# Angr Riscv

Interop between cbmc and angr?
frama-C?


In [None]:
import angr
import claripy

# Load the binary
project = angr.Project('your_binary', auto_load_libs=False)

# Create an initial state with symbolic registers and memory
state = project.factory.blank_state()

# Symbolize registers if needed
eax = state.solver.BVS('eax', 32)
ebx = state.solver.BVS('ebx', 32)
state.regs.eax = eax
state.regs.ebx = ebx

# Symbolically execute the block of instructions
block = project.factory.block(state.addr)
irsb = block.vex
state = project.factory.entry_state(addr=state.addr)
simgr = project.factory.simgr(state)
simgr.step()

# Extract the final state and its constraints
final_state = simgr.active[0]
constraints = final_state.solver.constraints

# Print out the constraints (Z3 format)
for constraint in constraints:
    print(constraint)


# emulator

https://fmash16.github.io/content/posts/riscv-emulator-in-c.html
https://book.rvemu.app/index.html

https://github.com/cvut/qtrvsim
https://comparch.edu.cvut.cz/
https://www.iaik.tugraz.at/course/computer-organization-and-networks-inb06000uf-wintersemester-2023-24/
https://www.eit.lth.se/sprapport.php?uid=1361 customization of ibex
https://extgit.iaik.tugraz.at/con/examples-2021/-/blob/main/con06/riscv32-ibex-newlib-nano.cmake

eventually add bus for mmio



In [7]:
fibs = """
        .data
fibs:   .space 56

        .text
main:
        addi    s1, zero, 0     ; storage index
        addi    s2, zero, 56    ; last storage index
        addi    t0, zero, 1     ; t0 = F_{i}
        addi    t1, zero, 1     ; t1 = F_{i+1}
        ebreak                  ; launch debugger
loop:
        sw      t0, fibs(s1)    ; save
        add     t2, t1, t0      ; t2 = F_{i+2}
        addi    t0, t1, 0       ; t0 = t1
        addi    t1, t2, 0       ; t1 = t2
        addi    s1, s1, 4       ; increment storage pointer
        blt     s1, s2, loop    ; loop as long as we did not reach array length
        ebreak                  ; launch debugger
        ; exit gracefully
        addi    a0, zero, 0
        addi    a7, zero, 93
        scall                   ; exit with code 0
"""

hello_world = """
; hello-world.asm
; print "hello world" to stdout and exit
        .data
msg:    .ascii "Hello world\n"
        .text
        addi    a0, zero, 1             ; print to stdout
        addi    a1, zero, msg           ; load msg address
        addi    a2, zero, 12            ; write 12 bytes
        addi    a7, zero, SCALL_WRITE   ; write syscall code
        scall
        addi    a0, zero, 0             ; set exit code to 0
        addi    a7, zero, SCALL_EXIT    ; exit syscall code
        scall
"""

__
#from .core import CPU, ProgramLoader, Program, UserModeCPU
#from .instructions import InstructionSet, InstructionSetDict
#from .config import RunConfig
#from .helpers import FMT_GRAY, FMT_NONE
from riscemu.parser import AssemblyFileLoader
#from .instructions.float_base import FloatArithBase
#UserModeCpu
import io
f = io.StringIO(hello_world)
AssemblyFileLoader(f).load()

TypeError: ProgramLoader.__init__() missing 2 required positional arguments: 'source' and 'options'

https://github.com/AntonLydike/riscemu

run unicorn?


