### Bachelor Thesis

### Benchmark of RISC-V in BTOR2

# Jan Krister Möller

Examiner: Dr. Mathias Fleury

University of Freiburg
Faculty of Engineering
Department of Computer Science
Chair of Computer Architecture

September 13, 2025

### Writing Period

 $24.\,06.\,2025 - 24.\,09.\,2025$ 

#### Examiner

Dr. Mathias Fleury

# Declaration

| I hereby declare that I am the sole author and o    | composer of my thesis and that no     |
|-----------------------------------------------------|---------------------------------------|
| other sources or learning aids, other than those li | sted, have been used. Furthermore,    |
| I declare that I have acknowledged the work of oth  | ners by providing detailed references |
| of said work.                                       |                                       |
| I hereby also declare that my Thesis has not been   | n prepared for another examination    |
| or assignment, either wholly or excerpts thereof.   |                                       |
|                                                     |                                       |
|                                                     |                                       |
|                                                     |                                       |
|                                                     |                                       |
| Place, Date Sig                                     | nature                                |

# Declaration on Usage of Generative AI

| I hereby declare that, with the approval of my examiner, I have employed the         |
|--------------------------------------------------------------------------------------|
| generative AI tool "GitHub Copilot" during the preparation of this thesis solely for |
| spellchecking and enhancing the formality of my written expression. Furthermore,     |
| I expressly confirm that this tool was not used to generate data or as a source of   |
| factual information or content for this thesis.                                      |
|                                                                                      |
|                                                                                      |
|                                                                                      |
| <del></del>                                                                          |
| Place, Date Signature                                                                |

# Abstract

foo bar [1] [2] [3]

### Contents

| 1 | Mot  | ivation | l                                            | 1  |
|---|------|---------|----------------------------------------------|----|
| 2 | RIS  | RISC-V  |                                              | 3  |
|   | 2.1  | Overv   | iew                                          | 3  |
|   | 2.2  | The R   | RV64I ISA                                    | 4  |
|   | 2.3  | Simula  | ation of RISC-V                              | 8  |
|   |      | 2.3.1   | Representing the State of a RISC-V Processor | 9  |
|   |      | 2.3.2   | Running an instruction                       | 9  |
|   |      | 2.3.3   | Saving the State of a RISC-V Processor       | 10 |
| 3 | вто  | DR2     |                                              | 13 |
|   | 3.1  | Model   | Checking                                     | 13 |
|   | 3.2  | The B   | TOR2 Language                                | 13 |
|   | 3.3  | The B   | BTOR2 Witness                                | 14 |
| 4 | Trai | nsformi | ing RISC-V to BTOR2                          | 15 |
|   | 4.1  | The C   | Concept                                      | 15 |
|   | 4.2  | Encod   | ling                                         | 17 |
|   |      | 4.2.1   | Constants                                    | 17 |
|   |      | 4.2.2   | State Representation                         | 19 |
|   |      | 4.2.3   | Initialization                               | 20 |
|   |      | 4.2.4   | Fetching the current instruction             | 20 |
|   |      | 4.2.5   | Deconstruction of the instruction            | 20 |

| Bi | bliography 47 |         |                       |    |  |
|----|---------------|---------|-----------------------|----|--|
| 6  | Con           | clusion |                       | 45 |  |
|    | 5.2           | Result  | s                     | 42 |  |
|    | 5.1           | Tests   |                       | 37 |  |
| 5  | Ben           | chmark  | s                     | 37 |  |
|    | 4.3           | Testin  | g for Correctness     | 33 |  |
|    |               | 4.2.8   | Constraints           | 32 |  |
|    |               | 4.2.7   | Next-State Logic      | 28 |  |
|    |               | 4.2.6   | Instruction Detection | 26 |  |

# List of Figures

| 1  | RV64I encoding formats                                        | 5  |
|----|---------------------------------------------------------------|----|
| 2  | State representation of RISC-V in c                           | 9  |
| 3  | Construction of .state files                                  | 11 |
| 4  | Sorts and non-progressive Constants                           | 18 |
| 5  | State representation for transforming RISC-V to ${\tt BTOR2}$ | 19 |
| 6  | Fetching instruction                                          | 22 |
| 7  | Extraction (without immediate)                                | 24 |
| 8  | Extraction of immediate types                                 | 25 |
| 9  | Finding the correct immediate                                 | 26 |
| 10 | Examples for instruction detection                            | 26 |
| 11 | Examples for instruction execution                            | 28 |
|    | 11.1 AUIPC                                                    | 28 |
|    | 11.2 JALR                                                     | 29 |
|    | 11.3 BEQ                                                      | 29 |
|    | 11.4 LHU                                                      | 29 |
|    | 11.5 SD                                                       | 30 |
|    | 11.6 ANDI                                                     | 30 |
|    | 11.7 SLLIW                                                    | 30 |
|    | 11.8 SLT                                                      | 31 |
|    | 11.9 SUBW                                                     | 31 |
| 12 | Next-State logic for memory                                   | 31 |

| 13 | Next-State logic for pc                   | 32 |
|----|-------------------------------------------|----|
| 14 | Iterations counter constraint             | 33 |
| 15 | Unknown Instruction constraints           | 34 |
| 16 | Instruction address misaligned constraint | 34 |
| 17 | Base test cases                           | 38 |
| 18 | State of benchmark add 0256               | 38 |

# List of Tables

| 1 | RV64I Instruction Subset                   | 6  |
|---|--------------------------------------------|----|
| 2 | Behavior of RV64I operations               | 7  |
| 3 | Times of iterations based benchmarks       | 43 |
| 4 | Times of extended address space benchmarks | 43 |
| 5 | Relative runtime of benchmarks             | 43 |

# List of Algorithms

| 1 | progressive constants               | 19 |
|---|-------------------------------------|----|
| 2 | Generating initialisation constants | 21 |
| 3 | Initialising states                 | 22 |
| 4 | Value extraction from $rs1$         | 24 |
| 5 | Instruction detection               | 27 |
| 6 | Next-state logic for rd             | 32 |

# 1 Motivation

This is a template for an undergraduate or master's thesis. The first sections are concerned with the template itself. If this is your first thesis, consider reading.

### 2 RISC-V

As the first foundation for my benchmarks and, consequently, this thesis, I will discuss RISC-V and its operational principles.

#### 2.1 Overview

RISC-V is an open-source instruction set architecture first published in May 2011 by A. Waterman et al. [4]. As indicated by its name, it is based on the RISC design philosophy. (TODO: Explain RISC (compare wiki)) Since 2015, the development of RISC-V has been coordinated by the RISC-V International Association, a non-profit corporation based in Switzerland since 2020 [5]. Its objectives include providing an *open* ISA that is freely available to all, a *real* ISA suitable for native hardware implementation, and an ISA divided into a *small* base integer ISA usable independently, for example in educational contexts, with optional standard extensions to support general-purpose software development [1, Chapter 1].

Currently, RISC-V comprises four base ISAs: RV32I, RV64I, RV32E, and RV64E, which can be extended with one or more of the 47 ratified extension ISAs [1, Preface].

(EXTEND: Additional content may be required here)

For the purposes of this work, I will focus on a subset of the RV64I ISA.

#### 2.2 The RV64I ISA

RV64I is not overly complex, but its structure is essential for understanding the subsequent work presented in this thesis. Therefore, I will explain all elements relevant to my work.

RV64I features 32 64-bit registers, labeled x0-x31, where x0 is hardwired to zero across all bits. Registers x1-x31 are general-purpose and may be interpreted by various instructions as collections of booleans, two's complement signed binary integers, or unsigned integers. Additionally, there is a non-accessible register called pc, which serves as the program counter and holds the address of the current instruction [1, Chapters 4.1, 2.1].

In RV64I, memory addresses are 64 bits in size. As the memory model is defined to be single-byte addressable, the address space of RV64I encompasses 2<sup>64</sup> bytes [1, Chapter 1.4]. The format of the memory is little endian, so the lower bits of number are placed on lower addresses.

Like nearly all standard ISAs of RISC-V, RV64I employs a standard instruction encoding length of 32 bits, or one *word*. Only the compressed extension named C introduces instructions with a length of 16 bits [1, Chapter 1.5], but we will not encounter this special case. All RV64I instructions are encoded in one of the six formats illustrated in Figure 1. These formats may consist of

#### • The opcode:

The opcode is used to differ between groups of instructions. It also defines the format type of the instruction.

#### • rd:

This is the destination register.

| 31             | 25 24  | 20 19    |      | 15 14  | 12 11        | 7          | 6   |        | 0      |
|----------------|--------|----------|------|--------|--------------|------------|-----|--------|--------|
| funct7         | rs2    |          | rs1  | fund   | t3           | rd         | L . | opcode | R-Type |
| 31             |        | 20 19    |      | 15 14  | 12 11        | 7          | 6   |        | 0      |
| imm            | [11:0] |          | rs1  | fund   | t3           | rd         | L . | opcode | I-Type |
| 31             | 25 24  | 20 19    |      | 15 14  | 12 11        | 7          | 6   |        | 0      |
| imm[11:5]      | rs2    |          | rs1  | fund   | t3 ir        | mm[4:0]    |     | opcode | S-Type |
| 31 30          | 25 24  | 20 19    |      | 15 14  | 12 11        | 8 7        | 6   |        | 0      |
| [12] imm[10:5] | rs2    |          | rs1  | fund   | t3 im        | m[4:1]  11 | 1 . | opcode | B-Type |
| 31             |        |          |      |        | 12 11        | 7          | 6   |        | 0      |
|                | imm[3  | 1:12]    |      |        |              | rd         |     | opcode | U-Type |
| 31 30          |        | 21 20 19 |      |        | 12 11        | 7          | 6   |        | 0      |
| [20] imm       | [10:1] | 11)      | imm[ | 19:12] | <u>.   .</u> | rd         |     | opcode | J-Type |

Figure 1: RV64I encoding formats, used in [1, Chapter 2.3]

#### • *funct*3:

This is used to differ between instructions with the same opcode.

#### • rs1 & rs2:

These are the source registers.

