An Isabelle/HOL Formalisation of the SPARC Instruction Set Architecture and the TSO Memory Model

Journal of Automated Reasoning

Abstract

The SPARC instruction set architecture (ISA) has been used in various processors in workstations, embedded systems, and mission-critical industries such as aviation and space engineering. Hence, it is important to provide formal frameworks that facilitate the verification of hardware and software that run on or interface with these processors. In this work, we give the first formal model of the multi-core SPARC ISA and the Total Store Ordering (TSO) memory model in Isabelle/HOL. We present two levels of modelling for the ISA. The low-level ISA model, which is executable, covers many features specific to SPARC processors, such as delayed-write for control registers, windowed general registers, and more complex memory access. We have tested this model extensively against a LEON3 simulation board; the tests cover both single-step executions and sequential execution of programs. We also prove some important properties of our formal model, including a non-interference property for the LEON3 processor. The high-level ISA model is an abstraction of the low-level model and provides an interface for memory operations in multi-core processors. On top of the high-level ISA model, we formalise two TSO memory models: one is an adaptation of the axiomatic SPARC TSO model (Sindhu et al., Formal specification of memory models, Springer, Boston, 1992 [48]; SPARC, The SPARC architecture manual version 8, 1992, http://gaisler.com/doc/sparcv8.pdf [50]), the other is a new operational TSO model which is suitable for verifying execution results. We prove that the operational model is sound and complete with respect to the axiomatic model. Finally, we give verification examples with two case studies drawn from the SPARCv9 manual.


Figures 1–6 are not reproduced in this preview (Figs. 2 and 3: source [50]).


Notes

  1. We thank Charles Zhang for his help with our experiment setup.

  2. Isabelle/HOL code for proofs is at https://github.com/CompSoftVer/SPARCv8-Models.

References

  1. Alglave, J., Maranget, L., Sarkar, S., Sewell, P.: Fences in Weak Memory Models, pp. 258–272. Springer, Berlin (2010)

  2. Alglave, J., Maranget, L., Tautschnig, M.: Herding cats: modelling, simulation, testing, and data mining for weak memory. ACM Trans. Program. Lang. Syst. 36(2), 1–74 (2014)

  3. Aspinall, D., Ševčík, J.: Formalising Java’s Data Race Free Guarantee, pp. 22–37. Springer, Berlin (2007)

  4. Atkey, R.: CoqJVM: an executable specification of the Java virtual machine using dependent types. In: TYPES, LNCS, pp. 18–32. Springer (2005)

  5. Boudol, G., Petri, G.: Relaxed memory models: an operational approach. In: Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, Savannah, GA, USA, 21–23 January 2009, pp. 392–403 (2009)

  6. Burckhardt, S., Musuvathi, M.: Effective Program Verification for Relaxed Memory Models, pp. 107–120. Springer, Berlin (2008)

  7. Campbell, B., Stark, I.: Randomised testing of a microprocessor model using SMT-solver state generation. In: FMICS 2014, pp. 185–199. Springer (2014)

  8. Cock, D., Klein, G., Sewell, T.: Secure microkernels, state monads and scalable refinement. In: Theorem Proving in Higher Order Logics, volume 5170 of LNCS, pp. 167–182. Springer (2008)

  9. Crary, K., Sullivan, M.J.: A calculus for relaxed memory. In: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’15, pp. 623–636. ACM (2015)

  10. Dasgupta, S., Park, D., Kasampalis, T., Adve, V.S., Roşu, G.: A complete formal semantics of x86-64 user-level instruction set architecture. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, New York, NY, USA, pp. 1133–1148. Association for Computing Machinery (2019)

  11. El Kady, S., Khater, M., Alhafnawi, M.: MIPS, ARM and SPARC-an architecture comparison. In: Proceedings of the World Congress on Engineering, vol. 1 (2014)

  12. ESA. ESA LEON processor. http://www.esa.int/Our_Activities/Space_Engineering_Technology/LEON_the_space_chip_that_Europe_built (2017). Accessed 19 June 2016

  13. Flur, S., Gray, K.E., Pulte, C., Sarkar, S., Sezgin, A., Maranget, L., Deacon, W., Sewell, P.: Modelling the ARMv8 architecture, operationally: concurrency and ISA. SIGPLAN Not. 51(1), 608–621 (2016)

