Christopher Pulte's research while affiliated with University of Cambridge and other places

Publications (15)

Article
Despite significant progress in the verification of hypervisors, operating systems, and compilers, and in verification tooling, there exists a wide gap between the approaches used in verification projects and conventional development of systems software. We see two main challenges in bringing these closer together: verification handling the complex...
Preprint
Full-text available
Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We...
Chapter
Full-text available
Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We...
Chapter
Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (IS...
Preprint
Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some...
Chapter
Computing relies on architecture specifications to decouple hardware and software development. Historically these have been prose documents, with all the problems that entails, but research over the last ten years has developed rigorous and executable-as-test-oracle specifications of mainstream architecture instruction sets and “user-mode” concurre...
Article
Full-text available
Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving...
Article
ARM has a relaxed memory model, previously specified in informal prose for ARMv7 and ARMv8. Over time, and partly due to work building formal semantics for ARM concurrency, it has become clear that some of the complexity of the model is not justified by the potential benefits. In particular, the model was originally non-multicopy-atomic: writes cou...
Conference Paper
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
Article
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
Conference Paper
In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concur...
Conference Paper
In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concur...
Conference Paper
Full-text available
Weakly consistent multiprocessors such as ARM and IBM POWER have been with us for decades, but their subtle programmer-visible concurrency behaviour remains challenging, both to implement and to use; the traditional architecture documentation, with its mix of prose and pseudocode, leaves much unclear. In this paper we show how a precise architectur...

Citations

... Operational semantics furthermore can be divided into those following a microarchitectural style (providing formalizations of the actual hardware architecture) and those trying to abstract from architectures. Most notably, view-based semantics [14,21,31] avoid modelling specific hardware components and instead define the semantics in terms of views of thread on the shared state. Promises [22,24] are employed in operational semantics as a way of capturing out-of-order writes while still executing operations in thread order. ...
... There has been much work on developing axiomatic (declarative) models for memory consistency in parallel systems, at the ISA level [2], [36], [37], the microarchitectural level [12], [16], [38], and the programming language level [19], [39], [40], [41], [42]. There has also been work on constructing equivalent operationalizations for these models, e.g., for Power [2], ARMv8 [10], RA [8], C++ [7], and TSO [18], [9]. ...
... Consequently, integrating general-purpose cores or FPGA units in memory substrates presents significant challenges. Further, programming such systems requires complex instructions that are generally not a part of memory ISAs [184]. ...
... Accordingly, improving the reliability of such systems is a pressing task. In this connection, the theory of memory models [1] is actively developing: specifications of memory models are appearing for processors, for example Intel [2], POWER [3], ARM [4], for programming languages such as C/C++ [5], Java [6,7], LLVM [8], JavaScript [9], and also for the memory models of distributed systems [10][11][12]. Such specifications are known for their complexity, and substantial errors are often found in "pen-and-paper" proofs of their key properties [13,14]. ...
... As explored in recent work [Flur et al. 2017], mixed size guarantees are under-explored, and surprisingly weak on hardware, so Wasm, like JavaScript, picks a maximally weak (but defined) semantics. However, as discussed by [Flur et al. 2017], some hyper-optimised low-level data structures rely on mixed-size consistency guarantees which our model does not currently provide. ...
... There is extensive previous work on "user" relaxed-memory semantics of modern architectures, but very little extending this to cover systems aspects such as virtual memory. We build on the approaches established in "user" models for x86, IBM Power, Arm, and RISC-V, combining executable-as-test-oracle models, discussion with architects, and experimental testing [54,5,7,47,55,53,21,52,46,9,36,31,32,49,65]. ...
... Today, weak memory models exist for a number of different architectures (e.g. TSO [32], PSO and Power [2], ARM [17]) as well as for programming languages (e.g. C11 [8]). ...
... A further key property is that for ordinary relaxed-memory litmus tests which do not involve virtual memory, our model should give the same results as the published Armv8-A [26,49,13] axiomatic memory model. To validate this (and our tools) we test our strong model on an existing library of tests, comparing to reference results from Herd and RMEM [31]. We ran an additional 1927 such litmus tests, which all returned the expected results. ...
... Making relaxed-memory semantics exhaustively executable is essential for exploring their behaviour on examples [67,54,53,20,9,36,66,23,64,49,57]. Handling relaxed virtual memory brings several new challenges. ...
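The litmus-test methodology referred to in the two citations above (checking a model's outcomes on a library of tests against reference results, and making the semantics exhaustively executable so that every allowed outcome can be enumerated) can be illustrated with a small enumerator. The following is an added example, not code from this page or from the cited papers or tools (Herd, RMEM). It exhaustively explores a constructed store-buffering (SB) litmus test under two deliberately simplified, assumed models: sequential consistency, and a TSO-style model with per-thread FIFO store buffers where loads forward from the thread's own buffer and a full fence drains the buffer. The instruction encoding, thread names, and function names are assumptions made for the example.

```python
"""Exhaustive exploration of a litmus test under two toy memory models.

Added example (not from the cited work). Models are simplified assumptions:
  "sc"  : sequential consistency, stores go straight to memory.
  "tso" : each thread has a FIFO store buffer; loads forward from the newest
          matching buffered store; buffers drain nondeterministically; a
          full fence cannot retire until the thread's buffer is empty.
"""
from typing import Dict, List, Set, Tuple

Instr = Tuple
Program = Dict[str, List[Instr]]
Outcome = Tuple[Tuple[str, int], ...]

# Constructed litmus tests in a hypothetical encoding:
#   ("st", addr, value)  store value to addr
#   ("ld", addr, reg)    load addr into register reg
#   ("fence",)           full fence
SB: Program = {
    "P0": [("st", "x", 1), ("ld", "y", "r0")],
    "P1": [("st", "y", 1), ("ld", "x", "r1")],
}
SB_FENCED: Program = {
    "P0": [("st", "x", 1), ("fence",), ("ld", "y", "r0")],
    "P1": [("st", "y", 1), ("fence",), ("ld", "x", "r1")],
}


def explore(test: Program, model: str) -> Set[Outcome]:
    """Return every reachable final register assignment under `model`.

    State = (per-thread pcs, memory, registers, per-thread store buffers).
    All memory locations are initially 0. DFS over the state graph with a
    visited set, so the exploration is exhaustive and terminates.
    """
    assert model in ("sc", "tso"), "unknown model"
    threads = sorted(test)
    start = (tuple(0 for _ in threads), {}, {}, tuple(() for _ in threads))
    seen = set()
    stack = [start]
    outcomes: Set[Outcome] = set()

    while stack:
        pcs, mem, regs, bufs = stack.pop()
        key = (pcs, tuple(sorted(mem.items())), tuple(sorted(regs.items())), bufs)
        if key in seen:
            continue
        seen.add(key)

        finished = all(pc == len(test[t]) for pc, t in zip(pcs, threads))
        if finished and all(not b for b in bufs):
            outcomes.add(tuple(sorted(regs.items())))
            continue

        for i, t in enumerate(threads):
            # Drain the oldest buffered store of thread t (TSO only; SC never buffers).
            if bufs[i]:
                (addr, val), rest = bufs[i][0], bufs[i][1:]
                mem2 = dict(mem)
                mem2[addr] = val
                stack.append((pcs, mem2, regs, bufs[:i] + (rest,) + bufs[i + 1:]))
            if pcs[i] == len(test[t]):
                continue
            ins = test[t][pcs[i]]
            pcs2 = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
            if ins[0] == "st":
                _, addr, val = ins
                if model == "sc":
                    mem2 = dict(mem)
                    mem2[addr] = val
                    stack.append((pcs2, mem2, regs, bufs))
                else:
                    bufs2 = bufs[:i] + (bufs[i] + ((addr, val),),) + bufs[i + 1:]
                    stack.append((pcs2, mem, regs, bufs2))
            elif ins[0] == "ld":
                _, addr, reg = ins
                val = mem.get(addr, 0)
                for baddr, bval in reversed(bufs[i]):  # newest own store wins
                    if baddr == addr:
                        val = bval
                        break
                regs2 = dict(regs)
                regs2[reg] = val
                stack.append((pcs2, mem, regs2, bufs))
            elif ins[0] == "fence":
                if not bufs[i]:  # enabled only once the buffer has drained
                    stack.append((pcs2, mem, regs, bufs))
    return outcomes


def allowed(test: Program, model: str, final: Dict[str, int]) -> bool:
    """True if the final register state `final` is reachable under `model`."""
    return tuple(sorted(final.items())) in explore(test, model)


if __name__ == "__main__":
    for name, prog in (("SB", SB), ("SB+fences", SB_FENCED)):
        for model in ("sc", "tso"):
            print(name, model, sorted(explore(prog, model)))
```

Under the SC model the relaxed outcome r0=0, r1=0 is unreachable for SB; under the TSO-style model it is reachable, and inserting full fences removes it again, which is exactly the kind of per-test comparison a model is validated against. The same enumerator accepts any test in this encoding, so additional shapes (message passing, load buffering) can be checked without changing the model code.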