1574 IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 69, NO.

7, JULY 2022

Hybrid Lockstep Technique for Soft

Error Mitigation
M. Peña-Fernández , A. Serrano-Cases , A. Lindoso , Member, IEEE, S. Cuenca-Asensi ,
L. Entrena , Member, IEEE, Y. Morilla , Pedro Martín-Holgado , Student Member, IEEE,
and A. Martínez-Álvarez

Abstract— This work presents the evaluation of a new
dual-core lockstep hybrid approach aimed to improve the fault
tolerance in microprocessors. Our approach takes advantage of
modern multicore processor resources to combine software-based
lockstep with a custom hardware observer. The first is used to
duplicate data and instruction flows; meanwhile, the second is
in charge of the control-flow monitoring. The proposal has been
implemented in a dual-core ARM microprocessor and validated
with low-energy proton irradiation and emulated fault injection
campaigns. The results show an improvement of one order of
magnitude in the cross section of the benchmarks tested, even
considering the worst case scenario.
Index Terms— Dual cores, fault tolerance, lockstep, multi-
threading, proton irradiation, soft errors.
I. I NTRODUCTION
C OMMERCIAL processors are becoming a commodity
for the implementation of critical electronic systems in
a multitude of industrial domains: from traditional aerospace
and military sectors to emerging markets, such as high-
performance computing, autonomous vehicles, or medical
appliances. The superior flexibility and performance offered
by their advanced multicore architectures make those devices
a promising alternative to other specifically designed circuits.
Unfortunately, the progressive miniaturization of the electronic
components jointly with the high clock frequencies demanded
by new applications is making the cores more vulnerable
to radiation-induced faults. Therefore, providing some kind
of fault tolerance to the microprocessors, i.e., the ability to
Manuscript received 20 December 2021; revised 30 January 2022; accepted
31 January 2022. Date of publication 7 February 2022; date of current version
18 July 2022. This work was supported in part by the Spanish Ministry of
Science and Innovation under Project PID2019-106455GB-C22 and Project
PID2019-106455GB-C21 and in part by the Community of Madrid under
Grant IND2017/TIC-7776.
M. Peña-Fernández is with Arquimea ADS, 28918 Leganés, Spain (e-mail:
[email protected]).
A. Serrano-Cases, S. Cuenca-Asensi, and A. Martínez-Álvarez are with the
Computer Technology Department, University of Alicante, 03690 Alicante,
Spain (e-mail: [email protected]; [email protected]; [email protected]).
A. Lindoso and L. Entrena are with the Department of Electronic Tech-
nology, Universidad Carlos III de Madrid, 28911 Leganés, Spain (e-mail:
[email protected]; [email protected]).
Y. Morilla and Pedro Martín-Holgado are with the Centro Nacional
de Aceleradores (CNA), Centro Nacional de Aceleradores, CSIC, JA,
Universidad de Seville, 41092 Seville, Spain (e-mail: [email protected];
[email protected]).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TNS.2022.3149867.
Digital Object Identifier 10.1109/TNS.2022.3149867
continue the operation even in the presence of faults, is a key
to enable these devices for safety-critical applications.
This work is focused on the enhancement of proces-
sors fault tolerance to soft errors, i.e., transient faults on
memory cells that eventually can lead to system failures.
Traditionally, the protection of microprocessors is addressed
by means of spatial and/or temporal redundancy to detect
and/or correct radiation-induced faults. Depending on how
they are implemented, the techniques are usually categorized
as hardware- or software-based. Hardware techniques are
those based on the replication of processing by means of
redundant hardware blocks: registers, memories, or even entire
processing units. Dual- and triple-redundant core locksteps
(DCLS/TCLS) [1], [2] replicate the whole processor and
compare the system output every clock cycle to detect any
mismatch during the execution of the code. TCLS, in addition,
offers the ability to recover the system using the third core
state.
Generally, only output data are checked for errors [2], [3].
However, control-flow errors may cause one of the proces-
sors to lose synchronization and eventually hang or get lost.
Control-flow errors are not easy to detect as they may not have
an immediate observable effect in the computed data. More-
over, it is common in dual cores that one of the processors
acts as primary and the other as secondary. In such a case, the
hang of the primary can lead to the crash of the entire system.
Software techniques are aimed to protect the code execution on
unreliable hardware, mostly commercial off-the-shelf (COTS)
devices. Similar to the hardware techniques, they introduce
replication at different software levels: programs, functions,
loops, instructions, and so on. Although their implementations
have a lower impact on development costs compared with
hardware techniques, their application presents relevant over-
heads, in terms of performance and memory footprint, which
should be taken into consideration.
Unlike related works, this proposal tries to reduce the
impact of the unavoidable unreliable software to achieve
a reliable and efficient computation. In fact, no operating
system (OS) nor external threading libraries are used at all.
Our approach exploits the multithreading capability of modern
microprocessors by means of multiple instances of the same
program running in parallel on separate cores and without any
communication between them, excluding a little piece of code
for stall and synchronization purposes.

