[SystemSafety] C for OSs
Olwen Morgan
olwen at phaedsys.com
Fri Sep 6 20:49:16 CEST 2019
This might ruffle a few feathers ... but here goes ...
I often wonder whether RTOSs or hypervisors are solutions looking for
problems. Albeit on small systems, I've found that modelling required
behaviour using Coloured Petri-Nets leads to verifiable designs that do
not actually need RTOS capabilities. If you're paying close attention to
avoiding unnecessary complexity, you find very few control applications
that cannot be implemented robustly with rate-monotonic time-triggered
loops. Naturally, however, these are much easier to implement on small
microcontroller architectures (comparable with Cortex M and Cortex R)
than on x86_64 targets. Once you need the power of x86_64, the RTOS is
there to manage the metal much more than it is actually to support the
application. In such cases, my inclination would be to ask whether some
might not be simpler to implement using several Cortex R level
controllers rather than a single x86_64 monstrosity. COTS industrial
x86-64 boards are, IMO, a very mixed blessing.
And BTW, significant parts of the UK ATC s/w infrastructure are written
in C owing to the use of X libraries to paint radar display screens. Use
of C in IFACTS was subsetted to an (unavoidably) less-strict-than-MISRA
level. And, when I last looked at it, it still generated over 12,000
MISRA C violation warnings for which technical concessions were approved
and for which controlled suppressions had been put into the code at my
suggestion. After the suppressions were in, there remained around 300
unsuppressed MISRA C violation messages - mainly to do with X macros -
that were avoidable but were, reasonably IMO, deemed less risky to leave
in place with concessions than to change.
regards,
Olwen
On 06/09/2019 16:42, Roderick Chapman wrote:
> On 06/09/2019 16:17, Martyn Thomas wrote:
>
>> SFAIK, the iFACTS air traffic control tools were written in SPARK and
>> run on the bare hardware.
>
> No... iFACTS runs on the same infrastructure as NERC, which is IBM
> hardware running AIX (albeit a _very_ stable and well-controlled
> release of AIX). For SPARK, this is something of an oddity, since most
> SPARK system do indeed run bare-metal or on some sort of small RTOS.
>
> The Muen hypervisor is an interesting an example - an entire x86_64
> hypervisor, that is written in SPARK, and has been subject to proofs
> of type-safety and so on. It's open source and here
>
> https://muen.codelabs.ch
>
> - Rod
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> Manage your subscription:
> https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety
More information about the systemsafety
mailing list