Automatic Datapath Abstraction Of Pipelined Circuits by Vlad, Ciubotariu




presented to the University of Waterloo
in fulfilment of the




Waterloo, Ontario, Canada, 2011
c©Vlad Ciubotariu 2011
I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including
any required final revisions, as accepted by my examiners. I understand th t my thesis may be made
electronically available to the public.
ii
Abstract
Pipelined circuits operate as an assembly line that starts processing new instruct ons while older
ones continue execution. Control properties specify the correct behaviour of the pipeline with re-
spect to how it handles the concurrency between instructions. Control properties stand out as one
of the most challenging aspects of pipelined circuit verification. Their verificat on depends on the
datapath and memories, which in practice account for the largest part of the state space of the
circuit. To alleviate the state explosion problem, abstraction of memories and datapath becomes
mandatory. This thesis provides a methodology for an efficient abstractionof the datapath under all
possible control-visible behaviours. For verification of control properties, the abstracted datapath
is then substituted in place of the original one and the control circuitry is left unchanged. With
respect to control properties, the abstraction is shown conservative by both language containment
and simulation.
For verification of control properties, the pipeline datapath is represented by a network of registers,
unrestricted combinational datapath blocks and muxes. The values flowing through the datapath
are called parcels. The control is the state machine that steers the parcels though the network.
As parcels travel through the pipeline, they undergo transformations throug the datapath blocks.
The control-visible results of these transformations fan-out into control variables which in turn
influence the next stage the parcels are transferred to by the control. The semantics of the datapath
is formalized as a labelled transition system called a parcel automaton. Parcelautomata capture the
set of all control visible paths through the pipeline and are derived without t e need of reachability
analysis of the original pipeline. Datapath abstraction is defined using familiarconcepts such as
language containment or simulation. We have proved results that show that datapath abstraction
leads to pipeline abstraction.
Our approach has been incorporated into a practical algorithm that yieldsdirectly the abstract parcel
automaton, bypassing the construction of the concrete parcel automaton. The algorithm uses a SAT
solver to generate incrementally all possible control visible behaviours of the pipeline datapath. Our
largest case study is a 32-bit two-wide superscalar OpenRISC microproess r written in VHDL,
where it reduced the size of the implementation from 35k gates to 2k gates in lessthan 10 minutes
while using less than 52MB of memory.
iii
Acknowledgments
I am very grateful to my supervisor Mark Aaagaard without whose support and encouragements
this thesis would not have reached completion. Also, I am grateful for all the good friends I have




List of Figures viii
List of Tables xii
1 Introduction 1
1.1 Overview Of Background And Related Work . . . . . . . . . . . . . . . . . .. . 4
1.2 Approach And Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
1.3 Outline Of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Background And Related Work 7
2.1 Labeled Transition Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.1 Microprocessor Verification . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.2 Hazard-Based Verification Techniques . . . . . . . . . . . . . . . . . . .. 29
2.4.3 Datapath Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3 Pipeline Models 33
3.1 Pipeline Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2 Abstraction For Control Properties . . . . . . . . . . . . . . . . . . . . . . . .. . 46
3.2.1 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
v
3.2.2 Language Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.3 Abstract Interpretation Of Pipeline Datapath . . . . . . . . . . . . . . . . . . .. . 52
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4 Parcel Automata 56
4.1 Overview Of Abstraction Using Parcel Automata . . . . . . . . . . . . . . . . .. 57
4.2 Fan-Out Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
4.3 Parcel Steps InDiffAddMult . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.4 Parcel Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.5 Parcel Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.6 Abstractions Of Parcel Automata . . . . . . . . . . . . . . . . . . . . . . . . . . .88
4.7 Abstract Interpretation Using Parcel Automata . . . . . . . . . . . . . . . . .. . . 97
4.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5 Datapath Abstraction Framework 100
5.1 Parcel Independence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 100
5.2 Verification Of Parcel Independence . . . . . . . . . . . . . . . . . . . . .. . . . 103
5.3 Concrete Pipeline Models And Abstract Interpretation . . . . . . . . . . . .. . . . 106
5.3.1 Assumptions About Initial States . . . . . . . . . . . . . . . . . . . . . . 106
5.3.2 Fundamental Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.4 General Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 114
5.4.1 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.4.2 Language Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
6 Abstraction Of Parcel Automata 133
6.1 Path Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
6.2 Approximating The Induced Parcel Automaton . . . . . . . . . . . . . . . . . .. 146
vi
6.3 Parcel Steps In Propositional Logic . . . . . . . . . . . . . . . . . . . . . . .. . . 154
6.4 Path Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
6.5 Abstraction Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
6.6 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
6.6.1 Design For Verification UsingPipeNet . . . . . . . . . . . . . . . . . . . 178
6.6.2 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.6.3 Abstraction Of The OpenRisc Processor . . . . . . . . . . . . . . . . . . .183





1.1 Overview of abstraction methodology. . . . . . . . . . . . . . . . . . . . . . . .. 4
2.1 Commuting diagram for the simulation relationS. . . . . . . . . . . . . . . . . . . 8
2.2 Example showing language containment without simulation. . . . . . . . . . . . .10
2.3 Structure ofCTL∗ formulas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4 Adder circuit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5 Counter With Combinational Increment . . . . . . . . . . . . . . . . . . . . . . . 25
2.6 Counter With Registered Increment . . . . . . . . . . . . . . . . . . . . . . . . .26
3.1 Block Diagram ofDiffAddMult . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.2 DiffAddMultdata types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.3 Sub Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.4 Datapath Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.5 Neg Datapath Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.6 Add Datapath Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.7 Mult Datapath Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.8 Sequential Multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.9 B waits untilA finishes processing. . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.10 B stalls becauseA has higher priority. . . . . . . . . . . . . . . . . . . . . . . . . 42
3.11 Mux tree corresponding to the expression in Equation 3.1. . . . . . . . .. . . . . 44
3.12 Concrete Pipeline Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
viii
3.13 Abstract Pipeline Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
3.14 Commuting diagrams for the caseqPc(r) = 〈a, a〉. . . . . . . . . . . . . . . . . . 50
3.15 Commuting diagrams for the caseqPc(r) = 〈a, b〉 with a 6= b. . . . . . . . . . . . 51
3.16 Abstract Pipeline Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
3.17 Proof Of Language Containment. . . . . . . . . . . . . . . . . . . . . . . . . .. . 53
4.1 AndOr Block Diagram. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2 AndOr Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.3 AndOr Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.4 AndOr Parcel Automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.5 AndOr parcel automaton after one reduction step. . . . . . . . . . . . . . . . . . . 62
4.6 AndOr Abstract Parcel Automaton. . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.7 AndOr Abstract Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.8 AbstractAndOr Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.9 Fan-out Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
4.10 Mux tree for the expressionif b1 then v1 else if b2 then v2 else if b3 then v3 else v1. 68




P) ∈ RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69




P). . . . . . . . . . . . . . . . . . . . . 70




P) ∈ RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71




P). . . . . . . . . . . . . . . 71




P). . . . . . . . . . . . . . . . . . . . . 72




P) ∈ RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72




P). . . . . . . . . . . . . . . . . . . . . 73




P). . . . . . . . . . . . . . 74




P). . . . . . . . . . . . . . . . . . . 75




P) ∈ RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75




P). . . . . . . . . . . . . . . . . . . 76
ix




P). . . . . . . . . . . . . . 77




P) ∈ RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78




P). . . . . . . . . . . . . . . . . . . 78




P). . . . . . . . . . . . . . 79
4.26 Parcelp = { r1, r2 } can have up to 8 distinct fan-out graphs. . . . . . . . . . . . . 81
4.27 Parcel step for parcelpC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.28 Parcel automaton for parcelpA. . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.29 Parcel automaton for parcelpA (continuation). . . . . . . . . . . . . . . . . . . . 86




P). . . . . . . . . . . . . . . . . . . 86
4.31 Parcel automaton illustrating an unreachable parcel computation. . . . .. . . . . . 87
4.32 Parcel automaton showing inconsistent datapath behaviour. . . . . . .. . . . . . . 89
4.33 Abstract parcel automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 91
4.34 Abstract parcel automaton (continuation). . . . . . . . . . . . . . . . . . .. . . . 92
4.35 Abstract equivalent run corresponding topA. . . . . . . . . . . . . . . . . . . . . 96
4.36 Circuit equivalent toRSub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.1 Parcel map forDiffAddMult. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.2 AndOr example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3 AndOr example (simulation). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5.4 AndOr Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.5 Associated parcel automaton run. . . . . . . . . . . . . . . . . . . . . . . . . . 125
5.6 Construction in Theorem 5.4.8. . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
6.1 AndOr Parcel Automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
6.2 An abstractAndOr parcel automaton. . . . . . . . . . . . . . . . . . . . . . . . . 137
6.3 Pipeline models with unreachable datapath computations. . . . . . . . . . . . . .. 148
6.4 Pipeline model with stall and exclusive paths. . . . . . . . . . . . . . . . . . . .. 171
6.5 Partial representation ofpac 1 using symbolic values. . . . . . . . . . . . . . . . . 172
x
6.6 Partial representation ofpaa constructed by Algorithm 6.3. . . . . . . . . . . . . . 173
6.7 Pipeline stage template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
6.8 Combinational stage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.9 Sequential Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.10 Example of path formula forDiffAddMult. . . . . . . . . . . . . . . . . . . . . . . 182
6.11 DiffAddMultabstract parcel automaton. . . . . . . . . . . . . . . . . . . . . . . . 183
6.12 Abstract parcel automaton of edge-detector . . . . . . . . . . . . . . . .. . . . . 184
6.13 OpenRisc pipeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.14 OpenRisc abstract parcel automaton . . . . . . . . . . . . . . . . . . . . . .. . . 186
xi
List of Tables
3.1 Request variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 40
3.2 Accept variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
6.1 The path mapψ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138




Hardware and software systems have a pervasive presence in our day to day lives. From mass pro-
duced computer chips and embedded software in our computing devices andcars to systems that
control high speed trains, aeroplanes and nuclear plants, our well being and safety is increasingly
dependent on whether such systems behave as intended. The consequences of malfunctioning hard-
ware and software range from the nuisance of continuous operating system updates and firmware
for our computers and gadgets to mass recalls with high economic cost in the order of millions and
billions of dollars and catastrophic accidents that put human life at risk.
The traditional approach to validate hardware and software systems is testing. The testing paradigm
uses input vectors to check the input-output behaviour of the system or todrive the system through
execution scenarios which are checked against the expected behaviour. Black box testing or func-
tional testing checks the input-output behaviour of the system and is oblivious to its internal struc-
ture. White box testing uses the structural information about the system, sucha the control flow
graph of the program code, to craft input vectors that drive it through execution paths that visit
the structural elements such as lines of code or control-flow conditions. The success of testing is
measured using coverage metrics.
For medium to large systems the sheer multitude of possible input values makes anexhaustive ap-
proach intractable. Thus complete validation through testing is not achievableexcept for small scale
systems. Even when complete coverage is achieved it is not a certainty that all system behaviours
have been exercised, since coverage metrics are defined in terms of the structure of the system
while there can be exponentially more behaviours. Achieving reasonable coverage through testing
in modern day microprocessors takes enormous amounts of time. For instance, simulating a few
minutes of a 1GHZ microprocessor takes almost 6 months of simulation time on a largeclust r of
workstations [Bentley, 2001].
Formal methods [Clarke and Wing, 1996, Clarke and Kurshan, 1996, Dilland Rushby, 1996, Hall,
1
1990] stand for the collection of methods that apply mathematical reasoning to the proof of correct-
ness of hardware and software systems. The application of formal methods to a system is called
formal verification. Formal verification checks a given property holds ofall behaviours of the sys-
tem and is therefore exhaustive, providing a definitive answer to correctness. Formal verification has
been applied successful to a wide range of hardware and software systems [Bentley, 2001, Clarke
et al., 1995, McMillan, 2001, Dill et al., 1992]. In the real world, formal verification and testing co-
exist and techniques from formal verification have been used achieve better testing, creating hybrid
methodologies.
Due to the theoretical complexity of program verification, ranging from NP-hard to undecidable,
with formal verification comes the tradeoff between automation and capacity. In the wide spectrum
of formal methods we distinguish two categories of techniques. At one end whave deductive
methods that provide virtually unbounded capacity, being able to verify infinite systems, but are
also more likely to rely on the intervention of a knowledgeable user to guide the proof. At the
other end we have algorithmic methods that are highly automated but are not directly applicable to
large systems. The gap between the two types of formal methods is bridged using ab traction and
decomposition techniques.
In this thesis we are concerned with using abstraction to improve the capacity of one such automated
technique, called model checking, for the verification of pipelined circuits.In model checking, the
verified system is called a reactive system and the language in which the prop rties are described
is called temporal logic. To verify properties, model checking performs anexhaustive search of the
state space of the reactive system. The size of the state space is the major challenge that impedes the
direct use of model checking. The capacity problem incurred due to the state space factor is called
the state explosion problem. The state space explosion problem is mitigated usingab traction and
decomposition. Our research is concerned with abstraction in the applicationdomain of pipelined
circuits.
Pipelining uses the same principle as an assembly line that shifts products simultaneo sly from one
assembly stage to the next. A pipelined circuit divides the execution of instructions, also called
parcels, into stages. Upon entering the pipeline, the execution of an instruction happens incremen-
tally as it moves from one stage to the next, until it exits the pipeline. To achieve asimil r produc-
tivity increase to the assembly line, the pipeline overlaps the execution of instructions whereby each
execution stage holds a different instruction. Compared to a non-pipelinedcircuit that performs the
same operation, in an ideal linear pipeline that does not have instruction depe ncies, the execu-
tion time of individual instructions does not change. However the number ofinstructions processed
per unit of time increases proportionally to the length of the pipeline. The theoretical speedup of a
pipeline is not achieved in practice due to dependencies between instructions [Hartstein and Puzak,
2002].
2
A pipelined circuit consists of a network of stages through which the parcels flow, memories and
register files that store instructions and the data operated on, datapath elements that perform the
operation corresponding to each pipeline stage and control circuitry thatorchestrates the execution
of the instructions. The network of stages is linear but only in the simplest circuits. It may contain
branches and loops and the paths taken by instructions may be selected dynamically by the control
based on the current execution context. The concurrent execution ofnstructions leads to possible
race conditions which in pipeline circuits are called hazards.
There are three types of hazards. Data hazards arise due to data dependenci s when the operand of
one instruction, the consumer, is created by another, the producer. In such cases, the consumer waits
— it stalls — until the operand is ready. Structural hazards arise from resou ce contention when
multiple instructions need to transfer to the same next stage. Finally, control hazards happen due to
speculative execution. Instructions that were fetched after a control instruction that is mispredicted,
must be removed from the pipeline.
Because of the synchronization problems it solves, the control circuitry ishe main source of com-
plexity in the pipeline circuit and therefore, the most likely part of the design tocontain design
errors. The size of the controller is often within the verification capacity of model checking tech-
niques. What prevents its direct verification is the size of the memories and datapaths which con-
tribute the largest proportion to the state space of the circuit. Memories are easier to abstract, their
size reduces to what is needed to accommodate the read and write locations ofhe maximum number
of in-flight instructions. Datapaths are more challenging to abstract becaus they use the parcel’s
value to generate feedback signals to the control circuitry and thus affect the overall execution in
the pipeline.
In this thesis we present a novel datapath abstraction technique. The methodology is described
pictorially in Figure 1.1. At the core of our approach is the use of a mathematical representation,
called parcel automata, to describe the control-visible behaviour of the parc ls s they travel through
the pipeline. A parcel’s behaviour is defined by both the control signals it generates at each stage in
the pipeline and the path it takes through the pipeline. In our methodology datapath bstraction is
performed by abstracting the concrete parcel automata and then using the abs ract parcel automata
to define abstract datapaths that are then substituted in place of the concrete ones. The process of
replacing the concrete datapath by an abstract one is a form of abstractin erpretation. We show
that the conventional forms to define abstraction of automata, such as simulation and language
containment, carry over to abstract interpretation of the pipeline datapath using parcel automata.
Our contribution is threefold. First, we contribute a formal framework for datapath abstraction using
parcel automata. Within this framework we define pipeline models and parcel autom ta, abstraction
of parcel automata and prove correctness of pipeline abstraction using abstract parcel automata.










Figure 1.1: Overview of abstraction methodology.
explosion problem by the symbolic traversal of the concrete parcel automaton using a satisfiability
solver. And third, our approach is implemented in a prototype. The tool allowsits users to create
pipeline models by specifying the top level structure of interconnected pipeline stages. The datapath
and control are defined directly in VHDL and then referenced from the high-level model. Datapath
abstraction is then performed with the click of a button. As cases studies we used several designs,
spanning from simple 32-bit arithmetic pipelines to an edge detector circuit anda 32-bit superscalar
OpenRISC microprocessor.
1.1 Overview Of Background And Related Work
The most complex pipelined circuits appear in today’s microprocessors. Approaches to formal
verification of microprocessors include deductive methods using theoremp oving and automated
techniques using model checking or specialized decision procedures. With any such verification
technique one must specify the correctness criteria and then provide a sound verification strategy.
Often, the correctness statement specifies a relationship described usingconcepts from automata
theory. Simulation states that a relationship between the value of specification vriables in the
implementation states and the specification states is preserved after an execution step f the imple-
mentation and specification. Another way to define correctness is through lan uage containment.
In this definition, the sets of implementation traces are compared against the setof traces of the
4
specification. Formulating correctness statements for pipelined circuits is madech ll nging by the
fact that the implementation variables that correspond to the specification reflect changes by par-
tially executed instructions. The pipelined circuit executes multiple instructions inone step while
the specification is sequential and executes one instruction at a time.
A correctness framework that overcomes the challenges of aligning the implementation and spec-
ification states is called flushing [Burch and Dill, 1994]. In this approach, the implementation
state is run, without fetching new instructions into the pipeline, until all the instructions being cur-
rently executed complete. Verification techniques using flushing have beenperformed using both
deductive and automatic methods. In deductive approaches, the challenge of applying flushing is
identifying proof strategies to deal with the various optimizations of a microprocessor design such
as scoreboarding, execution units with variable latency and branch prediction [Sawada and Hunt,
1997, Hosabettu et al., 1998, Skakkebak et al., 1998]. Automatic techniques use efficient decision
procedures to prove a simulation relation based on flushing [Lahiri et al., 2002, Velev and Bryant,
2000, Manolios and Srinivasan, 2004].
In a hazard based approach [Aagaard, 2003] the top-level correctness is defined with respect to the
three types of pipeline hazards: data, structural and control. Hazard correctness is formulated in
terms of pipeline specific properties and thus are more straightforward to define. Most of these
properties target the control circuitry. The main impediment in the automatic verification of control
properties of pipelined circuits is the large contribution of datapath and memories t their overall
size.
Approaches to datapath abstraction vary in the degree of automation and precision and often per-
form a tradeoff. When a decision procedure is used, datapath abstraction is performed using unin-
terpreted functions. In model checking, datapath abstraction is done by reducing the bitwidth of the
operands. The equivalent of uninterpreted functions in this context is tosever the feedback signals
from datapath to control and replace the datapath implementation by wires [Ho et al., 1998]. How-
ever, imprecise abstractions pose the threat of false counterexamples: traces of the abstract circuit
that violate the property and do not have an equivalent trace in the concrete implementation. The
solution is to refine the abstraction in a refinement loop [Andraus et al., 2006] until the property
passes or a true counterexample is found.
1.2 Approach And Contributions
Our approach to datapath abstraction targets the verification of control properties. We exploit struc-
tural rules in the design of pipelined circuits to derive efficient and accurate abstractions. Our
approach is particularly useful for properties that specify the parcelflow through the pipeline and
are sensitive to the latency of the paths through the pipeline.
5
Our contribution is an abstraction technique that leverages a novel mathematical representation for
the pipeline datapath using a type of automata, called parcel automata. A parcel automaton is a
mathematical model for the execution of an instruction. Each state of the automaton represents a
parcel in a pipeline state. A transition denotes the transformation of the parcel by the datapath as it
moves to the next stage. The label of the transition indicates the control visibleeffects. A run of the
parcel automaton corresponds to a run of a single parcel through the pipeline.
Formalizing the datapath as an automaton presents the advantage of clean mathematical reasoning
about datapath abstraction. Simulation and language containment formalize thenotion of equivalent
parcels, parcels that have the same control visible behaviour as they movethr ugh the pipeline. We
prove in our framework that both simulation and language containment on parcel automata transfer
to pipeline abstraction using parcel automata. Our abstraction algorithm usesa symbolic method
based on SAT to simultaneously traverse all equivalent runs of the parcel automaton. The abstraction
of the pipeline datapath reduces to collapsing the equivalent runs of the concrete parcel automaton
into a run of the abstract parcel automaton. Datapath abstraction is represented as abstraction of
parcel automata and pipeline abstraction for control properties is performed as a form of abstract
interpretation using abstract datapaths derived from abstract parcelautomata.
We have implemented our methodology as part of a verification flow using a prototype tool called
Bluenose II. The tool reads the annotated model that describes the structure of the pipeline as a
network of interconnected stages. The descriptions of the stages reference the VHDL files that
implement the datapaths. Datapath abstraction using a SAT solver is performedby g nerating CNF
formulas from the netlists obtained by synthesis of the datapath files. From theabstract parcel
automaton the tool generates VHDL for the abstract datapaths which in turn define the abstract
pipeline circuit through abstract interpretation. The abstract circuit is then verified with a model
checker.
1.3 Outline Of Thesis
Chapter 2 introduces known concepts that we use throughout the thesis:labeled state machines,
circuits and model checking. It also discusses related work. Chapter 3 defines the model of pipelined
circuits. In Chapter 4 we present the definition of parcel automata, their abst action and use in
abstract interpretation of pipelined circuits. Chapter 5 describes parcelmaps and the correctness of
datapath abstraction using parcel automata. Chapter 6 defines path abstraction for parcel automata




Background And Related Work
In this chapter we describe several concepts that are used throughout the thesis: labeled transition
system, model checking and circuits. In Section 2.4 we present related work.
2.1 Labeled Transition Systems
2.1.1 Definition(Labeled Transition System). A labeled transition system is a tupleM = 〈Q ,R,T , I 〉:
• Q denotes the set of states
• T is the set of transition labels
• R ⊆ Q × T × Q is the transition relation
• I ⊆ Q is the set of initial states
The languageL(M) of a labeled transitionM is the set of infinite runs represented by functions of
form run : N → Q × T such thatrun k = (qk, tk) andq0 ∈ I ∧ ∀ k. (qk, tk, qk+1) ∈ R.
Consider two labeled transition systemsM1 = 〈Q1,R1,T1, I1〉 andM2 = 〈Q2,R2,T2, I2〉. In
order to formulate criteria of abstraction, we need to compare states and transition labels of the two
transition systems. In general they may belong to disjoint sets and thereforemay not be directly
comparable. Instead of direct equality, for states we use the labeling functions labQ1 : Q1 → LQ
and labQ2 : Q2 → LQ with the same codomainLQ, and, respectively, for transitions uselabT 1 :
T1 → LT andlabT 2 : T2 → LT, sharing the codomainLT.













Figure 2.1: Commuting diagram for the simulation relationS.
2.1.2 Definition (Simulation). A simulation relation betweenM1 andM2 is a relationS ⊆ Q1 ×
Q2 that satisfies the following conditions:
1. S is compatible with the state labeling.
∀ q1 ∈ Q1. ∀ q2 ∈ Q2. (q1, q2) ∈ S =⇒ labQ1 q1 = labQ2 q2
2. S is total over the initial states ofM1.
∀ q1 ∈ I1. ∃ q2 ∈ I2. (q1, q2) ∈ S
3. S is invariant under the transition relations.
∀ q1 ∈ Q1. ∀ t1 ∈ T1. ∀ q
′
1 ∈ Q1.
∀ q2 ∈ Q2.
(q1, q2) ∈ S ∧ (q1, t1, q
′
1) ∈ R1 =⇒
∃ t2 ∈ T2. ∃ q
′
2 ∈ Q2. labT 1 t1 = labT 2 t2 ∧ (q2, t2, q
′






Pictorially, Equation 2.1 is described in Figure 2.1. We say thatM2 simulatesM1 if there exists a
simulation relationS ⊆ Q1 × Q2.
The other way to state abstraction is through language containment. Language containment between
M1 andM2 holds if for everyrun1 ∈ L(M1) there exists an equivalent runrun2 ∈ L(M2):
∀ run1 ∈ L(M1). ∃ run2 ∈ L(M2).
∀ k ∈ N. labQ1 q
k
1 = labQ2 q
k
2 ∧ labT 1 t
k




2.1.3 Proposition. Simulation implies language containment.
Proof. LetS be a simulation relation betweenM1 andM2. Considerrun1 ∈ L(M1). We construct
8










2 ) ∈ S and for allk ≤ n− 1
labQ1 q
k












2 ) ∈ R2 (2.5)
If q02 ∈ I2 and Equation 2.5 holds fork ∈ N then the functionrun2 : N → Q2 × T2 defined by




2) is a run ofM2 equivalent torun1.





Inductive Casen > 0 By induction we have that(qn−11 , q
n−1
2 ) ∈ S. Therefore, there existt
n−1
2 ∈























The converse of Proposition 2.1.3 is not necessarily true as shown by theexample in Figure 2.2. For
each of the two possible runs ofM1 there exists an equivalent run ofM2. However, there is no state















state label transition label
q10 a1 t10 a2
q11 b1 t11 a3
q12 c1 t12 b2
t13 c2
Fig. 2.2b.Labeling ofM1.
state label transition label
q20 a1 t20 a2
q21 b1 t21 b2
q22 a1 t22 a3
q23 c1 t23 c2
Fig. 2.2c.Labeling ofM2.
Figure 2.2: Example showing language containment without simulation.
10
2.2 Model Checking
Traditional approaches to verification use deductive methods and focusmainly on the proof of cor-
rectness of sequential systems [Hoare, 1969, Lamport, 1980]. Such techniques rely on precondition
and postcondition properties of smaller programs to derive correctness properties of larger pro-
grams. Model checking uses temporal logic [Pnueli, 1977, Clarke et al., 1986] to specify properties
about systems that run on an ongoing basis and automated techniques to verify such properties.
There are two main approaches in model checking. In the automata theoretic approach [Vardi,
1996], the temporal specification is converted to an automaton, negated andthen intersected with
the automaton for the implementation. The property holds if the language of the intersection is
empty. In the algorithmic approach, the specification is verified directly by graph traversal on the
automaton that represents the implementation. The implementation automaton can be repres nt d
either explicitly by storing its states in memory or symbolically using Boolean functions hat repre-
sent their corresponding characteristic function. The latter form is calledsymbolic model checking
[Burch et al., 1992] and the Boolean functions are represented compactly using binary decision
diagrams [Bryant, 1986].
We present a temporal logic calledCTL∗ [Clarke et al., 1986]. The semantics of the logic is
described in terms of a state machine that represents the implementation, called a Kripke structure.
A Kripke structure is a tupleM = 〈Q ,R, I ,AP , L〉 where〈Q ,R, I 〉 represents the state machine







Figure 2.3: Structure ofCTL∗ formulas.
The structure ofCTL∗ formulas is described in Figure 2.3.CTL∗ has two types of temporal
formulas. Atomic formulas are those in the setAP . Any atomic formula is also a state formula,
11
and any state formula is also a path formula, verified on the first state of the pa. Complex path
formulas are constructed using path operators. The application of a path quantifier to a path formula
yields a state formula. The syntax of formulas is defined inductively as follows:
Atomic Formulas If p ∈ AP is a proposition thenp is an atomic formula.
State Formulas
• Any atomic formula is also a state formula.
• If f is a path formula thenE f andA f are state formulas.
Path Formulas
• Any state formula is also a path formula.
• If f is a path formula thenX f , G f , F f are paths formulas.
• If f andg are path formulas thenf U g is a path formula.
E andA are called path quantifiers.E f holds in a state if there exists a path from the state that
satisfiesf . Similarly,A f holds in a state, if for all paths from the statef holds. The formulaX f
is true of a path if holds on the path starting in the next state.G f holds whenf holds on all
suffixes of the path, i.e. holds globally. Similarly,F f holds if there exists a suffix that satisfiesf ,
i.e. f holds in the future. The formulaf U g states thatf must hold continously on all suffixes of
the path up to, but not necessarily including, the suffix whereg holds.
The transition relation of a Kripke structure is required to be total, i.e. for anystateq there exists a
stateq′ such that(q, q′) ∈ R. If π is an infinite path(q0, q1, . . .) we denote the suffix that starts at
positionk by πk = (qk, qk+1, . . .). Satisfiability ofCTL∗ formulas is defined as follows:
Atomic Formulas
q |= p ≡ p ∈ L(q)
State Formulas
q |= E f ≡ ∃ π = (q0, q1, . . .). q = q0 ∧ π |= f
q |= A f ≡ ∀ π = (q0, q1, . . .). q = q0 =⇒ π |= f
Path Formulas
π |= X f ≡ π1 |= f
π |= G f ≡ ∀ k. πk |= f
π |= F f ≡ ∃ k ∈ N. πk |= f
π |= f U g ≡ ∃ k. πk |= g ∧ ∀ l < k. πl |= f
12
There are two subsets ofCTL∗ that are used in practice.LTL is the subset that consists of formulas
of form A f wheref is a path formula that does not contain path quantifiers. The other subset is
CTL which allows only for formulas in which the occurrence of a path operator isp eceded by a
path quantifier. TheCTL temporal operators becomeEX, EG, EF, EU and respectivelyAX,
AG, AF, AU.
ACTL∗ is a subset ofCTL∗ that does not include existential quantifiers. The temporal proper-
ties ofACTL∗ are preserved by simulation. SinceLTL is a subset ofACTL∗, simulation also
preservesLTL properties. In addition,LTL is also preserved by language containment.
2.3 Circuits
In this section we formalize a language for describing circuits. The syntax and semantics of the
language are similar to the ones provided by model checkers such as NuSMV [Cimatti et al., 2002].
Circuits are defined using a language for bitvector expressions and theirsemantics is given using
labeled transition systems.
A name is a string of characters that begins with a letter or underscore and then continues with zero
or more letters, underscore or digits. An identifier is a sequence of one ormore names separated by
a ‘.’. Primed identifiers, identifiers followed by the prime symbol ‘′’, are used to denote next-state
variables.
2.3.1 Definition(Identifier). The setId of identifiers is defined inductively as follows:
• Any name is an identifier.
• If id1 andid2 are identifiers thenid1 . id2 is also an identifier.
Priming an identifier adds the prime symbol to the identifer. The set of primed identifiers is denoted
by Id′. If id ∈ Id thenid ′ ∈ Id′ denotes its primed version. IfV is a set of identifiers,V ′ denotes
the set{ id ′ | id ∈ V }.
LetB denote the set{ 0, 1 }. Bitvector constants are finite words over the alphabetB.
2.3.2 Definition (Bitvector Constant). For n ≥ 1, let Bn denote the set of bitvector constants of
sizen. The set of all bitvectors
⋃
n≥1
Bn is denoted byB+. Given a bitvector constantw ∈ Bn and
i ≤ n, w(i) denotes thei-th bit ofw.
Variables are identifiers with a type. The type of a variable is the setBn, for somen ≥ 1.
13
2.3.3 Definition (Variables). V ⊆ Id is called a set of variables if it is associated with a type
functionTy
Ty : V → {Bn }n≥1
Tyis extended overV ′ ⊆ Id′: Ty(v′) = Ty(v). Primed variables refer to next-state variables. If
v is a current state variable,v′ denotes its next-state version. Similarly, ifv′ ∈ V ′ is a next-state
variable,v denotes its current-state version.
2.3.4 Definition(Environment). An environment over the set of variablesV is a function
e : V → B+
that assigns each variable a value of its type:
∀ v ∈ V. e(v) ∈ Ty(v)
If V1 andV2 are disjoint sets of variables ande1 and e2 are environments defined overV1 and
respectively,V2, their unione1 ∪ e2 is the environment overV1 ∪ V2 defined by




e1(v) : v ∈ V1
e2(v) : v ∈ V2
Let V ⊆ Id and lete be an environment overV . The environmente′ over V ′ is defined by
e′(v′) = e(v).
Consider a set of variablesV1. We sayV2 is a copy ofV1 if there exists a bijective functionφ :
V1 → V2 such that
∀ v ∈ V1. Ty(v) = Ty(φ(v))




the environmente2 ∈ Env(V2)
such that:
∀ v ∈ V2. e2(v) = e1(φ
−1(v))
2.3.5 Definition(Bitvector Expression). Let V ⊆ Id be a set of variables andTy be the associated
type function. Bitvectors are typed expressions over constants inB+ and variables inV . We say
that the bitvectort has typeBn using the typing expressiont : Bn. If t : B we sayt is single-bit.
Base Case
• If v ∈ V is a variable such thatTy(v) = Bn, thenv is a bitvector expression of type
Bn.
• If w ∈ Bn is a constant, thenw is a bitvector of typeBn.
14
Inductive Case Bitvector expressions are constructed using a set of operators. For such an operator
op, a type rule is used to denote the type requirements on its operands and the type of its
application:
t1 : B
n1 , . . . , tk : B
nk
op(t1, . . ., tk) : Bn
If t is a bitvector expression thenvars(t) stands for the set of variables that appear syntactically in
t. Similarly, consts(t) denotes the set of constantsw ∈ B+ that appear syntactically int.
Variables are assigned values by an environmente overV . The semantics of a constantw : Bn
is [[w]]e = w. The semantics of a variablev : B
n is [[v]]e = e(v). The semantics of a bitvector











