Modular Injection System and Sampling Template (M.I.S.S.T)
Design Report
Computer Engineering
California Polytechnic State University, San Luis Obispo

Froylan Aguirre
June 2018

Abstract
Digital systems are ubiquitous throughout modern life and their applications continue to grow. Thus system
designers engineer and test modular systems to mitigate error rates. Smaller systems and their increasing importance in many applications demand the utmost reliability. Fault injection is the most common
method used by researchers and engineers to test system reliability. However, most hardware fault injection implementations are ad hoc and only used to test a specific system or for specific tests. There is also
software-implemented fault injection that adds overhead in the benchmark source code. The aim of this
project is to develop a general use, fault injection hardware module that can be integrated into a digital
system. This module would be easy to use and flexible for most reliability testing. This document explains
the design of such a system.

Chapter 1

Overview
1.1

Introduction

The Modular Injection System and Sampling Template (M.I.S.S.T) is intended to be used as a SoC fault
injector for a bus-based system architecture like most micro-processors today. MISST is able to run fault
campaigns composed of a series of fault injections to a target DUT followed by sampling data from the DUT.
After every sampling event, MISST resets the DUT to repeat the process with different faults. Users can
configure MISST fault injection and sampling behavior via a memory mapped interface.

1.2

High Level Structural Overview

A high level view of a MISST core use case is shown in Figure 1.1. The MISST system is intended to be
system independent, that is, not tied to any particular development board. However, the manner in which
the MISST system communicates with a terminal device (generally a PC) will be board dependent and
specific to a use case. Therefore the adapter module’s responsibility is to act as an adapter between the
MISST and the PC and DUT.
For most use cases, the MISST system will be connected to an adapter that handles communication with
a DUT, usually an AMBA-based digital system, and a PC. A user configures the MISST system through
the PC by writing to configuration registers on the MISST core. During a fault injection campaign, a user
will receive sample data on the PC.

1

Figure 1.1: High Level View of a Use Case

1.3

Original Implementation

The MISST was originally developed on a PYNQ-Z1 Digilent development board using Vivado Xilinx tools.
The PYNQ-Z1 board contains a ZYNQ 7000 family IC with a Cortex-A9 processor integrated with an Artix-7
equivalent FPGA [1]. See chapter 7 for PYNQ-Z1 board implementation details.

2

Chapter 2

MISST Module Overview
Overall system design schematics shown in Figure 2.1. The MISST core and supplemental modules are
implemented in the FPGA fabric, and the Cortex hard processor being outside of the fabric. The AXI slave
interface is not part of the core system modules, but specific to the PYNQ implementation. However, how
the AXI slave connects to the system core and its required functionality are part of a standard explained
in 7.3. The AXI slave interface is an example of an adapter module used to communicate with the MISST
system independent of implementation.

Figure 2.1: High Level Implementation Architecture for Original Implementation

3

The MISST core logic is responsible for timing injections and sampling. It has three main modules:
the Fault Parameters, an ALU, and the Control Unit. The Fault Parameters module is essentially memory
holding information used to generate faults. The ALU is directly connected to the Fault Parameters module.
The ALU is in charge of random number generation and changing the values saved in Fault Parameters.
The Control Unit communicates with external modules and controls the ALU and Fault Parameter modules.
The Control Unit is where MISST’s basic behavior is implemented. Figure 2.2 shows how the three modules
are connected.

Figure 2.2: MISST Core System Interconnect. The AXI Slave is not part of the core system.

4

2.1

Task Flow

After the core and Adapter module have been implemented on an FPGA, the MISST system enters setup
mode. In this state, the user can configure system registers listed in Table 2.1. Once the user has configured
MISST registers, the fault campaign begins. The general task flow for MISST is detailed in Figure 2.3. An
injection or sample occurs when certain timers (see section 5.2) timeout. If the injection and sampling timers
timeout at the same time, sampling has priority.

