[SystemSafety] Stupid Software Errors [was: Overflow......]

[Heath Raftery]

On 5/05/2015 1:41 AM, Daniel Kästner wrote:
> some performance figures about an Astrée analysis for a Level A avionics
> application:
> - code size > 700.000 lines of C code
> - analysis duration: 6 hours
> - hardware: Intel Core2Duo 2.66 GHz, 8GB RAM.
> - result: 0 alarms
> I.e. the absence of run-time errors was proven, including arithmetic
> overflows.

Is the implicit assumption that zero run-time errors is better, actually 
sound? Here's a "run time error":

<code>
uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

while(1)
{
   wait(1);

   timeInMilliseconds++;

   if(buttonPressed)
     buttonPressTime = timeInMilliseconds;

   if(buttonPressTime && (timeInMilliseconds-buttonPressTime > 300))
   {
     printf("A button was pressed 0.3s ago.");
     buttonPressTime = 0;
   }
}
</code>

Eventually timeInMilliseconds will wrap - apparently a run time error. 
But this code will "work" forever, even after the wrap occurs.

Here's a "fix" for the run-time error:

<code>
uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

while(1)
{
   wait(1);

   if(timeInMilliseconds < SHRT_MAX)
     timeInMilliseconds++;

   if(buttonPressed)
     buttonPressTime = timeInMilliseconds;

   if(buttonPressTime && (timeInMilliseconds-buttonPressTime > 300))
   {
     printf("A button was pressed 0.3s ago.");
     buttonPressTime = 0;
   }
}
</code>

Tada! No run-time errors! Of course, it stops working after a minute.

Yes, the tools are great, and not using them would take extraordinary 
justification. But to cry that "integer overflow was fixed 30 years 
ago!" may be missing the point.

Heath