Semantics [[w]]e = w
Variable
Type Rule
v ∈ V, Ty(v) = Bn
v : Bn
Semantics [[v ]]e = e(v)
Bitwise Operators The bitvector operatorop ∈ {not, and, or, xor, . . . } is defined using the
corresponding Boolean operatorop2 ∈ {not2, and2, or2, xor2, . . . }.
Type Rule
t1 : B
n, t2 : B
n
t1 op t2 : Bn
Semantics [[t1 op t2]]e (i) = [[t1]]e (i) op2 [[t2]]e (i), i = 0, n− 1
Bitwise negation requires only one argument and we present it separately.
Type Rule
t : Bn
not t : Bn




, i = 0, n− 1
Subrange Let 0 ≤ l ≤ m. The subrange operator[l : m] extracts the sequence of bitsl, l + 1, . . .
m.
Type Rule
t : Bn, m ≤ n
t[l : m] : Bm−l+1
Semantics [[t[l : m]]]e (i) = [[t]]e (i+ l), i = 0, m− l
15
Concatenation The concatenation operator:: appends the second argument to the first one.
Type Rule
t1 : B
n1 , t2 : B
n2
t1 :: t2 : Bn1+n2




[[t1]]e (i) : i < n1
[[t2]]e (i− n1) : i ≥ n1
, i = 0, n1 + n2 − 1
Equality The equality operator= compares its operands for equality.
Type Rule
t1 : B
n, t2 : B
n
t1 = t2 : B




0 : if [[t1]]e not equals[[t2]]e
1 : if [[t1]]e equals[[t2]]e
Assignment The assignment operator:= is a special case of equality when the left operand is a
variable.
Type Rule
v : Bn, t : Bn
v := t : B




0 : if e(v) not equals[[t]]e
1 : if e(v) equals[[t]]e
Nondeterministic Assignment It is a special case of assignment when the right hand side of the
assignment is the expressionchoice.
Type Rule
v : Bn
v := choice : B
Semantics [[v := choice]]e = 1
If-then-else The operatorif-then-elseinterprets its first operand as a Boolean and selects between
the second and third arguments accordingly.
Type Rule
t1 : B, t2 : B
n, t3 : B
n
if t1 then t2 else t3 : Bn




[[t2]]e : if [[t1]]e equals1
[[t3]]e : if [[t1]]e equals0
Arithmetic Operators We allow bitvector expressions using the standard arithmetic operatorsop
in the set{+, −, ∗, . . . }. The semantics of arithmetic operations uses two functions that
convert bitvectors to integers and conversely, integers to bitvectors:integer : B+ → Z and
repr : Z × N → B+ such that ifw : Bn then
repr(integer(w), n) = w
16
The exact definition ofintegerand repr depends on whether bitvector arguments are inter-
preted as signed or unsigned. For the signed case, two’s complement is a suitable represen-
tation. For unsigned operations we use the binary representation of positive integers. The
choice of these encodings and the semantics of overflowing operations does not influence
upon the remaining work.
Type Rule
t1 : B
n, t2 : B
n
t1 op t2 : Bn
Semantics [[t1 op t2]]e = repr
(
integer([[t1]]e) op integer([[t2]]e), n
)
Relational Operators Bitvectors can be compared using the integer relational operatorsop in the
set{<, ≤, ≥, > }.
Type Rule
t1 : B
n, t2 : B
n
t1 op t2 : Bn




0 : if integer([[t1]]e) op integer([[t2]]e)
1 : if not integer([[t1]]e) op integer([[t2]]e)


















Examples of bitvector expression and their semantics is given below:
expression [[·]]e
v4 1011
v1 :: v3 1011
v4 xor (v1 :: v3) 0000
notv4 0100
(v1 :: v3)[1 : 3] 011
(v1 :: v3)[1 : 3] = v3 1
v3 := 111 0
not(v1 :: v3)[1 : 3] = v3) 0
if not((v1 :: v3)[1 : 3] = v3) then v4 else notv4 0100
v2 + 01 11
v4 ≤ 1100 1
Formulas overV are defined inductively: basic formulas are single-bit bitvectors and complex
formulas are formed from simple ones using Boolean connectives. Semantically formulas identify
with a subset of the single-bit bitvectors.
2.3.7 Definition(Formula).
Syntax
• If t : B is a single-bit bitvector thent is a formula.
• If f , f1, f2 are formulas then¬f , f1 ∧ f2, f1 ∨ f2 are formulas.
Semantics The truth value of a formulaf under a given environmente that valuates its variables
is defined by induction over its structure. Iff is true ine, we writee |= f . We define|= as
follows:
• If f is the Boolean bitvectort then
e |= f if [[t]]e = 1
• If f has form¬f1, f1 ∧ f2, f1 ∨ f2 then
e |= ¬f1 if e 6|= f1
e |= f1 ∧ f2 if |= f1 ande |= f2
e |= f1 ∨ f2 if e |= f1 or e |= f2
18
2.3.8 Definition(Circuit). A circuit is a tuple
C = 〈Vr ,Vc ,Ty,Vi ,Vo , Insts, Init,Tr〉
• Vr andVc are disjoint sets of identifiers.Vr denotes the set of register variables (also called
state variables or current-state variables).Vc denotes the combinational variables.Vr ′ de-
notes the next-state variables.
• Ty : Vr ∪ Vc → {Bn }n≥1 is the type function.
• Vi andVo are disjoint subsets ofVr ∪ Vc and represent the input and respectively, output
variables.
• Input variables are required to be combinational:Vi ⊆ Vc .
• Instsis a set of circuit instances.
• Init is a set of assignments to current state variables.
• Tr is a set of assignments to combinational and next-state variables and containsex ctly
one assignment of formv := t, wheret is defined over variables inVr ∪ Vc , for each
v ∈ Vr ′ ∪ Vc .
Circuits are defined inductively:
Base caseInsts= ∅
Inductive case Insts= { inst1, . . . , instn }
2.3.9 Definition(Circuit Instance). A circuit instance is a tupleinst = 〈id,C, InputArg,OutputArg〉
where:
• id is an identifier
• C is a circuit
• InputArg is a set of bitvector expressions in bijection withC .Vi and denotes the input argu-
ments
• OutputArgis a set of combinational or next-state variables of the enclosing circuit, in bijection
with C .Vo and denotes the output arguments
19
The instanceinst stands for a copyφinst .id(C ) of C with variables and instance names renamed by
the mappingφinst .id : Id ∪ Id′ → Id ∪ Id′ defined by
φinst .id(id) = id . id
The mappingφinst .id naturally extends to bitvector expressions, to formulas, to sets of such objects
and to functions over such sets. Given a bitvectort, φinst .id(t) is obtained by substituting each
occurrence of a variablev in t by φinst .id(v). Renaming preserves the variable types:
φinst .id(Ty)(φinst .id(v)) = Ty(v)
Instancesinst i = 〈id i,Ci, InputArg i,OutputArg i〉 of C are renamed to
φinst .id(inst i) = 〈φinst .id(id i),Ci, φinst .id(InputArg i), φinst .id(OutputArgvi)〉
Let inst be an instance of a circuitC . Let v ∈ inst .C .Vi ∪ inst .C .Vo . We defineArg(C , inst .v)
to be the actual argument toinst .v in C . When the context is clear, we only writeArg(v).
LetC be a circuit and letC .Insts= { inst1, . . . , instn }. We use the notation
Labels(C .Insts) = { inst1.id, . . . , instn.id }
If id ∈ LabelsC .InststhenC .Insts[id ] denotesinst ∈ C .Instssuch thatinst .id = id .
In the next example we introduce syntactic sugar to represent circuits textually.
2.3.10 Example.In Figure 2.4 we describe a 1-bit adder implemented using two half-adders.Lines
1–5 describe the HalfAdder circuit:
Vr = ∅
Vc = { a, b, sum, cout }
Vi = { a, b }
Vo = { sum, cout }
Insts = ∅
Init = ∅
Tr = { sum := a xor b, cout := a and b }
Lines 6–14 describe the Adder circuit:
Vr = ∅
20
1 ckt HalfAdder(a, b : bitvec[1])(sum, cout : bitvec[1])
2 assign
3 sum := a xor b;
4 cout := a and b;
5 end
7 ckt Adder (a, b, cin : bitvec[1])(sum, cout : bitvec[1])
8 var
9 sum1, cout1, cout2 : bitvec[1];
10 inst
11 ha1 : HalfAdder(a, b)(sum1, cout1)
12 ha2 : HalfAdder(sum1, cin)(sum, cout2)
13 assign
14 cout := cout1 or cout2;
15 end
Figure 2.4: Adder circuit.
Vc = { a, b, cin, sum, cout , sum1, cout1, cout2 }
Vi = { a, b, cin }
Vo = { sum, cout }
Insts = { 〈ha1,HalfAdder, { a, b }, { sum1, cout1 }〉,
〈ha2,HalfAdder, { sum1, cin }, { sum, cout2 }〉}
Init = ∅
Tr = { cout := cout1 or cout2 }
2.3.11 Definition(Variable Dependency Graph). Let C = 〈Vr ,Vc ,Ty,Vi ,Vo , Insts, Init,Tr〉. The
variable dependency graph is a digraphVarDepGraph(C ) = 〈Nodes,Succ〉:
Nodes ≡ Vr ∪ Vc ∪ Vr ′
Succ ≡ { (v1, v2) | ∃ t ∈ Expr(Vr ∪ Vc ∪ B+). v2 := t ∈ Tr ∧ v1 ∈ vars(t) } ∪ Succinsts
The setSuccinsts is defined inductively. We writev1 var v2 to denote thatv1 andv2 are in the
transitive closure ofSucc.






{ (v1, v2) | ∃ vi ∈ inst .C .Vi .
∃ vo ∈ inst .C .Vo .
∃ t ∈ Expr(Vr ∪ Vc ∪ B+).
vi var vo ∧
t = Arg(vi) ∧
v2 = Arg(vo) ∧
v1 ∈ vars(t) }
In order to simplify the analysis of circuits we require that all circuits have cycle free variable
dependency graphs.
2.3.12 Definition(Circuit Elaboration). Circuit elaboration gives a precise semantics to circuit in-
stantiation. The elaboration of a circuitC , denoted by byElab(C ), is a circuit that has no instances:
Elab(C ).Insts= ∅
Elab(C ) is defined by induction over the structure ofC .
• If C .Insts= ∅ then
Elab(C ) = C
• If C .Insts= { 〈id1,C1, InputArg1,OutputArg1〉, . . . , (〈idn,Cn, InputArgn,OutputArgn〉 }
then





















Elab(C ).Vi = C .Vi
Elab(C ).Vo = C .Vo





































Equation 2.6 explains why input variables and the arguments of output variables must be com-
binational: the semantics of input and output arguments to circuit intances is given by variable
assigment, and variable assignment is allowed only to combinational or next-state variables.
2.3.13 Example.We elaborate the adder circuit introduced in Example 2.3.10. The adder hastwo
instancesha1 andha2 of the HalfAdder circuit. The two instances are renamed. By applyingφha1
to HalfAdder we get:
φha1(HalfAdder).Vr = ∅
φha1(HalfAdder).Vc = { ha1.a, ha1.b, ha1.sum, ha1.cout }
φha1(HalfAdder).Vi = { ha1.a, ha1.b }
φha1(HalfAdder).Vo = { ha1.sum, ha1.cout }
φha1(HalfAdder).Insts = ∅
φha1(HalfAdder).Init = ∅
φha1(HalfAdder).Tr = { ha1.sum := ha1.a xor ha1.b, ha1.cout := ha1.a and ha1.b }
Similarly, applyingφha2 to HalfAdder yields:
φha2(HalfAdder).Vr = ∅
φha2(HalfAdder).Vc = { ha2.a, ha2.b, ha2.sum, ha2.cout }
φha2(HalfAdder).Vi = { ha2.a, ha2.b }
φha2(HalfAdder).Vo = { ha2.sum, ha2.cout }
φha2(HalfAdder).Insts = ∅
φha2(HalfAdder).Init = ∅
φha2(HalfAdder).Tr = { ha2.sum := ha2.a xor ha2.b, ha2.cout := ha2.a and ha2.b }




We proceed to the elaboration of the Adder:
Elab(Adder).Vr = ∅
Elab(Adder).Vc = { a, b, cin, sum, cout , sum1, cout1, cout2 } ∪
{ ha1.a, ha1.b, ha1.sum, ha1.cout } ∪
{ ha2.a, ha2.b, ha2.sum, ha2.cout }
Elab(Adder).Vi = { a, b, cin }
Elab(Adder).Vo = { sum, cout }
Elab(Adder).Insts = ∅
Elab(Adder).Init = ∅
Elab(Adder).Tr = { cout := cout1 or cout2 } ∪
{ ha1.sum := ha1.a xor ha1.b, ha1.cout := ha1.a and ha1.b } ∪
{ ha2.sum := ha2.a xor ha2.b, ha2.cout := ha2.a and ha2.b }





2.3.14 Definition(Circuit Semantics). The semantics of a circuitC is given as a labeled transition
system
LTS(C ) = 〈QC,RC,TC, IC〉
• The set of statesQC is the set of environments overElab(C ).Vr .
• The set of transition labelsTC is the set of environments overElab(C ).Vc .
• The transition relationRC ⊆ QC × TC × QC is defined by the assignmentsElab(C ).Tr:
(qC, tC, qC





) |= formula(Elab(C ).Tr)
• The set of intial states is defined by the assignmentsElab(C ).Init:
qC ∈ IC ≡ qC |= formula(Elab(C ).Init)
2.3.15 Example.Figure 2.5 and Figure 2.6 describe two two-bit counters. Each figure shows the
circuit description and the corresponding labeled transition system definein Definition 2.3.14.
Both circuits have a register variable for the counter value; they differ withrespect to the increment.
24
1 ckt counter(inc : bool)(count : bitvec[2])
2 assign






inc = 0inc = 0inc = 1 inc = 1
count = 10 count = 01
count = 11 count = 10
Figure 2.5: Counter With Combinational Increment
In one the increment is a combinational input and in the other it is a register. The two counters
have the same language with respect to the value of the counter variable. However they are not
bisimilar: the counter with combinational increment simulates the one with registeredincrement,
but not viceversa.
2.3.16 Proposition.Let C be a circuit such that all its instances are combinational. LetqC ∈ QC,
qC
′ ∈ QC andtC ∈ Env(Vc). If the following conditions hold:





)(v) = [[expr ]]qC∪qC (2.7)
∀ inst ∈ Insts. ∃ (qI , tI , qI ′) ∈ LTS(inst .C ).RC.
∀ v ∈ inst .C .Vi ∪ inst .C .Vo . tI(v) = tC(Arg(v))
(2.8)
then there existstC1 ∈ TC such thatC ⊆ tC1 and(qC, tC1, qC′) is a step ofLTS(C ), i.e.(qC, tC1, tC′) ∈
RC.
25
6 ckt counter(inci : bool)(count : bitvec[2])
7 var
8 inc : bool;
9 assign
10 count ′ := if inc then count + 1 elsecount ;































Figure 2.6: Counter With Registered Increment
Proof. We definetC1 as follows:
∀ inst i ∈ Insts. ∀ v ∈ (Elab(inst i.C )).Vc .
tC1(id i.v) = tIi(v)




) satisfies all the assignments inElab(C ) since the restric-
tion of tC1 to the variables of each elaborated instance equals the transition label of theinstance.
26
2.4 Related Work
Pipelining is a prevalent technique to improve the throughput of hardware circuits. The most ad-
vanced use of pipelining occurs in microprocessors circuits. Formal verification and other validation
techniques that target microprocessors will therefore deal implicitly or explicitly with the challenges
of pipelining. We catalog the well known approaches to microprocessor verification in Section 2.4.1.
We describe pipeline specific approaches in Section 2.4.2. The current body of work on datapath
abstraction is summarized in Section 2.4.3.
2.4.1 Microprocessor Verification
The challenges of microprocessor verfication manifest at two main levels: specification and the state
explosion problem. First, a verfication technique must formulate correctness of the implementation
with respect to a reference specification. Second, such a methodology must address the state explo-
sion problem by casting the correctness problem in a logic with an efficient decision procedure or
decomposition and abstraction techniques.
In the case of microprocessors, the specification is readily available in the form of the instruction
set architecture. At this level, the specification is often thought of as a circuit that executes one
instruction at a time. Each type of instruction is described in terms of the side effects it performs
on the specification state which consists of the programmer visible state holding eements such as
the program counter, register file and memory. A pipelined microprocessoroverlaps the execution
of several instructions at a time and updates to its state holding elements are perfo med by multiple
instructions in various stages of execution.
One of the well accepted correctness criteria is Milner’s simulation [Milner, 1971]. The challenge
in applying simulation as a correctness statement for microprocessors is to align the specification
state with the implementation state. Microprocessor designs usually allow for an execution mode
called flushing that continues the execution of inflight instructions but prevents new ones from being
fetched and entering the pipeline. Burch and Dill [1994] were the first to use fl shing to formulate
a correctness criterion. Their method uses an abstraction function that flushes the implementation
state and then projects out the programmer visibile state: the program counter, register file and
memory. The abstraction function reduces to projectio when the pipeline is in thebeginning and end
state of a computation. Proving the commuting diagram in Milner’s simulation implies correctness
with respect to the programmer visible state.
Burch and Dill model the pipeline datapath using uninterpreted functions andreduce the verification
of the commuting diagram to a decision problem in a restricted logic with uninterpred functions
and positive equality. The scalability of the approach is limited by the capacity ofthe decision
27
procedure and therefore by the size of the terms that describe the commutingdiagram. The terms
that describe flushing increase proportionally to the number of cycles needed to flush the imple-
mentation. For simple linear pipelines, this corresponds to the number of inflightinstructions. For
complex pipelines with out-of-order execution and variable instruction latencies, flushing becomes
more expensive.
Velev and Bryant [Velev and Bryant, 2000, Velev, 2001] extend the capa ity of the Burch-Dill
flushing technique with customized rewrite rules that target the various typesof logic subterms
encountered in flushing the implementation. They also migrate the underlying decision procedure
to a SAT based implementation [Velev and Bryant, 2003]. A similar approach to the verification of
an XScale microprocessor has been applied in Srinivasan and Velev [2003].
Another way to improve flushing is through compositional verification [Levitt and Olukotun, 1997,
Skakkebak et al., 1998, Hosabettu et al., 1998]. The method of completion functions of Hosabettu
et al. decomposes the commuting diagram based on flushing into several commuting diagrams
each dealing with a particular stage of the pipeline. The proof of the diagramfor a particular stage
assumes the correctness of the downstream stages. For a linear pipeline of le gthn, there aren
commuting diagrams. For more complex pipelines, the method suffers from a combinatorial explo-
sion in the number of possible paths through the pipeline. Initially proposed in atheorem prover
setting, the modularity of completion functions was leveraged using an off-the-shelf equivalence
checker on several RTL design [Aagaard et al., 2004]. Equivalence checking techniques were also
used by Appenzeller and Kuehlmann [1995] to verify a PowerPC microprocessor and by Bhagwati
and Devadas [1994] to verify a reduced Alpha design.
The logic of positive equality of Burch and Dill was extended in the UCLID verifier [Lahiri et al.,
2002]. The decision procedure was implemented by translation to SAT. The translation does how-
ever suffer from false negatives and requires manual effort to debug the counterexamples. Proofs
done in UCLID are inductive and in most cases benefit from user generated invariants. Other ap-
proaches to microprocessor verification that use UCLID include that of Manolios and Srinivasan
[2004], Andraus and Sakallah [2004].
General theories for conducting microprocessor correctness proofs in a theorem proving setting have
been presented [Windley, 1995, Huggins and Campenhout, 1998]. Millerand Srivas [1995] describe
using the PVS theorem prover to prove a commuting diagram based correctness statement for an
industrial CISC microprocessor. The effort put in the complete verification was over 3000 hours.
Sawada and Hunt [1997] use the ACL2 theorem prover [Kaufmann andMoore, 1997] to verify an
out-of-order microprocessor with dynamic resolution of data hazards. The toplevel correctness is
stated using flushing. The decomposition of the proof is based enhancing the execution trace of the
microprocessor with a table of history variables called MAETT. The MAETT facilitates the proof
of invariants.
28
There are also approaches that use a mix of theorem proving for proofdec mposition and model
checking for the verification of the control. McMillan [1998] extends the SMV model checker
[McMillan, 1992] with support for compositional reasoning and assume-guarantee style proofs. His
approach leverages symmetric data types [Norris IP and Dill, 1996]. A mix ofthe rem proving and
model checking with uninterpreted functions is also used by Berezin et al. [1998], Jacobi [2002].
2.4.2 Hazard-Based Verification Techniques
Validation methods that use pipeline hazards fall into several categories: poperty specification and
correctness statements, decomposition and abstraction, and automatic test pattern generation.
Aagaard [2003] describes a correctness statement that refers at thetoplevel only to the three types of
hazard correctness: datapath, control and structural. Aagaard shows t at hazard correctness implies
the widely accepted Burch-Dill flushing correctness criterion. Windley and Coe [1995] uses HOL
[Gordon and Melham, 1993] to define a general theory for the specification nd verification of
pipelined microprocessors. Ho et al. [1998] use temporal logic to specifyproperties about structural
and control hazards. They call such properties transmission properties. Their method abstracts
the pipeline datapath using generalized OR gates that output the collection of all the input values.
Transmission properties are then verified using an off-the-shelf model checker.
Mishra et al. [2002] observe that microprocessor verification is made morchallenging due to the
adhoc creation of the specification model, usually by reverse engineeringthe RTL design. They
propose a top down approach whereby a ‘golden model’ is created in an architecture description
language (ADL). The ADL specifies how the implementation should handle hazards: e.g. by stalling
the pipeline or by restoring the program counter. The ADL model is then used to generated state
machine like specifications against which which they verify the control circuitry. A similar approach
is described in Higgins and Aagaard [2005].
Due to the fact that pipeline hazards manifest when multiple instructions interact in the pipeline,
coverage of such scenarios using automated test generation is challenging since crafting a suitable
sequence of instructions must take into account instruction dependencies, latency through the exe-
cution units and the structure of the pipeline. Iwashita et al. [1994] propose a methodology for test
case generation using symbolic image computation, similar to reachability analysis inmodel check-
ing. They first perform a reduction of the pipelined design with respect tothe type of properties
mentioned in the test cases. The abstract model has fewer instruction types,and only the latency
of execution units is preserved. Symbolic reachability on the abstract modelis used to derive input
sequences for the original design. Gupta et al. [1997] analyze the conditions under which a test
generation approach based on an abstract model achieves coverageof the original design. Diep and
Shen [1995] use architectural annotations to compute all possible read-aft r-write (RAW) hazard
29
in a pipeline. The need for automated test case generation is further advocated with the use of the
SPEC benchmarks that is found to achieve poor coverage of the hazards. A similar approach using
ADL specifications is taken by Mishra and Dutt [2004], Kohno and Matsumoto [2001].
2.4.3 Datapath Abstraction
There are several approaches to datapath abstraction in formal verification. Exact abstractions [Ho-
jati and Brayton, 1995, Namjoshi and Kurshan, 2000] exploit certain desirable conditions on the
transformations and predicates applied to the data values by the control circuitry. The conditions
under which the abstraction is exact are identified by syntactic examination ofthe circuit. Approx-
imate abstractions vary in the degree of the precision they provide. Ho et al.[1998] replace the
datapath with union gates that preserve the propagation of inputs into outputsbut nothing else. Data
predicates become non-deterministic. Datapaths are abstracted with uninterpreted functions and are
incrementally improved using counterexamples in Andraus et al. [2006]. Other approaches [Paruthi
et al., 1998, Zaraket et al., 2005] aim at preserving the data predicatesbut restrict the data domain
to representative values.
Hojati and Brayton [1995] identify sufficient separation conditions betwen datapath and control to
ensure that the datapath can be abstracted exactly. When the datapath is restricted to perform only
data movement operations, the controller is called data independent. Data independent controllers
cannot examine any data predicates. With data independent controllers it issound to reduce datapath
variables to a single bit. An extension that generalizes previous work [Norris IP and Dill, 1996] is
to allow both data movement and data equality tests. In their terminology, the circuitis sa d to have
a data comparison controller. Hojati and Brayton prove negative results for heir model in the case
when more than equality tests is allowed.
Bjesse [2008] partitions a word-level netlist into subnets that behave as dat comparison controllers.
Data-comparison controller nodes (e.g. , equality, multiplexers, etc. ) are left as word-level opera-
tors. Sub-word operators (e.g. , concatenation, extraction with constant indices, etc. ) are decom-
posed into sub-words. All other operators are exploded into bit-level operations.
A method that generalizes the approach by Hojati and Brayton is presentedby Namjoshi and Kur-
shan [2000]. Their technique calculates the transition relation of each predicat that needs to be
preserved using Dijkstra’s weakest precondition. This in turn leads to thediscovery of new pred-
icates that need to be preserved. Rewrite rules are used to decide if a newpredicate is expressed
using Boolean connectives in terms of the ones discovered previously.
Paruthi et al. [1998] verify datapath and mixed control/datapath properties. They identify three
classes of variables: datapath, control, and mixed. Mixed and control variables are preserved. As
with Hojati and Brayton, control circuitry is allowed only to move the datapath variables. However,
30
in this model, the value of datapath variables is allowed to be computed from the value of other
variables using arbitrary operators. They use an interval propagationalg rithm to reduce the width
of numeric signals to the minimum necessary to preserve exactness (i.e. , no underflow or overflow).
Their method does not handle loops with a dynamic count of iterations.
Zaraket et al. [2005] describe an abstraction framework based on bisimulation minimization. Their
algorithm uses graph optimization heuristics to identify suitable components of a bit-level netlist
for which minimization is desirable. The algorithm computes the classes of an input equivalence
that preserves bisimilarity of the subcomponent. Filters of combinational logic are pl ced to restrict
inputs to selected representatives of the equivalence classes. Their method r duces the size of the
netlist that propagates datapath values to the bitwidth needed to tranfer and store representative
values. The minimized circuit still contains the datapath blocks that transform data values.
Ho et al. [1998] are interested in the verification of parcel-flow properties s milar to some aspects
of our work: loss, duplication, and ordering. The main idea is to replace thedatapath circuitry with
wires, replace feedback signals from datapath to control with non-deterministic inputs, and then
verify properties about how “tokens” travel through the pipeline. Theyautomatically separate dat-
apath and control based on manually selected seed control signals. Theyuse abstract interpretation
to show that parcel-flow properties are preserved on the abstracted circuit.
Andraus et al. [2006] use a language of terms with uninterpreted functions. Heuristics are em-
ployed to identify datapath variables based on their width. They use an SMT solver to perform the
verification and refine their abstraction in a counterexample-guided refineme t loop.
The pipeline model that we propose shares similarities with the token net approach [Ho et al., 1998].
Our pipeline model consists of a network of parcel variables and a controller that steers the parcels
through the network. In both models, the toplevel movement of the parcels throug the network
obeys the rules of data independent controllers identified by Hojati and Brayton [1995], i.e. only
copying is allowed. The properties that are likely to be verfied using our abst action methodology
are also similar to the ones in the work by Ho et al.. Both our abstraction and theirs ar conservative
with respect to parcel flow properties. We differ in how we approach datapath abstraction. They
perform a syntactic transformation of the circuit by replacing datapaths withtoken union gates.
Datapath predicates in the abstract circuit take nondeterministic values, which can influence parcel
flow. Our approach is aimed at preserving datapath predicates and thus less likely to produce false
counterexamples.
Our datapath abstraction technique is based on identifying the equivalences classes of parcel values
as they move through the pipeline, under the various combinations of datapathpredicates. Because
the equivalence holds inductively as the parcels transfer through the pipeline this approach bears
similarity to that of Namjoshi and Kurshan that uses bisimulation minimization. While theirap-
proach works at the program level, ours exploits the pipeline structure ofthe circuit. One difficulty
31
in applying the method in Namjoshi and Kurshan [2000] is convergence of the algorithm. Their
algorithm starts with a set of predicates to be preserved and then adds further predicates inductively
until the next-state value of each predicate is expressible in terms of the current state value of the set
of predicates. In the case of pipelined circuits, their method, which uses Dijktra’s weakest precon-
dition, generates predicates that contain in their definition the datapaths to be abstracted. Identifying




This chapter presents our model for pipelined circuits. The definition of thepipeline model is given
in Section 3.1. In Section 3.2 we instantiate the concepts of simulation and language containment
for the verification of control properties of pipeline models. In Section 3.3 we discuss abstract
interpretation of pipeline models.
3.1 Pipeline Models
This section describes our formalization of pipelined circuits as pipeline models. Conceptually, a
pipeline model consists of a network of parcel variables and datapath instance . In the network,
parcels are either copied between variables or transformed by datapath inst nces. The parcel flow
through the network is coordinated by a state machine that represents the control. The datapath
instances are modeled as circuits with annotations describing the parcel andcontrol variables. The
network of variables and datapath modules is formalized using if-then-else parc l expressions.
Our presentation of concepts is illustrated using a pipelined circuit calledDiffAddMult. The struc-
ture of the circuit is described in Figure 3.1.DiffAddMult has one inputvi and two outputsvo1
andvo2. It has four combinational datapath instances:Sub, Neg , Add andMult . There are four
registers to hold the intermediate parcel values:rNeg , rAdd , rMult1 andrMult2. The input values
are tuples of form〈i, j, k,⊙〉 and the output values that are produced correspond to the operation
|i − j| ⊙ k, where⊙∈ {+, ∗ }. According to their values, inputs to the pipeline follow one of
several paths:
• Sub → Neg → Add






























Figure 3.1: Block Diagram ofDiffAddMult
• Sub → Add
• Sub → Mult
The datatypes of an 8-bit version ofDiffAddMultare described in Figure 3.2.
The Sub instance, described in Figure 3.3 performs the operationi − j. The tuple〈i, j, k,⊙〉 is
encoded in the variablepclP . The valuesi, j are integers represented in 2’s complement andk is
a natural. The circuit produces two datapath outputs in the variablespclN 1 andpclN 2. The output
pclN 1 is meant for theNeg instance and therefore it encodes the operation⊙. On the other hand,
34
type op ty is { add, mult };





op : op ty
};




op : op ty
};






