Intermittently-powered, energy-harvesting devices operate on
energy collected from their environment
and must operate
intermittently
as energy is available.

Runtime systems for such devices often rely on
checkpoints or redo-logs to save execution state between power
cycles, causing arbitrary code regions
to re-execute on
reboot. Any \emph{non-idempotent} program behavior—behavior that
can change on each execution—can lead to
incorrect results.

This work investigates non-idempotent behavior caused by repeating
I/O operations, not addressed by prior work. If such
operations affect a control statement or address of a memory update, they can cause programs to take different paths or write to different memory locations on re-executions, resulting in inconsistent memory states. We provide the
first characterization of input-dependent idempotence bugs and develop
IBIS-S, a program analysis tool for detecting such bugs at compile time, and IBIS-D, a dynamic information flow tracker to detect bugs at runtime.

These tools use taint propagation to determine the reach of input. IBIS-S
searches for code patterns leading to
inconsistent memory updates, while IBIS-D detects concrete memory inconsistencies. We evaluate IBIS on
embedded system drivers and applications. IBIS
can detect
I/O-dependent idempotence bugs, giving few (IBIS-S) or no (IBIS-D) false
positives and providing actionable bug reports.
These bugs are common in sensor-driven applications and are
not fixed by existing intermittent systems.