20 June
Rules for Developing Safety-Critical Code (from the latest IEEE Computer), excerpt
Author: Gerard J. Holzmann, NASA/JPL Laboratory for Reliable Software
1. Restrict all code to very simple control flow constructs -- do not use goto statements, setjmp or longjmp constructs, or direct or indirect recursion.
2. Give all loops a fixed upper bound.
3. Do not use dynamic memory allocation after initialization.
4. No function should be longer than what can be printed on a single sheet of paper in a standard format with one line per statement and one line per declaration.
5. The code's assertion density should average to minimally two assertions per function.
6. Declare all data objects at the smallest possible level of scope.
7. Each calling function must check the return value of nonvoid functions, and each called function must check the validity of all parameters provided by the caller.
8. The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions.
9. The use of pointers must be restricted.
10. All code must be compiled, from the first day of development, with all compiler warnings enabled at the most pedantic setting available.
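As an added illustration (this is not code from the article or from Holzmann's paper; all names such as `table_insert`, `table_lookup` and `demo` are hypothetical), here is a small C module written to follow several of the rules at once: fixed-size storage instead of heap allocation (rule 3), loops whose upper bound is a compile-time constant rather than the caller's claim (rule 2), at least two assertions per function (rule 5), parameter validation in every callee and return-value checks in every caller (rule 7), and a preprocessor used only for `#include` and simple constants (rule 8).

```c
/* Added example, not from the article: a fixed-size name/value table
 * written under the ten rules. All names are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rule 3 / rule 8: storage is sized at compile time with simple macros;
 * nothing is allocated on the heap after initialisation. */
#define MAX_ENTRIES 16U
#define MAX_NAME_LEN 32U

typedef struct {
    char name[MAX_NAME_LEN];
    int value;
} entry_t;

typedef struct {
    entry_t items[MAX_ENTRIES];
    size_t count;
} table_t;

/* Rule 7 (callee side): every parameter is validated and an invalid call
 * is reported with a distinct return code instead of being trusted. */
int table_insert(table_t *t, const char *name, int value)
{
    size_t i;
    if (t == NULL || name == NULL) {
        return -1;
    }
    if (t->count >= MAX_ENTRIES) {
        return -2;              /* table full: no dynamic growth (rule 3) */
    }
    /* Rule 2: bounded scan for the terminator rather than strlen(),
     * so an unterminated input cannot run the loop off the end. */
    for (i = 0U; i < MAX_NAME_LEN; i++) {
        if (name[i] == '\0') {
            break;
        }
    }
    if (i == MAX_NAME_LEN) {
        return -3;              /* name too long or not terminated */
    }
    /* Rule 5: assertions record the invariants the copy relies on. */
    assert(t->count < MAX_ENTRIES);
    assert(i < MAX_NAME_LEN);
    memcpy(t->items[t->count].name, name, i + 1U);
    t->items[t->count].value = value;
    t->count++;
    return 0;
}

/* Rule 2: the loop bound is the fixed table size, not only t->count. */
int table_lookup(const table_t *t, const char *name, int *out)
{
    size_t i;
    if (t == NULL || name == NULL || out == NULL) {
        return -1;
    }
    assert(t->count <= MAX_ENTRIES);
    for (i = 0U; i < MAX_ENTRIES && i < t->count; i++) {
        if (strncmp(t->items[i].name, name, MAX_NAME_LEN) == 0) {
            *out = t->items[i].value;
            return 0;
        }
    }
    assert(i <= MAX_ENTRIES);
    return 1;                   /* not found */
}

/* Rule 7 (caller side): the return value of every non-void call is checked. */
int demo(void)
{
    static table_t table;       /* rule 3: static storage, no malloc */
    int v = 0;
    memset(&table, 0, sizeof table);
    if (table_insert(&table, "speed", 42) != 0) {
        return -1;
    }
    /* Constructed over-long name: must be rejected, not truncated. */
    if (table_insert(&table, "this-name-is-far-too-long-for-the-fixed-buffer", 1) == 0) {
        return -2;
    }
    if (table_lookup(&table, "speed", &v) != 0) {
        return -3;
    }
    return v;                   /* 42 when every check passed */
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

Two design choices are worth noting. The name scan in `table_insert` has a constant bound and rejects anything that does not terminate within it, which is what rule 2 buys you: a malformed or hostile input cannot turn a loop into an infinite one or a read past the buffer. And the distinct negative return codes exist so that the caller in `demo` can check them, as rule 7 requires; a callee that silently clamps or ignores bad input leaves the caller with nothing to check.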
=================================================================
Perhaps my experience isn't enough yet for me to evaluate the rules above, but although they look good, some of them seem hard to put into practice, such as 3 and 9, and I didn't understand 8... -_- From now on I'd better post more code instead... this kind of high-level stuff can wait a few years...