Reduced Precision Checking to Detect Errors in Floating Point Arithmetic by Zhang, Yaqi et al.
 1 
 
Reduced Precision Checking to  
Detect Errors in Floating Point Arithmetic 
Yaqi Zhang, Ralph Nathan, and Daniel J. Sorin 
Duke University 
  
Abstract 
 
In this paper, we use reduced precision checking (RPC) to detect 
errors in floating point arithmetic.  Prior work explored RPC for 
addition and multiplication.  In this work, we extend RPC to a 
complete floating point unit (FPU), including division and square 
root, and we present precise analyses of the errors undetectable 
with RPC that show bounds that are smaller than prior work. We 
implement RPC for a complete FPU in RTL and experimentally 
evaluate its error coverage and cost.  
 
1 INTRODUCTION 
In this paper, we focus on detecting errors in floating point 
arithmetic performed by the floating point units (FPUs) in 
processor cores. We focus on all of the common floating point 
operations: addition/subtraction, multiplication, division, and 
square root.   
We base our error detection on the previously introduced idea 
of reduced precision checking (RPC) [1][9].  The key idea behind 
RPC is to check a full-precision (32-bit, in this paper) FPU with a 
reduced-precision checker FPU. The full-precision FPU operates 
on IEEE standard operands that have a sign bit, 8 exponent bits, 
and 23 fraction bits. The checker FPU operates on operands that 
also have a sign bit and 8 exponent bits, but the fractions have k 
bits, where k≤23 is a parameter that is chosen by the designer. 
In the absence of errors, the full-precision result of the FPU will 
match the reduced-precision result of the checker; only errors in 
the least significant bits can evade detection. RPC has an 
inherent trade-off between the cost of the checker and the 
likelihood of it not detecting an error.   
Prior work has developed RPC for addition/subtraction [1] and 
multiplication [9]. The prior work introduced the idea of RPC and 
built and evaluated hardware implementations for 
addition/subtraction and multiplication. Prior work is limited, 
however, in several important ways.  First, it does not include 
floating point division or square root, both of which are common 
hardware units. Second, we show that the size of the undetected 
errors for addition/subtraction and multiplication can be greatly 
reduced; prior work made overly conservative assumptions that 
led to unnecessarily large errors evading detection. Third, for 
some floating point input operations on some standard 
operands1 (e.g., subtraction of two similarly sized numbers), the 
                                                        
1
 A non-standard operand is a denorm, infinity, or NaN. 
prior RPC schemes were unable to detect any errors at all and 
had to be disabled for these operation/operand combinations. 
In this paper, we make the following contributions: 
• We develop and evaluate RPC for a complete FPU in 
RTL—with addition/subtraction, multiplication, division, and 
square root.  The results include error detection coverage, 
chip area, and energy. 
• We mathematically compute the maximum undetectable 
error for every floating point operation, and we show that 
we can obtain tighter bounds for addition/subtraction and 
multiplication than prior work. 
• Using a new RPC technique, that we call “reverse 
checking,” we eliminate the unchecked operation/operand 
pairs of prior work.  That is, our RPC unit checks every 
operation on all standard operands. 
2 BACKGROUND AND NOTATION 
In this section, we introduce background and notation that we 
use throughout the rest of this paper. We assume that all full-
precision floating point numbers adhere to the IEEE-754 
standard.  Furthermore, we consider only 32-bit floating point 
numbers in this paper, but our approach applies in an identical 
way to 64-bit floating point numbers.  
2.1 Floating Point Format 
As illustrated in Figure 1, a 32-bit floating point number X has 
1 sign bit (X[31]), 8 exponent bits (X[30:23]), and 23 fraction bits 
(X[22:0]). For notational clarity, we use the symbol ∃ to denote 
the exponent bits (i.e. X[30:23]). The sign bit with value of 0 or 
1 indicates a positive or negative sign (SX), respectively, i.e.,  = −1	
[]. The base-2 exponent is represented in unsigned, 
biased notation, such that the exponent of X (  ) is the 
unsigned value of the exponent bits after 127 is subtracted (i.e.,  =	∃–127). The mantissa of X is an implicit 1 followed by the 
23 fraction bits.2  We define fraction () as the integer value of 
the lower 23 bits of X (X[22:0]), and mantissa ( ) as the 
floating point value of the mantissa, including the implicit one, i.e. 1. { }. Curly braces denote concatenation. Thus the floating 
point value of X is:  −1	[] × 2∃ × 1. {[22: 0]" =  × 2#$ × 1. {" =  × 2#$ ×% 
2
 In the IEEE format, the “implicit 1” is a 1 at the 
beginning of the mantissa that is not explicitly stored 
as part of the 32-bit representation. 
 2 
 
2.2 RPC Notation 
Because RPC involves computations on portions of a floating 
point number’s representation, it is helpful to introduce some 
notation for describing these quantities.  Assume that the RPC 
checker uses a fraction with k bits, where & ≤ 23. Thus, an RPC 
checker operates on numbers that have 9+k bits, where the 9 
corresponds to 1 sign bit and 8 exponent bits.    
We use A and B to refer to the FPU’s operands and C to refer 
to its (rounded) result. We use () to denote the “true” result that 
would be produced with unlimited precision. For example, for 
multiplication, * × + = () . We use the notation * × + → (  to 
denote that C is the result produced by the hardware. We denote 
the rounding error associated with the mantissa of C (%-) as ./. 
Thus, * × + = () = - × 2#0 × %- + 2-	.  
Assume the full-precision FPU computes * × + → (, where A, 
B, and C are full 32-bit numbers.  For purposes of comparing its 
result, C, to the result of the checker, we consider the most 
significant 9+k bits of C and denote them as CH.   
The checker takes as inputs the 9+k most significant bits of A 
and B, which we denote as AH and BH, respectively.  It produces 
a 9+k-bit result that we denote as C’; that is, *3 × +3 → (4.  To 
detect errors, RPC compares C’ to CH.   
The checker’s inputs, AH and BH, are the same as A and B, 
except their fractions are truncated. We denote the floating point 
value of AH’s mantissa, including the implicit one, as 56 . To 
denote the floating point value of the mantissa that gets 
truncated off, we use 57 , which has value of %8 −%83. Because %8and %83 both contain the implicit one, their difference %89 does 
not. For instance, if %8 = 1. {1"  and k = 7, %83 = 1. {1"  and %89 = 0. {0"{1":. The subscript indicates number of repetition of 
the bit within braces. In this case, 0. {0"{1": means 7 zeros and 
16 ones following the decimal point.  
The checker’s output, C’, has a fraction and mantissa that we 
denote as /4  and /4 , respectively. 
 
3 RPC AND ITS CHALLENGES 
At a high level, RPC is similar to dual modular redundancy. 
Assume the FPU performs a full-precision floating point 
operation on operands A and B, say * × +, and obtains the full-
precision result C. To check this result, the checker performs the 
same floating point operation on the inputs AH and BH, where AH 
and BH are 9+k most significant bits of operands A and B, 
respectively. The checking logic compares the 9+k-bit result from 
the checker, (4 ← *3 × +3, to the 9+k most significant bits of C 
from the full-precision FPU, denoted CH; if C’ significantly differs 
from CH, an error is reported. We illustrate this simplified version 
of RPC in Figure 2.   
Although RPC is quite simple at this high level of abstraction, 
it is challenging to efficiently compare CH  to C’. With identical 
dual modular redundancy, comparison between the two results 
can be efficiently implemented with bitwise comparison. In 
contrast, we need to compute the difference between the two 
results, because CH and C’ can differ even in the absence of 
errors. However, we do not want to perform floating point 
subtraction, because of the time and energy required to do so.  
Instead of comparing the floating point values CH and C’ by 
performing a floating point subtraction, RPC compares them 
using integer subtraction. First, RPC checks whether the first 
bits of CH (C[31]) and C’ (C’[31]) are equal; these bits are the 
signs of C and C’ and they should be equal in the absence of 
errors. Next, RPC treats the remaining bits of CH and C’ as 
unsigned integers and computes their integer difference 
(C[30:(23-k)]-C’[(7+k):0]), which we refer to as Diff. The 
comparison logic checks whether Diff is within a range—
bordered by an upper bound (UB) and a lower bound (LB)—that 
is possible in the absence of errors. 
Figure 2. RPC: Big Picture  
 <= = ([30: 23 − k	] − (’[7 + k	: 0] NoError = ([31] = (4[31]		⋀		E+ < <= < G+		 
In Sections 5-7, we prove that, in the absence of errors:  
The bounds on Diff for addition and subtraction are [-1,1] and the 
[-1,3] for multiplication, division, and square root. 
If Diff is outside of its allowable range, then either an error has 
occurred in the full-precision FPU or in the checker. (The latter 
scenario is a false positive.)  If Diff is non-zero but within its 
allowable range, then an error may or may not have occurred; if 
an error did occur, RPC would not detect it.  
Later, we prove that the integer values of the bounds on Diff 
do not vary with k. However, the significance of these integer 
bounds does vary.  The least significant bit of Diff is in the least 
significant bit position of the checker, which has the floating point 
value 2H. Intuitively, a larger value of k corresponds to a smaller 
significance of Diff (i.e., 2-k is smaller) and thus a smaller 
magnitude of error that will not be detected by RPC.  As a result, 
RPC provides a tune-able tradeoff between error coverage and 
cost.  
Figure 1. Representing a floating point number X 
 3 
 
We devote much of this paper to proving how large the integer 
difference of C’ and CH may be in the absence of errors; any 
difference larger than this allowable discrepancy will be detected 
as an error, and any difference smaller will be ignored. 
Although integer subtraction is cheap and easy to implement, 
it introduces the following challenges in bounding the maximum 
allowable difference in the absence of errors. 
 
