0 Verifying reliability properties using the Hyperball ...

0

Verifying reliability properties using the Hyperball abstract domain

JACOB LIDMAN and SALLY A. MCKEE, Chalmers University of Technology

Modern systems are increasingly susceptible to soft errors that manifest themselves as bit flips and possiblyalter the semantics of an application. We would like to measure the quality degradation on semantics dueto such bit flips, and thus we introduce a Hyperball abstract domain that allows us to determine the worst-case distance between expected and actual results. Similar to intervals, hyperballs describe a connected anddense space. The semantics of low-level code in the presence of bit flips is hard to accurately describe in sucha space. We therefore combine the Hyperball domain with an existing affine system abstract domain thatwe extend to handle bit flips, which are introduce as disjunctions. Bit-flips can reduce the precision of ouranalysis and we therefor introduce the Scale domain as a disjunctive refinement to minimize precision loss.This domain bounds the number of disjunctive elements by quantifying the over-approximation of differentpartitions and uses submodular optimization to find a good partitioning (within a bound of optimal). Weevaluate these domains to show benefits and potential problems. For the application we examine here,adding the Scale domain to the Hyperball abstraction improves accuracy by up to two orders of magnitude.Our initial results demonstrate the feasibility of this approach, although we would like to further improveexecution efficiency.

CCS Concepts: rTheory of computation → Program analysis; Abstraction; rComputer systems or-ganization→ Reliability; Embedded software;

General Terms: Algorithms, Performance, Reliability, Theory

Additional Key Words and Phrases: Reliability Analysis, Abstract Interpretation, Numerical Abstraction,Disjunctive Refinement

ACM Reference Format:Jacob Lidman and Sally A. McKee, 2017. Verifying reliability properties using the Hyperball abstract do-main. ACM Trans. Program. Lang. Syst. 0, 0, Article 0 ( 0), 28 pages.DOI: 0000001.0000001

1. INTRODUCTIONReliability has become a first-order constraint in designing and deploying comput-ing systems. Smaller transistors running at lower voltages increase the probabilityof switches or storage elements flipping due to thermal and voltage variations or ra-diation, all of which increase the occurrence of soft errors. For instance, experiencewith the ASCI Q supercomputer revealed that the machine encountered more single-node failures than anticipated, and these were likely due to “cosmic-ray-induced neu-trons” [Michalak et al. 2005]. Data from subsequent neutron beam testing coincidedwith the field data: experiments showed 22.6 node failures per week, whereas thefield data showed 27.7 failures per week. Soft errors are often handled by introducingredundancy, but the cost of using checkpointing, redundant execution, or some combi-nation thereof can be high. Thus it is valuable to know just how resilient a program isto bit flips.

Such vulnerability analyses are often performed by fault injection, where a bit isflipped at a random position in a randomly selected instruction, and the executionoutput is noted and/or a quality metric is tracked. When performed repeatedly, these

Author’s addresses: J. Lidman and S. A. McKee, Department of Computer Science and Engineering,Chalmers University of Technology, Gothenburg, Sweden.Permission to make digital or hard copies of part or all of this work for personal or classroom use is grantedwithout fee provided that copies are not made or distributed for profit or commercial advantage and thatcopies bear this notice and the full citation on the first page. Copyrights for third-party components of thiswork must be honored. For all other uses, contact the owner/author(s).c© 0 Copyright held by the owner/author(s). 0164-0925/0/-ART0 $15.00DOI: 0000001.0000001

ACM Transactions on Programming Languages and Systems, Vol. 0, No. 0, Article 0, Publication date: 0.

0:2 Lidman et al.

analyses provide statistics on software failure modes. Designers and users need (worst-case) measures describing the impact of these failures, but such measures are hard toderive via statistical sampling.

On the other hand, static program analysis holds promise for deriving more rigor-ous bounds. Static analysis has long been used in the Programming Languages com-munity to compute conservative answers for complex/undecidable dynamic properties.Abstract interpretation is a static analysis framework for relating sound results be-tween a semantic domain (the concrete domain) and an approximation (the abstractdomain) with respect to a class of properties. The soundness of this approach makesusing abstractions interesting when evaluating safety-critical properties. More expres-sive abstract domains make it possible to compute more complex properties, but oftenat considerable cost. At one extreme, computing abstract properties can be intractable.At the other extreme, the result of an analysis might be inconclusive because the com-puted abstract properties are too weak to determine whether a specification is sat-isfied. Successful analysis requires finding the right balance between expressivenessand tractability. We elaborate on abstract domains related to our problem/approach inSection 2.

For our concrete domain we use the semantics of an embedded MIPS system alteredaccording to a set of fault assumptions. These assumptions are expressed in a faultmodel that can be categorized according to the number of faults encountered in anexecution. In this work we restrict ourselves to models with a finite number of faults(as opposed to probabilistic fault models); such models are commonly used in practice.We discuss analyses related to reliability in Section 2.

Our contributions include defining three abstract domains and evaluating them inrelation to software resilience:

(1) The k-fault domain (Section 4.1) extends the King-Søndergaard (KS) domain [El-der et al. 2014] for abstracting low-level semantics with a finite number of bit flips(k).

(2) The Hyperball domain (Section 4.2) lets us quantify the quality degradation fromthe impact of bit flips. We show how it can be combined in a reduced product withthe k-fault domain to yield a stronger analysis.

(3) The Scale domain (Section 4.3) introduces a parameterized disjunctive domain.We show how it uses Sotin’s idea of measures of abstract elements [Sotin 2010] tominimize degradation in analysis precision due to disjunctions.

We first evaluate the Scale domain to understand tractability/expressiveness trade-offs. To understand these trade-offs for the complete approach, we then evaluate amin-n kernel (for n ∈ [1, 8]) running in an fault-susceptible environment on our RISCmodel. Finally, we demonstrate the feasibility of our approach by evaluating the qual-ity degradation of sorting networks in the same environment and how a recently pro-posed transformation of linear feedback shift registers performs under a common at-tacker model.

2. RELATED WORKWe first discuss reliability analyses that do not employ abstract interpretation. Wethen elaborate on abstract domains and their intrinsic trade-offs, focusing particularlyon domains for low-level semantics and disjunctive domain refinements.

Analyzing/verifying reliability properties has always been important for applica-tions that work in extreme environments like outer space. Demonstrating that safety-critical applications satisfy their specifications (given a semantics) is crucial for suchdomains. Whether or not it is possible to have a well defined semantics in extremeenvironments is not always obvious. As noted, simulation and statistical sampling


Verifying reliability properties using the Hyperball abstract domain 0:3

via fault injection (which are commonly used in analyzing fault susceptibility) mayrequire excessively many samples to reach justifiable conclusions. Guan et al. [Guanet al. 2015] show that to achieve a 99.8% confidence interval, a Mergesort kernel wouldneed 1,513,603 fault injections to reach a margin of error of 0.1%. For this reason Wanget al.[Wang et al. 2015] propose a method based on the Probabilistic Transfer Matrixframework [Krishnaswamy et al. 2005]. They compare their approach to fault injec-tion on six kernels and show a best-case speedup of 27000× (i.e., 4.4 seconds versus33.3 hours) and a 25000x average speedup. Neither of these approaches provides aworst-cast estimate of fault impact, though.

In contrast, Faulty Logic [Meola and Walker 2010] can be used to validate an ap-plication’s correctness in the presence of a bounded number of faults, but it does notallow any notion of quality to be associated to the results. Some applications associatea quality metric (as opposed to a binary discriminant) with their output. With a proba-bilistic semantics, we can optimize the cost of reliable execution subject to a reliabilitythreshold [Lidman et al. 2014] or a quality threshold [Misailovic et al. 2014]. Sta-tistical measures such as mean squared error (MSE) or application-specific measureslike peak-signal-to-noise ratio (PSNR) for image processing applications are commonlyused as quality metrics. The latter often depend on statistical error measures. MSE is

defined in terms of the l2-norm√∑(

Y − Y)2

, where Y is the expected output, and

Y is the actual output. Note the definition’s resemblance to a hypersphere. We limitour study to quality metrics that conform to this geometric shape. In approximatingthe faulty semantics, we may need to represent multiple possible quality degradations(i.e., hyperspheres), and so we rely on a hyperball to contain all of these. Section 4.2presents this Hyperball abstraction that quantifies worst-case quality value.

Abstractions can be categorized according to the class of properties they describe.On a coarse granularity, we can group properties as numerical and non-numerical.Numerical abstractions approximate the powerset of some (vector of a) numerical setS (e.g., Rn,Nn,Zn2W ). Relational abstractions approximate relations between symbols ofsome vocabulary V . Abstractions that approximate state transformers (i.e., S → S), asopposed to states (S), use a vocabulary V = X ′ ∪ X, where X ′ are symbols in thepost-state and X are symbols in the pre-state. Possible numerical abstractions in-clude intervals (e.g., {⊥} ∪ {[a, b] |a ≤ b}) [Cousot and Cousot 1977], disjunctive hy-percubes (e.g.,

∨i

⊗j [ci,j − wi, ci,j + wi]) [Costantini et al. 2013], convex polyhedra

(e.g., {∧m−1i=0 ai~x ≤ b |m ∈ N}) [Cousot and Halbwachs 1978], affine expressions (e.g.,∑

i aixi = bi) [Karr 1976], affine congruence systems (e.g.,∧i

∑j ai,jxj ≡Z2W

bi) [Elderet al. 2014; Sharma et al. 2013], octahedra (e.g., {

∧m−1i=0 ai~x ≤ b

∣∣m = 3|~x| }) [Claris andCortadella 2004] and ellipsoid (

∑i(xi−ci)2

a2i≤ r2) [Roux et al. 2012]. The problem of ex-

pressiveness/tractability mentioned in Section 1 can be made more concrete with thesedomains. Any interval, octahedron, or affine expression can be considered a templatepolyhedron [Sankaranarayanan et al. 2005], e.g., a polyhedron with a priori fixed direc-tions. Looking at tractability, an analysis using a template polyhedron is often fasterthan one using any polyhedra but slower than one using intervals. Since spheres andballs have no faces, they can only be approximated by a polyhedra (or any of its specialcases). It is important to consider the functions that generate the states and the shapeof the assertions in the specification when deciding on an approximation[Amato et al.2010]. An analysis in a more expressive abstract domain does not neccesarily yieldmore accurate results [Sharma et al. 2014]. More specifically, an analysis iterativelybuilds an approximation of the collecting semantics. Each iteration generalizes (viajoins/meets or widening/narrowing) local information until a fixed point is reached


0:4 Lidman et al.

where all concrete elements have been accounted for. Performing the generalizationstep in a more expressive domain allows for more possible transitions towards a fixedpoint and is more sensitive to the parameters that control the analyzer (e.g., wideningstrategy). For this reason, Sharma et al. [Sharma et al. 2014] recommend starting withthe most imprecise abstraction and gradually increasing the expressiveness. Balls (andspheres) form a special case of ellipsoids, and hence the ellipsoid domain could expressthe invariants we consider. However, considering the high computational complexityof the ellipsoid lattice operations1 and the challenges of increased expressiveness, weleave it to future work to compare the Hyperball with the Ellipsoid abstractions (andthe Polyhedron abstraction). In this initial work we focus on the complete approach ofusing abstract interpretation to prove reliability properties rather than on optimizingspecific parts of this approach.

To approximate machine states in contemporary systems, we need the underlyingnumerical set to be Z2W (for some W ∈ N). Elder et al. [Elder et al. 2014] use affinecongruence systems to approximate state transformers over this set. Section 3 brieflyreview some definitions from this domain that we use in our extension of it. We usethat extension, the k-fault domain (in Section 4.1), to approximate the semantics afterk faults to a set of instructions.

