

# arm



# Specifications: The Next Verification Bottleneck

Alastair Reid

Arm Research  
[@alastair\\_d\\_reid](https://twitter.com/alastair_d_reid)

# Overview

1. What specifications do we need?
2. ARM's formal processor specifications
3. Three steps I took to create good specifications

Designs processors, designs architecture, licenses architecture

16B processors / year

(also GPUs, IoT, ...)

## Security Research Group

- Develop and analyse security extensions
- Create framework for verifying products
- We are hiring: full time, research internships



# Specifications we need

Linux sys calls

C stdlib

TCP/IP, UDP, ...

TSL

NTP, DNS, NFS, ...

WiFi, Bluetooth, Zigbee, ...

USB, SD card, ...

Processor page tables

Interrupt handler

Device driver API

Filesystem format

ISO C

Gcc/LLVM extensions

Inline assembly

ELF / linkerscript

Weak memory model

X11/Gtk+/...

Javascript, CSS, SVG, ...

PHP, ...

# Trusted Computing Base (!= Trustworthy Computing Base)

*a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security*

— Lampson

*the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy*

— Orange Book (US DoD)

# Specifications for real world software/hardware

Unavoidable

Multiple implementations

Multiple versions of each implementation

Spec must include all quirks of recent versions of major implementations to be useful

Existing specification = English + Tables + Pseudocode

Existing community may not value formal spec at first

# Creating trustworthy specifications

# The state of most processor specifications

Large (1000s of pages)

Broad (10+ years of implementations, multiple manufacturers)

Complex (exceptions, weak memory, ...)

Informal (mostly English prose)

We are all just learning how to (retrospectively) formalize specifications

# Arm Processor Specifications

## A-class (phones, tablets, servers, ...)

**6,000 pages**

**40,000 line formal specification**

Instructions (32/64-bit)

Exceptions / Interrupts

Memory protection

Page tables

Multiple privilege levels

System control registers

Debug / trace

## M-class (microcontrollers, IoT)

**1,200 pages**

**15,000 line formal specification**

Instructions (32-bit)

Exceptions / Interrupts

Memory protection

~~Page tables~~

Multiple privilege levels

System control registers

Debug / trace

# English prose

R<sub>JRJC</sub>

Exit from lockup is by any of the following:

- A Cold reset.
- A Warm reset.
- Entry to Debug state.
- Preemption by a higher priority exception.

R<sub>VGNW</sub>

Entry to lockup from an exception causes:

- Any Fault Status Registers associated with the exception to be updated.
- No update to the exception state, pending or active.
- The PC to be set to 0xFFFFFFFF.
- EPSR.IT to become UNKNOWN.

In addition, HFSR.FORCED is not set to 1.

# Pseudocode

**Encoding A1** ARMv4\*, ARMv5T\*, ARMv6\*, ARMv7

ADC{S}<C> <Rd>, <Rn>, <Rm>{, <shift>}

|      |    |    |    |    |    |    |    |    |    |    |      |      |    |    |    |    |    |    |    |    |    |   |   |   |   |   |   |   |   |   |   |  |
|------|----|----|----|----|----|----|----|----|----|----|------|------|----|----|----|----|----|----|----|----|----|---|---|---|---|---|---|---|---|---|---|--|
| 31   | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20   | 19   | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |  |
| cond | 0  | 0  | 0  | 0  | 1  | 0  | 1  | S  | Rn | Rd | imm5 | type | 0  | Rm |    |    |    |    |    |    |    |   |   |   |   |   |   |   |   |   |   |  |

```
if Rd == '1111' && S == '1' then SEE SUBS PC, LR and related instructions;  
d = UInt(Rd); n = UInt(Rn); m = UInt(Rm); setflags = (S == '1');  
(shift_t, shift_n) = DecodeImmShift(type, imm5);
```

```
if ConditionPassed() then  
    EncodingSpecificOperations();  
    shifted = Shift(R[m], shift_t, shift_n, APSR.C);  
    (result, carry, overflow) = AddWithCarry(R[n], shifted, APSR.C);  
    if d == 15 then          // Can only occur for ARM encoding  
        ALUWritePC(result); // setflags is always FALSE here  
    else  
        R[d] = result;  
        if setflags then  
            APSR.N = result<31>;  
            APSR.Z = IsZeroBit(result);  
            APSR.C = carry;  
            APSR.V = overflow;
```