0018-9499 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
PEÑA-FERNÁNDEZ et al.: HYBRID LOCKSTEP TECHNIQUE FOR SOFT ERROR MITIGATION
Usually, mitigation techniques are conceived, assuming that
memory chips are protected with some kind of error detection
and correction (EDAC) mechanism. In our case, no assump-
tions are made and the proposal includes procedures to miti-
gate soft errors even for nonprotected memories. In addition,
errors that affect the control flow in any core can be detected
by a custom hardware observer (IP observer) connected to the
trace subsystem. This IP core decodes on-the-fly the program
traces and checks the obtained information.
Our hybrid and multithreaded DCLS lockstep-based
approach have shown improvements in error mitigation, even
for applications with high resilience to radiation. The tech-
nique has been validated with low-energy proton irradiation
and tested by means of emulated injection campaigns.
The paper is organized as follows. Section II introduces the
software and hardware mechanism combined in our proposal.
Section II makes a review of works related to multithreading
and lockstep mitigation techniques. Section III describes the
fault injection campaigns performed and the previous results’
analysis to estimate the contribution of the technique to the
system reliability. Section IV reports the radiation experiments
and their results. Finally, Section V summarizes the conclu-
sions of this work.
II. R ELATED W ORKS
The emergence of multicore processors has enabled the
execution of multiple copies of the same instruction flow on
separated execution units. The technique known as redundant
multithreading (RMT) along with the concept of sphere of
replication was proposed in [4] for detection and recov-
ery of soft errors. Basically, the sphere-of-replication (SoR)
defines the set of resources, hardware or software, which are
replicated. This way, the values entering the SoR must be
replicated, and the values leaving the SoR must be checked
to assure their integrity. Initial RMT approaches included the
processor pipeline and the register file in the SoR boundaries,
relaying the correctness of the execution on helper structures,
such as store buffers, load, and branch queues, not present on
real processors [5], [6]. Those proposals were tested on simula-
tors with promising results but never evaluated on real devices.
Other approaches deal with soft errors considering their
effect on the software running on the system. They address
the problem from either the compiler, OS, or application
level. Most of them make the assumption that memories are
protected by an error detection mechanism. In [7] and [8],
a custom compiler transforms the application code into two
communicating threads: the leading thread performs all the
load/store operations and sends the data to the trailing thread
that replicates the ALU operations and compare the results.
The SoR only includes computations; therefore, they suffer
from the vulnerable input replication and output compari-
son processes. Another approach [9] suggests duplicating the
memory read/write operation values to solve this problem;
however, it increases the synchronization and performance
overheads up to 5× given the low granularity of the memory
operations.
Other authors [10] propose specific OS services to support
RMT execution providing error detection and recovery. In that
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
1575
work, the OS service transparently replicates the execution of
applications at the binary level by creating redundant threads in
separate address spaces. Some studies propose the use of stan-
dard libraries, such as OpenMP and Pthreads [11], to generate
redundancy programmatically. Furthermore, authors in [12]
and [13] propose the use of custom application programming
interfaces (API) and language directives to allow the program-
mer to define redundant threads and selectively decide the code
regions and variables to be protected. Also, software tools,
such as Trikaya [14], have been proposed to automatically
transform the source and produce a DMR version with rollback
reexecution. All those high-level approaches suffer from two
main problems. The first is the performance overhead pro-
duced by the additional software layers. The second is the
increment in the susceptibility to errors due to the complexity
introduced by the software stack and the OS itself. That is
expressed by a higher number of both silent data corruption
events and OS crashes, as pointed in [15].
There are a lower number of approaches based on hardware
redundancy as they usually apply architectural modifications
to real devices or include custom modules in programmable
SoCs. In [16], authors add a hardware module to a standard
implementation of a lockstep mechanism over two PowerPC
processors hardwired on an FPGA. The module reduces
the checkpoint overhead by comparing only the modified
addresses and values. A different approach is presented in [17]
where two FPGA-based boards are used to implement a
rollback recovery method to protect periodic tasks running on
two LEON processors. Softcore processors are also employed
in [18]. In this case, Microblaze processors are configured in
DMR to detect errors in the application outputs; meanwhile,
a TMR Picoblaze continuously reads the configuration mem-
ory looking for errors. Finally, the work [2] implements a roll-
back/recovery mechanism using the programmable resources
of an FPGA. The application is manually divided into several
blocks delimited by verification points, and it is executed
simultaneously in both cores of an ARM cortex-A9 processor.
Every time a verification point is reached, the context and
data are saved in a dual-port private memory and compared
to detect some mismatch by custom hardware.
In our approach, a single program multiple data (SPMD)
scheme has been adopted for bare metal applications (without
OS), which renders a reduced number of race conditions and
lower control overhead compared to traditional solutions. This
technique is combined with a custom IP that leverages the
information provided by the on-chip debugging facilities to
detect on-the-fly any control flow error. It results in an efficient
implementation with a very low area usage.
