Watchdog timer

A watchdog timer (or computer operating properly (COP) timer) is a computer hardware or software timer that triggers a system reset or other corrective action if the main program, due to some fault condition such as a hang, neglects to service the watchdog regularly. Servicing the watchdog means writing a "service pulse" to it, also referred to as "kicking the dog", "petting the dog", "feeding the watchdog"[1] or "waking the watchdog". The intention is to bring the system back from the unresponsive state into normal operation.

Watchdog timers can be more complex, attempting to save debug information (that is, information useful for debugging the problem that caused the fault) onto a persistent medium. In this case a second, simpler watchdog timer ensures that if the first watchdog timer does not report completion of its information-saving task within a certain amount of time, the system will reset with or without the information saved. The most common use of watchdog timers is in embedded systems, where this specialized timer is often a built-in unit of a microcontroller.
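The two-stage arrangement described above can be modelled as a small tick-driven state machine. This is an added example, not code from the original page; the type and function names, the tick-based timing and the timeout values (3 and 5 ticks) are assumptions made for illustration.

```c
#include <stdint.h>

/* Added illustration: names and values are assumptions; timeouts are in ticks and must be > 0. */
enum wd_state { WD_RUNNING, WD_DUMPING, WD_RESET_SAVED, WD_RESET_UNSAVED };

struct watchdog {
    enum wd_state state;
    uint32_t main_reload, main_count; /* stage 1: supervises the main program */
    uint32_t dump_reload, dump_count; /* stage 2: supervises the debug dump */
};

void wd_init(struct watchdog *w, uint32_t main_timeout, uint32_t dump_timeout) {
    *w = (struct watchdog){ WD_RUNNING, main_timeout, main_timeout, dump_timeout, 0 };
}

/* Service pulse: ignored once stage 1 has expired, so a late kick cannot cancel the reset. */
void wd_kick(struct watchdog *w) {
    if (w->state == WD_RUNNING) w->main_count = w->main_reload;
}

/* The dump routine reports that its information-saving task is complete. */
void wd_dump_done(struct watchdog *w) {
    if (w->state == WD_DUMPING) w->state = WD_RESET_SAVED;
}

/* One tick of a clock that the supervised code cannot stall. */
void wd_tick(struct watchdog *w) {
    if (w->state == WD_RUNNING && --w->main_count == 0) {
        w->state = WD_DUMPING;           /* stage 1 expired: start the dump */
        w->dump_count = w->dump_reload;  /* and arm stage 2 */
    } else if (w->state == WD_DUMPING && --w->dump_count == 0) {
        w->state = WD_RESET_UNSAVED;     /* dump overran: reset without it */
    }
}

/* Constructed scenario: kick every tick until hang_at; dump needs dump_ticks (0 = dump hangs). */
enum wd_state simulate(uint32_t hang_at, uint32_t dump_ticks, uint32_t max_ticks) {
    struct watchdog w;
    uint32_t dumped = 0;
    wd_init(&w, 3, 5);
    for (uint32_t t = 0; t < max_ticks && w.state < WD_RESET_SAVED; t++) {
        if (t < hang_at) wd_kick(&w);
        if (w.state == WD_DUMPING && dump_ticks && ++dumped == dump_ticks) wd_dump_done(&w);
        wd_tick(&w);
    }
    return w.state;
}

int main(void) { return simulate(10, 0, 100) == WD_RESET_UNSAVED ? 0 : 1; }
```

In this model a hang followed by a prompt dump ends in `WD_RESET_SAVED`, while a dump that hangs or overruns its own timeout still ends in a reset (`WD_RESET_UNSAVED`).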

Even more complex watchdog timers may be used to run untrusted code in a sandbox: they place an upper bound on the CPU time available to the untrusted code and thus prevent some types of denial-of-service attack.[2]

Watchdog timers may also trigger fail-safe control systems to move into a safety state, such as turning off motors, high-voltage electrical outputs, and other potentially dangerous subsystems until the fault is cleared.

For those embedded systems that cannot be constantly watched by a human, watchdog timers may be the solution. For example, most embedded systems need to be self-reliant, and it is not usually possible to wait for someone to reboot them if the software hangs. Some embedded designs, such as space probes, are simply not accessible to human operators. If their software ever hangs, such systems are permanently disabled. In cases similar to these, a watchdog timer can help in solving the problem.

The watchdog timer is a chip external to the processor. However, it can also be included within the same chip as the CPU, as is done in many microcontrollers. In either case, the watchdog timer is tied directly to the processor's reset signal. Expansion-card-based watchdog timers also exist and can be fitted to computers without an onboard watchdog.

References

  1. United States Patent 5694444
  2. "The Grenade Timer: Fortifying the Watchdog Timer Against Malicious Mobile Code" by Frank Stajano and Ross Anderson (2000). Gives most of the benefits of "protected mode" hardware to "very low-cost microcontrollers" that don't have protected mode hardware, using "very frugal hardware resources".
