C Tutorial, Rinker and Wall
C/C++ C
Programming Tutorial
C Programming Made Easy
C for Beginners
Software State Machines
Simple Methods
for Zero Crossing Detection
Power of 10 – Rules for Developing Safety Critical Code
Nutshell version:
- Restrict all code to very simple control flow constructs: do not use goto statements, setjmp or longjmp constructs, or direct or indirect recursion.
- Give all loops a fixed upper bound. It must be trivially possible for a checking tool to prove statically that a loop cannot exceed a preset upper bound on the number of iterations.
- Do not use dynamic memory allocation after initialization.
- No function should be longer than what can be printed on a single sheet of paper in a standard format with one line per statement and one line per declaration. Typically this means no more than about 60 lines of code per function.
- The code's assertion density should average to minimally two assertions per function.
- Declare all data objects at the smallest possible level of scope.
- Each calling function must check the return value of non-void functions, and each called function must check the validity of all parameters provided by the caller.
- The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions. Token pasting, variable argument lists (ellipses), and recursive macro calls are not allowed.
- The use of pointers must be restricted. Specifically, no more than one level of dereferencing should be used.
- All code must be compiled, from the first day of development, with all compiler warnings enabled at the most pedantic setting available. All code must compile without warnings. All code must also be checked daily with at least one, but preferably more than one, strong static source code analyzer and should pass all analyses with zero warnings.
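The following is an added example, not code from the Power of 10 paper or from any of the tutorials listed above. It shows what a small C routine looks like when it follows the rules in the list at once: a loop with a fixed, statically checkable bound, parameter validation in every called function, return values checked by every caller, at least two assertions per function, a single level of pointer dereferencing, and no dynamic allocation. The bound `MAX_MSG_LEN`, the status type `rc_t` and the two function names are assumptions chosen for the illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical maximum message length: the fixed upper bound every loop uses,
 * so a static checker can prove termination without reasoning about the data. */
#define MAX_MSG_LEN 64u

/* Hypothetical status code. Every caller is required to check it. */
typedef enum { RC_OK = 0, RC_BAD_PARAM = 1, RC_TOO_LONG = 2 } rc_t;

/* Measure 'msg' up to its NUL terminator, but never scan past MAX_MSG_LEN bytes.
 * Unlike strlen(), the loop bound does not depend on the input being terminated. */
rc_t bounded_strlen(const char *msg, size_t *out_len)
{
    size_t i;

    /* Rule: a called function validates every parameter it receives. */
    if (msg == NULL || out_len == NULL) {
        return RC_BAD_PARAM;
    }

    /* Rule: the loop has a fixed upper bound independent of the data. */
    for (i = 0u; i < MAX_MSG_LEN; i++) {
        if (msg[i] == '\0') {
            break;
        }
    }
    assert(i <= MAX_MSG_LEN);        /* the bound held */

    if (i == MAX_MSG_LEN) {
        return RC_TOO_LONG;          /* no terminator inside the bound */
    }
    assert(msg[i] == '\0');          /* we exited on the terminator, not the bound */

    *out_len = i;                    /* single level of dereferencing */
    return RC_OK;
}

/* Copy 'src' into a caller-supplied fixed buffer of 'dst_cap' bytes, NUL-terminated.
 * No allocation: the destination is always storage the caller already owns. */
rc_t bounded_copy(char *dst, size_t dst_cap, const char *src)
{
    size_t len = 0u;
    size_t i;
    rc_t rc;

    if (dst == NULL || src == NULL || dst_cap == 0u || dst_cap > MAX_MSG_LEN + 1u) {
        return RC_BAD_PARAM;
    }

    /* Rule: the caller checks the return value of every non-void function. */
    rc = bounded_strlen(src, &len);
    if (rc != RC_OK) {
        return rc;
    }
    assert(len < MAX_MSG_LEN);       /* guaranteed by bounded_strlen's contract */

    if (len + 1u > dst_cap) {
        return RC_TOO_LONG;          /* would not fit with the terminator */
    }
    assert(len < dst_cap);           /* every index written below is in range */

    /* Bounded copy: 'len' is already proven smaller than both caps. */
    for (i = 0u; i < len; i++) {
        dst[i] = src[i];
    }
    dst[len] = '\0';
    return RC_OK;
}

int main(void)
{
    char buf[16];
    rc_t rc = bounded_copy(buf, sizeof buf, "hello");   /* constructed input */
    printf("rc=%d buf=\"%s\"\n", (int)rc, buf);
    return 0;
}
```

Compiling this with the most pedantic warning level available (for example `-Wall -Wextra -pedantic` on gcc or clang) produces no warnings, which is the tenth rule applied from day one; the fixed `MAX_MSG_LEN` bound is what lets a static analyzer prove both loops terminate.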