Figure 2.3: General Task Flow for MISST

5

2.1.1

Fault Generation

Injecting a fault involves three main steps:
1. Retrieve DUT ADDR value from Fault Parameters module.
2. Sample data at address DUT ADDR in the DUT memory space.
3. Create fault data to inject from sampled data.
4. Change fault parameters and save new INJ TIME value in fault timer register.
5. Inject fault.
6. Once acknowledgment from Adapter module has been received, resume the counters.
In this section, step 5 will be explained. Every time a fault injection occurs, new parameters for the next
injection are generated by using deterministic or random operations provided by the ALU. Fault parameters
can change between every injection or change between a certain number of injections. Adding another layer
of complexity, multiple fault parameters can be scheduled to change in different ways. For example, all
three fault parameters can be configured to change for every fault request. Another possible scenario is that
the dut addr fault parameter changes on every fault request and the flt oprnd changes every three times
dut addr has been changed. When dut addr has been changed three times, it will revert to an initial value
or ’initialized’. When a fault parameter changes, but not initialized, it has been ’updated’. In this example,
flt oprnd would be on level 2, and dut addr on level 1.
Each fault parameter is assigned a level that represents how it changes. Level 2 fault parameters update
every time an injection occurs. Level 1 fault parameters update every time level 2 fault parameters are
initialized. Level 0 fault parameters update every time level 1 parameters are initialized. It is crucial that
if a level is meant to change throughout a fault campaign, that its lower levels (level 2 is the lowest level)
are not constants.
A level’s cycle length is the number of values in an initialize-update cycle. For example, a cycle length
of 3 means that a fault parameter is initialized, updated, updated, and then the cycle is repeated again. A
cycle length of two means that the fault parameter is initialized every other change. A cycle length of 1
means that the parameter does not change. A cycle length of 0 means that the parameter updates every
time a fault generation is requested, like level 2. A cycle length of 0 should be used for randomly generated
fault parameters.
Randomly Generated Injection Time
Extra caution should be taken when injection time is configured to be generated randomly. Since injection
time can’t be predicted in advance, not all faults within a set can be injected before sampling occurs. All
faults in a set must be injected before sampling to avoid injection and sampling at the same time. The
MISST system doesn’t explicitly enforce each set to have the same number of injects before sampling so the
MISST system should be configured with that in mind.
It’s recommended that if injection time is randomly generated, sets be limited to only one fault. Configure
the appropriate bounds for this injection time so that it occurs before sampling time. If multiple randomly
generated injection time faults are desired, set the maximum value to the quotient of the sampling time and
the number of injections per set. This should avoid any sampling or injection collisions.

6

Fault Generation Example
To illustrate fault generation, we will provide the following example.
A MISST system is configured as follows:
• Level 2 is dut addr parameter with a cycle length of 2. It is initialized to a value A0 .
• Level 1 is flt oprnd parameter with a cycle length of 3 also. It is initialized to a value B0 .
• Level 0 is inj time parameter with a cycle length of 1 so it stays constant at a value C.
As the fault parameters are changed during every injection process, the pattern in Figure 2.4 emerges.
In this example, the fifth fault would inject at address A0 using value B2 for flt oprnd, C clock cycles after
the previous injection.

Figure 2.4: Fault Generation Example Timeline
Actual test cases won’t be as repetitive, and would involve longer cycle lengths.

2.1.2

Fault Generation and Sampling Synchronization

MISST considers a set to have completed after a successful sampling process initiated by the sampling timer
timeout (see section 5.2). MISST does not check if during a set any faults were injected, and does not enforce
that each set have the same number of fault injections. Between DUT resets, the fault and sampling timer’s
count is reset to 0, but each timer’s timeout value is left the same.
Generating faults in this manner allows the user flexibility to configure which faults are included within
sets. Referring back to the example in section 2.1.1, if a user wants each set to have two faults so that the
level 1 parameter changes after a sampling event, the user should set C (the inj time) no less than a third
the sampling time and no more than half the sampling time. Another possibility is that each set contains
three faults. In that case, faults 1 to 3 would be in the first set, faults 4 to 5 in the seconds, and so on.

7

2.1.3

Sampling-based Shutdown

Sampling-based shutdown refers to ending a fault injection campaign based on the value of sampled data.
If two locations are sampled, then the decision to shut down is based on the first sample. If MISST is
configured to sample two locations, but sampling-based shutdown occurs, the second sample data will not be
sent to the user. With the sampled value and the value in register sample shutdown value, there are three
ways MISST evaluates sampling-based shutdown:
• MISST shutdowns if sampled value equals sample shutdown value.
• MISST shutdowns if result of bitwise AND between sampled value and sample shutdown value is zero.
• MISST shutdowns if result of bitwise XOR between sampled value and sample shutdown value is zero.

2.2

Memory Organization

MISST memory uses byte length addressing to write to different registers spread throughout the system
core and the adapter module. There are three places where MISST addressable registers are implemented;
in Fault Parameters, in Control Unit, and in the Adapter module. Table 2.1 explains each register’s role in
MISST. The address structure of Fault Parameters is different from the registers implemented in Control
Unit and Adapter modules. See Section 3.2 for more details on the Fault Parameter addresses.
Table 2.1: Complete Register Summary.
In the Read/Write column, 0 means used internally by system.
Address: Name Read/Write
Description
0x01 start inj W
If the value 0xAABBCCDD is written to this register, a fault injection campaign will start.
0x02 stop inj W
If the value 0xFFEEDDCC is written to this register, the fault injection campaign will stop.
0x03 fault timer W
The number of clock cycles until a fault is injected into the DUT.
0x04 sampling timer W
The time to sample after the last DUT reset measured in DUT clock cycles.
0x05 setNumCounter W
Maximum number of sets. This register is incremented after every sampling. Mainly used as a fail safe to
stop MISST system after some failure has caused it to continue execution longer than expected.
0x06 triggerPosCU W
Holds trigger position inputs for cyc cnt modules. See Figure 5.1 for reference.
0x07 dut addr init W
Initialization DUT ADDR value. The value that DUT ADDR is set to after an initialization event. In the
case that the DUT ADDR fault parameter is constant, this register is unused.
0x08 inj time init W
Initialization INJ TIME value. The value that INJ TIME is set to after an initialization event. In the case
that the INJ TIME fault parameter is constant, this register is unused.

