NASA writes mission-critical flight software in C. And the rules are absolutely INSANE.

> No recursion. Ever.
> Every loop must have a provable upper bound.
> No dynamic memory allocation after initialization.
> Max ~60 lines per function.
> Minimum 2 assertions per function.
> Every return value must be checked.
> Zero compiler warnings allowed.
> Daily static analysis. Zero warnings there too.
> No function pointers.
> Restricted pointer dereferencing.

This is how they write code at NASA / JPL for mission-critical systems.
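As an added example (not code from the post or from NASA/JPL; all names are hypothetical), here is a small telemetry-field parser written to the rules listed above: no recursion, no heap, every loop bounded by a compile-time constant, at least two assertions per function, single-level pointer use, and every return value checked by the caller. It assumes NUL-terminated input; plain `assert()` stands in for the recovery hook flight code would normally route assertion failures to.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_FIELD_LEN 5U                        /* "65535" is the longest field */
#define MAX_LINE_LEN  (2U * MAX_FIELD_LEN + 1U) /* "65535,65535" */
#define PARSE_OK  0
#define PARSE_ERR (-1)

/* Decimal field -> uint16_t. Writes *out only on success. */
int parse_u16(const char *field, size_t len, uint16_t *out)
{
    uint32_t acc = 0U;
    size_t i;
    assert(field != NULL);                      /* rule: >= 2 assertions */
    assert(out != NULL);
    if (len == 0U || len > MAX_FIELD_LEN) return PARSE_ERR; /* bounds the loop */
    for (i = 0U; i < len; i++) {                /* <= MAX_FIELD_LEN iterations */
        if (field[i] < '0' || field[i] > '9') return PARSE_ERR;
        acc = acc * 10U + (uint32_t)(field[i] - '0');
    }
    if (acc > UINT16_MAX) return PARSE_ERR;     /* bad data is an error, not an assert */
    *out = (uint16_t)acc;
    return PARSE_OK;
}

/* "ch,val" line -> two fields; every callee return value is checked. */
int parse_pair(const char *line, uint16_t *ch, uint16_t *val)
{
    size_t i, comma = 0U;
    int found = 0;
    assert(line != NULL);
    assert(ch != NULL && val != NULL);
    for (i = 0U; i < MAX_LINE_LEN && line[i] != '\0'; i++) { /* bounded scan */
        if (line[i] == ',' && !found) { comma = i; found = 1; }
    }
    if (!found || line[i] != '\0') return PARSE_ERR;  /* no separator / too long */
    if (parse_u16(line, comma, ch) != PARSE_OK) return PARSE_ERR;
    if (parse_u16(line + comma + 1U, i - comma - 1U, val) != PARSE_OK) return PARSE_ERR;
    return PARSE_OK;
}

/* Convenience for callers/tests: packed (ch << 16 | val), or -1 on any error. */
long long pair_value(const char *line)
{
    uint16_t ch = 0U, val = 0U;
    if (parse_pair(line, &ch, &val) != PARSE_OK) return -1LL;
    return ((long long)ch << 16) | (long long)val;
}
```

Note that the loop bounds and the rejection of over-long input are what make the trip counts provable; bad data is returned as an error rather than asserted, since assertions are for conditions that should never hold.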