3.1 Challenge #1: Unequal “Matches” of 
Exponents 
It might appear at first that CH and C’ can differ only in their 
fractions.  However, they can also differ in their exponents in rare 
situations that must be considered. When we truncate the inputs 
to the checker (i.e., convert A and B into AH and BH in 
multiplication, for example), it leads to the absolute value of C’ 
being less than or equal to the absolute value of C.  Thus, the 
exponent of C’ -4 	 can be less than the exponent of (3 	-	. 
The mis-match in exponents further causes mis-alignment 
between the fractions of C’ and CH for purposes of computing 
integer difference. This rare scenario leads to complexity in 
bounding Diff.  
 
3.2 Challenge #2: The Need for “Reverse” 
Checking 
The second challenge with RPC is the existence of certain 
scenarios in which direct checking is ineffective.  We illustrate 
this challenge with a base-10 example: consider the case of 
3.9999x1023-3.9996x1023, and assume that the reduced 
precision checker truncates the last two digits. The (error-free) 
full-precision result is C=3.0000x1019, and the RPC result C’ is 
3.99x1023-3.99x1023=0. The discrepancy between CH 
(3.00x1019) and C’ in scenarios like this can be almost arbitrarily 
large because the result of the reduced-precision subtraction is 
zero. More generally, the problem exists for subtraction when 
both operands have the same sign and for addition when both 
operands have different signs. Prior work detected these 
scenarios and disabled checking when they occurred [1]. 
To overcome this challenge, we propose reverse checking for 
same-sign subtraction (SSSUB) and different-sign addition 
(DSADD). In the case of SSSUB, forward checking would 
compute *3 − +3 → (’  and compare C’ to (3 . Instead, with 
reverse checking, RPC uses the truncated result of the full-
precision FPU, (3, as one of it inputs and then “reverses” the 
computation to check it. 
The operation of reverse checking depends on the signs of A, 
B, and C.   There are two cases.  First, if 8 = I = -  then the 
checker computes (3 + +3 → *’  and then compares *’  to *3 . 
This check avoids the problem of SSSUB because the checker 
is performing same-sign addition (SSADD) when computing (3 + +3 → *’. In the second case, 8 = I ≠ -, and the checker 
computes *3 − (3 → +’ and compares +’ to +3 . Because - =−8 , the checker is performing different-sign subtraction 
(DSSUB) in computing *3 − (3 → +’.  
For division and square root, we also adopt reverse checking, 
but for a different reason.  Both division and square root can be 
checked, using reverse checking, with the same reduced-
precision multiplier we use to check multiplication.  Reusing the 
multiplier checker is efficient, not least because multiplication is 
cheaper than division and square root.  To check * ÷ + → (, the 
checker performs (3 × +3 → *′  and compares *4  to *3 . To 
check MNOP+	 → ( , the checker performs (3 × (3 → +4  and 
compares +4 to +3.  
 
3.3 Challenge #3: the Rounding Effect 
Another challenge in bounding Diff is that both the full-
precision FPU and the reduced-precision checker produce 
inexact, rounded results. We must consider this rounding in two 
scenarios. 
First, rounding in the full-precision unit might produce a carry 
from low-order bits that could propagate to high-order bits, 
leading to a mis-match between the high-order bits of CH and C’.  
Second, rounding occurs twice in reverse checking, because 
one input operand used by the checker is rounded (and the result 
is rounded).  For instance, in the case of * ÷ + → (, even with 
full-precision ( × + ≠ * . With reverse checking, we compute (3 × +3 → *′ , during which we first round the input CH (by 
truncating C) and then round the result to get A’. 
 
4 AXIOMS 
In the following sections, we frequently use several axioms 
that derive from the format of IEEE floating point numbers.  
The smallest possible value of % is 1. {0" = 1. The largest 
possible value of %  is 1. {1" = 10. {0" − 0. {0"{1" = 2 −2.  
Axiom 1: 1 ≤ % ≤ 2 − 2 
 
Similarly, the smallest possible value of %3 is also 1 and its 
largest possible value is 1. {1"H = 10. {0"H − 0. {0"H{1" = 2 −2H. 
Axiom 2: 1 ≤ %3 ≤ 2 − 2H 
 
For %9, the smallest possible value is 0. {0" and the largest 
possible value is 0. {0"H{1"H = 0. {0"H{1"{0" −0. {0"{1" = 2H − 2.  
Axiom 3: 0 ≤ %9 ≤ 2H − 2 
 
For all floating point operations, the result gets rounded even 
in the full-precision unit. Take multiplication * × + → (  for 
example:  * × + = () = - × 2#0 × %- + 2-	 Eqn. (1) 
Rounding error 2- is bounded by machine epsilon (Q). In the 
following derivations, we assume the default IEEE rounding 
mode round-to-nearest (to even on tie), in which case Q equals 2R . For the other three modes (toward 0, +∞, and 	−∞), Q 
equals 2.  
Axiom 4: −2R ≤ 2( ≤ 2R 
 
For the reduced precision checker, the rounding error 2-4 	 is 
still 0.5 ulp of the checker. Because the least significant bit in the 
checker’s mantissa is 2H, 2-4  is bounded by 
Axiom 5: −2H ≤ 2(4 ≤ 2H 
 
Note that Axiom 4 and Axiom 5 apply to all operation types, 
not just multiplication, because we considered only the 
relationship between the result produced by a FPU and the true 
 4 
 
result with unlimited precision. Regardless of the type of 
operation, rounding is performed in the same manner.  
An important part of bounding Diff is to connect the integer 
subtraction used to calculate Diff to the floating point values of 
its two operands. Consider the integer subtraction for computing 
Diff in forward checking. 
Diff = ([30: 23 − &	] STU (4[7 + &	: 0] 
= {∃-"{-3" =VP {∃-4 "{-4" 
When - = -4 → ∃-= ∃-4  (common case scenario): <= = -3 =VP -4 
Because 1. {-3" = %-3  and 1. {-4" = %-4 , the difference above 
equals the floating point difference between %-3  and %-4  left 
shifted by k (i.e., converted to an integer).  
Axiom 6: When - = -4 ,	 <= = X%-3 YZ[\U%-4 ] × 2H 
Axiom 6 applies to reverse checking similarly, except that, 
instead of (3 − (’ , A’ or B’ is subtracted from *3  or +3 , 
respectively.  
 
