ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS

Armstrong, Alasdair; Bauereiss, Thomas; Campbell, B. K.; Reid, Alastair; Gray, Kathryn E.; Norton, Robert M.; Mundkur, Prashanth; Wassell, Mark P.; French, Jon; Pulte, Christopher; Flur, Shaked; Stark, Ian; Krishnaswami, Neel; Sewell, Peter

doi:10.1145/3290384

Cited by 76 publications

(45 citation statements)

References 51 publications

(56 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fox and Myreen (2010) developed formal specifications (semantics) of the ISA for ARMv7 in HOL4. Armstrong et al (2019) later used a domain-specific language to provide ISA specifications for Isabelle/HOL, HOL4, and Coq for the ARMv8, RISC-V, and CHERI-MIPS architectures. Morrisett et al (2012) modeled a subset of the x86 ISA in Coq, and used it to build a verified checker for a sandbox policy.…”

Section: Proof Engineering For Program Verificationmentioning

confidence: 99%

QED at Large: A Survey of Engineering of Formally Verified Software

Ringer

Palmskog

Sergey

et al. 2019

FNT in Programming Languages

View full text Add to dashboard Cite

Development of formal proofs of correctness of programs can increase actual and perceived reliability and facilitate better understanding of program specifications and their underlying assumptions. Tools supporting such development have been available for over 40 years, but have only recently seen wide practical use. Projects based on construction of machine-checked formal proofs are now reaching an unprecedented scale, comparable to large software projects, which leads to new challenges in proof development and maintenance. Despite its increasing importance, the field of proof engineering is seldom considered in its own right; related theories, techniques, and tools span many fields and venues. This survey of the literature presents a holistic understanding of proof engineering for program correctness, covering impact in practice, foundations, proof automation, proof organization, and practical proof development.

show abstract

Section: Proof Engineering For Program Verificationmentioning

confidence: 99%

QED at Large: A Survey of Engineering of Formally Verified Software

Ringer

Palmskog

Sergey

et al. 2019

FNT in Programming Languages

View full text Add to dashboard Cite

show abstract

“…Secondly, while the Coq model formalises the small imperative language, the executable model integrates definitions for user-mode ARMv8 and RISC-V instructions, meaning it needs logic for computing the views of loads and stores of the ISA definitions [13,22]. (Like Flat, our Sail model does not yet include ARM's weaker load acquire LDAPR introduced in ARMv8.3.…”

Section: Executable Toolmentioning

confidence: 99%

“…In contrast to Flat, this model executes an instruction in a single step and -except early writes -in order, and does not speculate branches. The exploration tool integrates models for large parts of the user-mode ARMv8 [22] and RISC-V [13] ISAs written in Sail [13,24] (the same as those used by Flat). This provides a significant advantage over the axiomatic models that do not include a substantial ISA model.…”

Section: Introductionmentioning

confidence: 99%

Promising-ARM/RISC-V: a simpler and faster operational concurrency model

Pulte

Pichon-Pharabod

Kang

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

For ARMv8 and RISC-V, there are concurrency models in two styles, extensionally equivalent: axiomatic models, expressing the concurrency semantics in terms of global properties of complete executions; and operational models, that compute incrementally. The latter are in an abstract microarchitectural style: they execute each instruction in multiple steps, out-of-order and with explicit branch speculation. This similarity to hardware implementations has been important in developing the models and in establishing confidence, but involves complexity that, for programming and modelchecking, one would prefer to avoid.We present new more abstract operational models for ARMv8 and RISC-V, and an exploration tool based on them. The models compute the allowed concurrency behaviours incrementally based on thread-local conditions and are significantly simpler than the existing operational models: executing instructions in a single step and (with the exception of early writes) in program order, and without branch speculation. We prove the models equivalent to the existing ARMv8 and RISC-V axiomatic models in Coq. The exploration tool is the first such tool for ARMv8 and RISC-V fast enough for exhaustively checking the concurrency behaviour of a number of interesting examples. We demonstrate using the tool for checking several standard concurrent datastructure and lock implementations, and for interactively stepping through model-allowed executions for debugging.

show abstract

“…This is chiefly a problem of scale: modern industrial architectures such as Arm or x86 have large instruction sets, and each instruction involves many details, including its behaviour at different privilege levels, virtual-to-physical address translation, and so on -a single Arm instruction might involve hundreds of auxiliary functions. Recent work by Reid et al within Arm [40,41,42] transitioned their internal ISA description into a mechanised form, used both for documentation and testing, and with him we automatically translated this into publicly available Sail definitions and thence into theorem-prover definitions [11,10]. Other related work is in §7.…”

Section: Introductionmentioning

confidence: 99%

“…We make the operational model executable as a test oracle by integrating it into the RMEM tool and its web interface [17], introducing optimisations that make it possible to exhaustively execute the examples. We make the axiomatic model executable as a test oracle with a new tool that takes litmus tests and uses a Sail [11] definition of a fragment of the ARMv8-A ISA to generate SMT problems for the model. We then compare hardware and the two models for the handwritten tests (modulo two tests not supported by the axiomatic checker), compare hardware and the operational model on a suite of 1456 tests, automatically generated with an extension of the diy tool [3], and check the operational and axiomatic models against sets of previous non-ifetch tests.…”

Section: Introductionmentioning

confidence: 99%

ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Simner

Flur

Pulte

et al. 2020

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Computing relies on architecture specifications to decouple hardware and software development. Historically these have been prose documents, with all the problems that entails, but research over the last ten years has developed rigorous and executable-as-test-oracle specifications of mainstream architecture instruction sets and "user-mode" concurrency, clarifying architectures and bringing them into the scope of programming-language semantics and verification. However, the system semantics, of instruction-fetch and cache maintenance, exceptions and interrupts, and address translation, remains obscure, leaving us without a solid foundation for verification of security-critical systems software. In this paper we establish a robust model for one aspect of system semantics: instruction fetch and cache maintenance for ARMv8-A. Systems code relies on executing instructions that were written by data writes, e.g. in program loading, dynamic linking, JIT compilation, debugging, and OS configuration, but hardware implementations are often highly optimised, e.g. with instruction caches, linefill buffers, out-of-order fetching, branch prediction, and instruction prefetching, which can affect programmer-observable behaviour. It is essential, both for programming and verification, to abstract from such microarchitectural details as much as possible, but no more. We explore the key architecture design questions with a series of examples, discussed in detail with senior Arm staff; capture the architectural intent in operational and axiomatic semantic models, extending previous work on "user-mode" concurrency; make these models executable as test oracles for small examples; and experimentally validate them against hardware behaviour (finding a bug in one hardware device). We thereby bring these subtle issues into the mathematical domain, clarifying the architecture and enabling future work on system software verification.

show abstract

ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS

Cited by 76 publications

References 51 publications

QED at Large: A Survey of Engineering of Formally Verified Software

QED at Large: A Survey of Engineering of Formally Verified Software

Promising-ARM/RISC-V: a simpler and faster operational concurrency model

ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Contact Info

Product

Resources

About