  14. Fox, A.: Formal specification and verification of ARM6. In: Theorem Proving in Higher Order Logics, volume 2758 of LNCS, pp. 25–40. Springer (2003)

  15. Fox, A.: Directions in ISA Specification. In: Interactive Theorem Proving, volume 7406 of LNCS, pp. 338–344. Springer, Berlin (2012)

  16. Fox, A.: Improved tool support for machine-code decompilation in HOL4. In: Interactive Theorem Proving, pp. 187–202 (2015)

  17. Fox, A., Myreen, M.O.: A trustworthy monadic formalization of the ARMv7 instruction set architecture. In: Interactive Theorem Proving, pp. 243–258 (2010)

  18. Fujitsu. K computer. http://www.top500.org/system/177232 (2017). Accessed 19 June 2016

  19. Gaisler. LEON3 processor. http://www.gaisler.com/index.php/products/processors/leon3 (2017). Accessed 19 June 2017

  20. Goel, S.: Formal verification of application and system programs based on a validated x86 ISA model. Ph.D. Thesis, The University of Texas at Austin (2016)

  21. Goel, S., Hunt, W.A., Kaufmann, M.: Abstract Stobjs and their application to ISA modeling. In: ACL2 2013, pp. 54–69 (2013)

  22. Gray, K.E., Kerneis, G., Mulligan, D., Pulte, C., Sarkar, S., Sewell, P.: An integrated concurrency and core-ISA architectural envelope definition, and test oracle, for IBM POWER multiprocessors. In: Proceedings of the 48th International Symposium on Microarchitecture, MICRO-48, pp. 635–646. ACM (2015)

  23. Hangal, S., Vahia, D., Manovit, C., Lu, J.-Y.J.: TSOtool: a program for verifying memory systems using the memory consistency model. SIGARCH Comput. Archit. News 32(2), 114 (2004)

  24. Higham, L., Kawash, J., Verwaal, N.: Defining and comparing memory consistency models. In: Proceedings of the 10th International Conference on Parallel and Distributed Computing Systems, pp. 349–356 (1997)

  25. Hou, Z., Sanán, D., Tiu, A., Liu, Y., Hoa, K.C.: An executable formalisation of the SPARCv8 instruction set architecture: a case study for the LEON3 processor. In: FM 2016: Formal Methods, 21st International Symposium, 2016, Proceedings, pp. 388–405 (2016)

  26. Khakpour, N., Schwarz, O., Dam, M.: Machine assisted proof of ARMv7 instruction level isolation properties. In: Certified Programs and Proofs, vol. 8307, pp. 276–291. LNCS (2013)

  27. Leroy, X.: Formal certification of a compiler back-end, or: programming a compiler with a proof assistant. In: Proceedings of the 33rd ACM Symposium on Principles of Programming Languages (2006)

  28. Leroy, X.: The CompCert C verified compiler. http://compcert.inria.fr/man/manual.pdf (2015). Accessed 29 January 2016

  29. Lim, J., Reps, T.: TSL: a system for generating abstract interpreters and its application to machine-code analysis. ACM Trans. Program. Lang. Syst. 35(1), 1–59 (2013)

  30. Liu, H., Moore, J.S.: Executable JVM model for analytical reasoning: a study. In: Proceedings of the 2003 Workshop on Interpreters, Virtual Machines and Emulators, pp. 15–23. ACM (2003)

  31. Loewenstein, P., Chaudhry, S.: Multiprocessor memory model verification. In: Proceedings Automated Formal Methods. FLoC Workshop (2006)

  32. Lustig, D., Pellauer, M., Martonosi, M.: Pipecheck: specifying and verifying microarchitectural enforcement of memory consistency models. In: 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), Los Alamitos, CA, USA, pp. 635–646. IEEE Computer Society (2014)

  33. L3 specification language for ISAs. http://www.cl.cam.ac.uk/~acjf3/l3/. Accessed 9 December 2015

  34. Mulligan, D.P., Owens, S., Gray, K.E., Ridge, T., Sewell, P.: Lem: reusable engineering of real-world semantics. In: Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming, pp. 175–188 (2014)

