undefined unspecified non deterministic and
play

Undefined, Unspecified, Non-deterministic, and Implementation - PowerPoint PPT Presentation

Sep 26, 2022 •369 likes •604 views

Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs Clifford Wolf Symbiotic EDA 8 th RISC-V Workshop Barcelona 7-10 May, 2018 Why and how to not specify something? It is quite usual for a

  1. Undefined, Unspecified, Non-deterministic, and Implementation Defined Behavior in Verifiable Specs Clifford Wolf Symbiotic EDA 8 th RISC-V Workshop Barcelona 7-10 May, 2018

  2. Why and how to not specify something? ● It is quite usual for a specification to have “holes”, cases for which the specification does not specify a behavior. – If the concrete behavior is deemed irrelevant because “nobody should do that anyways”. – And if it might complicate implementations to restrict the range of valid behaviors in certain weird corner cases. ● But: There are many ways not to specify something. – Each spec has it’s own definitions and nomenclature for this. – We do not have that right now for RISC-V. – This presentation aims at starting that conversation. ● A specification in the context of this presentation is one concrete specification, such as RV64G or RV32IC.

  3. Users of an ISA Specification ● Software engineers – Assembler programmers, Compiler writers – Just don’t do anything that’s not specified ● Software security engineers – What can we expect from the hardware if we do the not specified thing anyways? ● Hardware design engineers – Just do something safe and simple for anything that’s not specified – But what exactly does “safe” mean? ● Hardware verification engineers – For HW security reasons we need definitions for what not specified behavior can do – For verification purposes that definition must be falsifiable, or it is meaningless – In many cases (e.g. bounded model checking) it must be falsifiable with short execution traces

  4. Taxonomy of not specified stuff ● Rest of this presentation: – A taxonomy of types of not specified behavior – Using nomenclature borrowed from different domains ● Please don’t be angry at me for using different nomenclature than the one you are used to. ● Example used in the rest of the presentation: – Division by zero (Spoiler: Division by zero is fully defined in RISC-V)

  5. Undefined Behavior ● Undefined behavior is the “just don’t do that!”– approach to not specifying behavior. “software must never divide by zero” “this spec is only valid for programs that do not attempt to divide by zero” “division by zero is undefined” ● This usually means that the spec as a whole is void for any program as a whole if the program attempts to do the not specified thing! ● Undefined behavior is usually the default when the spec just does not mention a specified behavior.

  6. Undefined Behavior: Can a correct implementation produce the following trace? ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ...

  7. Undefined Behavior: Can a correct implementation produce the following trace? div t1, t0, zero ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ...

  8. Undefined Behavior: Can a correct implementation produce the following trace? div t1, t0, zero mv t1, zero no data dependency! ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ...

  9. Undefined Behavior: Can a correct implementation produce the following trace? ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ... div t1, t0, zero

  10. Undefined Behavior: Can a correct implementation produce the following trace? ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ... Conclusion: Specs that contain any Undefined Behavior are extremely hard to falsify and therefore a big problem in verification.

  11. Undefined Value ● Formally introduce a special “undefined” value that is used as the result of not specified operations. – Undefined values propagate to the results when used as arguments to operations. – Think: x-state in Verilog or VHDL “division by zero returns an undefined value” “the result of division by zero is undefined” ● When tracing a real implementation, an undefined value can be observed as any concrete value. ● Much better than undefined behavior from a security perspective. ● Still very problematic in terms of falsifiability.

  12. Undefined Value: Can a correct implementation produce the following trace? ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ...

  13. Undefined Value: Can a correct implementation produce the following trace? div a0, t0, zero ... ← xor a1, a0, a0 ; a1 0x12345678 ← mv a2, a1 ; a2 0xffffffff bgeu a2, zero, <label> ; does not branch ...

  14. Non-deterministic Behavior Unpredictable Behavior ● Allow more than one behavior, and which behavior is used is determined at runtime in a unpredictable manner. – This means the same program run twice might not return the same result each time. – Usually used for things like ordering of concurrent events, such as concurrent memory accesses from multiple hearts. “division by zero returns an unpredictable result”

  15. Unspecified Value Unspecified Behavior ● Unspecified Value: The instruction will not do anything crazy and just return a value, the spec just doesn’t say which value “division by zero returns an unspecified value” ● Unspecified Behavior: The instruction will not do anything crazy and behave within reasonable bounds outlined somewhere in the spec. Usually a spec contains a chapter or appendix for that. – This might include options like not writing to the destination register. – The “reasonable bounds” for unspecified behavior should be specified in terms of architectural state. Otherwise it is not verifiable. – Handwavy bounds such as “must not compromise security” are useless!

