Bipartite graph-based control flow checking for COTS-based small satellites  by Wang, Honghao et al.
Chinese Journal of Aeronautics, (2015), 28(3): 883–893Chinese Society of Aeronautics and Astronautics
& Beihang University
Chinese Journal of Aeronautics
cja@buaa.edu.cn
www.sciencedirect.comBipartite graph-based control ﬂow checking for
COTS-based small satellites* Corresponding author. Tel.: +86 571 87952042.
E-mail address: hqwang@zju.edu.cn (H. Wang).
Peer review under responsibility of Editorial Committee of CJA.
Production and hosting by Elsevier
http://dx.doi.org/10.1016/j.cja.2015.04.010
1000-9361 ª 2015 The Authors. Production and hosting by Elsevier Ltd. on behalf of CSAA & BUAA.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).Wang Honghao, Wang Huiquan *, Jin ZhongheMicro-satellite Research Center, Zhejiang University, Hangzhou 310027, ChinaReceived 23 June 2014; revised 3 February 2015; accepted 8 March 2015
Available online 16 April 2015KEYWORDS
Bipartite graph;
Control ﬂow checking;
Commercial-off-the-shelves
(COTS);
Error injection;
Fault tolerant;
Illegal branch;
Small satellitesAbstract Single event upset (SEU) effect, caused by highly energized particles in aerospace, threatens
the reliability and security of small satellites composed of commercial-off-the-shelves (COTS). SEU-
induced control ﬂow errors (CFEs)may cause unpredictable behavior or crashes of COTS-based small
satellites. This paper proposes a generic software-based control ﬂow checking technique (CFC) and
bipartite graph-based control ﬂow checking (BGCFC). To simplify the types of illegal branches, it
transforms the conventional control ﬂow graph into the equivalent bipartite graph. It checks the legal-
ity of control ﬂow at runtime by comparing a global signature with the expected value and introduces
consecutive IDs andbitmaps to reduce the time andmemory overhead.Theoretical analysis shows that
BGCFC can detect all types of inter-node CFEs with constant time and memory overhead. Practical
tests verify the result of theoretical analysis. Comparedwith previous techniques, BGCFCachieves the
highest error detection rate, lower time and memory overhead; the composite result in evaluation fac-
tor shows that BGCFC is themost effective one among all these techniques. The results in both theory
and practice verify the applicability of BGCFC for COTS-based small satellites.
ª 2015 The Authors. Production and hosting by Elsevier Ltd. on behalf of CSAA & BUAA. This is an
open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).1. Introduction
The increasing popularity of commercial-off-the-shelves
(COTS) in modern small satellites, such as pico- and nano-
satellites,1 calls for the high reliability within the limits of
low cost and weight. Due to the lack of radiation hardened
schemes of COTS components, radiation in aerospaceenvironment like highly energized solar particles, photons,
and electrons may cause transient and permanent errors in
both software and hardware of COTS-based satellites.
Among these radiation effects, the single event upset (SEU)
effect caused by highly energized particles has been proven
as one of the major threats to the space borne semiconductor
devices and their host satellites.2 SEU results in bit ﬂips in
memory cells, registers, or ﬂip-ﬂops.3 Bit ﬂips may introduce
transient errors in both data and control ﬂows. Data errors
may cause unexpected results, while control ﬂow errors
(CFEs) are generally more serious than data errors since they
can cause the program jump to unexpected locations and lead
to unpredictable behavior and system crashes, which are secu-
rity breaches of satellites. Additionally, experiments show
that 33–77% (depending on the type of the processor) of
884 H. Wang et al.SEU-induced errors are CFEs.4,5 Therefore, to improve the
reliability and security of small satellites, fault tolerant tech-
niques are necessary for detecting and blocking CFEs before
damages occur.6
Several fault tolerant techniques for detecting and blocking
CFEs have been reported, which would fall into two cate-
gories: hardware redundancy and control ﬂow checking
(CFC). Furthermore, CFC techniques can be classiﬁed into
hardware-based and software-based according to the imple-
mentation. In general, hardware redundancy techniques
employ two or more identical processors to execute the same
programs and detect CFEs (along with other errors) by com-
paring their outputs. Hardware redundancy techniques have
a better fault tolerant capability and lower time overhead
but impose higher cost, weight and complexity7 so that they
are viable for large satellites but infeasible for small satellites
due to the strict containment of their cost and weight. The gen-
eral approach adopted by CFC techniques is to divide the
source code into basic blocks (a block with no branching
instructions except the last one, which is described in
Section 2.1) and insert extra instructions to check the control
ﬂows running inside blocks and between them. CFEs analyzed
by CFC techniques are classiﬁed into three categories:
(1) Intra-node CFEs: caused by illegal branches within a
basic block.
(2) Inter-node CFEs: caused by illegal branches between
basic blocks.
(3) Out-of-memory CFEs: caused by illegal branches to the
unused memory space.
CFC techniques aim to detect all the categories of CFEs
with low time and memory overhead. Hardware-based CFC
techniques conform to this demand but impose external
devices or hardware modiﬁcation. For example, an approach
called control ﬂow checking using execution tracing
(CFCET)8 employed an external watchdog processor (a copro-
cessor attached to the main processor via the address bus) to
trace the execution of the target program in the main proces-
sor, detected CFEs by validating each branching address. A
hardware assisted preemptive CFC method9 modiﬁed the pro-
cessors to insert extra checking instructions for detecting
CFEs. Compared to hardware redundancy, hardware-based
CFC techniques are cheaper due to the lower complexity of
watchdog processors and hardware modiﬁcation. They have
good CFE detection rates but are unsuitable for the circum-
stance that hardware changes are not permitted. Moreover,
watchdog processors are difﬁcult to be attached to modern
processors whose address buses are internal, processors modi-
ﬁcation are also infeasible because most modern COTS proces-
sors are close-sourced. Therefore, hardware-based CFC
techniques are unﬁt for small satellites.
Instead of introducing extra hardware or hardware modiﬁ-
cation, software-based CFC techniques just insert extra check-
ing instructions into the source code of the target program at
compile time so as to have the target program do checking jobs
itself. Preeminent software-based CFC techniques proposed in
the recent and past years include software-based control ﬂow
checking (SCFC),10 graph-tree-based control ﬂow checking
(GTCFC),11 relationship signatures for control ﬂow checking
(RSCFC),12 yet another control ﬂow checking using assertions
(YACCA),13 control ﬂow checking by software signatures(CFCSS)14 and enhanced control ﬂow checking by assertions
(ECCA)15 etc., which are listed in chronological order. All
these techniques except CFCSS can detect all inter-node
CFEs; they are useful in industrial environments but restrictive
or impractical to small satellites. Details of their drawbacks are
described as follows.
Both SCFC and RSCFC employed an N-bit bitmap (repre-
sented as an integer) to store the successors for each basic
block, where N is the total number of basic blocks in the target
program. Each basic block is assigned an ID from 1 to N
respectively and the basic block with ID i corresponds to the
ith bit in the bitmap. The bitmap is effective in exploiting
bit-level parallel operation. Nevertheless, in practice, N is usu-
ally larger than the word length of the processor (usually 8, 16
or 32), so that a bitmap consists of multiple registers, then a
single operation on the bitmap decomposes to multiple
operations on registers, which increases the time and memory
overhead. GTCFC, which claimed to be dedicated for pico-
satellites, introduced virtual basic blocks for the basic blocks
that have multiple predecessors to ensure that each basic block
has only one predecessor, and introduced an array to store the
predecessors for each (virtual) basic block. The array occupies
a linear memory space, which is considerable for resource con-
strained small satellites. The inserted checking instructions in
virtual basic blocks consume extra time and memory.
