

# Reasoning about Translation Lookaside Buffers (TLBs)

LPAR-21

<u>Hira T. Syeda</u> and Gerwin Klein Trustworthy Systems @ Data61

May 2017

www.ts.data61.csiro.au





### What is a TLB





### What is a TLB





- TLB
  - dedicated cache for page table walks
  - architecture specific



## TLB Effects on Program Execution [ [ ] ATA | [ ]



- TLB being cache
  - has *no* functional effects
  - only makes execution faster, if maintained correctly
  - is an assumption in seL4 proofs



- TLB being cache
  - has *no* functional effects
  - only makes execution faster, *if* maintained correctly
  - is an assumption in seL4 proofs
- Programs must avoid accessing
  - incoherent entries
  - inconsistent entries



- TLB being cache
  - has no functional effects
  - only makes execution faster, *if* maintained correctly
  - is an assumption in seL4 proofs
- Programs must avoid accessing
  - incoherent entries
  - inconsistent entries
- Deserves support by the hardware model



- TLB being cache
  - has no functional effects
  - only makes execution faster, if maintained correctly
  - is an assumption in seL4 proofs
- Programs must avoid accessing
  - incoherent entries
  - inconsistent entries
- Deserves support by the hardware model
- Extend seL4 program logic for TLB reasoning
  - a formal TLB model for ARMv7 architecture



- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function



- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function
- Extension to MMU model
  - mmu\_translate, mmu\_read, mmu\_write
  - integration to ARMv7 formalised ISA



- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function
- Extension to MMU model
  - mmu\_translate, mmu\_read, mmu\_write
  - integration to ARMv7 formalised ISA
- Data refinement for
  - abstracting hardware details
  - easier reasoning







- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function
- Extension to MMU model
  - mmu\_translate, mmu\_read, mmu\_write
  - integration to ARMv7 formalised ISA
- Data refinement for
  - abstracting hardware details
  - easier reasoning

















































- TLB maintenance operations
  - flush entries after write to page table
  - lazy invalidation
    - Address Space IDentifier ASID



 $lookup :: tlb \Rightarrow asid \Rightarrow vaddr \Rightarrow lookup_type$ 



```
lookup :: tlb \Rightarrow asid \Rightarrow vaddr \Rightarrow lookup_type
```



```
	ext{lookup} :: 	ext{tlb} \Rightarrow 	ext{asid} \Rightarrow 	ext{vaddr} \Rightarrow 	ext{lookup\_type} 	ext{datatype lookup\_type} = 	ext{Miss | Incon | Hit tlb\_entry}
```



```
\label{eq:lookup} \begin{tabular}{ll} lookup :: & tlb &\Rightarrow asid &\Rightarrow vaddr &\Rightarrow lookup\_type \\ & & datatype & lookup\_type &= Miss &| Incon &| Hit tlb\_entry \\ \end{type\_synonym} \begin{tabular}{ll} tlb\_entry &= tlb\_entr
```



```
lookup :: tlb \Rightarrow asid \Rightarrow vaddr \Rightarrow lookup\_type datatype \ lookup\_type = Miss \mid Incon \mid Hit \ tlb\_entry type\_synonym \ tlb = tlb\_entry \ set
```

tlb\_entry
format

| ASID | virtual base | physical base | permission |
|------|--------------|---------------|------------|
|      | address      | address       | bits       |



```
lookup :: tlb \Rightarrow asid \Rightarrow vaddr \Rightarrow lookup\_type datatype \ lookup\_type = Miss \mid Incon \mid Hit \ tlb\_entry type\_synonym \ tlb = tlb\_entry \ set
```

| tlb_entry | ASID | virtual base | physical base | permission |
|-----------|------|--------------|---------------|------------|
| format    | ASID | address      | address       | bits       |



```
lookup :: tlb \Rightarrow asid \Rightarrow vaddr \Rightarrow lookup\_type datatype \ lookup\_type = Miss \mid Incon \mid Hit \ tlb\_entry type\_synonym \ tlb = tlb\_entry \ set
```

| tlb_entry | ASID | virtual base | physical base | permission |
|-----------|------|--------------|---------------|------------|
| format    | ASID | address      | address       | bits       |

#### flush operations

- selective invalidation
- asid\_invalidation
- va invalidation



- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function
- Extension to MMU model
  - mmu\_translate, mmu\_read, mmu\_write
  - integration to ARMv7 formalised ISA
- Data refinement for
  - abstracting hardware details
  - easier reasoning









- ARM Instruction Set Architecture (ISA) semantics
  - L3 specification language for ISAs
  - detailed but
    - no address translation



- ARM Instruction Set Architecture (ISA) semantics
  - L3 specification language for ISAs
  - detailed but
    - no address translation

- State extension - tlb



- ARM Instruction Set Architecture (ISA) semantics
  - L3 specification language for ISAs
  - detailed but
    - no address translation

