diff options
| author | John Wickerson <j.wickerson@imperial.ac.uk> | 2021-04-14 13:38:37 +0000 |
|---|---|---|
| committer | overleaf <overleaf@localhost> | 2021-04-14 13:39:14 +0000 |
| commit | ccc1cd93aa993302b55e6e073cdca9a16c2fa478 (patch) | |
| tree | 1ec8d9978c03d3d03a34ceb039b382e0c56ef6ac /proof.tex | |
| parent | 9dd23d1c135d4663d85c1e274ee4dd510c9cf4f2 (diff) | |
| download | oopsla21_fvhls-ccc1cd93aa993302b55e6e073cdca9a16c2fa478.tar.gz oopsla21_fvhls-ccc1cd93aa993302b55e6e073cdca9a16c2fa478.zip | |
Update on Overleaf.
Diffstat (limited to 'proof.tex')
| -rw-r--r-- | proof.tex | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -173,7 +173,7 @@ The final lemma we need is that the Verilog we generate is deterministic. This r \label{tab:proof_statistics} \end{table*} -The lines of code for the implementation and proof of \vericert{} can be found in Table~\ref{tab:proof_statistics}. Overall, it took about 1 person-year to build \vericert{} -- about two person-months on implementation and ten person-months on proofs. The largest proof is the correctness proof for the HTL generation, which required equivalence proofs between all integer operations supported by \compcert{} and those supported in hardware. From the 3349 lines of proof code in the HTL generation, 1189 are for the correctness proof of just the load and store instructions. These were tedious to prove correct because of the substantial difference between the memory models used, and the need to prove properties such as stores outside of the allocated memory being undefined, so that a finite array could be used. In addition to that, since pointers in HTL and Verilog are represented as integers, whereas there is a separate pointer value in the \compcert{} semantics, it was painful to reason about them and many new theorems had to be proven about integers and pointers in \vericert{}. +The lines of code for the implementation and proof of \vericert{} can be found in Table~\ref{tab:proof_statistics}. Overall, it took about 1 person-year \JW{This still true?} to build \vericert{} -- about two person-months on implementation and ten person-months on proofs. The largest proof is the correctness proof for the HTL generation, which required equivalence proofs between all integer operations supported by \compcert{} and those supported in hardware. From the 3349 lines of proof code in the HTL generation, 1189 are for the correctness proof of just the load and store instructions. These were tedious to prove correct because of the substantial difference between the memory models used, and the need to prove properties such as stores outside of the allocated memory being undefined, so that a finite array could be used. In addition to that, since pointers in HTL and Verilog are represented as integers, whereas there is a separate pointer value in the \compcert{} semantics, it was painful to reason about them and many new theorems had to be proven about integers and pointers in \vericert{}. \JW{Can we include a comment about the size of the trusted base, in case we get that reviewer again?} %%% Local Variables: %%% mode: latex |