1 ckt sub (pclP : sub in ty)(pclN 1 : neg in ty, pclN 2 : addmult in ty, selN : bitvec[3])
2 var
3 diff : bitvec[8];
4 assign
5 diff := pclP .i − pclP .k;
6 pclN 1 := tuple { i = diff , j = pclP .k, op = pclP .op};
7 pclN 2 := tuple { i = diff , j = pclP .k };
8 selN := if diff < 0 then 001





pclN 2 is meant to reach directly one of the instancesAdd or Mult and therefore it does not have
to represent⊙. The control outputselN uses a one-hot representation to encodes the next instance
to process the parcel: ifi − j is negative the parcel goes to theN g instance, otherwise toAdd or
Mult as required by⊙. In our example the path of parcels through the pipeline is encoded by the
selN outputs of theSub andNeg instances. TheselN signals are used by the control circuitry to
drive the muxes of the parcel variables.
PclP
PclN
control inputs control outputs
Figure 3.4: Datapath Module
Datapath modules are annotated combinational circuits. The block diagram foa generic datapath
module is shown in Figure 3.4. The setsPclPandPclNdenote the input and output parcel variables.
The variables inPclPandPclNare defined by the annotated circuit.
3.1.1 Definition (Datapath Module). A datapath moduledp is a tuple〈C,PclP,PclN,Vctrl 〉 such
that:
• C is a combinational circuit
• PclP⊆ C.Vi is the set of input parcel variables
• PclN⊆ C.Vo is the set of output parcel variables
• Vctrl ⊆ C.Vi ∪ C.Vo is the set of control variables
The datapath module forSub is defined as follows:
dpSub = 〈C,PclP,PclN,Vctrl 〉
C = Csub
PclP = { pclP }
PclN = { pclN 1, pclN 2 }
Vctrl = { selN }
36
1 ckt neg (pclP : neg in ty)(pclN : addmult in ty, selN : bitvec[2])
2 var
3 abs : bitvec[8];
4 assign
5 abs := 0− pclP .i;
6 pclN := tuple { i = abs, j = pclP .j };
7 selN := if pclP .op = add then01else10;
8 end
dpNeg = 〈C,PclP,PclN,Vctrl 〉
C = Cneg
PclP = { pclP }
PclN = { pclN }
Vctrl = { selN }
Figure 3.5:Neg Datapath Module
TheNeg instance is described in Figure 3.5. Its input parcel variable encodes thetuple〈(i− j), k,⊙〉,
wherei− j < 0. The resulting output parcel is sent toAdd orMult depending on the operation⊙.
1 ckt add (pclP : addmult in ty)(pclN : bitvec[8])
2 assign
3 pclN := pclP .i + pclP .j ;
4 end
dpAdd = 〈C,PclP,PclN,Vctrl 〉
C = Cadd
PclP = { pclP }
PclN = { pclN }
Vctrl = ∅
Figure 3.6:Add Datapath Module
TheAdd instance is described in Figure 3.6. Its input parcel variable encodes thetuple〈|i− j|, k〉.
It produces the result of the operation|i− j|+ k.
The Mult instance is described in Figure 3.7. It works in several stages. The argumentpclP1
holds the parcel received from a previous datapath instance and represents the tuple〈|i− j|, k〉.
The argumentpclP2 holds the result of partial products. The operation interprets the operands as
37
1 type mult pp ty is tuple { pp1 : bitvec[4], pp2 : bitvec[4] };
2
3 ckt mult (pclP1 : addmult in ty, pclP2 : mult pp ty, stateIn : bitvec[3])





dpMult = 〈C,PclP,PclN,Vctrl 〉
C = Cmult
PclP = { pclP1, pclP2 }
PclN = { pclN }
Vctrl = { stateIn, stateOut }
Figure 3.7:Mult Datapath Module
2-digit hex numbers and multiplies them according to the standard algorithm, which corresponds to
the multiplication of two polynomials:(bx + a) × (dx + c). Each polynomial represents an 8-bit
positive number in the formn = high(n)x + low(n) wherehigh(n) = n ÷ 24 and low(n) = n
mod 24. Multiplying the two polynomials we getbdx2+(bc+ad)x+ac which represents a 16-bit
number. The 8-bit result is thus given by(low(bc+ad)+high(ac))x+ low(ac). Figure 3.8 presents
the implementation of the multiplication operation. Figure 3.8a describes the decisiontree used to
choose the order in which a succession of 4-bit multiplications and additions are performed. The
nodes of the decision tree denote the state of the computation. Thus000 denotes the initial state
and111denotes the final state. The labels on the edges denote the partial arithmetic operations that
are performed and the corresponding condition. The results of the partial operations are returned
in pclN . The current state and the next state are in the control variablesstateIn and stateOut .
Figure 3.8b represents in more detail the operations performed by each step.
A pipeline model defines two types of variables: parcel and control. The modeling enforces a
separation between parcel and control variables according to the view of the pipeline as a network
of parcel variables and datapath instances through which parcels flow as steered by the control.
Parcel values influence control through the control outputs that datapaths roduce.
The set of control variables of a pipeline model is denoted byVctrl . In theDiffAddMultexample, the
existence of a valid parcel in one of the parcel registers,rNeg , rAdd , rMult1, rMult2, is represented



























adx+ ac bcx+ ac
(bc+ ad)x+ ac
Fig. 3.8a.Decision Tree
State Condition Operations Next State
000
a = 0 b × c 001
a 6= 0 a × c 010
001
b = 0 111
b 6= 0 111
010
b = 0 a × d 011
b 6= 0 b × c 100
011 low(ad) + high(ac) 111
100
d = 0 low(bc) + high(ac) 111
d 6= 0 a × d ∧ low(bc) + high(ac) 110




Figure 3.8: Sequential Multiplication
39
Variable Value
req i ,Sub input variable
reqSub,Neg req i,Sub ∧ selN Sub = 00
reqSub,Add req i,Sub ∧ selN Sub = 01
reqSub,Mult req i,Sub ∧ selN Sub = 10
reqNeg ,Add validNeg ∧ selNNeg = 0
reqNeg ,Mult validNeg ∧ selNNeg = 0
reqAdd ,o1 validAdd
reqMult ,Mult validMult1 ∧ stateOut 6= 111
reqMult ,o2 validMult1 ∧ stateOut = 111
Table 3.1: Request variables.
Variable Value
accSub,i req i ,Sub
accNeg ,Sub reqSub,Neg ∧ ¬stallNeg
accAdd ,Sub reqSub,Add ∧ ¬(reqNeg ,Add ∨ stallAdd )
accAdd ,Neg reqNeg ,Add ∧ ¬stallAdd
accMult ,Sub reqSub,Mult ∧ ¬(reqNeg ,Mult ∨ reqMult ,Mult ∨ stallMult)
accMult ,Neg reqNeg ,Mult ∧ ¬(reqMult ,Mult ∨ stallMult)
accMult ,Mult reqMult ,Mult
acco1,Add input variable
acco2,Mult input variable
Table 3.2: Accept variables.
transfer of parcels forDiffAddMult is performed through a handshake mechanism. The two parts of
the handshake are requests and accepts. Both accepts and requests are modeled using combinational
variables. Requests denote where parcels need to transfer in the next cycl and are calculated using
control outputs of the datapaths such as theselN output ofSub andNeg or stateOut of Mult .
Table 3.1 describes the request variables used byDiffAddMult. Accepts confirm the request for the
transfer of a parcel and the transfer happens in the current cycle. There is an accept-request pair of
variables for each edge along which parcels can transfer. Table 3.2 describes the accept variables. To
model the stalling of parcels in the parcel registers we use three more variables: stallNeg , stallAdd
andstallMult . Parcels processed byAdd orMult stall if the environment does not accept or in order
to satisfy an ordering property by waiting until an older instruction is done. Aparcel stalls inNeg
if it makes a request that is not granted:




















































Fig. 3.9b.WhenA is done both instructions exit.
Figure 3.9:B waits untilA finishes processing.
The control circuitry is responsible for ensuring that parcel flow through the pipeline obeys certain
desired properties. Figure 3.9 and Figure 3.10 describe pipeline behaviours in which two instruc-
tions,A andB, have a constrained flow. Figure 3.10 describes an ordering propertyof theDiffAd-
dMult pipeline. InstructionB enters the pipeline after instructionA, in other words, it is younger
thanB, and it must wait for instructions older than it to complete before it can exit thepip line.
Solid arrows denote that requests are made and granted, dotted arrows denote that requests are made
but not granted. Figure 3.9a describes a first step in which both instructions transfer which is then
followed by a sequence of steps in which instructionB is stalled whileA continues processing.





















































Fig. 3.10b.Second cycle:B transfers.
Figure 3.10:B stalls becauseA has higher priority.
the prioritization of requests for theAdd datapath. Figure 3.10a describes both instructionsA and
B requesting to transfer toAdd : the request ofB is not granted and it stalls. Figure 3.10b describes
the immediately following cycle whenB is allowed to tranfer toAdd .
42
We gather the actual parcel arguments to the datapath instances into two sets:
PclP ≡ { pclPSub , pclPNeg , pclPAdd , pclPMult1, pclPMult2 }
PclN ≡ { pclN Sub , pclNNeg , pclNAdd , pclNMult1, pclNMult2 }
ForDiffAddMult the set of parcel variables is described by
Vpcl ≡ { vi , vo1, vo2, rNeg , rAdd , rMult1, rMult2 } ∪ PclP∪ PclN
We use the following notation for the interesting subsets of parcel variables. The set of constants
that appear in if-then-else expressions are denoted byConstantPcl.
Set Definition Meaning
CombPcl { vi , vo1, vo2 } ∪ PclP∪ PclN Combinational Variables
RegPcl { rNeg , rAdd , rMult1, rMult2 } Register Variables
NextRegPcl { rNeg ′, rAdd ′, rMult1′, rMult2′ } Next State Variables
InputPcl { vi } Input Parcel Variables
OutputPcl { vo1, vo2 } Output Parcel Variables
ConstantPcl { resetMult } Parcel Constants
Because of the separation between datapath and control, the value of a non-input parcel variable
is updated using only the value of another parcel variable. The expressions that can be assigned
to parcel variables are called if-then-else (ITE) parcel expressions. A ITE parcel expression is
identical to a mux tree, the nodes of which represent parcel variables and with select signals given by
expressions over control variables. The simplest type of ITE parcel expressions are parcel variables,
constant andchoice expressions. Inductively, ifb is a Boolean control expression andt1 andt2 are
ITE parcel expressions, thenif b then t1 else t2 is an ITE parcel expression.
Let BExpr(Vctrl ) denote the set of Boolean expressions over the set of control variablesVctrl .
3.1.2 Definition (If-then-else Parcel Expressions). The set of if-then-else parcel expressions over
Vpcl andBExpr(Vctrl ), denoted byITEParcelExpr(Vpcl ,Vctrl ), is defined inductively:
• If v ∈ Vpcl thenv is an ITE parcel expression.
• If w ∈ B+ thenw is an ITE parcel expression.
• choice is an ITE parcel expression.






accMult ,Sub ¬accMult ,Sub
accMult ,Neg ¬accMult ,Neg
accMult ,Mult ∨ stallMult ¬accMult ,Mult ∨ stallMult
Figure 3.11: Mux tree corresponding to the expression in Equation 3.1.
An example for the expression
if accMult ,Sub then pclN Sub
else if accMult ,Neg then pclNNeg
else if accMult ,Mult ∨ stallMult then rMult1
else choice
(3.1)
is shown in Figure 3.11. In the figure, each internal node corresponds tothe ccurrence of an
if-then-elseoperator. The leafs of the tree are either parcel variables or the nondeterministicchoice
operator. The edges of the tree are labeled by the conditions under whichthe orresponding subtree
is selected.
The transition relation ofDiffAddMult contains the following assignments to parcel variables:
pclPSub := vi (3.2)
rNeg
′ := if accNeg ,Sub then pclN Sub else if stallNeg then rNeg else choice (3.3)
pclPNeg := rNeg (3.4)
rAdd
′ := if accAddSub then pclN Sub (3.5)
else if accAdd ,Neg then pclNNeg
else if stallAdd then rAdd
else choice
pclPAdd := rAdd (3.6)
vo1 := pclNAdd (3.7)
pclPMult1 := rMult1 (3.8)
44
rMult1
′ := if accMult ,Sub then pclN Sub (3.9)
else if accMult ,Neg then pclNNeg
else if accMult ,Mult ∨ stallMult then rMult1
else choice
vo2 := pclNMult (3.10)
pclPMult2 := rMult2 (3.11)
rMult2
′ := if accMult ,Mult then pclNMult2 (3.12)
else if stallMult then rMult2
else if accMult ,Sub ∨ accMult ,Neg then resetMult
else choice (3.13)
When registers do not hold valid parcel values they are assigned nondeterministically, i.e.choice.
When a new parcel transfers in theMult stage the partial product register is reset to a constant value.
A pipeline model is an annotated circuit with syntactic restrictions. The annotations describe the
types of variables of the pipeline and its datapath instances.
3.1.3 Definition(Pipeline Model). A pipeline modelPipe is a tuple〈C,Vpcl ,Vctrl ,Dps〉 such that:
• C is a circuit.
• Vpcl is the set of parcel variables.
• Vctrl is the set of control variables.
• Dps is the set of datapath modules.
We useCDiffAddMult to denote the circuit for theDiffAddMult pipeline. The pipeline model for
DiffAddMult is the tuple
PipeDiffAddMult = 〈C,Vpcl ,Vctrl ,Dps〉
C = CDiffAddMult
The sets of control and parcel variables are disjoint. Parcel variablesre assigned ITE parcel terms,
control variables are assigned arbitrary expressions over control variables.
∀ ‘v := e’ ∈ C.Tr. v ∈ Vpcl ∪ Vpcl
′ =⇒ e ∈ ITEParcelExpr(Vpcl ,Vctrl )
∀ ‘v := e’ ∈ C.Tr. v ∈ Vctrl ∪ Vctrl
′ =⇒ varse ⊆ Vctrl
45
Arguments to datapath parcel inputs and outputs are combinational parcel viables of the pipeline
model. Arguments to control inputs of datapaths are control variables.
∀ dp ∈ Dps. Arg(dp.Vctrl ) ⊆ Vctrl
∀ dp ∈ Dps. Arg(dp.Vpcl ) ⊆ Vpcl
3.2 Abstraction For Control Properties
In this section we specialize the general concepts of simulation and languagecontainment for the
verification of control properties of pipeline models. Simulation and languagecontainment are
defined with respect to the control variables of the pipeline model. Language containment is weaker
than simulation. However, because language containment between parcelautomata carries over to
pipeline models we prove separate results for both simulation and language containment. Simulation
preservesACTL∗ properties and language containment preservesLTL properties.
The definitions of simulation and language containment that preserve control properties are given
with respect to a concrete pipeline modelPipec and an abstract onePipea . In the remainder of the
thesis the concrete pipeline modelPipec is subject to our datapath abstraction methodology and the
abstract model plays the role of a suitable abstraction. The semantics of the two models are defined
by their circuits. We denote the corresponding labeled transitions as follows:
LTS(Pipec .C) = 〈QPc ,RPc ,TPc , IPc〉
LTS(Pipea .C) = 〈QPa ,RPa ,TPa , IPa〉
Since our abstraction is for control properties, the pipeline modelsPipec andPipea are to be defined
over the same set of control variables.
Pipec .Vctrl = Pipea .Vctrl
In the remainder of the thesis,Pipe = 〈C,Vpcl ,Vctrl ,Dps〉 is a pipeline model with its labeled
transition system denoted by:
LTS(Pipe.C) = 〈QP,RP,TP, IP〉
46
3.2.1 Simulation
The concept of pipeline model simulation is an instantiation of general simulation (Definition 2.1.2)
to pipeline models by requiring that control variables be preserved in the commuting diagram.
3.2.1 Definition(Pipeline Simulation). A pipeline simulation is a simulation relationSP ⊆ QPc ×
QPa that preserves control variables.
• Related states agree on register control variables.
∀ (qPc , qPa) ∈ SP. qPc =Vctrl qPa (3.14)
• Commuting diagrams preserve combinational control variables.
∀ (qPc , tPc , q
′
Pc) ∈ RPc . ∀ qPa ∈ QPa .
(qPc , qPa) ∈ SP =⇒
∃ tPa ∈ TPa . ∃ qPa



















SP with tPc =Vctrl tPa
(3.15)
• The condition on initial states remains unchanged.
∀ qPc ∈ IPc . ∃ qPa ∈ IPa . (qPc , qPa) ∈ SP (3.16)
We use the notation
Pipec P Pipea
to denote the existence of a relation satisfying Equation 3.14 up to Equation 3.16.
As an example, consider the concrete pipeline model described in Figure 3.12. The domain of the
parcel variables consists of tuples of two bit numbers of form〈a, b〉. The two datapaths test the
two numbers in their operand for equality and, respectively, inequality. The parcel input is passed
unchanged to the output. The concrete model is defined by:
Vpcl = { i , r , t , o }
Vctrl = { v1, v2 }










type pcl ty is tuple { a : 0 .. 3,b : 0 .. 3};
ckt Dp=(pclP : pcl ty)(pclN : pcl ty, v : bool)
assign
pclN := pclP ;
v := pclP .a = pclP .b;
end
ckt Dp 6=(pclP : pcl ty)(pclN : pcl ty, v : bool)
assign
pclN := pclP ;
v := not (pclP .a = pclP .b);
end
ckt Pipec (i : pcl ty)(o : pcl ty, v1, v2 : bool)
var
r , t : pcl ty;
inst
dp= : Dp=(i )(t ,v1)
dp 6= : Dp 6=(r )(o,v2)
assign
r ′ := t ;
end
Fig. 3.12b.Implementation
Figure 3.12: Concrete Pipeline Model.
An abstraction for the concrete model is described in Figure 3.13. The abstract model has no input
or output parcel variables and the datapathDp= a produces a nondeterministic parcel output without
reading any input. The pipeline modelPipea has identically defined control variables, however, the
parcel variables differ:
Vpcl = { t , r }
Vctrl = { v1, v2 }








type pcl ty is bool;
ckt Dp= a ()(pclN : pcl ty, v : bool)
assign
pclN := choice;
v := pclN ;
end
ckt Dp 6= a (pclP : pcl ty)(v : bool)
assign
v := not pclP ;
end
ckt Pipea ()(v1, v2 : bool)
var
r , t : pcl ty;
inst
dp= : Dp= a ()(t ,v1)
dp 6= : Dp 6= a (r )(v2)
assign
r ′ := t ;
end
Fig. 3.13b.Implementation
Figure 3.13: Abstract Pipeline Model.
We defineSP as follows:
SP ≡{ (qPc , qPa) | ∃ a ∈ { 0, . . . , 3 }. qPc(r) = 〈a, a〉 ∧ qPa(r) = true }
∪ { (qPc , qPa) | ∃ a ∈ { 0, . . . , 3 }. ∃ b ∈ { 0, . . . , 3 }. qPc(r) = 〈a, b〉
∧ qPa(r) = false ∧ a 6= b }
(3.17)
The commuting diagram in Equation 3.15 is shown to hold for our example for each of the two cases
that defineSP in Equation 3.17. The case whenqPc(r) = 〈a, a〉 andqPa(r) = true is described
in Figure 3.14. There are two types of transitions that the concrete pipeline can make from such a
state. In each of the two, there exists a corresponding transition of the abstract model. Figure 3.15
describes how the transitions of a concrete state of formqPc(r) = 〈a, b〉 with a 6= b are matched by
the simulating abstract state withqPa(r) = false.
49
r = 〈a, a〉
r = true






r = 〈b, b〉
r = true
r = 〈a, a〉
r = true






r = 〈b, c〉
r = false
Figure 3.14: Commuting diagrams for the caseqPc(r) = 〈a, a〉.
3.2.2 Language Containment
A run of the pipeline modelPipe is a run ofLTS(Pipe.C), as described in Section 2.1. We denote
such runs byσP : N → QP × TP and use the notationσP(n) = (qnP, t
n
P). According to the definition
of the run, we have:




P ) ∈ RP
The language of a pipeline model is the set of its runs:
L(Pipe) = {σP | σP is a run ofPipe }
Equivalence on runs is defined with respect to a concrete modelPip c and an abstract onePipea .
50
r = 〈a, b〉
r = false






r = 〈c, c〉
r = true
r = 〈a, b〉
r = false






r = 〈c, d〉
r = false
Figure 3.15: Commuting diagrams for the caseqPc(r) = 〈a, b〉 with a 6= b.
ConsiderσPc ∈ L(Pipec) andσPa ∈ L(Pipea). Run equality over control variables is denoted by










Language containment of pipeline models is defined by
L(Pipec) ⊆P L(Pipea) ≡ ∀ σPc ∈ L(Pipec). ∃ σPa ∈ L(Pipea). σPc =P σPa
Figure 3.16 describes an abstractionPipea of the concrete pipeline modelPipec from Figure 3.12.
The abstract pipeline model has the property thatL(Pipec) ⊆P L(Pipea). However,Pipec P
Pipea does not hold because in each of its states, the model described in Figure 3.16 can perform
exactly one transition with labelv1 = b, for someb ∈ { true, false }, since the parcel input todp= a











type pcl ty is bool;
ckt Dp= a (pclP : pcl ty)(pclN : pcl ty, v : bool)
assign
pclN := pclP ;
v := pclP ;
end
ckt Dp 6= a (pclP : pcl ty)(pclN : pcl ty, v : bool)
assign
pclN := pclP ;
v := not pclP ;
end
ckt Pipea (i : pcl ty)(o : pcl ty, v1, v2 : bool)
var
r1, r2, t1, t2 : pcl ty;
inst
dp= : Dp= a (r1)(t1,v1)
dp 6= : Dp 6= a (r2)(o, v2)
assign
r1





Figure 3.16: Abstract Pipeline Model.
the parcel input todp= is an input variable of the pipeline model.
In Figure 3.17 we sketch the proof of language containment. The run of theabstract model is chosen











Pa(v1). Because the value oft
n
Pc(v1) is
eithertrue or false based on whether the input valuesan+1 andbn+1 are equal, while the value of
tnPa(v1) is fixed and equal toq
n
Pa(r1), no abstract state can simulate a concrete state.
3.3 Abstract Interpretation Of Pipeline Datapath
Abstract interpretation [Cousot and Cousot, 1977] is an abstraction techique that replaces the con-
crete data types of a program with abstract data types and the concrete operations with abstract
52
r = 〈an, bn〉

































Figure 3.17: Proof Of Language Containment.
ones.
In this section we present the general form of abstract pipeline models created by our abstraction
methodology. Abstractions of the concrete pipeline models have the same structure as the concrete
ones. By structure we mean variable names and variable use in expressions. Abstract pipelines
instantiate abstract datapaths and therefore the domain of the parcel variab es is allowed to change.
Intuitively, abstract interpretation of a circuit corresponding to a pipelinemodel allows only for
the modification of the declared types of the parcel variables, the name of theins antiated datapath
modules and the replacement of a constant’s occurrence in an ITE term withthe occurrence of
another.
We define the equivalence ‘≈ai ’ on ITE parcel expressions so that two ITE parcel expressions are
equivalent if they differ only by occurrences of constants:
• e ≈ai e for any ITE expression.
• If e1 ande2 are constants thene1 ≈ai e2.
• If e1 ≈ai e3, e2 ≈ai e4 andb ∈ BExpr(Vctrl ) then
(if b then e1 else e2) ≈ai (if b then e3 else e4)
53
For the remainder of the thesis we use the following notation for the concrete and abstract datapaths:
Dpsc ≡ Pipec .Dps
Dpsa ≡ Pipea .Dps






if the following conditions hold:
1. The two pipeline models have the same control and parcel variables.
Pipea .Vctrl = Pipec .Vctrl
Pipea .Vpcl = Pipec .Vpcl
2. There exists a bijective mappingφ : Pipea .C .Insts→ Pipec .C .Instssuch that
∀ inst ∈ Pipea .C .Insts.
inst .id = φ(inst).id ∧
inst .InputArg = φ(inst).InputArg ∧
inst .OutputArg = φ(inst).OutputArg
3. There exists a bijective mappingψ : Pipea .C .Tr → Pipec .C .Tr such that
∀ ‘v := e’ ∈ Pipea .C .Tr.
v ∈ Vctrl ∪ Vctrl
′ =⇒ ψ(‘v := e’) = ‘v := e’
∧
v ∈ Vpcl ∪ Vpcl
′ =⇒ ∃ e′. e ≈ai e
′ ∧ ψ(‘v := e’) = ‘v := e′’
4. Initial conditions on control variables are the same.
∀ v ∈ Vctrl . ‘v := e’ ∈ Pipec .C .Init ⇐⇒ ‘v := e’ ∈ Pipea .C .Init




then the circuits of the two pipelines assign the same variables.
Therefore, anyv ∈ Vpcl ∪ Vctrl is either combinational in both circuits or register in both.
Consider the concrete pipeline model described in Figure 3.12. The abstract pipeline model in
Figure 3.13 is not an abstract interpretation because it does not have theparcel variablesi ando.
54
On the other hand, the abstract model in Figure 3.16 is a proper abstract inerpretation.
3.4 Summary
We describe the model of pipelined circuits as a network of parcel variables nd datapath instances
through which parcels flow as coordinated by the control circuitry. The variables of the circuit are
divided into datapath and control. The separation is enforced by syntacticrestrictions on the type of
expressions that can be assigned to each of the two kinds of variables. Astract interpretation of the
datapath is performed by replacing the concrete datapaths by abstract ones. The type of the pipeline




In this chapter we present a computation model of the pipeline datapath. The model for the pipeline
datapath is a labeled transition system, called a parcel automaton, that describes the behaviour of
the pipeline datapath with respect to the control inputs and outputs of the datapath instances as
parcels move through the pipeline. Abstractions of parcel automata are defin using simulation
or language containment and are shown to preserve the control visible behavior of the datapath.
Abstract parcel automata are used to define abstract datapaths.
A parcel represents a group of related values which are held in parcelvariables during a pipeline
computation. Both the values of the parcel and the corresponding variables change during the
computation of the pipeline model. In a particular pipeline step, the parcel is identified by its
variables, which can be both register and combinational. We define parcelss non-empty subsets of
Vpcl ∪ NextRegPcl.
During a pipeline computation, the parcel propagates through parcel variables and datapaths. This
execution trace is called a parcel computation. The parcel computation records the transformation
of the parcel’s variables and its interaction with the control circuitry.
In a pipeline computation, multiple parcel computations take place simultaneously. Avery im-
portant characteristic of the parcel computations that coexist during a computation of the pipeline
model is that within a pipeline step, they do not share parcel variables or datapaths. This property
of pipeline computations is called parcel independence and is formalized in thenext chapter.
Section 4.1 describes a complete example for using parcel automata for datapath abstraction. In
Section 4.2 we describe fan-out graphs which model the propagation of aparcel’s variables through
combinational variables and datapaths into next state registers. Section 4.3 illustrates parcel com-
putations with theDiffAddMult example. The definition of parcel automata is given in Section 4.5.
56
Section 4.6 adapts the concepts of simulation and language containment to parcel automata. Sec-
tion 4.7 shows how abstract interpretation is performed using abstract parcel automata.











Figure 4.1:AndOr Block Diagram.
We introduce a simple example calledAndOr and use it to provide a high-level description of the
methodology of using parcel automata for datapath abstraction. Our exampledescribes a pipeline
computation and the contained parcel computations, a parcel automaton that models all the possible
parcel computations, and an abstract parcel automaton and an abstractpipeline model obtained by
abstract interpretation using the abstract parcel automaton.
TheAndOr pipeline consists of three parcel registers and two datapaths as shown in Figure 4.1.
There are two control variables, a two-bit registerc and a one-bit combinational variablev. The
implementation of the circuit is given in Figure 4.2. The first datapath,Dp1, is described on lines
1–7. Its input arguments are a two-bit input parcel and a two-bit controlvariable. It produces an
output parcel that consists of four bits obtained by the concatenation of fur bit-and operations. The
second datapath,Dp2, is described on lines 9–13. The resulting two-bit parcel value is the bit-or
of the two-bit halves of its input parcel.Dp2 produces a one-bit control output that consists of the
bit-or of the two bits of the output parcel. The pipeline circuit instantiates the twodatapaths. The
state of the control circuitry consists of the two-bit registerc. Its value is updated using the control
output ofDp2. The current value ofc is the control argument provided toDp1.
57
1 ckt Dp1(pclP : bitvec[2], v : bitvec[2])(pclN : bitvec[4])
2 assign
3 pclN [0] := pclP [0] and v [0];
4 pclN [1] := pclP [1] and v [0];
5 pclN [3] := pclP [0] and v [1];
6 pclN [4] := pclP [1] and v [1];
7 end
8
9 ckt Dp2(pclP : bitvec[4])(pclN : bitvec[2], v : bitvec[1])
10 assign
11 pclN := pclP [0:1] or pclP [2:3];
12 v := pclN [0] or pclN [1];
13 end
14
15 ckt Pipec (vi : bitvec[2])(vo : bitvec[2])
16 var
17 v : bitvec[1];
18 r1, r3, c, pclP1, pclN 2 : bitvec[2];
19 r2, pclN 1, pclP2 : bitvec[4];
20 inst
21 dp1 : Dp1(pclP1,c)(pclN 1);
22 dp2 : Dp2(pclP2)(pclN 2,v );
23 assign
24 pclP1 := r1;
25 pclP2 := r2;
26 c′ := v :: (not v );
27 r1′ := vi ;
28 r2′ := pclN 1;
29 r3′ := pclN 2;
30 vo := r3;
31 init
32 c := 01;
33 r1 := 00;
34 r2 := 0000;
35 r3 := 00;
36 end
Figure 4.2:AndOr Implementation.
An example of a pipeline computation ofAndOr is provided in Figure 4.3. The top half of the
figure displays a sequence of pipeline model states. Each state is represented by the values of the






































c = 01 v = 0
c = 01 v = 1
c = 01 v = 1
c = 10 v = 1
Figure 4.3:AndOr Computation.




