# Technical Design: VM The content of this section is largely copied from the Valida [Working ISA Spec](https://github.com/valida-xyz/valida-compiler/issues/2). This is a work in progress. ### Architecture A Valida zkVM consists of a CPU and several coprocessors, which are connected with communication buses. A basic example of a machine layout, omitting some standard chips for simplicity, would be

Communication buses are implemented in permutation arguments (either grand product or multi-set checks), and may be multiplexed for efficiency when only one of a subset of buses will be used in a given cycle. There are multiple VM configurations. The "Core" configuration is always present, and provides instructions for basic control flow and memory access. Additional configurations, such as "Field Arithmetic" or "Additional Jump" build upon the core configuration and offer additional instructions. #### Instruction format Instructions are encoded in groups of 6 field elements. The first element in the group contains the opcode, followed by three elements representing the operands and two immediate value flags: $$\text{opcode}, \text{op}\_a$$, $$\text{op}\_b$$, $$\text{op}\_c$$, $$\text{imm}\_b$$, $$\text{imm}\_c$$. #### Program ROM Our VM operates under the Harvard architecture, where program code is stored separately from main memory. Code is addressed by any field element, starting from $$0$$. The program counter `pc` stores the location (a field element) of the instruction that is being executed. #### Memory Memory is comprised of word-addressable cells. A given cell contains 4 field elements, each of which are typically used to store a single byte (arbitrary field elements can also be stored). All core and ALU-related instructions operate on cells (i.e. any operand address is word aligned -- a multiple of 4). In the VM compiler, the address of newly added local variables in the stack is word aligned. For example, a U32 is represented in memory by its byte decomposition (4 elements). To initialize a U32 from an immediate value, we use the `SETL16` instruction (see the complete instruction list below), which sets the first two bytes in memory. To initialize a U32 value greater than 16 bits, we can also call the `SETH16` instruction to set the upper two bytes. #### Immediate Values Our VM cannot represent operand values that are greater than the prime $$p$$, and cannot distinguish between $$0$$ and $$p$$. Therefore, any immediate values greater than or equal to $$p$$ need to be expanded into smaller values. #### Registers Our zkVM does not operate on general purpose registers. Instead, instructions refer to variables local to the call frame, i.e. relative to the current frame pointer `fp`. #### Notation The following notation is used throughout this document: **Operand values**: `opa`, `opb`, `opc` denote the value encoded in the operand a, b, or c of the current instruction. **CPU registers**: `fp`, `pc` denote the value of the current frame pointer and program counter, respectively. **Relative addressing**: `[a]` denote the cell value at address `a` offset from `fp`, i.e. `fp + a`. Variables local to the call frame are denoted in this form. *Note that we are omitting `fp` in the expression here*, but that the first dereference of an operand is always relative to the frame pointer. **Absolute addressing:** `[[a]]` denotes the cell value at absolute address `[a]`. Heap-allocated values are denoted in this form. To refer to relative or absolute element values, we use the notation $$\[a]*\text{elem}$$ or $$\[\[a]]*\text{elem}$$ respectively. ### Instruction list Each instruction contains 5 field element operands, $$a, b, c, d, e$$. Often, $$d$$ and $$e$$ are binary flags indicating whther operands $$a$$ and $$b$$ are immediate values or relative offets. Listed below are the instructions offered in each configuration. #### Core | Mnemonic | Operands(asm) | Description | | -------------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **LW** / **LOAD32** | `a(fp), c(fp)` | Follow the pointer stored at offset $$c$$ from the current frame pointer and write the next 4 byte values to those beginning at offset a. Operand $$b$$ is unused, but is constrained to $$\[c]$$ in the trace. LOAD32 is used to load 4 bytes from the heap, and is aligned (i.e. the address at offset $$c$$ is assumed to be a multiple of $$4$$). | | **SW** / **STORE32** | `b(fp), c(fp)` | Write the 4 byte values beginning at the address stored at offset $$c$$ to those beginning at offset $$b$$. Operand $$a$$ is unused, but is constrained to $$\[c]$$ in the trace. STORE32 is used to write 4 bytes to the heap, and is aligned. | | **LOADFP** | `a(fp), b` | Load the value of *fp* + *b* into local stack variable at offset *a*. | | **JAL** | `a(fp), b, c` | Jump to address and link: Store the $$pc+1$$ to local stack variable at offset $$a$$, then set $$pc$$ to field element $$b$$. Set $$fp$$ to $$fp + c$$. | | **JALV** | `a(fp), b(fp), c(fp)` | Jump to variable and link: Store the $$pc+1$$ to local stack variable at offset $$a$$, then set $$pc$$ to the field element $$\[b]\_{elem}$$. Set $$fp$$ to fp+$$\[c]$$. | | **BEQ** | `a, b(fp), c(fp)` | If $$\[b] = \[c]$$, then set the program counter $$\text{pc}$$ to $$a$$ | | **BEQI** | `a, b(fp), c` | If $$\[b] = c$$, then set the program counter $$\text{pc}$$ to $$a$$ | | **BNE** | `a, b(fp), c(fp)` | If $$\[b] \neq \[c]$$, then set the program counter $$\text{pc}$$ to $$a$$ | | **BNEI** | `a, b(fp), c` | If $$\[b] \neq c$$, then set the program counter $$\text{pc}$$ to $$a$$ | | **IMM32** | `a(fp), b, c, d, e` | Write the immediate values $$b, c, d, e$$ to the cell located at offset $$a$$. | | **STOP** | No operands | Halt the program. | | **FAIL** | No operands | Halt the program with exit code 1. | | **READ\_ADVICE** | `a(fp)` | Read the next byte on the input tape into the cell located at offset *a*. | #### Field arithmetic | Mnemonic | Operands(asm) | Description | | ------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **FEADD** | `a(fp), b(fp), c(fp)` | $$d$$ and $$e$$ are a flags denoting whether $$a$$ and $$b$$ are interpreted as an immediate or offset. Let $$A = a$$ if $$d = 1$$ and $$\[a]*{elem}$$ otherwise. Let $$B = b$$ if $$e = 1$$ and $$\[b]*{elem}$$ otherwise. The instruction compute $$A + B$$, and write the result to offset $$c$$ | | **FEMUL** | `a(fp), b(fp), c(fp)` | $$d$$ and $$e$$ are a flags denoting whether $$a$$ and $$b$$ are interpreted as an immediate or offset. Let $$A = a$$ if $$d = 1$$ and $$\[a]*{elem}$$ otherwise. Let $$B = b$$ if $$e = 1$$ and $$\[b]*{elem}$$ otherwise. The instruction compute $$A \cdot B$$, and write the result to offset $$c$$ | | **TO\_FE** | `a(fp), b(fp)` | Convert an U32, represented by 4 field elements starting at offset b, to a field element stored to the first field element at offset $$a$$. $$a$$ is assumed to be a multiple of $$4$$. | | **FROM\_FE** | `a(fp), b(fp)` | Convert a field element $$\[b]\_{elem}$$ to an U32 stored at offset a, which is assumed to be a multiple of $$4$$. | Note that field arithmetic instructions only operate on the first element in a cell, which represents a field element instead of a single byte. #### U32 Arithmetic | Mnemonic | Operands(asm) | Description | | ------------ | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **ADD** | `a(fp), b(fp), c(fp)` | Compute the unchecked addition of the U32 values at cell offsets $$b$$ and $$c$$ and write the sum to cell offset $$a$$. Note that because a full 32-bit value does not fit within one field element, we assume that values have been decomposed into 4 8-byte elements. The summed output is stored at cell offset $$a$$. The same limb decomposition is used for the other U32 operations listed below. | | **ADDI** | `a(fp), b(fp), c` | Compute the unchecked addition of the U32 variable at cell offsets $$b$$ and an immediate $$c$$, and write the sum to cell offset $$a$$. | | **SUB** | `a(fp), b(fp), c(fp)` | Unchecked subtraction | | **SUBI** | `a(fp), b(fp), c` | Unchecked subtraction | | **MUL** | `a(fp), b(fp), c(fp)` | Unchecked multiplication | | **MULI** | `a(fp), b(fp), c` | Unchecked multiplication | | **MULHU** | `a(fp), b(fp), c(fp)` | High bits of unsigned multiplication | | **MULHUI** | `a(fp), b(fp), c` | High bits of unsigned multiplication | | **MULHS** | `a(fp), b(fp), c(fp)` | High bits of signed multiplication | | **MULHSI** | `a(fp), b(fp), c` | High bits of signed multiplication | | **DIV** | `a(fp), b(fp), c(fp)` | Unsigned division | | **DIVI** | `a(fp), b(fp), c` | Unsigned division | | **SDIV** | `a(fp), b(fp), c(fp)` | Signed division | | **SDIVI** | `a(fp), b(fp), c` | Signed division | | **SH{L,R}** | `a(fp), b(fp), c(fp)` | Bitwise shift \[b] left/right by \[c] and write to offset $$a$$. | | **SH{L,R}I** | `a(fp), b(fp), c` | Bitwise shift \[b] left/right by *c* and write to offset $$a$$. | | **SRA** | `a(fp), b(fp), c(fp)` | Arithmetic shift b right by \[*c*] and write to offset $$a$$. | | **SRAI** | `a(fp), b(fp), c` | Arithmetic shift b right by c and write to offset $$a$$ | | **LT** | `a(fp), b(fp), c(fp)` | Set local variable $$a$$ to $$1$$ if $$\[b] < \[c]$$ and $$0$$ otherwise. Uses unsigned comparison. | | **LTI** | `a(fp), b(fp), c` | Set local variable $$a$$ to $$1$$ if $$\[b] < c$$ and $$0$$ otherwise. Uses unsigned comparison. | | **NE** | `a(fp), b(fp), c(fp)` | Set local variable *a* to 0 if \[*b*] = \[*c*] and 1 otherwise. | | **NEI** | `a(fp), b(fp), c` | Set local variable *a* to 0 if \[*b*] = *c* and 1 otherwise. | | **EQ** | `a(fp), b(fp), c(fp)` | Set local variable *a* to 1 if \[*b*] = \[*c*] and 0 otherwise. | | **EQI** | `a(fp), b(fp), c` | Set local variable *a* to 1 if \[*b*] = *c* and 0 otherwise. | #### Bitwise | Mnemonic | Operands(asm) | Description | | -------- | --------------------- | --------------------------------------------- | | **AND** | `a(fp), b(fp), c(fp)` | Set $$\[a]$$ to $$\[b]$$ bitwise-and $$\[c]$$ | | **ANDI** | `a(fp), b(fp), c` | Set $$\[a]$$ to $$\[b]$$ bitwise-and *c* | | **OR** | `a(fp), b(fp), c(fp)` | Set $$\[a]$$ to $$\[b]$$ bitwise-or $$\[c]$$ | | **ORI** | `a(fp), b(fp), c` | Set $$\[a]$$ to $$\[b]$$ bitwise-or *c* | | **XOR** | `a(fp), b(fp), c(fp)` | Set $$\[a]$$ to $$\[b]$$ bitwise-xor $$\[c]$$ | | **XORI** | `a(fp), b(fp), c` | Set $$\[a]$$ to $$\[b]$$ bitwise-xor *c* | #### Output | Mnemonic | Operands(asm) | Description | | --------- | ------------- | --------------------------------- | | **WRITE** | `b(fp)` | Write byte $$\[b]$$ to the output | #### Byte Manipulation **Note**: These