132 research outputs found

    Simplifying ARM concurrency: Multicopy-atomic axiomatic and operational models for ARMv8

    ARM has a relaxed memory model, previously specified in informal prose for ARMv7 and ARMv8. Over time, and partly due to work building formal semantics for ARM concurrency, it has become clear that some of the complexity of the model is not justified by the potential benefits. In particular, the model was originally non-multicopy-atomic: writes could become visible to some other threads before becoming visible to all — but this has not been exploited in production implementations, the corresponding potential hardware optimisations are thought to have insufficient benefits in the ARM context, and it gives rise to subtle complications when combined with other ARMv8 features. The ARMv8 architecture has therefore been revised: it now has a multicopy-atomic model. It has also been simplified in other respects, including more straightforward notions of dependency, and the architecture now includes a formal concurrency model. In this paper we detail these changes and discuss their motivation. We define two formal concurrency models: an operational one, simplifying the Flowing model of Flur et al., and the axiomatic model of the revised ARMv8 specification. The models were developed by an academic group and by ARM staff, respectively, and this extended collaboration partly motivated the above changes. We prove the equivalence of the two models. The operational model is integrated into an executable exploration tool with new web interface, demonstrated by exhaustively checking the possible behaviours of a loop-unrolled version of a Linux kernel lock implementation, a previously known bug due to unprevented speculation, and a fixed version.

    Repairing and mechanising the JavaScript relaxed memory model

    © 2020 ACM. Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some key areas. JavaScript chooses to give a well-defined semantics to data-races, unlike the "undefined behaviour" of C/C++11. Moreover, the JavaScript model is mixed-size. This means that its accesses are not to discrete locations, but to (possibly overlapping) ranges of bytes. We show that the model, in violation of the design intention, does not support a compilation scheme to ARMv8 which is used in practice. We propose a correction, which also incorporates a previously proposed fix for a failure of the model to provide Sequential Consistency of Data-Race-Free programs (SC-DRF), an important correctness condition. We use model checking, in Alloy, to generate small counter-examples for these deficiencies, and investigate our correction. To accomplish this, we also develop a mixed-size extension to the existing ARMv8 axiomatic model. Guided by our Alloy experimentation, we mechanise (in Coq) the JavaScript model (corrected and uncorrected), our ARMv8 model, and, for the corrected JavaScript model, a "model-internal" SC-DRF proof and a compilation scheme correctness proof to ARMv8. In addition, we investigate a non-mixed-size subset of the corrected JavaScript model, and give proofs of compilation correctness for this subset to x86-TSO, Power, RISC-V, ARMv7, and (again) ARMv8, via the Intermediate Memory Model (IMM). As a result of our work, the JavaScript standards body (ECMA TC39) will include fixes for both issues in an upcoming edition of the specification

    Cancer survival discrepancies in developed and developing countries: comparisons between the Philippines and the United States

    Despite the availability of population-based cancer survival data from the developed and developing countries, comparisons remain very few. Such comparisons are important to assess the magnitude of survival discrepancies and to disentangle the impact of ethnic background and health care access on cancer survival. Using the SEER 13 database and databases from the Manila and Rizal Cancer Registries in the Philippines, a 5-year relative survival for 9 common cancers in 1998–2002 of Filipino-American cancer patients were compared with both cancer patients from the Philippines, having the same ethnicity, and Caucasians in the United States, being exposed to a similar societal environment and the same health care system. Survival estimates were much higher for the Filipino-Americans than the Philippine resident population, with particularly large differences (more than 20–30% units) for cancers with good prognosis if diagnosed and treated early (colorectal, breast and cervix), or those with expensive treatment regimens (leukaemias). Filipino-Americans and Caucasians showed very similar survival for all cancer sites except stomach cancer (30.7 vs 23.2%) and leukaemias (37.8 vs 48.4%). The very large differences in the survival estimates of Filipino-Americans and the Philippine resident population highlight the importance of the access to and utilisation of diagnostic and therapeutic facilities in developing countries. Survival differences in stomach cancer and leukaemia between Filipino-Americans and Caucasians in the United States most likely reflect biological factors rather than the differences in access to health care

