Safe c++ in mission critical realtime apps

I'd like to hear various opinions on how to safely use C++ in mission critical realtime applications.

More precisely, it is probably possible to create some macros/templates/class library for safe data manipulation (sealing for overflows, zero divides produce infinity values or division is possible only for special "nonzero" data types), arrays with bounds checking and foreach loops, safe smart pointers (similar to boost shared_ptr, for instance) and even a safe multithreading/distributed model (message passing and lightweight processes like the ones defined in the Erlang language).

Then we prohibit some dangerous C/C++ constructions such as raw pointers, some raw types, the native "new" operator and native C/C++ arrays (for the application programmer, not for the library writer, of course). Ideally, we should create a special preprocessor/checker; at least we must have some formal checking procedure, which can be applied to sources using some tool or manually by some person.

So, my questions:

1) Are there any existing libraries/projects that utilize such an idea? (Embedded C++ is apparently not of the desired kind.)

2) Is it a good idea at all or not? Or may it be useful only for prototyping some other hypothetical language? Or is it totally unusable?

3) Any other thoughts (or links) on this matter are also welcome.

Sorry if this question is not actually a question, off-topic, duplicate, etc., but I haven't found a more appropriate place to ask it.

user396672 asked Aug 12 '10 12:08
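A sketch of the kind of "safe data manipulation" library the question describes, as an added example that is not part of the original post: a saturating integer, a divisor type that makes division by zero unconstructible, and a bounds-checked fixed-size array. It assumes GCC or Clang for `__builtin_add_overflow`; all type and function names are invented for the example.

```cpp
#include <array>
#include <cstddef>
#include <limits>
#include <stdexcept>
// "Sealed" integer: on overflow the result clamps to INT_MAX/INT_MIN instead of
// wrapping or invoking undefined behaviour (uses GCC/Clang __builtin_add_overflow).
struct SatInt {
    int v;
    constexpr explicit SatInt(int x) : v(x) {}
    SatInt operator+(SatInt o) const {
        int r;
        if (__builtin_add_overflow(v, o.v, &r))    // overflowed: saturate
            return SatInt(o.v > 0 ? std::numeric_limits<int>::max()
                                  : std::numeric_limits<int>::min());
        return SatInt(r);
    }
};

// Divisor type that can only be built from a non-zero value; since operator/ takes
// NonZero rather than int, the zero check happens once, where the raw int enters.
struct NonZero {
    int v;
    explicit NonZero(int x) : v(x) {
        if (x == 0) throw std::invalid_argument("NonZero built from 0");
    }
};
inline SatInt operator/(SatInt a, NonZero d) {
    // The one overflow left in int division: INT_MIN / -1. Saturate it too.
    if (a.v == std::numeric_limits<int>::min() && d.v == -1)
        return SatInt(std::numeric_limits<int>::max());
    return SatInt(a.v / d.v);
}

// Fixed-size array whose operator[] is always bounds-checked (std::array's is not).
template <typename T, std::size_t N>
struct SafeArray {
    std::array<T, N> data{};
    T& operator[](std::size_t i) {
        if (i >= N) throw std::out_of_range("SafeArray index");
        return data[i];
    }
};
// Helpers used to exercise the types above.
int saturating_sum(int a, int b) { return (SatInt(a) + SatInt(b)).v; }
int checked_div(int a, int d) { return (SatInt(a) / NonZero(d)).v; }
template <typename F> bool throws(F f) {
    try { f(); } catch (const std::exception&) { return true; }
    return false;
}
```

The cost of these checks is one branch per operation, which is the overhead trade-off the answers below weigh against raw performance.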


3 Answers

For good rules on how to write C++ for mission critical real-time applications have a look at the Joint Strike Fighter coding standards. Many of the rules there are based on the MISRA C coding standards, which I believe are proprietary. PC-Lint is a C++ code checker with rule sets like what you want (including the MISRA rules). I believe you can customize your own rules as well.

gregg answered Nov 20 '22 13:11


We use C++ in mission-critical real-time applications, although I suppose we have it easy (in theory) because we have to only provide real-time guarantees as good as the hardware our clients use. Thus, sufficient profiling lets us get by without mlockall() or stack pre-loading or any other RT traditions. As for the language itself, I think everyday modern C++ coding practices (ones that discourage C concepts) are entirely sufficient to write robust applications that can be used in RT contexts, given 21st century hardware.

Unit tests and QA should be the main focus of effort, instead of in-house libraries that duplicate existing language features.

Cubbi answered Nov 20 '22 11:11


If you're writing critical high-performance realtime S/W in C++, you probably need every microsecond you can get out of the hardware. As such, I wouldn't necessarily suggest implementing all the extra checks such as ones that you mentioned, at least the ones with overhead implications on program execution. You can obviously mask floating point exceptions to prevent divide by zero from crashing the program.

Some observations:

  • Peer review all code (possibly multiple reviewers). This will go a long way to improving quality without requiring lots of runtime checks.
  • DO make use of diagnostic tools and non-release-only asserts.
  • Do make use of simulation systems to test on non-embedded hardware.
  • C++ was specifically designed without things like bounds checking for performance reasons.

In general I don't suggest arbitrarily restricting the language, although making use of RAII and smart pointers should have minimal overhead and provide a nice benefit.

Someone else pointed out that if you want Ada, just use Ada.

Mark B answered Nov 20 '22 11:11