Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Similar documents
Important From Last Time

MISRA-C. Subset of the C language for critical systems

CODE TIME TECHNOLOGIES. Abassi RTOS MISRA-C:2004. Compliance Report

Important From Last Time

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Axivion Bauhaus Suite Technical Factsheet MISRA

IAR Embedded Workbench MISRA C:2004. Reference Guide

Important From Last Time

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

18-642: Code Style for Compilers

18-642: Code Style for Compilers

Motor Industry Software Reliability Association (MISRA) C:2012 Standard Mapping of MISRA C:2012 items to Goanna checks

Ch. 3: The C in C++ - Continued -

MISRA-C:2012 Standards Model Summary for C / C++

Operating Systems CMPSCI 377, Lec 2 Intro to C/C++ Prashant Shenoy University of Massachusetts Amherst

Short Notes of CS201

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

CS201 - Introduction to Programming Glossary By

Structure of Programming Languages Lecture 10

September 10,

Physics 2660: Fundamentals of Scientific Computing. Lecture 3 Instructor: Prof. Chris Neu

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

Guidelines for Writing C Code

CS 261 Fall C Introduction. Variables, Memory Model, Pointers, and Debugging. Mike Lam, Professor

Programming in C and C++

Review of the C Programming Language for Principles of Operating Systems

Review of the C Programming Language

Advanced use of the C language

Undefined Behaviour in C

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

C Introduction. Comparison w/ Java, Memory Model, and Pointers

QUIZ. What are 3 differences between C and C++ const variables?

Arrays. Returning arrays Pointers Dynamic arrays Smart pointers Vectors

Axivion Bauhaus Suite Technical Factsheet AUTOSAR

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

CSCE 314 Programming Languages. Type System

CS Programming In C

A Fast Review of C Essentials Part I

CSE 303: Concepts and Tools for Software Development

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

Deep C (and C++) by Olve Maudal

10. Functions (Part 2)

CodeWarrior Development Studio for Microcontrollers V10.0 MISRA-C:2004 Compliance Exceptions for the HC(S)08, RS08 and ColdFire Libraries Reference

Preface... (vii) CHAPTER 1 INTRODUCTION TO COMPUTERS

Pierce Ch. 3, 8, 11, 15. Type Systems

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Please refer to the turn-in procedure document on the website for instructions on the turn-in procedure.

Dynamic Allocation in C

C++ Undefined Behavior What is it, and why should I care?

QUIZ. What is wrong with this code that uses default arguments?

CS 11 C track: lecture 5

Procedures, Parameters, Values and Variables. Steven R. Bagley

A Short Summary of Javali

Tokens, Expressions and Control Structures

C Programming Review CSC 4320/6320

Deep C by Olve Maudal

Summer May 11, 2010

C++ Undefined Behavior

Names, Scope, and Bindings

ET156 Introduction to C Programming

Names, Scope, and Bindings

Programming Languages Third Edition. Chapter 9 Control I Expressions and Statements

Semantic Analysis. Lecture 9. February 7, 2018

CS3157: Advanced Programming. Outline

1 Lexical Considerations

The Foundation of C++: The C Subset An Overview of C p. 3 The Origins and History of C p. 4 C Is a Middle-Level Language p. 5 C Is a Structured

What are the characteristics of Object Oriented programming language?

CS61C : Machine Structures

Names, Scope, and Bindings

#include <stdio.h> int main() { printf ("hello class\n"); return 0; }

ANITA S SUPER AWESOME RECITATION SLIDES

In Java we have the keyword null, which is the value of an uninitialized reference type

Interview Questions of C++

C Refresher, Advance C, Coding Standard, Misra C Compliance & Real-time Programming

Review: C Strings. A string in C is just an array of characters. Lecture #4 C Strings, Arrays, & Malloc

Computer Components. Software{ User Programs. Operating System. Hardware

HW1 due Monday by 9:30am Assignment online, submission details to come

Binding and Variables

Writing an ANSI C Program Getting Ready to Program A First Program Variables, Expressions, and Assignments Initialization The Use of #define and

STUDY NOTES UNIT 1 - INTRODUCTION TO OBJECT ORIENTED PROGRAMMING

CSE 374 Programming Concepts & Tools. Hal Perkins Spring 2010

Topics Covered Thus Far. CMSC 330: Organization of Programming Languages. Language Features Covered Thus Far. Programming Languages Revisited

COMP322 - Introduction to C++ Lecture 02 - Basics of C++

CMPE-013/L. Introduction to C Programming

CS11 Advanced C++ Fall Lecture 7

G Programming Languages - Fall 2012

Variables Data types Variable I/O. C introduction. Variables. Variables 1 / 14

Static Analysis in C/C++ code with Polyspace

C#: framework overview and in-the-small features

COMP6771 Advanced C++ Programming

Page 1. Last Time. Today. Embedded Compilers. Compiler Requirements. What We Get. What We Want

BLM2031 Structured Programming. Zeyneb KURT

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

CSE450. Translation of Programming Languages. Lecture 11: Semantic Analysis: Types & Type Checking

QUIZ on Ch.5. Why is it sometimes not a good idea to place the private part of the interface in a header file?