#### • funct7

:This is used for further distinctions between instructions if there are more than 8 instructions in an opcode group and funct3 does not suffice.

#### • *imm*:

This is an immediate value. In square brackets after *imm* is designated a subfield of the immediate which is represented by these bits. From these subfields, non-defined lower bits are filled with zeros whereas the highest defined bit is sign extended to fill all non-defined higher bits.

The design of these formats results in the following features:

• Due to RISC-V's little-endian nature, the *opcode*, which encodes the general instruction, is always read first. Further specification of the instruction via funct3 and funct7 is consistently located at the same positions.

| Instr | opcode     | Type | Instr | opcode                 | Type      | Instr | opcode | Type |
|-------|------------|------|-------|------------------------|-----------|-------|--------|------|
| LUI   | lui        | U    | SB    |                        |           | ADD   |        |      |
| AUIPC | auipc      |      | SH    | store                  | $_{ m S}$ | SUB   |        |      |
| JAL   | jal        | J    | SW    | 51016                  | b         | SLT   |        |      |
| JALR  | jalr       | I    | SD    |                        |           | SLTU  |        |      |
| BEQ   |            |      | ADDI  |                        |           | XOR   | op     | R    |
| BNE   |            |      | SLTI  |                        |           | OR    |        |      |
| BLT   | branch     | В    | SLTIU |                        | I         | AND   |        |      |
| BGE   | Oranch<br> | В    | XORI  |                        | 1         | SLL   |        |      |
| BLTU  |            |      | ORI   | $op	ext{-}imm$         |           | SRL   |        |      |
| BGEU  |            |      | ANDI  |                        |           | SRA   |        |      |
| LB    |            |      | SLLI  |                        |           | ADDW  |        |      |
| LH    |            |      | SRLI  |                        | $I^*$     | SUBW  |        |      |
| LW    |            |      | SRAI  |                        |           | SLLW  | op-32  | R    |
| LD    | load       | I    | ADDIW |                        | I         | SRLW  |        |      |
| LBU   |            |      | SLLIW | op-imm-32              |           | SRAW  |        |      |
| LHU   |            |      | SRLIW | <i>0p-inini-32</i><br> | I**       |       |        |      |
| LWU   |            |      | SRAIW |                        |           |       |        |      |

Table 1: Subset of RV64I instructions (TODO: Maybe rework, not happy yet)

- If utilized by the instruction, rd, rs1 and rs2 are also always found in the same locations, simplifying decoding.
- The highest bit of *imm* is always bit 31, making it straightforward to sign-extend the immediate value.

The instructions relevant to my work are listed in Table 1

I have divided the instructions in Table 1 into nine groups based on their operations.

LUI and AUIPC move a high immediate into rd. In case of AUIPC, the pc is added onto this.

JAL and JALR instructions are unconditional jumps, where on JAL imm is added onto pc and on JALR imm is added onto rs1 and set as pc. Both link to the next instruction (current pc + 4) in rd.

| Behavior                                              |
|-------------------------------------------------------|
| rd := rs1 + rs2                                       |
| rd := rs1 - rs2                                       |
| rd := 1 if $rs1 < rs2$ else $rd := 0$                 |
| $rd := rs1 \oplus rs2$ , bitwise                      |
| $rd := rs1 \vee rs2$ , bitwise                        |
| $rd := rs1 \wedge rs2$ , bitwise                      |
| rd := rs1 shifted left by $rs2$ , new bits are zeros  |
| rd := rs1 shifted right by $rs2$ , new bits are zeros |
| rd := rs1 shifted right by $rs2$ , sign extend        |
|                                                       |

**Table 2:** All suffix free operations in RV64I and their behavior. All values are handled either bitwise or as signed twos complement integers

branch instructions are conditional jumps. rs1 is compared to rs2 and if the comparison holds, imm is added onto pc. The comparison are = for BEQ,  $\neq$  for BNE, < for BLT and  $\geq$  for BGE. In these instructions, the values in rs1 and rs2 are handled as twos complement integers. The suffix \*U in an instruction generally designates an unsigned operation. In this case the values in rs1 and rs2 are handled as unsigned integers. Apart from this, they work as their counterpart without the suffix.

load instructions load values from memory at address (rs1 + imm) into rd, either at Byte, Halfword, Word, or Doubleword length. Again the standard is a sign-extended value and the suffix \*U designates the loading of a non sign extended value.

Conversely, store instructions write values from rs2 at the address (rs1 + imm) to memory. Here also the distinction between the different lengths is made and the lowest byte, halfword, word or the whole doubleword is stored at the address.

All further instructions can be seen as generic operations, differentiated by their suffixes. To simplify the explanation process, all operations without any suffix and their behavior are listed in Table 2. This is almost exactly the group with opcode op, except the SLTU instruction, which is not suffix free. But as all other instructions with the unsigned suffix it behaves as its signed counterpart except from handling both rs1 and rs2 as unsigned integers.

These operations can be extended by the \*I suffix which is designated by the opcode op-imm. This exchanges rs2 with imm in the behavior. Again, SLTI can be extended to an unsigned version SLTIU, which behaves as expected. A SUBI instruction does not exist as it is redundant. Its behavior can be reached by using ADDI with a negative immediate.

Also, the operations ADD, SUB, SLL, SRL and SRA can be extended with the \*W suffix. This forms the group with the opcode op-32. In contrast to the base instructions these new ones behave as if the registers are only 32bit. The result is placed in the low 32 bits of rd and sign extended to full 64bit. Overflows are ignored.

The last group left is the combination of both suffixes \*IW with the opcode op-imm-32. The behavior differs from the base instructions, as expected, by a replacement of rs2 with imm and only operating on 32bit. Again, a SUBIW instruction is redundant as a negative immediate with ADDIW archives the same.

Compared to the full RV64I ISA, I left out FENCE, ECALL and EBREAK instructions as without I/O interaction or an environment like an OS or a debugger, these are not needed.

#### 2.3 Simulation of RISC-V

In a previous project, I have written a simulation of this subset of RV64I in C [6]. As I will use it to later on test my BTOR2 model, I explain the inner working of the program here.

First I implemented a structure to represent a simple RISC-V processor

Figure 2: State representation of a RISC-V processor in the simulation [6]

#### 2.3.1 Representing the State of a RISC-V Processor

Of course the state needs a representation for all registers. pc is defined as a 64bit integer, the other 32 registers are implemented as an array, as so each register can be referenced by its number. Also, I implemented an array of flags, one for each register, to be able to differ between initialized and non initialized registers. The memory is build from single memory cells holding each an address and its byte of content. These are cumulated in a hash table "memorytable", hashing on the address. If adding a new cell causes a collision, it is appended to the cells already in the bucket forming a linked list. These structs are shown in Figure 2.

#### 2.3.2 Running an instruction

After fetching the current instruction from the hash table, it must be decoded. The easiest way to do this is using a decision tree. First I mask out the opcode and match it over all implemented opcodes. From there, either this is an endpoint and the instruction is identified, or funct3 must be masked and matched. A final differentiation over funct7 might be needed, but after this every Leaf in the tree

coincides with an instruction. So, at every leaf the state can be changed in regard to the corresponding instruction. (TODO: Graph of the decision tree?)

#### 2.3.3 Saving the State of a RISC-V Processor

To preserve the current state of a RISC-V processor, both the registers and memory must be stored. For this purpose, I have devised the format shown in Figure 3. The RISC-V simulation uses this format as input and output. The minimal file consists only of the two designators "REGISTERS:" and "MEMORY:" and one empty line between them. Under "REGISTERS:", all registers can be listed with their corresponding value. Of course, x0 can not be different from 0. I included the option to reference it nonetheless to have the complete state included. Under "MEMORY:", after giving an address, the memory can be filled with 1-, 2-, 4- or 8-byte sized memory content. The given address is the starting address of the content, of course with every byte after the first, the next higher address is filled.

```
\langle 64bitHex \rangle
                                              up to 16 digits of [0-9a-fA-F]
                                   ::=
                                              up to 8 digits of [0-9a-fA-F]
\langle 32bitHex \rangle
                                   ::=
\langle 16bitHex \rangle
                                             up to 4 digits of [0-9a-fA-F]
                                   ::=
\langle 8bitHex \rangle
                                           up to 2 digits of [0-9a-fA-F]
                                  ::=
\langle memContent \rangle
                                              \langle 8bitHex \rangle
                                  ::=
                                              \mid \langle 16bitHex \rangle
                                              \mid \langle 32bitHex \rangle
                                              \mid \langle 64bitHex \rangle
\langle cell \rangle
                                              \langle 64bitHex \rangle : \langle memContent \rangle
                                  ::=
                                              |\langle cell \rangle \langle cell \rangle
\langle regNum \rangle
                                             0 |...| 31
                                  ::=
\langle reg \rangle
                                             \mathtt{PC}: \langle 64bitHex \rangle \setminus \mathtt{n}
                                              \mid \mathbf{x}\langle regNum \rangle : \langle 64bitHex \rangle \setminus \mathbf{n}
                                              |\langle reg \rangle \langle reg \rangle
\langle memory \rangle
                                   ::=
                                             \texttt{MEMORY:} \backslash \texttt{n} \langle cell \rangle
                                             \texttt{REGISTERS:} \backslash \texttt{n} \langle reg \rangle
\langle registers \rangle
                                  ::=
\langle state \rangle
                                              \langle registers \rangle \ (memory) \ n
                                   ::=
```

Figure 3: Construction of .state files

3 BTOR2

The second foundation of my benchmarks is BTOR2, a word-level model checking

format published by A. Niemetz et al. [2].

3.1 Model Checking

(TODO: Write something about model checking...)

3.2 The BTOR2 Language

Generally in BTOR2, every line represents either a sort or a node, where normally the

line number acts as an identifier. A sort behaves similar to a type as with it, either

the length of a bitvector or the size of an array of bitvectors is defined. Nodes on the

other hand represent a value of a defined sort and come as constants, operations or

constraints. These values can later on be referenced by the node identifier, so the

line number. The syntax of BTOR2 can be found at [2, figure 1] and corresponding

operators in [2, table 1]

Key features of BTOR2 include its ability to operate sequentially, which makes

the implementation of a RISC-V structure highly convenient. The main feature is

the state operator, which defines a node that is sequentially updated. With an

init node, this state can be assigned an initial value, and with a next node, the

13

sequentially next state can be defined. Finally, constraints can be used to specify endpoints for a model. These endpoints may indicate that something unintended has occurred or that the intended information has been found. In either case, the resulting model is provided as a witness.

