automated bug detection for pointers and memory accesses ... · ease development and deployment of...
TRANSCRIPT
Automated Bug Detection for Pointers and MemoryAccesses in High-Level Synthesis Compilers
Pietro [email protected]
Fabrizio [email protected]
Dipartimento di Elettronica, Informazione e BioingegneriaPolitecnico di Milano
Milano, Italy
FPL 2016 – Lausanne – 01/09/2016
Outline
Introduction and Motivation
Background and Assumptions
Automated Bug Detection for Pointers
Evaluated Tools, Experiments and Results
Conclusion and Future Work
Motivation
Adoption of High-Level Synthesis is increasingHLS tools are becoming increasingly complexMemory optimizations bring substantial improvementsMemory bugs introduced by HLS tools are hard to debug
A methodology to automatically find memory bugs introduced by the compiler would:
• Make existing memory allocation and optimizations more reliable
• Ease development and deployment of new memory architectures in HLS
• Speed up testing of new memory optimizations in HLS
• Make easier for HLS developers and users to isolate the cause of bugs
P.Fezzardi – [email protected] 1 FPL 2016 – Lausanne – 01/09/2016
Goals
General Ideas
• Take advantage of HLS information to support all compiler optimizations• Automatically isolate the wrong signal, failing operation and component• Automatically backtrack the error to the original source code• Avoid user interaction to enable massive automated testing in production
Goals Related to Pointers
• Specifically target memory bugs involving pointers and addresses• Completely support C standard pointer based descriptions• Support different memory technologies and partitioning patterns• Independent of memory optimizations
P.Fezzardi – [email protected] 2 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Discrepancy Analysis Debug Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofaddress operations
SW memory locationsSW Call Context IDs
ASTS
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
start and end timeof the failed operation
value of therelated C variable SW call stack trace
P.Fezzardi – [email protected] 3 FPL 2016 – Lausanne – 01/09/2016
Memory Locations
Memory LocationA Memory Location 〈Mi , Bi , Si〉 is an unambiguous representation of a position in memory
In HW In SW◦ Mi : unique identifier for a memory module ◦ Mi : can be omitted◦ Bi : an offset in the memory module identified by Mi ◦ Bi : address in main memory◦ Si : size of the memory location ◦ Si : size of the memory location
Similar to Location Sets [Wilson and Lam; PLDI’95] [Semeria and De Micheli; TCAD’01]
Abstract concepts, independent of the target memory architecture
HW Memory Locations are not addresses but can be directly translated to addresses
Evaluated HLS compilers (Bambu, LegUp, Commercial Tool) use equivalent representations
P.Fezzardi – [email protected] 4 FPL 2016 – Lausanne – 01/09/2016
Memory Allocation
For memory allocation, HLS tools take mainly two decisions:
which variables have to be allocated in memory
• usually global, static, volatile, arrays, and structs
• possibly others, according to alias analysis
the location where every memory-mapped variable is stored
• depends on HLS implementation
• depends on memory architecture of the generated design
• depends on the memory optimizations and partitioning
P.Fezzardi – [email protected] 5 FPL 2016 – Lausanne – 01/09/2016
Assumptions for Address Discrepancy Analysis
General Assumption IEvery HW Memory Location must be associated to a single memory-mapped variable
