Sign Iowa Banking Business Letter Template Safe

Industry sign banking iowa business letter template safe

so first of all thank you everyone for joining this webinar today we will focus on Miss Rossi's key role for the competence to industrial safety standards my name is Lavinia battalion I'm amongst other things the customer service representative here at Bob Jack let me now introduce our speaker prepared the Vanara Roberto is our CTO and chief scientist at Fox and other than a very passionate computer science professor at the University of Parma now only Robert is also a member of the mr. C working group and of the international standardization working group of the C programming language before turning it over to Roberto please note that you can write all of your questions in the Q&A section here on the left of your screen we will leave 10-15 minutes at the end to try and reply to as many of us with that all right then Roberto are you new to the world okay thank you very much for the introduction so let's get started here is a plan of today's webinar I will first talk about some important aspects about the C language and then I will introduce miss Rossi and I will focus on important points that should be taken into account if one wants to properly understand and successfully adopt Misra C first of all a small disclaimer I am a member of the miss Rossi working group and of Izod working group for team that standardizes the C programming language however these working groups and committees have official way of tolkien to the public so today I am speaking in a personal capacity okay so first the question do you want to program in massively and reason about your programs in assembly or would you prefer using C instead so if you are here I take it for granted that you want to reason in C so C is a very popular language it still after almost 50 years from its invention it will be 50 years in 2022 it's still the most used programming language overall and in particular for embedded systems and there are very strong economic reason for this success first one is that C compilers exist for almost any processor from the tiny biases to supercomputers C compile it code is very efficient and without hidden costs without hidden cost I mean that setting aside that important topic of multi-core AC program looking at the code can more or less guess how much it takes to execute a fragment C allows writing compote there are many built-in operators and with limited velocity you can express quite complicate things C is defined by an ISO standard and what is important for programming embedded systems is that C possibly using a compiler extensions allows easy access to the hardware C has a long history of usage also in critical systems and there are lots and lots of tools that assist people developing software in see many of these things however as we will see are in sharp contrast with safety and security requirements in this slide a little bit by joke we express what is the spirit of the standard to which working group 14 has always been faithful trust the programmer let the programmer do what it wants keep it fast even if it is not portable so this is problematic and why is it problematic so let us introduce the notion of behavior in C I am referring here to see 99 technical courage engine 3 but it's the same ol since 11 at C 18 first of all behavior is some pea or action that is externally visible so if it is not visible to the external word then it's as if it doesn't happen and in fact the compiler is allowed to systematically adopt the circled as if rule which means the compiler can do any transformation that preserves the observable behavior okay notice that this is not a peculiarity just of C it's also true for C++ and for other programming languages it is true for all programming languages that admit an optimized compilation implementation because in this as if rule we have almost all opportunities for optimization so let us go through the behaviors which are not fully defined in C there are several kinds of them so the most dangerous one is called undefined behavior it is defined by the standard as something that occurs when you use some non portable on row news program constructs or erroneous data and the important thing to be understood is that when the program engages in - in defining behavior there is no guarantee at all absolutely no requirement the program can do just anything may crash it may exhibit erratic behavior it may even format your are discs okay and what it happens is that the compiler assumes on the finite behavior does not happen so it is responsibility of the programmer to ensure that you don't have undefined behavior and if the program does have undefined behavior it is a fault of the programmer let us see a few examples of undefined behavior it is undefined behavior when a program attempts to modify a string literal so a constant of type string so here we have an example we have a string literal hello with three exclamation marks and the smart programmer believes okay I will be less emphatic let's erase two of these question marks so the programmer writes a null terminator in position six of the string however this is on the finite behavior okay it is undefined behavior so the program can do just anything why is it undefined behavior we will see a couple of reasons so the first reason I can give it to you now because string literals may be stored in read-only memory and if you try to write on read-only memory some other exception will occur which is completely out of control for from the program in a poor way so anything can happen another example is when you use an automatic variable so a variable that is allocated on the stack without having initialized it first okay this is under funny behavior and why because the C standard leaves it open for each data type apart from the character types to possess a trap representation so beat patterns that are not valid that close for example another exception when you try to read them for example if you have a memory with parity bits okay so here we