Moreover, element access in the array needs indirect address-
ing, which is the slowest one among addressing modes of pro-
cessors. Thus, GTCFC is restrictive to small satellites.
YACCA and ECCA represent predecessors of each basic block
as the product P of their IDs, and then expose CFEs by check-
ing the divisibility of P and divided-by-zero exception respec-
tively. In practice, P may be a big integer and exceed the
word length, so the operation and storage may lead to extra
time and memory overhead. Furthermore, multiplication and
division will cause a huge performance decay for processors
without multipliers like ADuC841, which is adopted by
ZDPS-1A pico-satellite.16,17 Thus, YACCA and ECCA may
be time and memory consuming in practice. CFCSS performed
simple XOR and AND operations at the beginning of each
basic block to check CFEs, so it has a low time and memory
overhead. However, the detection rate is low due to the lack
of checking instructions at the end of basic blocks and the
aliasing problem.14
To overcome the drawbacks of previous techniques in small
satellite applications, we propose a generic high-performance
and low-overhead SCFC technique named bipartite graph-
based control ﬂow checking (BGCFC). BGCFC partitions the
target program into basic blocks and builds its control ﬂow
graph as previous techniques.10–15 A conventional basic block
consists of a cluster of instructions, and the illegal jump can start
from or end at any instruction of the basic block. So illegal
branches, start from or end at the beginning, inside and end of
the basic block are different. To simplify illegal branches,
BGCFC transforms the control ﬂow graph into an equivalent
bipartite graph by splitting each basic block into two sub-
blocks, so that only illegal branches between sub-blocks need
to be handled. BGCFC employs a bitmap to store the predeces-
sors of each basic block in the corresponding bits as SCFC and
RSCFC. However, because usually one basic block has only a
few predecessors, storing all basic blocks in a single bitmap
causes most bits in the bitmap wasted. Hence, BGCFC only
stores the predecessors of the basic block with multiple
Bipartite graph-based control ﬂow checking for COTS-based small satellites 885predecessors into the bitmap to reduce the length. Furthermore,
to increase the storage density of the bitmap, BGCFC assigns
IDs to predecessors of each basic block as consecutive as possi-
ble. Along with the execution of the target program, BGCFC
does check at each sub-blocks by merely performing XOR,
AND, SUB and SHIFT operations, which are the fastest among
the instruction set and ubiquitous in processors. BGCFC inher-
its the advantages of SCFC, RSCFC and CFCSS, and over-
comes their shortages. As a result, BGCFC is not only capable
of detecting all inter-node CFEs with low time and memory
overhead, but also generic among arbitrary COTS processors,
and independent of any speciﬁc hardware. Consequently,
BGCFC is applicable and useful in COTS-based small satellites.
2. Bipartite graph
To reduce the types of illegal branches for further CFC,
BGCFC transforms the original control ﬂow graph into the
equivalent bipartite graph. This section presents the details
of the bipartite graph, including the motivation of introducing
it and the effects that it brings on.
2.1. Deﬁnition
Deﬁnitions of the relevant concepts are provided as follows
(some of them are adopted commonly by previous techniques).
Basic block:11 A maximal set of ordered instructions that
execute from the ﬁrst to the last sequentially, with no branch-
ing except possibly the last. The branching destination is
always the ﬁrst instruction of the basic block. Basic blocks
are denoted as vertices vi (i 2 f0; 1; . . . ;N 1g). The zero-
based index i conforms to the convention in the C program-
ming language, which is widely adopted in small satellite
developments.18
Control ﬂow:12 A branch from vertex vi to vj represents that
vi possibly branches to vj in the error-free state. Control ﬂows
are denoted as directed edges ek (k 2 f0; 1; . . . ;M 1g), where
M is the total number of edges. The edge is also denoted as brij
if it is from vi to vj.
Predecessor/Successor: If there is an edge brij from vi to vj,
then vi is a predecessor of vj. Equivalently, vj is a successor of
vi. The set of predecessors of v is denoted as pred(v). The set of
successors of v is denoted as succ(v).
Control ﬂow graph:12 A program can be represented by a
graph G= {V, E}, which is composed of a set of basic blocks
V= {vi, i 2 {0,1, . . .,N  1}} and a set of control ﬂows
E= {ei, i 2 {0,1, . . .,M  1}}.
Bipartite graph:19 A graph’s vertices can be divided into two
sets U andW, and U\W= B. Vertices in the same set are not
connected. i.e.,"v1u, v2u 2 U, and there are no edges between v1u
and v2
u. Also,"v1w, v2w 2W, there are no edges between v1w and
v2
w. If U „ B W „ B, then "vu 2 U, $vw 2W, and an extra
edge euw from vu to vw. The set of all euw is denoted as Euw.
We denote a bipartite graph as BG= {U [W,Euw [ E}. This
deﬁnition is derived from graph theory.
Illegal branch: A branch that fails to meet the deﬁnition of
basic blocks (e.g., not from the end of a basic block or not to
the beginning of a basic block), or represents an edge that is
inexistent in the set of edges E (e.g., not to the legal successor).
Sub-block: Split a basic block vi into two sub-blocks vi
u and
vi
w, where vi
u corresponds to the beginning of vi and vi
w the endof vi. An extra directed edge ei
uw from vi
u to vi
w is generated.
Obviously, succ(vi
u) = {vi
w}, pred(vi
w) = {vi
u}.
Atomic: If all branches from vi to vj are considered identi-
cally, there is no need to consider whether the branches start
from or end at the beginning, inside or end of vi and vj, then
both vi and vj are atomic, otherwise, they are not atomic.
Cardinality:19 Number of elements of a set. The cardinality
of a set U is denoted as |U|.
2.2. Effects of bipartite graph
According to the legality of error-free control ﬂows, illegal
branches can be further categorized into six types as follows:10
(1) Type 1: the illegal branch starts from any instruction of
a basic block and ends at any other instruction of the
same basic block. It skips or re-executes intermediate
instructions within the basic block and causes an intra-
node CFE.
(2) Type 2: the illegal branch starts from any instruction
excluding the last one of a basic block and ends at the
ﬁrst instruction of its legal successor. It skips the instruc-
tions including the last one of the former basic block and
causes an inter-node CFE.
(3) Type 3: the illegal branch starts from the last instruction
of a basic block and ends at any instruction excluding
the ﬁrst one of its legal successor. It skips the instruc-
tions including the ﬁrst one of the latter basic block
and causes an inter-node CFE.
(4) Type 4: the illegal branch starts from any instruction
excluding the last one of a basic block and ends at any
instruction excluding the ﬁrst one of its legal successor.
It skips both the instructions including the last one of
the former basic block and the instructions including
the ﬁrst one of the latter basic block, and causes an
inter-node CFE.
(5) Type 5: the illegal branch starts from a basic block and
ends at an illegal successor. It generates an extra edge
that is inexistent in the edge set E and causes an inter-
node CFE.
(6) Type 6: the illegal branch starts from a basic block and
ends at the unused memory space. It causes an out-of-
memory CFE.
Type 2–Type 4 correspond to the illegal branches from a
basic block to its legal successor and Type 5 corresponds to
the illegal branch from a basic block to its illegal successor.
