symbolic simulation based transient fault injection methodology

Symbolic Simulation basedTransient Fault Injection

Methodology

Ashish Darbari and Bashir Al HashimiTechnical Report No. 15376

Electronics and Computer Science Dept. University of Southampton

EPSRC Grant No: EP/D057663/1For Project on: Reliable Low Power Embedded Computing System

Industrial Partner: ARM Ltd Cambridge, UK

Motivation

• We draw inspiration from some of the limitations of existing work on transient fault injection especially in the context of a CPU [Civera01, Gonna05,Leveugle05,Krautz06].

• Do we know a solution that is efficient – Time – Labour – Computation– Re-usablity

• Three crucial dimensions, one of which has been specifically overlooked.– Spatial – covering all paths in the design, and all circuit nodes.– Temporal – when to inject fault and how often– Data – which benchmark programs

Conventional simulation based fault injection is inadequate.

} no free lunch however !

A 32-bit RISC CPU

Traditional Fault InjectionGolden RTL is instrumented [Civera01,Leveugle05,Krautz06], to incorporate fault injection hardware, and a chosen set ofbenchmark programs is loadedonto the intrumented RTL.

Faults are then injected via anAPI from a set of library, and itseffect on the instrumented RTLis then compared to the fault-freeGolden RTL.

But how do we know which programs would best expose thevulnerability of the design (data).

How do we know where to injectfaults in the design (space)And lastly, when and how often (temporal)?

Given the random nature of an SEUthese factors become even morepertinent.

Our Approach

Given RTLGiven RTL

Fault free propertychecking

Fault free propertychecking

Counter examples

Refine properties and RTL

yes

no

Golden Properties

Golden RTL

{

Develop propertiesDevelop properties

Verification ofGolden RTL

against faulty properties

FaultyProperties

Golden RTL

Counter examples

Benefits of our approach include a program-independentmethod of assessing vulnerability due to faults, at all pointsin the circuit, at all times.

Benefits of our approach include a program-independentmethod of assessing vulnerability due to faults, at all pointsin the circuit, at all times.

Coverage vs. scale(David Dill et al. ICCAD 1999)

Scale (gates)

Coverage

1 FSM 50K 250K 2M

Modelchecking

Random simulation

Manual testw/ coverage

FSM-basedgeneration

Symbolicsimulation

Combination of Symbolic simulation,Model checking and Deductive Inferenceprovides maximum coverage and alsoposes no limits on scale.

Symbolic Simulation -Two input MUX

out = if c then a else b

a, b, c and outare “symbols” thatdenote Booleanvariables a

bout

c

Benefits

• More coverage per simulation• One expression covers a huge set of values. • Get a lot of coverage from a few simulations.

Symbolic Simulation Using Properties

• Provides a structured approach to capture the run-time behaviour of a design through simulation.

• The structure of the circuit is mirrored by a property, which can then be simulated to evaluate run-time behaviour of the circuit, and all of this – symbolically.

• Properties can be composed and decomposed (syntax), thus providing ability to compose and decompose the behaviour (semantics) of the circuit.

• All of this happens without compromising soundness, due to a deductive inference system based in STE logic.

Symbolic Trajectory Evaluation - STE

• STE [Seger95] extends the domain of simulation from Boolean to Ternary {0,1,X}, and incorporates symbolic simulation, over time, using Binary Decision Diagrams (BDDs).

• The framework of STE enables a seamless combination of symbolic simulation and model checking.

• Simple syntax, easy to write properties, compared to some others

who have used PSL [Leveugle05,Krautz06].

• A light-weight theorem prover adds inference capabilities.

• Has been used extensively at Intel, Motorola and IBM.

STE – An Overview

• STE provides specification and verification framework.

• Specification is done by developing properties, which are expressed in terms of trajectory formulas.

• A property has the shape A ) C, where both A and C are trajectory formulas.

• Intuitively A can be seen to provide a stimuli to the circuit, and C denotes the expected values.

• STE model checking engine computes sequences and trajectories for C and A respectively, and checks for their containment.

STE – Trajectory Formula

f := n is 0 node n has a value | n is 1 node n has a value 1 | f1 and f2 conjunction of formulas

| f when P f is asserted only when P is true

| N f f holds in the next time step

f from i to j = Ni f and Ni+1 f and … Nj-1 f where N0 f = f

“a” is (p Æ q) = (“a” is 1) when (pÆ q) and (“a” is 0) when (: (p Æ q))

Revisiting the MUX ExampleFault free

` mux ² (“a” is a from 0 to 5) and (“b” is b from 0 to 5)

and (“c” is c from 0 to 5)

) (“out” is (c ! a j b) from 0 to 5)

Fault at “a” at time point 1mux ² (“a” is a from 0 to 1) and (“a” is :a from 1 to 2) and

(“a” is a from 2 to 5) and (“b” is b from 0 to 5) and

(“c” is c from 0 to 5) ) (“out” is (c ! a j b) from 0 to 5)

STE running in trace mode WARNING: Consequent failure at time 1 on node out

Current value: (:c Æ b) Ç (b Æ :a) Ç (c Æ :a)Expected value: (b Æ a) Ç (c Æ a) Ç (:c Æ b)Strong disagreement when: c`

` :c ¾ (mux ² (“a” is a from 0 to 1) and (“a” is :a from 1 to 2) and (“a” is a from 2 to 5) and (“b” is b from 0 to 5) and

(“c” is c from 0 to 5) ) (“out” is (c ! a j b) from 0 to 5))

“a”

“b”

“out”

“c”

A 32-bit RISC CPU

Property checking is decomposed correspondingto each functional unit such as Fetch, Decode,Control, Execute, and Data Memory.

Fetch Unit

AddResult

Branch

Zero

Faults in the PC1. Multiple bits of the PC2. Single bit 3. Fault in AddResult

Faults in Instruction Memory1. Any single bit2. Multiple bits in a row

PC works correctly in the absence of fault

` clock and (“IFetch_IFE_PC[7:2]” is PC[7:2]) and Reset_is_low and

(“Execute_EXE_ADDResult[7:2]” is AddResult[7:2]) and

(“Execute_EXE_Zero” is Zero from 0 to 10) and

(“control_CTL_Branch” is Branch from 0 to 10)

)

((“IFetch_IFE_NextPC[7:2]” is AddResult[7:2] when (Zero Æ Branch))

and

((“IFetch_IFE_NextPC[7:2]” is (PC[7:2] + 4) when (:Zero Ç :Branch))

Multiple bits in the PC are faulty

` clock and (“IFetch_IFE_PC[7:2]” is (map NOT PC[7:2])) and Reset_is_low and




)((“IFetch_IFE_NextPC[7:2]” is AddResult[7:2] when (Zero Æ Branch))

and


` (Branch and Zero) ¾

clock and (“IFetch_IFE_PC[7:2]” is PC[7:2]) and Reset_is_low and




) ((“IFetch_IFE_NextPC[7:2]” is AddResult[7:2] when (Zero Æ Branch))

and


Multiple bits in the PC are faulty

Single bit in the PC is faulty

The impact of fault in the PC can be tolerated if thereis a branch instruction in the pipeline.

` (Branch and Zero) ¾

8i. (clock and (“IFetch_IFE_PC[7:2]” is (fault i PC[7:2])) and

Reset_is_low and




) ((“IFetch_IFE_NextPC[7:2]” is AddResult[7:2] when (Zero Æ Branch))

and

((“IFetch_IFE_NextPC[7:2]” is (PC[7:2] + 4) when (:Zero Ç :Branch)))

Fault in Branch Address

` (:Zero Ç :Branch) ¾ clock and (“IFetch_IFE_PC[7:2]” is PC[7:2]) and Reset_is_low and

(“Execute_EXE_ADDResult[7:2]” is (map NOT AddResult[7:2])) and



)((“IFetch_IFE_NextPC[7:2]” is AddResult[7:2] when (Zero Æ Branch))

and


Instruction Memory (IM) functions correctlyRead after write works correctly

` clock and (“IFetch_IFE_WriteAddress[7:0]” is WriteAddress[7:0] from 0 to 1) and (“MemWrite” is we from 0 to 1) and (“MemWrite” is F from 1 to 10) and (“WriteData[31:0]” is WD from 0 to 1) and(“ IFetch_IFE_ReadAddress[7:2]” is ReadAddress[7:2] from 1 to 10) and (“MemRead” is F from 0 to 1) and (“MemRead” is T from 1 to 10) and InitialStateofMemory )“Instr[31:0]” is ((ReadAddress=Zero) ! ((we Æ (WriteAddress=Zero)) ! WriteData jmem0)j (ReadAddress=One)! ((we Æ (WriteAddress=One)) ! WriteData j mem1)(ReadAddress=TwoFifytfive) !

(we Æ (WriteAddress=Twofiftyfive)) ! WriteData j mem255) from 3 to 5

Fault in row 255 of IM at time 0We get a counter-example

clock and (“IFetch_IFE_WriteAddress[7:0]” is WriteAddress[7:0] from 0 to 1) and (“MemWrite” is we from 0 to 1) and (“MemWrite” is F from 1 to 10) and (“WriteData[31:0]” is WriteAddress from 0 to 1) and(“ IFetch_IFE_ReadAddress” is ReadAddress from 1 to 10) and (“MemRead” is F from 0 to 1) and (“MemRead” is T from 1 to 10) and (faultRow 255 InitialStateofMemory) )“Instr[31:0]” is ((ReadAddress=Zero) !

((we Æ (WriteAddress=Zero)) ! WriteData j mem0) j (ReadAddress=One) !

((we Æ (WriteAddress=One)) ! WriteData j mem1)(ReadAddress=TwoFifytfive) !

(we Æ (WriteAddress=Twofiftyfive)) ! WD j mem255) from 3 to 5

ReadAddress gets updated on every clock cycle, with the PC values, and these can then be instantiated in the expression below to get impact of fault in Memory in terms of PC.

(WriteAddress[7] Æ WriteAddress[6] Æ WriteAddress[5] Æ WriteAddress[4] Æ WriteAddress[3] Æ WriteAddress [2] Æ WriteAddress[1] Æ WriteAddress[0] Æ we)Ç:ReadAddress[7] Ç :ReadAddress[6] Ç :ReadAddress[5] Ç :ReadAddress[4] Ç :ReadAddress [3] Ç :ReadAddress[2] Ç:ReadAddress[1] Ç :ReadAddress[0]

Between 1 and 2The values of ReadAddress

ReadAddress[7] =(:PC[2] Æ PC[7]) Ç (:PC[6] Æ PC[7]) Ç (:PC[5] Æ PC[7]) Ç (: PC[4] Æ PC[7]) Ç (:PC[3] Æ PC[7]) Ç ( PC[2] Æ PC[6] Æ PC[5] Æ PC[4] Æ PC[3] Æ :PC[7])

