Chris Hills wrote:
> In article <461b53f3$0$24628$8...@news.wineasy.se>, David Brown 
> <d...@westcontrol.removethisbit.com> writes
>> Chris Hills wrote:
>>> In article <oLSPh.494$r...@newsfe1-gui.ntli.net>, ChrisQuayle 
>>> <n...@devnul.co.uk> writes
>>>>>   "The C++ version should be quite interesting..."
>>>>>  Should a sane embedded engineer use C++?
>>>>
>>>> Open to debate I guess. C++ may have a role for consumer electronics 
>>>> applications, where recovery is usually power off and reboot, but is 
>>>> it really ready or appropriate for mission critical work ?...
>>>  The US Joint Strike Fighter uses C++ not Ada
>>>
>>
>> Isn't that the project which overran its development costs by several 
>> hundred percent, almost entirely due to software costs?
> 
> Quite probably. My understanding is that C++ was used instead of Ada 
> because of the lack of Ada programmers available. (They needed 30,000 SW 
> people)
> 

Any project that needs that many programmers is doomed from the start, 
regardless of the language chosen.

> Personally I would have though it would have been more cost effective to 
> train a bunch of SW engineers on Ada in the environment they were going 
> to use.  Also you could train on the coding standard/style guide you 
> wanted and had them all coding the same way from day 1 with no 
> preconceived ideas on style  that usually  cause problems.
> 

Absolutely - and the same would apply even with C++, Java, or any other 
language that they may have known from before.

> 
>> And there are several countries dropping out, or threatening to do so, 
>> because they can't get access to the software in question?
> 
> That has nothing to do with C++ or Ada. More to do with US paranoia on 
> SECURITY AND THE END OF CIVILISATION AS WE KNOW IT! . The JSF++ standard 
> was initially not released on security grounds! It was then released 
> with bits edited out!
> 
> However enough people know what was in both versions so that most people 
> know what was edited out of the public version.
> 

The US may have wanted to keep the software secret through paranoia, or 
perhaps just because they were embarrassed to show what a mess they have 
made after so long, with so many people, and costing so much (I don't 
*know* that it's a mess, but I think it's a fair guess).  Similarly, the 
Europeans and other customers might want to see the software (and be 
able to modify and update it) due to paranoia (who knows what backdoors 
the Americans have added...), or due to concerns about its qualities.

In article <461b851b$0$24605$8...@news.wineasy.se>, David Brown 
<d...@westcontrol.removethisbit.com> writes
>Chris Hills wrote:
>> In article <461b53f3$0$24628$8...@news.wineasy.se>, David Brown 
>><d...@westcontrol.removethisbit.com> writes
>>> Chris Hills wrote:
>>>> In article <oLSPh.494$r...@newsfe1-gui.ntli.net>, ChrisQuayle 
>>>><n...@devnul.co.uk> writes
>>>>>>   "The C++ version should be quite interesting..."
>>>>>>  Should a sane embedded engineer use C++?
>>>>>
>>>>> Open to debate I guess. C++ may have a role for consumer 
>>>>>electronics  applications, where recovery is usually power off and 
>>>>>reboot, but is  it really ready or appropriate for mission critical work ?...
>>>>  The US Joint Strike Fighter uses C++ not Ada
>>>>
>>>
>>> Isn't that the project which overran its development costs by 
>>>several hundred percent, almost entirely due to software costs?
>>  Quite probably. My understanding is that C++ was used instead of Ada 
>>because of the lack of Ada programmers available. (They needed 30,000 
>>SW  people)
>>
>
>Any project that needs that many programmers is doomed from the start, 
>regardless of the language chosen.

Hope springs eternal :-)

>> Personally I would have though it would have been more cost effective 
>>to  train a bunch of SW engineers on Ada in the environment they were 
>>going  to use.  Also you could train on the coding standard/style 
>>guide you  wanted and had them all coding the same way from day 1 with 
>>no preconceived ideas on style  that usually  cause problems.
>
>Absolutely - and the same would apply even with C++, Java, or any other 
>language that they may have known from before.

Agreed but I would have thought in the long term it would have been 
better to train Sw Engineers on Ada (+ coding guide + any project 
specific requirements) than use C++ and still spend a small fortune on 
getting JFS++ and still have to train them in it's use.

