Guidelines for the use of the C++14 language in critical and
safety-related systems Sample code compile list(29)
https://www.autosar.org/fileadmin/user_upload/standards/adaptive/17-03/AUTOSAR_RS_CPP14Guidelines.pdf
目的(purpose)
AutosarのC++ GuidelineをOS, 制御のプログラムで利用するにあたって、(1)hosted, freestandingのどちらを基本にすべきか。(2)C++2014,C++2017, C++202aのどれを用いると良いか, (3)どの処理系を併用すると良いかを検討するため、-std=c++14, -std=c++17, -std=c++2aの3種類で、複数のコンパイラでコンパイルすることにより、誤(error)、警告(warning)、関数・変数連携(link)、出力(output)、にどのような影響があるかを確認する。
#成果(outcome)
複数の処理系の特徴が明確になるとともに、各標準段階, hosted, freestandingの特徴と課題を明確にする。
A4-7-1.cpp
算譜(source code)
A4-7-1.cpp
//Guidelines for the use of the C++14 language in critical and safety-related systems
const char* msg="Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp";
//https://www.autosar.org/fileadmin/user_upload/standards/adaptive/17-03/AUTOSAR_RS_CPP14Guidelines.pdf
// There is no description about Autosar declear hosted or freestanding.
// If the Autosar intended both depending on the cases, autosar.h can choose one.
// Compile with -DHOSTED work as hosted environment, -DFREESTANDING work as freestanding.
#include "autosar.h"/// @line add header file https://qiita.com/kaizen_nagoya/items/4bde8f21ab059b96cf2a
#include <cstdint>
using namespace std;/// @line add using
///start AUTOSAR: From here to the "///end AUTOSAR" is from AUTOSAR without code having /// comment in line.
// $Id: A4-7-1.cpp 271687 2017-03-23 08:57:35Z piotr.tanski $
#include <cstdint>
#include <stdexcept>
std::int8_t fn1(std::int8_t x, std::int8_t y) noexcept
{
cout << "fn1(x+y) x="<<x<<" y="<<y<<endl;/// @ line add output
return (x + y); // Non-compliant - may lead to overflow
}
std::int8_t fn2(std::int8_t x, std::int8_t y)
{
cout << "fn2(x,y) x="<<x<<" y="<<y<<endl;/// @ line add output
if (x > 100 || y > 100) // Range check
{
throw std::logic_error("Preconditions check error");
}
return (x + y); // Compliant - ranges of x and y checked before the
// arithmetic operation
}
std::int16_t fn3(std::int8_t x, std::int8_t y) noexcept
{
cout << "fn3(x,y) x="<<x<<" y="<<y<<endl;/// @ line add output
return (static_cast<std::int16_t>(x) + y); // Compliant - std::int16_t type
// is enough for this arithmetic
// operation
}
std::uint8_t fn4(std::uint8_t x, std::uint8_t y) noexcept
{
cout << "fn4(x,y) x="<<x<<" y="<<y<<endl;/// @ line add output
return (x * y); // Non-compliant - may lead to wrap-around
}
std::int8_t fn5(std::int16_t x)
{
cout << "fn5(x) x="<<x<<endl;/// @ line add output
return static_cast<std::int8_t>(x); // Non-compliant - data loss
}
std::int8_t fn6(std::int16_t x)
{
cout << "fn6(x) x="<<x<<endl; /// @ line add output
return x; // Non-compliant - data loss by implicit conversion
}
void f()
{
std::int8_t x1 =
fn1(5, 10); // Compliant - overflow will not occur for these values
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
try
{
std::int8_t x3 =
fn2(250, 250); // Compliant - No overflow, range checks
// inside fn2() function
cout <<"x3="<<x3<<endl;/// @ line add output
}
catch (std::logic_error&)
{
// Handle an error
}
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
// operation underlying type is wider than
// std::int8_t
std::uint8_t x5 = fn4(50, 10); // Non-compliant - Wrap-around occurs
std::int8_t x6 = fn5(100); // Compliant - data loss will not occur
std::int8_t x7 = fn5(300); // Non-compliant - Data loss occurs
std::int8_t x8 = fn6(300); // Non-compliant - Data loss occurs
std::int8_t x9 = 150;
std::int16_t x10 = static_cast<std::int16_t>(x9 + x9); // Non-compliant
x10 = x9 + x9; // Non-compliant
x10 = static_cast<std::int16_t>(x9) + x9; // Compliant
std::int8_t x11 = x9 << 5; // Non-compliant
std::int8_t x12 = 127;
++x12; // Non-compliant
std::uint8_t x13 = 255;
++x13; // Non-compliant
cout <<"x1="<<x1 <<" x2="<<x2<<" x4="<<x4<<" x5="<<x5<<" x6="<<x6<<" x7="<<x7<<" x8="<<x8<<" x9="<<x9<<" x10="<<x10<<" x11="<<x11<<" x12="<<x12<<" x13="<<x13<<endl; /// @ line add output
}
///end AUTOSAR
int start() { /// @{} for start
f();
cout<< msg << endl;
ShutdownOS() EXIT_SUCCESS;
/// Autosar OS 3.1.1, 2009: 7.1.2.2 Undefined Behaviour in OSEK OS
/// OS425 If ShutdownOS is called and ShutdownHook() returns then the operating system shall disable all interrupts and enter an endless loop.
