UNLIMITED

n a stand and a stand and an an an an and a stand a stand a stan





じ つ

N-00

No. 4217

Ш,

25

œ

10 AV

# RSRE MEMORANDUM No. 4217

# ROYAL SIGNALS & RADAR ESTABLISHMENT

## SPECIFICATION OF VIPER2 IN Z

Author: D H Kemp

RELEASED UNDER AGREEMENT BUSING TEMPLE

96

-1

10

1/1

PROCUREMENT EXECUTIVE, MINISTRY OF DEFENCE, RSRE MALVERN, WORCS.



UNLIN ITED

### **ROYAL SIGNALS AND RADAR ESTABLISHMENT**

Memorandum 4217

Specification of Viper2 in Z

Author D.H. Kemp

Date October 1988

#### Summary

ļ

As a continuation of the use of the specification language Z which was used to specify the Viper1 microprocessor this paper covers the specification of the Viper2. This was completed before the definitive HOL specification was complete, therefore there is no proof of correspondence between the two. Using Z did highlight inconsistencies in the HOL specification that may not have appeared until later in the specification.

©Controller, HMSO 1988

#### 1. Introduction

1

This Memorandum is a description of the proposed Viper2 microprocessor using the specification language Z. The description is a continuation of the work done on the Viper1 processor <sup>1</sup>. This is a first attempt to specify the Viper2 and was done in parallel with the specification in Higher Order Logic (HOL)<sup>†</sup>. There may therefore be some inconsistencies between this document and the HOL description <sup>2</sup>. Where this occurs the latter should be taken as the definitive description.

In safety critical applications it is necessary to ensure that continued operation or safe shutdown of a system is achieved when erroneous data is input. There are two methods to increase the integrity of a system: to analyse the software for errors and to use a processor that is known to be functionally correct. Further confidence is achieved by using multi-channel systems incorporating processors of dissimilar technologies but with the same functionality. The functionality of any device is determined by the designers specification. If an error exists in this then all the channels in the system will experience the same common mode error.

By using a number of different methods to specify a processor, errors that may be present in one specification may become apparent in another. This is most effective when the methods used are basically different in character. This can be completed by using proofs of correspondence to confirm that the two texts have the same meaning.

An expertise in the use of Z already exists at RSRE and by using a Z editor and type checker available on the Computing Divisions PerqFlex workstations the task of specifying Viper2 made a useful project for a vacation student, who already had a Knowledge of Z. As a guide to the strategy required for this description J. Bowan's Z specification of the M6800 microprocessor<sup>3</sup> was used.

This report is the first attempt to specify the Viper2 in Z. It makes no attempt to explain the primary constructs of Z, nor to act as a tutorial in the use of Z to specify a microprocessor. Readers not familiar with Z should consult Specification Case studies <sup>4</sup> edited by I. Hayes. Although the specification has been type checked, it has neither been proved equivalent to the HOL specification nor to be free from errors. Any inconsistencies or errors found in this document should be reported back to the Computing Division, RSRE.

tHigher Order Logic (HOL) is a design tool developed at the Cambridge Computing Laboratory.

1



2 Besic Functions

2.1 Bits and Words

Bit ± {0,1}

Word  $\leq \{ w: \mathbb{N} \leftrightarrow B \mid t \mid \# w > 0 \land dom w = 0 \land (\#(w) - 1) \}$ 

Bits are represented as the set of elements with values 0 or 1. Words are represented as a set of partial functions from natural numbers to Bits. The natural numbers correspond to the position of the bit in the word, is the result of w(n) (the word w acting on the value n) gives the n+1<sup>th</sup> Bit of the word w.

V

-----

Find the most and least significant bits of the word.

val : Word → N ∀ μ : Word • (#μ=1) → ( val μ ≠ LSB μ ) (#μ>1) → ( val μ ≠ LSB μ + 2 \* val(succ;μ))

val returns the natural number represented by the word. Note succise gives the effect of a Right shift, is divide by two, on the word, is if succise is applied to n then first succine is calculated, and then wo of n+1 is calculated is the n+2<sup>th</sup> Bit is returned rather than the n+1<sup>th</sup> one.

pred : N<sub>1</sub> → N ∀n : N • pred n ≠ n = 1

Useful for left shifting (in a similar way to the technique described above).

(\_set\_) : (Word\*Bit) → Word  $\forall \mu$  : Word; b : Bit •  $\mu$  set b =  $\omega$ }{(0 $\mu$ b),(1 $\mu$ b)}

The set function returns a word which has all of its bits set to the specified value.

maxval : Word → N U µ : Word • VMaxval µ = val(µ set 1)

Z

⊢ ¬(Эµ:Word •((valµ)>maxvalµ))

Returns the maximum value which can be stored in the word.

The function wild returns the word of size size and set to the value valu (if that value can be held in a word of that size). Note no algorithm is given for calculating wild from its arguments, just the relationships which must hold between the word returned and the input arguments.

 $(\_^{}\_)$ : (Word:Word)  $\rightarrow$  Word  $\forall \mu 1, \mu 2$ : Word .  $\mu 1^{}\mu 2$  =  $\mu 1$  U (pred <sup>Nµ1</sup> ; µ2)

- + U H1,H2 : Word + #(H1^H2) = #H1 + #H2

Concatinate two words together.

and a subscription of the second s

2.2 Bitwise Functions

.

Generate the logical inverse of the input bit.

 $\begin{array}{c} (\_,\_), (\_+\_), (\_0\_) : (B(t*B(t) \rightarrow B(t)) \\ \hline \\ (\_+\_) = \{(0,0) \rightarrow 0, (0,1) \rightarrow 1, (1,0) \rightarrow 1, (1,1) \rightarrow 1\} \\ (\_0\_) = \{(0,0) \rightarrow 0, (0,1) \rightarrow 1, (1,0) \rightarrow 1, (1,1) \rightarrow 0\} \\ (\_,\_) = \{(0,0) \rightarrow 0, (0,1) \rightarrow 0, (1,0) \rightarrow 0, (1,1) \rightarrow 1\} \end{array}$ 

7

4

.

-

Standard bitwise logical functions. (note o is exclusive or)

4

#### 2.3 Logical fuctions on words

What : Ward >>> Ward U w : Word + what w = w ; hat

Generate the inverse of the input word.

WordPair ≙ {µ:N ↔ (Bit=Bit) | жн>0 ∧ dom н = 0 .. ((жн)-1) }

T

- 42

~~~~

(\_pair\_) : (Word×Word)→WordPair

U μ1.μ2 : Word + μ1 pair μ2 = ( i : N | ι∈ dom μ1 ∩ dom μ2 • ι ↔ ( μ1 ι.μ2 ι) }

Takes a pair of words and represents them as a set of bit pairs, indexed by a single natural number,

(\_and\_),(\_or\_),(\_exor\_) : (Word×Word)→Word

ਈ μ1/μ2 : Word + μ1 and μ2 = ((μ1 pa≀r μ2 ) ; (\_+\_)) μ1 or μ2 = {(μ1 pa≀r μ2 ) ; (\_+\_)) μ1 exor μ2 = ((μ1 pa≀r μ2 ) ; (\_o\_))

Standard wordwise logical functions.

(\_>>\_): (B:t×Word) → Word

∀и: Ward; b: Bit . b>>и= {((ми)-1) ∞ b} ∪ (succ Jи)

Shift right and left while inserting a particular bit into the right or left most position.

2.4 Arithmetic Functions

```
value : Word → Z
U н : Word •
((MSB н = 1) ∧ value н = val н - succ (maxval н )) v
((MSB н = 0) ∧ value н = val н )
```

 $7\sqrt{7}$ 

1

Return the integer value represented by the Word. This is using the 2's complement notation. (Remember the most significant bit has a weighting of  $-2^{n-1}$ . So to cope with negative numbers subtract  $2^n$ .

```
maxpos.maxneg : Word \rightarrow \mathbb{Z}

\forall \mu 1,\mu 2 : Word | \mu \mu 1 = ((\mu \mu 2)+1).

