AVR Freaks

Inside AdaCore is published twice a year simultaneously in New York and Paris by AdaCore

January-June 2018

https://www.adacore.com/uploads/newsletter/01-10-2018_pages.pdf

(page 5, next to last article)

GNAT Pro CCG Expands Ada Availability

The new GNAT Pro CCG product (Common Code Generator) is a compiler that takes a SPARK-like subset of Ada—basically excluding features that require run-time support—and generates C source code. It thus allows customers to use Ada for any target processor that has a C compiler even if no Ada compiler is available.  The C program that is output is not meant as maintainable source code, but rather serves as a portable intermediate representation (which will be input to a C compiler) during the building of an executable. With GNAT Pro CCG, Ada programs complying with the supported subset can run on virtually any target processor. For more information please contact info@adacore.com.

via https://www.adacore.com/newsletter/january-june-2018

Appears that GNAT Pro CCG is a product'ized instance of what the ones at Vermont Technical College (VTC) created for a LEO CubeSat.

COTS CubeSat MCU are mostly 16b (MSP430^TM and PIC24); IIRC, at that time VTC didn't have available FSF MSP430 GCC and therefore its Ada/SPARK front-end.

Intersil (now Renesas) has geostationary-rated 80C86 ; AdaCore GNAT Pro Assurance would be a fit for that MPU.

P.S.

One can still get themselves wrapped around the axle with Ada as Ada shares the same kind memory-unsafe operations as C.

An Ada compiler's front-end does the equivalent of lint and Ada's predefined STORAGE_ERROR exception would make apparent a heap exhaustion that could be caught by a C assert.

http://www.adaic.org/2014/03/photo-vtc-cubesat/

https://www.renesas.com/us/en/products/space-harsh-environment/rad-hard-digital/rh-microprocessors-peripherals.html

The Wages of Fear (1953) - IMDb

https://www.imdb.com/title/tt0046268/

https://www.rogerebert.com/reviews/the-wages-of-fear-1992

But, even higher on the list:

Which is seen all too often right here!

EDIT

I misunderstood his ordering:

"almost"?  A youngster, then!

What is an embedded application supposed to do if malloc() fails?  Typically there is no "screen" or "keyboard" available to warn the user (which may be a toaster and not a human).

That's why I always specifically use "uint32_t" or "int16_t" or whatever so that I KNOW how many bits I have.

That won't save you if an expression relies on rules of promotion instead of explicit casting.  It is not enough to cast to a built-in type, you must cast to a stdint type.

Some system and/or safety specifications and/or standards would require a safe before reset; an example would be to apply a winch's brake.

Some systems have a PCBA watchdog in addition to the MCU's watchdog; part of an active assertion is to make certain the PCBA's watchdog bites.

Now :

https://en.wikipedia.org/wiki/Assert.h

Was :

https://en.wikibooks.org/wiki/C_Programming/Preprocessor_directives_and_macros#Compile-time_assertions

in

https://en.wikibooks.org/wiki/C_Programming/Preprocessor_directives_and_macros#Useful_Preprocessor_Macros_for_Debugging

assertions are expanded on in "Adding Automatic Debugging to Firmware for Embedded Systems" by Jack Ganssle :

http://www.ganssle.com/item/automatically-debugging-firmware.htm

https://www.dialog-semiconductor.com/greenpak-application-notes?combine=watchdog

H6006 Failsafe Watchdog

https://www.soemtron.org/downloads/disposals/h6006.pdf

Edit : strikethru and corrections

Edit1 : H6006

Krupski wrote:

What is an embedded application supposed to do if malloc() fails?

An assertion or an exception

More on assertions and exceptions at 18m24s for about 12m in

Vimeo

Webinar: Inexpensive Firmware Process Improvements for Small Teams

by Susan McCord, Principal Engineer at Barr Group

June 28, 2017

https://vimeo.com/223539610 (almost 54m)

Webinar: Inexpensive Firmware Process Improvements for Small Teams - YouTube (48m56s)

Are you a member of a small design team? Does your team struggle to use industry best practices for software development because they are believed to be too costly or difficult to setup and use? In this webinar, learn practical and easy-to-apply process improvements that even the smallest design teams can use to make firmware easier to code, debug and test, with a tools cost of less than $600.