Among all the reviewed works, only a few were tested in
accelerated radiation experiments [2], [11], [14]. More com-
prehensive surveys about multithreading and lockstep-based
mitigation techniques can be found in the respective sur-
veys [19], [20].
III. H YBRID L OCKSTEP A PPROACH
Our approach combines hardware and software techniques
that exploit common resources available in modern micro-
processors. It is intended to be directly applied to them with
1576
Fig. 1. Architecture overview.
minimum additions. Fig. 1 shows the architecture resources
that support the proposal. Two redundant threads run simulta-
neously in two separate cores of a multicore processor sharing
the on-chip memory to store a single copy of the code and
private copies of the data. A software infrastructure was devel-
oped to endow the dual-core system with the ability of running
redundant threads on bare metal. It is composed of three
elements: first, a modified board support package (BSP) able to
boot up the processor in the SPMD mode; second, a memory
map and the associated linker scripts to build separate memory
sections for each core; finally, a thread support library that
includes the synchronization and communication mechanisms,
and the implementation of different macros and preprocessing
directives to define the region of the code to be protected and
the context that has to be restored in the case of error.
The synchronization mechanism follows the spinlock
method by means of exclusive load/store on shared variables
(locks). Also, shared variables jointly with interrupts are
used to implement minimal communication to notify events
between threads.
The on-chip trace modules, called program trace macro-
cells (PTMs), are used to extract execution information, one
for each core. The trace information, containing program
counter (PC) values related to the executed application of each
core, is sent to a custom IP implemented in the programmable
logic of the SoC, which is in charge of the decodification and
monitorization of the cores activity.
On the one hand, the software part of the technique is able
to detect soft errors affecting the data during the computa-
tion. The detection of an error triggers a rollback recovery
mechanism and can additionally be notified externally for
further actions. The hardware IP, on the other hand, reports
any anomalous behavior of the instruction flows. Using that
information, specific recovery actions may be implemented.
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 69, NO. 7, JULY 2022
A. Software Implemented Data Protection
Taking advantage of the parallel computing that multiple
cores can offer to improve data protection, the multithreaded
mitigation technique called duplication with comparison and
reexecution (DWC-R), first presented in [21], is also proposed
and demonstrated under radiation here. This technique is
based on the concept of SoR [22], in which boundaries
define the region of the code whose computation must be
under protection. Within the SoR, the instruction flow and
the involved variables are replicated using lightweight threads.
The verification of the correctness of data is only needed when
an instruction sends the data outside the SoR. In any other
case, the replicated threads progress in parallel working on
their own data replica.
The implementation of the aforementioned technique
requires some instrumentation of the source code (C or C++).
This is undertaken by means of custom C++ macros and
preprocessing directives, which are used to annotate what data
variables belong to the SoR and, thus, must be under pro-
tection, and the source code region (containing all read/write
accesses to the SoR) where the mitigation will take place.
The user just has to manually include the primitives in the
original code, and the compiler automatically produces the
multithread version of the executable. The annotation of each
data resource distinguishes the functional context of each
variable, which means that those variables belonging to the
.rodata (read-only data), .bss (uninitialized variables), and .data
(initialized variables) data sections are indicated and processed
conveniently.
Fig. 2 shows an example of code instrumented with our
technique. SoR boundaries are defined by the SYNC macro.
It is also used to declare the context restoration and validation
points by means of the variables that cross the SoR limits.
All variables within the SoR (e.g., fooVar) are duplicated in
its own core address space. Additional variables involved in
the critical computation region (e.g., global variables) need
to be explicitly replicated using the XHARD macro, which
is overloaded depending on the memory section where the
variables will be allocated. Each thread accesses its copy
using a pointer created and initialized with the PTR and
THREAD_REPLICA_VAR primitives, respectively.
Threads operation and synchronization can be seen in Fig. 3.
In order to achieve detection and recovery capability, the
SoR is triplicated by means of the replication of each data
section. Two copies of each data section (.bss0, .bss1, .data0,
.data1, .rodata0, and .rodata1) are automatically generated
when spawning the two threads (primary and shadow). The
corresponding addresses for each data section are automati-
cally managed by a custom linker script. In addition, DWC-R
allocates a third copy of data sections (.bss2, .data2, and
.rodata2) to allow the restoration of the SoR variables in the
case of error.
When the program starts, two bare-metal threads (primary
and shadow) are spawned in parallel using both indepen-
dent shared memory processing units (Core0 and Core1) to
replicate the full program computation. In case the program
enters a protected region, the threads are synchronized using a
PEÑA-FERNÁNDEZ et al.: HYBRID LOCKSTEP TECHNIQUE FOR SOFT ERROR MITIGATION
Fig. 2. Snippet of C/C++ code instrumentation.
spinlock barrier, and then the context is automatically updated
by the primary thread (SoR-input checkpoint), which notifies
the shadow to start the computation of the critical region.
Next, a new synchronization is needed to guarantee that both
threads have finished the computation before the SoR output
checkpoint is reached. At this point, SoR computed variables
are compared by the primary thread. In the case of a mismatch,
both threads go back to the first checkpoint and perform a
context restoration (using the third copy) to reexecute the pro-
tected section. Conversely, the program continues the normal
execution flow. It is worth mentioning that the minimal needed
code instrumentation (green boxes) does not interfere with the
original program flow.
