LLExec Watchdog

From Axel Public Wiki
 
Latest revision as of 09:15, 29 July 2022

LLExec has two optional watchdog systems which can be used to protect a target PLC from abnormal termination of the process, or from lock and starvation conditions.
The two mechanisms are the Hardware Watchdog and the Software Watchdog.

Hardware Watchdog

The hardware watchdog depends on having a controller with a watchdog hardware circuit on the board. It is realized by a software component, LLSupportDaemon, which is external to the LLExec process, performs some diagnostic tasks and collaborates with the LLExec process to handle the hardware circuit.
It works on realtime systems where, on a given processor, a higher priority task can preempt a lower priority task and cannot be preempted by a lower priority task.
The watchdog task in the LLSupportDaemon is a realtime task running at a priority which must be lower than the priority of all the LLExec realtime tasks it is meant to protect. It wakes up cyclically and, if there is a mark value written by LLExec in a location in shared memory, feeds the hardware circuit.
The mark value in the shared memory is written by the LLExec's highest priority task.
If the hardware circuit is not fed by the LLSupportDaemon, the system reboots.

Several behaviours can be configured for the case in which a watchdog reboot is detected at system start: for example, the last PLC code is not loaded, a secondary application is loaded, or the PLC load is delayed by a certain period to allow user actions before the system is started.

Example critical conditions

The LLExec process could crash because of a pointer error or a division by zero in the PLC code: in this case the mark value would not be written to the shared memory and the system reboots.
Moreover, the LLExec support daemon can be configured to collect diagnostic information which can be logged to permanent storage.

A second hypothesis: the LLExec higher priority task can enter an infinite loop condition: in this case it cannot write the mark to the shared location and the system will reboot.

In another case the LLSupport daemon could, improbably, crash for some unpredictable operating system reason: it would not feed the hardware circuit and the target will reboot.

Finally, an LLExec realtime task with a priority above that of the watchdog task can enter an unlimited loop condition: in this case the LLExec's higher priority task will still sign the mark in the shared memory, but the watchdog task would not be able to preempt the locked task to feed the watchdog, and again the target would reboot.
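The following is an added example, not code from the Axel wiki or from LLExec/LLSupportDaemon: a small C model of the mark-and-feed protocol described above. The shared-memory layout, the mark value and the function names (llexec_sign_mark, daemon_watchdog_tick, hw_tick, run_scenario) are assumptions made for the illustration. The hardware circuit is modelled as a countdown that "reboots" when it reaches zero, and the scenarios reproduce the critical conditions listed above: LLExec stops signing the mark, the daemon stops running (which also stands in for a higher-priority task looping so the daemon never gets the CPU), and a daemon wake-up period longer than the hardware timeout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed mark value: any agreed non-zero token works, the daemon compares exactly. */
#define WD_MARK_ALIVE 0xA5A5u

/* Hypothetical layout of the shared-memory location used by LLExec and the daemon. */
struct wd_shared {
    volatile uint32_t mark;   /* written by LLExec's highest-priority task, consumed by the daemon */
};

/* Model of the hardware circuit: a countdown reloaded on each feed; it "fires" (reboot) at zero. */
struct wd_hw {
    int timeout_ticks;  /* value reloaded on each feed */
    int remaining;      /* ticks left before the circuit fires */
    bool rebooted;
};

/* Executed by LLExec's highest-priority task on every cycle. */
void llexec_sign_mark(struct wd_shared *s)
{
    s->mark = WD_MARK_ALIVE;
}

/* Watchdog task of the daemon, running below the priority of every protected task.
   Returns true if the hardware circuit was fed on this wake-up. */
bool daemon_watchdog_tick(struct wd_shared *s, struct wd_hw *hw)
{
    if (s->mark != WD_MARK_ALIVE)
        return false;           /* no proof of life since the last wake-up: do not feed */
    s->mark = 0;                /* consume the mark so a stale value cannot feed twice */
    hw->remaining = hw->timeout_ticks;
    return true;
}

/* One tick of the hardware circuit; it counts independently of any software state. */
void hw_tick(struct wd_hw *hw)
{
    if (hw->rebooted)
        return;
    if (--hw->remaining <= 0)
        hw->rebooted = true;
}

/* Discrete-time scenario: LLExec signs the mark until tick llexec_stops_at; the daemon wakes up
   every daemon_period ticks until tick daemon_stops_at (a daemon crash, or a higher-priority
   task spinning so the daemon never runs). Returns the tick at which the circuit rebooted the
   target, or -1 if it never did within `ticks`. */
int run_scenario(int ticks, int llexec_stops_at, int daemon_stops_at, int daemon_period, int hw_timeout)
{
    struct wd_shared shm = { 0 };
    struct wd_hw hw = { hw_timeout, hw_timeout, false };

    for (int t = 0; t < ticks; t++) {
        if (t < llexec_stops_at)
            llexec_sign_mark(&shm);
        if (t % daemon_period == 0 && t < daemon_stops_at)
            daemon_watchdog_tick(&shm, &hw);
        hw_tick(&hw);
        if (hw.rebooted)
            return t;
    }
    return -1;
}

int main(void)
{
    printf("healthy system:                 reboot at %d\n", run_scenario(100, 100, 100, 1, 3));
    printf("LLExec stops signing at tick 5: reboot at %d\n", run_scenario(100, 5, 100, 1, 3));
    printf("daemon stops running at tick 5: reboot at %d\n", run_scenario(100, 100, 5, 1, 3));
    printf("daemon period 4 > hw timeout 3: reboot at %d\n", run_scenario(100, 100, 100, 4, 3));
    return 0;
}
```

The daemon clears the mark every time it reads it, so a mark left behind by a process that has since died cannot keep the circuit fed. The last scenario shows a configuration check worth making on a real target: the watchdog task's wake-up period must be shorter than the hardware timeout, otherwise a healthy system reboots.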

Software Watchdog

The software watchdog is based on a control task that runs at the highest priority. The control task period is set to the same period as the I/O task.

Every time it is executed, the control task checks whether the scheduled timed tasks are exceeding their nominal execution period.

If everything is running fine, the control task signals the I/O task for its execution; otherwise an LLNOTIFY_OVERTIME event with PLCERR_WATCHDOG is raised and PLC execution is stopped (eventually killing the task that does not terminate).

The LLNOTIFY_OVERTIME event can be handled by LLExec plugins, for example to stop the fieldbus.

Background task execution time can also be monitored.

The software watchdog is able to recover from infinite loop conditions or tasks that exceed their execution period, but it is not able to restart the target when a hard fault occurs.
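As an added example that is not part of the wiki page or of LLExec itself, the following C model shows the overtime check the software watchdog section describes: a control task, run at the I/O task period, compares how long each scheduled timed task has been in its current cycle against the task's nominal period, and on overrun raises the overtime event instead of signalling the I/O task. The numeric values behind LLNOTIFY_OVERTIME and PLCERR_WATCHDOG, the timed_task bookkeeping structure and the function names (control_task_check, scenario_overrun_detected_at) are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical numeric codes for the event names used on the page. */
#define LLNOTIFY_OVERTIME 1
#define PLCERR_WATCHDOG   100

/* Hypothetical bookkeeping the control task keeps per scheduled timed task. */
struct timed_task {
    const char *name;
    uint32_t period_us;   /* nominal period */
    uint32_t start_us;    /* start time of the current (or last) cycle */
    bool running;         /* true while the cycle has not returned */
};

struct control_result {
    bool ok;
    int event;            /* LLNOTIFY_OVERTIME when a task overran, else 0 */
    int error;            /* PLCERR_WATCHDOG when a task overran, else 0 */
    const char *task;     /* the offending task, or NULL */
};

/* Body of the control task, run at the highest priority with the I/O task period.
   A task is overtime when it is still running and its cycle has lasted longer than its
   nominal period. On success the I/O task is signalled (modelled here by a flag);
   on overtime the event is raised and the I/O task is not signalled. */
struct control_result control_task_check(const struct timed_task *tasks, size_t n,
                                         uint32_t now_us, bool *io_task_signal)
{
    struct control_result r = { true, 0, 0, NULL };

    for (size_t i = 0; i < n; i++) {
        if (tasks[i].running && now_us - tasks[i].start_us > tasks[i].period_us) {
            r.ok = false;
            r.event = LLNOTIFY_OVERTIME;
            r.error = PLCERR_WATCHDOG;
            r.task = tasks[i].name;
            *io_task_signal = false;
            return r;   /* PLC execution would be stopped at this point */
        }
    }
    *io_task_signal = true;
    return r;
}

/* Simulation of one timed task whose cycle takes task_runtime_us (UINT32_MAX = infinite loop),
   checked by the control task every control_period_us. Returns the time at which the control
   task raised the overtime, or 0 if none was raised before horizon_us. */
uint32_t scenario_overrun_detected_at(uint32_t task_period_us, uint32_t task_runtime_us,
                                      uint32_t control_period_us, uint32_t horizon_us)
{
    struct timed_task task = { "plc_task", task_period_us, 0, true };
    bool io_signal = false;

    for (uint32_t now = 0; now <= horizon_us; now += control_period_us) {
        if (task.running && now - task.start_us >= task_runtime_us)
            task.running = false;                       /* cycle returned */
        if (!task.running && now % task_period_us == 0) {
            task.start_us = now;                        /* next cycle scheduled */
            task.running = true;
        }
        struct control_result r = control_task_check(&task, 1, now, &io_signal);
        if (!r.ok)
            return now;
    }
    return 0;
}

int main(void)
{
    printf("300us cycle in a 1000us period, control every 100us: overtime at %u\n",
           scenario_overrun_detected_at(1000, 300, 100, 5000));
    printf("infinite loop, control every 100us:                  overtime at %u\n",
           scenario_overrun_detected_at(1000, UINT32_MAX, 100, 5000));
    printf("1200us cycle, control every 100us:                   overtime at %u\n",
           scenario_overrun_detected_at(1000, 1200, 100, 5000));
    printf("1200us cycle, control every 250us:                   overtime at %u\n",
           scenario_overrun_detected_at(1000, 1200, 250, 5000));
    return 0;
}
```

The last scenario shows why the control period matters in this model: an overrun that starts and ends between two control wake-ups is never observed, so the check is only as fine-grained as the period the control task shares with the I/O task. The infinite-loop case is caught on the first control wake-up after the nominal period has elapsed, which is the condition the page says the software watchdog recovers from; a hard fault in the runtime itself is outside this mechanism and is left to the hardware watchdog.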