• Susan is on at 3m17s
• Outline at 5m59s
• Obstacles at 45m43s
• How to effort the obstacles at 48m27s
• Toolmakers at 50m31s
• Susan's 600USD tools BOM at 51m00s

https://en.wikibooks.org/wiki/C_Programming/setjmp.h#Exception_handling

https://vimeo.com/barrgroup

http://www.gimpel.com/html/pcl.htm (PC-lint)

https://web.archive.org/web/20180628005621/http://www.gimpel.com/html/pcl.htm

https://msquaredtechnologies.com/Resource-Standard-Metrics.html

https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard

Edit: old gimpel.com

edit2 : Vimeo URL gone; replaced with YouTube URL

Barr Group - YouTube

Doesn't answer the question!

It just moves it on to: what should the assertion or exception handler do?

Which, as Cliff said, "depends on the app and its use of RAM".

One of the software development best practices for safety-critical is use of a static analyzer.

Some are implementing safety-critical functionality in memory-safe embedded computer languages (these have built-in static analysis)

A possible follow-on to C is Checked C.

Checked C may be an embedded memory-safe computer language.

Electronic Design

It’s Time to Use a Safer C

C and C++ remain the leading languages employed in embedded systems, but challenges persist when it comes to safety-related applications.

by William Wong

Sep 13, 2018

https://www.electronicdesign.com/automotive/it-s-time-use-safer-c

...

Checked C is a combination of static- and dynamic-analysis techniques designed to support spatial safety. 

...

(in the first paragraph after the first source code snippet)

Unlike many other research papers, though, this technology, in some form, is more likely to eventually wind up in a product or open-source project because of the backer [Microsoft Research].

...

https://www.microsoft.com/en-us/research/project/checked-c/

Edit: Checked C URL

Ada Compiler Generates C Source

AdaCore’s latest GNAT Pro Ada compiler can generate C source code, delivering portability to most platforms with a C compiler.

by William Wong

Nov 16, 2018

...

It was originally done to support the popular 8-bit Microchip AVR that AdaCore doesn’t support with its native code support targeting platforms, such as the 32- and 64-bit x86, ARM, RISC-V, and Power architectures.

...

AdaCore has Ada on AVR at GCC 4.5 (no XMEGA) though that may be legacy or NRND or EOL.

Third parties have taken Ada on AVR to GCC 4.9 (XMEGA) and a relative few others have gone further to GCC 8 or 9.

It handles a subset of Ada, but this still includes features like fixed-point support and the minimal standard library. Features not supported are ones that would be hard to implement or those not supported by C compilers like overflow checks. 

assertions are one work-around for lack of overflow checks :

1. Getting Started — GNAT Pro Common Code Generator User's Guide Supplement 20.0w documentation, Enabling/Disabling Runtime Assertions

Support for 8-bit platforms is just one reason to use CCG. It can handle other platforms that don’t support Ada and SPARK compilers.

CCG documentation has a few mentions of C99 enabling some Ada; MPLAB XC8 is up to C99 so PIC in addition to AVR.

16-bit MCU :

• MSP430^TM is in FSF GCC so simply build GCC given GCC's Ada front-end
• Xstormy16 is likewise
• H8/300 is likewise
• RL78 is likewise
• PIC24, dsPIC - CCG would be easier than re-building MPLAB XC16

Atmel® AVR® 8-bit microcontroller | Embedded Development | GNAT Pro | AdaCore

Downloads - Adacore (Select your platform pull-down menu, AVR)

I didn't know you could get Ada for AVR | AVR Freaks

MPLAB- XC Compilers | Microchip Technology

https://www.onsemi.com/PowerSolutions/search.do?searchType=others&query=Xstormy16

H8 Family | Renesas Electronics

8/16-bit Ultra-low energy MCUs (RL78) | Renesas Electronics

Edit: H8, RL78

Ten Years of Using SPARK to Build CubeSat Nano Satellites With Students - The AdaCore Blog

by Peter Chapin (software director of the CubeSat Laboratory at Vermont Technical College)

Mar 01, 2019

(last paragraph)

In November 2013 we launched a low Earth orbiting CubeSat. ...

Ours worked for two years until it reentered Earth's atmosphere as planned in November 2015. 

...

Arctic Sea Ice Buoy and CubeSat Projects - GAP Member Projects - Adacore

GAP - GNAT Academic Program, Academia - Adacore