B. Hardware Implemented Control-Flow Protection
To provide control-flow protection, we leverage the informa-
tion available at the trace interface of the processor. The trace
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
1577
Fig. 3. Duplication with comparison and reexecution (DWC-R) with two
threads. Code program (.text memory section) is shared among both threads,
while .data, .bss, and .rodata memory sections are distributed.
interface is a very common resource in modern microproces-
sors, enabling debug and profiling tasks during application
development. However, the trace interface is usually left
unused once the application is released, so it can be reused
for other purposes. The trace interface is, by design, capable
of providing relevant information about processor execution
without disturbing it in a nonintrusive manner and with low
latency. In a multicore system, the trace interface is typically
shared between all cores, and it can be effectively used to
gather execution information of all of them.
A custom observer IP core has been developed based on the
trace interface specification and implemented in VHDL [23].
The IP can receive raw data packets from the trace interface,
decode them, and use that information to check the correctness
of the execution flow of one or more processors in the system.
The decoding and checking processes are performed online
along with processor execution, and the latency of the IP
is less than 30 clock cycles to determine whether an error
has occurred. The time that the trace takes to output the
information about execution is also known to be low [24],
so the overall detection latency can be as low as 500 ns in a
typical implementation.
The program trace macrocells (PTM0 and PTM1) available
at the trace subsystem of the SoC processing system have been
configured to export trace information related to the PC value
of each core during execution. The amount of information
exported by the PTM modules is not exhaustive since it is
compressed to optimize the bandwidth of the trace interface.
However, it is enough to infer the execution flow of each core,
as it includes information about all the branches taken by each
processor. In the absence of branch information in the trace,
1578
sequential execution is assumed. The observer IP leverages
trace information to gather the PC value of both processors in
the system and continuously check that value against a set of
allowed ranges configured by the user, where the application
code is stored. If at any moment any of the processors present
a PC value outside the allowed ranges, then the processor
control flow is wrong, and the application is about to fail,
so the IP sets a signal to trigger a system reset with much lower
latency than a common watchdog. In addition, the PC value is
used to perform an additional check by the use of a PC-based
watchdog. For the PC-based watchdog, the IP is continuously
looking for a specific user-configurable PC value in the trace
information. If the configured PC value does not appear in a
configurable time because of a possible hang condition, the
IP sets a signal indicating it. The PC-based watchdog has the
advantage over a traditional watchdog that it is not relying
on all in the application to reload it, but it will be reloaded
using the trace information every time the application reaches
a particular point in execution, which can be commonly set as
the first instruction of the main application loop.
IV. S OFT E RROR M ITIGATION A NALYSIS
To assess our hybrid approach, two fault injection cam-
paigns were carried out. The first campaign was designed
to observe the impact of the software-based part of the
technique (multithreading DWC-R) applied at different levels
of granularity. The second was conceived to estimate the
overall contribution of the complete hybrid technique to the
applications’ reliability.
The matrix multiplication code of the project BEEBS [25]
was selected as the benchmark to operate on 20 × 20 32-bit
integer matrices. The structure of the code, basically three
nested loops, allowed us to analyze the tradeoffs between
the granularity of the protection and the reliability obtained.
The index of the first loop (the outer loop) runs through
the rows of the first matrix. Defining here the boundaries
of the SoR means a unique point of checking but a large
amount of data to be verified (the whole matrix). The second
index runs through the columns of the second matrix (inner
loop). This boundary defines multiple checkpoints to verify
the correctness of each resultant row. Finally, the innermost
loop computes the multiplication of one row and one column
to obtain the corresponding element of the result matrix.
At this point, every element must be checked increasing the
number of synchronizations between threads but significantly
reducing the amount of data to be verified. The output matrix
is initialized to zero on each run, and a golden matrix is used
to verify correctness. The output initialization ensures that the
whole computation is performed and committed to memory,
detecting possible masked errors due to intermediate cached
calculations.
A. Simulated Fault Injection Campaign
In the multithreading DWC-R analysis, we employed an
instruction accurate simulator, WindRiver Simics [26], con-
figured to inject bit-flips in the register files and memory
sections of an ARM Cortex-A9 dual-core processor. Besides
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 69, NO. 7, JULY 2022
the unprotected version of the code (Original), four hardened
versions were built to run on the dual-core: StackH, DatH-
Outer, DatH-Inner, and DatH-Acc. In the StackH version,
the matrix multiplication is protected using two threads, one
per processor core, and triplicating the automatic variables.
This benchmark performs the same computation as the code
without protection, except for the inner loop checks performed
on the automatic variables. These checks aim to verify that
the computation is being performed with the same data and
are achieved by checking the indexes that control the loops.
Once each value from the output matrix has been calculated,
the result is verified with the other thread output before
committing the result to memory and exiting the SoR.
Finally, in the Dat-x versions, the SoR is extended from
the calculation of each element of the resulting matrix (DatH-
Acc) to the data residing on memory, resulting in the triplica-
tion of all involved matrices (DatH-Outer). In this case, the
verification is carried out once each core has calculated the
output matrix, resulting in a coarse grain check. At this point,
only two copies of the output matrix are completed. Therefore,
to complete the data triplication, the calculated matrices are
compared and saved into the third copy if no errors are found.
Otherwise, the matrices are restored to the initial state to restart
the calculus from an error-free state.
The fault injector was configured to perform 1800 injections
per core at the register file (100 · 18 registers), 800 injections
per memory section and core (200 injections per data replica
at .rodata, .data, .bss, and .stack sections), and 200 injection
at .text section per core. Thus, 5200 injections of faults have
been injected at the single-core original version and 10 400
at multithreaded DWC-R versions. Faults were labeled as
unnecessary for architectural correct execution (unACE) when
an injection is made, and they do not affect the result of
the program’s output, silent data corruption (SDC), when the
result is not correct but the program ends, and HANG, if it
does not end or exceeds a time limit. The programs have
been evaluated having as a reference a faultless (ground truth)
execution of themselves and adding a recovery time equal to
the faultless execution duration. If this temporal restriction is
exceeded, the program is considered that does not meet the
valid requirements, and the fault is labeled as HANG.
Raw event rates (SDC and HANG) from simulated fault
injection campaign are shown in Fig. 4. Results demonstrate
that the unprotected version presents a high rate of SDC,
above 30%, and a very low percentage of HANG. These
results are in accordance with the data-intensive nature of the
algorithm. This way, the successive multithreading versions
clearly decrease the SDC occurrence depending on the amount
of data protected and the granularity of the checkpoints. The
StackH version only protects the automatic variables (the
indexes of the loops), so it gets a modest improvement of 2×
but at the cost of increasing the HANG rate up to 8×. The
DatH-Acc version protects every result individually; therefore,
it offers the best SDC rate (0.8%) improving the baseline rate
by 38×. However, it involves a high number of checkpoints
and threads synchronization, which makes the code more
prone to control flow errors. As a consequence, the HANG rate
is still increased by 5.7×. The DatH-Outer version presents
PEÑA-FERNÁNDEZ et al.: HYBRID LOCKSTEP TECHNIQUE FOR SOFT ERROR MITIGATION
Fig. 4. Error rates for multithreading DCW-R technique.
the most balanced results due to the low control overhead
with a very reduced SDC percentage (1%, i.e., improvement
of 29.7×) and the lower HANG rate at the same time (1.8%).
In terms of unACE faults, it reaches up to 96.1%.
B. Emulated Fault Injection Campaign
The analysis of the proposed technique (data and control
flow protection) was complemented with one additional fault
injection campaign over those versions showing the most
uneven behavior, i.e., StackH and DatH-Outer. The faults were
emulated on a Zybo board [27] connected to an external host
(single-board computer), which was in charge of generating
random seeds for injection and retrieving test results. In the
event of any error during fault emulation, the external host
power cycled the Zybo board. The campaigns were focused
on the injection on the register file and are triggered randomly
inside the processor itself by software emulated upsets [28]
using timer interrupts. Upon each timer interrupt, the current
state of the register file is saved on the processor stack before
attending the interrupt service routine. Inside the routine, the
software randomly introduces a bit-flip in a random bit of a
random register of the saved stack state and returns. When the
content of the stack is restored into the processor registers, the
injected fault becomes effective. Only one fault is injected per
benchmark execution, following a single error model, and in
the case that reexecution is needed, no additional faults are
injected.
The results obtained with this emulated fault injection
campaign are shown in Table I. In addition to the recovery
capability exposed by the multithread part of the technique, the
control-flow protection is able to identify conditions that would
lead the dual-core system to lose synchronization and get
stuck, such as the triggering of a nonmanaged exception. The
observer IP can detect that events, which commonly cannot
be corrected, with low latency to trigger a system reset, thus
increasing the overall availability of the system. A new cate-
gory, named potential hang detected (PotHDetected), is used
to classify those events. In addition, the label corrected was
assigned to cases where data errors were detected and recov-
ered. Columns of Table I show the number (N) and its relative
percentage (%) of TotalEvents (total amount of faults that
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
1579
TABLE I
E MULATED I NJECTION R ESULTS
TABLE II
T IME OVERHEADS AND R ELATIVE I MPROVEMENT OF THE MWTF M ETRIC
were able to be labeled), HANGs, PotHDetected, SDC, and
Corrected events for the Original, StackH, and DataH-Outer
versions of the software. In addition, the third column (%
TotalInj) indicates the percentage of the labeled faults taking
into account the total number of emulated faults.
