A Theoretical Framework for Symbolic Quick Error Detection by Lonsing, Florian et al.
A Theoretical Framework for Symbolic
Quick Error Detection
Florian Lonsing, Subhasish Mitra, and Clark Barrett
Computer Science Department, Stanford University, Stanford, CA 94305, USA
E-mail: {lonsing, subh, barrett}@stanford.edu
Abstract—Symbolic quick error detection (SQED) is a formal
pre-silicon verification technique targeted at processor designs.
It leverages bounded model checking (BMC) to check a design
for counterexamples to a self-consistency property: given the
instruction set architecture (ISA) of the design, executing an
instruction sequence twice on the same inputs must always
produce the same outputs. Self-consistency is a universal, design-
independent property. Consequently, in contrast to traditional
verification approaches that use design-specific assertions (often
generated manually), SQED does not require a formal design
specification or manually-written properties. Case studies have
shown that SQED is effective on commercial designs and substan-
tially improves design productivity. However, until now there has
been no formal characterization of its bug-finding capabilities. We
aim to close this gap by laying a formal foundation for SQED.
We use a transition-system processor model and define the notion
of a bug using an abstract specification relation. We prove the
soundness of SQED, namely that any bug reported by SQED
is in fact a real bug in the processor. Importantly, this result
holds regardless of what the actual specification relation is. We
next describe conditions under which SQED is complete, that is,
what kinds of bugs it is guaranteed to find. We show that for a
large class of bugs, SQED can always find a trace exhibiting the
bug. Our results enable a rigorous understanding of SQED and
its bug-finding capabilities and give insights on how to optimize
implementations of SQED in practice.
I. INTRODUCTION
Pre-silicon verification of HW designs given as models in
some HW description language (e.g., Verilog) is a critical step
in hardware design. Due to the steadily increasing complexity
of designs, it is crucial to detect logic design bugs before
fabrication to avoid more difficult and costly debugging in
post-silicon validation.
Formal techniques such as bounded model checking
(BMC) [1] have an advantage over traditional pre-silicon
verification techniques such as simulation in that they are
exhaustive up to the considered BMC bound and hence provide
valuable formal guarantees about the correctness of a design
under verification (DUV) with respect to the checked properties.
However, in traditional assertion-based formal verification
techniques, these properties are design-specific and must be
written manually based on expert knowledge about the DUV.
Moreover, it is a well-known, long-standing challenge that
sets of manually-written, design-specific properties might be
insufficient to detect all bugs present in a DUV, cf. [2]–[6].
This work was supported by the Defense Advanced Research Projects
Agency, grant FA8650-18-2-7854.
Symbolic quick error detection (SQED) [7]–[10] is a formal
pre-silicon verification technique targeted at processor designs.
In sharp contrast to traditional formal approaches, SQED does
not require manually-written properties or a formal specification
of the DUV. Instead, it checks whether a self-consistency [11]
property holds in the DUV.
The self-consistency property employed by SQED is univer-
sal and design-independent. Each instruction in the instruction
set architecture (ISA) of the DUV is interpreted as a function in
a mathematical sense. The self-consistency check then amounts
to checking whether the outputs produced by executing a par-
ticular instruction sequence match if the sequence is executed
twice, assuming the inputs to the two sequences also match.
SQED leverages BMC to exhaustively explore all possible
instruction sequences up to a certain length starting from a
set of initial states. Several case studies have demonstrated
that SQED is highly effective at producing short bug traces
by finding counterexamples to self-consistency in a variety of
processor designs, including industrial designs [9]. Moreover,
SQED substantially increases verification productivity.
However, until now there has been no rigorous theoretical un-
derstanding of (A) whether counterexamples to self-consistency
found by SQED always correspond to actual bugs in the DUV—
the soundness of SQED—and (B) whether for each bug in the
DUV there exists a counterexample to self-consistency that
SQED can find—the completeness of SQED. This paper makes
significant progress towards closing this gap.
We model a processor as a transition system. This model
abstracts away implementation-level details, yet is sufficiently
precise to formalize the workings of SQED. To prove soundness
and (conditional) completeness of SQED, we need to establish
a correspondence between counterexamples to self-consistency
and bugs in a DUV. In our formal model we achieve this
correspondence by first defining the correctness of instruction
executions by means of a general, abstract specification. A
bug is then a violation of this specification. The abstract
specification expresses the following general and natural
property we expect to hold for actual DUVs: an instruction
writes a correct output value into a destination location and
does not modify any other locations.
As our main results, we prove soundness and conditional
completeness of SQED. For soundness, we prove that if SQED
reports a counterexample to the universal self-consistency
property then the processor has a bug. This result shows that
SQED does not produce spurious counterexamples Importantly,
1
ar
X
iv
:2
00
6.
05
44
9v
1 
 [c
s.L
O]
  9
 Ju
n 2
02
0
this result holds regardless of what the actual specification is,
confirming that SQED does not depend on such design-specific
details. For completeness, we prove that if the processor has
a bug then, under modest sets of assumptions, there exists
a counterexample to self-consistency that can be found by
SQED. Our soundness and completeness results enable a
rigorous understanding of SQED and its bug-finding capabilities
in actual DUVs and provide insight on how to optimize
implementations of SQED in practice.
In the following, we first present an overview of SQED
from a theoretical perspective (Section II). Then we define
our transition system model of processors (Section III) and
formalize the correctness of instruction executions in terms of
an abstract specification relation (Section IV). After establishing
a correspondence between the abstract specification and the
self-consistency property employed by SQED (Section V),
we prove soundness and conditional completeness of SQED
(Section VI). We conclude with a discussion of related work
and future research directions (Sections VII and VIII).
II. OVERVIEW OF SQED
We introduce the basic concepts and terminology related to
SQED informally before providing formal definitions. Fig. 1
presents an overview of the SQED workflow.
Given a processor design P , i.e., the DUV, SQED is based
on symbolic execution of instruction sequences using BMC.
We assume that an instruction i = (op, l, (l′, l′′)) consists
of an opcode op, an output location l, and a pair (l′, l′′) of
input locations.1 Locations are an abstraction used to represent
architectural state, including registers and memory locations.
The self-consistency check is based on executing two in-
structions that should always produce the same result. The two
instructions are called an original and a duplicate instruction,
respectively. The duplicate instruction has the same opcode as
the original one, i.e., it implements the same functionality, but it
operates on different input and output locations. The locations
on which the duplicate instruction operates are determined
by an arbitrary but fixed bijective function LD : LO → LD
between two subsets LO, the original locations, and LD, the
duplicate locations, that form a partition of the set L of all
locations in P . An original instruction can only use locations
in LO. An instruction duplication function Dup then maps
any original instruction iO to its duplicate iD by copying the
opcode and then applying LD to its locations.