# Calude emu
Nikhil haskell https://claude.ai/chat/798b4a64-db90-4ca7-a2c2-fdbe866233a4



In [1]:
from typing import Dict, Tuple, List, Callable
from dataclasses import dataclass

@dataclass
class State:
    pc: int
    regs: Dict[int, int]
    mem: Dict[int, int]

def execute(state: State, instr: int) -> State:
    opcode = instr & 0x7F
    rd = (instr >> 7) & 0x1F
    rs1 = (instr >> 15) & 0x1F
    rs2 = (instr >> 20) & 0x1F
    funct3 = (instr >> 12) & 0x7
    funct7 = (instr >> 25) & 0x7F
    imm_i = (instr >> 20) & 0xFFF
    imm_s = ((instr >> 25) & 0x7F) << 5 | ((instr >> 7) & 0x1F)
    imm_b = ((instr >> 31) & 0x1) << 12 | ((instr >> 7) & 0x1) << 11 | ((instr >> 25) & 0x3F) << 5 | ((instr >> 8) & 0xF) << 1
    imm_u = instr & 0xFFFFF000
    imm_j = ((instr >> 31) & 0x1) << 20 | ((instr >> 12) & 0xFF) << 12 | ((instr >> 20) & 0x1) << 11 | ((instr >> 21) & 0x3FF) << 1

    def sign_extend(x: int, bits: int) -> int:
        if x & (1 << (bits - 1)):
            return x | (-1 << bits)
        return x

    def update_reg(reg: int, val: int) -> Dict[int, int]:
        return {**state.regs, reg: val & 0xFFFFFFFF}

    def update_mem(addr: int, val: int) -> Dict[int, int]:
        return {**state.mem, addr: val & 0xFF}

    def load(addr: int) -> int:
        return state.mem.get(addr, 0)

    if opcode == 0x33:  # R-type
        if funct3 == 0x0 and funct7 == 0x00:  # ADD
            return State(state.pc + 4, update_reg(rd, state.regs[rs1] + state.regs[rs2]), state.mem)
        elif funct3 == 0x0 and funct7 == 0x20:  # SUB
            return State(state.pc + 4, update_reg(rd, state.regs[rs1] - state.regs[rs2]), state.mem)
        # Add more R-type instructions as needed

    elif opcode == 0x13:  # I-type
        if funct3 == 0x0:  # ADDI
            return State(state.pc + 4, update_reg(rd, state.regs[rs1] + sign_extend(imm_i, 12)), state.mem)
        # Add more I-type instructions as needed

    elif opcode == 0x23:  # S-type
        if funct3 == 0x0:  # SB
            addr = state.regs[rs1] + sign_extend(imm_s, 12)
            return State(state.pc + 4, state.regs, update_mem(addr, state.regs[rs2]))
        # Add more S-type instructions as needed

    elif opcode == 0x63:  # B-type
        if funct3 == 0x0:  # BEQ
            if state.regs[rs1] == state.regs[rs2]:
                return State(state.pc + sign_extend(imm_b, 13), state.regs, state.mem)
            else:
                return State(state.pc + 4, state.regs, state.mem)
        # Add more B-type instructions as needed

    elif opcode == 0x37:  # U-type (LUI)
        return State(state.pc + 4, update_reg(rd, imm_u), state.mem)

    elif opcode == 0x6F:  # J-type (JAL)
        return State(state.pc + sign_extend(imm_j, 21), update_reg(rd, state.pc + 4), state.mem)

    # Default case: return unchanged state
    return state

def run(program: List[int], initial_state: State) -> State:
    def step(state: State) -> State:
        if state.pc >= len(program) * 4:
            return state
        instr = program[state.pc // 4]
        return execute(state, instr)

    def run_helper(state: State) -> State:
        new_state = step(state)
        if new_state == state:
            return state
        return run_helper(new_state)

    return run_helper(initial_state)

# Example usage
initial_state = State(0, {i: 0 for i in range(32)}, {})
program = [
    0x00500093,  # addi x1, x0, 5
    0x00300113,  # addi x2, x0, 3
    0x002081B3,  # add x3, x1, x2
]

final_state = run(program, initial_state)
print(f"Final state: PC = {final_state.pc}, Registers = {final_state.regs}")

Final state: PC = 12, Registers = {0: 0, 1: 5, 2: 3, 3: 8, 4: 0, 5: 0, 6: 0, 7: 0, 8: 0, 9: 0, 10: 0, 11: 0, 12: 0, 13: 0, 14: 0, 15: 0, 16: 0, 17: 0, 18: 0, 19: 0, 20: 0, 21: 0, 22: 0, 23: 0, 24: 0, 25: 0, 26: 0, 27: 0, 28: 0, 29: 0, 30: 0, 31: 0}


