Posts Tagged ‘programming’

Beer and Boards at ESC Silicon Valley

Wednesday, April 6th, 2011 Michael Barr

It really looks like I’ve picked the wrong year to miss ESC Silicon Valley (due to a schedule conflict). (The last time I wasn’t at ESC, it was 1997 and White Zombie was still together.) The first thing I’d really like to have seen is Steve Wozniak’s keynote speech. The second thing I’m really sad to miss is the just announced “Beer and Boards” party/giveaway.

Beer and Boards sounds really fun. Here’s how it works: Every “All Access” attendee will get to choose one of three free development kits to take home:

Once you select your preferred kit you will receive information on the time and place for the relevant Beer and Boards party, at which you will get to drink free beer at a special meet-and-greet with one of your kit’s designers to talk about your new kit and its capabilities. Three boards spread out over three days.

Nerds drinking beer! I love it. What will they think of next?

Before you register for this year’s ESC, be sure to check out my earlier post Save Big on Embedded Systems Conference Registration. Also, remember to use the promo code BARR20 to save an additional 20% off registration and be entered to win a free seat at a future Embedded Software Boot Camp or one of 20 free copies of the Embedded C Coding Standard.

Do Inline Function Bodies Belong in C Header Files?

Monday, March 21st, 2011 Michael Barr

Earlier today I received the following question by e-mail from Brazil:

I am trying to conform to the rules in your Embedded C Coding Standard book and I just ran into what may be a problem with Rule 6.3.a. Instead of using function-like macros, I’m using inline functions, as you recommend. However, my compiler (avr-gcc) gives an error when I declare a function to be inline in both the header and the source file. If I put both the inline declaration and the function body inside the header file it works fine. This fixes my compiler problem, but isn’t it a bad practice to place code inside the header file?

This is a good question, as it seems at first to be about a conflict between the Embedded C Coding Standard and what I refer to as “Generally Accepted Programming Principles” (i.e., GAPP, not GAAP). It is also becoming a frequently asked question, so I thought it would be good to share my e-mailed answer here.

The inline keyword is a part of the C++ programming language that was added late to C (in C99). In C++, most programs are built out of classes–with best practice dictating one header file per class definition. Any C++ function may be declared inline. But if the inline function is a public member function (a.k.a., public method) of the class it is necessary to place the code for the inline function inside the header file. This is so that all of the other modules that use the class can see the code they need to have placed inline by the compiler.

Of course, placing the body of any function inside a header file conflicts with GAPP for the C programming language. Here’s how you should decide what to do:

IF the inline function is a “helper” function that’s only used inside one C module, THEN put it in that .c file only and don’t mention it in the header file. This is consistent with Rule 4.2.c, which says that “The header file shall identify only the [functions] … about which it is strictly necessary for other modules to know.”

IF, however, the inline function operates on the abstract data type defined in the header file and must be visible to two or more modules, THEN put the body of the inline function inside the header file. There is no rule in the Embedded C Coding Standard that strictly prohibits this, so there is no conflict.
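Both rules side by side, as an added example that is not from the post or the coding standard: a constructed ring-buffer ADT whose header-level inline accessors use `static inline` (so every including module gets its own copy and no external definition is ever required), while the module-private helper stays in the .c file. The two files are shown in one listing for compactness; the names `ringbuf_t`, `rb_*` and the capacity are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ---- Part that would live in ringbuf.h ---------------------------- */
#define RB_CAPACITY 8u
typedef struct {
    uint8_t data[RB_CAPACITY];
    size_t  head;   /* next slot to write */
    size_t  tail;   /* next slot to read  */
    size_t  count;  /* bytes currently stored */
} ringbuf_t;

/* Inline functions that other modules need operate on the ADT, so their
 * bodies go in the header. 'static inline' gives each including module
 * its own private copy, so no extern definition is needed anywhere. */
static inline bool rb_is_empty(const ringbuf_t *rb) { return rb->count == 0u; }
static inline bool rb_is_full(const ringbuf_t *rb)  { return rb->count == RB_CAPACITY; }
bool rb_push(ringbuf_t *rb, uint8_t byte);
bool rb_pop(ringbuf_t *rb, uint8_t *byte);

/* ---- Part that would live in ringbuf.c ---------------------------- */
/* Helper used only inside this module: defined here and deliberately
 * absent from the header (Rule 4.2.c). */
static inline size_t rb_next(size_t index) { return (index + 1u) % RB_CAPACITY; }

bool rb_push(ringbuf_t *rb, uint8_t byte)
{
    if (rb_is_full(rb)) {
        return false;   /* report the overflow instead of overwriting data */
    }
    rb->data[rb->head] = byte;
    rb->head = rb_next(rb->head);
    rb->count++;
    return true;
}

bool rb_pop(ringbuf_t *rb, uint8_t *byte)
{
    if (rb_is_empty(rb)) {
        return false;
    }
    *byte = rb->data[rb->tail];
    rb->tail = rb_next(rb->tail);
    rb->count--;
    return true;
}
```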

See my earlier post What Belongs in a C .h Header File? for additional suggestions concerning header file contents.

What NHTSA/NASA Didn’t Consider re: Toyota’s Firmware

Wednesday, March 2nd, 2011 Michael Barr

In a blog post yesterday (Unintended Acceleration and Other Embedded Software Bugs), I wrote extensively on the report from NASA’s technical team regarding their analysis of the embedded software in Toyota’s ETCS-i system. My overall point was that it is hard to judge the quality of their analysis (and thereby the overall conclusion that the software isn’t to blame for unintended accelerations) given the large number of redactions.

I need to put the report down and do some other work at this point, but I have a few other thoughts and observations worth writing down.

Insufficient Explanations

First, some of the explanations offered by Toyota, and apparently accepted by NASA, strike me as insufficient. For example, at pages 129-132 of Appendix A to the NASA Report there is a discussion of recursion in the Toyota firmware. “The question then is how to verify that the indirect recursion in the ETCS-i does in fact terminate (i.e., has no infinite recursion) and does not cause a stack overflow.”

“For the case of stack overflow, [redacted phrase], and therefore a stack overflow condition cannot be detected precisely. It is likely, however, that overflow would cause some form of memory corruption, which would in turn cause some bad behavior that would then cause a watchdog timer reset. Toyota relies on this assumption to claim that stack overflow does not occur because no reset occurred during testing.” (emphasis added)

I have written about what really happens during stack overflow before (Firmware-Specific Bug #4: Stack Overflow) and this explains why a reset may not result and also why it is so hard to trace a stack overflow back to that root cause. (From page 20, in NASA’s words: “The system stack is limited to just 4096 bytes, it is therefore important to secure that no execution can exceed the stack limit. This type of check is normally simple to perform in the absence of recursive procedures, which is standard in safety critical embedded software.”)

Similarly, “Toyota designed the software with a high margin of safety with respect to deadlines and timeliness. … [but] documented no formal verification that all tasks actually meet this deadline requirement.” and “All verification of timely behavior is accomplished with CPU load measurements and other measurement-based techniques.” It’s not clear to me if the NASA team is saying it buys those Toyota explanations or merely wanted to write them down. However, I do not see a sufficient explanation in this wording from page 132:

“The [worst case execution time] analysis and recursion analysis involve two distinctly different problems, but they have one thing in common: Both of their failure modes would result in a CPU reset. … These potential malfunctions, and many others such as concurrency deadlocks and CPU starvation, would eventually manifest as a spontaneous system reset.” (emphasis added)

Might not a deadlock, starvation, priority inversion, or infinite recursion be capable of producing a bit of “bad behavior” (perhaps even unintended acceleration) before that “eventual” reset? Or might not a stack overflow just corrupt one or a few important variables a little bit and result in bad behavior rather than, or before, a reset? These kinds of possibilities, even at very low probabilities, are important to consider in light of NASA’s calculation that the U.S.-owned Camry 2002-2007 fleet alone is running this software a cumulative one billion hours per year.

Paths Not Taken

My second observation is based upon reflection on the steps NASA might have taken in its review of Toyota’s ETCS-i firmware, but apparently did not. Specifically, there is no mention anywhere (unless it was entirely redacted) of:

  • rate monotonic analysis, which is a technique that Toyota could have used to validate the critical set of tasks with deadlines and higher priority ISRs (and that NASA could have applied in its review),
  • cyclomatic complexity, which NASA might have used as an additional winnowing tool to focus its limited time on particularly complex and hard to test routines,
  • hazard analysis and mitigation, as those terms are defined by FDA guidelines regarding software contained in medical devices, nor
  • any discussion or review of Toyota’s specific software testing regimen and bug tracking system.

Importantly, there is also a complete absence of discussion of how Toyota’s ETCS-i firmware versions evolved over time. Which makes and models (and model years) had which versions of that firmware? (Presumably there were also hardware changes worthy of note.) Were updates or patches ever made to cars once they were sold, say while at the dealer during official recalls or other types of service?
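To show what the rate monotonic analysis named above actually checks (as opposed to the CPU-load measurements the report describes), here is an added example that is not from the post or the NASA report: a worst-case response-time analysis of a constructed periodic task set under rate-monotonic priorities, in C. It assumes preemptive fixed-priority scheduling, deadlines equal to periods and no blocking or jitter; the task names and timings are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* One periodic task: worst-case execution time C_i and period T_i (the
 * deadline is assumed equal to the period), in the same time unit. */
typedef struct { const char *name; uint32_t wcet; uint32_t period; } task_t;
/* Constructed sample task set (names and numbers are made up), listed by
 * increasing period, i.e. in rate-monotonic priority order. */
#define NTASKS 4u
static const task_t tasks[NTASKS] = {
    { "crank_isr",    200u,  1000u },   /* 20% utilisation */
    { "throttle_ctl", 600u,  2000u },   /* 30% */
    { "sensor_poll",  800u,  5000u },   /* 16% */
    { "diag_log",    2500u, 10000u },   /* 25% */
};

/* Sum of C_i / T_i in percent. Above the Liu & Layland bound (about 75.7%
 * for four tasks) utilisation alone proves nothing; an exact test is needed. */
static uint32_t utilisation_percent(const task_t *set, size_t n)
{
    uint32_t pct = 0u;
    for (size_t i = 0; i < n; i++) pct += (set[i].wcet * 100u) / set[i].period;
    return pct;
}

/* Worst-case response time of task i under fixed-priority preemptive
 * scheduling (Joseph & Pandya recurrence):
 *   R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j
 * where ceil(R / T_j) is the number of preemptions by task j. Iterated to a
 * fixed point; returns 0 if R exceeds T_i, i.e. the task can miss its deadline. */
static uint32_t response_time(const task_t *set, size_t i)
{
    uint32_t r = set[i].wcet;
    for (;;) {
        uint32_t next = set[i].wcet;
        for (size_t j = 0; j < i; j++) {
            next += ((r + set[j].period - 1u) / set[j].period) * set[j].wcet;
        }
        if (next > set[i].period) return 0u;   /* deadline miss possible */
        if (next == r) return r;               /* converged */
        r = next;
    }
}

/* True only if every task's worst-case response time fits its period. */
static bool task_set_schedulable(const task_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++) if (response_time(set, i) == 0u) return false;
    return true;
}
```

The sample set runs at 91% utilisation, well above the bound, yet the exact test proves every deadline is met; raising the lowest-priority task's WCET to 4000 makes it unschedulable, which is the kind of result no load measurement during testing can rule out.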

Is a Smartphone an Embedded System?

Thursday, January 27th, 2011 Michael Barr

When I wrote my first book about embedded programming, back in the late 1990’s, I carefully defined the term embedded system as follows:

An embedded system is a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some cases, embedded systems are part of a larger system or product, as is the case of an anti-lock braking system in a car. Contrast with general-purpose computer.

I think this language still does a good job of capturing the difference between embedded and general-purpose computers. (In a sign of the times that is simultaneously uplifting and depressing to me, this exact language has been literally copied all over the Internet, mostly without any citation whatsoever.) But there have always been gray areas in the middle and the consumer electronics market is moving toward even greater blur.

Smartphones and tablet computers–like the Apple (Nasdaq:AAPL) iPhone and iPad, as well as the many Android-powered devices–clearly lie somewhere between embedded system and general purpose computer. Indeed, it has been helpful to me at times to think of Apple as a company that has profited by moving away from designing configurable and openable general purpose computers and toward designing more restricted and clearly physically closed embedded systems faster than its competitors.

So far this year, I’ve been finding time to play around with iPhone programming. (My first app has nothing to do with embedded systems, so won’t rate a mention in this blog even after it releases.) And I’m happy to report that in several ways the experience of writing iOS applications is similar to embedded programming. You program mostly in C (wrapped in a layer of Objective-C). And you must worry about writing code that uses the processor and memory efficiently. I feel right at home!

However, programming for iOS is also like programming for big general-purpose computers in that there are vast API libraries available to separate you from the hardware and low-level driver details. And there’s more memory and CPU available than in the vast majority of embedded systems.

Smartphones and tablet computers truly are at the crossroads between embedded systems and general purpose computers. If you are coming to them from the perspective of a firmware developer, you can think of them as merely very high end embedded systems. Or if you are coming from the world of general-purpose computing, you can think of them as resource-constrained computers reminiscent of an earlier era. Either way, you’re bound to find some things you like about these new programming platforms and others that you don’t.

P.S. I’ll have lots more to say about Objective-C in a later post.

Embedded Software Boot Camp in a Box

Wednesday, December 15th, 2010 Michael Barr

Whether you are new to embedded software development in C or looking for ways to improve your skills, the Embedded Software Boot Camp in a Box will provide you the hands-on education you need. Exercises are based around an ARM processor board (shown below), the MicroC/OS-II real-time operating system, and the IAR Embedded Workbench compiler/debugger, all of which are included in the box.

STR912-SK

Learn Embedded Programming on an ARM Processor

Netrino’s popular Embedded Software Boot Camp (see upcoming dates), on which this kit is based, is an intense in-person training experience that requires attendees to be able to check out of normal work and life routines for a week—sometimes also travelling a great distance. The Embedded Software Boot Camp in a Box is a way to learn the same skills at your own pace. You’ll do the same exercises and have access to the same materials; you just won’t have a “drill instructor” or the clock to prod you.

Here’s how you’ll use the Embedded Software Boot Camp in a Box to learn embedded programming:

  • Read the 350 page “Field Manual” book, which contains the slides from the in-person Boot Camps, in order.
  • If you want to dig deeper, watch the video of Michael Barr’s acclaimed “How to Prioritize RTOS Tasks and Why it Matters” lecture on DVD, or read the three books and numerous articles provided as PDFs on the USB drive.
  • As you read, you will come to slides titled “Exercise: …”. These slides mark the best points to attempt each exercise.
  • In all there are ten programming exercises: one to test your compiler/debugger/board setup; two concerning hardware interfacing in C; six concerning multithreaded programming with uC/OS-II; and one capstone project to build a scuba dive computer. These involve hardware interactions such as blinking LEDs, debouncing pushbuttons, reading A/D converters, working with programmable timer/counters, and generating audio tones via PWM signals.
  • Detailed instructions for each exercise can be found in the printed “Exercise Manual”.
  • Solutions for each of the exercises are provided on the USB drive.
  • After you finish with the included exercises, you’ll know your way around most of your ARM processor board and be ready to explore the rest of its hardware (RS-232, CAN, Ethernet, USB, etc.) on your own.

For more details or to order your kit now, browse on over to http://www.netrino.com/Boot-Camp-Box.