The campaigns were run up to get a significant number
of events (about 100). As expected, the original benchmark
presents the lower reliability in terms of SDC, and in this case,
no HANGs were produced. Similar to simulated campaigns,
StackH version improves the SDC and presents an important
number of corrected events even higher than DatH-Outer
benchmark. Some specific registers are exclusively used to
access the stack (where the automatic variables are stored),
and the majority of the faults are detected and corrected by
the technique. On the contrary, DatH-Outer uses massively the
memory to operate with the data, which may explain the dif-
ference in terms of corrected errors, since the register file is the
only target of the faults injected in this campaign. In summary,
the hardware-implemented control-flow protection provides an
important reduction in the error rate associated with HANG
events without interfering with the recovery capability of the
data protection.
Finally, in order to estimate the overall reliability improve-
ment of our hybrid approach, the mean work to fail-
ure (MWTF) metric is provided. MWTF takes into account
not only the fault coverage but also the period of time that
the code is exposed to faults. Table II shows the execution
time of each benchmark and the relative MWTF, taking the
original unprotected code as the baseline. The protected codes
present time overheads of 2.9× and 2.5× for StackH and
DatH-Outer, respectively. In the case of protecting the stack,
the technique produces a large number of checking points and
threads synchronization, which is the main cause of the shown
overhead. On the contrary, the coarser granularity protection
of DatH-Outer reduces notably the number of checkpoints but
1580
introduces a large number of memory accesses to verify and
restore the matrices, which explains the excess in the execution
time. Even though the performance penalty incurred by our
proposal, the gain in MWTF is remarkable being of one order
of magnitude when only the stack is hardened and reaching
up to 97.7× when all data are triplicated.
V. R ADIATION E XPERIMENTS
The original and DatH-Outer benchmarks have been tested
in the external beamline of the 18/9 ion beam applications
compact cyclotron located at the Centro Nacional de Aceler-
adores (CNA), Seville, Spain. The device under test (DUT)
was a Xilinx Zynq-7010 System on a Chip (SoC) [29] that
integrates a hard-core dual-core ARM Cortex-A9 proces-
sor [30] along with programmable logic, interconnections, and
peripherals. The DUT was mounted on a commercial board
(Zybo) [27] and irradiated in open air with 15.2-MeV protons.
The energy of the protons in the active area of the silicon
is about 10 MeV, which is considered enough to produce
single event effects on the 28-nm technology device with no
thinning [31].
The DUT configuration is stored in an SD card, which is
inserted in the receptacle of the board. Upon power-on, the
DUT loads the code from the SD card to on-chip-memory
(OCM) using a two-stage bootloader to initialize the program-
mable logic and boot the application. Because we use OCM
for the benchmarks, we used a two-stage bootloader scheme.
It is important to mention that all the benchmarks are executed
using only OCM memory, which is inside the SoC, so all
computing hardware, including the memory, is irradiated.
The external observer IP has been implemented in the
programmable logic of the device and connected to the trace
interface over the extended multiplexed input–output (EMIO)
interface available on the Zynq device. The IP leverages
the information produced by the PTM of each core, which
provides relevant PC values during execution. The processors
are running at the nominal 650-MHz clock frequency.
An external host, placed outside the beam and connected to
the DUT through a serial communication interface, was used to
control the experiment. The benchmarks provide a periodical
message if no error is present, and the code is instrumented
to provide different codes depending on the observed error.
In the case of any error, the host performs a power cycle to
restart the DUT.
We distinguish the following error categories.
1) Exception Error: The processor execution flow has been
abruptly interrupted by an unexpected exception, proba-
bly caused by forbidden memory access. If not handled,
this type of error would become a timeout error.
2) Timeout Error: The processor has become unresponsive.
3) Communication Error: The serial communication with
the processor has become corrupted, thus making it
impossible to identify further errors.
4) Silent Data Corruption (SDC): The benchmark execu-
tion has finished with errors in the result matrix.
To test our technique under the worst case scenario, all
program memory sections (.rodata, .data, .bss, and .text) were
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 69, NO. 7, JULY 2022
Fig. 5. Cross section (cm2 ) and 95% confidence intervals for DatH-Outer
and unprotected Original benchmarks.
statically linked within the executable, loaded to the OCM,
and therefore exposed to the beam. This way, the boundaries
of the SoR were extended up to the OCM. To do this,
it was necessary to insert routines to verify and restore the
three copies of the input data. Also included in the .rodata
section were three copies of the golden results and routines to
periodically refresh their values to avoid the accumulation of
errors between successive runs of the benchmark.
The results obtained from the irradiation campaign are
presented in Fig. 5. It shows the cross section of the aforemen-
tioned error classification and the cross section of all observed
errors (total errors) for the benchmarks tested under radiation.
Note that even the algorithm without protection (original),
which represents our starting point, presents high resilience to
radiation (a low cross section). However, our technique is able
to improve the cross section and, therefore, the vulnerability
to soft errors.
As expected, the cross section of the original benchmark
throws the worst results in terms of total errors and SDC.
Note that our technique is able to detect the exception and
timeout events before they become errors, so they are not
accounted for in the total errors category for the DatH-Outer
experiment. It results in 4.29e-11-cm2 cross section for the
unprotected benchmark and 3.31e-12 cm2 for the DatH-Outer,
showing an improvement of one order of magnitude. It is
worth noting that our proposal was tested under the worst
case scenario; thus, presumably further improvements would
be obtained using EDAC protected memories.