ReadAddress[6] = (:PC[2] Æ PC[6]) Ç (PC[2] Æ :PC[6] Æ PC[5] Æ PC[4] Æ PC[3]) Ç (PC[6] Æ :PC[5]) Ç (PC[6] Æ :PC[4]) Ç (PC[6] Æ :PC[3])

ReadAddress[5] = (:PC[2] Æ PC[5]) Ç (PC[2] Æ :PC[5] Æ PC[4] Æ PC[3]) Ç (PC[5] Æ :PC[4]) Ç ( PC[5] Æ :PC[3])

ReadAddress[4] = (: PC[2] Æ PC[4] Ç PC[2] Æ :PC[4] Æ PC[3] Ç PC[4] Æ :PC[3])

ReadAddress[3] =(:PC[2] Æ PC[3] Ç PC[2] Æ :PC[3])

ReadAddress[2] = (:PC[2])

Fault in row 255 of IMwe get a counter-example

Decode

Decode

RegDest

Decode Properties

1. Verifying that the read_data1 port of the register bank always gets the data from the register indexed by the address placed on read_register 1 port of the bank.

2. Verifying that the read_data2 port of the register bank always gets the data from the register indexed by the address placed on the read_register 2 port of the bank.

3. WriteAddress port of the register bank takes on an address value selected by the RegDst.

4. WriteData port of the register bank takes on the data value selected by MemtoReg.

5. Registers get updated correctly on a write.

6. Read-After-Write works correctly for read_data1 port of the register bank.

7. Read-After-Write works correctly for read_data2 port of the register bank.

8. Sign-extension is correct.

Decode Properties I

1. Verifying that the read_data1 port of the register bank always gets the data from the register indexed by the address placed on read_register 1 port of the register bank

` (clock and (“Instr[25:21]” is Instr[25:21] from 3 to 7) and RegisterBankInitialised)

) RegDataOut1

“Idecode_ID_read_data1[31:0]” is R0 from 3 to 5 when (Instr[25:21] = 0)

and“Idecode_ID_read_data1[31:0]” is R1 from 3 to 5

when (Instr[25:21] = 1)and..“Idecode_ID_read_data1[31:0]” is R31 from 3 to 5

when (Instr[25:21] = 31)

2. Verifying that the read_data2 port of the register bank always gets the data from the register indexed by the address placed on the read_register2 port of the bank

` (clock and (“Instr[20:16]” is Instr[20:16] from 3 to 7) and RegisterBankInitialised) ) ) ) RegDataOut2


and“Idecode_ID_read_data2[31:0]” is R1 from 3 to 5


when (Instr[20:16] = 31)

Decode Properties II

Decode Properties III

3. WriteAddress Port of the RegisterBank takes on an address value selected by the RegDst

` (clock and (“Instr[20:16]” is Instr[20:16] from 3 to 7) and (“Instr[15:11]” is Instr[15:11] from 3 to 7) and (“control_CTL_RegDst” is RegDst from 3 to 7) ) ) (((“IdecodeIDWriteRegisterAddress[4:0]” is

Instr[15:11] from 3 to 7) when RegDst) and

(“IdecodeIDWriteRegisterAddress[4:0]” is Instr[20:16] from 3 to 7) when :RegDst))

Decode Properties IV

4. WriteData port of the RegisterBank takes on the data value selected by MemtoReg

` (clock and ALUResult_asserted and ReadData_Asserted and

MemtoReg_Asserted) ) Idecode_ID_WritePort_Asserted

5. Registers get updated correctly on a write

` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and

MemtoReg_Asserted and RegDest_Asserted and WriteRegisterAddress and

ALUResult_asserted and ReadData_Asserted) ) (NewStateReg When (RegWrite=F)))

Decode Properties V

6. Read data from register bank after the initial state of the register bank has been modified - Read from Port 1

` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and MemtoReg_Asserted and RegDest_Asserted and WriteRegisterAddress and

ALUResult_Asserted and ReadData_Asserted and AddrForReadReg1_Asserted)) (RegisterDataOut1 When (RegWrite=F))

7. Read data from register bank after the initial state of the register bank has been modified - Read from Port 2

` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and MemtoReg_Asserted and RegDest_Asserted and WriteRegisterAddress and ALUResult_Asserted and ReadData_Asserted and AddrForReadReg2_Asserted)

) (RegisterDataOut2 When (RegWrite=F))

Decode Properties VI

8. Sign Extension is okay

` (clock and (“Instr[15:0]” is Instr_Imm from 0 to 7))

) (“Idecode_ID_Extend[31:0]” is

((replicate 16 (el 1 Instr_Imm))@Instr_Imm) from 0 to 7)

1(a). Fault in a single bit of “Instr[25:21]”

Each one is done by decomposing the consequent - 32 smaller properties. The same process is repeated for fault in all the other bits thus a total of 160 properties.