Domains often lose precision due to disjunctions. Disjunctive refinements can be usedto extend a base domain to cope with loss of precision. One class of such approachesis to duplicate code, unrolling loops or otherwise extending the set of locations thatidentify properties. Another class uses a bounded number of disjunctions. Particularoptimizations (e.g., region sharing or efficient data structure encodings) may be appli-cable in the context of some base domains, such as the boxes domain [Gurfinkel andChaki 2010] for intervals or the disjunctive hypercube domain. More generally, we cancreate refinements that extend a larger set of (sometimes arbitrary) base domains, e.g.,the finite powerset construction domain [Bagnara 1998] (if the base domain is finite),the trace partitioning domain [Mauborgne and Rival 2005], or the segmented decisiontree domain [Cousot et al. 2010]. Finite powersets can become unreasonably large,however, which can make an analysis intractable. The latter two domains require usto specify a mechanism by which to discriminate regions (i.e., to identify differencesbetween elements or to differentiate regions based on an expression), which can bedifficult to do a priori in our case, as the consequence of faults is hard to predict. OurScale domain in Section 4.3 does not identify regions but instead relies on a notion ofmeasure between domain elements to differentiate them.

3. BACKGROUNDThis section clarifies our notation and recalls definitions from the KS domain as well asquality metrics and basic fault models that are central to understanding the approachwe present in Section 4.

3.1. NotationWe use Z2W , for someW ∈ N, to denote the congruence domain {0, ..., 2W }. In designingan arithmetic for this domain, we note that it contains zero-divisors (i.e., an elementthat does not have a multiplicative inverse s.t. x×x−1 = 1 but instead satisfies x×x−1 =0), and hence this domain cannot be embedded in a field (as opposed to R, for instance).Let A be a m × n matrix, x a n × 1 matrix, and b a m × 1 matrix. Then we denote the

1These operations are defined as semi-define programming operations, which are intractable, in general



affine system by the augmented matrix [A|b]:

A =

[a00 a01 ...a10 a11 ......

]x = [ 1 x0 x1 ... ]

T

b = [ b0 b1 b2 ... ]T

⇒ [A|b] =

{a00 + a01x0 + ... = b1a10 + a11x0 + ... = b2...

More specifically, we refer to an affine system over Z2W as an affine congruence sys-tem. Affine (congruence) systems admit a normal form. For Z2W , this form is referredto as Howell normal form [Elder et al. 2014]. Hence the affine envelope2 of any set ofpoints in Z2W is a unique affine (congruence) system. Geometrically, the set of pointsthat satisfies an affine (congruence) system describes an intersection of hyperplanes(i.e.,

⋂m−1i=0

{~x|ai,0 +

∑n−1j=1 Ai,jxj = bj

}). Furthermore, we can compute the intersection

of two affine congruence systems using an algorithm similar to Gauss-Jordan elimina-tion [Elder et al. 2014].

3.2. Approximating machine semanticsContemporary computer systems operate on discrete domains where registers holdvalues in Z2W (i.e., bit vectors) with the corresponding arithmetic defined in terms ofBoolean algebra. An assignment of all registers is called a state. We denote the set ofstates by S and consider a program P as a control-flow graph in which nodes repre-sent blocks that hold a sequence of instructions. An instruction is a bit-vector functionthat relates a priori defined, pre-state variables (V ) to the corresponding post-statevariables (V ′). The semantics of a program is, by hypothesis, given by a transition sys-tem T = 〈S,→〉, i.e., a relation between (pre and post) states. Similarly, the semanticsof an individual instruction I ∈ P is [[I]] ⊆ S → S (and by extension the semanticsof a block) is the composition of the semantics of its instructions. Although general,our model ignores many components of computer systems. In this first study we keepthe model simple to focus on the approximation itself. The complexity of the computersystem has implications for the masking of faults, and a simpler model has fewer pos-sible locations where faults can occur. Here we study implications of faults that occurin the output of execution units, and we leave other fault locations (e.g., control-flow,memory) for future work. We return to this issue in Section 7.

The KS abstraction [Elder et al. 2014] is an numerical abstraction that approxi-mates the semantics of an instruction (or block of instructions) by an affine congru-ence system in Z2W . The concretization of [A|b] is defined as the set of states x thatsatisfies the affine system. Similarly, the abstraction function converts an instruc-tion into an SMT expression3, and the satisfying models are iteratively joined to anaffine congruence system. The abstract domain of the KS abstraction is a completelattice of height 2W |V ∪ V ′| + 1 where ⊥ = [0|1] and > = [0|0] [Elder et al. 2014].The Howell normal form of affine systems can be ordered: the set of points satisfy-ing a system A is contained in a system B if the intersection of A & B is equal toA (i.e., [A1|b1] ≤ [A2|b2] ⇔ [A1|b1] = [A2|b2] ∧ [A1|b1]) and is closed under meet (i.e.,intersection for numerical abstraction) but not join (where the KS-domain uses over-approximation).

2The affine envelope or affine hull of a set of points X is the smallest affine set that contains X.3Satisfiability Modulo Theory, such as that of bit vectors, provides a generalization for the SAT problem infirst-order logic.


0:6 Lidman et al.

s = 0x7 ;for ( ; ; )

s = ( ( s << 1) & 0x7 ) ˆ( ( s >> 2) & 0x1 ) ˆ( ( s >> 1) & 0x1 ) ;

f0 f1 f2s = 0x7 s =((s� 1) & 0x7)⊕

((s� 2) & 0x1)⊕((s� 1) & 0x1)

Fig. 1. Source (left) and flowchart (right) of a LFSR from Saraf et al.[Saraf and Bazargan 2015]

111

011001

100

010

101110

000

f0 =>f1 =ρv′,v(πv′ (f0 ∧ [[s = 7]]))

f2 =ρv′,v(πv′ (f1))∨

ρv′,v(πv′ (f2 ∧ [[s = ((s� 1) & 0x7)⊕ ((s� 2) & 0x1)⊕ ((s� 1) & 0x1)]]))

Fig. 2. Semantics of LFSR flow-chart as a transition diagram (left) and recursive equations (right)

King et al. [King and Søndergaard 2008] define an analysis that iteratively buildsan affine congruence system for all blocks in a program in a bottom-up approach. Theanalysis starts from the bottom element on each node but the entry node, which in-stead is assigned an affine over-approximation of a given set of input states (e.g., the> element for all input states). Nodes are visited as the solution to any of their prede-cessors is updated. When visiting a node an SMT solver is used to extract models thatsatisfies their instructions and has an pre-state (from a predecessor) that has not beenadded to the solution of the node. The analysis terminates when no more nodes can beupdated. The analysis uses πv′ to project a function on a subset of variables and ρv′,vto rename variables. We illustrate the functionality of these operators on boolean func-tions rather than affine systems for simplicity. If we let f = (x0 ↔ x′1)∧ (x′1 ↔ x1), thenπ{x0,x1}(f) = x1 ↔ x2 and ρ{x′0},{x0}(f) = (x′0 ↔ x′1)∧ (x′1 ↔ x1). Together they are usedto propagate contributions (i.e., satisfying models) from predecessor blocks. We use�(x) to describe this functionality and later simplify notation. IfG = 〈B,E〉 , E ⊆ B×Bis a flowchart where edges represent constraints on the semantics of each block, then�(x) =

∨e=〈x′,x〉∈E ρv,v′(πv′(�(x′) ∧ [[e]])).

Compared to an analysis that abstracts each block independently and then computesthe global meet or join, this analysis is faster and more precise when few input vectorsare used [King and Søndergaard 2008]. This is the case in our approach, which oftenstarts from a concrete state and over-approximates the non-deterministic semanticsdue to bit-flips.

To exemplify the analysis we consider the linear feedback shift register (LFSR) inFigure 1 (left). LFSRs are a basic primitive in many stream ciphers. Some of practicalimportance include A5/1 for GSM communication and E0 for bluetooth communication.The LFSR is a linear state machine4 with a single input and output bit from an n-bitshift register that is shifted one bit at each step. The input is formed by an exclusiveor of a subset of the state bits. The state bits belonging to this subset are called “taps”.The transition diagram of Figure 1 (left) is shown in Figure 2 (left). Given a program,we create a flow chart representation such as in Figure 1 (right). Equivalently, we canrepresent the flow-chart by the recursive system in Function 2 (right).

4A state machine with a linear state update function, i.e. xn+1 = Axn where A is a transition matrix andxn+1 and xn are the next and current state, respectively



Table I. Analysis of LFSRIteration Block Input Additional models Output1 f0 [0|0] - [0|0]

2 f1 [0|1] {s′ = 〈1, 1, 1〉}

100000 1010000 1001000 1

3 f2 [0|1] {s′ = 〈1, 1, 0〉 , s = 〈1, 1, 1〉}

100000 1010000 1001000 0000100 1000010 1000001 1

4 f2

100000 1010000 1001000 0000100 1000010 1000001 1

{s′ = 〈1, 0, 0〉 , s = 〈1, 1, 0〉}

100000 1010001 0001000 0000100 1000010 1

5 f2

100000 1010001 0001000 0000100 1000010 1

{s′ = 〈0, 1, 1〉 , s = 〈1, 0, 1〉}{s′ = 〈0, 0, 1〉 , s = 〈1, 0, 0〉}

100010 0010001 0001010 1000100 1

6 f2

100010 0010001 0001010 1000100 1

{s′ = 〈1, 1, 1〉 , s = 〈0, 1, 1〉}{s′ = 〈0, 1, 0〉 , s = 〈0, 0, 1〉}{s′ = 〈1, 0, 1〉 , s = 〈0, 1, 0〉}

100010 0010001 0001110 0

We consider an analysis to approximate the least upper bound of the semantics ofthe LFSR from an arbitrary input state. In the current example we use the state wheres = 7. We initialize the analysis with f0 = >, f1 = ⊥ and f2 = ⊥. The results computedby each iteration of the analysis are shown in Table I.

(1) The entry node f0 is visited in the first iteration. Since the node does not have anypredecessors, no new models are added, and the input and output affine congruencesystems are hence the same.

(2) The second iteration visits node f1 (being the successor to f0). The block of thisnode assigns a constant (7) to the variable s, and the corresponding model (s′ = 7)is not part of the input affine congruence system (⊥). The result for f1 is henceupdated to ⊥ ∨ [s′ = 7]⇔ (s′[2] = 1) ∧ (s′[1] = 1) ∧ (s′[0] = 1).

(3) The third iteration visits node f2 and adds the model from f1, where s is 7 in theinput state and s is 6 in the output state. The resulting system [A|b] has an identitymatrix, since A and b = 〈1, 1, 0, 1, 1, 1〉.

(4) Node f2 is contained in a self loop, and so any post state should be a possible prestate. The previous iteration added a post state where s is 6, which is not a prestate. The model (s = 6) ∧ (s′ = 4) is added, and the resulting system includes theaffine equation s′[1]⊕ s[0] = 0⇔ s′[1] = s[0], which is an over-approximation of themodels added so far.

(5) Because of the equation s′[1] = s[0] the forth iteration adds two new models, onewhere s′[1] = s[0] = 0 and one where s′[1] = s[0] = 1. The resulting system is againan over approximation of the added models and includes the equations s′[2]⊕s[1] =0⇔ s′[2] = s[1] and s′[0]⊕ s[1] = 0⇔ s′[0] = s[1].

