{"id":18293739,"url":"https://github.com/kaist-cp/view-hw","last_synced_at":"2025-10-14T11:40:56.003Z","repository":{"id":98019815,"uuid":"216705291","full_name":"kaist-cp/view-hw","owner":"kaist-cp","description":"Mechanized Proof for Article: \"Revamping Hardware Persistency Models: View-Based and Axiomatic Persistency Models for Intel-x86 and Armv8\" (PLDI 2021)","archived":false,"fork":false,"pushed_at":"2021-04-14T08:06:58.000Z","size":1480,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T08:17:42.269Z","etag":null,"topics":["armv8","coq-formalization","persistency","pldi","proof","semantics","theorem","x86"],"latest_commit_sha":null,"homepage":"https://cp.kaist.ac.kr/pmem","language":"Coq","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kaist-cp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-22T02:21:09.000Z","updated_at":"2024-04-08T01:02:59.000Z","dependencies_parsed_at":"2023-05-11T01:45:16.799Z","dependency_job_id":null,"html_url":"https://github.com/kaist-cp/view-hw","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kaist-cp/view-hw","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kaist-cp%2Fview-hw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kaist-cp%2Fview-hw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kaist-cp%2Fview-hw/releases","manifests_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kaist-cp%2Fview-hw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kaist-cp","download_url":"https://codeload.github.com/kaist-cp/view-hw/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kaist-cp%2Fview-hw/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279019060,"owners_count":26086517,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["armv8","coq-formalization","persistency","pldi","proof","semantics","theorem","x86"],"created_at":"2024-11-05T14:25:57.346Z","updated_at":"2025-10-14T11:40:55.988Z","avatar_url":"https://github.com/kaist-cp.png","language":"Coq","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!---\nThis file was generated from `meta.yml`, please do not edit manually.\nFollow the instructions on https://github.com/coq-community/templates to regenerate.\n---\u003e\n\n# View-based semantics for hardware\n\n[![CI][docker-action-shield]][docker-action-link]\n\n[docker-action-shield]: https://github.com/kaist-cp/view-hw/workflows/Docker%20CI/badge.svg?branch=master\n[docker-action-link]: https://github.com/kaist-cp/view-hw/actions?query=workflow:\"Docker%20CI\"\n\n\nRelated publications:\n\n- 
Christopher Pulte, Jean Pichon-Pharabod, Jeehoon Kang, Sung-Hwan Lee, Chung-Kil Hur.  Promising-ARM/RISC-V: a simpler and faster operational concurrency model.  PLDI 2019.\n\n  This repository is a fork of [this paper's artifact](https://github.com/snu-sf/promising-arm).\n\n- Kyeongmin Cho, Sung-Hwan Lee, Azalea Raad, and Jeehoon Kang.  Revamping Hardware Persistency Models: View-Based and Axiomatic Persistency Models for Intel-x86 and Armv8.  PLDI 2021.\n\n\n## Installation\n\nWe assume you use **Ubuntu 20.04** and **Coq 8.13.1 or later**.\n\n\n### Requirements\n\n- [opam](https://opam.ocaml.org/)\n  ```\n  sudo apt install -y build-essential rsync opam\n  opam init\n  opam switch create 4.10.0  # or later. If your system OCaml version is \u003e= 4.10.0, you can use it.\n  eval $(opam env)\n  opam update\n  ```\n\n- [Coq 8.13.1](https://coq.inria.fr/)\n  ```\n  opam install coq.8.13.1\n  ```\n\n\n### Build\n\n- `make -j`: quickly build without checking the proofs.\n\n- `./build.sh`: build with checking all the proofs.  It will incrementally copy the development to the `.build` sub-directory, and then build there.\n\n- `./status.sh`: check if there is any `admit` in the proofs. (It will print a single result, which is a tactic in the library used for development and has nothing to do with the proofs.)\n\n- Interactive Theorem Proving: use [ProofGeneral](https://proofgeneral.github.io/) or\n  [CoqIDE](https://coq.inria.fr/download).  Note that `make` creates `_CoqProject`, which is then\n  used by ProofGeneral and CoqIDE. To use it:\n    + ProofGeneral: use a recent version.\n    + CoqIDE: configure it to use `_CoqProject`: `Edit` \u003e `Preferences` \u003e `Project`: change\n      `ignored` to `appended to arguments`.\n\n\n### Our results\n\nOur proofs are based on [prior work](https://github.com/snu-sf/promising-arm) for Armv8-view, originally named \"Promising-ARMv8\". 
