# Just because you can doesn't mean you should... TypeStates for Increased Driver Correctness **Tyler Potyondy**, Anthony Tarbinian, Leon Schuermann, Eric Mugnier, Adin Ackermann, Amit Levy, Pat Pannuto #### Hello! PhD Student at UC San Diego Involved with Tock since 2023 (~2.5 years) My research centers around making systems secure-by-default (Last weekend in the Sierra's!) ## Rust will fix our problems! **Buffer overflows** Use-After-Free **Data Races** **Uninitialized Accesses** ## Rust will fix our problems! **Buffer overflows** Use-After-Free **Device Protocol Bugs** FFI Bugs <del>Data Races</del> **Uninitialized Accesses** ## What is a device protocol violation? When software issues commands to hardware that violate the hardware specification Specification / reference manual #### RM0461 Reference manual STM32WLEx advanced Arm®-based 32-bit MCUs with sub-GHz radio solution #### Introduction This document is addressed to application developers. It provides complete information on how to use the STM32WLEx microcontrollers memory and peripherals. STM32WLEx MCUs with integrated sub-GHz radio operating in the 150 - 960 MHz ISM band, belong to a family of microcontrollers with different memory sizes, packages and peripherals. For ordering information, mechanical and electrical device characteristics, refer to the corresponding datasheets. For information on the Arm<sup>®</sup> Cortex<sup>®</sup>-M4 core, refer to the corresponding Arm<sup>®</sup> Technical Reference Manuals available on http://infocenter.arm.com. STM32WLEx microcontrollers include ST state-of-the-art patented technology. #### Related documents STM32WLE5xx STM32WLE4xx datasheet (DS13105) For information on the device errata with respect to the datasheet and reference manual, refer to the STM32WLE5xx STM32WLE4xx errata sheet (ES0506). ``` /// An 12C master device. /// An 'NU' instance wraps a 'registers::TWI' together with /// additional data necessary to implement an asynchronous interface. /// additional data necessary to implement an asynchronous interface. /// additional data necessary to implement an asynchronous interface. // amplementations // pregisters: StaticRef<NwRegisters>, client: OptionalCell // slave cleent: OptionalCell // slave cleent: OptionalCell // slave cleent: OptionalCell // slave cleent: OptionalCell // stave cleent: OptionalCell // IZC bus speed. speed ``` ## Why is this challenging? Validity of a given MMIO operation depends on the current hardware state. ## Why is this challenging? Validity of a given MMIO operation depends on the current hardware state. Modern hardware may transition the hardware state without input from the driver. ### Why is this challenging? 9 Validity of a given MMIO operation depends on the current hardware state. Modern hardware may transition the hardware state without input from the driver. - may result in a buggy driver. - 1 at worst, may cause systematic failures (e.g. hanging the system's bus). Q: Can we enforce, <u>at compile time</u>, that the implemented driver will <u>always</u> comply with the developer's hw mental model? Q: Can we enforce, <u>at compile time</u>, that the implemented driver will <u>always</u> comply with the developer's hw mental model? software driver adheres to hardware's specification ## **Key Insight: Software** talks to hardware through a "narrow waist" — memory-mapped I/O ## We present a framework that statically (compile-time) prevents device protocol violations - software driver adheres to hardware's specification i.e., only performs MMIO operations valid for the given hw state Statically eliminate device protocol violations with minimal-to-no overheads in runtime and code size. **TypeStates** DSL #### Outline - Introducing device protocol violations - How do we build drivers today? - TypeState programming - Our System - Evaluation & Closing Thoughts #### DATA WriteOnly 7 6 5 4 3 2 1 0 Byte **STATUS** ReadOnly reserved 7 6 5 4 3 2 1 0 Write a byte to transmit. Bytes are placed in an internal FIFO queue. The UART transmits whenever queue is