$$$pvs-strategies
;;; User-defined PVS proof strategies used by the proofs in this dump.
;;; Every form is (defstep NAME (ARGS) BODY "doc string" "format string").
;;; The hide/replace/split formula numbers inside the bodies refer to sequent
;;; positions left by the preceding steps, so the step order is significant.

;; simp: flatten, assert, simplify, then flatten once more.
(defstep simp ()
  (then (flatten)(assert)(simplify)(flatten))
  " Flatten, assert, simplify"
  " ")

;; LazyGrind: grind with :if-match nil first, then a plain grind.
(defstep LazyGrind ()
  (then (grind$ :if-match nil)(grind$))
  " Grind with the instantiation postponed to the end"
  " ")

;; MyGrind: grind with :if-match nil only.
(defstep MyGrind ()
  (grind$ :if-match nil)
  " Grind with no instantiation"
  " ")

;; grind-best: grind with :if-match best.
(defstep grind-best ()
  (grind$ :if-match best)
  " Grind with best instantiation"
  " Grind with best instantiation")

;; exp-buff: expand the buffer-counting definitions.  occ_buffer and succ are
;; expanded only when expocc / expsucc are passed as t (both default to f).
;; NOTE(review): the name " bufferIndex" below starts with a space, unlike the
;; "bufferIndex" expanded by the exp-inv-* strategies -- possibly a line-wrap
;; artifact; confirm against the definition name.
(defstep exp-buff (&optional (expsucc f)(expocc f))
  (then (EXPAND "totalIssued") (EXPAND "issuedBefore")
        (EXPAND "numOccBuffers") (EXPAND " bufferIndex")
        (if (eq expocc 't)(EXPAND "occ_buffer")(skip))
        (if (eq expsucc 't)(EXPAND "succ")(skip)))
  "Expand formulae related to buffers. Optional param (default f) expsucc and expocc for succ and occ_buffer."
  "Expand formulae related to buffers.")

;; exp-trans: expand the per-stage state-update functions (issue, exec, writeb,
;; retire, flush and their i*/...B variants) in formula(s) fnum (default *),
;; then skosimp*.  The *_iflush names are expanded (in all formulas) when flush
;; is t, which is the default; totalIssued and numOccBuffers only when totiss
;; is t.
(defstep exp-trans (&optional (fnum *)(totiss f)(flush t))
  (then (EXPAND "pc_issue" fnum )(EXPAND "RAT_issue" fnum )
        (EXPAND "ROB_issue" fnum )(EXPAND "RS_issue" fnum )
        (EXPAND "pc_issueB" fnum )(EXPAND "RAT_issueB" fnum )
        (EXPAND "ROB_issueB" fnum )(EXPAND "RS_issueB" fnum )
        (EXPAND "res_exec" fnum )
        (EXPAND "res_iwriteb" fnum )(EXPAND "ROB_iwriteb" fnum )
        (EXPAND "RS_iwriteb" fnum )(EXPAND "RAT_iretire" fnum )
        (EXPAND "ROB_iretire" fnum )
        (EXPAND "RS_iretire" fnum )(EXPAND "RF_iretire" fnum )
        (EXPAND "pc_iretire" fnum )
        (EXPAND "flushInt_iretire" fnum)(EXPAND "flushBr_iretire" fnum)
        (EXPAND "ROB_exec" fnum )(EXPAND "RS_exec" fnum )
        (EXPAND "res_writeb" fnum)(EXPAND "RS_writeb" fnum)(EXPAND "ROB_writeb" fnum)
        (EXPAND "RF_retire" fnum)(EXPAND "RAT_retire" fnum)(EXPAND "ROB_retire" fnum)
        (EXPAND "RS_retire" fnum)
        (EXPAND "RF_flush" fnum)(EXPAND "RAT_flush" fnum)(EXPAND "ROB_flush" fnum)
        (EXPAND "RS_flush" fnum)(EXPAND "pc_flush" fnum)
        (if (eq flush 't)(then (EXPAND "pc_iflush")(EXPAND "RF_iflush")
                               (EXPAND "RAT_iflush")(EXPAND "RS_iflush")(EXPAND "ROB_iflush"))(skip))
        (if (eq totiss 't)(then (EXPAND "totalIssued" fnum )(EXPAND "numOccBuffers" fnum ))(skip))
        (skosimp*))
  "Expands out functions for RAT, ROB etc"
  " ")

;; expand-rho: expand the five rho_* transition relations and the optional
;; definition inv, then skolemize, replace and simplify.
;; NOTE(review): the doc string also says "hides", but no hide step appears in
;; the body.
(defstep expand-rho (&optional (inv nil))
  (then (EXPAND "rho_issue")(EXPAND "rho_execute")
        (EXPAND "rho_writeb")(EXPAND "rho_retire")(EXPAND "rho_extint")
        (EXPAND inv)
        (SKOSIMP*)
        (REPLACE*)
        (simp))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; exp-inv-issue: prelude for goals about the rho_issue transition (the name
;; suggests invariant-preservation proofs).  Expands rho_issue, dispatch, the
;; listed property definitions and up to five caller-supplied names
;; (inv1..inv5), then skolemizes, replaces, simplifies and hides antecedents
;; -2 .. -7.  expocc = t additionally expands occ_buffer and succ; split = t
;; splits the consequents afterwards.
(defstep exp-inv-issue (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil)(split f)(expocc f))
  (then (EXPAND "rho_issue")
        (EXPAND "dispatch")(expand "ROBpredCorrect")
        (EXPAND "predEqualDoOp")(EXPAND "OpsPredCorrect")
        (EXPAND "resPredCorrect")(EXPAND "PVopMatchRS_ROB")(expand "busyOperands")
        (EXPAND "ROBslotMatchRS")(EXPAND "slotUnique")(EXPAND "FUunique")
        (EXPAND "wrapWraps")
        (EXPAND "headTailEq")(EXPAND "occEqual")(EXPAND "freeHeadROBempty")
        (EXPAND "occBuffBusyRAT")(EXPAND "occRS")(EXPAND "RATpointsNewestBuff")(EXPAND "busyRAT")
        (EXPAND "occTailROBfull")(EXPAND "activeRes")(EXPAND "occRSops")(EXPAND "RS_ROB_opsEqual")
        (EXPAND "busyROBoccRSorActiveRes")(EXPAND "writeBoperandsNearest")
        (EXPAND "retiredOperandsMatchRF")(EXPAND "activeResOpsNotBusy")
        (EXPAND "busyOperandsNearest")(EXPAND "opsMatchROB")(EXPAND "intBrMatch")(expand "robeMatchesProgBr")
        (EXPAND "robeMatchesProg")(expand "activeResCorrectVal")(EXPAND "completedROBEcorrectVal")
        (EXPAND "headROBEcorrectVal")(expand "numOcc")
        (expand "busyOpBusyROB")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (EXPAND "totalIssued")
        (EXPAND "issuedBefore")(expand "numOccBuffers")(expand "bufferIndex")
        (EXPAND "weakPreceed")(expand "preceed")
        (if (eq expocc 't)(then (expand "occ_buffer")(EXPAND "succ"))(skip))
        (SKOSIMP*)
        (REPLACE*)
        (simp)
        (hide -2 -3 -4 -5 -6 -7)
        (if (eq split 't)(then (split +)(skosimp*)(simp))(skip)))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; exp-inv-exec: same prelude for the rho_execute transition.  Hides
;; antecedents -1 -2 -4 .. -8 before simplifying; hideiex = t hides the new -1
;; afterwards; split = t splits the consequents.
;; NOTE(review): "busyROBoccRSorActiveRes" is expanded twice in a row below;
;; the second call looks redundant (or a different name was intended).
(defstep exp-inv-exec (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil)(split f)(hideiex f)(expocc f))
  (then (EXPAND "rho_execute")
        (EXPAND "enabled")(expand "ROBpredCorrect")
        (EXPAND "predEqualDoOp")(EXPAND "OpsPredCorrect")(EXPAND "resPredCorrect")(EXPAND "PVopMatchRS_ROB")(expand "chosenFUunique")(expand "busyOperands")
        (EXPAND "ROBslotMatchRS")(EXPAND "slotUnique")(EXPAND "FUunique")
        (EXPAND "wrapWraps")
        (EXPAND "headTailEq")(EXPAND "occEqual")
        (EXPAND "occBuffBusyRAT")(EXPAND "occTailROBfull")(EXPAND "freeHeadROBempty")
        (EXPAND "RATpointsNewestBuff")(EXPAND "busyRAT")(EXPAND "occRS")(EXPAND "activeRes")(EXPAND "occRSops")(EXPAND "RS_ROB_opsEqual")
        (EXPAND "busyROBoccRSorActiveRes")
        (EXPAND "busyROBoccRSorActiveRes")(EXPAND "writeBoperandsNearest")
        (EXPAND "retiredOperandsMatchRF")(EXPAND "activeResOpsNotBusy")(EXPAND "opsMatchROB")(EXPAND "intBrMatch")(expand "robeMatchesBr")
        (EXPAND "robeMatchesProg")(expand "activeResCorrectVal")(EXPAND "completedROBEcorrectVal")
        (EXPAND "headROBEcorrectVal")(expand "numOcc")
        (expand "busyOpBusyROB")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (EXPAND "issuedBefore")(expand "numOccBuffers")(expand "bufferIndex")
        (EXPAND "weakPreceed")(expand "preceed")
        (if (eq expocc 't)(then (expand "occ_buffer"))(skip))
        (SKOSIMP*)
        (replace*)
        (hide -1 -2 -4 -5 -6 -7 -8)(simp)
        (if (eq hideiex 't)(hide -1)(skip))
        (if (eq split 't)(then (split +)(skosimp*)(simp))(skip)))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; exp-inv-writeb: same prelude for the rho_writeb transition.  Replaces with
;; antecedents -1 -2 -5 -6 -7 -8 individually and then hides them; res = t
;; additionally replaces with (and hides) the new -2; split = t splits the
;; consequents.
;; NOTE(review): "ROBpredCorrect" is expanded twice below (once near the top,
;; once after "occTailROBfull"); the second call looks redundant.
(defstep exp-inv-writeb (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil)(split f)(expocc f)(res f))
  (then (EXPAND "rho_writeb")(expand "enabled")
        (expand "wb_prop")
        (expand "ROBpredCorrect")
        (EXPAND "predEqualDoOp")(EXPAND "OpsPredCorrect")
        (EXPAND "resPredCorrect")(EXPAND "PVopMatchRS_ROB")(expand "busyOperands")
        (EXPAND "ROBslotMatchRS")(EXPAND "slotUnique")(EXPAND "FUunique")
        (EXPAND "wrapWraps")
        (EXPAND "headTailEq")(EXPAND "occEqual")(EXPAND "occTailROBfull")(expand "ROBpredCorrect")
        (EXPAND "freeHeadROBempty")
        (EXPAND "occBuffBusyRAT")(EXPAND "busyRAT")(EXPAND "RATpointsNewestBuff")
        (EXPAND "occRS")(EXPAND "activeRes")
        (EXPAND "occRSops")(EXPAND "RS_ROB_opsEqual")
        (EXPAND "busyROBoccRSorActiveRes")
        (EXPAND "busyOperandsNearest")
        (EXPAND "writeBoperandsNearest")
        (EXPAND "retiredOperandsMatchRF")(EXPAND "activeResOpsNotBusy")(EXPAND "opsMatchROB")
        (EXPAND "robeMatchesProg")(expand "activeResCorrectVal")(EXPAND "completedROBEcorrectVal")
        (EXPAND "headROBEcorrectVal")(expand "numOcc")(expand "chosenFUunique")
        (expand "busyOpBusyROB")(EXPAND "intBrMatch")(expand "robeMatchesProgBr")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (EXPAND "issuedBefore")(expand "numOccBuffers")(expand "bufferIndex")
        (EXPAND "weakPreceed")(expand "preceed")
        (if (eq expocc 't)(then (expand "occ_buffer"))(skip))
        (SKOSIMP*)
        (replace -1)(replace -2)(replace -5)(replace -6)
        (replace -7)(replace -8)
        (hide -1 -2 -5 -6 -7 -8)
        (simp)
        (if (eq res 't)(then (replace -2 :hide? t)(simp))(skip))
        (if (eq split 't)(then (split +)(skosimp*)(simp))(skip)))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; exp-inv-retire: same prelude for the rho_retire transition.  succ is always
;; expanded here; after skolemizing, antecedent -2 is split and each branch is
;; simplified, replaced and has -1 .. -6 hidden.  split = t then splits
;; consequent 2 (not + as in the other exp-inv-* strategies).
(defstep exp-inv-retire (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil)(split f)(expocc f))
  (then (EXPAND "rho_retire")(expand "ROBpredCorrect")
        (EXPAND "predEqualDoOp")(EXPAND "OpsPredCorrect")
        (EXPAND "resPredCorrect")(EXPAND "PVopMatchRS_ROB")(expand "busyOperands")
        (EXPAND "ROBslotMatchRS")(EXPAND "slotUnique")(EXPAND "FUunique")
        (EXPAND "wrapWraps")
        (EXPAND "headTailEq")(EXPAND "occEqual")(EXPAND "occTailROBfull")
        (EXPAND "freeHeadROBempty")
        (EXPAND "occBuffBusyRAT")(EXPAND "busyRAT")(EXPAND "RATpointsNewestBuff")(EXPAND "occRS")
        (EXPAND "activeRes")(EXPAND "occRSops")(EXPAND "RS_ROB_opsEqual")
        (EXPAND "busyROBoccRSorActiveRes")(EXPAND "busyOperandsNearest")
        (EXPAND "writeBoperandsNearest")
        (EXPAND "retiredOperandsMatchRF")(EXPAND "activeResOpsNotBusy")(EXPAND "opsMatchROB")
        (EXPAND "robeMatchesProgBr")(expand "activeResCorrectVal")(EXPAND "completedROBEcorrectVal")
        (EXPAND "headROBEcorrectVal")(expand "numOcc")
        (expand "busyOpBusyROB")
        (EXPAND "intBrMatch")(expand "robeMatchesBr")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (EXPAND "issuedBefore")(expand "numOccBuffers")(expand "bufferIndex")
        (EXPAND "weakPreceed")(expand "preceed")
        (if (eq expocc 't)(then (expand "occ_buffer"))(skip))
        (expand "succ")
        (SKOSIMP*)
        (then (split -2)
              (simp)
              (REPLACE*)
              (simp)
              (hide -1 -2 -3 -4 -5 -6)
              (if (eq split 't)(then (split 2)(skosimp*)(simp))(skip))))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; expand-extint: expand rho_extint and up to five caller-supplied names, then
;; skolemize, replace, simplify and hide antecedents -1 -2 -4 -5 -6.
(defstep expand-extint (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil))
  (then (EXPAND "rho_extint")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (SKOSIMP*)
        (REPLACE*)
        (simp)
        (hide -1 -2 -4 -5 -6))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; exp-inv-extint: prelude for the rho_extint transition; unlike the other
;; exp-inv-* strategies, split defaults to t and occ_buffer is always expanded.
;; NOTE(review): the name " busyOperandsNearest" below starts with a space,
;; unlike the same name in exp-inv-issue/-writeb/-retire -- possibly a
;; line-wrap artifact; confirm against the definition name.
(defstep exp-inv-extint (&optional (inv1 nil)(inv2 nil)(inv3 nil)(inv4 nil)(inv5 nil)(split t))
  (then (EXPAND "rho_extint")
        (EXPAND "predEqualDoOp")(EXPAND "OpsPredCorrect")
        (EXPAND "wrapWraps")
        (EXPAND "headTailEq")(EXPAND "occEqual")(EXPAND "occTailROBfull")(EXPAND "ROBslotMatchRS")(EXPAND "slotUnique")(EXPAND "FUunique")
        (EXPAND "freeHeadROBempty")
        (EXPAND "occBuffBusyRAT")(EXPAND "busyRAT")(EXPAND "RATpointsNewestBuff")
        (EXPAND "occRS")(EXPAND "activeRes")
        (EXPAND "occRSops")(EXPAND "RS_ROB_opsEqual")
        (EXPAND "busyROBoccRSorActiveRes")
        (EXPAND " busyOperandsNearest")(EXPAND "writeBoperandsNearest")(EXPAND "intBrMatch")
        (EXPAND "retiredOperandsMatchRF")(EXPAND "activeResOpsNotBusy")(EXPAND "opsMatchROB")
        (EXPAND "robeMatchesProg")(expand "activeResCorrectVal")(EXPAND "completedROBEcorrectVal")
        (EXPAND "headROBEcorrectVal")(expand "numOcc")(expand "busyOpBusyROB")
        (EXPAND inv1)
        (EXPAND inv2)
        (EXPAND inv3)
        (EXPAND inv4)
        (EXPAND inv5)
        (EXPAND "issuedBefore")(expand "numOccBuffers")(expand "bufferIndex")
        (EXPAND "weakPreceed")(expand "preceed")(expand "occ_buffer")
        (SKOSIMP*)
        (REPLACE*)
        (simp)
        (hide -1 -2 -4 -5 -6)
        (if (eq split 't)(then (split +)(skosimp*)(simp))(skip)))
  "Expands out rho, skosimps, replaces and hides"
  " " )

;; expand-out: only the header is on this line of the dump; the body and the
;; doc strings follow on the next line.
(defstep expand-out (&optional (inv nil))
  ;; Body of expand-out (its defstep header is on the previous line of the
  ;; dump): expand PredInv, rho and the optional definition inv, skolemize,
  ;; replace, simplify, and hide antecedents -4 .. -7.
  (then (EXPAND "PredInv")(EXPAND "rho")(EXPAND inv)
        (SKOSIMP*)
        (REPLACE*)
        (simp)
        (HIDE -4 -5 -6 -7)
        )
  "Expands out the definitions, and rho, replaces and hides "
  " " )

;; expand-out-prop: expand rho and TomInvariants, skolemize, expand inv only
;; in the formulas selected by dir (default +, the consequents), then
;; skolemize, replace, simplify and hide antecedents -4 .. -7.
(defstep expand-out-prop (&optional (inv nil)(dir +))
  (then (EXPAND "rho")(expand "TomInvariants")(skosimp*)
        (expand inv dir)(skosimp*)(replace*)(simp)(hide -4 -5 -6 -7))
  "Expands out the defintions, and rho, replaces and hides. The optional invariant is only expanded in succeedents, or as specified by dir"
  " " )

;; do-rewrites: install the rewrites of theory TomPropRewrite, expand the
;; optional name toexpand, simplify, run simplify-with-rewrites (definitions
;; on, "FUn" excluded), auto-rewrite the antecedents and assert.  Wrapped in
;; apply, so it shows as a single step.
(defstep do-rewrites (&optional (toexpand nil))
  (apply (then (AUTO-REWRITE-THEORY "TomPropRewrite")
               (expand toexpand)(SIMP)
               (SIMPLIFY-WITH-REWRITES :DEFS T :EXCLUDE "FUn")
               (auto-rewrite-ante)(assert)))
  "Rewrites using theory TomPropRewrite, expands an optional statement, simplifies, then SIMPLIFY-WITH-REWRITES"
  " Rewrites using theory TomPropRewrite, expands an optional statement, simplifies, then SIMPLIFY-WITH-REWRITES" )

;; lift-split: lift IFs in the consequents, split formula num (default +),
;; then simplify, replace and simplify again.
(defstep lift-split(&optional (num +))
  (then (lift-if +)(split num)(simp)(replace*)(simp))
  "Lift, split, replace and simplify "
  " " )

;; instbest: inst? with :if-match best on fnum (default *).
(defstep instbest (&optional (fnum *))
  (then (inst? fnum :if-match best))
  "Applies inst? :if-match best to the optional line number (num, +, -)"
  " " )

;; lazy-grind: grind with instantiation switched off, then reduce with the
;; caller's if-match setting; the remaining options are passed through.
(defstep lazy-grind (&optional (if-match t) (defs !) rewrites theories exclude (updates? t))
  (then (grind$ :if-match nil :defs defs :rewrites rewrites :theories theories :exclude exclude :updates? updates?)
        (reduce$ :if-match if-match :updates? updates?))
  "Equiv. to (grind) with the instantiations postponed until after simplification."
  "By skolemization, if-lifting, simplification and instantiation")

;; stew: for every lemma in lemmas, skosimp* and (use lemma); then either the
;; lazy-grind sequence (when lazy-match is non-nil) or a plain grind with the
;; given options.  The per-lemma steps are built as a backquoted (then ...)
;; form at strategy-expansion time.
(defstep stew (&optional lazy-match (if-match t) (defs !) rewrites theories exclude (updates? t) &rest lemmas)
  (then (if lemmas
            (let ((lemmata (if (listp lemmas) lemmas (list lemmas)))
                  (x `(then ,@(loop for lemma in lemmata append `((skosimp*)(use ,lemma))))))
              x)
            (skip))
        (if lazy-match
            (then (grind$ :if-match nil :defs defs :rewrites rewrites :theories theories :exclude exclude :updates? updates?)
                  (reduce$ :if-match if-match :updates? updates?))
            (grind$ :if-match if-match :defs defs :rewrites rewrites :theories theories :exclude exclude :updates? updates?)))
  "Does a combination of (lemma) and (grind)."
  "~%Grinding away with the supplied lemmas,")

;; split-if: lift-if, then look (among the formulas selected by fnum) for one
;; that is an IF-THEN-ELSE, or a negation of one, and split the first match;
;; otherwise print a message and do nothing.
(defstep split-if (&optional (fnum +))
  (then (lift-if)
        (let ((fnums (gather-fnums (s-forms (current-goal *ps*))
                                   fnum nil
                                   #'(lambda (sform) (or (branch? (formula sform))
                                                         (and (negation? (formula sform))
                                                              (branch? (args1 (formula sform))))))))
              (fnum (when fnums (car fnums))))
          (if fnum (then (split fnum)(simp))
              (skip-msg "No IF-THEN-ELSE in the sequent."))))
  "Applies LIFT-IF and splits only an IF-THEN-ELSE sequent formula in the result."
  "Lifting IF-THEN-ELSEs and splitting on an IF-THEN-ELSE")

;; split-if-new: try lift-if on fnum; if it did something, split the first new
;; formula number and recurse, otherwise report that nothing was lifted.
(defstep split-if-new (&optional (fnum *))
  (try (lift-if fnum)
       (let ((newfnum (car *new-fmla-nums*)))
         (if newfnum (then (split newfnum)(split-if-new$ fnum))
             (skip-msg "No IF-THEN-ELSE in the sequent.")))
       (skip-msg "Nothing to lift-if."))
  "Applies LIFT-IF and splits only an IF-THEN-ELSE sequent formula in the result."
  "Lifting IF-THEN-ELSEs and splitting on an IF-THEN-ELSE")

;; new-split-if: split-if on fnum, then simplify, replace, simplify.
(defstep new-split-if (&optional (fnum +))
  (then (split-if fnum)(simp)(replace*)(simp))
  "Lift, split, replace and simplify "
  " " )

;; split-if-simp: lift-if and split on the same fnum, then simplify.
(defstep split-if-simp (&optional (fnum +))
  (then (lift-if fnum)(then (split fnum)(simp)))
  "Lift, split and simplify "
  " " )

;; clean-up: gather every sequent formula that is either a negation of an
;; implication whose premise is FALSE, or a conjunction whose first conjunct
;; is FALSE, and hide them all.
;; NOTE(review): both arms of the inner (or ...) test args1 against *false*,
;; so the second arm is redundant; args2 may have been intended (X AND FALSE),
;; but the doc string only mentions FALSE AND Y -- confirm before changing.
(defstep clean-up ()
  (let (
        ;(fmla (formula sform))
        (fnums (gather-fnums (s-forms (current-goal *ps*))
                             * nil
                             #'(lambda (sform) (or (and (negation? (formula sform))
                                                        (and (implication? (args1 (formula sform)))
                                                             (tc-eq (args1 (args1 (formula sform))) *false*)))
                                                   (and (conjunction? (formula sform))
                                                        (or (tc-eq (args1 (formula sform)) *false*)
                                                            (tc-eq (args1 (formula sform)) *false*)))))))
        (fnum (when fnums (car fnums))))
    (if fnum (hide fnums)(skip-msg "No formulae to clean-up")))
  "Hide all antecedents of the form FALSE IMPLIES X and consequents FALSE AND Y "
  "Hide all antecedents of the form FALSE IMPLIES X and consequents FALSE AND Y" )

;; reduce-if: among the formulas not listed in exclude, find a negated
;; IF-THEN-ELSE whose then-part or else-part is FALSE; split the first one,
;; flatten, and replace using toreplace.
(defstep reduce-if (&optional (toreplace nil)(exclude nil))
  (let (
        ;(fmla (formula sform))
        (fnums (gather-fnums (s-forms (current-goal *ps*))
                             * exclude
                             #'(lambda (sform) (and (negation? (formula sform))
                                                    (and (branch? (args1 (formula sform)))
                                                         (or (tc-eq (then-part (args1 (formula sform))) *false*)
                                                             (tc-eq (else-part (args1 (formula sform))) *false*)))))))
        (fnum (when fnums (car fnums))))
    (if fnum (then (split fnum)(flatten)(replace toreplace))
        (skip-msg "Nothing to reduce if")))
  "Split an antecedent if-formula if either the then-part or the else-part is false"
  "Reducing void if-formulae" )

;; split-all: repeat { split-if on the consequents, optionally skosimp*,
;; replace, simplify, reduce-if, then split-if on fnum with simplify/replace }
;; until nothing changes.
(defstep split-all (&optional (fnum nil)(sko t))
  (repeat* (then (split-if$ +)(if (eq sko 't)(skosimp*)(skip))(replace*)(simp$)(reduce-if$)(then (split-if$ fnum)(simp$)(replace*)(simp$))))
  "Lift, splits consequents and those in fnum, if specified. Antecedents with FALSE then or else-parts also split"
  "Splitting consequents and antecedents with FALSE then- or else-parts " )

;; split-all-sko: as split-all, with an extra simp$ directly after the first
;; split-if.  The format string below contains the line break found in the
;; dump.
(defstep split-all-sko (&optional (fnum nil)(sko t))
  (repeat* (then (split-if$ +)(simp$)(if (eq sko 't) (skosimp*)(skip))(replace*)(simp$)(reduce-if$)
                 (then (split-if$ fnum)(simp$)(replace*)(simp$))))
  "Lift, splits consequents and those in fnum, if specified. Antecedents with FALSE then or else-parts also split. Also skolemize"
  "Splitting consequents and antecedents with FALSE then- or else-parts. 
Also skolemize " )

;; simp-split: lift-if everywhere, split fnum, simplify.
(defstep simp-split (&optional (fnum +))
  (then (lift-if)(then (split fnum)(simp)))
  "lift-if, split, simp"
  "lift-if, split, simp" )

;; rewrite-all: recursively auto-rewrite with each formula number in the list
;; fnums; prints a message once the list is exhausted.
(defstep rewrite-all (fnums)
  (let ((fnum (car fnums))
        (rems (cdr fnums)))
    (if fnum (then (auto-rewrite fnum)(rewrite-all$ rems))
        (skip-msg "Auto-rewrote all formulae")))
  " "
  " " )

;; auto-rewrite-ante-new: like auto-rewrite-ante, but an implication is only
;; selected when its conclusion (args2) is not an equality.
(defstep auto-rewrite-ante-new (&optional (exclude nil))
  (let (
        ;(fmla (formula sform))
        ( fnums (gather-fnums (s-forms (current-goal *ps*))
                              * exclude
                              #'(lambda (sform) (and (negation? (formula sform))
                                                     (or (and (forall-expr? (args1 (formula sform)))
                                                              (implication? (expression (args1 (formula sform)))))
                                                         (and (implication? (args1 (formula sform)))
                                                              (not (equality? (args2 (args1 (formula sform) ))))))))))
        (fnum (when fnums (car fnums))))
    (if fnum (rewrite-all$ fnums)
        (skip-msg "Nothing to auto-rewrite")))
  " "
  " " )

;; auto-rewrite-ante: select the negated sequent formulas (not in exclude)
;; whose body is an implication or a FORALL over an implication, and install
;; each as an auto-rewrite via rewrite-all.
(defstep auto-rewrite-ante (&optional (exclude nil))
  (let (
        ;(fmla (formula sform))
        ( fnums (gather-fnums (s-forms (current-goal *ps*))
                              * exclude
                              #'(lambda (sform) (and (negation? (formula sform))
                                                     (or (and (forall-expr? (args1 (formula sform)))
                                                              (implication? (expression (args1 (formula sform)))))
                                                         (implication? (args1 (formula sform))))))))
        (fnum (when fnums (car fnums))))
    (if fnum (rewrite-all$ fnums)
        (skip-msg "Nothing to auto-rewrite")))
  " "
  " " )

;; hide-all-but: hide the formulas selected by hidefrom (default *) except
;; those listed in keepnums.
(defstep hide-all-but (&optional (hidefrom *) keepnums)
  (let ((fnums (gather-fnums (s-forms (current-goal *ps*))
                             hidefrom keepnums)))
    (hide :fnums fnums))
  "Hides all sequent formulas from FNUMS except those listed in KEEP-FNUMS. Useful when all but a few formulas need to be hidden."
  "Hiding ~a but keeping ~a")

;; my-hide-all-but: same body as hide-all-but, with keepnums as the required
;; first argument and hidefrom optional.
(defstep my-hide-all-but (keepnums &optional (hidefrom *))
  (let ((fnums (gather-fnums (s-forms (current-goal *ps*))
                             hidefrom keepnums)))
    (hide :fnums fnums))
  "Hides all sequent formulas"
  "Hiding" )

;; replace-all: recursively (replace fnum into) for each formula number in the
;; list fnums.
(defstep replace-all (fnums into)
  (let ((fnum (car fnums))
        (rems (cdr fnums)))
    (if fnum (then (replace fnum into)(replace-all$ rems into))
        (skip-msg " ")))
  " "
  " " )

;; rep-plus: gather all formula numbers except the consequents (yes = *,
;; no = +) and replace each of them into fnum (default +), then simplify.
;; NOTE(review): the skip-msg text "No IF-THEN-ELSE in the sequent." looks
;; copied from split-if; here the empty case means no formulas were gathered.
(defstep rep-plus(&optional (fnum +))
  (let ((fnums (gather-fnums (s-forms (current-goal *ps*)) * +))
        (first (when fnums (car fnums))))
    (if first (then (replace-all fnums fnum)(simp))
        (skip-msg "No IF-THEN-ELSE in the sequent.")))
  " replace"
  " replace" )

;; rep-exp: replace-all from the formula(s) given as from into `into`, then
;; run exp-trans on `into`; wrapped in apply.
;; NOTE(review): from is passed to replace-all$ as (from) -- presumably meant
;; to form a one-element list; confirm how the strategy substitutes it.
(defstep rep-exp (from &optional (into +))
  (apply (then (replace-all$ (from) into)(exp-trans$ into)))
  "Expands out functions for RAT, ROB etc"
  " ")

;; prove-rewrites: expand prop, skolemize, apply iff, split, and keep
;; splitting consequent 1 with skolemization until nothing changes.
;; NOTE(review): the doc string is the one used by expand-out and does not
;; describe this body.
(defstep prove-rewrites (&optional (prop nil))
  (apply (then (EXPAND prop)(skosimp*)(iff)(then (split)(skosimp*)(repeat* (then (split 1)(skosimp*))))))
  "Expands out the definitions, and rho, replaces and hides "
  " " )
$$$allTheories.pvs
allTheories[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% This is just a dummy file allowing all the proofs to be dumped together.
% It imports the three refinements:
% RefSeq : DES(1) refines Seq
% Ref3 : DES_s(B'+1) refines DES_f(B'+1)
% RefB : DES_f(B'+1) refines DES(B')
% Other files imported indirectly are:
% Spec : The speculative design.
%        Called DES in the paper
% seq : The sequential design
% FUdef : Definitions used in Spec
% IOdef : Definitions used in Spec
% def : Definitions used in both Spec and Seq
% more_nat_types : Definitions used in both Spec and Seq
% RefMap : The mapping between DES_s(B+1) and DES_f(B+1)
% Ref1, Ref2 : Lemmas used in Ref3
% RefMapB : The mapping between DES_f(B+1) and DES(B)
% SpecDefs : Invariant properties of DES
% SpecInv : Proof that the properties in SpecDefs are invariants
% SpecDefsOneBuff : Additional properties of DES(1)
% SpecInvsOneBuff : Proof that these properties are invariant
% *NOTE*
%
% When RefB or RefMapB is included in the context, a lot of extra type-checks
% are generated on other proofs, causing some proofs to fail.
% Should this occur exit PVS, remove .pvscontext, and restart PVS without
% opening these two files.
BEGIN
  IMPORTING RefSeq[R,U,Z], Ref3[R, U, Z, B], RefB[R, U, Z, B]
END allTheories
$$$TransB.pvs
TransB[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Definitions used in RefB
%
% State-update functions for the issue, retire, flush and write-back steps,
% stated over the types of SpecInv instantiated with B - 1 buffers.
BEGIN
  IMPORTING SpecInv[R, U, Z, B - 1]

  RF, fRF, rRF, RF_p, fRF_p: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, RAT_p, fRAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p: VAR ROB_TYPE
  RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, pc_p, fpc_p: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p, rnuminst: VAR nat
  FU, FUexec: VAR FU_ID
  S: VAR SLOT_ID
  Sn, Siex: VAR upto[Z]
  r: VAR REG_ID
  head: VAR upto_nz[B]
  rb, fhead: VAR ROB_ID
  retire, flushInt, flushBr, flushInt_p, flushBr_p: VAR boolean
  res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE]

  % pc after an issue step.  Sn = 0 leaves pc unchanged; otherwise a BRANCH
  % for which branch_pred holds goes to its br_target, anything else to pc + 1.
  pc_issueB(pc, Sn, RF, ROB, RAT, numinst): PC_RANGE =
    IF Sn > 0
    THEN IF type_op(op(prog(pc))) = BRANCH AND branch_pred(pc, totalIssued(numinst, ROB) + 1)
         THEN br_target(prog(pc))
         ELSE 1 + pc ENDIF
    ELSE pc ENDIF

  % RAT after an issue step.  Unchanged when Sn = 0; otherwise the entry of the
  % target register t(prog(pc)) is marked busy and aliased to tail(ROB).
  RAT_issueB(RAT, Sn, ROB, pc): [REG_ID -> RAT_TYPE] =
    IF Sn = 0 THEN RAT
    ELSE (LAMBDA r: IF Sn > 0 AND r = t(prog(pc))
                    THEN (# b := TRUE, al := tail(ROB) #)
                    ELSE RAT(r) ENDIF)
    ENDIF

  % ROB after an issue step.  Unchanged when Sn = 0; otherwise tail advances
  % (wrap is set when the new tail is 1) and the entry at the old tail is
  % filled in for prog(pc).  pv is, for a non-branch, do_op applied to the
  % operands' values (pv of the aliased ROB entry when the RAT entry is busy,
  % else the RF value); for a branch it is 1 or 0 according to branch_act.
  ROB_issueB(Sn, ROB, RF, RAT, pc, numinst): ROB_TYPE =
    IF Sn = 0 THEN ROB
    ELSE (# head := head(ROB),
            tail := succ(tail(ROB)),
            wrap := wrap(ROB) OR succ(tail(ROB)) = 1,
            robe := (LAMBDA rb:
              IF rb /= tail(ROB) THEN robe(ROB)(rb)
              ELSE (# b := TRUE, v := 0, op := op(prog(pc)), int := FALSE, oc := TRUE,
                      br_pred := branch_pred(pc, totalIssued(numinst, ROB) + 1),
                      br_targ := br_target(prog(pc)),
                      t := t(prog(pc)), pc := pc, slot := Sn,
                      pv := IF type_op(op(prog(pc))) /= BRANCH
                            THEN do_op (op(prog(pc)),
                                   IF b(RAT(src(prog(pc))(1))) THEN pv (robe(ROB) (al(RAT(src(prog(pc))(1))))) ELSE v(RF(src(prog(pc))(1))) ENDIF,
                                   IF b(RAT(src(prog(pc))(2))) THEN pv (robe(ROB) (al(RAT(src(prog(pc))(2))))) ELSE v(RF(src(prog(pc))(2))) ENDIF)
                            ELSIF branch_act (pc, issuedBefore(numinst, ROB, rb) + 1) THEN 1
                            ELSE 0 ENDIF,
                      pv_int := int_interrupt(pc, issuedBefore(numinst, ROB, rb) + 1) #)
              ENDIF) #)
    ENDIF

  % RS after an issue step.  Slot Sn becomes occupied and points at tail(ROB).
  % Each of the two source operands is BUSY or WRITE_B (by the b flag of the
  % aliased ROB entry) when its RAT entry is busy, and RETIRED with the RF
  % value otherwise.
  RS_issueB(RS, Sn, RF, RAT, ROB, pc): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
      IF S /= Sn THEN RS(S)
      ELSE (# oc := TRUE, p := tail(ROB), op := op(prog(pc)),
              ss := (LAMBDA (j: TWO):
                IF b(RAT(src(prog(pc))(j)))
                THEN (# st := IF b (robe(ROB) (al(RAT(src(prog(pc))(j))))) THEN BUSY ELSE WRITE_B ENDIF,
                        p := al(RAT(src(prog(pc))(j))),
                        v := v (robe(ROB)(al(RAT(src(prog(pc))(j))))),
                        pv := pv (robe(ROB) (al(RAT(src(prog(pc))(j))))) #)
                ELSE (# st := RETIRED,
                        v := v(RF(src(prog(pc))(j))),
                        pv := v(RF(src(prog(pc))(j))),
                        p := al(RAT(src(prog(pc))(j))) #)
                ENDIF) #)
      ENDIF)

  % RAT after retire: entries aliased to head(ROB) have their busy bit cleared.
  RAT_retire(RAT, ROB): [REG_ID -> RAT_TYPE] =
    (LAMBDA r: IF al(RAT(r)) = head(ROB)
               THEN (# b := FALSE, al := al(RAT(r)) #)
               ELSE RAT(r) ENDIF)

  % RF after retire: the target register of the head entry receives its value.
  RF_retire(RF, ROB): [REG_ID -> RF_TYPE] =
    (LAMBDA r: IF r = t(robe(ROB)(head(ROB)))
               THEN (# v := v(robe(ROB)(head(ROB))) #)
               ELSE RF(r) ENDIF)

  % ROB after retire: head advances, wrap is cleared when the new head is 1,
  % and the old head entry is marked unoccupied.
  ROB_retire(ROB): ROB_TYPE =
    (# head := succ(head(ROB)),
       tail := tail(ROB),
       wrap := wrap(ROB) AND NOT succ(head(ROB)) = 1,
       robe := (LAMBDA rb: IF rb = head(ROB)
                           THEN robe(ROB)(rb) WITH [oc := FALSE]
                           ELSE robe(ROB)(rb) ENDIF) #)

  % RS after retire: in occupied slots, an operand in state WRITE_B whose
  % producer is head(ROB) becomes RETIRED; the other operand fields are kept.
  RS_retire(RS, ROB): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
      IF oc(RS(S))
      THEN RS(S) WITH [ss := (LAMBDA (j: TWO):
                         (# st := IF p(ss(RS(S))(j)) = head(ROB) AND st(ss(RS(S))(j)) = WRITE_B
                                  THEN RETIRED
                                  ELSE st(ss(RS(S))(j)) ENDIF,
                            p := p(ss(RS(S))(j)),
                            v := v(ss(RS(S))(j)),
                            pv := pv(ss(RS(S))(j)) #))]
      ELSE RS(S) ENDIF)

  % RF after a flush: unchanged when the head entry has int set; otherwise the
  % head entry's value is written to its target register, as in RF_retire.
  RF_flush(RF, ROB): [REG_ID -> RF_TYPE] =
    IF int(robe(ROB)(head(ROB))) THEN RF
    ELSE (LAMBDA r: IF r = t(robe(ROB)(head(ROB)))
                    THEN (# v := v(robe(ROB)(head(ROB))) #)
                    ELSE RF(r) ENDIF)
    ENDIF

  % RAT after a flush: no register busy, every alias set to 1.
  RAT_flush: [REG_ID -> RAT_TYPE] = (LAMBDA r: (# b := FALSE, al := 1 #))

  % ROB after a flush: head = tail = 1, wrap cleared, every entry unoccupied.
  ROB_flush(ROB): ROB_TYPE =
    (# tail := 1, head := 1, wrap := FALSE,
       robe := (LAMBDA rb: robe(ROB)(rb) WITH [oc := FALSE]) #)

  % RS after a flush: every slot unoccupied.
  RS_flush(RS): [SLOT_ID -> RS_TYPE] = (LAMBDA S: RS(S) WITH [oc := FALSE])

  % pc after a flush, taken from the head entry: the interrupt address when
  % int is set, the branch target when v > 0, and the entry's pc + 1 otherwise.
  pc_flush(ROB): PC_RANGE =
    IF int(robe(ROB)(head(ROB)))
    THEN Int_interrupt_addr(pc(robe(ROB)(head(ROB))), type_op(op(robe(ROB)(head(ROB)))))
    ELSIF v(robe(ROB)(head(ROB))) > 0 THEN br_targ(robe(ROB)(head(ROB)))
    ELSE pc(robe(ROB)(head(ROB))) + 1 ENDIF

  % ROB after write-back: for an occupied buffer rb for which some FU holds a
  % result with a set and p = rb, b is cleared and v, int are copied from the
  % result of chooseFU(rb, res); every other field is carried over.
  ROB_writeb(ROB, res): ROB_TYPE =
    (# head := head(ROB), tail := tail(ROB), wrap := wrap(ROB),
       robe := (LAMBDA rb:
         IF occ_buffer(rb, ROB) AND (EXISTS FU: a(res(FU)) AND p(res(FU)) = rb)
         THEN (# b := FALSE,
                 v := v(res(chooseFU(rb, res))),
                 int := int(res(chooseFU(rb, res))),
                 t := t(robe(ROB)(rb)),
                 pc := pc(robe(ROB)(rb)),
                 op := op(robe(ROB)(rb)),
                 pv := pv(robe(ROB)(rb)),
                 pv_int := pv_int(robe(ROB)(rb)),
                 br_pred := br_pred(robe(ROB)(rb)),
                 br_targ := br_targ(robe(ROB)(rb)),
                 oc := oc(robe(ROB)(rb)),
                 slot := slot(robe(ROB)(rb)) #)
         ELSE robe(ROB)(rb) ENDIF) #)

  % RS after write-back: a slot whose p matches a result with a set is freed.
  % In the remaining occupied slots, a BUSY operand whose producer p (> 0)
  % matches such a result becomes WRITE_B with v taken from the chosen FU's
  % result; pv is kept.
  RS_writeb(res, RS): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
      IF (EXISTS FU: a(res(FU)) AND p(res(FU)) = p(RS(S)))
      THEN RS(S) WITH [oc := FALSE]
      ELSIF oc(RS(S))
      THEN (# oc := oc(RS(S)), p := p(RS(S)), op := op(RS(S)),
              ss := (LAMBDA (j: TWO):
                IF st(ss(RS(S))(j)) = BUSY
                   AND (EXISTS FU: a(res(FU)) AND p(ss(RS(S))(j)) = p(res(FU)) AND p(ss(RS(S))(j)) > 0)
                THEN (# st := WRITE_B,
                        p := p(ss(RS(S))(j)),
                        v := v (res (chooseFU(p(ss(RS(S))(j)), res))),
                        pv := pv(ss(RS(S))(j)) #)
                ELSE ss(RS(S))(j) ENDIF) #)
      ELSE RS(S) ENDIF)

