Journal of Systems Architecture 131 (2022) 102710

Contents lists available at ScienceDirect

Journal of Systems Architecture

journal homepage: www.elsevier.com/locate/sysarc

SOFIA: An automated framework for early soft error assessment,

identification, and mitigation
Jonas Gava a , Vitor Bandeira a , Felipe Rosa a , Rafael Garibotti b , Ricardo Reis a , Luciano Ost c ,∗
a
PGMicro - Federal University of Rio Grande do Sul, UFRGS, Brazil
b
School of Technology, PUCRS, Brazil
c
Wolfson School, Loughborough University, UK

ARTICLE INFO ABSTRACT

Keywords: The occurrence of radiation-induced soft errors in electronic computing systems can either affect non-essential
Fault injection system functionalities or violate safety–critical conditions, which might incur life-threatening situations. To
Fault mitigation techniques reach high safety standard levels, reliability engineers must be able to explore and identify efficient mitigation
Soft error
solutions to reduce the occurrence of soft errors at the initial design cycle. This paper presents SOFIA, a
Reliability
framework that integrates: (i) a set of fault injection techniques that enable bespoke inspections, (ii) machine
learning methods to correlate soft error results and system architecture parameters, and (iii) mitigation
techniques, including: full and partial triple modular redundancy (TMR) as well as a register allocation
technique (RAT), which allocates the critical code (e.g., application’s function, machine learning layer) to
a pool of specific processor registers. The proposed framework and novel variations of the RAT are validated
through more than 1739k fault injections considering a real Linux kernel, benchmarks from different domains
and a multi-core Arm processor.

1. Introduction
Electronic computing systems are incorporating more functionalities
and new technologies into their software stacks (e.g., kernels, drivers
and heavy applications). Software stacks running on such architec-
tures differ in terms of security, reliability, performance and power
requirement. While supercomputer software development considers
performance as primary criteria, software stacks embedded in cars
must comply with strict safety and reliability requirements, defined
by specific standards such as the ISO 26262 Road vehicles Functional
Safety [1]. Such standards will undoubtedly impose more restrictions,
mainly due to the advance of autonomous vehicles, which will make
decisions that can put human lives at risk. Such systems are expected
to integrate artificial intelligence (AI) and machine learning (ML) tech-
niques that will be just as complex as those found in today’s data
centres. With the constant growth of software stack code size and
complexity, designing fast, flexible and cost-effective tools that enable
in-depth soft error susceptibility analysis of complex software stacks
has become of utmost importance.
With this in mind, researchers and market leaders are investigating
new alternatives, such as the use of virtual platform fault injection
(FI) frameworks [2–10]. Such frameworks allow enormous productivity
gains over the hardware-based approaches, mainly at the cost of ignor-
ing the impact of new technologies on soft error rates. The majority
of such FI frameworks are reasonable environments to base detailed
soft error assessment and identification. However, to ensure the fail-
safe functionality of emerging electronic computing systems, designers
should be able to assess, identify and promote efficient alternatives to
mitigate the occurrence of soft errors.
This paper, therefore, mainly contributes by describing a pioneering
fully automated framework, called SOFIA, which supports fast and
early soft error assessment, diagnosis and susceptibility reduction eval-
uation through the application of software-based mitigation techniques.
SOFIA offers a wide range of soft error evaluation opportunities, which
go beyond the classical toolsets, thereby furthering potential advan-
tages that fill the gap between the available tools and the industry
requirements. Another novelty of this paper is the soft error assessment
considering, for the first time, variations of the register allocation
technique (RAT) and its joint use with more established mitigation
techniques (e.g., triple modular redundancy—TMR) when varying the
number of processor cores.
The other contributions of this work are as follows:

∗ Corresponding author.
E-mail addresses: [email protected] (J. Gava), [email protected] (V. Bandeira), [email protected] (F. Rosa), [email protected]
(R. Garibotti), [email protected] (R. Reis), [email protected] (L. Ost).

https://doi.org/10.1016/j.sysarc.2022.102710
Received 6 April 2022; Received in revised form 8 August 2022; Accepted 17 August 2022
Available online 23 August 2022
1383-7621/© 2022 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
J. Gava et al.
• completely automated soft error analyses flow, which leverages
the high simulation performance to acquire representative
error/failure-related data efficiently;
• integration of soft error mitigation techniques from literature
(e.g., TMR), enabling susceptibility analyses of real soft stacks
considering different configurations;
• extensive framework validation through more than 1739k fault
injections considering a Linux kernel, different benchmarks and a
multicore processor.
The rest of this paper is organised as follows. Section 2 presents
basic concepts of soft error reliability assessment and related works in
virtual platform FI simulators. Section 3 describes the main features
of SOFIA and introduces its new hardening module. Section 4 uses
examples to validate the SOFIA’s flow. In Section 5, the efficiency
of the adopted mitigation techniques is evaluated considering distinct
software stacks. Furthermore, the RAT is evaluated in a specific case
study analysing the registers criticality. Section 6 presents the final
remarks and future works.
2. Basic concepts and related works
This Section presents basic concepts and terminologies related to
the assessment and mitigation of soft errors. Further, a comparison
between the proposed framework and those available in the literature
is presented.
2.1. Basic concepts and adopted fault classification
This work considers the definitions from [11] for fault, error, and
failure. A fault is an event that may cause a system’s internal state to
change, e.g., a radiation particle strike. When a fault affects the system’s
internal state, it becomes an error. If the error causes a deviation of
at least one of the system’s external states, it is considered a failure.
These events are evaluated through fault injection campaigns, which
comprises a set of simulations affected by faults with well-defined
configurations.
This work uses the Cho’s et al. [12] five classes classification to
group the faults resulting from the fault injection campaigns. Appli-
cation Output Memory Mismatch (OMM), the application terminates
without any error indication; however, the resulting memory is af-
fected (equivalent to SDC). Application Output Not Affected (ONA), the
resulting memory is not modified; nevertheless, one or more remaining
bits of the architectural state is incorrect. Unexpected termination (UT),
the application terminates abnormally with an error indication. Hang,
the application does not finish, requiring a preemptive removal after a
threshold execution time. Vanished, if no fault traces are left.
2.2. Reliability metrics
The adoption of adequate reliability metrics is crucial to guide the
experiments’ analysis. This work uses two metrics: the Mean Work To
Failure (MWTF) [13] and the Architectural Vulnerability Factor (AVF).
The MWTF is defined in Eq. (1) as the workload that a system can
complete before failing.
1 techniques can range from low-level (e.g., modifying or adding as-
𝑀𝑊 𝑇 𝐹 = (1)
𝐴𝑉 𝐹 𝑂𝑀𝑀 ∗ 𝑒𝑥𝑒𝑐𝑢𝑡𝑖𝑜𝑛 𝑡𝑖𝑚𝑒
This work uses the application’s runtime gathered from the gem5
simulator [14] to calculate the MWTF and the fault injection results to
measure the AVF. In general, the most critical vulnerability is presented
by the occurrence of OMM. For example, in safety–critical applications,
such as autonomous cars, an OMM error can alter the detection of an
obstacle in front of the vehicle, which can lead to an accident. For this
reason, this work employs the OMM to measure the AVF (𝐴𝑉 𝐹 𝑂𝑀𝑀 ).
2
Journal of Systems Architecture 131 (2022) 102710
2.3. Soft error assessment capable VP frameworks
Table 1 summarises the related works in virtual platform FI simu-
lators. The work described in [5] performs fault injections on the NAS
Parallel Benchmarks; however, their instrumentation can add up to 30×
on top of the tenfold overhead added by QEMU [5]. Another QEMU-
based FI framework is presented in [10]. However, it only considers
simple benchmarks and single-core processors.
Except for Hari et al. [3] that proposed a hybrid simulation frame-
work (i.e., Simics [18] and GEMS [19] simulators), the remaining
works rely on a single VP simulator. In [4], the authors present two FI
tools: MaFIN (MARSSx86) and GeFIN (gem5) that support the injection
of faults in micro-components such as cache memory control, load-
store queue and other SRAM-based arrays. Nonetheless, the validation
of both frameworks only considers ten applications [20] running on
single-core processors. Other gem5-based FI framework is reported
in [6], which fails to consider complex software stacks and OSs in their
experiments.
While authors in [8,21] employ machine learning to reduce the time
needed for the fault injection campaigns, Rosa et al. [9] promote a
module that uses ML algorithms to correlate large subsets of application
profiles and architecture characteristics with fault injection results. The
developed ML-based module reduces user intervention and enables the
identification of relevant relationships or associations between appli-
cation profiling and specific single or multicore platform parameters.
The developed module was integrated into the first version of the
SOFIA framework, which supports an extensive range of fault injection
techniques as well as bespoke soft error classification and analysis.
The authors in [8] report a 3x slowdown to simulate the application
without FI and 35x or more depending on the metrics extracted with
FI. In turn, SOFIA presents an worst case of 4x slowdown with FI.
Although it does not use a virtual platform to operate, the well-known
LLFI fault injector [22] uses the LLVM compiler to instrument the code
with fault points, which are considered during its execution on a target
architecture.
The authors in [15–17] presented CLEAR, ReDO, and SyRA. These
frameworks focus on early cross-layer soft error reliability analysis. The
CLEAR framework uses the BEE3 FPGA emulation and RTL simulation
for the soft error assessment, while the other two use the GeFIN
fault injector (microarchitectural-level) and the LIFILL (software-level).
It is noteworthy that previous works do not present any feature to
apply soft error mitigation techniques, except for Cheng et al. [15],
which includes a resilience library with several software and hardware
mitigation techniques. However, due to its level of detail, this work
does not consider complex processors and software stacks on conducted
experiments. In turn, ReDO and SyRA do not implement any mitigation
technique, but they exploit a Bayesian model to describe the target
system and estimate the protection impact using the average reliability
improvement reported by different works.
2.4. Fault mitigation techniques
The fault mitigation problem can be tackled both in hardware and
software. Hardware-based techniques led to area overhead, thus in-
creasing the system cost. On the other hand, software-based techniques
usually incur extra execution time and memory overhead. Software
sembly code) to high-level approaches (e.g., C/C++ libraries, function
wrappers). The former may lead to less overhead, but it is architecture
and application dependent, while the latter is application dependent.
Considering the high-level software-based approach, authors in [23,
24] proposed tools that apply fault mitigation techniques in C/C++
applications. Supported transformations are architecture-independent,
but the language is fixed, and the compiler may remove redundant
code during the optimisation phases. Serrano et al. [25] uses genetic
J. Gava et al.
Table 1
Related works in fault injection frameworks developed on the basis of virtual platforms (VPs).
Works Year Virtual platforms
Hari et al. [2,3] 2014 Simics + GEMS
Kaliorakis et al. [4] 2015 MARSSx86 + gem5
Tanikella et al. [6] 2016 gem5
Guan et al. [5] 2016 QEMU
Cheng et al. [15] 2016 BEE3
Khosrowjerdi et al. [8] 2018 QEMU
Savino et al. [16] 2018 gem5
Vallero et al. [17] 2018 gem5
da Rosa et al. [9] 2019 M*DEV + gem5
Hauschild et al. [10] 2021 QEMU
This work 2021 M*DEV + gem5
a Worksthat do not support the automatic application of mitigation techniques but rather estimate their impact based on results presented by
other works.
algorithms to find a combination of optimisation parameters (i.e., com-
pilation flags) that increase the final binary’s reliability and present
a reasonable trade-off in terms of performance and memory size. Ro-
drigues et al. [26] implements two mitigation techniques in C code:
the Triple Modular Redundancy (TMR) and the Conditional Modular
Redundancy (CMR). Their results show that both techniques do not
provide reasonable protection to a complex system executing Linux
kernel. According to the authors, the OS itself is an enormous source of
errors and need to be protected if employed on safety–critical systems.
James et al. [27] extended the COAST (COmpiler Assisted Software
fault Tolerance) tool to automatically insert redundancies (DMR and
TMR) in the program’s intermediate code through an LLVM plugin.
The latest version added support for new processor platforms such as
RISC-V and Xilinx SoC-based products. Their mitigation tool is similar
to ours, but their soft error experiments only assess the impact of using
redundancy-based mitigation techniques in two simple applications.
The main downside of the approaches mentioned above is that parts
of the protected code may be wrongly removed during the compiler
optimisations. A solution is to modify the assembly code, which can
be done using an existing compiler infrastructure or by building a sepa-
rate tool to manage the code. Regarding the techniques implemented
inside compilers, the most relevant ones use either GCC [13,28] or
LLVM [7,29–31]. Some focus on error detection by duplicating in-
structions (i.e., DMR) [13] or symptom-based mechanisms [29]. In
contrast, other works focus on error recovery by instruction tripli-
cation with majority voters (i.e., TMR) [7,31] or duplication with
checkpoints [30]. Moreover, few works rely on their own tools to
manage the application code [32,33]. The authors in [32] developed a
generic intermediate code for the hardening process and a compilation
infrastructure (frontend and backend) to transform the high-level code
language to generic instructions (GI) and later to the target architecture
code. In this direction, the authors in [33] proposed the CFT-tool, a
framework that modifies assembly code by applying different data-flow
and control-flow protection techniques. Compared to our work, the
lower level language tends to have higher efficiency in the reliability
result. However, working at this level is not feasible when applied to
complex software stacks, thus limiting its usability.
Hybrid mechanisms are complementary and try to achieve better
efficiency by combining both hardware and software approaches. Kasap
et al. [34] presents a hybrid mitigation technique called triple-core
lockstep with roll-back and roll-forward recovery. This technique works
by running the same application simultaneously in three CPUs (2 Arm
and 1 MicroBlaze) and a checker module that monitors the application
execution to detect and correct inconsistencies. The monitor module
and the MicroBlaze processor have TMR applied in hardware, and
the application is partitioned in blocks and combined with redundant
code and recovery routines. Although this technique seeks the best of
both mechanisms, it still suffers from hardware limitations (e.g., area)
and demands a bespoke development for each specific device, which
reduces its usability.
Journal of Systems Architecture 131 (2022) 102710
Target architecture Features
Single-core Multicore Profiling ML Mitigation
✓
✓
✓
✓ ✓
✓ ✓
✓ ✓
✓ ✓ ✓ ✓ a
a
✓ ✓ ✓ ✓
✓ ✓ ✓ ✓
✓
✓ ✓ ✓ ✓ ✓
Reviewed works either consider simple in-house applications or do
not present any feature to apply fault mitigation technique (Section 2.3)
or propose and evaluate them on an individual basis—they are stan-
dalone solutions not attached to an automated framework (e.g., [26,
34]). In summary, SOFIA distinguishes from the previous works in four
main aspects:
1. SOFIA is a ‘‘one-stop-shop’’ to assess, identify, and protect ap-
plications with support for fast simulation, in-depth analysis,
multiple architectures, and different programming languages.
2. During the soft error identification process, users can leverage
machine learning techniques to identify the correlation between
fault injection results and multi-parameters (i.e., application and
platform characteristics), which is missing in previous works.
3. It includes an automated mitigation flow that can be used early
in the design process to reduce applications susceptibility to soft
errors by applying various system-level mitigation techniques.
4. It supports a lightweight technique (i.e., RAT), which can be
tuned according to application needs and the available hardware
resources.
3. SOFIA framework
SOFIA framework1 has many features that can work independently
or as part of a complex workflow. The framework generates an ex-
tensive and detailed soft error analysis for a given application and
protects it by applying mitigation techniques, such as TMR, P-TMR and
RAT. This Section describes the modules currently integrated into our
automated framework, as shown in Fig. 1.
3.1. Cross-compilation module
SOFIA integrates a cross-compilation module that supports both
the GCC and the Clang/LLVM2 compilers. While GCC is the default
compiler available on most GNU/ Linux distributions, LLVM has many
valuable resources to enhance our framework, as LLVM aims to make
program analysis and transformation available for arbitrary software in
a manner that is transparent to programmers [35].
3.2. Framework simulation module
The framework simulation module supports two well-known simula-
tors. The gem5 [14] simulator provides a cycle-accurate simulation and
many insightful metrics of the underlying architecture at simulation
cost. In turn, the Multicore Developer (M*DEV) virtual platform [36]
1
Available at: https://github.com/ManyCoreResearchTeam/SOFIA
2
Note that the Application Hardening Module only works with code
compiled with LLVM.
3
J. Gava et al.
Fig. 1. Automated modular framework, highlighting the new hardening module that includes three mitigation techniques: TMR, P-TMR and RAT.
sacrifices cycle accuracy in favour of speed by simulating instructions’
behaviour. For best results, the users can leverage the accuracy of
gem5 to perform application and architecture profiling, while M*DEV
is better suited for massive fault injection campaigns and soft error
assessment. Note that the same application binary and Linux kernel can
be used in both simulators.
The framework simulation module also presents two important fea-
tures to speed up fault injection simulation: checkpoint and distributed
simulation. The first technique is used to reduce the execution time of
a FI simulation. During flawless execution, several checkpoints are cre-
ated by collecting the software context of platform components. Then,
before starting a new FI simulation, this module restores the software
context by choosing the checkpoint closest to the fault injection time,
avoiding re-executing the initial faultless code.
The second technique reduces the time spent on large fault cam-
paigns by parallelising each FI simulation across jobs on computers
with multiprocessing capabilities (e.g., data centres). For example, con-
sider an FI campaign having a distributed fault injection process across
hundreds or thousands of parallel executions. First, jobs responsible for
the fault injection are submitted to the scheduler queue. According to
the system resource availability, these jobs are assigned to the com-
pute nodes independently. Note that the entire fault injection process
and the classification analysis occur locally at each node. Finally, all
