
There are 211 messages in this thread.

You are currently looking at messages 80 to 90.

Re: shame on MISRA - msg - 12:30 31-03-07

Robert Adsett wrote:

> In article <1...@corp.supernews.com>, msg says...
> 
>>CBFalconer wrote:
>>
>>>msg wrote:
>>>
>>>>I frequently write for 'SCDE'
>>>>(Standard C Development Environment') on SVR4 (C 90) and also
>>>>port stuff developed by others on GCC which often produces lots
>>>>of warnings about "explicit cast required" for assignments and
>>>>logical comparisons which the original authors failed to qualify
>>>>with a cast. Evidently these things pass 'lint' and compile in
>>>>GCC with no warnings (even at a high warning level).  Most
>>>>authors are dumbstruck by the need to explicitly cast (sometimes
>>>>even numeric constants).
>>>
>>>
>>>Any compiler.  This shows the dangers of both using peculiar types
>>>(such as u8 and u16) and of casting.  In general any cast is
>>>suspicious in C code.
>>
>>I should have provided an example.  Here is a line from a popular
>>opensource X10 automation package developed by its author on linux/gcc:
<snip>
> 
> I thought I'd try PC-Lint on some of these and see what popped out.  
> Some overhead left out but here is what I ran along with the resulting 
> messages and some of my own commentary.
<snip>

Thanks for the tests and results.

Regards,

Michael



Re: shame on MISRA - msg - 12:30 31-03-07

Hans-Bernhard Bröker wrote:

> msg wrote:
> 
>> I should have provided an example.  Here is a line from a popular
>> opensource X10 automation package developed by its author on linux/gcc:

(excerpt from system header):
>> typedef uint_t  size_t; (unsigned int on both SVR4 and linux)
> 

> In a nutshell: typedef'ing size_t yourself is suicide for any program 
> that tries to be portable.
> 

As to portability, very few authors of linux-targeted software (which
for the most part is claimed to be portable) ever consider an int size
< 32 bits unfortunately and never ever consider that their code would
be ported beyond their parochial world.

Regards,

Michael

Re: shame on MISRA - Hans-Bernhard Bröker - 17:30 31-03-07

msg wrote:
> Hans-Bernhard Bröker wrote:

>> That only demonstrates you don't know how to ask GCC for warnings.  In 
>> particular, you failed to enable -Wsign-compare.

> Thanks for pointing out that switch.  As I said, these are packages from
> authors who don't properly consider the implications of precedence of 
> operators and typing (and that includes a lot of well-known code).  In general I 
> clean up the code to at least build without warnings on my SVR4 target and
> submit patches which are usually ignored.  

Not meaning any disrespect: if the patches you submit are of the same 
type as this one:

>>> The line should have been written:
>>>
>>>    if ( space < (int)strlen(message) + 1 ) {

I find it hard to blame the recipients for not taking them at face 
value.  There are at least three ways this line might best have been 
written.  You discard all but one for no good reason to be seen.

> I don't make the _impossible_to_debug_ autoconf scripts which are 
> usually the culprit in setting compiler warning switches.

They're not.  The autoconf machinery is for _creating_ the makefile, and 
as part of that job, it has to set up a generally usable default set of 
compiler switches.  But that's in no way limiting your flexibility in 
using them.  'make CFLAGS="-g -O2 -Wall -W"' works just fine.

>> Not based on the evidence you presented it shouldn't.  It should 
>> rather be redesigned from the ground up, by answering the following 
>> questions:

>> 1) why is "space" typed int instead of size_t?
> (it is used in calls to other library functions that expect type int)

But should this same "space" be used _here_?  Or is it maybe those 
library functions' design that really is at fault here, for having 
arguments of class "size of something" with a signed type?

>> 2) what is supposed to happen if "space" turns negative?
> (admittedly not handled in the code but only possible by a catastrophe)
>> 3) what is supposed to happen if (strlen(message) > INT_MAX)?
> (only possible by catastrophe)
>> 4) what is supposed to happen if (strlen == SIZE_MAX)?
> (only possible by catastrophe)

So you've just judged all those cases in which it would make any 
difference at all whether you put this cast as "catastrophic" ones, 
which apparently you're not going to bother with.  Why then would you be 
bothered about getting the cast right?

If "space" really can't be negative, the original comparison without the 
cast is perfectly OK.  You'll have to make up your mind: either you're 
worried about extreme, "catastrophic" cases, or you're not.
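
Added example, not part of the thread or of the package under discussion: a C sketch of three forms of the comparison, run against the extreme cases raised in questions 2 to 4 above. The function names and the `len` parameter (standing in for `strlen(message)`) are assumptions; `space` and `message` are the names quoted in the post.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* `len` stands in for strlen(message); each function answers
 * "is `space` too small for the message plus its terminating NUL?" */

/* Comparison without the cast: the usual arithmetic conversions turn
 * `space` into size_t (written out explicitly here), so a negative
 * `space` becomes a huge unsigned value. -Wsign-compare flags this. */
static int too_small_uncast(int space, size_t len)
{
    return (size_t)space < len + 1;
}

/* The cast form quoted in the thread. It silences the warning, but a
 * `len` above INT_MAX is narrowed (implementation-defined result) and
 * len == INT_MAX overflows the signed addition (undefined). */
static int too_small_cast(int space, size_t len)
{
    return space < (int)len + 1;
}

/* Hypothetical checked form: decides the extreme cases explicitly. */
static int too_small_checked(int space, size_t len)
{
    if (space < 0)
        return 1;                 /* question 2: negative never fits */
    return (size_t)space <= len;  /* same as space < len + 1, no wrap */
}

int main(void)
{
    /* Constructed inputs: {space, len}. */
    struct { int space; size_t len; } t[] = {
        { 10, 5 }, { 5, 5 }, { -1, 5 },
        { 10, (size_t)INT_MAX + 1 }, { 10, SIZE_MAX },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        /* -1 = cast form not evaluated (narrowing/overflow range) */
        int c = t[i].len < INT_MAX ? too_small_cast(t[i].space, t[i].len) : -1;
        printf("space=%d len=%zu uncast=%d cast=%d checked=%d\n",
               t[i].space, t[i].len, too_small_uncast(t[i].space, t[i].len),
               c, too_small_checked(t[i].space, t[i].len));
    }
    return 0;
}
```

Building with `-Wsign-compare` (the switch named in the post) and writing the comparison as `space < len + 1` shows the warning that the explicit `(size_t)` conversion in `too_small_uncast` stands in for.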

Re: shame on MISRA - msg - 18:30 31-03-07

Hans-Bernhard Bröker wrote:

> msg wrote:
> 
>> Hans-Bernhard Bröker wrote:
> 
> 
>>> That only demonstrates you don't know how to ask GCC for warnings.  
>>> In particular, you failed to enable -Wsign-compare.
> 
> 
>> Thanks for pointing out that switch.  As I said, these are packages from
>> authors who don't properly consider the implications of precedence of 
>> operators and typing (and that includes a lot of well-known code).  In 
>> general I clean up the code to at least build without warnings on my 
>> SVR4 target and submit patches which are usually ignored.

I should also have mentioned 'and also pass functional and regression
tests on my target'.

> 
> 
> Not meaning any disrespect: if the patches you submit are of the same 
> type as this one:
> 
>>>> The line should have been written:
>>>>
>>>>    if ( space < (int)strlen(message) + 1 ) {
> 
> I find it hard to blame the recipients for not taking them at face 
> value.  There are at least three ways this line might best have been 
> written.  You discard all but one for no good reason to be seen.
> 

Actually, this particular one came _from_ the author, not me;
I merely provided the diagnostics to him.  My references to patches
was not related to this issue necessarily and when it is
I _do_ take care to analyze the logic and rework where necessary,
not just typecast to avoid warnings ;)

The point of my original post was that this issue is hardly considered
by authors of many well-known programs developed using GCC, with warning
levels in common use, and those authors are usually disinterested in
rectifying what they feel is not broken.

Regards,

Michael

Re: shame on MISRA - Colin Paul Gloster - 22:58 31-03-07

In news:pKROh.17989$N...@newsfe6-win.ntli.net timestamped Thu, 29
Mar 2007 16:23:49 GMT, ChrisQuayle <n...@devnul.co.uk> posted:
"Colin Paul Gloster wrote:

> The Ada standard is available for gratis.

The point being ?."

The Ada standard with unsuitable aspects prohibited (such as by using
pragma Profile (RAVENSCAR);
(
WWW.AdaIC.org/standards/05rm/html/RM-D-13-1.html
)) is better than the MISRA standard. (Disclaimer: I claim this
without actually having read the MISRA standard.) One can check that
the Ada standard is good for free.


" Would you expect to get a useful book for nothing
that someone has spent considerable time and effort to produce,"

Yes: the Ada 2005 standard is available for gratis. I had already
 stated that and you quoted that.


" or
should everything be open source and free ?."

Arguably not everything.


" Of course, including all
your own work."

I am paid entirely by taxes as a researcher, so of course all of my
current work should be available for no extra charge and subject to peer review
and criticism. My tutors do not agree. Other work I had done was for a
private former employer which has the right to choose whether or not that work
is open source and whether or not that work is free to others. One
thing such a former employer can not do is choose for that work to be
free to the former employer because I had already been paid.




"Now that it's a sane price, have just downloaded the misra pdf version
and am almost disappointed in that there's almost nothing that I can
disagree with. Having seen so much controversy about it etc.  In fact,
it seems a bit lightweight, just good common sense practice that one
would expect from any experienced embedded engineer."

So perhaps I have misjudged MISRA standards from rumors.

As you like paying for things so much, may I charge you for reading
this post?


"The C++ version should be quite interesting..."

Should a sane embedded engineer use C++?

Re: shame on MISRA - Chris Hills - 09:04 01-04-07

In article <eun74d$vpv$1...@newsserver.cilea.it>, Colin Paul Gloster 
<C...@ACM.org> writes
>" Would you expect to get a useful book for nothing
>that someone has spent considerable time and effort to produce,"
>
>Yes: the Ada 2005 standard is available for gratis. I had already
> stated that and you quoted that.

Ada was NOT FREE. It cost the US government several million pounds. The 
only reason it was "Free" is because the US government wanted everyone 
to use this language on US military projects.


It costs a lot of money to make a standard like MISRA-C. Are you going to 
fund it?


>" Of course, including all
>your own work."
>
>I am paid entirely by taxes as a researcher,

That explains a hell of a lot :-)

> so of course all of my
>current work should be available for no extra charge and subject to peer review
>and criticism. My tutors do not agree.

Available to who for free?

>So perhaps I have misjudged MISRA standards from rumors.

So you are arguing about something you have not yet seen?

>"The C++ version should be quite interesting..."
>
>Should a sane embedded engineer use C++?

Is this a philosophical, social, engineering or commercial question?

Ask yourself why MISRA is doing a C++ standard

For some years I said "over our dead bodies"  Yet one is being done.

Unfortunately I can only ask the question. I can't supply the answer.

-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/




Re: shame on MISRA - Vladimir Vassilevsky - 10:51 01-04-07


Chris Hills wrote:

> In article <eun74d$vpv$1...@newsserver.cilea.it>, Colin Paul Gloster 
> <C...@ACM.org> writes
> 
>> Yes: the Ada 2005 standard is available for gratis. I had already
>> stated that and you quoted that.

It happens somehow that the free cheese exists only in the mouse traps.

> 
> Ada was NOT FREE It cost the US government several million pounds. The 
> only reason it was "Free" is because the US government wanted everyone 
> to use this language on US military projects.

I don't mind using Ada, but where are the compilers? This looks like 
another perfectly designed still born thing.


>> Should a sane embedded engineer use C++?
> Is this a philosophical, social, engineering or commercial question?

It is not a question. The sane embedded engineer must use C++.

VLV

Re: shame on MISRA - Vladimir Vassilevsky - 11:05 01-04-07


Chris Hills wrote:


> Ask yourself why MISRA is doing a C++ standard
> For some years I said "over our dead bodies"  Yet one is being done.

By design, C is the assembler of higher level. And C++ is the macro 
assembler. Then what is going to be used as the main application 
development language after C++ ? I guess that would be an interpreter 
like LabView.


Vladimir Vassilevsky

DSP and Mixed Signal Design Consultant

http://www.abvolt.com

Re: shame on MISRA - Chris Hills - 11:17 01-04-07

In article <KFPPh.4279$Y...@newssvr29.news.prodigy.net>, Vladimir 
Vassilevsky <a...@hotmail.com> writes
>Chris Hills wrote:
>> In article <eun74d$vpv$1...@newsserver.cilea.it>, Colin Paul Gloster 
>><C...@ACM.org> writes
>>> Yes: the Ada 2005 standard is available for gratis. I had already
>>> stated that and you quoted that.
>It happens somehow that the free cheese exists only in the mouse traps.

Those in industry, or in fact anywhere outside a sheltered environment 
will know there is no such thing as a free lunch.

>>  Ada was NOT FREE It cost the US government several million pounds. 
>>The  only reason it was "Free" is because the US government wanted 
>>everyone  to use this language on US military projects.
>
>I don't mind using Ada, but where are the compilers? This looks like 
>another perfectly designed still born thing.

This is the other point: there are many languages "better" than C but 
without widespread tool support they will not gain widespread use. So 
these languages are not universally available for many hosts or targets.

>>> Should a sane embedded engineer use C++?
>> Is this a philosophical, social, engineering or commercial question?
>
>It is not a question. The sane embedded engineer must use C++.

Please expand... this is not a troll but I am interested in  your 
reasoning though I am assuming you are not suggesting C++ for PIC's and 
8051's etc

-- 
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
/\/\/ c...@phaedsys.org      www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/




Ada, was: Re: shame on MISRA - Simon Clubley - 12:05 01-04-07

In article <KFPPh.4279$Y...@newssvr29.news.prodigy.net>, Vladimir Vassilevsky
<a...@hotmail.com> writes:
> 
> I don't mind using Ada, but where are the compilers? This looks like 
> another perfectly designed still born thing.
> 

Ada is available as part of GCC.

You can either use a FSF distribution of GCC, which has no restrictions
on what you can use the Ada compiler for, or you can use a packaged
distribution from ACT, which is restricted to GPL only projects.

See https://libre.adacore.com/ for the packaged version. Note that I've no
experience with this distribution because I prefer to use the FSF
distributions so that I'm not restricted in what I can use the compiler for.

Note also that the RTEMS RTOS has support for using Ada, but the support
level appears to vary by architecture.

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980's technology to a 21st century world