#### 3.3 The BTOR2 Witness

After receiving a witness, it must be interpreted. On the second line of a witness, the constraint that was triggered is specified. Subsequently, for each sequential iteration, the witness first presents—marked with #x, where x is the iteration number—a representation of all states in the current iteration. Second, marked with @x, all inputs for the iteration are listed.

(TODO: Maybe a bit more, it's a bit of bare bones)

### 4 Transforming RISC-V to BTOR2

#### (TODO: Explain naming conventions for the model nodes)

This chapter addresses the main problem of the thesis: transforming a RISC-V state into the BTOR2 format for benchmarking purposes. F. Schrögendorfer did similar in his master's thesis "Bounded Model Checking in Lockless Programs" [3], in which he describes, among other topics, an encoding concept for a minimal machine in a multiprocessor context [3, Chapter 2]. For this, in [3, Chapter 8] he describes a way to encode programs for his machine model into a BTOR2 model. This can not be replicated by me though, as in his model the full program is known at encoding whilst I want to hold the property of RISC-V that the program could self modify and change during execution. If the property was to be dropped, it would be possible to parse over the memory and analyse the complete behavior of a program within, but this is for others to explore.

### 4.1 The Concept

To successfully execute a RISC-V instruction, three fundamental steps must occur in sequence:

- Fetch the current instruction from memory
- Identify the instruction

#### • Execute the instruction

Due to the fixed instruction length of RISC-V, as mentioned in Section 2.2, fetching the current instruction is straightforward. Ultimately, we want a node that retrieves a word from memory at the location specified by pc.

For basic identification, the opcode must be extracted and checked. Depending on the opcode, further distinctions between instructions require extracting and checking funct3 and, if necessary, funct7. Ultimately, we want a node for each instruction, which holds a boolean value indicating whether this instruction was fetched.

To execute the instruction, we need to extract the values of the immediate imm and, if used, the registers rs1 and rs2. All instructions only modify rd, pc, or memory. Therefore, the next-state logic can be generalized for these three cases.

Memory is only modified when a store instruction is identified. As all store instructions share the same type, computing the memory address is consistent across them. The final step is overwriting the memory at this address.

For the pc, except for jump commands, it always increments to point to the next instruction. The two unconditional jumps, JAL and JALR, must be handled separately. For branch instructions, after determining whether the relevant condition for the instruction holds, we can generalize, as all branch instructions execute the same operation from this point onward.

With rd, generalization across instructions is not feasible. However, we can generalize across all possible registers by adding a check in each register's update function to determine whether the register in question is rd.

### 4.2 Encoding

For better visualization in the BTOR2 code I will mark all sort-IDs in gray, all node-IDs in red and all non-ID numbers blue. As described in the BTOR2 syntax [2, Figure 1], each line can get an accompanying symbol. Sadly those cant be used as an alias to the line numbers, but for increased clarity, in the following figures I will use them as such aliases. With this I can also start each new figure with the relative line number n, and it makes it feasible to describe processes with algorithms. It is implied that n is sufficiently incremented after adding to the model so that IDs will not overlap. In the following, I will describe how I construct a BTOR2 model for a RISC-V state file.

#### 4.2.1 Constants

First off, I added the sorts and non-progressive constants needed into the BTOR2 model as seen in Figure 4. This is extended by a set of progressive constants used for comparison e.g. against the register number. Algorithm 1 describes how they are added.

Of note is the Representation of the memory as an array of addressable memory cells of each 1byte. Obviously, the set address space of 16bit is magnitudes away of the expected address space of 64bit, but representing a 64bit addressable memory with its resulting  $2^{64}B \approx 18Exabyte$  is not implementable. Therefore, as I needed a feasible amount of memory space, I artificially chose a 16bit address space as a soft minimum. With 65kB and therefore programs with possibly > 10000 instructions I deemed this memory sufficient for most use cases. Despite this, the encoding is implemented in such a way that the address space can be altered with. (TODO: Change code to make address space modifiable by an option)

| 1  | sort   | bitvec       | 1      |   | Bool                  |
|----|--------|--------------|--------|---|-----------------------|
| 2  | sort   | bitvec       | 16     |   | AS                    |
| 3  | sort   | bitvec       | 8      |   | В                     |
| 4  | sort   | bitvec       | 16     |   | Н                     |
| 5  | sort   | bitvec       | 32     |   | W                     |
| 6  | sort   | bitvec       | 64     |   | D                     |
| 7  | sort   | array        | 2      | 3 | Mem                   |
|    |        |              |        |   |                       |
| 8  | one    | Bool         |        |   | true                  |
| 9  | zero   | Bool         |        |   | false                 |
| 10 | one    | AS           |        |   | addressInc            |
| 11 | constd | AS           | 4      |   | pcInc                 |
| 12 | zero   | В            |        |   | emptyCell             |
| 13 | one    | W            |        |   | bitPicker             |
| 14 | zero   | D            |        |   | emptyReg              |
|    |        |              |        |   |                       |
| 15 | consth | W            | 01F    |   | 5Bitmask              |
| 16 | consth | W            | 03F    |   | 6Bitmask              |
| 17 | consth | W            | 07F    |   | 7Bitmask              |
| 18 | consth | W            | OFFF   |   | 12Bitmask             |
| 19 | consth | W            | OFFFFF |   | 20Bitmask             |
|    |        |              |        |   |                       |
| 20 | constd | $\mathbb{W}$ | 7      |   | ${\it shiftToRd}$     |
| 21 | constd | W            | 15     |   | shiftToRs1            |
| 22 | constd | W            | 20     |   | shiftToRs2            |
| 23 | constd | $\mathbb{W}$ | 12     |   | ${\it shiftToFunct3}$ |
| 24 | constd | $\mathbb{W}$ | 25     |   | ${\it shiftToFunct7}$ |
| 25 | constd | $\mathbb{W}$ | 5      |   | shiftBy5              |
| 26 | constd | $\mathbb{W}$ | 11     |   | shiftBy11             |
|    |        |              |        |   |                       |
| 27 | constd | $\mathbb{W}$ | 3      |   | load                  |
| 28 | constd | $\mathbb{W}$ | 19     |   | opImm                 |
| 29 | constd | $\mathbb{W}$ | 23     |   | auipc                 |
| 30 | constd | $\mathbb{W}$ | 27     |   | opImm32               |
| 31 | constd | $\mathbb{W}$ | 35     |   | store                 |
| 32 | constd | $\mathbb{W}$ | 51     |   | op                    |
| 33 | constd | $\mathbb{W}$ | 55     |   | lui                   |
| 34 | constd | $\mathbb{W}$ | 59     |   | op32                  |
| 35 | constd | $\mathbb{W}$ | 99     |   | branch                |
| 36 | constd | $\mathbb{W}$ | 103    |   | jalr                  |
| 37 | constd | $\mathbb{W}$ | 111    |   | jal                   |
|    |        | -            |        |   |                       |

(TODO: Maybe neusortieren, andere constanten aufnehmen. Explain )

 $\textbf{Figure 4:} \ \, \textbf{Sorts and non-progressive Constants for encoding RISC-V in BTOR2}$ 

```
for i from 0 to 31 do

add to model:

n constd W i iConst

end
```

Algorithm 1: progressive constants for encoding RISC-V in BTOR2

|   | (n + 0) | state | D | х0         | (n + 17) | state | D   |
|---|---------|-------|---|------------|----------|-------|-----|
|   | (n + 1) | state | D | x1         | (n + 18) | state | D   |
|   | (n + 2) | state | D | x2         | (n + 19) | state | D   |
|   | (n + 3) | state | D | х3         | (n + 20) | state | D   |
|   | (n + 4) | state | D | x4         | (n + 21) | state | D   |
|   | (n + 5) | state | D | x5         | (n + 22) | state | D   |
|   | (n + 6) | state | D | х6         | (n + 23) | state | D   |
|   | (n + 7) | state | D | <i>x</i> 7 | (n + 24) | state | D   |
|   | (n + 8) | state | D | х8         | (n + 25) | state | D   |
|   | (n + 9) | state | D | х9         | (n + 26) | state | D   |
| ( | n + 10) | state | D | x10        | (n + 27) | state | D   |
| ( | n + 11) | state | D | x11        | (n + 28) | state | D   |
| ( | n + 12) | state | D | x12        | (n + 29) | state | D   |
| ( | n + 13) | state | D | x13        | (n + 30) | state | D   |
| ( | n + 14) | state | D | x14        | (n + 31) | state | D   |
| ( | n + 15) | state | D | x15        | (n + 32) | state | AS  |
| ( | n + 16) | state | D | x16        | (n + 33) | state | Men |

Figure 5: State representation for encoding

#### 4.2.2 State Representation

The next logical step is defining a representation of a RISC-V state. This is straightforward as shown in Figure 5. I also introduced a flag for each register in my code. They track if the register was written to and makes it possible to shorten a state file transformed from a witness to only the relevant registers. As they have no impact on the operation of the BTOR2 model, I will not mention them again.

#### 4.2.3 Initialization

To initialize a state in BTOR2 from a RISC-V state file, the values in the registers must be loaded as constants, and for each memory address mentioned in the state file, the value and address has to be loaded as constants. Due to the inability to represent a full 64bit address space, the shrinking of the address space from state file to BTOR2 model must be handled. I decided to just initialize the addresses up to the BTOR2 model address space maximum and cut all others in the state file as I deem this the most predictable behavior. Everything not mentioned in the state file will be zero initialized. At last these constants must be used to initialize the state. For the registers this is straight forward, for the memory we must first write all memory addresses into a placeholder array which then we can use to initialize the real memory. Due to constraints in BTOR2, these constants have to be defined before the states, but initialization with the values must happen after the states. This means that this initialization process wraps around the state representation. The generation of constants is shown in Algorithm 2, whereas the actual initialization is shown in Algorithm 3.

