Martin. "Toward Compiler Implementation Correctness Proofs." ACM Transactions on Programming Languages and Systems 8 (1986), 185-214.
12. A. Cohn. High Level Proof in LCF. Proceedings of the Fifth Symposium on Automated Deduction, 1979.
13. A.J. Cohn. "The Notion of Proof in Hardware Verification." Journal of Automated Reasoning (1989), 127-138.
14. W.J. Cullyer. Implementing Safety Critical Systems: The Viper Microprocessor. In VLSI Specification, Verification and Synthesis, G. Birtwistle and P.A. Subrahmanyam, Ed., Kluwer Academic Publishers, 1988, pp. 1-25.
15. P. Curzon. "Deriving Correctness Properties of Compiled Code." Formal Methods in System Design 3, 1/2 (1993), 83-115.
16. A. Flatau. A Verified Implementation of an Applicative Language with Dynamic Storage Allocation. Ph.D. Thesis, University of Texas, 1992. Also available through Computational Logic, Inc., Suite 290, 1717 West Sixth Street, Austin, TX 78703.
17. M. Gordon. HOL: A Proof Generating System for Higher-Order Logic. Technical Report 103, University of Cambridge, Computer Laboratory, 1987.
18. W.A. Hunt, Jr. FM8501: A Verified Microprocessor. LNAI 795, Springer-Verlag, 1994.
19. J.J. Joyce. A Verified Compiler for a Verified Microprocessor. Technical Report 167, University of Cambridge, Computer Laboratory, 1989.
20. J.J. Joyce. Totally Verified Systems: Linking Verified Software to Verified Hardware. Specification, Verification and Synthesis: Mathematical Aspects, 1989.
21. M. Kaufmann. "An Extension of the Boyer-Moore Theorem Prover to Support First-Order Quantification." Journal of Automated Reasoning 9 (December 1992), 355-372.
22. K. Kunen. A Ramsey Theorem in Boyer-Moore Logic. Technical Report, Computer Sciences Department, University of Wisconsin, 1994. http://www.cs.wisc.edu/~kunen/kunen.html
23. R.L. London. Correctness of a Compiler for a LISP Subset. Proceedings of an ACM Conference on Proving Assertions about Programs, 1972.
24. J. McCarthy and J. Painter. Correctness of a Compiler for Arithmetic Expressions. Proceedings of Symposium on Applied Mathematics, American Mathematical Society, 1967.
25. R. Milner and R. Weyhrauch. Proving Compiler Correctness in a Mechanized Logic. In Machine Intelligence 7, Edinburgh University Press, Edinburgh, Scotland, 1972, pp. 51-70.
26. J S. Moore. Piton: A Verified Assembly-Level Language. Technical Report CLI-22, Computational Logic, Inc., Austin, TX, June 1988.
27. F.L. Morris. Advice on Structuring Compilers and Proving Them Correct. Proceedings of the ACM Symposium on Principles of Programming Languages, October 1973, pp. 144-152.
28. D.P. Oliva and M. Wand. A Verified Compiler for Pure PreScheme. Technical Report NU-CCS-92-5, Northeastern University College of Computer Science, 1992.
29. W. Polak. Compiler Specification and Verification. Springer-Verlag, Berlin, 1981.
30. D.M. Russinoff. "A Mechanical Proof of Quadratic Reciprocity." Journal of Automated Reasoning 8 (1992), 3-21.
31. N. Shankar. Metamathematics, Machines, and Gödel's Proof. Cambridge University Press, 1994.
32. J.R. Shoenfield. Mathematical Logic. Addison-Wesley, Reading, MA, 1967.
33. M. Wilding. A Mechanically Verified Application for a Mechanically Verified Environment. Proceedings of CAV '93, LNCS 697, 1993, pp. 268-279.
34. W.D. Young. A Verified Code-Generator for a Subset of Gypsy. University of Texas at Austin, 1988. Also available through Computational Logic, Inc., Suite 290, 1717 West Sixth Street, Austin, TX 78703.
35. Y. Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. Ph.D. Thesis, University of Texas, 1992.

