Re: [SystemSafety] OpenSSL Bug

From: Derek M Jones
Date: Tue, 15 Apr 2014 13:11:28 +0100


> But the most direct work I know of on the value of MISRA-C in non-safety-critical software is a study that attempted to correlate the locations of defects in video playback software with MISRA-C rule violations found an overall *slightly negative* correlation (i.e. the rules were worse than useless) [boogerd2008assessing]. Is there any specific evidence that would outweigh this**?

I think the main thrust of this paper is correct, there is a positive correlation between rule violations and reported defects for some rules and not for others (in fact negative in some cases). Least squares regression is not the technique to use for proportional data, but using a more appropriate technique will not change the overall results.

Creating coding guidelines involves getting agreement from those involved and in a voluntary project those involved are not always the most knowledgeable and sometimes heavily driven by personal experiences (e.g., this bug caused me to lose a week, we should have a rule prohibiting that use [when the case is very rare or the alternatives are even worse]).

An attempt to remove a 'useless' rule:

MISRA-C is a mishmash that is a lot better than most (ok, the bar is not that high) and is slowly converging towards something useful. If you have to pick a guideline document it is the best one publicly available (I would rate a blank page as the second best) and I would be surprised if you could produce something better without spending a lot of time or having lots of prior guideline experience.

Derek M. Jones                  tel: +44 (0) 1252 520 667
Knowledge Software Ltd
Software analysis     
The System Safety Mailing List
Received on Tue Apr 15 2014 - 14:11:37 CEST