END TransB
$$$TransB.prf
(|TransB|
 (IMPORTING2_TCC1 "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC1| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC2| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC3| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC4| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC5| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC6| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC7| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC8| "" (SUBTYPE-TCC) NIL)
 (|ROB_issueB_TCC9| "" (SUBTYPE-TCC) NIL)
 (|RS_issueB_TCC1| "" (SUBTYPE-TCC) NIL)
 (|RS_issueB_TCC2| "" (SUBTYPE-TCC) NIL)
 (|RS_issueB_TCC3| "" (SUBTYPE-TCC) NIL)
 (|RS_issueB_TCC4| "" (SUBTYPE-TCC) NIL)
 (|RS_retire_TCC1| "" (SUBTYPE-TCC) NIL)
 (|RS_retire_TCC2| "" (SUBTYPE-TCC) NIL)
 (|RAT_flush_TCC1| "" (SUBTYPE-TCC) NIL)
 (|ROB_writeb_TCC1| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero") (("" (INST?) (("" (SIMP) (("" (SIMP) NIL)))))))))
 (|RS_writeb_TCC1| "" (SUBTYPE-TCC) NIL)
 (|RS_writeb_TCC2| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero") (("" (INST?) (("" (SIMP) (("" (SIMP) NIL))))))))))
$$$RefMapB.pvs
RefMapB[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Defines the refinement map from DES_f(B'+1) to DES(B')
% I.e.
% from Spec(B) with one free buffer to Spec(B-1)
% The variables of Spec(B-1) are prefixed with "f"
BEGIN
  IMPORTING Spec[R, U, Z, B], Spec[R, U, Z, B - 1]

  % State of the B-buffer design.
  RF: VAR [REG_ID -> RF_TYPE[R, U, Z, B]]
  RAT: VAR [REG_ID -> RAT_TYPE[R, U, Z, B]]
  ROB: VAR ROB_TYPE[R, U, Z, B]
  RS: VAR [SLOT_ID[R, U, Z, B] -> RS_TYPE[R, U, Z, B]]
  % State of the (B - 1)-buffer design.
  fRF: VAR [REG_ID -> RF_TYPE[R, U, Z, B - 1]]
  fRAT: VAR [REG_ID -> RAT_TYPE[R, U, Z, B - 1]]
  fROB: VAR ROB_TYPE[R, U, Z, B - 1]
  fRS: VAR [SLOT_ID[R, U, Z, B - 1] -> RS_TYPE[R, U, Z, B - 1]]
  pc, fpc: VAR posnat
  numinst, fnuminst: VAR nat
  FU: VAR FU_ID
  S: VAR SLOT_ID[R, U, Z, B - 1]
  r: VAR REG_ID
  rb, head: VAR ROB_ID[R, U, Z, B]
  fhead: VAR ROB_ID[R, U, Z, B - 1]

  % Offset of buffer rb from head, counting forward around a ring of B entries.
  buffInd(rb, head): upto[B - 1] =
    IF rb >= head THEN rb - head ELSE rb + B - head ENDIF

  % Index in the (B - 1)-entry ROB corresponding to buffer rb of the B-entry
  % ROB: fhead plus rb's offset from head, reduced by B - 1 when it exceeds
  % B - 1.
  % NOTE(review): buffInd is at most B - 1; if fhead is also at most B - 1
  % (presumably, given its ROB_ID[.., B - 1] type) the sum never reaches
  % 2 * B - 1 and the first branch is unreachable -- confirm ROB_ID's range.
  Bp1MapB(rb, head, fhead): ROB_ID[R, U, Z, B - 1] =
    IF buffInd(rb, head) + fhead >= 2 * B - 1 THEN 1
    ELSIF buffInd(rb, head) + fhead <= B - 1 THEN buffInd(rb, head) + fhead
    ELSE buffInd(rb, head) + fhead - B + 1 ENDIF

  % The refinement relation between a B-buffer state and an "f" state:
  %  - the B-buffer ROB is not full (not tail = head with wrap set);
  %  - head and tail map to head(fROB) and tail(fROB) under Bp1MapB;
  %  - every occupied entry equals the f-entry it maps to; an unoccupied entry
  %    maps to an unoccupied f-entry unless it is the one just before head;
  %  - numinst, RF and pc are equal;
  %  - RAT busy bits agree, and busy aliases correspond under Bp1MapB;
  %  - occupied RS slots agree on occupancy, op and (mapped) producer; BUSY
  %    operands agree on state, mapped producer and pv, non-BUSY operands are
  %    non-BUSY on both sides with equal v; free slots are free on both sides.
  refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst): boolean =
    (NOT (tail(ROB) = head(ROB) AND wrap(ROB))
     AND Bp1MapB(head(ROB), head(ROB), head(fROB)) = head(fROB)
     AND Bp1MapB(tail(ROB), head(ROB), head(fROB)) = tail(fROB)
     AND (FORALL rb:
            IF oc(robe(ROB)(rb))
            THEN robe(fROB)(Bp1MapB(rb, head(ROB), head(fROB))) = robe(ROB)(rb)
            ELSE NOT oc(robe(fROB)(Bp1MapB(rb, head(ROB), head(fROB)))) OR succ(rb) = head(ROB)
            ENDIF)
     AND fnuminst = numinst
     AND fRF = RF
     AND (FORALL r: b(RAT(r)) = b(fRAT(r))
                    AND (b(RAT(r)) IMPLIES al(fRAT(r)) = Bp1MapB(al(RAT(r)), head(ROB), head(fROB))))
     AND (FORALL S:
            IF oc(RS(S))
            THEN oc(fRS(S))
                 AND p(fRS(S)) = Bp1MapB(p(RS(S)), head(ROB), head(fROB))
                 AND op(fRS(S)) = op(RS(S))
                 AND (FORALL (j: TWO):
                        IF st(ss(RS(S))(j)) = BUSY
                        THEN st(ss(fRS(S))(j)) = BUSY
                             AND p(ss(fRS(S))(j)) = Bp1MapB(p(ss(RS(S))(j)), head(ROB), head(fROB))
                             AND pv(ss(RS(S))(j)) = pv(ss(fRS(S))(j))
                        ELSE st(ss(fRS(S))(j)) /= BUSY
                             AND v(ss(RS(S))(j)) = v(ss(fRS(S))(j))
                        ENDIF)
            ELSE NOT oc(fRS(S))
            ENDIF)
     AND fpc = pc)

END RefMapB
$$$RefMapB.prf
(|RefMapB|
 (IMPORTING2_TCC1 "" (SUBTYPE-TCC) NIL)
 (|buffInd_TCC1| "" (SUBTYPE-TCC) NIL)
 (|buffInd_TCC2| "" (SUBTYPE-TCC) NIL)
 (|buffInd_TCC3| "" (SUBTYPE-TCC) NIL)
 (|Bp1MapB_TCC1| "" (SUBTYPE-TCC) NIL)
 (|Bp1MapB_TCC2| "" (SUBTYPE-TCC) NIL)
 (|Bp1MapB_TCC3| "" (SUBTYPE-TCC) NIL)
 (|refMapB_TCC1| "" (SUBTYPE-TCC) NIL)
 (|refMapB_TCC2| "" (SUBTYPE-TCC) NIL)
 (|refMapB_TCC3| "" (SUBTYPE-TCC) NIL)
 (|refMapB_TCC4| "" (SUBTYPE-TCC) NIL))
$$$RefB.pvs
RefB[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Proves that DES_f(B'+1) refines DES(B')
% I.e. Spec(B) with one free buffer to Spec(B-1)
% The variables of Spec(B-1) are prefixed with "f"
BEGIN
  IMPORTING RefMapB[R, U, Z, B], SpecInv[R, U, Z, B],
            SpecInv[R, U, Z, B - 1], TransB[R, U, Z, B]

  % Unprimed names are the current state, *_p names the next state.
  RF, RF_p: VAR [REG_ID -> RF_TYPE[R, U, Z, B]]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE[R, U, Z, B]]
  ROB, ROB_p: VAR ROB_TYPE[R, U, Z, B]
  RS, RS_p: VAR [SLOT_ID[R, U, Z, B] -> RS_TYPE[R, U, Z, B]]
  res, res_p: VAR [FU_ID -> result_TYPE[R, U, Z, B]]
  fRF, fRF_p: VAR [REG_ID -> RF_TYPE[R, U, Z, B - 1]]
  fRAT, fRAT_p: VAR [REG_ID -> RAT_TYPE[R, U, Z, B - 1]]
  fROB, fROB_p: VAR ROB_TYPE[R, U, Z, B - 1]
  fRS, fRS_p: VAR [SLOT_ID[R, U, Z, B - 1] -> RS_TYPE[R, U, Z, B - 1]]
  fres, fres_p: VAR [FU_ID -> result_TYPE[R, U, Z, B - 1]]
  pc, fpc, pc_p, fpc_p: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p: VAR nat
  FU: VAR FU_ID
  S: VAR SLOT_ID[R, U, Z, B - 1]
  r: VAR REG_ID
  rb: VAR ROB_ID[R, U, Z, B]

  % Under refMapB and occEqual on both ROBs, a buffer occupied on both sides
  % has the same issuedBefore count as the f-buffer it maps to.
  issBeforeEq: LEMMA
    refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND occEqual(ROB) AND occEqual(fROB)
    IMPLIES
    (FORALL rb:
       oc(robe(ROB)(rb)) AND oc(robe(fROB)(Bp1MapB(rb, head(ROB), head(fROB))))
       IMPLIES issuedBefore(numinst, ROB, rb)
               = issuedBefore(fnuminst, fROB, Bp1MapB(rb, head(ROB), head(fROB))))

  % Statement of totIssEqual; its remaining hypotheses and the conclusion
  % continue on the next line of the dump.
  totIssEqual: LEMMA
    refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND NOT succ(tail(ROB)) = head(ROB)
    AND headTailEq(ROB) AND
    % (continuation of lemma totIssEqual, whose statement starts on the
    % previous line of the dump): the two designs have issued the same total.
    headTailEq(fROB) AND freeHeadROBempty(ROB) AND freeHeadROBempty(fROB)
    IMPLIES totalIssued(numinst, ROB) = totalIssued(fnuminst, fROB)

  % When the tail buffer is unoccupied on both sides, issuedBefore at the tail
  % equals totalIssued, for each design separately.
  issBeforeTail: LEMMA
    occEqual(ROB) AND occEqual(fROB)
    AND NOT oc(robe(ROB)(tail(ROB))) AND NOT oc(robe(fROB)(tail(fROB)))
    IMPLIES
    issuedBefore(numinst, ROB, tail(ROB)) = totalIssued(numinst, ROB)
    AND issuedBefore(fnuminst, fROB, tail(fROB)) = totalIssued(fnuminst, fROB)

  % If the tails correspond and the B-buffer ROB has at least one spare buffer
  % beyond the tail, the successors of the tails correspond as well.
  tailConstIssue: LEMMA
    (FORALL (ROB, fROB):
       tail(fROB) = Bp1MapB(tail(ROB), head(ROB), head(fROB))
       AND NOT succ(tail(ROB)) = head(ROB)
       AND NOT (head(ROB) = tail(ROB) AND wrap(ROB))
       IMPLIES succ(tail(fROB)) = Bp1MapB(succ(tail(ROB)), head(ROB), head(fROB)))

  % Bp1MapB is injective on buffers other than the one just before head,
  % provided the ROB is not full and wrapWraps holds.
  mapUnique: LEMMA
    (FORALL (rb1, rb2: ROB_ID[R, U, Z, B], ROB, fROB):
       Bp1MapB(rb1, head(ROB), head(fROB)) = Bp1MapB(rb2, head(ROB), head(fROB))
       AND NOT succ(rb1) = head(ROB) AND NOT succ(rb2) = head(ROB)
       AND NOT (head(ROB) = tail(ROB) AND wrap(ROB))
       AND wrapWraps(ROB)
       IMPLIES rb1 = rb2)

  % buffInd is injective in its first argument for a fixed head.
  buffIndUnique: LEMMA
    (FORALL (rb, rb2, head: ROB_ID[R, U, Z, B]):
       buffInd(rb, head) = buffInd(rb2, head) IMPLIES rb = rb2)

  % An issue step of the B-buffer design that does not fill its ROB is matched
  % by an issue step of the f design (fRF and fnuminst unchanged) that
  % re-establishes refMapB.
  issueMatchB: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    AND NOT (head(ROB_p) = tail(ROB_p) AND wrap(ROB_p))
    IMPLIES
    (EXISTS (fpc_p, fRS_p, fROB_p, fRAT_p):
       rho_issue(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF, fRS_p, fRAT_p, fROB_p, fnuminst)
       AND refMapB(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc_p, fRF, fRS_p, fRAT_p, fROB_p, fnuminst))

  % A write-back step is matched by a write-back step of the f design in which
  % only fRS, fROB and fres change.
  writebMatchB: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
    AND refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    (EXISTS (fres_p, fRS_p, fROB_p):
       rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc, fRF, fRS_p, fRAT, fROB_p, fnuminst, fres_p)
       AND refMapB(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc, fRF, fRS_p, fRAT, fROB_p, fnuminst))

  % After a retire step that advances head, every buffer still occupied maps
  % to the same f-index whether the old or the advanced heads are used.
  indexConst_retire: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND head(ROB_p) = succ(head(ROB))
    IMPLIES
    (FORALL rb:
       oc(robe(ROB_p)(rb))
       IMPLIES Bp1MapB(rb, succ(head(ROB)), succ(head(fROB))) = Bp1MapB(rb, head(ROB), head(fROB)))

  % A retire step is matched by a retire step of the f design.
  retireMatchB: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    (EXISTS (fpc_p, fRS_p, fRF_p, fROB_p, fRAT_p, fnuminst_p):
       rho_retire(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)
       AND refMapB(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p))

  % Transition relation of the f design used in this refinement: an issue,
  % write-back or retire step.
  % NOTE(review): rho_execute and rho_extint (both expanded by the expand-rho
  % strategy in this dump) are not disjuncts here or in rhocB -- confirm that
  % leaving them out of this refinement step is intended.
  rhoaB(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p): bool =
    rho_issue(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)
    OR rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)
    OR rho_retire(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)

  % An rhoaB step of the f design whose next state is related by refMapB to
  % the given next state of the B-buffer design.
  rhoaB_star(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
             fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p): bool =
    rhoaB(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)
    AND refMapB(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)

  % Transition relation of the B-buffer design with one buffer kept free: an
  % issue, write-back or retire step whose next-state ROB is not full.
  rhocB(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p): bool =
    NOT (head(ROB_p) = tail(ROB_p) AND wrap(ROB_p)) AND
    (rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
     OR rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
     OR rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p))

  % Relation carried through the refinement proof: refMapB plus SpecInv on
  % both states.
  alphaB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst): bool =
    refMapB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)

  % Observation functions: each design is observed through its register file.
  OC_B(pc, RF, RS, RAT, ROB, numinst): [REG_ID -> RF_TYPE[R, U, Z, B]] = RF

  OA_B(fpc, fRF, fRS, fRAT, fROB, fnuminst): [REG_ID -> RF_TYPE[R, U, Z, B - 1]] = fRF

  % R1B: every rhocB step from a state related by alphaB has a matching
  % rhoaB_star step.
  R1B: LEMMA
    rhocB(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
    AND alphaB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    (EXISTS (fpc_p, fRS_p, fRF_p, fROB_p, fRAT_p, fnuminst_p, fres_p):
       rhoaB_star(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
                  fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p))

  % R2B: a rhoaB_star step is an rhoaB step.
  R2B: LEMMA
    rhoaB_star(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
               fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)
    IMPLIES
    rhoaB(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)

  % R3B: alphaB is preserved by a pair of matching steps.
  R3B: LEMMA
    rhocB(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
    AND rhoaB_star(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
                   fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)
    AND alphaB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    alphaB(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)

  R4B: LEMMA alphaB(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst) IMPLIES OC_B(pc, RF, RS,
RAT, ROB, numinst) = OA_B(fpc, fRF, fRS, fRAT, fROB, fnuminst) END RefB $$$RefB.prf (|RefB| (IMPORTING2_TCC1 "" (SUBTYPE-TCC) NIL) (|issBeforeEq_TCC1| "" (SUBTYPE-TCC) NIL) (|issBeforeEq| "" (SKOSIMP*) (("" (EXP-BUFF) (("" (EXPAND "refMapB") (("" (SIMP) (("" (HIDE -6 -7) (("" (EXPAND "occEqual") (("" (SIMP) (("" (INST -8 "rb!1") (("" (INST -10 "Bp1MapB(rb!1, head(ROB!1), head(fROB!1))") (("" (HIDE -7 -9) (("" (SIMP) (("" (EXPAND "occ_buffer") (("" (HIDE -1 -2 -3) (("" (CASE "head(ROB!1) = tail(ROB!1)") (("1" (SIMP) NIL) ("2" (CASE "rb!1 = head(ROB!1)") (("1" (SIMP) NIL) ("2" (CASE "rb!1 = tail(ROB!1)") (("1" (SIMP) NIL) ("2" (EXPAND "Bp1MapB" +) (("2" (EXPAND "buffInd") (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))))))) (|totIssEqual| "" (SKOSIMP*) (("" (EXPAND "refMapB") (("" (SIMP) (("" (REPLACE*) (("" (HIDE -4 -5 -6 -7 -8) (("" (EXP-BUFF) (("" (INST -3 "head(ROB!1)") (("" (CASE "tail(ROB!1) = head(ROB!1) ") (("1" (SIMP) (("1" (SPLIT-IF) (("1" (EXPAND "headTailEq") (("1" (INST?) (("1" (INST?) (("1" (SPLIT-IF -) NIL))))))))))) ("2" (SIMP) (("2" (CASE "tail(fROB!1) = head(fROB!1)") (("1" (EXPAND "headTailEq") (("1" (SIMP) (("1" (EXPAND "freeHeadROBempty") (("1" (SIMP) (("1" (REPLACE*) (("1" (CASE "wrap(fROB!1)") (("1" (SIMP) (("1" (CLEAN-UP) (("1" (GRIND) NIL))))) ("2" (SIMP) (("2" (INST? -6) (("2" (SIMP) NIL))))))))))))))))) ("2" (SIMP) (("2" (CLEAN-UP) (("2" (HIDE -4 -5) (("2" (GRIND) NIL))))))))))))))))))))))))))) (|issBeforeTail| "" (SKOSIMP*) (("" (EXPAND "occEqual") (("" (EXP-BUFF) (("" (SPLIT +) (("1" (SIMP) (("1" (INST?) (("1" (SIMP) (("1" (HIDE -1 -2 -3 3 4) (("1" (EXPAND "occ_buffer") (("1" (SPLIT-ALL) NIL))))))))))) ("2" (SIMP) (("2" (INST? 
-3) (("2" (SIMP) (("2" (HIDE -1 -2 -3 3 4) (("2" (EXPAND "occ_buffer") (("2" (SPLIT-ALL) NIL))))))))))))))))))) (|tailConstIssue| "" (SKOSIMP*) (("" (EXPAND "Bp1MapB") (("" (LIFT-IF) (("" (SPLIT 3) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (CASE "head(ROB!1) = tail(ROB!1)") (("1" (SIMP) (("1" (EXPAND "buffInd") (("1" (EXPAND "succ") (("1" (APPLY (REPEAT* (LIFT-IF))) (("1" (APPLY (THEN (REPEAT* (THEN (SPLIT) (FLATTEN))) (SIMP))) NIL))))))))) ("2" (HIDE 5) (("2" (CASE "head(fROB!1) = tail(fROB!1)") (("1" (EXPAND "buffInd") (("1" (EXPAND "succ") (("1" (LIFT-IF) (("1" (SPLIT 4) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))) ("2" (EXPAND "buffInd") (("2" (EXPAND "succ") (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (SIMP) (("1" (LIFT-IF) (("1" (SPLIT -) (("1" (SIMP) (("1" (SPLIT 3) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))) ("2" (LIFT-IF) (("2" (SPLIT +) (("1" (SPLIT -) (("1" (SIMP) NIL) ("2" (FLATTEN) (("2" (HIDE -2 -3 -4 1 2 4 5 6) (("2" (REPLACE*) (("2" (SIMP) NIL))))))))) ("2" (SIMP) NIL))))))))) ("2" (SPLIT +) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" (SIMP) (("2" (SPLIT +) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))) ("2" (SIMP) (("2" (SPLIT-IF) NIL))))))))))))))) ("2" (SIMP) (("2" (CASE "NOT tail(ROB!1) = B") (("1" (SIMP) NIL) ("2" (REPLACE*) (("2" (SPLIT +) (("1" (SPLIT-IF) NIL) ("2" (SPLIT-IF) NIL))))))))))))))))))))))))))))))))) (|mapUnique| "" (SKOSIMP*) (("" (SIMP) (("" (GRIND) NIL))))) (|buffIndUnique| "" (GRIND) NIL) (|issueMatchB| "" (SKOSIMP*) (("" (HIDE -1 -2 -3 -4) (("" (REVEAL -1 -2 -3 -4) (("" (EXPAND "rho_issue" -) (("" (SKOSIMP*) (("" (CASE "not (exists (iRAT : [REG_ID -> RAT_TYPE[R, U, Z, B - 1]]): iRAT = RAT_issueB(fRAT!1, Sn!1, fROB!1, fpc!1))") (("1" (INST 1 "RAT_issueB(fRAT!1, Sn!1, fROB!1, fpc!1)") NIL) ("2" (CASE "not (exists (iROB : ROB_TYPE[R, U, Z, B - 1]): iROB = ROB_issueB(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1))") (("1" (INST 1 "ROB_issueB(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1)") NIL) 
("2" (CASE "not (exists (iRS: [SLOT_ID[R, U, Z, B - 1] -> RS_TYPE[R, U, Z, B - 1]]): iRS = RS_issueB(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1))") (("1" (INST 1 "RS_issueB(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1)") NIL) ("2" (SKOSIMP*) (("2" (CASE "not (exists (ipc : PC_RANGE): ipc = pc_issueB(fpc!1, Sn!1, fRF!1, fROB!1, fRAT!1, fnuminst!1))") (("1" (INST 1 "pc_issueB(fpc!1, Sn!1, fRF!1, fROB!1, fRAT!1, fnuminst!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 2 "ipc!1" "iRS!1" "iROB!1" "iRAT!1") (("2" (SPLIT 2) (("1" (EXPAND "rho_issue") (("1" (INST?) (("1" (CASE "not Sn!1 > 0") (("1" (SIMP) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (APPLY-EXTENSIONALITY 2 :HIDE? T) NIL))))))) ("2" (EXPAND "can_issue") (("2" (EXPAND "dispatch") (("2" (SIMP) (("2" (EXPAND "refMapB") (("2" (SIMP) (("2" (INST? -18 :COPY? T) (("2" (SIMP) (("2" (REPLACE -10 +) (("2" (SIMP) (("2" (CASE "(tail(fROB!1) = head(fROB!1) AND wrap(fROB!1))") (("1" (HIDE 1) (("1" (EXPAND "SpecInv") (("1" (EXPAND "headTailEq") (("1" (SIMP) (("1" (INST -41 "head(fROB!1)") (("1" (INST -16 "head(ROB!1)") (("1" (SIMP) (("1" (REPLACE*) (("1" (HIDE -4 -5 -6 -7 -8 -9 -10 -11 -12 -13) (("1" (HIDE -9 -10 -32) (("1" (LEMMA "mapUnique") (("1" (INST?) (("1" (INST?) (("1" (SIMP) (("1" (SPLIT -) (("1" (SIMP) (("1" (INST? -14) (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -) NIL))))))))) ("2" (EXPAND "succ") (("2" (NEW-SPLIT-IF -) NIL))) ("3" (SIMP) (("3" (EXPAND "succ") (("3" (NEW-SPLIT-IF) (("3" (EXPAND "wrapWraps") (("3" (PROPAX) NIL))))))))) ("4" (SIMP) NIL))))))))))))))))))))))))))))))) ("2" (APPLY (THEN (SPLIT 2) (REP-PLUS) (EXP-TRANS +))) NIL))))))))))))))))))))))))))) ("2" (LEMMA "totIssEqual") (("2" (LEMMA " tailConstIssue") (("2" (INST?) (("2" (INST -1 "fROB!1") (("2" (INST? 
-2 :WHERE -) (("2" (SIMP) (("2" (HIDE -1 -2) (("2" (EXPAND "refMapB") (("2" (CASE "not (NOT (tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1)) AND Bp1MapB(head(ROB_p!1), head(ROB_p!1), head(iROB!1)) = head(iROB!1) AND Bp1MapB(tail(ROB_p!1), head(ROB_p!1), head(iROB!1)) = tail(iROB!1))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (HIDE -1 -2 -3 -4 -7 -8 -9 -10 -11 -12) (("1" (EXPAND "dispatch") (("1" (SPLIT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (REVEAL -11) (("2" (SIMP) (("2" (SPLIT 1) (("1" (SIMP) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (PROPAX) NIL))))))))))) ("2" (SIMP) NIL))))))))))))))))))))) ("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SKOSIMP*) (("1" (INST -16 "rb!1") (("1" (EXPAND "dispatch") (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (REP-PLUS (-1 -2)) (("1" (HIDE -3 -4 -5 -6 -7 -8 -9 -10 -11 -12 -13 -19 -20) (("1" (EXP-TRANS) (("1" (HIDE -3) (("1" (CASE "Sn!1 = 0") (("1" (SIMP) NIL) ("2" (SIMP) (("2" (CASE "succ(tail(ROB!1)) = head(ROB!1)") (("1" (SIMP) (("1" (HIDE 2) (("1" (EXPAND "succ") (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (SPLIT-IF) NIL))))))))))) ("2" (REVEAL -17) (("2" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (HIDE 1 5 7) (("1" (LEMMA "mapUnique") (("1" (INST?) (("1" (INST?) (("1" (EXPAND "SpecInv") (("1" (SIMP) (("1" (SPLIT +) (("1" (EXPAND "succ" -1) (("1" (CASE "oc(robe(ROB!1)(rb!1))") (("1" (SIMP) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -14) (("1" (SIMP) (("1" (EXPAND "occ_buffer") (("1" (SPLIT-IF -) (("1" (REDUCE-IF) (("1" (SIMP) NIL))) ("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))) ("2" (REVEAL 1) (("2" (REPLACE 2) (("2" (EXPAND "succ" 1) (("2" (PROPAX) NIL))))))))))) ("2" (SIMP) NIL))))))))))))))))) ("2" (EXPAND "SpecInv") (("2" (SIMP) (("2" (LEMMA "issBeforeTail") (("2" (INST?) (("2" (INST?) (("2" (SIMP) (("2" (SPLIT -7) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? 
-14) (("1" (EXPAND "occ_buffer") (("1" (REDUCE-IF) (("1" (SIMP) NIL))))))))))) ("2" (SIMP) (("2" (REPLACE*) (("2" (REPLACE*) (("2" (SPLIT-IF) (("2" (CASE "not (forall (j : TWO): IF b(fRAT!1(src(prog(pc!1))(j))) then pv(robe(fROB!1)(al(fRAT!1(src(prog(pc!1))(j))))) else v(fRF!1(src(prog(pc!1))(j))) endif = IF b(RAT!1(src(prog(pc!1))(j))) then pv(robe(ROB!1)(al(RAT!1(src(prog(pc!1))(j))))) else v(RF!1(src(prog(pc!1))(j))) endif)") (("1" (HIDE 3) (("1" (REVEAL -15 -17) (("1" (SKOSIMP*) (("1" (INST?) (("1" (EXPAND "busyRAT") (("1" (INST?) (("1" (INST?) (("1" (SPLIT-IF) (("1" (SIMP) NIL))))))))))))))))) ("2" (INST-CP -1 "1") (("2" (INST -1 "2") (("2" (SIMP) (("2" (REVEAL -16) (("2" (INST-CP -1 "src(prog(pc!1))(1)") (("2" (INST -1 "src(prog(pc!1))(2)") (("2" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) NIL) ("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (INST? -19) (("2" (SPLIT-IF) (("2" (SPLIT-IF) NIL))))))))))) ("3" (SKOSIMP*) (("3" (INST? -20) (("3" (REP-PLUS) (("3" (EXP-TRANS +) (("3" (HIDE -1 -2 -3 -4 -5 -6 -8 -9 -10 -11 -12 -13 -14) (("3" (EXPAND "dispatch") (("3" (SPLIT-IF 2) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INSTBEST -11) (("1" (NEW-SPLIT-IF) NIL))))))) ("2" (SPLIT 2) (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST? -12) (("1" (SPLIT-IF) (("1" (SIMP) NIL))))))))))) ("2" (SIMP) (("2" (SKOSIMP*) (("2" (INST? -) (("2" (INST? -) (("2" (SIMP) (("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SIMP) (("2" (INST? 
-17) (("2" (SPLIT-IF) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))) ("4" (REP-PLUS) (("4" (EXP-TRANS +) (("4" (SPLIT-IF 2) (("4" (REVEAL -2) (("4" (EXPAND "SpecInv") (("4" (SIMP) (("4" (CASE "succ(tail(ROB!1)) = head(ROB!1)") (("1" (SIMP) (("1" (EXPAND "succ") (("1" (EXPAND "wrapWraps") (("1" (NEW-SPLIT-IF -) NIL))))))) ("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))))))))) ("3" (NEW-SPLIT-IF) NIL))))))))))))) (|writebMatchB| "" (SKOSIMP*) (("" (HIDE -1 -2 -3 -4) (("" (REVEAL -1 -2 -3 -4) (("" (EXPAND "rho_writeb" -) (("" (SKOSIMP*) (("" (CASE "not (exists (wres : [FU_ID -> result_TYPE[R, U, Z, B - 1]]): wres = (LAMBDA (FU: FU_ID): IF exec!1(FU) THEN (# a := TRUE, p := p(fRS!1(iex!1(FU))), v := IF type_op(op(fRS!1(iex!1(FU)))) /= BRANCH THEN do_op(op(fRS!1(iex!1(FU))), v(ss(fRS!1(iex!1(FU)))(1)), v(ss(fRS!1(iex!1(FU)))(2))) ELSIF branch_act (pc(robe(fROB!1)(p(fRS!1(iex!1(FU))))), 1 + issuedBefore(fnuminst!1, fROB!1, p(fRS!1(iex!1(FU))))) THEN 1 ELSE 0 ENDIF, int := int_interrupt (pc(robe(fROB!1)(p(fRS!1(iex!1(FU))))), 1 + issuedBefore(fnuminst!1, fROB!1, p(fRS!1(iex!1(FU))))) #) ELSE (# a := FALSE, p := 1, v := 0, int := FALSE #) ENDIF))") (("1" (INST 1 "(LAMBDA (FU: FU_ID): IF exec!1(FU) THEN (# a := TRUE, p := p(fRS!1(iex!1(FU))), v := IF type_op(op(fRS!1(iex!1(FU)))) /= BRANCH THEN do_op(op(fRS!1(iex!1(FU))), v(ss(fRS!1(iex!1(FU)))(1)), v(ss(fRS!1(iex!1(FU)))(2))) ELSIF branch_act(pc(robe(fROB!1)(p(fRS!1(iex!1(FU))))), 1 + issuedBefore(fnuminst!1, fROB!1, p(fRS!1(iex!1(FU))))) THEN 1 ELSE 0 ENDIF, int := int_interrupt(pc(robe(fROB!1)(p(fRS!1(iex!1(FU))))), 1 + issuedBefore(fnuminst!1, fROB!1, p(fRS!1(iex!1(FU))))) #) ELSE (# a := FALSE, p := 1, v := 0, int := FALSE #) ENDIF)") (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))) ("3" (SKOSIMP*) (("3" (SIMP) NIL))))) ("2" (SKOSIMP*) (("2" (CASE "not (exists (wROB : ROB_TYPE[R, U, Z, B - 1]): wROB = ROB_writeb(fROB!1, wres!1))") (("1" (INST 1 "ROB_writeb(fROB!1, 
wres!1)") NIL) ("2" (CASE "not (exists (wRS : [SLOT_ID[R, U, Z, B - 1] -> RS_TYPE[R, U, Z, B - 1]]): wRS = RS_writeb(wres!1, fRS!1))") (("1" (INST 1 "RS_writeb(wres!1, fRS!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 1 "wres!1" "wRS!1" "wROB!1") (("2" (CASE "not rho_writeb(fpc!1, fRF!1, fRS!1, fRAT!1, fROB!1, fnuminst!1, fpc!1, fRF!1, wRS!1, fRAT!1, wROB!1, fnuminst!1, wres!1)") (("1" (HIDE 2) (("1" (EXPAND "rho_writeb") (("1" (INST 1 "exec!1" "iex!1") (("1" (EXPAND "can_execute") (("1" (EXPAND "enabled") (("1" (CASE "not (FORALL (FU: FU_ID[R, U]): (exec!1(FU) IMPLIES ((oc(fRS!1(iex!1(FU))) AND (FORALL (j: TWO): NOT st(ss(fRS!1(iex!1(FU)))(j)) = BUSY)) AND fu_table(op(fRS!1(iex!1(FU)))) = FU)))") (("1" (HIDE 2) (("1" (SKOSIMP*) (("1" (EXPAND "refMapB") (("1" (SIMP) (("1" (INST? -19) (("1" (INST?) (("1" (SIMP) (("1" (SIMP) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (INST? -24) (("1" (SIMP) NIL))))))))))))))))))))))))) ("2" (SPLIT +) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL) ("3" (REPLACE -3) (("3" (EXP-TRANS +) NIL))) ("4" (REP-EXP -2 +) NIL))))))))))))))) ("2" (SIMP) (("2" (LEMMA "writeb_prop[R,U,Z,B-1]") (("2" (INST?) (("2" (SIMP) (("2" (LEMMA "writeb_prop[R,U,Z,B]") (("2" (REVEAL -2) (("2" (INST?) 
(("2" (SIMP) (("2" (HIDE -1 -4) (("2" (EXPAND "refMapB") (("2" (CASE "not (NOT (tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1)) AND Bp1MapB(head(ROB_p!1), head(ROB_p!1), head(wROB!1)) = head(wROB!1) AND Bp1MapB(tail(ROB_p!1), head(ROB_p!1), head(wROB!1)) = tail(wROB!1))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS +) NIL))))) ("2" (SIMP) (("2" (CASE "not (forall (rb : ROB_ID[R,U,Z,B]), (FU, FU2 : FU_ID): a(res_p!1(FU)) AND p(res_p!1(FU)) = rb and a(wres!1(FU2)) AND p(wres!1(FU2)) = Bp1MapB(rb, head(ROB!1), head(fROB!1)) implies v(wres!1(chooseFU(Bp1MapB(rb, head(ROB!1), head(fROB!1)), wres!1))) = v(res_p!1(chooseFU(rb, res_p!1))) AND int(wres!1(chooseFU(Bp1MapB(rb, head(ROB!1), head(fROB!1)), wres!1))) = int(res_p!1(chooseFU(rb, res_p!1))))") (("1" (HIDE 4) (("1" (SKOSIMP*) (("1" (EXPAND "SpecInv") (("1" (SIMP) (("1" (EXPAND "wb_prop") (("1" (EXPAND "chosenFUunique") (("1" (SIMP) (("1" (INST? -) (("1" (INST?) (("1" (REPLACE -2) (("1" (REPLACE -4) (("1" (SIMP) (("1" (REPLACE -9) (("1" (REPLACE -13) (("1" (REP-PLUS 1) (("1" (HIDE -1 -2 -3 -4) (("1" (REVEAL -1 -2 -3 -4) (("1" (REP-PLUS (-1 -2 -3 -4)) (("1" (HIDE -22 -23 -24 -25 -28 -29 -30 -31 -32) (("1" (REDUCE-IF) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (LEMMA "issBeforeEq") (("1" (REVEAL -20) (("1" (INST?) (("1" (SIMP) (("1" (HIDE -1) (("1" (INST -1 "rb!1") (("1" (EXPAND "activeRes") (("1" (SIMP) (("1" (REVEAL -12 -14) (("1" (INSTBEST) (("1" (INSTBEST) (("1" (SIMP) (("1" (SIMP) (("1" (REVEAL -10) (("1" (REP-PLUS 1) (("1" (REPLACE -1) (("1" (REPLACE -4 :DIR RL :HIDE? T) (("1" (REVEAL -10) (("1" (INST?) (("1" (SIMP) (("1" (REP-PLUS 1) (("1" (REVEAL -14) (("1" (INST?) 
(("1" (INST-CP -29 "FU!1") (("1" (INST -29 "FU2!1") (("1" (EXPAND "enabled") (("1" (SIMP) (("1" (INST-CP -3 "1") (("1" (INST -3 "2") (("1" (SIMP) (("1" (HIDE -29 -40) (("1" (INST-CP -37 "1") (("1" (INST -37 "2") (("1" (SIMP) (("1" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (APPLY (THEN (SPLIT 3) (SIMP) (SKOSIMP*))) (("1" (REPLACE -15 + :HIDE? T) (("1" (SIMP) (("1" (REP-EXP -7 +) (("1" (EXPAND "SpecInv") (("1" (SPLIT +) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -27) (("1" (INST? -44) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (INST? -22) (("1" (SKOSIMP*) (("1" (INST? -) (("1" (SIMP) (("1" (INST -7 "FU!2") (("1" (SIMP) NIL))))))))))) ("2" (SKOSIMP*) (("2" (HIDE 2) (("2" (SIMP) (("2" (INST? -29) (("2" (SIMP) (("2" (INSTBEST) (("2" (REPLACE -12 (-2 -3)) (("2" (REPLACE -16 +) (("2" (SIMP) (("2" (REDUCE-IF) (("2" (SIMP) (("2" (INST? -26) (("2" (INST? -15) (("2" (EXPAND "enabled") (("2" (SIMP) (("2" (REPLACE -3) (("2" (LEMMA "mapUnique") (("2" (INST?) (("2" (HIDE -20 -21 -22 -23 -13 -34) (("2" (SIMP) (("2" (EXPAND "occTailROBfull") (("2" (SPLIT +) (("1" (EXPAND "succ") (("1" (EXPAND "occ_buffer" -31) (("1" (SPLIT-IF -) (("1" (REDUCE-IF) (("1" (SIMP) NIL))) ("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))) ("2" (EXPAND "occRS") (("2" (INST? -38) (("2" (SIMP) (("2" (REVEAL -13) (("2" (INST -1 "p(RS!1(iex!1(FU!1)))") (("2" (EXPAND "occ_buffer" -1) (("2" (SIMP) (("2" (EXPAND "succ") (("2" (SPLIT-IF -) (("2" (SPLIT-IF -) NIL))))))))))))))))))) ("3" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (INST? -26) (("2" (SPLIT-IF) (("1" (INST? -20) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (HIDE 1) (("1" (INSTBEST) (("1" (REPLACE -11 +) (("1" (HIDE -1 -2) (("1" (REVEAL -1 -2) (("1" (SIMP) (("1" (REPLACE -15 (-1 -2)) (("1" (INST? -14) (("1" (EXPAND "enabled") (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (INST? -28) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))) ("2" (INST? 
-19) (("2" (SIMP) NIL))))))))))))))))) ("2" (SIMP) (("2" (INST? -19) (("2" (SIMP) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (INST? -22) NIL))))) ("3" (REPLACE -16 :HIDE? T) (("3" (REP-EXP -6 +) (("3" (SIMP) (("3" (INST? -22) (("3" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (REPLACE -15 (-2 -3) :HIDE? T) (("1" (REP-EXP -11 +) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (INST? -18) (("1" (EXPAND "enabled") (("1" (SIMP) (("1" (HIDE -9 -10 -11 -12 -13) (("1" (HIDE -10 -19 -25) (("1" (EXPAND "SpecInv") (("1" (EXPAND "slotUnique") (("1" (SIMP) (("1" (INST -38 "iex!1(FU!1)" "S!1") (("1" (SIMP) NIL))))))))))))))))))))))))))))))))))))) ("2" (HIDE -1 -2 -3 -4 -5) (("2" (SPLIT +) (("1" (SIMP) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (HIDE 1) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (REPLACE -10 +) (("1" (REPLACE -6 (-1 -2)) (("1" (SIMP) (("1" (INST?) (("1" (EXPAND "enabled") (("1" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "slotUnique") (("1" (SIMP) (("1" (INST -58 "iex!1(FU!1)" "S!1") (("1" (SIMP) (("1" (REVEAL -8) (("1" (INST?) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))) ("2" (HIDE 1 3) (("2" (REP-EXP -3 +) (("2" (REPLACE -11 + :HIDE? T) (("2" (SIMP) (("2" (INST? -20) (("2" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (REVEAL -3) (("1" (INST -1 "p(ss(RS!1(S!1))(j!1))" "FU!1" "FU!2") (("1" (SIMP) NIL))))))) ("2" (INSTBEST) (("2" (REPLACE -7 + :HIDE? T) (("2" (REPLACE -10 (-2 -3)) (("2" (SIMP) (("2" (INST?) (("2" (EXPAND "enabled") (("2" (SPLIT-IF) (("2" (HIDE -13 -21) (("2" (REVEAL -12) (("2" (INST -1 "iex!1(FU!1)") (("2" (SIMP) NIL))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (REPLACE -14 1 :HIDE? T) (("1" (REPLACE -10 (-5 -6) :HIDE? T) (("1" (SIMP) (("1" (INST?) 
(("1" (EXPAND "enabled") (("1" (SPLIT-IF) (("1" (REVEAL -11) (("1" (INST -1 "iex!1(FU!1)") (("1" (SIMP) (("1" (LEMMA "mapUnique") (("1" (INST?) (("1" (INST -1 "p(ss(RS!1(S!1))(j!1))") (("1" (SIMP) (("1" (EXPAND "SpecInv" -32) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (EXPAND "succ") (("1" (SPLIT +) (("1" (INST -35 "p(RS!1(iex!1(FU!1)))") (("1" (EXPAND "occ_buffer" -35) (("1" (SIMP) (("1" (EXPAND "occRS") (("1" (INST? -42) (("1" (SIMP) (("1" (SPLIT-IF -) (("1" (REDUCE-IF) (("1" (SIMP) NIL))) ("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))) ("2" (INST -35 "p(ss(RS!1(S!1))(j!1)) ") (("2" (REVEAL -7) (("2" (INST?) (("2" (EXPAND "occRSops") (("2" (INST? -42) (("2" (SIMP) (("2" (EXPAND "preceed") (("2" (EXPAND "occ_buffer") (("2" (SIMP) (("2" (SPLIT-IF -) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))))))))) ("3" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("2" (SIMP) NIL))))))))))))))))))))))) ("2" (SIMP) NIL))))))))))))))))) ("3" (SKOSIMP*) (("3" (LEMMA "chosenFUnonzero[R, U, Z, B]") (("3" (INST?) (("3" (SIMP) (("3" (SIMP) NIL))))))))) ("4" (SKOSIMP*) (("4" (LEMMA "chosenFUnonzero[R,U,Z,B-1]") (("4" (INST -1 "wres!1" "FU2!1") (("4" (SIMP) (("4" (SIMP) NIL))))))))) ("5" (SKOSIMP*) (("5" (SIMP) (("5" (LEMMA "chosenFUnonzero[R,U,Z,B]") (("5" (INST?) (("5" (SIMP) (("5" (SIMP) NIL))))))))))) ("6" (SKOSIMP*) (("6" (LEMMA "chosenFUnonzero[R,U,Z,B-1]") (("6" (INST? :WHERE +) (("6" (INST?) 
(("6" (SIMP) (("6" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))) ("3" (SKOSIMP*) (("3" (SIMP) NIL))) ("4" (SKOSIMP*) (("4" (SIMP) NIL))) ("5" (SIMP) NIL))))))))))))) (|indexConst_retire_TCC1| "" (SKOSIMP*) (("" (SIMP) NIL))) (|indexConst_retire| "" (SKOSIMP*) (("" (EXPAND "refMapB") (("" (EXPAND "rho_retire") (("" (SIMP) (("" (SKOSIMP*) (("" (SPLIT -2) (("1" (SIMP) (("1" (REPLACE*) (("1" (SIMP) (("1" (SPLIT-IF -18) (("1" (EXPAND "succ" -) (("1" (NEW-SPLIT-IF -) (("1" (REDUCE-IF) (("1" (HIDE -2 -3 -4 -5 -6 -7 -8 -9 -10 -14 -15 -16 -17 -18) (("1" (HIDE 2 3 4) (("1" (HIDE -2 -4) (("1" (EXPAND "Bp1MapB") (("1" (CASE "succ(head(fROB!1)) + buffInd(rb!1, succ(head(ROB!1))) >= 2 * B - 1 ") (("1" (HIDE 3 -3) (("1" (EXPAND "buffInd") (("1" (NEW-SPLIT-IF) NIL))))) ("2" (CASE "head(fROB!1) + buffInd(rb!1, head(ROB!1)) >= 2 * B - 1") (("1" (HIDE -3 4) (("1" (EXPAND "buffInd" -) (("1" (NEW-SPLIT-IF -) NIL))))) ("2" (REPLACE 1) (("2" (REPLACE 2) (("2" (HIDE -2 1 2) (("2" (EXPAND "buffInd") (("2" (EXPAND "succ") (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))))))) ("2" (SIMP) NIL))))))))))))) (|retireMatchB| "" (SKOSIMP*) (("" (LEMMA "indexConst_retire") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (EXPAND "rho_retire" -) (("" (SKOSIMP*) (("" (CASE "not retire!1") (("1" (HIDE -1) (("1" (INST 2 "fpc!1" "fRS!1" "fRF!1" "fROB!1" "fRAT!1" "fnuminst!1") (("1" (SPLIT +) (("1" (EXPAND "rho_retire") (("1" (INST 1 "false") (("1" (SIMP) NIL))))) ("2" (EXPAND "refMapB") (("2" (SIMP) (("2" (REPLACE*) (("2" (SIMP) NIL))))))))))))) ("2" (EXPAND "SpecInv" -6) (("2" (EXPAND "occEqual") (("2" (SIMP) (("2" (INST? 
-8) (("2" (SPLIT -5) (("1" (CASE "not (EXISTS (rRAT: [REG_ID -> RAT_TYPE[R, U, Z, B-1]]): rRAT = RAT_retire(fRAT!1, fROB!1))") (("1" (INST 1 " RAT_retire(fRAT!1, fROB!1)") NIL) ("2" (CASE "not (exists (rRF : [REG_ID -> RF_TYPE[R, U, Z, B - 1]]): rRF = RF_retire(fRF!1, fROB!1))") (("1" (INST 1 "RF_retire(fRF!1, fROB!1)") NIL) ("2" (CASE "not (exists (rROB : ROB_TYPE[R, U, Z, B - 1]): rROB = ROB_retire(fROB!1))") (("1" (INST 1 " ROB_retire(fROB!1)") NIL) ("2" (CASE "not (exists (rRS :[SLOT_ID[R, U, Z, B - 1] -> RS_TYPE[R, U, Z, B - 1]]): rRS = RS_retire(fRS!1, fROB!1))") (("1" (INST 1 "RS_retire(fRS!1, fROB!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 4 "fpc!1" "rRS!1" "rRF!1" "rROB!1" "rRAT!1" "fnuminst!1 + 1") (("2" (SPLIT 4) (("1" (EXPAND "rho_retire") (("1" (INST 1 "true") (("1" (EXPAND "can_retire") (("1" (EXPAND "refMapB") (("1" (SIMP) (("1" (INST? -16 :COPY? T) (("1" (SIMP) (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -42) (("1" (SIMP) (("1" (SPLIT +) (("1" (SIMP) (("1" (APPLY (THEN (SPLIT 2) (REP-PLUS) (EXP-TRANS +) (SIMP))) NIL))) ("2" (INSTBEST -16 :COPY? 
T) (("2" (SIMP) NIL))))))))))))))))))))))))))))) ("2" (EXPAND " refMapB") (("2" (CASE "not (NOT (tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1)) AND Bp1MapB(head(ROB_p!1), head(ROB_p!1), head(rROB!1)) = head(rROB!1) AND Bp1MapB(tail(ROB_p!1), head(ROB_p!1), head(rROB!1)) = tail(rROB!1))") (("1" (HIDE 2) (("1" (REPLACE*) (("1" (SIMP) (("1" (HIDE -1 -2 -3 -4 -5 -6 -7 -8 -9 -10 -11 -20 -21 2 3) (("1" (EXPAND "occ_buffer" -3) (("1" (HIDE -1 -4 -6) (("1" (EXPAND "Bp1MapB") (("1" (SPLIT +) (("1" (SIMP) (("1" (EXPAND "wrapWraps") (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF) NIL))))))) ("2" (EXPAND "buffInd") (("2" (EXP-TRANS +) (("2" (SPLIT-ALL) NIL))))) ("3" (EXP-TRANS +) (("3" (EXPAND "buffInd") (("3" (EXPAND "wrapWraps") (("3" (HIDE -1 -4 -5 -6 -7 -8 -9 -10 -11 -12 -13 -14 -15 -16 -17 -18 -19 -20 -21 -22 -23) (("3" (NEW-SPLIT-IF) (("1" (LIFT-IF +) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (EXPAND "succ") (("1" (LIFT-IF +) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (SIMPLIFY) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))) ("2" (SIMP) (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))))))))) ("2" (SIMP) (("2" (EXPAND "succ") (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (SPLIT -) (("1" (FLATTEN) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))) ("2" (SIMP) NIL))))) ("2" (LIFT-IF) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (PROPAX) NIL))) ("2" (FLATTEN) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (PROPAX) NIL))) ("2" (FLATTEN) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))))))))))))) ("2" (SPLIT -) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" (FLATTEN) (("2" (LIFT-IF) (("2" (SPLIT 3) (("1" (SPLIT 4) (("1" (SIMP) NIL) ("2" (SIMP) NIL))) ("2" (FLATTEN) (("2" (SPLIT 5) (("1" (FLATTEN) (("1" (PROPAX) NIL))) ("2" (FLATTEN) (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SPLIT -3) (("1" (FLATTEN) (("1" (SPLIT -2) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" 
(SIMP) NIL))))) ("2" (FLATTEN) (("2" (CASE "not head(fROB!1) = B -1") (("1" (SIMP) NIL) ("2" (REPLACE -1 :HIDE? T) (("2" (CASE "not head(ROB!1) = B") (("1" (SIMP) NIL) ("2" (REPLACE -1 :HIDE? T) (("2" (HIDE 1 2 4 5 7 8) (("2" (CASE "not tail(ROB!1) = B") (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (LIFT-IF +) (("2" (SPLIT +) (("1" (EXPAND "succ") (("1" (LIFT-IF +) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF +) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (SPLIT 2) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))) ("2" (SIMP) NIL))))))) ("2" (FLATTEN) (("2" (CASE "not head(fROB!1) = B - 1") (("1" (SIMP) NIL) ("2" (REPLACE -1 :HIDE? T) (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))))))))))) ("2" (FLATTEN) (("2" (EXPAND "succ") (("2" (LIFT-IF +) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))) ("2" (FLATTEN) (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))) ("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SKOSIMP*) (("1" (REPLACE*) (("1" (SIMP) (("1" (EXP-TRANS) (("1" (SPLIT-IF) (("1" (HIDE -6 -7 -8 -9 -10 -11 -12 -13 -14 -15 -16 -17 -22 -23 -24 -25 -26 -33 -34 -35 -36 -37 -36 -39 -40 -41 -42) (("1" (HIDE -3 -4 -5 -6) (("1" (CASE "Bp1MapB(rb!1, succ(head(ROB!1)), succ(head(fROB!1))) = Bp1MapB(rb!1, (head(ROB!1)), (head(fROB!1)))") (("1" (REPLACE*) (("1" (INST?) (("1" (SPLIT +) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (LEMMA "mapUnique") (("1" (INST?) (("1" (INST?) (("1" (SIMP) (("1" (SPLIT +) (("1" (INST?) 
(("1" (EXPAND "occ_buffer") (("1" (SPLIT-IF -) (("1" (EXPAND "succ") (("1" (SIMP) NIL))) ("2" (EXPAND "succ") (("2" (SPLIT-IF -) NIL))))))))) ("2" (EXPAND "succ") (("2" (SPLIT-IF -) NIL))) ("3" (SIMP) NIL))))))))))))))) ("2" (SIMP) (("2" (REDUCE-IF) (("2" (SIMP) (("2" (EXPAND "Bp1MapB" 1) (("2" (EXPAND "succ" -5) (("2" (EXPAND "buffInd") (("2" (LIFT-IF) (("2" (SPLIT -5) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))))))))))))))))) ("2" (HIDE 3 5 6 7) (("2" (HIDE -1 -2 -3 -4 -5 -6 -8 -9 -10 -11 -12) (("2" (EXPAND "Bp1MapB") (("2" (EXPAND "succ") (("2" (EXPAND "buffInd") (("2" (CASE "tail(ROB!1) = head(ROB!1)") (("1" (SIMP) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))) ("2" (LIFT-IF) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))) ("2" (SIMP) NIL))))))))))) ("2" (FLATTEN) (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (FLATTEN) (("1" (LIFT-IF) (("1" (SPLIT +) (("1" (FLATTEN) (("1" (SIMP) (("1" (SPLIT-IF) NIL))))) ("2" (FLATTEN) (("2" (LIFT-IF) (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))))))) ("2" (SIMP) NIL))))))))))))) ("2" (HIDE -1) (("2" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (SPLIT-IF) NIL) ("2" (SPLIT-IF) NIL))) ("2" (SPLIT-IF) (("2" (SPLIT-IF) NIL))))))))))))))))))))))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS 1) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (INST? -19) (("2" (NEW-SPLIT-IF) NIL))))))))) ("3" (SKOSIMP*) (("3" (INST? -22) (("3" (REP-PLUS) (("3" (EXP-TRANS +) (("3" (NEW-SPLIT-IF) (("1" (REDUCE-IF) (("1" (EXPAND "busyRAT") (("1" (INST? -35) (("1" (INST -16 "al(RAT!1(r!1))") (("1" (SIMP) NIL))))))))) ("2" (SPLIT-IF) (("1" (INST? 
-20) (("1" (SIMP) (("1" (REPLACE*) (("1" (CASE "b(fRAT!1(r!1))") (("1" (SIMP) (("1" (EXP-TRANS) (("1" (EXPAND "Bp1MapB" (-19 -25)) (("1" (EXPAND " buffInd") (("1" (SPLIT-IF -25) (("1" (SPLIT-IF -) (("1" (EXPAND "occ_buffer") (("1" (EXPAND "busyRAT") (("1" (INST? -36) (("1" (INST -31 "al(RAT!1(r!1))") (("1" (SIMP) (("1" (SPLIT-IF -31) NIL))))))))))))) ("2" (SPLIT-IF -) (("2" (EXPAND "busyRAT") (("2" (INST? -35) (("2" (INST -30 "al(RAT!1(r!1))") (("2" (EXPAND "occ_buffer") (("2" (SIMP) (("2" (SIMP) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))))))))))))) ("2" (SIMP) NIL))))))))) ("2" (SIMP) (("2" (INST -15 "al(RAT!1(r!1))") (("2" (SIMP) (("2" (EXPAND "busyRAT") (("2" (INST? -33) (("2" (SIMP) NIL))))))))))))))))))))))) ("4" (SKOSIMP*) (("4" (REP-PLUS) (("4" (EXP-TRANS +) (("4" (INST? -23) (("4" (SPLIT-IF) (("4" (SIMP) (("4" (REPLACE -12 :HIDE? T) (("4" (SIMP) (("4" (INST-CP -14 "p(RS!1(S!1))") (("4" (EXPAND "occRS") (("4" (INST? -38) (("4" (SIMP) (("4" (SIMP) (("4" (SKOSIMP*) (("4" (INST? -27) (("4" (SPLIT-IF) (("1" (SPLIT-IF) NIL) ("2" (SPLIT-IF) (("2" (SPLIT-IF) (("1" (EXPAND "occRSops") (("1" (INST? -40) (("1" (SIMP) (("1" (INST -15 "p(ss(RS!1(S!1))(j!1))") (("1" (SIMP) (("1" (EXPAND "preceed") (("1" (PROPAX) NIL))))))))))))) ("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))) ("3" (SIMP) NIL))) ("3" (SIMP) NIL))) ("3" (SIMP) NIL))) ("3" (SIMP) NIL))) ("2" (SIMP) (("2" (CASE "not (exists (rROB : ROB_TYPE[R, U, Z, B - 1]): rROB = ROB_flush(fROB!1))") (("1" (INST 1 "ROB_flush(fROB!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 2 "pc_p!1" "(LAMBDA S: fRS!1(S) with [oc := FALSE])" "RF_p!1" "rROB!1" "(LAMBDA r: (# b:= FALSE, al := 1 #))" "numinst_p!1") (("1" (SPLIT 2) (("1" (EXPAND "rho_retire") (("1" (INST 1 "true") (("1" (SIMP) (("1" (EXPAND "can_retire") (("1" (EXPAND "refMapB") (("1" (SIMP) (("1" (INST-CP -14 "head(ROB!1)") (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? 
-40) (("1" (SIMP) (("1" (SPLIT 1) (("1" (SIMP) (("1" (HIDE 3) (("1" (INST? -15) (("1" (SIMP) NIL))))))) ("2" (SIMP) (("2" (REPLACE*) (("2" (EXP-TRANS +) NIL))))))))))))))))))))))))))))))) ("2" (EXPAND "refMapB") (("2" (REPLACE*) (("2" (SIMP) (("2" (EXP-TRANS +) (("2" (EXPAND "Bp1MapB" 1) (("2" (EXPAND "buffInd") (("2" (PROPAX) NIL))))))))))))))) ("2" (SIMP) NIL))))) ("3" (SIMP) NIL))))))))))))))))))))))))))))))) (R1B "" (SKOSIMP*) (("" (EXPAND "rhoaB_star") (("" (EXPAND "alphaB") (("" (EXPAND "rhocB") (("" (SIMP) (("" (EXPAND "rhoaB") (("" (SPLIT -) (("1" (LEMMA "issueMatchB") (("1" (INST?) (("1" (INST?) (("1" (SIMP) (("1" (REPLACE 1) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SIMP) (("1" (INST 2 "(LAMBDA (FU: FU_ID[R, U]):(# a:= false, p:= 1, v:= 0, int:= false #))") (("1" (SIMP) NIL))))))))))))))))))))) ("2" (LEMMA "writebMatchB") (("2" (INST?) (("2" (INST?) (("2" (SIMP) (("2" (SKOSIMP*) (("2" (INST?) (("2" (SIMP) NIL))))))))))))) ("3" (LEMMA "retireMatchB") (("3" (INST?) (("3" (INST?) (("3" (SIMP) (("3" (SKOSIMP*) (("3" (INST?) (("3" (SIMP) (("3" (INST 2 "(LAMBDA (FU: FU_ID[R, U]):(# a:= false, p:= 1, v:= 0, int:= false #))") (("3" (SIMP) NIL))))))))))))))))))))))))))))))) (R2B "" (EXPAND "rhoaB_star") (("" (SKOSIMP*) NIL))) (R3B "" (SKOSIMP*) (("" (EXPAND "rhoaB_star") (("" (EXPAND "alphaB") (("" (SIMP) (("" (SPLIT +) (("1" (EXPAND "rhocB") (("1" (SIMP) (("1" (SPLIT -) (("1" (LEMMA "SpecInv_issue[R, U, Z, B]") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (LEMMA "SpecInv_writeb[R, U, Z, B]") (("2" (INST?) (("2" (SIMP) NIL))))) ("3" (LEMMA "SpecInv_retire[R, U, Z, B]") (("3" (INST?) (("3" (SIMP) NIL))))))))))) ("2" (EXPAND "rhoaB") (("2" (SPLIT -) (("1" (LEMMA "SpecInv_issue[R, U, Z, B-1]") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (LEMMA "SpecInv_writeb[R, U, Z, B-1]") (("2" (INST?) (("2" (SIMP) NIL))))) ("3" (LEMMA "SpecInv_retire[R, U, Z, B-1]") (("3" (INST?) 
(("3" (SIMP) NIL))))))))))))))))))) (R4B "" (EXPAND "alphaB") (("" (EXPAND "refMapB") (("" (EXPAND "OC_B") (("" (EXPAND "OA_B") (("" (SKOSIMP*) (("" (SIMP) NIL))))))))))))
$$$Trans2.pvs
Trans2[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Definitions used in Ref2
%
% Next-state functions for the retire, flush and write-back steps, each
% written as a function of the current RF / RAT / ROB / RS components.
% NOTE(review): the field readings used in the comments below (b = busy,
% oc = occupied, al = ROB entry a register is aliased to, p = ROB index)
% are inferred from names such as occ_buffer and busyRAT; the record types
% come from imported theories that are not shown here -- confirm.
BEGIN

