#### A Tour of the RISC-V ISA Formal Specification

#### RISC-V Foundation ISA Formal Spec Technical Committee



At RISC-V Summit, San Jose December 12, 2019



Dear reader, *Caveat!* we must confess, This slide deck remains a work in progress, We suggest, until the target date, please take a recess, Your cognitive serenity so as not to distress.

Please come back on December 12, 2019.

## Objectives for this tutorial

- Primary objective: To give you a basic reading literacy of the RISC-V ISA Formal Specification, i.e., where you are comfortable reading and consulting the formal spec on your own on a daily basis.
- Secondary objective: To show you how to execute the formal spec on RISC-V binaries, such as standard ISA tests, the Compliance Suite, and your own compiled programs. Typically, you'd do this to compare a RISC-V implementation (simulator, architectural model, actual hardware implementation) to see if the implementation's behavior matches the formal spec accurately.

Target audience: Working RISC-V engineers (e.g., CPU designers, compiler writers, simulator/emulator writers, ...) who consult the spec to clarify understanding of instruction semantics. We do not assume any prior experience with formal languages or formal methods.

This tutorial may not be suitable for afficionados of formal methods, except as an initial familiarization with SAIL and the RISC-V formal spec.

#### Outline

- Intro
- Reading the ISA to understand semantics of each RISC-V instruction
  - Preliminaries
  - Registers and values
  - "Scattered" organization of instruction specs
  - Instruction fields
  - Some base instructions
  - Exceptions
- Secuting ISA and Compliance tests
  - Executing standard RISC-V ISA tests
  - Executing Compliance tests
- Extra material

#### Context, briefly

#### What is it?

- The formal spec of the RISC-V ISA is intended to be the *definitive* reference for RISC-V instructions:
  - Encoding
  - Execution semantics (what executing each instruction is supposed to do)

More authoritative than the English prose spec (complete, precise, unambiguous).

- Excutable: can be run as a simulator executing RISC-V binaries, providing definitive execution behaviors
- Readable and usable by, and useful to, ordinary mortals who don't do formal stuff for a living.
  - Casual reading, as a reference guide to RISC-V instructions.
  - Executable "golden reference model" to check implementation correctness.
- For those who do formal stuff for a living, usable with formal tools for proofs of correctness of compilers,
   CPU implementations, automatic generation of tests, test coverage, etc.

# Downloading and Installing

#### Downloading and Installing

Please see the separate slide deck Slides\_Installation.pdf for instructions on how to download the spec, and optionally to build an executable version of the spec.

#### Preliminaries

Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions

#### About SAIL, and the RISC-V ISA Formal Spec written in SAIL

- The RISC-V ISA Formal Spec is written in the language SAIL, which is a DSL (Domain-Specific Language) designed for purpose, i.e., for writing ISA specs.
- SAIL has been used to describe ISAs for RISC-V, ARMv8 (complete spec!), MIPS, parts
  of x86 and IBM POWER, and more.
- The SAIL manual can be found in the main SAIL repository https://github.com/rems-project/sail
- In this tutorial we won't study SAIL separately; we'll jump into studying the RISC-V Spec written in SAIL, explaining the SAIL notation as we go along.
- The RISC-V spec in SAIL has its own repository: https://github.com/rems-project/sail-riscv
   We will be studying the code in the model/ directory.

#### Preliminaries

Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions

# Spec source files (there are a lot of them!)

```
--12:50:52--Dell-mation: ~/git_clones/sail-riscv/model
$ 1s
main sail
                               riscy insts aext.sail
                                                         riscy platform.sail
                                                                                        riscy termination duo.sail
prelude_mapping.sail
                               riscy insts base.sail
                                                         riscy pmp control.sail
                                                                                        riscy termination rv32.sail
prelude_mem_metadata.sail
                                                         riscv_pmp_regs.sail
                               riscv_insts_begin.sail
                                                                                        riscv_termination_rv64.sail
prelude mem.sail
                               riscy insts cext.sail
                                                         riscy pte.sail
                                                                                        riscy types ext.sail
prelude.sail
                               riscv_insts_end.sail
                                                         riscv_ptw.sail
                                                                                        riscv_types.sail
README.md
                               riscy insts mext.sail
                                                         riscv_regs.sail
                                                                                        riscy vmem common sail
riscy addr checks common.sail
                               riscy insts next.sail
                                                         riscy reg type.sail
                                                                                        riscv vmem rv32.sail
riscy addr checks.sail
                               riscy insts rmem.sail
                                                         riscy step common.sail
                                                                                        riscv vmem rv64.sail
riscv_analvsis.sail
                               riscv_insts_zicsr.sail
                                                         riscv_step_ext.sail
                                                                                        riscv_vmem_sv32.sail
                                                         riscv_step_rvfi.sail
riscv_csr_ext.sail
                               riscv_jalr_rmem.sail
                                                                                        riscv_vmem_sv39.sail
riscy csr map.sail
                               riscy jalr seg.sail
                                                         riscy step.sail
                                                                                        riscy vmem sv48.sail
riscy decode ext.sail
                               riscv mem.sail
                                                         riscv_svnc_exception.sail
                                                                                        riscy vmem tlb.sail
riscv_duopod.sail
                               riscy misa ext.sail
                                                         riscv_svs_control.sail
                                                                                        riscv_vmem_tvpes.sail
riscy ext regs.sail
                               riscy next control.sail
                                                         riscy sys exceptions.sail
                                                                                        riscv xlen32.sail
riscv fetch rvfi.sail
                                                                                        riscy xlen64.sail
                               riscv_next_regs.sail
                                                         riscv_svs_regs.sail
riscv_fetch.sail
                               riscv_pc_access.sail
                                                         riscv_termination_common.sail
                                                                                        rvfi_dii.sail
```