  35. Owens, S.: Reasoning about the implementation of concurrency abstractions on x86-TSO. In: Proceedings of the 24th European Conference on Object-Oriented Programming, ECOOP’10, pp. 478–503 (2010)

  36. Owens, S., Sarkar, S., Sewell, P.: A Better x86 Memory Model: x86-TSO, pp. 391–407. Springer, Berlin (2009)

  37. Park, S., Dill, D.L.: An executable specification, analyzer and verifier for RMO (relaxed memory order). In: Proceedings of the Seventh Annual ACM Symposium on Parallel Algorithms and Architectures, SPAA ’95, pp. 34–41. ACM (1995)

  38. Petri, G.: Operational semantics of relaxed memory models. Ph.D. Thesis (2010)

  39. Pulte, C., Flur, S., Deacon, W., French, J., Sarkar, S., Sewell, P.: Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8. In: Proceedings of the ACM on Programming Languages, 2(POPL) (2017)

  40. RISC-V architecture. https://riscv.org/. Accessed 10 August 2016

  41. Roşu, G., Şerbănuţă, T.F.: An overview of the K semantic framework. J. Log. Algebr. Program. 79(6), 397–434 (2010)

  42. Roşu, G., Ştefănescu, A.: Towards a unified theory of operational and axiomatic semantics. In: Czumaj, A., Mehlhorn, K., Pitts, A., Wattenhofer, R. (eds.) Automata, Languages, and Programming, pp. 351–363. Springer, Berlin (2012)

  43. Roy, A., Zeisset, S., Fleckenstein, C.J., Huang, J.C.: Fast and Generalized Polynomial Time Memory Consistency Verification, pp. 503–516. Springer, Berlin (2006)

  44. Santoro, A., Park, W., Luckham, D.: SPARC-V9 architecture specification with Rapide. Technical Report, Stanford, CA, USA (1995)

  45. Sarkar, S., Sewell, P., Nardelli, F.Z., Owens, S., Ridge, T., Braibant, T., Myreen, M.O., Alglave, J.: The semantics of x86-CC multiprocessor machine code. In: Proceedings of the 36th Annual ACM Symposium on Principles of Programming Languages, pp. 379–391. ACM (2009)

  46. Securify. Securify: micro-kernel verification. http://securify.scse.ntu.edu.sg/MicroVer/. Accessed 20 March 2020

  47. Sewell, P., Sarkar, S., Owens, S., Nardelli, F.Z., Myreen, M.O.: x86-TSO: a rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM 53(7), 89–97 (2010)

  48. Sindhu, P.S., Frailong, J.-M., Cekleov, M.: Formal Specification of Memory Models, pp. 25–41. Springer, Boston (1992)

  49. Smith, G.: Principles of secure information flow analysis. In: Malware Detection, pp. 291–307 (2007)

  50. SPARC. The SPARC architecture manual version 8. http://gaisler.com/doc/sparcv8.pdf (1992). Accessed 27 October 2015

  51. SPARC. The SPARC architecture manual version 9. https://cr.yp.to/2005-590/sparcv9.pdf (1994). Accessed 12 June 2017

  52. Tianhe-2. http://top500.org/system/177999. Accessed 27 January 2016

  53. XtratuM. XtratuM hypervisor. http://www.xtratum.org/ (2017). Accessed 19 June 2017

  54. Yang, Y., Gopalakrishnan, G., Lindstrom, G., Slind, K.: Nemos: a framework for axiomatic and executable specifications of memory consistency models. In: 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings (2004)

  55. Zhao, Y., Sanán, D., Zhang, F., Liu, Y.: Reasoning about information flow security of separation kernels with channel-based communication. In: TACAS 2016, vol. 9636, pp. 791–810. Springer (2016)


Acknowledgements

This work has been partially supported by the National Satellite of Excellence in Trustworthy Software Systems (Award No. NRF2018NCR-NSOE003), and award NRF Investigatorship NRFI06-2020-0022, funded by NRF Singapore under National Cyber-security R&D (NCR) programme.

Author information

Correspondence to Zhé Hóu.


Cite this article

Hóu, Z., Sanan, D., Tiu, A. et al. An Isabelle/HOL Formalisation of the SPARC Instruction Set Architecture and the TSO Memory Model. J Autom Reasoning 65, 569–598 (2021). https://doi.org/10.1007/s10817-020-09579-4
