First Steps towards the Certification of an ARM Simulator Using Compcert

Shi, Xiaomu; Monin, Jean-François; Tuong, Frédéric; Blanqui, Frédéric

doi:10.1007/978-3-642-25379-9_25

Cited by 5 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The ARM ARM is relatively good in these respects: the pseudocode used is reasonably complete and close to something that could be executed, as least for sequential code (Shi et al build a simulator based on pseudocode extracted from an ARMv7 pdf [24]). We therefore want to follow it closely, both to avoid introducing errors and to keep our definitions readable by engineers who are already familiar with the ARM ARM.…”

Section: Isa Modelmentioning

confidence: 99%

Modelling the ARMv8 architecture, operationally: concurrency and ISA

et al. 2016

View full text Add to dashboard Cite

In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concurrent ARM software and hardware.Establishing such models with high confidence is intrinsically difficult: it involves capturing the vendor's architectural intent, aspects of which (especially for concurrency) have not previously been precisely defined. We therefore first develop a concurrency model with a microarchitectural flavour, abstracting from many hardware implementation concerns but still close to hardwaredesigner intuition. This means it can be discussed in detail with ARM architects. We then develop a more abstract model, better suited for use as an architectural specification, which we prove sound w.r.t. the first.The instruction semantics involves further difficulties, handling the mass of detail and the subtle intensional information required to interface to the concurrency model. We have a novel ISA description language, with a lightweight dependent type system, letting us do both with a rather direct represention of the ARM reference manual instruction descriptions.We build a tool from the combined semantics that lets one explore, either interactively or exhaustively, the full range of architecturally allowed behaviour, for litmus tests and (small) ELF executables. We prove correctness of some optimisations needed for tool performance.We validate the models by discussion with ARM staff, and by comparison against ARM hardware behaviour, for ISA singleinstruction tests and concurrent litmus tests.

show abstract

Section: Isa Modelmentioning

confidence: 99%

Modelling the ARMv8 architecture, operationally: concurrency and ISA

et al. 2016

View full text Add to dashboard Cite

show abstract

“…This has been done for a sequential ARM description by Shi et al [25], from PDF to a model complete enough to boot a kernel and theoremprover definitions in Coq.…”

Section: From Vendor Document To Sailmentioning

confidence: 99%

An integrated concurrency and core-ISA architectural envelope definition, and test oracle, for IBM POWER multiprocessors

Gray

Kerneis

Mulligan

et al. 2015

Proceedings of the 48th International Symposium on Microarchitecture

View full text Add to dashboard Cite

Weakly consistent multiprocessors such as ARM and IBM POWER have been with us for decades, but their subtle programmer-visible concurrency behaviour remains challenging, both to implement and to use; the traditional architecture documentation, with its mix of prose and pseudocode, leaves much unclear.In this paper we show how a precise architectural envelope model for such architectures can be defined, taking IBM POWER as our example. Our model specifies, for an arbitrary test program, the set of all its allowable executions, not just those of some particular implementation. The model integrates an operational concurrency model with an ISA model for the fixedpoint non-vector user-mode instruction set (largely automatically derived from the vendor pseudocode, and expressed in a new ISA description language). The key question is the interface between these two: allowing all the required concurrency behaviour, without overcommitting to some particular microarchitectural implementation, requires a novel abstract structure.Our model is expressed in a mathematically rigorous language that can be automatically translated to an executable test-oracle tool; this lets one either interactively explore or exhaustively compute the set of all allowed behaviours of intricate test cases, to provide a reference for hardware and software development.

show abstract

“…SimSoC-Cert [3,14] aims at certifying the simulator SimSoC, which is a complex hardware simulator written in C and C++. SimSoC is able to simulate various architectures including ARM and SH4 and is efficient enough to run Linux on them at a realistic speed.…”

Section: Application To Simsoc-certmentioning

confidence: 99%

“…The work described here is motivated by an experiment reported in [3,14], called SimSoc-Cert (a certified simulator of Systems on Chips) where we develop proofs of C programs using the operational semantics of a large subset of the C language as defined in the CompCert project [6]. An important characteristic of our framework is the large complexity of the specification, driving us to use powerful features such as higher-order functions, dependent types, modules, not only for convenience, but in order to keep the specification as readable and reusable as possible.…”

Section: Introductionmentioning

confidence: 99%

“…This poses a very serious problem of robustness: updating the inductive relation or even minor modifications in another part of the development may result in a complete renaming inside a proof script, which has then to be debugged line by line. In the previous stage of our work reported in [14], we could perform a proof on a single instruction of the ARM processor. So in theory, everything was solved.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Handcrafted Inversions Made Operational on Operational Semantics

Monin

Shi

2013

Interactive Theorem Proving

Self Cite

View full text Add to dashboard Cite

Abstract. When reasoning on formulas involving large-size inductively defined relations, such as the semantics of a real programming language, many steps require the inversion of a hypothesis. The built-in "inversion" tactic of Coq can then be used, but it suffers from severe controllability, maintenance and efficiency issues, which makes it unusable in practice in large applications.To circumvent this issue, we propose a proof technique based on the combination of an antidiagonal argument and the impredicative encoding of inductive data-structures. We can then encode suitable helper tactics in LTac, yielding scripts which are much shorter (as well as corresponding proof terms) and, more importantly, much more robust against changes in version changes in the background software. This is illustrated on correctness proofs of non-trivial C programs according to the operational semantics of C defined in CompCert.

show abstract

First Steps towards the Certification of an ARM Simulator Using Compcert

Cited by 5 publications

References 7 publications

Modelling the ARMv8 architecture, operationally: concurrency and ISA

Modelling the ARMv8 architecture, operationally: concurrency and ISA

An integrated concurrency and core-ISA architectural envelope definition, and test oracle, for IBM POWER multiprocessors

Handcrafted Inversions Made Operational on Operational Semantics

Contact Info

Product

Resources

About