SAIL does not have a package/module structure—the full SAIL program is just the concatenation of the source files.

We organize them into files according to our convenience.

In this tutorial we will look at excerpts of some of these files.



#### Preliminaries

Registers and values "Scattered" organization of instruction specs Instruction fields Some base instructions Exceptions

# A word about types and type-checking

- SAIL is a strongly-typed language, and does its type-checking statically (i.e., on the source code, without running the code).
- Many types are familiar from other languages (particularly functional programming languages): vectors. structs, algebraic types/tagged unions, ...
- Perhaps the most unfamiliar for many people will be the use of numbers as types.
  - In ISAs (unlike most software programming languages) we deal with representations (e.g., bit-vectors) of many different sizes, and the precise size is important.
  - Moreover, sizes of various entities are often related. E.g., the shift amount in RV32 (respectively. RV64) should be a 5-bit value (respectively, a 6-bit value). In SAIL, such relationships can be expressed in types, and are type-checked.
- SAIL also statically keeps track of effects (for example, does a certain expression read any registers, write any registers. ...). More about this later.

## Let's start with some small, easy files

2

2

We'd use one of these two files, depending on whether we are considering RV32 or RV64.

```
/* Define the XLEN value for the architecture. */

type xlen : Int = 32
type xlen_bytes : Int = 4
type xlenbits = bits(xlen)
```

```
File riscv_xlen64.sail

/* Define the XLEN value for the architecture. */

type xlen : Int = 64

type xlen_bytes : Int = 8

type xlenbits = bits(xlen)
```

In lines 3-4, we are defining new types that are numeric.

In line 5 we are defining a new type for bit-vectors of size xlen. The type bits(t) represents the type of bit-vectors of size t. It's parameter t must be a numeric type (here, we instantiate it as xlen).

**4** 🗇 ト **4** 😑 ト

< ∃ →

#### Values in integer registers

3

5

```
File riscv_reg_type.sail
/* default register type */
type regtype = xlenbits
/* default zero register */
let zero_reg : regtvpe = EXTZ(0x0)
```

In line 2 we're defining the type of values in registers; it's the same type as xlenbits.

In line 5 we're defining a specific value of this type, using the library function EXTZ to zero-extend the constant 0x0 to the appropriate length. Because of strong type-checking (including some amount of type inference). SAIL knows exactly how much extension is needed.

Note: the keyword type introduces a type definition, the keyword let introduces a value definition.

#### Integer registers

```
register PC : xlenbits

register x1 : regtype
register x2 : regtype
...
register x31 : regtype
```

In line 1 with keyword register we declare PC to be a register, and we specify the type of values it can contain, xlenbits. The remaining lines similarly declare registers x1...x31.

(There's no x0 register because it's a constant 0.)

# Reading from integer registers

```
File riscv_regs.sail
     val rX : forall 'n, 0 <= 'n < 32. regno('n) -> xlenbits effect {rreg, escape}
     function rX r = {
       let v : regtype =
3
         match r {
           0 => zero_reg,
           1 => x1.
            . . .
           31 => x31.
              => {assert(false, "invalid register number"); zero_reg}
9
         }:
10
11
       regval_from_reg(v)
12
```

This defines a function rX that takes a register number r as argument and returns the value contained in that register. Line 1, introduced by the val keyword, specifies the *type* of the function. It can be read as:

For all n in the range 0..31, it takes an argument n that is a register number, and returns a value of type xlenbits. Executing this function can have two possible effects, rreg (reading a register) and escape (abort due to illegal register number).

