GitLab

Althought minstret isn't an model specific register, whereby it is not
traced anymore. The problem is, that the increment of PC and time
should be done atomic. However, due to our SAIL register tracing, it isn't.

The translation from Sail register pointers should be done within the
SailFailInterface as this is the correct place in the hierarchy of
abstraction.

Until now we assumed that all memory event followed the instruction
pointer event. However, since sail register tracing outputs register
R/W event in an arbitarty order, MEMTYPE_REGISTER events can happen
before and after the actual instruction pointer event.

However, they all trace events have in common that they have the same
time (t=). Therefore, we no derive the dynamic instruction (instr)
from the time_delta.

As SAIL register tracing is expensive, we only want to enable it for
generating the golden run. For this, FAIL* communicates this wish to
the simulator by setting the callback-function pointer
`fail_onRegisterAccess` to !nullptr.

We only enable this tracing, when a full trace is requsted.

This commit introduces dynamic register tracing in Sail targets. For
this, we modified the Sail compiler to produce fail_onRegisterAccess()
functions calls within the compiled emulator when Sail registers and
bitfields are accessed.

In FAIL*, we record those accesses in the trace as MEMTYPE_REGISTER
memory accesses. Thereby, we can use the whole downstream of importing
and tracing without too much effort.

Dynamic register tracing is enabled for the generic-tracing
experiment:

    fail-generic-tracing -Wf,--full-trace ...

If the user does not use the modified Sail compiler, we gracefully
degrade to not use dynamic register accesses.
Co-authored-by: Christian Dietrich <dietrich@sra.uni-hannover.de>
Co-authored-by: Yannick Loeck <yannick.loeck@gmail.com>

With this (large) patch, we integrate the riscv and cheri-riscv model
as potential tracing and injection targets. This change also
introduces the infratstructure to integrate other models with a
relatively low overhead.

Mixed into this patch are a few changes that are unrelated. I'm aware
of this, but I have no desire to pull everything appart. The effort
was large enough.

- llvmdisassembler: bump version to 11.0.0

  With 11.0.0, the llvmdisassemble broke FAIL*, since the LLVM's ELF.h
  used enums to define constants, while the system elf.h used
  preprocessor #define to define the same constants. Depending on the
  inclusion order, this broke horribly.
Co-authored-by: Christian Dietrich <dietrich@sra.uni-hannover.de>
Co-authored-by: Malte Bargholz <malte@screenri.de>
Co-authored-by: Marcel Budoj <marcel.budoj@googlemail.com>

This is a large change that will break your traces and your database
layouts. However, it repairs a lot of ad-hoc hacks that came into
FAIL* over the years.

What has changed?
=================

The Virtual Fault Space Abstraction
-----------------------------------
Files: sal/faultspace/*
       sal/x86/X86Faultspace.*
       sal/arm/ArmFaultSpace.*

Instead of mapping registers ad-hoc into the virtual address space in
order to smuggle the bit-packed register-id from import-trace through
prune-trace and DatabaseCampaign to the DatabaseExperiment, we make
this mapping now official and adaptable to more complex architectures.

From now on the data_address field in the database is a fsp_address_t.
These addresses are translated by the FS abstraction within the
importer, which uses the architecture specific description of the
virtual fault space.

Within our whole tool chain, we now only work with fault-space
addresses, which are the Y-axis of our fault space.

When the fault-space address is about to be injected, we decode the
numerical address to a FaultSpaceElement*, which knows how to inject a
fault into itself. Thereby, we can unify the injection over different
types of machine state and support multiple memory types.

Furthermore, this simplifies import-trace and the DatabaseExperiment
significantly.

A detailed description of can be found in Malte Bargholz' Master thesis[1]

Bit-Wise Pruning
----------------
Files: tools/import-trace/Importer.cc

Until now, every state (register/memory) access had to be at least 8
bits wide. While this is good for memory reads, which always access at
least a whole byte, this is not properly working for register
accesses. Especially, for our integration of more complex CPU
architectures (i.e., CHERI), we have to have bit-wise pruning to
inject only single tag bits instead of injecting always 8 tag bits.

Therefore, this change introduces bit-wise pruning for our importer.
Instead of tracking only a single left margin for every fault-space
address, we now track up to 8 different margins that are associated
with an access mask. Thereby, the importer (which is effectively a
def-use pruner) has to handle up to 8 left margins when accessing a
byte with an access mask of 0xff.

A detailed description of can be found in Malte Bargholz' Master thesis[1]

Unification of Disassembler Interface
-------------------------------------
The integration of the capstone disassembler into the RegisterImporter
was more or less a clone-and-own integration. However, as both
disassemblers basically perform the same task, a common interface is
possible.

Furthermore, the *FailTo*Translator* classes are no longer used for
injecting registers as the dissassembler has nothing to do with the
injector. This task is no performed by the virtual fault space.

This change was tested with:
 - The integrated test-suite
 - The fail-target repo and injection of register,memory,EIP,randomjump
 - Both disassemblers

Currently untested:
 - Gem5

[1] Quantifying Soft-Error Resilience of Embedded RISC-V Systems with Capability-based Memory Protection
    https://www.sra.uni-hannover.de/Theses/2020/bargholz_20_ma.pdf

Co-authored-by: Christian Dietrich <dietrich@sra.uni-hannover.de>
Co-authored-by: Malte Bargholz <malte@screenri.de>

This reverts commit 8d1657a4.

With this *breaking* change, FAIL* does no longer use widths of data
accesses in its database schema, but bit masks. Thereby it is possible
to prevent or focus on the injection of individual bits.

For this change, the following database tables use masks with the
following meanings:

- trace.data_mask:    given bits were accessed
- fspgroup.data_mask: complete or partial match of a trace-table
                      entries data-mask
- fsppilot.data_mask: given bits are to be injected with this pilot

In order to reflect these database changes, you should
add (fspgroup.data_mask & trace.data_mask) to your join between trace
and fspgroup table to record for a cardinalty mismatch between both
tables. However, for the basic pruner (def-use pruner), this is not
necessary, as the data mask is in both cases 255.

Co-authored: Christian Dietrich <dietrich@sra.uni-hannover.de>

Many architectures have different types of memory (flash, RAM, EEPROM,
etc), which is currently not well supported in the FAIL* toolchain.
Therefore, this change introduces memory types.

A memory type is a simple tag that is attached to memory events and
memory listeners. Furthermore, the generic-tracing experiment records
memory types and dump-trace displays them. Currently, they are not yet
used in importing. However, with SAIL integration, we require this
kind of disambiguation between different memory types.

Furthermore, MemoryAccessEvents now carry the memory area that was accessed.

This change should not break previous experiments and/or results.
Co-authored-by: Malte Bargholz <malte@screenri.de>

- replace danceos.org links (danceos.org is permanently out of
  service)
- add dissertation link

This fixes #10.

Change-Id: I27278db1b36f94727a710ea7998374ecf5a60297

Enabling --catch-trap makes sure tracing aborts with an error message
in case a CPU exception/trap is observed in the fault-free golden run.
In most cases, this is an indication the analyzed program is broken in
the first place, which should be detected early in the FI process.

This is a refurbished version of a commit by Marcel Johannfunke.

Change-Id: I50cc8e12e0986d3623a1be78259cfad13dc56205

If the analyzed program does not read any memory, or the reading
memory accesses are filtered out in the import step (import-trace -m),
the trace table may hold no entries for the program.  This commit
makes sure the SamplingPruner and FESamplingPruner deal properly with
this situation.

Change-Id: I6bb5da23f345fa97cf8ab0b688cce5d00945249a

This compatibility-breaking change introduces the --cover-memorymap
switch to import-trace.  It makes a previous behavior optional, which
enforces DB entries for addresses covered by the --memorymap that
don't occur in the trace.  This creates a continuous and potentially
very large fault space in the DB, which never made any real sense.

Change-Id: I47e412bb621b595748c1772e02d2577308be8664

This fixes a bug (uninitialized member variable check_bounds)
introduced in commit 43ebf3ee, which led to bounds checking sometimes
being accidentally enabled.

Change-Id: Ia2992a38dd83416ce0ec2a9d845d7827617cbd89

Upstream SVN r10223
Backport was neccessary, because the CRC32 assambly instruction
did not work as expected in bochs.

Some benchmarks need this space for the function name, because of name mangling.

This is a breaking change. However, the name is and always was
misleading. Therefore, we change it to the correct name.

As the outerspace listeners catch read and write accesses, this must
be documented in the help message. The old parameter name is now marked as
deprecated and can be removed in 2022.

Furthmore, the experiment now has the combined command line argument
--catch-outerspace, which enables catching accesses below and above
the ELF.

During the trace generation, we can enable the bounds check, which
catches all events that are monitored by the generic-experiement
options:

  --catch-write-textsegment
  --catch-upper-outerspace
  --catch-lower-outerspace

The generic experiment set the TriggerAccessType not the
WatchAccessType. Therefore, the text segment listener fired on write
AND read events. The watch access type can only be set in the constructor.

This patch uses ELF segments instead of section for determining the
extent of the binary in memory. Consequently, the outerspace listener
was modified to use these new bounds. Additionally, the generic
experiment was changed to include a lowerspace listener, which listens
for write access below the physical memory location of the ELF.