If any illegal transition is found, the low-level analysis
scrutinizes the PC register with the instruction that made an
illegal transition.
3. 3. Low-level analysis
The low-level analysis involves asking a series of micro-architectural-specific questions according to the decision
diagram. We present a simple example by tracing one of
the paths in the decision diagram.
Consider an example where a segfault (Section 2. 2)
during instruction access was detected, and the fourth
illegal transition of the control-flow analysis was identified. We also assume that R5 shown in Figure 5 was
the register used for the register-indirect transition.
Instructions B and C have producer–consumer relationship: B writes its result in to register R0, and C uses a
value from register R0.
The first question in the decision diagram is whether
C consumed the value B produced. The execute-stage
recorder contains the residues of results and the issue-stage recorder contains the residues of operands of
instructions. Comparing the two values during post-analysis shows that they do not match; i.e., B produced a value
with residue of 5, while C received a value with residue of
3. This is clearly a problem.
The second question in the decision diagram is
whether C and B used the same physical register to pass
along the value. Analysis of the contents of the dispatch-stage recorder, which records the physical register name,
reveals that B wrote its results into physical register P2,
while C read its operand value from physical register P5,
and they are not the same as shown in Figure 6.
There is again a problem, and the third question in the
decision diagram asks whether C used a value produced
by the previous producer (instruction that wrote its result
into register R0 prior to the immediate producer) of register R0. Instruction A in Figure 7 is the previous producer
of register R0 and analysis of the contents of the dispatch-stage recorder reveals that indeed that is the case.
Asking several more questions leads to the bug location and the exposing stimulus shown in Figure 8. The
instruction trace between instruction A and instruction
B is responsible for stimulating the bug, and the trace
figure 5. first question in the low-level analysis example: Did c
consume the value B produced? Answer: no
Execute-stage
recorder
R0 = 5
(A)
Producer of R0
Issue-stage
recorder
R0 = 3
(B)
(C)
… … ……
R0 fl R0 + R6
R0 fl R3 + R6
R0 fl R1 + R2
Consumer of R0
Serial execution trace
afterwards is responsible for propagating the bug to an
observation point such as a soft post-trigger.
4. ResuLts
We evaluated IFRA by injecting errors into a microarchitectural simulator2 augmented with IFRA. For an Alpha
21264 configuration (4-way pipeline, 64 maximum
instructions in-flight, 2 ALUs, 2 multipliers, 2 load/store
figure 6. second question asked in the low-level analysis example:
Did c and B use the same physical register to pass along the value?
Answer: no
Dispatch-stage
recorder (A)
R0 ‡ P2
R0 fl P5
(C)
…………
R0 fl R0 + R6
R0 fl R1 + R2
(B) R0 fl R3 + R6
Producer of R0
Consumer of R0
Serial execution trace
figure 7. third question asked in the low-level analysis example:
Did c and A use the same physical register to pass along the value?
Answer: Yes
Dispatch-stage
recorder (A)
(B)
(C)
…………
R0 fl R0 + R6
R0 fl R3 + R6
R0 fl R1 + R2
Serial execution trace
Previous producer of R0
R0 ‡ P5
R0 fl P5
Producer of R0
Consumer of R0
figure 8. Bug location (enclosed in grey area – includes part of the
decoder responsible for decoding the architectural destination
register, the write circuitry into a register mapping table, and all the
pipeline registers in between) shown on the left and the exposing
stimulus shown on the right.
Pipeline register
(A)
Pipeline register
Decoder
Arch. Dest. Reg
…
R0 P5
P3
-
(B)
R1
