Baraza 2005
Abstract

Fault injection techniques based on the use of VHDL as design language offer important advantages with regard to other fault injection techniques. First, as they can be applied during the design phase of the system, they allow reducing the time-to-market. Second, this type of technique presents high controllability and reachability. Among the different techniques, those based on the use of saboteurs and mutants are especially attractive due to their high fault modelling capability. However, it is difficult to implement these techniques automatically in a fault injection tool, mainly the insertion of saboteurs and the generation of mutants. In this paper we present new models of saboteurs and mutants that can be easily applied in VFIT, a fault injection tool developed by the Fault-Tolerant Systems Research Group (GSTF) of the Technical University of Valencia.

Index Terms: VHDL-based fault injection, Saboteurs, Mutants.

I. INTRODUCTION

During the last years, the utilisation of Fault-Tolerant Systems has been continuously growing. As the use of these systems becomes widespread, a diagnosis in early phases of the design cycle allows saving time and money during their development. A common experimental method for diagnosis is Fault Injection [1].

Fault injection techniques can be classified in three main categories [2]: physical (or Hardware Implemented Fault Injection, HWIFI), software implemented (SWIFI) and simulation-based.

Simulation-based fault injection is a useful experimental way to evaluate the dependability of a system during the design phase. An early diagnosis allows saving costs in the design process, avoiding redesigns in case of error, and thus reducing the time-to-market [3]–[5]. Another interesting advantage of this group of techniques with regard to others is that those based on simulation offer both high observability and controllability of all the modelled components [6].

In particular, there is a group of fault injection techniques based on the use of VHDL [7] as modelling language. These techniques are widely applied, due to the advantages of employing a standard hardware description language. This work is framed in this group of techniques. Fig. 1 shows a classification of VHDL-based fault injection techniques.

The simulator commands technique is based on the use of simulator commands to modify the value or timing of the model signals and variables, without altering the VHDL code [3]. In the remaining techniques, the original VHDL code of the model is modified, either inserting saboteurs [3], [8], [9] or mutating the model components [3], [10], [11].

Figure 1. VHDL-based fault injection techniques (classification tree):
• Simulator commands: signals, variables.
• VHDL code modification: saboteurs, mutants.
• Other techniques.

The techniques labelled as Other techniques are implemented by extending the VHDL language, either by adding new data types and signals, or by modifying the VHDL resolution functions [4], [12]. The new data types and signals defined include the fault behaviour description. Nevertheless, these techniques require developing ad-hoc compilers and simulators, and introducing control algorithms to manage the language extensions.

Our research group has developed VFIT [13], [14], a VHDL-based fault injection tool that applies several of the techniques described above. In fact, only the Other techniques group has not been implemented, due to its excessive complexity.

The objective of this work is to present new designs of saboteurs and mutants, and to show how these new designs can be automatically inserted in a model in order to perform a fault injection campaign. Some models of saboteurs and mutants [15] will be discussed and revised, and new models will be proposed.

The distribution of the paper is as follows. In Section II we briefly explain VHDL-based fault injection techniques. Section III describes VFIT, the fault injection tool developed. In Section IV, the models of saboteurs included in VFIT are discussed, and a new set of models is proposed. Section V analyses the models of mutants currently used in VFIT, and presents a new implementation method. Some results of implementing the new methods proposed are shown in Section VI. Finally, both a discussion of the results and a proposal of future work are provided in Section VII.

II. VHDL-BASED FAULT INJECTION TECHNIQUES

A. Fault Injection Using Simulator Commands

This fault injection technique is based on using the commands of the simulator at simulation time, in order to modify the value or timing of the signals and variables of the model [15]. Moreover, VHDL generic parameters are
managed as special variables. This enables the injection of some non-usual fault models, such as delay faults [5].

Using simulator commands permits injecting transient, permanent and intermittent faults. However, there is one restriction: due to the special nature of variables in VHDL, it is not possible to inject permanent faults in variables.

This technique is the easiest one to implement, and its temporal cost (to perform the simulation) is by far the lowest.

B. Fault Injection with Saboteurs

A saboteur is a special VHDL component added to the original model [9], [5]. When activated, the mission of this component is to alter the value, or the timing characteristics, of one or more signals when a fault is injected. During the normal operation of the system, instead, the component remains inactive. Saboteurs affect the ports of the components in the model. Thus, this technique is applicable only to structural descriptions.

According to how saboteurs are inserted in the model, two types can be distinguished: serial and parallel [3]. As Fig. 2-a shows, a serial saboteur is interposed between a component port and its source signal, whereas a parallel saboteur (Fig. 2-b) is added as an additional source of a given signal.

Figure 2. Types of saboteurs. (a) Serial: in the sabotaged model, the saboteur S (driven by a Control signal) is interposed between the output port O of the source component and the input port I of the destination component. (b) Parallel: the saboteur S (driven by a Control signal) is added as a second driver of the signal connecting O and I.

Parallel saboteurs have two important drawbacks with respect to serial ones: first, implementing them is noticeably more complex, because it is necessary to modify the data type of the affected signal, as well as the resolution function associated to the type. Second, they allow injecting fewer fault models. For these reasons, their implementation has no special interest, so in this work only serial saboteurs will be considered.

C. Fault Injection with Mutants

A mutant is a component that replaces another component. While inactive, it works like the original component, but when it is activated, it behaves like the component in presence of faults. The mutation can be made in three ways:
• By adding saboteurs to structural model descriptions.
• By modifying structural descriptions, replacing sub-components (e.g., a NAND gate can be replaced by a NOR gate).
• By modifying syntactical structures of behavioural descriptions.

There could be a large number of possible mutations in a VHDL model, but representative subsets of faults at logical and RT levels can be considered [10], [11]: replacement of the values of the conditions of if and case statements (called stuck-then, stuck-else, dead clause, etc.), disturbing assignment statements (assignment control, global stuck-data, etc.), disturbing operators in expressions (micro-operation, local stuck-data), etc.

III. THE FAULT INJECTION TOOL

The Fault Tolerant Systems Research Group (GSTF) has developed a fault injection tool called VFIT (VHDL-based Fault Injection Tool) [13], [14], whose main features are:
• It runs on PC computers (or compatible) under Windows.
• It is model-independent.
• It has been built around a commercial simulator, ModelSim [17], by Model Technology. The reason is that ModelSim allows controlling the simulation by using Tcl¹ commands, which makes it possible to inject faults.
• It is able to inject faults automatically applying the simulator commands technique. It also allows injecting faults using saboteurs and mutants, but in this case the injection process needs the intervention of the user, because the insertion of the saboteurs and the generation of mutants are not automatic.
• It can inject permanent, transient and intermittent faults.
• As Table I shows, it has a wide set of fault models that try to be representative of deep submicron technologies. This set surpasses the classical stuck-at (for permanent faults) and bit-flip (for transient faults). The model called pulse represents transient faults in combinational logic (i.e. Single Event Transients, SETs).

An injection experiment is performed in three phases:
• Set-up, where the parameters of the experiment are specified. These parameters are related to the model (e.g. workload file, workload duration, etc.), the injection of the faults (e.g. injection technique, number of faults, fault target selection, fault duration, fault models, selection of injection instant, etc.), and the type of analysis to carry out (error syndrome or validation of a Fault-Tolerant System).
• Simulation. Here, the model is simulated in presence of faults, generating a golden run and a number of faulty simulation traces.
• Analysis. In this phase, every faulty trace is compared to the golden run, extracting different measures depending on the type of analysis selected.

The main elements of VFIT, shown in Fig. 3, are:
• Tool Configuration. The mission of this module is to configure the tool, considering the simulator as a part of it, setting both the tool and simulator parameters.
• Graphic Interface. With this utility, the user can specify the injection parameters and analysis conditions needed to perform an injection campaign. To allow the user to select the injection targets, it uses the syntactic tree of the model, generated by the Syntactical and Lexicographical Analyser.

¹ Tool Command Language, a standard macro language.
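The serial saboteur of Section II.B and the three-phase experiment of Section III (golden run, faulty runs, analysis), as an added example that is not code from the paper or from VFIT. It is a discrete-time Python model, not VHDL: the toy system (a source driving data words through the saboteur into an accumulator with parity detection), the four fault models, the class and function names and the workload values are all constructed for this example. The fault's activity window plays the role of the saboteur's Control signal, so the same fault model can be injected as transient, permanent or intermittent.

```python
# Added example, not code from the paper or from VFIT: a discrete-time model of a
# serial saboteur (Section II.B, Fig. 2-a) driving a toy system through the three
# phases of an injection experiment (Section III): golden run, faulty runs, analysis.
# All class, function and fault-model names are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WIDTH = 8  # assumed width of the sabotaged data port


@dataclass
class Fault:
    """One fault to inject: fault model, injection instant and time behaviour."""
    model: str                      # 'stuck_at_0', 'stuck_at_1', 'bit_flip' or 'delay'
    start: int                      # injection instant (simulation cycle)
    duration: Optional[int] = None  # None -> permanent fault
    period: int = 0                 # > 0 -> intermittent: active `duration` cycles per period
    bit: int = 0                    # bit affected by a bit_flip

    def active(self, t: int) -> bool:
        """Plays the role of the saboteur's Control signal at cycle t."""
        if t < self.start:
            return False
        if self.duration is None:
            return True                                            # permanent
        if self.period:
            return (t - self.start) % self.period < self.duration  # intermittent
        return t < self.start + self.duration                      # transient


class SerialSaboteur:
    """Serial saboteur: interposed between a source signal and a component input port.
    While inactive it is transparent; while active it alters the value or the timing."""

    def __init__(self, fault: Optional[Fault] = None) -> None:
        self.fault = fault
        self.prev = 0  # value seen in the previous cycle, used by the delay fault

    def propagate(self, t: int, value: int) -> int:
        out = value
        if self.fault is not None and self.fault.active(t):
            m = self.fault.model
            if m == 'stuck_at_0':
                out = 0
            elif m == 'stuck_at_1':
                out = (1 << WIDTH) - 1
            elif m == 'bit_flip':
                out = value ^ (1 << self.fault.bit)
            elif m == 'delay':
                out = self.prev  # the port receives the previous value: a timing fault
            else:
                raise ValueError(f'unknown fault model {m}')
        self.prev = value
        return out


Trace = List[Tuple[int, int, int, bool]]  # (cycle, port value, accumulated sum, parity error)


def parity(v: int) -> int:
    return bin(v).count('1') & 1


def simulate(workload: List[int], fault: Optional[Fault] = None) -> Trace:
    """Simulation phase of one run. Toy system: a source drives data words through the
    saboteur into an accumulator. A parity bit computed at the source is assumed to
    travel on a separate, unsabotaged line and is checked at the consumer."""
    sab = SerialSaboteur(fault)
    acc, trace = 0, []
    for t, word in enumerate(workload):
        port = sab.propagate(t, word)
        err = parity(port) != parity(word)  # parity detection mechanism
        acc += port
        trace.append((t, port, acc, err))
    return trace


def analyse(golden: Trace, faulty: Trace) -> str:
    """Analysis phase: classify one faulty trace against the golden run (error syndrome)."""
    if any(err for *_, err in faulty):
        return 'detected'
    return 'silent_failure' if faulty[-1][2] != golden[-1][2] else 'no_effect'


def campaign(workload: List[int], faults: List[Fault]) -> Dict[str, int]:
    """A whole campaign: one golden run, one faulty run per fault, then analysis."""
    golden = simulate(workload)
    counts = {'no_effect': 0, 'detected': 0, 'silent_failure': 0}
    for f in faults:
        counts[analyse(golden, simulate(workload, f))] += 1
    return counts


# Constructed workload: an arithmetic series of 5 integers, as in Section VI.
WORKLOAD = [2, 5, 8, 11, 14]

# Constructed fault list covering the three time behaviours and the four fault models.
FAULTS = [
    Fault('bit_flip', start=2, duration=1, bit=0),            # transient bit-flip
    Fault('stuck_at_0', start=1, duration=1),                 # transient stuck-at-0
    Fault('delay', start=3, duration=1),                      # transient delay fault
    Fault('stuck_at_1', start=1),                             # permanent stuck-at-1
    Fault('bit_flip', start=0, duration=1, period=2, bit=1),  # intermittent bit-flip
    Fault('stuck_at_0', start=7, duration=2),                 # injected after the workload ends
]

if __name__ == '__main__':
    print(campaign(WORKLOAD, FAULTS))
```

The delay and stuck-at cases show why the analysis phase has to compare the whole trace with the golden run rather than rely on the detection mechanism alone: a single-bit parity check misses any corruption that preserves parity, which the trace comparison still reports as a silent failure.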
TABLE I. FAULT MODELS INJECTED BY VFIT

[Figure: insertion of saboteurs in a model (the figure itself is not reproduced). Its labels read "Insertion of saboteur declarations" and "Interposition of saboteurs", on the signals USS and nUSS and the ports i1, i2, o1, o2.]
It is possible to distinguish in the figure the three actions mentioned. Note that in the signal declaration, not only the control and selection signals are included, but also those required to connect the saboteurs.

With the new set of models proposed, automating the insertion of saboteurs in a model (in previously selected locations) will be relatively easy.

V. AUTOMATING THE GENERATION OF MUTANTS

Injecting faults using mutants is considerably more difficult than with the other two techniques described in Section II. The main problem lies in the spatial overhead introduced by the generation of the mutations of the model. Nevertheless, in modern computers storage is not actually a problem, so implementing this technique is nowadays more feasible.

In this Section, after discussing the drawbacks of two approaches to the implementation of mutants, a new method is presented. Also, an example of automatic generation is shown.

A. Previous Approaches

VFIT can inject faults using mutants inserted manually in the design (see Section III). In this subsection, the methods followed to implement this technique are described.

The first approach to implement mutant-based fault injection consisted of generating multiple replicas of the architectures of all the components in the model, where every replica includes one modification (or mutation) in the VHDL code [15]. By means of the VHDL configuration mechanism (that is, the configuration statement), multiple versions (mutations) of the model can be generated. Also, there is another configuration that includes all the original versions of all the model components.

The injection consists of selecting and simulating one of the multiple mutated configurations of the model. Due to the static nature of the configurations, only permanent faults can be injected using this approach, and moreover, only from the very beginning of the simulation.

To fix this problem, a dynamic approach was developed. It was based on the use of guarded signals together with the configuration mechanism [15]. In this way, at simulation time it is possible to stop the simulation of the original version of the model, and restart it simulating a faulty configuration. By using a number of simulator commands, it is possible to save to a file the status of the simulation (that includes the simulation time and the value of all the signals and variables of the model) of the original version of the model, and restore the same status in the simulation of the
faulty configuration. With the dynamic approach it is possible to inject (at any injection time) permanent, transient and intermittent faults.

However, this implementation has a serious drawback: the synchronisation (that is, saving and restoring the simulation status) between two simulations involves an enormous temporal cost. In [15], a comparison of the temporal cost of the three fault injection techniques implemented in VFIT was presented. The results showed that the average simulation time (that is, the duration of the simulation phase) was more than 100 times longer when using mutants than when using simulator commands, evidently due to the synchronisation between the simulations.

B. A New Proposal to Implement Mutants

To avoid synchronising simulations, we suggest a brute-force implementation. What we propose is simple: to generate a unique mutated version of every architecture used in the model, which includes all the possibilities of mutation considered previously in the configuration phase [21]. Obviously, if no statement is selected to be mutated in a particular architecture, no mutation is required.

In most cases, the modifications in the code are included by using if and case statements, although there are other possibilities, as shown in the example in Fig. 8. The aim of this type of modification is to allow choosing among the correct statement and multiple wrong versions. For this purpose, a new input port (called Selection) must be inserted in the interface of the entity. The mission of the Selection port is to specify the particular mutation to be activated, by asking its value in every “branch” of the mutated code. We call “branch” every statement inserted to select between the correct operation and the wrong ones. The condition to activate one of the options is that the value of Selection coincides with the value specified in the selection statement.

Another modification required is to declare a Fault_Selection signal in the upper level of the model, which will be associated (mapped) to every local Selection port of the mutated components inserted, replacing the original ones.

With this approach, injecting faults also becomes very easy. By using simulator commands, the value of the Fault_Selection signal can be modified at simulation time. In this way, it is possible to inject faults with the same time characteristics as with the simulator commands technique: transient, permanent and intermittent.

Note that, with respect to prior approaches, the new method reduces not only the temporal overhead, but also the spatial one, as multiple entire replicas of each architecture are replaced by only one that includes all the modifications. However, some temporal overhead could be expected in the simulation time due to the higher complexity of the mutated model.

C. Automatic Generation of Mutants

This new proposal to implement mutants is so simple that automating the generation of mutants of a given model is not complicated at all. Assuming that an injection tool has a parser, locating in the code the target statements to be mutated and replacing them with new ones is very easy. Next we show a practical example.

As mentioned earlier, Fig. 8 represents the mutation of a component inserted in a given model. At the left side we can see the original VHDL code of the component, and at the right side, the mutated code. Here, the text in bold type represents the modifications introduced. The arrows labelled with (1) correspond to modifications in the interface, and those labelled with (2) to the mutation of statements. In the example, a signal assignment and an if statement have been mutated. The signal assignment has been replaced with a conditional signal assignment, and to mutate the if, a case statement has been inserted. Both operations will be easy to perform automatically.

The modifications in the top level of the design are not shown, as they have already been explained above.

VI. COMPARISON OF THE INJECTION TECHNIQUES USING THE NEW MODELS OF SABOTEURS AND MUTANTS

To compare the performance of the new methods proposed to implement saboteurs and mutants, we have repeated some of the experiments described in [15]. The most relevant injection parameters are the following:
1. System model: An academic fault-tolerant microcomputer system, duplex with cold stand-by sparing, parity detection and watchdog timer, based on the MARK2 microprocessor [22].
2. Injection technique: Simulator commands, saboteurs and mutants.
3. Number of faults: 3000 single faults per experiment.
4. Fault types and duration: Transient, with a duration defined according to a Uniform distribution function in the range [0.1Tcycle, 10.0Tcycle], where Tcycle is the CPU clock cycle.
5. Fault models: See Table I.
6. Workload: Arithmetic series of 5 integer numbers.

With respect to the original experiments, we have changed only the computer where the simulations have been run. In the original experiments, the computer had a Pentium II microprocessor at 350 MHz and 192 Mbytes of RAM. In the experiments described here, the computer used has a Pentium 4 microprocessor at 2.80 GHz and 1 Gbyte of RAM.

We have inserted the equivalent new models of saboteurs in the same places as in the original experiments. Also, we have introduced in the model all the same mutations as in the original experiments. Finally, we have performed an experiment using the simulator commands technique to be used as reference in the comparisons.

In order to make a complete comparison of the injection techniques (and of the different versions), we have measured the following parameters in all cases:
• The average simulation time (of one experiment).
• The average analysis time (of one experiment). It is the duration of the analysis phase.
• The average size of the simulation traces. We have included it to see if the new methods provoke a significant growth in the number of simulation events.

Table II shows the comparison of the values obtained for all the injection techniques and versions. From the table we
can observe significant differences between the new and the old implementations.

A. Comparison of Saboteur Approaches

In the case of saboteurs, we can observe on the one hand that the average simulation time is similar to the one with simulator commands in both cases, although the new models are slightly slower. The reason can be their higher functional complexity. However, the average analysis time is a bit lower in the new models. It may be due to a reduction in the number of simulation events in the traces with respect to the old approach. On the other hand, the results obtained in both groups of experiments are statistically equivalent.

With respect to the trace size, it is slightly bigger than for simulator commands because of the increase in simulation events. If we consider that the new set enlarges the set of fault models injected, as pointed out in Section IV, we can conclude that the new set of saboteurs has enhanced the performance of the technique with respect to the former models.

B. Comparison of Mutant Approaches

In the new mutant implementation, the average simulation time has been reduced dramatically, down to the same order as when using the simulator commands technique. In these experiments, the temporal overhead is negligible. The reasons are two: (i) the model is quite simple, and (ii) the total number of mutations introduced in the model is not very high (about 60). The average analysis time is also of the same order as with simulator commands. Considering the results of both groups of fault injection experiments, the outcomes obtained are statistically comparable. This means that these preliminary data confirm our forecasts.

C. Comparison of the Injection Techniques

Comparing only the injection techniques, and considering exclusively the new methods proposed, one could assert that fault injection with mutants now has the same complexity as with simulator commands. However, this affirmation is true only under the conditions of these test experiments. When applied to more complex models (or simply when inserting more mutations), a higher temporal cost could be expected in both the simulation and analysis times.

The advantages of the new saboteurs are not so noticeable, because their improvements are not numeric, but related to the ease of their automatic insertion, as well as to the number of fault models. This technique introduces a strong overhead in the model, due to the insertion of new components (the saboteurs) and of the signals required to connect them. In any case, the temporal cost is completely affordable with modern computers, so the technique still remains attractive.

Figure 8. Example of mutation of a model. Modification of the VHDL code of a component [21]. (The figure is not reproduced; its arrows labelled (1) mark interface modifications and those labelled (2) mark mutated statements.)

TABLE II. COMPARISON OF THE INJECTION TECHNIQUES USING THE NEW MODELS OF SABOTEURS AND MUTANTS
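The practical example announced in Section V.C, as an added example that is not the code of Fig. 8 (which is not reproduced here) nor VFIT's own generator: a small Python rewriter that produces the single mutated version of a VHDL component in the way Section V.B describes. It adds a Selection input port to the interface (the (1) modifications), replaces a signal assignment with a conditional signal assignment and wraps an if statement in a case statement on Selection (the (2) modifications), returns the table of Selection values that activate each mutation, and binds the port to a top-level Fault_Selection signal. The VHDL component, the mutation names (micro-operation, local stuck-data, stuck-then, stuck-else) applied to it and all function names are constructed for this example; the rewriter is line-oriented and regex-based, standing in for the parser the text assumes, and supports only the statement shapes in the constructed input.

```python
# Added example, not code from the paper, from Fig. 8 or from VFIT: a line-oriented
# rewriter that generates the unique mutated version of a VHDL component as described
# in Section V.B (Selection port, conditional signal assignments and case statements
# on Selection) and the top-level binding to Fault_Selection. The VHDL component, the
# mutations applied and all function names are constructed for this example.
import re
from typing import List, Tuple

Mutations = List[Tuple[int, str]]  # (Selection value that activates it, description)

# Constructed original component (simple enough for the regex-based rewriter below;
# a real tool would work on the syntactic tree produced by its parser).
ORIGINAL = """\
entity adder is
  port (a, b : in integer; sel : in bit; y : out integer);
end entity adder;

architecture rtl of adder is
  signal s : integer;
begin
  s <= a + b;
  process (s, sel)
  begin
    if sel = '1' then
      y <= s;
    else
      y <= 0;
    end if;
  end process;
end architecture rtl;
"""


def add_selection_port(line: str) -> str:
    """Interface modification (arrows (1) in Fig. 8): add the Selection input port."""
    return re.sub(r'^(\s*port\s*\()', r'\1Selection : in integer; ', line, flags=re.IGNORECASE)


def mutate_assignment(line: str, sel: int, muts: Mutations) -> List[str]:
    """Replace `t <= a + b;` by a conditional signal assignment choosing between a
    micro-operation mutation (+ -> -), a local stuck-data mutation (constant 0) and
    the correct expression (any other Selection value)."""
    indent, target, lhs, rhs = re.match(r'^(\s*)(\w+)\s*<=\s*(\w+)\s*\+\s*(\w+)\s*;', line).groups()
    pad = ' ' * (len(indent) + len(target) + 4)
    muts.append((sel, f'{target}: micro-operation (+ -> -)'))
    muts.append((sel + 1, f'{target}: local stuck-data (0)'))
    return [f'{indent}{target} <= {lhs} - {rhs} when Selection = {sel} else',
            f'{pad}0 when Selection = {sel + 1} else',
            f'{pad}{lhs} + {rhs};']


def reindent(lines: List[str], n: int) -> List[str]:
    return [' ' * n + l for l in lines]


def mutate_if(block: List[str], sel: int, muts: Mutations) -> List[str]:
    """Wrap an if/else statement (assumed: exactly one else, no elsif) in a case on
    Selection: stuck-then, stuck-else, or the original statement for other values."""
    indent = re.match(r'^\s*', block[0]).group(0)
    else_i = next(i for i, l in enumerate(block) if l.strip().lower() == 'else')
    then_body, else_body = block[1:else_i], block[else_i + 1:-1]
    muts.append((sel, 'if: stuck-then'))
    muts.append((sel + 1, 'if: stuck-else'))
    return ([f'{indent}case Selection is', f'{indent}  when {sel} =>'] + reindent(then_body, 2) +
            [f'{indent}  when {sel + 1} =>'] + reindent(else_body, 2) +
            [f'{indent}  when others =>'] + reindent(block, 4) + [f'{indent}end case;'])


def mutate(vhdl: str) -> Tuple[str, Mutations]:
    """Generate the single mutated version of a component: every target statement is
    replaced by a 'branch' that selects the correct code or one of its mutations."""
    lines, out, muts = vhdl.splitlines(), [], []
    i, sel, in_process = 0, 1, False
    while i < len(lines):
        line, s = lines[i], lines[i].strip().lower()
        if s.startswith('port'):
            out.append(add_selection_port(line))
        elif s.startswith('process'):
            in_process = True
            out.append(line)
        elif s.startswith('end process'):
            in_process = False
            out.append(line)
        elif not in_process and re.match(r'^\s*\w+\s*<=\s*\w+\s*\+\s*\w+\s*;', line):
            out.extend(mutate_assignment(line, sel, muts))
            sel += 2
        elif in_process and s.startswith('if ') and s.endswith('then'):
            j = i
            while lines[j].strip().lower() != 'end if;':
                j += 1
            out.extend(mutate_if(lines[i:j + 1], sel, muts))
            sel += 2
            i = j
        else:
            out.append(line)
        i += 1
    return '\n'.join(out) + '\n', muts


def bind_instance(port_map_line: str) -> str:
    """Top level: map the mutated component's Selection port to the Fault_Selection
    signal (declared once in the top level; the value 0 keeps every mutation inactive)."""
    return re.sub(r'(port\s+map\s*\()', r'\1Selection => Fault_Selection, ',
                  port_map_line, flags=re.IGNORECASE)


if __name__ == '__main__':
    code, table = mutate(ORIGINAL)
    print(code)
    for value, what in table:
        print(f'Fault_Selection = {value}: {what}')
    print(bind_instance('  u1 : adder port map (a => x, b => z, sel => c, y => r);'))
```

Because every mutation is guarded by a distinct Selection value and the original statement is kept under `when others`, driving Fault_Selection from the simulator (0 for the golden run, a mutation number for the chosen injection window) gives the transient, permanent or intermittent behaviour of Section V.B without any simulation restart.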
VII. CONCLUSIONS

In this paper, new methods to implement and use saboteurs and mutants in VHDL models in an automatic way have been proposed.

The new models of saboteurs fix some problems of ambiguity that the previous approach had. These problems prevented their automatic insertion. Moreover, the new models have been implemented in such a way that they diminish the overhead, by reducing the number of signals required to manage bi-directional saboteurs. Another enhancement with respect to prior models is that they allow injecting more fault models. The results of comparing both proposals do not reflect these improvements. Instead, a small temporal overhead has been introduced.

The advantages of the new method to implement mutants are especially relevant: it is easy to automate and reduces considerably the spatial overhead. But its main success is to reduce dramatically the temporal overhead. In the results obtained, the durations of the simulation and analysis phases are equivalent to those obtained when using simulator commands.

Now, it is necessary to confirm the results obtained in these preliminary experiments, continuing to test the techniques by both inserting more saboteurs and mutations, and injecting faults into more complex models.

After confirming the trends, it will be time to incorporate the enhanced versions of saboteurs and mutants into the VFIT fault injection tool.

ACKNOWLEDGEMENT

This work has been sponsored by the Spanish research project “Mejora de las técnicas de inyección de fallos en modelos VHDL”, TIC2002-02491.

REFERENCES

[1] J. Arlat, M. Aguera, L. Amat, Y. Crouzet, J.C. Fabre, J.C. Laprie, E. Martins, D. Powell, “Fault Injection for Dependability Validation: A Methodology and Some Applications”, IEEE Transactions on Software Engineering, vol. 16, no. 2, pp. 166-182, 1990.
[2] A. Benso and P. Prinetto, eds., “Fault Injection Techniques and Tools for VLSI reliability evaluation”, Kluwer Academic Publishers, 2003.
[3] E. Jenn, J. Arlat, M. Rimén, J. Ohlsson, J. Karlsson, “Fault injection into VHDL models: the MEFISTO tool”, in Proceedings 24th International Symposium on Fault-Tolerant Computing (FTCS-24), pp. 356-363, Austin, TX, USA, 1994.
[4] V. Sieh, O. Tschäche, F. Balbach, “VERIFY: Evaluation of Reliability Using VHDL-Models with Embedded Fault Descriptions”, in Proceedings 27th International Symposium on Fault Tolerant Computing (FTCS-27), pp. 32-36, Seattle, WA, USA, 1997.
[5] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “A Study of the effects of Transient Fault Injection into the VHDL Model of a Fault-Tolerant Microcomputer System”, in Proceedings 6th IEEE International On-Line Testing Workshop (IOLTW'2000), pp. 73-79, Palma de Mallorca, Spain, 2000.
[6] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “Impact of faults in combinational logic of commercial microcontrollers”, Lecture Notes in Computer Science: Dependable Computing EDCC-5, no. 3463, pp. 379-390, Springer-Verlag, 2005.
[7] Institute of Electrical and Electronics Engineers (IEEE), “IEEE Standard VHDL Language Reference Manual”, IEEE Std 1076-1993.
[8] A.M. Amendola, A. Benso, F. Corno, L. Impagliazzo, P. Marmo, P. Prinetto, M. Rebaudengo, M. Sonza Reorda, “Fault Behavior Observation of a Microprocessor System through a VHDL Simulation-Based Fault Injection Experiment”, in Proceedings 1996 European Design Automation Conference with EURO-VHDL (EURO-DAC'96/EURO-VHDL'96), pp. 536-541, Geneva, Switzerland, 1996.
[9] J. Boué, P. Pétillon, Y. Crouzet, “MEFISTO-L: A VHDL-Based Fault Injection Tool for the Experimental Assessment of Fault Tolerance”, in Proceedings 28th International Symposium on Fault-Tolerant Computing (FTCS-28), pp. 168-173, Munich, Germany, 1998.
[10] S. Ghosh, T.J. Chakraborty, “On behavior fault modeling for digital design”, Journal of Electronic Testing, no. 2, pp. 135-151, Kluwer Academic Press, 1991.
[11] J.R. Armstrong, F.-S. Lam, P.C. Ward, “Test generation and Fault Simulation for Behavioural Models”, in Performance and Fault Modelling with VHDL (J. M. Schoen ed.), pp. 240-303, Englewood Cliffs, Prentice Hall, 1992.
[12] T.A. DeLong, B.W. Johnson, J.A. Profeta III, “A Fault Injection Technique for VHDL Behavioral-Level Models”, IEEE Design & Test of Computers, vol. 13, no. 4, pp. 24-33, Winter 1996.
[13] J.C. Baraza, J. Gracia, D. Gil, P.J. Gil, “A Prototype of a VHDL-Based Fault Injection Tool: Description and Application”, Journal of Systems Architecture, vol. 47, no. 10, pp. 847-867, 2002.
[14] D. Gil, J.C. Baraza, J. Gracia, P.J. Gil, “VHDL simulation-based fault injection techniques”, Chapter 4.1 in [2], pp. 159-176, 2003.
[15] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “Study, Comparison and Application of different VHDL-Based Fault Injection Techniques for the Experimental Validation of a Fault-Tolerant System”, Microelectronics Journal, vol. 34, no. 1, pp. 41-51, 2003.
[16] E. Jenn, “Sur la validation des systèmes tolérant les fautes: injection de fautes dans des modèles de simulation VHDL”, Ph.D. Thesis Dissertation, LAAS Research Report N. 94-361, Laboratoire d'Analyse et d'Architecture des Systèmes du CNRS, Toulouse, France, 1994.
[17] Model Technology, “ModelSim SE User's Manual. Version 5.5e”, 2001.
[18] TTTech Computertechnik GmbH, “TTP/C C1 Controller. Specification of the TTP/C C1 Controller”, available at http://www.tttech.com.
[19] J. Gracia, J.C. Baraza, D. Gil, P.J. Gil, “Using VHDL-based fault injection for the early diagnosis of a TTP/C controller”, IEICE Trans. on Information and Systems, vol. E86, no. 12, pp. 2634-2641, 2003.
[20] P.J. Gil et al., “Fault Representativeness”, Deliverable ETIE2 of Dependability Benchmarking Project, IST-2000-25245, 2002.
[21] J.C. Baraza, “Contribución a la Validación de Sistemas Complejos Tolerantes a Fallos. Nuevos modelos de fallos y técnicas de inyección de fallos”, Ph.D. Thesis Dissertation, DISCA-UPV, Spain, 2003.
[22] J.R. Armstrong, “Chip-Level Modelling with VHDL”, Prentice Hall, 1989.