have an example we have a main program with a local variable a which is not initialized so trying to read it is on the file behavior okay maybe there is a trap representation in the portion of the stack used to store a and this will have a behavior which is undefined let us move to another class of behavior which is called unspecified behavior it's better than on the final behavior because it happens when there are two or more choices to do one thing and the standard does not specify which one it is okay it will be one of the sensible options but you don't know which one and the standard says that the compiler need not document the choice and need not be consistent with the choice here is an example it is a specified behavior whether the sub expression in an expression are evaluated in one order or the other so here we have main program that returns hello plus word so there are two function calls whether whether the first to be evaluated will be hello or word it is unspecified so this program has two possible outputs one is hello world which is probably what was intended by the programmer but the program may well print word question mark hello Bank and this is also possible notice that the program the compiler might choose n ordering.if optimizations are enabled another ordering.if optimization are disabled and you can have many identical lines in your program and the compiler is no obligation whatsoever to be consistent with how it compiles these lines in different parts of the program okay another class of non completely defining behavior this is surely known by all of you its implementation defiant behavior its behavior that is unspecified but in this case the compiler has to document the choice that is made so all of you know that in C it is implementation define it whether int is I don't know 16 bits or 32 bits or another and there are many many other implementation define an aspect of the language so in c99 there are 112 of them here we see an example it's a implementation defined at whether a plain character meaning a char which child type which is not preceded by sine at or ensign it its implementation define it whether it has sign or not so this program tries and succeeds to understand this by using the standard macro charm in which is provided by the limits dot H adder file defined by the standard to understand whether the minimal value for char is zero which case it is unsigned or any other value in which case it is sign it is C not fully define it there are so many undefined unspecified implementation the final behaviors on in the language we are talking about hundreds of those and we facet over locale specific behavior which is not very relevant to this to this talk so I will skip it completely so the reason why the standardized language is not fully define it is because implementing compilers is much easier this way and most importantly because implementing efficient compilers so compilers that generate faster fast code is much easier so let's try to understand why is this the case so undefined behavior and another undefined behavior is when an exceptional condition occurs during the evaluation of an expression and for example an exceptional condition is overflow in the computation of sign an integer so here is an example a person reasoning in assembly code could write this function this function is meant to return one if value pastured envy is the maximum possible integer okay and it works in the mind of a programmer thinking in assembly this way so if B plus one is greater than V it's not the maximum integer but if it is a maximum one I know what happens in the machine V plus one will wrap around and I will end up with a negative number and so I will return one because it is really the maximum integer no this reasoning is wrong in C because overflow in sign it integer is undefined behavior so the compiler can well compile and it does come file if you try your compiler and your compiler as a strong optimization option you would see that it does compile this as if it was return zero okay because the compiler assumes B plus 1 cannot overflow ok another example we have already seen it so the program attempts to modify string literal we have seen already one reason because the string literal might be stored in read-only memory here we see another reason the point is that the compiler can merge the memory representation of string literals for example if we have a program where we have two literals one is tail and the other is head tail then the compiler can store in memory only head tail and return a pointer to the fifth character when it needs a representation of tail so if you change one string you change also the other okay and this these why the compiler assumes this will never happen the compiler will reserve the right to merge the representation so two reasons we have seen already why this is undefined behavior if read are stored in read-only memory another exception that is completely defined by other things that are not that are external to the C language okay or the compiler might merge the string literals and you by changing one you would change also other string literals let's see another example which is very interesting it's undefined behavior when an expression is shifted by a negative number or by an amount greater than or equal to the width of the promoted expression if you plan to attend the webinar next week please take this in mind because we will see an example of this so well let's divide the thing into two parts so shifting by a negative number what would mean shifting a quantity right by minus 2 position it might mean we shifted left by 2 position but if the language was defined this way then the compiler would have to insert an instruction to test the negativity of the shift count in case of negativity it should take the opposite and reverse the direction of the shift this is not in the spirit of the language okay so the spirit of the language is if you want to play with negative shift counts you write the code to do the thing it's a little bit more difficult to understand