Instr[25] Ç Instr[24] Ç Instr[23] Ç Instr[22] Ç Instr[21] Ç …

¾ ` (clock and (fault_bit 1 (“Instr[25:21]” is Instr[25:21] from 3 to 7)) and RegisterBankInitialised) ) ) (el 1 RegDataOut1)


} make sure at least one of the address pins is a logic 0, so that we can still read correctly from Location 0 of the register bank

1(b). Fault in all bits of “Instr[25:21]”

Instr[25] Ç Instr[24] Ç Instr[23] Ç Instr[22] Ç Instr[21] Ç …

¾ ` (clock and (“Instr[25:21]” is (map NOT Instr[25:21]) from 3 to 7) and RegisterBankInitialised) ) ) (el 1 RegDataOut1)

} make sure at least one of the address pins is a logic 0, so that we can still read correctly from Location 0 of the register bank


1(c). Fault in a row of Register Bank Case similar to IMem

` Instr[25] Ç Instr[24] Ç Instr[23] Ç Instr[22] Ç Instr[21] Ç

¾ ` (clock and (“Instr[25:21]” is (Instr[25:21]) from 3 to 7) and (fault 1 RegisterBankInitialised)) ) ) RegDataOut1

32 properties like this Each one is done by decomposing the consequent - 32 smaller properties. The same process is repeated for fault in all the other bits thus a total of 1024 properties.

All bits of first row is faulty

1(d). Fault in a random bit of Register Bank

1024 properties like this for each possible bit of the bank,And for each case we decompose the verification into 32smaller runs – total of 1024 X 32 properties

Instr[25] Ç Instr[24] Ç Instr[23] Ç Instr[22] Ç Instr[21] Ç

¾ ` (clock and (“Instr[25:21]” is (Instr[25:21]) from 3 to 7) and (fault_bit 1 RegisterBankInitialised)) ) ) RegDataOut1

2. Fault in all bits of “Instr[20:16]”

Verifying that the read_data2 port of the register bank always gets the data from the register indexed by the address placed on the read_register2 port of the bank

Similar to the “Instr[25:21]” case

` (clock and (“InstrMemory[20:16]” is (map NOT Instr[20:16]) from 3 to 7)

and RegisterBankInitialised) ) ) ) RegDataOut2

3(a). Fault in “Instr[20:16]”

WriteAddress Port of the RegisterBank takes on an address value selected by the RegDst

RegDst ¾ ` (clock and (“Instr[20:16]” is Instr[20:16] from 3 to 7) and

(“Instr[15:11]” is Instr[15:11] from 3 to 7) and (“control_CTL_RegDst” is RegDst from 3 to 7) )

) (((“IdecodeIDWriteRegisterAddress[4:0]” is

Instr[15:11] from 3 to 7) when RegDst) and (“IdecodeIDWriteRegisterAddress[4:0]” is Instr[20:16] from 3 to 7) when :RegDst))

3(b). Fault in “Instr[15:11]”


:RegDst ¾ ` (clock and

(“Instr[20:16]” is Instr[20:16] from 3 to 7) and (“Instr[15:11]” is Instr[15:11] from 3 to 7) and

(“control_CTL_RegDst” is RegDst from 3 to 7) ) )

(((“IdecodeIDWriteRegisterAddress[4:0]” is Instr[15:11] from 3 to 7) when RegDst)

and (“IdecodeIDWriteRegisterAddress[4:0]” is Instr[20:16] from 3 to 7)

when :RegDst))

3(c). Fault in “control_CTL_RegDst”


(Instr[20:16]=Instr[15:11]) ¾` (clock and

(“Instr[20:16]” is Instr[20:16] from 3 to 7) and (“Instr[15:11]” is Instr[15:11] from 3 to 7) and

(“control_CTL_RegDst” is (NOT RegDst) from 3 to 7) ) )

(((“IdecodeIDWriteRegisterAddress[4:0]” is Instr[15:11] from 3 to 7) when RegDst)

and (“IdecodeIDWriteRegisterAddress[4:0]” is Instr[20:16] from 3 to 7)

when :RegDst))

MemtoReg ¾ ` (clock and ALUResult_asserted and ReadData_Asserted and

MemtoReg_Asserted) ) ) Idecode_ID_WritePort_Asserted

4. Fault in “ALUResult”, “ReadData”and “MemtoReg”

:MemtoReg ¾ ` (clock and ALUResult_asserted and ReadData_Asserted and

MemtoReg_Asserted) ) ) Idecode_ID_WritePort_Asserted

(ALUResult[31:0] = ReadData[31:0]) ¾ ` (clock and ALUResult_asserted and ReadData_Asserted and MemtoReg_Asserted) ) ) Idecode_ID_WritePort_Asserted

WriteData port of the RegisterBank takes on the data value selected by MemtoReg

Registers get updated correctly on a write

RegWrite ¾

` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and MemtoReg_Asserted and RegDest_Asserted and WriteRegisterAddress and ALUResult_asserted and ReadData_Asserted)

) NewStateReg When (RegWrite=F))

5(a). Fault in “RegisterBank”

5(b). Fault in “WriteRegister Address”

Registers still get updated correctly on a write

` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and MemtoReg_Asserted and RegDest_Asserted and

ALUResult_asserted and ReadData_Asserted and WriteRegisterAddress) ) NewStateReg When (RegWrite=F))

“Idecode_ID_write_register_address[4:0]” is Instr[15:11] from 3 to 5 when RegDst

and“Idecode_ID_write_register_address[4:0]” is

Instr[20:16] from 3 to 5 when :RegDst

5(c). Fault in “ALUResult” and “ReadData”







5(d). Fault in “RegDst” and “MemtoReg”


` (clock and reset_is_low and RegisterBankInitialised and RegWrite_Asserted and MemtoReg_Asserted and RegDest_Asserted and ALUResult_asserted and ReadData_Asserted and WriteRegisterAddress)





5(e). Fault in “RegWrite”

Registers get updated on a write

RegWrite ¾



Control Unit

• RegDst

• Lw

• Sw

• Beq

• MemWrite

• MemRead

• RegWrite

• ALUSrc

• Branch

• ALUop1

• ALUop0

Control Unit

1. RegDst takes on the appropriate value

` (clock and (“Instr[31:26]” is Instr[31:26] from 3 to 5)) )

