Outline

Introduction
Reliability Coding Guidelines
Applications
Further readings

Misra C Software Development Standard

Vittorio Giovara

Politecnico di Torino

Software Engineering

03/10/2008

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Reliability Coding Guidelines
Applications
Further readings

Creative Common Licence v3.0 Attribution - ShareAlike

You are free
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work
Under the following conditions
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work,
you may distribute the resulting work only under a license
identical to this one.
For any reuse or distribution, you must make clear to oth-
ers the license terms of this work.
Any of these conditions can be waived if you get permission from
the copyright holder.
Vittorio Giovara Misra C Software Development Standard
 Outline
Introduction
Reliability Coding Guidelines
Applications
Further readings

You can read more about this licence here

http://creativecommons.org/licenses/by-sa/3.0/

Corrections, suggestions, contributions and

translations are welcome!

Document revision 1.0

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Reliability Coding Guidelines
Applications
Further readings

1 Introduction
What is MISRA C
Software Reliability Program
2 Reliability Coding Guidelines
Overview
Rules in Practice
Extract from the guidelines
Code Examples
3 Applications
Tools
Criticsm
4 Further readings

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
What is MISRA C
Reliability Coding Guidelines
Software Reliability Program
Applications
Further readings

MISRA Mission Statement

To provide assistance to the automotive industry in the

application and creation within vehicle systems of safe and
reliable software.

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
What is MISRA C
Reliability Coding Guidelines
Software Reliability Program
Applications
Further readings

Association and Purposes

MISRA C
It is a software development standard for the C programming
language. Its aims are to facilitate code portability and reliability
in the context of embedded systems, specifically those systems
programmed in ANSI C.

Standards and reliability

Even though there is not a MISRA certification process, MISRA
guidelines are thoroughly followed, expecially in automotive
industry, as they represent one of the most popular standards
for developing secure software.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Guidelines main targets

MISRA has developed a set of coding guidelines for the

programming language C while other languages (like C++)
are under discussion.
The C guidelines are intended to be applied during the
development of software used in safety-critical
applications.
Even if these guidelines are produced for the automotive
industry, they are often applied to other industries (like
medical devices).
Most of the guidelines can be enforced by performing static
code analysis on application source code.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Versions

There are two different versions of the MISRA C guidelines

(while a third is to be released in 2010)
1 MISRA-C:1998 - Guidelines for the use of the C language
in vehicle based software - 127 rules (93 compulsory, 34
advisory)
2 MISRA-C:2004 - Guidelines for the use of the C language
in critical systems -141 rulse (121 compulsory, 20
advisory)

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Versions

Supported standards
Only ANSI C90 standard is supported, there is no plan for an
update to the more modern standard C99.

Why update MISRA C?

MISRA C was originally developed to support the language
requirements of the 1994 MISRA Guidelines, that specify the use of
"a restricted subset of a standardized structured language" at SIL 2
and above in automotive applications. Since that time, however,
MISRA C has been adopted and used across a wide variety of
industries and applications including the rail, aerospace, military and
medical sectors. Furthermore, a significant number of tools are
available that support enforcing the MISRA C rules.a
a
from the MISRA C2 FAQ
Vittorio Giovara Misra C Software Development Standard
 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

General point

The guidelines specify that all of the rules apply equally to

human and machine generated code. Some rules have their
basis in psychological findings (i.e. how developers read the
source). Such issues are not important in machine generated
code (because such code is never read by humans). Those
rules that are motivated by how humans process source code
are flagged as such, so that they may be allowed in machine
generated code.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Rules examples

5 Use of characters are required to be in the source character set.

This excludes the characters $ and @, among others.
22 Declarations of identifiers denoting objects should have the
narrowest block scope unless a wider scope is necessary.
34 The operands of the && and || operators shall be enclosed in
parenthesis unless they are single identifiers.
67 Identifiers modified within the increment expression of a loop
header shall not be modified inside the block controlled by that
loop header.
103 Relational operators shall not be applied to objects of pointer
type except where both operands are of the same type and both
point into the same object.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Character encoding

Use of characters are required to be in the source character set. This

excludes the characters $ and @, among others.

signed char dollar = ’$’;

signed char esc_m = ’\m’;

Undefined behaviour for a not defined escape sequence.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Object Identifiers

Declarations of identifiers denoting objects should have the narrowest

block scope unless a wider scope is necessary.

typedef int MY_INT;

void MISRA_version_2(void){
static MY_INT use_me;
MY_INT local = 3;
extern MY_INT abuse_me;
if (ei_1){
extern func(MY_INT *);
local+=ei_1;
extern MY_INT ei_1, ei_2;
ei_2=local;
func(&local);
void f(void){
ei_1+=local;
use_me++;
}
}
ei_1=33;
void g(void){
}
abuse_me++;
}
Vittorio Giovara Misra C Software Development Standard
 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

f() is the only function that references a file scope static. The
definition of use_me could be moved to a file scope static.

g() might be the only function in the translation unit that accesses a
file scope object. But the linkage is external, so functions in other
translation units might access it Define it within the function as an
extern int you say. Nope. This has all sorts of potentially nasty
undefined behaviours (interestingly not covered by the MISRA C
document).

