TY - JOUR
T1 - A dynamic control mechanism of interrupt stack overflow on real-time embedded monitor (REMON)
AU - Nankaku, Shigeki
AU - Kawakami, Hiroyuki
AU - Koizumi, Hisao
AU - Fukuda, Akira
N1 - Publisher Copyright:
©2015 Wiley Periodicals, Inc. Electron Comm Jpn,.
PY - 2015/3/1
Y1 - 2015/3/1
N2 - For embedded systems, it is important to detect changes in the real world and continue processing properly. The changes are represented by external interrupts, and proper processes are implemented by nested interrupt service routines (hereafter ISRs). Here, a necessity of mutual exclusion arises. In a software execution environment without any real-time OS (hereafter RTOS), a traditional mutual exclusion approach was to disable/enable interrupts in a CPU-specific manner. However, this method typically degrades the real-time performance because it defers execution of the mutual-exclusion-free part of the system. Considering this situation, we have been studying a real-time embedded monitor (REMON) which provides a novel mutual exclusion method that can maintain real-time performance without an RTOS. For in-service embedded systems, one major runtime fault is ISR stack overflow (SOF). It is extremely difficult to test all conditions where ISRs are called from various external conditions. Note that the ISR stack holds not only data but also program instruction addresses, and consequently a SOF may cause a fatal system error. In summary, ISR SOF is a significant issue, but it has not previously been addressed by REMON. This paper proposes two safety extension methods for embedded systems using REMON. The first method detects ISR overflow and safely stops the system before triggering a system down or a malfunction. The second method reallocates the ISR stack and resumes system execution automatically.
AB - For embedded systems, it is important to detect changes in the real world and continue processing properly. The changes are represented by external interrupts, and proper processes are implemented by nested interrupt service routines (hereafter ISRs). Here, a necessity of mutual exclusion arises. In a software execution environment without any real-time OS (hereafter RTOS), a traditional mutual exclusion approach was to disable/enable interrupts in a CPU-specific manner. However, this method typically degrades the real-time performance because it defers execution of the mutual-exclusion-free part of the system. Considering this situation, we have been studying a real-time embedded monitor (REMON) which provides a novel mutual exclusion method that can maintain real-time performance without an RTOS. For in-service embedded systems, one major runtime fault is ISR stack overflow (SOF). It is extremely difficult to test all conditions where ISRs are called from various external conditions. Note that the ISR stack holds not only data but also program instruction addresses, and consequently a SOF may cause a fatal system error. In summary, ISR SOF is a significant issue, but it has not previously been addressed by REMON. This paper proposes two safety extension methods for embedded systems using REMON. The first method detects ISR overflow and safely stops the system before triggering a system down or a malfunction. The second method reallocates the ISR stack and resumes system execution automatically.
UR - http://www.scopus.com/inward/record.url?scp=84923312428&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84923312428&partnerID=8YFLogxK
U2 - 10.1002/ecj.11675
DO - 10.1002/ecj.11675
M3 - Article
AN - SCOPUS:84923312428
SN - 1942-9533
VL - 98
SP - 24
EP - 32
JO - Electronics and Communications in Japan
JF - Electronics and Communications in Japan
IS - 3
ER -