# Reading from integer registers (contd.)

```
File riscv_regs.sail

val rX : forall 'n, 0 <= 'n < 32. regno('n) -> xlenbits effect {rreg, escape}

function rX r = {

let v : regtype =

match r {

0 => zero_reg,

1 => x1,

...

31 => x31,

= => {assert(false, "invalid register number"); zero_reg}

};

regval_from_reg(v)
}
```

Line 2, introduced by the function keyword, defines the function rX itself, with argument r.

The let binding in line 3 introduces a local variable v and binds it to the value of the "pattern-matching" expression in Lines 4-10. This matches the value v with each of the subsequent patterns 0, 1, 2, ... 31, returning the value of the right-hand side on first match.

**4** 🗇 ▶

< 注 → < 注 →

< 4 → 1 ×

4 ∄ ▶

 $\equiv$ 

15 / 50

# Reading from integer registers (contd.)

8

9

11

```
File riscv_regs.sail
     val rX : forall 'n, 0 <= 'n < 32. regno('n) -> xlenbits effect {rreg, escape}
     function rX r = {
       let v : regtvpe =
3
         match r {
           0 => zero reg.
           1 => x1.
           2 => x2
              => {assert(false, "invalid register number"); zero_reg}
         }:
10
       regval_from_reg(v)
12
```

The type of v is regtype, i.e., it is a register, and so in Line 11 the regval\_from\_reg(v) application reads out the register value, of type xlenbits.

In SAIL, a block is a series of expressions in in braces, and the value of the last expression is treated as the value of the whole block: here that is also the result of the function.

Observation: improved type-checking and pattern analysis in the SAIL compiler should allow us to omit the assert statement. This in turn should allow us to omit the escape effect.

## Writing integer registers

```
File riscv_regs.sail
     val wX : forall 'n, 0 <= 'n < 32. (regno('n), xlenbits) -> unit effect {wreg, escape}
     function wX (r, in_v) = {
2
       let v = regval_into_reg(in_v);
       match r {
         0 => ().
         1 => x1 = v.
         . . .
         31 => x31 = v.
            => assert(false, "invalid register number")
9
       };
10
11
```

This is similar to the rX read-function. The function type-declaration in line 1 says it takes two arguments, one a register number and the second a value of type xlenbits, and its result type is unit which is like the "void" type in C, indicating a value of no particular interest, since this is a pure side effect. Its effects include wreg (writing a register) and escape.

**4** 🗇 ▶

# Using SAIL overloading to simplify notation

```
overload X = {..., rX, wX}
```

This allows "X(r)" to be used to read a register (invoking the function "rX()"), and "X(r)=v" to write a register (invoking the function "wX()").

#### "Scattered" organization of instruction specs

In a traditional programming language, we might have:

- A type definition showing all the different variants of instructions (opcodes, register fields, immediate fields, ...).
- A decode function that describes how to take a 32-bit value into into each of the different instruction variants.
- An execute function that describes how to execute each variant of instruction.

Traditional instruction set manuals "scatter" this same information differently—a page (or a few) per instruction variant, showing:

- Its fields (opcode, register fields, immediate fields, ...).
- How a 32-bit instruction is decoded/encoded.
- How it is executed.

SAIL supports the latter more traditional, familiar organization. For each type of instruction, all its relevant information is collected in one place.

1

3

5

Preliminaries
Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions

**4** 🗇 ▶

< E → E

#### Introducing things whose clauses will be scattered

We must first introduce the generic information about entities whose individual definition-clauses will given later in scattered fashion; specifically, types:

```
scattered mashion, specifically, types:

scattered union ast

val encdec : ast <-> bits(32)
scattered mapping encdec

val assembly : ast <-> string
scattered mapping assembly
```

Line 1 introduces the type "ast" which is a *union* of all the different variants of instructions. Each variant will follow later, in a scattered fashion. Here, "ast" stands for Abstract Syntax Tree, the decoded view of an instruction.

Line 3 declares the type of the "encdec" mapping, which is a pair of functions converting from a 32-bit value (instruction) to is decoded view (ast), and vice versa.

Line 6 declares the type of the "assembly" mapping that converts from a string to a decoded instruction and vice versa

The "scattered" annotation and lines indicate that the clauses of each of these entities will follow later, in a 19/50

2

Preliminaries Registers and values "Scattered" organization of instruction specs Instruction fields Some base instructions Exceptions

## Introducing things whose clauses will be scattered (contd.)

```
File riscv_insts_begin.sail ____
val execute : ast -> Retired effect {escape, wreg, rreg, rmem, ...}
scattered function execute
```

Line 1 declares the type of the "execute" function, which takes a decoded instruction (ast) and returns a "Retired" result which indicates whether it should be counted as a retired instruction or not. It also specifies all the possible effects of an instruction, such as aborting ("escape"), writing and reading registers ("wreg, rreg"), reading memory, and so on.

The "scattered" line indicates that the clauses of this function will follow later, in a scattered manner,

#### Type definitions for instruction fields

The top of each page in The RISC-V Instruction Set Manual Volume I: Unprivileged ISA, Chapter 25 Instruction Set Listings shows the RISC-V formats:

| 31 | 27                    | 26  | 25  | $^{24}$ | 20  | 19 | 15  | 14  | 12       | 11   | 7       | 6      | 0      |        |
|----|-----------------------|-----|-----|---------|-----|----|-----|-----|----------|------|---------|--------|--------|--------|
|    | funct7                |     |     |         | rs2 | rs | 1   | fun | ct3      | 1    | rd      | opco   | ode    | R-type |
|    | imm[11:0]             |     |     |         | rs1 |    | fun | ct3 | rd       |      | opco    | ode    | I-type |        |
| j  | imm[11:               | 5]  | rs2 |         | rs1 |    | fun | ct3 | imm[4:0] |      | opco    | ode    | S-type |        |
| in | nm[12 10]             | :5] |     |         | rs2 | rs | 1   | fun | ct3      | imm[ | 4:1 11] | opco   | ode    | B-type |
|    | imm[31:12]            |     |     |         |     |    |     | 1   | rd       | opco | ode     | U-type |        |        |
|    | imm[20 10:1 11 19:12] |     |     |         |     |    |     | 1   | rd       | opco | ode     | J-type |        |        |

- The least-significant 7 bits provide a major opcode.
- The funct3 and funct7 fields (and sometimes the immediate fields) often specify sub-opcodes.
- The "rs1", "rs2" and "rd" fields are 5-bit values specifying source and destination registers.
- Immediate values are often composed from non-trivial permutation of "imm" instruction fields.



#### Type definitions for instruction fields (contd.)

We declare convenient types for instruction fields.

```
File riscv_types.sail
            = bits(5)
type regidx
type csreg
            = bits(12) /* CSR addressing */
type opcode = bits(7)
type imm12 = bits(12)
type imm20 = bits(20)
. . .
```

These are definitions for register indexes, CSR register addresses, major opcodes, and 12-bit and 20-bit immediates.

#### Decoded view of LUI and AUIPC

Earlier we declared "ast" to be a "union" type, i.e., a type with several variants. We also declared that the variants would be provided later in scattered clauses.

We now provide one of those clauses, for U-format instructions (LUI and AUIPC):



File riscv\_insts\_base.sail union clause ast = UTYPE : (bits(20), regidx, uop)

This says: one variant of the ast type is called UTYPE. It contains 3 fields (identified positionally, not with keywords) whose types are, respectively, a bit-vector of 20 bits, a register index, and a upp (which identifies whether it's an LUI or AUIPC).

Note: SAIL unions are similar to "algebraic types" or "tagged unions" in other programming langauges. Each value of a tagged union carries a way (a "tag") by which we can query which variant this value encodes.

In SAIL, as is common in functional programming languages, values of union type are usually analyzed in "patternmatching" statements, which are like case/switch statements where each clause matches a variant of the union.

**4** 🗇 ▶

#### Decoding LUI and AUIPC

2

5

6

7

Earlier, we declared a mapping (a function and its inverse) "encdec" with this type.

val encdec : ast <-> bits(32)

and further declared that the mapping body would be provided later in scattered clauses.

We now provide one such clause, showing how to encode/decode LUI and AUIPC instructions.

Lines 1-4 define a new, local mapping between the bit-encodings of the 7-bit opcode in a U-format instruction to a value of uop type, i.e., the symbolic names for the corresponding instructions.

Lines 6-7 add a scattered clause to the "encdec" mapping. The left-hand-side of "<->" in Line shows the decoded view. The right-hand side shows a bit-concatenation. The prior declarations allow SAIL to infer that "imm", "rd", and "encddec\_op(op)" are are 20-bit, 5-bit and 7-bit fields, respectively, and that the concatenation is a 32-bit value.

#### Executing LUI and AUIPC

```
Earlier, we declared a function "execute" with this type.
```

```
val execute: ast -> Retired effect {escape, wreg, rreg, rmem, ...}
and further declared that the function body would be provided later in scattered clauses. Here is the definition
of the Retired type:
```

```
File riscv_types.sail _____
enum Retired = {RETIRE_SUCCESS, RETIRE_FAIL}
```

We could have used the "bool" type for this, but (a) these provide more readable names, and (b) this prevents accidental confusion of random booleans where an Retired value is expected.