generated individual reports are further merged and analysed by other
modules (i.e., Machine Learning Module and Analysis and Visualisation
Module).
3.3. Profiling module
The tracing and profiling of SOFIA enable the collection of crucial
information about the applications’ behaviour executing under the pres-
ence of faults. For instance: (i) the number of each executed instruction
by its opcode (add, bneq) or its class (e.g., arithmetic, branch); (ii) the
processor registers’ utilisation percentage that allows the evaluation of
different instructions reliability and register criticality. To execute the
target platform binary on the host machine in the M*DEV, the simulator
needs to translate the opcode from the target machine into a host
machine code. It uses a call-back to perform this translation. This call-
back is responsible for fetching an instruction, decoding it and then
calling the routines that describe its behaviour. During the call-back, a
user-defined routine changes the instruction’s behaviour, which enables
the generation of a bespoke profile.
3.4. Fault injection module (FIM)
The developed fault injection module emulates the occurrence of
single-bit-upsets (SBUs) and multiple-bit-upsets (MBUs) by injecting
flipped bit(s) in registers or memory addresses during the execution
of a given soft stack. It is also possible to define whether the MBUs
will affect sequential or random bits of the same word. In our setup,
4
Journal of Systems Architecture 131 (2022) 102710
bit-flips target only storage elements due to their higher susceptibility
to radiation events when compared with logic elements [37]. The
fault injection configuration (e.g., bit location, injection time) relies
on a random uniform function, which is a well-accepted fault injection
technique since it covers the majority of possible faults on a system
at a low computation cost. Fault injections occur during the target
application lifespan, i.e., the OS startup is not subject to faults but
includes OS system calls and parallelisation API subroutines arising
during this period. This approach allows identifying unexpected appli-
cation execution errors (e.g., segmentation fault), which correlate with
adopted OS components or API libraries.
The FIM module is also responsible for generating the reference in-
formation obtained through the golden execution and the configuration
and execution of the fault injection campaigns. In addition, this module
has support for distributed (several hosts within the same network)
and parallel (multiple processors and cores in the same host) fault
injection simulations [9]. The FIM module is available for gem5 and
M*DEV, providing high fault injection controllability, considering real
and complex software stacks including applications, operating system
and API structure/functionality. All done without any modifications on
the target software.
3.5. Machine Learning Module
Converting fault injection explorations into actual system reliabil-
ity improvements is not straightforward. SOFIA includes a ML-based
module [9] — i.e., a cross-layer investigation toolset that uses su-
pervised and unsupervised techniques and methods (e.g., linear re-
gression) to recognise patterns in sizeable data sets obtained from
large fault campaigns while guiding the target application development
towards a more dependable execution. The underlying toolset can
effectively boost the soft error assessment, allowing users to explore
trends quickly, considering complex data sets while avoiding human
bias.
SOFIA’s ML module provides engineers with automatic and appro-
priate means to investigate the soft error reliability of complex software
stacks, considering state-of-art ISAs and compilers. Conducting the soft
error analysis of such complex systems is impractical at lower levels,
time-consuming and error-prone when manually conducted, mainly
due to the complexity and size of failure-related data sets that might
be involved. Underlying process involves multiple files/spreadsheets
and manual report generation but trusting the results depends on how
attentive and accurate operators are at process. Finally, identifying
correlations may require hours of manually data analysis and plowing
through large files of simulation records to show that results are
consistent, etc. The automated ML data analysis may provide engineers
with reasonable and adequate results that can guide them to select
an existing (e.g., device hardening, redundant execution) or investi-
gate a proper fault mitigation technique to improve the entire system
reliability at early design phases.
J. Gava et al.
3.6. Analysis and visualisation module
SOFIA also integrates a module to analyse and visualise the data
either gathered from the fault injection campaigns or resulting from the
ML-based module. The framework can perform soft error analysis using
well-established (Section 2.1) or user-customised classifications. The
availability of this visualisation feature can increase the productivity of
application/reliability engineers, making raw data easy to understand
and find patterns.
3.7. Application hardening module
A processor-based system can be affected by two main types of
soft errors: control-flow and data-flow. While a control-flow error oc-
curs when an error causes a deviation from the correct program flow
(e.g., incorrect branch), a data-flow soft error refers to the occurrence
of a bit-flip in a storage element, such as a register or memory block.
The application hardening module integrates data-flow mitigation tech-
niques because most soft errors affect data-flow rather than the system’s
control-flow [38]. The underlying software-based mitigation techniques
are architecture-independent, and their development is underpinned
by a set of rules proposed in [39], which target data-flow strategies
that aim to detect faults affecting values stored in register banks and
memory elements.
The promoted hardening module relies on the LLVM compiler to
implement the mitigation techniques without modifying the original
application source code, as demonstrated by Bohman et al. [40].
First, the LLVM compiler receives the high-level language source code
(e.g., C/C++) and outputs the LLVM IR instructions, which describes
a program using an abstract RISC-like instruction set. Based on LLVM
IR, this module applies code optimisations (e.g., -O3) and implements
the chosen mitigation technique. Lastly, it transforms the IR code into
assembly code for a given target (e.g., x86, ARM, RISC-V). Note that
modifications related to the mitigation techniques are performed before
assembly code generation to ensure architecture independence.
The new hardening module incorporates three soft error mitigation
techniques, which are described as follows.
3.7.1. Full and partial triple modular redundancy
SOFIA supports two selective TMR variants based on the VAR3+
technique [41]. These techniques were chosen due to their capabil-
ity of increasing reliability while maintaining a low overhead w.r.t.
other TMR-based solutions. The first version has the original VAR3+
definition, where all instructions, except for branches and stores, are
replicated three times (rules G1, D2). In this regard, majority voters
check the replicas before every load, store, or branch instruction (rules
C3, C4, C5, C6). This approach usually incurs a reasonable performance
penalty, which might restrict its adoption under resource-constrained
devices. In the second version, the VAR3+ technique can be applied to
one or more critical functions instead of the entire application code.
This approach can considerably reduce code size and execution time
while maintaining similar reliability. In this work, these techniques are
named TMR and P-TMR, respectively.
3.7.2. Register Allocation Technique (RAT)
SOFIA also incorporates a lightweight technique called Register
Allocation Technique (RAT) [42], which restricts the number of avail-
able registers for specific functions aiming to minimise the number
of vulnerable registers. RAT can be fine-tuned to achieve the highest
level of relative trade-off in terms of performance and reliability. For
instance, the software engineer can set the registers’ pool parame-
ter, aiming to restrict the application’s register allocation considering
the minimum number of registers demanded by each application and
their availability in the target architecture. For example, the standard
instruction ADD R0, R1, R2 presented in most ISAs, needs three
registers to work. If the registers’ pool is set to {R0, R1}, the compiler
5
Journal of Systems Architecture 131 (2022) 102710
will generate an error. Moreover, even when the application compiles
correctly, restricting the pool’s size causes the allocator to spill more
registers values into memory, significantly reducing the application’s
performance.
The software engineer can also set the list of application functions
(e.g., the critical ones) that must be hardened. Functions are limited
to those available in the program’s source code; that is, functions from
external libraries do not suffer any effect as they are already in the
machine code format. After setting the parameters, the LLVM static
compiler (LLC) produces the assembly code, and finally, the binary
is generated by any compatible linker (e.g., LLD, GOLD, GNU LD).
Note that the RAT mitigation technique does not work properly on
modern out-of-order processors that use register renaming. However,
RAT can increase the soft error reliability of applications running on
resource-constrained devices that employ simple in-order microproces-
sors [43,44]. For instance, results presented in [44] show that RAT
significantly reduces the occurrence of soft errors when applied to
the MobileNet CNN model. Furthermore, the preliminary results from
neutron radiation tests also suggest that RAT can improve the soft
error resiliency of a CNN application running on an Arm Cortex-M4
processor [45].
4. SOFIA validation
This Section shows the SOFIA’s flow and presents a case study used
to validate the proposed framework.
4.1. SOFIA’s automated flow
Fig. 2 shows the automated flow supported by SOFIA, which com-
prises eleven steps distributed between the seven modules. The first
step is the (1) Software Stack Configuration, where the software
engineer configures the software stack and selects the cross-compiler
based on the target platform. Then, the (2) Cross-Compilation step
is responsible for compiling the application’s source files to the target
platform using the parameters defined in the previous step. This step
generates the unprotected binary version of the application. If the
LLVM compiler was previously selected, it also generates the LLVM
intermediate representation (LLVM IR), which describes a program
using an abstract RISC-like instruction set.
The (3) Function Profile step has two responsibilities. First, it
simulates the unprotected binary using gem5 and M*Dev, aiming to
verify its correctness execution. Second, it also runs the profiling tool
with the trace flag enabled to capture the execution time of each
application’s function, revealing the critical one. Note that some data
profiles might be used to feed the Machine Learning Module.
The (4) Hardening Configuration step is used to set whether the
application or its function must be protected or not. If positive, this step
will generate LLVM parameters to apply one or a combination of the
chosen hardening techniques. If no protection is chosen, the flow goes
to the fault injection steps. If the TMR mitigation technique is selected,
the flow goes to the LLVM compilation step. Otherwise, the function
to be protected must be chosen, and the flow goes to step (5). Note
that step (6) will only be covered if the RAT mitigation technique is
the user’s option.
The (5) Critical Function Selection is the next step for P-TMR
or RAT hardening protection. Here the software engineer can either
manually determine the most critical application function (s) or use the
default option, which selects the most executed one (i.e., the function
with the higher probability of being struck by a fault). For RAT, the (6)
Register Profile step is performed, and the register’s usage is obtained.
The (7) LLVM Compilation is a mandatory step for any of SOFIA’s
hardening protection. First, the LLVM optimiser transforms the LLVM
IR code, generated in step (2), and applies a hardening technique to
the target application. For example, in the case of RAT, the compila-
tion is performed considering the critical function and a register pool
J. Gava et al.
Fig. 2. Proposed automated flow for early soft error assessment, identification and mitigation.
(i.e., least used registers). Then, the LLVM static compiler transforms
the IR code into an assembly code for the target architecture. The code
optimisation is disabled in this step to carry inserted instructions to the
final assembly code. Finally, the LLD linker is used to link the assembly
code and generate the hardened binary code. However, if the software
engineer decides on combined protection, the flow returns to step (5)
once before generating the hardened binary code.
After generating the binaries, the software engineer configures the
fault injection parameters in the (8) Fault Injection Configuration
step, such as the number of fault injection campaigns. Then, the (9)
Fault Injection Framework executes the binary and emulates the
occurrence of bit-flips into the registers. All fault injection reports are
saved for later analysis. Furthermore, steps (8) and (9) are iterated by
the number of binaries generated.
Data from profile and FI reports feed into the Machine Learning
Module in the (10) ML Applied Techniques step. This step uses
machine learning techniques to perform multi-variable and statistical
analysis using the provided data to find correlations that can help
choose the correct hardening technique. In addition, this step also
generates graphics to further assist software engineers in the results’
analysis.
Finally, the (11) Fault Injection Analysis step provides a soft error
reliability assessment of the generated binaries. It includes the Analysis
and Visualisation Module that helps software engineers to examine the
data obtained from the fault injection campaign by facilitating the raw
data understanding and the recognition of patterns.
6
Journal of Systems Architecture 131 (2022) 102710
4.2. Case study
This Section uses the OpenMP version of the Integer Sort (IS)
application from NAS Parallel Benchmarks (NPB) [46] to validate the
efficiency of SOFIA’s flow. For the first two steps, CMake configuration
scripts are used to set compiler-related ISA flags. After this initial setup,
the application is compiled using the template CMake script with op-
tional specific compilation flags (e.g., -O2, -mcpu, -mfloat-abi), which
are passed through the command line in step (1). After generating the
unprotected binary for the target platform, the application is simulated
without faults, and the profiling in step (3) is performed using gem5
and M*Dev simulators. Data from these initial simulations are then used
by both Application Hardening and ML modules.
Fig. 3 shows the application’s unhardened function profile when
running on a quad-core Arm Cortex-A72 processor. The most per-
formed function is .omp_outlined.6, created by the OpenMP li-
brary. There are dozens of functions in the ‘‘others’’ category, of which
more than 90% belong to Linux routines. In addition, the thread man-
agement routines (e.g., kmp_fork_barrier, kmp_join_barrier,
kmp_hyper_barrier) represent the majority of the total execution
time. These thread synchronisation functions are more sensitive to
register bit-flips.
For an initial soft error assessment, three fault injection campaigns
were performed varying only the number of processor cores (i.e., 1, 2,
and 4). Each FI campaign injects 3.1𝑘 random bit-flips in the general-
purpose registers of the Cortex-A72 processor, i.e., 99% confidence
level and a 2.3% error margin according to [47]. Table 2 shows the
J. Gava et al. Journal of Systems Architecture 131 (2022) 102710

