previous | contents | next

if inputs are physically possible they will in fact occur at some time and someone will want to be alerted to the possibility of aberrant behavior by a subsystem such as our multiplier. This incompleteness in specifications is much more serious when it occurs for a general purpose component, such as our multiplier, than for a subsystem to be used only within a specific arrangement, where the inputs that will occur in the environment can be known.

We have three choices in completing the specification. One is simply, to enunciate explicitly the conditions under which the system will produce an error. With this solution we would say: Our system multiplies two 8-bit numbers located in registers P and MPD in such and such fashion; if the other halves of the registers are non-zero an error will occur. This is not very satisfactory, but at least it is honest. The second choice is to make explicit what the output actually is, especially if it is understandable so that its effects could be detected. With this solution we would say: Our system multiplies two 8-bit numbers located in the low-6rder half of P and the high-order half of MPD, assuming the other halves are zero; if the high-order half of P is non-zero, it is added to the product; if the low-order of half of MPD is non-zero the result is garbage. This choice is somewhat more useful: The third and conceptually most satisfactory choice is to specify appropriate behavior on all inputs and then modify the design to achieve it. For instance, we could enforce the assumptions by setting the two halves to be zero. With this solution we would say: Our system multiplies two 8-bit numbers located in the low-order half of P and high-order half of MPD; a larger number in P is truncated to the least significant 8 bits; the low-order bits of MPD are set to zero. The trouble with solutions of this type is that they cost both in time and in hardware to implement. For instance, Figure 5 shows the control part for an initialization process for the multiplier to meet these new specifications. It must be judged whether the additional costs are worth the cleanliness of the behavior specification.

Fig. 5. Control part of initialization process for multiplier.

We emphasize the completeness and correctness of the specification because it is so easily overlooked, being taken as a given. Correctness of the rest of the

115

previous | contents | next