Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), страница 43
Текст из файла (страница 43)
A Bohrbug is a software error that can be reproducedL-deterministically in the data domain by providing a specific input pattern tothe routine that contains the Bohrbug, i.e., a specific pattern of input data thatalways leads to the activation of the underlying Bohrbug. A Heisenbug is asoftware error that can only be observed if the input data and the exact timing ofthe input data – in relation to the timing of all other activities in the computer – arereproduced precisely.
Since the reproduction of a Heisenbug is difficult, manysoftware errors that pass the development and testing phase and show up inoperational systems are Heisenbugs. Since the temporal control structure inevent-triggered systems is dynamic, Heisenbugs are more probable in eventtriggered systems than in time-triggered systems, which have a data-independentstatic control structure.Example: A typical example for a Heisenbug is an error in the synchronization of the dataaccesses in a concurrent system. Such an error can only be observed, if the temporalrelationships between the tasks that access the mutually exclusive data are reproducedprecisely.An error is detected, when a computation accesses the error and finds out thatthe results of the computation deviates from the expectations or the intentions ofthe user, either in the domain of value or the domain of time.
For example, a simple6.1 Basic Concepts139parity check detects an error if it can be assumed that the fault has corrupted only asingle bit of a data word. The time interval between the instant of error ( fault)occurrence and the instant of error detection is called the error-detection latency.The probability that an error is detected is called error-detection coverage. Testing isa technique to detect design faults (software errors and hardware errata) in a system.An error is wiped-out, if a computation overwrites the error with a new valuebefore the error has been activated or detected. An error that has neither beenactivated, detected, or wiped-out is called a latent error. A latent error in the state ofa component results in a silent data corruption (SDC), which can lead to seriousconsequences.Example: Let us assume that a bitflip occurs in a memory cell that is not protected by aparity bit and that this memory cell contains sensory input data about the intended acceleration of an automotive engine.
The consequent silent data corruption can result in anunintended acceleration of the car.6.1.3FailuresA failure is an event that denotes a deviation between the actual behavior andthe intended behavior (the service) of a component, occurring at a particularinstant. Since, in our model, the behavior of a component denotes the sequence ofmessages produced by the component, a failure manifests itself by the productionof an unintended (or no intended) message. Figure 6.3 classifies the failure ofa component:Domain. A failure can occur in the value domain or in the temporal domain.A value failure means that an incorrect value is presented at the component-userinterface.
(Remember, the user can be another system). A temporal failure meansthat a value is presented outside the intended interval of real-time. Temporalfailures only exist if the system specification contains information aboutthe intended temporal behavior of the system. Temporal failures can be subdividedinto early temporal failures and late temporal failures. A component that containsinternal error detection mechanisms in order to detect any error and suppressesa result that contains a value error or an early temporal failure will only exhibit alate temporal failure, i.e., an omission, at the interface to its users.
We call sucha failure an omission failure. A component that only makes omission failures iscalled a fail-silent component. If a component stops working after the firstfailuredomainseverityvaluetemporalFig. 6.3 Classification of failuresfrequencybenign<severity class>malignviewonce (transient)repeatedpermanentconsistentinconsistent1406 Dependabilityomission failure, it is called a fail-stop component. The corresponding failure issometimes called a clean failure or a crash failure.Example: A self-checking component is a component that contains internal failuredetection mechanisms such that it will only exhibit omission failures (or clean failures)at the component-user interface.
A self-checking component can be built out of twodeterministic FCUs that produce two results at about the same time and where thetwo results are checked by a self-checking checker.Example: Fault-injection experiments of the MARS architecture have shown that between1.9% and 11.6% of the observed failures were temporal failures, meaning that a messagewas produced at an unintended instant. An independent time-slice controller, a guardian,has detected all of these temporal failures [Kar95, p. 326].Severity.
Depending on the effect a failure has on its environment, we distinguishbetween two extreme cases, benign and malign failures (see also Sect. 1.5). Thecost of a benign failure is of the same order of magnitude as the loss of the normalutility of the system, whereas a malign failure can result in failure costs that are ordersof magnitude higher than the normal utility of a system, e.g., a malign failure cancause a catastrophe such as an accident. We call applications where malign failurescan occur, safety-critical applications. The characteristics of the application determinewhether a failure is benign or malign. In between these two extreme cases ofbenign and malign, we can assign a severity class to a failure, e.g., based on themonetary impact of a failure or the impact of the failures on the user experience.Example: In a multimedia system, e.g., a digital television set, the failure of a single pixelthat is overwritten in the next cycle is masked by the human perception system.
Such afailure is thus of negligible severity.Frequency. Within a given time interval, a failure can occur only once or repeatedly. If it occurs only once, it is called a single failure. If a system continues tooperate after the failure, we call the failure a transient failure. A frequentlyoccurring transient failure is called a repeated failure. A special case of a singlefailure is a permanent one, i.e., a failure after which the system ceases to provide aservice until an explicit repair action eliminates the cause of the failure.View.
If more than one user looks at a failing component, two cases canbe distinguished: all users see the same failing behavior – we call this a consistentfailure – or different users see different behaviors – we call this an inconsistent failure.In the literature, different names are used for an inconsistent failure: two-facedfailure, Byzantine failure, or malicious failure. Inconsistent failures are most difficultto handle, since they have the potential to confuse the correct components (seeSect. 3.4.1). In high-integrity systems, the occurrence of Byzantine failures mustbe considered [Dri03].Example: Let us assume that a system contains three components.
If one of them fails in aninconsistent failure mode, the other two correct components will have different views of thebehavior of the failing component. In an extreme case, one correct component classifies thefailing component as correct, while the other correct component classifies the failing component as erroneous, leading to an inconsistent view of the failed component among the correctcomponents.6.2 Information Security141Example: A slightly-out-of-specification (SOS) failure is a special case of a Byzantine.SOS failures can occur at the interface between the analog level and the logical level of thefour-universe model (see Sect.
2.3.1). If, in a bus system, the voltage of the high-leveloutput of a sender is slightly below the level specified for the high-level state, then somereceivers might still accept the signal, assuming the value of the signal is high, while othersmight not accept the signal, assuming the value is not high.
SOS failures are of seriousconcern if signals are marginal w.r.t. voltage or timing.Propagation. If an error inside a component is activated and propagates outside theconfines of the component that has been affected by the fault then we speak of errorpropagation. Let us make the simplifying assumption that a component communicates with its environment solely by the exchange of messages and there is noother means of interaction of components (such as a common memory).
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
