- The paper introduces a novel abstract interpretation technique that distinctly classifies cache hits, misses, and uncertain cases.
- It refines analysis by computing minimal and maximal ages for hit/miss decisions, thereby reducing false alarms in WCET and security assessments.
- Model checking is applied post-interpretation to resolve remaining uncertainties, enhancing overall precision and efficiency.
Efficient Exact Cache Analysis through Uncertainty Reduction
This paper, authored by Valentin Touzeau, Claire Maïza, David Monniaux, and Jan Reineke, addresses the problem of improving the precision of static cache analysis for programs. Static cache analysis is essential to tasks such as worst-case execution time (WCET) analysis and side-channel attack quantification. The key challenge lies in correctly classifying memory accesses into cache hits, cache misses, and cases the analysis cannot decide ("unknowns"). Traditional methods often produce coarse classifications, leading to overestimated WCETs and numerous false alarms in security analysis.
Contributions
The paper makes two main contributions:
- Novel Abstract Interpretation Technique:
  - This technique improves certainty around cache behavior by ascertaining definitive cases where an instruction results in a cache hit or miss.
  - It introduces an abstract interpretation that determines minimal ages for "hit" classifications and maximal ages for "miss" classifications.
- Exact Analysis via Model Checking:
  - The exact analysis reduces any remaining uncertainty post-abstract interpretation.
  - Model checking techniques are used to perform exact classifications, leveraging the results of the novel abstract interpretation for improved scalability.
Methodology
Static cache analysis typically involves "may" and "must" analyses that classify memory accesses into "always hit", "always miss", or "unknown". The unknown category often stems from the limitations in precision of the classical analyses. The novel approach presented addresses this by refining the unknown classifications into:
- ∃Hit: There exists a path on which the instruction hits the cache.
- ∃Miss: There exists a path on which the instruction misses the cache.
- ∃Hit ∧ ∃Miss: There exist both a hit path and a miss path; this case is termed "definitely unknown".
The innovation here is two-fold. First, the analysis identifies when an instruction can definitely cause both hits and misses, which yields the "definitely unknown" classification. Second, model checking is used to definitively resolve all remaining uncertainties, dramatically improving precision.
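The refinement of "unknown" described above, as an added example that is not taken from the paper or its tooling: classical must/may age-bound analyses are run over a small control-flow graph and compared with the exact verdict per access. It assumes a single fully associative LRU set with K = 2, an initially empty cache, a constructed graph in which every path is feasible, and plain enumeration of reachable cache states as a stand-in for the paper's model-checking phase; all names are hypothetical.

```python
K = 2  # associativity of the single LRU cache set modelled (assumed)
# Constructed CFG: node -> (block accessed, successors). Cache starts empty.
CFG = {"n0": ("d", ["n1", "n3"]), "n1": ("a", ["n2"]), "n2": ("b", ["n5"]),
       "n3": ("c", ["n4"]), "n4": ("a", ["n5"]), "n5": ("b", ["n6", "n7"]),
       "n6": ("a", []), "n7": ("c", [])}

def fixpoint(init, join, step):
    """State reaching each node before its access (None = unreachable)."""
    state = {**dict.fromkeys(CFG), "n0": init}
    changed = True
    while changed:
        changed = False
        for node, (blk, succs) in CFG.items():
            if state[node] is None:
                continue
            out = step(state[node], blk)
            for s in succs:
                new = out if state[s] is None else join(state[s], out)
                if new != state[s]:
                    state[s], changed = new, True
    return state

def age_update(ages, blk, strict):
    """LRU transfer on age bounds: must ages bounds < h, may ages bounds <= h."""
    h = ages.get(blk, K)  # bound K means the block is not tracked
    new = {b: a + ((a < h) if strict else (a <= h)) for b, a in ages.items() if b != blk}
    return {blk: 0, **{b: a for b, a in new.items() if a < K}}

def lru_step(states, blk):
    """Concrete LRU update applied to every reachable cache state."""
    return frozenset(((blk,) + tuple(b for b in s if b != blk))[:K] for s in states)

def classify():
    # Must: upper bounds on age; the join keeps common blocks, larger bound.
    must = fixpoint({}, lambda x, y: {b: max(x[b], y[b]) for b in x.keys() & y.keys()},
                    lambda s, b: age_update(s, b, True))
    # May: lower bounds on age; the join keeps every block, smaller bound.
    may = fixpoint({}, lambda x, y: {b: min(x.get(b, K), y.get(b, K)) for b in x.keys() | y.keys()},
                   lambda s, b: age_update(s, b, False))
    conc = fixpoint(frozenset({()}), frozenset.union, lru_step)  # exact reference
    result = {}
    for node, (blk, _) in CFG.items():
        classical = ("always hit" if blk in must[node] else
                     "always miss" if blk not in may[node] else "unknown")
        hits = {blk in s for s in conc[node]}  # {True}, {False} or both
        exact = ("definitely unknown" if len(hits) == 2 else
                 "always hit" if True in hits else "always miss")
        result[node] = (classical, exact)
    return result
```

`classify()` returns, per node, the pair (classical verdict, exact verdict). On this graph n5, n6 and n7 are all "unknown" classically and resolve to definitely unknown, always hit and always miss respectively.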
Experimental Evaluation
Empirical evaluation was conducted using the TACLeBench suite, focusing on measuring the improvements in precision and the associated computational costs. The notable results include:
- Precision Gains: The proportion of accesses classified as "always hit" or "always miss" increased significantly, with model checking refining numerous initially unknown classifications.
- Efficiency: The novel abstract interpretation successfully reduced the number of model-checking calls, leading to substantial speedups in total analysis time.
Theoretical and Practical Implications
Theoretically, this method provides a nearly optimal classification of cache behavior, assuming that all control paths are feasible. Practically, this has crucial implications:
- WCET Analysis: More precise cache analysis yields tighter WCET bounds, which are critical in hard real-time systems.
- Security: Reduces false positives in detecting potential side-channel attacks, allowing more reliable security assessments.
Future Directions
Several avenues for future research emerge:
- Integrating Program Semantics: Refining models to consider the feasibility of control paths based on program semantics can further improve precision.
- Application to Other Replacement Policies: Extending the approach to cache replacement policies beyond LRU, such as PLRU or FIFO.
- Enhanced WCET Tools: Integrating with state-of-the-art WCET analysis tools to evaluate the end-to-end improvements in both precision and analysis time.
This paper substantially improves static cache analysis methods, establishing a more refined framework that employs both abstract interpretation and model checking, paving the way for advancements in both performance analysis and security verification of real-time systems.