Fig. 3. Sub-figures (a–d) show the function profile for each core on a quad-core processor for the unhardened program version. Function A: .omp_outlined.6, B: randlc, C:
kmp_hyper_barrier, D: kmp_fork_barrier, E: kmp_join_barrier, F: kmp_barrier, G: others.

Table 2
NAS parallel fault injection campaign results.
Core variant Van. ONA OMM UT Hang MWTF
Single 91.45 0.03 1.32 7.10 0.10 88.45
Dual 79.16 0 9.35 11.35 0.13 4.56
Quad 74.68 0.29 13.42 11.35 0.26 1.99

Soft error values are in %.

overall results of the FI campaigns. The more cores, the higher the op-
erating system thread management routines, which leads to an increase
in OMMs and a decrease in the occurrence of Vanishes. Consequently,
the MWTF is also severely affected with a 19.40× reduction from single
to dual-core and a further 2.29× reduction from dual to quad-core.
The ML module was used to speed up the analysis of the applica-
tion’s behaviour considering different configurations and parameters.
Fig. 4 shows four ML correlations generated from the case study FI
reports. Each circle indicates a FI campaign that considers different
parameters such as the number of CPU cores, compiler optimisation
level, among others. Fig. 4(a) shows that the increase in branch in-
structions is directly related to the higher incidence of Hangs. Fig. 4(b)
illustrates that the increase in the number of writes in the integer
register is related to the decrease in UTs. In Fig. 4(c), it is possible
to see that the rise in the number of accesses to ALU is associated
with the reduction of ONA. Lastly, Fig. 4(d) shows a direct relationship
between the number of readings from control registers and the increase
in OMMs. Note that proposed ML-based soft error correlation module
has the ability to compare hundreds or even thousands of variable
combinations automatically, providing the user with a list of possible Fig. 4. Sub-figures (a–d) show ML analysis examples generated using FI reports. The
solutions using multiple correlation indexes. Nevertheless, the correla- circles are FI campaigns, and the lines are distinct ML regression techniques: red, poly;
tion does not prove causality by itself. Therefore, the software engineer green, linear; and, blue, rbf regression. (For interpretation of the references to colour
in this figure legend, the reader is referred to the web version of this article.)
can rely on the resulting correlations to understand where application
vulnerabilities lie and take more appropriate decisions to mitigate the
occurrence of soft errors.
After the ML-based soft error analysis, the flow is used to protect the With the data collected from the unprotected binary and the two hard-
application by applying the TMR and the P-TMR mitigation techniques. ened versions (TMR and P-TMR) — in step (9) –, software engineers can

7
J. Gava et al.
Fig. 5. Comparison between mitigation techniques, values are normalised by
unhardened version.
use the Analysis and Visualisation Module to compare the reliability
and performance trade-offs, aiming to define which protection strategy
suits best to the target application.
Fig. 5 shows the system reliability and the overhead for runtime
and code size, with all values normalised by the unhardened version.
The program code size presents an increase of 44% when applying TMR
compared to a 16% increase with P-TMR, which is an exciting finding
for memory-constrained projects. On the other hand, considering the
reliability metrics, Fig. 5 shows that the MWTF for TMR and P-TMR
is reduced by 79% and 66%, respectively. The reduction shows that
both mitigation techniques present inefficient protection for single-core
due to the high natural fault-masking rate (+90%). In addition, the two
mitigation techniques are also inadequate to protect external functions
and OS routines that use the most susceptible registers. However, the
more cores, the less is the application susceptibility to the occurrence
of soft errors. This improvement is due to a significant increase in
the execution of OpenMP functions, making the protection worthwhile
in this case. For example, the MWTF gain is ∼16% for the dual-core
protected with P-TMR and ∼13% for the quad-core protected with TMR.
Like most of applications, this case study uses a small fraction of
the 31 general-purpose registers available in the ARMv8 ISA, while the
operating system handles them more evenly. Thus, even if a register
fault occurs during the execution of an application function, the effect
of this fault can impact on other functions of the OS (e.g., threads man-
agement), which are more likely to use long-lived registers. Note that in
addition to this case study, initial versions of SOFIA flow have already
been validated with RISC-V [48] and different Arm processors [43,44].
Furthermore, the SOFIA’s flow validation also considers the joint use
of mitigation techniques. In this regard, it investigates the application
protection with the RAT alone and in conjunction with both TMR and
P-TMR solutions.
Fig. 6 shows that the hardened RAT version increases the MWTF
by 2%, 16%, and 8% for single-core, dual-core, and quad-core, respec-
tively. Note that a minimal addition of runtime and code size overhead
(∼1%) exists and that all scenarios are normalised by the unprotected
version (Ref). In turn, the joint use of RAT with the TMR technique
leads to a higher MWTF gain, i.e., an increase around 2.54× and 2.75×
for dual-core and quad-core, respectively. The higher MWTF is due to
the more significant number of registers used by the program since
all its functions have redundant code. In this regard, it is possible to
distribute the use of registers more evenly. However, no significant
effect on P-TMR (+RAT) has been identified in these experiments,
meaning that choosing the least used registers strategy does not work
in all cases.
8
Journal of Systems Architecture 131 (2022) 102710
Fig. 6. Results applying RAT for unhardened, TMR, and P-TMR versions. All data points
are normalised with the unhardened version without RAT.
4.3. Benefits of SOFIA’s design space exploration
While simulation-based soft error analysis is expected to produce
accurate results at RTL or gate levels, they are restricted to rela-
tively small systems and experimental fault campaigns due to their
low simulation performance and availability of platform components.
Therefore, the SOFIA framework enables the soft error analysis of
complex systems comprising not only real software stacks but also in-
struction set architectures (ISAs) and state-of-the-art processor models,
which are rarely available to users. The soft error analysis consis-
tency of SOFIA’s M*DEV module has been investigated against RTL-
based simulations considering Arm Cortex-M0 and M3 processors [49].
Results show that the SOFIA M*DEV module presents a worst-case
mismatch of 7.5% when faults are injected into general-purpose regis-
ters. The mismatch between fault injection approaches remains similar
even when different ISAs, software stacks, and cross-compilers are
employed. SOFIA’s M*DEV module has some limitations due to the lack
of micro-components, but the framework also integrates a gem5-based
module that enables more detailed FI explorations, considering other
components such as processor pipeline, cache, among others.
SOFIA offers an unmatched performance (e.g., 10 to 100 thousand
times faster than an RTL or gate-level simulator) and design flexi-
bility, allowing the evaluation of realistic self-driven software stack
(i.e., billion of executed instructions for each simulation [9]) previously
impossible when using cycle-accurate or RTL simulation engines. Con-
cerning the simulation time, the fault injection process does not change
the target application source; instead, the fault injector interrupts the
simulator (i.e., gem5 or M*DEV) a single time to change a single bit in
the application execution, having an unnoticeable impact on the overall
simulation time compared to the unmodified application execution.
Finally, we believe that SOFIA provides a beneficial approach that
provides engineers with automatic and appropriate means to investi-
gate the soft error reliability of complex software stacks. Conducting
the soft error analysis of such complex systems is time-consuming and
error-prone when manually performed, mainly due to the complexity
and size of failure-related data sets that might be involved. The under-
lying process involves multiple files/spreadsheets and manual report
generation but trusting the results depends on how attentive and accu-
rate operators are in the process. Thus, identifying the most unreliable
software configurations and their correlations with the target platform
may require hours of manual data analysis and plowing through large
files of simulation records to show consistent results. In this regard,
SOFIA enables software engineers to obtain initial results to eliminate
not suitable solutions at early design phases, thus reducing the number
of future investigations that might be conducted at a lower level.
J. Gava et al. Journal of Systems Architecture 131 (2022) 102710

Table 3 Table 4
Experimental setup. Reference WCET benchmark suite.
Framework setup # Application Description
Processor Arm Cortex A72 1 adpcm Adaptive pulse code modulation algorithm.
Compiler Clang/LLVM 6.0 2 binary_search Binary search for an array of integer elements.
Fault model Random Single Bit-Flip 3 bit_manipulation Complex embedded code.
Fault injection per scenario 3100 4 blowfish Encryption algorithm.
WCET benchmark
5 bubble Bubblesort program.
6 compress Data compression program.
Core variants Single-Core 7 counts Counts non-negative numbers in a matrix.
OS None 8 crc Cyclic redundancy check computation.
Mitigation techniques TMR, P-TMR 9 edn Finite Impulse Response (FIR) filter calculations.
Number of applications 25 10 expint Series expansion for computing an integral function.
Rodinia benchmark 11 factorial Calculates the factorial function.
12 fdct Fast Discrete Cosine Transform.
Core variants Single, Dual and Quad-Core
13 fibonacci Simple iterative Fibonacci calculation.
OS Linux (kernel 4.3)
14 hanoi Tower of Hanoi puzzle game.
Mitigation techniques RAT, TMR (+RAT), P-TMR (+RAT)
15 harm Harmonic calculations with recursive calls.
Number of applications 13
16 insert_sort Insertion sort on a reversed array.
17 jfdct_int Discrete-cosine transformation.
18 matrix_mult Matrix Multiplication 20 × 20.
19 mdc Calculates the greatest common divisor.
5. Soft error assessment considering different mitigation tech- 20 peakspeed Memory bounded program.
niques 21 petri_net Simulate an extended Petri Net.
22 prime Calculates whether numbers are prime.
This Section evaluates the effectiveness of the mitigation techniques 23 switch_cases Control bounded program.
24 ud Linear Equations by LU Decomposition.
for two distinct sets of benchmarks: WCET and Rodinia. The WCET
25 usqrt Sqrt calculation without multiplications or divisions.
benchmark suite considers bare metal applications running on a single-
core processor. These applications are simple but comprise the basis
for more complex ones—for example, matrix multiplication and linear Table 5
equation solver are the core of many machine learning routines. On the WCET benchmark results for runtime, code-size, and MWTF, normalised with the
reference application.
other hand, the Rodinia benchmark suite leverages external libraries to
manage multicore processing in parallel, thus adding a new layer of # Runtime CodeSize MWTF
P-TMR TMR P-TMR TMR P-TMR TMR
complexity on top of the Linux kernel.
Table 3 shows the experimental setup, which includes 3.1k fault 1 2.33 2.93 1.02 1.21 5.08 3.63
injections per campaign, resulting in a 99% confidence level and a 2.3% 2 2.67 2.78 1.10 1.12 4.66 6.90
error margin, according to Leveugle et al. [47]. This work assumes 3 2.28 2.33 1.12 1.21 0.56 0.74
that an error-correcting code protects the main memory; thus, the fault 4 2.02 2.70 1.03 1.16 1.47 1.95
injection targets only the X0-X30 general-purpose registers. 5 2.31 2.31 1.09 1.12 12.97 14.43
6 2.50 2.88 1.03 1.30 0.33 0.33
7 1.83 2.50 1.08 1.13 5.04 1.97
5.1. Bare metal applications 8 3.00 3.85 1.09 1.24 0.60 1.02
9 1.67 2.67 1.02 1.40 2.50 2.36
The applications selected for this Section comes from the real-time 10 3.41 3.41 1.29 1.32 7.15 8.55
benchmark suite WCET [50]. Table 4 shows a brief description of 11 2.55 2.65 1.03 1.09 0.18 0.18
each benchmark application. They are concise applications with dis- 12 2.75 2.75 1.45 1.46 0.60 0.67
tinct behaviours (e.g., loop, recursion, arrays) and no external library 13 3.69 3.69 1.08 1.08 5.82 5.82
14 1.62 1.62 1.01 1.07 0.31 0.21
dependencies (e.g., string.h, math.h). Due to the lack of operating
15 2.22 2.28 1.03 1.10 2.38 1.78
system and external calls, SOFIA can trace almost 100% of the executed 16 2.64 2.64 1.09 1.09 5.29 5.12
code, ensuring a fine-grain control over the fault injection and the 17 3.00 3.00 1.43 1.47 0.57 0.66
application of the mitigation techniques. 18 2.24 2.35 1.06 1.11 2.76 3.10
Table 5 shows the soft error results for the (P-TMR and TMR) 19 2.00 2.20 1.03 1.12 3.26 2.64
techniques when normalised by the unhardened binary. Although the 20 4.00 4.00 1.19 1.19 1.95 2.11
21 3.42 3.42 1.99 1.99 26.66 29.13
TMR generally offers a better MWTF, the difference to the P-TMR 22 2.28 2.94 1.09 1.17 19.26 33.71
results is minimal in most cases, demonstrating the benefit of lighter 23 1.08 1.13 1.27 1.46 1.33 0.89
TMR solutions. 24 2.16 2.68 1.28 1.37 2.48 2.00
The average normalised runtime, code size, and MWTF are about 25 3.15 3.31 1.09 1.13 5.79 16.43
2.76×, 1.24×, and 5.97×, respectively for TMR; and 2.51×, 1.16×, and Avg 2.51 2.76 1.16 1.24 4.76 5.97
4.76×, for P-TMR. However, on a few applications (highlighted in
blue), protecting only the critical function (P-TMR) has an even better
reliability/performance trade-off than TMR. Also, applications 6 and
11 highlighted in grey and 14 in blue had worse results in terms of 5.2. Parallel applications on Linux
MWTF for both mitigation techniques. These results indicate that the
additional code inherent to TMR protection can lead to new points Rodinia [51] targets heterogeneous computing systems with sup-
of failure. The TMR majority voters implementation for the ARMv8- port to multicore architectures, thus adding complexity w.r.t. WCET
A ISA uses four additional instructions, making the application more
applications. This Section considers applications that use the OpenMP
vulnerable if there are a significant number of voters in the code.
parallelisation library and are executed on top of a Linux kernel.
For instance, the TMR protection of application 11 (worst MWTF)
includes more than 30% of dynamic instructions that are used for Table 6 shows each application’s domain.
checking. One way to solve this problem would be to use a protected Figs. 7 and 8 show the normalised runtime and the MWTF for
majority voter implementation. This would significantly increase the the two mitigation techniques considering single-core, dual-core, and
performance penalty, but the reliability improvement can be worth it quad-core processors. A slight difference can be seen when comparing
in some specific cases. the average runtime (1.11× vs 1.04×), and the MWTF (1.08× vs 1.07×)

9
J. Gava et al. Journal of Systems Architecture 131 (2022) 102710

Table 6
Rodinia applications domain.
# Application Domain
A Backprop Pattern Recognition
B BFS Graph Algorithms
C HeartWall Medical Imaging
D HotSpot Physics Simulation
E HotSpot3D Physics Simulation
F Kmeans Data Mining
G LUD Linear Algebra
H Myocyte Biological Simulation
I NN Data Mining
J ParticleFilter Medical Imaging
K PathFinder Grid Traversal
L SradV1 Image Processing
M SradV2 Image Processing
Fig. 8. P-TMR reliability comparison with the reference.

Table 7
Comparison between Rodinia’s applications code size increase for each mitigation
technique.
A B C D E F G
TMR 1.36 1.35 1.85 1.36 1.43 1.36 1.41
P-TMR 1.03 1.11 1.47 1.21 1.05 1.01 1.07
H I J K L M
TMR 1.35 1.36 1.54 1.35 1.59 1.33
P-TMR 1.21 1.10 1.00 1.14 1.05 1.09

scope, which restricts software stack hardening. Possible solutions to

Fig. 7. TMR reliability comparison with the reference.
results between the TMR and the P-TMR techniques. Note that there
are discrepancies in some isolated cases. For instance, the application
F running on a quad-core processor presented a MWTF of 1.82× for
the TMR and 0.90× for the P-TMR protection. This behaviour shows
that partial protection may be insufficient in some cases. In turn, when
executing the application K in a single-core processor, a MWTF of 1.36×
and 1.67× for TMR and P-TMR were obtained, respectively. The above
discrepancies demonstrate the importance of providing software engi-
neers with appropriate means that support identifying the occurrence
of soft errors in complex software stacks and enhancing the system
reliability by applying a soft error mitigation technique that meets the
requirements of each application.
Note that in some cases (D, H), the protected program’s execution
time is less than the reference version. This occurs because most of the
execution of the applications (D, H) is to handle I/O communication
from external libraries. In this regard, the TMR protection is applied
to an application’s portion that runs less than 1% of the total appli-
cation execution time, making the protection ineffective. A possible
solution would be the implementation of the mitigation technique in
the compiler linking phase. However, this restricts the technique to
single processors.
Table 7 shows the impact of TMR and P-TMR on the object code size
for the Rodinia benchmark. For instance, application K has the highest
reliability gain overall. The resulting code size increases 14.15% when
applying the P-TMR technique, while TMR presents a code size increase
of 35.23% with a similar reliability gain in a single-core processor.
Similar behaviour occurs for all other applications, whereas the P-
TMR technique presents a better trade-off between reliability and code
size.
When comparing the WCET and Rodinia reliability results, a mas-
sive reduction can be seen in the average normalised MWTF gain from
5.97× (WCET) to 1.08× (Rodinia). This occurs due to a large number
of external function calls (e.g., math/physics libraries). The applied
mitigation techniques cover only the functions inside the application’s
this problem are: (i) replicating the application’s function calls. How-
ever, aside from the considerable performance overhead, this approach
might lead to possible collateral damages (e.g., modifying the same
data structure multiple times); (ii) compiling the library using the LLVM
extension integrated into SOFIA.
In addition, faults injected during OS routines can significantly
impact the system reliability. Some Rodinia applications have a thread
management overhead surpassing 50% of the total execution time in
specific cores. Taking application L as an example: more than 99% of
the execution time is used for application IO functions for single-core.
When running on quad-core, we have the main core with 95% of the
execution time for application functions; the other three cores stay idle
or run some thread barrier function for more than 95% of the time.
This means that when a fault is injected into one of the cores that is
not the main one, we have an almost 100% chance of affecting an OS
routine. Thus, software protection is ineffective in these cases because
it does not reach OS-specific functions and the external libraries that
use IO operations.
5.3. RAT custom parameters reliability evaluation
A series of tests are conducted to investigate the impact of RAT’s
customisation parameters on the soft error reliability. In this regard,
Table 8 defines six sets of registers. The first two (S1 and S2) are
limited to the lower and upper half of the Arm Cortex-A72 processor’s
register file. Next, the registers are divided into four parts (i.e., S3-S6),
aiming to explore how applications behave when the compiler forces
a configuration rather than using the default calling convention. The
question is: how do these parameters impact the application’s soft error
reliability?
Fig. 9 shows the average normalised MWTF results for each mitiga-
tion technique grouped by CPU core configuration. Each bar shows the
average of the 13 applications of the Rodinia benchmark. The RAT-
s2 mitigation technique is the one that stands out in Fig. 9, showing
superior soft error reliability w.r.t. the other techniques. This behaviour
corroborates along with our previous work [42], which indicates that
the top registers (x15-x29) are, in general, more susceptible to the
occurrence of soft errors. It is also possible to notice that the RAT-s3

10
J. Gava et al.
Table 8
Defined register pools for RAT.
Name Register pool
RAT-s1 X0-X14
RAT-s2 X15-X29
RAT-s3 X0-X6
RAT-s4 X7-X13
RAT-s5 X14-X20
RAT-s6 X21-X27
Fig. 9. Average normalised MWTF results per CPU core configuration for the Rodinia
benchmark.
generates results significantly inferior to the other techniques. In other
words, allocating the X0-X6 registers to the most performed function
is more likely to decrease the protection efficiency. One possible justi-
fication for this is because the underlying registers are highly used to
handle input and output functions’ data. Most hardened applications
with TMR present an overall lower resilience to soft errors due to their
high use of external libraries, which are not protected.
Figs. 10(a) and 10(b) show a more detailed and individual analysis
of the two most resilient applications: Kmeans and Pathfinder. While the
Kmeans application shows similar reliability results when running in
single and quad-core processors, there are notable differences when it
is executed in a dual-core processor. This behaviour comes from the OS
thread management and the unbalanced workload distribution among
the processor cores.
Another point to be investigated is that the MWTF values for the
TMR and TMR+RAT techniques differ significantly from the general
average of the applications. For single-core, an improvement can be
observed in the normalised MWTF of 1.87× and 1.44× for TMR+RAT
and RAT-s2, respectively—and of 1.86× and 1.79× for quad-core con-
figuration. However, the results are quite different from the Pathfinder
application. For this case, the number of cores does not significantly
affect the system’s reliability. Note that the P-TMR is more effective
than the other techniques, showing an increase of 1.67×, 1.73×, 1.57×
in the normalised MWTF to single-core, dual-core, and quad-core, re-
spectively. Another curiosity in this example is that it was not possible
to compile the application using the RAT-s3 configuration. This prob-
lem may have occurred due to ISA restrictions, since some particular
instructions can only use an specific set of registers. Therefore, as
mentioned before, each application should be tested and evaluated
individually, taking into account the different mitigation options as
well as the target system requirements and constraints.
Regarding execution time and code size overhead, there is an in-
crease in memory access instructions (load/store) when changing the
register allocation according to the defined restriction level. However,
the RAT is applied in one function of the target application, and
as the applications are significantly large, the proportional impact is
negligible (< 0.1%) compared to the reference version. In contrast,
11
Journal of Systems Architecture 131 (2022) 102710
Fig. 10. Sub-figures a and b show the MWTF normalised with the unhardened
version for 11 mitigation techniques for two specific Rodinia applications (Kmeans
and Pathfinder) grouped by the number of cores.
P-TMR and especially TMR greatly impact execution time and code
size through instruction redundancy, which can easily exceed 30%
overhead (Section 5.2).
6. Conclusions
To boost the design space exploration and reduce the development
effort, this work promotes an automated framework, called SOFIA,
which supports early soft error assessment, identification and suscep-
tibility reduction evaluation by applying different soft error mitigation
techniques. Proposed framework has been validated with 1.74 million
fault injections, covering the equivalent of up to 9.66k hours of sim-
ulation, which has been reduced to 301 h due to the parallelisation
capabilities provided by the SOFIA framework. SOFIA integrates well-
established replication-like mitigation techniques such as TMR and
partial-TMR. Results show that code replication techniques may not
always give the best result in terms of soft error reliability and perfor-
mance trade-off. In this regard, SOFIA also supports a novel lightweight
mitigation technique, called RAT, which explores different ways to
allocate the critical application function to a pool of registers. Results
demonstrate that RAT increases the soft error reliability at a lower
performance and memory usability costs.
For future works, we plan to improve SOFIA with an automatic
soft error mitigation technique selection that would consider specific
application/platform characteristics and vulnerabilities extracted from
the fault injection campaigns and correlation reports.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
Acknowledgements
The authors would like to thank Duncan Graham, Larry Lapides,
Simon Davidmann, and the Imperas Software Ltd. for their technical
support and access to their models and simulator.
J. Gava et al. Journal of Systems Architecture 131 (2022) 102710

