5.2. Register Dataflow Failures
Faults in the dataflow could result in different architectural errors. We classify them by error location, and describe some possible faults that cause them.
1. Selection of wrong inputs: The input multiplexors and the selection logic that chooses the input operands from the bypass/register file and feeds the functional units may select a wrong input, causing incorrect data to be consumed.
2. Wrong register file access: A read access to the register file may provide a wrong [...] wrong entry, (b) a “register write” access that writes into a wrong register (in this case, the readers will suffer the consequences), or any other cause.
3. Premature issue: A prematurely issued instruction will consume a wrong data value. Some causes are: (a) incorrect operation of the wake-up logic, (b) incorrect operation of the select logic, (c) incorrect assignment of the latency of a producer instruction (the consumers suffer the effects), etc.
4. Wrong tag: An instruction may depend on a wrong instruction (i.e. through a wrong register tag) and consume its data. The causes might be: (a) incorrect contents in the rename table, (b) wrong access to the rename table, (c) faults in the rename dependence checking inside the rename bundle, or (d) corruption of a tag tracking a register dependence in the issue queue.
5. Data stall in the bypass network: If the latches placed in the different levels of the bypass do not latch a new value (e.g. due to a missing or delayed clock signal), the bypass may get stalled with an old data value.
6. Register free-list misuse: If the register free list does not operate correctly (including wrong register release and allocation), the register tags might get corrupted. We also consider the situation when the old or current mapping in the ROB may get corrupted. The net result is that a physical register may simultaneously be the destination location for two different instructions.
7. Load replay errors: If the replay logic does not work properly, it may neither identify nor reissue all the instructions that depend on a load that misses in the data cache.¹ As a consequence, there could be silent commitment of bogus values, potentially corrupting the architectural state.
8. Deadlock: A deadlock will happen if the oldest instruction waits (incorrectly) for a tag that is not in-flight and, hence, cannot trigger a wake-up. This is a sub-case of a “wrong tag” with a different microarchitectural result.
Faults that result in a deadlock can be easily detected by means of a watchdog timer, already implemented in many current microprocessors [7, 78] and in our baseline processor (Appendix A). However, the other faults result in instructions operating with a wrong data value, and require more sophisticated detection mechanisms. These faults are the target of our protection mechanism.
¹ Also, these instructions could be replayed due to a TLB miss, bank conflicts in the data cache, or write port conflicts in the register file.
Chapter 5. Register Dataflow Validation
5.3 End-to-End Dataflow Validation
This section describes our proposal for an efficient mechanism to perform online validation of the register dataflow logic. We first explain the signature-based protection scheme and the different high-level steps it is composed of. We then comment on how register dataflow faults can be recovered when detected by our technique. We finally analyze the required hardware changes needed to support our proposed solution.
5.3.1 Signature-Based Protection: General Idea
We propose a novel technique that is based on marking every data value flowing through the pipeline with a signature. A signature is a token associated with a chunk of information. Whereas codes such as residue, parity or ECC are a function of the data they are associated with, signatures, in their general definition, do not depend on any property of the protected information.
Fig. 5.1: Register signature assignment among dependent instructions: an example
Our online validation technique is exemplified in Figure 5.1, which shows three instructions with their corresponding destination and source signatures. Each operand, including sources and destination, receives a signature that allows tracking the dataflow. Each a priori source signature is compared with the a posteriori signature obtained during execution. The signature obtained during execution can be considered the result of the protected, potentially faulty, control logic. If the two signatures mismatch, an error is detected. Otherwise, the destination signature is written back and forwarded along with the data to any potential consumer. This way, the producer-consumer loop is continuously monitored through a hand-shake mechanism.
We now precisely describe the main signature-based protection scheme dividing it into three steps: signature assignment, signature flow and signature check. The complete flow is depicted in Figure 5.2.
Fig. 5.2: End-to-end signature checking: extensions in the core dataflow
Signature Assignment
Signature assignment is performed in two steps, similar to register allocation. All instructions that generate a register value obtain a destination signature. Immediate values are also assigned a signature. Since the number of immediate operands is low, we will concentrate in the rest of the chapter on register operands.
Destination signature assignment can be performed as soon as the logical register destinations have been identified. Without loss of generality we assume this is performed during the rename stages, although this could be done during decode time. Once instructions have been renamed, the destination signatures are stored into the rename table together with the allocated physical register tags. Since signatures can be arbitrarily generated for destination registers, the hardware in charge of generating them is independent of the proposed design framework. Different signature assignment policies will be discussed in Section 5.5, and it will be shown that they have a direct impact on complexity and coverage.
Source operands receive their corresponding signatures at rename time from the rename table.² In a fault-free scenario, the rationale is that such signatures must match the destination signature of the producer instruction of that operand. Overall, every instruction flows after the rename stage with 3 signatures (as shown in Figure 5.3 and Figure 5.2): the signature of the data it will produce (Sign(Dst)), and the signatures of the producers of its two operands (Sign(Src1) and Sign(Src2)).
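A behavioural sketch of the rename-time assignment and the execute-time check described above, added here as an illustration and not taken from the thesis. The class and function names, the 4-bit width, the stand-in ALU operation and the counter-based signature policy are assumptions; the text leaves the policy to Section 5.5.

```python
from dataclasses import dataclass

SIG_BITS = 4  # assumed signature width; the text does not fix one

@dataclass
class Uop:
    dst: str                 # logical destination register
    srcs: tuple              # logical source registers
    dst_tag: int = -1        # physical register allocated at rename
    dst_sig: int = -1        # Sign(Dst)
    src_tags: tuple = ()     # physical tags of the producers
    src_sigs: tuple = ()     # Sign(Src1), Sign(Src2): a priori signatures

class Core:
    def __init__(self, logical, n_phys=16):
        # Rename table: logical register -> (physical tag, producer signature)
        self.rat = {r: (i, 0) for i, r in enumerate(logical)}
        self.prf = [(0, 0)] * n_phys   # register file entries: (data, signature)
        self.next_tag, self.next_sig = len(logical), 1

    def rename(self, uop):
        # Sources take their a priori signatures from the rename table
        uop.src_tags = tuple(self.rat[s][0] for s in uop.srcs)
        uop.src_sigs = tuple(self.rat[s][1] for s in uop.srcs)
        # Destination gets a fresh tag and signature (assumed counter policy)
        uop.dst_tag, uop.dst_sig = self.next_tag, self.next_sig
        self.next_tag += 1
        self.next_sig = (self.next_sig + 1) % (1 << SIG_BITS)
        self.rat[uop.dst] = (uop.dst_tag, uop.dst_sig)
        return uop

    def execute(self, uop, read_tags=None):
        # read_tags lets the caller model a wrong register file access
        operands = [self.prf[t] for t in (read_tags or uop.src_tags)]
        # Check: a posteriori signature read with the data vs. the a priori one
        if any(seen != want for (_, seen), want in zip(operands, uop.src_sigs)):
            return False     # mismatch: dataflow error detected, no writeback
        result = sum(data for data, _ in operands) + 1   # stand-in ALU op
        self.prf[uop.dst_tag] = (result, uop.dst_sig)    # data + Sign(Dst)
        return True

def demo():
    core = Core(["r1", "r2", "r3"])
    a = core.rename(Uop("r1", ("r2", "r3")))   # r1 <- r2, r3
    b = core.rename(Uop("r2", ("r1", "r3")))   # r2 <- r1, r3 (depends on a)
    premature = core.execute(b)                # b issued before a wrote back
    ok_a, ok_b = core.execute(a), core.execute(b)
    c = core.rename(Uop("r3", ("r1", "r2")))   # r3 <- r1, r2
    wrong_entry = core.execute(c, read_tags=(a.dst_tag, a.dst_tag))
    return premature, ok_a, ok_b, wrong_entry
```

In this model the architectural registers all start with signature 0, so a wrong read among them passes the check; that aliasing is a property of the assumed policy and shows why the choice of policy affects coverage.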
2