Random Testing of Interrupt-Driven Software. John Regehr University of Utah

Similar documents
Static Analysis of Embedded C

Static Analysis of Embedded C Code

Last Time. Think carefully about whether you use a heap Look carefully for stack overflow Especially when you have multiple threads

Eliminating Stack Overflow by Abstract Interpretation

Data-flow Analysis for Interruptdriven Microcontroller Software

Software Quality. What is Good Software?

Sensors Network Simulators

Analysis of MS Multiple Excel Vulnerabilities

C++ Undefined Behavior What is it, and why should I care?

Chapter 8: Main Memory

Chapter 8: Memory-Management Strategies

Programming Sensor Networks

CHAPTER 8 - MEMORY MANAGEMENT STRATEGIES

CHAPTER 8: MEMORY MANAGEMENT. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Chapter 8: Main Memory. Operating System Concepts 9 th Edition

Buffer overflow background

Chapter 8: Main Memory

Comprehensive Kernel Instrumentation via Dynamic Binary Translation

ECE/CS 5780/6780: Embedded System Design

Random Testing of Interrupt-Driven Software

COS 318: Operating Systems

Verification & Validation of Open Source

Lecture 4 September Required reading materials for this class

CSE 374 Programming Concepts & Tools. Brandon Myers Winter 2015 Lecture 11 gdb and Debugging (Thanks to Hal Perkins)

Hardening LLVM with Random Testing

An Interrupt is either a Hardware generated CALL (externally derived from a hardware signal)

Computer Science 50: Introduction to Computer Science I Harvard College Fall Quiz 0 Solutions. Answers other than the below may be possible.

Dataflow Languages. Languages for Embedded Systems. Prof. Stephen A. Edwards. March Columbia University

Job Posting (Aug. 19) ECE 425. ARM7 Block Diagram. ARM Programming. Assembly Language Programming. ARM Architecture 9/7/2017. Microprocessor Systems

C++ Undefined Behavior

Memory management. Last modified: Adaptation of Silberschatz, Galvin, Gagne slides for the textbook Applied Operating Systems Concepts

QUIZ on Ch.5. Why is it sometimes not a good idea to place the private part of the interface in a header file?

EE 457 Unit 8. Exceptions What Happens When Things Go Wrong

18-642: Code Style for Compilers

COS 320. Compiling Techniques

Introduction to Embedded Systems. Lab Logistics

Test Driven Development (TDD)

Configuring attack detection and prevention 1

18-600: Recitation #3

Towards a Resilient Operating System for Wireless Sensor Networks

White paper. ARM Cortex -M system crash analysis

1 Execution of main program is suspended. 2 All registers are pushed onto the stack. 3 The ISR, or background thread, is executed.

CS307: Operating Systems

Chapter 7: Main Memory. Operating System Concepts Essentials 8 th Edition

What are Exceptions? EE 457 Unit 8. Exception Processing. Exception Examples 1. Exceptions What Happens When Things Go Wrong

Interrupts and Low Power Features

Group Members: Chetan Fegade Nikhil Mascarenhas. Mentor: Dr. Yann Hang Lee

The Instruction Set. Chapter 5

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Process Synchronization and Communication

How to Power Tune a Device Running on a Linux Kernel for Better Suspend Battery Life ELC2011

Dynamic Control Hazard Avoidance

Outline. Computer programming. Debugging. What is it. Debugging. Hints. Debugging

Configuring attack detection and prevention 1

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

GDB Tutorial. A Walkthrough with Examples. CMSC Spring Last modified March 22, GDB Tutorial

Tolerating Hardware Device Failures in Software. Asim Kadav, Matthew J. Renzelmann, Michael M. Swift University of Wisconsin Madison

Scientific Programming in C IX. Debugging

Memory Analysis tools

18-642: Code Style for Compilers

Creating a String Data Type in C

6.828: OS/Language Co-design. Adam Belay

Investigating IO Interrupts

Hardware, Modularity, and Virtualization CS 111

Chap.6 Limited Direct Execution. Dongkun Shin, SKKU

High Reliability Systems. Lloyd Moore, President

Remedial Java - Excep0ons 3/09/17. (remedial) Java. Jars. Anastasia Bezerianos 1

CSE 153 Design of Operating Systems Fall 18

Low level security. Andrew Ruef

Chapter 8: Memory- Management Strategies. Operating System Concepts 9 th Edition

Improving Linux development with better tools

Memory Safety (cont d) Software Security

Process Coordination and Shared Data

Chapter 8: Memory- Management Strategies. Operating System Concepts 9 th Edition

Chapter 8: Memory- Management Strategies

CSE 333 Lecture 1 - Systems programming

Elements of Transport Protocols

// Initially NULL, points to the dynamically allocated array of bytes. uint8_t *data;

Programming with MPI

Finding Firmware Defects Class T-18 Sean M. Beatty

Testing. Unit, integration, regression, validation, system. OO Testing techniques Application of traditional techniques to OO software

QUIZ Friends class Y;

An Interrupt is either a Hardware generated CALL (externally derived from a hardware signal)

Adding Preemption to TinyOS

Summer 2003 Lecture 12 06/26/03

How projects fail, why they fail and how to prevent failure. All in one easy lecture! DuRant Lewis, Atmel Corporation

Timers and Counters. LISHA/UFSC Prof. Dr. Antônio Augusto Fröhlich Fauze Valério Polpeta Lucas Francisco Wanner.

