Proofs for translating memory instructions between different CPU architectures, written in Agda.
- Install Agda (v.2.6.2) with its standard library
- Make sure Agda can find the standard library (see the
~/.agda/librariesand~/.agda/defaultsfiles in the installation instructions)
⚠️ The proofs were developed with standard library version 1.7.1. Other versions may be incompatible.
There are multiple ways of type-checking the proofs; Two are listed below.
The easiest way of checking the proofs is through a terminal.
- Run
agda src/Main.agda --safe.
Once a proof type-checks, it's correct. Also check the "Code Navigation" section below to understand what it is proving.
Another way of checking the proofs is with the agda-mode in Emacs.
- Install Emacs
- Install
agda-modeas described in Agda's install instructions (above). - Load an
.agdafile in Emacs, and pressC-c C-lto type-check the file.
If a proof type-checks, it's correct. Also check the "Code Navigation" section below to understand what it is proving.
The proofs consists of several parts (in src/):
Main.agda- Links to all proofsArch/- Memory model specifications for architecturesMap*to*.agda- The specification of mapping executions between architecturesTransform*.agda- The specificaton of elimination and reordering transformations on LIMMProof/- Contains all the proofs (also referenced byMain.agda)Framework.agda- A general framework for memory model proofsMapping/- The mapping proofs between architecturesFramework.agda- A framework for architecture-mapping proofs. Extends the general frameworkX86toLIMM.agdaLIMMtoArmv8.agdaArmv8toLIMM.agdaLIMMtoX86.agda
Elimination/- The elimination proofsFramework.agda- A framework for elimination proofs. Extends the general frameworkRAR.agda/RAW.agda/WAW.agda- Proofs for elimination without fencesFRAR.agda/FRAW.agda/FWAW.agda- Proofs for eliminations with fences
Reorder/- Reordering proofs (also see the table insrc/TransformReorder.agda)Single.agda- Provesa ; b -> b ; a(for somea,b)Reorder12.agda- Provesa ; (b ; c) -> (b ; c) ; a(for somea,b,c)Reorder21.agda- Proves(a ; b) ; c -> c ; (a ; b)(for somea,b,c)
Note that some transformations follow from others. Examples of these are eliminations over some fences:
- FRAR (over
F_WW)a = X ; F_WW ; b = X--reorder-->a = X ; b = X; F_WW--RAR-->a = X ; b = a ; F_WW
- FWAW (over
F_RM)X = a ; F_RM ; X = b--reorder-->F_RM ; X = a ; X = b--WAW-->F_RM ; X = b
- FRAW (over
F_WWandF_RM)X = a ; F_WW ; b = X--reorder-->X = a ; b = X; F_WW--RAW-->X = a ; b = a ; F_WWX = a ; F_RM ; b = X--reorder-->F_RM ; X = a ; b = X--RAW-->F_RM ; X = a ; b = a
All proofs follow a similar structure, whose intuition I will give here.
When mapping instructions from a source program S to target program T, program T must show no new behavior w.r.t. program S. That is, every behavior of T must be also be observable on S. Given an execution X_T of T (which is wellformed and consistent in the target architecture), we produce a corresponding execution X_S of S. We then show:
- X_S relates to X_T, by the mapping from S to T
- The behaviors of X_S and X_T are equal
- X_S is wellformed
- X_S is consistent in the source architecture
On terminology, intuitively:
- Behavior: The memory state upon termination
- Wellformed: Everything "makes sense". E.g., every read event reads-from a single write, all orders are transitive, etc. (See
WellformedinArch/General/Execution.agdafor details) - Consistent: Satisfies architecture-specific consistency axioms. These enforce the ordering of events in an execution; For instance, the effects of fences on ordering. (E.g., see
IsLIMMConsistentinArch/LIMM.agda)
- [1] Christopher Pulte, Shaked Flur, Will Deacon, Jon French, Susmit Sarkar, and Peter Sewell. 2017. Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8.
- [2] Jade Alglave, Luc Maranget, and Michael Tautschnig. 2014. Herding Cats: Modelling, Simulation, Testing, and Data Mining for Weak Memory.