SemTracter extracted most of the RISC-V 32-bit integer base user-level ISA (RV32I) instructions that the RTL implements, and it took 9 hours to extract the semantics. Compared to general purpose architectures, DSAs show higher performance, power and energy efficiency in the target domain (e.g. Deep Neural Network (DNN) [2]), by taking advantage of the parallelism found from the domain. This shows the necessity of the error detection techniques [6,7], which have been found to be highly effective in finding errors of CPU programs, for the programs running on DSAs.
One way to allow DSA programs to benefit from such debugging tools is to have a formal description of the instruction set architecture (ISA) that a DSA implements. Second, most of the manuals are handwritten in natural language, which is not suitable for managing and writing precise specifications. For example, a recent attempt to obtain formal semantics of the x86 ISA [15] discovered several new errors in Intel's manual.
Third, the task of learning and writing formal semantics in the language designed for the purpose has proven challenging. SemTracter takes the processor RTL and some developer annotations as input and generates the formal semantics of ISA in Sail [13]. We show that concholic simulation is a viable means of extracting the instruction semantics from a processor implementation.
We have defined the concept of reset semantics and have shown that the semantics are likely to match the exact semantics of the instruction.
Automatically Extracting ISA Semantics
Symbolic execution
It takes as input the processor in RTL, a set of instruction bit patterns that the processor accepts, and the list of conditions appearing on the instruction semantics along with the desired name. The first and second are used for symbolic simulation, and the last is used to match the name of each state element in the code generator. To identify the set of instructions that the processor implements and extract their semantics, SemTracter follows three steps.
First, it simulates the RTL using the known-up instruction and illegal instruction to learn the corresponding state changes. Second, SemTracter executes on the simulated processor RTL the symbolic instructions it obtains from the instruction patterns one by one, just after the reset, as in the first step (see § 3.4). Finally, SemTracter compiles the semantics represented in tuples of the state name and bit vector expression into the corresponding Sail Description (see § 3.8).
In particular, SemTracter generates three code snippets representing the instruction syntax, encoding and behavior of each instruction, following the common idiom for describing instruction semantics in Sail [13]. The generated code snippets are added to the handwritten skeleton that defines state names or procedures to interact with environments (eg memory). The remainder of this section describes each step in more detail with the corresponding challenges and our design choices to overcome them.
Running Example
Reset Semantics
We use processor reset to ensure that the processor's pipeline is cleared when the target instruction is fetched. Right after the reset, we feed the processor with no instructions to avoid the semantics of an arbitrary instruction being mixed in with that of the target instruction.
Symbolic Simulator
Third, the memory model selectively records the symbolic addresses from which the processor fetches the instruction. Our heuristic of simulating an instruction immediately after reset instantiates the value of the program counter from which the processor first fetches the instruction. For this reason, any address seen from the instruction memory interface that is not linearly larger than the previous one can be considered the result of multiple jumps.
The memory model records such non-linear symbolic addresses and SemTracter uses them to determine whether an instruction causes jumps or not.
Instruction Patterns
Steady state
Illegal instruction behavior
Composing Semantics in Bit-Vector Expressions
Compiling to Sail specification
We delete the existing navigation spec and use the remainder which is memory, fetch, etc.
Evaluation Setup
Coverage
This includes all the arithmetic and memory access instructions that are the heart of DSAs, as well as some unconditional jump instructions. The instructions whose semantics SemTracter failed to extract are classified into four classes. Riscv-sodor Machined-level ISA support privilege, but we haven't tested these instructions yet.
Correctness
The ast mapping is not the same because the reference model handles multiple arithmetic instructions using the same set of code snippets unlike us. The execution function accordingly describes the behavior of multiple arithmetic instructions in the ground truth model. As an example of control flow instructions, we compare the derived semantics of the JAL (jump and link) instruction with the ground truth.
The code snippets with a shaded background are those that represent the semantics of the jal instruction. The yellow parts are jumped value ()PC + EXTS(imm)) By comparing them, we can conclude that the generated semantics match the ground truth. The left side of Figure 9 is the ground truth model found from the sail riscv model which has a complex memory structure.
Apart from these, the generated semantics on the right side of Figure 9 matches the ground truth. To describe memory accesses, Sail requires each model to define its own helper function that represents the memory access and use it. In this comparison, the ground truth model uses the mem_write_vlauefunction and the generated one uses the write function taking address and value as arguments.
Given these, we can conclude that the generated semantics match the ground truth from the matching arguments used to call the functions.
Execution Time
SemTracteris extracts the reset semantics which may not match the exact semantics of the instruction the processor implements. The reset semantics that SemTracter extracted for the sodor-5 matches the exact semantics, but there are at least two scenarios where this may not be the case. The reset semantics for such instructions will either be insufficient or reflect only a subset of the semantics.
That is, if a symbolic instruction to use a state remains concrete in our simulator, the corresponding semantics will not be reflected in our reset semantics. Given instruction patterns that define a symbolic instruction set, SemTracter automatically determined the instruction set that the processor implements and extracted the corresponding semantics into bit vector expressions. SemTracter also compiled the semantics into a Sail description which can be translated into a large set of software analysis tools.
Our evaluation using a simple processor RTL example, sodor-5, shows that through symbolic simulation we can automatically obtain the correct semantics of the instructions. Kaeli et al., “Characterization and exploitation of soft fault vulnerability phase behavior in gpu applications,” IEEE Transactions on Dependable and Secure Computing, 2020. Jeon, “Understanding gpu architectural vulnerability for deep learning workloads,” in 2019 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT).
Kaeli, “A complete key recovery timing attack on a gpu,” in 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2016, pp. Kim, “QSYM: A practical concholic execution engine adapted for hybrid fuzzing,” in 27th USENIX Security Symposium (USENIX Security 18). Pretschner, "Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach," in Proceedings of the 33rd Annual ACM Symposium on Applied Computing, 2018, pp.
Engler et al., "Klee: unassisted and automatic generation of high-coverage tests for complex systems programs." in OSDI, vol. Jha, “FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution,” in 22nd USENIX Security Symposium (USENIX Security 13). Norton-Wright, "The sail instruction-set semantics specification language," Technical report published by Cambridge University, Tech.
Aiken, "Stratificeret syntese: automatisk læring af x86-64 instruktionssættet," i Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2016, s. Sekar, "Extracting instruction semantics via symbolic execution of code generators, ” i Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2016, s.
