
The power of ten rules for developing safety critical code

Most existing coding guidelines contain well over a hundred rules, sometimes with questionable justification. Some rules, especially those that try to stipulate the use of white space in programs, may have been introduced by personal preference; others are meant to prevent very specific and unlikely types of error from earlier coding efforts within the same organization. The paper "The Power of 10: Rules for Developing Safety-Critical Code" (doi: 10.1109/MC.) takes the opposite approach with a small set of rules, summarized below.

Rule 2: All loops must have a fixed upper bound.

Rule 3: Do not use dynamic memory allocation after initialization. Memory allocators and garbage collectors often have unpredictable behavior that can significantly impact performance.

Rule 4: No function should be longer than what can be printed on a single sheet of paper (about 60 lines of code per function).

Rule 5: The assertion density of the code should average to a minimum of two assertions per function. Assertions must always be side-effect free and should be defined as Boolean tests. When an assertion fails, an explicit recovery action must be taken (for example, returning an error condition to the caller of the function).

Rule 6: Data objects must be declared at the smallest possible level of scope. Prefer local and static data rather than global data. The rule discourages the re-use of variables for multiple, incompatible purposes, which can complicate fault diagnosis.

Rule 7: The return value of non-void functions must be checked by each calling function, and the validity of parameters must be checked inside each function.

Rule 8: The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions. Token pasting, variable argument lists, and recursive macro calls are not allowed. The use of conditional compilation directives is often also dubious, but cannot always be avoided. This means that there should rarely be justification for more than one or two conditional compilation directives even in large software development efforts, beyond the standard boilerplate that avoids multiple inclusion of the same header file.

Rule 10: Compile with all possible warnings active; all warnings should then be addressed before release of the software.

The NASA study of the Toyota electronic throttle control firmware found at least 243 violations of these rules.

The Power of 10 Rules were created in 2006 by Gerard J. Holzmann of the NASA/JPL Laboratory for Reliable Software. The rules are intended to eliminate certain C coding practices which make code difficult to review or statically analyze. These rules are a complement to the MISRA C guidelines and have been incorporated into the greater set of JPL coding standards.

  • Avoid complex flow constructs, such as goto and recursion.
  • Restrict functions to a single printed page.
  • Use a minimum of two runtime assertions per function.
  • Restrict the scope of data to the smallest possible.
  • Check the return value of all non-void functions, or cast to void to indicate the return value is useless.
  • Limit pointer use to a single dereference, and do not use function pointers.
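As an added example (not code from the original page, from Holzmann's paper, or from JPL), the following small C module shows what several of the rules look like together in one function: a loop with a compile-time upper bound, side-effect-free assertions that recover by returning an error to the caller, parameter validation, fixed-size storage with no allocation, data at the smallest scope, a single pointer dereference, and a caller that checks every return value. The function names, the `MAX_DIGITS` limit, the status codes and the sample inputs are all assumptions made for this example.

```c
/* Added example, not from the page or JPL: a bounded decimal parser written
 * to follow the Power of 10 rules. Names, limits and inputs are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rule 5: an assertion is a Boolean test with no side effects; when it fails
 * the function takes an explicit recovery action (return an error code to
 * the caller) rather than aborting the whole program. Rule 8: a simple macro. */
#define ASSERT_OR_RETURN(cond, err) \
    do { if (!(cond)) { return (err); } } while (0)

/* Rule 3: storage limits are fixed at compile time; nothing is allocated.
 * Assumed limit: a 32-bit unsigned value has at most 10 decimal digits. */
#define MAX_DIGITS 10u
#define MAX_INPUTS 16u

enum parse_status {
    PARSE_OK        =  0,
    PARSE_BAD_ARG   = -1,   /* NULL pointer handed in                 */
    PARSE_BAD_INPUT = -2,   /* empty, too long, or non-digit input    */
    PARSE_OVERFLOW  = -3    /* value does not fit in uint32_t         */
};

/* Parse an unsigned decimal number from the first `len` bytes of `text`.
 * Rule 7: every parameter is validated and a status is returned for the
 * caller to check. Rule 9: `out` is dereferenced exactly once. */
int parse_u32(const char *text, size_t len, uint32_t *out)
{
    uint32_t value = 0;     /* Rule 6: declared at the smallest scope */
    size_t i;

    ASSERT_OR_RETURN(text != NULL, PARSE_BAD_ARG);
    ASSERT_OR_RETURN(out != NULL, PARSE_BAD_ARG);
    ASSERT_OR_RETURN(len > 0 && len <= MAX_DIGITS, PARSE_BAD_INPUT);

    /* Rule 2: the bound MAX_DIGITS is a constant, so the loop provably ends
     * even if `len` were wrong. Rule 1: no recursion, no goto. */
    for (i = 0; i < MAX_DIGITS && i < len; i++) {
        const unsigned d = (unsigned)text[i] - '0';   /* wraps huge for non-digits */
        ASSERT_OR_RETURN(d <= 9u, PARSE_BAD_INPUT);
        /* value * 10 + d must stay <= UINT32_MAX; check before computing it */
        ASSERT_OR_RETURN(value <= (UINT32_MAX - d) / 10u, PARSE_OVERFLOW);
        value = value * 10u + d;
    }
    *out = value;
    return PARSE_OK;
}

/* Convenience wrappers that return only the status or only the value. */
int status_of(const char *s)
{
    uint32_t v = 0;
    return parse_u32(s, (s == NULL) ? 0u : strlen(s), &v);
}

uint32_t value_of(const char *s)
{
    uint32_t v = 0;
    return (parse_u32(s, (s == NULL) ? 0u : strlen(s), &v) == PARSE_OK) ? v : 0u;
}

/* Rule 7 on the calling side: the status of every non-void call is checked,
 * and the one return value we ignore (printf) is cast to void on purpose.
 * Returns how many of the constructed sample inputs parse successfully. */
int count_valid_samples(void)
{
    /* constructed sample inputs: two valid, the rest exercising each failure */
    static const char *const inputs[] = {
        "42", "007", "", "99999999999", "x1", "4294967296", NULL
    };
    const size_t n = sizeof inputs / sizeof inputs[0];
    int ok = 0;
    size_t i;

    for (i = 0; i < MAX_INPUTS && i < n; i++) {
        const char *s = inputs[i];
        uint32_t v = 0;
        const int rc = (s == NULL) ? PARSE_BAD_ARG : parse_u32(s, strlen(s), &v);
        if (rc == PARSE_OK) {
            ok++;
        } else {
            (void)printf("input %zu rejected: status %d\n", i, rc);
        }
    }
    return ok;   /* 2 for the sample above */
}

int main(void)
{
    (void)printf("%d of the sample inputs are valid\n", count_valid_samples());
    return 0;
}
```

Each failing case is reported by a distinct status rather than by a crash or a silent wrong value, which is the point of pairing Rule 5 (assertions with a recovery action) with Rule 7 (checked return values): the caller always learns which check failed and can decide what to do about it.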
