Professional Documents
Culture Documents
Conformance Checking
AbstractDirect Memory Access (DMA) interfaces are a com- HW/SW interfaces and automatically detect and analyze inter-
mon and important component of Hardware/Software (HW/SW) face bugs. For most peripheral devices, I/O interfaces based
interfaces between peripheral devices and their device drivers. on Direct Memory Access (DMA) are a critical part of their
We present a HW/SW co-validation framework to validate DMA HW/SW interfaces. For example, in Intel EERPO100 Ethernet
interface implementations of a device and its driver. This frame- adapter specication [11], 25% of all pages describe the
work employs a virtual prototype of the device as a reference
DMA interface implementations. Therefore, DMA interface
model and performs co-validation in two stages: (1) conformance
checking which checks the DMA interface conformance between validation is a critical task in HW/SW co-validation.
the device and its virtual prototype; (2) property checking which Recently, virtual prototyping has emerged as a promising
checks device/driver interactions across the DMA interface. In
conformance checking, the virtual prototype infers the device
technique to enable early software development. A virtual
state transitions by taking the same driver request sequence to prototype is a system-level, executable software model of a
the device. Property checking veries system properties over the hardware device with full observability. The device interface
device state transitions exposed through the virtual prototype. modeled by the virtual prototype is required to be functionally
This framework assists HW/SW integration validation by detect- equivalent to that of the silicon device. Thus, virtual prototypes
ing DMA interface bugs in both devices and drivers. Furthermore, have major potential in facilitating HW/SW co-validation.
we have developed three key techniques: capture-on-write policy,
partial capture, and environmental input prediction, to address In this paper, we present a HW/SW co-validation frame-
two major challenges in scaling the framework: DMA capture work for validating the DMA interface of a device and its
overhead and imprecise environmental input simulation. We have driver. We utilize the virtual prototype of the device as a refer-
applied this approach to four Ethernet adapters, discovering ence model in validating the DMA interface. The framework
12 serious DMA interface bugs from the devices, their virtual conducts co-validation in two stages: conformance checking
prototypes and their drivers. The results demonstrate that our ap- and property checking. Conformance checking checks the
proach has major potential in facilitating HW/SW co-validation. DMA interface conformance between the device and its vir-
tual prototype, thereby validating the DMA interface imple-
I. I NTRODUCTION mentations of both. The general work ow of conformance
Post-silicon validation is a critical stage in the development checking has three steps: (1) recording the driver requests to
cycle of computing systems. In this stage, not only hardware the device and the device interface state before each request;
silicon validation is conducted, but also hardware/software (2) executing the virtual prototype with the recorded driver
(HW/SW) integration validation. A recent study [2] indicates request sequence; (3) checking if there are any inconsistencies
that the cost of HW/SW integration validation has increased in interface states between the device and the virtual prototype.
signicantly. As the complexities of systems grow, there are Through conformance checking, the virtual prototype shadows
several key challenges in the post-silicon integration validation: the device execution. Property checking leverages the virtual
prototype to expose the device state transitions and veries
1) Lack of HW/SW interface observation. HW/SW the properties related to the device/driver interactions across
integration validation often relies on testing the en- the DMA interface. By checking the properties, invalid driver
tire system with high-level application test scenarios. inputs to the DMA interface are detected.
However, HW/SW interfaces are often not sufciently
observed and certain interface bugs escape detection. In general, a device interface includes interface regis-
2) Difculty in attributing HW/SW interface bugs. ters and the DMA interface. Previous work [15] present
When a bug is discovered in HW/SW integration an approach to conformance checking over device interface
validation, it is often unclear if it is a hardware bug registers. In our framework, we extend this approach to
or a software bug due to the close involvement and conformance checking over both interface registers and the
interaction of both hardware and software. DMA interface. Our extended approach detects not only DMA
3) Difculty in debugging HW/SW interfaces. Hard- interface bugs but also new bugs in interface registers whose
ware interacts with its control software frequently, values have dependencies on DMA interface state. However,
producing a huge number of I/O events. To trou- the straightforwardly extended conformance checking is not
bleshoot, the engineers usually have to sift through scalable to complicated device designs due to two limitations:
thousands of I/O events and analyze them manually.