  IMPORTING RefMap[R, U, Z, B], SpecInv[R, U, Z, B]

  RF, fRF, rRF, RF_p, fRF_p: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, RAT_p, fRAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p: VAR ROB_TYPE
  RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, pc_p, fpc_p: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p, rnuminst: VAR nat
  FU, FUexec: VAR FU_ID
  S: VAR SLOT_ID
  Sn, Siex: VAR upto[Z]
  r: VAR REG_ID
  rb: VAR ROB_ID
  retire, flushInt, flushBr, flushInt_p, flushBr_p: VAR boolean
  res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE]

  % ---- Retire step: each function is the identity when retire is FALSE ----

  % Clears b for every register whose al field equals head(ROB); al itself
  % is kept.  All other registers are unchanged.
  RAT_retire(RAT, ROB, retire): [REG_ID -> RAT_TYPE] =
    IF NOT retire THEN RAT
    ELSE (LAMBDA r:
            IF al(RAT(r)) = head(ROB)
              THEN (# b := FALSE, al := al(RAT(r)) #)
              ELSE RAT(r)
            ENDIF)
    ENDIF

  % Writes the v field of the head ROB entry into the register named by that
  % entry's t field; every other register keeps its value.
  RF_retire(RF, ROB, retire): [REG_ID -> RF_TYPE] =
    IF NOT retire THEN RF
    ELSE (LAMBDA r:
            IF r = t(robe(ROB)(head(ROB)))
              THEN (# v := v(robe(ROB)(head(ROB))) #)
              ELSE RF(r)
            ENDIF)
    ENDIF

  % Advances head to succ(head), leaves tail alone, marks the old head entry
  % oc := FALSE.  wrap stays set only if it was set and the new head is not 1.
  ROB_retire(ROB, retire): ROB_TYPE =
    IF NOT retire THEN ROB
    ELSE (# head := succ(head(ROB)),
            tail := tail(ROB),
            wrap := wrap(ROB) AND NOT succ(head(ROB)) = 1,
            robe := (LAMBDA rb:
                       IF rb = head(ROB)
                         THEN robe(ROB)(rb) WITH [oc := FALSE]
                         ELSE robe(ROB)(rb)
                       ENDIF) #)
    ENDIF

  % In every occupied slot, an operand j whose p equals head(ROB) and whose
  % state is WRITE_B moves to RETIRED; p, v and pv are copied unchanged.
  RS_retire(RS, ROB, retire): [SLOT_ID -> RS_TYPE] =
    IF NOT retire THEN RS
    ELSE (LAMBDA S:
            IF oc(RS(S))
              THEN RS(S) WITH
                     [ss := (LAMBDA (j: TWO):
                               (# st := IF p(ss(RS(S))(j)) = head(ROB) AND st(ss(RS(S))(j)) = WRITE_B
                                          THEN RETIRED
                                          ELSE st(ss(RS(S))(j))
                                        ENDIF,
                                  p := p(ss(RS(S))(j)),
                                  v := v(ss(RS(S))(j)),
                                  pv := pv(ss(RS(S))(j)) #))]
              ELSE RS(S)
            ENDIF)
    ENDIF

  % ---- Flush step ----

  % If the head entry has int set, RF is returned unchanged; otherwise the
  % head entry's v is written to its target register t, as in RF_retire.
  RF_flush(RF, ROB): [REG_ID -> RF_TYPE] =
    IF int(robe(ROB)(head(ROB))) THEN RF
    ELSE (LAMBDA r:
            IF r = t(robe(ROB)(head(ROB)))
              THEN (# v := v(robe(ROB)(head(ROB))) #)
              ELSE RF(r)
            ENDIF)
    ENDIF

  % Resets every RAT entry to b = FALSE, al = 1.
  RAT_flush: [REG_ID -> RAT_TYPE] = (LAMBDA r: (# b := FALSE, al := 1 #))

  % Resets head and tail to 1, clears wrap, and marks every entry
  % oc := FALSE.  The remaining fields of each entry are left as they were.
  ROB_flush(ROB): ROB_TYPE =
    (# tail := 1,
       head := 1,
       wrap := FALSE,
       robe := (LAMBDA rb: robe(ROB)(rb) WITH [oc := FALSE]) #)

  % Marks every reservation-station slot oc := FALSE.
  RS_flush(RS): [SLOT_ID -> RS_TYPE] = (LAMBDA S: RS(S) WITH [oc := FALSE])

  % Program counter after a flush, read from the head ROB entry:
  % Int_interrupt_addr(...) if int is set, else br_targ if v > 0, else pc + 1.
  % NOTE(review): the v > 0 test is not guarded by type_op = BRANCH in this
  % definition; presumably a flush without int only happens for a branch at
  % the head -- confirm against the caller.
  pc_flush(ROB): PC_RANGE =
    IF int(robe(ROB)(head(ROB)))
      THEN Int_interrupt_addr(pc(robe(ROB)(head(ROB))), type_op(op(robe(ROB)(head(ROB)))))
    ELSIF v(robe(ROB)(head(ROB))) > 0
      THEN br_targ(robe(ROB)(head(ROB)))
    ELSE pc(robe(ROB)(head(ROB))) + 1
    ENDIF

  % ---- Write-back step ----

  % For each buffer rb with occ_buffer(rb, ROB) that some active result
  % (a set, p = rb) points at: b := FALSE, and v / int are taken from
  % res(chooseFU(rb, res)); all other fields are copied.  head, tail and wrap
  % do not change.  The TCC for this definition is discharged in Trans2.prf
  % with lemma chosenFUnonzero.
  ROB_writeb(ROB, res): ROB_TYPE =
    (# head := head(ROB),
       tail := tail(ROB),
       wrap := wrap(ROB),
       robe := (LAMBDA rb:
                  IF occ_buffer(rb, ROB) AND (EXISTS FU: a(res(FU)) AND p(res(FU)) = rb)
                    THEN (# b := FALSE,
                            v := v(res(chooseFU(rb, res))),
                            int := int(res(chooseFU(rb, res))),
                            t := t(robe(ROB)(rb)),
                            pc := pc(robe(ROB)(rb)),
                            op := op(robe(ROB)(rb)),
                            pv := pv(robe(ROB)(rb)),
                            pv_int := pv_int(robe(ROB)(rb)),
                            br_pred := br_pred(robe(ROB)(rb)),
                            br_targ := br_targ(robe(ROB)(rb)),
                            oc := oc(robe(ROB)(rb)),
                            slot := slot(robe(ROB)(rb)) #)
                    ELSE robe(ROB)(rb)
                  ENDIF) #)

  % Keeps the result of a functional unit only while it is active (a) and the
  % ROB entry it names (p) is both oc and b; otherwise the result is replaced
  % by the inactive default (a = FALSE, p = 1, v = 0, int = FALSE).
  res_writeb(ROB, res): [FU_ID -> result_TYPE] =
    (LAMBDA (FU: FU_ID):
       IF a(res(FU)) AND oc(robe(ROB)(p(res(FU)))) AND b(robe(ROB)(p(res(FU))))
         THEN res(FU)
         ELSE (# a := FALSE, p := 1, v := 0, int := FALSE #)
       ENDIF)

  % A slot whose own p matches an active result is released (oc := FALSE).
  % In any other occupied slot, each BUSY operand whose p matches an active
  % result (and is > 0) becomes WRITE_B with v taken from the chosen FU.
  RS_writeb(res, RS): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
       IF (EXISTS FU: a(res(FU)) AND p(res(FU)) = p(RS(S)))
         THEN RS(S) WITH [oc := FALSE]
       ELSIF oc(RS(S))
         THEN (# oc := oc(RS(S)),
                 p := p(RS(S)),
                 op := op(RS(S)),
                 ss := (LAMBDA (j: TWO):
                          IF st(ss(RS(S))(j)) = BUSY
                             AND (EXISTS FU: a(res(FU)) AND p(ss(RS(S))(j)) = p(res(FU)) AND p(ss(RS(S))(j)) > 0)
                            THEN (# st := WRITE_B,
                                    p := p(ss(RS(S))(j)),
                                    v := v (res (chooseFU(p(ss(RS(S))(j)), res))),
                                    pv := pv(ss(RS(S))(j)) #)
                            ELSE ss(RS(S))(j)
                          ENDIF) #)
       ELSE RS(S)
       ENDIF)

END Trans2
$$$Trans2.prf
(|Trans2| (|RAT_flush_TCC1| "" (SIMP) NIL) (|ROB_writeb_TCC1| "" (SKOSIMP*) (("" 
(LEMMA "chosenFUnonzero[R, U, Z, B]") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))) (|RS_writeb_TCC1| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero[R, U, Z, B]") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))))
$$$Trans1.pvs
Trans1[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Next-state functions for the issue, write-back, retire and flush steps.
% The *_iretire / *_iflush / *_iwriteb functions take no retire flag and
% always apply the update; the *_issue functions are the identity when the
% slot argument Sn is 0.
% NOTE(review): the field readings used in the comments below (b = busy,
% oc = occupied, al = ROB entry a register is aliased to, p = ROB index,
% pv = value computed at issue) are inferred from names; the record types
% come from imported theories that are not shown here -- confirm.
BEGIN

  IMPORTING RefMap[R, U, Z, B], SpecInv[R, U, Z, B]

  RF, fRF, rRF, RF_p, fRF_p: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, RAT_p, fRAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p: VAR ROB_TYPE
  RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, pc_p, fpc_p: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p, rnuminst: VAR nat
  FU, FUexec: VAR FU_ID
  S: VAR SLOT_ID
  Sn, Siex: VAR upto[Z]
  r: VAR REG_ID
  rb: VAR ROB_ID
  retire, flushInt, flushBr, flushInt_p, flushBr_p: VAR boolean
  res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE]

  % ---- Retire step ----

  % Clears b for every register whose al field equals head(ROB); al is kept.
  RAT_iretire(RAT, ROB): [REG_ID -> RAT_TYPE] =
    (LAMBDA r:
       IF al(RAT(r)) = head(ROB)
         THEN (# b := FALSE, al := al(RAT(r)) #)
         ELSE RAT(r)
       ENDIF)

  % Writes the head ROB entry's v into the register named by its t field.
  RF_iretire(RF, ROB): [REG_ID -> RF_TYPE] =
    (LAMBDA r:
       IF r = t(robe(ROB)(head(ROB)))
         THEN (# v := v(robe(ROB)(head(ROB))) #)
         ELSE RF(r)
       ENDIF)

  % Advances head to succ(head), leaves tail alone, marks the old head entry
  % oc := FALSE.  wrap stays set only if it was set and the new head is not 1.
  ROB_iretire(ROB): ROB_TYPE =
    (# head := succ(head(ROB)),
       tail := tail(ROB),
       wrap := wrap(ROB) AND NOT succ(head(ROB)) = 1,
       robe := (LAMBDA rb:
                  IF rb = head(ROB)
                    THEN robe(ROB)(rb) WITH [oc := FALSE]
                    ELSE robe(ROB)(rb)
                  ENDIF) #)

  % In every occupied slot, an operand j whose p equals head(ROB) and whose
  % state is WRITE_B moves to RETIRED; p, v and pv are copied unchanged.
  RS_iretire(RS, ROB): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
       IF oc(RS(S))
         THEN RS(S) WITH
                [ss := (LAMBDA (j: TWO):
                          (# st := IF p(ss(RS(S))(j)) = head(ROB) AND st(ss(RS(S))(j)) = WRITE_B
                                     THEN RETIRED
                                     ELSE st(ss(RS(S))(j))
                                   ENDIF,
                             p := p(ss(RS(S))(j)),
                             v := v(ss(RS(S))(j)),
                             pv := pv(ss(RS(S))(j)) #))]
         ELSE RS(S)
       ENDIF)

  % ---- Flush conditions raised by a retire ----

  % An interrupt flush is pending if it already was, or if a retire happens
  % while the head entry has int set.
  flushInt_iretire(retire, flushInt, ROB): boolean =
    flushInt OR (retire AND int(robe(ROB)(head(ROB))))

  % A branch flush is pending if it already was, or if a retire happens with
  % no interrupt flush, the head entry is a BRANCH, and its br_pred differs
  % from the outcome (v > 0) -- EXOR of the two.
  flushBr_iretire(retire, flushBr, flushInt, ROB): boolean =
    flushBr
    OR (retire
        AND NOT flushInt_iretire(retire, flushInt, ROB)
        AND type_op(op(robe(ROB)(head(ROB)))) = BRANCH
        AND EXOR(br_pred(robe(ROB)(head(ROB))), (v(robe(ROB)(head(ROB))) > 0)))

  % ---- Flush step ----

  % Program counter after a flush, read from the head ROB entry:
  % Int_interrupt_addr(...) on an interrupt flush, else br_targ if v > 0,
  % else pc + 1.  The pc parameter itself is not used in the body.
  pc_iflush(pc, ROB, flushInt): PC_RANGE =
    IF flushInt
      THEN Int_interrupt_addr(pc(robe(ROB)(head(ROB))), type_op(op(robe(ROB)(head(ROB)))))
      ELSE IF v(robe(ROB)(head(ROB))) > 0
             THEN br_targ(robe(ROB)(head(ROB)))
             ELSE pc(robe(ROB)(head(ROB))) + 1
           ENDIF
    ENDIF

  % Resets every RAT entry to b = FALSE, al = 1.
  RAT_iflush: [REG_ID -> RAT_TYPE] = (LAMBDA r: (# b := FALSE, al := 1 #))

  % Resets head and tail to 1, clears wrap, and marks every entry
  % oc := FALSE.  The remaining fields of each entry are left as they were.
  ROB_iflush(ROB): ROB_TYPE =
    (# tail := 1,
       head := 1,
       wrap := FALSE,
       robe := (LAMBDA rb: robe(ROB)(rb) WITH [oc := FALSE]) #)

  % Marks every reservation-station slot oc := FALSE.
  RS_iflush(RS): [SLOT_ID -> RS_TYPE] = (LAMBDA S: RS(S) WITH [oc := FALSE])

  % On an interrupt flush RF is unchanged; otherwise the head entry's v is
  % written to its target register t.
  RF_iflush(RF, ROB, flushInt): [REG_ID -> RF_TYPE] =
    IF flushInt THEN RF
    ELSE (LAMBDA r:
            IF r = t(robe(ROB)(head(ROB)))
              THEN (# v := v(robe(ROB)(head(ROB))) #)
              ELSE RF(r)
            ENDIF)
    ENDIF

  % ---- Write-back step ----

  % Result vector when functional unit FUexec executes slot Siex (Siex > 0):
  % that unit gets an active result with p = p(RS(Siex)); every other unit,
  % and every unit when Siex = 0, gets the inactive default.
  %   v   : do_op on the two operand values for a non-branch; for a branch,
  %         1 if branch_act(...) holds and 0 otherwise.
  %   int : int_interrupt(...) at the instruction's pc and issue count.
  res_iwriteb(RS, ROB, numinst, FUexec, Siex): [FU_ID -> result_TYPE] =
    (LAMBDA (FU: FU_ID):
       IF FUexec = FU AND Siex > 0
         THEN (# a := TRUE,
                 p := p(RS(Siex)),
                 v := IF type_op(op(RS(Siex))) /= BRANCH
                        THEN do_op(op(RS(Siex)), v(ss(RS(Siex))(1)), v(ss(RS(Siex))(2)))
                      ELSIF branch_act(pc(robe(ROB)(p(RS(Siex)))), issuedBefore (numinst, ROB, p(RS(Siex))) + 1)
                        THEN 1
                      ELSE 0
                      ENDIF,
                 int := int_interrupt(pc(robe(ROB)(p(RS(Siex)))), issuedBefore(numinst, ROB, p(RS(Siex))) + 1) #)
         ELSE (# a := FALSE, p := 1, v := 0, int := FALSE #)
       ENDIF)

  % For each buffer rb with occ_buffer(rb, ROB) that some active result
  % (a set, p = rb) points at: b := FALSE, and v / int are taken from
  % res(chooseFU(rb, res)); all other fields are copied.  Note the argument
  % order is (res, ROB).  The TCC is discharged in Trans1.prf with lemma
  % chosenFUnonzero.
  ROB_iwriteb(res, ROB): ROB_TYPE =
    (# head := head(ROB),
       tail := tail(ROB),
       wrap := wrap(ROB),
       robe := (LAMBDA rb:
                  IF occ_buffer(rb, ROB) AND (EXISTS FU: a(res(FU)) AND p(res(FU)) = rb)
                    THEN (# b := FALSE,
                            v := v(res(chooseFU(rb, res))),
                            int := int(res(chooseFU(rb, res))),
                            t := t(robe(ROB)(rb)),
                            pc := pc(robe(ROB)(rb)),
                            op := op(robe(ROB)(rb)),
                            pv := pv(robe(ROB)(rb)),
                            pv_int := pv_int(robe(ROB)(rb)),
                            br_pred := br_pred(robe(ROB)(rb)),
                            br_targ := br_targ(robe(ROB)(rb)),
                            oc := oc(robe(ROB)(rb)),
                            slot := slot(robe(ROB)(rb)) #)
                    ELSE robe(ROB)(rb)
                  ENDIF) #)

  % A slot whose own p matches an active result is released (oc := FALSE).
  % In any other occupied slot, each BUSY operand whose p matches an active
  % result (and is > 0) becomes WRITE_B with v taken from the chosen FU.
  RS_iwriteb(res, RS): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
       IF (EXISTS FU: a(res(FU)) AND p(res(FU)) = p(RS(S)))
         THEN RS(S) WITH [oc := FALSE]
       ELSIF oc(RS(S))
         THEN (# oc := oc(RS(S)),
                 p := p(RS(S)),
                 op := op(RS(S)),
                 ss := (LAMBDA (j: TWO):
                          IF st(ss(RS(S))(j)) = BUSY
                             AND (EXISTS FU: a(res(FU)) AND p(ss(RS(S))(j)) = p(res(FU)) AND p(ss(RS(S))(j)) > 0)
                            THEN (# st := WRITE_B,
                                    p := p(ss(RS(S))(j)),
                                    v := v (res (chooseFU(p(ss(RS(S))(j)), res))),
                                    pv := pv(ss(RS(S))(j)) #)
                            ELSE ss(RS(S))(j)
                          ENDIF) #)
       ELSE RS(S)
       ENDIF)

  % ---- Issue step (Sn = 0 leaves the component unchanged) ----

  % Next fetch address: br_target of the instruction at pc when it is a
  % BRANCH and branch_pred(...) holds, otherwise 1 + pc.
  pc_issue(pc, Sn, ROB, numinst): PC_RANGE =
    IF Sn > 0
      THEN IF type_op(op(prog(pc))) = BRANCH AND branch_pred(pc, totalIssued(numinst, ROB) + 1)
             THEN br_target(prog(pc))
             ELSE 1 + pc
           ENDIF
      ELSE pc
    ENDIF

  % The target register of prog(pc) gets b := TRUE and al := tail(ROB).
  % The inner Sn > 0 test is already implied by the outer ELSE branch.
  RAT_issue(RAT, Sn, ROB, pc): [REG_ID -> RAT_TYPE] =
    IF Sn = 0 THEN RAT
    ELSE (LAMBDA r:
            IF Sn > 0 AND r = t(prog(pc))
              THEN (# b := TRUE, al := tail(ROB) #)
              ELSE RAT(r)
            ENDIF)
    ENDIF

  % Fills the entry at tail(ROB) for the instruction at pc and advances tail;
  % wrap becomes set when the new tail is 1.  The new entry records the
  % prediction (br_pred, br_targ) and a pv computed at issue time: for a
  % non-branch, do_op over the operands, each read from the pv of the
  % producing ROB entry when the RAT entry has b set and from RF otherwise;
  % for a branch, 1 if branch_act(...) holds and 0 otherwise.
  ROB_issue(Sn, ROB, RF, RAT, pc, numinst): ROB_TYPE =
    IF Sn = 0 THEN ROB
    ELSE (# head := head(ROB),
            tail := succ(tail(ROB)),
            wrap := wrap(ROB) OR succ(tail(ROB)) = 1,
            robe := (LAMBDA rb:
                       IF rb /= tail(ROB)
                         THEN robe(ROB)(rb)
                         ELSE (# b := TRUE,
                                 v := 0,
                                 op := op(prog(pc)),
                                 int := FALSE,
                                 oc := TRUE,
                                 br_pred := branch_pred(pc, totalIssued(numinst, ROB) + 1),
                                 br_targ := br_target(prog(pc)),
                                 t := t(prog(pc)),
                                 pc := pc,
                                 slot := Sn,
                                 pv := IF type_op(op(prog(pc))) /= BRANCH
                                         THEN do_op (op(prog(pc)),
                                                     IF b(RAT(src(prog(pc))(1)))
                                                       THEN pv (robe(ROB) (al(RAT(src(prog(pc))(1)))))
                                                       ELSE v(RF(src(prog(pc))(1)))
                                                     ENDIF,
                                                     IF b(RAT(src(prog(pc))(2)))
                                                       THEN pv (robe(ROB) (al(RAT(src(prog(pc))(2)))))
                                                       ELSE v(RF(src(prog(pc))(2)))
                                                     ENDIF)
                                       ELSIF branch_act (pc, issuedBefore(numinst, ROB, rb) + 1)
                                         THEN 1
                                       ELSE 0
                                       ENDIF,
                                 pv_int := int_interrupt(pc, issuedBefore(numinst, ROB, rb) + 1) #)
                       ENDIF) #)
    ENDIF

  % Fills slot Sn for the instruction at pc with p := tail(ROB).  For each
  % source operand j: if its RAT entry has b set, the operand points at the
  % producing ROB entry (p := al) and is BUSY while that entry has b set,
  % WRITE_B otherwise; if not, the operand is RETIRED with v and pv both read
  % from RF.  Unlike the other issue functions there is no separate Sn = 0
  % branch; whether Sn = 0 can equal a SLOT_ID is not visible here.
  RS_issue(RS, Sn, RF, RAT, ROB, pc): [SLOT_ID -> RS_TYPE] =
    (LAMBDA S:
       IF S /= Sn
         THEN RS(S)
         ELSE (# oc := TRUE,
                 p := tail(ROB),
                 op := op(prog(pc)),
                 ss := (LAMBDA (j: TWO):
                          IF b(RAT(src(prog(pc))(j)))
                            THEN (# st := IF b (robe(ROB) (al(RAT(src(prog(pc))(j)))))
                                            THEN BUSY
                                            ELSE WRITE_B
                                          ENDIF,
                                    p := al(RAT(src(prog(pc))(j))),
                                    v := v (robe(ROB)(al(RAT(src(prog(pc))(j))))),
                                    pv := pv (robe(ROB) (al(RAT(src(prog(pc))(j))))) #)
                            ELSE (# st := RETIRED,
                                    v := v(RF(src(prog(pc))(j))),
                                    pv := v(RF(src(prog(pc))(j))),
                                    p := al(RAT(src(prog(pc))(j))) #)
                          ENDIF) #)
       ENDIF)

END Trans1
$$$Trans1.prf
(|Trans1| (|RAT_iflush_TCC1| "" (SUBTYPE-TCC) NIL) (|res_iwriteb_TCC1| "" (SUBTYPE-TCC) NIL) (|res_iwriteb_TCC2| "" (SUBTYPE-TCC) NIL) (|res_iwriteb_TCC3| "" (SUBTYPE-TCC) NIL) (|ROB_iwriteb_TCC1| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))) (|RS_iwriteb_TCC1| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))) (|ROB_issue_TCC1| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC2| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC3| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC4| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC5| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC6| "" (SUBTYPE-TCC) NIL) (|ROB_issue_TCC7| "" (SUBTYPE-TCC) NIL))
$$$RefMap.pvs
RefMap[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% Defines the refinement mapping between DES_s(B+1) and DES_f(B+1)
% I.e. 
% between stuttering SPEC(B) and SPEC(B) with one buffer always free
% The variables of SPEC(B) with one buffer always free are prefixed with "f"
%
% NOTE(review): the relation below ranges over pc, RF, RS, RAT, ROB and
% numinst only.  Nothing visible in this theory models timing or any other
% effect of instructions that are later flushed, so the refinement result
% is a statement about these state components, not about side channels.
BEGIN

  IMPORTING Spec[R, U, Z, B]

  RF, fRF, rRF, iRF: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, iRAT: VAR [REG_ID -> RAT_TYPE]
  ROB, fROB, rROB, iROB, wROB: VAR ROB_TYPE
  RS, fRS, rRS, iRS, wRS: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, ipc: VAR posnat
  numinst, fnuminst, rnuminst: VAR nat
  FU: VAR FU_ID
  S: VAR SLOT_ID
  r: VAR REG_ID
  rb: VAR ROB_ID
  flushInt, flushBr, rflushInt, rflushBr, WB, ret, intermediate: VAR boolean
  stutter, stutter_p: VAR upto[2]
  fres_p: VAR [FU_ID -> result_TYPE]

  % Register file compared against fRF by refMapStutter.  It is RF itself
  % unless head(ROB) = tail(ROB) with wrap set and stutter /= 2; in that case
  % the head entry's target register shows the entry's pv, except when the
  % entry has pv_int set.  Only RF, ROB and stutter are used in the body.
  % NOTE(review): OC / OA look like observation functions of the two
  % systems -- confirm against the theory that uses them.
  OC(pc, RF, RS, RAT, ROB, numinst, stutter): [REG_ID -> RF_TYPE] =
    IF NOT (head(ROB) = tail(ROB) AND wrap(ROB)) OR stutter = 2
      THEN RF
      ELSE (LAMBDA r:
              IF r /= t(robe(ROB)(head(ROB))) OR pv_int(robe(ROB)(head(ROB)))
                THEN RF(r)
                ELSE (# v := pv(robe(ROB)(head(ROB))) #)
              ENDIF)
    ENDIF

  % Counterpart of OC on the "f" side: simply fRF.
  OA(fpc, fRF, fRS, fRAT, fROB, fnuminst): [REG_ID -> RF_TYPE] = fRF

