1. 04 Feb, 2022 1 commit
  2. 27 Oct, 2021 1 commit
  3. 23 Aug, 2021 1 commit
  4. 18 Aug, 2021 8 commits
  5. 17 Aug, 2021 4 commits
    • Christian Dietrich's avatar
    • Christian Dietrich's avatar
      import-trace: derive dynamic instruction from time · 45319118
      Christian Dietrich authored
      Until now we assumed that all memory event followed the instruction
      pointer event. However, since sail register tracing outputs register
      R/W event in an arbitarty order, MEMTYPE_REGISTER events can happen
      before and after the actual instruction pointer event.
      However, they all trace events have in common that they have the same
      time (t=). Therefore, we no derive the dynamic instruction (instr)
      from the time_delta.
    • Christian Dietrich's avatar
      SAIL: Smooth the Register Tracing Support · b219a410
      Christian Dietrich authored
      As SAIL register tracing is expensive, we only want to enable it for
      generating the golden run. For this, FAIL* communicates this wish to
      the simulator by setting the callback-function pointer
      `fail_onRegisterAccess` to !nullptr.
      We only enable this tracing, when a full trace is requsted.
    • Yannick Loeck's avatar
      SAIL: Dynamic register tracing · 211e518f
      Yannick Loeck authored
      This commit introduces dynamic register tracing in Sail targets. For
      this, we modified the Sail compiler to produce fail_onRegisterAccess()
      functions calls within the compiled emulator when Sail registers and
      bitfields are accessed.
      In FAIL*, we record those accesses in the trace as MEMTYPE_REGISTER
      memory accesses. Thereby, we can use the whole downstream of importing
      and tracing without too much effort.
      Dynamic register tracing is enabled for the generic-tracing
          fail-generic-tracing -Wf,--full-trace ...
      If the user does not use the modified Sail compiler, we gracefully
      degrade to not use dynamic register accesses.
      Co-authored-by: Christian Dietrich's avatarChristian Dietrich <dietrich@sra.uni-hannover.de>
      Co-authored-by: Yannick Loeck's avatarYannick Loeck <yannick.loeck@gmail.com>
  6. 16 Aug, 2021 2 commits
  7. 12 Aug, 2021 1 commit
  8. 09 Aug, 2021 7 commits
    • Christian Dietrich's avatar
      [SAIL] Integration of RISC-V and CHERI-RISCV · 3f03f916
      Christian Dietrich authored
      With this (large) patch, we integrate the riscv and cheri-riscv model
      as potential tracing and injection targets. This change also
      introduces the infratstructure to integrate other models with a
      relatively low overhead.
      Mixed into this patch are a few changes that are unrelated. I'm aware
      of this, but I have no desire to pull everything appart. The effort
      was large enough.
      - llvmdisassembler: bump version to 11.0.0
        With 11.0.0, the llvmdisassemble broke FAIL*, since the LLVM's ELF.h
        used enums to define constants, while the system elf.h used
        preprocessor #define to define the same constants. Depending on the
        inclusion order, this broke horribly.
      Co-authored-by: Christian Dietrich's avatarChristian Dietrich <dietrich@sra.uni-hannover.de>
      Co-authored-by: default avatarMalte Bargholz <malte@screenri.de>
      Co-authored-by: default avatarMarcel Budoj <marcel.budoj@googlemail.com>
    • Christian Dietrich's avatar
    • Christian Dietrich's avatar
      Virtual Fault Space Abstraction · 7fffccf9
      Christian Dietrich authored
      This is a large change that will break your traces and your database
      layouts. However, it repairs a lot of ad-hoc hacks that came into
      FAIL* over the years.
      What has changed?
      The Virtual Fault Space Abstraction
      Files: sal/faultspace/*
      Instead of mapping registers ad-hoc into the virtual address space in
      order to smuggle the bit-packed register-id from import-trace through
      prune-trace and DatabaseCampaign to the DatabaseExperiment, we make
      this mapping now official and adaptable to more complex architectures.
      From now on the data_address field in the database is a fsp_address_t.
      These addresses are translated by the FS abstraction within the
      importer, which uses the architecture specific description of the
      virtual fault space.
      Within our whole tool chain, we now only work with fault-space
      addresses, which are the Y-axis of our fault space.
      When the fault-space address is about to be injected, we decode the
      numerical address to a FaultSpaceElement*, which knows how to inject a
      fault into itself. Thereby, we can unify the injection over different
      types of machine state and support multiple memory types.
      Furthermore, this simplifies import-trace and the DatabaseExperiment
      A detailed description of can be found in Malte Bargholz' Master thesis[1]
      Bit-Wise Pruning
      Files: tools/import-trace/Importer.cc
      Until now, every state (register/memory) access had to be at least 8
      bits wide. While this is good for memory reads, which always access at
      least a whole byte, this is not properly working for register
      accesses. Especially, for our integration of more complex CPU
      architectures (i.e., CHERI), we have to have bit-wise pruning to
      inject only single tag bits instead of injecting always 8 tag bits.
      Therefore, this change introduces bit-wise pruning for our importer.
