转载请注明出处
作者:小马
以下是本人花了很长时间整理的misra-c的笔记, 网上只此一份, 对misra-c的每条规则都有说明, 有些还有示例代码, 稍复杂的还附有中文解释.
MISRA于1998年发布了一个针对汽车工业软件安全性的C语言编程规范——《汽车专用软件的C语言编程指南》 (Guidelines for the Use of the C Language in Vehicle Based Software),共有127条规则,称为MISRA C:1998。目前MISRA C:2004版已有141条规则,21个类别,每一条规则对应一条编程准则. 如今MISRA C已经被越来越多的企业接受,成为用于嵌入式系统的C语言标准,特别是对安全性要求极高的嵌入式系统,软件应符合MISRA标准. 规则如下:
1 All code shall conform to ISO 9899:1990 “Programming languages – C”, amended and corrected by ISO/IEC 9899/COR1:1995, ISO/IEC 9899/AMD1:1995, and ISO/IEC 9899/COR2:1996.
2 No reliance shall be placed on undefined or unspecified behaviour.
3 Multiple compilers and/or languages shall only be used if there is a common defined interface standard for object code to which the languages/compilers/assemblers conform.
4 The compiler/linker shall be checked to ensure that 31 character significance and case sensitivity are supported for external identifiers.
5 Floating-point implementations should comply with a defined floating-point standard.
这句话的意思是不用直接用float, 可以用typedef 给float定义一个别名, 再引用,如:
Typedef float MY_FLOAT
MY_FLOAT fv;
6 Assembly language shall be encapsulated and isolated.
7 Source code shall only use /* … */ style comments
8 The character sequence /* shall not be used within a comment.
9 Sections of code should not be “commented out”.
这句话的意思是发布的代码里不要留有被注释掉的代码.
10 All usage of implementation-defined behavior shall be documented.
11 The character set and the corresponding encoding shall be documented.
12 The implementation of integer division in the chosen compiler should be determined, documented and taken into account.
13 All uses of the #pragma directive shall be documented and explained.
14 If it is being relied upon, the implementation defined behaviour and packing of bitfields shall
be documented.
15 All libraries used in production code shall be written to comply with the provisions of this document, and shall have been subject to appropriate validation.
上面从第10到第15条是建议把所有和编译器或处理器相关的C语言行为记录下来, 这样移植的时候可以减少风险.
16 Only those escape sequences that are defined in the ISO C standard shall be used.
17 Trigraphs shall not be used.
这句意思是 三字母序列是不建议使用的, 三字母序列,比如”??=”, iso c里三字母序列是允许的,编译器会把它替换为相应的标点符号,有如下的三字母词
??=
??(
??/
??)
??'
??<
??!
??>
??-
例如printf( "What??!/n" );会输出what|
18 Identifiers (internal and external) shall not rely on the significance of more than 31 characters
19 Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that identifier.
20 A typedef name shall be a unique identifier.
这句说用typedef定义的别名必须是唯一的
21 A tag name shall be a unique identifier.
22 No object or function identifier with static storage duration should be reused.
23 No identifier in one name space should have the same spelling as an identifier in another name space, with the exception of structure and union member names.
24 No identifier name should be reused.
25 The plain char type shall be used only for the storage and use of character values
26 Signed and unsigned char type shall be used only for the storage and use of numeric values.
27 Typedefs that indicate size and signedness should be used in place of the basic types
这句是说不要用C的基本数据类型, 最好用typedef 重定义.
28 Bit fields shall only be defined to be of type unsigned int or signed int.
29 Bit fields of type signed int shall be at least 2 bits long.
30 Octal constants (other than zero) and octal escape sequences shall not be used.
31 Functions shall have prototype declarations and the prototype shall be visible at both the function
definition and call.
32 Whenever an object or function is declared or defined, its type shall be explicitly stated.
33 For each function parameter the type given in the declaration and definition shall be identical, and
the return types shall also be identical.
34 If objects or functions are declared more than once their types shall be compatible.
35 There shall be no definitions of objects or functions in a header file.
为了不引起重定义的错误,不要在头文件里定义变量和函数.
36 Functions shall be declared at file scope.
37 Objects shall be defined at block scope if they re only accessed from within a single function.
38 An external object or function shall be declared in one and only file
39 An identifier with external linkage shall have xactly one external definition.
40 All declarations and definitions of objects or unctions at file scope shall have internal linkage
unless external linkage is required.
41 The static storage class specifier shall be used indefinitions and declarations of objects and unctions that have internal linkage.
40, 41 说明不需要外部引用的函数和变量可以用static隐藏其可见性.
42 When an array is declared with external linkage,its size shall be stated explicitly or defined
implicitly by initialisation.
43 All automatic variables shall have been assigned a value before being used.
44 Braces shall be used to indicate and match the structure in the non-zero initialisation of arrays
and structures.
45 In an enumerator list, the “=” construct shall not be used to explicitly initialise members other than
the first, unless all items are explicitly initialised.