The bottom half of the figure lays out the states of the pipeline computation on a diagonal, with the
effect that from left to right one can trace each parcel through the pipeline. For instance, the parcels
in the first state of the computation have the following traces:
r1 = 00 −→ r2 = 0000 −→ r3 = 00
r2 = 0000 −→ r3 = 00
r3 = 00
A more accurate description of the trace of a parcel is to include the controlvalues that influence its
computation. For each parcel, there are two such values,c when the parcel passes throughDp1 and
59
v when the parcel goes throughDp2. Two enhanced traces from Figure 4.3 are as follows:
r1 = 00
c = 01
−→ r2 = 0000
v = 0
−→ r3 = 00
r1 = 10
c = 10
−→ r2 = 1000
v = 1
−→ r3 = 10
r2 = 0000 r2 = 0001 r2 = 0100
r3 = 01
r2 = 0010 r2 = 1000
r3 = 10
r1 = 10


















v = 1v = 1
v = 1
v = 1
Figure 4.4:AndOr Parcel Automaton.
A parcel automaton models the traces of parcels through the pipeline as a labeled transition system.
The states of the automaton correspond to parcel values in given parcelregisters and the transitions
correspond to the transfer of parcels from one register to the next. Thetransition labels give the
60
control values that influence the parcel during a transition. The parcelutomaton forAndOr is
shown in Figure 4.4. It describes the traces through the pipeline of all possible input parcel values.
The empty state∅ denotes the state of the parcel before entering the pipeline. The final statefinalPAc
represents the parcel after it has exited the pipeline. After a transition from the empty state, the state
of the parcel may be any of the four two-bit values in registerr1. For each such value, and for each
value of the control variablec, the automaton makes a transition to a state that represents the parcel
in registerr2. From such a state the automaton makes a transition to a state representing the parcel
in registerr3. The label of such a transition shows the value of the control variablev cause it is
produced by the datapathDp2 based on the value of parcel. A transition to the final state completes
the computation of the parcel automaton.
Datapath abstraction is based on identifying parcel values that have the same control visible be-
haviour through the pipeline. The parcel automaton representation of the da apath allows us to
formulate this problem as a relationship between parcel automaton states. Thereduction of the dat-
apath is performed by collapsing together equivalent states of the parcelautomaton. In our example,
the parcel automaton shows that the states corresponding to three of the input values,01, 10and11
are equivalent. After the reduction step that preserves only the stater1 = 01 and discards the other
two equivalent ones, the automaton is shown in Figure 4.5. The reduced automaton has two more
equivalent statesr2 = 0001andr2 = 0100. After performing a second reduction and representing
the reduced data domain using the abstract values{α1, α2, β1, β2 } we obtain the abstract parcel
automaton shown in Figure 4.6.
Our example showed how a parcel automaton is created to represent the datapath computations.
Conversely, given an abstract parcel automaton we can derive the pipeline datapath that it repre-
sents. Corresponding to the abstractAndOr parcel automaton, the implementations of the abstract
datapaths are shown in Figure 4.7. The abstract datapathDp1 a , shown on lines 4–9, corresponds to
the transitions of the parcel automaton from a state with registerr1 to a state with registerr2. Dp1 a
transformsα1 intoα2 andβ1 into β2. The value of the control input does not influence its computa-
tion. The second abstract datapath is shown on lines 11–19. It, too, encodes two separate transitions
of the parcel automaton, corresponding to parcels moving from registerr2 o r3. Both the value of
the parcel outputpclN and the control outputv are sensitive to the value of the input parcel. The
two datapaths are used to give an abstract interpretation of the original pipeline as shown on lines
21–42 of the listing in Figure 4.7. The abstract pipeline circuit differs fromthe concrete one in the
types of parcel variables, the two datapaths that it instantiates and the initial condition. Figure 4.8









r2 = 0001 r2 = 0100
r3 = 01
r1 = 01
c = 10c = 01
v = 1v = 1















Figure 4.6:AndOr Abstract Parcel Automaton.
63
1 type pcl ty is { α1, α2, β1, β2 };
2 type pcl in ty is { α1, β1 };
3
4 ckt Dp1 a (pclP :pcl in ty, v : bitvec[2])(pclN : pcl ty)
5 assign
6 pclN := if pclP == α1 then α2




11 ckt Dp2 a (pclP : pcl ty)(pclN : pcl ty, v : bitvec[1])
12 assign
13 pclN := if pclP == α2 then α1
14 else ifpclP == β2 then β1
15 elsepclP ;
16 v := if pclP == α2 then 0




21 ckt Pipea (vi : pcl in ty)(vo : pcl ty)
22 var
23 v : bitvec[1];
24 r1, r3, c, pclP1, pclN 2 : pcl ty;
25 r2, pclN 1, pclP2 : pcl ty;
26 inst
27 dp1 : Dp1(pclP1,c)(pclN 1);
28 dp2 : Dp2(pclP2)(pclN 2,v );
29 assign
30 pclP1 := r1;
31 pclP2 := r2;
32 c′ := v :: (not v );
33 r1′ := vi ;
34 r2′ := pclN 1;
35 r3′ := pclN 2;
36 vo := r3;
37 init
38 c := 01;
39 r1 := α1;
40 r2 := α2;
41 r3 := α2;
42 end






































c = 01 v = 0
c = 01 v = 1
c = 01 v = 1
c = 10 v = 1
Figure 4.8: AbstractAndOr Computation.
65
4.2 Fan-Out Graphs
We use fan-out graphs to give a precise definition of the propagation ofa parcel’s values through
parcel variables and datapaths. A fan-out graph is a directed acyclic graph. The nodes of the graph
are parcel variables and the edges denote the transfer of a value fromthe source of the edge to its
destination. The labels on the edges of the graph stand for the condition under which the transfer
takes place.
4.2.1 Definition(Fan-out Graph). A fan-out graph is a tuple〈Nodes,Succ〉 where:
• Nodesis the set of nodes.
• Succis the successor relation.
• Nodes⊆ Vpcl ∪ NextRegPcl∪ ConstantPcl







Figure 4.9: Fan-out Graph
Figure 4.9 represents a fan-out graph for the transfer of an input parcel into the registerNeg . Solid
edges in the figure represent parcel copying from one variable to anoher. Dotted lines denote parcel
transformations by datapaths. The label on an edge denotes the condition under which the transfer
occurs. The omission of a label implies its condition is always true.
Given a fan-out graphfg we refer to the datapaths it references by
datapathsfg ≡ { dp ∈ Dps | Arg(dp.Vpcl ) ∩ fg .Nodes6= ∅ }
66
For the example in Figure 4.9 we havedatapathsfg = {Sub }.
The fan-out of a parcel is represented by a fan-out graphf nOut(qP, tP, q′P) p that has as roots the
variables inp and as nodes all variables that derive their value transitively from the variables in the
parcel in the pipeline step(qP, tP, q′P). When the pipeline step is known from context, we omit it,
and writefanOutp.
4.2.2 Definition(Parcel Fan-out). The fan-out graph of a parcelp in (qP, tP, q′P) is the fan-out graph
fg = 〈Nodes,Succ〉 defined inductively:
Base Case
• p ⊆ Nodes
• If w is a constant,v ∈ p, and(w, b, v) ∈ FanOutEdges such that(qP ∪ tP) |= b then
w ∈ Nodes.
Inductive Case If vl ∈ Nodes and there exists a fan-out edge(vl, b, vk) such that(qP ∪ tP) |= b
thenvk ∈ Nodes and(vl, b, vk) ∈ Succ.
Formally, the roots of the fan-out graphfg is the set of variables defined as follows:
rootsfg = { v ∈ fg .Nodes|6 ∃ (v1, b, v) ∈ FanOutEdges. (v1, b, v) ∈ fg .Succ}
They are the roots of the fan-out digraph with the addition of the variables that have an incoming
edge from a constant.
The variables in the fan-out of a parcelp are denoted byp∗:
p∗ ≡ (fanOutp).Nodes∩ (Vpcl ∪ NextRegPcl)
Parcel variables receive their value either by assignment of an ITE parcel expression or by being an
actual parameter for an output of a datapath instance. The meaning of an ITE parcel expression is a
set of pairs of form(expr , cond), whereexpr is a parcel variable, a constant orchoice andcond
is a Boolean control expression, with mutually exclusive conditions, such that expr is the value
of the expression whencond is true. The support function returns the set of expression-condition
pairs for a given expression. Because edges of a fan-out graph ae derived using the support of an
expressiont, the definition of the support function ensures that every variable occurs at most once
in the support of an expression.
4.2.3 Definition(Support function). The support of an ITE parcel expressiont is defined using the
auxiliary functionsupport1 t. The functionsupport1 is defined inductively:
67
• t = w with w constant thensupport1 t = { (w, true) }.
• t = choice thensupport1 t = { (choice, true }.
• If t = v with v ∈ Vpcl thensupport1 t = { (v , true) }.
• If t = if b then t1 else t2 then
support1 t = { (v , b ∧ b1) | (v , b1) ∈ support1 t1 } ∪ { (v , (¬b) ∧ b2) | (v , b2) ∈ support1 t2 }
• supportjoins the multiple occurrences of the same expressione in support1 t:
supportt ≡ { (e,
∨
(e,b)∈support1 t







Figure 4.10: Mux tree for the expressionif b1 then v1 else if b2 then v2 else if b3 then v3 else v1.
For the expression
t = if b1 then v1 else if b2 then v2 else if b3 then v3 else v1
described in Figure 4.10,supportt contains only one occurrence of the variablev1:
(v1, b1 ∨ ¬b1 ∧ ¬b2 ∧ ¬b3)
For the expression in Equation 3.1 on page 44 we have:
supportt = { (pclN Sub , accMult ,Sub),
(pclNNeg ,¬accMult ,Sub ∧ accMult ,Neg),
68
(rMult1,¬accMult ,Sub ∧ ¬accMult ,Neg ∧ (accMult ,Mult ∨ stallMult)) }
Since accepts or stalls are mutually exclusive the example above simplifies to:
supportt = { (pclN Sub , accMult ,Sub), (pclNNeg , accMult ,Neg), (rMult1, accMult ,Mult ∨ stallMult) }
Fan-out graphs are inferred from assignments to parcel variables in the transition relation and from
the arguments of parcel inputs and outputs of the datapath instances. Corresponding to each such
case we have a type of fan-out edge. The set of fan-out edges is denote byFanOutEdges.
Assignments
(e, b, vk) ∈ FanOutEdges =⇒ ∃ t ∈ ITEParcelExpr(Pipe).
‘vk := t’ ∈ C .Tr ∧ (e, b) ∈ supportt
Datapath transformations
∀ dp ∈ Dps.
∀ pclP ∈ Arg(dp.PclP). ∀ pclN ∈ Arg(dp.PclN).
(pclP , true, pclN ) ∈ FanOutEdges
























∅ ∅ ∅ ∅






In this section we recall theDiffAddMult example introduced in Figure 3.1 from Section 3.1.
DiffAddMult uses valid bits to represent whether data held by a parcel register is valid.Invalid
data does not move through the pipeline. In the first state of the run, the parc l registers contain
invalid data:
q0P |= (validNeg = false ∧ validAdd = false ∧ validMult1 = false ∧ validMult2 = false)
As described in Section 3.1, in theDiffAddMult pipeline invalid register values do not generate
requests and therefore do not propagate.
We consider a computation of theDiffAddMult pipeline, the first step of which is described in
Figure 4.11. In this step the pipeline receives an input value that represents parcelpA such that
pA = { vi }. The parcel propagates through theSub instance, the result of which is stored in








vi 〈−30, 10, 5, mult〉
pclPSub 〈−30, 10, 5, mult〉
pclN Sub1 〈−40, 5, mult〉
pclN Sub2 〈−40, 5〉
rNeg
′ 〈−40, 5, mult〉
selN Sub 001
Fig. 4.12b.Parcel and control
environments.





The fan-out graph of parcelpA and the parcel and control environments are described in Figure 4.12.
The parcel corresponds to the operation| − 30 − 10| × 5. It should therefore take the following
path through the pipeline:
Sub → Neg → Mult → Mult . . .
The fan-out graph shows that the parcel propagates from the input variablevi , through theSub
datapath and into the registerrNeg . There are two environments that describe the parcel step. The
parcel environment valuates the variables in the fan-out of the parcel and expresses the datapath
transformation of the parcel’s values. The control environment valuatesthe control variables that
appear as arguments to the datapaths that process the parcel. In this case, the transformation through









































rNeg 〈−40, 5, mult〉







Fig. 4.14b.Parcel and control
environments.





In the second step, described in Figure 4.13, the pipeline transfers parcel A from rNeg to rMult1
and inputs a new parcelpB into registerrAdd . The two parcels and the control outputs they generate
are described in Figure 4.14 and Figure 4.15. The newly received parcel B represents the operation
|12− 10| + 2 and takes the pathSub → Add . In the current step the registerrMult2 is reset. Since
this value is not actually used in the next cycle we display it as*** . Also, note that because the
value assigned torMult2 is not dependent on the parcel’s current values, to reflect its inclusionint
pA in the next step, we addrMult2′ to the parcel in the current step.
In the next step, the pipeline computation progresses as described in Figure 4.16. ParcelpC enters
the pipeline and propagates through theSub datapath intorNeg , as described in Figure 4.17. Parcel










vi 〈12, 10, 2, add〉
pclPSub 〈12, 10, 2, add〉
pclN Sub1 〈2, 2, add〉




Fig. 4.15b.Parcel and control
environments.



































proceeds through one round of the multiplication operation. ParcelpB undergoes the addition and
is ready to tranfer out. To preserve ordering betweenpA andpB, the pipeline control stalls parcel
pB. The computation steps of the two parcels are represented in Figure 4.18 and Figure 4.19. The
algorithm described in Section 3.1 performs the 8-bit multiplication by 4-bit multiplications and
additions. For parcelpA, using the notation in Figure 3.8, we havea × c = low(40) × low(5) =
8 × 5. The partial results of the multiplication are stored inrMult2. The fan-out graph of parcelpA
shows that the multiplication uses registersrMult1 andrMult2 as arguments, and in the next state, the
value of register Mult1 remains unchanged whilerMult2 gets updated with a new value produced
by the multiplier. The parcel environment corresponding topA valuates all variables in the parcel’s









vi 〈2, 3, 5, add〉
pclPSub 〈2, 3, 5, add〉
pclN Sub1 〈−1, 5, add〉
pclN Sub2 〈−1, 5〉
rNeg
′ 〈−1, 5, add〉
selN Sub 001
Fig. 4.17b.Parcel and control
environments.





denote them by*** . The control environment shows the current and the next control states of he
multiplication.
The fourth step of the pipeline computation is shown in Figure 4.20. In this step the Sub datapath
processes the newly input parcelpD. ParcelpD is a multiplication operation and its request to
the multiplier datapath is not accepted. ParcelpB is once again stalled to preserve ordering with
parcelpA which progresses through another step of the multiplication operation, as described in
Figure 4.22. Because ofpC, pB also stalls, as shown in Figure 4.21.
In the fifth step of the pipeline computation, described in Figure 4.23, parcelpA completes the
multiplication, as shown in Figure 4.25, and therefore, both it and parcelpB transfer out of the
pipeline. The progress of parcelpC is described in Figure 4.24. Since theMult datapath is free,



























Fig. 4.18b.Parcel and control
environments.



















Fig. 4.19b.Parcel and control
environments.










































rNeg 〈−1, 5, add〉
pclPNeg 〈−1, 5, add〉
pclNNeg 〈1, 5〉
rNeg
′ 〈−1, 5, add〉
selNNeg 01
Fig. 4.21b.Parcel and control environments.































Fig. 4.22b.Parcel and control
environments.











































rNeg 〈−1, 5, add〉





Fig. 4.24b.Parcel and control environments.
























Fig. 4.25b.Parcel and control
environments.






Our example illustrates the concept of parcel step. The parcel is a groupof parcel variables, register,
combinational and next-state — in the case when the parcel incorporates a registe variable that is
being assigned a constant orchoice. The parcel step is a record of the parcel’s transformation in
one pipeline step. The fan-out graph of the parcel shows the propagation of the parcel’s values and
the two environments, parcel and control, document the computations of the datapaths.
4.4 Parcel Steps
A parcel computation consists of a sequence of parcel steps, each such step occurring within a
corresponding pipeline step. A parcel step consists of the parcel’s current state, transition label and
next state.
The state of a parcel is a substate of the pipeline model. It is defined as an environment over parcel
registers. The state ofp is qPA ∈ PEnv(RegPcl) such that:
qPA = qP | p ∩ RegPcl
Since the domain ofqP does not contain combinational variables, we haveqP | p ∩ RegPcl= qP | p
and therefore we can write
qPA = qP | p
If a parcel contains no registers then its state is the empty environment∅.
4.4.1 Definition(Parcel Step). A parcel step of parcelp ⊆ Vpcl ∪ NextRegPclis a triplet(qPA, tPA, qPA′):
• qPA ∈ PEnv(RegPcl) is the parcel’s current state.
• qPA
′ ∈ PEnv(RegPcl) is the parcel’s next state.
• tPA = 〈〈Nodes,Succ〉, epcl , ectrl 〉 is the step label.
• 〈Nodes,Succ〉 is a fan-out graph.
• roots〈Nodes,Succ〉 = p
• epcl ∈ Env(Nodes ∩ CombPcl)
• ectrl ∈ PEnv(Vctrl )
• domqPA = Nodes ∩ RegPcl
• domqPA′ = { v | v ′ ∈ Nodes ∩ NextRegPcl}
80
• Nodes contains all the parcel arguments of the referenced datapaths.
⋃
dp∈datapaths〈Nodes,Succ〉
Arg(dp.Vpcl ) ⊆ Nodes (4.1)





A parcel step corresponds to the propagation and transformation of the parc l’s values through the
variables and datapath instances in its fan-out. Propagation consists of copying through variables
and datapath transformations. The transition label of the parcel step describes the parcel between the
two endpoints, its current and next state and captures the behaviour of the datapaths that transform
the parcel. The label consists of a tuple〈fanOutp, epcl , ectrl 〉 whereepcl andectrl are parcel, and
respectively, control environments over the variables in the fan out of the parcel. The transition label














Figure 4.26: Parcelp = { r1, r2 } can have up to 8 distinct fan-out graphs.
We use the pipeline model in Figure 4.26 to illustrate the need to have the parcel’sfan-out graph
on the transition label. The parcelp = { r1, r2 } can propagate into registerr3 in 2 × 2 × 2 = 8
different ways, given that for each datapath there are two differentways to select its input argument.
At a minimum, the label of the parcel’s transition should describe the arguments toeach datapath in
81
terms of values derived transitively from the parcel’s values. In our example, the conditions on the
edges of the fan-out graph of the parcel, i.e. the mux select signals, may depen on control variables
that are not derived from the parcel.
In a pipeline step, the parcel’s values move through combinational datapathsand parcel variables,
the results of which propagate into next state parcel registers, which in turn, denote the next state
of the parcel parcel. For a parcelp the parcel step contained in the pipeline model step is a triplet
(qPA, tPA, qPA
′) such that:
• qPA is the parcel’s current state.
• tPA is the step label.
• qPA
′ is the parcel’s next state:
qPA
′ = qP
′ | { v | v ′ ∈ p∗ ∩ NextRegPcl}
• tPA = 〈fanOutp, epcl , ectrl 〉 where:
– epcl ∈ Env(p∗ ∩ CombPcl) is defined by:
epcl = tP | p∗ ∩ CombPcl= tP | CombPcl





ectrl (v) = (qP ∪ tP)(v)
The parcel’s next state is obtained by projecting out the pipeline’s next state over the next-state
registers in the parcel’s fan-out. The parcel environment is obtained byprojecting out the pipeline
transition label with respect to the combinational variables in the parcel’s fan-out. The control
environment is defined over the actual parameters for input and output control variables of the
datapaths referenced by the fan-out graph. For each variable in its domain, the control environment
returns its value in the pipeline step.
Given a parcelp, we denote its next state bypclNextStatep. The transition label of the correspond-
ing parcel step is denoted bypclTransp. The step itself is denoted bypclStepp.




P), shown in Figure 4.27.













rNeg 〈−1, 5, add〉





Fig. 4.27b.Parcel and control environments.
rNeg = 〈−1, 5, add〉






Figure 4.27: Parcel step for parcelpC.
tPA = 〈fanOutp, epcl , ectrl 〉
qPA
′ = q5P | rAdd
= 〈1, 5〉
epcl (pclPNeg) = 〈−1, 5, add〉
epcl (pclNNeg) = 〈1, 5〉
ectrl (selNNeg) = 01
The parcel step forpC is described graphically in Figure 4.27c. The transition label is described
by a set of assignments that can be used to infer the fan-out graph, the parc l and the control
environments.
The natural generalization of a parcel step contained in a pipeline step is to remove the context of
the pipeline step(qP, tP, q′P) and use standalone environmentsepcl andectrl . The parcel environment
83





) must implement value copying correctly:
∀ (vl, b, vk) ∈ (fanOutp).Succ. vl 6∈ PclP
=⇒













A parcel automaton is a labeled transition system defined by parcel steps. The transitions of the
parcel automaton have form(qPA, tPA, qPA′) for a parcel step(qPA, tPA, qPA′′) such thatqPA′ ⊆ qPA′′.
4.5.1 Definition(Parcel Automaton). A parcel automaton is a labeled transition system〈QPA,RPA,TPA, IPA〉
such that:
• QPA ⊆ PEnv(RegPcl) ∪ { finalPA }.
• TPA consists of a subset of parcel step labels and the empty transition label∅.
• RPA ⊆ QPA × TPA × QPA consists of a set of parcel transitions:
{ (qPA, tPA, qPA
′) | qPA
′ 6= ∅ ∧ ∃ qPA
′′. qPA
′ ⊆ qPA
′′ ∧ (qPA, tPA, qPA
′′) is a parcel step} ∪
{ (qPA, tPA, finalPA) | ∃ qPA′. (qPA, tPA, qPA′) is a parcel step}
• (finalPA, ∅, finalPA) ∈ RPA
• IPA ⊆ QPA.
We denote the set of parcel automata for a given pipeline modelPip by Pa(Pipe).
The parcel automaton described in Figure 4.28 and Figure 4.29 models the parcel computation for
parcelpA in our example. In the first step, we havepA = { vi }. Since the parcel consists of a
combinational variable, its state is∅. By reading the label on the outgoing transition from state
∅ we infer that the parcel propagates through theSub datapath into registerrNeg . The datapath
control inputs and outputs are highlighted on the transition label. TheSub datapath has the control
outputselN Sub = 001. The second transition describes the movement of the parcel through the
Neg datapath intorMult1. The assignmentrMult2′ := resetMult assigns〈0, 0〉 that denotes an 8-bit
number and a 4-bit one. The remaining two transitions of the parcel automatonconclude the parcel
computation. In the last transition, the automaton reaches the final state denoted by finalPA, from










rMult1 = 〈40, 5〉









rMult1 = 〈40, 5〉
rMult2 = 〈a × c = 8 × 5, low(bc) = 10〉
rNeg = 〈−40, 5, mult〉
∅
rMult1 = 〈40, 5〉
rMult2 = 〈0, 0〉
vi = 〈−30, 10, 5, mult〉
pclPSub = vi
selN Sub = 001
rNeg





Figure 4.28: Parcel automaton for parcelpA.





P), previously described in Figure 4.21. During a stall, the state of the parcelutomaton
does not change.
85
rMult1 = 〈40, 5〉















rNeg 〈−1, 5, add〉
pclPNeg 〈−1, 5, add〉
pclNNeg 〈1, 5〉
rNeg
′ 〈−1, 5, add〉
selNNeg 01
Fig. 4.30b.Parcel and control environments.





Fig. 4.30c.Parcel transition for a stall.






rAdd = 〈246, 5〉
∅
vi = 〈10, 20, 5, add〉
pclPSub = vi
selN Sub = 001
rAdd




Figure 4.31: Parcel automaton illustrating an unreachable parcel computation.
87
Parcel automata can also describe computations that do not correspond to actual p rcel computa-
tions in the pipeline model. In parcel computations embedded in pipeline computations control
dependencies between control variables are determined by assignments.In the computations of a
parcel automaton, control variables are free and such dependenciesmay not be preserved. The par-
cel automaton in Figure 4.31 describes a parcel computation that is not reachable inDiffAddMult.
The condition on the fan-out edge(pclN Sub , accAdd ,Sub , rAdd
′) is not true whenselN Sub = 001. In
the parcel automaton the variableaccAdd ,Sub appears to be independent ofselN Sub . The addition
operation interprets the tuple〈−10, 5〉 as a pair of two positive 8-bit numbers. In two’s complement
−10 is represented as256− 10 which leads to the addition producing the result246 + 5.
We can characterize parcel steps(qPA, 〈fanOutp, epcl , ectrl 〉, qPA′) that are consistent with the be-
haviour of the pipeline datapath. The inputs and output arguments of each datapath instance that
appears in a parcel step must be transformed according to a step of the corresponding datapath. For
each datapath instance there exists a step such that the input and output variables on its transition
label are the same as the arguments provided by the environmentepcl ∪ ectrl .
∀ dp ∈ datapaths(fanOutp).
∃ (qD, tD, q
′
D) ∈ LTS(dp.C).RC.
∀ v ∈ dp.Vpcl ∪ dp.Vctrl .
(ectrl ∪ epcl )(Arg(v)) = tD(v)
(4.4)
When Equation 4.4 holds, we say the transition satisfies value propagation through the datapath.
4.5.2 Definition. Consistent Parcel Automaton We call a parcel automatonconsistentif its transi-
tions satisfy value propagation through the pipeline datapaths.
Inconsistent parcel automata are also possible. For instance, the parcel automaton in Figure 4.32 is
perfectly legal even though the subtraction produces the incorrect resul 〈4, 2〉 instead of〈5, 2〉.
4.6 Abstractions Of Parcel Automata
Datapath abstraction replaces the concrete datapaths with abstract ones that r tain the control visible
behaviour of the datapath. The partial orders on parcel automata such asimulation and language
containment provide our definition of control visible datapath behaviour.
When comparing concrete values to abstract values we must provide the same context. The context
is given by the registers that hold the parcel’s values and the fan-out graph that specifies how the
values propagate. We define the label of parcel automaton states and transitions so that the con-
texts of the values and behaviours they represent are the same. Since thecontrol visible datapath
88
rAdd = 〈4, 2〉
∅
vi = 〈10, 5, 2, add〉
pclPSub = vi
selN Sub = 010
rAdd




Figure 4.32: Parcel automaton showing inconsistent datapath behaviour.
behaviour that we are abstracting for appears on the edges of the parcel automaton, the label of the
parcel automaton edge must also contain the values of the control variablesthat appear on the edges
the fan-out of the parcel.
In the remainder of the thesis we use the following notation for the concrete and abstract parcel
automata:
pac = 〈QPAc ,RPAc ,TPAc , IPAc〉
paa = 〈QPAa ,RPAa ,TPAa , IPAa〉
Therefore, parcel states have the same label if they are defined over the same set of register vari-
ables. Transitions have the same label if their fan-out graphs and control e vironments coincide.
According to the definition of abstract interpretation of pipeline models present d i Section 3.3,
the ITE expressionsec and respectively,ea that are assigned to a parcel variablev satisfy the con-
dition ec ≈ai ea: occurrences of concrete constants inec may be replaced by abstract constants in
ea. We employ ‘≈ai ’ to define equivalence of fan-out graphs.
We use the notation
tPAc = 〈fgc , epclc , ectrlc〉
tPAa = 〈fga , epcla , ectrla〉
89
We denote label equality for both states and transitions using the operator ‘=PA’:
qPAc =PA qPAa ≡ (domqPAc = domqPAa) ∨ (qPAc = finalPAc ∧ qPAa = finalPAa) (4.5)





∀ (ec, b, v) ∈ fgc .Succ. ∃ (ea, b, v) ∈ fgc .Succ. ec ≈ai ea
∧










In Equation 4.6 the comparison of the fan-out graphs is made modulo ‘≈ai ’: the fan-out graphs
are identical with the exception of constants. In that equationec andea may only be constants or
variables.
We say an abstract parcel automaton is consistent with respect to constants if he abstract fan-out
edges corresponding to a concrete fan-out edge(wc, b, v) are all identical to(wa, b, v). If the parcel
automaton is consistent with respect to constants, then in abstract interpretation, the constantwc is
replaced bywa.
Figure 4.33 and Figure 4.34 describe an abstract parcel automaton that represents parcel compu-
tations of an abstraction of theDiffAddMult pipeline model. The abstract modelDiffAddMulta
is defined as an abstract interpretation of the concrete one. We denote theabstract datapaths by
Suba, Nega, Adda, Multa. From the parcel automaton we infer that the datapathSuba is non-
deterministic:
pclPSub selN Sub pclN Sub1 pclN Sub2
α0 010 α2 α2
α0 001 α1 α1
α0 100 α4 α4
Abstract multiplication is also non-deterministic. We use ‘*** ’ to denote any constant inB3. When
the parcel automaton is in the abstract stateqPAa defined by
qPAa(rMult1) = α6
qPAa(rMult2) = α7
it can non-deterministically remain in the same state for an arbitrary number of transitions under





selN Sub = 001
rNeg
′ = pclN Sub1








selN Sub = 010
rAdd
′ = pclN Sub2
pclN Sub1 = α2
vi = α0
pclPSub = vi
selN Sub = 100
rMult1
′ = pclN Sub2















































′ = rAddrAdd = α2
Figure 4.34: Abstract parcel automaton (continuation).
the end of the multiplication. Intuitively, the abstract parcel automaton has equivalent computations
to each of the parcel computations described in Section 4.3.
Simulation on parcel automata is a simulation between labeled transition systems that preserves
label equality on states and transitions.
4.6.1 Definition (Simulation Of Parcel Automata). A simulation relationSPA ⊆ QPAc × QPAa
between the two labeled transition systems is a parcel automata simulation relation if:
• SPA respects the state labeling:
∀ qPAc . ∀ qPAa . (qPAc , qPAa) ∈ SPA =⇒ qPAc =PA qPAa (4.7)




















SPA =⇒ tPAc =PA tPAa (4.8)
• SPA satisfies the property:
∀ qPAc . ∀ qPAa . (qPAc , qPAa) ∈ SPA =⇒
∀ vars ⊆ domqPAc . (qPAc | vars, qPAa | vars) ∈ SPA
(4.9)
92
Equation 4.9 in the definition of simulation of parcel automata is demanded by the fact that parcel
automata states are composites. A transition(qPA1, tPA, qPA′) ∈ RPA corresponds to a parcel step
which uses only the current state registers inqPA1. It is therefore semantically correct to have the
transition(qPA2, tPA, qPA′) for any superstateqPA1 ⊆ qPA2. It is also possible that given a substate
qPA2 ⊆ qPA1 the transition(qPA2, tPA, qPA′) is still well defined. In both cases, such transitions,
though allowed under the definition of the parcel step, might not be part ofRPA. This is exactly the
reason for which Equation 4.9 compensates.
4.6.2 Definition. We call a parcel automatonclosedif it satisfies the following two conditions:
• For each transition(qPA1, tPA, qPA′) ∈ RPA, the transition relationRPA contains all the similar
well-defined transitions of both substates and superstatesqPA2 of qPA1:
∀ (qPA1, tPA, qPA
′) ∈ RPA.(
∀ qPA2 ∈ QPA.
qPA2 ⊆ qPA1 ∧ (qPA2, tPA, qPA
′) is legal =⇒ (qPA2, tPA, qPA′) ∈ RPA)
)
∧(
∀ qPA2 ∈ QPA.




• For each transition(qPA, tPA, qPA′) ∈ RPA, the transition relationRPA contains all transitions






′′ 6= ∅ ∧ qPA
′′ ⊆ qPA
′ =⇒ (qPA, tPA, qPA
′′) ∈ RPA
Closing a parcel automaton is a syntactic operation. It does not add new datapath behaviours.
The following proposition states that we do not need Equation 4.9 in the definition of simulation for
parcel automata if the parcel automata satisfy Equation 4.10.
4.6.3 Proposition. If pac andpaa satisfy Equation 4.10 and there exists a simulation relationSPA
that satisfies Equation 4.7 and Equation 4.8 from the definition of simulation for parcel automata,
then we can defineSPA1 by extendingSPA such thatSPA1 is a simulation for parcel automata.
Proof. We defineSPA1 as follows:
‘
SPA1 ≡ SPA ∪ { (qPAc , qPAa) |∃ (qPAc 1, qPAa 1) ∈ SPA. ∃ vars ⊆ domqPAc 1.
vars 6= ∅ ∧ qPAc = qPAc 1 | vars ∧ qPAa = qPAa 1 | vars }
(4.11)
93
By construction,SPA satisfies Equation 4.9. It also preserves labeling of states (Equation 4.7).We





















Case 1(qPAa , qPAc) ∈ SPA. Equation 4.12 is equivalent to Equation 4.13 which holds becauseSPA





















Case 2According to Equation 4.11 there existqPAc 1 ∈ QPAc , qPAa 1 ∈ QPAa andvars ⊆ domqPAc 1
such thatqPAc = qPAc 1 | vars andqPAa = qPAa 1 | vars. Sincepac is closed we have(qPAc 1, tPAc , qPAc
′) ∈























(qPAc , tPAc , qPAc
′) ∈ RPc
(qPAa 1, tPAa , qPAa
′) ∈ RPa
qPAa ⊆ qPAa 1
it follows that the transition(qPAa , tPAa , qPAa ′) is well defined and sincepaa is closed we have
(qPAa , tPAa , qPAa
′) ∈ RPAa (4.15)
Combining Equation 4.15 with the fact thatSPA ⊆ SPA1 we obtain Equation 4.12.
94
Simulation holds between the abstract parcel automaton and the concrete parcel automaton in Fig-
ure 4.28 and Figure 4.29 that models the concrete parcelpA. The simulation relationSPA is defined
by the following concrete-abstract pairs:
Concrete Abstract
∅ ∅
rNeg = 〈−40, 5, mult〉 rNeg = α1
rMult1 = 〈40, 5〉 rMult1 = α4
rMult2 = 〈0, 0〉 rMult1 = α5
rMult1 = 〈40, 5〉 rMult1 = α6
rMult2 = 〈a × c = 8 × 5〉 rMult2 = α7
rMult1 = 〈40, 5〉 rMult1 = α6
rMult2 = 〈a × c = 8 × 5, low(bc) = 10〉 rMult2 = α7
finalPA finalPA
Language containment is defined with respect to the state and transition labelsof the parcel au-






Two runsσPAc ∈ L(pac) andσPAa ∈ L(paa) are equivalent if they specify states and transitions
that have the same label. We overload the ‘=PA’ operator to denote equivalent runs:









Language containment is defined using run equivalence:
L(pac) ⊆PA L(paa)
≡
∀ σPAc ∈ L(pac). ∃ σPAa ∈ L(paa). σPAc =PA σPAa
Recalling the example used for simulation between parcel automata, for the runof the parcel au-






selN Sub = 001
rNeg

































Figure 4.35: Abstract equivalent run corresponding topA.
96
4.7 Abstract Interpretation Using Parcel Automata
In this section, we describe how we can obtain abstract interpretations of the concrete pipeline model
using abstract parcel automata. In the previous sections, parcel automata were used to represent
datapath behaviour of the pipeline model. In this section, we examine how the datapath behaviour
represented by parcel automata can be used to define datapath circuits. As a direct application,
abstract interpretations of the concrete pipeline model can be obtained by driving abstract datapaths
from abstract parcel automata.
We recall the equation that was used to define a consistent parcel step(qPA, 〈fanOutp, epcl , ectrl 〉, qPA′):
∀ dp ∈ datapaths(fanOutp).
∃ (qD, tD, q
′
D) ∈ LTS(dp.C).RC.
∀ v ∈ dp.Vpcl ∪ dp.Vctrl .
(ectrl ∪ epcl )(Arg(v)) = tD(v)
(4.16)
Equation 4.16 characterizes parcel automaton transitions in terms of datapathbeh viour. By refor-
mulating it, we characterize datapath behaviour in terms of the parcel automaton. We use the parcel
automaton to define the transition relationRD of a labeled transition system that corresponds to a
combinational datapathdp. The transition relationRD is the union of all datapath behaviours that
are specified in the parcel transitions of the parcel automaton:
RD ≡{(∅, tD, ∅) |
∃ (qPA, 〈fg , epcl , ectrl 〉, qPA
′) ∈ RPA.
dp ∈ datapaths(fanOutp) ∧ ∀ v ∈ dp.Vpcl ∪ dp.Vctrl .
tD(v) = (ectrl ∪ epcl )(Arg(v)) }
(4.17)
We illustrate Equation 4.17 using the abstract parcel automaton in Figure 4.33.There are three
transitions of the abstract parcel automaton that mention arguments to theSub datapath. We write
RSub ≡ { (∅, t1, ∅), (∅, t2, ∅), (∅, t3, ∅) }




t1(selN Sub) = 010
t1(pclN Sub1) = α2







t2(selN Sub) = 001
t2(pclN Sub1) = α1







t3(selN Sub) = 100
t3(pclN Sub1) = α4




1 type in ty is {α0 };
2 type out ty is {α1, α2, α4 };
3
4 ckt Suba(pclP : in ty)(pclN 1 : out ty, pclN 2 : out ty, selN : bitvec[2])
5 var
6 case : 1 .. 3;
7 assign
8 case :=choice;
9 pclN 1 :=
10 if case == 1then α2
11 else ifcase == 2then α1
12 elseα4;
13 pclN 2 :=
14 if case == 1then α2
15 else ifcase == 2then α1
16 elseα4;
17 selN :=
18 if case == 1then 010
19 else ifcase == 2then 001
20 else100;
21 end
Figure 4.36: Circuit equivalent toRSub .
The transition relationRSub is represented by the circuit in Figure 4.36. We can similarly obtain
the circuitsNega, Adda andMulta that are characterized by the transitions of the abstract parcel
automaton. We have arrived at the point where we can use the abstract pa cel automaton to give an
abstract interpretation of the concrete pipeline datapath. We denote the datapaths created from the





The abstract parcel automaton defines the abstract datapaths. To perform an abstract interpretation
we also replace occurrences of constants in the concrete expressionsby ab tract counterparts. If the




Parcel automata formalize the behaviour of groups of related data values,called parcels, with re-
spect to the pipeline datapath. Abstract parcel automata lead to the definition of abstract datapaths
which are used to create abstract pipeline models using abstract interpretation. The conditions and




Section 5.1 presents parcel maps and the concept of parcel independenc that allows the runs of
the pipeline model to be decomposed into runs of the parcel automaton. Section5.2 describes the
obligations needed to prove a parcel map satisfies the conditions of parcelindependence. Section 5.3
presents additional requirements that must hold of the concrete pipeline model in order to apply
abstraction using parcel automata. The soundness of abstraction using parcel automata is proven in
Section 5.4.
5.1 Parcel Independence
In the previous chapter we described parcel automata as a formalism for the representation of parcel
computations. One of the examples showed the simultaneous parcel computations that were taking
place in the first few steps of a pipeline computation of theDiffAddMult model. Parcel indepen-
dence is a property of pipeline computations that states that the computations can be decomposed
into parcel computations that interact only through control variables. Theparcel computations are
independent of each other if they do not simultaneously use the same parcel variables or datapaths.
In the following we formalize the decomposition of pipeline runs into independent parcel compu-
tations. We first define the decomposition of a pipeline step into parcel steps and then state the
condition under which the parcel steps form parcel computations. Our appro ch uses a function
PclMap : RP → P(P(Vpcl ∪ NextRegPcl))
that returns the set of disjoint parcels at each step of the pipeline model. There are three properties
that the parcel map must satisfy.
100
• Every parcel variable belongs to a parcel’s fan-out.
∀ (qP, tP, q
′
P) ∈ RP.
∀ v ∈ Vpcl ∪ NextRegPcl. ∃ p ∈ PclMap (qP, tP, q
′
P). v ∈ p
∗
(5.1)
• Datapaths transform only one parcel at a time.
∀ (qP, tP, q
′
P) ∈ RP.
∀ dp ∈ Dps. ∀ p1 ∈ PclMap (qP, tP, q
′
P). ∀ p2 ∈ PclMap (qP, tP, q
′
P).
Arg(dp.PclP) ∩ p∗1 6= ∅ ∧ Arg(dp.PclP) ∩ p
∗
2 6= ∅ =⇒ p1 = p2
(5.2)
• The state of a parcel in the current step is part of the next state of a parcel in the previous step.