5 RPC FOR MULTIPLICATION 
The full-precision FPU computes * × + → (: 8 × 2#^ ×%8	 × _ × 2#` ×	%_	 = - × 2#0 × %- + 2-	 
During error-free execution, - = 8 × _ . So the signs on 
both sides of the equation cancel and leave: %8 ×	%_ × 2#^a#` = 	 %- + 2-	 × 2#0 Eqn. (2) %-3 = %8 ×	%_ × 2#^a#`#0 − 2- −%-9 Eqn. (3) 
The RPC unit computes *3 × +3 → (′: 8 × 2#^ ×%83	 ×	 _ × 2#` ×%_3	 	= -4 × 2#0b × %-4 + 2-4 		 
Because 8 × _ = -4 , %83 ×	%_3 × 2#^a#` =	 %-4 + 2-4 	 	× 2#0b  Eqn. (4) %-4 = %83 ×	%_3 × 2#^a#`#0b − 2-4  Eqn. (5) 
After the hardware adds EA and EB and multiplies MA and MB 
with integer operations, it must normalize the result. To 
normalize, the hardware shifts %8 ×%_ until only one non-zero 
bit is to the left of the binary point. The number of right shifts is 
then added to 8 + _ to get -. By Axiom 1, both MA and MB 
are less than 2. Therefore %8 ×%_ is strictly less than 4 (100 in 
binary), and there can be at most 2 non-zero bits to the left of the 
binary point. Thus, %8 ×%_ is right shifted by at most one bit.  
In multiplication, the exponent of the product is equal to or is 
one larger than the sum of the exponents of the operands. 
We apply this rule to both the FPU and the checker: 
FPU: 8 + _ = -			or			8 + _ + 1 = - 
Checker: 8 + _ = -4   or  8 + _ + 1 = -4  
Because operands used by the checker are truncated from 
operands used by the full-precision FPU, the absolute value of 
C’ is less than or equal to the absolute value of C. So EC’ must 
be less than or equal to EC.  -4 ≤ - 
Combining the conditions above, there are three cases we 
need to consider.   
Common Case 1: 8 + _ = -4 = - Eqn. (6) 
Common Case 2: 8 + _ + 1 = -4 = - Eqn. (7) 
Corner Case: 8 + _ + 1 = -4 + 1 = - Eqn. (8) 
The common cases are discussed in Sections 5.1 and 5.2. 
For both common cases, because - = -4 , Axiom 6 is valid, and 
thus we can subtract Eqn. (5) from Eqn. (3) to get: <= ÷ 2H = %-3 −%-4  = %83%_9 +%89%_3 +%89%_9	 × 2#^a#`#0 −%-9 + 2-4 − 2-	 
Let %∗ = %83%_9 +%89%_3 +%89%_9 Eqn. (9) %-3 −%-4 = %∗ 	× 2#^a#`#0 −%-9 + 2-4 − 2-	 Eqn. (10) 
Eqn. (8) is the corner case when Ed4 ≠ Ed  so Diff no longer 
equals Mdf	–Md4 	 × 	2g. We present this corner case in Appendix 
B.  
 
5.1 Common Case 1 
Using Eqn. (6), we simplify Eqn. (10) to %-3 −%-4 = %∗  + −%-9  + 2-4 − 2-  Eqn. (11) 
Using Axiom 2 and Axiom 3, we can bound boxed term 1 in 
Eqn. (11), which we denote <1> hereafter: 0 ≤ %∗ ≤ 2 − 2H	2H − 2	 × 2 + 2H − 2	 = 4 − 2H − 2	2H − 2	 = 4 ∙ 2H − 2	 − 2H + 2R: ≤ 4 ∙ 2H − 2	 
Using Axiom 3, we bound <2>: −2H + 2 < −%-9 ≤ 0 
Using Axiom 4 and Axiom 5, we bound <3>:  −2R − 2H ≤ 2-4 − 2- ≤ 2R + 2H 
We calculate the upper bound of Diff by summing the upper 
bounds of the three terms and multiplying by 2H. <= = %-3 −%-4 	 × 2H ≤ [4 ∙ 2H − 2	 + 2R + 2H] × 2H < 4.5 
Similarly for the lower bound on Diff, we have: <= = %-3 −%-4 	 × 2H ≥ [−2H + 2 − 2R − 2H] × 2H > −1.5 
The above analysis for the upper bound is simplified for 
purposes of providing intuition. With more sophisticated analysis 
(Appendix C), we can prove that the upper bound of Diff is strictly 
less than 4. The reason is because the three bounded terms 
above are not independent from each other and cannot reach 
their maximums at the same time. As Diff is an integer, the 
allowable range of values for Diff in this case is [-1,3]. 
 
5.2 Common Case 2 
Using Eqn. (7), Eqn. (10) can be rewritten as: %-3 −%-4 = %∗ × 2  + −%-9  + 2-4 − 2-  
Terms <2> and <3> are the same as in Section 5.1 and thus 
have the same bounds. Term <1> has an additional 2 factor 
not present in Section 5.1. Thus <1> is bounded by 0 ≤ %∗ × 2 ≤ 2 ∙ 2H − 2	 
The upper bound on Diff is: <= = %-3 −%-4 	 × 2H ≤ [2 ∙ 2H − 2	 + 2R + 2H] × 2H ≤ 2.5 
 5 
 
The lower bound is the same as in Section 5.1 (i.e., -1). The 
allowable range for Diff in this case is [-1,2]. 
 
Summary: In this section, Appendix B, and Appendix C, 
we have proved that the allowable range of Diff for 
multiplication is [-1, 3].  
Prior work [9] proved a looser bound of [-7,7]. 
6 RPC FOR DIVISION AND SQUARE ROOT 
RPC for division and square root uses reverse checking with 
multiplication. We use the same reduced-precision multiplier that 
checks multiplication.  
 
6.1 Division 
To check * ÷ + → (, the checker performs (3 × +3 → *′. In 
this section, we show that reverse checking of division has the 
same bounds on Diff as multiplication.  
The full precision FPU computes * ÷ + → (: 8 × 2#^ ×%8	 ÷ _ × 2#` ×%_	 = - × 2#0 × %- + 2(	 
Because 8 ÷ _ = -, %8 ÷%_ × 2#^#` = %- + 2-	 × 2#0 %83 = %- + 2-	 × %_ × 2#0a#`#^ −%89 Eqn. (12) 
The checker computes (3 × +3 → *′: - × 2#0 ×%-3	_ × 2#` ×%_3	 = 84 × 2#b^ × %84 + 2*4 	 
Because - × _ = 84 , %-3 ×%_3 × 2#`a#0 = %84 + 28′ 	 × 2#b^  %84 = %-3%_3 × 2#`a#0#b^ − 28′  Eqn. (13) 
Using similar analysis as for multiplication, because 1 ≤%8 , %_ < 2 according to Axiom 1, the FPU’s quotient %8 ÷%_ is 
in the range of (0.5, 2), open interval. Therefore, the quotient 
needs to be left-shifted by at most 1 to be normalized such that 
one bit is to the left of the binary point.  
In division, the exponent of the quotient is equal to or is one 
less than the difference between the exponents of the dividend 
and divisor.  
Applying this rule to the FPU and retaining the same rule for 
the checker that we had for multiplication, we have: 
FPU: 	8 − _ = -	 or 8 − _ − 1 = - 
Checker: - + _ = 84  or - + _ + 1 = 84  
The absolute value of A’ is less than or equal to the absolute 
value of A due to truncating the mantissas of %- and %_, and 
thus 84 ≤ 8.	
Combining the conditions above, there are again three cases 
we must consider: 
Common Case 1:	_ + - = 84 = 8 Eqn. (14) 
Common Case 2: _ + - + 1 = 84 = 8 Eqn. (15) 
Corner Case: _ + - + 1 = 84 + 1 = 8 Eqn. (16) 
The first two cases are presented in Sections 6.1.1 and 6.1.2. 
Because 84 = 8, <= = %83 −%84 	 × 2H according to Axiom 6. 
The difference between Eqn. (12) and Eqn. (13) can be simplified to: %83 −%84 = %_3%-9 +%_9%-3 +%_9%-9	 × 2#0a#`#^ −%89 	+m2-%_ × 2#0a#`#^ + 28′ n	Let	%∗ = %_3%-9 +%_9%-3 +%_9%-9,	
%83 −%84 = %∗ × 2#0a#`#^ −%89 	+2-%_ × 2#0a#`#^ + 28′  Eqn. (17) 
The corner case when Er ≠ Er4  can be analyzed similarly to 
the corner case of multiplication in Appendix B.  
6.1.1 Common Case 1 
Using Eqn. (14), Eqn. (17) can be simplified to: %83 −%84  = %∗  + −%89  + %_2( + 2*4  Eqn. (18) 
<1> and <2> have the same boundary conditions as <1> and 
<2> in Section 5.1, respectively. The only difference between 
Eqn. (18) and Eqn. (11) is that in <3> 2-4 − 2- becomes %_2( + 2*4 . 
Given %_,2(, and	2*4  are in the range [1,2	,[−2R, 2R], and	[−2H, 2H], according to Axiom 1, Axiom 4, 
and Axiom 5, respectively, <3> now has the following bounds: −2H − 2 < %_2- + 28′ < 2H + 2 
which slightly differs from the bounds on <3> in Section 5.1. This 
slight difference in this term does not affect the overall bounds 
on %83 −%84  as compared to Section 5.1. <= = %83 −%84 	 × 2H ≤ [4 ∙ 2H − 2	 + 2 + 2H] × 2H < 4.5 <= = %83 −%84 	 × 2H ≥ [−2H − 2 − 2H + 2] × 2H = −1.5 
Again, the upper bound can never reach 4 for the same 
reason as in multiplication. Therefore, the allowable range of Diff 
is still [-1,3]. 
6.1.2 Common Case 2 
Using Eqn. (15), Eqn. (17) can be simplified to: %83 −%84 = %∗ × 2−1 1 + −%*E 2 + 28′ + %+2- × 2−1 3 
The boundary condition of <3> becomes −2g − 2R ≤ X2*′ +%+2( × 2−1] ≤ 2g + 2R 
<1>, <2>, and <3> have the same boundary conditions as 
<1>, <2>, and <3> in Section 5.2, respectively. Therefore, both 
the upper and lower bounds of Diff are identical to those in 
Section 5.2.  
Summary: The corner case of division can be proved in 
the same manner as multiplication presented in Appendix 
B. Overall, Diff has the same bounded range for division 
as for multiplication, which is [-1,3]. 
 
