HardwareTeams.com - The #1 job board and blog for electrical and computer engineers

’s

10 rules for developing safety-critical code

The Power of 10 Rules were created in 2006 by Gerard J. Holzmann of the NASA/JPL Laboratory for Reliable Software. The rules are intended to eliminate C coding practices which make code difficult to review or statically analyze.

  1. Restrict all code to very simple control flow constructs

    • ❌ goto
    • ❌ setjmp
    • ❌ longjmp
    • ❌ recursion

  2. Give all loops a fixed upper bound.

    • all loops should be bound by a hard upper bound that is an integer not a pointer (i.e. do not break out of a loop with a logical check for a null)

  3. Do not use dynamic memory allocation after initialization.

    • ❌ heap
    • ✅ stack - can easily predict how much memory your program is going to use

  4. No function should be longer than what can be printed on a single sheet of paper in a standard format with one line per statement and one line per declaration.

    • keep it small enough to easily test

  5. The code’s assertion density should average to minimally two assertions per function.

  6. Declare all data objects at the smallest possible level of scope.

    • reduce amount of code that can access a variable thus reducing things that can go wrong

  7. Each calling function must check the return value of nonvoid functions, and each called function must check the validity of all parameters provided by the caller.

    • i.e. printf(...) failure is something we dont typically care about
    • power of 10 says we should wrap returns we dont care about, i.e. (void)printf(...) to be explicit. If its not explicitly cast, it means the return value was meant to be checked.

  8. The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions.

    • conditional compilation can create exponential amount of compilation targets

  9. Limit pointer use to a single dereference, and do not use function pointers.

int good_pointer_use(A *a){
    B* b = &a->b;
    C* c = &b->c;
}
  1. Compile with all possible warnings active; all warnings should then be addressed before the release of the software.
gcc -Wall -Werror -Wpedantic

More rules can be found in the JPL Institutional Coding Standard for the C Programming Language

comments powered by Disqus