what might be the problem in shifting a 32 bit quantity 32 positions to the left so if one reasons I don't know in the way we're shift instruction is taught in university or at school one might say if I push 32 or more zeros from the right of a result I should get little right no why this and because there are very popular architectures for example Intel 64 on which I'm running right now and intel architecture 32 well the machine instruction that implements shifts well the first thing they do is they mask is a shift count by retaining only the five lower their bits why did they do this because they want to have a hard limit to the execution time of the shift instructions we don't want to spend milliseconds waiting for a million position shift that we program it by mistake so shifting by 32 is the same thing as shifted by 32 mask it which is the same as shifting by zero position which is the same as doing nothing so again same language leave this behavior on the file for speed and ease of implementation okay so pretty the spirit of the language whenever it is possible a high-level concept of the language should be map it to one machine instruction okay and since there is a variety between the machine instructions in different architectures this is one of the reason where we have behaviors that are not specified okay so it's now time to introduce Misra C so but before doing this let's go with the first poll so do you know already Misra C I just launched the ball okay a couple of second yeah while you express your choice I take the occasion to tell you that the paper upon which this webinar is base will be sent to you after the webinar okay so we've got a good 30% even more of that who is using it right now and the same amount knows it meaning they used it in the past and another 30% heard a bit but nothing more than that and a pretty tiny minority has never heard of it okay so this is very good very very good it it gives me incentive to introduce Misra C in the best possible way I can so Misra C let's start with misra project so Misra C is one of the activities of the mr. project which started in the 1990 it was an emanation of a research program funded by the UK government called safe IT the mission has always been to provide were leading best practices for safe and secure programming the project is since many years self-supported there is a private company that provides a project management sport by this I mean that they make little money by selling PDFs of mr. C and also art copies and they use these little money they make to run the meetings five times per year of the mrs. C and mrs. C + + working group and the other working groups that are present in the major project so here are the two original misra publications the first one are the misra guideline so development guidelines for vehicle based software misra started in the automotive sector even though the misra standards now are completely independent from automotive application however in the 1994 this was published and for many many years they were the only guidelines available in the automotive sector so they were published more than 10 years before work started on ISO 26262 and the second publication the one on the right is the first version of MS receipts dated April 1998 so here is a picture showing a little bit of the history of miss Rossi at the beginning for the end Rover were working on their own in development guidelines for 4c for the C programming language and they put forces together under the umbrella of the major project and this resulted in mr. C 1998 and mr. C pretty much influenced that all the coding standards that have been developed afterwards for example JSF another proprietary coding standard for C++ by Lockheed Martin and of course influenced at all the subsequent version of Misra C ok so let's introduce mr. C 2012 the latest revision why we have me as a seal oh let me connect to what we have just seen so what is very important to understand is that the weakness of the C language comes from its strengths so the good points are tired - the bad points so there is basically they come from the same sources for example the fact that it is easier writing efficient compilers for almost any architecture as I explained is one of the reasons behind non definite behavior the fact that it is possible to write efficient code with no hidden costs this is also because there is no runtime error checking at all if you want to check access to an array new program the checks but the language is not adding any code to do runtime error checking the fact that there are many compilers the fact that there is an iso standard and the fact that iso standardized existing practice is another reason why we have known definite behavior if we have two existing compilers that implement the same thing in two different ways well in the pragmatic view which is proper of the eyes of working groups you cannot tell two to one of the two you are doing it wrong you should read it so having non definite behavior is sometimes the only way forward to make progress in the standard easy of the language the fact that is easy to access the artwork it's the same reason why it is so easy to corrupt the program state for example to overwrite the stack and the fact that you can write comfort code is the same reason behind the fact that the language can be easily misunderstood and misuse it ok people doesn't know for example what are the precedence and associativity rules of several of the operators that are provided by the line so several features of C conflict with safety and security what is the solution the solution that industry adopted is very pragmatical one it's called language subsetting you don't program your systems in c you program them in a subset of c were the chances of committing critical mistakes are very much reduced ok language subsetting is mandated or highly recommended by all safety and security related industry standards right and today the most authoritative language subset for the c programming language is mr. C and that is why this is a topic