4 research outputs found

    Towards Accurate Estimation of Error Sensitivity in Computer Systems

    Fault injection is an increasingly important method for assessing, measuring and observing the system-level impact of hardware and software faults in computer systems. This thesis presents the results of a series of experimental studies in which fault injection was used to investigate the impact of bit-flip errors on program execution. The studies were motivated by the fact that transient hardware faults in microprocessors can cause bit-flip errors that can propagate to the microprocessor's instruction set architecture (ISA) registers and main memory. As the rate of such hardware faults is expected to increase with technology scaling, there is a need to better understand how these errors (known as 'soft errors') influence program execution, especially in safety-critical systems. Using ISA-level fault injection, we investigate how five aspects, or factors, influence the error sensitivity of a program. We define error sensitivity as the conditional probability that a bit-flip error in live data in an ISA register or main-memory word will cause a program to produce silent data corruption (SDC; i.e., an erroneous result). We also consider the estimation of a measure called SDC count, which represents the number of ISA-level bit flips that cause an SDC. The five factors addressed are (a) the inputs processed by a program, (b) the level of compiler optimization, (c) the implementation of the program in the source code, (d) the fault model (single bit flips vs. double bit flips) and (e) the fault-injection technique (inject-on-write vs. inject-on-read). Our results show that these factors affect the error sensitivity in many ways; some factors strongly impact the error sensitivity or SDC count, whereas others show a weaker impact. For example, our experiments show that single bit flips tend to cause SDCs more often than double bit flips; compiler optimization positively impacts the SDC count but not necessarily the error sensitivity; the error sensitivity varies between 20% and 50% among the programs we tested; and variations in input affect the error sensitivity significantly for most of the tested programs.

    Fallos intermitentes: análisis de causas y efectos, nuevos modelos de fallos y técnicas de mitigación

    [EN] From the development of the first integrated circuit to very large scale integration (VLSI) technology, the hardware of computer systems has undergone an immense evolution. Moore's Law, which predicts that the number of transistors that can be integrated on a chip doubles every year, has held for decades thanks to the aggressive reduction of transistor size. This has allowed increasing the operating frequency, achieving higher performance with lower consumption, but at the expense of a reliability penalty: the number of defects is rising due to variations in the increasingly complex manufacturing process. Intermittent faults, one of the fundamental issues affecting the reliability of current and future digital VLSI circuit technologies, are studied in this thesis. In the past, intermittent faults have been considered the prelude to permanent faults. Nowadays, the occurrence of intermittent faults caused by manufacturing-process variations that do not affect the circuit permanently has increased. Errors induced by intermittent and transient faults manifest similarly, although intermittent faults are usually grouped in bursts and are activated repeatedly and non-deterministically in the same place. In addition, intermittent faults can be activated and deactivated by changes in temperature, voltage and frequency. In this thesis, the effects of intermittent faults in digital systems have been analyzed using simulation-based fault injection, a methodology that allows faults to be introduced in a controlled manner. After an extensive literature review to understand the physical mechanisms of intermittent faults, new intermittent fault models at gate and register transfer levels have been proposed. These new fault models have been used to analyze the effects of intermittent faults in different microprocessor models, as well as the influence of several parameters. To mitigate these effects, various fault tolerance techniques have been studied in this thesis, in order to determine whether they are suitable for tolerating intermittent faults. Results show that the error detection mechanisms work properly, but the error recovery mechanisms need to be improved. Error correction codes (ECC) are a well-known fault tolerance technique. This thesis proposes a new family of ECCs specially designed to tolerate faults when the fault rate is not equal in all bits of a word, such as in the presence of intermittent faults. As these faults may also present a fault rate that varies over time, a fault tolerance mechanism whose behavior adapts to the temporal evolution of error conditions can use the new ECCs proposed.

