Top 10 Bug Killing Coding Standard Rules

Copyright Barr Group, LLC. Page 1

June 2014
Top 10 Bug-Killing Coding Standard Rules
Michael Barr & Dan Smith

Webinar: June 3, 2014
#BugKillers

Copyright 2014 Barr Group. All rights reserved.

MICHAEL BARR, CTO
Electrical Engineer (BSEE/MSEE)

Experienced Embedded Software Developer

Consultant & Trainer (1999-present)
Embedded software process and architecture improvement
Various industries (e.g., medical devices, industrial controls)

Former Adjunct Professor
University of Maryland 2000-2003 (Design and Use of Operating Systems)
Johns Hopkins University 2012 (Embedded Software Architecture)

Served as Editor-in-Chief, Columnist, Conference Chair

Expert witness (e.g., In re: Toyota unintended acceleration)

Author of 3 books and over 70 articles/papers


BOOK: EMBEDDED C CODING STANDARD
Bugs are expensive to find/kill
It's cheaper/easier to keep a bug out
Bias toward checkable bug-killers
Goals: Safety, security, and reliability

These 10 bug-killing rules + more
Complementary to MISRA-C guidelines
Including our internal stylistic rules

http://barrgroup.com/coding-standard

BARR GROUP
The Embedded Systems Experts

Barr Group helps companies make their
embedded systems safer and more secure.

BARRGROUP.COM
UPCOMING PUBLIC TRAININGS
Embedded SOFTWARE Boot Camp
October 20-24 in Detroit, Michigan

Embedded ANDROID Boot Camp
October 27-31 in Costa Mesa, California

Embedded SECURITY Boot Camp
November 3-7 in Germantown, Maryland

http://barrgroup.com/training-calendar

OVERVIEW OF TODAY'S WEBINAR
Goal
Establish that simple coding rules can reduce bugs

Key Takeaways
10 easy-to-follow bug-killing rules for coding standards

Prerequisites
Familiarity with embedded programming in C or C++


DAN SMITH, PRINCIPAL ENGINEER
BSEE (comp. eng), Princeton

Experienced firmware developer
20+ years of embedded systems design
Control systems, telecom/datacom,
medical devices, defense, transportation
Numerous RTOSes, processors, platforms
Engineer, instructor, speaker, consultant

Focus on secure, safe, fault-tolerant systems

webinars@barrgroup.com

WHY ADOPT A CODING STANDARD?
Several good reasons engineers talk about
Readability, when all of the code looks a certain way
This results when there is a focus on stylistic rules
Portability, when C's inconsistencies are managed

An even better reason is not talked about enough
Certain coding standard rules can keep bugs out!
Finding bugs is hard and time-consuming
WHERE BUGS COME FROM
The original programmer(s)
Programming is the step of bugging the code
Maintenance programmer(s)
By breaking assumptions of the original programmer
By misunderstanding the original programmer's intent

Both types of bugs can be reduced
by following a set of bug-reducing coding rules!

MISRA-C GUIDELINES
Guidelines for use of the C language
in critical systems
A carefully-rationalized subset of C
We highly recommend following it
But MISRA-C is a set of guidelines
NOT a coding standard
Style is not addressed at all

Barr Group's standard is compatible with MISRA-C
CODING STANDARD ENFORCEMENT
To be effective, coding standards must be both:
ENFORCEABLE
Favor objective, enforceable rules over unenforceable ones
Enforce automatically with tools whenever possible
And ENFORCED
By the entire team, and its standard processes
Few, if any, exceptions allowed (and documented)

Rule #1 - always use braces
Rule: Braces ({ }) shall always surround the blocks
of code (also known as compound statements)
following if, else, switch, while, do, and for
keywords.
Single statements and empty statements following
these keywords shall also always be surrounded by
braces.
ALWAYS-BRACES EXAMPLE CODE
DON'T
    if (k == foo)
        bar();          // Indenting not sufficient; use braces also.
    always_run();

    if (k == foo)
        bar();
        always_run();   // Will be executed only when foo == k !!

    if (k == foo)
        bar();
        fred();         // Will always be executed
    always_run();



ALWAYS-BRACES EXAMPLE CODE
DO
    if (k == foo)
    {
        // All code inside the braces conditionally executed.
        bar();
    }
    always_run();
DO
    while (!timer.b_done)
    {
        // Even an empty statement should have braces.
    }
Rule #2 - whenever possible const
Rule: The const keyword shall be used whenever
possible, including:
To declare variables that should not be changed after
initialization
To define call-by-reference function parameters that
should not be modified
To define fields in structs and unions that cannot be
modified (e.g., in a struct overlay for memory-mapped
I/O register)
As a strongly typed alternative to #define for numerical
constants





MAXIMIZE-CONST EXAMPLE CODE
DO
    // Variables that won't be changed & can be stored in ROM.
    char const * gp_model_name = "Acme 9000";
    int const g_build_number = CURRENT_BUILD_NUMBER();

    // Function parameters that must not be modified.
    char *
    strncpy(char * p_dest, char const * p_src, size_t count)
    { }

    // Strongly-typed alternative to #define.
    size_t const HEAP_SIZE = 8192;



Rule #3 - whenever possible static
Rule: The static keyword shall be used to declare all
functions and variables that do not need to be
visible outside of the module in which they are
declared.

Increases encapsulation and data protection
Protects long-lived data from cross-module access
Reduces coupling, improves maintainability

MAXIMIZE-STATIC EXAMPLE CODE
DO
(timer.c)

    #include "timer.h"

    // Variable with visibility only within this file.
    static uint32_t g_next_timeout = 0;

    // Helper function not callable from outside this file.
    static uint32_t add_timer_to_active_list()
    {
        ++g_next_timeout;
    }
Rule #4 - whenever necessary volatile
Rule: The volatile keyword shall be used whenever
appropriate, including:
To declare a global variable accessible (by current use
or scope) by any interrupt service routine
To declare a global variable accessible (by current use
or scope) by two or more tasks
To declare a pointer to a memory-mapped I/O
peripheral register set
Eliminates a whole class of difficult bugs!

OPTIMIZATION: REDUNDANT READS
What your code says
    timer.count = 0;
    timer.control = 0x5000;
    while (timer.count < 100)
    {
        // do stuff
    }
    // do more stuff
What the optimizer does
    timer.count = 0;
    timer.control = 0x5000;
    while (1)
    {
        // do stuff
    }
[saves time and code space]
OPTIMIZATION: UNNECESSARY WRITES
What your code says
    led_reg = 0xA5;     // patient dying
    // code that never reads led_reg
    led_reg = 0xAA;     // patient stable

What the optimizer does
    // code that never reads led_reg
    led_reg = 0xAA;     // patient stable
[saves time and code space]

MORE ON VOLATILE
If working code fails first at optimizer enable,
missing volatile keywords are the likely culprits
Solution: review all declarations for missing volatile
volatile rarely used outside embedded software
Great question to ask prospective firmware hires!

Other uses of volatile
Data that must be wiped (e.g., plaintext, keys, etc.)
Sequencing of operations
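The "data that must be wiped" use of volatile from the list above, as an added example (my own code, not from the Barr Group deck): a key buffer is zeroed through a pointer to volatile so that the optimizer, which may delete a plain memset() whose result is never read again, has to keep every store. The function names secure_zero, count_nonzero and demo_wipe_key and the 16-byte sample key are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>

// Added example, not from the slides. Wipes a buffer through a pointer to
// volatile so the compiler cannot treat the stores as dead and drop them,
// which it may legally do with memset() on a buffer that is never read again.
void secure_zero(void * p_buf, size_t len)
{
    uint8_t volatile * p_byte = (uint8_t volatile *) p_buf;

    while (len > 0u)
    {
        *p_byte = 0u;
        ++p_byte;
        --len;
    }
}

// Counts the bytes that are still non-zero; used to check the wipe.
size_t count_nonzero(uint8_t const * p_buf, size_t len)
{
    size_t nonzero = 0u;
    size_t i;

    for (i = 0u; i < len; ++i)
    {
        if (p_buf[i] != 0u)
        {
            ++nonzero;
        }
    }
    return nonzero;
}

// Fills a constructed 16-byte "key", pretends to use it, wipes it, and
// returns the number of key bytes left behind (expected: 0).
size_t demo_wipe_key(void)
{
    uint8_t key[16];
    size_t i;

    for (i = 0u; i < sizeof(key); ++i)
    {
        key[i] = (uint8_t) (0xA5u ^ i);     // constructed sample key material
    }
    // ... the key would be handed to a cipher here ...
    secure_zero(key, sizeof(key));

    return count_nonzero(key, sizeof(key));
}
```

The difference from memset() is only visible in the generated code (the volatile stores survive at -O2; a memset() of a local that is about to go out of scope often does not), so review both the declaration and the disassembly when a wipe matters.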
VOLATILE USAGE EXAMPLE CODE
DO
    // Every shared global object is volatile
    uint16_t volatile g_state = SYSTEM_STARTUP;

    // as is every hardware register.
    typedef struct
    {
        ...
    } my_fpga_t;
    my_fpga_t volatile * const p_timer = ...;

    // Even some types of non-shared data should be
    uint8_t volatile plaintext[MAX_PLAINTEXT];


Rule #5 - don't disable code with comments
Rule: Comments shall not be used to disable
a block of code, even temporarily.
Use the preprocessor's conditional compilation feature.
Nested comments not part of C standard
Supported on some compilers, not on others
Use version control for experimental code changes
Don't leave commented-out code for next developer
COMMENTED-OUT CODE EXAMPLE
DON'T
    /* outer comment
    a = a + 1;
    /* nested comment */
    b = b + 1;

    */
DO
    #if 0
    a = a + 1;
    /* nested comment */
    b = b + 1;

    #endif


Rule #6 - fixed-width data types
Rule #6: Whenever the width, in bits or bytes, of
an integer value matters in the program, a fixed-
width data type shall be used in place of char,
short, int, long, or long long.
Use C99's signed and unsigned fixed-width data types.

Corollaries
Keywords short and long shall never be used.
Keyword char shall only be used for strings.
RECOMMENDED FIXED-WIDTH TYPE NAMES
Defined in C99 include file <stdint.h>

Adopt these names even if not a C99 compiler!

Integer Width       Signed Type   Unsigned Type
8 bits / 1 byte     int8_t        uint8_t
16 bits / 2 bytes   int16_t       uint16_t
32 bits / 4 bytes   int32_t       uint32_t
64 bits / 8 bytes   int64_t       uint64_t

Rule #7 - bitwise operators
Rule: None of the bitwise operators (&, |, ~, <<,
and >>) shall be used to manipulate signed types.
Doesn't even really make sense
Implementation-defined or undefined behavior

The C standard does not specify the underlying
format of signed data (e.g., 2's complement).
Bitwise operations rely on assumptions!
NO BITWISE SIGNED EXAMPLE CODE
DON'T
    // Division via bit-shift doesn't work when negative.
    int8_t signed_data = -5;
    signed_data >>= 1;              // not necessarily -2

    // Left-shifts of signed data are undefined (in ISO C).
    int32_t signed_data = -100;
    signed_data <<= 1;

    // The meaning of bit flips also varies for signed data.
    uint8_t max_unsigned = ~0;      // 255 (max unsigned)
    int8_t max_signed = ~0;         // -1 (not max signed)

Rule #8 - don't mix signed & unsigned
Rule: Signed integers shall not be combined with
unsigned integers in comparisons or expressions.
Decimal constants meant to be unsigned should be
declared with a u at the end.
Several details of manipulation of binary data in
signed integer containers are implementation-
defined aspects of the ISO C language standard.
Results of mixing signed and unsigned data can lead to
data-dependent bugs.
Often encountered during integration
NO MIX-SIGNED EXAMPLE CODE
DON'T
    int s = -5;
    unsigned int u = 3;

    // WARNING: Dangerous mix of signed and unsigned.
    if (s + u < 0)
    {
        // This correct path should be executed
        // if (-5 + 3) is -2 < 0 as humans expect.
    }
    else
    {
        // This incorrect path is actually executed
    }
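Rules 6 and 8 together, as an added example (my own code, not from the deck) of the kind of data-dependent bug the rule warns about: a buffer-bounds check written with a plain int offset and unsigned sizes passes a negative offset, because the offset is converted to unsigned and the addition wraps round to a small value. The fixed version uses <stdint.h> types, rejects the sign explicitly and never adds two values that can overflow. The function names offset_in_bounds_mixed and offset_in_bounds_fixed are my own.

```c
#include <stdbool.h>
#include <stdint.h>

// DON'T: a bounds check with a signed offset and unsigned sizes (added
// example). The usual arithmetic conversions turn 'offset' into unsigned,
// and the addition can wrap, so a negative offset slips past the comparison:
// offset_in_bounds_mixed(-1, 1u, 16u) returns true.
bool offset_in_bounds_mixed(int offset, unsigned int len, unsigned int buf_size)
{
    return ((offset + len) <= buf_size);
}

// DO: fixed-width types, an explicit sign check, and no addition that can
// wrap (the subtraction cannot underflow once start <= buf_size is known).
bool offset_in_bounds_fixed(int32_t offset, uint32_t len, uint32_t buf_size)
{
    uint32_t start;

    if (offset < 0)
    {
        return false;       // a negative offset is never in bounds
    }
    start = (uint32_t) offset;
    if (start > buf_size)
    {
        return false;
    }
    return (len <= (buf_size - start));
}
```

The same pattern covers length fields read from a packet or a file header: carry them in the unsigned fixed-width type that matches the field, and compare against the remaining space rather than adding the two and comparing the sum.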


Rule #9 - favor inline over macros
Rule: Parameterized macros shall not be used if an
inline function can be written to accomplish the
same task.

C++ compiler-hint keyword inline was added to C as
part of C99.
INLINE VS. MACROS EXAMPLE CODE
DON'T
    // No type checking; possible unintended side effects.
    #define SQUARE(A) ((A)*(A))

DO
    // Inline functions are safer, with no run-time cost.
    inline uint32_t square(uint16_t a)
    {
        return (a * a);
    }
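The "possible unintended side effects" line above, made concrete as an added example (my own code, not from the deck): SQUARE_MACRO expands its argument twice, so an argument with a side effect runs twice, while the inline function evaluates it once. next_sample() is a constructed stand-in for something like a sensor read or a queue pop, and g_calls counts how often it ran; both names are mine.

```c
#include <stdint.h>

static uint32_t g_calls = 0u;           // how often next_sample() has run

// Constructed stand-in for a call with a side effect (e.g. reading a sensor
// or consuming a byte from a queue). Added example, not from the slides.
static uint32_t next_sample(void)
{
    ++g_calls;
    return 3u;
}

#define SQUARE_MACRO(a) ((a) * (a))     // DON'T: argument expanded twice

static inline uint32_t square(uint32_t a)   // DO: argument evaluated once
{
    return (a * a);
}

// Returns how many times next_sample() ran inside the macro (expected: 2).
uint32_t macro_side_effect_count(void)
{
    g_calls = 0u;
    (void) SQUARE_MACRO(next_sample());
    return g_calls;
}

// Returns how many times next_sample() ran for the inline call (expected: 1).
uint32_t inline_side_effect_count(void)
{
    g_calls = 0u;
    (void) square(next_sample());
    return g_calls;
}
```

Both calls still yield 9 here because next_sample() returns a constant; with a real sensor or queue the macro version would multiply two different readings and consume two items instead of one.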


Rule #10 - one variable declaration per line
Rule: Declare each variable on its own line
The comma separator shall not be used within variable
declarations.
Generated code is identical
Compilation isn't any slower either
Biggest benefit:
Improved readability
DON'T
    char * x, y;    // Was y supposed to be a pointer too?
KEY TAKEAWAYS
Different sources of firmware bugs
The original programmer creates some
Maintenance programmers create others
The original programmer has influence over both!
Keep bugs out by adopting coding standard rules
First, by enforcing bug-limiting rules
Enforced automatically, whenever possible
Improved portability, readability and maintainability

QUESTION & ANSWER
ADDITIONAL RESOURCES
Paper: Top 10 Bug-Killing Coding Standard Rules
barrgroup.com/Embedded-Systems/How-To/Bug-Killing-Standards-for-Embedded-C

Book: Embedded C Coding Standard
barrgroup.com/coding-standard

Kit: Embedded Software Training in a Box
barrgroup.com/bootcampbox

Training: Barr Group's Upcoming Public Courses
barrgroup.com/training-calendar