10 research outputs found

    Random testing of interrupt-driven software

    Manuscript
    Interrupt-driven embedded software is hard to test thoroughly since it usually contains a very large number of executable paths. Developers can test more of these paths using random interrupt testing: firing random interrupt handlers at random times. Unfortunately, naïve application of random testing to interrupt-driven software does not work: some randomly generated interrupt schedules violate system semantics, causing spurious failures. The contribution of this paper is the design, implementation, and experimental evaluation of RID, a restricted interrupt discipline that hardens embedded software with respect to unexpected interrupts, making it possible to perform random interrupt testing and also protecting it from spurious interrupts after deployment. We evaluate RID by implementing it in TinyOS and then using random interrupt testing to find bugs and also to drive applications toward their worst-case stack depths.

    Thread verification vs. interrupt verification

    Journal Article
    Interrupts are superficially similar to threads, but there are subtle semantic differences between the two abstractions. This paper compares and contrasts threads and interrupts from the point of view of verifying the absence of race conditions. We identify a small set of extensions that permit thread verification tools to also verify interrupt-driven software, and we present examples of source-to-source transformations that turn interrupt-driven code into semantically equivalent thread-based code that can be checked by a thread verifier.

    Modeling of computer systems with a FIFO discipline of interrupt processing

    The FIFO (First In First Out) discipline of interrupt processing is widely used in von Neumann-type computers in information and digital control systems. The goal of implementing such a mode of operation, optimizing the time to data access, is achievable only when there is an adequate model describing data processing in the system. The analytical model is developed using the fundamental mathematical apparatus of Petri-Markov nets. The initial Petri-Markov model is divided into hierarchical levels according to the number of interrupts queued for processing. It is shown that from the current level it is possible to switch both to the previous and to the next interrupt. Dependencies for determining the time of residence on the current level and the probabilities of switching to conjugate levels are obtained. A method for transforming the Petri-Markov model into a semi-Markov process is proposed. It is shown that the semi-Markov process obtained has a binary tree structure. Dependencies for determining the time and probabilistic characteristics of wandering through the binary tree are obtained.

    Detecting and Mitigating Network Packet Overloads on Real-Time Devices in IoT Systems

    Manufacturing, automotive, and aerospace environments use embedded systems for control and automation and need to fulfill strict real-time guarantees. To facilitate more efficient business processes and remote control, such devices are being connected to IP networks. Because network packet arrivals are hard to predict and the workloads of interrupt handlers and drivers are interrelated, devices controlling time-critical processes are at risk of missing process deadlines under high network loads. Additionally, devices at the edge of large networks and the internet are subject to a high risk of load spikes and network packet overloads. In this paper, we investigate strategies to detect network packet overloads in real time and present four approaches to adaptively mitigate local deadline misses. In addition to two strategies mitigating network bursts with and without hysteresis, we present and discuss two novel mitigation algorithms, called Budget and Queue Mitigation. In an experimental evaluation, all algorithms showed mitigating effects, with the Queue Mitigation strategy enabling the most packet processing while preventing lateness of critical tasks.
    Comment: EdgeSys '2

    A Unified Hardware/Software Priority Scheduling Model for General Purpose Systems

    Migrating functionality from software to hardware has historically held the promise of enhancing performance by exploiting the inherent parallel nature of hardware. Many early exploratory efforts in repartitioning traditional software-based services into hardware were hampered by expensive ASIC development costs. Recent advancements in FPGA technology have made it more economically feasible to explore migrating functionality across the hardware/software boundary. The flexibility of the FPGA fabric and the availability of configurable soft IP components have opened the potential to rapidly and economically investigate different hardware/software partitions. Within the real-time operating systems community, there has been continued interest in applying hardware/software co-design approaches to address scheduling issues such as latency and jitter. Many hardware-based approaches have been reported to reduce the latency of computing the scheduling decision function itself. However, continued adherence to classic scheduler invocation mechanisms can still allow variable latencies to creep into the time taken to make the scheduling decision, and ultimately into application timelines. This dissertation explores how hardware/software co-design can be applied beyond the scheduling decision itself to also reduce the non-predictable delays associated with interrupts and timers. By expanding the window of hardware/software co-design to these invocation mechanisms, we seek to understand whether the jitter introduced by classical hardware/software partitionings can be removed from the timelines of critical real-time user processes. This dissertation makes a case for resetting the classic boundaries of software thread-level scheduling, software timers, hardware timers and interrupts. 
    We show that reworking the boundaries of the scheduling invocation mechanisms helps to rectify the current imbalance between traditional hardware invocation mechanisms (timers and interrupts) and software scheduling policy (the operating system scheduler). We re-factor these mechanisms into a unified hardware/software priority scheduling model to facilitate improvements in performance, timeliness and determinism in all domains of computing. This dissertation demonstrates and prototypes the creation of a new framework that effects this basic policy change. The advantage of this approach lies in its ability to unify, simplify and allow for more control within the operating system's scheduling policy.

    Composition and synchronization of real-time components upon one processor

    Many industrial systems have various hardware and software functions for controlling mechanics. If these functions act independently, as they do in legacy situations, their overall performance is not optimal. There is a trend towards optimizing the overall system performance and creating a synergy between the different functions in a system, which is achieved by replacing more and more dedicated, single-function hardware by software components running on programmable platforms. This increases the re-usability of the functions, but their synergy also requires that (parts of) the multiple software functions share the same embedded platform. In this work, we look at the composition of inter-dependent software functions on a shared platform from a timing perspective. We consider platforms comprised of one preemptive processor resource and, optionally, multiple non-preemptive resources. Each function is implemented by a set of tasks; the group of tasks of a function that executes on the same processor, along with its scheduler, is called a component. The tasks of a component typically have hard timing constraints. Fulfilling these timing constraints of a component requires analysis. Looking at a single function, co-operative scheduling of the tasks within a component has already proven to be a powerful tool to make the implementation of a function more predictable. For example, co-operative scheduling can accelerate the execution of a task (making it easier to satisfy timing constraints), it can reduce the cost of arbitrary preemptions (leading to more realistic execution-time estimates) and it can guarantee access to other resources without the need for arbitration by other protocols. Since timeliness is an important functional requirement, (re-)use of a component for composition and integration on a platform must deal with timing. 
    To enable us to analyze and specify the timing requirements of a particular component in isolation from other components, we reserve and enforce the availability of all its specified resources during run-time. The real-time systems community has proposed hierarchical scheduling frameworks (HSFs) to implement this isolation between components. After admitting a component on a shared platform, a component in an HSF keeps meeting its timing constraints as long as it behaves as specified. If it violates its specification, it may be penalized, but other components are temporally isolated from the malign effects. A component in an HSF is said to execute on a virtual platform with a dedicated processor at a speed proportional to its reserved processor supply. Three effects disturb this point of view. Firstly, processor time is supplied discontinuously. Secondly, the actual processor is faster. Thirdly, the HSF no longer guarantees the isolation of an individual component when two arbitrary components violate their specification during access to non-preemptive resources, even when access is arbitrated via well-defined real-time protocols. The scientific contributions of this work focus on these three issues. Our solutions to these issues cover the system design from component requirements to run-time allocation. Firstly, we present a novel scheduling method that enables us to integrate the component into an HSF. It guarantees that each integrated component executes its tasks in exactly the same order regardless of a continuous or a discontinuous supply of processor time. Using our method, the component executes on a virtual platform and only experiences that the processor speed differs from the actual processor speed. As a result, we can focus on the traditional scheduling problem of meeting deadline constraints of tasks on a uni-processor platform. 
    For such platforms, we show how scheduling tasks co-operatively within a component helps to meet the deadlines of this component. We compare the strength of these co-operative scheduling techniques to theoretically optimal schedulers. Secondly, we standardize the way of computing the resource requirements of a component, even in the presence of non-preemptive resources. We can therefore apply the same timing analysis to the components in an HSF as to the tasks inside, regardless of their scheduling or the protocol being used for non-preemptive resources. This increases the re-usability of the timing analysis of components. We also make non-preemptive resources transparent during the development cycle of a component, i.e., the developer of a component can be unaware of the actual protocol being used in an HSF. Components can therefore be unaware that access to non-preemptive resources requires arbitration. Finally, we complement the existing real-time protocols for arbitrating access to non-preemptive resources with mechanisms to confine temporal faults to those components in the HSF that share the same non-preemptive resources. We compare the overheads of sharing non-preemptive resources between components with and without mechanisms for confinement of temporal faults. We do this by means of experiments within an HSF-enabled real-time operating system.

