Abstract
Introduction
This paper describes the verification of a pipelined, IEEE compliant [7] , double-precision floating-point multiplier. The features of the multiplier include: 0 based on high-performance commercial designs 0 radix-eight multiplier array with carry-save adders e round-to-nearest rounding mode 0 optional non-IEEE-compliant mode: treats denor-0 four stage pipeline 0 three 56-bit carry-select adders with carrypropagate circuitry e over 33 000 two-input gate equivalents
The top-level specification of the circuit is written in terms of arithmetic operations on integers. The design was done in structural VHDL, then synthesised using a cell-library to a unit-delay gate-level model. The verification was carried out in the Voss hardware verification system [9] .
Voss includes an efficient implementation of ordered binary decision diagrams (BDDs); an event driven symbolic simulator with comprehensive delay and race from Digital Equipment Corp. [3] malised numbers as zero V6T 124 Canada analysis capabilities; a set of theorem-proving style inference rules; and a general purpose, functional programming language. The simulator implements symbolic trajectory evaluation, which offers a good compromise between expressibility of specifications and rapid verification. The inference rules allow the composition of verification results and support abstract data-types, such as integers. This enables Voss to overcome the limitations inherent in BDD-based modelchecking.
Large parts of the IEEE floating-point standard have been formalised by Barrett [2] in the Z specification language and by Carrefio and Miner [5] 
Background and Theory
In Voss, specifications consist of an antecedent, a consequent, and an optional relation (used for relational, but not functional, verification). The antecedent and consequent are temporal formulas. The key to the efficiency of trajectory evaluation is the restricted language of the temporal formulas: there is no negation, the only temporal operator is "next", and there is only a restricted form of disjunction. Typically the antecedent is used to initialise inputs to the circuit. In functional verification, the consequent specifies the values of the outputs as functions of the inputs. In relational trajectory evaluation, auxiliary variables are introduced in the consequent and the relation in the specification states the correctness condition in terms of the input and auxiliary variables. (Section 4.1 has an example of relational verification.)
Hazelhurst and Seger [6] defined a set of inference rules for composing verification results in Voss.
These rules include: pre-condition strengthening, postcondition weakening, structural composition, and instantiation of symbolic and temporal variables.
One of the most powerful ramifications of these rules is that abstract data types (ADTs) for integers and other objects can be defined and related to primitive trajectory formulas. This allows specifications to be written in terms of the ADTs (e.g. integers). Verification can be carried out by either mapping the specification down to bit-vectors or by manipulating the ADTs. As an example of the second method, a linearprogramming package has been added to Voss and we use this to simplify integer expressions, as illustrated in Section 4.2.l Trajectory evaluation is automated, but can exceed the capability of compute resources. In comparison, using inference rules requires human interaction, but is less compute intensive. Our normal verification technique is to rely primarily on trajectory evaluation, and use inference rules only when necessary. We use a mixture of top-down and bottom-up verification: topdown to isolate bugs and bottom-up to compose completed verifications. When doing divide-and-conquer verification with trajectory evaluation, only the specification needs to be partitioned. Trajectory evaluations can be carried out on the complete circuit, but only those parts related to the specification are exercised, which makes it very efficient.
2.

3,
Multiplication Implementation
The IEEE standard defines six different classes of floating-point data: infinity, normalised, denormalised, zero, quiet NaNs, and signalling NaNs. Multiplication is only performed if both operands are either normalised or denormalised. If multiplication is performed, the result may overflow, underflow, or be normalised or denormalised.
IEEE floating-point numbers are represented as bitvectors with three fields: a sign, exponent and significand. Denormalised numbers (or denorms) represent values that, if normalised, would require that the exponent field be less than its minimum value.
Due to the cost in both area and performance required to support denormalised numbers in hardware, we rely on software support when a fully IEEE compliant result is needed. When our multiplier (which we call the "ADK" multiplier) is in IEEE compliant mode, it generates an emulation exception when multiplication is to be performed on a denorm input or Each row in the multiplier array calculates the product of a digit from the recoded multiplier and the multiplicand. Digits in the radix-eight recoded multiplier are in the range -4.. .+4 and are in sign-magnitude format. The magnitude is used to select the desired multiple of the multiplicand and the sign is used to negate the product if needed. Negating the product is done by inverting it and including the extra "plusone" needed for the two's complement in the initial partial product. The least-significant cell in each row computes the sticky and guard bits used in rounding.
