# Experiments with the Huffman Decoder/Encoder (VIS bench)

Cécile Braunstein

December 13, 2012

## 1 Original platform from VIS

## 1.1 Model architecture



Figure 1: Architecture of Huffman original



The Huffman circuit describes the implementation of static (English) Huffman encoder/decoder.

- Encoder: Read a character and return the encoding form bit by bit
- Decoder: Explore the encoding tree and return the character when it reaches a leaf.

## 1.2 Robustness Analysis

The robustness analysis has been performed for usut and msmt faults only. The set of safe states for robustness 4 is the reach set of states. The table 1 shows the robustness analysis of the original circuit in

| Rob  | Fault      | Err                  | $ u_{ev}$           | $ u_{pot}$     | time                 |
|------|------------|----------------------|---------------------|----------------|----------------------|
| Rob4 | SEU<br>MEU | 61810<br>2.68e+08    | $48\% \\ 7\%$       | 99.5%<br>99.8% | 0<br>0               |
| Rob3 | SEU<br>MEU | 1.53e+06<br>2.36e+11 | $44.7\%\ 0.6\%$     | 99.6%<br>99.8% | $1 \min$<br>$1 \min$ |
| Rob1 | SEU<br>MEU | 1.43e+06<br>2.36e+11 | ${30.4\%} \\ {0\%}$ | -              | 0<br>0               |

Originaly reachable states : 878

#### Table 1: Robustness of the Huffman circuit from the VIS bench

VIS bench. There exists *eds* from where the circuits will never recover. After analyzing these path (by producing counterexample), we were able to avoid them path by modifying the encoder automaton. The case were **shiftreg** equals 0 is not taken into account on this automaton. This can be solved by replacing the guard transition from SHIFT to INIT.

From this point, we will considered only this modified version of the Huffman circuit.

| Rob  | Fault      | Err                  | $ u_{ev}$        | $ u_{pot}$       | $\operatorname{time}$        |
|------|------------|----------------------|------------------|------------------|------------------------------|
| Rob4 | SEU<br>MEU | 61654<br>2.68e+08    | $48\% \\ 7\%$    | $100\% \\ 100\%$ | 0<br>0                       |
| Rob3 | SEU<br>MEU | 1.43e+06<br>2.36e+11 | $45\% \\ 0.6\%$  | $100\% \\ 100\%$ | $1 { m min}$<br>$1 { m min}$ |
| Rob1 | SEU<br>MEU | 1.43e+06<br>2.36e+11 | ${30.5\%} \ 0\%$ | -                | 0<br>0                       |

Originaly reachable states : 878

### Table 2: Robustness of the corrected Huffman circuit from the VIS bench

This circuit is not completely robust due to the desynchronization between the encoder and the decoder machine. The fault may have change the code of character in the encoder while the decoder where decoding it. The original circuit does not have a mechanism to prevent such desynchronization such as handshake protocol.

## 2 Huffman decoder/encoder synchronization

We synchronized the behavior of the decoder and the encoder device. The decoder starts only when the encoder said so. The encoder may restarts the decoder even when the decoding part is not over.

This mechanism ensure the robustness level 4 with the set of reachable states considered as safe states. Nevertheless this does not ensure the synchronization with the golden behavior. The non-robustness 3 comes from the fact that the environment does not have constraints. Moreover, it comes also from the lack of synchronization between the environment and the model under test.

## 3 Huffman with a constraint environment

### 3.1 Environment: a given text

We build an environment synchronized with the encoder. The environment send the letter A and E alternatively when it received the acknowledgment from the encoder saying that the character code is sent.

| Protected              | Fault                 | Rob                | 4                | Roł               | Rob 1               |                        |
|------------------------|-----------------------|--------------------|------------------|-------------------|---------------------|------------------------|
| registers              | $\operatorname{type}$ | $ u_{ev}$          | $ u_{pot}$       | $ u_{ev}$         | $ u_{pot}$          | $\nu_{ev} = \nu_{pot}$ |
| character              | SEU<br>MEU            | 25.34%<br>7.07%    | $100\% \\ 100\%$ | $22.78\%\ 0.59\%$ | $100 \ \% \\ 100\%$ | $2.72\% \ 0\%$         |
| state                  | SEU<br>MEU            | 58.32%<br>24.78%   | $100\% \\ 100\%$ | 55.30%<br>2.22%   | $100\% \\ 100\%$    | $44.61\% \\ 0.10\%$    |
| shiftreg               | SEU<br>MEU            | $62.80\%\ 10.92\%$ | $100\% \\ 100\%$ | 58.90%<br>13.86%  | $100\% \\ 100\%$    | $47.30\% \\ 0.62\%$    |
| character/<br>state    | SEU<br>MEU            | 25.87%<br>24.78%   | $100\% \\ 100\%$ | $19.54\%\ 2.12\%$ | $100\% \\ 100\%$    | $0.30\% \\ 0\%$        |
| character/<br>shiftreg | SEU<br>MEU            | 24.62%<br>7.47%    | $100\% \\ 100\%$ | 26.02%<br>13.79%  | $100\% \\ 100\%$    | $5.14\% \\ 0.623\%$    |
| state/<br>shiftreg     | SEU<br>MEU            | $100\% \\ 100\%$   | 100%<br>100%     | $100\% \\ 100\%$  | $100\% \\ 100\%$    | $100\% \\ 100\%$       |