P) ∈ RP =⇒











The first two properties of parcel maps ensure that the datapath computations in a pipeline step
decompose into disjoint parcel steps. Since parcels are disjoint, the only way their fan-outs could
not be disjoint is if two input arguments of a datapath were to be in the fan-outof distinct parcels.
The inductive application of the third property ensures that parcel stepsar connected into parcel
computations.
parcel condition
{ vi } ¬accMult ,Sub
{ vi , rMult2
′ } accMult ,Sub
{ rNeg } ¬accMult ,Neg
{ rNeg , rMult2
′ } accMult ,Neg
{ rNeg
′ } ¬(accNeg ,Sub ∨ stallNeg)
{ rAdd } true
{ rAdd
′ } ¬(accAdd ,Sub ∨ accAdd ,Neg ∨ stallAdd )
{ rMult1, rMult2 } true
{ rMult1
′, rMult2
′ } ¬(accMult ,Sub ∨ accMult ,Neg ∨ accMult ,Mult)
Figure 5.1: Parcel map forDiffAddMult.
For DiffAddMult the parcel map is defined in Figure 5.1. In the figure, a given parcelp belongs
101










P) |= (¬accMult ,Sub) ∧ (accMult ,Neg) ∧ (¬(accNeg ,Sub ∨ stallNeg))





P) = { { vi }, { rNeg , rMult2
′ }, { rNeg
′ }, { rAdd }, { rMult1, rMult2 } }
Examining the three properties satisfied by parcel maps we notice that the lasttwo hold vacuously
for singleton parcels. Thus they are automatically satisfied by parcel maps that only return singleton
parcels. In addition, if every datapath has at most one input parcel variable, then the pipeline model
is guaranteed to have a parcel map. We define a parcel map which returnssingleton parcels and thus
only needs to satisfy the first property. The singleton{ v } is a parcel if it is not in the fan-out of
another parcel variable:



















The existence of a parcel map for a pipeline model allows us to perform datapath bstraction using
parcel automata. A parcel map induces a parcel automaton which we use to reason about datapath
abstractions. The transitions of the automaton correspond to the parcel steps induced by the parcel
map.
5.1.1 Definition (Parcel Automaton Induced by Parcel Map). A parcel mapPclMap induces a
parcel automatonpa(Pipe,PclMap) = 〈QPA,RPA,TPA, IPA〉 as follows:
QPA = { qPA | qPA ∈ PEnv(RegPcl) } (5.5)
RPA = { (finalPA, ∅, finalPA) } ∪
{ (qPA, tPA, qPA
′) |
∃ (qP, tP, q
′
P) ∈ RP. ∃ p ∈ PclMap (qP, tP, q
′
P).
qPA = qP | p ∧ tPA = pclTransp ∧ qPA
′ ⊆ pclNextStatep } (5.6)
IPA = { ∅ } ∪ { qPA | ∃ (qP, tP, q
′
P) ∈ RP. qP ∈ IP ∧
102
∃ p ∈ PclMap (qP, tP, q
′
P). qPA = pclStatep } (5.7)
5.2 Verification Of Parcel Independence
In this section we describe how we can state the three properties of well-define maps into proposi-
tional logic. For each property, we describe a propositional formula thatis a autology if and only if
the property is true.
We use an equivalent representation of the parcel map
PclMapalt : RP → Vpcl ∪ NextRegPcl→ { 0, . . . , |Vpcl ∪ NextRegPcl| }
so that a parcel variable maps to a non-zero value if it belongs to a parcel
∀ (qP, tP, q
′
P) ∈ RP.
∀ v ∈ Vpcl ∪ NextRegPcl.
PclMapalt (qP, tP, q
′
P) v 6= 0 ⇐⇒ ∃ p ∈ PclMap (qP, tP, q
′
P). v ∈ p
and two parcel variables map to the same non-zero value if they belong to the same parcel.
∀ (qP, tP, q
′
P) ∈ RP.
∀ v1 ∈ Vpcl ∪ NextRegPcl. ∀ v2 ∈ Vpcl ∪ NextRegPcl.
PclMapalt (qP, tP, q
′
P) v1 6= 0 ∧ PclMapalt (qP, tP, q
′
P) v1 = PclMapalt v2
⇐⇒
∃ p ∈ PclMap (qP, tP, q
′
P). { v1, v2 } ⊆ p
Recall from Section 2.3 that the transition relationRC of a circuitC is represented by a propositional
formula formula(Elab(C ).Tr). For a pipeline model its transition relationRP is represented by the
formula formula(Elab(Pipe.C).Tr) which we designate by[RP]bool . This formula is defined over
current-state register variables, combinational variables and next-state registe variables, denoted in
order asVreg , Vcomb , VnextReg . To make explicit the variables that appear in the formula we write
it as[RP]bool (Vreg ,Vcomb ,VnextReg). Note that the set of variablesVcomb subsumes the set of input
parcel variablesInputPcl. We also letVstep stand forVreg ∪ Vcomb ∪ VnextReg .
The propositional formula that represents the parcel map is given by[PclMapalt ]bool (Vstep ,VpclMap),
whereVpclMap is in bijection with Vpcl ∪ NextRegPcland each variablepclMapv ∈ VpclMap
represents the valuePclMapalt (qP, tP, q
′
P) v . The semantics of the propositional representation is
103
summarized by the equation below:
∀ qP ∈ QP. ∀ tP ∈ TP. ∀ qP
′ ∈ QP. ∀ epclMap ∈ Env(VpclMap).





∪ epclMap) |= [RP]bool (Vstep) ∧ [PclMapalt ]bool (Vstep ,VpclMap)
⇐⇒
(qP, tP, qP
′) ∈ RP ∧ ∀ v ∈ Vpcl ∪ NextRegPcl. PclMapalt (qP, tP, q
′
P) v = epclMap(pclMapv )
Next, we describe how we represent the fan-out of parcels in propositional logic. We use the set of
fan-out variablesVfanOut in bijection with the setVpcl ∪ NextRegPclto represent for each parcel
variable the parcel that contains it in its fan-out. Thus,fanOutv = 0 means that the parcel variable
v is not in the fan-out of any parcel, whilefanOutv = n, with n 6= 0 means thatv ∈ p
∗ with
p = { v1 | PclMapalt (qP, tP, q
′
P) v1 = n }.
A parcel’s fan-out is derived transitively using fan-out edges. A fan-out edge(vl, b, vk) ∈ FanOutEdges
corresponds to the assignmentfanOutvk := fanOutvl . Since the assignment is performed only
whenb holds, the propositional formula for the fan-out edge becomes
b =⇒ (fanOutvk := fanOutvl)
Similarly, edges of form(w, b, vk), with w constant, and(choice, b, vk) are encoded as
b =⇒ (fanOutvk := pclMapvk)
Since every combinational and next-state register parcel variable is assigned, for each such variable
there must exist an incoming fan-out edge that is satisfied under any control e vironment.
The propositional formula that describes the fan-out of parcels is defined as follows:

























We formulate the first two properties of a well-defined parcel map as formulas of propositional
logic.
• Every parcel variable belongs to a parcel’s fan-out.






• Datapaths transform only one parcel at a time.









The third property, stated in Equation 5.3 can be reformulated as follows:
















∀ v1 ∈ RegPcl. ∀ v2 ∈ RegPcl.






P). { v1, v2 } ⊆ p2
=⇒








In order to state Equation 5.10 into an equivalent propositional logic formula, we need two copies
of each of the following sets of variables:Vstep , VpclMap andVfanOut . We will denote the two
copies ofV by V 1 andV 2. For v ∈ V we denote its two copies asv1 ∈ V 1 andv2 ∈ V 2. The
propositional formula for Equation 5.10 is defined below.
105















































5.3 Concrete Pipeline Models And Abstract Interpretation
In Section 3.3 we describe the general form of abstract interpretation ofpipeline models and in
Section 4.7 we explain how abstract parcel automata are used to derive abstract datapaths suitable
for abstract interpretation. In this section we examine the relationship between concrete and abstract
pipeline model states and transitions.
5.3.1 Assumptions About Initial States
We write the initial conditions of the concrete and abstract models as disjoint unions between the
set of assignments to control variables and the set of assignments to parcel variables.
Pipec .Init = Initctrl ⊎ Initpcl c
Pipea .Init = Initctrl ⊎ Initpcl a
In the abstract pipeline model any state that is a disjoint union of initial states ofhe parcel automaton
satisfies the initial parcel variable constraint.
∀ qPa ∈ QPa .(
∃ P ∈ P(RegPcl). RegPcl=
⊎
p∈P
p ∧ ∀ p ∈ P . qPa | p ∈ IPAa
)
=⇒ qPa |= Initpcl a
(5.12)
We require all abstract interpretations to satisfy Equation 5.12. We note thatEqu tion 5.12 holds
trivially if Initpcl a is empty.
106
The concept of induced parcel states is used to describe a property ofthe parcel map with respect
to initial concrete model states. It will also appear when we construct the simulat on between the
concrete and abstract pipeline models. Given a concrete pipeline model step(qPc , tPc , q′Pc) ∈ RPc
the parcel map induces a set of parcel automaton statesPclStates(qPc , tPc , q′Pc) ⊆ QPAc . We use
PclStatesqPc to denote the set of states defined as the union ofPclStates(qPc , tPc , q′Pc) over all steps
(qPc , tPc , q
′
Pc) from qPc .
PclStates(qPc , tPc , q′Pc) ≡ {pclStatep | p ∈ PclMap (qPc , tPc , qPc






PclStates(qPc , tPc , q′Pc)
We say that the parcel states are fixed in a stateqPc ∈ QPc if in all steps from stateqPc the parcel
map induces the same set of states:
∀ tPc 1. ∀ qPc 1. ∀ tPc 2. ∀ qPc 2.
(qPc , tPc 1, qPc 1) ∈ RPc ∧ (qPc , tPc 2, qPc 2) ∈ RPc
=⇒
PclStates(qPc , tPc 1, qPc 1) = PclStates(qPc , tPc 2, qPc 2)
(5.13)
Our proof of simulation between the abstract and concrete pipeline models reli s on Equation 5.13
to hold for initial states. We therefore provide a way to verify it by giving a translation into propo-
sitional logic. Equation 5.13 rewrites alternatively as follows:
∀ (qPc 1, tPc 1, q
′
Pc 1) ∈ RPc . ∀ (qPc 2, tPc 2, q
′
Pc 2) ∈ RPc .




∀ p1 ∈ PclMap (qPc 1, tPc 1, q
′
Pc 1).
p1 ∩ RegPcl6= ∅
=⇒
∃ p2 ∈ PclMap (qPc 2, tPc 2, q
′
Pc 2).




Equation 5.14 states that, for any two pipeline model steps from an initial stateqPc , the set of parcel
states of the former is a subset of the set of parcel states of the latter. Thisis equivalent to stating
that the sets of parcel states of any two pipeline model steps are the same andequ l toPclStatesqPc .
We show how Equation 5.14 expresses in term of the alternate representation of he parcel map
107
PclMapalt :
∀ (qPc 1, tPc 1, q
′
Pc 1) ∈ RPc . ∀ (qPc 2, tPc 2, q
′
Pc 2) ∈ RPc .








PclMapalt (qPc 1, tPc 1, q
′




PclMapalt (qPc 2, tPc 2, q
′




















































Theorem 5.3.1 states the mechanism by which a step of the concrete pipeline model is matched by
a step of the abstract model. We recall theAndOr example from Section 4.1. Figure 5.2 shows
a pipeline model commuting diagram that is derived on the basis of parcel autom ta commuting
diagrams. The parcel commuting diagrams describe abstract parcel stepsthat match the concrete
parcel steps that happen within one concrete pipeline model step. Given aconcrete pipeline model
state and a control equivalent abstract pipeline model state such that the prcel diagrams commute,
we can construct a matching abstract pipeline model step. The abstract pipeline model step is
constructed using the abstract pipeline automaton steps.











































Fig. 5.2b.Parcel commuting diagrams.
Figure 5.2:AndOr example.
Given
• (qPc , tPc , q
′
Pc) ∈ RPc
• qPa ∈ QPa
• paa ∈ Pa(Pipea)
• pclTransa : PclMap (qPc , tPc , q
′
Pc) → TPAa




• The pipeline statesqPc andqPa are control equivalent.
qPc =Vctrl qPa (5.18)
109
• The following diagram commutes:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
qPa | p pclNextStateap






























Furthermore,tPa andqPa ′ are constructed usingpclTransa , andpclNextStatea . LetpclTransa p =
(fga p , epcla p , ectrla p). The construction has the following properties:
∀ p ∈ PclMap (qP, tP, q
′
P).
∀ v ∈ p∗ ∩ CombPcl. tPa(v) = epcla p(v)
(5.21)
∀ p ∈ PclMap (qP, tP, q
′
P).
∀ v ′ ∈ p∗ ∩ NextRegPcl. qPa ′(v) = (pclNextStatea p)(v)
(5.22)
Proof. Equation 5.21 definestPa over parcel variables. Similarly, Equation 5.22 definesqPa ′ over
parcel variables. Since the diagram in Equation 5.20 commutes we also have:




Equation 5.21 and Equation 5.23 definetPa ∈ TPa over the combinational pipeline variables. Equa-
tion 5.22 and Equation 5.24 defineqPa ′ over the entirety of its domain. We must show thattPa
can be defined over the combinational instance variables so that(qPa , Pa , qPa ′) ∈ RPa . We apply
Proposition 2.3.16. Accordingly, we have two obligations:






)(v) = [[expra ]]qPa∪tPa
(5.25)
110
∀ dpa ∈ Pipea .Dps.
∃ (qDa , tDa , qDa
′) ∈ LTS(dpa .C).RC.
∀ v ∈ dpa .C.Vi ∪ dpa .C.Vo . tDa(v) = tPa(Arg(v))
(5.26)
Part 1 Consider ‘v := expra ’ ∈ Pipea .C.Tr. There are two cases depending on whetherv is a
control variable or a parcel variable.
Part 1a v ∈ (Vctrl ∩ Vc) ∪ (Vctrl ∩ Vr )′. SincePipea is an abstract interpretation andv is a
control variable we have
‘v := expra ’ ∈ Pipec .C.Tr (5.27)













[[expra ]]qPa∪tPa = [[expra ]]qPc∪tPc (5.29)






)(v) = [[expra ]]qPc∪tPc (5.30)
Equation 5.25 follows from Equation 5.28, Equation 5.29 and Equation 5.30.
Part 1b v ∈ CombPcl∪ NextRegPcl. According to Section 4.7,expra is an ITE parcel expression
that is either equal to a constant or contains onlychoice and parcel variables. Considerp ∈
PclMap (qPc , tPc , q
′
Pc) such thatv ∈ p
∗. We apply the commuting diagram in Equation 5.19 to
parcelp. Letting
pclTransp = (fgc p , epclc p , ectrlc p)
pclTransa p = (fga p , epcla p , ectrla p)
we have
fgc p = fga p (5.31)
ectrlc p = ectrla p
Case 1If expra reduces to a constantwa then the assignmentv := wa corresponds to an abstract
fan-out edge(wa, b, v) on the transitionpclTransa p such thatv ∈ p. Therefore


















which implies Equation 5.25.
Case 2If expra reduces tochoice
[[expra ]](qPa∪tPa )|Vctrl
= choice
then any environment satisfies the assignment ‘v := choice’.
Case 3The final case is whenexpra reduces tou ∈ Vpcl :
[[expra ]](qPa∪tPa )|Vctrl
= u
Consider the assignment ‘v := exprc ’ ∈ Pipec .C.Tr. Since(qPc ∪ tPc) | Vctrl
= (qPa ∪ tPa) |
Vctrl
andexprc ≈ai expra thenexprc must also reduce tou.
[[exprc ]](qPc∪tPc)|Vctrl
= u
Therefore,fgc p contains an edge of form(u, b, v) such that(qPc ∪ tPc) | Vctrl
|= b. Equation 5.31
implies that the same edge exists infga p . According to Equation 4.3 in the definition of a parcel
step we must have
epcla p(v) = epcla p(u) (5.32)






)(v) = epcla p(v) (5.33)
SincepclTransa p labels the transition from the parcel stateqPa | p we also have:
(qPa ∪ tPa)(u) = epcla p(u) (5.34)






)(v) = (qPa ∪ tPa)(u)
Part 2 Considerdpa ∈ Pipea .Dps. Let dpc ∈ Pipec .Dpsbe the corresponding datapath given by
the rules of abstract interpretation. There must exist a parcelp ∈ PclMap (qPc , tPc , q′Pc) such that
112
the input and output arguments ofdpc belong top
∗. The parcel’s step expresses as:
pclStepp =
(
qPc | p, pclTransp, pclNextStatea p
)
(5.35)
Applying the commuting diagram in Equation 5.19 to parcelp we have the matching step:
(




pclTransp = (fgc p , epclc p , ectrlc p)
pclTransa p = (fga p , epcla p , ectrla p)
we have
fgc p = fga p (5.37)
ectrlc p = ectrla p (5.38)
The parcel step in Equation 5.35, satisfies Equation 4.1 and Equation 4.2 in thedefinition of the
parcel step. Therefore, its fanout graphfgc p contains the parcel arguments ofdpc and the domain
of ectrlc p contains the control arguments ofdpc . Equation 5.37 and Equation 5.38 imply thatfga p
contains the parcel arguments ofdpa and that the domain ofectrla p contains the control arguments
of dpa . Therefore, the step in Equation 5.36 contains a computation ofdpa . Sincepaa is consistent
with respect toDpspaa , applying Equation 4.4 we get:
∃ (qDa , tDa , q
′
Da) ∈ LTS(dpa .C).RC.
∀ v ∈ dpa .Vpcl ∪ dpa .Vctrl .
(ectrla p ∪ epcla p)(Arg(v)) = tDa(v)
(5.39)
Since the parcel step in Equation 5.35 is part of(qPc , tPc , q′Pc) we have
ectrlc p ⊆ tPc | Vctrl
and also
ectrla p = ectrlc p
tPc | Vctrl
= tPa | Vctrl
113
Combining the last two steps we get
ectrla p ∪ epcla p ⊆ tPAa
which is used to rewrite Equation 5.39 to
∃ (qDa , tDa , q
′
Da) ∈ LTS(dpa .C).RC.
∀ v ∈ dpa .Vpcl ∪ dpa .Vctrl .
tPa(Arg(v)) = tDa(v)
which is the desired conclusion.
5.4 General Correctness
We present two correctness theorems that link abstraction of parcel autom ta to abstraction of
pipeline models. Theorem 5.4.1 states that simulation of parcel automata transfers to simulation
of pipeline models and Theorem 5.4.8 states the similar result for language containment.
5.4.1 Simulation








• The abstract automaton simulates the induced parcel automaton:
pa(Pipec ,PclMap) PA paa (5.41)
then
Pipec P Pipea (5.42)
Figure 5.3 describes the intuition behind Theorem 5.4.1. A pair of concrete and abstract states are
in the simulation relationSP if for each parcel state in the concrete pipeline model state, there exists
a corresponding abstract parcel state in the abstract pipeline model thatsimulates it. The parcel






































Fig. 5.3b.Parcel commuting diagrams.
Figure 5.3:AndOr example (simulation).
Proof. We defineSP by the equation
(qPc , qPa) ∈ SP ≡
(qPc =Vctrl qPa) ∧ (∀ qPAc ∈ PclStatesqPc . qPAc PA qPa | domqPAc
)
(5.43)
We need to showSP satisfies the commuting diagram in Equation 3.15 and the condition on initial
states in Equation 3.16 of Definition 3.2.1.
Commuting Diagram










































We then show that
(∀ qPAc
′ ∈ PclStatesqPc ′. qPAc ′ PA qPa






In order to apply Theorem 5.3.1 we need to provide
pclTransa : PclMap (qPc , tPc , q
′
Pc) → TPAa
pclNextStatea : PclMap (qPc , tPc , q
′
Pc) → QPAa
so that the following diagram commutes:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
qPa | p pclNextStateap









∀ p ∈ PclMap (qPc , tPc , q
′
Pc).(








Using Equation 5.43 and Equation 5.48 we infer that the following diagram commutes:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
qPc | p 6= ∅ =⇒


∃ tPAa ∈ TPAa .
∃ qPAa
′ ∈ QPAa .
qPa | p qPAa
′












Since∅ ∈ IPAc , using Equation 5.41 and Equation 5.48 we infer that the following diagram com-
mutes:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
qPc | p = ∅ =⇒


∃ tPAa ∈ TPAa .
∃ qPAa
′ ∈ QPAa .
∅ qPAa
′












SinceqPc | p = ∅ it means thatp contains no registers
qPAa = qPa | p = ∅ (5.51)
and therefore we can rewrite Equation 5.50:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
qPc | p = ∅ =⇒


∃ tPAa ∈ TPAa .
∃ qPAa
′ ∈ QPAa .
qPAa | p qPAa
′













Combining Equation 5.49 and Equation 5.52 we get:
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
∃ tPAa ∈ TPAa . ∃ qPAa
′ ∈ QPAa .
qPa | p qPAa
′







Using Equation 5.53 we can definepclTransa andpclNextStatea so that Equation 5.47 holds.
Initial States
Let qPc ∈ IPc . We show there existsqPa ∈ IPa so thatqPc P qPa .
On control variables, we must defineqPa so that the following equation holds:
qPc =Vctrl qPa (5.54)
SincePipea is an abstract interpretation ofPipec , in the two models the initial conditions with
respect to control variables are the same.
On parcel variables, we must defineqPa so that
∀ qPAc ∈ PclStatesqPc . qPAc PA qPa | domqPAc
(5.55)
SinceqPc ∈ IPc we havePclStatesqPc ⊆ IPAc . Therefore
∀ qPAc ∈ PclStatesqPc . ∃ qPAa ∈ IPAa . qPAc PA qPAa
Denoting the Skolem constant byf∃, the previous equation expresses as
∀ qPAc ∈ PclStatesqPc . qPAc PA f∃(qPAc)
Due to the condition that parcel states in initial states are fixed, as stated in Equation 5.14,PclStatesqPc
is a partition ofqPc . We can therefore defineqPa by the following equation:
∀ qPAc ∈ PclStatesqPc . qPa | domqPAc
= f∃(qPAc) (5.56)
118
Given that all abstract interpretations satisfy Equation 5.12, using Equation 5.56 we infer that
qPa |= Initpcl a (5.57)
Equation 5.54 and Equation 5.57 imply thatqPa |= Pipea .Init.
5.4.2 Language Containment
We say parcels duplicate if two distinct parcels at the current step are continuations of the same
parcel at the previous step.












P) ∈ RP ∧(
∃ p1 ∈ PclMap (qP, tP, q
′













p2 6= p3 ∧ pclStatep2 ⊆ pclNextStatep1 ∧ pclStatep3 ⊆ pclNextStatep1
)
(5.58)
Equation 5.58 is reformulated equivalently to Equation 5.59.












P) ∈ RP ∧(













P) v2) ∧ v1
















































We can therefore verify parcel separation using a Boolean solver.
119
We formalize the parcel automaton runs that occur within a pipeline model runσP ∈ L(Pipe). In
order to find the parcels that belong to the same run we define the partial order ‘≪
σP
’ on the parcels
of the pipeline run so that ‘≪
σP
’ corresponds to the transitive closure of the relationship of a parcel
continuing another. When parcels do not duplicate, every parcel in the pipeline run belongs to a
unique maximal chain (totally ordered subset) of ‘≪
σP
’. Each such maximal chain in turn corresponds
to a run of the parcel automaton.
5.4.2 Definition(Parcel Order). We define the relation<
σP
over the set(P(Vpcl ) \ ∅) × N:
(pn, n) <
σP
(pn+1, n+ 1) ≡




P ) ∧ p














’ is by definition transitive and reflexive. To show the relation is also antisymmetric,
consider
(pn1 , n1) ≪
σP
(pn2 , n2) (5.62)
(pn2 , n2) ≪
σP
(pn1 , n1) (5.63)
We must haven1 ≤ n2 andn2 ≤ n1 and son1 = n2. The only possibility is to also havepn1 = pn2 .
Given the run in Figure 5.4 of theAndOr example, first described in Section 4.1, we have:
({ r1 }, 0) <
σP
({ r2 }, 1)
({ r2 }, 0) <
σP
({ r3 }, 1)
({ vi }, 0) <
σP
({ r1 }, 1)
({ vi }, 0) ≪
σP
({ r2 }, 2)
Let (pn, n) ∈ (P(Vpcl ) \ ∅) × N. We make the following two observations.
1. If parcels do not duplicate then(pn, n) has at most one successor in Equation 5.61.











































c = 01 v = 0
c = 01 v = 1
c = 01 v = 1
c = 01 v = 1
Figure 5.4:AndOr Computation.
5.4.3 Definition (Chain). C ⊆ P((P(Vpcl ) \ ∅) × N) is a chain of≪
σP
if any two elements are
comparable:
∀ (pn1 , n1) ∈ C . ∀ (p
n2 , n2) ∈ C . (p
n1 , n1) ≪
σP
(pn2 , n2) ∨ (p
n2 , n2) ≪
σP
(pn1 , n1) (5.64)
A chainC is maximal if it does not occur as a strict subset of another chain.
For our example in Figure 5.4, some examples of maximal chains are:
({ r1 }, 0) <
σP
({ r2 }, 1) <
σP
({ r3 }, 2)
({ r2 }, 0) <
σP
({ r3 }, 1)
({ vi }, 0) <
σP
({ r1 }, 1) <
σP
({ r2 }, 2) <
σP
({ r3 }, 3)
121
5.4.4 Proposition. If parcels do not duplicate then every element of the set(P(Vpcl ) \ ∅) × N
belongs to a unique maximal chain of ‘≪
σP
’. For (pn, n) ∈ (P(Vpcl ) \ ∅) × N we denote the
corresponding maximal chain bychain(pn, n).
Proof. ExistenceWe define:
chain(pn, n) ≡{ (pn−k, n− k) | (pn−k, n− k) ≪
σP
(pn, n) }
∪ { (pn+k, n+ k) | (pn, n) ≪
σP
(pn+k, n+ k) }
(5.65)
We need to showchain(pn, n) is a chain. Consider two distinct elements
(pn1 , n1) ∈ chain(pn, n)
(pn2 , n2) ∈ chain(pn, n)
We have to show that either of the following holds:
(pn1 , n1) ≪
σP
(pn2 , n2)

















by transitivity we get the desired conclusion. Consider the case when
(pn1 , n1) ≪
σP
(pn, n)




Therefore, we must have:
(pn1 , n1) = a0 <
σP






(pn2 , n2) = b0 <
σP






We show that eithera0 ∈ { b0, . . . , bj } or b0 ∈ { a0, . . . , ai }. Assume by contradiction that that
















is treated similarly, arriving to a contradiction of our second observation.
UniquenessIf C is a chain containing(pn, n) then according to Equation 5.65 we must have
C ⊆ chain(pn, n). SinceC is maximal we must haveC = chain(pn, n).
For our example, the set of maximal chains to which every element(pn, n) belongs to is described
as follows:
({ r1 }, 0) <
σP
({ r2 }, 1) <
σP
({ r3 }, 2)
({ r2 }, 0) <
σP
({ r3 }, 1)
({ r3 }, 0)
({ vi }, n) <
σP
({ r1 }, n+ 1) <
σP
({ r2 }, n+ 2) <
σP
({ r3 }, n+ 3) , n ≥ 0
5.4.5 Proposition. If C ⊆ P((P(Vpcl ) \ ∅) × N) is a maximal chain of≪
σP
then:
• If C is finite thenC has form
C = { (pn, n), . . . , (pn+k, n+ k) } (5.66)
and
∀ j ∈ {n, . . . , n+ k − 1 }. (pj , j) <
σP
(pj+1, j + 1) (5.67)
123
• If C is infinite thenC has form
C = { (pn+k, n+ k) | k ∈ N } (5.68)
and
∀ k ∈ N. (pn+k, n+ k) <
σP
(pn+k+1, n+ k + 1) (5.69)
Proof. Since any two elements are comparable by≪
σP
and since the definition of<
σP
implies that if
(pn1 , n1) <
σP
(pn2 , n2) thenn1 < n2 thenC must have form:
(pn, n) ≪
σP
(pn+k1 , n+ k1) ≪
σP




k1 < k2 · · ·




5.4.6 Definition(Associated Parcel Automaton Run). Let
C = (pn, n) <
σP




runPA C : N → QPA × TPA
• C is infinite
runPA C j ≡ (q
n+j
P | pn+j , pclTransp
n+j) (5.70)
• C = (qnPA, n) <σP
· · ·<
σP
(qn+kPA , n+ k)




(qn+jP | pn+j , pclTransp
n+j) : j ≤ k










Figure 5.5: Associated parcel automaton run.
The associated run for the chain
({ vi }, 0) <
σP
({ r1 }, 1) <
σP
({ r2 }, 2) <
σP
({ r3 }, 3)
is shown in Figure 5.5.
5.4.7 Proposition. If C = (pn, n) <
σP
(pn+1, n + 1) <
σP
· · · is a maximal chain thenrunPA C ∈
L(pa(Pipe,PclMap)).
125









PA ) ∈ RPA (5.72)
q0PA ∈ IPA (5.73)
If C is infinite, runPA C is defined by Equation 5.70. Therefore, Equation 5.72 is equivalent to
(
qn+jP | pn+j , pclTransp
n+j , qn+j+1P | pn+j+1
)
∈ RPA
which holds because(pn+j , n+ j) <
σP
(pn+j+1, n+ j + 1).
If C = (qnPA, n) <σP
· · ·<
σP
(qn+kPA , n+ k) is finite thenrunPA C is defined according to Equation 5.71.
• j < k Equation 5.72 is equivalent to
(
qn+jP | pn+j , pclTransp
n+j , qn+j+1P | pn+j+1
)
∈ RPA
which holds because(pn+j , n+ j) <
σP
(pn+j+1, n+ j + 1).
• j = k Equation 5.72 is equivalent to
(




which holds because any parcel automaton state can transition to the final state.
• j > k Equation 5.72 is equivalent to
(finalPA, ∅, finalPA) ∈ RPA
which holds according to the definition of parcel automata.
Equation 5.73 is equivalent to
qnP | pn ∈ IPA (5.74)
We consider two cases:
• n = 0. In this caseq0P ∈ IP and thereforeq
0
P | p0 ∈ IPA according to the definition of the
induced parcel automaton.
• n > 0. We consider two subcases:
– pn ∩ RegPcl= ∅ It follows thatqnP | pn = ∅. Since∅ ∈ IPA, Equation 5.74 holds.
126
– pn ∩ RegPcl6= ∅ This leads to a contradiction sincepn must continue a parcelpn−1 in




P). We therefore have(p
n−1, n − 1) <
σP
(pn, n) which
contradicts the fact thatC is maximal sinceC ∪ { (pn−1, n− 1) } is a chain.







