Re: [SystemSafety] OpenSSL Bug

From: Heath Raftery
Date: Wed, 16 Apr 2014 08:28:01 +1000


On 15/04/2014 10:11 PM, Derek M Jones wrote:
> MISRA-C is a mishmash that is a lot better than most (ok, the bar
> is not that high) and is slowly converging towards something useful.
> If you have to pick a guideline document it is the best one publicly
> available (I would rate a blank page as the second best) and I would
> be surprised if you could produce something better without spending
> a lot of time or having lots of prior guideline experience.

FWIW, I offer a document to place before MISRA-C in your list.

The Power of Ten: http://spinroot.com/p10/

I actually think rules 7 and 8 are less valuable but the Rationale text provides excellent justification to consider when breaking the rule. I would also replace Rule 4 with 2 rules: limit case statements and if clauses to 30 lines; and never duplicate more than 4 lines of code.

The justification for 10 rules instead of MISRA-C's 143 has been laid out more effectively by others than I could do, but ultimately it comes down to two things: 1) programmers are (or believe they are) artists and to take their most expressive tools away may not always lead to better quality (more pragmatically, they will never agree on 143 rules) and 2) there is greater value in considering the ramifications of violating a rule than there is in blindly following it. That's significantly easier to do with 10 rules than 143.

Not checking the length passed to memcpy is really a distinct human mistake. Mistakes like that should be expected and always corrected with testing and analysis. A blanket rule that tries to prevent mistakes like that from ever happening is a whack-a-mole game that results in a lot of headaches. The rules should lead to code that lends itself well to testing and analysis.

Heath



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Wed Apr 16 2014 - 00:28:14 CEST