# System Architecture Specification

```
AArch64.DataAbort(bits(64) vaddress, FaultRecord fault)

route_to_el3 = HaveEL(EL3) && SCR_EL3.EA == '1' && IsExternalAbort(fault);
route_to_el2 = (HaveEL(EL2) && !IsSecure() && PSTATE.EL IN {EL0,EL1} &&
                (HCR_EL2.TGE == '1' || IsSecondStage(fault)));

bits(64) preferred_exception_return = ThisInstrAddr();
vect_offset = 0x0;

exception = AArch64.AbortSyndrome(Exception_DataAbort, fault, vaddress);

if PSTATE.EL == EL3 || route_to_el3 then
    AArch64.TakeException(EL3, exception, preferred_exception_return, vect_offset);
elseif PSTATE.EL == EL2 || route_to_el2 then
    AArch64.TakeException(EL2, exception, preferred_exception_return, vect_offset);
else
    AArch64.TakeException(EL1, exception, preferred_exception_return, vect_offset);
```

# Arm Architecture Specification Language (ASL)

Indentation-based syntax

Imperative

First-order

Strongly typed (type inference, polymorphism, dependent types)

Bit-vectors

Unbounded integers

Infinite precision reals

Arrays, Records, Enumerations

Exceptions

# ARM Spec (lines of code)

|                                    | v8-A          | v8-M          |
|------------------------------------|---------------|---------------|
| <b>Instructions</b><br>Int/FP/SIMD | 26,000        | 6,000         |
| <b>Exceptions</b>                  | 4,000         | 3,000         |
| <b>Memory</b>                      | 3,000         | 1,000         |
| <b>Debug</b>                       | 3,000         | 1,000         |
| <b>Misc</b>                        | 5,500         | 2,000         |
| <b>(Test support)</b>              | 1,500         | 2,000         |
| <b>Total</b>                       | <b>43,000</b> | <b>15,000</b> |

# System Register Spec

|                      | v8-A | v8-M |
|----------------------|------|------|
| <b>Registers</b>     | 586  | 186  |
| <b>Fields</b>        | 3951 | 622  |
| <b>Constant</b>      | 985  | 177  |
| <b>Reserved</b>      | 940  | 208  |
| <b>Impl. Defined</b> | 70   | 10   |
| <b>Passive</b>       | 1888 | 165  |
| <b>Active</b>        | 68   | 62   |
| <b>Operations</b>    | 112  | 10   |

# Trustworthiness

# Trustworthiness

ARM's specification is correct *by definition*

# Trustworthiness

ARM's specification is correct by definition

# Trustworthiness

Does the specification match the behaviour  
of all ARM processors?



# Architectural Conformance Suite

Processor architectural compliance sign-off

Large

- v8-A 11,000 test programs, > 2 billion instructions
- v8-M 3,500 test programs, > 250 million instructions

Thorough

- Tests dark corners of specification

# Progress in testing Arm specification



- Does not parse, does not typecheck
- Can't get out of reset
- Can't execute first instruction
- Can't execute first 100 instructions
- ...
- Passes 90% of tests
- Passes 99% of tests
- ...

# Measuring architecture coverage of tests

Untested:  $op1 * op2 == -3.0$ , FPCR.RND=-Inf

```
bits(N) FPRSqrtStepFused(bits(N) op1, bits(N) op2)
    assert N IN {32, 64};
    bits(N) result;
    op1 = FPNeg(op1); // per FMSUB/FMLS
    (type1,sign1,value1) = FPUnpack(op1, FPCR);
    (type2,sign2,value2) = FPUnpack(op2, FPCR);
    (done,result) = FPProcessNaNs(type1, type2, op1, op2, FPCR);
    if !done then
        inf1 = (type1 == FPType_Infinity);
        inf2 = (type2 == FPType_Infinity);
        zero1 = (type1 == FPType_Zero);
        zero2 = (type2 == FPType_Zero);
        if (inf1 && zero2) || (zero1 && inf2) then
            result = FPOnePointFive('0');
        elseif inf1 || inf2 then
            result = FPInfinity(sign1 EOR sign2, N);
        else
            // Fully fused multiply-add and halve
            result_value = (3.0 + (value1 * value2)) / 2.0;
            if result_value == 0.0 then
                // Sign of exact zero result depends on rounding mode
                sign = if FPCRounding() == FPRounding_NEGINF then '1' else '0';
                result = FPZero(sign, N);
            else
                result = FPRound(result_value, FPCRounding());
    return result;
```

