Published by Lynne Heath. Modified over 8 years ago.

On the Threat of Metastability in an Asynchronous Fault-Tolerant Clock Generation Scheme
Gottfried Fuchs, Matthias Függer and Andreas Steininger
Vienna University of Technology, Embedded Computing Systems Group
{fuchs, fuegger, steininger}@ecs.tuwien.ac.at

Outline
1. Asynchronous fault-tolerant algorithm
2. Investigate its susceptibility to metastability
3. In this context: study Sutherland’s micropipeline

Clocking in SoCs
synchronous SoC: (-) single point of failure (Seifert et al.); (+) common time across chip (< 1 tick)
GALS: (+) no single point of failure; (-) no common time across chip
DARTS: (+) no single point of failure; (+) common time across chip (< small # of ticks)

SoC with Common Time
precision: at any t, π(t) bounded
accuracy: l(Δ) < #ticks in any Δ < u(Δ)
[Figure: tick timelines of nodes p and q (tick(2) … tick(5)), showing π(t) = 2 and #ticks(Δ) = 3; q’s local clock domain is marked.]
Common time eases solving other problems (replica determinism, …).

DARTS Hardware Implementation
Common time property proved in [EDCC06, PODC09].

Initially:
    send tick(0) to all; clock := 0;
If received tick(m) from at least f+1 remote nodes and m > clock:
    send tick(clock+1), …, tick(m) to all; clock := m;
If received tick(m) from at least 2f+1 remote nodes and m >= clock:
    send tick(m+1) to all; clock := m+1;
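
An event-driven simulation of the tick rules above, added here as an illustration; it is not code from the slides or from the DARTS project. Assumptions: n = 5 nodes with f = 1 (so every correct node has 2f+1 correct remote peers), message delays drawn uniformly from [1, 2], and a constructed two-faced faulty node; the names "relay rule" and "increment rule" are labels used only in this example.

```python
import heapq, random
from collections import defaultdict

def simulate(n=5, f=1, faulty=(4,), d_min=1.0, d_max=2.0, t_end=100.0, seed=1):
    """Run the tick rules; return (final clocks of correct nodes, worst clock skew seen)."""
    rng = random.Random(seed)
    correct = [i for i in range(n) if i not in faulty]
    clock = {i: 0 for i in correct}
    recv = {i: defaultdict(set) for i in correct}   # recv[i][m] = remote senders of tick(m)
    queue, seq = [], 0                               # (delivery time, tie-breaker, dst, src, m)

    def send(now, src, m, dests):
        nonlocal seq
        for dst in dests:
            if dst != src and dst in clock:          # only remote, correct receivers are modelled
                seq += 1
                heapq.heappush(queue, (now + rng.uniform(d_min, d_max), seq, dst, src, m))

    for i in correct:                                # initial rule: send tick(0) to all
        send(0.0, i, 0, range(n))
    for b in faulty:                                 # constructed fault model: the node feeds
        for m in range(300):                         # ticks far ahead of time to nodes 0 and 1
            send(0.0, b, m, (0, 1))                  # and stays silent towards everyone else

    worst = 0
    while queue and queue[0][0] <= t_end:
        now, _, i, src, m = heapq.heappop(queue)
        recv[i][m].add(src)
        while True:                                  # re-evaluate rules until none fires
            # relay rule: tick(m) from >= f+1 remote nodes and m > clock
            ahead = [k for k, s in recv[i].items() if k > clock[i] and len(s) >= f + 1]
            if ahead:
                top = max(ahead)
                for k in range(clock[i] + 1, top + 1):
                    send(now, i, k, range(n))
                clock[i] = top
            # increment rule: tick(m) from >= 2f+1 remote nodes and m >= clock
            elif len(recv[i][clock[i]]) >= 2 * f + 1:
                clock[i] += 1
                send(now, i, clock[i], range(n))
            else:
                break
        worst = max(worst, max(clock.values()) - min(clock.values()))
    return clock, worst

if __name__ == "__main__":
    print(simulate())
```

The run covers only the digital behavior of the algorithm: messages are modelled as clean discrete events, so metastable inputs are outside what this simulation can show.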

DARTS Hardware Implementation
Common time property proved in [EDCC06, PODC09].
But: Proofs cover digital behavior, only.
What about metastability (during non-normal operation)?

Potential for metastability (1)
TG-Alg has (a) stable state (b) fault
non-closed (unrestricted) environment (no stability condition as in QDI)
exists a malicious input pulse.
Make sure metastability does not propagate across ECR boundary.

Existence of metastability barrier? (Sutherland)

Does a micropipeline “synchronize”?
Critical pulse window size (2 stages) = $t_{E2} - t_{E1}$
[Figure: in(t), out(t) and malicious out(t), with $t_{E1}$ and $t_{E2}$ marked.]

Does a micropipeline “synchronize”?
Critical pulse window size (4 stages)
[Figure: in(t), out(t) and malicious out(t).]

Metastability decay in a C-Element (1)
Model
MTBU formula
Do equivalent formulas exist?
Latch | C-Element
Decay towards LO/HI

Metastability decay in a C-Element (2)
[Figure: a(t) and f(a,b,x)(t), with $t_E$ marked.]
For $t > t_E$: Consider homogenous solution f(a,b,x)(t) = x(t)
a, b inputs (b = armed); z output; x feedback
$x_0$

Metastability decay in a C-Element (2)
Near metastability point:
strong indication for synchronizing behavior
with assumption $x_0$ = “midway” yields
Remember the latch:

Simulation Setup
choose $T_{maxcorr} = 3T_{nom}$
4 stage pipeline, MATLAB's stiff ODE
parameters: CMOS 180nm, but G = 1.66 (numeric resolution)
[Figure: malicious out(t)]

Simulation Results (1)
Dependence on RC constants
approx. linear dependence only
[Figure: critical window size]

Simulation Results (2)
Dependence on #stages
~$10^{-1}$/stage
[Figure: critical window size]

Simulation Results (3)
Dependence on G
~$10^{-7}$/1
In case of DARTS: simulation indicates that critical pulse window size < 1 fs.

Conclusions
Example for fault-tolerant asynchronous algorithm: DARTS.
Identified micropipeline as metastability barrier.
Characterized its synchronizing behavior.
Open research:
Refined C-Element models (yield results for larger G).
Extend analysis to incorporate masking effects and calculate metastability upset probability.