This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
When is it safe to omit features in a state machine modeling a hardware device? #841
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
in a state machine modeling a hardware device, but got stuck on turning an `execution` of the extended state machine into an `execution` of the simplified state machine
|
Closing this as it's not needed in the end-to-end proofs that we're currently focusing on, and it's already tracked as a TODO item in #840. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's an attempt (not successful yet) to formalize what I meant in #840 by "omitting features safely": I define a predicate
state_machine_extends SM1 SM2, intended to capture the fact that state machineSM1is an extended (ie, having more features) version of state machineSM2, and that any program proven correct againstSM2would also run correctly on a device implementingSM1.If we do end-to-end proofs, we will not need this: We can just prove the software and hardware against the same state machine and have the state machine, which is an intermediate specification, cancel out.
The reason I still started this experiment is for the case where we prove a bedrock2 program against some state machine, but omit some features in this state machine, and we need to argue why it is safe to omit these features. In any case, this argument will not be carried out in Coq (because if we had actually modeled all features, we could just prove the bedrock2 program against the complete state machine), but I still wanted to try to formally state the notion of "a state machine extends another state machine", and to see if it preserves bedrock2 program logic proofs, so that part of the non-Coq argument could be supported by a Coq proof.
However, I got stuck on details for which I don't quite know whether they are technical details or more fundamental, and since this is not needed for end-to-end proofs, and also not needed if we model hardware devices fully, I decided to stop working on it and just post it here FYI.