  % Relation between a state (pc, RF, RS, RAT, ROB, numinst) and an "f"
  % state.  The first conjunct rules out tail(fROB) = head(fROB) with wrap
  % set, matching the "one buffer always free" description in the header.
  % Two cases follow:
  %   - flushInt OR flushBr: the f-side is in the reset shape produced by a
  %     flush (head = tail = 1, no wrap, nothing oc, no RAT entry with b),
  %     fnuminst = numinst + 1, and fpc / fRF agree with what the head entry
  %     of ROB predicts (pv, pv_int, br_pred, br_targ).
  %   - otherwise: tails agree, heads agree or the f-side is one entry ahead,
  %     and ROB entries, RAT / RF, RS slots and pc are related field by field.
  % intermediate selects which shape of ROB is required wherever the f-side
  % is ahead: succ(tail) = head when TRUE, tail = head with wrap when FALSE.
  refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst,
         flushInt, flushBr, intermediate): boolean =
    (NOT (tail(fROB) = head(fROB) AND wrap(fROB))
     AND
     IF (flushInt OR flushBr)
       THEN (tail(fROB) = 1
             AND head(fROB) = 1
             AND NOT wrap(fROB)
             AND IF intermediate
                   THEN succ(tail(ROB)) = head(ROB)
                   ELSE tail(ROB) = head(ROB) AND wrap(ROB)
                 ENDIF
             AND fnuminst = numinst + 1
             AND (FORALL S: NOT oc(fRS(S)))
             AND (FORALL rb: NOT oc(robe(fROB)(rb)))
             AND (FORALL r: NOT b(fRAT(r)))
             AND IF flushInt
                   % interrupt flush: register file untouched, pc at handler
                   THEN pv_int(robe(ROB)(head(ROB)))
                        AND RF = fRF
                        AND fpc = Int_interrupt_addr(pc(robe(ROB)(head(ROB))),
                                                     type_op (op (robe(ROB)(head(ROB)))))
                   % branch flush: head is a branch whose prediction differs
                   % from pv > 0; its pv is already visible in fRF
                   ELSE EXOR(br_pred(robe(ROB)(head(ROB))), (pv(robe(ROB)(head(ROB))) > 0))
                        AND type_op(op(robe(ROB)(head(ROB)))) = BRANCH
                        AND NOT pv_int(robe(ROB)(head(ROB)))
                        AND fRF = (LAMBDA r:
                                     IF r /= t(robe(ROB)(head(ROB)))
                                       THEN RF(r)
                                       ELSE (# v := pv(robe(ROB)(head(ROB))) #)
                                     ENDIF)
                        AND fpc = IF pv(robe(ROB)(head(ROB))) > 0
                                    THEN br_targ(robe(ROB)(head(ROB)))
                                    ELSE pc(robe(ROB)(head(ROB))) + 1
                                  ENDIF
                 ENDIF)
       ELSE tail(ROB) = tail(fROB)
            AND (head(fROB) = head(ROB)
                 OR (head(fROB) = succ(head(ROB))
                     AND IF intermediate
                           THEN succ(tail(ROB)) = head(ROB)
                           ELSE tail(ROB) = head(ROB) AND wrap(ROB)
                         ENDIF))
            % ROB entries
            AND (FORALL rb:
                   IF oc(robe(fROB)(rb))
                     THEN oc(robe(ROB)(rb))
                          AND IF NOT b(robe(ROB)(rb))
                                THEN NOT b(robe(fROB)(rb))
                                     AND v(robe(ROB)(rb)) = v(robe(fROB)(rb))
                                     AND int(robe(ROB)(rb)) = int(robe(fROB)(rb))
                                ELSE (NOT b(robe(fROB)(rb))
                                      IMPLIES rb = head(ROB)
                                              AND IF intermediate
                                                    THEN succ(tail(ROB)) = head(ROB)
                                                    ELSE tail(ROB) = head(ROB) AND wrap(ROB)
                                                  ENDIF)
                              ENDIF
                          AND op(robe(ROB)(rb)) = op(robe(fROB)(rb))
                          AND br_pred(robe(ROB)(rb)) = br_pred(robe(fROB)(rb))
                          AND br_targ(robe(ROB)(rb)) = br_targ(robe(fROB)(rb))
                          AND slot(robe(ROB)(rb)) = slot(robe(fROB)(rb))
                          AND t(robe(ROB)(rb)) = t(robe(fROB)(rb))
                          AND pc(robe(ROB)(rb)) = pc(robe(fROB)(rb))
                          AND pv(robe(ROB)(rb)) = pv(robe(fROB)(rb))
                          AND pv_int(robe(ROB)(rb)) = pv_int(robe(fROB)(rb))
                     ELSE (NOT (flushInt OR flushBr) AND oc(robe(ROB)(rb)))
                          IMPLIES (rb = head(ROB)
                                   AND NOT pv_int(robe(ROB)(head(ROB)))
                                   AND NOT (type_op(op(robe(ROB)(head(ROB)))) = BRANCH
                                            AND EXOR(br_pred(robe(ROB)(head(ROB))), (pv(robe(ROB)(head(ROB))) > 0)))
                                   AND (t(robe(ROB)(rb)) > 0 IMPLIES pv(robe(ROB)(rb)) = v(fRF(t(robe(ROB)(rb))))))
                   ENDIF)
            % register file, RAT and instruction count
            AND IF head(ROB) = head(fROB)
                  THEN RF = fRF
                       AND (FORALL r: IF b(RAT(r)) THEN RAT(r) = fRAT(r) ELSE NOT b(fRAT(r)) ENDIF)
                       AND numinst = fnuminst
                  ELSE (FORALL r:
                          IF r = t(robe(ROB)(head(ROB))) AND oc(robe(ROB)(head(ROB)))
                            THEN IF al(RAT(r)) = head(ROB)
                                   THEN NOT b(fRAT(r))
                                   ELSE RAT(r) = fRAT(r)
                                 ENDIF
                                 AND v(fRF(r)) = pv(robe(ROB)(head(ROB)))
                            ELSE IF b(RAT(r)) THEN RAT(r) = fRAT(r) ELSE NOT b(fRAT(r)) ENDIF
                                 AND RF(r) = fRF(r)
                          ENDIF)
                       AND fnuminst = numinst + 1
                ENDIF
            % reservation-station slots
            AND (FORALL S:
                   IF oc(fRS(S))
                     THEN oc(RS(S))
                          AND p(RS(S)) = p(fRS(S))
                          AND op(RS(S)) = op(fRS(S))
                          AND (FORALL (j: TWO):
                                 IF st(ss(RS(S))(j)) = BUSY
                                   THEN IF st(ss(fRS(S))(j)) = BUSY
                                          THEN p(ss(RS(S))(j)) = p(ss(fRS(S))(j))
                                               AND pv(ss(RS(S))(j)) = pv(ss(fRS(S))(j))
                                          ELSE v(ss(fRS(S))(j)) = pv(ss(RS(S))(j))
                                        ENDIF
                                   ELSE st(ss(fRS(S))(j)) /= BUSY
                                        AND v(ss(RS(S))(j)) = v(ss(fRS(S))(j))
                                 ENDIF)
                     ELSE oc(RS(S))
                          IMPLIES p(RS(S)) = head(ROB)
                                  AND IF intermediate
                                        THEN succ(tail(ROB)) = head(ROB)
                                        ELSE tail(ROB) = head(ROB) AND wrap(ROB)
                                      ENDIF
                   ENDIF)
            AND pc = fpc
     ENDIF)

  % refMap extended with a stutter counter (0, 1 or 2).
  %   stutter = 0 : plain refMap.
  %   stutter = 1 : head(ROB) = tail(ROB) with wrap set, and the f-state can
  %                 take one rho_issue step to a state related by refMap.
  %   stutter = 2 : same ROB condition, and the f-state can take a rho_retire
  %                 step followed by a rho_issue step to such a state.
  % In every case OC(...) = fRF must hold as well.
  refMapStutter(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB,
                fnuminst, flushInt, flushBr, intermediate, stutter): boolean =
    IF stutter = 0
      THEN refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, intermediate)
      ELSE (head(ROB) = tail(ROB) AND wrap(ROB))
           AND IF stutter = 1
                 THEN (EXISTS (ipc, iRS, iRAT, iROB):
                         rho_issue(fpc, fRF, fRS, fRAT, fROB, fnuminst, ipc, fRF, iRS, iRAT, iROB, fnuminst)
                         AND refMap(pc, RF, RS, RAT, ROB, numinst, ipc, fRF, iRS, iRAT, iROB, fnuminst, flushInt, flushBr, FALSE))
                 ELSE (EXISTS (rpc, rRS, rRF, rROB, rRAT, rnuminst, rflushInt, rflushBr):
                         rho_retire(fpc, fRF, fRS, fRAT, fROB, fnuminst, rpc, rRF, rRS, rRAT, rROB, rnuminst)
                         AND (succ(head(ROB)) = head(rROB) OR rflushInt OR rflushBr)
                         AND (EXISTS (ipc, iRS, iRAT, iROB):
                                rho_issue(rpc, rRF, rRS, rRAT, rROB, rnuminst, ipc, rRF, iRS, iRAT, iROB, rnuminst)
                                AND refMap(pc, RF, RS, RAT, ROB, numinst, ipc, rRF, iRS, iRAT, iROB, rnuminst, rflushInt, rflushBr, FALSE)))
               ENDIF
    ENDIF
    AND OC(pc, RF, RS, RAT, ROB, numinst, stutter) = fRF

END RefMap
$$$RefMap.prf
(|RefMap| (|refMap_TCC1| "" (SUBTYPE-TCC) NIL))
$$$Ref1.pvs
Ref1[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY
% The three theories Ref1, Ref2 and Ref3 prove that DES_s(B'+1) refines DES_f(B'+1)
% In this file we define theories used to show that every dispatch in
% stuttering DES(B'+1) is matched with some transitions in DES_f
% The variables of DES_f are prefixed with "f", "e", "w", "r" or "i"
BEGIN

  IMPORTING RefMap[R, U, Z, B], SpecInv[R, U, Z, B], Trans1[R, U, Z, B]

  RF, fRF, rRF, RF_p, fRF_p, iRF: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, RAT_p, fRAT_p, iRAT: VAR [REG_ID -> 
RAT_TYPE]
  ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p, iROB: VAR ROB_TYPE
  RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p, iRS: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, pc_p, fpc_p, ipc: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p, rnuminst: VAR nat
  FU, FUexec: VAR FU_ID
  S: VAR SLOT_ID
  Sn, Siex: VAR upto[Z]
  r: VAR REG_ID
  rb: VAR ROB_ID
  retire, flushInt, flushBr, flushInt_p, flushBr_p, rflushInt, rflushBr: VAR boolean
  res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE]

  % All five lemmas share the same four hypotheses: a rho_issue step from
  % the unprimed state to the "_p" state, refMap between the unprimed state
  % and the "f" state (with intermediate = FALSE), and SpecInv on both.

  % If a flush is pending (flushInt OR flushBr), the issue step does not
  % move the tail of the ROB.
  issueNoFlush: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES tail(ROB) = tail(ROB_p) OR NOT (flushInt OR flushBr)

  % When the issue step makes tail meet head (tail /= head before,
  % tail = head after), the f-side has a rho_writeb step that changes only
  % RS and ROB, keeps refMap (now with intermediate = TRUE) and SpecInv, and
  % leaves the head entry of the resulting wROB with b cleared.
  issueWB: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    AND tail(ROB) /= head(ROB)
    AND tail(ROB_p) = head(ROB_p)
    IMPLIES
      (EXISTS (fres_p, wRS, wROB):
         rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc, fRF, wRS, fRAT, wROB, fnuminst, fres_p)
         AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, wRS, fRAT, wROB, fnuminst, flushInt, flushBr, TRUE)
         AND head(ROB) = head(wROB)
         AND NOT b(robe(wROB)(head(wROB)))
         AND SpecInv(fRF, wRS, fRAT, wROB, fnuminst))

  % Same hypotheses and write-back step as issueWB, extended with a
  % following rho_retire step on the f-side that again keeps refMap
  % (intermediate = TRUE) and SpecInv; after it either the f-side head is
  % succ(head(ROB)) or a flush flag is raised.
  issueRetire: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    AND tail(ROB) /= head(ROB)
    AND tail(ROB_p) = head(ROB_p)
    IMPLIES
      (EXISTS (fres_p, wRS, wROB):
         rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc, fRF, wRS, fRAT, wROB, fnuminst, fres_p)
         AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, wRS, fRAT, wROB, fnuminst, flushInt, flushBr, TRUE)
         AND head(ROB) = head(wROB)
         AND NOT b(robe(wROB)(head(wROB)))
         AND SpecInv(fRF, wRS, fRAT, wROB, fnuminst)
         AND (EXISTS (rRS, rROB, rRAT, rRF, rnuminst, rpc, rflushInt, rflushBr):
                rho_retire(fpc, fRF, wRS, fRAT, wROB, fnuminst, rpc, rRF, rRS, rRAT, rROB, rnuminst)
                AND refMap(pc, RF, RS, RAT, ROB, numinst, rpc, rRF, rRS, rRAT, rROB, rnuminst, rflushInt, rflushBr, TRUE)
                AND (succ(head(ROB)) = head(rROB) OR rflushInt OR rflushBr)
                AND SpecInv(rRF, rRS, rRAT, rROB, rnuminst)))

  % The issue step that makes tail meet head is matched on the f-side by
  % three steps in sequence -- rho_writeb, rho_retire, rho_issue -- after
  % which refMap holds between the "_p" state and the final f-side state
  % (intermediate = FALSE).
  issueMatchFull: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    AND tail(ROB_p) = head(ROB_p)
    AND NOT tail(ROB) = head(ROB)
    IMPLIES
      (EXISTS (fres_p, wRS, wROB):
         rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc, fRF, wRS, fRAT, wROB, fnuminst, fres_p)
         AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, wRS, fRAT, wROB, fnuminst, flushInt, flushBr, TRUE)
         AND head(ROB) = head(wROB)
         AND NOT b(robe(wROB)(head(wROB)))
         AND SpecInv(fRF, wRS, fRAT, wROB, fnuminst)
         AND (EXISTS (rRS, rROB, rRAT, rRF, rnuminst, rpc, rflushInt, rflushBr):
                rho_retire(fpc, fRF, wRS, fRAT, wROB, fnuminst, rpc, rRF, rRS, rRAT, rROB, rnuminst)
                AND refMap(pc, RF, RS, RAT, ROB, numinst, rpc, rRF, rRS, rRAT, rROB, rnuminst, rflushInt, rflushBr, TRUE)
                AND (succ(head(ROB)) = head(rROB) OR rflushInt OR rflushBr)
                AND SpecInv(rRF, rRS, rRAT, rROB, rnuminst)
                AND (EXISTS ipc, iRS, iRAT, iROB:
                       rho_issue(rpc, rRF, rRS, rRAT, rROB, rnuminst, ipc, rRF, iRS, iRAT, iROB, rnuminst)
                       AND refMap(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, ipc, rRF, iRS, iRAT, iROB, rnuminst, rflushInt, rflushBr, FALSE))))

  % In every other case (the issue step does not newly make tail meet head)
  % a single rho_issue step on the f-side re-establishes refMap between the
  % "_p" state and the new f-side state.
  issueMatchNotFull: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    AND NOT (tail(ROB_p) = head(ROB_p) AND NOT tail(ROB) = head(ROB))
    IMPLIES
      (EXISTS (fpc_p, fRS_p, fRAT_p, fROB_p):
         rho_issue(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF, fRS_p, fRAT_p, fROB_p, fnuminst)
         AND refMap(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, fpc_p, fRF, fRS_p, fRAT_p, fROB_p, fnuminst, flushInt, flushBr, FALSE))

END Ref1
$$$Ref1.prf
(|Ref1| (|issueNoFlush| "" (SKOSIMP*) (("" (EXPAND "rho_issue") (("" (EXPAND "refMap") (("" (SKOSIMP*) (("" (REPLACE*) (("" (SIMP) (("" (EXPAND "dispatch") (("" (NEW-SPLIT-IF) NIL))))))))))))))) (|issueWB| "" (SKOSIMP*) (("" (LEMMA "issueNoFlush") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (HIDE -2) (("" (REVEAL -1) (("" (EXPAND "rho_issue") (("" (SKOSIMP*) (("" (REPLACE -6 :HIDE? T) (("" (SIMP) (("" (HIDE -3 -4 -5 -6) (("" (NEW-SPLIT-IF -) (("" (EXPAND "dispatch") (("" (CASE "not oc(robe(fROB!1)(head(fROB!1)))") (("1" (EXPAND "SpecInv" -6) (("1" (EXPAND "freeHeadROBempty") (("1" (SIMP) (("1" (EXPAND "refMap" -) (("1" (SIMP) NIL))))))))) ("2" (CASE "not b(robe(fROB!1)(head(fROB!1)))") (("1" (INST 6 "(lambda FU: (# a:= false, p:= 1, v:= 0, int:= false #))" "fRS!1" "fROB!1") (("1" (CASE "not rho_writeb(fpc!1, fRF!1, fRS!1, fRAT!1, fROB!1, fnuminst!1, fpc!1, fRF!1, fRS!1, fRAT!1, fROB!1, fnuminst!1, (LAMBDA FU: (# a := FALSE, p := 1, v := 0, int := FALSE #)))") (("1" (HIDE 7) (("1" (EXPAND "rho_writeb") (("1" (INST 1 "(lambda FU : false)" "(lambda FU : Z)") (("1" (SIMP) (("1" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (NEW-SPLIT-IF) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? 
T) NIL))))))))))))))))) ("2" (SIMP) (("2" (EXPAND "refMap") (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL) ("3" (SIMP) NIL) ("4" (SKOSIMP*) (("4" (INST?) (("4" (SPLIT-ALL) NIL))))) ("5" (SIMP) NIL) ("6" (SIMP) NIL) ("7" (SKOSIMP*) (("7" (INST? -10) (("7" (NEW-SPLIT-IF) NIL))))) ("8" (SIMP) NIL) ("9" (SIMP) NIL))))))))))) ("2" (CASE "not (exists (wres : [FU_ID -> result_TYPE]): wres = res_iwriteb(fRS!1, fROB!1, fnuminst!1, fu_table(op(fRS!1(slot(robe(fROB!1)(head(fROB!1)))))), slot(robe(fROB!1)(head(fROB!1)))))") (("1" (INST 1 "res_iwriteb(fRS!1, fROB!1, fnuminst!1, fu_table(op(fRS!1(slot(robe(fROB!1)(head(fROB!1)))))), slot(robe(fROB!1)(head(fROB!1))))") (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (CASE "not (exists (wRS : [SLOT_ID -> RS_TYPE] ): wRS = RS_iwriteb(wres!1, fRS!1))") (("1" (INST 1 "RS_iwriteb(wres!1, fRS!1)") NIL) ("2" (CASE "not (exists (wROB : ROB_TYPE): wROB = ROB_iwriteb(wres!1, fROB!1))") (("1" (INST 1 "ROB_iwriteb(wres!1, fROB!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 5 "wres!1" "wRS!1" "wROB!1") (("2" (CASE "not rho_writeb(fpc!1, fRF!1, fRS!1, fRAT!1, fROB!1, fnuminst!1, fpc!1, fRF!1, wRS!1, fRAT!1, wROB!1, fnuminst!1, wres!1)") (("1" (HIDE 6) (("1" (EXPAND " rho_writeb") (("1" (INST 1 "(lambda FU : if FU = fu_table(op(fRS!1(slot(robe(fROB!1)(head(fROB!1)))))) then true else false endif)" "(lambda FU : slot(robe(fROB!1)(head(fROB!1))))") (("1" (SIMP) (("1" (SPLIT +) (("1" (SKOSIMP*) (("1" (EXPAND "enabled") (("1" (EXPAND "can_execute") (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "SpecInv" -12) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -) (("1" (SIMP) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (EXPAND "occRSops") (("1" (INST?) (("1" (SIMP) (("1" (EXPAND "preceed") (("1" (PROPAX) NIL))))))))))))))))))))))))))))))) ("2" (HIDE -1 -2) (("2" (REPLACE*) (("2" (EXP-TRANS) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? 
T) (("2" (HIDE -1) (("2" (NEW-SPLIT-IF) NIL))))))))))) ("3" (REPLACE -1) (("3" (EXP-TRANS +) NIL))) ("4" (REPLACE -2) (("4" (EXP-TRANS +) NIL))))))))))))) ("2" (SIMP) (("2" (LEMMA "writeb_prop") (("2" (INST?) (("2" (SIMP) (("2" (SPLIT +) (("1" (EXPAND "SpecInv" -13) (("1" (SIMP) (("1" (EXPAND "refMap") (("1" (CASE "not ((NOT (tail(wROB!1) = head(wROB!1) AND wrap(wROB!1)) AND tail(ROB!1) = tail(wROB!1) AND (head(wROB!1) = head(ROB!1) OR head(wROB!1) = succ(head(ROB!1)))))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS +) NIL))))) ("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL) ("3" (SIMP) NIL) ("4" (SKOSIMP*) (("4" (INST -15 "rb!1") (("4" (HIDE -7) (("4" (REPLACE*) (("4" (EXP-TRANS +) (("4" (EXPAND "occEqual") (("4" (SIMP) (("4" (INST? -23) (("4" (SIMP) (("4" (SPLIT +) (("1" (SIMP) (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (EXPAND "wb_prop") (("1" (EXPAND "activeRes") (("1" (SIMP) (("1" (INST?) (("1" (SIMP) (("1" (REPLACE*) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (REVEAL -3) (("1" (REP-EXP -1 (-3 -4)) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -49) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))))) ("2" (NEW-SPLIT-IF) NIL))))))) ("2" (SIMP) NIL))))))))))))))))))))) ("5" (REP-PLUS) NIL) ("6" (SIMP) (("6" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) (("1" (INST? -17) (("1" (REP-EXP -5 (-2)) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -) NIL))))))))))) ("2" (REP-EXP -5 (-2)) (("2" (EXPAND "succ") (("2" (SPLIT-IF -) NIL))))))))) ("7" (SKOSIMP*) (("7" (REPLACE -6) (("7" (EXP-TRANS +) (("7" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (INST? -22) (("1" (REP-EXP -10 (-2 -1)) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -38) (("1" (SIMP) NIL))))))))))))))))))))))) ("2" (INST? -19) (("2" (SPLIT +) (("1" (SIMP) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST? 
-23) (("1" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (EXPAND "wb_prop") (("1" (EXPAND "resPredCorrect") (("1" (SIMP) (("1" (INST? -13) (("1" (SIMP) (("1" (EXPAND "chosenFUunique") (("1" (INST?) (("1" (SIMP) (("1" (INST?) (("1" (REPLACE -6 :DIR RL) (("1" (SIMP) (("1" (REPLACE -12 :HIDE? T) (("1" (REPLACE -12) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (REP-EXP -17 (-5 -6)) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (EXPAND "PVopMatchRS_ROB") (("1" (INST? -45) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("2" (CASE "st(ss(fRS!1(S!1))(j!1)) = BUSY") (("1" (PROPAX) NIL) ("2" (SIMP) NIL))))))))))))))) ("2" (SIMP) NIL))))))))))))) ("8" (SIMP) NIL))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (EXPAND "refMap") (("2" (SIMP) NIL))))))) ("3" (REP-EXP -4 (-1)) (("3" (REDUCE-IF) (("3" (EXPAND "SpecInv" -14) (("3" (EXPAND "occEqual") (("3" (SIMP) (("3" (INST? -16) (("3" (SIMP) (("3" (REP-PLUS) (("3" (EXP-TRANS +) (("3" (INSTBEST) (("3" (SIMP) (("3" (EXPAND "ROBslotMatchRS") (("3" (SIMP) (("3" (INST? -) (("3" (INST? -) (("3" (SIMP) NIL))))))))))))))))))))))))))))))) ("4" (LEMMA "SpecInv_writeb") (("4" (INST?) (("4" (SIMP) NIL))))))))))))))))))))))))))) ("3" (SIMP) NIL))))))))))))))))))))))))))))))))))) (|issueRetire| "" (SKOSIMP*) (("" (LEMMA "issueWB") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (SKOSIMP*) (("" (INST?) (("" (SIMP) (("" (LEMMA "issueNoFlush") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (SPLIT -) (("1" (EXPAND "rho_issue") (("1" (SKOSIMP*) (("1" (REPLACE*) (("1" (SIMP) (("1" (NEW-SPLIT-IF) NIL))))))))) ("2" (HIDE -1 -6 -8) (("2" (HIDE -4) (("2" (REVEAL -1) (("2" (EXPAND "rho_issue") (("2" (SKOSIMP*) (("2" (EXPAND "dispatch") (("2" (CASE "not oc(robe(wROB!1)(head(wROB!1)))") (("1" (EXPAND "SpecInv" -10) (("1" (REPLACE -6 :HIDE? T) (("1" (SIMP) (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? 
-) (("1" (SIMP) (("1" (EXPAND "occ_buffer" +) (("1" (NEW-SPLIT-IF) (("1" (EXPAND "wrapWraps") (("1" (SIMP) (("1" (EXPAND "refMap" -) (("1" (PROPAX) NIL))))))))))))))))))))))))))) ("2" (CASE "not (exists (rflushInt : bool): rflushInt = flushInt_iretire(true, flushInt!1, wROB!1))") (("1" (INST 1 "flushInt_iretire(TRUE, flushInt!1, wROB!1)") NIL) ("2" (CASE "not (exists (rflushBr :bool) : rflushBr = flushBr_iretire(true, flushBr!1, flushInt!1, wROB!1))") (("1" (INST 1 "flushBr_iretire(TRUE, flushBr!1, flushInt!1, wROB!1)") NIL) ("2" (SKOSIMP*) (("2" (CASE "rflushInt!1 or rflushBr!1") (("1" (INST 5 "RS_iflush(wRS!1)" "ROB_iflush(wROB!1)" "RAT_iflush" "RF_iflush(fRF!1, wROB!1, rflushInt!1)" "fnuminst!1 + 1" "pc_iflush(fpc!1, wROB!1, rflushInt!1)" "rflushInt!1" "rflushBr!1") (("1" (CASE "not rho_retire(fpc!1, fRF!1, wRS!1, fRAT!1, wROB!1, fnuminst!1, pc_iflush(fpc!1, wROB!1, rflushInt!1), RF_iflush(fRF!1, wROB!1, rflushInt!1), RS_iflush(wRS!1), RAT_iflush, ROB_iflush(wROB!1), fnuminst!1 + 1)") (("1" (HIDE 6) (("1" (EXPAND "rho_retire") (("1" (INST 1 "true") (("1" (HIDE -8 -7 -11) (("1" (REPLACE -8 :HIDE? T) (("1" (SIMP) (("1" (EXPAND "can_retire") (("1" (EXPAND " SpecInv" -10) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -12) (("1" (SIMP) (("1" (SPLIT +) (("1" (SIMP) (("1" (REP-PLUS -1) (("1" (EXP-TRANS -1) (("1" (SIMP) NIL))))))) ("2" (SIMP) (("2" (APPLY (THEN (SPLIT +) (REP-PLUS) (EXP-TRANS +))) NIL))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (HIDE -8 -9 -12) (("2" (REPLACE -9 :HIDE? T) (("2" (SIMP) (("2" (HIDE -1) (("2" (SPLIT +) (("1" (SPLIT-IF -12) (("1" (EXPAND "refMap") (("1" (SPLIT +) (("1" (REP-PLUS -1) (("1" (EXP-TRANS -1 -2) NIL))) ("2" (SIMP) (("2" (CASE "not (tail(ROB_iflush(wROB!1)) = 1 AND head(ROB_iflush(wROB!1)) = 1 AND NOT wrap(ROB_iflush(wROB!1)))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS 1) NIL))))) ("2" (SIMP) (("2" (EXP-TRANS (-1 -2 1 2)) (("2" (EXPAND "SpecInv") (("2" (EXPAND "ROBpredCorrect") (("2" (SIMP) (("2" (INST? 
-14) (("2" (INST? -46) (("2" (EXPAND "freeHeadROBempty") (("2" (SIMP) (("2" (SPLIT -14) (("1" (SIMP) (("1" (SIMP) (("1" (EXP-TRANS -10) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (EXP-TRANS -9) (("2" (EXP-TRANS -9) (("2" (SIMP) (("2" (SIMP) (("2" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) NIL))) ("2" (SPLIT-IF) NIL))))))))))))))))))) ("2" (SIMP) (("2" (EXP-TRANS (-8 -9)) (("2" (EXP-TRANS -8) (("2" (INST? -38) (("2" (SIMP) (("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (SIMP) (("2" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) NIL))) ("2" (SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))) ("3" (SIMP) NIL))))))) ("2" (EXP-TRANS +) (("2" (NEW-SPLIT-IF -) NIL))) ("3" (REVEAL -1) (("3" (LEMMA "SpecInv_retire") (("3" (INST?) (("3" (SIMP) NIL))))))))))))))))))))))) ("2" (CASE "not (exists (rRS : [SLOT_ID -> RS_TYPE]): rRS = RS_iretire(wRS!1, wROB!1))") (("1" (INST 1 "RS_iretire(wRS!1, wROB!1)") NIL) ("2" (CASE "not (exists (rROB : ROB_TYPE): rROB = ROB_iretire(wROB!1))") (("1" (INST 1 "ROB_iretire(wROB!1)") NIL) ("2" (CASE "not (exists (rRAT : [REG_ID -> RAT_TYPE] ): rRAT = RAT_iretire(fRAT!1, wROB!1))") (("1" (INST 1 "RAT_iretire(fRAT!1, wROB!1)") NIL) ("2" (SKOSIMP*) (("2" (CASE "not (exists (rRF : [REG_ID -> RF_TYPE]): rRF = RF_iretire(fRF!1, wROB!1))") (("1" (INST 1 "RF_iretire(fRF!1, wROB!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 7 "rRS!1" "rROB!1" "rRAT!1" "rRF!1" "fnuminst!1 +1" "fpc!1" "rflushInt!1" "rflushBr!1") (("2" (CASE "not rho_retire(fpc!1, fRF!1, wRS!1, fRAT!1, wROB!1, fnuminst!1, fpc!1, rRF!1, rRS!1, rRAT!1, rROB!1, fnuminst!1 + 1)") (("1" (HIDE 8) (("1" (EXPAND "rho_retire") (("1" (INST 1 "true") (("1" (EXPAND "can_retire") (("1" (EXPAND "SpecInv" -17) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? 
-17) (("1" (SIMP) (("1" (HIDE -8 -9 -10 -11 -12) (("1" (SPLIT +) (("1" (SIMP) (("1" (APPLY (THEN (SPLIT 3) (REP-PLUS) (EXP-TRANS +))) NIL))) ("2" (SIMP) (("2" (HIDE 1) (("2" (EXP-TRANS +) (("2" (SPLIT -) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL))))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (HIDE -9 -10 -11 -12 -13) (("2" (SPLIT +) (("1" (EXPAND "refMap") (("1" (SIMP) (("1" (CASE "not ((NOT (tail(rROB!1) = head(rROB!1) AND wrap(rROB!1)) AND tail(ROB!1) = tail(rROB!1) AND (head(rROB!1) = head(ROB!1) OR (head(rROB!1) = succ(head(ROB!1)) AND succ(tail(ROB!1)) = head(ROB!1)))))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS 1) (("1" (SPLIT +) (("1" (SIMP) (("1" (EXPAND "succ" -) (("1" (EXPAND "SpecInv" -19) (("1" (EXPAND "wrapWraps") (("1" (SPLIT-IF -) NIL))))))))) ("2" (SIMP) (("2" (REVEAL -4) (("2" (REPLACE -1 :HIDE? T) (("2" (SIMP) (("2" (NEW-SPLIT-IF -) NIL))))))))))))))))) ("2" (SPLIT +) (("1" (SIMP) NIL) ("2" (SIMP) NIL) ("3" (SIMP) NIL) ("4" (SKOSIMP*) (("4" (INST -12 "rb!1") (("4" (REP-PLUS) (("4" (EXPAND "SpecInv" -19) (("4" (EXPAND "ROBpredCorrect") (("4" (SIMP) (("4" (INST? -28) (("4" (SIMP) (("4" (REP-PLUS) (("4" (EXP-TRANS 1) (("4" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (EXP-TRANS +) (("1" (SIMP) (("1" (EXPAND "SpecInv") (("1" (EXPAND "ROBpredCorrect") (("1" (SIMP) (("1" (INST? -47) (("1" (SIMP) (("1" (SPLIT -15) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SIMP) (("2" (SIMP) NIL))))))))))))))))))))) ("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))) ("5" (REP-PLUS) (("5" (EXP-TRANS -1) (("5" (EXPAND "succ" -) (("5" (NEW-SPLIT-IF -) NIL))))))) ("6" (SIMP) (("6" (SKOSIMP*) (("6" (REP-PLUS) (("6" (EXP-TRANS +) (("6" (REPLACE*) (("6" (INST? -15) (("6" (SPLIT 2) (("1" (SIMP) (("1" (SPLIT +) (("1" (EXPAND "SpecInv") (("1" (EXPAND "occBuffBusyRAT") (("1" (SIMP) (("1" (REDUCE-IF) (("1" (INST? -45) (("1" (SIMP) NIL))))))))))) ("2" (SIMP) (("2" (EXPAND "SpecInv") (("2" (EXPAND "occBuffBusyRAT") (("2" (SIMP) (("2" (INST? 
-43) (("2" (SIMP) (("2" (SPLIT-IF) NIL))))))))))))) ("3" (EXPAND "SpecInv") (("3" (EXPAND "ROBpredCorrect") (("3" (SIMP) (("3" (INST? -31) (("3" (SIMP) (("3" (INST? -15) (("3" (SIMP) (("3" (SPLIT-IF) NIL))))))))))))))))))) ("2" (SIMP) (("2" (SPLIT 2) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST? -44) (("1" (SIMP) (("1" (SIMP) NIL))))))))))))))) ("2" (SIMP) NIL) ("3" (SPLIT-IF) (("3" (INST? -14) (("3" (SIMP) (("3" (SIMP) NIL))))))))))))))))))))))))) ("7" (SKOSIMP*) (("7" (REP-PLUS 1) (("7" (EXP-TRANS 1) (("7" (INST? -16) (("7" (SPLIT +) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST? -20) (("1" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) NIL))))))))))))))) ("2" (SIMP) (("2" (SPLIT-IF) (("2" (SIMP) NIL))))))))))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) NIL))) ("3" (LEMMA "SpecInv_retire") (("3" (INST?) (("3" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|issueMatchFull| "" (SKOSIMP*) (("" (LEMMA "issueRetire") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (SKOSIMP*) (("" (INST?) (("" (SIMP) (("" (INST 3 "rRS!1" "rROB!1" "rRAT!1" "rRF!1" "rnuminst!1" "rpc!1" "rflushInt!1" "rflushBr!1") (("" (SIMP) (("" (LEMMA "issueNoFlush") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (HIDE -2 -3 -4 -5 -6 -11 -13) (("" (HIDE -5) (("" (REVEAL -1) (("" (EXPAND "rho_issue" -) (("" (SKOSIMP*) (("" (SPLIT -8) (("1" (REPLACE*) (("1" (SIMP) NIL))) ("2" (EXPAND "dispatch") (("2" (CASE "rflushInt!1 or rflushBr!1") (("1" (SIMP) (("1" (SPLIT +) (("1" (PROPAX) NIL) ("2" (INST 1 "rpc!1" "rRS!1" "rRAT!1" "rROB!1") (("2" (SPLIT +) (("1" (EXPAND "rho_issue") (("1" (INST 1 "0") (("1" (SIMP) (("1" (APPLY (THEN (SPLIT +) (APPLY-EXTENSIONALITY 1 :HIDE? T))) NIL))))))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (SPLIT +) (("1" (PROPAX) NIL) ("2" (SIMP) (("2" (SPLIT -10) (("1" (SIMP) (("1" (SPLIT +) (("1" (REPLACE -17 :HIDE? 
T) (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (EXPAND "SpecInv" -19) (("1" (EXPAND "wrapWraps") (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -) NIL))))))))))))) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL) ("4" (PROPAX) NIL) ("5" (SIMP) (("5" (REP-PLUS) NIL))) ("6" (SIMP) (("6" (REP-PLUS) (("6" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("6" (SPLIT-ALL) NIL))))))))))) ("2" (SIMP) NIL))))) ("3" (SIMP) NIL))))))))))))))) ("2" (CASE "not (exists (ipc : PC_RANGE) : ipc = pc_issue(rpc!1, Sn!1, rROB!1, rnuminst!1))") (("1" (INST 1 "pc_issue(rpc!1, Sn!1, rROB!1, rnuminst!1)") NIL) ("2" (CASE "not (exists (iRS : [SLOT_ID -> RS_TYPE]): iRS = RS_issue(rRS!1, Sn!1, rRF!1, rRAT!1, rROB!1, rpc!1))") (("1" (INST 1 "RS_issue(rRS!1, Sn!1, rRF!1, rRAT!1, rROB!1, rpc!1)") NIL) ("2" (CASE "not (exists (iRAT : [REG_ID -> RAT_TYPE]): iRAT = RAT_issue(rRAT!1, Sn!1, rROB!1, rpc!1))") (("1" (INST 1 "RAT_issue(rRAT!1, Sn!1, rROB!1, rpc!1)") NIL) ("2" (CASE "not (exists (iROB : ROB_TYPE): iROB = ROB_issue(Sn!1, rROB!1, rRF!1, rRAT!1, rpc!1, rnuminst!1))") (("1" (INST 1 "ROB_issue(Sn!1, rROB!1, rRF!1, rRAT!1, rpc!1, rnuminst!1)") NIL) ("2" (SKOSIMP*) (("2" (SIMP) (("2" (INST 7 "ipc!1" "iRS!1" "iRAT!1" "iROB!1") (("2" (SPLIT +) (("1" (EXPAND "rho_issue" +) (("1" (INST?) (("1" (EXPAND "dispatch") (("1" (EXPAND "can_issue") (("1" (SIMP) (("1" (EXPAND "refMap") (("1" (CASE "not Sn!1 > 0") (("1" (SIMP) NIL) ("2" (SIMP) (("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (INST? -) (("1" (INST? 
-) (("1" (SIMP) NIL))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) NIL))) ("3" (REP-PLUS) (("3" (EXP-TRANS +) NIL))) ("4" (REP-PLUS) (("4" (EXP-TRANS +) NIL))) ("5" (REP-PLUS) (("5" (EXP-TRANS +) NIL))))))))))))))))))))) ("2" (EXPAND "refMap") (("2" (CASE "not ((NOT (tail(iROB!1) = head(iROB!1) AND wrap(iROB!1)) AND tail(ROB_p!1) = tail(iROB!1) AND (head(iROB!1) = head(ROB_p!1) OR (head(iROB!1) = succ(head(ROB_p!1)) AND wrap(ROB_p!1)))))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (HIDE -1 -2 -3 -4) (("1" (EXP-TRANS) (("1" (NEW-SPLIT-IF) (("1" (HIDE -3 -4 -5 -6 -7) (("1" (HIDE -7) (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -) NIL))) ("2" (EXPAND "succ") (("2" (EXPAND "SpecInv") (("2" (EXPAND "wrapWraps") (("2" (NEW-SPLIT-IF -12) NIL))))))))))))))))))))))) ("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (REPLACE*) (("1" (SIMP) (("1" (SIMP) (("1" (HIDE -3 -4 -5 -6 -9 -10 -11 -12 -13) (("1" (EXP-TRANS) (("1" (INST?) (("1" (HIDE -9) (("1" (NEW-SPLIT-IF) (("1" (SPLIT +) (("1" (SPLIT-ALL) (("1" (EXPAND "succ") (("1" (SPLIT-ALL -) NIL))))) ("2" (SIMP) (("2" (SPLIT +) (("1" (EXP-BUFF) (("1" (SPLIT -9) (("1" (SPLIT-ALL) NIL) ("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (SIMP) (("1" (EXPAND "succ") (("1" (SPLIT-ALL) NIL))))))))) ("2" (NEW-SPLIT-IF) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -13) NIL))) ("2" (EXPAND "succ") (("2" (NEW-SPLIT-IF -12) NIL))))))))))))) ("2" (SPLIT -9) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -11) NIL))) ("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (CASE "(forall (j:TWO): IF b(RAT!1(src(prog(rpc!1))(j))) then pv(robe(ROB!1)(al(RAT!1(src(prog(rpc!1))(j))))) = IF b(rRAT!1(src(prog(rpc!1))(j))) then pv(robe(rROB!1)(al(rRAT!1(src(prog(rpc!1))(j))))) else v(rRF!1(src(prog(rpc!1))(j))) endif else v(RF!1(src(prog(rpc!1))(j))) = IF b(rRAT!1(src(prog(rpc!1))(j))) then pv(robe(rROB!1)(al(rRAT!1(src(prog(rpc!1))(j))))) ELSE v(rRF!1(src(prog(rpc!1))(j))) endif endif)") (("1" (INST-CP -1 "1") (("1" (INST -1 "2") 
(("1" (SPLIT-ALL) NIL))))) ("2" (HIDE -9 -10 3) (("2" (SKOSIMP*) (("2" (INST?) (("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SPLIT +) (("1" (SIMP) (("1" (INST? -34) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (REVEAL -6) (("1" (INST?) (("1" (INST? -20) (("1" (SIMP) (("1" (SIMP) (("1" (SIMP) NIL))))))))))))))))))))) ("2" (SIMP) (("2" (SPLIT-IF) (("2" (SPLIT-IF -) (("1" (REDUCE-IF) (("1" (EXPAND "occBuffBusyRAT") (("1" (INST? -35) (("1" (SIMP) NIL))))))) ("2" (REDUCE-IF) (("2" (EXPAND "occBuffBusyRAT") (("2" (INST? -35) (("2" (SIMP) NIL))))))))))))))))))))))))))) ("2" (HIDE -10 -11) (("2" (EXP-BUFF) (("2" (EXPAND "succ") (("2" (NEW-SPLIT-IF) (("2" (NEW-SPLIT-IF) (("2" (REDUCE-IF) (("2" (NEW-SPLIT-IF) NIL))))))))))))))))))) ("3" (EXP-BUFF) (("3" (HIDE -8) (("3" (SPLIT -8) (("1" (EXPAND "succ") (("1" (SPLIT-ALL) NIL))) ("2" (SIMP) (("2" (EXPAND "succ") (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))) ("2" (REPLACE*) (("2" (SIMP) (("2" (HIDE -3 -4 -5 -6 -7 -10 -11 -12 -13 -14) (("2" (HIDE -7 -9) (("2" (EXP-TRANS) (("2" (NEW-SPLIT-IF) (("2" (SKOSIMP*) (("2" (INST? -) (("2" (NEW-SPLIT-IF) NIL))))))))))))))))) ("3" (REPLACE*) (("3" (SIMP) (("3" (HIDE -4 -5 -6 -7 -10 -11 -12 -13 -14 3) (("3" (HIDE -8 -10) (("3" (NEW-SPLIT-IF -) (("3" (SKOSIMP*) (("3" (EXP-TRANS) (("3" (INST?) (("3" (SPLIT-ALL) NIL))))))))))))))))) ("4" (SKOSIMP*) (("4" (REPLACE*) (("4" (SIMP) (("4" (HIDE -3 -4 -5 -6 -9 -10 -11 -12 -13 -16) (("4" (EXP-TRANS) (("4" (NEW-SPLIT-IF -) (("4" (INST?) (("4" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SPLIT-ALL) NIL))))) ("2" (EXPAND "succ") (("2" (SPLIT-ALL -) NIL))))) ("2" (SKOSIMP*) (("2" (NEW-SPLIT-IF) (("1" (EXPAND "SpecInv" -15) (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST?) (("1" (SPLIT -10) (("1" (EXPAND "succ") (("1" (SIMP) (("1" (NEW-SPLIT-IF -16) NIL))))) ("2" (SIMP) (("2" (INST?) (("2" (REVEAL -13) (("2" (INST?) (("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SIMP) (("2" (INST?) 
(("2" (SPLIT +) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (CASE "not RAT!1(src(prog(rpc!1))(j!1)) = rRAT!1(src(prog(rpc!1))(j!1))") (("1" (REPLACE 1) (("1" (SIMP) NIL))) ("2" (SIMP) (("2" (SIMP) NIL))))))))))) ("2" (SIMP) (("2" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SPLIT-IF -) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))) ("2" (REDUCE-IF) (("2" (REPLACE*) (("2" (EXPAND "ROBpredCorrect") (("2" (INST? -43) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT +) (("1" (SPLIT-IF -) (("1" (SPLIT-IF -) (("1" (SPLIT -11) (("1" (SIMP) (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (SIMP) (("2" (INST?) (("2" (SIMP) NIL))))))))))) ("2" (SPLIT -9) (("1" (SIMP) (("1" (INST?) (("1" (SPLIT-IF) NIL))))) ("2" (SIMP) (("2" (INST?) (("2" (EXPAND "SpecInv") (("2" (EXPAND "occBuffBusyRAT") (("2" (SPLIT-IF) (("2" (SPLIT-IF -) (("1" (REDUCE-IF) (("1" (INST? -38) (("1" (SIMP) NIL))))) ("2" (REDUCE-IF) (("2" (INST? -38) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))) ("5" (REPLACE*) (("5" (SIMP) (("5" (HIDE -3 -4 -5 -6 -9 -10 -11 -12 -13 -16 -18) (("5" (EXP-TRANS) (("5" (NEW-SPLIT-IF) (("5" (NEW-SPLIT-IF -) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -13) NIL))) ("2" (HIDE -1) (("2" (EXPAND "succ" -10) (("2" (EXP-BUFF) (("2" (SPLIT-ALL -) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|issueMatchNotFull| "" (SKOSIMP*) (("" (LEMMA "issueNoFlush") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (HIDE -2 -3 -4 -5) (("" (REVEAL -1 -2 -3 -4) (("" (EXPAND "rho_issue" -) (("" (SKOSIMP*) (("" (EXPAND "dispatch") (("" (REPLACE -6 (-11 1)) (("" (SIMP) (("" (NEW-SPLIT-IF) (("1" (INST 3 "fpc!1" "fRS!1" "fRAT!1" "fROB!1") (("1" (SPLIT 3) (("1" (EXPAND "rho_issue") (("1" (INST 1 "0") (("1" (SIMP) (("1" (APPLY (THEN (SPLIT 1) (APPLY-EXTENSIONALITY 1 :HIDE? T))) NIL))))))) ("2" (SIMP) (("2" (CASE "not (LAMBDA (S: SLOT_ID[R, U, Z, B]): RS!1(S)) = RS!1") (("1" (APPLY-EXTENSIONALITY 1 :HIDE? 
T) NIL) ("2" (CASE "not (LAMBDA (r: REG_ID[R]): RAT!1(r)) = RAT!1") (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL) ("2" (SIMP) NIL))))))))))) ("2" (CASE "tail(ROB!1) = succ(tail(ROB!1))") (("1" (EXPAND "succ" -1) (("1" (NEW-SPLIT-IF -) NIL))) ("2" (CASE "not (exists (ipc :PC_RANGE): ipc = pc_issue(fpc!1, Sn!1, fROB!1, fnuminst!1))") (("1" (INST 1 "pc_issue(fpc!1, Sn!1, fROB!1, fnuminst!1)") NIL) ("2" (CASE "not (exists (iRAT : [REG_ID -> RAT_TYPE]): iRAT = RAT_issue(fRAT!1, Sn!1, fROB!1, fpc!1))") (("1" (INST 1 "RAT_issue(fRAT!1, Sn!1, fROB!1, fpc!1)") NIL) ("2" (CASE "not (exists (iROB : ROB_TYPE ): iROB = ROB_issue(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1))") (("1" (INST 1 "ROB_issue(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1)") NIL) ("2" (CASE "not (exists (iRS : [SLOT_ID -> RS_TYPE]): iRS = RS_issue(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1))") (("1" (INST 1 "RS_issue(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1)") NIL) ("2" (SKOSIMP*) (("2" (SIMP) (("2" (INST 7 "ipc!1" "iRS!1" "iRAT!1" "iROB!1") (("2" (SPLIT 7) (("1" (HIDE -8 -9 -10 -11 -12) (("1" (EXPAND "rho_issue") (("1" (INST 1 "Sn!1") (("1" (EXPAND "dispatch") (("1" (SIMP) (("1" (EXPAND "can_issue") (("1" (APPLY (THEN (SPLIT +) (REP-PLUS) (EXP-TRANS +) (SIMP))) (("1" (EXPAND "refMap") (("1" (PROPAX) NIL))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (INST? 
-12) (("2" (SIMP) NIL))))))))))))))))))))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (SPLIT +) (("1" (REP-PLUS -1) (("1" (EXP-TRANS (-1 -2)) (("1" (HIDE -11 -12 -13 -14 -17 -18 -19) (("1" (SPLIT -12) (("1" (SIMP) NIL) ("2" (EXPAND "succ") (("2" (SPLIT-IF -) NIL))))))))))) ("2" (SIMP) (("2" (REP-PLUS) (("2" (EXP-TRANS 1) NIL))))) ("3" (REP-PLUS) (("3" (EXP-TRANS +) (("3" (SIMP) (("3" (SIMP) NIL))))))) ("4" (CASE "not ( tail(ROB_p!1) = tail(iROB!1) AND (head(iROB!1) = head(ROB_p!1) OR (head(iROB!1) = succ(head(ROB_p!1)) AND tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1))))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (SIMP) (("1" (SIMP) NIL))))))))) ("2" (SKOSIMP*) (("2" (INST -17 "rb!1") (("2" (SPLIT +) (("1" (SIMP) (("1" (REP-PLUS (-1 1)) (("1" (EXP-TRANS (-1 1)) (("1" (EXP-BUFF) (("1" (HIDE -11 -12 -13 -14 -15) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (SIMP) (("1" (SIMP) (("1" (SIMP) NIL))))))) ("2" (SPLIT +) (("1" (SPLIT-ALL) NIL) ("2" (REVEAL -6) (("2" (EXPAND "SpecInv" -18) (("2" (EXPAND "busyRAT") (("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (HIDE -4 -14 -18) (("1" (CASE "(forall (j:TWO): IF b(RAT!1(src(prog(fpc!1))(j))) THEN pv(robe(ROB!1)(al(RAT!1(src(prog(fpc!1))(j))))) = IF b(fRAT!1(src(prog(fpc!1))(j))) then pv(robe(fROB!1)(al(fRAT!1(src(prog(fpc!1))(j))))) else v(fRF!1(src(prog(fpc!1))(j))) endif else v(RF!1(src(prog(fpc!1))(j))) = if b(fRAT!1(src(prog(fpc!1))(j))) then pv(robe(fROB!1)(al(fRAT!1(src(prog(fpc!1))(j))))) else v(fRF!1(src(prog(fpc!1))(j))) endif endif )") (("1" (INST-CP -1 "1") (("1" (INST -1 "2") (("1" (SPLIT-ALL) NIL))))) ("2" (HIDE 3) (("2" (SKOSIMP*) (("2" (INST?) (("2" (INST?) (("2" (INST?) (("2" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST? 
-40) (("1" (SPLIT-ALL) NIL))))))))) ("2" (SPLIT-ALL) NIL))))))))))))))))) ("2" (SPLIT-ALL) NIL))))))))))) ("3" (SPLIT-ALL) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (HIDE -3 -4 -5 -6 -11 -12 -13 -14 -15) (("2" (EXP-TRANS +) (("2" (EXP-BUFF) (("2" (NEW-SPLIT-IF) NIL))))))))))))))))) ("5" (REP-PLUS) (("5" (EXP-TRANS +) (("5" (SPLIT -17) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SPLIT-IF) NIL))))))) ("2" (SIMP) (("2" (SIMP) NIL))))))))) ("6" (SIMP) (("6" (REP-PLUS 1) (("6" (EXP-TRANS 1) (("6" (SIMP) (("6" (SIMP) NIL))))))))) ("7" (SKOSIMP*) (("7" (REP-PLUS) (("7" (EXP-TRANS +) (("7" (INST? -17) (("7" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST? -23) (("1" (SPLIT-ALL) NIL))))))) ("2" (SKOSIMP*) (("2" (SIMP) (("2" (SPLIT -17) (("1" (SIMP) (("1" (INST?) (("1" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST? -30) (("1" (INST? -) (("1" (INST? -46) (("1" (SPLIT-IF) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) NIL))))) ("2" (SPLIT-IF) (("2" (EXPAND "ROBpredCorrect") (("2" (INST? -61) (("2" (SIMP) NIL))))))))))))))))))))))))))) ("2" (SIMP) (("2" (INST?) (("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SPLIT-IF) NIL))))))))))))))))))))))))) ("8" (REP-PLUS) (("8" (EXP-TRANS +) (("8" (EXP-BUFF) (("8" (HIDE -1 -2 -3 -4 -9 -10 -11 -12) (("8" (HIDE -9) (("8" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (REDUCE-IF) (("1" (SIMP) NIL))) ("2" (REDUCE-IF) (("2" (SIMP) NIL))))) ("2" (SPLIT-ALL -) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|issueMatch| "" (SKOSIMP*) (("" (LEMMA "issueNoFlush") (("" (INST?) (("" (INST?) (("" (SIMP) (("" (CASE "tail(ROB!1) /= head(ROB!1) AND tail(ROB_p!1) = head(ROB_p!1)") (("1" (LEMMA "issueMatchFull") (("1" (INST?) (("1" (INST?) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST? +) (("1" (SIMP) (("1" (INST?) (("1" (INST 3 "rflushInt!1" "rflushBr!1") (("1" (SIMP) (("1" (INST?) 
(("1" (SIMP) NIL))))))))))))))))))))))) ("2" (HIDE -2) (("2" (REVEAL -1) (("2" (EXPAND "rho_issue" -) (("2" (SKOSIMP*) (("2" (EXPAND "dispatch") (("2" (REPLACE -6 (-8 1)) (("2" (SIMP) (("2" (INST 2 "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #))" "fRS!1" "fROB!1") (("2" (SPLIT 2) (("1" (EXPAND "rho_writeb" 1) (("1" (INST 1 "(lambda FU :false)" "(lambda FU : Z)") (("1" (SIMP) (("1" (SPLIT 1) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) NIL) ("2" (SPLIT-IF) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))))))))))) ("2" (SIMP) NIL))))) ("2" (INST 1 "fpc!1" "fRS!1" "fRF!1" "fROB!1" "fRAT!1" "fnuminst!1" "flushInt!1" "flushBr!1") (("2" (SPLIT +) (("1" (EXPAND "rho_retire" +) (("1" (INST 1 "false") (("1" (SIMP) NIL))))) ("2" (SPLIT-IF) (("1" (INST 3 "fpc!1" "fRS!1" "fRAT!1" "fROB!1") (("1" (SPLIT 3) (("1" (EXPAND "rho_issue") (("1" (INST 1 "0") (("1" (SIMP) (("1" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))))))))) ("2" (EXPAND "refMap") (("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SPLIT -9) (("1" (SIMP) (("1" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (NEW-SPLIT-IF) NIL))) ("2" (NEW-SPLIT-IF) NIL))))))))) ("2" (SIMP) NIL))) ("2" (APPLY (THEN (SPLIT +) (SIMP) (SIMP) (SKOSIMP*))) (("1" (INST? -10) (("1" (SPLIT-ALL) NIL))) ("2" (REPLACE*) (("2" (SIMP) (("2" (INST? -13) NIL))))) ("3" (REPLACE*) (("3" (INST? -13) (("3" (SIMP) NIL))))) ("4" (INST? 
-12) (("4" (REPLACE*) (("4" (SIMP) NIL))))))))))))))) ("2" (SPLIT -9) (("1" (EXPAND "succ") (("1" (SPLIT-IF -) NIL))) ("2" (CASE "not (exists (ipc :PC_RANGE): ipc = pc_issue(fpc!1, Sn!1, fROB!1, fnuminst!1))") (("1" (INST 1 "pc_issue(fpc!1, Sn!1, fROB!1, fnuminst!1)") NIL) ("2" (CASE "not (exists (iRAT : [REG_ID -> RAT_TYPE]): iRAT = RAT_issue(fRAT!1, Sn!1, fROB!1, fpc!1))") (("1" (INST 1 "RAT_issue(fRAT!1, Sn!1, fROB!1, fpc!1)") NIL) ("2" (CASE "not (exists (iROB : ROB_TYPE ): iROB = ROB_issue(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1))") (("1" (INST 1 "ROB_issue(Sn!1, fROB!1, fRF!1, fRAT!1, fpc!1, fnuminst!1)") NIL) ("2" (CASE "not (exists (iRS : [SLOT_ID -> RS_TYPE]): iRS = RS_issue(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1))") (("1" (INST 1 "RS_issue(fRS!1, Sn!1, fRF!1, fRAT!1, fROB!1, fpc!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 4 "ipc!1" "iRS!1" "iRAT!1" "iROB!1") (("2" (SPLIT 4) (("1" (HIDE -8 -9 -10 -11 -12) (("1" (EXPAND "rho_issue") (("1" (INST 1 "Sn!1") (("1" (EXPAND "dispatch") (("1" (SIMP) (("1" (EXPAND "can_issue") (("1" (APPLY (THEN (SPLIT +) (REP-PLUS) (EXP-TRANS +) (SIMP))) (("1" (EXPAND "refMap") (("1" (PROPAX) NIL))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (INST? 
-12) (("2" (SIMP) NIL))))))))))))))))))))) ("2" (EXPAND "refMap") (("2" (SPLIT +) (("1" (REP-PLUS -1) (("1" (EXP-TRANS (-1 -2)) (("1" (HIDE -11 -12 -13 -14 -17 -18 -19) (("1" (SPLIT -12) (("1" (SIMP) (("1" (EXPAND "succ") (("1" (SPLIT-IF -) NIL))))) ("2" (SIMP) NIL))))))))) ("2" (SIMP) NIL) ("3" (SIMP) (("3" (CASE "not ( tail(ROB_p!1) = tail(iROB!1) AND (head(iROB!1) = head(ROB_p!1) OR (head(iROB!1) = succ(head(ROB_p!1)) AND tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1))))") (("1" (HIDE 4) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (SPLIT -14) (("1" (PROPAX) NIL) ("2" (SIMP) NIL))))))))) ("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SKOSIMP*) (("1" (INST -17 "rb!1") (("1" (SPLIT +) (("1" (SIMP) (("1" (REP-PLUS (-1 1)) (("1" (EXP-TRANS (-1 1)) (("1" (EXP-BUFF) (("1" (HIDE -11 -12 -13 -14 -15) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (SIMP) (("1" (SIMP) (("1" (SIMP) NIL))))))) ("2" (SPLIT +) (("1" (SPLIT-ALL) NIL) ("2" (REVEAL -6) (("2" (EXPAND "SpecInv" -18) (("2" (EXPAND "busyRAT") (("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (HIDE -4 -14 -18) (("1" (CASE "(forall (j:TWO): IF b(RAT!1(src(prog(fpc!1))(j))) THEN pv(robe(ROB!1)(al(RAT!1(src(prog(fpc!1))(j))))) = IF b(fRAT!1(src(prog(fpc!1))(j))) then pv(robe(fROB!1)(al(fRAT!1(src(prog(fpc!1))(j))))) else v(fRF!1(src(prog(fpc!1))(j))) endif else v(RF!1(src(prog(fpc!1))(j))) = if b(fRAT!1(src(prog(fpc!1))(j))) then pv(robe(fROB!1)(al(fRAT!1(src(prog(fpc!1))(j))))) else v(fRF!1(src(prog(fpc!1))(j))) endif endif )") (("1" (INST-CP -1 "1") (("1" (INST -1 "2") (("1" (SPLIT-ALL) NIL))))) ("2" (HIDE 3) (("2" (SKOSIMP*) (("2" (INST?) (("2" (INST?) (("2" (INST?) (("2" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST? 
-40) (("1" (SPLIT-ALL) NIL))))))))) ("2" (SPLIT-ALL) NIL))))))))))))))))) ("2" (SPLIT-ALL) NIL))))))))))) ("3" (SPLIT-ALL) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (HIDE -3 -4 -5 -6 -11 -12 -13 -14 -15) (("2" (EXP-TRANS +) (("2" (EXP-BUFF) (("2" (NEW-SPLIT-IF) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (SPLIT -19) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SPLIT-IF) NIL))))))) ("2" (SIMP) (("2" (SIMP) NIL))))))))) ("3" (SPLIT -20) (("1" (SIMP) (("1" (REP-PLUS 1) (("1" (REP-PLUS (-5 -6 -7)) NIL))))) ("2" (EXP-TRANS (-5 -6 -7)) (("2" (SPLIT +) (("1" (SKOSIMP*) (("1" (INST?) (("1" (REP-PLUS) (("1" (SIMP) NIL))))))) ("2" (SIMP) (("2" (SIMP) NIL))))))))) ("4" (SKOSIMP*) (("4" (REP-PLUS) (("4" (EXP-TRANS +) (("4" (HIDE -3 -4 -5 -6 -10 -11 -12 -13 -14 -15) (("4" (INST? -9) (("4" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST? -13) (("1" (SPLIT-ALL) NIL))))))) ("2" (SKOSIMP*) (("2" (SIMP) (("2" (SPLIT -9) (("1" (SIMP) (("1" (INST?) (("1" (SPLIT-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "busyRAT") (("1" (SIMP) (("1" (INST? -22) (("1" (INST? -) (("1" (INST? -38) (("1" (SPLIT-IF) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) NIL))))) ("2" (SPLIT-IF) (("2" (EXPAND "ROBpredCorrect") (("2" (INST? -53) (("2" (SIMP) NIL))))))))))))))))))))))))))) ("2" (SIMP) (("2" (INST?) 
(("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SPLIT-IF) NIL))))))))))))))))))))))))))) ("5" (REP-PLUS) (("5" (EXP-TRANS +) (("5" (EXP-BUFF) (("5" (HIDE -3 -4 -5 -6 -11 -12 -13 -14) (("5" (HIDE -11) (("5" (SPLIT-ALL -) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
$$$Ref2.pvs
Ref2[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY

% The three theories Ref1, Ref2 and Ref3 prove that DES_s(B'+1) refines DES_f(B'+1)
% In this file we define lemmas used to show that every writeback or retirement
% in stuttering Spec(B) is matched with a transition in Spec_f(B)
% The variables of DES_f are prefixed with "f", "e", "w", "r" or "i"
%
% Both lemmas below take SpecInv of the two related states as a hypothesis and
% conclude only the matching transition plus refMap for the successor states;
% SpecInv of the successor states is not part of either conclusion.
% NOTE(review): presumably invariant preservation is discharged by separate
% lemmas (earlier proofs in this dump cite a lemma named "SpecInv_retire") --
% confirm before chaining these steps into the full refinement argument.

BEGIN

  IMPORTING Ref1[R, U, Z, B], Trans2[R, U, Z, B]

  % Names ending in "_p" are used as the second group of arguments of
  % rho_writeb / rho_retire below (presumably the post-state -- confirm
  % against the definitions of the rho_* relations, which are not in this theory).
  RF, fRF, rRF, RF_p, fRF_p: VAR [REG_ID -> RF_TYPE]
  RAT, fRAT, rRAT, RAT_p, fRAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p: VAR ROB_TYPE
  RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p: VAR [SLOT_ID -> RS_TYPE]
  pc, fpc, rpc, pc_p, fpc_p: VAR posnat
  numinst, fnuminst, numinst_p, fnuminst_p: VAR nat
  FU, FUexec: VAR FU_ID
  S: VAR SLOT_ID
  Sn, Siex: VAR upto[Z]
  r: VAR REG_ID
  rb: VAR ROB_ID
  retire, flushInt, flushBr, flushInt_p, flushBr_p: VAR boolean
  res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE]

  % writebMatch: a rho_writeb step on the unprefixed state, taken from a pair of
  % states related by refMap and both satisfying SpecInv, is matched by a
  % rho_writeb step on the f-prefixed state. Only fRS_p, fROB_p and fres_p are
  % existentially chosen; fpc, fRF, fRAT and fnuminst are passed unchanged as
  % both halves of the matching step, and refMap is re-established with the same
  % flushInt / flushBr values.
  % NOTE(review): the last refMap argument is the literal FALSE in hypothesis
  % and conclusion; its meaning comes from refMap's definition, which is not in
  % this theory -- confirm.
  writebMatch: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst,
               fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    (EXISTS (fres_p, fRS_p, fROB_p):
      rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst,
                 fpc, fRF, fRS_p, fRAT, fROB_p, fnuminst, fres_p)
      AND refMap(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p,
                 fpc, fRF, fRS_p, fRAT, fROB_p, fnuminst, flushInt, flushBr, FALSE))

  % retireMatch: the same shape for rho_retire. Here every f-side successor
  % component and both flush flags (flushInt_p, flushBr_p) are existentially
  % quantified, so the matching step may change the flush flags that refMap
  % relates the two states under.
  retireMatch: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
    AND refMap(pc, RF, RS, RAT, ROB, numinst,
               fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE)
    AND SpecInv(RF, RS, RAT, ROB, numinst)
    AND SpecInv(fRF, fRS, fRAT, fROB, fnuminst)
    IMPLIES
    (EXISTS (fpc_p, fRS_p, fRF_p, fROB_p, fRAT_p, fnuminst_p, flushInt_p, flushBr_p):
      rho_retire(fpc, fRF, fRS, fRAT, fROB, fnuminst,
                 fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)
      AND refMap(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p,
                 fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, flushInt_p, flushBr_p, FALSE))

END Ref2
$$$Ref2.prf
(|Ref2| (|writebMatch| "" (SKOSIMP*) (("" (LEMMA "writeb_prop") (("" (INST?) (("" (SIMP) (("" (EXPAND "rho_writeb" -) (("" (SKOSIMP*) (("" (EXPAND "refMap" -) (("" (EXPAND "SpecInv") (("" (SIMP) (("" (SPLIT -) (("1" (SIMP) (("1" (INST 3 "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #))" "fRS!1" "fROB!1") (("1" (SPLIT 3) (("1" (EXPAND "rho_writeb") (("1" (INST 1 "(lambda FU : false)" "iex!1") (("1" (SIMP) (("1" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))) ("2" (SPLIT-IF) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) NIL) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) NIL))))))))))))))) ("2" (EXPAND "refMap") (("2" (APPLY (THEN (SPLIT +) (SIMP))) (("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (REPLACE -22 :HIDE? T) (("1" (SIMP) NIL))) ("2" (REPLACE -21 :HIDE? T) (("2" (SIMP) (("2" (REP-PLUS) (("2" (APPLY-EXTENSIONALITY 2 :HIDE? 
T) (("2" (SPLIT-IF) NIL))))))))))))))))))))) ("2" (SIMP) (("2" (CASE "not (exists (wres : [FU_ID -> result_TYPE]) : wres = res_writeb(fROB!1, res_p!1))") (("1" (INST 1 "res_writeb(fROB!1, res_p!1)") NIL) ("2" (CASE "not (exists (wRS : [SLOT_ID -> RS_TYPE]): wRS = RS_writeb(res_p!1, fRS!1))") (("1" (INST 1 "RS_writeb(res_p!1, fRS!1)") NIL) ("2" (SKOSIMP*) (("2" (CASE "not (exists (wROB : ROB_TYPE): wROB = ROB_writeb(fROB!1, res_p!1))") (("1" (INST 1 "ROB_writeb(fROB!1, res_p!1) ") NIL) ("2" (SKOSIMP*) (("2" (INST 4 "wres!1" "wRS!1" "wROB!1") (("2" (SPLIT 4) (("1" (EXPAND "rho_writeb") (("1" (INST 1 "(lambda FU : exec!1(FU) and oc(robe(fROB!1)(p(res_p!1(FU)))) AND b(robe(fROB!1)(p(res_p!1(FU)))))" "iex!1") (("1" (APPLY (THEN (SPLIT +) (SKOSIMP*) (SIMP))) (("1" (EXPAND "can_execute") (("1" (EXPAND "enabled") (("1" (HIDE -20 -21) (("1" (INST? -16) (("1" (INST? -11) (("1" (SIMP) (("1" (REPLACE -19 (-2 -3) :HIDE? T) (("1" (SIMP) (("1" (INST?) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -41) (("1" (SIMP) (("1" (INST? -59) (("1" (SIMP) (("1" (INST? -57) (("1" (INST? -39) (("1" (SIMP) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INSTBEST -26) (("1" (INST? -20) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (REP-EXP -3 +) (("2" (REPLACE -14 + :HIDE? T) (("2" (SIMP) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (CASE "exec!1(x!1)") (("1" (SIMP) (("1" (CASE "oc(robe(fROB!1)(p(RS!1(iex!1(x!1))))) AND b(robe(fROB!1)(p(RS!1(iex!1(x!1)))))") (("1" (SIMP) (("1" (INST?) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -40) (("1" (INST? -41) (("1" (INST? -57) (("1" (SIMP) (("1" (REPLACE*) (("1" (HIDE -28 -29) (("1" (INST? -25) (("1" (INST? -58) (("1" (SIMP) (("1" (EXPAND "enabled") (("1" (SIMP) (("1" (CASE "issuedBefore(numinst!1, ROB!1, p(RS!1(iex!1(x!1)))) = issuedBefore(fnuminst!1, fROB!1, p(fRS!1(iex!1(x!1))))") (("1" (SIMP) (("1" (SPLIT-IF-SIMP) (("1" (INST-CP -27 "1") (("1" (INST -27 "2") (("1" (INST? 
-20) (("1" (SIMP) (("1" (INST-CP -20 "1") (("1" (INST -20 "2") (("1" (SIMP) (("1" (SIMP) NIL))))))))))))))))))) ("2" (HIDE 2) (("2" (EXP-BUFF) (("2" (CASE " head(ROB!1) = head(fROB!1)") (("1" (SPLIT-IF-SIMP) NIL) ("2" (EXPAND "succ") (("2" (EXPAND "occEqual") (("2" (SIMP) (("2" (INST? -54) (("2" (EXPAND "occ_buffer" -54) (("2" (SPLIT-IF-SIMP -) (("1" (SPLIT-IF-SIMP) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REPLACE 1) (("2" (PROPAX) NIL))))))) ("2" (REPLACE 1) (("2" (SIMP) NIL))))))))))))) ("3" (REPLACE -1) (("3" (EXP-TRANS +) (("3" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (HIDE -17 -18) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (EXPAND "wb_prop") (("1" (EXPAND "chosenFUunique") (("1" (SIMP) (("1" (INST-CP -17 "FU!2") (("1" (EXPAND "FUunique") (("1" (SIMP) (("1" (INST -15 "FU!1" "FU!2") (("1" (SIMP) (("1" (REPLACE -5) (("1" (REPLACE -18) (("1" (CASE "not FU!2 = chooseFU(x!1, wres!1)") (("1" (HIDE 2) (("1" (EXPAND "chooseFU" +) (("1" (SPLIT-IF) (("1" (EXPAND "choose") (("1" (USE "epsilon_ax[FU_ID]") (("1" (SPLIT -) (("1" (SIMP) (("1" (REVEAL -2) (("1" (INST -1 "epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = x!1)" "FU!2") (("1" (SIMP) (("1" (CASE "not (exists FU : FU = epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = x!1))") (("1" (INST 1 "epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = x!1)") NIL) ("2" (SKOSIMP*) (("2" (REPLACE -1 :DIR RL) (("2" (REP-EXP -13 (-2 -3)) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))))) ("2" (INST 1 "FU!1") (("2" (SIMP) NIL))))))))))))))) ("2" (REPLACE -1 :DIR RL) (("2" (REP-EXP -9 (-2 -3 1)) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INSTBEST) (("2" (REP-EXP -6 +) (("2" (EXPAND "wb_prop") (("2" (EXPAND "activeRes") (("2" (SIMP) (("2" (INST? -14) (("2" (SIMP) (("2" (SPLIT-IF) (("2" (INST?) (("2" (SIMP) (("2" (EXPAND "occEqual") (("2" (SIMP) (("2" (INST? 
-43) (("2" (SIMP) (("2" (REPLACE 1) (("2" (SIMP) (("2" (SPLIT -) (("1" (SIMP) (("1" (EXPAND "headTailEq") (("1" (INST? -57) NIL))))) ("2" (SIMP) (("2" (EXPAND "occ_buffer" -) (("2" (REDUCE-IF) (("2" (EXPAND "succ") (("2" (SPLIT-IF -) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("2" (SKOSIMP*) (("2" (HIDE 1) (("2" (INSTBEST) (("2" (REP-EXP -6 (-2 -3)) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))) ("2" (SKOSIMP*) (("2" (LEMMA "chosenFUnonzero") (("2" (INST?) (("2" (SIMP) (("2" (SIMP) NIL))))))))) ("3" (SKOSIMP*) (("3" (LEMMA "chosenFUnonzero") (("3" (SIMP) (("3" (INST?) (("3" (SIMP) (("3" (SIMP) NIL))))))))))))))))) ("4" (REP-EXP -2 +) (("4" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (INST? -10) (("1" (HIDE -19 -20) (("1" (REP-EXP -5 (1)) (("1" (EXPAND "wb_prop") (("1" (EXPAND "activeRes") (("1" (SIMP) (("1" (INST? -13) (("1" (SIMP) (("1" (INST? -8) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (HIDE 1) (("1" (EXPAND "enabled") (("1" (EXPAND "occRS") (("1" (INST? -52) (("1" (SIMP) (("1" (SIMP) NIL))))))))))) ("2" (APPLY-EXTENSIONALITY 2 :HIDE? T) NIL))))))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (REP-EXP -5 (-1 -2)) (("1" (REDUCE-IF) (("1" (SPLIT-IF) NIL))))))))) ("2" (SPLIT-IF) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-IF) (("1" (SPLIT-IF) (("1" (EXPAND "wb_prop") (("1" (EXPAND "chosenFUunique") (("1" (SIMP) (("1" (SKOSIMP*) (("1" (REPLACE -5) (("1" (INST? 
-18) (("1" (SIMP) (("1" (REPLACE -18) (("1" (CASE "not chooseFU(p(res_p!1(FU!2)), wres!1) = FU!2") (("1" (HIDE 2) (("1" (HIDE -26 -27) (("1" (EXPAND "chooseFU") (("1" (SPLIT-IF) (("1" (EXPAND "choose") (("1" (USE "epsilon_ax[FU_ID]") (("1" (SPLIT -) (("1" (SIMP) (("1" (EXPAND "FUunique") (("1" (INST -19 "epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = p(res_p!1(FU!2)))" "FU!2") (("1" (SIMP) (("1" (CASE "not (exists FU : FU = epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = p(res_p!1(FU!2))))") (("1" (INST 1 "epsilon(LAMBDA (FU: FU_ID[R, U]): a(wres!1(FU)) AND p(wres!1(FU)) = p(res_p!1(FU!2)))") NIL) ("2" (SKOSIMP*) (("2" (REPLACE -1 :DIR RL) (("2" (REP-EXP -14 (-2 -3)) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))))))))) ("2" (INST 1 "FU!1") (("2" (SIMP) NIL))))))))) ("2" (INST?) (("2" (SIMP) NIL))))))))))) ("2" (REPLACE -1) (("2" (REP-EXP -10 1) (("2" (SPLIT-IF) (("2" (HIDE -27 -28 3 4) (("2" (EXPAND "occRSops") (("2" (INST? -50) (("2" (SIMP) (("2" (EXPAND "preceed") (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INSTBEST) (("2" (REP-EXP -7 1) (("2" (EXPAND "occRSops") (("2" (SIMP) (("2" (INST? -46) (("2" (SIMP) (("2" (EXPAND "preceed") (("2" (SIMP) NIL))))))))))))))))))) ("2" (SPLIT-IF) (("2" (SKOSIMP*) (("2" (INSTBEST) (("2" (REP-EXP -7 (-2 -3)) (("2" (REDUCE-IF) (("2" (SIMP) NIL))))))))))))) ("2" (SKOSIMP*) (("2" (LEMMA "chosenFUnonzero") (("2" (INST?) (("2" (SIMP) (("2" (SIMP) NIL))))))))) ("3" (SKOSIMP*) (("3" (LEMMA "chosenFUnonzero") (("3" (INST?) (("3" (SIMP) (("3" (SIMP) NIL))))))))))))))))) ("2" (SKOSIMP*) (("2" (LEMMA "chosenFUnonzero") (("2" (INST?) (("2" (SIMP) (("2" (SIMP) NIL))))))))) ("3" (SKOSIMP*) (("3" (LEMMA "chosenFUnonzero") (("3" (INST?) 
(("3" (SIMP) (("3" (SIMP) NIL))))))))))))))))))) ("2" (EXPAND "refMap") (("2" (CASE "not (NOT (tail(wROB!1) = head(wROB!1) AND wrap(wROB!1)) AND tail(ROB_p!1) = tail(wROB!1) AND (head(wROB!1) = head(ROB_p!1) OR (head(wROB!1) = succ(head(ROB_p!1)) AND tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1))))") (("1" (HIDE 2) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (REPLACE 4) (("1" (SIMP) NIL))))))))) ("2" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (SKOSIMP*) (("1" (REPLACE -19 (1 -1 -2)) (("1" (SIMP) (("1" (HIDE -19 -20) (("1" (REP-EXP -3 +) (("1" (SPLIT-IF) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -39) (("1" (SIMP) (("1" (INST? -) (("1" (SKOSIMP*) (("1" (SIMP) (("1" (SIMP) (("1" (INST? -32) (("1" (INST? -33) (("1" (SIMP) (("1" (SPLIT-IF) NIL))))))))))))))))))))))) ("2" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -23) (("1" (INST? -41) (("1" (INST?) (("1" (SIMP) (("1" (SPLIT-IF) (("1" (INSTBEST) (("1" (SIMP) NIL))))))))))))))))))) ("2" (INST?) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (SPLIT -10) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (REP-PLUS (-3 -4)) (("2" (EXP-TRANS (-3 -4)) NIL))))))))))) ("3" (REP-PLUS (1 2 -1 -2 -3 -4)) (("3" (EXP-TRANS (1 2 -1 -2 -3 -4)) (("3" (SIMP) NIL))))) ("4" (SKOSIMP*) (("4" (REPLACE -20 :HIDE? T) (("4" (SIMP) (("4" (REPLACE -19 + :HIDE? T) (("4" (SIMP) (("4" (REPLACE -4) (("4" (REPLACE -3) (("4" (EXP-TRANS +) (("4" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SIMP) (("1" (INST? -13) (("1" (EXPAND "wb_prop") (("1" (EXPAND "activeRes") (("1" (SIMP) (("1" (REDUCE-IF) (("1" (INST? -18) (("1" (SIMP) NIL))))))))))))))))))))) ("2" (HIDE -8) (("2" (INST? -) (("2" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SPLIT-IF) NIL))))) ("2" (SPLIT-IF) (("2" (SIMP) (("2" (SKOSIMP*) (("2" (INST? 
-) (("2" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (SPLIT-IF) (("1" (CASE "st(ss(fRS!1(S!1))(j!1)) = BUSY") (("1" (SIMP) (("1" (INSTBEST) (("1" (SIMP) NIL))))) ("2" (REPLACE 1) (("2" (SIMP) (("2" (CLEAN-UP) (("2" (EXPAND "wb_prop") (("2" (EXPAND "resPredCorrect") (("2" (EXPAND "chosenFUunique") (("2" (SIMP) (("2" (INSTBEST -20) (("2" (REPLACE -3) (("2" (SIMP) (("2" (REPLACE -20) (("2" (INSTBEST -21) (("2" (SIMP) (("2" (REPLACE -21) (("2" (REVEAL -6) (("2" (REPLACE -1 + :HIDE? T) (("2" (SIMP) (("2" (EXPAND "occRSops") (("2" (INST? -36) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT-IF) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INSTBEST) (("1" (SIMP) NIL))))))))) ("2" (SPLIT-IF) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|retireMatch| "" (SKOSIMP*) (("" (EXPAND "rho_retire" -) (("" (SKOSIMP*) (("" (CASE "not retire!1") (("1" (INST 2 "fpc!1" "fRS!1" "fRF!1" "fROB!1" "fRAT!1" "fnuminst!1" "flushInt!1" "flushBr!1") (("1" (SPLIT +) (("1" (EXPAND "rho_retire ") (("1" (INST 1 "false") (("1" (SIMP) NIL))))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (REPLACE*) (("2" (SIMP) NIL))))))))))) ("2" (CASE "flushInt!1 or flushBr!1 or not head(ROB!1) = head(fROB!1)") (("1" (INST 1 "fpc!1" "fRS!1" "fRF!1" "fROB!1" "fRAT!1" "fnuminst!1" "false" "false") (("1" (SPLIT +) (("1" (EXPAND "rho_retire") (("1" (INST 1 "false") (("1" (SIMP) NIL))))) ("2" (EXPAND "refMap") (("2" (SIMP) (("2" (SPLIT -5) (("1" (SIMP) (("1" (SPLIT -11) (("1" (HIDE 3) (("1" (SIMP) (("1" (EXPAND "SpecInv" -21) (("1" (EXPAND "freeHeadROBempty") (("1" (EXPAND "ROBpredCorrect") (("1" (SIMP) (("1" (INST? -30) (("1" (SIMP) (("1" (SPLIT -10) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (SIMP) NIL))))))))))))))))))))) ("2" (SIMP) (("2" (REPLACE*) (("2" (SIMP) (("2" (HIDE -12 -13 -14 -15) (("2" (SPLIT 5) (("1" (SKOSIMP*) (("1" (INST? 
-) (("1" (EXPAND "SpecInv") (("1" (EXPAND "freeHeadROBempty") (("1" (NEW-SPLIT-IF) (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -35) (("1" (EXPAND "occ_buffer") (("1" (SIMP) NIL))))))))) ("2" (SPLIT-ALL) NIL))))))))))) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (INST? -6) (("2" (SPLIT -6) (("1" (SIMP) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (EXPAND "SpecInv" -18) (("1" (EXPAND "ROBpredCorrect") (("1" (SIMP) (("1" (INST? -27) (("1" (SIMP) NIL))))))))))))) ("2" (SIMP) (("2" (SPLIT-IF) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (HIDE -8 -9 -10) (("2" (EXPAND "SpecInv") (("2" (EXPAND "freeHeadROBempty") (("2" (PROPAX) NIL))))))))))))))))))) ("3" (SKOSIMP*) (("3" (HIDE -5 -8) (("3" (INST? -) (("3" (SPLIT-ALL) (("3" (EXPAND "SpecInv" -16) (("3" (EXPAND "busyRAT") (("3" (EXPAND "freeHeadROBempty") (("3" (SIMP) (("3" (INST? -22) (("3" (SIMP) NIL))))))))))))))))))) ("4" (SKOSIMP*) (("4" (INST? -8) (("4" (NEW-SPLIT-IF) (("4" (NEW-SPLIT-IF) (("1" (SKOSIMP*) (("1" (INST? -12) (("1" (SPLIT-ALL) NIL))))) ("2" (HIDE -6 -7) (("2" (EXPAND "SpecInv") (("2" (EXPAND "occRS") (("2" (SIMP) (("2" (INST?) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (SPLIT -12) (("1" (SIMP) (("1" (EXPAND "SpecInv" -22) (("1" (EXPAND " ROBpredCorrect") (("1" (SIMP) (("1" (INST? -31) (("1" (EXPAND "freeHeadROBempty") (("1" (SPLIT +) (("1" (SKOSIMP*) (("1" (INST? -8) (("1" (SIMP) NIL))))) ("2" (REPLACE*) (("2" (SPLIT -10) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SIMP) (("2" (SIMP) (("2" (REPLACE*) (("2" (APPLY-EXTENSIONALITY 3 :HIDE? T) (("2" (NEW-SPLIT-IF) NIL))))))))))))) ("3" (PROPAX) NIL) ("4" (SKOSIMP*) (("4" (INST?) (("4" (SIMP) NIL))))) ("5" (REPLACE*) (("5" (SPLIT -10) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SIMP) (("2" (SIMP) (("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))) ("2" (SIMP) (("2" (SIMP) (("2" (INST? 
-5) (("2" (EXPAND "SpecInv") (("2" (EXPAND "occEqual") (("2" (EXPAND "ROBpredCorrect") (("2" (EXPAND "freeHeadROBempty") (("2" (SIMP) (("2" (HIDE 3) (("2" (SPLIT-IF -) (("1" (INST? -49) (("1" (EXPAND "occ_buffer") (("1" (PROPAX) NIL))))) ("2" (INST? -30) (("2" (SIMP) (("2" (SIMP) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT -3) (("1" (SIMP) (("1" (CASE "not (exists (rRAT : [REG_ID -> RAT_TYPE]): rRAT = RAT_retire(fRAT!1, fROB!1, retire!1 AND head(ROB!1) = head(fROB!1)))") (("1" (INST 1 "RAT_retire(fRAT!1, fROB!1, retire!1 AND head(ROB!1) = head(fROB!1))") NIL) ("2" (CASE "not (exists (rRF : [REG_ID -> RF_TYPE]): rRF = RF_retire(fRF!1, fROB!1, retire!1 AND head(ROB!1) = head(fROB!1)))") (("1" (INST 1 "RF_retire(fRF!1, fROB!1, retire!1 AND head(ROB!1) = head(fROB!1))") NIL) ("2" (CASE "not (exists (rROB : ROB_TYPE): rROB = ROB_retire(fROB!1, retire!1 and head(ROB!1) = head(fROB!1)))") (("1" (INST 1 "ROB_retire(fROB!1, retire!1 AND head(ROB!1) = head(fROB!1))") NIL) ("2" (CASE "not (exists (rRS : [SLOT_ID -> RS_TYPE] ): rRS = RS_retire(fRS!1, fROB!1, retire!1 and head(ROB!1) = head(fROB!1)))") (("1" (INST 1 "RS_retire(fRS!1, fROB!1, retire!1 AND head(ROB!1) = head(fROB!1))") NIL) ("2" (SKOSIMP*) (("2" (INST 6 "fpc!1" "rRS!1" "rRF!1" "rROB!1" "rRAT!1" "if retire!1 and head(ROB!1) = head(fROB!1) then fnuminst!1 +1 else fnuminst!1 endif" "false" "false") (("2" (CASE "not rho_retire(fpc!1, fRF!1, fRS!1, fRAT!1, fROB!1, fnuminst!1, fpc!1, rRF!1, rRS!1, rRAT!1, rROB!1, IF retire!1 AND head(ROB!1) = head(fROB!1) THEN fnuminst!1 + 1 ELSE fnuminst!1 ENDIF)") (("1" (HIDE 7) (("1" (EXPAND "rho_retire") (("1" (INST 1 "retire!1") (("1" (SIMP) (("1" (EXPAND "can_retire") (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -16) (("1" (INST? -34) (("1" (SIMP) (("1" (EXPAND "refMap") (("1" (INST? -33) (("1" (SIMP) (("1" (INST? - :COPY? 
T) (("1" (SIMP) (("1" (SPLIT-IF -16) (("1" (SPLIT 3) (("1" (SIMP) (("1" (REPLACE*) (("1" (APPLY (THEN (SPLIT 2) (EXP-TRANS +) (SIMP))) NIL))))) ("2" (SIMP) NIL))) ("2" (EXPAND "freeHeadROBempty") (("2" (SIMP) (("2" (INST -16 "succ(head(ROB!1))") (("2" (INST -43 "succ(head(ROB!1))") (("2" (SIMP) (("2" (EXPAND "headTailEq") (("2" (SIMP) (("2" (CASE "wrap(ROB!1)") (("1" (SIMP) (("1" (INST -26 "succ(head(ROB!1))") (("1" (SIMP) (("1" (EXPAND "succ" -17) (("1" (NEW-SPLIT-IF -17) NIL))))))))) ("2" (SIMP) (("2" (INST? -26) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (SPLIT 6) (("1" (PROPAX) NIL) ("2" (EXPAND "refMap") (("2" (CASE "not (NOT (tail(rROB!1) = head(rROB!1) AND wrap(rROB!1)) AND tail(ROB_p!1) = tail(rROB!1) AND (head(rROB!1) = head(ROB_p!1) OR (head(rROB!1) = succ(head(ROB_p!1)) AND tail(ROB_p!1) = head(ROB_p!1) AND wrap(ROB_p!1)))) ") (("1" (HIDE 2) (("1" (REPLACE*) (("1" (HIDE -1) (("1" (SIMP) (("1" (EXP-TRANS +) (("1" (EXPAND "succ") (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (SPLIT-IF) NIL))))))))))))))))) ("2" (APPLY (THEN (SPLIT 1) (SIMP))) (("1" (SKOSIMP*) (("1" (REP-PLUS) (("1" (EXP-TRANS +) (("1" (INST? -19) (("1" (NEW-SPLIT-IF) (("1" (HIDE -1 -2 -3 -4 -5 -6 -7 -8 -9 -10 -11 -12 -13) (("1" (APPLY (THEN (SPLIT +) (SIMP))) (("1" (NEW-SPLIT-IF -) NIL))))))))))))))) ("2" (REP-PLUS) (("2" (EXP-TRANS +) (("2" (SIMP) (("2" (SPLIT +) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (INST? -20) (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -27) (("1" (SIMP) (("1" (INST? -44) (("1" (EXPAND "occ_buffer") (("1" (SPLIT -20) (("1" (NEW-SPLIT-IF) NIL) ("2" (SIMP) (("2" (NEW-SPLIT-IF 12) (("2" (REVEAL -1 -2 -3) (("2" (INST -3 "succ(head(ROB!1))") (("2" (INST -47 "succ(head(ROB!1))") (("2" (INST? -) (("2" (SIMP) (("2" (INST? 
-) (("2" (CASE "oc(robe(ROB!1)(succ(head(ROB!1))))") (("1" (SIMP) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF) NIL))))) ("2" (EXPAND "freeHeadROBempty") (("2" (EXPAND "headTailEq") (("2" (SIMP) (("2" (INST? -30) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INST? -22) (("2" (SPLIT-ALL) NIL))))))))))))) ("3" (HIDE 2) (("3" (REPLACE*) (("3" (SIMP) (("3" (EXP-TRANS (-2 -3)) NIL))))))) ("4" (SKOSIMP*) (("4" (REP-PLUS) (("4" (INST? -23) (("4" (EXP-TRANS +) (("4" (NEW-SPLIT-IF) (("1" (HIDE -11 -12 -13 -14) (("1" (SKOSIMP*) (("1" (INST? -23) (("1" (SPLIT-ALL) NIL))))))) ("2" (HIDE -4 -10 -11 -12 -13 -14) (("2" (EXPAND "SpecInv") (("2" (EXPAND "headTailEq") (("2" (INST -14 "succ(head(ROB!1))") (("2" (SIMP) (("2" (INST -24 "succ(head(ROB!1))") (("2" (INST -40 "succ(head(ROB!1))") (("2" (SIMP) (("2" (EXPAND "succ") (("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (CASE "not (exists (rRF : [REG_ID -> RF_TYPE]): rRF = RF_flush(fRF!1, fROB!1))") (("1" (INST 1 "RF_flush(fRF!1, fROB!1)") NIL) ("2" (CASE "not (exists (rRAT : [REG_ID -> RAT_TYPE]): rRAT = RAT_flush)") (("1" (INST 1 "RAT_flush") NIL) ("2" (CASE "not (exists (rROB :ROB_TYPE): rROB = ROB_flush(fROB!1))") (("1" (INST 1 "ROB_flush(fROB!1)") NIL) ("2" (CASE "not (exists (rpc : PC_RANGE) : rpc = pc_flush(fROB!1))") (("1" (INST 1 "pc_flush(fROB!1)") NIL) ("2" (CASE "not (exists (rRS : [SLOT_ID -> RS_TYPE]): rRS = RS_flush(fRS!1))") (("1" (INST 1 "RS_flush(fRS!1)") NIL) ("2" (SKOSIMP*) (("2" (INST 4 "rpc!1" "rRS!1" "rRF!1" "rROB!1" "rRAT!1" "fnuminst!1 + 1" "false" "false") (("2" (SPLIT 4) (("1" (EXPAND "rho_retire") (("1" (INST 1 "true") (("1" (EXPAND "can_retire") (("1" (HIDE -8 -9 -10 -11) (("1" (EXPAND "refMap") (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (SIMP) (("1" (INST? -21) (("1" (INST? -) (("1" (HIDE -8 -9) (("1" (SIMP) (("1" (SPLIT -12) (("1" (SIMP) (("1" (INST? 
-47) (("1" (SIMP) (("1" (SPLIT +) (("1" (SIMP) (("1" (HIDE 3) (("1" (SIMP) NIL))))) ("2" (SIMP) (("2" (REPLACE*) (("2" (APPLY (THEN (SPLIT +) (EXP-TRANS +) (SIMP))) NIL))))))))))))) ("2" (SIMP) (("2" (INST? -36) (("2" (SIMP) (("2" (EXPAND "occ_buffer") (("2" (NEW-SPLIT-IF -) (("2" (EXPAND "wrapWraps") (("2" (EXPAND "headTailEq") (("2" (INST -34 "succ(head(ROB!1))") (("2" (SIMP) (("2" (REVEAL -5) (("2" (INST -1 "succ(head(ROB!1))") (("2" (INST? -20) (("2" (SIMP) (("2" (EXPAND "succ") (("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (EXPAND "refMap") (("2" (REPLACE*) (("2" (SIMP) (("2" (EXP-TRANS +) (("2" (INST? -) (("2" (EXPAND "SpecInv") (("2" (EXPAND "occEqual") (("2" (SIMP) (("2" (INST? -25) (("2" (SIMP) (("2" (SPLIT -18) (("1" (SIMP) (("1" (NEW-SPLIT-IF) NIL))) ("2" (SIMP) (("2" (HIDE 4) (("2" (EXPAND "freeHeadROBempty") (("2" (EXPAND "headTailEq") (("2" (SIMP) (("2" (INST -46 "succ(head(ROB!1))") (("2" (CASE "wrap(ROB!1)") (("1" (SIMP) (("1" (REVEAL -3) (("1" (INST -1 "succ(head(ROB!1))") (("1" (SIMP) (("1" (INST? -29) (("1" (SIMP) (("1" (EXPAND "succ") (("1" (NEW-SPLIT-IF -) NIL))))))))))))))) ("2" (SIMP) (("2" (INST? 
-28) NIL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) $$$Ref3.pvs Ref3[R, U, Z: posnat, (IMPORTING more_nat_types[1]) B: greater_one_nat]: THEORY % The three theories Ref1, Ref2 and Ref3 prove that DES_s(B'+1) refines DES_f(B'+1) % In this file we the proof is completed by showing that R1, R2, R3 and R4 hold % The variables of DES_f are prefixed with "f", "e", "w", "r" or "i" BEGIN IMPORTING Ref2[R, U, Z, B] RF, fRF, rRF, RF_p, fRF_p, iRF, wRF: VAR [REG_ID -> RF_TYPE] RAT, fRAT, rRAT, RAT_p, fRAT_p, iRAT, wRAT: VAR [REG_ID -> RAT_TYPE] ROB, fROB, bROB, wROB, rROB, ROB_p, fROB_p, iROB: VAR ROB_TYPE RS, fRS, bRS, eRS, wRS, rRS, RS_p, fRS_p, iRS: VAR [SLOT_ID -> RS_TYPE] pc, fpc, rpc, pc_p, fpc_p, ipc, wpc: VAR posnat numinst, fnuminst, numinst_p, fnuminst_p, rnuminst, wnuminst: VAR nat FU, FUexec: VAR FU_ID S: VAR SLOT_ID Sn, Siex: VAR upto[Z] r: VAR REG_ID rb: VAR ROB_ID retire, flushInt, flushBr, flushInt_p, flushBr_p: VAR boolean stutter, stutter_p: VAR upto[2] res, fres, res_p, fres_p, bres, eres, wres: VAR [FU_ID -> result_TYPE] rho_a(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p): bool = (rho_issue(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p) OR rho_writeb(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p) OR rho_retire(fpc, fRF, fRS, fRAT, fROB, fnuminst, fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p)) and NOT (tail(fROB_p) = head(fROB_p) AND wrap(fROB_p)) rho_c(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p): bool = rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) OR rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p) OR rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) rho_c_stutter(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p, 
stutter, stutter_p): bool =
  % rho_c_stutter (its parameter list starts on the previous line): the
  % concrete transition relation extended with a stutter counter; stutter and
  % stutter_p are declared as upto[2].
  %   stutter > 0 : the counter is decremented and pc, RF, RS, RAT, ROB and
  %                 numinst are all left unchanged.
  %   stutter = 0 : one of issue / write-back / retire is taken. After an
  %                 issue step the counter becomes 2 exactly when head = tail
  %                 holds for ROB_p but not for ROB, otherwise 0; write-back
  %                 and retire always leave it at 0.
  IF stutter > 0
    THEN stutter_p = stutter - 1 AND pc_p = pc AND RF_p = RF AND RS_p = RS AND
         RAT_p = RAT AND ROB_p = ROB AND numinst_p = numinst
  ELSE (rho_issue(pc, RF, RS, RAT, ROB, numinst,
                  pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
        stutter_p = IF head(ROB_p) = tail(ROB_p) AND head(ROB) /= tail(ROB)
                      THEN 2 ELSE 0 ENDIF) OR
       (rho_writeb(pc, RF, RS, RAT, ROB, numinst,
                   pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p) AND
        stutter_p = 0) OR
       (rho_retire(pc, RF, RS, RAT, ROB, numinst,
                   pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
        stutter_p = 0)
  ENDIF

% If the two states are related by refMap (final argument FALSE), both satisfy
% SpecInv, and the stutter counter is not 2, then the concrete observation OC
% equals the abstract observation OA. The case stutter = 2 is excluded by
% hypothesis and is not covered by this lemma.
refMapImpliesObsEqual: LEMMA
  refMap(pc, RF, RS, RAT, ROB, numinst,
         fpc, fRF, fRS, fRAT, fROB, fnuminst, flushInt, flushBr, FALSE) AND
  SpecInv(RF, RS, RAT, ROB, numinst) AND
  SpecInv(fRF, fRS, fRAT, fROB, fnuminst) AND
  stutter /= 2
  IMPLIES
  OC(pc, RF, RS, RAT, ROB, numinst, stutter) =
  OA(fpc, fRF, fRS, fRAT, fROB, fnuminst)

% alpha: the relation between a concrete state (unprefixed variables, plus the
% stutter counter) and an abstract state (f-prefixed variables). Both states
% must satisfy SpecInv, and refMapStutter must hold for some choice of
% flushInt and flushBr.
% NOTE(review): refMapStutter, SpecInv, OC and OA are defined outside this
% part of the file; what alpha guarantees depends on those definitions.
alpha(pc, RF, RS, RAT, ROB, numinst,
      fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter): bool =
  SpecInv(RF, RS, RAT, ROB, numinst) AND
  SpecInv(fRF, fRS, fRAT, fROB, fnuminst) AND
  (EXISTS flushInt, flushBr:
    refMapStutter(pc, RF, RS, RAT, ROB, numinst,
                  fpc, fRF, fRS, fRAT, fROB, fnuminst,
                  flushInt, flushBr, FALSE, stutter))

% rho_a_star: an abstract step rho_a whose post-state is alpha-related to the
% given concrete post-state. Because alpha on the post-states is a conjunct
% here, R2 and R3 below follow directly from this definition.
rho_a_star(fpc, fRF, fRS, fRAT, fROB, fnuminst,
           fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p,
           pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, stutter_p): bool =
  rho_a(fpc, fRF, fRS, fRAT, fROB, fnuminst,
        fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p) AND
  alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p,
        fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, stutter_p)

% Simulation step: from refMapStutter-related states that both satisfy
% SpecInv, every rho_c_stutter step is matched by some rho_a step whose
% post-state is again refMapStutter-related for some flushInt, flushBr.
% This lemma says nothing about SpecInv of the post-states.
existsRho_a: LEMMA
  refMapStutter(pc, RF, RS, RAT, ROB, numinst,
                fpc, fRF, fRS, fRAT, fROB, fnuminst,
                flushInt, flushBr, FALSE, stutter) AND
  SpecInv(RF, RS, RAT, ROB, numinst) AND
  SpecInv(fRF, fRS, fRAT, fROB, fnuminst) AND
  rho_c_stutter(pc, RF, RS, RAT, ROB, numinst,
                pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
                stutter, stutter_p)
  IMPLIES
  (EXISTS (fpc_p, fRS_p, fRF_p, fROB_p, fRAT_p,
fnuminst_p, fres_p):
    rho_a(fpc, fRF, fRS, fRAT, fROB, fnuminst,
          fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p) AND
    (EXISTS (flushInt, flushBr):
      refMapStutter(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p,
                    fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p,
                    flushInt, flushBr, FALSE, stutter_p)))

% R1: every concrete (stuttering) step out of an alpha-related pair of states
% has a matching rho_a_star step. Of R1, R2 and R3 this is the only one that
% does not follow directly from the definition of rho_a_star.
R1: LEMMA
  alpha(pc, RF, RS, RAT, ROB, numinst,
        fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter) AND
  rho_c_stutter(pc, RF, RS, RAT, ROB, numinst,
                pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
                stutter, stutter_p)
  IMPLIES
  (EXISTS (fpc_p, fRS_p, fRF_p, fROB_p, fRAT_p, fnuminst_p, fres_p):
    rho_a_star(fpc, fRF, fRS, fRAT, fROB, fnuminst,
               fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, stutter_p))

% R2: a rho_a_star step is in particular a rho_a step (first conjunct of
% rho_a_star).
R2: LEMMA
  rho_a_star(fpc, fRF, fRS, fRAT, fROB, fnuminst,
             fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p,
             pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, stutter_p)
  IMPLIES
  rho_a(fpc, fRF, fRS, fRAT, fROB, fnuminst,
        fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p)

% Theta_stutter: the predicate Theta on the concrete state together with a
% zero stutter counter.
Theta_stutter(pc, RF, RS, RAT, ROB, numinst, stutter): bool =
  Theta(pc, RF, RS, RAT, ROB, numinst) AND stutter = 0

% R3_theta: a concrete state satisfying Theta_stutter and an abstract state
% satisfying Theta are alpha-related.
R3_theta: LEMMA
  Theta_stutter(pc, RF, RS, RAT, ROB, numinst, stutter) AND
  Theta(fpc, fRF, fRS, fRAT, fROB, fnuminst)
  IMPLIES
  alpha(pc, RF, RS, RAT, ROB, numinst,
        fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter)

% R3: alpha holds of the post-states after matched steps. The conclusion is
% the second conjunct of the rho_a_star hypothesis.
R3: LEMMA
  alpha(pc, RF, RS, RAT, ROB, numinst,
        fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter) AND
  rho_c_stutter(pc, RF, RS, RAT, ROB, numinst,
                pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p,
                stutter, stutter_p) AND
  rho_a_star(fpc, fRF, fRS, fRAT, fROB, fnuminst,
             fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, fres_p,
             pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, stutter_p)
  IMPLIES
  alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p,
        fpc_p, fRF_p, fRS_p, fRAT_p, fROB_p, fnuminst_p, stutter_p)

% R4: alpha-related states have equal observations (OC = OA). The refinement
% result is stated only in terms of OC and OA; anything those functions do not
% observe is outside what these lemmas establish.
R4: LEMMA
  alpha(pc, RF, RS, RAT, ROB, numinst,
        fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter)
  IMPLIES
  OC(pc, RF, RS, RAT, ROB, numinst, stutter) = OA(fpc, fRF,
fRS, fRAT, fROB, fnuminst) R4a: LEMMA alpha(pc, RF, RS, RAT, ROB, numinst, fpc, fRF, fRS, fRAT, fROB, fnuminst, stutter) IMPLIES ((EXISTS rb: NOT oc(robe(ROB)(rb))) IMPLIES RF = fRF) END Ref3 $$$Ref3.prf (|Ref3| (|refMapImpliesObsEqual| "" (SKOSIMP*) (("" (EXPAND "refMap") (("" (EXPAND "OC") (("" (EXPAND "OA") (("" (SIMP) (("" (SPLIT -) (("1" (SIMP) (("1" (APPLY-EXTENSIONALITY 4 :HIDE? T) (("1" (SPLIT -10) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (APPLY-EXTENSIONALITY 3 :HIDE? T) (("2" (NEW-SPLIT-IF) NIL))))))))))) ("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("1" (REDUCE-IF) (("1" (INST?) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) NIL))))))))))) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (NEW-SPLIT-IF) (("1" (REDUCE-IF) (("1" (INST?) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (SIMP) (("1" (HIDE -12) (("1" (INST?) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (EXPAND "SpecInv") (("1" (EXPAND "occTailROBfull") (("1" (SIMP) NIL))))))))))))))))))))))) ("2" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("2" (HIDE -8) (("2" (SPLIT -7) (("1" (SIMP) (("1" (INST? -10) (("1" (SIMP) (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (EXPAND "headTailEq") (("1" (SIMP) (("1" (INST? -13) (("1" (SIMP) (("1" (REDUCE-IF) (("1" (EXPAND "occTailROBfull") (("1" (PROPAX) NIL))))))))))))))))))))))) ("2" (SIMP) (("2" (INST?) (("2" (SIMP) (("2" (REDUCE-IF) (("2" (INST?) (("2" (SIMP) (("2" (REDUCE-IF) (("2" (EXPAND "SpecInv") (("2" (EXPAND "headTailEq") (("2" (SIMP) (("2" (INST?) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|existsRho_a| "" (SKOSIMP*) (("" (HIDE -1 -2 -3 -4) (("" (REVEAL -1 -2 -3 -4) (("" (EXPAND "rho_c_stutter") (("" (SPLIT -) (("1" (EXPAND "refMapStutter") (("1" (EXPAND "rho_a") (("1" (SIMP) (("1" (SPLIT -) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST?) 
(("1" (INST 1 "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #)) ") (("1" (SIMP) (("1" (SPLIT +) (("1" (EXPAND "refMap") (("1" (SIMP) NIL))) ("2" (INST 1 " flushInt!1" "flushBr!1") (("2" (SIMP) (("2" (EXPAND "OC") (("2" (SIMP) (("2" (REPLACE -14 :DIR RL) (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (NEW-SPLIT-IF) (("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))))))) ("2" (SIMP) (("2" (SKOSIMP*) (("2" (INST? +) (("2" (INST 2 "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #))") (("2" (SIMP) (("2" (CASE "(tail(rROB!1) = head(rROB!1) AND wrap(rROB!1))") (("1" (SIMP) (("1" (CLEAN-UP) (("1" (EXPAND "rho_retire") (("1" (SKOSIMP*) (("1" (EXPAND "refMap") (("1" (CASE "rflushInt!1 OR rflushBr!1") (("1" (SIMP) (("1" (SPLIT -8) (("1" (SIMP) (("1" (EXPAND "rho_issue") (("1" (SKOSIMP*) (("1" (REPLACE -18) (("1" (SIMP) NIL))))))))) ("2" (SIMP) NIL))))) ("2" (EXPAND "rho_issue") (("2" (SIMP) (("2" (SKOSIMP*) (("2" (REPLACE -9) (("2" (SIMP) (("2" (REDUCE-IF) (("2" (SIMP) (("2" (SPLIT-IF-SIMP 5) (("2" (CASE "retire!1") (("1" (SIMP) (("1" (REPLACE -7) (("1" (SIMP) (("1" (EXPAND "dispatch") (("1" (SIMP) NIL))))))))) ("2" (EXPAND "dispatch") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))) ("2" (SPLIT 3) (("1" (PROPAX) NIL) ("2" (INST 1 "rflushInt!1" "rflushBr!1") (("2" (CASE "not ((EXISTS (ipc: posnat, iRS: [SLOT_ID[R, U, Z, B] -> RS_TYPE[R, U, Z, B]], iRAT: [REG_ID[R] -> RAT_TYPE[R, U, Z, B]], iROB: ROB_TYPE[R, U, Z, B]): rho_issue(rpc!1, rRF!1, rRS!1, rRAT!1, rROB!1, rnuminst!1, ipc, rRF!1, iRS, iRAT, iROB, rnuminst!1) AND refMap(pc_p!1, RF_p!1, RS_p!1, RAT_p!1, ROB_p!1, numinst_p!1, ipc, rRF!1, iRS, iRAT, iROB, rnuminst!1, rflushInt!1, rflushBr!1, FALSE)))") (("1" (SIMP) (("1" (INST? 
+) (("1" (SIMP) NIL))))) ("2" (SPLIT +) (("1" (PROPAX) NIL) ("2" (SKOSIMP*) (("2" (REPLACE*) (("2" (EXPAND "OC") (("2" (HIDE -1 -2) (("2" (HIDE -1 -2 -3 -4) (("2" (REVEAL -1 -2 -3 -4) (("2" (EXPAND "refMap" -4) (("2" (SIMP) (("2" (SPLIT -4) (("1" (SIMP) (("1" (SPLIT -8) (("1" (SIMP) (("1" (APPLY-EXTENSIONALITY 3 :HIDE? T) NIL))) ("2" (SIMP) NIL))))) ("2" (SIMP) (("2" (SPLIT -4) (("1" (SIMP) (("1" (APPLY-EXTENSIONALITY 4 :HIDE? T) (("1" (NEW-SPLIT-IF) (("1" (INST -8 "head(iROB!1)") (("1" (SIMP) (("1" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("1" (LEMMA "SpecInv_retire") (("1" (INST? :WHERE -12) (("1" (LEMMA "SpecInv_issue") (("1" (INST? :WHERE -15) (("1" (SIMP) (("1" (EXPAND "SpecInv") (("1" (EXPAND "headTailEq") (("1" (FLATTEN) (("1" (INST?) (("1" (SIMP) (("1" (INST? -58) (("1" (SIMP) NIL))))))))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (APPLY-EXTENSIONALITY 5 :HIDE? T) (("2" (INST?) (("2" (CASE " x!1 = t(robe(ROB!1)(head(ROB!1))) AND oc(robe(ROB!1)(head(ROB!1)))") (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (EXPAND "rho_retire") (("1" (SKOSIMP*) (("1" (SPLIT -13) (("1" (SIMP) (("1" (CASE "retire!1") (("1" (SIMP) (("1" (REPLACE -5) (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (INST -17 "tail(iROB!1)") (("1" (SIMP) (("1" (REDUCE-IF) (("1" (REVEAL -5 -7) (("1" (LEMMA "SpecInv_retire") (("1" (INST?) (("1" (LEMMA "SpecInv_issue") (("1" (INST?) (("1" (SIMP) (("1" (EXPAND "SpecInv" -1) (("1" (EXPAND "occTailROBfull") (("1" (PROPAX) NIL))))))))))))))))))))))))))))))) ("2" (SIMP) NIL))))) ("2" (SIMP) (("2" (NEW-SPLIT-IF -3) (("2" (INST -18 "(tail(iROB!1))") (("2" (SIMP) (("2" (REDUCE-IF) (("2" (EXPAND "rho_issue") (("2" (SKOSIMP*) (("2" (CASE "Sn!1 = 0") (("1" (SIMP) NIL) ("2" (SIMP) (("2" (REP-PLUS -1) NIL))))))))))))))))))))))))))) ("2" (APPLY-EXTENSIONALITY 2 :HIDE? T) NIL))))) ("2" (REPLACE 1) (("2" (SIMP) (("2" (NEW-SPLIT-IF) (("2" (EXPAND "SpecInv" -24) (("2" (EXPAND "headTailEq") (("2" (SIMP) (("2" (INST? 
-26) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (EXPAND "rho_a") (("2" (EXPAND "refMapStutter") (("2" (SIMP) (("2" (SPLIT -) (("1" (SIMP) (("1" (NEW-SPLIT-IF -) (("1" (LEMMA "issueMatchFull") (("1" (INST?) (("1" (INST?) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (SIMP) (("1" (INST 4 "fpc!1" "wRS!1" "fRF!1" "wROB!1" "fRAT!1" "fnuminst!1" "fres_p!1") (("1" (SIMP) (("1" (CASE "(tail(wROB!1) = head(wROB!1) AND wrap(wROB!1))") (("1" (SIMP) (("1" (CLEAN-UP) (("1" (EXPAND "refMap") (("1" (PROPAX) NIL))))))) ("2" (EXPAND "rho_writeb") (("2" (SIMP) (("2" (SPLIT 5) (("1" (PROPAX) NIL) ("2" (SIMP) (("2" (INST 1 "rflushInt!1" "rflushBr!1") (("2" (CASE "not wrap(ROB_p!1)") (("1" (SIMP) (("1" (CLEAN-UP) (("1" (EXPAND "rho_issue" -13) (("1" (SKOSIMP*) (("1" (CASE "Sn!1 > 0") (("1" (SIMP) (("1" (EXPAND "dispatch") (("1" (REPLACE -19) (("1" (SIMP) (("1" (EXPAND "SpecInv") (("1" (EXPAND "wrapWraps") (("1" (SIMP) (("1" (REPLACE -54) (("1" (SIMP) (("1" (EXPAND "succ") (("1" (SPLIT-IF-SIMP) NIL))))))))))))))))))))) ("2" (SIMP) NIL))))))))))) ("2" (SIMP) (("2" (EXPAND "OC") (("2" (SPLIT 1) (("1" (INST? +) (("1" (INST? +) (("1" (SIMP) (("1" (CASE "head(ROB!1) = head(ROB_p!1)") (("1" (SIMP) (("1" (SPLIT +) (("1" (SIMP) NIL) ("2" (INST? +) (("2" (SIMP) NIL))))))) ("2" (EXPAND "rho_issue" -14) (("2" (SKOSIMP*) (("2" (REPLACE -22 1) (("2" (SIMP) NIL))))))))))))))) ("2" (EXPAND "rho_issue" -14) (("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))) ("2" (LEMMA "issueMatchNotFull") (("2" (INST?) (("2" (INST?) (("2" (SIMP) (("2" (SPLIT -) (("1" (SKOSIMP*) (("1" (INST 3 "fpc_p!1" "fRS_p!1" "fRF!1" "fROB_p!1" "fRAT_p!1" "fnuminst!1" "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #))") (("1" (SIMP) (("1" (HIDE -2) (("1" (REVEAL -1) (("1" (EXPAND "refMap" -1) (("1" (SIMP) (("1" (SPLIT 4) (("1" (PROPAX) NIL) ("2" (REVEAL -1) (("2" (INST?) (("2" (SIMP) (("2" (LEMMA "refMapImpliesObsEqual") (("2" (INST? 
:WHERE -2) (("2" (INST -1 "0") (("2" (SIMP) (("2" (LEMMA "SpecInv_issue") (("2" (INST?) (("2" (SIMP) (("2" (LEMMA "SpecInv_issue") (("2" (INST? :WHERE -8) (("2" (SIMP) (("2" (EXPAND "OA") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (SIMP) NIL))))))))))))))) ("2" (LEMMA "writebMatch") (("2" (INST?) (("2" (INST?) (("2" (SIMP) (("2" (SKOSIMP*) (("2" (INST? +) (("2" (SIMP) (("2" (HIDE -2) (("2" (REVEAL -1) (("2" (SPLIT +) (("1" (EXPAND "refMap") (("1" (SIMP) NIL))) ("2" (INST?) (("2" (SIMP) (("2" (LEMMA " refMapImpliesObsEqual") (("2" (EXPAND "OA") (("2" (INST?) (("2" (INST -1 "0") (("2" (SIMP) (("2" (LEMMA "SpecInv_writeb") (("2" (INST?) (("2" (SIMP) (("2" (LEMMA "SpecInv_writeb") (("2" (INST? :WHERE -5) (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))) ("3" (LEMMA "retireMatch") (("3" (INST?) (("3" (INST?) (("3" (SIMP) (("3" (SKOSIMP*) (("3" (INST?) (("3" (INST 2 "(lambda FU : (# a:= false, p:= 1, v:= 0, int:= false #))") (("3" (SIMP) (("3" (SPLIT +) (("1" (EXPAND "refMap") (("1" (SIMP) NIL))) ("2" (INST?) (("2" (SIMP) (("2" (LEMMA "refMapImpliesObsEqual") (("2" (INST? :WHERE -3) (("2" (INST -1 "0") (("2" (SIMP) (("2" (LEMMA "SpecInv_retire") (("2" (INST?) (("2" (SIMP) (("2" (LEMMA "SpecInv_retire[R,U,Z,B+1]") (("2" (INST? :WHERE -6) (("2" (SIMP) (("2" (EXPAND "OA") (("2" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (R1 "" (LEMMA " existsRho_a ") (("" (EXPAND "alpha") (("" (EXPAND "rho_a_star") (("" (EXPAND "alpha") (("" (SKOSIMP*) (("" (INST? -) (("" (SIMP) (("" (INST? -) (("" (SIMP) (("" (SKOSIMP*) (("" (INST? +) (("" (SIMP) (("" (SPLIT +) (("1" (EXPAND "rho_c_stutter") (("1" (SPLIT -) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (SPLIT -) (("1" (LEMMA "SpecInv_issue") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (LEMMA "SpecInv_writeb") (("2" (INST?) (("2" (SIMP) NIL))))) ("3" (LEMMA "SpecInv_retire") (("3" (INST?) 
(("3" (SIMP) NIL))))))))))))) ("2" (EXPAND "rho_a") (("2" (SIMP) (("2" (SPLIT -) (("1" (LEMMA "SpecInv_issue") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (LEMMA "SpecInv_writeb") (("2" (INST?) (("2" (SIMP) NIL))))) ("3" (LEMMA "SpecInv_retire") (("3" (INST?) (("3" (SIMP) NIL))))))))))) ("3" (INST? +) NIL))))))))))))))))))))))))))) (R2 "" (EXPAND "rho_a_star") (("" (SKOSIMP*) NIL))) (|R3_theta| "" (SKOSIMP*) (("" (EXPAND "Theta_stutter") (("" (EXPAND "alpha") (("" (LEMMA "SpecInv_theta") (("" (INST?) (("" (SIMP) (("" (LEMMA "SpecInv_theta") (("" (INST? :WHERE +) (("" (INST?) (("" (SIMP) (("" (EXPAND "refMapStutter") (("" (EXPAND "refMap") (("" (EXPAND "Theta") (("" (INST 1 "false" "false") (("" (SIMP) (("" (EXPAND "OC") (("" (SPLIT +) (("1" (SIMP) (("1" (APPLY (THEN (SPLIT +) (SKOSIMP*) (SIMP))) (("1" (INST? -6) (("1" (INST? -13) (("1" (SIMP) NIL))))))))) ("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (INST?) (("2" (INST? -13) (("2" (SIMP) NIL))))))) ("3" (SKOSIMP*) (("3" (INST?) (("3" (INST? -13) (("3" (SIMP) NIL))))))) ("4" (SKOSIMP*) (("4" (INST? -9) (("4" (INST? -16) (("4" (SIMP) NIL))))))) ("5" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("5" (INST?) (("5" (INST? -13) (("5" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))) (R3 "" (SKOSIMP*) (("" (EXPAND "rho_a_star") (("" (SIMP) NIL))))) (R4 "" (EXPAND "alpha") (("" (EXPAND "refMapStutter") (("" (SKOSIMP*) (("" (EXPAND "OA") (("" (PROPAX) NIL))))))))) (|R4a| "" (SKOSIMP*) (("" (EXPAND "alpha") (("" (SKOSIMP*) (("" (EXPAND "SpecInv" -1) (("" (EXPAND "headTailEq") (("" (SIMP) (("" (CASE "head(ROB!1) = tail(ROB!1) AND wrap(ROB!1)") (("1" (SIMP) (("1" (INST?) 
NIL))) ("2" (EXPAND "refMapStutter") (("2" (FLATTEN) (("2" (EXPAND "refMap") (("2" (SPLIT -19) (("1" (SIMP) (("1" (SPLIT -2) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (SPLIT -) (("1" (SIMP) NIL) ("2" (SIMP) NIL))))))))) ("2" (SIMP) NIL)))))))))))))))))))))))) $$$SpecDefsOneBuff.pvs SpecDefsOneBuff[R, U, Z: posnat]: THEORY % Properties that, in addition to those of SpecDefs, are invariants of the % Speculative machine with one retirement buffer, are defined here BEGIN IMPORTING SpecDefs[R, U, Z, 1] RF, RF_p: VAR [REG_ID -> RF_TYPE] RAT, RAT_p: VAR [REG_ID -> RAT_TYPE] ROB, ROB_p: VAR ROB_TYPE RS, RS_p: VAR [SLOT_ID -> RS_TYPE] res, res_p: VAR [FU_ID -> result_TYPE] pc, pc_p: VAR posnat numinst, numinst_p: VAR nat FU: VAR FU_ID S, S2: VAR SLOT_ID r: VAR REG_ID rb: VAR ROB_ID headROBEcorrectVal(RF, ROB, numinst): boolean = (oc(robe(ROB)(head(ROB))) AND NOT b(robe(ROB)(head(ROB)))) IMPLIES IF type_op(op(robe(ROB)(head(ROB)))) /= BRANCH THEN v(robe(ROB)(head(ROB))) = do_op(op(robe(ROB)(head(ROB))), v(RF(src(prog(pc(robe(ROB)(head(ROB)))))(1))), v(RF(src(prog(pc(robe(ROB)(head(ROB)))))(2)))) ELSE v(robe(ROB)(head(ROB))) = IF branch_act(pc(robe(ROB)(head(ROB))), issuedBefore(numinst, ROB, head(ROB)) + 1) THEN 1 ELSE 0 ENDIF ENDIF AND (int(robe(ROB)(head(ROB))) = int_interrupt(pc(robe(ROB)(head(ROB))), issuedBefore(numinst, ROB, head(ROB)) + 1)) robeMatchesProgBr(RF, ROB, pc, numinst): boolean = oc(robe(ROB)(head(ROB))) IMPLIES op(robe(ROB)(head(ROB))) = op(prog(pc(robe(ROB)(head(ROB))))) AND br_pred(robe(ROB)(head(ROB))) = branch_pred(pc(robe(ROB)(head(ROB))), issuedBefore(numinst, ROB, head(ROB)) + 1) AND t(robe(ROB)(head(ROB))) = t(prog(pc(robe(ROB)(head(ROB))))) AND br_targ(robe(ROB)(head(ROB))) = br_target(prog(pc(robe(ROB)(head(ROB))))) AND pv(robe(ROB)(head(ROB))) = IF type_op(op(robe(ROB)(head(ROB)))) = BRANCH THEN IF branch_act(pc(robe(ROB)(head(ROB))), issuedBefore(numinst, ROB, head(ROB)) + 1) THEN 1 ELSE 0 ENDIF ELSE do_op(op(robe(ROB)(head(ROB))), 
v(RF(src(prog(pc(robe(ROB)(head(ROB)))))(1))),
v(RF(src(prog(pc(robe(ROB)(head(ROB)))))(2))))
ENDIF
  % Final conjunct of robeMatchesProgBr: the machine pc equals the branch
  % target recorded in the head ROB entry when that entry is a BRANCH with
  % br_pred set, and otherwise equals the head entry's pc + 1.
  AND IF type_op(op(robe(ROB)(head(ROB)))) = BRANCH AND
         br_pred(robe(ROB)(head(ROB)))
        THEN pc = br_targ(robe(ROB)(head(ROB)))
      ELSE pc = pc(robe(ROB)(head(ROB))) + 1
      ENDIF

END SpecDefsOneBuff

$$$SpecDefsOneBuff.prf
(|SpecDefsOneBuff|
 (|headROBEcorrectVal_TCC1| "" (SUBTYPE-TCC) NIL)
 (|headROBEcorrectVal_TCC2| "" (SUBTYPE-TCC) NIL)
 (|robeMatchesProgBr_TCC1| "" (SUBTYPE-TCC) NIL)
 (|robeMatchesProgBr_TCC2| "" (SUBTYPE-TCC) NIL))

$$$SpecInvsOneBuff.pvs
SpecInvsOneBuff[R, U, Z: posnat]: THEORY

% The properties defined in SpecDefsOneBuff are proved invariant of DES(1).
% SpecDefsOneBuff and SpecInv are both imported with the last parameter of
% SpecInv fixed to 1.
% Each lemma below has the form: one transition (rho_issue, rho_writeb or
% rho_retire) together with the property on the pre-state implies the property
% on the post-state. Some cases need extra hypotheses, noted per lemma.

BEGIN

  IMPORTING SpecDefsOneBuff[R, U, Z], SpecInv[R, U, Z, 1]

  RF, RF_p: VAR [REG_ID -> RF_TYPE]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, ROB_p: VAR ROB_TYPE
  RS, RS_p: VAR [SLOT_ID -> RS_TYPE]
  res, res_p: VAR [FU_ID -> result_TYPE]
  pc, pc_p: VAR posnat
  numinst, numinst_p: VAR nat

  % robeMatchesProgBr is preserved by issue; this case also assumes SpecInv
  % on the pre-state.
  robeMatchesProgBr_issue: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst,
              pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    robeMatchesProgBr(RF, ROB, pc, numinst) AND
    SpecInv(RF, RS, RAT, ROB, numinst)
    IMPLIES
    robeMatchesProgBr(RF_p, ROB_p, pc_p, numinst_p)

  % robeMatchesProgBr is preserved by write-back, for any result vector res.
  robeMatchesProgBr_writeb: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND
    robeMatchesProgBr(RF, ROB, pc, numinst)
    IMPLIES
    robeMatchesProgBr(RF_p, ROB_p, pc_p, numinst_p)

  % robeMatchesProgBr is preserved by retire.
  robeMatchesProgBr_retire: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    robeMatchesProgBr(RF, ROB, pc, numinst)
    IMPLIES
    robeMatchesProgBr(RF_p, ROB_p, pc_p, numinst_p)

  % headROBEcorrectVal is preserved by issue, with no further hypotheses.
  headROBEcorrectVal_issue: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst,
              pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    headROBEcorrectVal(RF, ROB, numinst)
    IMPLIES
    headROBEcorrectVal(RF_p, ROB_p, numinst_p)

  % headROBEcorrectVal is preserved by write-back. The statement continues on
  % the next line, where SpecInv and robeMatchesProgBr on the pre-state are
  % added as hypotheses.
  headROBEcorrectVal_writeb: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst,
               pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND
    headROBEcorrectVal(RF,
ROB, numinst) AND SpecInv(RF, RS, RAT, ROB, numinst) AND robeMatchesProgBr(RF, ROB, pc, numinst) IMPLIES headROBEcorrectVal(RF_p, ROB_p, numinst_p) headROBEcorrectVal_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND headROBEcorrectVal(RF, ROB, numinst) IMPLIES headROBEcorrectVal(RF_p, ROB_p, numinst_p) SpecInvOneBuff(RF, RS, RAT, ROB, pc, numinst): bool = SpecInv(RF, RS, RAT, ROB, numinst) AND headROBEcorrectVal(RF, ROB, numinst) AND robeMatchesProgBr(RF, ROB, pc, numinst) SpecInvOneBuff_theta: LEMMA Theta(pc, RF, RS, RAT, ROB, numinst) IMPLIES SpecInvOneBuff(RF, RS, RAT, ROB, pc, numinst) SpecInvOneBuff_rho: LEMMA (rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) OR (EXISTS res: rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res)) OR rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)) AND SpecInvOneBuff(RF, RS, RAT, ROB, pc, numinst) IMPLIES SpecInvOneBuff(RF_p, RS_p, RAT_p, ROB_p, pc_p, numinst_p) END SpecInvsOneBuff $$$SpecInvsOneBuff.prf (|SpecInvsOneBuff| (|robeMatchesProgBr_issue| "" (EXP-INV-ISSUE) (("" (NEW-SPLIT-IF) (("1" (SPLIT-ALL -) NIL) ("2" (EXPAND "SpecInv") (("2" (EXPAND "busyRAT") (("2" (SIMP) (("2" (INST-CP -10 "src(prog(pc!1))(1)") (("2" (INST -10 "src(prog(pc!1))(2)") (("2" (EXPAND " headTailEq") (("2" (INST-CP -6 "al(RAT!1(src(prog(pc!1))(2)))") (("2" (INST -6 "al(RAT!1(src(prog(pc!1))(1)))") (("2" (SPLIT-ALL) NIL))))))))))))))))))))) (|robeMatchesProgBr_writeb| "" (EXP-INV-WRITEB) (("" (SPLIT-ALL) NIL))) (|robeMatchesProgBr_retire| "" (EXP-INV-RETIRE) (("" (SPLIT-ALL -) NIL))) (|headROBEcorrectVal_issue| "" (EXP-INV-ISSUE) (("" (SPLIT-ALL) NIL))) (|headROBEcorrectVal_writeb| "" (SKOSIMP*) (("" (LEMMA "writeb_prop") (("" (INST?) (("" (EXPAND "SpecInv") (("" (SIMP) (("" (EXPAND "rho_writeb") (("" (SKOSIMP*) (("" (REPLACE -7 :HIDE? T) (("" (REPLACE -7 :HIDE? T) (("" (REPLACE -3 :HIDE? 
T) (("" (HIDE -2 -5 - 6) (("" (EXPAND "headROBEcorrectVal") (("" (EXP-BUFF) (("" (EXPAND "occEqual") (("" (HIDE -4) (("" (SIMP) (("" (INST? -6) (("" (SIMP) (("" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (HIDE -1 -2) (("1" (REVEAL -1 -2) (("1" (REVEAL -1 -2) (("1" (REPLACE -7 (-3 -4) :HIDE? T) (("1" (SIMP) (("1" (INST?) (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "enabled") (("1" (NEW-SPLIT-IF -) (("1" (EXPAND "wb_prop") (("1" (EXPAND "chosenFUunique") (("1" (SIMP) (("1" (HIDE -1) (("1" (INST?) (("1" (REPLACE*) (("1" (REPLACE*) (("1" (CASE "type_op(op(robe(ROB!1)(head(ROB!1)))) = BRANCH") (("1" (SIMP) (("1" (EXPAND "resPredCorrect") (("1" (INST?) (("1" (EXPAND "predEqualDoOp") (("1" (INST? -27) (("1" (SIMP) (("1" (EXP-BUFF) (("1" (EXPAND "activeRes") (("1" (REPLACE -10) (("1" (SIMP) (("1" (EXPAND "ROBslotMatchRS") (("1" (SIMP) (("1" (INST? -26) (("1" (INST? -27) (("1" (SIMP) (("1" (SIMP) (("1" (EXPAND "robeMatchesProgBr") (("1" (NEW-SPLIT-IF) (("1" (REDUCE-IF) (("1" (REDUCE-IF) (("1" (EXP-BUFF) NIL))))) ("2" (EXP-BUFF) NIL))))))))))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (EXPAND "resPredCorrect") (("2" (INST?) (("2" (EXPAND "predEqualDoOp") (("2" (INST? -26) (("2" (SIMP) (("2" (EXPAND "ROBslotMatchRS") (("2" (SIMP) (("2" (INST? -25) (("2" (INST? -26) (("2" (SIMP) (("2" (SIMP) (("2" (EXP-BUFF) (("2" (SIMP) (("2" (REPLACE*) (("2" (REPLACE*) (("2" (EXPAND "robeMatchesProgBr") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (INSTBEST +) NIL))))))))))))))))))))) ("2" (REPLACE 1) (("2" (HIDE -1 -2 -3) (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))))))))))))) (|headROBEcorrectVal_retire| "" (EXP-INV-RETIRE) (("" (SPLIT-ALL -) NIL))) (|SpecInvOneBuff_theta| "" (SKOSIMP*) (("" (LEMMA "SpecInv_theta") (("" (INST?) (("" (EXPAND "SpecInvOneBuff") (("" (EXPAND "headROBEcorrectVal") (("" (EXPAND "robeMatchesProgBr") (("" (SIMP) (("" (EXPAND "Theta") (("" (FLATTEN) (("" (INST? 
-5) (("" (SIMP) NIL))))))))))))))))))))) (|SpecInvOneBuff_rho| "" (SKOSIMP*) (("" (EXPAND "SpecInvOneBuff") (("" (SPLIT -) (("1" (SIMP) (("1" (LEMMA "SpecInv_issue") (("1" (LEMMA "headROBEcorrectVal_issue") (("1" (LEMMA " robeMatchesProgBr_issue") (("1" (INST?) (("1" (INST?) (("1" (INST?) (("1" (SIMP) NIL))))))))))))))) ("2" (LEMMA "headROBEcorrectVal_writeb") (("2" (LEMMA "robeMatchesProgBr_writeb") (("2" (LEMMA "SpecInv_writeb") (("2" (SKOSIMP*) (("2" (INST?) (("2" (INST?) (("2" (INST?) (("2" (SIMP) NIL))))))))))))))) ("3" (SKOSIMP*) (("3" (SIMP) (("3" (LEMMA "SpecInv_retire") (("3" (LEMMA "headROBEcorrectVal_retire") (("3" (LEMMA "robeMatchesProgBr_retire") (("3" (INST?) (("3" (INST?) (("3" (INST?) (("3" (SIMP) NIL))))))))))))))))))))))))
$$$seq.pvs
seq[R: posnat]: THEORY
% Definition of the sequential system.
%
% The state is (pc, reg, numinst).  THETA is the initial condition and rho
% the step relation; all instruction-level functions (prog, do_op, type_op,
% branch_act, int_interrupt, ...) come from def[R].
BEGIN

  IMPORTING more_nat_types, def[R]

  pc, pc_p: VAR PC_RANGE
  reg, reg_p: VAR [REG_ID[R] -> VALUE]
  % NOTE(review): extint is declared here but appears in neither THETA nor
  % rho below.
  delay, extint: VAR bool
  numinst, numinst_p: VAR nat
  r: VAR REG_ID

  % Initial state: pc = 1, numinst = 0 and every register holds 0.
  THETA(pc, reg, numinst): bool =
    (pc = 1 AND numinst = 0 AND (FORALL (r: REG_ID): reg(r) = 0))

  % One step from (pc, reg, numinst) to (pc_p, reg_p, numinst_p).
  % delay is existentially chosen, so a stuttering step is always allowed.
  % Every non-delay step adds 1 to numinst; the index passed to
  % int_interrupt and branch_act is numinst + 1.
  rho(pc, reg, numinst, pc_p, reg_p, numinst_p): bool =
    (EXISTS delay:
       % Stutter: nothing changes.
       IF delay
         THEN numinst_p = numinst AND reg_p = reg AND pc_p = pc
       % Internal interrupt: registers are left unchanged and control goes
       % to Int_interrupt_addr.
       ELSIF int_interrupt(pc, numinst + 1)
         THEN pc_p = Int_interrupt_addr(pc, type_op(op(prog(pc)))) AND
              numinst_p = numinst + 1 AND reg_p = reg
       % Branch: pc follows branch_act, and the register equal to
       % t(prog(pc)) receives 1 (taken) or 0 (not taken).
       ELSIF type_op(op(prog(pc))) = BRANCH
         THEN IF branch_act(pc, numinst + 1)
                THEN pc_p = br_target(prog(pc))
              ELSE pc_p = pc + 1
              ENDIF AND
              numinst_p = numinst + 1 AND
              reg_p = (LAMBDA r: IF r = t(prog(pc))
                                   THEN IF branch_act(pc, numinst + 1) THEN 1 ELSE 0 ENDIF
                                 ELSE reg(r)
                                 ENDIF)
       % Any other instruction: fall through to pc + 1 and write
       % do_op of the two source registers into the target register.
       ELSE pc_p = pc + 1 AND
            numinst_p = numinst + 1 AND
            reg_p = (LAMBDA r: IF r = t(prog(pc))
                                 THEN do_op(op(prog(pc)), reg(src(prog(pc))(1)), reg(src(prog(pc))(2)))
                               ELSE reg(r)
                               ENDIF)
       ENDIF)

END seq
$$$seq.prf
(|seq| (|rho_TCC1| "" (SUBTYPE-TCC) NIL) (|rho_TCC2| "" (SUBTYPE-TCC) NIL))
$$$def.pvs
def[R: posnat]: THEORY
% Definitions used in both Spec and Seq
BEGIN
IMPORTING more_nat_types

  % NOTE(review): upto_nz is not defined in this part of the dump;
  % presumably it comes from more_nat_types and excludes 0 -- confirm there.
  REG_ID: TYPE = upto_nz[R]
  % TARGET is upto[R] while REG_ID is upto_nz[R]; occBuffBusyRAT in SpecDefs
  % guards on t(...) > 0, so a target of 0 is treated specially.
  TARGET: TYPE = upto[R]
  VALUE: TYPE = real
  % OP_TYPE, do_op, type_op, prog, the interrupt functions and the two
  % branch functions below have no defining body in this theory, so anything
  % proved over them holds for every interpretation.  In particular
  % branch_pred (used by Spec.rho_issue) is unconstrained relative to
  % branch_act (the outcome used by seq.rho).
  OP_TYPE: TYPE+
  do_op: [OP_TYPE, VALUE, VALUE -> VALUE]
  TWO: TYPE = upto_nz[2]
  TYPE_OF_OP: TYPE = {BRANCH, ARITH}
  PC_RANGE: TYPE = posnat
  type_op: [OP_TYPE -> TYPE_OF_OP]
  % An instruction names two source registers, indexed by TWO.
  SRC: TYPE = [TWO -> REG_ID]
  INST: TYPE = [# op: OP_TYPE, t: TARGET, br_target: PC_RANGE, src: SRC #]
  INST_INDEX: TYPE = posnat
  prog: [INST_INDEX -> INST]

  % Exclusive or.
  EXOR(b1, b2: bool): bool = (b1 OR b2) AND NOT (b1 AND b2)

  % Both the sequential and the speculative machine call these with a pc and
  % an instruction index (numinst + 1, totalIssued + 1 or issuedBefore + 1).
  int_interrupt: [PC_RANGE, nat -> bool]
  ext_interrupt: [nat -> bool]
  Int_interrupt_addr(pc: PC_RANGE, op: TYPE_OF_OP): PC_RANGE
  Ext_interrupt_addr(pc: PC_RANGE, numinst: nat): PC_RANGE
  branch_pred: [PC_RANGE, nat -> bool]
  branch_act: [PC_RANGE, nat -> bool]

END def
$$$FUdef.pvs
FUdef[R, U: posnat]: THEORY
% Functional-unit identifiers and the status/flag types shared by the
% speculative machine's data structures.
BEGIN

  IMPORTING def[R]

  FU_ID: TYPE = upto_nz[U]
  % Assigns each operation to one functional unit.
  fu_table: FUNCTION[OP_TYPE -> FU_ID]
  % The name BUSY is declared twice: as a type (bool) and, on the next line,
  % as one of the STATUS values.
  BUSY: TYPE = bool
  STATUS : TYPE = {BUSY, WRITE_B, RETIRED}
  OCCUPIED: TYPE = bool
  ACTIVE: TYPE = bool

END FUdef
$$$IOdef.pvs
IOdef[R, U, Z, B: posnat]: THEORY
% Definitions used in Spec
BEGIN

  IMPORTING more_nat_types, FUdef[R,U]

  % Z reservation-station slots and B reorder-buffer entries.
  SLOT_ID: TYPE = upto_nz[Z]
  ROB_ID: TYPE = upto_nz[B]
  % One source operand held in a reservation station: status, the ROB entry
  % p it refers to, its value v and its pv field.
  SRC_RS_TYPE: TYPE = [# st: STATUS, p: ROB_ID, v: VALUE, pv :VALUE #]
  SRC_TYPE: TYPE = [TWO -> SRC_RS_TYPE]
  % Reservation-station slot: occupied flag, its own ROB entry p, the
  % operation and the two source operands.
  RS_TYPE: TYPE = [# oc: OCCUPIED, p: ROB_ID, op: OP_TYPE, ss: SRC_TYPE #]
  RF_TYPE: TYPE = [# v: VALUE #]
  % ROB entry.  Spec.rho_issue fills in op, t, pc, slot, br_pred, br_targ, pv
  % and pv_int; Spec.rho_writeb later clears b and sets v and int.
  % ROBpredCorrect in SpecDefs relates pv to v and pv_int to int.
  ROB_ENTRY_TYPE: TYPE = [# oc: OCCUPIED, b : BUSY, v: VALUE, t: TARGET, op: OP_TYPE, pc: PC_RANGE, br_pred : bool, slot: SLOT_ID, br_targ : PC_RANGE, pv : VALUE, pv_int : bool, int: bool #]
  %, ss: [TWO -> SRC_ROB_TYPE] #]
  % Circular buffer of entries with head and tail indices and a wrap flag.
  ROB_TYPE : TYPE = [# robe : [ROB_ID -> ROB_ENTRY_TYPE], head, tail : ROB_ID, wrap : bool #]
  % head > tail => the ROB has been wrapped.
% wrap is set to 1 when tail goes to first buffer
  % wrap is set to 0 when head goes to first buffer
  % if wrap is set and head = tail then buffer is full

  % Register alias table entry: busy flag and the ROB entry it points to.
  RAT_TYPE: TYPE = [# b: BUSY, al: ROB_ID #]
  % Result of one functional unit: active flag, producing ROB entry, value
  % and interrupt flag.
  result_TYPE: TYPE = [# a: ACTIVE, p: ROB_ID, v: VALUE, int : bool #]

  pc: VAR posnat
  fu: VAR upto[U]
  Sn, S: VAR SLOT_ID
  r: VAR REG_ID
  rb: VAR ROB_ID
  ext_int : VAR bool
  RF: VAR [REG_ID -> RF_TYPE]
  RAT: VAR [REG_ID -> RAT_TYPE]
  ROB: VAR ROB_TYPE
  RS: VAR [SLOT_ID -> RS_TYPE]
  res: VAR [FU_ID -> result_TYPE]

  % Functional unit assigned to the instruction at pc.
  FUn(pc): FU_ID = fu_table(op(prog(pc)))

  % Next and previous index in the ring 1..B.
  succ(rb): ROB_ID = IF (rb < B) THEN rb + 1 ELSE 1 ENDIF

  pred(rb): ROB_ID = IF (rb > 1) THEN rb - 1 ELSE B ENDIF

  % rb lies in the window from head (inclusive) to tail (exclusive).  When
  % tail is not above head the window is only non-empty if wrap is set.
  occ_buffer(rb, ROB): boolean =
    IF (tail(ROB) > head(ROB))
      THEN rb >= head(ROB) AND rb < tail(ROB)
    ELSE (rb < tail(ROB) OR rb >= head(ROB)) AND wrap(ROB)
    ENDIF

  % All four guards are the constant TRUE, so where the transition relations
  % in Spec conjoin them they add no constraint.
  can_issue(ROB): bool = TRUE;

  can_execute(ROB) : bool = TRUE;

  can_writeb(ROB) : bool = TRUE;

  can_retire(ROB) : bool = TRUE;

  % Issue into slot Sn is possible when the ROB is not full
  % (tail = head with wrap set) and the slot is free.
  dispatch(RS, ROB, Sn): bool =
    NOT ((tail(ROB) = head(ROB) AND wrap(ROB))) AND NOT oc(RS(Sn))

  % A slot can execute when it is occupied and neither operand is BUSY.
  enabled(RS, S): bool =
    oc(RS(S)) AND (forall (j:TWO): NOT st(ss(RS(S))(j)) = BUSY)

  % Both entries occupied and distinct, and rb1 is reached before rb2 when
  % walking the ring from head: nothing precedes head, head precedes every
  % other entry, otherwise compare positions relative to head.
  preceed((rb1, rb2: ROB_ID), ROB): boolean =
    oc(robe(ROB)(rb1)) AND oc(robe(ROB)(rb2)) AND rb1 /= rb2 AND
    IF (rb2 = head(ROB)) THEN FALSE
    ELSIF (rb1 = head(ROB)) THEN TRUE
    ELSE ((rb2 <= head(ROB) AND (rb1 < rb2 OR rb1 > head(ROB))) OR
          (rb1 < rb2 AND rb1 > head(ROB)))
    ENDIF

  % preceed, or the same occupied entry.
  weakPreceed((rb1, rb2: ROB_ID), ROB): boolean =
    rb1 = rb2 AND oc(robe(ROB)(rb1)) OR preceed(rb1, rb2, ROB)

  % Distance of rb from head going round the ring.
  bufferIndex(rb, ROB): upto[B] =
    IF rb >= head(ROB) THEN rb - head(ROB) ELSE rb + B - head(ROB) ENDIF

  % Size of the head..tail window; head = tail means B when wrap is set and
  % 0 otherwise.
  numOccBuffers(ROB): upto[B] =
    IF tail(ROB) > head(ROB) THEN tail(ROB) - head(ROB)
    ELSIF tail(ROB) = head(ROB) THEN IF wrap(ROB) THEN B ELSE 0 ENDIF
    ELSE tail(ROB) + B - head(ROB)
    ENDIF

  % numinst plus the ROB window size / plus the position of rb.  Spec adds 1
  % to these to index branch_pred, branch_act and int_interrupt.
  totalIssued(numinst: nat, ROB): nat = numOccBuffers(ROB) + numinst;

  issuedBefore(numinst:nat, ROB, rb) : nat = bufferIndex(rb, ROB) + numinst;

  % Some functional unit whose result is active for ROB entry prod, picked
  % with choose; 0 when there is none.
  chooseFU((prod: ROB_ID), res): upto[U] =
    IF (EXISTS (FU: FU_ID): a(res(FU)) AND p(res(FU)) = prod)
      THEN choose(LAMBDA (FU: FU_ID): a(res(FU)) AND p(res(FU)) = prod)
    ELSE 0
    ENDIF

  % For an active result, chooseFU on its ROB entry is non-zero and itself
  % names an active result.
  chosenFUnonzero: LEMMA
    (FORALL res, (FU: FU_ID):
       a(res(FU)) IMPLIES
         chooseFU(p(res(FU)), res) > 0 AND a(res(chooseFU(p(res(FU)), res))))

END IOdef
$$$IOdef.prf
(|IOdef| (|succ_TCC1| "" (SUBTYPE-TCC) NIL) (|succ_TCC2| "" (SUBTYPE-TCC) NIL) (|pred_TCC1| "" (SUBTYPE-TCC) NIL) (|pred_TCC2| "" (SUBTYPE-TCC) NIL) (|bufferIndex_TCC1| "" (SUBTYPE-TCC) NIL) (|bufferIndex_TCC2| "" (SUBTYPE-TCC) NIL) (|numOccBuffers_TCC1| "" (SUBTYPE-TCC) NIL) (|numOccBuffers_TCC2| "" (SUBTYPE-TCC) NIL) (|numOccBuffers_TCC3| "" (SUBTYPE-TCC) NIL) (|numOccBuffers_TCC4| "" (SUBTYPE-TCC) NIL) (|chooseFU_TCC1| "" (SUBTYPE-TCC) NIL) (|chooseFU_TCC2| "" (SUBTYPE-TCC) NIL) (|chooseFU_TCC3| "" (SUBTYPE-TCC) NIL) (|chosenFUnonzero_TCC1| "" (SUBTYPE-TCC) NIL) (|chosenFUnonzero| "" (SKOSIMP*) (("" (EXPAND "chooseFU") (("" (EXPAND "choose") (("" (USE "epsilon_ax[FU_ID]") (("" (SPLIT -) (("1" (SIMP) (("1" (SPLIT +) (("1" (NEW-SPLIT-IF) (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (SIMP) (("2" (CASE "not (exists (FU : FU_ID): epsilon(LAMBDA (FU: FU_ID): a(res!1(FU)) AND p(res!1(FU)) = p(res!1(FU!1))) = FU)") (("1" (INST 1 "epsilon(LAMBDA (FU: FU_ID): a(res!1(FU)) AND p(res!1(FU)) = p(res!1(FU!1)))") NIL) ("2" (SKOSIMP*) (("2" (REPLACE*) NIL))))))) ("3" (SIMP) (("3" (INSTBEST) (("3" (SIMP) NIL))))))))) ("2" (INST?) (("2" (SIMP) NIL))))))))))))))
$$$Spec.pvs
Spec[R, U, Z, B: posnat]: THEORY
% Defines the speculative machine, Spec, referred to as DES in the paper.
BEGIN

  IMPORTING IOdef[R, U, Z, B]

  % In the relations below the unprimed names are the current state and the
  % _p names the next state.  The state they range over is pc, RF, RS, RAT,
  % ROB and numinst (plus res in rho_writeb).
  % NOTE(review): no memory or cache component appears in this state, so
  % properties proved over these relations concern register/pc contents
  % only, not any other trace left by squashed instructions.
  RF, RF_p: VAR [REG_ID -> RF_TYPE]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, ROB_p: VAR ROB_TYPE
  RS, RS_p: VAR [SLOT_ID -> RS_TYPE]
  res, res_p: VAR [FU_ID -> result_TYPE]
  pc, pc_p: VAR posnat
  numinst, numinst_p: VAR nat
  FU: VAR FU_ID
  S: VAR SLOT_ID
  r: VAR REG_ID
  rb: VAR ROB_ID

  % Initial condition: pc = 1, numinst = 0, all registers 0 and not busy in
  % the RAT, no occupied ROB entry, head = tail = 1 without wrap, and no
  % occupied reservation station.
  Theta(pc, RF, RS, RAT, ROB, numinst): bool =
    pc = 1 AND numinst = 0 AND
    (FORALL r: RF(r) = (# v := 0 #) AND RAT(r) = (# b := FALSE, al := r #)) AND
    (FORALL rb: NOT oc(robe(ROB)(rb))) AND
    tail(ROB) = 1 AND head(ROB) = 1 AND NOT wrap(ROB) AND
    (FORALL S: NOT (oc(RS(S))))

  % Issue step.  Sn ranges over upto[Z]: Sn = 0 leaves pc, RAT, ROB and RS
  % unchanged, Sn > 0 issues the instruction at pc into slot Sn and requires
  % dispatch(RS, ROB, Sn).  RF and numinst never change here.
  rho_issue(pc, RF, RS, RAT, ROB, numinst,
            pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p): bool =
    EXISTS (Sn: upto[Z]):
      (Sn > 0 IMPLIES (can_issue(ROB) AND dispatch(RS, ROB, Sn))) AND
      numinst_p = numinst AND
      % The next pc follows the prediction branch_pred, not branch_act.
      pc_p = IF Sn > 0
               THEN IF type_op(op(prog(pc))) = BRANCH AND
                       branch_pred(pc, totalIssued(numinst, ROB) + 1)
                      THEN br_target(prog(pc))
                    ELSE 1 + pc
                    ENDIF
             ELSE pc
             ENDIF AND
      % The target register is marked busy and aliased to the entry at tail.
      RAT_p = (LAMBDA r: IF Sn > 0 AND r = t(prog(pc))
                           THEN (# b := TRUE, al := tail(ROB) #)
                         ELSE RAT(r)
                         ENDIF) AND
      RF_p = RF AND
      % A new busy entry is written at tail and tail advances; wrap is set
      % when the new tail is 1.
      ROB_p = IF NOT (Sn > 0) THEN ROB
              ELSE (# head := head(ROB),
                      tail := succ(tail(ROB)),
                      wrap := wrap(ROB) OR succ(tail(ROB)) = 1,
                      robe := (LAMBDA rb:
                        IF rb /= tail(ROB) THEN robe(ROB)(rb)
                        ELSE (# b := TRUE, v := 0, op := op(prog(pc)),
                                int := FALSE, oc := TRUE,
                                br_pred := branch_pred (pc, totalIssued(numinst, ROB) + 1),
                                br_targ := br_target(prog(pc)),
                                t := t(prog(pc)), pc := pc, slot := Sn,
                                % pv is fixed at issue: do_op over the pv of
                                % the aliased entries (or the RF value when
                                % the source is not busy), or 1/0 from
                                % branch_act for a branch.
                                pv := IF type_op(op(prog(pc))) /= BRANCH
                                        THEN do_op (op(prog(pc)),
                                                    IF b(RAT(src(prog(pc))(1)))
                                                      THEN pv (robe(ROB) (al (RAT (src(prog(pc))(1)))))
                                                    ELSE v(RF(src(prog(pc))(1)))
                                                    ENDIF,
                                                    IF b(RAT(src(prog(pc))(2)))
                                                      THEN pv (robe(ROB) (al (RAT (src(prog(pc))(2)))))
                                                    ELSE v(RF(src(prog(pc))(2)))
                                                    ENDIF)
                                      ELSIF branch_act (pc, issuedBefore (numinst, ROB, rb) + 1)
                                        THEN 1
                                      ELSE 0
                                      ENDIF,
                                pv_int := int_interrupt (pc, issuedBefore(numinst, ROB, rb) + 1) #)
                        ENDIF) #)
              ENDIF AND
      % Slot Sn is filled.  A source whose register is busy in the RAT is
      % read from the aliased ROB entry (BUSY if that entry is still busy,
      % else WRITE_B); otherwise it is read from RF with status RETIRED.
      RS_p = (LAMBDA S:
                IF S /= Sn THEN RS(S)
                ELSE (# oc := TRUE, p := tail(ROB), op := op(prog(pc)),
                        ss := (LAMBDA (j: TWO):
                          IF b(RAT(src(prog(pc))(j)))
                            THEN (# st := IF b (robe(ROB) (al(RAT(src(prog(pc))(j)))))
                                            THEN BUSY ELSE WRITE_B ENDIF,
                                    p := al(RAT(src(prog(pc))(j))),
                                    v := v (robe(ROB) (al(RAT(src(prog(pc))(j))))),
                                    pv := pv (robe(ROB) (al(RAT(src(prog(pc))(j))))) #)
                          ELSE (# st := RETIRED,
                                  v := v(RF(src(prog(pc))(j))),
                                  pv := v(RF(src(prog(pc))(j))),
                                  p := al(RAT(src(prog(pc))(j))) #)
                          ENDIF) #)
                ENDIF)

  % Execute-and-write-back step.  exec says which functional units fire and
  % iex which slot each one takes; a firing unit needs an enabled slot whose
  % operation maps to it in fu_table.  res is constrained to be exactly the
  % results of the firing units.  pc, numinst, RAT and RF do not change.
  rho_writeb(pc, RF, RS, RAT, ROB, numinst,
             pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res): bool =
    (EXISTS (exec: [FU_ID -> boolean]), (iex: [FU_ID -> SLOT_ID]):
       pc_p = pc AND numinst_p = numinst AND
       (FORALL (FU: FU_ID):
          exec(FU) IMPLIES
            can_execute(ROB) AND enabled(RS, iex(FU)) AND
            fu_table(op(RS(iex(FU)))) = FU) AND
       % The value is do_op over the operand values v held in the slot, or
       % 1/0 from branch_act for a branch; int comes from int_interrupt.
       res = (LAMBDA (FU: FU_ID):
                IF exec(FU)
                  THEN (# a := TRUE,
                          p := p(RS(iex(FU))),
                          v := IF type_op(op(RS(iex(FU)))) /= BRANCH
                                 THEN do_op(op(RS(iex(FU))), v(ss(RS(iex(FU)))(1)), v(ss(RS(iex(FU)))(2)))
                               ELSIF branch_act(pc(robe(ROB)(p(RS(iex(FU))))), issuedBefore (numinst, ROB, p(RS(iex(FU)))) + 1)
                                 THEN 1
                               ELSE 0
                               ENDIF,
                          int := int_interrupt(pc(robe(ROB)(p(RS(iex(FU))))), issuedBefore (numinst, ROB, p(RS(iex(FU)))) + 1) #)
                ELSE (# a := FALSE, p := 1, v := 0, int := FALSE #)
                ENDIF) AND
       RAT_p = RAT AND RF_p = RF AND
       % An occupied entry with an active result stops being busy and takes
       % v and int from that result; all other fields are copied.
       ROB_p = (# head := head(ROB), tail := tail(ROB), wrap := wrap(ROB),
                  robe := (LAMBDA rb:
                    IF occ_buffer(rb, ROB) AND (EXISTS FU: a(res(FU)) AND p(res(FU)) = rb)
                      THEN (# b := FALSE,
                              v := v(res(chooseFU(rb, res))),
                              int := int(res(chooseFU(rb, res))),
                              t := t(robe(ROB)(rb)),
                              pc := pc(robe(ROB)(rb)),
                              op := op(robe(ROB)(rb)),
                              pv := pv(robe(ROB)(rb)),
                              pv_int := pv_int(robe(ROB)(rb)),
                              br_pred := br_pred(robe(ROB)(rb)),
                              br_targ := br_targ(robe(ROB)(rb)),
                              oc := oc(robe(ROB)(rb)),
                              slot := slot(robe(ROB)(rb)) #)
                    ELSE robe(ROB)(rb)
                    ENDIF) #) AND
       % A slot whose own entry got a result is freed.  In the remaining
       % occupied slots a BUSY operand waiting on a producer with an active
       % result becomes WRITE_B and takes that result's value.
       RS_p = (LAMBDA S:
                 IF (EXISTS FU: a(res(FU)) AND p(res(FU)) = p(RS(S)))
                   THEN RS(S) WITH [oc := FALSE]
                 ELSIF oc(RS(S))
                   THEN (# oc := oc(RS(S)), p := p(RS(S)), op := op(RS(S)),
                           ss := (LAMBDA (j: TWO):
                             IF st(ss(RS(S))(j)) = BUSY AND
                                (EXISTS FU: a(res(FU)) AND p(ss(RS(S))(j)) = p(res(FU)) AND p(ss(RS(S))(j)) > 0)
                               THEN (# st := WRITE_B,
                                       p := p(ss(RS(S))(j)),
                                       v := v (res (chooseFU (p(ss(RS(S))(j)), res))),
                                       pv := pv(ss(RS(S))(j)) #)
                             ELSE ss(RS(S))(j)
                             ENDIF) #)
                 ELSE RS(S)
                 ENDIF))

  % Retire step.  retire = FALSE is a stutter.  retire = TRUE needs an
  % occupied, non-busy head entry and then takes one of two paths:
  %  - normal retirement, when the head has no interrupt and is not a branch
  %    whose stored prediction br_pred disagrees with its outcome (v > 0);
  %  - flush, otherwise.
  rho_retire(pc, RF, RS, RAT, ROB, numinst,
             pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p): bool =
    (EXISTS (retire: boolean):
       (retire IMPLIES can_retire(ROB) AND occ_buffer(head(ROB), ROB) AND NOT b(robe(ROB)(head(ROB)))) AND
       IF NOT (retire AND
               (int(robe(ROB)(head(ROB))) OR
                (type_op(op(robe(ROB)(head(ROB)))) = BRANCH AND
                 EXOR(br_pred(robe(ROB)(head(ROB))), (v(robe(ROB)(head(ROB))) > 0)))))
         % Normal path: pc is untouched; on retire the head value is written
         % to its target register, RAT entries aliased to head stop being
         % busy, head advances and WRITE_B operands that refer to head
         % become RETIRED.
         THEN numinst_p = IF NOT retire THEN numinst ELSE numinst + 1 ENDIF AND
              pc_p = pc AND
              RAT_p = IF NOT retire THEN RAT
                      ELSE (LAMBDA r: IF al(RAT(r)) = head(ROB)
                                        THEN (# b := FALSE, al := al(RAT(r)) #)
                                      ELSE RAT(r)
                                      ENDIF)
                      ENDIF AND
              RF_p = IF NOT retire THEN RF
                     ELSE (LAMBDA r: IF r = t(robe(ROB)(head(ROB)))
                                       THEN (# v := v(robe(ROB)(head(ROB))) #)
                                     ELSE RF(r)
                                     ENDIF)
                     ENDIF AND
              ROB_p = IF NOT retire THEN ROB
                      ELSE (# head := succ(head(ROB)),
                              tail := tail(ROB),
                              wrap := wrap(ROB) AND NOT succ(head(ROB)) = 1,
                              robe := (LAMBDA rb: IF rb = head(ROB)
                                                    THEN robe(ROB)(rb) WITH [oc := FALSE]
                                                  ELSE robe(ROB)(rb)
                                                  ENDIF) #)
                      ENDIF AND
              RS_p = IF NOT retire THEN RS
                     ELSE (LAMBDA S:
                             IF oc(RS(S))
                               THEN RS(S) WITH [ss := (LAMBDA (j: TWO):
                                      (# st := IF p(ss(RS(S))(j)) = head(ROB) AND st(ss(RS(S))(j)) = WRITE_B
                                                 THEN RETIRED
                                               ELSE st(ss(RS(S))(j))
                                               ENDIF,
                                         p := p(ss(RS(S))(j)),
                                         v := v(ss(RS(S))(j)),
                                         pv := pv(ss(RS(S))(j)) #))]
                             ELSE RS(S)
                             ENDIF)
                     ENDIF
       % Flush path: only the head entry's value can reach RF (and not even
       % that when the head carries an interrupt).  Every RAT entry is
       % cleared, every ROB entry and RS slot is marked unoccupied and
       % head = tail = 1, so no other in-flight result is written to RF by
       % this step.  pc is redirected to the interrupt address, or to the
       % branch target / fall-through chosen by the computed outcome v.
       ELSE RF_p = IF int(robe(ROB)(head(ROB))) THEN RF
                   ELSE (LAMBDA r: IF r = t(robe(ROB)(head(ROB)))
                                     THEN (# v := v(robe(ROB)(head(ROB))) #)
                                   ELSE RF(r)
                                   ENDIF)
                   ENDIF AND
            RAT_p = (LAMBDA r: (# b := FALSE, al := 1 #)) AND
            ROB_p = (# tail := 1, head := 1, wrap := FALSE,
                       robe := (LAMBDA rb: robe(ROB)(rb) WITH [oc := FALSE]) #) AND
            RS_p = (LAMBDA S: RS(S) WITH [oc := FALSE]) AND
            numinst_p = numinst + 1 AND
            pc_p = IF (int(robe(ROB)(head(ROB))))
                     THEN Int_interrupt_addr(pc(robe(ROB)(head(ROB))), type_op (op(robe(ROB)(head(ROB)))))
                   ELSIF v(robe(ROB)(head(ROB))) > 0
                     THEN br_targ(robe(ROB)(head(ROB)))
                   ELSE pc(robe(ROB)(head(ROB))) + 1
                   ENDIF
       ENDIF)

  % External interrupt: RF and numinst are kept, RAT/ROB/RS are reset as in
  % the flush path (ROB entries additionally get b := FALSE), and pc goes to
  % Ext_interrupt_addr of the current pc when the ROB is empty, else of the
  % head entry's pc.
  % NOTE(review): the preservation lemmas in the SpecInv and SpecInvsOneBuff
  % theories of this dump are stated for rho_issue, rho_writeb and
  % rho_retire; none mentions rho_extint -- confirm where this transition is
  % covered.
  rho_extint(pc, RF, RS, RAT, ROB, numinst,
             pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p): bool =
    RF_p = RF AND
    RAT_p = (LAMBDA r: (# b := FALSE, al := 1 #)) AND
    ROB_p = (# tail := 1, head := 1, wrap := FALSE,
               robe := (LAMBDA rb: robe(ROB)(rb) WITH [b := FALSE, oc := FALSE]) #) AND
    RS_p = (LAMBDA S: RS(S) WITH [oc := FALSE]) AND
    numinst_p = numinst AND
    pc_p = Ext_interrupt_addr(IF head(ROB) = tail(ROB) AND NOT wrap(ROB)
                                THEN pc
                              ELSE pc(robe(ROB)(head(ROB)))
                              ENDIF,
                              numinst + 1)

END Spec
$$$Spec.prf
(|Spec| (|rho_issue_TCC1| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC2| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC3| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC4| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC5| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC6| "" (SUBTYPE-TCC) NIL) (|rho_issue_TCC7| "" (SUBTYPE-TCC) NIL) (|rho_writeb_TCC1| "" (SUBTYPE-TCC) NIL) (|rho_writeb_TCC2| "" (SUBTYPE-TCC) NIL) (|rho_writeb_TCC3| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))) (|rho_writeb_TCC4| "" (SKOSIMP*) (("" (LEMMA "chosenFUnonzero[R, U, Z, B]") (("" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))) ("2" (SKOSIMP*) (("2" (SIMP) NIL))))))))))
$$$SpecDefs.pvs
SpecDefs[R, U, Z, B: posnat]: THEORY
% Invariants of the Speculative machine, DES, are defined here.
BEGIN

  IMPORTING Spec[R, U, Z, B]

  RF, RF_p: VAR [REG_ID -> RF_TYPE]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, ROB_p: VAR ROB_TYPE
  RS, RS_p: VAR [SLOT_ID -> RS_TYPE]
  res, res_p: VAR [FU_ID -> result_TYPE]
  pc, pc_p: VAR posnat
  numinst, numinst_p: VAR nat
  FU: VAR FU_ID
  S, S2: VAR SLOT_ID
  r: VAR REG_ID
  rb: VAR ROB_ID

  % --- Shape of the ring buffer -------------------------------------------

  % wrap implies tail <= head, and tail < head implies wrap.
  wrapWraps(ROB): boolean =
    (wrap(ROB) IMPLIES tail(ROB) <= head(ROB)) AND
    (tail(ROB) < head(ROB) IMPLIES wrap(ROB))

  % head = tail with wrap: every entry occupied; without wrap: none.
  headTailEq(ROB): boolean =
    ((head(ROB) = tail(ROB) AND wrap(ROB)) IMPLIES (FORALL rb: oc(robe(ROB)(rb)))) AND
    ((head(ROB) = tail(ROB) AND NOT wrap(ROB)) IMPLIES (FORALL rb: NOT oc(robe(ROB)(rb))))

  % The tail entry is occupied only when the buffer is full.
  occTailROBfull(ROB): boolean =
    oc(robe(ROB)(tail(ROB))) IMPLIES (tail(ROB) = head(ROB) AND wrap(ROB))

  % An unoccupied head entry means the buffer is empty.
  freeHeadROBempty(ROB): boolean =
    NOT oc(robe(ROB)(head(ROB))) IMPLIES
      (tail(ROB) = head(ROB) AND NOT wrap(ROB) AND (FORALL rb: NOT oc(robe(ROB)(rb))))

  % The oc flag of each entry agrees with the head/tail/wrap window.
  occEqual(ROB): boolean =
    (FORALL rb: occ_buffer(rb, ROB) IMPLIES oc(robe(ROB)(rb))) AND
    (FORALL rb: oc(robe(ROB)(rb)) IMPLIES occ_buffer(rb, ROB))

  % --- RAT versus ROB -----------------------------------------------------

  % A busy RAT entry for r points at an occupied ROB entry whose target is r.
  busyRAT(RAT, ROB): boolean =
    (FORALL r: b(RAT(r)) IMPLIES
       (oc(robe(ROB)(al(RAT(r)))) AND t(robe(ROB)(al(RAT(r)))) = r))

  % The target register of every occupied entry with non-zero target is
  % busy in the RAT.
  occBuffBusyRAT(RAT, ROB): boolean =
    (FORALL rb: (oc(robe(ROB)(rb)) AND t(robe(ROB)(rb)) > 0) IMPLIES
       b(RAT(t(robe(ROB)(rb)))))

  % For a busy register, every occupied entry targeting it weakly precedes
  % the entry the RAT points to.
  RATpointsNewestBuff(RAT, ROB): boolean =
    (FORALL r: b(RAT(r)) IMPLIES
       (FORALL rb: oc(robe(ROB)(rb)) AND t(robe(ROB)(rb)) = r IMPLIES
          weakPreceed(rb, al(RAT(r)), ROB)))

  % --- Uniqueness ---------------------------------------------------------

  % No two occupied slots refer to the same ROB entry.
  slotUnique(RS): boolean =
    (FORALL S, S2: (oc(RS(S)) AND oc(RS(S2)) AND p(RS(S)) = p(RS(S2))) IMPLIES S = S2)

  % No two active results refer to the same ROB entry.
  FUunique(res): boolean =
    (FORALL FU, (FU2: FU_ID):
       (a(res(FU)) AND a(res(FU2)) AND p(res(FU)) = p(res(FU2))) IMPLIES FU = FU2)

  % --- Write-back results (relate a pre-state, res and the post-state) ----

  % The entry of an active result was occupied and busy before the step, is
  % not busy after it, is referenced by no occupied slot afterwards, and its
  % operation maps to that functional unit.
  activeRes(res, RS, ROB, RS_p, ROB_p): boolean =
    (FORALL FU: a(res(FU)) IMPLIES
       oc(robe(ROB)(p(res(FU)))) AND b(robe(ROB)(p(res(FU)))) AND
       NOT b(robe(ROB_p)(p(res(FU)))) AND
       NOT (EXISTS S: oc(RS_p(S)) AND p(RS_p(S)) = p(res(FU))) AND
       fu_table(op(robe(ROB)(p(res(FU))))) = FU)

  % --- Reservation stations versus ROB ------------------------------------

  % An occupied slot's ROB entry is occupied and busy.
  occRS(RS, ROB): boolean =
    (FORALL S: oc(RS(S)) IMPLIES
       oc(robe(ROB)(p(RS(S)))) AND b(robe(ROB)(p(RS(S)))))

  % For each non-RETIRED operand of an occupied slot: its producer precedes
  % the slot's own entry, its pv equals the producer's pv, and a BUSY
  % operand has a busy producer.
  occRSops(RS, ROB): boolean =
    (FORALL S, (j: TWO):
       oc(RS(S)) AND st(ss(RS(S))(j)) /= RETIRED IMPLIES
         preceed(p(ss(RS(S))(j)), p(RS(S)), ROB) AND
         pv(ss(RS(S))(j)) = pv(robe(ROB)(p(ss(RS(S))(j)))) AND
         (st(ss(RS(S))(j)) = BUSY IMPLIES b(robe(ROB)(p(ss(RS(S))(j))))))

  % Busy ROB entries and occupied slots point at each other (slot/p) and
  % carry the same operation.
  ROBslotMatchRS(RS, ROB): boolean =
    (FORALL rb: (oc(robe(ROB)(rb)) AND b(robe(ROB)(rb))) IMPLIES
       (oc(RS(slot(robe(ROB)(rb)))) AND p(RS(slot(robe(ROB)(rb)))) = rb) AND
       op(RS(slot(robe(ROB)(rb)))) = op(robe(ROB)(rb))) AND
    (FORALL S: oc(RS(S)) IMPLIES
       (oc(robe(ROB)(p(RS(S)))) AND b(robe(ROB)(p(RS(S)))) AND
        slot(robe(ROB)(p(RS(S)))) = S))

  % Same premise as occRSops and its first two conjuncts.
  PVopMatchRS_ROB(RS, ROB): boolean =
    (FORALL S, (j: TWO):
       (oc(RS(S)) AND st(ss(RS(S))(j)) /= RETIRED) IMPLIES
         (preceed(p(ss(RS(S))(j)), p(RS(S)), ROB) AND
          pv(ss(RS(S))(j)) = pv(robe(ROB)(p(ss(RS(S))(j))))))

  % --- pv / pv_int agree with the computed values -------------------------

  % For an occupied entry that is no longer busy, pv = v and int = pv_int.
  ROBpredCorrect(ROB): boolean =
    (FORALL rb: (oc(robe(ROB)(rb)) AND NOT b(robe(ROB)(rb))) IMPLIES
       (pv(robe(ROB)(rb)) = v(robe(ROB)(rb)) AND
        int(robe(ROB)(rb)) = pv_int(robe(ROB)(rb))))

  % For an occupied slot, the pv of its entry is do_op over the operand pv
  % fields (or 1/0 from branch_act for a branch) and pv_int matches
  % int_interrupt, both indexed by issuedBefore + 1.
  predEqualDoOp(RS, ROB, numinst): boolean =
    (FORALL S: oc(RS(S)) IMPLIES
       (pv(robe(ROB)(p(RS(S)))) =
          IF type_op(op(RS(S))) /= BRANCH
            THEN do_op(op(RS(S)), pv(ss(RS(S))(1)), pv(ss(RS(S))(2)))
          ELSIF branch_act(pc(robe(ROB)(p(RS(S)))), issuedBefore(numinst, ROB, p(RS(S))) + 1)
            THEN 1
          ELSE 0
          ENDIF AND
        pv_int(robe(ROB)(p(RS(S)))) =
          int_interrupt(pc(robe(ROB)(p(RS(S)))), issuedBefore(numinst, ROB, p(RS(S))) + 1)))

  % chooseFU on the entry of an active result returns that same unit.
  chosenFUunique(res): boolean =
    (FORALL FU: a(res(FU)) IMPLIES chooseFU(p(res(FU)), res) = FU)

  % Operands that are not BUSY have pv = v.
  OpsPredCorrect(RS): boolean =
    (FORALL S, (j: TWO):
       (oc(RS(S)) AND st(ss(RS(S))(j)) /= BUSY) IMPLIES
         pv(ss(RS(S))(j)) = v(ss(RS(S))(j)))

  % An active result carries the pv and pv_int of its entry.
  resPredCorrect(res, ROB): boolean =
    (FORALL FU: a(res(FU)) IMPLIES
       (v(res(FU)) = pv(robe(ROB)(p(res(FU)))) AND
        int(res(FU)) = pv_int(robe(ROB)(p(res(FU))))))

  % Conjunction of the state invariants above.  RF is a parameter but no
  % conjunct mentions it.  The predicates that involve res (FUunique,
  % activeRes, chosenFUunique, resPredCorrect) are collected in wb_prop
  % instead.
  SpecInv(RF, RS, RAT, ROB, numinst): boolean =
    wrapWraps(ROB) AND occEqual(ROB) AND headTailEq(ROB) AND
    freeHeadROBempty(ROB) AND occTailROBfull(ROB) AND
    occBuffBusyRAT(RAT, ROB) AND busyRAT(RAT, ROB) AND
    occRSops(RS, ROB) AND occRS(RS, ROB) AND
    ROBpredCorrect(ROB) AND ROBslotMatchRS(RS, ROB) AND
    PVopMatchRS_ROB(RS, ROB) AND predEqualDoOp(RS, ROB, numinst) AND
    OpsPredCorrect(RS) AND slotUnique(RS) AND
    RATpointsNewestBuff(RAT, ROB)

  % Properties of the result vector of one write-back step; note that
  % resPredCorrect is taken over the post-state ROB_p.
  wb_prop(res, RS, ROB, RS_p, ROB_p): boolean =
    FUunique(res) AND activeRes(res, RS, ROB, RS_p, ROB_p) AND
    chosenFUunique(res) AND resPredCorrect(res, ROB_p)

END SpecDefs
$$$SpecDefs.prf
(|SpecDefs| (|occBuffBusyRAT_TCC1| "" (SUBTYPE-TCC) NIL) (|predEqualDoOp_TCC1| "" (SUBTYPE-TCC) NIL) (|predEqualDoOp_TCC2| "" (SUBTYPE-TCC) NIL))
$$$SpecInv.pvs
SpecInv[R, U, Z, B: posnat]: THEORY
% Properties defined in SpecDefs are proved invariants of the speculative system
%
% Each lemma below has the form: a transition relation holds, the named
% predicate (and sometimes further predicates) holds in the current state,
% therefore the named predicate holds in the _p state.
BEGIN

  IMPORTING SpecDefs[R, U, Z, B]

