% Fixes to this model... module0's xor as well as
% many other modules are incorrect... see below for
% correct ones.
%
% 5/25 morning: This is the correct model, and not
% the one in module0. Fix identified by Ganesh on the
% night of 5/24. Almost works. See below.
%
% 5/25 evening: Even this model needs a tiny amount of
% fixing. That's why the last theorem does not prove.
% Fix Courtesy of Robert Jones and John O'Leary.
% See xor (good xor - courtesy of Robert Jones and John O'Leary)
% and xor_wrong - "courtesy" of Ganesh.
%
% Reading guide:
%   Every circuit element (ntr, ptr, inv, bbuf, xor_naked, xor_wrong, xor)
%   is a ckt_constr record of three booleans, and a composite circuit is the
%   conjunction of its parts, field by field:
%     cons - the value constraint the element imposes (a transistor that
%            conducts forces its source and drain to agree);
%     driv - the "drivenness" constraint: when the element conducts and its
%            gate is driven, the driven-flags of source and drain agree;
%     need - dg or (s=d) per transistor; read together with the MORAL
%            comment before xor as the N of the triple (C, C/\D, C/\D ==> N)
%            -- the exact intended reading is not stated here, confirm.
%   Theorems annotated "does not prove" / "stuck" are negative sanity checks:
%   failure to prove is the expected outcome, so they stay unproved in the
%   theory and a proof-status report will list them as unfinished.

hoaretr: THEORY
BEGIN

% The 6-transistor XOR
% Weste and Esraghian, P. 317, 1985.
% Also in Winskel's paper, p. 345.
% The ckt is:
%
% ntr(in1, Gnd, temp)
% ptr(in1, Vdd, temp)
% ntr(in2, temp, out)
% ptr(in2, in1, out)
% ntr(temp, in2, out)
% ptr(in1, in2, out)
%
% (In the definitions below Gnd is the constant false and Vdd the
%  constant true; each signal x is paired with a driven-flag dx.)
%
% Prove that the output is driven.
%
% Other stuff may be proven (e.g. that this
% ckt is equivalent to a standard XOR)
%

% g/s/d: gate, source, drain values; dg/ds/dd: their driven-flags.
% i/o (di/do): input/output of the single-stage cells inv and bbuf.
g, dg, s, ds, d, dd, i, di, o, do : VAR bool

ckt_constr: TYPE = [# cons, driv, need : bool #]

% An n-transistor operating with g,dg,s,ds,d,dd as
% formal parameters
%
% cons: conducts when g is true, then s=d.
% driv: if it conducts, the gate is driven and at least one of s,d is
%       false, the driven-flags of s and d agree.  Note the precedence:
%       "g and dg and (...) IMPLIES (ds=dd)" is the whole conjunction
%       implying ds=dd.
% need: dg or (s=d).
%
ntr(g,dg,s,ds,d,dd): ckt_constr =
  (# cons := g implies (s=d),
     driv := g and dg and (not(s) or not(d)) IMPLIES (ds=dd),
     need := dg or (s=d) #)

% A p-transistor operating with g,dg,s,ds,d,dd as
% formal parameters
%
% Dual of ntr: conducts when g is false, and driv needs at least one of
% s,d to be true instead of false.
%
ptr(g,dg,s,ds,d,dd): ckt_constr =
  (# cons := not(g) implies (s=d),
     driv := not(g) and dg and (s or d) IMPLIES (ds=dd),
     need := dg or (s=d) #)

% An inverter
%
% ntr with source tied to false (Gnd), ptr with source tied to true (Vdd);
% both constant terminals are marked driven (ds = true).  The composite
% record is the field-wise conjunction of the two transistors.
%
inv(i,di,o,do): ckt_constr =
  LET nc = ntr(i,di,false,true,o,do),
      pc = ptr(i,di,true,true,o,do)
  IN (# cons := cons(nc) and cons(pc),
        driv := driv(nc) and driv(pc),
        need := need(nc) and need(pc) #)

