Isla: Integrating full-scale ISA semantics and axiomatic concurrency models

,


Introduction
A processor architecture should define, for any initial machine state, the set of all architecturally allowed observable executions -thus specifying the basic assumptions for programming and for software verification, and the correctness criterion for hardware verification.Architecture specifications have two main parts: the sequential and relaxed-memory concurrent aspects of instruction behaviour, each of which have been studied in previous work.For Armv8-A and RISC-V, Armstrong et al. have established full-scale sequential models in Sail [10,15], a domain-specific language for instruction-set architecture (ISA) specification, that are complete enough to boot real-world operating systems such as Linux.For Armv8-A this model is automatically derived from the authoritative Arm-internal specification [24], while for RISC-V it has been hand-written and adopted by RISC-V International.On the concurrency side, relaxed-memory semantics can be specified in two main styles: either as abstractmicroarchitectural operational models, characterising observable behaviour with explicit out-of-order execution and buffering, or as axiomatic models, expressed as a predicate over complete candidate executions represented as graphs of memory events.For Armv8-A and RISC-V "user" concurrency, both exist [22,7,1,8], along with a "Promising ARM" variant [23].For Armv8-A they have been proved equivalent [22,21]; the authoritative vendor definition is the axiomatic one.
However, while an architecture should define the set of allowed executions for arbitrary programs, hitherto there has been no integration of full-scale ISA definitions with axiomatic concurrency models, either in mathematics or in tools (for operational models, this has only been done for RISC-V; other operational models have used small ISA fragments).Research and industry practice for relaxed memory semantics rely on making the semantics executable as a test oracle: not just a paper definition (in prose or mathematics), but tool-supported definitions that for small litmus-test examples can compute the set of all allowed executions, that can then be compared against experimental data.Many tools have been developed for operational and axiomatic architectural concurrency models [32,20,30,31,26,19,25,14,17,6,4,8,12,29,28,18], with axiomatic tools notably including the Herd tool of Alglave and Maranget [6,4,8], that can evaluate litmus tests w.r.t.axiomatic memory models specified in a relational-algebra style in the Cat language [2].However, all of these previous tools for axiomatic models have (at best) used hard-coded ISA semantics that cover only small fragments of the complete architecture.For example, Zhang et al [32] use a SMT solver based approach for SoC verification, with a user-specified memory model (TSO or SC), however the instruction level abstractions (ILAs) they use are much more abstract than the ISA semantics we consider.
In this paper we describe a tool, Isla, that integrates full-scale ISA specifications, in Sail, with arbitrary axiomatic models, in the Cat language.We first build a generic symbolic execution library for Sail specifications-which should also be valuable for other verification tasks.We use this to construct a tool for symbolically running binary litmus tests for any Sail ISA under any (non-recursive) Cat axiomatic memory model, using an SMT solver.We equip it with a web interface to make it widely accessible, and illustrate and evaluate all this for Armv8-A and RISC-V.Isla is available at https://isla-axiomatic.cl.cam.ac.uk and https://github.com/rems-project/isla.An extended version of the paper [11], available at https://www.cl.cam.ac.uk/~pes20/isla/, includes appendices showing the main parts of the full Sail/ASL semantics of a sample Armv8-A instruction (add x4, x3, #1); the Armv8-A axiomatic concurrency model (combining the official Arm specification for user concurrency [9,13] with the additions for instruction fetch semantics by Simner et al. [27]); and examples of the latter.
Our approach has several key advantages, which all follow from the fact that mainstream industry ISAs are surprisingly large and intricate.The Armv8-A ISA specification is around 100k lines.It defines the sequential behaviour of the full instruction set in all its detail, including e.g.instruction decoding, behaviour at each exception level, register banking, floating-point, vector instructions, system registers, exceptions, address translation, virtualisation, security extensions, and a host of optional architectural features.Simple litmus tests developed to investigate user concurrency have historically used only very few instructions and very little of this, and hand-written ISA models have sufficed, but even a 'simple' ADD instruction can, in reality, involve surprisingly much of the specification.If one wants to examine arbitrary compiler-generated code one needs many more instructions; and to develop systems concurrency semantics, e.g.covering the concurrency behaviour of instruction fetch, exceptions, or address translation, one might need any of the specification -and it would be exceedingly laborious and error-prone to reproduce it by hand in a hard-coded semantics.By handling the full authoritative Armv8-A ISA, we automatically support litmus tests that use arbitrary instructions, and we enable research on systems concurrency, with high confidence that the ISA follows the vendor specification.We demonstrate this by applying our tool to the model and examples for self-modifying code by Simner et al. [27], and our integration has also identified several places where the ISA specification needs modifications to correctly give the intended behaviour in a concurrent setting, e.g. to remove or enforce additional ordering.Because this is based on authoritative Arm and RISC-V ISA specifications, the work should enable relaxed-memory behaviour to be included in the standard test-edit-debug cycle used in the development of such large and critical specifications.

Implementation
Axiomatic relaxed-memory concurrency models, being expressed as logical constraints over candidate execution graphs, lend themselves to solver-based tool implementations.For the instruction-semantics part of such a tool, the most direct approach would be to translate the ISA semantics (for the instructions that occur in a litmus test) directly into SMT and combine that with the axiomaticmodel constraints, roughly along the lines of Alglave et al. [3].That approach was followed by Simner et al. [27], who compiled Sail directly into SMT to test an axiomatic model for instruction-fetch tests, but using a small handwritten Arm fragment, rather than the full Sail model derived from the Arm-internal model.The problem with this direct approach is one of scale: as one covers more of the Arm semantics, the resulting SMT problem simply becomes too large to be practicable.For example, for a load instruction, the virtual address must be translated into a physical address, which is a complex process with a great deal of configurability-there may be zero, one, or two stages of address translation, the page size may vary, the number of levels used in the page table may differ, etc.This approach also required the top level fetch-execute-decode loop to be handled specially, as one cannot translate such an unbounded loop directly into SMT, which imposes significant constraints on the shape of allowable tests.
In contrast, here we build and use a generic symbolic evaluation for Sail definitions using the Z3 SMT solver, which lets us compute the possible symbolic thread-local traces of each instruction, and hence of each thread (treating memory read values as unknowns, left to the concurrency model constraints).It also lets us use the same fetch-decode-execute loop that is used for emulation and co-simulation (which embodies various architecture-specific subtleties).

Symbolic execution for Sail
Sail is attractive for symbolic execution for several reasons.First, it is an intentionally simple language, lacking many of the features found in general-purpose languages.Second, it has to support very few programs, just the specifications of major ISAs, so (unlike tools for conventional programming languages) we can tune the execution to them.Third, almost all of the loops in these programs are bounded.Our starting point is the translation of Sail to C, for emulation, by Armstrong et al [10].This goes via a simple goto-language intermediate representation which is already well-suited for this task.

Static function linearisation
Our symbolic execution always creates a new task when we hit a branch, and we do not ever merge these tasks at join points.This is a good strategy for instruction semantics, as it simplifies the symbolic execution engine significantly, but it does mean some code can cause unnecessary branching.To avoid this we have a static rewrite that can take a function with if statements and rewrite it into a 'linear' form, e.g. as below: This works by translating the body of the function into SSA form, then replacing the φ-functions with if-then-else (ite) functions that translate into the SMT ite.This results in a more complex SMT expression, but less branching in the symbolic execution, so it is a trade-off, but often worthwhile.
Per-thread candidate executions For each litmus-test thread this symbolic execution will produce a number of candidate executions, each of which is a sequence of memory events (memory reads and writes, fences, register accesses, and so on) with the symbolic values of these events potentially being constrained by some SMT formula for the overall execution.For example, consider the Armv8-A instruction add x4, x3, #1.For this instruction, our symbolic evaluator generates an execution: where the SMTLIB formula is defined by the declare-const and define-const statements, with read-reg and write-reg effects indicating which variables in the SMT formula correspond to the values read and written to registers (which are otherwise just global variables) by the instruction.We simplify here for brevity, omitting the negative, zero, carry and overflow flags that the model computes.For more complex instructions, there are additional effects for memory accesses, cache maintenance events, barriers, and so on.

