Christopher Pulte’s research while affiliated with University of Cambridge and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (17)


Fulminate: Testing CN Separation-Logic Specifications in C
  • Article

January 2025

·

1 Read

Proceedings of the ACM on Programming Languages

Rini Banerjee

·

Kayvan Memarian

·

Dhruv Makwana

·

[...]

·

Peter Sewell

Separation logic has become an important tool for formally capturing and reasoning about the ownership patterns of imperative programs, originally for paper proof, and now the foundation for industrial static analyses and multiple proof tools. However, there has been very little work on program testing of separation-logic specifications in concrete execution. At first sight, separation-logic formulas are hard to evaluate in reasonable time, with their implicit quantification over heap splittings, and other explicit existentials. In this paper we observe that a restricted fragment of separation logic, adopted in the CN proof tool to enable predictable proof automation, also has a natural and readable computational interpretation, that makes it practically usable in runtime testing. We discuss various design issues and develop this as a C+CN source to C source translation, Fulminate. This adds checks – including ownership checks and ownership transfer – for C code annotated with CN pre- and post-conditions; we demonstrate this on nontrivial examples, including the allocator from a production hypervisor. We formalise our runtime ownership testing scheme, showing (and proving) how its reified ghost state correctly captures ownership passing, in a semantics for a small C-like language.


Message passing (MP) test for Armv8
Overview of process for checking the allowed executions of a litmus test
Web interface for the tool
Self-modifying code litmus test SM+cachesync-isb
Address translation process

+3

Isla: integrating full-scale ISA semantics and axiomatic concurrency models (extended version)
  • Article
  • Full-text available

May 2023

·

41 Reads

·

2 Citations

Formal Methods in System Design

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k++ lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in the Sail language, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. The symbolic execution engine is valuable also for other verification tasks: it has been used in automated ISA test generation for the Arm Morello prototype architecture, extending Armv8-A with CHERI capabilities, and for Iris program-logic reasoning about binary code above the Armv8-A and RISC-V ISA specifications. By using full-scale and authoritative ISA semantics, Isla lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch and virtual-memory models and examples of Simner et al.

Download

CN: Verifying Systems C Code with Separation-Logic Refinement Types

January 2023

·

24 Reads

·

13 Citations

Proceedings of the ACM on Programming Languages

Despite significant progress in the verification of hypervisors, operating systems, and compilers, and in verification tooling, there exists a wide gap between the approaches used in verification projects and conventional development of systems software. We see two main challenges in bringing these closer together: verification handling the complexity of code and semantics of conventional systems software, and verification usability. We describe an experiment in verification tool design aimed at addressing some aspects of both: we design and implement CN, a separation-logic refinement type system for C systems software, aimed at predictable proof automation, based on a realistic semantics of ISO C. CN reduces refinement typing to decidable propositional logic reasoning, uses first-class resources to support pointer aliasing and pointer arithmetic, features resource inference for iterated separating conjunction, and uses a novel syntactic restriction of ghost variables in specifications to guarantee their successful inference. We implement CN and formalise key aspects of the type system, including a soundness proof of type checking. To demonstrate the usability of CN we use it to verify a substantial component of Google's pKVM hypervisor for Android.


Relaxed virtual memory in Armv8-A

March 2022

·

60 Reads

·

10 Citations

Lecture Notes in Computer Science

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous “user” models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness. This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics.


Figure 1
Figure 5: pKVM.host _ handle _ trap.stage2 _ idmap.l3: forbidden candidate execution
Relaxed virtual memory in Armv8-A (extended version)

March 2022

·

140 Reads

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous "user" models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness. This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics. This document is an extended version of a paper in ESOP 2022, with additional explanation and examples in the main body, and appendices detailing our litmus tests, models, proofs, and test results.


Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

July 2021

·

15 Reads

·

13 Citations

Lecture Notes in Computer Science

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k+ lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in Sail, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications, which should be valuable also for other verification tasks. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. By using full-scale and authoritative ISA semantics, this lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch model and self-modifying code examples of Simner et al.



