[SystemSafety] New paper on MISRA C

Mario Gleirscher mario.gleirscher at tum.de
Thu Sep 13 10:55:28 CEST 2018


Hi all,

I like to follow this discussion a lot, but I am missing a few important
aspects:

What Nancy Leveson is basically saying: Look at what control engineers
have been doing for the last 50-60 years. They have developed an art out
of control stability, if you like, the dealing with emergent properties
without looking at every last f****g part of a machine.

Then in addition, you have to deal with reliability, i.e. that parts of
a machine do with an expected probability what they are supposed to do.

And you need to align both, Nancy's view and the component reliability
view. Of course, it gets dramatically nastier if software is in the game.

Anyway, we are talking a lot about SW and I am convinced that high-end
coding guidelines (such as what commercial C compilers have long started
to do while compiling or add-on rule sets such as MISRA C) generally
make a lot of sense to maintain a good "level of determinism".

But, please, let me oppose two IMHO too general statements that have
been made here:

On 13/09/18 08:49, Andrew Banks wrote:
> We have little (often no) engineering discipline, and we have become
> accustomed to regular bug-fixes as being perfectly normal

100s of academics have been contributing over the last 60 years or so
to make software development an engineering discipline, many nice
results have actually been transferred into practice (look at what
Google and FB do in their core systems to avoid extremely expensive
faults, this is remarkable), and many many more are waiting to be
transferred, some of them with clear evidence of effectiveness. However,
there are many factors posing obstacles to the maturation of SW as an
engineering discipline and as a sophisticated and professional
craftsmanship. Many are not at all technical.
And I am not saying that SW engineering is as mature as mechanical or
civil engineering. Not at all! But sometimes we might be comparing
apples with pears, frankly.

> I'm not suggesting MISRA C is perfect... but IMHO it is the best we have -
> and I'd rather make it even better, than entertain ideas of scrapping it.

I doubt that this is true. MISRA C (and I don't even know it in every
detail) might be really good for C-based MC dev and some DO178-like
settings. However, some academic tools (like model checkers) go far
beyond what MISRA C is requiring. To say that something is "the best" to
me seems really inadequate. It can most of the times only be a
combination of several complementary approaches that make up the whole
thing to be "fit for the purpose".

If you think that by using a static checking tool claiming to cover all of
automatable MISRA C you are fine, then I would say: You are lost!

Have a good day!

Mario

-- 
Dr. Mario Gleirscher
Visiting Researcher . +44 (0)1904 325442 . CSE/013-6
High Integrity Systems Engineering . http://gleirscher.de
Department of Computer Science . University of York
Deramore Lane, Heslington, York YO10 5GH, United Kingdom
