Skip to content

Testable Models for SIMD Intrinsics #423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Testable Models for SIMD Intrinsics #423

wants to merge 8 commits into from

Conversation

karthikbhargavan
Copy link

@karthikbhargavan karthikbhargavan commented Jul 25, 2025
edited
Loading

Solution to challenge 15, resolves #173.

This PR provides testable models for core::arch intrinsics, including abstractions to streamline the process of implementing these intrinsics and their tests.

Currently there are 384 x86 intrinsics modelled, and 181 aarch64 intrinsics modelled.

The methodology for writing the models is decribed in testable-simd-models/README.md.
First, we model the SIMD types as bitvectors that can be converted to and from arrays of machine integers.
Then, we model the raw operations on these types as functions over bitvectors, while keeping as much code as possible unchanged from the Rust code in rust-lang/stdarch/crates/core_arch.
Finally, we write tests (using a generic macro) to compare the behaviour of our models with the corresponding intrinsic implementations in Rust core.

Interestingly, in the process of modeling these intrinsivcs, we found bugs in the implementation of two intrinsics, _mm256_bsrli_epi128 and _mm512_bsrli_epi128. These bugs were fixed by our PR in the 2025-06-30 version of the library. In a small way, this shows off the impact of writing testable models of the SIMD intrinsics.

The model of intrinsics defined here is also used as the basis of formal proofs of Rust programs that use intrinsics. In particular, the libcrux cryptographic library uses these models in its proofs of the post-quantum cryptographic algorithms.

As next steps, we intend to extend these testable models to a larger subset of core (beyond SIMD) and then translate these Rust models to models in F*, Rocq, and Lean, to enable proofs using our models in these backends. This work is being done as part of the hax project.

The work in this PR was primarily done by Aniket Mishra, under the supervision of Karthikeyan Bhargavan and Maxime Buyse at Cryspen.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@karthikbhargavan karthikbhargavan requested a review from a team as a code owner July 25, 2025 13:59
@karthikbhargavan karthikbhargavan mentioned this pull request Jul 25, 2025
Closed
@tautschnig
Copy link
Member

Thank you very much! I am yet to read the full PR, but can you please explain how the testing is actually done (as also required by the challenge spec)? I see there is a test.sh script, but I don't see it being invoked anywhere.

tautschnig
tautschnig reviewed Jul 25, 2025
View reviewed changes
@karthikbhargavan
Copy link
Author

Thanks for the quick comments. We will do another pass on this PR in the next few days.

@karthikbhargavan
Make models closer to upstream core (#3)
22385cc 
* Provided more detailed description for how to model and test intrinsics
* Restored static asserts which were in the upstream code
* Switched the use of u64 back to u32 to make it closer to upstream
* Defined functions like `transpose` to reduce visual diffs
@karthikbhargavan
Merge branch 'main' into main
41d930b
tautschnig
tautschnig reviewed Aug 1, 2025
View reviewed changes
Copy link
Member

@tautschnig tautschnig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the documentation updates, this is really helpful. Some more comments below, but also one larger request: please include a CI job so that those tests that you created are actually run in our CI.

This was referenced Aug 19, 2025
Closed
Merged
maximebuyse and others added 2 commits September 2, 2025 11:35
@maximebuyse @karthikbhargavan
Address review comments (added seed for RNG, improved README)
adeb400 
* Add ci job for simd models tests, with logging of rng seed.

* Fix testable simd models CI job.

* Use LAzyLock instead of lazy_static.

* edited readme

* revert to working neon intrinsics

---------

Co-authored-by: karthikbhargavan <[email protected]>
@karthikbhargavan
Merge branch 'main' into main
c8cc7ff
@feliperodri
Copy link

@karthikbhargavan could you solve the compilation failures to pass CI tests?

@feliperodri feliperodri removed their assignment Sep 9, 2025
tautschnig
tautschnig requested changes Sep 10, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tautschnig tautschnig tautschnig approved these changes

Assignees

@feliperodri feliperodri

@thanhnguyen-aws thanhnguyen-aws

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Challenge 15: High-Assurance SIMD Intrinsics for Rust
5 participants
@karthikbhargavan @tautschnig @feliperodri @thanhnguyen-aws @maximebuyse