(“control_CTL_RegDst” is (:Instr[31] Æ :Instr[30] Æ :Instr[29] Æ :Instr[28] Æ:Instr[27] Æ :Instr[26]))

from 3 to 5)

We will show later on

Fault in any of the bits of Instr[31:26] – six propertiesFault in all the bits of Instr[31:26] - one property

Control Unit - Lw

2. Lw takes on the appropriate value


(“control_CTL_Lw” is (Instr[31] Æ :Instr[30] Æ :Instr[29] Æ :Instr[28] ÆInstr[27] Æ Instr[26]))

from 3 to 5)

Control Unit – Sw

3. Sw takes on the appropriate value


(“control_CTL_Sw” is (Instr[31] Æ :Instr[30] Æ Instr[29] Æ :Instr[28] ÆInstr[27] Æ Instr[26]))

from 3 to 5)

Control Unit – Beq

4. Beq takes on the appropriate value


(“control_CTL_Beq” is (:Instr[31] Æ :Instr[30] Æ :Instr[29] Æ Instr[28] Æ :Instr[27] Æ :Instr[26]))

from 3 to 5)

Control Unit – ALUSrc,RegWrite

5. ALUSrc takes on the appropriate value

` (clock and

(“control_CTL_Lw” is lw from 3 to 5) and (“control_CTL_Sw” is sw from 3 to 5))

)

(“control_CTL_ALUSrc” is (lw Ç sw) from 3 to 5)

6. RegWrite takes on the appropriate value

` (clock and (“control_CTL_Rformat” is Rformat from 3 to 5) and

(“control_CTL_Lw” is lw from 3 to 5)) )

(“control_CTL_RegWrite” is (lw Ç Rformat) from 3 to 5)

Control Unit – MemRead, MemWrite

7. MemRead takes on the appropriate value

` (clock and (“control_CTL_Lw” is lw from 3 to 5)) )

(“control_CTL_MemRead” is lw from 3 to 5)

8. MemWrite takes on the appropriate value

` (clock and (“control_CTL_Sw” is sw from 3 to 5)) )

(“control_CTL_MemWrite” is sw from 3 to 5)

9. Branch takes on the appropriate value

` (clock and (“control_CTL_Beq” is Branch from 3 to 5)) )


Control Unit – Branch,ALUOp1,ALUOp0

10. ALUOp1 takes on the appropriate value

` (clock and (“control_CTL_Rformat” is rformat from 3 to 5)) )

(“control_CTL_ALUop1” is rformat from 3 to 5)

11. ALUOp0 takes on the appropriate value

` (clock and (“control_CTL_Beq” is Branch from 3 to 5)) )

(“control_CTL_ALUop0” is Branch from 3 to 5)

` (clock and (“Instr[31:26]” is (fault_bit 1 Instr[31:26]) from 3 to 5)) )

(“control_CTL_RegDst” is

(:Instr[31] Æ :Instr[30] Æ :Instr[29] Æ :Instr[28] Æ :Instr[27] Æ :Instr[26])) from 3 to 5)

Instr[26] Ç Instr[27] Ç Instr[28] Ç Instr[29] Ç Instr[30] ¾

Control Unit – RegDst – Fault in Instr[31]


(“control_CTL_Rformat” is







(:Instr[27] Æ Instr[31]) Ç (:Instr[30] Æ Instr[31]) Ç (:Instr[26] Æ Instr[31]) Ç (:Instr[29] Æ Instr[31]) Ç (:Instr[28] Æ Instr[31]) Ç ( Instr[28] Æ :Instr[31] ) Ç ( Instr[29] Æ :Instr[31]) Ç ( Instr[26] Æ :Instr[31] ) Ç ( Instr[30] Æ :Instr[31]) Ç ( Instr[27] Æ :Instr[31]) ¾

Control Unit – RegDst Fault in Instr[31:26]

Instr[31] ¾

((Instr[26] Æ (:Instr[31])) ¾` (clock and (“Instr[31:26]” is Instr[31:26] from 3 to 5))

)


(:Instr[31] Æ :Instr[30] Æ

:Instr[29] Æ :Instr[28] Æ

:Instr[27] Æ :Instr[26])) from 3 to

5) ))

Control Unit – RegDst All seven types of faults are masked

This can be used to devise suitable tolerance

Execute Properties

1. Verifying that the ReadData1 inputs are copied onto the Ainput.

2. Verifying that the ReadData2 inputs are copied onto the Binput depending upon which source is selected by the ALUSrc control pin.

3. Verifying if ALUctl gets correct values

a. ALUctl(0) ( (Func_op(0) OR Func_op(3)) AND ALUOp1

b. ALUctl(1) ( (NOT Func_op(2)) OR (NOT ALUOp1)

c. ALUctl(2) ( (Func_op(1) AND ALUOp1) OR ALUOp0

4. Zero gets a logic 1 on ALUResult being 0.

5. Branch Adder works correctly.

6. The output of branch adder gets transferred to AddResult of the Fetch Unit.

7. Arithmetic and Logic operations such as Addition, Subtraction, AND, OR, NOT work correctly.

Execute Properties – I

1. ReadData1 output is copied to Ainput

` (clock and (“Execute_EXE_ReadData1[31:0]” is RD1[31:0] from 3 to 5)) )

(“Execute_EXE_Ainput[31:0]” is RD1[31:0] from 3 to 5)