>>> And there are several countries dropping out, or threatening to do 
>>>so, because they can't get access to the software in question?
>>  That has nothing to do with C++ or Ada. More to do with US paranoia 
>>on  SECURITY AND THE END OF CIVILISATION AS WE KNOW IT! . The JSF++ 
>>standard  was initially not released on security grounds! It was then 
>>released  with bits edited out!
>>  However enough people know what was in both versions so that most 
>>people  know what was edited out of the public version.
>>
>
>The US may have wanted to keep the software secret through paranoia,

Well that is more believable given their stance over JSF++ and other 
similar things. It all points to it.

>or perhaps just because they were embarrassed to show what a mess they 
>have made after so long, with so many people, and costing so much

No, I don't think so

> (I don't *know* that it's a mess, but I think it's a fair guess).

Probably.

>  Similarly, the Europeans and other customers might want to see the 
>software (and be able to modify and update it) due to paranoia (who 
>knows what backdoors the Americans have added...), or due to concerns 
>about its qualities.

:-) Again quite likely (Remember the Chinook FADEC)


-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

In article <evfs4o$n2o$1...@newsserver.cilea.it>, Colin Paul Gloster 
<C...@ACM.org> writes
>In news:2...@phaedsys.demon.co.uk timestamped Tue, 10 Apr
>2007 08:25:32 +0100, Chris Hills <c...@phaedsys.org> posted:
>   "[..]
>   No one said MISRA-C was as good as Ada.
>   [..]"
>Thank you for the tip.

They are different.  I suggest you read the Rational in MISRA-C



>In article <evegjr$gn7$1...@newsserver.cilea.it>, Colin Paul Gloster
><C...@ACM.org> writes
>   "[..]
>   >Chris Hills wrote:
>   >"  You are disagreeing with many experts."
>   >Truth is not a popularity contest.
>
>   True but where the majority of experts lean one way and a few
>   non-experts the other I know which way I would prefer."
>
>I do not agree with everything Les Hatton has said. Do you have a
>refutation of his criticisms of MISRA C 2004?

No. I did do one for Derek's though some years ago.    I will ask Les 
about his paper though,

>    ">">True. MISRA C contains something worth hiding,
>    >What?"
>    >C.
>    C is in title. What is MSRA-C hiding?"
>Okay, you have got me there.

Read the Rational... We also say that there are other more suitable 
languages than C but if you must use c.......

No one has ever claimed C was the best for high integrity though several 
well known experts have said that with the right tools and processes C 
can be as safe as Ada (according to their published statistics and 
surveys.)

>    "[..]
>    >
>    >[..] people like you who decry MISRA-C but
>    >use the cost as an excuse for not having read the standard they are
>    >de-crying."
>    >
>    >That is one of many excuses I have. I provide another: no one has
>    >shown that MISRA C has a good feature which none of Ada and VHDL
>    >has.
>
>    Ada and VHDL are different tools for use in different places."
>
>They can be used in the same places sometimes. VHDL is used in cars.

So are iPods.

>Chris Hills wrote:
>   "[..]
>
>   Why did the use C++ instead of Ada for the JSF?  Why did thety bas the
>   JSF++ standard on MISRA-C?"
>I do not know.

There wasn't anything better perhaps?  :-)

>Chris Hills wrote:
>   ">Is MISRA C available for SIL 4 yet (not that I work at
>   >that level myself)?
>
>   MISRA-C makes no reference to suitability as you well know. Unless of
>   course your arguing for your "religion" whilst not having read MISRA-C"
>
>Perhaps I had known that sometime, but I am not an expert on SIL nor
>MISRA, and I did not know that "MISRA-C makes no reference to suitability
> [..]"
>when I wrote that. WWW.MISRA.org.UK/intro.htm contains:
>"[..]
>The MISRA Guidelines provide important advice to the automotive
>industry for the creation and application of safe, reliable software
>within vehicles.
>[..]"

There are 5 SIL in MISRA which are not the same as and pre-date the 4 
SIL   in 61508

MISRA-C makes no recommendation to suitability for any SIL (MISRA or 
61508)  It depends on your project on which language you use and how you 
go about it.

>Thank you for replying, it is appreciated and was a surprise.

