8  

I would say that a lot if it comes down to how the system designer(s) are handling system safety at an architectural level.

如果归结为系统设计师如何在架构级别处理系统安全性,我会说很多。

Triplication

For instance if the approach taken is triplicate redundancy with a trusted voter then system trials/testing is going to be the major step in approving the implementation. Suppose that one of the triplicates' development team chose to use Boost. If the system as a whole passed all its test vectors then one could argue that one didn't need to trawl through Boost itself looking for implementation errors. Obviously if all three triplicates had chosen to use Boost then that would be cause for concern, because then the scope of the test vectors becomes unmanageable.

例如,如果所采用的方法是与受信任的选民一起重复三次冗余,那么系统试验/测试将是批准实施的主要步骤。假设其中一个三次开发团队选择使用Boost。如果整个系统通过了所有测试向量,那么人们可能会争辩说,不需要通过Boost本身搜索实现错误。显然,如果所有三个一式三份都选择使用Boost,那么这将引起关注,因为那时测试向量的范围变得难以管理。

Triplication is a standard approach to handling the problem of using software resources like compilers, libraries and programmers all of which are at risk of error. Boost is just another one of these. One could argue that Boost shared pointers are clearly a way of reducing the risk of programmer error. That in the round is most likely to be beneficial to the system as a whole.

Triplication是处理使用软件资源(如编译器,库和程序员)的问题的标准方法,所有这些都存在错误风险。 Boost只是其中之一。有人可能认为Boost共享指针显然是一种降低程序员错误风险的方法。这一轮最有可能对整个系统有利。

Important, but Not Safety Critical

重要但不安全

Where it gets interesting is when triplication is not being used, and one is now in the realms of really having to trust stuff. Interestingly the way a lot of systems seem to get round the problem is to say that ultimately there is a human in control who is supervising and able to intervene in the event of system error.

它变得有趣的地方在于没有使用三元组时,现在一个人真的不得不信任。有趣的是,许多系统似乎解决问题的方式是说最终有一个人在控制谁监督并能够在系统错误的情况下进行干预。

For example the car industry has a set of programming rules called MISRA. The software for an ABS system is supposed to be written to this rule set, and the development tools are supposed to be set to enforce those rules on the source code. The idea is that this will reduce the risk of undetected bugs to an acceptable level. And because ultimately there is a driver driving the car they can always do their own cadence braking. And thus the car industry has avoided having to have a triplicate implementation of ABS.

例如,汽车行业有一套称为MISRA的编程规则。应该将ABS系统的软件写入此规则集,并且应该设置开发工具以对源代码强制执行这些规则。这个想法是,这将把未检测到的错误的风险降低到可接受的水平。而且因为最终有一个驾驶汽车的司机,他们总是可以做自己的节奏制动。因此,汽车行业避免了必须实施一式三份的ABS。

They are extending the same philosophy to more complex car systems like adaptive cruise control and self driving cars. Personally I think that such an extension is unreasonable for self driving cars. The relevant legislation makes it clear that it is the 'drivers' fault if such a vehicle has a crash (ie you are still 'driving' it), but the glossy advertising won't dwell on that important aspect.

他们将相同的理念扩展到更复杂的汽车系统,如自适应巡航控制和自动驾驶汽车。就个人而言,我认为这种延伸对于自驾车是不合理的。相关立法明确指出,如果这样的车辆发生碰撞(即你仍在“驾驶”它),那就是“司机”错误,但光鲜的广告不会纠缠于这个重要方面。

It's the same in the world of medical devices; there's supposed to be a nurse or someone monitoring the patient anyway, so the occasional blip is covered by that supervision. The whole thing is very poor anyway; whilst the software for a medical device may have been written tested and approved, quite often these things run on embedded Windows XP. They all get networked up and end up being infested with computer viruses, etc. The FDA won't let you have an auto update system inplace, only the device vendor can update it, and of course they can't ever hope to keep up. So you end up with a nicely written well tested and good piece of medical software running on top of an OS installation which has had all the world's hackers running around inside it doing god knows what. I think that the use of Boost in these circumstances is not going to add much to the overall system risk.

在医疗设备领域也是如此;无论如何应该是一名护士或有人监视病人,因此偶尔的监督会受到监督。反正整件事情都很糟糕;虽然医疗设备的软件可能已经过测试和批准,但这些东西通常都是在嵌入式Windows XP上运行的。他们都联网并最终被计算机病毒等侵扰。美国食品和药物管理局不会让你有一个自动更新系统,只有设备供应商可以更新它,当然他们也不能希望跟上。因此,你最终得到了一个经过良好编写的经过良好测试且运行良好的医疗软件,它运行在一个操作系统安装之上,让所有世界上的黑客都在里面运行,上帝知道什么。我认为在这些情况下使用Boost不会增加整体系统风险。

So if a MISRA compliant toolchain offered Boost as part of that toolchain then I don't see why that would be any different to a toolchain offering a standard C library. If the toolchain vendor is certifying it then it's no different to the situation with anything else.

因此,如果符合MISRA标准的工具链将Boost作为该工具链的一部分提供,那么我不明白为什么与提供标准C库的工具链有任何不同。如果工具链供应商正在对其进行认证,那么它与其他任何情况都没有区别。

There are weaknesses with that approach. In my experience I have come across a MISRA compliant tool chain in widespread use whose compiler turned out junk object code when all optimisations were turned on. I was actually able to verify this in the disassembly. I then took a look at the source code for toolchains's standard C library, and it clearly wasn't in itself written to the MISRA rule set, and furthermore it contained glaring, horrible bugs.

这种方法存在缺陷。根据我的经验,我遇到了一个广泛使用的MISRA兼容工具链,当所有优化都打开时,编译器会编译垃圾对象代码。我实际上能够在反汇编中验证这一点。然后我看了一下工具链标准C库的源代码,它显然本身没有写入MISRA规则集,而且它包含了明显的,可怕的错误。

And yet there is no regulatory block to building, testing and selling a car ABS system using this tool chain so long as you tick the MISRA checkbox in the project settings. Adding Boost to that toolchain would hardly make matters worse.

然而,只要勾选项目设置中的MISRA复选框,就不会使用此工具链来构建,测试和销售汽车ABS系统。将Boost添加到该工具链几乎不会让事情变得更糟。

Safety Critical Without Triplication

安全至关重要,无三重

The final approach is no triplication and no human supervision. This is really hard because you then need formal proof of the correctness of every component of the tool chain, OS, drivers, chips, etc. AFAIK it's never been done for a truly safety critical system like nuclear reactors, flight control avionics, or other systems that really will definitely kill people if they go wrong.

最后的方法是没有三重并且没有人为监督。这真的很难,因为您需要正式证明工具链,操作系统,驱动程序,芯片等各个组件的正确性.AFAIK从未为核反应堆,飞行控制航空电子设备或其他真正的安全关键系统做过系统如果出错就真的会杀人。

The only thing that comes close so far as I can tell is Greenhill's compiler suite and their INTEGRITY operating system. They can give you (for a large fee) formal testing and verification evidence for every single line of the OS, all their libraries and their compiler, everything. If one were ever to attempt a truly safety critical system without triplication that would be a starting point.

到目前为止,我唯一能说的就是Greenhill的编译器套件和他们的INTEGRITY操作系统。他们可以为您提供(大笔费用)正式的测试和验证证据,用于操作系统的每一行,所有库以及编译器,所有内容。如果有人试图建立一个真正的安全关键系统而不会出现三重作用,那将是一个起点。

I don't think they've done a C++11 yet, though I have added Boost to their toolchain and it worked just fine (it wasn't in a safety critical system I hasten to add).

我不认为他们已经完成了C ++ 11,虽然我已经将Boost添加到他们的工具链中并且它运行得很好(它不是在我必须添加的安全关键系统中)。

Conclusion

Certainly if outfits like Greenhills with a well deserved and good reputation for reliable and thoroughly tested toolchains offer Boost then I think one would be in good position to use it in an regulated system. However I doubt that the whole of Boost would be offered that way; they are more likely to follow the compiler standards.

当然,如果Greenhills这样的服装具有当之无愧的良好声誉,并且可靠且经过全面测试的工具链提供了Boost,那么我认为在受监管的系统中使用它会很有用。但是我怀疑整个Boost会以这种方式提供;他们更有可能遵循编译器标准。

I also know that GCC has in the past been put through formal compiler validation testing so that it could be used in Stuff That Matters. I expect that that will get repeated sooner of later for the more recent incarnations that have taken on aspects of Boost.

我也知道GCC过去已经通过正式的编译器验证测试,因此它可以在Stuff That Matters中使用。我预计,对于Boost方面的最新版本,我会更快地重复这一过程。

11  

I think the best answer we can have here is "yes and no." I will try to explain why.

我认为我们在这里可以得到的最好答案是“是的,不是。”我会尝试解释原因。

Boost is a huge umbrella for many constituent libraries. Some of them depend on each other in various ways (e.g. when a higher-level library needs features provided by a lower-level part of Boost like Type Traits). This raises questions about the usefulness of a simple answer to the question, because if three parts of Boost have been used in a regulated project, but they are different parts than you want to use, it is of no little value to know this. And we will never know the full answer regarding all parts, because you cannot prove a negative (and there are too many parts to ever expect a "100% yes" answer).

