A Mechanically Checked Proof of aComparator Sort

We describe a mechanically checked correctness proof for the compara-tor sort algorithm underlying a microcode program in a commercially designed digital signal processing chip. The abstract algorithm uses an unlimited number of systolic comparator modules to sort a stream of data. In addition to proving that the algorithm produces an ordered permutation of its input, we prove two theorems that are important to verifying the microcode implementation. These theorems describe how positive and negative \innnities" can be streamed into the array of comparators to achieve certain eeects. Interesting generalizations are necessary in order to prove these theorems inductively. The mechanical proofs were carried out with the ACL2 theorem prover. We nd these proofs both mathematically interesting and illustrative of the kind of mathematics that must be done to verify software. It is often necessary to perform statistical ltering and peak location in digital spectra for communications signal processing. In this paper we consider an abstraction of the algorithm implemented on one such microprocessor, the Motorola CAP digital signal processor 5]. One of the major functional units of the CAP is the adder array, a collection of 20-bit adder/subtracters, each of which has 8 dedicated input registers and a dedicated path to a local memory. The CAP adder array was originally designed to support fast FFT computations , but the designers also included the datapaths necessary to accelerate peak nding.