What are some excellent examples of open source code bases from which to learn?
[1] https://www.misra.org.uk/
[2] https://yurichev.com/mirrors/C/JPL_Coding_Standard_C.pdf
[3] https://nasa.github.io/fprime/UsersGuide/dev/code-style.html
Second, give up on C. It simply has not got the resources to help you with safety. It is a wholly lost cause.
In C++, you can package semantics in libraries in ways hard to misuse accidentally. In effect, your library provides the safety that Rust reserves to its compiler. C++ offers more power to the library writer than Rust offers. Use it!
Step 1. NO CONSTANT NUMBERS! All constants should be a define macro or a constant. This will allow you to change code without overflows and having to update the number in 20 places and not knowing what number to use when looping through.
Step 2. SESE (RAII in C++, but most use SESE even in C++). SINGLE ENTRY SINGLE EXIT. Your code should look like
" int *ptr = foo();
if (ptr == NULL) { DEBUG_PRINT("FAILED ALLOCATING PTR IN %s @ %d", __FILE__, __LINE__); goto exit; }
....
exit: if (ptr) free(ptr); .... "
So any allocations you clean up in exit. This way you won't miss it with weird control flows. This is recommended by all CERT C standards.
Step 3: If you can, there are analyzers you can use that will point out all bugs by annotating your code. SAL is arguably the best in the industry and you can catch pretty much all bugs.
Step 4: Even without an analyzer, you should be looking at all warnings and either adding a compiler macro to ignore it, or fixing what's causing it.
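The single-entry/single-exit cleanup pattern from steps 1 and 2 above, as an added worked example (not code from the thread): two resources, one exit label, and a hypothetical tracked_alloc/tracked_free wrapper so a test can force the Nth allocation to fail and confirm that no block leaks on any error path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Named constants instead of magic numbers (step 1 of the post above). */
#define BUF_LEN 16
#define DEBUG_PRINT(...) fprintf(stderr, __VA_ARGS__)
enum status { OK = 0, ERR_ALLOC = 1, ERR_INPUT = 2 };

/* Hypothetical allocator wrapper (not a real library): lets a test force the
   Nth allocation to fail and counts live blocks so leaks on error paths show. */
static int g_fail_at;      /* 1-based index of the call that fails, 0 = never */
static int g_alloc_calls;
static int g_live_blocks;

static void *tracked_alloc(size_t n) {
    g_alloc_calls++;
    if (g_alloc_calls == g_fail_at) return NULL;
    g_live_blocks++;
    return malloc(n);
}
static void tracked_free(void *p) { if (p) { g_live_blocks--; free(p); } }

/* Single entry, single exit: every failure sets rc and jumps to the one
   exit label, which releases only what was actually acquired. */
int process(const char *input) {
    int rc = OK;
    char *a = NULL, *b = NULL;   /* NULL-initialised so the exit path is always valid */

    a = tracked_alloc(BUF_LEN);
    if (a == NULL) { DEBUG_PRINT("alloc a failed in %s @ %d\n", __FILE__, __LINE__); rc = ERR_ALLOC; goto exit; }
    b = tracked_alloc(BUF_LEN);
    if (b == NULL) { DEBUG_PRINT("alloc b failed in %s @ %d\n", __FILE__, __LINE__); rc = ERR_ALLOC; goto exit; }
    if (strlen(input) >= BUF_LEN) { rc = ERR_INPUT; goto exit; }

    strcpy(a, input);            /* bounded by the length check above */
    strcpy(b, a);
exit:
    tracked_free(b);             /* release in reverse order of acquisition */
    tracked_free(a);
    return rc;
}

/* Runs process() with the Nth allocation forced to fail; returns its status. */
int run_case(const char *input, int fail_at) {
    g_fail_at = fail_at; g_alloc_calls = 0; g_live_blocks = 0;
    return process(input);
}
/* Blocks still allocated after the last run_case(); 0 means no leak. */
int leaked_blocks(void) { return g_live_blocks; }
```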
The most popular answer in this thread is "you can only write safe C++" which is bullshit. The language that you use will likely be dictated by the toolchain you're forced to use to meet whatever standard your org has adopted. For example, if you're in the automotive realm and following something like ISO-26262, you'll only be able to use a qualified toolchain that's compatible with your safety MCU – so you'll likely be limited to C or C++, and then FURTHER limited by MISRA standards to a subset of those languages. There is no version of Rust that may be used for safety-critical systems, currently – despite the fact that it's arguably a better language, the rigorous verification/documentation work hasn't been done yet. If you're looking for an alternative to C or C++ for use in safety-critical domains, look at Ada.
You will likely not find any example of an open source codebase for safety critical systems. Rigorously-developed safety-critical systems cost millions of dollars to produce, document, run through V&V, etc. They don't tend to get released as OSS.
For the rest of the folks in this thread: type safety, memory safety, etc. are awesome features – but having a language with these features doesn't allow you to build a safety-critical system. It doesn't even begin to. If you're curious, you can start to look at the roadmap for the Ferrocene project – the company behind it is working with the folks from AdaCore (AFAICR?) to make a version of Rust for safety-critical systems a reality (one that I'm very much looking forward to!)
[1] https://www.cppstories.com/2022/embracing-modern-cpp-book/
In automotive, where I've done ISO26262 work (Functional Safety standards), there are MISRA and CERT C static checkers and guidelines to make them not scream too much, not to mention the fact that you'll be following the style of the code you modify. Beyond that, you can find the industry guidelines for whatever standards you're responsible to follow. It gets worse as you get more strict -- brake controller code in the safety critical path has to meet the strictest formal methods checking as well as a bunch of in-use, on-controller testing. Generally, no one gets thrown into that without any training on the grounds of safety and liability alone.
Maybe stricter than you're looking for, but no memory is allocated or deallocated after the plane takes off and until it lands!
If your job is safety critical software I guess they'd pay for relevant training. If not, looking at the course outlines at least lets you know what trainers think are important topics, for example
https://www.feabhas.com/content/robust-software-embedded-sys...
One training course I had talked about how to design a system with integrity while integrating open source code of unknown integrity. Since software quality and safety critical software depend so much on process, open source by default isn't built to any integrity level. If a system needs two independent implementations of a calculation, an open source code base would never show that.
If you have an experienced safety engineer, ask them about how typically to design the system and software to make the safety case easier and they'll have some ideas of what needs to commonly be done. It depends on the integrity level what strategy and process needs to be followed.
It's not just the code style, but there's a broader mindset that you need to develop.
There are also good presentations and lectures that come up from time to time here or on YouTube where the failure of safety critical software is studied. These can be excellent case studies, such as: https://news.ycombinator.com/item?id=31236303
Pro tip, standards can be hard to find and expensive but you can rent or buy them cheaply from the Latvian Standards website (https://www.lvs.lv/), most are harmonised and exactly the same as IEC or ISO parent standards, just with an LVS cover sheet.
This book, Embedded Software Development for Safety-Critical Systems by Chris Hobbs, gives a great overview of safety software development in general and the key standards; I found it easy to read.
https://www.routledge.com/Embedded-Software-Development-for-...
On a practical note if using C or C++ get familiar with commonly used language subsets such as MISRA (https://www.misra.org.uk) or CERT C, again which is more relevant will depend on industry.
Gimpel's PC-Lint is a commonly used static analyser for MISRA compliance, and you can try it on their website (https://gimpel.com/demo.html). I haven't come across a free, complete checker tool, but you can do a lot with clang and GCC.
Some mention of Rust here but I think that would be a hard language to get through a certification process due to the limited options for qualified tools. That said there is work being done there, https://ferrous-systems.com/ferrocene
I agree with the posters who emphasize that C and C++ are not similar languages and shouldn't be lumped together, fwiw.