Using templates in safety-critical systems (flight-critical systems)

aeromarine

Hi.

I want to know whether I can use templates in safety-critical systems or
not.
From googling I found the following at http://gotw.ca/sands3.htm, and I was
astonished at "you must use templates".

1:30-2:45pm C++ In Safety-Critical Systems (Bjarne Stroustrup)
C++ is widely used in embedded systems programming and even in safety-
critical and hard-real-time systems. This presentation discusses how
to write code in these highly demanding application areas. First the
mapping of C++ code to hardware resources is reviewed and the basic
abstraction mechanisms (classes and templates) are reviewed from the
perspective of this kind of code. Then, the JSF++ coding rules are
examined as an example of a set of domain specific rules. These rules
have been and are being used for the development of millions of lines
of C++. Questions addressed include: "Can I use templates in safety-
critical code?" (yes, you can and must) and "Can I use exceptions in
hard-real time code?" (sadly no, not with the current level of tool
support). Predictability of language features and minimization of
programmer mistakes are key notions.

If anyone has more detailed information about the seminar or the
presentation file, please send it to me.
I would very much appreciate it.

And if anyone has experience developing safety-critical systems using
templates, especially experience with DO-178, please tell me about
your experience.

Thanks.
 
jalina

aeromarine wrote:
I want to know whether I can use templates in safety-critical systems or
not.
[...]

Templates in C++ are, roughly speaking, just macros. That said, if your
concern is that templates add extra stuff under the hood, you should
just not worry.

J.
 
Ian Collins

jalina said:
Templates in C++ are, roughly speaking, just macros. That said, if your
concern is that templates add extra stuff under the hood, you should
just not worry.
Nonsense. Ever specialised a macro?
 
jalina

Ian Collins wrote:
Nonsense. Ever specialised a macro?

My point was to suggest why templates should not be feared if the concern
is about adding extra stuff, e.g. adding a lot of hidden code (hence
"roughly speaking").

I DID NOT say templates were just macros. Please try to understand when
someone posts an *answer* to a particular question.

(Yes, I have already specialised a macro.)

Thanks
J.
 
jalina

jalina wrote:
Ian Collins wrote:
[...]

(Yes, I have already specialised a
    template
    (of course)
macro.)
 
HongWoo

Do you have experience developing hard real-time, safety-critical
systems with C++ templates?

I'm worried about testing code that uses templates and the STL.

Thanks.
 
Ian Collins

HongWoo said:
Do you have experience developing hard real-time, safety-critical
systems with C++ templates?

I'm worried about testing code that uses templates and the STL.
Why, don't you trust your tests?

I would be way more concerned about process than about the use of templates
when testing a safety-critical system.

Give some specific problems you envisage with templates.
 
Hans

Do you have experience developing hard real-time, safety-critical
systems with C++ templates?

I'm worried about testing code that uses templates and the STL.

Thanks.

To answer the question, I will need to split it up into several
questions. Hard real-time is not necessarily related to safety-critical
systems, and templates and the STL can have very different
implications.

Hard real-time
Templates cause no additional problems. Since it is hard real-time you
will somehow need to ensure that your code meets its deadlines. This
is equally difficult with or without templates.
If you want to use the STL within that code, you will have to be careful.
It usually relies on dynamic memory allocation. Maybe you can get
around that by using your own allocators; I have never tried it
myself.

Safety-critical
Again, templates should cause no additional problems. One thing you
will have to consider is what to test. The JSF C++ coding
guidelines (see for example rules 101 and 102) state that you should
test all your template instantiations. Thus, if you define your own
vector template, testing vector<int> is not enough - it does not tell
you whether vector<void*> or vector<float> works.
Using the STL in a safety-critical system will, again, require some care.
Do your safety guidelines allow the use of dynamic memory? If not, can
you still use the STL? Also, do your guidelines state that the code
running in your system should be tested? Then that applies to any
libraries you use, including the STL. Can you get an STL version that the
vendor provides tests for, or can you yourself define and test a
subset of the STL? That might prove cheaper than developing (and still
having to test) similar functionality in-house...
 
Lionel B

Hi.

I want to know whether I can use templates in safety-critical systems or
not.

Why not, if they're useful to the task at hand? They're part of the
language and thus behave - like any other language construct - according
to how the language specifies they should.

Perhaps some years ago there might have been an argument that templates
could prove unreliable since some compilers implemented them incorrectly
(MSVC++ 6 springs to mind...), but you can probably assume that "modern"
compilers implement templates as well as they do any other basic language
construct - and if you can't trust your compiler you're screwed anyway.

It's also worth remarking that templates per se generally introduce zero
"hidden overheads", unlike some other abstraction mechanisms (e.g.
virtual functions), so there's no reason not to use them in real-time
programming.
From googling I found the following at http://gotw.ca/sands3.htm, and I was
astonished at "you must use templates".

yes... or the template police will get you ;-)

Couldn't find a transcript of Bjarne's talk on the site, but I'm sure he
has his reasons...

[...]
 
Sam

aeromarine said:
Hi.

I want to know whether I can use templates in safety-critical systems or
not.

"Safety-critical" is a meaningless buzzword. Unless further qualified, no
two people will come away with the same interpretation.



 
bjarne

I want to know whether I can use templates in safety-critical systems or
not.
From googling I found the following at http://gotw.ca/sands3.htm, and I was
astonished at "you must use templates".
[...]
And if anyone has experience developing safety-critical systems using
templates, especially experience with DO-178, please tell me about
your experience.

You can look at two written sources:

B. Stroustrup: Abstraction and the C++ machine model. Proc. ICESS'04.
December 2004. Also in Springer LNCS 3605, Embedded software and
systems, 2005. http://www.research.att.com/~bs/abstraction-and-machine.pdf

JSF++: The JSF air vehicle C++ coding standard:
http://www.research.att.com/~bs/JSF-AV-rules.pdf

In addition, The ISO C++ committee's TR on performance may be of use
to you: http://www.research.att.com/~bs/performanceTR.pdf

-- Bjarne Stroustrup; http://www.research.att.com/~bs

PS You could have found those references on my "C++ links" page.
 
Erik Wikström

Do you have experience developing hard real-time, safety-critical
systems with C++ templates?

I'm worried about testing code that uses templates and the STL.

There is nothing different about testing template code compared with
normal code (as long as you instantiate the templates with the same types
that will be used in the real code). One nice thing about templates is
that they do not instantiate stuff that you do not need. That means that
you will have no dead code, so you can actually get smaller code than what
you would get without using templates. To demonstrate this consider the
following (bad) code:

// Deliberately bad: both foo() and bar() return a reference to their
// by-value parameter, which is destroyed when the function returns.
template<class T>
class Test
{
public:
    T& foo(T i)
    {
        return i;
    }

    T& bar(T i)
    {
        return i;
    }
};

int main()
{
    Test<int> t;
    t.foo(1);   // only foo() is instantiated; bar() is never compiled
}

If you compile this with a good compiler you should get a warning about
returning a reference to a local variable, but only in function foo()
and not in bar(), since that is not used and thus not compiled. If you add
a call to bar() too, you should get a warning for bar() too.
 
James Kanze

Why, don't you trust your tests?

Because a test can only prove that the code is wrong; it can
never prove it correct. In safety-critical systems, it is usual
to use some sort of code validation process, in addition to
tests. Complex template meta-programming can definitely make
code validation more difficult. If additional tools are used to
support validation, you have to obey any restrictions introduced
by those tools, and if your validation team does not feel
comfortable with templates, or certain uses of templates, then
you have to take that into account as well. (Personally, I
don't see any problem with simple straight-forward templates,
but I would eschew any complex meta-programming.)
 
Grizlyk

Lionel said:
Why not, if they're useful to the task at hand?

you can probably assume that "modern" compilers implement
templates as well as they do any other basic language
construct

Ideally.

Templates with template<> look useful, and any code is better written
with templates than without.

If you have an interest in OOD/OOP, you can see that with template<>
you can declare, for C++, a pure-like object-oriented abstract
template (an implementation-independent template).

An abstract template is a way to write reusable software components.
Any abstract template implies polymorphic behaviour for all things
passed as template parameters.

You can select the concrete implementation of an abstract template as a
compile-time template (the abstract template will be implemented as
multiple copies of code) or as a run-time template (the abstract template
will be implemented as a single copy of code and multiple function
calls). In most cases a run-time template implies at least one virtual
function call.

You can also give up the polymorphic behaviour of an abstract template
and turn your template into plain code. In that case you will not see
any differences between templated and non-templated code, but correctly
designed templated components can be reused in future.

class TerTerTer;   // some concrete argument type; only its name is needed here

namespace Ncomponents
{
    // abstract components: every collaborator is a template parameter
    template<typename VeryLongClassName, typename EvenMoreLongClassName >
    class A {};

    template<
        typename VeryLongClassName,
        typename EvenMoreLongClassName,
        typename MoreThanEvenMoreLongClassName >
    class B {};

    B< TerTerTer, int, A< TerTerTer, int > > b;
}

namespace Nnon_polymorphic
{
    // the same components with the polymorphism "switched off":
    // one chosen instantiation per name, used like plain classes
    typedef Ncomponents::A< TerTerTer, int > A;
    typedef Ncomponents::B< TerTerTer, int, A > B;

    B b;
}

Really.

1. template syntax looks worse than the traditional C/C++ one

template<typename VeryLongClassName, typename EvenMoreLongClassName >
class B;
template<typename VeryLongClassName, typename EvenMoreLongClassName,
typename MoreThanEvenMoreLongClassName>
class A;
A<TerTerTer, int, B<TerTerTer, int> >

is not better than

class B;
class A;
A;

The long declarations make understanding the code more difficult, which
leads to errors due to human confusion.


2. abstract templates are not completely supported by C++ (at least for
now): there is not enough "syntactic sugar", and the C++ compiler supports
only trivial operations with abstract templates at compile time.

"Concepts", for example, will try to add some stuff for the support,
but we need a real compiler with concepts to test that stuff.

3. abstract templates tend to move some errors that are detectable at
compile time onto the end user rather than the designer of the component.

4. some real compilers have limitations when working with templated source:
it is hard to trace, hard to see the output of, hard to link, etc.

So, you can select :)

By the way, C++ does not have enough facilities to control the
implementation of abstract code.

Ideally, when we declare a function, we write abstract code; that means
that, from the implementation point of view, even a C-style function is
an abstract function; that means that, once declared, a function must be
able to be implemented in different manners, as template<> does.

For example:

//my_function declaration
//default implementation
extern "C++, inline, register, nothrow"
void
my_function(int, int);

//usage of my_function

//some times per execution
//compiler makes outline copy of my_function
my_function::(extern "outline, stdcall")(0,0);

for(int i=1000000; i; --i)
{
//by default
my_function(i,0);
//force fast copy for unknown defaults of my_function
my_function::(extern "inline, register")(0,i);
}

Maksim A. Polyanin
http://grizlyk1.narod.ru/cpp_new
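Lionel B's remark that templates add no hidden overhead (unlike virtual functions), and Grizlyk's distinction between a compile-time and a run-time implementation of an abstract template, illustrated with an added example that is not code from either poster: the same accumulator written once against a virtual ISensor interface and once as a class template, with std::is_polymorphic used to make the presence or absence of a vtable checkable at compile time. The sensor and accumulator names and the ramp sample data are assumptions made for this example.

```cpp
#include <cstdio>
#include <type_traits>

// Run-time "abstract template": the interface is a virtual base class, so a
// single copy of the client code serves every sensor through the vtable.
struct ISensor {
    virtual ~ISensor() {}
    virtual int read() = 0;
};

// Constructed sample sensor: returns start, start+1, start+2, ...
class RampSensor : public ISensor {
public:
    explicit RampSensor(int start) : next_(start) {}
    int read() override { return next_++; }
private:
    int next_;
};

// Client written against the run-time interface (one copy, indirect calls).
class RuntimeAccumulator {
public:
    explicit RuntimeAccumulator(ISensor& s) : sensor_(s) {}
    int sum_of(int samples) {
        int total = 0;
        for (int i = 0; i < samples; ++i) total += sensor_.read();
        return total;
    }
private:
    ISensor& sensor_;
};

// Compile-time "abstract template": the sensor type is a template parameter.
// Each instantiation is a separate copy with direct, inlinable calls; the
// Sensor type needs no virtual functions and therefore no vtable pointer.
template <typename Sensor>
class StaticAccumulator {
public:
    explicit StaticAccumulator(Sensor& s) : sensor_(s) {}
    int sum_of(int samples) {
        int total = 0;
        for (int i = 0; i < samples; ++i) total += sensor_.read();
        return total;
    }
private:
    Sensor& sensor_;
};

// A sensor with no virtual functions at all; only the template client can use it.
class PlainRampSensor {
public:
    explicit PlainRampSensor(int start) : next_(start) {}
    int read() { return next_++; }
private:
    int next_;
};

// "Plain code" view of the template, in the spirit of the Nnon_polymorphic
// namespace above: pick one instantiation and give it an ordinary name.
typedef StaticAccumulator<PlainRampSensor> PlainAccumulator;

// The compile-time version carries no hidden vtable; the run-time one does.
static_assert(!std::is_polymorphic<PlainRampSensor>::value, "plain sensor has no vtable");
static_assert(std::is_polymorphic<ISensor>::value, "virtual interface has a vtable");
static_assert(sizeof(PlainRampSensor) == sizeof(int), "plain sensor is just its state");

int runtime_sum(int start, int samples) {
    RampSensor s(start);
    RuntimeAccumulator acc(s);
    return acc.sum_of(samples);
}

int static_sum(int start, int samples) {
    PlainRampSensor s(start);
    PlainAccumulator acc(s);
    return acc.sum_of(samples);
}

// Both dispatch strategies compute the same result; only the mechanism differs.
bool both_agree(int start, int samples) {
    return runtime_sum(start, samples) == static_sum(start, samples);
}

int main() {
    std::printf("runtime=%d static=%d agree=%s\n",
                runtime_sum(1, 4), static_sum(1, 4), both_agree(1, 4) ? "yes" : "no");
    return both_agree(1, 4) ? 0 : 1;
}
```

The cost of the compile-time form is the one Grizlyk names: every distinct Sensor type yields its own copy of StaticAccumulator::sum_of, which is also why JSF++-style rules ask for each instantiation to be tested separately.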
 
Martin

Have you read this: http://www.assconline.co.uk/documents/MoDASSCMISRA.pps

This is written by QinetiQ (similar to the USA's DARPA). In the end
they recommend that C++ not be used for systems requiring the highest
level of safety (approximately DO-178B levels A & B).

Interestingly, it was (again) down to lack of tool support rather
than language deficiency that they made this recommendation.

I'm still looking forward to getting hold of MISRA C++ though :)
 
