Important From Last Time

Similar documents
MISRA-C. Subset of the C language for critical systems

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

CODE TIME TECHNOLOGIES. Abassi RTOS MISRA-C:2004. Compliance Report

18-642: Code Style for Compilers

18-642: Code Style for Compilers

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

IAR Embedded Workbench MISRA C:2004. Reference Guide

Axivion Bauhaus Suite Technical Factsheet MISRA

Important From Last Time

Important From Last Time

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

Motor Industry Software Reliability Association (MISRA) C:2012 Standard Mapping of MISRA C:2012 items to Goanna checks

CS 261 Fall C Introduction. Variables, Memory Model, Pointers, and Debugging. Mike Lam, Professor

C Introduction. Comparison w/ Java, Memory Model, and Pointers

MISRA-C:2012 Standards Model Summary for C / C++

Programming in C and C++

Dynamic Allocation in C

September 10,

C++ Undefined Behavior What is it, and why should I care?

Ch. 3: The C in C++ - Continued -

Guidelines for Writing C Code

Short Notes of CS201

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

CS201 - Introduction to Programming Glossary By

CMPE-013/L. Introduction to C Programming

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Pierce Ch. 3, 8, 11, 15. Type Systems

Pointers in C/C++ 1 Memory Addresses 2

Structure of Programming Languages Lecture 10

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

C++ Undefined Behavior

Preface... (vii) CHAPTER 1 INTRODUCTION TO COMPUTERS

CS3157: Advanced Programming. Outline

Programming in C and C++

Operating Systems CMPSCI 377, Lec 2 Intro to C/C++ Prashant Shenoy University of Massachusetts Amherst

Axivion Bauhaus Suite Technical Factsheet AUTOSAR

In Java we have the keyword null, which is the value of an uninitialized reference type

C Programming Review CSC 4320/6320

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

CS Programming In C

Undefined Behaviour in C

CSE 303: Concepts and Tools for Software Development

CSCE 314 Programming Languages. Type System

CSE 374 Programming Concepts & Tools. Hal Perkins Spring 2010

Advanced use of the C language

CodeWarrior Development Studio for Microcontrollers V10.0 MISRA-C:2004 Compliance Exceptions for the HC(S)08, RS08 and ColdFire Libraries Reference

CMSC 330: Organization of Programming Languages. Memory Management and Garbage Collection

Writing an ANSI C Program Getting Ready to Program A First Program Variables, Expressions, and Assignments Initialization The Use of #define and

Summer May 11, 2010

INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS

Procedures, Parameters, Values and Variables. Steven R. Bagley

Introduction to Programming in C Department of Computer Science and Engineering. Lecture No. #43. Multidimensional Arrays

CSE 374 Programming Concepts & Tools. Hal Perkins Fall 2015 Lecture 19 Introduction to C++

Binding and Variables

Physics 2660: Fundamentals of Scientific Computing. Lecture 3 Instructor: Prof. Chris Neu

Review of the C Programming Language

Review of the C Programming Language for Principles of Operating Systems

CS61C : Machine Structures

Dynamic Allocation in C

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

Deep C (and C++) by Olve Maudal

Variables Data types Variable I/O. C introduction. Variables. Variables 1 / 14

CS61C : Machine Structures

A Short Summary of Javali

Basic Types and Formatted I/O

STUDY NOTES UNIT 1 - INTRODUCTION TO OBJECT ORIENTED PROGRAMMING

Lecture 2: C Programm

CMSC 330: Organization of Programming Languages

QUIZ. What is wrong with this code that uses default arguments?

CS11 Advanced C++ Fall Lecture 7

The Foundation of C++: The C Subset An Overview of C p. 3 The Origins and History of C p. 4 C Is a Middle-Level Language p. 5 C Is a Structured


C++ for Java Programmers

Introduction to C. Systems Programming Concepts

ET156 Introduction to C Programming

[0569] p 0318 garbage

Writing Program in C Expressions and Control Structures (Selection Statements and Loops)

Part I Part 1 Expressions

Slide Set 2. for ENCM 335 in Fall Steve Norman, PhD, PEng

Deep C by Olve Maudal

CS558 Programming Languages

A Fast Review of C Essentials Part I

QUIZ. What are 3 differences between C and C++ const variables?

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

CS527 Software Security

C Refresher, Advance C, Coding Standard, Misra C Compliance & Real-time Programming

CSC C69: OPERATING SYSTEMS

Creating a String Data Type in C

Arrays. Returning arrays Pointers Dynamic arrays Smart pointers Vectors

C Fundamentals & Formatted Input/Output. adopted from KNK C Programming : A Modern Approach

Fast Introduction to Object Oriented Programming and C++

Topics Covered Thus Far. CMSC 330: Organization of Programming Languages. Language Features Covered Thus Far. Programming Languages Revisited

COMP322 - Introduction to C++ Lecture 02 - Basics of C++

C#: framework overview and in-the-small features

Computer Science & Information Technology (CS) Rank under AIR 100. Examination Oriented Theory, Practice Set Key concepts, Analysis & Summary

Fundamentals of Programming

CSE 307: Principles of Programming Languages

Fundamental of Programming (C)

LECTURE 18. Control Flow

Transcription:

Important From Last Time Volatile is tricky To write correct embedded C and C++, you have to understand what volatile does and does not do Ø What is the guarantee that it provides? Don t make the 8 mistakes shown in lecture Ø What were they?

