[SystemSafety] A small taste of what we're up against

Olwen Morgan olwen at phaedsys.com
Thu Oct 25 14:02:11 CEST 2018


@all:

Is it me, or are some of us, to reverse the metaphor, not seeing the 
trees for the wood? It seems to me that the variable quality of 
available data and studies means that we could go round in circles 
arguing about how much the use of measures to ensure code quality improves 
dependability. To my mind one does not need a big-picture argument here. 
What do we actually agree on?

1.    Do people agree that finding and correcting errors is cheaper the 
earlier it is done in the development process?

2.    Do people agree that detecting errors by static analysis is 
significantly cheaper than detecting them by testing? (I've seen claims 
that the per error detection cost is from 30% to 150% higher for testing 
than for static analysis.)

If the answer to *either* of these questions is yes, then *any* system 
development process should be using static analysis. Even if it does not 
improve dependability, surely making s/w at lower cost makes sense 
financially.

@David Crocker: Sorry you've felt the need to shelve your work but I 
agree with you entirely about the lack of interest in fixing C within 
the C standards community. It always amazes me that the C standard 
refers to "the abstract machine" but never actually defines it. If the 
standard were to define it rigorously, many of C's problems would go away.

While it is true that language design strongly influences the complexity 
of static analysis, I don't entirely share your pessimism over C. To 
compensate for its dilapidations, my approach has always been to use a 
paranoiacally draconian subset and throw the best tools at the static 
analysis problem. I still think that approach is viable because, 
although the subset has to be severe, if you write code that way, 
*existing* tools can do a pretty good job of error detection - although 
it is often no trivial task to configure them to get things right.

The need to subset things is not confined to language. People work with 
cut-down UML, or, as I do, a chopped-off-at-the-knees-and-adapted subset 
of SSADM. Cutting things down is forced upon us by the lousy state of 
current standards but I continue to think it a workable strategy - 
possibly the only strategy - until the standardisation process becomes 
less dysfunctional.


Olwen
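As an added illustration of the "draconian subset plus static analysis" approach described in the post above (this is example code written for this page, not code from the post's author or from any of the tools mentioned): a small record parser written so that no expression whose behaviour the C standard leaves undefined is ever evaluated. The record layout (one tag byte, one length byte, then payload), the sample buffers and all function names are constructed for the example. Every index is bounded before use, subtraction on size_t is guarded against wrap-around, signed addition is checked rather than performed on overflow, and there is no pointer arithmetic. The "natural" version of the parser is kept alongside for contrast: it trusts the length byte and reads past the end of a truncated buffer, which is exactly the class of defect a subset rule forbids and a static analyser can then flag by construction.

```c
/* Added example, not from the original post. Record format and samples are
 * constructed for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[255];  /* len is one byte, so 255 is the bound */
} record_t;

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_ARG = 2 } parse_status_t;

/* Checked signed addition: report overflow instead of evaluating a + b when
 * the result would not fit, since the standard leaves that evaluation undefined. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    bool ok = false;
    if (out != NULL) {
        bool overflow = (b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b);
        if (!overflow) {
            *out = a + b;
            ok = true;
        }
    }
    return ok;
}

/* What the subset forbids: trusts len, does pointer arithmetic, and reads past
 * the end of buf on a truncated record (undefined behaviour). Not called below. */
void parse_record_unchecked(const uint8_t *buf, record_t *rec)
{
    rec->tag = buf[0];
    rec->len = buf[1];
    memcpy(rec->payload, buf + 2, rec->len);
}

/* Subset-style parser: single exit, every index checked against buf_len before
 * use, unsigned subtraction only after the guard that makes it safe. */
parse_status_t parse_record(const uint8_t *buf, size_t buf_len, size_t pos,
                            record_t *rec, size_t *next)
{
    parse_status_t st = PARSE_BAD_ARG;
    if (buf != NULL && rec != NULL && next != NULL && pos <= buf_len) {
        if (buf_len - pos < 2U) {                 /* no room for tag + len */
            st = PARSE_TRUNCATED;
        } else {
            uint8_t len = buf[pos + 1U];
            if (buf_len - pos - 2U < (size_t)len) { /* payload runs off the end */
                st = PARSE_TRUNCATED;
            } else {
                rec->tag = buf[pos];
                rec->len = len;
                for (size_t i = 0U; i < (size_t)len; i++) {
                    rec->payload[i] = buf[pos + 2U + i];  /* index < buf_len */
                }
                *next = pos + 2U + (size_t)len;
                st = PARSE_OK;
            }
        }
    }
    return st;
}

/* Walk a buffer of back-to-back records; returns the terminal status and the
 * number of records successfully parsed before it. */
parse_status_t walk_records(const uint8_t *buf, size_t buf_len, size_t *count)
{
    parse_status_t st = PARSE_BAD_ARG;
    if (buf != NULL && count != NULL) {
        size_t pos = 0U;
        size_t n = 0U;
        st = PARSE_OK;
        while (st == PARSE_OK && pos < buf_len) {
            record_t rec;
            size_t next = 0U;
            st = parse_record(buf, buf_len, pos, &rec, &next);
            if (st == PARSE_OK) {
                pos = next;
                n++;
            }
        }
        *count = n;
    }
    return st;
}

/* Constructed sample input: two well-formed records, then one whose length
 * byte (5) promises more payload than the buffer holds. */
static const uint8_t SAMPLE_GOOD[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x03, 'a', 'b', 'c', 0x07, 0x05, 'x', 'y' };

int main(void)
{
    size_t n = 0U;
    parse_status_t st = walk_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    printf("good buffer: status=%d records=%zu\n", (int)st, n);
    st = walk_records(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &n);
    printf("truncated buffer: status=%d records=%zu\n", (int)st, n);
    int32_t r = 0;
    printf("INT32_MAX + 1 representable: %s\n", checked_add_i32(INT32_MAX, 1, &r) ? "yes" : "no");
    return 0;
}
```

The point of the style is not that the checked version is clever; it is that every failure mode is an explicit, reachable branch returning a status, so a tool that tracks array bounds and integer ranges can prove the indexing safe instead of having to guess what the length byte might be.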