(6) The final iteration adds three models, and the final system is:{s′[2] = s[1]s′[1] = s[0]s′[0] = s[2]⊕ s[1]


0:8 Lidman et al.

3.3. Fault modelsA fault model describes how and when faults affect the semantics of an operation. Thelocation where a fault can occur is often called the fault site. In this work we onlyconsider fault models in which the number of faults are bounded. Common examplesinclude Single Event Upset (SEU), Single Word Corruption (SWC), Multiple Event Up-set (MEU) models [Meola and Walker 2010]. The SEU model flips one bit per run in aarbitrarily selected register5. The SWC model extends this to an arbitrary change in asingle word (i.e., multiple bits). The MEU model extends the SEU model to allow mul-tiple bit flips (still bounded), but, in contrast to the SWC model, at possibly differentlocations. The domains we present in Section 4 could be used with any of the abovefault models. We use the SEU fault model in our evaluations in Section 5 because it ismore commonly used than the others.

3.4. Quality measuresFaulty transitions do not necessarily cause incorrect program behavior, since the faultmay be masked (e.g., a bit-flip occurring in unused memory). A quality measure quan-tifies the severity of a faulty transition. Application-specific quality measures weightvarious aspects of the output data. The aim of this section is to briefly present somewell known quality measures that can be related to (euclidean) hyperballs and thuscan be verified by our framework. We also give an example showing how perceivedquality degradation corresponds to increased radius of the hyperball. We extend thisdiscussion in Section 7 and consider a more general class of quality measures — shapedas hyperballs — in which distance is induced from a Minkowski norm (i.e., lp-normsfor 1 ≤ p <∞).

— Root Mean Square Error (RMSE) measures the difference between observed andpredicted value. It is commonly used as a performance measure in statistics/ma-chine learning where it quantifies accuracy of a regression model. RMSE retainsthe unit of the dependent variable of the predictor (in contrast to SNR discussedbelow). As such, an appropriate thresholds for RMSE is highly application depen-dent. RMSE of two vectors of length N , y the predicted value and y observed value,

is given by√

1N

∑Ni=1 (yi − yi)

2. RMSE is hence the radius of a euclidean hyperballcentered at observed values y.

— Peak Signal to Noise Ratio (PSNR) measures the maximal possible value relativeto the mean squared error (i.e., squared RMSE). PSNR is used as a error measurein image processing, in particularly image compression and reconstruction but lessso in image enhancement and compute graphics where subjective quality measures(e.g., structural similarity index) are employed since PSNR disregard assumed prop-erties of human visual perception. Given two vectors, y and y, of length N denotingthe corrupted and correct values over a domain where the maximal value is MAX,(logarithmic) PSNR is defined as PSNR = 20log

(MAX2

MSE

)where MSE is the mean

squared error 1N

∑Ni=1 (yi − yi)

2. A PSNR of 20dB is considered acceptable. Figure 3show an example where 20-10dB noise have been added to a common test image.Note that 102log(MAX)−0.1PSNR is a radius of a euclidean hyperball centered at thecorrect value y. As the images in Figure 3 have a depth of 24-bits 20-10dB noisecorresponds to hyperballs with radii 2.815× 1012 − 2.815× 1013.

— Signal-to-Noise Ratio (SNR) measures the signal strength relative to the amountof noise. SNR is used in audio and image processing to measure detectability of an

5In practice, researchers tend to select the bit randomly, often based on a uniform distribution.



object relative to background noise, e.g. Rose criterion in medical imaging whereSNR ≥ 5 is required for reliable detection of object. The SNR of a vector ~x of lengthN is defined as SNRx = µx

σxwhere µx = 1

N

∑Ni=1 xi and σx =

√1

N−1∑Ni=1(xi − µx)2

is the mean and standard deviation of ~x respectively. The evaluation in Section 5.4presents an application where SNR is computed using two analyzes using the Hy-perball abstraction.

Fig. 3. Original image (left), Noisy image with PSNR 20 dB (middle left), Noisy image with PSNR 15 dB(middle right), Noisy image with PSNR 10 dB (right)

In the approach and evaluation sections we will abstract away the details of thequality measure and only consider the hyperballs, in particular the radius.

4. APPROACHWe are interested in understanding how results degrade due to flipped bits. For thispurpose, we present a framework composed of two new domains and an extension.The extension to the KS domain (Section 4.1) allows us to find a representation ofthe semantics (i.e., the state transformer), assuming a bounded number of bit flips.The Hyperball abstraction (Section 4.2) describes the maximum distance between theexpected and actual results, i.e., the quality degradation. This abstraction is ratherweak in itself, and so we introduce a reduced product to transport invariants from thek-fault domain to strengthen the hyperball. As mentioned in Section 2, introducing bitflips as disjunctions can reduce precision. To minimize the impact of such disjunctions,we introduce the Scale domain (Section 4.3).

Our framework use the Scale domain over a reduced product of the k-fault domainand the Hyperball domain. Although this framework may appear complex, it is definedin terms of standard concepts (e.g., reduced products) in the abstract interpretation lit-erature. To keep the presentation manageable and not introduce unnecessary detailsthat have been presented elsewhere, we instead refer the reader to Nielson et al. [Niel-son et al. 1999] for information on reduced products, Sharma et al. [Sharma et al. 2013]for information on the quasi-reduced products, and King et al. [King and Søndergaard2008] for information and pseudo-code of the modified fixed-point iterator used in ourapproach and illustrated with an example in Section 3.2.

4.1. k-Fault domainWe extend the KS domain to quantify the semantics after k faults. To describe faultsites, we assume F maps locations l to a set of pairs 〈v, i〉 where v is a symbol and i is abit in v describing where faults can occur. Elements in our domain are vectors of k + 1affine congruence systems. The jth vector element (j ∈ [0, k]) denotes the semanticsafter j faults. The operations and our analysis method are defined in terms of the


0:10 Lidman et al.

ALGORITHM 1: Flip(xi, [A|bi]) = [A|bo]Input: xi

Input: A~x ≡Z2 biOutput: A~x ≡Z2 bo

1 foreach Row rj = 〈a0, . . .〉 ∈ A do2 if ai 6= 0 then3 bo [j] = 1− bi [j];4 else5 bo [j] = bi [j];

Example 4.1. Applying Algorithm 1 toflip x2 of [A|bi] gives [A|bo] where:

x = 〈x3, x2, x1, x0〉

A =

[1 0 1 00 1 0 1

]bi = [ 0 0 ]T

bo = [ 0 1 ]T

Note that:

γKS([A|bi]) = {〈0000〉 , 〈1010〉 , 〈1111〉 , 〈0101〉}γKS([A|bo]) = {〈0100〉 , 〈1110〉 , 〈1011〉 , 〈0001〉}

corresponding operations in the KS domain. We use the subscript KS to indicate thatwe mean an operation in the KS domain, e.g., ∧KS for the ∧ operator in the KS domain.

4.1.1. Abstraction operations. The operations of the k-fault domain are point-wise exten-sions of those used in the KS domain with the exception of the abstraction function (α)and the concretization function (γ). The concretization function is defined as the unionof the concrete state transformers of each component, i.e. the set of all possible trans-formers after at most k fault. The result from the abstraction function of an instructionx at location l is a vector where the first component is defined by the abstraction func-tion of the KS domain. If s is fault free (i.e., F (l) = ∅) the remaining k componentsrepresent the emptyset (i.e., ⊥KS) as no faulty transformation exist in this case. If sis not fault free we use Algorithm 1 to inject faults. The algorithm flips a specifiedbit in each concrete state transformer by operating on their corresponding abstractelement. Example 4.1 illustrates its operation on a simple, four-bit example. Specifi-cally, A~x ≡Z2

bi and A~x ≡Z2bo represent the abstract element before and after the bit

flip, respectively, and the concretization function γ returns the corresponding four-bitwords in the concrete domain (flipped bits are shown in red).Theorem 4.2 proves thatAlgorithm 1 indeed flips the specified bit in all concrete states represented by a givenabstract element.k-fault abstraction 〈C,≤〉 −−→←−−α

γ ⟨[A |b]k+1,v,∨,∧,>,⊥

⟩

α(x, l) =

〈αKS(x),⊥KS , . . .〉 F (l) = ∅〈f0, f1, . . . , fk〉 F (l) = {〈v0, i0〉 , . . .}

where f0 = αKS(x)f1 =

∨j Flip(vj [ij ], f0)

. . .fk =

∨j Flip(vj [ij ], fk−1)

γ(X) =⋃i γKS(xi)

k-fault domain⟨[A |b]k+1,v,∨,∧,>,⊥

⟩X v Y ⇔ [x0 ≤KS y0] ∧ . . . ∧ [xk ≤KS yk]∨(X,Y ) = 〈∨KS(x0, y0), . . . ,∨KS(xk, yk)〉∧(X,Y ) = 〈∧KS(x0, y0), . . . ,∧KS(xk, yk)〉> = 〈>KS , . . . ,>KS〉⊥ = 〈⊥KS , . . . ,⊥KS〉



THEOREM 4.2. For some [A|bi], let Si = γ([A|bi]) and So =γ(Algorithm 1(xf , [A|bi])) then So = {〈si[x0], . . . , 1− si[xf ], . . .〉 |si ∈ Si}

PROOF. :

So = γ(Algorithm 1(xf , Si))

= {~x|∧k

∑l

Ak,lxl ≡Z2bo(k)}

= {~x|∧k

1× xf +∑l 6=f

Ak,lxl ≡Z2bo(k)} ∩ {~x|

∧k

0× xf +∑l 6=f

Ak,lxl ≡Z2bo(k)}

= {~x|∧k

1× xf +∑l 6=f

Ak,lxl ≡Z21− bi(k)} ∩ {~x|

∧k

0× xf +∑l 6=f

Ak,lxj ≡Z2bi(k)}

= {~x|∧k

xf⊕l 6=f

Ak,lxl ⊕ 1⊕(1⊕ bi(k)

)} ∩ {~x|

∧k

⊕l 6=f

Ak,lxl ⊕ 1⊕ bi(k)}

= {~x|∧k

1⊕ xf⊕l 6=f

Ak,lxl ⊕ 1⊕ bi(k)} ∩ {~x|∧k

⊕l 6=f

Ak,lxl ⊕ 1⊕ bi(k)}

= {~x|∧k

1× (1− xf ) +∑l 6=f

Ak,lxl ≡Z2bi(k)} ∩ {~x|

∧k

0× xf +∑l 6=f

Ak,lxl ≡Z2bi(k)}

= {〈si[x0], . . . , 1− si[xf ], . . .〉 |si ∈ Si}

As the lattice operations are point-wise extensions of the corresponding ones of theKS-domain we can reuse previous established complexity results.

THEOREM 4.3. Let |V ∪ V ′| be the size of the vocabulary and w the word size ofeach symbol in the vocabulary. Given two vectors with k + 1 affine congruence systems,[A1|b1]k+1 and [A2|b2]k+1, we can compute [A1|b1]k+1 ∧ [A2|b2]k+1

, [A1|b1]k+1 ∨ [A2|b2]k+1

and [A1|b1]k+1 ≤ [A2|b2]k+1 in O(k (|V ∪ V ′|w)3) for each operation.

