Men conquer the world, and women conquer the world by conquering men; hardware rules the physical world, and software rules it by controlling hardware. Wherever there are electronics today there is embedded software, and wherever electronics fail, the shadow of an embedded software design flaw is usually close by. This post lists the mistakes embedded software is prone to, the ways they are commonly dodged, and what to do instead.

The defining feature of embedded software is control. It is tightly coupled to hardware, heavy on functional operations, full of modules calling one another, and runs in a complex environment where it is easily disturbed by other devices and disturbs them in turn. An execution error therefore does not merely corrupt data; it can lead to an immeasurable disaster. Embedded software reliability design has to be considered from four aspects, which are taken in turn below.

Start with the software interface, where problems are most likely and where programmers slip most easily. Interface calls generally involve data assignments, and the assigned variables may undergo forced (explicit) type conversions; these need checking. To prevent problems, add a check on both the data range and the data type. A wrong number of assigned values is another error: too few and the result is garbage, too many and the assignment lands somewhere unexpected. Fortunately this class of error is comparatively easy to catch.

In practice a particular piece of functional code gets reused. Suppose reading and controlling a certain port happens only twice in the whole program; to save effort, the code is pasted straight into each module, so the source now contains two identical sections that perform the same function for different callers. Strictly speaking there is nothing wrong with this design.
You are right, but your action causes other people to make mistakes without noticing. It is like a young couple: the girl only wants to enjoy the warm mood with the boy and go no further, yet she invites him home, changes into pajamas, closes the window and turns the music up, and afterwards says "I never expected it to end like this." Who is really the stranger here? In code terms, duplicated sections are the same kind of invitation. Some will ask how code could possibly tempt anyone. The answer is that programs get upgraded. You cannot guarantee those lines are perfect in the field; when a flaw is found it will be revised. If you can think of it yourself you won't miss the second copy, but the code is now maintained by someone else, who fixes one place and not the other. Is the hidden danger still there?

The fix is not hard: make the function a single module, so reading and controlling the port is done in one independent place. If the correctness of that data has a large impact, the port data itself should also be checked and judged.

The four purposes of reliability-oriented programming for embedded software are error prevention, error detection, error correction and fault tolerance. Checking port data belongs to error detection; what to do when the data turns out wrong belongs to error correction and fault tolerance, which are not explored in depth here.

Hardware, like the men in the opening analogy, is what the system relies on to act on the outside world; once a problem arises there, the consequences of execution are uncontrollable. Premier Zhou said "there is nothing small in diplomacy." So where should the attention go?
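The two points above, a checked assignment after a forced type conversion and a single module that owns the port, put together as an added example (this is not code from the original post). The port register, its valid range 0x10..0xF0 and the names port_a_read, assign_u8_checked and compute_setpoint are all assumptions made for the illustration; sim_port_a is a constructed stand-in for a memory-mapped input register.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for a memory-mapped 8-bit input port.  On a real MCU
 * this would be a volatile register such as a GPIO data register. */
static volatile uint8_t sim_port_a = 0x00;
void sim_port_a_set(uint8_t v) { sim_port_a = v; }   /* test hook only */

/* Assumed valid range for the sensor behind port A: readings outside it
 * indicate a wiring, power or interference fault rather than a real value. */
#define PORT_A_MIN 0x10u
#define PORT_A_MAX 0xF0u

typedef enum { PORT_OK = 0, PORT_ERR_RANGE = 1 } port_status_t;

/* The single entry point for reading port A.  Every module calls this, so a
 * later fix to the validation is made once and cannot be missed elsewhere. */
port_status_t port_a_read(uint8_t *out)
{
    uint8_t raw = sim_port_a;
    if (raw < PORT_A_MIN || raw > PORT_A_MAX) {
        return PORT_ERR_RANGE;      /* caller decides: retry, last-good value, fault */
    }
    *out = raw;
    return PORT_OK;
}

/* Checked narrowing assignment.  A plain (uint8_t)value silently truncates
 * 300 to 44; this version refuses and leaves *dst untouched instead. */
bool assign_u8_checked(int value, uint8_t *dst)
{
    if (value < 0 || value > UINT8_MAX) {
        return false;
    }
    *dst = (uint8_t)value;
    return true;
}

/* Example consumer: a setpoint derived from the port reading and a gain.
 * Both the read and the assignment are checked before the value is used. */
bool compute_setpoint(int gain, uint8_t *setpoint)
{
    uint8_t reading;
    if (port_a_read(&reading) != PORT_OK) {
        return false;
    }
    return assign_u8_checked((int)reading * gain, setpoint);
}

int main(void)
{
    uint8_t sp = 0;
    sim_port_a_set(0x42);
    printf("gain 2: %s, setpoint=%u\n", compute_setpoint(2, &sp) ? "ok" : "fail", sp);
    printf("gain 8: %s\n", compute_setpoint(8, &sp) ? "ok" : "fail (out of range)");
    return 0;
}
```

Every caller that needs the port goes through port_a_read; when the valid range or the fault handling changes, there is exactly one place to edit.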
Verify the authenticity of data arriving at the hardware interface; detect the actual effect of output data; and design preventively against the possible consequences of output data. Analyze the output path from the design stage, and note that the analysis tends to stay within the steady state and ignore the transition. For example, to control the power supply of a branch, the software simply gives the relay a start signal and lets the open contact close. From the software's point of view the relay has two steady states, "off" and "on". In reality the branch voltage during the transition from open to closed is not a clean step from 0 V to 24 V (24 V is just an example) but a jitter with a ringing, shock-like signal. Hardware protection against this is indispensable, but software cannot treat it as someone else's problem either.

Logically, control actions that are easily interfered with, or that themselves generate interference, should be separated in time. The relay switching process readily produces spikes that disturb the data bus and the control-signal bus, so it is not appropriate to transmit or receive data, or to perform other control actions, at the same moment. Can your design afford not to escape this interference?

Software reliability grows gradually with the passage of time, which distinguishes it from electronic and mechanical reliability. Electronic reliability follows an exponential distribution, with a constant failure rate over the life cycle; mechanical reliability decreases because of wear, corrosion, motion and similar factors. Software reliability design therefore has its own laws and precautions.
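The timing separation described above, written out as an added example that is not part of the original post: a relay driver that marks a settling window after each switch, refuses bus traffic and further actuation during that window, and only trusts a contact-feedback reading once settled. The 20 ms window, the coil and feedback stubs and the function names are assumptions for the illustration; a real driver would write a GPIO and read an auxiliary contact.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define RELAY_SETTLE_MS 20u   /* assumed window covering contact bounce and the supply transient */

typedef enum { RELAY_IDLE = 0, RELAY_SWITCHING } relay_phase_t;

static struct {
    relay_phase_t phase;
    uint32_t      switch_start_ms;
    bool          commanded_on;
} relay;                       /* zero-initialised: idle, commanded off */

/* Coil drive.  Constructed stub standing in for a GPIO write. */
static bool coil_output;
static void coil_write(bool on) { coil_output = on; }
bool coil_is_on(void) { return coil_output; }

/* Request a state change.  Refused while a previous switch is still
 * settling, so two transients are never stacked on top of each other. */
bool relay_set(bool on, uint32_t now_ms)
{
    if (relay.phase == RELAY_SWITCHING) {
        return false;
    }
    coil_write(on);
    relay.commanded_on    = on;
    relay.phase           = RELAY_SWITCHING;
    relay.switch_start_ms = now_ms;
    return true;
}

/* Advance the state machine; called from the main loop or a tick interrupt.
 * The unsigned subtraction is wrap-safe for a free-running millisecond counter. */
void relay_tick(uint32_t now_ms)
{
    if (relay.phase == RELAY_SWITCHING &&
        (uint32_t)(now_ms - relay.switch_start_ms) >= RELAY_SETTLE_MS) {
        relay.phase = RELAY_IDLE;
    }
}

/* Bus transfers and other control actions ask here before they start. */
bool bus_transfer_allowed(void)
{
    return relay.phase == RELAY_IDLE;
}

/* Compare the commanded state with the contact feedback.  Mid-transition the
 * feedback is bouncing and is deliberately not trusted. */
bool relay_verify(bool feedback_closed)
{
    if (relay.phase != RELAY_IDLE) {
        return false;
    }
    return feedback_closed == relay.commanded_on;
}

int main(void)
{
    relay_set(true, 0);
    printf("t=5ms  bus allowed: %d\n", bus_transfer_allowed());   /* 0 */
    relay_tick(5);
    relay_tick(20);
    printf("t=20ms bus allowed: %d, verify: %d\n",
           bus_transfer_allowed(), relay_verify(true));           /* 1, 1 */
    return 0;
}
```

The same gate (bus_transfer_allowed) would sit in front of any other action the text lists as interference-sensitive, not only bus traffic.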
Since software reliability improves over time through continuous correction, the maintainability of the software becomes a central problem. This is why software engineering management pays such attention to documentation and comments, even though the people who impose those demands often do not understand the real motivation behind them. On how comments are written, how variables are named and how configuration management is done, there are conventional methods, and there are some we take for granted that are wrong. A few notable details for reference:

Carry the data type in the variable name, for example AD_result_int or Cal_result_float; this makes it easy to spot a data-type error when a value is forced to another type or a forced value is assigned. Comments should be sufficient. The layout style of the code should be uniform, easy to read and easy to search. No uncontrolled default path may occur: every value and variable, whether passed in by the calling function, read from an interface or computed as an intermediate, should be checked for validity before use, and every possible outcome of that check should be handled in a controlled way.

Articles on maintainability programming methods are everywhere online and are not repeated here. Many of them promote a maintainability coding standard as the enterprise's embedded software reliability design specification, which is somewhat one-sided. In the language of entertainment, "love is an important part of life, but it is not the whole of life"; that is the place of maintainability programming methods within reliability.

The next problem code is prone to at execution time is runaway: the program counter is disturbed, jumps to an uncontrolled location, and executes code that should not be executed.
If the program lands on code that should not execute, and it carries enough checks on variables, read values and states, the consequences are usually not too serious and execution may even find its way back. But one kind of runaway is quite terrible. Object code stored in ROM consists of instructions 1 to 3 bytes long, so up to 3 fields make up one executed action. If the program counter lands on the second byte of a 3-byte instruction, nobody really knows what will be executed; even with plenty of data checks and protection against logical jumps in the program, the result is not good. Also, ROM is generally not completely filled with program code; there is always surplus space. What is the default content of that surplus, and will those default bytes also produce operations? In the MCU the erased default is 0FFH (I haven't checked the DSP; anyone interested can look it up). Jumping into these regions also easily leads to trouble.

Without further rhetoric, here is a direct remedy: between program code or control sections, deliberately place a few NOP instructions, followed by a long jump to an ERR handler. Place at least 3 NOPs: a runaway that lands in the middle of an instruction can swallow at most 2 of them as operands, the third NOP resynchronizes the instruction stream, and the ERR handler that follows is then executed.

For programs with high safety and reliability requirements, the recommended approach is hot backup: two pieces of code perform the same function at the same time and their results are compared. If they agree, the result is released; if they disagree, the handling depends on your design. But... people always find a way to cut corners.
To save trouble, your lead may not actually want a second hot-backup program written, so you copy the original code and paste it in somewhere else. That is like the Ming eunuch Feng Bao (or was it Zhang Juzheng? I'm not sure; check "Those Things in the Ming Dynasty" if interested) having nothing to do, writing memorials to himself and then approving them himself. Since the backup exists to guard against one person's mistake, the best approach is naturally to have different people write the two sections; if the calculation principle is also different and the data acquisition channel is different, you are in good shape.

There are still many precautions in programming detail concerning safety and reliability; what follows is one spot on the leopard seen through a bamboo tube, and dear friends, let's work on the rest together.

Variables should be defined so as to avoid confusion: between items of data within the same program, ambiguity in visually understanding a variable when reading the program, and visually induced errors (the letter "o" and the digit "0", the letter "l" and the digit "1"). Here we follow a basic rule: "either identical, or obviously different." The rule applies in many fields. The one who applied it most thoroughly was Zhu Yuanzhang with corrupt officials: either he ignored you, or once he had pointed out your greed and you did not stop, he executed you outright along with several families, which is why Zhu Yuanzhang was the Ming emperor who killed the most people. In poka-yoke structural design, connector selection follows the same rule: for two similar connectors, one milky white and one light grey, the best choice is a very obvious visual or structural difference, or else simply the same, and "the same" presupposes interchangeability. Use explicit symbols to name variables and statement labels.
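The hot-backup arrangement from the two paragraphs above, as an added example that is not from the original post: two channels computing the same temperature by different methods (linear scaling versus table interpolation), fed from different ADC channels, with a 2-out-of-2 compare before the value is released. The sensor (10-bit ADC, 0..1023 mapped to 0..100.0 degC), the table, the 0.5 degC agreement tolerance and all function names are assumptions; the error handler only counts mismatches here, whereas a real one would drive the safe state.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sensor: 10-bit ADC, 0..1023 maps to 0..100.0 degC.
 * Both channels report tenths of a degree. */
#define TEMP_AGREE_TOL_TENTHS 5   /* assumed acceptable disagreement, 0.5 degC */

/* Channel A ("person A"): linear scaling of ADC channel 0. */
int32_t temp_tenths_linear(uint16_t adc)
{
    return (int32_t)adc * 1000 / 1023;
}

/* Channel B ("person B"): piecewise-linear table for ADC channel 1.
 * Table constructed for the same assumed sensor. */
static const uint16_t tbl_adc[]    = { 0, 256, 512, 768, 1023 };
static const int32_t  tbl_tenths[] = { 0, 250, 500, 750, 1000 };
#define TBL_N (sizeof tbl_adc / sizeof tbl_adc[0])

int32_t temp_tenths_table(uint16_t adc)
{
    size_t i = 0;
    if (adc >= tbl_adc[TBL_N - 1]) {
        return tbl_tenths[TBL_N - 1];
    }
    while (adc >= tbl_adc[i + 1]) {
        i++;                              /* find the segment containing adc */
    }
    int32_t dx = (int32_t)tbl_adc[i + 1] - tbl_adc[i];
    int32_t dy = tbl_tenths[i + 1] - tbl_tenths[i];
    return tbl_tenths[i] + (int32_t)(adc - tbl_adc[i]) * dy / dx;
}

/* Error path.  Constructed: counts only, so the compare logic can be tested. */
static unsigned mismatch_count;
unsigned temp_mismatches(void) { return mismatch_count; }
static void err_handler(int32_t a, int32_t b)
{
    (void)a; (void)b;
    mismatch_count++;                     /* a real system enters its safe state here */
}

/* 2-out-of-2 release: both channels must agree within tolerance, otherwise
 * nothing is released and the error handler runs. */
bool temp_dual_read(uint16_t adc_ch0, uint16_t adc_ch1, int32_t *out_tenths)
{
    int32_t a = temp_tenths_linear(adc_ch0);
    int32_t b = temp_tenths_table(adc_ch1);
    int32_t diff = a - b;
    if (diff < 0) {
        diff = -diff;
    }
    if (diff > TEMP_AGREE_TOL_TENTHS) {
        err_handler(a, b);
        return false;
    }
    *out_tenths = a;
    return true;
}

int main(void)
{
    int32_t t;
    if (temp_dual_read(600, 600, &t)) {
        printf("released %ld.%ld degC\n", (long)(t / 10), (long)(t % 10));
    }
    if (!temp_dual_read(512, 900, &t)) {
        printf("channels disagree, value withheld\n");
    }
    return 0;
}
```

The two implementations deliberately share no code and no input channel, so a bug in one formula or a fault on one ADC input shows up as a disagreement instead of being duplicated into the backup.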
Identifier names should have a clear meaning, as a complete word or a recognised abbreviation. Short words are abbreviated by removing the vowels; long words take the first few letters; some words have established abbreviations, such as Temp: tmp; Flag: flg; Statistic: stat; Increment: inc; Message: msg. Special conventions or abbreviations carry a note, placed at the head of the source file. Your own naming style should be consistent from beginning to end. For variable naming, single characters (i, j, k ...) are forbidden except as local loop variables, where they are allowed but with care for easily confused letters; a name is meaning plus variable kind, data type and so on. For example, in int Liv_Width, L stands for local (g for global), i for the data type (integer), v for variable (c for constant) and Width for the meaning. This naming prevents a local variable from sharing a name with a global. Do not use easily confused identifiers (R1 and Rl, DO and D0, etc.) for different variables, file names and statement labels. Except for special uses such as header-file include guards, avoid identifiers that begin and end with underscores like _EXAMPLE_TEST_. Global variables are a strategic resource: they determine the degree of coupling between modules and must be treated at a high enough level in the project. Use them with caution; when one is unavoidable, write a dedicated module or function for each global variable to manipulate it, and before modifying a global variable check whether any other function is using it and needs it to stay stable. When a variable represents a specific meaning, try not to use a single bit to represent anything.
For example, using bit 0 of a variable to represent a certain state (0000 0001, where only that one bit carries the content, so 01H, 03H, 05H ... all represent the state). A bit is easily flipped by interference, and the chance of an information error is much greater. Also do not use 00H, FFH and similar values to represent states: just as the first and last candidates in a round of interviews are the easiest to remember, 00H and FFH are the most common system default states, and a cell is easily reset or set to one of these values. A four-bit code from the middle of the range, such as 1001, is recommended for a state variable.

Variable data should be checked for data type and value range before use. Data is also prone to problems in storage; EEPROM, RAM and the like have all had such cases. Wrong data cannot be avoided entirely; the remedy is to learn from American financial companies such as Citibank, which resumed business quickly after 9/11 with essentially no data loss because they had remote disaster-recovery data backup systems. The two keywords are off-site and backup. Our data is the same: first choose to store it in different media, or in the same medium but in a different storage environment and location. With two copies, when the copies disagree the data is suspect and acting on it should be refused. But much embedded software must act on its data to drive actuators, and even when it finds the data is in doubt it is not allowed to do nothing. Here we are stuck: two different values, both obviously questionable, both unusable. How to judge within such a limited range? There is no way out except a third copy, and majority vote is the only choice.
Rock-paper-scissors will not do, and Ge You's "dispute terminator" gadget from the film is not suitable either; you have to use the most primitive and most effective method. The only thing to note is that the three copies must be stored in three different backup environments, otherwise it is your brother stuffing the ballot box for you. The above covers only a few categories of embedded software reliability at a basic level. In practice there are many more points to worry about, but if you are preparing to design your own specification, the ideas above should give some inspiration.
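The state-code advice and the three-copy majority vote from the preceding paragraphs, combined into one added example (not code from the original post). The text uses a 4-bit code such as 1001; here 8-bit codes 0x59, 0x96 and 0xA5 are assumed instead, chosen away from 0x00 and 0xFF and differing pairwise in at least four bits. The three slots of tmr_u8_t are a constructed stand-in for three physically separate locations, and all type and function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed state codes: not 0x00 or 0xFF (the usual reset/erased contents),
 * no single-bit meaning, and every pair differs in at least four bits, so one
 * flipped bit can never turn one valid state into another. */
enum { ST_IDLE = 0x59, ST_RUN = 0x96, ST_FAULT = 0xA5 };

bool state_is_valid(uint8_t s)
{
    return s == ST_IDLE || s == ST_RUN || s == ST_FAULT;
}

/* Three copies of one byte.  Constructed: the slots stand in for three
 * separate locations (e.g. RAM, on-chip EEPROM, external EEPROM).  Three
 * copies in the same page of one EEPROM would fail together and the vote
 * would be meaningless. */
typedef struct { uint8_t copy[3]; } tmr_u8_t;

void tmr_write(tmr_u8_t *r, uint8_t v)
{
    r->copy[0] = v;
    r->copy[1] = v;
    r->copy[2] = v;
}

/* Two-copy compare: refuse when the copies disagree.  Sufficient when the
 * system is allowed to stop and do nothing on doubt. */
bool dual_read(uint8_t a, uint8_t b, uint8_t *out)
{
    if (a != b) {
        return false;
    }
    *out = a;
    return true;
}

/* Majority vote over three copies.  Returns true if at least two agree and
 * rewrites the odd copy, so a later second corruption is still tolerated. */
bool tmr_read(tmr_u8_t *r, uint8_t *out)
{
    uint8_t a = r->copy[0], b = r->copy[1], c = r->copy[2];
    if (a == b || a == c) {
        *out = a;
    } else if (b == c) {
        *out = b;
    } else {
        return false;                      /* all three differ: no majority */
    }
    for (int i = 0; i < 3; i++) {
        if (r->copy[i] != *out) {
            r->copy[i] = *out;             /* scrub the outvoted copy */
        }
    }
    return true;
}

/* Load the stored state: majority vote first, then the voted value must still
 * be one of the known codes.  Two independent checks before the value is used. */
bool state_load(tmr_u8_t *r, uint8_t *state)
{
    uint8_t v;
    if (!tmr_read(r, &v)) {
        return false;
    }
    if (!state_is_valid(v)) {
        return false;
    }
    *state = v;
    return true;
}

int main(void)
{
    tmr_u8_t r;
    uint8_t s = 0;
    tmr_write(&r, ST_RUN);
    r.copy[1] = 0xFF;                      /* simulate one corrupted copy */
    printf("load: %d, state=0x%02X, copy1 repaired to 0x%02X\n",
           state_load(&r, &s), s, r.copy[1]);
    return 0;
}
```

Note that a majority vote alone would happily return 0x00 if all three copies had been reset together; the separate state_is_valid check is what catches the "everything defaulted" case the text warns about.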