Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Download as PPTX, PDF0 likes287 views
The document discusses the importance of coding standards for writing reliable C/C++ code in embedded systems, focusing on MISRA and AUTOSAR. It highlights key reasons for their necessity, outlines the categories of rules, and provides practical guidance for implementing these standards in projects. The presentation emphasizes the significance of static code analysis and compliance documentation to enhance software safety.
![…and all the rest:
The ‘L’ suffix must be always capitalized (42L)
Do not use address arithmetic (except for [] and ++)
Do not use the ‘comma’ operator
Do not change a function’s parameter inside the function’s
body
…
Rule Examples
27](https://image.slidesharecdn.com/2019-210615182720/85/Safety-on-the-Max-How-to-Write-Reliable-C-C-Code-for-Embedded-Systems-27-320.jpg)
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
- 1. Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems Presenter: George Gribkov
- 2. A C++ developer, one of PVS-Studio's static code analyzer developers. Develops a set of diagnostic rules that check code for compliance with the MISRA C and MISRA C ++ standards gribkov@viva64.com Presenter: George Gribkov George Gribkov 2
- 3. 1.Coding standards: reasons why they are required 2.MISRA and AUTOSAR: what’s under the hood 3.Standards in your projects Contents 3
- 4. Reasons 4
- 5. Popularity of C Problems 5
- 6. Popularity of C POPULARITY of C Problems 6
- 7. Popularity of C POPULARITY of C Popularity of С++ Problems 7
- 8. Popularity of C POPULARITY of C Popularity of С++ Imperfections in these languages Problems 8
- 9. Available compilers Standardization Portability Long use experience Efficiency Support from analysis tools What Caused the Popularity 9
- 10. Incomplete standardization Undefined, unspecified, implementation-defined behavior Incorrect language use if ( i = 0 ) or if ( i == 0 )? Weaknesses of C and C++ 10
- 11. Weaknesses of C and C++ 11
- 12. When It Comes to Big Responsibility… 12
- 13. On June 4, 1996, Ariane 5, a European launch vehicle, turned into confetti on 37th second after liftoff. A Very Expensive Error 13
- 14. The investigation revealed that the accident was caused by a programmatic error (an integer overflow). The rocket carried 4 satellites. The financial losses amounted to 370 000 000 $. A Very Expensive Error 14
- 15. 15 It’s time to do something!!!
- 16. Coding Standards: What’s Under the Hood? 16
- 17. MISRA is a set of guidelines Current versions: MISRA C:2012 – 143 rules MISRA C++:2008 – 228 rules MISRA: What Is This? 17
- 18. MISRA means «Motor Industry Software Reliability Association»: MISRA: What Is This? 18 Bentley Motor Cars Ford Motor Company Jaguar Land Rover Delphi Diesel Systems HORIBA MIRA Protean Electric Visteon Engineering Services The University of Leeds Ricardo UK ZF TRW
- 19. AUTOSAR means AUTomotive Open System ARchitecture A Few Words About AUTOSAR 19
- 20. AUTOSAR means AUTomotive Open System ARchitecture A Few Words About AUTOSAR 20 BMW Group Bosch Continental Daimler AG Ford General Motors PSA Peugeot Citroën Toyota Volkswagen …and over 200 more partners
- 21. AUTOSAR means AUTomotive Open System ARchitecture AUTOSAR is a development methodology. AUTOSAR C++ is a part of this methodology. The current version: AUTOSAR C++: 19-03 – over 350 rules A Few Words About AUTOSAR 21
- 22. MISRA C++ and AUTOSAR C++ 22 MISRA C++ AUTOSAR C++ C++03 ✓ ✓ C++11 ☓ ✓ C++14 ☓ ✓
- 23. Industries that Use MISRA and AUTOSAR 23
- 24. 1.Mandatory – no deviations are permissible 2.Required – deviations are acceptable 3.Advisory – optional to follow Rule Categories: 24
- 25. Mandatory rules: Do not use an uninitialized variable’s value Do not use a pointer to FILE after the stream is closed Do not write unreachable code A loop’s counter must not be of a floating-point type … Rule Examples 25