#### 4.2.4 Fetching the current instruction

To fetch the current instruction, I read the 4 bytes of the instruction and concatenate them as seen in Figure 6

#### 4.2.5 Deconstruction of the instruction

Now having the instruction, we can deconstruct it to extract the opcode, rd, rs1, rs2, funct3, funct7 and imm. For everything apart from imm, this can be done by a shift and a masking. This is shown in Figure 7.

```
truePc \leftarrow value of pc in state file
maxPc \leftarrow \text{number of addresses in BTOR2 model}
pcValue \leftarrow truePc \text{ modulo } maxPc
add to model:
                                 pcConst
                     pcValue
     constd
for every register x_i do
   if register is initialised in state file then
       registerValue \leftarrow value of x_i
       if registerValue \neq 0 then
           add to model:
                 constd D registerValue
                                                  x_i Const
       end
   end
end
add to model:
                                                    memPH
 (n + 0)
                      Mem
             state
 (n + 1)
                             memPH (n + 0)
             init
                      Mem
\overline{lastPH \leftarrow memPH}
allInitialCells \leftarrow all initialised memory cells in the state file
cutInitialCells \leftarrow remove all cells with address over maxPc
for every cell c in cutInitialCells do
   address \leftarrow address of c
   value \leftarrow \text{value of } c
   add to model:
                                  \overline{address}
     (n + 0)
                 constd
     (n + 1)
                                  value
                 constd
                           В
     (n + 2)
                                  lastPH (n + 0) (n + 1)
                                                                  PHAfterC
                 write
                           Mem
   \overline{lastPH \leftarrow PHAfterC}
end
keep lastPH for initialisation
```

Algorithm 2: Generating initialisation constants from state file in BTOR2

```
add to model:
               AS
                     pc pcConst
      init
for every register x_i do
    if x_iConst was defined then
         add to model:
                             x_i \quad \overline{x_i Const}
               init
    \quad \text{end} \quad
\quad \mathbf{end} \quad
add to model:
                       memory lastPh
      init
 n
               Mem
```

Algorithm 3: Initialising states in the BTOR2 model

| (n + 0) | read   | В  | memory     | pc       | instrB1  |
|---------|--------|----|------------|----------|----------|
| (n + 1) | add    | AS | addressInc | pc       | $pc{+}1$ |
| (n + 2) | read   | В  | memory     | $pc{+}1$ | instrB2  |
| (n + 3) | add    | AS | addressInc | $pc{+}1$ | pc+2     |
| (n + 4) | read   | В  | memory     | pc+2     | instrB3  |
| (n + 5) | add    | AS | addressInc | pc+2     | $pc{+}3$ |
| (n + 6) | read   | В  | memory     | pc+3     | instrB4  |
|         |        |    |            |          |          |
| (n + 7) | concat | Н  | instrB2    | instrB1  | instrH1  |
| (n + 8) | concat | Н  | instrB4    | instrB3  | instrH2  |
| (n + 9) | concat | W  | instrH2    | instrH1  | instr    |

Figure 6: Fetching the current instruction from memory

The immediate on the other hand must be first constructed from its subfields, which can be referenced in Figure 1. In the BTOR2 model this looks like in Figure 8. (TODO: Reference to same method in riscvsim) There are three things I want to point out:

First, some immediate subfields overlap exactly. I made use of this fact in lines (n + 1) with the overlap of imm[11:5] of I- and S-type, and (n + 21) with J- and B-types imm[10:5] overlap. Second, as described in Section 2.2 the immediate is always sign-extended. To archive this we make arithmetic right shifts, which do sign extension for us and with this pull our highest immediate bit to its correct place. Third, at line (n + 8), for sign extension we must shift right by 19. As this matches the opcode for arithmetic instructions with immediate, I used this and did not create a new constant.

Now I have *iTypeImm*, *sTypeImm*, *bTypeImm*, *uTypeImm* and *jTypeImm*. But it would be easier to just have one node *imm* where we can reference the immediate value regardless of the instruction. This is done in Figure 9, where first I defined booleans which check all opcodes that are neither R-type nor I-type. Then I chained if-then-else nodes to catch instructions that are of J-type, U-Type, B-Type or S-type. If the instruction is none of them, I can safely default to I-type as R-type does not handle with an immediate value. At the end I extend *imm* to the 64bit RV64I demands.

At this point I can also extract the values of the designated rs1 and rs2 registers. I show this for rs1 in Figure 4, it is the same for rs2 except that the names must be changed to rs2. Also, the comparison constants can be left out as they are already defined for rs1 and can be referenced from there.

| (n + 0) | and | W            | instr       | 7Bitmask         | opcode      |
|---------|-----|--------------|-------------|------------------|-------------|
| (n + 1) | srl | $\mathbb{W}$ | instr       | shiftToRd        | rdPre       |
| (n + 2) | and | $\mathbb{W}$ | rdPre       | 5Bitmask         | rd          |
| (n + 3) | srl | $\mathbb{W}$ | instr       | shift ToRs1      | rs1Pre      |
| (n + 4) | and | $\mathbb{W}$ | rs1Pre      | 5Bitmask         | rs1         |
| (n + 5) | srl | $\mathbb{W}$ | instr       | shift ToRs2      | rs2Pre      |
| (n + 6) | and | $\mathbb{W}$ | rs2Pre      | 5Bitmask         | rs2         |
| (n + 7) | srl | $\mathbb{W}$ | instr       | shift To Funct 3 | funct 3 Pre |
| (n + 8) | and | $\mathbb{W}$ | funct 3 Pre | shiftRd          | funct3      |
| (n + 9) | srl | W            | instr       | shift To Funct 7 | funct7      |

Figure 7: Extraction of values from the instruction without imm

```
for i from 1 to 31 do
    add to model:
                              iConst
                                            isRs1Xi
               Bool
                        rs1
\quad \text{end} \quad
add to model:
     ite
                 isRs1X1
                             x1
                                   x0
                                         checkX1
for i from 2 to 30 \mathbf{do}
    add to model:
                     isRs1Xi
                                                        checkXi
                                      checkX(i-1)
         ite
\quad \text{end} \quad
add to model:
                                                   rs1val
                 isRs1X31
                               x31
                                      check X30
```

**Algorithm 4:** Extracting the value of the register designated by rs1

| (n + 0)  | sra | W                       | instr       | shift ToRs2      | iTypeImm    |
|----------|-----|-------------------------|-------------|------------------|-------------|
| (n + 1)  | and | W                       | iTypeImm    | -5Bitmask        | s[11:5]     |
| (n + 2)  | add | W                       | s[11:5]     | rd               | sTypeImm    |
| (n + 3)  | and | W                       | rd          | -bitPicker       | b[4:0]      |
| (n + 4)  | and | $\overline{\mathbb{W}}$ | funct7      | 6Bitmask         | b[10:5]Pre  |
| (n + 5)  | sll | $\mathbb{W}$            | b10.5Pre    | shiftBy5         | b[10:5]     |
| (n + 6)  | and | $\mathbb{W}$            | bitPicker   | rd               | b[11]Pre    |
| (n + 7)  | sll | $\mathbb{W}$            | b[11]Pre    | shiftBy11        | b[11]       |
| (n + 8)  | sra | $\mathbb{W}$            | instr       | mathI            | b[31:12]Pre |
| (n + 9)  | and | $\mathbb{W}$            | b[31:12]Pre | 12Bitmask        | b[31:12]    |
| (n + 10) | add | $\overline{\mathbb{W}}$ | b[10:5]     | b[4:0]           | b[10:0]     |
| (n + 11) | add | $\mathbb{W}$            | b[11]       | b[10:0]          | b[11:0]     |
| (n + 12) | add | W                       | b[31:12]    | b[11:0]          | bTypeImm    |
| (n + 13) | and | W                       | instr       | -12Bitmask       | uTypeImm    |
| (n + 14) | and | W                       | rs2         | -bitPicker       | j[4:0]      |
| (n + 15) | and | $\overline{\mathbb{W}}$ | rs2         | bitPicker        | j[11]Pre    |
| (n + 16) | sll | $\overline{\mathbb{W}}$ | j[11]Pre    | shiftBy11        | j[11]       |
| (n + 17) | sll | $\overline{\mathbb{W}}$ | funct3      | shift To Funct 3 | j[14:12]    |
| (n + 18) | sll | $\overline{\mathbb{W}}$ | rs1         | shift ToRs1      | j[19:15]    |
| (n + 19) | sra | $\overline{\mathbb{W}}$ | instr       | shiftBy11        | j[31:20]Pre |
| (n + 20) | and | $\mathbb{W}$            | j[31:20]Pre | -20 Bitmask      | j[31:20]    |
| (n + 21) | add | $\mathbb{W}$            | b[10:5]     | j[4:0]           | j[10:0]     |
| (n + 22) | add | $\mathbb{W}$            | j[11]       | j[10:0]          | j[11:0]     |
| (n + 23) | add | $\mathbb{W}$            | j[14:12]    | j[11:0]          | j[14:0]     |
| (n + 24) | add | $\mathbb{W}$            | j[19:15]    | j[14:0]          | j[19:0]     |
| (n + 25) | add | W                       | j[31:20]    | j[19:0]          | jTypeImm    |

Figure 8: Extraction of all imm types from the instruction

| (n + 0)  | eq   | Bool           | opcode   | store    |          | isSType  |
|----------|------|----------------|----------|----------|----------|----------|
| (n + 1)  | eq   | Bool           | opcode   | branch   |          | is BType |
| (n + 2)  | eq   | Bool           | opcode   | auipc    |          | uType1   |
| (n + 3)  | eq   | Bool           | opcode   | lui      |          | uType2   |
| (n + 4)  | or   | Bool           | uType1   | uType2   |          | is UType |
| (n + 5)  | eq   | Bool           | opcode   | jal      |          | is JType |
|          |      |                |          |          |          |          |
| (n + 6)  | ite  | W              | is SType | sTypeImm | iTypeImm | checkS   |
| (n + 7)  | ite  | $\overline{W}$ | is BType | bTypeImm | checkS   | checkB   |
| (n + 8)  | ite  | $\overline{W}$ | is UType | uTypeImm | checkB   | checkU   |
| (n + 9)  | ite  | $\overline{W}$ | is JType | jTypeImm | checkU   | imm32    |
|          |      |                |          |          |          |          |
| (n + 10) | sext | D              | imm32    | 32       |          | imm      |