The inverse mapping of high-level variables onto HW Memory Locations must be known
It is simply the inverse of the mapping computed by memory allocation in HLS X
General Assumption IIIt has to be possible to identify the signals representing pointer variables in HW
Previous results show that this is possible X
P.Fezzardi – [email protected] 6 FPL 2016 – Lausanne – 01/09/2016
Address Space Translation Scheme
Address Space Translation Scheme (ASTS)
Hardware Address Table (HAT) Software Address Table (SAT)
i 〈Mi , Bi , Si〉 j 〈CBi , CSi〉 i
i: variable identifier j: SW Call Context ID
〈Mi , Bi , Si〉: HW Memory Location 〈CBi , CSi〉: SW Memory Location
i: variable identifier
P.Fezzardi – [email protected] 7 FPL 2016 – Lausanne – 01/09/2016
The Software Call Context Identifier
In HWThe HAT is computed by memory allocation during HLS
Memory Locations in HW are defined once ahead of time
In SWLocal variables are allocated on the stack
Different Memory Location at every function call
An ID is necessary to distinguish between calls
An ID uniquely identifies a path on the call graph
Function calls are instrumented in the C code
Context ID and memory mapping are printed at runtime
fun a
fun b
fun cint d;
&d =0xFFFF1234
&d =0xFFFF4321
P.Fezzardi – [email protected] 8 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
The Extended Address Discrepancy Analysis Flow
ORIGINALSOURCE
CODE(C)
FRONTEND
CONTROLDATAFLOW
GRAPH(CDFG)
HLS
FINITESTATE
MACHINE(FSM)
DATAPATH(DP)
BACKEND
HARDWAREDESCRIPTION
LANGUAGE(HDL)
EXT
RA
CT
EDIN
FOR
MAT
ION source level
information
instrumentedC code in SSAafter frontendoptimizations
memory layoutmemory allocation
memory partitioning
FSM optimizationschaining
pipeliningresource sharing
schedulingbinding
allocation
list of signalsto collect
HW traces
DEB
UG
GIN
GST
EPS
compilation+
execution
SW Traces ofpointer operations
SW memory locationsSW Call Context IDs
SW Traces
cycle accurateRTL simulation
HW Traces (VCD)
ASTS
DISCREPANCY ANALYSIS
DEB
UG
INFO
RM
ATIO
N
first mismatch betweenHW and SW executions
faulty modulein HW design state of FSM
wrong variableis a pointer
hierachical path andname of the wrong signal
value of thewrong signal failed operation in C
SW memory locationof the wrong pointer
start and end timeof the failed operation
value of therelated C variable SW call stack trace
HW memory locationaddressed by wrong signal
P.Fezzardi – [email protected] 9 FPL 2016 – Lausanne – 01/09/2016
Address Discrepancy AlgorithmShared Data: ASTS = (SAT, HAT)
1 bool discrepancy (j, s, h)Input : j: SW Call Context ID
s: SW address assignedto a pointer p in j
h: value of the signalrelated to p in HW
Result : true if s and h mismatch,false otherwise
2 i = search (j, s) in SAT;3 if (i is not found) then4 // s is not in range for any variable5 return false;6 else7 〈Mi , Bi , Si〉 = search(i) in HAT;8 if (〈Mi , Bi , Si〉 is not found) then9 // not memory-mapped in HW
10 return true;11 else12 h’ = decodeHW (〈Mi , Bi , Si〉);13 if h 6= h’ then14 return true;15 else16 return false;
ASTS
HAT SATi 〈Mi , Bi , Si〉 j 〈CBi , CSi〉 i
f()
struct{int b,int c} A;
g(&A.c);
g(int * d)(context j)
void * p = d;struct A
bc
main memory
〈CBi , CSi〉0xFFFF1234sizeof(int)
struct A
bc
Mi
Bi = 0x4Si = sizeof(int)
module g
signal p
module f
P.Fezzardi – [email protected] 10 FPL 2016 – Lausanne – 01/09/2016
Evaluated HLS Tools
Bambu [Pilato et al; CODES+ISSS’11]
◦ Developed at Politecnico di Milano ◦ Based on GCC (4.5 up to 6)◦ Free Software (GPLv3)
Commercial Tool