non-empty and pops entries once sent. **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. (Hypothetical UART Hardware Specification) #### DATA WriteOnly 7 6 5 4 3 2 1 0 Byte Write a byte to transmit. Bytes are placed in an internal FIFO queue. The UART transmits whenever queue is non-empty and pops entries once sent. #### **STATUS** ReadOnly reserved 7 6 5 4 3 2 1 0 **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. (Hypothetical UART Hardware Specification) #### DATA WriteOnly 7 6 5 4 3 2 1 0 Byte STATUS ReadOnly 7 6 5 4 3 2 1 0 reserved E Write a byte to transmit. Bytes are placed in an internal FIFO queue. The UART transmits whenever queue is non-empty and pops entries once sent. **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. QueueNotFull QueueFull (Hypothetical UART Hardware Specification) #### DATA WriteOnly 7 6 5 4 3 2 1 0 Byte **STATUS** ReadOnly 7 6 5 4 3 2 1 0 reserved Write a byte to transmit. Bytes are placed in an internal FIFO queue. The UART transmits whenever queue is non-empty and pops entries once sent. transmission is active. Full indicates when the FIFO transmit queue is full; DATA must not be written Read hardware status. Busy indicates when a when Full is asserted. (Hypothetical UART Hardware Specification) QueueNotFull OueueFull #### DATA WriteOnly 7 6 5 4 3 2 1 0 Byte **STATUS** ReadOnly 7 6 5 4 3 2 1 0 reserved **Write a byte to transmit.** Bytes are placed in an internal FIFO queue. The UART <u>transmits whenever</u> queue is non-empty and pops entries once sent. **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. (write to data reg) QueueNotFull (hw transmits & pops queue) OueueFull (Hypothetical UART Hardware Specification) #### **DATA** WriteOnly 7 6 5 4 3 2 1 0 Byte #### **STATUS** ReadOnly 7 6 5 4 3 2 reserved in **Write a byte to transmit.** Bytes are placed in an internal FIFO queue. The UART <u>transmits whenever</u> queue is non-empty and pops entries once sent. **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. (Hypothetical UART Hardware Specification) #### **DATA** WriteOnly 7 6 5 4 3 2 1 0 Byte #### **STATUS** ReadOnly 7 6 5 4 3 2 reserved In **Write a byte to transmit.** Bytes are placed in an internal FIFO queue. The UART <u>transmits whenever</u> queue is non-empty and pops entries once sent. **Read hardware status.** Busy indicates when a transmission is active. Full indicates when the FIFO transmit queue is full; **DATA** must not be written when Full is asserted. (Hypothetical UART Hardware Specification) (Implemented UART driver – based on our mental model) (Implemented UART driver – based on our mental model) Do you see the bug? (Implemented UART driver – based on our mental model) #### Recall... DATA must not be written when FULL is asserted. #### Do you see the bug? #### **Violate device protocol!** We assume that the hw transmit queue is NOT full when calling this function (Implemented UART driver – based on our mental model) #### Recall... DATA must not be written when FULL is asserted. #### Do you see the bug? ## How might we prevent this bug? Standard approaches for enforcing system properties (generally)... #### **Testing** (only proves the absence of tested bugs). #### **Formal Verification** (challenging; requires domain specific expertise). ## How might we prevent this bug? Standard approaches for enforcing system properties (generally)... #### **Testing** (only proves the absence of tested bugs). #### **TypeState Programming** #### **Formal Verification** (challenging; requires domain specific expertise). #### Outline - Introducing device protocol violations - How do we build drivers today? - TypeState programming - Our System - Evaluation & Closing Thoughts ## A TypeStated Queue Encode system properties into the type-system. ``` 1 struct Full {} // 3 items in queue 2 struct Two {} // 2 items in queue 3 struct One {} // 1 item in queue 4 struct Empty {} // 0 items in queue 5 6 struct Queue<S: State> { 7 queue: [u8; 3] 8 } ``` ## A TypeStated Queue - Encode system properties into the type-system. - Define