| | sail | sail-riscv |
|---|---|---|
| | 2 | 9 |
| Stars | 546 | 396 |
| Growth | 6.0% | 4.0% |
| Activity | 9.5 | 8.2 |
| | 4 days ago | 2 days ago |
| | Isabelle | Coq |
| | GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sail
-
How to improve the RISC-V specification
Sail is pretty similar to ASL (both current ASL and ASL 1.0) except that (1) it has a more expressive type system, so that bitvector lengths can all be statically checked, (2) it has proper tagged unions and pattern matching, and (3) there's a wide range of open-source tooling available, for execution, specification coverage, generating emulators, integrating with relaxed concurrency models, generating theorem-prover definitions, etc. We've recently updated the Sail README, which spells some of this out: https://github.com/rems-project/sail .
As Alastair Reid says, one of the main things missing in the current RISC-V specification documents is simply that the associated Sail definitions are not yet interspersed with the prose instruction descriptions. The infrastructure to do that has been available for some time, in the Sail AsciiDoc support by Alasdair Armstrong (https://github.com/Alasdair/asciidoctor-sail/blob/master/doc...) and older LaTeX versions by Prashanth Mundkur and Alasdair (https://github.com/rems-project/riscv-isa-manual/blob/sail/r...).
-
Candy – a minimalistic functional programming language
That's completely feasible and there are languages that do this. It doesn't really eliminate the need to run your program unless the inputs to your program are also completely restricted types like One, Two, Three. In which case yeah, you don't need to run it and the type system can just tell you the answer.
I believe you can do that sort of thing in loads of type systems, e.g. TypeScript, but there are languages that intentionally support it. I use a niche DSL that has fancy types like this called Sail. https://github.com/rems-project/sail
In my experience the downsides of these fancy "first class type systems" are
1. More incomprehensible error messages.
2. The type checker moves from a deterministic process that either succeeds or fails in an understandable way, to SMT solvers which can just say "yep it's ok" or "nope, couldn't prove it", semi-randomly, and there's little you can do about it.
Still my experience of Sail is that it's very comfortable to go a little bit further into SMT land, and my experience of Dafny is that it's very unpleasant to go full formal-verification at the moment.
I've done a fair bit of hardware formal verification too and that's a different story - very easy and very powerful. I'm hoping one day that software formal verification is like that.
sail-riscv
-
How to improve the RISC-V specification
I've been doing a lot of work with Sail (not SAIL btw) and I'm not sure I agree with the points about it.
There's already a way to extract functions into asciidoc as the author noted. I've used it. It works well.
The liquid types do take some getting used to but they aren't actually used in most of the code; mostly for utility function definitions like `zero_extend`. If you look at the definition for simple instructions they can be very readable and practically pseudocode:
https://github.com/riscv/sail-riscv/blob/0aae5bc7f57df4ebedd...
A lot of instructions are more complex of course, but that's what you get if you want to precisely define them.
Overall Sail is a really fantastic language and the liquid types really help avoid bugs.
The biggest actual problems are:
1. The RISC-V spec is chock full of undefined / implementation-defined behaviour. How do you capture that in code, where basically everything is defined? The biggest example is probably WARL fields, which can do basically anything. Another example is decomposing misaligned accesses. You can decompose them into any number of atomic memory operations and do them in any order. E.g. Spike decomposes them into single-byte accesses. (This problem isn't really unique to Sail tbf.)
2. The RISC-V Sail model doesn't do a good job of letting you configure it currently. E.g. you can't even set the spec version at the moment. This is just an engineering problem though. We're hoping to fix it one day using riscv-config which is a YAML file that's supposed to specify all the configurable behaviour about a RISC-V chip.
I definitely agree about the often wooly language in the spec though. It doesn't even use RFC-style MUST/SHOULD/MAY terms.
-
RISC-V Vector benchmark results
The official formal specification of the Vector Extension has just been merged into the Golden RISC-V model:
https://github.com/riscv/sail-riscv/commit/c90cf2e6eff5fa4ef...
-
Cascade: CPU Fuzzing via Intricate Program Generation
the retired instruction counters when written by software.
Funnily enough the Sail model had this bug too! https://github.com/riscv/sail-riscv/issues/256
-
Arm’s Cortex A510: Two Kids in a Trench Coat
> loose specification of the RISC-V ISA.
This is being worked on with the Sail model [1]. In order for a RISC-V extension to be ratified it ought to be implemented in Sail. The understanding is also that the RISC-V ISA manual should be built with code snippets from the Sail model (similar to how the Arm ARM is built from ASL definitions). The main issue is a lack of people willing and able to write Sail for RISC-V. But that is beginning to change, since RISC-V member companies are increasingly using Sail. As an example, the RISC-V exception type is defined in [2]. Is that precise enough for you?
[1] https://github.com/riscv/sail-riscv
[2] https://github.com/riscv/sail-riscv/blob/master/model/riscv_...
-
RISC-V CPU formal specification F# edition
>it allows to formally verify the correctness of a particular ISA
That must be hypothetical. Functionalness of the language doesn't make anything that is written in it automatically subject to formal verification (mechanized or pen and paper). What kind of correctness properties does it actually allow you to formally verify? I would understand if it were the F* language, which is a full-blown dependently typed proof checker, but with F#, which is defined by the implementation and a 300-page English spec, I don't think you can verify anything interesting. As far as I know F# itself doesn't have mechanized formal semantics and its type system could be unsound.
The https://github.com/mit-plv/riscv-coq and https://github.com/riscv/sail-riscv approaches (I don't know how complete they are) actually allow one to formally (mechanically) verify RISC-V properties.
- 64-bit Arm ∩ 64-bit RISC V
- C++17 RISC-V RV32/64/128 userspace emulator library
-
Starting up with RISC-V
I guess you will also use Spike and the Sail model for RISC-V.
-
Areas to contribute in RISC-V RTL verification
Doing something leveraging the SAIL model would be valuable, as that's the official formal model: https://github.com/rems-project/sail-riscv
What are some alternatives?
litmus-tests-riscv - RISC-V architecture concurrency model litmus tests
riscv-isa-sim - Spike, a RISC-V ISA Simulator
riscv-dv - Random instruction generator for RISC-V processor verification
riscv-coq - RISC-V Specification in Coq
libriscv - C++20 RISC-V RV32/64/128 userspace emulator library
force-riscv - Instruction Set Generator initially contributed by Futurewei
Forvis_RISCV-ISA-Spec - Formal specification of RISC-V Instruction Set
riscv-fs - F# RISC-V Instruction Set formal specification
sandsifter - The x86 processor fuzzer
riscv-config - RISC-V Configuration Validator
rtasm - Runtime Assembler for C++
riscv-isa-manual - RISC-V Instruction Set Manual