In the codeblock the object local is only accessed within one block.
The definition could be moved to the start of that block; such
movement would be consistent with the intent of this rule in reducing
the visibility of identifiers.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Logical operators

The operands of the && and || operators shall be enclosed in

parenthesis unless they are single identifiers.

if ((var++) || (num == 11)){...} /* OK */

if (var++ || num == 11){...} /* NOT OK */

if ((vect[num]) && (num == 11)){...} /* OK */

if ((structure.field != 0) && (num < 11)){...} /* OK */
if (vect[num] == 4 && (num == 11)){...} /* NOT OK */

Primary-expressions don’t exist, as such, in the preprocessor. If we assume

the same syntactic forms as semantics expressions we need to know the
status of the define preprocessor operator. Note that unary operators create
a unary-expression, while arrays and structure references are
postfix-expression.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Loop blocks

Identifiers modified within the increment expression of a loop header

shall not be modified inside the block controlled by that loop header.

int flag, si,array[10];

char *pc;

flag=1;
for (si=0; (si<5) && (flag==1); si++){
flag=0; /* OK, even if it is a loop control variable */
si=si+3; /* NOT OK, it is involved in the loop variables */
}

for (pc=array; pc<array+10; pc++){

pc++; /* OK, MISRA says numeric, not scalar */
}

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

for (si=0; si<ei; si++){

si++; /* NOT OK */
ei++; /* NOT OK, it is involved with iteration counting */
}

flag=0;
for (si=0; flag==0 ; ei++){
si += 2; /* OK */
if (si < ei){
flag = 1; /* OK */
}
}

for (array[si]=0; array[si] < 10; array[si]++){

array[ei]--; /* NOT OK, array[si] has different elements*/
}

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Relational operators

Relational operators shall not be applied to objects of pointer type

except where both operands are of the same type and both point into
the same object.

Starting conditions:

extern int *pi_1, *pi_2;

extern int ai_1[10],ai_2[20];
extern char *pc;

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Not passing code: Passing code:

if (pi_1 > (int *)pc){ if (pi_1 == pi_2){
si++; si++;
} }
if (pi_1 == pc){ if (pi_1 < pi_1+1){
si++; si++;
} }
if (pi_1 >= pc){ if (pi_1 >= pc){
si++; si++;
} }
if (pi_1 == (int *)pc){
si++;
}

The Not passing code is also not C compliant, the C complier should print
warnings.

Vittorio Giovara Misra C Software Development Standard

 Outline
Overview
Introduction
Rules in Practice
Reliability Coding Guidelines
Extract from the guidelines
Applications
Code Examples
Further readings

Let’s make sure we know what we are pointing at.

pi_1=ai_1+2;
pi_2=ai_1+si;

Not passing code: Passing code:

if (pi_2 > ai_2){ if (pi_1 < pi_2){
si--; si--;
} }
pi_2=ai_2+si; if (pi_1 != pi_2){
si--;
if (pi_1 > pi_2){ }
si++;
}

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Tools
Reliability Coding Guidelines
Criticsm
Applications
Further readings

Static Analyzers

The Static Analyzers check the code by parsing the source code of
the program and applying MISRA rules over it. Most of them support
both version 1998 and 2004 of the MISRA C guidelines.

QA-C by Programming Research, is a full feartured MISRA C1 and

C2 validator.

Testbed by LDRA, offers a static and dynamic analysis.

PC-Lint by Gimpel, is one of the fastest and least expensive validtors.
DAC by Ristan-CASE, provides a reverse engineering,
documentation and code analyzer.

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Tools
Reliability Coding Guidelines
Criticsm
Applications
Further readings

Compile Analyzers

The Compile Analyzers check the code dinamically, while compiling

the program, and notify MISRA warnings in a separete list from
normal compilation errors. They are available for many different target
platforms.
IAR for multiple platform devices.
Keil for ARM and 166/7 processors.
TASKING for Tricore, 166/ST10, 8051, XA and M16C cpus.

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Tools
Reliability Coding Guidelines
Criticsm
Applications
Further readings

Some common problems

Even though MISRA provides a very high quality set of guidelines,

there are yet some basic problems involved.

Some technical inaccuracies involving the C language

Problems with the C Standard clause used as the source of
coding guidelines.
Wording of some rules sometimes causes misunderstandings.
No support for C99 standard or other languages.

Vittorio Giovara Misra C Software Development Standard

 Outline
Introduction
Reliability Coding Guidelines
Applications
Further readings

Please visit as reference

http://www.misra.org.uk/
http://www.misra-c2.com/
http://www.knosof.co.uk/misracom.html
http://en.wikipedia.org/wiki/MISRA_C

Original document localized at

http://www.scribd.com/people/view/59403

Vittorio Giovara Misra C Software Development Standard