The types mentioned above are cumbersome because basic
blocks are not atomic so that we have to handle with illegal
branches that start from or end at the beginning, inside and
end of basic blocks separately. To eliminate this cumbersome-
ness, we split the basic blocks into two atomic sub-blocks.
Thus, the original control ﬂow graph can be transformed into
a bipartite graph, and all branches between sub-blocks are
considered the same.
Fig. 1 shows an example of a control ﬂow graph that contains
basic blocks with a unique predecessor (v3 and v4) and with mul-
tiple predecessors (v1, v2, v5), and the transformed bipartite
graph. In Fig. 1, circles represent the original basic blocks and
rectangles represent the sub-blocks. Basic blocks and their cor-
responding sub-blocks are placed horizontally.
886 H. Wang et al.Theorem 1. Any control ﬂow graph can be transformed into an
equivalent bipartite graph by splitting each basic block into two
sub-blocks.
Proof. Given a control ﬂow graph G= {V, E}, three possible
numbers of vertices are analyzed below
(1) |V| = 0.
If |V| = 0, then V= B, E= B. Obviously, the corre-
sponding sub-block sets U= B and W= B, vertices
in the same set are not connected because both of sets
are empty. In addition, U\W=B, Euw =B. Thus
G= {B,B} can be transformed into the equivalent
bipartite graph BG = {U [W,Euw [ E} = {B,B}.
(2) |V| = 1.
If |V| = 1, then V= {v}, E= B. Split v into sub-blocks
vu and vw, then we have U= {vu}, W= {vw},
Euw = {euw}. Obviously, vertices in the same set are
not connected since each set contains only one element,
U\W= B and an extra edge euw starts from vu and ends
at vw. Thus, G= {{v},B} can be transformed into the
equivalent bipartite graph BG= {{vu,vw}, {euw}}.
(3) |V| > 1.
If |V| > 1, then V= {vi|i 2 {0,1, . . .,N  1}},
E= {ej|j 2 {0,1, . . .,M  1}}. In this case, each single
vertex vi can be treated as a sub graph
G_vi = {{vi},B}; apply the proof result of Case (2) so
that G_vi can be transformed into the equivalent bipar-
tite graph BG_vi = {{vi
u,vi
w}, {ei
uw}}. "ej 2 E, $va,
vb 2 V, that ej is from va to vb, then for the equivalent
bipartite graph BG_va= {{va
u,va
w}, {ea
uw}} and
BG_vb = {{vb
u,vb
w}, {eb
uw}}. ej starts from va
w 2W and
ends at vb
u 2 U, thus "ej 2 E connects vertices in different
sets. "eiuw 2 Euw, eiuw is from viu 2 U to viw 2W, so no
edges connect the vertices in the same set. Therefore a
sub bipartite graph BG_vab = {{va
u,va
w} [ {vbu,vbw},
{ea
uw} [ {ebuw} [ ej} is obtained by combining BG_va
and BG_vb. Inductively, BG = {¨{viu,viw},¨{eiuw}[
E|i 2 {0,1, . . .,N  1}} is obtained by combining sub
bipartite graph. Therefore, G= {V,E} can be trans-
formed into the equivalent bipartite graph BG. hFig. 1 An example of bipartite graph transformation.To sum up, any control ﬂow graph can be transformed into
an equivalent bipartite graph.
Because no vertices in the same set are connected in BG, we
evidently have four formulas below:
predðvui Þ ¼ predðviÞ#W ð1Þ
succðvwi Þ ¼ succðviÞ#U ð2Þ
succðvui Þ ¼ fvwi g ð3Þ
predðvwi Þ ¼ fvui g ð4ÞTheorem 2. After the bipartite graph transformation, four types
of illegal branches that cause inter-node CFEs can be reduced to
the illegal branches between two sub-blocks.
Proof. Illegal branches only exist between two basic blocks, so
a control ﬂow graph whose vertices contain both legal and ille-
gal successors is sufﬁcient for this proof. Suppose a control
ﬂow graph G= {{v0,v1,v2}, {e0,e1}}, where e0 is from v0 to
v1, e1 is from v1 to v2, thus succ(v0) = {v1,v2}, succ(v1) =B,
succ(v2) =B. The transformed bipartite graph is
BG= {{v0
u,v0
w,v1
u,v1
w,v2
u,v2
w}, {e0
uw,e1
uw,e2
uw,e0,e1}}, and
succ(v0
u) = {v0
w}, succ(v0
w) = {v1
u
, v2
u}, succ(v1
u) = {v1
w},
succ(v1
w) = B, succ(v2
u) = {v2
w}, succ(v2
w) = B. Fig. 2 illus-
trates an example of types of illegal branches reduction for
G. In Fig. 2, dashed lines represent illegal branches and solid
lines represent legal branches. The four types of illegal
branches that cause inter-node CFEs are analyzed below.
(1) Type 2: suppose an illegal branch br0 starts from the
inside of v0 and ends to the beginning of v1, which skips
the end of v0. Correspondingly, in BG, br0 starts from
v0
u, skips over the v0
w and directly jumps to v1
u. Then
v0
u 2 U and v1u 2 U are connected, which fails to meet
the deﬁnition of bipartite graph. {v1 2 succ(v0), by
Eqs. (2) and (3), )v1u R succ(v0u), thus this type can be
reduced to the illegal branch between the two sub-
blocks v0
u and v1
u.Fig. 2 An example of types of illegal branches reduction.
Bipartite graph-based control ﬂow checking for COTS-based small satellites 887(2) Type 3: suppose an illegal branch br1 starts from the end
of v0 and ends at the inside of v1, which skips the begin-
ning of v1. Correspondingly, in BG, br1 starts from v0
w,
skips over the v1
u and directly jumps to v1
w. Then
v0
w 2W and v1w 2W are connected, which fails to meet
the deﬁnition of bipartite graph.{v1 2 succ(v0), by Eqs.
(2) and (3), )v1w R succ(v0w), thus this type can be
reduced to the illegal branch between the two sub-
blocks v0
w and v1
w.
(3) Type 4: suppose an illegal branch br2 starts from the
inside of v0 and ends at the inside of v1, which skips both
the end of v0 and the beginning of v1. Correspondingly,
in BG, br2 starts from v0
u, skips over the v0
w and v1
u,
directly jumps to v1
w. {v1 2 succ(v0), by Eqs. (2) and
(3), )v1w R succ(v0u), thus this type can be reduced to
the illegal branch between the two sub-blocks v0
u and
v1
w.
(4) Type 5: {v2 R succ(v1), )v2u R succ(v1u), v2u R succ(v1w),
v2
w R succ(v1u) and v2w R succ(v1w). Thus illegal branches
from any position of v1 to any position of v2 lead to four
illegal branches in BG, which are from v1
u to v2
u, from
v1
w to v2
u, from v1
u to v2
w and from v1
w to v2
w respec-
tively. In Fig. 2, br3 exempliﬁes the illegal branch from
v1
w to v2
u. Thus, this type can be reduced to the illegal
branch between either of v1
u, v1
w and either of v2
u, v2
w.
(5) To sum up, after the bipartite graph transformation,
because the sub-blocks are atomic, four types of illegal
branches can be reduced to just one type: the illegal
branch between two sub-blocks. h
A side effect of the bipartite graph is that intra-node CFEs
cannot be detected, because intra-node CFEs will lead to legal
branches along with ei
uw (i 2 {0,1, . . .,N  1}). Actually, almost
no previous SCFC techniques attempted to detect intra-node
CFEs because intra-node CFEs skip no checking instructions.
Only SCFC claimed to be able to detect the intra-node CFEs
by inserting a checking instruction in the middle of the basic
block,10 but the detection performance is limited because not
all intra-node CFEs skip that checking instruction. The essence
of the intra-node CFE detection of SCFC is to divide the basic
blocks into multiple sub basic blocks (not sub-blocks in
BGCFC) and these sub basic blocks can be used as individual
basic blocks in the CFC technique. More sub basic blocks lead
to better detection rates but couple with more overhead.
According to the experimental results of previous tech-
niques,10–12 the high detection rate (>90%) shows that the
ratio of intra-node CFEs is so low (<10%) that BGCFC does
not detect them explicitly. If the detection for the intra-node
CFE is necessary, then the tradeoff between the basic blocks
division and the overhead needs to be considered.
3. Algorithm for CFC
After transforming the original control ﬂow graph into its
equivalent bipartite graph, various illegal branches are reduced
to the illegal branch between two sub-blocks. BGCFC checks
the control ﬂow by validating whether the last visited sub-
block is the predecessor of the current visited sub-block.
BGCFC employs a bitmap to store the predecessors for each
sub-block that has multiple predecessors. The consecutive
IDs of predecessors help to reduce the bitmap length.BGCFC performs an ID assignment algorithm to ensure that
the IDs of predecessors of every basic block that has multiple
predecessors are as consecutive as possible. This section elabo-
rates on the ID assignment algorithm and control ﬂow check-
ing principle.
3.1. ID assignments
For a control ﬂow graph G= {V,E}, where
V= {vi|i 2 {0,1, . . .,N  1}}. In its equivalent bipartite graph
BG, vi corresponds to two sub-blocks vi
u 2 U, viw 2W. We
change the notation vi
u to v2i and vi
w to v2i + 1 for mapping
the indices. Thus, all elements in U have even numbered
indices; all elements in W have odd numbered indices. By
Eq. (1), we have pred(v2i) = pred(vi) ˝W; by Eq. (4), we have
pred(v2i+1) = {v2i}. Thus, the bitmap only needs to store the
sub-blocks in W, which are indexed as 2i+ 1. For simplicity,
the bitmap only contains the basic block index i.
Furthermore, for the basic block vi, we usually have
|pred(vi)| « |V|, otherwise the target program is highly cohesive.
Thus, if we assign the IDs of basic blocks as consecutive as
possible, then we will reduce the bitmap length dramatically
and increase the storage density. Let us denote the ID of the
basic block vi as id(vi), bearing in mind that IDs of vi are dis-
tinct unsigned integers and range from 0 to |V|  1. For
instance, suppose a basic block v4 has ﬁve predecessors, which
are v0, v3, v5, v10 and v16. If we store the indices of the prede-
cessors into the bitmap directly, the bitmap length is 17 bits
while only 5 bits are effective. If we assign consecutive IDs
for the predecessors, then id(v0) = 6, id(v3) = 7, id(v5) = 8,
id(v10) = 9 and id(v16) = 10. The bitmap only needs 5 bits if
we store 6 in bit0, 7 in the bit1, . . ., 10 in bit4 respectively.
Therefore, consecutive IDs help to reduce the bitmap length.
The ID assignment algorithm includes two steps: perform a
breadth-depth-ﬁrst search to obtain the predecessors of each
basic block; enumerate all ID permutations to ﬁnd the most
consecutive one. The details of the algorithm are described
as follows.
Algorithm assign_consecutive_id_for_basic_blocks
Input: the set of basic blocks V;
Output: the most consecutive IDs for V id(V);
Find the basic block v0 2 V that represents the entry point of
the target program.
Push v0 into a queue Q.
while Q is not empty do // (1) Perform a breadth ﬁrst search to
obtain the predecessors
Let v be the front element of Q. Popup the front element.
for each vi that can be reached from v do
Add v to pred(vi). Push vi to Q.
Assign an unsigned integer array id = {0,1, . . ., |V|  1}
for each permutation idp of id do // (2) Find the most
consecutive IDs
for i= 0 to |V|  1 do
Assign id(vi) = idp(i).
Let diﬀ = 0.
for each vi 2 V that satisﬁes |pred(vi)| > 1 do
Find the maximal ID maxId among pred(vi), minimal ID
minId among pred(vi).
diﬀ = diﬀ + maxId  minId.
Find the permutation idp with the minimum diﬀ. Assign it back
to the id(V).
888 H. Wang et al.After performing the algorithm listed above, we make sure
the IDs of predecessors of each basic block are assigned as
consecutive as possible. IDs of basic blocks correspond to
the IDs of sub-blocks, that is id(v2i) = 2 · id(vi) and
id(v2i+1) = 2 · id(vi) + 1.
3.2. Checking instructions
In a valid transformed bipartite graph BG, except for the entry
point of the target program v0
u, we have |pred(v)| > 0 for all
sub-blocks v, otherwise v is unreachable in the execution of
the target program, and we should remove it from BG.
Once the bipartite graph BG of the target program is estab-
lished, BGCFC inserts checking instructions into each sub-
block v at compile time. BGCFC checks the control ﬂows by
employing a global signature S (stored in a register) that is
continuously updated under the execution of the program at
runtime. Each basic block vi is assigned a unique ID id(vi)
according to the ID assignment algorithm presented in the
previous section. For the corresponding sub-blocks, we have
id(vi
u) = 2 · id(vi), id(viw) = 2 · id(vi) + 1. When the control
ﬂow is transferred from one sub-block to another, S is updated
to a new value. Under the legal execution of the target pro-
grams, S should be equal to id(v) after visiting the sub-block
v. If S „ id(v), then a CFE occurs. Initially, S= id(v0u), where
v0
u is the entry point of the target program.
A parameter d(v) is designated for every sub-block v. d(v)
contains a value that is calculated in advance at compile time,
which is used to update S when v is being visited.
BGCFC divides the sub-blocks v into two types and handle
them differently. For the type of |pred(v)| = 1, BGCFC inserts
simple checking instructions; because v has a unique predeces-
sor, the legal control ﬂow is determinate. For the type of
|pred(v)| > 1, BGCFC inserts more complex checking instruc-
tions; because v has multiple predecessors, the legal control
ﬂow may have multiple legal source sub-blocks so that it is
indeterminate. The checking instructions for these two types
are described in detail below. For convenience of description,
we introduce the symbols in C programming language ‘‘^’’,
‘‘&’’, ‘‘>>’’ to represent the XOR, AND, SHIFT RIGHT
operations respectively. We denote the previous visited sub-
block as vprev. Before executing the checking instructions,
S= id(vprev).
If |pred(v)| = 1, we denote the unique predecessor as vp,
that pred(v) = {vp}. The checking instructions are
01. S= S ^ d(v)
02. if S „ id(v) then call Error ()
where d(v)=id(vp)^id(v). Under the legal control ﬂow,
id(vprev) = id(vp), then in the Statement 01, we have
S= id(vp)^id(vp)^id(v) = id(v). Thus, S is updated to the ID
of the current sub-block v and no CFE is detected.
Otherwise, id(vprev) „ id(vp) since the control ﬂow is illegal, so
S „ id(v). The CFE will be detected by the Statement 02, and
the common function Error() is invoked for handling CFEs.
Let us analyze which of sub-blocks in BGmay have a unique
predecessor. By Eq. (4), "viw 2W, $viu 2 U, then pred(viw) =
{vi
u}. So for all vi
w 2W, we have |pred(viw)| = 1. "viu 2 U, by
Eq. (1), |pred(vi
u)| = 1 if and only if |pred(vi)| = 1. In conclu-
sion, all elements in W have a unique predecessor; some ofelements in U have a unique predecessor depending on the
structure of BG.