Index

The numbers associated with each entry of this index are page numbers. Each number is in one of three fonts. Bold face numbers, such as 27 and 135, indicate the defining occurrence of the symbol or phrase. Numbers in Roman font, such as 27 and 135, indicate significant occurrences of the symbol or phrase in text. Not
every occurrence of the symbol or phrase in text is deemed "significant." Numbers in italic font, such as 27 and 135, indicate occurrences of the given symbol in the definitions listed in Appendices II-V of this report. Every such occurrence is noted. Such page numbers indicate the beginning of the containing definition, rather than the page on which the occurrence is found.

Symbols
× 21
+ 20
- 20, 21
-1 20
/ 21
1+ 20
< 20
= 20
∧ 20
∈ 21
∈ N 20
→ 20
¬ 20
∨ 20
≤ 20

A
A-immediate 245, 249
A-immediate-p 245, 249
Absolute-address 267, 267, 288, 297
Actuals 33
Add-addr 178, 178, 185
add-addr instruction, effects 185
add-addr instruction, precondition 185
add-addr instruction, summary 36, 161
add-addr instruction, syntax 227
Add-adp 178, 178
add-int instruction, effects 186
add-int instruction, precondition 186
add-int instruction, summary 37, 162
add-int instruction, syntax 228
add-int-with-carry instruction, effects 187
add-int-with-carry instruction, precondition 186
add-int-with-carry instruction, summary 37, 162
add-int-with-carry instruction, syntax 228
add-nat instruction, effects 187
add-nat instruction, precondition 187
add-nat instruction, summary 162
add-nat instruction, syntax 228
add-nat-with-carry instruction, effects 188
add-nat-with-carry instruction, precondition 188
add-nat-with-carry instruction, summary 162
add-nat-with-carry instruction, syntax 228
Add1-addr 178, 178, 190, 191
add1-int instruction, effects 189
add1-int instruction, precondition 188
add1-int instruction, summary 162
add1-int instruction, syntax 228
add1-nat instruction, effects 189
add1-nat instruction, precondition 189
add1-nat instruction, summary 162
add1-nat instruction, syntax 228
Add1-p-pc 178, 185, 186, 187, 188, 189, 190, 192, 193, 194, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 226, 241
Addr-to-v 267, 289
Adp-name 178, 178, 180, 181, 227, 240, 267, 289
Adp-offset 178, 178, 181, 185, 227, 240, 267
Adpp 178, 208
Albin, Ken vii
Alist 118
All-but-last 179, 240
All-find-labelp 179, 233
All-litatoms 179, 235
All-p-objectps 179, 228
All-zero-bitvp 179, 224
And-bit 179, 179
And-bitv 179, 189
and-bitv instruction, effects 189
and-bitv instruction, precondition 189
and-bitv instruction, summary 162
and-bitv instruction, syntax 228
And-bool 180, 190
and-bool instruction, effects 190
and-bool instruction, precondition 190
and-bool instruction, summary 162
and-bool instruction, syntax 228
Area-name 180, 191, 203, 212, 229, 237, 296
Area-type-specification 300, 302
Array 31, 52
Assembler 97
Assoc 21
Assoc-cdrp 300, 301
Association list 118

B
B-and 245, 254, 255
B-buf 245, 255
B-equv 245, 254
B-if 245, 255
B-not 245, 256
B-or 245, 254, 256
B-xor 246, 246, 254, 257
B-xor3 246, 254
Base-address 267, 267, 288, 297, 300, 301
Basic block 110, 150, 262, 263
Bevier, Bill 11
Big number (in base b) 44
Big number addition 43, 44
Big-add-array 44
Big-add-array-loop 65
Big-add-carry-out 45
Big-add-clock 56
Big-add-input-conditionp 55
Big-add-loop-clock 57
Big-add-program 52
Big-plus 46
Bign=>nat 44
Bignp 44
Bindings 27, 180, 184, 194, 202, 203, 211, 229, 240, 294
Bit-vectorp 180, 208
Bitp 180, 180
Bitv-to-v 267, 289
Body 33, 110
Bool 180, 181, 188, 193, 204, 205, 206, 220, 222
Bool-to-logical 268, 277
Bool-to-nat 180, 181, 188, 220, 222
Bool-to-v 268, 289
Booleanp 180, 208
Boolfix 246, 252, 254, 256
Boot code 101
Boot-code 268, 297
Boot-lst 79, 101
Boyer, Bob vii
Brock, Bishop vii, 71, 76
Bv 246, 248, 250

