24 research outputs found
C-rusted: The Advantages of Rust, in C, without the Disadvantages
C-rusted is an innovative technology whereby C programs can be (partly)
annotated so as to express: ownership, exclusivity and shareability of
language, system and user-defined resources; dynamic properties of objects and
the way they evolve during program execution; nominal typing and subtyping. The
(partially) annotated C programs can be translated with unmodified versions of
any compilation toolchain capable of processing ISO C code. The annotated C
program parts can be validated by static analysis: if the static analyzer flags
no error, then the annotations are provably coherent among themselves and with
respect to annotated C code, in which case said annotated parts are provably
exempt from a large class of logic, security, and run-time errors.Comment: 7 pages, 4 figure
Coding Guidelines and Undecidability
The C and C++ programming languages are widely used for the implementation of
software in critical systems. They are complex languages with subtle features
and peculiarities that might baffle even the more expert programmers. Hence,
the general prescription of language subsetting, which occurs in most
functional safety standards and amounts to only using a "safer" subset of the
language, is particularly applicable to them. Coding guidelines are the
preferred way of expressing language subsets. Some guidelines are formulated in
terms of the programming language and its implementation only: in this case
they are amenable to automatic checking. However, due to fundamental
limitations of computing, some guidelines are undecidable, that is, they are
based on program properties that no current and future algorithm can capture in
all cases. The most mature and widespread coding standards, the MISRA ones,
explicitly tag guidelines with undecidable or decidable. It turns out that this
information is not of secondary nature and must be taken into account for a
full understanding of what the guideline is asking for. As a matter of fact,
undecidability is a common source of confusion affecting many users of coding
standards and of the associated checking tools. In this paper, we recall the
notions of decidability and undecidability in terms that are understandable to
any C/C++ programmer. The paper includes a systematic study of all the
undecidable MISRA C:2012 guidelines, discussing the reasons for the
undecidability and its consequences. We pay particular attention to undecidable
guidelines that have decidable approximations whose enforcement would not
overly constrain the source code. We also discuss some coding guidelines for
which compliance is hard, if not impossible, to prove, even beyond the issue of
decidability.Comment: 12 pages, 5 figures, 1 tabl
The MISRA C Coding Standard and its Role in the Development and Analysis of Safety- and Security-Critical Embedded Software
The MISRA project started in 1990 with the mission of providing world-leading
best practice guidelines for the safe and secure application of both embedded
control systems and standalone software. MISRA C is a coding standard defining
a subset of the C language, initially targeted at the automotive sector, but
now adopted across all industry sectors that develop C software in safety-
and/or security-critical contexts. In this paper, we introduce MISRA C, its
role in the development of critical software, especially in embedded systems,
its relevance to industry safety standards, as well as the challenges of
working with a general-purpose programming language standard that is written in
natural language with a slow evolution over the last 40+ years. We also outline
the role of static analysis in the automatic checking of compliance with
respect to MISRA C, and the role of the MISRA C language subset in enabling a
wider application of formal methods to industrial software written in C.Comment: 19 pages, 1 figure, 2 table
The ACPATH Metric: Precise Estimation of the Number of Acyclic Paths in C-like Languages
NPATH is a metric introduced by Brian A. Nejmeh in [13] that is aimed at
overcoming some important limitations of McCabe's cyclomatic complexity.
Despite the fact that the declared NPATH objective is to count the number of
acyclic execution paths through a function, the definition given for the C
language in [13] fails to do so even for very simple programs. We show that
counting the number of acyclic paths in CFG is unfeasible in general. Then we
define a new metric for C-like languages, called ACPATH, that allows to quickly
compute an very good estimation of the number of acyclic execution paths
through the given function. We show that, if the function body does not contain
backward gotos and does not contain jumps into a loop from outside the loop,
then such estimation is actually exact
Correct Approximation of IEEE 754 Floating-Point Arithmetic for Program Verification
Verification of programs using floating-point arithmetic is challenging on
several accounts. One of the difficulties of reasoning about such programs is
due to the peculiarities of floating-point arithmetic: rounding errors,
infinities, non-numeric objects (NaNs), signed zeroes, denormal numbers,
different rounding modes, etc. One possibility to reason about floating-point
arithmetic is to model a program computation path by means of a set of ternary
constraints of the form z = x op y and use constraint propagation techniques to
infer new information on the variables' possible values. In this setting, we
define and prove the correctness of algorithms to precisely bound the value of
one of the variables x, y or z, starting from the bounds known for the other
two. We do this for each of the operations and for each rounding mode defined
by the IEEE 754 binary floating-point standard, even in the case the rounding
mode in effect is only partially known. This is the first time that such
so-called filtering algorithms are defined and their correctness is formally
proved. This is an important slab for paving the way to formal verification of
programs that use floating-point arithmetics.Comment: 64 pages, 19 figures, 2 table
Correct Approximation of IEEE 754 Floating-Point Arithmetic for Program Verification
