

# Formalizing SPARCv8 Instruction Set Architecture in Coq

*Jiawei Wang*<sup>1</sup> Ming Fu<sup>1</sup>  
Lei Qiao<sup>2</sup> Xinyu Feng<sup>1</sup>

October 24, 2017

University of Science and Technology of China<sup>1</sup>  
Beijing Institute of Control Engineering<sup>2</sup>

# Motivations



# Motivations

Computer System

widely used in many safety critical areas

# Motivations

Computer System



Operating System

widely used in many safety critical areas

implemented in C + assembly language

# Motivations

Computer System



Operating System

widely used in many safety critical areas

implemented in C + assembly language

verified

not verified

# Motivations

Computer System



Operating System



SpaceOS

widely used in many safety critical areas

implemented in C + assembly language



verified



not verified

C + **SPARCv8** assembly language

# Motivations

Computer System



Operating System



SpaceOS

widely used in many safety critical areas

implemented in C + assembly language

verified



not verified



C + **SPARCv8** assembly language



To verify SpaceOS, it is inevitable to formally verify the assembly code

# Verification

# Verification



# Verification



# Formalize a Language?

# Formalize a Language?

- Syntax

C ::= while e do C |  
if e then C1 else C2 | ...

# Formalize a Language?

- Syntax

$C ::= \text{while } e \text{ do } C \mid$   
 $\quad \text{if } e \text{ then } C_1 \text{ else } C_2 \mid \dots$

- Machine State

$\text{state} ::= (M, \dots)$

# Formalize a Language?

- Syntax

$C ::= \text{while } e \text{ do } C \mid$   
 $\quad \text{if } e \text{ then } C_1 \text{ else } C_2 \mid \dots$

- Machine State

$\text{state} ::= (M, \dots)$

- Operational Semantics

$(C, \text{state}) \rightarrow (C', \text{state}')$

# Contributions

## □ Modeling SPARCv8 ISA

- Syntax
- Machine State
- Operational Semantics

# Contributions

## □ Modeling SPARCv8 ISA

- Syntax
- Machine State
- Operational Semantics

## □ Properties of the Model

- Determinacy Property
- Isolation Property

# Contributions

## □ Modeling SPARCv8 ISA

- Syntax
- Machine State
- Operational Semantics

## □ Properties of the Model

- Determinacy Property
- Isolation Property

## □ Verifying a Window Overflow Trap Handler

# Contributions

- Modeling SPARCv8 ISA

- Syntax
- Machine State
- Operational Semantics

- Properties of the Model

- Determinacy Property
- Isolation Property

- Verifying a Window Overflow Trap Handler

- In Coq (11,000 lines of code)

# Challenges

# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2  
...
```

sum3:

```
save   %sp, -64, %sp  
add    %i0, %i1, %l7  
add    %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2  
...
```

place the argument 3

place the arguments 1 and 2

call sum3

sum3:

```
save   %sp, -64, %sp  
add    %i0, %i1, %l7  
add    %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2  
...
```

sum3:

```
save   %sp, -64, %sp  
add    %i0, %i1, %l7  
add    %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
PC  mov    1,  %o0  
nPC mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

sum3:

```
save   %sp, -64, %sp  
add    %i0, %i1, %l7  
add    %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
    mov    1, %o0  
PC  mov    2, %o1  
nPC call    sum3  
    mov    3, %o2
```

...

sum3:

```
    save   %sp, -64, %sp  
    add    %i0, %i1, %l7  
    add    %l7, %i2, %l7  
    ret  
    restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
    mov    1, %o0
PC  ➔ mov    2, %o1
nPC ➔ call   sum3
    mov    3, %o2
...

```

sum3:

```
    save   %sp, -64, %sp
    add    %i0, %i1, %l7
    add    %l7, %i2, %l7
    ret
    restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0
mov    2, %o1
PC   call    sum3
nPC  mov    3, %o2
...
...
```

sum3:

```
save   %sp, -64, %sp
add    %i0, %i1, %l7
add    %l7, %i2, %l7
ret
restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0
mov    2, %o1
PC   call    sum3
nPC  mov    3, %o2
...
...
```



sum3:

```
save    %sp, -64, %sp
add     %i0, %i1, %l7
add     %l7, %i2, %l7
ret
restore %l7,    0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
PC → mov    3, %o2  
...
```



sum3:

```
nPC → save    %sp, -64, %sp  
          add     %i0, %i1, %l7  
          add     %l7, %i2, %l7  
          ret  
          restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
PC → mov    3, %o2  
...
```



sum3:

```
nPC → save    %sp, -64, %sp  
          add      %i0, %i1, %l7  
          add      %l7, %i2, %l7  
          ret  
          restore %l7, 0, %o0
```

