5 research outputs found
Instruction-Level Abstraction (ILA): A Uniform Specification for System-on-Chip (SoC) Verification
Modern Systems-on-Chip (SoC) designs are increasingly heterogeneous and
contain specialized semi-programmable accelerators in addition to programmable
processors. In contrast to the pre-accelerator era, when the ISA played an
important role in verification by enabling a clean separation of concerns
between software and hardware, verification of these "accelerator-rich" SoCs
presents new challenges. From the perspective of hardware designers, there is a
lack of a common framework for the formal functional specification of
accelerator behavior. From the perspective of software developers, there exists
no unified framework for reasoning about software/hardware interactions of
programs that interact with accelerators. This paper addresses these challenges
by providing a formal specification and high-level abstraction for accelerator
functional behavior. It formalizes the concept of an Instruction Level
Abstraction (ILA), developed informally in our previous work, and shows its
application in modeling and verification of accelerators. This formal ILA
extends the familiar notion of instructions to accelerators and provides a
uniform, modular, and hierarchical abstraction for modeling software-visible
behavior of both accelerators and programmable processors. We demonstrate the
applicability of the ILA through several case studies of accelerators (for
image processing, machine learning, and cryptography), and a general-purpose
processor (RISC-V). We show how the ILA model facilitates equivalence checking
between two ILAs, and between an ILA and its hardware finite-state machine
(FSM) implementation. Further, this equivalence checking supports accelerator
upgrades using the notion of ILA compatibility, similar to processor upgrades
using ISA compatibility.Comment: 24 pages, 3 figures, 3 table
Towards Porting Operating Systems with Program Synthesis
The end of Moore's Law has ushered in a diversity of hardware not seen in
decades. Operating system (and system software) portability is accordingly
becoming increasingly critical. Simultaneously, there has been tremendous
progress in program synthesis. We set out to explore the feasibility of using
modern program synthesis to generate the machine-dependent parts of an
operating system. Our ultimate goal is to generate new ports automatically from
descriptions of new machines. One of the issues involved is writing
specifications, both for machine-dependent operating system functionality and
for instruction set architectures. We designed two domain-specific languages:
Alewife for machine-independent specifications of machine-dependent operating
system functionality and Cassiopea for describing instruction set architecture
semantics. Automated porting also requires an implementation. We developed a
toolchain that, given an Alewife specification and a Cassiopea machine
description, specializes the machine-independent specification to the target
instruction set architecture and synthesizes an implementation in assembly
language with a customized symbolic execution engine. Using this approach, we
demonstrate successful synthesis of a total of 140 OS components from two
pre-existing OSes for four real hardware platforms. We also developed several
optimization methods for OS-related assembly synthesis to improve scalability.
The effectiveness of our languages and ability to synthesize code for all 140
specifications is evidence of the feasibility of program synthesis for
machine-dependent OS code. However, many research challenges remain; we also
discuss the benefits and limitations of our synthesis-based approach to
automated OS porting.Comment: ACM Transactions on Programming Languages and Systems. Accepted on
August 202
Recommended from our members
Engineering with logic: Rigorous test-oracle specification and validation for TCP/IP and the Sockets API
Conventional computer engineering relies on test-and-debug development processes, with the behavior of common interfaces described (at best) with prose specification documents. But prose specifications cannot be used in test-and-debug development in any automated way, and prose is a poor medium for expressing complex (and loose) specifications.
The TCP/IP protocols and Sockets API are a good example of this: they play a vital role in modern communication and computation, and interoperability between implementations is essential. But what exactly they are is surprisingly obscure: their original development focused on “rough consensus and running code,” augmented by prose RFC specifications that do not precisely define what it means for an implementation to be correct. Ultimately, the actual standard is the de facto one of the common implementations, including, for example, the 15 000 to 20 000 lines of the BSD implementation—optimized and multithreaded C code, time dependent, with asynchronous event handlers, intertwined with the operating system, and security critical.