程序示例:
enum en1 {
a,b,c,d
}; 正确
enum en2 {
a=1,b,c,d
}; 正确
enum en3 {
a=0,b=1,c=2,d=3
}; 正确
enum en4 {
a,b=1,c,d
}; 错误
enum en5 {
a,b=1,c=2,d
}; 错误
enum en6 {
a,b=1,c=2,d=3
}; // 错误
46 The value of an expression of integer type shall not be implicitly converted to a different
underlying type if:
a) it is not a conversion to a wider integer type of
the same signedness, or
b) the expression is complex, or
c) the expression is not constant and is a function
argument, or
d) the expression is not constant and is a return
expression
47 The value of an expression of floating type shall
not be implicitly converted to a different type if:
a) it is not a conversion to a wider floating type, or
b) the expression is complex, or
c) the expression is a function argument, or
d) the expression is a return expression
46, 47 是说明隐性数据类型转换的问题, 其实在实际编码过程中, 与其花很大力气去区分一个隐式表达式是否在MISRA—C规则的“黑名单”中,还不如用强制转换符显式地标识出每个操作数的实际数据类型,这是最为稳妥的方法. 规则的目的就是让程序员明确每一个操作数的实际类型
48 The value of a complex expression of integer type may only be cast to a type that is narrower
and of the same signedness as the underlying type of the expression.
49 The value of a complex expression of floating type may only be cast to a narrower floating type.
50 If the bitwise operators ~ and <<(or >>) are applied to an operand of underlying type unsigned char orunsigned short, the result shall be immediately cast to the underlying type of the operand.
如下面的例子:
执行以下程序,result_8的值是多少?
uint8_t port = 0x5a ;
uint8_t result_8 ;
result_8 = (~port) > > 4 ; /*注:uint8_t表示8位无符号整型*/
我们期望的结果是resuIt_8=0xof。然而,由于整型的位扩充原则,在16位编译器中,~port的值是Oxffa5;在32位编译器中,~pott的值是Oxffffffa5。无论哪种情况,最后结果(右移4位后 赋值给result_8的时候有一个截断操作)都是resuIt_8=Oxfa,而非预期的result_8=OxOf。 倘若将最后一行代码改成result一8=((uin8_t)(~port))>>4,则result_8可取得预期的值. 注意一点: 逻辑操作符不遵循上述“平衡”原则。此外左移(<<)和右移(>>)运算符也不遵循“平衡”原则.
51 A “U” suffix shall be applied to all constants of unsigned type.
52 Conversions shall not be performed between a pointer to a function and any type other than an
integral type.
53 Conversions shall not be performed between a pointer to object and any type other than an
integral type, another pointer to object type or a pointer to void.
54 A cast should not be performed between a pointer type and an integral type.
55 A cast should not be performed between a pointer to object type and a different pointer to
object type
56 A cast shall not be performed that removes any const or volatile qualification from the type
addressed by a pointer.
57 Limited dependence should be placed on C’s operator precedence rules in expressions.
用”()” 显示说明每一个优先级.
58 The value of an expression shall be the same under any order of evaluation that the standard
permits.
59 The sizeof operator shall not be used on expressions that contain side effects.
如下面的代码是不允许的
if ( sizeof ( a++ ) == 4 ) 不能++
{
c = 1;
}
60 The right hand operand of a logical && or || operator shall not contain side effects.
如下面的代码不是允许的
if ( ( a == 3 ) && b++ )
{
c = 1;
}
if ( ( a == 3 ) || b++ )
{
c = 1;
}
if ( ( a == 3 ) || func33 ( ) )
{
c = 1;
}
61 The operands of a logical && or || shall be primary-expressions.
用”()” 显示说明每一个优先级.
62 The operands of logical operators (&&, || and !) should be effectively Boolean. Expressions that are effectively Boolean should not be used as operands to operators other than (&&, || and !).
63 bitwise operators shall not be applied to exprands whose underlying type is signed
64 The right hand operand of a shift operator shall lie between zero and one less than the width in
bits of the underlying type of the left hand operand.
65 The unary minus operator shall not be applied to an expression whose underlying type is unsigned.
66 The comma operator shall not be used.
67 Evaluation of constant unsigned integer expressions should not lead to wrap-around.
68 The underlying bit representations of floatingpoint values shall not be used.
69 The increment (++) and decrement (--) operators should not be mixed with other operators in an
expression.
经常在网上或书上看到类似于下面的题目:
x = y+++z; x = ?
看到misra-c标准后, 我不由的感叹:这个世界还有很多有意义的事等着我们程序员去做.
70 Assignment operators shall not be used in expressions that yield a Boolean value
如:
if ( ( a = b ) != 0 )
{
c = 1;
}
71 Tests of a value against zero should be made explicit, unless the operand is effectively Boolean.
72 Floating-point expressions shall not be tested for equality or inequality.
73 The controlling expression of a for statement shall not contain any objects of floating type.
74 The three expressions of a for statement shall be concerned only with loop control
75 Numeric variables being used within a for loop for iteration counting shall not be modified in the
body of the loop.
