Hi -

On Sun, Mar 02, 2008 at 10:20:30AM -0500, Robert Dewar wrote:
> [...]
> >(Off topic, but I'd expect that avionics software is engineered with
> >enough layers of protection, including catching traps, so that a
> >-ftrapv hit would not cause a deep impact.)
>
> As I say, it is more usual in avionics software to rely on proving
> or demonstrating during the certification process that the code
> is correct. [... and exception trapping is sometimes disabled on
> deployed code ...]

Wow. This gives one the impression of eschewing defense in depth, but I suppose the overall record (positive and negative) speaks for itself.

> >>[...] However, in practice, it is hard to imagine a
> >>security-critical piece of software that would not take equal care
> >>to avoid any possibility of exceptional conditions at run time.
> >
> >Maybe, but we just don't live in that world.
>
> I am not sure who "we" is here, those of us who live in the
> DO-178B and MILS worlds definitely do take that kind of care.

If you're saying that security-related software written by people working in DO-178B workflows tends to be as well cared-for as safety-related software, OK. But most security-related software we normal folks use is not written by such people / processes.

> [...] Again, the issue is whether such things are for finding bugs
> during development, or defending against bugs that make it through
> the entire development process.

Those decisions may be made by separate people or even organizations. An OS distributor can decide to use different compiler flags than the code author - whether that be for extra trustworthiness, speed, portability, compatibility. Ideally, protective measures should be usable for either subject.

> Even in the Ada world, it is normal to turn off exceptions in
> safety-critical code for the final delivered software that runs on
> planes.

(Drifting farther off topic onto my personal curiosity: are exception handling paths just not considered powerful & robust enough to design in and rely on? Do these machines have e.g. watchdog timers? Run -O2 vs. -O0 code?)

- FChE