maxpos \mu 1 = maxval \mu 2

maxnes \mu 1 = (maxval \mu 2) - (maxval \mu 1)
```

Return the maximum positive and negative numbers for a word of a particular size.

(\_s·gnextend\_) : (Word=N<sub>1</sub>) → Word U w1,w2 : Word; length : N<sub>1</sub> | (length ≥ Mw1)<sub>A</sub>(Mw2 = length) • (w1 signextend length) = (w2 set (MSB w1)) • w1

Sign extends the word to the length specified.

(\_pad\_) : (Word=N<sub>1</sub>) → Word U w1,w2 : Word; length : N<sub>1</sub> | (length ≥ Mw1)<sub>A</sub>(Mw2 = length) . (w1 pad length) = (w2 set 0) • w1

Pad out a word to the new word length with zeros

(\_trim\_) : (Word×N<sub>1</sub>) → Word U µ : Word; length : N<sub>1</sub> | length ≤ ₩µ • µ trim length =(0 .. length) < µ

Trim a word down to the new word length. Note, use the above with caution, as it simply returs a word with the top bits 'trimmed' off. No check is made to ensure that the value of the word has not changed. (\_plus\_) : (Word×Word) → Word

 $\forall \mu_1, \mu_2, \mu_3 : Word | (M \mu_1) = ((M \mu_2)+1)_A (M \mu_2) = (M \mu_3) .$ ( $\mu_2$  plus  $\mu_3 = (\mu_1 \text{ trim } M \mu_2))$  $\Leftrightarrow (value \mu_1) = (value \mu_2) + (value \mu_3)$ 

7

The word returned by plus is the same size as the two input words, and holds the value of the sum of the two words, iff this value can be held in a word of that size.

> (\_times\_): (Word=Word) → Word U μ1,μ2,μ3: Word | (#μ1) = ((#μ2)\*2) A (#μ2) =(#μ3) . (μ2 times μ3 = (μ1 trim #μ2)) ↔ (value μ1)>(value μ2)\*(value μ3)

The word returned by times is the same size as the two input words, and holds the value of the product of the two words, iff this value can be held in a word of that size.

(\_m:nus\_): (Word=Word) → Word

The word returned by minus is the same size as the two input words, and holds the value of the difference of the two words, iff this value can be held in a word of that size.

(\_carry\_) : (Word×Word) → Bit

 $\forall w1,w2 : Word \bullet$ (w1 carry w2 = 1)  $\Leftrightarrow$  ((val w1) + (val w2) > maxval w1)

Top level specification of carry, is a carry is generated when the result is larger than the maximum possable value which can be stored.

Top level specification of carry for multiplication.

(\_borrow\_) : (Word=Word) → Bit

 $\forall \ \omega_1, \omega_2 : \text{Mord } \circ$ ( $\omega_1 \text{ borrow } \omega_2 = 1$ )  $\iff ((v_2 | \omega_1) < (v_2 | \omega_2))$ 

7

Top level specification of Borrow.

(\_overflow\_): (Word=Word) → Bit U w1:w2: Word | Mw1 = Mw2 + (w1 overflow w2 = 1) ↔ ( ( (value w1) + (value w2) > maxpos w1 ) v ( (value w1) + (value w2) < maxneg w2 ) )

 $7\sqrt{}$ 

Top level specification of overflow, is overflow when the sum is greater than the largest positive value which can be held; or less than the largest negative number.

(\_moverflow\_): (Word+Word) → B:t U H1.H2: Word | HH1 = HH2 . (H1 moverflow H2 = 1) ↔ ( ( value H1) + (value H2) > maxpos H1 ) v ( (value H1) + (value H2) < maxneg H2 ) )

Top level specification of overflow for multiplication.

Top level specification of overflow on subtraction.

(\_equal\_): (Word×Word) → Bit ₩ μ1,μ2: Word | #μ1 = #μ2 • (μ1 equal μ2 = 1) ↔ (val μ1 = val μ2)

Returns 1 if the two numbers are the same.

(\_less\_) : (Word×Word) → Bit U µ1,µ2 : Word | Nµ1 = Nµ2 . (µ1 less µ2 = 1 ) ↔ ( value µ1 < value µ2)

Returns 1 if the first number is less than the second-

This completes the underlying theory of representing natural number arithmetic by operations on vectors of bits.

**3 Viper Specifics** 

3.1 Hord Lengths

......

Address & Word<sub>20</sub> Data & Word<sub>32</sub> Flag & Word<sub>1</sub>

Values one.zero : Word True.False : Flag value zero = 0 value one = 1 True = (0+1) False = (0+0)

#### 3.2 Memory

The definition of the memory and peripheral spaces, and the behaviour of these two regions.

G

F

.

4

Memory Mem : Address → Data PERIspace : Address → Data RAMspace : Address → Data io : Bit (io = 0) → (Mem = RAMspace) (io = 1) → (Mem = PEFIspace)

If to is zero then all memory reads are from the RAM space. If to is one then all of the reads are from the PERIspace.

```
ΔMemory

Memory

Memory'

δMem : Address ↔ Data

(:o = 0) → (RAMspace' = RAMspace • δMem)

