#48 Assertions and Design by Contract, Part-2

There is a lot to unpack in this question. But first, I recommend leaving assertions ON *especially* in safety-critical systems. However, that does NOT mean "crashing the system." On the contrary: leaving assertions ON provides the last line of defense against "dangerous modes of failure" (a term from IEC 61508) to put the system in Fail-Safe mode (whatever that means in the particular case). You lose this chance when you disable assertions. Second, there seems to be a misunderstanding of what "defensive programming" means. Behavior like "limp mode" requires very *deliberate* design as part of handling this exceptional condition. Such deliberate design is the exact opposite of "defensive programming," which just hides problems (like returning a bogus value instead of dividing by zero). It is somewhat naive to believe that any coherent behavior (like the "limp" mode) can somehow emerge from such "defensive programming." --MMS

Embedded programming is a *deep* subject, and you got to stick with it for longer to get good at it. It takes 10,000 hours to become good at anything. --MMS

Eh, really appreciate the videos, but they didn't come out over 10 years because of perseverance or something..

@@damiengates7581 Actually, the "Modern Embedded Programming" video course is a result of frustration. In the embedded programming community almost every term means completely different things to different people. For example, you say "state machine", and everyone means something else. You say "event-driven", and again, there is no common understanding. Same goes for "assertion-based programming", "concurrency hazards", "encapsulation", etc.

Yes, exactly. Assertions seem to be one of the most misunderstood, unappreciated, and underutilized techniques in programming (not just embedded). That's precisely why I made these videos. I hope that at the very least developers will become *aware* that such a technique even exists. --MMS

Assertions (as part of Design by Contract philosophy) are applicable to any software, not just embedded and not just "small" systems. However, the effective use of assertions requires two critically important considerations. First, assertions must be used only for errors (bugs) and never for "exceptional conditions". Second, assertion failure handler must be carefully designed and *tested* to bring the system to a "safe state" (whatever that means for a given system).
Also, assertions *are* the recommended practice, and indeed a cornerstone, of safety-critical systems (e.g., IEC 61508 standard recommends "Failure Assertion Programming" practice). Safe software must either operate correctly, or fail *safely*. The worst possible (and unacceptable) scenario is when the software keeps operating unsafely. Unfortunately, this is precisely what happens when assertions are turned off in the production release.
Finally, regarding Nim/Swift, there is a discussion of the QP frameworks on the Nim forum: forum.nim-lang.org/t/5137 .
--MMS

This reminds me of the quote from Tony Hoare (one of the founding fathers of computer science), who used to say: "Disabling assertions in production is like using a lifebelt during exercise but not bothering with it for the real thing".

Sure, do whatever helps you during development. But in the *production* version you release to customers, assertions become as important as the rest of the code. (This assumes that you leave assertions enabled in the production release.) In my programming practice, I actually spend more time thinking about assertions and *testing* that they actually catch errors than the regular code. In my mind, treating assertions as second-class, throw-away code misses a huge opportunity. I hope that these comments make sense to you. --MMD

@@StateMachineCOM yes, this makes a lot of sense. Thank you.

Yes, I agree that many developers believe that assertions add a lot of overhead to the code. But in practice, the overhead is quite small and often pays for itself because (as mentioned in the video) assertions *eliminate* a lot of "defensive code". --MMS

As I said in the other comments, do whatever helps you in debugging. But from my experience, introducing "debug assertions" alongside "production assertions" is a slippery slope. (The next level is adding a "severity level" in assertions and then disabling assertions only up to a given level.) The problem with this approach is that assertions stop being taken seriously but rather as some temporary and throw-away code. With this attitude, people lose confidence in assertions and don't trust them to really perform drastic actions. Also, developers are confused as to which assertions are really "worthy" leaving in the production code and which to turn off. I hope you see my point. --MMS

Good point that needs to be explained. So, if the assertions can bring down the whole system, they are apparently important. Such code needs to be TESTED. To do so, you need to make the assertion fail (e.g., by "failure injection") and then you must verify that the *right* assertion has failed. Now, how do you identify the *right* assertion in your test? If you identify it by the line number, you'd have to change the test every time the lines shift in your code. Such tests would be then very unstable. The use of the assertion-IDs helps in writing *stable* tests because these IDs don't shift. I hope this makes more sense now. --MMS

