Microcode with Embedded Timing Constraints

Abstract: Watchdogs are a well-known and widespread means to increase the safety of microprocessors. The programmer or the compiler must insert instructions to reset the watchdog. If the programmer or compiler chose the wrong timing values or forgot to insert instructions to reset the timer, the processor will never be able to fulfill its task, because it will be set back to an initial (known) state each time it encounters a timing violation. We eliminate the need to insert special instructions and dedicated external watchdog hardware. Our strategy is able to detect transient control-flow faults in state automata and faulty BUSY-signals of execution units in microcode-based microprocessors. The innovation is to introduce fixed timings for each microcode so explicit instruction sequences to reset the watchdog timer are not necessary any more. Each execution unit receives a timing value from the microcode ROM. A unit-specific cycle counter is set to the timing from the microcode (µcode) when the execution starts. Due to possible different execution runtimes (e.g. floating point division), we include the possibility to select the timing accuracy. If the timing is not accurate, the timing value is set to the maximal timing of the concerned operation. Then, a fault will only be signaled if the cycle-counter value is greater than the maximal timing. The scheme can be implemented very fast at small additional hardware cost. An FPGAbased implementation of microcode timing as an extension of a multi-cycle 32 bit microprocessor with support for forwarding showed a hardware increase of less than 1.3 % using normal place and route effort with a maximal execution time of 16 cycles for each microcode.