Example 1. Let L = {0, . . . , 31} be the identifiers of
32 registers of a processor P and consider the partition
LO = {0, 1, . . . , 15} and LD = {16, 17, . . . , 31}. Let iO =
(ADD, l12, (l4, l8)) be an original register-type ADD instruction
operating on registers 4, 8, and 12. Using LD(k) = k + 16,
we obtain Dup(iO) = iD = (ADD, l28, (l20, l24)).
Consider a different partition L′O = {0, 2, 4, . . . , 30} and
L′D = {1, 3, 5, . . . , 31} and function L′D(k) = k + 1. For this
function, Dup(iO) = (ADD, l13, (l5, l9)).
1This model is used for simplicity, but it could easily be extended to allow
instructions with additional inputs or outputs.
Fig. 1. SQED workflow from a theoretical perspective.
Self-consistency checking is implemented using QED tests.
A QED test is an instruction sequence i = iO :: iD consisting
of a sequence iO of n original instructions followed by a corre-
sponding sequence iD = Dup(iO) of n duplicate instructions
(where operator “::” denotes concatenation). A QED test i is
symbolically executed from a QED-consistent state, that is, a
state where the value stored in each original location l is the
same as the value stored in its corresponding duplicate location
LD(l). The resulting final state after executing i should then
also be QED-consistent. Fig. 1 illustrates the workflow. A QED
test i succeeds if the final state that results from executing i
is QED-consistent; otherwise it fails. Starting the execution in
a QED-consistent state guarantees that original and duplicate
instructions receive the same input values. Thus, if the final
state is not QED-consistent, then this indicates that some pair
of original and duplicate instructions behaved differently.
Example 2. Consider Fig. 2 and the QED test i = iO :: iD
consisting of one original instruction iO and its duplicate
Dup(iO) = iD for some function LD . Suppose that i is exe-
cuted in a QED-consistent state s0 (denoted by QEDcons(s0)
and s0(LO) = s0(LD)) and both iO and iD execute correctly.
Instruction iO produces state s1, where the values at duplicate
locations remain unchanged, i.e., s0(LD) = s1(LD), because
iO operates on original locations only. When instruction iD is
executed in state s1, it modifies only duplicate locations. The
final state s2 is QED-consistent (denoted by QEDcons(s2)
and s2(LO) = s2(LD)), and thus QED test i succeeds.
QED-consistency is the universal, design-independent prop-
erty that is checked in SQED. BMC is used to symbolically
and exhaustively generate all possible QED tests up to a certain
length 2n, i.e., the BMC bound. The use of BMC also ensures
that SQED will find the shortest possible failing QED test first.
III. INSTRUCTION AND PROCESSOR MODEL
We model a processor as a transition system containing
an abstract set of locations which correspond to software-
visible architectural state elements (e.g., registers and memory
locations). Instructions are functions that take inputs from
locations and write an output to a location. We abstract away
2
Fig. 2. Related to QED test i = iO :: iD in Example 2.
implementation details like pipelining, assuming instead that
every instruction produces its results in one transition. This
is for ease of presentation and reasoning, but a refinement
argument can be used to lower our results to more detailed
models, such as those described in [7], [8].
Definition 1 (Transition System). A processor is a transition
system [12], [13] P = (V,L, Sa , sa,I ,Op, I, T ), where
• V is a set of abstract data values,
• L is a set of memory locations (from which we define the
set Sa of architectural states as the set of total functions
from locations to values, i.e. Sa = {sa | sa : L → V}),
• Sa is a set of non-architectural states (from which we
further define the set of all states as S = Sa × Sa ),
• sa,I ∈ Sa is a unique initial non-architectural state (from
which we define the set of initial states as SI = Sa ×
{sa,I},
• Op is a set of operation codes (opcodes),
• I ⊆ Op × L× L2 is the set of instructions, and
• T : S × I → S is the transition function, which is total.
A state s ∈ S with s = (sa , sa) consists of an architectural
part sa ∈ Sa and a non-architectural (also called microarchi-
tectural) part sa ∈ Sa . In the architectural part sa : L → V ,
L represents all possible registers and memory locations, i.e.,
in practical terms, L is the address space of P . An initial
state sI ∈ SI with sI = (sa , sa,I) is defined by a unique
non-architectural part sa,I ∈ Sa and an arbitrary architectural
part sa ∈ Sa . The number |L| of memory locations is arbitrary
but fixed. For simplicity, we write v = s(l) to denote the value
v = sa(l) at location l ∈ L in state s = (sa , sa). We also write
(v, v′) = s(l, l′) as shorthand for v = s(l) and (v′) = s(l′).
To formally define instruction duplication, we need to reason
about original and duplicate memory locations. To this end, we
partition the set L of memory locations into two equal sets, the
original and duplicate locations LO and LD, respectively, i.e.,
LO ∩ LD = ∅, LO ∪ LD = L, and |LO| = |LD|. Given LO
and LD, we define an arbitrary but fixed bijective function
LD : LO → LD that maps an original location lO ∈ LO
to its corresponding duplicate location lD = LD(lO). The
inverse of LD is denoted by LD−1 and is uniquely defined. We
write (lD, l′D) = LD(lO, l
′
O) as shorthand for lD = LD(lO)
and l′D = LD(l
′
O). Function LD implements a correspondence
between original and duplicate locations, which we need to
define QED-consistency (Definition 11 below, cf. Section II).
An instruction i ∈ I with i = (op, l, (l′, l′′)) is defined by
an opcode op ∈ Op, an output location l ∈ L, and a pair of
input locations (l′, l′′) ∈ L2. Function op : I → Op maps an
instruction to its opcode op(i). Functions Lout : I → L and
Lin : I → L2 map an instruction i to its output and input
locations Lout(i) = l and Lin(i) = (l′, l′′), respectively. Given
a state s = (sa , sa), instruction i reads values in s from its
input locations Lin(i) and writes a value to its output location
Lout(i), resulting in a transition to a new state s′ = (s′a , s
′
a),
written as s′ = T (s, i). The transition function T is total, i.e.,
for every instruction i and state s, there exists a successor state
s′ = T (s, i). As mentioned above, we have kept the model
simple in order to make the presentation more accessible, but
our results can be lifted to many extensions, including, e.g.,
more complicated kinds of instructions or instructions with
enabledness conditions cf. [14].
We write i ∈ In and s ∈ Sn to denote sequences i =
〈i1, . . . , in〉 and s = 〈s1, . . . , sn〉 of n instructions and n
states, respectively. We will use :: for sequence concatenation
and extend the transition function T to sequences as follows.
Definition 2 (Path). Given sequences i = 〈i1, . . . , in〉 and s =
〈s1, . . . , sn〉 of n instructions and states, s is a path from s0 to
sn via i, written s = T (i, s0), iff
∧n−1
k=0 sk+1 = T (sk, ik+1).
If s = T (i, s0), then for convenience we also write sn =
T (i, s0) to denote the final state sn.
