Verification of Parameterised FPGA Circuit Descriptions with Layout ...

CHAPTER 4. VERIFYING CIRCUIT LAYOUTS 96
2.ÎnRna.
∀ qs137 qs138 qs139. 0 ≤ Height (qs138 ;;; R $ qs137 ;;; qs139);
∀ qs137 qs138 qs139. 0 ≤ Width (qs138 ;;; R $ qs137 ;;; qs139);
∀ l t b r. 0 ≤ irow.width na R l t b r
=⇒ ∀ l t b r. 0 ≤ irow.width (Suc na) R l t b r
The proof should now be completed by auto intro: width ser ge0, however the automatic
proof tools do not work in this case. We can however prove the base case and expand the
induction case using only the simplifier:
> apply (simp, simp)
goal (theorem (width ge0 int), 1 subgoal):
1.ÎRna.
∀ qs137 a b aa ba. 0 ≤ Height R qs137 (a, b) (aa, ba);
∀ qs137 a b aa ba. 0 ≤ Width R qs137 (a, b) (aa, ba);
∀ l t b r. 0 ≤ irow.width na R l t b r
=⇒ ∀ l t b r.
0 ≤ Width
(snd.snd $ (converse.converse $ (apr $ int na)) ;;
beside $
((| Def = λb c. arbitrary, Height = λb c. arbitrary,
Width = λ(l, t). split (irow.width na R l t) |),
R $ int na + 1) ;;
fst . fst $ (apr $ int na))
(l, t) (b, r)
We can apply the width ser ge0 rule manually, after removing the universal quantifiers,
which splits the goal into three sub-goals:
> apply (rule allI )+
> apply (rule width ser ge0)+
goal (theorem (width ge0 int), 3 subgoals):
1.ÎRna l t b r x y xa ya.
∀ qs137 a b aa ba. 0 ≤ Height R qs137 (a, b) (aa, ba);
∀ qs137 a b aa ba. 0 ≤ Width R qs137 (a, b) (aa, ba);
∀ l t b r. 0 ≤ irow.width na R l t b r