-
-
From the article:
For a safety critical app it should be an unbreakable rule that it compiles at the maximum warning level with zero warnings.# The standard gcc compiler version 4″ generated a redacted number of warnings (probably larger than 100) about the code, in 11 different warning categories. (p. 25)
# “Coverity version 4.2″ generated a redacted number of warnings (probably larger than 154) about the code, in 10 different warning categories. (p. 27)
# “Codesonar version 3.6p1″ generated a redacted number of warnings (probably larger than 136) about the code, in 10 different warning categories.
# “Uno version 2.12″ generated a redacted number of warnings (probably larger than 72) about the code, in 9 different warning categories.
# The code contained at least 347 deviations from a subset of 14 of the MISRA-C rules.
# The code contained at least 243 violations of a subset of 9 of the 10 “Power of 10–Rules for Developing Safety Critical Code,” which was published in IEEE Computer in 2006 by NESC team member Gerard Holzmann.
The slight snag is that to some extent lazy or incompetent programmers can "mask" potential problems just to achieve a clean compile.Work in the public sector? Read the IR35 FAQ here -
Because of the sign bit?Originally posted by zeitghostComment
-
Nah.
Coz it's got 12 bits not 8.
But apart from that, it's perfect.
The Power of Ten -- Rules for Writing Safety Critical Code -- Rule Ten
It gets better:
What NHTSA/NASA Didn’t Consider re: Toyota’s Firmware « Barr Code
Recursion in a real time embedded system?
Are they mad?
Last edited by zeitghost; 26 April 2017, 14:07.Comment
-
Remember the good old days of cables? If the cable broke you stopped accelerating.Originally posted by zeitghostIt gets better:
What NHTSA/NASA Didn’t Consider re: Toyota’s Firmware « Barr Code
Recursion in a real time embedded system?
Are they mad?Comment
-
And if the return spring broke, you got a wide open throttleOriginally posted by Doggy Styles View Post
In those days, the ignition switch actually switched stuff off, rather than using a microcontroller & a CAN bus to tell something else to switch off.
It's all madness, I tell you, madness.
So, to sum up, there's 64Mb of this tulipe to control the throttle, using two processors in the pedal, complete with a shedload of compiler warnings that no one has bothered to fix and "to save space" it uses recursion.
Magic.
I'll stick to an Austin 7.
It's just struck me why stack corruption is A Very Bad Thing.
Auto variables.
Wot live on the stack.
I'd forgotten that.
(Like much else, sadly).
Which is why the PIC12/PIC16 is a pain for C compiler writers, since you don't have access to the stack.
At all.
Much like the MC6805 in that respect.Last edited by zeitghost; 26 April 2017, 14:11.Comment
-
Also, some warnings are to check you know what's going on... they are called warnings for a reason.Originally posted by OwlHoot View PostOriginally posted by MaryPoppinsOriginally posted by vetranComment
-
I had the carburettor return spring break on me once. The engine soared to full revs.Originally posted by Doggy Styles View Post
Unintended acceleration on a Morris Minor!
I switched off and coasted to a halt.
No steering lock in those days, fortunately.
I managed to jam the throttle half way open and got home that way.
Modern technology.
Pah!Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
-
Something like that happened to one of my friends in a moggy minor. He used a piece of string to operate the throttle to get home, so I'm not sure what broke or came loose. Sounds like the cable.Originally posted by Sysman View Post
On another occasion he had a wheel fall off it while driving down the road. A bolt sheared or something. He used string to hold that back on too.
His entire emergency toolkit appeared to consist of a ball of string.
Modern technology, pah!Comment
-
I lubricate my trunnions vigorously.Originally posted by zeitghost
I think he also used string when his wipers stopped working, but that might have been someone else.Comment
Comment