Definition 3 (Reachable State). A state s is reachable, written
reach(s), iff s = T (i, s0) for some s0 ∈ SI and instruction
sequence i.
The set I of instructions contains as proper subsets the sets
of original and duplicate instructions, IO and ID, respectively.
Original (duplicate) instructions operate only on original (dupli-
cate) locations, i.e., ∀iO ∈ IO. Lin(iO) ∈ L2O∧Lout(iO) ∈ LO
and ∀iD ∈ ID. Lin(iD) ∈ L2D ∧ Lout(iD) ∈ LD. Given these
definitions, we formalize instruction duplication as follows.
Definition 4 (Instruction Duplication). Let Dup : IO → ID
be an instruction duplication function that maps an original
instruction iO = (op, lO, (l′O, l
′′
O)) to a duplicate instruction
iD = Dup(iO) = (op,LD(lO),LD(l
′
O, l
′′
O)) with respect to
the bijective function LD .
An original instruction and its duplicate have the same opcode.
We write iO ∈ InO and iD ∈ InD to denote sequences iO =
〈iO,1, . . . , iO,n〉 and iD = 〈iD,1, . . . , iD,n〉 of n original and
duplicate instructions, respectively. We lift Dup in the natural
way also to sequences of instructions as follows.
Definition 5 (Instruction Sequence Duplication). Let iO =
〈iO,1, . . . , iO,n〉 be a sequence of original instructions. Then
Dup(iO) = 〈Dup(iO,1), . . . ,Dup(iD,n)〉.
IV. FORMALIZING CORRECTNESS
We formalize the correctness of instruction executions in a
processor P using an abstract specification relation. We then
link this abstract specification to QED-consistency, the self-
consistency property employed by SQED (Section V below).
For our formalization, we assume that every opcode op ∈ Op
has a specification function Specop : V2 → V that specifies
3
how the opcode computes an output value from input values.
Using this family of functions, we define an overall abstract
specification relation Spec ⊆ S×I×S, which expresses when
an instruction i ∈ I can transition to a state s′ ∈ S from a
state s ∈ S while respecting the opcode specification.
Definition 6 (Abstract Specification). ∀ s, s′ ∈ S, i ∈ I.
Spec(s, i, s′)↔ ∀l ∈ L.
(l 6= Lout(i)→ s(l) = s′(l)) ∧ (1)
(l = Lout(i)→ s′(l) = Specop(i)(s(Lin(i))))
Equation (1) states general and natural properties that we
expect to hold for a processor P . If an instruction i executes
according to its specification, then the values at locations that
are not output locations of i are unchanged. Additionally, the
value produced at the output location of the instruction must
agree with the value specified by function Specop(i). Note
that the specification relation Spec specifies only how the
architectural part of a state is updated by a transition (not the
non-architectural part). Consequently, there might exist multiple
states whose non-architectural parts satisfy the right-hand side
of (1). This is why Spec is a relation rather than a function.
As special cases of (1), original and duplicate instructions have
the following properties:
∀s, s′ ∈ S, iO ∈ IO, lO ∈ LO, iD ∈ ID, lD ∈ LD.
(Spec(s, iO, s
′)→ s(lD) = s′(lD)) ∧ (2)
(Spec(s, iD, s
′)→ s(lO) = s′(lO)) (3)
Equations (2) and (3) express that the execution of an original
(duplicate) instruction does not change the values at duplicate
(original) locations if the instruction executes according to its
specification. The following functional congruence property of
instructions also follows from (1):
∀ s0, s1, s′, s′′ ∈ S. i, i′ ∈ I.[
op(i) = op(i′) ∧ Spec(s0, i, s′) ∧ Spec(s1, i′, s′′) ∧ (4)
s0(Lin(i)) = s1(Lin(i
′))
]→ s′(Lout(i)) = s′′(Lout(i′))
By functional congruence, if two instructions with the same
opcode are executed on inputs with the same values, then the
output values are the same. We next define the correctness of
a processor P based on the abstract specification Spec.
Definition 7 (Correctness). A processor P is correct with
respect to specification Spec iff ∀ i ∈ I, s ∈ S. reach(s) →
Spec(s, i, T (s, i)).
Correctness requires every instruction to execute according to
the abstract specification Spec in every reachable state of P .
A bug in P is a counterexample to correctness, i.e., an
instruction that fails in at least one (not necessarily initial)
reachable state and may or may not fail in other states.
Definition 8 (Bug). A bug with respect to specification Spec
in a processor P is defined by a pair B = 〈i, Sb〉 consisting
of an instruction i ∈ I and a non-empty set Sb ⊆ S of states
such that Sb = {s ∈ S | reach(s) ∧ ¬Spec(s, i, T (s, i))}.
A bug 〈i, Sb〉 is precisely characterized by the set Sb of all
reachable states in which i fails. The following proposition
follows from Definitions 7 and 8.
Proposition 1. A processor P has a bug with respect to
specification Spec iff it is not correct with respect to Spec.
As special cases of processor correctness and bugs, re-
spectively, we define correctness and bugs with respect to
instructions that are executed in an initial state only.
Definition 9 (Single-Instruction Correctness). Processor P is
single-instruction correct iff:
∀ i ∈ I, s0 ∈ SI . Spec(s0, i, T (s0, i)).
Single-instruction correctness implies that all instructions, i.e.,
all opcodes and all combinations of input and output locations,
execute correctly in all initial states. A single-instruction bug
is a counterexample to single-instruction correctness.
Definition 10 (Single-Instruction Bug). Processor P has a
single-instruction bug with respect to specification Spec iff
∃ i ∈ I, s0 ∈ SI . ¬Spec(s0, i, T (s0, i)).
Several approaches exist for single-instruction checking of a
processor, which is complementary to SQED (cf. Section VII).
V. SELF-CONSISTENCY AS QED-CONSISTENCY
We now define QED-consistency (cf. Section II) as a property
of states of a processor P based on function LD . Then we
formally define the notion of QED test and show that for
correct processors, QED tests preserve QED-consistency. This
result is key to the proof of the soundness in Section VI below.
Definition 11 (QED-Consistency). A state s is QED-consistent,
written QEDcons(s), iff ∀lO ∈ LO. s(lO) = s(LD(lO)).
Note that an equivalent condition can be formulated in terms
of duplicate locations: ∀lD ∈ LD. s(lD) = s(LD−1(lD)).
Definition 12 (QED test). An instruction sequence i is a QED
test if i = iO :: Dup(iO) for some sequence iO of original
instructions.
We link the abstract specification Spec to the semantics
of original and duplicate instructions. This way, we obtain
a notion of functional congruence that readily follows as a
special case from (4).
Corollary 1 (Functional Congruence: Duplicate Instructions).