  16. Implementation Defined Behavior / Value ● Similar to Unspecified Value / Behavior, but the implementation must document which behavior is implemented. “division by zero returns an implementation defined value” ● The spec must describe what the bounds for implementation defined behavior are

  17. Fully Specified Behavior ● In many cases the best choice is to just specify a behavior, even in cases that are rarely hit by software. “division by zero returns -1 (all bits set)”

  18. Specification holes in RISC-V Spec ● Volume I: User-Level ISA, Version 2.2 – Almost everything is fully specified – Exceptions: ● Non-determinism used as necessary in memory model ● Support for unaligned memory access is implementation defined behavior . ● V-extension vector length is implementation defined . ● F/D/Q-extensions used to have more implementation defined behavior, but that has been eliminated in recent revisions of the specification. ● Volume II: Privileged Architecture, Version 1.10 – CSRs contain many optional (thus implementation defined ) bits and features. – Especially in M-mode there are a couple of instances of undefined behavior , mostly implicit by omission of specified behavior.

  19. Conclusion (1/2) ● Undefined Behavior, Undefined Value – Leads to incredibly hard to falsify specs! – Therefore they should not be used in specs for verifiable systems! ● Non-determinism – Leads to non-reproducible test results – Complicates verification if some cases are rare – Should only be used when absolutely necessary – For example for multi-threaded memory access

  20. Conclusion (1/2) ● Undefined Behavior, Undefined Value – Leads to incredibly hard to falsify specs! – Therefore they should not be used in specs for verifiable systems! ● Non-determinism – Leads to non-reproducible test results – Complicates verification if some cases are rare – Should only be used when absolutely necessary – For example for multi-threaded memory access

  21. Conclusion (2/2) ● Unspecified – No definitive “known good” reference to compare against – Complicates testing and formal verification – Usually leads to “unofficial implementation defined behavior” ● Implementation defined – In many cases as good as fully specified – Just need to make the reference implementation parameterizable ● Fully specified behavior – Should be preferred whenever there is no good reason for any of the above

  22. Conclusion (2/2) ● Unspecified – No definitive “known good” reference to compare against – Complicates testing and formal verification – Usually leads to “unofficial implementation defined behavior” ● Implementation defined – In many cases as good as fully specified – Just need to make the reference implementation parameterizable ● Fully specified behavior – Should be preferred whenever there is no good reason for any of the above

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Conditional Inference Functions for Mixed-Effects Models with Unspecified Random-Effects

Conditional Inference Functions for Mixed-Effects Models with Unspecified Random-Effects

Conditional Inference Functions for Mixed-Effects Models with Unspecified Random-Effects Distribution Annie Qu Joint Work with Peng Wang and Cindy Tsai Department of Statistics University of Illinois at Urbana-Champaign International Workshop

772 views • 33 slides
STI, BBV and HIV Epidemiology Update Period Ending 2 nd Quarter 2020 Byron Minas and Kellie

STI, BBV and HIV Epidemiology Update Period Ending 2 nd Quarter 2020 Byron Minas and Kellie

STI, BBV and HIV Epidemiology Update Period Ending 2 nd Quarter 2020 Byron Minas and Kellie Mitchell Communicable Disease Control Directorate Department of Health Number of chlamydia, gonorrhoea, unspecified hepatitis B &amp; unspecified

162 views • 14 slides
From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

Outline Chaotic maps Deterministic diffusion End From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer Klages Queen Mary University of London, School of Mathematical Sciences Sperlonga, 20-24

465 views • 29 slides
Epidemiology Update Period Ending 1st Quarter 2019 Byron Minas and Kellie Mitchell Communicable

Epidemiology Update Period Ending 1st Quarter 2019 Byron Minas and Kellie Mitchell Communicable

STI, BBV &amp; HIV Epidemiology Update Period Ending 1st Quarter 2019 Byron Minas and Kellie Mitchell Communicable Disease Control Directorate Department of Health Number of chlamydia, gonorrhoea, unspecified hepatitis B &amp; unspecified

733 views • 14 slides
If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics Spoilers GPUs/FPGAs/CPUs/ASICs ad nauseum AMBER Molecular Dynamics Determinism Matters Multi-GPU Servers Neural Networks

1.04k views • 68 slides
Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a

Euclidean Geometry Introduction Undefined Terms A point is like a dot, only smaller. It has a location but no size. A line is like a drawn line, only thinner, straighter and longer. It extends through all space along a specific direction but

784 views • 49 slides
ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined

C ARBON ON M ARKE TS VE SUS J UST ST KETS VERSU T RANSITI ON NSITION By: KENFACK Chrislain Eric I DEAS ABOUT NATURE Nature as an external undefined entity, associated to the idea of transcendence Williams calls primitive condition before

571 views • 12 slides
Chilean Jack Mackerel, Jack Mackerel and Unspecified Mackerel and Vessel Data Received by the

Chilean Jack Mackerel, Jack Mackerel and Unspecified Mackerel and Vessel Data Received by the

CHJMWS pap #26 CHILEAN JACK MACKEREL WORKSHOP Chilean Jack Mackerel, Jack Mackerel and Unspecified Mackerel and Vessel Data Received by the Interim Secretariat to Date (as at 1 July 08) Susie Iball, Interim Secretariat of SPRFMO Table 1:

618 views • 8 slides
Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju

Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju

PLDI 2017 Barcelona Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim Seoul National Univ. Youngju Song Chung-Kil Hur Sanjoy Das Azul Systems Google David Majnemer University of Utah John Regehr Nuno P. Lopes Microsoft

843 views • 65 slides
Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation of deterministic approaches Continuous, deterministic models cant cope with: 1. Sensitivity to a very small number of molecules 2. Protein

1.14k views • 66 slides
Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in non-deterministic We can define a Deterministic PDA (DPDA) as follows: Determinism Let M = (Q, , , , q 0 , Z 0 , F) be a PDA M is

159 views • 3 slides
A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel programming models Deterministic Non-deterministic Implicit FDIP par/pseq Strategies ??? Concurrent Haskell Explicit The Par Monad Par is a monad for

1.2k views • 35 slides
Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic Deterministic Deterministic Phenomena There exists a mathematical model that allows perfect prediction the phenomenas outcome.

1.47k views • 113 slides
Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship

Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship

Defined and Undefined Roles for Taiwans Legislative Yuan Chung-li Wu Part 1 The Relationship between the Legislative and the Executive Yuan (1) Consent of Appointment From Article 55 of ROC Constitution The Prime Minister of the

843 views • 28 slides
Impact on the region Capt. Sukhjit Singh, MTCC Caribbean Estimated Mix Unspecified Plans, 2%

Impact on the region Capt. Sukhjit Singh, MTCC Caribbean Estimated Mix Unspecified Plans, 2%

Summary of options and Impact on the region Capt. Sukhjit Singh, MTCC Caribbean Estimated Mix Unspecified Plans, 2% Alternative Fuels, Low Sulphur Fuel Oil 5% Scrubber, 19% Scrubber Alternative Fuels Low Sulphur Fuel Oil, 74%

433 views • 7 slides
Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles St-Quentin en Yvelines Antoine Vigneron INRA Jouy-en-Josas Lower Bounds for Geometric Diameter Problems p.1/40 Outline Review of previous work on

563 views • 40 slides
Data-Flow Based Detection of Loop Bounds Christoph Cullmann Florian Martin AbsInt GmbH

Data-Flow Based Detection of Loop Bounds Christoph Cullmann Florian Martin AbsInt GmbH

Data-Flow Based Detection of Loop Bounds Christoph Cullmann Florian Martin AbsInt GmbH Motivation Most time-critical programs on embedded systems contain loops We need WCET calculations for them Loop bounds are needed to calculate the WCET

626 views • 27 slides
I/O Lower Bounds and Algorithms for Matrix-Matrix Multiplication Tyler M. Smith July 5, 2017 1

I/O Lower Bounds and Algorithms for Matrix-Matrix Multiplication Tyler M. Smith July 5, 2017 1

I/O Lower Bounds and Algorithms for Matrix-Matrix Multiplication Tyler M. Smith July 5, 2017 1 / 69 Introduction Dense matrix-matrix multiplication (MMM) Goal: Reduce I/O cost for machines with hierarchical memory Novel

926 views • 69 slides
Memory Hierarchy Optimizations and Performance Bounds for Sparse Richard Vuduc, Attila

Memory Hierarchy Optimizations and Performance Bounds for Sparse Richard Vuduc, Attila

Memory Hierarchy Optimizations and Performance Bounds for Sparse Richard Vuduc, Attila Gyulassy, James Demmel, Katherine Yelick Monday, June 2, 2003 Berkeley Benchmarking and OPtimization (BeBOP) Project

732 views • 43 slides
Theory of Computer Science B4. Predicate Logic I Gabriele R oger University of Basel March

Theory of Computer Science B4. Predicate Logic I Gabriele R oger University of Basel March

Theory of Computer Science B4. Predicate Logic I Gabriele R oger University of Basel March 9, 2020 Motivation Syntax Semantics Free/Bound Variables Summary Logic: Overview Propositional Logic Logic Predicate Logic Motivation

594 views • 57 slides
Parametric LTL Games Martin Zimmermann RWTH Aachen University February 25th, 2010 AlMoTh 2010

Parametric LTL Games Martin Zimmermann RWTH Aachen University February 25th, 2010 AlMoTh 2010

Parametric LTL Games Martin Zimmermann RWTH Aachen University February 25th, 2010 AlMoTh 2010 Frankfurt am Main, Germany Martin Zimmermann RWTH Aachen University Parametric LTL Games 1/18 Motivation We consider infinite games with winning

628 views • 38 slides
Pure Type Systems without Explicit Contexts Robbert Krebbers Joint work with Herman Geuvers,

Pure Type Systems without Explicit Contexts Robbert Krebbers Joint work with Herman Geuvers,

Pure Type Systems without Explicit Contexts Robbert Krebbers Joint work with Herman Geuvers, James McKinna and Freek Wiedijk Institute for Computing and Information Science Faculty of Science, Radboud University Nijmegen and Faculty of

990 views • 41 slides
Reasoning in Abella about Structural Operational Semantics Specifications Andrew Gacek 1 Dale

Reasoning in Abella about Structural Operational Semantics Specifications Andrew Gacek 1 Dale

Reasoning in Abella about Structural Operational Semantics Specifications Andrew Gacek 1 Dale Miller 2 Gopalan Nadathur 1 1 Department of Computer Science and Engineering University of Minnesota 2 INRIA Saclay - le-de-France &amp; LIX/cole

314 views • 17 slides

More recommend