
Dill

Person WIKI v1 · 5/25/2026

Dill is cited, together with Burch, for 1994 ideas that became central to formal verification of pipelined microprocessors, including automatic computation of an abstraction function by symbolic pipeline flushing and the approach later described as correspondence checking.

Overview

Dill is referenced in the context of formal verification of pipelined microprocessors as a coauthor, with Burch, of 1994 ideas that influenced later verification work. The cited approach requires an abstraction function, α, from microprocessor states to architectural states, together with a proof that this mapping is maintained by each processor cycle. Its key contribution was that the abstraction function could be computed automatically by symbolically simulating the processor while flushing instructions out of the pipeline. [C1]

Role in correspondence checking

For a single-issue microprocessor, the Burch-and-Dill approach reduces verification to checking equivalence between two symbolic simulations: one in which the pipeline is flushed and then a single ISA instruction is executed, and another in which the pipeline first performs a normal cycle and then flushes. The evidence identifies this verification approach as correspondence checking. [C2]

Use of abstraction

The evidence also credits Burch and Dill with demonstrating the value of data abstractions in automated microprocessor verification. Their method used term-level modeling, in which data values are treated as symbolic terms and units such as instruction decoders and ALUs can be abstracted as uninterpreted functions. The source states that Burch and Dill were the first to show the use of these abstractions in an automated microprocessor verification tool. [C3]

Scope and limitation of Burch-Dill verification

Burch-Dill verification proves a safety property for a pipelined processor design: each processor cycle has an effect consistent with some number of ISA-model steps, including the case of zero progress. The source notes that this means a deadlocked processor, or even a device that does nothing, can pass this safety verification unless liveness is also verified. [C4]
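The correspondence check and its safety-only limitation, shown as an added example that is not taken from the cited source. It assumes a constructed two-stage accumulator pipeline (all names and sizes are hypothetical) and replaces symbolic term-level simulation with exhaustive enumeration over a small state space.

```python
from itertools import product

M, N = 4, 2  # constructed toy sizes: accumulator modulus, instruction-memory length

def isa_step(arch, imem):
    """ISA model: one instruction adds imem[pc] to the accumulator."""
    pc, acc = arch
    return ((pc + 1) % N, (acc + imem[pc]) % M)

def flush(s):
    """Drain the in-flight instruction without fetching a new one."""
    pc, latch, acc = s
    return (pc, None, acc if latch is None else (acc + latch) % M)

def alpha(s):
    """Abstraction function: flush, then keep only the architectural state."""
    pc, _, acc = flush(s)
    return (pc, acc)

def good_cycle(s, imem):
    pc, _, acc = flush(s)                 # execute stage retires the latch
    return ((pc + 1) % N, imem[pc], acc)  # fetch stage latches the next one

def buggy_cycle(s, imem):
    pc, _, acc = s                        # defect: latch overwritten, never executed
    return ((pc + 1) % N, imem[pc], acc)

def dead_cycle(s, imem):
    return s                              # a device that does nothing

def all_cases():
    for imem in product(range(M), repeat=N):
        for s in product(range(N), [None, *range(M)], range(M)):
            yield imem, s

def correspondence_failures(cycle):
    """Safety: alpha(cycle(s)) must equal zero or one ISA step from alpha(s)."""
    return [(imem, s) for imem, s in all_cases()
            if alpha(cycle(s, imem)) not in (alpha(s), isa_step(alpha(s), imem))]

def always_progresses(cycle):
    """Separate liveness-style check: every cycle advances the abstract state."""
    return all(alpha(cycle(s, imem)) != alpha(s) for imem, s in all_cases())

if __name__ == "__main__":
    for c in (good_cycle, buggy_cycle, dead_cycle):
        print(c.__name__, len(correspondence_failures(c)), always_progresses(c))
```

The do-nothing pipeline produces no correspondence failures because zero progress is allowed, and only the separate progress check rejects it.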

Related concept

  • [[Burch-Dill Correspondence Checking]]: Dill is linked to this concept through the Burch-and-Dill verification approach described above.

CITATIONS

[C1] Dill, together with Burch, is associated with 1994 ideas requiring an abstraction function from microprocessor states to architectural states and automatic computation of that function by symbolic pipeline flushing. Source: Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[C2] For a single-issue microprocessor, the Burch-and-Dill approach checks equivalence between flushing-then-ISA-execution and normal-cycle-then-flushing symbolic simulations, and the source calls this correspondence checking. Source: Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[C3] Burch and Dill demonstrated term-level data abstraction for automated microprocessor verification, using symbolic terms and uninterpreted functions, and were first to show such abstractions in an automated microprocessor verification tool. Source: Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5
[C4] Burch-Dill verification proves safety by showing each processor cycle is consistent with some number of ISA-model steps, but it does not by itself prove liveness. Source: Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5