C
C 246, 253
C-flag 246, 248, 252, 253
C-set 246, 253
Caddr 21
Cadr 21
call instruction, effects 149, 191
call instruction, precondition 190
call instruction, summary 37, 163
call instruction, syntax 228
Car 21
Carry out 45
case 19
Cddr 21
Cdr 21
Cfp register 100
Clock 145
Compiler 97
Cons 21
Control stack 27
Control stack area 102
Corollary 144
Correctness of big-add 57
Correctness of FM9001 Piton 79
Csp register 100
Current instruction 27
Current program 27
Cvzbv 246, 247, 254
Cvzbv-dec 246, 254
Cvzbv-inc 246, 254
Cvzbv-neg 246, 254
Cvzbv-v-adder 246, 247, 254
Cvzbv-v-asr 247, 254
Cvzbv-v-lsr 247, 254
Cvzbv-v-not 247, 254
Cvzbv-v-ror 247, 254
Cvzbv-v-subtracter 246, 247, 254

D
Data area 31
Data segment 27
Def-label form 33
Definedp 178, 180, 208, 227, 228, 229, 234, 236
Definiens 178, 181, 181, 184
Definition 181, 181, 190, 191, 227, 229, 233, 234, 235, 236, 237, 238, 296
Denotational semantics 14
Deposit 181, 192, 210, 218
deposit instruction, effects 192
deposit instruction, precondition 192
deposit instruction, summary 37, 163
deposit instruction, syntax 229
Deposit-adp 181, 181
deposit-temp-stk instruction, effects 192
deposit-temp-stk instruction, precondition 192
deposit-temp-stk instruction, summary 37, 163
deposit-temp-stk instruction, syntax 229
Display-fm9001-array 300, 300
Display-fm9001-data-area 300, 301
Display-fm9001-data-segment 85, 301
Display-fm9001-data-segment1 301, 301
div2-nat instruction, effects 193
div2-nat instruction, precondition 192
div2-nat instruction, summary 163
div2-nat instruction, syntax 229
dl 33
Dl 268, 268, 277
Dl-block 268, 275

E
Effects function 39
else 19
elseif 19
Empty temporary stack address 105
endif 19
eq instruction, effects 193
eq instruction, precondition 193
eq instruction, summary 37, 163
eq instruction, syntax 229
Erroneous 40
Error conditions 40
Errorp 301
Exp 181, 182, 222, 237, 240, 268, 288, 293, 295, 302, 303
Exposing hidden resources 149
Extended data object 114
Extract-cvnz 268, 295
Extract-mode 269, 295
Extract-move-bits 269, 293
Extract-op 269, 295
Extract-reg 270, 295
Extract-reg1 270, 270

F
Fall-off-proofp 181, 255
Falsep 20
Fetch 181, 195, 274
fetch instruction, effects 193
fetch instruction, precondition 193
fetch instruction, summary 38, 163
fetch instruction, syntax 229
Fetch-adp 181, 181
fetch-temp-stk instruction, effects 194
fetch-temp-stk instruction, precondition 194
fetch-temp-stk instruction, summary 164
fetch-temp-stk instruction, syntax 229
Find-containing-area-name 301, 301
Find-containing-label-table 301, 302
Find-label 181, 227, 296
Find-labelp 179, 182, 233, 235, 236, 238
Find-position-of-var 270, 295
First-n 182, 226
Firstn 247, 254, 296
Fix 20
Fix-small-integer 182, 181, 220
Fix-small-natural 182, 188, 206
Flags 248, 250
Flatau, Art vii
Fm9001 243, 248
Fm9001 Piton is correct 80, 157, 299
Fm9001-alu-operation 248, 249
Fm9001-clock 86, 145, 299
Fm9001-fetch 244, 248, 250
Fm9001-operand-a 244, 248, 249
Fm9001-operand-b 249, 249
Fm9001-step 243, 248, 250
Formal parameters 33
Formal-vars 182, 184, 190, 191, 255, 277
Frame 27
Full control stack address 105
Full temporary stack address 105