The prior work contains:\n\n- the proof of the equivalence between Armv8-view and Armv8-axiom\n- some proofs about certification\n\nWe extend the existing proofs for Armv8 to persistency. In addition, we newly define Px86-view/Px86-axiom and prove the theorems about them stated in the paper.\n\n\n#### Model\n\n- `lib` (open source) and `src/lib` contain libraries not necessarily related to relaxed-memory concurrency and persistency.\n\n- `src/lib/Lang.v`: Definition of assembly-like language and its interpretation for both x86 and Armv8 (corresponding to Figure 13)\n\n- `src/promising/TsoPromising.v`: Definition of Px86-view and Px86-prom (corresponding to Figure 11 and 12)\n\n- `src/axiomatic/TsoAxiomatic.v`: Definition of Px86-axiom (corresponding to Figure 7)\n\n- `src/promising/Promising.v`: Definition of PArmv8-view without\n  certification (corresponding to Figure 14, 15 and 16)\n\n- `src/axiomatic/Axiomatic.v`: Definition of PArmv8-axiom (corresponding to Figure 9)\n\n- `src/lcertify`: Thread-local certification\n\n#### Results\n\n- Background definitions\n\n    + A **behavior** is either (1) a post-crash image of memory or (2) a non-crash terminal image of memory.\n      This is the simplest possible definition of behaviors for NVM; we may refine the concept by incorporating I/O or other kinds of externally visible interactions.\n      We believe it is straightforward to incorporate such interactions in the definition of behaviors as future work.\n    + The **behaviors** of a program are (1) the set of **post-crash memories** and (2) the set of **non-crash terminal memories** resulting from an execution of the program.\n    + A behavior is **allowed** in a program iff the behavior---either post-crash or non-crash terminal image---is in the corresponding set of memories of the program's behaviors.\n    + A model, say X, **refines** another model, say Y, iff the set of behaviors according to X is a subset of that according to Y.\n    + A model, say X, is 
**equivalent** to another model, say Y, iff the set of behaviors according to X coincides with that according to Y.\n\n- Theorem 5.3: Equivalence between Px86-view and Px86-axiom\n  + Theorem `axiomatic_to_promising` in `src/equiv/TsoAtoP.v`:\n    Px86-axiom refines Px86-prom.\n  + Theorem `promising_to_axiomatic` in `src/equiv/TsoPFtoA.v`:\n    Px86-prom refines Px86-axiom.\n    * `TsoPFtoA1.v`: construction of axiomatic execution from promising execution\n    * `TsoPFtoA2.v`, `TsoPFtoA3.v`: definitions and lemmas for main proof\n    * `TsoPFtoA4*.v`: proof for validity of constructed axiomatic execution\n    * `TsoPFtoA4SL.v`: simulation between promising and axiomatic execution\n    * `TsoPFtoA4OBR.v`, `TsoPFtoA4OBW.v`, `TsoPFtoA4FR.v`, `TsoPFtoA4FOB.v`, `TsoPFtoA4FP.v`: proof for \"external\" axiom\n\n  + Lemma 5.1: Equivalence between Px86-prom and Px86-view\n    * The paper says that after the x86-prom and x86-view have been proven to be equivalent (Theorem 5.2)\n      and then extended to persistency, the proof in Coq was done right away.\n    * Theorem `promising_to_view` in `src/equiv/TsoPFtoV.v`:\n      Px86-prom refines Px86-view.\n    * Theorem `view_to_promising` in `src/equiv/TsoVtoP.v`:\n      Px86-view refines Px86-prom.\n\n- Theorem 6.2: Equivalence between PArmv8-view and PArmv8-axiom\n  + Theorem `axiomatic_to_promising` in `src/equiv/AtoP.v`:\n    PArmv8-axiom refines PArmv8-view without certification.\n  + Theorem `promising_to_axiomatic` in `src/equiv/PFtoA.v`:\n    PArmv8-view without certification refines PArmv8-axiom.\n    * `PFtoA1.v`: construction of axiomatic execution from promising execution\n    * `PFtoA2.v`, `PFtoA3.v`: definitions and lemmas for main proof\n    * `PFtoA4*.v`: proof for validity of constructed axiomatic execution\n    * `PFtoA4SL.v`: simulation between promising and axiomatic execution\n    * `PFtoA4OBR.v`, `PFtoA4OBW.v`, `PFtoA4FR.v`, `PFtoA4FOB.v`, `PFtoA4FP.v`: proof for \"external\" axiom\n    * `PFtoA4Atomic.v`: 
proof for \"atomic\" axiom\n  + Theorem `certified_exec_equivalent` in `src/lcertify/CertifyComplete.v`:\n    PArmv8-view and PArmv8-view without certification are equivalent.\n\n### Results of prior work\n\nTheorems included in the code but not directly related to our work are:\n- Theorem `certified_deadlock_free` in `src/lcertify/CertifyProgressRiscV.v`:\n    Promising-RISC-V is deadlock-free.\n- Theorem `certified_promise_correct` in `src/lcertify/FindCertify.v`:\n    `find_and_certify` is correct.\n    + Theorem `certified_promise_sound` in `src/lcertify/FindCertify.v`:\n        Assume the thread configuration `\u003cT, M\u003e` is certified, and promising\n        `p` leads to `\u003cT', M'\u003e`. Then `\u003cT', M'\u003e` is certified if `p` is in\n        `find_and_certify \u003cT, M\u003e`.\n    + Theorem `certified_promise_complete` in `src/lcertify/FindCertify.v`:\n        Assume the thread configuration `\u003cT, M\u003e` is certified, and promising\n        `p` leads to `\u003cT', M'\u003e`. Then `p` is in `find_and_certify \u003cT, M\u003e` if\n        `\u003cT', M'\u003e` is certified.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkaist-cp%2Fview-hw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkaist-cp%2Fview-hw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkaist-cp%2Fview-hw/lists"}