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call    sum3  
mov    3, %o2  
...
```

sum3:

|       |         |               |
|-------|---------|---------------|
| PC →  | save    | %sp, -64, %sp |
| nPC → | add     | %i0, %i1, %l7 |
|       | add     | %l7, %i2, %l7 |
|       | ret     |               |
|       | restore | %l7, 0, %o0   |

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2  
...
```

sum3:

|     |         |               |
|-----|---------|---------------|
| PC  | save    | %sp, -64, %sp |
| nPC | add     | %i0, %i1, %l7 |
|     | add     | %l7, %i2, %l7 |
|     | ret     |               |
|     | restore | %l7, 0, %o0   |

# Example: Add Three Variables

caller:

```
mov    1, %o0  
mov    2, %o1  
call  
mov    3, %o2  
...
```

Delayed-Transfer:

**call** is placed in front of **mov 3**,  
but it's executed after **mov 3**.

sum3:

|     |         |               |
|-----|---------|---------------|
| PC  | save    | %sp, -64, %sp |
| nPC | add     | %i0, %i1, %l7 |
|     | add     | %l7, %i2, %l7 |
|     | ret     |               |
|     | restore | %l7, 0, %o0   |

## caller's window



### caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

### sum3:

```
PC    save    %sp, -64, %sp  
nPC   add     %i0, %i1, %l7  
      add     %l7, %i2, %l7  
      ret  
      restore %l7, 0, %o0
```

## sum3's window



### caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

### sum3:

|       |              |               |
|-------|--------------|---------------|
| PC →  | save         | %sp, -64, %sp |
| nPC → | add          | %i0, %i1, %l7 |
|       | add          | %l7, %i2, %l7 |
|       | ret          |               |
|       | restore %l7, | 0, %o0        |

## caller's window



caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

sum3:

```
PC    save    %sp, -64, %sp  
nPC   add     %i0, %i1, %l7  
      add     %l7, %i2, %l7  
      ret  
      restore %l7, 0, %o0
```

## sum3's window



### caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

### sum3:

```
PC    save    %sp, -64, %sp  
nPC   add     %i0, %i1, %l7  
      add     %l7, %i2, %l7  
      ret  
      restore %l7, 0, %o0
```

# sum3's window

caller:

```
mov    1, %o0  
mov    2, %o1  
call  sum3  
mov    3, %o2  
...
```

sum3:

```
    save    %sp, -64, %sp  
PC  add    %i0, %i1, %l7  
nPC add    %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

# sum3's window



caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2  
...
```

sum3:

```
save    %sp, -64, %sp
add    %i0, %i1, %l7
PC    add    %l7, %i2, %l7
nPC   ret
      restore %l7,    0, %o0
```

## sum3's window



### caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2  
...
```

### sum3:

```
save   %sp, -64, %sp  
add    %i0, %i1, %l7  
add    %l7, %i2, %l7  
ret  
nPC   restore %l7, 0, %o0
```

## sum3's window



### caller:

```
mov    1,  %o0  
mov    2,  %o1  
call   sum3  
mov    3,  %o2
```

nPC → ...

### sum3:

```
save  %sp, -64, %sp  
add   %i0, %i1, %l7  
add   %l7, %i2, %l7  
ret  
restore %l7, 0, %o0
```

PC →

## sum3's window



caller:

```
mov    1,  %o0
mov    2,  %o1
call   sum3
mov    3,  %o2
```

nPC

...

sum3:

```
save   %sp, -64, %sp
add    %i0, %i1, %l7
add    %l7, %i2, %l7
ret
restore %l7, 0, %o0
```

PC

# caller's window



# caller:

```
mov    1, %o0  
mov    2, %o1  
call   sum3  
mov    3, %o2
```

nPC ...

sum3:

```
save    %sp, -64, %sp
add    %i0, %i1, %l7
add    %l7, %i2, %l7
ret
restore %l7, 0, %o0
```

PC

## caller's window



### caller:

