19 research outputs found
The Community of Solitude
This paper re-examines the egos of Edmund Husserl and Max Scheler with reference to Friedrich Nietzsche and the psychologist, James Hillman, and in the process also confronts the ego in other of its many manifestations, misappropriations, and mystifications. The ego is a multi-headed enigma which defies phenomenological description, and only reaches the status of concept by virtue of the gropings of an epistemology which is not up to the task. The goal of this paper is twofold: firstly, to come to terms with what is commonly spoken of as ego, and secondly, to devise a scheme which does justice to it as phenomenon
Recommended from our members
The Semantics of Multicopy Atomic ARMv8 and RISC-V
Previous work has established precise operational concurrency models
for Power and ARMv8, in an abstract micro-architectural style based on
detailed discussion with IBM and ARM staff and extensive hardware
testing. To account for the precise architectural behaviour these
models are complex. This thesis aims to provide a better understanding
for the relaxed memory concurrency models of the architectures ARMv8,
RISC-V, and (to a lesser degree) Power.
Power and early versions of ARMv8 have non-multicopy-atomic (non-MCA)
concurrency models. This thesis provides abstraction results for
these, including a more abstract non-MCA ARMv8 storage subsystem
model, and characterisations of the behaviour of mixed-size Power and
non-MCA ARMv8 programs when using barriers or release/acquire
instructions for all memory accesses, with respect to notions of
Sequential Consistency for mixed-size programs.
During the course of this PhD project, and partly due to our extended
collaboration with ARM, ARM have shifted to a much simplified
multicopy-atomic concurrency architecture that also includes a formal
axiomatic concurrency model. We develop a correspondingly simplified
operational model based on the previous non-MCA models, and, as the
main result of this thesis, prove equivalence between the simplified
operational and the reference axiomatic model.
We have also been actively involved in the RISC-V Memory Model Task
Group. RISC-V has adopted a multicopy atomic model closely following
that of ARMv8, but which incorporates some changes motivated by issues
raised in our operational modelling of ARMv8. We develop an adapted
RISC-V operational concurrency model that is now part of the official
architecture documentation.
Finally, in order to give a simpler explanation of the MCA ARMv8 and
RISC-V concurrency models for programmers, we develop an equivalent
operational concurrency model in a different style. The
\promisingarmriscv model, based on the C11 Promising model, gives up
the micro-architectural intuition the other operational models offer
in favour of providing a more abstract model. We prove it equivalent
to the MCA ARMv8 and RISC-V axiomatic models in Coq.This work was funded by a Computer Laboratory and Qualcomm Premium Studentship, an EPSRC and Arm Ltd. Industrial CASE Studentship (grant no. EP/L505389/1), and the EPSRC Programme Grant âREMS: Rigorous Engineering for Mainstream Systemsâ (grant no. EP/K008528/1)
Modelling the ARMv8 architecture, operationally: Concurrency and ISA
Copyright is held by the owner/author(s). In this paper we develop semantics for key aspects of the ARMv8 multiprocessor architecture: the concurrency model and much of the 64-bit application-level instruction set (ISA). Our goal is to clarify what the range of architecturally allowable behaviour is, and thereby to support future work on formal verification, analysis, and testing of concurrent ARM software and hardware. Establishing such models with high confidence is intrinsically difficult: it involves capturing the vendor's architectural intent, aspects of which (especially for concurrency) have not previously been precisely defined. We therefore first develop a concurrency model with a microarchitectural flavour, abstracting from many hardware implementation concerns but still close to hardware-designer intuition. This means it can be discussed in detail with ARM architects. We then develop a more abstract model, better suited for use as an architectural specification, which we prove sound w.r.t. the first. The instruction semantics involves further difficulties, handling the mass of detail and the subtle intensional information required to interface to the concurrency model. We have a novel ISA description language, with a lightweight dependent type system, letting us do both with a rather direct representation of the ARM reference manual instruction descriptions. We build a tool from the combined semantics that lets one explore, either interactively or exhaustively, the full range of architecturally allowed behaviour, for litmus tests and (small) ELF executables. We prove correctness of some optimisations needed for tool performance. We validate the models by discussion with ARM staff, and by comparison against ARM hardware behaviour, for ISA single-instruction tests and concurrent litmus tests.This work was partly funded
by the EPSRC Programme Grant REMS: Rigorous Engineering for
Mainstream Systems, EP/K008528/1, the Scottish Funding Council (SICSA Early Career Industry Fellowship, Sarkar), an ARM
iCASE award (Pulte), and ANR grant WMC (ANR-11-JS02-011,
Maranget)
Mixed-size concurrency: ARM, POWER, C/C++11, and SC
Previous work on the semantics of relaxed shared-memory concurrency has only considered the case in which each load reads the data of exactly one store. In practice, however, multiprocessors support mixed-size accesses, and these are used by systems software and (to some degree) exposed at the C/C++ language level. A semantic foundation for software, therefore, has to address them.