will not be supported in the initial version. | Instruction | Operands(asm) | | | ----------- | -------------- | --------------------------------------------------------------------------------------------------------- | | **LOAD8** | `a(fp), b(fp)` | Load a byte at the address specified by local variable at offset $$b$$ to local variable at offset $$a$$. | | **STORE8** | `b(fp), c(fp)` | Store a byte encoded at offset $$c$$ to the address encoded in offset $$b$$ | | **STORE8I** | `b(fp), c` | Store a byte encoded in the field element $$c$$ to the address encoded in offset $$b$$ | ### Heap allocation Notes: * Fixed configurable stack size (e.g. 8MB), growing in opposite direction of the heap. * Allocate-only malloc (no de-allocation using `free`) ### Assembly #### Instructions We will closely follow RISC-V assembly, making modifications as necessary. The most important difference between our zkVM assembly and RV32IM is that instead of registers `x0-31`, we only have two special-purpose registers `fp` and `pc`. However, we have (up to $$2^{31}-1$$) local variables, addressed relative to the current frame point `fp`. #### Calling convention / stack frame | Stack (grows downwards, i.e. address decreases from top row to bottom row) | | -------------------------------------------------------------------------- | | Arg 2 | | Arg 1 | | Return FP offset | | Return value | | Return address | | Local 1 **(<- Current fp)** | | Local 2 | | ... | | Local N | We follow the RISC-V convention and grow the stack downwards. For a function call, the arguments are pushed onto the stack in reverse order. **We only allow statically sized allocation on the stack**, unlike traditional architectures where `alloca` can be used to allocate dynamically. All dynamic allocation will be compiled to heap allocations. We have a special-purpose register dedicated to holding the frame pointer, but not a special-purpose register dedicated to holding the stack pointer. Note that: * Functions arguments are stored at fp+16, fp+20, ... * Return FP offset (the value to add to FP to get to the value of FP before the call) is stored at fp+12 * Return value is stored at fp+8 * Return address is stored at fp+4 * Local variables are stored at fp, fp-4, fp-8, ... #### Pseudo instructions | Pseudo Instruction | Instruction | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | | call label | `jal 0(fp), -b, label; addifp b`, where b is size of the current stack frame plus the call frame size for instantiate a call to lable | | ret | `jalv 4(fp), 0(fp), 12(fp)`, set pc to \[fp] where the return address is stored | #### Implementing MEMCPY/SET/MOVE Memcpy will require roughly 2 cycles per word. We can follow [this memcpy implementation on RISC-V](https://github.com/westerndigitalcorporation/RISC-V-Linux/blob/master/linux/arch/riscv/lib/memcpy.S). #### Heap allocations #### Example programs **Multiply stored immediates and return** ```llvm= define i32 @main() { %1 = alloca i32, align 4 %2 = alloca i32, align 4 %3 = alloca i32, align 4 store i32 24, i32* %1, align 4 store i32 7, i32* %2, align 4 %4 = load i32, i32* %1, align 4 %5 = load i32, i32* %2, align 4 %6 = mul nsw i32 %4, %5 store i32 %6, i32* %3, align 4 %7 = load i32, i32* %1, align 4 ret i32 %7 } ``` ```assembly= main: sub -4(fp), 0(fp), 0(fp) # Setup the 0 local variable at fp - 4 add -8(fp), -4(fp), 24, # Set [fp - 8] to 24 add -12(fp), -4(fp), 7, # Set [fp - 12] to 7 mul -16(fp), 8(fp), 12(fp) # Set [fp - 16] to 24 * 7 add 4(fp), -8(fp), 0 # Set return