valid operations as functions on respective type. ``` 1 struct Full {} // 3 items in queue 2 struct Two {} // 2 items in queue 3 struct One {} // 1 item in queue 4 struct Empty {} // 0 items in queue 5 6 struct Queue<S: State> { queue: [u8; 3] 10 impl Queue<Empty> { fn push(self) -> Queue<One> 12 } 14 impl Queue<One> { fn push(self) -> Queue<Two> fn pop(self) -> Queue<Empty> 19 // similar form to Queue<One> 20 impl Queue<Two> { ... } 22 impl Queue<Full> { 23 fn pop(self) -> Queue<Two> ``` (Using typestates to statically enforce a correct implementation for a queue of size 3) ## A TypeStated Queue - Encode system properties into the type-system. - Define valid operations as functions on respective type. - <u>Incorrect usages result in a compilation error!</u> ``` 1 struct Full {} // 3 items in queue 2 struct Two {} // 2 items in queue 3 struct One {} // 1 item in queue 4 struct Empty {} // 0 items in queue 5 6 struct Queue<S: State> { queue: [u8; 3] 10 impl Queue<Empty> { fn push(self) -> Queue<One> 12 } 14 impl Queue<One> { fn push(self) -> Queue<Two> fn pop(self) -> Queue<Empty> 19 // similar form to Queue<One> 20 impl Queue<Two> { ... } 22 impl Queue<Full> { 23 fn pop(self) -> Queue<Two> ``` (Using typestates to statically enforce a correct implementation for a queue of size 3) #### A TypeStated Queue #### Recall from hw spec... The UART transmits whenever queue is non-empty and pops entries once sent. ### Out-of-the-box typestates cannot model this state transition! (Using typestates to *statically enforce a correct implementation for a queue* of size 3) ``` 1 struct Full {} // 3 items in queue 2 struct Two {} // 2 items in queue 3 struct One {} // 1 item in queue 4 struct Empty {} // 0 items in queue 6 struct Queue<S: State> { queue: [u8; 3] impl Queue<Empty> { fn push(self) -> Queue<One> 11 12 } 13 14 impl Queue<One> { fn push(self) -> Queue<Two> fn pop(self) -> Oueue<Empty> 17 } 18 // similar form to Oueue<One> impl Queue<Two> { ... } 21 impl Oueue<Full> { fn pop(self) -> Queue<Two> 24 } ``` #### Outline - Introducing device protocol violations - How do we build drivers today? - TypeState programming - Our System - Evaluation & Closing Thoughts ## We present a framework that statically (at compile time) prevents device protocol violations Achieve device protocol enforcement with <u>minimal to no overheads in</u> <u>runtime and code size.</u> **TypeStates** DSL Primary contribution: Introduce a refinement to type-states and principled approach to model hardware-software concurrency using type-states. Software-initiated - Software-initiated - Hardware-initiated - Software-initiated - Hardware-initiated Categorize hardware states into two mutually exclusive families - transient state - stable state Hw state that <u>can only be</u> exited with a software-initiated state transition. Hw state that <u>can only be</u> exited with a software-initiated state transition. Hw state that <u>can only be</u> exited with a software-initiated state transition. #### **Transient State** - Hw state with <u>at least one</u> hw-initiated state transition. - Transition from transient state without explicit software involvement. Hw state that <u>can only be</u> exited with a software-initiated state transition. #### **Transient State** - Hw state with <u>at least one</u> hw-initiated state transition. - Transition from transient state without explicit software involvement. Stable states can be modeled with out-of-the-box typestates. - Stable states can be modeled with out-of-the-box typestates. - Transient states cause typestates to no longer accurately model hw (violate static invariance). - Stable states can be modeled with out-of-the-box typestates. - Transient states cause typestates to no longer accurately model hw (violate static invariance). Typestates + restrict transient state operations & re-synchronization mechanism - Stable states can be modeled with out-of-the-box typestates. - Transient states cause typestates to no longer accurately model hw (violate static invariance). Typestates + restrict transient state operations & re-synchronization mechanism Careful: Transient states have potential for TOCTOU bugs! (Recall) Key Insight: Software talks to hardware through a "narrow waist" — memory-mapped I/O Annotations for updated UART driver Label states and mark transient states ``` 1 +#[(states=[ QueueReady<Idle>, QueueReady<Busy>(*T*), OueueMaybeFull(*T*) struct UartRegisters { #[attribute(SC(QueueReady<Any>, QueueMaybeFull))] data: WriteOnly<u8, Data::Register>, // No attributes are required for `Status` status: ReadOnly<u8, Status::Register>, 9 + #[attribute(SC(Any, QueueReady<Idle>))] flush: WriteOnly<u8, Flush::Register>, 10 11 + #[attribute(QueueReady<Idle>)] config: ReadWrite<u8m Config::Register>, 12 13 } ``` Annotations for updated UART driver. - Label states and mark transient states - 2. Add constraints to registers ``` 1 +#[(states=[ QueueReady<Idle>, QueueReady<Busy>(*T*), OueueMaybeFull(*T*) 7)7 struct UartRegisters { #[attribute(SC(QueueReady<Any>, QueueMaybeFull))] data: WriteOnly<u8, Data::Register>, // No attributes are required for `Status status: ReadOnly<u8, Status::Register>, #[attribute(SC(Any, QueueReady<Idle>))] flush: WriteOnly<u8, Flush::Register>, 10 11 + #[attribute(QueueReady<Idle>)] config: ReadWrite<u8m Config::Register>, 12 13 } ``` Annotations for updated UART driver. - Label states and mark transient states - 2. Add constraints to registers ``` 1 +#[(states=[ QueueReady<Idle>, 2 + QueueReady<Busy>(*T*), 3 + QueueMaybeFull(*T*) ])] 4 struct UartRegisters { 5 + #[attribute(SC(QueueReady<Any>, QueueMaybeFull))] 6 data: WriteOnly<u8, Data::Register>, 7 // No attributes are required for `Status` 8 status: ReadOnly<u8, Status::Register>, 9 + #[attribute(SC(Any, QueueReady<Idle>))] 10 flush: WriteOnly<u8, Flush::Register>, 11 + #[attribute(QueueReady<Idle>)] 12 config: ReadWrite<u8m Config::Register>, 13 } ``` #### Annotations for updated UART driver. #### Enforce device protocols by constraining MMIO using type-states. ``` 1 // Hardware object made generic over device state. struct UartRegisters<S: State> { data: SCRegisterWO<S, u8>, status: ReadOnly<u8, Status>, reset: SCRegisterWO<S, u8>, config: RWRegister<N, S, u8>, 7 8 // Wrapper around state changing registers. struct SCRegisterWO<S: State, T> { reg: WriteOnly<T>, 11 associated_state: PhantomData<S>, 12 13 } 14 // Wrapper around constrained MMIO. struct RWRegister<N, S: State, T> { reg: ReadWrite<T>, associated_name: PhantomData<N>, 19 associated_state: PhantomData<S>, 20 } 21 // This impl is only generated for S==QueueReady<Idle>, // which enforces config's device protocol invariants. impl <T> RWRegister<Config, QueueReady<Idle>, T> { fn read(&self) -> T {..} 25 fn write(&self, T) {..} 26 19 27 } ``` #### 1. Modified MMIO register struct ``` status: ReadOnly<u8, Status>, reset: SCRegisterWO<S, u8>, config: RWRegister<N, S, u8>, 7 } // Wrapper around state changing registers. struct SCRegisterWO<S: State, T> { reg: WriteOnly<T>, 11 associated_state: PhantomData<S>, 12 13 } 14 // Wrapper around constrained MMIO. struct RWRegister<N, S: State, T> { reg: ReadWrite<T>, associated_name: PhantomData<N>, associated_state: PhantomData<S>, 19 20 } 21 // This impl is only generated for S==QueueReady<Idle>, // which enforces config's device protocol invariants. impl <T> RWRegister<Config, QueueReady<Idle>, T> { fn read(&self) -> T {..} 25 fn write(&self, T) {..} 26 19 27 } ``` Hardware object made generic over device state. struct UartRegisters<S: State> { data: SCRegisterWO<S, u8>, ### Modified MMIO register struct ``` reg: WriteOnly<T>, associated_state: PhantomData<S>, } ``` 7 19 25 26 27 } 20 } 21 // Wrapper around constrained MMIO. struct RWRegister<N, S: State, T> { reg: ReadWrite<T>, associated\_name: PhantomData<N>, associated\_state: PhantomData<S>, // Wrapper around state changing registers. 