% Check cons - this is an inverter
%
cons_chk: THEOREM cons(inv(i,di,o,do)) implies (o=not(i))
%
% proved via grind

% Check cons - this is NOT a buffer
% (negative check: expected to stay unproved)
%
cons_chk_nok: THEOREM cons(inv(i,di,o,do)) implies (o=i)

% Trying repeated skolemization, instantiation, and if-lifting,
% this yields 2 subgoals:
% cons_chk_nok.1 :
%
% {-1} i!1
% |-------
% {1} oh!1
%
% Rule? (postpone)
% Postponing cons_chk_nok.1.
%
% cons_chk_nok.2 :
%
% {-1} oh!1
% |-------
% {1} i!1
%
% Rule?

% Check driv - see if do when di
%
driv_chk: THEOREM driv(inv(i,di,o,do)) implies (di implies do)
%
% proved via grind

% Check that driv does NOT happen automagically
% (negative check: expected to stay unproved; the remaining sequent is
%  shown below)
%
driv_chk_nok: THEOREM driv(inv(i,di,o,do)) implies do
%
%
%
% |-------
%{1} di!1
%{2} do!1
%
%Rule?

% A "buffer" built like inv but with the constant terminals swapped:
% ntr on true, ptr on false.  The three theorems that follow record that
% it passes the value through (cons) but does not drive its output.
%
bbuf(i,di,o,do): ckt_constr =
  LET nc = ntr(i,di,true,true,o,do),
      pc = ptr(i,di,false,true,o,do)
  IN (# cons := cons(nc) and cons(pc),
        driv := driv(nc) and driv(pc),
        need := need(nc) and need(pc) #);

% Check this IS a buffer
cons_chk_buf: THEOREM cons(bbuf(i,di,o,do)) implies (o=i)
% grind does it

% Check this is not an inverter
cons_chk_buf_nok: THEOREM cons(bbuf(i,di,o,do)) implies (o=not(i))
% stuck

% Check there is no do even when di
driv_chk_buf_nok: THEOREM driv(bbuf(i,di,o,do)) implies (di implies do)
% stuck

in1,din1,in2,din2,out,dout,temp,dtemp: VAR bool

% 6-transistor naked XOR - define thus because
% let barfs at free variables...
%
% "Naked" = the internal node temp (and its driven-flag dtemp) is still a
% formal parameter; xor_wrong and xor below hide it by quantification.
% The six LET bindings are the six transistors of the ckt comment at the
% top, in the same order (nc1/pc1 form the in1 stage that produces temp).
%
xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp): ckt_constr =
  LET nc1 = ntr(in1,din1,false,true,temp,dtemp),
      pc1 = ptr(in1,din1,true,true,temp,dtemp),
      nc2 = ntr(in2,din2,temp,dtemp,out,dout),
      pc2 = ptr(in2,din2,in1,din1,out,dout),
      nc3 = ntr(temp,dtemp,in2,din2,out,dout),
      pc3 = ptr(in1,din1,in2,din2,out,dout)
  IN (# cons := cons(nc1) and cons(nc2) and cons(nc3) and
                cons(pc1) and cons(pc2) and cons(pc3),
        driv := driv(nc1) and driv(nc2) and driv(nc3) and
                driv(pc1) and driv(pc2) and driv(pc3),
        need := need(nc1) and need(nc2) and need(nc3) and
                need(pc1) and need(pc2) and need(pc3) #);

% Earlier form of the hidden-node xor with untyped binders, kept
% commented out for history; xor_wrong below is the same definition with
% the binders typed as bool.
%
%^xor(in1,din1,in2,din2,out,dout): ckt_constr =
%^
%^  (# cons := EXISTS (temp,dtemp):
%^            cons(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
%^     driv := EXISTS (temp,dtemp):
%^            driv(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
%^     need := FORALL (temp,dtemp):
%^            need(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)) #)

% See erratum above to understand why this is wrong.
% Basically the exists quantification for cons and driv
% are SEPARATE - so temp and dtemp are decoupled
%
% i.e. the temp/dtemp witnessing cons need not be the temp/dtemp
% witnessing driv, so driv may hold for an internal-node assignment the
% circuit cannot actually be in.  Kept so the *_wrong theorems below can
% exhibit the difference.
%
xor_wrong(in1,din1,in2,din2,out,dout): ckt_constr =
  (# cons := EXISTS ((temp:bool),(dtemp:bool)):
             cons(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
     driv := EXISTS ((temp:bool),(dtemp:bool)):
             driv(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
     need := FORALL ((temp:bool),(dtemp:bool)):
             need(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)) #);

%--- I don't understand why I need ";" above,... but w/o that it does not parse

% Corrected one -
% This couples temp and dtemp
% MORAL:
% before you hide using exists, put in the
% Hoare canonical form (C, C/\D, C/\D ==> N)
%
% Field by field, with X = xor_naked(...,temp,dtemp):
%   cons := EXISTS temp,dtemp: cons(X)                      -- C
%   driv := EXISTS temp,dtemp: cons(X) and driv(X)          -- C/\D
%   need := FORALL temp,dtemp: cons(X) and driv(X) implies need(X)
%                                                           -- C/\D ==> N
% Conjoining cons into driv is what ties the existential witness for
% driv to one the circuit can really be in.
%
xor(in1,din1,in2,din2,out,dout): ckt_constr =
  (# cons := EXISTS ((temp:bool),(dtemp:bool)):
             cons(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
     driv := EXISTS ((temp:bool),(dtemp:bool)):
             cons(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)) and
             driv(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)),
     need := FORALL ((temp:bool),(dtemp:bool)):
             cons(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)) and
             driv(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp))
             implies need(xor_naked(in1,din1,in2,din2,out,dout,temp,dtemp)) #)

% this is an xor - check cons
% Proves as expected!
cons_xor: THEOREM cons(xor(in1,din1,in2,din2,out,dout)) implies (out = not(in1=in2))

% Proves as expected!
% (cons is identical in xor and xor_wrong, so this is expected to agree
%  with cons_xor.)
cons_xor_wrong: THEOREM cons(xor_wrong(in1,din1,in2,din2,out,dout)) implies (out = not(in1=in2))

% Check if drive happens automagically - it mustn't
% does not prove - as expected
driv_chk_xor_nok: THEOREM driv(xor(in1,din1,in2,din2,out,dout)) implies dout

% does not prove - as expected
driv_chk_xor_wrong_nok: THEOREM driv(xor_wrong(in1,din1,in2,din2,out,dout)) implies dout

% does not prove - as expected
% (this is the property driv_chk_xor_ok establishes for the corrected xor;
%  its failure here is what distinguishes xor_wrong)
driv_chk_xor_wrong_nok1: THEOREM driv(xor_wrong(in1,din1,in2,din2,out,dout)) implies ((din1 and din2) implies dout)

% Check if drive happens if inputs driven and consistent operation
% Proves as expected!
% This is the "output is driven" goal from the header: both inputs driven
% and the circuit in a consistent state (cons is folded into driv of xor)
% forces dout.
driv_chk_xor_ok: THEOREM (driv(xor(in1,din1,in2,din2,out,dout)) implies ((din1 and din2) implies dout))

% does not prove - as expected
% NOTE(review): the hypothesis pairs driv of xor_wrong with cons of xor
% (not xor_wrong).  If the intent was to show that adding the circuit's own
% cons to xor_wrong's decoupled driv still does not recover drivenness,
% cons(xor_wrong(...)) would be the matching form -- confirm; cons is the
% same in both definitions, so the result should not change, but the
% statement reads as a mix of two models.
driv_chk_xor_wrong_ok: THEOREM (driv(xor_wrong(in1,din1,in2,din2,out,dout)) and cons(xor(in1,din1,in2,din2,out,dout))) implies ((din1 and din2) implies dout)

end hoaretr