Nathan Cooprider

Efficient memory safety for TinyOS

Reliable sensor network software is difficult to create: applications are concurrent and distributed, hardware-based memory protection is unavailable, and severe resource constraints necessitate the use of unsafe, low-level languages. Our work improves this situation by providing efficient memory and type safety for TinyOS 2 applications running on the Mica2, MicaZ, and TelosB platforms. Safe execution ensures that array and pointer errors are caught before they can corrupt RAM. Our contributions include showing that aggressive optimizations can make safe execution practical in terms of resource usage; developing a technique for efficiently enforcing safety under interrupt-driven concurrency; extending the nesC language and compiler to support safety annotations; finding previously unknown bugs in TinyOS; and, finally, showing that safety can be exploited to increase the availability of sensor networks applications even when memory errors are left unfixed.

Interrupt Verification via Thread Verification

Most of the research effort towards verification of concurrent software has focused on multithreaded code. On the other hand, concurrency in low-end embedded systems is predominantly based on interrupts. Low-end embedded systems are ubiquitous in safety-critical applications such as those supporting transportation and medical automation; their verification is important. Although interrupts are superficially similar to threads, there are subtle semantic differences between the two abstractions. This paper compares and contrasts threads and interrupts from the point of view of verifying the absence of race conditions. We identify a small set of extensions that permit thread verification tools to also verify interrupt-driven software, and we present examples of source-to-source transformations that turn interrupt-driven code into semantically equivalent thread-based code that can be checked by a thread verifier. Finally, we demonstrate a proof-of-concept program transformation tool that converts interrupt-driven sensor network applications into multithreaded code, and we use an existing tool to find race conditions in these applications.

Eliminating the call stack to save RAM

Most programming languages support a call stack in the programming model and also in the runtime system.We show that for applications targeting low-power embedded microcontrollers (MCUs), RAM usage can be significantly decreased by partially or completely eliminating the runtime callstack. We present flattening, a transformation that absorbs a function into its caller, replacing function invocations and returns with jumps. Unlike inlining, flattening does not duplicate the bodies of functions that have multiple callsites. Applied aggressively, flattening results in stack elimination. Flattening is most useful in conjunction with a lifting transformation that moves global variables into a local scope. Flattening and lifting can save RAM. However, even more benefit can be obtained by adapting the compiler to cope with properties of flattened code. First, we show that flattening adds false paths that confuse a standard live variables analysis. The resulting problems can be mitigated by breaking spurious live-range conflicts between variables using information from the unflattened callgraph. Second, we show that the impact of high register pressure due to flattened and lifted code, and consequent spills out of the register allocator, can be mitigated by improving a compilers stack layout optimizations. We have implemented both of these improvements in GCC, and have implemented flattening and lifting as source-to-source transformations. On a collection of applications for the AVR family of 8-bit MCUs, we show that total RAM usage can be reduced by 20% by compiling flattened and lifted programs with our improved GCC.

Offline compression for on-chip ram

We present offline RAM compression, an automated source-to-source transformation that reduces a programs data size. Statically allocated scalars, pointers, structures, and arrays are encoded and packed based on the results of a whole-program analysis in the value set and pointer set domains. We target embedded software written in C that relies heavily on static memory allocation and runs on Harvard-architecture microcontrollers supporting just a few KB of on-chip RAM. On a collection of embedded applications for AVR microcontrollers, our transformation reduces RAM usage by an average of 12%, in addition to a 10% reduction through a dead-data elimination pass that is also driven by our whole-program analysis, for a total RAM savings of 22%. We also developeda technique for giving developers access to a flexible spectrum of tradeoffs between RAM consumption, ROM consumption, and CPU efficiency. This technique is based on a model for estimating the cost/benefit ratio of compressing each variable and then selectively compressing only those variables that present a good value proposition in terms of the desired tradeoffs.

Efficient type and memory safety for tiny embedded systems

We report our experience in implementing type and memory safety in an efficient manner for sensor network nodes running TinyOS: tiny embedded systems running legacy, C-like code. A compiler for a safe language must often insert dynamic checks into the programs it produces; these generally make programs both larger and slower. In this paper, we describe our novel compiler toolchain, which uses a family of techniques to minimize or avoid these run-time costs. Our results show that safety can in fact be implemented cheaply on low-end 8-bit microcontrollers.

Extension of star coordinates into three dimensions

Traditional Star Coordinates displays a multi-variate data set by mapping it to two Cartesian dimensions. This technique facilitates cluster discovery and multi-variate analysis, but binding to two dimensions hides features of the data. Three-dimensional Star Coordinates spreads out data elements to reveal features. This allows the user more intuitive freedom to explore and process the data sets. Three-dimensional Star Coordinates is implemented by extending the data structures and transformation facilities of traditional Star Coordinates. We have given high priority to maintaining the simple, traditional interface. We simultaneously extend existing features, such as scaling of axes, and add new features, such as system rotation in three dimensions. These extensions and additions enhance data visualization and cluster discovery. We use three examples to demonstrate the advantage of three-dimensional Star Coordinates over the traditional system. First, in an analysis of customer churn data, system rotation in three dimensions gives the user new insight into the data. Second, in cluster discovery of car data, the additional dimension allows the true shape of the data to be seen more easily. Third, in a multi-variate analysis of cities, the perception of depth increases the degree to which multi-variate analysis can occur.

Atomicity and visibility in tiny embedded systems

Visibility is a property of a programming languages memory model that determines when values stored by one concurrent computation become visible to other computations. Our work exploits the insight that in nesC, a C-like language with explicit atomicity, the traditional way of ensuring timely visibility---volatile variables---can be entirely avoided. This is advantageous because the volatile qualifier is a notorious source of programming errors and misunderstandings. Furthermore, the volatile qualifier hurts performance by inhibiting many more optimizations than are necessary to ensure visibility. In this paper we extend the semantics of nesCs atomic statements to include a visibility guarantee, we show two ways that these semantics can be implemented, and we also show that our better implementation has no drawbacks in terms of resource usage.

Using sequencing to trigger a better analysis

We improve the static analysis of control flow in programs running on embedded microcontrollers. Our new techniques, called sequencing and triggering analysis, can sometimes determine that the scheduler always runs a collection of tasks in a certain order or that some interrupt handlers are dead or at least cannot fire at certain times. Triggering identifies root causes of indirect control flow through system idioms and programmer annotations. Sequencing propagates the results of triggers through system execution in order to refine our estimate of the program control flow graph. We show that triggering and sequencing improve the effectiveness of static analyses of sensor network applications. Improved static analyses result in better optimizations, increased verification power, and more accurate worst-case-execution time estimations.