Jack Ganssle's "Reason #8" on why embedded software projects run into trouble


On Embedded.com, a real "doozie": 

 

8 – The undisciplined use of C and C++

 

Worth the few minutes it takes to read, IMHO! Does not knock C/C++ but points out some of the ways we misuse it.

 

https://www.embedded.com/electro...

 

Jim

 

 

Jim Wagner Oregon Research Electronics, Consulting Div. Tangent, OR, USA http://www.orelectronics.net

Last Edited: Thu. Aug 23, 2018 - 04:58 AM

Thanks for that, was a good read!

 

When there’s no choice but to use dynamic memory, a disciplined use of C is to check malloc’s return value and take some action if malloc was unable to do its job. Yet I almost never see that test performed.

Jack may state use assert for that malloc check and strongly recommend use of a linter.

A linter may detect some memory leaks; that's more so for a whole program linter though a file-scope linter might catch such.

 

Plenty of other people have recognized that flamboyant C/C++ use is dangerous and have proposed rules to tame the languages, and to make them reasonable for use in safety-critical applications.

One of the software development best practices for safety-critical is use of a static analyzer.

Some are implementing safety-critical functionality in memory-safe embedded computer languages (these have built-in static analysis).

 


assert, lint : 

The Ganssle Group

Adding Automatic Debugging to Firmware for Embedded Systems

by Jack Ganssle

Major rewrite: May, 2014

Initial release: February, 2007

http://www.ganssle.com/item/automatically-debugging-firmware.htm

a whole program C linter : 

Gimpel Software

PC-lint/FlexeLint for C

Representative Checks

http://www.gimpel.com/html/lintchks.htm

https://web.archive.org/web/20180222210813/http://www.gimpel.com/html/lintchks.htm

...

from value tracking information we can detect under many circumstances:

  • ...
  • inappropriate deallocation
  • memory leaks
  • ...

...

statically detectable memory leaks

...

a file-scope C/C++ linter : 

Microsoft Docs

-analyze (Code Analysis)

https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis

https://docs.microsoft.com/en-us/cpp/build/reference/analyze-code-analysis#remarks

best practices :

Barr Group

Firmware Update v18.03

2018-03-13

https://barrgroup.com/resources/firmware-update/v1803

...

The State of Embedded Systems Safety

...

memory-safe computer languages :

https://www.avrfreaks.net/forum/memory-safe-computer-languages

 

Edit: old gimpel.com

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Sep 6, 2018 - 07:07 PM

ka7ehk wrote:

On Embedded.com, a real "doozie": 

 

8 – The undisciplined use of C and C++

 

And I immediately thought

 

8 – The undisciplined use of nitroglycerin

 

I haven't looked into this at all, but apparently there is a new Ada offering from AdaCore that outputs C as intermediate code, so it can be used on any architecture that has a C compiler.  I'm a C programmer from the 8086 days, but I am by no means blind to its dangers and limitations.


kk6gm wrote:
... but apparently there is a new Ada offering from AdaCore that outputs C as intermediate code, so it can be used on any architecture that has a C compiler.

Inside AdaCore is published twice a year simultaneously in New York and Paris by AdaCore

January-June 2018

https://www.adacore.com/uploads/newsletter/01-10-2018_pages.pdf

(page 5, next to last article)

GNAT Pro CCG Expands Ada Availability

The new GNAT Pro CCG product (Common Code Generator) is a compiler that takes a SPARK-like subset of Ada—basically excluding features that require run-time support—and generates C source code. It thus allows customers to use Ada for any target processor that has a C compiler even if no Ada compiler is available.  The C program that is output is not meant as maintainable source code, but rather serves as a portable intermediate representation (which will be input to a C compiler) during the building of an executable. With GNAT Pro CCG, Ada programs complying with the supported subset can run on virtually any target processor. For more information please contact info@adacore.com.

via https://www.adacore.com/newsletter/january-june-2018

Appears that GNAT Pro CCG is a productized instance of what the ones at Vermont Technical College (VTC) created for a LEO CubeSat.

COTS CubeSat MCUs are mostly 16b (MSP430 and PIC24); IIRC, at that time VTC didn't have available FSF MSP430 GCC and therefore its Ada/SPARK front-end.

Intersil (now Renesas) has a geostationary-rated 80C86; AdaCore GNAT Pro Assurance would be a fit for that MPU.

 

P.S.

One can still get themselves wrapped around the axle with Ada, as Ada shares the same kind of memory-unsafe operations as C.

An Ada compiler's front-end does the equivalent of lint and Ada's predefined STORAGE_ERROR exception would make apparent a heap exhaustion that could be caught by a C assert.

 


http://www.adaic.org/2014/03/photo-vtc-cubesat/

https://www.renesas.com/us/en/products/space-harsh-environment/rad-hard-digital/rh-microprocessors-peripherals.html

 

"Dare to be naïve." - Buckminster Fuller


PS - That's 'GanSsle', not 'GanNsle'. S.


kk6gm wrote:
And I immediately thought

 

8 – The undisciplined use of nitroglycerin

IIRC, one of the best movies :

The Wages of Fear (1953) - IMDb

https://www.imdb.com/title/tt0046268/

https://www.rogerebert.com/reviews/the-wages-of-fear-1992

 

"Dare to be naïve." - Buckminster Fuller


Ooopsie on the name. Ganssle. Subject line corrected.

 

Jim

 

Jim Wagner Oregon Research Electronics, Consulting Div. Tangent, OR, USA http://www.orelectronics.net

Last Edited: Thu. Aug 23, 2018 - 04:59 AM

But, even higher on the list:

Which is seen all too often right here!

 

EDIT

 

I misunderstood his ordering:

In #10, Jack Ganssle wrote:
Going forward each item gets progressively more effective at project-killing.

Top Tips:

  1. How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
  2. "Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
  3. Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
  4. Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
  5. When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
  6. Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...
Last Edited: Thu. Aug 23, 2018 - 07:09 AM

C is an ancient language dating back to prehistoric 1972.

Damn, I'm almost prehistoric too :(

 

Then there's int. What does that mean? No one really knows; it depends on the compiler, the processor, and the wind direction.

Yup, that's why stdint.h exists. Problem is, the C standard mandates that int is used by default in intermediate computations and that sometimes leads to very insidious problems.


"almost"?  A youngster, then!


El Tangas wrote:
No one really knows

I guess that's a classic example of lack of discipline!

 

The meaning is clearly specified: you just have to understand that it is implementation defined - and all that entails.

 


The problem is when you have to deal with other people's lack of discipline, who for example assumed int is 32 bit, then you port to a platform where int is 16 bit and everything blows up.


El Tangas wrote:
The problem is when you have to deal with other people's lack of discipline

Indeed.

 

who for example assumed int is 32 bit

and call it, "WORD"

 


 


gchapman wrote:

Thanks for that was a good read!

 

When there’s no choice but to use dynamic memory, a disciplined use of C is to check malloc’s return value and take some action if malloc was unable to do its job. Yet I almost never see that test performed.

 

 

What is an embedded application supposed to do if malloc() fails?  Typically there is no "screen" or "keyboard" available to warn the user (which may be a toaster and not a human).

Gentlemen may prefer Blondes, but Real Men prefer Redheads!


El Tangas wrote:

The problem is when you have to deal with other people's lack of discipline, who for example assumed int is 32 bit, then you port to a platform where int is 16 bit and everything blows up.

 

That's why I always specifically use "uint32_t" or "int16_t" or whatever so that I KNOW how many bits I have.

Gentlemen may prefer Blondes, but Real Men prefer Redheads!


That's why I always specifically use "uint32_t" or "int16_t" or whatever so that I KNOW how many bits I have.

That won't save you if an expression relies on rules of promotion instead of explicit casting.  It is not enough to cast to a built-in type, you must cast to a stdint type.

"Experience is what enables you to recognise a mistake the second time you make it."

"Good judgement comes from experience.  Experience comes from bad judgement."

"Wisdom is always wont to arrive late, and to be a little approximate on first possession."

"When you hear hoofbeats, think horses, not unicorns."

"Fast.  Cheap.  Good.  Pick two."

"We see a lot of arses on handlebars around here." - [J Ekdahl]
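As an added illustration of the point made just above about promotion rules (example code written for this page, not code from the thread or from Ganssle's article): the first pair shows the int-width assumption that bites when code written for a 32-bit int is ported to a 16-bit-int part such as an AVR, the second pair shows why a cast to a built-in type is not enough and a cast to the stdint type is, and the last pair shows the int-to-char loss of precision that a lint flags. The host compiling this has a 32-bit int, so the 16-bit-platform result is reproduced by an explicit truncation in `ms_as_16bit_int_platform`, a constructed helper, not something the page shows.

```c
#include <stdint.h>

/* Seconds -> milliseconds, written by someone who assumed int is 32 bits wide.
 * uint16_t is promoted before the multiply: with a 32-bit int the product
 * fits, with a 16-bit int (AVR, MSP430) it wraps modulo 65536. */
uint32_t ms_assuming_32bit_int(uint16_t seconds)
{
    return seconds * 1000;
}

/* Portable version: an explicit cast to a stdint type forces the arithmetic
 * into uint32_t, so the result no longer depends on sizeof(int). */
uint32_t ms_portable(uint16_t seconds)
{
    return (uint32_t)seconds * 1000UL;
}

/* Constructed helper: reproduces on a 32-bit-int host what the first version
 * computes on a 16-bit-int platform (product truncated to 16 bits), so the
 * failure can be seen without cross-compiling. ms(70 s) comes out as 4464. */
uint32_t ms_as_16bit_int_platform(uint16_t seconds)
{
    return (uint32_t)(uint16_t)(seconds * 1000u);
}

/* Bitwise complement: ~x is evaluated as int, so ~0xF0 is -241, not 0x0F. */
int low_nibble_set_no_cast(uint8_t x)
{
    return (~x) == 0x0F;             /* always 0: relies on promotion */
}

/* A cast to a built-in type does not help: (unsigned)(-241) is 0xFFFFFF0F
 * with a 32-bit int and 0xFF0F with a 16-bit int, never 0x0F. */
int low_nibble_set_builtin_cast(uint8_t x)
{
    return (unsigned)(~x) == 0x0F;   /* still 0 */
}

/* Cast to the stdint type the value actually lives in. */
int low_nibble_set_stdint_cast(uint8_t x)
{
    return (uint8_t)(~x) == 0x0F;    /* 1 for x == 0xF0 */
}

/* Loss of precision int -> char: the sum is computed in int, so averaging
 * two uint8_t values in one expression is correct... */
uint8_t avg_promoted(uint8_t a, uint8_t b)
{
    return (uint8_t)((a + b) / 2);
}

/* ...but parking the intermediate in a uint8_t first throws the high bits
 * away: 250 + 250 = 500 becomes 244, and the "average" is 122. */
uint8_t avg_narrowed_too_early(uint8_t a, uint8_t b)
{
    uint8_t sum = (uint8_t)(a + b);
    return (uint8_t)(sum / 2);
}
```

Compile with warnings enabled on both a 32-bit-int host and a 16-bit-int target if you can; only the `ms_portable` and `*_stdint_cast` versions give the same answer on both.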

 


Krupski wrote:
What is an embedded application supposed to do if malloc() fails? 
Surely that depends on the app and its use of RAM? Say something was being logged: you might choose, when malloc() returns 0, to start reusing existing storage cyclically on an LRU basis. While in another app the paucity of RAM may be entirely fatal and you have no option but to reset everything and start over. The key thing is that SOME remedial strategy is considered by the author and programmed in. Too often people just use malloc like it's an infinite resource that can never fail and they never check for 0.
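The LRU fallback described above, as an added example (written for this page, not code from the thread): `pool_alloc` is a constructed bump allocator over a build-time-sized arena that stands in for malloc() and returns NULL on exhaustion exactly as malloc does; `log_push` checks that return value and, instead of trusting an infinite heap, freezes the ring at the depth memory allowed and reuses the oldest entry cyclically. If nothing was ever allocated it returns -1 so the caller's own strategy (reset, in a less forgiving app) applies. The arena and entry sizes are constructed so exhaustion happens after four entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: in an embedded build the arena (heap) is fixed at build
 * time, so exhaustion is a design case, not a surprise. */
#define ARENA_BYTES 256u
#define ENTRY_BYTES 64u
#define RING_DEPTH  8u

typedef struct { char text[ENTRY_BYTES]; } log_entry_t;

_Static_assert(ARENA_BYTES >= sizeof(log_entry_t), "arena cannot hold one entry");

static uint8_t arena[ARENA_BYTES];
static size_t  arena_used;

/* Tiny bump allocator standing in for malloc(): like malloc it returns NULL
 * when the arena is exhausted, and that return value is what must be checked. */
void *pool_alloc(size_t n)
{
    n = (n + 3u) & ~(size_t)3u;           /* keep 4-byte alignment */
    if (arena_used + n > ARENA_BYTES)
        return NULL;
    void *p = &arena[arena_used];
    arena_used += n;
    return p;
}

static log_entry_t *ring[RING_DEPTH];
static unsigned ring_head;                /* slot the next push writes to */
static unsigned ring_count;               /* entries actually allocated */
static unsigned ring_cap = RING_DEPTH;    /* shrinks if memory runs out first */
static unsigned reuse_events;             /* times the LRU fallback was taken */

/* Push one log line. Returns the slot written, or -1 if no storage exists at
 * all (then the caller's own remedial strategy, e.g. reset, applies). */
int log_push(const char *msg)
{
    unsigned slot = ring_head;
    log_entry_t *e = ring[slot];

    if (e == NULL) {
        e = pool_alloc(sizeof *e);
        if (e == NULL) {
            /* Allocation failed: freeze the ring at the depth memory allowed
             * and reuse the oldest entry (slot 0, since we never wrapped). */
            if (ring_count == 0)
                return -1;
            ring_cap = ring_count;
            slot = 0;
            e = ring[0];
            reuse_events++;
        } else {
            ring[slot] = e;
            ring_count++;
        }
    }
    strncpy(e->text, msg, ENTRY_BYTES - 1u);
    e->text[ENTRY_BYTES - 1u] = '\0';
    ring_head = (slot + 1u) % ring_cap;   /* wrap: oldest entry is reused next */
    return (int)slot;
}

/* Oldest surviving line: the slot about to be overwritten once the ring has
 * wrapped, otherwise slot 0. */
const char *log_oldest(void)
{
    if (ring_count == 0)
        return NULL;
    return ring[ring_head] != NULL ? ring[ring_head]->text : ring[0]->text;
}

unsigned log_reuse_events(void) { return reuse_events; }

int main(void)
{
    for (int i = 0; i < 9; i++) {
        char line[16];
        snprintf(line, sizeof line, "m%d", i);
        printf("push %s -> slot %d\n", line, log_push(line));
    }
    printf("oldest: %s, reuse events: %u\n", log_oldest(), log_reuse_events());
    return 0;
}
```

With these sizes the fifth push is the first one malloc would have refused; the log keeps running with four entries instead of dereferencing NULL.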


Krupski wrote:
What is an embedded application supposed to do if malloc() fails?
assert() or static_assert

Krupski wrote:
Typically there is no "screen" or "keyboard" available to warn the user (which may be a toaster and not a human).
reset and/or reset after output (file and line of the assert) on a spare UART or USB or Ethernet (or etc)

Some system and/or safety specifications and/or standards would require a safe state before reset; an example would be to apply a winch's brake.

Some systems have a PCBA watchdog in addition to the MCU's watchdog; part of an active assertion is to make certain the PCBA's watchdog bites.

 


Now :

https://en.wikipedia.org/wiki/Assert.h

 

Was :

https://en.wikibooks.org/wiki/C_Programming/Preprocessor_directives_and_macros#Compile-time_assertions

in

https://en.wikibooks.org/wiki/C_Programming/Preprocessor_directives_and_macros#Useful_Preprocessor_Macros_for_Debugging

 

assertions are expanded on in "Adding Automatic Debugging to Firmware for Embedded Systems" by Jack Ganssle :

http://www.ganssle.com/item/automatically-debugging-firmware.htm

 

https://www.dialog-semiconductor.com/greenpak-application-notes?combine=watchdog

H6006 Failsafe Watchdog

https://www.soemtron.org/downloads/disposals/h6006.pdf

 

Edit : strikethru and corrections

Edit1 : H6006

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Sun. Aug 26, 2018 - 06:47 PM
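The assert, report file and line, safe state, then reset sequence described above, as an added example (written for this page, not code from the thread or from Ganssle's article): `FW_ASSERT` captures `__FILE__` and `__LINE__` and hands them to a hook, which is where the application-specific remedy lives. The default hook is a stand-in for output on a spare UART followed by waiting for the watchdog to bite; `safe_state_hook` sets a constructed brake flag first and then unwinds to a supervisor with longjmp, a setjmp/longjmp recovery point standing in for an exception. The `_Static_assert` line is the compile-time variant. The brake flag and the two tasks are constructed for illustration.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

/* Compile-time assertion (C11): catches configuration mistakes before the
 * firmware ever runs. The constant is constructed. */
#define LOG_ARENA_BYTES 256u
_Static_assert((LOG_ARENA_BYTES % 4u) == 0u, "log arena must be word aligned");

/* A failed assertion reports file and line, then calls a hook. */
typedef void (*assert_hook_t)(const char *file, int line);

static void default_assert_hook(const char *file, int line)
{
    /* Stand-in for: print on a spare UART, then let the watchdog reset us. */
    fprintf(stderr, "ASSERT failed at %s:%d\n", file, line);
    for (;;) { }                      /* wait for the (external) watchdog */
}

static assert_hook_t assert_hook = default_assert_hook;

void set_assert_hook(assert_hook_t h)
{
    assert_hook = (h != NULL) ? h : default_assert_hook;
}

/* Unlike assert() under NDEBUG, FW_ASSERT stays active in release builds. */
#define FW_ASSERT(cond) \
    do { if (!(cond)) assert_hook(__FILE__, __LINE__); } while (0)

/* Recovery point: the hook puts the plant in a safe state, records where it
 * failed, and unwinds to the supervisor instead of resetting outright. */
static jmp_buf     recovery_point;
static int         brake_applied;        /* constructed stand-in for an actuator */
static const char *last_assert_file;
static int         last_assert_line;

static void safe_state_hook(const char *file, int line)
{
    brake_applied = 1;                   /* safe state first, before anything else */
    last_assert_file = file;
    last_assert_line = line;
    longjmp(recovery_point, 1);
}

/* Run one task under supervision. Returns 0 if it completed, 1 if an
 * assertion fired and control came back here via longjmp. */
int supervised_run(void (*task)(void))
{
    if (setjmp(recovery_point) != 0)
        return 1;
    set_assert_hook(safe_state_hook);
    task();
    set_assert_hook(NULL);               /* back to the report-and-wait default */
    return 0;
}

int brake_is_applied(void) { return brake_applied; }
int last_failed_line(void) { return last_assert_line; }

/* Two constructed tasks for demonstration. */
void task_ok(void)  { FW_ASSERT(2 + 2 == 4); }
void task_bad(void) { FW_ASSERT(2 + 2 == 5); }   /* precondition is false */

int main(void)
{
    int ok  = supervised_run(task_ok);
    int bad = supervised_run(task_bad);
    printf("ok task: %d, bad task: %d, brake: %d, failed at %s:%d\n",
           ok, bad, brake_is_applied(), last_assert_file, last_failed_line());
    return 0;
}
```

On a real board the supervisor's recovery branch is where you decide between restarting the task and tripping the PCBA watchdog; the hook has already applied the brake either way.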

possibly flagged by PC-lint

http://www.gimpel.com/html/lintchks.htm

https://web.archive.org/web/20180222210813/http://www.gimpel.com/html/lintchks.htm

...

  • wide variety of loss of precision errors such as int to char featuring our exclusive precision tracking

...

 

Edit: old gimpel.com

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Sep 6, 2018 - 07:10 PM

Krupski wrote:

What is an embedded application supposed to do if malloc() fails?

An assertion or an exception

More on assertions and exceptions at 18m24s for about 12m in

Vimeo

Webinar: Inexpensive Firmware Process Improvements for Small Teams

by Susan McCord, Principal Engineer at Barr Group

June 28, 2017

https://vimeo.com/223539610 (almost 54m)

Webinar: Inexpensive Firmware Process Improvements for Small Teams - YouTube (48m56s)

Are you a member of a small design team? Does your team struggle to use industry best practices for software development because they are believed to be too costly or difficult to setup and use? In this webinar, learn practical and easy-to-apply process improvements that even the smallest design teams can use to make firmware easier to code, debug and test, with a tools cost of less than $600.

  • Susan is on at 3m17s
  • Outline at 5m59s
  • Obstacles at 45m43s
  • How to effort the obstacles at 48m27s
  • Toolmakers at 50m31s
  • Susan's 600USD tools BOM at 51m00s

 


https://en.wikibooks.org/wiki/C_Programming/setjmp.h#Exception_handling

https://vimeo.com/barrgroup

http://www.gimpel.com/html/pcl.htm (PC-lint)

https://web.archive.org/web/20180628005621/http://www.gimpel.com/html/pcl.htm

https://msquaredtechnologies.com/Resource-Standard-Metrics.html

https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard

 

Edit: old gimpel.com

 

edit2 : Vimeo URL gone; replaced with YouTube URL

Barr Group - YouTube

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Fri. Aug 9, 2019 - 03:19 AM

clawson wrote:
Too often people just use malloc like it's an infinite resource

Indeed.

 

And they seem to think that it can somehow, magically, create extra memory.

 

In an embedded system (certainly of the type relevant to this site), the heap size has to be defined at build time anyhow - so there is seldom any real advantage over static allocation.


gchapman wrote:

Krupski wrote:

What is an embedded application supposed to do if malloc() fails?

An assertion or an exception

Doesn't answer the question!

 

It just moves it on to: what should the assertion or exception handler do?

 

Which, as Cliff said, "depends on the app and its use of RAM".


Micro Digital

eheap vs. dlmalloc

by Ralph Moore, smx Architect

February 2016

http://www.smxrtos.com/articles/eheapvdlmalloc.htm

...

 

(about 3/4 page)

This [heap failure by fragmentation] is not necessarily catastrophic, especially in embedded systems. The task requesting the large block could be rescheduled to run at a later time, then try again. Another approach is for less important tasks to free their heap blocks, with merging enabled. Obviously, mission-critical tasks should not use the heap or they should only request small blocks, which are always available.
...

[merge control, eheap recovery, eheap extension, partial shutdown then partial restart, complete shutdown then eheap re-initialization then complete restart]

 

...

via http://www.smxrtos.com/eheap/index.html

 

"Dare to be naïve." - Buckminster Fuller


One of the software development best practices for safety-critical is use of a static analyzer.

Some are implementing safety-critical functionality in memory-safe embedded computer languages (these have built-in static analysis)

A possible follow-on to C is Checked C.

Checked C may be an embedded memory-safe computer language.

Electronic Design

It’s Time to Use a Safer C

C and C++ remain the leading languages employed in embedded systems, but challenges persist when it comes to safety-related applications.

by William Wong

Sep 13, 2018

https://www.electronicdesign.com/automotive/it-s-time-use-safer-c

...

Checked C is a combination of static- and dynamic-analysis techniques designed to support spatial safety. 

...

(in the first paragraph after the first source code snippet)

Unlike many other research papers, though, this technology, in some form, is more likely to eventually wind up in a product or open-source project because of the backer [Microsoft Research].

...

https://www.microsoft.com/en-us/research/project/checked-c/

 

Edit: Checked C URL

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Sat. Sep 15, 2018 - 10:48 AM

Two instances of CCG (Ada to C) for mega328 (mini sumo robot) and mega32U4 (Tetris) in

https://blog.adacore.com/tag/AVR

 

"Dare to be naïve." - Buckminster Fuller


Ada Compiler Generates C Source

AdaCore’s latest GNAT Pro Ada compiler can generate C source code, delivering portability to most platforms with a C compiler.

by William Wong

Nov 16, 2018

...

It was originally done to support the popular 8-bit Microchip AVR that AdaCore doesn’t support with its native code support targeting platforms, such as the 32- and 64-bit x86, ARM, RISC-V, and Power architectures.

...

AdaCore has Ada on AVR at GCC 4.5 (no XMEGA) though that may be legacy or NRND or EOL.

Third parties have taken Ada on AVR to GCC 4.9 (XMEGA) and a relative few others have gone further to GCC 8 or 9.

It handles a subset of Ada, but this still includes features like fixed-point support and the minimal standard library. Features not supported are ones that would be hard to implement or those not supported by C compilers like overflow checks. 

assertions are one work-around for lack of overflow checks :

1. Getting Started — GNAT Pro Common Code Generator User's Guide Supplement 20.0w documentation, Enabling/Disabling Runtime Assertions

Support for 8-bit platforms is just one reason to use CCG. It can handle other platforms that don’t support Ada and SPARK compilers.

CCG documentation has a few mentions of C99 enabling some Ada; MPLAB XC8 is up to C99 so PIC in addition to AVR.

16-bit MCU :

  • MSP430 is in FSF GCC so simply build GCC given GCC's Ada front-end
  • Xstormy16 is likewise
  • H8/300 is likewise
  • RL78 is likewise
  • PIC24, dsPIC - CCG would be easier than re-building MPLAB XC16

 


Atmel® AVR® 8-bit microcontroller | Embedded Development | GNAT Pro | AdaCore

Downloads - Adacore (Select your platform pull-down menu, AVR)

I didn't know you could get Ada for AVR | AVR Freaks

MPLAB- XC Compilers | Microchip Technology

https://www.onsemi.com/PowerSolutions/search.do?searchType=others&query=Xstormy16

H8 Family | Renesas Electronics

8/16-bit Ultra-low energy MCUs (RL78) | Renesas Electronics

 

Edit: H8, RL78

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Mon. Nov 26, 2018 - 03:42 PM

C language update puts backward compatibility first | InfoWorld

A first working draft proposal for the next version of C clarifies and refines existing features, rather than adding new ones

by 

NOV 12, 2018

[C2x]

...

C is the foundation for many popular software projects such as the Linux kernel and it remains a widely used language, currently second in the Tiobe index

...

Previous revisions to the C standard added features to help with memory management—including the “Annex K” bounds-checking feature. However, one of the proposals on the table for C2x is to deprecate or remove the Annex K APIs, because their in-the-field implementations are largely incomplete, non-conformant, and non-portable. Alternative proposals include replacing these APIs with third-party bounds-checking systems like Valgrind or the Intel Pointer Checker, introducing refinements to the memory model, or adding new ways to perform bounds checking for memory objects.

Aside from revisions to the official C standard, other projects have bubbled up to offer better ways to write C. Microsoft’s Checked C extension adds checks to prevent many common errors with memory handling. Jens Gustedt, a core contributor to the C standard, has his own Modular C proposal that gives C a module system akin to those found in higher-level languages. 

...

Valgrind Home

Pointer Checker | Intel® Software

 

"Dare to be naïve." - Buckminster Fuller


Ten Years of Using SPARK to Build CubeSat Nano Satellites With Students - The AdaCore Blog

by Peter Chapin (software director of the CubeSat Laboratory at Vermont Technical College)

Mar 01, 2019

(last paragraph)

In November 2013 we launched a low Earth orbiting CubeSat. ...

Ours worked for two years until it reentered Earth's atmosphere as planned in November 2015. 

...

Arctic Sea Ice Buoy and CubeSat Projects - GAP Member Projects - Adacore

GAP - GNAT Academic Program, Academia - Adacore

 

"Dare to be naïve." - Buckminster Fuller