Ada on ARM Cortex


AdaCore recently released a GPL version of their ARM bare board Ada eco-system.

A how to:

Libre: Free Software and Open-Source Development with Ada (AdaCore)

Select "GNAT GPL" Expected: Download GNAT GPL and SPARK GPL Editions

Select the "Free Software or Academic Development" button.

Select the "Build Your Download Package" button at page bottom. Expected: "Select Configurations ..." in the title bar.

At mid-page, "Select your platform:" pull-down menu, select a combination of target (ARM ELF) and host (Linux or Windows) for "GNAT GPL 2014" (next pull-down menu). Expected: GNAT Ada GPL 2014

Select "GNAT Ada GPL 2014". Expected: Possible files in your download. These files are a readme, the install, and multiple source code archive files.

For each file in the download, select the box next to its file name. Expected: Each box contains a check mark.

At the page's bottom, select the download's "Bundle format:" radio button then select the "Download Selected Files" button. Expected: dependent on the web browser.

Notes: Based on GCC 4.7

Targets: ARM Cortex-M3, ARM Cortex-M4F, ARM Cortex-R4F.

Further information in the ARM Cortex-M4F part of the GNAT Cross User's Guide:

Q. Tutorial: Embedded ARM Ada Project (AdaCore, documentation, GNAT Pro User's Guide Supplement for Cross Platforms)

More:

GNAT GPL for Bare Board ARM (AdaCore, Libre)

Though 2 years old, this demonstrates some of this post: Installing GNAT GPL Edition (AdaCore05 on YouTube)

"Dare to be naïve." - Buckminster Fuller

Last Edited: Sat. Nov 6, 2021 - 08:48 PM

Thanks, have you tried that? Any forums, experiences, discussions?

What I am especially interested in is debugging.
Or rather - writing Ada (on uC) is pointless without a decent debugger.
Unfortunately avr-ada does not debug at all..

I would like to know what kind of GDB-arm is there and what is/is not supported. The FAQ suggests some st-util to be used as GDB server, also only their GPS IDE is mentioned. The ideal scenario would be if I could just download the raw toolchain itself and use my own IDE with Mi (Eclipse + CDT), my own gdb server (OpenOCD) and any Cortex that lies around here.

No RSTDISBL, no fun!


Brutte wrote:
Thanks, have you tried that?
No.
The reason is that the current effort is for AVR with an eventual 32-bit remote support MCU; that was AVR32 UC3 but I am now considering SAM3 or SAM4 (programming in the large, etc., etc.)
So, you lead me by a kilometer or a mile!
Brutte wrote:
Any forums, experiences, discussions?
A review; though it's of the commercial version, the GPL version is likely close.
Ada 2012 Comes to ARM Cortex M3/M4 by Michael Silva (EmbeddedRelated, Apr 25 2014)
Operator support - for the commercial version there's GNAT Tracker.
Though I haven't interacted with AdaCore in quite some time (some projects ago), AdaCore's commercial support was excellent; Q&A, problems identified as either bugs I created or in the compiler and such, RTOS/GNAT runtime "burp" oddity investigation (a defect somewhere, a relatively infrequent fault, but not a failure).
Don't know how it's done for GNAT GPL.
Brutte wrote:
Or rather - writing Ada (on uC) is pointless without a decent debugger.
:twisted:
Worked on one Ada on a MPU where the target was the equivalent of buttoned up behind cast aluminum.
Didn't even consider using a debugger; if so it would have been via a bus riser card, etc. (iow a headache in the making).
Did see the value of a debugger but via a target simulator that was created to run on the PC.
Used AdaCore GPS and their version of GDB on Windows.
Got the app working well on a PC, replaced the stubs with the target's code, rebuilt, burned it, ran.
Well ... almost; forgot a bus endian swap that was the obvious educated guess.
Brutte wrote:
Unfortunately avr-ada does not debug at all..
Here's a different take that uses GNAT GPL for AVR on an Arduino Mega 2560; it's GCC 4.5 though instead of AVR-Ada's GCC 4.7:
Adaino (GitHub)
In the readme that's displayed, go to the page bottom for " Using the Atmel mkII debugger to Arduino Mega".
Will add to Torby's AVR Ada thread.
Brutte wrote:
I would like to know what kind of GDB-arm is there and what is/is not supported.
Don't know how to answer that.
Could try downloading
gdb-7.7-gpl-2014-src.tar.gz 47.5 MB Mar 17, 2014
and browsing that.
Might be quicker to ask a GNAT ARM ELF operator like Michael Silva.
Brutte wrote:
... also only their GPS IDE is mentioned. The ideal scenario would be if I could just download the raw toolchain itself and use my own IDE with Mi (Eclipse + CDT),
I could not locate gnatbench in the list of GNAT ARM ELF source code files.
GNATbench is a part of GNAT GPL for platforms Linux and Windows.
GNATbench – Ada Plug-in for Eclipse (Libre, AdaCore)
Brutte wrote:
... my own gdb server (OpenOCD) and any Cortex that lies around here.
I can see the appeal.
GDB support usually appears first from the MCU manufacturers by their eco-systems.
An example is Atmel Studio's use of GDB for ARM Cortex-M.

"Dare to be naïve." - Buckminster Fuller


Quote:
A review; though it's of the commercial version, the GPL version is likely close.

(After some 4h struggling) I am finally debugging my first bare-metal STM32 blinky in Ada!

No RSTDISBL, no fun!


Well done!
And, thank you for this information.
IDE: Eclipse / GNATbench, or, AdaCore GPS?
If Eclipse, which plug-in(s)?
TIA

"Dare to be naïve." - Buckminster Fuller


gchapman wrote:
Well done!

I had to run through examples for native compiler first just to have some basic experience on how all the Ada stuff works (although I do know Ada a little bit).
After that - there is an STM32F4-Discovery blinky example with tutorial included and it "blinks out of the box"!

gchapman wrote:
IDE: Eclipse / GNATbench, or, AdaCore GPS?

Unfortunately it is GPS right now. GPS is not that bad (it is usable) but it lacks tons of plug-ins and features that Eclipse offers.

I have downloaded the GNATBench (Eclipse plug-in for Ada, 163MB) and I have plans to give it a go in the evening.

EDIT: I have successfully installed and tried GNATBench for CDT, version 2.8.1.20140109.

My first step was to "Hello World" with native x86 compiler, I did some testing, debugging, etc.
Works very much like with any other toolchains I have tried.

    Compiling: no problems,
    Debugging: gdb, no surprises,
    Call stack: works,
    Watch variables: checked,
    Registers: a lot of them,
    Memory view: fine,
    Disassembly: looks ok,
    Breakpoints: sure,
    Stepping: F6,
    ...

I could not find any tutorials on GNATBench so I am currently trying to figure out how to control all the available settings/features.

I didn't try any cross compilers under Eclipse yet as I realized I have to (re)gain some Ada experience with x86 before I jump to embedded stuff with that.

EDIT2: Ok, so the GNATBench plug-in comes with the tutorial :oops: It is integrated with Eclipse help system.

No RSTDISBL, no fun!


Brutte wrote:
I didn't try any cross compilers under Eclipse yet ...
http://docs.adacore.com/gnatbench-docs/src/running/executing_embedded_apps.html
That is sparse.

"Dare to be naïve." - Buckminster Fuller


Well, I am sure my STM32 would work under Eclipse more or less the same way as under GPS as this is just IDE but you know - embedded stuff is more challenging than x86. I think that simple Ctrl+C/V from GPS to Eclipse wouldn't work (or: I wouldn't learn much) as it requires at least a basic understanding of the toolchain.

The most problematic is debugging - Cortex M needs some Text.IO (semihosted or UARTed), exceptions must end up with some meaningful message on a console (or at least must halt a uC in a violating location when something went wrong). Add to that all toolchain settings, CRT, linker and alike.. I want to understand how underlying layer works, at least to the same extent as with gcc-arm-embedded toolchain I use.

Right now I have no bloody idea what a definite subtype is, nor under what circumstances a constraint exception is raised...

This Ada compiler is very picky and verifies absolutely everything that can be verified. And even when the compilation passes - uC verifies everything again at run-time (that part is configurable).

EDIT: Here it is, a GDB session of Ada/Ravenscar running on STM32 under Eclipse (windoze version).


No RSTDISBL, no fun!


A press release:
AdaCore releases GNAT GPL for Bare Board ARM by Toni McConnel (embedded.com; July 30, 2014)
Two profiles: small footprint, Ravenscar.
Small footprint appears to be a subset of Ravenscar.
From a read of the complete press release (by "More information" at above URL):
- Dr. Pat Rogers (AdaCore) and the 20USD ARM boards.
- Dr. Uwe R. Zimmer (Australian National University) and "academia-affordable".

Runtime Profiles (AdaCore)
3. The Predefined Profiles (AdaCore, High Integrity Edition, Documentation)
Q. Tutorial: Embedded ARM Ada Project (AdaCore, GNAT Pro User's Guide Supplement for Cross Platforms)

"Dare to be naïve." - Buckminster Fuller


I would have thought that Ravenscar is too 'fluffy' to run on embedded (real life application)? As far as I remember from my uni days, Ravenscar includes select and tasks?

:: Morten

 

(yes, I work for Microchip, yes, I do this in my spare time, now stop sending PMs)

 

The postings on this site are my own and do not represent Microchip’s positions, strategies, or opinions.


meolsen wrote:
I would have thought that Ravenscar is too 'fluffy' to run on embedded (real life application)?
Yes and no.
Worked on one embedded Ada application that used the zero footprint profile (ZFP) as that was more than adequate and was the best match amongst the available profiles at that time.
If a POSIX OS interface is available then a run-time that implements the complete profile, or the Ravenscar profile, can be relatively easy to create or port.
Otherwise, multiple instances of the Ravenscar profile have been created without POSIX, RTOS, or an operating system.
Two (or three) instances of ZFP for AVR and now two instances of Ravenscar for ARM Cortex (M3, M4, R4); no need to pull on one's bootstraps.
Now likely not enough demand for this on AVR32 UC3.
P.2 Porting the ZFP run-time library (AdaCore, P. Customized Ravenscar Library Topics, GNAT Pro User's Guide Supplement for Cross Platforms)
P.4 Porting the Ravenscar run-time library (AdaCore, ibid)
meolsen wrote:
As far as I remember from my uni days, Ravenscar includes select and tasks?
No and mostly yes.
"No select statements"
"No task entries (and thus no accept statements)"
and some more linked to possible characteristics of tasks.
3.5.1 Ada Restrictions in the Ravenscar Profiles (AdaCore, GNAT Pro User's Guide Supplement for GNAT Pro Safety-Critical and GNAT Pro High-Security, 3.5 The Ravenscar Profiles)

"Dare to be naïve." - Buckminster Fuller


No RSTDISBL, no fun!


And from there to:

http://www.ganssle.com/rants/ada...
http://www.ganssle.com/rants/ada...
http://www.ganssle.com/rants/ada...

Perhaps someone who knows and uses Ada on an AVR could show an LED flasher using a timer interrupt (say) as an example and point out what in it makes Ada "better" than C.

I have to admit it's not something I've ever really explored much beyond a Wiki page:

http://en.wikipedia.org/wiki/Ada...

and the examples.

Jack Ganssle seems to be suggesting the runtime range checking is a/the major plus. Is there more? And if range checking is the big plus then what's the overhead in generated assembly?


clawson wrote:
Perhaps someone who knows and uses Ada on an AVR could show an LED flasher using a timer interrupt (say) as an example ...
tkoskine, arduino-blog / examples / deep-sleep / main.adb by Tero Koskinen (on Bitbucket)
Browsing there to 'sleeper.adb' shows use of CTC.
Tero uses and modifies AVR-Ada (a variant of AVR GCC 4.7).

avr-timers.adb by Rego (on GitHub)
Rego's examples though are only USART.
Rego uses AdaCore GPL Ada for AVR (a variant of AVR GCC 4.5) in ...
"Adaino is a toolset written in Ada, to develop Ada applications on Arduinos on a host Windows machine."

clawson wrote:
... Ada "better" than C.
I agree with your use of quotes.
Each has its place.
Ada has a C interface package if one wants to use or reuse C; if one has a working wheel it's usually better (by fit/form/function/price/cost/schedule) to use it.
clawson wrote:
Is there more?
Technical Benefits (AdaCore, Libre, Ada Answers, Benefits and Features)
One language not mentioned there is Python; an ARM Cortex-M instance of that is Micro Python.
Python is not for real-time but Python does have a C API.
Python/C API Reference Manual (Python 3)
clawson wrote:
And if range checking is the big plus then what's the overhead in generated assembly?
Which MCU architecture?
Which, if any, RTOS or OS?
Is POSIX available?
There is a sizing overhead and a timing overhead.
For timing, some Ada run-times use the architecture's hardware "exceptions" and some don't; some use interrupts and some don't; etc.
Zero-cost exceptions may be available and may be used.
Else, the fallback is usually what one uses in C (longjmp, etc.).
Multiple ways to create an Ada run-time.
"With 32 bits and many of these controllers have gobs of memory on board, Ada makes an awful lot of sense even for relatively small control applications." - Jack Ganssle
by the link in Brutte's post.
May be a moot point with 1 to 2 MB of flash and a core clock of 120 MHz (Atmel; faster by competitors).
Looks like a major Atmel competitor will have to keep up with the Joneses (come on MIPS / Imagination Technologies / you know who)
But not a Who as in Horton Hears a Who! (2008) (IMDb)

"Dare to be naïve." - Buckminster Fuller


In particular I read

http://libre.adacore.com/adaansw...

but you could say almost all of that about C++. I'm still looking for what the "Ada advantage" is - is it purely this range checking thing or what?

I also looked at the example code but apart from the different syntax (which is quite "readable" in fact) I'm still looking for what would motivate one to make a move from C to Ada. Ganssle said it would reduce programming errors to 1/10th. That's a bold claim. I'm just not seeing how. He seemed to be suggesting that because the syntax is so "fussy" that getting something that will actually compile is such a challenge that you expend so much thought getting it right that the code itself is just bound to work. Is that it?


Quote:
is it purely this range checking thing or what?

What I have noticed is that there is a whole set of static (compile time), link (link time) and dynamic (run time) tricks that make Ada exceptional.
In theory you could also implement strict type checking, static range checking, exceptions on overruns, divisions by zero, interprocess communication, dynamic priorities, asynchronous change of flow, solve priority inversion etc in C/C++ but the point is that this is not standardised. With Ada that is a part of the language so you do not have to worry about those details.
So if you are looking for one definite advantage of Ada over C/C++ then you won't find it I am afraid.
The size of the Ada application is bigger than C? It uses more flash? Runs slower? I have heard that before when we were discussing advantages of asm over C..

No RSTDISBL, no fun!


clawson wrote:
I'm still looking for what the "Ada advantage" is - is it purely this range checking thing or what?
Brutte wrote:
So if you are looking for one definite advantage of Ada over C/C++ then you won't find it I am afraid.
A computer language standard for concurrency; likely more if I searched.
Though the following is dated (it's based on Ada95 instead of Ada 2012) it may be worth a browse:
Ada-95: A guide for C and C++ programmers (Ada Home, Intellectual Ammunition Department)
As you can see, Ada aficionados can be a bit touchy having to break out the ammunition and such ;-)
C++11 and Ada 2012 - renaissance of native languages? by Quentin Ochem (Electronic Design; Jun 22, 2012)
is less dated and appears to be a summary.
Ada as a Second Language, Second Edition (December 1995) by Norman Cohen (McGraw-Hill Higher Education) is a great, though big, read; has excellent exercises.
Personally, 3 months of part-time reading and doing most of the exercises and I was up on Ada95.

"The following chart provides an overview of evolution of the major features of the Ada programming language." - Ada Comparison Chart (Ada 2012)

Most or maybe all of the features of Ada 2012 are present and standardized in other computer languages with Python being one of those.

Ada 2012 redux by Jack Ganssle (embedded.com; January 14, 2013) might answer some questions.

clawson wrote:
I'm still looking for what would motivate one to make a move from C to Ada. Ganssle said it would reduce programming errors to 1/10th. That's a bold claim. I'm just not seeing how.
For defects/KSLOC it's 1/7 per
Comparing Development Costs of C and Ada by Stephen F. Zeigler, Ph.D. (Rational Software Corporation; March 30, 1995; archive of Ada Information Clearinghouse); try "Why Does Ada Work Better Than C?".
The US's Ada Information Clearinghouse has EOL'd; seems that function, and Ada activity, has moved to Europe.
That's appropriate since the creator of Ada is in Europe and there's a lot of Ada development in Europe.
clawson wrote:
Is that it?
You REALLY need a language-sensitive editor for Ada.
You'll remember the well used parts of Ada but likely not the less used parts.
One reason for Ada is programming-in-the-large and Ada is large.
Your preferred Ada textbook will become well worn ;-)

"Dare to be naïve." - Buckminster Fuller


Brutte wrote:
... that make Ada exceptional.
Another is SPARK that's Ada used for formal methods.
Toyota has had an awful experience in US courts with their more recent ECUs.
Toyota is researching use of SPARK in Toyota ECUs.
If one doesn't want to use SPARK there's Frama-C.
Brutte wrote:
With Ada that is a part of the language so you do not have to worry about those details.
Still do because some of those problems are still possible; one problem is task starvation can occur.
A solution is to reduce the solution space by using a Ravenscar profile.
Brutte wrote:
The size of the Ada application is bigger than C? It uses more flash? Runs slower? I have heard that before when we were discussing advantages of asm over C.
Benchmarking is iffy.
The best benchmark is of the algorithm that's the long pole in one's tent.
My experience with benchmarking Ada is dated (MPU instead of MCU, vehicle batteries instead of a coin cell, an old Ada compiler) and showed a wide variability in timing; iow sometimes significantly less and sometimes significantly more.

"Dare to be naïve." - Buckminster Fuller


gchapman wrote:
Ada 2012 Comes to ARM Cortex M3/M4 by Michael Silva (EmbeddedRelated, Apr 25 2014)
Ada 2012 for ARM M3/M4 Released for Download by Mike Silva (EmbeddedRelated, Aug 4 2014)

Note:

  • Mike's custom motherboard

  • LED and LCD source code

  • Source code for registers and GPIO

  • Source code with an Ada task

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Sep 11, 2014 - 10:33 AM

Brutte wrote:
Any forums, experiences, discussions?
gchapman wrote:
Don't know how it's done for GNAT GPL.
"One can't get the level of support with the free versions of GNAT, but there is support on /r/ada, StackOverflow, and comp.lang.ada." by marc-kd at Boeing Flies on 99% Ada (reddit).

"Dare to be naïve." - Buckminster Fuller


Brutte wrote:

Thanks, have you tried that? Any forums, experiences, discussions?

I've got a couple of blog posts up about it, starting with this one:

http://www.embeddedrelated.com/s...

 

I saw further on that you got it running - congrats.


clawson wrote:

...Ganssle said it would reduce programming errors to 1/10th. That's a bold claim. I'm just not seeing how. 

I can add a very personal datapoint.  I've done almost all of my embedded work in C, and encountered some vicious bugs during that time.  When I learned about Ada (not available on the HW I was using), I started tracking in my head "would this bug have happened in Ada?".  My conclusion over a large number of bugs is that the great majority would not have gotten past the Ada compiler (e.g. if a variable foo is defined as range 1..5, writing foo := 6 will generate a compiler error).  Those that did get past would almost always have been caught by the Ada runtime checking (which you can turn on and off on a per-variable basis, so it's not an all-or-nothing thing).  I had nasty pointer indirection bugs that took days or weeks to track down, that the Ada runtime would have identified in minutes.  My own data would easily support the 1/10 figure, especially as a figure of time spent fixing bugs.

 

On my embeddedrelated.com blog, mentioned in a previous post, I'm going to next post an example of this runtime checking.  The runtime catches a value going out of range and indicates on the device LCD the file name and line number where the error happens.  Pretty easy to debug after that!  In C or C++ you'd have to manually code all of those checks, and you'd never get them all right (not to mention that they would horribly clutter up the code, leading to even more errors).


I have to disagree... compile-time checks like this (with a constant)

 (e.g. if a variable foo is defined as range 1..5, writing foo := 6

Treat a tiny few cases. The real time-wasting bugs occur at run-time with variables. And our small-memory embedded targets (even on ARM M0/M3) prohibit run-time bounds checking and exceptions. As do code speed needs.

stevech wrote:

I have to disagree... compile-time checks like this (with a constant)

 (e.g. if a variable foo is defined as range 1..5, writing foo := 6

Treat a tiny few cases.

What are you disagreeing with?  Of course I gave a ridiculously simple example, but it is certainly the case that most Ada bugs are caught at compile time.

 

Quote:
The real time-wasting bugs occur at run-time with variables. And our small memory embedded (even on ARM M0/M3) prohibit run time bounds checking and exceptions. As does code speed needs.

And yet I have in front of me just such checking and exceptions, writing out file name and line number of the error-generating statement on the LCD display.  BTW, the compiler had first warned me that the statement could generate an error, but the compiler will not be able to determine that in every case.  And again, you don't HAVE to enable any runtime checking.  All, none, or something in between - it's all up to the programmer.

 

Ada has been used in military and space systems that had much less memory than the parts we can now buy for a few dollars.

 

Having another good embedded language available is a GOOD thing.  Having more choices is a GOOD thing.

 

Last Edited: Thu. Sep 11, 2014 - 05:15 PM

Having more languages is a very good thing.

I used Ada way back, when working in Defense - in the era where the US DoD was close to a mandate, subsequently dropped. The run time overhead was just too much. Perhaps OK when doing unit test.

 

I think Pascal is a good compromise in terms of computer science, but it never really escaped Academia. It was my first exposure to strongly typed languages.

Last Edited: Thu. Sep 11, 2014 - 05:35 PM

stevech wrote:

Having more languages is a very good thing.

I used Ada way back, when working in Defense - in the era where the US DoD was close to a mandate, subsequently dropped. The run time overhead was just too much. Perhaps OK when doing unit test.

Unfortunately the technology wasn't up to the promise of the language back then.  I heard stories of unbelievably long compilation times, terrible code generation, etc.  Those stories (and the high cost of Ada tools then) put a hurt on the language that still hasn't gone away.  But that was 20-30 years ago - so much has changed.  Do people judge modern C++ based on C++ from 1983?

Quote:

I think Pascal is a good compromise in terms of computer science, but it never really escaped Academia. It was my first exposure to strongly typed languages.

Ada without runtime checks (ZFP - zero footprint) is a Really Modern Pascal-like Language. :)


kk6gm wrote:
In C or C++ you'd have to manually code all of those checks, and you'd never get them all right (not to mention that they would horribly clutter up the code, leading to even more errors).
"Apart from generating tests to ensure coverage, PathCrawler can be used to detect all run-time errors, anomalies such as uninitialized variables or integer overflows and unreachable code." - Frama-C

Try a snippet of some C in their on-line version.

What is Frama-C

 

"Dare to be naïve." - Buckminster Fuller


In my experience, the toughest run-time bugs in embedded are related to preemption and concurrency - atomicity, deadlocks in semaphores/queues, and so on.

 


kk6gm wrote:
Ada has been used in military and space systems that had much less memory than the parts we can now buy for a few dollars.
ESA contractors are using Ada on a hardened, and sometimes also fault tolerant, 32-bit application processor.

GNAT Pro Safety-Critical, Platforms, Bare Board ERC32 / LEON (AdaCore)

Leon3 (Aeroflex Gaisler)

Compilers (Aeroflex Gaisler)

Ada is on one CubeSat but as a host-to-host then a cross compiler; this because Ada is not available on that 16-bit MCU.

2013.B.1.1 Interplanetary High Reliability CubeSat Software with SPARK/Ada by Carl Brandon and Peter Chapin (Vermont Technical College, USA)

Note the peaceful use of Minuteman ICBM parts.

Software Components (CubeSat Laboratory, Vermont Technical College)

CubeSat Kit, Datasheets (I don't recall any Ada compilers for any of the MCUs there)

Edit: added "Software Components".

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Sep 18, 2014 - 02:23 AM

stevech wrote:
I used Ada way back, when working in Defense - in the era where the US DoD was close to a mandate, subsequently dropped. The run time overhead was just too much.
An opposite experience but that was on 32-bit MPUs, DRAM, SCSI mass storage, hardware watchdogs, mechatronics, etc.

stevech wrote:
Perhaps OK when doing unit test.
Similar.

Ported a non-Ada application from a 16-bit MPU to Ada on a 32-bit MicroVAX, ran tests with the goal of identifying common bugs, found some bugs, fixed the original application.

stevech wrote:
... escaped Academia.
Like herding cats.

"Herding Cats" Super Bowl Sunday Super Bowl Ad NFL (YouTube)

Seriously, there's a need for the research that won't see daylight for a decade or two; the principle of the incubator.

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Sep 11, 2014 - 11:31 PM

kk6gm wrote:
Ada without runtime checks (ZFP - zero footprint) ...

It is possible to raise the predefined Ada exceptions, as well as user-defined exceptions and handle them locally.

3.2.6 Exceptions and the Last Chance Handler - ZFP and Ravenscar SFP (AdaCore, GNAT Pro User's Guide Supplement for GNAT Pro Safety-Critical and GNAT Pro High-Security: The Predefined Profiles)

"Dare to be naïve." - Buckminster Fuller


gchapman wrote:

 

kk6gm wrote:

Ada has been used in military and space systems that had much less memory than the parts we can now buy for a few dollars.

ESA contractors are using Ada on a hardened, and sometimes also fault tolerant, 32-bit application processor.

 

GNAT Pro Safety-Critical, Platforms, Bare Board ERC32 / LEON (AdaCore)

Leon3 (Aeroflex Gaisler)

Compilers (Aeroflex Gaisler)

Ada is on one CubeSat but as a host-to-host then a cross compiler; this because Ada is not available on that 16-bit MCU.

2013.B.1.1 Interplanetary High Reliability CubeSat Software with SPARK/Ada by Carl Brandon and Peter Chapin (Vermont Technical College, USA)

Note the peaceful use of Minuteman ICBM parts.

CubeSat Kit, Datasheets (I don't recall any Ada compilers for any of the MCUs there)

As well as the then-ubiquitous MIL-STD-1750A, a 16-bit design that could directly address only 64k words, more with bank switching.  Ada 83 and 95 were often used on this device.

Last Edited: Fri. Sep 12, 2014 - 12:36 AM

had nasty pointer indirection bugs that took days or weeks to track down, that the Ada runtime would have identified in minutes.

Can you give more detail of that - I'd really like to understand more about this?


clawson wrote:

had nasty pointer indirection bugs that took days or weeks to track down, that the Ada runtime would have identified in minutes.

Can you give more detail of that - I'd really like to understand more about this?

Well, it's been about 15 years now, but it was a specialized PLC that took a downloaded program and generated lots of pointers to functions and data objects.  In Ada you don't use pointers nearly so much, you tend to use array indexes, and like all discrete types you can specify the valid range of array indexes, and any attempt to access an array with an index out of bounds will generate (if you have enabled this) a runtime exception.  Catch that exception and you know immediately where the bad access originated, before you've fetched and worked with invalid data and gone down the rabbit hole.

 

In Ada you almost never just work with an Integer, you specify the bounds of integers and work with those types (and subtypes of those types, which may be constrained even further).  The compiler will generate checks wherever such a value is assigned or used, if it cannot already know that the value is legal.

 

Another type of check performed is for integer overflow/underflow.  I've seen bugs where intermediate values overflowed/underflowed, thus trashing the results.  Sometimes those bugs can live in code for years because the values that cause the OVF/UNF are unusual, and all you get from the field is a report that the software screwed up.  In Ada you'd see (or the field guys would tell you) that suddenly the software reported a constraint error in file goober.adb, line 345, and that line would be where the OVF/UNF occurred, not far later when the bad resultant value caused a crash.

 

Sometimes people respond with "yeah, but you can put those checks in C or C++ code too."  Well, they don't.  Maybe for space/military code, but not for any code I've ever seen.  In addition, manually writing code for checking just opens you up to more sources of programming error, which the compiler is not subject to (ignoring the rare case that the compiler check-writing code itself may have a bug in it).  Further, cluttering the code with checks everywhere leads to very hard to read code.  I've seen code e.g. for an RTOS that had so many #ifdefs and #asserts that it was nearly impossible to follow the flow of the code.

 

And none of this even touches on the contracts now available on Ada 2012, or on SPARK, which is built on top of Ada.

 

A British MoD study found that code certified to DO-178B written in Ada had 1/10 the "significant safety-critical errors" of DO-178B certified code written in C, and code written in SPARK had 1/100 the errors of DO-178B certified code written in C.  This included code developed to the highest level, Level A.

 

There was an ACM article about "My Hairiest Bug War Stories" and of the 17 bugs discussed, an analysis showed that 15 of them could not have happened in Ada.

 

I'll just finish by saying that I much prefer writing code in Ada.  It feels more like writing pseudo-code, where you just express what should happen, rather than trying to convert what should happen into instructions for the portable assembler known as C.  This is often discussed as working in the problem space vs. working in the solution space.  Ada lets programmers work much more in the problem space, and that is far more enjoyable.

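An added example, not code from the thread, showing the checks described above as GNAT inserts them: a constrained index subtype, a bounded value type and an overflow check, each reported with file and line. The sensor buffer and the Store/Bump routines are constructed for illustration.

```ada
--  Added example, not code from the thread: the run-time checks described
--  above, as GNAT inserts them. Build with: gnatmake -gnato range_checks.adb
--  (-gnato forces integer overflow checking on, whatever the GNAT version).
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;
procedure Range_Checks is
   --  Constructed sensor buffer: a bounded value type and a constrained
   --  index subtype replace the raw pointer and unchecked int of C.
   type Reading is range 0 .. 1_023;           -- 10-bit ADC sample
   subtype Slot is Positive range 1 .. 8;
   type Buffer is array (Slot) of Reading;
   Buf : Buffer := (others => 0);

   --  Index and value arrive as plain Integers (e.g. from a message), so the
   --  compiler cannot prove them legal and emits checks on the assignment.
   procedure Store (Idx : Integer; Value : Integer) is
   begin
      Buf (Idx) := Reading (Value);   -- index check and range check here
   end Store;

   function Bump (N : Integer) return Integer is
   begin
      return N + 1;   -- overflow check here, not on the later use
   end Bump;
begin
   Store (3, 512);
   Put_Line ("Stored" & Reading'Image (Buf (3)) & " in slot 3");

   begin  -- 1. index out of bounds: Buffer'Last + 1 is not a Slot
      Store (Bump (Buffer'Last), 1);
   exception
      when E : Constraint_Error =>
         Put_Line ("Index check: " & Exception_Message (E));
   end;

   begin  -- 2. value out of range: 2_000 is not a Reading
      Store (1, 2_000);
   exception
      when E : Constraint_Error =>
         Put_Line ("Range check: " & Exception_Message (E));
   end;

   begin  -- 3. integer overflow in an intermediate result
      Put_Line (Integer'Image (Bump (Integer'Last)));
   exception
      when E : Constraint_Error =>
         Put_Line ("Overflow check: " & Exception_Message (E));
   end;
end Range_Checks;
```

Each Exception_Message carries the source file and line of the failed check, which is the "goober.adb, line 345" behaviour the post describes.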

kk6gm wrote:
In C or C++ you'd have to manually code all of those checks, and you'd never get them all right (not to mention that they would horribly clutter up the code, leading to even more errors).

Q: What is a typical error that can be detected with runtime analysis? 
A: Out of bounds, arithmetical errors and memory inconsistency errors.

http://www.iar.com/Products/C-RUN/C-RUN-FAQ/

This is for IAR EWARM.

"Dare to be naïve." - Buckminster Fuller

Last Edited: Sat. Sep 13, 2014 - 06:47 PM

gchapman wrote:

 

kk6gm wrote:

In C or C++ you'd have to manually code all of those checks, and you'd never get them all right (not to mention that they would horribly clutter up the code, leading to even more errors).

 

Q: What is a typical error that can be detected with runtime analysis? 
A: Out of bounds, arithmetical errors and memory inconsistency errors.

http://www.iar.com/Products/C-RUN/C-RUN-FAQ/

This is for IAR EWARM.

 

Also from the FAQ: 

By inserting test code into an application, a runtime analysis tool can find real and potential errors in the code...

So, you put the checks in yourself, or you buy an app that puts them in as an additional step.  OK.  Nobody is arguing that you can't bolt stuff onto C/C++, using additional apps and additional steps, that helps detect additional errors.  As a longtime user of C and C++, it's still lipstick on a pig, IMO.


gchapman wrote:

 

kk6gm wrote:

In C or C++ you'd have to manually code all of those checks, and you'd never get them all right (not to mention that they would horribly clutter up the code, leading to even more errors).

 

Q: What is a typical error that can be detected with runtime analysis? 
A: Out of bounds, arithmetical errors and memory inconsistency errors.

http://www.iar.com/Products/C-RUN/C-RUN-FAQ/

This is for IAR EWARM.

 

Also from the FAQ: 

By inserting test code into an application, a runtime analysis tool can find real and potential errors in the code...

So, you put the checks in yourself, or you buy an app that puts them in as an additional step.  OK.  Nobody is arguing that you can't bolt stuff onto C/C++, using additional apps and additional steps, that helps detect additional errors.  As a longtime user of C and C++, it's still lipstick on a pig, IMO.


Umm, stupid forum software won't let me delete an accidental double post...

Last Edited: Sat. Sep 13, 2014 - 07:17 PM

Off by one error?

 

<innocent whistling>


barnacle wrote:

Off by one error?

 

<innocent whistling>

Dunno, give some real world examples...


Sometimes people respond with "yeah, but you can put those checks in C or C++ code too."  Well, they don't.

You pre-empted what I was going to say. You can use arrays rather than pointers in C and you can bounds check the array indices with assert() or validate().

 

You say "they don't" - on the whole, we do ;-)


clawson wrote:

Sometimes people respond with "yeah, but you can put those checks in C or C++ code too."  Well, they don't.

You pre-empted what I was going to say. You can use arrays rather than pointers in C and you can bounds check the array indices with assert() or validate().

 

You say "they don't" - on the whole, we do ;-)

Well, on the whole...

 

I don't think it's humanly possible to put proper checks in all the required places in any but the most trivial piece of software.  I think only a compiler or other tool could hope to get that right.

 

EDIT: And when the programmer is in charge of putting in such checks, that is a loss of productivity, another potential source of error, and a cluttering of the code.

 

Last Edited: Mon. Sep 15, 2014 - 05:34 PM

Well surely the Ada programmer thinks just as equally hard when he writes:

define x = 1 .. 5;

(or whatever the actual syntax is) as the C programmer does when he writes:

assert((x > 0) && (x < 6));

in fact the C programmer could wrap this up in something like:

#define check_range(x, lo, hi) assert(((x) >= (lo)) && ((x) <= (hi)))

then just use:

check_range(x, 1, 5);

(well, OK, I haven't thought too hard or tested that - I need to stringify x or something - but I think you get the idea?).

 

However I do see the difference in the C programmer having to explicitly add the checks while in Ada it's implicit. I guess that's nice. (bit like _flash versus PROGMEM ;-)

Last Edited: Tue. Sep 16, 2014 - 12:54 PM

gchapman wrote:
Ada is on one CubeSat but ...

Vermont Tech's CubeSat is in orbit and sending down photos and data

http://www.adacore.com/uploads/newsletter/spring-summer-2014.pdf (721KB, go to page 2)

 Photo of earth from Vermont Technical College’s CubeSat - Ada Resource Association

http://www.adaic.org/2014/03/photo-vtc-cubesat/

"Dare to be naïve." - Buckminster Fuller

Last Edited: Tue. Sep 23, 2014 - 11:07 AM

clawson wrote:
Is there more?
Not an answer but a creation.

The Muen Separation Kernel

via http://www.adacore.com/uploads/newsletter/spring-summer-2014.pdf (721KB, page 1, Muen Separation Kernel developed using SPARK and GNAT)

An alternative to Muen Separation Kernel is OKL4 from Open Kernel Labs.

http://www.ok-labs.com/faq#whatProcessorsAreSupported

"Dare to be naïve." - Buckminster Fuller


Brutte wrote:
Right now I have no bloody idea what a definite subtype is nor at what circumstances a constraint exception is raised..

“Programming in Ada 2012” is now available

brukardt

http://www.adaic.org/2014/06/programming-in-ada-2012/

"(of ever expanding size!)"

It's shipped at 4.4lb (2kg).

Don't drop it on your foot wink

http://www.cambridge.org/be/academic/subjects/computer-science/software-engineering-and-development/programming-in-ada-2012

"Dare to be naïve." - Buckminster Fuller

Last Edited: Tue. Sep 23, 2014 - 11:52 AM

gchapman wrote:
... though it's of the commercial version, the GPL version is likely close.
The press release for the commercial version:

AdaCore Releases GNAT Pro Safety-Critical for ARM Processors

Ada now available for popular bareboard platform

NEW YORK, PARIS and NUREMBERG, Germany, February 27, 2013 – Embedded World Conference

https://www.adacore.com/press/gnat-pro-safety-critical-for-arm/

The following tools are in GNAT Pro and not in GNAT GPL:

  • Static analysis (stack, metrics, coding standard)
  • Unit testing that extends GPL AUnit (Ada unit testing framework)
  • Ada source code to XML
  • SQA
  • Customer support

"Dare to be naïve." - Buckminster Fuller


Brutte wrote:
The ideal scenario would be if I could just download the raw toolchain itself and use my own IDE with Mi (Eclipse + CDT), my own gdb server (OpenOCD) and any Cortex that lies around here.
OpenOCD on Windows and Atmel SAM4S Xplained Pro are mentioned in

AdaCore

GNAT Pro Insider

Autumn-Winter 2015

...

  • Newsflash

http://www.adacore.com/uploads/newsletter/GNAT_Pro_Insider_Autumn-Winter_2014-2015.pdf (866kB, go to page 6)

GNAT Industrial User Day 2014

...

Topics included Ada 2012, Ravenscar and SPARK running on an Atmel ARM M4 using a Tetris example, ...

...

The slides from the event are available online at https://www.adacore.com/gnatpro-day/2014-gnatpro-day-slides

  • Go to the second presentation titled "Ada 2012, Ravenscar and SPARK running on an Atmel ARM M4 (Tetris Example)" presented by Quentin Ochem.
  • First 9 of 31 slides for SAM4S and Tetris.

http://www.atmel.com/tools/ATSAM4S-XPRO.aspx 

http://www.atmel.com/tools/ATOLED1-XPRO.aspx

SourceForge

OpenOCD 0.8.0 release « Open On-Chip Debugger

April 27th, 2014 at 12:39 pm

http://openocd.sourceforge.net/2014/04/openocd-0-8-0-release/

...

Flash Layer:

  • ...
  • Atmel SAM4L, SAMG5x support.
  • Atmel AT91SAM3SD8[a,b], AT91SAM3S8[a,b,c], AT91SAM4S, AT91SAM3N0[a,b,0a,0b] support, bugfixes.
  • Atmel SAMD support.
  • ...
  • More ATmega parts supported.
  • ...

Board, Target, and Interface Configuration Scripts:

  • ...
  • Atmel Xplained initial support.
  • ...

Server Layer:

  • Auto-generation of GDB target description for ARMv7-M (XML support in GDB is mandatory for this architecture now), ARM4, nds32, OR1K, Quark.
  • GDB File-I/O Remote Protocol extension support.
  • Default GDB flashing events handlers to initialise and reset the target automatically when “load” is used.

...

"Dare to be naïve." - Buckminster Fuller


clawson wrote:
Is there more?
In the context of security for medical devices and the importance of selecting a computer language:

AdaCore

GNAT Pro Insider

Autumn-Winter 2015

http://www.adacore.com/newsletter/autumn-winter-2015

...

  • Workshop on Medical Device Software Security

http://www.adacore.com/uploads/newsletter/GNAT_Pro_Insider_Autumn-Winter_2014-2015.pdf (866kB, go to the bottom of page 4, right column)

...

The workshop identified a number of memory safety errors: buffer overflow, null pointer dereference, pointer usage after being freed (“dangling reference”), use of uninitialized memory, and illegal free (i.e., freeing an already-freed pointer or a non-malloced pointer).

The full Ada language prevents the first two errors and with appropriate encapsulation of uses of Unchecked_Deallocation can also prevent dangling references and illegal free.
...

Edit : additional URL.

"Dare to be naïve." - Buckminster Fuller

Last Edited: Fri. Mar 6, 2015 - 05:30 AM

 

No malloc()/free() on small/embedded micros, in most professional endeavors.


True, though it seems most medical device software is no longer small and no longer on typical embedded MCUs;

can recall an article about porting a medical device application from multiple 8bit MCUs (IIRC Z80) to a single MCU.

If an application works on Linux or OS X or Windows, port it (different OS, different CPU).

Re-use of the data protocols and security protocols means more memory, I/O, and CPU.

Severe reliability and security requirements may move an application onto proven micro-kernels; therefore, away from no memory protection unit (MPU), no MMU, and onto some compute iron.

Wouldn't be surprised if most medical devices have been re-ported well away from 8 bit and 16 bit MCUs.

The medical device security aspect is a concern due to the required connectivity with operators.

Most physicians, physician assistants, and nurses can or do operate medical devices by a remote data stream.

Nurses really need that data stream to and from their workstation.

"Dare to be naïve." - Buckminster Fuller