8

Table 2.1: Complete Register Summary continued.
Address: Name Read/Write
Description
0x09 flt oprnd init W
Initialization FLT OPRND value. The value that FLT OPRND is set to after an initialization event. In the
case that the FLT OPRND fault parameter is constant, this register is unused.
0x0A sample dataA 0
Sampled data is saved here.
0x0B cont after inj 0
When 0x1F1F1F1F is written here, MISST is ready to continue after a fault injection.
0x0C sys status R
MISST system status. This register resides in the Adapter module (see chapter 6).
• bit 0: Set if system is executing an injection campaign, otherwise zero.
• bit 1: Set if system is sampling data that must be sent to user. Cleared after write to sample dataA
register.
• bit 2: Set if system is sampling data that will not be sent to user. Cleared after write to sample dataA
register.
• bit 3: Set if system requests a fault injection. Cleared after the correct value is written to cont after inj.
• bit 4: Set if DUT must be reset.
• bit 5: Set if two samples are taken. Otherwise zero.
• bit 6: Set if MISST is in setup mode.
• Other bits remain unused.
0x0D dut addr cyc len W
The cycle length of DUT ADDR. At the beginning of each cycle, DUT ADDR will be set to its initial
value. A value of 1 means that DUT ADDR will never change. A value of 0 means that for every new
fault generated, DUT ADDR will always be changed to a new value (this setting mainly used with random
changes).
0x0E inj time cyc len W
The cycle length of INJ TIME. At the beginning of each cycle, INJ TIME will be set to its initial value. A
value of 1 means that INJ TIME will never change. A value of 0 means that for every new fault generated,
INJ TIME will always be changed to a new value (this setting mainly used with random changes).
0x0F flt oprnd cyc len W
The cycle length of FLT OPRND. At the beginning of each cycle, FLT OPRND will be set to its initial
value. A value of 1 means that FLT OPRND will never change. A value of 0 means that for every new
fault generated, FLT OPRND will always be changed to a new value (this setting mainly used with random
changes).
0x10 sampling addrA W
Address to sample in DUT memory space.

9

Table 2.1: Complete Register Summary continued.
Address: Name Read/Write
Description
0x11 sampling addrB W
Address to sample in DUT memory space.
0x12 general config W
General system configuration. Configures MISST high level behavior.
• bit[1:0] Selects fault parameter for Level 2. See (2.1.1) for level explanation. See Table 3.1 for fault
parameter values (the two least significant bits).
• bit[3:2] Selects fault parameter for Level 1. See (2.1.1) for level explanation. See Table 3.1 for fault
parameter values (the two least significant bits).
• bit[5:4] Selects fault parameter for Level 0. See (2.1.1) for level explanation. See Table 3.1 for fault
parameter values (the two least significant bits).
• bit[6] If set, two locations will be sampled every time the sampling timer timeouts.
• bit[7] If set, MISST shutdowns if ALU experiences a non-random range violation during fault generation.
• bit[9:8] Determines how MISST will shutdown based on sample taken. If two samples are taken, the
decision is based on first sample.
– b00 Shutdown is not based on sample value.
– b01 MISST shutdowns if sample equals value stored in sample shutdown value register.
– b10 MISST shutdowns if the resulting value of a bitwise AND between sample value and sample shutdown value register is 0.
– b11 MISST shutdowns in a similar fashion as the previous, but with a bitwise XOR operation.
0x13 sample shutdown value W
Value used for sample based shutdown.
0xC0 dut sample addr 0
Address to be sampled. This is implemented in the Adapter module. See Table 7.1.
0xC1 dut inj addr 0
Address of injection. This is implemented in the Adapter module. See Table 7.1.
0xC2 dut data out 0
Data to be written to DUT. This is implemented in the Adapter module. See Table 7.1.
0xC3 w reg addr W
MISST register address. This is implemented in the Adapter module. See Table 7.1.
0xC4 w data W
Write data for MISST core. This is implemented in the Adapter module. See Table 7.1.

10

Chapter 3

Fault Parameters Module
The main role of this module is to store the fault parameters, and provide associated data to the ALU for
fault generation (see section 2.1.1). There are three fault parameters and they are listed in Table 3.1. How
fault parameters affect a set of faults is shown by Figure 3.1.

Figure 3.1: Fault Parameters on Set Timeline

11

3.1

Structure

The Fault Parameters module is a collection of three submodules (one for each fault parameter) called a
grouping. Each grouping contains five registers related to the fault parameter referred to as an element.
Table 3.1 explains each fault parameter, and Table 3.2 describes each element in a grouping. Figure 3.2
details how groupings are connected.

Figure 3.2: Fault Parameters Structure

12

3.2

Address Scheme

When the three most significant bits are b100, the address refers to memory in the Fault Parameters. The
address has two parts: the two least significant bits refer to a fault parameter, and the next three bits refer
to a fault parameter element. Tables 3.1 and 3.2 explain the possible addresses.
Table 3.1: Fault Characteristic Registers. The ’X’ denote ”don’t cares”.
Address
0b100X-XX00
0b100X-XX01

Name
DUT ADDR
INJ TIME

0b100X-XX10

FLT OPRND

Description
Current value of injection address in DUT memory space.
Current value of injection time. Injection time is measured
as the number of DUT clock cycles since the previous fault
injection or DUT reset if this will be first fault in a set.
Short for fault operand. Depends on type of fault. For a
SEU, it’s the bit mask of bits to invert. For additive error
model, it’s the additive error.