    Reliable Multicast transport of the video over the WiFi network

    Multicast transport is an efficient solution for delivering the same content to many receivers at the same time. This mode is mainly used to deliver real-time video streams. However, the conventional multicast transmissions of IEEE 802.11 do not use any feedback policy; therefore missing packets are permanently lost. This limits the reliability of the multicast transport and impacts the quality of video applications. To resolve this issue, the IEEE 802.11v/aa amendments have been defined recently. The former proposes the Direct Multicast Service (DMS). On the other hand, 802.11aa introduces the Groupcast with Retries (GCR) service. GCR defines two retry policies: Block Ack (BACK) and Unsolicited Retry (UR). In this thesis we evaluate and compare the performance of 802.11v/aa. Our simulation results show that all the defined policies incur a significant overhead. Besides, DMS has very limited scalability, and GCR-BACK is not appropriate for large multicast groups. We show that both DMS and GCR-BACK incur significant transmission latencies when the number of multicast receivers increases. Furthermore, we investigate the loss factors in wireless networks. We show that device unavailability may be the principal cause of the heavy packet losses and their bursty nature. In particular, our results show that CPU overload may incur a loss rate of 100%, and that the delivery ratio may be limited to 35% when the device is in power save mode. To avoid collisions and to enhance the reliability of multicast transmissions, we define the Busy Symbol (BS) mechanism. Our results show that BS prevents all collisions and ensures a very high delivery ratio for multicast packets. To further enhance the reliability of this traffic, we define the Block Negative Acknowledgement (BNAK) retry policy. Using our protocol, the AP transmits a block of multicast packets followed by a Block NAK Request (BNR). Upon reception of a BNR, a multicast member generates a Block NAK Response (BNAK) only if it missed some packets. A BNAK is transmitted after channel contention in order to avoid any possible collision with other feedback messages, and is acknowledged. Under the assumption that 1) the receiver is located within the coverage area of the data rate used, 2) collisions are avoided and 3) the terminal has the required configuration, few feedback messages are generated and bandwidth is saved. Our results show that BNAK has very high scalability and incurs very low delays. 
    Furthermore, we define a rate adaptation scheme for BNAK. We show that the appropriate rate is selected at the expense of a very limited overhead of less than 1%. Besides, the design of our protocol supports scalable video streaming. This capability is intended to resolve the bandwidth fluctuation issue and to take into account the device heterogeneity of the group members.

    A Many-Core Platform with Run-Time Monitoring to Support Separation of Mixed-Criticality Applications

    Modern multi- and many-core platforms offer sufficient resources for further increasing the performance of advanced applications. Moreover, they allow integrating multiple applications that formerly ran on multiple chips. The large amount of resources can additionally be used to map applications redundantly to more resources than required in order to increase reliability. Spare parts can be used to replace faulty components at run time for higher availability. A suitable platform must allow remapping of applications and replacement of peripherals dynamically. Mapping to distributed resources, but also communication among resources, should ideally be transparent and flexible to allow changes at run time. In this thesis, a parameterizable and synthesizable many-core platform is presented, which realizes the requirements above by virtualizing all resources that are available on the platform. The platform is used as a research vehicle to develop mechanisms for separating applications of different criticalities on a shared platform. On a many-core platform that runs mixed-criticality applications, all applications have to be sufficiently separated. Otherwise all applications, even low-criticality ones, have to fulfill the requirements of the highest level of criticality. This would significantly increase the costs of a shared platform. 
    Separation enables individual development and certification of applications and cost-efficient recertification of single applications after an update. Separation does not only include independence in terms of time and space, but also in terms of power consumption, as the available energy of a many-core system is shared between all running applications. Increased power consumption of one application may reduce the available energy for other applications or the reliability and lifetime of the complete chip. Besides static separation of mixed-criticality applications by assigning them to separate resources, a fast and scalable monitoring and control mechanism allows safe and efficient sharing of resources by enforcing the specified behavior of applications at run time. All in all, this thesis' contribution is a step towards exploiting the benefits of multi- and many-core platforms for mixed-criticality applications.

    Preventing interrupt overload
