ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Simner, Ben; Flur, Shaked; Pulte, Christopher; Armstrong, Alasdair; Pichon-Pharabod, Jean; Maranget, Luc; Sewell, Peter

doi:10.1007/978-3-030-44914-8_23

Cited by 12 publications

(16 citation statements)

References 38 publications

(73 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By handling the full authoritative Armv8-A ISA, we automatically support litmus tests that use arbitrary instructions, and we enable research on systems concurrency, with high confidence that the ISA follows the vendor specification. We demonstrate this by applying our tool to the model and examples for self-modifying code by Simner et al [27], and our integration has also identified several places where the ISA specification needs modifications to correctly give the intended behaviour in a concurrent setting, e.g. to remove or enforce additional ordering.…”

Section: Introductionmentioning

confidence: 84%

“…For the instruction-semantics part of such a tool, the most direct approach would be to translate the ISA semantics (for the instructions that occur in a litmus test) directly into SMT and combine that with the axiomaticmodel constraints, roughly along the lines of Alglave et al [3]. That approach was followed by Simner et al [27], who compiled Sail directly into SMT to test an axiomatic model for instruction-fetch tests, but using a small handwritten Arm fragment, rather than the full Sail model derived from the Arm-internal model. The problem with this direct approach is one of scale: as one covers more of the Arm semantics, the resulting SMT problem simply becomes too large to be practicable.…”

Section: Methodsmentioning

confidence: 99%

“…As mentioned previously, one advantage of our tool is that, because it supports the full sequential ISA, it enables easy experimentation with tests and models [27]. Consider the litmus test in Fig.…”

Section: System Litmus Testsmentioning

confidence: 99%

“…cam.ac.uk and https://github.com/rems-project/isla. An extended version of the paper [11], available at https://www.cl.cam.ac.uk/~pes20/isla/, includes appendices showing the main parts of the full Sail/ASL semantics of a sample Armv8-A instruction (add x4, x3, #1); the Armv8-A axiomatic concurrency model (combining the official Arm specification for user concurrency [9,13] with the additions for instruction fetch semantics by Simner et al [27]); and examples of the latter.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Armstrong,

Campbell,

Simner

et al. 2021

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k+ lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in Sail, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications, which should be valuable also for other verification tasks. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. By using full-scale and authoritative ISA semantics, this lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch model and self-modifying code examples of Simner et al.

show abstract

Section: Introductionmentioning

confidence: 84%

Section: Methodsmentioning

confidence: 99%

Section: System Litmus Testsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Armstrong,

Campbell,

Simner

et al. 2021

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

show abstract

“…Researches have been made to improve the ARM/Thumb instruction set architecture [5]- [27]. However, little attentions have been paid to the extension of specific modes such as addressing mode and sign/zero extension for the ARM instruction architectures.…”

Section: Introductionmentioning

confidence: 99%

Addressing Mode and Bit Extensions to the Thumb-2 Instruction Set Architecture

Kim¹

2021

EJECE

View full text Add to dashboard Cite

Thumb-2 is the most recent instruction set architecture for ARM processors which are one of the most widely used embedded processors. In this paper, two extensions are proposed to improve the performance of the Thumb-2 instruction set architecture, which are addressing mode extensions and sign/zero extensions combined with data processing instructions. To speed up access to an element of an aggregated data, the proposed approach first introduces three new addressing modes for load and store instructions. They are register-plus-immediate offset addressing mode, negative register offset addressing mode, and post-increment register offset addressing mode. Register-plus-immediate offset addressing mode permits two offsets and negative register offset allows offset to be a negative value of a register content. Post-increment register offset mode automatically modifies the offset address after the memory operation. The second is the sign/zero extension combined with a data processing instruction which allows the result of a data processing operation to be sign/zero extended to accelerate a type conversion. Several least frequently used instructions are reduced to provide the encoding space for the new extensions. Experiments show that the proposed approach improves performance by an average of 8.6% when compared to the Thumb-2 instruction set architecture.

show abstract

Relaxed virtual memory in Armv8-A

Simner

Armstrong

Pichon-Pharabod

et al. 2022

Programming Languages and Systems

View full text Add to dashboard Cite

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions.We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous “user” models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness.This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics.

show abstract

ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Cited by 12 publications

References 38 publications

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Addressing Mode and Bit Extensions to the Thumb-2 Instruction Set Architecture

Relaxed virtual memory in Armv8-A

Contact Info

Product

Resources

About