Virtual Fault Space Abstraction

This is a large change that will break your traces and your database
layouts. However, it repairs a lot of ad-hoc hacks that came into
FAIL* over the years.

What has changed?
=================

The Virtual Fault Space Abstraction
-----------------------------------
Files: sal/faultspace/*
       sal/x86/X86Faultspace.*
       sal/arm/ArmFaultSpace.*

Instead of mapping registers ad-hoc into the virtual address space in
order to smuggle the bit-packed register-id from import-trace through
prune-trace and DatabaseCampaign to the DatabaseExperiment, we make
this mapping now official and adaptable to more complex architectures.

From now on the data_address field in the database is a fsp_address_t.
These addresses are translated by the FS abstraction within the
importer, which uses the architecture specific description of the
virtual fault space.

Within our whole tool chain, we now only work with fault-space
addresses, which are the Y-axis of our fault space.

When the fault-space address is about to be injected, we decode the
numerical address to a FaultSpaceElement*, which knows how to inject a
fault into itself. Thereby, we can unify the injection over different
types of machine state and support multiple memory types.

Furthermore, this simplifies import-trace and the DatabaseExperiment
significantly.

A detailed description of can be found in Malte Bargholz' Master thesis[1]

Bit-Wise Pruning
----------------
Files: tools/import-trace/Importer.cc

Until now, every state (register/memory) access had to be at least 8
bits wide. While this is good for memory reads, which always access at
least a whole byte, this is not properly working for register
accesses. Especially, for our integration of more complex CPU
architectures (i.e., CHERI), we have to have bit-wise pruning to
inject only single tag bits instead of injecting always 8 tag bits.

Therefore, this change introduces bit-wise pruning for our importer.
Instead of tracking only a single left margin for every fault-space
address, we now track up to 8 different margins that are associated
with an access mask. Thereby, the importer (which is effectively a
def-use pruner) has to handle up to 8 left margins when accessing a
byte with an access mask of 0xff.

A detailed description of can be found in Malte Bargholz' Master thesis[1]

Unification of Disassembler Interface
-------------------------------------
The integration of the capstone disassembler into the RegisterImporter
was more or less a clone-and-own integration. However, as both
disassemblers basically perform the same task, a common interface is
possible.

Furthermore, the *FailTo*Translator* classes are no longer used for
injecting registers as the dissassembler has nothing to do with the
injector. This task is no performed by the virtual fault space.

This change was tested with:
 - The integrated test-suite
 - The fail-target repo and injection of register,memory,EIP,randomjump
 - Both disassemblers

Currently untested:
 - Gem5

[1] Quantifying Soft-Error Resilience of Embedded RISC-V Systems with Capability-based Memory Protection
    https://www.sra.uni-hannover.de/Theses/2020/bargholz_20_ma.pdf

Co-authored-by: Christian Dietrich <dietrich@sra.uni-hannover.de>
Co-authored-by: Malte Bargholz <malte@screenri.de>

Author: stettberger

.editorconfig

@@ -8,7 +8,7 @@ root = true
 end_of_line = lf
 insert_final_newline = true
 
-[{**/*.cc,**/*.hpp,**/*.ah,**/*.ah.in,**/*.proto}]
+[{**/*.cc,**/*.cpp,**/*.hpp,**/*.ah,**/*.ah.in,**/*.proto}]
 indent_style = tab
 indent_size = 4
 

src/core/comm/DatabaseCampaignMessage.proto.in

@@ -22,14 +22,12 @@ message DatabaseCampaignMessage {
 
     required InjectionPointMessage injection_point	= 10 [(sql_ignore) = true];
 
-    required bool inject_bursts				= 11 [default = false];
-    enum RegisterInjectionMode {
-        OFF = 0;
-        AUTO = 1;
-        FORCE = 2;
-        RANDOMJUMP = 3;
+    enum InjectionMode {
+        BITFLIP    = 0;
+        BURST      = 1;
+        RANDOMJUMP = 2;
     }
-    optional RegisterInjectionMode register_injection_mode = 12 [default = OFF];
+    optional InjectionMode injection_mode = 11 [default = BITFLIP];
 }
 
 message DatabaseExperimentMessage {

src/core/cpn/DatabaseCampaign.cc

@@ -49,13 +49,7 @@ bool DatabaseCampaign::run() {
 	CommandLine::option_handle BURST =
 		cmd.addOption("","inject-bursts", Arg::None,
 			"--inject-bursts \tinject burst faults (default: single bitflips)");
-	CommandLine::option_handle REGISTERS =
-		cmd.addOption("","inject-registers", Arg::None,
-			"--inject-registers \tinject into ISA registers (default: memory)");
-	CommandLine::option_handle REGISTERS_FORCE =
-		cmd.addOption("","force-inject-registers", Arg::None,
-			"--force-inject-registers \tinject into ISA registers only, ignore high addresses");
-	CommandLine::option_handle REGISTERS_RANDOMJUMP =
+	CommandLine::option_handle RANDOMJUMP =
 		cmd.addOption("","inject-randomjumps", Arg::None,
 			"--inject-randomjumps \tinject random jumps (interpret data_address as jump target, as prepared by RandomJumpImporter)");
 
@@ -105,27 +99,16 @@ bool DatabaseCampaign::run() {
 	}
 
 	if (cmd[BURST]) {
-		m_inject_bursts = true;
+		m_injection_mode = DatabaseCampaignMessage::BURST;
 		log_send << "fault model: burst" << std::endl;
+	} else if (cmd[RANDOMJUMP]) {
+		m_injection_mode = DatabaseCampaignMessage::RANDOMJUMP;
+		log_send << "fault model: randomjump" << std::endl;
 	} else {
-		m_inject_bursts = false;
+		m_injection_mode = DatabaseCampaignMessage::BITFLIP;
 		log_send << "fault model: single-bit flip" << std::endl;
 	}
 
-	if (cmd[REGISTERS] && !cmd[REGISTERS_FORCE]) {
-		m_register_injection_mode = DatabaseCampaignMessage::AUTO;
-		log_send << "register injection: auto" << std::endl;
-	} else if (cmd[REGISTERS_FORCE]) {
-		m_register_injection_mode = DatabaseCampaignMessage::FORCE;
-		log_send << "register injection: on" << std::endl;
-	} else if (cmd[REGISTERS_RANDOMJUMP]) {
-		m_register_injection_mode = DatabaseCampaignMessage::RANDOMJUMP;
-		log_send << "register injection: randomjump" << std::endl;
-	} else {
-		m_register_injection_mode = DatabaseCampaignMessage::OFF;
-		log_send << "register injection: off" << std::endl;
-	}
-
 	if (cmd[PRUNER]) {
 		m_fspmethod = std::string(cmd[PRUNER].first()->arg);
 	} else {
@@ -219,8 +202,6 @@ bool DatabaseCampaign::run_variant(Database::Variant variant) {
 	MYSQL_ROW row = mysql_fetch_row(count);
 	experiment_count = strtoul(row[0], NULL, 10);
 
-
-
 	MYSQL_RES *pilots = db->query_stream ((sql_select + sql_body).c_str());
 	if (!pilots) {
 		exit(1);
@@ -237,7 +218,7 @@ bool DatabaseCampaign::run_variant(Database::Variant variant) {
 	ConcreteInjectionPoint ip;
 
 	unsigned sent_pilots = 0, skipped_pilots = 0;
-    unsigned long long expected_injections = 0;
+	unsigned long long expected_injections = 0;
 	while ((row = mysql_fetch_row(pilots)) != 0) {
 		unsigned pilot_id        = strtoul(row[0], NULL, 10);
 		unsigned injection_instr = strtoul(row[1], NULL, 10);
@@ -246,13 +227,17 @@ bool DatabaseCampaign::run_variant(Database::Variant variant) {
 		unsigned instr1          = strtoul(row[5], NULL, 10);
 		unsigned instr2          = strtoul(row[6], NULL, 10);
 
-        unsigned expected_results = m_inject_bursts ? 1 : __builtin_popcount(data_mask);
+		unsigned expected_results = __builtin_popcount(data_mask);
+		if (m_injection_mode == DatabaseCampaignMessage::BURST
+			|| m_injection_mode == DatabaseCampaignMessage::RANDOMJUMP)
+			expected_results = 1;
+
 		if (existing_results_for_pilot(pilot_id) == expected_results) {
 			skipped_pilots++;
 			campaignmanager.skipJobs(1);
 			continue;
 		}
-        expected_injections += expected_results - existing_results_for_pilot(pilot_id);
+		expected_injections += expected_results - existing_results_for_pilot(pilot_id);
 
 
 		DatabaseCampaignMessage pilot;
@@ -271,16 +256,15 @@ bool DatabaseCampaign::run_variant(Database::Variant variant) {
 		}
 		pilot.set_data_address(data_address);
 		pilot.set_data_mask(data_mask);
-		pilot.set_inject_bursts(m_inject_bursts);
-		pilot.set_register_injection_mode(m_register_injection_mode);
+		pilot.set_injection_mode(m_injection_mode);
 
 		this->cb_send_pilot(pilot);
 
 		if ((++sent_pilots) % 10000 == 0) {
 			log_send << "pushed " << sent_pilots << " pilots into the queue" << std::endl;
 		}
 	}
-    log_send << "expecting " << expected_injections << " injections to take place." << std::endl;
+	log_send << "expecting " << expected_injections << " injections to take place." << std::endl;
 
 	if (*mysql_error(db->getHandle())) {
 		log_send << "MYSQL ERROR: " << mysql_error(db->getHandle()) << std::endl;

src/core/cpn/DatabaseCampaign.hpp

@@ -39,8 +39,7 @@ class DatabaseCampaign : public Campaign {
 	id_map completed_pilots; // !< map: Pilot IDs -> result count
 #endif
 
-	bool m_inject_bursts; // !< inject burst faults?
-	DatabaseCampaignMessage::RegisterInjectionMode m_register_injection_mode; // !< inject into registers? OFF, ON, AUTO (= use registers if address is small)
+	DatabaseCampaignMessage::InjectionMode m_injection_mode; // !< How should we inject?
 
 public:
 	DatabaseCampaign() {};