(:o = 1) → (RAMspace' = RAMspace)
```

If is is zero then any writes will affect the value in the memory if however is is one there are no changes to RAM. Note changes to PERI are not modeled.



No change in memory.

1

#### 3.3 Registers

1

1

The specification of the Viper2 registers.

[RegName]

Register & { r: RegName + Word | #r>0 }

The Registers are the partial function from Register names to Words.

V

Reg : RegName → Word Un : RegName; Regs : Register • Reg n = Regs n

Returns the value in the Register given as input.

| GeneralPurp<br>A.X.Y.Zi.Do |   |                    |
|----------------------------|---|--------------------|
| Reg A                      | e | Word <sub>32</sub> |
| Reg X                      | € | Word <sub>32</sub> |
| Reg Y                      | € | Word <sub>32</sub> |
| Reg Z1                     | € | Word <sub>32</sub> |
| Reg Double                 | € | Word <sub>64</sub> |
| Reg Double                 | = | (Res A) ^ (Res Z1) |

The four general purpose read write registers (note X.Y.21 are index registers. The register double is the concatination of the A and 2 registers.

AddressRegisters F.S.U.P : RegName Reg F & Word<sub>20</sub> Reg S & Word<sub>20</sub> Reg U & Word<sub>20</sub> Reg P & Word<sub>20</sub>

The four addressing registers. The Frame pointer F points to the start of the current stack frame. The Frame size S is the size of the current stack frame (ie the stack frame goes from F to F+S). The stack Limit U is the furthest up the stack is allowed to grow. Finally The Porgram Counter P is the position in memory where the current instruction was read from.

| DtherRegister<br>D.Watchdog.To |                      |
|--------------------------------|----------------------|
| Reg D                          | e Word <sub>32</sub> |
| Reg Watchdog                   | e Word <sub>32</sub> |
| Reg Temp                       | € Word <sub>32</sub> |

The three remaining registers. The D register is the error message register. If an error occurs then the error code for that particular error is placed in D. The Watchdog register is used when operating in untrusted mode. The value in Watchdog is the number of clock cycles left to complete any untrusted operations. The registers Temp hold the next 32-bit instruction to be executed.

C

| ProcessFlags<br>B,Postcall,T | rust : RegName      |
|------------------------------|---------------------|
| Reg 8                        | e Word <sub>1</sub> |
| Reg Postcall                 | e Word <sub>1</sub> |
| Reg Trust                    | € Word <sub>1</sub> |

The three process Flags are held as one bit registers. The B flag contains the result from various comparisons or unsigned arithmetic. The Postcall Flag is there to ensure that the Enter instruction always occurs after a call instruction, and never anywhere else. It is set true after a call and cleared during an enter. The Trust flag determines whether the machine is in trusted or untrusted mode.

| Reg E       | e Word,             |
|-------------|---------------------|
| Reg IA      | e Word <sub>1</sub> |
| Reg IX      | e Wordi             |
| Reg IY      | e Word1             |
| Reg IZ      | e Word <sub>1</sub> |
| Reg IB      | e Word <sub>1</sub> |
| Reg WE      | e Word <sub>1</sub> |
| Reg NoStack | e Word <sub>1</sub> |
| Reg NoSize  | e Word <sub>1</sub> |
| Res NoLimit | e Word,             |

The error flags. The E flag is set true if there has been an error. This is utilised by the Jump on error and Call on error instructions. The IA, IX, IY, IZ and IB flags show whether a register holds an invalid value, ie IA is true if A has not been loaded since the machine started, or since an error occured. The WE register is set if the Watchdog timer has Expired (hence WE). This flag will cause an

ı.

error to occur if it is set while the machine is in untrusted mode. It is ignored in trusted mode. The NoStack, NoSize and NoLimit Flags are set true if the F, S and U registers have not been set.

V

1

------

- 4

Regs & Errorflags A Processflags A OtherRegisters A AddressRegisters A GeneralPurposeRegisters

The Viper2 register types

Regs Registers : Register

The registers at split time consist of a 'bank' of registers and the Viper2 register types.

ΔRegisters registers registers' newp : Address NewWatchdog : Data NewWE : Flag δReg : RegName ↔ Word Registers' = Registers ● {P⊷newp,WE↔NewWE} ● {Watchdog→NewWatchdog} ● δReg

The Viper2 registers. The new values of the registers are the same as the old value, apart from the three registers which are always updated (the program counter watchdog timer and watchdog expired flag). These can be overwritten by any modifications to them in åReg. Any other changes in the registers (due to the various instructions) are also contained in åReg.

ERegisters ARegisters AReg = {}

All of the registers remain the same (apart from the three above)

#### 3.4 Clock

The Viper2 clock is not represented in the HOL specification. A definition is included here for completeness.

| ~ | Clo | 2k |   | _ |
|---|-----|----|---|---|
|   | Clk | ;  | N |   |
|   |     |    |   |   |

Clock simply counts up from 0.

| _ &Clock            |
|---------------------|
| Clock               |
| Clock'              |
| Cycles : N          |
|                     |
| Clk' = Clk + Cycles |

Cycles is the number of cycles needed to complete the present instruction. The parameter cycles is used by the Watchdog timer.

#### 3.5 Stop

Í.

The definition of the Stop Flag.

The single bit to determine whether the machine is stopped or not.

V

| _ 65top                                             |
|-----------------------------------------------------|
| δRegisters<br>Stop<br>Stop'<br>Values<br>sval : Bit |
| stop = 0<br>newp = Reg (P) plus one                 |

The machine has not stopped. The new value of the Program Counter is P+1. The value of stop' is set later in the specification.

3.6 Viper State

•

4

ł

ľ

ľ

ΔState & ΔMemory A ΔRegisters A ΔClock A ΔStop

The Viper2 changing state. The change in the Viper state is the change in memory and the change in registers and the change in stop.

 $\overline{C}$ 

ArithmeticAndLogicalUnit r.m : Data offs : Data base : Data Result : Data

The inputs and outputs to/from the ALU. r and m are the two inputs to the ALU and Result is the result from it. Base is the base address to read the memory (m) input to the ALU from and offs is the actual address of the read.

#### 3.7 Viper2 Operation Codes

.

Þ

| Viper       | 20pCode                                            |
|-------------|----------------------------------------------------|
| 0F          | : Word <sub>32</sub>                               |
| <b>s</b> 1  | : Wordz                                            |
| s2          | : Word <sub>4</sub>                                |
| s21         | : Word <sub>2</sub>                                |
| <b>s</b> 2u | : Word <sub>2</sub>                                |
| fq          | : Wordz                                            |
| fc          | : Word <sub>4</sub>                                |
| fcl         | : Wordz                                            |
| fch         | : Word <sub>2</sub>                                |
| addr        | : Word <sub>20</sub>                               |
| fc =        | s2 ^ s1 ^ fq ^ fc ^ øddr<br>fch ^ fc1<br>s2u ^ s21 |

The Viper2 Op code. Op is the op code and is loaded from the address pointed to by the Program Counter. The op code is the concatination of the five fields shown; s2, s1, fq, fc and addr. The fc and s2 fields are further subdivided into two 2 bit fields.

-----

- --

The s2 field selects the addressing mode for the m input to the ALU if the instruction is a data operation, or whether the operation is a control or write instruction. The s1 field selects the register (r) input to the ALU or the type of certain load instructions. The fq (functional qualifier) field selects the destination register of the data instructions, or whether the instruction is a control or a write instruction. It also determines the type of call or branch performed (is absolute or Program Counter relative). The fc (function code) determines the instruction to be performed. Finally the addr field determines the location to jump to, write to, read from etc.

3.8 Viper2 Overall State

ł

ĥ.

Viper2Inputs \_\_\_\_\_ attention : Bit reset : Bit

The two external input lines. These are assumed to be synchronous lines clocked in at the start of each instruction. The attention line is set by external devices to inform the processor when they require attention. It is polled by the Jump and Call on attention instructions.

🛶 🔨 - - -

| <u> <u>A</u>State</u>                                                                                                                                                     |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Ar i thmet i cAndLog i calUn : '<br>V : per 20pCode<br>V : per 21nputs<br>Values                                                                                          |
| ор ≠ Mem (Reg (P))<br>reset = 0<br>(Reg WE = False) → (NewWatchdog=(Reg Watchdog)<br>minus (wrd 32 Cycles))<br>(NewWE = True)→((Reg Watchdog) borrow (wrd 32 Cycles) = 1) |

The op code is the value in the memory location pointed to by Program Counter. The reset line must be low, otherwise the machine will reset. The new value of the Watchdog Expired flag will be set to True if the watchdog counter will became less than zero in the course of the present instruction (not quite true as WE in fact goes true immediately the Watchdog timer goes below zero). The watchdog timer is decremented if the WE flag is not set.

Stopped EMemory ERegisters Stop Stop' AClock stop = 1 stop' = 1 newp = Reg (P)

The machine has stopped, and cannot restart until there is a Reset.

| 3V; per 2    | - |
|--------------|---|
| ∆Viper2      |   |
| EMemory      |   |
| ERegisters   |   |
| <b>åStop</b> |   |
|              |   |

Viper state unchanged (except P, Watchdog and WE updated)

7

| Reset                                                                                                                                                      |
|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| EMemory                                                                                                                                                    |
| ôReg:sters                                                                                                                                                 |
| <b>SClock</b>                                                                                                                                              |
| <b>åStop</b>                                                                                                                                               |
| Viper 2Inputs                                                                                                                                              |
| Values                                                                                                                                                     |
| stop' = 0                                                                                                                                                  |
| reset = 1                                                                                                                                                  |
| val newp = 0                                                                                                                                               |
| δReg = {E⊶False,IA⇔True,IX⇔True,NoStack⇔True,NoSize⇔True,<br>IY⇔True,IZ⇔True,IB⇔True,Trust⇔True,NoLimit⇔True,<br>WE⇔False,Watchdog⇔((Reg Watchdog) set 1)} |

Machine status on a Reset. All of the Register Illegal flags are set to true (as the registers have not had any values loaded into them yet). The error flag is set false, as is the Watchdog Expired flag. The program counter is set to zero.

| V:per2INIT_<br>Reset | - |
|----------------------|---|
| C1k' = 0             |   |

Machine on start up.

Viper2\_machine\_state keeps

ΔClock, Stop, ΔStop, ΔViper2, 2Viper2, Viper2INIT. ΔMemory, 2Memory, registers, ΔRegisters, Clock, Address, Data, Flag, Memory, Reset, Reg, Word<sub>64</sub>, Word<sub>32</sub>, Word<sub>20</sub>, Word<sub>4</sub>, Word<sub>3</sub>, Word<sub>2</sub>, Word<sub>1</sub>, Stopped, RegName

This section specifies the inputs to the Viper2 ALU.

invalid : Hord - Bit

 $\forall \mu : Hord \bullet$ (invalid  $\mu = 1$ )  $\leftrightarrow$  (val  $\mu > maxval (Hrd 20 0)$ )

Returns True if the value is greater than can be held in a 20 bit word.

ErrorInstruction \_\_\_\_ &V:per2 ErrorValue : Data

The instruction being executed is illegal. The error code of the particular error is returned in ErrorValue.

| (Reg P)<br>fq = 3) $\mathbf{v}$ (val fc $\geq$ 7) |
|---------------------------------------------------|
|                                                   |

1

 $\mathcal{C}$ 

The program counter is about to carry, and the current instruction is not a jump. (there is no need to couse an error if the instruction is a jump, as there is no 'return' as in a call instruction).

#### 4 Viper Operations

#### 4.1 ViperZ ALU

This section specifies the vi input to the ViperZ ALU

7

F

- 4

-----

| Regis   | ste        | r Si | ele | ct _ |    |   | _   |      |
|---------|------------|------|-----|------|----|---|-----|------|
| ∆V i pi | er 2       |      |     |      |    |   |     |      |
| (val    | si         | =    | 0)  | -    | (r | = | Reg | A)   |
| (va)    | si         | =    | 1)  |      | (r | = | Reg | X)   |
| (val    | <b>s</b> 1 | =    | Z)  | -    | (r |   | Reg | Y)   |
| (val    | <b>s</b> 1 | =    | Э)  |      | (r | = | Reg | Z1 ) |
|         |            |      |     |      |    |   |     |      |

Select the register to be used as the r input to the ALU.

| _DataInstruction<br>AViper2 |  |  |  |  |  |  |
|-----------------------------|--|--|--|--|--|--|
| val s2 = 15                 |  |  |  |  |  |  |

The instruction is a data instruction. If s2 was 15 then it would be a control or write instruction.

4.2 Addressing Modes

GlobalAddressing DataInstruction val s2u = 0 Reg Trust = True base = addr pad 32

Relative addressing mode. The base address is the address in the Op code. The machine must be in trusted mode.

- 2 - B

 $\overline{C}$ 

```
_StackRelativeAddressing ______
DataInstruction
______
val s2u = 1
base = (addr pad 32) plus (Reg F pad 32)
```

Stack relative addressing. This gives access to local routine variables. The base address is the frame pointer offset by the address from the Op code. No check is made here to see if the address calculated is in the current stack frame. This is done in a later error frame.

```
ProgramCounterRelativeAddressing _____
DataInstruction
val s2u = 2
base = (addr pad 32) plus (Reg P pad 32)
```

Program Counter relative addressing. This gives access to constants embedded in the program. This allows routines to be relocatable in memory (ie standard RDMs can be bought which can plug straight into a system). The base address is the program counter plus the input address.

## AddressBases & GlobalAddressing v StackRelativeAddressing v ProgramCounterRelativeAddressing

The three basic addressing modes. The base address is offset by the various index registers (or not in the case of absolute addressing).

AbsoluteAddressing AddressBases vel s21 = 0 offs = base

Absolute Addressing. The location to read in from is simply the base address defined above.