The diagram illustrates the execution flow of the provided C code. The code handles floating-point multiplication and rounding. A green bar indicates tested code, a red bar indicates unexecuted code, and a grey bar indicates code that is both unexecuted and untested. The code starts with assertions for N (32 or 64 bits) and initializes variables. It then unpacks the floating-point numbers (op1 and op2) into their type, sign, and value components. It checks for NaNs and handles them by setting the result to either infinity or zero based on the rounding mode. For non-NaN cases, it performs a fully fused multiply-add and halve operation to calculate the result value. Finally, it rounds the result value according to the current rounding mode and returns the result. The code is annotated with 'TESTED' in green boxes and 'UNEXECUTED' in red boxes.

# Creating a Virtuous Cycle



“End to End Verification of ARM processors with ISA Formal,” CAV 2016

# Formal validation of processors

# Checking an instruction

ADD

# Checking an instruction



**IF**



**ID**



**EX**

**MEM**

**WB**





# Errors ISA-Formal can catch

- Errors in decode
  - Errors in data path
  - Errors in forwarding logic
  - Errors in register renaming
  - Errors in exception handling
  - Errors in speculative execution
- 
- No Context {
- Context {

# Specifying ADD

|    |    |    |    |    |    |   |   |    |   |    |   |    |   |   |   |
|----|----|----|----|----|----|---|---|----|---|----|---|----|---|---|---|
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7  | 6 | 5  | 4 | 3  | 2 | 1 | 0 |
| 0  | 0  | 0  | 1  | 1  | 0  | 0 |   | Rm |   | Rn |   | Rd |   |   |   |

```
assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000)
                      == 16'b0001_1000_0000_0000;
assign ADD_result   = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];
assign ADD_Rd       = pre.opcode[2:0];

assert property (@(posedge clk) disable iff (~reset_n)
    ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));
```

# ISA Formal

- Finds complex bugs in processor pipelines
- Applied to wide range of μArchitectures
- Uses translation of ARM's internal ISA specification





# Challenges

- Complex Functional Units
  - FP
  - Memory
- Dual Issue
- Instruction Fusion
- Register Renaming
- Out-of-order Retire

**IF**



**ID**



**MEM**

**WB**









# FP Subset Behaviour

| <i>FPAAdd</i> | $-\infty$ | -1        | 0         | 1         | $\infty$  |
|---------------|-----------|-----------|-----------|-----------|-----------|
| $-\infty$     | $-\infty$ | $-\infty$ | $-\infty$ | $-\infty$ | $-\infty$ |
| -1            | $-\infty$ |           | -1        | 0         | $\infty$  |
| 0             | $-\infty$ | -1        | 0         | 1         | $\infty$  |
| 1             | $-\infty$ | 0         | 1         |           | $\infty$  |
| $\infty$      |           | $\infty$  | $\infty$  | $\infty$  | $\infty$  |

# ISA Formal

- Finds complex bugs in processor pipelines
- Applied to wide range of μArchitectures
- **Uses translation of ARM's internal ISA specification**

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   |   |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     |     |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   |   |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     | ✓   |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         |     | ✓   | ✓ |     |       |
| NZCV        |     |     |   |     |       |
| SP          |     | ✓   |   |     |       |
| PC          |     |     | ✓ |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ |     |       |
| NZCV        | ✓   |     |   |     |       |
| SP          | ✓   | ✓   |   |     |       |
| PC          |     |     | ✓ |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

But this is slow  
and inconsistent

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        |     |     |   |     |       |
| SP          |     |     |   |     |       |
| PC          |     |     |   |     |       |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] |     |     |   |     |       |
| FPSR        |     |     |   |     |       |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     |     |     |   |     |       |
| MemWrite    |     |     |   |     |       |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemWrite    | ✓   | ✓   | ✓ | ✓   | ✓     |
| SysRegRW    |     |     |   |     |       |
| ELR         |     |     |   |     |       |
| ESR         |     |     |   |     |       |
| ...         |     |     |   |     |       |