Figure 9: Finding the correct immediate by opcode

| (isJALR a | already ex | rists) |              |              |             |
|-----------|------------|--------|--------------|--------------|-------------|
| n         | and        | Bool   | isLoad       | is 5 Funct 3 | isLHU       |
| (n + 0)   | consth     | W      | 20           |              | SUBWf7      |
| (n + 1)   | eq         | Bool   | funct7       | SUBWf7       | fits F7SUBW |
| (n + 2)   | and        | Bool   | is 0 Funct 3 | fits F7SUBW  | fits F3SUBW |
| (n + 3)   | and        | Bool   | isLoad       | fits F3SUBW  | is SUBW     |

(TODO: Use subfigs)

Figure 10: Instruction detection of JALR, LHU and SUBW as described in Algorithm 5

# 4.2.6 Instruction Detection

For the next-state logic, the only thing left that we need to know is the actual current command. So I defined a check is Instruction for each instruction. As this is quite repetitive, Algorithm 5 describes a generalized approach to reach these booleans. An example for each instruction subgroup in Algorithm 5 can be found in Figure 10. Of course the funct7 checks from the needsf7 subgroup can be reused if multiple instructions use the same funct7.

```
add to model:
  (n + 0)
                          opcode
                                    load
                                                   isLoad
              eq
                  Bool
  (n + 1)
                          opcode
                                    opImm
                                                   isOpImm
              eq
                  Bool
  (n + 2)
                                                   isAUIPC
                  Bool
                          opcode
                                    auipc
              eq
  (n + 3)
                          opcode
                                    opImm32
                                                   isOpImm32
                   Bool
  (n + 4)
                                                   isStore
                  Bool
                          opcode
                                    store
  (n + 5)
                          opcode
                                                   isOp
                  Bool
              eq
                                    op
                                                   isLUI
  (n + 6)
              eq
                  Bool
                          opcode
                                    lui
  (n + 7)
                          opcode
                                    op32
                                                   isOp32
              eq
                  Bool
  (n + 8)
                                                   isBranch
                   Bool
                          opcode
                                    branch
              eq
                                                   is JALR
  (n + 9)
                          opcode
                                    jalr
              eq
                  Bool
 (n + 10)
                                                   isJAL
                          opcode
                  Bool
                                    jal
              eq
for i from 0 to 7 do
   add to model:
                     funct3
                              iConst
                                          isiFunct3
             Bool
        eq
end
onlyOp \leftarrow [LUI, AUIPC, JAL, JALR]
needsf7 \leftarrow [SRL, SRA, SRLI, SRAI, SRLW, SRAW, SRLWI, SRAWI, ADD,
SUB, ADDW, SUBW]
rest \leftarrow [ all other instructions ]
for all instructions I in onlyOp do
|isI| is already defined
end
for all instructions I in rest do
   opname \leftarrow opcode name of I
   f3val \leftarrow \text{expected funct3 of I as digit}
   add to model:
                                   isf3valFunct3
        and
                       <mark>is</mark>opname
                                                      isI
end
for all instructions I in needs f7 do
   opname \leftarrow opcode name of I
   f3val \leftarrow \text{expected funct3 of I as digit}
   f7hex \leftarrow \text{expected funct7 of I as hexadecimal number}
   add to model:
                                  f7hex
                                                              If7
     (n + 0)
                          W
                consth
                                  funct7
                                                  If7
                                                              fitsF7I
     (n + 1)
                          Bool
                eq
     (n + 2)
                          Bool
                                  isf3valFunct3
                                                  fitsF7I
                                                              fitsF3I
                and
     (n + 3)
                                  isopname
                                                  fitsF3I
                and
                          Bool
                                                              isI
end
```

Algorithm 5: Generalised approach to instruction detection



Figure 11: Instruction execution for chosen instructions

# 4.2.7 Next-State Logic

The next state logic is basically the core of the model. Almost everything else works towards this point. The Goal is to create the changes each instruction would make and then only inserting the changes specific to the instruction in the state. Each state node in the model must have an accompanying next node to work as intended. But first the changed values are needed.

### Creating all Values of Instruction execution

It would be too long and unnecessary to go through all instructions, as this is simply following the RV64I ISA, but I want to give an example for each group of instructions as they were divided in Table 1. I show this for AUIPC, JALR, BEQ, LHU, SD, ANDI, SLLIW, SLT and SUBW in Figure 11. In this examples one can see multiple overlaps which can be used, e.g. the addresses for load and store instructions or the 32bit versions of the word instructions. Also, I took SD to show that all other store instructions happen as interim results of preparing SD. It is similar with load instructions, but here we only get overlapping pre-results which each have to be sign extended to the expected 64bit on their own.

With this done we can sort each change to its instruction.

#### The next Memory

Defining the next memory array is simple. I just cascade through all store instructions with if-then-else nodes and by setting the final 'else' as the current memory array, if

| (n + 0) | add   | AS | pc       | pcInc       | nextPc      |
|---------|-------|----|----------|-------------|-------------|
| (n + 1) | add   | D  | imm      | rs1val      | pcJALR64pre |
| (n + 2) | and   | D  | -1Const  | pcJALR64pre | pcJALR64    |
| (n + 3) | slice | AS | pcJALR64 | 15          | pcJALR      |
| (n + 4) | uext  | D  | nextPc   | 48          | rdJALR      |

(TODO: pc overflow erwähnen)

**11.2:** JALR

Figure 11: Instruction execution for chosen instructions

| (n + 0) | add   | AS   | pc          | pcInc    |        | nextPc      |
|---------|-------|------|-------------|----------|--------|-------------|
| (n + 1) | slice | AS   | imm         | 15       | 0      | ImmAS       |
| (n + 2) | add   | AS   | pc          | ImmAS    |        | pcBranch    |
| (n + 3) | eq    | Bool | rs1val      | rs2val   |        | is BEQ cond |
| (n + 4) | ite   | AS   | is BEQ cond | pcBranch | nextPc | pcBEQ       |

**11.3:** BEQ

Figure 11: Instruction execution for chosen instructions

| (n + 0) | add    | D  | rs1val     | imm        |   | 1stAddrPre |
|---------|--------|----|------------|------------|---|------------|
| (n + 1) | slice  | AS | 1stAddrPre | 15         | 0 | 1stAddr    |
| (n + 2) | add    | AS | 1stAddr    | addressInc |   | 2ndAddr    |
| (n + 3) | read   | В  | memory     | 1stAddr    |   | loadB1     |
| (n + 4) | read   | В  | memory     | 2ndAddr    |   | loadB2     |
| (n + 5) | concat | Η  | loadB2     | loadB1     |   | loadB2B1   |
| (n + 6) | uext   | D  | loadB2B1   | 48         | 0 | rdLHU      |

**11.4:** LHU

Figure 11: Instruction execution for chosen instructions

| (n + 0)  | add   | D   | rs1val     | imm        |          | 1stAddrPre |
|----------|-------|-----|------------|------------|----------|------------|
| (n + 1)  | slice | AS  | 1stAddrPre | 15         | 0        | 1stAddr    |
| (n + 2)  | add   | AS  | 1stAddr    | addressInc |          | 2ndAddr    |
| (n + 3)  | add   | AS  | 2ndAddr    | addressInc |          | 3rdAddr    |
| (n + 4)  | add   | AS  | 3rdAddr    | addressInc |          | 4thAddr    |
| (n + 5)  | add   | AS  | 4thAddr    | addressInc |          | 5thAddr    |
| (n + 6)  | add   | AS  | 5thAddr    | addressInc |          | 6thAddr    |
| (n + 7)  | add   | AS  | 6thAddr    | addressInc |          | 7thAddr    |
| (n + 8)  | add   | AS  | 7thAddr    | addressInc |          | 8thAddr    |
|          |       |     |            |            |          |            |
| (n + 9)  | slice | В   | rs2val     | 7          | 0        | store B1   |
| (n + 10) | slice | В   | rs2val     | 15         | 8        | store B2   |
| (n + 11) | slice | В   | rs2val     | 23         | 16       | store B3   |
| (n + 12) | slice | В   | rs2val     | 31         | 24       | store B4   |
| (n + 13) | slice | В   | rs2val     | 39         | 32       | store B5   |
| (n + 14) | slice | В   | rs2val     | 47         | 40       | store B6   |
| (n + 15) | slice | В   | rs2val     | 55         | 48       | storeB7    |
| (n + 16) | slice | В   | rs2val     | 63         | 56       | store B8   |
|          |       |     |            |            |          |            |
| (n + 17) | write | Mem | memory     | 1stAddr    | storeB1  | memorySB   |
| (n + 18) | write | Mem | memorySB   | 2ndAddr    | storeB2  | memorySH   |
| (n + 19) | write | Mem | memorySH   | 3rdAddr    | storeB3  | memoryB3   |
| (n + 20) | write | Mem | memoryB3   | 4thAddr    | store B4 | memorySW   |
| (n + 21) | write | Mem | memorySW   | 5thAddr    | store B5 | memoryB5   |
| (n + 22) | write | Mem | memoryB5   | 6thAddr    | store B6 | memoryB6   |
| (n + 23) | write | Mem | memoryB6   | 7thAddr    | storeB7  | memoryB7   |
| (n + 24) | write | Mem | memoryB7   | 8thAddr    | storeB8  | memorySD   |

**11.5:** SD

Figure 11: Instruction execution for chosen instructions

| n | and | D | rs1val  | imm  | rdANDI |
|---|-----|---|---------|------|--------|
|   |     |   | 11.6: / | ANDI |        |

Figure 11: Instruction execution for chosen instructions

| (n + 0) | and   | W                       | imm32    | 5Bitmask |   | shamtIW     |
|---------|-------|-------------------------|----------|----------|---|-------------|
| (n + 1) | slice | $\overline{\mathbb{W}}$ | rs1val   | 31       | 0 | rs1val32    |
| (n + 2) | sll   | $\overline{\mathbb{W}}$ | rs1val32 | shamtIW  |   | rdSLLIW pre |
| (n + 3) | sext  | D                       | rs1val32 | 32       |   | rdSLLIW     |

**11.7:** SLLIW

Figure 11: Instruction execution for chosen instructions

| ( , 4)                       |       |
|------------------------------|-------|
| (n + 1) uext D $rdSLTpre$ 63 | rdSLT |

**11.8:** SLT

Figure 11: Instruction execution for chosen instructions

| (n + 0) | slice | W                       | rs1val    | 31       | 0 | rs1val32  |
|---------|-------|-------------------------|-----------|----------|---|-----------|
| (n + 1) | slice | $\mathbb{W}$            | rs2val    | 31       | 0 | rs2val32  |
| (n + 2) | sub   | $\overline{\mathbb{W}}$ | rs1val32  | rs2val32 |   | rdSUBWpre |
| (n + 3) | sext  | D                       | rdSUBWpre | 32       |   | rdSUBW    |

**11.9:** SUBW

Figure 11: Instruction execution for chosen instructions

no 'if' catches, the array is not changed. All this is shown in Figure 12.

