Shaked Flur
  • University of Cambridge

About

15 Publications
1,991 Reads
557 Citations
Current institution: University of Cambridge

Publications (15)
Preprint
Formal verification of software is a bit of a niche activity: it is only applied to the most safety-critical or security-critical software and it is typically only performed by specialized verification engineers. This paper considers whether it would be possible to increase adoption of formal methods by integrating formal methods with developers' e...
Preprint
Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some...
Chapter
Computing relies on architecture specifications to decouple hardware and software development. Historically these have been prose documents, with all the problems that entails, but research over the last ten years has developed rigorous and executable-as-test-oracle specifications of mainstream architecture instruction sets and “user-mode” concurre...
Article
Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving...
Article
ARM has a relaxed memory model, previously specified in informal prose for ARMv7 and ARMv8. Over time, and partly due to work building formal semantics for ARM concurrency, it has become clear that some of the complexity of the model is not justified by the potential benefits. In particular, the model was originally non-multicopy-atomic: writes cou...
Conference Paper
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
Article
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
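The two mixed-size entries above (the conference paper and the journal article) both start from the observation that once accesses have different widths, one load can return bytes written by several stores, so "reads-from" can no longer be a relation between a load and a single store. The following is an added illustration, not code or a model from those papers: a toy byte-addressed memory under plain sequentially consistent interleaving (no relaxed behaviour at all), with a constructed litmus test in which a 4-byte load overlaps a 4-byte and a 2-byte store. All names (`Memory`, `outcomes`, `multi_source`, the store labels `w32`/`w16`) are the example's own. Even in this simplest setting the per-byte bookkeeping shows a load sourced from two stores; the papers' contribution is making that precise in a relaxed model, which this toy does not attempt.

```python
from itertools import combinations

# Added example (not from the papers listed here): a toy byte-addressed
# memory under sequentially consistent interleaving, used to show why a
# reads-from relation has to be per byte once accesses are mixed-size.
# Store and load widths are in bytes; values are little-endian.

INIT = "init"  # pseudo-store that wrote the initial contents of memory


class Memory:
    def __init__(self, size):
        self.data = [0] * size
        self.writer = [INIT] * size  # name of the store that last wrote each byte

    def store(self, name, addr, value, width):
        for i in range(width):
            self.data[addr + i] = (value >> (8 * i)) & 0xFF
            self.writer[addr + i] = name

    def load(self, addr, width):
        value = sum(self.data[addr + i] << (8 * i) for i in range(width))
        sources = tuple(self.writer[addr + i] for i in range(width))
        return value, sources


def run(ops):
    """Execute one interleaving; return (value, per-byte sources) of the last load."""
    mem = Memory(8)
    result = None
    for op in ops:
        if op[0] == "store":
            _, name, addr, value, width = op
            mem.store(name, addr, value, width)
        else:
            _, addr, width = op
            result = mem.load(addr, width)
    return result


def outcomes(thread0, thread1):
    """Enumerate every interleaving of two threads that keeps each thread's
    program order, and collect the distinct load outcomes."""
    n0, n1 = len(thread0), len(thread1)
    seen = set()
    for slots in combinations(range(n0 + n1), n0):
        ops, i0, i1 = [], 0, 0
        for slot in range(n0 + n1):
            if slot in slots:
                ops.append(thread0[i0])
                i0 += 1
            else:
                ops.append(thread1[i1])
                i1 += 1
        seen.add(run(ops))
    return seen


def multi_source(sources):
    """True when the bytes of one load came from more than one real store."""
    return len({s for s in sources if s != INIT}) > 1


# Constructed litmus test: thread 0 does a 4-byte store to address 0 and
# then a 2-byte store to the same address; thread 1 does a single 4-byte
# load of address 0.
THREAD0 = [("store", "w32", 0, 0xAAAAAAAA, 4), ("store", "w16", 0, 0xBBBB, 2)]
THREAD1 = [("load", 0, 4)]


def mixed_size_outcomes():
    """Outcomes in which the load reads bytes written by two different stores."""
    return {o for o in outcomes(THREAD0, THREAD1) if multi_source(o[1])}


if __name__ == "__main__":
    for value, sources in sorted(outcomes(THREAD0, THREAD1)):
        print(f"r = 0x{value:08x}  bytes from {sources}")
```

Of the three interleavings, the one where the load runs after both stores yields 0xAAAABBBB with its low two bytes from `w16` and its high two from `w32`; a model that insists each load reads from exactly one store cannot even describe that outcome, which is the gap the papers address.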
Conference Paper
In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concur...
Patent
Phase abstraction may be utilized to increase efficiency of model checking techniques. A liveness property may be checked in respect to a phase abstracted model by modifying the liveness property in accordance with the phase abstracted model. A fairness property may be modified to ensure that the fairness property is held by the model checker. A co...
Patent
Augmented-domain simulation, such as ternary-based simulation may be utilized to approximate a reachability analysis of a model being model checked. The approximated reachability analysis may be utilized to detect design redundancies and modify the model to remove such redundancies. Design redundancies may include unobservable variables, mergeable...
Patent
Formal verification of models using concurrent model-reduction and model-checking. For example, a system for formal verification of models includes: one or more model reducers to reduce a model; one or more model checkers to check the model, wherein at least one of the model reducers is to run concurrently with at least one of the model checkers; a...
Conference Paper
Analysis of termination and other liveness properties of an imperative program can be reduced to termination proof synthesis for simple loops, i.e., loops with only variable updates in the loop body. Among simple loops, the subset of Linear Simple Loops (LSLs) is particular interesting because it is common in practice and expressive in theory. Exis...
Article
Standard EDA ABV tools fall short of verifying multiple clock domain systems on chip (MCD SoC), asynchronous systems and Globally Asynchronous Locally Synchronous (GALS) systems. This paper describes a method for verifying asynchronous and multi-clock behavior in such systems using PSL and standard ABV tools. We convert STG (signal transition graph...