# ISA-Formal Properties

|             | ADC | ADD | B | ... | YIELD |
|-------------|-----|-----|---|-----|-------|
| R[]         | ✓   | ✓   | ✓ | ✓   | ✓     |
| NZCV        | ✓   | ✓   | ✓ | ✓   | ✓     |
| SP          | ✓   | ✓   | ✓ | ✓   | ✓     |
| PC          | ✓   | ✓   | ✓ | ✓   | ✓     |
| S[],D[],V[] | ✓   | ✓   | ✓ | ✓   | ✓     |
| FPSR        | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemRead     | ✓   | ✓   | ✓ | ✓   | ✓     |
| MemWrite    | ✓   | ✓   | ✓ | ✓   | ✓     |
| SysRegRW    | ✓   | ✓   | ✓ | ✓   | ✓     |
| ELR         | ✓   | ✓   | ✓ | ✓   | ✓     |
| ESR         | ✓   | ✓   | ✓ | ✓   | ✓     |
| ...         |     |     |   |     |       |





---

|           |     |
|-----------|-----|
| FP/SIMD   | 25% |
| Memory    | 21% |
| Branch    | 21% |
| Integer   | 18% |
| Exception | 8%  |
| System    | 7%  |

---

## Defect Detection by Area

# Arm CPUs verified with ISA-Formal

## A-class

Cortex-A53

Cortex-A32

Cortex-A35

Cortex-A55

Next generation

## R-class

Cortex-R52

Next generation

## M-class

Cortex-M4

Cortex-M7

Cortex-M33

Next generation

**Cambridge Projects**

## Rolling out globally to other design centres

Sophia, France - Cortex-A75 (partial)

Austin, USA - TBA

Chandler, USA - TBA

# Formal validation of specifications

# One Specification to rule them all?



# Creating a redundant specification

Where to get a list of redundant properties from?

How to formalise this list?

How to formally validate specification against properties?

(This may look familiar from formal specification of software)

## Rule JRJC

Exit from lockup is by any of the following:

- A Cold reset.
- A Warm reset.
- Entry to Debug state.
- Preemption by a higher priority processor exception.

## Rule R

State Change X is by any of the following:

- Event A
- Event B
- State Change C
- Event D

## Rule R

State Change X is by any of the following:

- Event A
- Event B
- State Change C
- Event D

And cannot happen any other way

## Rule R

State Change X is by any of the following:

- Event A
- Event B
- State Change C
- Event D

And cannot happen any other way

Rule R:  $X \rightarrow A \vee B \vee C \vee D$

## State Change X

Exit from lockup

Fell(LockedUp)

## Event A

A Cold reset

Called(TakeColdReset)

## Event B

A Warm reset

Called(TakeReset)

## State Change C

Entry to Debug state

Rose(Halted)

## Event D

Preemption by a higher priority processor exception

Called(ExceptionEntry)

Fell(LockedUp) → Called(TakeColdReset)

- ∨ Called(TakeReset)
- ∨ Rose(Halted)
- ∨ Called(ExceptionEntry)

## Rule VGNW

Entry to lockup from an exception causes

- Any Fault Status Registers associated with the exception to be updated.

Out of date

- No update to the exception state, pending or active.

Misleading

- The PC to be set to 0xFFFFFFFFE.

Untestable

- EPSR.IT to become UNKNOWN.

Ambiguous

- In addition, HFSR.FORCED is not set to 1.



## Temporal Operators

Fell(LockedUp)

$\rightarrow$  Called(TakeColdReset)

$\vee$  Called(TakeReset)

$\vee$  Rose(Halted)

$\vee$  Called(ExceptionEntry)

## Event Operators

# Temporal Operators

Fell(e)



$\text{Past}(e) > e$

Stable(e)



$\text{Past}(e) = e$

Rose(e)



$\text{Past}(e) < e$

# Temporal Operators

Fell(LockedUp)



```
__Past_LockedUp = LockedUp;  
FunctionUnderTest();  
... __Past_LockedUp > LockedUp ...
```