Given iO ∈ IO and iD ∈ ID with iD = Dup(iO), the following
holds for all states s0, s1, s′, and s′′:[
Spec(s0, iO, s
′) ∧ Spec(s1, iD, s′′) ∧
s0(Lin(iO)) = s1(LD(Lin(iO)))
]→
s′(Lout(iO)) = s′′(LD(Lout(iO)))
Corollary 1 states that an original instruction iO produces the
same value at its output location as its duplicate instruction
iD = Dup(iO), provided that these instructions execute in
states where the values at the respective input locations match.
4
We generalize Corollary 1 to show that after executing
a pair of original and duplicate instructions, the values at
all original locations match the values at the corresponding
duplicate locations, assuming those values also matched before
executing the instructions.
Lemma 1 (cf. Corollary 1). Given iO ∈ IO and iD ∈ ID with
iD = Dup(iO), the following holds for all states s0, s1, s′,
and s′′:[
Spec(s0, iO, s
′) ∧ Spec(s1,iD, s′′) ∧
∀lO ∈ LO. s0(lO) = s1(LD(lO))
]→
∀lO ∈ LO. s′(lO) = s′′(LD(lO))
Proof. See appendix.
Lemma 1 leads to the main result of this section: executing a
QED test i starting in a QED-consistent state results in a QED-
consistent final state if all instructions in i execute according
to the abstract specification Spec (cf. Fig. 2).
Lemma 2 (QED-Consistency and QED tests). Let i =
〈i1, . . . , i2n〉 be a QED test, let 〈s0, . . . , s2n〉 be a sequence
of 2n+ 1 states, and let Spec be some abstract specification
relation. Then,
QEDcons(s0) ∧
( 2n−1∧
j:=0
Spec(sj , ij+1, sj+1)
)→
QEDcons(s2n)
Proof. Assuming the antecedent, let lO ∈ LO be arbitrary but
fixed with lD = LD(lO). By repeated application of (2), we
derive s0(lD) = s1(lD) = . . . = sn(lD), and hence:
s0(lD) = sn(lD) (5)
by transitivity. By repeated application of (3), we derive:
sn(lO) = s2n(lO) (6)
Now, QEDcons(s0) implies s0(lO) = s0(LD(lO)), from
which it follows by (5) that s0(lO) = sn(LD(lO)). By
repeated application of Lemma 1, we can next derive
sj(lO) = sn+j(LD(lO)) for 1 ≤ j ≤ n, and in particular,
sn(lO) = s2n(LD(lO)). Finally, by applying (6), we get
s2n(lO) = s2n(LD(lO)). Since lO was chosen arbitrarily,
QEDcons(s2n) holds.
VI. SOUNDNESS AND CONDITIONAL COMPLETENESS
SQED checks a processor P for self-consistency by execut-
ing QED tests and checking QED-consistency (cf. Fig 1). We
now define the correctness of P in terms of QED tests that,
when executed, always result in QED-consistent states. This
way, we establish a correspondence between counterexamples
to QED-consistency and bugs in P . We then prove our main
results (Theorem 1) related to the bug-finding capabilities of
SQED, i.e., soundness and conditional completeness.
Definition 13 (Failing and Succeeding QED Tests). Let i be
a QED test, s0 ∈ SI an initial state such that QEDcons(s0)
holds, and let s = T (s0, i). We say that:
• QED test i fails if ¬QEDcons(s).
• QED test i succeeds if QEDcons(s).
Definition 14 (Processor QED-Consistency). A processor P
is QED-consistent if all possible QED tests succeed.
Definition 15 (Processor QED-Inconsistency). A processor P
is QED-inconsistent if some QED test fails.
Lemma 3. Let P be a processor. If P is QED-inconsistent,
then P is not correct with respect to any abstract specification
relation.
Proof. Let i be a failing QED test for P and assume that proces-
sor P is correct with respect to some abstract specification rela-
tion Spec. By Lemma 2, we conclude QEDcons(s2n), which
contradicts the assumption that i is a failing QED test.
Importantly, Lemma 3 holds regardless of what the actual
specification relation Spec is, i.e., it is independent of Spec
and the opcode specification function Specop (Definition 6).
Lemma 3 shows that SQED is a sound technique: any error
reported by a failing QED test is in fact a real bug in the system.
It is more challenging to determine the degree to which SQED
is complete, that is, for which bugs do there exist failing QED
tests? We address this question next.
Suppose that B = 〈ib, Sb〉 is a bug with respect to a specifica-
tion Spec in a processor P , where ib = (opb, lbout, (lbin1, lbin2)).
A bug-specific QED test for B is a QED test that sets up
the conditions for and includes the activation of the bug.
By Definition 8, if ib is executed in P starting from any
state in Sb, the specification is violated. That is, for each
sb ∈ Sb, ¬Spec(sb, i,T (ib, sb)). According to (1), there are
two ways this can happen. Either: (A) the value in the output
location of ib is different from that required by Spec, i.e.:
s(lbout) 6= Specopb(sb(lbin1), sb(lbin2)) (let’s call this a type-A
bug); or (B) the value in some other location is not preserved,
i.e.: s(lbad) 6= sb(lbad) for some lbad 6= lbout (let’s call this a
type-B bug). We now define a bug-specific QED test formally.
Definition 16 (Bug-Specific QED Test). Let B =
〈ib, Sb〉 be a bug in P with respect to Spec, where
ib = (opb, l
b
out, (l
b
in1, l
b
in2)). The instruction sequence i =
〈i1, . . . , in, in+1, . . . , i2n〉 is a bug-specific QED test for B if
the following conditions hold:
1) in+1 = ib,
2) i is a QED test for some LD , i.e. for 1 ≤ k ≤ n, in+k =
Dup(ik). In particular, i1 = (opb, lout, (lin1, lin2)), with
(lin1, lin2, lout) = L
−1
D ((l
b
in1, l
b
in2, l
b
out)).
3) There exists a path s ∈ S2n from s0 ∈ SI
with QEDcons(s0), such that s = T (s0, i) =
〈s1, . . . , sn, sn+1, . . . , s2n〉, where sn ∈ Sb.
4) Spec(s0, i1, s1),
5) Additionally, we need three more conditions that depend
on the bug types:
Case A: If ib is a type-A bug with respect to sn, i.e.
sn+1(l
b
out) 6= Specopb(sn(lbin1), sn(lbin2)), then let
lorig = lout and ldup = lbout.
5
• We then require:
– sn+1(ldup) = s2n(ldup),
– s1(lorig) = s2n(lorig),
– s0(Lin(ib)) = sn(Lin(ib)).
Case B: If ib is a type-B bug with respect to sn, i.e.
sn(lbad) 6= sn+1(lbad) for some lbad 6= lbout, then let
lorig = L
−1
D (lbad) with lorig 6= lout and ldup = lbad .
• We then require:
– sn+1(ldup) = s2n(ldup),
– s1(lorig) = s2n(lorig).
