Instruction Cache Faults & Mitigation

• Instruction cache faults are events where the CPU requests an instruction block missing from the L1-I cache, resulting in pipeline stalls and diminished throughput.
• Static analysis methods, including abstract interpretation and model checking, classify cache accesses to predict and manage fault occurrences with measurable coverage improvements.
• Mitigation strategies combine advanced prefetching, replacement policies, and both hardware and software countermeasures to enhance system resilience against fault attacks.

Instruction cache faults are events in which a CPU’s fetch unit requests an instruction block not present in the processor's local instruction cache (L1-I), resulting in pipeline stalls and diminished system throughput. These faults manifest both as architectural-level phenomena due to cache miss events and, in adversarial contexts, as deliberately induced faults via techniques such as electromagnetic fault injection (EMFI). The topic encompasses microarchitectural mechanisms, static and dynamic fault analysis, side-channel and fault attack surfaces, mitigation strategies, and the ongoing evolution of prefetching and replacement policies in modern CPUs.

1. Architectural Mechanisms and Manifestation of Instruction Cache Faults

An instruction cache fault typically occurs when a requested block is missing in the L1-I cache or its associated prefetch buffer, causing the CPU’s frontend to stall until the missing line is refilled from a lower memory hierarchy (Ansari et al., 2021). In ARMv7-M architectures (e.g., Cortex-M4), the L1 instruction cache has 64 lines of 128 bits, each line holding four 32-bit instructions, managed via least-recently-used (LRU) replacement. Prefetch buffers (PFQ) hold up to four instructions and serve every fetch. The cache miss penalty for this pipeline, which includes Harvard-style bus separation for instructions and data, is six CPU cycles to refill a cache line from Flash into the PFQ. Notably, the CPU never executes directly from Flash, indicating that PFQ occupancy is essential for correct program execution (Rivière et al., 2015).

Table: Cache Fault Manifestation in ARMv7-M

Location	Mechanism	Pipeline Effect
L1-I cache	LRU miss	6-cycle stall, PFQ refill
PFQ (prefetch buffer)	Stale/absent instructions	Replay/skip phenomenon (EMFI)

The impact at the processor level includes increased frontend stall cycles, reduced instructions-per-cycle (IPC), and elevated bandwidth and energy consumption through repeated memory accesses (Ansari et al., 2021).

2. Formal Modeling and Static Analysis of Faults

Static cache analysis applies abstract interpretation to classify instruction accesses as "always hit," "always miss," or "unknown," employing must/may domains (Touzeau et al., 2017). In the LRU-managed cache model, each block's age within a set is tracked to determine the likelihood of its presence. The domains are defined as:

• $A_{Must}: M_S \to \{0, ..., k\}$ (upper bounds on ages)
• $A_{May}: M_S \to \{0, ..., k\}$ (lower bounds on ages)

Hyperproperty-style analyses extend this approach:

• EH: "Exists Hit" (upper-bound on minimal age)
• EM: "Exists Miss" (lower-bound on maximal age)

Definitive classification as “always hit,” “always miss,” or "definitely unknown" (i.e., both hit and miss on different paths) ensures sound and precise analysis. Model checking refines the unknown cases by constructing a focused transition system for each block, allowing exact semantic labeling of accesses. Experimentally, classical AI classifies about 75% of accesses, with targeted EH/EM analyses improving coverage and drastically reducing model-checking invocations (Touzeau et al., 2017).

3. Physical and Adversarial Fault Injection

Electromagnetic fault injection attacks precisely target microarchitectural structures during vulnerable timing windows. On ARMv7-M, a high-control, high-reproducibility EMFI platform can induce a "replay-and-skip" fault with up to 96% success probability when the Flash-to-PFQ transfer is disrupted at nanosecond resolution (Rivière et al., 2015). Formally:

• At time $t_0$, EMFI blocks PFQ update:
  • Replay previous four instructions $\{i_{n-4},...,i_{n-1}\}$
  • Skip intended instructions $\{i_n,...,i_{n+3}\}$
  • Next executed: $i_{n+4}$

In SoC targets (e.g., BCM2837 Cortex-A53), EMFI on the L1I data RAM during the cache-fill window yields "sticky instruction skip" faults, i.e., instruction blocks that, after invalidation and refill, persistently serve corrupted opcodes until the next invalidate. Under bare-metal conditions, faults are observable directly as cache line corruption; with an OS, effects appear as ISA-level unexpected instruction replacements due to broader timing jitter and cache maintenance interventions (Trouchkine et al., 2019).