G
Generate-postlude 271, 288
Generate-prelude 262, 271, 288
Generate-prelude1 149, 263, 271, 271
Generate-prelude2 149, 263, 271, 271
Get 181, 182, 191, 207, 205, 240
Global variable 31
Good, Don vii

H
Hidden resources 142
Hunt, Warren vii, 8, 9, 11, 71, 76

I
I 138
I=>m 97, 116, 264, 271, 293
I-c-flg 272
I-cfp 272
I-csp 272
I-link-tables 117, 277, 272, 302
I-n-flg 272
I-pc 272
I-prog-segment 272
I-psw 272
I-state 261, 277, 272, 272, 295
I-statep 272
I-sys-data-segment 272
I-tsp 272
I-usr-data-segment 272
I-v-flg 272
I-word-size 272
I-x 272
I-y 272
I-z-flg 272
Icode 273, 288
Icode-add-addr 273, 285
Icode-add-int 273, 285
Icode-add-int-with-carry 273, 285
Icode-add-nat 273, 285
Icode-add-nat-with-carry 273, 285
Icode-add1-int 274, 285
Icode-add1-nat 274, 285
Icode-and-bitv 274, 285
Icode-and-bool 274, 285
Icode-call 274, 285
Icode-deposit 274, 285
Icode-deposit-temp-stk 274, 285
Icode-div2-nat 275, 285
Icode-eq 275, 285
Icode-fetch 275, 285
Icode-fetch-temp-stk 275, 285
Icode-instructionp 275, 292
Icode-int-to-nat 276, 285
Icode-jump 276, 285
Icode-jump-case 276, 285
Icode-jump-if-temp-stk-empty 276, 285
Icode-jump-if-temp-stk-full 276, 285
Icode-locn 276, 285
Icode-lsh-bitv 277, 285
Icode-lt-addr 277, 285
Icode-lt-int 277, 285
Icode-lt-nat 277, 285
Icode-mult2-nat 277, 285
Icode-mult2-nat-with-carry-out 278, 285
Icode-neg-int 278, 285
Icode-no-op 278, 285
Icode-not-bitv 278, 285
Icode-not-bool 278, 285
Icode-or-bitv 278, 285
Icode-or-bool 278, 285
Icode-pop 278, 285
Icode-pop* 278, 285
Icode-pop-call 279, 285
Icode-pop-global 279, 285
Icode-pop-local 279, 285
Icode-pop-locn 279, 285
Icode-popj 279, 285
Icode-popn 279, 285
Icode-push-constant 264, 279, 285
Icode-push-ctrl-stk-free-size 280, 285
Icode-push-global 280, 285
Icode-push-local 264, 280, 285
Icode-push-temp-stk-free-size 280, 285
Icode-push-temp-stk-index 280, 285
Icode-pushj 281, 285
Icode-ret 281, 285
Icode-rsh-bitv 281, 285
Icode-set-global 281, 285
Icode-set-local 281, 285
Icode-sub-addr 281, 285
Icode-sub-int 282, 285
Icode-sub-int-with-carry 282, 285
Icode-sub-nat 282, 285
Icode-sub-nat-with-carry 282, 285
Icode-sub1-int 282, 285
Icode-sub1-nat 282, 285
Icode-test-bitv-and-jump 282, 285
Icode-test-bool-and-jump 283, 285
Icode-test-int-and-jump 283, 285
Icode-test-nat-and-jump 284, 285
Icode-xor-bitv 285, 285
Icode1 273, 285
Icompile 262, 288, 295, 302
Icompile-program 262, 288, 288, 296
Icompile-program-body 263, 288, 288
Idifference 182, 219, 220, 222, 303
if 19
Ilessp 182, 204, 240, 288
Image construction 98
Ineg 182, 183
Inegate 183, 206
Initial value 33
int-to-nat instruction, effects 200
int-to-nat instruction, precondition 200
int-to-nat instruction, summary 38, 164
int-to-nat instruction, syntax 232
Int-to-v 288, 289
Integerp 183, 240
Invert-absolute-address 301, 303, 304
Invert-base-address 301, 302, 304
Invert-label-address 302, 303
Ipc-to-v 288, 289
Iplus 182, 183, 186, 187, 188, 189, 220, 288