– s1(ldup) = sn(ldup),
Clearly, it is always possible to satisfy the first two conditions
by declaring the bug instruction ib to be the duplicate of i1
with respect to some function LD . Moreover, if we restrict our
attention to single-instruction correct processors, then the fourth
condition always holds as well. This fits in well with the stated
intended role of SQED which is to find sequence-dependent
bugs, rather than single-instruction bugs.
Understanding when the other conditions hold is more
complicated. Basically, it must be possible to find some
sequence of instructions i∗ = 〈i2 . . . in〉 that can transition
the processor from the state s1 following the execution of i1 to
one of the states in Sb, i.e., sn. Often it is reasonable to assume
that a processor is strongly connected, that is, that there always
exists a sequence of instructions that can transition from one
reachable state to another. This is almost enough to ensure the
existence of i∗. However, there are a few other restrictions on
this sequence of instructions in order to satisfy Definition 16.
First, i∗ must consist of only original instructions. We are
free to choose LD to be anything that works, so the main
restriction is that i∗ cannot use any instructions referencing
locations lbin1,l
b
in2, or l
b
out. This ends up being the most severe
restriction on i∗ because it means that instructions in i∗ cannot
write to the locations used as inputs by ib. We discuss some
mitigations to this restriction in Section VI-A below.
Somewhat surprisingly, the three requirements in condition 5
are not very severe, as we now explain. Locations lorig and
ldup are an original location and its duplicate, respectively.
For type-A bugs, lorig holds the correct output value of i1
and ldup holds the incorrect output value of ib. For type-B
bugs, ldup holds the value of location lbad that is incorrectly
modified when ib is executed in state sn, and lorig is the original
location that corresponds to ldup = lbad . The first requirement
is sn+1(ldup) = s2n(ldup). This means that i∗ cannot modify
L−1D (ldup), but as this is just one original location, it’s unlikely
that every possible i∗ that we might come up with would need
to modify it to get to the bug-triggering state. The second
requirement is s1(lorig) = s2n(lorig). For similar reasons, it’s
unlikely that i∗ would need to modify lorig , and the duplicate
version of i∗ should not modify it either, since it is an original
location and original locations should be left alone by duplicate
instructions (note: ib might modify it if it has more than one bug
effect, but then we may be able to choose i1 and LD differently
to avoid this). Finally, the last requirement of condition 5 is
different depending on the two cases, but in both cases, it is
a requirement that i∗ not modify a duplicate location, which
it should not do as it is composed of original instructions.
Note that in the above discussion, we do not have to make the
strong assumption that i∗ actually executes according to its
specification, only that it avoids corrupting a few key locations.
Given that we have a lot of freedom in choosing LD and
i1, these requirements are likely to be satisfiable if there are
some degrees of freedom in choosing a path to one of the
bug-triggering states.
We now prove our conditional completeness property, namely
that if a bug-specific QED test i exists, then i fails.
Lemma 4. Let P be a processor with a bug B = 〈i, Sb〉
with respect to specification Spec, for which there exists a
bug-specific QED test i. Then i fails.
Proof. Let B = 〈i, Sb〉 be a bug and i be a bug-
specific QED test for B. By Definition 16 we have
i = 〈i1, . . . , in, in+1, . . . , i2n〉 and s = T (s0, i) =
〈s0, s1, . . . , sn, sn+1, . . . , s2n〉, where sn ∈ Sb and ib = in+1,
and QEDcons(s0) holds. We show that ¬QEDcons(s2n)
holds by showing that s2n(lorig) 6= s2n(ldup). We distinguish
the two cases A and B in Definition 16.
Case A. Since QEDcons(s0) and Dup(i1) = ib, we have
s0(Lin(i1)) = s0(Lin(ib)) (7)
From the third requirement of Case A in Definition 16, we
have s0(Lin(ib)) = sn(Lin(ib)), so it follows that,
s0(Lin(i1)) = sn(Lin(ib)) (8)
By (8) and since op(i1) = op(ib), also
Specop(i1)(s0(Lin(i1))) = Specop(ib)(sn(Lin(ib))) (9)
Since Spec(s0, i1, s1) by Definition 16, we have
s1(Lout(i1)) = Specop(i1)(s0(Lin(i1))) (10)
Since we are in Case A, we have from Definition 16 that
lorig = Lout(i1), and from the second requirement of Case A,
we have s1(lorig) = s2n(lorig), so it follows that,
s2n(lorig) = Specop(i1)(s0(Lin(i1))) (11)
Since ib fails in state sn, we have that,
sn+1(Lout(ib)) 6= Specop(ib)(sn(Lin(ib))) (12)
Again, from Case A in Definition 16, we have ldup =
Lout(ib), and from the first requirement of Case A, we have
sn+1(ldup) = s2n(ldup), so it follows that,
s2n(ldup) 6= Specop(ib)(sn(Lin(ib))) (13)
Finally, (9) and (11) give us,
s2n(lorig) = Specop(ib)(sn(Lin(ib))) (14)
But then (13) and (14) imply s2n(lorig) 6= s2n(ldup), and
hence ¬QEDcons(s2n).
Case B. See appendix.
6
Theorem 1.
• SQED is sound (Lemma 3).
• SQED is complete for bugs for which a bug-specific QED
test exists (Lemma 4).
A. Extensions
As mentioned above, the main limitation of the conditional
completeness argument above is that there must exist a sequence
of instructions to a bug-triggering state that does not include
references to the locations used by the buggy instruction. For
some classes of bugs, such as forwarding-logic bugs, this
limitation makes it impossible to find a bug-specific QED
test. This is because the argument above relies on setting up
a bug during the original sequence and then triggering it at
the beginning of the duplicate sequence. Fortunately, there is
another argument that can be made in which the bug occurs
during the original sequence, but not during the duplicate
sequence. This second argument is much more effective with
a simple extension to the definition of QED tests to allow
no-operation instructions (a trick also employed in [11] -
see Section VII). First, we define a set N of no-operation
instructions.
Definition 17. Let N be the set of instructions such that, for
every state (sa , sa), if in ∈ N , then T (in, (sa , sa)) = (sa , s′a)
for some s′a .
An instruction in N may change the microarchitectural state,
but not the architectural state.
Definition 18. An extended QED test is any sequence of
instructions obtained from a standard QED test by inserting
zero or more instructions from N anywhere in the sequence.
It is easy to see that extended QED tests enjoy the same
properties as standard QED tests. In particular an appropriately
lifted version of Lemma 2 holds and the notions of failing and
succeeding QED tests can be lifted to extended QED tests in
the obvious way.