76 Boolean operations whose results are invariant shall not be permitted.
77 There shall be no unreachable code.
78 All non-null statements shall either :
a) have at least one side-effect however
executed, or
b) cause control flow to change.
79 Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that the first character following the null statement is a white space character.
78和79的意思是
非空语句必须要么产生副作用( side-effect) (副作用是指表达式执行后对程序运行环境造成的影响。赋值语句、自 增操作等都是典型的具有副作用的操作。) ;或者使程序流程改变。 例如,下面的代码是不允许的: ? x > = 3 ;
错误在于x 和3 比较的结果被丢弃了
80 The goto statement shall not be used.
81 The continue statement shall not be used.
82 For any iteration statement there shall be at most one break statement used for loop termination.
83 A function shall have a single point of exit at the end of the function.
84 The statement forming the body of a switch, while, do ... while or for statement shall be a
compound statement.
85 An if (expression) construct shall be followed by a compound statement. The else keyword shall be
followed by either a compound statement, or another if statement.
84和85的意思是 if,while等语句要加括号
86 All if … else if constructs shall be terminated with an else clause.
87 A switch label shall only be used when the most closely-enclosing compound statement is the body of a switch statement.(switch语句的主体要有括号)
88 An unconditional break statement shall terminate every non?empty switch clause.
89 The final clause of a switch statement shall be the default clause.
90 A switch expression shall not represent a value that is effectively Boolean.
91 Every switch statement shall have at least one case clause.
92 Functions shall not be defined with a variable number of arguments.
如下面的代码是不允许的
static void rule69 ( SC_8 *fmt, ... ) ;
93 Identifiers shall be given for all of the parameters in a function prototype declaration
94 The identifiers used in the declaration and definition of a function shall be identical.
95 Functions with no parameters shall be declared with parameter type void.
96 The number of arguments passed to a function shall match the number of parameters.
97 All exit paths from a function with non-void return type shall have an explicit return statement with
an expression.
98 A function identifier shall only be used with either a preceding &, or with a parenthesised parameter list, which may be empty.
99 If a function returns error information, then that error information shall be tested
100 Pointer arithmetic shall only be applied to pointers that address an array or array element.
101 Pointer subtraction shall only be applied to pointers that address elements of the same array.
指向同一个数组的两个指针才两以运算. 同一类型也不行
102 >, >=, <, <= shall not be applied to pointer types except where they point to the same array.
103 Array indexing shall be the only allowed form of pointer arithmetic.
104 The declaration of objects should contain no more than 2 levels of pointer indirection.
不要用指向指针的指针
105 The address of an object with automatic storage shall not be assigned to another object that may
persist after the first object has ceased to exist.
106 An object shall not be assigned to an overlapping object.
107 An area of memory shall not be reused for unrelated purposes.
108 Unions shall not be used.
109 #include statements in a file should only be preceded by other preprocessor directives or comments
Include 语句应该在一个文件的最初始位置
110 Non-standard characters should not occur in header file names in #include directives.
111 The #include directive shall be followed by either a
112 C macros shall only expand to a braced initialiser, a constant, a parenthesised
expression, a type qualifier, a storage class specifier, or a do-while-zero construct.
如下面的代码是不允许的
#define AAA long
113 Macros shall not be #define’d or #undef’d within a block.
114 #undef shall not be used.
115 A function should be used in preference to a function-like macro.
尽量不用宏代替函数
116 A function-like macro shall not be invoked without all of its arguments.
117 Arguments to a function-like macro shall not contain tokens that look like preprocessing
directives.
118 In the definition of a function-like macro each instance of a parameter shall be enclosed in
parentheses unless it is used as the operand of # or ##.
119 All macro identifiers in preprocessor directives shall be defined before use, except in #ifdef and
#ifndef preprocessor directives and the defined() operator.
120 There shall be at most one occurrence of the # or ## operators in a single macro definition.
121 The defined preprocessor operator shall only be used in one of the two standard forms.
122 Precautions shall be taken in order to prevent the contents of a header file being included twice.
123 Preprocessing directives shall be syntactically meaningful even when excluded by the
preprocessor.
124 All #else, #elif and #endif preprocessor directives shall reside in the same file as the #if or #ifdef
directive to which they are related.
125 Reserved identifiers, macros and functions in the standard library, shall not be defined, redefined
or undefined.
126 The names of standard library macros, objectsand functions shall not be reused.
127 The validity of values passed to library functions shall be checked.
128 Dynamic heap memory allocation shall not be used.
129 The error indicator errno shall not be used.
130 The macro offsetof, in library
131 The setjmp macro and the longjmp function shall not be used.
132 The signal handling facilities of
133 The input/output library
134 The library functions atof, atoi and atol from library
135 The library functions abort, exit, getenv and system from library
136 The time handling functions of library
137 Minimisation of run-time failures shall be ensured
by the use of at least one of
a) static analysis tools/techniques;
b) dynamic analysis tools/techniques;
c) explicit coding of checks to handle run-time
faults.