```
XIndexedAddressing _____
AddressBases
val s21 = 1
offs = base plus (Reg X)
```

Indexed Addressing using the X index register. The location to read in from is the base address plus the value contained in the X index register. Note the value in X can be either a positive or a negative value. This can be used to index arrays etc.

T

| _ YIndexedAddressing |                            |   |  |  |  |  |  |  |
|----------------------|----------------------------|---|--|--|--|--|--|--|
| val s21<br>offs      | = 2<br>= base plus (Reg Y) | • |  |  |  |  |  |  |

Indexed Addressing using the Y index register. The location to read in from is the base address plus the value contained in the Y index register. Note the value in Y can be either a positive or a negative value. This can be used to index arrays etc.

| _ZIndexedAddressing |                           |    |  |  |  |  |  |  |  |
|---------------------|---------------------------|----|--|--|--|--|--|--|--|
| val sZl<br>offs     | = 3<br>= base plus (Reg Z | 1) |  |  |  |  |  |  |  |

Indexed Addressing using the Z index register. The location to read in from is the base address plus the value contained in the Z index register. Note the value in Z can be either a positive or a negative value. This can be used to index arrays etc.

IndexedAddressing # ZIndexedAddressing v YIndexedAddressing v AbsoluteAddressing v XIndexedAddressing

All of the simple addressing modes.

.

- -

IndexedAddressing IndexedAddressing val fc = 13 val s2 < 12 m = Mem (offs trim 20) io = 0

The simple addressing modes. This does not include the case of the monadic instructions, where a memory read will not be taking place, or the Immediate and Register addressing modes, where no memory read is taking place. The value on the io pin is zero, so the word read in is read from the RAM space. The m input to the ALU is the value in the location pointed to by offset. The case of offset being outside the 20 bit address space is dealt with in the errors later. ImmediateAddressing DataInstruction (val s2 = 12)<sub>A</sub>(m = addr pad 32) v (val s2 = 13)<sub>A</sub>(m = whot (addr pad 32))

77

The two Immediate Addressing modes. The minput to the ALU is the value in the address field padded with zeros to 32 bits, if s2 is 12. If s2 is 13 then the minput is this value inverted (ie 1's complement). This allows both negative and positive values to be used as constants.

V

· · · ·

#### 4.3 Access to General Purpose Registers

#### RegisterAddress 🔔

DataInstruction

| va | •] ⊆ | :2 = | 14 |  |
|----|------|------|----|--|
|    |      |      |    |  |

l

In this case the m input to the ALU is one of the general purpose registers A: X. Y, or Z. Which register is used is determined by the bottom two bits in the address field of the op code.

 $\overline{U}$ 

| RegisterAddress                   |  |
|-----------------------------------|--|
| (val addr) mod 4 = 0<br>m = Reg A |  |

. .

The A register is used as the m input to the ALU.

UseRegisterX \_\_\_\_\_ RegisterAddress

|          |        |      | _ | _ |
|----------|--------|------|---|---|
| (val add | dr) mo | od 4 | 2 | 1 |
| m ≖ Reg  | X      |      |   |   |

The X register is used as the m input to the ALU.

| UseRegisterY                      |  |  |  |  |  |  |  |
|-----------------------------------|--|--|--|--|--|--|--|
| RegisterAddress                   |  |  |  |  |  |  |  |
|                                   |  |  |  |  |  |  |  |
| (val addr) mod 4 ≈ 2<br>m = Res Y |  |  |  |  |  |  |  |

The Y register is used as the m input to the ALU.

\_UseRegister2 \_\_\_\_\_ RegisterAddress

(val addr) mod 4 = 3 m = Reg 21

The Z register is used as the m input to the ALU.

RegisterAddressing & UseRegisterA v UseRegisterX v UseRegisterY v UseRegisterZ

The four cases of register addressing.

MemoryRead & ImmediateAddressing v IndexAddressing v RegisterAddressing

The fifteen cases of memory addressing for the fifteen values s2 can have for any data instruction.

#### 4.4 Illegal Addressing Operations

| StackNotSet        |  |  |  |  |  |  |  |
|--------------------|--|--|--|--|--|--|--|
| DataInstruction    |  |  |  |  |  |  |  |
| ErrorInstruction   |  |  |  |  |  |  |  |
|                    |  |  |  |  |  |  |  |
| val s2u = 1        |  |  |  |  |  |  |  |
| Reg NoStack = True |  |  |  |  |  |  |  |

Keg Nostack = Irue ôMem = {} \_\_\_\_\_\_

Stack Relative addressing has been specified, however no stack has been set up (ie no value has been loaded into F).

7

UnsetX AddressBases ErrorInstruction val s21 = 1 Reg IX = True &Mem = {}

The X register has been selected as the index register to be used, but it has either not been loaded, or an error has occured in untrusted mode and all of the registers have been marked as illegal

UnsetY AddressBases ErrorInstruction val s21 = 2 Reg IY = True ôMem = {}

The Y register has been selected as the index register to be used, but it has either not been loaded, or an error has occured in untrusted mode and all of the registers have been marked as illegal

Unset2 AddressBases ErrorInstruction val s21 = 3 Reg I2 = True ôMem = {}

The Z register has been selected as the index register to be used, but it has either not been loaded, or an error has occured in untrusted mode and all of the registers have been marked as illegal

UnsetAddressingRegister & StackNotSet v UnsetZ v UnsetY v UnsetX

26

The four cases of illegally used registers.

IndexedAddressing ErrorInstruction

val fc = 13 val sZu = 1 ((val offs) < (val (Reg F)) v (val offs) > (val (Reg F)) + (val (Reg S))) ôMem = {}

\_ IllegalReadAddress \_\_\_\_ IndexedAddressing ErrorInstruction

val fc = 13 val s2 < 12 inval:d offs = 1 &Mem = {}

This is the only check that is needed to see if the address is valid. This is because the base address is at most a 21 bit number, so there can be no overflow on the first addition. The index register added to this base value can be one of four cases,

(1) The index register holds a +ve number and the result causes overflow. Then the MSB of result is one and hence above predicate detects the invalid address.

(2) The index register holds a +ve number and no overflow occurs. Then the address is valid iff the above predicate holds.

(3) The index register holds a -ve number and a carry occurs. Then the result must be a positive number less than the base. It is valid.

(4) The index register is negative and no carry occurs, is the index register held a negative number which was 'larger' than the base. This is detected as for -ve numbers MSB = 1, and hence invalid address.

The case of the index register and overflow cannot occur as base is ALWAYS positive.

E

#### 4.5 Illegal Source Registers



Register addressing has been specified, with the m input to the ALU coming from the A register. This register however does not contain valid data.

7

Register XInvalid \_\_\_\_\_ Register Address Error Instruction (val addr ) mod 4 = 1 Reg IX = True &Mem = ()

Register addressing has been specified, with the m input to the ALU coming from the X register. This register however does not contain valid data.

RegisterYInvalid RegisterAddress ErrorInstruction (val addr) mod 4 = 2 Reg IY = True ôMem = {}

Register addressing has been specified, with the m input to the ALU coming from the Y register. This register however does not contain valid data.

RegisterZInvalid RegisterAddress ErrorInstruction (val addr) mod 4 = 3 Reg IZ = True &Mem = ()-

Register addressing has been specified, with the m input to the ALU coming from the Z register. This register however does not contain valid data.

RegisterInvalid & RegisterAInvalid v RegisterXInvalid v RegisterYInvalid v RegisterZInvalid The four cases where an illegal register has been selected to be the  ${\tt m}$  input to the ALU.

 $\overline{}$ 

| ٦ | egisti<br>Viperi<br>rrorI | 2              |     |               |        | valn       | dEri     | ° 01 | -        |   |        | - |
|---|---------------------------|----------------|-----|---------------|--------|------------|----------|------|----------|---|--------|---|
| ( | (val<br>(val<br>(val      | sZ<br>fq<br>fc | * * | 15<br>3<br>6) | ^<br>^ | val<br>val | fc<br>fc | * <  | 13<br>12 | ) | ×<br>v | 1 |
| ٥ | Mem =                     | o              |     |               |        |            |          |      |          |   |        |   |

The instruction selected requires a register be the r input to the ALU. (is either a dyadic data instruction s2  $\neq$  15 and fc  $\neq$  13, a write instruction s2  $\approx$  15, fq = 3 and fc  $\langle$  12 (this last condition because fc  $\geq$  12 would give a different error code), or the instruction is decrement with branch on zero.

\_RegisterSelectAInvalid \_\_\_\_\_ RegisterSelectInvalidError val s1 = 0 Reg IA = True

The instruction requires the r input to the ALU to be the A register, but this register does not contain valid data.

\_RegisterSelectXInvalid \_\_\_\_\_ RegisterSelectInvalidError

val s1 = 1 Reg IX = True

The instruction requires the r input to the ALU to be the X register, but this register does not contain valid data.

\_RegisterSelectYInvalid \_\_\_\_\_ RegisterSelectInvalidError val si = 2 Reg IY = True

The instruction requires the r input to the ALU to be the Y register, but this register does not contain valid data.

\_RegisterSelectZInvalid \_\_\_\_\_ RegisterSelectInvalidError

val s1 = 3 Reg IZ = True

The instruction requires the r input to the ALU to be the Z register, but this register does not contain valid data.

RegisterSelectInvalid & RegisterSelectZInvalid v RegisterSelectYInvalid v RegisterSelectXInvalid v RegisterSelectXInvalid v RegisterSelectAInvalid

F

ſ

The four cases of illegal register being used for the r input to the ALU.

G

4.6 Comparison Operations

ŀ

| - CompareFrame              | _ |
|-----------------------------|---|
| RegisterSelect              |   |
| MemoryRead                  |   |
| Bresult : Word <sub>1</sub> |   |
|                             |   |
| δMem = {}                   |   |
|                             |   |

Framing schema for comparison operations. All registers are unchanged exept for the Program counter. B is set in the various comparisons below.

T

- 42

| GreaterThanOrEqualTo |  |
|----------------------|--|
| CompareFrame         |  |
|                      |  |

val fc = 0 Bresult = wrd 1 (not (r less m))

Bresult is set true if the r input is greater than or equal to the m input.

| _EqualTo          |                            |
|-------------------|----------------------------|
| Comparef          | rame                       |
| val fc<br>Bresult | = 1<br>= wrd 1 (r equal m) |

Bresult is set true if the r input is equal to the m input.

| _GreaterThan<br>CompareFrame          |                         |
|---------------------------------------|-------------------------|
| val fc = 2<br>Bresult = wrd 1 (not((r | less m) + (r equal m))) |

Bresult is set true if the r input is greater than the m input.

| UnsignedLessThan<br>CompareFrame           |  |
|--------------------------------------------|--|
| val fc = 3<br>Bresult = wrd 1 (r borrow m) |  |

Bresult is set true if the r input, treated as an unsigned integer, is less than the m input.

| AndEqualZero      |                                         |
|-------------------|-----------------------------------------|
| Compare           | r ame                                   |
| val fc<br>Bresult | = 4<br>= wrd 1 ((r and m) equal (zero)) |

Bresult is set true if the r input logically anded with the m input is equal to zero.

G

#### CompOp & AndEqualZerc v UnsignedLessThan v GreaterThan v EqualTo v GreaterThanOrEqualTo

The five basic comparison operations. B is loaded with the following

| Conditi<br>CompOp | n                      |
|-------------------|------------------------|
| val fq            | : (                    |
| bReg              | : (B+Bresult,IB+false) |

B is loaded with Bresult. The Illegal B flag is set false to show that the B register contains valid information.

| NotCondit<br>CompDp | ion                          |
|---------------------|------------------------------|
| val fq =            | 1                            |
| bReg =              | {B+++not(Bresult),IB++False} |

B is loaded with not Bresult. The Illegal B flag is set false to show that the B register contains valid information.

| BorCondition_<br>CompOp   |           |                     |
|---------------------------|-----------|---------------------|
| val fq = 2<br>åReg = (8+( | Reg(B) or | Bresult), IB+False} |

 ${\bf B}$  is loaded with Bresult or B. The Illegal B flag is set false to show that the B register contains valid information.

BorNotCondition CompOp val fq = 3 &Reg = {B+(Reg (B) or +not(Bresult)),IB+False}

B is loaded with not Bresult or B. The Illegal B flag is set false to show that the B register contains valid information.

Compare & Condition + BorNotCondition + BorCondition + NotCondition The four operations loading B with a result. There are  $15 \times 4 \times 20 = 1200$  compare operations out of the possible  $2^{12}$  Viper2 operations.

÷

k

•

l

4.7 Viper2 Arithmetic

•

,

) . 1

ķ

| _ALUInstruction                                      |
|------------------------------------------------------|
| RegisterSelect<br>MemoryRead<br>68 : RegName ++ Word |
| óMem ≈ {}                                            |

Framing schema for all of the ALU operations. Note memory cannot be changed.  $\delta B$  holds any changes to the B register.

7

1

| _SignedA<br>A∟UInst | ruction    |
|---------------------|------------|
| val fc              | * 5        |
| Result              | * r plus m |
| 88                  | = {}       |

Add r to m. There is no check for overflow, this is done later in an error schema.

| _Unsigne<br>ALUInst | dAdd                             |
|---------------------|----------------------------------|
| val fc              | = 6                              |
| Result              | = r plus m                       |
| ôB                  | = {B+wrd 1 (r carry m),IB+False} |

Add r to  $\mathbf{m}_r$  setting B if there is a Carry. IB is set false whatever the result.

| _SignedSubtract<br>ALUInstruction |                            |
|-----------------------------------|----------------------------|
|                                   | = 7<br>= r minus m<br>= {} |

. Subtract r from  $\mathfrak{m}_r$  . There is no check for underflow, this is done later in an error schema.

| Unsigne | dSubtract                         |
|---------|-----------------------------------|
| ALVInst | ruction                           |
| val fc  | ≖8                                |
| Result  | ≖rminusa                          |
| ΔB      | = {Boord 1 (г Боггон m).IBoFalse} |

ΔB = {B+++rd 1 (r borrow m).IB+False}

Subtract m from r, and setting B if there is a Borrow. IB is set false whatever the result.

| ALUInstruction |             |  |
|----------------|-------------|--|
| val fc         | = 12        |  |
| Result         | = r times m |  |
| 68             | = {}        |  |

. . . . . . . . . . . . . . . . . . .

ł

j.

1

Multiply r by m. There is no check for overflow, this is done later in an error schema.

ArithmeticOp & ( UnsignedAdd y SignedSubtract y SignedMultiply y UnsignedSubtract y SignedAdd )

The five arithmetic operations. There are  $15 \times 4 \times 5 = 300$  possible operations (ie 15 addressing modes by four register inputs by five Possible operations).

35

4.8 Logical Operations

| Exclus: | veOr       |
|---------|------------|
| ALUInst | ruction    |
|         | = 11       |
| Result  | = r exor m |
| 68      | = {}       |
|         |            |

Returns the exclusive or of the two input words.

V

· - F

| - <sup>And</sup> |           |
|------------------|-----------|
| ALUInst          | ruction   |
|                  |           |
| val fc           | * 9       |
| Result           | = r and m |
| 68               | = ()      |
|                  |           |

Returns the logical and of the two inputs.

| Or<br>ALUInst | ruction  |
|---------------|----------|
| val fc        | = 10     |
| Result        | = r or m |
| ØB            | = {}     |

Returns the logical or of the two inputs.

### LogicalOp & ( Or y And y ExclusiveOr )

The three logical operators. There are 15 = 4 = 3 = 180 possible logical operations.

#### 4.9 Lond Instruction

| _MonadicInstruction                      |  |  |
|------------------------------------------|--|--|
| IndexedAddressing<br>&B : RegName ↔ Word |  |  |
| val fc ≈ 13                              |  |  |

1

The operation is a monadic or load instruction. There is no register select, the only operand comes from the m input to the ALU. The register select field s1 is used to determine which operation is performed.

 $\overline{U}$ 

| LoadRegister     |                            |  |
|------------------|----------------------------|--|
| val s1<br>Result | = 0<br>= Mem(offs trim 20) |  |
| <b>δ</b> 8       | = {}                       |  |
| io               | = 0                        |  |

Simply load the register with a value from a memory location.

|        | NegateRegister                   |
|--------|----------------------------------|
| vel si | = 1                              |
| Result | = zero minus (Mem(offs trim 20)) |
| ðB     | = {}                             |
| io     | = 0                              |

Load and find the 2's complement of the value from a memory location. There is no check to see if there has been an overflow as this is done in a later error schema.

LoadEffectiveAddress MonadicInstruction val s1 = 2 Result = offs  $\Delta B$  = {} val s2 s 12 io = 0

Load the address detemined by the addressing mode into the result.

|         | omPERI              |
|---------|---------------------|
| Monadic | Instruction         |
| val si  | = 3                 |
|         | = Mem(offs trim 20) |
| δB      | <b>=</b> {}         |
| val sZ  | \$ 3                |
| 10      | = 1                 |
|         | -                   |

Load in a word from PERIpheral space.

## LoadOp & LoadRegister y LoadAndNegateRegister y LoadEffectiveAddress y InputFromPERI

U

One of the four load operations. There are  $15 \times 1 \times 4 \approx 60$  possible operations.

ALU & LogicalOp v ArithmeticOp v LoadOp

An ALU operation. At present there are 300 + 180 + 60 = 540 operations defined.

4.10 Destination Registers

| Result<br>ALU | ToA                         |
|---------------|-----------------------------|
| val fq        | = 0                         |
| ØReg          | = {A+Result, IA+False} • 68 |

Load the result from the ALU into the A register and set the IA flag false to show that there is valid data in the A register. Also set the B and IB flags if they should be set by this operation.

| -Result1 | X                            | _  |
|----------|------------------------------|----|
| ALU      |                              |    |
| val fq   | 1<br>{X⊷Result,IX⊶False} ● & | _  |
| DReg     | (X+Result, IX+talse) • Ot    | \$ |

Load the result from the ALU into the X register and set the IX flag false to show that there is valid data in the A register. Also set the B and IB flags if they should be set by this operation.

| ResultToY                                     | _ |
|-----------------------------------------------|---|
| ALU                                           | • |
| val fq = 2<br>bReg = {Y#Result,IY#False} • bB | • |

Load the result from the ALU into the Y register and set the IY flag false to show that there is valid data in the A register. Also set the B and IB flags if they should be set by this operation.



Load the result from the ALU into the Z register and set the IZ flag false to show that there is valid data in the A register. Also set the B and IB flags if they should be set by this operation.

#### ALUOP . ResultToA y ResultToX y ResultToY y ResultToZ1

Load one of the four general purpose registers. There are 540  $\times$  4  $\approx$  2160 possable operations. The two other function codes fc = 13, fc = 14 will give another 15  $\times$  4  $\times$  2  $\times$  4  $\approx$  480 operations. This means that in total there are 2640 data operations possible.

### 4.11 Exception Handling for ALU Operations

 $\overline{C}$ 

SignedAddOverflow ALUInstruction ErrorInstruction val fc = 5 (r overflow m) = 1 &Mem = {}

An overflow has occured on a signed add.

SignedSubtractUndeflow ALUInstruction ErrorInstruction val fc = 7 (r underflow m) = 1 oMem = {}

An underflow has occured on a signed subtract.

SignedMultiplyOverflow ALUInstruction ErrorInstruction val fc = 12 (r overflow m) = 1 &Mem = {}

An overflow has occured on a signed multiply.

