Nothing Special   »   [go: up one dir, main page]

Featured Webinar: Simplify Compliance Workflows With New C/C++test 2024.2 & AI-Driven Automation Watch Now

MISRA C++ 2023 Guide: Everything You Need to Know

Headshot of Michal Rozenau, active member of the MISRA C and MISRA C++ Working group and a project lead engineer at Parasoft
January 4, 2024
5 min read

Dive into MISRA C++ 2023! Learn about its history, why it's so important, the guidelines, and how Parasoft provides complete MISRA support for safety- and security-critical software development.

MISRA C++ 2023 helps organizations using the modern C++ language develop safety-critical software. Using the new MISRA standard, developers can fulfill the static analysis requirements given by functional safety standards like IEC 6108 or ISO 26262 by ensuring and documenting MISRA compliance for their software applications.

What Is MISRA C++ 2023?

Working together, AUTOSAR and MISRA prepared a set of coding guidelines to enable safe and secure programming using C++17. This published document is MISRA C++ 2023.

MISRA C++ is a set of coding guidelines that define a subset of the C++ language to use in critical systems to reduce the risk of making mistakes and minimize the danger of having a nonconforming program.

The C++ standard does not define the language completely. There are situations when the behavior is undefined, unspecified, or implementation-defined. If a C++ program relies on these, there’s no guarantee it will behave in a predictable way or that it will be portable.

MISRA guidelines are intended to detect such situations to ensure the safety and reliability of the software. Additionally, conformant programs may be written in a way that clearly suggests a mistake in the code or may highly likely be misinterpreted by the developers. MISRA guidelines target such situations.

The Evolution of MISRA C++

The first release of MISRA C++ in 2008 focused on C++03. It gained a lot of popularity, but with C++ advancements and the new features added in C++11, it became outdated. To bridge this gap, in March 2017, AUTOSAR consortium released AUTOSAR C++ guidelines as part of their Adaptive Platform.

Adaptive AUTOSAR uses C++14 as the language of choice, and the platform required a safety and security-oriented coding standard to support developers. Approximately 70% of unmodified MISRA C++2008 guidelines were included in the AUTOSAR C++.

But with continuous language evolution, new language features were added in C++ 17, generating a need for new coding guidelines. MISRA and AUTOSAR decided to merge standards into one publication, and MISRA took over the work on the new edition of the standard with all the updates required for C++17. The result of this work is MISRA C++ 2023, published in October 2023.

MISRA C++ 2023 Guidelines and Rules

MISRA C++ 2023 guidelines are classified as Rules or Directives. Rules are those guidelines that contain a complete definition of compliance and noncompliance. For Directives, it’s not possible to provide the full description necessary to perform a compliance check, as it depends, for example, on the design decisions made in the context of a specific project.

Each guideline is categorized as one of the following:

  • Mandatory
  • Required
  • Advisory

Rules are additionally classified for Decidability and Scope analysis.

Mandatory guidelines must be followed without the possibility of deviation. Required guidelines may be deviated, assuming the formal deviation procedure is followed and all the potential issues have been otherwise mitigated. Advisory guidelines are a sort of recommendation that should be followed as far as it is practical.

The Decidability attribute defines whether the rule is generally analyzable by the automated tool or not. The Scope attribute defines whether a guideline should be checked by analyzing a single translation unit or the whole system.

There are 179 MISRA C++ 2023 guidelines, four Directives, and 175 Rules that are grouped into sections corresponding to the sections of the C++ standard, including the following:

  • Basic concepts
  • Standard conversions
  • Expressions
  • Statements
  • Special member functions
  • Exception handling

Some of these rules are derived from the AUTOSAR Coding Guidelines or the old MISRA C++ 2008. However, MISRA guidelines focused on implementation only, whereas AUTOSAR also provided recommendations related to design, toolchain infrastructure, or documentation. Generally, MISRA C++ 2023 is oriented on the semantics of the code and on avoiding mistakes without giving too much stylistic guidance.

