Overview
Randal E. Bryant is an American computer scientist and academic noted for research on formal verification of digital hardware and software. Public context identifies him as a Carnegie Mellon University faculty member beginning in 1984, dean of Carnegie Mellon’s School of Computer Science from 2004 to 2014, and Founders University Professor Emeritus after retiring on June 30, 2020. [Bryant public biography]
Technical area represented in the evidence
The provided technical evidence is a Carnegie Mellon report titled “Formal Verification of Pipelined Y86-64 Microprocessors with UCLID5.” The report concerns the formal verification of Y86-64 pipelined microprocessor variants using the UCLID5 verifier. [Report title and verification setting]
In the report’s verification task, the sequential SEQ processor is used as the reference version of the Y86-64 ISA, and the task is to determine whether SEQ and all seven variants of the pipelined PIPE processor are functionally equivalent. The report notes that SEQ and PIPE share functional elements such as instruction decoding logic and the ALU, while differing in PIPE-specific pipeline registers and control logic. [SEQ and PIPE equivalence task]
Y86-64 model context
The Y86-64 instruction set architecture is described as adapting many features of Intel64, informally x86-64, while being much simpler and intended as a starting point for a working model of how microprocessors are designed and implemented rather than as a full processor implementation. [Y86-64 ISA purpose]
The Y86-64 architectural state described in the report includes fifteen program registers, a three-bit condition-code register, a program counter, data memory, and a status register indicating normal execution or an exceptional condition such as an invalid instruction or data memory reference, an invalid fetched instruction, or a halt. [Y86-64 architectural state]
UCLID5-based verification approach
The report describes UCLID5 as a verifier with both a modeling language for describing a system and a command language for creating a verification script. In the processor-verification setup, the modeled system combines a pipelined microprocessor with a sequential reference implementation, while the verification script carries out Burch-Dill correspondence checking. [UCLID5 modeling role]
For this case, only UCLID5’s hardware-modeling aspects were used. Hardware is modeled as state machines that compute a next state from the current state and transition to it, while UCLID5 also supports software-style sequences of state-updating operations. [UCLID5 hardware modeling]
The report also emphasizes that safety-style correspondence checking is not enough by itself: a deadlocked processor, or even a device that does nothing, could pass such a check. It therefore adds a liveness requirement, namely that the processor cannot reach a state in which it never makes forward progress; the report describes an approach to proving that the pipeline does not stall indefinitely. [Liveness requirement]
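The two points above, Burch-Dill correspondence checking between a pipelined and a sequential machine and the reason a pure safety check is not enough, can be illustrated on a toy model. The following is an added example, not code from the report, from UCLID5, or from the Y86-64 processors; it assumes a constructed three-register ISA with a one-entry write-back buffer, and checks correspondence exhaustively rather than with an SMT solver.

```python
from itertools import product

# Constructed toy ISA (not the report's Y86-64): three registers, values mod 4,
# instructions (op, dst, src1, src2) with op in {"add", "sub"}.
REGS, VALS, OPS = range(3), range(4), ("add", "sub")

def alu(op, a, b):
    return (a + b) % 4 if op == "add" else (a - b) % 4

def seq_step(regs, instr):
    """Reference (SEQ-style) semantics: read the register file, write back at once."""
    op, dst, s1, s2 = instr
    out = list(regs)
    out[dst] = alu(op, regs[s1], regs[s2])
    return tuple(out)

def flush(state):
    """Abstraction map: complete the in-flight write so a pipeline state becomes an ISA state."""
    regs, pending = state
    if pending is None:
        return regs
    out = list(regs)
    out[pending[0]] = pending[1]
    return tuple(out)

def pipe_step(state, instr, forward=True):
    """PIPE-style step: 'pending' is a result still in the write-back stage.
    Operand reads must bypass from it; forward=False models a missing-forwarding bug."""
    regs, pending = state
    src = list(regs)
    if pending is not None and forward:
        src[pending[0]] = pending[1]
    op, dst, s1, s2 = instr
    # The old pending write commits this cycle; the new result now waits in the buffer.
    return (flush(state), (dst, alu(op, src[s1], src[s2])))

def burch_dill(step):
    """Burch-Dill correspondence: for every pipeline state s and instruction i,
    flush(step(s, i)) must equal seq_step(flush(s), i), or flush(s) when the
    step completed no instruction. Returns the first counterexample, else None."""
    pendings = [None] + list(product(REGS, VALS))
    instrs = list(product(OPS, REGS, REGS, REGS))
    for regs, pending, instr in product(product(VALS, repeat=3), pendings, instrs):
        s = (regs, pending)
        got = flush(step(s, instr))
        if got not in (seq_step(flush(s), instr), flush(s)):
            return (s, instr, got)
    return None

if __name__ == "__main__":
    print("forwarding pipeline:", burch_dill(pipe_step))
    print("no forwarding:", burch_dill(lambda s, i: pipe_step(s, i, forward=False)))
    # A deadlocked pipeline (step(s) == s) passes the safety check; liveness must be shown separately.
    print("deadlocked pipeline:", burch_dill(lambda s, i: s))
```

The forwarding pipeline passes, the non-forwarding one yields a concrete counterexample, and the pipeline that never advances also passes, which is exactly why the report adds a liveness requirement.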
Model generation from HCL
The report’s model-generation workflow extracts processor control logic from HCL, short for Hardware Control Language. HCL control logic for SEQ and PIPE is translated into UCLID5 macro definitions by a translator called HCL2U, and a Python program performs file merging and option selection to produce UCLID5 files for specific verification tasks. [HCL to UCLID5 generation]
The report states that deriving control logic directly from a common representation helps maintain consistency among simulation models, synthesizable hardware descriptions, and formal-verification models. [Common representation consistency]
Experimental setup
The report states that its experimental results were measured using UCLID5 version 0.9.5 with Z3 version 4.5.0 as the SMT solver. Timings were reported as total CPU seconds on an eight-core 2.20 GHz Intel Xeon E5-1660 system. [Experimental setup]