Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
8.6. Implementation<br />
8.6.6. Error Handling<br />
Since faults [78, pp. 12-14] not only can occur in concrete hardware components, which means<br />
in the PSM, but neither can be avoided completely in the implementation of the PIM, error<br />
handling is also an issue for the openETCS domain framework. An error is the incarnation<br />
of a fault as a deviation from the normal operation of the framework [78, pp. 12-14]. For<br />
fault detection or rather error propagation, exceptions [79] are used. This means if in a<br />
method of the domain framework a fault is detected that cannot be handled by the method<br />
itself, a corr<strong>es</strong>ponding exception is thrown. Mostly, exceptions may occur in data and control<br />
flows, which must be handled by the parent CEVCStateMachine object. The ETCS SRS<br />
already defin<strong>es</strong> EVC Mod<strong>es</strong> and procedur<strong>es</strong> [88] in the case of an error that lead to a system<br />
failure [78, pp. 12-14]. Thus, the error handling is part of the concrete openETCS model<br />
while only the propagation is part of the openETCS domain framework. Furthermore, from<br />
the view of the domain framework, a system failure 11 may never occur because all errors<br />
r<strong>es</strong>pectively all thrown exceptions in the execution of CEVCState objects are handled by the<br />
parent CEVCStateMachine instance. Of course, from the view of the EVC, those errors lead to<br />
system failur<strong>es</strong> because in the r<strong>es</strong>ulting failure Mod<strong>es</strong> the EVC cannot perform its required<br />
function.<br />
The most relevant origin of possible faults is the PSM or rather the HWSpecificImplementations<br />
sourc<strong>es</strong> because obviously not any possible specific implementation can be for<strong>es</strong>een. On<br />
the one hand, faults may occur in the hardware itself. Those faults can be propagated to any<br />
connected proxy by a D-Bus signal while the r<strong>es</strong>ulting error can be then thrown by the related<br />
function block object. This kind of error propagation pr<strong>es</strong>um<strong>es</strong> a correct implementation of<br />
the HWSpecificImplementations source code. As already discussed in detail in Chapter 6, this<br />
pr<strong>es</strong>umption is not valid for the PSM and any supplier implementations in general, which was<br />
the reason for the separation of PIM and PSM in different execution environments. A grave<br />
issue for the execution of the openETCS domain framework data flow is the execution time<br />
of calls to platform specific adaptors since a constant sample time may not be exceeded (see<br />
Subsection 8.6.2). To avoid a dead-lock situation in the data flow thread caused by infinite<br />
r<strong>es</strong>ponse tim<strong>es</strong> of platform-specific implementations, all D-Bus calls are done with a certain<br />
time-out value. If this value is overrun, the waiting for the call is aborted and an exception is<br />
thrown.<br />
There is a minor set of errors that cannot be handled by CEVCStateMachine class. Those<br />
may occur in methods that are called by an external actor, which mainly means the EVC.<br />
Neverthel<strong>es</strong>s, those are limited to methods of CEVCStateMachine for starting and stopping<br />
the execution, and methods used during the instantiation of the domain framework class<strong>es</strong> by<br />
the generated code from the openETCS model. The latter on<strong>es</strong> must be avoided by a correct<br />
generator implementation and the checking of the static semantics.<br />
In the domain framework, each method is declared with the exception typ<strong>es</strong> it can raise [79]<br />
to provide a transparent chain for error propagation. This is also done for methods that cannot<br />
throw any exception type at all. Additionally, for certain fault and error categori<strong>es</strong>, different<br />
C++ typ<strong>es</strong> as class<strong>es</strong> are defined. Those are shown in Figure 8.23 as UML class diagram.<br />
CException is the parent class for all concrete exceptions typ<strong>es</strong> in the domain framework.<br />
11 in the meaning of a unexpected and unwanted proc<strong>es</strong>s termination<br />
155