[SystemSafety] Critical systems Linux

Olwen Morgan olwen at phaedsys.com
Thu Nov 22 14:32:13 CET 2018


David,

I agree that proof up to "well understood" semantics is valuable - as 
is, IMO, using a language subset of draconian severity (you and I, of 
course, have had some quite civil disagreements on this one). And you're 
right, IMO, that fitness-for-purpose or lack of it for s/w 
specifications is a bigger problem.

Much of my uber-quibbling arises from experience in testing compilers. A 
few years ago, I said to someone that it would be perverse of a compiler 
to evaluate an operator in two different orders at different points of a 
program - only to find that a simple test demonstrates just that. And 
having seen some of the results that John Regehr gets using Csmith to 
mount "Battle-of-Stalingrad" assaults on C compilers, I find it 
dispiriting that modern compilers can still be found to be so flaky. One 
hopes that by using LLVM, clang might (ultimately) exhibit fewer 
problems than gcc has in this respect.

Olwen


On 22/11/2018 13:11, David Crocker wrote:
> Olwyn,
>
> While it's true that C doesn't have a formal semantics, in practice the
> semantics of C is well-understood by experts, who write static analysis
> tools to help ordinary users avoid the undefined and unspecified bits
> and most of the implementation-defined bits (including of course order
> of evaluation). So formal proof that the software specification has been
> mapped accurately to the semantics of C as understood by tool vendors
> and compiler writers is still very valuable.
>
> A much bigger problem IMO is ensuring that the formal (or other)
> specification of the software is fit for purpose.
>
> David Crocker, Escher Technologies Ltd.
> http://www.eschertech.com
> Tel. +44 (0)20 8144 3265 or +44 (0)7977 211486


More information about the systemsafety mailing list