Certified C compilers for safety-critical embedded systems - Page 11

Re: Certified C compilers for safety-critical embedded systems


Could you tell me why is C language inherently unsafe? And why Ada or
Pascal are considered safer?


P.Krumins


Re: Certified C compilers for safety-critical embedded systems



  Mostly it is historical: C has always allowed 'enough rope to hang
yourself', whilst other languages are more strict in type declaration,
parameter checking, and scope control as examples.
  Modern C's CAN (by option), of course, get close to the same, but the
problem is that they do not REQUIRE it - so the issue becomes
one of programming discipline, and that's not a good place to put
all your safety critical eggs.
  The best recipe is a structured language AND strong programming & Test
discipline.
  Included in that is the version control practice of making sure you
freeze the compiler version you developed/tested with.

-jg



Re: Certified C compilers for safety-critical embedded systems
Indeed.  For safety critical systems it's essential that the subset of
the language you intend to use is clearly specified.  Using a decent
lint tool with strong type checking and the warning level set high can
also significantly improve type checking.

I think that the using a validated compiler can also provide a false
sense of security.  Throw in a few unchecked conversions and you can
easily make an inherently unsafe Ada program.  Plus a validated
compiler will only do what you tell it, rather than what you want it
to do.

Agreed.

Andy


Re: Certified C compilers for safety-critical embedded systems

Basically because of redundancy.  In Pascal you can say you are
dealing with a limited subset of things, and the compiler will
enforce this.  In C you are always dealing with integers, to all
practical purposes.  Ignoring floating point, everything else in C
is made up of integers with no restrictions, or pointers, again
with no real restrictions.

People can write Pascal (and Ada) code in terms of integers, and
avoid all the checks.  But this is pure foolishness.

In C you can fling pointers about with total abandon, and
sometimes make some sense out of the usage.  In Pascal such usage
is closely controlled, and a misused variable is very likely to be
uncovered early, rather than by its effects hours later.

Underneath the languages are very similar.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
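As an added illustration of the point jg and Chuck make above (example code written for this page, not anything a poster wrote): C compiles each of the unchecked functions below without complaint, while the checked counterparts spell out the range and enumeration checks a Pascal compiler would apply on its own. The subrange_t type and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>

/* A Pascal-style subrange such as 0..100, carried as explicit bounds.
   Constructed for this example; C itself has no subrange types. */
typedef struct { long lo, hi; } subrange_t;

/* Plain C: any long "fits" an int variable, so an out-of-range value is
   stored unchanged and the compiler never objects. */
static int percent_unchecked(long v) {
    return (int)v;                  /* compiles cleanly for 250 or -7 */
}

/* The discipline a Pascal compiler imposes for you: refuse the store. */
static bool subrange_assign(subrange_t r, long v, long *dst) {
    if (v < r.lo || v > r.hi)
        return false;               /* Pascal would raise a range error */
    *dst = v;
    return true;
}

/* Enumerations: C lets any int masquerade as an enumerator. */
typedef enum { RED, AMBER, GREEN } light_t;

static light_t light_unchecked(int v) {
    return (light_t)v;              /* 7 is accepted without complaint */
}

static bool light_checked(int v, light_t *out) {
    if (v < RED || v > GREEN)
        return false;
    *out = (light_t)v;
    return true;
}

/* Narrowing: C wraps 300 to 44 silently; the checked form refuses it. */
static uint8_t to_u8_unchecked(int v) {
    return (uint8_t)v;
}

static bool to_u8_checked(int v, uint8_t *out) {
    if (v < 0 || v > UCHAR_MAX)
        return false;
    *out = (uint8_t)v;
    return true;
}
```

Every "unchecked" function here compiles without a warning at default settings, which is the "enough rope" the thread is discussing; a strict lint or a high warning level catches some of these, the checked wrappers catch all of them at run time.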
Re: Certified C compilers for safety-critical embedded systems

This is fine in theory. However good C compilers are VERY good.  I once
had to work in Modula-2 because it was a "safe" language but the
compilers were so buggy and inconsistent it made a complete mockery of a
"safe" language.

The other thing is because C is the most popular language on the planet
there are many high quality testing tools for it. Unlike Pascal etc.

People use a subset of C, Ada etc for safety critical. When you come
down to subsets most languages are OK for safety critical.
 

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England    /\/\/\/\/\
/\/\/ snipped-for-privacy@phaedsys.org       www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Re: Certified C compilers for safety-critical embedded systems


I would -love- to be able to use Modula-2 today, but sadly it died the death
of the obscure ( I guess having a non-buggy M2 compiler spoiled me).  Having
to write "safe" code (isn't that the goal for all of us, whether it's for
life-support applications or not?) in C scares me to death.

Given the choice of the language looking out for you or not, I'll take the
language looking out for you.  What else is all this CPU horsepower for?

-MG.



Re: Certified C compilers for safety-critical embedded systems

It's not for providing excuses. Telling the boss "it's not my fault,
the compiler should have fixed it" won't wash in my business.

--
Al Balmer
Balmer Consulting
Re: Certified C compilers for safety-critical embedded systems

Who said anything about compilers *fixing* things?  Who said anything
about providing excuses?  Would you argue against using lint for the
same reasons?  In spite of what we all read on usenet, there are no
perfect programmers.  We should welcome any tools we can use to catch
mistakes, even though no tool will catch every mistake.

I tell my boss all the time that C is a garbage language, and that
using it (with imperfect programmers, the only kind they've been able
to hire) costs the company time and money.  Inertia is a powerful
thing, but they're starting to listen, just a bit.

Mike

Re: Certified C compilers for safety-critical embedded systems
On 19 Dec 2003 11:03:07 -0800, snipped-for-privacy@yahoo.com (Mike Silva)


I may be mis-interpreting you, but it seems you are saying that the
tools and the process are more important to safe code than the people
using them. I disagree.


It's not the language that's garbage, but your programmers. As it
happens, I have an excellent example in hand - a project which has
several components on Unix, written in C, and one component on
Windows, written with Delphi. For the last couple of weeks, the
project has been beating its head against problems in the Delphi code,
whereas the C code is WAD.

I'm not blaming Delphi. Don't expect your programmers to start
producing good code because you give them a different language.

--
Al Balmer
Balmer Consulting
Re: Certified C compilers for safety-critical embedded systems
... snip ...

However Delphi is effectively Cified Pascal, with most of the C
insecurities reinserted and most of the C shorthand removed.  Its
main claim to fame IMHO is a relatively clean way of creating
Windows GUI interfaces.  I consider it requires a great deal of
expertise to use both cleanly and accurately, although not as much
as C or C++.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
Re: Certified C compilers for safety-critical embedded systems

No, I'm simply arguing (along with others here, it appears) that all
the above have an impact.  And I am agreeing that CPU horsepower (in
the form of  better compilers for better languages) should be used to
catch as many problems as possible, as early as possible in the
development cycle, irrespective of any other factor such as process or
programmer ability.

We'll just have to disagree on this one. :)  Our programmers are the
same as all the millions of programmers who have, by their imperfect
human nature, nurtured the lint band-aid on top of the C sore.  C
simply makes too many wrong choices to be a good tool for use by
normal human beings.  That it has been used heroically in many cases
is a tribute to the heroes, not the language.

Mike
(C programmer for 25 years)

Re: Certified C compilers for safety-critical embedded systems
... snip ...

I suspect one of the important reasons that C has won out over
Pascal as the primary application language is that it simply
complains less.  This allows the sub-standard programmer to write
things, and get error free compiles.  The fact that the result
doesn't work, or isn't portable, is not his fault.  After all, it
compiled, didn't it?

Of course the fact that the most popular so-called Pascal system
did not implement Pascal may also be connected.  This lost the
Pascal portability advantage.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
Re: Certified C compilers for safety-critical embedded systems

[...]
[...]

I don't think so (though that doesn't mean you're wrong ;-)

I did most of my academic programming (from around 1979-1983) in
Pascal.  I had studied other languages (as required by the curriculum)
and liked nothing else as well (though Lisp was fun).

My earliest embedded programming projects were in assembler (various
8- and 16-bit processors), PLM/80, and Jovial (J73B).

*The* number one thing that led me to prefer C for embedded
programming was the explicit bit manipulation operators.  In
particular, I remember a terribly frustrating (non-embedded)
application (written in Pascal) where I needed to mask out bits in
unsigned values.  There were no standard operators or library
functions.  I vaguely remember a horrible collection of case
statements and looping constructs.  It wasn't pretty.

The number two thing was the (mostly illusory) "efficiency" of the
language -- the "fact" that it was really a "high-level assembly
language."

The number one reason I've stuck with it is the ubiquity of C.  The
only processors I can think of that don't have at least two sorta-C
compilers targeting them are 4-bitters.


Another problem I had with Pascal was the loss of modularity.  The
entire program resides in a single text file.  That may no longer be
true, but it was back in the early '80s.

I would have liked to have tried Modula-2, but I haven't ever had the
chance.  The only "Modula-2" compiler I had was FST for DOS, and
(IIRC) it wasn't really suitable for embedded use.

Regards,

                               -=Dave
--
Change is inevitable, progress is not.

Re: Certified C compilers for safety-critical embedded systems
... snip ...

In many (but not all) cases those things are best handled with
sets.  In my systems I did define an additional function
mask(integer, integer) : integer; for just that purpose.  Proper
definition of subranges and multiplications could combine bit
fields perfectly well.  The compiler converted most
multiplications by constants into shifts.

...snip ...

That no longer applies to extended (ISO10206) Pascal, and was
avoided by non-standardized extensions in most systems back when.
Mine handled separate compilation by leaving out the main program
block, but not the final period.  Global data was handled by an
include file, since only the outer block did any space assignment
for globals.  Kludgy, but it worked.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
Re: Certified C compilers for safety-critical embedded systems

[...]
[...]

That reminded me of a saying I once heard:

  Pascal makes you say "please", while C makes you say "I'm sorry".


-Robert Scott
 Ypsilanti, Michigan
(Reply through this forum, not by direct e-mail to me, as automatic reply
address is fake.)


Re: Certified C compilers for safety-critical embedded systems
On Mon, 22 Dec 2003 17:39:54 GMT, no-one@dont-mail-me.com (Robert


It's well-known that it's easier to ask forgiveness than permission.

Regards,

                               -=Dave
--
Change is inevitable, progress is not.

Re: Certified C compilers for safety-critical embedded systems


I think you'll find that Airbus, Boeing etc. disagree with you.
Which would you rather fly on - an aircraft whose fly-by-wire code was
written by a single genius with no process or tools, or a group of
well-drilled dullards whose every step was automatically checked and
double-checked through a rigorous process.

These are the two ends of the scale, obviously, but I know which plane
I'd prefer to fly on.

Cheers
TW

Re: Certified C compilers for safety-critical embedded systems
On 20 Dec 2003 04:53:32 -0800, snipped-for-privacy@ornette.freeserve.co.uk (Ted


Me too. One where the man sitting up front can override the
bloody software if he wants to! :)

Mike Harding


Re: Certified C compilers for safety-critical embedded systems

[...]

There are a few still out there, e.g.,
http://www.designtools.co.nz/mod51.htm for the 8051.  You can probably
find more if you poke around the Modula-2 webring,
http://www.modulaware.com/m2wr/ though I'm not sure what you'll find
targeting embedded processors...

Regards,

                               -=Dave
--
Change is inevitable, progress is not.

Re: Certified C compilers for safety-critical embedded systems

You must belong to the Microsoft school of applications
development -- if some is good, a /lot/ more is better!  8-)

As with all work of this nature, there are tradeoffs.  It's
nice to have a lot of processing power, but if it's wasted
mostly "looking out for you" and little is left for doing
some real work, then you've missed the target.