# Executing LUI and AUIPC (contd.)

We now provide one of the clauses for execute, for LUI and AUIPC instructions.

```
file riscv_insts_base.sail

function clause execute UTYPE(imm, rd, op) = {
    let off : xlenbits = EXTS(imm @ 0x000);
    let ret : xlenbits = match op {
        RISCV_LUI => off,
        RISCV_AUIPC => get_arch_pc() + off
    };
    X(rd) = ret;
    RETIRE_SUCCESS
}
```

In Line 1, the argument to the "execute" function is given as a pattern "UTYPE(imm, rd, op)". Remember execute can be applied to any value of type ast. The pattern here ensures that this clause will only be relevant to those ast values that are of the UTYPE variant. On a successful match, it also binds the names imm, rd and op to the three fields of the decoded instruction, so we can use these variables in the body of the function.

< 4 → 1 ×

# Executing LUI and AUIPC (contd.)

```
function clause execute UTYPE(imm, rd, op) = {

let off : xlenbits = EXTS(imm @ 0x000);

let ret : xlenbits = match op {

RISCV_LUI => off,

RISCV_AUIPC => get_arch_pc() + off

};

X(rd) = ret;

RETIRE_SUCCESS

}
```

Strong-typing assures us that imm is of type bits(20), i.e., a bit-vector of length 20. In Line 2, we concatenate this with the 12-bit value 0x000, giving us a 32-bit value. Then, we use EXTS to sign-extend it as necessary. This does nothing in RV32, since it's already a 32-bit value, and it sign-extends it to 64 bits in RV64. The result is bound to the local variable off of type xlenbits.

# Executing LUI and AUIPC (contd.)

```
File riscv_insts_base.sail

function clause execute UTYPE(imm, rd, op) = {

let off : xlenbits = EXTS(imm @ 0x000);

let ret : xlenbits = match op {

RISCV_LUI => off,

RISCV_AUIPC => get_arch_pc() + off

};

X(rd) = ret;

RETIRE_SUCCESS

}
```

Line 3 binds local variable ret, of type xlenbits, to the right-hand side, which is a pattern-matching expression examining op. When it matches RISCV\_LUI, the value is just off. When it matches RISCV\_AUIPC, the value is added to get\_arch\_pc(), which retrieves the value of the program counter in the current machine state.

Line 7 assigns this value to register rd, using the overloading of X we saw earlier.

Finally, Line 8 is the constant expression RETIRE\_SUCCESS. Being the last expression in the block, and the block being the body of the function, this is the value returned by the function.

**4** 🗇 ト **4** 😑 ト

**4 ∄** ▶

2

Preliminaries Registers and values "Scattered" organization of instruction specs Instruction fields Some base instructions Exceptions

#### Assembly language parsing and printing for LUI and AUIPC

We first define a mapping (function and its inverse) to convert the sub-opcode uop to a string and back: File riscy insts base sail \_\_\_\_\_

```
mapping utype_mnemonic : uop <-> string = {
      RISCV_LUI <-> "lui",
      RISCV AUIPC <-> "auipc"
3
```

Then, we add a scattered clause to our previously introduced assembly mapping:

```
File riscy insts base sail
mapping clause assembly = UTYPE(imm, rd, op)
  <-> utype_mnemonic(op) ^ spc() ^ reg_name(rd) ^ sep() ^ hex_bits_20(imm)
```

- the caret operator concatenates strings; spc() and sep() return strings for spaces and commas;
- reg\_name(r) returns the string name for its register-number argument:
- hex\_bits\_20() returns a string showing a hex printing of a 20-bit value.

#### Conditional branch instructions: ast clause

Conditional branch instructions include BEQ, BNE, BLT, BGE, BLTU, and BGEU: we define symbolic names:

```
enum bop = {RISCV_BEQ, RISCV_BNE, RISCV_BLT,
RISCV_BGE, RISCV_BLTU, RISCV_BGEU} /* branch ops */
```

Branch instructions are encoded in the B-format:

| imm[12 10:5] | rs2 | rs1 | funct3 | imm[4:1 11] | opcode | B-type |
|--------------|-----|-----|--------|-------------|--------|--------|
|--------------|-----|-----|--------|-------------|--------|--------|

Our abstract (decoded) ast view is:

```
union clause ast = BTYPE : (bits(13), regidx, regidx, bop)
```

#### Note:

2

- The branch offset immediate value is 13 bits composed from 12 bits in the instruction, with 0 appended as the least-significant bit.
- The 12 bits come from non-contiguous 7-bit and 5-bit fields in the instruction.
- Our ast (decoded) view holds the 13-bit offset (computed in the encdec function to be shown shortly).

