SLIDE 1
ARMResearch
ARMResearch
2
Applica'on Library OS Compiler Processor
Trusting Large Specifications: The Virtuous Cycle Alastair Reid - - PowerPoint PPT Presentation
Trusting Large Specifications: The Virtuous Cycle Alastair Reid - - PowerPoint PPT Presentation
Trusting Large Specifications: The Virtuous Cycle Alastair Reid alastair.reid@arm.com @alastair_d_reid ARM Research Applica'on Library OS Compiler Processor ARM Research 2 Qualities of a Specification Applicability Scope
SLIDE 2
SLIDE 3
ARMResearch
Qualities of a Specification
Applicability Scope Trustworthiness
3
SLIDE 4
ARMResearch
Applicability
A-class (phones/tablets/servers) R-class (real-time, lock-step support) M-class (microcontroller)
4
v6 (1997) v7 (2005) v8.0 (2013) v8.1 (2015) v8.2 (2016)
SLIDE 5
ARMResearch
Scope
Compiler targeted instructions? User-level instructions? User+Supervisor? User+Supervisor+Hypervisor+Secure Monitor?
5
SLIDE 6
ARMResearch
ISA Specification - ASL
6
Check Validity Get Operands Set Result Register Set Flags Opcode
SLIDE 7
ARMResearch
System Architecture Specification
7
SLIDE 8
ARMResearch
8
v8-A v8-M Instructions
Int/FP/SIMD
26,000 6,000 Exceptions 4,000 3,000 Memory 3,000 1,000 Debug 3,000 1,000 Misc 5,500 2,000 (Test support) 1,500 2,000 Total 43,000 15,000
ARM Spec (lines of code)
SLIDE 9
ARMResearch
System Register Spec
9
v8-A v8-M Registers 586 186 Fields 3951 622 Constant aoe 985 177 Reserved 940 208
- Impl. Defined
70 10 Passive 1888 165 Active 68 62 Operations 112 10
SLIDE 10
ARMResearch
Trustworthiness
10
SLIDE 11
ARMResearch
Trustworthiness
ARM’s specification is correct by definition
10
SLIDE 12
ARMResearch
Trustworthiness
ARM’s specification is correct by definition
10
SLIDE 13
ARMResearch
Trustworthiness
Does the specification match the behaviour
- f all ARM processors?
11
SLIDE 14
ARMResearch
12
ARM Spec Oracle
Test S'mulus =?=
SLIDE 15
ARMResearch
13
ARM Spec Oracle
Directed Tests Random Tests … Memory Tests IRQ Generators =?=
SLIDE 16
ARMResearch
14
ARM Spec Oracle
Directed Tests Random Tests … Memory Tests IRQ Generators Self-checking Bus monitors Trace compare
SLIDE 17
ARMResearch
Architecture Conformance Suite
Processor architectural compliance sign-off Large
v8-A 11,000 test programs, > 2 billion instructions v8-M 3,500 test programs, > 250 million instructions
Thorough
Tests dark corners of specification
15
SLIDE 18
ARMResearch
16
0% 25% 50% 75% 100%v8-A v8-M
0% 25% 50% 75% 100% SLIDE 19
ARMResearch
17
ASL Interpreter ARM Spec ELF Test
Pass / Fail Implementa'on Defined
Trustworthy Specifica'ons of ARM v8-A and v8-M System Level Architecture, FMCAD 2016
SLIDE 20
ARMResearch
18
Model Checker ARM Spec ARM CPU
Counterexample Counterexample
End to End Verifica'on of ARM Processors with ISA-Formal, CAV 2016
SLIDE 21
ARMResearch
19
ASL Interpreter ARM Spec mbedOS
Implementa'on Defined
(Work by Jon French and Nathan Chong)
SLIDE 22
ARMResearch
20
AFL Fuzzer ARM Spec mbedOS
Bugs
(Work by Jon French and Nathan Chong)
SLIDE 23
ARMResearch
Creating a Virtuous Cycle
21
ARM Spec
AFL Fuzzer ARM Conformance TestSuite Processor Verifica'on Boot OS Informa'on Flow Analysis Random Instruc'on Sequences Testcase Genera'on So_ware Verifica'on
SLIDE 24
ARMResearch
Preparing public release of ARM v8-A specification
- Enable formal verification of software and tools
- Public release planned for 2016 Q4
- Liberal license
- REMS group currently translating to SAIL
Talk to me about how I can help you use it
22
SLIDE 25
ARMResearch
CPU Specifications
Basis of a lot of formal verification Too large to be “obviously correct” Reusable specs enable “virtuous cycle” Greater effort to produce Share testing / maintenance effort More likely to be correct Preparing public release of machine readable ARM Specification
23
SLIDE 26