References [27] B. James, H. Quinn, M. Wirthlin, J. Goeders, Applying compiler-automated

software fault tolerance to multiple processor platforms, IEEE Trans. Nucl. Sci.
[1] ISO, Road vehicles – functional safety, 2011. 67 (1) (2019) 321–327.
[2] S.K.S. Hari, S.V. Adve, H. Naeimi, P. Ramachandran, Relyzer: Exploiting [28] G.A. Reis, J. Chang, D.I. August, Automatic instruction-level software-only
application-level fault equivalence to analyze application resiliency to transient recovery, IEEE Micro 27 (1) (2007) 36–47.
faults, ACM SIGPLAN Notices 47 (4) (2012) 123–134. [29] S. Feng, S. Gupta, A. Ansari, S. Mahlke, Shoestring: Probabilistic soft error
[3] S.K.S. Hari, R. Venkatagiri, S.V. Adve, H. Naeimi, GangES: Gang error simulation reliability on the cheap, ACM SIGARCH Comput. Archit. News 38 (1) (2010)
for hardware resiliency evaluation, ACM SIGARCH Comput. Archit. News 42 (3) 385–396.
(2014) 61–72. [30] S. Feng, S. Gupta, A. Ansari, S.A. Mahlke, D.I. August, Encore: Low-cost,
[4] M. Kaliorakis, S. Tselonis, A. Chatzidimitriou, N. Foutris, D. Gizopoulos, Differ- fine-grained transient fault recovery, in: IEEE Micro, 2011, pp. 398–409.
ential fault injection on microarchitectural simulators, in: IEEE IISWC, 2015, pp. [31] M. Didehban, S.R.D. Lokam, A. Shrivastava, Incheck: An in-application recovery
172–182. scheme for soft errors, in: IEEE DAC, 2017, pp. 1–6.
[5] Q. Guan, N. BeBardeleben, P. Wu, S. Eidenbenz, S. Blanchard, L. Monroe, E. [32] A. Martinez-Alvarez, S. Cuenca-Asensi, F. Restrepo-Calle, F.R. Palomo Pinto,
Baseman, L. Tan, Design, use and evaluation of P-FSEFI: A parallel soft error H. Guzman-Miranda, M.A. Aguirre, Compiler-directed soft error mitigation for
fault injection framework for emulating soft errors in parallel applications, in: embedded systems, IEEE Trans. Dependable Secure Comput. 9 (2) (2012)
SIMUTOOLS, 2016, pp. 9–17. 159–172.
[6] K. Tanikella, Y. Koy, R. Jeyapaul, K. Lee, A. Shrivastava, gemV: A validated [33] E. Chielle, R.S. Barth, A.C. Lapolli, F.L. Kastensmidt, Configurable tool to protect
toolset for the early exploration of system reliability, in: IEEE ASAP, 2016, pp. processors against SEE by software-based detection techniques, in: IEEE LATW,
159–163. 2012, pp. 1–6.
[7] M. Didehban, A. Shrivastava, nZDC: A compiler technique for near zero silent [34] S. Kasap, E.W. Wächter, X. Zhai, S. Ehsan, K.D. McDonald-Maier, Novel
data corruption, in: IEEE DAC, 2016, pp. 1–6. lockstep-based fault mitigation approach for SoCs with roll-back and roll-forward
recovery, Microelectron Reliab 124 (2021) 114297.
[8] H. Khosrowjerdi, K. Meinke, A. Rasmusson, Virtualized-fault injection testing: A
[35] C. Lattner, V. Adve, LLVM: A compilation framework for lifelong program
machine learning approach, in: IEEE ICST, 2018, pp. 297–308.
analysis & transformation, in: CGO, 2004, pp. 75–86.
[9] F.R. da Rosa, R. Garibotti, L. Ost, R. Reis, Using machine learning techniques
[36] Imperas, Open virtual platforms (OVP), 2021, URL http://www.ovpworld.org.
to evaluate multicore soft error reliability, IEEE Trans. Circuits Syst. I 66 (6)
[37] N. Seifert, B. Gill, S. Jahinuzzaman, J. Basile, V. Ambrose, Q. Shi, R. Allmon, A.
(2019) 2151–2164.
Bramnik, Soft error susceptibilities of 22 nm tri-gate devices, IEEE Trans. Nucl.
[10] F. Hauschild, K. Garb, L. Auer, B. Selmke, J. Obermaier, ARCHIE: A QEMU-based
Sci. 59 (6) (2012) 2666–2673.
framework for architecture-independent evaluation of faults, in: IEEE FDTC,
[38] A. Rhisheekesan, R. Jeyapaul, A. Shrivastava, Control flow checking or not? (for
2021, pp. 20–30.
soft errors), ACM Trans. Embedded Comput. Syst. 18 (1) (2019) 1–25.
[11] A. Avižienis, J.-C. Laprie, B. Randell, Dependability and its threats: A taxonomy,
[39] E. Chielle, F. Rosa, G.S. Rodrigues, L.A. Tambara, J. Tonfat, E. Macchione,
in: Building the Information Society, 2004, pp. 91–120.
F. Aguirre, N. Added, N. Medina, V. Aguiar, M.A.G. Silveira, L. Ost, R. Reis,
[12] H. Cho, S. Mirkhani, C.-Y. Cher, J.A. Abraham, S. Mitra, Quantitative evaluation
S. Cuenca-Asensi, F.L. Kastensmidt, Reliability on ARM processors against soft
of soft error injection techniques for robust system design, in: IEEE DAC, 2013,
errors through sihft techniques, IEEE Trans. Nucl. Sci. 63 (4) (2016) 2208–2216.
pp. 1–10.
[40] M. Bohman, B. James, M.J. Wirthlin, H. Quinn, J. Goeders, Microcontroller
[13] G.A. Reis, J. Chang, N. Vachharajani, R. Rangan, D.I. August, S.S. Mukherjee,
compiler-assisted software fault tolerance, IEEE Trans. Nucl. Sci. 66 (1) (2019)
Software-controlled fault tolerance, ACM Trans. Archit Code Optim 2 (4) (2005)
223–232.
366–396.
[41] J.R. Azambuja, A. Lapolli, M. Altieri, F.L. Kastensmidt, Evaluating the efficiency
[14] N. Binkert, B. Beckmann, G. Black, S.K. Reinhardt, A. Saidi, A. Basu, J. Hestness,
of data-flow software-based techniques to detect SEEs in microprocessors, in:
D.R. Hower, T. Krishna, S. Sardashti, R. Sen, K. Sewell, M. Shoaib, N. Vaish, M.D.
IEEE LATW, 2011, pp. 1–6.
Hill, D.A. Wood, The gem5 simulator, ACM SIGARCH Comput. Archit. News 39
[42] J. Gava, R. Reis, L. Ost, RAT: A lightweight architecture independent system-level
(2) (2011) 1–7.
soft error mitigation technique, in: IEEE VLSI-SoC, 2020, pp. 235–253.
[15] E. Cheng, S. Mirkhani, L.G. Szafaryn, C.-Y. Cher, H. Cho, K. Skadron, M.R.
[43] G. Abich, J. Gava, R. Garibotti, R. Reis, L. Ost, Applying lightweight soft error
Stan, K. Lilja, J.A. Abraham, P. Bose, et al., Clear: Cross-layer exploration for
mitigation techniques to embedded mixed precision deep neural networks, IEEE
architecting resilience: Combining hardware and software techniques to tolerate
Trans. Circuits Syst. I 68 (11) (2021) 4772–4782.
soft errors in processor cores, in: IEEE DAC, 2016, pp. 1–6.
[44] G. Abich, R. Garibotti, R. Reis, L. Ost, The impact of soft errors in memory units
[16] A. Savino, A. Vallero, S. Di Carlo, Redo: Cross-layer multi-objective design-
of edge devices executing convolutional neural networks, IEEE Trans. Circuits
exploration framework for efficient soft error resilient systems, IEEE Trans.
Syst. II 69 (3) (2022) 679–683.
Comput. 67 (10) (2018) 1462–1477.
[45] J. Gava, G. Abich, R. Garibotti, S. Cuenca-Asensi, R.P. Bastos, R. Reis, A
[17] A. Vallero, A. Savino, A. Chatzidimitriou, M. Kaliorakis, M. Kooli, M. Riera, M.
lightweight mitigation technique for resource-constrained devices under neutron
Anglada, G. Di Natale, A. Bosio, R. Canal, A. Gonzalez, D. Gizopoulos, R. Mariani,
radiation, in: RADECS, 2022, pp. 1–4.
S. Di Carlo, SyRA: Early system reliability analysis for cross-layer soft errors
[46] NASA, NAS parallel benchmarks, 2021, URL https://www.nas.nasa.gov/
resilience in memory arrays of microprocessor systems, IEEE Trans. Comput. 68
publications/npb.html.
(5) (2018) 765–783.
[47] R. Leveugle, A. Calvez, P. Maistri, P. Vanhauwaert, Statistical fault injection:
[18] P.S. Magnusson, M. Christensson, J. Eskilson, D. Forsgren, G. Hallberg, J.
Quantified error and confidence, in: IEEE DATE, 2009, pp. 502–506.
Hogberg, F. Larsson, A. Moestedt, B. Werner, Simics: A full system simulation
[48] N. Lodéa, W. Nunes, V. Zanini, M. Sartori, L. Ost, N. Calazans, R. Garibotti, C.
platform, Computer 35 (2) (2002) 50–58.
Marcon, Early soft error reliability analysis on RISC-V, IEEE Latin Am. Trans.
[19] M.M. Martin, D.J. Sorin, B.M. Beckmann, M.R. Marty, M. Xu, A.R. Alameldeen,
100 (2022) 1–7.
K.E. Moore, M.D. Hill, D.A. Wood, Multifacet’s general execution-driven multi-
[49] G. Abich, R. Garibotti, V. Bandeira, F. da Rosa, J. Gava, F. Bortolon, G. Medeiros,
processor simulator (GEMS) toolset, ACM SIGARCH Comput. Archit. News 33
F.G. Moraes, R. Reis, L. Ost, Evaluation of the soft error assessment consistency of
(4) (2005) 92–99.
a JIT-based virtual platform simulator, IET Comput. Digital Tech. 15 (2) (2021)
[20] M.R. Guthaus, J.S. Ringenberg, D. Ernst, T.M. Austin, T. Mudge, R.B. Brown,
125–142.
MiBench: A free, commercially representative embedded benchmark suite, in:
[50] J. Gustafsson, A. Betts, A. Ermedahl, B. Lisper, The mälardalen WCET
IEEE WWC, 2001, pp. 3–14.
benchmarks: Past, present and future, in: WCET, 2010, pp. 136–146.
[21] D.R. Falcó, A. Serrano-Cases, A. Martinez-Alvarez, S. Cuenca-Asensi, Soft error
[51] S. Che, M. Boyer, J. Meng, D. Tarjan, J.W. Sheaffer, S.-H. Lee, K. Skadron,
reliability predictor based on a deep feedforward neural network, in: IEEE LATS,
Rodinia: A benchmark suite for heterogeneous computing, in: IEEE IISWC, 2009,
2020, pp. 1–5.
pp. 44–54.
[22] Q. Lu, M. Farahani, J. Wei, A. Thomas, K. Pattabiraman, LLFI: An intermediate
code-level fault injection tool for hardware faults, in: IEEE QRS, 2015, pp. 11–16.
[23] A. Benso, S. Chiusano, P. Prinetto, L. Tagliaferri, A C/C++ source-to-source
compiler for dependable applications, in: IEEE DSN, 2000, pp. 71–78. Jonas Gava received a bachelor’s degree in computer
[24] B. Nicolescu, R. Velazco, Detecting soft errors by a purely software approach: engineering from the Federal University of Rio Grande do
Method, tools and experimental results, in: IEEE DATE, 2003, pp. 57–62. Sul (UFRGS) in 2019. In 2020 started as an M.Sc. Student
[25] A. Serrano-Cases, Y. Morilla, P. Martín-Holgado, S. Cuenca-Asensi, A. Martínez- in Microelectronics and followed his Ph.D. in 2021 at the
Álvarez, Nonintrusive automatic compiler-guided reliability improvement of same institution. For the past three years, he has been
embedded applications under proton irradiation, IEEE Trans. Nucl. Sci. 66 (7) researching and developing tools involving the implementa-
(2019) 1500–1509. tion and evaluation of software-based soft error mitigation
[26] G.S. Rodrigues, F.L. Kastensmidt, R. Reis, F. Rosa, L. Ost, Analyzing the impact of techniques.
using pthreads versus OpenMP under fault injection in ARM cortex-A9 dual-core,
in: RADECS, 2006, pp. 1–6.