If |pred(v)| > 1, then v has multiple predecessors and v 2 U.
By Eq. (1), pred(v) ˝W. Therefore, the IDs of the predecessors
are all odd numbers, which can be represented as 2i+ 1,
where i is the ID of the corresponding basic block in G. We
sort the IDs of pred(v) in ascending order, then we represent
pred(v) = {vpi|i= {0,1, . . .,K}}, and id(vp0) < id(vp1) < . . .
< id(vpK), where K= |pred(v)|  1. The checking instructions
are:
03. if S & 1 „ 1 then call Error()
04. else if (bm(v) >> ((S>> 1)  off(v))) & 1 „ 0 then
S= id(v)
05. else call Error()
The Statement 03 checks whether S is an odd number, if it
is not, then a CFE occurs. The Statement 04 checks whether
vprev 2 pred(v) by checking the bitmap bm(v), and the constant
off(v) = id(vp0)/2 is calculated at compile time for reducing
unnecessary calculations at runtime. The Statement 04 is so
complicated that we decompose it step by step: (a) S>> 1
is to calculate the index i of the corresponding basic block in
G; (b) (S>> 1)  off(v) is to calculate the bit number n
(zero-based, counted from the least signiﬁcant bit) in
the bitmap of the possible predecessor; (c)
bm(v) >> ((S>> 1)  off(v)) is to shift the bit n of the bit-
map right to the least signiﬁcant bit; The whole Statement
04 is to check whether the bit n is 0; if it is not 0, then
vprev 2 pred(v) and we update S to the ID of current sub-
block; else, the Statement 05 is executed, that a CFE occurs.
Take an instance to describe the bitmap bm(v). Suppose
id(pred(v)) = {3,4,6,7}, then
bmðvÞ ¼ 11011|ﬄﬄ{zﬄﬄ}
7;6;5;4;3
ð5Þ
The ID 3, 4, 6, 7 are represented from the least signiﬁcant bit
to the most signiﬁcant bit of bm(v) respectively, where the cor-
responding bit is set to 1.
The sample program in Fig. 1 is G= {V,E}, where
V= {v0,v1,v2,v3,v4,v5}, E= {e0,e1,e2,e3,e4,e5,e6,e7,e8}, and
e0 = br01, e1 = br12, e2 = br12, e3 = br23, e4 = br24,
e5 = br42, e6 = br35, e7 = br45 and e8 = br25, wherein brij is
the edge from vi to vj. So v1, v2, v5 has multiple predecessors.
After performing the ID assignment algorithm in the previous
section, the IDs for V are id(V) = {0,1,3,4,2,5}. And for the
basic blocks with multiple predecessors, pred(v1) = {v0,v1},
id(v0) = 0, id(v1) = 1; pred(v2) = {v1,v4}, id(v1) = 1,
id(v4) = 2; pred(v5) = {v2,v3,v4}, id(v2) = 3, id(v3) = 4,
id(v4) = 2. Therefore, the IDs of v2, v3, v4 are consecutive
enough to reduce the bitmap length. For U, W 2 BG,
id(U) = 2 · id(V) = {0,2,6,8,4,10}, id(W) = 2 · id(V) + 1=
{1,3,7,9,5,11}. Fig. 3 illustrates the CFC instructions in the
BG of Fig. 1. In Fig. 3, numbers inside the solid rectangles
represent the IDs of sub-blocks, and dashed rectangles contain
the checking instructions for each sub-block. Note that in
practice, the bitmap length equal to the word length, which
is usually 8, 16 or 32. In this example, the bitmap length is
8. The statements outside the dashed rectangles elaborate on
the update process of S that follows a legal control ﬂow path
v0ﬁ v1ﬁ v2ﬁ v4ﬁ v2ﬁ v5 step by step.
Fig. 3 Example of CFC instructions.
Bipartite graph-based control ﬂow checking for COTS-based small satellites 8894. Error detection rate and overhead evaluation
In the aerospace, SEU affects the binary machine code instead
of the higher level programming language. This section ana-
lyzes the machine code of checking instructions to evaluate
the error detection rate, time and memory overhead of
BGCFC respectively, and proves the applicability of BGCFC
in COTS-based small satellites theoretically.
4.1. Error detection rate
SEU-induced transient errors include data errors and CFEs.
Data errors are not covered by BGCFC since BGCFC is a con-
trol ﬂow checking technique. The incorrect conditional
branching is considered as the data error.11,12,15 Data errors
can be detected by dedicated techniques.20,21 The intra-node
CFE is not detected by BGCFC explicitly, and the reason is
explained in detail at the end of Section 2.2. To tackle the
out-of-memory CFE, BGCFC ﬁlls all the unused memory
space with instructions ‘‘call Error()’’, so once illegal branches
jump to the unused memory space, the common error handler
Error() is invoked. Therefore, the analysis of error detection
rate mainly focuses on the detection of inter-node CFEs.
Theorem 3. BGCFC is able to detect all types of illegal branches
that cause the inter-node CFE.
Proof. From Theorem 2, various types of illegal branches that
cause inter-node CFEs can be reduced to the illegal jump
between two sub-blocks. Because sub-blocks are atomic, if a
branch brij from sub-block vi to vj is illegal, then we must have
vi R pred(vi). BGCFC divides the sub-blocks v into two types:
|pred(v)| = 1 and |pred(v)| > 1 and inserts different checking
instructions accordingly. These two types are analyzed in this
proof.(1) |pred(vj)| = 1. Assume pred(vj) = {vp}. {vi R pred(vj)
and all IDs are distinct, )id(vi) „ id(vp).{d(vj) =
id(vp)^id(vj), ) before the statement 01 is executed,
S= id(vi) „ id(vp). Because the three IDs are distinct,
S= id(vi)^id(vp)^id(vj) „ id(vj), which causes the
Statement 02 to detect the illegal branch and handle
the CFE.
(2) |pred(vj)| > 1. By Eqs. (1) and (4), pred(vj) ˝W, vj 2 U.
"vp R pred(vj), so id(vp) is odd number. {vi R pred(vj)
and all IDs are distinct, )id(vi) „ id(vp). If vi 2 U, then
id(vi) is even, and the Statement 03 will detect and han-
dle such a CFE. Otherwise, if vi 2W, then id(vi) is odd
and it will pass the Statement 03. Statement 04 checks
whether the id(vi) is in bm(vj). Let us consider two cases:
(a) If 2 · id(vi) < off(v), then the operand of shift right is
negative; the ID is an unsigned integer, so the negative
operand becomes a huge positive integer. After the shift
operation, the result of bm(v) >> ((S>> 1) – off(v)) in
Statement 04 must be 0 and causes Statement 05 to
detect the illegal branch and handle the CFE; (b) If
2 · id(vi)P off(v), then the operand of shift right is
non-negative. Because bm(vj) does not contain the id(vi)
in the corresponding bit, after the shift operation, the
least signiﬁcant bit of bm(vj) in Statement 04 must be
0, otherwise bm(vj) contains the id(vi), then the ‘‘&1’’
operation will lead the result to 0 and causes
Statement 05 to detect the illegal branch and handle
the CFE. h
To sum up, BGCFC is able to detect all types of illegal
branches caused inter-node CFEs.
Therefore, BGCFC achieves high-error detection rate
because it is able to detect all types of inter-node CFEs.