Table 3.2: Fault Parameter Element Summary. The ’X’ denote ”don’t cares”.
Address
0b1000-00XX
0b1000-01XX

Suffix
NAME
OPRND

0b1000-10XX

OP

0b1000-11XX
0b1001-00XX

MIN
MAX

Description
Value of associated fault parameter.
Operand for arithmetic operation used when changing the
value of the fault parameter.
Arithmetic operation to change fault parameter. Unlike
the other elements which are 4 bytes, this element is a nibble. NOP (no operation) function denotes a constant fault
parameter.
Minimum possible value of fault parameter, inclusive.
Maximum possible value of fault parameter, inclusive.

13

3.3

Port Descriptions
Table 3.3: Fault Parameters Port Descriptions
Port Name
data in [31:0]
addr [4:0]
wr en
wr
var out [31:0]
oprnd out [31:0]
alu op out [3:0]
min val out [31:0]
max val out [31:0]

Description
Write input data bus.
Address input bus. Addresses explained in section 3.2.
A chip enable. Must be high for element values to output.
Write enable on rising edge.
NAME element for currently selected grouping.
OPRND element for currently selected grouping.
OP element for currently selected grouping.
MIN element for currently selected grouping.
MAX element for currently selected grouping.

14

Chapter 4

The ALU
4.1

Mathematical Operations

The ALU changes fault parameters based on a fault parameter’s elements. Other than providing common
arithmetic operations, the ALU provides random number generation. The operation is chosen through the
func sel input port as a nibble. These values are shown in Table 4.1.
Table 4.1: ALU Op-Codes
Code
0x0
0x1
0x2
0x3
0x4
0x5
0x6
0x7
0x8
0x9
0xA
0xB
0xC
0xD

Operation
no operation
addition
increment
decrement
left shift
right shift
OR
AND
subtraction
unimodal Gaussian
uniform uniform
uniform average
bimodal Gaussian
random bit flip

Result
Outputs input to oprnd a port.
The sum of oprnd a and selected second operand.
The value of oprnd a incremented by one.
The value of oprnd a decremented by one.
Single left shift of oprnd a.
Single right shift of oprnd a.
Bitwise OR of oprnd a and selected second operand.
Bitwise AND of oprnd a and selected second operand.
Difference between oprnd a and selected second operand.
A random number with a unimodal, Gaussian distribution.
A random number with a uniform distribution with no variance.
A random number with a uniform distribution with some variance.
A random number with a bimodal, Gaussian distribution.
Inverts a single, randomly selected bit in the least significant byte of oprnd a.

15

4.2

Random Number Generation

The ALU contains a module called noise gen to generate random numbers with specified distributions. The
VHDL source code for this module is originally from [2]. The noise gen module generates random values
using linear feedback shift registers. The four possible distributions generated are shown in Figure 4.1 for
16-bit random numbers.
The noise gen module has two outputs, Gaussian and uniform, that produce random numbers. Each of
these outputs have two subtypes. To produce all four possible distributions, the ALU has two noise gen
modules. However, at the moment they produce 16-bit numbers. Unfortunately, noise gen is not scalable
because of the properties of linear feedback shift registers.

Figure 4.1: Distribution Tests for 16-bit Random Number Generation

16

4.3

Port Descriptions
Table 4.2: ALU Port Descriptions
Port Name
oprnd a in [31:0]
oprnd b in [31:0]
oprnd c in [31:0]
min res in [31:0]
max res in [31:0]
func sel in [3:0]
oprnd sel in
clk in
range vio out
rand range vio out
op res out [31:0]

Description
Operand A. This operand is used in single operand operations.
Operand B.
Operand C. The optional operand selected by setting oprnd sel in.
Lower bound (inclusive) for ALU result.
Upper bound (inclusive) for ALU result.
Selects ALU operation. See Table 4.1 for op-codes.
If set, oprnd c in is the second operand, otherwise the second operand is
oprnd b in.
Clock input.
Set if ALU result for a non-random operation is not between the values of
min res in and max res in.
Set if ALU result for a random operation is not between the values of
min res in and max res in.
Result of selected operation.

17

Chapter 5

The Control Unit
The Control Unit is responsible for MISST high level behavior. This includes:
• Fault parameter generation.
• Sampling scheduling.
• Injection scheduling.
• External communication via Adapter module.
• Writing to registers.

5.1

Structure

To carry out the aforementioned tasks, the Control Unit is implemented using three modules; the register
control, the memory interconnect, and the injection campaign finite state machine (ICF). These modules and
their interconnections are detailed in Figure 5.1. Note that registers are represented as rectangles labeled
with the register’s name. All these registers are implemented in the memory interconnect submodule. Figure
5.1 also shows three cycle counter modules (labeled cyc cnt#). Cycle counter modules count cycles of a signal
and are further explained in section 5.1.1. Cycle counter 0 counts DUT clock cycles until a fault injection
occurs. Cycle counter 1 counts DUT clock cycles until a sampling event occurs. Cycle counter 2 counts the
number of sets (essentially the number of sample events) until the maximum number of sets to shut down.

