On Embedded.com, a real "doozie":
8 – The undisciplined use of C and C++
Worth the few minutes it takes to read, IMHO! Does not knock C/C++ but points out some of the ways we misuse it.
https://www.embedded.com/electro...
Jim
On Embedded.com, a real "doozie":
8 – The undisciplined use of C and C++
Worth the few minutes it takes to read, IMHO! Does not knock C/C++ but points out some of the ways we misuse it.
https://www.embedded.com/electro...
Jim
Thanks for that was a good read!
When there’s no choice but to use dynamic memory, a disciplined use of C is to check malloc’s return value and take some action if malloc was unable to do its job. Yet I almost never see that test performed.
Jack may state use assert for that malloc check and strongly recommend use of a linter.
A linter may detect some memory leaks; that's more so for a whole program linter though a file-scope linter might catch such.
Plenty of other people have recognized that flamboyant C/C++ use is dangerous and have proposed rules to tame the languages, and to make them reasonable for use in safety-critical applications.
One of the software development best practices for safety-critical is use of a static analyzer.
Some are implementing safety-critical functionality in memory-safe embedded computer languages (these have built-in static analysis)
assert, lint :
The Ganssle Group
Adding Automatic Debugging to Firmware for Embedded Systems
by Jack Ganssle
Major rewrite: May, 2014
Initial release: February, 2007
http://www.ganssle.com/item/automatically-debugging-firmware.htm
a whole program C linter :
Gimpel Software
PC-lint/FlexeLint for C
Representative Checks
http://www.gimpel.com/html/lintchks.htm
https://web.archive.org/web/20180222210813/http://www.gimpel.com/html/lintchks.htm
...
from value tracking information we can detect under many circumstances:
- ...
- inappropriate deallocation
- memory leaks
- ...
...
statically detectable memory leaks
...
a file-scope C/C++ linter :
Microsoft Docs
-analyze (Code Analysis)
https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis
https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis#remarks
best practices :
Barr Group
Firmware Update v18.03
2018-03-13
https://barrgroup.com/resources/firmware-update/v1803
...
The State of Embedded Systems Safety
...
memory-safe computer languages :
https://www.avrfreaks.net/forum/memory-safe-computer-languages
Edit: old gimpel.com
On Embedded.com, a real "doozie":
8 – The undisciplined use of C and C++
And I immediately thought
8 – The undisciplined use of nitroglycerin
I haven't looked into this at all, but apparently there is a new Ada offering from AdaCore that outputs C as intermediate code, so it can be used on any architecture that has a C compiler. I'm a C programmer from the 8086 days, but I am by no means blind to its dangers and limitations.
... but apparently there is a new Ada offering from AdaCore that outputs C as intermediate code, so it can be used on any architecture that has a C compiler.
Inside AdaCore is published twice a year simultaneously in New York and Paris by AdaCore
January-June 2018
https://www.adacore.com/uploads/newsletter/01-10-2018_pages.pdf
(page 5, next to last article)
GNAT Pro CCG Expands Ada Availability
The new GNAT Pro CCG product (Common Code Generator) is a compiler that takes a SPARK-like subset of Ada—basically excluding features that require run-time support—and generates C source code. It thus allows customers to use Ada for any target processor that has a C compiler even if no Ada compiler is available. The C program that is output is not meant as maintainable source code, but rather serves as a portable intermediate representation (which will be input to a C compiler) during the building of an executable. With GNAT Pro CCG, Ada programs complying with the supported subset can run on virtually any target processor. For more information please contact info@adacore.com.
via https://www.adacore.com/newsletter/january-june-2018
Appears that GNAT Pro CCG is a productized instance of what the ones at Vermont Technical College (VTC) created for a LEO CubeSat.
COTS CubeSat MCU are mostly 16b (MSP430TM and PIC24); IIRC, at that time VTC didn't have available FSF MSP430 GCC and therefore its Ada/SPARK front-end.
Intersil (now Renesas) has geostationary-rated 80C86 ; AdaCore GNAT Pro Assurance would be a fit for that MPU.
P.S.
One can still get themselves wrapped around the axle with Ada, as Ada shares the same kind of memory-unsafe operations as C.
An Ada compiler's front-end does the equivalent of lint and Ada's predefined STORAGE_ERROR exception would make apparent a heap exhaustion that could be caught by a C assert.
http://www.adaic.org/2014/03/photo-vtc-cubesat/
PS - That's 'GanSsle', not 'GanNsle'. S.
And I immediately thought
8 – The undisciplined use of nitroglycerin
The Wages of Fear (1953) - IMDb
https://www.rogerebert.com/reviews/the-wages-of-fear-1992
Ooopsie on the name. Ganssle. Subject line corrected.
Jim
But, even higher on the list:
9 - Jumping into coding too quickly
Which is seen all too often right here!
EDIT
I misunderstood his ordering:
Going forward each item gets progressively more effective at project-killing.
C is an ancient language dating back to prehistoric 1972.
Damn, I'm almost prehistoric too
Then there's int. What does that mean? No one really knows; it depends on the compiler, the processor, and the wind direction.
Yup, that's why stdint.h exists. Problem is, the C standard mandates that int is used by default in intermediate computations and that sometimes leads to very insidious problems.
"almost"? A youngster, then!
No one really knows
I guess that's a classic example of lack of discipline!
The meaning is clearly specified: you just have to understand that it is implementation defined - and all that entails.
The problem is when you have to deal with other people's lack of discipline, who for example assumed int is 32 bit, then you port to a platform where int is 16 bit and everything blows up.
The problem is when you have to deal with other people's lack of discipline
Indeed.
who for example assumed int is 32 bit
and call it, "WORD"
Thanks for that was a good read!
When there’s no choice but to use dynamic memory, a disciplined use of C is to check malloc’s return value and take some action if malloc was unable to do its job. Yet I almost never see that test performed.
What is an embedded application supposed to do if malloc() fails? Typically there is no "screen" or "keyboard" available to warn the user (which may be a toaster and not a human).
The problem is when you have to deal with other people's lack of discipline, who for example assumed int is 32 bit, then you port to a platform where int is 16 bit and everything blows up.
That's why I always specifically use "uint32_t" or "int16_t" or whatever so that I KNOW how many bits I have.
That's why I always specifically use "uint32_t" or "int16_t" or whatever so that I KNOW how many bits I have.
That won't save you if an expression relies on rules of promotion instead of explicit casting. It is not enough to cast to a built-in type, you must cast to a stdint type.
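Concrete instances of the promotion problem raised above, as an added example (not code from this thread): fixed-width types do not stop the operands from being promoted to int before the arithmetic happens, so the result depends on the target's int width unless the expression is cast back to the intended width.

```c
/* Added example: integer promotion pitfalls that survive the use of
 * <stdint.h> fixed-width types. */
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>

/* Does every bit of x equal 1?  The operand of ~ is promoted to int, so for
 * x == 0xFF the value ~x is -256, never 0: this version always returns false. */
bool all_ones_bug(uint8_t x)   { return ~x == 0; }
/* Fix: bring the result back to the intended width before comparing. */
bool all_ones_fixed(uint8_t x) { return (uint8_t)~x == 0; }

/* Intended: 32-bit product of two 16-bit operands.
 * a * b is evaluated in int.  With a 32-bit int that is signed overflow
 * (undefined behaviour) once the product exceeds INT_MAX; with a 16-bit int
 * (AVR) it overflows beyond 32767.  The uint32_t return type never helps,
 * because the damage is done before the conversion. */
uint32_t mul16_bug(uint16_t a, uint16_t b)   { return a * b; }
/* Fix: widen one operand first so the multiplication is done in uint32_t. */
uint32_t mul16_fixed(uint16_t a, uint16_t b) { return (uint32_t)a * b; }

/* "Has the 16-bit tick counter moved on?"
 * With a 32-bit int both operands become signed: 1 - 2 == -1, so the test
 * fails.  With a 16-bit int, uint16_t is promoted to unsigned int instead,
 * 1 - 2 == 65535, and the same source gives the opposite answer. */
bool later_bug(uint16_t now, uint16_t then)   { return now - then > 0; }
/* Fix: truncate the difference to the intended width and compare there. */
bool later_fixed(uint16_t now, uint16_t then) { return (uint16_t)(now - then) > 0; }
```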
What is an embedded application supposed to do if malloc() fails?
Typically there is no "screen" or "keyboard" available to warn the user (which may be a toaster and not a human).
Some system and/or safety specifications and/or standards would require a safe before reset; an example would be to apply a winch's brake.
Some systems have a PCBA watchdog in addition to the MCU's watchdog; part of an active assertion is to make certain the PCBA's watchdog bites.
Now :
https://en.wikipedia.org/wiki/Assert.h
Was :
in
assertions are expanded on in "Adding Automatic Debugging to Firmware for Embedded Systems" by Jack Ganssle :
http://www.ganssle.com/item/automatically-debugging-firmware.htm
https://www.dialog-semiconductor.com/greenpak-application-notes?combine=watchdog
H6006 Failsafe Watchdog
Edit : strikethru and corrections
Edit1 : H6006
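An added example (not code from this thread) of the discipline described above: a heap sized at build time whose allocator reports exhaustion with NULL, a call site that tests the result every time, and an active assertion that reaches a safe state and then lets the watchdog bite. The board structure, its brake flag and its watchdog flag are hypothetical stand-ins for real output pins and a watchdog register.

```c
/* Added example: disciplined malloc() use on an MCU with no screen. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HEAP_BYTES 256u             /* heap size fixed at build time, as on any MCU */
static uint8_t heap[HEAP_BYTES];
static size_t  heap_used;

/* Hypothetical board state driven by the assertion handler; on real hardware
 * these would be an output pin and the watchdog feed. */
typedef struct { bool brake_applied; bool watchdog_fed; } board_t;
static board_t board = { false, true };

/* Minimal bump allocator standing in for malloc(): it returns NULL when the
 * fixed heap is exhausted instead of pretending memory is infinite. */
void *heap_alloc(size_t n)
{
    n = (n + 3u) & ~(size_t)3u;                       /* keep 4-byte alignment */
    if (n == 0 || n > HEAP_BYTES - heap_used) return NULL;
    void *p = &heap[heap_used];
    heap_used += n;
    return p;
}

/* Active assertion for a system with no user to warn: reach a safe state
 * first (e.g. apply the winch brake), then stop feeding the watchdog so the
 * hardware resets the MCU.  On a real board this would end in an endless
 * loop waiting for that reset; here it just records what was done. */
void assert_failed(board_t *b)
{
    b->brake_applied = true;
    b->watchdog_fed  = false;                         /* the watchdog will now bite */
}

/* Disciplined call site: the return value is tested on every call. */
void *alloc_or_fail(size_t n)
{
    void *p = heap_alloc(n);
    if (p == NULL) assert_failed(&board);
    return p;
}

bool board_is_safe(void) { return board.brake_applied && !board.watchdog_fed; }

/* Test helper: what a reset would leave behind. */
void heap_reset(void) { heap_used = 0; board.brake_applied = false; board.watchdog_fed = true; }
```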
possibly flagged by PC-lint
http://www.gimpel.com/html/lintchks.htm
https://web.archive.org/web/20180222210813/http://www.gimpel.com/html/lintchks.htm
...
- wide variety of loss of precision errors such as int to char featuring our exclusive precision tracking
...
Edit: old gimpel.com
Krupski wrote:
What is an embedded application supposed to do if malloc() fails?
An assertion or an exception
More on assertions and exceptions at 18m24s for about 12m in
Vimeo
Webinar: Inexpensive Firmware Process Improvements for Small Teams
by Susan McCord, Principal Engineer at Barr Group
June 28, 2017
https://vimeo.com/223539610 (almost 54m)
Webinar: Inexpensive Firmware Process Improvements for Small Teams - YouTube (48m56s)
Are you a member of a small design team? Does your team struggle to use industry best practices for software development because they are believed to be too costly or difficult to setup and use? In this webinar, learn practical and easy-to-apply process improvements that even the smallest design teams can use to make firmware easier to code, debug and test, with a tools cost of less than $600.
https://en.wikibooks.org/wiki/C_Programming/setjmp.h#Exception_handling
http://www.gimpel.com/html/pcl.htm (PC-lint)
https://web.archive.org/web/20180628005621/http://www.gimpel.com/html/pcl.htm
https://msquaredtechnologies.com/Resource-Standard-Metrics.html
https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard
Edit: old gimpel.com
edit2 : Vimeo URL gone; replaced with YouTube URL
Too often people just use malloc like it's an infinite resource
Indeed.
And they seem to think that it can somehow, magically, create extra memory.
In an embedded system (certainly of the type relevant to this site), the heap size has to be defined at build time anyhow - so there is seldom any real advantage over static allocation anyhow.
Micro Digital
eheap vs. dlmalloc
by Ralph Moore, smx Architect
February 2016
http://www.smxrtos.com/articles/eheapvdlmalloc.htm
...
(about 3/4 page)
This [heap failure by fragmentation] is not necessarily catastrophic, especially in embedded systems. The task requesting the large block could be rescheduled to run at a later time, then try again. Another approach is for less important tasks to free their heap blocks, with merging enabled. Obviously, mission-critical tasks should not use the heap or they should only request small blocks, which are always available.
...[merge control, eheap recovery, eheap extension, partial shutdown then partial restart, complete shutdown then eheap re-initialization then complete restart]
...
via http://www.smxrtos.com/eheap/index.html
One of the software development best practices for safety-critical is use of a static analyzer.
Some are implementing safety-critical functionality in memory-safe embedded computer languages (these have built-in static analysis)
A possible follow-on to C is Checked C.
Checked C may be an embedded memory-safe computer language.
Electronic Design
It’s Time to Use a Safer C
C and C++ remain the leading languages employed in embedded systems, but challenges persist when it comes to safety-related applications.
by William Wong
Sep 13, 2018
https://www.electronicdesign.com/automotive/it-s-time-use-safer-c
...
Checked C is a combination of static- and dynamic-analysis techniques designed to support spatial safety.
...
(in the first paragraph after the first source code snippet)
Unlike many other research papers, though, this technology, in some form, is more likely to eventually wind up in a product or open-source project because of the backer [Microsoft Research].
...
https://www.microsoft.com/en-us/research/project/checked-c/
Edit: Checked C URL
Two instances of CCG (Ada to C) for mega328 (mini sumo robot) and mega32U4 (Tetris) in
https://blog.adacore.com/tag/AVR
Ada Compiler Generates C Source
AdaCore’s latest GNAT Pro Ada compiler can generate C source code, delivering portability to most platforms with a C compiler.
by William Wong
Nov 16, 2018
...
It was originally done to support the popular 8-bit Microchip AVR that AdaCore doesn’t support with its native code support targeting platforms, such as the 32- and 64-bit x86, ARM, RISC-V, and Power architectures.
...
AdaCore has Ada on AVR at GCC 4.5 (no XMEGA) though that may be legacy or NRND or EOL.
Third parties have taken Ada on AVR to GCC 4.9 (XMEGA) and a relative few others have gone further to GCC 8 or 9.
It handles a subset of Ada, but this still includes features like fixed-point support and the minimal standard library. Features not supported are ones that would be hard to implement or those not supported by C compilers like overflow checks.
assertions are one work-around for lack of overflow checks :
Support for 8-bit platforms is just one reason to use CCG. It can handle other platforms that don’t support Ada and SPARK compilers.
CCG documentation has a few mentions of C99 enabling some Ada; MPLAB XC8 is up to C99 so PIC in addition to AVR.
16-bit MCU :
Atmel® AVR® 8-bit microcontroller | Embedded Development | GNAT Pro | AdaCore
Downloads - Adacore (Select your platform pull-down menu, AVR)
I didn't know you could get Ada for AVR | AVR Freaks
MPLAB- XC Compilers | Microchip Technology
https://www.onsemi.com/PowerSolutions/search.do?searchType=others&query=Xstormy16
H8 Family | Renesas Electronics
8/16-bit Ultra-low energy MCUs (RL78) | Renesas Electronics
Edit: H8, RL78
C language update puts backward compatibility first | InfoWorld
A first working draft proposal for the next version of C clarifies and refines existing features, rather than adding new ones
NOV 12, 2018
[C2x]
...
C is the foundation for many popular software projects such as the Linux kernel and it remains a widely used language, currently second in the Tiobe index.
...
Previous revisions to the C standard added features to help with memory management—including the “Annex K” bounds-checking feature. However, one of the proposals on the table for C2x is to deprecate or remove the Annex K APIs, because their in-the-field implementations are largely incomplete, non-conformant, and non-portable. Alternative proposals include replacing these APIs with third-party bounds-checking systems like Valgrind or the Intel Pointer Checker, introducing refinements to the memory model, or adding new ways to perform bounds checking for memory objects.
Aside from revisions to the official C standard, other projects have bubbled up to offer better ways to write C. Microsoft’s Checked C extension adds checks to prevent many common errors with memory handling. Jens Gustedt, a core contributor to the C standard, has his own Modular C proposal that gives C a module system akin to those found in higher-level languages.
...
Pointer Checker | Intel® Software
Ten Years of Using SPARK to Build CubeSat Nano Satellites With Students - The AdaCore Blog
by Peter Chapin (software director of the CubeSat Laboratory at Vermont Technical College)
Mar 01, 2019
(last paragraph)
In November 2013 we launched a low Earth orbiting CubeSat. ...
Ours worked for two years until it reentered Earth's atmosphere as planned in November 2015.
...
Arctic Sea Ice Buoy and CubeSat Projects - GAP Member Projects - Adacore
GAP - GNAT Academic Program, Academia - Adacore
AdaCore Toolchain for Ada, SPARK and C Now Qualified for ISO 26262 and IEC 61508 - AdaCore
New York and Paris
February 18, 2020
...
- The Common Code Generator (CCG), which compiles from a SPARK-like Ada subset to C code. CCG allows projects to cross-compile Ada and SPARK applications to any hardware target that provides a C compiler, including targets that do not come with off-the-shelf Ada support.
...
Both the GNAT Pro compiler and CCG received TCL3 qualification under ISO 26262, and T3 qualification under IEC 61508.
...
About ISO 26262 and IEC 61508
ISO 26262 is a functional safety standard for automotive systems and a derivative of the generic IEC 61508 standard for electrical/electronic/programmable electronic ("E/E/PE") systems....
... Tool Confidence Level (TCL) ...
...
Software-related requirements are defined in Part 3 of IEC 61508, with the identification of techniques and measures for software development/verification; the specific requirements are based on the SIL [safety integrity level]. The standard specifies three tool qualification categories:
...
- T3: the tool can produce output that is part of the executable (e.g., a compiler).
...