```
mov    1,  %o0
mov    2,  %o1
call   sum3
mov    3,  %o2
```

PC ➔ ...

### sum3:

```
save   %sp, -64, %sp
add    %i0, %i1, %l7
add    %l7, %i2, %l7
ret
restore %l7, 0, %o0
```

# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows

# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction

# Annulled Instruction

foo:

beq bar

xxx

yyy

yyy

...

bar:

xxx

xxx

xxx

...

# Annulled Instruction

foo:

beq bar

xxx

yyy

yyy

...

bar:

xxx

xxx

xxx

...

# Annulled Instruction

foo:

beq bar

xxx

yyy

yyy

...



If the conditional branch is taken

bar:

xxx

xxx

xxx

...



# Annulled Instruction

foo:

beq bar

xxx

yyy

yyy

...



If the conditional branch is taken

bar:

xxx

xxx

xxx

...



# Annulled Instruction



# Annulled Instruction



# Annulled Instruction



# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction

# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction
- Delayed-write mechanism

# Delayed-Write

foo:

  wr y 0x22

  xxx

  xxx

  xxx

  xxx

  ...

-----  
| ... |  
-----  
y register

# Delayed-Write



# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction
- Delayed-write mechanism

# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction
- Delayed-write mechanism
- User mode and supervisor mode
- A variety of traps

# Trap and Mode

foo:

ld r0 0x123

...

ticc 5

...

save

...

# Trap and Mode

