Certified C compilers for safety-critical embedded systems - Page 6

Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

It's "too" and "an" and "safety". If you are too lazy to use a spelling and
grammar checker, you should not be writing comments criticizing other people's
writing.


Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it

:-)

Well said, Hyman.

It's true that Ada is correctly spelt "Ada", not "ADA" or "ADa", but
come on.  Why do we need to make a big deal about it?  Ada has some
advantages over C, but beating people up over the spelling isn't going
to convince anybody of anything.

- Bob

P.S. for those interested in Ada trivia: In the December 22 issue of
Newsweek, there's a photo of Tony Blair standing in front of a portrait
of Ada.  That's the Ada for whom the language was named.  Page 32.

Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

[plain] char is a character
singed and unsigned char are integer types.

Quoted text here. Click to load it

There are no C99 compilers bar (apparently) the Tasking Tricore
compiler.




/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England    /\/\/\/\/\
/\/\/ snipped-for-privacy@phaedsys.org       www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Re: Certified C compilers for safety-critical embedded systems

[...]
Quoted text here. Click to load it

Plain character is an abomination.  It is particularly unsuited for
character data.  You can get singed.  ;-)

All three are integer types.  All three are 1 byte wide ("byte" does
not mean "8 bits").

Quoted text here. Click to load it

I'm not sure what you mean.  There's no such thing as "byte."
uint8_t?  Not guaranteed to exist.  uint_least8_t?  That would work,
but I fear relatively few even know it exists, let alone how to use
it...

Quoted text here. Click to load it

Comeau?

Regards,

                               -=Dave
--
Change is inevitable, progress is not.

Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it

Grin. But most C programmers are too lazy to type unsigned.

Quoted text here. Click to load it

That is why Ada 'Size gives you the size in bits. No misunderstanding here.

Quoted text here. Click to load it

You always learn something new. But uint_least8_t is not helpful for
safety-critical embedded systems. You might need exactly 8 bits.

Which brings me back to the original question. How will you do this in C:

type Month is new Integer range 1 .. 12;
for Month'Size use 8;

Or even better:

type Display_Element is new Integer range 0 .. 9;
for Display_Element'Size use 4;

type Display_Array is array (Integer range 1 .. 6) of Display_Element;
pragma Pack (Display_Array);

Display : Display_Array;
for Display'Address use System.Storage_Elements.To_Address (16#12_3456#);
--  needs "with System.Storage_Elements;" on the enclosing unit

We are talking "safety-critical embedded systems". The Plane might crash if
11 is ever stored in a Display_Element.

With Regards

Martin.
--
mailto:// snipped-for-privacy@users.sourceforge.net
http://www.ada.krischik.com


Re: Certified C compilers for safety-critical embedded systems
On Tue, 30 Dec 2003 11:18:55 +0100, Martin Krischik

Quoted text here. Click to load it
[...re: plain, signed, and unsigned char...]
Quoted text here. Click to load it

In C, CHAR_BIT gives you the number of bits in [[un]signed] char.  It
must be >= 8.

Quoted text here. Click to load it

If a platform supports uint8_t (unsigned integer exactly 8 bits wide)
the compiler must provide the type.  If the platform does not support
the type, you have to choose another platform.

Quoted text here. Click to load it

You could do something like

   typedef struct month{
      unsigned int value:8;
   } Month;

Quoted text here. Click to load it

   typedef struct display_element{
      unsigned int value:4;
   } Display_Element;

Quoted text here. Click to load it

   typedef struct display_array{
      unsigned int elt0: 4;
      unsigned int elt1: 4;
      unsigned int elt2: 4;
      unsigned int elt3: 4;
      unsigned int elt4: 4;
      unsigned int elt5: 4;
   } Display_Array;

Quoted text here. Click to load it

   Display_Array *Display = (Display_Array *) 0x123456;

Though in no case would the ranges be enforced.  Heck, enumerations
aren't enforced in any way either:

   enum { Red, Green, Blue } color;
   int number;

   color = 42;
   number = Red;

Is perfectly fine as far as the compiler is concerned.

Quoted text here. Click to load it

Then don't do that.  ;-)

Regards,

                               -=Dave
--
Change is inevitable, progress is not.

Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it


I had my array start at 1 not 0. In C all numbers start with 0 but in the
real world they usually start with 1.

Quoted text here. Click to load it

Display_Array *const Display = (Display_Array *) 0x123456;
 
Quoted text here. Click to load it

But is it not much better if the compiler stopped you from making that
mistake?

Anyway, all of the above is just plain C and it is not at all as safe as the Ada
code. Nor is it as easy to read (safety-critical software in my book should
be code reviewed). And this is just

The claim here in the group is that by use of a static analysis tool the C
code can be made as secure as the Ada code. So let me expand my question:
How will the static analysis tool find out that the following might lead to
the plane crashing?

Ada:

Display (1) := 11;               --  Compiler will warn you at compile time
Display (2) := Value + 2;        --  exception if Value is greater than 7

C:

Display->elt0 = 11;
Display->elt1 = Value + 2;  

This example might be over-primitive, but humans sometimes make these little
mistakes.


With Regards

Martin
--
mailto:// snipped-for-privacy@users.sourceforge.net
http://www.ada.krischik.com
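An added example, not code from Dave's or Martin's posts, showing in C what the two sides above are arguing about. It starts from the 4-bit bitfield struct Dave posted and the two assignments Martin asks about (`Display->elt0 = 11;` and `Display->elt1 = Value + 2;`). The raw field write is kept as `raw_store` to show that a value of 17 is reduced modulo 16 and reads back as 1 with no diagnostic; `display_set` and `display_add` are the range checks an Ada compiler would insert for `Display (I) := V;`, written out by hand so that an out-of-range value is refused instead of stored. Assumptions: 8-bit bytes (pinned with a compile-time check, since the standard only promises `CHAR_BIT >= 8`), and plain RAM standing in for the memory-mapped device at 0x123456 so the example runs on a host. Note that 11 fits in four bits, so no compiler warning about bitfield overflow will ever fire for it; only the explicit 0..9 check catches it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: 8-bit bytes. CHAR_BIT is only guaranteed to be
 * at least 8, so the layout below is pinned down at compile time. */
_Static_assert(CHAR_BIT == 8, "this layout assumes 8-bit char");

/* Six 4-bit digits, the C counterpart of the packed Ada Display_Array.
 * A 4-bit field holds 0..15; nothing in the type says "0..9". */
typedef struct display_array {
    unsigned int elt0 : 4;
    unsigned int elt1 : 4;
    unsigned int elt2 : 4;
    unsigned int elt3 : 4;
    unsigned int elt4 : 4;
    unsigned int elt5 : 4;
} Display_Array;

#define DISPLAY_DIGITS      6u
#define DISPLAY_ELEMENT_MAX 9u   /* Ada: range 0 .. 9 */

/* What the raw field assignment in the thread does: conversion to an unsigned
 * bit-field is modulo 2^width (C11 6.3.1.3), so 17 becomes 1 and nothing
 * complains. Returns the digit actually stored. */
unsigned raw_store(Display_Array *d, unsigned value)
{
    d->elt1 = value;            /* silently reduced modulo 16 */
    return d->elt1;
}

/* Bit-fields have no address, so indexing needs a switch. */
static bool field_get(const Display_Array *d, unsigned idx, unsigned *out)
{
    switch (idx) {
    case 0: *out = d->elt0; return true;
    case 1: *out = d->elt1; return true;
    case 2: *out = d->elt2; return true;
    case 3: *out = d->elt3; return true;
    case 4: *out = d->elt4; return true;
    case 5: *out = d->elt5; return true;
    default: return false;
    }
}

static bool field_set(Display_Array *d, unsigned idx, unsigned v)
{
    switch (idx) {
    case 0: d->elt0 = v; return true;
    case 1: d->elt1 = v; return true;
    case 2: d->elt2 = v; return true;
    case 3: d->elt3 = v; return true;
    case 4: d->elt4 = v; return true;
    case 5: d->elt5 = v; return true;
    default: return false;
    }
}

/* Checked write: reject instead of truncating. This is the run-time check an
 * Ada compiler inserts for "Display (I) := V;", written out by hand. */
bool display_set(Display_Array *d, unsigned idx, unsigned value)
{
    if (idx >= DISPLAY_DIGITS || value > DISPLAY_ELEMENT_MAX)
        return false;           /* Ada would raise Constraint_Error here */
    return field_set(d, idx, value);
}

bool display_get(const Display_Array *d, unsigned idx, unsigned *out)
{
    return idx < DISPLAY_DIGITS && field_get(d, idx, out);
}

/* "Display (2) := Value + 2;" with the range check applied to the sum, so a
 * current value of 8 is refused rather than stored as 10. The current value
 * is re-checked too, in case a raw write left 10..15 in the field. */
bool display_add(Display_Array *d, unsigned idx, unsigned delta)
{
    unsigned cur;
    if (!display_get(d, idx, &cur) || cur > DISPLAY_ELEMENT_MAX ||
        delta > DISPLAY_ELEMENT_MAX - cur)
        return false;
    return field_set(d, idx, cur + delta);
}

int main(void)
{
    /* Host stand-in for the device at 0x123456: plain RAM. On the target this
     * would be a pointer to the register block, as in the posts above. */
    Display_Array ram;
    memset(&ram, 0, sizeof ram);
    Display_Array *Display = &ram;

    printf("raw store of 17 reads back as %u\n", raw_store(Display, 17));
    printf("display_set(0, 11): %s\n", display_set(Display, 0, 11) ? "ok" : "rejected");
    display_set(Display, 1, 8);
    printf("display_add(1, 2) on 8: %s\n", display_add(Display, 1, 2) ? "ok" : "rejected");
    return 0;
}
```

The point a reviewer would take from this: in C the 0..9 invariant lives in a function the programmer must remember to call, and a static analysis tool can only flag the raw assignment if it has been told that `elt0` is supposed to be 0..9; in the Ada version that information is part of the type.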


Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

The "real world" doesn't have arrays. Only computer programs do.


Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it

The "real world" does not have numbers as well.

--
Regards,
Dmitry A. Kazakov
Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

You live in a highly peculiar world. :-)

Martin means array indices, not numbers, IMO.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

Counting in the real world is done in many peculiar ways.
For example, at least in the US, house numbers tend to be
even on one side of the street and odd on the other.

Counting in computer programs should be done in a way most
convenient for the programs to do their work.


Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it

Here you hit the main difference between the Pascal/Modula-2/Ada faction
and the C/C++ faction.

The Pascal/Modula-2/Ada faction believes that computer programs should
resemble the real world as much as possible and translating between real world
and computer world should be done by the compiler and the optimizer.

Because once the compiler and optimizer have learned to do that they will do it
right every time. Unlike humans.

I have a lot more experience in C++ than in Ada, yet I make a lot more little
mistakes in C++ than in Ada. Most of which are type conversions where there
is no type to be converted.

And of course I use warning level 4 to tell me about unsuitable type
conversions but it does not help. Mostly because the 3rd party libraries
(incl. the STL) are not compatible with warning level 4.

From my experience 10 to 1 (10 times as many silly little mistakes in C++)
is realistic.

And, unlike the normal C/C++ developer, who takes these bugs as K&R-given, I
know that an Ada compiler would have told me that I am doing something
silly.

With Regards

Martin

--
mailto:// snipped-for-privacy@users.sourceforge.net
http://www.ada.krischik.com


Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

I must remember to tell my radar building buddies, who have (various types
of) antenna arrays... ;-)



Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it

Interesting point. Apparently 0 is the first positive integer.
Everything starts at 0. Otherwise things would start with 1 or -1, and there
would be nothing (not 0) between them :-)

Zero is a valid number.

runs for cover and turns off email system :-)
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England    /\/\/\/\/\
/\/\/ snipped-for-privacy@phaedsys.org       www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it

Zero is the first natural number, positive numbers do not include zero.

Quoted text here. Click to load it


All numbers are valid. What could be an "invalid" number?

Quoted text here. Click to load it

Just start receiving the answer number zero! (:-))

--
Regards,
Dmitry A. Kazakov
Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it
Is that in maths, computing or philosophy?

Quoted text here. Click to load it

My phone bill :-)


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England    /\/\/\/\/\
/\/\/ snipped-for-privacy@phaedsys.org       www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Re: Certified C compilers for safety-critical embedded systems

Quoted text here. Click to load it
GNP
Consumer Satisfaction Index
any election year stat
women's ages
etc etc ...

Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it
... snip ...
Quoted text here. Click to load it

I don't think anyone knowledgeable is seriously making such a
claim.  However, nobody knowledgeable would make the claim that
assembly language is unnecessary either, and similarly C is
extremely useful as a lingua franca extending over many systems.

As has been pointed out elsethread, it is possible to translate
Ada to C, which immediately takes advantage of the de facto
portability, but gives up some compile time efficiency and
convenience.  After all, the usual function of a C compiler is to
translate a C program to assembly language, except that that
destination is not standardized.

Implementation of run-time checks may require that the C code make
extensive use of system subroutines.  It may not be possible to
use "a = b + c;" statements.  At the same time the full C library
is probably not needed, and can be heavily pruned for Ada use.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
Re: Certified C compilers for safety-critical embedded systems
On Tue, 30 Dec 2003 18:08:23 +0100, Martin Krischik

Quoted text here. Click to load it
[...]
Quoted text here. Click to load it

Of course.  Thus the smiley.  I freely admit that Ada does checking
that no C compiler does.  I even admit it may (may!) be a better
language than C (for appropriate values of "better").

But with the possible exception of the Atmel AVR (GNAT?), there is
_no_ Ada compiler for _any_ of the microprocessors I'm using today.
For me, that makes C a better language.

Quoted text here. Click to load it

No, it's not the same, it's just as close as I could get.  But
"easy-to-read" is in the eye of the reader.  I learned Pascal and
Modula-2 years ago, so Ada doesn't look too bad.  But other than the
variable declaration syntax and some of the strange precedence rules,
I find C very easy to read.

Many consider the terseness of C to be a problem or even a
disadvantage.  But sometimes it helps in comprehension.  Consider:

   int key;
   extern int get_key(void);
   extern void process(int);
   #define EXIT_KEY  'X'

   while ( (key = get_key()) != EXIT_KEY )
      process(key);

How do you do that in Ada?  

Even the canonical strcpy function is obvious and has a certain
beauty.  Perhaps you think it looks more like line noise:

   char *strcpy(char *dest, char *src)
   {
      char *retval = dest;

      while (*dest++ = *src++)
         continue;

      return retval;
   }

But it's "safe" only when used properly.

Quoted text here. Click to load it

I wouldn't make that claim.  Mine would be that the proper use of a
static analysis tool will make C code much better than if you didn't
use a static analysis tool at all.  Substituting "Ada" for "C" in the
previous statement would probably leave it true.

Quoted text here. Click to load it

Exceptions are valuable only if handled (think Ariane 5).  How would
you handle this one?

Quoted text here. Click to load it

True.  But I don't think even Ada will catch them all.  And it
certainly does no better than C for e.g. sensor failures.  

Regards,

                               -=Dave
--
Change is inevitable, progress is not.
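An added example, not from Dave's post, of what "safe only when used properly" means for the canonical copy loop above. The loop is kept verbatim (renamed `plain_copy` so it does not collide with the library `strcpy`); it has no way of knowing how big `dest` is, so a `src` longer than the destination buffer walks straight past the end of it. Two bounded variants are added for comparison: `bounded_copy` truncates and reports the length the caller would have needed, and `copy_or_reject` refuses the copy entirely when it would not fit, which is the behaviour a safety-critical path usually wants, since a silently shortened string is itself a fault. Everything here is constructed for the example; the buffer sizes and strings are arbitrary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The canonical copy from the post above, renamed so it does not collide with
 * the library strcpy. Nothing here knows how large dest is: if src is longer
 * than the destination buffer, the loop writes past its end. */
char *plain_copy(char *dest, const char *src)
{
    char *retval = dest;

    while ((*dest++ = *src++) != '\0')
        continue;

    return retval;
}

/* Bounded copy: the caller passes sizeof(dest). Copies at most dest_size - 1
 * characters and always NUL-terminates. Returns strlen(src), so
 * "result >= dest_size" tells the caller the copy was truncated. */
size_t bounded_copy(char *dest, size_t dest_size, const char *src)
{
    size_t len = strlen(src);
    if (dest_size == 0)
        return len;
    size_t n = len < dest_size - 1 ? len : dest_size - 1;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return len;
}

/* Reject-or-copy: refuse the copy entirely when it does not fit and leave dest
 * as an empty string. Returns true only when the whole of src was copied. */
bool copy_or_reject(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0)
        return false;
    if (strlen(src) >= dest_size) {
        dest[0] = '\0';
        return false;
    }
    plain_copy(dest, src);          /* safe: the length check above proved it fits */
    return true;
}

int main(void)
{
    char small[4];                  /* room for three characters plus the NUL */

    printf("\"abc\"  into char[4]: %s\n",
           copy_or_reject(small, sizeof small, "abc") ? small : "rejected");
    printf("\"abcd\" into char[4]: %s\n",
           copy_or_reject(small, sizeof small, "abcd") ? small : "rejected");

    size_t need = bounded_copy(small, sizeof small, "abcdef");
    printf("bounded copy kept \"%s\", needed %zu bytes, truncated=%d\n",
           small, need + 1, need >= sizeof small);
    return 0;
}
```

Which of the two bounded forms to use is a design decision: truncation is acceptable for a log message, not for a command string or a file name.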

Re: Certified C compilers for safety-critical embedded systems
Quoted text here. Click to load it
... snip ...
Quoted text here. Click to load it

I won't answer that, but here is how I would do it in Pascal:

   FUNCTION nextkey(VAR keyval : char) : boolean;

      BEGIN
      keyval := get_key;
      nextkey := keyval <> EXIT_KEY;
      END;

   BEGIN
   ....
   WHILE nextkey(key) DO process(key);
   ....

I have no qualms about factoring out baby subroutines.

--
Chuck F ( snipped-for-privacy@yahoo.com) ( snipped-for-privacy@worldnet.att.net)
   Available for consulting/temporary embedded and systems.