value at [fp + 4] to [fp - 8] ret ``` **Multiply arguments and return** ```llvm= define i32 @main() { %1 = alloca i32, align 4 store i32 0, i32* %1, align 4 %2 = call i32 @mul(i32 938253, i32 7) ret i32 %2 } define i32 @mul2(i32 %0, i32 %1) { %3 = alloca i32, align 4 %4 = alloca i32, align 4 store i32 %0, i32* %3, align 4 store i32 %1, i32* %4, align 4 %5 = load i32, i32* %3, align 4 %6 = load i32, i32* %4, align 4 %7 = mul nsw i32 %5, %6 ret i32 %7 } ``` ```c= main: imm32 -4(fp), 938253 imm32 -8(fp), 7 call mul2 # call translates to # jal 0(fp), -16, mul2 " store pc + 1 to [fp], add -16 to fp, set pc to mul2 # addifp 16 ret mul2: mul 4(fp), 8(fp), 12(fp) ret ``` The stack at the time of executing `mul` inside `mul` (line 11) looks like: | Stack | | --------------------------------------- | | .. **(<- fp of main)** | | 7 | | 938253 | | 0 (before mul2) -> 6567771 (after mul2) | | main:7 **(<- fp of mul2)** | ### Trace #### Main CPU | Columns | Configuration | Description | | ------------------ | ------------- | ------------------------------------------------------------------- | | $$\text{clk}$$ | Core | Clock cycle | | $$\text{pc}$$ | Core | Program counter | | $$\text{fp}$$ | Core | Frame pointer | | $$\text{opcode}$$ | Core | Instruction opcode | | $$\text{op}\_a$$ | Core | Operand $$a$$ | | $$\text{op}\_b$$ | Core | Operand $$b$$ | | $$\text{op}\_c$$ | Core | Operand $$c$$ | | $$\text{op}\_d$$ | Core | Operand $$d$$, flag for if $$\text{op}\_a$$ is immediate or offset. | | $$\text{op}\_e$$ | Core | Operand $$e$$, flag for if $$\text{op}\_b$$ is immediate or offset. | | $$\text{addr}\_a$$ | Core | $$\text{fp} + \text{op}\_a$$ (if $$\text{op}\_d$$ is not set) | | $$\text{addr}\_b$$ | Core | $$\text{fp} + \text{op}\_b$$ (if $$\text{op}\_e$$ is not set) | | $$\text{addr}\_c$$ | Core | $$\text{fp} + \text{op}\_c$$ | Columns $$\text{opcode}, \text{op}\_a, \text{op}\_b, \text{op}\_c, \text{op}\_d, \text{op}\_e$$ are specified by the program code (see the "Instruction Trace" section below). Trace cells are also allocated to hold buffered read memory values for $$\text{addr}\_a$$ and $$\text{addr}\_b$$, and buffered write values for $$\text{addr}\_c$$. We read and write 4 elements from memory at a time to the main trace. These elements are only constrained when the immediate value flags are not set (see the "Instruction Decoding" section below): | Cell | Configuration | Description | | ------------ | ------------- | ------------------------------------- | | $$v\_{a,0}$$ | Core | $$\[\text{addr}*a]*\text{elem}$$ | | $$v\_{a,1}$$ | Core | $$\[\text{addr}*a+1]*\text{elem}$$ | | $$v\_{a,2}$$ | Core | $$\[\text{addr}*a+2]*\text{elem}$$ | | $$v\_{a,3}$$ | Core | $$\[\text{addr}*a+3]*\text{elem}$$ | | $$v\_{b,0}$$ | Core | $$\[\text{addr}*b]*\text{elem}$$ | | $$v\_{b,1}$$ | Core | $$\[\text{addr}*b+1]*\text{elem}$$ | | $$v\_{b,2}$$ | Core | $$\[\text{addr}*b+2]*\text{elem}$$ | | $$v\_{b,3}$$ | Core | $$\[\text{addr}*b+3]*\text{elem}$$ | | $$v\_{c,0}$$ | Core | Value written to $$\text{addr}\_c$$ | | $$v\_{c,1}$$ | Core | Value written to $$\text{addr}\_c+1$$ | | $$v\_{c,2}$$ | Core | Value written to $$\text{addr}\_c+2$$ | | $$v\_{c,3}$$ | Core | Value written to $$\text{addr}\_c+3$$ | #### Memory | Cell | Description | | ----------------- | -------------------------------------------------------- | | $$\text{addr}$$ | Address | | $$\text{clk}$$ | Clock cycle | | $$\text{val}\_0$$ | Value 0 | | $$\text{val}\_1$$ | Value 1 | | $$\text{val}\_2$$ | Value 2 | | $$\text{val}\_3$$ | Value 