This article reports on work done in the
Netsem
project to develop lightweight mathematically rigorous techniques that can be applied to such systems: to specify their behavior precisely (but loosely enough to permit the required implementation variation) and to test whether these specifications and the implementations correspond with specifications that are
executable as test oracles
. We developed post hoc specifications of TCP, UDP, and the Sockets API, both of the service that they provide to applications (in terms of TCP bidirectional stream connections) and of the internal operation of the protocol (in terms of TCP segments and UDP datagrams), together with a testable abstraction function relating the two. These specifications are rigorous, detailed, readable, with broad coverage, and rather accurate. Working within a general-purpose proof assistant (HOL4), we developed
language idioms
(within higher-order logic) in which to write the specifications: operational semantics with nondeterminism, time, system calls, monadic relational programming, and so forth. We followed an
experimental semantics
approach, validating the specifications against several thousand traces captured from three implementations (FreeBSD, Linux, and WinXP). Many differences between these were identified, as were a number of bugs. Validation was done using a special-purpose
symbolic model checker
programmed above HOL4.
Having demonstrated that our logic-based engineering techniques suffice for handling real-world protocols, we argue that similar techniques could be applied to future critical software infrastructure at design time, leading to cleaner designs and (via specification-based testing) more robust and predictable implementations. In cases where specification looseness can be controlled, this should be possible with lightweight techniques, without the need for a general-purpose proof assistant, at relatively little cost.EPSRC Programme Grant EP/K008528/1 REMS: Rigorous Engineering for Mainstream Systems
EPSRC Leadership Fellowship EP/H005633 (Sewell)
Royal Society University Research Fellowship (Sewell)
St Catharine's College Heller Research Fellowship (Wansbrough),
EPSRC grant GR/N24872 Wide-area programming: Language, Semantics and Infrastructure Design
EPSRC grant EP/C510712 NETSEM: Rigorous Semantics for Real
Systems
EC FET-GC project IST-2001-33234 PEPITO Peer-to-Peer Computing: Implementation and Theory
CMI UROP internship support (Smith)
EC Thematic Network IST-2001-38957 APPSEM 2
NICTA was funded by the Australian Government's Backing Australia's Ability initiative, in part through the Australian Research Council
Recommended from our members
The Semantics of Multicopy Atomic ARMv8 and RISC-V
Previous work has established precise operational concurrency models
for Power and ARMv8, in an abstract micro-architectural style based on
detailed discussion with IBM and ARM staff and extensive hardware
testing. To account for the precise architectural behaviour these
models are complex. This thesis aims to provide a better understanding
for the relaxed memory concurrency models of the architectures ARMv8,
RISC-V, and (to a lesser degree) Power.
Power and early versions of ARMv8 have non-multicopy-atomic (non-MCA)
concurrency models. This thesis provides abstraction results for
these, including a more abstract non-MCA ARMv8 storage subsystem
model, and characterisations of the behaviour of mixed-size Power and
non-MCA ARMv8 programs when using barriers or release/acquire
instructions for all memory accesses, with respect to notions of
Sequential Consistency for mixed-size programs.
During the course of this PhD project, and partly due to our extended
collaboration with ARM, ARM have shifted to a much simplified
multicopy-atomic concurrency architecture that also includes a formal
axiomatic concurrency model. We develop a correspondingly simplified
operational model based on the previous non-MCA models, and, as the
main result of this thesis, prove equivalence between the simplified
operational and the reference axiomatic model.
We have also been actively involved in the RISC-V Memory Model Task
Group. RISC-V has adopted a multicopy atomic model closely following
that of ARMv8, but which incorporates some changes motivated by issues
raised in our operational modelling of ARMv8. We develop an adapted
RISC-V operational concurrency model that is now part of the official
architecture documentation.
Finally, in order to give a simpler explanation of the MCA ARMv8 and
RISC-V concurrency models for programmers, we develop an equivalent
operational concurrency model in a different style. The
\promisingarmriscv model, based on the C11 Promising model, gives up
the micro-architectural intuition the other operational models offer
in favour of providing a more abstract model. We prove it equivalent
to the MCA ARMv8 and RISC-V axiomatic models in Coq.This work was funded by a Computer Laboratory and Qualcomm Premium Studentship, an EPSRC and Arm Ltd. Industrial CASE Studentship (grant no. EP/L505389/1), and the EPSRC Programme Grant “REMS: Rigorous Engineering for Mainstream Systems” (grant no. EP/K008528/1)