The pre-processor (cpp for C-Pre-Processor). Treats all # s. 2 The compiler itself (cc1) this one reads text without any #include s

G52CPP C++ Programming Lecture 9

Transcription:

Stuff Last Time Homework due next week Lab due two weeks from today Questions? Interrupts Inline assembly Intrinsics Today Safety-Critical Systems MISRA-C Subset of C language for critical systems System is safety-critical if people might die due to software bugs Interesting MISRA rules MISRA-aware tools MISRA limitations Other language subsets Examples: Vehicle control Medical automation Many military applications You develop safety-critical software differently from non-critical software We ll cover this topic in more detail later MISRA-C Terminology MISRA Motor Industry Software Reliability Association Their bright idea: Can t avoid C Can force developers to avoid features of C that are known to be problematic Some language flaws Some legitimate features that happen to be bad for embedded software Most of MISRA-C is just good common sense for any C programmer Execution error: Something illegal done by a program Out-of-bounds array reference Divide by zero Uninitialized variable usage Trapped execution error: Immediately results in exception or program termination Untrapped execution error: Program keeps running But may fail in an unexpected way later on E.g., due to corrupted RAM Technically, the behavior of the program after the execution error is undefined anything might happen Page 1

Safety MISRA-C Rule 1.2 A safe language does not allow untrapped execution errors A statically safe language catches all execution errors at compile time Useful languages can t be completely statically safe Java is safe C and C++ are very unsafe MISRA C is not safe either However, adherence to MISRA-C can largely be statically checked This eliminates or reduces the likelihood of some kinds of untrapped execution errors No reliance shall be placed on undefined or unspecified behavior. Lots of things in C have undefined behavior Divide by zero Out-of-bounds memory access Signed integer overflow (!) Lots of things in C have implementation-defined behavior Side-effecting function arguments printf ( %d %d\n, a++, a++); Side-effecting subexpressions i = a++ + a++; Both of these hard to detect at compile time Undefined vs. Implementation-Defined Undefined behavior means that your program can legally do anything Launch a missile, mail your password to Bill Gates, Meaning: You broke the rules, you pay the price Implementation defined behavior means that the compiler can choose from a set of alternatives Optimistic meaning: Language designers felt that specifying a particular implementation would rule out some useful optimizations Pessimistic meaning: Language designers misguided MISRA-C Rule 5.2 Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that identifier. int total; int foo (int total) { return 3*total; Now what happens if we change the name of the argument but forget to change the reference to total? Rule 6.3: Typedefs that indicate size and signedness should be used in place of the basic types. Why? Good idea in general? Rule 11.1: Conversions shall not be performed between a pointer to a function and any type other than an integral type. Discuss Rule 9.1: All automatic variables shall have been assigned a value before being used. Data segment: Initialized by programmer BSS segment: Initialized to zero Stack variables: Initialized to garbage Rule 11.5: A cast shall not be performed that removes any const or volatile qualification from the type addressed by a pointer. Discuss Page 2

Rule 12.1: Limited dependence should be placed on C s operator precedence rules in expressions. What does this program print? int main (void) { int x = 0; if (x & 1 == 0) { printf ("t\n"); else { printf ("f\n"); Rule 12.2: The value of an expression shall be the same under any order of evaluation that the standard permits. x = i++ + i++; Can you figure out what this does? Neither can the compiler Rule 12.3: The sizeof operator shall not be used on expressions that contain side effects. E.g. sizeof(x++); Absurd that this is permissible in the first place Rule 12.4: The right-hand operand of a logical && or operator must not contain side effects. && and are short-circuited in C Evaluation terminates as soon as the truth of falsity of the expression is definite if (x y++) { Can this be verified at compile time? What is a side effect anyway? Page fault? Cache line replacement? 12.10: The comma operator shall not be used. Some of the most unreadable C makes use of commas (C-=Z=!Z) (printf("\n "), C = 39, H--); 13.3: Floating-point expressions shall not be tested for equality or inequality. Why? 14.1: There shall be no unreachable code. 14.7: A function shall have a single point of exit at the end of the function. 16.2: Functions shall not call themselves, either directly or indirectly. 16.10: If a function returns error information, then that error information shall be tested. Page 3

17.6: The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist. int * foo (void) { int x; int *y = &x; return y; This is a common (and nasty) C/C++ error How is this avoided in Java? 18.3: An area of memory shall not be reused for unrelated purposes. No overlays! 19.4: C macros shall only expand to a braced initializer, a constant, a parenthesized expression, a type qualifier, a storage class specifier, or a do-while-zero construct. Avoids some problems we talked about earlier 20.4: Dynamic heap memory allocation shall not be used. Woah! MISRA Limitations Tool Support for MISRA What cannot be accomplished within the MISRA framework? Safety Eliminating the preprocessor Generics A shack built on a swamp Goals: Compiler should emit warning or error for any MISRA rule violation Should not emit warnings or errors for code not violating the rules Tools: Compilers from Green Hills, IAR, Keil PC-Lint Reportedly there is considerable variation between tools Other Language Subsets More Subsets SPARK Ada Subset of Ada95 Probably the most serious attempt to date at a safe, statically checkable language for critical software Too bad Ada is so uncool Embedded C++ No multiple inheritance No RTTI No exceptions No templates No namespaces No new-style type casts J2ME Not actually a language subset Restricted Java runtime environment that has far smaller memory footprint Popular on cell phones, etc. JavaCard Very small targets 8-bit processors Basic ideas: A good language subset restricts expressiveness a little and restricts potential errors a lot All languages have warts (at least in the context of embedded systems) Simpler compilers may be better Page 4

Summary C has clear advantages and disadvantages for building safety-critical embedded software MISRA-C mitigates some of the disadvantages Language subsetting can be a good idea Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback