10/12/2019 Keep in mind A good program is not one that just works A good program is not one that just works Just working is not enough. A good software program is one that is Well organized Well commented and documented Easy to read Easy to understand Coding standards Safety Integrity Levels Code for safety-critical systems must be certified by a Code for safety-critical systems must be certified by a The safety level associated with a safety-critical code is The safety level associated with a safety-critical code is certification authority that certifies that a software product certification authority that certifies that a software product measured by a Safety Integrity Level ( SIL ) in terms of measured by a Safety Integrity Level ( SIL ) in terms of complies with the requirements. complies with the requirements. probability of failure per hour ( PFH ) probability of failure per hour ( PFH ) Safety-critical means that a failure or a design error could SIL PFH cause a risk to human life. SIL0 > 10 -5 10 -5 - 10 -6 SIL1 In order to be certified, safety-critical software must comply 10 -7 - 10 -8 SIL2 with given coding standards. For example: 10 -9 - 10 -10 SIL3 DO-178 10 -11 - 10 -12 is used for avionic/aerospace applications SIL4 EN 50128 is used for railway systems Most safety-critical systems require a SIL4 MISRA is used for automotive systems certification for the control software. Code complexity Complexity metrics Source code complexity can be measured in several ways. “The complexity of a object is a measure of the mental effort “The complexity of a object is a measure of the mental effort required to understand and create that object.” [Myers, 1976] required to understand and create that object.” [Myers, 1976] It is important to distinguish between the natural complexity of the problem and “Code complexity is a major cause of unreliability in software” “Code complexity is a major cause of unreliability in software” the actual complexity of the solution [McCabe, 1976]. [McCabe, 1976]. Ideally, we would like the actual complexity to be no greater than the natural complexity. Programmers writing safety-critical software should contain code complexity. Unfortunately, most often, software solutions are much more Unfortunately, most often, software solutions are much more complex than they could be, hence we have that complex than they could be, hence we have that actual complexity >> natural complexity actual complexity >> natural complexity 1
10/12/2019 Simple vs. complex Complexity metrics Source code complexity can be measured in several ways: #include <stdio.h> <stdio.h> #include Number of lines of code ( LOC ) MAX_SIZE 50 #define int main() Program Volume ( V ): V = (N v + N o ) * log 2 (D v + D o ) { main() int printf("Hello World\n"); D v = # of distinct variables { It counts the number of bits It counts the number of bits return 0; D o = # of distinct operators s[MAX_SIZE] = "Hello World"; char } required for a uniform binary required for a uniform binary i; int N v = # of variable occurrencies encoding of the program text. encoding of the program text. N o = # of operator occurrencies i = 0; while (s[i] != '\0') { Cyclomatic printf("%c", s[i]); complexity : is the number of linearly i = i + 1; independent paths. High cyclomatic complexity is an } indication of inadequate modularization or too much logic in printf("\n"); one function. return 0; } Maximum Nesting of Control Structures : any statement inside another increments the metric by one. Coding standards Coding Rules To produce software that has to be certified SIL4, C can be used to write well structured and expressive C can be used to write well structured and expressive programmers must follow some specific guidelines. programs, but can also be used to write perverse and programs, but can also be used to write perverse and extremely hard-to-understand code. extremely hard-to-understand code. They can be distinguished in: The latter is not acceptable in a safety-related system. The latter is not acceptable in a safety-related system. Coding rules they limit the use of language constructs that can be dangerous (e.g., MISRA-C 2012). Coding styles they are meant to improve code readability and maintainability. The M otor I ndustry S oftware R eliability A ssociation (MISRA) provided some guidelines for the use of C language in safety-critical systems. Example of MISRA rules Example of MISRA rules 4.7: If a function returns an error code, then that code 6.4.5: Every non ‐ empty case clause in a switch statement shall be tested. shall be terminated with a break statement. 4.11: The validity of values passed to library functions 6.4.6: All switch statements shall contain a final default shall be checked. clause. 4.12: Dynamic memory allocation shall not be used. 6.4.7: A switch condition should not be of Boolean type. 9.3: Arrays shall not be partially initialized. 7.5.4: Functions should not call themselves. 14.1: Loop counters shall not be floating point variables. 8.4.3: All exit paths from a function shall have an explicit return statement. 15.1: The goto statement shall not be used. 2
10/12/2019 Coding Styles Coding Styles Style rules concern the following aspects: Programming style is fundamental for many reasons: 1. Horizontal spacing 1. It simplifies program reading & comprehension; 2. Vertical spacing 2. It facilitates program maintenance; 3. Indentation 3. It reduces the possibility of making mistakes; 4. Comments 4. It allows quickly identifying syntactic and 5. Code organization semantic errors; 5. It avoids irritating project reviewers. Hence, adopt these rules since the beginning! Hence, adopt these rules since the beginning! Horizontal spacing Horizontal spacing It refers to a set of rules to follow to separate objects Declarations Declarations contained in the same line of code. Insert a TAB after each type identifier. Insert a TAB after each type identifier. A TAB is not equivalent to a set of spaces!!! A TAB is not equivalent to a set of spaces!!! int i; float x; ···|···|···|···|···|···|···|···|···| int i; char c; Multiple declarations Multiple declarations float x; Use an editor that does not Use an editor that does not Insert a SPACE after each comma. Insert a SPACE after each comma. replace TAB s with spaces. replace TAB s with spaces. int int ····k; i,·j,·k; float char ····a; x,·y,·z; float ····y; Horizontal spacing Horizontal spacing Expressions Expressions Semicolons (;) Semicolons (;) Never put a space before a semicolon; Never put a space before a semicolon; operators with 2 operands must have a space in operators with 2 operands must have a space in Always put a space after a semicolon if it is not Always put a space after a semicolon if it is not both sides: both sides: the last character of the line. the last character of the line. x = (a + 2) * (b - 1); for ( i= 0;i <10 ;i++ ) // AVOID Parentheses Parentheses Never put a space after a left parenthesis or before Never put a space after a left parenthesis or before a right one. a right one. for (i=0; i<10; i++) // CORRECT a=( a+5)*( b- 2 ); // AVOID a = (a + 5) * (b - 2); // CORRECT 3
Recommend
More recommend
