Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
1. Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Presenter: George Gribkov
2. Presenter: George Gribkov
A C++ developer, one of PVS-Studio's static code analyzer developers.
Develops a set of diagnostic rules that check code for compliance with the MISRA C and MISRA C++ standards.
gribkov@viva64.com
3. Contents
1. Coding standards: reasons why they are required
2. MISRA and AUTOSAR: what's under the hood
3. Standards in your projects
7. Problems
Popularity of C
Popularity of C++
8. Problems
Popularity of C
Popularity of C++
Imperfections in these languages
9. What Caused the Popularity
Available compilers
Standardization
Portability
Long use experience
Efficiency
Support from analysis tools
10. Weaknesses of C and C++
Incomplete standardization
Undefined, unspecified, implementation-defined behavior
Incorrect language use: if ( i = 0 ) or if ( i == 0 )?
13. A Very Expensive Error
On June 4, 1996, Ariane 5, a European launch vehicle, turned into confetti in the 37th second after liftoff.
14. A Very Expensive Error
The investigation revealed that the accident was caused by a programming error (an integer overflow).
The rocket carried 4 satellites.
The financial losses amounted to $370,000,000.
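What that kind of overflow looks like in C, as an added example that is not code from the slides (the page gives none of the flight software's code): the Ariane 5 inquiry traced the failure to a 64-bit floating-point value converted to a 16-bit signed integer, and the conversion below has that shape, double to int16_t. The functions fits_int16, narrow_unchecked, narrow_checked and narrow_saturating are this example's own names.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example (not from the slides): checked narrowing from double to int16_t.
 * Returns true when v, after truncation toward zero, is representable as int16_t.
 * The open interval (-32769, 32768) is exactly the set of doubles whose truncation fits. */
bool fits_int16(double v)
{
    return (v == v) && (v > -32769.0) && (v < 32768.0);   /* v == v rejects NaN */
}

/* Unchecked conversion: the shape of the defect. Converting a double that is out of
 * range for the target integer type is undefined behaviour in C, so this function must
 * never be reached with such a value, and nothing in it prevents that. */
int16_t narrow_unchecked(double v)
{
    return (int16_t)v;
}

/* Checked conversion: fails visibly instead of overflowing. The caller decides what a
 * failure means (re-measure, fall back, raise a fault flag); that decision is exactly
 * what a silent cast throws away. */
bool narrow_checked(double v, int16_t *out)
{
    if (!fits_int16(v)) {
        return false;
    }
    *out = (int16_t)v;
    return true;
}

/* Saturating conversion: clamps to the representable range. Appropriate only when a
 * clipped value is physically meaningful (a sensor that has pegged) and the clip is
 * recorded somewhere the operator can see it. */
int16_t narrow_saturating(double v)
{
    if (v != v) {          /* NaN: there is no meaningful clamp, report the neutral value */
        return 0;
    }
    if (v <= -32769.0) {
        return INT16_MIN;
    }
    if (v >= 32768.0) {
        return INT16_MAX;
    }
    return (int16_t)v;
}
```

The unchecked form compiles without complaint on most toolchains; the defect stays invisible until a value outside the 16-bit range arrives, which is why safety-oriented coding standards treat implicit narrowing as a rule violation rather than a style question.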
17. MISRA: What Is This?
MISRA is a set of guidelines.
Current versions:
MISRA C:2012 – 143 rules
MISRA C++:2008 – 228 rules
18. MISRA: What Is This?
MISRA means «Motor Industry Software Reliability Association»:
Bentley Motor Cars
Ford Motor Company
Jaguar Land Rover
Delphi Diesel Systems
HORIBA MIRA
Protean Electric
Visteon Engineering Services
The University of Leeds
Ricardo UK
ZF TRW
19. A Few Words About AUTOSAR
AUTOSAR means AUTomotive Open System ARchitecture
20. A Few Words About AUTOSAR
AUTOSAR means AUTomotive Open System ARchitecture
BMW Group
Bosch
Continental
Daimler AG
Ford
General Motors
PSA Peugeot Citroën
Toyota
Volkswagen
…and over 200 more partners
21. A Few Words About AUTOSAR
AUTOSAR means AUTomotive Open System ARchitecture
AUTOSAR is a development methodology.
AUTOSAR C++ is a part of this methodology.
The current version:
AUTOSAR C++: 19-03 – over 350 rules
22. MISRA C++ and AUTOSAR C++
          MISRA C++    AUTOSAR C++
C++03     ✓            ✓
C++11     ☓            ✓
C++14     ☓            ✓
24. Rule Categories:
1. Mandatory – no deviations are permissible
2. Required – deviations are acceptable
3. Advisory – optional to follow
25. Rule Examples
Mandatory rules:
Do not use an uninitialized variable's value
Do not use a pointer to FILE after the stream is closed
Do not write unreachable code
A loop's counter must not be of a floating-point type
…
26. Rule Examples
Required rules:
Do not use goto and longjmp
Each switch must end with default
if, else, for, while, do, and switch operator bodies must be enclosed in braces
Do not use variadic functions
…
27. Rule Examples
…and all the rest:
The 'L' suffix must always be capitalized (42L)
Do not use address arithmetic (except for [] and ++)
Do not use the 'comma' operator
Do not change a function's parameter inside the function's body
…
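Several of the rules from slides 25 to 27 side by side in compliant form, as an added example that is neither code from the slides nor text from MISRA. The command decoder, the integer-counter loop and the checksum are constructed for this illustration, and every name in it (command_t, decode_command, sample_count, checksum, sample_frame) is this example's own; each comment names the non-compliant form it replaces.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not from the slides): compliant forms of rules from slides 25-27. */

typedef enum { CMD_NONE = 0, CMD_START = 1, CMD_STOP = 2 } command_t;

/* Mandatory: no read of an uninitialised value (cmd is set before any path reads it).
 * Required: every switch ends with default; every body is enclosed in braces. */
command_t decode_command(uint8_t code)
{
    command_t cmd = CMD_NONE;
    switch (code) {
        case 1u: {
            cmd = CMD_START;
            break;
        }
        case 2u: {
            cmd = CMD_STOP;
            break;
        }
        default: {
            cmd = CMD_NONE;   /* unknown codes are handled explicitly, not silently dropped */
            break;
        }
    }
    return cmd;
}

/* Mandatory: the loop counter is an integer. A counter such as
 *     for (float t = 0.0f; t != 1.0f; t += 0.1f)
 * typically never compares equal to 1.0f, because 0.1f is not exactly representable and
 * the rounding errors accumulate, so the loop runs away. The compliant form counts in
 * integers and derives the float from the count; i == steps yields exactly 1.0f. */
uint32_t sample_count(uint32_t steps, float *last_t)
{
    uint32_t n = 0u;
    float t = 0.0f;
    if (steps == 0u) {
        if (last_t != NULL) { *last_t = 0.0f; }
        return 0u;
    }
    for (uint32_t i = 0u; i <= steps; ++i) {
        t = (float)i / (float)steps;
        ++n;
    }
    if (last_t != NULL) {
        *last_t = t;
    }
    return n;
}

/* Advisory: a parameter is never modified in the body. Instead of decrementing `len`
 * itself, a local copy is decremented, so `len` keeps meaning what the caller passed.
 * Address arithmetic is limited to [] indexing, as the slide allows. */
uint32_t checksum(const uint8_t *buf, uint32_t len)
{
    uint32_t sum = 0u;
    uint32_t remaining = len;
    uint32_t i = 0u;
    while (remaining > 0u) {
        sum += buf[i];
        ++i;
        --remaining;
    }
    return sum;
}

/* Constructed sample frame: 1 + 2 + 3 + 255 = 261. */
static const uint8_t sample_frame[] = { 0x01u, 0x02u, 0x03u, 0xFFu };

uint32_t sample_frame_checksum(void)
{
    return checksum(sample_frame, (uint32_t)(sizeof sample_frame));
}
```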
29. What Else Is There Aside From Rules?
There's a lot!
Rules are classified according to different criteria
Rules are applicable to generated code
A complete list of undefined/unspecified/etc. behaviors
Check-lists that detail how to set up analyzers, checks etc.
A matrix that shows intersections with other standards
Documentation examples
31. Checking Code for Compliance
Do you check code manually? It must be a nightmare!
Use static code analysis tools.
Static analysis is automated code review.
32. How to Start
Start using a standard BEFORE you start a project.
If you've already started your project – think twice.
33. Use Warning Suppression!
Hide old errors to work at the usual pace.
This way you will see only warnings for new code.
You benefit from the analyzer IMMEDIATELY.
Remember the old errors! Come back and fix them one by one.
38. How to Prove Your Project's Compliance?
You need:
Code that complies with the Mandatory and Required rules;
A guide enforcement plan;
Documentation for all deviations;
Documentation for all warnings from compilers and static analyzers;
A guideline compliance summary.
39. A Guide Enforcement Plan
A sample guide enforcement plan:
Rule   Compiler "A"   Compiler "B"   Analyzer "A"    Analyzer "B"   Code review
…
5.1    No errors      No errors      ---             ---            Procedure x
5.2    No errors      No errors      Warning V2561   No messages
…
10.4   Warning 458    No errors      No warnings     No messages
…
40. Document Deviations Well
Sometimes it's impossible to follow a standard precisely.
Example:
const unsigned char *PORT = (const unsigned char *)0x10u; /* an integer address converted to a pointer to reach a memory-mapped port */
Different deviations have different specifics.
41. Document Deviations Well
Deviation documentation must contain:
The broken rule's number
The violation's location
Reasons for the deviation
Safety proof
Possible consequences
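How a deviation like the PORT example on slide 40 can be isolated in one place and documented with the five items slide 41 lists, as an added example that is not taken from the slides. The functions (mmio_configure, mmio_addr_is_known, mmio_ptr, mmio_read8, mmio_write8), the window structure and the wording of the deviation record are this example's assumptions; the rule number is left as a placeholder because the slide does not name one. The register window is configurable so the same code can be exercised against an ordinary byte array in a unit test instead of real hardware.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not from the slides): a documented deviation in the shape slide 41 asks for.
 * Only mmio_ptr() performs the integer-to-pointer conversion, so the record below has exactly
 * one location to point at. The record is a hypothetical illustration of the five items.
 *
 * DEVIATION RECORD (hypothetical wording, for illustration)
 *   Rule number : <rule number from the project's standard goes here>
 *   Location    : this file, function mmio_ptr
 *   Reason      : peripheral registers live at fixed physical addresses; the only way to
 *                 name them in C is to convert an integer address to a pointer.
 *   Safety proof: every address is checked against the configured register window by
 *                 mmio_addr_is_known() before it is converted; the window is set once by
 *                 board initialisation from data-sheet values.
 *   Consequences: an address outside the window is reported as a failure, never dereferenced.
 */

typedef struct {
    uintptr_t base;     /* first valid register address */
    size_t    length;   /* window size in bytes */
} mmio_window_t;

static mmio_window_t g_window = { 0u, 0u };   /* empty until board initialisation sets it */

/* Board initialisation supplies the window (constructed values in the test below). */
void mmio_configure(uintptr_t base, size_t length)
{
    g_window.base = base;
    g_window.length = length;
}

bool mmio_addr_is_known(uintptr_t addr)
{
    return (g_window.length != 0u)
        && (addr >= g_window.base)
        && ((addr - g_window.base) < g_window.length);
}

/* The one place the deviation happens. `volatile` tells the compiler that every access
 * is observable by hardware and must not be cached, merged or reordered away. */
static volatile uint8_t *mmio_ptr(uintptr_t addr)
{
    return (volatile uint8_t *)addr;   /* deviation: integer-to-pointer conversion */
}

bool mmio_read8(uintptr_t addr, uint8_t *out)
{
    if (out == NULL || !mmio_addr_is_known(addr)) {
        return false;
    }
    *out = *mmio_ptr(addr);
    return true;
}

bool mmio_write8(uintptr_t addr, uint8_t value)
{
    if (!mmio_addr_is_known(addr)) {
        return false;
    }
    *mmio_ptr(addr) = value;
    return true;
}
```

Keeping the conversion in a single static function is what makes the "location" item of the record precise: a reviewer or an analyzer suppression can name one function instead of every register access in the code base.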
42. A Guideline Compliance Summary
A sample guideline compliance summary:
Rule   The MISRA Category   Compliance
…
5.1    Mandatory            Compliant
5.2    Required             With deviations
…
10.4   Advisory             Not used
…
43. Summary:
All C/C++ code complies with Mandatory and Required rules
The compliance plan is fully filled out
All deviations are documented
All compiler and analyzer warnings are
The compliance summary is fully filled out
Congratulations! You have set safety to the max!!!
45. The Power of 10: NASA's Golden Rules
1. Remove complex branching, goto and recursion.
2. All loops must have a limit.
3. Give up allocating memory dynamically.
4. Any given function must not exceed a letter-sized sheet of paper.
5. Use no more than two runtime assertions per function.
46. The Power of 10: NASA's Golden Rules
6. Declare data at the lowest scope.
7. Does the function return anything? Do check!
8. Do not use preprocessing.
9. Do not use nested pointers.
10. «A zero-warning rule».
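The ten rules applied to one small unit of code, as an added example that is not from the slides or from NASA: a fixed-capacity byte queue and a bounded scan over a constructed frame. Every name in it (byte_queue_t, queue_init, queue_push, queue_pop, find_terminator, demo_roundtrip, QUEUE_CAPACITY, MAX_SCAN) is this example's own, and the comments say which rule each choice answers to.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not from the slides): a byte queue written to the ten rules as listed.
 * Constants are enums rather than #define, so the only preprocessor use is #include (rule 8). */
enum { QUEUE_CAPACITY = 8 };   /* storage fixed at compile time, no malloc (rule 3) */
enum { MAX_SCAN = 64 };        /* every loop below has a constant upper bound (rule 2) */

typedef struct {
    uint8_t  items[QUEUE_CAPACITY];
    uint32_t head;
    uint32_t count;
} byte_queue_t;

static byte_queue_t g_queue;   /* statically allocated instance */

/* queue_push and queue_pop each carry two runtime checks on their inputs (rule 5). They
 * return a failure code rather than aborting, so every caller has to look at the result
 * (rule 7). No nested pointers anywhere (rule 9). */
bool queue_init(byte_queue_t *q)
{
    if (q == NULL) { return false; }
    q->head = 0u;
    q->count = 0u;
    return true;
}

bool queue_push(byte_queue_t *q, uint8_t value)
{
    if (q == NULL) { return false; }
    if (q->count >= (uint32_t)QUEUE_CAPACITY) { return false; }   /* full: refuse, never overwrite */
    uint32_t tail = (q->head + q->count) % (uint32_t)QUEUE_CAPACITY;   /* lowest scope (rule 6) */
    q->items[tail] = value;
    q->count += 1u;
    return true;
}

bool queue_pop(byte_queue_t *q, uint8_t *out)
{
    if (q == NULL || out == NULL) { return false; }
    if (q->count == 0u) { return false; }
    *out = q->items[q->head];
    q->head = (q->head + 1u) % (uint32_t)QUEUE_CAPACITY;
    q->count -= 1u;
    return true;
}

/* Bounded scan: gives up after MAX_SCAN bytes even when no terminator is present, so a
 * malformed frame cannot turn this into an unbounded loop. Returns the index or -1.
 * Straight-line control flow, no goto, no recursion (rule 1). */
int32_t find_terminator(const uint8_t *buf, uint32_t len, uint8_t term)
{
    if (buf == NULL) { return -1; }
    uint32_t limit = (len < (uint32_t)MAX_SCAN) ? len : (uint32_t)MAX_SCAN;
    for (uint32_t i = 0u; i < limit; ++i) {
        if (buf[i] == term) { return (int32_t)i; }
    }
    return -1;
}

/* Moves a constructed frame, up to its terminator, through the queue and back out,
 * checking every return value (rule 7). Returns bytes moved, or -1 on any failure. */
int32_t demo_roundtrip(void)
{
    static const uint8_t frame[] = { 0x10u, 0x20u, 0x30u, 0x0Au, 0xFFu };   /* constructed sample */
    int32_t end = find_terminator(frame, (uint32_t)(sizeof frame), 0x0Au);
    if (end < 0) { return -1; }
    if (!queue_init(&g_queue)) { return -1; }
    for (uint32_t i = 0u; i < (uint32_t)end; ++i) {
        if (!queue_push(&g_queue, frame[i])) { return -1; }
    }
    int32_t moved = 0;
    for (uint32_t i = 0u; (i < (uint32_t)QUEUE_CAPACITY) && (g_queue.count > 0u); ++i) {
        uint8_t b = 0u;
        if (!queue_pop(&g_queue, &b)) { return -1; }
        if (b != frame[i]) { return -1; }
        moved += 1;
    }
    return moved;
}
```

The drain loop is bounded by QUEUE_CAPACITY rather than by "while the queue is not empty": the extra condition costs nothing, and it turns a potential infinite loop under a corrupted count into a loop that terminates after at most eight iterations.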