How to Achieve MISRA C++ 2023 Compliance

MISRA C++ 2023 imposes requirements to follow compliance processes defined in the MISRA Compliance document. It’s a separate document shared between MISRA C and MISRA C++ standards. The most recent version was released in 2020 and supersedes the earlier version from 2016.

MISRA Compliance introduces a collection of requirements regarding compliance process and reporting. It defines special reports expected as compliance artifacts.

  • Guidelines Enforcement Plan is a document that specifies all of the technical means that will be used to enforce guidelines.
  • Guidelines Recategorization Plan is a document that describes all the changes in the guidelines categories introduced for the specific project.
  • Guidelines Compliance Summary is a report documenting the level of compliance for every guideline.

In addition, the Compliance document recommends a complete process for handling deviations that include requirements for deviation records, use of deviation permits, and a list of reasons for which deviations are acceptable.

Having a standardized set of requirements for claiming projects to be MISRA-compliant helps organizations to ensure an appropriate level of confidence and to have the ability to combine the compliance reports when integrating multiple modules provided by contractors, assuming that MISRA C/C++ code checking has been performed for each of them.

Some of the guidelines could be checked using the code review process, although it would be cumbersome. Others, especially those that require whole system analysis, including guidelines that require data and control flow analysis to be performed on the complete set of the application source code, are practically impossible to check manually. Therefore, it’s important to use automated static code analysis tools, like Parasoft C/C++test, that provide complete support for MISRA C++ 2023 to analyze the code against MISRA guidelines and generate the appropriate set of compliance documents.

Why Is MISRA C++ 2023 Critical for Safe & Secure Software?

MISRA C++ aims to provide a safe subset of the C++ language. This is achieved by several requirements and limitations on the C++ source code to enhance the safety and security of the applications.

Error Prevention

The C++ Standard specifies certain situations as undefined behavior, mostly to allow compilers to generate more efficient code. Compilers are allowed to assume that the undefined behavior situation will never occur and to perform additional optimizations based on that assumption. This comes with a risk that, if the situation occurs, the behavior of the program is unpredictable. And in some cases, it means that the program behaves perfectly fine when running the tests and fails in production, which may cause the whole verification process to be futile. MISRA C++ provides guidelines that directly or indirectly guard against undefined behavior. An example case would be evaluating the indeterminate value of an object, which is guarded against by Rule 11.6.2 The value of an object must not be read before it has been set.

Code Maintainability

Certain aspects of the abstract machine are described in the C++ Standard as implementation-defined. That means the behavior of the code is well-defined and needs to be documented, but it may differ between implementations.

A program that depends on the implementation-defined behavior may be hard to port to another target. An example of such behavior would be the sizeof(int), which affects the behavior of the arithmetic operations, such as all operands with narrower types being promoted before the actual operation occurs. That in the end may result in different outcomes of the arithmetic operation depending on the compilation target. MISRA C++ guidelines guard against such problems with their Standard conversion rules, like the following:

  • Rule 7.0.5 Integral promotion and the usual arithmetic conversions shall not change the signedness or the type category of an operand.
  • Rule 7.0.6 Assignment between numeric types shall be appropriate.

Risk Management

MISRA guidelines also address a class of potential risks caused by the developer’s confusion or incorrect understanding of the valid C++ source code. For example, the code if (x = y) is perfectly valid C++ but is very likely to be a result of a typing error where the assignment operator has been accidentally used instead of the equality operator. Rule 8.18.2 The result of an assignment operator should not be used ensures that such code will be reported and reviewed for correctness.

Conclusion

Using a reasonable set of coding guidelines and a safe language subset is required by the functional safety standards for a reason. Organizations that can claim MISRA C++ 2023 compliance enhance the safety and security of their modern C++ applications.

Check out our MISRA C++ 2023 webinar for more details about the contents of the MISRA C++ 2023 document and the differences between AUTOSAR and MISRA C++ guidelines.

Learn how your development team can get the most extensive MISRA coverage.

“MISRA”, “MISRA C” and the triangle logo are registered trademarks of The MISRA Consortium Limited. ©The MISRA Consortium Limited, 2021. All rights reserved.