of today's seminar ok so let me start to present the guidelines they see a Misra C is a book in essence ok a book and the recommendations are presented in the form of guidelines and guidelines are presented in this way so the reason first there is a pink strip were on the Left we have a unique identifier for the guideline which is composed by a word which may be a rule or directive many of you maybe are more used about the expression coding rule okay whether the rule are only a part of the guidelines of Misra C there are also directives we will see this in a second and then there is a short very short summary of the rule which is called the headline okay so what is a directive a directive is a guideline such that not all the information to judge on compliance is contained in the source code so it is necessary to refer to requirements specification designs or even the programmer intention in order to decide whether a directive is satisfied or not whereas when a guideline is called rule then it means that compliance only depends on the source code so in principle if you know the source code you are able to decide whether there is a violation or not so this is of course if influence on what static analysis tool can do or cannot do so for directive static analysis tool may assist a lot in checking compliance but you have to provide them with further information that they require because as I said the code is not sufficient whereas for a rule module undecidability static analysis tools will in principle be able of doing the check all by themselves an important word about the headline the headline is just a short summary of the guideline it is not the guideline so it's a compromise rule five point six we'll say little too many people even people working misra see everyday but if they read the headlines they will understand what the guideline is about so in order to properly understand a guideline you have to study the full guideline description and we now see how this information is structured into Misra C 2012 first below the pink strip there are three attributes category is one of mandatory required or advisory analysis is a pair the first element maybe decidable or undecidable and the second one is system or single translation unit the final attribute which is called applies to it is a set of versions of the C standard so it's C 90 and c 99 and with the publication around the months ago of Misra C 2012 amendment 2 now we can also have c11 and c11 comprises also C 18 because C 18 has no new features with respect to C 11 so it is considered as a technical courage and doom of C another okay so let's see what is the category mandatory required or advisory mandatory means that if you want to make a frame of compliance to Misra C you must comply to every mandatory guideline so deviation is not permitted no matter what whereas if the rule is as category required then the code must comply or a formal deviation is required what is a formal deviation is an argumentation where someone explains why the rule or or directive can be not followed in a specific situation for certain reason and the reason should be given why safety is not impacted by not applying the rule in a specific instance then there are advisory rules these are recommendation so they should be for as far as reasonable practical so formal deviation is not required but at the end of a project if you want to make a sound claim of means that are compliance you should list all the violation of the Advisory rule so you need not give a justification but you have to list them okay there is no other grading of importance of the guidelines in Misra C so it's not true that rules are more important that directives or the other way around mandatory are the most important then required then advisory these is the only grading of importance that is mandated by Misra C so this doesn't mean that any organization may have its own grading of importance and it is also possible to Rea categorize the guidelines following certain rules now we have seen we have seen that there is a decidability attribute a guideline is market as decidable if there exists an algorithm that for each source programs is able to give a yes or no answer in finite time so and it is market undecidable if such an algorithm does not and will never exist so unfortunately as you probably know most interesting program properties are undecidable for example division by zero is undecidable buffer overflow is undecidable and of course limitation of available resources might be such that a static analyzer employs in non exact algorithm even when an exact algorithm exists so it's always important to manage the complexity precision trade-off then scope of the analysis a guideline can be market as single translation unit if it can be checked by one translation unit at a time so a translation unit is basically a dot c file along with the header files it includes okay and otherwise the ruler will be tagged as system if this means that it's not sufficient to consider one translation unit at a time you have to consider more than one translation unit at a time and most frequently you have to consider the entire system you can see that all the undecidable rules are also market system for this reason okay so I have said that the headline of the rule is just a summary the rule is explained in depth in the following sections the most important one is the amplification this is a more precise description of the guideline and it is normative so if you believe there is a contrast between the headline and application the amplification wins okay as I said the headline is just a short summary then reason rationale and explanation of why the guideline exists sometimes rules have exceptions and so when there is an exception there is a section that describes under what conditions the guideline does not apply there always are examples both positive example and negative example sometimes the guidelines are related to one another and when this is the case there is a see also section that points you to the related guidelines and below the pink strip on the right hand side sometimes there are references to the sea stander for example here we are examined directive 1.1 which says any implementation define a behavior which the output of the program depends shall be documented and understood and the list of implementation the final behaviors in c90 is contained in annex II subsection 3 whereas in c99 is an exception 3 okay so this gives me the occasion of emphasizing what I said so for a directive the information about compliance is not completely contained in the code so here is a very good example because the directive says that they find a behavior on which the output of program depends this is the part that static analysis tool can tell you static analysis tool can tell you if you depend on some implementation defining behavior however the tool can say nothing about the fact whether you documented them properly or if you understand them so that's why this is a directive so let me present you just a few example of of mister guidelines so let's start with the rule rule 1.1 it is required so if you want to deviate it you have to do so formally and it's decidable it's single translation unit and it applies to all version of the language it says that the program shall contain no violation of the standard C syntax and constraints and shall not exceed the implementation translation limits so this might be surprising for someone one might think eh but the compiler will give me a parse error if I am going beyond the syntax or the constraint of the of the language this is not true so not only language features that are outside the supported version of C have not been considered when developing the major guidelines the point is that a conforming implementation so a conforming compiler does not have an obligation to generate a Diagnostics or warning or an error when a translation limit is exceeded what is a translation limit for example I don't know how deeply you can nest conditional compilation directive like sharp if or sharp if def okay so the standard says that for example for C 90 that the compiler has to support at least nine levels of nesting if you do ten you are on your own okay so and the compiler needs not give you a warning about this so you might be in trouble we Sauter a way of no wind that is why it's very important to have a separate tool to check for misra compliance not only this there are several compilers around that technically speaking are not fully conforming where they do not diagnose constant violations so they compile code that they should not compile they should give an error and they don't give it so you end up with illegal or surprising object code let us see another another rules I will only show a few of them because time is is limited I've chosen a guideline concerning comments because some people might think hey what might be the problem with comments the problem is is that in the language the interaction between double slash comment and the ordinary slash star star slash comments and line splicing it is very intricate so not many people know the details and it is perfectly possible to do serious damage with this so here is an example so the programmer thought writing simply a path the path of a directory here however since this ends in a backslash this is called line splicing line splicing means that is as if the call to critical function was written here so was part of the comment at the very early stage in the translation done by the compiler physical source lines are merged in two logical source line and all this program all this fragment you see is a single logical source line which is commented out so critical function is not even seen by subsequent stages of the compiler so it was critical to call it it will not be call it and you will not know that's why it's important to have a tool that warns you about this kind of another rule this time is advisory as to do is conversion between pointer to object and integer types so the advice is not to use them why because integer pointer conversion may result in truncation when the pointer is not wide enough you can end up with misaligned at pointers so pointer that to address some quantities should be on some architecture be aligned at the own amount although I don't know over for and if it is misaligned then bad things can happen and the other conversion so pointer to integer this can result into integer overflows again in producing undefined behavior nonetheless it is recognized that especially for programming embedded system it is sometimes necessary to convert integers to pointer when you have to deal with fixed address for the access to memory method registers or other other features okay last rule I will present as to do with unspecified behavior it says the value of an expression and it's persistent side-effect should be the same under all permitted evaluation or this is undecidable its system and it has to do with unspecified behavior and also with undefined behavior because as I said there are ordering of things that are not define it but if you within to sequence points modify an object more than once or you modify it a tree and read it at the same time then it is undefined behavior and for the unspecified behavior here is an example so it is unspecified whether in function calls the ordering in which the arguments are evaluated the - right right to left or any other possible ordering okay so and in this case since we are accessing volatile variables it is unspecified whether we prepare the tea cnt1 a side effect before or after the other one okay what is the solution so in this case the solution it's simple so if you want to comply with the miso guideline you introduce temporary variables and you sequentialized the events in the a way in the way you want any decent compiler will not let you pay a price for having introduced at this two temporary variables okay so let's move to the next section of the talk so understanding means receipts there are a couple of points I want to emphasize so the first one is that Misra C is part of a process okay apply