Shaked Flur, Christopher Pulte, Luc Maranget, Will Deacon, Susmit Sarkar, Ben Simner, Jean Pichon-Pharabod, Jeehoon Kang, Sung-Hwan Lee, Chung-Kil Hur, Alasdair Armstrong, Ohad Kammar, Jon French, Kathryn E. Gray, Ali Sezgin, Peter Sewell

Five years ago the concurrency semantics of the ARM processor architecture, while pervasive in practice, was poorly documented, understudied, and hard to reliably program, let alone formally reason about. Since then, partly due to our extended collaboration with Arm, its concurrency architecture has received a major revision, clarifying the semantics, simplifying and restricting the allowed concurrency behaviour, and including in the architecture an official formal concurrency specification co-developed and proved-equivalent with ours. RISC-V has recently adopted a semantics closely following that of ARMv8. In this talk we present three formal models of the ARMv8 and RISC-V concurrent architectures: (1) an abstract micro-architectural operational model, (2) an axiomatic model, and (3) a Promising-style operational model, together with their equivalence proofs, executable tools for exploring the semantics and checking the correctness of small concurrent data structure implementations, and ongoing work to extend the concurrency semantics to cover more features (the concurrency semantics of instruction fetches, synchronous exceptions, and virtual memory).

The rmem web interface http://www.cl.cam.ac.uk/users/pes20/rmem supports interactive exploration of these operational models, and the isla-axiomatic web interface https://isla-axiomatic.cl.cam.ac.uk/ supports exploration of the axiomatic models.