Quantifying Robustness by Symbolic Model Checking


  1. Quantifying Robustness by Symbolic Model Checking. S. Baarir, C. Braunstein, E. Encrenaz, J-M. Ilié, T. Li, I. Mounier, D. Poitrenaud, S. Younes. HWVW 2010, July 15, 2010. Quantifying Robustness - HWVW 2010 1 / 28

  2. Outline
  1 Motivation
  2 Preliminaries
  3 Our robustness proposition: Fault Model; Repairing model; Quantification
  4 Experiments
  5 Conclusion and ongoing work

  3. Motivation

  4. Dependability Analysis
  Dependable circuits under transient faults
  Soft errors (SET or SEU) are, and will increasingly be, a major concern for embedded hardware designers.
  • Critical applications (space missions ...) are exposed to particle strikes and electromagnetic interference
  • Many other applications (video streaming, phones ...) are exposed to crosstalk coupling and/or high temperature
  Early analyses to evaluate the impact of faults
  • Improve confidence in a design
  • Early identification ⇒ cheaper modifications (fewer $ or €)
    ➢ Identify the precise locations to be protected
    ➢ Choose between different architectures of a design

  5. Robustness evaluation
  Analysing robustness with respect to soft errors
  Huge state-space exploration:
  • a soft error may come from a bit-flip or from an erroneously latched signal
  • bit-flips may occur at different locations and at different times
  • circuits have hundreds of thousands of flip-flops
  Fault occurrences may cause an enormous number of possible error configurations.
  Our approach
  • Work at the RTL level
  • Handle faults that are multiple in time and in space simultaneously (vs. simulation / fault injection)
  • Relax the strict equivalence to a golden model or to a specification

  6. Self-stabilization evaluation
  After a period of particle strikes, how do we ensure that the circuit returns to a safe configuration?
  Analysing the self-healing capabilities of circuits. Our measures concern:
  1 Repair ability rates ➙ the number of potentially and eventually repairable states
  2 Repair velocity ➙ bounds on the lengths of repairing sequences
  This allows designers to
  • choose the parts of the design to be hardened
  • choose between implementations of the same design

  7. Preliminaries

  8. Circuit: Reachable States and Sequences
  [Figure: a sequential circuit C with primary inputs I, outputs O, present-state / next-state registers R, next-state function f and output function g]
  • $r \in 2^R$: a state of C
  • $R_0$: the set of initial states
  • $i_1 . i_2 \ldots i_{n-1}$: an input sequence
  • $f(i_1 . i_2 \ldots i_{n-1}, r)$: a state sequence
  • $g(r, i_1 . i_2 \ldots i_{n-1})$: an output sequence
  • $reach(C)$: the set of states of C reachable from $R_0$

  9. Our robustness proposition

  10. Fault Model

  11. Fault Model
  Type of faults
  • Errors appear as bit-flips on register elements.
  • There exists a set of protected register elements $P \subseteq R$ (this set may be empty).
  Fault occurrences
  • Multiple faults may occur in multiple units, except in protected registers.
  • Several faults may occur at different time instants.


  14. Circuit functioning with fault occurrences
  Reachability set with fault occurrences. $Error(C, P)$ is the smallest subset of $2^R$ satisfying:
  • $R_0 \subseteq Error(C, P)$
  • $r \in Error(C, P) \Rightarrow \{ r' \in 2^R \mid \forall p \in P,\ r'[p] = r[p] \} \subseteq Error(C, P)$ (any subset of the unprotected registers may flip)
  • $r \in Error(C, P) \Rightarrow \{ r' \in 2^R \mid \exists i \in 2^I,\ r' = f(i, r) \} \subseteq Error(C, P)$ (normal functioning)
  Each state in $Error(C, P)$ is called an error state.
  [Figure: five registers reg 0 .. reg 4; the state 0 1 0 1 1 becomes 0 0 0 1 1 after a bit-flip on reg 1, and one step of f then leads to 0 1 1 0 0]

  15. Repairing model

  16. Repairing sequences
  Introduction / Requirements
  When faults no longer occur, we want to characterize the set of error states that are "repairable":
  • they reach a state considered as "correct"
  • the path between the error state and the correct state is "constrained"
  Definition (Repairing sequence)
  A repairing sequence is a sequence from an error state up to a correct state
  • taken when faults do not occur anymore,
  • that respects a repairing pattern.

  17. Repairing Sequences: Repairing Pattern
  Repairing path. The way to go from an error state to a "correct" configuration (safe) may be constrained:
  • some configurations may have to be avoided (forbidden)
  • some configurations may be mandatory (required)
  Repairing automaton
  • The usual way to express constraints on paths: an automaton.
  • A repairing automaton for C is defined by $\langle S, T, S_0, F \rangle$ where:
    • $S$ is a finite set of states,
    • $T \subseteq S \times 2^R \times S$ is a finite set of transitions labelled by circuit states,
    • $S_0$ is a finite set of initial states,
    • $F$ is a finite set of accepting states.

  18. Repairing automaton example 1/2
  [Figure: a repairing automaton whose transitions carry the guards
  ¬required ∧ ¬forbidden (wait in the initial state),
  required ∧ ¬forbidden ∧ ¬safe (a required configuration has been seen, but not yet a safe one),
  required ∧ ¬forbidden ∧ safe (accept),
  ¬forbidden ∧ ¬safe (keep waiting for a safe configuration),
  ¬forbidden ∧ safe (accept).
  Read together, the guards accept exactly the paths that avoid every forbidden configuration, pass through a required configuration and then reach a safe one.]

  19. Repairing automaton example 2/2
  How to express sets of states? $safe(C)$, $required(C)$, $forbidden(C)$ ... can easily be characterized as CTL properties:
  • $\varphi = reach(C)$: the whole set of reachable states.
  • $\varphi = AG(AF\, R_0)$: the set of states that unavoidably return to the initial states.
  • $\varphi = \neg(r_1 \vee r_2)$: a given configuration of registers.

  20. Quantification

  21. Robustness: State-based quantification
  [Figure: $Error(C, P)$ drawn against $required(C)$, $safe(C)$ and $forbidden(C)$, with sample sequences $\sigma_a \ldots \sigma_k$]
  To quantify the circuit's robustness, we compute:
  • the number of error states;
  • Potentiality: the number of error states from which at least one infinite fair sequence is a repairing sequence;
  • Eventuality: the number of error states from which all infinite fair sequences are repairing sequences.

  22. Computing potentially and eventually repairable states
  [Figure: synchronous product of the circuit C (inputs $I_C$, registers $R_C$, functions $f_C$, $g_C$, outputs $O_C$) with the repairing automaton AC (inputs $I_{AC}$ read from the circuit's registers, registers $R_{AC}$, functions $f_{AC}$, $g_{AC}$, output $o_{AC}$)]
  Computation. Set of repaired configurations:
  $$Repaired = \{ (r_C, r_{AC}) \in 2^{R_C} \times 2^{R_{AC}} \mid g_{AC}(r_{AC}) = 1 \}$$
  $$\nu_{pot} = \frac{|EF_{fair}\, Repaired \cap R_0|}{|R_0|} \qquad \nu_{ev} = \frac{|AF_{fair}\, Repaired \cap R_0|}{|R_0|}$$
  In these formulas $R_0$ stands for the initial states of the product machine, which is started from the error states $Error(C, P)$ of slide 12 so that the ratios count error states as defined on slide 19.

  23. Robustness: Sequence-based quantification
  The velocity of the circuit is characterized by:
  • the minimal and maximal length of repairing sequences;
  • the number of repairing sequences for each length between the bounds.
  Hypotheses
  • We focus on the first repairing state along a repairing sequence.
  • The environment reacts as soon as possible.
  [Figure: layers $k_0 \ldots k_3$ of states $s_1 \ldots s_8$ leading from $Error(C, P)$ to $safe(C)$]
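The definitions of slides 12 to 21 ($Error(C,P)$, the repairing automaton, $\nu_{pot}$, $\nu_{ev}$ and the histogram of repairing-sequence lengths) in runnable form, as an added example that is not code from the paper or its tool. The authors work symbolically with BDDs on RTL designs; this script instead enumerates states explicitly on a constructed 3-stage one-hot ring counter with a hold/advance input `en`, in two assumed implementations (a plain ring, and a self-correcting ring whose first stage is `NOR(q0, q1)`). The repairing pattern (`safe = reach(C)`, `required` = the token has been seen in stage 2, `forbidden` = all three stages driven at once) and the trap state that completes the slide 16 automaton for forbidden configurations are also assumptions made for the example. Fairness is handled only for the one case this circuit needs, "`en` is asserted infinitely often", which is exact here because `en = 0` is a pure stutter of the product.

```python
"""Explicit-state version of the measures of slides 12-21 (added example, not the paper's
code; the same definitions evaluated by enumeration on a constructed 3-stage ring counter)."""
from collections import deque
from itertools import product

REGS = ("q0", "q1", "q2")   # R: three flip-flops; a state is a tuple of bits
INPUTS = (0, 1)             # I: one input 'en' (0 = hold the token, 1 = advance it)
R0 = {(1, 0, 0)}            # R_0: the token starts in stage 0


def next_plain(en, r):
    """Implementation A (assumed): plain ring, q0' = q2, q1' = q0, q2' = q1."""
    q0, q1, q2 = r
    return (q2, q0, q1) if en else r


def next_selfcorrecting(en, r):
    """Implementation B (assumed): q0' = NOR(q0, q1), which re-creates a single token."""
    q0, q1, q2 = r
    return (int(not (q0 or q1)), q0, q1) if en else r


def closure(seeds, successors):
    """Least fixed point: the smallest superset of seeds closed under successors."""
    seen, todo = set(seeds), deque(seeds)
    while todo:
        for n in successors(todo.popleft()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def reach(f):
    """reach(C): states of the fault-free circuit reachable from R_0."""
    return closure(R0, lambda r: {f(i, r) for i in INPUTS})


def error_states(f, protected):
    """Error(C,P): R_0 closed under f and under flipping any subset of unprotected bits."""
    prot = [k for k, name in enumerate(REGS) if name in protected]
    masks = [m for m in product((0, 1), repeat=len(REGS)) if not any(m[k] for k in prot)]

    def succ(r):   # multiple simultaneous faults outside P, plus normal functioning
        return {tuple(b ^ x for b, x in zip(r, m)) for m in masks} | {f(i, r) for i in INPUTS}

    return closure(R0, succ)


S0, S1, ACC, TRAP = "s0", "s1", "acc", "trap"   # slide 16 automaton, completed with a trap


def automaton_step(s, r, safe, required, forbidden):
    """Guards of slide 16 on the circuit state r; ACC (accepting) and TRAP are absorbing."""
    if s in (ACC, TRAP):
        return s
    if r in forbidden:
        return TRAP
    if s == S0 and r not in required:
        return S0                    # still waiting for a required configuration
    return ACC if r in safe else S1  # required seen: accept on the first safe state


def product_machine(f, err, safe, required, forbidden):
    """Product of C (started from Error(C,P)) and the automaton, which reads the error state too."""
    def step(st, i):
        r2 = f(i, st[0])
        return (r2, automaton_step(st[1], r2, safe, required, forbidden))
    init = {(r, automaton_step(S0, r, safe, required, forbidden)) for r in err}
    states = closure(init, lambda st: {step(st, i) for i in INPUTS})
    return init, {st: {i: step(st, i) for i in INPUTS} for st in states}


def backward(edges, target, keep, inputs):
    """EF (keep=any) or AF (keep=all) of target over the transitions of the given inputs."""
    x = set(target)
    while True:
        new = {st for st, nxt in edges.items()
               if st not in x and keep(nxt[i] in x for i in inputs)}
        if not new:
            return x
        x |= new


def measures(f, protected, safe, required, forbidden):
    """nu_pot, nu_ev (slide 20) and the histogram of repairing-sequence lengths (slide 21)."""
    init, edges = product_machine(f, error_states(f, protected), safe, required, forbidden)
    repaired = {st for st in edges if st[1] == ACC}   # Repaired: automaton in an accepting state
    n, hist = len(init), {}
    for st in init:              # environment reacts as soon as possible: en = 1 every cycle
        cur, d, seen = st, 0, set()
        while cur[1] != ACC and cur not in seen:
            seen.add(cur)
            cur, d = edges[cur][1], d + 1
        if cur[1] == ACC:        # length to the first repairing state
            hist[d] = hist.get(d, 0) + 1
    return {
        "error_states": n,
        "potentiality": len(backward(edges, repaired, any, INPUTS) & init) / n,
        "eventuality": len(backward(edges, repaired, all, INPUTS) & init) / n,
        # fairness 'en asserted infinitely often': exact here because en = 0 only stutters
        "eventuality_fair": len(backward(edges, repaired, all, (1,)) & init) / n,
        "repair_lengths": hist,
    }


def ring_counter_measures(f, protected=frozenset()):
    """Assumed pattern: safe = reach(C), required = token seen in stage 2, forbidden = all stages driven."""
    required = {r for r in product((0, 1), repeat=3) if r[2] == 1}
    return measures(f, protected, reach(f), required, {(1, 1, 1)})


if __name__ == "__main__":
    for name, f in (("plain ring", next_plain), ("self-correcting ring", next_selfcorrecting)):
        print(name, ring_counter_measures(f))
```

With no protected register both implementations have 8 error states. The plain ring is potentially repairable from 3 of them (the states that are already one-hot; 000 is stuck and the multi-token states cycle forever), the self-correcting ring from 7 (everything but the forbidden 111), and its repairing sequences have lengths 0 to 3 under the "environment reacts as soon as possible" hypothesis. Without a fairness constraint the eventuality of both collapses to 1/8, since holding `en = 0` forever is a legal path; under the fair-input assumption it coincides with the potentiality, which is the reason the slides write $EF_{fair}$ and $AF_{fair}$. Protecting `q0` and `q1` shrinks $Error(C,P)$ to 6 states for the self-correcting ring but not for the plain one, illustrating the slide 4 point that which locations are worth protecting depends on the surrounding logic.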