- State extension tlb
- mmu\_translate function



- ARM Instruction Set Architecture (ISA) semantics
  - L3 specification language for ISAs
  - detailed but
    - no address translation

- State extension tlb
- mmu\_translate function
- Update mem\_write and mem\_read functions



- ARM Instruction Set Architecture (ISA) semantics
  - L3 specification language for ISAs
  - detailed but
    - no address translation

- State extension tlb
- mmu\_translate function
- Update mem\_write and mem\_read functions
- Virtualize the subsequent memory accesses

### MMU and Memory Functions



```
mmu translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                  TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                        Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                  TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                        Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                  TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                        Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                  TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                        Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                        Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s());
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                              MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                         Hit x
                                                                                                    PA
                                                                                                             рa
                                                                                                  Retrieval
                                                                        ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                                   TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                                XXXXXXX
       else do {
                                                                                  Eviction
                                                                                         Incon
                                                                                                  Exception
                                                                                                            exc
                                                                                                  Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                      Miss
              return (va_to_pa va entry)
                                                                                               Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                                   Page
                                                                                                   Table
                                                                                         entrv
       else return (va_to_pa va entry)
```



```
mmu_translate va = do {
  update_state (\lambdas. s(tlb := tlb s - tlb_evict s));
  (mem, asid, ttbr0, tlb) ← read_state (MEM, ASID, TTBR0, tlb);
                                                                          MMU
  case lookup tlb asid (addr_val va) of
  \mathtt{Miss} \Rightarrow
                                                                                     Hit x
                                                                                                PA
                                                                                                        рa
                                                                                              Retrieval
                                                                     ASID
    let entry = pt_walk asid mem ttbr0 va
                                                                               TLB
    in if is_fault entry then raise PAGE_FAULT
                                                                             XXXXXXX
       else do {
                                                                              Eviction
                                                                                     Incon
                                                                                                        exc
                                                                                             Exception
                                                                                             Generator
              update_state (\lambdas. s(|tlb := tlb \cup {entry}));
                                                                                  Miss
              return (va_to_pa va entry)
                                                                                           Memory
    Incon ⇒ raise IMPLEMENTATION_DEFINED
    Hit entry \Rightarrow
      if is_fault entry then raise PAGE_FAULT
                                                                                               Page
                                                                                               Table
                                                                                     entrv
      else return (va_to_pa va entry)
                                                     mmu_read (va, sz) = do {
 mmu_write (val, va, sz) = do {
                                                       pa ← mmu_translate va;
    pa ← mmu_translate va;
    mem_write (val, pa, sz)
                                                       mem_read (pa, sz)
```





- Concrete MMU introduces



- Concrete MMU introduces
  - unspecified entry replacement
    - can result in TLB miss and reloading



- Concrete MMU introduces
  - unspecified entry replacement
    - can result in TLB miss and reloading
  - state change during
    - memory read
    - memory write outside the page table



- Concrete MMU introduces
  - unspecified entry replacement
    - can result in TLB miss and reloading
  - state change during
    - memory read
    - memory write outside the page table
  - potential inconsistencies



- Concrete MMU introduces
  - unspecified entry replacement
    - can result in TLB miss and reloading
  - state change during
    - memory read
    - memory write outside the page table
  - potential inconsistencies
- Programs



- Concrete MMU introduces
  - unspecified entry replacement
    - can result in TLB miss and reloading
  - state change during
    - memory read
    - memory write outside the page table
  - potential inconsistencies
- Programs
  - must avoid inconsistencies



#### - Concrete MMU introduces

- unspecified entry replacement
  - can result in TLB miss and reloading
- state change during
  - memory read
  - memory write outside the page table
- potential inconsistencies

#### Programs

- must avoid inconsistencies
- should not require reasoning about eviction and state change

## **Contributions**



- Formal model of ARMv7-style TLB in Isabelle/HOL
  - lookup function
- Extension to MMU model
  - mmu\_translate, mmu\_read, mmu\_write
  - integration to ARMv7 formalised ISA
- Data refinement for
  - abstracting hardware details
  - easier reasoning





## MMU Abstraction



- Stepwise data refinement for
  - abstracting eviction
  - state invariance in case of
    - memory read
    - memory write outside of page tables
  - complete abstraction for TLB



### MMU Abstraction



- Stepwise data refinement for
  - abstracting eviction
  - state invariance in case of
    - memory read
    - memory write outside of page tables
  - complete abstraction for TLB





Any program that is safe with abstracted MMU will be safe with concrete MMU





- TLB with fewer entries is always more consistent than one with more entries

```
\label{eq:miss} \begin{array}{l} \text{Miss} < \text{Hit} < \text{Incon} \\ \text{t} \subseteq \text{t'} \Longrightarrow \text{lookup t a v} \leq \text{lookup t' a v} \end{array}
```



- TLB with fewer entries is always more consistent than one with more entries

```
\label{eq:miss} \begin{array}{l} \text{Miss} < \text{Hit} < \text{Incon} \\ \text{t} \subseteq \text{t'} \Longrightarrow \text{lookup t a v} \leq \text{lookup t' a v} \end{array}
```

- noevict\_mmu\_translate
  - identical to mmu\_translate except it doesn't evict entries



- TLB with fewer entries is always more consistent than one with more entries

```
Miss < Hit < Incon

t \subseteq t' \implies lookup t a v \le lookup t' a v
```

- noevict\_mmu\_translate
  - identical to mmu translate except it doesn't evict entries



invariant: consistent w.r.t va

## MMU Abstraction



- Stepwise data refinement for
  - abstracting eviction
  - state invariance in case of
    - memory read
    - memory write outside of page tables
  - complete abstraction for TLB





Any program that is safe with abstracted TLB will be safe with concrete TLB

## State Invariance



- fc mmu translate
  - fc stands for fully-cached
  - caching page table entirely in TLB (no TLB miss)

## State Invariance



- fc mmu translate
  - fc stands for fully-cached
  - caching page table entirely in TLB (no TLB miss)







- Memory read

```
fc_mmu_read va

fully_cached_pt s

TLB t = TLB s
```



- Memory read

- Memory write outside of the page table



- Memory read

```
fc_mmu_read va

fully_cached_pt s

TLB t = TLB s
```

- Memory write outside of the page table

- user-level programs
- seL4 static address mappings

## MMU Abstraction



- Stepwise data refinement for
  - abstracting eviction
  - state invariance in case of
    - memory read
    - memory write outside of page tables
  - complete abstraction for TLB

```
abs_mmu_translate

fc_mmu_translate

noevict_mmu_translate

mmu_translate
```



Any program that is safe with abstracted TLB will be safe with concrete TLB

## Completely Abstracted TLB



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

# Completely Abstracted TLB



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
   (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
   if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
   else let entry = pt_walk asid mem ttbr0 va
        in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
   (mem, asid, ttbr0, incon_set) 
    if (asid, addr_val va) 
        incon_set then raise IMPLEMENTATION_DEFINED
        else let entry = pt_walk asid mem ttbr0 va
            in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
    (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
    if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
    else let entry = pt_walk asid mem ttbr0 va
        in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
    (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
    if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
    else let entry = pt_walk asid mem ttbr0 va
        in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
   (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
   if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
   else let entry = pt_walk asid mem ttbr0 va
        in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
  (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
 if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
 else let entry = pt_walk asid mem ttbr0 va
     in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
                                     va abs_mmu_translate pa _,
                                                                    incon set s' ⊆
                  incon set s ⊆
                   incon set t
                                                                      incon set t'
                                     va fc mmu translate pa
                                   invariant: va ∉ incon set t
```



- No TLB lookup is required
  - extend state with (ASID  $\times$  32 bit) instead of tlb

```
mmu_translate_set va = do {
  (mem, asid, ttbr0, incon_set) ← read_state (MEM, ASID, TTBR0, incon_set);
 if (asid, addr_val va) ∈ incon_set then raise IMPLEMENTATION_DEFINED
 else let entry = pt_walk asid mem ttbr0 va
     in if is_fault entry then raise PAGE_FAULT else return (va_to_pa va entry)
}
                                      va abs mmu translate pa
                                                                      incon set s' ⊆
                  incon set s ⊆
                    incon set t
                                                                       incon set t'
                                      va fc mmu translate pa
```

invariant: va ∉ incon set t

No state change at all, apart from potentially raising exceptions

## Taken Together



- TLB should be transparent to programs if maintained correctly
- Refinement chain

- Cached page table walks in ARMv7-A



- Abstraction
  - hides low-level hardware TLB details
  - easy to reason about
  - reduction theorems

#### **Future Direction**





#### Thank You











- Hardware caching of partial page table walks
  - ARMv7-A





- Hardware caching of partial page table walks
  - ARMv7-A





- Hardware caching of partial page table walks
  - ARMv7-A
- State extension
  - TLB and PDC





- Hardware caching of partial page table walks
  - ARMv7-A
- State extension
  - TLB and PDC





- Hardware caching of partial page table walks
  - ARMv7-A
- State extension
  - TLB and PDC
- MMU functions
  - concrete, saturated





- Hardware caching of partial page table walks
  - ARMv7-A
- State extension
  - TLB and PDC
- MMU functions
  - concrete, saturated





- Hardware caching of partial page table walks
  - ARMv7-A
- State extension
  - TLB and PDC
- MMU functions
  - concrete, saturated



- Saturation
  - Cache hierarchy
  - Step-wise refinement to fully abstract PDC and TLB