Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Random Testing of Interrupt-Driven Software John Regehr University of Utah

advertisement 
Random Testing of
Interrupt-Driven Software
John Regehr
University of Utah
Integrated stress testing and debugging
Random
interrupt
testing
Source-source
transformation
Static
stack
analysis
Semantics
of interrupts
Delta
debugging
Genetic
algorithms
‹
‹
Goal: Stress testing and
debugging for interrupt-driven
embedded software
Why?
Interrupts hard to get right
¾ Regular testing typically exercises
small part of state space
¾ Stress testing tends to improve
software quality
¾ Interrupt-driven software used in
safety-critical applications
¾
‹
Specific case: Sensor network
nodes running TinyOS
Strongly interrupt-driven
¾ Application code runs in interrupt
mode
¾ Highly resource constrained
¾ Distributed and opaque –
magnifies effects of bugs
¾
‹
Obvious stress testing
technique:
¾
‹
Random interrupt testing – fire
interrupts at random times
Potential show stoppers:
Random interrupts can violate
application semantics
¾ Interrupts can reenter and overflow
the stack
¾
request
ADC
time
ADC
int.
random
ADC
int.
a
r
c
!
sh
aberrant interrupt
random
network
interrupts
time
a
r
c
!
h
s
stack overflow
‹
Many embedded systems permit
reentrant interrupts
‹
‹
‹
Problem: Interrupts arriving at
inconvenient times break
applications
Solution: Restrict interrupt
arrivals
First classify each interrupt
vector
Requested – arrives in response to
an action taken by the system
¾ Spontaneous – may arrive at any
time
¾
‹
Restricted Interrupt Discipline
(RID):
Requested interrupts – only permit
when a request is outstanding
¾ Spontaneous interrupts – only
permit when the interrupt isn’t
already running
¾
Implementing RID
1.
2.
3.
Annotate interrupt requests
Ensure that device initialization
code leaves each interrupt
disabled
Run system through a sourceto-source translator
¾
¾
¾
Enable interrupt upon request
Disable requested interrupts
upon interrupt
Suppress reentrant interrupts
RID in TinyOS
‹
‹
Implemented RID for five
interrupt vectors
Only bottom-level device driver
files modified
A few LOC modified per vector
¾ Normal developers don’t touch
these files
¾
‹
Use custom CIL extension for
src-src translation of C code
output by nesC compiler
With RID
Without RID
RID Benefits
‹
‹
Enables random testing by
suppressing aberrant and
reentrant interrupts
Hardens embedded system with
respect to unexpected interrupts
after deployment
SW bugs can cause these
¾ So can loose wires, EMI, or other
HW problems
¾
Back to Random Testing
Generate interrupt schedule
Cycle accurate simulation with
interrupt scheduling support
No
Problem?
Yes
Debug!
Interrupt Schedules
‹
List of pairs
¾
‹
(vector #, firing time)
Schedule generator
parameterized by density for
each interrupt vector
Simulator Support
‹
We hacked Avrora – sensor net
simulator from UCLA
¾
Our interrupt scheduling patches
now included in the distribution
Detecting Failure
1.
2.
Ask the application – See if it
responds to network packets
Ask the simulator – Avrora
reports illegal memory access
and illegal instructions
TinyOS Oscilloscope Bug
ADC
request
and int.
time
‹
‹
‹
dataTask
Interrupt stores data into array
dataTask resets buffer pointer
No interlock between interrupt
and task
TinyOS Oscilloscope Bug
random ADC
requests
and interrupts
time
‹
a
r
c
!
h
s
Buffer overrun kills the system
unless dataTask runs on time
‹
Original interrupt schedule that
triggers bug is > 300,000
interrupts
¾
‹
Hard to tell what went wrong!
Used “delta debugging”
algorithm to minimize schedule
Can trigger bug with just 75
interrupts
¾ Bug much easier to find now
¾
‹
Fixing the bug: Easy – add array
bounds check
‹
stack
a
r
c
‹
!
sh
‹
Problem: Stack overflow
kills sensor network
programs
Solution: Compute WC
stack depth through
static analysis of
binaries
Lingering questios:
Is the bound actually
conservative?
¾ If so, how pessimistic is
the bound?
¾
data,
BSS
‹
Answer: Testing
Stack Depth w/o Random
Stack Depth w/Random
Finding Deep Stacks
‹
Pure random testing doesn’t cut it
Program behavior surprisingly
sensitive to interrupt schedule
density and structure
¾ Even running overnight did not find
schedules that make deep stacks
¾
‹
Solution: Genetic algorithm
evolves better interrupt schedules
About 100 generations to find
deepest stack
¾ 3 hours CPU time
¾
Revising a Stack Depth Bound
Conclusions
‹
‹
Random interrupt testing: Good
Restricted Interrupt Discipline
makes it work
Src-src transformation makes RID
easy to implement
¾ GA does directed search for
interesting schedules
¾ Delta finds interesting subsets of
large interrupt schedules
¾
Related documents
lect07
lect07
Profiling I/O Interrupts in Modern Architectures UUCS-99-022 Department of Computer Science
Profiling I/O Interrupts in Modern Architectures UUCS-99-022 Department of Computer Science
Ch3-Example
Ch3-Example
HW1-Answer
HW1-Answer
Learning to Slow Down and Pay Attention
Learning to Slow Down and Pay Attention
CSCI1600: Embedded and Real Time Software
CSCI1600: Embedded and Real Time Software
Download
advertisement