[slides] Misra C Software Development Standard
November 28, 2016 | Author: Project Symphony Collection | Category: N/A
Short description: This is a set of slides, freely usable, describing the MISRA C development standard for the Software Engineering course.
Outline Introduction Reliability Coding Guidelines Applications Further readings
Misra C Software Development Standard Vittorio Giovara Politecnico di Torino
Software Engineering 03/10/2008
Vittorio Giovara
Misra C Software Development Standard
Creative Commons Licence v3.0 Attribution - ShareAlike
You are free:
- to copy, distribute, display, and perform the work
- to make derivative works
- to make commercial use of the work
Under the following conditions:
- Attribution. You must give the original author credit.
- Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder.
You can read more about this licence here http://creativecommons.org/licenses/by-sa/3.0/
Corrections, suggestions, contributions and translations are welcome! Document revision 1.0
1 Introduction: What is MISRA C; Software Reliability Program
2 Reliability Coding Guidelines: Overview; Rules in Practice; Extract from the guidelines; Code Examples
3 Applications: Tools; Criticism
4 Further readings
What is MISRA C Software Reliability Program
MISRA Mission Statement
To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software.
Association and purposes
MISRA C is a software development standard for the C programming language. Its aims are to facilitate code portability and reliability in the context of embedded systems, specifically those systems programmed in ANSI C.
Standards and reliability
Even though there is no MISRA certification process, the MISRA guidelines are thoroughly followed, especially in the automotive industry, as they represent one of the most popular standards for developing secure software.
Overview Rules in Practice Extract from the guidelines Code Examples
Guidelines main targets
MISRA has developed a set of coding guidelines for the C programming language, while guidelines for other languages (like C++) are under discussion. The C guidelines are intended to be applied during the development of software used in safety-critical applications. Even though these guidelines were produced for the automotive industry, they are often applied in other industries (like medical devices). Most of the guidelines can be enforced by performing static code analysis on the application source code.
Versions
There are two different versions of the MISRA C guidelines (while a third is to be released in 2010):
1 MISRA-C:1998 - Guidelines for the use of the C language in vehicle based software - 127 rules (93 compulsory, 34 advisory)
2 MISRA-C:2004 - Guidelines for the use of the C language in critical systems - 141 rules (121 compulsory, 20 advisory)
Supported standards
Only the ANSI C90 standard is supported; there is no plan for an update to the more modern C99 standard.
Why update MISRA C?
MISRA C was originally developed to support the language requirements of the 1994 MISRA Guidelines, which specify the use of "a restricted subset of a standardized structured language" at SIL 2 and above in automotive applications. Since that time, however, MISRA C has been adopted and used across a wide variety of industries and applications, including the rail, aerospace, military and medical sectors. Furthermore, a significant number of tools are available that support enforcing the MISRA C rules. (From the MISRA C2 FAQ.)
General point
The guidelines specify that all of the rules apply equally to human-written and machine-generated code. Some rules have their basis in psychological findings (i.e. how developers read the source). Such issues are not important in machine-generated code, because such code is never read by humans. Those rules that are motivated by how humans process source code are flagged as such, so that deviating from them may be allowed in machine-generated code.
Rules examples
5   Use of characters is required to be in the source character set. This excludes the characters $ and @, among others.
22  Declarations of identifiers denoting objects should have the narrowest block scope unless a wider scope is necessary.
34  The operands of the && and || operators shall be enclosed in parentheses unless they are single identifiers.
67  Identifiers modified within the increment expression of a loop header shall not be modified inside the block controlled by that loop header.
103 Relational operators shall not be applied to objects of pointer type except where both operands are of the same type and both point into the same object.
Character encoding
Use of characters is required to be in the source character set. This excludes the characters $ and @, among others.
  signed char dollar = '$';
  signed char esc_m = '\m';
Undefined behaviour for an escape sequence that is not defined.
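Since the slides note that most guidelines are enforced by static analysis, here is an added example (not code from the slides) of a minimal checker for rule 5: it scans a constructed source fragment and counts characters outside the C90 basic source character set, reporting the line of the first offender.

```c
#include <string.h>

/* Added example, not from the slides. The C90 basic source character set
   (ISO/IEC 9899:1990, 5.2.1) is the 52 letters, 10 digits, space, HT, VT,
   FF, LF and these 29 graphic characters; '$', '@' and '`' are outside it. */
static const char rule5_graphic[] = "!\"#%&'()*+,-./:;<=>?[\\]^_{|}~";

static int rule5_allowed(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9'))
        return 1;
    if (c == ' ' || c == '\t' || c == '\v' || c == '\f' || c == '\n')
        return 1;
    /* strchr() would match the terminating NUL, so exclude it explicitly */
    return c != '\0' && strchr(rule5_graphic, (int)c) != NULL;
}

/* Returns the number of violating characters in src; first_line (may be
   NULL) receives the 1-based line of the first one, or 0 if none. Comments
   and string literals are checked too, so the check is conservative. */
int rule5_violations(const char *src, int *first_line)
{
    int count = 0, line = 1;
    const unsigned char *p;
    if (first_line != NULL) *first_line = 0;
    for (p = (const unsigned char *)src; *p != '\0'; p++) {
        if (*p == '\n') { line++; continue; }
        if (!rule5_allowed(*p)) {
            if (count == 0 && first_line != NULL) *first_line = line;
            count++;
        }
    }
    return count;
}

int rule5_first_line(const char *src)
{
    int line;
    (void)rule5_violations(src, &line);
    return line;
}

/* Constructed sample input: '$' in an identifier and '@' in a comment. */
const char rule5_sample[] =
    "int ok = 2;\n"
    "int dollar$ = 1;\n"
    "/* mail@host */\n";
const char rule5_clean[] = "int ok = 2;\n";
```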
Object identifiers
Declarations of identifiers denoting objects should have the narrowest block scope unless a wider scope is necessary.
  typedef int MY_INT;
  static MY_INT use_me;
  extern MY_INT abuse_me;
  extern func(MY_INT *);
  extern MY_INT ei_1, ei_2;
  void f(void){ use_me++; }
  void MISRA_version_2(void){
      MY_INT local = 3;
      if (ei_1){
          local += ei_1;
          ei_2 = local;
          func(&local);
          ei_1 += local;
      }
      ei_1 = 33;
  }
  void g(void){ abuse_me++; }
f() is the only function that references the file scope static use_me, so its definition could be moved inside f() as a block-scope static. g() might be the only function in the translation unit that accesses abuse_me, but the linkage is external, so functions in other translation units might access it. Define it within the function as an extern int, you say. Nope: this has all sorts of potentially nasty undefined behaviours (interestingly not covered by the MISRA C document). In the code block the object local is only accessed within one block. The definition could be moved to the start of that block; such a move would be consistent with the intent of this rule in reducing the visibility of identifiers.
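The rewrite described above, as an added example (not code from the slides): use_me becomes a block-scope static inside f() and local moves into the if block, while abuse_me keeps external linkage. The definitions of ei_1, ei_2, abuse_me and func() are assumptions so the unit links stand-alone, and f() returns use_me so the behaviour can be observed.

```c
/* Added example, not from the slides: rule 22 applied to the code above.
   Assumed: ei_1, ei_2 and abuse_me are defined here, func() increments the
   object it is passed. */
typedef int MY_INT;

MY_INT ei_1, ei_2;
MY_INT abuse_me;             /* external linkage: cannot be narrowed */
void func(MY_INT *p) { (*p)++; }

/* use_me is referenced only by f(): same lifetime as before, but it is now
   visible only inside f(). Returned so the behaviour can be checked. */
MY_INT f(void)
{
    static MY_INT use_me = 0;
    use_me++;
    return use_me;
}

/* local is accessed only inside the if block, so it is declared there. */
void MISRA_version_2(void)
{
    if (ei_1) {
        MY_INT local = 3;
        local += ei_1;
        ei_2 = local;
        func(&local);
        ei_1 += local;
    }
    ei_1 = 33;
}

void g(void) { abuse_me++; }

/* Driver: start ei_1 at the given value, run the function, return ei_2. */
MY_INT run_version_2(MY_INT start)
{
    ei_1 = start;
    ei_2 = 0;
    MISRA_version_2();
    return ei_2;
}
```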
Logical operators
The operands of the && and || operators shall be enclosed in parentheses unless they are single identifiers.
  if ((var++) || (num == 11)){...}                  /* OK */
  if (var++ || num == 11){...}                      /* NOT OK */
  if ((vect[num]) && (num == 11)){...}              /* OK */
  if ((structure.field != 0) && (num < 11)){...}    /* OK */
  if (vect[num] == 4 && (num == 11)){...}           /* NOT OK */
Primary-expressions don't exist, as such, in the preprocessor. If we assume the same syntactic forms as for semantic expressions, we need to know the status of the defined preprocessor operator. Note that unary operators create a unary-expression, while array and structure references are postfix-expressions.
Loop blocks
Identifiers modified within the increment expression of a loop header shall not be modified inside the block controlled by that loop header.
  int flag, si, array[10];
  char *pc;
  flag = 1;
  for (si=0; (si= pc){ si++; }   /* loop header truncated in the source */
  if (pi_1 == (int *)pc){ si++; }
The not passing code is also not C compliant; the C compiler should print warnings.
Let's make sure we know what we are pointing at.
  pi_1 = ai_1 + 2;
  pi_2 = ai_1 + si;
  if (pi_2 > ai_2){ si--; }    /* not passing: pi_2 points into ai_1, not ai_2 */
  if (pi_1 < pi_2){ si--; }    /* passing: both point into ai_1 */
  pi_2 = ai_2 + si;
  if (pi_1 != pi_2){ si--; }   /* passing: != is an equality, not a relational, operator */
  if (pi_1 > pi_2){ si++; }    /* not passing: the operands now point into different objects */
Tools Criticism
Static analyzers
Static analyzers check the code by parsing the source code of the program and applying the MISRA rules to it. Most of them support both the 1998 and 2004 versions of the MISRA C guidelines.
- QA-C by Programming Research is a full-featured MISRA C1 and C2 validator.
- Testbed by LDRA offers static and dynamic analysis.
- PC-Lint by Gimpel is one of the fastest and least expensive validators.
- DAC by Ristan-CASE provides a reverse engineering, documentation and code analysis tool.
Compile analyzers
Compile analyzers check the code dynamically, while compiling the program, and report MISRA warnings in a separate list from normal compilation errors. They are available for many different target platforms.
- IAR for multiple platform devices.
- Keil for ARM and 166/7 processors.
- TASKING for TriCore, 166/ST10, 8051, XA and M16C CPUs.
Some common problems
Even though MISRA provides a very high quality set of guidelines, there are still some basic problems involved:
- some technical inaccuracies involving the C language;
- problems with the C Standard clauses used as the source of coding guidelines;
- the wording of some rules sometimes causes misunderstandings;
- no support for the C99 standard or for other languages.
Further readings
Please visit as reference:
http://www.misra.org.uk/
http://www.misra-c2.com/
http://www.knosof.co.uk/misracom.html
http://en.wikipedia.org/wiki/MISRA_C
Original document localized at http://www.scribd.com/people/view/59403