Le 25/07/2021 à 11:45, Andreas Messer a écrit :
> Why I'm so critical about letting it crash: I typically deal with stack
> sizes of no more around 2-8kB in automation devices and have to be careful
> with that. You can't simply let a newspaper printing machine's motor control
> crash, 1000's of newspaper pages would be trashed. Once we had a crash in
> simple limit switch device. As a result the high-rack robot pushed a
> pallet in 15m height out of the rack. Fortunately, it was just another
> robot which was destroyed (stood just below) - not a human being. Still
> a very expensive case for the company. So I'm used implement a lot of
> checks :-). (Actually we even don't use heap allocation after booting
> the firmware)

    Note that not only a crash might cause this effect. C (and libc) is
a language where "undefined behaviour" may happen at the corner of every
streets, as mentionned everywhere in the mans.

    With all respect due to your work, I tend to think that with such
expensive and dangerous machines, more investment should be put into
hardware so as to get controllers with a decent ram. And maybe the
firmware could take safety action when software crashes.

    Similarly, more investment should be put in software so as to make a
review of available languages suited for mssion-critical applications
and invest in learning the chosen language. C and C++ are so error-prone
that they are really not suited.

    This went far off topic. I have more on the initial topic but am
getting tired (~:

    -- Didier