Robert Adsett wrote:> In article <130p2dpjc2qgdaa@corp.supernews.com>, msg says... > >>CBFalconer wrote: >> >>>msg wrote: >>>I frequently write for 'SCDE' >>> >>>>(Standard C Development Environment') on SVR4 (C 90) and also >>>>port stuff developed by others on GCC which often produces lots >>>>of warnings about "explicit cast required" for assignments and >>>>logical comparisons which the original authors failed to qualify >>>>with a cast. Evidently these things pass 'lint' and compile in >>>>GCC with no warnings (even at a high warning level). Most >>>>authors are dumbstruck by the need to explicitly cast (sometimes >>>>even numeric constants). >>> >>> >>>Any compiler. This shows the dangers of both using peculiar types >>>(such as u8 and u16) and of casting. In general any cast is >>>suspicious in C code. >> >>I should have provided an example. Here is a line from a popular >>opensource X10 automation package developed by its author on linux/gcc:<snip>> > I thought I'd try PC-Lint on some of these and see what popped out. > Some overhead left out but here is what I ran along with the resulting > messages and some of my own commentary.<snip> Thanks for the tests and results. Regards, Michael
shame on MISRA
Started by ●March 26, 2007
Reply by ●March 31, 20072007-03-31
Reply by ●March 31, 20072007-03-31
Hans-Bernhard Br�ker wrote:> msg wrote: > >> I should have provided an example. Here is a line from a popular >> opensource X10 automation package developed by its author on linux/gcc:(excerpt from system header):>> typedef uint_t size_t; (unsigned int on both SVR4 and linux) >> In a nutshell: typedef'ing size_t yourself is suicide for any program > that tries to be portable. >As to portability, very few authors of linux-targeted software (which for the most part is claimed to be portable) ever consider an int size < 32 bits unfortunately and never ever consider that their code would be ported beyond their parochial world. Regards, Michael
Reply by ●March 31, 20072007-03-31
msg wrote:> Hans-Bernhard Br�ker wrote:>> That only demonstrates you don't know how to ask GCC for warnings. In >> particular, you failed to enable -Wsign-compare.> Thanks for pointing out that switch. As I said, these are packages from > authors who don't properly consider the implications of precedence of > operators and typing (and that includes a lot of well-known code). In general I > clean up the code to at least build without warnings on my SVR4 target and > submit patches which are usually ignored.Not meaning any disrespect: if the patches you submit are of the same type as this one:>>> The line should have been written: >>> >>> if ( space < (int)strlen(message) + 1 ) {I find it hard to blame the recipients for not taking them at face value. There are at least three ways this line might best have been written. You discard all but one for no good reason to be seen.> I don't make the _impossible_to_debug_ autoconf scripts which are > usually the culprit in setting compiler warning switches.They're not. The autoconf machinery is for _creating_ the makefile, and as part of that job, it has to set up a generally usable default set of compiler switches. But that's in no way limiting your flexibility in using them. 'make CFLAGS="-g -O2 -Wall -W"' works just fine.>> Not based on the evidence you presented it shouldn't. It should >> rather be redesigned from the ground up, by answering the following >> questions:>> 1) why is "space" typed int instead of size_t? > (it is used in calls to other library functions that expect type int)But should this same "space" be used _here_? Or is it maybe those library functions' design that really is at fault here, for having arguments of class "size of something" with a signed type?>> 2) what is supposed to happen if "space" turns negative? > (admittedly not handled in the code but only possible by a catastrophe) >> 3) what is supposed to happen if (strlen(message) > INT_MAX)? > (only possible by catastrophe) >> 4) what is supposed to happen if (strlen == SIZE_MAX)? > (only possible by catastrophe)So you've just judged all those case in which it would make any difference at all whether you put this cast as "catastrophic" ones, which apparently you're not going to bother with. Why then would you be bothered about getting the cast right? If "space" really can't be negative, the original comparison without the cast is perfectly OK. You'll have to make up your mind: either you're worried about extreme, "catastrophic" cases, or you're not.