In [2]:
from typing import Dict, List
from dataclasses import dataclass
from enum import Enum, auto

class Opcode(Enum):
    R_TYPE = 0x33
    I_TYPE = 0x13
    S_TYPE = 0x23
    B_TYPE = 0x63
    U_TYPE_LUI = 0x37
    J_TYPE_JAL = 0x6F

class Funct3(Enum):
    ADD_SUB = 0x0
    SLL = 0x1
    SLT = 0x2
    SLTU = 0x3
    XOR = 0x4
    SRL_SRA = 0x5
    OR = 0x6
    AND = 0x7

class Funct7(Enum):
    ADD = 0x00
    SUB = 0x20

@dataclass
class State:
    pc: int
    regs: Dict[int, int]
    mem: Dict[int, int]

@dataclass
class Instruction:
    raw: int
    opcode: Opcode
    rd: int
    rs1: int
    rs2: int
    funct3: Funct3
    funct7: int
    imm_i: int
    imm_s: int
    imm_b: int
    imm_u: int
    imm_j: int

def decode(instr: int) -> Instruction:
    opcode = Opcode(instr & 0x7F)
    rd = (instr >> 7) & 0x1F
    rs1 = (instr >> 15) & 0x1F
    rs2 = (instr >> 20) & 0x1F
    funct3 = Funct3((instr >> 12) & 0x7)
    funct7 = (instr >> 25) & 0x7F
    imm_i = (instr >> 20) & 0xFFF
    imm_s = ((instr >> 25) & 0x7F) << 5 | ((instr >> 7) & 0x1F)
    imm_b = ((instr >> 31) & 0x1) << 12 | ((instr >> 7) & 0x1) << 11 | ((instr >> 25) & 0x3F) << 5 | ((instr >> 8) & 0xF) << 1
    imm_u = instr & 0xFFFFF000
    imm_j = ((instr >> 31) & 0x1) << 20 | ((instr >> 12) & 0xFF) << 12 | ((instr >> 20) & 0x1) << 11 | ((instr >> 21) & 0x3FF) << 1

    return Instruction(instr, opcode, rd, rs1, rs2, funct3, funct7, imm_i, imm_s, imm_b, imm_u, imm_j)

def sign_extend(x: int, bits: int) -> int:
    if x & (1 << (bits - 1)):
        return x | (-1 << bits)
    return x

def update_reg(regs: Dict[int, int], reg: int, val: int) -> Dict[int, int]:
    return {**regs, reg: val & 0xFFFFFFFF}

def update_mem(mem: Dict[int, int], addr: int, val: int) -> Dict[int, int]:
    return {**mem, addr: val & 0xFF}

def execute(state: State, instr: Instruction) -> State:
    if instr.opcode == Opcode.R_TYPE:
        if instr.funct3 == Funct3.ADD_SUB:
            if instr.funct7 == Funct7.ADD.value:
                new_val = state.regs[instr.rs1] + state.regs[instr.rs2]
            elif instr.funct7 == Funct7.SUB.value:
                new_val = state.regs[instr.rs1] - state.regs[instr.rs2]
            else:
                return state  # Unsupported funct7
            return State(state.pc + 4, update_reg(state.regs, instr.rd, new_val), state.mem)

    elif instr.opcode == Opcode.I_TYPE:
        if instr.funct3 == Funct3.ADD_SUB:  # ADDI
            new_val = state.regs[instr.rs1] + sign_extend(instr.imm_i, 12)
            return State(state.pc + 4, update_reg(state.regs, instr.rd, new_val), state.mem)

    elif instr.opcode == Opcode.S_TYPE:
        if instr.funct3 == Funct3.ADD_SUB:  # SB
            addr = state.regs[instr.rs1] + sign_extend(instr.imm_s, 12)
            return State(state.pc + 4, state.regs, update_mem(state.mem, addr, state.regs[instr.rs2]))