18

Figure 5.1: Control Unit Implementation

19

5.1.1

Cycle Counter Module

The cycle counter module is especially designed for use in MISST. The cycle counter module simply counts
rising edges of the input signal on clk in port until the number of rising edges hits a given value. Table 5.1
explains the role of each port.
Table 5.1: Cycle Counter Ports
Port
max count in [31:0]
trigger pos in [1:0]

Polarity
input
input

Description
Maximum number of cycles to count.
When the counter hits the maximum cycle count, this value determines on which edge of clk in the port trigger out asserts. See
Figure 5.2 for a timing diagram.
• b00 trigger out asserts on first rising edge (aka front edge)
of clk in.
• b01 trigger out asserts on first falling edge (aka middle edge)
of clk in.
• b10 trigger out asserts on last rising edge (aka back edge)
of clk in. This option essentially delays trigger out by one
clock cycle.
• b11 trigger out never asserts

start count in
clk in

input
input

trigger out

output

Resets count to zero.
A rising edge increments count. Named clk in because this module
is generally used to count clock cycles.
A rising edge indicates that the number of counts exceeds the
value of man count in.

The trigger pos in port controls on which edge of the clk in signal the trigger out port will assert. Figure
5.2 shows the timing diagram of a counter with a max count value of three. Note that the start cnt in input
doesn’t have to be kept high, but in this instance it is. The cycle counter multiplexes between the three
internal signals front edge s, back edge s, and middle edge s for the trigger out output. All three signals
assert during the third cycle of clk in, but they differ during which edge of that cycle they assert. For
example, middle edge s asserts on the middle edge (the falling edge) of the third cycle of clk in.

5.1.2

Register Control

The register control module is responsible for processing incoming and outgoing data between the MISST
core and the Adapter module. Table 5.2 describes the ports of the register control module.
The register control module receives data from the Adapter module and forwards it to the memory
interconnect. Register control also receives data from the ICF module (see section 5.1.4) for fault injection
and sampling. Note than in Table 5.2 the module distinguishes between two types of sampling: sampling
data to corrupt and use in upcoming fault injection (sample inject), and sampling data to send to user
(simply referred to as sampling).

20

Figure 5.2: Different Types of Trigger Position
Table 5.2: Register Control Port Descriptions
Port Name
p data in [31:0]
p addr in [7:0]
p read in
campaign done in
data ICF in [31:0]
addr ICF in [31:0]
ICF sample in
ICF samp inj in
ICF inject in
clk in
reset in
p data out [31:0]
p addr out [7:0]
p write out
data to regs out [31:0]
addr to regs out [7:0]

Description
Data bus for incoming data to MISST core. Part of the Adapter-Core
Interface (see section 7.3).
Address bus for incoming data to MISST core. Part of the Adapter-Core
Interface (see section 7.3).
A logic high during a rising edge of clk in initiates a read of address and
data buses from Adapter module (see section 7.3).
Rising edge signals end of fault campaign.
Data from the ICF module (see section 5.1.4) to be sent to Adapter
module.
Address in DUT address space for injection or sampling from the ICF
module (see section 5.1.4) to be sent to Adapter module.
Initiates a sampling operation on a rising edge. Sampled data is sent to
the user via the Adapter module.
Initiates a sampling operation on a rising edge. Sampled data is not sent
to the user. This port used when retrieved data for a fault injection.
Initiates a fault injection on the rising edge.
Clock input.
Initializes registers to zero on rising edge.
Data bus for outgoing data to MISST core. Part of the Adapter-Core
Interface (see section 7.3).
Address bus for outgoing data to MISST core. Part of the Adapter-Core
Interface (see section 7.3).
A logic high during a rising edge of clk in initiates a write of address and
data buses to Adapter module (see section 7.3).
Data bus to memory interconnect module.
Address bus to memory interconnect module.

21

Table 5.2: Register Control Port Descriptions Continued
Port Name
write data out
campaign status out
sampling out

samp inj out

injection out

resume out

5.1.3

Description
Rising edge enables write to MISST registers.
High during a fault injection campaign, and low when MISST is idle or
during setup.
A high value signals that sampling is in progress and that MISST is waiting for incoming data. Part of the Adapter-Core Interface (see section
6). Cleared when sampling data received.
A high value signals that sampling (specifically for retrieving data in
preparation for a fault injection) is in progress and that MISST is waiting
for incoming data. Part of the Adapter-Core Interface (see section 6).
Cleared when sampling data received.
A high value signals that MISST is in the process of injecting a fault
and that MISST is waiting for incoming data. Part of the AdapterCore Interface (see section 6). Cleared when the cont after inj register
is written with proper value signaling injection process completion and
DUT execution resume (see section 2.1).
A rising edge signals that MISST can resume execution after sampling
(for user data or for injection data), DUT reset, or fault injection.