Today MISRA-C Ø Subset of C language for critical systems Interesting MISRA rules MISRA-aware tools MISRA limitations Other language subsets

Safety-Critical Systems System is safety-critical if people might die due to software bugs Examples: Ø Automobile stability / traction control Ø Medical automation Ø Many military applications You develop safety-critical software differently from non-critical software We ll cover this topic in more detail later

MISRA-C MISRA Motor Industry Software Reliability Association Their bright idea: Ø Can t avoid C Ø But can force developers to avoid features of C that are known to be problematic Ø Some language flaws Ø Some legitimate features that happen to be bad for embedded software Most of MISRA-C is just good common sense for any C programmer

Terminology Execution error: Something illegal done by a program Ø Out-of-bounds array reference Ø Divide by zero Ø Uninitialized variable usage Trapped execution error: Immediately results in exception or program termination Untrapped execution error: Program keeps running Ø But may fail in an unexpected way later on Ø E.g., due to corrupted RAM Ø In C, operations with undefined behavior are not trapped

Safety A safe language does not allow untrapped execution errors A statically safe language catches all execution errors at compile time Useful languages can t be completely statically safe Ø Java is dynamically safe Ø C and C++ are very unsafe Ø MISRA C is not safe either However, adherence to MISRA-C can largely be statically checked Ø This eliminates or reduces the likelihood of some kinds of untrapped execution errors

MISRA-C Rule 1.2 No reliance shall be placed on undefined or unspecified behavior. Ø Lots of things in C have undefined behavior Ø Divide by zero Ø Out-of-bounds memory access Ø Signed integer overflow Ø Lots of things in C have implementation-defined and unspecified behavior Ø printf ( a ) + printf ( b ); Both of these hard to detect at compile time, in general Implementation-defined behavior is fine in MISRA-C Ø Why?

MISRA-C Rule 5.2 Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that identifier. int total; int foo (int total) { } return 3*total; What does this code mean? Why is it bad?

More MISRA-C Rule 6.3: Typedefs that indicate size and signedness should be used in place of the basic types. Ø For example uint32_t or int8_t Ø Why? Ø Good idea in general? Rule 9.1: All automatic variables shall have been assigned a value before being used. Ø Data segment: Initialized by programmer Ø BSS segment: Initialized to zero Ø Stack variables: Initialized to garbage

More MISRA-C Rule 11.1: Conversions shall not be performed between a pointer to a function and any type other than an integral type. Ø Discuss Rule 11.5: A cast shall not be performed that removes any const or volatile qualification from the type addressed by a pointer. Ø Discuss

More MISRA-C Rule 12.1: Limited dependence should be placed on C s operator precedence rules in expressions. What does this program print? int main (void) { int x = 0; } if (x & 1 == 0) { printf ("t\n"); } else { printf ("f\n"); }

More MISRA-C Rule 12.2: The value of an expression shall be the same under any order of evaluation that the standard permits. Rule 12.3: The sizeof operator shall not be used on expressions that contain side effects. Ø E.g. sizeof(x++); Ø What does this code mean? Ø Absurd that this is permissible in the first place

More MISRA-C Rule 12.4: The right-hand operand of a logical && or operator must not contain side effects. Ø && and are short-circuited in C Ø Evaluation terminates as soon as the truth of falsity of the expression is definite Ø if (x y++) { } Ø Can this be verified at compile time? Ø What is a side effect anyway? Ø Page fault? Ø Cache line replacement?

More MISRA-C 12.10: The comma operator shall not be used. Ø Some of the most unreadable C makes use of commas (C-=Z=!Z) (printf("\n "), C = 39, H--); 13.3: Floating-point expressions shall not be tested for equality or inequality. Ø Why?

More MISRA-C 14.1: There shall be no unreachable code. Ø Good idea? 14.7: A function shall have a single point of exit at the end of the function. Ø Good idea?

More MISRA-C 16.2: Functions shall not call themselves, either directly or indirectly. Ø Good idea? 16.10: If a function returns error information, then that error information shall be tested. Ø Good idea? Ø What does scanf() return? printf()? fclose()?

More MISRA-C 17.6: The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist. int * foo (void) { int x; int *y = &x; return y; } Ø This is a common (and nasty) C/C++ error Ø How is this avoided in Java?

More MISRA-C 18.3: An area of memory shall not be reused for unrelated purposes. Ø No overlays! 19.4: C macros shall only expand to a braced initializer, a constant, a parenthesized expression, a type qualifier, a storage class specifier, or a do-while-zero construct. Ø Avoids some problems we talked about earlier 20.4: Dynamic heap memory allocation shall not be used. Ø Woah!

MISRA Limitations What cannot be accomplished within the MISRA framework? Ø Ø Ø Safety Eliminating the preprocessor Generics A shack built on a swamp

Tool Support for MISRA Goals: Ø Compiler should emit warning or error for any MISRA rule violation Ø Should not emit warnings or errors for code not violating the rules Tools: Ø Compilers from Green Hills, IAR, Keil Ø PC-Lint Reportedly there is considerable variation between tools

Other Language Subsets SPARK Ada Ø Subset of Ada95 Ø Probably the most serious attempt to date at a safe, statically checkable language for critical software Ø Too bad Ada is so uncool Embedded C++ Ø No multiple inheritance Ø No RTTI Ø No exceptions Ø No templates Ø No namespaces Ø No new-style type casts

More Subsets J2ME Ø Not actually a language subset Ø Restricted Java runtime environment that has far smaller memory footprint Ø Popular on cell phones, etc. JavaCard Ø Very small targets 8-bit processors Basic ideas: Ø A good language subset restricts expressiveness a little and restricts potential errors a lot Ø All languages have warts (at least in the context of embedded systems) Ø Simpler compilers may be better

Summary C has clear advantages and disadvantages for building safety-critical embedded software Ø MISRA-C mitigates some of the disadvantages Language subsetting can be a good idea

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback