Software Safety Risk in Legacy Safety-Critical Computer Systems

Safety-critical computer systems must be engineered to meet system and software safety requirements.

The result is that most existing guidelines contain well over a hundred rules, sometimes with questionable justification. Some rules, especially those that try to stipulate the use of white space in programs, may have been introduced by personal preference; others are meant to prevent very specific and unlikely types of error from earlier coding efforts within the same organization.

... improved code clarity.

Rule 2. All loops must have a fixed upper bound.

Rule 3. Do not use dynamic memory allocation after initialization. Memory allocators and garbage collectors often have unpredictable behavior that can significantly impact performance.

Rule 4. No function should be longer than what can be printed on a single sheet of paper: 60 lines of code per function.

Rule 5. The assertion density of the code should average to a minimum of two assertions per function. Assertions must always be side-effect free and should be defined as Boolean tests. When an assertion fails, an explicit recovery action must be taken (returning an error condition to the caller of the function).

Rule 6. Data objects must be declared at the smallest possible level of scope. Prefer local and static rather than global. The rule discourages the re-use of variables for multiple, incompatible purposes, which can complicate fault diagnosis.

Rule 7. The return value of non-void functions must be checked by each calling function, and the validity of parameters must be checked inside each function.

Rule 8. The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions. Token pasting, variable argument lists, and recursive macro calls are not allowed. The C preprocessor is a powerful obfuscation tool that can destroy code clarity and befuddle many text-based checkers. The use of conditional compilation directives is often also dubious, but cannot always be avoided. With 10 conditional compilation directives, there could be up to 2^10 possible versions of the code. This means that there should rarely be justification for more than one or two conditional compilation directives even in large software development efforts, beyond the standard boilerplate that avoids multiple inclusion of the same header file. (Note on the term: in spaceflight, a boilerplate is a non-functional craft, system, or payload used to test various configurations and basic size, load, and handling characteristics.)

Rule 9. The use of pointers should be restricted. Specifically, no more than one level of dereference is allowed.

Rule 10. All code must be compiled, from the first day of development, with all compiler warnings enabled at the compiler's most pedantic settings. This should be considered routine practice, even for non-critical code development. There simply is no excuse for any software development effort not to make use of this readily available technology. Many developers have been caught in the assumption that a warning was surely invalid, only to realize much later that the message was in fact valid for less obvious reasons.
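As an added example (not code from the original post), here is a small C function written to the rules summarised above: a statically bounded loop (Rule 2), side-effect-free assertions with an explicit recovery action (Rule 5), parameter validation and checked return values (Rule 7), and a single level of dereference (Rule 9). The names c_assert, assert_failed, sum_samples and MAX_SAMPLES, and the sample data, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rule 10: compile with e.g. cc -std=c99 -Wall -Wextra -pedantic -Werror */
#define MAX_SAMPLES 64  /* Rule 2: a fixed loop bound a checker can verify */
/* Recovery hook (hypothetical name): log the failure, hand back an error. */
static int assert_failed(const char *file, int line)
{
    fprintf(stderr, "assertion failed at %s:%d\n", file, line);
    return -1;
}
/* Rule 5: c_assert is a side-effect-free Boolean test; when it fails the
 * enclosing function takes an explicit recovery action (returns an error). */
#define c_assert(e) ((e) ? 0 : assert_failed(__FILE__, __LINE__))
/* Sum `count` samples into *sum. Returns 0 on success, -1 on invalid input.
 * Rule 7: parameters are validated before use; callers must check the result.
 * Rule 9: at most one level of dereference (samples[i], *sum). */
int sum_samples(const int16_t *samples, size_t count, int32_t *sum)
{
    int32_t total = 0;
    if (c_assert(samples != NULL) != 0) return -1;
    if (c_assert(sum != NULL) != 0) return -1;
    if (c_assert(count <= MAX_SAMPLES) != 0) return -1;
    for (size_t i = 0; i < MAX_SAMPLES && i < count; i++) {
        total += samples[i];            /* bound is the constant MAX_SAMPLES */
    }
    *sum = total;
    return 0;
}
/* Constructed inputs: the happy path and two assertion failures. */
int32_t example_sum(void)
{
    const int16_t samples[3] = { 10, 20, 12 };
    int32_t sum = 0;
    if (sum_samples(samples, 3, &sum) != 0) return -1;   /* Rule 7, caller side */
    return sum;
}
int example_too_many(void)
{
    const int16_t one[1] = { 0 };
    int32_t sum = 0;
    return sum_samples(one, MAX_SAMPLES + 1, &sum);      /* count check trips */
}
int example_null(void)
{
    int32_t sum = 0;
    return sum_samples(NULL, 1, &sum);                    /* pointer check trips */
}
```

Each failed check is reported to stderr and turned into an error code for the caller rather than an abort, which is the recovery action Rule 5 asks for.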