Monday, April 14, 2025

First Step in Safety-Critical Software Development

The first action when developing safety-critical software is to add an automatic commit check (a pre-commit hook or a CI gate) that builds the code and rejects the commit if the compiler emits any warning. Enable the highest warning level and treat all warnings as errors (for Visual C++ that is /W4 /WX, with /analyze for the Code Analysis warnings), so the gate does not depend on anyone reading the build log.

Common Visual C++ warnings relevant to safety-critical systems:

  1. C26451: Arithmetic overflow: Using operator 'op' on a narrower value and then casting the result to a wider type (comes from Code Analysis with /analyze). Example: uint64_t c = a + b where a and b are of type uint32_t; the addition is performed in 32 bits and has already wrapped before the result is widened.
  2. C4244: Conversion from 'type1' to 'type2', possible loss of data. Example: int → char or double → float; the high bits or the precision are dropped silently.
  3. C4018: Signed/unsigned mismatch. The signed operand is converted to unsigned, so a negative value becomes a huge positive one; this causes logic bugs and unsafe comparisons.
  4. C4701: Potentially uninitialized local variable used; some control path reaches the use without assigning the variable.
  5. C4715: Not all control paths return a value; the caller receives garbage on the missing path.
  6. C4013: 'function' undefined; assuming extern returning int (C only; in C++ a call to an undeclared function is an error). Without a prototype the arguments are passed with no type checking.

Of course, there is much more that needs to be done; in this blog post, I just wanted to focus on the first step from the perspective of a tech lead.
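The following is an added example, not code from the original post: it shows the bug behind each of C26451, C4244 and C4018 beside a corrected form, and the "every path assigns, every path returns" shape that C4701 and C4715 demand. The function names and the sensor-reading and packet-length scenario are constructed for the illustration. The `_buggy` bodies are the shapes those MSVC warnings flag under /W4 /WX /analyze; GCC and Clang catch only some of them with -Wall -Wextra and need -Wconversion for the narrowing case.

```c
/* Added example (not from the original post): the bugs behind C26451, C4244
 * and C4018, each beside a corrected form, followed by the "every path
 * assigns, every path returns" shape that C4701 and C4715 demand.
 * Function names and the sensor/packet scenario are constructed. */
#include <stdint.h>
#include <stdio.h>

/* C26451: a + b is evaluated as 32-bit arithmetic; widening to 64 bits
 * happens only after the addition has already wrapped. */
static uint64_t add_u32_buggy(uint32_t a, uint32_t b) {
    uint64_t c = a + b;          /* 0xFFFFFFFF + 1 wraps to 0 before the cast */
    return c;
}
static uint64_t add_u32_fixed(uint32_t a, uint32_t b) {
    return (uint64_t)a + b;      /* widen first, then add: 0x100000000 */
}

/* C4244: storing an int in a uint8_t keeps only the low 8 bits. */
static uint8_t pack_len_buggy(int len) {
    uint8_t packed = len;        /* 300 silently becomes 44 */
    return packed;
}
/* Corrected form: range-check and report an error instead of truncating.
 * Returns the packed value (0..255) or -1 when len does not fit. */
static int pack_len_fixed(int len) {
    if (len < 0 || len > UINT8_MAX)
        return -1;
    return (uint8_t)len;
}

/* C4018: comparing int with unsigned converts the int to unsigned, so a
 * negative sensor reading turns into a huge positive value. */
static int below_min_buggy(int reading, unsigned min_allowed) {
    return reading < min_allowed;   /* -5 becomes 4294967291; "-5 < 0" is false */
}
static int below_min_fixed(int reading, unsigned min_allowed) {
    if (reading < 0)
        return 1;                   /* a negative reading is below any unsigned bound */
    return (unsigned)reading < min_allowed;
}

/* C4715: the bug is a control path the author forgot. mode_from_code returns
 * the enum value for a valid code or -1 for an invalid one. Without the final
 * return, code 3 would fall off the end and the caller would get garbage. */
enum mode { MODE_IDLE = 0, MODE_RUN = 1, MODE_FAULT = 2 };

static int mode_from_code(int code) {
    switch (code) {
    case 0: return MODE_IDLE;
    case 1: return MODE_RUN;
    case 2: return MODE_FAULT;
    }
    return -1;                      /* the path the original forgot */
}

/* C4701: if 'limit' were declared without an initializer, MODE_FAULT would
 * reach the return with it unassigned. Initializing it to the safe value
 * (0, i.e. nothing allowed) closes that path. */
static unsigned limit_for_mode(enum mode m) {
    unsigned limit = 0;
    if (m == MODE_RUN)
        limit = 100;
    else if (m == MODE_IDLE)
        limit = 10;
    return limit;
}

int main(void) {
    printf("C26451: buggy=%llu fixed=%llu\n",
           (unsigned long long)add_u32_buggy(0xFFFFFFFFu, 1u),
           (unsigned long long)add_u32_fixed(0xFFFFFFFFu, 1u));
    printf("C4244:  buggy=%d fixed=%d\n", pack_len_buggy(300), pack_len_fixed(300));
    printf("C4018:  buggy=%d fixed=%d\n", below_min_buggy(-5, 0u), below_min_fixed(-5, 0u));
    printf("C4715:  code 3 -> %d\n", mode_from_code(3));
    printf("C4701:  MODE_FAULT limit -> %u\n", limit_for_mode(MODE_FAULT));
    return 0;
}
```

Note the pattern in every corrected form: the fix is not a cast that silences the warning but an explicit decision about the path the compiler found (widen before the operation, reject out-of-range input, handle the negative case, give the missing branch a defined result). A cast added only to quiet the gate defeats the purpose of having it.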