Verification
Our verification of the multiplier relies on a hierarchy of specifications (Figure 1) . IEEE Re1 is a relational formalization of the IEEE standard for multiplication (including NaNs, infinities, etc.). ADK Re1 is a relational specification of our multiplier, which is identical to IEEE Rei except for those cases where our multiplier raises an emulation exception. ADK Fun is a functional specification describing exactly what result our multiplier should produce for any set of inputs. Below ADK Fun are specifications for subparts of the circuit, such as the Booth recoder and rounding circuitry.
Our formalization of the IEEE standard is relatzonal, not functzonal. The IEEE standard is nonfunctional in several cases, in that it specifies prop- erties that the result must satisfy but not the exact value that must be produced. For example, if one of the operands is a NaN, the standard requires that result is a NaN, but it does not specify which NaN.
The IEEE standard is informal and written in natural language, so formalizations of the standard can only be verified against it informally. Our formalization [I] is only a few pages and (we believe) quite readable. Thus, we claim that others can inspect our formalization and convince themselves that it conforms to the standard.
We began the verification by using test-vector simulation as a quick and effective way of catching many bugs and then relied on trajectory evaluation to verify individual components (the lowest layer in Figure 1) . Once the components had been verified, we needed to compose the results to verify the complete circuit. We used a single trajectory evaluation to verify the significand datapaths in stages three and four and Exp/Special against ADK Fun2. We used inference rules to combine the verification results from Booth/Preadd, Prod, and Sum to prove that the circuit multiplies correctly (Sig Mult). The verification results for Sig Mult and A D K Fun2 were combined together using inference rules to complete the verification of the multiplier against ADK Fun. We used BDDs and inference rules to verify that ADK Fun implies ADK Re1 and ADK Rei implies IEEE Rel.
The total design and verification effort took approximately sixty work days (Table 2) 
Booth Recoder
The Booth recoder in stage one was verified against the relational specification in Equation 1. The input is the multiplier ( m ) and the outputs are eighteen signmagnitude digits in the range -4 . . .+4 (sgn, and mag, for 05iL17). A functional specification would require separate equations defining sgn, and mag, in terms of m, which would clearly be much more difficult to write than the relational specification. 
Significand Multiplication
Theorem 1 says that the composition of the specifications for the components in the significand datapaths in stages one and two imply that the sum of the carry (C) and sum (S) vectors output from the multiplier array is the upper fifty-five bits of the product of the multiplier ( M I ) and multiplicand ( M 2 ) . The theorem was proved automatically by Voss' arithmetic decision procedures in three minutes.
Theorem 1: Composition of significand specifications
The first line describes the Booth recoding of the multiplier ( M I ) . The second line is for the preaddition of the plus-ones into the initial partial product ( P ) for the generation of two's complement products in the multiplier array (see Section 3). The third and fourth lines describe the calculation of the product terms ( p z ) and the summation of the partial products using carrysave addition ( C and S).
Conclusion
As shown in Table 2 , we found many bugs, both in our design and specifications. Many of these could have been found through extensive use of test-vectors, but it is doubtful that they could have been found as quickly as with trajectory evaluation. Most of the bugs were related to the multiplier array or the special cases. Because of the regularity of the multiplication implementation, many of these bugs were found using test vectors. However, the control circuitry for the special cases is very irregular, making test vectors impractical. Our most subtle bug illustrates the need for relational and high-level specificiations. We were very confident in our specification ADK Fun, but verifying it against ADK Re1 revealed that a particular NaN value would sometimes produce a result of infinity, rather a NaN. This error was in both our implementation and functional specification and would very likely have remained undetected in test-vector simulation.
Our long-term goal is to develop practical and rigourous formal verification techniques. From experience with a variety of model-checking and theoremproving techniques, we have concluded that trajectory evaluation and built-in support for debugging hardware is a very effective verification process. Composing verification results using either trajectory evaluation or inference rules provides the freedom to choose the most appropriate technique for each situation. Using a general-purpose programming language as an interface makes it easy to automate repetitive tasks and customize interfaces. More experience with combined model-checking and theorem-proving based verification is clearly needed, but even at this early stage, we are very optimistic that the combination offers the promise of practical formal verification, scalability, and high-level specifications.