If the following conditions are met
1. Parcels do not duplicate inPipec .
2. Language containment of parcel automata.
L(pa(Pipec ,PclMap)) ⊆PA L(paa) (5.76)
then language containment of pipeline model holds:
L(Pipec) ⊆P L(Pipea) (5.77)
Figure 5.6 describes the construction we use in the proof of Theorem 5.4.8. We first identify the
maximal chains of≪
σP
, then, corresponding to each chain we have a concrete parcel automaton run.
For each such run there exists an equivalent abstract run. The abstract pa cel runs are used to create
the abstract pipeline model run.
Proof. Let σPc ∈ L(Pipec).
We need to show there existsσPa ∈ L(Pipea) such that
σPc =P σPa (5.78)
We will defineσPa : N → QPa × TPa by induction. We recall the notation


































c = 01 v = 1 finalPAc∅
<
σP





c = 01 v = 101 0001 01 finalPAc∅
<
σP






c = 01 v = 1 finalPAc∅
<
σP






c = 01 v = 0 finalPAc






v = 0 finalPAc




({ r3 }, 5)
α1 finalPAa
α2 α1
v = 0 finalPAa
α2α1 α1
c = 01 v = 0 finalPAa
β1 β2 β1
c = 01 v = 1
∅ finalPAa
c = 01 v = 1β1 β2 β1∅ finalPAa
β1 β2 β1
















({ vi }, 4) ({ r1 }, 5)
∅ α1
Figure 5.6: Construction in Theorem 5.4.8.
Forn ≥ 0 we will be applying Theorem 5.3.1 toqnPa and derivet
n
Pa ∈ TPa andq
n+1
Pa ∈ QPa such
128






















If Equation 5.79 holds inductively andq0Pa ∈ IPa thenσPa ∈ L(Pipea) and Equation 5.78 holds.




Pc ) we denote the parcel automaton run associated
with chainpn by σPAc pn :
σPAc pn ≡ runPA (chainpn)
According to Definition 5.4.6, if(pn, n) occurs on positionjn in its chain then
(σPAc pn)(jn) = (q
n
Pc | pn, pclTransp
n) (5.80)
SinceL(pa(Pipec ,PclMap)) ⊆P L(paa) there existsσPAa pn ∈ L(pa(Pipea)) so that
σPAc pn =PA σPAa pn (5.81)
We use the notation:
(σPAc pn)(k) = (q
k
PAc pn , t
k
PAc pn)
(σPAa pn)(k) = (q
k
PAa pn , t
k
PAa pn)
























Fork = jn we have:
qjnPAc pn = q
n
Pc | pn
tjnPAc pn = pclTransp
n
qjn+1PAc pn = pclNextStatep
n
129














We will defineqnPAa so that:








On parcel variablesq0Pa is defined according to Equation 5.84:






Pa | p0 = q
j0
PAa p0 (5.86)
Since parcel automaton runs begin at index0 we have






PAa p0 = q
0
PAa p0 ∧ q
0
PAa p0 ∈ IPAa (5.87)
Since abstract interpretations satisfy Equation 5.12, using Equation 5.86 and Equation 5.87 we infer
that
q0Pa |= Initpcl a (5.88)
Equation 5.85 and Equation 5.88 imply thatq0Pa |= Pipea .Init.
Inductive case
We assume the following inductive hypothesis:












In order to apply Theorem 5.3.1 we need to define






Pc ) → TPAa
130






Pc ) → QPAa
so that the following diagram commutes:





qnPa | pn pclNextStateap
n










Using the inductive hypothesis, the diagram in Equation 5.91 becomes:

















We definepclTransa andpclNextStatea as follows:
pclTransa p
n = tjnPAa pn (5.93)
pclNextStatea p
n = qjn+1PAa pn (5.94)
With this definition, the diagram in Equation 5.92 commutes because it is identical to the one in
Equation 5.83.
Applying Theorem 5.3.1 we obtaintnPa ∈ TPa andq
n+1
Pa ∈ QPa so that the diagram in Equation 5.79
commutes. It remains to show that we maintain our inductive hypothesis:






Pa | pn+1 = q
jn+1
PAa pn+1 (5.95)




Pc ) are either combinational or continue continue a parcel at the
previous step. Ifpn+1 is combinational then
qn+1Pa | pn+1 = ∅
q
jn+1
PAa pn+1 = ∅
131
and therefore Equation 5.95 holds.
One of the postconditions of Theorem 5.3.1 (Equation 5.22) implies the following:





pn+1 ∩ RegPcl6= ∅ =⇒


















which implies that that the two parcels belong to the same run ofpa(Pipea) and therefore
q
jn+1
PAa pn+1 = q
jn+1
PAa pn (5.97)
Equation 5.96 and Equation 5.97 imply that Equation 5.95 holdspn+1 ∩ RegPcl6= ∅.
5.5 Summary
Parcel independence is used to prove Theorem 5.3.1 that states that commuting diagrams between
the concrete and abstract parcel automaton states imply a commuting diagram between the contain-
ing concrete and abstract pipeline states. Theorem 5.3.1 is used to prove soundness of abstraction




Abstraction Of Parcel Automata
This chapter describes an algorithm that abstracts the parcel automatonpac = pa(Pipec ,PclMap)
induced by the parcel map to a parcel automatonpaa such that
pac PA paa (6.1)
L(pac) ⊆PA L(paa) (6.2)
The abstract parcel automatonpaa is used to produce an abstract interpretation of the pipeline data-






Applying Theorem 5.4.1 to Equation 6.1 and Theorem 5.4.8 to Equation 6.2 we get:
Pipec P Pipea
L(Pipec) ⊆P Pipea
Thus the datapath abstraction algorithm preserves control properties.
Section 6.1 formalizes path abstraction and proves that it implies simulation between parcel au-
tomata. In Section 6.2 we define inductively the parcel automatonpac 1 that is an an approximation
of the induced parcel automaton. The parcel automatonpac 1 may also represent unreachable datap-
ath behaviours but is more practical to represent than the induced parcel automaton. Path abstraction
is based on the systematic exploration of the paths through the parcel automaton pac 1. For each
such path there is an equivalent one in the the abstract parcel automaton.
The encoding of the approximate parcel automaton in propositional logic is presented in Section 6.3
133
and Section 6.4. An abstraction algorithm that is based on path abstraction ofthe approximate parcel
automaton is presented in Section 6.5. We present experimental results in Section 6.6.
6.1 Path Abstraction
In this section, an abstraction that maps concrete paths to abstract states is shown to be conservative,
i.e. implies simulation, in Lemma 6.1.1. The notion of paths that are not distinguishableby the
control is captured using path equivalence. Finite paths and infinite runs ae connected through the
concept of terminating run, which requires that a run consist of a finite prefix in which all state
updating datapath computations are confined, followed by an infinite suffix that contains only value
copying transitions. Lemma 6.1.4 gives sufficient conditions under which path abstraction preserves
language containment.
Given a parcel automaton runσPA ∈ L(pa), we use the following notation for the finite path from
stateq0PA to stateq
k






Whenk = 0 the pathπkPA reduces toq
0
PA. The set of all such paths is denoted byΠ(pa):
Π(pa) ≡ {πkPA | k ∈ N ∧ ∃ σPA ∈ L(pa). π
k
PA is a prefix ofσPA }









Lemma 6.1.1 describes path abstraction and states its correctness.
6.1.1 Lemma(Correctness Of Path Abstraction). If the abstraction functionψ : Π(pac) → QPAa
satisfies the following properties:
• ψ preserves the label of the last state on the path:
ψ(πkPAc) = qPAa k =⇒ q
k
PAc =PA qPAa k (6.5)
134
• ψ makes the diagram commute:






















• ψ preserves initial states:
q0PAc ∈ IPAc =⇒ ψ(q
0
PAc) ∈ IPAa (6.7)
• ψ has the additional property, related to simulation on parcel automata:






tk−1PAc−→ qkPAc 1 ∧




tk−1PAc−→ qkPAc 2 ∧









L(pac) ⊆PA L(paa) (6.9)
pac PA paa (6.10)
Path abstraction is driven by exploration of concrete paths in the parcel autom ton. Therefore the
abstraction function is defined on the set of concrete paths onto abstractstates:ψ : Π(pac) → QPAa .
In Figure 6.1 we recall the parcel automaton of theAndOr example that we first presented in
Section 4.1. We use this example to illustrate path abstraction. Figure 6.2 describes an abstract
automaton that satisfies the conditions of Lemma 6.1.1. The abstract automaton has a tree like
structure — with the exception of the transitions leading to its final state, corresp nding to the
depth-first-search tree of paths through the concrete parcel automaton.
Table 6.1 describes the mappingψ that maps the paths through the concrete parcel automaton to
abstract states. For instance, line 13 in the table describes the pathπ3 that is composed of the path
π2
∅ −→ r1 = 00
c = 01
−→ r2 = 0000




r2 = 0000 r2 = 0001 r2 = 0100
r3 = 01
r2 = 0010 r2 = 1000
r3 = 10
r1 = 10


















v = 1v = 1
v = 1
v = 1
Figure 6.1:AndOr Parcel Automaton.
leading to the state
r3 = 00
The pathπ2 in Equation 6.1 is described at line 5 in the table. The mapping of the pathπ3 o an









v = 0v = 0
r1 = α0
c = 10c = 01
v = 1 v = 1
Figure 6.2: An abstractAndOr parcel automaton.
diagram:










Proof. We prove Equation 6.10 holds. This implies Equation 6.9 also holds. For simplicity we
assume all states inQPAc are reachable from an initial state. Non-reachable states do not affectthe
behaviour of the parcel automaton so we can safely ignore them.
137
# Concrete Path Transition Next StateAbstract State Predecessor
0 ∅ ∅
1 ∅ −→ r1 = 00 r1 = α0 0
2 ∅ −→ r1 = 01 r1 = α0 0
3 ∅ −→ r1 = 10 r1 = α0 0
4 ∅ −→ r1 = 11 r1 = α0 0
5 ∅ −→ r1 = 00
c = 01
−→ r2 = 0000 r2 = α1 1
6 ∅ −→ r1 = 00
c = 10
−→ r2 = 0000 r2 = α4 1
7 ∅ −→ r1 = 01
c = 01
−→ r2 = 0001 r2 = α1 2
8 ∅ −→ r1 = 01
c = 10
−→ r2 = 0100 r2 = α4 2
9 ∅ −→ r1 = 10
c = 01
−→ r2 = 0010 r2 = α1 3
10 ∅ −→ r1 = 10
c = 10
−→ r2 = 1000 r2 = α4 3
11 ∅ −→ r1 = 11
c = 01
−→ r2 = 0011 r2 = α1 4
12 ∅ −→ r1 = 11
c = 10
−→ r2 = 1100 r2 = α4 4
13 ∅ −→ r1 = 00
c = 01
−→ r2 = 0000
v = 0
−→ r3 = 00 r3 = α2 5
14 ∅ −→ r1 = 00
c = 10
−→ r2 = 0000
v = 0
−→ r3 = 00 r3 = α5 6
15 ∅ −→ r1 = 01
c = 01
−→ r2 = 0001
v = 1
−→ r3 = 01 r3 = α3 7
16 ∅ −→ r1 = 01
c = 10
−→ r2 = 0100
v = 1
−→ r3 = 01 r3 = α6 8
17 ∅ −→ r1 = 10
c = 01
−→ r2 = 0010
v = 1
−→ r3 = 10 r3 = α3 9
18 ∅ −→ r1 = 10
c = 10
−→ r2 = 1000
v = 1
−→ r3 = 10 r3 = α6 10
19 ∅ −→ r1 = 11
c = 01
−→ r2 = 0011
v = 1
−→ r3 = 11 r3 = α3 11
20 ∅ −→ r1 = 11
c = 10
−→ r2 = 1100
v = 1
−→ r3 = 11 r3 = α6 12
21 ∅ −→ r1 = 00
c = 01
−→ r2 = 0000
v = 0
−→ r3 = 00 −→ finalPAc r1 = finalPAa 13
23 ∅ −→ r1 = 00
c = 10
−→ r2 = 0000
v = 0
−→ r3 = 00 −→ finalPAc r1 = finalPAa 14
23 ∅ −→ r1 = 01
c = 01
−→ r2 = 0001
v = 1
−→ r3 = 01 −→ finalPAc r1 = finalPAa 15
24 ∅ −→ r1 = 01
c = 10
−→ r2 = 0100
v = 1
−→ r3 = 01 −→ finalPAc r1 = finalPAa 16
25 ∅ −→ r1 = 10
c = 01
−→ r2 = 0010
v = 1
−→ r3 = 10 −→ finalPAc r1 = finalPAa 17
26 ∅ −→ r1 = 10
c = 10
−→ r2 = 1000
v = 1
−→ r3 = 10 −→ finalPAc r1 = finalPAa 18
27 ∅ −→ r1 = 11
c = 01
−→ r2 = 0011
v = 1
−→ r3 = 11 −→ finalPAc r1 = finalPAa 19
28 ∅ −→ r1 = 11
c = 10
−→ r2 = 1100
v = 1
−→ r3 = 11 −→ finalPAc r1 = finalPAa 20
Table 6.1: The path mapψ.
We consider the relationχ ⊆ QPAc × Π(pac) defined by







We show thatψ ◦ χ is a parcel automata simulation relation.
138
Commuting Diagram We show the following diagram commutes:






















The diagram in Equation 6.12 is obtained by combining the two diagrams in Equation6.13. The
lower part commutes according to the definition ofχ and the upper part according to Equation 6.11.









































Additional Property The relationψ ◦ χ must satisfy Equation 4.9 in the definition of simulation
on parcel automata. For this purpose we use Equation 6.8 satisfied byψ. Consider
(qkPAc 2, qPAa k 2) ∈ ψ ◦ χ (6.14)
qkPAc 1 ⊆ q
k
PAc 2 (6.15)
We must show there existsqPAa k 1 so that:
qPAa k 1 ⊆ qPAa k 2 (6.16)
(qkPAc 1, qPAa k 1) ∈ ψ ◦ χ (6.17)
From Equation 6.14 we infer there must existπkPAc 2 ∈ Π(pac) such that:
(qkPAc 2, π
k
PAc 2) ∈ χ




tk−1PAc−→ qkPAc 2 (6.18)
ψ(πkPAc 2) = qPAa k 2
139
Equation 6.18 implies that there existsπkPAc 1 ∈ Π(pac) such that:
(qkPAc 1, π
k
PAc 1) ∈ χ





Applying Equation 6.8 toπkPAc 1 andπ
k
PAc 2 we have that




qPAa k 1 = ψ(π
k
PAc 1)
then both Equation 6.16 and Equation 6.17 hold.
Initial States Let q0PAc ∈ IPAc . We must show that there existsqPAa 0 ∈ IPAa so that
(q0PAc , qPAa 0) ∈ ψ ◦ χ
Sinceπ0PAc = q
0






Applying Equation 6.7 toq0PAc we have:
ψ(q0PAc) ∈ IPAa
For qPAa 0 = ψ(q0PAc) we get the desired conclusion.
We say two parcel transitions are equivalent if they have equivalent transi ion labels.
(qPA1, tPA1, qPA1
′) =PA (qPA2, tPA2, qPA2
′) ≡ (tPA1 =PA tPA2)
We define path equivalence between two paths if they both start from equivalent states, have the
140





(k = l) ∧ (domq0PA1 = domq
0
PA2) ∧(












Path equivalence is related to run equivalence. However, because weuse path equivalence in the
context of closed parcel automata we do not require in its definition that the sates at the same index
be equivalent.
Parcel computations are infinite. Termination of the abstraction algorithm we pres nt in Section 6.5
depends on whether the datapath computations that affect the parcel’s stat are confined to a finite
prefix of the parcel run . From a point on in the run, a parcel’s state is updated only by copying of
values from the previous state.










∀ (v1, b, v2) ∈ fg
k.Succ. v1 ∈ StateFanOutk ∧ v2 6∈ PclN=⇒ v2 ∈ StateFanOutk
6.1.2 Definition (Terminating Run). The runσPA is terminating if it either contains the final state




PA ) only current state
values are copied into next-state parcel registers.





We can think of Equation 6.19 to cover termination when the parcel exits the pipeline and its state
becomes empty since we can define the domain of the final state to be the empty set.If the runσPA
contains the final state then there existsn ≥ 1 so that
∀ k ≥ n. qkPA = finalPA
∀ k ≥ n. tkPA = ∅






Equation 6.19 states that datapath computed values, constants,choice and inputs do not propagate
into the parcel’s next state. For instance, a computation in which a parcel stalls indefinitely is
terminating. As a generalization, the definition could be relaxed to allow propagation of constants.
The notion of the driver of a variable at stepk is used to analyze terminating runs. We define
driver (v2, k) to be(v1, n) such that variablev1 at stepn propagates through copying into the value
of v2 at stepk. The definition is inductive.
6.1.3 Definition(Driver). Base Casek = 0 ∧ v ∈ domq0PA
∀ v ∈ domq0PA. driver (v , 0) = (v , 0)
Inductive Case k ≥ 0
∀ v ∈ (rootsfgk) \ RegPcl. driver (v , k) = (v , k)
∀ (v1, b, v2) ∈ fg
k.Succ. v2 6∈ PclN=⇒ driver (v2, k) = driver (v1, k)
∀ (w, b, v) ∈ fgk.Succ. driver (v , k) = driver (v , k)
∀ v ∈ PclN. driver (v , k) = (v , k)
∀ v ∈ domqkPA. driver (v , k + 1) = driver (v
′, k)






PA) ∧ ∀ v ∈ domq
k1
PA. driver (v , k1) = driver (v , k2)



















































Before we present the next lemma, we recall the concept of closed parcel automaton (Defini-
tion 4.6.2). The closure of a parcel automaton does not influence the datapath behaviours it specifies.
Our proofs rely in some cases on the parcel automata to be closed. Since theend result of obtaining
an abstract parcel automaton is to perform abstract interpretation of the datapath, the closure of the
parcel automaton is not implemented. Instead, the closure performed only in proofs.
Lemma 6.1.4 shows that under sufficient conditions, path abstraction preserves language equality.
The essential condition is that for each path in the abstract parcel automaton there exists an equiva-
lent one in the concrete automaton.
6.1.4 Lemma. If the following conditions hold:
• The parcel automatonpac is closed.
• All runs of pac are terminating.
• For every prefix inΠ(paa) there exists an equivalent one inΠ(pac):
∀ πkPAa ∈ Π(paa). ∃ π
k






L(paa) ⊆PA L(pac) (6.21)
Proof. ConsiderσPAa ∈ L(paa). We need to show there existsσPAc ∈ L(pac) so that
σPAa =PA σPAc (6.22)
Case 1σPAa is non-terminating. We prove this leads to a contradiction.








such that the number of parcel transitions that contain datapath computations isat lea ti.










Equation 6.28 implies that the pathπkiPAc also has at leasti transitions that contain datapath com-
putations. Fori > |QPAc | there exists one stateq
j
PAc that performs two different transitions both of






tjPAc−→· · · qj+lPAc
tj+lPAc−→· · · with qjPAc = q
j+l
PAc




tjPAc−→· · · qjPAc
tjPAc−→· · ·
Case 2σPAa is terminating.
If it contains the statefinalPAa , then by selecting a prefixπnPAa so thatq
n
PAa = finalPAa and applying




PAa . This concrete path is trivially extended to a
concrete run matchingσPAa .
Consider now the case whenfi alPAa does not appear in the runσPAa . The run then consists of the













Since theRPAa is finite, in the infinite suffix
qnPAa
tnPAa−→ qn+1PAa
tn+1PAa−→ qn+2PAa · · ·
we have
∀ k2 ≥ n. ∀ v2 ∈ domqkPAa . ∃ k1 ≤ n. ∃ v1. driver (v2, k2) = (v1, k1)
Since the indicesk1 are bounded byn, there exists an indexs > n such that from then on, all
transitions are ‘=driver’ equivalent to transitions at an index betweenn ands− 1:
∃ s > n.
























Sincepac is closed we can assume that the pathπ
s
PAc has the property that
∀ k ∈ { 0, . . . , s }. qkPAc =PA q
k
PAa
We prove by induction that fork ≥ n, πkPAc can be extended to a pathπ
k+1
PAc that is equivalent to the
prefix path of lengthk + 1 of σPAa .
First, we prove a helping result:





















the same copying effect as the transitions fromqnPAc to q
l
PAc . Since ‘=driver’ captures the make up
of statesql1PAa andq
l2
PAa in terms of the values in stateq
n








Base Casek = n. SinceπsPAc =PA π
s
PAa andn < s, π
k
PAc is a prefix ofπ
s
PAc and it therefore




If k < s thenπkPAc is still a strict prefix ofπ
s
PAc and therefore the extension is done as in the base
case.











































We use the set of paths{πiPAc | i ≥ 0 } to defineσPAc so thatσPAc =PA σPAa .
6.2 Approximating The Induced Parcel Automaton
The parcel automaton induced by the parcel map contains all parcel stepsthat occur in pipeline com-
putations and it describes exactly the datapath computations that arise duringpipeline computations.
Since the steps of the induced parcel automaton are defined by the steps ofthe pipeline, its definition
needs the inductive run of the entire pipeline which is not practical. We therefor approximate the
induced parcel automaton with another one that is defined inductively usingapproximations of the
parcel steps of the induced parcel automaton. This definition is simple and efficient and can be used
in the abstraction algorithm.
The approximate parcel automaton is conservative since its set of states and transitions include the
ones of the induced parcel automaton. Given two parcel automata
pa1 = 〈QPA1,RPA1,TPA1, IPA1〉
pa2 = 〈QPA2,RPA2,TPA2, IPA2〉
We define
pa1 ⊆ pa2 ≡ (RPA1 ⊆ RPA2) ∧ (IPA1 ⊆ IPA2)
6.2.1 Proposition. If pa1 ⊆ pa2 then
pa1 PA pa2
L(pa1) ⊆PA L(pa2)
A parcel automatonpa ∈ Pa(Pipe) coversthe datapath computations of the pipeline modelPipe if
pa(Pipe,PclMap) ⊆ pa. A parcel automaton that covers the datapath computations is a conserva-
tive approximation according to Proposition 6.2.1. Our approximation is basedon approximations
146
of the parcel map and of the parcel steps that occur in the pipeline model computations.
In the remainder of the section we describe a technique to define the approximate parcel automaton
pac 1 that covers the datapath computations:
pa(Pipec ,PclMap) ⊆ pac 1
A parcel step is determined by the parcel’s representation as a set of variables, the parcel’s cur-
rent state, the fan-out graph and the parcel and control environments.A parcel step is executed
within a pipeline step. The control variables that determine the parcel’s execution are constrained
by control assignments and datapath computed control values. In the definition of the states and
steps of the automatonpac 1 we substitute, for the control environment contained in the step of the
pipeline model, an environment that is easier to compute. We denote it in the following equations by
ectrl step ∈ PEnv(Vctrl ∪ NextRegCtrl). The environmentectrl step should respect the assignments
to control variables:
ectrl step |= (Pipec .Tr) | domectrl step
(6.26)
If parcelp has the parcel step(qPAc , 〈fgc , ectrlc , epclc〉, qPAc
′) in the pipeline model step(qPc , tPc , q′Pc),
then the fan-out graphfgc is maximal. There are no fan-out edges(vl, b, vk) such thatvl ∈
fgc .Nodesand (qPc ∪ tPc) |= b but vk 6∈ fgc .Nodes. The fan-out graphfgc is maximal under
the environmentqPc ∪ tPc . The following predicate represents maximality of the fan-out graph on
the transition label of the parcel step.
IsMaximalFanOut (qPAc , 〈fgc , ectrlc , epclc〉, qPAc
′) ectrl step ≡
∀ (vl, b, vk) ∈ FanOutEdges.
(vl, b, vk) ∈ fgc .Succ⇐⇒ vl ∈ fgc .Nodes∧ ectrl step |= b
(6.27)
The control environmentectrl step that determines the fan-out graph of the parcel and influences its
datapath computations may contain register variables that in a pipeline computationare influenced
by the previous step of the parcel. If such variables are not constrained in the definition ofectrl step ,
then the automatonpac 1 may have parcel steps and computations that are not reachable in the
induced (precise) parcel automaton. These non-reachable computations do not affect the datapath
circuits thatpac 1 specifies, however they do affect an abstraction algorithm: first, by enlargi g the
search space and second, by affecting termination, ifpac 1 has non-terminating runs that are not
possible in the induced automaton.
Figure 6.3 describes two different pipeline models that both have unreachable datapath computa-
tions. In both cases a parcel produces in the current parcel step a control value that later influences



























Figure 6.3: Pipeline models with unreachable datapath computations.
148
trol outputvc1 produced bydp1 and corresponding to a parcelp = { r1 } is saved into the control
registervc2. At the next step, the value ofvc2 influences the parcel step of parcelp = { r2 } as it
propagates throughdp2. Therefore, in a parcel computation, the outputvc1 of dp1 and the inputvc2
of dp2 are the same. The example in Figure 6.3b describes a pipeline model in which thedatapath
performs an iterative operation. Datapathdp1 has both a control input and output. As the schemat-
ics of the pipeline control describe, the output of the datapath in the current step influences both the
the control input in the next step and the fan-out graph, i.e. whether the parc l stalls. The variable
vc2 represents the control state of the datapath computation. In a pipeline computation the variable
converges to a final control state that ends the parcel computation.
The abstraction algorithm requires a set of parcelsParcels ⊆ P(P(Vpcl ∪ NextRegPcl)) that
approximates the parcel map:
∀ (qPc , tPc , q
′
Pc) ∈ RPc . PclMap (qPc , tPc , q
′
Pc) ∈ Parcels (6.28)
We define the parcel step predicatePclStep to be used in the definition ofpac 1. In the defini-
tion below we use the predicateWellDefinedPclStep that stands for the definition of parcel steps
(Definition 4.4.1). Consistency with respect to datapath behaviour (Equation 4.4) is represented by
ConsistentPclStep. The parcel step predicate states whether the triplet(qPAc , 〈fgc , ectrlc , epclc〉, qPAc
′)
is a parcel step that can execute under a control environment that satisfie control assignment con-
straints and maximality of fan-out graphs. The predicate also takes in consideration the propagation
of the parcel’s control state, that represents the control values generat d by the parcel’s step.
PclStep (qPAc , 〈fgc , ectrlc , epclc〉, qPAc
′) ectrl step ≡

ectrl step |= (Pipec .Tr) | domectrl step
∧






WellDefinedPclStep (qPAc , 〈fg , ectrl , epclc〉, qPAc
′)
∧
ConsistentPclStep (qPAc , 〈fg , ectrl , epclc〉, qPAc
′)
∧(
∃ p ∈ Parcels. p ∩ RegPcl⊆ domqPAc ∧ rootsfg = p
)
∧






The definition of the parcel automaton
pac 1 = 〈QPAc 1,RPAc 1,TPAc 1, IPAc 1〉
is done by induction. The resulting parcel automaton depends on a functionControlEnvDom that
stands for the heuristical choice of the control variables that affect theparcel. When the definition of
PclStep is implemented in the abstraction algorithm,ControlEnvDom will be chosen heuristically
to trim the search space or to provide termination.
We prove thatpac 1 covers the datapath computations independently of the particular heuristic used.
The set of reachable pairs of parcel and control states are denoted by PclStatePairs.
Base CaseThe set of initial states consists of all unconstrained parcel states.
IPAc 1 = { qPAc | ∃ p ∈ Parcels. domqPAc = p ∩ RegPcl} (6.30)
PclStatePairs ⊆ IPAc 1 × { true } (6.31)
Inductive Case The set of states and transitions is defined inductively using the predicateP lStep.




(qPAc , qctrl ) ∈ PclStatePairs ∧
∃ ectrl step ∈ PEnv(Vctrl ∪ NextRegCtrl).
domectrl step = ControlEnvDom (qPAc , qctrl , tPAc) ∧
PclStep (qPAc , tPAc , qPAc












′) ∈ PclStatePairs ∧ (qPAc , tPAc , qPAc
′) ∈ RPAc 1 ∧ qPAc
′ ∈ QPAc 1
(6.32)
The domain of the control environmentectrl step is chosen so that
domqctrl ⊆ ControlEnvDom (qPAc , qctrl , tPAc) (6.33)
As defined by Equation 6.32, the transition relation ofpac 1 contains only parcel steps. The closure
pac 1 of pac 1 includes the parcel transitions for such steps. We use the following notationfor the
closed automaton:
pac 1 = (QPAc 1, RPAc 1, TPAc 1, IPAc 1)
Lemma 6.2.2 states thatpac 1 covers the datapath computations.
150
6.2.2 Lemma.
pa(Pipec ,PclMap) ⊆ pac 1
Proof. The claim is proved by induction. We show that for any pipeline step and anyp rcel within
that step, there exists a control state so that the parcel and control state pair is inPclStatePairs.
∀ qPc ∈ QPc .
∀ tPc ∈ TPc . ∀ qPc
′ ∈ QPc .
(qPc , tPc , q
′
Pc) ∈ RPc =⇒


∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
∃ qPAc 1 ∈ QPAc 1. ∃ qctrl ∈ PEnv(RegCtrl).
(qPAc 1 ⊆ qPc) ∧ (qctrl ⊆ qPc) ∧ (pclStatep ⊆ qPAc 1)




The other claim we prove by induction is thatRPAc ⊆ RPAc 1.
∀ qPc ∈ QPc .
∀ tPc ∈ TPc . ∀ qPc
′ ∈ QPc .
(qPc , tPc , q
′
Pc) ∈ RPc =⇒
(
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
(pclStatep, pclTransp, pclNextStatep) ∈ RPAc 1
)
(6.35)
Base CaseqPc ∈ IPc . From Equation 6.30 and Equation 6.31 we have
IPAc ⊆ IPAc 1
IPAc 1 × { true } ⊆ PclStatePairs
Since the parcel states of parcels within pipeline steps from initial pipeline states are initial, it
follows that Equation 6.34 holds whenqPc ∈ IPc .
Inductive CaseLet (qPc , tPc , q′Pc) ∈ RPc . By induction, Equation 6.36 holds ofqPc .
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
∃ qPAc 1 ∈ QPAc 1. ∃ qctrl ∈ PEnv(RegCtrl).
(qPAc 1 ⊆ qPc) ∧ (qctrl ⊆ qPc) ∧ (pclStatep ⊆ qPAc 1)
∧ (qPAc 1, qctrl ) ∈ PclStatePairs
(6.36)
151
We prove Equation 6.37 holds for the step(qPc , tPc , q′Pc).
∀ p ∈ PclMap (qPc , tPc , q
′
Pc).
(pclStatep, pclTransp, pclNextStatep) ∈ RPAc 1
(6.37)
And that Equation 6.34 holds inductively forqPc ′.
∀ tPc
′ ∈ TPc . ∀ qPc





Pc) ∈ RPc =⇒





















Part 1 We prove Equation 6.37.
Considerp ∈ PclMap (qPc , tPc , q′Pc). Applying Equation 6.36, there existqPAc 1 andqctrl so that
(qPAc 1 ⊆ qPc) ∧ (qctrl ⊆ qPc) ∧ (pclStatep ⊆ qPAc 1) ∧ (qPAc 1, qctrl ) ∈ PclStatePairs (6.39)
We let
dom = ControlEnvDom qPAc 1 qctrl (pclTransp) (6.40)
ectrl step =
(







′ ≡ ectrl step | Vr ′
(6.42)
and show that
PclStep (qPAc 1, pclTransp, pclNextStatep) ectrl step = true (6.43)
We prove the following conjunct ofPclStep. The remaining ones are trivial to prove.
∃ p ∈ Parcels. p ∩ RegPcl⊆ domqPAc 1 ∧ roots((pclTransp).fg) = p
We havep ∩ RegPcl⊆ domqPAc 1 sincepclStatep ⊆ qPAc 1.
Equation 6.43 together with Equation 6.32 in the inductive definition ofpac 1 imply
(qPAc 1, pclTransp, pclNextStatep) ∈ RPAc 1 (6.44)
Noting thatroots((pclTransp).fg) ∩ RegPcl= dom(pclStatep) and sincepac 1 is the closure of
152
pac 1, Equation 6.44 implies
(pclStatep, pclTransp, pclNextStatep) ∈ RPAc 1
Part 2




Pc) ∈ RPc . ∀ p

















To prove Equation 6.45 we use the continuity property (Equation 5.3 on page101) in the definition




Pc) ∈ RPc andp





exists a parcelp at step(qPc , tPc , q′Pc) so thatpclStatep
′ ⊆ pclNextStatep. Using the induction
hypothesis, there existqPAc 1 andqctrl such that:
qPAc 1 ⊆ qPc
qctrl ⊆ qPc
(qPAc 1, qctrl ) ∈ PclStatePairs
We perform the construction in Equation 6.40 to Equation 6.42. Equation 6.43 together with
Equation 6.32 in the inductive definition ofPclStatePairs imply that (pclNextStatep, qctrl ′) ∈
PclStatePairs. We therefore setqPAc 1′ = pclNextStatep.






