[C-safe-secure-studygroup] On MISRA C:2012 Rule 14.1
Martin Sebor
msebor at gmail.com
Wed Apr 18 16:45:46 BST 2018
On 04/18/2018 01:38 AM, Clive Pygott wrote:
> My thought on this is that the example Martin suggests shouldn't be
> implemented as a for loop. I'd expect it to be implemented as a while loop
>
> void converge_on (double requiredPrecision)
> { double error = requiredPrecision +1.0; //
> anything > requiredPrecision
> while (error > requiredPrecision)
> error = iterate();;
> }
By my understanding of 8.14 this loop would also violate the rule
because the /loop counter/ (i.e., the variable that's involved
in a decision to exit the loop) doesn't have a scalar type.
I can't think of a way to write a loop like the one above under
these constraints.
Martin
>
> Clive
>
> On Wed, Apr 18, 2018 at 6:31 AM, Roberto Bagnara <bagnara at cs.unipr.it
> <mailto:bagnara at cs.unipr.it>> wrote:
>
> On 18/04/2018 04:15, Martin Sebor wrote:
> > On 04/17/2018 05:54 AM, Roberto Bagnara wrote:
> >> MISRA C:2012 Rule 14.1:
> >> A loop counter shall not have essentially floating type
> >>
> >> This is a required rule. The aim is to avoid that the
> complication and non-determinism of floating-point computations is
> reflected into the number of times loops are executed.
> >>
> >> By "complication" I mean that the limitations of floating-point
> types are not well understood by many programmers; for instance
> many do not know that 0.1 is not exactly representable as a binary
> floating-point number and many of those who do know would not be
> able to say how it will be rounded and upon what conditions.
> >>
> >> By "non-determinism" I mean that, even if the C implementation at
> hand is based on, say, IEEE~754, obtaining deterministic behavior
> (that is, behavior that is reproducible on different systems, even
> using the very same compiler) is a challenging task.
> >>
> >> Being able to reliably predict the number of iterations of a
> numerically-controlled loop is important both for safety and
> security: for such loops, integer numbers should be used.
> >
> > Not to dispute the validity of the rule in the (I suspect rare)
> > instances when a floating type is misused for the counter but
> > what about the cases where the number of iterations isn't known
> > ahead of time and the loop terminates only when the computation
> > converges on some predetermined floating result? How does one
> > write a loop like that so it doesn't violate the rule?
> >
> > For instance:
> >
> > void converge_on (double z)
> > {
> > for (double x = 0; x < z; )
> > x = foo (x);
> > }
> >
> > Based on the definitions in 8.14 Control statement expressions,
> > it seems impossible to write a loop like that. The concern that
> > the loop may not terminate is no different than with a scalar
> > counter:
> >
> > void converge_on (int z)
> > {
> > for (int x = 0; x < z; )
> > x = foo (x);
> > }
> >
> > I wonder if it might be worthwhile to distill the underlying
> > problem that rule 14.1 is trying to prevent and formulate
> > a rule aimed at avoiding it instead.
>
> Sorry, I should have clarified that "loop counter" is a technical
> term in MISRA C: it is defined in Section 8.14. The overall idea
> is to be able to express determinate iteration in MISRA C, that is,
> iteration whereby the maximum number of iterations can be known
> before the first iteration begins. In Pascal, the FOR construct
> plays this role; in MISRA C we have well-formed for loops.
> For indeterminate iteration you can use while or do-while loops,
> or you can deviate the relevant 14.* rules if you want to use
> for loops for that purpose as well.
>
> If you prefer semantic restrictions, you may consider
> Rule 3 of NASA JPL Institutional Coding Standard
> for the C Programming Language:
>
> Rule 3 (loop bounds)
> All loops shall have a statically determinable upper-bound on the
> maximum number of loop iterations. It shall be possible for a static
> compliance checking tool to affirm the existence of the bound. An
> exception is allowed for the use of a single non-terminating loop
> per task
> or thread where requests are received and processed. Such a server loop
> shall be annotated with the C comment: /* @non-terminating@ */.
> [Power of Ten Rule 2]
>
>
> --
> Prof. Roberto Bagnara
>
> Applied Formal Methods Laboratory - University of Parma, Italy
> mailto:bagnara at cs.unipr.it <mailto:bagnara at cs.unipr.it>
> BUGSENG srl - http://bugseng.com
> mailto:roberto.bagnara at bugseng.com
> <mailto:roberto.bagnara at bugseng.com>
>
>
> _______________________________________________
> C-safe-secure-studygroup mailing list
> C-safe-secure-studygroup at lists.trustable.io
> <mailto:C-safe-secure-studygroup at lists.trustable.io>
> https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup
> <https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup>
>
>
>
>
> _______________________________________________
> C-safe-secure-studygroup mailing list
> C-safe-secure-studygroup at lists.trustable.io
> https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup
>
More information about the C-safe-secure-studygroup
mailing list