Nearly didn't because the system you use for quoting makes your posts 
almost unreadable.
-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Chris Hills <c...@phaedsys.org> writes:
> David Brown <d...@westcontrol.removethisbit.com> writes
> >Chris Hills wrote:
> >> ChrisQuayle <n...@devnul.co.uk> writes
> >>>>   "The C++ version should be quite interesting..."
> >>>>  Should a sane embedded engineer use C++?
> >>>
> >>> Open to debate I guess. C++ may have a role for consumer electronics 
> >>>applications, where recovery is usually power off and reboot, but is 
> >>>it really ready or appropriate for mission critical work ?...
> >>  The US Joint Strike Fighter uses C++ not Ada
> >
> >Isn't that the project which overran its development costs by several 
> >hundred percent, almost entirely due to software costs?
> 
> Quite probably. My understanding is that C++ was used instead of Ada 
> because of the lack of Ada programmers available. (They needed 30,000 SW 
> people)

30K people is a formula for disaster in any endeavor.
That'll translate to 3,000 people doing the work and
27,000 getting in the way of getting it done.

In article <r...@phaedsys.demon.co.uk>, Chris Hills says...
> No one has ever claimed C was the best for high integrity though several 
> well known experts have said that with the right tools and processes C 
> can be as safe as Ada (according to their published statistics and 
> surveys.)

Have you any references to those stats and surveys Chris?

Robert

-- 
Posted via a free Usenet account from http://www.teranews.com

In article <M...@free.teranews.com>, Robert Adsett 
<s...@aeolusdevelopment.com> writes
>In article <r...@phaedsys.demon.co.uk>, Chris Hills says...
>> No one has ever claimed C was the best for high integrity though several
>> well known experts have said that with the right tools and processes C
>> can be as safe as Ada (according to their published statistics and
>> surveys.)
>
>Have you any references to those stats and surveys Chris?
>
>Robert

AFAIR "Safer C"  was one I am sure one of the Pressman books had some 
in.   We were up to our necks in builders until 2 days ago and most of 
the office, books, papers etc are in storage. I will dig them out over 
the nextr fw  days as we set up the new office.

If I haven't reply in 10 days remind me


-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Chris Hills wrote:

> In article <M...@free.teranews.com>, Robert Adsett
> <s...@aeolusdevelopment.com> writes
>>In article <r...@phaedsys.demon.co.uk>, Chris Hills says...
>>> No one has ever claimed C was the best for high integrity though several
>>> well known experts have said that with the right tools and processes C
>>> can be as safe as Ada (according to their published statistics and
>>> surveys.)
>>
>>Have you any references to those stats and surveys Chris?
>>
>>Robert
> 
> AFAIR "Safer C"  was one I am sure one of the Pressman books had some
> in.   We were up to our necks in builders until 2 days ago and most of
> the office, books, papers etc are in storage. I will dig them out over
> the nextr fw  days as we set up the new office.

Gosh Chris, those builders have taken their time. Considering they were in
when we met in February. Must have allowed them to have too many
tea-breaks ;>
 
> If I haven't reply in 10 days remind me
> 
> 
> --
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> \/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
> /\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

-- 
********************************************************************
Paul E. Bennett ....................<email://p...@amleth.demon.co.uk>
Forth based HIDECS Consultancy .....<http://www.amleth.demon.co.uk/>;
Mob: +44 (0)7811-639972
Tel: +44 (0)1235-811095
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************

In article <evl0kk$ans$2$8...@news.demon.co.uk>, Paul E. Bennett 
<p...@amleth.demon.co.uk> writes
>Chris Hills wrote:
>
>> In article <M...@free.teranews.com>, Robert Adsett
>> <s...@aeolusdevelopment.com> writes
>>>In article <r...@phaedsys.demon.co.uk>, Chris Hills says...
>>>> No one has ever claimed C was the best for high integrity though several
>>>> well known experts have said that with the right tools and processes C
>>>> can be as safe as Ada (according to their published statistics and
>>>> surveys.)
>>>
>>>Have you any references to those stats and surveys Chris?
>>>
>>>Robert
>>
>> AFAIR "Safer C"  was one I am sure one of the Pressman books had some
>> in.   We were up to our necks in builders until 2 days ago and most of
>> the office, books, papers etc are in storage. I will dig them out over
>> the nextr fw  days as we set up the new office.
>
>Gosh Chris, those builders have taken their time. Considering they were in
>when we met in February. Must have allowed them to have too many
>tea-breaks ;>

Nearly 3 months (including a brick paved 5 car drive )  the tiler will 
finish the last floor tomorrow & we have one small item for the 
plasterer.

