Verification of Parameterised FPGA Circuit Descriptions with Layout ...

CHAPTER 4. VERIFYING CIRCUIT LAYOUTS 78
Theorem 12
∀ b t f. b ≤ t ∧ (∀y. 0 ≤ f y) ⇒
let max = maxf(b, t, f) in
∃y. b ≤ y ∧ y ≤ t ∧ f y = max ∧
∀x. b ≤ x ∧ x ≤ t ⇒ (f x) ≤ max
Proof The two parts of the conjunction can be proved separately. The first states that the
maxf function returns a value that is produced by the function f while the second states that
there is no greater value returned by f within the specified range. Both can be proved by
induction over t, bounded from below by b (in Isabelle this is done using the int ge induct
induction schema) and then re-arrangement using the definitions of max and maxf. Mech-
anised proofs are available as theorems maxf ansvalid, maxf fmax and maxf is maxf in
Appendix B.7.
This proof is significant since it provides a mechanism for moving between the functional and
logical definitions of the maxf should this be desired during a proof.
The Functions theory contains the proofs of many useful properties of maxf and sum, includ-
ing how they relate. Most of these proofs are carried out by induction on the value of top.
Some particularly useful theorems about maxf are:
Theorem 13 ∀ m n f. (∀y. 0 ≤ f y) ⇒ 0 ≤ maxf(m, n, f)
Theorem 14 ∀ m n f. n < m ⇒ 0 ≤ maxf(m, n, f)
Both of these theorems are useful in containment proofs. Some similarly useful theorems for
sum are:
Theorem 15 ∀ b t f g. b ≤ t ⇒ sum(b, t, λi. f i + g i) = sum(b, t, f) + sum(b, t, g)
Theorem 16 ∀ b t f. b ≤ t ⇒ sum(b, t, f) + f (t + 1) = sum(b, t + 1, f)