Definition 19 (Bug-Hunting Extended QED Test). Let P be a
single-instruction correct processor with at least one bug. The
instruction sequence i is a bug-hunting extended QED with a
bug-prefix of size k and initial state s0 for P if the following
conditions hold:
1) There is some bug B = 〈ib, Sb〉 in P such that
T (〈i1, . . . , ik−1〉, s0) ∈ Sb and ik = ib
2) i is an extended QED test
3) ik is an original instruction, and ik+1 = Dup(i1)
Unlike the bug-specific QED test defined above, a bug-hunting
extended QED test is not guaranteed to fail. It starts with a
bug-triggering sequence of length k, and then finishes with
a modified duplicate sequence which may add (or subtract)
instructions from N . The no-operation instructions can be used
to change the timing between any interdependent instructions,
making it more likely that the duplicate sequence will produce
a correct result, especially if the bug depends on forwarding-
logic. Though we omit it for lack of space, one can show that
for a general class of forwarding-logic bugs, there does always
exist an extended QED test that fails.
Another QED test extension is to allow original and duplicate
instructions to be interleaved, rather than requiring that all
original instructions precede all duplicate instructions. Again,
it is straightforward to show that this extension preserves
Lemma 2. Clearly, the set of bugs that can be found by adding
interleaving are a strict superset of those that can be found
without. In practice, implementations of SQED search for all
possible extended QED tests with interleaving. Empirically,
case studies have not turned up any (non-single-instruction)
bugs that cannot be found with this combination. However,
one can construct pathological systems with bugs that cannot
be found by such QED tests.
B. Hardware Extensions
With some hardware support, even stronger guarantees can
be achieved. We first introduce a soft reset instruction, which
transitions the processor back to the initial microarchitectural
state without changing the architectural state.
Definition 20. ir is a soft reset instruction for P if for every
state (sa , sa), T (ir, (sa , sa)) = (sa , sa,I).
It is easy to see that ir ∈ N .
Definition 21 (Bug-Specific Soft-Reset QED Test). Let P be a
single-instruction correct processor with at least one bug. The
instruction sequence i = 〈i1, . . . in〉 is a bug-specific soft-reset
QED test for P if the following conditions hold:
1) i is a bug-hunting extended QED test for P with a
minimal bug-prefix of size k ≥ 2 and initial state s0
2) Let s = T (s0, i). Then, ∀ l ∈ LD. sk−1(l) = sk(l) (i.e.
the buggy instruction does not corrupt any duplicate
location)
3) n = 3k
4) For each 1 ≤ j ≤ k, ik+2j−1 = ir
Lemma 5. If P has a bug-specific soft-reset QED test i, then
i fails.
Proof. See appendix.
There are still a few (pathological) ways in which a bug may
be missed by searching for all possible soft-reset QED tests.
First, there may be no triggering sequence starting from any
QED-consistent state. Second, it could be that the triggering
sequence for a bug requires using more than half of all the
locations, making it impossible to divide the locations among
original and duplicate instructions. Finally, it could be that
the bug always corrupts duplicate locations for every possible
candidate sequence. These can all be remedied by adding hard
reset instructions. The goal of a hard reset instruction is to
reset P to a specific starting state. We model this as a family
of hard reset instructions.
Definition 22. The set {iR,sI |sI ∈ SI} is a family of hard
reset instructions for P if for every state s, T (iR,sI , s) = sI .
7
Definition 23. Let P be a processor. Then i = 〈i1 . . . i2k+2〉
is a bug-specific hard-reset QED test with bug-prefix size k
and initial state sI for P if the following conditions hold:
1) k ≥ 2
2) 〈i1 . . . ik〉 reach and trigger a bug in P starting from sI
3) ik+1 = iR,sI
4) 〈ik+2 . . . i2k〉 = 〈i1 . . . ik−1〉
5) i2k+1 = ir
6) i2k+2 = ik
Notice that there is no notion of duplication for a hard-reset
QED test. Instead, the exact same sequence is executed twice
except that there is a hard reset in between and a soft reset
right before the last instruction. Hard-reset QED tests also use
a slightly different notion of success and failure.
Definition 24. Let i be a hard-reset QED test with bug-prefix
size k and initial state sI , and let s = T (sI , i).
• i succeeds if sk(l) = s2k+2(l) for every location l.
• i fails if sk(l) 6= s2k+2(l) for some location l.
The combination of single-instruction correctness checking and
exhaustive search for hard-reset QED tests is complete.
Theorem 2. If P is single-instruction correct and has no
failing hard-reset QED tests, then it is correct.
Proof. See appendix.
VII. RELATED WORK
Assertion-based formal verification techniques using theorem
proving or (bounded) model checking, e.g., [1], [15]–[17],
require design-specific, manually-written properties. In contrast
to that, symbolic quick error detection (SQED) [7]–[10] is
based on a design-independent self-consistency property.
In an early application of self-consistency checking for pro-
cessor verification without a specification [11], given instruction
sequences are transformed by, e.g., inserting NOPs. The original
and the modified instruction sequence are expected to produce
the same result. As a formal foundation, this approach relies on
formulating and explicitly computing an equivalence relation
over states, which is not needed with SQED.
SQED originates from quick error detection (QED), a post-
silicon validation technique [18]–[20]. QED is highly effective
in reducing the length of existing bug traces (i.e., instruction
sequences) in post-silicon debugging of processor cores. To
this end, existing bug traces are systematically transformed into
QED tests by techniques that (among others) include instruction
duplication [21]. SQED exhaustively searches for minimal-
length QED tests using BMC for pre-silicon verification. It is
also applicable to post-silicon validation. SQED was extended
to operate with symbolic initial states [22], [23] to overcome
the potential limitations of BMC when unrolling the transition
relation of a design starting in a concrete initial state.
SQED employs the principle of self-consistency based on a
mathematical interpretation of instructions as functions. That
principle is also applied by accelerator quick error detection (A-
QED) [24], a formal pre-silicon verification technique for HW
accelerator designs. A-QED checks the functions implemented
by an accelerator for functional consistency and, like SQED,
does not require a formal specification.
Unique program execution checking [25] relies on a particular
variant of self-consistency to check security vulnerabilities of
processor designs for covert channel attacks. In the context
of security, self-consistency is also applied to verify secure
information flow by self-composition of programs [26]–[29].
Several approaches, including both formal and simulation-
based approaches, exist for checking single-instruction (SI)
correctness cf. [9], [23], [30]. Checking SI correctness is
complementary to checking self-consistency using SQED and
is also much more tractable. In a formal approach, a property
corresponding to Specop (based on the ISA) is written for each
opcode op ∈ Op, and the model checker is used to ensure that
the property holds when starting from any initial state. Because
the approach is restricted to initial states and only a single
instruction execution, it is much simpler to specify and check
than would be a property specifying the full correctness of P .
Efficient specialized approaches exist for checking multiplier
units [31]–[34], which is computationally hard.
VIII. CONCLUSION AND FUTURE WORK
We laid a formal foundation for symbolic quick error
detection (SQED) and presented a theoretical framework to
reason about its bug-finding capabilities. In our framework,
we proved soundness as well as (conditional) completeness,
thereby closing a gap in the theoretical understanding of SQED.