- 26. Required rules: Do not use goto and longjmp Each switch must end with default if, else, for, while, do, and switch operator bodies must be enclosed in braces Do not use variadic functions … Rule Examples 26
- 27. …and all the rest: The ‘L’ suffix must be always capitalized (42L) Do not use address arithmetic (except for [] and ++) Do not use the ‘comma’ operator Do not change a function’s parameter inside the function’s body … Rule Examples 27
- 28. Philosophy 28
- 29. There’s a lot! Rules are classified according to different criteria Rules are applicable to generated code A complete list of undefined/unspecified/etc… behaviors Check-lists that detail how to set up analyzers, checks etc. A matrix that shows intersections with other standards Documentation examples What Else Is There Aside From Rules? 29
- 30. Using Standards in Your Projects 30
- 31. Do you check code manually? It must be a nightmare! Use static code analysis tools. Static analysis is automated code review. Checking Code for Compliance 31
- 32. Start using a standard BEFORE you start a project. If you’ve already started your project – think twice. How to Start 32
- 33. Hide old errors to work at the usual pace. This way you will see only warnings for new code. You benefit from the analyzer IMMEDIATELY. Remember the old errors! Come back and fix them one by one. Use Warning Suppression! 33
- 34. How to Work with Suppress Base 34
- 35. Locally on each developer’s computer (plugins for IDEs and compilation monitoring systems are available) How and When Do You Check Code 35
- 36. Continuous integration systems (command-line utilities, plugions for CI systems, monitoring systems) How and Where Can You Check Code 36
- 37. How and Where Can You Check Code 37
- 38. You need: Code that complies with the Mandatory and Required rules; A guide enforcement plan; Documentation for all deviations; Documentation for all warnings from compilers and static analyzers; A guideline compliance summary. How to Prove Your Project’s Compliance? 38
- 39. A sample guide enforcement plan: A Guide Enforcement Plan 39 Rule Compiler Analyzer Code review “A” “B” “A” “B” … 5.1 No errors No errors --- --- Procedure x 5.2 No errors No errors Warning V2561 No messages … 10.4 Warning 458 No errors No warnings No messages …
- 40. Sometimes it’s impossible to follow a standard precisely. Example: const unsigned char *PORT = 0x10u; Different deviations have different specifics. Document Deviations Well 40
- 41. Deviation documentation must contain: The broken rule’s number The violation’s location Reasons for the deviation Safety proof Possible consequences Document Deviations Well 41
- 42. A sample guideline compliance summary A Guideline Compliance Summary 42 Rule The MISRA Category Compliance … 5.1 Mandatory Compliant 5.2 Required With deviations … 10.4 Advisory Not used …
- 43. All C/C++ code complies with Mandatory and Required rules The compliance plan is fully filled-out All deviations are documented All compiler and analyzer warnings are The compliance summary is fully filled out Congratulations! You have set safety to the max!!! Summary: 43
- 44. MISRA Compliance: 2016 Achieving compliance with MISRA Coding Guidelines More Details on MISRA Standard Compliance 44
- 45. 1. Remove complex branching, goto and recursion. 2. All loops must have a limit. 3. Give up allocating memory dynamically. 4. Any given function must not exceed a letter-sized sheet of paper. 5. Use no more than two runtime assertions per function. The Power of 10: NASA’s Golden Rules 45
- 46. The Power of 10: NASA’s Golden Rules 46 6. Declare data at the lowest scope. 7. Does the function return anything? Do check! 8. Do not use preprocessing. 9. Do not use nested pointers. 10. «A zero-warning rule».
- 47. A related article: The Power of 10: NASA’s Golden Rules 47
- 48. Conclusion 48
- 49. Sometimes classic quality assurance methods are insufficient. What do MISRA and AUTOSAR C++ offer? Using standards in your code. Summary 49
- 50. END Q&A50