## Conditional branch instructions: encoding/decoding

We define a mapping converting the 3-bit "funct3" field in the instruction to its abstract names:

Then, we add a scattered clause to the encdec mapping:

```
File riscv_types.sail

mapping clause encdec = BTYPE(imm7_6 @ imm5_0 @ imm7_5_0 @ imm5_4_1 @ 0b0, rs2, rs1, op)

<-> imm7_6 : bits(1) @ imm7_5_0 : bits(6)

@ rs2 @ rs1 @ encdec_bop(op)

@ imm5_4_1 : bits(4) @ imm5_0 : bits(1)

@ 0b1100011
```

Observe 13-bit offset is composed by extracting bits from various places in the instruction.

4 A >

4 厘 →

#### Conditional branch instructions: execution

We add a scattered clause to the execute function. The first part is straightforward:

```
File riscv_types.sail
     function clause execute (BTYPE(imm, rs2, rs1, op)) = {
       let rs1_val = X(rs1);
       let rs2_val = X(rs2);
       let taken : bool = match op {
         RISCV_BEQ => rs1_val == rs2_val.
                                                RISCV_BNE => rs1_val != rs2_val,
5
         RISCV_BLT => rs1_val <_s rs2_val.
                                                RISCV BGE => rs1 val >= s rs2 val.
         RISCV BLTU => rs1 val < u rs2 val.
                                                RISCV BGEU => rs1 val >= u rs2 val
       }:
       let t : xlenbits = PC + EXTS(imm):
Q
10
       . . .
11
```

- Line 4 computes "taken", indicating whether the branch is taken or not. It does a pattern-match on the sub-opcode op. Note that BLT and BLTU are supposed to interpret their argument as signed and unsigned values, respectively. This is encoded by using different SAIL pre-defined comparison operators <\_s and <\_u, respectively.</li>
- Line 9 computes the branch target, adding a sign-extension of the immediate to the PC.

#### Conditional branch instructions: execution (contd.)

The second part of the execute function clause performs different actions depending on whether the branch is taken or not:

```
File riscv_types.sail
function clause execute (BTYPE(imm, rs2, rs1, op)) = {
  . . .
  if taken then {
    . . .
  } else RETIRE_SUCCESS
```

If the branch is not taken, there is no further action and the result is RETIRE SUCCESS.

#### Conditional branch instructions: execution (contd.)

If the branch would be taken, we first check that the branch target PC is valid.

```
File riscv_types.sail _
      if taken then {
        ... <some code elided> ...
            if bit_to_bool(target[1]) & (~ (haveRVC())) then {
              handle_mem_exception(target, E_Fetch_Addr_Align());
                                                                       RETIRE_FAIL:
            } else {
              set_next_pc(target);
                                       RETIRE_SUCCESS
7
```

- Line 3 checks the requirement that, without the "C" ISA extension (compressed instructions), the branch target must be 4-byte aligned, i.e., bit [1] must be 0. bit\_to\_bool converts a value of bits(1) type to bool type (we could have also used "==1"). haveRVC checks if the C extension is active. If the target is not ok, on Line 4 we invoke function handle\_mem\_exception to perform exception actions and return failure. If the target is ok. Line 6 assigns it to the next PC and we return success.
- Our "<some code elided>" on Line 2 contains additional checks for target validity that may be required by any other extensions.

2

3

Preliminaries
Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions

#### Conditional branch instructions: Assembly language parsing and printing

We first define a mapping (function and its inverse) to convert the sub-opcode bop to a string and back:

```
mapping btype_mnemonic : bop <-> string = {

RISCV_BEQ <-> "beq", RISCV_BNE <-> "bne",

RISCV_BLT <-> "blt", RISCV_BGE <-> "bge",

RISCV_BLTU <-> "bltu", RISCV_BGEU <-> "bgeu"

}
```

Then, we add a scattered clause to our previously introduced assembly mapping:

- the caret operator concatenates strings; spc() and sep() return strings for spaces and commas;
- reg\_name(r) returns the string name for its register-number argument;
- hex\_bits\_13() returns a string showing a hex printing of a 13-bit value.

4 A >

#### Taking stock ...

The general scheme for adding a new instruction, or new class of instructions, should be clear by now:

- Define an enum and mapping for any sub-opcodes in the class (if the class contains more than one instruction)
- Augment the "ast" type by adding a scattered clause to describe this new class
- Augment the "encdec" mapping by adding a scattered clause to describe this new class
- Augment the "execute" function by adding a scattered clause to describe this new class
- Augment the "assembly" mapping by adding a scattered clause to describe this new class

It is a stylistic judgement call whether you define a class with sub-opcodes, or just define a separate clause for each instruction in the class. E.g., we could have defined separate "ast", "encdec", "execute" and "assembly" clauses for BEQ, BNE, BLT, ...