3 | | $$d\_0$$ | Lower 16 bits of $$\text{clk}'-\text{clk}-1$$ | | $$d\_1$$ | Upper 16 bits of $$\text{clk}'-\text{clk}-1$$ | | $$t$$ | Nondeterministic inverse of $$\text{addr}'-\text{addr}$$ | The memory table is sorted by ($$\text{addr}, \text{clk}$$) #### U32 Arithmetic TODO: Replace this trace table and associated constraints with more efficient nondeterministic methods | Cell | Description | | -------------------------- | --------------------------------------------------------------------------------------- | | $$\text{clk}$$ | Clock cycle | | $$s\_\text{instr}$$ | Requested instruction (constrained by communication bus) | | $$s\_\text{add}$$ | Selector flag for addition | | $$s\_\text{sub}$$ | Selector flag for subtraction | | $$s\_\text{mul}$$ | Selector flag for multiplication | | $$s\_\text{div}$$ | Selector flag for division | | $$s\_\text{checked\_add}$$ | Selector flag for checked addition (requires $$s\_\text{add}$$ to be set as well) | | $$s\_\text{checked\_mul}$$ | Selector flag for checked multiplication (requires $$s\_\text{mul}$$ to be set as well) | | $$a$$ | Address of input 1 | | $$b$$ | Address of input 2 | | $$c$$ | Address of output | | $$a\_0$$ | Input 1 (12-bit limb) | | $$a\_1$$ | Input 1 (12-bit limb) | | $$a\_2$$ | Input 1 (12-bit limb) | | $$b\_0$$ | Input 2 (12-bit limb) | | $$b\_1$$ | Input 2 (12-bit limb) | | $$b\_2$$ | Input 2 (12-bit limb) | | $$c\_0$$ | Output (12-bit limb) | | $$c\_1$$ | Output (12-bit limb) | | $$c\_2$$ | Output (12-bit limb) | | $$c\_3$$ | Output (12-bit limb) | | $$c\_4$$ | Output (12-bit limb) | There are also 5 helper value cells: $$h\_0$$ through $$h\_{4}$$. #### Instruction Trace Each instruction is encoded as 6 field elements **Core** | Mnemonic | Operands(asm) | Encoded | | -------------------- | ----------------- | ---------------------------------------------------------- | | **LW** / **LOAD32** | `a(fp), c(fp)` | $$\text{OP}\_{LW}$$, $$a$$, \_, $$c$$, $$0$$, $$0$$ | | **SW** / **STORE32** | `b(fp), c(fp)` | $$\text{OP}\_{SW}$$, \_, $$b$$, $$c$$, $$0$$, $$0$$ | | **JAL** | `a(fp), b, c` | $$\text{OP}\_{jump}$$, $$a$$, $$b$$, $$c$$, $$1$$, $$1$$ | | **JALV** | `a(fp), b(fp), c` | $$\text{OP}\_{jump}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$1$$ | | **BEQ** | `a, b(fp), c(fp)` | $$\text{OP}\_{branch}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **BEQI** | `a, b(fp), c` | $$\text{OP}\_{branch}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$1$$ | | **BNE** | `a, b(fp), c(fp)` | $$\text{OP}\_{branch}$$, $$a$$, $$b$$, $$c$$, $$1$$, $$0$$ | | **BNEI** | `a, b(fp), c` | $$\text{OP}\_{branch}$$, $$a$$, $$b$$, $$c$$, $$1$$, $$1$$ | | **IMM32** | `a, b, c, d, e` | $$\text{OP}\_{IMM}$$, $$a$$, $$b$$, $$c$$, $$d$$, $$e$$ | | **READ\_ADVICE** | `a(fp)` | OP\_{READ\_ADVICE}, *a*, 0, 0, 0, 0 | | **STOP** | No operands | OP\_STOP, 0, 0, 0, 0, 0 | | **FAIL** | No operands | OP\_FAIL, 0, 0, 0, 0, 0 | | **LOADFP** | `a(fp), b` | OP\_LOADFP, *a*, *b*, 0, 0, 0 | **Field arithmetic** | Mnemonic | Operands(asm) | Encoded | | ------------ | --------------------- | ------------------------------------------------- | | **FEADD** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{FEADD}$$, $$a$$, $$b$$, $$c$$, 0, 0 | | **FEADDI** | `a(fp), b(fp), c` | $$\text{OP}\_{FEADD}$$, $$a$$, $$b$$, $$c$$, 0, 1 | | **FEMUL** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{FEMUL}$$, $$a$$, $$b$$, $$c$$, 0, 0 | | **FEMULI** | `a(fp), b(fp), c` | OP\_FEMULI, *a, b, c,* 0, 1 | | **TO\_FE** | `a(fp), b(fp)` | OP\_{TO\_FE}, a, b, 