Checking a litmus test
Fig. 1 shows the overall process of checking a litmus test.Tests can be supplied either in the .litmusformat of previous axiomatic and operational tools [5,4,14], reusing the parser from [4], or as a TOML file (a standard configuration file format, with libraries available for most languages).We first assemble the test with a conventional assembler into an ELF binary and load it into the representation of memory that will be used, before initialising the model with the program counter set to the entry point for each thread, then we symbolically execute the instructions in each thread separately, using the Sail semantics for each instruction, plus the same fetch-execute-decode loop in Sail we would use for emulation, to produce sets of per-thread traces as above.Treating litmus tests essentially as binaries, rather than the more-or-less ad hoc fragments of assembly abstract syntax used by earlier tools, accommodates the fact that the Armv8-A model does not define an abstract syntax, and reduces the gap between what the tool evaluates and what is run in experimental testing.Note that the Arm assembly in Fig. 1, as well as subsequent assembly snippets in this paper, use the standard Arm convention that x0 and w0 refer to the same register, where w0 refers to the lower 32-bits of the register, and x0 refers to the full 64-bit width.
We then generate an SMT problem for every combination of the candidate executions of each thread.This problem consists of the per-thread SMT formulae concatenated together (renaming variables as necessary to avoid name-clashes), combined with the axiomatic memory model (described in more detail below).
Finally, we need to generate some 'glue' SMT that connects the per-thread semantics with the memory model.For every effect in the per-thread SMT semantics we generate an enumeration of events, e.g. for an execution with two reads and two writes: The event IW is a special write event that represents the initial state.We generate relations such as value-of that relate events to their values as determined by the effects in the per-thread semantics, so if the second read event R2 read the value #xABCD, (value-of R2 #xABCD) would be true.We generate syntactic dependency relations for address, data, and control dependencies, discussed in more detail in Section 2.3.Finally, there is a constraint on the final state of each test which specifies values expected in registers and memory after all threads have executed.The Cat language represents axiomatic memory models as definitions of relations over the above events, and constraints over those relations, e.g. that specific relations are irreflexive, acyclic, or empty (or the negation of any of these).Relations are defined in a point-free relation-algebraic style, in terms of standard relational operators such as composition, intersection and union.The memory models we consider are all multi-copy-atomic, and all recursion in their definitions can trivially be replaced with (reflexive)-transitive closure.Herd's let rec construct computes the least solution to a set of equations [2], which is tricky to represent in SMT, so we do not support it.We believe even relations such as Power's (mutually recursive) preserved program order are nevertheless representable as SMT, so this limitation is mostly in our translation from Cat-we would likely want to use a different syntax to represent these relations for Isla.
A satisfiable solution to the overall SMT problem described above thus represents an execution permitted by the architecture.Parsing the model generated by the SMT solver allows us to generate a graph of the execution by instantiating each relation in the model with the various events.If all generated SMT problems are unsatisfiable for every combination of per-thread candidate executions then there are no permitted executions.If desired we can repeatedly ask the SMT solver for additional distinct models until we have all permitted executions.

Syntactic Dependency Analysis
Axiomatic memory models for relaxed hardware architectures rely heavily on notions of address, data, and control dependencies between instructions.For example, consider the following assembly: Here there is a control dependency between the load (ldr) and the store (str), as the value read by the load is used to determine whether the branch instruction cbnz that precedes the store is taken or not.This control dependency exists irregardless of whether the branch is taken or not-its existence is purely determined by the syntactic structure of the above code.
In general, existing ISA descriptions do not cover this aspect of the architecture well, as they are principally developed only to describe the sequential behaviour.Previous tools have either hand-coded dependency information, which is acceptable for cut-down ISA models but too laborious and error-prone at the scale of the ISA models we use, or used a heavyweight taint-tracking interpreter [15].Our approach avoids both of these.It is similar to the latter, computing dependencies from the ISA specification, but building the footprint analysis atop our symbolic execution library requires only around 500 LoC.
To express dependencies, we need to associate each event in our candidate executions with the syntactic instruction/opcode that generated them.To do this we use a Sail function __ instr _ announce(opcode), called in each architecture's fetch-decode-execute loop just after fetching an instruction; this adds a special effect to the candidate execution recording the instruction opcode.We also have another special effect that delimits each fetch-decode-execute cycle, so each effect such as read-mem and write-mem that would give rise to an event can be associated with an opcode, as well as an index in the program order relation for its thread.
For each instruction we also need to know its footprint: data about the instruction including which input registers it reads, which output registers it writes, whether it is a branch instruction, and so on.It also contains taint information-we need to know which registers writes may contain data 'tainted' by a memory read performed by a load, or which input registers 'taint' data written to memory.The Sail ISA specifications do not explicitly describe this footprint, so we are forced to derive it from the specification.
To do this we symbolically evaluate each opcode independently in a suitably unconstrained environment so as to capture all its possible behaviours.This can be computationally expensive due to the number of possible behaviours some instructions have, so we build a footprint cache to avoid re-computing this where possible.It turns out to be hard to distinguish ordinary branches from instructions that can cause an exception to occur, so we add a special branch address announce effect, created by a Sail function __ branch _ address _ announce that we call in branch instructions.This also enables the taint tracking for branch addresses we need for control dependencies as described above.The taint tracking is achieved simply by looking at what sub-expressions in the generated SMT problem contain variables that also appear in the various effects in each trace.
Once we have this footprint information we can analyse it for the opcodes between each read and write effect and derive the necessary dependency relations over their events.Note that this dependency relation must be exact.If we underapproximate, we will allow executions that should be forbidden, and if we overapproximate we will forbid executions that should be allowed.
In some cases the current Arm-provided ISA specification does not include enough information to identify the architecturally respected dependencies, and our dependency analysis would identify a dependency when there should not be one.To solve this we add some special Sail functions that give fine-grained control of the dependency calculation.For example, in indirect branches we ignore any dependency between the target register Xn and the link register X30 by including a function in the Sail definition that tells the footprint analysis to ignore any relation it finds between the two registers.This works by adding a special annotation in the candidate execution trace which can be used by the footprint analysis-for all other purposes it is a no-op.This information should properly become part of the architecture specification, as mistakes in the dependency calculations could be a source of soundness bugs.The lack of support for this information in existing ISA specifications can partly be explained by the lack of tooling to properly explore the integration of ISA specifications with concurrency, something we hope a tool such as ours can address.