PROOF. : The complexity for ∧KS is, similarly to Gaussian elimination, cubic in thenumber of rows/columns of the matrix, i.e. O(|V ∪ V ′|3w3)[Elder et al. 2014, Section2.1]. As elements in the k-fault domain are vectors of k + 1 affine congruence systemswe apply this operation k+ 1 times and hence the complexity is O(k (|V ∪ V ′|w)3). The∨KS operation is defined in terms ∧KS with a constant number of additional rows andcolumns to compute the affine closure of two affine congruence systems. As such thecomplexity for ∨KS is same as ∧KS and in extension ∧ for two k-fault elements can becomputed in O(k (|V ∪ V ′|w)3). As mentioned in Section 3.2 affine congruence systemsadmit a normal form and hence we can compute enclosure using ∧KS . The complexityfor enclosure of k-fault elements can thus be decided in O(k (|V ∪ V ′|w)3).

4.1.2. Contribution function. To allow an analysis similar to King et al. [King andSøndergaard 2008] we need to lift the contribution function �(x)KS to our setting.


0:12 Lidman et al.

We therefore define �(x, l) since a location l can be a fault site:

�(x, l) =

〈�KS(x0), . . . ,�KS(xk)〉 F (l) = ∅〈f0, f1, . . . , fk〉 F (l) = {〈v0, i0〉 , . . .}

where f0 = �KS(x0)f1 = �KS(x1)

∨j Flip(vj [ij ], x0)

. . .fk = �KS(xk)

∨j Flip(vj [ij ], xk−1)

Note the resemblance to the abstraction function above. Similarly to the abstractionfunctions the contribution of a fault free instruction (i.e., F (l) = ∅) is a point-wiseextension of the KS domain. For an instruction where faults can occur we need toconsider the semantics after one fault, two fault etc. This to make sure that the numberof faults stays bounded (by k) even if we would execute an instruction an unboundednumber of times. We do this by flipping any faulty bit (given by F (l)) in the semanticsafter m faults and adding the result to the semantics after m+ 1 faults. We do this forall m ≤ k KS elements. The abstraction function can hence be defined as a contributionfunction where we let �KS(x0) = αKS(x0) and �KS(x1) = ... = �KS(xk) = ⊥KS , i.e.the faulty state transformer with no constraints on the pre set.

4.2. Hyperball domainNext we turn to the Hyperball abstract domain. In this work we specialize the domainfor the set Z2W and define two modes of the domain, the fixed center and varying centermodes. In applications where the expected output is known a priori (e.g., an imageprocessing application where PSNR is given as part of the specification), the fixedcenter mode may prove sufficient, whereas other applications (e.g., an incrementalfixed-point algorithm such as Newton’s method) may need the varying center mode.In the fixed-center mode, all abstract elements (i.e., n-balls) have a center specified apriori which is not needed in the varying center mode. The Hyperball domain sharemany characteristics with the intervals domain, especially when operated in the fixedcenter mode. Section 4.2.2 define a reduced product between the Hyperball domainand the k-fault domain. We rely on the reduced product in our experiments to improvethe precision of an analysis.

Let 〈M,d〉 be a metric space. Then Br[c] , {x ∈ M |d(x, c) ≤ r} is a closed n-ballwith radius r at center c. A closed n-ball is made up of an open n-ball Br(c) , {x ∈M |d(x, c) < r} and a bounding sphere Sr(c) = {x ∈ M |d(x, c) = r}. Given two met-ric spaces 〈X, dX〉 and 〈Y, dY 〉, a transformation f : X 7→ Y is distance-preserving if∀a, b ∈ X : dY (f(a), f(b)) = dX(a, b). The translation transformation fδ(x) = x + δmoves each point a constant distance. Similarly, the (uniform) scaling transformationgδ(x) = δ × x increases/decreases the size of objects by a factor δ. An n-ball B1[0] iscalled unit. Any n-ball Br[c] can be transformed to a unit n-ball by an appropriatetranslation and scaling transform f−c ◦ g1/r. Note that a distance-preserving transfor-mation do not change containment of two closed n-balls (i.e., Br1 [c1] ≤ Br2 [c2] ⇔ ∀x :x ∈ Br1 [c1]⇒ x ∈ Br2 [c2]⇔ ∀x : d(c1, x) ≤ r1 ⇒ d(c2, x) ≤ r2).In this work we limit ourselves to n-balls from the normed vector space 〈Rn, ||x||2〉 forsome n ∈ N, where ||x||2 is the Euclidean norm that induces a metric d2(x, y)6. Wediscuss an possible extension and its benefits in Section 7.

6That is, ||x||2 ,√∑n

i=0 |xi|2 and d2(x, y) , ||x− y||2



4.2.1. Abstraction operations. Finding the union (with minimal radius) of two n-balls isknown as the minimal enclosing ball problem [Fischer 2005]. We define two abstrac-tion functions that both use an SMT solver to extract the set of satisfying models,similarly to the abstraction function used in the KS domain.

— αEXACT extracts all O(2kw) models and then uses Fischer’s algorithm for points [Fis-cher 2005, Chapter 4] to create the hyperball.

— αINT uses the algorithm of Barret and King [Barrett and King 2010] to form andinterval for each (pre and post) state variable using O(kw models). The function thencreates a hyperball from the resulting hyperrectangle7, as in Algorithm 3, steps 1-9.

We also define an widening operator that increment the radius exponentially until afixed threshold R ∈ R has been reached and > is used. This is similar to the wideningoperator used with the interval domain.

The lattice operations of the Hyperball domain with the fixed-center c can be per-formed in constant amount of time as they only need to work with the radius while theyhave polynomial/subexponential complexity for the varying center mode. With a fixedcenter a hyperball is enclosed by another hyperball if it has a smaller or equal radius.In extension the union/intersection of two hyperballs can be computed by the mini-mum/maximum of the two radii. With different centers, as in the varying center mode,we determine enclosure by considering the extremal points in both directions (i.e.,which is given by translating the centers +r and −r points). Fischer’s algorithm [Fis-cher 2005, Chapter 5] finds the smallest bounding ball (i.e. the least upper bound ina domain of hyperballs) using an “almost” linear program in subexponential time. Wepresent Algorithm 2 to compute the greatest lower bound of two hyperballs. The al-gorithm exploit the fact that Euclidean hyperspheres (i.e., the bounding sphere of ahyperball) are closed under intersection. The algorithm offers a intuitive geometric in-terpretation in Figure 4 where Pc refers to the center of the intersecting hypersphereswith radius h.

THEOREM 4.4. Let d be the size of the vocabulary (i.e., the dimension ofthe hyperballs) then given two hyperballs, Br1 [c1] and Br2 [c2], we can compute

Br1 [c1] ∧Br1 [c1], Br1 [c1] ∨Br2 [c2] and Br1 [c1] ≤ Br2 [c2] inO(d),O(d2)+eO(√

d log(d))

andO(d) respectively.

PROOF. : For ∧ the complexity is bounded by the computation of the norm ||x||2which can be performed O(d). This is similar to ≤ where instead scalar-vector addi-tion/subtraction operations are used, the complexity is still O(d) however. The prooffor ∨ was presented by Fischer [Fischer 2005, Corollary 6.17].

7The Cartesian product of a set of intervals is a hyperrectangle.


0:14 Lidman et al.

Let B be the of all n-balls of 〈Rn, ||x||2〉, ⊥ and > are special elements such that ∀r, c :⊥ v Br[c] v >. The Hyperball abstraction and domain is concisely defined as:

Hyperball abstraction 〈C,≤〉 −−−→←−−−α∗

γ〈{⊥,>} ∪ B,v,∨,∧,>,⊥〉

αEXACT (s) by Fischer’s algorithm for points [Fischer 2005, Chapter 4]

αINT (s) by the algorithm of Barret et al. [Barrett and King 2010] and Algorithm 3

γ(s) =

∅ s = ⊥Rn s = >{~x|d(x, c) ≤ r} otherwise

Br1 [c1]∇Br2 [c2] ={Br[c] r ≤ R> otherwise where

c = 12 (c1 + c2)

r = 10×max(||c− c1||2 + r1,||c− c2||2 + r2)

Hyperball domain 〈{⊥,>} ∪ B,v,∨,∧,>,⊥〉Fixed center (c) mode

Br1 [c] v Br2 [c] = r1 ≤ r2∨(Br1 [c], Br2 [c]) = Bmax(r1,r2)[c]

∧(Br1 [c], Br2 [c]) = Bmin(r1,r2)[c]

Varying center modeBr1 [c1] v Br2 [c2] = [c1 − r1 ≤ c2 − r2] ∧ [c1 + r1 ≥ c2 + r2]

∨(Br1 [c1], Br2 [c2]) by Fischer’s algorithm for balls [Fischer 2005, Chapter 5]

∧(Br1 [c1], Br2 [c2]) by Algorithm 2Finally we prove that the meet operation of the varying center Hyperball domain com-putes the intersection of two hyperballs.

THEOREM 4.6. Algorithm 2 computes Br1 [c1] ∩Br2 [c2] = Br[c].

PROOF. Given two closed n-balls Br1 [c1] and Br2 [c2] and an arbitrary dimensioni ∈ [0, n− 1]. Using the same notation as in Figure 4, let d = x+ y = ||c1 − c2||2. Applya distance-preserving transformation such that c1 = 〈0, ..., 0〉 and c2 = 〈0, .., d, ...0〉 (i.e.,the ith coordinate equals d). Compute the intersection of the bounding spheres Sr1(c1)and Sr2(c2) [Weisstein 2002, p. 2777] as:{∑

0≤j≤n−1,j 6=i x2j + x2i = r21∑

0≤j≤n−1,j 6=i x2j + (xi − d)2 = r22.

⇔ r22 − (xi − d)2 = r21 − x2i ⇔ xi =r21 − r22 + d2

2d

Letting h =

√r21 −

(r21−r22+d2

2d

)2, the result is a (n − 1)-sphere

∑0≤j≤n−1,j 6=i x

2j = h2.

The center point between c1 and c2 is given by Pc = c1 + xd (c2 − c1). Applying these

results, the intersection of the bounding spheres is a sphere Sh(Pc). However, Bh[Pc]cannot be used as the intersecting n-ball, as this will be incorrect when h < ||Px−Pc||2or h < ||Py−Pc||2. The condition holds when at least a majority of the points in at leastone n-ball is shared with the other n-ball. When either of the inequalities holds, weinstead choose the smallest of the two input n-balls.

4.2.2. Reduced product over k-fault and Hyperball domain. Similarly to the bit vector in-equality domain of Elder et al. [Elder et al. 2014], we combine the k-fault and Hyper-ball domains using a quasi-reduced product. Our reduce function over-approximatesthe affine congruence system as a hyperrectangle. For this we use the same reduction



ALGORITHM 2: ∧ for 〈Rn, ||x||2〉Input: Br1 [c1]Input: Br2 [c2]Output: Br[c]

1 if Br1 [c1] = ⊥ ∨Br1 [c1] = ⊥ then2 return ⊥;3 if Br1 [c1] = > then4 return Br2 [c2];5 if Br2 [c2] = > then6 return Br1 [c1];7 d = ||c1 − c2||2;8 if d ≥ r1 + r2 then9 return ⊥;

10 else11 x =

r21−r22+d2

2d;

12 h =√

r21 − x2;

13 Pc = c1 + x c2−c1d

;14 Px = c2 + r2

c1−c2d

;15 Py = c1 + r1

c2−c1d

;16 if (h ≥ ||Px − Pc||2)∧17 (h ≥ ||Py − Pc||2) then18 return Bh(Pc);19 else if r2 ≥ r1 then20 return Br1(c1);21 else22 return Br2(c2);

c1 c2PcPx Py

r1 r2h

d

x y

Fig. 4. Relations of variables in Algorithm 2

Example 4.5. Let c1 = 〈0, 0〉 , c2 = 〈1, 1〉 ,c3 = 〈1, 0〉 and r1 = 1, r2 = 0, r3 = 0 thenBr1 [c1] ∩ Br2 [c2] = ⊥, Br1 [c1] ∩ Br3 [c3] =B0[〈1, 0〉] and Br2 [c2] ∩Br3 [c3] = ⊥.

as Elder et al., in which each row is interpreted by interval arithmetic to yield a set ofintervals; we refer to this function as ReduceAffSys. The center of the hyperrectangleand the point p furthest away from the center is used to build a hyperball. Intervalsplay a critical part in combining the k-fault and the Hyperball domains. In Section 5we refer to this combination as the bit vector domain.