2. Binput takes on a value depending on ALUSrc

` (clock and (“Execute_EXE_ALUSrc” is ALUSrc from 3 to 5) and

(“Execute_EXE_Extend” is Extend[31:0] from 3 to 5) and

(“Execute_EXE_ReadData2[31:0]” is RD2[31:0] from 3 to 5)) )

((“Execute_EXE_Binput[31:0]” is RD2[31:0] from 3 to 5) When (:ALUSRC))

and ((“Execute_EXE_Binput[31:0]” is Extend[31:0] from 3 to 5) When (ALUSRC))

Execute Properties – II

3. ALUctl works correctly

` (clock and (“Execute_EXE_FuncOp[3:0]” is FuncOp[3:0] from 3 to 5)

and (“control_CTL_ALUop0” is aluop0 from 3 to 5)

and (“control_CTL_ALUop1” is aluop1 from 3 to 5)) )

(“Execute_EXE_ALUctl[0]” is

((FuncOp[0] Ç FuncOp[3]) Æ aluop1) from 3 to 5)

and


((:FuncOp[2]) Ç (:aluop1)) from 3 to 5)

and


((FuncOp[1] Æ aluop1) Ç aluop0) from 3 to 5)

Execute Properties – III

4. Zero gets a logic 1 on ALUResult being 0

` (clock and (“Execute_EXE_ALUResult[31:0]” is ALUResult[31:0] from 3 to 5)))(((“Execute_EXE_Zero” is T from 3 to 5) When (ALUResult[31:0]=0)) and

(“Execute_EXE_Zero” is F from 3 to 5) When (:(ALUResult[31:0]= 0)))

6. AddResult gets the value of Branch Adder

` (clock and (“Execute_EXE_BranchAdder[7:0]” is AddResult[7:0] from 3 to 5))) (Execute_EXE_ADDResult[7:0] is AddResult[7:0] from 3 to 5);

5. Branch Adder works correctly.` (clock and (“IFetch_IFE_PC_plus4[7:2]” is (PC[7:2]) from 3 to 5) and(“Execute_EXE_Extend[7:2]” is (Extend[5:2]) from 3 to 5)))(BranchAdder is (ADD (PC[7:2])(Extend[7:2])) from 3 to 5)

Execute Properties – IV7. ALU operations are correct` (clock and (“Execute_EXE_Ainput[31:0]” is Ainput[31:0] from 3 to 5) and(“Execute_EXE_Binput[31:0]” is Binput[31:0] from 3 to 5) and(“Execute_EXE_ALU_CTL[2:0]” is ALUctl[2:0] from 3 to 5)))((“Execute_EXE_ALUResult[31:0]” is (Ainput AND Binput) from 3 to 5)

When ALUctl=[F,F,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput OR Binput) from 3 to 5)

When ALUctl=[F,F,T])and((“Execute_EXE_ALUResult[31:0]” is (map NOT Ainput) from 3 to 5)

When ALUctl=[T,F,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput + Binput) from 3 to 5)

When ALUctl=[F,T,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput + Binput) from 3 to 5)

When ALUctl=[F,T,T])

Execute Unit - Faults

1. ReadData1 output is copied to Ainput – fault in RD1

F ¾ ` (clock and

(“Execute_EXE_ReadData1[31:0]” is RD1[31:0] from 3 to 5)) ) (“Execute_EXE_Ainput[31:0]” is RD1[31:0] from 3 to 5)

2. Binput takes on a value depending on ALUSrc three separate faults in ALUSrc, Extend and RD2

` (clock and (“Execute_EXE_ALUSrc” is ALUSrc from 3 to 5) and

(“Execute_EXE_Extend” is Extend[31:0] from 3 to 5) and

(“Execute_EXE_ReadData2[31:0]” is RD2[31:0] from 3 to 5)) )

((“Execute_EXE_Binput[31:0]” is RD2[31:0] from 3 to 5) When (:ALUSRC))

and ((“Execute_EXE_Binput[31:0]” is Extend[31:0] from 3 to 5) When (ALUSRC))

3a. ALUctl works correctly – first decomposition – fault is in FuncOp

((FuncOp[0] xor FuncOp[3]) Ç (:aluop1)) ¾




((FuncOp[0] Ç FuncOp[3]) Æ aluop1) from 3 to 5);

3a. ALUctl works correctly – first decomposition – fault is in aluop1

(:FuncOp[0] Æ :FuncOp[3]) ¾




((FuncOp[0] Ç FuncOp[3]) Æ aluop1) from 3 to 5)


3b. ALUctl works correctly – second decomposition – fault is in FuncOp

aluop1 ¾



(“Execute_EXE_ALUctl[1]” is (:FuncOp[2] Ç :aluop1) from 3 to 5);

3b. ALUctl works correctly – second decomposition – fault is in aluop1

FuncOp[2] ¾



(“Execute_EXE_ALUctl[1]” is (:FuncOp[2] Ç :aluop1) from 3 to 5)


3c. ALUctl works correctly – third decomposition – fault is in FuncOp

(aluop0 Ç :aluop1) ¾




(“Execute_EXE_ALUctl[2]” is ((FuncOp[1] Æ aluop1) Ç aluop0) from 3 to 5)

3c. ALUctl works correctly – third decomposition – fault is in aluop0

(aluop1 Ç :FuncOp[1]) ¾




(“Execute_EXE_ALUctl[2]” is ((FuncOp[1] Æ aluop1) Ç aluop0) from 3 to 5);


3c. ALUctl works correctly – third decomposition – fault is in aluop1

(aluop0 Ç :FuncOp[1]) ¾




(“Execute_EXE_ALUctl[2]” is ((FuncOp[1] Æ aluop1) Ç aluop0) from 3 to 5);



4a. Zero gets a logic 1 on ALUResult being 0

(ALUResult[0] Ç ALUResult [1] … Ç ALUResult[31]) ¾` (clock and (“Execute_EXE_ALUResult[31:0]” is ALUResult[31:0] from 3 to 5))

)((“Execute_EXE_Zero” is T from 3 to 5) When (ALUResult[31:0]=0)))

4b. Zero gets a logic 1 on ALUResult being 0

(: ALUResult[0] Ç : ALUResult[1] Ç…: ALUResult[31]) ¾ ` (clock and (“Execute_EXE_ALUResult[31:0]” is ALUResult[31:0] from 3 to 5))

)((“Execute_EXE_Zero” is F from 3 to 5) When (:(ALUResult[31:0]= 0)))

5a. Branch Adder works correctly – fault is in PC

F ¾ ` (clock and (“IFetch_IFE_PC_plus4[7:2]” is PC[7:2] from 3 to 5) and (“Execute_EXE_Extend[7:2]” is Extend[5:2] from 3 to 5)))(BranchAdder is (ADD (PC[7:2])(Extend[7:2])) from 3 to 5)


5b. Branch Adder works correctly – fault is in Extend

F ¾ ` (clock and (“IFetch_IFE_PC_plus4[7:2]” is PC[7:2] from 3 to 5) and (“Execute_EXE_Extend[7:2]” is Extend[5:2] from 3 to 5)))(BranchAdder is (ADD (PC[7:2])(Extend[7:2])) from 3 to 5)

6. AddResult gets the value of Branch Adder – fault in AddResult

F ¾ ` (clock and (“Execute_EXE_BranchAdder[7:0]” is AddResult[7:0] from 3 to 5))

) (Execute_EXE_ADDResult[7:0] is AddResult[7:0] from 3 to 5);


7. ALU operations are correct – decompose into 5 then analyse The effect of each fault in each of the 5 properties.

` (clock and (“Execute_EXE_Ainput[31:0]” is Ainput[31:0] from 3 to 5) and(“Execute_EXE_Binput[31:0]” is Binput[31:0] from 3 to 5) and(“Execute_EXE_ALU_CTL[2:0]” is ALUctl[2:0] from 3 to 5)))((“Execute_EXE_ALUResult[31:0]” is (Ainput AND Binput) from 3 to 5)

When ALUctl=[F,F,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput OR Binput) from 3 to 5)

When ALUctl=[F,F,T])and((“Execute_EXE_ALUResult[31:0]” is (map NOT Ainput) from 3 to 5)

When ALUctl=[T,F,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput + Binput) from 3 to 5)

When ALUctl=[F,T,F])and ((“Execute_EXE_ALUResult[31:0]” is (Ainput - Binput) from 3 to 5)

When ALUctl=[F,T,T])

Data Memory

• Our Data Memory is designed identical to Instruction Memory. So the fault analysis is exactly similar to the case of Instruction Memory.

• Only the names of read and write ports and control signals change.

• We don’t have to redo the verification and fault analysis again.

STE Inference System

M ² A ) B M ² B ) C

M ² A ) C

Transitive

G1 ¾ (M ² A1 ) B1) G2 ¾ (M ² (B1 and A2) ) C))

(G1 Æ G2 ) ¾ (M ² (A1 and A2) ) C)

Cut

G1 ¾ (M ² A1 ) B1) G2 ¾ (M ² A2 ) B2)

(G1 Æ G2) ¾ (M ² (A1 and A2 ) ) (B1 and B2 ))

Guard Conjunction

G ¾ (M ² A ) B)

M ² (A ) (B when G))

Constraint Implication 1

M ² (A ) (B when G))

G ¾ (M ² A ) B)

Constraint Implication 2

Other rules include Reflexivity, Antecedent Stregthening, Time Shift,Consequent Weakening, Guard Disjunction [Hazelhurst95,Darbari06]

Other rules include Reflexivity, Antecedent Stregthening, Time Shift,Consequent Weakening, Guard Disjunction [Hazelhurst95,Darbari06]

II. Read after write works correctly for Instruction Memory` clock and (“IFetch_IFE_WriteAddress[7:0]” is WriteAddress[7:0] from 0 to 1) and (“MemWrite” is we from 0 to 1) and (“MemWrite” is F from 1 to 10) and (“WriteData[31:0]” is WD from 0 to 1) and(“ IFetch_IFE_ReadAddress[7:2]” is ReadAddress[7:2] from 1 to 10) and (“MemRead” is F from 0 to 1) and (“MemRead” is T from 1 to 10) and InitialStateofMemory )

“Instr[31:0]” is ((ReadAddress=Zero) ! ((we Æ (WriteAddress=Zero)) ! WriteData j mem0)j (ReadAddress=One) ! ((we Æ (WriteAddress=One)) ! WriteData j mem1)(ReadAddress=TwoFifytfive) !