Soundness implies that SQED does not produce spurious
counterexamples, i.e., any counterexample to QED-consistency
reported by SQED corresponds to an actual bug in the design.
For completeness, we characterized a large class of bugs that
can be detected by failing QED tests under modest assumptions
about these bugs. We also identified several extensions that
can ensure even stronger completeness guarantees.
As future work, it would be valuable to extend our framework
to consider variants of SQED that operate with more fully
symbolic initial states [22], [23]. The challenge will be to
identify how this can be done while guaranteeing no spurious
counterexamples. For practical applications of SQED, our
theoretical results provide valuable insights. For example, in
present implementations of SQED [9], [10], the flexibility
to partition register/memory locations into sets of original
and duplicate locations and to select the bijective mapping
between these two sets has not yet been explored. Similarly,
it is promising to combine standard QED tests and the
specialized extensions we presented in a uniform practical tool
framework. Features like soft/hard reset instructions could either
be implemented in HW in a design-for-verification approach
or in software inside a model checker. In another research
direction, we plan to extend our framework to model the
detection of deadlocks using SQED, cf. [7], and prove related
theoretical guarantees.
Acknowledgments. We thank Karthik Ganesan and John
Tigar Humphries for helpful initial discussions.
8
REFERENCES
[1] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, “Symbolic Model
Checking without BDDs,” in Proc. TACAS, ser. LNCS, vol. 1579.
Springer, 1999, pp. 193–207.
[2] S. Katz, O. Grumberg, and D. Geist, “"Have I written enough Properties?"
- A Method of Comparison between Specification and Implementation,”
in Proc. CHARME, ser. LNCS, vol. 1703. Springer, 1999, pp. 280–297.
[3] H. Chockler, O. Kupferman, and M. Y. Vardi, “Coverage Metrics for
Temporal Logic Model Checking,” in Proc. TACAS, ser. LNCS, vol. 2031.
Springer, 2001, pp. 528–542.
[4] K. Claessen, “A Coverage Analysis for Safety Property Lists,” in
Proc. FMCAD. IEEE, 2007, pp. 139–145.
[5] D. Große, U. Kühne, and R. Drechsler, “Estimating functional coverage
in bounded model checking,” in Proc. DATE. EDA Consortium, San
Jose, CA, USA, 2007, pp. 1176–1181.
[6] H. Chockler, D. Kroening, and M. Purandare, “Coverage in interpolation-
based model checking,” in Proc. DAC. ACM, 2010, pp. 182–187.
[7] D. Lin, E. Singh, C. Barrett, and S. Mitra, “A structured approach to
post-silicon validation and debug using symbolic quick error detection,”
in Proc. ITC. IEEE, 2015, pp. 1–10.
[8] E. Singh, D. Lin, C. Barrett, and S. Mitra, “Logic bug detection and
localization using symbolic quick error detection,” IEEE Transactions
on Computer-Aided Design of Integrated Circuits and Systems, pp. 1–1,
2018.
[9] E. Singh, K. Devarajegowda, S. Simon, R. Schnieder, K. Ganesan, M. R.
Fadiheh, D. Stoffel, W. Kunz, C. W. Barrett, W. Ecker, and S. Mitra,
“Symbolic QED Pre-Silicon Verification for Automotive Microcontroller
Cores: Industrial Case Study,” in Proc. DATE. IEEE, 2019, pp. 1000–
1005.
[10] F. Lonsing, K. Ganesan, M. Mann, S. S. Nuthakki, E. Singh, M. Srouji,
Y. Yang, S. Mitra, and C. W. Barrett, “Unlocking the Power of Formal
Hardware Verification with CoSA and Symbolic QED: Invited Paper,”
in Proc ICCAD. ACM, 2019, pp. 1–8.
[11] R. B. Jones, C. H. Seger, and D. L. Dill, “Self-Consistency Checking,”
in Proc. FMCAD, ser. LNCS, vol. 1166. Springer, 1996, pp. 159–171.
[12] R. M. Keller, “A Fundamental Theorem of Asynchronous Parallel Com-
putation,” in Parallel Processing, Proc. Sagamore Computer Conference,
ser. LNCS, vol. 24. Springer, 1974, pp. 102–112.
[13] R. M. Keller, “Formal Verification of Parallel Programs,” Commun. ACM,
vol. 19, no. 7, pp. 371–384, 1976.
[14] B. Huang, H. Zhang, P. Subramanyan, Y. Vizel, A. Gupta, and S. Malik,
“Instruction-Level Abstraction (ILA): A Uniform Specification for System-
on-Chip (SoC) Verification,” ACM Trans. Design Autom. Electr. Syst.,
vol. 24, no. 1, pp. 10:1–10:24, 2019.
[15] W. A. Hunt Jr., “Microprocessor design verification,” J. Autom. Reasoning,
vol. 5, no. 4, pp. 429–460, 1989.
[16] J. R. Burch and D. L. Dill, “Automatic Verification of Pipelined
Microprocessor Control,” in Proc. CAV, ser. LNCS, vol. 818. Springer,
1994, pp. 68–80.
[17] A. Biere, E. M. Clarke, R. Raimi, and Y. Zhu, “Verifiying Safety
Properties of a Power PC Microprocessor Using Symbolic Model
Checking without BDDs,” in Proc. CAV, ser. LNCS, vol. 1633. Springer,
1999, pp. 60–71.
[18] T. Hong, Y. Li, S. Park, D. Mui, D. Lin, Z. A. Kaleq, N. Hakim,
H. Naeimi, D. S. Gardner, and S. Mitra, “QED: Quick Error Detection
tests for effective post-silicon validation,” in Proc. ITC. IEEE, 2010,
pp. 154–163.
[19] D. Lin, T. Hong, Y. Li, F. Fallah, D. S. Gardner, N. Hakim, and
S. Mitra, “Overcoming post-silicon validation challenges through quick
error detection (QED),” in Proc. DATE. EDA Consortium San Jose,
CA, USA / ACM DL, 2013, pp. 320–325.
[20] D. Lin, T. Hong, Y. Li, E. S, S. Kumar, F. Fallah, N. Hakim, D. S.
Gardner, and S. Mitra, “Effective Post-Silicon Validation of System-on-
Chips Using Quick Error Detection,” IEEE Trans. on CAD of Integrated
Circuits and Systems, vol. 33, no. 10, pp. 1573–1590, 2014.
[21] N. Oh, P. P. Shirvani, and E. J. McCluskey, “Error detection by duplicated
instructions in super-scalar processors,” IEEE Trans. Reliability, vol. 51,
no. 1, pp. 63–75, 2002.