    [ES] From the invention of the first integrated circuit to very large scale integration (VLSI) technology, the hardware of computer systems has evolved enormously. Moore's Law, which predicts that the number of transistors that can be integrated on a chip doubles every year, has held for decades thanks to the aggressive reduction of transistor size. This has made it possible to increase their operating frequency, achieving higher performance with lower consumption, but at the cost of penalizing reliability, since defects produced by variations in the increasingly complex manufacturing process are on the rise. This thesis addresses the study of one of the fundamental problems affecting reliability in current and future digital VLSI integrated circuit technologies: intermittent faults. In the past, intermittent faults were considered the prelude to permanent faults. Today, the occurrence of intermittent faults caused by variations in the manufacturing process that do not cause permanent damage has increased. Errors induced by intermittent faults manifest similarly to those caused by transient faults, except that intermittent faults tend to be grouped in bursts and are activated repeatedly and non-deterministically in the same place. In addition, intermittent faults can be activated and deactivated by changes in temperature, voltage and frequency. In this thesis, the effects of intermittent faults in digital systems have been analyzed using simulation-based fault injection, which allows faults to be introduced into the system in a controlled manner. After an extensive literature review to understand the physical mechanisms of intermittent faults, new fault models at the logic gate and register transfer levels have been proposed, which have been used to analyze the effects of intermittent faults and the influence of various factors. To mitigate these effects, this thesis has studied different fault tolerance techniques, with the aim of determining whether they are suitable for tolerating intermittent faults, since existing techniques are generally designed to tolerate transient or permanent faults. The results show that the detection mechanisms work properly, but the recovery mechanisms need to be improved. One existing fault tolerance technique is error correcting codes (ECC). This thesis proposes new ECCs designed to tolerate faults when their rate is not the same in all bits of a word, as in the case of intermittent faults. These may also present a fault rate that varies over time, so a fault tolerance mechanism would be needed whose behavior adapts to the temporal evolution of the error conditions and that uses the new ECCs proposed.

    [CA] From the invention of the first integrated circuit to very large scale integration (VLSI) technology, the hardware of computer systems has evolved enormously. Moore's Law, which predicts that the number of transistors that can be integrated on a chip doubles every year, has held for decades thanks to the aggressive reduction of transistor size. This has made it possible to increase their operating frequency, achieving higher performance with lower consumption, but at the cost of penalizing reliability, since defects produced by variations in the increasingly complex manufacturing process are on the rise. This thesis addresses the study of one of the fundamental problems affecting reliability in current and future digital VLSI integrated circuit technologies: intermittent faults. In the past, intermittent faults were considered the prelude to permanent faults. Today, the occurrence of intermittent faults caused by variations in the manufacturing process that do not cause permanent damage has increased. Errors induced by intermittent faults manifest similarly to those caused by transient faults, except that intermittent faults tend to be grouped in bursts and are activated repeatedly and non-deterministically in the same place. In addition, intermittent faults can be activated and deactivated by changes in temperature, voltage and frequency. In this thesis, the effects of intermittent faults in digital systems have been analyzed using simulation-based fault injection, which allows errors to be introduced into the system in a controlled manner. After an extensive literature review to understand the physical mechanisms of intermittent faults, new fault models at the logic gate and register transfer levels have been proposed, which have been used to analyze the effects of intermittent faults and the influence of various factors. To mitigate these effects, this thesis has studied different fault tolerance techniques, with the aim of determining whether they are suitable for tolerating intermittent faults, since existing techniques are generally designed to tolerate transient or permanent faults. The results show that the detection mechanisms work properly, but the recovery mechanisms need to be improved. One existing fault tolerance technique is error correcting codes (ECC). This thesis proposes new ECCs designed to tolerate faults when their rate is not the same in all bits of a word, as in the case of intermittent faults. These may also present a fault rate that varies over time, so a fault tolerance mechanism would be needed whose behavior adapts to the temporal evolution of the error conditions and that uses the new ECCs proposed.