1) Large overheads of recording DMA interface
Given the ubiquity and seriousness of these challenges, it states. A DMA interface is essentially a shared
is highly desired to develop systematic methods to validate memory between the device and its driver. The size of
the DMA interface can be fairly large. For example, excerpts from the QEMU virtual device of Intel eepro100
the Intel e1000 Ethernet adapter has 8 MB DMA Ethernet adapter. Function eepro100 write1 and function
memory. Therefore, recording the DMA interface nic receive are module functions, modeling how the device
state, i.e., DMA memory state, under each driver responds to the driver request and receives packets respectively.
request may heavily degrade system performance.
2) Missed bugs due to imprecise environmental input typedef struct EEPRO100State_st {
PCIDevice dev;
simulation. A large part of DMA-based I/O involves uint8_t mem[PCI_MEM_SIZE];
handling the environmental inputs, e.g., receiving ......
data in an Ethernet adapter. As conformance checking } EEPRO100State;
does not record environmental inputs, it cannot simu-
static void
late the DMA operations under environmental inputs eepro100_write1(EEPRO100State * s,
precisely on the virtual prototype. As a result, some uint64_t addr, uint8_t val)
DMA interface bugs are often missed (cf. Section IV). {
s->mem[addr] = val;
We present three key techniques, addressing the challenges eepro100_write_command(s, val);
above: (1) record-on-write policy which records the DMA ......
}
interface state only when it is updated; (2) partial record
which records part of a FIFO ring-based DMA memory instead static ssize_t
of the complete ring; (3) environmental input prediction nic_receive(VLANClientState *nc,
which predicts when the device receives inputs from its ex- const uint8_t *buf, size_t size)
ternal environment, thereby facilitating precise simulation of {
... ...
the device behaviors on the virtual prototype. The rst two }
techniques reduce recording overheads. The last helps discover
DMA interface bugs related to environmental inputs. Fig. 1: Excerpts from QEMU eepro100 virtual device
We have applied our framework to four Ethernet adapters
Categories of Device Modules. The modules in a virtual
and their drivers using their virtual prototypes from QEMU [4].
prototype fall into two categories: (1) the modules responding
Our approach has discovered 12 bugs in DMA interface
to driver requests; (2) the modules handling external environ-
implementations of the devices, their virtual prototypes, and
ment inputs. We refer to them as Command Module (CM)
their drivers. Moreover, the techniques for reducing recording
and Environment Module (EM) respectively, e.g., function
overheads make our framework applicable to two devices with
eepro100 write4 is a CM and function nic receive an EM.
complicated designs.
In summary, this paper makes following key contributions: B. Conformance Checking over Interface Registers
1) The paper presents a HW/SW co-validation frame- This section reviews a previous approach [15] to con-
work for DMA interface implementations of devices formance checking over device interface registers between a
and their drivers using their virtual prototypes. device and its virtual prototype. Our new framework follows a
2) Besides validating the DMA interface implementa- similar work ow and extends it to checking DMA interfaces.
tions, our extended conformance checking further 1) Symbolic execution: Conformance checking utilizes
validates interface registers related to the DMA in- symbolic execution [13] to simulate the virtual prototype. It
terface (see details in Section III-C). leverages symbolic execution to overcome the limited observ-
3) The three key optimizing techniques make our frame- ability of hardware silicon. In HW/SW integration validation,
work scalable and effective on real industry designs. the device internal registers are usually not observable. Con-
Outline. The balance of this paper is organized as follows. Sec- formance checking models them using variables with symbolic
tion II introduces the relevant background concepts. Section III values when replaying the recorded driver request sequence on
and Section IV present our approach and three optimizations. the virtual prototype. In this way, symbolic execution covers
Section V reports our experiment results. Section VI discusses all the possible values of internal registers.
related work. Section VII concludes and discusses future work. 2) Conformance denitions: The device interface state is
dened as a set of interface registers with their values and the
II. BACKGROUND device internal state is dened as a set of internal registers with
their values. A virtual prototype state V is modeled as a pair
A. QEMU Virtual Devices VI , VN , where VI is the interface state and VN is the internal
A virtual prototype is the software implementation of a state. A device state S has a same structure: SI , SN , where
hardware peripheral device and is usually integrated into a SI and SN are the device interface and internal states. The
virtual platform, e.g., QEMU virtual machine [4]. In this paper, registers in SN and VN are assigned as symbolic values since
we use QEMU virtual devices as virtual prototype examples; their values are unknown. The values in SI are all concrete
nonetheless, other virtual prototypes have similar structures. while the values in VI can be either symbolic or concrete.