12
J. Gava et al. Journal of Systems Architecture 131 (2022) 102710

Vitor Bandeira received a bachelor’s degree in computer Ricardo Reis (M’81–SM’06) received the Electrical Engi-
science from the Federal University of Rio Grande do Sul neering degree from the Federal University of Rio Grande
(UFRGS) in 2019 and is currently a Ph.D. Student in do Sul (UFRGS), Brazil, in 1978, and the Ph.D. degree
Microelectronics at the same university. For the past four in informatics, option microelectronics from the Institut
years, he has been researching and developing tools for National Polytechnique de Grenoble, France, in 1983. He
reliability and soft error analysis using virtual platforms. received the Doctor Honoris Causa from University of Mont-
His current research involves applying machine learning pellier, France, in 2016. He has been a Full Professor with
techniques to improve the soft error investigations and the UFRGS since 1981. He is at research level 1A of the CNPq
development of multiprocessor platforms. (Brazilian National Science Foundation), and the head of
several research projects supported by government agencies
and industry. He has published over 700 papers in journals
Felipe Rocha da Rosa received the bachelor’s degree
and conference proceedings and authored or co-authored
in computer engineering and the Ph.D. degree in mi-
several books. His current research interests include physical
croelectronics from the Federal University of Rio Grande
design, physical design automation, design methodologies,
do Sul. For the past six years, he has been research-
digital design, EDA, circuits tolerant to radiation, and micro-
ing and developing tools for performance and reliability
electronics education. Prof. Reis was a recipient of the IEEE
analysis of arm-based processors. His current research
Circuits and Systems Society (CASS) Meritorious Service
involves applying data science and machine learning tech-
Award 2015. He was the Vice President of the IEEE CASS
niques to improve the soft error investigations during
representing Region 9 (Latin America) and president of the
early design space explorations process, simulation, system
Brazilian Computer Society (SBC).
design, computer architecture, multi/many-core systems,
network-on-chip, fault tolerance, and soft errors.
Luciano Ost is currently a Faculty Member with Lough-
borough University’s Wolfson School - UK. He received his
Rafael Garibotti (M’14–SM’22) is an Associate Professor
Ph.D. in Computer Science from PUCRS, Brazil, in 2010.
at PUCRS University. Former Visiting Scholar at Univer-
During his Ph.D., Dr. Ost worked as an invited researcher
sité Grenoble Alpes, France. Former Postdoctoral Fellow
at the Microelectronic Systems Institute of the Technische
at both the prestigious School of Engineering and Applied
Universitaet Darmstadt (from 2007 to 2008) and at the
Sciences of Harvard University and UFRGS, Brazil. He
University of York (October 2009). After completing his
received his Ph.D. and M.Sc. Degree in Microelectronics,
doctorate, he worked as a research assistant (2 years) and
respectively from the University of Montpellier and EMSE,
then as an assistant professor (2 years) at the University
France and his B.Sc. Degree in Computer Engineering from
of Montpellier II in France. He has authored more than 90
PUCRS University, Brazil. He is a distinguished Brazilian
papers, and his research is devoted to advancing hardware
researcher with a CNPq PQ-2 grant. His research activity
and software architectures to improve the performance,
focuses on AI safety, robotics and autonomous systems,
security, and reliability of machine learning and life-critical
multicore architectures, hardware accelerator and robust
embedded systems.
deep learning.

13