J
jump instruction, effects 202
jump instruction, precondition 202
jump instruction, summary 164
jump instruction, syntax 233
jump-case instruction, effects 201
jump-case instruction, precondition 201
jump-case instruction, summary 164
jump-case instruction, syntax 233
jump-if-temp-stk-empty instruction, effects 201
jump-if-temp-stk-empty instruction, precondition 201
jump-if-temp-stk-empty instruction, summary 38, 164
jump-if-temp-stk-empty instruction, syntax 233
jump-if-temp-stk-full instruction, effects 202
jump-if-temp-stk-full instruction, precondition 202
jump-if-temp-stk-full instruction, summary 164
jump-if-temp-stk-full instruction, syntax 233
Jump*-lst 276, 288

K
Kaufmann, Matt vii, 10

L
Label 33
Label table 123
Label tables 123
Label-address 288, 289
Label-links 288, 289
Label-to-v 289, 289
Labeledp 181, 182, 183, 183, 241, 292
Legal-labelp 183, 227
Length 178, 181, 184, 190, 191, 192, 201, 202, 205, 209, 211, 213, 214, 215, 226, 227, 228, 229, 232, 233, 234, 235, 237, 238, 239, 240, 246, 254, 255, 271, 292, 295, 297, 303
Let 22
Link-area 289, 292
Link-assembler 97
Link-data-word 126, 266, 289, 292
Link-instr-word 118, 266, 289, 292
Link-instruction-alist 289, 289
Link-mem 271, 291
Link-segment 291, 292
Link-table-for-labels 292, 292
Link-table-for-prog-labels 272, 292
Link-table-for-segment 272, 292
Link-tables 302
Link-word 265, 271, 289, 292
List 21
List* 21
Listp 21
Litatom 22
Load 97, 259, 293
load-addr 79
Local variables 33
Local-var-value 184, 202, 203, 211, 215
Local-vars 184, 229, 233, 234, 235, 236, 237, 293
locn instruction, effects 203
locn instruction, precondition 202
locn instruction, summary 164
locn instruction, syntax 233
Lsh-bitv 184, 205
lsh-bitv instruction, effects 203
lsh-bitv instruction, precondition 203
lsh-bitv instruction, summary 164
lsh-bitv instruction, syntax 233
LSI Logic, Inc. 3, 12, 76
lt-addr instruction, effects 204
lt-addr instruction, precondition 203
lt-addr instruction, summary 164
lt-addr instruction, syntax 233
lt-int instruction, effects 204
lt-int instruction, precondition 204
lt-int instruction, summary 165
lt-int instruction, syntax 233
lt-nat instruction, effects 205
lt-nat instruction, precondition 204
lt-nat instruction, summary 165
lt-nat instruction, syntax 233

M
M 141
M=>fm9001 98, 267, 293, 293
M-c-flg 293
M-mem 293
M-n-flg 293
M-regs 293
M-state 277, 293, 293
M-statep 293
M-v-flg 293
M-z-flg 293
Main-program 59
Make-list 250, 252
Make-p-call-frame 184, 190, 191
Maximum control stack size 27
Maximum temporary stack size 27
Mci 266, 289, 293
mod 21
Mode-a 249, 250
Mode-b 248, 249, 250
mult2-nat instruction, effects 205
mult2-nat instruction, precondition 205
mult2-nat instruction, summary 165
mult2-nat instruction, syntax 233
mult2-nat-with-carry-out instruction, effects 206
mult2-nat-with-carry-out instruction, precondition 205
mult2-nat-with-carry-out instruction, summary 165
mult2-nat-with-carry-out instruction, syntax 234