A class with sub-opcodes makes sense when the instructions share structure and semantics. For example, BEQ/BNE/BLT/... differ only in the particular comparison operator; using a class with sub-opcodes captures this similarity.

For the remaining examples we'll focus on the "execute" function.

#### **Exceptions**

#### RISC-V has

2

3

2

3

- interrupts (asynchronous exceptions, conceptually "between" any two instructions)
- traps (synchronous exceptions, due to execution of an instruction)

The different kinds of interrupts:

```
File riscv_types.sail

enum InterruptType = { I_U_Software, I_S_Software, I_M_Software, I_U_Timer, I_S_Timer, I_M_Timer, I_U_External, I_S_External, I_M_External }
```

The file also contains a function to convert bit-encodings to these symbolic names:

Comment: A mapping would be more expressive than a function, but since we don't decode interrupts/exceptions, we don't need the inverse function.

4 AP >

#### Exceptions (contd.)

1

2

3

7

8

9

10

11

12

The different kinds of traps, and converting to bits:

```
File riscv_types.sail
union ExceptionType = { E_Fetch_Addr_Align
                                             : unit,
                                                        E Fetch Access Fault : unit.
                       E_Illegal_Instr
                                                        E_Breakpoint
                                            : unit,
                                                                              : unit,
                        E_Load_Addr_Align
                                             : unit.
                                                        E_Load_Access_Fault
                                                                              : unit.
                        E_SAMO_Addr_Align
                                             : unit.
                                                        E_SAMO_Access_Fault
                                                                              : unit.
                        E U EnvCall
                                             : unit.
                                                        E S EnvCall
                                                                              : unit,
                        E Reserved 10
                                             : unit,
                                                        E M EnvCall
                                                                              : unit,
                        E_Fetch_Page_Fault
                                             : unit.
                                                        E_Load_Page_Fault
                                                                              : unit.
                        E Reserved 14
                                                        E_SAMO_Page_Fault
                                                                              : unit }
                                             : unit.
val exceptionType_to_bits : ExceptionType -> exc_code
function exceptionType_to_bits(e) = match (e) { E_Fetch_Addr_Align()
                                                                      => 0x00.
                                               E Fetch Access Fault() => 0x01. ...}
```

Comment: I think this could also have been written as an enum. The "unit" type is like void, so these union variants don't contain any interesting data with each tag.

4 ∄ ▶

### Exceptions (contd.)

Some traps may carry additional information. In SAIL (and OCaml), optional information is usually expressed using the "option" predefined type:

```
___ predefined .
    union option ('a : Type) = { Some : 'a,
                                   None : unit }
2
```

i.e., the "Some" variant carries some additional information (generic/polymorphic type 'a), and the "None" variant carries no additional information.

```
File riscv_sync_exception.sail
    struct sync_exception = { trap
                                      : ExceptionType,
                              excinfo : option(xlenbits),
2
                                      : option(ext_exception) /* for extensions */ }
3
                              ext
```

The "trap" field is necessary information. The other two fields carry optional information, for standard traps (such as an address that provoked a trap), and also for future standard or non-standard ISA extensions.

### Handling certain exceptions

3

5 6 The "handle\_mem\_exception" action function we saw earlier in conditional branches with illegal branch targets is:

Lines 1-3 construct a "sync\_exception" value, filling in the address as optional exception info, and binds it to the local variable "t".

In Line 4 we invoke a more general "exception\_handler" (next slide).

< A →

## Handling exceptions (contd.)

```
File riscv_sys_control.sail
     function exception_handler(cur_priv : Privilege, ctl : ctl_result,
                                 pc: xlenbits) -> xlenbits = {
2
       match (cur_priv, ctl) {
         ( . CTL_TRAP(e)) \Rightarrow {
           let del_priv = exception_delegatee(e.trap, cur_priv);
5
           trap_handler(del_priv, false, exceptionType_to_bits(e.trap), pc, e.excinfo, e.ext)
         },
         ( . CTL MRET()) => { ... }
Q
         (_, CTL_SRET()) => { ... }
10
         (_, CTL_URET()) => { ... } }
11
```

Line 5 checks if the current trap, at the current privilege level, is being delegated to be handled at a different privilege level (returning that, or the current, privilege level).

Line 7 invokes an even more general trap handler (next slide).

Lines 9-11 handle exception returns from the Machine, Supervisor and User privilege levels, respectively.

