Introduction
MISRA stands for Motor Industry Software Reliability Association. This is a committee that defines rules that ‘C’ (or ‘C++’) programmers need to follow to increase the safety and reliability of their code.
A customer asked me about Rhapsody and MISRA compliance, hence the BLOG entry…
There are multiple MISRA standards, for ‘C’ and ‘C++’. For ‘C’ there is 1998, 2004 and 2012, for ‘C++’ there is the 2008 standard.
Rhapsody has 2 profiles “out-of-the-box”, 1998 for ‘C’ and 2008 for ‘C++’. We (Willert) have created our own profile for MISRA ‘C’ 2004. It is delivered with our RXF Frameworks.
Is Rhapsody generated code MISRA compliant?
Yes and No. (In German they have the word: “Jein” which is a combination of Yes (Ja) and No (Nein). Beautiful word.)
First: there is no such thing as 100% MISRA compliant embedded code. It is almost impossible to write all code exactly as MISRA tells you; the code you need to control your hardware alone will violate multiple rules. The code that Rhapsody generates is created in a way that it is more or less compliant with some important rules.
If you load the MISRA profile, the generated code will contain comments that tell your checker tools that a rule is violated and why that is OK. But again: you have to check yourself, and the MISRA part only applies to code that Rhapsody has generated by itself. The code that you type in yourself is as MISRA compliant as you want it to be…
Restrictions
Code generated from relations with * multiplicity is not MISRA compliant, and neither is dynamic behaviour like instantiation at run-time and dynamic memory allocation.
Code for Ports in Rhapsody in ‘C’ uses recursion, and code for interfaces uses pointer arithmetic. Both are not MISRA compliant and are very difficult to prove correct.
It is not compliant, so it cannot be used?
No, that is not how it works. Let me give you an example that I once learned from Günther Glöe from TÜV.
Suppose that you want to drive a nail into a wall. The only tool you have available is an old hammer that has a defect: the head is pretty loose and can fly off when used.
So… according to popular belief you have to refrain from using the hammer and drive the nail into the wall with your fist. I would personally not do that… it hurts…
I would use the hammer but take precautions to minimize the risk of injuries and other collateral damage. I would remove objects from the vicinity of the place where I want to drive the nail into the wall, warn all people in the neighbourhood to stay away, and then carefully use the old hammer.
This is exactly what MISRA says: “Use with care”. If you have to violate a rule, then take care to prevent it from causing a disaster.
How to use Rhapsody and MISRA
- Load the MISRA profile.
- Check as soon as possible. If you wait with checking for MISRA, you will be flooded with error messages.
- Distinguish between mandatory and advisory rules. You must comply with the first and should try to comply with the latter.
- Document the violations as defined, so that you can do a check run without warnings.
- Create documentation that records all the decisions you took and the measures you took to prevent problems.
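The two points above that matter most in practice, no dynamic memory in generated code and a written record for every rule you do violate, can be shown in a few lines of ‘C’. The following is an added example, not code generated by Rhapsody and not part of the Willert RXF: a fixed-size object pool that replaces malloc()/free() so that "create an object at run-time" stays within a bound fixed at design time (MISRA C:2004 Rule 20.4 forbids heap allocation), next to a documented deviation for a hardware-register access that has to break a rule (Rule 11.3, the cast between an integer and a pointer). The Sensor type, the pool size, the register address 0x40001000 and all function names are constructed for illustration; the directive syntax that makes a checker such as PC-Lint accept a documented deviation is tool-specific and is not shown, only the comment a reviewer reads.

```c
/* Added example, not Rhapsody or RXF code. Sensor, SENSOR_POOL_SIZE and
 * SENSOR_STATUS_REG_ADDR are constructed values for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define SENSOR_POOL_SIZE 4u   /* constructed: upper bound decided at design time */

typedef struct {
    uint16_t id;
    uint16_t last_reading;
} Sensor;

/* All storage is static: no heap, so Rule 20.4 is not violated, and the
 * worst-case memory use is known before the program ever runs. */
static Sensor sensor_pool[SENSOR_POOL_SIZE];
static bool   sensor_in_use[SENSOR_POOL_SIZE];

/* Hands out a free slot, or NULL when the pool is exhausted. The caller must
 * handle NULL: running out of objects is an error that the static bound
 * makes visible, instead of a malloc() failure somewhere deep in a framework. */
Sensor *sensor_alloc(void)
{
    uint32_t i;
    Sensor *s = NULL;
    for (i = 0u; (i < SENSOR_POOL_SIZE) && (s == NULL); i++) {
        if (!sensor_in_use[i]) {
            sensor_in_use[i] = true;
            sensor_pool[i].id = (uint16_t)i;
            sensor_pool[i].last_reading = 0u;
            s = &sensor_pool[i];
        }
    }
    return s;
}

/* Releases a slot. The pointer is matched against the pool by indexing, not
 * by subtracting pointers (Rule 17.4 allows array indexing only), so a stray
 * pointer or a double free is rejected instead of corrupting the pool. */
bool sensor_free(Sensor *s)
{
    uint32_t i;
    bool released = false;
    for (i = 0u; (i < SENSOR_POOL_SIZE) && !released; i++) {
        if ((s == &sensor_pool[i]) && sensor_in_use[i]) {
            sensor_in_use[i] = false;
            released = true;
        }
    }
    return released;
}

/* Number of slots currently handed out; useful for a run-time sanity check. */
uint32_t sensor_count_in_use(void)
{
    uint32_t i;
    uint32_t n = 0u;
    for (i = 0u; i < SENSOR_POOL_SIZE; i++) {
        if (sensor_in_use[i]) {
            n++;
        }
    }
    return n;
}

/* The "use with care" case: a memory-mapped register can only be reached by
 * casting an integer address to a pointer, which Rule 11.3 (advisory) says
 * not to do. The cast is kept in exactly one function and documented here, so
 * the deviation is recorded for the check run and for the reviewer. */
#define SENSOR_STATUS_REG_ADDR 0x40001000u   /* constructed, not a real device */

volatile uint32_t *sensor_status_reg(void)
{
    /* MISRA deviation, Rule 11.3: integer-to-pointer cast is required to
     * address a hardware register. The address is a fixed, aligned constant
     * from the device memory map and no arithmetic is ever performed on it. */
    return (volatile uint32_t *)SENSOR_STATUS_REG_ADDR;
}
```

The pool is the pattern that replaces the dynamic instantiation the restriction above talks about: the number of objects is a design decision written into a constant, and exhaustion becomes a NULL you can test for rather than a heap failure you cannot. The register access is the hammer from the story: you still use it, but in one place, with the reason next to it.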
How to test for MISRA compliance
You can (and should…) test whether your code follows the rules of MISRA by using a checker. Some compilers (among others Tasking and IAR) have checkers built in.
We always use PC-Lint because it is pretty good and very cheap. Other static checkers offer a lot more comfort and more features, but are way more expensive.
- PC-Lint
- Compiler
- Polyspace
- Many more: check Wikipedia.