Misra C is not simply having a tool so Misra C is a process it's a process that requires that you have done or you do certain things so software requirements should be complete unambiguous and correct you have to have a design specification you have to check several things and another point that is very important that means C ideally should be used before code reaches review and unit testing phase because otherwise you have to expect a lot of lis working and retesting because if you think about Misra C compliance too late then in order to have misra compliance you will have to modify the code and so you may have to redo the review some reviews you have to redo testing okay so four requirements for the process are outside the scope of mr. C and rule details about development processes can be found in the functional safety standards that each industry sector has to comply to products Paul I don't know yen 5:01 to wait for railways okay or ISO 26262 for automotive oh here is that the second poll so which are the functional safety standards that are more relevant to your work okay I just launched it while you express your evaluation let me draw your attention to the fact that on April 28th we will be a webinar especially dedicated to an important point in ISO 26262 which I hope is relevant to at least some of you okay so now the vast majority has to comply with ISO 26262 you know automotive and we have many in all the options we provided and some of them attend a good 20 percent express other so there is something that we have input envisions good ok so another point which is very important miss Rossi is not bad finding so as I said Misra C cannot be separated from the process of documented software development it is part of ok so it has very very little to do with bug finding so what is bug finding but finding I use a tool the tool find some bugs and I am happy so it's not a bad thing to do it is always good to remove bugs we also add bugs and produce a bug finder however misra is a different thing why is it different first of all because violation of a guideline is not necessarily a software error ok miss receives prevention for example there is nothing intrinsically wrong about converting an integer to a pointer especiall when I need this to address memory map that registers however since this conversion our implementation define it and have undefined behavior that is rule 11.4 that suggests avoiding this conversion everywhere are far from the very specific instances where this conversion are both required and safe and this is a general point about miss Rossi okay the deviation process is an essential part of miss Rossi the point of a guideline is not you should not do that the point is to warn you look this is dangerous you can do this only if it is needed if it is safe and if your peer can easily and quickly be convinced that of one and two that it is both needed and safe if it takes half an hour to explain to your colleague why this is safe it's not good for mr. okay it must take a few seconds to understand that it is okay so one utiful way to think about Misra C and the processes that are around it is to consider them as an effective way of conducting a guided peer review okay in an ordinary peer review you would be sitting with your colleagues and you will be pointing fingers to the screen and you will ask questions are you sure here we are protected against this possibility well with Misra C and the good tool it is the tool that will guide you to this peer review and if you follow mr. C you will rule out most of the C language traps and pitfalls on the finite heavier implementation the final behavior possible in comprehension about aspects of the language another difference between bug finding and Misra C is the attitude with respect to incompleteness so bug finders are usually tolerant about false negatives and intolerant about false positives if you watch closely as I do the developments of the GNU C compiler and of Salang you will see that as soon as there is a false positive report they will do anything to switch it off even though if they - by doing so introduce false negatives okay false negatives means there is an issue but the tool doesn't report it so this is not the right mindset for mr. C mr. C has to do with the development of safety critical system or or systems that are critical in other way missing critical security critical okay so false positives are in noises expect especially if the tool is bad quality and it has lots of them but if you have false negatives in a tool it means you have to do other things in order to make sure that you you are safe okay so final difference between Misra C and bug finding is is the importance that Misra C assigns to reviews reviews of all kind code reviews reviews of the code again design document reviews of the desired documents against requirement so many misra rules have to do with code readability and understand ability for this reason it is not the mindset of the audience who look at bug finders so this kind of audience as a difference philosophy your program as you want and the bug finders will find some bugs ok so successful adoption of Misra C so tools are essential of course it is theoretically possible to manually check everything but doings for mr. C is of course enormous so tools are highly recommended to at least semi automate the check for compliance of course there are manual activities that remain so you have to configure the tool correctly and then you have to configure the tool to capture the deviations had said that deviation is an essential part of mr. C so let's start with the tool configuration so as I said there are hundreds 112 implementation defining behavior in c99 so this means that the number of seeds dialects is enormous an implementation defining behavior by definition can be decided in at least two ways so this means only with this estimation five times ten to the power of thirty three possible dialects in reality we can reach a very large number a larger number and by comparison the Alexander star so this more complicated version of the Rubik's Cube as less different positions so and what is the problem with this is that not only there are many implementation defining behaviors but many compilers can implement higher options different choices for the implementation the final behavior for next in case the compiler on the machine where I'm giving the presentation implements via a command-line option more than 100 thousand dialects of see so many things can be set via command-line option and the important conceit is that if your tool is not configured to capture exactly the dialect you are using of the language then they result of the analysis are completely worthless we have seen many project where due to miss configuration of the tool the analysis result meant absolutely nothing so one important aspect for example our predefined macros so all compilers have a complex set of predefined macros that may be influenced by compiler options and compiler option may be given on the common line on environment variables or on file and if you fail to capture this in the tool configuration then you may well result in having the wrong code being analyzed okay so your compiler pre defines a certain marker so it confides a certain section of the code the tool has not been adapted to this and so you analyze a different section of the course okay so I skip this because it's it's late I had in mind demonstration what we will give it webinar precisely is because it is a very interesting topic so configuring the tool in a way the food chain is an important issue that are in theories are a possibility the first possibility that the tool is integrated in the compiler and the linker so this in principle is an interesting possibility because certainly the compiler has all the required information whether if you look at compilers that every means they're checking capability you will see that they are not very good actually they are very bad and there are several reason part of which are economic and the most important reason is that for the analysis they you reuse the same algorithm used for optimization and the algorithm used for optimization in the compiler are governed by heuristics for example they would not even consider aligning a function that is longer and I don't know five lines okay so and the heuristics are such that certain analyses are not even run on on certain parts of the code because of this heuristic served in the end you will see these tools have lots of false positives and false negative the other possibility is that the tool assumes that you carefully configure it so this is very error-prone it's a very difficult configuration and if someone's and changes the compiler option for the project you have to redo the configuration and there is a third possibility of course in that the tool is smart enough to completely avoid this problem so to configure itself in a completely automatic way and transparent to the user to take into account of the peculiarity of the tool chain in the way you are using it so this is of course the direction we have chosen and we have been very successful at this but this is not the topic of this what enough ok final thing competence so the importance of training in fact if you if you look at Mimi's recei you will see that stuff competence is a crucial requirement and it is also mandated by several functional safety standards so it is very important that the personal has been trained because without proper understanding of the sea' pitfalls and of the misra guidelines developers risk to perceived adoption of misra as a useless burden so they may well misunderstand the messages output by the tool and ask themselves what are they supposed to do or not they will not be able to recognize false positive unless they have received proper training and they in the worst case they may engage in to trial and error changing of the code in a desperate attempt to silence the tool and this will typically decrease the quality of the code okay so third and last fall do you have plans in your organization to adopt miss receive your mr. C++ in the future or you are doing it now and I why do you why do you express your situation I draw your attention on a seminar that is similar to the ones that we have done today but it will be based on mr. C++ and it will talk also about the ongoing merge with outers our c plus past 2014 so if you are interested in c++ or if you have colleagues that might be interested please share the word that we have a webinar on days on May 14th okay in the meantime the 55% so the vast majority expressed that they are working now on projects that are meant to comply with mr. C and the other greater percentage is the 15% that will have to comply within twelve or more months and the other ones are split between three months and six months okay for those who have chosen no maybe for your organization mr. C's too much so please consider the adoption of barsy 2018 in the post webinar mailing you will receive the link of a webinar we did on Bar C 2018 which you can see in order to understand whether Bar C might be the option for your organization so conclusion C is the mostly user language for programming of embedded system for very good reasons the language has advantages and corresponding disadvantages so the only sensible way to deal with it is by language subsetting okay Misra C is the most authoritative subset of C for the development of high integrity embedded system and it is an integral part of a software development process that has very little to do with both finding good tools and proper formal training of personnel is essential for a smooth and successful adoption of Misra C into any organization and I'm ready for your questions if you have all right I'm going to answer one question because Manfred asked if it's possible to watch this webinar again so if you miss one of our previous webinars or if you want to watch this again or just to share them with your colleagues all our webinars will be available and at the previous one already are on our YouTube channel so I'll make sure I'll send