0, 0, 0 | | **FROM\_FE** | `a(fp), b(fp)` | OP\_{FROM\_FE}, a, b, 0, 0, 0 | **U32 Arithmetic** | Mnemonic | Operands(asm) | Encoded | | ------------ | --------------------- | ------------------------------------------------------------- | | **ADD** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{ADD}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **ADDI** | `a(fp), b(fp), c` | $$\text{OP}\_{ADD}$$, $$a$$, $$b$$, $$c\_0$$, $$1$$, $$c\_1$$ | | **SUB** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{SUB}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **SUBI** | `a(fp), b(fp), c` | $$\text{OP}\_{SUB}$$, $$a$$, $$b$$, $$c\_1$$, $$1$$, $$c\_2$$ | | **MUL** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{MUL}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **MULI** | `a(fp), b(fp), c` | $$\text{OP}\_{MUL}$$, $$a$$, $$b$$, $$c\_1$$, $$1$$, $$c\_2$$ | | **DIV** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{MUL}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **SH{L,R}** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{SHIFT}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **SH{L,R}I** | `a(fp), b(fp), c` | $$\text{OP}\_{SHIFT}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$1$$ | | **ISH{L,R}** | `a(fp), b, c(fp)` | $$\text{OP}\_{SHIFT}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$1$$ | | **SLT** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{SLT}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$0$$ | | **SLT** | `a(fp), b(fp), c` | $$\text{OP}\_{SLT}$$, $$a$$, $$b$$, $$c$$, $$0$$, $$1$$ | #### Bitwise | Mnemonic | Operands(asm) | Encoded | | -------- | --------------------- | ---------------------------------------------------- | | **AND** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{AND}$$, $$a$$, $$b$$, $$c$$, $$0$$, \_ | | **OR** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{OR}$$, $$a$$, $$b$$, $$c$$, $$0$$, \_ | | **XOR** | `a(fp), b(fp), c(fp)` | $$\text{OP}\_{XOR}$$, $$a$$, $$b$$, $$c$$, $$0$$, \_ | #### Instruction decoding Trace cells are also allocated for each selector. In each cycle, the opcode is decoded into selector flags, including but not limited to the following, which are grouped by type (not configuration) below for convenience. All flags are binary values, except for the instruction code. **Instruction code** | Selector | Configuration | Description | | ------------------- | ------------- | ---------------- | | $$s\_\text{instr}$$ | Core | Instruction code | **Operand modifiers** | Selector | Configuration | Description | | ---------------------- | ------------- | -------------------------------------------------------------------------------------------- | | $$s\_{\text{imm}\_a}$$ | Core | Immediate value flag for operand $$a$$ ($$0$$ denotes offset, $$1$$ denotes immediate value) | | $$s\_{\text{imm}\_b}$$ | Core | Immediate value flag for operand $$b$$ ($$0$$ denotes offset, $$1$$ denotes immediate value) | **Field arithmetic** | Selector | Configuration | Description | | ----------------- | ---------------- | -------------- | | $$s\_\text{add}$$ | Field Arithmetic | Addition | | $$s\_\text{mul}$$ | Field Arithmetic | Multiplication | **Memory** | Selector | Configuration | Description | | --------------------- | ------------- | ------------------------------------ | | $$s\_\text{store32}$$ | Core | Store 4 bytes at at a memory address | | $$s\_\text{load32}$$ | Core | Load 4 bytes from a memory address | | $$s\_\text{store8}$$ | Core | Store a byte at a