6.2 Square Root 
Checking square root is almost identical to checking division.  
To check MNOP+	 → (, the checker performs (3 × (3 → +4. The 
analysis for square root is identical to the analysis for division 
except the two operands of the checker are the same. Therefore, 
the allowable range of Diff for square root is also [-1,3].  
 
7 RPC FOR ADDITION/SUBTRACTION 
Because of the cancellation problem we discussed in Section 
3.2 for addition and subtraction [1], we must separately consider 
the following two scenarios:  
• addition of same-sign operands (SSADD) or subtraction of 
different-sign operands (DSSUB) (Section 7.1) 
 6 
 
• addition of different-sign operands (DSADD) or subtraction 
of same-sign operands (SSSUB) (Section 7.2) 
7.1 Same-Sign Addition (SSADD) or Different-
Sign Subtraction (DSSUB) 
For both addition of same-sign operands 8 	= 	 _	  and 
subtraction of different-sign operands Sr ≠	 SI	, RPC checks 
the result of the baseline FPU using forward checking, i.e., * ++ → ( is checked with *3 + +3 → (4, and * − + → ( is checked 
with *3 − +3 → (′. These two situations can be easily converted 
to one another to get * + −+	 → (. The resulting operation is 
an addition with same-sign operands (A and -B). As a result, 
SSADD and DSSUB have identical upper and lower bounds for 
Diff. Without loss of generality, we explain only SSADD in this 
section but the bounds apply equally to DSSUB.   
The full-precision FPU computes * + + → (:  8 × 2#^ ×%8	 + _ × 2#` ×%_	 = - × 2#0 × %- + 2(	 
Because 8 = _ = -, we have: 2#^ ×%8 +	2#` ×%_ = 2#0 × %- + 2-	 Eqn. (19) %-3 = %8 × 2#^#0 +	%_ × 2#`#0 −%-9 − 2( Eqn. (20) 
The RPC checker computes *3 + +3 → (4: 8 × 2#^ ×%83	 + _ × 2#` ×%_3	 = -4 	× 2#04 × X%-4 + 2(′ ] 
Because 8 = _ = -4 , 2#^ ×%83 +	2#` ×%_3 =	2#04 × %-4 + 2-4 	  Eqn. (21) %-4 = %83 × 2#^#0b +%_3 × 2#`#0b − 2-4   Eqn. (22) 
As with multiplication, division, and square root, a key aspect 
of our derivations is to understand the relationship between the 
exponents of the operands and results. To sum two numbers 
with the same sign, the mantissa of the operand with the smaller 
exponent w	  must right shift until its exponent matches the 
operand with the larger exponent 9 = max8, _		. If exactly 
one bit is to the left of the binary point after summing the two 
mantissas, then the exponent of the result equals 9 . Else, if 
more than one bit is to the left of the binary point, then the sum 
of the mantissas must right-shift accordingly, and the exponent 
of the result equals 9 plus the number of right shifts. The sum 
of the two mantissas reaches its maximum when both operands 
have the same exponent (i.e., no shift in mantissa of either 
operand), and this maximum sum of the mantissas is strictly less 
than 4 (100 in binary) by Axiom 1. As a result, the sum of the 
two mantissas has at most two bits to the left of the binary point, 
and thus the number of right shifts is either zero or one.  
Based on this analysis, the exponent of the sum, -  , equals 9  or 9 +1.  When - = 9 , we further know that 8 ≠	_ 
because, if 8 = _ ,	then we can add %8 and %_ without shifting. 
The smallest value %8 +%_ can be is 2 (10 in binary) because %8 , %_ ≥ 1 according to Axiom 1. Thus, the sum must right shift 
to normalize %-, which violates - = 9.  
For addition, the exponent of the sum is equal to or one 
greater than the maximum of the operands’ exponents (EL). 
Furthermore, when the exponent of the sum equals EL, the two 
operands must have unequal exponents. 
Applying this rule to the FPU and checker, we have: 
FPU: 
max8, _	 = -	zV{	8 ≠ _  
or max8, _	 + 1 = - 
Checker: 
max8, _	 = -4 	zV{	8 ≠ _  
or max8, _	 + 1 = -4  
The absolute value of C’ must be less than or equal to the 
absolute value of C. Therefore, -4 ≤ - 
Similar to multiplication and division, there are 3 types of 
relationships between 8, _ , and	-. 
Common Case 1: max8, _	 = -4 = - Eqn. (23) 
Common Case 2: max8, _	 + 1 = -4 = - Eqn. (24) 
Corner Case: max8, _	 + 1 = -4 + 1 = - Eqn. (25) 
The common cases are considered in Sections 7.1.1 and 
7.1.2. For both common cases, - = -4 , so Axiom 6 is valid and 
the difference between Eqn. (20) and Eqn. (22) can be simplified 
to: %-3 −%-4 = %89 × 2#^#0 +	%_9 × 2#`#0 −%-9+ 2-4 − 2-		 Eqn. (26) 
We present the corner case for Eqn. (25) when Ed ≠ Ed4  in 
Appendix B. 
 
7.1.1 Common Case 1 
In Eqn. (26), A and B are symmetric, and without loss of 
generality, we can explain only the case when abs(A)>abs(B) 
and 8 > _ because 8 ≠ _. - = -4 = 8 > _ Eqn. (27) 
Eqn. (26) can be simplified to: %-3 −%-4 = %89 +%_9 × 2#`#0  + −%-9  + 2-4 − 2-  
Because - > _, then - ≥ _ + 1:  0 < 2#`#0 ≤ 2 
Using Axiom 3, we can bound <1>: 0 < %89 +%_9 × 2#`#0 ≤ 2H − 2	 + 2H − 2	 × 2 = 1.5 × 2H − 2	 
and we can bound <2>: −2H + 2 ≤ −%-9 ≤ 0 
Using Axiom 4 and Axiom 5, we can bound <3>: −2g − 2R ≤ 2-4 − 2- ≤ 2H + 2R 
As a result, the upper bound of Diff is: %-3 −%-4 	 × 2H ≤ 1.5 × 2H − 2	 + 2H + 2R	 × 2H < 2 
The lower bound of Diff is %-3 −%-4 	 × 2H ≥ −2H + 2 − 2H − 2R	 × 2H > −1.5 
Therefore, the allowable range of Diff is [-1,1]. 
 
7.1.2 Common Case 2 
Without loss of generality, we can again explain only z|M*	 ≥ z|M+	 and 8 ≥ _.  - − 1 = -4 − 1 = 8 ≥ _ Eqn. (28) 
Eqn. (26) can be simplified to %-3 −%-4 = %89 × 2 +%_9 × 2#`#0  + −%-9  + 2-4 − 2-  
Using Axiom 3 and Eqn. (28), we bound <1>: 
 7 
 
0 < %89 × 2 +%_9 × 2#`#0 < 2H − 2	 × 2 × 2 = 2H − 2 
Terms <2> and <3> have the same boundary conditions as in 
Section 7.1.1. 
So the upper bound of Diff is: %-3 −%-4 	 × 2H ≤ 2H − 2 + 2H + 2R	 × 2H < 1.5 
The lower bound of Diff is still greater than -1.5. Therefore, 
the allowable range of Diff is [-1,1]. 
 