N
N 250, 255
N-flag 250, 252, 253
N-set 251, 255
Name 184, 227, 235, 271, 273, 274, 279, 281, 283, 288
Name (of a program) 33
Nat-0s 293, 294, 295
Nat-to-v 246, 248, 251, 255, 267, 268, 288, 289, 295, 296, 297, 300
NDL 3, 76
neg-int instruction, effects 206
neg-int instruction, precondition 206
neg-int instruction, summary 165
neg-int instruction, syntax 234
Negative-guts 21
Negativep 21
Netlist Description Language 3, 76
Nlistp 21
no-op instruction, effects 206
no-op instruction, precondition 206
no-op instruction, summary 165
no-op instruction, syntax 234
Not-bit 184, 184
Not-bitv 184, 207
not-bitv instruction, effects 207
not-bitv instruction, precondition 207
not-bitv instruction, summary 165
not-bitv instruction, syntax 234
Not-bool 184, 207
not-bool instruction, effects 207
not-bool instruction, precondition 207
not-bool instruction, summary 165
not-bool instruction, syntax 234
Nth 245, 246, 247, 248, 250, 251, 251, 252, 254, 255, 256, 257

O
Offset 185, 191, 204, 219
Offset-from-csp 276, 279, 280, 281, 293
Ok predicate 39
Oldcfp 104
Op-code 248, 251
Or-bit 185, 185
Or-bitv 185, 208
or-bitv instruction, effects 208
or-bitv instruction, precondition 208
or-bitv instruction, summary 165
or-bitv instruction, syntax 234
Or-bool 185, 209
or-bool instruction, effects 209
or-bool instruction, precondition 209
or-bool instruction, summary 166
or-bool instruction, syntax 234

P
P 39, 177, 185
P=>r 97, 106, 259, 293, 293, 302
P=>r_cfp 293, 294, 294
P=>r_csp 293, 294, 294
P=>r_ctrl-stk 294, 294
P=>r_ctrl-stk1 294, 294
P=>r_p-frame 294, 294
P=>r_sys-data-segment 260, 293, 294
P=>r_temp-stk 260, 294, 295
P=>r_tsp 260, 293, 295
P-add-addr-okp 185, 195
P-add-addr-step 185, 197
P-add-int-okp 186, 195
P-add-int-step 186, 197
P-add-int-with-carry-okp 186, 195
P-add-int-with-carry-step 187, 197
P-add-nat-okp 187, 195
P-add-nat-step 187, 197
P-add-nat-with-carry-okp 188, 195
P-add-nat-with-carry-step 188, 197
P-add1-int-okp 188, 195
P-add1-int-step 189, 197
P-add1-nat-okp 189, 195
P-add1-nat-step 189, 197
P-and-bitv-okp 189, 195
P-and-bitv-step 189, 197
P-and-bool-okp 190, 195
P-and-bool-step 190, 197
P-call-okp 190, 195, 270
P-call-step 191, 197, 270
P-ctrl-stk 218
P-ctrl-stk-size 190, 191, 214, 237, 294
P-current-instruction 191, 219
P-current-program 191, 191, 201, 202, 27
push-temp-stk-free-size instruction, syntax 236
push-temp-stk-index instruction, effects 216
push-temp-stk-index instruction, precondition 216
push-temp-stk-index instruction, summary 167
push-temp-stk-index instruction, syntax 236
pushj instruction, effects 216
pushj instruction, precondition 216
pushj instruction, summary 168
pushj instruction, syntax 236
Put 181, 239, 240
Put-array 52
Put-assoc 239, 239
Put-value 181, 239, 240
Put-value-indirect 239, 240