Remarkably, most errors are tagged as SDC due to the
different matrices’ corruption (input, calculated, and golden).
It is remarkable that this protection can reduce the propagation
of erroneous outcomes (SDC). More precisely, during the
irradiation campaign, the technique was able to correct up to
144 errors, which is a good demonstration of the mitigation
capabilities of the proposed technique.
Regarding the timeout errors, results show that the harden-
ing approaches are more prone to hang the platform, which
PEÑA-FERNÁNDEZ et al.: HYBRID LOCKSTEP TECHNIQUE FOR SOFT ERROR MITIGATION
can be caused by one of the threads missing synchronization.
In such a case, the system can enter an abnormal waiting state
where both cores are waiting for each other to finish and can-
not synchronize. Although undesirable, it can be considered
less critical than SDC since this situation may be detected
with common processor mechanisms (e.g., watchdog).
VI. C ONCLUSION
We have presented a new hybrid soft error mitigation
technique for multicore processors based on multithreaded
lockstep and a custom hardware IP that uses the trace port
of the microprocessor to observe the control flow. The tech-
nique has been validated with low-energy proton irradiation
and tested by means of emulated injection campaigns. Both
campaigns show insights of reliability improvements. On the
one hand, fault injection campaigns have demonstrated the
detection and recovery capabilities of the proposed approach.
On the other hand, the irradiation campaign has validated the
reliability improvements observed in the analysis of the fault
injection results. Therefore, error mitigation is improved by
using our hybrid multithreaded lockstep-based approach for
soft error mitigation.
R EFERENCES
[1] X. Iturbe, B. Venu, E. Ozer, and S. Das, “A triple core lock-step
(TCLS) ARM Cortex-R5 processor for safety-critical and ultra-reliable
applications,” in Proc. 46th Annu. IEEE/IFIP Int. Conf. Dependable Syst.
Netw. Workshop (DSN-W), Jun. 2016, pp. 246–249.
[2] Á. B. de Oliveira et al., “Lockstep dual-core ARM A9: Implementation
and resilience analysis under heavy ion-induced soft errors,” IEEE Trans.
Nucl. Sci., vol. 65, no. 8, pp. 1783–1790, Aug. 2018.
[3] F. Abate, L. Sterpone, and M. Violante, “A new mitigation approach for
soft errors in embedded processors,” IEEE Trans. Nucl. Sci., vol. 55,
no. 4, pp. 2063–2069, Aug. 2008.
[4] S. K. Reinhardt and S. S. Mukherjee, “Transient fault detection via
simultaneous multithreading,” ACM SIGARCH Comput. Archit. News,
vol. 28, no. 2, pp. 25–36, 2000.
[5] J. Smolens, B. Gold, B. Falsafi, and J. Hoe, “Reunion: Complexity-
effective multicore redundancy,” in Proc. 39th Annu. IEEE/ACM Int.
Symp. Microarchitecture (MICRO), Dec. 2006, pp. 223–234.
[6] C. LaFrieda, E. Ipek, J. F. Martinez, and R. Manohar, “Utilizing
dynamically coupled cores to form a resilient chip multiprocessor,” in
Proc. 37th IEEE Int. Conf. Dependable Syst. Netw. (DSN), Edinburgh,
Scotland, Apr. 2007, pp. 317–326.
[7] K. Mitropoulou, V. Porpodas, and T. M. Jones, “COMET:
Communication-optimised multi-threaded error-detection technique,” in
Proc. Int. Conf. Compil., Architectures Synth. Embedded Syst. (CASES),
2016, pp. 2.3.1–2.3.10.
[8] Y. Zhang, J. W. Lee, N. P. Johnson, and D. I. August, “DAFT:
Decoupled acyclic fault tolerance,” in Proc. 19th Int. Conf. Parallel
Archit. Compilation Techn. (PACT), 2010, pp. 87–97.
[9] H. So, M. Didehban, Y. Ko, A. Shrivastava, and K. Lee, “EXPERT:
Effective and flexible error protection by redundant multithreading,”
in Proc. Design, Autom. Test Eur. Conf. Exhib. (DATE), Mar. 2018,
pp. 533–538.
[10] B. Döbel and H. Härtig, “Can we put concurrency back into redundant
multithreading?” in Proc. 14th Int. Conf. Embedded Softw. (EMSOFT),
2014, pp. 1–10.
Authorized licensed use limited to: FUDAN UNIVERSITY. Downloaded on November 10,2022 at 13:29:17 UTC from IEEE Xplore. Restrictions apply.
1581
[11] G. S. Rodrigues, F. Rosa, Á. B. de Oliveira, F. L. Kastensmidt, L. Ost,
and R. Reis, “Analyzing the impact of fault-tolerance methods in ARM
processors under soft errors running Linux and parallelization Apis,”
IEEE Trans. Nucl. Sci., vol. 64, no. 8, pp. 2196–2203, Aug. 2017.
