The C++ standard for the F-35 Fighter Jet [video]

(www.youtube.com)

327 points AareyBaba | 2 comments | 07 Dec 25 18:07 UTC | HN request time: 0.424s | source

PDF: https://www.stroustrup.com/JSF-AV-rules.pdf

Show context

time4tea ◴[07 Dec 25 19:31 UTC] No.46184345[source]▶

>>46183657 (OP) #

a = a; // misra

Actual code i have seen with my own eyes. (Not in F-35 code)

Its a way to avoid removing an unused parameter from a method. Unused parameters are disallowed, but this is fine?

I am sceptical that these coding standards make for good code!

replies(11): >>46184442 #>>46184460 #>>46184571 #>>46185232 #>>46185373 #>>46186276 #>>46186377 #>>46186457 #>>46186510 #>>46186705 #>>46189488 #

1. qart ◴[08 Dec 25 07:38 UTC] No.46189488[source]▶

>>46184345 #

You're right. MISRA is a cult. Actual studies[1][2] have shown many of their rules to be harmful rather than helpful. I have worked in multiple safety-critical industries. MISRA is almost always enforced by bureaucrats who don't understand source code at all, or by senior developers who rose up ranks as code monkeys. One such manager was impressed with Matlab because Matlab-generated C code was always MISRA compliant, whereas the code my company was giving them had violations. Never mind the fact that every function of the generated, compliant code had variables like tmp01, tmp02, tmp03, etc.

There are many areas of software where bureaucracy requires MISRA compliance, but that aren't really safety-critical. The code is a hot mess. There are other areas that require MISRA compliance and the domain is actually safety-critical (e.g. automotive software). Here, the saving grace is (1) low complexity of each CPU's codebase and (2) extensive testing.

To people who want actual safety, security, portability, I tell them to learn from examples set by the Linux kernel, SQLite, OpenSSL, FFMpeg, etc. Modern linters (even free ones) are actually valuable compared to MISRA compliance checkers.

[1] https://ieeexplore.ieee.org/abstract/document/4658076

[2] https://repository.tudelft.nl/record/uuid:646de5ba-eee8-4ec8...

replies(1): >>46189933 #

2. sam_bristow ◴[08 Dec 25 08:48 UTC] No.46189933[source]▶

>>46189488 (TP) #

One key point that people overlook with that paper is that they were applying the coding standards retroactively. Taking an existing codebase, running compliance tools, and trying to fix the issues which were flagged. I think they correctly identified the issue with this approach in that you have all the risks of introducing defects as part of reworking the existing code. I don't think they have much empirical evidence for the case where coding standards were applied from the beginning of a project.

In my opinion, the MISRA C++ 2023 revision is a massive improvement over the 2008 edition. It was a major rethink and has a lot more generally useful guidance. Either way, you need to tailor the standards to your project. Even the MISRA standards authors agree:

"""

  Blind adherence to the letter without understanding is pointless.

  Anyone who stipulates 100% MISRA-C coverage with no deviations does not understand what the are asking for.
  
  In my opionion they should be taken out and... well... Just taken out.
    - Chris Hill, Member of MISRA C Working Group (MISRA Matters Column, MTE, June 2012

"""

↑