    elif instr.opcode == Opcode.B_TYPE:
        if instr.funct3 == Funct3.ADD_SUB:  # BEQ
            if state.regs[instr.rs1] == state.regs[instr.rs2]:
                return State(state.pc + sign_extend(instr.imm_b, 13), state.regs, state.mem)
            else:
                return State(state.pc + 4, state.regs, state.mem)

    elif instr.opcode == Opcode.U_TYPE_LUI:
        return State(state.pc + 4, update_reg(state.regs, instr.rd, instr.imm_u), state.mem)

    elif instr.opcode == Opcode.J_TYPE_JAL:
        return State(state.pc + sign_extend(instr.imm_j, 21), update_reg(state.regs, instr.rd, state.pc + 4), state.mem)

    # Default case: return unchanged state
    return state

def run(program: List[int], initial_state: State) -> State:
    def step(state: State) -> State:
        if state.pc >= len(program) * 4:
            return state
        instr = decode(program[state.pc // 4])
        return execute(state, instr)

    def run_helper(state: State) -> State:
        new_state = step(state)
        if new_state == state:
            return state
        return run_helper(new_state)

    return run_helper(initial_state)

# Example usage
initial_state = State(0, {i: 0 for i in range(32)}, {})
program = [
    0x00500093,  # addi x1, x0, 5
    0x00300113,  # addi x2, x0, 3
    0x002081B3,  # add x3, x1, x2
]

final_state = run(program, initial_state)
print(f"Final state: PC = {final_state.pc}, Registers = {final_state.regs}")

Final state: PC = 12, Registers = {0: 0, 1: 5, 2: 3, 3: 8, 4: 0, 5: 0, 6: 0, 7: 0, 8: 0, 9: 0, 10: 0, 11: 0, 12: 0, 13: 0, 14: 0, 15: 0, 16: 0, 17: 0, 18: 0, 19: 0, 20: 0, 21: 0, 22: 0, 23: 0, 24: 0, 25: 0, 26: 0, 27: 0, 28: 0, 29: 0, 30: 0, 31: 0}


In [3]:
from z3 import *
from enum import Enum, auto
from typing import List

class Opcode(Enum):
    R_TYPE = 0x33
    I_TYPE = 0x13
    S_TYPE = 0x23
    B_TYPE = 0x63
    U_TYPE_LUI = 0x37
    J_TYPE_JAL = 0x6F

class Funct3(Enum):
    ADD_SUB = 0x0
    SLL = 0x1
    SLT = 0x2
    SLTU = 0x3
    XOR = 0x4
    SRL_SRA = 0x5
    OR = 0x6
    AND = 0x7

class Funct7(Enum):
    ADD = 0x00
    SUB = 0x20

# Create Z3 sorts
BitVec32 = BitVecSort(32)
Memory = ArraySort(BitVec32, BitVecSort(8))

# Create Z3 datatype for State
State = Datatype('State')
State.declare('state', ('pc', BitVec32), ('regs', ArraySort(BitVec32, BitVec32)), ('mem', Memory))
State = State.create()

def decode(instr: BitVecRef) -> Tuple[int, int, int, int, int, int, BitVecRef, BitVecRef, BitVecRef, BitVecRef, BitVecRef]:
    opcode = Extract(6, 0, instr)
    rd = Extract(11, 7, instr)
    rs1 = Extract(19, 15, instr)
    rs2 = Extract(24, 20, instr)
    funct3 = Extract(14, 12, instr)
    funct7 = Extract(31, 25, instr)
    imm_i = SignExt(20, Extract(31, 20, instr))
    imm_s = SignExt(20, Concat(Extract(31, 25, instr), Extract(11, 7, instr)))
    imm_b = SignExt(19, Concat(Extract(31, 31, instr), Extract(7, 7, instr), Extract(30, 25, instr), Extract(11, 8, instr), BitVecVal(0, 1)))
    imm_u = Concat(Extract(31, 12, instr), BitVecVal(0, 12))
    imm_j = SignExt(11, Concat(Extract(31, 31, instr), Extract(19, 12, instr), Extract(20, 20, instr), Extract(30, 21, instr), BitVecVal(0, 1)))
    