R
R 134
R=>i 97, 109, 261, 293, 295, 302
R=>i_pc 295, 296
R=>i_psw 295, 296
R-c-flg 296
R-cfp 296
R-csp 296
R-equal 142
R-n-flg 296
R-pc 296
R-prog-segment 296
R-psw 296
R-state 259, 264, 293, 295, 296
R-statep 296
R-sys-data-segment 296
R-tsp 296
R-usr-data-segment 296
R-v-flg 296
R-word-size 296
R-x 296
R-y 296
R-z-flg 296
Ram 128, 251, 251, 251, 296
Ram tree 128
Ram-guts 251
Ram-tree 267, 295, 296
Ramp 251
Read-mem 248, 249, 251, 300
Read-mem1 251, 251
Reg-direct-p 248, 249, 251
Reg-size 248, 252
Regs 250, 252
Representable 29, 30
Resource representation 97
Restn 296, 297
ret instruction, effects 217
ret instruction, precondition 217
ret instruction, summary 168
ret instruction, syntax 236
Ret-pc 217, 229, 237, 239, 240, 294
Return program counter 27
Rev 226, 240
Rev1 252, 252
Reverse 251, 252, 251, 271
Rget 194, 240
Rn-a 249, 252
Rn-b 248, 249, 252
Rom 128, 251, 252
Rom-guts 252
Romp 252
Rput 192, 240
Rsh-bitv 217, 240
rsh-bitv instruction, effects 217
rsh-bitv instruction, precondition 217
rsh-bitv instruction, summary 168
rsh-bitv instruction, syntax 236

