Learning embedded systems - Page 2

Re: Learning embedded systems


Considering that there are quite well known projects, that used Ada, that
still failed (some in quite spectacular fashion), I would have thought that
would have constituted sufficient evidence that the programming language used
has little to do with the final system safety.

There are constructs in every language that, if used, are probably
potentially lethal in a system. What seems to be evident, though, is that
using an inadequately rigorously applied development process leads to
important facets of the system being missed. Such development processes
should include plenty of reviews, unit, integration and system level
testing and reviews of the results obtained.

I am not sure of the current distribution of languages in automotive
projects at present but I am sure that you will find quite a wide range,
including assemblers, which are still in there.

--
********************************************************************
Re: Learning embedded systems
On Sat, 05 Mar 2005 09:53:45 +0000, "Paul E. Bennett"


Yes, these include the assignment statement in most high level
languages, and various "move", "store" and "out" instructions in various
assembly languages. With a detonator connected to a PC port, it can be quite
lethal if an out instruction is executed on that port address. Thus,
all such instructions and constructs should be banned from all
environments :-) :-).

Paul
 

Re: Learning embedded systems

Of course a language is not a panacea.  But the appropriate choice
does avoid many errors.  How many C installations do overflow
checking, for example?  How many check a pointer range?  These
things can all produce fatal (in the larger sense) errors without
warning, and the sequences leading to them are easily missed even
by experienced programmers.  I want all the help I can get.

In the particular case under discussion I can envision the
plaintiff showing that previous practice would have detected the
error, and that sloppy programming, penny-pinching, and elimination
of the checks let it go through.  All that remains is to make it
clear to the jury, and the punitive awards should at least match
the potential savings.  The plaintiff can even show that modern
implementations such as Ada are available.  The results will
obviously vary with jurisprudence.

C has its place in critical software, but it is at the periphery,
not at the heart.

--
"If you want to post a followup via groups.google.com, don't use
 the broken "Reply" link at the bottom of the article.  Click on
Re: Learning embedded systems


From my sig you will have gathered that I use Forth for most of the systems
I design and build. Many of them are very mission critical. Yet, Forth does
not have the encumbrance of type checking, is fairly free of syntax
(except for that which you build in yourself) and will permit you to make
the biggest mess imaginable. However, because of the development process I
use, the care that I take in executing that development process and the
level of review that is incorporated within the design process, I can
readily produce fully certifiable embedded systems. I have also produced
high integrity systems with languages other than Forth, including
assembler, so choice of language has very little to do with the resultant
system safety. It means that I will probably consume less system resource
with my implementations than if I had used tools that cosset you.

Naturally, when choosing a compiler you should always verify that it
behaves as documented and examine the output code from samples for which
you know what to expect in the result. That means that many will
choose compiler products from companies that have a proven track record of
known good compiler writing.
 

Some of the language selection process will revolve around the availability
of programmers with appropriate domain experience or something close to it.
Those who develop critical systems should be aware of suitable constructs
in their chosen language (e.g. the MISRA-C guidelines) and have tuned their
checking tools to issue warnings when the code uses such constructs. Also,
as I have stated before, reviews are so important to the development
process (and I include testing as though it is a review, with a review of
its own results) that missing them should be avoided at all costs.

Re: Learning embedded systems

I am sure you can do so in Forth and assembly, and I can do so in C
and assembly.  But you and I are not writing that critical code for
the braking system, or the medical machinery.  Even if we were, we
are not quite as infallible as we like to think (but close).  At
the same time a well designed system will perform most checks at
compile time, and detect which run-time checks are useless, thus
approaching the resource usage of the unchecked system.  Especially
when the input is generated by such paragons as you and I are, who
know what the system can and cannot catch, and act accordingly.  We
will even deliberately install "can't happen" code blocks, whose
primary purpose is to catch hardware failures, since our logical
processes are perfect by definition.

I would rather trust my code written in C than Foo Q. Bar's code
written in Ada.  But I will be even more trusting of my code
written in Pascal.  In general, though, I distrust all computers
and other drivers on the road.

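The overflow check, the pointer-range check and the "can't happen" block that the two posts above describe, written out as an added example (this is not code from the thread or from any of its posters; every name and the valve state machine are hypothetical, and the sample data is constructed):

```c
/* Added example, not code from the thread: the overflow check, the
   pointer-range check and the "can't happen" trap that a C toolchain
   does not supply by itself, written out explicitly. All names are
   hypothetical; the sample buffer is constructed test data. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* "Can't happen" hook. A real controller would halt, reset or hand over
   to a hardware interlock here; this version only counts how often the
   trap fired so the effect can be observed. */
static int cant_happen_hits = 0;
static void cant_happen(void) { cant_happen_hits++; }

/* Scratch outputs and constructed sample data used by the checks below. */
static int32_t sum_out;
static uint8_t byte_out;
static const uint8_t sample[4] = { 1, 2, 3, 4 };

/* Checked 32-bit addition: reports overflow instead of wrapping silently. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;            /* would overflow: leave *out untouched */
    *out = a + b;
    return true;
}

/* Range-checked read: the index is validated against the size the caller
   states for the object, instead of trusting base + idx to be in bounds. */
bool checked_read_u8(const uint8_t *base, size_t len, size_t idx, uint8_t *out)
{
    if (base == NULL || idx >= len)
        return false;
    *out = base[idx];
    return true;
}

/* Valve state machine with an explicit trap for a state value the logic
   can never produce; reaching it means corrupted memory or a hardware
   fault, which is exactly what the trap exists to catch. */
typedef enum { ST_CLOSED = 0, ST_OPENING = 1, ST_OPEN = 2 } state_t;
state_t next_state(state_t s, bool command_open)
{
    switch (s) {
    case ST_CLOSED:  return command_open ? ST_OPENING : ST_CLOSED;
    case ST_OPENING: return command_open ? ST_OPEN : ST_CLOSED;
    case ST_OPEN:    return command_open ? ST_OPEN : ST_CLOSED;
    default:                       /* "can't happen" */
        cant_happen();
        return ST_CLOSED;          /* fail to the safe state */
    }
}
```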
Re: Learning embedded systems

The implementation of the tools and the Sw Engineering process are more
important than the language.

I knew someone who said the same until we discovered his Modula 2
compiler was written (badly) in x86 assembler and the library was full
of holes.  The Modula2 system was bug-ridden and unreliable. Of no use
for safety critical code.

The SW process and the standard of the tools is more important than the
language.


That seems fair enough...  I left my Horse in the car park :-)

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England    /\/\/\/\/\
/\/\/ snipped-for-privacy@phaedsys.org       www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Re: Learning embedded systems


Petro-chemical process plant, Nuclear Power Stations, Railway Signalling
and Safety Monitoring Systems, Anaesthesia Ventilators, Banking Smart
Cards and various robotics equipment performing very critical functions
have been in my remit. I have spent over 30 years constructing such systems
and have always used a decent engineering process approach to achieve the
system safety goals. So, yes, I have been involved in the critical code
generation segment. Be sure though, that there has always been a means, in
hardware, to mitigate any remaining failures within the software. I am not
saying that the software has ever gone wrong though (my first software, 4k
of hand crafted machine code, ran 25 years with no failures and no need for
modification).


I perform most of my checks well before the code is compiled (design
reviews, static code inspections etc). You would be amazed at how many of
the silly errors can be found this way.

Re: Learning embedded systems


C or assembly coding with a good coding standard and thorough code
reviews will catch many more problems than an Ada compiler alone.

This can be quite critical, especially if the Ada users are
overconfident due to an "it compiles, it is ready for shipping" attitude.

Paul


Re: Learning embedded systems

I would expect that attitude to be less prevalent with average Ada
programmers than with average C programmers.  The reason being that
the Ada programmer probably has an idea why he or she is using the
language in the first place.

Re: Learning embedded systems

"Because the DoD contract says so."

Ed


Re: Learning embedded systems

Are you seriously suggesting that Misra-C can rival Ada in
security?  All it can do is mitigate some of the more common
failings and misuse of C.  I have never read it, since they seem to
want real money for a copy.

Re: Learning embedded systems

Since you have not read it I would suggest hearsay is inadmissible.
Besides, my friend said it was perfect.

What is wrong with paying for a copy? You buy other tools, I assume.


Re: Learning embedded systems

As I look around this machine I have a hard time finding anything
in regular use that required actual money.  Apart from the OS,
which came with the hardware, the only things I can think of are
the editor (Textpad), the shell (4dos), and the printer utility
(fineprint).  I am renowned for my tight grasp on the currency of
the realm and the size of the moths that breed in my wallet.

Re: Learning embedded systems
Hold on to those tools -- they'll be valuable antiques any day now.

Ed


Re: Learning embedded systems

NOT so

What about the bus specs?


Fair enough.

However you have not given any reason why MISRA-C should be free. There
were costs in producing it.


Re: Learning embedded systems

There were costs in producing the specifications for Pascal and for
Ada, not to mention the costs of implementing them.  IMO both are
superior to MISRA in catching errors, yet both are available free
of charge.  The result is that I (and I suspect others) have very
little urge to pay for MISRA specifications.  I also conjecture
that I can write sounder C code while ignoring MISRA than can most
while adhering to MISRA.

Re: Learning embedded systems

So? Who paid the costs for Pascal and Ada? BTW I thought the US Gov.
bankrolled Ada.

Will you stump up the costs for doing MISRA-C so others can have it free?



OK... you won't pay for the tools of your trade.


Please prove that.  I.e. prove that in a way that would be usable in a
court of law. For example:-

MISRA-C has been approved by the SAE and JSAE and all the main auto
manufacturers. I can run automatic test tools on C code to show it is
MISRA-C compliant.  The contract requires MISRA-C compliance.
Sorted.

Your option is?
BTW Your option must be as cost effective as the MISRA-C option is.




Re: Learning embedded systems

You did note that I said conjecture?


But I have no contract or other reason, apart from curiosity, to
investigate MISRA.  Whether or not some code is MISRA compliant
means very little to me.  If it uses C I expect it is either so
emasculated as to be fairly pointless, or has the fundamental
faults of C.  The moment I can create and use an arbitrary pointer
into the midst of some object, reliability is out the window.

Of course I may be totally mistaken.  Without actual knowledge of
what the thing really is I cannot be sure, only opinionated.  What
I do know is that C (and assembly) are unsafe languages without any
real hope of being made both 'safe' and recognizable.  'Safe' is a
relative term anyhow, closely related to frozen flying pigs in
hell.  To me attempts to so enhance C are isomorphic to finding the
largest prime or an exact rational solution to x*x == 2.

Re: Learning embedded systems


[%X]

Curiosity is OK at times. If you need to know what the MISRA-C guidelines
suggest for making C a safer programming language then you should get hold
of the pdf version at the very least (it is cheap enough, though not free).


I consider that making the investment in a copy would enable you to argue
your point of view with much more authority.


All programming languages are unsafe without a decent development process
behind them to support the design decisions being made. However, with such
a decent development process in place that applies tests and reviews at
frequent intervals, then a safe system can be produced with any language.
It is true that you may only use a subset of some of the languages but
selecting the subset is part of the development process.

Re: Learning embedded systems
