This directory contains PVS files associated with the Tamarack example
described in section 5.5 and 5.7. The dump file for the entire example
is tamarack.dump.

Notes
-----

In the following, we explain how the proof of the main correctness
condition ("commutes condition") for Tamarack is constructed in terms
of the "standard pattern" of proof for proving microprocessor
verification conditions described in section 5.7 (page 189) of the
book.  The standard proof pattern, which is suitable for proving
properties of "bounded-length straight-line" computation, consists of
the following sequence of proof tasks:

Task 1: Quantifier Elimination

Task 2: Unfolding definitions

Task 3: Case analysis and simplification


The actual proof used for the commutes condition, which is generated
as the TCC Verif_TCC2 of the theory verification is given below.

1:(""
2: (SKOSIMP)
3: (TYPEPRED "s!1")
4: (APPLY (THEN@ 
5:    (AUTO-REWRITE! "oracle" "abs" "I" "start_condn") (ASSERT) (LIFT-IF)
6:    (ASSERT -) (AUTO-REWRITE -1) (HIDE -1)
7:    (THEN* (PROP)
8:      (THEN@
9:         (AUTO-REWRITE-THEORIES
10:             "verification" "verification_rewrites[wordt, addrt]"
11:             "soft[wordt, addrt]" ("hard2[wordt, addrt]"
12:                 :EXCLUDE ("hardstep" "microrom"))
13:             "microrom_rewrite[wordt, addrt]")
14:          (RECORD)
15:          (REPEAT (ASSERT)))))))


Line 2 of the proof performs the first task of the standard proof pattern.

To use the standard proof pattern for verifying Verif_TCC2, it is
necessary to split the proof into a finite number of cases one for
every Tamarack instruction.  Lines 4-7 perform this splitting task.
The function oracle gives the length of the microcode executed for
every instruction.

Line 3 brings in an invariant condition that is true at the start
of every instruction execution.

Lines 8-14 set up the rewrites for performing Task 2.  (RECORD is needed
to record the result of case-splitting done by PROP.)

Line 15 performs Task 2 as well as Task 3.  In this case, ASSERT itself
performs the necessary conditional simplification without the need
for a GROUND.