S
Segment-length 272, 297, 302
Sequential execution 61
Set-flags 248, 252
set-global instruction, effects 218
set-global instruction, precondition 218
set-global instruction, summary 168
set-global instruction, syntax 236
set-local instruction, effects 218
set-local instruction, precondition 218
set-local instruction, summary 168
set-local instruction, syntax 237
Set-local-var-indirect 217, 240
Set-local-var-value 217, 218, 240
Sign-extend 249, 252
Small-integerp 182, 186, 187, 188, 206, 208, 219, 220, 222, 240
Small-naturalp 187, 188, 189, 205, 206, 208, 234, 236, 240
Smith, Mike vii
Social process
Step function 39
Store-cc 248, 252
Store-resultp 248, 252
Strip-cars 21
Strip-cdrs 294, 297
Stub 129, 251, 253, 251, 296
Stub-guts 253
Stubbed out ram tree 129
Stubp 253
Sub-addr 219, 240, 294
sub-addr instruction, effects 219
sub-addr instruction, precondition 219
sub-addr instruction, summary
168 s u b - a d d r instruction, syntax 237 Sub-adp 240,240 s u b - i n t instruction, effects 220 s u b - i n t instruction, precondition 219 s u b - i n t instruction, summary 169 s u b - i n t instruction, syntax 237 s \ i b - i n t - w i t h - c a r r y instruction, effects 220 s u b - i n t - w i t h - c a r r y instruction, precondition 220 s u b - i n t - w i t h - c a r r y instruction, summary 169 s u b - i n t - w i t h - c a r r y instruction, syntax 237 s u b - n a t instruction, effects 221 s u b - n a t instruction, precondition 221 s u b - n a t instruction, summary 169 s u b - n a t instruction, syntax 237 s u b - n a t - w i t h - c a r r y instruction, effects 222 s u b - n a t - w i t h - c a r r y instruction, precondition 221 s u b - n a t - w i t h - c a r r y instruction, summary 169 s u b - n a t - w i t h - c a r r y instruction, syntax 237 s u b l - i n t instruction, effects 222 s u b l - i n t instruction, precondition 222 s u b l - i n t instruction, summary 169 s u b l - i n t instruction, syntax 238 s u b l - n a t instruction, effects 223 s u b l - n a t instruction, precondition 223 s u b l - n a t instruction, summary 169 s u b l - n a t instruction, syntax 238 Subr-to-v 289,297 Subrange 245,250,251, 252,253 319 Piton Subroutine definition 33 Symbolic execution 62 Sys-addr-to-v 289,297 Sys-data-links 289, 297, 302 System data address 107 System data area 107 System data link table 123 System data segment 102 System-initial-state 59 System-initial-state-clock 60 System-initial-state-okp 60 Tag 178, 180, 186, 187, 188, 189, 190, 191, 193, 200, 203, 205, 206, 207, 208, 209, 210, 214, 215, 216, 217, 218, 220, 221, 222, 223, 226, 227, 240, 241, 274, 276, 278, 279, 280, 281,283,293,294,295,296, 302 Temp-var-dcls 184,190,191, 235, 241, 271 Temporary stack 27 Temporary stack area 102 Temporary variables 33 t e s t - b i t v - a n d - j u m p instruction, effects 224 t o s t - b i t v - a n d - j u i a p instruction, precondition 224 t e s 
t - b i t v - a n d - j u n i ) instruction, summary 169 t e s t - b i t v - a n d - j u i n p instruction, syntax 238 t e s t - b o o l - a n d - j u r a p instruction, effects 225 t e s t - b o o l - a n d - j u m p instruction, precondition 224 t e s t - b o o l - a n d - j u m p instruction, summary 170 t e s t - b o o l - e u i d - j u m p instruction, syntax 238 t e s t - i n t - a n d - j u m p instruction, effects 225 t e s t - i n t - a n d - j i u n p instruction, precondition 225 t e s t - i n t - a n d - j u m p instruction, summary 38,170 t e s t - i n t - a n d - j u m p instruction, syntax 238 t e s t - n a t - a m d - j u m p instruction, effects 226 t e s t - n a t - a n d - j u m p instruction, precondition 225 t e s t - n a t - a n d - j u m p instruction, summary 170 t e s t - n a t - a n d - j i m p instruction, syntax 238 then 19 Theorem 143 Theorems 155 Theorem 156 Top 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212,213,217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 229, 237, 238, 240, TAX, 241,294 Topi 185,186, 187, 188, 189, 190, 192, 193, 203, 204, 205, 208, 209, 219, 220, 221, 222, 226, 241 Top2 186,187,188, 220, 221, 222,241 Total-p-system-size 302, 302 Truep 20 Tsp register 100 Tv^nat 45 Type 178,193,208,240,241, 289,302 Type specification 83 Type-lst 500,302 Type-specification 302 U Unabbreviate-constant 213, 241 Unlabel 181,191,227,241,273,289 Unlink 154 Unlink-data-word 500,302 Unlinking inverts linking 155 Unpack 22 Untag 178,180,181,185,186,187,188,189, 190,192,193,194, 200, 201,202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 213, 217, 219, 220, 221, 222, 223, 224, 225, 226, 240, 241,271,289,296 Update-flags 248,253 User data link table 123 User data segment 101 Usr-data-links 289, 297, 300, 302 V 255,254 V-adder 254,254 V-adder-carry-out 247, 254, 256 V-adder-output 247, 254, 254, 255, 256 V-adder-overflowp 247, 254, 256 V-alu 248,254 V-and 254,255 V-asr 
247,255 V-buf 254,255,256 V-dec 249,255 V-flag 252,255,255 V-inc 248,249,255 V-lsr 247,255 V-negp 250,255 V-not 247,256,256 V-nzerop 256,257 V-or 254,256 V-ror 247,256 V-set 255,256 V-shift-right 255,256,256 V-subtracter-cany-out 247,256 320 V-subtracter-output 247, 255, 256 V-subtracter-overflowp 247^ 256 V-to-addr 502,303 V-to-bitv 302,303 V-to-bool 502,303 V-to-int 502,303 V-to-label 502,303 V-to-nat 502, 303, 303, 304 V-to-subr 502,304 V-to-sys-addr 502,304 V-xor 254,257 V-zerop 246,257 Value 31 Visible resources 142 W Wilding, Matt 13 Word size 27 Write-mem 248,249,257 Write-meml 257,257 X register 100 X-y-error-msg 2i9, 241 Xor-bit 241,242 Xor-bitv 226,242 x o r - b i t v instruction, effects 226 x o r - b i t v instruction, precondition 226 x o r - b i t v instruction, sununary 171 x o r - b i t v instruction, syntax 239 Y register 100 Young, Bill vii, 11 Z-flag 252,255,257 Z-set 255,257 Zb 255,257 Index ... International Larry Wos, Argonne National Laboratory Piton A Mechanically Verified Assembly- Level Language by J STROTHER MOORE Computational Logic, Inc., Austin, Texas, U.SA WKAP ARCHIEF KLUWER ACADEMIC...Automated Reasoning Series VOLUME Managing Editor William Pase, Odyssey Research Associates, Ottawa, Canada Editorial Board Robert S Boyer, University of Texas at Austin Deepak Kapur, State... interesting aspects of Piton are its reality and its history as a small but representative software project in which mathematical specification and proof play an integral role Piton is only part of a much