Summary of the course Preparing for the exam Infamous real-time systems

Embedded Systems Programming
Lecture 13

Verónica Gaspes
www2.hh.se/staff/vero

Center for Research on Embedded Systems
School of Information Science, Computer and Electrical Engineering

Embedded Systems Programming

Course Goals – from lecture 1
On completion of the course students will be able to
1. program embedded applications
2. program and use a kernel to support concurrency, real-time and reactivity
3. design, structure and analyze programs for embedded systems
4. explain different mechanisms for communication and synchronization between processes
5. explain characteristics of real-time systems and constructions to deal with them in programs
6. compare, select and apply programming language constructs designed for concurrency and real-time

Yet another programming course?

from lecture 1
The programming techniques we learn about in this course address the fact that embedded computer systems are interfaced to physical equipment that they monitor and control.

Concurrency – from lecture 1
A major issue is that external real-world elements exist and evolve in parallel, so we will deal with how to express concurrency in our programs.

Time constrained reactions – from lecture 1
Another issue is the need for timely reaction to the physical environment, so we will also deal with how to express time constraints and achieve reactivity in our programs.

But also . . .

from lecture 1
In embedded systems it is often the case that the programs we write have to directly access the hardware that is connected to the processor.

In order to be able to practice with embedded systems, we start the course from this end! The next two lectures are about using C and programming close to hardware!

Focus

Concurrency
How to write programs using parallel threads of execution

Reactivity
How to write programs whose purpose is to react to events
(ultimately in the form of interrupts)

Real-time
How to write programs whose correctness depends on their
real-time behaviour

Things to think about

Input/output to registers. Bit patterns.
The cyclic executive and busy waiting.
Threads, time slicing, interrupts, critical sections.
Reactive objects, methods and messages.
Real time, timed reactions. Scheduling for the future, periodic tasks, tasks with deadlines.
Priority based scheduling, RM and EDF, preemptive vs non-preemptive, schedulability analysis.
Ada (tasks, select, accept, when, delay until) and Java (threads, monitors, condition variables).

Bits and bytes

Question
The segments of an LCD are controlled via 8-bit registers LCDDRx. The lower bits of LCDDRx are used to control 4 of the segments used to build a character in one position, while the higher bits are used to control the same segments but at another position. If you know that variable nibble contains the bit configuration needed for turning on some segments, show what you have to assign to LCDDRx in order to turn on these segments in each of the two positions.

Answer
LCDDRx = (LCDDRx & 0xF0) | nibble;        // lower part
LCDDRx = (LCDDRx & 0x0F) | (nibble << 4); // higher part
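An added example (not from the lecture) that wraps the answer above in C functions over a simulated LCDDRx and shows why masking nibble to four bits before the OR matters: an unmasked value with stray high bits clobbers the other character position. The register and the values are constructed for the simulation.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated LCDDRx. On the real part it is a memory-mapped volatile register,
   so each assignment in the answer is a read-modify-write of the hardware. */
static uint8_t LCDDRx = 0x00;

/* The answer as written: keep the upper position, OR the nibble into the
   lower one. Nothing stops bits 4..7 of `nibble` from landing in the upper
   position if a caller hands over more than four bits. */
uint8_t low_position_unmasked(uint8_t reg, uint8_t nibble) {
    return (uint8_t)((reg & 0xF0) | nibble);
}

/* Same operation with the nibble masked to four bits first, so a caller's
   stray high bits cannot corrupt the other character position. */
uint8_t low_position(uint8_t reg, uint8_t nibble) {
    return (uint8_t)((reg & 0xF0) | (nibble & 0x0F));
}

/* The upper position: keep the lower four bits, shift the masked nibble up. */
uint8_t high_position(uint8_t reg, uint8_t nibble) {
    return (uint8_t)((reg & 0x0F) | ((nibble & 0x0F) << 4));
}

/* Both positions in one write, when both are known: a single register write
   instead of two read-modify-write sequences, which shrinks the window in
   which an interrupt handler that also touches LCDDRx could interleave. */
uint8_t both_positions(uint8_t low, uint8_t high) {
    return (uint8_t)(((high & 0x0F) << 4) | (low & 0x0F));
}

int main(void) {
    LCDDRx = low_position(LCDDRx, 0x0B);    /* lower position: 1011 */
    LCDDRx = high_position(LCDDRx, 0x06);   /* upper position: 0110 */
    printf("LCDDRx = 0x%02X\n", LCDDRx);    /* 0x6B */
    printf("0xFA into low unmasked: 0x%02X, masked: 0x%02X\n",
           low_position_unmasked(LCDDRx, 0xFA), low_position(LCDDRx, 0xFA));
    return 0;
}
```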

The cyclic executive
Question
Below you find the definition of two functions that use busy waiting to detect changes in ports A and B respectively. You are asked to implement a program that has to wait for changes from either port A or port B, whichever comes first. Solve this in a platform with no support for concurrency. Explain and motivate!

The busy waiting functions are

void waitForA(){
    while(!PORTA_READY);
}
void waitForB(){
    while(!PORTB_READY);
}

The cyclic executive

Answer
while(1){
    sleepUntilNextTimerInterrupt();
    if(PORTA_READY){ /* record that it is port A */ }
    if(PORTB_READY){ /* record that it is port B */ }
    /* do what has to be done */
}

The busy-waiting functions had to be taken apart to be able to detect either event (a sequence of two busy-waiting functions imposes an order and might shadow one of the events). The timer is used to avoid using all CPU cycles while waiting. Its period should be set to trade power against responsiveness.
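An added example, not from the lecture, that runs the polling loop above and the rejected waitForA(); waitForB(); sequence over a constructed tick trace of the two port flags, to show the shadowing the answer warns about. The traces and the event encoding are constructed for the simulation.

```c
#include <stdbool.h>
#include <stdio.h>

/* One entry per timer tick: what the two port flags would read if the
   cyclic executive polled them at that tick (constructed trace, not real I/O). */
typedef struct { bool porta_ready; bool portb_ready; } Tick;

enum { EV_NONE = 0, EV_A = 1, EV_B = 2 };

/* The cyclic executive from the answer: wake on each timer tick, poll both
   ports, record whichever is ready. Returns the event bits seen first and
   stores the tick in *when (EV_NONE and -1 if the trace ends first). */
int poll_either(const Tick *trace, int n, int *when) {
    for (int t = 0; t < n; t++) {             /* sleepUntilNextTimerInterrupt() */
        int ev = EV_NONE;
        if (trace[t].porta_ready) ev |= EV_A; /* record it is port A */
        if (trace[t].portb_ready) ev |= EV_B; /* record it is port B */
        if (ev != EV_NONE) { *when = t; return ev; }
    }
    *when = -1;
    return EV_NONE;
}

int first_event_tick(const Tick *trace, int n) {
    int when;
    poll_either(trace, n, &when);
    return when;
}

/* The rejected alternative, waitForA(); waitForB(); in sequence. The busy
   wait on A consumes every tick until A is ready; only then is B looked at,
   so a B pulse that came and went meanwhile is lost. Returns the tick at
   which B was finally seen, or -1 if it was shadowed. */
int wait_a_then_b(const Tick *trace, int n) {
    int t = 0;
    while (t < n && !trace[t].porta_ready) t++;   /* waitForA */
    while (t < n && !trace[t].portb_ready) t++;   /* waitForB */
    return t < n ? t : -1;
}

/* Constructed trace: B is ready only at ticks 1 and 2, A from tick 5 on. */
const Tick TRACE_B_FIRST[] = {
    {false, false}, {false, true}, {false, true}, {false, false},
    {false, false}, {true, false}, {true, false},
};
const int TRACE_B_FIRST_LEN = 7;

/* Constructed trace: both ports become ready in the same tick. */
const Tick TRACE_BOTH[] = { {false, false}, {true, true} };
const int TRACE_BOTH_LEN = 2;

int main(void) {
    int when, ev = poll_either(TRACE_B_FIRST, TRACE_B_FIRST_LEN, &when);
    printf("polling: event bits %d at tick %d\n", ev, when);
    printf("waitForA then waitForB: B seen at tick %d\n",
           wait_a_then_b(TRACE_B_FIRST, TRACE_B_FIRST_LEN));
    return 0;
}
```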

Threads, timeslicing, interrupts, critical sections
Question
Give two program fragments that cannot be arbitrarily interleaved; meaning that running them concurrently may produce a result that is different from running them sequentially in either order. Show how to protect from arbitrary interleaving using a mutex.

Answer
global variable int x;

fragment A:          fragment B:
    x++;                 x++;

**************************************************
global variable int x;
global variable mutex m;

fragment A:          fragment B:
    lock(&m);            lock(&m);
    x++;                 x++;
    unlock(&m);          unlock(&m);
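An added example (not from the lecture) that models x++ as the three machine steps load, add and store, and enumerates every interleaving of the two fragments with and without the mutex, to show which ones lose an update. The step model and the schedule notation are constructed.

```c
#include <stdio.h>

/* Model of the two fragments. x++ is not one instruction but three: load x
   into a register, add 1, store the register back. Threads A (0) and B (1)
   each run exactly these three steps on the shared x. */
enum { LOAD = 0, ADD = 1, STORE = 2, STEPS = 3 };

typedef struct { int x; int reg[2]; int pc[2]; int lock_owner; } Model;

static void step(Model *m, int who) {
    switch (m->pc[who]++) {
    case LOAD:  m->reg[who] = m->x; break;
    case ADD:   m->reg[who] += 1;   break;
    case STORE: m->x = m->reg[who]; break;
    }
}

/* Run one interleaving given as a string of three 'A's and three 'B's, e.g.
   "AAABBB" or "ABABAB", and return the final x (2 when no update is lost). */
int run_unprotected(const char *schedule) {
    Model m = { 0, {0, 0}, {0, 0}, -1 };
    for (const char *p = schedule; *p; p++) step(&m, *p == 'A' ? 0 : 1);
    return m.x;
}

/* Same schedule with the mutex: a thread takes m before its LOAD and
   releases it after its STORE. When the scheduler picks a thread while the
   other holds the lock, that thread is blocked in lock(&m) and makes no
   progress; it runs its three steps once the lock is free. */
int run_with_mutex(const char *schedule) {
    Model m = { 0, {0, 0}, {0, 0}, -1 };
    for (const char *p = schedule; *p; p++) {
        int who = (*p == 'A') ? 0 : 1;
        if (m.pc[who] == STEPS) continue;                          /* done */
        if (m.lock_owner != -1 && m.lock_owner != who) continue;   /* blocked */
        if (m.pc[who] == LOAD) m.lock_owner = who;                 /* lock(&m) */
        step(&m, who);
        if (m.pc[who] == STEPS) m.lock_owner = -1;                 /* unlock(&m) */
    }
    /* Drain: the lock holder finishes its critical section, then the other. */
    int first = (m.lock_owner == -1) ? 0 : m.lock_owner;
    for (int k = 0; k < 2; k++) {
        int who = (first + k) % 2;
        while (m.pc[who] < STEPS) step(&m, who);
    }
    return m.x;
}

/* Enumerate all 20 interleavings (6 slots, choose 3 for A) and count those
   that end with x != 2, i.e. with one increment lost. */
int count_lost_updates(int use_mutex) {
    int lost = 0;
    for (int bits = 0; bits < 64; bits++) {
        char sched[7];
        int as = 0;
        for (int i = 0; i < 6; i++) {
            int a = (bits >> i) & 1;
            sched[i] = a ? 'A' : 'B';
            as += a;
        }
        sched[6] = '\0';
        if (as != 3) continue;
        int x = use_mutex ? run_with_mutex(sched) : run_unprotected(sched);
        if (x != 2) lost++;
    }
    return lost;
}

int main(void) {
    printf("ABABAB unprotected: x = %d, with mutex: x = %d\n",
           run_unprotected("ABABAB"), run_with_mutex("ABABAB"));
    printf("lost updates in 20 interleavings: %d unprotected, %d with mutex\n",
           count_lost_updates(0), count_lost_updates(1));
    return 0;
}
```

Only the two fully sequential orders, AAABBB and BBBAAA, keep both increments; every other interleaving reads x before the other thread's store and loses one.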

Reactive objects, methods and messages

Question
Define a (TinyTimber) class that turns a port into a reactive object (might be needed if there are several threads trying to read/write to the same port in one program: it is a critical section!).

Answer
typedef struct {
    Object super;
    unsigned char *port;
} Proxy;

#define initProxy(port) {initObject(), port}

Answer
int set(Proxy *self, unsigned char bits){
    *self->port = *self->port | bits;    // read-modify-write, serialized by the object
    return 0;
}

int clr(Proxy *self, unsigned char bits){
    *self->port = *self->port & ~bits;
    return 0;
}

Timed reactions, baselines, deadlines, periods
Question
Implement the class of a reactive object that
calls a function doA every T milliseconds (periodically)
calls a function doB every T milliseconds (periodically), but delayed D milliseconds relative to the activation of doA (D is the phase)
can react to a message setPhase that can change the phase.

Answer
typedef struct {
    Object super;
    int T;
    int D;
} Wave;
#define initWave(t,d) {initObject(), t, d}

Answer
int doA(Wave *self, int nothing);
int doB(Wave *self, int nothing);

int turnOn(Wave *self, int nothing){
    ASYNC(self, doA, 0);
    return 0;
}
int setPhase(Wave *self, int phase){
    self->D = phase;
    return 0;
}
// not in the .h file: private!
int doA(Wave *self, int nothing){
    AFTER(MSEC(self->D), self, doB, 0);
    AFTER(MSEC(self->T), self, doA, 0);
    // do A!
    return 0;
}
int doB(Wave *self, int nothing){
    // do B!
    return 0;
}

Priority based scheduling, schedulability analysis

Question
Explain RM and EDF priority scheduling.

Answer
Rate monotonic assigns priorities according to the period: the shorter the period, the higher the priority. With the typical inverted priority scale, the period might be the priority value. Only the relative priorities are relevant. It is a static method.
EDF assigns priorities according to time to (absolute) deadline: the shorter the time to deadline, the higher the priority. Different activations of the same task might get different priorities. It is a dynamic method.
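An added example, not from the lecture, in C: RM priority ordering, EDF job selection and the schedulability tests for a constructed task set. It goes a little beyond the answer above by including the Liu and Layland utilization bound and an exact response-time analysis, both standard results for fixed priorities; the task set is chosen so that it fails the bound test, passes the exact test and is EDF-schedulable. Task parameters and the EDF job snapshots are constructed.

```c
#include <stdbool.h>

/* Periodic task with WCET C and period T (deadline = period), times in ms. */
typedef struct { const char *name; int C; int T; } Task;

/* One activation (job) of a task: absolute release and deadline, work left. */
typedef struct { int task; int release; int deadline; int remaining; } Job;

/* Rate monotonic: static priorities, shortest period first. Fills order[]
   with task indexes from highest to lowest priority (stable insertion sort,
   at most 16 tasks assumed). */
void rm_order(const Task *ts, int n, int *order) {
    for (int i = 0; i < n; i++) order[i] = i;
    for (int i = 1; i < n; i++) {
        int k = order[i], j = i - 1;
        while (j >= 0 && ts[order[j]].T > ts[k].T) { order[j + 1] = order[j]; j--; }
        order[j + 1] = k;
    }
}

/* Index of the task holding RM priority position pos (0 = highest). */
int rm_task_at(const Task *ts, int n, int pos) {
    int order[16];
    rm_order(ts, n, order);
    return order[pos];
}

/* EDF: dynamic priorities. Among the jobs released by `now` and not yet
   finished, pick the one with the earliest absolute deadline (-1 if none). */
int edf_pick(const Job *jobs, int n, int now) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (jobs[i].release > now || jobs[i].remaining <= 0) continue;
        if (best < 0 || jobs[i].deadline < jobs[best].deadline) best = i;
    }
    return best;
}

double utilization(const Task *ts, int n) {
    double u = 0.0;
    for (int i = 0; i < n; i++) u += (double)ts[i].C / ts[i].T;
    return u;
}

/* Liu and Layland bound for RM, U <= n(2^(1/n) - 1), rewritten as
   (1 + U/n)^n <= 2 so that no math library is needed. Sufficient only: a
   task set that fails this test may still be schedulable under RM. */
bool rm_bound_ok(const Task *ts, int n) {
    double base = 1.0 + utilization(ts, n) / n, p = 1.0;
    for (int i = 0; i < n; i++) p *= base;
    return p <= 2.0;
}

/* Exact test for fixed priorities: worst-case response time of the task at
   RM position pos, iterating R = C + sum over higher-priority j of
   ceil(R / T_j) * C_j until it converges. Returns -1 once R exceeds T. */
int rm_response_time(const Task *ts, int n, int pos) {
    int order[16];
    rm_order(ts, n, order);
    const Task *t = &ts[order[pos]];
    int r = t->C;
    for (;;) {
        int next = t->C;
        for (int j = 0; j < pos; j++) {
            const Task *h = &ts[order[j]];
            next += ((r + h->T - 1) / h->T) * h->C;      /* ceil(r / T_j) * C_j */
        }
        if (next > t->T) return -1;
        if (next == r) return r;
        r = next;
    }
}

bool rm_schedulable(const Task *ts, int n) {
    for (int i = 0; i < n; i++)
        if (rm_response_time(ts, n, i) < 0) return false;
    return true;
}

/* EDF with deadlines equal to periods is schedulable iff U <= 1. */
bool edf_schedulable(const Task *ts, int n) { return utilization(ts, n) <= 1.0; }

/* Constructed task set, listed deliberately out of period order. U = 0.85. */
const Task TASKS[] = { {"T3", 2, 10}, {"T1", 1, 4}, {"T2", 2, 5} };
const int NTASKS = 3;

/* Constructed EDF snapshots (the task field indexes TASKS). At t = 0 every
   first job is released and T1 (deadline 4) goes first; at t = 4 T2's first
   job (deadline 5) still has work left when T1's second job (deadline 8)
   arrives, so the same task T1 now ranks below T2: dynamic priorities. */
const Job SNAP_T0[] = { {1, 0, 4, 1}, {2, 0, 5, 2}, {0, 0, 10, 2} };
const Job SNAP_T4[] = { {2, 0, 5, 1}, {0, 0, 10, 2}, {1, 4, 8, 1} };
const int NSNAP = 3;
```

For this set the utilization bound for three tasks is about 0.78, so the bound test is inconclusive at U = 0.85, while the response times (1, 3 and 8 ms against periods 4, 5 and 10 ms) show RM does meet every deadline.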

Ada and Java

Question
Show how to implement a bounded buffer in Ada using tasks with entries.

Answer
task type Bounded_Buffer is
   entry Deposit(N : in Integer);
   entry Fetch(N : out Integer);
end Bounded_Buffer;

Answer
task body Bounded_Buffer is
   SIZE   : Positive := 10;
   Count  : Natural := 0;
   Front  : Natural := 0;
   Rear   : Natural := 0;
   Buffer : array (0 .. SIZE - 1) of Integer;
begin
   loop
      select
         when Count < SIZE =>
            accept Deposit(N : in Integer) do
               Buffer(Rear) := N;
               Rear := (Rear + 1) mod SIZE;
               Count := Count + 1;
            end Deposit;
      or
         when Count > 0 =>
            accept Fetch(N : out Integer) do
               N := Buffer(Front);
               Front := (Front + 1) mod SIZE;
               Count := Count - 1;
            end Fetch;
      end select;
   end loop;
end Bounded_Buffer;

Therac 25

You can find more information about it on Wikipedia at

http://en.wikipedia.org/wiki/Therac-25

Therac 25

Background
The Therac-25 was a computer controlled therapeutic radiation machine for the treatment of tumors.
Deployed in the mid 80s, it was a modernized successor to a highly successful, but slow and bulky machine: the Therac-20.
Massive radiation overdoses generated by the machine resulted in deaths or severe injuries for at least six people in the USA and Canada 1985-1987.
The machine was redesigned in 1987 as the result of multiple federal investigations.

Therac-25 functionality

Two modes: a low energy electron beam mode and a high energy electron mode.

Therac-25 computer

DEC PDP-11 responsible for
Scanning operator input
Positioning the turntable with the tungsten shield
Setting up the electron gun, bending magnets, and various other devices
Performing treatment timing
Executing extensive safety checks

Controlled via an ASCII-based terminal in a remote room, using cursor keys for moving between input fields.

Therac-25 software design

Reconstructed accident cause 1

The operator erroneously enters X-ray mode, realizes the mistake, and switches back to electron mode, all within 8 seconds.

During that time window, the treatment phase task is ignoring the keyboard entry flag because it is delaying in a busy-wait loop while bending magnets are being set up. Thus the new mode is never copied over to the variable read by the gun emission control task.

The other tasks register the edit, though, so the turntable is moved and the screen updated accordingly.

This results in the patient being exposed to unshielded, high energy radiation, with no indication to the operator.
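An added example (not from the lecture and not Therac-25 code) that models the reconstructed cause 1 as a tick-driven simulation: a treatment task that samples the entered mode once and then busy-waits on the magnets cannot see an edit made during the wait, while the turntable task can. The hardened variant adds an interlock of my own that re-reads pending edits and refuses to fire on a mode mismatch. All names, ticks and the simplified task structure are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed, simplified model of cause 1 (not the Therac-25 source). The
   keyboard handler writes mode_entered and raises a flag; the turntable task
   copies the mode on its own; the treatment task copies it into the variable
   the gun control reads, but only when it is actually polling the flag. */
enum { ELECTRON = 0, XRAY = 1 };
enum { FIRE_OK_ELECTRON, FIRE_OK_XRAY, FIRE_UNSHIELDED, REFUSED };

typedef struct {
    int mode_entered;        /* last mode typed by the operator */
    bool entry_flag;         /* "there is an edit not yet consumed" */
    int mode_for_gun;        /* what gun emission control will fire with */
    int mode_for_turntable;  /* what the turntable was positioned for */
} Machine;

void operator_edit(Machine *m, int mode) { m->mode_entered = mode; m->entry_flag = true; }
void turntable_task(Machine *m) { m->mode_for_turntable = m->mode_entered; }

/* Tick-driven scenario. Tick 0: X-ray is typed by mistake, the treatment
   task copies it and starts an 8-tick busy wait for the bending magnets.
   At edit_tick the operator corrects the mode to electron. With `hardened`
   an interlock (added here, not in the original) re-reads pending edits and
   refuses to fire if gun and turntable disagree. Returns a FIRE_* code. */
int treatment_outcome(int edit_tick, bool hardened) {
    Machine m = { ELECTRON, false, ELECTRON, ELECTRON };
    const int setup_done_at = 8;
    operator_edit(&m, XRAY);
    turntable_task(&m);
    m.mode_for_gun = m.mode_entered;          /* treatment task samples the entry once */
    m.entry_flag = false;
    for (int now = 1; now <= setup_done_at; now++) {
        if (now == edit_tick) {               /* operator switches back to electron */
            operator_edit(&m, ELECTRON);
            turntable_task(&m);               /* the turntable task registers the edit */
        }
        /* the treatment task does not: it is spinning on the magnets, not
           polling entry_flag, so mode_for_gun keeps the stale X-ray value */
    }
    if (hardened) {
        if (m.entry_flag) { m.mode_for_gun = m.mode_entered; m.entry_flag = false; }
        if (m.mode_for_gun != m.mode_for_turntable) return REFUSED;
    }
    if (m.mode_for_gun != m.mode_for_turntable) return FIRE_UNSHIELDED;
    return m.mode_for_gun == XRAY ? FIRE_OK_XRAY : FIRE_OK_ELECTRON;
}

int main(void) {
    printf("edit at tick 3: original outcome %d, hardened outcome %d\n",
           treatment_outcome(3, false), treatment_outcome(3, true));
    return 0;
}
```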

Reconstructed accident cause 2

When input parameters are unverified or inconsistent, the
treatment monitor task periodically runs a procedure that
increments a counter

This counter is used as a flag by the housekeeping task, indicating
whether gun firing should be enabled or not

However, as the counter is only 8 bits, it wraps around every 256
ticks, and the "flag" will temporarily indicate a zero condition!

If the "set" command is given at that instant, inconsistencies are
not checked, and unshielded high-energy radiation may result
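The wrap-around window is easy to make visible. The following is an added example and not code from the lecture: a tick-driven model of the monitor task incrementing a shared 8-bit variable and the housekeeping task honouring a "set" only when that variable reads zero. The variable name, the three update policies and the tick counts are assumptions. With parameters that stay inconsistent for the whole run, the wrapping counter accepts a "set" on ticks 256, 512 and 768; a saturating counter or a plain boolean never does, and all three behave identically on the normal, consistent path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the lecture: a tick-driven model of the monitor
 * and housekeeping tasks from the slide. Names and policies are assumptions. */

typedef enum { POLICY_WRAP, POLICY_SATURATE, POLICY_BOOL } policy_t;
typedef struct { int set_accepted; int first_accepted_tick; } report_t;

/* Runs `ticks` ticks. `consistent` fixes the result of the monitor task's
 * parameter check for the whole run; with consistent=false every accepted
 * "set" is a check that was skipped. */
static report_t run_monitor(int ticks, policy_t policy, bool consistent)
{
    uint8_t flag = 0;                 /* shared: non-zero is meant to say "do not set" */
    report_t r = { 0, -1 };
    for (int t = 1; t <= ticks; t++) {
        /* treatment monitor task */
        if (consistent) {
            flag = 0;
        } else switch (policy) {
        case POLICY_WRAP:     flag++;                        break; /* reads 0 again after 256 increments */
        case POLICY_SATURATE: if (flag < UINT8_MAX) flag++;  break; /* sticks at 255 */
        case POLICY_BOOL:     flag = 1;                      break; /* a flag is a flag, not a count */
        }
        /* housekeeping task: a "set" is honoured only when the flag reads zero */
        if (flag == 0) {
            r.set_accepted++;
            if (r.first_accepted_tick < 0) r.first_accepted_tick = t;
        }
    }
    return r;
}

int main(void)
{
    static const char *name[] = { "wrap", "saturate", "bool" };
    for (int p = POLICY_WRAP; p <= POLICY_BOOL; p++) {
        report_t bad = run_monitor(1000, (policy_t)p, false);
        report_t ok  = run_monitor(1000, (policy_t)p, true);
        printf("%-8s inconsistent: %d sets accepted (first at tick %d); consistent: %d accepted\n",
               name[p], bad.set_accepted, bad.first_accepted_tick, ok.set_accepted);
    }
    return 0;
}
```

The deeper point is the type: a quantity that is only ever compared with zero is a boolean, and storing it in an incrementing integer invites exactly this wrap. Where a count is genuinely wanted, it must saturate, and the consumer should test the condition it cares about rather than a coincidental zero.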

Additional facts

The Therac-25 software was written in assembly language by a
single person, who also wrote the context-switching "kernel"

Few people seem to have had any clear idea of how the software
really worked

Safety analyses for the machine never took timing errors into
account

It turned out that the Therac-20 also contained the same bugs,
but there, hardware sensors and fuses were used as an extra safety
net against high radiation

Basic lesson
Never synchronize using flags!