Few questions on embedded stuff


I agree that that was probably a mis-edit by Jack and your alternative text seems more like the spirit intended. I think you will find that in his book "The Art of Designing Embedded Systems" he has corrected the sentiments somewhat. I know it makes life more difficult when you have to read between the lines and apply correctives for what is actually written.

"A watchdog timer is a good defense for all but the smallest embedded systems. It's a mechanism that restarts the programme if the software runs amok."

Later he writes "Don't use a bit of clever watchdog code to compensate for software or hardware glitches". I am presuming here that he really means deficiencies in the hardware or software design.

I am not one who blindly follows Jack on all things and we have had some quite extensive discussions over the many years we have known each other through this ng and in private emails.

--
********************************************************************
Paul E. Bennett ....................
Forth based HIDECS Consultancy .....
Mob: +44 (0)7811-639972 .........NOW AVAILABLE:- HIDECS COURSE......
Tel: +44 (0)1235-811095 .... see http://www.feabhas.com for details.
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************
Paul E. Bennett

Hi Paul,

Yes. I guess Guy was pretty much to the point here and I assume his thoughts are similar to mine: A WDT is a good line of last defense but relying on it to "clean up messes" is not good. If it ever had to come on this event should be logged and somebody should then get to work and find out why it came on. It's the same with airbags. If one ever was activated that usually means a crash has occurred and we can be pretty certain that the police will want to find out why that happened.

Regards, Joerg


Joerg

Hi Guy

the use of Ps to cover up inadequate aircraft design is not.

So how about using them for sports activities? Or should I feel guilty now that I ever used one for non-emergencies?

Regards, Joerg


Joerg

Joerg wrote: ...A WDT is a good line of last defense but

Right. But a complex system with lots of resource locks can get into unanticipated states, and one of those might require an automatic reboot - by the WDT. - RM

Rick Merrill

That's the answer that horrifies me.

Andreas

--
It's not the things you don't know what gets you into trouble. It's
the things you do know that just ain't so.
- Will Rogers
Andreas Hadler

Hi Rick,

Those complex systems require thorough documentation including resource locks, extensive design reviews and most of all strict discipline. I have seen very complicated systems that really never locked up but others mainly in the consumer software area that lock up all the time. One of the common problems whenever I was participating in SW reviews used to be that people grabbed memory space but forgot to release it back after their routines had completed. That is the stuff that leads to freezes.

A good version control system helps a lot but it won't do it all.

Regards, Joerg


Joerg

You could try jumping out of an airplane with and without a parachute and see which way you like it better....

Take a couple of lawyers with you.

Guy Macon

Wouldn't that mean that you have race condition(s) in your design, and that you are relying on the automatic reboot to correct the deficiency?

Kim Flowers (Mr.)

Missing in this discussion is an analysis of what SORT of WDOG to use :) I have worked on systems where a device reset pin was better called a Reset-request (sic), and where a pin RESET was NOT enough to cause system recovery from deliberately induced crashes. These were NOT SW lost-state failures, but were external electrical energy events. If you have a chip with a "reset-request" pin, then full power removal/recycle is needed. I have also seen time-window watchdog devices, and also Wdogs with boot-stretch timeouts .....

-jg

Jim Granville

Here's a scenario: The device in question is thoroughly documented and carefully designed. All timings, memory, and other system resources have been carefully constructed so as to assure that no locking contention is possible. It is working very nicely, and a particularly energetic gamma particle flips just one single bit in RAM from a zero to a one. That single bit happens to be the return address from the interrupt that is now running, and so instead of returning to address 0xfe320, it now attempts to return to 0xfe300, which is in the middle of an instruction.

There are a number of possible valid approaches to countering this kind of flaw, and one of them is the use of a WDT. Bad things can happen even in very well designed systems.

OTOH, poorly designed systems will probably have poor operating characteristics whether or not a WDT is used.

Ed

Ed Beroset
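Two points made in the posts above (Joerg: a WDT firing should be logged and investigated; Ed: a WDT is a valid last line of defence against faults such as a corrupted return address) come together in the "supervised kick" pattern below. This is an added example, not code from the thread or from any poster: the hardware watchdog is simulated with a countdown, and the `hw_*` and `wdt_*` names, the task count and the timeout are all assumptions. The main loop only kicks the hardware when every task has checked in since the last kick, and when the countdown expires the "reset" records which tasks had stalled so the event can be logged after boot.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the thread): supervised watchdog kick with a
 * simulated hardware WDT. All names and constants here are assumptions. */

#define NUM_TASKS 3             /* assumed number of monitored tasks */
#define WDT_TIMEOUT_TICKS 10    /* assumed hardware timeout in ticks */

/* Reset record. On real hardware this would live in a RAM region the
 * startup code does not zero (e.g. a .noinit section) so the reason
 * survives the reset and can be logged once the system is back up. */
struct reset_record {
    uint32_t wdt_resets;    /* how many times the WDT has fired */
    uint32_t stalled_mask;  /* tasks that had NOT checked in when it fired */
};
static struct reset_record g_reset;

static const uint32_t ALL_TASKS = (1u << NUM_TASKS) - 1u;
static uint32_t g_checkin_mask;                    /* bit i: task i checked in */
static uint32_t g_hw_countdown = WDT_TIMEOUT_TICKS; /* simulated hardware */

/* Clear all state: used so each simulation starts from a fresh boot. */
void wdt_reset_state(void) {
    memset(&g_reset, 0, sizeof g_reset);
    g_checkin_mask = 0;
    g_hw_countdown = WDT_TIMEOUT_TICKS;
}

/* Each task calls this once per cycle from its own main loop. */
void wdt_task_checkin(unsigned task_id) {
    if (task_id < NUM_TASKS) g_checkin_mask |= (1u << task_id);
}

/* Simulated hardware kick: reloads the countdown. */
static void hw_wdt_kick(void) { g_hw_countdown = WDT_TIMEOUT_TICKS; }

/* Called from the main loop. Kicks the hardware only when every task has
 * checked in, then clears the mask for the next round. Returns true if kicked. */
bool wdt_service(void) {
    if (g_checkin_mask != ALL_TASKS) return false;
    g_checkin_mask = 0;
    hw_wdt_kick();
    return true;
}

/* Simulated hardware timer tick. When the countdown reaches zero the
 * "reset" happens: record the event and the stalled tasks, then reload.
 * Returns true if a reset occurred on this tick. */
bool hw_wdt_tick(void) {
    if (g_hw_countdown > 0) g_hw_countdown--;
    if (g_hw_countdown != 0) return false;
    g_reset.wdt_resets++;
    g_reset.stalled_mask = ALL_TASKS & ~g_checkin_mask;
    g_checkin_mask = 0;
    hw_wdt_kick();
    return true;
}

const struct reset_record *wdt_reset_record(void) { return &g_reset; }

/* Run `ticks` cycles from a fresh boot. Task `stalled` never checks in
 * (-1 = all tasks healthy). Returns how many WDT resets occurred. */
uint32_t simulate(unsigned ticks, int stalled) {
    uint32_t resets = 0;
    wdt_reset_state();
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < NUM_TASKS; i++)
            if ((int)i != stalled) wdt_task_checkin(i);
        wdt_service();
        if (hw_wdt_tick()) resets++;
    }
    return resets;
}

int main(void) {
    printf("all tasks healthy: %u resets\n", simulate(50, -1));
    printf("task 1 stalled:    %u resets\n", simulate(50, 1));
    printf("stalled mask at last reset: 0x%x\n",
           wdt_reset_record()->stalled_mask);
    return 0;
}
```

With all tasks checking in the countdown is reloaded every cycle and never expires; with one task stalled the main loop refuses to kick, the countdown expires every ten ticks, and the record shows exactly which task was missing. The point of the mask is the one Joerg makes: a reset is evidence to be read, not a cleanup to be ignored.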

This has some interesting info on the content-reliability of SRAM:

formatting link

Funny how the vendors are quiet on soft-errors, until they have a structure that reduces it by some 4 digits....

-jg

Jim Granville

Suppose you have 5 processes and 5 resources used (let's say) by each process: how many permutations would that be, and can you think of a way to check out all those timing possibilities? - RM

Rick Merrill

Excellent example: for a sky diver the WDT is an altimeter!!! (Really and Truly) - RM

Rick Merrill

the use of Ps to cover up inadequate aircraft design is not.

Huh? You jumped out of a perfectly good, operating airplane??? Or was it the airplane described at the end of Ganssle's WDT article?

Ben Bradley

What chips have a "reset-request" pin instead of reset?

Ben Bradley

Yes it does, which is why all the remote robots have a WDT: sometimes nature's timing is out of spec (or at least out of the range that you thought was sensible to test!) - RM

Rick Merrill

It is, of course, not labeled as such, (and the IC manufacturers will usually not clearly describe it as such!), but you can find hints in the data, and aggressive testing (ESD and non-monotonic brown outs) can readily show such devices. Quite often, digital chips have a simple, FET+CAP power on reset internally, and that can deliver different reset signals from the RST pin.

-jg

Jim Granville

If you let each process lock multiple resources at a time and different processes do this in a random order, you sooner or later end up in a deadlock situation. Using a WDT to cover this up is IMHO a design flaw.

You can often get a much cleaner design e.g. by allocating a separate "owner" process for each resource (e.g. for each hardware device) and do all the hardware access (or at least do the arbitration) in this owner process. There are far fewer permutations that need to be tested and as such, might even be tested :-) before releasing the product.

Paul

Paul Keinanen
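Rick's question about five processes and five resources, and Paul's answer that random nested locking eventually deadlocks while an owner-process design keeps the permutations testable, can both be made concrete with a lock-order check. The example below is added here and is not from the thread or any poster; the `lockorder_*` names and the three scenarios are assumptions. Each process's nested acquisition sequence contributes "held while acquiring" edges to a directed graph over the resources; a cycle in that graph means two processes can each wait on a lock the other holds. A consistent global order gives an acyclic graph, and the owner-process design gives no edges at all, because no process ever holds more than one resource.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the thread): static lock-order check.
 * order[a][b] == true means some process holds resource a while it
 * acquires resource b. A cycle in this graph is a potential deadlock. */

#define MAX_RES 8
static bool order[MAX_RES][MAX_RES];
static int num_res;

void lockorder_init(int n) {
    num_res = n;
    memset(order, 0, sizeof order);
}

/* Record one process's nested acquisition sequence, e.g. {A, B, C}:
 * A is held when B is taken; A and B are held when C is taken. */
void lockorder_add_process(const int *seq, int len) {
    for (int i = 0; i < len; i++)
        for (int j = i + 1; j < len; j++)
            order[seq[i]][seq[j]] = true;
}

/* Depth-first search with three colours: 0 unvisited, 1 on the current
 * path, 2 fully explored. Reaching a colour-1 node means a back edge. */
static bool dfs(int v, char *colour) {
    colour[v] = 1;
    for (int w = 0; w < num_res; w++) {
        if (!order[v][w]) continue;
        if (colour[w] == 1) return true;
        if (colour[w] == 0 && dfs(w, colour)) return true;
    }
    colour[v] = 2;
    return false;
}

/* Returns true if the recorded lock orders admit a deadlock. */
bool lockorder_has_cycle(void) {
    char colour[MAX_RES] = {0};
    for (int v = 0; v < num_res; v++)
        if (colour[v] == 0 && dfs(v, colour)) return true;
    return false;
}

/* Scenario 1 (constructed): two processes taking two resources in
 * opposite order, the classic lost-update-free but deadlock-prone pair. */
bool example_random_order(void) {
    int p1[] = {0, 1}, p2[] = {1, 0};
    lockorder_init(2);
    lockorder_add_process(p1, 2);
    lockorder_add_process(p2, 2);
    return lockorder_has_cycle();
}

/* Scenario 2 (constructed): five processes, five resources, each process
 * nests a different subset but always in the same global order 0<1<2<3<4. */
bool example_global_order(void) {
    int p1[] = {0, 1, 2}, p2[] = {1, 3}, p3[] = {0, 2, 4},
        p4[] = {2, 3, 4}, p5[] = {0, 4};
    lockorder_init(5);
    lockorder_add_process(p1, 3);
    lockorder_add_process(p2, 2);
    lockorder_add_process(p3, 3);
    lockorder_add_process(p4, 3);
    lockorder_add_process(p5, 2);
    return lockorder_has_cycle();
}

/* Scenario 3 (constructed): owner-process design. Every access goes
 * through the resource's owner one request at a time, so each process
 * holds at most one resource and no nesting edges exist. */
bool example_owner_process(void) {
    int a[] = {0}, b[] = {1}, c[] = {2}, d[] = {3}, e[] = {4};
    lockorder_init(5);
    lockorder_add_process(a, 1);
    lockorder_add_process(b, 1);
    lockorder_add_process(c, 1);
    lockorder_add_process(d, 1);
    lockorder_add_process(e, 1);
    return lockorder_has_cycle();
}

int main(void) {
    printf("opposite order: %s\n", example_random_order() ? "deadlock possible" : "safe");
    printf("global order:   %s\n", example_global_order() ? "deadlock possible" : "safe");
    printf("owner process:  %s\n", example_owner_process() ? "deadlock possible" : "safe");
    return 0;
}
```

The check is conservative: it flags any cycle in the static acquisition order, whether or not the timing ever lines up to trigger it, which is exactly the property you want before shipping rather than relying on a WDT to clean up after a deadlock in the field.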

Why don't blind people like to go skydiving?

(Answer is in the next post. Please try to guess the answer first...)

Guy Macon

. . . . .

It scares the dog.

Guy Macon