A QEMU virtual device is composed of the device state Denition 1 (Interface state conformance): a device inter-
and device module functions. The device state models the in- face state SI and a virtual prototype interface state VI conform
terface and internal registers of the device. The device module to each other if SI VI where SI is concrete while VI
functions simulate the device functionalities. Figure 1 shows symbolic and is considered as a set of concrete states.
3) Conformance checking framework: As illustrated in 1) The driver builds a descriptor d which contains a
Figure 2, the conformance checking framework has two stages, command c. The driver puts d into the DMA interface
runtime recording and ofine checking. In the runtime record- and updates a special interface register Reg of the
ing stage, the trace recorder records a device trace: a driver device to notify the device that there is a command
request sequence to the device and the device interface state in the DMA interface.
before each driver request is issued. In the ofine checking 2) Once Reg is updated, the device reads the descriptor
stage, the conformance checker symbolically executes the d from the DMA interface and executes the task
virtual prototype by taking the recorded device trace, checks specied by c.
the interface register conformance after processing each driver 3) When the device completes the task, it updates the
request, and reports the interface register inconsistencies. status of d and writes d back to the DMA interface.
It may also update some relevant interface registers.
OS
From this work ow, it can be observed that two aspects of the
'ULYHU
DMA interface are validated: (1) the device implementation of
the DMA interface that handles the DMA inputs; (2) the driver
7UDFH 7UDFH &RQIRUPDQFH ,QFRQVLVW implementation that produces DMA inputs.
5HFRUGHU )LOH &KHFNHU 5HSRUWV
TABLE II: Summary of Devices for Case Studies TABLE III: Summary of Test Cases
Virtual Device Test Cases Description
Devices Basic Description
Size (LoC) Ping Ping another network interface
RealTek rtl8139 3544 RealTek 10/100M Ethernet Adapter Small transfer Transfer a small le with size 2.4 MB
Intel eepro100 2178 Intel 10/100M Ethernet Adapter Large transfer Transfer a large le with size 3.2 GB
Intel e1000 2099 Intel Gigabit Ethernet Adapter
Broadcom bcm5751 4519 Broadcom Gigabit Ethernet Adapter
Our work is related to post-silicon validation, HW/SW This research received nancial support from National Sci-
interface assurance, and DMA validation. Post-silicon vali- ence Foundation (Grant #: 0916968). A patent (No. 8,666,723)
dation is performed on silicon prototypes and test devices. led on this research by Portland State University has been
A signicant amount of research has focused on detecting licensed to Virtual Device Technologies (VDTech) where Fei
and localizing bugs in silicon chips. Several approaches [1], Xie is a partner.
[18], [20] have built hardware on-chip monitors to collect
R EFERENCES
hardware execution traces with internal signals. Assertion-
based verication [5], [10] and formal method [6] have been [1] M. Abramovici, P. Bradley, K. Dwarakanath, P. Levin, G. Memmi, and
D. Miller, A recongurable design-for-debug infrastructure for SoCs,
used to analyze and debug the execution traces from on- in Proc. of DAC, 2006.
chip monitors. Our approach also works on detecting and [2] R. Avinun, Concurrent hardware/software development platforms
troubleshooting post-silicon bugs. Instead of validating internal speed system integration and bring-up, White Paper. [Online].
implementations of silicon hardware, we focus on validating Available: https://www.cadence.com/rl/resources/white papers/system
HW/SW interfaces. dev wp.pdf
[3] D. Becker, R. K. Singh, and S. G. Tell, An engineering environment
There has been a lot of work on HW/SW interface for hardware/software co-simulation, in Proc. of DAC, 1992.
assurance at pre-silicon stage. HW/SW co-verication and [4] F. Bellard, QEMU, a fast and portable dynamic translator, in Proc.
HW/SW co-simulation are two main streams of techniques. In of ATEC, 2005.
HW/SW co-verication, model checking [14], [16], [25], [17] [5] M. Boule, J. Chenard, and Z. Zilic, Adding Debug Enhancements to
Assertion Checkers for Hardware Emulation and Silicon Debug, in
is widely used. It veries properties by analyzing the interface Proc. of ICCD, 2006.
implementation statically; however, it often encounters the
[6] F. M. De Paula, M. Gort, A. J. Hu, S. Wilton, and J. Yang, BackSpace:
state explosion problem. Our co-validation framework con- Formal Analysis for Post-Silicon Debug, in Proc. of FMCAD, 2008.
ducts verication over the execution trace generated at runtime [7] A. Ghosh, M. Bershteyn, R. Casley, C. Chien, A. Jain, M. Lipsie,
which largely avoids the state explosion problem. Research on D. Tarrodaychik, and O. Yamamo, A hardware-software co-simulator
co-simulation [3], [7], [8], [9], [19], [21], [23] typically utilizes for embedded system design and debugging, in ASP-DAC, 1995.
design models of the hardware and does not directly work with [8] R. Gupta, C. Coelho, and G. D. Micheli, Synthesis and simulation of
the implementation of the hardware/software implementation. digital systems containing interacting hardware and software compo-
nents, in Proc. of DAC, 1992.
