Error detection and recovery method for an embedded system
Technical field
The invention belongs to the field of computer technology, and in particular to an error detection and recovery method for an embedded system.
Background technology
With the rapid development of embedded systems, the current trend is toward system-on-chip architectures with low-power communication modules and low-power supplies. Embedded system design is moving toward smaller and more power-saving devices, and the wireless sensor is an embedded system that has emerged under this trend. A wireless sensor node has sensing and computing capability and communicates wirelessly; the hardware of each sensor node consists of an embedded microprocessor, memory, sensors, a wireless communication module and a battery.
A wireless sensor node is a resource-constrained embedded system, and its microprocessor has no memory management unit. In a wireless sensor network, preventing memory errors from causing system failure is therefore a major issue, and errors are especially likely when modules are dynamically loaded into memory. Each dynamically loadable application module has its own range of memory that it may legally access; any attempt to access memory outside that legal range is regarded as an error.
In practical applications, most wireless sensor nodes are scattered in places that are hard for people to reach, collecting, in place of humans, the information needed from those locations. Because of this, once the sensor network hardware has been deployed, it is not easy for the user to reach these remote nodes and repair errors manually. When the system on a node fails and loses its function, the user cannot learn of the error immediately; the error can only be discovered when the user actively polls the sensed data or waits for the returned data, and errors in the returned data also affect the correctness of the gathered information. Since most microprocessors on wireless sensor nodes currently have no memory management unit, the system on a node cannot stop an application program from accessing the memory belonging to the system core. Such dangerous behaviour affects the normal operation of the node and may cause unexpected system errors.
Summary of the invention
The purpose of the present invention is to provide an error detection and recovery method for an embedded system that prevents an application program from occupying memory belonging to the operating system or to another application program.
The method of detecting embedded system errors in the present invention comprises a static check and a dynamic check. The static check proceeds as follows:
Check all memory access instructions whose target memory address is given statically; these instructions comprise direct call instructions and relative jump instructions. A function call within the same module uses a relative jump instruction, and a function call between different modules uses a direct call instruction. The direct call and relative jump instructions have the following form:
Instruction | Operation
Call k | PC=k
Jmp .+k | PC=PC+k
Jmp .-k | PC=PC-k
If any target address of a direct call is not one of the legal values in the system-call jump table, the module is illegal and cannot be uploaded to the sensor node; if all direct calls target legal values in the jump table, the module is legal.
The dynamic check proceeds as follows:
Step (1). Rewrite the module contents, inserting instructions that pass the memory address to be accessed as a parameter to the dynamic check system for checking. At compile time, if the target address of a given instruction cannot be determined, a check instruction is inserted before it, with the memory address to be accessed as the parameter, to verify the legitimacy of that address. These instructions take three forms: indirect call, load, and store, with the following format:
Instruction | Operation
icall | PC=Z(R31:R30)
ld Rd,X | Rd=[X(R27:R26)]
ld Rd,Y | Rd=[Y(R29:R28)]
ld Rd,Z | Rd=[Z(R31:R30)]
st X,Rr | [X(R27:R26)]=Rr
st Y,Rr | [Y(R29:R28)]=Rr
st Z,Rr | [Z(R31:R30)]=Rr
When a sequence of consecutive load or store instructions occurs whose target addresses are consecutive and whose address register is not modified in between, two address checks are added before the first access instruction of the sequence, for the start and end addresses of the accessed memory range respectively; if both address checks pass, every access in the sequence is legal.
Step (2). Check the called memory address, and check memory loads and stores. When a called address is passed in, the check function first obtains the number of this module, using a system function already provided by the system. It then checks in turn whether the address is a system call entry point, the entry point of another module's function that this module has registered with the system, or a jump within the module itself. If it is any one of these, the access is legal and the function returns; if it is none of them, an error has occurred.
The method of repairing embedded system errors in the present invention is:
Step (1). If an error is detected, the erroneous module stops working immediately;
Step (2). Send a request to the server to replace the erroneous module. After the server receives the request, it checks whether another version is available; if so, it loads the other version onto the sensor node to take over the work of the original module. If not, it retransmits the original version and tries again; if the error occurs again and no other version is found, the repair has failed, and the server records this and informs the user.
With minimal modification of the system architecture, the present invention proposes a method of detecting memory access errors in the SOS system and repairing them by module replacement. It can effectively increase the availability of a wireless sensor network, reduce the chance of memory access errors, and make the collected information more useful. System maintenance in particular becomes easy: there is no need to worry about when a wireless sensor node on the network may fail, because a node that may have failed can be detected and actively repaired without a person waiting at the server at all times.
Embodiment
The present invention is applied on the SOS operating system; the selected sensor node is the Mica2 Mote, whose microprocessor is the Atmega128L, and the instruction set used is the AVR Instruction Set.
The method of detecting embedded system errors comprises a static check and a dynamic check.
The static check proceeds as follows:
Check all memory access instructions whose target memory address is given statically; these instructions comprise direct call instructions and relative jump instructions. A function call within the same module uses a relative jump instruction, and a function call between different modules uses a direct call instruction. The direct call and relative jump instructions have the following form:
Instruction | Operation
Call k | PC=k
Jmp .+k | PC=PC+k
Jmp .-k | PC=PC-k
If any target address of a direct call is not one of the legal values in the system-call jump table, the module is illegal and cannot be uploaded to the sensor node; if all direct calls target legal values in the jump table, the module is legal. The concrete method is: the address of each entry is the start address of the jump table plus the entry's position in the table multiplied by 2. Subtract the start address of the jump table from the address being checked and divide the result by 2; if the result is an integer, the address is legal; otherwise it is illegal.
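The following is an added example of the static check just described, written in C for this page; it is not the patent's or SOS's own code. It applies the rule above (entry address = table start + position * 2, legal when the offset from the table start is divisible by 2) to every direct call in a module image and rejects the module on the first offending call. The jump-table geometry, the instruction representation and the sample modules are constructed; the additional bounds check (target must lie inside the table) is an assumption added for a defensive checker and is not stated in the text.

```c
/* Added example: static check of direct call targets against the
 * system-call jump table. Not the patent's code; geometry is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed jump table: start address, entry count, 2 bytes per entry. */
#define JUMP_TABLE_START      0x0100u
#define JUMP_TABLE_ENTRIES    8u
#define JUMP_TABLE_ENTRY_SIZE 2u   /* "position in the table multiplied by 2" */

/* True when addr is a legal entry of the jump table: inside the table
 * (assumed bounds check) and (addr - start) / 2 leaves no remainder. */
bool is_legal_jump_table_entry(uint16_t addr)
{
    uint16_t end = JUMP_TABLE_START + JUMP_TABLE_ENTRIES * JUMP_TABLE_ENTRY_SIZE;
    if (addr < JUMP_TABLE_START || addr >= end)
        return false;                       /* outside the table altogether */
    return ((addr - JUMP_TABLE_START) % JUMP_TABLE_ENTRY_SIZE) == 0;
}

/* A control-transfer instruction whose target is known statically. */
enum insn_kind { INSN_CALL, INSN_RJMP };

struct static_insn {
    enum insn_kind kind;
    int32_t operand;   /* absolute target for CALL, signed offset for RJMP */
};

/* Static check of a whole module: every direct call must target a legal
 * jump-table entry. Relative jumps stay inside the module and are not
 * checked here. Returns the index of the first offending instruction,
 * or -1 when the module is legal and may be uploaded. */
int static_check_module(const struct static_insn *code, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (code[i].kind != INSN_CALL)
            continue;
        if (!is_legal_jump_table_entry((uint16_t)code[i].operand))
            return (int)i;
    }
    return -1;
}

/* Constructed sample module images. */
static const struct static_insn sample_legal[] = {
    { INSN_CALL, 0x0100 },   /* entry 0 */
    { INSN_RJMP, +4 },       /* intra-module jump, not checked */
    { INSN_CALL, 0x010E },   /* entry 7, the last one */
};

static const struct static_insn sample_illegal[] = {
    { INSN_CALL, 0x0102 },   /* entry 1 */
    { INSN_CALL, 0x0103 },   /* odd offset: lands between two entries */
};

int check_sample_legal(void)
{
    return static_check_module(sample_legal, sizeof(sample_legal) / sizeof(sample_legal[0]));
}

int check_sample_illegal(void)
{
    return static_check_module(sample_illegal, sizeof(sample_illegal) / sizeof(sample_illegal[0]));
}
```

The checker runs on the host before upload, so a module that fails it never reaches the node; the divisibility test alone would accept any even address anywhere in memory, which is why the bounds test is worth adding.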
The dynamic check proceeds as follows:
Step (1). Rewrite the module contents, inserting instructions that pass the memory address to be accessed as a parameter to the dynamic check system for checking. At compile time, if the target address of a given instruction cannot be determined, a check instruction is inserted before it, with the memory address to be accessed as the parameter, to verify the legitimacy of that address. These instructions take three forms: indirect call, load, and store, with the following format:
Instruction | Operation
icall | PC=Z(R31:R30)
ld Rd,X | Rd=[X(R27:R26)]
ld Rd,Y | Rd=[Y(R29:R28)]
ld Rd,Z | Rd=[Z(R31:R30)]
st X,Rr | [X(R27:R26)]=Rr
st Y,Rr | [Y(R29:R28)]=Rr
st Z,Rr | [Z(R31:R30)]=Rr
When a sequence of consecutive load or store instructions occurs whose target addresses are consecutive and whose address register is not modified in between, two address checks are added before the first access instruction of the sequence, for the start and end addresses of the accessed memory range respectively; if both address checks pass, every access in the sequence is legal.
Step (2). Check the called memory address, and check memory loads and stores. When a called address is passed in, the check function first obtains the number of this module, using a system function already provided by the system. It then checks in turn whether the address is a system call entry point, the entry point of another module's function that this module has registered with the system, or a jump within the module itself. If it is any one of these, the access is legal and the function returns; if it is none of them, an error has occurred. The concrete method is: first check the system call entry points, comparing the incoming address with the value of the last entry point; if the incoming address is larger, move on to the next comparison region. If the incoming address is smaller than the start of the jump table, it is an error. Next check the functions of other modules: the loader on the node is modified so that, when a module is loaded, it obtains from the module's archive which functions the module registers with the system and records this information; at check time, if the called function is one that was recorded, the call is legal, otherwise it is illegal. Then check the module's program area: obtain from the loader which segment of the system the module's program area is stored in, that is, the module's start address and the size of its program area, and use this information to determine whether the called address falls within the module's own program area; if it does, the call is legal, otherwise it is illegal.
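As an added example for Step (1) and Step (2) together, not code from the patent or from SOS, the following C shows the check function that the inserted instructions would call: the three-stage test of an indirect call target (system-call entry points compared in order, then the functions of other modules recorded by the loader, then the module's own program area) and the two-endpoint check for a run of consecutive loads or stores. The module record, the system-call entry list and the sample addresses are constructed; treating a load or store as legal only when it falls in the module's own data region follows the statement in the background section that each module has its own accessible range, and the field names used for that region are assumptions.

```c
/* Added example: dynamic check of call targets and data accesses for one
 * loaded module. Not the patent's code; all tables are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_SUBSCRIBED 4

/* What the modified loader records about a loaded module. */
struct module_info {
    uint8_t  id;                          /* module number */
    uint16_t prog_start;                  /* start of the module's program area */
    uint16_t prog_size;                   /* size of the program area */
    uint16_t data_start;                  /* assumed: module's own data region */
    uint16_t data_size;
    uint16_t subscribed[MAX_SUBSCRIBED];  /* entry points of other modules' functions */
    uint8_t  n_subscribed;
};

/* Constructed system-call jump table: entry points in ascending order. */
static const uint16_t syscall_entries[] = { 0x0100, 0x0102, 0x0104, 0x0106 };
#define N_SYSCALLS (sizeof(syscall_entries) / sizeof(syscall_entries[0]))

/* Stage 1: below the table start is an error; otherwise compare entries in
 * order, and once the candidate is larger than the last one the caller
 * moves on to the next comparison region. */
static bool is_syscall_entry(uint16_t addr)
{
    if (addr < syscall_entries[0])
        return false;
    for (size_t i = 0; i < N_SYSCALLS; i++)
        if (syscall_entries[i] == addr)
            return true;
    return false;
}

/* Stage 2: entry point of another module's function recorded at load time. */
static bool is_subscribed_function(const struct module_info *m, uint16_t addr)
{
    for (uint8_t i = 0; i < m->n_subscribed; i++)
        if (m->subscribed[i] == addr)
            return true;
    return false;
}

/* Stage 3: jump inside the module's own program area. */
static bool in_own_program_area(const struct module_info *m, uint16_t addr)
{
    return addr >= m->prog_start && addr < (uint16_t)(m->prog_start + m->prog_size);
}

/* Check inserted before an icall: legal when any stage accepts the address. */
bool check_call_target(const struct module_info *m, uint16_t addr)
{
    return is_syscall_entry(addr) || is_subscribed_function(m, addr) || in_own_program_area(m, addr);
}

/* Check inserted before a single ld/st (assumed criterion: own data region). */
bool check_data_access(const struct module_info *m, uint16_t addr)
{
    return addr >= m->data_start && addr < (uint16_t)(m->data_start + m->data_size);
}

/* Run of consecutive accesses with an unmodified pointer: only the first and
 * last address are checked, as the text prescribes. */
bool check_data_range(const struct module_info *m, uint16_t first, uint16_t last)
{
    return check_data_access(m, first) && check_data_access(m, last);
}

/* Constructed module record, as the loader would have filled it in. */
static const struct module_info sample_module = {
    .id = 3,
    .prog_start = 0x2000, .prog_size = 0x0400,
    .data_start = 0x0800, .data_size = 0x0040,
    .subscribed = { 0x3010, 0x3400 }, .n_subscribed = 2,
};
```

In the described system the check runs on the node itself, so everything it consults (the entry list, the loader's records, the module bounds) must already be resident; the record above is the only state the three stages need.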
The method of repairing embedded system errors is:
Step (1). If an error is detected, the erroneous module stops working immediately;
Step (2). Send a request to the server to replace the erroneous module, and return control to the scheduler so that the next erroneous instruction is not executed. The server receives a message containing the module number, version number and node number, packs it and passes it to the operating platform. When the operating platform receives the server information, it judges whether another corresponding version can be used; if not, it first sends the original version again and records a repeat flag. If another version exists in the system, the server sends a command to the sensor node to unload the erroneous module; after the unloading of the original module is complete, it uploads another module with the same function but a different version to the sensor node. If the request is repeated a second time and there is still only one version, the sensor node number and module number are recorded and the user is informed.
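The following is an added C example of the server-side decision in Step (2); it is not the patent's code. It takes the three fields the text names in the request (module number, version number, node number) and yields one of the three outcomes described: unload and upload another version, resend the original and set a repeat flag, or record the failure and notify the user. The version store, the per-node repeat-flag table, the action names and the rule that version numbers start at 1 are all constructed assumptions.

```c
/* Added example: server-side replacement decision for one request.
 * Not the patent's code; the store and the flag table are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

enum server_action {
    ACT_RESEND_ORIGINAL,    /* no other version yet: retransmit, remember the retry */
    ACT_UNLOAD_THEN_UPLOAD, /* another version exists: unload, then upload it */
    ACT_RECORD_AND_NOTIFY   /* second failure, still one version: give up */
};

struct replace_request {
    uint8_t  module_no;
    uint8_t  version_no;    /* version currently on the node */
    uint16_t node_no;
};

/* Constructed version store: versions the server holds per module.
 * Assumption: version numbers start at 1, so 0 means "none". */
struct module_versions { uint8_t module_no; uint8_t versions[4]; uint8_t n_versions; };

static const struct module_versions store[] = {
    { 1, { 1, 2 }, 2 },   /* module 1 has an alternative version */
    { 2, { 1 },    1 },   /* module 2 has only one version */
};

#define MAX_NODES   16
#define MAX_MODULES 8
/* Repeat flag per (node, module): set once the original has been re-sent. */
static bool repeat_flag[MAX_NODES][MAX_MODULES];
static unsigned failure_log_count;   /* records written for the user */

/* A version of module_no other than `current`, or 0 when there is none. */
static uint8_t find_other_version(uint8_t module_no, uint8_t current)
{
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++) {
        if (store[i].module_no != module_no)
            continue;
        for (uint8_t j = 0; j < store[i].n_versions; j++)
            if (store[i].versions[j] != current)
                return store[i].versions[j];
    }
    return 0;
}

/* Decide the action for one request. *chosen_version receives the version
 * to upload (unload-then-upload) or the original (resend). */
enum server_action handle_replace_request(const struct replace_request *req,
                                          uint8_t *chosen_version)
{
    uint8_t other = find_other_version(req->module_no, req->version_no);
    if (other != 0) {
        *chosen_version = other;
        return ACT_UNLOAD_THEN_UPLOAD;
    }
    bool *flag = &repeat_flag[req->node_no % MAX_NODES][req->module_no % MAX_MODULES];
    if (!*flag) {
        *flag = true;                   /* first failure: try the original once more */
        *chosen_version = req->version_no;
        return ACT_RESEND_ORIGINAL;
    }
    failure_log_count++;                /* second failure with a single version */
    return ACT_RECORD_AND_NOTIFY;
}

unsigned failures_logged(void)
{
    return failure_log_count;
}
```

Keying the repeat flag on (node, module) rather than on the module alone matters: a module that fails on one node and is retried should not be written off on another node that has not yet reported it.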