[SystemSafety] Stupid Software Errors [was: Overflow......]

Heath Raftery heath.raftery at restech.net.au
Tue May 5 00:47:23 CEST 2015


On 5/05/2015 1:41 AM, Daniel Kästner wrote:
> some performance figures about an Astrée analysis for a Level A avionics
> application:
> - code size > 700.000 lines of C code
> - analysis duration: 6 hours
> - hardware: Intel Core2Duo 2.66 GHz, 8GB RAM.
> - result: 0 alarms
> I.e. the absence of run-time errors was proven, including arithmetic
> overflows.

Is the implicit assumption that zero run-time errors is better, actually 
sound? Here's a "run time error":

<code>
#include <stdint.h>
#include <stdio.h>

/* buttonPressed and wait() are platform-specific and not shown here. */
uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

while(1)
{
   wait(1);

   timeInMilliseconds++;   /* wraps from 65535 back to 0 */

   if(buttonPressed)
     buttonPressTime = timeInMilliseconds;

   /* The cast keeps the subtraction in uint16_t: both operands are promoted
      to int, and without it a wrapped counter yields a negative difference. */
   if(buttonPressTime && ((uint16_t)(timeInMilliseconds-buttonPressTime) > 300))
   {
     printf("A button was pressed 0.3s ago.");
     buttonPressTime = 0;
   }
}
</code>

Eventually timeInMilliseconds will wrap - apparently a run time error. 
But this code will "work" forever, even after the wrap occurs.

Here's a "fix" for the run-time error:

<code>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* buttonPressed and wait() are platform-specific and not shown here. */
uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

while(1)
{
   wait(1);

   if(timeInMilliseconds < SHRT_MAX)   /* saturate instead of wrapping */
     timeInMilliseconds++;

   if(buttonPressed)
     buttonPressTime = timeInMilliseconds;

   if(buttonPressTime && (timeInMilliseconds-buttonPressTime > 300))
   {
     printf("A button was pressed 0.3s ago.");
     buttonPressTime = 0;
   }
}
</code>

Tada! No run-time errors! Of course, it stops working after a minute.

Yes, the tools are great, and not using them would take extraordinary 
justification. But to cry that "integer overflow was fixed 30 years 
ago!" may be missing the point.

Heath
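The two loops above, simulated as an added example (not code from Heath's post): one tick per loop iteration stands in for the 1 ms wait, the counter step is passed in so the wrapping and saturating variants share the same loop, and `elapsed_promoted` assumes a target where int is wider than 16 bits (e.g. 32-bit int) to show what the uncast subtraction actually computes.

```c
#include <stdint.h>

/* Elapsed ticks using modular uint16_t arithmetic; the cast forces the result
 * back into uint16_t, so a counter that has wrapped still gives the true gap. */
static uint16_t elapsed_wrapping(uint16_t now, uint16_t then)
{
    return (uint16_t)(now - then);
}

/* The uncast expression from the post: with a 32-bit int both operands are
 * promoted, so after a wrap the difference goes negative instead of wrapping. */
static int elapsed_promoted(uint16_t now, uint16_t then)
{
    return now - then;
}

static uint16_t tick_wrapping(uint16_t t)
{
    return (uint16_t)(t + 1);            /* 65535 -> 0 */
}

static uint16_t tick_saturating(uint16_t t)
{
    return (t == UINT16_MAX) ? t : (uint16_t)(t + 1);   /* the "fix": stop counting */
}

typedef uint16_t (*tick_fn)(uint16_t);

/* Run the button loop for run_ticks iterations with a press at tick press_at.
 * Returns the tick at which the "0.3s ago" report fires, or -1 if it never does. */
static long simulate(tick_fn tick, uint32_t press_at, uint32_t run_ticks)
{
    uint16_t timeInMilliseconds = 0, buttonPressTime = 0;
    for (uint32_t i = 1; i <= run_ticks; i++) {
        timeInMilliseconds = tick(timeInMilliseconds);
        if (i == press_at)
            buttonPressTime = timeInMilliseconds;
        if (buttonPressTime && elapsed_wrapping(timeInMilliseconds, buttonPressTime) > 300)
            return (long)i;
    }
    return -1;
}
```

A press at tick 65400 is reported at 65701 with the wrapping counter, while the saturating counter parks at 65535 and never reports it.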