# Event Operators

Called(TakeReset)



```
TakeReset ()  
{  
    __Called_TakeReset = TRUE;  
    ...  
}
```

```
    __Called_TakeColdReset      = FALSE;  
    __Called_TakeReset        = FALSE;  
    __Called_TakeExceptionEntry = FALSE;  
    __Past_LockedUp = LockedUp;  
    __Past_Halted   = Halted;
```

### **FunctionUnderTest();**

```
assert( ( __Past_LockedUp > LockedUp)  
       ==>  
         ( __Called_TakeColdReset  
         || __Called_TakeReset  
         || __Past_Halted < Halted  
         || __Called_ExceptionEntry) );
```

## Rule JRJC

Exit from lockup is by any of the following:

- A Cold reset.
  - A Warm reset.
  - Entry to Debug state.
  - Preemption by a higher priority processor exception.

Fell(LockedUp) → Called(TakeColdReset)

✓ Called(TakeReset)

∨ Rose(Halted)

✓ Called(ExceptionEntry)

# Arm Specification Language



# SMT

Arithmetic operations

Boolean operations

Bit Vectors

Arrays

Functions

Local Variables

Statements

Assignments

If-statements

Loops

Exceptions

Arithmetic operations

Boolean operations

Bit Vectors

Arrays

Functions

Local Variables

Statements

Assignments

If statements

Loops

Exceptions

## Results (more in OOPSLA paper)

Most properties proved in under 100 seconds

Found 12 bugs in specification:

- debug, exceptions, system registers, security

Found bugs in English prose:

- ambiguous, imprecise, incorrect, ...



# Public release of machine readable Arm specification

Enable formal verification of software and tools

Releases

April 2017: v8.2

July 2017: v8.3

Working with Cambridge University REMS group to convert to SAIL

Backends for HOL, OCaml, Memory model, (hopefully Coq too)

Specification: <https://developer.arm.com/products/architecture/a-profile/exploration-tools>

Tools: [https://github.com/alastairreid/mra\\_tools](https://github.com/alastairreid/mra_tools)

(See also: <https://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat>)

Talk to me about how I can help you use it

# Specifications: The next bottleneck

We will need a lot of specs

Of real world s/w + h/w

Specs are a large part of TCB

How are we going to create them?

How are we going to trust them?

Test the specifications you depend on

Formally validate/verify implementations

Create redundant specifications

Ensure specifications have many uses

Don't write spec in Coq/HOL/ACL2/...



# Thanks

Alasdair Armstrong (Cambridge U.)  
Alex Chadwick (ARM)  
Ali Zaidi (ARM)  
Anastasios Deligiannis (ARM)  
Anthony Fox (Cambridge U.)  
Ashan Pathirane (ARM)  
Belaji Venu (ARM)  
Bradley Smith (ARM)  
Brian Foley (ARM)  
Curtis Dunham (ARM)  
David Gilday (ARM)  
David Hoyes (ARM)  
David Seal (ARM)  
Daniel Bailey (ARM)  
Erin Shepherd (ARM)  
Francois Botman (ARM)

George Hawes (ARM)  
Graeme Barnes (ARM)  
Isobel Hooper (ARM)  
Jack Andrews (ARM)  
Jacob Eapen (ARM)  
Jon French (Cambridge U.)  
Kathy Gray (Cambridge U.)  
Krassy Gochev (ARM)  
Lewis Russell (ARM)  
Matthew Leach (ARM)  
Meenu Gupta (ARM)  
Michele Riga (ARM)  
Milosch Meriac (ARM)  
Nigel Stephens (ARM)  
Niyas Sait (ARM)  
Peng Wang (ARM)

Peter Sewell (Cambridge U.)  
Peter Vrabel (ARM)  
Richard Grisenthwaite (ARM)  
Rick Chen (ARM)  
Simon Bellew (ARM)  
Thomas Grocott (ARM)  
Will Deacon (ARM)  
Will Keen (ARM)  
Wojciech Meyer (ARM)  
(and others)

Thank You!

Danke!

Merci!

谢谢!

ありがとう!

Gracias!

Kiitos!

@alastair\_d\_reid

arm

“Trustworthy Specifications of the ARM v8-A and v8-M architecture,” FMCAD 2016

“End to End Verification of ARM processors with ISA Formal,” CAV 2016

“Who guards the guards? Formal Validation of ARM v8-M Specifications,” OOPSLA 2017