Table 3: Register grading of the corrected Huffman circuit from the VIS bench



| Rob  | Fault | Err                   | $ u_{ev}$ | $ u_{pot}$ | time |
|------|-------|-----------------------|-----------|------------|------|
| Rob4 | SEU   | 25  633               | 100%      | 100%       | 0    |
|      | MEU   | $5.37\mathrm{e}{+08}$ | 100%      | 100%       | 0    |
| Rob3 | SEU   | $334 \ 248$           | 83.5%     | 100%       | 0.5  |
|      | MEU   | $4.72e{+}11$          | 8.5%      | 100%       | 0.5  |
| Rob1 | SEU   | $334 \ 248$           | 32.7%     | -          | 0.7  |
|      | MEU   | $4.72e{+}11$          | 0%        | -          | 2    |

Originaly reachable states : 879

Table 4: Robustness Huffman circuit with internal synchronization

| Protected   | Fault                 | Rob       | Rob 1      |                        |
|-------------|-----------------------|-----------|------------|------------------------|
| registers   | $\operatorname{type}$ | $ u_{ev}$ | $ u_{pot}$ | $\nu_{ev} = \nu_{pot}$ |
|             | SEU                   | 77%       | $100 \ \%$ | 7%                     |
| cnaracter   | MEU                   | 8.5%      | 100%       | 0%                     |
|             | SEU                   | 74.77~%   | 100%       | 46.64%                 |
| state       | MEU                   | 8.5%      | 100%       | 0%                     |
| 1.0         | SEU                   | 100%      | 100%       | 49.73%                 |
| snittreg    | MEU                   | 100%      | 100%       | 1.96%                  |
|             | SEU                   | 82.88%    | 100%       | 30.89%                 |
| start       | MEU                   | 100%      | 100%       | 0%                     |
| character/  | SEU                   | 56.42%    | 100%       | 7.84%                  |
| state       | MEU                   | 8.56%     | 100%       | 0%                     |
| character/  | SEU                   | 100%      | 100%       | 13.16%                 |
| shiftreg    | MEU                   | 100%      | 100%       | 1.96%                  |
| state/      | SEU                   | 100%      | 100%       | 98.12%                 |
| shiftreg    | MEU                   | 100%      | 100%       | 15%                    |
| state/      | SEU                   | 73.37%    | 100%       | 44.62%                 |
| start       | MEU                   | 8.53%     | 100%       | 0%                     |
| character/  | SEU                   | 76%       | 100%       | 3.25%                  |
| start       | MEU                   | 7.8%      | 100%       | 0%                     |
| shiftreg/   | SEU                   | 100%      | 100%       | 47.87%                 |
| start       | MEU                   | 100%      | 100%       | 3.45%                  |
| shiftreg/   | SEU                   | 100%      | 100%       | 100%                   |
| state/start | MEU                   | 100%      | 100%       | 100%                   |

Table 5: Register grading Huffman circuit with internal synchronization



We perform a robustness analysis with a new rob3 :

The faulty and the golden have got the same inputs from the environment. The environment only reacts to the outputs from the faulty circuits.

| The s | et of | safe | states | are | the c | ones | where | the | golden | and | the | faulty | <sup>·</sup> states | are | observa | ably | equival | lent. |
|-------|-------|------|--------|-----|-------|------|-------|-----|--------|-----|-----|--------|---------------------|-----|---------|------|---------|-------|
|       |       |      |        |     |       |      |       |     | ()     |     |     | •/     |                     |     |         | •/   |         |       |

| Rob  | Fault      | Err                 | $ u_{ev}$        | $ u_{pot}$       | $\mathbf{time}$                           |
|------|------------|---------------------|------------------|------------------|-------------------------------------------|
| Rob4 | SEU<br>MEU | $270 \\ 4.29e + 09$ | $100\% \\ 100\%$ | $100\% \\ 100\%$ | 0<br>0                                    |
| Rob3 | SEU<br>MEU | 270<br>8.27e+10     | $100\% \\ 100\%$ | $100\% \\ 100\%$ | $\begin{array}{c} 0.5 \\ 0.5 \end{array}$ |
| Rob1 | SEU<br>MEU | 270<br>8.27e+10     | $47.7\% \\ 0\%$  | -                | $\begin{array}{c} 0.7 \\ 2 \end{array}$   |

Originaly reachable states : 90

Self stabilized after 10 steps, there is not healthy states before. Just checking the AX:9 AG (golend-Out == faultyOut) and AX:10 AG (golendOut == faultyOut)

## 3.2 Synchronized with the decoder

Our goal is to model the basis functionnalities that an environment should at least have. In this experiments any character may be encode. The environment is waiting that the encoder is ready to take a letter (ack = 1) and send a letter in a non deterministic time (free input *i\_val*). This modeling implies that we need to add fairness constraints to avoid the infinite path where the environment never asks for a new encoding.



Figure 2: Less constraint environment

#### 3.3 Separate study for decoder and encoder

The encoder is completely robust (rob3 and rob4) under the fairness constraint that the environment should ask for a new computation from time to time.

The decoder has got the same characteristic. It is robust iff his environment always need a new computation. The encoder verifies this property (AG(AF(start = 1))), hence the composition of the decoder and encoder is 100% robust.

| Rob  | Fault      | Err                      | $ u_{ev}$        | $ u_{pot}$       | $\mathbf{time}$                       |
|------|------------|--------------------------|------------------|------------------|---------------------------------------|
| Rob4 | SEU<br>MEU | 6.42e + 05<br>1.03e + 11 | $100\% \\ 100\%$ | $100\% \\ 100\%$ | 0<br>0                                |
| Rob3 | SEU<br>MEU | 6.42e+05<br>7.32e+13     | $100\% \\ 100\%$ | $100\% \\ 100\%$ | 7<br>7                                |
| Rob1 | SEU<br>MEU | 6.42e+05<br>7.32e+13     | $0\% \\ 0\%$     | -                | $\begin{array}{c} 0 \\ 2 \end{array}$ |

Originaly reachable states : 21 121

Table 6: Robustness with any text environment