7.2 Different-Sign Addition (DSADD) or Same-
Sign Subtraction (SSSUB) 
Recall that our simple example in Section 3.2 was a SSSUB 
that motivated reverse checking.  The situation occurs when 8 = _ 	and	%83 = %_3, but %89 ≠ %_9. In this situation, the result 
of * − + → ( computed by the full-precision FPU has a non-zero 
value, whereas *3 − +3 → (4  computed by the checker (i.e., 
with forward checking) equals zero. As a result, Diff = C[30:(23-
k)]-C’[(7+k):0] can become arbitrarily large even in the absence 
of errors. DSADD is equivalent to SSSUB and thus suffers from 
the same problem in forward checking. 
To resolve the challenge, the checker applies reverse 
checking using (3 as one of its operands. In this way, we use 
SSADD/DSSUB to check SSSUB/DSADD. 
For SSSUB: * − + → (, 8 = _:  
• If 8 = _ = -, check (3 + +3 → *′ (SSADD).  
• If 8 = _ ≠ -, check *3 − (3 → +4 (DSSUB).  
Similarly, for DSADD * + + → (, 8 ≠ _: 
• If 8 = - ≠ _, check (3 − +3 → *4(DSSUB). 
• If 8 ≠ - = _, check (3 − *3 → +4(DSSUB). 
In the following section, we analyze the first scenario above: 
SSSUB with 8 = _ = - .  The other cases can be verified in a 
similar manner.  
The full-precision FPU computes * − + → (: 8 × 2#^ ×%8	 − _ × 2#` ×%_	 = - × 2#0 × %- + 2(	 
Because 8 = _ = - in this scenario: %8 −	2#`#^ ×%_ = 2#0#^ × %- + 2-	 %83 = %_ × 2#`#^ +%- × 2#0#^ −%89 + 2( × 2#0#^ 
The checker performs (3 + +3 → *′: - × 2#0 ×%-3	 + _ × 2#` × %_3	 = 	 84 × 2#^4 × m%84 + 2*′ n 
Because 84 = _ = -, 2#0#b^ ×%-3 + 2#`#b^ ×%_3 =	%84 + 2*′  %84 = %_3 × 2#`#b^ +%-3 × 2#0#b^ − 2*′  
To understand the relationships between 8 , _ , and	-  in 
SSSUB (which also apply to DSADD), consider * − + = () , 
where () is the true C with unlimited precision. Then + + () = *. 
From our previous analysis in Section 7.1, we have:  8 = max_, -)	 	zV{	_ ≠ -) (1) 
or 8 = max_, -)	 + 1 (2) 
From Axiom 4,  - = -) 	if	()	rounds	down (3) 
 or - = -) + 1	if	()	rounds	up  (4) 
We now look at the “cross-product” of possible scenarios: 
(1&3), (2&3), (1&4), (2&4): 
 
(1&3) 8 = max_, -	 , _ ≠ - 
(2&3) 8 = max_, -	 + 1 
The other two scenarios are either impossible or subsumed 
by a previous scenario. 
Scenario (1&4) differs from Scenario (1&3) only when -) >_, so 8 = max_, -	 = -)  in (1). Then because of (4), -) =- − 1. So 8 = - − 1 = max_, -	.  Thus, Scenario (1&4) is 
impossible because it implies that abs(C)>abs(A), which is 
impossible after B is subtracted from C, given that 8 	 = _. 
Scenario (2&4) differs from (2&3) only when -) > _ . 
Then8 = -) + 1 = - − 1	 + 1 = - . Because - > -) > _ , 8 = max_ , -	 , M	8 = max_ , -	 , which is the same as 
scenario (1&3).  
In subtraction, the exponent of the minuend (A) is equal to or 
one greater than 9, which is the maximum of the exponents of 
the subtrahend (B) and difference (C). Furthermore, when the 
exponent of the minuend equals 9 , the subtrahend and the 
difference must have unequal exponents. 
Applying this rule to the FPU and applying the rule for addition 
to the checker, we have: 
FPU: 
Er = max_, -	 	and	_ ≠ -  
or Er = max_, -	 + 1 
Checker: 
E′r = max_ , -	 and	_ ≠ -  
or 84 = max_ , -	 + 1 
Because of truncation in operands B and C, 84 ≤ 8. 
Therefore, 
Common Case 1: max_ , -	 = 84 = 8, _ ≠ - Eqn. (29) 
Common Case 2: max_ , -	 + 1 = 84 = 8 Eqn. (30) 
Corner Case: max_, -	 + 1 = 84 + 1 = 8 Eqn. (31) 
We analyze Eqn. (29) and Eqn. (30) in Sections 7.2.1 and 7.2.2. 
Because 8 = 84  in these common cases, Axiom 6 is valid and 
the difference between %83 and %84  is %83 −%84 = %_9 × 2#`#^ +%-9 × 2#0#^  + −%89  + 2*4 + 2( × 2#0#^  Eqn. (32) 
Eqn. (31) can be proved in similar way as the corner case of 
SSADD (Appendix A). 
7.2.1 Common Case 1 
In term <1>, because of Eqn. (29), either 2#`#^ or 2#0#^ must 
equal 1 because max_, -	 = 8 . The other is less than or 
equal to 2 because _ ≠ -. As a result, <1> is bounded by: 0 ≤ %_9 × 2#`#^ +%-9 × 2#0#^≤ 2H − 2	 + 2H − 2	 × 2= 1.5 × 2H − 2	 
For the same reason, 2#0#^ in <3> is smaller than or equal 
to 1. So we can bound <3>: −2H − 2R ≤ 2( × 2#0#^ + 2*′ ≤ 2H + 2R 
Term <2> is bounded to [−2H + 2, 0] according to Axiom 
3. As <1>, <2>, and <3> have the same boundary conditions as 
<1>, <2>, and <3> in Section 7.1.1, respectively, the bounds on 
Diff are identical to those in Section 7.1.1. Therefore, Diff is in 
the range [-1,1].  
 8 
 
7.2.2 Common Case 2 
Because of Eqn. (30), 0 < 2#`#^ , 2#0#^ ≤ 2  in <1>. As a 
result, <1> is bounded by: 0 ≤ %_9 × 2#`#^ +%-9 × 2#0#^≤ 2H − 2	 × 2 + 2H − 2	 × 2= 2H − 2 
In addition to the boundary condition from Axiom 4 and 
Axiom 5, <3> is bounded by −2H − 2 < 2( × 2#0#^ + 2*′ < 2H + 2 
Boxed term <3> has smaller bounds than <3> in Section 
7.1.2. Furthermore, <1> and <2> have same upper and lower 
bounds with <1> and <2> in Section 7.1.2, respectively. 
Therefore, Diff is in the range [-1,1].  
Summary: Along with analysis in Appendix A, the 
analysis in section 7 shows the allowable range of Diff for 
addition and subtraction are [-1,1]. 
Prior work [1] proved a looser bound of [-2,1]. 
 
8 MAXIMUM PERCENTAGE ERROR  
With bounds on Diff, we can now approximate the Maximum 
Percentage Error (MPE) for errors undetected by RPC. This 
derivation is an approximation in that it applies to all common 
situations but not some of the extremely rare corner cases. This 
section shows that the undetected errors are small. We compute 
the percentage error as:  %Error = Correct	Result − Erroneous	ResultCorrect	Result  × 100% 
We have proven that Diff is in the range of [-1,1] for 
addition/subtraction and [-1,3] for multiplication, division, and 
square root. For the common cases, Diff corresponds to the 
difference between the fractions of the baseline FPU and the 
checker.  
We represent an erroneous computation with an “E” above 
the right-arrow and an erroneous result as ( . 
8.1 Forward Checking 
In forward checking, the FPU and the checker compute  *		+ #→ (	and	*3 		+3 → (4 MPE = ( − ((  = %- −%-%-  	≅ %-4 − %-	3%-  	≅ <= × 2H%- 	 
RPC only misses an error when Diff is within the derived bounds. 
Also %- ≥ 1, so  MPE ≤ max|<=|	 × 2H × 100% 
8.2 Reverse Checking 
In reverse checking of division (which also applies to square 
root), Diff represents the difference in the fractions of *3 and A’. 
However, what we are really interested in is the difference 
between ( and C. We know that: * ÷ + #→( 	and	(3 × +3 = *4 
The percentage error is: ( − ((  ≅ *3 ÷ +3 − *4 ÷ +3(  	≅ *3 − *4	 ÷ +3(  
= <= × 2H ÷%_	 × 2#^#`%- × 2#0  
As 8 − _ ≥ - 	and	%_%- ≥ 1, MPE is loosely bounded by 
% ≤ <= × 2H	%_%- ≤ max|<=|	 × 2H × 100% 
In reverse checking of SSSUB (also applies to DSADD), * − + #→ ( 	and	(3 + +3 = *4 
Then ( − ((  ≅ * − + − *4 − +3	(  
When 8 ≅ - ≫ _, |( − (| ≅ |*3 − *4| = |%8f −%84 | × 2#0 MPE = max %83 −%84	%-  × 100% ≤ max|<=|	 × 2H × 100% 
When _ ≅ - ≫ 8, |( − (| ≅ +9 = %_9 × 2#0 MPE = max %_9 	%-  × 100% < 2H × 100% 
8.3 Summary 
Because max|<=|	  for SSSUB is just 1, MPE is 
approximately max|<=|	 × 2H ∗ 100% for all operations. This 
approximate analysis does not completely bound the maximum 
percentage error uncaught by RPC, but rather shows that, under 
most circumstances, undetected errors have very small 
percentage errors. For example, the MPE for a 16-bit checker 
(k=7) is 0.78% for addition and subtraction, and 2.34% for the 
other operations.  
9 IMPLEMENTATION AND INTEGRATION INTO 
PROCESSOR CORE 
We implemented RPC as an extension of a floating point unit 
developed by Kwon et al. [3]. Our implementation of RPC 
includes the following four components: one k+9-bit 
adder/subtractor, one k+9-bit multiplier, logic to determine how 
to perform the checking, and buffers to hold operands and results 
until checking can be performed. 
9.1 Handling Floating Point Exceptions 
When certain floating point exceptions occur, RPC is unable 
to check for errors. The reason for this limitation is that the 
assumptions we make about rounding error are valid only when 
the FPU does not encounter the following exceptions: overflow, 
underflow, invalid, and divide-by-zero. In these circumstances, 
the result of the FPU is formatted to positive/negative infinity, 
zero or denorm, NaN, and positive/negative infinity, accordingly. 
Therefore, our checker is suppressed when these rare cases are 
detected.  
9.2 Performance Impact 
RPC can impact performance if the processor core is waiting 
for a result to be checked before it can commit a floating point 
instruction.  For some floating point operations, we can perform 
checking in parallel with the full-precision FPU, but reverse 
checking does not permit this parallelism. If we try to begin each 
check as soon as it has its operands, we could encounter a 
situation in which a reverse check and a forward check need to 
use the same checker at the same time.  To avoid the complexity 
of managing these situations, we choose to have the checker 
always wait until the FPU has completed (even for forward 
checking). 
 9 
 