Memory Interconnect

The memory interconnect module has two roles: implement Control Unit registers, and pass on Fault
Parameter data. The memory interconnect module receives data from the register control and ICF modules.
If a write to the same address at the same time occurs, the data from the ICF takes precedence. Table 5.3
describes the ports of the memory interconnect module, but the register outputs are excluded. The only
registers not implemented in the memory interconnect module are listed below:
• Fault Parameter registers (see section 3.2).
• start inj implemented in register control module.
• stop inj implemeneted in register control module.
• cont after inj implemeneted in register control module.
• sys status implemented in Adapter module.
The registers implemented in the register control module do not store data to be used at a later time,
but are used to signal specific events. For example, the start inj register is used to signal the start of a fault
campaign.

22

Table 5.3: Memory Interconnect Port Descriptions
Port Name
data from reg cntrl in [31:0]
addr from reg cntrl in [7:0]
data from ICF in [31:0]
addr from ICF in [7:0]
w en ICF in
w en cntrl regs in
reset in
clk in
ato fp out [4:0]
dto fp out [31:0]
w en fp out

Description
Data bus from register control module.
Address bus from register control module.
Data bus from ICF module.
Address bus from ICF module.
Write enable on rising edge for ICF data.
Write enable on rising edge for control register data.
Resets all registers to 0.
Clock input.
Fault Parameter address bus. Connected to the Fault Parameter’s input
address bus (see chapter 3).
Fault Parameter data bus. Connected to the Fault Parameter’s input
data bus (see chapter 3).
Write enable in rising edge for data bound to Fault Parameter module.

23

5.1.4

Injection Campaign FSM (ICF)

The Injection Campaign FSM (ICF) is responsible driving other modules to implement high level logic. It
implements the logic for the following processes:
• Fault injection.
• Data sampling for user.
• Data sampling in preparation for fault injection.
• Timer reset after timeout (for both sampling and injection timers).
• Fault generation using fault gen module. Refer to section 2.1.1 for high level description of fault
generation. Refer to section 5.1.5 for information on fault gen module.
Essentially, this module is a finite state machine that transitions between states when sampling timer
timeouts, injection timer timeouts, or on rising edge of resume in port. The FSM that controls a fault
campaign is shown in Figure 5.3. Table 5.4 describes ICF IO ports.

Figure 5.3: ICF Control State Diagram
A description of each state are listed below.
• SETUP: MISST registers are configured with desired values by user.
• WAIT INJ OR SAMP: DUT runs while MISST waits for the injection and the sampling timers to
timeout.
• FIRST SAMPLE: Retrieves the first sample. Value based shutdown is also evaluated here (see section
2.1.3 for more information).
24

• SECOND SAMPLE: Retrieves the second sample if two samples will be taken.
• DUT RESET: DUT is reseted in preparation for a new run with a different group of faults.
• FAULT SAMP: Sample the fault location.
• FAULT GEN: Generate a new fault and calculate corrupted data to inject. This process mainly takes
place in the fault gen module.Refer to section 2.1.1 for high level description of fault generation. Refer
to section 5.1.5 for information on fault gen module.
• FAULT INJ: Injecting fault into target DUT.
Table 5.4: ICF Port Descriptions
Port Name
start campaign in
resume in
alu data in [31:0]
alu range vio in
alu rand range vio in
reset in
fault trigger in
sampling trigger in
set cnt trigger in
clk in
samp inj start out

sample start out
inj start out

data to regs out [31:0]

addr to regs out [31:0]

write data out

Description
A rising edge starts a fault injection campaign.
A rising edge signals state transition after an injection or sampling.
Output from ALU module.
High if ALU experiences a range violation on a non-random operation
(see Table 4.2).
High if ALU experiences a range violation on a random operation (see
Table 4.2).
Resets registers and ICF state.
A rising edge initiates a fault injection.
A rising edge initiates sampling a single address on DUT. The data
sampled is sent to user.
A rising edge signals that the maximum number of sets has been met
and to end the current fault injection campaign.
Clock input.
Rising edge initiates data sampling without sending data sampled to
user. Kept high during sampling and cleared on rising edge of resume in.
This is used for reading data at injection location.
Rising edge initiates data sampling to send data to user. Kept high
during sampling and cleared on rising edge of resume in.
Rising edge initiates data injection using current fault parameters. Kept
high during sampling and cleared on rising edge of resume in. This is
used for reading data at injection location.
Data bus to register control and memory interconnect. Data headed to
register control module will be injected into DUT during fault injection.
Data headed to memory interconnect will be written to a Control Unit
register.
Address bus to register control and memory interconnect. Addresses
sent to memory interconnect only use least significant byte and represents address of register. Addresses sent to register control represent an
address in the DUT for injection or sampling.
A write enable on rising edge for memory interconnect.

25

Table 5.4: ICF Port Description Continued.
Port Name
fp wr out
fp wr en out
mux0 sel out

alu oprnd sel out
mux1 data out [31:0]
mux1 sel out

reset fault cnt out
reset sampling cnt out
reset set cnt out
dut clk disable out
campaign done out

Description
A write enable on rising edge for Fault Parameter module.
An active high chip enable for Fault Parameter module.
Output to mutliplexer. If low, alu op out of Fault Parameter module
outputs to func sel of the ALU. If set, func sel is connected to ALU-Fault
Parameter bus. This bus can be driven by mux1 data out if mux1 sel out
is set.
Drives oprnd sel input of the ALU (see Table 4.2).
Data input for mux1(see Figure 2.2).
Drives selection input of mux1 (see Figure 2.2). When low, the ALU
output op res drives the ALU-Fault Parameters bus. When high,
mux1 sel out drives the ALU-Fault Parameters bus.
Resets fault timer after a successful fault injection.
Resets sampling timer after a successful sampling.
Resets set counter after a timeout, but before MISST enters setup mode.
If high, disables DUT clock input to fault and sampling timers.
Rising edge signals end of injection campaign.

