Presented by: © 2015 Jacob Beningo All Rights Reserved Writing Portable and Robust Firmware in C September 4, 2015 Jacob Beningo, CSDP Class 5: Robust Firmware Concepts Embedded System Design Techniques™

Presented by: © 2015 Jacob Beningo All Rights Reserved Course Overview Portable C Concepts Doxygen and PC-Lint Uart Driver and Stm32CubeMx Assertions and printf Robust Firmware Concepts 2

Presented by: © 2015 Jacob Beningo All Rights Reserved Session Overview Watchdog Timers Watchdog API Watchdogs use Stack Monitor Cyclomatic Complexity Robust application features 3

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Overview Watchdog and subsystem being monitored should have separate clocks Watchdog refresh should be done such that the changes of run-a-way code refreshing the watchdog are minimized Run-away code should be detected quickly to prevent system damage Critical control and configuration registers should have write protection so that once set they cannot be changed Should be able to detect what has caused the time-out Task flagging for proper operation 4 Characteristics of a Good Watchdog

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Types Internal – Timer Based External – Heartbeat – Smart – Dumb 5 MCU COMMS eWatchdog HB COMMS RST "A Review of Watchdog Architectures"

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog API 6

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Firmware 7

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Firmware 8

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Firmware 9

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Firmware 10

Presented by: © 2015 Jacob Beningo All Rights Reserved Watchdog Firmware 11

Presented by: © 2015 Jacob Beningo All Rights Reserved Stack Monitor Design What is on the stack? Creating a stack monitor / guard manually – Write known pattern into the Guard area – Monitor the Guard area for changes Alternatively use the MPU 12 Calculating stack size can be difficult! GUARD_SIZE = DEFINED(__guard_size__) ? __guard_size__ : 0x ;.guard: {. = ALIGN(8); FILL(0xC0DE);. += GUARD_SIZE - 1; BYTE(0xE) } > m_data void main(void) { uint32_t * GuardPtr = (uint32_t *) GUARD_START; for(Index = 0; Index < GUARD_SIZE; Index++) { if(*GuardPtr == 0xC0DE) {//DO NOTHING} else { //flag error! Attempt recovery }

Presented by: © 2015 Jacob Beningo All Rights Reserved Cyclomatic Complexity Helps to ensure readability Bounds number of test cases Forces breaking up into smaller more manageable pieces Reduces bugs 13 Limiting Function Complexity

Presented by: © 2015 Jacob Beningo All Rights Reserved Filling ROM Buffer overrun occurs? Dereference a bad pointer? System upset occurs? What is the status of none programmed ROM? 14.fillsection : { FILL(0xAA55AA55);. = ORIGIN(m_text) + LENGTH(m_text) – 1; BYTE(0xAA) } > m_text What happens if …

Presented by: © 2015 Jacob Beningo All Rights Reserved Robust Application Features ROM Checksum and validation RAM check performed periodically Robust watchdog system 1 – 3 % code are assertions Empty ROM is filled Validating inputs/outputs and error conditions 15

Presented by: © 2015 Jacob Beningo All Rights Reserved Additional Resources Download Course Material for – Updated C Doxygen Templates (May 2015) – Example source code – Templates Microcontroller API Standard EDN Embedded Basics Articles Embedded Bytes Newsletter From underwww.beningo.com - Blog and Articles > Software Techniques > CEC Writing Portable and Robust Firmware in C 16

Presented by: © 2015 Jacob Beningo All Rights Reserved Jacob Beningo Principal Consultant P.O. Box 400 Linden, Michigan : : : Jacob_Beningo : Beningo Engineering : JacobBeningo : Embedded Basics Newsletters Embedded Bytes Training MicroPython Bootloaders Low Power Design Real-time Software C/C++ Embedded 17