```
_LoadAndNegateRegisterOverflow __
MonadicInstruction
ErrorInstruction
val s1 = 1
m = Mem(offs trim 20)
(zero underflow m) = 1
δMem = {}
```

An underflow has occured when loading and negating a register. This means that the value which was loaded must have been maxneg.

LoadEffectiveRddressError \_\_\_\_\_ Monad.cInstruction ErrorInstruction val s1 = 2 val s2 > 12 bMem = ()

Illegal operation, if s2 > 12 then it is immediate or register addressing, is there is no 'effective address'.

T

- Y.

-----

InputFromPERIError MonadicInstruction ErrorInstruction val s1 = 3 val s2 > 3 oMem = ()

The operation is an input from PERI, but the addressing mode is not global.

IllegalAddress \_\_\_\_\_ MonadicInstruction ErrorInstruction val s1 = 2 invalid offs = 1 offem = {}

The operation has been defined as a load address but the address is not legal.

MonError & LoadEffectiveAddressError v InputFromPERIError MonadError & MonError v ? (MonError) A IIIegalAddress Monad:cError & MonadError v ? (MonadError) A LoadAndNegateRegisterDverflow

Needed to cope with two errors in the same instruction. A load Effective Address Error will be noticed before an Illegal Input Address error which will be noticed before a Load and negate register overflow.

ArithError & SignedAddOverfloн v SignedSubtractUndefloн v SignedMultiplyOverfloн v MonadicError The Errors which can occur during ALU operations.

.

- 45

## 4.12 Jumps and Calls

\_ControlInstruction \_

| MemoryRead |  |  |  |  |
|------------|--|--|--|--|
| val<br>val |  |  |  |  |

The instruction is a control instruction.

7

\_\_\_\_\_\_DestinationSelect ControlInstruction Destination : Word<sub>32</sub> (val fq = 0)<sub>A</sub>(Destination = addr pad 32) (val fq = 1)<sub>A</sub> (Destination = (addr pad 32) plus (newp pad 32)) (val fq = 2)<sub>A</sub> (Destination = (addr pad 32) minus (newp pad 32))

The framing schema for a jump or a call. Destination is the location to call or branch to. Note three types of jump, absolute or Program Counter relative forwards or backwards.



Unconditional jump. P is loaded with the value of destination.

| _JumpIfError                                                                          |
|---------------------------------------------------------------------------------------|
| DestinationSelect                                                                     |
| val fc = 1                                                                            |
| Reg Trust = True                                                                      |
| val (Reg E) = 1                                                                       |
| &Reg * {P+(Destination trim 20), IA+False,<br>IX+False, IY+False, IZ+False, IB+False} |
| ôffem = {}                                                                            |

Jump if the E (error) flag is set. Set all of the Illegal Register flags to false?

