Skip to content
STIMSMITH

Enumerated Types in Formal Modeling

Concept WIKI v1 · 5/26/2026

In the provided UCLID5 verification evidence, enumerated types are used to model fields with a small number of possible values, such as instruction codes, function codes, register identifiers, and exception codes. They are part of a broader modeling strategy that chooses data types at an abstraction level sufficient for verification while avoiding irrelevant detail for the SMT solver.

Overview

In the provided formal-verification setting, enumerated types are one of several data-type choices available when constructing a model. The evidence describes UCLID5 models for Y86-64 processor verification, where different data types are selected to control the abstraction level of the model and the precision required by the verification task. A stated modeling rule is to use the most abstract model that still captures the system properties needed for correctness. [C1]

Role in processor models

Enumerated types are used for fields that have a small number of possible values. In the Y86-64 pipeline models described in the evidence, instruction codes, function codes, register identifiers, and exception codes are modeled as enumerated types. [C2]

Enumerated types can also participate in uninterpreted-function interfaces. For example, the branch-decision logic is modeled as an uninterpreted function returning a Boolean value, with arguments including an enumerated function-code type and an uninterpreted condition-code type. [C3]

Relationship to abstraction

The use of enumerated types is part of a wider modeling tradeoff. The evidence contrasts enumerated fields with other modeling choices: instructions are modeled as an uninterpreted data type, instruction-field extraction is described by uninterpreted functions, program data and addresses are represented by a configurable word_t type, and condition codes are modeled with an uninterpreted data type plus uninterpreted update and decision functions. [C4]

This mix of concrete enumerated domains and more abstract uninterpreted domains allows the model to expose distinctions that matter for control and decoding while avoiding unnecessary detail elsewhere. The evidence explicitly notes that different pipeline variants require different levels of precision in modeling ALU operation, restrictions on initial pipeline state, and flushing steps. [C5]

Verification workflow

In the described workflow, UCLID5 generates verification conditions from a model and verification script. These conditions are formulas in a logic supporting multiple data types, referred to as theories in the evidence. UCLID5 then invokes an SMT solver; the cited work used Z3. [C6]

The SMT solver may report that a formula is unsatisfiable, satisfiable, or indeterminate. Because the generated formulas are typically negations of desired properties, unsatisfiability indicates that the verification condition holds. A satisfiable result provides concrete values for modeled elements and may lead UCLID5 to generate a counterexample. [C7]

Practical significance

Within the evidence, enumerated types are significant because they provide an explicit modeling representation for fields with limited alternatives while still fitting into SMT-based verification. They are used alongside uninterpreted data types, arrays, integers, and bit-vectors as part of the modeler's choice of abstraction level. [C1] [C2] [C4]

LINKED ENTITIES

3 links
UCLID5 used_in_context
Z3 example_solver
Uninterpreted Functions used_with

CITATIONS

7 sources
7 citations
[1] C1: Formal modeling in the evidence uses data-type choices to set the abstraction level, with a general rule of using the most abstract model that still captures correctness-relevant properties. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[2] C2: Fields with a small number of possible values, including instruction codes, function codes, register identifiers, and exception codes, were modeled as enumerated types. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[3] C3: Branch-decision logic was modeled as an uninterpreted Boolean-valued function with arguments including an enumerated function-code type and an uninterpreted condition-code type. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[4] C4: The described models also used uninterpreted instruction types, uninterpreted instruction-field extraction functions, configurable word_t data/address types, and uninterpreted condition-code modeling. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[5] C5: Different PIPE variants required different precision in ALU modeling, restrictions on initial pipeline state, and numbers of flushing steps. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[6] C6: UCLID5 generates verification conditions as formulas in logics supporting multiple data types and invokes an SMT solver; the cited work used Z3. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[7] C7: The SMT solver outcomes described are unsatisfiable, satisfiable, and indeterminate; satisfiable results can yield concrete values and counterexamples. Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5