Verification of programs using floating-point arithmetic is challenging on
several accounts. One of the difficulties of reasoning about such programs is
due to the peculiarities of floating-point arithmetic: rounding errors,
infinities, non-numeric objects (NaNs), signed zeroes, denormal numbers,
different rounding modes, etc. One possibility to reason about floating-point
arithmetic is to model a program computation path by means of a set of ternary
constraints of the form z = x op y and use constraint propagation techniques to
infer new information on the variables' possible values. In this setting, we
define and prove the correctness of algorithms to precisely bound the value of
one of the variables x, y or z, starting from the bounds known for the other
two. We do this for each of the operations and for each rounding mode defined
by the IEEE 754 binary floating-point standard, even in the case the rounding
mode in effect is only partially known. This is the first time that such
so-called filtering algorithms are defined and their correctness is formally
proved. This is an important slab for paving the way to formal verification of
programs that use floating-point arithmetics.Comment: 64 pages, 19 figures, 2 table
Formal Verification of Software Architectural Constraints
In the development of high-integrity software, all interactions between components must satisfy design constraints. Hierarchical levels must not be bypassed: if the design prescribes that software layer A cannot interact directly with layer C without the intermediation of layer B, this is something that must be verified. If components with different criticalities have to coexist on the same ECU, huge savings are possible if we can prove that lower-criticality components cannot interfere with higher-criticality ones. Effectiveness of monitoring safety mechanisms crucially depends on the independence between the monitored element and the monitor. In this paper, after recollecting the basic ideas and methodologies of software decomposition, we introduce the notions of independence and interference in ISO 26262 and other functional safety standards. We then show how architectural constraints at the software level can be formally verified by means of control and data flow static analyses. This technique allows for the formal verification of the design restricting all interactions between user-defined software elements: this includes dynamic, run-time dependencies such as read or write accesses to shared memory, function calls, passing and returning of data, as well as static dependencies due to header file inclusion and macro expansion. The formalization we present does not rely on complex logic formalisms and its implementation in the tool ECLAIR has been certified by TÜV SÜD
A Rationale-Based Classification of MISRA C Guidelines
MISRA C is the most authoritative language subset for the C programming language that is a de facto standard in several industry sectors where safety and security are of paramount importance. While MISRA C is currently encoded in 175 guidelines (coding rules and directives), it does not coincide with them: proper adoption of MISRA C requires embracing its preventive approach (as opposed to the "bug finding" approach) and a documented development process where justifiable non-compliances are authorized and recorded as deviations. MISRA C guidelines are classified along several axes in the official MISRA documents. In this paper, we add to these an orthogonal classification that associates guidelines with their main rationale. The advantages of this new classification are illustrated for different kinds of projects, including those not (yet) having MISRA compliance among their objectives
A Rationale-Based Classification of MISRA C Guidelines
MISRA C is the most authoritative language subset for the C programming language that is a de facto standard in several industry sectors where safety and security are of paramount importance. While MISRA C is currently encoded in 175 guidelines (coding rules and directives), it does not coincide with them: proper adoption of MISRA C requires embracing its preventive approach (as opposed to the "bug finding" approach) and a documented development process where justifiable non-compliances are authorized and recorded as deviations. MISRA C guidelines are classified along several axes in the official MISRA documents. In this paper, we add to these an orthogonal classification that associates guidelines with their main rationale. The advantages of this new classification are illustrated for different kinds of projects, including those not (yet) having MISRA compliance among their objectives
The MISRA C Coding Standard: A Key Enabler for the Development of Safety- and Security-Critical Embedded Software
Building embedded control systems that embody industry
best practices for safety and security is a challenging
task: doing so in unrestricted C is even more
challenging. C~is a general-purpose programming
language, partially defined by an ISO standard written
in natural language with a slow evolution over the last
40+ years. Its many strong points make it the most used
language for the development of embedded systems.
Unfortunately, the origin of C's strength is also the
origin of C's weakness: the language has many aspects
that are not fully defined, it has some rather obscure
aspects that can easily induce programmers into error,
and it has no run-time error detection facilities.
MISRA C is a coding standard defining a subset of the C
language, initially targeted at the automotive sector,
but now adopted across all industry sectors that develop
C software in safety- and/or security-critical contexts.
In this talk, we introduce MISRA C, its key role in the
development of critical embedded systems' software and
its relevance to industry safety and security standards.
We explain why and how MISRA C retains 95% of the
advantages of C and eradicates 95% of its drawbacks:
with the right tools, training and professional
expertise, the adoption of MISRA C, besides satisfying
some important requirements imposed by safety standards,
can significantly decrease development times and
costs