OEM&Lieferant, Issue 1/2018

Safety and Security in Code
ESDL as a basis for more secure software
By Dr. Darren Buttle, Senior Product Manager ASCET, ETAS GmbH

In the field of embedded software, the C programming language still reigns supreme. Making sure that C code is safe and secure, however, is not so easy. Increased vehicle autonomy will require an even greater reliance on vehicle software integrity than today. To meet this challenge, ETAS has developed the Embedded Software Development Language (ESDL). ESDL helps software engineers meet the challenge of building more software in less time while still satisfying the constraints of ISO 26262, IEC 61508, or related standards.

Over the last forty years, C has become the de facto language for developing embedded software. C is simple, small, fast, and portable and has extensive tool support. But C has a dark side. It is too easy for errors to creep into the code that can be extremely difficult to find. Problems start with the syntax, because it makes code vulnerable to error: for example, optional braces, assignment in expressions, and automatic switch/case fall-through. Then there are semantically dubious or complex features that are difficult to use correctly and encourage “programming on the edge of safety”: for example, goto statements, pointers, and integral promotion. These aspects can also interact in dangerous ways.

Using C programming guidelines, for example MISRA-C or CERT-C, helps to avoid many of these risks. Even when following guidelines, C programming remains prone to errors. Guidelines do not prevent runtime problems like the “buffer overflow” or numeric problems like underflow/overflow and division by zero. Nor can guidelines fix problems of program meaning such as increasing a speed past a limit, reducing a temperature below absolute zero, or accidentally adding a distance to a pressure. C is not expressive enough to capture this information, so preventing these problems requires additional measures like static analysis and testing to identify and remove bugs from the code. This is inefficient: it would be more effective to stop bugs from being created in the first place.

A better language for development

ETAS is rising to all these challenges with a new language to engineer safe and secure software effectively: the Embedded Software Development Language (ESDL). ESDL eliminates typical C pitfalls and, in addition, enables software reuse, simplifies maintenance, and supports product line variant engineering. ESDL enables developers to spend time solving problems instead of programming around the inadequacies of C.

Using code generation to create C

Efficient use of ESDL in development is enabled by ETAS ASCET-DEVELOPER 7, an Eclipse-based Integrated Development Environment (IDE) and a C code generator. The IDE provides modern editing features like language templates, content assistance proposals, and quick fixes for problems. This makes ESDL easy to learn for beginners. ASCET-DEVELOPER 7 also continually checks for ESDL programming violations, calculates quality metrics, and offers best-practice recommendations. Feedback is provided to developers “on the fly” during edit time, reducing the time between making a coding error and its detection to zero. The C code generator translates ESDL to MISRA-conformant C. ASCET-DEVELOPER 7 automatically adds defensive coding checks where they are essential to ensure runtime safety, so they do not need to be built and maintained by hand. The generated C integrates easily into any existing C-based development process.

Securing the language against potential errors

ESDL incorporates many of the aspects included in C programming guidelines into the language itself. Furthermore, ESDL’s design includes features that make it easy to satisfy the requirements on language selection in standards like ISO 26262 and IEC 61508. Integrating these concepts into ESDL enables the ASCET-DEVELOPER 7 tools to check more error cases at editing time than is possible with classic C development. ESDL has a similar syntax to C, so that developers can feel comfortable immediately. However, ESDL removes the dangerous C features that
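The C hazards the article lists (integral promotion, overflow, division by zero, a speed driven past its limit, a temperature below absolute zero, a distance added to a pressure) and the kind of defensive check a code generator can insert for them, shown as an added C example. It is hand-written for this page, not ESDL or ASCET-DEVELOPER output; the 250 km/h speed limit, the millikelvin temperature scale and the struct-per-unit trick are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hand-written defensive checks for the runtime hazards the article names:
 * integral promotion, overflow, division by zero, physical range limits and
 * mixing units. Illustrative only, not ESDL or ASCET-generated C. */

/* Integral promotion: in `~x` a uint8_t is promoted to int, so ~0x0F is -16,
 * not 0xF0, and the comparison silently fails unless cast back to uint8_t. */
bool complement_equals(uint8_t x, uint8_t expected, bool cast_back) {
    return cast_back ? ((uint8_t)~x == expected) : (~x == expected);
}

/* Overflow: add in a wider type and saturate instead of wrapping around. */
int16_t sat_add_i16(int16_t a, int16_t b) {
    int32_t sum = (int32_t)a + (int32_t)b;   /* cannot overflow in int32 */
    if (sum > INT16_MAX) return INT16_MAX;
    if (sum < INT16_MIN) return INT16_MIN;
    return (int16_t)sum;
}

/* Division by zero (and INT32_MIN / -1, which overflows): return a fallback. */
int32_t safe_div_i32(int32_t num, int32_t den, int32_t fallback) {
    if (den == 0) return fallback;
    if (num == INT32_MIN && den == -1) return INT32_MAX;
    return num / den;
}

/* Physical range limits (bounds constructed for this example): clamp and flag. */
#define SPEED_KPH_MAX 250            /* assumed vehicle speed limit */
#define TEMP_MILLIKELVIN_MIN 0       /* absolute zero */
int32_t clamp_i32(int32_t v, int32_t lo, int32_t hi, bool *limited) {
    *limited = (v < lo) || (v > hi);
    return v < lo ? lo : (v > hi ? hi : v);
}
int32_t set_speed_kph(int32_t kph, bool *limited) {
    return clamp_i32(kph, 0, SPEED_KPH_MAX, limited);
}
int32_t set_temp_mk(int32_t mk, bool *limited) {
    return clamp_i32(mk, TEMP_MILLIKELVIN_MIN, INT32_MAX, limited);
}

/* Mixing quantities: giving each unit its own struct makes `d + p` a compile
 * error in C, so only the explicit same-unit operation is possible. */
typedef struct { int16_t mm; } distance_mm;
typedef struct { int16_t pa; } pressure_pa;
distance_mm add_distance(distance_mm a, distance_mm b) {
    return (distance_mm){ sat_add_i16(a.mm, b.mm) };
}
```

The `limited` flag is what lets the caller log or signal that a range check fired rather than silently continuing with a clamped value.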
