Re: [SystemSafety] OpenSSL Bug

From: Heath Raftery < >
Date: Wed, 16 Apr 2014 07:57:26 +1000


On 16/04/2014 2:23 AM, Dewi Daniels wrote:
> C Worst 2 500
> Average 6 38 167 26
> Best 80 12.5
> Pascal Worst 6 167
> Average/Best 20 50

 >
> 3. While a significant difference was found in the anomaly rates
> resulting from the use of different programming languages, there was an
> even greater difference between the anomaly rates discovered in software
> developed by different vendors. While the average C program had a higher
> anomaly rate than the average Ada program, the best C programs had a
> lower anomaly rate than the worst Ada programs.

Yes, a few interesting conclusions could be drawn, with caveats about extrapolation. The interesting part for me is from the section of the table I've reproduced. For all the talk of the suitability of strongly-typed languages (ref, for example, IEC 61508 Part 3 and its strong stance), why do we not see a significant difference between C and Pascal? Could it be that contributing factors of programming style, time allocated, competence, interfaces to existing code, mindset, priorities, etc., etc., are much stronger factors than the strongly-typedness of the language, or indeed, the language at all?

More to the point, *what is it* about SPARK that leads to lower defect rates? Could it be that the team preparation necessary to implement something in SPARK necessarily requires more training/consideration than to implement the same thing in C? Put another way, if you had a team of C developers ready to start a new project, would you train them in SPARK, or would you just enforce a coding standard including safe use of memcpy (eg. have a DEBUG version that bounds checks like the OpenSSL team had at one point)?

Heath



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Tue Apr 15 2014 - 23:57:44 CEST

This archive was generated by hypermail 2.3.0 : Mon Feb 18 2019 - 11:17:06 CET