MISRA C Rules


After a bit of curiosity about what the MISRA C rules are, I found one that really puzzles me. I am pretty sure there is a logical explanation but I have no clue what it might be. To wit:

MISRA C 2012 Amendment 2:

Rule 21.21

The Standard Library function system of <stdlib.h> shall not be used

OK, many of us (including me) don't really know what is in stdlib.c, or where the particular implementation for our compiler of choice might have originated. That much is fairly clear. But, for me, the BIG question is: What is one to do instead of using stdlib.h?

Thanks

Jim

Until Black Lives Matter, we do not have "All Lives Matter"!

Last Edited: Fri. Nov 27, 2020 - 07:52 AM

I have a copy of MISRA in my cupboard somewhere - I'll have to see if I can find it. But the fact is that the proper MISRA book (when you buy it) not only gives the rules but each has a detailed explanation of why it was implemented by the MISRA committee.

Equally, if you have a paid-for MISRA checking tool like Klocwork, QAC or similar then not only do they scan and flag your code but for each, when you select it, they, equally, will have chapter and verse from the MISRA guide as to why the restriction exists.

Just out of interest, where are you seeing your MISRA list of requirements anyway? If you found it on the internet "for free" then it almost certainly is not sanctioned by MISRA because you don't normally get to see this stuff without paying MISRA some money!

EDIT: just googling myself it seems that while the rule says <stdlib.h> should not be used it's really just one thing within it that they have an objection to and that is the function system() which is how you invoke OS commands on operating systems like Windows and Linux. The "command" you pass can actually be multiple (piped) commands. This is (obviously) a security vulnerability.

(usually when trying to achieve MISRA compliance you and the customer can agree some "waivers" for specific instances where you must break the MISRA rules as there's no alternative)

EDIT2: Actually the Klocwork site is pretty good at explaining rationale. If you search "Misra.stdlib" on this page:

https://bullwhip.physio-control....

then you will see that most things in stdlib.h were already blocked anyway. For example:

https://bullwhip.physio-control....

So you can't use atof(), atoi(), atol() anyway - the rationale is "These functions have undefined behaviour associated with them when the string cannot be converted." Also in stdlib is malloc/free. One of the biggest MISRA rules is:

https://bullwhip.physio-control....

The identifiers calloc, malloc, realloc and free shall not be used and no macro with one of these names shall be expanded.

Rationale

Use of dynamic memory allocation and deallocation routines provided by The Standard Library can lead to undefined behaviour, for example:

  • Memory that was not dynamically allocated is subsequently freed;
  • A pointer to freed memory is used in any way;
  • Accessing allocated memory before storing a value into it. 

The fact is that when you start to remove the atoX() functions and malloc()/free() (and other rules) from stdlib what are you actually left with anyway?

Last Edited: Fri. Nov 27, 2020 - 09:38 AM

ka7ehk wrote:
many of us (including me) don't really know what is in stdlib.c

Apart from the 'C' standard itself, my first point of reference would be:

https://en.cppreference.com/w/c/header

Don't be put off by the "cpp" in the domain name - it covers plain 'C'.

Specifically: https://en.cppreference.com/w/cpp/header/cstdlib

Also good ol' Wikipedia:

https://en.wikipedia.org/wiki/C_standard_library#Header_files

Top Tips:

  1. How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
  2. "Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
  3. Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
  4. Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
  5. When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
  6. Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...

As this is about AVRs I'd start here:

https://www.nongnu.org/avr-libc/...


clawson wrote:
But the fact is that the proper MISRA book (when you buy it) not only gives the rules but each has a detailed explanation of why it was implemented by the MISRA committee.

A single user copy of MISRA C:2012 is £12 these days, so well worth a copy ka7ehk.

On the issue of implementation-defined behavior, note also one of the required directives, Dir 1.1, reads "Any implementation-defined behavior on which the output of the program depends shall be documented and understood", further increasing the documentation requirements.

Note the implementation-defined documentation pack is in addition to the waiver pack, of course.


ka7ehk wrote:
What is one to do instead of using stdlib.h ?
Copy what's needed.

P.S.

ka7ehk wrote:
... or where the particular implementation for our compiler of choice might have originated.
That may be an issue with proprietary C toolchains.

C's namespace is wide open ... invoke the function ... specify the directory where the function's object code is stored.

http://svn.savannah.gnu.org/viewvc/avr-libc/trunk/avr-libc/libc/stdlib/?sortby=file&pathrev=2551

http://svn.savannah.gnu.org/viewvc/avr-libc/trunk/avr-libc/include/stdlib.h?revision=2524&view=markup&sortby=file&pathrev=2551

AVR Libc Home Page

"Dare to be naïve." - Buckminster Fuller


gchapman wrote:
That may be an issue with proprietary C toolchains.

This is an important point; note the toolchain is not excluded from the requirements of MISRA C. The document contains specific guidelines on how to claim compliance in the areas of compilers/toolchains; the most realistic option being to use an ISO 26262 (and similar industry standards) functional-safety certified toolchain.

I'd suggest you'd be in for much less pain ($$$ aside...) using the MPLAB XC toolchain, rather than avr-gcc - MPLAB Development Ecosystem for Safety Applications | Microchip Technology


jtw_11 wrote:
($$$ aside...)
Not as expensive as other toolchains with a functional safety rating.

Part Number: SW006021-FS - MPLAB XC8 Functional Safety License via MPLAB® XC Compilers | Microchip Technology

"Dare to be naïve." - Buckminster Fuller


Indeed, perpetual licensing too!


Copy what's needed.

Better is to not invoke that which is an issue.

#include <stdlib.h>

typedef double longF;
void out(longF value);        /* sink for the value, defined in another translation unit */

int main() {
    longF it = atof("3.14");  /* atof() from <stdlib.h>: the analyzer flags this call */
    out(it);
    srand(25);                /* srand() from <stdlib.h>: not flagged */
}

Enabling MISRA in a kind of static analyzer flagged only

    longF it = atof("3.14");

PC-lint Plus Online Demo - Gimpel Software - The Leader in Static Analysis for C and C++ with PC-lint Plus

"Dare to be naïve." - Buckminster Fuller

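The rationale clawson quoted above ("undefined behaviour ... when the string cannot be converted") and the atof() call that gchapman's lint run flagged point at the same fix: parse with the strtol()/strtod() family, which report overflow through errno and a partial or empty conversion through the end pointer, so the caller can reject bad input instead of silently continuing. The following is an added example written for this thread, not code from any poster or from a MISRA document; the sample strings are constructed, and main()/printf() are only there to make the hosted demo print something (the two parse functions themselves need only <errno.h>, <stdbool.h> and <stdlib.h>).

```c
/* Added example: full-string, range-checked parsing with strtol()/strtod(),
 * as a replacement for atoi()/atol()/atof(), whose behaviour is undefined
 * when the value cannot be represented. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>   /* only for the demo in main() */
#include <stdlib.h>

/* Parse the whole of text as a base-10 long.
 * Returns true only if every character was consumed and the value fits.
 * Leading whitespace and a sign are accepted, as strtol() defines. */
bool parse_long(const char *text, long *out)
{
    char *end = NULL;
    long value;

    if (text == NULL || out == NULL || *text == '\0') {
        return false;
    }
    errno = 0;                        /* strtol sets ERANGE but never clears it */
    value = strtol(text, &end, 10);
    if (errno == ERANGE) {
        return false;                 /* out of range for long */
    }
    if (end == text || *end != '\0') {
        return false;                 /* no digits at all, or trailing garbage */
    }
    *out = value;
    return true;
}

/* Same contract for double via strtod(). strtod() also accepts forms such
 * as "1e3", "0x1p3", "inf" and "nan"; reject those separately if the
 * application does not want them. */
bool parse_double(const char *text, double *out)
{
    char *end = NULL;
    double value;

    if (text == NULL || out == NULL || *text == '\0') {
        return false;
    }
    errno = 0;
    value = strtod(text, &end);
    if (errno == ERANGE) {
        return false;                 /* overflow or underflow */
    }
    if (end == text || *end != '\0') {
        return false;
    }
    *out = value;
    return true;
}

/* Convenience checks for the demo and the self-test. */
bool long_parses_to(const char *text, long expected)
{
    long v = 0;
    return parse_long(text, &v) && v == expected;
}

bool long_parse_fails(const char *text)
{
    long v = 0;
    return !parse_long(text, &v);
}

bool double_parses_near(const char *text, double expected)
{
    double v = 0.0;
    double diff;
    if (!parse_double(text, &v)) {
        return false;
    }
    diff = v - expected;
    return diff < 1e-9 && diff > -1e-9;
}

bool double_parse_fails(const char *text)
{
    double v = 0.0;
    return !parse_double(text, &v);
}

int main(void)
{
    /* Constructed sample inputs: one clean integer, one clean double, then
     * the failure modes atoi()/atof() would not report. */
    const char *samples[] = { "42", "3.14", "12abc", "", "99999999999999999999" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long l;
        double d;
        printf("%-22s long:%s double:%s\n", samples[i],
               parse_long(samples[i], &l) ? "ok " : "bad",
               parse_double(samples[i], &d) ? "ok " : "bad");
    }
    return 0;
}
```

Resetting errno before each call matters: the strto* functions set ERANGE on overflow but never clear it, so a stale value from an earlier call would otherwise be misread as a failure. On a bare-metal AVR build the same two functions work unchanged; only the printf() demo depends on a hosted environment.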

gchapman wrote:
Enabling MISRA in a kind of static analyzer flagged only
Yeah, even with the 2012 update I only see the rules about some (many!) of the functions in <stdlib.h> being verboten - not that the entire header file is. I wonder if this was simply a proposal. I can't find reference to a "21.21" either.

(If I could find my printed copy then, because it is 10+ years old, I suspect it will have no knowledge either!)


I found that reference on a site that appears to be promoting a static analyzer: https://www.perforce.com/resourc...

Was just looking to see what the general rules are. Seems to me that if one of our coding goals is (execution) reliability, that those rules ought to be more readily available for even us grunts. Some of them, I see, could be considered "style" (quite a few around structuring if(), while(), and other looping constructs). To me, most of those appear to be simply "good practice", having gotten caught, a number of times, with loops that looped differently than what I thought I was writing. That is one of the things that I like about the code editor I use (TextWrangler, though I am sure others also offer it), where it marks out where IT thinks that the loops loop (it can also collapse loop blocks, which is useful).

I was a bit dismayed that such an important set of rules is available only by payment. But, I guess that is the way the world is, these days.

Thanks

Jim

Until Black Lives Matter, we do not have "All Lives Matter"!


ka7ehk wrote:
that those rules ought to be more readily available for even us grunts.
Well the above says that these days the entrance price for writing quality/reliable code is now just £12 (I think the books used to be £25+) so it seems cheap to me!

Be warned about what it says about things like the C preprocessor!


I have to agree with Jim: if there is a generally accepted set of standards to writing better code (note that MISRA doesn't stop you getting things completely screwed up, but it mostly forbids methods and structures that have been shown in the past to result frequently in disaster) it would seem sensible to make them freely available to encourage their use. On the other hand, the people doing the work need to be paid!

In a similar manner, BSI or ISO or EN standards are often *requirements* and they are expensive... BSI 3103 (Method for preparation of a liquor of tea for use in sensory tests) costs £110 for non members and £55 for members, though the main points can be seen here: https://neatorama.com/trivia/201...

I can't help feeling that tax payer funded standards, particularly where they are legal requirements, should be freely available to the tax payers. But it seems it's considered a cost of doing business. I suppose they're tax deductible, along with membership of the standards organisation.

Neil


barnacle wrote:
...(note that MISRA doesn't stop you getting things completely screwed up, but it mostly forbids methods and structures that have been shown in the past to result frequently in disaster)...

Just like ISO9001...as long as your manual says that the products you make are utter rubbish, and you make them consistently rubbish, then you can hold 9001 certification.

#1 Hardware Problem? https://www.avrfreaks.net/forum/...

#2 Hardware Problem? Read AVR042.

#3 All grounds are not created equal

#4 Have you proved your chip is running at xxMHz?

#5 "If you think you need floating point to solve the problem then you don't understand the problem. If you really do need floating point then you have a problem you do not understand."