Misra C Software Development Standard
1. Outline
Introduction
Reliability Coding Guidelines
Applications
Further readings
Misra C Software Development Standard
Vittorio Giovara
Politecnico di Torino
Software Engineering
03/10/2008
Vittorio Giovara Misra C Software Development Standard
Creative Commons Licence v3.0 Attribution - ShareAlike
You are free
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work
Under the following conditions
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work,
you may distribute the resulting work only under a license
identical to this one.
For any reuse or distribution, you must make clear to others the
license terms of this work.
Any of these conditions can be waived if you get permission from
the copyright holder.
You can read more about this licence here
http://creativecommons.org/licenses/by-sa/3.0/
Corrections, suggestions, contributions and
translations are welcome!
Document revision 1.0
1 Introduction
What is MISRA C
Software Reliability Program
2 Reliability Coding Guidelines
Overview
Rules in Practice
Extract from the guidelines
Code Examples
3 Applications
Tools
Criticism
4 Further readings
MISRA Mission Statement
To provide assistance to the automotive industry in the
application and creation within vehicle systems of safe and
reliable software.
Association and Purposes
MISRA C
It is a software development standard for the C programming
language. Its aims are to facilitate code portability and reliability
in the context of embedded systems, specifically those systems
programmed in ANSI C.
Standards and reliability
Even though there is no MISRA certification process, the MISRA
guidelines are closely followed, especially in the automotive
industry, as they represent one of the most popular standards
for developing secure software.
Guidelines main targets
MISRA has developed a set of coding guidelines for the
programming language C while other languages (like C++)
are under discussion.
The C guidelines are intended to be applied during the
development of software used in safety-critical
applications.
Even if these guidelines are produced for the automotive
industry, they are often applied to other industries (like
medical devices).
Most of the guidelines can be enforced by performing static
code analysis on application source code.
Versions
There are two different versions of the MISRA C guidelines
(while a third is to be released in 2010):
1 MISRA-C:1998 - Guidelines for the use of the C language
in vehicle based software - 127 rules (93 compulsory, 34
advisory)
2 MISRA-C:2004 - Guidelines for the use of the C language
in critical systems - 141 rules (121 compulsory, 20
advisory)
Supported standards
Only the ANSI C90 standard is supported; there is no plan for an
update to the more modern C99 standard.
Why update MISRA C?
MISRA C was originally developed to support the language
requirements of the 1994 MISRA Guidelines, that specify the use of
"a restricted subset of a standardized structured language" at SIL 2
and above in automotive applications. Since that time, however,
MISRA C has been adopted and used across a wide variety of
industries and applications including the rail, aerospace, military and
medical sectors. Furthermore, a significant number of tools are
available that support enforcing the MISRA C rules.
(from the MISRA C2 FAQ)
General point
The guidelines specify that all of the rules apply equally to
human and machine generated code. Some rules have their
basis in psychological findings (i.e. how developers read the
source). Such issues are not important in machine generated
code (because such code is never read by humans). Those
rules that are motivated by how humans process source code
are flagged as such, so that they may be allowed in machine
generated code.
Rules examples
5 Use of characters are required to be in the source character set.
This excludes the characters $ and @, among others.
22 Declarations of identifiers denoting objects should have the
narrowest block scope unless a wider scope is necessary.
34 The operands of the && and || operators shall be enclosed in
parentheses unless they are single identifiers.
67 Identifiers modified within the increment expression of a loop
header shall not be modified inside the block controlled by that
loop header.
103 Relational operators shall not be applied to objects of pointer
type except where both operands are of the same type and both
point into the same object.
Character encoding
Use of characters are required to be in the source character set. This
excludes the characters $ and @, among others.
    signed char dollar = '$';   /* NOT OK: $ is not in the source character set */
    signed char esc_m = '\m';   /* NOT OK: \m is not a defined escape sequence */
Using an escape sequence that the language does not define is undefined behaviour.
Object Identifiers
Declarations of identifiers denoting objects should have the narrowest
block scope unless a wider scope is necessary.
    typedef int MY_INT;
    static MY_INT use_me;
    extern MY_INT abuse_me;
    extern void func(MY_INT *);
    extern MY_INT ei_1, ei_2;

    void MISRA_version_2(void){
        MY_INT local = 3;      /* only used inside the if block below */
        if (ei_1){
            local += ei_1;
            ei_2 = local;
            func(&local);
            ei_1 += local;
        }
        ei_1 = 33;
    }

    void f(void){
        use_me++;              /* the only reference to the file scope static */
    }

    void g(void){
        abuse_me++;            /* external linkage: other translation units may use it too */
    }
f() is the only function that references the file scope static use_me,
so the definition of use_me could be moved into f() as a block scope
static.
g() might be the only function in the translation unit that accesses the
file scope object abuse_me. But its linkage is external, so functions in
other translation units might access it as well. Define it within the
function as an extern int, you say? No: this has all sorts of potentially
nasty undefined behaviours (interestingly not covered by the MISRA C
document).
In the code block the object local is only accessed within one block (the
body of the if). The definition could be moved to the start of that block;
such a move would be consistent with the intent of this rule in reducing
the visibility of identifiers.
Logical operators
The operands of the && and || operators shall be enclosed in
parentheses unless they are single identifiers.
    if ((var++) || (num == 11)){...}                /* OK */
    if (var++ || num == 11){...}                    /* NOT OK */
    if ((vect[num]) && (num == 11)){...}            /* OK */
    if ((structure.field != 0) && (num < 11)){...}  /* OK */
    if (vect[num] == 4 && (num == 11)){...}         /* NOT OK: left operand not parenthesised */
Primary-expressions don't exist, as such, in the preprocessor. If we assume
the same syntactic forms as for semantic expressions, we need to know the
status of the defined preprocessor operator. Note that unary operators create
a unary-expression, while array and structure references are
postfix-expressions.
Loop blocks
Identifiers modified within the increment expression of a loop header
shall not be modified inside the block controlled by that loop header.
    int flag, si, ei, array[10];
    int *pc;
    flag = 1;
    for (si = 0; (si < 5) && (flag == 1); si++){
        flag = 0;     /* OK, even if it is a loop control variable */
        si = si + 3;  /* NOT OK, it is modified in the loop increment */
    }
    for (pc = array; pc < array + 10; pc++){
        pc++;         /* OK, MISRA says numeric, not scalar */
    }
    for (si = 0; si < ei; si++){
        si++;         /* NOT OK */
        ei++;         /* NOT OK, it is involved with iteration counting */
    }
    flag = 0;
    for (si = 0; flag == 0; ei++){
        si += 2;      /* OK */
        if (si < ei){
            flag = 1; /* OK */
        }
    }
    for (array[si] = 0; array[si] < 10; array[si]++){
        array[ei]--;  /* NOT OK, array is the identifier modified in the increment, even if ei and si differ */
    }
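As an added example (not from the slides), the hazard behind rule 67: a loop counter modified in the body sidesteps the header's si < n test. The function names and the sample array are constructed for the illustration; the extra guard slot keeps the over-read inside the declared array so that the demonstration itself stays within defined behaviour.

```c
#include <stddef.h>

/* Constructed sample: N live elements followed by one guard slot that a
 * correct loop must never touch. The last live element is negative on purpose. */
#define N 6
static const int sample[N + 1] = { 4, -1, 7, 2, 9, -3, /* guard */ 1000 };

/* Sum the non-negative elements of a[0..n-1].
 * NOT OK under rule 67: si is modified inside the loop body, so the header's
 * bound check (si < n) is bypassed and a[n] is read when a[n-1] is negative. */
int sum_nonneg_noncompliant(const int *a, int n)
{
    int si, total = 0;
    for (si = 0; si < n; si++) {
        if (a[si] < 0) {
            si++;           /* skips the negative value ... and the bound check */
        }
        total += a[si];     /* with si == n this reads one past the live data */
    }
    return total;
}

/* Compliant form: only the loop header changes si; the body skips with
 * continue, so every access is guarded by the header's test. */
int sum_nonneg_compliant(const int *a, int n)
{
    int si, total = 0;
    for (si = 0; si < n; si++) {
        if (a[si] < 0) {
            continue;
        }
        total += a[si];
    }
    return total;
}

int main(void)
{
    /* Non-compliant: 4 + 7 + 2 + 9 + guard(1000) = 1022; compliant: 22. */
    return (sum_nonneg_noncompliant(sample, N) == 1022 &&
            sum_nonneg_compliant(sample, N) == 22) ? 0 : 1;
}
```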
Relational operators
Relational operators shall not be applied to objects of pointer type
except where both operands are of the same type and both point into
the same object.
Starting conditions:
    extern int *pi_1, *pi_2;
    extern int ai_1[10], ai_2[20];
    extern char *pc;
    extern int si;
Not passing code:
    if (pi_1 > (int *)pc){
        si++;
    }
    if (pi_1 == pc){
        si++;
    }
    if (pi_1 >= pc){
        si++;
    }
    if (pi_1 == (int *)pc){
        si++;
    }
Passing code:
    if (pi_1 == pi_2){
        si++;
    }
    if (pi_1 < pi_1 + 1){
        si++;
    }
    if (pi_1 >= pc){
        si++;
    }
The not passing code is also not standard-conforming C; the compiler should
print warnings.
Let's make sure we know what we are pointing at.
    pi_1 = ai_1 + 2;
    pi_2 = ai_1 + si;
Not passing code:
    if (pi_2 > ai_2){
        si--;
    }
    pi_2 = ai_2 + si;
    if (pi_1 > pi_2){
        si++;
    }
Passing code:
    if (pi_1 < pi_2){
        si--;
    }
    if (pi_1 != pi_2){
        si--;
    }
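Added example, not from the slides: a bounds check on a cursor walking length-prefixed records, written first with the pointer comparison that rule 103 forbids (p + len need not point into buf at all) and then with size arithmetic that never forms a pointer outside the buffer. The record format, the function names and the sample bytes are constructed for the illustration.

```c
#include <stddef.h>

/* Constructed sample: length-prefixed records. The third record claims 5
 * bytes but only 1 is present, so a parser must stop after two records. */
static const unsigned char sample[] = { 2, 'a', 'b', 3, 'c', 'd', 'e', 5, 'x' };

/* NOT OK under rule 103: when len exceeds the bytes left, p + len is a
 * pointer beyond the end of buf, so the operands of '>' do not both point
 * into the same object and the comparison is undefined behaviour. */
int count_records_noncompliant(const unsigned char *buf, size_t n)
{
    const unsigned char *p = buf;
    const unsigned char *end = buf + n;   /* one past the end: still allowed */
    int count = 0;
    while (p < end) {
        size_t len = *p++;
        if (p + len > end) {              /* p + len may lie outside buf */
            break;
        }
        p += len;
        count++;
    }
    return count;
}

/* Compliant form: compare sizes, not pointers. n - off is the number of
 * bytes left, so no pointer outside buf is ever formed or compared. */
int count_records_compliant(const unsigned char *buf, size_t n)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        size_t len = buf[off++];
        if (len > n - off) {              /* size arithmetic only */
            break;
        }
        off += len;
        count++;
    }
    return count;
}

int main(void)
{
    /* The compliant parser reports 2 complete records on the sample and
     * stays within defined behaviour for every input. */
    return (count_records_compliant(sample, sizeof sample) == 2) ? 0 : 1;
}
```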
Static Analyzers
Static analyzers check the code by parsing the source of the program
and applying the MISRA rules to it. Most of them support both the 1998
and the 2004 version of the MISRA C guidelines.
QA-C by Programming Research is a full featured MISRA C1 and C2
validator.
Testbed by LDRA offers static and dynamic analysis.
PC-Lint by Gimpel is one of the fastest and least expensive validators.
DAC by Ristan-CASE provides reverse engineering, documentation and
code analysis.
Compile Analyzers
Compile analyzers check the code dynamically, while compiling the
program, and report MISRA warnings in a separate list from the normal
compilation errors. They are available for many different target
platforms.
IAR for multiple platform devices.
Keil for ARM and 166/7 processors.
TASKING for TriCore, 166/ST10, 8051, XA and M16C CPUs.
Some common problems
Even though MISRA provides a very high quality set of guidelines,
some basic problems remain.
Some technical inaccuracies involving the C language.
Problems with the C Standard clauses used as the source of the
coding guidelines.
The wording of some rules sometimes causes misunderstandings.
No support for the C99 standard or for other languages.
Please visit as reference
http://www.misra.org.uk/
http://www.misra-c2.com/
http://www.knosof.co.uk/misracom.html
http://en.wikipedia.org/wiki/MISRA_C
Original document available at
http://www.scribd.com/people/view/59403