Repairing and Mechanising the JavaScript Relaxed Memory Model

May 2020

·

18 Reads

Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some key areas. JavaScript chooses to give a well-defined semantics to data-races, unlike the "undefined behaviour" of C/C++11. Moreover, the JavaScript model is mixed-size. This means that its accesses are not to discrete locations, but to (possibly overlapping) ranges of bytes. We show that the model, in violation of the design intention, does not support a compilation scheme to ARMv8 which is used in practice. We propose a correction, which also incorporates a previously proposed fix for a failure of the model to provide Sequential Consistency of Data-Race-Free programs (SC-DRF), an important correctness condition. We use model checking, in Alloy, to generate small counter-examples for these deficiencies, and investigate our correction. To accomplish this, we also develop a mixed-size extension to the existing ARMv8 axiomatic model. Guided by our Alloy experimentation, we mechanise (in Coq) the JavaScript model (corrected and uncorrected), our ARMv8 model, and, for the corrected JavaScript model, a "model-internal" SC-DRF proof and a compilation scheme correctness proof to ARMv8. In addition, we investigate a non-mixed-size subset of the corrected JavaScript model, and give proofs of compilation correctness for this subset to x86-TSO, Power, RISC-V, ARMv7, and (again) ARMv8, via the Intermediate Memory Model (IMM). As a result of our work, the JavaScript standards body (ECMA TC39) will include fixes for both issues in an upcoming edition of the specification.


ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

April 2020

·

85 Reads

·

11 Citations

Lecture Notes in Computer Science

Computing relies on architecture specifications to decouple hardware and software development. Historically these have been prose documents, with all the problems that entails, but research over the last ten years has developed rigorous and executable-as-test-oracle specifications of mainstream architecture instruction sets and “user-mode” concurrency, clarifying architectures and bringing them into the scope of programming-language semantics and verification. However, the system semantics , of instruction-fetch and cache maintenance, exceptions and interrupts, and address translation, remains obscure, leaving us without a solid foundation for verification of security-critical systems software. In this paper we establish a robust model for one aspect of system semantics: instruction fetch and cache maintenance for ARMv8-A. Systems code relies on executing instructions that were written by data writes, e.g. in program loading, dynamic linking, JIT compilation, debugging, and OS configuration, but hardware implementations are often highly optimised, e.g. with instruction caches, linefill buffers, out-of-order fetching, branch prediction, and instruction prefetching, which can affect programmer-observable behaviour. It is essential, both for programming and verification, to abstract from such microarchitectural details as much as possible, but no more. We explore the key architecture design questions with a series of examples, discussed in detail with senior Arm staff; capture the architectural intent in operational and axiomatic semantic models, extending previous work on “user-mode” concurrency; make these models executable as test oracles for small examples; and experimentally validate them against hardware behaviour (finding a bug in one hardware device). We thereby bring these subtle issues into the mathematical domain, clarifying the architecture and enabling future work on system software verification.



Citations (13)


... Specifically, ( ) defines the set of concrete constructs that refine abstraction . The notion of refinement type in the recent works [59,64,65] corresponds to SL predicates in our theory. To emphasize this correspondence and to be intuitive, we introduce the notation ⦂ to abbreviate predicate application ( ), i.e., ⦂ ≜ ( ). ...

Reference:

Generically Automating Separation Logic by Functors, Homomorphisms and Modules
CN: Verifying Systems C Code with Separation-Logic Refinement Types
  • Citing Article
  • January 2023

Proceedings of the ACM on Programming Languages

... We sketch this in an axiomatic model. This is an essential part of the necessary foundation for confidently programming systems code, building on previous work that has clarified 'user' relaxed concurrency [1-3, 6-8, 12, 19, 24-28, 31, 48, 49, 51-53, 55, 58] and complementing recent work on the systems aspects of instruction fetch [57] and virtual memory [4,56]. It helps put processor architecture specifications such as Arm-A on an unambiguous footing, where the allowed behaviour of systems-code idioms can be computed from a precise and executable-as-test-oracle definition of the architecture. ...

Relaxed virtual memory in Armv8-A

Lecture Notes in Computer Science

... • We develop an axiomatic model for Arm-A precise exceptions ( §5). We extend Isla [12] to support both ISA and relaxed-memory concurrency aspects of exceptions, and we use it to evaluate the axiomatic model on tests. • We identify and discuss the substantial open problem of what it means for exceptions to be precise in relaxed setting ( §6). ...