◦ Production-ready ◦ Recent version (late 2015 - early 2016)◦ Targets Xilinx FPGAs ◦ Closed source proprietary license
LegUp [Canis at al.; TECS’13]
◦ Developed at University of Toronto ◦ Based on LLVM◦ Free for non-commercial not-for-profit use
P.Fezzardi – [email protected] 11 FPL 2016 – Lausanne – 01/09/2016
Benchmarks
CHStone [Hara et al.; ISCAS’08]
◦ Well known benchmark suite for HLS ◦ 12 self-contained C programs◦ Both contol- and data-oriented examples ◦ Try to settle a common ground for HLS tools
GCC C-torture
◦ More than 800 tests from GCC test suite ◦ Designed to stress test compilers◦ Designed to test obscure corner-cases ◦ Selected 216 cases to test pointers
P.Fezzardi – [email protected] 12 FPL 2016 – Lausanne – 01/09/2016
Test Matrix
CHStone GCC C-torture
Bambu X
fully automated
X
fully automated(several bugs found)
Commercial Tool
use partitioning directivesmanual bug insertionimitate known bugs found in Bambumanual reconstruction of ASTSmanual execution
56/216 failed HLSmanual on a short list
LegUp X
partially automated
X
partially automated(on a short list)
P.Fezzardi – [email protected] 13 FPL 2016 – Lausanne – 01/09/2016
Significance of Pointer Operations
adpc
mO
0ad
pcm
O3
aesO
0ae
sO3
bfO
0bf
O3
dfad
dO0
dfad
dO3
dfdi
vO0
dfdi
vO3
dfm
ulO
0df
mul
O3
dfsin
O0
dfsin
O3
gsm
O0
gsm
O3
jpeg
O0
jpeg
O3
mip
sO0
mip
sO3
mpe
gO0
mpe
gO3
shaO
0sh
aO3
C-to
rtur
e
0%
20%
40%
60%
80%
100%
static % of pointer operations on the total
% of pointers with fully resolved alias analysis
P.Fezzardi – [email protected] 14 FPL 2016 – Lausanne – 01/09/2016
Significance of Pointer Operations
adpc
mO
0ad
pcm
O3
aesO
0ae
sO3
bfO
0bf
O3
dfad
dO0
dfad
dO3
dfdi
vO0
dfdi
vO3
dfm
ulO
0df
mul
O3
dfsin
O0
dfsin
O3
gsm
O0
gsm
O3
jpeg
O0
jpeg
O3
mip
sO0
mip
sO3
mpe
gO0
mpe
gO3
shaO
0sh
aO3
C-to
rtur
e
0%
20%
40%
60%
80%
100%
static % of pointer operations on the total% of pointers with fully resolved alias analysis
P.Fezzardi – [email protected] 14 FPL 2016 – Lausanne – 01/09/2016
Detected Bugs
Compiler FrontendWrong static analysis or IR manipulations
ExampleStatic bit-width analysis to reduce the bits of addressesA bug caused a wrong number of bits to be computedWrong values were used to address the memory
SchedulingWrong construction of the FSM
• missing dependencies
• wrong computation of execution times
ExampleMissing information about data dependenciesScheduling decided to compute an address in advanceData necessary for the computation was not ready yetAgain generating wrong addresses
Memory AllocationMemories with wrong ports, size, latency, etc.
Memory too smallLOAD: read a corrupted data or hangSTORE: out-of-bound access
Memory too largeLOAD/STORE: wrong offset calculation; data corruption
Wrong latencyLOAD: use data before they are readySTORE: release memory before data is stored
InterconnectionConnection of wrong modulesWrong size of buses and other wirings
ExampleBug in bit-width analysis caused wrong size of address bus
P.Fezzardi – [email protected] 15 FPL 2016 – Lausanne – 01/09/2016
Conclusions and Future Work
ConclusionX Extend Discrepancy Analysis to support pointers
X Effectively fill a considerable blank in Discrepancy Analysis
X Independent of compiler optimizations, memory technology and partitioning patterns
X Avoid user interaction to enable massive automated testing in production
X Find several bugs in different compiler steps not found by normal Discrepancy Analysis
Future Work◦ Support for speculation
◦ Support for synthesis of dynamic allocation malloc()/free()