    On Parallel Snapshot Isolation and Release/Acquire Consistency

    Modelling the ARMv8 architecture, operationally: Concurrency and ISA

    Copyright is held by the owner/author(s). In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concurrent ARM software and hardware. Establishing such models with high confidence is intrinsically difficult: it involves capturing the vendor's architectural intent, aspects of which (especially for concurrency) have not previously been precisely defined. We therefore first develop a concurrency model with a microarchitectural flavour, abstracting from many hardware implementation concerns but still close to hardware-designer intuition. This means it can be discussed in detail with ARM architects. We then develop a more abstract model, better suited for use as an architectural specification, which we prove sound w.r.t. the first. The instruction semantics involves further difficulties, handling the mass of detail and the subtle intensional information required to interface to the concurrency model. We have a novel ISA description language, with a lightweight dependent type system, letting us do both with a rather direct representation of the ARM reference manual instruction descriptions. We build a tool from the combined semantics that lets one explore, either interactively or exhaustively, the full range of architecturally allowed behaviour, for litmus tests and (small) ELF executables. We prove correctness of some optimisations needed for tool performance. 
We validate the models by discussion with ARM staff, and by comparison against ARM hardware behaviour, for ISA single-instruction tests and concurrent litmus tests. This work was partly funded by the EPSRC Programme Grant REMS: Rigorous Engineering for Mainstream Systems, EP/K008528/1, the Scottish Funding Council (SICSA Early Career Industry Fellowship, Sarkar), an ARM iCASE award (Pulte), and ANR grant WMC (ANR-11-JS02-011, Maranget).

    ISA semantics for ARMv8-A, RISC-V, and CHERI-MIPS

    Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving software and verification on shaky ground. In this paper, we present rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4. Our ARMv8-A models are automatically translated from authoritative ARM-internal definitions, and (in one variant) tested against the ARM Architecture Validation Suite. We do this using a custom language for ISA semantics, Sail, with a lightweight dependent type system, that supports automatic generation of emulator code in C and OCaml, and automatic generation of proof-assistant definitions for Isabelle, HOL4, and (currently only for MIPS) Coq. We use the former for validation, and to assess specification coverage. To demonstrate the usability of the latter, we prove (in Isabelle) correctness of a purely functional characterisation of ARMv8-A address translation. We moreover integrate the RISC-V model into the RMEM tool for (user-mode) relaxed-memory concurrency exploration. We prove (on paper) the soundness of the core Sail type system. We thereby take a big step towards making the architectural abstraction actually well-defined, establishing foundations for verification and reasoning.

    Amifostine reduces the seminiferous epithelium damage in doxorubicin-treated prepubertal rats without improving the fertility status

    Background: Amifostine is an efficient cytoprotector against toxicity caused by some chemotherapeutic drugs. Doxorubicin, a potent anticancer anthracycline, is known to produce spermatogenic damage even in low doses. Although some studies have suggested that amifostine does not confer protection to doxorubicin-induced testicular damage, schedules and age of treatment have different approach depending on the protocol. Thus, we proposed to investigate the potential cytoprotective action of amifostine against the damage provoked by doxorubicin to prepubertal rat testes (30-day-old) by assessing some macro and microscopic morphometric parameters 15, 30 and 60 days after the treatment; for fertility evaluation, quantitative analyses of sperm parameters and reproductive competence in the adult phase were also carried out. Methods: Thirty-day-old male rats were distributed into four groups: Doxorubicin (5 mg/kg), Amifostine (400 mg/kg), Amifostine/Doxorubicin (amifostine 15 minutes before doxorubicin) and Sham Control (0.9% saline solution). "Standard One Way Anova" parametric and "Anova on Ranks" non-parametric tests were applied according to the behavior of the obtained data; significant differences were considered when p < 0.05. Results: The rats killed 30 and 60 days after doxorubicin treatment showed diminution of seminiferous epithelium height and reduction on the frequency of tubular sections containing at least one type of differentiated spermatogonia; reduction of sperm concentration and motility and an increase of sperm anomalous forms were observed in doxorubicin-treated animals. All these parameters were improved in the Amifostine/Doxorubicin group only when compared to Doxorubicin group. Such reduction, however, still remained below the values obtained from the Sham Control group. Nevertheless, the reproductive competence of doxorubicin-treated rats was not improved by amifostine pre-administration. Conclusions: These results suggest that amifostine promotes a significant reduction of the doxorubicin long-term side effects on the seminiferous epithelium of prepubertal rats, which is reflected in the epididymal fluid parameters in the adult phase. However, fertility status results suggest that such protection may not be effective against sperm DNA content damage. Further investigation of sperm DNA integrity must be carried out using amifostine and doxorubicin-treated experimental models.