}
##編纂・実行結果(compile and go)
cpa.sh
$ ../cpa.sh a4-7-1
$ clang++ a4-7-1.cpp -I./ -std=c++14 -Wall
a4-7-1.cpp:59:23: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:59:28: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:63:6: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:63:11: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:71:24: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:71:29: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:79:19: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 150 to -106
[-Wconstant-conversion]
std::int8_t x9 = 150;
~~ ^~~
7 warnings generated.
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
$ clang++ a4-7-1.cpp -I./ -std=c++17 -Wall
a4-7-1.cpp:59:23: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:59:28: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:63:6: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:63:11: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:71:24: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:71:29: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:79:19: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 150 to -106
[-Wconstant-conversion]
std::int8_t x9 = 150;
~~ ^~~
7 warnings generated.
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
$ clang++ a4-7-1.cpp -I./ -std=c++2a -Wall
a4-7-1.cpp:59:23: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:59:28: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int8_t x2 = fn1(250, 250); // Non-compliant - Overflow occurs
~~~ ^~~
a4-7-1.cpp:63:6: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:63:11: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
fn2(250, 250); // Compliant - No overflow, range checks
~~~ ^~~
a4-7-1.cpp:71:24: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:71:29: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 250 to -6
[-Wconstant-conversion]
std::int16_t x4 = fn3(250, 250); // Compliant - No overflow, arithmetic
~~~ ^~~
a4-7-1.cpp:79:19: warning: implicit conversion from 'int' to 'std::int8_t' (aka 'signed char') changes value from 150 to -106
[-Wconstant-conversion]
std::int8_t x9 = 150;
~~ ^~~
7 warnings generated.
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
$ g++-8 a4-7-1.cpp -I./ -std=c++14 -Wall
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
$ g++-8 a4-7-1.cpp -I./ -std=c++17 -Wall
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
$ g++-8 a4-7-1.cpp -I./ -std=c++2a -Wall
fn1(x+y) x= y=
fn1(x+y) x=? y=?
fn2(x,y) x=? y=?
x3=?
fn3(x,y) x=? y=?
fn4(x,y) x=2 y=
fn5(x) x=100
fn5(x) x=300
fn6(x) x=300
x1= x2=? x4=-12 x5=? x6=d x7=, x8=, x9=? x10=-212 x11=? x12=? x13=
Rule A4-7-1 (required, implementation, automated)An integer expression shall not lead to data loss.(29)A4-7-1.cpp
#検討事項(agenda)
###1. 自律(freestanding)環境. 接待(hosted)環境
C++N4606 1.4 Implementation compliance p.4
###2. 対応OSの水準、対応通信規約、応用機能による分類
freestanding用の関数、ライブラリ等
###3. C++2014, C++2017, C++202aの比較項目
本件なし
###4. clang++, g++の比較検討項目
clang++警告あり、g++警告なし。
###5 役立つまたは意味のある出力
値未代入変数あり。
#参考文献(reference)
###C++N4741 2018
Working Draft, Standard for Programming Language C++
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2017/n4741.pdf
C++N4741, 2018 Standard Working Draft on ISO/IEC 14882 sample code compile list
https://qiita.com/kaizen_nagoya/items/3294c014044550896010
###N4606 2016
Working Draft, Standard for Programming Language C++
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/n4606.pdf
C++N4606, 2016符号断片編纂一覧(example code compile list)
Working Draft 2016, ISO/IEC 14882(1)
https://qiita.com/kaizen_nagoya/items/df5d62c35bd6ed1c3d43/
文書履歴
ver 0.10 初稿 20180609
最後までおよみいただきありがとうございました。
いいね 💚、フォローをお願いします。
Thank you very much for reading to the last sentence.
Please press the like icon 💚 and follow me for your happy life.