    return opcode, rd, rs1, rs2, funct3, funct7, imm_i, imm_s, imm_b, imm_u, imm_j

def execute(state: State.constructor, instr: BitVecRef) -> State.constructor:
    opcode, rd, rs1, rs2, funct3, funct7, imm_i, imm_s, imm_b, imm_u, imm_j = decode(instr)
    
    new_state = state
    
    # R-TYPE
    r_type_cond = opcode == Opcode.R_TYPE.value
    add_cond = And(r_type_cond, funct3 == Funct3.ADD_SUB.value, funct7 == Funct7.ADD.value)
    sub_cond = And(r_type_cond, funct3 == Funct3.ADD_SUB.value, funct7 == Funct7.SUB.value)
    
    # I-TYPE
    i_type_cond = opcode == Opcode.I_TYPE.value
    addi_cond = And(i_type_cond, funct3 == Funct3.ADD_SUB.value)
    
    # S-TYPE
    s_type_cond = opcode == Opcode.S_TYPE.value
    sb_cond = And(s_type_cond, funct3 == Funct3.ADD_SUB.value)
    
    # B-TYPE
    b_type_cond = opcode == Opcode.B_TYPE.value
    beq_cond = And(b_type_cond, funct3 == Funct3.ADD_SUB.value)
    
    # U-TYPE
    lui_cond = opcode == Opcode.U_TYPE_LUI.value
    
    # J-TYPE
    jal_cond = opcode == Opcode.J_TYPE_JAL.value
    
    # Update PC
    new_pc = If(Or(add_cond, sub_cond, addi_cond, sb_cond, lui_cond),
                state.pc + 4,
                If(beq_cond,
                   If(state.regs[rs1] == state.regs[rs2],
                      state.pc + imm_b,
                      state.pc + 4),
                   If(jal_cond,
                      state.pc + imm_j,
                      state.pc)))
    
    # Update registers
    new_regs = Store(state.regs, rd,
                     If(add_cond, state.regs[rs1] + state.regs[rs2],
                     If(sub_cond, state.regs[rs1] - state.regs[rs2],
                     If(addi_cond, state.regs[rs1] + imm_i,
                     If(lui_cond, imm_u,
                     If(jal_cond, state.pc + 4,
                        state.regs[rd]))))))
    
    # Update memory
    new_mem = If(sb_cond,
                 Store(state.mem, state.regs[rs1] + imm_s, Extract(7, 0, state.regs[rs2])),
                 state.mem)
    
    return State.state(new_pc, new_regs, new_mem)

def run_symbolic(program: List[int], num_steps: int) -> State.constructor:
    s = Solver()
    
    # Initialize state
    initial_state = State.state(BitVec('initial_pc', 32),
                                Array('initial_regs', BitVecSort(32), BitVecSort(32)),
                                Array('initial_mem', BitVecSort(32), BitVecSort(8)))
    
    current_state = initial_state
    
    for i in range(num_steps):
        if i < len(program):
            instr = BitVecVal(program[i], 32)
        else:
            instr = BitVec(f'instr_{i}', 32)
        
        current_state = execute(current_state, instr)
    
    return current_state

# Example usage
program = [
    0x00500093,  # addi x1, x0, 5
    0x00300113,  # addi x2, x0, 3
    0x002081B3,  # add x3, x1, x2
]

final_state = run_symbolic(program, 3)

s = Solver()
s.add(final_state.pc == 12)  # PC should be 12 (3 instructions * 4 bytes)
s.add(final_state.regs[1] == 5)  # x1 should be 5
s.add(final_state.regs[2] == 3)  # x2 should be 3
s.add(final_state.regs[3] == 8)  # x3 should be 8 (5 + 3)

print(s.check())
if s.check() == sat:
    m = s.model()
    print(f"Final PC: {m.evaluate(final_state.pc)}")
    print(f"x1: {m.evaluate(final_state.regs[1])}")
    print(f"x2: {m.evaluate(final_state.regs[2])}")
    print(f"x3: {m.evaluate(final_state.regs[3])}")
else:
    print("No solution found")