# The next pc

For the next pc it looks mostly the same as shown in Figure 13. Only the behavior if no 'if' catches is different as pc must point to the next instruction to execute. This nextPc was already computed for the JAL and JALR instructions, so I reused it. The unconditional jumps also change the value in rd, but this is done in the next subsection.

### The next rd

At last the x registers must be updated. The procedure is defined in Figure 6. With exception to x0 this is the same for all these registers. Also, it is similar in its

| (n + 0) | ite  | Mem | isSB   | memorySB | memory  | newMem3 |
|---------|------|-----|--------|----------|---------|---------|
| (n + 1) | ite  | Mem | isSH   | memorySH | newMem3 | newMem2 |
| (n + 2) | ite  | Mem | isSW   | memorySW | newMem2 | newMem1 |
| (n + 3) | ite  | Mem | isSD   | memorySD | newMem1 | newMem  |
| (n + 4) | next | Mem | memory | newMem   |         |         |

Figure 12: Next-State logic for the memory array

```
newPc7
(n + 0)
                    isBGEU
                              pcBGEU
                                         nextPc
         ite
                AS
(n + 1)
                AS
                    isBLTU
                              pcBLTU
                                         newPc7
                                                  newPc6
         ite
(n + 2)
                                         newPc6
                                                  newPc5
         ite
                AS
                    isBGE
                              pcBGE
(n + 3)
         ite
                AS
                    isBLT
                              pcBLT
                                         newPc5
                                                  newPc4
(n + 4)
                AS
                    isBNE
                              pcBNE
                                         newPc4
                                                  newPc3
         ite
(n + 5)
         ite
                AS
                    isBEQ
                              pcBEQ
                                         newPc3
                                                  newPc2
(n + 6)
                    isJALR
                              pcJALR
                                         newPc2
                                                  newPc1
         ite
                AS
(n + 7)
                AS
                    isJAL
                              pcJAL
                                         newPc1
                                                  newPc
         ite
(n + 8)
         next
                AS
                    pc
                              newPc
```

Figure 13: Next-State logic for the pc register

procedure as defining the next memory or pc but instead of a handful of instructions, I have to go over 39 of them as only branch and store instructions do not change rd. Because of this, I took the liberty to not exactly show the cascade for all relevant instructions in Algorithm 6 but only indicate it.

```
add to model:
                    x0
    next
                x0
for i from 1 to 31 do
   add to model:
                                                                newXi-49
                                isLUI
                                          rdLUI
       (n + 0)
                                                      xi
                  ite
                         D
                  ite
                         D
      (n + 47)
                                isSRAW
                                          rdSRAW
                                                      newXi-2
                                                                newXi-1
                 ite
                         D
      (n + 48)
                 eq
                         Bool
                                rd
                                          iConst
                                                                isRdXi
      (n + 49)
                  ite
                         D
                                isRdXi
                                          newX_{i-1}
                                                      хi
                                                                newXi
      (n + 50)
                 next
                         D
                                xi
                                          newXi
end
```

**Algorithm 6:** Next-state logic for all x registers

#### 4.2.8 Constraints

The only thing left is to define constraints to end the model checker. First is the intended end of reaching a set number of Iterations. It is shown in Figure 14.

After this I defined some extra constraints to check for bad instructions. First is

| (n + 0) | one    | D    |             |               | counterInc    |
|---------|--------|------|-------------|---------------|---------------|
| (n + 1) | constd | D    | nIterations |               | maxIterations |
| (n + 2) | state  | D    |             |               | counter       |
| (n + 3) | init   | D    | counter     | emptyReg      |               |
| (n + 4) | add    | D    | counter     | counterInc    | newCounter    |
| (n + 5) | next   | D    | counter     | newCounter    |               |
| (n + 6) | eq     | Bool | counter     | maxIterations | is Max Iter   |
| (n + 7) | bad    |      | is Max Iter |               |               |

Figure 14: Constraining the model by iteration count

checked if the opcode is valid for my model. The second constraint catches if the instruction can not be detected even whilst the opcode is valid. This is shown in Figure 15. The constraint in Figure 16 handles instruction-address-misaligned exceptions for jump instructions.

Of course other constraints can be defined. Options would be to stop on a specific pc or if a register reaches a specified value.

```
(TODO: Maybe add examples on how to do?)
(TODO: Maybe internal references in figures should be numbers...)
```

# 4.3 Testing for Correctness

To test my model, I compared its results to my RISC-V simulators (Section 2.3) results.

With a given state, both the simulation and the BTOR2 model are run. For both the iteration maximum is set to 1. The resulting BTOR2 witness can not be directly compared to the resulting state of the simulation. So I also implemented a simple converter from witness to state [7, src/restate\_witness.c]. These two states now can be compared. I have written a shell script for this at [7, sh\_utils/compare\_iterations.sh]

| (n + 0)       | or  | Bool | isLoad          | isOpImm           | isOpcodeValid9    |
|---------------|-----|------|-----------------|-------------------|-------------------|
| (n + 1)       | or  | Bool | is AUIPC        | is Opcode Valid 9 | is Opcode Valid 8 |
| (n + 2)       | or  | Bool | isOpImm32       | is Opcode Valid 8 | is Opcode Valid 7 |
| (n + 3)       | or  | Bool | isStore         | is Opcode Valid 7 | is Opcode Valid 6 |
| (n + 4)       | or  | Bool | isOp            | is Opcode Valid 6 | is Opcode Valid 5 |
| (n + 5)       | or  | Bool | is LUI          | is Opcode Valid 5 | isOpcodeValid4    |
| (n + 6)       | or  | Bool | isOp32          | is Opcode Valid 4 | isOpcodeValid3    |
| (n + 7)       | or  | Bool | is Branch       | is Opcode Valid 3 | isOpcodeValid2    |
| (n + 8)       | or  | Bool | is JALR         | is Opcode Valid 2 | is Opcode Valid 1 |
| (n + 9)       | or  | Bool | is JAL          | is Opcode Valid 1 | isOpcodeValid     |
| (n + 10)      | bad |      | -isOpcodeValid  |                   |                   |
|               |     |      |                 |                   |                   |
| (n + 11)      | or  | Bool | is LUI          | is AUIPC          | is Instr Valid 47 |
| (n + 12)      | or  | Bool | is JAL          | is Instr Valid 47 | is Instr Valid 46 |
| :             | or  | Bool | :               | :                 | :                 |
| ·<br>(-   E0) |     |      | ·<br>:aCD AW    | isInstrValid1     | isInstrValid      |
| (n + 58)      | or  | Bool | is SRAW         |                   | isinstr vand      |
| (n + 59)      | and | Bool | -is Instr Valid | isOpcodeValid     | unknownInstr      |
| (n + 60)      | bad |      | unknownInstr    |                   |                   |

Figure 15: Constraining the model on unknown instructions

| ro<br>tmask<br>itsJAL<br>itsJALR |
|----------------------------------|
| its JAL                          |
| its IALR                         |
| UDUALLI                          |
| itsBEQ                           |
| •                                |
| itsBGEU                          |
| wange (                          |
| saJAL                            |
| saJALR                           |
| saBEQ                            |
| ADE Q                            |
|                                  |
| saBGEU                           |
|                                  |
| sa6                              |
| sa5                              |
|                                  |
| sa                               |
|                                  |
| i                                |

 $\textbf{Figure 16:} \ \ \textbf{Constraining the model on misaligned addresses} \\$ 

To generate RISC-V states, I implemented a fuzzer [7, src/state\_fuzzer.c] to generate randomized states with one valid instruction at the address of pc. The fuzzer first chooses an instruction to test, on this basis it fills all variable parts of the instruction, e.g. rd or imm. Now all registers relevant to the instruction are filled with a random 64bit value. Also, a pc value is generated so that the instruction still fits in the limited address space of the BTOR2 model. At last if a jump instruction was chosen, a possible address misalignment is fixed and an address overflow prevented. The second part is for simplifying later comparison on the resulting states, as now a correct execution of the instruction always results in the exact same resulting state although the differences between simulation and the BTOR2 model.

With this it is possible to start a series of test. For this I implemented a shell script, too [7, sh\_utils/test\_btor2\_model.sh]. Also, as with big amounts of tests, it becomes harder to keep an overview over failed tests. To counter this I also have written a script to unite all failed tests into one file and also add some not so easy to access information like instruction name or immediate value [7, sh\_utils/diff\_logger.sh].

I have run around 5,000,000 tests on this model without one failing, so I assume that my implementation is correct.