4. Prefetching and Fault Avoidance Strategies

Instruction cache faults due to miss events motivate advanced instruction prefetchers which predict access patterns beyond sequential control-flow (Ansari et al., 2021). Legacy designs—such as simple next-line prefetchers—fail to cover non-sequential jumps, while more advanced proposals (RDIP, Shotgun) suffer metadata misses or high per-entry storage overhead.

MANA (Microarchitecting AN Instruction Prefetcher) achieves near-PIF performance with only ~15 KB storage using spatial-region footprints, partial tags, a high-order-bits index, pointer chains for temporal correlation, and a stream-address buffer for fixed lookahead and duplicate filtering. MANA records combine a compact partial tag (2 bits), high-order-bits pattern index (7 bits), 8-bit footprint, and 12-bit successor pointer, yielding 29 bits per entry—an order-of-magnitude reduction in hardware storage compared to PIF (∼236 KB) (Ansari et al., 2021).

Table: Prefetcher Storage vs. Coverage

Prefetcher	Storage Overhead	Fault Coverage	Speedup vs. No PF
RDIP	~83 KB	60%	+22%
Shotgun	~6 KB	70%	+6.5%
PIF	~236 KB	85%	+42%
MANA	~15 KB	80%	+38%

5. Replacement Policies and Software-Aware Mitigation

Conventional LRU and RRIP (Re-Reference Interval Prediction) fail in workloads exhibiting high code reuse distances, evicting hot code before it can be reused. TRRIP (Temperature-based RRIP) introduces a software/hardware co-design exploiting compiler-driven profile-guided optimization (PGO): the compiler classifies code regions as hot, warm, or cold and communicates this temperature via page table entry (PTE) attributes. The hardware cache controller modifies insertion and update rules based on temperature, retaining hot lines preferentially:

• Insert hot: $RRPV_{ins}(hot) = 0$
• Insert warm: $RRPV_{ins}(warm) = 1$
• Insert cold/none: $RRPV_{ins}(cold/none) = 3$

Quantitatively, TRRIP reduces L2 instruction MPKI by 26.5% and yields a geomean speedup of 3.9%, requiring only a minor hardware change and no ISA or cache-array modification (Kao et al., 17 Sep 2025).

6. Advanced Admission Control and Bypass Strategies

Burstiness in instruction accesses, especially in datacenter or large footprint workloads, challenges monolithic cache policies. ACIC (Admission-Controlled Instruction Cache) introduces a two-tiered approach: a front-end i-Filter (16-entry fully associative buffer) intercepts short-term spatial/temporal bursts, while a two-level predictor (HRT + PT trained via a comparison status holding register, CSHR) decides selective admission to the LRU cache based on observed future reuse (Wang et al., 2022). Only blocks predicted to outlive the displaced main-cache block are admitted, sharply reducing pollution:

• i-Filter shields the main cache from short-lived blocks
• Admission predictor captures historical reuse patterns
• CSHR tracks fetch-order between filter-victim and cache-contender blocks
• Hardware overhead: ≈2.67 KB, negligible power/critical-path impact

Empirical results across datacenter workloads:

• MPKI reduction: –18.14% (ACIC), –4.0% (i-Filter only)
• Geometric mean speedup: ACIC yields 1.0223× over LRU+fetch-prefetcher baseline (bridging 55.85% of the gap to OPT) (Wang et al., 2022)

7. Countermeasures against Fault Attacks and Integrity Violations

A spectrum of hardware and software countermeasures addresses integrity and correctness of instruction delivery:

• EM shielding and on-die loop detectors: mitigates EMFI-induced faults by sensing rapid voltage transients (Rivière et al., 2015)
• Randomized prefetch timing: adds jitter to PFQ line refills, making EMFI less precise
• Integrity checks: parity or CRC per cache line; ECC augmentation secures each word (Trouchkine et al., 2019)
• Cryptographic MAC (message authentication code) on cache lines: block-level MACs computed and checked on each cache refill (Trouchkine et al., 2019)
• Dual-core lockstep: concurrent execution on two cores with cycle-by-cycle instruction and result comparison
• Software-level strategies: instruction-level redundancy, random NOP insertion, control-flow integrity with hashed PC progressions, and masked data/instruction updates (Rivière et al., 2015)

These defense mechanisms collectively increase the cost and observability of practical fault injection attacks against instruction caches, particularly under conditions where the attacker seeks to replay, skip, or corrupt contiguous instruction streams.

---

Instruction cache faults represent both a fundamental bottleneck for performance and a significant security vulnerability under physical fault injection attacks. Modern mitigation strategies span hardware innovations, predictive admission control, compiler-assisted memory management, robust analytical frameworks, and rigorous runtime integrity checks, underpinning the resilience of contemporary processor architectures.