Modelling the CPU State

Before diving into the details of a theorem, we briefly review how the RISC-V CPU is currently modelled in the above transpilation. At the centre of the modelling decision is the SailM Monad.

The Sail Monad

SailM is the monad that all transpiled RISC-V instructions live in. Under the hood, it leverages Lean's built-in error-state monad, with the error and state types defined below. Note that EStateM ε σ α is just a function σ → Result ε σ α that takes a state and returns either .ok value newState or .error e newState.¹ So what it really models is the step function of a single fetch-decode-execute cycle.

pure v constructs an EStateM computation that, when run, always returns .ok v s — it cannot error, the value is v, and the state s passes through unchanged.

See the official EStateM documentation for further details.

The Sail library defines a generic version called PreSailM, leaving the register types, choice source, and user-exception type as parameters:

479abbrev PreSailM (RegisterType : Register → Type) (c : ChoiceSource) (ue : Type) :=
480  EStateM (Error ue) (SequentialState RegisterType c)

SailM is just PreSailM instantiated with the RISC-V RegisterType, trivialChoiceSource, and exception:

1928abbrev SailM := EStateM (Error exception) SailState

State

26abbrev SailState := SequentialState RegisterType trivialChoiceSource

SequentialState is the full machine state from the Sail model. It is parameterised by a function RegisterType : Register → Type and a ChoiceSource:

467structure SequentialState (RegisterType : Register → Type) (c : ChoiceSource) where
468  regs : Std.ExtDHashMap Register RegisterType
469  choiceState : c.α
470  mem : Std.ExtHashMap Nat (BitVec 8)
471  tags : Unit
472  cycleCount : Nat
473  sailOutput : Array String

The regs field models the register file of the CPU. It is modelled in Lean as an Std.ExtDHashMap Register RegisterType — a hash map where the keys are of type Register and the value type depends on the key. That is, if the key is k : Register, the corresponding value has type RegisterType k. This is what makes it a dependent hash map rather than an ordinary one.

Register is an inductive with ~180 variants — one for every named register in the RISC-V spec:

1526inductive Register : Type where
1527  | hart_state
1528  | satp
1529  | PC
1530  | nextPC
1531  | x1 | x2 | x3 | ... | x31   -- general-purpose registers
1532  -- ... CSRs, vector registers, debug state, ~170 variants total ...

RegisterType is the function that tells the hash map what the type of the value is for each key:

1708abbrev RegisterType : Register → Type
1709  | .hart_state => HartState
1710  | .mhpmcounter => (Vector (BitVec 64) 32)
1711  | .tlb => (Vector (Option TLB_Entry) (2 ^ 6))
1712  | .PC => (BitVec 64)
1713  | .x1 => (BitVec 64)   -- all x1–x31 map to BitVec 64
1714  | .x2 => (BitVec 64)
1715  -- ...

So regs[.PC] has type RegisterType .PC = BitVec 64, while regs[.tlb] has type RegisterType .tlb = Vector (Option TLB_Entry) (2 ^ 6). Each register gets exactly the type it needs.

The mem field models byte-addressable memory as a hash map from Nat addresses to BitVec 8 bytes. The second parameter c : ChoiceSource provides a way to pick default values for primitive types when the spec needs to make a choice:

291structure ChoiceSource where
292  (α : Type)
293  (nextState : Primitive → α → α)
294  (choose : ∀ p : Primitive, α → p.reflect)

296def trivialChoiceSource : ChoiceSource where
297  α := Unit
298  nextState _ _ := ()
299  choose p _ :=
300    match p with
301    | .bool => false
302    | .bit => 0
303    | .int => 0
304    | .nat => 0
305    | .string => ""
306    | .fin _ => 0
307    | .bitvector _ => 0

We use trivialChoiceSource, which returns zeros, false, and empty strings for everything.

Errors

These are all the error variants. Error is from the Sail library:

351inductive Error (ue : Type) where
352  | Exit
353  | Unreachable
354  | OutOfMemoryRange (n : Nat)
355  | Assertion (s : String)
356  | User (e : ue)

The User constructor wraps a user-exception type ue, which is instantiated with exception from the RISC-V model:

87inductive exception where
88  | Error_not_implemented (_ : String)
89  | Error_internal_error (_ : String)
90  | Error_reserved_behavior (_ : String)

Execution Results

1464inductive ExecutionResult where
1465  | Retire_Success (_ : Unit)
1466  | ExecuteAs (_ : instruction)
1467  | Enter_Wait (_ : WaitReason)
1468  | Illegal_Instruction (_ : Unit)
1469  | Virtual_Instruction (_ : Unit)
1470  | Trap (_ : (Privilege × ctl_result × xlenbits))
1471  | Memory_Exception (_ : (virtaddr × ExceptionType))
1472  | Ext_CSR_Check_Failure (_ : Unit)
1473  | Ext_ControlAddr_Check_Failure (_ : ext_control_addr_error)
1474  | Ext_DataAddr_Check_Failure (_ : ext_data_addr_error)
1475  | Ext_XRET_Priv_Failure (_ : Unit)

In the happy path, instructions return RETIRE_SUCCESS (which is Retire_Success ()).

Register Indices

31inductive regidx where
32  | Regidx (_ : BitVec 5)

A 5-bit index into the 32 general-purpose RISC-V registers.

Jolt Monad

Jolt has virtual registers that are not present in the above state definition. So to model Jolt state we just define SailJoltState which is the Sail state with extra virtual registers:

29structure SailJoltState where
30  sail : SailState
31  vregs : BitVec 7 → BitVec 64 := fun _ => 0

35abbrev JoltMonad (α : Type) := EStateM (Error exception) SailJoltState α

Finally the Jolt Monad is just the same as SailM but with SailJoltState as state instead of SailState.

Helpers

Below are some helpers that we use to relate the Jolt Monad and the Sail Monad.

`liftSail`

liftSail takes a SailM α computation and runs it as a JoltMonad α computation:

63def liftSail (m : SailM α) : JoltMonad α := fun js =>
64  match m js.sail with
65  | .ok a ss' => .ok a { js with sail := ss' }
66  | .error e ss' => .error e { js with sail := ss' }

It takes the current SailJoltState (js), extracts the Sail state (js.sail), and runs the Sail computation m on it — m js.sail is direct function application, the same as m.run js.sail. Then it pattern matches on the result:

.ok a ss' — the computation succeeded with value a and new Sail state ss'. It rebuilds the SailJoltState by updating the sail field with ss' while keeping vregs unchanged.
.error e ss' — same, but propagates the error.

In other words, liftSail lets Jolt reuse Sail instructions directly — it runs them on the embedded Sail state and leaves the virtual registers untouched.

`projectResult`

projectResult strips the Jolt-specific state from an EStateM.Result, keeping only the SailState component:

53def projectResult (r : EStateM.Result (Error exception) SailJoltState α) :
54    EStateM.Result (Error exception) SailState α :=
55  match r with
56  | .ok a js' => .ok a (project js')
57  | .error e js' => .error e (project js')

It pattern matches on the result — whether .ok or .error — and replaces the SailJoltState with just project js' (i.e. js'.sail), discarding the virtual registers.