# 5 Benchmarks

With a model implemented, I can test how good it runs. I run my benchmarks on an Intel Core i5-6200U with the btormc model checker published with the BTOR2 format [2]. Each test was run five times and the resulting times averaged. I also tried to run the tests with the model checkers avr and pono (TODO: cite) as they placed first and second in the hardware model checking competition of 2024, but I will talk about them at the results.

# 5.1 Tests

I devised two base tests formed from four RISC-V instructions as shown in Figure 17. I chose to implement one test with and one without memory operation to be able to measure the impact memory operations have in the model. For this reason the program for these tests are very similar. Both have three instructions forming a loop and one instruction as a "workhorse". My naming for these also derive from this instruction as add and write\_mem. This program is set into a state. An example for this is found in Figure 18, where the add program is set up for 256 loops. In this, x1 acts as a loop limiter, x2 as a loop counter and x3 as an accumulator. The instructions are set in the first bytes of the memory. In difference to this, the memory operation test uses x2 also as an address to store the first byte of a register and x3 as this register. Both tests are also implemented with rising loop counts up to 2048 to form a reference on how they behave with more iterations to process.

```
bge x2 x1 0x10 jump out of program if x1 = x2
add x3 x3 x2 either (add counter onto x3)
sb x3 0x14(x2) or (store the first byte of x3 at counter + 0x14)
addi x2 x2 0x1 increment counter in x2
jalr x0 x0 0x0 jump back to address 0
```

Figure 17: Base test cases for the benchmarks

```
REGISTERS:
PC:0
x1:100
x2:0

MEMORY:
0:001158E3 # BGE x2 x1 0x10
4:002181B3 # ADD x3 x3 x2
8:00110113 # ADDI x2 x2 1
c:00000067 # JALR x0 x0 0
```

Figure 18: Example state for benchmark add 0256

Further on I tested the impact of initialized memory on the runtime of the test. For this I added tests with the prefix fullmem, where I filled the memory addresses 0x18 to 0xfff with the pattern '0101'. The first four words of the memory are not filled for there lies the program of the test. The fifth could also be filled instead of being left zero-initialized, but I decided against it because the test is designed to terminate by jumping to this address and not finding a valid instruction there. Leaving it zero-initialized guarantees this. To further extend on this test, I also added some tests on double the initialized memory, so filled to the address 0x1fff. (TODO: benchmark them, add times)

# I also tested on the impact of the address space size. For this I generated models from add\_0256, add\_1024, write\_mem\_0256 and write\_mem\_1024 with extended address space. These tests have the prefix "extaddr\_x", where x is the maximum

Finally, I also implemented the base add tests similar to the BTOR2 model that

length of an address in this model in bits.

F.Schrögendorfer describes in his master thesis [3, Chapter 8]. These tests have the prefix "nopc", as the pc is abstracted to activation flags for each instruction. I show the generation of the model on the example of nopc\_add\_0256. First of, we need the sorts necessary for RISC-V and the constants necessary for the model:

```
1
                             bool
    sort
             bitvec
                       1
2
                       8
                             memcell
    sort
             bitvec
3
             bitvec
                       16
                             addressspace
    sort
4
             bitvec
                       64
                             register
    sort
                             Memory
5
                       3 2
    sort
             array
6
                             false
    zero
    one
                             true
8
              2
                             emptymem
    zero
             4
9
                             emptyreg
    zero
              3
10
                             pcinit
    zero
11
    consth
             3
                       4
                             pcinc
12
    consth
                       10
                             instr1_pcmod
13
    consth
                       100
                             nloops
```

With this now the registers and memory can be defined:

```
x21
99
     state
                            110
                                  state
                                              x10
                                                         121
                  pc
                                                               state
100
     state
                  \bar{x}0
                            111
                                  state
                                              x11
                                                         122
                                                               state
                                                                       4
                                                                           x22
                                                                           x23
              4
                                                         123
                                                                       4
101
      state
                  x1
                            112
                                  state
                                              x12
                                                               state
102
              4
                            113
                                          4
                                              x13
                                                         124
                                                                       4
                  x2
                                  state
                                                               state
                                                                           x24
     state
                                                                           x25
103
     state
              4
                  x3
                            114
                                  state
                                          4
                                              x14
                                                         125
                                                               state
                                                                       4
              4
                            115
                                          4
                                                         126
                                                                       4
                                                                           x26
104
                                              x15
     state
                  x4
                                  state
                                                               state
105
                            116
                                                         127
     state
                  x5
                                  state
                                              x16
                                                               state
                                                                           x27
106
     state
              4
                  x6
                            117
                                  state
                                          4
                                              x17
                                                         128
                                                               state
                                                                       4
                                                                           x28
                                          4
                                              x18
                                                         129
                                                                       4
                                                                           x29
107
              4
                            118
                                  state
     state
                  x7
                                                               state
108
              4
                  x8
                            119
                                          4
                                                         130
                                                                       4
                                                                           x30
     state
                                  state
                                              x19
                                                               state
                  x09
                            120
                                          4
109
     state
              4
                                  state
                                              x20
                                                         131
                                                               state
                                                                           x31
```

Note that I skipped the node IDs of 14-98. As BTOR2 needs unique but not continuous node IDs, I took this liberty so each register node ID equals the register nuber plus 100. By this it becomes easier to write a model by hand.

Next the initial memory is placed in the model:

```
144
                                       169
                                                          166 167 168
     state
               5
                                            write
145
               5
                   14 8
                                       170
                                                      3
     init
                                            consth
                                                          8
               3
                                                      2
146
     consth
                  0
                                       171
                                            consth
                                                          13
               2
                                                      5
147
                  e3
                                       172
                                                          169 170 171
     consth
                                            write
               5
                                                      3
148
                   144 146 147
                                       173
     write
                                            consth
                                                      25
               3
                                       174
                                                          01
149
                  1
     consth
                                            consth
150
               2
                  58
                                       175
                                                          172 173 174
     consth
                                            write
                                                      3
               5
                   148 149 150
151
     write
                                       176
                                            consth
               3
                  2
                                                      2
152
     consth
                                       177
                                                          11
                                            consth
153
     consth
               2
                  11
                                       178
                                            write
                                                      5
                                                          175 176 177
                                                      3
               5
                   151 152 153
154
     write
                                       179
                                            consth
                                                          b
                                                      25
155
     consth
               3
                  3
                                       180
                                                          00
                                            consth
156
                  00
                                       181
                                                          178 179 180
     consth
                                            write
               5
                                                      3
157
                   154 155 156
                                       182
     write
                                            consth
                                                      25
               3
                                                          67
158
                  4
                                       183
                                            consth
     consth
               2
                                                          181 182 183
159
     consth
                  b3
                                       184
                                            write
                                                      3
160
     write
               5
                  157 158 159
                                       185
                                                          d
                                            consth
161
               3
                  5
                                       186
                                                      2
                                                          00
     consth
                                            consth
                                                      5
               2
                  81
                                                          184 185 186
162
     consth
                                       187
                                            write
163
               5
                  16 161 162
                                       188
                                                      3
     write
                                            consth
                                                      2
164
     consth
               3
                   6
                                       189
                                            consth
                                                          00
                                                      5
               2
                  21
                                       190
                                                          187 188 189
165
     consth
                                            write
               5
                      164 165
                                                      3
166
     write
                   16
                                       191
                                            consth
                                                          f
                                                      2
167
      consth
               3
                  7
                                       192
                                            consth
                                                          00
                                                      5
168
     consth
                  00
                                       193
                                            write
                                                          190 191 192
```

Due to constraints in BTOR2, the initial memory must be placed before the intended memory state node. Node 144 is again a state only for initializing the memory, as I previously did in the initialisation for my own model found in Section 4.2.3.

Now the real memory state can be defined. With this I also define the flags for each instruction. I changed their name from stmt (Schrögendorfer) to instr for increased clarity. An exit code is not necessary as I do not need differentiation between terminations of the model, more so I am only interested when the model terminates.

```
199
              5
      state
                  memory
200
               1
                  instr0
      state
201
      state
               1
                  instr1
202
               1
                  instr2
      state
203
               1
                   instr3
      state
               1
204
      state
                   endflag
```

Next up would be the inputs and constraints for these. Both are not needed for the RISC-V model because neither are threads needed as I do not model parallel processing, nor is flushing as I use a naive memory model. And without inputs, the constraints are also nonexistent. So really, next up is initialization and transitions of the states. First is pc:

```
300
             3
                 99
                                   pc is zero initialized
      init
                       10
301
      add
             3
                 99
                       11
                                   normal pc operation
302
             3
                 99
      add
                       12
                                   instr1 jump
303
             1
                 101
                       102
                                   instr1 branch condition
      eq
                                   \it IF\ condition\ THEN\ jump\ ELSE\ increment
             3
304
                       302
                             301
      ite
                 303
305
             3
                 200
                                   IF instr1 THEN check £LSE leave pc
                       304
                             99
      ite
306
      or
                 201
                       202
                                   instr2-3
             3
                                   IF instr2-3 THEN increment ELSE instr1
307
      ite
                 306
                       301
                             305
308
             3
                                   IF instr4 THEN jump0 ELSE try instr2-3
                 203
                       10
      ite
                             307
             3
309
                 99
                       308
      next
```