A comparison like this would be tricky and necessarily biased. But such comparisons have been already done. Here, I would recommend a blog post "Are all RTOSes the Same?" by Michael Barr: embeddedgurus.com/barr-code/2008/01/are-all-rtoses-the-same . Having said that, I do plan some future lessons in this course to cover various types of schedulers, but these would not be the traditional RTOSes or embedded Linux offerings you're requesting. (Traditional RTOSes have been discussed in lessons 22-28, see ruclips.net/p/PLPW8O6W-1chyrd_Msnn4LD6LBs2slJITs ). --MMS

Yes, I've seen the distinct "debug-assertions" and "release-assertions". I've also seen a "severity-level" parameter added to assertions and then an option to disable assertions only up to a certain level. All of this is a bit slippery slope leading to low-quality assertions that people don't take seriously. Could you give me an example of a "debug-assertion" that would NOT be good enough as a "release-assertion"? In my opinion, assertions are an inherent part of the code (the design contracts). They should be developed and *tested* along with the code they protect. Then they should be released, exactly as they've been tested. --MMS

@@StateMachineCOM - Here are some examples of debug asserts. 1. a routine checking the 32byte alignment of address that is returned by another routine.
2. checking the command/packet size. 3. Checking the execution time of a routine. The data point is, during the product qualification.
The main reason for removing debug assert from release code is - the asserts add cpu overhead and data shows that system never hit these asserts during hours of qualification and some of them are purely debug purpose.

In the next segment of lessons, I plan to go back to the fundamentals and real-time architectures. Specifically, I'd like to explain the various real-time kernels that can be used to run event-driven systems, because the traditional RTOS is not the only option here. It turns out that the non-blocking, run-to-completion characteristics of event-driven systems allow us to use *simpler* and more efficient real-time kernels than the traditional RTOS. Stay tuned! --MMS

@@StateMachineCOM Many thanks for your reply.
That sounds interesting.
If I may, I would recommend to also revisit the Event driven design pattern and QP framework
with more relatable projects rather than the Time bomb we had.
Although I am keen on adapting that pattern at my team, I really still struggle to start, even with projects I already made
I have the flat State Machines for them, the modules, everything.
but I don't know how to start
creating the Active Objs
what is difference between signals and events
and so
Huge part is because I didn't read the Docs yet.
but I am sure this part needs revisit on the channel.
and if you can spare advise here on comments
it would be appreciated

How can it be so difficult?

@@damiengates7581 did you try it?
If you did successfully
I would like to hear your experience

The concept of "real-time" has been explained in lesson#26 "What is real-time?" ruclips.net/video/kLxxXNCrY60/видео.html . But regarding the distinction between "firmware" and "embedded software", I don't quite see the difference, so I can't explain this aspect. --MMS

Good question. First of all, I see the mechanism of throwing and catching exceptions (if this is what you mean) as part of handling *exceptional conditions* with the intent to continue execution. As I explained in the video at 8:50, in my view throwing exceptions should *NOT* be used to "handle" errors/bugs because it's overkill and additional risk for that. Now, throwing exceptions in exceptional conditions has obviously value when you have deep function call trees, so unwinding the call stack gives you a chance to reasonably "handle" an exception. This has some merit, perhaps, in sequentially written code (e.g., with traditional RTOS). But in *event-driven* code, you don't have much stack to deal with because the stack is constantly discarded after processing each event. In other words, there is no much *context* on the stack and instead the context is in the *state* of the state machine. For that, throwing exceptions is not that helpful. instead, an exceptional condition should be handled as a separate *state* of the state machine. Also, please google for the article "Exception Handling: A False Sense of Security" by Tom Cargill. --MMS

​@@StateMachineCOM thank you. i will read that referenced article

@@StateMachineCOM yeah, and the bubbling up of unhandled events in hierarchical SM is somewhat similar to throwing exceptions.

Thanks for reporting. I corrected the download link in the video description. The links on the companion page ( www.state-machine.com/video-course ) seem to be correct. --MMS

I plan to add the ARM/KEIL uVision projects to all downloads, including the older lessons released originally with IAR. This will allow anybody interested to use ARM/KEIL toolset instead of IAR. This work will be completed soon. The downloads will be available in the usual locations:
- www.state-machine.com/video-course
- github.com/QuantumLeaps/modern-embedded-programming-course