klionskins.blogg.se

Keep talking and nobody explodes manual code









Top-layer safety standards for "functional safety" like IEC 61508 (industrial), ISO 26262 (automotive) or DO-178 (aerospace) etc. come with a software part (for example IEC 61508-3), where they list a number of suitable programming languages. In practice, for the highest safety levels this means that you are pretty much restricted to C with a safe subset (MISRA C) or Ada with a safe subset (SPARK). These are exclusively old languages proven in use for a long time, where all flaws and poorly-defined behavior are regarded as well-known and execution can be regarded as predictable.

A bunch of other old languages like Modula-2, Pascal and Fortran are also mentioned, but the tool support for these in the context of modern safety MCUs is non-existent. Languages like Python and C++ are not even mentioned for the lowest safety levels, so between the lines they are dismissed as entirely unsuitable.

Your question raises an important issue in C programming and in programming in general: does the program behave as expected in all cases? The expression (brightness * maxval) / 100 computes an intermediary value brightness * maxval that may exceed the range of the type used to compute it. In Python and some other languages, this is not an issue because integers do not have a restricted range, but in C, C++, Java, JavaScript and many other languages, integer types have a fixed number of bits so the multiplication can exceed this range. It is the programmer's responsibility to ascertain that the range of the operands ensures that the multiplication does not overflow. This requires a good understanding of the integer promotion and conversion rules, which vary from one language to another and are somewhat tricky in C, especially with operands mixing signed and unsigned types.

In your particular case, both brightness and maxval have a type smaller than int, so they are promoted to int with the same value and the multiplication produces an int value. If brightness is a percentage in the range 0 to 100, the result is in the range 0 to 25500, which the C Standard guarantees to be in the range of type int, and dividing this number by 100 produces a value in the range 0 to 100, in the range of int, and also in the range of the destination type uint8_t, so the operation is fully defined. Whether this process should be documented in a comment or verified with debugging assertions is a matter of local coding rules. Changing the order of the operands to maxval * brightness / 100 and possibly using more explicit values and variable names might help the reader.
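The promotion behaviour discussed here, as an added example that is not part of the original page: it shows the 8-bit case, where promotion to int keeps the intermediate product in range, and goes one step further to a 32-bit case where nothing widens the product. The function names, the 32-bit variant, the range check and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 8-bit operands: both are promoted to int before the multiplication.
 * With brightness <= 100 the product is at most 255 * 100 = 25500, which
 * fits in int on every conforming implementation (INT_MAX >= 32767). */
bool scale_u8(uint8_t maxval, uint8_t brightness, uint8_t *out)
{
    if (brightness > 100)
        return false;                 /* outside the assumed 0..100 range */
    *out = (uint8_t)(maxval * brightness / 100);   /* result is 0..maxval */
    return true;
}

/* 32-bit operands, naive form: the intermediate product is stored in a
 * 32-bit unsigned type, so it is reduced modulo 2^32 before the division. */
uint32_t scale_u32_naive(uint32_t maxval, uint32_t percent)
{
    uint32_t product = maxval * percent;   /* may wrap silently */
    return product / 100;
}

/* 32-bit operands, checked form: validate the range, then compute the
 * product in a 64-bit type that can hold UINT32_MAX * 100. */
bool scale_u32_checked(uint32_t maxval, uint32_t percent, uint32_t *out)
{
    if (percent > 100)
        return false;
    uint64_t product = (uint64_t)maxval * percent;
    *out = (uint32_t)(product / 100);      /* <= maxval, so it fits */
    return true;
}

int main(void)
{
    uint8_t b8;
    uint32_t b32;
    /* Constructed sample values. */
    if (scale_u8(255, 50, &b8))
        printf("u8:          %u\n", (unsigned)b8);
    printf("u32 naive:   %lu\n", (unsigned long)scale_u32_naive(100000000u, 50));
    if (scale_u32_checked(100000000u, 50, &b32))
        printf("u32 checked: %lu\n", (unsigned long)b32);
    return 0;
}
```

The naive 32-bit form returns a wrong but plausible-looking value without any diagnostic, which is why the range argument has to be made per type rather than assumed from the 8-bit case.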