[22] M. R. Fadiheh, J. Urdahl, S. S. Nuthakki, S. Mitra, C. Barrett, D. Stoffel,
and W. Kunz, “Symbolic quick error detection using symbolic initial state
for pre-silicon verification,” in Proc. DATE. IEEE, 2018, pp. 55–60.
[23] K. Devarajegowda, M. R. Fadiheh, E. Singh, C. Barrett, S. Mitra,
W. Ecker, D. Stoffel, and W. Kunz, “Gap-free Processor Verification by
S2QED and Property Generation,” in Proc. DATE. IEEE, 2020.
[24] E. Singh, F. Lonsing, S. Chattopadhyay, M. Strange, P. Wei, X. Zhang,
Y. Zhou, D. Chen, J. Cong, P. Raina, Z. Zhang, C. Barrett, and S. Mitra,
“A-QED Verification of Hardware Accelerators,” in Proc. DAC, to appear.
ACM, 2020.
[25] M. R. Fadiheh, D. Stoffel, C. W. Barrett, S. Mitra, and W. Kunz,
“Processor Hardware Security Vulnerabilities and their Detection by
Unique Program Execution Checking,” in Proc. DATE. IEEE, 2019,
pp. 994–999.
[26] G. Barthe, P. R. D’Argenio, and T. Rezk, “Secure Information Flow by
Self-Composition,” in Proc. CSFW-17. IEEE, 2004, pp. 100–114.
[27] G. Barthe, J. M. Crespo, and C. Kunz, “Relational Verification Using
Product Programs,” in Proc. FM, ser. LNCS, vol. 6664. Springer, 2011,
pp. 200–214.
[28] J. B. Almeida, M. Barbosa, G. Barthe, F. Dupressoir, and M. Emmi,
“Verifying Constant-Time Implementations,” in Proc. USENIX. USENIX
Association, 2016, pp. 53–70.
[29] W. Yang, Y. Vizel, P. Subramanyan, A. Gupta, and S. Malik, “Lazy
Self-composition for Security Verification,” in Proc. CAV, ser. LNCS,
vol. 10982. Springer, 2018, pp. 136–156.
[30] A. Reid, R. Chen, A. Deligiannis, D. Gilday, D. Hoyes, W. Keen,
A. Pathirane, O. Shepherd, P. Vrabel, and A. Zaidi, “End-to-End
Verification of Processors with ISA-Formal,” in Proc. CAV, ser. LNCS,
vol. 9780. Springer, 2016, pp. 42–58.
[31] U. Krautz, M. Wedler, W. Kunz, K. Weber, C. Jacobi, and M. Pflanz,
“Verifying full-custom multipliers by Boolean equivalence checking and
an arithmetic bit level proof,” in ASP-DAC. IEEE, 2008, pp. 398–403.
[32] A. A. R. Sayed-Ahmed, D. Große, U. Kühne, M. Soeken, and R. Drech-
sler, “Formal verification of integer multipliers by combining Gröbner
basis with logic reduction,” in Proc. DATE, 2016, pp. 1048–1053.
[33] D. Ritirc, A. Biere, and M. Kauers, “Column-wise verification of
multipliers using computer algebra,” in Proc. FMCAD, 2017, pp. 23–30.
[34] D. Kaufmann, A. Biere, and M. Kauers, “Verifying Large Multipliers
by Combining SAT and Computer Algebra,” in Proc. FMCAD. IEEE,
2019, pp. 28–36.
9
APPENDIX A
PROOFS
Proof of Lemma 1.. Assume that the antecedent of the im-
plication holds, and let lO ∈ LO be an arbitrary original
memory location. If lO = Lout(iO), then s′(Lout(iO)) =
s′′(LD(Lout(iO))) by Corollary 1.
Suppose, on the other hand, that lO 6= Lout(iO). Let
lD = LD(lO) be the corresponding duplicate location. By
the injectivity of LD , we have lD 6= LD(Lout(iO)), and
thus lD 6= Lout(iD). We can thus conclude from (1) that
s0(lO) = s
′(lO) and s1(lD) = s′′(lD).
Finally, since s0(lO) = s1(lD) by assumption, we derive
s′(lO) = s′′(lD), that is, s′(lO) = s′′(LD(lO)).
Proof of Case B of Lemma 4.. Since QEDcons(s0), we have
s0(lorig) = s0(ldup) (15)
Since Spec(s0, i1, s1) by Definition 16, we have s0(lorig) =
s1(lorig) and s0(ldup) = s1(ldup), and so it follows that,
s1(lorig) = s1(ldup) (16)
Due to the requirements in Case B of Definition 16, we have
sn+1(ldup) = s2n(ldup) (17)
s1(lorig) = s2n(lorig) (18)
s1(ldup) = sn(ldup) (19)
Now, because we are in Case B, we know that sn(ldup) 6=
sn+1(ldup), so by (17),
s2n(ldup) 6= sn(ldup) (20)
But (16), (18) and (19) give us:
sn(ldup) = s2n(lorig) (21)
Thus, by (20) and (21),
s2n(ldup) 6= s2n(lorig) (22)
and hence ¬QEDcons(s2n).
Proof of Lemma 5.. Because k is minimal, we know that
i1 . . . ik−1 all execute according to their specification. For ik+j ,
if j is odd, then it is a no-operation and therefore it changes
no location values, and if j is even, then it executes according
to specification because it is executing in an initial state. Let
l be some original location whose value is incorrect after ik
executes (we know the buggy instruction corrupts an original
location because it does not corrupt a duplicate location), with
lD = LD(l). Since s0 is QED-consistent, s0(l) = s0(lD). Since
instructions 1 through k do not change duplicate locations, we
have s0(l) = sk(lD). By repeated application of Lemma 1
and by definition of no-operation instructions, we can then
conclude that sk−1(l) = s3k−1(lD). Then, because of the bug,
it follows that sk(l) 6= s3k(lD). Finally, because none of the
instructions after ik modify duplicate locations, sk(l) = s3k(l),
so ¬QEDcons(s3k).
Proof of Theorem 2.. Suppose P is not correct. Let ib =
〈i1, . . . , ik〉 be a sequence required to reach a state sb ∈ Sb
starting from some initial state sI , for some bug B = 〈i, Sb〉.
We know k ≥ 2 since P is single-instruction correct. Let i be
the unique bug-specific hard-reset QED test with initial state
sI whose prefix is ib. Let s = T (sI , i). It is easy to see that
sk−1 = s2k, because both are the result of executing the same
instructions from the same initial state. Furthermore, because
i2k+1 is a no-operation instruction, all locations in s2k+1 have
the same values as those in s2k. let l be some location whose
value is incorrect in sk after ik executes. The same location
must have the correct value in s2k+2 because i2k+2 executes
from the same architectural state and must execute correctly
because it is an initial state and P is single-instruction correct.
Thus sk(l) 6= s2k+2(l), and the hard-reset QED test fails, which
is a contradiction. Therefore, P must be correct.
10
