A Effective Verification for Low-Level Software with Competing Interrupts

Interrupts are a key design primitive for embedded software that interacts closely with hardware. The interrupt mechanism enables timely response to outside stimuli in a power-efficient way. Interrupts are common in all styles of computing platforms, including safety-critical embedded software, low-power mobile platforms, and high-end information systems. But interrupt-driven code is difficult to engineer. Device drivers, typical examples of software that use interrupts heavily, are known as the “fault-hotspots” of the Linux Kernel [Chou et al. 2001; Palix et al. 2011]. The crux of the problem is the non-determinism inherent in systems that use interrupts; the hardware can divert control to the interrupt service routine (ISR) at any time, resulting in surprising interactions between the code that is interrupted and the ISR. The problem is exacerbated by interrupt nesting, where the ISR itself can be preempted by interrupts with higher priority. Most existing approaches to validating interrupt-driven software rely on testing. But testing is particularly unreliable in the case of nested interrupts, as the number of possible interleavings—i.e. interspersions of interrupt arrivals into a run of the code—grows exponentially in the number of interrupts that occur. Bugs are therefore easily missed, and any errors that are observed are hard to reproduce.