[SystemSafety] OpenSSL Bug

Heath Raftery hraftery at restech.net.au
Wed Apr 16 00:28:01 CEST 2014


On 15/04/2014 10:11 PM, Derek M Jones wrote:
> MISRA-C is a mishmash that is a lot better than most (ok, the bar
> is not that high) and is slowly converging towards something useful.
> If you have to pick a guideline document it is the best one publicly
> available (I would rate a blank page as the second best) and I would
> be surprised if you could produce something better without spending
> a lot of time or having lots of prior guideline experience.

FWIW, I offer a document to place before MISRA-C in your list.

The Power of Ten: http://spinroot.com/p10/

I actually think rules 7 and 8 are less valuable but the Rationale text 
provides excellent justification to consider when breaking the rule. I 
would also replace Rule 4 with 2 rules: limit case statements and if 
clauses to 30 lines; and never duplicate more than 4 lines of code.

The justification for 10 rules instead of MISRA-C's 143 has been laid 
out more effectively by others than I could do, but ultimately it comes 
down to two things: 1) programmers are (or believe they are) artists and 
to take their most expressive tools away may not always lead to better 
quality (more pragmatically, they will never agree on 143 rules) and 2) 
there is greater value in considering the ramifications of violating a 
rule than there is in blindly following it. That's significantly easier 
to do with 10 rules than 143.

Not checking the length passed to memcpy is really a distinct human 
mistake. Mistakes like that should be expected and always corrected with 
testing and analysis. A blanket rule that tries to prevent mistakes like 
that from ever happening is a whack-a-mole game that results in a lot of 
headaches. The rules should lead to code that lends itself well to 
testing and analysis.

Heath
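As an added illustration of the memcpy point above (not part of the thread, and not OpenSSL's code): a constructed record format with a two-byte big-endian declared length followed by the payload. The unchecked copy trusts the declared length, so a record whose declared length exceeds the bytes that actually arrived makes memcpy read past the buffer; the checked version bounds the declared length by both the bytes present and the destination capacity, and returns a value a test can assert on. The record layout, function names and sample records are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, for this example only):
 *   byte 0..1 : big-endian declared payload length
 *   byte 2..  : payload bytes
 */

/* Unchecked copy: trusts the declared length and ignores how many bytes
 * really arrived. If declared > rec_len - 2, memcpy reads past the record.
 * Kept only for comparison with the checked version below; it is never
 * called with the malformed sample. */
static size_t copy_payload_unchecked(const uint8_t *rec, size_t rec_len,
                                     uint8_t *out, size_t out_cap)
{
    (void)rec_len;   /* the mistake: the actual length is never consulted */
    (void)out_cap;   /* nor is the destination capacity */
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + 2, declared);
    return declared;
}

/* Checked copy: the declared length must fit both the bytes that actually
 * arrived and the destination buffer. Returns the number of bytes copied,
 * or -1 when the record is malformed, so callers and tests can observe
 * the rejection instead of an out-of-bounds read. */
static long copy_payload_checked(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return -1;                         /* no room for the length field */
    size_t declared  = ((size_t)rec[0] << 8) | rec[1];
    size_t available = rec_len - 2;        /* payload bytes actually present */
    if (declared > available || declared > out_cap)
        return -1;                         /* length lies or does not fit */
    memcpy(out, rec + 2, declared);
    return (long)declared;
}

/* Constructed sample records. */
static const uint8_t well_formed[] = { 0x00, 0x03, 'a', 'b', 'c' };
/* Declares 1000 payload bytes but carries only 3. */
static const uint8_t overlong[]    = { 0x03, 0xE8, 'a', 'b', 'c' };

/* Well-formed record: both versions copy the same 3 bytes. Returns 3. */
long demo_well_formed(void)
{
    uint8_t a[16] = {0}, b[16] = {0};
    size_t n_unchecked = copy_payload_unchecked(well_formed, sizeof well_formed, a, sizeof a);
    long   n_checked   = copy_payload_checked(well_formed, sizeof well_formed, b, sizeof b);
    if (n_checked < 0 || (size_t)n_checked != n_unchecked || memcmp(a, b, n_unchecked) != 0)
        return -2;                         /* the two copies disagreed */
    return n_checked;
}

/* Malformed record: the checked version rejects it. Returns -1. */
long demo_overlong(void)
{
    uint8_t b[16] = {0};
    return copy_payload_checked(overlong, sizeof overlong, b, sizeof b);
}

/* Destination too small for an honest length: also rejected. Returns -1. */
long demo_small_destination(void)
{
    uint8_t tiny[2] = {0};
    return copy_payload_checked(well_formed, sizeof well_formed, tiny, sizeof tiny);
}

int main(void)
{
    printf("well-formed record    : %ld bytes copied\n", demo_well_formed());
    printf("overlong declared len : %ld (rejected)\n", demo_overlong());
    printf("small destination     : %ld (rejected)\n", demo_small_destination());
    return 0;
}
```

The point of returning -1 rather than silently truncating is the one the post makes about testability: a length check that yields an observable result can be exercised directly by a unit test or a fuzzer, whereas the unchecked form fails only by reading memory it should not.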