26

5.1.5

The fault gen Module

This module implements the logic described in section 2.1.1. The module is implemented as three cycle
counters in series and the first cycle counter in the chain being incremented for every generation request.
Initializations are started when a level’s associated timer timeouts. Updates are started when a level’s
associated cycle counter increments.
Table 5.5: fault gen Port Descriptions
Port Name
gen request in
reset in
clk in
rand range vio in
lvl2 cyc len in [31:0]
lvl1 cyc len in [31:0]
lvl0 cyc len in [31:0]
lvl2 addr in [7:0]
lvl1 addr in [7:0]
lvl0 addr in [7:0]
done out
addr out [7:0]
w fp out
wen fp out
init on out
mux sel out [1:0]

5.2

Description
Initiates fault generation on rising edge.
Resets counters and registers on rising edge.
Clock input.
Connected from rand range vio output of ALU (see Table 4.2).
Cycle length of level 2.
Cycle length of level 1.
Cycle length of level 0.
Level 2 fault parameter name address (see section 3.2).
Level 1 fault parameter name address (see section 3.2).
Level 0 fault parameter name address (see section 3.2).
Rising edge signals to ICF that fault generation is complete.
Current fault parameter being updated.
Connected to write enable for Fault Parameter module.
Connected to chip enable for Fault Parameter module.
Set during an initialization operation. Cleared when operation is complete.
Level being initialized. Outputs 0b00 (level 1), 0b01 (level 2), 0b10 (level
3), and 0b11 (nothing selected) sequentially as each level is updated.

Fault Timer, Sampling Timer, and Set Counter

During a fault campaign, the Control Unit responds to the timeouts of the three timers shown in Figure 5.1.
Module cyc cnt0 counts the number of DUT clock cycles until a fault injection, and is reset by the ICF after
fault injection is completed. Module cyc cnt1 counts the number of DUT clock cycles until sampling, and is
reset by the ICF after sampling is completed. Module cyc cnt3 counts the number of sets completed so far.
When this timer reaches its maximum value, the fault campaign is over. Whenever any of these counters
timeout, the ICF takes the appropriate actions to execute the timer’s associated action.
All three modules are instances of the cycle counter module. Refer to section 5.1.1 for more information
on the cycle counter.

27

Chapter 6

Adapter Module
The main purpose of the Adapter module is to provide an interface for the MISST core to communicate
externally with a DUT or an intermediary module. In the case of the Original Implementation, for example,
the Adapter module consists of an AXI slave module controlled by a Cortex processor. It is the user’s
responsibility to implement this module for their specific DUT.
For any implementation, the Adapter module is required to have certain ports and functional requirements. The required ports are listed in Table 6.1. Using these ports, the adapter module can fill in the
required bit-fields for the required register sys status. The bit-fields of sys status are shown in Table 6.2. The
reasoning for requiring sys status is that the adapter class needs to be aware of MISST high level behavior
to properly coordinate traffic between the PC, MISST, and target DUT. For instance, the Adapter module
needs to be aware if MISST is configured to send one or two samples to the user.
Table 6.1: Required Adapter Ports
Port Name
data in
addr in
read in
campaign in
is sampling in
is inj in
samp inj in

I/O
input
input
input
input
input
input
input

data out
addr out
write out

output
output
output

Description
Data from MISST core.
Destination address of incoming data.
Writes incoming data at incoming address on rising edge.
A high value signals system executing fault campaign.
A high value indicates system during sampling process.
A high value indicates system during injection process.
A high value indicates that the value at the injection location is being read for
corruption and injection.
Data to MISST core.
Destination address of outgoing data to MISST.
Rising edge signals write enable for outgoing data at outgoing address to the
Control Unit.

28

Table 6.2: Register sys status Bit Fields
Bit Position
0
1
2
3
4
5

6

Description
Set if campaign in port is high, low otherwise.
Set if is sampling in port is high, low otherwise.
Set if samp inj in port is high, low otherwise.
Set if is inj in port is high, low otherwise.
Set if DUT must be reset. Clear after DUT operation has been performed and
MISST is signaled to continue.
Set if MISST is configured to sample two locations, clear otherwise. This value
should be assigned when the Adapter module receives a write to general config[6]
(see Table 2.1).
Set if MISST is in setup mode, clear otherwise.

29

Chapter 7

Original Implementation Details
In this chapter we will primarily focus on the Adapter module implementation on the PYNQ board because
the MISST system core does not change between implementations. For the original implementation, the
adapter module includes the AXI slave interface, the Cortex hard processor, and a bridge from Xilinx IP
library. The relevant ones are AXI AHBLite Bridge and the AXI APB Bridge. The IP library doesn’t have
an AXI to JTAG Bridge, but it does include a JTAG to AXI Master Bridge.