ALGORITHM 3: Reduce for k-fault and hyperballInput: [A|b], BrI [cI]Output: BrO[cO]

1 Rect = {v0 = [l0, u0], . . .} =ReduceAffSys([A|b]);2 c = 1

2〈u0 − l0, u1 − l1, ...〉;

3 r = Distance(c, p) where p is the point furthest away from c in Rect;4 if Br[c] ≤ BrI [cI] then5 rO = r;6 cO = c;7 else8 rO = rI;9 cO = cI;


0:16 Lidman et al.

4.3. Scale domainSotin [Sotin 2010] introduces a notion of quality between abstract elements based onmeasures8. We define the Scale domain as a parametrized domain where elements aredisjunctions of a set of abstract elements from an underlying domain.

Measures map real values to each subset of a set denoting the subsets “size”. Mea-sures provides a generalization of common concepts such as length and mass and isheavily used in modern probability theory. We define measures as per Definition 4.7.

Definition 4.7. Let X be a set of abstract elements and P (X) be an σ-algebra overX9 then a measure µ : P (X) 7→ R∞ satisfies:

(1) µ(∅) = 0(2) For all collections {Si}i∈N of pairwise disjoint sets of P (X): µ (

⊎i Si) =

∑i (Si)

(3) For all x ∈ P (X) : µ(x) ≥ 0

Abstract elements over-approximate a set of concrete elements. By using measures,we can hence assess the size of the abstract elements — the smaller the size the finerthe approximation. In a disjunctive domain the number of disjunctive componentsgrows as operations are performed on the elements. Deciding which of an arbitrarynumber (N ) of possible abstract elements to combine to minimize the size of the re-sulting elements can be formulated as a discrete optimization problem. We consideran approach that admit a solution that is (bounded within a factor of) the globally op-timal value, based on submodular optimization [Krause 2010]. Submodular set func-tions (Definition 4.8) are considered the discrete analogue of convex functions. It iswell-known that convex functions has the property that any local minima is also aglobal minima. Submodular set functions admit efficient minimization due to theirLovasz extension f , which is convex [Krause 2010].

Definition 4.8. A set function f : P (X) 7→ R is submodular if it satisfies ∀A,B ⊆X : f(A) + f(B) ≥ f(A ∩B) + f(A ∪B)10.

Using submodular optimization we phrase our problem as a clustering problem —finding a partition of the set of all join or meet combinations of two sets of N elements.We next give a formal account of this problem. Given a system 〈V, T, f, k〉, where Vis a finite ground set, T ⊆ V is a set of terminals, f : P(V ) 7→ R is a submodularfunction, and k ≥ 2 an integer, we define the Multiway Partition Problem (MPP) asper Zhao et al. [Zhao et al. 2005]. The MPP asks us to find a k-partition {V1, . . . , Vk}of V where Vi ∩ T 6= ∅ that minimizes

∑i f(Vi). For our purposes T = V .If f is a

non-negative submodular function then a MPP can be solved within an approximationfactor k−1 of the optimal values in time O(kn3θ), where θ is the complexity of queryingf . Similarly, let G = 〈V,E〉 be a hypergraph11 with |V | = n and a weight function w :E 7→ R+ that assigns a positive real value to each hyperedge. The k-partition problemasks us to find the minimum k-partition of G. Zhao et al. [Zhao et al. 2005] show thatthis can be solved as an MPP 〈V, V, fCut, k〉 where fCut(S) ,

∑∅⊂e∩S⊂e w(e) within

an approximation factor 2 − 2k of the optimal value in time O(kn(nlogn + D)), where

8Note that the more general concept signed measures (sometimes called “charge”) used by Sotin [Sotin 2010]does not necessarily possess the non-negativity property.9A set of subsets that include ∅ and is closed under complement and intersection/union of countable infinitemany subsets.10Equivalently a submodular function is defined by its diminishing return property: ∀A ⊆ B ⊆ X,x ∈X −B : f(A ∪ {x})− f(A) ≥ f(B ∪ {x})− f(B).11V is a finite set of vertices, and E ⊆ P(V ) is a set of hyperedges. |e| for e ∈ E denotes the degree of ahyperedge. In particular, if |e| = 2 for all e ∈ E, then G is a graph.



D =∑e∈E |e|. They show that various types of MPPs can be solved by an algorithm

that starts from a 2-partition and greedily splits an equivalence class by solving asubmodular optimization problem in each iteration until the result is a k-partition.

As future work, Sotin [Sotin 2010] mentions the opportunity to define a best dis-junctive abstract element (with respect to a measure µ). We use the relationship tosubmodular optimization to find this element.

4.3.1. Abstraction operations. Elements of the Scale domain are finite sets(representing finite disjunctions) of abstract elements from a arbitrary ab-stract domain. As such the Scale abstraction is parametrized by an abstrac-tion 〈C,≤〉 −−−−→←−−−−

αD

γD 〈D,vD,tD,uD,>D,⊥D〉 with the same concrete domain.

Scale abstraction 〈C,≤〉 −−→←−−αγ ⟨

{∨Ni=0 xi | xi ∈ D},v,t,u,⊥,>

⟩α(x) = αD(x) ∨

(∨N−1i=0 ⊥

)γ(∨Ni=0 xi) =

⋃j γD(xi)⟨

{∨Ni=0 xi | xi ∈ A},≤,∧,∨,⊥,>

⟩(∨Ni=0 xi

)v(∨N

i=0 yi

)⇔ ∀xi,∃yi : xi v yi(∨N

i=0 xi

)t(∨N

i=0 yi

)= k-partition(N, {xy | i, j ∈ [0, N ], xy = xi tD yj})(∨N

i=0 xi

)u(∨N

i=0 yi

)= k-partition(N, {xy | i, j ∈ [0, N ], xy = xi uD yj})

> =∨Ni=0>D

⊥ =∨Ni=0⊥D

The lattice operations t and u rely on a function k-partition(n, X) to compute aequivalence partition of the set X with n equivalence classes. As previously mentionedthis function can be implemented using submodular optimization. In particular, givena (arbitrary) measure µ that deduce the “size” of an abstract element, we can introducea hypergraph where elements of X are vertexes and any subset of X forms a hyper-edge. k-partition(n, X) can then be implemented by solving the MPP of 〈X,X, fCut, n〉,where the weight function in fCut is defined as w(S) = µ(S). The complexity of solvingsuch a problem is however O(2|X|) as the number of subsets of X is exponential in thenumber of elements of X. We next consider the special case where the measure is anon-negative submodular function.

4.3.2. Measures. Many abstract domains admit a function that can count the numberof points covered by an abstract element (i.e., count(x) = |γ(x)|). For instance, givena set of intervals {[li, ui] |, li, ui ∈ R, li ≤ ui} we can compute the number of coveredelements by

∑i(ui − li). Elder et al. [Elder et al. 2014, Section 5.1.6] describe such a

function for affine congruence systems. We use such a counting operation to constructa measure µSUB as per Definition 4.9. µSUB is an over-approximation of a coveragefunction, a classic example of a submodular function. The coverage function of a setreturns the number of elements in that set. µSUB of a finite set of abstract elementsreturn the number of concrete elements in the result of the join operation of the ab-


0:18 Lidman et al.

stract elements. This should not be confused with∣∣∣γ(∨Ni=0 xi)

∣∣∣ = ∑Ni=0 |γD(xi)| which

compute the sum of the number of concrete elements in the abstract elements xi.

Definition 4.9. µSUB measure of a scale domain element (i.e., a set S of N abstractelements from D) is defined by µSUB(S) = |γD(s1 tD ... tD sN )|We show in Theorem 4.10 that µSUB is a non-negative submodular function. With µSUBwe can solve the MPP in O(kn3θ).

THEOREM 4.10. µSUB is a non-negative submodular function

PROOF. : µSUB is non-negative as the number of elements of a set is never negative.We proceed by proving that µSUB is also a submodular function. Let S = B − A andµSUB(A ∪ S) = µSUB(A) + µSUB(P ), i.e. γ(

∨u∈A u) ∩ γ(

∨u∈P ) = ∅. As lattice operators

in abstract interpretation compute an over-approximation γ(x) ∪ γ(y) ⊆ γ(x tD y) itfollows that µSUB(A ∪ S) ≥ µSUB(A) + µSUB(S) and hence µSUB(P ) ≥ µSUB(S).f(A ∪ {x})− f(A) ≥ f(B ∪ {x})− f(B)⇔µSUB(A ∪ {x})− µSUB(A) ≥ µSUB(B ∪ {x})− µSUB(B)⇔µSUB(A ∪ {x})− µSUB(A) ≥ µSUB(A ∪ S ∪ {x})− µSUB(A ∪ S)⇔µSUB(A ∪ {x})− µSUB(A) ≥ µSUB(A ∪ S ∪ {x})− µSUB(A)− µSUB(P )⇔µSUB(A ∪ {x}) ≥ µSUB(A ∪ S ∪ {x})− µSUB(P )⇔µSUB(A ∪ {x}) ≥ µSUB(A ∪ S ∪ {x})− µSUB(P ) ≥ µSUB(A ∪ {x}) + µSUB(S)− µSUB(P )⇔µSUB(A ∪ {x}) ≥ µSUB(A ∪ {x}) + µSUB(S)− µSUB(P )⇔µSUB(P ) ≥ µSUB(S)

5. EVALUATIONWe mention in Section 1 that the Scale domain do not need a mechanism to discrim-inate regions in the same way as other disjunctive refinement domains. Nonetheless,we show that a priori knowledge of regions improves both analysis time and precision.This is comparable to a clustering instance where feature extraction is often used as apreprocessing step to remove redundant information which can improve the accuracyof the classification. Section 5.1 therefore considers execution time and worst-case (i.e.,largest) radius under two scenarios: the worst case, when the regions are random, andthe best case, when the regions are fully predictable. In all Scale domain experimentswe use the submodular measure from Section 4.3.2. We use the greedy splitting al-gorithm from the SFO framework of Krause [Krause 2010] for solving MPPs. Thislibrary has not been optimized for speed but rather to test submodular optimizationalgorithms in Matlab. We use the CGAL [The CGAL Project 2015] implementation ofboth Fischer’s algorithms used by the Hyperball domain.

To evaluate the combination of our proposed domains we return to the original prob-lem in Section 5.2 — computing the set of reachable states for a fixed number of faultsand quantifying the severity of their impact. We do this on a parametrized corner case,min-n, that illustrates how the costs increase with the number of fault sites and livesymbols.

Finally we use our framework to compare the reliability of six sorting network inSection 5.3 and evaluate a recently proposed approach to improve the randomness ofLFSRs in Section 5.4.

We elaborate on the choice of examples, restrictions and possible future work inSection 6 and Section 7.