Web Interface
Fig. 2 shows the web interface we have developed for our tool, based on the web interface for the C memory model tool Cerberus-BMC by Lau et al. [16].This can either be run locally, or via a website, https://isla-axiomatic.cl.cam.ac.uk.

System Litmus Tests
As mentioned previously, one advantage of our tool is that, because it supports the full sequential ISA, it enables easy experimentation with tests and models outside the scope of previous tools, e.g.involving new systems features.For example, Simner et al. developed semantics for Arm instruction fetch and I/D cache maintenance [27].Consider the litmus test in Fig. 3 [27, §3.3], a simple Fig. 2. Web interface for the tool test involving self-modifying code.In order to run this test and the others in [27] our tool required only minimal changes: we had to add support for data-cache and instruction-cache maintenance events and relations for them in our Cat to SMT translation.Additionally we needed to generalise how we generated the rf (reads-from) relation to generate both the regular rf relation and the new irf (instruction-reads-from) relation.Because our tool already runs tests using a fetch-execute-decode loop, all the instruction fetch events were already available-we in fact filter them out when running user-mode tests.
When generating candidate executions for a thread we normally do not assume anything about what other threads may be doing, but for self-modifying code this would clearly be problematic, as it would imply that any other thread could modify any of this thread's instructions arbitrarily.We therefore mark the memory locations that contain instructions that can be modified and provide in advance all the possible values they might take.

Results and Comparisons
We evaluate our tool for correctness and performance with respect to Herd using previous corpora of tests.
We select 3798 litmus tests for both Armv8-A and RISC-V to compare between our tool and Herd-these tests include a representative set of features such as barriers and atomics, while exercising all of the basic litmus test shapes.All tests were run on a 2.6GHz Intel Xeon Gold 6240 CPU with 36 physical cores and 400GB of RAM.The tests are split into rough categories based on In the initial state register x1 contains the address of the label f, and register w0 contains the opcode for the branch instruction b l1.Without the highlighted cache-maintenance and barrier instructions on lines 2-6, the write of that opcode to f performed by the store on line 1 may or may not be observed before the instruction fetch for f, so at the end of the test the register w2 can contain either 1 or 2, depending on whether we branched to l1 or l0.
The highlighted instructions on lines 2-6 are a sequence of data-cache (dc) and instruction-cache (ic) maintenance instructions with requisite data and instruction barriers that must occur to guarantee that the write is observed by the instruction fetch, as documented by the Armv8-A architecture reference manual [7] and captured by the axiomatic model of Simner et al. [27] Fig. 3. Self-modifying code litmus test SM+cachesync-isb the contents of the tests.We ran 36 concurrent instances of both our tool and Herd across each set of tests, running Herd with the -speedcheck fast flag which causes it to stop enumerating executions when it resolves the final assertion in each test, which is the closest behaviour to how our tool behaves by default.
To assess correctness, we use a set of golden references for these above tests, for all of which the previous operational RMEM [14] and axiomatic Herd models and tools agree, and which have been extensively validated against hardware implementations.We confirm that our tool produces the same expected results as those models for all the litmus tests, including when run in exhaustive mode.
To assess performance, the table below gives the total real execution time for each batch of tests.In general Herd is faster for nearly all tests, but this is not surprising given the amount of detail in the full-scale instruction semantics that we are using, particularly for Armv8-A.Our goal is not to be faster, but to support those full-scale ISA semantics while remaining fast enough for practical purposes.We achieve this: most tests take only a second or so to run, which is perfectly usable interactively.For example, given the Armv8-A basic 3-thread tests, for a single sequential run of the tests, the shortest took 872ms to run, while the longest took 1231ms.The above batch times are similarly perfectly usable for (e.g.) regression testing while editing a model.
We also evaluate our tool with respect to that of Simner et al., for the instruction-fetch tests (which are currently not supported by Herd) in Section 6 of their paper.Our tool returns the expected results for all these tests, including the two tests (FOW and SM.F+ic) that were unsupported by their tool.In terms of performance, we note that their tool took 30 minutes to run just 90 of the 1377 basic 2-thread tests above, which is awkwardly slow for using a tool in practice, whereas when limiting our tool to 8 cores (to more closely match their experimental setup) our tool will execute all 1377 in under 3 minutes.We were additionally able to provide further validation that the Simner et al. model behaves as the standard Armv8-A model for non-self-modifying tests by showing that it behaves identically for all 3798 of the non-self-modifying tests above.