![Page 1: Specifications: The Next Verification Bottleneck · © 2017 Arm Limited Specifications: The Next Verification Bottleneck Alastair Reid Arm Research @alastair_d_reid](https://reader033.vdocuments.mx/reader033/viewer/2022041417/5e1c4b4d542ffb624d438d73/html5/thumbnails/1.jpg)
© 2017 Arm Limited
Specifications: The Next Verification Bottleneck
Alastair Reid
Arm Research
@alastair_d_reid
Overview
1. What specifications do we need?
2. ARM’s formal processor specifications
3. Three steps I took to create good specifications
ARM
Designs processors, designs architecture, licenses architecture
16B processors/year
(also GPUs, IoT, …)
Security Research Group
- Develop and analyse security extensions
- Create framework for verifying products
- We are hiring: full time, research internships
The stack, top to bottom:
Applications
Libraries
Runtimes
Secure Services
C Compiler/Linker
MicroKernel
HAL
Architecture
MicroArchitecture
RTLD
Specifications we need
- Linux syscalls, C stdlib
- ISO C, Gcc/LLVM extensions, Inline assembly, ELF/linker script, Weak memory model
- Processor page tables, Interrupt handler, Device driver API, Filesystem format
- TCP/IP, UDP, …, TLS, NTP, DNS, NFS, …, WiFi, Bluetooth, Zigbee, …, USB, SD card, …
- X11/Gtk+/…, Javascript, CSS, SVG, …, PHP, …
Trusted Computing Base (!= Trustworthy Computing Base)
a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security
— Lampson
the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy
— Orange Book (US DoD)
Specifications for real world software/hardware
Unavoidable:
- Multiple implementations
- Multiple versions of each implementation
- Spec must include all quirks of recent versions of major implementations to be useful
- Existing specification = English + Tables + Pseudocode
- Existing community may not value formal spec at first
Creating trustworthy specifications
“Trustworthy Specifications of the ARMv8-A and v8-M architecture,” FMCAD 2016
The state of most processor specifications
- Large (1000s of pages)
- Broad (10+ years of implementations, multiple manufacturers)
- Complex (exceptions, weak memory, …)
- Informal (mostly English prose)
We are all just learning how to (retrospectively) formalize specifications
Arm Processor Specifications
A-class (phones, tablets, servers, …): 6,000 pages; 40,000 line formal specification. Covers Instructions (32/64-bit), Exceptions/Interrupts, Memory protection, Page tables, Multiple privilege levels, System control registers, Debug/trace.
M-class (microcontrollers, IoT): 1,200 pages; 15,000 line formal specification. Covers Instructions (32-bit), Exceptions/Interrupts, Memory protection, Page tables, Multiple privilege levels, System control registers, Debug/trace.
English prose
Pseudocode
System Architecture Specification
Arm Architecture Specification Language (ASL)
- Indentation-based syntax
- Imperative
- First-order
- Strongly typed (type inference, polymorphism, dependent types)
- Bit-vectors
- Unbounded integers
- Infinite precision reals
- Arrays, Records, Enumerations
- Exceptions
ARM Spec (lines of code)
                 v8-A     v8-M
Instructions
  Int/FP/SIMD    26,000   6,000
Exceptions        4,000   3,000
Memory            3,000   1,000
Debug             3,000   1,000
Misc              5,500   2,000
(Test support)    1,500   2,000
Total            43,000  15,000
System Register Spec
                 v8-A   v8-M
Registers         586    186
Fields           3951    622
  Constant        985    177
  Reserved        940    208
  Impl. Defined    70     10
  Passive        1888    165
  Active           68     62
Operations        112     10
Trustworthiness
ARM’s specification is correct by definition
Does the specification match the behaviour of all ARM processors?
Tool pipeline: ASL Spec → Lexer → Parser → Typechecker → Interpreter / C Backend
Architectural Conformance Suite
Processor architectural compliance sign-off
Large
• v8-A: 11,000 test programs, >2 billion instructions
• v8-M: 3,500 test programs, >250 million instructions
Thorough
• Tests dark corners of specification
Progress in testing Arm specification
- Does not parse, does not typecheck
- Can’t get out of reset
- Can’t execute first instruction
- Can’t execute first 100 instructions
- …
- Passes 90% of tests
- Passes 99% of tests
- …
Measuring architecture coverage of tests
Untested: op1*op2 == -3.0, FPCR.RND=-Inf
Creating a Virtuous Cycle
Around the ARM Spec: Fuzzing Firmware, ARM Conformance Test Suite, Processor Verification, Boot OS, Information Flow Analysis, Random Instruction Sequences, Testcase Generation, Specification Verification
Formal validation of processors
“End to End Verification of ARM processors with ISA-Formal,” CAV 2016
Checking an instruction
ADD
ADD CMP LDR STR BNE (the instruction checked in Context)
Pipeline model: Memory; R0-R15 → Fetch (IF) → Decode (ID) → EX → MEM → WB → R0-R15
πpre: state before the instruction; πpost: state after it
Pre → Spec → Post_spec ==? Post_cpu
Errors ISA-Formal can catch
• Errors in decode
• Errors in data path
• Errors in forwarding logic
• Errors in register renaming
• Errors in exception handling
• Errors in speculative execution
(The slide brackets these into two groups: errors found with No Context and errors that need Context.)
Specifying ADD
assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000) == 16'b0001_1000_0000_0000;
assign ADD_result   = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];
assign ADD_Rd       = pre.opcode[2:0];
assert property (@(posedge clk) disable iff (~reset_n) ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));
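The same Post_spec ==? Post_cpu check in Python, as an added example that is not from the slides or from Arm's tooling: the spec side decodes the 16-bit ADD encoding with the slide's mask and computes the architecturally required result from the pre-state, and that is compared with the post-state of a toy CPU model; `cpu_post_decode_bug` is a constructed decode error of the kind listed under "Errors ISA-Formal can catch", and all function names are assumptions of this example.

```python
# Added example (not from the slides): ISA-Formal style check for Thumb
# "ADD Rd, Rn, Rm" comparing a spec-derived post-state with a toy CPU's.

MASK = 0b1111_1110_0000_0000   # fixed opcode bits for this encoding (from the slide)
MATCH = 0b0001_1000_0000_0000
WORD = 0xFFFFFFFF              # registers are 32 bits wide


def encode_add(rd: int, rn: int, rm: int) -> int:
    """Build the 16-bit opcode: Rm in bits [8:6], Rn in [5:3], Rd in [2:0]."""
    return MATCH | (rm << 6) | (rn << 3) | rd


def add_retiring(opcode: int) -> bool:
    """ADD_retiring from the slide: does this opcode match the ADD encoding?"""
    return (opcode & MASK) == MATCH


def spec_post(pre_regs, opcode):
    """Spec side: the register file the architecture says ADD must produce."""
    rm = (opcode >> 6) & 7
    rn = (opcode >> 3) & 7
    rd = opcode & 7
    post = list(pre_regs)
    post[rd] = (pre_regs[rn] + pre_regs[rm]) & WORD   # ADD_result, truncated
    return post


def cpu_post_correct(pre_regs, opcode):
    """Toy 'RTL' that decodes and executes ADD correctly."""
    return spec_post(pre_regs, opcode)


def cpu_post_decode_bug(pre_regs, opcode):
    """Toy 'RTL' with a constructed decode error: the Rd and Rn fields are
    swapped, so the sum is written to R[Rn] instead of R[Rd]."""
    rm = (opcode >> 6) & 7
    rd = (opcode >> 3) & 7        # bug: this is really the Rn field
    rn = opcode & 7               # bug: this is really the Rd field
    post = list(pre_regs)
    post[rd] = (pre_regs[rn] + pre_regs[rm]) & WORD
    return post


def add_property_holds(pre_regs, opcode, post_cpu_regs) -> bool:
    """ADD_retiring |-> ADD_result == post.R[ADD_Rd], as in the slide's SVA."""
    if not add_retiring(opcode):
        return True              # no ADD retired: the implication is vacuous
    rd = opcode & 7
    return spec_post(pre_regs, opcode)[rd] == post_cpu_regs[rd]


def check_cpu_model(cpu_model, pre_regs, opcode) -> bool:
    """Run one instruction through a CPU model and evaluate the property."""
    return add_property_holds(pre_regs, opcode, cpu_model(pre_regs, opcode))


if __name__ == "__main__":
    pre = [5, 7, 0, 0, 0, 0, 0, 0]          # constructed pre-state R0..R7
    op = encode_add(rd=2, rn=0, rm=1)       # ADD R2, R0, R1
    print("correct cpu:", check_cpu_model(cpu_post_correct, pre, op))
    print("decode bug :", check_cpu_model(cpu_post_decode_bug, pre, op))
```

The decode bug is invisible when Rd == Rn, which is why a formal check over all pre-states and opcodes, rather than a few directed tests, is the point of the technique.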
ISA-Formal
• Finds complex bugs in processor pipelines
• Applied to a wide range of microarchitectures
• Uses translation of ARM’s internal ISA specification
Challenges
• Complex Functional Units: FP, Memory
• Dual Issue, Instruction Fusion, Register Renaming, Out-of-order Retire
Memory: TLB, Prefetch, PTW, Coherence, Cache
FPU: FMUL, FADD, FDIV, FSQRT
Pipeline model with Memory and FPU as separate blocks: Memory; R0-R15 → Fetch → Decode → R0-R15; Memory; FPU
FP Subset Behaviour
FPAdd      -∞     -1     0      1      ∞
-∞         -∞     -∞     -∞     -∞     n/a
-1         -∞     n/a    -1     0      ∞
0          -∞     -1     0      1      ∞
1          -∞     0      1      n/a    ∞
∞          n/a    ∞      ∞      ∞      ∞
(n/a marks sums that fall outside the subset {-∞, -1, 0, 1, ∞}: -2, 2 and the NaN from -∞ + ∞)
ISA-Formal Properties
Properties fill the instruction × state-element matrix one cell at a time:
              ADC   ADD   B   …   YIELD
R[]            ✔     ✔    ✔
NZCV           ✔
SP             ✔     ✔
PC             ✔
S[],D[],V[]
FPSR
MemRead
MemWrite
SysRegRW
ELR
ESR
…
But this is slow and inconsistent
ISA-Formal Properties, with every instruction × state-element cell covered:
              ADC   ADD   B   …   YIELD
R[]            ✔     ✔    ✔   ✔    ✔
NZCV           ✔     ✔    ✔   ✔    ✔
SP             ✔     ✔    ✔   ✔    ✔
PC             ✔     ✔    ✔   ✔    ✔
S[],D[],V[]    ✔     ✔    ✔   ✔    ✔
FPSR           ✔     ✔    ✔   ✔    ✔
MemRead        ✔     ✔    ✔   ✔    ✔
MemWrite       ✔     ✔    ✔   ✔    ✔
SysRegRW       ✔     ✔    ✔   ✔    ✔
ELR            ✔     ✔    ✔   ✔    ✔
ESR            ✔     ✔    ✔   ✔    ✔
…
ASL to Verilog
Architecture Specification → Specialize, Monomorphize → Constant Propagation, Width Analysis → Exception Handling → … → Combinational Verilog
Arm CPUs verified with ISA-Formal
A-class: Cortex-A53, Cortex-A32, Cortex-A35, Cortex-A55, Next generation
R-class: Cortex-R52, Next generation
M-class: Cortex-M4, Cortex-M7, Cortex-M33, Next generation
(Cambridge projects)
Rolling out globally to other design centres:
- Sophia, France: Cortex-A75 (partial)
- Austin, USA: TBA
- Chandler, USA: TBA
Formal validation of specifications
“Who guards the guards? Formal Validation of ARMv8-M Specifications,” OOPSLA 2017
One Specification to rule them all?
Architecture Spec ↔ Compliance Tests, Processors, Reference Simulator
Creating a redundant specification
- Where to get a list of redundant properties from?
- How to formalise this list?
- How to formally validate the specification against the properties?
(This may look familiar from formal specification of software)
Rule JRJC: Exit from lockup is by any of the following:
• A Cold reset.
• A Warm reset.
• Entry to Debug state.
• Preemption by a higher priority processor exception.
Rule R relates one state change to the events that may cause it: State Change X; Event A, Event B, State Change C, Event D
And cannot happen any other way
Rule R: X → A ∨ B ∨ C ∨ D
State Change X   Exit from lockup                                       Fell(LockedUp)
Event A          A Cold reset                                           Called(TakeColdReset)
Event B          A Warm reset                                           Called(TakeReset)
State Change C   Entry to Debug state                                   Rose(Halted)
Event D          Preemption by a higher priority processor exception   Called(ExceptionEntry)
Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)
Rule VGNW: Entry to lockup from an exception causes
• Any Fault Status Registers associated with the exception to be updated.
• No update to the exception state, pending or active.
• The PC to be set to 0xEFFFFFFE.
• EPSR.IT to become UNKNOWN.
In addition, HFSR.FORCED is not set to 1.
Problems found in prose rules like this: Out of date, Misleading, Ambiguous, Untestable
v8-M Spec + Rules → Z3 SMT Solver → Proof or Counterexample
Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)
Fell and Rose are Temporal Operators; Called is an Event Operator
Temporal Operators
Fell(e)   = Past(e) > e
Stable(e) = Past(e) = e
Rose(e)   = Past(e) < e
Temporal Operators, encoded with a shadow variable that snapshots the state before the function under test runs:
__Past_LockedUp = LockedUp;
FunctionUnderTest();
… __Past_LockedUp > LockedUp …
This is Fell(LockedUp).
Event Operators, encoded with a flag set inside the instrumented function:
TakeReset() { __Called_TakeReset = TRUE; … }
This is Called(TakeReset).
__Called_TakeColdReset = FALSE;
__Called_TakeReset = FALSE;
__Called_ExceptionEntry = FALSE;
__Past_LockedUp = LockedUp;
__Past_Halted = Halted;
FunctionUnderTest();
assert((__Past_LockedUp > LockedUp) ==>
       (__Called_TakeColdReset || __Called_TakeReset ||
        __Past_Halted < Halted || __Called_ExceptionEntry));
Fell(LockedUp)→Called(TakeColdReset)∨Called(TakeReset)∨Rose(Halted)∨Called(ExceptionEntry)
Rule JRJC Exit from lockup is by any of the following:
• A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.
__Called_TakeColdReset = FALSE; __Called_TakeReset = FALSE; __Called_TakeExceptionEntry = FALSE; __Past_LockedUp = LockedUp; __Past_Halted = Halted;
assert((__Past_LockedUp > LockedUp) ==> ( __Called_TakeColdReset || __Called_TakeReset || __Past_Halted < Halted || __Called_ExceptionEntry));
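To show how the instrumentation on the preceding slides fits together, here is an added Python example; it is not from the talk and not Arm's ASL tooling. It models a toy core with LockedUp and Halted flags, records __Past_* snapshots and __Called_* flags the way the slides do, defines Fell/Rose/Stable and Called on top of them, and then checks rule JRJC over every initial state and event of the toy model, one step deep, in the spirit of a bounded model check. The state machine, the event names and the planted defect in step_buggy are all constructed for illustration and do not describe the real Armv8-M specification.

```python
"""Instrumented property checking in the style of the slides (added example)."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Core:
    """Toy processor state (constructed; not the real ASL state)."""
    LockedUp: bool = False
    Halted: bool = False
    # Instrumentation mirrored from the slides: __Called_* flags and __Past_* snapshots.
    called: set = field(default_factory=set)
    past: dict = field(default_factory=dict)

    def snapshot(self):
        """__Called_* = FALSE for every function; __Past_e = e for every observed variable."""
        self.called.clear()
        self.past = {"LockedUp": self.LockedUp, "Halted": self.Halted}

    # Event operator: Called(f) holds iff f ran since the last snapshot.
    def Called(self, fn_name):
        return fn_name in self.called

    # Temporal operators on booleans, using the slides' encoding (TRUE > FALSE):
    # Fell(e) = Past(e) > e, Stable(e) = Past(e) = e, Rose(e) = Past(e) < e.
    def Fell(self, var):
        return self.past[var] > getattr(self, var)

    def Stable(self, var):
        return self.past[var] == getattr(self, var)

    def Rose(self, var):
        return self.past[var] < getattr(self, var)

    # Modelled specification functions; each sets its own __Called_* flag.
    def TakeColdReset(self):
        self.called.add("TakeColdReset")
        self.LockedUp = False
        self.Halted = False

    def TakeReset(self):
        self.called.add("TakeReset")
        self.LockedUp = False

    def TakeExceptionEntry(self):
        self.called.add("TakeExceptionEntry")
        self.LockedUp = False

    def EnterDebugState(self):
        # Entering Debug state halts the core; if already halted nothing changes.
        if not self.Halted:
            self.Halted = True
            self.LockedUp = False


# Constructed event alphabet for the toy model.
EVENTS = ("cold_reset", "warm_reset", "debug_halt",
          "high_prio_exception", "low_prio_exception", "nop")


def step_correct(core, event):
    """FunctionUnderTest(): one step of the constructed lockup model."""
    if event == "cold_reset":
        core.TakeColdReset()
    elif event == "warm_reset":
        core.TakeReset()
    elif event == "debug_halt":
        core.EnterDebugState()
    elif event == "high_prio_exception":
        core.TakeExceptionEntry()
    # A low-priority exception or a nop leaves a locked-up core locked up.


def step_buggy(core, event):
    """Same model with a planted defect: a low-priority exception clears lockup
    without going through TakeExceptionEntry, which violates rule JRJC."""
    step_correct(core, event)
    if event == "low_prio_exception":
        core.LockedUp = False


def rule_jrjc(core):
    """Fell(LockedUp) -> Called(TakeColdReset) v Called(TakeReset) v Rose(Halted) v Called(TakeExceptionEntry)."""
    return (not core.Fell("LockedUp")) or (
        core.Called("TakeColdReset") or core.Called("TakeReset")
        or core.Rose("Halted") or core.Called("TakeExceptionEntry"))


def check_rule_jrjc(step_fn):
    """Bounded check: every initial state x every event, one step deep.
    Returns the list of ((LockedUp, Halted), event) counterexamples."""
    failures = []
    for locked, halted, event in product((False, True), (False, True), EVENTS):
        core = Core(LockedUp=locked, Halted=halted)
        core.snapshot()           # __Past_* = current state, __Called_* = FALSE
        step_fn(core, event)      # FunctionUnderTest()
        if not rule_jrjc(core):   # assert(Fell(LockedUp) ==> ...)
            failures.append(((locked, halted), event))
    return failures


if __name__ == "__main__":
    print("correct model:", check_rule_jrjc(step_correct))
    print("buggy model:  ", check_rule_jrjc(step_buggy))
```

The checker reports the buggy model's two counterexamples (a locked-up core, halted or not, receiving a low-priority exception) and none for the correct model. A real ASL check does the same thing symbolically: the SMT backend turns the instrumented function into a formula and the solver searches all states at once rather than enumerating them.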
Arm Specification Language       SMT
Arithmetic operations            Arithmetic operations
Boolean operations               Boolean operations
Bit Vectors                      Bit Vectors
Arrays                           Arrays
Functions                        Functions
Local Variables                  Local Variables
Statements                       Statements
  Assignments                      Assignments
  If-statements                    If-statements
  Loops                            Loops
  Exceptions                       Exceptions
Results (more in OOPSLA paper)

Most properties proved in under 100 seconds
Found 12 bugs in specification:
- debug, exceptions, system registers, security
Found bugs in English prose:
- ambiguous, imprecise, incorrect, …
[Tool-flow diagram; components shown on the slide:]
ASL Spec → Lexer/Parser → Typechecker → Interpreter, Verilog Backend, C Backend, SMT Backend
Interpreter + ARM Test Suite → Test Coverage, Simulation Trace
SMT Backend + Architecture Properties → Bounded Model Checker → SMT Solver
Arm Processor
Public release of machine readable Arm specification
Enable formal verification of software and tools

Releases
April 2017: v8.2
July 2017: v8.3

Working with Cambridge University REMS group to convert to SAIL
Backends for HOL, OCaml, Memory model, (hopefully Coq too)

Specification: https://developer.arm.com/products/architecture/a-profile/exploration-tools
Tools: https://github.com/alastairreid/mra_tools
(See also: https://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat)

Talk to me about how I can help you use it
Specifications: The next bottleneck

Test the specifications you depend on
Formally validate/verify implementations
Create redundant specifications
Ensure specifications have many uses
Don't write spec in Coq/HOL/ACL2/…
Try to influence official specification

We will need a lot of specs
Of real world s/w + h/w
Specs are a large part of TCB
How are we going to create them?
How are we going to trust them?
Thanks

Alasdair Armstrong (Cambridge U.), Alex Chadwick (ARM), Ali Zaidi (ARM), Anastasios Deligiannis (ARM), Anthony Fox (Cambridge U.), Ashan Pathirane (ARM), Belaji Venu (ARM), Bradley Smith (ARM), Brian Foley (ARM), Curtis Dunham (ARM), David Gilday (ARM), David Hoyes (ARM), David Seal (ARM), Daniel Bailey (ARM), Erin Shepherd (ARM), Francois Botman (ARM), George Hawes (ARM), Graeme Barnes (ARM), Isobel Hooper (ARM), Jack Andrews (ARM), Jacob Eapen (ARM), Jon French (Cambridge U.), Kathy Gray (Cambridge U.), Krassy Gochev (ARM), Lewis Russell (ARM), Matthew Leach (ARM), Meenu Gupta (ARM), Michele Riga (ARM), Milosch Meriac (ARM), Nigel Stephens (ARM), Niyas Sait (ARM), Peng Wang (ARM), Peter Sewell (Cambridge U.), Peter Vrabel (ARM), Richard Grisenthwaite (ARM), Rick Chen (ARM), Simon Bellew (ARM), Thomas Grocutt (ARM), Will Deacon (ARM), Will Keen (ARM), Wojciech Meyer (ARM) (and others)
Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos!

@alastair_d_reid

"Trustworthy Specifications of the ARMv8-A and v8-M architecture," FMCAD 2016
"Who guards the guards? Formal Validation of ARMv8-M Specifications," OOPSLA 2017
"End to End Verification of ARM processors with ISA-Formal," CAV 2016