## **Precise Exceptions in Relaxed Architectures**

Ben Simner<sup>1</sup> Alasdair Armstrong<sup>1</sup> Thomas Bauereiss<sup>1</sup> Brian Campbell<sup>2</sup> Ohad Kammar<sup>2</sup> Jean Pichon-Pharabod<sup>3</sup> Peter Sewell<sup>1</sup>

...in collaboration with Arm

<sup>1</sup>University of Cambridge <sup>2</sup>University of Edinburgh <sup>3</sup>Aarhus University 2025-06

*Precision* (à la Hennessy & Patterson): exceptions appear to execute **between** instructions

sequential definition incompatible?

w/ relaxed architectures (e.g. Arm)

## Relaxed memory — Observably out-of-order on Arm

Arm, RISC-V, and POWER allow observable outof-order and speculative execution



[A tree of partially and completely executed fetch-decode-execute instances, on a single hardware thread, in real-hardware or operational-model execution.]







## Precision: not just a fence?

- · out-of-order execution across exceptions?
- · speculation?
- · store forwarding?
- · context synchronisation?

- external aborts: might-raise-exception?
- interrupts? ...and the GIC?
- how to specify all this, w.r.t. the architectural intent, hardware behaviour, and system-software requirements?

## **Contributions**

Testing hardware: Custom test harness with over 60 hand-written litmus tests.



rpi5 \$ ./harness\_kvm SB+svc-erets -n500k -q
Test SB+svc-erets Allowed
States 4
229760:>0:X2=1;1:X2=1;
95467:>0:X2=0;1:X2=1;
174771:>0:X2=1;1:X2=0;
2:>0:X2=0;1:X2=0;
0k
Witnesses
Positive: 2 Negative: 499998
Observation SB+svc-erets Sometimes 2 499998
Time SB+svc-erets 214.449

| Name                  | m6g                             | m7g                             | m8g                             | odroid                           | m2                   | pi3                             | pi4                              | pi5                              |
|-----------------------|---------------------------------|---------------------------------|---------------------------------|----------------------------------|----------------------|---------------------------------|----------------------------------|----------------------------------|
| MP+dmb+ctrl-svc       | 0/ <sub>16M</sub>               | 0/ <sub>24M</sub>               | $\theta/_{12M}$                 | θ/ <sub>329M</sub>               | θ/ <sub>368M</sub>   | θ/ <sub>10M</sub>               | θ/ <sub>23θM</sub>               | θ/ <sub>136M</sub>               |
| MP+dmb+ctrlelr        | 0/ <sub>16M</sub>               | θ/ <sub>24M</sub>               | θ/ <sub>12M</sub>               | θ/ <sub>329M</sub>               | θ/ <sub>366M</sub>   | θ/ <sub>30M</sub>               | θ/ <sub>318M</sub>               | θ/ <sub>130M</sub>               |
| MP+svc-eret+addr      | U <sub>0</sub> / <sub>16M</sub> | U0/24M                          | U <sub>0</sub> / <sub>12M</sub> | 149K/ <sub>328M</sub>            | U <sub>0</sub> /360M | 376/ <sub>9M</sub>              | U <sub>0</sub> / <sub>228M</sub> | 12/ <sub>136M</sub>              |
| MP.EL1+dmb+dataesrsvc | 0/ <sub>16M</sub>               | 0/ <sub>24M</sub>               | θ/ <sub>12M</sub>               | 0/ <sub>16M</sub>                | ⁰/₀                  | θ/ <sub>4M</sub>                | 0/ <sub>14M</sub>                | θ/ <sub>27M</sub>                |
| S+dmb+svc             | U0/16M                          | U0/24M                          | $^{U_{\theta}}/_{12M}$          | U <sub>0</sub> / <sub>328M</sub> | U <sub>0</sub> /360M | U <sub>0</sub> / <sub>41M</sub> | U <sub>0</sub> / <sub>222M</sub> | U <sub>0</sub> / <sub>101M</sub> |
| SB+dmb+eret           | 60/ <sub>16M</sub>              | 120/ <sub>24M</sub>             | <sup>213</sup> / <sub>12M</sub> | <sup>262</sup> / <sub>328M</sub> | 12K/ <sub>366M</sub> | 203K/ <sub>41M</sub>            | 946K/ <sub>222M</sub>            | 4K/ <sub>100M</sub>              |
| SB+dmb+rfisvc-addr    | 4/ <sub>16M</sub>               | <sup>235</sup> / <sub>24M</sub> | 1K/ <sub>12M</sub>              | 305K/ <sub>328M</sub>            | 12/ <sub>368M</sub>  | 1M/ <sub>30M</sub>              | 7K/ <sub>316M</sub>              | 197K/ <sub>128M</sub>            |
| MP+dmb+fault          | 0/ <sub>16M</sub>               | θ/ <sub>24M</sub>               | θ/ <sub>12M</sub>               | 0/ <sub>74M</sub>                | θ/θ                  | θ/ <sub>2M</sub>                | 0/ <sub>46M</sub>                | θ/ <sub>80M</sub>                |
|                       |                                 |                                 |                                 |                                  |                      |                                 |                                  |                                  |

[Selected results. Observations/total runs.  $^{\mathrm{U}}$  =Allowed-but-unseen.]

A Model for Arm: OoO over exceptions.

Runnable in the Isla symbolic evaluator for Sail:

 $\$  isla-axiomatic [...] -model exn.cat SB+svc-erets.litmus.toml SB+svc-erets allowed (1 of 1) 2785ms ....... ?

Acknowledgements We thank Richard Grisenthwaite (Arm EVP, Chief Architect, and Fellow), Martin Weidmann (Director of Product Management, Arm Architecture and Technology Group), and Will Deacon (Google) for detailed discussions about the Arm architecture. We thank Ben Laurie and Sarah de Haas (Google) for their support. We thank Jonathan Woodruff and others at the CL for their insightful discussions. This work was funded in part by Google. This work was funded in part by Arm. This work was funded in part by a funded in part by the Amazon Research Awards (Pichon-Pharabod; Sewell and Simner). This work was funded in part by UK Research and Innovation (UKRI) under the UK government's Horizon Europe funding guarantee for ERC-AdG-2022, EP/Y035976/1 SAFER. This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 789108, ERC-AdG-2017 ELVER). This work is supported by ERC-2024-POC grant ELVER-CHECK, 101189371. Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Union nor the granting authority can be held responsible for them. This work was supported by the Innovate UK project Digital Security by Design (DSbD) Technology Platform Prototype, 105694. The authors would like to thank the Isaac Newton Institute for Mathematical Sciences, Cambridge, for support and hospitality during the programme Big Specification, where work on this paper was undertaken. This work was supported by EPSRC grant EP/Z000580/1. This work was funded in part by a Royal Society University Research Fellowship. One of the authors has received funding from the UK Advanced Research and Innovation Agency (ARIA) as part of the project Obs4Safety: Core Representation Underlying Safeguarded AI.