5.1. Scale domain evaluationThis evaluation considers and compares two extreme scenarios w.r.t. the performanceof the Scale domain. In the first scenario, we compute the least upper bound of asequence of random numbers from a Park-Miller-Carta pseudo-random number gen-erator. In the second scenario, we choose n ∈ {2, 4, 8, 16} random points and pick asequence containing a subset of these points (in random order, possibly with repe-titions). In both scenarios we use 400 points total, dividing them into blocks of size#Block ∈ {1, 2, 4, 8, 16} to feed to the Scale domain. A lower #Block forces the Scaledomain to choose more greedily.

We use the Scale domain with the Hyperball domain and set the number of disjunc-tive components, #∨, to n. We compare these results to those of using the Hyperballdomain alone with the same sequence of points. We seed the random number gener-ator with the value one to generate the same results for the Hyperball domain in allexperiments using random points, whereas results for experiments using predictablepoints depend on #∨. The number of MPPs we must solve is given by 400−#∨

#Block , witheach MPP solving #∨ submodular optimization problems of O(2#Block) elements.

Tables II and III show the worst-case radii from both scenarios. Each table entry hasthe format S/H, where S is the result of the Scale domain andH the Hyperball domain.These results show that knowing the distribution of regions results in a smaller worst-case radius, i.e., improved precision. Furthermore, when using random points, the radiidecrease with increasing #Block (from making decisions that are less greedy) and #∨(from having more alternatives from which to choose when adding points).

Table II. Worst-case radius from Scale domain experiments with fully predictable pointsXXXXXXX#Block

#∨ 2 4 8 16

1 0.00e0/6.78e8 0.00e0/1.34e9 0.00e0/1.46e9 0.00e0/1.59e92 0.00e0/6.78e8 0.00e0/1.34e9 8.56e8/1.46e9 9.64e8/1.59e94 0.00e0/6.78e8 0.00e0/1.34e9 8.56e8/1.46e9 0.00e0/1.59e98 0.00e0/6.78e8 0.00e0/1.34e9 8.56e8/1.46e9 0.00e0/1.59e916 0.00e0/6.78e8 0.00e0/1.34e9 8.56e8/1.46e9 9.97e8/1.59e9

Table III. Worst-case radius from Scale domain experiments with random pointsXXXXXXX#Block

#∨ 2 4 8 16

1 1.85e9/1.77e9 2.16e9/1.77e9 1.75e9/1.77e9 2.36e9/1.77e92 2.34e9/1.77e9 2.54e9/1.77e9 2.04e9/1.77e9 2.01e9/1.77e94 2.20e9/1.77e9 2.30e9/1.77e9 1.75e9/1.77e9 1.46e9/1.77e98 1.92e9/1.77e9 1.96e9/1.77e9 1.56e9/1.77e9 1.68e9/1.77e916 1.59e9/1.77e9 1.59e9/1.77e9 1.45e9/1.77e9 1.48e9/1.77e9

Tables IV show the execution time costs of increasing #Block and/or #∨.Execution time is higher in the random case because of the higher number of re-

quests to calls to the weight function of the MPP. In both cases, a low #Block and high#∨ take the most time due to the high number of submodular optimization problems,each using the most elements.

Table IV. Execution times (in seconds) for the Scale domain using fully predictable points (left) and random points(right)XXXXXXX#Block

#∨ 2 4 8 16

1 9.0 35.0 187.2 1222.12 7.4 28.4 143.4 946.44 9.7 30.9 115.1 565.28 19.4 48.2 134.9 501.116 49.5 98.1 213.8 621.4

XXXXXXX#Block#∨ 2 4 8 16

1 9.1 37.7 242.6 2,873.92 7.6 32.4 192.7 1,853.84 9.8 40.6 195.3 1,122.58 19.7 72.4 281.7 1,360.416 53.5 162.2 405.5 2,130.4


0:20 Lidman et al.

Table V. Execution times (in seconds) of analysis evaluating min-n kernelXXXXXXXDomain(s)

n 1 2 3 4 5 6 7 8

BV 2.5 10.8 31.6 74.4 154.2 291.1 513.9 856.30-fault+HB 2.5 10.7 31.4 73.9 153.1 290.8 511.4 849.91-fault+HB 131.4 1,146.9 4,352.8 11,822.1 26,454.9 53,529.6 - -1-fault+HB+Scale(#∨l = 1, #∨∗ = 2) 145.4 1,298.7 5,255.8 14,765.1 33,673.8 68,171.1 - -1-fault+HB+Scale(#∨l = 3, #∨∗ = 32) 209.6 8,669.9 40,040.6 - - - - -

Table VI. Worst-case radius of hyperball from evaluation of min-n kernelXXXXXXXDomain(s)

n 1 2 3 4 5 6 7 8

1-fault+HB 798,679.0 419,036.0 404,390.0 404,390.0 404,390.0 414,068.0 - -1-fault+HB+Scale(#∨l = 1, #∨∗ = 2) 798,679.0 419,036.0 404,390.0 404,390.0 404,390.0 414,068.0 - -1-fault+HB+Scale(#∨l = 3, #∨∗ = 32) 8,192.1 413,184.0 398,325.0 - - - - -

5.2. Case study: min-nTo evaluate the impact of faults, we let k = 1 (i.e., the SEU fault model) for a min-nkernel (for n ∈ [1, 8]) that computes the pair-wise minimum of two arrays of lengthn. We start in a concrete state where the arrays to be sorted is picked to be a ran-dom sequence12. We use a branch-less implementation in which any bit output froman arithmetic operation can flip, i.e., min(x, y) = y ⊕ ((x ⊕ y)& − (x < y)), where thenegation (i.e., subtraction) is faulty. Our target RISC architecture uses 32-bit registers(the number of bits of each operand). Computations in the min-n application are in-dependent in that computing the minimum of two elements does not affect computingthe minimum of any other two elements. One would therefore expect the precision ofthe hyperballs to increase with increasing n for a fixed k. This expectation does nothold for our abstract analysis in the general case due to the limited number of disjunc-tive components. In experiments that include the Scale domain we need a strategy forassigning #∨ at each location. We want to keep this low enough to avoid unnecessaryperformance costs but high enough not to incur unreasonable precision degradation.To do this we need to consider the set of possible values an abstract operation canproduce given some abstract operands and, in particular, how operations produce thesame output for different input values. In our case, we use the fact that the logicaloperations mask many differences due to bit flips. The faulty subtraction outputs 32possible values, and the differences between these values will be masked away; afterthe last logical operation, these (fewer than 32 distinct values) will be combined intothree values. We perform a sensitivity analysis on different assignments where we let#∨ ∈ {2, 4, 8, 16, 32} for all logical operations (denoted by #∨l) and #∨ ∈ {1, 2, 3} forother operations (denoted by #∨∗).

Table V shows the execution time of an analysis using the bit vector domain (BV),the k-fault domain with and without the Hyperball domain (HB), and the fastest andslowest run with the Scale domain with the k-fault domain and the Hyperball domain.The fastest and slowest run also correspond to the least and most accurate results re-spectively. The complete results from using the Scale domain is shown in Table VII,VIII and IX for #∨∗ = 1, #∨∗ = 2 and #∨∗ = 3 respectively. We restrict the analysis to24 hours and use “-” to indicate timeout. In a fault-free environment, the overhead ofincluding the Hyperball domain is negligible compared to using the bit vector domainalone. The overhead increases by two orders of magnitude when faults are allowed.The reason is the increased number of models we need to extract using the SMT solver(and the subsequent number of least-upper-bound operations). This does not scale lin-

12We used 〈1, 2789, 56732, 675, 789672, 1334, 48879, 3203334144〉 and 〈798678, 124235, 34, 3, 786782, 89756, 48879, 3203334144〉in our experiments



Table VII. Execution time from evaluation of min-n kernel with the Scale domain and the num-ber of disjunctive components for non-logical operations set to 1XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 145.4 1,298.7 5,255.8 14,765.1 33,673.8 68,171.1 - -4 164.1 1,579.6 7,065.9 20,637.0 48,011.3 - - -8 193.2 2,139.8 10,918.6 34,977.9 - - - -16 234.6 3,272.1 18,596.8 60,771.4 - - - -32 191.9 5,587.6 37,379.4 - - - - -

Table VIII. Execution time from evaluation of min-n kernel with the Scale domain andthe number of disjunctive components for non-logical operations set to 2XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 141.5 1,929.5 7,605.0 20,673.8 46,807.5 - - -4 162.3 2,128.5 7,577.0 20,150.5 44,632.4 - - -8 193.2 2,766.6 8,942.6 23,252.4 51,284.7 - - -16 234.2 3,824.7 17,903.4 56,935.8 - - - -32 202.7 6,262.5 34,248.3 - - - - -

Table IX. Execution time from evaluation of min-n kernel with the Scale domain and thenumber of disjunctive components for non-logical operations set to 3XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 143.8 1,932.5 7,607.3 20,682.1 46,832.7 - - -4 169.8 3,790.1 12,094.3 30,257.6 65,377.9 - - -8 190.8 5,865.8 16,025.0 37,710.2 77,463.2 - - -16 229.1 5,530.3 20,951.5 61,458.9 - - - -32 209.6 8,669.9 40,040.6 - - - - -

early because of the increase in matrix size due to the larger memory footprints withincreasing n.

Table VI shows that using the Scale domain can improve the quality of the analysesby up to 97.5× in all completed instances. In this case, due to the high overhead, thereare more instances that reach timeout when the Scale domain is used. The completeresults from using the Scale domain is shown in Table X, XI and XII for #∨∗ = 1,#∨∗ = 2 and #∨∗ = 3 respectively.

5.3. Case study: Sorting networksMedian filtering is a well-known image processing technique to remove salt-and-pepper noise that manifest as pixels turned to the lowest (i.e., white or salt) or highest(i.e., black or pepper) intensity. Median filtering restore the pixel by changing it tothe median of a neighborhood centered at the pixel. Often a 4-neighborhood is used.The underlying assumption is that a low spatial distance often imply high similarityin intensity. We rely on this assumption to show how median filtering provide faultmasking. Median filtering can be implemented using sorting networks (or selectionnetworks which implement a subset of the swaps of sorting networks).

Sorting networks are constructed by compare-and-swap (CAS) blocks that sort twoelements. The position and number of CAS functions determine the type of sortingnetwork. Different types maximize parallel operations, maximize throughput etc. Fur-thermore the implementation of the CAS block can be either based on branches orbranch-less:


0:22 Lidman et al.

Table X. Worst-case radius of hyperball from evaluation of min-n kernel with the Scale domain anddefault number of disjunctive components set to 1XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 798679.0 419036.0 404390.0 404390.0 404390.0 414068.0 - -4 798679.0 419036.0 404390.0 404390.0 404390.0 - - -8 798679.0 419036.0 404390.0 404390.0 404390.0 - - -16 524288.0 419036.0 404390.0 404390.0 - - - -32 524288.0 404870.0 405717.0 - - - - -

Table XI. Worst-case radius of hyperball from evaluation of min-n kernel with the Scale domainand default number of disjunctive components set to 2XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 798679.0 419036.0 404390.0 404390.0 404390.0 - - -4 798679.0 419036.0 404390.0 404390.0 404390.0 - - -8 798679.0 419036.0 404390.0 404390.0 404390.0 - - -16 262144.0 413184.0 398323.0 398323.0 - - - -32 262144.0 413184.0 399670.0 - - - - -

Table XII. Worst-case radius of hyperball from evaluation of min-n kernel with the Scale domainand default number of disjunctive components set to 3XXXXXXX#∨∗

n 1 2 3 4 5 6 7 8

2 798679.0 419036.0 404390.0 404390.0 404390.0 - - -4 798679.0 419036.0 404390.0 404390.0 404390.0 - - -8 798679.0 419036.0 404390.0 404390.0 404390.0 - - -16 12247.0 413184.0 398323.0 398323.0 - - - -32 8192.1 413184.0 398325.0 - - - - -

CAS Branch(x, y) 7→ (x′, y′) :i f (x ≤ y )

x′ = x

y′ = ye lse

x′ = y

y′ = x

CAS Branchless(x, y) 7→ (x′, y′) :k = (x⊕ y)&− (x < y) ;x′ = y ⊕ k ;y′ = x⊕ k ;

The branch implementation is commonly used in the fault tolerance communitywhere the fault model often considers a faulty comparison operation. However in thisimplementation either output is always one of the inputs, i.e. the CAS function doesnot erroneously set/clear any output bit that is not set/clear in the input. This is nolonger true for the branch-less implementation where a fault in the comparator maynot be masked.

The branch-less implementation of the CAS function is very similar to the min(x, y)function from Section 5.2. Note that as the Hamming distance between x and y de-creases the operation x ⊕ y approaches ~0 and the effect of bit-flips to x < y decreases.As such we can expect the CAS function to mask many faults the more similar theinputs x and y are. Even so its may be hard to predict the fault masking without per-forming the operation. This case is ideal for the Scale domain as it will combine resultsonline.

We evaluate the reliability, as measured by the radius of the hyperball, of the six5x5 sorting-networks, illustrated by their Knuth diagrams in Figure 5. In contrastto the previous evaluation we instead start from the concrete state where the inputvalues are more similar: 〈45, 50, 45, 48, 45〉. Faults occur in the comparator of a CASfunction. As sorting networks include different number of CAS functions we presentthe min/max/median hyperball radius for any scenario when the comparator of oneCAS function is a potential fault site.



Fig. 5. Bubblesort, Insertionsort, Bose-Nelson, Hibbard, Batcher and Odd-Even sorting networks

Table XIII. Radius of hyperball from evaluation of sorting networks with branch-less CAS using 1-fault+HB domains(left) and 1-fault+HB+Scale domains (right)````````Network

Order statistic Minimum Median Maximum

Bubblesort 0 30.422 45.105Insertion 0 16.211 45.105Bose-Nelson 0 13 47.776Hibbard 0 2 49.015Batcher 0 0 47.143Odd-Even 0 37.053 49.015

````````NetworkOrder statistic Minimum Median Maximum

Bubblesort 0 0 39.064Insertion 0 0 39.064Bose-Nelson 0 0 24Hibbard 0 0 20.249Batcher 0 0 30.814Odd-Even 0 0 49.015

Table XIV. Radius of hyperball from evaluation of sortingnetworks with branch CAS using 1-fault+HB domains````````Network

Order statistic Minimum Median Maximum

Bubblesort 0 0 3Insertion 0 0 3Bose-Nelson 0 0 3Hibbard 0 0 0Batcher 0 0 4.3589Odd-Even 0 0 3

Table XIII and XIV shows the results when using the branch-less and branch imple-mentation of the CAS function respectively. From the results we see that the branchimplementation is more reliable even when we use the scale domain in the analysis.

5.4. Case study: Linear Feedback Shift RegistersCryptographic attacks targeting the software implementation rather than the mathe-matical design are referred to side-channel attacks. Fault attacks[Bar-El et al. 2006] iscommon type of side-channel attack where a fault is injected into a critical signals (e.g.,clock signal, power supply). Boneh et al. [Boneh et al. 2001] showed how a common im-plementation of RSA and Fiat-Shamir identification was compromised using one or few(mathtt∼10) fault injections respectively. Differential Power Analysis (DPA) [Kocheret al. 1999] uses the correlation between two executions (one normal and one underattack) to compute the internal state of an hardware implementation. The approachis extended to software implementations of cryptographic algorithms by means of apower model, commonly the hamming distance between the post and pre state of anexecuted instruction is used[Kocher et al. 1999]. For instance, if an instruction uses thevalue ~x = 〈0, 0, 1, 1〉 to produce the value ~x′ = 〈0, 1, 1, 0〉 then power consumed is givenby the hamming distance between ~x and ~x′:

∑i xi⊕x′i = (0⊕0)+(0⊕1)+(1⊕1)+(1⊕0) =

0 + 1 + 0 + 1 = 2.Signal-to-noise ratio has been suggested as a metric of an applications susceptibility

to DFA [Guilley et al. 2011]. Saraf [Saraf and Bazargan 2015] suggested an approachto improve the randomness of LFSR:s using similarity transformations. Given a LFSR,represented by its transition matrixA, the similarity transform ofA is given by PAP−1where P is a square invertible matrix. Randomness is important when generatingtest vectors for fault testing. Saraf [Saraf and Bazargan 2015] et al. evaluate theirapproach by comparing the test length between the original and transformed LFSRto reach 90 % of total faults on nine ISCAS89 circuits. They pick P as a permutationmatrix chosen from Monte Carlo simulations.


0:24 Lidman et al.

Here we consider their approach with permutation matrices in the context of im-proving a LFSR to DPA attacks using the SNR measure and hamming distance aspower model. The number of feasible transitions in a (maximum-length) LFSR is ex-ponential in the number of bits and the LFSR:s used in practice have a high number ofbits. Hence we can not compute the SNR exactly and must instead use an approxima-tion where the approximative SNR ≤ real SNR. For this we use the Hyperball domainto compute the SNR of two LFSR:s related by a similarity transform. The vocabularyused in our analyses describe the Hamming distance between a pre and post variable(e.g., x∗ = x ⊕ x′)13. Given M variables that are updated in N transitions we computethe mean and standard deviation from two separate analyses:

(1) The mean µ can be related to a scaled and square root transformed Hyperball withcenter ~0:

r2 =

M∑i=1

N∑j=1

(yi,j − ci,j)2yi,j =

√xi,j

ci,j = 0←−−−−−−−−−→ r2 =

M∑i=1

N∑j=1

xi,j

r=√MN×µ←−−−−−−−→ µ =

1

MN

M∑i=1

N∑j=1

xi,j

We perform an analysis using the fixed-center hyperball with center~0 and applyingthe square root to the lower/upper bounds of the intervals in between Step 1-2 ofthe reduction algorithm in Algorithm 3. Using the resulting radius r we computethe mean by 1

MN r2.

(2) Similarly, given a mean µ we can relate the standard deviation σ to a scaled hyper-ball with center 〈µ, ..., µ〉:

r2 =

M∑i=1

N∑j=1

(xi,j − ci,j)2ci,j=µ←−−−→ r2 =

M∑i=1

N∑j=1

(xi,j − µ)2

r=√MN−1×σ←−−−−−−−−→ σ =

√√√√ 1

MN − 1

M∑i=1

N∑j=1

(xi,j − µ)2

We perform an analysis using the fixed-center hyperball with center set to theresulting mean µ from the previous analysis for each variable. The standard devi-ation is computed from the resulting radius by σ = 1

MN−1r.

Finally the SNR is computed from above two analyses by µσ .

As an example we revisit the LFSR used in Section 3, i.e. the example fromSaraf [Saraf and Bazargan 2015]. Referring to its adjacency matrix as S we computethe transformed LFSR, represented by its adjacency matrix T using a permutationmatrix P:

S =

[0 1 00 0 11 1 0

]P =

[0 1 01 0 00 0 1

]⇒ T = PSP−1 =

[0 0 11 0 01 1 0

]The transition diagram of T is shown in Figure 6 (left) and the program of the origi-

nal LFSR and the permutation is shown in Figure 6 (right). Table XV show the result

13This in contrast to (for instance) the sorting network evaluation where the vocabulary consisted of preand post state variables (e.g., x and x′)



111

101001

010

100

011110

000

f0 = >f1 = ρv′,v(πv′ (f0 ∧ [[s = A]])) ∨ ρv′,v(πv′ (f2))

f2 = ρv′,v(πv′ (f1 ∧ [[s = ((s� 1) & 0x07)⊕ ((s� 2) & 1)⊕ ((s� 1) & 1);

t = (s & 0x4)⊕ ((s & 0x1)� 1)⊕ ((s & 0x2)� 1)]]))

Fig. 6. Semantics of transformed LFSR flow-chart as a transition diagram (left) and recursive equations(right)

Table XV. Consumed powerLFSR State sequence Consumed power µ σ SNR Approx. SNR

S 111→ 011→ 001→ 100→ 010→ 101→ 110→ 111 1 + 1 + 2 + 2 + 3 + 2 + 1 1.7143 0.7559 2.2678 1.000T 111→ 101→ 001→ 010→ 100→ 011→ 110→ 111 1 + 1 + 2 + 2 + 3 + 2 + 1 1.7143 0.7559 2.2678 1.000

of computing the SNR for both the original and transformed LFSR when starting instate 〈1, 1, 1〉. In particular note that the hamming distance for any transition is thesame and hence the SNR is equal.

Next we consider a realistic example. A5/1 contains three LFSR:s with 19, 22 and23 state bits and 4, 2 and 4 taps respectively. The number of possible permutationmatrices for each LFSR is then

(194

)= 3876,

(222

)= 231 and

(234

)= 8854 respectively.

Following the approach above we computed the SNR of14...

— 16 of all transformed LFSR:s of size 19 bits with 4 taps, i.e. 646 of the total 3876. Theresulting SNR for each was 0.00138.

— All transformed LFSR:s of size 22 bits with 2 taps, i.e., 231. The resulting SNR foreach was 0.000488.

— 120 of all transformed LFSR:s of size 23 bits with 4 taps, i.e. 449 of the total 8854.The resulting SNR for each was 0.000488.

From above we see that transforming a LFSR through a similarity transform doesnot seem to harden it to DPA attacks. The identical SNR values is not a coincidence.Similarity transforms with a permutation matrix will preserve all symmetries, i.e. letA and be B be matrices related by such a transform then if ~y = A~x and ~z = B~w then∀i : yi = xi ⇔ zi = wi. Note that yi and zi (xi and wi) does not have to be identical. Ifsymmetries are preserved then the hamming distance will also be preserved (0 ⊕ 0 =1⊕ 1 = 0 and 0⊕ 1 = 1⊕ 0 = 1).

Hence using our framework we were able to show that LFSR generated by a simi-larity transform of a permutation matrix is not hardened against DPA.

6. DISCUSSIONThis paper introduces a framework for analyzing the quality degradation (when themetric conform to a hyperball) of an application affected by a finite number of faults.As far as we know this is the only approach that can guarantee worst-case verificationfor this case. We elaborate on potential problems that we encountered in Section 5 andpossible solutions. Orthogonal to this Section 7 considers extensions of our frameworkand the potential benefit.

The main concern of an analysis in our framework is the high running time. Section5.2 showed that the execution time increased drastically when enabling faults in thesemantics (i.e., 0-fault+HB versus 1-fault+HB) and when using the Scale domain (withhigh number of disjunctive components).

14Our experiments were constrained to one month in time


0:26 Lidman et al.

— Faulty transitions drastically increase the set of reachable states in general. For thisreason we have favored extending a domain with limited expressiveness (i.e., lowerlattice height) when approximating the machine semantics. Rather then extendingthe KS-domain, we could have extended the finite powerset domain. Lower expres-siveness means fewer levels to describe the set of reachable states and in extensionfewer iterations till reaching a fixed-point. But it also results in a higher degreeof over-approximation. For our evaluation the limited expressiveness is consideredan advantage. For some programs limited expressiveness may incur additional run-ning time. Analyzing some programs with loops using the KS-domain could meanextra running time as additional states need to be explored in the loop cycle dueto over-approximation. We have assumed that the extra cost of over-approximationwould be lower than that of following all paths due to bit flips as would be requiredif we used the finite powerset domain. For applications where faulty traces does notconverge or are not close to one another value-wise, this may not necessarily be thecase. We leave it to future work to investigate this trade-off.