```
JumpIfBSet _____
DestinationSelect
```

T

val fc = 2 val (Reg B) = 1 åReg = {P+(Destination trim 20)} åMem = {}

Jump if the B flag is set.

Ī

₽

\_JumpIfBNotSet \_\_\_\_\_ DestinationSelect

val fc = 3 val (Reg B) = 0 δReg = {P↔(Destination trim 20)} δMem = {}

Jump if the B flag is not set.

JumpIfAttent:onSet \_\_\_\_\_ Destinat:onSelect val fc = 4 attention = 1 åReg = {P↔(Destinat:on trim 20)} åMem = {}

Jump if the attention input to the Viper2 microprocessor is set.

\_\_\_JumpIfAttentionNotSet \_\_\_\_

DestinationSelect

val fc = 5 attention = 0 åReg = {P⇔(Destination trim 20)} åMem = {}

Jump if the attention input to the Viper2 microprocessor is not set.

| Contri<br>EV:pe | olInstruct<br>r2 | ion              |      |
|-----------------|------------------|------------------|------|
| ((va)           | fc = 1)          | (val (Reg E) = 0 | )) v |
| ((va)           | fc = 2)          | (val (Reg B) = 0 |      |
| ((va)           | fc = 3)          | (val (Reg B) = 1 | )) v |
| ((va)           | fc = 4)          | (attention = 0)) |      |
| ((val           | fc = 5)          | (attention = 1)) |      |

If the Jump condition is false, then Viper2 state the same (apart from the Program counter increment).

1

DecrementAndJumpOnNotZero DestinationSelect RegisterSelect ∂PC : RegName → Data val fc = 6 Result = r minus one (Result = zero) → (ôPC = {P+(Destination trim 20)}) (Result = zero) → (ôPC = {}) (val s1 = 0) → (ôReg = {A+Result,IA+False} • ôPC) (val s1 = 1) → (ôReg = {A+Result,IA+False} • ôPC) (val s1 = 2) → (ôReg = {Y+Result,IX+False} • ôPC) (val s1 = 3) → (ôReg = {Y+Result,IY+False} • ôPC) (val s1 = 3) → (ôReg = {Z1+Result,IZ+False} • ôPC) ôMem = {}

Decrement the selected register, and jump if it is not zero.

CallInstruction \_ DestinationSelect ØFlags : RegName → Data TopOfCallFrame,BottomOfNewWorkspace : Data BottomDfCallFrame,ProgramStatusWord : Data BottomOfCallFrame = ((Reg F) pad 32) plus ((Reg S) pad 32) = BottomOfCallFrame plus one Toolf[a]]Frame ProgramStatusWord = (Reg P) pad 32 • {20+val(Reg Trust)} BottomOfNewWorkspace = TopOfCallFrame plus one = {(BottomOfCallFrame trim 20)++(Reg F), (TopOfCallFrame trim 20)++(PregramStatusWord)} ållen = {F+(BottomOfNe+Workspace), 6Reg P+(Destination trim 20),Postcall+True} • **bFlags** 

The Call instruction. Set up the link frame on the stack, set the frame pointer to point to the bottom of the new workspace, set the postcall register to True to ensure that the next instruction is an Enter and load in the new value for the program counter. The value in the error flags may also alter if there is a call on Error instruction. The link frame consists of two data words.

The first word is placed in the location above the top of the previous stack frame and is loaded with the old frame pointer. The second word is placed in the location above the first word. This holds the return program counter as well as the old value of the trust bit.

```
CallInstruction
```

val fc = B &Flags = C

المحاج فالفاح التياري المراجع

Unconditional jump. P is loaded with the value of destination.

T

CallIfError CallInstruction val fc = 9 val (Reg E) = 1 oflags = (IAHFalse,IXHFalse,IYHFalse, IZHFalse,IBHFalse,EHFalse)

Call (f the E (error) flag (s set. Set all of the Illegal Register flags to false?

CallIfBSet \_\_\_\_\_ CallInstruction val fc = 10 val (Reg B) = 1 &Flags = {}

Call if the B flag is set.

CallIfBNotSet CallInstruction val fc = 11 val (Reg B) = 0 oFlags = {}

Call if the B flag is not set.

| CallifAttentionSet                          |
|---------------------------------------------|
| val fc = 12<br>attention = 1<br>&Flags = {} |

Call if the attention input to the Viper2 microprocessor is set.

CallIfAttentionNotSet \_\_\_\_ CallInstruction val fc = 13 attention = 0 &Flags = {}

Call if the attention input to the ViperZ microprocessor is not set.

| FailedCallCondition<br>ControlInstruction<br>EViper2 |             |
|------------------------------------------------------|-------------|
|                                                      | *<br>*<br>* |

1

G

If the Call condition is false, then Viper2 state the same (apart from the Program counter increment).

47

------

#### 4.13 Copy Instruction

CopyFromRegisterToGeneralPurposeRegister \_ ControlInstruction ad : N val fc = 7val fq = 0 ad = (val addr) mod 15 (ad = 0) → (Result = Reg A) (ad = 1) and (Result = Reg X) (ad = 2) → (Result = Reg Y) (ad = 3) - (Result = Reg Z1) (ad = 4) → (Result = (Reg P) pad 32) (ad = 5) → (Result = (Reg F) pad 32)  $(ad = 6) \rightarrow (Result = (Reg S) pad 32)$ (ad = 7) → (Result = (Res U) pad 32) (ad = 8) → (Result = (Reg Watchdog) pad 32)  $(ad = 9) \implies (Result = Reg D)$ 

5

- 48

V

Copy from a register to a gebneral purpose register.

CopyToGeneralPurposeRegister \_\_\_\_

CopyFromRegisterToGeneralPurposeRegister

 $(val si = 0) \rightarrow (\delta Reg = \{A \neg Result, IA \neg False\}) \\ (val si = 1) \rightarrow \{\delta Reg = \{X \neg Result, IX \neg False\}) \\ (val si = 2) \rightarrow (\delta Reg = \{Y \neg Result, IY \neg False\}) \\ (val si = 3) \rightarrow (\delta Reg = \{Z \neg \neg Result, IZ \neg False\})$ 

Place value in general purpose register.

```
CopyFromGeneralPurposeRegisterToRegister _
ControlInstruction
RegisterSelect
ad : N
val fc = 7
val fq = 1
Reg Trust = True
ad = (val addr) mod 16
(ad = 0) \rightarrow (\delta Reg = (A + r_1 A + False))
(ad = 1) → (åReg = {X+r,IX+False})
(ad = 2) \rightarrow (\delta Reg = {Y_{HF}, IY_{HF}})
(ad = 3) → (&Reg = {Z1+r,IZ+False})
(ad = 4) \rightarrow (\delta Reg = (P \mapsto (r \ trim 20)))
(ad = 5) → (ÅReg = {F+(r trim 20),NoLimit+True,
NoSize+True,NoStac(+False})
(ad = 6) → (åReg = (S⊷(r trim 20),NoS:ze+False})
(ad = 7) → (åReg = (U+(r trim 20),NoLimit+False))
(ad = 8) → (åReg = {Watchdog↔(r trim 16),WE↔False})
(ad = 9) \rightarrow (\delta Reg = \{D_{HT}\})
```

48

Copy a value from a general purpose register to a special register.

V

ſ

.

b

4.14 Enter and Return

| ControlInstruction                                                                                                                                                                                                                                            |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <pre>val fc = 14 (val (Reg F)) + (val addr) + 2 ≤ (val (Reg U)) Reg Postcall = True (val fq = 0) → (δReg ={S+addr,Postcall+False}) (val fq = 1) → (δReg ={S+addr,Trust+False,Postcall+False}) (val fq = 2) → (δReg ={S+addr,Trust+True,Postcall+False})</pre> |
| <pre>(val fq = 0) → (&amp;Reg ={Swaddr,PostcallwFalse}) (val fq = 1) → (&amp;Reg ={Swaddr,TrustwFalse,PostcallwFalse}) (val fq = 2) → (&amp;Reg ={Swaddr,TrustwTrue,PostcallwFalse})</pre>                                                                    |

 $7\nabla$ 

The Enter Instruction. This must be executed immediately after a call instruction. If it is called at any other time it will generate an error. The enter instruction sets up the frame size required by the routine, after checking that at least 2 words of memory are free at the top of the new frame to accomadate a call instruction in the new routine. It also sets up the trusted ness of the routine. Finally the postcall bit is reset.

| _Return                       |                                                                                                                                |
|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| CallInstruction               |                                                                                                                                |
| TopOfCallFrame                | = (Reg F) minus one                                                                                                            |
| ProgramStatusWord             | = Mem(TopOfCallFrame)                                                                                                          |
| BottomOfCallFrame             | = TopOfCallFrame minus one                                                                                                     |
| BottomOfNewWorkspace          | = Mem(BottomOfCallFrame)                                                                                                       |
| P+(Prog<br>Trust+(<br>S+(Bott | omOfNewWorkspace),<br>ramStatusWord trim 20),<br>ProgramStatusWord 20),<br>omOfCallFrame minus<br>tomOfNewWorkspace trim 20))} |
|                               |                                                                                                                                |

The Return from subroutine command. This basically undoes the call command. The frame pointer (F) program counter and trust bit are reloaded from the link frame. The value in the frame size register is calculated and loaded back in.

Copies & CopyFromGeneralPurposeRegisterToRegister v CopyToGeneralPurposeRegister

The two copy commands. This covers 1 = 4 = 1 = 2 = 8 operations.

Jump 

JumpIfAttentionSet v JumpIfBNotSet v
DecrementAndJumpOnNotZero v JumpIfAttentionNotSet v
JumpIfBSet

Jumps 🔺 Jump 🗸 FailedJumpCondition

The seven jump commands. This covers 1 = 4 = 7 = 3 = 84 operations.

## Call 🛎 UnconditionalCall y CallIfError y CallIfB5et y CallIfBNotSet y CallIfAttentionSet y CallIfAttentionNotSet

4

Calls & Call v FailedCallCondition

 $7^{\checkmark}$ 

.

**k** 

ł

I

.

.

i i The six call commands. This covers 1 = 4 = 5 = 3 = 72 operations.

Control 🛎 Calls 🗸 Jumps 🗸 Copies 🖌 Enter 🖌 Return

The control operations. There are 8 + 84 + 72 + 1 + 4 + 2 + 3 = 188 operations.

## 4.14 Illegal Calls and Jumps

ł

| _ IllegalJump            | _ | _ |
|--------------------------|---|---|
| Jump<br>ErrorInstruction |   |   |
|                          |   |   |
| invalid Destination      | _ | 1 |

The operation is a jump but the destination is not in memory space.

4

 $7^{1}$ 

IllegalJumpCondition Jumps ErrorInstruction Reg IB = True (val fc = 2) v (val fc = 3)

The jump is dependent on B, but B has not been set.

```
IllegalJumps ≜ IllegalJump ♥
IllegalJumpCondition
```

.

Framing schema for Call errors.

IllegalDestination \_\_\_\_\_ IllegalCallError invalid Destination = 1 ôMem = {}

The operation is a call but the destination is not in memory space.



The bottom of the call space is not in memory.

\_IllegalTopOfCallFrame \_\_\_\_ IllegalCallError

invalid TopOfCallFrame = 1 δMem = {(BottomOfCallFrame trim 20)⊶(Reg F)}

T

The top of the call space is not in memory. This is only noticed after the first write to memory has been made.

\_\_IllegalBottomOfNewWorkspace \_\_ IllegalCallError

```
invalid BottomOfNe∺Workspace = 1
δMem = {(BottomOfCallFrame trim 20)∺(Reg F),
(TopOfCallFrame trim 20)∺(ProgramStatusWord)}
```

The bottom of the new work space is not in memory. This is only noticed after the first two writes to memory have been made.

\_StackNotSet \_\_\_\_\_ IllegalCallError (Reg NoStack = True) ν (Reg NoSize = True) δMem = {}

A call has been made with the stack not set.

IllegalCalls 
 IllegalDestination v
 IllegalBottomDfCallFrame v
 IllegalTopOfCallFrame v
 IllegalBottomOfNewWorkspace v
 StackNotSet

All of the Illegal Call schemas.

## 4.15 Illegal Copy

| ControlInstruction<br>ErrorInstruction                                                                                                                    |                                                |                                                                |                            |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|----------------------------------------------------------------|----------------------------|
| <pre>val fc = 7 val fq = 0  &amp;Mem = {} ((val addr = 0) (val addr = 1) (val addr = 1) (val addr = 3) (val addr = 5) (val addr = 6) (val addr = 6)</pre> | A (Reg<br>A (Reg<br>A (Reg<br>A (Reg<br>A (Reg | IX = True<br>IY = True<br>IZ = True<br>NoStack =<br>NoSize = 1 | v<br>V<br>True)v<br>True)v |

ſ

Attempt to copy invalid register.

| _CopyError2                                                                                                                             |
|-----------------------------------------------------------------------------------------------------------------------------------------|
| ControlInstruction<br>ErrorInstruction                                                                                                  |
|                                                                                                                                         |
| val fc = 7<br>val fg = 1                                                                                                                |
| Reg Trust = True                                                                                                                        |
| δMem = {}<br>((val s1 = 0) κ (Reg IA = True) ν                                                                                          |
| (val s1 = 1) $\wedge$ (Reg IX = True) $\vee$<br>(val s1 = 2) $\wedge$ (Reg IY = True) $\vee$<br>(val s1 = 3) $\wedge$ (Reg IZ = True) ) |

Attempt to copy invalid register.

| IllegalCopy<br>ControlInstruction<br>ErrorInstruction      |
|------------------------------------------------------------|
| val fc = 7<br>val fq = 1<br>Reg Trust = False<br>&Mem = {} |

Attempt to copy to protected register, in untrusted mode.

IllegalCopies 🔺 CopyError1 v CopyErrorZ v IllegalCopy Error in copying from register to register.



## 4.16 Postcell and Enter Errors

PostcallNotSet \_\_\_\_\_ ControlInstruction ErrorInstruction val fc = 14 Reg Postcall = False &Mem = {}

Postcall is not set and Enter has been found, ie Enter has occured somewhere other than at the start of a subroutine.

Ū

· · · ·

T

----

\_EnterNotFound \_\_\_\_\_ ControlInstruction ErrorInstruction val fc ≠ 14 Reg Postcall = True δMem = {}

Postcall is set and Enter has not been found, ie Enter has not occured at the start of a subroutine.

| _StackOverflow<br>ControlInstruction<br>ErrorInstruction                |                           |
|-------------------------------------------------------------------------|---------------------------|
| val fc = 14<br>(val (Reg F)) + (val<br>Reg Postcall = True<br>ôMem = {} | addr) + 2 > (val (Reg U)) |

The stack cannot accomadate the present frame.

# 4.17 Write Operations

ł

| WriteInstruction<br>RegisterSelect |
|------------------------------------|
| val s2 = 15                        |
| val fq = 3                         |
| val fc ≤ 11                        |
| δReg = {}                          |
|                                    |

Write instruction. Note fo > 11 is an illegal op code.

1

7

| GlobalWrite<br>WriteInstruction                                 |
|-----------------------------------------------------------------|
| val fch = 0<br>base = addr pad 32<br>io = 0<br>Reg Trust = True |

Write to Global memory.

| Γ       | ackFrameWrite                |
|---------|------------------------------|
| val fch | = 1                          |
| base    | = (addr pad 32) plus (Reg F) |
| io      | = 0                          |

Write to local stack frame.

| OutputTo<br>WriteIns  | PERIstruction               | - |
|-----------------------|-----------------------------|---|
| val fch<br>base<br>io | = 2<br>= addr pad 32<br>= 1 |   |

Output to PERIpheral.

WriteBase & GlobalWrite v LocalStackFrameWrite v OutputToPERI

The three addressing modes.

| _Write<br>Write   |                   | e |             |   | . <u> </u>           | _ |      |                           |      |    |    |
|-------------------|-------------------|---|-------------|---|----------------------|---|------|---------------------------|------|----|----|
| val<br>val<br>val | fcl<br>fcl<br>fcl | * | 1<br>2<br>3 | * | offs<br>offs<br>offs | * | base | plus<br>plus<br>plus<br>} | (Reg | Y) | v. |



#### 4.18 Write Errors

|                      | or                                                                                                                                         |
|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| (val fcl<br>(val fcl | = 0) A (offs = base) v<br>= 1) A (offs = base plus (Reg X)) v<br>= 2) A (offs = base plus (Reg Y)) v<br>= 3) A (offs = base plus (Reg 21)) |

V

Write error framing schema.



The index register specified is illegal.

| GlobalWriteError<br>WriteError               |
|----------------------------------------------|
| val fch = 0<br>ôMem = {}<br>invalid offs = 1 |

The write location is not in the memory space.



The write location is not in the stack frame.

| _GlobalOutputError<br>WriteError |
|----------------------------------|
| val fch = 2<br>&Mem = {}         |
| invalid offs = 1                 |

The output location is not in the memory space.

\_\_\_\_ 7 IllegalWriteAddress ≜ GlobalWriteError v StackFrameWriteError v GlobalOutputError v IllegalIndex The Write Errors.

## 4.19 Other ViperZ Errors

| WatchdogTimout<br>AViper2<br>ErrorInstruction |
|-----------------------------------------------|
| Reg WE = True<br>Reg Trust = False            |

The watchdog timer has timed out, and Viper2 is in untrusted mode.

F

| IllegalOpCode                                                                    |     |
|----------------------------------------------------------------------------------|-----|
| ΔViper2<br>ErrorInstruction                                                      |     |
| <pre>val s2 = 15 ((val fc = 6) ^ (val fq = 2) ((val fq = 3) ^ (val fc ≥12)</pre> | ) v |

An illegal Op code. There are  $1 \times 4 \times 1 \times 1 + 1 \times 4 \times 1 \times 4 = 20$  possibilities.

