Re: [SystemSafety] Stupid Software Errors [was: Overflow......]

From: Heath Raftery < >
Date: Tue, 05 May 2015 08:47:23 +1000


On 5/05/2015 1:41 AM, Daniel Kästner wrote:
> some performance figures about an Astrée analysis for a Level A avionics
> application:
> - code size > 700.000 lines of C code
> - analysis duration: 6 hours
> - hardware: Intel Core2Duo 2.66 GHz, 8GB RAM.
> - result: 0 alarms
> I.e. the absence of run-time errors was proven, including arithmetic
> overflows.

Is the implicit assumption that zero run-time errors is better actually sound? Here's a "run-time error":

<code>
#include <stdint.h>
#include <stdio.h>

extern volatile int buttonPressed;   /* assumed: set by the button input */
extern void wait(int ms);            /* assumed: target-specific delay   */

int main(void)
{
   uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

   while(1)
   {
      wait(1);

      timeInMilliseconds++;            /* free-running; wraps after 65535 */

      if(buttonPressed)
        buttonPressTime = timeInMilliseconds;

      /* The cast keeps the difference modulo 2^16, so the comparison stays
         correct across the wrap even where int is wider than 16 bits. */
      if(buttonPressTime && (uint16_t)(timeInMilliseconds - buttonPressTime) > 300)
      {
        printf("A button was pressed 0.3s ago.");
        buttonPressTime = 0;
      }
   }
}
</code>

Eventually timeInMilliseconds will wrap - apparently a run-time error. But this code will "work" forever, even after the wrap occurs.

Here's a "fix" for the run-time error:

<code>
#include <stdint.h>
#include <stdio.h>

extern volatile int buttonPressed;   /* assumed: set by the button input */
extern void wait(int ms);            /* assumed: target-specific delay   */

int main(void)
{
   uint16_t buttonPressTime = 0, timeInMilliseconds = 0;

   while(1)
   {
      wait(1);

      /* Saturate at the top of the uint16_t range instead of wrapping. */
      if(timeInMilliseconds < UINT16_MAX)
        timeInMilliseconds++;

      if(buttonPressed)
        buttonPressTime = timeInMilliseconds;

      if(buttonPressTime && (timeInMilliseconds - buttonPressTime) > 300)
      {
        printf("A button was pressed 0.3s ago.");
        buttonPressTime = 0;
      }
   }
}
</code>

Tada! No run-time errors! Of course, it stops working after a minute.

Yes, the tools are great, and not using them would take extraordinary justification. But to cry that "integer overflow was fixed 30 years ago!" may be missing the point.

Heath
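As an added example (not from Heath's post or anyone else in the thread), the C program below simulates the button timer on a free-running 16-bit millisecond counter three ways: a bare subtraction of the two uint16_t values (which default integer promotion turns into a signed int, so it goes negative after the wrap on any target whose int is wider than 16 bits), the difference cast back to uint16_t so it is taken modulo 2^16, and a counter that saturates at UINT16_MAX. The simulation harness, the names simulate, elapsed_ms and timer_mode, and the press time of 65400 ms are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum timer_mode {
    TIMER_NAIVE,     /* t - p with default integer promotion (int result)     */
    TIMER_MODULAR,   /* (uint16_t)(t - p): difference taken modulo 2^16       */
    TIMER_SATURATE   /* counter stops at UINT16_MAX instead of wrapping       */
};

/* Elapsed time between two readings of a free-running 16-bit counter.
 * Casting the difference back to uint16_t makes it modular, so it is right
 * across the wrap whether int is 16 or 32 bits wide on the target. */
static uint16_t elapsed_ms(uint16_t now, uint16_t then)
{
    return (uint16_t)(now - then);
}

/* Run the button timer for `ticks` 1 ms iterations with the button pressed
 * on iteration `press_at`. Returns the iteration on which "pressed 0.3s ago"
 * would be reported, or -1 if it never is. */
static long simulate(enum timer_mode mode, long ticks, long press_at)
{
    uint16_t time_ms = 0, press_time = 0;
    bool pending = false;   /* a flag rather than a 0 sentinel, so a press
                               landing on counter value 0 is not lost     */

    for (long tick = 1; tick <= ticks; tick++) {
        if (mode == TIMER_SATURATE) {
            if (time_ms < UINT16_MAX)
                time_ms++;
        } else {
            time_ms++;      /* unsigned wrap-around: defined behaviour in C */
        }

        if (tick == press_at) {
            press_time = time_ms;
            pending = true;
        }

        if (pending) {
            bool expired;
            if (mode == TIMER_NAIVE)
                expired = (time_ms - press_time) > 300;  /* promoted to int */
            else
                expired = elapsed_ms(time_ms, press_time) > 300;
            if (expired)
                return tick;
        }
    }
    return -1;
}

int main(void)
{
    const long press = 65400;   /* constructed: press 135 ms before the wrap */
    printf("naive:    %ld\n", simulate(TIMER_NAIVE, 200000, press));
    printf("modular:  %ld\n", simulate(TIMER_MODULAR, 200000, press));
    printf("saturate: %ld\n", simulate(TIMER_SATURATE, 200000, press));
    return 0;
}
```

For a press at 1000 ms all three variants report on iteration 1301. For a press at 65400 ms, 135 ms before the counter wraps, only the modular variant reports (on iteration 65701, 301 ms later, with the counter reading 165); the bare subtraction never becomes greater than 300 on a 32-bit-int host because it is negative for the rest of the counter's cycle, and the saturating counter can never get more than 135 ms away from the press.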



The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Tue May 05 2015 - 00:47:37 CEST

This archive was generated by hypermail 2.3.0 : Thu Apr 25 2019 - 23:17:07 CEST