memory address | | $$s\_\text{load8}$$ | Core | Load a byte from a memory address | **Call** | Selector | Configuration | Description | | ------------------ | ------------- | ------------------------ | | $$s\_\text{call}$$ | Core | Update the frame pointer | **Jumps** | Selector | Configuration | Description | | ----------------------- | ---------------- | ---------------------------------- | | $$s\_\text{jump\_eq}$$ | Core | Jump equal flag | | $$s\_\text{jump\_neq}$$ | Additional Jumps | Jump not equal flag | | $$s\_\text{jump\_ge}$$ | Additional Jumps | Jump greater than or equal to flag | | $$s\_\text{jump\_lt}$$ | Additional Jumps | Jump less than flag | **U32 arithmetic** | Selector | Configuration | Description | | ------------------------------- | -------------- | ----------- | | $$s\_\text{u32\_add}$$ | U32 Arithmetic | | | $$s\_\text{u32\_sub}$$ | U32 Arithmetic | | | $$s\_\text{u32\_mul}$$ | U32 Arithmetic | | | $$s\_\text{u32\_div}$$ | U32 Arithmetic | | | $$s\_\text{u32\_checked\_add}$$ | U32 Arithmetic | | | $$s\_\text{u32\_checked\_mul}$$ | U32 Arithmetic | | **Binary operations** | Selector | Configuration | Description | | -------------------------- | ------------- | ----------- | | $$s\_\text{bitwise\_and}$$ | Bitwise | | | $$s\_\text{bitwise\_or}$$ | Bitwise | | | $$s\_\text{bitwise\_xor}$$ | Bitwise | | ### Design notes #### Frontend target We are writing a [compiler](https://github.com/lita-xyz/valida-toolchain/tree/main/llvm-valida) from LLVM IR to our ISA. #### ZK stack This is a STARK-based zkVM. We are using [Plonky3](https://github.com/Plonky3/Plonky3) to implement the polynomial IOP and PCS. #### Field choice We plan to use the 32-bit field defined by `p = 2^31 - 1`, which should give very good performance on GPUs or with most vector instruction sets. #### Registers Our VM has no general purpose registers, since memory is cheap. #### Memory We will use a conventional R/W memory. #### Tables The CPU can do up to three memory operations per cycle, to support binary operations involving two reads and one write. If we used a single-trace model, we could support this by adding columns for 6 memory operations in each row of our trace: 3 for the chronological memory log and 3 for the `(address, timestamp)` ordered memory log. Instead, we make the memory a separate table (i.e. a separate STARK which gets connected with a permutation argument). We also use multi-table support to implement other coprocessors that are wasteful to include in the main CPU, as their operations may not be used during most cycles (e.g. Keccak). #### Continuations TODO: Explain the permutation-based continuation implementation. #### Lookups Initially, we will support lookups only against prover-supplied tables. The main use case is range checks. To perform a 16-bit range check, for example, we would have the prover send a table containing `[0 .. 2^16 - 1]` in order. (If the trace was not already 2^16, we would pad it. If it was longer than 2^16, the prover would include some duplicates.) We would then use constraints to enforce that this table starts at 0, ends at 2^16 - 1, and increments by 0 or 1. Preprocessed tables can also be useful, particularly for bitwise operations like xor. However, we will not support them initially because they require non-succinct preprocessing. #### Floating point arithmetic Fast floating point arithmetic doesn't seem important for our anticipated use cases, so we do not plan to support compiling source programs which use floating point primitives.