(we Æ (WriteAddress=Twofiftyfive)) ! WriteData j mem255) from 3 to 5

I. Register Bank’s ReadData1 Port gets the data located at address given by Instr[25:21]

` (clock and (“Instr[25:21]” is Instr[25:21] from 3 to 7) and RegisterBankInitialised) ) RegDataOut1

Using inference rules in practice I

III. Using Cut Inference Rule on I and II ` clock and (“IFetch_IFE_WriteAddress[7:0]” is WriteAddress[7:0] from 0 to 1) and (“MemWrite” is we from 0 to 1) and (“MemWrite” is F from 1 to 10) and (“WriteData[31:0]” is WD from 0 to 1) and (“ IFetch_IFE_ReadAddress[7:2]” is ReadAddress[7:2] from 1 to 10) and (“MemRead” is F from 0 to 1) and (“MemRead” is T from 1 to 10) and InitialStateofMemory and RegisterBankInitialised ) “Idecode_ID_read_data1[31:0]” is R0 from 3 to 5

when (Instr[25:21] = 0)and“Idecode_ID_read_data1[31:0]” is R1 from 3 to 5


when (Instr[25:21] = 31)

Using inference rules in practice II

}RegDataOut1

Using Transitive Inference Rule on (IV) and (V) we get (VI)

(IV) ` “Idecode_ID_read_data1[31:0]” is RD1 )“Execute_EXE_ReadData1[31:0]” is RD1from 3 to 5

(V) ` (clock and (“Execute_EXE_ReadData1[31:0]” is RD1[31:0]

from 3 to 5)) )


(VI) ` (clock and (“Idecode_ID_read_data1[31:0]” is RD1[31:0]

from 3 to 5)) )


Using inference rules in practice III

Using Transitive Inference Rule on III and VI we get` clock and (“IFetch_IFE_WriteAddress[7:0]” is WriteAddress[7:0] from 0 to 1) and (“MemWrite” is we from 0 to 1) and (“MemWrite” is F from 1 to 10) and (“WriteData[31:0]” is WD from 0 to 1) and(“ IFetch_IFE_ReadAddress[7:2]” is ReadAddress[7:2] from 1 to 10) and (“MemRead” is F from 0 to 1) and (“MemRead” is T from 1 to 10) and InitialStateofMemory and RegisterBankInitialised) “Execute_EXE_Ainput[31:0]” is R0 from 3 to 5

when (Instr[25:21] = 0)and“Execute_EXE_Ainput[31:0]” is R1 from 3 to 5

when (Instr[25:21] = 1)and..“Execute_EXE_Ainput[31:0]” is R31 from 3 to 5

when (Instr[25:21] = 31)

Using inference rules in practice IV

• Straight-line properties – values get transferred across interfaces

• Control properties - involving multiplexer- other combinational logic

• Memory properties – involving memories, register banks, caches

General classes of properties

Conclusion

• Property checking and symbolic simulation based methodology provides a systematic method of conducting fault injection.

• Though this technique cannot provide tolerance to the effect of fault in all parts of the CPU, it provides tolerance strategies which in many cases is useful.

• Many of the findings discovered as a result of our study seem intuitive, but how many of these can one find by using a traditional fault injection approach?

• Due to symbolic simulation, exponential test space is cut down to linear. By using a property checking approach, one is able to capture the spatio-data-temporal nature of the bit-flip effectively in the form of small number of properties.

• Use of STE properties enables ease-of-use since they are simple to write, and STE model checking together with the inference rules enables effective decomposition and modularity. • Fault being captured in properties rather than in the RTL [Civera01, Gonna05,Leveugle05, Krautz06] means efficient model checking, and the RTL being checked for faults remains identical to the original RTL.

[Gonna05] M. A. Gomaa and T. N. Vijaykumar, “Opportunistic Transient-Fault Detection,” in

ISCA ’05: Proceedings of the 32nd Annual International Symposium on Computer

Architecture, Washington, DC, USA: IEEE Comp. Soc., 2005, pp. 172–183.

[Civera01] P. Civera, L. Macchiarulo, M. Rebaudengo, M. Sonza Reorda, and M.Violante,“Exploiting FPGA for

Accelerating Fault Injection Experiments,” in IOLTW 2001. IEEE Comp. Soc., 2001, p. 9.

[Seger95] C.-J. H. Seger and R. E. Bryant, “Formal Verification by Symbolic Evaluation of Partially-Ordered

Trajectories,” Journal of FMSD, vol. 6, no. 2, pp. 147–189, 1995.

[Hazelhurst02] S. Hazelhurst and J. Arlat, “Specifying and Verifying Fault-Tolerant Systems,” in Proceedings of

DCC’02, M. Sheeran and T. Melham, Eds., 2002.

[Leveugle05] R. Leveugle, “A New Approach for Early Dependability Evaluation Based on Formal Property

Checking and Controlled Mutations,” IOLTS 2005, vol. 00, pp. 260–265, 2005.

[Krautz06] U. Krautz, M. Pflanz, C. Jacobi, H. W. Tast, K. Weber, and H. T. Vierhaus, “Evaluating Coverage of

Error Detection logic for Soft Errors using Formal Methods,” in Proceedings of the DATE 2006

conference, 2006, pp. 176–181.[Hazelhurst95] S. Hazelhurst and C.-J. H. Seger, “A Simple Theorem Prover Based on Symbolic Trajectory

Evaluation and BDDs,” IEEE Tran. on CAD of Integrated Circuits, vol. 14, no. 4, pp. 413–422, 1995.

[Darbari06] A. Darbari, “Symmetry Reduction for STE Model Checking” in FMCAD 2006, pp 97-105

References

symbolic simulation based transient fault injection methodology

Documents

domain of simulation

faultfreegolden rtl

fault injection hardware

intrumented rtl

circuit nodes

lot of coverage

runtime behaviour

design spaceand