  RF, RF_p: VAR [REG_ID -> RF_TYPE]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, ROB_p: VAR ROB_TYPE
  RS, RS_p: VAR [SLOT_ID -> RS_TYPE]
  res, res_p: VAR [FU_ID -> result_TYPE]
  pc, pc_p: VAR posnat
  numinst, numinst_p: VAR nat
  FU: VAR FU_ID
  S, S2: VAR SLOT_ID
  r: VAR REG_ID
  rb: VAR ROB_ID

  wrapWraps_issue: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    wrapWraps(ROB)
    IMPLIES wrapWraps(ROB_p)

  wrapWraps_writeb: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND
    wrapWraps(ROB)
    IMPLIES wrapWraps(ROB_p)

  wrapWraps_retire: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    wrapWraps(ROB)
    IMPLIES wrapWraps(ROB_p)

  occEqual_issue: LEMMA
    rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    occEqual(ROB) AND wrapWraps(ROB)
    IMPLIES occEqual(ROB_p)

  occEqual_writeb: LEMMA
    rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND
    occEqual(ROB)
    IMPLIES occEqual(ROB_p)

  occEqual_retire: LEMMA
    rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND
    occEqual(ROB) AND wrapWraps(ROB)
    IMPLIES
occEqual(ROB_p) freeHeadROBempty: LEMMA occEqual(ROB) AND wrapWraps(ROB) IMPLIES freeHeadROBempty(ROB) headTailEq: LEMMA occEqual(ROB) IMPLIES headTailEq(ROB) occTailROBfull: LEMMA occEqual(ROB) IMPLIES occTailROBfull(ROB) busyRAT_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND busyRAT(RAT, ROB) AND occEqual(ROB) IMPLIES busyRAT(RAT_p, ROB_p) busyRAT_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND busyRAT(RAT, ROB) IMPLIES busyRAT(RAT_p, ROB_p) busyRAT_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND busyRAT(RAT, ROB) IMPLIES busyRAT(RAT_p, ROB_p) occBuffBusyRAT_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occBuffBusyRAT(RAT, ROB) IMPLIES occBuffBusyRAT(RAT_p, ROB_p) occBuffBusyRAT_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND occBuffBusyRAT(RAT, ROB) IMPLIES occBuffBusyRAT(RAT_p, ROB_p) occBuffBusyRAT_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occBuffBusyRAT(RAT, ROB) AND RATpointsNewestBuff(RAT, ROB) IMPLIES occBuffBusyRAT(RAT_p, ROB_p) RATpointsNewestBuff_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND RATpointsNewestBuff(RAT, ROB) AND busyRAT(RAT, ROB) AND headTailEq(ROB) AND wrapWraps(ROB) AND occEqual(ROB) IMPLIES RATpointsNewestBuff(RAT_p, ROB_p) RATpointsNewestBuff_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND RATpointsNewestBuff(RAT, ROB) AND busyRAT(RAT, ROB) IMPLIES RATpointsNewestBuff(RAT_p, ROB_p) RATpointsNewestBuff_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND RATpointsNewestBuff(RAT, ROB) AND occEqual(ROB) AND headTailEq(ROB) AND 
wrapWraps(ROB) IMPLIES RATpointsNewestBuff(RAT_p, ROB_p) slotUnique_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND slotUnique(RS) AND occTailROBfull(ROB) AND occRS(RS, ROB) IMPLIES slotUnique(RS_p) slotUnique_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND slotUnique(RS) IMPLIES slotUnique(RS_p) slotUnique_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND slotUnique(RS) IMPLIES slotUnique(RS_p) activeRes_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND ROBslotMatchRS(RS, ROB) AND slotUnique(RS) AND occEqual(ROB) IMPLIES activeRes(res, RS, ROB, RS_p, ROB_p) ROBslotMatchRS_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND ROBslotMatchRS(RS, ROB) AND occTailROBfull(ROB) IMPLIES ROBslotMatchRS(RS_p, ROB_p) ROBslotMatchRS_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND ROBslotMatchRS(RS, ROB) AND occEqual(ROB) AND activeRes(res, RS, ROB, RS_p, ROB_p) IMPLIES ROBslotMatchRS(RS_p, ROB_p) ROBslotMatchRS_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND ROBslotMatchRS(RS, ROB) AND occEqual(ROB) IMPLIES ROBslotMatchRS(RS_p, ROB_p) occRSops_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occRSops(RS, ROB) AND busyRAT(RAT, ROB) AND headTailEq(ROB) AND occTailROBfull(ROB) AND occEqual(ROB) IMPLIES occRSops(RS_p, ROB_p) occRSops_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND occRSops(RS, ROB) AND activeRes(res, RS, ROB, RS_p, ROB_p) IMPLIES occRSops(RS_p, ROB_p) occRSops_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occRSops(RS, 
ROB) IMPLIES occRSops(RS_p, ROB_p) occRS_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occRS(RS, ROB) IMPLIES occRS(RS_p, ROB_p) occRS_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND occRS(RS, ROB) AND activeRes(res, RS, ROB, RS_p, ROB_p) IMPLIES occRS(RS_p, ROB_p) occRS_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND occRS(RS, ROB) IMPLIES occRS(RS_p, ROB_p) PVopMatchRS_ROB_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND PVopMatchRS_ROB(RS, ROB) AND headTailEq(ROB) AND occTailROBfull(ROB) AND occEqual(ROB) AND busyRAT(RAT, ROB) IMPLIES PVopMatchRS_ROB(RS_p, ROB_p) PVopMatchRS_ROB_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND PVopMatchRS_ROB(RS, ROB) IMPLIES PVopMatchRS_ROB(RS_p, ROB_p) PVopMatchRS_ROB_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND PVopMatchRS_ROB(RS, ROB) AND occRSops(RS, ROB) IMPLIES PVopMatchRS_ROB(RS_p, ROB_p) OpsPredCorrect_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND OpsPredCorrect(RS) AND ROBpredCorrect(ROB) AND busyRAT(RAT, ROB) IMPLIES OpsPredCorrect(RS_p) OpsPredCorrect_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND predEqualDoOp(RS, ROB, numinst) AND chosenFUunique(res) AND OpsPredCorrect(RS) AND resPredCorrect(res, ROB_p) AND PVopMatchRS_ROB(RS, ROB) IMPLIES OpsPredCorrect(RS_p) OpsPredCorrect_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND OpsPredCorrect(RS) IMPLIES OpsPredCorrect(RS_p) predEqualDoOp_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND predEqualDoOp(RS, ROB, numinst) 
AND occTailROBfull(ROB) AND occRS(RS, ROB) IMPLIES predEqualDoOp(RS_p, ROB_p, numinst_p) predEqualDoOp_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND predEqualDoOp(RS, ROB, numinst) IMPLIES predEqualDoOp(RS_p, ROB_p, numinst_p) predEqualDoOp_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND predEqualDoOp(RS, ROB, numinst) AND occRS(RS, ROB) IMPLIES predEqualDoOp(RS_p, ROB_p, numinst_p) resPredCorrect_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND predEqualDoOp(RS, ROB, numinst) AND OpsPredCorrect(RS) IMPLIES resPredCorrect(res, ROB_p) ROBpredCorrect_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND ROBpredCorrect(ROB) IMPLIES ROBpredCorrect(ROB_p) ROBpredCorrect_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND ROBpredCorrect(ROB) AND resPredCorrect(res, ROB_p) AND chosenFUunique(res) IMPLIES ROBpredCorrect(ROB_p) ROBpredCorrect_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND ROBpredCorrect(ROB) IMPLIES ROBpredCorrect(ROB_p) writeb_prop: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND ROBslotMatchRS(RS, ROB) AND slotUnique(RS) AND occEqual(ROB) AND predEqualDoOp(RS, ROB, numinst) AND OpsPredCorrect(RS) IMPLIES wb_prop(res, RS, ROB, RS_p, ROB_p) SpecInv_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND SpecInv(RF, RS, RAT, ROB, numinst) IMPLIES SpecInv(RF_p, RS_p, RAT_p, ROB_p, numinst_p) SpecInv_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res) AND SpecInv(RF, RS, RAT, ROB, numinst) IMPLIES SpecInv(RF_p, RS_p, RAT_p, ROB_p, numinst_p) SpecInv_retire: LEMMA rho_retire(pc, RF, RS, 
RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND SpecInv(RF, RS, RAT, ROB, numinst) IMPLIES SpecInv(RF_p, RS_p, RAT_p, ROB_p, numinst_p) SpecInv_theta: LEMMA Theta(pc, RF, RS, RAT, ROB, numinst) IMPLIES SpecInv(RF, RS, RAT, ROB, numinst) END SpecInv $$$SpecInv.prf (|SpecInv| (|wrapWraps_issue| "" (EXP-INV-ISSUE) (("" (GRIND) NIL))) (|wrapWraps_writeb| "" (EXP-INV-WRITEB) (("" (GRIND) NIL))) (|wrapWraps_retire| "" (EXP-INV-RETIRE) (("" (GRIND) NIL))) (|occEqual_issue| "" (EXP-INV-ISSUE) (("" (EXPAND "occ_buffer") (("" (CASE "Sn!1 > 0") (("1" (SIMP) (("1" (APPLY (THEN (SPLIT 3) (SKOSIMP*) (INST?) (INST?) (EXPAND "succ") (SPLIT-ALL -))) NIL))) ("2" (SIMP) (("2" (APPLY (THEN (SPLIT 2) (SKOSIMP*) (INST?) (INST?) (EXPAND "succ") (SPLIT-ALL -))) NIL))))))))) (|occEqual_writeb| "" (EXP-INV-WRITEB) (("" (EXPAND "occ_buffer") (("" (APPLY (THEN (SPLIT +) (SKOSIMP*) (INST?) (INST?) (SPLIT-ALL -))) NIL))))) (|occEqual_retire| "" (EXP-INV-RETIRE) (("1" (EXPAND "occ_buffer") (("1" (APPLY (THEN (SPLIT 2) (SKOSIMP*) (INST?) (INST?))) (("1" (SPLIT-ALL) (("1" (SPLIT-ALL -) NIL) ("2" (SPLIT-ALL -) NIL))) ("2" (SPLIT-ALL -) NIL))))) ("2" (EXPAND "occ_buffer") (("2" (PROPAX) NIL))))) (|freeHeadROBempty| "" (SKOSIMP*) (("" (EXPAND "freeHeadROBempty") (("" (EXPAND "occEqual") (("" (SIMP) (("" (INST?) (("" (EXPAND "occ_buffer") (("" (EXPAND "wrapWraps") (("" (NEW-SPLIT-IF) NIL))))))))))))))) (|headTailEq| "" (EXPAND "occEqual") (("" (EXPAND "headTailEq") (("" (SKOSIMP*) (("" (EXPAND "occ_buffer") (("" (SPLIT +) (("1" (SIMP) (("1" (SKOSIMP*) (("1" (INST?) (("1" (SIMP) (("1" (SIMP) NIL))))))))) ("2" (SIMP) NIL))))))))))) (|occTailROBfull| "" (GRIND) NIL) (|busyRAT_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (NEW-SPLIT-IF) (("" (NEW-SPLIT-IF) (("" (NEW-SPLIT-IF) (("" (INST?) (("" (INST?) (("" (EXPAND "occ_buffer") (("" (REDUCE-IF) (("" (SIMP) NIL))))))))))))))))))) (|busyRAT_writeb| "" (EXP-INV-WRITEB) (("" (INST? 
-3) (("" (SIMP) NIL))))) (|busyRAT_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|occBuffBusyRAT_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|occBuffBusyRAT_writeb| "" (EXP-INV-WRITEB) (("" (INST? -3) (("" (SIMP) NIL))))) (|occBuffBusyRAT_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (NEW-SPLIT-IF) (("" (REDUCE-IF) (("" (SIMP) (("" (NEW-SPLIT-IF) (("" (INST?) (("" (SIMP) (("" (INST?) (("" (SIMP) NIL))))))))))))))))))) (|RATpointsNewestBuff_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (INST?) (("" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (INST?) NIL) ("2" (NEW-SPLIT-IF) (("2" (INST -11 "rb!1") (("2" (EXPAND "occ_buffer") (("2" (SIMP) (("2" (NEW-SPLIT-IF -11) NIL))))))))))) ("2" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF -) (("1" (INST? :WHERE +) (("1" (SIMP) NIL))) ("2" (REDUCE-IF) (("2" (SIMP) (("2" (INST? :WHERE +) (("2" (SIMP) NIL))))))))) ("2" (NEW-SPLIT-IF) (("2" (NEW-SPLIT-IF -) (("1" (INST?) (("1" (SIMP) (("1" (SPLIT -3) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL))))))) ("2" (REDUCE-IF) (("2" (INST?) (("2" (SIMP) (("2" (SPLIT -) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL))))))))))))))))))))))) (|RATpointsNewestBuff_writeb| "" (EXP-INV-WRITEB) (("" (HIDE -1 -2) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (INST?) (("" (SIMP) NIL))))))))))))) (|RATpointsNewestBuff_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (NEW-SPLIT-IF) (("1" (CLEAN-UP) (("1" (SPLIT -) (("1" (SIMP) (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (SIMP) (("2" (INST?) (("2" (SIMP) NIL))))))))) ("2" (REDUCE-IF) (("2" (REDUCE-IF) (("2" (SIMP) (("2" (INST?) (("2" (SIMP) (("2" (SIMP) (("2" (NEW-SPLIT-IF) (("2" (SPLIT -) (("1" (SIMP) (("1" (NEW-SPLIT-IF) NIL))) ("2" (NEW-SPLIT-IF) NIL))))))))))))))))))))))) (|slotUnique_issue| "" (EXP-INV-ISSUE) (("" (INST -2 "S!1" "S2!1") (("" (SIMP) (("" (NEW-SPLIT-IF -) (("1" (NEW-SPLIT-IF -) (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (INST?) 
(("2" (SIMP) NIL))))))))))) (|slotUnique_writeb| "" (EXP-INV-WRITEB) (("" (INST -3 "S!1" "S2!1") (("" (REDUCE-IF) (("" (REDUCE-IF) (("" (REDUCE-IF) (("" (REDUCE-IF) (("" (SIMP) NIL))))))))))))) (|slotUnique_retire| "" (EXP-INV-RETIRE) (("" (INSTBEST) (("" (NEW-SPLIT-IF -) (("" (REDUCE-IF) (("" (REDUCE-IF) (("" (SIMP) NIL))))))))))) (|activeRes_writeb| "" (EXP-INV-WRITEB :EXPOCC F) (("" (REPLACE -2 :HIDE? T) (("" (SIMP) (("" (INSTBEST) (("" (INSTBEST) (("1" (INSTBEST) (("1" (SPLIT-ALL) (("1" (INSTBEST) (("1" (INST? -14) (("1" (SIMP) NIL))))) ("2" (INSTBEST -12) (("2" (SIMP) (("2" (INST?) NIL))))))))) ("2" (SIMP) NIL))))))))))) (|ROBslotMatchRS_issue| "" (EXP-INV-ISSUE) (("" (APPLY (THEN (SPLIT +) (SKOSIMP*) (INSTBEST) (INSTBEST) (SPLIT-ALL -))) NIL))) (|ROBslotMatchRS_writeb| "" (EXP-INV-WRITEB :EXPOCC F) (("" (APPLY (THEN (SPLIT +) (SKOSIMP*))) (("1" (INSTBEST -5) (("1" (INSTBEST -8) (("1" (REDUCE-IF) (("1" (APPLY (THEN (SPLIT +) (SKOSIMP*) (SIMP) (SIMP))) (("1" (APPLY (THEN (SPLIT +) (SKOSIMP*))) (("1" (INSTBEST) (("1" (INSTBEST) (("1" (SIMP) NIL))))))))))))))) ("2" (REDUCE-IF) (("2" (REDUCE-IF) (("2" (INSTBEST -5) (("2" (INSTBEST -4) (("2" (SPLIT-ALL) NIL))))))))))))) (|ROBslotMatchRS_retire| "" (EXP-INV-RETIRE :EXPOCC F) (("" (APPLY (THEN (SPLIT 2) (SKOSIMP*))) (("1" (INSTBEST) (("1" (SPLIT-ALL) NIL))) ("2" (INSTBEST) (("2" (INSTBEST) (("2" (SPLIT-ALL -) NIL))))))))) (|occRSops_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (INST?) (("" (NEW-SPLIT-IF) (("1" (SPLIT +) (("1" (SIMP) (("1" (SPLIT-ALL) NIL))) ("2" (SIMP) (("2" (SPLIT-ALL) NIL))))) ("2" (SPLIT-ALL) (("1" (INST? -) NIL) ("2" (INST?) (("2" (INST?) (("2" (EXPAND "occ_buffer") (("2" (NEW-SPLIT-IF -) NIL))))))))))))))))) (|occRSops_writeb| "" (EXP-INV-WRITEB :EXPOCC F) (("" (REPLACE -2 :HIDE? T) (("" (SIMP) (("" (INST? -2) (("" (SPLIT-ALL) (("1" (INST?) (("1" (SIMP) NIL))) ("2" (INST?) (("2" (SIMP) NIL))) ("3" (INST?) (("3" (INST?) 
(("3" (SIMP) NIL))))))))))))))) (|occRSops_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (SPLIT-ALL) (("1" (NEW-SPLIT-IF -) NIL) ("2" (SPLIT -) (("1" (SIMP) (("1" (SPLIT -) (("1" (PROPAX) NIL) ("2" (SIMP) NIL))))) ("2" (SIMP) NIL))))))))) (|occRS_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|occRS_writeb| "" (EXP-INV-WRITEB :RES T) (("" (INST? -2) (("" (SPLIT-ALL) NIL))))) (|occRS_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|PVopMatchRS_ROB_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (INST? -8) (("" (SPLIT-ALL -) (("1" (INST?) NIL) ("2" (INST?) (("2" (INST -7 "al(RAT!1(src(prog(pc!1))(j!1)))") (("2" (SIMP) (("2" (EXPAND "occ_buffer" -) (("2" (CLEAN-UP) (("2" (GROUND) NIL))))))))))))))))))) (|PVopMatchRS_ROB_writeb| "" (EXP-INV-WRITEB :RES T) (("" (INST? -2) (("" (SPLIT-ALL -) NIL))))) (|PVopMatchRS_ROB_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (INST?) (("" (SPLIT-ALL -) (("" (SPLIT -) (("1" (SIMP) (("1" (SPLIT -) (("1" (PROPAX) NIL) ("2" (SIMP) NIL))))) ("2" (SIMP) NIL))))))))))) (|OpsPredCorrect_issue| "" (EXP-INV-ISSUE) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SPLIT-ALL) NIL))))))))) (|OpsPredCorrect_writeb| "" (EXP-INV-WRITEB) (("" (INST? -3) (("" (INSTBEST -5) (("" (INSTBEST -7) (("" (REDUCE-IF) (("" (REDUCE-IF) (("" (SPLIT-IF) (("" (SPLIT-IF) (("" (SPLIT-IF) (("" (SPLIT-IF) (("" (SKOSIMP*) (("" (INSTBEST) (("" (INSTBEST -) (("" (INSTBEST -) (("" (SIMP) (("" (HIDE -8) (("" (REPLACE*) (("" (INSTBEST -) (("" (SIMP) NIL))))))))))))))))))))))))))))))))))))) (|OpsPredCorrect_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|predEqualDoOp_issue| "" (EXP-INV-ISSUE :SPLIT F) (("" (INST?) (("" (INST?) (("" (NEW-SPLIT-IF) (("" (NEW-SPLIT-IF) (("1" (SPLIT-ALL) NIL) ("2" (CASE "(Sn!1 > 0)") (("1" (SIMP) (("1" (SPLIT-ALL) NIL))) ("2" (SIMP) NIL))))))))))))) (|predEqualDoOp_writeb| "" (EXP-INV-WRITEB :SPLIT F :RES T) (("" (INST? 
-2) (("" (SPLIT-ALL) NIL))))) (|predEqualDoOp_retire| "" (EXP-INV-RETIRE :SPLIT F) (("" (INST?) (("" (INST?) (("" (SPLIT-ALL) NIL))))))) (|resPredCorrect_writeb| "" (EXP-INV-WRITEB) (("" (REPLACE -2 :HIDE? T) (("" (SIMP) (("" (INSTBEST) (("" (INST?) (("" (REDUCE-IF) (("" (SIMP) (("" (SIMP) (("" (INST-CP -4 "1") (("" (INST -4 "2") (("" (INST-CP -7 "iex!1(FU!1)" "1") (("" (INST -7 "iex!1(FU!1)" "2") (("" (SPLIT-ALL) NIL))))))))))))))))))))))))) (|ROBpredCorrect_issue| "" (EXP-INV-ISSUE) (("" (GRIND-BEST) NIL))) (|ROBpredCorrect_writeb| "" (EXP-INV-WRITEB) (("" (INST? -3) (("" (SPLIT-IF) (("1" (SKOSIMP*) (("1" (SPLIT-IF) (("1" (INSTBEST) (("1" (INSTBEST) (("1" (INSTBEST) (("1" (HIDE -6) (("1" (REPLACE*) (("1" (SIMP) NIL))))))))))))))) ("2" (REPLACE 1) (("2" (SIMP) NIL))))))))) (|ROBpredCorrect_retire| "" (EXP-INV-RETIRE) (("" (INST?) (("" (SPLIT-ALL) NIL))))) (|writeb_prop| "" (SKOSIMP*) (("" (EXPAND "wb_prop") (("" (CASE "not activeRes(res!1, RS!1, ROB!1, RS_p!1, ROB_p!1)") (("1" (LEMMA "activeRes_writeb") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (CASE "not resPredCorrect(res!1, ROB_p!1)") (("1" (LEMMA "resPredCorrect_writeb") (("1" (INST?) (("1" (SIMP) NIL))))) ("2" (SIMP) (("2" (HIDE -3) (("2" (REVEAL -1) (("2" (CASE "not FUunique(res!1)") (("1" (HIDE 2) (("1" (EXPAND "rho_writeb") (("1" (EXPAND " FUunique") (("1" (SKOSIMP*) (("1" (REPLACE -7 (-1 -2 -3)) (("1" (SIMP) (("1" (INST-CP -6 "FU!1") (("1" (INST -6 "FU2!1") (("1" (REDUCE-IF) (("1" (REDUCE-IF) (("1" (EXPAND "enabled") (("1" (EXPAND "slotUnique") (("1" (SIMP) (("1" (INSTBEST -22) (("1" (SIMP) NIL))))))))))))))))))))))))))))) ("2" (SIMP) (("2" (EXPAND "FUunique") (("2" (EXPAND "chosenFUunique") (("2" (SKOSIMP*) (("2" (EXPAND "chooseFU") (("2" (EXPAND "choose") (("2" (LIFT-IF) (("2" (NEW-SPLIT-IF) (("1" (USE "epsilon_ax[FU_ID[R, U]]") (("1" (SPLIT -) (("1" (SIMP) (("1" (INSTBEST) (("1" (SIMP) NIL))))) ("2" (INST?) (("2" (SIMP) NIL))))))) ("2" (INST?) 
(("2" (SIMP) NIL))))))))))))))))))) ("3" (SKOSIMP*) (("3" (SIMP) NIL))))))))))) ("3" (SIMP) (("3" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))) ("4" (SKOSIMP*) (("4" (SIMP) NIL))))) ("3" (SIMP) (("3" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))) ("4" (SKOSIMP*) (("4" (SIMP) (("4" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))) ("5" (SIMP) (("5" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))) ("6" (SKOSIMP*) (("6" (SIMP) (("6" (SPLIT +) (("1" (SKOSIMP*) (("1" (SIMP) NIL))) ("2" (SIMP) NIL))))))) ("7" (SKOSIMP*) (("7" (SIMP) NIL))))))))) (|SpecInv_issue| "" (SKOSIMP*) (("" (HIDE -2) (("" (REVEAL -1) (("" (EXPAND "SpecInv") (("" (LEMMA "wrapWraps_issue") (("" (LEMMA "occEqual_issue") (("" (LEMMA "occBuffBusyRAT_issue") (("" (LEMMA "busyRAT_issue") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "occRSops_issue") (("" (LEMMA "occRS_issue") (("" (LEMMA "ROBpredCorrect_issue") (("" (LEMMA "ROBslotMatchRS_issue") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "PVopMatchRS_ROB_issue") (("" (LEMMA "predEqualDoOp_issue") (("" (LEMMA "OpsPredCorrect_issue") (("" (LEMMA "slotUnique_issue") (("" (LEMMA "RATpointsNewestBuff_issue") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "headTailEq") (("" (LEMMA "freeHeadROBempty") (("" (LEMMA "occTailROBfull") (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|SpecInv_writeb| "" (SKOSIMP*) (("" (HIDE -2) (("" (REVEAL -1) (("" (EXPAND "SpecInv") (("" (LEMMA "wrapWraps_writeb") (("" (LEMMA "occEqual_writeb") (("" (LEMMA "occBuffBusyRAT_writeb") (("" (LEMMA "busyRAT_writeb") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) 
(("" (SIMP) (("" (LEMMA "occRSops_writeb") (("" (LEMMA "occRS_writeb") (("" (LEMMA "ROBpredCorrect_writeb") (("" (LEMMA "ROBslotMatchRS_writeb") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "PVopMatchRS_ROB_writeb") (("" (LEMMA "predEqualDoOp_writeb") (("" (LEMMA "OpsPredCorrect_writeb") (("" (LEMMA "slotUnique_writeb") (("" (LEMMA "RATpointsNewestBuff_writeb") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "headTailEq") (("" (LEMMA "freeHeadROBempty") (("" (LEMMA "occTailROBfull") (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (SIMP) (("" (LEMMA "writeb_prop") (("" (INST?) (("" (EXPAND "wb_prop") (("" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|SpecInv_retire| "" (SKOSIMP*) (("" (HIDE -2) (("" (REVEAL -1) (("" (EXPAND "SpecInv") (("" (LEMMA "wrapWraps_retire") (("" (LEMMA "occEqual_retire") (("" (LEMMA "occBuffBusyRAT_retire") (("" (LEMMA "busyRAT_retire") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "occRSops_retire") (("" (LEMMA "occRS_retire") (("" (LEMMA "ROBpredCorrect_retire") (("" (LEMMA "ROBslotMatchRS_retire") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "PVopMatchRS_ROB_retire") (("" (LEMMA "predEqualDoOp_retire") (("" (LEMMA "OpsPredCorrect_retire") (("" (LEMMA "slotUnique_retire") (("" (INST?) (("" (INST?) (("" (INST?) (("" (INST?) (("" (SIMP) (("" (LEMMA "headTailEq") (("" (LEMMA "freeHeadROBempty") (("" (LEMMA "occTailROBfull") (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (INST? :WHERE +) (("" (SIMP) (("" (LEMMA "RATpointsNewestBuff_retire") (("" (INST?) 
(("" (SIMP) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|SpecInv_theta| "" (SKOSIMP*) (("" (EXPAND "Theta") (("" (EXPAND "SpecInv") (("" (SIMP) (("" (SPLIT +) (("1" (GRIND) NIL) ("2" (GRIND) NIL) ("3" (GRIND) NIL) ("4" (EXPAND "freeHeadROBempty") (("4" (SIMP) NIL))) ("5" (GRIND) NIL) ("6" (GRIND) NIL) ("7" (EXPAND "busyRAT") (("7" (SKOSIMP*) (("7" (INST?) (("7" (SIMP) NIL))))))) ("8" (GRIND) NIL) ("9" (GRIND) NIL) ("10" (GRIND) NIL) ("11" (GRIND) NIL) ("12" (GRIND) NIL) ("13" (GRIND) NIL) ("14" (GRIND) NIL) ("15" (GRIND) NIL) ("16" (GRIND) NIL))))))))))))
$$$RefSeq.pvs
RefSeq[R, U, Z: posnat]: THEORY
% This theory proves that DES(1) (Spec[R, U, Z, 1]) refines Seq.
%
% Structure of the argument as stated by the lemmas below:
%   R1        every Spec step (rhoc) has seq-side successor values related by rhostar
%   R2        a rhostar step is a seq.rho step
%   R3_theta  initial states of seq and Spec are related by alpha
%   R3_*      alpha is preserved by a Spec step paired with a rhostar step
%   R4        alpha-related states have equal observations
%
% Scope of the result: an observation (obsType) carries only register values,
% the instruction count and a pc.  Nothing else about RS, RAT, ROB or res is
% compared between the two systems, so R4 is a statement about those three
% fields only.
BEGIN

  IMPORTING SpecInv[R, U, Z, 1], seq[R], SpecInvsOneBuff[R, U, Z]

  % Unprimed names are pre-state values, names ending in _p are post-state values.
  % reg, pca and numinsta are the values handed to seq.THETA / seq.rho below;
  % pc, RF, RS, RAT, ROB, numinst and res are the values handed to the Spec relations.
  reg, reg_p: VAR [REG_ID -> VALUE]
  RF, RF_p: VAR [REG_ID -> RF_TYPE]
  RAT, RAT_p: VAR [REG_ID -> RAT_TYPE]
  ROB, ROB_p: VAR ROB_TYPE
  RS, RS_p: VAR [SLOT_ID -> RS_TYPE]
  res, res_p: VAR [FU_ID -> result_TYPE]
  pca, pca_p, pc, pc_p: VAR posnat
  numinst, numinst_p, numinsta, numinsta_p: VAR nat
  FU: VAR FU_ID
  S, S2: VAR SLOT_ID
  r: VAR REG_ID
  rb, rb2: VAR ROB_ID

  % Observation record shared by both systems; OC and OA below both return it.
  obsType: TYPE = [# registers: [REG_ID -> VALUE], numinst: nat, pc: posnat #]

  % Step relation for the seq-side values (reg, pca, numinsta) that accompanies one Spec step.
  %   - numinsta /= numinst_p: the seq side advances by one instruction (numinsta_p = numinsta + 1).
  %       * int_interrupt(pca, numinst + 1): pca_p is the interrupt address, registers unchanged.
  %       * otherwise: pca_p is the branch target for a taken BRANCH, else pca + 1; the target
  %         register t(prog(pca)) receives 1/0 for a BRANCH (taken / not taken) or the do_op
  %         result of the two source registers; all other registers keep their value.
  %   - numinsta = numinst_p: stutter step, reg, pca and numinsta are unchanged.
  % The parameters pc, ROB and pc_p are not referenced in the body.
  % NOTE(review): branch_act is applied to numinst + 1 for the pca_p update and to
  % numinsta + 1 for the register update.  alpha forces numinst = numinsta (via OC = OA),
  % but rhostar itself does not assume alpha -- confirm the mixed use is intended.
  rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p): boolean =
    IF numinsta /= numinst_p THEN
      IF int_interrupt(pca, numinst + 1) THEN
        pca_p = Int_interrupt_addr(pca, type_op(op(prog(pca)))) AND reg_p = reg AND numinsta_p = numinsta + 1
      ELSE
        pca_p = IF type_op(op(prog(pca))) = BRANCH AND branch_act(pca, numinst + 1) THEN br_target(prog(pca)) ELSE pca + 1 ENDIF
        AND reg_p = (LAMBDA r: IF r = t(prog(pca)) THEN IF type_op(op(prog(pca))) = BRANCH THEN IF branch_act(pca, numinsta + 1) THEN 1 ELSE 0 ENDIF ELSE do_op(op(prog(pca)), reg(src(prog(pca))(1)), reg(src(prog(pca))(2))) ENDIF ELSE reg(r) ENDIF)
        AND numinsta_p = numinsta + 1
      ENDIF
    ELSE
      pca_p = pca AND reg_p = reg AND numinsta_p = numinsta
    ENDIF

  % Register map that is 0 everywhere; the RF argument is not used in the body.
  reg_I(RF): [REG_ID -> VALUE] = (LAMBDA r: 0)

  % One Spec step: an issue, write-back or retire transition.
  % res_p is only passed to rho_writeb.
  rhoc(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p): bool =
    (rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p)
     OR rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p)
     OR rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p))

  % Observation of a Spec state: the v field of each register-file entry, the instruction
  % count, and a pc.  When wrap(ROB) holds the observed pc is the pc stored in the ROB
  % entry at head(ROB); otherwise it is the pc argument.
  OC(pc, RF, ROB, numinst): obsType =
    (# registers := (LAMBDA r: v(RF(r))), numinst := numinst, pc := IF wrap(ROB) THEN pc(robe(ROB)(head(ROB))) ELSE pc ENDIF #)

  % Observation of a seq-side state: its three components, unchanged.
  OA(reg, pca, numinsta): obsType = (# registers := reg, numinst := numinsta, pc := pca #)

  % Relation between a Spec state and a seq-side state: the Spec state satisfies
  % SpecInvOneBuff and the two observations are equal.
  alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta): bool =
    SpecInvOneBuff(RF, RS, RAT, ROB, pc, numinst) AND OC(pc, RF, ROB, numinst) = OA(reg, pca, numinsta)

  % For every Spec step there exist seq-side successor values satisfying rhostar.
  R1: LEMMA rhoc(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p) IMPLIES (EXISTS reg_p, pca_p, numinsta_p: rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p))

  % A rhostar step is a seq.rho step.
  % NOTE(review): numinst is passed in the position where R1 and R3_* pass numinsta,
  % so this lemma covers rhostar with numinsta instantiated to numinst -- confirm intended.
  R2: LEMMA rhostar(reg, pca, numinst, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p) IMPLIES seq.rho(pca, reg, numinst, pca_p, reg_p, numinsta_p)

  % Initial states of seq and Spec are related by alpha.
  R3_theta: LEMMA seq.THETA(pca, reg, numinsta) AND Spec.Theta(pc, RF, RS, RAT, ROB, numinst) IMPLIES alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta)

  % alpha is preserved by an issue step paired with a rhostar step.
  R3_issue: LEMMA rho_issue(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p) AND alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta) IMPLIES alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, reg_p, pca_p, numinsta_p)

  % alpha is preserved by a write-back step paired with a rhostar step.
  R3_writeb: LEMMA rho_writeb(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p) AND rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p) AND alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta) IMPLIES alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, reg_p, pca_p, numinsta_p)

  % alpha is preserved by a retire step paired with a rhostar step.
  R3_retire: LEMMA rho_retire(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p) AND rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p) AND alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta) IMPLIES alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, reg_p, pca_p, numinsta_p)

  % alpha is preserved by any Spec step (rhoc) paired with a rhostar step.
  R3_rho: LEMMA rhoc(pc, RF, RS, RAT, ROB, numinst, pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, res_p) AND rhostar(reg, pca, numinsta, pc, ROB, numinst, reg_p, pca_p, numinsta_p, pc_p, numinst_p) AND alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta) IMPLIES alpha(pc_p, RF_p, RS_p, RAT_p, ROB_p, numinst_p, reg_p, pca_p, numinsta_p)

  % alpha-related states have equal observations (OC = OA is a conjunct of alpha).
  R4: LEMMA alpha(pc, RF, RS, RAT, ROB, numinst, reg, pca, numinsta) IMPLIES OC(pc, RF, ROB, numinst) = OA(reg, pca, numinsta)

END RefSeq
$$$RefSeq.prf
(|RefSeq| (|rhostar_TCC1| "" (SUBTYPE-TCC) NIL) (|rhostar_TCC2| "" (SUBTYPE-TCC) NIL) (R1 "" (SKOSIMP*) (("" (EXPAND "rhostar") (("" (CASE "int_interrupt(pca!1, 1 + numinst!1)") (("1" (SIMP) (("1" (NEW-SPLIT-IF) (("1" (INST 2 "reg!1" "Int_interrupt_addr(pca!1, type_op(op(prog(pca!1))))" "1 + numinsta!1") (("1" (SIMP) NIL))) ("2" (INST 1 "reg!1" "pca!1" "numinsta!1") (("2" (SIMP) NIL))))))) ("2" (SIMP) (("2" (NEW-SPLIT-IF) (("1" (NEW-SPLIT-IF) (("1" (INST 1 "(LAMBDA (r: REG_ID[R]): IF r = t(prog(pca!1)) THEN IF branch_act(pca!1, 1 + numinsta!1) THEN 1 ELSE 0 ENDIF ELSE reg!1(r) ENDIF)" "br_target(prog(pca!1))" "1 + numinsta!1") (("1" (SIMP) NIL))) ("2" (INST 2 " (LAMBDA (r: REG_ID[R]): IF r = t(prog(pca!1)) THEN IF type_op(op(prog(pca!1))) = BRANCH THEN IF branch_act(pca!1, 1 + numinsta!1) THEN 1 ELSE 0 ENDIF ELSE do_op(op(prog(pca!1)), reg!1(src(prog(pca!1))(1)), reg!1(src(prog(pca!1))(2))) ENDIF ELSE reg!1(r) ENDIF)" "1 + pca!1" "1 + numinsta!1") (("2" (SIMP) NIL))))) ("2" (INST 1 "reg!1" "pca!1" "numinsta!1") (("2" (SIMP) NIL))))))))))))) (R2 "" (EXPAND "rhostar") (("" (EXPAND "rho") (("" (SKOSIMP*) (("" (SPLIT-ALL -) (("1" (INST 2 "false")
(("1" (SIMP) NIL))) ("2" (INST 3 "false") (("2" (SIMP) NIL))) ("3" (INST 1 "true") (("3" (SIMP) NIL))) ("4" (INST 3 "false") (("4" (SIMP) NIL))) ("5" (INST 4 "false") (("5" (SIMP) (("5" (SPLIT-ALL) (("5" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("5" (SPLIT-ALL) NIL))))))))) ("6" (INST 2 "true") (("6" (SIMP) NIL))))))))))) (|R3_theta| "" (EXPAND "alpha") (("" (LEMMA "SpecInvOneBuff_theta") (("" (SKOSIMP*) (("" (INST?) (("" (SIMP) (("" (HIDE -1) (("" (GRIND :IF-MATCH NIL) (("" (APPLY-EXTENSIONALITY 2 :HIDE? T) (("" (GRIND) NIL))))))))))))))))) (|R3_issue| "" (EXPAND "alpha") (("" (SKOSIMP*) (("" (LEMMA "SpecInvOneBuff_rho") (("" (INST?) (("" (SIMP) (("" (EXPAND "OC") (("" (EXPAND "OA") (("" (HIDE -1) (("" (EXP-INV-ISSUE) (("" (EXPAND "rhostar") (("" (SIMP) (("" (REPLACE*) (("" (SPLIT-ALL) NIL))))))))))))))))))))))))) (|R3_writeb| "" (EXPAND "alpha") (("" (SKOSIMP*) (("" (LEMMA "SpecInvOneBuff_rho") (("" (INST? :WHERE -2) (("" (INST? :WHERE +) (("" (INST? :WHERE -4) (("" (SIMP) (("" (SPLIT -) (("1" (SIMP) (("1" (EXPAND "OA") (("1" (EXPAND "OC") (("1" (SIMP) (("1" (REPLACE*) (("1" (HIDE -1 -4) (("1" (EXP-INV-WRITEB) (("1" (EXPAND "rhostar") (("1" (SIMP) (("1" (REPLACE*) NIL))))))))))))))))))) ("2" (SIMP) (("2" (INST?) NIL))))))))))))))))))) (|R3_retire| "" (SKOSIMP*) (("" (EXPAND "alpha") (("" (EXPAND "OC") (("" (EXPAND "OA") (("" (LEMMA "SpecInvOneBuff_rho") (("" (SKOSIMP*) (("" (INST? :WHERE 1) (("" (INST? :WHERE -4) (("" (SIMP) (("" (HIDE -1) (("" (EXPAND "rhostar") (("" (EXPAND "SpecInvOneBuff") (("" (EXP-INV-RETIRE) (("1" (EXPAND "SpecInv") (("1" (EXPAND "occEqual") (("1" (EXPAND "headTailEq") (("1" (SIMP) (("1" (INST?) (("1" (NEW-SPLIT-IF) (("1" (CLEAN-UP) (("1" (NEW-SPLIT-IF) NIL))) ("2" (CASE "not wrap(ROB!1) ") (("1" (SIMP) (("1" (INSTBEST) NIL))) ("2" (SIMP) (("2" (SPLIT -) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (REPLACE -27 :DIR RL) (("2" (NEW-SPLIT-IF -) (("1" (SPLIT -27) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (NEW-SPLIT-IF -) (("1" (APPLY-EXTENSIONALITY 2 :HIDE? 
T) (("1" (NEW-SPLIT-IF) NIL))) ("2" (EXPAND "EXOR") (("2" (PROPAX) NIL))))))))) ("2" (NEW-SPLIT-IF -) (("1" (CLEAN-UP) (("1" (NEW-SPLIT-IF -) (("1" (APPLY-EXTENSIONALITY 4 :HIDE? T) (("1" (NEW-SPLIT-IF) NIL))) ("2" (APPLY-EXTENSIONALITY 6 :HIDE? T) (("2" (NEW-SPLIT-IF) NIL))))))) ("2" (EXPAND "EXOR") (("2" (NEW-SPLIT-IF -) (("2" (APPLY-EXTENSIONALITY 4 :HIDE? T) (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))) ("2" (EXPAND "SpecInv") (("2" (EXPAND "wrapWraps") (("2" (EXPAND "occEqual") (("2" (SIMP) (("2" (INST? -) (("2" (CASE "not wrap(ROB!1)") (("1" (SIMP) (("1" (EXPAND "occ_buffer") (("1" (PROPAX) NIL))))) ("2" (SIMP) (("2" (SPLIT -6) (("1" (SIMP) NIL) ("2" (SIMP) (("2" (REPLACE*) (("2" (SIMP) (("2" (REPLACE -33 :DIR RL) (("2" (REVEAL -3) (("2" (EXPAND "EXOR") (("2" (SIMP) (("2" (SPLIT-ALL) (("1" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("1" (SPLIT-ALL) NIL))) ("2" (APPLY-EXTENSIONALITY 3 :HIDE? T) (("2" (SPLIT-ALL) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|R3_rho| "" (SKOSIMP*) (("" (EXPAND "rhoc") (("" (SPLIT -) (("1" (LEMMA "R3_issue") (("1" (INST?) (("1" (INST?) (("1" (SIMP) NIL))))))) ("2" (LEMMA "R3_writeb") (("2" (INST?) (("2" (INST?) (("2" (SIMP) NIL))))))) ("3" (LEMMA "R3_retire") (("3" (INST?) (("3" (INST?) (("3" (SIMP) NIL))))))))))))) (R4 "" (GROUND) (("" (EXPAND " alpha") (("" (SKOSIMP*) NIL))))))
$$$more_nat_types.pvs
more_nat_types[m: posnat]: THEORY
% Bounded subtypes of the naturals, parameterised by an upper bound m >= 1.
% Each type carries a CONTAINING clause naming a witness element, which gives
% rise to the *_TCC1 obligations recorded in more_nat_types.prf.
BEGIN

  % Naturals from 0 to m inclusive.  The conjunct i >= 0 already holds for
  % every nat; the effective constraint is i <= m.
  upto : TYPE = {i: nat | i >= 0 and i <= m } CONTAINING m

  % Positive naturals from 1 to m inclusive.  The conjunct not i = 0 already
  % holds for every posnat; the effective constraint is i <= m.
  upto_nz : TYPE = {i: posnat | i <= m and not i = 0} CONTAINING m

  % Positive naturals other than 1, i.e. naturals >= 2; does not depend on m.
  greater_one_nat : TYPE = {i : posnat | NOT i = 1} containing 2

END more_nat_types
$$$more_nat_types.prf
(|more_nat_types| (|upto_TCC1| "" (SUBTYPE-TCC) NIL) (|upto_nz_TCC1| "" (SUBTYPE-TCC) NIL) (|greater_one_nat_TCC1| "" (SUBTYPE-TCC) NIL))