We are not aware of work closely related to DMA interface [9] A. Hoffmann, T. Kogel, and H. Meyr, A framework for fast hardware-
validation on the device side. Nevertheless, some research on software co-simulation, in Proc. of DATE, 2001.
driver testing/verication [12], [22] validates DMA interfaces [10] A. J. Hu, J. Casas, and J. Yang, Efcient Generation of Monitor
Circuits for GSTE Assertion Graphs, in Proc. of ICCAD, 2003.
from the driver side. A previous work [24] detects malwares
[11] Intel 8255x 10/100 Mbps Ethernet Controller Family Open Source
residing in DMA interface by verifying specic DMA oper- Software Developer Manual, 1st ed., Intel, January 2006.
ation properties. All these methods validate DMA interfaces [12] A. Kadav, M. J. Renzelmann, and M. M. Swift, Fine-grained fault
without considering device behaviors. Our approach is the rst tolerance using device checkpoints, in Proc. of ASPLOS, 2013.
attempt to validate the DMA interface implementations of both [13] J. C. King, Symbolic execution and program testing, Commun. ACM,
hardware and software. vol. 19, pp. 385394, July 1976.
[14] R. P. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigun, Com-
bining software and hardware verication techniques, Formal Methods
in System Design (FMSD), vol. 21, no. 3, pp. 251280, November 2002.
VII. C ONCLUSIONS AND F UTURE W ORK [15] L. Lei, F. Xie, and K. Cong, Post-silicon Conformance Checking with
Virtual Prototypes, in Proc. of DAC, 2013.
We have presented a HW/SW co-validation framework to [16] J. Li, X. Sun, F. Xie, and X. Song, Component-based abstraction and
validating the DMA interface implementations. Our two-staged renement, in Proc. of ICSR, 2008.
checking infrastructure helps detect errors in DMA interface [17] J. Li, F. Xie, T. Ball, V. Levin, and C. McGarvey, Formalizing
implementations of both a device and its device driver. We hardware/software interface specications, in Proc. of ASE, 2011.
discovered many bugs from devices, their virtual prototypes, [18] S.-B. Park and S. Mitra, IFRA: instruction footprint recording and
and their driver. Our validation framework has major potential analysis for post-silicon bug localization in processors, in DAC, 2008.
in addressing the key challenges of HW/SW integration vali- [19] C. Passerone, L. Lavagno, M. Chiodo, and A. L. Sangiovanni-
Vincentelli, Fast hardware/software co-simulation for virtual prototyp-
dation. First, the framework records and validates the DMA ing and trade-off analysis, in Proc. of DAC, 1997.
interface state; thus the errors in the DMA interface are
[20] S. Ray and W. A. Hunt, Jr., Connecting Pre-silicon and Post-silicon
detected effectively. Second, the framework identies both the Verication, in Proc. of FMCAD, 2009.
device and driver errors over the DMA interface thereby it can [21] J. A. Rowson, Hardware/software co-simulation, in DAC, 1994.
easily attribute device/driver interface bugs as device or driver [22] L. Ryzhyk, J. Keys, B. Mirla, A. Raghunath, M. Vij, and G. Heiser,
bugs. Finally, our framework only requires minimum manual Improved device driver reliability through hardware verication reuse,
efforts, which signicantly saves validation human efforts. in Proc. of ASPLOS 2011.
[23] L. Semeria and A. Ghosh, Methodology for hardware/software co-
Our future work will explore the following directions: (1) verication in C/C++, in Proc. of ASP-DAC, 2000.
extending property checking to validate both DMA driver [24] P. Stewin, J.-P. Seifert, and C. Mulliner, Poster: Towards detecting
inputs and driver requests updating interface registers; (2) DMA malware, in Proc. of CCS, 2011.
adapting our framework to be an on-line monitoring approach, [25] F. Xie, G. Yang, and X. Song, Component-based hardware/software
instead of the ofine checking approach that we have so far. co-verication for building trustworthy embedded systems, JSS, 2007.