Overview
The provided materials use the name Jerry Burch in two contexts. The public context identifies Gerald Thomas Burch as an American former professional football player, a tight end for the Oakland Raiders of the American Football League, who played college football for the Georgia Tech Yellow Jackets.[1]
The technical evidence, by contrast, discusses Burch-Dill verification, a 1994 approach attributed to Burch and Dill for formal verification of pipelined microprocessors.[2] The supplied technical evidence does not provide biographical details connecting the football player to the Burch-Dill work, so the two contexts should not be conflated on the basis of the provided sources.
Burch-Dill verification
In the technical evidence, the Burch-Dill approach addresses the verification problem created by pipelining: a processor overlaps multiple instructions for performance, while the instruction-set architecture (ISA) specifies a sequential model in which each instruction updates architectural state such as registers, the program counter, and memory.[3] Formal microprocessor verification must show that, for all possible instruction sequences, the pipelined implementation obtains the same result as a purely sequential ISA implementation.[3]
The Burch-Dill method requires an abstraction function, usually written as α, mapping microprocessor states to architectural states and preserved by each processor cycle.[2] Its key contribution, as described in the evidence, was showing that this abstraction function could be computed automatically by symbolically simulating the microprocessor while it flushes instructions from the pipeline.[2]
For a single-issue microprocessor, the verification task becomes proving equivalence between two symbolic simulations: one in which the pipeline is flushed and then a single instruction is executed in the ISA model, and another in which the pipeline executes one normal cycle and then flushes.[2] The cited report calls this approach correspondence checking.[2]
UCLID5 and Y86-64 case study
A 2018 Carnegie Mellon report by Randal E. Bryant applies the approach in a UCLID5 case study for Y86-64 pipelined microprocessors, a CISC processor family styled after the Intel64 instruction set.[4] The report states that the work translated control logic into UCLID5 automatically, modeled both pipelined and sequential reference versions modularly, and succeeded in showing that the pipeline processors generate the same results as the sequential reference model for all possible programs.[4]
In the UCLID5 formulation, the abstraction function maps a general pipeline state to the architectural state obtained after flushing the pipeline for enough steps to complete partially executed instructions, then transferring the resulting architectural state to the sequential model.[5] The report describes two simulation sequences: one that initializes a pipeline state, runs one PIPE step, flushes, and saves the resulting architectural state; and one that initializes the same pipeline state, flushes, transfers to SEQ, saves the abstracted state, executes one SEQ step, and saves the next sequential state.[5]
The correspondence condition requires that, for any possible initial pipeline state, the state after one PIPE step followed by abstraction equals either the state after one SEQ step from the abstracted initial state or the abstracted initial state itself.[5] The second case accounts for cycles that make no architectural progress, such as stalls or instructions later canceled after a mispredicted branch.[5]
Abstraction and term-level modeling
The evidence contrasts Burch and Dill's work with earlier automated formal hardware verification methods that often required precise bit-level modeling, limiting the size and complexity of systems that could be verified.[6] Burch and Dill demonstrated the use of data abstraction and term-level modeling for microprocessor verification: data values can be treated as symbolic terms, and components such as instruction decoders and ALUs can be modeled as uninterpreted functions.[6]
The cited report states that although such abstractions had previously been used with automatic theorem provers in hardware verification, Burch and Dill were the first to show their use in an automated microprocessor verification tool.[6]
Scope and limitation
Burch-Dill verification is characterized in the evidence as proving a safety property: every processor cycle has an effect consistent with some number of ISA-model steps, including zero steps.[7] Because zero progress is permitted, a deadlocked processor, or even a device that does nothing, could pass this safety check; the report therefore notes that liveness verification is also needed to show that the processor cannot remain forever in a non-progressing state.[7]
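The correspondence condition and its zero-step case can be exercised on a toy model. The following Python sketch is an added example, not code from the cited report or from UCLID5: the two-stage pipeline, its instruction set, and every name in it are constructed for illustration, and it enumerates all programs and pipeline states by brute force instead of using symbolic simulation with uninterpreted functions.

```python
from itertools import product

N, M = 3, 3  # constructed toy sizes: instruction slots, accumulator modulus
INSTRS = [("add", k) for k in range(M)] + [("jmp", t) for t in range(N)]

def seq_step(prog, arch):
    """ISA model (SEQ): run one instruction on architectural state (pc, acc)."""
    pc, acc = arch
    op, arg = prog[pc]
    return (arg, acc) if op == "jmp" else ((pc + 1) % N, (acc + arg) % M)

def pipe_step(prog, s, fetch=True, squash=True):
    """One PIPE cycle on (fpc, latch, acc); fetch=False is a flush cycle."""
    fpc, latch, acc = s
    nxt = prog[fpc] if fetch else None      # speculative fetch at fpc
    nfpc = (fpc + 1) % N if fetch else fpc
    if latch is not None:
        op, arg = latch
        if op == "add":
            acc = (acc + arg) % M
        else:                               # jump resolves: redirect fetch
            nfpc = arg
            if squash:
                nxt = None                  # cancel the wrong-path fetch
    return (nfpc, nxt, acc)

def buggy_step(prog, s):
    """Pipeline that forgets to cancel the instruction fetched after a jump."""
    return pipe_step(prog, s, squash=False)

def dead_step(prog, s):
    """Device that never makes progress."""
    return s

def alpha(prog, s):
    """Abstraction function: flush (one cycle drains this pipeline), project."""
    fpc, _, acc = pipe_step(prog, s, fetch=False)
    return (fpc, acc)

def check(step):
    """Return the first (prog, state) violating correspondence, or None."""
    for prog in product(INSTRS, repeat=N):
        for s in product(range(N), [None] + INSTRS, range(M)):
            before, after = alpha(prog, s), alpha(prog, step(prog, s))
            # Allowed outcomes: zero ISA steps or exactly one ISA step.
            if after not in (before, seq_step(prog, before)):
                return prog, s
    return None
```

check(pipe_step) and check(dead_step) both return None, while check(buggy_step) returns a counterexample whose latch holds a jump. The dead device passing is the reason the safety check needs a separate liveness argument.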