17/8/2015

Topic: Exception Handling

Exception Handling
Carnegie Mellon University
18-849b Dependable Embedded Systems
Spring 1999
Author: Charles P. Shelton

Abstract:
Exceptional conditions are things that occur in a system that are not expected or are not a part of normal system operation. When the system handles these exceptional conditions improperly, it can lead to failures and system crashes. Exception failures are estimated to cause two-thirds of system crashes and fifty percent of computer system security vulnerabilities. Exception handling is especially important in embedded and real-time computer systems because software in these systems cannot easily be fixed or replaced, and they must deal with the unpredictability of the real world. Robust exception handling in software can improve software fault tolerance and fault avoidance, but no structured techniques exist for implementing dependable exception handling. However, many exceptional conditions can be anticipated when the system is designed, and protection against these conditions can be incorporated into the system. Traditional software engineering techniques such as code walkthroughs and software testing can illuminate more exceptional conditions to be caught, such as bad input for functions and memory and data errors. However, it is impossible to cover all exceptional cases. It is also difficult to design a dependable system that can tolerate truly unexpected conditions. In these cases, some form of graceful degradation is necessary to safely bring down the system without causing major hazards.

Contents:
Introduction
Key Concepts
Programmed Exception Handling
Default Exception Handling
Real-Time System Constraints
Available tools, techniques, and metrics
Dependability Cases
Xept
Ballista
Relationship to other topics
Conclusions
Annotated Reference List

http://users.ece.cmu.edu/~koopman/des_s99/exceptions/

1/7

Introduction
Exception handling is the method of building a system to detect and recover from exceptional conditions. Exceptional conditions are any unexpected occurrences that are not accounted for in a system's normal operation. It is difficult to protect a system from the effects of exceptional conditions because, by nature, not all unusual occurrences can be anticipated when the system is designed. Some examples of exceptional conditions are incorrect inputs from the user, bit-level memory or data corruption, software design defects that cause a system to enter an undefined state, and environmental anomalies. If these exceptional conditions are not properly caught and handled, they can cause an error or failure in the system. Failures due to exceptions are estimated to account for two-thirds of system crashes and fifty percent of system security vulnerabilities [Maxion98].

Exception handling is different from fault tolerance. Fault tolerance focuses on keeping known error states from causing system failures. Exception handling deals with the undefined and unanticipated conditions that, if left unchecked, can propagate through the system and cause a fault. Exception handling is more like fault avoidance or fault containment. I submit that exception handling is more difficult than fault tolerance because it must deal with all the unpredictabilities of the system.

When designing an embedded system, exception handling is usually focused on software. In fact, more than two-thirds of code written for systems is devoted to properly detecting and handling exceptions. However, most software testing efforts focus on exercising the correct operation of code, and not on determining how robust it is to exceptional conditions [Cristian80]. Therefore, exception handling code is the least tested and most susceptible to bugs.

Exception handling should also not be ignored in system components other than software. Hardware and user interface components should also have some built-in protection from exceptional conditions as well as having some system-level protection. This was one of the problems with the Therac-25 medical device. The Therac-20 had hardware interlocks to prevent lethal doses of radiation that were removed in the Therac-25. Thus, unknown software defects that were effectively neutralized in the Therac-20 were exposed in the Therac-25 and caused several deaths (both machines used the same basic software). This illustrates the need for system-level as well as component-level exception handling mechanisms.

Unfortunately, no well-defined techniques exist for building robust exception handling into a system. Most methods are ad hoc and limited to what the design team can anticipate the system will encounter. Luckily, many of the most common problems can easily be avoided as long as code is written to check for them. Many exception failures in commercial libraries are linked to simple conditions such as checking that a pointer is not null before dereferencing it, or checking that a file is open before attempting to read or write to it. Good software engineering practices such as code reviews, code walkthroughs, and thorough testing can illuminate many of these exceptional conditions, but are limited to the software of the system. It is also difficult to model the complex interactions of system components at the design phase to determine where other problems lie.

It is unrealistic to build a system that is completely bulletproof to exceptional conditions because we cannot anticipate all possible situations. Therefore it is necessary to build in default exception handlers that will attempt to recover from any of these unanticipated conditions. If the application is somewhat safety-critical or has real-time deadlines, some form of graceful degradation must be put in place to reduce the harm or damage done by any system failures.

Key Concepts
Exception handling techniques can be separated into two broad categories: programmed exception handling and default exception handling. In some cases programmed exception handling is capable of doing forward error recovery, but both programmed and default exception handling methods can perform backward error recovery. Forward error recovery can mask any exceptional occurrences and continue normal operation. Backward error recovery must halt normal system execution and attempt to return to a previous normal state to continue execution and retry the operation. Checkpointing and recovery is a technique of backward error recovery for tolerating transient or intermittent conditions.

Programmed Exception Handling
Programmed exception handling modules are mechanisms built into software for specific exceptional cases that are known to be likely to occur. Since these occurrences are relatively well understood, protection for them can be incorporated into the system. When a program is executing, if one of the exceptional conditions is detected, control is passed from the main process block to the special exception handling block. This code will deviate from normal execution to compensate for the exceptional condition and will attempt to mask it to prevent propagating an error condition to higher levels in the software hierarchy.

If the condition cannot be recovered, the exception handler may call checkpointing recovery code to return the system to a known state before the exception occurrence and retry the operation.

Default Exception Handling
For all the exceptional conditions that are not anticipated by the system designers, default exception handlers must be built. The default handlers may be within the programming language or operating environment itself, transparent to the application developer. They must be a catch-all for any unexpected exceptions, and must also be responsible for containing exceptions due to design defects.

Exceptional conditions due to design defects are especially dangerous because they will always be present. If you knew about all design defects in a system a priori, they would have been eliminated before building the system. Since we have not yet learned how to design perfect systems, it is important that exception handlers can reduce the impact of design defects as much as possible.

In most cases, default exception handlers cannot do much to continue system operation. In the best cases they can use the checkpointing and recovery system to mask transient errors, but for truly exceptional conditions that cause error states, the best that can be hoped for is a graceful program termination.

In order to achieve robust operation, as much exception handling as possible is desired. However, exception handling overhead may be too great for real-time systems and make timing and scheduling difficult.
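As an added illustration (not code from the original page), the following C program puts the mechanisms from the Key Concepts, Programmed and Default Exception Handling sections side by side: a programmed handler that masks an anticipated out-of-range sample (forward recovery), and a catch-all that performs backward recovery by rolling back to a checkpoint and retrying, giving up after a bounded number of retries so the caller can degrade gracefully. The filter state, the valid sample range and the fault-injection hook are constructed for the example.

```c
#include <setjmp.h>

/* Hypothetical filter state protected by the step below. */
typedef struct { double filtered; int samples; } State;

static jmp_buf recovery_point;  /* where the catch-all handler resumes */
static State checkpoint;        /* last known-good state */
int injected_faults = 0;        /* constructed hook: simulate N transient faults */
State last_state;               /* state left behind by the last demo() call */

/* Programmed handler for an anticipated condition: an out-of-range sample is
 * masked by repeating the last filtered value, so normal operation continues. */
static double accept_sample(const State *s, double raw) {
    if (raw < -100.0 || raw > 100.0) return s->filtered;
    return raw;
}

/* The step being protected. The injected fault stands in for a condition the
 * designer did not anticipate; control is handed to the catch-all handler. */
static void process(State *s, double raw) {
    double x = accept_sample(s, raw);
    if (injected_faults > 0) {
        injected_faults--;
        longjmp(recovery_point, 1);
    }
    s->filtered = (s->filtered * s->samples + x) / (s->samples + 1);
    s->samples++;
}

/* Default (catch-all) handler doing backward error recovery: roll back to the
 * checkpoint and retry. Returns the retries used, or -1 when the fault
 * persists; the state is then left as checkpointed for graceful degradation. */
int run_step(State *s, double raw, int max_retries) {
    volatile int retries = 0;   /* volatile: modified between setjmp and longjmp */
    checkpoint = *s;
    if (setjmp(recovery_point) != 0) {
        *s = checkpoint;
        if (retries >= max_retries) return -1;
        retries++;
    }
    process(s, raw);
    return retries;
}

/* Start from a fixed state (filtered = 10, one sample), inject `faults`
 * transient faults, process one sample and expose the result in last_state. */
int demo(double raw, int faults) {
    State s = { 10.0, 1 };
    injected_faults = faults;
    int r = run_step(&s, raw, 2);
    last_state = s;
    return r;
}
```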

Real-Time System Constraints
In real-time systems, timing and meeting deadlines are the first priority, especially for safety-critical systems. However, if exceptional conditions occur, there must be some detection and recovery mechanisms in place to prevent error propagation. The extent and complexity of the exception handling mechanisms will make it difficult to calculate and meet timing constraints [Colnaric93]. Either the scheduling will have to be worst case, making performance worst case, or exception handling will have to be sacrificed. This is a tradeoff between getting results on time, or getting correct results. Some research is being done in constructing models that use object-oriented techniques to account for both real-time constraints and exception handling mechanisms, so that they can be more easily and compatibly designed [Romanovsky98].

Available tools, techniques, and metrics
As discussed above, there are no mature methods for generating robust exception handlers or ensuring that all exceptions have been accounted for, but there is research being done in these areas. Extending traditional software engineering practices to use dependability cases for generating exceptional conditions is one technique. Another technique called Xept provides an instrumentation language for structured generation of wrappers for exceptional inputs to software library modules. Another problem is that there are no accepted ways of measuring how robust a system is to exceptional conditions. The Ballista project has developed a methodology for automatically testing and comparing the relative robustness of software modules.

Dependability Cases
It is hypothesized that exceptional conditions are not guarded in software because designers do not think of them. Dependability cases aim to provide a general framework and methodology for generating scenarios of exceptional conditions so the system designer can build exception handlers for them into the system. This technique, when used in conjunction with good software engineering processes, is supposed to improve software robustness. Hazard analysis techniques such as fault trees and fishbone diagrams are used to aid the designer in anticipating exceptional conditions. Using dependability cases, a taxonomy of exceptional conditions can be developed. For example, [Maxion98] describes the CHILDREN mnemonic for exceptions:
Computational problem
Hardware problem
I/O and file problems
Library function problem
Data input problem
Return value problem: function or procedure call
External user/client problem
Null pointer and memory problems

However, since it is impossible to anticipate and cover all exceptional conditions, it is unclear how much of an improvement dependability cases can make in the system's software. Whatever taxonomy of exceptional conditions we develop, it may exclude a key class of exceptions, leaving the system vulnerable. However, this more structured approach is better than ad hoc methods.

Xept
Xept is a method of generating wrappers for software modules. Using an instrumentation language, you can generate code to check for exceptional inputs before passing parameters to library functions [Vo97]. This is particularly useful for Commercial Off-The-Shelf (COTS) software where source code may not be available and the programmer only has access to the module interface. Many COTS software modules are not as robust as they can be, and extra protection must be built into the system if you use these components in your software. Xept provides a structured method of instrumenting application code to mask and handle exceptions in library code. However, in order to generate these exception handlers, the conditions to be protected against must already be known. Xept does not detect exceptional conditions, it only provides a way of correcting for them.

Ballista
The Ballista software testing methodology focuses on passing exceptional inputs at the module level and recording the results. Ballista is completely automated and can demonstrate repeatable, atomic responses to exceptional conditions from unexpected parameters. It is scalable because testing is based on the parameters passed to the function, not the function's operation [Kropp98]. Therefore, once test cases for data types are developed, any function that uses those data types can be tested. This is ideal for testing COTS software and making comparisons between different implementations of the same application programming interface (API). Since Ballista focuses on repeatable results, it is only useful for component testing and cannot detect exceptional conditions due to complex interactions between system components. Also, when testing modules, the tester must come up with the exceptional inputs for the data types to be tested. However, as the system grows, a database of exceptional values is being kept and can be reused for the same data type.
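As an added example (not code from the page nor from the Xept or Ballista projects), this C program combines the two ideas from the Xept and Ballista sections: a Xept-style wrapper that screens memcpy's parameters before the library sees them, and a Ballista-style driver that combines per-data-type pools of exceptional values, runs each call in a child process and records the response. The value pools, the size bound and the response classes are constructed for the illustration; the driver assumes a POSIX system (fork/waitpid).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*copy_fn)(void *dst, const void *src, size_t n);

/* The unscreened "COTS" call under test: only its interface is known. */
static int raw_memcpy(void *dst, const void *src, size_t n) { memcpy(dst, src, n); return 0; }

/* Xept-style wrapper: check the parameters before the library sees them,
 * turning NULL pointers, oversized lengths and overlap into error codes. */
static int checked_memcpy(void *dst, const void *src, size_t n) {
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0) return 0;
    if (dst == NULL || src == NULL) return EINVAL;
    if (n > 4096) return EOVERFLOW;              /* hypothetical size bound */
    if (d < s + n && s < d + n) return EINVAL;   /* overlap: memcpy is undefined */
    memcpy(dst, src, n);
    return 0;
}

/* Response recorded for one call. The call runs in a child process so that
 * a crash is recorded by the tester rather than suffered by it. */
enum response { PASS, ERROR_RETURN, CRASHED };
static enum response probe(copy_fn fn, void *dst, const void *src, size_t n) {
    int status = 0;
    fflush(stdout);                              /* do not duplicate buffered output */
    pid_t pid = fork();
    if (pid == 0) _exit(fn(dst, src, n) == 0 ? 0 : 1);
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status)) return CRASHED;
    return WEXITSTATUS(status) == 0 ? PASS : ERROR_RETURN;
}

/* Ballista-style value pools, one per data type (constructed), reusable for
 * any function that takes pointers and sizes. */
static char buf_a[64], buf_b[64];
static void *ptr_pool[] = { buf_a, buf_b, NULL, buf_a + 1 };
static size_t size_pool[] = { 0, 1, 32, SIZE_MAX };

/* Exhaustively combine the pools (4 x 4 x 4 calls). Returns how many calls did
 * not PASS, or, when crashes_only is set, how many were killed by a signal. */
int count_failures(copy_fn fn, int crashes_only) {
    int failures = 0;
    for (int i = 0; i < 4; i++) for (int j = 0; j < 4; j++) for (int k = 0; k < 4; k++) {
        enum response r = probe(fn, ptr_pool[i], ptr_pool[j], size_pool[k]);
        failures += crashes_only ? (r == CRASHED) : (r != PASS);
    }
    return failures;
}
```

Running count_failures on raw_memcpy and on checked_memcpy with the same pools gives the repeatable, per-call comparison the text describes: the wrapper never crashes, while the raw call does for NULL pointers and the oversized length.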

Relationship to other topics
Exception handling is a method of achieving system robustness, and is also related to fault tolerance and error recovery.

Robustness: Exception handling is a technique for designing a robust system. Robustness is defined as the degree to which a system can function in the presence of invalid inputs or stressful environmental conditions. These are exceptional conditions.

Software Testing: Testing is currently the only metric we have for measuring how well a system can handle exceptional conditions. It is also used to uncover any cases previously unanticipated. Unfortunately, the problem of completely testing any system for all possible occurrences is intractable.

Fault Tolerant Computing: Fault tolerant computing is similar to robustness and exception handling, but deals with controlling and containing system or component errors after they have occurred. Exception handling attempts to keep unanticipated conditions from causing faults.

Software Fault Tolerance: Fault tolerance in software is especially important since software is quickly becoming the most complex and integral part of any embedded system. Software exception handling can improve software fault tolerance by preventing exceptional conditions from becoming software faults.

Checkpoint/Recovery: Checkpoint/Recovery is a method that can recover from some transient and intermittent failures and can mask exceptional occurrences.

Security: Many security vulnerabilities are caused by not properly containing exceptional conditions. For example, many security holes are caused by race conditions and by not detecting a memory buffer overflow. These vulnerabilities can be exploited by people to gain access to and tamper with restricted systems.

Human Interface/Human Error: Since input from a human user is one of the most likely places that exceptional and invalid inputs can be generated in an embedded system, the user interface should be able to prevent the operator from causing a fault condition. The interface should constrain the user to only entering valid inputs into the system.


Conclusions
The following ideas are the important ones to take away from reading about this topic:

Exception handling differs from fault tolerance, but they are related. Fault tolerance deals with correcting for known error conditions. Exception handling can be seen as fault avoidance or fault containment. Unexpected conditions must be masked before they can cause a fault in the system.

It is not possible to cover every exception within a closed system. There are unanticipated situations that the system cannot compensate for.

Where you draw the system boundary determines the level of exception handling you can do. For example, if you only look at the software, environmental exceptional conditions cannot be sufficiently handled. If a human operator is part of the system, there may be more exceptions that can be covered, but with less certainty.

Coverage is a major problem. It is unrealistic to cover all exceptional conditions because they are not predictable.

It is difficult to develop strategies to safely handle exceptions for unanticipated situations. Most methods are ad hoc and based on previous experience.

In real-time systems, there is a tension between developing robust exception handlers for safety and correctness, and meeting timing constraints.

Annotated Reference List
[Colnaric93] Colnaric, Matjaz; Halang, Wolfgang A., "Exception Handling and Predictability in Hard Real-Time Systems." SAFECOMP '93. 12th International Conference on Computer Safety, Reliability and Security, October 1993, pp. 371-378.
This paper discusses the concerns of implementing exception handling and accounting for unpredictability in the face of the timing constraints in hard real-time systems.

[Cristian80] Cristian, Flaviu, "Exception Handling and Software Fault Tolerance." 10th International Symposium on Fault-Tolerant Computing, October 1980, pp. 97-103.
Basic concepts in software exception handling and mathematical definitions.

[Kropp98] Kropp, Nathan P.; Koopman, Philip J.; Siewiorek, Daniel P., "Automated robustness testing of off-the-shelf software components." Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing, June 1998, pp. 230-239.
Motivation, methodology, and results of applying the Ballista software testing technology to POSIX operating systems.

[Maxion98] Maxion, Roy A.; Olszewski, Robert T., "Improving Software Robustness With Dependability Cases." Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing, June 1998, pp. 346-355.
Introduces the technique of dependability cases and how it can help improve exception handling.

[Romanovsky98] Romanovsky, Alexander; Xu, Jie; Randell, Brian, "Exception Handling in Object-Oriented Real-Time Distributed Systems." First International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC '98), April 1998, pp. 32-42.
Research into using object-oriented programming techniques to build structured exception handling into real-time systems.

[Vo97] Vo, Kiem-Phong; Wang, Yi-Min; Chung, P. Emerald; Huang, Yennun, "Xept: A Software Instrumentation Method for Exception Handling." Eighth International Symposium on Software Reliability Engineering, November 1997, pp. 60-69.
Information about Xept, the motivation, methodology, and the instrumentation language developed.