pnp-software / fwprofile
C Implementation of UML State Machines and Activity Diagrams for Safety-Critical, Real-Time and Embedded Applications.
License: Mozilla Public License 2.0
This issue was first raised as Mantis 297.
The text in the FAQ refers to "success" as the value of the error code in the absence of any errors. In fact, the value is either "smSuccess" or "prSuccess".
I saw that all index variables (e.g. to access the action array, nodes, etc.) are of type "signed char", so they are in the range 0..127. What is the reason for this limitation? For a big procedure or state machine you would run into problems...
Also, I think it would be much better to use a normal "unsigned int" for index variables, as the generated code runs much faster (unless you have an 8-bit processor) and requires less code (no masking on variable access).
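The risk in the post above is that a descriptor with more than 128 entries in one of its arrays can no longer be addressed by a signed char index. The following is an added example (not fwprofile code; the SmSizes fields and the function names are hypothetical) of a configuration-time check that rejects a descriptor whose arrays are not addressable by the chosen index width, and of how many entries remain reachable when the check is skipped:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical descriptor sizes (not fwprofile's real descriptor layout):
 * how many entries each indexed array of a state machine holds. */
typedef struct {
    unsigned int nStates;
    unsigned int nChoicePoints;
    unsigned int nTrans;
    unsigned int nActions;
    unsigned int nGuards;
} SmSizes;

typedef enum {
    IDX_OK = 0,
    IDX_TOO_MANY_STATES,
    IDX_TOO_MANY_CHOICE_POINTS,
    IDX_TOO_MANY_TRANS,
    IDX_TOO_MANY_ACTIONS,
    IDX_TOO_MANY_GUARDS
} IdxCheck;

/* Indices 0..n-1 are representable in an index type whose largest value
 * is idxMax exactly when n-1 <= idxMax (an empty array always fits). */
static bool fits(unsigned int n, unsigned int idxMax) {
    return n == 0 || (n - 1) <= idxMax;
}

/* Configuration-time check: report the first array whose entries cannot
 * all be addressed by an index of the given width. */
IdxCheck smCheckIndexRange(const SmSizes *s, unsigned int idxMax) {
    if (!fits(s->nStates, idxMax))       return IDX_TOO_MANY_STATES;
    if (!fits(s->nChoicePoints, idxMax)) return IDX_TOO_MANY_CHOICE_POINTS;
    if (!fits(s->nTrans, idxMax))        return IDX_TOO_MANY_TRANS;
    if (!fits(s->nActions, idxMax))      return IDX_TOO_MANY_ACTIONS;
    if (!fits(s->nGuards, idxMax))       return IDX_TOO_MANY_GUARDS;
    return IDX_OK;
}

/* Number of entries of an n-entry array that can be reached before the
 * index would have to exceed idxMax: all n when the array fits, otherwise
 * only idxMax+1 of them (indices 0..127 for a signed char). */
unsigned int reachableEntries(unsigned int n, unsigned int idxMax) {
    return fits(n, idxMax) ? n : idxMax + 1;
}

int main(void) {
    /* Constructed sizes for a large state machine: 200 transitions. */
    const SmSizes big = { 40, 10, 200, 60, 50 };
    printf("signed char index : check=%d, reachable transitions=%u of %u\n",
           (int)smCheckIndexRange(&big, SCHAR_MAX),
           reachableEntries(big.nTrans, SCHAR_MAX), big.nTrans);
    printf("unsigned int index: check=%d, reachable transitions=%u of %u\n",
           (int)smCheckIndexRange(&big, UINT_MAX),
           reachableEntries(big.nTrans, UINT_MAX), big.nTrans);
    return 0;
}
```

With a signed char index the 200-transition machine is rejected (only 128 transitions would be reachable); with an unsigned int index the same descriptor passes. Running such a check when the descriptor is built turns a silent out-of-range index into a configuration error.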
This ticket was initially raised as Mantis Issue 759:
At present, the activation thread decrements the notification counter immediately after having detected it to be greater than zero and just before executing the Activation Procedure. It might make sense to move the decrement after the Activation Procedure. This would have the advantage that, in the "normal" case where notifications are processed one at a time, the notification counter remains different from zero for as long as the Activation Procedure has not finished running. Users can therefore check the value of the Notification Counter if they wish to know whether the processing of the notification is still under way.
This issue was first raised as Mantis Issue 307.
The FW Profile Definition Document currently informally defines a number of "execution constraints" for state machines (such as the "nesting rule"). It would be preferable if the definition were made more formal (as was already done for the constraints C1 to C8 and D1 to D3).
First, I hope this is the right place for problems with the editor.
I'm working with STM32 microcontrollers and the SW4STM32 IDE with STMCubeMX for configuration of the devices.
The online editor is great; I only have to download the zip and extract it in the right place ...
Then I have to edit some files.
I created a FSMnameMain.h
In FSMnameMain.c I delete the main() function
In the STM32 main.c I include FSMnameMain.h so the functions are available
... ???
An option button "With or without main()" would be nice.
So my first real issue is the limitation of the global variable definitions:
int and uint ...
This results in static unsigned int, and these are located in FSMname.c,
so they are NOT global with respect to the main() function, which is in FSMnameMain.c.
uint32_t, uint16_t ... are standard with STM32 microcontrollers,
so there is no such global variable xy available.
Why is there no **extern uint ...** in FSMname.c and the global variable in FSMnameMain.c?
In some cases, especially when programming microcontrollers, we need to use volatile for some variables, i.e. for IRQ handling and for parts of the code where the compiler shouldn't optimise out pieces of code.
So I think it makes sense if the user is able to edit REAL globals in FSMnameMain.c
and NOT semi-globals in the FSMname.c file.
This is also the case for the so-called global #include "file.h".
And the limitation of only 8 semi-global variables is definitely the killer for bigger state machines.
The static analysis performed by ESA has shown the following potential memory leaks: in FwPrCreateDer, there are two malloc calls; if the first one succeeds but the second one fails, then there will be a memory leak.
This finding is correct but, if there is a malloc failure in this or any other function in module FwPrDCreate, then the function where the failure occurred returns NULL and the user should simply stop operation because nothing will work. We regard it as the user's task to handle the memory leak (but, really, what needs to be handled is the failure of the malloc operation).
We are therefore not going to change the code but we will add a comment to the doxygen documentation so that users are aware of the issue.
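To make the finding concrete, the following added example (not fwprofile code; DerDesc and the function names are hypothetical, and the allocation hooks exist only so that a failing second malloc can be simulated) shows the two-allocation pattern as reported beside a variant that releases the first block before returning NULL, so that a caller that stops on NULL has nothing left to clean up:

```c
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical derived-descriptor shape: one block for the descriptor
 * itself and a second one for an array it owns (two malloc calls). */
typedef struct {
    unsigned int nActions;
    int *actions;           /* second allocation: constructed action ids */
} DerDesc;

/* Allocation hooks so the failure of the k-th malloc can be simulated
 * and the number of releases observed. */
static int g_failAt = 0;    /* 0: never fail; k: return NULL on the k-th call */
static int g_calls  = 0;
static int g_frees  = 0;

void allocHooksReset(int failAt) { g_failAt = failAt; g_calls = 0; g_frees = 0; }
int  allocHooksFrees(void)       { return g_frees; }

static void *xmalloc(size_t n) {
    g_calls++;
    if (g_failAt != 0 && g_calls == g_failAt) return NULL;
    return malloc(n);
}
static void xfree(void *p) { if (p != NULL) g_frees++; free(p); }

/* Pattern from the finding: if the second malloc fails, the descriptor
 * returned by the first one is never released. */
DerDesc *derCreateLeaky(unsigned int nActions) {
    DerDesc *d = xmalloc(sizeof *d);
    if (d == NULL) return NULL;
    d->nActions = nActions;
    d->actions = xmalloc(nActions * sizeof *d->actions);
    if (d->actions == NULL) return NULL;     /* d is lost here */
    return d;
}

/* Hardened variant: release the first block before reporting failure. */
DerDesc *derCreateSafe(unsigned int nActions) {
    DerDesc *d = xmalloc(sizeof *d);
    if (d == NULL) return NULL;
    d->nActions = nActions;
    d->actions = xmalloc(nActions * sizeof *d->actions);
    if (d->actions == NULL) { xfree(d); return NULL; }
    return d;
}

void derRelease(DerDesc *d) {
    if (d == NULL) return;
    xfree(d->actions);
    xfree(d);
}

/* Create and immediately release a descriptor; returns the number of
 * blocks released (2 when both allocations succeeded). */
int derCreateReleaseCount(unsigned int nActions) {
    allocHooksReset(0);
    derRelease(derCreateSafe(nActions));
    return allocHooksFrees();
}

int main(void) {
    allocHooksReset(2);                      /* second malloc fails */
    derCreateLeaky(4);
    printf("leaky : blocks released on failure = %d\n", allocHooksFrees());
    allocHooksReset(2);
    derCreateSafe(4);
    printf("safe  : blocks released on failure = %d\n", allocHooksFrees());
    printf("round trip releases = %d\n", derCreateReleaseCount(4));
    return 0;
}
```

With the second allocation forced to fail, the first variant releases nothing while the second releases the descriptor; both still return NULL, so the caller's "stop on NULL" rule is unchanged, but a static analyser no longer reports a leak on that path.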
Figure 8 of the FW Profile Definition Document defines the behaviour to perform a transition in a state machine. According to the figure, when the transition is a state, then the Current State is updated and then its execution counter is reset. The implementation of this logic in function ExecTrans in module FwSmCore performs these two operations in the opposite order. As far as I can tell, this has no impact on the externally visible behaviour of a state machine but, for consistency with the design, the order of the two operations should be inverted.
The rules for embedded state machines and state machine extension are not very clear in the FW Profile Definition Document and need to be clarified. I propose to do it as described below.
Let S be a state of state machine SM_A and let SM_B be a state machine derived from SM_A. The rules for adding embedded state machines to SM_B are as follows:
The basic idea is that, during the state machine extension process, you are allowed either to add new embedded state machines or to replace existing embedded state machines with their children (i.e. when you extend a state machine, you can also extend its embedded state machines - see figure below).
NB: Marcel points out to me that the current implementation of the FW Profile does not allow an embedded state machine in a base state machine to be overridden.
NB#2 This issue was initially and mistakenly submitted in the cordetfw project.
I had one case (the InCmd component of the CORDET FW) where the declaration of one state had too many out-going transitions but this error was not caught by the configuration check. I need to verify whether this points to a gap in the configuration check.
Feedback from ESA after execution of static code analysis.
Dead code has been found in module CrFwAux. The finding is correct but this module implements a generic consistency check for the framework data structures. Since the check is generic, it may contain dead code for some specific instantiation of the framework. Also, as explained in its doxygen documentation, this module is not intended to be included in the final application executable.
To facilitate future runs of the static code analyzer, we will add a comment in the source code of the following kind: // The following can be dead code, depending on the specific instantiation of the FW Profile.
This is a finding from the ESA static analysis:
In FwSmAux.c, lines 81 and 82 specify a ‘%d’ when in fact their arguments are unsigned integers – so in principle they should be using the ‘%u’ specifier.
I think that there is a minor inconsistency in the Release script for the FW Profile. At one point, the comment states: "Run the Demo Application and tutorials with Valgrind". However, Valgrind is only run on the demo application. Later in the script, where the headers are added to the test reports, the following commands are attempted:
    sed -i -e "1i${H_L1}${H_ML6}${H_DATE}${H_CP}${H_VER}${H_L1}" ${OUT_LOG}/PR_Example1_Valgrind_Report.txt
    sed -i -e "1i${H_L1}${H_ML6}${H_DATE}${H_CP}${H_VER}${H_L1}" ${OUT_LOG}/RT_Example1_Valgrind_Report.txt
    sed -i -e "1i${H_L1}${H_ML3}${H_DATE}${H_CP}${H_VER}${H_L1}" ${OUT_LOG}/SM_Example1_Valgrind_Report.txt
    sed -i -e "1i${H_L1}${H_ML4}${H_DATE}${H_CP}${H_VER}${H_L1}" ${OUT_LOG}/SM_Example2_Valgrind_Report.txt
    sed -i -e "1i${H_L1}${H_ML5}${H_DATE}${H_CP}${H_VER}${H_L1}" ${OUT_LOG}/SM_Example3_Valgrind_Report.txt
These commands actually fail because the test reports do not exist. I assume that the intention was that these commands be commented out. If this is so, please update the release script accordingly.
I tried running the Release script from a directory other than the /fwprofile directory and I get a number of error messages. I did not investigate the matter in detail but I have the impression that the script expects the Makefile to be present in the directory from which it is run.
For the record, the command I used is:
    ~/Projects/fwprofile/Release.sh 1.3.1 /home/ap/Projects/fwprofile-examples /home/ap/Projects/fwprofile
PS: a constraint that the Release script can only be run from the /fwprofile directory is for me acceptable.
In view of the fact that the "Stop RT Container" operation also increments the notification counter, we need a new property which states that the number of times the Activation Procedure has been executed is the same as the number of times the container has been externally notified.
One feedback from the CHEOPS Project is that it would often be useful to keep track of the previous state of a state machine. This would require extending the size of the State Machine Descriptor and would add a small overhead to execution of a state transition but allow, for instance, a transition action or a state entry action to query the descriptor for the source state of a transition.
With certain node topologies, it may happen that, as part of the same execution of a procedure, the same guard is evaluated twice. This should not have any consequence because guards are required to be free of side-effects but it might be inefficient and it makes the validation of the behaviour shown in figure 4 of the FW Profile Definition Document harder. For these reasons, I should consider changing the implementation of function FwPrExecute in module FwPrCore to avoid the double call and to be easier to map to the behaviour of figure 4.
I am not totally sure if this is a bug, but I cannot explain the behaviour otherwise.
I had a quick look at the code, but find it difficult to understand. However, line 81 in FwPrCore.c seems a bit odd as the comment for the loop indicates "Execute loop until guard ... is true" while the (pseudo-) code is "while (trueGuardFound == true) {"...
The doxygen comment for the FwPrGetCurNode function includes the following statement: "If the procedure is in the STARTED state but has not yet executed any action (because the guard from the initial node is still false), this function returns -1". This should be changed to: "If the procedure is in the STARTED state but has not yet executed any action (either because it has not yet been executed or because it has been executed but the guard from the initial node is false), this function returns -1".
The fwprofile source code is automatically built and linked into a library by Travis CI every time the master branch advances. However, the examples and tests that are actually included are neither built nor run.
The header files are detected as C++ instead of C. It's just a cosmetic issue, but it can mislead users. Here is the proposed solution: https://github.com/github/linguist#overrides