We investigate the mixed-size behaviour of ARMv8 and IBM POWER architectures and implementations: by experiment, by developing semantic models, by testing the correspondence between these, and by discussion with ARM and IBM staff. This turns out to be surprisingly subtle, and on the way we have to revisit the fundamental concepts of coherence and sequential consistency, which change in this setting. In particular, we show that adding a memory barrier between each instruction does not restore sequential consistency. We go on to extend the C/C++11 model to support nonatomic mixed-size memory accesses, and prove the standard compilation scheme from C11 atomics to POWER remains sound.
This is a necessary step towards semantics for real-world shared-memory concurrent code, beyond litmus tests
Recommended from our members
Simplifying ARM concurrency: Multicopy-atomic axiomatic and operational models for ARMv8
ARM has a relaxed memory model, previously specified in informal prose for ARMv7 and ARMv8. Over time, and partly due to work building formal semantics for ARM concurrency, it has become clear that some of the complexity of the model is not justified by the potential benefits. In particular, the model was originally
non-multicopy-atomic
: writes could become visible to some other threads before becoming visible to all â but this has not been exploited in production implementations, the corresponding potential hardware optimisations are thought to have insufficient benefits in the ARM context, and it gives rise to subtle complications when combined with other ARMv8 features. The ARMv8 architecture has therefore been revised: it now has a multicopy-atomic model. It has also been simplified in other respects, including more straightforward notions of dependency, and the architecture now includes a formal concurrency model.
In this paper we detail these changes and discuss their motivation. We define two formal concurrency models: an operational one, simplifying the Flowing model of Flur et al., and the axiomatic model of the revised ARMv8 specification. The models were developed by an academic group and by ARM staff, respectively, and this extended collaboration partly motivated the above changes. We prove the equivalence of the two models. The operational model is integrated into an executable exploration tool with new web interface, demonstrated by exhaustively checking the possible behaviours of a loop-unrolled version of a Linux kernel lock implementation, a previously known bug due to unprevented speculation, and a fixed version.</jats:p
Recommended from our members
Repairing and mechanising the JavaScript relaxed memory model
© 2020 ACM. Modern JavaScript includes the SharedArrayBuffer feature, which provides access to true shared memory concurrency. SharedArrayBuffers are simple linear buffers of bytes, and the JavaScript specification defines an axiomatic relaxed memory model to describe their behaviour. While this model is heavily based on the C/C++11 model, it diverges in some key areas. JavaScript chooses to give a well-defined semantics to data-races, unlike the "undefined behaviour" of C/C++11. Moreover, the JavaScript model is mixed-size. This means that its accesses are not to discrete locations, but to (possibly overlapping) ranges of bytes. We show that the model, in violation of the design intention, does not support a compilation scheme to ARMv8 which is used in practice. We propose a correction, which also incorporates a previously proposed fix for a failure of the model to provide Sequential Consistency of Data-Race-Free programs (SC-DRF), an important correctness condition. We use model checking, in Alloy, to generate small counter-examples for these deficiencies, and investigate our correction. To accomplish this, we also develop a mixed-size extension to the existing ARMv8 axiomatic model. Guided by our Alloy experimentation, we mechanise (in Coq) the JavaScript model (corrected and uncorrected), our ARMv8 model, and, for the corrected JavaScript model, a "model-internal" SC-DRF proof and a compilation scheme correctness proof to ARMv8. In addition, we investigate a non-mixed-size subset of the corrected JavaScript model, and give proofs of compilation correctness for this subset to x86-TSO, Power, RISC-V, ARMv7, and (again) ARMv8, via the Intermediate Memory Model (IMM). As a result of our work, the JavaScript standards body (ECMA TC39) will include fixes for both issues in an upcoming edition of the specification
Recommended from our members
CN: Verifying Systems C Code with Separation-Logic Refinement Types
Despite significant progress in the verification of hypervisors, operating systems, and compilers, and in verification tooling, there exists a wide gap between the approaches used in verification projects and conventional development of systems software. We see two main challenges in bringing these closer together: verification handling the complexity of code and semantics of conventional systems software, and verification usability.
We describe an experiment in verification tool design aimed at addressing some aspects of both: we design and implement CN, a separation-logic refinement type system for C systems software, aimed at predictable proof automation, based on a realistic semantics of ISO C. CN reduces refinement typing to decidable propositional logic reasoning, uses first-class resources to support pointer aliasing and pointer arithmetic, features resource inference for iterated separating conjunction, and uses a novel syntactic restriction of ghost variables in specifications to guarantee their successful inference. We implement CN and formalise key aspects of the type system, including a soundness proof of type checking. To demonstrate the usability of CN we use it to verify a substantial component of Google's pKVM hypervisor for Android.a European Research Council (ERC) Consolidator Grant for the project âTypeFoundryâ, funded under the European Unionâs Horizon 2020 Framework Programme (grant agreement no. 101002277);
a European Research Council (ERC) Advanced Grant âELVERâ under the European Unionâs Horizon 2020 research and innovation programme (grant agreement no. 789108);
an EPSRC Doctoral Training studentship;
funding from Google Researc