Proof. The parcel automatonpac 1 differs from the induced parcel automaton by representing un-
reachable datapath behaviours. Its closure does not add new behaviours. Unreachable behaviours
are already specified by the datapath circuits and therefore do not change the datapath when per-
forming abstract interpretation.
153
6.3 Parcel Steps In Propositional Logic
A path through the concrete parcel automaton consists of a sequence of parcel transitions. Since the
parcel automata we work with are closed we consider only parcel transitions that are parcel steps.
Each such step satisfies the predicatePclStep described in Equation 6.29. The essential part of the





a constrained stateqkPAc , where the constraint requires that the stateq
k
PAc be reachable by a pathπ
k
PAc
equivalent to the abstract pathπkPAa .
In order to define the representation ofPclStep in proposition logic, we observe that the span of




PAc ) (i.e. the parcel variables, datapaths and control variables that it
mentions), is limited by the domain ofqkPAc and by the set of all possible parcelsParcels. We







{ p | p ∈ Parcels ∧ p ∩ RegPcl⊆ domqkPAc } (6.46)
The cone of influence of a set of pipeline variablesV is a set of pipeline variablesconeV that
consists of the variables that can be assigned transitively fromV .
6.3.1 Definition(Cone Of Influence). The cone of influence of a parcel is the smallest set satisfying:
Base CaseV ⊆ coneV
Inductive Case
• If vl ∈ coneV and there exists ‘vk := e’ ∈ Pipec .Tr such thatvl ∈ varse thenvk ∈
coneV .
• If dp ∈ Dps andArg(dp.PclP) ∩ (coneV ) 6= ∅ thenArg(dp.PclN) ∪ OutputArg(dp.Vctrl ) ⊆
coneV .
We extend the notation and writedp ∈ conep if any of the input parcel parameters of the datapath
dp is in the cone of the parcel, i.e.Arg(dp.PclP) ∩ (conep) 6= ∅. Similarly, for fan-out edges we
write (vl, b, vk) ∈ conep if vl ∈ conep.
The parcel at stepk is denoted bypk ⊆ p̃k. The representation ofPclStep in propositional logic
requires that variables encode the current state, transition label and next stat of parcelpk. In addi-
tion, we also need to represent the associated current and next control states and the fan-out graph
of the parcel. Consistency with the datapath behaviour is specified by the propositional formula
[Rdp ]bool that represents the transition relation for each datapathdp ∈ conep̃
k. We denote the set
of variables corresponding to a datapath instance byVdp .
154
The variables that make up the parcel step variables̃Vstep are defined below:
R̃egPcl ≡ domqkPAc
˜CombPcl ≡ CombPcl∩ conep̃k













P̃arcel ≡ { pclv | v ∈ p̃
k }
ṼfanOut ≡ { fanOutv | v ∈ (conep̃
k) ∩ (Vpcl ∪ NextRegPcl) }
where
• R̃egPclrepresents the current state of the parcel.
• ˜CombPcldenotes the combinational parcel variables in the cone.
• ˜NextRegPclare the next state parcel registers in the cone ofp̃k.
• ˜ControlVars denotes the upper bound on the domain of possible environmentsekctrl step . This
is chosen heuristically.
• The set of datapath instance variables in the cone of the parcel is denotedby ṼDps .
• The set of variables̃Parcel encode the parcelpk as a subset of̃pk. Forv ∈ p̃k we have that
pclv = true if the parcelp
k containsv .
• The set of fan-out variables̃VfanOut represent whetherv ∈ (conep̃k) ∩ (Vpcl ∪ NextRegPcl)















































The description ofPclStep in propositional logic consists of four subformulas. The variables that
could occur in the parcel step are constrained by the relevant assignments and datapaths of the
pipeline model. The formula in Equation 6.48 consists of the assignments to parcel and control
variables in the cone of the parcel. The formula in Equation 6.49 ensures theconsistency of the
parcel step with respect to datapath behaviour.
[Assignments]bool ≡
[












The following formula propagates the fan-out of the parcel through the fan-out edges in the cone.
The first conjunct represents the base case: the variables that are part of the parcel are also in its fan-
out. The second conjunct corresponds to the inductive case, as the fan-out propagates transitively.






























The last subformula ensures the parcel step is well defined. A datapath mus have either all argu-












Finally, we provide the semantics of our encoding by defining the satisfiability of [PclStep]bool (Ṽstep
k
)
by a parcel step. We use the notationtkPAc = 〈fg
k, ekctrl c , e
k
pcl c〉.





PAc ) |= [PclStep]bool (Ṽstep
k
)
if there exists an environmentekstep ∈ Env(Ṽstep
k
) such that:





































true : v ∈ rootsfgk








true : v ∈ fgk.Succ
false : v 6∈ fgk.Succ
(6.57)





















Given an environmentekstep that satisfies[PclStep]bool (Ṽstep
k
) we can define the corresponding






















fgk.Nodes = { v | ekstep(fanOut
k
v ) = true } (6.60)
fgk.Succ = { (v1, b, v2) ∈ FanOutEdges |
157
(fanOutkv1 = true) ∧ (fanOut
k
v2
= true) ∧ ekstep |= b } (6.61)
ekpcl c = (e
k





































consists of two parts, one subformula for the parcel step and another for that encodes the equivalence


































































v = ekctrl c(v)
The encoding of the equivalence class of the transition labeltkPAc consists of two parts, correspond-
ing to the fan-out graphfgk and respectively, to the control environmentkctrl c .










if there exists an environmentekstep c 1 ∈ Env(Ṽstep
k
) satisfying Equation 6.52 up to Equation 6.57
and




























Path formulas are propositional formulas that represent equivalence classes of concrete paths in the
parcel automatonpac 1. A path formula is satisfiable if and only if it stands for such an equivalence
class. A path formulafkpath corresponds to pathsπ
k
PAc of lengthk. The path formula describes each





































PAc ) |= f
k
step






⇐⇒ πkPAc 1 |= f
k
path
The parcel automatonpac 1 described in Section 6.2 is defined inductively. The inductive definition
is exploited in the use of path formulas which are used to explore the control-visible datapath be-
haviours represented by the parcel automaton. The control state associated with the parcel state is
propagated along the path formula by sharing variables between consecutive steps.
159

























To propagate the control stateqk+1ctrl to thek+1-th step, we perform variable substitution in the step
formulafkstep :





















The basic abstraction algorithm constructs an abstract parcel automaton st te for each equivalence
class of the set of pathsΠ(pac 1) with respect to the equivalence on paths ‘=PA’. The abstract initial
states correspond to paths of length one, that consist of a single state. The equivalence classes of
such paths correspond to sets of initial states that have the same domain. Theset of domains of
initial states is denoted byInitParcels.
InitParcels ≡ {domqPAc | qPAc ∈ IPAc 1 }
Accordingly, the set of abstract initial statesIPAa is in bijection with the set of domains of the
concrete initial states:
IPAa ↔ InitParcels (6.66)







The pathπkPAa stands for the non-empty set of concrete statesCurrentStates reachable along equiv-
alent concrete paths:
CurrentStates ≡ { qPAc | ∃ π
k
PAc ∈ Π(pac 1). IPAc 1
πkPAc





The equivalence class of concrete states thatπkPAa denotes is represented by the path formulaf
k
path .
At any given time,fkpath is satisfiable.




PAa . For each




































Concrete pathsπk+1PAc 1 of lengthk + 1 extend paths of lengthk that are equivalent toπ
k
PAa if
πk+1PAc 1 |= f
k
path ∧ [PclStep]bool (Ṽstep
k
) (6.70)
Equation 6.70 is the basis of the path extension algorithm in Algorithm 6.1.
Each iteration of the while loop in Algorithm 6.1 solves a constrained path formulaof form fkpath ∧
Constraint . Initially, Constraint = [PclStep]bool (Ṽstep
k
). The solution to the path formula is




PAc ) (lines 5–6). At the end of the iteration, the equiv-








to the constrained path formula (line 19).


























a (equality modulo constants)
161
Input : 〈qkPAa , f
k
path〉










PAa 2), . . .




while f is satisfiabledo3
epath c := solve(f)4
ekstep := epath c | Ṽstep
k
5










ctrl c , e
k
pcl c〉 := t
k
PAc7
pk := parcel(ekstep | P̃arcel
k)8
ekctrl a := e
k
ctrl c // must be equal9
ekpcl a 1 := createAbstractValues(〈p
k, fgkc〉)10
ekpcl a := e
k
pcl a 1 | Vc11







ctrl a , e
k
pcl a〉12
if ekpcl a 1 | NextRegPcl6= ∅ then13
qk+1PAa := (e
k












PAa ) to result18









Algorithm 6.1: Path Extension Algorithm
ekctrl a = e
k
ctrl c
We defineqk+1PAa over the next-state registers that appear in the fan-out graphfg :
domqk+1PAa = { v | v
′ ∈ fg .Nodes}
It remains to describe howekpcl a andq
k+1
PAa evaluate the combinational variables and, respectively,
the next-state parcel variables (lines 2–19) of Algorithm 6.2. The edges of the fan-out graphfgkc
describe value copying or datapath transformations. For each parameterof a datapath output par-
cel variablepclN we create a new abstract value that denotes the corresponding transformation
(line 10). Similarly, a new value is used for inputs (line 3) orchoice assigned variables (line 18).
For each constant variablev we choose an advance an abstract valuewa which we assign tov at
162
Input : 〈pk, fgkc〉
Output : Abstract parcel environment:ekpcl a 1
ekpcl a 1 := ∅ // e
k





foreachv ∈ InputPcl∩ pk do2
ekpcl a 1 (v) := newAbstractValue()3
end4
foreach (v1, b, v2) ∈ fgkc .Succdo5
markv26
if v1 6∈ PclN then7
ekpcl a 1 (v2) := (e
k




ekpcl a 1 (v2) := newAbstractValue()10
end11
end12
foreachv ∈ pk ∩ Vc do13
if v is unmarkedthen14
if v is assigned a constant infgkc then15
ekpcl a 1 (v) := wa // wa is the abstract constant for the edge16








Algorithm 6.2: Abstract Value Propagation
line 16.







• If v ∈ RegPclthenekpcl a 1 (v) = q
k
PAa(v).
• If v ∈ InputPclthenekpcl a 1 (v) = newAbstractValue()
• If v is assigned a constantwc thenekpcl a 1 (v) = wa , wherewa is the abstract constant
corresponding to the edge(wc, b, v) ∈ fgkc .
• Otherwise,v is assignedchoice, soekpcl a 1 (v) = newAbstractValue().
Inductive Case
• If v 6∈ PclN then there exists(vl, b, vk) ∈ fg .Succso thatv = vk. We setekpcl a 1 (v) =
ekpcl a 1 (vl).
163
• If v ∈ PclN thenv = newAbstractValue().
Usingekpcl a 1k we define:
epcla = e
k









: ekpcl a 1 | NextRegPcl6= ∅
finalPAa : ekpcl a 1 | NextRegPcl= ∅
(6.72)
The abstraction algorithm is represented in Algorithm 6.3. It performs a depth-first-search ex-
ploration of the paths in the concrete parcel automatonpac 1. The algorithm maintains a stack
of concrete paths to be explored. The concrete pathπkPAc that is currently explored is repre-









path〉, where the abstractq
k
PAa is on the frontier of the on-the-fly construction of the
abstract parcel automaton. It is reached in the abstract parcel automaton by a pathπkPAa equivalent
to πkPAc . For each possible extension of the pathπ
k






PAc ), the algorithm
creates a new equivalent transition in the parcel automaton (lines 19–29).
The test at line 23 fails if the stack contains an already visited abstract stateqPAa that subsumes the
newly constructed stateqk+1PAa . This check ensures termination of the algorithm when the runs of
pac 1 are terminating (Definition 6.1.2). If the abstract stateq
k+1
PAa has not been visited before, a new
entry is added to the stack. It is possible the stateqk+1PAa has been visited before, but it is not on the




PAa ) is called a cross edge. To be sound, the algorithm
must visitqk+1PAa under the current path constraint.
The abstraction algorithm explores the paths of the concrete parcel automaton pac 1 according to
the inductive definition ofpac 1 on page 150. At line 23 the abstraction algorithm checks whether
the pair of abstract state, control state has been visited on the current path. The termination of the
algorithm is proven if the heuristic functionControlEnvDom has the property that for transitions
that only copy the parcel state, the next control state is empty. This requirement is justifiable since
the purpose of of the next-state control variables inControlEnvDom is to prevent unreachable
computations due to datapath transformations that propagate into the parcel’snext state.
The proof of correctness of Algorithm 6.3 is based on showing that the algorithm performs path
abstraction of the concrete parcel automatonpac 1. From Lemma 6.1.1 we get
L(pac 1) ⊆ L(paa)
pac 1 PA paa
We begin by showing termination. We show that the algorithm explores a finite number of equiva-
164
Input : Pipec
Output : 〈QPAa ,RPAa ,TPAa , IPAa〉
〈QPAa ,RPAa ,TPAa , IPAa〉 := 〈{ finalPAa }, ∅, ∅, ∅〉1
Stack := ∅2
Visited := ∅3
foreachp ∈ InitParcels do4
q0PAa := newAbstractState(p)5
IPAa := IPAa ∪ { q
0
PAa }6














path〉 := topStack // If k = 0 then f
k
path ≡ true13
// The successors of qkPAa have been visited?.
















QPAa := QPAa ∪ { q
k+1
PAa }20
TPAa := TPAa ∪ { t
k
PAa }21







// Is (qk+1PAa , q
k+1
ctrl ) visited on the current path?
// The test holds vacuously for finalPAa
if ¬(domk+1ctrl = ∅ ∧ ∃ q
l






ctrl = ∅) then23































Algorithm 6.3: Abstraction Algorithm
165
lences of concrete parcel automaton paths. The algorithm pushes a new abstract stateqk+1PAa onto the




step is satisfiable and
¬(domk+1ctrl = ∅ ∧ ∃ q
l






ctrl = ∅) (6.73)





step that implies that the negation of Equation 6.73 holds. We show that the
number of concrete paths that do not satisfy this condition is finite. Therefor , Equation 6.73 is true
only for a finite number of cases.
We recall the notion of a variable’s driver introduced on page 142. Thedriv r of a variablev2 at
stepk is a variablev1 at stepn such that variablev1 at stepn propagates through copying into the
value ofv2 at stepk.















∃ n0 ≤ k. ∃ n0 + 1 ≤ n1 < k.








∀ v ∈ domqn1+1PAc . driver (v , n1 + 1) = driver (v , n0 + 1)


We define the dual predicateNotExploredPath that characterizes the paths that are not explored:
NotExploredPath πk+1PAc ≡

∃ n0 ≤ k. ∃ n0 + 1 ≤ n1 < k.








∀ v ∈ domqn1+1PAc . driver (v , n1 + 1) = driver (v , n0 + 1)


6.5.2 Lemma(Termination Of Abstraction Algorithm). If the runs of the concrete parcel automaton
pac 1 are terminating then Algorithm 6.3 terminates.
Proof. Part 1 We show that if a path satisfies theNotExploredPath predicate then it is not visited.
To show a path is not visited it suffices to show it has a prefix that is not visited. Therefore, assume
166
πk+1PAc is minimal to satisfyNotExploredPath, i.e. has no strict prefixes that satisfy it. If


∃ n0 ≤ k. ∃ n0 + 1 ≤ n1 < k.








∀ v ∈ domqn1+1PAc . driver (v , n1 + 1) = driver (v , n0 + 1)


then sinceπn1+1PAa is by construction equivalent toπ
n1+1
PAc we have thatπ
n1+1




∃ n0 ≤ k. ∃ n0 + 1 ≤ n1 < k.


















we obtain thatqn1+1PAa ⊆ q
n0
PAa . And therefore the pathπ
n1+1
PAa is not visited and sinceπ
n1+1
PAa is a
prefix ofπk+1PAa , the latter is not visited either.
Part 2 We show that the set of paths that do not satisfyNotExploredPath is finite:
ExploredPaths ≡ {πkPAc | k ∈ N ∧ ExploredPath π
k
PAc }
|ExploredPaths| < ∞ (6.75)
The proof of Equation 6.75 is based on showing the claim below, which implies thatExploredPaths
contains only paths of length up to a constantk0 and therefore it is finite.




To prove Equation 6.76 we observe that a pathπk+1PAc may contain at most|QPAc 1| transitions that
do not exclusively copy the parcel’s state into the next state:




6⊆ StateFanOut i }
|NonCopyTrans| ≤ |QPAc 1| (6.77)
167
Equation 6.77 is proven by contradiction. If it does not hold we can construct a runσPAc that
does not terminate. If|NonCopyTrans| > |QPAc 1| then there must be two indicesi1 < i2 in
NonCopyTrans such thatqi1PAc = q
i2







ti2−1PAc−→ qi1PAc · · ·
We now return to Equation 6.76. We need to findk0 large enough so thatπ
k+1
PAc admits a large
enough subsequence of transitions that only copy the parcel’s state:
∃ n < m ≤ k.






For i ∈ {n+ 1, . . . , m } we define the function
driver i = { (v, driver (v , i)) | v ∈ domqiPAc }
Since for all states at indices betweenn+ 1 andm the parcel registers take their value from parcel
values at stepn+ 1, the number of different values thatdriver can take is bounded by
2|QPAc 1|×|QPAc 1|×|domq
n+1
PAc | ≤ 2|QPAc 1|×|QPAc 1|×|RegPcl|
Therefore whenm−n−1 is large enough there will existn0 andn1 such thatdriver n0 = driver n1
which implies
∀ v ∈ domqn1+1PAc . driver (v, n1 + 1) = driver (v , n0)
Denote byt the number of non-copying transitions inπk+1PAc and bys the largest subsequence of
copying transitions inπk+1PAc . There are at mostt+1 copying subsequences inπ
k+1
PAc because copying
subsequences are separated by at least one non-copying transition.We therefore obtain:





k − |QPAc 1|
|QPAc 1|+ 1
(sincet ≤ QPAc 1)
The longest subsequence is at least
k − |QPAc 1|
|QPAc 1|+ 1
. Therefore, we choosek0 so that
k0 − |QPAc 1|
|QPAc 1|+ 1
> 2|QPAc 1|×|QPAc 1|×|RegPcl|
168
The following theorem states correctness of the abstraction algorithm.
6.5.3 Theorem(Path Abstraction). If the runs of the concrete parcel automatonpac 1 are terminat-
ing then Algorithm 6.3 performs path abstraction of the concrete parcel autom tonpac 1.
Proof. We use Lemma 6.5.2 that states that the algorithm visits a finite number of concrete paths,
which implies that if a stateqkPAa is on the stack then there is a point in the execution of the algorithm
whenqkPAa is popped off the stack and extended by Algorithm 6.1.
We prove the following two claims by induction.
(i) If ExploredPath πkPAc then the algorithm creates the abstract stateq
k
PAa that is reachable along
a pathπkPAa =PA π
k










(ii) For anyπkPAc the abstraction algorithm constructs an abstract stateq
k
PAa which is reachable
along a pathπkPAa equivalent toπ
k
PAc .
Base Casek = 0. The concrete pathπ0PAc consists of a single initial stateq
0
PAc . At lines 4–11 the







Inductive CaseWe assume that the two claims are true fori ≤ k and prove it fork + 1.
Claim (i) We need to show that ifExploredPath πk+1PAc then the algorithm creates the abstract














SinceExploredPath πk+1PAc holds, its prefixπ
k
PAc also satisfies the predicateExploredPath. By









˜fk−1step . And further,q
k









path〉 is eventually popped
off the stack at line 13. The stateqkPAa is then extended by abstract steps corresponding to the equiva-









path ∧ [PclStep]bool (Ṽstep
k
). The path extension algorithm there-
fore constructs an abstract steptkPAa that is equivalent tot
k
PAc and an abstract stateq
k+1
PAa reachable
by a path equivalent toπk+1PAc . The abstraction algorithm then performs the check at line 27 which













step is then pushed onto the stack.
169
Claim (ii) If πk+1PAc satisfiesExploredPath then this case reduces to the previous one.
Consider the maximal prefixπnPAc of π
k+1
PAc such thatExploredPath π
n
PAc holds. By induction the






However, the pathπn1+1PAc is not visited because


∃ n0 ≤ k. ∃ n0 + 1 ≤ n1 < k.












Equation 6.79 implies thatqn1+1PAc ⊆ q
n0+1
PAc , therefore
πPAc 1 = π
n0+1
PAc
tn1+1PAc−→ · · ·
tkPAc−→ qk+1PAc
is a path inpac 1 of length less equal tok. By induction there exists an equivalent abstract path
πPAa 1 =PA πPAc 1. Since the equivalence class of a concrete path is visited only once, the path
πPAa 1 continues the pathπ
n0+1
PAa .
πPAa 1 = π
n0+1
PAa
tn1+1PAa−→ · · ·
tkPAa−→ qk+1PAa
We modify the pathπPAa 1 by splicing in the path segment
qn0+1PAa
tn0+1PAa−→ · · · qn1PAa
tn1PAa−→ qn1+1PAa
The resulting pathπPAa 2 is equivalent toπ
k+1
PAc .
πPAa 2 = π
n0+1
PAa
tn0+1PAa−→ · · · qn1PAa
tn1PAa−→ qn1+1PAa
tn1+1PAa−→ · · ·
tkPAa−→ qk+1PAa
Because abstract states could be reached on different paths in the DFSalgorithm, due to either back
edges or cross edges, it is not generally the case that














Figure 6.4: Pipeline model with stall and exclusive paths.
We use the example in Figure 6.4 to illustrate the result produced by the abstraction lgorithm.
There are two possible paths through the pipeline:
vi −→ r1 −→ r2 −→ r3 −→ vo
vi −→ r1 −→ r3 −→ vo
When the parcel inr1 produces outputvc1 = 0, it transfers tor2. Whenvc1 = 1 it should transfer
to r3. If both the parcel inr1 andr2 need to transfer tor3, the one inr2 is given priority. This means
the parcel inr1 stalls.
The concrete parcel automatonpac 1 is succinctly described in Figure 6.5. The figure represents the
two types of paths that are possible through the pipeline and uses symbolic values. Transition labels
that such thatectrlc = ∅ are not shown. The result of Algorithm 6.3 is shown in Figure 6.6. The two
concrete paths∅ −→ { r1 = a0 } and∅ −→ { r1 = b0 } are indistinguishable during abstraction
and are therefore represented by the same abstract path∅ −→ { r1 = α0 }. The abstract valueα0








vc1 = 1vc1 = 0
vc1 = 0
r3 = a2 r3 = b1
Figure 6.5: Partial representation ofpac 1 using symbolic values.
satisfied bya0 and another two satisfied byb0. Because of the self loops{ r1 = α0 }
vc1 = 0−→ { r1 =
α0 } and{ r1 = α0 }
vc1 = 1−→ { r1 = α0 } the abstract automaton can represent paths that are a mix
of distinct paths of the concrete automaton:
∅ −→ { r1 = α0 }
vc1 = 0−→ { r1 = α0 }




vc1 = 1vc1 = 0
r3 = α1 r3 = β1
r1 = α0
∅
vc1 = 1vc1 = 0
Figure 6.6: Partial representation ofpaa constructed by Algorithm 6.3.
173
In the rest of the section we generalize the idea behind Algorithm 6.3 so thatL(p a) = L(pac 1).
The abstract parcel automaton contains paths that are not possible in the concr te one due to the fact
that constraints corresponding to paths that have a common prefix are solved independently. The
constraint the algorithm uses when expanding an abstract state corresponds to the conjunction of
the step formulas that represent the path currently explored. The natural generalization is to replace
path formulas by a conjunction of formulas representing all the abstract transitions discovered so
far by the DFS procedure.
We recall the representation of parcel steps in propositional logic introduced in Section 6.3. The set

















and the formula that encodes a parcel step from a stateqkPAc is given by[PclStep]bool (Ṽstep
k
). The
equivalence class of a parcel step was represented by the formula below:






















if there exists an environmentekstep c ∈ Env(Ṽstep
k
) satisfying Equation 6.52 up to Equation 6.57
and





Given a propositional formulaf , v a variable andV = { v1, . . . , vn } a set of variables, we use the
following standard notation:







(∃V ) v ≡ (∃ v1) (· · · (∃ vn) f)




PAc ) from stateq
k
PAc is equivalent

















The path extension procedure (Algorithm 6.1) uses the satisfiability solver toextract all the concrete
174
parcel steps











that are possible from a concrete stateqkPAc constrained byConstraintk, whereConstraintk =
fkpath in the first version of the abstraction algorithm.
We say the non-empty set of steps
{ (qkPAc , t
k
PAc i1 , q
k




PAc ir , q
k
PAc ir) }






































Note that to represent an exact set of parcel steps in a formulaConstraintk we must have multiple
































The generalized abstraction algorithm is shown in Algorithm 6.4. The actual abstraction is per-
formed by the recursive procedureAbstractRecdescribed in Algorithm 6.5.
The idea in algorithm in Algorithm 6.5 is similar to the one in Algorithm 6.3. The generaliz d
algorithm finds exact sets of parcel steps that continue the abstract statehat was popped off the
stack. For each such subset it makes a recursive call that passes theupdat d DFS state of the current
instance ofAbstractRec. The algorithm makes use of a functionCopyPclthat returns a fresh copy
of the DFS digraph (partially constructed abstract parcel automaton). Ifa recursive call is made the
current instance returns since the recursive calls cover all the possible cases.




Output : 〈QPAa ,RPAa ,TPAa , IPAa〉
〈QPAa ,RPAa ,TPAa , IPAa〉 := 〈{ finalPAa }, ∅, ∅, ∅〉1
foreachp ∈ InitParcels do2
q0PAa := newAbstractState(p)3
dom0ctrl := ∅4
IPAa 0 := { q
0
PAa }5
QPAa 0 := { q
0
PAa }6
RPAa 0 := ∅7
TPAa := ∅8
Constraint0 := ∅9






AbstractRec〈〈IPAa 0,QPAa 0,RPAa 0,TPAa 0〉,Constraint0,Stack0,Visited0〉12
end13
Algorithm 6.4: Abstraction Algorithm II
Proof. The same technique used in Lemma 6.5.2 to prove termination of Algorithm 6.3 is also
applicable here.
6.5.5 Theorem.If the runs of the concrete parcel automatonpac 1 are terminating then the abstract
parcel automatonpaa has the same language as the concrete parcel automatonpac 1.
Proof. The abstract parcel automaton consists of the union of the parcel automatareturned at
lines 25–28 in Algorithm 6.5. These parcel automata can only share the set of sta es{ ∅, finalPAa }.
When such a parcel automaton is returned, all the edges of the finite paths thit represents are
encoded in the global constraintConstraintn in the procedureAbstractRec. The invariant of the
algorithm is that the global constraint is always satisfiable. It therefore follows that for each finite
path throughpaa there exists an equivalent one inpac 1. We can apply Lemma 6.1.4 on page 143 to
prove the inclusionL(paa) ⊆PA L(pac 1). The other inclusion holds since the algorithm performs
path abstraction.
It is possible that for the abstract parcel automatonpaa returned by Algorithm 6.4 language equality
between the concrete and abstract pipelines does not hold. This happens wh parcel input variables
and parcel variables that are assignedchoice occur in several parcel steps of the abstract parcel
automaton. In this case,Dpspaa returnschoice for a combination of values that does not show up
on the edges of the parcel automaton.
To solve this problem, we need to modify the parcel automata returned at lines 25–28. Instead of a
parcel automaton with abstract valuesAbstractRecreturns one based on a solution to the constraint
176
Input : 〈〈IPAa n,QPAa n,RPAa n,TPAa n〉,Constraintn,Stackn,Visitedn〉
Output : updates〈IPAa ,QPAa ,RPAa ,TPAa〉
while Stackn 6= ∅ do1
〈qkPAa , dom
k
ctrl 〉 := popStackn2
foreachset of exact stepsExactStepskn of 〈q
k
PAa ,Constraintn〉 do3
〈IPAn+1,QPAn+1,RPAn+1,TPAa n+1〉 := CopyPcl〈IPAn,QPAn,RPAn,TPAa n〉 (n+ 1)4
Stackn+1 := CopyPclStackn (n+ 1)5




foreach (qkPAa , t
k
PAa j , q
k+1
PAa j) ∈ ExactSteps
k
n+1 do8
QPAa n+1 := QPAa n+1 ∪ { q
k+1
PAa j }9
TPAa n+1 := TPAa n+1 ∪ { t
k
PAa j }10




PAa j , q
k+1
PAa j) }11

















// Perform the substitution in Equation 6.65
f̃kstep j := update(f
k
step j , dom
k+1
ctrlj)14
Constraintn+1 := Constraintn ∧ f̃kstep j15
// Is qk+1PAa j visited on the current path?
// The test holds vacuously for finalPAa
if ¬(dom k+1ctrlj = ∅ ∧ ∃ q
l
PAa ∈ Stackn+1 ∩ Visitedn+1. q
k+1
















// Recursive call for the current set of successors.
AbstractRec〈〈QPAa n+1,RPAa n+1,TPAa n+1〉,Constraintn+1,Stackn+1,Visitedn+1〉21
end22
// The DFS algorithm was finished by the recursive calls.
return23
end24
// There were no recursive calls
IPAa := QPAa ∪ IPAa n25
QPAa := QPAa ∪ QPAa n26
RPAa := RPAa ∪ RPAa n27
TPAa := TPAa ∪ TPAa n28
Algorithm 6.5: Recursive Abstraction ProcedureAbstractRec.
177
Constraintn. We then use a simulator to find out the values produced by datapaths underparc l
input combinations that are not known from the parcel steps.
6.6 Case Studies
This section describes our implementation results in the Bluenose II design andverification tool.
Our abstraction algorithm was tested with several designs: theDiffAddMult arithmetic pipeline, an
edge detector and a two-wide superscalar OpenRISC microprocessor.









