Presentation is loading. Please wait.

Presentation is loading. Please wait.

PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University."— Presentation transcript:

1 PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University of Illinois at Urbana Champaign

2 2 Motivation We have plenty of methods to detect software bugs – Assertions – Software (CCured, Purify) – Hardware (iWatcher) However, these tools only check part of the total code – Only the part that is actually exercised

3 3 Motivation Checking the entire code is really hard – Impossible to check all paths, or even all branches – Too difficult to create complete test cases – State dependent on external factors File system, system load, date etc – Too much time required for the tools to run We must find a way to check as much of the code as possible, with as few runs as possible

4 4 PathExpander Idea When arriving at a branch execute BOTH paths – The Non-Taken (NT) path will not commit A dynamic checker – NOT PathExpander – will monitor the program execution and detect bugs in any of the two paths This can happen in Software or Hardware – We will mainly talk about the H/W

5 5 PathExpander Operation All memory operations of the NT path are sandboxed – The NT path must not permanently alter the program’s state The NT path may execute branches – But only the taken path will be followed – Otherwise, this can grow exponentially

6 6 PathExpander Operation The NT path will be killed – If a number of instructions is normally executed for resource contention reasons – If an unsafe event occurs I/O, which cannot be sandboxed – If it raises an exception load NULL, etc The NT path can be executed on an idle core, if we have CMP processor

7 7 Architecture Overview

8 8 Basic Architecture Overview 2 4-bit exercise counters in the BTB for the two edges – An NT path will be spawned if that edge has exercise counter below a threshold – Periodically reset to zero, to support long-running programs 1-bit V(volatile)Tag per L1 cache line – All NT path writes set the VTag – When the NT path is squashed, invalidate these lines

9 9 Basic Architecture Overview Monitor_Memory_Area: pointer to NON volatile memory, that will remain after the NT path is killed – Used by the monitoring tool Predicate Register – Used for consistency fixes (in a few slides…)

10 10 CMP Architecture Overview NT paths are spawned to idle cores, to hide the delay Vtag now becomes 8-bit – ID of the path that wrote in the line – Allows memory versioning Fast register copy mechanism is required

11 11 CMP PathExpander Data Dependencies

12 12 CMP PathExpander Data Dependencies A path must read data that it or its parents wrote. A taken path cannot commit before – Its father commits – Its siblings have been killed Kill siblings immediately to limit the delay if the taken path must commit to displace lines to the L2

13 13 State Inconsistency Example of state inconsistency problem: If (x >= 2) { use x; assume we have lot of data } Else { use x; we have few data }; The predicate register will inform us if this is a T or NT path – If we are on an NT path, we must somehow ‘fix’ these inconsistencies.

14 14 State Inconsistency fixing

15 15 State Inconsistency fixing The compiler will insert predicated fix instructions. If a pointer must be fixed, the compiler will have a dummy variable of the same type for the pointer to point at – Will that be correct always? What will happen if we have unions?

16 16 PathExpander Implementation Software – In PIN Hardware – With and without CMP 4 cores for the CMP case Dynamic Checkers – CCured (dynamic software) – iWatcher (dynamic hardware-assisted) – Assertions NON bug-triggering inputs

17 17 Simulation Parameters

18 18 Applications Tested

19 19 Experimental Results Bug Detection Bugs Detected with NON triggering inputs 21:17 Detected to False Negatives

20 20 Experimental Results: Effect of Consistency Fixing on False Positives Fixing reduces from 13:0.75 to 4:1 False to True Positives

21 21 Experimental Results Coverage Improvement Branch coverage increases from 40% to 65%

22 22 Experimental Results Cumulative Coverage Improvement Random Inputs Last 5 Inputs are given by programmers

23 23 Crash- and Unsafe-Event-Latency 65% - 99% of spawned NT execute for 1000 instructions without crashing or causing unsafe events

24 24 Evaluation: Software Implementation Overhead DANGER: do not attempt this at home (or during this lifetime anyway)

25 25 Evaluation: Hardware Implementation Overhead CMP overhead < 10% If SEQ overhead small, thread spawning and squashing will worsen performance

26 26 Conclusion PathExpander is NOT a dynamic checker – It simply improves coverage by checking both paths – And increases the false positives (4:1 ratio) Software Implementation is waaaaaaaaaaay toooooooooooooooo sloooooooooooooow

27 27 Conclusion A lot of things remain untouched – Where’s the tech report??? – What do they do with speculative L1 lines under eviction? – Fixing is really naïve. A lot of interesting things happen is queues, lists etc that cannot be fixed by the compiler – What kind of ISA? Is it worth it? Thank you! Questions?

Download ppt "PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University."

Similar presentations

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Review of the MIPS Instruction Set Architecture. RISC Instruction Set Basics All operations on data apply to data in registers and typically change the.

Review of the MIPS Instruction Set Architecture. RISC Instruction Set Basics All operations on data apply to data in registers and typically change the.
Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.

Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.
Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.
IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.

IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.
Anshul Kumar, CSE IITD CSL718 : VLIW - Software Driven ILP Hardware Support for Exposing ILP at Compile Time 3rd Apr, 2006.

Anshul Kumar, CSE IITD CSL718 : VLIW - Software Driven ILP Hardware Support for Exposing ILP at Compile Time 3rd Apr, 2006.
Data Dependencies Describes the normal situation that the data that instructions use depend upon the data created by other instructions, or data is stored.

Data Dependencies Describes the normal situation that the data that instructions use depend upon the data created by other instructions, or data is stored.
1 Advanced Computer Architecture Limits to ILP Lecture 3.

1 Advanced Computer Architecture Limits to ILP Lecture 3.
A look at interrupts What are interrupts and why are they needed.

A look at interrupts What are interrupts and why are they needed.
Sim-alpha: A Validated, Execution-Driven Alpha 21264 Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.

Sim-alpha: A Validated, Execution-Driven Alpha Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.
Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.

Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.
Nested Transactional Memory: Model and Preliminary Architecture Sketches J. Eliot B. Moss Antony L. Hosking.

Nested Transactional Memory: Model and Preliminary Architecture Sketches J. Eliot B. Moss Antony L. Hosking.
S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.

S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.
PARALLEL PROGRAMMING with TRANSACTIONAL MEMORY Pratibha Kona.

PARALLEL PROGRAMMING with TRANSACTIONAL MEMORY Pratibha Kona.
Continuously Recording Program Execution for Deterministic Replay Debugging.

Continuously Recording Program Execution for Deterministic Replay Debugging.
Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.

Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.
Chapter 14 Superscalar Processors. What is Superscalar? “Common” instructions (arithmetic, load/store, conditional branch) can be executed independently.

Chapter 14 Superscalar Processors. What is Superscalar? “Common” instructions (arithmetic, load/store, conditional branch) can be executed independently.
CS510 Advanced OS Seminar Class 10 A Methodology for Implementing Highly Concurrent Data Objects by Maurice Herlihy.

CS510 Advanced OS Seminar Class 10 A Methodology for Implementing Highly Concurrent Data Objects by Maurice Herlihy.
Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.

Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.
1  2004 Morgan Kaufmann Publishers Chapter Six. 2  2004 Morgan Kaufmann Publishers Pipelining The laundry analogy.

1  2004 Morgan Kaufmann Publishers Chapter Six. 2  2004 Morgan Kaufmann Publishers Pipelining The laundry analogy.

Similar presentations

Ads by Google