To further add robustness to the system, REXIS uses the watchdog timer which resets the system if the watchdog has not been “petted” for more than 2-3 seconds. Normally, the null task, which is a task defined in REXIS and is always runnable, will pet the watchdog whenever it is run.
To use the watchdog:
1. Enable the user watchdog functions (see below).
2. Make sure that you do not have any task that is always runnable (i.e. a task that never makes a blocking kernel call or never blocks is a task that is always runnable), or
3. If you have to have tasks that are always runnable, make sure to “pet the watchdog” periodically.
If the watchdog has not been petted for a while, it can therefore only mean that the system has been corrupted and is no longer functioning properly. The watchdog reset is a hardware reset. NOTE: Using the watchdog is not a foolproof method of ensuring system integrity. For one thing, by definition, when a watchdog resets the system, it means that the system most likely has failed, which should never happen. Here are some of the situations to consider, regardless of whether your system is reset by the watchdog:
If your system has been reset, it maybe because the
watchdog period was set too short, resulting in the watchdog
resetting the system even though the system is 100% functional.
Solution: be sure to set the watchdog period to the
appropriate amount. There is no magic formula to compute the
correct amount, as it depends on your system’s behavior.
Your firmware has become non-functional (e.g.
deadlock’ed), but the watchdog may still be getting petted by the
· Your firmware has become corrupted (e.g. memory corruption), but the watchdog may still be getting petted by the null task. (This is less likely than previous scenario, as in the case of memory corruption, it’s likely that REXIS will fail as well.)
Bottom line: Test, Test, and Test. The watchdog is not a 100% reliable last resort of resetting your system in case of catastrophic errors.