 
As the checker is modified based on the baseline FPU, it 
should have at least the same throughput and thus the 
performance impact of RPC is limited to the extra reorder buffer 
(ROB) pressure incurred by floating point instructions that are 
ready to commit but have not yet been checked.  The 
performance penalty due to this extra ROB pressure depends on 
the microarchitecture and the software running on it, but we do 
not expect it to be large. 
 
 
10 ERROR DETECTION COVERAGE 
The primary goal of our experimental evaluation is to 
determine the error detection coverage of RPC.   
10.1 Error Injection Methodology 
To evaluate the error detection coverage, we ran an extensive 
set of error injection experiments.  In each experiment, we forced 
a single stuck-at error on a different wire in the flattened netlist 
that includes the full-precision FPU and all of the RPC hardware. 
Note that a single stuck-at error on a wire can often cause 
multiple errors downstream of the injected error, due to fan-out, 
 
 
Figure 3. Classification of Injected Errors Figure 4. Distribution of Size of UMUD Errors 
 10 
 
and thus injecting errors at this low level is far more realistic than 
injecting errors in a microarchitectural simulator [4].   
For every wire in the netlist, we ran 2000 experiments. Half of 
the experiments inject a stuck-at-0 error on the wire and test 
1000 different inputs; the other half inject a stuck-at-1 on the wire 
and test the same 1000 random inputs. 
We considered injecting transient errors, but a very large 
fraction of transient errors were masked (i.e., had no impact on 
execution).  Masking is quite common, as in prior work in error 
injection [8], because each error affects the results for only a 
subset of all possible inputs, and often these subsets are tiny. 
Transient errors, in particular, are masked with very high 
probability. To obtain statistically significant data in a tractable 
amount of time, we injected permanent stuck-at errors, which are 
less likely to be masked. Moreover, a floating point operation is 
a relatively short latency event, which makes transient errors 
similar to permanent errors.  
10.2 Results 
In Figure 3, we show our results by classifying errors into 
categories, and we present a separate graph for each of the five 
arithmetic operations (add, sub, mul, div, sqrt). The figures focus 
on the errors that are unmasked, i.e., those  
errors that affect the result of the FPU and/or the result of the 
checker.   
Among the unmasked errors, we classify the errors into four 
categories:  
• unmasked and detected (UMD) – our desired outcome 
• unmasked undetected (UMUD) – a silent data corruption, 
which is the worst outcome 
• unmasked unchecked (UMUC) –unusual corner case when 
RPC suppresses checking 
• false positive (FP) – error affected checker and is detected 
even though result of FPU is correct 
 
The first observation from Figure 3 is that there is a clear 
trade-off between error detection capability and cost.  As the 
checker is made wider, there are fewer undetected errors.   
A corollary to this first result is that there are also more false 
positives, because the checker is larger and thus more liable to 
be the victim of an injected error.  Notice that there are fewer 
false positives in division and square root than addition, 
subtraction, and multiplication; this is because the divider and 
square root unit are significantly larger than the checker 
multiplier.  Unlike a dual modular redundancy scheme (i.e., 
simply replicate the unit to be checked), which has 50% false 
positives, RPC can reduce the fraction of false positives by 
having a smaller checker.  
From Figure 3, it appears RPC misses a large portion of 
unmasked errors at small checker width (such as 16, i.e., 7 bits 
mantissa). However, Figure 4 shows that RPC detects the vast 
majority of the large errors.   
Figure 4 presents the distribution of the size of the unmasked 
undetected (UMUD) errors. In these graphs, the top, middle, and 
bottom bars of the vertical box indicate the first quartile, median, 
and second quartile of percentage errors, respectively. The top 
whisker defines a 1.5 inter-quartile range away from the first 
quartile, and data above here are defined as outliers. The 
connected green diamonds mark the approximate MPE 
computed in Section 8. The percentage number above the 
diamonds is the percentage of UMUD errors that has percentage 
error larger than the approximate MPE.  An error larger than the 
approximate MPE includes the corner case scenarios and faults 
in a handful of components that, when faulty, can cause 
extremely strange behavior.  For example, an error in the wire 
that determines whether the output should be formatted in an 
exceptional way (e.g., as a NaN) can cause the output to differ 
dramatically from the correct result and cause an outlier in the 
percentage error calculation. 
We observe that only a very small fraction of UMUDs have 
percentage errors that are not bounded by the MPE. Overall, the 
percentage errors of UMUDs are extremely small; the median is 
less than 0.1% even with a minimally-sized 1-bit mantissa (10-
bit checker) for all operations. At checker width 16, only 
0.003%~0.055% undetected errors have percentage error larger 
than the approximate MPE (0.78% for addition and subtraction, 
and 2.34% for the other operations). This means a vast majority 
of those undetected errors in Figure 3 at width 16 are very small.  
 
11 AREA, POWER, AND ENERGY OVERHEADS 
We now evaluate the area and power overheads of our RPC 
implementation. 
11.1 Area 
We used Synopsys CAD tools to layout the FPU, with and 
without RPC, in 45nm technology [7]. The results in Figure 5 (a) 
show that RPC’s area overhead ranges from about 30% to 
about 90%, depending on the checker’s width. This overhead is 
far less than that of simple dual modular redundancy (100%). 
11.2 Energy 
We compute the per operation energy overhead using the 
power and latency results from the CAD tools. As with the area 
analysis, we determine the dynamic and static power overheads 
of RPC with post-synthesis gate-level power estimation.  After 
laying out the circuitry, we obtained the parasitic resistances and 
capacitances and back-annotated the circuits with them.   
To determine the power, we feed the synthesized module with 
1000 random inputs for each operation at all checker widths to 
acquire switching activities of each wire/cell, which is further 
used to compute both dynamic and static power. To minimize 
power consumed by buffers for reverse checking, we use clock 
gating to optimize our design.  
Our experiments show that static power comprises roughly 
20% of overall power and, unlike dynamic power, is relevantly 
stable across different operations and checker widths. Figure 
 
(a) (b) 
Figure 5. Area and Energy Overheads 
 11 
 
5(b) shows the per operation energy overhead of 5 operations. 
Addition and subtraction suffer the most from energy overhead 
because they are relatively cheap operations. Hence, the 
checking logic incurs nontrivial overhead. However, before width 
18, the overhead is still cheaper than dual modular redundancy. 
Multiplication incurs somewhat less energy overhead, reaching 
100% at width 28. For the most expensive operations, division 
and square root, as their checker multiplier is significantly smaller 
in size, RPC is very efficient and has less than 70% overhead at 
full checker width. Note that the overheads in Figure 5(b) include 
the impact of the checker, logic, and buffer over each single 
operation. However, the checker adder is shared between 
addition and subtraction; the checker multiplier is shared among 
the other 3 operations; and logic and buffers are shared among 
all operations. So the overheads do not sum up for a mixture of 
5 operations.  
12 RELATED WORK 
The most related work is the prior work on RPC, which we 
have already discussed [1][9].  In addition, there have been other 
proposed schemes for detecting errors in floating point 
hardware. 
Lipetz and Schwarz [5] propose residue checking, which is 
complete and cost-efficient, in principle, but we cannot resolve 
how their scheme handles the issue of rounding.  We speculate 
that, based on an IBM patent [2], the FPU passes rounding 
information to the residue checker, but such a design would be 
unable to detect errors in rounding logic.   
Maniatakos et al. [6] propose a low-cost scheme in which the 
hardware checks only the exponents of floating point operations.  
Like us, they seek to detect all large errors, but checking only 
exponents misses many errors that we consider too large to be 
acceptable.  
13 CONCLUSIONS 
In this work, we have applied RPC to an entire floating point 
unit.  We have comprehensively analyzed its ability to detect 
errors and the size of errors that can go undetected.  Based on 
our results, we believe that RPC is an attractive method for 
detecting errors in FPUs.  We are unaware of other approaches 
for detecting errors in FPUs that can be tuned to trade off error 
detection coverage versus cost.   
REFERENCES 
[1]  P. J. Eibl, A. D. Cook, and D. J. Sorin, “Reduced Precision Checking 
for a Floating Point Adder,” in Proceedings of the 24th IEEE 
International Symposium on Defect and Fault Tolerance in VLSI 
Systems, 2009. 
[2]  S. Iacobovici, “United States Patent: 7769795 - End-to-end residue-
based protection of an execution pipeline that supports floating point 
operations,” U.S. Patent 776979503-Aug-2010. 
[3]  T.-J. Kwon, J.-S. Moon, J. Sondeen, and J. Draper, “A 0.18 um 
Implementation of a Floating-point Unit for a Processing-in-memory 
System,” in Proceedings of the International Symposium on Circuits 
and Systems, 2004, vol. 2, pp. II–453–6 Vol.2. 
[4]  M.-L. Li, P. Ramachandran, R. U. Karpuzcu, S. K. S. Hari, and S. Adve, 
“Accurate Microarchitecture-level Fault Modeling for Studying 
Hardware Faults,” in Proc. Fourteenth International Symposium on 
High-Performance Computer Architecture, 2009. 
[5]  D. Lipetz and E. Schwarz, “Self Checking in Current Floating-Point 
Units,” in 20th IEEE Symposium on Computer Arithmetic, 2011, pp. 73–
76. 
[6]  M. Maniatakos, Y. Makris, P. Kudva, and B. Fleischer, “Exponent 
Monitoring for Low-Cost Concurrent Error Detection in FPU Control 
Logic,” in IEEE VLSI Test Symposium, 2011. 
[7]  Nangate Development Team, “Nangate 45nm Open Cell Library.” 
2012. 
[8]  A. Pellegrini, R. Smolinski, L. Chen, X. Fu, S. K. S. Hari, J. Jiang, S. V. 
Adve, T. Austin, and V. Bertacco, “CrashTest’ing SWAT: Accurate, 
Gate-Level Evaluation of Symptom-Based Resiliency Solutions,” in 
Design, Automation Test in Europe Conference Exhibition (DATE), 
2012, 2012, pp. 1106–1109. 
[9]  K. Seetharam, L. Co Ting Keh, R. Nathan, and D. J. Sorin, “Applying 
Reduced Precision Arithmetic to Detect Errors in Floating Point 
Multiplication,” in Proceedings of the Pacific Rim International 
Symposium on Dependable Computing, 2013. 
  
Acknowledgments 
This material is based on work supported by the National 
Science Foundation under grant CCF-111-5367. 
 
Appendix A: EC=EC’+1 for SSADD 
In this section we consider the corner case scenario for 
SSADD Eqn. (25). When - = -4 + 1, Axiom 6 is no longer valid. 
To derive the upper bound of Diff in this case, we need to 
understand the difference (we denote as D) between what is 
computed by the FPU and the checker and under what 
circumstance D causes - ≠ -4 .  To simplify the analysis, we 
introduce the notation |X| to denote the integer represented by 
the concatenation of the exponent and mantissa bits of X without 
sign bits. So for example, ([30: 23 − &	]  is |(3|  and (4[7 +&	: 0] is |(4|.  
We know that |(4| ≤ |(| because of truncation in operands in 
computing C’. As we care only about the magnitude of the 
difference in this case, we define D = |C|-|C’|. Then |C| = |C’| + 
D. (Note that D is not Diff, which is |CH|-|C’|.) D is the difference 
between the left-hand sides of Eqn. (19) and Eqn. (21): < = %89 × 2#^ +%_9 × 2#` 	
Let < = 2# × % and let  = -4 .  Then % = %*E × 2*−(′ + %+E × 2+−(′ -4  differs from - only when %-4 +% ≥ 2. Then to normalize 
the sum, %-4 +% must right shift, resulting in - = -4 + 1. From 
Eqn. (25), -4 = max8, _	 , 8 ≠ _ . Therefore, 2#^#0b ≤1	and	2#`#0b ≤ 1, but they cannot both equal 1 at the same time.  
Thus, we have: % < %89 +%_9 < 2 × 2H 
Therefore, %  must be in the form of 0. {0"H{ … ", where 
each x represents an unknown bit and can be either zero or one. 
Each x is independent from each other and they may or may not 
hold the same value. %-4  is all zero after its first k bits to the right 
of its binary point, i.e., it is in the form 1. {"H{0… " %: 0. 000…000  … %-4 : 1.  … 0…0 
  k bits  
 12 
 
If the sum of the two ever reaches 2, the first x in the fraction 
of % must equal 1 and all x in %-4  must equal 1. Their sum must 
be in the form of 10. {0"H{… " before being normalized. After 
being normalized, %- must be in the form of 1. {0"Ha{ … ". %: 0. 000…0001  … +			%-4 : 1. 111…1111 0…0 % +%-4 : 10. 000…0000  … %- : 1. 000…0000 0 … 
  k bits  
So when	- ≠ -4 , the fractions (not including the implicit 1) 
must be -3 = {0"H, -4 = {1"H. Now consider <= = |(3| − |(4|: |(3|  {∃-"{-3"  {∃-4 + 1"{00…0" −		|(4| → −		{∃-4 "{-4" → −		{∃-4 "{11…1" <=  - − -4 	 × 2H + -3 − -4	  1 
where ∃-= - + 127	and	∃-4 = -4 + 127 . Therefore, for the 
corner case Eqn. (25), Diff equals 1, which is within the range [-
1,1].  
 
Appendix B: EC=EC’+1 for Multiplication 
 
This corner case of multiplication, Eqn. (8), follows a similar 
analysis as in Appendix A. In this case, D is the difference 
between the left hand sides of Eqn. (2) and Eqn. (4).  < = %∗ × 2#^a#` 
where M* is defined in Eqn. (9). From Eqn. (8), we know that 8 +_ = -4 . Let < = 2# ×% ,  = -4 . Then we have % = %∗. In 
Section 5.1, we bound %∗ in <1>. So % < 4 × 2H and is thus in 
the form of 0. {0"H{ … ".  We also know that %-4  has only k 
mantissa bits, so it is of the form 1. {"H{0… ". 
 %: 0. 000…00  … %-4 : 1.  … 0…0 
  k bits  
The first (k-2) values of x in the fraction of %-4  must be 1 for 
the sum to reach 2. The sum of the last two x bits of % (denoted 
as ab) and last two y bits of %-4  (denoted as cd) must be greater 
than or equal to 4 	 = 	100 to produce the carry one.  %: 0. 000…00z|  … +			%-4 : 1. 111…11{ 0…0 % +%-4 : 10. 000…00  … %- : 1. 000…000  … 
  k bits  
Now Diff can be evaluated in the following steps: |(3|  {∃-"{0…00"  {∃-4 + 1"{0…0"{0−		|(4 → −		{∃-4 "{1…1{" → −		{∃-4 "{1…1"{{" <=  2H − {1"H{0" + {0 − {"  {1}{0e-cd}=10e-cd 
Consider all possible value of ab, cd, and ef, where ab + cd = 
1ef. The two-bit values ab and cd are both less than or equal to 11 	 = 	3. Therefore, ef cannot be 11, as that requires z|	 +	{	 = 	111 	 = 	7. Thus, the possible values of ab, cd, ef, and 
Diff are as follows: 
ab cd 1ef 10e Diff = 10e - cd 
01 11 
100 100 
1 = 1  
11 01 11 = 3  
10 10 10 = 2  
10 11 101 1 = 1  
11 10 10 = 2  
11 11 110 101 10 = 2  
Therefore, Diff is still within the range [-1,3] of multiplication. 
 
