[SystemSafety] OpenSSL Bug

Chris Hills safetyyork at phaedsys.com
Tue Apr 15 12:40:28 CEST 2014


Patrick

Re "Leaving the religions of libre and gratis aside, does anyone know of any
evidence that shows that adhering to MISRA-C specifically would improve the
quality of FOSS?"

How is FOSS code different to any other code?
As for using MISRA-C on non-critical code... is this code you don't want or
expect to work reliably? :-)
Which has been my argument all along. Source code is source code: it either
works correctly and reliably or it doesn't.
Why would you want code that does not work correctly and reliably?

Since the Hatton reports in 2007 we have moved on to MISRA C:2012. 

The big problem is that 90% of programmers think they are the 10% who know
what they are doing. MISRA-C rules can be deviated if you can show a valid
reason and take responsibility for that deviation.

MISRA-C rules work to reduce the "problem areas" of C that, if used without
care, can cause problems, especially if in the vicinity of other problem
areas used without care.

MISRA-C, for example, insists on {} for single-line if constructs, apparently a
real PITA to those who "know what they are doing". However, that rule would
have caused a query with the Apple SSL goto problem in their if statements
before it got as far as compilation.

Actually, my understanding re the MISRA-C rules introducing a critical
defect, from memory and discussions within the MISRA-C group, is that the
problems tend to be that by "cleaning" some code you uncover problems in
another area. E.g. one error masks or negates another; thus removing one
uncovers and "activates" the other.

I would like to see the [boogerd2008assessing] paper as AFAIK no one on the
MISRA-C team has seen it.  

Regards
 Chris

-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
Patrick Graydon
Sent: 15 April 2014 10:35
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] OpenSSL Bug

Leaving the religions of libre and gratis aside, does anyone know of any
evidence that shows that adhering to MISRA-C specifically would improve the
quality of FOSS*?  Les Hatton's work has been critical of many of the rules
in the standard [hatton2004saferlanguagesubsets,hatton2007language].  But
the most direct work I know of on the value of MISRA-C in
non-safety-critical software is a study that attempted to correlate the
locations of defects in video playback software with MISRA-C rule violations
and found an overall *slightly negative* correlation (i.e. the rules were
worse than useless) [boogerd2008assessing].  Is there any specific evidence
that would outweigh this**?

- Patrick

*  There are  good reasons to adhere to a coding standard that have nothing
to do with code quality.  For example, developers using a tool that is
incompatible with a language construct must strictly avoid use of that
construct.

**  Precluding certain coding constructs because someone finds them suspect
and no-one has shown them beneficial might actually be harmful.  For
example, developers changing code to fix a rule violation might actually
introduce a critical defect.  Before we tell developers to *never* tolerate
the use of a given construct (as opposed to avoiding its use in new code where
practicable) we should have evidence that the construct's use brings dangers
that are worse than the probable consequences of modifying code to eliminate
it.


@article{hatton2007language,
	Author = {Hatton, Les},
	Journal = {Information and Software Technology},
	Pages = {475--482},
	Title = {Language subsetting in an industrial context: {A}
comparison of {MISRA C 1998} and {MISRA C 2004}},
	Volume = {49},
	Year = {2007}}

@article{hatton2004saferlanguagesubsets,
	Author = {Hatton, Les},
	Journal = {Information and Software Technology},
	Number = {7},
	Pages = {465--472},
	Title = {Safer language subsets: an overview and a case history,
{MISRA C}},
	Volume = {46},
	Year = {2004}}

@inproceedings{boogerd2008assessing,
	Author = {Boogerd, Cathal and Moonen, Leon},
	Booktitle = {Proceedings of the IEEE International Conference on
Software Maintenance (ICSM)},
	Month = {October},
	Pages = {277--286},
	Title = {Assessing the value of coding standards: An empirical
study},
	Year = {2008}}

_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
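A constructed illustration of the point Chris makes above about the braces rule and the Apple SSL "goto fail" problem. This is added example code, not code from the thread, from Apple or from MISRA: the hash-update and signature-check functions are stand-ins that only model the control flow (0 on success, non-zero on failure), and the rule cited in the comments is MISRA C:2012 Rule 15.6, which requires the body of an if to be a compound statement.

```c
#include <stdio.h>

/*
 * Constructed stand-ins for the handshake steps (example code, not a real
 * TLS library).  Each returns 0 on success and -1 on failure.
 */
static int hash_update(int update_fails)
{
    return update_fails ? -1 : 0;
}

static int check_signature(int signature_bad)
{
    return signature_bad ? -1 : 0;
}

/*
 * The "goto fail" shape.  The second goto is unconditional: the indentation
 * says it belongs to the if, the grammar says it does not.  Everything after
 * it, including the signature check, is unreachable, and err still holds the
 * 0 from the successful hash update, so a bad signature reports success.
 */
int verify_unbraced(int update_fails, int signature_bad)
{
    int err;

    if ((err = hash_update(update_fails)) != 0)
        goto fail;
        goto fail;                      /* duplicated line */
    if ((err = check_signature(signature_bad)) != 0)
        goto fail;

fail:
    return err;
}

/*
 * The same code with every if body written as a compound statement
 * (MISRA C:2012 Rule 15.6).  The duplicate line now sits inside the braces,
 * where it is a redundant statement rather than a change of control flow.
 */
int verify_braced(int update_fails, int signature_bad)
{
    int err;

    if ((err = hash_update(update_fails)) != 0) {
        goto fail;
        goto fail;                      /* same duplicate, now harmless */
    }
    if ((err = check_signature(signature_bad)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    printf("unbraced, good input:        %d\n", verify_unbraced(0, 0));
    printf("unbraced, bad signature:     %d  <- accepted\n", verify_unbraced(0, 1));
    printf("braced,   bad signature:     %d  <- rejected\n", verify_braced(0, 1));
    printf("unbraced, hash update fails: %d\n", verify_unbraced(1, 0));
    return 0;
}
```

The unbraced version compiles cleanly with default warnings; `clang -Wunreachable-code` does flag the dead signature check, which is the compile-time symptom a reviewer or MISRA checker (unreachable code is itself a MISRA C:2012 violation, Rule 2.1) would have queried. The braced version needs no tool at all to stay correct under the duplicated line, which is the argument for the rule.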
