I agree with almost all of it except for one thing: gotos have pretty much one legitimate use, as C's equiv to finally {} as part of a try {} block, ie, that specific form of cleanup after error management. NASA implies they have no legitimate use.
longjmp banning is also slightly questionable (although I can see why because it is very easy to do wrong). I use it inside of my code as part of an STM implementation (so begin_tx() setjmps[1], abort_tx() longjmps; its faster than manually unwinding with if(tx error) { return; } spam in deep call stacks.)
Using longjmp for this makes writing code much easier (no needing to error check every single tx function call), so less chance for bugs to slip in.
1: The only ugly part of that is begin_tx() is a function macro, which I prefer never to use in code that is executed; I tolerate it in "fancy template-like generator" setups, though.
Anything that makes it "very easy to do wrong" is not a good idea in flight software. A missing semi-colon in FORTRAN once completely killed a space mission.
I remember reading semi-colon in the report ;-) . I can't find the PDF that I believe I read this in, unfortunately, and I'm not sure if it's publicly available. However, this wikipedia article points to a hypen and suggests that there's some folklore involved, and that revisions have been made in the past: http://en.wikipedia.org/wiki/Mariner_1 .
Edit: Andrew, thanks for pointing out my ignorance, I've never coded FORTRAN, and have been thinking it's a semicolon this entire time. What fitting irony. Sort of makes for an even better story now. >_<
this seems like it may be definitive (well, it's a quote that gives a reference; it also fits with what i remember from the news at the time, which is that it was a do statement and related to the parsing of spaces, but i have no idea how reliable that is): http://catless.ncl.ac.uk/Risks/5.66.html#subj2
if it's correct than it was actually a decimal point instead of a comma.
longjmp banning is also slightly questionable (although I can see why because it is very easy to do wrong). I use it inside of my code as part of an STM implementation (so begin_tx() setjmps[1], abort_tx() longjmps; its faster than manually unwinding with if(tx error) { return; } spam in deep call stacks.)
Using longjmp for this makes writing code much easier (no needing to error check every single tx function call), so less chance for bugs to slip in.
1: The only ugly part of that is begin_tx() is a function macro, which I prefer never to use in code that is executed; I tolerate it in "fancy template-like generator" setups, though.