890 H. Wang et al.4.2. Time overhead
Although BGCFC only performs simple XOR, AND, SUB
and SHIFT operations which are independent from speciﬁc
hardware, the time overhead is still variable among different
COTS processors due to the difference of their traits involving
speed, cache and pipelines.22 The time overhead is deﬁned as
the increasing ratio of execution time of the hardened program
with respect to the original one. For the sake of fair, we eval-
uate the execution time by measuring the number of instruc-
tion cycles, which is regardless of the traits of processors.
BGCFC employs a register to store S and represents other
constants as immediate operands within instructions, so the
addressing mode is immediate addressing which is the fastest
one. In this addressing mode, the XOR, AND, SUB and
SHIFT operation all take only one cycle in most COTS proces-
sors. Besides, the auxiliary instructions CMP, CALL and
MOV also take one cycle.
In the best case, the branch is legal and the CALL in
Statement 02 is not executed. In the worst case, the branch is
illegal and the CALL is executed additionally. So the checking
instructions in the sub-block with a unique predecessor take
two cycles in the best case and three cycles in the worst case.
If statements in Statements 03–05 are mutual exclusive, in
the best case, the branch is illegal because S is an even number,
only Statement 03 is executed. In the worst case, Statement 04
is executed with regardless of the execution of Statement 05, it
takes six additional cycles and the CALL in Statement 03 is
not executed. The checking instructions in the sub-block with
multiple predecessors take three cycles in the best case and
eight cycles in the worst case.
Assume the target program contains N basic blocks, while x
of them have multiple predecessors and a basic block is divided
into two sub-blocks, then in the worst case, the additional
instruction cycle of checking instructions is
Te ¼ ð8þ 3Þxþ ð3þ 3ÞðN xÞ ¼ 5xþ 6N ð6Þ
The time overhead is
toverhead ¼ Te
Tori
 100% ð7Þ
where Tori is the instruction cycles of the original program. The
coefﬁcient of x and N in Te is constant, which means for each
basic block, the time complexity of inserted checking instruc-
tions is constant, i.e., O(1). Therefore, the time overhead is
low.
4.3. Memory overhead
Memory overhead is deﬁned as the increasing ratio of memory
size of the hardened program with respect to the original one.
We evaluate the memory size by the number of the checking
instructions in the machine code instead of the bytes of instruc-
tions because it depends on the word length of processors. The
checking instructions in the sub-block with a unique predeces-
sor take three instructions and the checking instructions in the
sub-block with multiple predecessors take 10 instructions.
Assume the target program contains N basic blocks, while x
of them have multiple predecessors and a basic block is divided
into two sub-blocks, then in the worst case, the additional
number of instructions isMe ¼ ð10þ 3Þxþ ð3þ 3ÞðN xÞ ¼ 7xþ 6N ð8Þ
The memory overhead is
moverhead ¼ Me
Mori
 100% ð9Þ
where Mori is the memory size of the original program. The
coefﬁcient of x and N inMe is constant, which means for each
basic block, the memory complexity of inserted checking
instructions is also constant, i.e., O(1). Therefore, the memory
overhead is low.
As to the resource constrained small satellites, we hope the
CFC techniques are able to detect more CFEs but take less
time and memory. Therefore, in theory, BGCFC is applicable
for COTS-based small satellites due to the high error detection
rate, low time and memory overhead.
5. Test results and discussion
For verifying the proof in theory from the perspective of prac-
tice, this section brings tests and analysis based on the onboard
computer (OBC) of the in-service ZDPS-1A pico-satellite,17
which are researched and developed by our institute. The
OBC utilizes an 8-bit 8052-compatible Harvard architecture
COTS processor ADuC841 from Analog Devices, which con-
tains a 2 KB random access memory (RAM) for data storage
and a 64 KB read only memory (ROM) for code storage. The
program code is executed in the ROM directly. ADuC841 is a
simple controller and lacks the speciﬁc hardware for calcula-
tion, such as multipliers. One of the successive products of
ZPDS-1A utilizes a more powerful 32-bit COTS digital signal
processor (DSP) TMS320C6747 from Texas Instruments,
which features the Harvard architecture too. TMS320C6747
equips various controllers, multipliers and signal processing
units; it is much more powerful than ADuC841. However,
we still choose the ADuC841 instead of TMS320C6747 as
the test bench based on the following reasons. Firstly, the main
purpose of this paper is to supply a generic high-performance
and low-overhead SCFC techniques for COTS-based small
satellites, not just limited to our own products. However,
TMS320C6747 is powerful and may hide the shortages of
the propose method, because not all processors in small satel-
lites are as powerful as TMS320C6747. Secondly, according to
the survey,1,23 mainstream small satellites adopted Harvard
architecture processors, such as ARM, PIC controller, DSP
etc. ADuC841 is generally less powerful than them, so if
BGCFC is veriﬁed to be applicable for ADuC841, then we
believe it will be generally adequate for most processors of
mainstream small satellites. Thirdly, ZDPS-1A has successfully
fulﬁlled all the missions and been functionally well in aero-
space for more than three years,17 so we believe the OBC of
ZDPS-1A is reliable and it will not introduce extra unsafe fac-
tors to affect the accuracy of test results. Finally yet impor-
tantly, the goal of BGCFC is to extend the lifecycle of the
small satellites in real projects, not only limited to the aca-
demic research.
We perform the test on four benchmarks: insertion sort
(IS), quick sort (QS), matrix multiplication (MM) and fast
Fourier transformation (FFT). These benchmarks are widely
used by other SCFC techniques, and they represent different
patterns of control ﬂow graph. IS and QS take a lot of
branches among relatively simple calculations, while FFT
Bipartite graph-based control ﬂow checking for COTS-based small satellites 891and MM carry out lots of time-consuming multiplications and
relatively few branches. The benchmarks can cover all patterns
of control ﬂow graphs of real programs. Therefore, the bench-
marks are adequately representative for the real programs in
such senses. Besides, FFT and MM are commonly adopted
in real missions of satellites, which make the benchmarks be
more representative.
In order to simulate the SEU effects on the ground, we uti-
lize an external complex programmable logic device (CPLD) to
ﬂip the bit randomly in the ROM and RAM for error injec-
tions. After injecting an error, the ﬂipped bits are recovered
immediately for the next error injection. Once the CFC tech-
nique detects a CFE, the Error() function increases the counter
in CPLD to record the number of successful detections. We
choose four preeminent previous software-based CFC tech-
niques SCFC, GTCFC, CFCSS and ECCA for comparison
tests. SCFC is the latest technique that is proposed in this year
(2014). GTCFC is a dedicated CFC technique for pico-
satellites presented by our institute in 2013. CFCSS and
ECCA are classical techniques proposed in 2002 and 1999
respectively, which have been compared in many previous
papers. Therefore, these techniques are representative.
We generate six versions for each benchmark, which are:
(1) The original code.
(2) The code hardened by BGCFC (the proposed technique
in this paper).
(3) The code hardened by SCFC.
(4) The code hardened by GTCFC.
(5) The code hardened by CFCSS.
(6) The code hardened by ECCA.
We evaluate the time and memory overhead by comparing
the increasing ratio of the execution time and memory size of
the hardened programs and with respect to the original ones.
Table 1 shows the comparison results of the time and mem-
ory overhead for each version of benchmark.
Note that the results of MM and FFT hardened by CFCSS
are much lower than the results in the original paper14 because
the ADuC841 lacks the multiplier while MM and FFT employ
heavy multiplications, both the execution time and memoryTable 1 Comparison results of time and memory overhead.
Benchmark x N Time overhead (%)
BGCFC SCFC GTCFC CFCSS
IS 8 12 51.24 134.35 60.73 49.27
QS 8 21 54.35 123.21 59.67 52.13
MM 3 9 14.90 31.76 19.33 14.35
FFT 3 12 13.17 37.54 18.58 12.29
Table 2 Comparison results of error detection rate.
Benchmark Error detection rate (%)
BGCFC SCFC
IS 95.12 93.78
QS 94.51 93.37
MM 93.79 93.06
FFT 93.37 93.44size increase, but the MIPS processor adopted by the original
paper contains a multiplier. Checking instructions inserted by
CFCSS contain only simple XOR and AND operations which
does not increase the execution time and memory size.
Therefore, the increasing ratio of execution time and memory
size decreases accordingly, resulting in that CFCSS has both
low time and memory overhead. SCFC gets large time and
memory overhead because the number of basic blocks N is lar-
ger than 8 (word length of ADuC841), a single operation of the
bitmap needs to be divided into multiple operations, which
increases the time and memory overhead. ECCA leads to large
performance decay due to the numerous multiplications in the
checking instructions, which shows obviously in IS and QS
because these two benchmarks contain no multiplication.
The results of MM and FFT seem better because both bench-
marks and checking instructions contain numerous multiplica-
tions so that the ratios are pulled down. The time overhead of
GTCFC is a little bit larger than CFCSS due to the slow indi-
rect addressing and the extra overhead of virtual basic blocks,
but the memory overhead is signiﬁcantly large due to the linear
memory space complexity. BGCFC is the only one that is com-
parable with CFCSS in both time and memory overhead.
Table 2 shows the comparison results of error detection rate
of each software-based CFC technique. Each version of bench-
mark is injected 10000 errors. Even though the injected errors
are randomized in spite of their classiﬁcations, the large num-
ber of injected errors guarantees that all types of CFEs have
appeared due to the large amount of tests. Actually in the real
aerospace, SEUs also ﬂip the bit randomly so this test is good
for simulating the real environment.6 We have obtained the
results from the counter in CPLD.
The comparison results show that BGCFC can detect over
93% of all injected errors. The undetected injected errors,
which are minority, are data errors or intra-node CFEs.11
BGCFC does not detect them explicitly. In the results,
BGCFC, SCFC and GTCFC achieve high error detection rate,
the detection rate of ECCA is variable and CFCSS manifests
the lousiest result. The reason is explained as follows. For
ECCA, the memory size of inserted checking instructions
exceeds the memory size of the original code. Due to the ran-
domness, bit ﬂips are much more possible to occur in insertedMemory overhead (%)
ECCA BGCFC SCFC GTCFC CFCSS ECCA
319.02 65.45 132.75 222.56 63.75 595.49
302.17 60.28 111.52 214.53 56.21 564.04
54.50 14.80 32.33 26.75 13.45 40.86
51.26 9.93 41.45 25.62 9.33 38.43
GTCFC CFCSS ECCA
89.73 58.13 78.78
91.52 60.35 90.17
91.33 57.71 85.65
92.38 41.39 91.26
Fig. 4 Comparison results of average evaluation factor.
892 H. Wang et al.checking instructions than in the original code, so the result is
unstable. CFCSS lacks checking instructions at the end of
basic blocks, and the XOR operation leads to aliasing problem
for the basic block with multiple predecessors (named branch-
fan-in node in CFCSS14), so the result is lousy. Theoretically,
the error detection capabilities of BGCFC, SCFC and GTCFC
are the same. However, BGCFC, which is proposed in this
paper, achieves the highest error detection rate. There are
two reasons to explain this phenomenon. First, the memory
overhead of BGCFC is the lowest among these three tech-
niques, because of the randomness, the possibility of bit ﬂips
in inserted checking instructions is lower than the others.
Hence, the error detection rate of BGCFC is the highest.
Second, BGCFC ﬁlls the unused memory space with instruc-
tions ‘‘call Error()’’ while others are not, so it further increases
the error detection rate. SCFC manifests better than GTCFC
in the similar result, because the former’s memory overhead
is less than the latter’s and the checking instructions in the
middle of basic blocks help to increase the error detection rate.
Therefore, we can conclude that even though the error detec-
tion rates are the same in theory, the result is inversely propor-
tional to the memory overhead in practice.
Resource constrained small satellites need to detect more
CFEs with less time and memory, so neither the error detection
rate nor time and memory overhead involved alone can reﬂect
the effectiveness of the CFC techniques. We employ an evalu-
ation factor to evaluate the entire effectiveness of the CFC
techniques, which considers all the three factors. Evidently,
both higher error detection rate and lower time and memory
overhead should lead to higher evaluator factor. However,
error detection rate should have a higher weight than time
and memory overhead because the primary goal of CFC tech-
niques is to detect CFEs. Therefore, we set the ratio of weight
of error detection rate rdetection, time overhead toverhead and
memory overhead moverhead to 2:1:1. Note that rdetection is in
the range 0%–100%, whereas toverhead and moverhead are in
the range 0 1, so we cannot simply add rdetection, toverhead
and moverhead. Therefore, we introduce normalized factors for
rdetection, toverhead and moverhead respectively to evaluate their
effectiveness contribution. These factors should positively con-
tribute to the effectiveness and be normalized to the range 0%–
100%. The deﬁnitions of normalized factors are
fðrdetectionÞ ¼ rdetection
fðtoverheadÞ ¼ 1 toverhead=maxðtoverhead;moverheadÞ
fðmoverheadÞ ¼ 1moverhead=maxðtoverhead;moverheadÞ
8><
>: ð10Þ
where max(toverhead,moverhead) is the maximum value of time
and memory overhead in test results. According to the results
in Table 1, max(toverhead,moverhead) = 595.49%. Then we deﬁne
the evaluation factor feval as
feval ¼ 2fðrdetectionÞ þ fðtoverheadÞ þ fðmoverheadÞ ð11Þ
Fig. 4 shows the comparison results of the average evalua-
tion factor of these CFC techniques adopted in test, wherein
BGCFC achieves the highest average evaluation factor. Such
results suggest that BGCFC not only offers a high error detec-
tion rate and performs steadily well for different patterns of
control ﬂows, but also achieves both low time and memory
overhead, so it is applicable for COTS-based small satellites
in practice.Nevertheless, two problems exist in BGCFC in practice.
The ﬁrst one is that time complexity of the ID assignment algo-
rithm presented in Section 3.1 is O(N!), which means a facto-
rial time complexity. Because it obtains the consecutive IDs
by enumerating all permutations of ID 0 to N  1, the total
number of all permutation is N’s factorial. In practice, N is
large (usually >300) so it is very time-consuming.
Fortunately, this algorithm runs on the personal computer
(PC) on ground instead of the OBC of the small satellite.
Thanks to the high performance of current PCs, we can wait
for several hours to obtain the consecutive IDs without affect-
ing the effectiveness of BGCFC. However, it is still inconve-
nient and inﬂexible for this algorithm. Suppose if we run the
algorithm on a large program with thousands of basic blocks,
then probably it will take us several days to obtain the result.
Therefore the main task of future work is to decrease the time
complexity of the ID assignment algorithm to quadratic O(N2)
or linear O(N). The second problem is potential. In case that
there exists a target program whose control ﬂow graph is so
special that IDs are not consecutive enough, the storage den-
sity of the bitmap will be quite low and the bitmap length
may exceed the word length, then the performance of
BGCFC may decay to the level of SCFC and RSCFC.
