Fault Injection Tool
Pavel Čírtek
Fault injection tool
Contents
• Introduction
• C-Sim based components
• Fault injector component
• Conclusion

Definitions
• Fault tolerant systems are used in safety critical applications.
• Fault tolerant (FT) system – a system that provides the required functionality even in the presence of faults.
• Safety critical application – the cost of a failure is much higher than the price of the system, e.g. human lives are in danger or a production plant is stopped.
• Real-time (RT) system – the system responds to events immediately as they occur. Hard RT systems provide guaranteed deadlines.

Fault Tolerance
• A fault is a random or malicious defect introduced into the system. A fault may cause an error state of the system.
• A system enters an error state if its normal operation can no longer be performed (due to a fault). A recognized error does not by itself mean a failure of the system.
• The system fails if it no longer meets the requirements for its proper function.

C-Sim based components
• Simulation library
• Simulation world
• Simulation model
• Simulation program

Simulation library
• A simulation library is a set of object type definitions; it is not executable by itself.
• An object type can be:
  – passive (LINK, HEAD)
  – active (PROCESS)
• Construction for creating an object type:
  – typedef struct {…} TYPE_NAME;
• Type methods are created as C language functions with one parameter typed as TYPE_NAME*.

Simulation world
• A simulation world is an object type that describes an activity, i.e. it is a process type, or it contains at least one attribute of a process type, or it contains an attribute of another world type.
• Public methods:
  – Constructor
  – Interaction(s) – functions to exchange data
  – Execution – a specialized constructor. Creates a separate event list.

Sim. model and program
• A simulation model (SM) is a statically structured set of simulation worlds.
• A sim. model instance is an interconnected set of simulation world instances.
• A sim. program (SP) executes a sim. model.
• Functions in a sim. program:
  – init – creates a model instance
  – some form of main – the simulation loop (because the present C-Sim does not support a world execution constructor)

Fault injector component
• Problem: construction of a universal fault-injector component (world FIC)
• It should be attachable to any C-Sim based simulation model of an FT system (world MFTC)
• Two basic types of fault injection:
  – asynchronous – FI emits a fault whenever
  – synchronous – FI emits a fault according to the model-time value and/or its internal state

Simulation world of FI
• The constructor (if any) only prepares the environment for creating faults
• A type of fault is a class that has its own constructor and attributes
• A fault is an instance of this class
• State of a fault:
  – active – fault injection already running
  – passive – fault is waiting for activation

Fault types
• Single-bit fault – random setting of a bit within a contiguous memory array
• Multiple fault – a group of M single-bit faults at one model time-point
• Burst of faults – a Poisson stream of K multiple faults
• Stream of bursts – a Poisson stream of events, where one event means one burst of faults

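The four fault types above, as an added C example that is not part of the page, of C-Sim, or of the tool described: the target memory is a plain byte array standing in for a model's memory, "random setting of a bit" is implemented as a flip of one randomly chosen bit, and burst timing uses exponential inter-arrival gaps, which is what makes the fault times a Poisson stream. The PRNG (xorshift64), its fixed seed, the libm-free logarithm and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* xorshift64 PRNG with a fixed seed so that a run is reproducible (the page
 * does not describe the tool's random source; this choice is an assumption). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;

static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return rng_state = x;
}

/* Uniform double in the open interval (0, 1): never exactly 0, so ln() is safe. */
static double rng_unit(void) {
    return ((double)(rng_next() >> 11) + 0.5) / 9007199254740992.0;  /* / 2^53 */
}

/* ln(x) for x in (0, 1] by the atanh series, so the example links without libm. */
static double ln_unit(double x) {
    int e = 0;
    while (x < 0.5) { x *= 2.0; e--; }                   /* scale into [0.5, 1] */
    double z = (x - 1.0) / (x + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z2; }
    return 2.0 * sum + e * 0.6931471805599453;            /* 2 atanh(z) + e ln 2 */
}

/* Exponential inter-arrival time with rate lambda: summing these gives the
 * event times of a Poisson stream in model time. */
double poisson_gap(double lambda) {
    return -ln_unit(rng_unit()) / lambda;
}

/* Single-bit fault: flip one randomly chosen bit of mem[0..len). */
void inject_single_bit(uint8_t *mem, size_t len) {
    size_t bit = (size_t)(rng_next() % (uint64_t)(len * 8));
    mem[bit / 8] ^= (uint8_t)(1u << (bit % 8));
}

/* Multiple fault: M single-bit faults at one model time-point. Two of them may
 * hit the same bit, so at most M bits end up changed. */
void inject_multiple(uint8_t *mem, size_t len, unsigned m) {
    for (unsigned i = 0; i < m; i++) inject_single_bit(mem, len);
}

/* Burst of faults: K multiple faults whose model times form a Poisson stream of
 * rate lambda starting at t0. Fault times are stored in times[] when it is
 * non-NULL; the model time of the last fault is returned. */
double inject_burst(uint8_t *mem, size_t len, double t0, unsigned k, unsigned m,
                    double lambda, double *times) {
    double t = t0;
    for (unsigned i = 0; i < k; i++) {
        t += poisson_gap(lambda);
        if (times) times[i] = t;
        inject_multiple(mem, len, m);
    }
    return t;
}

/* Stream of bursts: a Poisson stream of events (rate burst_rate) up to model
 * time t_end, each event being one burst. Returns the number of bursts fired. */
unsigned inject_burst_stream(uint8_t *mem, size_t len, double t_end, double burst_rate,
                             unsigned k, unsigned m, double fault_rate) {
    unsigned bursts = 0;
    for (double t = poisson_gap(burst_rate); t <= t_end; t += poisson_gap(burst_rate)) {
        inject_burst(mem, len, t, k, m, fault_rate, NULL);
        bursts++;
    }
    return bursts;
}

/* Number of bits that differ between two memory images of equal length. */
unsigned diff_bits(const uint8_t *a, const uint8_t *b, size_t len) {
    unsigned n = 0;
    for (size_t i = 0; i < len; i++)
        for (uint8_t x = a[i] ^ b[i]; x; x >>= 1) n += x & 1u;
    return n;
}

int main(void) {
    uint8_t golden[16] = {0}, mem[16] = {0};   /* constructed 128-bit target memory */
    double times[4];
    inject_single_bit(mem, sizeof mem);
    printf("single-bit fault: %u bit changed\n", diff_bits(golden, mem, sizeof mem));
    double last = inject_burst(mem, sizeof mem, 0.0, 4, 3, 2.0, times);
    printf("burst of 4 triple faults: last at model time %.3f, %u bits changed\n",
           last, diff_bits(golden, mem, sizeof mem));
    printf("stream: %u bursts in [0, 10]\n",
           inject_burst_stream(mem, sizeof mem, 10.0, 0.5, 2, 1, 4.0));
    return 0;
}
```

Comparing the faulted image against a golden copy with diff_bits() is how an experiment tells an injected fault from a masked one: a multiple fault with an odd M always leaves at least one bit changed, but two faults of a burst can cancel each other, which is why a result check rather than a count of injections is needed.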
FIC config table
• FIC config table (FICC) – one row describes one fault:
  – pointer to the fault
  – state
  – index (key)
• One instance of FICC “interconnects” the two worlds FIC and MFTC

Interaction (MFTC to FIC)
• FIC has to have a method run_fault(). This function is called from an instance of the MFTC world whenever it wants to “trigger a fault”
• Parameters:
  – pointer to the FICC instance – identifies the interconnection object
  – index (key) into the FICC – selects the fault

Interaction (FIC to MFTC)
• MFTC should have the methods:
  – fi_result() – returns the result of a (previous) fault injection. Its parameters are a pointer to the FICC instance and an index into the FICC
  – init_fi() – should be called during SM construction. Its parameter is a pointer to the FICC instance.

Interaction
• Three main ways of interaction:
  – From FIC to MFTC:
    • the fault injection itself (asynchronous faults)
    • the test of the injection result
  – From MFTC to FIC:
    • calling a fault (synchronous faults)

Initialization
• The initialization function should do the following steps:
  – create an instance of MFTC (using its constructor)
  – create an instance of FIC (i.e. create all necessary fault instances)
  – create an instance of FICC and fill the fault parameters into the rows of the table
  – call the MFTC init_fi() function

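The FICC table, the run_fault()/fi_result()/init_fi() methods, the two interaction directions and the initialization steps above, as one added C example that is not the tool's or C-Sim's code. It follows the deck's own convention of object types as typedef struct and methods as C functions taking a pointer to the type. Everything not on the slides is an assumption made for illustration: the FICC holds a pointer to the model it injects into, a fault is a single-bit flip of a small memory image, the fault fields and return codes, and fic_step(), which stands for the FIC-initiated "fault injection itself" direction by firing faults whose model time has come.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FICC_MAX 8   /* assumed table capacity */
typedef enum { FAULT_PASSIVE = 0, FAULT_ACTIVE = 1 } fault_state;

/* Fault "class": a single-bit fault and the attributes its constructor sets
 * (field names are assumptions; the page does not list them). */
typedef struct {
    size_t byte;        /* target byte of the model's memory */
    unsigned bit;       /* target bit within that byte */
    double due_at;      /* model time at which the FIC fires it on its own */
} fault_t;

/* One FICC row with the three fields the slide lists. */
typedef struct { fault_t *fault; fault_state state; int index; } ficc_row;

typedef struct mftc mftc_t;
/* FICC: the one object both worlds hold a pointer to (model: assumption). */
typedef struct { ficc_row row[FICC_MAX]; int count; mftc_t *model; } ficc_t;

/* MFTC world: the FT-system model, reduced here to a memory image. */
struct mftc { uint8_t mem[8]; ficc_t *ficc; /* ficc is set by init_fi() */ };
/* FIC world: owns the fault instances. */
typedef struct { fault_t faults[FICC_MAX]; int count; } fic_t;

void mftc_ctor(mftc_t *m) { memset(m, 0, sizeof *m); }
void fic_ctor(fic_t *f) { f->count = 0; }
void ficc_ctor(ficc_t *t, mftc_t *model) { t->count = 0; t->model = model; }

/* FIC side: the fault constructor; the instance stays passive until injected. */
fault_t *fic_new_fault(fic_t *f, size_t byte, unsigned bit, double due_at) {
    if (f->count >= FICC_MAX) return NULL;
    f->faults[f->count] = (fault_t){ byte, bit, due_at };
    return &f->faults[f->count++];
}

/* Fill one FICC row; returns its index (key), or -1 when the table is full. */
int ficc_add(ficc_t *t, fault_t *f) {
    if (t->count >= FICC_MAX) return -1;
    t->row[t->count] = (ficc_row){ f, FAULT_PASSIVE, t->count };
    return t->count++;
}

/* MFTC method init_fi(): called during SM construction with the FICC pointer. */
void init_fi(mftc_t *m, ficc_t *t) { m->ficc = t; }

/* FIC method run_fault(): the MFTC calls it to trigger a fault (synchronous
 * injection). Returns 0 on injection, -1 for a bad key, -2 if already active. */
int run_fault(ficc_t *t, int index) {
    if (index < 0 || index >= t->count) return -1;
    ficc_row *r = &t->row[index];
    if (r->state == FAULT_ACTIVE) return -2;
    t->model->mem[r->fault->byte] ^= (uint8_t)(1u << r->fault->bit);
    r->state = FAULT_ACTIVE;
    return 0;
}

/* MFTC method fi_result(): the result of a previous injection as the model
 * sees it: 1 = injected (active), 0 = still waiting (passive), -1 = bad key. */
int fi_result(ficc_t *t, int index) {
    if (index < 0 || index >= t->count) return -1;
    return t->row[index].state == FAULT_ACTIVE ? 1 : 0;
}

/* FIC-initiated injection, the "fault injection itself" direction: fire every
 * passive fault whose due time has passed. Returns how many fired. */
int fic_step(ficc_t *t, double model_time) {
    int fired = 0;
    for (int i = 0; i < t->count; i++)
        if (t->row[i].state == FAULT_PASSIVE && t->row[i].fault->due_at <= model_time)
            fired += (run_fault(t, i) == 0);
    return fired;
}

/* The initialization function, in the order the slide lists its steps. */
void sm_init(mftc_t *m, fic_t *f, ficc_t *t) {
    mftc_ctor(m);                               /* 1. MFTC instance */
    fic_ctor(f);                                /* 2. FIC instance and its faults */
    fault_t *a = fic_new_fault(f, 0, 3, 1.0);   /*    (constructed sample faults) */
    fault_t *b = fic_new_fault(f, 5, 0, 2.5);
    ficc_ctor(t, m);                            /* 3. FICC instance, fill its rows */
    ficc_add(t, a);
    ficc_add(t, b);
    init_fi(m, t);                              /* 4. hand the table to the MFTC */
}

int main(void) {
    mftc_t m; fic_t f; ficc_t t;
    sm_init(&m, &f, &t);
    int rc = run_fault(&t, 0);                  /* the model triggers fault 0 */
    printf("run_fault(0)=%d fi_result(0)=%d mem[0]=0x%02x\n", rc, fi_result(&t, 0), m.mem[0]);
    int fired = fic_step(&t, 3.0);              /* the FIC fires fault 1, due at 2.5 */
    printf("fic_step(3.0) fired %d, mem[5]=0x%02x\n", fired, m.mem[5]);
    return 0;
}
```

The index is the only thing the model needs to know about a fault, which is what makes the component universal: the MFTC never sees the fault's attributes, only a key into the table it received through init_fi(). run_fault() refuses to re-inject an already active row, so a model that asks twice gets a distinct error rather than a silently flipped-back bit.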
Conclusion
• The current version of FIC is customized for FT systems based on the TTP/C protocol
• Advantages of this solution:
  – universal FI component
  – synchronous fault calling
• Disadvantages:
  – no easy way to run massive fault injection experiments