Reply by ●March 31, 20072007-03-31
Hans-Bernhard Br�ker wrote:> msg wrote: > >> Hans-Bernhard Br�ker wrote: > > >>> That only demonstrates you don't know how to ask GCC for warnings. >>> In particular, you failed to enable -Wsign-compare. > > >> Thanks for pointing out that switch. As I said, these are packages from >> authors who don't properly consider the implications of precedence of >> operators and typing (and that includes a lot of well-known code). In >> general I clean up the code to at least build without warnings on my >> SVR4 target and submit patches which are usually ignored.I should also have mentioned 'and also pass functional and regression tests on my target'.> > > Not meaning any disrespect: if the patches you submit are of the same > type as this one: > >>>> The line should have been written: >>>> >>>> if ( space < (int)strlen(message) + 1 ) { > > I find it hard to blame the recipients for not taking them at face > value. There are at least three ways this line might best have been > written. You discard all but one for no good reason to be seen. >Actually, this particular one came _from_ the author, not me; I merely provided the diagnostics to him. My references to patches was not related to this issue necessarily and when it is I _do_ take care to analyze the logic and rework where necessary, not just typecast to avoid warnings ;) The point of my original post was that this issue is hardly considered by authors of many well-known programs developed using GCC, with warning levels in common use, and those authors are usually disinterested in rectifying what they feel is not broken. Regards, Michael
Reply by ●March 31, 20072007-03-31
In news:pKROh.17989$NK3.11439@newsfe6-win.ntli.net timestamped Thu, 29 Mar 2007 16:23:49 GMT, ChrisQuayle <nospam@devnul.co.uk> posted: "Colin Paul Gloster wrote:> The Ada standard is available for gratis.The point being ?." The Ada standard with unsuitable aspects prohibited (such as by using pragma Profile (RAVENSCAR); ( WWW.AdaIC.org/standards/05rm/html/RM-D-13-1.html )) is better than the MISRA standard. (Disclaimer: I claim this without actually having read the MISRA standard.) One can check that the Ada standard is good for free. " Would you expect to get a usefull book for nothing that someone has spent considerable time and effort to produce," Yes: the Ada 2005 standard is available for gratis. I had already stated that and you quoted that. " or should everything be open source and free ?." Arguably not everything. " Of course, including all your own work." I am paid entirely by taxes as a researcher, so of course all of my current work should be available for no extra charge and subject to peer review and criticism. My tutors do not agree. Other work I had done was for a private former employer which has the right to choose whether or not that work is open source and whether or not that work is free to others. One thing such a former employer can not do is choose for that work to be free to the former employer because I had already been paid. "Now that it's a sane price, have just downloaded the misra pdf version and am almost disappointed in that there's almost nothing that I can disagree with. Having seen so much controversy about it etc. In fact, it seems a bit lightweight, just good common sense practice that one would expect from any experienced embedded engineer." So perhaps I have misjudged MISRA standards from rumors. As you like paying for things so much, may I charge you for reading this post? "The C++ version should be quite interesting..." Should a sane embedded engineer use C++?
Reply by ●April 1, 20072007-04-01
In article <eun74d$vpv$1@newsserver.cilea.it>, Colin Paul Gloster <Colin_Paul_Gloster@ACM.org> writes>" Would you expect to get a usefull book for nothing >that someone has spent considerable time and effort to produce," > >Yes: the Ada 2005 standard is available for gratis. I had already > stated that and you quoted that.Ada was NOT FREE It cost the US government several million pounds. The only reason it was "Free" is because the US government wanted everyone to use this language on US military projects. It costs a lot of money to make a standard like MISRA-C are you going to fund it?>" Of course, including all >your own work." > >I am paid entirely by taxes as a researcher,That explains a hell of a lot :-)> so of course all of my >current work should be available for no extra charge and subject to peer review >and criticism. My tutors do not agree.Available to who for free?>So perhaps I have misjudged MISRA standards from rumors.SO you are arguing about something you have not yet seen?>"The C++ version should be quite interesting..." > >Should a sane embedded engineer use C++?Is this a philosophical, social, engineering or commercial question? Ask yourself why MISRA is doing a C++ standard For some years I said "over our dead bodies" Yet one is being done. Unfortunately I can only ask the question. I can't supply the answer. -- \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\ Chris Hills Staffs England /\/\/\/\/ /\/\/ chris@phaedsys.org www.phaedsys.org \/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Reply by ●April 1, 20072007-04-01
Chris Hills wrote:> In article <eun74d$vpv$1@newsserver.cilea.it>, Colin Paul Gloster > <Colin_Paul_Gloster@ACM.org> writes > >> Yes: the Ada 2005 standard is available for gratis. I had already >> stated that and you quoted that.It happens somehow that the free cheese exists only in the mouse traps.> > Ada was NOT FREE It cost the US government several million pounds. The > only reason it was "Free" is because the US government wanted everyone > to use this language on US military projects.I don't mind using Ada, but where are the compilers? This looks like another perfectly designed still born thing.>> Should a sane embedded engineer use C++? > Is this a philosophical, social, engineering or commercial question?It is not a question. The sane embedded engineer must use C++. VLV
Reply by ●April 1, 20072007-04-01
Chris Hills wrote:> Ask yourself why MISRA is doing a C++ standard > For some years I said "over our dead bodies" Yet one is being done.By design, C is the assembler of higher level. And C++ is the macro assembler. Then what is going to be used as the main application development language after C++ ? I guess that would be an interpeter like LabView. Vladimir Vassilevsky DSP and Mixed Signal Design Consultant http://www.abvolt.com
Reply by ●April 1, 20072007-04-01
In article <KFPPh.4279$YL5.1826@newssvr29.news.prodigy.net>, Vladimir Vassilevsky <antispam_bogus@hotmail.com> writes>Chris Hills wrote: >> In article <eun74d$vpv$1@newsserver.cilea.it>, Colin Paul Gloster >><Colin_Paul_Gloster@ACM.org> writes >>> Yes: the Ada 2005 standard is available for gratis. I had already >>> stated that and you quoted that. >It happens somehow that the free cheese exists only in the mouse traps.Those in industry, or in fact anywhere outside a sheltered environment will know there is no such thing as a free lunch.>> Ada was NOT FREE It cost the US government several million pounds. >>The only reason it was "Free" is because the US government wanted >>everyone to use this language on US military projects. > >I don't mind using Ada, but where are the compilers? This looks like >another perfectly designed still born thing.This is the other point there are many languages "better" than C but without wide spread tool support they will not gain wide spread use. So these languages are not universally available for many hosts or targets.>>> Should a sane embedded engineer use C++? >> Is this a philosophical, social, engineering or commercial question? > >It is not a question. The sane embedded engineer must use C++.Please expand... this is not a troll but I am interested in your reasoning though I am assuming you are not suggesting C++ for PIC's and 8051's etc -- \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \/\/\/\/\ Chris Hills Staffs England /\/\/\/\/ /\/\/ chris@phaedsys.org www.phaedsys.org \/\/\ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Reply by ●April 1, 20072007-04-01
In article <KFPPh.4279$YL5.1826@newssvr29.news.prodigy.net>, Vladimir Vassilevsky <antispam_bogus@hotmail.com> writes:> > I don't mind using Ada, but where are the compilers? This looks like > another perfectly designed still born thing. >Ada is available as part of GCC. You can either use a FSF distribution of GCC, which has no restrictions on what you can use the Ada compiler for, or you can use a packaged distribution from ACT, which is restricted to GPL only projects. See https://libre.adacore.com/ for the packaged version. Note that I've no experience with this distribution because I prefer to use the FSF distributions so that I'm not restricted in what I can use the compiler for. Note also that the RTEMS RTOS has support for using Ada, but the support level appears to vary by architecture. Simon. -- Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP Microsoft: Bringing you 1980's technology to a 21st century world