Currently, we have no way to prove which patterns of control
ﬂow graphs may result in the worst case of the consecutive IDs
theoretically, so it is potential. Fortunately, by far we have not
suffered this problem while performing BGCFC to various real
programs of satellites. Both of the problems are related to
graph theory and we will attempt to resolve them referring
to this theory in future work.
6. Conclusions
(1) The proposed SCFC techniques, BGCFC, simpliﬁes the
types of illegal branches by transforming the control
ﬂow graph into the equivalent bipartite graph. It intro-
duces a bitmap to exploit effective bit-level parallel oper-
ations for verifying the last visited sub-blocks of control
ﬂow at runtime and assigns the consecutive IDs to
reduce the bitmap length.
(2) The effects of bipartite graph, error detection rate, time
and memory overhead of BGCFC are detailedly ana-
lyzed in theory, which manifests that BGCFC can detect
all types of inter-node CFEs with O(1) time complexity
Bipartite graph-based control ﬂow checking for COTS-based small satellites 893and O(1) memory complexity for each basic block. The
results verify the applicability of BGCFC for COTS-
based small satellites in theory.
(3) Test results show that BGCFC can detect more than
93% of randomly injected errors with low time and
memory overhead. Statistics11 show that the minor
undetected errors are data errors or intra-node CFEs.
To consider error detection rate, time and memory over-
head comprehensively, we employ an evaluation factor
to evaluate the effectiveness of CFC techniques.
Compared with the previous preeminent software CFC
techniques, BGCFC achieves the highest score in evalu-
ation factor. The results verify the applicability of
BGCFC for COTS-based small satellites in practice.
(4) In future work, two problems of BGCFC need to be
resolved: the large time complexity of the ID assignment
algorithm and the proof for the worst case of ID assign-
ments in graph theory.
Acknowledgment
The authors would like to give their acknowledgement to the
support from the National Natural Science Foundation of
China and the Fundamental Research Funds for the Central
Universities of China.
References
1. Bouwmeester J, Guo J. Survey of worldwide pico-and nanosatel-
lite missions, distributions and subsystem technology. Acta
Astronaut 2010;67(7):854–62.
2. Baumann RC. Radiation-induced soft errors in advanced semi-
conductor technologies. IEEE Trans Device Mater Reliab
2005;5(3):305–16.
3. Benso A, Di Carlo S, Di Natale G, Prinetto P. Static analysis of
SEU effects on software applications. Proceedings of international
test conference; 2002 Oct 10; Baltimore, MD, USA; 2002. p.500–8.
4. Ohlsson J, Rimen M, Gunneﬂo U. A study of the effects of
transient fault injection into a 32-bit RISC with built-in watchdog.
Proceedings of 22nd international symposium on fault-tolerant
computing; 1992 Jul 8–10; Boston, MA, USA; 1992. p. 316–25.
5. Schuette MA, Shen JP. Processor control ﬂow monitoring using
signatured instruction streams. IEEE Trans Comput
1987;100(3):264–76.
6. Sinclair D, Interplanetary S, Dyer J. Radiation effects and COTS
parts in smallsats. Proceedings of 27th annual AIAA/USU confer-
ence on small satellites; 2013 Aug 10–15; Logan, UT, USA; 2013.
p. 1–12.
7. Austin TM. DIVA: a reliable substrate for deep submicron
microarchitecture design. Proceedings of 32nd annual international
symposium on microarchitecture; 1999 Nov 16–18; Haifa; 1999. p.
196–207.
8. Rajabzadeh A, Miremadi SG. CFCET: a hardware-based control
ﬂow checking technique in COTS processors using execution
tracing. Microelectron Reliab 2006;46(5):959–72.
9. Ragel RG, Parameswaran S. Hardware assisted pre-emptive
control ﬂow checking for embedded processors to improvereliability. Proceedings of the 4th international conference on
hardware/software codesign and system synthesis; Seoul, Korea;
2006. p. 100–5.
10. Asghari SA, Taheri H, Pedram H, Kaynak O. Software-based
control ﬂow checking against transient faults in industrial
environments. IEEE Trans Indust Inf 2014;10(1):481–90.
11. Yang M, Wang H, Zheng Y, Jin Z. Graph-tree-based software
control ﬂow checking for COTS processors on pico-satellites. Chin
J Aeronaut 2013;26(2):413–22.
12. Li A, Hong B. On-line control ﬂow error detection using
relationship signatures among basic blocks. Comput Electr Eng
2010;36(1):132–41.
13. Goloubeva O, Rebaudengo M, Reorda MS, Violante M. Soft-
error detection using control ﬂow assertions. Proceedings of 18th
IEEE international symposium on defect and fault tolerance in VLSI
systems; 2003 Nov 3–5; 2003. p. 581–8.
14. Oh N, Shirvani PP, McCluskey EJ. Control-ﬂow checking by
software signatures. IEEE Trans Reliab 2002;51(1):111–22.
15. Alkhalifa Z, Nair VS, Krishnamurthy N, Abraham JA. Design
and evaluation of system-level checks for on-line control
ﬂow error detection. IEEE Trans Parallel Distrib 1999;10(6):
627–41.
16. Zhang Y, Zheng Y, Yang M, Li H, Jin Z. Design and
implementation of the highly-reliable, low-cost housekeeping
system in the ZDPS-1A pico-satellite. J Zhejiang Univ Sci C
2012;13(2):83–9.
17. Yang M, Wang H, Wu C, Wang C, Ding L, Zheng Y, et al. Space
ﬂight validation of design and engineering of the ZDPS-1A pico-
satellite. Chin J Aeronaut 2012;25(5):725–38.
18. Olivieri SJ, Aarestad J, Pollard LH, Wyglinski AM, Kief C, Erwin
RS. Modular FPGA-based software deﬁned radio for
CubeSats. Proceedings of IEEE international conference on
communications (ICC); 2012 Jun 10–15; Ottawa, ON, Canada;
2012. p. 3229-33.
19. Golumbic MC. Algorithmic graph theory and perfect graphs. New
York: Elsevier; 2004.
20. Oh N, Shirvani PP, McCluskey EJ. Error detection by duplicated
instructions in super-scalar processors. IEEE Trans Reliab
2002;51(1):63–75.
21. Oh N, Mitra S, McCluskey EJ. ED4I: error detection by diverse
data and duplicated instructions. IEEE Trans Comput
2002;51(2):180–99.
22. Ferdinand C, Heckmann R, Langenbach M, Martin F, Schmidt
H, Theiling H, et al. Reliable and precise WCET determination
for a real-life processor. In: Henzinger TAKC, editor. Embedded
software lecture notes in computer science. Tahoe City,
CA: Springer; 2001. p. 469–85.
23. Heidt H, Puig-Suari J, Moor A, Nakasuka S, Twiggs R. CubeSat:
A new generation of pico-satellite for education and industry low-
cost space experimentation. Proceedings of the 14th annual AIAA/
USU conference on small satellites; 2000 Aug 21–24; Logan, Utah;
2000. p.113–6.
Wang Honghao is currently a Ph.D. candidate in Micro-satellite
Research Center, Zhejiang University. His main research interests are
software architecture, on-orbit software maintenance and software
reliability for composite electronic system of small satellites.
Wang Huiquan is currently an associate professor in Micro-satellite
Research Center, Zhejiang University. His main research interests are
MEMS, NEMS and micro-satellite technology.