Spent most of this evening building book shelves and moving filling 
cabinets in the new office.

-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Hi,

On Mon, 26 Mar 2007 22:46:14 +0000, Vladimir Vassilevsky wrote:

> d...@rootshell.be wrote:
> 
>> sample2 (another catch 22):
>> void f(void)
>> {
>>     u8 X;
>>     .... performing some calculations, that guarantee X<2
>>     switch(X)
>>     {
>>          case 0: doSomething(); break;
>>          case 1: SomethingElse(); break;
>>   // choose between the following warning:
>> //   1. inaccessible default statement
>> //   2. case without default statement
>>          default: assert(0); break;
>>     }
>> }
> 
> Yes, this is correct. First of all, an integer should not be used as the 
> switch argument; switches should be used with enums only.

Which boils to the same- try and put an enum that have two values (0 and 1),
and see what happens. From my experience- there will be no difference. 

>> sample3 (senseless code damage due to MISRA):
>> u8 *u8Ptr1,u8Ptr2;
>> u32 N;
>> .... some calculations
>> 
>> // Misra warning: performing pointer arithmetic
>> u8Ptr1 = u8Ptr2+N;
> 
> Yes, this is correct. You should not modify, alias or copy the pointers. 
> Work with arrays and indexes only.

And the point for that is? You can circumvent it in no time, result being
clumsy, unreadable _and_ unsafe. So you just added maintenance pain-in-the-ass
to unsafeness. Good job. 
By the way - I wonder, what will MISRA-C check say about
u8Ptr1 = &(N[u8Ptr2]);
Can't check it right now.

>> It is a set of rules, defined by not very clever people (especially
>> the older MISRA version) and used
>> by automotive software producers, because it looks nice for the
>> bureaucratic high-level managment.
> 
> It is better then nothing, anyway.

So- bad rules are better, than none at all? I disagree.

>> please, for those who do not code using strict misra checker: do not
>> argue that MISRA is good.
> 
> I had to write MISRA compliant code, and yes, it is too restrictive and 
> very annoying at times. Nevertheless it does a good job on extirpating 
> the hackery.

No. It doesn't. One of the rules states (I don't have them in front of me),
that you can't use signed constants (like -1U) to set unsigned variables. -1U
is a nice value of all 1s binary, convenient for masking. Well, you can get
rid of complaints in two ways:
- write 0xFFFFFFFFU instead of -1U (how many Fs do you see? 8? 7? 9? If someone
  removes one F will you be able to spot it easily? IMHO- no, you will not.
  Even, if you have it #defined),
- add a signed variable, initialise it with -1U, and convert it explicitly to
  unsigned in expression (superfluous variable does not add to visibility). 
Now, both ways are clumsy, hard to read and look like a dirty hack IMHO.
What would you say?

>> And do not wonder if you see buggy embedded software!
> 
> Unfortunately, there is no replacement for the common sense, experience, 
> good taste and intelligence (Stroustrup).

MISRA-management sometimes removes all that :(. I'd say that stating 'full
MISRA-C compliance (including advisory rules)' in the light of contradicting
rules (see MISRA-C preface) hurts common sense irreparably. Wouldn't you?

M.

On Wed, 28 Mar 2007 08:10:32 +0200, Ulf Samuelsson wrote:

>> N = /* complicated expression */
>> a = u8Ptr2[N];
>>
> 
> 
> This can of course be made safer by a compiler if it is transformed to
> 
>     N = /* complicated expression */
>     ASSERT(N >= &u8Ptr2[0]);

:O You actually compare an index with a pointer! Is it meant to be an example
of writing broken code in spite of MISRA?

>     ASSERT(N <   &u8Ptr2[MAX]);
>     a = u8Ptr2[N];
> 
> Much harder to do with a pointer

Definitely... Especially, that pointers should (IMHO) be tested only for
equality.

M.