— In this initial work we have used a submodular optimization framework that hasnot been optimized for speed. More specialized frameworks could likely alleviatethe problem with high running time for the Scale domain. For instance by loweringthe number of invocations to the oracle[Goemans et al. 2009] (i.e., µSUB in our casewhich imply computing a large number of join operations) or implement the frame-work as a highly-optimized parallel application. As these improvement fall outsideour scope of our work we have not considered them further.

7. FUTURE WORKIn this work we restrict ourselves to statistical measures defined in terms of Euclideandistance. The more general Minkowski distance15 would further allow measures suchas least absolute deviation (i.e., l1-norm). Furthermore, an n-ball in l1 (rectilinear/Manhattan norm) is a (regular) n-octahedron, and an n-ball in l∞ (Chebychev norm)is an n-cube. A Minkowski hyperball domain would thus be related to the octahedrondomain [Claris and Cortadella 2004] and, with an appropriate disjunctive refinement,would generalize the disjunctive hypercube domain [Costantini et al. 2013].

In extending/applying our approach to other examples, we see a few potential prob-lems besides execution time. Our domains currently can not represent memory ele-ments. The bitvector memory equality domain of Elder et al. [Elder et al. 2014] in-troduces a symbol per memory operation and uses two sets of descriptions to enablethis capability. The address description tracks the addresses that are being used bya memory operation. The value description expresses the relationship between valuesthat read from/written to memory and the memory symbol. It is, however, importantto keep the association between memory address and values for applications wheremany accesses take place at one location (such as in a memory-intensive loop).

Finally, to use the scale domain, we also need a policy for how to assign the number ofversions used at a location. In the min-n kernel we use masking of faults due to logicaloperations, to find such a policy. In general we likely need a policy that is adaptable orat least not statically assign N per each location.

8. CONCLUSIONThe problem of analysing the implications of bit flips is troublesome, given the largenumber of possible outcomes. Previously statistical sampling has been used to deducereliability of an implementation. With such an approach its always possible to miss a

15The Minkowski distance lp is defined as p

√∑(Y − Y

)p, where 1 ≤ p ≤ ∞



rare but crucial example. In this work we present a family of abstract domains thatprovide a sound over-approximation to this problem. The k-fault domain computes theset of reachable states given a set of locations where a finite number of bit flips canoccur. The Hyperball domain measures the degradation in the output due to these bitflips. Finally, the Scale domain minimizes the negative implications of disjunctions onthe precision of the analysis.

Our initial study show empirically how the performance of the Scale domain im-proves as the disjunctive components conform to an a priori predictable pattern andhow the execution time varies with parameter values. We also evaluate how our do-mains, when combined, solve the original problem. We show how analysis time in-creases as the number of fault sites and registers increase and how the Scale domaincan improve the precision of the analysis by up to two orders of magnitude.

ACKNOWLEDGMENTS

We would like to thank Josef Svenningson for feedback on drafts of this work.

REFERENCESGianluca Amato, Maurizio Parton, and Francesca Scozzari. 2010. Deriving Numerical Abstract Domains via

Principal Component Analysis. In Proceedings of the 17th International Conference on Static Analysis(SAS’10). 134–150.

R. Bagnara. 1998. A Hierarchy of Constraint Systems for Data-Flow Analysis of Constraint Logic-BasedLanguages. Science of Computer Programming 30, 1–2 (1998), 119–155.

H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. 2006. The Sorcerer’s Apprentice Guide toFault Attacks. Proc. IEEE 94, 2 (Feb 2006), 370–382. DOI:http://dx.doi.org/10.1109/JPROC.2005.862424

Edd Barrett and Andy King. 2010. Range and Set Abstraction Using SAT. Electron. Notes Theor. Comput.Sci. 267, 1 (Oct. 2010), 17–27.

Dan Boneh, Richard A. Demillo, and Richard J. Lipton. 2001. On the Importance of Eliminating Errors inCryptographic Computations. Journal of Cryptology 14 (2001), 101–119.

R Claris and J. Cortadella. 2004. The octahedron abstract domain. In Static Analysis Symposium. Springer-Verlag, 312–327.

G. Costantini, P. Ferrara, G. Maggiore, and A. Cortesi. 2013. The Domain of Parametric Hypercubes forStatic Analysis of Computer Games Software. In Formal Methods and Software Engineering. LectureNotes in Computer Science, Vol. 8144. Springer Berlin Heidelberg, 447–463.

P. Cousot and R. Cousot. 1977. Abstract interpretation: a unified lattice model for static analysis of pro-grams by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages. 238–252.

P. Cousot, R. Cousot, and L. Mauborgne. 2010. A Scalable Segmented Decision Tree Abstract Domain. InTime for Verification. Lecture Notes in Computer Science, Vol. 6200. Springer Berlin Heidelberg, 72–95.

P. Cousot and N. Halbwachs. 1978. Automatic Discovery of Linear Restraints Among Variables of a Pro-gram. In Conference Record of the Fifth Annual ACM SIGPLAN-SIGACT Symposium on Principles ofProgramming Languages. ACM Press, 84–97.

M. Elder, J. Lim, T. Sharma, T. Andersen, and T. Reps. 2014. Abstract Domains of Affine Relations. ACMTrans. Program. Lang. Syst. 36, 4, Article 11 (Oct. 2014), 73 pages.

K. Fischer. 2005. Smallest enclosing balls of balls: Combinatorial structure & algorithms. Ph.D. Dissertation.Swiss Federal Institute of Technology, ETH Zurich.

Michel X Goemans, Nicholas JA Harvey, Satoru Iwata, and Vahab Mirrokni. 2009. Approximating submod-ular functions everywhere. In Proceedings of the twentieth annual ACM-SIAM symposium on Discretealgorithms. Society for Industrial and Applied Mathematics, 535–544.

Qiang Guan, Nathan DeBardeleben, Sean Blanchard, and Song Fu. 2015. Empirical Studies of the Soft ErrorSusceptibility ofSorting Algorithms to Statistical Fault Injection. In Proceedings of the 5th Workshop onFault Tolerance for HPC at eXtreme Scale (FTXS ’15). 35–40.

Sylvain Guilley, Houssem Maghrebi, Youssef Souissi, Laurent Sauvage, J. Danger, and Secure-IC SAS.2011. Quantifying the quality of side-channel acquisition. COSADE (Febrary 2011).


0:28 Lidman et al.

A. Gurfinkel and S. Chaki. 2010. Boxes: A Symbolic Abstract Domain of Boxes. In Static Analysis. LectureNotes in Computer Science, Vol. 6337. Springer Berlin Heidelberg, 287–303. http://dx.doi.org/10.1007/978-3-642-15769-1 18

M. Karr. 1976. Affine relationships among variables of a program. Acta Informatica 6 (1976), 133–151. Issue2.

A. King and H. Søndergaard. 2008. Inferring Congruence Equations Using SAT. In Computer Aided Verifi-cation. Lecture Notes in Computer Science, Vol. 5123. Springer Berlin Heidelberg, 281–293.

Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. 1999. Differential Power Analysis. In Proceedings of the19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO ’99). Springer-Verlag, London, UK, UK, 388–397. http://dl.acm.org/citation.cfm?id=646764.703989

A. Krause. 2010. SFO: A Toolbox for Submodular Function Optimization. Journal of Machine LearningResearch (JMLR) 11 (2010), 1141–1144.

S. Krishnaswamy, G. F. Viamontes, I. L. Markov, and J. P. Hayes. 2005. Accurate reliability evaluationand enhancement via probabilistic transfer matrices. In Design, Automation and Test in Europe, Vol. 1.282–287.

J. Lidman, S. A. McKee, D. J. Quinlan, and C. Liao. 2014. An Automated Performance-Aware Approach toReliability Transformations. In Euro-Par 2014: Parallel Processing Workshops. Lecture Notes in Com-puter Science, Vol. 8805. Springer International Publishing, 523–534.

L. Mauborgne and X. Rival. 2005. Trace Partitioning in Abstract Interpretation Based Static Analyzers.In European Symposium on Programming (ESOP’05) (Lecture Notes in Computer Science), Vol. 3444.Springer-Verlag, 5–20.

M. L. Meola and D. Walker. 2010. Faulty Logic: Reasoning about Fault Tolerant Programs. In ProgrammingLanguages and Systems. Lecture Notes in Computer Science, Vol. 6012. Springer Berlin Heidelberg,468–487.

S.E. Michalak, K.W. Harris, N.W. Hengartner, B.E. Takala, and S.A. Wender. 2005. Predicting the numberof fatal soft errors in Los Alamos National Laboratory’s ASC Q supercomputer. IEEE Transactions onDevice and Materials Reliability 5, 3 (Sept 2005), 329–335.

S. Misailovic, M. Carbin, S. Achour, Z. Qi, and M. C. Rinard. 2014. Chisel: Reliability- and Accuracy-awareOptimization of Approximate Computational Kernels. In Proceedings of the 2014 ACM InternationalConference on Object Oriented Programming Systems Languages and Applications. ACM, 309–328.

Flemming Nielson, Hanne R. Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer-Verlag New York, Inc., Secaucus, NJ, USA.

Pierre Roux, Romain Jobredeaux, Pierre-Loıc Garoche, and Eric Feron. 2012. A Generic Ellipsoid AbstractDomain for Linear Time Invariant Systems. In Proceedings of the 15th ACM International Conferenceon Hybrid Systems: Computation and Control (HSCC ’12). 105–114.

S. Sankaranarayanan, H. B. Sipma, and Z. Manna. 2005. Scalable Analysis of Linear Systems Using Math-ematical Programming. In Verification, Model Checking, and Abstract Interpretation. Lecture Notes inComputer Science, Vol. 3385. Springer Berlin Heidelberg, 25–41.

N. Saraf and K. Bazargan. 2015. Improving linear feedback shift registers using similar-ity transformations. In Circuits and Systems Conference (DCAS), 2015 IEEE Dallas. 1–4.DOI:http://dx.doi.org/10.1109/DCAS.2015.7356604

Rahul Sharma, Aditya V. Nori, and Alex Aiken. 2014. Bias-variance Tradeoffs in Program Analysis. InProceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages(POPL ’14). 127–137.

T. Sharma, A. Thakur, and T. Reps. 2013. An abstract domain for bit-vector inequalities. Technical ReportTR-1789. Computer Sciences Department, University of Wisconsin, Madison, WI.

P. Sotin. 2010. Quantifying the Precision of Numerical Abstract Domains. Research Report Inria-00457324.Inria. 20 pages.

The CGAL Project. 2015. CGAL User and Reference Manual (4.5.2 ed.). CGAL Editorial Board. http://doc.cgal.org/4.5.2/Manual/packages.html

Z. Wang, H. Xie, S. Chafekar, and A. Chattopadhyay. 2015. Architectural error prediction using probabilisticerror masking matrices. In 2015 6th Asia Symposium on Quality Electronic Design (ASQED). 31–36.

E. W. Weisstein. 2002. CRC Concise Encyclopedia of Mathematics. Chapman and Hall/CRC.L. Zhao, H. Nagamochi, and T. Ibaraki. 2005. Greedy splitting algorithms for approximating multiway par-

tition problems. Mathematical Programming 102, 1 (2005), 167–183.


0 Verifying reliability properties using the Hyperball ...

Documents

Transcript of 0 Verifying reliability properties using the Hyperball ...