As the transition for pc are quite possibly the most complex I added some explanation. x0 and x1 are skipped for now, so next registers x2 and x3:

```
314
      init
              4
                  102
                                          319
                                                init
                                                            103
315
              4
                                          320
                                                        4
                                                           102
                                                                  103
                                                add
      one
              4
                  102
                                                        4
                                                            201
                                                                  320
                                                                        103
316
      add
                        315
                                          321
                                                ite
                                                        4
              4
                  202
                        316
                              102
                                          322
                                                                  321
317
      ite
                                                next
                                                            103
318
             4
                  102
                        317
      next
```

x2 increments by one each time the third instruction is run and x3 adds x2 every time the second instruction is run. All other registers and the memory do not change during execution, so I show them in one big block:

```
310
     init 4 100 9
                            340
                                  next 4 112 112
                                                        361
                                                              init 4 123 9
311
     next
           4
              100 100
                            341
                                  init 4
                                          113 9
                                                                    4
                                                                      123 123
                                                        362
                                                              next
           4
                                  next 4
                                          113 113
312
     init
              101 13
                            342
                                                              init 4 124 9
                                                        363
313
     next
           4
              101
                  101
                            343
                                  init 4
                                          114 9
                                                        364
                                                              next 4
                                                                      124 124
      \mathtt{init}\ 4
                                  next 4
                                          114 114
323
              104 9
                            344
                                                                       125 9
                                                        365
                                                              init 4
324
           4
              104
                   104
                            345
                                  \mathtt{init}\ 4
                                          115 9
     next
                                                              next 4
                                                        366
                                                                       125
                                                                           125
325
      init
           4
              105
                   9
                            346
                                  next
                                        4
                                          115
                                               115
                                                              init 4
                                                        367
                                                                       126
                                                                           9
                                          116 9
326
           4
                            347
                                  \mathtt{init}\ 4
              105
                  105
     next
                                                        368
                                                              \mathtt{next} 4
                                                                       126
                                                                           126
327
     init 4
                            348
              106
                  9
                                  next 4
                                          116
                                               116
                                                        369
                                                              init 4
                                                                       127
328
     next
           4
              106
                  106
                            349
                                  init 4
                                          117 9
                                                        370
                                                              \mathtt{next}\ 4
                                                                       127
                                                                           127
                                  \mathtt{next} 4
                                               117
329
           4
                            350
                                          117
              107
                   9
     init
                                                        371
                                                              init 4
                                                                       128
330
           4
              107
                   107
                            351
                                  \mathtt{init}\ 4
                                          118
     next
                                                        372
                                                              next
                                                                    4
                                                                       128
                                                                           128
331
           4
              108
                   9
                            352
                                  next 4
                                               118
      init
                                          118
                                                        373
                                                              \mathtt{init}\ 4
                                                                       129
332
                                  init 4
     next
           4
              108
                  108
                            353
                                          119 9
                                                        374
                                                              next 4
                                                                       129
                                                                           129
333
      init
           4
              109 9
                            354
                                  next 4
                                          119 119
                                                        375
                                                              init 4
                                                                       130 9
334
           4
              109 109
                            355
                                  init 4
                                          120 9
     next
                                                                       130
                                                        376
                                                              next 4
                                                                           130
335
           4
              110 9
                            356
                                  \mathtt{next} 4
     init
                                          120
                                               120
                                                        377
                                                                    4
                                                                       131
                                                              init
336
     next
           4
              110
                  110
                            357
                                  init 4
                                          121
                                               9
                                                                    4
                                                        378
                                                                       131
                                                                           131
                                                              next
              111 9
                                  \mathtt{next} 4
           4
                            358
                                          121 121
337
     init
                                                        379
                                                              init 5 199 193
338
     next 4
              111 111
                            359
                                  init 4 122 9
                                                              next 5 199 199
                                                        380
      init 4 112 9
                            360
                                  next 4 122 122
339
```

Now only the instruction flags are left to handle:

```
200 7
381
      init
                                instr0 executes initally
382
                   200 203
                                instr0 only after instr3
     next
                   201 6
      init
                   200 -303
                                instr0 and no branch
384
      and
                                instr1 only after non-branching instr0
385
      next
                   201 384
386
                   202 6
      init
387
                    202 201
                                instr2 only after instr2
      next
                   203 6
388
      init
389
                   203 202
                                instr3 only after instr3
      next
390
                   204 6
                   200 303
391
      and
392
                   204 391
                                endflag if instr0 branches
      next
400
      bad
             204
                                endflag terminates
```

And with this, the model is can be run. The whole suite of add tests can be derived from this model by changing the constant value of node 13 to the appropriate loop count.

# 5.2 Results

To start I placed all iterations based benchmarks with btormc into Table 3 and the benchmarks of extended address space into Table 4. From Table 4 one can assume that the extension of address space does not impact the runtime of the model checker in a meaningful way. As seen in Table 5, with rising loop counts, memory operations need increasingly more time in comparison to their respective non-memory operation benchmarks. Also with rising loop counts the impact of large amounts of memory initialised is reduced, which was to be expected.

The nopc benchmark is significantly faster than my model. This was to be expected, as Schrögendorfer models one RISC-V program specifically whereas I model the processor and feed it different programs by initialization. In this perspective, it is not surprising that a specialised model is faster than a generalised one. (TODO: Add example for finding an instruction?)

I also wanted to benchmark with the model checkers avr and pono, as they made first and second place in the hardware model checking competition 2024. but sadly avr did not terminate in over 15 minutes when tasked to check the add 0256 benchmark.

| loong |        | base     | fu     | nopc     |       |
|-------|--------|----------|--------|----------|-------|
| loops | add    | writemem | add    | writemem | add   |
| -0256 | 2.635  | 2.877    | 9.759  | 13.344   | 0.136 |
| 0512  | 6.195  | 7.306    | 16.402 | 24.209   | 0.268 |
| 0768  | 10.802 | 13.283   | 24.093 | 36.388   | 0.414 |
| 1024  | 16.306 | 21.004   | 32.732 | 50.376   | 0.569 |
| 1280  | 23.032 | 30.200   | 42.410 | 65.746   | 0.728 |
| 1536  | 30.669 | 41.262   | 52.961 | 83.036   | 0.898 |
| 1792  | 39.463 | 53.940   | 64.598 | 101.475  | 1.075 |
| 2048  | 48.944 | 68.521   | 77.084 | 122.189  | 1.276 |

 Table 3: Times of iterations based benchmarks

| bits of address space | 16     | 17     | 18     | 19     | 20     |
|-----------------------|--------|--------|--------|--------|--------|
| add $0256$            | 2.635  | 2.632  | 2.626  | 2.626  | 2.624  |
| $add^{-}1024$         | 16.306 | 16.464 | 16.511 | 16.452 | 16.460 |
| $writemem^-0256$      | 2.877  | 2.88   | 2.890  | 2.889  | 2.890  |
| $writemem^{-}1024$    | 21.004 | 21.131 | 21.215 | 21.181 | 21.163 |

Table 4: Times of extended address space benchmarks

| loops | $\frac{add}{writemem}$ | $\frac{fullmem\_add}{fullmem\_writemem}$ | $\frac{add}{fullmem\_add}$ | $\frac{writemem}{fullmem\_writemem}$ | $rac{add}{nopc\_add}$ |
|-------|------------------------|------------------------------------------|----------------------------|--------------------------------------|------------------------|
| 0256  | 0.92                   | 0.73                                     | 0.27                       | 0.22                                 | 19.38                  |
| 0512  | 0.85                   | 0.68                                     | 0.38                       | 0.3                                  | 23.12                  |
| 0768  | 0.81                   | 0.66                                     | 0.45                       | 0.37                                 | 26.09                  |
| 1024  | 0.78                   | 0.65                                     | 0.5                        | 0.42                                 | 28.66                  |
| 1280  | 0.76                   | 0.65                                     | 0.54                       | 0.46                                 | 31.64                  |
| 1536  | 0.74                   | 0.64                                     | 0.58                       | 0.5                                  | 34.15                  |
| 1792  | 0.73                   | 0.64                                     | 0.61                       | 0.53                                 | 36.71                  |
| 2048  | 0.71                   | 0.63                                     | 0.63                       | 0.56                                 | 38.36                  |

 Table 5: Relative runtime of benchmarks

Pono found that this benchmark is satisfiable but also in a non-competitive time of almost exactly six minutes when using the option <code>-smt-solver</code> cvc5. With the option <code>-smt-solver</code> bzla, pono always took more time but worked, other solvers said that they can not handle arrays. From this I concluded that seemingly better model checkers are not the best option to run my model but btormc, which even is no longer maintained since August 2024. My best guess for newer model checker beeing worse at my model is that my model does not handle inputs at all but only handles with already known constants, whilst probing through the benchmarks for the model checking competition, they all seem to involve at least one input apart from a clock signal. So state of the art model checker are possibly better at handling those inputs but not at iterating to the next state as fast as possible.

There is also another problem with avr and pono. In Section 4.3 I already wrote about transitioning from a witness back to a state, but for this, a "complete" witness as generated by the btormc option -trace-gen-full, which shows the values of all states in the last frame, is needed. avr and pono have no option to generate a complete witness and by this, after they have run it is not possible to generate a state from their output.

# 6 Conclusion

I have explained RISC-V and BTOR2, described a way to hold a state of a 64bit RISC-V processor and a BTOR2 model of a subset of RV64I, and wrote tools to transition from state to a model and from a witness of this model back to a state. Furthermore, I wrote a fuzzer for the states to test the correct functioning of the model and some simple tests to benchmark the model. Finally I presented the results of the benchmarks and discussed them, finding that seemingly better model checkers are actually not better for this special case.

# **Bibliography**

- [1] The RISC-V Instruction Set Manual Volume I: Unprivileged ISA, 2025, version 20250508. [Online]. Available: https://lf-riscv.atlassian.net/wiki/spaces/HOME/pages/16154769/RISC-V+Technical+Specifications
- [2] A. Niemetz, M. Preiner, C. Wolf, and A. Biere, "Btor2, BtorMC and Boolector 3.0," in *Computer Aided Verification*, H. Chockler and G. Weissenbacher, Eds. Cham: Springer International Publishing, 2018, pp. 587–595.
- [3] F. Schrögendorfer, "Bounded Model Checking of Lockless Programs," Master's thesis, Johannes Kepler University Linz, August 2021. [Online]. Available: https://epub.jku.at/obvulihs/download/pdf/6579523
- [4] A. Waterman, Y. Lee, D. A. Patterson, and K. Asanović, "The risc-v instruction set manual, volume i: Base user-level isa," UC Berkeley, Tech. Rep. UCB/EECS-2011-62, May 2011. [Online]. Available: http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-62.html
- [5] "History of RISC-V," https://riscv.org/about/, accessed: 15.08.2025.
- [6] "RISC-V-Simulator," https://github.com/Kr1mo/Risc-V-Simulator.
- [7] "RISC-V\_to\_BTOR2," https://github.com/Kr1mo/RISC-V\_to\_BTOR2.

(TODO: Add repo versions)