```
Viper2_Error 
# IllegalP
Viper2_Error 
# UnsetAddressingRegister v
RegisterSelectInvalid
V
RegisterInvalid
V
IllegalReadAddress
ArithError
V
IllegalJumps
V
IllegalLopies
V
LimitNotSet
V
EnterNotFound
V
StackOverflow
V
IllegalWriteAddress
V
UllegalUpFode
V
```

The Viper2 Error conditions.

arb : Word → Word

U w1,w2 : Word | #w1 = #w2 . w1 = arb w2

The arb function, is no relationship between input and output words

| TrustedError<br>Viper2_Error  |
|-------------------------------|
| Reg Trust = True<br>stop' = 1 |

Error in trusted state, machine stops.

| UntrustedError<br>Viper2_Error<br>CallInstruction                                                                                                                                                                                                                                                                                                                     |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Reg Trust = False         TopOfCallFrame       = (Reg F) minus one         ProgramStatusWord       = Mem(TopOfCallFrame)         BottomOfCallFrame       = TopOfCallFrame minus one         BottomOfCallFrame       = TopOfCallFrame minus one         BottomOfCallFrame       = TopOfCallFrame minus one         BottomOfNewWorkspace       = Mem(BottomOfCallFrame) |
| stop'=0                                                                                                                                                                                                                                                                                                                                                               |

R

Error in untrusted state. Set all Error falgs true and return from subroutine.

ViperZ\_Errors 
 UntrustedError 
 TrustedError

4.20 The Viper Top Level Specification

|       | _NotStopped<br>∆Viper2 |  |  |  |  |  |  |  |
|-------|------------------------|--|--|--|--|--|--|--|
| stop' | = 0                    |  |  |  |  |  |  |  |

ViperOK ≜ Compare v ALUBp v Control v Write

ViperZ has successfully completed an operation. There are 1200 + 2640 + 188 + 48 + 20 = 4095 possible operations, is all Op codes accounted for.

U

OKState & ¬(Viper2\_Errors) & ViperOK & NotStopped

NextState & Viper2\_Errors v OKState v Stopped v Reset

The next state of the Viper2 machine.

#### 5 Conclusions

F

ŀ

This document gives an initial specification of the Viper2 in 2. It has been shown that 2 provides a higher level of specification than that written in HOL. It has also demonstrated that it is a useful language to produce a high level specification of a microprocessor.

This specification was completed before the HOL specification was complete and so no attempt was made to ensure conformity between the two.

## 6 Acknowledgements

Ł

W.J. Cullyer who produced the HOL specification.

- C. Pygott and J. Kershaw for the design of the ViperZ.
- ··· C. O'Halloran for his help with the Z editor and type checker.

- . -

F

- 5. Wiseman for suggesting modifications.
- A. Passa for turning the 2 document into a Memorandum.

## 7 References

4....

- 1. Kemp D.H. Specification of Viper1 in Z
- Cullyer W.J. Viper2 Microprocessor:Formal Specification To be published.
- 3. Bowen J. The Formal Specification of a Microprocessor Instruction Set.
- Hayes I. (editor) Specification Case Studies Prentice-Hall International series in computer science, 1987.

## DOCUMENT CONTROL SHEET

|         |          |                  |          | UNCLASSIFIED |
|---------|----------|------------------|----------|--------------|
| Overall | security | / classification | of sheet |              |

(As far as possible this sheet should contain only unclassified information. If it is necessary to enter classified information, the box concerned must be marked to indicate the classification eq. (R) (C) or (S) )

| 1. DRIC Reference (if known)                                                                                                                    |                                                                                                                                                         | iginator's Reference<br>emo 4217                                          | 3. Agency Reference                                                                     | <b>↓. Re</b> port Se<br>U/C                              | curity<br>Classification     |  |  |  |  |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|----------------------------------------------------------|------------------------------|--|--|--|--|--|
| 5. Originator's Code (if<br>known)<br>7784000                                                                                                   | 6. Originator (Corporate Author) Name and Location<br>ROYAL SIGNALS & RADAR ESTABLISHMENT<br>ST ANDREWS ROAD, GREAT MALVERN,<br>WORCESTERSHIRE WR14 3PS |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
| 5a. Sponsoring Agency's<br>Code (if known)                                                                                                      |                                                                                                                                                         |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
| 7. Title<br>Specification of Vip                                                                                                                | er 2                                                                                                                                                    | in Z.                                                                     |                                                                                         |                                                          |                              |  |  |  |  |  |
| 7a. Title in Foreign Language                                                                                                                   | (in th                                                                                                                                                  | e case of translation                                                     | is)                                                                                     |                                                          |                              |  |  |  |  |  |
| 7b. Presented at (for conferen                                                                                                                  | ice nap                                                                                                                                                 | ers) Title, place a                                                       | ind date of conference                                                                  |                                                          |                              |  |  |  |  |  |
| 8. Author 1 Surname, initials 9(a)<br>Kemp D H                                                                                                  |                                                                                                                                                         | Author 2                                                                  | 9(b) Authors 3,4                                                                        | 10. Date<br>1988.10                                      | pp. ref.<br>64               |  |  |  |  |  |
| 11. Contract Number                                                                                                                             |                                                                                                                                                         | 12, Period                                                                | 13. Project                                                                             | 14. Other Reference                                      |                              |  |  |  |  |  |
| 15. Distribution statement<br>Unlimited                                                                                                         |                                                                                                                                                         | └───── <b>─</b> └                                                         |                                                                                         | <u>1</u>                                                 |                              |  |  |  |  |  |
| Descriptors (or keywords)                                                                                                                       |                                                                                                                                                         |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
|                                                                                                                                                 |                                                                                                                                                         |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
| /                                                                                                                                               | continue on separate piece of paper                                                                                                                     |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
| Abstract                                                                                                                                        |                                                                                                                                                         |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |
| As a continuation of<br>specify the Viper 1 m<br>Viper 2. This was co<br>complete, therefore t<br>Z did highlight incor<br>appeared until later | nicrop<br>omple<br>there<br>nsist                                                                                                                       | processor this p<br>ted before the d<br>is no proof of<br>encies in the H | paper covers the sp<br>definitive HOL spec<br>correspondence bet<br>OL specification th | Decification<br>Dification<br>Sween the t<br>Nat may not | n of the<br>was<br>wo. Using |  |  |  |  |  |
|                                                                                                                                                 |                                                                                                                                                         |                                                                           |                                                                                         |                                                          |                              |  |  |  |  |  |

1

\$80/48