[SystemSafety] systemsafety Digest, Vol 74, Issue 8

Rod Chapman roderick.chapman at googlemail.com
Thu Sep 13 13:02:43 CEST 2018


> I'm not suggesting MISRA C is perfect... but IMHO it is the best we have -
> and I'd rather make it even better, than entertain ideas of scrapping it.
More crazy talk I'm afraid. Compare with SPARK Ada - there's really no
contest at all.

As for making MISRA "better", there is very little room for improvement to
make unless you can push major changes to C through WG14, which will never
happen while WG14 favours backward-compatibility over all else.
 - Rod




On Thu, 13 Sep 2018 at 10:03, <systemsafety-request at lists.techfak.uni-bielefeld.de> wrote:

>
> Today's Topics:
>
>    1. Re: Relationship of reliability and safety (was Re: New paper
>       on MISRA C) (Paul Sherwood)
>    2. Re: New paper on MISRA C (Paul Sherwood)
>    3.  New paper on MISRA C (Mario Gleirscher)
>    4. Re: New paper on MISRA C (Andrew Banks)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Sep 2018 09:20:22 +0100
> From: Paul Sherwood <paul.sherwood at codethink.co.uk>
> To: Stefan Winter <swi at deeds.informatik.tu-darmstadt.de>
> Cc: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] Relationship of reliability and safety
>         (was Re: New paper on MISRA C)
> Message-ID: <65e496a98bd0479da2473c9f667bbcc8 at codethink.co.uk>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 2018-09-13 08:35, Stefan Winter wrote:
> > On 09/13/2018 07:57 AM, Paul Sherwood wrote:
> >> On 2018-09-12 16:05, Peter Bernard Ladkin wrote:
> >>> I suggest the following characterisation is somewhat misleading:
> >>>> MIT and others have successfully debunked the notion that system
> >>>> safety is correlated with component reliability
> >>
> >> OK, I'll try to be clearer. Engineering A Safer World states, with
> >> clear examples and justification:
> >>
> >> "High reliability is neither necessary nor sufficient for safety."
> >
> > could you please state where? The PDF search is highly unreliable for
> > that document. ;)
>
> It's stated after justification on Page 13, and re-stated along with
> several other old vs new assumptions on Page 48. I'm going to ask Nancy
> if the work can be converted into something text-searchable.
>
> > To rebut a statement of such generality as "reliability is
> > necessary/sufficient for safety" is easy if you read it as meaning
> > "for all possible systems". One counterexample and you're done. I
> > wonder, though, if such a statement is really meaningful, because the
> > rebuttal also works in the opposite direction: "For any possible
> > system reliability is never necessary for safety". I would assume that
> > this is easier to disprove than to prove.
>
> Fair enough. However while the theoretical and philosophical discussion
> is interesting, I'm ultimately trying to understand the practical
> engineering implications :-)
>
> br
> Paul
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 13 Sep 2018 09:26:21 +0100
> From: Paul Sherwood <paul.sherwood at codethink.co.uk>
> To: andrew at andrewbanks.com
> Cc: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] New paper on MISRA C
> Message-ID: <89df912d0077e7e89f70e24a0660cba4 at codethink.co.uk>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 2018-09-13 08:49, Andrew Banks wrote:
> >> AFAIK MISRA C is all about improving determinism of software, i.e.
> >> increasing software component reliability. As of 2018 are we still at
> >> the point where we can't deliver designed-in safety without heavy
> >> reliance on deterministic behaviour of microcontroller-scale components?
> >>
> >
> > The real problem we have in the software world is that, frankly, most
> > are just enthusiastic amateurs - something that Professor Martin Thomas
> > of the Royal Academy of Engineering has written about in Tuesday's
> > Financial Times.
>
> I agree - terrifying but true.
>
> > We have little (often no) engineering discipline, and we have become
> > accustomed to regular bug-fixes as being perfectly normal... FFS,
> > Microsoft now have a WEEKLY bug-fix for Windows.
> >
> > That in 2018 "Just write the code" is deemed an acceptable life-cycle
> > is a blight on our profession. Any suggestion that we should relax any
> > of the few controls, or best-practices, we have is, IMHO, little more
> > than crazy-talk!
>
> People have called me crazy before :-)
>
> But to be clear, I'm trying to figure out what works, not proposing to
> relax anything at this point.
>
> > I'm not suggesting MISRA C is perfect... but IMHO it is the best we
> > have - and I'd rather make it even better, than entertain ideas of
> > scrapping it.
>
> I believe it may be the best we have for microcontroller-scale C
> software. I can't be sure, because it remains a minority sport and I am
> aware of many expert C programmers who deliver extremely reliable
