Christopher Pulte's research while affiliated with University of Cambridge and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
Publications (15)
Despite significant progress in the verification of hypervisors, operating systems, and compilers, and in verification tooling, there exists a wide gap between the approaches used in verification projects and conventional development of systems software. We see two main challenges in bringing these closer together: verification handling the complex...
Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We...
Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions.
We...
Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (IS...
Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some...
Computing relies on architecture specifications to decouple hardware and software development. Historically these have been prose documents, with all the problems that entails, but research over the last ten years has developed rigorous and executable-as-test-oracle specifications of mainstream architecture instruction sets and “user-mode” concurre...
Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving...
ARM has a relaxed memory model, previously specified in informal prose for ARMv7 and ARMv8. Over time, and partly due to work building formal semantics for ARM concurrency, it has become clear that some of the complexity of the model is not justified by the potential benefits. In particular, the model was originally non-multicopy-atomic: writes cou...
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for softwar...
In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concur...
In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concur...
Weakly consistent multiprocessors such as ARM and IBM POWER have been with us for decades, but their subtle programmer-visible concurrency behaviour remains challenging, both to implement and to use; the traditional architecture documentation, with its mix of prose and pseudocode, leaves much unclear.
In this paper we show how a precise architectur...
Citations
... Operational semantics furthermore can be divided into those following a microarchitectural style (providing formalizations of the actual hardware architecture) and those trying to abstract from architectures. Most notably, view-based semantics [14,21,31] avoid modelling specific hardware components and instead define the semantics in terms of views of thread on the shared state. Promises [22,24] are employed in operational semantics as a way of capturing out-of-order writes while still executing operations in thread order. ...
... There has been much work on developing axiomatic (declarative) models for memory consistency in parallel systems, at the ISA level [2], [36], [37], the microarchitectural level [12], [16], [38], and the programming language level [19], [39], [40], [41], [42]. There has also been work on constructing equivalent operationalizations for these models, e.g., for Power [2], ARMv8 [10], RA [8], C++ [7], and TSO [18], [9]. ...
... Consequently, integrating generalpurpose cores or FPGA units in memory substrates presents significant challenges. Further, programming such systems requires complex instructions that are generally not a part of memory ISAs [184]. ...
... Соответственно, актуальной задачей является повышение надежности таких систем. В связи с этим активно развивается теория моделей памяти [1]: появляются спецификации моделей памяти процессоров, например, Intel [2], POWER [3], ARM [4], языков программирования C/C++ [5], Java [6,7], LLVM [8], JavaScript [9], а также моделей памяти распределенных систем [10][11][12]. Подобные спецификации известны своей сложностью, а в доказательствах их ключевых свойств «на бумаге» нередко находятся существенные ошибки [13,14]. ...
... As explored in recent work [Flur et al. 2017], mixed size guarantees are under-explored, and surprisingly weak on hardware, so Wasm, like JavaScript, picks a maximally weak (but defined) semantics. However, as discussed by [Flur et al. 2017], some hyper-optimised low-level data structures rely on mixed-size consistency guarantees which our model does not currently provide. ...
Reference: Weakening WebAssembly
... There is extensive previous work on "user" relaxed-memory semantics of modern architectures, but very little extending this to cover systems aspects such as virtual memory. We build on the approaches established in "user" models for x86, IBM Power, Arm, and RISC-V, combining executable-as-test-oracle models, discussion with architects, and experimental testing [54,5,7,47,55,53,21,52,46,9,36,31,32,49,65]. ...
... Today, weak memory models exist for a number of different architectures (e.g. TSO [32], PSO and Power [2], ARM [17]) as well as for programming languages (e.g. C11 [8]). ...
![[object Object]](https://i1.rgstatic.net/ii/profile.image/338475850190849-1457710339399_Q64/Kathryn-Gray.jpg)
... A further key property is that for ordinary relaxed-memory litmus tests which do not involve virtual memory, our model should give the same results as the published Armv8-A [26,49,13] axiomatic memory model. To validate this (and our tools) we test our strong model on an existing library of tests, comparing to reference results from Herd and RMEM [31]. We ran an additional 1927 such litmus tests, which all returned the expected results. ...
... Making relaxed-memory semantics exhaustively executable is essential for exploring their behaviour on examples [67,54,53,20,9,36,66,23,64,49,57]. Handling relaxed virtual memory 8 Experimental testing of hardware 50 brings several new challenges. ...
![[object Object]](https://i1.rgstatic.net/ii/profile.image/1094330735427586-1637920187504_Q64/Gabriel-Kerneis.jpg)
![[object Object]](https://i1.rgstatic.net/ii/profile.image/296338295148545-1447663963703_Q64/Dominic-Mulligan.jpg)
