Will My Program Break on This Faulty Processor?: Formal Analysis of Hardware Fault Activations in Concurrent Embedded Software

Published: 08 October 2019

Abstract

Formal verification is approaching a point where it will be reliably applicable to embedded software. Even though formal verification can efficiently analyze multi-threaded applications, multi-core processors are often considered too dangerous to use in critical systems, despite the many benefits they can offer. One reason is the advanced memory consistency model of such CPUs. Nowadays, most software verifiers assume strict sequential consistency, which is also the naïve view of programmers. Modern multi-core processors, however, rarely guarantee this assumption by default. In addition, complex processor architectures may easily contain design faults. Thanks to recent advances in hardware verification, these faults are increasingly visible and can be detected even in existing processors, giving an opportunity to compensate for the problem in software. In this paper, we propose a generic approach that accounts for inconsistent hardware behavior in the analysis of software. Our approach is based on formal methods and can be used to detect the activation of existing hardware faults at the application level and to facilitate their mitigation in software. The approach relies heavily on recent results in model checking and hardware verification and offers new, integrative research directions. We propose a partial solution based on existing model checking tools to demonstrate feasibility and evaluate their performance in this context.
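The gap between the sequential-consistency assumption and real hardware that the abstract describes can be made concrete with a small explicit-state exploration of the classic store-buffering litmus test. The following is an added example, not code from the paper or its tool chain: it enumerates every final register outcome once under strict sequential consistency and once with per-core FIFO store buffers (a TSO-style model, constructed here as a hypothetical hardware behavior), showing the outcome that an SC-assuming verifier never examines.

```python
from collections import deque

# Store-buffering (SB) litmus test, constructed here. Each thread is a tuple of
# (op, shared variable, register-or-value).   T0: x = 1; r0 = y   T1: y = 1; r1 = x
SB_TEST = (
    (("store", "x", 1), ("load", "y", "r0")),
    (("store", "y", 1), ("load", "x", "r1")),
)

def freeze(pcs, mem, bufs, regs):
    return (pcs, tuple(sorted(mem.items())), bufs, tuple(sorted(regs.items())))

def successors(pcs, mem, bufs, regs, prog, store_buffers):
    """All states reachable in one step. bufs[t] is thread t's FIFO of pending stores."""
    for t in range(len(prog)):
        # Hardware step: the oldest pending store of core t becomes globally visible.
        if store_buffers and bufs[t]:
            (var, val), rest = bufs[t][0], bufs[t][1:]
            yield pcs, {**mem, var: val}, bufs[:t] + (rest,) + bufs[t + 1:], regs
        if pcs[t] >= len(prog[t]):
            continue
        op, var, arg = prog[t][pcs[t]]
        new_pcs = pcs[:t] + (pcs[t] + 1,) + pcs[t + 1:]
        if op == "store" and store_buffers:   # store parked in the core-local buffer
            yield new_pcs, mem, bufs[:t] + (bufs[t] + ((var, arg),),) + bufs[t + 1:], regs
        elif op == "store":                   # SC: store is immediately visible to all
            yield new_pcs, {**mem, var: arg}, bufs, regs
        else:                                 # load: own buffered store wins (forwarding)
            own = [v for w, v in bufs[t] if w == var]
            yield new_pcs, mem, bufs, {**regs, arg: own[-1] if own else mem[var]}

def final_outcomes(prog, store_buffers):
    """Breadth-first exploration; returns every register outcome at termination
    (all program counters at the end, all store buffers drained)."""
    init = ((0,) * len(prog), {v: 0 for th in prog for _, v, _ in th}, ((),) * len(prog), {})
    seen, todo, outcomes = {freeze(*init)}, deque([init]), set()
    while todo:
        pcs, mem, bufs, regs = todo.popleft()
        if all(pc == len(th) for pc, th in zip(pcs, prog)) and not any(bufs):
            outcomes.add(tuple(sorted(regs.items())))
        for nxt in successors(pcs, mem, bufs, regs, prog, store_buffers):
            if freeze(*nxt) not in seen:
                seen.add(freeze(*nxt))
                todo.append(nxt)
    return outcomes

if __name__ == "__main__":
    sc, tso = final_outcomes(SB_TEST, False), final_outcomes(SB_TEST, True)
    print("reachable under SC:", sorted(sc))
    print("reachable only with store buffers:", sorted(tso - sc))  # r0 = r1 = 0
```

Replacing the `store_buffers` flag with a model of a specific, documented hardware erratum is the step that turns this from a memory-model check into the fault-activation analysis the paper proposes.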