> microcontroller solutions without ever having read it.
>
> I don't think I've ever said I would like to scrap it. I'm mainly hoping
> to see it become a public domain or CC document, so that it can be more
> widely referenced, understood, critiqued, improved and used.
>
> br
> Paul
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 13 Sep 2018 09:55:28 +0100
> From: Mario Gleirscher <mario.gleirscher at tum.de>
> Cc: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: [SystemSafety]  New paper on MISRA C
> Message-ID: <876905a0-6f21-2a46-413e-e8814a43d731 at tum.de>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> I like to follow this discussion a lot, but I am missing a few important
> aspects:
>
> What Nancy Leveson is basically saying: Look at what control engineers
> have been doing for the last 50-60 years. They have developed an art out
> of control stability, if you like, the dealing with emergent properties
> without looking at every last f****g part of a machine.
>
> Then in addition, you have to deal with reliability, i.e. that parts of
> a machine do with an expected probability what they are supposed to do.
>
> And you need to align both, Nancy's view and the component reliability
> view. Of course, it gets dramatically nastier if software is in the game.
>
> Anyway, we are talking a lot about SW and I am convinced that high-end
> coding guidelines (such as what commercial C compilers have long started
> to do while compiling or add-on rule sets such as MISRA C) generally
> make a lot of sense to maintain a good "level of determinism".
>
> But, please, let me oppose two IMHO too general statements that have
> been made here:
>
> On 13/09/18 08:49, Andrew Banks wrote:
> > We have little (often no) engineering discipline, and we have become
> > accustomed to regular bug-fixes as being perfectly normal
>
> 100s of academics have been contributing over the last 60 years or so
> to make software development an engineering discipline, many nice
> results have actually been transferred into practice (look at what
> Google and FB do in their core systems to avoid extremely expensive
> faults, this is remarkable), and many many more are waiting to be
> transferred, some of them with clear evidence of effectiveness. However,
> there are many factors posing obstacles to the maturation of SW as an
> engineering discipline and as a sophisticated and professional
> craftsmanship. Many are not at all technical.
> And I am not saying that SW engineering is as mature as mechanical or
> civil engineering. Not at all! But sometimes we might be comparing
> apples with pears, frankly.
>
> > I'm not suggesting MISRA C is perfect... but IMHO it is the best we
> > have - and I'd rather make it even better, than entertain ideas of
> > scrapping it.
>
> I doubt that this is true. MISRA C (and I don't even know it in every
> detail) might be really good for C-based MC dev and some DO178-like
> settings. However, some academic tools (like model checkers) go far
> beyond what MISRA C is requiring. To say that something is "the best" to
> me seems really inadequate. It can most of the times only be a
> combination of several complementary approaches that make up the whole
> thing to be "fit for the purpose".
>
> If you think that by using a static checking tool claiming to cover all
> of automatable MISRA C you are fine, then I would say: You are lost!
>
> Have a good day!
>
> Mario
>
> --
> Dr. Mario Gleirscher
> Visiting Researcher . +44 (0)1904 325442 . CSE/013-6
> High Integrity Systems Engineering . http://gleirscher.de
> Department of Computer Science . University of York
> Deramore Lane, Heslington, York YO10 5GH, United Kingdom
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 13 Sep 2018 10:02:35 +0100
> From: "Andrew Banks" <andrew at andrewbanks.com>
> To: "Paul Sherwood" <paul.sherwood at codethink.co.uk>
> Cc: andrew at andrewbanks.com,
>         systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] New paper on MISRA C
> Message-ID: <95b4ecfb34cc9876969d58dbc9c020a8.squirrel at webmail.andrewbanks.com>
> Content-Type: text/plain;charset=utf-8
>
> On Thu, September 13, 2018 9:26 am, Paul Sherwood wrote:
> >
> > I don't think I've ever said I would like to scrap it. I'm mainly hoping
> > to see it become a public domain or CC document, so that it can be more
> > widely referenced, understood, critiqued, improved and used.
> >
>
> Many people write C without ever reading the C standard...
>
> Matters regarding the publication mechanism are above my pay-grade...
> although I'd have a problem with the idea of MISRA C becoming an ISO
> standard (with an extra zero or two added to the price)
>
> However, should you, or anyone else for that matter, have any suggestions
> for improving it, then you can either email them to me, post on the MISRA
> Bulletin Board or via any other means.
>