AttributeError: 'DatatypeRef' object has no attribute 'pc'

# Knuckle riscv

In [6]:
import knuckledragger as kd
from z3 import *

RVInsn = Datatype("RVInsn")
RVInsn.declare("ADD", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn = RVInsn.create()

RVState = Datatype("RVState")
RVState.declare("mk", ("reg", ArraySort(BitVecSort(5), BitVecSort(32))), ("pc", BitVecSort(32)), ("mem", ArraySort(BitVecSort(32), BitVecSort(8))))
RVState = RVState.create()

insn = Const("insn", RVInsn)
st = Const("st", RVState)
addr = Const("addr", BitVecSort(32))

load32 = kd.define("load32", [st, addr], 
  Concat(Select(st.mem, addr + i) for i in range(4))
)
reg = Const("reg", )

regwrite = kd.define("regwrite", [st, reg, addr],
                       If(reg == 0, st, # r0 is not a real register.
                       
                       )
  Store(st.reg, insn.rd, load32(st, st.reg[insn.rs1]) + load32(st, st.reg[insn.rs2]))
)

exec_insn = kd.define("exec_insn", [insn,st],
  If(insn.is_ADD, 
                RVState.mk(
                Store(st.reg, insn.rd, st.reg[insn.rs1] + st.reg[insn.rs2]),
                st.pc + 1,
                st.mem
                ),
)

state0 = RVState.mk(K(0, BitVecSort(32)), K(0, BitVecSort(32)), K(0, BitVecSort(8)))

#st := If(insn.is_ADD, )






SyntaxError: '(' was never closed (488137330.py, line 21)

In [None]:
RVInsn = Datatype("RVInsn")
RVInsn.declare("ADD", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("SUB", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("AND", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("OR", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("XOR", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("SLL", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("SRL", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("SRA", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)))
RVInsn.declare("ADDI", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("imm", BitVecSort(12)))
RVInsn.declare("LW", ("rd", BitVecSort(5)), ("rs1", BitVecSort(5)), ("imm", BitVecSort(12)))
RVInsn.declare("SW", ("rs1", BitVecSort(5)), ("rs2", BitVecSort(5)), ("imm", BitVecSort(12)))
RVInsn = RVInsn.create()

# Pcode knuckle

In [None]:
# https://spinsel.dev/assets/2020-06-17-ghidra-brainfuck-processor-1/ghidra_docs/language_spec/html/pcoderef.html
# pcode2c
# angre code?

PcodeOp = EnumSort("PCodeOp", ["COPY", "LOAD", "STORE", "BRANCH", "INT_ADD" ...])

BinOp = EnumSort("PCodeBinOp", ["INT_EQUAL", ])
# I am very tempted to make size statically determined.
VarNode = kd.Record("VarNode", ("space", IntSort()), ("offset", IntSort()), ("size", IntSort()))


Insn = Datatype("Insn")
Insn.declare("binop", ("op", binop), ("out", Varnode), ("v1", VarNode), ("v2", VarNode))
Insn.declare("unop", ...)

Insns.create()

State = ArraySort(IntSort(), IntSort(), BitVecSort(8))

op = Const("op", PCodeOp)
exec_binop = kd.define(If(op == PCodeOp.COPY, 
   








In [None]:
fetch = load32(state0, state0.pc)
state = 

In [None]:
step = kd.define(
fetch = None;
decode = None;
pc += 4;
exec_insn(st)

In [8]:
print(x := 1 + 2; x + 3)

SyntaxError: invalid syntax (431848137.py, line 1)

In [None]:
 1. a basic riscv python ionterpreter

Op = Enum("ADDI SLTI ANDI ORI XORI")

class Insn(op, a, b):



def biop(insn, a, b):
    match opcode:
        case Op.ADD:
            return a + b
        case Op.ANDI:
            return a & b
        case Op.ORI:
            return a | b

def step(pc, reg, mem, insn):
    res[insn.out] = biop(insn.op, reg[insn.a], reg[insn.b])
    pc += 1
    insn = mem[pc]


<https://riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf>

- Using define-fun-rec gives a first class handle on instructions.
- To curry or not.
-

```clojure
;re
; let's just stick to 32 bit operations
; 32 = 2^5 registers of 32 bits a piece
(define-sort REG () (_ BitVec 5))
(define-sort BV32 () (_ BitVec 32))
(define-sort REGFILE () (Array REG BV32))
(define-sort Addr () BV32)

(define-const r0 REG (_ bv0 5))
(define-const bv0 BV32 (_ bv0 32))
(define-const bv1 BV32 (_ bv1 32))


(declare-datatype State (
 (State
    (mem (Array Addr BV32))
    (regfile REGFILE)
    (pc BV32)
  ))
)

; r0 is always all zeros
(define-fun valid ((s State)) Bool
  (= (select (regfile s) r0) bv0)
)

; similarly for sub,and,or,xor
(define-fun add ((dst REG) (src1 REG) (src2 REG)) (Array REGFILE REGFILE Bool)
  (lambda ((in REGFILE) (out REGFILE))
      (= out (store in dst (bvadd (select in src1) (select in src2))))
  )
) 


(define-fun nop () (Array REGFILE REGFILE Bool)
  (lambda ((in REGFILE) (out REGFILE))
      (= out in)
  )
) 

```

```python
from z3 import *
from dataclasses import dataclass
REG = BitVecSort(5)
BV32 = BitVecSort(32)
MEM = ArraySort(BV32, BitVecSort(8))
REGFILE = ArraySort(REG, BV32) # could make this a python list. statically structured.


# Z3 records vs python records. An eternal battle.
# The state record is total static though. Shouldn't be a problem.
@dataclass
class RVState:
  mem: Array
  regfile: Array
  pc: BitVec

def FreshState():
  return RVState(FreshConst(MEM), FreshConst(REGFILE), FreshConst(BV32))

def add(dst,src1,src2):
  def res(in_,out):
    return out == Store(in_,dst, in_[src1] + in_[src2])
  return res

# functional style.
def add(dst,src1,src2):
  def res(s):
    return Store(s,dst, in_[src1] + in_[src2])
  return res

# relation composition.
# temporal compositin.
def comp(f,g):
  def res(in_,out):
    s = FreshState()
    return Exists([s.mem, s.regfile, s.pc], And( f(in_,s), g(s, out)))
  return res

def hcomp(f,g):
  def res(in_, out):
    return And(f(in_out), g(in_,out))
  return res

#foo = Array("foo", IntSort(),IntSort())
#print(foo["a"])
```

So what do I want to do with this model? WP? CHC? Model checking? Symbolic execution? Hoare Logic?
Bit accurate assembly modelling can be interesting too.