P.Fezzardi – [email protected] 16 FPL 2016 – Lausanne – 01/09/2016
Backup Slides
Example where Commercial Tool fails HLS
int w( struct sockq *q, void *src , int len) {
char *sptr = src;
while (len --) {q->buf[q->head ++] = *src ++;
if (q->head == NET_SKBUF_SIZE )q->head = 0;
}
return len;}
False Positive
int main () {
int *p, a[32] , b[32] , res = 0;
for (p = a; p < a + 32; p++)res += something (p);
for (p = b; p < a + 32; p++)res += something (p);
return res;}
Solution to False Positives
Address SANitizer (ASAN)
• SW memory error detector• Deployed both in GCC (from 4.8) and LLVM (from 3.1)
◦ compiler instrumentation pass◦ run-time library to replace malloc()/free()
• Adds redzones around every variable
• If a redzone is accessed triggers an error
Address Discrepancy Analysis do not check out-of-bound addressesWild pointers operations are allowed in C
If a wild pointer is dereferenced in C ASAN catch itEven if out-of-bounds pointers are not checked ASAN ensures everything is ok
Performance Overhead
adpc
mO
0ad
pcm
O3
aesO
0ae
sO3
bfO
0bf
O3
dfad
dO0
dfad
dO3
dfdi
vO0
dfdi
vO3
dfm
ulO
0df
mul
O3
dfsin
O0
dfsin
O3
gsm
O0
gsm
O3
jpeg
O0
jpeg
O3
mip
sO0
mip
sO3
mpe
gO0
mpe
gO3
shaO
0sh
aO3
C-to
rtur
e
0%
50%
100%
150%
200%
Performance overhead compared to simulation
Coverage Metrics
Instruction Coverage (icov)
icov = # of checked static operations# of static operations
Statement Coverage (scov)
scov = # of statements executed at least once at runtime# of static statements
ccov: C statement coverage — vcov: Verilog statement coverage
Instruction Coverage 6= Statement Coverage◦ scov is dynamic while icov is static◦ icov has a much finer granularity (operations not statements)◦ icov is meant to check how many operations can be checked even if they are not executed
Coverage Results
adpc
mO
0ad
pcm
O3
aesO
0ae
sO3
bfO
0bf
O3
dfad
dO0
dfad
dO3
dfdi
vO0
dfdi
vO3
dfm
ulO
0df
mul
O3
dfsin
O0
dfsin
O3
gsm
O0
gsm
O3
jpeg
O0
jpeg
O3
mip
sO0
mip
sO3
mpe
gO0
mpe
gO3
shaO
0sh
aO3
C-to
rtur
e
0%
20%
40%
60%
80%
100%
ccov (gcov 4.9) vcov (Mentor Modelsim SE-64 10.3) icov (computed by our method)
Control Flow Traces (FCT)
Software and Hardware ExecutionsCDFG and a FSM are typical IRs for HLS compilers
Consider a CDFG and a FSM for a high-level function
From a control-flow standpoint, for a given input, theyrepresent SW and HW executions respectively
Definition: Software Control Flow Trace (SCFT)The SCFT on a given input I is the ordered sequenceof BBs representing the execution of the CDFG
Definition: Hardware Control Flow Trace (HCFT)The HCFT on the same input I the ordered sequenceof states describing the execution of the FSM
Control DataFlow Graph
(CDFG)Finite State
Machine(FSM)
BB0
BB1
BB2
BB3
S0 0
S0 1
S0 2
S1 0
S1 1
S2
S3
SCH
EDU
LING
OpTraces (OT)
Software and Hardware OperationsControl Flow information is not enough
Cannot spot bugs that do not alter the execution path
A finer granularity is necessary
Definition: Software Op Trace (SOT)Given a Basic Block BBi and its associated list ofstates S1, . . . , Sk , the Software OpTrace of BBi is thelist of results of the statements in that BB.
Definition: Hardware Control Flow Trace (HOT)Let Sj be a state in the FSM. The Hardware OpTraceof a state Sj the set of results of the operationsscheduled in that state.
CDFGFSM
DATAPATH
BB1statement 0statement 1statement 2statement 3statement 4
S1 0operation 0operation 1
S1 1operation 2operation 3operation 4
HW component 0
HW component 1
HW component 2
HW component 3
SCH
EDU
LING
BIN
DIN
GA
LLOC
ATIO
N