Safe ANSI C Subset 
 Safe ANSI C Subset

Does anyone know of any ANSI C subsets defined for safety critical
real-time applications?

The purpose of any such subset would be to:
* produce applications that are possible to analyze for run time properties
* reduce human factor related errors
* highlight or ban specific error prone or less-defined constructs
* increase maintainability
* etc.

I'm looking for defined subsets, applicable style guides, tools;
preprocessors, compilers etc, as well as papers regarding this matter.
I guess there are both academic and corporate standards on this?

Thankful for any comment or hint on where to find more information.

Jan Soderberg
--




Sat, 22 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

Quote:

>Does anyone know of any ANSI C subsets defined for safety critical
>real-time applications?
>The purpose of any such subset would be to:
>* produce applications that are possible to analyze for run time properties
>* reduce human factor related errors
>* highlight or ban specific error prone or less-defined constructs
>* increase maintainability
>* etc.

IMHO that's hopeless. First of all you would have to remove pointers.
But what remains?
C is by no means a language for safety critical applications.
Without strong type checking and modular programming support, you are
lost.
Look at Modula2, Oberon, Ada ...

Best regards,
Wolfgang Kynast



Sun, 23 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

: C is by no means a language for safety critical applications.
: Without strong type checking and modular programming support, you are
: lost.

it is possible to `retrofit' these to c by the use of some kind of static
checker such as lc-lint.

: Look at Modula2, Oberon, Ada ...

is it better to write safety critical systems in

o       a language that helps you do so

        or

o       a language you know the weaknesses of.

i trust my c programs far more than anything i'd write in modula, simply
because i'm a better c programmer.  and understand better where errors
are likely to be introduced.

i'd recommend Les Hatton's `Safer C', which discusses this (and other)
issue(s).

stephen



Tue, 25 May 1999 03:00:00 GMT  
 Safe ANSI C Subset


Quote:
>Does anyone know of any ANSI C subsets defined for safety critical
>real-time applications?

We are checking a safe subset of C in the ESPRIT project
OMI/ANTICRASH.  Our checkers are integrated into the ANDF compiler
technology (a source filter for software metrics and an ANDF tool for
intermodular and linkage checking), and we developed a model that fits
well into the software development life-cycle.

First of all you should check out Les Hatton's book 'Safer C',
McGraw-Hill 1995.  You will find there most aspects of C in the
safety-critical software development environment.

Our customer defined a 'presumed' safe subset of C for implementing a braking
system as an embedded hard real-time system, just because they need
certification credit from the RTCA (DO-178B safety standard).

1. They defined _some_ internal development guidelines.
2. In these guidelines they required totally uncertain things like
   sufficient and precise comments and source layouts, but they also excluded
   the goto and union keywords. Non-reentrant code, dynamic data and recursive
   routines are also forbidden. No standard headers or standard libraries
   are allowed, except for certified ones.
3. Traceability is of major concern for the certification, so naming conventions
   for files and routines are prescribed.

They defined a lot more things (I am not permitted to post them all
because the document is confidential), but these things were very
uncertain, similar to the commenting item.  However, I wrote a paper
called 'Applying the ANDF technology for hard real-time systems' for
the EMSYS96 conference in Berlin (Embedded Microprocessor Systems,
Mueller-Schloer, IOS Press) about that topic.

I want to emphasise that standards without checking are completely
useless. Certain aspects of C subsets have to be checked during code
reviews, which might increase the costs of such activities. Our
approach was to map these uncertain standard phrases to concrete
checkable topics.  Most of them are strict API checks, but we also
incorporate software metrics and demanded, for example, 30% comments
in the code, a limit of 15 for McCabe's cyclomatic complexity, a limit
of 100 executable lines of code and only one exit per routine.

We experienced that:
1. You will need more than just ANSI C compliance.
2. You have to control the whole tool chain: preprocessing, code generation,
   linking and running.
3. There are always some assumptions in code, but they have to be explicit,
   e.g. data conversion.

Best regards
Heiner
------------- URL http://www.uni-karlsruhe.de/~ae59 ---------------------
Heinrich Berlejung                       |Institut f. Angewandte Mathematik
Tel.:+49 721 377936 / Fax:+49 721 385979 |P.O. Box 6980,D-76128 Karlsruhe

--




Wed, 26 May 1999 03:00:00 GMT  
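Heiner's point above is that a guideline is only worth something once it is checkable. The script below is an added example written for this page (it is not the ANDF/ANTICRASH checker and not code from anyone in the thread): it maps several of the items he lists (no goto or union, no dynamic data, no recursion, one exit per routine, McCabe complexity at most 15, at most 100 executable lines, at least 30% comment lines) onto plain text-level checks over one C file. The C sample is constructed, reading 'dynamic data' as calls to the standard allocation functions is my assumption, and the function-head pattern assumes definitions start at column 0 in the usual `type name(args) {` layout.

```python
"""Toy checker for a few 'presumed safe' C subset rules.

Constructed example, not the ANDF/ANTICRASH tooling: it maps some of the
post's checkable items onto plain text-level checks over one source file."""
import re

MAX_COMPLEXITY = 15        # McCabe limit quoted in the post
MAX_EXEC_LINES = 100       # executable lines per routine
MIN_COMMENT_RATIO = 0.30   # share of non-blank lines carrying a comment
BANNED_KEYWORDS = ("goto", "union")
ALLOC_CALLS = ("malloc", "calloc", "realloc", "free")  # assumed reading of 'dynamic data'

# Function heads at column 0; assumes the usual 'type name(args) {' layout.
FUNC_HEAD = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;{)]*\)\s*\{", re.M)
# Decision points for a simple McCabe count (string literals are not stripped).
DECISION = re.compile(r"\b(if|for|while|case)\b|&&|\|\||\?")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def extract_functions(src):
    """Yield (name, body) per top-level function; comments are stripped first."""
    code = COMMENT.sub("", src)
    for m in FUNC_HEAD.finditer(code):
        depth, i = 1, m.end()
        while i < len(code) and depth:       # brace matching up to the closing '}'
            depth += {"{": 1, "}": -1}.get(code[i], 0)
            i += 1
        yield m.group(1), code[m.end():i - 1]

def cyclomatic(body):
    """McCabe number approximated as 1 + number of decision points."""
    return 1 + len(DECISION.findall(body))

def executable_lines(body):
    """Non-blank lines that are not a lone brace."""
    return sum(1 for ln in body.splitlines() if ln.strip() not in ("", "{", "}"))

def comment_ratio(src):
    """Fraction of non-blank source lines that touch a comment."""
    spans = [m.span() for m in COMMENT.finditer(src)]
    total = commented = pos = 0
    for ln in src.splitlines(keepends=True):
        start, pos = pos, pos + len(ln)
        if ln.strip():
            total += 1
            commented += any(s < pos and e > start for s, e in spans)
    return commented / total if total else 0.0

def check_function(name, body):
    """Return the rule violations for one routine as strings."""
    findings = []
    for kw in BANNED_KEYWORDS:
        if re.search(rf"\b{kw}\b", body):
            findings.append(f"{name}: banned keyword '{kw}'")
    for call in ALLOC_CALLS:
        if re.search(rf"\b{call}\s*\(", body):
            findings.append(f"{name}: dynamic data via {call}()")
    if re.search(rf"\b{name}\s*\(", body):
        findings.append(f"{name}: recursive call")
    exits = len(re.findall(r"\breturn\b", body))
    if exits > 1:
        findings.append(f"{name}: {exits} exits, only one allowed")
    if cyclomatic(body) > MAX_COMPLEXITY:
        findings.append(f"{name}: complexity {cyclomatic(body)} > {MAX_COMPLEXITY}")
    if executable_lines(body) > MAX_EXEC_LINES:
        findings.append(f"{name}: {executable_lines(body)} executable lines > {MAX_EXEC_LINES}")
    return findings

def check_source(src):
    """Run every check over a translation unit; file-level rules come last."""
    findings = [f for name, body in extract_functions(src) for f in check_function(name, body)]
    ratio = comment_ratio(src)
    if ratio < MIN_COMMENT_RATIO:
        findings.append(f"file: comment ratio {ratio:.0%} < {MIN_COMMENT_RATIO:.0%}")
    return findings

# Constructed C sample: one compliant routine and one that breaks several rules.
SAMPLE_C = r'''
/* Clamp v into [lo, hi]: single exit, no dynamic data, no recursion. */
static int clamp(int v, int lo, int hi)
{
    int result = v;          /* default: already in range */
    if (v < lo) {
        result = lo;         /* below range */
    } else if (v > hi) {
        result = hi;         /* above range */
    }
    return result;
}
static int messy(int n)
{
    int *buf = malloc(4);
    union { int i; float f; } u;
    if (n <= 0)
        return 0;
    if (n == 1) goto done;
    free(buf);
    return messy(n - 1) + u.i;
done:
    return 1;
}
'''

if __name__ == "__main__":
    print("\n".join(check_source(SAMPLE_C)))
```

Running it prints one line per violation for `messy` and a file-level line for the comment ratio, while `clamp` passes every rule. The value of even a toy like this is the one Heiner makes: once a phrase such as "enough comments" is turned into a number the checker can compute, it can be run on every build instead of argued about in a review.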
 Safe ANSI C Subset

Quote:

> Does anyone know of any ANSI C subsets defined for safety critical
> real-time applications?

Short answer:

Yes, there's a 'subset' called C++

A bit longer answer:

I am not aware of any subsets of 'C' which handle this sort of thing. I
do know that most military applications (at least in this country) are
written in plain 'C' - although they do use specific libraries which
were made for some critical operations (but even those are mainly
system-dependent parts which deal with stuff like atomic timers,
etc). This is actually quite an interesting thing; maybe it would be
an idea to ask around at NASA - they probably know more about this
sort of thing - although I'm not even sure if they use 'C' ... but
then again, maybe they do, e.g.

 int i;

 for( i = 10 ; i > -1 ; i--)
    do_countdown(i);

 boost_rockets();

 while(not_crashed)
  {
    g_force++;

    if(!doors_closed)
        shout("oh dear...");

    if(out_of_orbit)
     {
      if(landed)
       {
         if(aliens_present)
           notify_mulder_and_scully();
         else
           play_some_weightless_basketball();
       }
    }
  }

;)

Cheers, flux.
--




Wed, 26 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

Quote:

>Does anyone know of any ANSI C subsets defined for safety critical
>real-time applications?


software"; they are currently obsessing about the impact of Ada on
automobile safety.

--
Craig

Manchester, NH
--




Wed, 26 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

|> Does anyone know of any ANSI C subsets defined for safety critical
|> real-time applications?

You might check the book "Safer C" by Dr. Les Hatton. The ISBN is
0-07-707640-0, published by McGraw-Hill in 1995. There's probably
a reference to it on the web page of Programming Research Limited
(where Les is the research director) at
http://www.prqa.co.uk/

I haven't read it, but it sounds like it might be what you're looking for.

--

Environmental Research Institute of Michigan
Ann Arbor, MI
--




Wed, 26 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

Quote:

> Does anyone know of any ANSI C subsets defined for safety critical
> real-time applications?

Perhaps way off base, but LCLint (a lint-like tool, capable of handling
many other "unsafe" things if guided by comments) might be a useful tool:
http://www.lcs.mit.edu:8001:/larch/lclint/
--

Departamento de Informatica                     Fono: +56 32 626364 x 431
Universidad Tecnica Federico Santa Maria        Fax:  +56 32 625217
Casilla 110-V, Valparaiso, Chile
--




Sat, 29 May 1999 03:00:00 GMT  
 Safe ANSI C Subset

Quote:

> Does anyone know of any ANSI C subsets defined for safety critical
> real-time applications?

You might try dcc.  We've used it a bit for introductory teaching.
Seems well put together and thought out.  Here is from the readme:

/* DCC.README */
                        dcc version 0.19, December 22th, 1995

Introduction

dcc is a C checker program, described in the December 1995 issue of
ACM SIGPLAN Notices.

Copyright

//  Copyright Ecole Superieure d'Electricite, France, 1995.
//  All Rights Reserved.

 The SIGPLAN Notices article is also good, and gives an ftp address of:

        ftp://ftp.supelec.fr/pub/lang/dcc

which I just checked and it works.  dcc appears to now be at version 0.33.

Good luck.

../Dave
--




Mon, 28 Jun 1999 03:00:00 GMT  