```
foo:  
may cause  
an error    ld r0 0x123
```

```
...  
ticc 5
```

```
...  
save
```

```
...
```

# Trap and Mode

foo:

may cause  
an error

ld r0 0x123

system call

...  
ticc 5

...

save

...

# Trap and Mode

foo:

may cause  
an error

ld r0 0x123

system call

...  
ticc 5

may cause  
an exception

...  
save  
...

# Trap and Mode

foo:

may cause  
an error

ld r0 0x123

system call

...  
ticc 5

may cause  
an exception

...  
save

...

an interrupt

# Trap and Mode



# Trap and Mode



# Challenges

SPARCv8 has the following unique mechanisms:

- Delayed-transfer instruction
- Register windows
- Annulled delay instruction
- Delayed-write mechanism
- User mode and supervisor mode
- A variety of traps

# Outline

# Outline

## □ Modeling SPARCv8 ISA

- Syntax
- Operational Semantics
- Machine State

# Syntax

(SparcIns)  $i ::= \text{bicca } \eta \beta | \text{save } rs a rd | \text{ticc } \eta \gamma | \text{restore } rs a rd | \text{rett } \beta | \text{wr rd } a \varsigma | \dots$

(OpExp)  $a ::= r | w$

operand expressions

(AddrExp)  $\beta ::= a | r + a$

address expressions

(TrapExp)  $\gamma ::= a | r + a$

trap expressions

(Word)  $w \in \text{Int32}$

32-bit integers

(GenReg)  $r ::= r0 | \dots | r31$

general registers

(TestCond)  $\eta ::= al | nv | ne | eq | \dots$

test conditions

(Symbol)  $\varsigma ::= psr | wim | tbr | y | asr$

symbol registers

(AsReg)  $asr ::= asr0 | \dots | asr31$

ancillary state registers

SPARC instructions

# Syntax in Coq

Inductive SparIns: Type :=

- | bicca: TestCond -> AddrExp -> SparIns
- | jmpl: AddrExp -> GenReg -> SparIns
- | ld: AddrExp -> GenReg -> SparIns
- | st: GenReg -> AddrExp -> SparIns
- | save: GenReg -> OpExp -> GenReg -> SparIns
- | restore: GenReg -> OpExp -> GenReg -> SparIns
- | ticc: TestCond -> TrapExp -> SparIns
- | rett: AddrExp -> SparIns
- | rd: Symbol -> GenReg -> SparIns
- | wr: GenReg -> OpExp -> Symbol -> SparIns
- | ...

# Syntax in Coq

**Inductive Symbol: Type :=**

- | psr: Symbol
- | wim: Symbol
- | tbr: Symbol
- | y: Symbol
- | Sasr: AsReg -> Symbol.

**Inductive GenReg: Type :=**

- | r0: GenReg
- | ...

**Inductive AsReg: Type :=**

- | asr0: AsReg
- | ...

**Inductive AddrExp: Type :=**

- | Ao: OpExp -> AddrExp
- | Aro: GenReg -> OpExp -> AddrExp.

**Inductive TrapExp: Type :=**

- | Tr: GenReg -> TrapExp
- | Trr: GenReg -> GenReg -> TrapExp
- | Trw: GenReg -> Word -> TrapExp
- | Tw: Word -> TrapExp.

**Inductive OpExp: Type :=**

- | Or: GenReg -> OpExp
- | Ow: Word -> OpExp.

...

# Machine State

# Machine State

world

# Machine State



# Machine State



# Machine State



# Machine State



# Machine State



# Machine State



# Machine State

(World)  $W ::= (\Delta, S)$

(RState)  $Q ::= (R, F)$

(CodePair)  $\Delta ::= (Cu, Cs)$

(RegFile)  $R \in \text{RegName} \rightarrow \text{Word}$

(CodeHeap)  $C \in \text{Label} \rightarrow \text{SparIns}$

(RegName)  $q ::= r \mid \varsigma \mid pc \mid npc \mid \kappa \mid \tau$

(Label)  $l \in \text{Word}$

(FrameList)  $F ::= \text{nil} \mid f :: F$

(State)  $S ::= (\Phi, Q, D)$

(Frame)  $f ::= [w_0, \dots, w_7]$

(MemPair)  $\Phi ::= (\text{Mu}, \text{Ms})$

(Memory)  $M \in \text{Address} \rightarrow \text{Word}$

(Address)  $a \in \text{Word}$

# Machine State in Coq

Definition RegFile := RegMap.t Word.

Definition Frame: Type := list Word.

Definition FrameList: Type := list Frame.

Definition DelayCycle := nat.

Definition DelayItem: Type := DelayCycle \* Symbol \* Word.

Definition DelayList: Type := list DelayItem.

Definition RState: Type := RegFile \* FrameList.

Definition Memory := WordMap.t (option Word).

Definition CodeHeap := WordMap.t (option SparcIns).

Definition CodePair: Type := CodeHeap \* CodeHeap.

Definition MemPair: Type := Memory \* Memory.

Definition State: Type := MemPair \* RState \* DelayList.

Definition World: Type := CodePair \* State.

# Operational Semantics

# Operational Semantics



# Operational Semantics

$$(M, R) \xrightarrow{i} (M', R')$$

Simple Instructions



# Operational Semantics

$$(M, R) \xrightarrow{i} (M', R')$$

similar to x86

Simple Instructions



# Operational Semantics

$$(M, R) \xrightarrow{i} (M', R')$$
  
$$(M, Q, D) \xrightarrow{i} (M', Q', D')$$

similar to x86

Simple Instructions

Window Registers  
and Delayed Write



# Operational Semantics

similar to x86

$$(M, R) \xrightarrow{i} (M', R')$$

Simple Instructions

$$(M, Q, D) \xrightarrow{i} (M', Q', D')$$

Window Registers  
and Delayed Write

$$C \vdash (M, Q, D) \xrightarrow{\bullet} (M', Q', D')$$

Executing Delay and  
Handling Annuling Flag

# Operational Semantics



# Operational Semantics

# Operational Semantics

$$\frac{\text{[[}\beta\text{]]}_R = w \quad \text{word\_aligned}(w) \quad \text{save\_pc}(r_d, R) = R'}{(M, R) \xrightarrow{\text{jmpl } \beta \text{ } r_d} (M, \text{djmp}(w, R'))}{\text{JMPL}}$$

save the value of pc to register  $r_d$



# Operational Semantics

$$\frac{\begin{array}{c} [[\beta]]_R = w \quad \text{word\_aligned}(w) \quad \text{save\_pc}(r_d, R) = R' \\ \hline \end{array}}{(M, R) \xrightarrow{\text{jmpl } \beta \ r_d} (M, \text{djmp}(w, R'))} \text{ JMPL}$$

save the value of pc to register  $r_d$   


$$\frac{\begin{array}{c} \text{dec\_win}(R, F) = (R', F') \quad [[a]]_R = a \\ R'' = R' \{r_d \rightarrow [[r_s]]_R + a\} \\ \hline \end{array}}{(M, (R, F), D) \xrightarrow{\text{save } r_s \ a \ r_d} (M', (\text{next}(R''), F'), D)} \text{ SAVE}$$

# Operational Semantics



# Operational Semantics

$$[[\beta]]_R = w \quad \text{word\_aligned}(w) \quad \text{save_pc}(r_d, R) = R'$$

save the value of pc to register  $r_d$

$$(M, R) \xrightarrow{\text{jmpl } \beta \text{ } r_d} (M, \text{djmp}(w, R'))$$

$$\text{dec\_win}(R, F) = (R', F') \quad [[a]]_R = a$$

$$R'' = R' \{ r_d \rightarrow [[r_s]]_R + a \}$$

$$(M, (R, F), D) \xrightarrow{\text{save } r_s \text{ a } r_d} (M', (\text{next}(R')), F'), D)$$

```
-----  
| ...  
| save %sp, -64, %sp  
| ...  
-----
```

# Operational Semantics

$$\frac{\begin{array}{c} [[\beta]]_R = w \quad \text{word\_aligned}(w) \quad \text{save\_pc}(r_d, R) = R' \\ \hline \end{array}}{(M, R) \xrightarrow{\text{jmpl } \beta \text{ } r_d} (M, \text{djmp}(w, R'))} \text{ JMPL}$$
$$\frac{\begin{array}{c} \text{dec\_win}(R, F) = (R', F') \quad [[a]]_R = a \\ R'' = R' \{r_d \rightarrow [[r_s]]_R + a\} \\ \hline \end{array}}{(M, (R, F), D) \xrightarrow{\text{save } r_s \text{ } a \text{ } r_d} (M', (\text{next}(R''), F'), D)} \text{ SAVE}$$

Others can be found in our  
paper or technical report.

```
|-----|
| ... |
| call sum3 |
| ... |
|-----|
```

  

```
|-----|
| ... |
| save %sp, -64, %sp |
| ... |
|-----|
```

# Operational Semantics in Coq

Inductive ArrowB:

Memory \* RState \* DelayList ->

SparIns ->

Memory \* RState \* DelayList ->

Prop :=

| MR:

forall i M R M' R' F D,

ArrowA (M,R) i (M',R') ->

ArrowB (M,(R,F),D) i (M',(R',F'),D)

| Save:

forall ri o rj i a M R R' R'' F F' D,

i = save ri o rj ->

dec\_win (R,F) = Some (R',F') ->

eval\_OpExp o R = Some a ->

R'' = R'#rj <- ((R#ri) +<sub>i</sub> a) ->

ArrowB (M,(R,F),D) i (M,(next R'',F'),D)

| Restore:

forall ri o rj i a M R R' R'' F F' D,

i = restore ri o rj ->

inc\_win (R,F) = Some (R',F') ->

eval\_OpExp o R = Some a ->

R'' = R'#rj <- ((R#ri) +<sub>i</sub> a) ->

ArrowB (M,(R,F),D) i (M,(next R'',F'),D)

| Rett:

forall addr i w M R R' F F' D,

i = rett addr ->

trap\_disabled\_R R ->

sup\_mode\_R R ->

eval\_AddrExp addr R = Some w ->

word\_aligned\_R w ->

rett\_f (R,F) = Some (R',F') ->

ArrowB (M,(R,F),D) i (M,(djmp w R',F'),D)

# Outline

## □ Modeling SPARCv8 ISA

- Syntax
- Operational Semantics
- Machine State

# Outline

## □ Modeling SPARCv8 ISA

- Syntax
- Operational Semantics
- Machine State

## □ Properties of the Model

- Determinacy Property
- Isolation Property

# Properties

# Properties

## Theorem 1 (Determinacy)

S

S

two executions  
start from the  
same initial states

# Properties

## Theorem 1 (Determinacy)



two executions  
start from the  
same initial states

both of them  
produce the same  
sequence of traps

# Properties

## Theorem 1 (Determinacy)



two executions  
start from the  
same initial states

both of them  
produce the same  
sequence of traps

they should arrive  
at the same  
final states.

# Properties

Theorem 1 (Determinacy)

$$\begin{array}{ccccccccc} S & \xrightarrow{e} & S_1' & \xrightarrow{\perp} & \dots & \xrightarrow{e'} & S_1'' & \xleftarrow{\perp} & S_1 \\ & & & & & & & & \\ S & \xrightarrow{e} & S_2' & \xrightarrow{\perp} & \dots & \xrightarrow{e'} & S_2'' & \xleftarrow{\perp} & S_2 \end{array}$$

||

If  $\Delta \vdash S \xrightarrow{E}^* S_1$ ,  $\Delta \vdash S \xrightarrow{E}^* S_2$ , then  $S_1 = S_2$ .

where  $\Delta \vdash S \xrightarrow{E}^* S'$  is defined as:

$\exists n, \Delta \vdash S \xrightarrow{E}^n S'$ .

# Properties

# Properties

Theorem 2 (In User Mode)

If  $\Delta \vdash S \xrightarrow{n} S'$ , then  $\text{usr\_mode}(S')$ .

where  $\Delta \vdash S \xrightarrow{n} S' \dots$

# Properties

## Theorem 2 (In User Mode)

If  $\Delta \vdash S \xrightarrow{n} S'$ , then  $\text{usr\_mode}(S')$ .

where  $\Delta \vdash S \xrightarrow{n} S' \dots$

the conditions we need  
to maintain to keep the  
system in the user mode

# Properties

shows the sufficiency  
of that definition

## Theorem 2 (In User Mode)

If  $\Delta \vdash S \xrightarrow{n} S'$ , then  $\text{usr\_mode}(S')$ .

where  $\Delta \vdash S \xrightarrow{n} S' \dots$

the conditions we need  
to maintain to keep the  
system in the user mode

# Properties

# Properties

Theorem 3 (Write Isolation)

If  $\Delta \vdash S \xrightarrow{n} S'$ , then  $\text{sup\_part\_eq}(S', S')$ .

# Properties

## Theorem 3 (Write Isolation)

If  $\Delta \vdash S \xrightarrow{n} S'$ , then  $\text{sup\_part\_eq}(S', S')$ .

The system does not modify  
the resource that belongs  
to the supervisor mode

# Properties

# Properties

## Theorem 4 (Read Isolation)

If  $\text{usr\_code\_eq}(\Delta_1, \Delta_2)$ ,  $\text{usr\_state\_eq}(S_1, S_2)$ ,

$\Delta_1 \vdash S_1 \xrightarrow{n} S_1'$ ,  $\Delta_2 \vdash S_2 \xrightarrow{n} S_2'$ , then

$\text{usr\_state\_eq}(S_1', S_2')$ .

# Properties

## Theorem 4 (Read Isolation)

If  $\text{usr\_code\_eq}(\Delta_1, \Delta_2)$ ,  $\text{usr\_state\_eq}(S_1, S_2)$ ,

$\Delta_1 \vdash S_1 \xrightarrow{n} S_1'$ ,  $\Delta_2 \vdash S_2 \xrightarrow{n} S_2'$ , then

$\text{usr\_state\_eq}(S_1', S_2')$ .



The system is only affected  
by part of the state

# Properties in Coq

Theorem Determinacy:

```
forall n E CP S S1 S2,  
ArrowT CP S E n S1 ->  
ArrowT CP S E n S2 ->  
S1 = S2.
```

Theorem InUserMode:

```
forall CP S n S',  
ArrowWR CP S n S' ->  
usr_mode_S S'.
```

Theorem Writelsolation:

```
forall CP S n S',  
ArrowWR CP S n S' ->  
sup_mem_eq S S'.
```

Theorem ReadIsolation:

```
forall n CP1 CP2 S1 S1' S2 S2',  
usr_code_eq CP1 CP2 ∧  
low_eq S1 S2 ->  
ArrowWR CP1 S1 n S1' ∧  
ArrowWR CP2 S2 n S2' ->  
low_eq S1' S2'.
```

# Outline

## □ Modeling SPARCv8 ISA

- Syntax
- Operational Semantics
- Machine State

## □ Properties of the Model

- Determinacy Property
- Isolation Property

# Outline

## □ Modeling SPARCv8 ISA

- Syntax
- Operational Semantics
- Machine State

## □ Properties of the Model

- Determinacy Property
- Isolation Property

## □ Verifying a Window Overflow Trap Handler

# Verifying a Window Overflow Trap Handler

# Verifying a Window Overflow Trap Handler

