Using template in safety-critical system (flight critical system)

Discussion in 'C++' started by aeromarine, Jan 24, 2008.

  1. aeromarine Guest

    Hi.

    I want to know whether I can use templates in a safety-critical system or
    not.
    From googling I found the text below at http://gotw.ca/sands3.htm, and I was
    astonished at "You must use template".

    1:30-2:45pm C++ In Safety-Critical Systems (Bjarne Stroustrup)
    C++ is widely used in embedded systems programming and even in safety-
    critical and hard-real-time systems. This presentation discusses how
    to write code in these highly demanding application areas. First the
    mapping of C++ code to hardware resources is reviewed and the basic
    abstraction mechanisms (classes and templates) are reviewed from the
    perspective of this kind of code. Then, the JSF++ coding rules are
    examined as an example of a set of domain specific rules. These rules
    have been and are being used for the development of millions of lines
    of C++. Questions addressed include: "Can I use templates in safety-
    critical code?" (yes, you can and must) and "Can I use exceptions in
    hard-real time code?" (sadly no, not with the current level of tool
    support). Predictability of language features and minimization of
    programmer mistakes are key notions.

    If anyone has more detailed information about the seminar or the
    presentation file, please send it to me.
    I would very much appreciate it.

    And if anyone has experience developing safety-critical systems using
    templates, especially with DO-178, please tell me about
    your experience.

    Thanks.
    aeromarine, Jan 24, 2008
    #1

  2. Ian Collins Guest

    aeromarine wrote:
    > Hi.
    >
    > I want to know whether I can use templates in a safety-critical system or
    > not.


    Give a good reason why you shouldn't use them.

    --
    Ian Collins.
    Ian Collins, Jan 24, 2008
    #2

  3. jalina Guest

    aeromarine wrote:
    > Hi.
    >
    > I want to know whether I can use templates in a safety-critical system or
    > not.
    > From googling I found the text below at http://gotw.ca/sands3.htm, and I was
    > astonished at "You must use template".
    >
    > 1:30-2:45pm C++ In Safety-Critical Systems (Bjarne Stroustrup)
    > C++ is widely used in embedded systems programming and even in safety-
    > critical and hard-real-time systems. This presentation discusses how
    > to write code in these highly demanding application areas. First the
    > mapping of C++ code to hardware resources is reviewed and the basic
    > abstraction mechanisms (classes and templates) are reviewed from the
    > perspective of this kind of code. Then, the JSF++ coding rules are
    > examined as an example of a set of domain specific rules. These rules
    > have been and are being used for the development of millions of lines
    > of C++. Questions addressed include: "Can I use templates in safety-
    > critical code?" (yes, you can and must) and "Can I use exceptions in
    > hard-real time code?" (sadly no, not with the current level of tool
    > support). Predictability of language features and minimization of
    > programmer mistakes are key notions.
    >
    > If anyone has more detailed information about the seminar or the
    > presentation file, please send it to me.
    > I would very much appreciate it.
    >
    > And if anyone has experience developing safety-critical systems using
    > templates, especially with DO-178, please tell me about
    > your experience.
    >
    > Thanks.


    Templates in C++ are, roughly speaking, just macros. That said, if your
    concern is that templates add extra stuff under the hood, you should
    just not worry.

    J.
    jalina, Jan 24, 2008
    #3
  4. Ian Collins Guest

    jalina wrote:
    >
    > Templates in C++ are, roughly speaking, just macros. That said, if your
    > concern is that templates add extra stuff under the hood, you should
    > just not worry.
    >

    Nonsense. Ever specialised a macro?

    --
    Ian Collins.
    Ian Collins, Jan 24, 2008
    #4
  5. jalina Guest

    Ian Collins wrote:
    > jalina wrote:
    >> Templates in C++ are, roughly speaking, just macros. That said, if your
    >> concern is that templates add extra stuff under the hood, you should
    >> just not worry.
    >>

    > Nonsense. Ever specialised a macro?
    >


    My point was to suggest why templates should not be feared if it is about
    adding extra stuff - like, e.g., adding a lot of hidden code (sic "roughly
    speaking").

    I DID NOT say templates were just macros. Please try to understand when
    someone posts an *answer* to a particular question.

    (yes, I have already specialised a macro)

    Thanks
    J.
    jalina, Jan 24, 2008
    #5
  6. jalina Guest

    jalina wrote:
    > Ian Collins wrote:
    >> jalina wrote:
    >>> Templates in C++ are, roughly speaking, just macros. That said, if your
    >>> concern is that templates add extra stuff under the hood, you should
    >>> just not worry.
    >>>

    >> Nonsense. Ever specialised a macro?
    >>

    >
    > My point was to suggest why templates should not be feared if it is about
    > adding extra stuff - like, e.g., adding a lot of hidden code (sic "roughly
    > speaking").
    >
    > I DID NOT say templates were just macros. Please try to understand when
    > someone posts an *answer* to a particular question.
    >
    > (yes, I have already specialised a


    template

    (of course)

    macro)
    >
    > Thanks
    > J.
    >
    >
    jalina, Jan 24, 2008
    #6
  7. HongWoo Guest

    Do you have experience developing hard real-time, safety-critical
    systems with C++ templates?

    I'm worried about testing code that uses templates and the STL.

    Thanks.
    HongWoo, Jan 24, 2008
    #7
  8. Ian Collins Guest

    HongWoo wrote:
    > Do you have experience developing hard real-time, safety-critical
    > systems with C++ templates?
    >
    > I'm worried about testing code that uses templates and the STL.
    >

    Why, don't you trust your tests?

    I would be way more concerned about process than the use of templates
    when testing a safety-critical system.

    Give some specific problems you envisage with templates.

    --
    Ian Collins.
    Ian Collins, Jan 24, 2008
    #8
  9. Hans Guest

    On 24 Jan, 10:31, HongWoo <> wrote:
    > Do you have experience developing hard real-time, safety-critical
    > systems with C++ templates?
    >
    > I'm worried about testing code that uses templates and the STL.
    >
    > Thanks.


    To answer the question, I will need to split it up into several
    questions. Hard real-time is not necessarily related to safety-
    critical systems, and templates and stl can have very different
    implications.

    Hard real-time
    Templates cause no additional problems. Since it is hard real-time you
    will somehow need to ensure that your code meets your deadline. This
    is equally difficult with or without templates.
    If you want to use STL within that code, you will have to be careful.
    They usually rely on dynamic memory allocation. Maybe you can get
    around that by using your own allocators; I have never tried it
    myself.

    Safety-critical
    Again, templates should cause no additional problems. One thing you
    will have to consider is what to test. The JSF C++ coding
    guidelines (see for example rules 101 and 102) state that you should
    test all your template instantiations. Thus, if you define your own
    vector template, testing vector<int> is not enough - it does not tell
    you if vector<void*> or vector<float> works.
    Using stl in a safety-critical system will, again, require some care.
    Do your safety guidelines allow the use of dynamic memory? If not, can
    you still use stl? Also, do your guidelines state that the code
    running in your system should be tested? Then that applies to any
    libraries you use, including stl. Can you get a stl version that the
    vendor provides tests for, or can you yourself define and test a
    subset of stl? That might prove cheaper than developing (and still
    having to test) similar functionality in-house...
    Hans, Jan 24, 2008
    #9
  10. Lionel B Guest

    Re: Using template in safety-critical system (flight critical system)

    On Wed, 23 Jan 2008 23:42:44 -0800, aeromarine wrote:

    > Hi.
    >
    > I want to know whether I can use templates in a safety-critical system or
    > not.


    Why not, if they're useful to the task at hand? They're part of the
    language and thus behave - like any other language construct - according
    to how the language specifies they should.

    Perhaps some years ago there might have been an argument that templates
    could prove unreliable since some compilers implemented them incorrectly
    (MSVC++ 6 springs to mind...), but you can probably assume that "modern"
    compilers implement templates as well as they do any other basic language
    construct - and if you can't trust your compiler you're screwed anyway.

    It's also worth remarking that templates per se generally introduce zero
    "hidden overheads", unlike some other abstraction mechanisms (e.g.
    virtual functions), so there's no reason not to use them in real-time
    programming.

    > From googling I found the text below at http://gotw.ca/sands3.htm, and I was
    > astonished at "You must use template".


    yes... or the template police will get you ;-)

    Couldn't find a transcript of Bjarne's talk on the site, but I'm sure he
    has his reasons...

    [...]

    --
    Lionel B
    Lionel B, Jan 24, 2008
    #10
  11. Sam Guest

    Re: Using template in safety-critical system (flight critical system)

    aeromarine writes:

    > Hi.
    >
    > I want to know whether I can use templates in a safety-critical system or
    > not.


    "Safety-critical" is a meaningless buzzword. Unless further qualified, no
    two people will come away with the same interpretation.



    Sam, Jan 24, 2008
    #11
  12. bjarne Guest

    On Jan 24, 1:42 am, aeromarine <> wrote:
    > Hi.
    >
    > I want to know whether I can use templates in a safety-critical system or
    > not.
    > From googling I found the text below at http://gotw.ca/sands3.htm, and I was
    > astonished at "You must use template".
    >
    > 1:30-2:45pm C++ In Safety-Critical Systems (Bjarne Stroustrup)
    > C++ is widely used in embedded systems programming and even in safety-
    > critical and hard-real-time systems. This presentation discusses how
    > to write code in these highly demanding application areas. First the
    > mapping of C++ code to hardware resources is reviewed and the basic
    > abstraction mechanisms (classes and templates) are reviewed from the
    > perspective of this kind of code. Then, the JSF++ coding rules are
    > examined as an example of a set of domain specific rules. These rules
    > have been and are being used for the development of millions of lines
    > of C++. Questions addressed include: "Can I use templates in safety-
    > critical code?" (yes, you can and must) and "Can I use exceptions in
    > hard-real time code?" (sadly no, not with the current level of tool
    > support). Predictability of language features and minimization of
    > programmer mistakes are key notions.
    >
    > If anyone has more detailed information about the seminar or the
    > presentation file, please send it to me.
    > I would very much appreciate it.
    >
    > And if anyone has experience developing safety-critical systems using
    > templates, especially with DO-178, please tell me about
    > your experience.
    >
    > Thanks.


    You can look at two written sources:

    B. Stroustrup: Abstraction and the C++ machine model. Proc. ICESS'04.
    December 2004. Also in Springer LNCS 3605. Embedded software and
    systems. 2005. http://www.research.att.com/~bs/abstraction-and-machine.pdf

    JSF++: The JSF air vehicle C++ coding standard:
    http://www.research.att.com/~bs/JSF-AV-rules.pdf

    In addition, The ISO C++ committee's TR on performance may be of use
    to you: http://www.research.att.com/~bs/performanceTR.pdf

    -- Bjarne Stroustrup; http://www.research.att.com/~bs

    PS You could have found those references on my "C++ links" page.
    bjarne, Jan 24, 2008
    #12
  13. Erik Wikström Guest

    On 2008-01-24 10:31, HongWoo wrote:
    > Do you have experience developing hard real-time, safety-critical
    > systems with C++ templates?
    >
    > I'm worried about testing code that uses templates and the STL.


    There is nothing different about testing template code from normal code
    (as long as you instantiate the templates with the same types that will
    be used in the real code). One nice thing about templates is that they
    do not instantiate stuff that you do not need. That means that you will
    have no dead code, so you can actually get smaller code than what you
    would get without using templates. To demonstrate this consider the
    following (bad) code:

    template<class T>
    class Test
    {
    public:
        T& foo(T i)
        {
            return i;
        }

        T& bar(T i)
        {
            return i;
        }
    };

    int main()
    {
        Test<int> t;
        t.foo(1);
    }

    If you compile this with a good compiler you should get a warning about
    returning a reference to a local variable, but only in function foo()
    and not bar(), since that is not used and thus not compiled. If you add a
    call to bar() too you should get a warning for bar() too.

    --
    Erik Wikström
    Erik Wikström, Jan 24, 2008
    #13
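Hans's advice (test every template instantiation you actually use, and keep dynamic memory out of hard real-time code) and Erik's observation (a member function that is never called for a given type is never compiled) can be seen together in one small container. The code below is an added example, not code from the thread; FixedVector, test_fixed_vector, test_sum and run_all_instantiations are names chosen here, and the element types are the ones Hans mentions (int, float, a pointer type) plus uint8_t to show a type-dependent defect.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Fixed-capacity vector: storage is embedded, so no dynamic allocation
// happens anywhere. Assumption: T is default-constructible and copyable,
// which holds for the arithmetic and pointer types tested below.
template <class T, std::size_t N>
class FixedVector {
public:
    // Refuses the element when full instead of growing; never allocates.
    bool push_back(const T& v) {
        if (size_ == N) return false;
        data_[size_++] = v;
        return true;
    }
    std::size_t size() const { return size_; }
    // Bounds-checked read that reports failure instead of throwing.
    bool at(std::size_t i, T& out) const {
        if (i >= size_) return false;
        out = data_[i];
        return true;
    }
    // Only compiled when instantiated for a given T. For T = int* this body
    // is ill-formed (no += on two pointers), yet FixedVector<int*, N> builds
    // fine as long as nobody calls sum(): a test plan has to call every
    // member for every type it certifies, not just every type.
    T sum() const {
        T acc = T();
        for (std::size_t i = 0; i < size_; ++i) acc += data_[i];
        return acc;
    }
private:
    std::array<T, N> data_{};
    std::size_t size_ = 0;
};

// One test body, instantiated separately for each element type.
template <class T>
bool test_fixed_vector(T a, T b, T c) {
    FixedVector<T, 2> v;
    if (v.size() != 0) return false;
    if (!v.push_back(a) || !v.push_back(b)) return false;
    if (v.push_back(c)) return false;        // third push must be refused
    if (v.size() != 2) return false;
    T out;
    if (!v.at(1, out) || !(out == b)) return false;
    if (v.at(2, out)) return false;          // out-of-range read refused
    return true;
}

// Exercises sum() for arithmetic types. A vector<int> test alone says
// nothing about what this member does for float or for narrow integers.
template <class T>
bool test_sum(T a, T b, T expected) {
    FixedVector<T, 4> v;
    v.push_back(a);
    v.push_back(b);
    return v.sum() == expected;
}

bool run_all_instantiations() {
    int x = 1, y = 2, z = 3;
    bool ok = true;
    ok = ok && test_fixed_vector<int>(1, 2, 3);
    ok = ok && test_fixed_vector<float>(1.5f, 2.5f, 3.5f);
    ok = ok && test_fixed_vector<int*>(&x, &y, &z);   // pointer instantiation
    ok = ok && test_sum<int>(1, 2, 3);
    ok = ok && test_sum<float>(0.25f, 0.5f, 0.75f);
    // 200 + 100 wraps to 44 in uint8_t: visible only in this instantiation.
    ok = ok && test_sum<std::uint8_t>(200, 100, 44);
    return ok;
}

int main() { return run_all_instantiations() ? 0 : 1; }
```

The uint8_t case is the point of Hans's rule: the int instantiation passes, the float instantiation passes, and only the instantiation with the narrow type reveals that sum() silently wraps. The int* instantiation shows Erik's point from the other side: the type certifies cleanly even though one member could never compile for it, so coverage has to be counted per (type, member) pair.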
  14. James Kanze Guest

    On Jan 24, 10:36 am, Ian Collins <> wrote:
    > HongWoo wrote:
    > > Do you have experience developing hard real-time,
    > > safety-critical systems with C++ templates?


    > > I'm worried about testing code that uses templates and the STL.


    > Why, don't you trust your tests?


    Because a test can only prove that the code is wrong; it can
    never prove it correct. In safety-critical systems, it is usual
    to use some sort of code validation process, in addition to
    tests. Complex template meta-programming can definitely make
    code validation more difficult. If additional tools are used to
    support validation, you have to obey any restrictions introduced
    by those tools, and if your validation team does not feel
    comfortable with templates, or certain uses of templates, then
    you have to take that into account as well. (Personally, I
    don't see any problem with simple straight-forward templates,
    but I would eschew any complex meta-programming.)

    --
    James Kanze (GABI Software) email:
    Consulting in object-oriented computing /
    Consulting in object-oriented data processing
    9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34
    James Kanze, Jan 25, 2008
    #14
  15. Grizlyk Guest

    Lionel B wrote:
    >
    > aeromarine wrote:
    >
    > > I want to know whether I can use templates in a safety-critical
    > > system or not.

    >
    > Why not, if they're useful to the task at hand?
    >
    > you can probably assume that "modern" compilers implement
    > templates as well as they do any other basic language
    > construct


    Ideally.

    Templates with template<> look useful, and any code is better
    written with templates than without.

    If you have an interest in OOD/OOP, you can see that with
    template<> you can declare, for C++, a pure-like object-oriented, abstract
    template (an implementation-independent template).

    An abstract template is a way to write reusable components of software.
    Any abstract template implies polymorphic behaviour for all things
    passed as template parameters.

    You can select the concrete implementation of an abstract template as a
    compile-time template (the abstract template will be implemented as
    multiple copies of code), or as a run-time template (the abstract template
    will be implemented as a single copy of code and multiple function
    calls). In most cases a run-time template implies at least one virtual
    function call.

    You can also give up the polymorphic behaviour of an abstract template
    and turn your template into plain code. In that case, you will not see
    any differences between templated and non-templated code, but correctly
    designed templated components of code can be reused in future.

    namespace Ncomponents
    {
        template<typename VeryLongClassName, typename EvenMoreLongClassName >
        class A;

        template<
            typename VeryLongClassName,
            typename EvenMoreLongClassName,
            typename MoreThanEvenMoreLongClassName
        >
        class B;

        // B takes three parameters, so the nested argument is an A
        B< TerTerTer, int, A< TerTerTer, int > > b;
    }

    namespace Nnon_polymorphic
    {
        typedef Ncomponents::A< TerTerTer, int > A;
        typedef Ncomponents::B< TerTerTer, int, A > B;

        B b;
    }

    Really.

    1. template syntax looks worse than the traditional C/C++ one

    template<typename VeryLongClassName, typename EvenMoreLongClassName >
    class B;
    template<typename VeryLongClassName, typename EvenMoreLongClassName,
             typename MoreThanEvenMoreLongClassName>
    class A;
    A<TerTerTer, int, B<TerTerTer, int> >

    is not better than

    class B;
    class A;
    A;

    The long declarations make understanding the code more difficult, which
    leads to errors due to human confusion.


    2. abstract templates are not completely supported by C++ (at least
    not yet): there is not enough "syntactic sugar", and the C++ compiler supports
    only trivial operations with abstract templates at compile time.

    "Concepts", for example, will try to add some support for this,
    but we need a real compiler with concepts to test it.

    3. abstract templates are inclined to move some errors that are detectable at
    compile time to the end user rather than to the designer of the component.

    4. some real compilers have limitations in working with templated source -
    it is hard to trace, hard to see the output, hard to link, etc.

    So, you can select :)

    By the way, C++ does not have enough facilities to control the implementation of
    abstract code.

    Ideally, when we declare a function, we write abstract code; this means that from
    the implementation point of view, even a C-style function is an abstract
    function; it means that once declared, a function must be able to be implemented
    in different manners, as template<> does.

    For example:

    //my_function declaration
    //default implementation
    extern "C++, inline, register, nothrow"
    void
    my_function(int, int);

    //usage of my_function

    //some times per execution
    //compiler makes outline copy of my_function
    my_function::(extern "outline, stdcall")(0,0);

    for(int i=1000000; i; --i)
    {
        //by default
        my_function(i,0);
        //force fast copy for unknown defaults of my_function
        my_function::(extern "inline, register")(0,i);
    }

    Maksim A. Polyanin
    http://grizlyk1.narod.ru/cpp_new
    Grizlyk, Jan 26, 2008
    #15
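Lionel B's remark that templates add no hidden overhead, unlike virtual functions, and Grizlyk's distinction between a compile-time template (the component is stamped out once per type, calls resolved statically) and a run-time template (one copy of the component, dispatch through a virtual call) can be put side by side in one reusable component. The following is an added example, not code from the thread; Monitor, RampSource, ISource, RampVirtual and the two count functions are hypothetical names, and the "sensor" is a constructed ramp of integers so the result is deterministic.

```cpp
#include <cstddef>

// A reusable component in Grizlyk's sense: the input source is a template
// parameter, and nothing in Monitor depends on which concrete source it is.
template <class Source>
class Monitor {
public:
    Monitor(Source& s, int limit) : src_(s), limit_(limit) {}
    // Counts how many of the next n samples exceed the configured limit.
    int count_over_limit(std::size_t n) {
        int over = 0;
        for (std::size_t i = 0; i < n; ++i)
            if (src_.read() > limit_) ++over;
        return over;
    }
private:
    Source& src_;
    int limit_;
};

// Compile-time selection: a concrete source type. Monitor<RampSource> is a
// separate copy of the code and src_.read() is a direct (inlinable) call.
struct RampSource {
    int next = 0;
    int read() { return next++; }   // constructed input: 0, 1, 2, ...
};

// Run-time selection: one Monitor<ISource> serves every implementation of
// the interface; each src_.read() is a virtual call, the overhead Lionel
// contrasts templates with.
struct ISource {
    virtual int read() = 0;
    virtual ~ISource() {}
};
struct RampVirtual : ISource {
    int next = 0;
    int read() override { return next++; }
};

int static_count(std::size_t n, int limit) {
    RampSource src;
    Monitor<RampSource> m(src, limit);
    return m.count_over_limit(n);
}

int dynamic_count(std::size_t n, int limit) {
    RampVirtual impl;
    ISource& src = impl;              // component only sees the interface
    Monitor<ISource> m(src, limit);
    return m.count_over_limit(n);
}

// Both variants give the same answer for the same input; they differ in
// how many copies of Monitor exist and in how read() is dispatched.
int main() { return (static_count(10, 5) == dynamic_count(10, 5)) ? 0 : 1; }
```

With samples 0 through 9 and a limit of 5, both variants report four samples over the limit. Which one a project picks is the trade-off Grizlyk describes: the static version costs one instantiation per source type (more code to test, per Hans's rule), the dynamic version costs a virtual call per sample.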
  16. Martin Guest

    Have you read this: http://www.assconline.co.uk/documents/MoDASSCMISRA.pps

    This is written by QinetiQ (similar to the USA's DARPA). In the end
    they recommend that C++ not be used for systems requiring the highest
    level of safety (approximately DO-178B levels A & B).

    Interestingly, it was (again) down to lack of tool support rather
    than language deficiency that they make this recommendation.

    I'm still looking forward to getting hold of MISRA C++ though :)
    Martin, Feb 18, 2008
    #16
