Institute for Software Systems

Menu

Annotation

Let us consider the following example for demonstrating the use of FITIn: a control software of a passenger elevator where one section takes care of the cleared weight. For the sake of the example, the elevator is described by three bits of the variable state: for indicating power supply, the operating
state, and overload. We also assume a sensor measuring the weight, using negative values to report a failure. In this case, the elevator will stop its service for safety reasons. In this section, we walk the reader through two fault-injection experiments; a video is available from the FITIn website.

As the bits for power and operating are decoupled, a hardware error could lead to an invalid live-lock situation if the operating-bit was cleared independently from the power-bit. Furthermore, corrupting the overload-bit could cause a falsealarm for too much weight.

The source code subject to this FITIn presentation is shown in Fig. 1. We are interested in the reaction of the program if we manipulated any bit of state at an arbitrary time.


                Fig. 1:  An elevator control

 

     
By including fi_client.h, the following macros become available:

  • FITIN_MONITOR_VARIABLE(var)
    After the occurrence of this macro, FITIn will start looking for use-after-loads of var.
     
  • FITIN_MONITOR_MEMORY(mem, size)
    As in the previous case, but instead of giving a variable, one can specify the memory address mem and the original size size manually.
     
  • FITIN_UNMONITOR_VARIABLE(var)
    After the occurrence, FITIn will no longer count accesses to var.
     
  • FITIN_UNMONITOR_MEMORY(mem, size)
    After the occurrence, FITIn will no longer count accesses to mem.

Next, we take the original code, include the header file fi_client.h and place the annotation FITIN_MONITOR_ VARIABLE(state) right after the variable’s declaration in line 14; the resulting modified source code is shown in Fig. 2.
Once all variables of interest have been annotated, the program needs to be recompiled. It is strongly recommended to disable compiler-side optimizations so that the counted accesses at source-code level and internally are kept in sync.

Please note that these annotations only assist you in selecting the target. In your Lua control script, in the callback monitor_address, you can either respect or ignore the annotation. Thus, you do not necessarily need the annotation at all.


             Fig.2: Annotation of the example