      Instead of tracking only a single left margin for every fault-space
      address, we now track up to 8 different margins that are associated
      with an access mask. Thereby, the importer (which is effectively a
      def-use pruner) has to handle up to 8 left margins when accessing a
      byte with an access mask of 0xff.
      A detailed description of can be found in Malte Bargholz' Master thesis[1]
      Unification of Disassembler Interface
      The integration of the capstone disassembler into the RegisterImporter
      was more or less a clone-and-own integration. However, as both
      disassemblers basically perform the same task, a common interface is
      Furthermore, the *FailTo*Translator* classes are no longer used for
      injecting registers as the dissassembler has nothing to do with the
      injector. This task is no performed by the virtual fault space.
      This change was tested with:
       - The integrated test-suite
       - The fail-target repo and injection of register,memory,EIP,randomjump
       - Both disassemblers
      Currently untested:
       - Gem5
      [1] Quantifying Soft-Error Resilience of Embedded RISC-V Systems with Capability-based Memory Protection
      Co-authored-by: Christian Dietrich's avatarChristian Dietrich <dietrich@sra.uni-hannover.de>
      Co-authored-by: default avatarMalte Bargholz <malte@screenri.de>
    • Christian Dietrich's avatar
      Revert "cmake: use -std=c++11 instead of c++14" · e2bf7e37
      Christian Dietrich authored
      This reverts commit 8d1657a4.
    • Malte Bargholz's avatar
      Use bit masks instead of access widths · e18be8e8
      Malte Bargholz authored
      With this *breaking* change, FAIL* does no longer use widths of data
      accesses in its database schema, but bit masks. Thereby it is possible
      to prevent or focus on the injection of individual bits.
      For this change, the following database tables use masks with the
      following meanings:
      - trace.data_mask:    given bits were accessed
      - fspgroup.data_mask: complete or partial match of a trace-table
                            entries data-mask
      - fsppilot.data_mask: given bits are to be injected with this pilot
      In order to reflect these database changes, you should
      add (fspgroup.data_mask & trace.data_mask) to your join between trace
      and fspgroup table to record for a cardinalty mismatch between both
      tables. However, for the basic pruner (def-use pruner), this is not
      necessary, as the data mask is in both cases 255.
      Co-authored: Christian Dietrich <dietrich@sra.uni-hannover.de>
    • Christian Dietrich's avatar
    • Christian Dietrich's avatar
      [SAL] Introduce support for multiple memory types · 9444dc09
      Christian Dietrich authored
      Many architectures have different types of memory (flash, RAM, EEPROM,
      etc), which is currently not well supported in the FAIL* toolchain.
      Therefore, this change introduces memory types.
      A memory type is a simple tag that is attached to memory events and
      memory listeners. Furthermore, the generic-tracing experiment records
      memory types and dump-trace displays them. Currently, they are not yet
      used in importing. However, with SAIL integration, we require this
      kind of disambiguation between different memory types.
      Furthermore, MemoryAccessEvents now carry the memory area that was accessed.
      This change should not break previous experiments and/or results.
      Co-authored-by: default avatarMalte Bargholz <malte@screenri.de>
  9. 01 Aug, 2021 1 commit
    • Horst Schirmeier's avatar
      README updates · e52ece5a
      Horst Schirmeier authored
      - replace danceos.org links (danceos.org is permanently out of
      - add dissertation link
      This fixes #10.
      Change-Id: I27278db1b36f94727a710ea7998374ecf5a60297
  10. 27 Jul, 2021 3 commits
    • Horst Schirmeier's avatar
      generic-tracing: --catch-trap aborts when a trap is observed · 7bdefb68
      Horst Schirmeier authored
      Enabling --catch-trap makes sure tracing aborts with an error message
      in case a CPU exception/trap is observed in the fault-free golden run.
      In most cases, this is an indication the analyzed program is broken in
      the first place, which should be detected early in the FI process.
      This is a refurbished version of a commit by Marcel Johannfunke.
      Change-Id: I50cc8e12e0986d3623a1be78259cfad13dc56205
    • Horst Schirmeier's avatar
      prune-trace: correctly handle 0 trace entries · 67f1be84
      Horst Schirmeier authored
      If the analyzed program does not read any memory, or the reading
      memory accesses are filtered out in the import step (import-trace -m),
      the trace table may hold no entries for the program.  This commit
      makes sure the SamplingPruner and FESamplingPruner deal properly with
      this situation.
      Change-Id: I6bb5da23f345fa97cf8ab0b688cce5d00945249a
    • Horst Schirmeier's avatar
      import-trace: add --cover-memorymap switch · 3b7404de
      Horst Schirmeier authored
      This compatibility-breaking change introduces the --cover-memorymap
      switch to import-trace.  It makes a previous behavior optional, which
      enforces DB entries for addresses covered by the --memorymap that
      don't occur in the trace.  This creates a continuous and potentially
      very large fault space in the DB, which never made any real sense.
      Change-Id: I47e412bb621b595748c1772e02d2577308be8664
  11. 13 Jul, 2021 1 commit
  12. 26 Mar, 2021 1 commit
  13. 24 Mar, 2021 2 commits
  14. 18 Dec, 2020 7 commits