you the link in the post webinar mailing another question mr. C is addressing mainly the human factor related to human error prone programmers but what about automatically is named a software producing software okay so this is a very good question I do not completely agree with the fact that mr. C addresses mainly the human factor however there are several rules that have to do with code readability and understandability and this of course does not does not apply to how to generated code however auto generators F bugs and in fact in the safety critical sectors you have to subject auto-generated code to Misra see compliance and it is not so uncommon to find that a bug in an auto generator generated for example an instance of undefined behavior so said that there are two things misra see as special provisions for auto-generated code so when you have a portion of code that is auto-generated you are facilitated in providing deviation for this code and also there is the notion of deviation permit which is a topic I couldn't explore however you can have deviation permits that you can develop in a user or or that you can take from for example Misra C 2004 the Mississip working group is working at permits for Misra C 2012 in which the fact that code is out generator an important role said that you need not wait for the Misra C working group to produce the Misra C 2012 deviation permits you can write your deviations yourself for example if you have to do with a misra guideline that does not result in on the final behavior or unspecified behavior and whose rationale is about code readability understandability possible developer confusion you can write very easily your deviation explaining that the code generated automatically is not required to be read or maintained by any human all right Thank You Roberta now the question is is it possible to get the full set of design yeah of course to those who require the slides we can provide them confidentially so we would like to avoid people re distributing them but it's ok you want to present them in your organization please let us know all right another question is from Clayton can I program in C 11 or C 18 and still claim Misra C conference yes in February this year the MS receive working group has published the Misra C 2012 amendment 2 which extends the language support to c11 and c18 so in the post webinar may linger we will send you a pointer to where you can download your copy of Misra C 2012 amendment 2 and it is immediately usable concerning tools as I said this this amendment was published in February so less than 2 months ago the next version of Eclair which is our static analysis tool will have full support for this amendment starting from the next release which is due to be out in early May what's the old it flow for mistress a compliance I'm not sure I I fully understand the question honest so let me try to give an answer there is a process that has to be followed in order to do a proper claim of misra compliance the document is called misra compliance it was released the first time in 2016 in 2020 miss Rossi working group has published a revision so in the post webinar mailing we will send a pointer also to this document that explains how you can produce a defensible argument of mr. compliance ok just another one and then we'll wrap this up is it common to lose flexibility see and have troubles to implement some functionalities when using misra see no the mandatory restrictions of Misra C so the one you cannot deviate or take nothing out of the language they prevent engaging into sure and the final behavior into big troubles but all the other rules which are required and advisory can either be followed or defensively deviated in a way that you can really program anything but in a safe way all right Christopher asked however what is with using the heat using the HIPAA is argument of two guidelines of Miss Rossi's so one says don't use a dynamic allocation and it is something that you may deviate if you want however that what you have to take into account that is the dynamic memory comes with a lot of problems so the problems have to do with what do you do when you ran out of memory how do you ensure a predictable time of the memory location and the location function no there are several problems with dynamically allocated memory that I have to be taken care of so it is possible to deviate the rules which tell you not to use dynamic memory location and particularly not to use the memory location facilities in the standard library so malloc free and so on because malloc and free are plagued by very severe problems due to the fact that they are very general purpose so they have to accommodate any allocation de-allocation taught and so many small blocks big blobs and so on so in particular they are not easily predictable in their timing in their timing so it is technically possible to deviate the guidelines that recommend against using dynamic memory allocation but it will be challenging not because misra says it because you have to have a defensible argument on how you deal with all the drawbacks okay what is your plan B so what what if you if you run out of memory what will your application do okay do you have a hard real-time deadlines how do you ensure that that your allocation and their location functions will allow you to meet such deadlines all right Thank You Roberto and thank you again everybody for joining us today let me just quickly remind you that on April 23rd so next week we will learn about a revolutionary webinar the boxing team has in fact come up with the right technology to properly interface eclair with IDs and extensible editors and Roberto will demonstrate these new exciting features in this next web video so make sure you don't miss it if you follow us on LinkedIn you will easily find the registration link because it's in our last post so as always feel free to reach out to us anytime or if you have more questions feel free to send us an email at info box ENCOM so thank you again and I hope to see you all next time bye bye bye everybody