Boost是许多组成图书馆的巨大保护伞。它们中的一些以各种方式相互依赖(例如,当更高级别的库需要由类型特征的Boost的较低级别部分提供的特征时)。这引发了对问题简单答案的有用性的质疑,因为如果Boost的三个部分已用于受监管的项目中,但它们与您想要使用的部分不同,那么了解这一点并没有什么价值。而且我们永远不会知道关于所有部分的完整答案,因为你不能证明是负面的(并且有太多部分期望“100%是”答案)。

Boost is (and always has been) rapidly evolving. Entirely new libraries are added all the time. ASIO is a big one that didn't exist at all until somewhat recently. This makes it even more difficult to answer the question, because over time there are parts of Boost which are young and not as well tested as others. Additionally, existing libraries sometimes go through backward-incompatible revisions (e.g. "Boost Filesystem 3" not too long ago).

Boost(并且一直都是)迅速发展。全部都会添加全新的库。 ASIO是一个很大的东西,直到最近才出现。这使得回答这个问题变得更加困难,因为随着时间的推移,Boost的某些部分很年轻,而且没有其他部分经过测试。另外,现有的库有时会经历向后不兼容的修订(例如,不久前的“Boost Filesystem 3”)。

Many parts of Boost end up in projects not by a traditional dependency but rather by copy-pasting code from Boost, and perhaps modifying it to taste (e.g. adding or removing support for specific compilers). Likewise, many parts of Boost end up in projects via the fact that Boost is sort of a proving ground for many new C++ standard library features, such as shared_ptr (C++11) and unordered_map (TR1). Some features which are part of the language today were originally part of Boost, so many people have used "Boost code" without even knowing it.

Boost的许多部分最终不是通过传统的依赖项目而是通过复制粘贴来自Boost的代码,并且可能将其修改为品味(例如,添加或删除对特定编译器的支持)。同样,Boost的许多部分最终都在项目中,因为Boost是许多新的C ++标准库特性的试验场,例如shared_ptr(C ++ 11)和unordered_map(TR1)。今天语言的一部分功能原本是Boost的一部分,因此许多人在不知情的情况下使用了“Boost代码”。

Note that code does not somehow become safer when it transitions to official status within the language--GCC has had bugs which did not exist in the Boost equivalent implementations of the same concepts. This matters when considering practical questions like "Should we allow the use of Boost in our project or should we restrict ourselves to what the compiler vendor gives us?" If you are thinking of using a feature which has been implemented very recently by your compiler vendor (say, within the past year), you may well be better off using a third-party (e.g. Boost) implementation which is more mature.

请注意,当代码转换为语言中的官方状态时,代码不会以某种方式变得更安全 - GCC具有在相同概念的Boost等效实现中不存在的错误。在考虑诸如“我们是否应该允许在我们的项目中使用Boost或者我们是否应该限制编译器供应商为我们提供的内容”这样的实际问题时,这很重要。如果您正在考虑使用最近由编译器供应商实现的功能(例如,在过去一年内),那么使用更成熟的第三方(例如Boost)实现可能会更好。

Finally, since it seems that the impetus for this question is to gain some reassurance that using Boost is not a bad idea for a production project: I would certainly say that in general using Boost is fine and good, with the huge caveat that you need a local expert in Boost who knows which parts of Boost should not be used in your domain. For example, Boost Spirit, Phoenix, and Wave are examples of libraries which have been in Boost for a while but which very few people truly, deeply understand. It's one thing to use library code you don't fully understand (we all do), but quite another to use code which almost no person on earth understands.

最后,因为看起来这个问题的动力是要获得一些保证,使用Boost对于一个生产项目来说并不是一个坏主意:我当然会说通常使用Boost是好的和好的,需要你需要的巨大警告Boost的当地专家,他知道Boost的哪些部分不应该在您的域中使用。例如,Boost Spirit,Phoenix和Wave是图书馆的例子,这些图书馆已经在Boost工作了一段时间,但很少有人真正,深刻理解。使用你不完全理解的库代码(我们都这样做)是一回事,但是使用几乎没有人理解的代码是另一回事。

In summary, I don't think anyone will be able to give you the reassurance that you seek that Boost is OK for safety-critical systems. You need to evaluate it on your own, the same as you need to evaluate your own compiler vendor's software, your other third-party dependencies, and the code you write yourself. I have used all four categories of software quite a lot, and in my experience Boost had fewer critical bugs than any of the others, and fewer regressions than either GCC or my own code.

总而言之,我认为任何人都无法向您保证,您认为Boost适用于安全关键系统。您需要自己评估它,就像您需要评估自己的编译器供应商的软件,其他第三方依赖项以及您自己编写的代码一样。我已经相当多地使用了所有四类软件,根据我的经验,Boost比其他任何软件都有更少的关键错误,并且回归数比GCC或我自己的代码少。