To improve performance and reduce power, processor designers employ advances that shrink feature sizes, lower voltage levels, reduce noise margins, and increase clock rates. However, these advances make processors more susceptible to transient faults that can affect correctness. While reliable systems typically employ hardware techniques to address soft-errors, software techniques can provide a lower-cost and more flexible alternative. This paper presents a novel, software-only, transient-fault-detection technique, called SWIFT. SWIFT efficiently manages redundancy by reclaiming unused instruction-level resources present during the execution of most programs. SWIFT also provides a high level of protection and performance with an enhanced control-flow checking mechanism. We evaluate an implementation of SWIFT on an Itanium 2 which demonstrates exceptional fault coverage with a reasonable performance cost. Compared to the best known single-threaded approach utilizing an ECC memory system, SWIFT demonstrates a 51% average speedup.

SWIFT: Software Implemented Fault Tolerance

This paper presents a new signature monitoring technique, CFCSS (control flow checking by software signatures); CFCSS is a pure software method that checks the control flow of a program using assigned signatures. An algorithm assigns a unique signature to each node in the program graph and adds instructions for error detection. Signatures are embedded in the program during compilation time using the constant field of the instructions and compared with run-time signatures when the program is executed. Another algorithm reduces the code size and execution time overhead caused by checking instructions in CFCSS. A "branching fault injection experiment" was performed with benchmark programs. Without CFCSS, an average of 33.7 % of the injected branching faults produced undetected incorrect outputs; however, with CFCSS, only 3.1 % of branching faults produced undetected incorrect outputs. Thus it is possible to increase error detection coverage for control flow errors by an order of magnitude using CFCSS. The distinctive advantage of CFCSS over previous signature monitoring techniques is that CFCSS is a pure software method, i.e., it needs no dedicated hardware such as a watchdog processor for control flow checking. A watchdog task in multitasking environment also needs no extra hardware, but the advantage of CFCSS over a watchdog task is that CFCSS can be used even when the operating system does not support multitasking.

Control-flow checking by software signatures

Experimental evaluation

This paper focuses on the integration of the fault injection methodology within the design process of fault-tolerant systems. Due to its wide spectrum of application and hierarchical features, VHDL has been selected as the simulation language to support such an integration. Suitable techniques for injecting faults into VHDL models are identified and depicted. Then, the main features of the MEFISTO environment aimed at supporting these techniques are described. Finally, some preliminary results obtained with MEFISTO are presented and analyzed. >

Fault injection into VHDL models: the MEFISTO tool

An important step in the development of dependable systems is the validation of their fault tolerance properties Fault injection has been widely used for this purpose, however with the rapid increase in processor complexity, traditional techniques are also increasingly more difficult to apply This paper presents a new software-implemented fault injection and monitoring environment, called Xception, which is targeted at modern and complex processors Xception uses the advanced debugging and performance monitoring features existing in most modern processors to inject quite realistic faults by software, and to monitor the activation of the faults and their impact on the target system behavior in detail Faults are injected with minimum interference with the target application The target application is not modified, no software traps are inserted, and it is not necessary to execute the target application in special trace mode (the application is executed at full speed) Xception provides a comprehensive set of fault triggers, including spatial and temporal fault triggers, and triggers related to the manipulation of data in memory Faults injected by Xception can affect any process running on the target system (including the kernel), and it is possible to inject faults in applications for which the source code is not available Experimental, results are presented to demonstrate the accuracy and potential of Xception in the evaluation of the dependability properties of the complex computer systems available nowadays

Xception: a technique for the experimental evaluation of dependability in modern computers

An error-detecting 32-b reduced instruction set computer (RISC) designed in a 1.2- mu m CMOS technology with an on-chip watchdog using embedded signature monitoring is presented. It was evaluated through simulation-based fault injection, using a register level model written in VHDL (very high-speed IC (VHSIC) description language). A chip area increase of 4.7% was caused by the watchdog. Two application programs were executed to study workload dependencies. The insertion of watchdog instructions resulted in a memory overhead of between 13% and 25% as well as a performance overhead of between 9% and 19%. A total of 2779 faults were injected into the processor during execution of the application programs. Only 23% of these resulted in effective errors. A minimum detection coverage of 95% was reached for effective errors classified as control flow errors with a median latency of one clock cycle. Few effective data errors, between 22% and 50%, were detected. >

A study of the effects of transient fault injection into a 32-bit RISC with built-in watchdog

Proposes a control flow checking method that assigns unique initial signatures to each basic block in a program by using the block's start address. Using this strategy, implicit signature checking points are obtained at the beginning of each basic block, which results in a short error detection latency (2-5 instructions). Justifying signatures are embedded at each branch instruction, and a watchdog timer is used to detect the absence of a signature checking point. The method does not require the building of a program flow graph and it handles jumps to destinations that are not fixed at compile/link-time, e.g. subroutine calls using function pointers in the C language. This paper includes a generalized description of the control flow checking method, as well as a description and evaluation of an implementation of the method. >

Implicit signature checking

A microprocessor error behavior function (EBF) is introduced, mapping faults into errors on the functional level. The errors are obtained using a functional model of the processor. By applying the EBF to a fault and instruction distribution, it is possible to obtain the corresponding error distribution. A case study is described, in which (i) the EBFs for simulated bit-flip and pin-level faults are designed and used to compare the bit-flip and pin-level fault models, and (ii) the obtained error distribution for the bit-flip faults is used in an error injection experiment on the functional level to emulate these faults. For the processor used in the case study, it was found that only 9-12% of the bit-flip faults could be emulated using pin-level faults, while a tentative evaluation of the possibility to emulate bit-flip faults with software-implemented fault injection showed that 98-99% could be emulated. Finally, the results of the emulated bit-flip errors corresponded well to the real results obtained using bit-flip faults, thus indicating that the injected errors are good approximations of the faults. >

On microprocessor error behavior modeling

Two main trends characterize recent work on fault injection: (i) apply fault injection as early as possible in the design process of fault-tolerant systems, i.e., into simulation models of the target fault-tolerant system and (ii) when dealing with the implementation of the target fault-tolerant system, favor software-implemented fault injection, i.e., based on the mutation of the executing software or of the data.

J. Ohlsson

Papers

Fault injection into VHDL models: the MEFISTO tool

A study of the effects of transient fault injection into a 32-bit RISC with built-in watchdog

Implicit signature checking

On microprocessor error behavior modeling

Fault Injection Into VHDL Models: A Fault Injection Tool And Some Preliminary Experimental Results