Figure 6.7: Pipeline stage template.
Our case studies were designed using a library of reusable design components calledPipeNet[Hig-
gins and Aagaard, 2005]. The main building block thatPipeNetuses is the pipeline stage. With
PipeNet, the design consists of a collection of interconnected blocks that represent the pipeline cir-
cuit and associated memories, register files and other design components such as hazard detection
units. Within a stage,PipeNetprovides a clean separation between datapath and control. The struc-
ture of a stage is described in Figure 6.7. The parcel that enters the stageis sel cted by the mux
InterfacePrevand is stored in the stage register. When it eventually exits, its value is copied through
the demuxInterfaceNext.
178
Parcel flow through the stage and through the pipeline is coordinated usinga request-accept pro-
tocol. Parcels move from one stage to another by generating requests which, if granted an accept,
lead to the parcel transferring to one of the requested stages. The request-accept protocol has a
distributed implementation. Requests and accepts propagate through the pipeline, without the need
of global control.
Inside a stage, the request accept protocol is implemented by the three remaining blocks:Arbiter,
MakeReqAcc, andInterfaceNextReqAcc. The role of the arbiter is to prioritize the incoming requests
and drive the select signal of theInterfacePrevmux. TheMakeReqAccblock maintains the occupa-
tion status of the stage and calculates whether the stage will be able to accept the request of another
based on whether its own request has been granted. The request thatthe p rcel in the current stage
makes, originates as a control output of the stage datapath, which by convention is calledselN .
InterfaceNextReqAccacts as the relay for the request-accept protocol with the downstream stages.
The concept of pipeline models presented in Chapter 3 is a natural generalization of PipeNet. The
PipeNettemplate provides clear boundaries between datapath and control. Betweenstag s, parcel
values are only copied through muxes or demuxes, which corresponds tothe assignment of if-then-
else parcel expressions in the pipeline model. Among the generalizations brought by the pipeline
model are the dissolution of stage boundaries and the hiding of the request-accept protocol. The
stage datapaths are replaced by combinational datapath modules with multiple input and output
parcel variables. Datapaths are allowed to consume both primary parcel input variables and parcel
registers. The protocol used byPipeNetto synchronize multicycle datapaths has also been hidden
away.
Stage datapaths can take multiple cycles to compute their result. During this time the pipeline stage
is busy, and it will not generate or accept requests and the enable signal of the stage register is not
asserted. Multicyle datapaths use a simple protocol to start their computation and to signal when
the result is available. An input control signal of the datapath is used to start the computation, and
respectively, an output signal of the datapath is asserted in the cycle when the computation is done.
In the pipeline model, multicycle datapaths are represented by combinational datapaths that take
as additional input and output parameters the registers corresponding tothe internal state of the
multicyle datapath.
In a PipeNetdesign, the parcel map is defined using the pipeline stages or primary input variables.
For combinational datapaths, parcels are singletons that consist of a stage register. For sequential
datapaths, the parcel consists of both the stage register and the additionalparcel registers of the
multicycle datapath. The proof obligations for the parcel map (Section 5.1) are simplified by the
fact that parcels are singletons when they transfer into a stage. The stateof multicycle datapaths is




The abstraction algorithm is implemented in Bluenose II [Chan et al., 2007], a tool for the design
and verification of pipelined circuits. The high-level description of a pipeline design is input into the
tool using block diagrams in a visual editor based on the Eclipse Graphical Modeling Framework
or textually using the Groovy Builder syntax [Koenig et al., 2007].
PipeStage(name: ’sub stage’,next : [’neg stage’, ’addstage’, ’multstage’]){
BlkInterface () {
Parcel(name: ’pclIn’, vhdlType : ’pcl sub ty’, direction : ’IN’)
Parcel(name: ’pclOut’, vhdlType : ’pcl neg ty’, direction : ’OUT’)
}








Figure 6.8: Combinational stage.
We recall theDiffAddMultexample first introduced in Chapter 3. Figure 6.8 and Figure 6.9 illustrate
how a combinational and, respectively, a sequential stage are represented in Bluenose II. The user
describes the parcel ports of the stage and provides annotations for thedatapath. The datapaths have
standalone user provided VHDL implementations which are referenced from m del file. Multicycle
datapaths have additional annotations describing the start and finish control por s.
Bluenose II generates hierarchical VHDL for the pipeline model and uses the Mentor Graphics Pre-
cision RTL synthesis tool to create a hierarchical gate-level netlist of the design. At this stage, the
netlist contains black boxes that in a design flow are implemented using the target FPGA technol-
ogy. We have reverse engineered using trial and error close to twenty such black box operators for
which we have provided generic gate-level VHDL implementations. Further rounds of synthesis
are performed to rewrite recursively all the black box operators with gatelevel implementations. A
translation to the NuSMV model checker [Cimatti et al., 2002] is made available byproviding se-
mantics of the primitive gates in the model checker’s language. Identifying thecorr ct semantics of
the various types of flip-flops was the most challenging aspect in adding support for NuSMV.




Parcel(name: ’pclIn’, vhdlType : ’pcl neg ty’, direction : ’IN’)
Parcel(name: ’pclOut’, vhdlType : ’pcl mult res ty’, direction : ’OUT’)
}












Figure 6.9: Sequential Stage
gorithm exploits theselN andfinished signals produced by the pipeline datapaths to compute the
possible parcel steps for the abstract state at the top of the stack. TheselN signal uses a one hot-
encoding to represent the stage the parcel needs to go next. The successor states of the parcel state
correspond to the stages that are encoded by a1 in the selN vector. For multicycle stages, when
the value of thefinished signal is0, the next parcel automaton state consists of the current parcel’s
value and the next datapath state. Once abstraction is done, the tool generates VHDL for abstract
datapaths represented by the parcel automaton. Control properties of the resulted pipeline are then
verified using a model checker.
The path formula corresponding to a multiply operation in theDiffAddMult example is shown in
Figure 6.10. The path formula is satisfied by computations of the concrete parc l automaton of
form
Sub
selN Sub = 001−→ Neg
selN Sub = 10−→ Mult
finishedMult = 0−→
Mult
finishedMult = 0−→ Mult
finishedMult=1
selNMult = 0−→
In the path formula the first instance of theMult datapath is used to put the datapath in the reset
state. Corresponding to the internal registers of the datapath, the formula contains constraints that
181
Neg




































Figure 6.10: Example of path formula forDiffAddMult.
ensure updates to the registers in the current cycle propagate into the copy of the registers in the
next cycle.
The abstract parcel automaton forDiffAddMult is represented in Figure 6.11. Our implementation
uses the MiniSat solver [Een and Sorensson]. The datapath of the 32-bit version ofDiffAddMult
has a total of 22881 gates. After abstraction, the total becomes 148. The path problems require 56
SAT problems with a cumulative time of 94 seconds. The maximum memory used is 39.8MB and
maximum time is 5 seconds.
Another example that we used illustrates the ease of applying abstraction with Bluenose II to circuits
that were not designed with verification in mind. We imported with minimal effort thedesign of
a Kirsch edge detector that was originally created for a course project. The circuit consists of a






















































f in ished=1,  selN=1
Figure 6.11:DiffAddMultabstract parcel automaton.
in Figure 6.12. The concrete datapath had 2200 gates and was reduced toonly 144 gates, with a
cumulative time of 33 seconds for 32 SAT problems, using less than 3.5MB of memory.
6.6.3 Abstraction Of The OpenRisc Processor
Our OpenRISC processor is a two-wide superscalar pipeline for the ORBIS32 32-bit integer RISC
instruction set; it contains a cyclic path, uses bubble squashing, and execut s instructions in program
order. Our OpenRISC design implements 47 of the 52 instructions — all instructions except those
that require operating system support or special-purpose registers.The ORBIS32 instruction set
architecture uses a load/store approach and defines a flag condition code register that is used for
conditional branch operations.
In Figure 6.13, parcel connections are shown as thick lines and normal sign ls are shown as thin
lines. The three grey parcel connections are secondary paths that can be used to squash bubbles in
the event that the primary path is stalled. For example,IF0 will use the secondary pathIF0 −→ ID1
































f in ished=1,  selN=1
Figure 6.12: Abstract parcel automaton of edge-detector
184
Instruction Class Instruction Listing
Arithmetic add, addc, addi, mul, muli, mulu, sub
Logical and, andi, or, ori, rori, sll, slli, sra, srai, srl, srli, xor, xori
Control flow bf, bnf, j, jal, jalr, jr
Flag set sfeq, sfges, sfgeu, sfgts, sfgtu, sfles, sfleu, sflts, sfltu, sfne
Load/Store lbs, lbz, lhs, lhz, lws, lwz, sb, sh, sw
Misc nop, movhi
Not implemented trap, rfe, mfspr, mtspr, sys















Parcel connection Normal signal
Secondary parcel connection
Figure 6.13: OpenRisc pipeline
tions: multiply instructions use a sequential datapath inside the stage and shift/rotate instructions
loop through the stage multiple times. We chose these two different methods of doing multi-cycle
operations to illustrate that our abstraction supports both. Latencies through the ALU vary from one
clock cycle for simple instructions to four clock cycles for multiplications.
Structural reduction [Beer et al., 1994] removes the register file, instruction memory, data memory,
185
and program counter. The source end of the parcel connections from the program counter toIF0
andIF1 become unconnected. Similarly, the target end of the parcel connections from the writeback
stages become unconnected. Each unconnected source end is then conn cted to a top pseudo stage
and each unconnected target end is connected to a bottom pseudo stage.The grey control circuits
are preserved, because they are connected to control circuits within stages, not to the datapaths.
The unconnected source ends on non-parcel data signals to datapaths(e.g. , data outputs from the
register file and memory) become non-deterministic inputs to the datapaths. We then apply our
abstraction algorithm (Algorithm 6.3) to the pipeline, replace the datapaths in thepipeline with the
abstractions, and generate an abstract pipeline.
Figure 6.14: OpenRisc abstract parcel automaton
Figure 6.14 shows the abstract operation graph for OpenRisc. There are a total of 35 paths through
the operation graph, representing the 35 paths through the pipeline. It mayseem surprising that
there are so many distinct paths in this processor, but they really do all exist. The paths include all
possible combinations of an instruction being fetched into IF0 or IF1, primaryand secondary paths
through ID and IF, and multi-cycle operations through ALU.
There are 35183 gates in the concrete processor and only 2047 gates after abstraction. The concrete
186
datapath accounts for 30341 gates and the abstract one for 1458 gates. The abstraction algorithm
generated 334 SAT problems. Cumulative SAT solver time is 536 seconds with amaximum of
51.7MB of memory used.
6.7 Summary
Path abstraction performs an implicit DFS like traversal of the concrete parcl utomaton using a
SAT solver. The algorithm uses propositional formulas called path formulasthat stand for equiva-
lence classes of finite path prefixes in the concrete automaton. The algorithmmaps a set of equiva-
lent paths of the concrete automaton to an abstract state. Our methodology has been validated with
several datapath intensive pipelined designs. The most complex design is atwo-wide superscalar





Formal methods are techniques that use mathematical reasoning to prove correctness of hardware
and software systems. The main challenges to their wide adoption are automationand capacity.
There are two main directions in formal methods that differ with respect to howt ey represent the
behaviour of the system. In the deductive approach the behaviour of thesystem is described by logic
terms that are derived syntactically from the the text of the program. Such methods support reason-
ing about very general implementations, proving correctness about programs that use unbounded
memory or have parameterized implementations with an unbounded number of components. The
difficulty in applying deductive techniques is often due to the fact that the und rlying logic is not
decidable and thus algorithmic approaches are not complete. They instead rely on the user to guide
the proof. The other approach in formal verification is to apply automatic reasoning to the finite ex-
plicit representation of the program. This representation is often given asa state machine or Kripke
structure. Automatic verification is performed by exploring the state space ofthe system. In this
approach the challenge is to overcome the state space explosion problem due to the size of the state
space being exponentially larger than the text of the program. In automatic approaches the state
explosion problem is alleviated using abstraction and decomposition.
The most complex hardware designs are found in today’s microprocessors. C mmonly encountered
optimizations are out-of-order speculative execution, register renaming and dynamic scheduling.
Pipelining is a ubiquitous technique in these designs whereby the execution ofinstructions is de-
composed into a sequence of operations performed at different stagesin the pipeline. Pipelining
increases the utilization of the circuit and the throughput of instructions, i.e.the rate at which in-
structions come out of the pipeline. Pipelining brings challenges to both designand verification.
Pipeline hazards are the equivalent of race conditions in multi-threaded software. The hazards are
denoted by conditions related to the concurrent execution of instructions. Data and control hazards
refer to the requirement that the overlapped execution of the instructions inthe pipeline have the
188
same effect as if the instructions were executed one at a time in program order. Structural hazards
occur due to resource contention in the pipeline. Their incorrect resolution may lead to resource
starvation or deadlocks.
The challenges in the formal verification of pipelined circuits arise in both specification of correct-
ness and verification. The definitions of correctness statements for pipelined c rcuits, such as the
ones based on simulation, must relate a pipeline state to a specification state. Due topipelining, the
implementation variables that correspond to the specification reflect the overlapp d updates made
by the various instructions in the pipeline. It is therefore not straightforward to relate the imple-
mentation with a sequential specification that executes one instruction at a time. Flushing based
correctness [Burch and Dill, 1994] mitigates this factor using a pipeline specific form of abstraction
called flushing. Flushing transforms an implementation state by completing all in-flight instructions
without fetching new ones. Another approach to pipeline correctness is formulated in terms of the
correct resolution of hazards [Aagaard, 2003]. This approach is proven to imply the commuting
diagram based on flushing. Hazard based correctness has the advantage that correctness can be
formulated more easily in terms of pipeline specific behaviour. The state explosion problem in the
automatic verification of pipelined circuits arises mainly due to the presence of wide datapaths and
memories. Abstraction of memories and datapath is the natural approach to the verification of the
control.
Model checking is an automated approach to formal verification. With model checking, correctness
properties are defined in temporal logic and verified by state space exploration. To verify systems
with large state spaces model checking uses symbolic representations of thetate space [Burch et al.,
1992], abstraction and decomposition.
Our work is concerned with datapath abstraction for the verification of the control circuitry of
pipelined circuits using model checking. Due to the interaction between datapath nd control, data-
path abstraction must be precise enough so that control properties that are sensitive to the paths and
latencies through the pipeline are satisfied by the abstract pipeline.
In Chapter 4 we formalize the pipeline datapath as a state machine called a parcel automaton. The
parcel automaton describes the execution of a parcel by the pipeline. It captures the paths parcels
take through the pipeline, the transformations that they undergo and the control visible effects they
produce. Consequently, the parcel automaton is a representation of the pipeline datapath and its
abstraction induces an abstraction of the datapath. Parcel automata allow usto rea on about abstrac-
tions of the pipeline datapath in terms of simulation and language containment for parcel automata.
Conversely, abstract parcel automata can be thought of representingabstract datapaths. Substitution
of the concrete datapath by the abstract one induced by the abstract parcel automaton is a form of
abstract interpretation. In Chapter 5 we show the soundness of abstraction using parcel automata is
proven by showing that simulation and language containment on parcel autom ta transfer to sim-
189
ulation and language containment between the concrete pipeline and the abstract one obtained by
abstract interpretation.
Chapter 3 describes the model of pipelined circuits as a network of parcelvariables and datapath
instances through which parcels flow as coordinated by the control circuitry. The variables of the
circuit are divided into datapath and control. The separation is enforcedby syntactic restrictions
on the type of expressions that can be assigned to each of the two kinds ofvariables. Control
variables can be assigned only expressions over control variables. Parcel variables on the other
hand, act as output parameters to the datapath instances or can be assignd if-then-else expressions
that correspond to mux trees, the leaves of which are parcel variables,constants or non-deterministic
choice, and the select signals of the mux nodes are Boolean control expressions. The datapath
instances are modeled as combinational circuits with annotations describing theparcel and control
variables. The control and the datapath interact through the control input a d output variables of the
datapaths. Abstract interpretation of the datapath is performed by replacing the concrete datapaths
by abstract ones. The type of the pipeline parcel variables is adjusted accordingly. The control is
left unchanged.
A parcel represents a group of related values which propagate togetherduring a pipeline computa-
tion. Both the values of the parcel and the variables that hold them change during the computation
of the pipeline. In a particular pipeline step, the parcel is identified by its variables, which can
be register and combinational. We define parcels as non-empty subsets of parcel variables. Parcel
automata are labeled transition systems that describe parcel computations. The tate of a parcel is
an environment over the parcel’s registers. The transitions denote the movement of the parcel from
the current state variables into the the next-state variables in one pipeline step. The transition label
captures the value transformation through the datapaths, the effect on thecontrol variables and the
path through the combinational circuitry.
In a pipeline computation multiple parcel computations take place simultaneously. A very important
characteristic of the parcel computations that coexist during a computation ofthe pipeline model,
is that within a pipeline step they do not share parcel variables or datapaths. Thi property of
pipeline computations is called parcel independence, or parcel separation and is formalized using
parcel maps. Parcel separation is an inductive property that states thatthe parcel arguments of
each datapath belong to the same parcel. Parcel separation implies that the runs of the pipeline
model decompose into runs of the parcel automaton. The proof obligations for parcel independence
are based on propositional formulas that unfold the pipeline model for oneor two consecutive
steps. Parcel independence is used to prove Theorem 5.3.1 that states that commuting diagrams
between the concrete and abstract parcel automaton states imply a commuting diagram between
the containing concrete and abstract pipeline states. Theorem 5.3.1 is usedto prove soundness of
abstraction using parcel automata for simulation in Theorem 5.4.1 and respectively, for language
190
containment in Theorem 5.4.8.
The technique for abstracting parcel automata is called path abstraction andis defined in Chap-
ter 6. Path abstraction performs an implicit DFS like traversal of the concreteparcel automaton
using a SAT solver. The algorithm uses propositional formulas called path formulas that stand for
equivalence classes of finite path prefixes in the concrete automaton. Thealgorithm maps a set of
equivalent paths of the concrete automaton to an abstract state. The abstract state represents all the
concrete states that are reachable by concrete paths in the corresponding equ valence class. The
main property of this construction is stated in Lemma 6.1.1: the abstract automaton thus defined
simulates the concrete parcel automaton. At each iteration, the algorithm findsall extensions of the
path formula at the top of the stack that stands for an equivalence class ofpaths of lengthk. In the
DFS traversal this corresponds to visiting the successors of the currently r ached abstract state. If
a variable in the domain of a newly created abstract state is in the fan-out of adatapath, it receives
a fresh abstract value. Otherwise the variable gets its value from a variable in the previous abstract
state. The algorithm terminates if at some point during abstraction new abstract values are no longer
created. This corresponds to the concept of terminating paths in the concrete parcel automaton. A
path is terminating if it has an infinite suffix in which datapath outputs do not fan-out into next state
variables.
Our methodology has been validated with several datapath intensive pipelined designs. The most
complex design is a two-wide superscalar OpenRISC microprocessor. There are 35183 gates in the
concrete processor and only 2047 gates after abstraction. The concrete datapath accounts for 30341
gates and the abstract one for 1458 gates. The abstraction algorithm generated 334 SAT problems.
Cumulative SAT solver time is 536 seconds with a maximum of 51.7MB of memory used.
191
Bibliography
Mark Aagaard. A hazards-based correctness statement for pipelinedcircuits. InCHARME, pages
66–80, 2003.
Mark D. Aagaard, Vlad C. Ciubotariu, Jason T. Higgins, and Farzad Khalvati. Combining equiva-
lence verification and completion functions. In Alan J. Hu and Andrew K. Martin, editors,Formal
Methods in Computer-Aided Design, volume 3312 ofLecture Notes in Computer Science, pages
98–112. Springer Berlin / Heidelberg, 2004.
Zaher S. Andraus and Karem A. Sakallah. Automatic abstraction and verification of verilog models.
Design Automation Conference, 0:218–223, 2004.
Zaher S. Andraus, Mark H. Liffiton, and Karem A. Sakallah. Refinement strategies for verification
methods based on datapath abstraction. InASP-DAC ’06: Proceedings of the 2006 conference
on Asia South Pacific design automation, pages 19–24, Piscataway, NJ, USA, 2006. IEEE Press.
ISBN 0-7803-9451-8.
D.P. Appenzeller and A. Kuehlmann. Formal verification of a powerpc microprocessor. InCom-
puter Design: VLSI in Computers and Processors, 1995. ICCD ’95. Proceedings., 1995 IEEE
International Conference on, pages 79 –84, October 1995.
Ilan Beer, Shoham Ben-David, Daniel Geist, Raanan Gewirtzman, and Michael Yoeli. Methodology
and system for practical formal verification of reactive hardware. InDavid Dill, editor,Computer
Aided Verification, volume 818 ofLecture Notes in Computer Science, pages 182–193. Springer
Berlin / Heidelberg, 1994.
B. Bentley. Validating the IntelR© PentiumR© 4 microprocessor. InDesign Automation Conference,
2001. Proceedings, pages 244 – 248, 2001.
Sergey Berezin, Armin Biere, Edmund Clarke, and Yunshan Zhu. Combining symbolic model
checking with uninterpreted functions for out-of-order processor verification. In Ganesh
Gopalakrishnan and Phillip Windley, editors,Formal Methods in Computer-Aided Design, vol-
ume 1522 ofLecture Notes in Computer Science, pages 528–528. Springer Berlin / Heidelberg,
1998.
192
V. Bhagwati and S. Devadas. Automatic verification of pipelined microprocessors. InDesign
Automation, 1994. 31st Conference on, pages 603 – 608, 1994.
Per Bjesse. A practical approach to word level model checking of industrial netlists. InCAV ’08:
Proceedings of the 20th international conference on Computer Aided Verification, pages 446–
458, Berlin, Heidelberg, 2008. Springer-Verlag. ISBN 978-3-540-70543-7.
R.E. Bryant. Graph-based algorithms for boolean function manipulation.C mputers, IEEE Trans-
actions on, C-35(8):677 –691, 1986. ISSN 0018-9340.
Jerry Burch and David Dill. Automatic verification of pipelined microprocessor control. In David
Dill, editor, Computer Aided Verification, volume 818 ofLecture Notes in Computer Science,
pages 68–80. Springer Berlin / Heidelberg, 1994.
J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking:
1020 states and beyond.Information and Computation, 98(2):142–170, 1992. ISSN 0890-5401.
Ca Bol Chan, V. Ciubotariu, and M. Aagaard. Pipeline design and verification in Bluenose II. In
Electrical and Computer Engineering, 2007. CCECE 2007. Canadian Conference on, pages 1405
–1408, 2007.
Alessandro Cimatti, Edmund Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore, Marco
Roveri, Roberto Sebastiani, and Armando Tacchella. Nusmv 2: An opensource tool for symbolic
model checking. In Ed Brinksma and Kim Larsen, editors,Computer Aided Verification, volume
2404 ofLecture Notes in Computer Science, pages 241–268. Springer Berlin / Heidelberg, 2002.
E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent
systems using temporal logic specifications.ACM Trans. Program. Lang. Syst., 8:244–263, April
1986. ISSN 0164-0925.
Edmund M. Clarke and Jeannette M. Wing. Formal methods: state of the art and future directions.
ACM Comput. Surv., 28:626–643, December 1996. ISSN 0360-0300.
Edmund M. Clarke, Orna Grumberg, Hiromi Hiraishi, Somesh Jha, David E. Long, Kenneth L.
McMillan, and Linda A. Ness. Verification of the futurebus+ cache coherence protocol.Formal
Methods in System Design, 6:217–232, 1995. ISSN 0925-9856. 10.1007/BF01383968.
E.M. Clarke and R.P. Kurshan. Computer-aided verification.Spectrum, IEEE, 33(6):61 –67, June
1996. ISSN 0018-9235.
Patrick Cousot and Radhia Cousot. Abstract interpretation: a unified latticemod l for static anal-
ysis of programs by construction or approximation of fixpoints. InProceedings of the 4th ACM
193
SIGACT-SIGPLAN symposium on Principles of programming languages, POPL ’77, pages 238–
252, New York, NY, USA, 1977. ACM. doi: http://doi.acm.org/10.1145/512950.512973. URL
http://doi.acm.org/10.1145/512950.512973.
T.A. Diep and J.P. Shen. Systematic validation of pipeline interlock for superscalar microarchitec-
tures.Fault-Tolerant Computing, International Symposium on, 0:0100, 1995.
David L. Dill and John Rushby. Acceptance of formal methods: Lessonsfr m hardware design.
IEEE Computer, 29(4):23–24, apr 1996.
D.L. Dill, A.J. Drexler, A.J. Hu, and C.H. Yang. Protocol verification as a hardware design aid.
In Computer Design: VLSI in Computers and Processors, 1992. ICCD ’92. Proceedings., IEEE
1992 International Conference on, pages 522 –525, October 1992.
N. Een and N. Sorensson. The minisat page. URL
http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/.
M. J. C. Gordon and T. F. Melham, editors.Introduction to HOL: a theorem proving environment
for higher order logic. Cambridge University Press, New York, NY, USA, 1993. ISBN 0-521-
44189-7.
Aarti Gupta, Sharad Malik, and Pranav Ashar. Toward formalizing a validation methodology using
simulation coverage.Design Automation Conference, 0:740, 1997.
Anthony Hall. Seven myths of formal methods.IEEE Software, 7:11–19, 1990. ISSN 0740-7459.
A. Hartstein and Thomas R. Puzak. The optimum pipeline depth for a microprocess r. InPro-
ceedings of the 29th annual international symposium on Computer architecture, ISCA ’02, pages
7–13, Washington, DC, USA, 2002. IEEE Computer Society. ISBN 0-7695-1605-X.
Jason T. Higgins and Mark D. Aagaard. Simplifying the design and automatingthe verification of
pipelines with structural hazards.ACM Trans. Des. Autom. Electron. Syst., 10:651–672, October
2005. ISSN 1084-4309.
Pei-Hsin Ho, Adrian J. Isles, and Timothy Kam. Formal verification of pipelinecontrol using con-
trolled token nets and abstract interpretation. InICCAD ’98: Proceedings of the 1998 IEEE/ACM
international conference on Computer-aided design, pages 529–536, New York, NY, USA, 1998.
ACM. ISBN 1-58113-008-2.
C. A. R. Hoare. An axiomatic basis for computer programming.Commun. ACM, 12:576–580,
October 1969. ISSN 0001-0782.
194
Ramin Hojati and Robert K. Brayton. Automatic datapath abstraction in hardware systems. In
Proceedings of the 7th International Conference on Computer Aided Verification, pages 98–113,
London, UK, 1995. Springer-Verlag. ISBN 3-540-60045-0.
Ravi Hosabettu, Mandayam Srivas, and Ganesh Gopalakrishnan. Decomposing the proof of cor-
rectness of pipelined microprocessors. In Alan Hu and Moshe Vardi, editors, Computer Aided
Verification, volume 1427 ofLecture Notes in Computer Science, pages 122–134. Springer Berlin
/ Heidelberg, 1998. 10.1007/BFb0028739.
James K. Huggins and David Van Campenhout. Specification and verificationof pipelining in the
arm2 risc microprocessor.ACM Trans. Des. Autom. Electron. Syst., 3:563–580, October 1998.
ISSN 1084-4309.
Hiroaki Iwashita, Satoshi Kowatari, Tsuneo Nakata, and Fumiyasu Hirose. Automatic test program
generation for pipelined processors. InProceedings of the 1994 IEEE/ACM international con-
ference on Computer-aided design, ICCAD ’94, pages 580–583, Los Alamitos, CA, USA, 1994.
IEEE Computer Society Press. ISBN 0-89791-690-5.
Christian Jacobi. Formal verification of complex out-of-order pipelines bycombining model-
checking and theorem-proving. In Ed Brinksma and Kim Larsen, editors,Computer Aided Ver-
ification, volume 2404 ofLecture Notes in Computer Science, pages 211–226. Springer Berlin /
Heidelberg, 2002.
M. Kaufmann and J.S. Moore. An industrial strength theorem prover fora l gic based on common
lisp. Software Engineering, IEEE Transactions on, 23(4):203 –213, April 1997. ISSN 0098-5589.
doi: 10.1109/32.588534.
Dierk Koenig, Andrew Glover, Paul King, Guillaume Laforge, and Jon Skeet. Groovy in Action.
Manning Publications Co., Greenwich, CT, USA, 2007. ISBN 1932394842.
K. Kohno and N. Matsumoto. A new verification methodology for complex pipeline behavior. In
Design Automation Conference, 2001. Proceedings, pages 816 – 821, 2001.
Shuvendu Lahiri, Sanjit Seshia, and Randal Bryant. Modeling and verification of out-of-order mi-
croprocessors in uclid. In Mark Aagaard and John OLeary, editors,F mal Methods in Computer-
Aided Design, volume 2517 ofLecture Notes in Computer Science, pages 142–159. Springer
Berlin / Heidelberg, 2002.
Leslie Lamport. The hoare logic of concurrent programs.Acta Informatica, 14:21–37, 1980. ISSN
0001-5903.
195
Jeremy Levitt and Kunle Olukotun. Verifying correct pipeline implementation for microproces-
sors. InProceedings of the 1997 IEEE/ACM international conference on Computer-aid d de-
sign, ICCAD ’97, pages 162–169, Washington, DC, USA, 1997. IEEE Computer Society. ISBN
0-8186-8200-0.
Panagiotis Manolios and Sudarshan K. Srinivasan. Automatic verification of safety and liveness
for xscale-like processor models using web refinements.Design, Automation and Test in Europe
Conference and Exhibition, 1:10168, 2004. ISSN 1530-1591.
K. McMillan. Symbolic model checking: an approach to the state explosion problem. PhD thesis,
Pittsburgh, PA, USA, 1992. UMI Order No. GAX92-24209.
K. McMillan. Verification of an implementation of tomasulo’s algorithm by compositional model
checking. In Alan Hu and Moshe Vardi, editors,Computer Aided Verification, volume 1427
of Lecture Notes in Computer Science, pages 110–121. Springer Berlin / Heidelberg, 1998.
10.1007/BFb0028738.
K. McMillan. Parameterized verification of the flash cache coherence protocol by compositional
model checking. In Tiziana Margaria and Tom Melham, editors,Correct Hardware Design
and Verification Methods, volume 2144 ofLecture Notes in Computer Science, pages 179–195.
Springer Berlin / Heidelberg, 2001.
Steven P. Miller and Mandayam Srivas. Formal verification of the AAMP5 microprocessor: A case
study in the industrial use of formal methods. InWIFT ’95: Workshop on Industrial-Strength
Formal Specification Techniques, pages 2–16, Boca Raton, FL, April 1995. ieeecs.
Robin Milner. An algebraic definition of simulation between programs. Technical report, 1971.
P. Mishra, N. Dutt, A. Nicolau, and H. Tomiyama. Automatic verification of in-order execution in
microprocessors with fragmented pipelines and multicycle functional units. InProceedings of the
conference on Design, automation and test in Europe, DATE ’02, pages 36–, Washington, DC,
USA, 2002. IEEE Computer Society.
Prabhat Mishra and Nikil Dutt. Graph-based functional test program generation for pipelined pro-
cessors. InProceedings of the conference on Design, automation and test in Europe- Volume 1,
DATE ’04, pages 10182–, Washington, DC, USA, 2004. IEEE ComputerSociety. ISBN 0-7695-
2085-5-1.
Kedar Namjoshi and Robert Kurshan. Syntactic program transformations for automatic abstraction.
In E. Emerson and A. Sistla, editors,Computer Aided Verification, volume 1855 ofLecture Notes
in Computer Science, pages 435–449. Springer Berlin / Heidelberg, 2000.
196
C. Norris IP and David L. Dill. Better verification through symmetry.Formal Methods in System
Design, 9:41–75, 1996. ISSN 0925-9856. 10.1007/BF00625968.
V. Paruthi, N. Mansouri, and R. Vemuri. Automatic data path abstraction for verification of large
scale designs. InICCD ’98: Proceedings of the International Conference on Computer Design,
page 192, Washington, DC, USA, 1998. IEEE Computer Society. ISBN 0-8186-9099-2.
Amir Pnueli. The temporal logic of programs.Foundations of Computer Science, Annual IEEE
Symposium on, 0:46–57, 1977. ISSN 0272-5428.
Jun Sawada and Warren Hunt. Trace table based approach for pipelined m croprocessor verifica-
tion. In Orna Grumberg, editor,Computer Aided Verification, volume 1254 ofLecture Notes in
Computer Science, pages 364–375. Springer Berlin / Heidelberg, 1997.
Jens Skakkebak, Robert Jones, and David Dill. Formal verification of out-of-order execution using
incremental flushing. In Alan Hu and Moshe Vardi, editors,Computer Aided Verification, volume
1427 ofLecture Notes in Computer Science, pages 98–109. Springer Berlin / Heidelberg, 1998.
10.1007/BFb0028737.
Sudarshan K. Srinivasan and Miroslav N. Velev. Formal verification ofan intel xscale processor
model with scoreboarding, specialized execution pipelines, and impress data-memory exceptions.
Formal Methods and Models for Co-Design, ACM/IEEE International Confere ce on, 0:65, 2003.
Moshe Vardi. An automata-theoretic approach to linear temporal logic. In Faron Moller and Graham
Birtwistle, editors,Logics for Concurrency, volume 1043 ofLecture Notes in Computer Science,
pages 238–266. Springer Berlin / Heidelberg, 1996.
Miroslav Velev. Automatic abstraction of memories in the formal verification of superscalar micro-
processors. In Tiziana Margaria and Wang Yi, editors,Tools and Algorithms for the Construction
and Analysis of Systems, volume 2031 ofLecture Notes in Computer Science, pages 252–267.
Springer Berlin / Heidelberg, 2001.
Miroslav N. Velev and Randal E. Bryant. Formal verification of superscale microprocessors with
multicycle functional units, exception, and branch prediction. InProceedings of the 37th Annual
Design Automation Conference, DAC ’00, pages 112–117, New York, NY, USA, 2000. ACM.
ISBN 1-58113-187-9.
Miroslav N. Velev and Randal E. Bryant. Effective use of boolean satisfi bility procedures in the
formal verification of superscalar and vliw microprocessors.Journal of Symbolic Computation,
35(2):73–106, 2003. ISSN 0747-7171.
197
Phillip Windley and Michael Coe. A correctness model for pipelined microprocessors. In Ramayya
Kumar and Thomas Kropf, editors,Theorem Provers in Circuit Design, volume 901 ofLecture
Notes in Computer Science, pages 33–51. Springer Berlin / Heidelberg, 1995.
P.J. Windley. Formal modeling and verification of microprocessors.Computers, IEEE Transactions
on, 44(1):54 –72, January 1995. ISSN 0018-9340.
F. Zaraket, J. Baumgartner, and A. Aziz. Scalable compositional minimization via static analysis.
In ICCAD ’05: Proceedings of the 2005 IEEE/ACM International conference on Computer-aided
design, pages 1060–1067, Washington, DC, USA, 2005. IEEE Computer Society. ISBN 0-7803-
9254-X.
198
