• Top
    • Documentation
    • Books
    • Boolean-reasoning
    • Projects
    • Debugging
    • Std
    • Proof-automation
    • Macro-libraries
    • ACL2
    • Interfacing-tools
    • Hardware-verification
    • Software-verification
      • Kestrel-books
      • X86isa
        • Program-execution
        • Sdm-instruction-set-summary
        • Tlb
        • Booting-linux
        • Introduction
        • Asmtest
        • X86isa-build-instructions
        • Publications
        • Contributors
        • Machine
          • X86isa-state
          • Syscalls
          • Cpuid
          • Linear-memory
          • Rflag-specifications
          • Characterizing-undefined-behavior
          • Top-level-memory
          • App-view
            • Linear-memory-in-app-view
          • X86-decoder
          • Physical-memory
          • Decoding-and-spec-utils
          • Instructions
          • Register-readers-and-writers
          • X86-modes
          • Segmentation
          • Other-non-deterministic-computations
          • Environment
          • Paging
        • Implemented-opcodes
        • To-do
        • Proof-utilities
        • Peripherals
        • Model-validation
        • Modelcalls
        • Concrete-simulation-examples
        • Utils
        • Debugging-code-proofs
      • Axe
      • Execloader
    • Math
    • Testing-utilities
  • Machine

App-view

Application-level view of the x86 model

The x86 model can be used in the application-level view when the value of the field app-view is T.

Some supervisor-level features are neither used nor required for the analysis of application software. In most cases, a user cares about the correctness of his application program while assuming that services like paging and I/O operations are provided reliably by the operating system. The application-level view of our model attempts to provide the same environment to an application for reasoning as is provided by an OS for programming. In this mode, our memory model provides the 2^48-byte linear address space specified for modern 64-bit Intel machines.

A 64-bit canonical address can be in either of the two ranges below:

0 to 2^47-1 or 2^64-2^47 to 2^64-1

Note that this address space is 2^48 bytes of memory. So I can use the addresses

0 to 2^47-1

to map the first range, and the addresses

-2^47 to -1

to map the second range.

0 to 2^47-1 | 0 to 2^47-1
2^64-2^47 to 2^64-1 | -2^47 to -1

The advantage of doing so is that we will avoid bignum creation during address computations.

We define some linear memory read and write functions, like rvm08 and wvm08. These functions are called by the top-level functions, like rml08 and wml08 when app-view is true.

The guards of the linear memory functions are stricter than those of memi and !memi, because the latter allow reading from and writing to an address anywhere in the range 0 to 2^52-1, and rvm08 and wvm08 allow reads and writes only to the range 0 to 2^48-1 of physical memory: they take as argument a signed 48-bit integer that represents a canonical address, they convert it to an unsigned 48-bit integer, and they use that to access the mem field. Basically, we're overloading the mem field in x86 --- when app-view is set, mem refers to the linear memory; otherwise, it refers to the physical memory.

Subtopics

Linear-memory-in-app-view
Definition of linear memory accessor and updater functions, used when app-view = T