[12] S. Hukerikar, K. Teranishi, P. C. Diniz, and R. F. Lucas, “RedThreads:
An interface for application-level fault detection/correction through
adaptive redundant multithreading,” Int. J. Parallel Program., vol. 46,
no. 2, pp. 225–251, Apr. 2018.
[13] Y.-S. Chen and P.-S. Chen, “A software-based redundant execution
programming model for transient fault detection and correction,” in
Proc. 45th Int. Conf. Parallel Process. Workshops (ICPPW), Aug. 2016,
pp. 66–71.
[14] H. Quinn, Z. Baker, T. Fairbanks, J. L. Tripp, and G. Duran, “Soft-
ware resilience and the effectiveness of software mitigation in micro-
controllers,” IEEE Trans. Nucl. Sci., vol. 62, no. 6, pp. 2532–2538,
Dec. 2015.
[15] J. S. Monson, M. Wirthlin, and B. Hutchings, “Fault injection results of
Linux operating on an FPGA embedded platform,” in Proc. Int. Conf.
Reconfigurable Comput. (FPGAs), Dec. 2010, pp. 37–42.
[16] F. Abate, L. Sterpone, C. A. Lisboa, L. Carro, and M. Violante, “New
techniques for improving the performance of the lockstep architecture
for SEEs mitigation in FPGA embedded processors,” IEEE Trans. Nucl.
Sci., vol. 56, no. 4, pp. 1992–2000, Aug. 2009.
[17] M. Violante, C. Meinhardt, R. Reis, and M. S. Reorda, “A low-cost
solution for deploying processor cores in harsh environments,” IEEE
Trans. Ind. Electron., vol. 58, no. 7, pp. 2617–2626, Jul. 2011.
[18] H.-M. Pham, S. Pillement, and S. J. Piestrak, “Low-overhead fault-
tolerance technique for a dynamically reconfigurable softcore processor,”
IEEE Trans. Comput., vol. 62, no. 6, pp. 1179–1192, Jun. 2013.
[19] I. Oz and S. Arslan, “A survey on multithreading alternatives for soft
error fault tolerance,” ACM Comput. Surveys, vol. 52, no. 2, pp. 1–38,
Mar. 2020.
[20] E. W. Wachter, S. Kasap, X. Zhai, S. Ehsan, and K. McDonald-Maier,
“Survey of lockstep based mitigation techniques for soft errors in
embedded systems,” in Proc. 11th Comput. Sci. Electron. Eng. (CEEC),
Sep. 2019, pp. 124–127.
[21] A. Serrano-Cases, F. Restrepo-Calle, S. Cuenca-Asensi, and
A. Martínez-Álvarez, “Multi-threaded mitigation of radiation-induced
soft errors in bare-metal embedded systems,” J. Electron. Test., vol. 36,
no. 1, pp. 47–57, Dec. 2019.
[22] G. A. Reis, J. Chang, N. Vachharajani, R. Rangan, and D. I. August,
“SWIFT: Software implemented fault tolerance,” in Proc. Int. Symp.
Code Gen. Optimiz., Mar. 2005, pp. 243–254.
[23] M. Pena-Fernandez, A. Lindoso, L. Entrena, and M. Garcia-Valderas,
“The use of microprocessor trace infrastructures for radiation-induced
fault diagnosis,” IEEE Trans. Nucl. Sci., vol. 67, no. 1, pp. 126–134,
Jan. 2020.
[24] M. Peña-Fernandez, A. Lindoso, L. Entrena, M. Garcia-Valderas,
Y. Morilla, and P. Martín-Holgado, “Online error detection through trace
infrastructure in ARM microprocessors,” IEEE Trans. Nucl. Sci., vol. 66,
no. 7, pp. 1457–1464, Jul. 2019.
[25] J. Pallister, S. J. Hollis, and J. Bennett, “BEEBS: Open benchmarks for
energy measurements on embedded platforms,” 2013, arXiv:1308.5174.
[26] P. S. Magnusson et al., “Simics: A full system simulation platform,”
IEEE Comput., vol. 35, no. 2, pp. 50–58, Feb. 2002.
[27] Zybo Reference Manual, Digilent, Pullman, WA, USA, 2014.
[28] M. Peña-Fernandez et al., “PTM-based hybrid error-detection archi-
tecture for ARM microprocessors,” Microelectron. Rel., vols. 88–90,
pp. 925–930, Sep. 2018.
[29] Zynq-7000 All Programmable SoC: Technical Reference Manual, docu-
ment UG585, Xilinx, San Jose, CA, USA, 2016.
[30] Cortex-A9 Technical Reference Manual r4p1, ARM, Cambridge, U.K.,
2012.
[31] A. Lindoso, M. García-Valderas, L. Entrena, Y. Morilla, and P. Martín-
Holgado, “Evaluation of the suitability of NEON SIMD microprocessor
extensions under proton irradiation,” IEEE Trans. Nucl. Sci., vol. 65,
no. 8, pp. 1835–1842, Aug. 2018.