1 // Hardware object made generic over device state. struct UartRegisters<S: State> { data: SCRegisterWO<S, u8>, status: ReadOnly<u8, Status>, struct SCRegisterWO<S: State, T> { reset: SCRegisterWO<S, u8>, config: RWRegister<N, S, u8>, } // This impl is only generated for S==QueueReady<Idle>, // which enforces config's device protocol invariants. impl <T> RWRegister<Config, QueueReady<Idle>, T> { fn read(&self) -> T {..} fn write(&self, T) {..} 19 - Modified MMIO register struct - Wrap tock registers in type-state ``` data: SCRegisterWO<S, u8>, status: ReadOnly<u8, Status>, reset: SCRegisterWO<S, u8>, ``` 1 // Hardware object made generic over device state. config: RWRegister<N, S, u8>, 7 19 27 } struct UartRegisters<S: State> { - // Wrapper around state changing registers. - struct SCRegisterWO<S: State, T> { reg: WriteOnly<T>, - associated\_state: PhantomData<S>, 13 - // Wrapper around constrained MMIO. struct RWRegister<N, S: State, T> { - reg: **ReadWrite**<T>, associated\_name: **PhantomData**<N>, - associated\_state: **PhantomData**<S>, 20 21 - // This impl is only generated for S==QueueReady<Idle>, // which enforces config's device protocol invariants. - impl <T> RWRegister<Config, QueueReady<Idle>, T> { fn read(&self) -> T {..} 25 fn write(&self, T) {..} 26 - 1. Modified MMIO register struct - 2. Wrap tock registers in type-state - 3. Only define valid transitions ``` status: ReadOnly<u8, Status>, reset: SCRegisterWO<S, u8>, config: RWRegister<N, S, u8>, ``` 7 17 // Wrapper around state changing re struct UartRegisters<S: State> { data: SCRegisterWO<S, u8>, // Wrapper around state changing registers. struct SCRegisterWO<S: State, T> { reg: WriteOnly<T>, 1 // Hardware object made generic over device state. reg: WriteOnly<T>, associated\_state: PhantomData<S>, } // Wrapper around constrained MMIO. struct RWRegister<N, S: State, T> { reg: ReadWrite<T>, associated\_name: PhantomData<N>, associated\_state: PhantomData<S>, // This impl is only generated for S==QueueReady<Idle>, // which enforces config's device protocol invariants. impl <T> RWRegister<Config, QueueReady<Idle>, T> { fn read(&self) -> T {...} fn write(&self, T) {...} } ``` // Driver object holds hardware reference & driver-specific state struct UartDriver { registers: &UartRegisters, registers: MMIOCell<UartStates>, 5 impl UartDriver { pub fn transmit(&self, buf: &[u8]) { for data in buf.iter() { self.registers.data.write(data); while self.registers.status.is_set(Status::FULL) {}; 10 - self.registers.map(|state| { 11 + match state { 12 + 13 + UartStates::QueueReadyIdle(regs) => { 14 + regs.data.write(data).sync_state() 15 + UartStates::QueueReadyBusy(regs) => { 16 + 17 + regs.data.write(data).sync_state() 18 + 19 + UartStates::QueueMaybeFull(regs) => { regs.sync_state() /* no regs.data.write() exists */ 20 + }}}); 21 + 22 }}} ``` ``` Driver object holds hardware reference & driver-specific state struct UartDriver { registers: &UartRegisters, registers: MMIOCell<UartStates>, impl UartDriver { pub fn transmit(&self, buf: &[u8]) { for data in buf.iter() { self.registers.data.write(data); while self.registers.status.is_set(Status::FULL) {}; 10 - self.registers.map(|state| { 11 + match state { 12 + 13 + UartStates::QueueReadyIdle(regs) => { regs.data.write(data).sync_state() 14 + 15 + UartStates::QueueReadyBusy(regs) => { 16 + regs.data.write(data).sync_state() 17 + 18 + 19 + UartStates::QueueMaybeFull(regs) => { regs.sync_state() /* no regs.data.write() exists */ 20 + }}}); 21 + 22 }}} ``` ``` // Driver object holds hardware reference & driver-specific state struct UartDriver { registers: &UartRegisters, registers: MMIOCell<UartStates>, 5 impl UartDriver { pub fn transmit(&self, buf: &[u8]) { for data in buf.iter() { self.registers.data.write(data); while self.registers.status.is_set(Status::FULL) {}; 10 - 11 + self.registers.map(|state| { match state { 12 + 13 + UartStates::QueueReadyIdle(regs) => { regs.data.write(data).sync_state() 14 + 15 + UartStates::QueueReadyBusy(regs) => { 16 + 17 + regs.data.write(data).sync_state() 18 + 19 + UartStates::QueueMaybeFull(regs) => { regs.sync_state() /* no regs.data.write() exists */ 20 + }}}); 21 + 22 }}} ``` ``` // Driver object holds hardware reference & driver-specific state struct