- 04 Feb, 2022 1 commit
-
-
Christian Dietrich authored
-
- 27 Oct, 2021 1 commit
-
-
Christian Dietrich authored
-
- 23 Aug, 2021 1 commit
-
-
Christian Dietrich authored
-
- 18 Aug, 2021 8 commits
-
-
Christian Dietrich authored
-
Christian Dietrich authored
Althought minstret isn't an model specific register, whereby it is not traced anymore. The problem is, that the increment of PC and time should be done atomic. However, due to our SAIL register tracing, it isn't.
-
Christian Dietrich authored
-
Christian Dietrich authored
-
Christian Dietrich authored
The translation from Sail register pointers should be done within the SailFailInterface as this is the correct place in the hierarchy of abstraction.
-
Christian Dietrich authored
-
Christian Dietrich authored
-
Christian Dietrich authored
-
- 17 Aug, 2021 4 commits
-
-
Christian Dietrich authored
-
Christian Dietrich authored
Until now we assumed that all memory event followed the instruction pointer event. However, since sail register tracing outputs register R/W event in an arbitarty order, MEMTYPE_REGISTER events can happen before and after the actual instruction pointer event. However, they all trace events have in common that they have the same time (t=). Therefore, we no derive the dynamic instruction (instr) from the time_delta.
-
Christian Dietrich authored
As SAIL register tracing is expensive, we only want to enable it for generating the golden run. For this, FAIL* communicates this wish to the simulator by setting the callback-function pointer `fail_onRegisterAccess` to !nullptr. We only enable this tracing, when a full trace is requsted.
-
Yannick Loeck authored
This commit introduces dynamic register tracing in Sail targets. For this, we modified the Sail compiler to produce fail_onRegisterAccess() functions calls within the compiled emulator when Sail registers and bitfields are accessed. In FAIL*, we record those accesses in the trace as MEMTYPE_REGISTER memory accesses. Thereby, we can use the whole downstream of importing and tracing without too much effort. Dynamic register tracing is enabled for the generic-tracing experiment: fail-generic-tracing -Wf,--full-trace ... If the user does not use the modified Sail compiler, we gracefully degrade to not use dynamic register accesses. Co-authored-by:
Christian Dietrich <dietrich@sra.uni-hannover.de> Co-authored-by:
Yannick Loeck <yannick.loeck@gmail.com>
-
- 16 Aug, 2021 2 commits
-
-
Christian Dietrich authored
-
Yannick Loeck authored
-
- 12 Aug, 2021 1 commit
-
-
Christian Dietrich authored
-
- 09 Aug, 2021 7 commits
-
-
Christian Dietrich authored
With this (large) patch, we integrate the riscv and cheri-riscv model as potential tracing and injection targets. This change also introduces the infratstructure to integrate other models with a relatively low overhead. Mixed into this patch are a few changes that are unrelated. I'm aware of this, but I have no desire to pull everything appart. The effort was large enough. - llvmdisassembler: bump version to 11.0.0 With 11.0.0, the llvmdisassemble broke FAIL*, since the LLVM's ELF.h used enums to define constants, while the system elf.h used preprocessor #define to define the same constants. Depending on the inclusion order, this broke horribly. Co-authored-by:
Christian Dietrich <dietrich@sra.uni-hannover.de> Co-authored-by:
Malte Bargholz <malte@screenri.de> Co-authored-by:
Marcel Budoj <marcel.budoj@googlemail.com>
-
Christian Dietrich authored
-
Christian Dietrich authored
This is a large change that will break your traces and your database layouts. However, it repairs a lot of ad-hoc hacks that came into FAIL* over the years. What has changed? ================= The Virtual Fault Space Abstraction ----------------------------------- Files: sal/faultspace/* sal/x86/X86Faultspace.* sal/arm/ArmFaultSpace.* Instead of mapping registers ad-hoc into the virtual address space in order to smuggle the bit-packed register-id from import-trace through prune-trace and DatabaseCampaign to the DatabaseExperiment, we make this mapping now official and adaptable to more complex architectures. From now on the data_address field in the database is a fsp_address_t. These addresses are translated by the FS abstraction within the importer, which uses the architecture specific description of the virtual fault space. Within our whole tool chain, we now only work with fault-space addresses, which are the Y-axis of our fault space. When the fault-space address is about to be injected, we decode the numerical address to a FaultSpaceElement*, which knows how to inject a fault into itself. Thereby, we can unify the injection over different types of machine state and support multiple memory types. Furthermore, this simplifies import-trace and the DatabaseExperiment significantly. A detailed description of can be found in Malte Bargholz' Master thesis[1] Bit-Wise Pruning ---------------- Files: tools/import-trace/Importer.cc Until now, every state (register/memory) access had to be at least 8 bits wide. While this is good for memory reads, which always access at least a whole byte, this is not properly working for register accesses. Especially, for our integration of more complex CPU architectures (i.e., CHERI), we have to have bit-wise pruning to inject only single tag bits instead of injecting always 8 tag bits. Therefore, this change introduces bit-wise pruning for our importer. Instead of tracking only a single left margin for every fault-space address, we now track up to 8 different margins that are associated with an access mask. Thereby, the importer (which is effectively a def-use pruner) has to handle up to 8 left margins when accessing a byte with an access mask of 0xff. A detailed description of can be found in Malte Bargholz' Master thesis[1] Unification of Disassembler Interface ------------------------------------- The integration of the capstone disassembler into the RegisterImporter was more or less a clone-and-own integration. However, as both disassemblers basically perform the same task, a common interface is possible. Furthermore, the *FailTo*Translator* classes are no longer used for injecting registers as the dissassembler has nothing to do with the injector. This task is no performed by the virtual fault space. This change was tested with: - The integrated test-suite - The fail-target repo and injection of register,memory,EIP,randomjump - Both disassemblers Currently untested: - Gem5 [1] Quantifying Soft-Error Resilience of Embedded RISC-V Systems with Capability-based Memory Protection https://www.sra.uni-hannover.de/Theses/2020/bargholz_20_ma.pdf Co-authored-by:
Christian Dietrich <dietrich@sra.uni-hannover.de> Co-authored-by:
Malte Bargholz <malte@screenri.de>
-
Christian Dietrich authored
This reverts commit 8d1657a4.
-
Malte Bargholz authored
With this *breaking* change, FAIL* does no longer use widths of data accesses in its database schema, but bit masks. Thereby it is possible to prevent or focus on the injection of individual bits. For this change, the following database tables use masks with the following meanings: - trace.data_mask: given bits were accessed - fspgroup.data_mask: complete or partial match of a trace-table entries data-mask - fsppilot.data_mask: given bits are to be injected with this pilot In order to reflect these database changes, you should add (fspgroup.data_mask & trace.data_mask) to your join between trace and fspgroup table to record for a cardinalty mismatch between both tables. However, for the basic pruner (def-use pruner), this is not necessary, as the data mask is in both cases 255. Co-authored: Christian Dietrich <dietrich@sra.uni-hannover.de>
-
Christian Dietrich authored
-
Christian Dietrich authored
Many architectures have different types of memory (flash, RAM, EEPROM, etc), which is currently not well supported in the FAIL* toolchain. Therefore, this change introduces memory types. A memory type is a simple tag that is attached to memory events and memory listeners. Furthermore, the generic-tracing experiment records memory types and dump-trace displays them. Currently, they are not yet used in importing. However, with SAIL integration, we require this kind of disambiguation between different memory types. Furthermore, MemoryAccessEvents now carry the memory area that was accessed. This change should not break previous experiments and/or results. Co-authored-by:
Malte Bargholz <malte@screenri.de>
-
- 01 Aug, 2021 1 commit
-
-
Horst Schirmeier authored
- replace danceos.org links (danceos.org is permanently out of service) - add dissertation link This fixes #10. Change-Id: I27278db1b36f94727a710ea7998374ecf5a60297
-
- 27 Jul, 2021 3 commits
-
-
Horst Schirmeier authored
Enabling --catch-trap makes sure tracing aborts with an error message in case a CPU exception/trap is observed in the fault-free golden run. In most cases, this is an indication the analyzed program is broken in the first place, which should be detected early in the FI process. This is a refurbished version of a commit by Marcel Johannfunke. Change-Id: I50cc8e12e0986d3623a1be78259cfad13dc56205
-
Horst Schirmeier authored
If the analyzed program does not read any memory, or the reading memory accesses are filtered out in the import step (import-trace -m), the trace table may hold no entries for the program. This commit makes sure the SamplingPruner and FESamplingPruner deal properly with this situation. Change-Id: I6bb5da23f345fa97cf8ab0b688cce5d00945249a
-
Horst Schirmeier authored
This compatibility-breaking change introduces the --cover-memorymap switch to import-trace. It makes a previous behavior optional, which enforces DB entries for addresses covered by the --memorymap that don't occur in the trace. This creates a continuous and potentially very large fault space in the DB, which never made any real sense. Change-Id: I47e412bb621b595748c1772e02d2577308be8664
-
- 13 Jul, 2021 1 commit
-
-
Robin Thunig authored
-
- 26 Mar, 2021 1 commit
-
-
Horst Schirmeier authored
This fixes a bug (uninitialized member variable check_bounds) introduced in commit 43ebf3ee, which led to bounds checking sometimes being accidentally enabled. Change-Id: Ia2992a38dd83416ce0ec2a9d845d7827617cbd89
-
- 24 Mar, 2021 2 commits
-
-
Robin Thunig authored
Upstream SVN r10223 Backport was neccessary, because the CRC32 assambly instruction did not work as expected in bochs.
-
Robin Thunig authored
Some benchmarks need this space for the function name, because of name mangling.
-
- 18 Dec, 2020 7 commits
-
-
Christian Dietrich authored
-
Christian Dietrich authored
This is a breaking change. However, the name is and always was misleading. Therefore, we change it to the correct name.
-
Christian Dietrich authored
As the outerspace listeners catch read and write accesses, this must be documented in the help message. The old parameter name is now marked as deprecated and can be removed in 2022. Furthmore, the experiment now has the combined command line argument --catch-outerspace, which enables catching accesses below and above the ELF.
-
Christian Dietrich authored
-
Malte Bargholz authored
During the trace generation, we can enable the bounds check, which catches all events that are monitored by the generic-experiement options: --catch-write-textsegment --catch-upper-outerspace --catch-lower-outerspace
-
Malte Bargholz authored
The generic experiment set the TriggerAccessType not the WatchAccessType. Therefore, the text segment listener fired on write AND read events. The watch access type can only be set in the constructor.
-
Malte Bargholz authored
This patch uses ELF segments instead of section for determining the extent of the binary in memory. Consequently, the outerspace listener was modified to use these new bounds. Additionally, the generic experiment was changed to include a lowerspace listener, which listens for write access below the physical memory location of the ELF.
-