```
-----  
|window overflow:  
|  mov  %wim,  %l3  
|  mov  %g1,  %l7  
|  srl  %l3,  1,  %g1  
|  sll  %l3,  N-1, %l4  
|  or   %l4,  %g1, %g1  
|  save  
|  mov  %g1,  %wim  
|  nop  
|  nop  
|  nop  
|  st   %l0, [%sp+0]  
|  ...  
|  st   %i7, [%sp+60]  
|  restore  
|  mov  %l7,  %g1  
|  jmp  %l1  
|  rett %l2  
-----
```

# Verifying a Window Overflow Trap Handler

```
-----  
|window overflow:  
|  mov  %wim,  %l3  
|  mov  %g1,  %l7  
|  srl  %l3,  1,  %g1  
|  sll  %l3,  N-1, %l4  
|  or   %l4,  %g1, %g1  
|  save  
|  mov  %g1,  %wim  
|  nop  
|  nop  
|  nop  
|  st   %l0, [%sp+0]  
|  ...  
|  st   %i7, [%sp+60]  
|  restore  
|  mov  %l7,  %g1  
|  jmp  %l1  
|  rett %l2  
-----
```

- `overflow_pre_cond (W) ==`  
`next window is not available`  $\wedge \dots$
- `overflow_post_cond (W) ==`  
`next window is available`  $\wedge \dots$

# Verifying a Window Overflow Trap Handler

```
-----  
|window overflow:  
|  mov  %wim,  %l3  
|  mov  %g1,  %l7  
|  srl  %l3,  1,  %g1  
|  sll  %l3,  N-1, %l4  
|  or   %l4,  %g1, %g1  
|  save  
|  mov  %g1,  %wim  
|  nop  
|  nop  
|  nop  
|  st   %l0, [%sp+0]  
|  ...  
|  st   %i7, [%sp+60]  
|  restore  
|  mov  %l7,  %g1  
|  jmp  %l1  
|  rett %l2  
-----
```

- `overflow_pre_cond (W) ==`  
`next window is not available  $\wedge$  ...`
- `overflow_post_cond (W) ==`  
`next window is available  $\wedge$  ...`

# Verifying a Window Overflow Trap Handler

```
-----  
| window overflow:  
| mov %wim, %l3  
| mov %g1, %l7  
| srl %l3, 1, %g1  
| sll %l3, N-1, %l4  
| or %l4, %g1, %g1  
| save  
| mov %g1, %wim  
| nop  
| nop  
| nop  
| st %l0, [%sp+0]  
| ...  
| st %i7, [%sp+60]  
| restore  
| mov %l7, %g1  
| jmp %l1  
| rett %l2  
-----
```

- `overflow_pre_cond (W) ==`  
`next window is not available  $\wedge \dots$`
- `overflow_post_cond (W) ==`  
`next window is available  $\wedge \dots$`
- **Theorem 5 (Correctness of the Window Overflow Trap Handler)**  
  
If `overflow_pre_cond( $\Delta, S$ )`, then forall  $S'$  and  $E$ , if  $\Delta \vdash S \xrightarrow{30} S'$ , then `overflow_post_cond( $\Delta, S'$ )` and `no_trap_event(E)`.

# Verifying a Window Overflow Trap Handler

```
-----  
| window overflow:  
| mov %wim, %l3  
| mov %g1, %l7  
| srl %l3, 1, %g1  
| sll %l3, N-1, %l4  
| or %l4, %g1, %g1  
| save  
| mov %g1, %wim  
| nop  
| nop  
| nop  
| st %l0, [%sp+0]  
| ...  
| st %i7, [%sp+60]  
| restore  
| mov %l7, %g1  
| jmp %l1  
| rett %l2  
-----
```

- $\text{overflow\_pre\_cond}(W) ==$   
next window is not available  $\wedge \dots$
- $\text{overflow\_post\_cond}(W) ==$   
next window is available  $\wedge \dots$
- Theorem 5 (Correctness of the Window Overflow Trap Handler)  
  
If  $\text{overflow\_pre\_cond}(\Delta, S)$ , then forall  $S'$  and  $E$ , if  $\Delta \vdash S \xrightarrow{30} S'$ , then  $\text{overflow\_post\_cond}(\Delta, S')$  and  $\text{no\_trap\_event}(E)$ .

Details can be found in our paper or technical report.

# Summary

# Summary

SPARCv8 ISA

# Summary

SPARCv8 ISA



Determinacy &  
Isolation Properties

# Summary

SPARCv8 ISA

Determinacy &  
Isolation Properties

Verified a Window  
Overflow Trap Handler



# Summary



Thank you !