CSE 374 Programming Concepts & Tools

Process Context & Interrupts. New process can mess up information in old process. (i.e. what if they both use the same register?)

CS370 Operating Systems

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Yielding, General Switching. November Winter Term 2008/2009 Gerd Liefländer Universität Karlsruhe (TH), System Architecture Group

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

Time-Awareness in the Internet of Things. ITSF 2014 Marc Weiss, NIST Consultant

Sendmail crackaddr - Static Analysis strikes back

2. Introduction to Software for Embedded Systems

Pointers, Arrays and Parameters

POLITECNICO DI MILANO. Exception handling. Donatella Sciuto:

Memory Safety for Embedded Devices with nescheck

Transcription:

Random Testing of Interrupt-Driven Software John Regehr University of Utah

Integrated stress testing and debugging Random interrupt testing Source-source transformation Static stack analysis Semantics of interrupts Delta debugging Genetic algorithms

Goal: Stress testing and debugging for interrupt-driven embedded software Why? Interrupts hard to get right Regular testing typically exercises small part of state space Stress testing tends to improve software quality Interrupt-driven software used in safety-critical applications

Specific case: Sensor network nodes running TinyOS Strongly interrupt-driven Application code runs in interrupt mode Highly resource constrained Distributed and opaque magnifies effects of bugs

Obvious stress testing technique: Random interrupt testing fire interrupts at random times Potential show stoppers: Random interrupts can violate application semantics Interrupts can reenter and overflow the stack

request ADC ADC int. random ADC int. time crash! aberrant interrupt

random network interrupts time crash! stack overflow Many embedded systems permit reentrant interrupts

Problem: Interrupts arriving at inconvenient times break applications Solution: Restrict interrupt arrivals First classify each interrupt vector Requested arrives in response to an action taken by the system Spontaneous may arrive at any time

Restricted Interrupt Discipline (RID): Requested interrupts only permit when a request is outstanding Spontaneous interrupts only permit when the interrupt isn t already running

Implementing RID 1. Annotate interrupt requests 2. Ensure that device initialization code leaves each interrupt disabled 3. Run system through a sourceto-source translator Enable interrupt upon request Disable requested interrupts upon interrupt Suppress reentrant interrupts

RID in TinyOS Implemented RID for five interrupt vectors Only bottom-level device driver files modified A few LOC modified per vector Normal developers don t touch these files Use custom CIL extension for src-src translation of C code output by nesc compiler

With RID Without RID

RID Benefits Enables random testing by suppressing aberrant and reentrant interrupts Hardens embedded system with respect to unexpected interrupts after deployment SW bugs can cause these So can loose wires, EMI, or other HW problems

Back to Random Testing Generate interrupt schedule Cycle accurate simulation with interrupt scheduling support No Problem? Yes Debug!

Interrupt Schedules List of pairs (vector #, firing time) Schedule generator parameterized by density for each interrupt vector

Simulator Support We hacked Avrora sensor net simulator from UCLA Our interrupt scheduling patches now included in the distribution

Detecting Failure 1. Ask the application See if it responds to network packets 2. Ask the simulator Avrora reports illegal memory access and illegal instructions

TinyOS Oscilloscope Bug ADC request and int. time datatask Interrupt stores data into array datatask resets buffer pointer No interlock between interrupt and task

TinyOS Oscilloscope Bug random ADC requests and interrupts time crash! Buffer overrun kills the system unless datatask runs on time

Original interrupt schedule that triggers bug is > 300,000 interrupts Hard to tell what went wrong! Used delta debugging algorithm to minimize schedule Can trigger bug with just 75 interrupts Bug much easier to find now Fixing the bug: Easy add array bounds check

stack crash! data, BSS Problem: Stack overflow kills sensor network programs Solution: Compute WC stack depth through static analysis of binaries Lingering questios: Is the bound actually conservative? If so, how pessimistic is the bound? Answer: Testing

Stack Depth w/o Random

Stack Depth w/random

Finding Deep Stacks Pure random testing doesn t cut it Program behavior surprisingly sensitive to interrupt schedule density and structure Even running overnight did not find schedules that make deep stacks Solution: Genetic algorithm evolves better interrupt schedules About 100 generations to find deepest stack 3 hours CPU time

Revising a Stack Depth Bound

Conclusions Random interrupt testing: Good Restricted Interrupt Discipline makes it work Src-src transformation makes RID easy to implement GA does directed search for interesting schedules Delta finds interesting subsets of large interrupt schedules

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback