pathexpander: architectural support for increasing the path coverage of dynamic bug detection s. lu,...
Post on 21-Dec-2015
217 views
TRANSCRIPT
![Page 1: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/1.jpg)
PathExpander: Architectural Support for Increasing the Path Coverage of
Dynamic Bug Detection
S. Lu, P. Zhou, W. Liu, Y. Zhou, J. TorrellasUniversity of Illinois at Urbana Champaign
![Page 2: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/2.jpg)
2
Motivation
We have plenty of methods to detect software bugs– Assertions– Software (CCured, Purify)– Hardware (iWatcher)
However, these tools only check part of the total code– Only the part that is actually exercised
![Page 3: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/3.jpg)
3
Motivation
Checking the entire code is really hard– Impossible to check all paths, or even all
branches– Too difficult to create complete test cases– State dependent on external factors
File system, system load, date etc
– Too much time required for the tools to run
We must find a way to check as much of the code as possible, with as few runs as
possible
![Page 4: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/4.jpg)
4
PathExpander Idea
When arriving at a branch execute BOTH paths
– The Non-Taken (NT) path will not commit
A dynamic checker – NOT PathExpander – will monitor the program execution and detect bugs in any of the two paths
This can happen in Software or Hardware
– We will mainly talk about the H/W
![Page 5: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/5.jpg)
5
PathExpander Operation
All memory operations of the NT path are sandboxed– The NT path must not permanently alter the
program’s state
The NT path may execute branches– But only the taken path will be followed– Otherwise, this can grow exponentially
![Page 6: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/6.jpg)
6
PathExpander Operation
The NT path will be killed – If a number of instructions is normally executed
for resource contention reasons
– If an unsafe event occurs I/O, which cannot be sandboxed
– If it raises an exception load NULL, etc
The NT path can be executed on an idle core, if we have CMP processor
![Page 7: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/7.jpg)
7
Architecture Overview
![Page 8: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/8.jpg)
8
Basic Architecture Overview
2 4-bit exercise counters in the BTB for the two edges– An NT path will be spawned if that edge has exercise
counter below a threshold– Periodically reset to zero, to support long-running
programs
1-bit V(volatile)Tag per L1 cache line– All NT path writes set the VTag– When the NT path is squashed, invalidate these lines
![Page 9: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/9.jpg)
9
Basic Architecture Overview
Monitor_Memory_Area: pointer to NON volatile memory, that will remain after the NT path is killed– Used by the monitoring tool
Predicate Register– Used for consistency fixes
(in a few slides…)
![Page 10: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/10.jpg)
10
CMP Architecture Overview
NT paths are spawned to idle cores, to hide the delay
Vtag now becomes 8-bit– ID of the path that wrote in the line– Allows memory versioning
Fast register copy mechanism is required
![Page 11: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/11.jpg)
11
CMP PathExpander Data Dependencies
![Page 12: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/12.jpg)
12
CMP PathExpander Data Dependencies
A path must read data that it or its parents wrote.
A taken path cannot commit before– Its father commits– Its siblings have been killed
Kill siblings immediately to limit the delay if the taken path must commit to displace lines to the L2
![Page 13: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/13.jpg)
13
State Inconsistency
Example of state inconsistency problem:
If (x >= 2) { use x; assume we have lot of data }
Else { use x; we have few data }; The predicate register will inform us if this is
a T or NT path– If we are on an NT path, we must somehow ‘fix’
these inconsistencies.
![Page 14: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/14.jpg)
14
State Inconsistency fixing
![Page 15: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/15.jpg)
15
State Inconsistency fixing
The compiler will insert predicated fix instructions.
If a pointer must be fixed, the compiler will have a dummy variable of the same type for the pointer to point at– Will that be correct always? What will happen if
we have unions?
![Page 16: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/16.jpg)
16
PathExpander Implementation
Software– In PIN
Hardware– With and without CMP
4 cores for the CMP case
Dynamic Checkers– CCured (dynamic software)– iWatcher (dynamic hardware-assisted)– Assertions
NON bug-triggering inputs
![Page 17: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/17.jpg)
17
Simulation Parameters
![Page 18: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/18.jpg)
18
Applications Tested
![Page 19: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/19.jpg)
19
Experimental ResultsBug Detection
Bugs Detected with NON triggering inputs
21:17 Detected to False Negatives
![Page 20: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/20.jpg)
20
Experimental Results: Effect of Consistency Fixing on False Positives
Fixing reduces from 13:0.75 to 4:1 False to
True Positives
![Page 21: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/21.jpg)
21
Experimental ResultsCoverage Improvement
Branch coverage increases from 40% to 65%
![Page 22: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/22.jpg)
22
Experimental ResultsCumulative Coverage Improvement
Random InputsLast 5 Inputs are given by programmers
![Page 23: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/23.jpg)
23
Crash- and Unsafe-Event-Latency
65% - 99% of spawned NT execute for 1000 instructions without crashing or causing unsafe events
![Page 24: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/24.jpg)
24
Evaluation: Software Implementation Overhead
DANGER: do not attempt this at home (or during this lifetime
anyway)
![Page 25: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/25.jpg)
25
Evaluation:Hardware Implementation Overhead
CMP overhead < 10%
If SEQ overhead small, thread spawning and squashing will worsen performance
![Page 26: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/26.jpg)
26
Conclusion
PathExpander is NOT a dynamic checker– It simply improves coverage by checking both paths– And increases the false positives (4:1 ratio)
Software Implementation is waaaaaaaaaaay toooooooooooooooo sloooooooooooooow
![Page 27: PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University](https://reader030.vdocuments.site/reader030/viewer/2022032704/56649d5f5503460f94a3f5b4/html5/thumbnails/27.jpg)
27
Conclusion
A lot of things remain untouched– Where’s the tech report???– What do they do with speculative L1 lines under eviction?– Fixing is really naïve.
A lot of interesting things happen is queues, lists etc that cannot be fixed by the compiler
– What kind of ISA?
Is it worth it?
Thank you!
Questions?