7.1

Serial Communication

The only way to access the UART port for PC serial communication is through the Cortex-A9 processor.
The UART from the PYNQ board arrives at 115200 baud. If the MISST is implemented on a development
board whose FPGA was direct access to a serial port, two design approaches could be:
• Use adapter module as an interface between MISST system core and the PC.
• Include a soft processor in the adapter module to process communication between board elements and
a PC.

7.2

Role of Cortex Processor

The Cortex processor receives user input and sends data to MISST via AXI-Lite protocol to the AXI slave
interface. The processor can read and write from/to the AXI slave interface, but the MISST system can’t
send data directly to the Cortex. The only way MISST can notify the processor of anything is via a single
wire connection that triggers an interrupt on the processor (this is implemented as an output pin on the
AXI slave).
MISST triggers an interrupt whenever it has to sample data from the DUT or inject a fault into the
DUT. The processor evaluates what to do based on the value of the sys status register at the time of the
interrupt. Figure 7.1 outlines how the processor keeps track of tasks.
• WAITING FOR INTT: Processor is waiting for interrupt.
• SAMPLE N SEND: Processor reads from the DUT’s memory and sends data to MISST and user
through UART.
30

• DUT RESET: Processor resets and then restarts DUT. Shortly after restarting DUT, processor writes
data to sampling register to resume fault campaign.
• SAMPLE INJ: Processor reads from DUT’s memory and only sends sample data to MISST.
• INJECT: Processor reads dut inj addr and dut data out registers, and writes dut data out data at
address dut inj addr in DUT memory.

Figure 7.1: Processor Interrupt Task States

31

7.3

AXI Slave Interface

During setup, the user is simply writing data to registers in MISST core. In order to write to MISST
registers, the processor first writes the data to the AXI slave’s w data register. Then the processor writes
the write address to w reg addr register. The write is automatically executed upon a write to the w reg addr
register. Table 7.1 lists registers implemented on the AXI slave interface. All AXI slave interface registers
are four bytes wide, but not all registers use four bytes.
Table 7.1: AXI Slave Interface Registers
Address
0x0C

Register Name
sys status

0xC0
0xC1
0xC2
0xC3

dut sample addr
dut inj addr
dut data out
w reg addr

0xC4

w data

Description
Required register. Used by processor to choose correct course of action. See Table
2.1.
Sampling address.
Injection address.
Data to write to DUT. Only used during fault injection.
Write address of register in MISST. Writing to this register starts writing transaction to selected MISST register. Only uses least significant byte since register
addresses are a byte long.
Write data.

The AXI slave interface is also responsible for asserting the interrupt input of the processor. The AXI
slave sets the interrupt pin if is sampling in, samp inj in, or is inj in are high. Most importantly, the AXI
slave interface must conform to the Adapter-Core interface. Table 7.2 describes the AXI slave’s ports and
points out which ones are required by the Adapter-Core interface.

32

Table 7.2: AXI Slave Interface Port Descriptions
Port Name
data in [31:0]
addr in [7:0]
read in
is sampling in
samp inj in
is inj in
campaign in
S AXI
pause intt out
reset out
data out [31:0]
addr out [7:0]
write out

Description
Input data bus. Part of the Adapter-Core interface.
Input address bus. Part of the Adapter-Core interface.
Reads address and bus lines on rising edge.
A high value represents that MISST is in the process of sampling. The data
sampled will be sent to the user. Part of the Adapter-Core interface.
A high value represents that MISST is in the process of sampling. The data
sampled will not be sent to the user. Part of the Adapter-Core interface.
A high value represents that MISST is in the process of fault injection. Part of
the Adapter-Core interface.
A high value represents that MISST is running a fault campaign. Part of the
Adapter-Core interface.
Name for all signals of the AXI-LITE protocol. The processor sends data and
reads data to/from here.
Connected to the processor’s interrupt inputs. Referred to as the interrupt pin.
Resets MISST core.
Data bus to Control Unit. Part of the Adapter-Core interface.
Address bus to Control Unit. Part of the Adapter-Core interface.
Write enable for data sent to Control Unit. Part of the Adapter-Core interface.

The Adapter-Core interface provides rules on how the MISST core and the Adapter module exchange
data. The Adapter-Core interface requires the ports with the following functionality:
• A pair of data bus, address bus, and enable signals for read and write with the Control Unit. The read
or write operation is executed on a rising edge of the enable signal.
• A signal that goes high during the sampling process and clears when sampling data has been received.
Sampled data is sent to the user.
• A signal that goes high during the sampling process and clears when sampling data has been received.
Sampled data is not sent to the user.
• A signal that goes high during the injection process and clears when fault injection process is complete.

33

Bibliography
[1] PYNQ-Z1
Board
Reference
Manual.
(2018).
[ebook]
Pullman.
Available
https://reference.digilentinc.com/ media/reference/programmable-logic/pynq-z1/pynq-rm.pdf
cessed 24 Feb. 2018].

at:
[Ac-

[2] T. Storey. ”Pseudo Random Number Generator with Linear Feedback Shift Registers (VHDL).” Internet:
https://eewiki.net/pages/viewpage.action?pageId=10125438, Sept. 8, 2017 [March 1, 2018].

34