## Handling exceptions (contd.)

```
File riscv_sys_control.sail
     function trap_handler(del_priv : Privilege, intr : bool, c : exc_code,
2
                          pc : xlenbits, info : option(xlenbits), ext : option(ext_exception))
                         -> xlenbits = {
3
       cancel reservation(): /* for LR/SC */
       match (del_priv) {
         Machine => { mcause->IsInterrupt() = bool_to_bits(intr);
                     mcause->Cause()
                                           = EXTZ(c):
                     mstatus->MPTE()
                                           = mstatus.MIE(); mstatus->MIE() = 0b0;
                     mstatus->MPP()
                                           = privLevel_to_bits(cur_privilege);
9
                                           = tval(info):
                     mtval
10
                                                               mepc
                                                                              = pc:
                                           = del_priv;
11
                     cur_privilege
                     prepare_trap_vector(del_priv. mcause) }.
12
         Supervisor => { ... }
13
         User => { ... }
14
```

This is an intricate but otherwise unremarkable assignment of certain values to certain CSRs.

Line 15 invokes "prepare\_trap\_vector" (in file "riscv\_sys\_extensions.sail") which returns the PC that is in "mtvec", "stvec", or "utvec", as appropriate.

< A →

< 注 → < 注 → Reading the ISA to understand semantics of each RISC-V instruction

Executing ISA and Compliance tests

Extra material

Preliminaries
Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions

#### **TEMPLATE**

We'd use one of these two files, depending on whether we are considering RV32 or RV64.

File filename.sail

foo

General text

## $\label{eq:linear_linear_linear} Intro \\ Reading the ISA to understand semantics of each RISC-V instruction \\$

Executing ISA and Compliance tests
Extra material

Preliminaries
Registers and values
"Scattered" organization of instruction specs
Instruction fields
Some base instructions
Exceptions



Overview of module dependencies in the SAIL RISC-V spec.

(Original: doc/figs/riscvspecdeps.svg in repo https://github.com/rems-project/sail-riscv )

### Executing standard RISC-V ISA tests

sail-riscv/test/riscv-tests/ has a full suite of pre-compiled standard RISC-V ISA tests. Each has an ELF file (RISC-V binary) and a disassembly (text file) of the test:

#### Example of ISA test ELF file and disassembly text file

```
$ ls -1 test/riscv-tests/rv64ui-p-add* test/riscv-tests/rv64ui-p-add.elf test/riscv-tests/rv64ui-p-add.dump test/riscv-tests/rv64ui-p-addi.elf test/riscv-tests/rv64ui-p-addi.dump test/riscv-tests/rv64ui-p-addiw.elf test/riscv-tests/rv64ui-p-addiw.dump test/riscv-tests/rv64ui-p-addiw.dump test/riscv-tests/rv64ui-p-addw.elf test/riscv-tests/rv64ui-p-addw.dump
```

RISC-V executable Disassembly text file

## Executing standard RISC-V ISA tests (contd.)

#### Using the C-based simulator:

```
Example: executing the rv64ui-p-add standard ISA test
 $ ./c_emulator/riscv_sim_RV64 rv64ui-p-add
 tohost located at 0x80001000
 Running file test/riscv-tests/rv64ui-p-add.elf.
 ELF Entry @ 0x80000000
     [M]: 0x0000000000001000 (0x00000297) auipc t0, 0
     [M]: 0x0000000000001004 (0x02028593) addi a1. t0. 32
     [M]: 0x0000000000001008 (0xF1402573) csrrs a0, zero, mhartid
 [477] [M]: 0x00000000080000044 (0xFC3F2023) sw gp, 4032(t5)
 SUCCESS
```

During execution of the RISC-V binary, it prints out a trace of instructions executed.

### Executing standard RISC-V ISA tests (contd.)

#### Using the OCaml-based simulator:

```
$ ./ocaml_emulator/riscv_ocaml_sim_RV64 rv64ui-p-add
$ .i/RISC-V: running ELF file test/riscv-tests/rv64ui-p-add.elf
...
[0] [M]: 0x0000000000001000 (0x00000297) auipc t0, 0
...
[1] [M]: 0x0000000000001004 (0x02028593) addi a1, t0, 32
...
[2] [M]: 0x0000000000001008 (0xF1402573) csrrs a0, zero, mhartid
...
[477] [M]: 0x000000000000044 (0xFC3F2023) sw gp, 4032(t5)
...
SUCCESS
```

## Executing Compliance tests

... to be written ...

# Adding new ISA Extensions

... to be written ...

49 / 50

## How people are using the spec in formal methods

... to be written ...

50 / 50