Pruning of Soft-Error Fault Spaces by Dynamic Register-Usage Tracing in a Formal Instruction-Set Model

Fault injection mimics either physical causes for single event upsets (by exposing the system to e.g. heat or radiation) or their effects (by changing logic signals). For the fault injection, we use the simulation-based fault injection framework FAIL*, which extracts program traces and simulates the representative faults. In general, our FI campaign inject all possible faults into a specific run of a program (the golden run) in order to cover the whole fault space.

One problem of fault injection is the availability of an instruction-set--architecture (ISA) emulator that can be used to emulate the behavior of a given software under the presence of faults. Therefore, we have built an semi-automatic integration of SAIL models into the FAIL* plattform. SAIL is an imperative language that is used to describe the instruction semantics of a processor architecture and can be translated with the SAIL compiler to a C emulator. During the translation, the model is transformed and optimized by the SAIL compiler, which is written in OCaml.

This main topic of this thesis is the injection of faults into registers, especially CPU state registers. In general, register values are injected (bit-flipped) upon read accesses to minimize the number of injections. For general purpose registers, the assembler includes enough information to determine which register is accessed by a given instruction (mov r0, r2 reads r0 and writes r2). However, for state registers, the dynamic machine state determines if a register is read. For example, the trap-table pointer is only read if the instruction provokes a trap.

In this thesis, the SAIL compiler should be extended to allow the C-emulator to record all dynamic register reads and writes to these state registers. This information should then be integrated into the FAIL* toolchain to inject only those state registers that are actually used by a given executed instruction.

Further Reading