Appendix C: Upper Bound of Diff in 
Multiplication  
In Section 5.1 we proved the upper bound of Diff is less than 
4.5, indicating that this integer difference can be as large as 4. 
However, after billions of simulations, we never observed Diff 
equaling 4. In this section, we introduce a more sophisticated 
proof that bounds Diff to be less than 4 (i.e. %-3 −%-4 < 4 × 2H) 
and thus this integer difference can be at most 3. This proof also 
implies that the upper bounds on Diff for division and square root 
are also less than 4.  
To bound Diff, we must understand how %-4  differs from %-3.  
Thus, we need to understand how rounding happens in the 
checker and how rounding in the FPU affects the most significant 
k bits in %- (i.e. %-3).  
In the following analysis, we denote the unrounded (unlimited 
precision) result of the FPU’s mantissa as %-)  and the unrounded 
result of the checker’s mantissa as %-)4 . With unlimited precision, %-)  has more than 23 bits of fraction (i.e., bits after the binary 
point), and %-)4  has more than k bits of fraction even though their 
input operands have only 23 and k bits of fractions, respectively. 
We split both %-)  and %-)4  into High and Low terms: %-) = %-)3 +%-)9 and %-)4 = m%-)4 n3 + m%-)4 n9, where %3 refers to the implicit 1 
and the first k bits of the fraction; %9  refers to the bits less 
significant than %3 . For example, % = 1. { … ", %3 = 1. {"H ,%9 = 0. {0"H{… ". 
We derive an upper bound on %-3 −%-4  in three steps:  
Step 1: Analyze the relationship between %-)3 and m%-)4 n3. 
Step 2: Analyze (a) how rounding in the FPU affects %-3 and 
(b) how rounding in the checker affects %-4 . 
Step 3: Analyze the relationship between %-3 and %-4 . 
 
Step 1 
Given 8 + _ = - in Eqn. (2), the unrounded product of the 
mantissas is: %8%_ = %-) = %-)3 +%-)9 
In Eqn. (4), the checker computes the unrounded product: %83%_3 = %-)4 = m%-)4 n3 + m%-)4 n9 
From Eqn. (2), we can write: %-) = %8%_ = %-)4 +%∗ 
where %∗  was defined to be %83%_9 +%89%_3 +%89%_9  and %-)4 = %83%_3. Again, note that %∗ can have more than k bits after 
the binary point. Splitting the mantissas into High and Low on 
both sides, we can write the previous expression as %-)3 +%-)9 = m%-)4 n3 + m%-)4 n9 + %∗	3 + %∗	9 Eqn. (33) 
By Axiom 3, a Low term is always smaller than 2H , so m%-)4 n9 + %∗	9  is in the range [0,2 × 2H	.  We sub-divide this 
range into two sub-ranges for purposes of our analysis: 
Range 1:  0 ≤ m%-)4 n9 + %∗	9 < 2H 
Range 2:  2H ≤ m%-)4 n9 + %∗	9 < 2 × 2H 
In Range 1, the sum of m%-)4 n9 + %∗	9 does not cause a carry 
into the sum of the High terms m%-)4 n3 + %∗	3 in Eqn. (33). So: 
 13 
 
%-)3 = m%-)4 n3 + %∗	3%-)9 = m%-)4 n9 + %∗	9  Case I 
In Range 2, the sum of m%-)4 n9 + %∗	9 causes a carry into the 
sum of the High terms. So %-)3 = m%-)4 n3 + %∗	3 + 2H. And  %-)9 = %-) −%-3 = m%-)4 +%∗n − Xm%-)4 n3 + %∗	3 + 2H] = m%-)4 n9 + %∗	9 − 2H 
Thus, 
%-)3 = m%-)4 n3 + %∗	3 + 2H%-)9 = m%-)4 n9 + %∗	9 − 2H  Case II 
Step 2.a 
For the FPU, %-) = %- + 2-. So  %-) = %-)3 +%-)9 = %-3 +%-9 + 2- 
The only way in which %-)3 ≠ %-3  is if, after rounding, the 
carried one at the 23rd
 
bit propagates to the most significant k 
bits. For this to happen, the (k+1)th to the 23rd bits after the binary 
point in %-)9 must all equal 1. To produce the carried one, the bits 
after the 23rd bit of %-)  must be larger than 2R, so %-) rounds up 
to get %-. Thus, %-)3 ≠ %-3 when %-)9 > 0. {0"H{1"H{1" = 2H −2R. After rounding, all bits in %-9 must be zero because they all 
sum with the carried one. For purposes of analysis, we consider 
two ranges of values for %-)9: 
Range 1: 0 < %-)9 < 2H − 2R 
Range 2: 2H − 2R < %-)9 < 2H 	and	%-9 = 0 
In Range 1, %-3 is equivalent to %-)3 after rounding:  %-)3 = %-3%-)9 = %-9 + 2- Case III 
In Range 2, %-)  rounds up to %-3  and is 2H larger than %-)3 
after rounding: 
 %-)3 = %-3 − 2H%-)9 = %-9 + 2- + 2H= 2- + 2H  
Case IV 
Step 2.b 
For the checker, %-)4 = m%-)4 n3 + m%-)4 n9 = %-4 + 2- 
Notice there is no %-4 	9 term, because %-4  is produced by the 
checker and has only k bits after the binary point. For analysis, 
we consider two ranges of values for m%-)4 n9: 
Range 1: 0 ≤ m%-)4 n9 < 2H 
Range 2: 2H ≤ m%-)4 n9 < 2H 
In Range 1, Md4  rounds down to get Md4 .	%-4  equals m%-)4 n3after 
rounding. 
m%-)4 n3 = %-4m%-)4 n9 = 2-4  Case V 
In Range 2, Md4  rounds up to get Md4 . %-4  is 2H greater than m%-)4 n3after rounding.  
m%-)4 n3 = %-4 − 2Hm%-)4 n9 = 2-4 + 2H  Case VI 
Step 3 
We now have to consider all possible combinations of cases 
from Steps 1, 2.a, and 2.b.  Because there are two cases in each 
step, there are 23=8 theoretical combinations, but some 
combinations are impossible.  
 
• Case I-Case III-Case V: Plug in the equations for the high bits 
in Case III and Case V into Case I.  %-3 = %-4 + %∗	3 
Rearrange the equation to get:  %-3 −%-4 = %∗	3 < 4 × 2H 
 
• Case I-Case IV-Case V (impossible):  %-)9 = m%-)4 n9 + %∗	9 
from Case I. %-)9 is in the range (2H − 2R, 2H), and m%-)4 n9 
is in the range [0, 2H	. Then the boundary condition for %∗	9 is 2H − 2R < %∗	9 < 2H 
Since the upper bound is smaller than the lower bound, 
because k<24, there is no %∗	9 that satisfies the requirements 
of Case I-Case IV-Case V, i.e. the case does not exist. 
 
• Case I-Case III-Case VI: Plug Case III and Case VI into Case 
I: %-3 = %-4 + %∗	3 − 2H %-3 −%-4 = %∗	3 − 2H < 3 × 2H 
 
• Case I-Case IV-Case VI: Plug in Case Case IV and Case VI 
into Case I: %-3 − 2H = %-4 + %∗	3 − 2H %-3 −%-4 = %∗	3 < 4 × 2H 
 
• Case II-Case III-Case V (impossible): From Case II, m%-)4 n9 +%∗	9 = %-)9 + 2H . m%-)4 n9 + %∗	9  is in the range (2H , 2 ×2H − 2R), and m%-)4 n9  is in the range [0, 2H). Then the 
boundary condition of %∗	9 is 2H < %∗	9 < 1.5 × 2H − 2R 
which is invalid because %∗	9 < 2H. Therefore, Case II-
Case III-Case V is impossible.  
 
• Case II-Case III-Case VI: Plug Case III and Case VI into Case 
II: %-3 − 2H = %-4 + %∗	3 − 2H %-3 −%-4 = %∗	3 < 4 × 2H 
 
• Case II-Case III-Case V (impossible): m%-)4 n9 + %∗	9 = %-)9 +2H  from Case II. m%-)4 n9 + %∗	9  is in the range (2 × 2H −2R, 2 × 2H). m%-)4 n9 is in the range [0, 2H	. Then 2 × 2H − 2R < %∗	9 < 1.5 × 2H 
Because the upper bound is smaller than the lower bound, 
this case is impossible.  
 
• Case II-Case IV-Case VI (impossible): As in Case II-Case III-
Case V, +%∗	9  is in the range (2 × 2H − 2R, 2 × 2H ). m%-)4 n9 is in the range [2H, 2H	. Thus 1.5 × 2H − 2R < %∗	9 < 1.5 × 2H 
Because %∗	9 < 2H, this case is impossible.  
 
 14 
 
Conclusion Overall, %-3 −%-4 < 4 × 2H. Therefore <= = %-3 −%-4 	 × 2H in Section 5.1 is in [-1,3]. 
 
 
 