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models
  • Citing Chapter
  • July 2021

Lecture Notes in Computer Science

... In these cases, split-RW hurt the optimality and thus incurred considerable overhead. [23,24] chase-lev An implementation of the Chase-Lev deque adapted from [23,24] dq An implementation of the Chase-Lev deque adapted from [25] linuxrwlocks A reader-writer lock ported from the Linux kernel adapted from [23,24] mcs spinlock An implementation of the MCS lock extracted from the Linux kernel [17] mpmc-queue A multiple-producer multiple-consumer queue adapted from [23,24] ms-queue An implementation of the Michael-Scott queue adapted from [23,24] qspinlock Queued spinlocks (1.2 KLOC) extracted from the Linux kernel [17] qu An implementation of the Michael-Scott queue adapted from [25] seqlock Sequential locks (1.0 KLOC) extracted from the Linux kernel [17] stc An implementation of the Treiber stack adapted from [25] * The race detection was disabled because of intentionally racy non-atomic accesses. ...

Promising-ARM/RISC-V: a simpler and faster operational concurrency model
  • Citing Conference Paper
  • June 2019

... The implication of language consistency models was only later identified, facing along with informal prose, the non-trivial effects on compilation [27], [7], [17], [33], [14]. Earlier criticisms of Java were primarily based on informal/unclear specifications that were hard to understand, naturally leading to most JVMs violating them [28]. ...

Repairing and mechanising the JavaScript relaxed memory model
  • Citing Conference Paper
  • June 2020

... We sketch this in an axiomatic model. This is an essential part of the necessary foundation for confidently programming systems code, building on previous work that has clarified 'user' relaxed concurrency [1-3, 6-8, 12, 19, 24-28, 31, 48, 49, 51-53, 55, 58] and complementing recent work on the systems aspects of instruction fetch [57] and virtual memory [4,56]. It helps put processor architecture specifications such as Arm-A on an unambiguous footing, where the allowed behaviour of systems-code idioms can be computed from a precise and executable-as-test-oracle definition of the architecture. ...

ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Lecture Notes in Computer Science

... Muitas metodologias de teste acabaram se tornando proprietárias e muito específicas da implementação [Jones et al. 1995]. Apesar de esforços na direção de generalização [Sawada 2000, Bertran et al. 2012, Schubert et al. 2018, Bruns et al. 2023, uma nova geração de trabalhos só se tornou visível com o advento de arquiteturas e implementações abertas em larga escala, especialmente proporcionadas pela arquitetura RISC-V [Armstrong et al. 2019, Herdt et al. 2020, bem como geradores auxiliados por IA [Orenes-Vera et al. 2023]. ...

ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS

Proceedings of the ACM on Programming Languages

... One can visualise the state of a single core abstractly as a tree of partially and completely executed instances, as in Fig. 1 (top). Abstract-microarchitectural operational models use this abstraction [24,25,28,49,51,52]. We depict the retired (committed) FDX instances as solid dark green, and partially/tentatively executed in-flight instances as light green. ...

Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8
  • Citing Article
  • December 2017

Proceedings of the ACM on Programming Languages

... As explored in recent work [Flur et al. 2017], mixed size guarantees are under-explored, and surprisingly weak on hardware, so Wasm, like JavaScript, picks a maximally weak (but defined) semantics. However, as discussed by [Flur et al. 2017], some hyper-optimised low-level data structures rely on mixed-size consistency guarantees which our model does not currently provide. ...

Mixed-size concurrency: ARM, POWER, C/C++11, and SC
  • Citing Article
  • May 2017

ACM SIGPLAN Notices

... There is extensive previous work on "user" relaxed-memory semantics of modern architectures, but very little extending this to cover systems aspects such as virtual memory. We build on the approaches established in "user" models for x86, IBM Power, Arm, and RISC-V, combining executable-as-test-oracle models, discussion with architects, and experimental testing [54,5,7,47,55,53,21,52,46,9,36,31,32,49,65]. ...

Mixed-size concurrency: ARM, POWER, C/C++11, and SC
  • Citing Conference Paper
  • May 2017

ACM SIGPLAN Notices