UartDriver { registers: &UartRegisters, registers: MMIOCell<UartStates>, impl UartDriver { pub fn transmit(&self, buf: &[u8]) { for data in buf.iter() { self.registers.data.write(data); while self.registers.status.is_set(Status::FULL) {}; 10 - 11 + self.registers.map(|state| { match state { 12 + 13 + UartStates::QueueReadyIdle(regs) => { regs.data.write(data).sync_state() 14 + 15 + UartStates::QueueReadyBusy(regs) => { 16 + 17 + regs.data.write(data).sync_state() 18 + 19 + UartStates::QueueMaybeFull(regs) => { regs.sync_state() /* no regs.data.write() exists = 20 + 21 + }}}); 22 }}} ``` #### Outline - Introducing device protocol violations - How do we build drivers today? - TypeState programming - Our System - Evaluation & Closing Thoughts #### Implementation with TockOS #### What's the catch... - Code size? - Developer effort? - Runtime performance? | Driver | Platform | Binary Size (B) | Diff (B) | Percent Diff | | |---------------------|----------|-----------------|-----------------|--------------|--| | Baseline | Nrf52840 | 218594 | 3 <del>-3</del> | | | | UART | Nrf52840 | 218594 | +0 | 0.00% | | | Temperature Sensor | Nrf52840 | 218594 | +0 | 0.00% | | | IEEE 802.15.4 Radio | Nrf52840 | 218602 | +8 | 0.00% | | | Baseline | STM | 107482 | - | _ | | | TRNG | STM | 107490 | +8 | 0.00% | | | UART | STM | 107490 | +8 | 0.00% | | Code size of total kernel binary image for a baseline kernel image and kernel integrating our system into drivers. #### Our system adds no code size overhead! Our system adds negligible runtime overheads. MacroBenchmark Performance (in CPU cycles). | Driver | States | Original LoC | Annotations | Integration | |-------------------|--------|--------------|-------------|-----------------| | nRF52 UARTE | 5 | 526 | 43 (+) | 492 (+) 110 (-) | | nRF5x Temperature | 2 | 151 | 4 (+) | 53 (+) 17 (-) | | nRF52 15.4 Radio | 8 | 1352 | 33 (+) | 518 (+) 157 (-) | | STM USART | 5 | 743 | 45 (+) | 351 (+) 79 (-) | | STM TRNG | 2 | 159 | 13 (+) | 69 (+) 25 (-) | | xHCI PortSC | 5 | 6748 | 14 (+) | 330 (+) 194 (-) | #### Our system adds some developer overheads (improving the usability is ongoing!) Add SW ACKs to radio driver **July 2023** August 2023 3 possible HW "shortcuts" to enable faster radio TX Add SW ACKs to radio driver **July 2023** August 2023 3 possible HW "shortcuts" to enable faster radio TX Unable to get all 3 working (~2 weeks of development) **July 2023** Add SW ACKs to radio driver August 2023 Integrate our system into 15.4 driver **March 2025** Unable to get all 3 shortcuts working (~2 weeks of development) Add SW ACKs to radio driver Integrate our system into 15.4 driver March 2025 **July 2023** August 2023 Unable to get all 3 shortcuts working (<u>~2 weeks of development</u>) Updated our state machine in DSL to use all 3 TX HW shortcuts Add SW ACKs to radio driver Integrate our system into 15.4 driver March 2025 **July 2023** August 2023 Unable to get all 3 shortcuts working (~2 weeks of development) - Updated our state machine in DSL to use all 3 TX HW shortcuts - Compiler identifies sections of driver that must be updated (errors) Add SW ACKs to radio driver Integrate our system into 15.4 driver July 2023 August 2023 March 2025 Unable to get all 3 shortcuts working (<u>~2 weeks of development</u>) - Updated our state machine in DSL to use all 3 TX HW shortcuts - Compiler identifies sections of driver that must be updated (errors) Updated and working driver in ~2 hours! Add SW ACKs to radio driver Integrate our system into 15.4 driver March 2025 **July 2023** August 2023 Unable to get all 3 shortcuts working (<u>~2 weeks of development</u>) - Updated our state machine in DSL to use all 3 TX HW shortcuts - Compiler identifies sections of driver that must be updated (errors) Updated and working driver in ~2 hours! 50% decrease in driver interrupts; 8% runtime improvement ## Our system statically prevents device protocol violations using typestates. Imposes minimal to no code size and runtime overheads. Crate coming soon! (will be a counterpart to tock-registers)