<https://github.com/mit-plv/riscv-coq/blob/master/src/riscv/Spec/Decode.v>

```z3
;re
(define-sort BV12 () (_ BitVec 12))
(define-sort BV32 () (_ BitVec 32))
(define-sort Reg  () (_ BitVec 5)) ; 32 = 2 ^ 5 registers
(declare-datatype IOp (
  (ADDI) (SLLI) (SLTI) (SLTIU) (XORI) (SRLI) (SRAI) (ORI) (ANDI)
))

(declare-datatype ROp (
  (ADD) (SLL) (SLT) (SLTU) (XOR) (SRL) (SRA) (OR) (AND)
))

(declare-datatype Instruction (
 (IInsn (opI IOp) (rdI Reg) (rs1I Reg) (immI BV12))
 (RInsn (opR ROp) (rdR Reg) (rs1R Reg) (rs2R Reg))
 ))

;(simplify (IInsn AddI #b00000 #b00000 #b000000000000))

(define-const opcode_OP_IMM (_ BitVec 7) #b0010011)
(define-const opcode_OP  (_ BitVec 7) #b0110011)
(define-fun funct3 ((op IOp)) (_ BitVec 3)
 (match op (
      (ADDI   #b000)
      (SLLI   #b001)
      (SLTI   #b010)
      (SLTIU  #b011)
      (XORI   #b100)
      (SRLI   #b101)
      (SRAI   #b101)
      (ORI    #b110)
      (ANDI   #b111)
   ))
)


(define-fun funct3 ((op ROp)) (_ BitVec 3)
 (match op (
      (ADD   #b000)
      (SUB   #b000)
      (SLL   #b001)
      (SLT   #b010)
      (SLTU  #b011)
      (XOR   #b100)
      (SRL   #b101)
      (SRA   #b101)
      (OR    #b110)
      (AND   #b111)
   ))
)

(define-fun funct7 ((op ROp)) (_ BitVec 7)
 (match op (
      (ADD   #b0000000)
      (SUB   #b0100000)
      (SLL   #b0000000)
      (SLT   #b0000000)
      (SLTU  #b0000000)
      (XOR   #b0000000)
      (SRL   #b0000000)
      (SRA   #b0100000)
      (OR    #b0000000)
      (AND   #b0000000)
   ))
)

; encode is also decode since SMT is declarative. That's nices.
(define-fun encode ((insn Instruction)) BV32
  (match insn (
    ((IInsn op dst src imm) (concat imm src (funct3 op) dst opcode_OP_IMM))
    ((RInsn op rd rs1 rs2)  (concat (funct7 op) rs2 rs1 (funct3 op) rd opcode_OP))
  ))
)

(define-sort REGFILE () (Array Reg BV32))
(declare-datatype State (
 (State
    ;(mem (Array Addr BV32))
    (regfile REGFILE)
    (pc BV32)
  ))
)


(define-fun execI ((op IOp) (rs1 BV32) (imm BV12)) BV32
(let (
       (imm ((_ zero_extend 20) imm))
     )
 (match op (
  ; todo fill in correctly
      (ADDI   (bvadd rs1 imm))
      (SLLI   imm)
      (SLTI   imm)
      (SLTIU  imm)
      (XORI   (bvxor rs1 imm))
      (SRLI   imm)
      (SRAI   imm)
      (ORI    (bvor rs1 imm))
      (ANDI   (bvand rs1 imm))
   ))
))

(define-fun execR ((op ROp) (rs1 BV32) (rs2 BV32)) BV32
 (match op (
  ; todo fill in correctly
      (ADD   (bvadd rs1 rs2))
      (SUB   (bvsub rs1 rs2))
      (SLL   rs1)
      (SLT   rs1)
      (SLTU  rs1)
      (XOR   (bvxor rs1 rs2))
      (SRL   rs1)
      (SRA   rs1)
      (OR    (bvor rs1 rs2))
      (AND   (bvand rs1 rs2))
   ))
)

(define-fun inc-pc ((st State)) State
  ((_ update-field pc) st (bvadd (pc st) (_ bv1 32)))
)

(define-fun set-reg ((st State) (reg Reg) (v BV32)) State
  ((_ update-field regfile) st (store (regfile st) reg v))
)

(define-fun get-reg ((st State) (reg Reg)) BV32
  (select (regfile st) reg)
)

(define-fun execute ((insn Instruction) (st State)) State
    (match insn (
    ((IInsn op dst src imm)  (inc-pc (set-reg st dst (execI op (get-reg st src) imm))))
    ((RInsn op rd rs1 rs2)   (inc-pc (set-reg st rd (execR op (get-reg st rs1) (get-reg st rs2)))))
  ))
)

(define-const zero32 BV32 (_ bv0 32))

(define-const init-regfile (Array Reg BV32)
((as const (Array Reg BV32)) zero32))

(define-const init-state State 
  (State init-regfile (_ bv0 32))
)

(define-const r0 Reg #b00000)
(define-const r1 Reg #b00001)
(define-const r2 Reg #b00010)
(simplify (execute (IInsn ADDI r2 r1 (_ bv4 12)) init-state))
```

```z3
; scratch pad
(simplify (concat #xf0 #x00))
```