    Saiz Adalid, LJ. (2015). Fallos intermitentes: análisis de causas y efectos, nuevos modelos de fallos y técnicas de mitigación [Unpublished doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/59452

    Operating System Contribution to Composable Timing Behaviour in High-Integrity Real-Time Systems

    The development of High-Integrity Real-Time Systems has a high footprint in terms of human, material and schedule costs. Factoring functional, reusable logic in the application favors incremental development and contains costs. Yet, achieving incrementality in the timing behavior is a much harder problem. Complex features at all levels of the execution stack, aimed at boosting average-case performance, exhibit timing behavior that is highly dependent on execution history, which wrecks time composability and incrementality with it. Our goal here is to restore time composability to the execution stack, working bottom-up across it. We first characterize time composability without making assumptions on the system architecture or the software deployment to it. Later, we focus on the role played by the real-time operating system in our pursuit. Initially we consider single-core processors and, becoming less permissive on the admissible hardware features, we devise solutions that restore a convincing degree of time composability. To show what can be done for real, we developed TiCOS, an ARINC-compliant kernel, and re-designed ORK+, a kernel for Ada Ravenscar runtimes. In that work, we added support for limited preemption to ORK+, an absolute first in the landscape of real-world kernels. Our implementation allows resource sharing to co-exist with limited-preemptive scheduling, which extends the state of the art. We then turn our attention to multicore architectures, first considering partitioned systems, for which we achieve results close to those obtained for single-core processors. Subsequently, we shy away from the over-provisioning of those systems and consider less restrictive uses of homogeneous multiprocessors, where the scheduling algorithm is key to high schedulable utilization. To that end we single out RUN, a promising baseline, and extend it to SPRINT, which supports sporadic task sets and hence matches real-world industrial needs better. To corroborate our results we present findings from real-world case studies from the avionics industry.

    From Safety Analysis to Experimental Validation by Fault Injection—Case of Automotive Embedded Systems

    Due to the growing complexity of embedded automotive systems, dependability has become a major issue for the automotive industry. This growing interest resulted in the release in 2011 of the ISO 26262 standard on functional safety. The challenges facing the players in this field are therefore the following: on the one hand, the design of safe systems, and on the other hand, compliance with the requirements of the ISO 26262 standard. Our approach is based on the systematic application of fault injection for the verification and validation of safety requirements throughout the development cycle, from the design phases down to implementation. In particular, fault injection allows us to verify that fault tolerance mechanisms are effective and that non-functional requirements are met. Fault injection is a very old verification technique. However, its role during the design phase and its complementarities with experimental validation deserve to be studied. Our approach relies on the application of the FARM model (Faults, Activations, Readouts and Measures) throughout the development process. Safety analyses are the starting point of our approach, with the identification of fault tolerance mechanisms and non-functional requirements, and it ends with the validation of these mechanisms through classical fault injection experiments. Finally, we show that our approach can be integrated into the development process for automotive embedded systems described in the ISO 26262 standard. The contributions of the thesis are illustrated on the case study of an automobile front-lighting system.

    ABSTRACT: Due to the rising complexity of automotive Electric/Electronic embedded systems, Functional Safety has become a main issue in the automotive industry. This issue has been formalized by the introduction of the ISO 26262 standard for functional safety in 2011. The challenges are, on the one hand, to design safe systems based on a systematic verification and validation approach, and on the other hand, to fulfil the requirements of the ISO 26262 standard. Following ISO 26262 recommendations, our approach, based on fault injection, aims at verifying fault tolerance mechanisms and non-functional requirements at all steps of the development cycle, from early design phases down to implementation. Fault injection is a verification technique that has been investigated for a long time. However, the role of fault injection during the design phase and its complementarities with the experimental validation of the target have not been explored. In this work, we investigate a fault injection continuum, from system design validation to experiments on implemented targets. The proposed approach takes the safety analyses as a starting point, with the identification of safety mechanisms and safety requirements, and goes down to the validation of the implementation of safety mechanisms through fault injection experiments. The whole approach is based on a key fault injection framework, called FARM (Fault, Activation, Readouts and Measures). We show that this approach can be integrated in the development process of the automotive embedded systems described in the ISO 26262 standard. Our approach is illustrated on an automotive case study: a Front-Light system.