For C programmers working on safety-critical applications, the restrictions and guidelines that enforce safe coding practices can be painful. The language features designed to make your job easier or more efficient, or to offer a way around an obstacle, are often precisely the features the guidelines disallow. But if you are developing applications for automotive, medical, MIL/AERO or other life-critical uses, you cannot afford to take chances. In some cases, such as avionics, adherence to recognized coding best practices may be a traceability requirement of a rigorous certification (for example DO-178B/C). Even if your application does not require certification, you still need to demonstrate that your code was developed to the most stringent quality standards, in order to mitigate liability and risk. For these types of applications, the latest version of MISRA C offers programmers new hope.
Spend More Time Coding, And Less Time On Compliance Efforts
MISRA C is a software development language subset originally created to promote the use of the C programming language in safety-critical embedded applications within the automotive industry. The original version was published in 1998 (MISRA C:1998), targeting C90, and the 2004 version (MISRA-C:2004) included substantial extensions and improvements to the original.
While MISRA C is actually a language subset, not a coding standard, it provides a sound basis for coding best practises. Over the years, MISRA C has gained widespread acceptance as a de facto standard for safety-, life-, and mission-critical applications in aerospace, telecom, medical, defense, railway, and other industries, and is widely referred to as the MISRA standard.
The intent of the new MISRA version is to make development as predictable as possible across a project or code base, leaving no room for misinterpretation. Repeatability and predictability are the key drivers. Even a distributed development team, such as a prime contractor with many subcontractors, can be confident that by following the MISRA rules all code will remain consistent across the entire project. Following the new rules will help programmers mitigate the risks associated with safety-critical software applications, while letting them spend more time coding and less time on compliance efforts.
Reasons For A New MISRA Version
Any update to a coding practice or standard requires developers to learn new rules and update their tools and programming methods. But this short-term inconvenience is outweighed by the advantages of an update that improves existing rules, extends support to the latest version of the language, and reduces overall development effort. MISRA C:2012 was designed to:
- Add support for C99 while retaining support for C90
- Correct issues found in the 2004 version
- Provide backwards compatibility as much as possible to make it unnecessary to modify code when moving from MISRA C:2004 to MISRA C:2012
- Ensure that every rule includes a detailed rationale, and remove rules without a strong rationale
- Increase the number of decidable rules, to allow better tool enforcement and reduce the amount of manual checking, saving time and money
- Include guidance on the applicability of rules to automatically generated code
What Has MISRA Done For You Lately?
In MISRA C:2012, rules have been made more precise so that the standard will not prevent reasonable uses or behaviours that have no undesirable consequences. This will be good news for developers who may have been frustrated in the past by rules that were more restrictive than necessary, or that were too general. For instance, many developers hated the old rule about macros. It is possible to get into all sorts of difficulty using macros, so the simple approach was to say do not use them. Unfortunately, that prevents them from being used in circumstances where they provide a neat, convenient and technically sound solution. The new MISRA rules limit the use of macros to make sure they are only used properly.
In addition, developers now have better guidance on rules enforcement, such as whether a rule defines a general behavior across the project, or only specific cases. And all rules now include detailed rationale, which should help developers understand the need for the rule, rather than lead them to try to second-guess its intent.
The updated version also tells developers whether a rule is “decidable”—one for which an analysis tool can always determine compliance or non-compliance—or undecidable, where this is not possible in general because pointer or data values affect control flow (Fig. 1). Undecidable rules can produce false-positive or false-negative results simply because the tool has inadequate information available to it during analysis. This improvement in rule definition can significantly reduce manual code-review requirements, and lets developers know ahead of time whether another method of testing should be used.
Support For C99
MISRA C:2012 explicitly covers C99 as well as C90, maintaining backwards compatibility and making an effort to establish rules to cover both versions of the language as much as possible (very few rules may only be applicable to one or the other). In previous MISRA versions, some behaviour was implicitly undefined or unspecified in C90. Because developers may not have been aware of the existence or whereabouts of these “holes” in the language, they sometimes found it hard not to fall into them. These have now been explicitly defined in C99 so that developers know what circumstances to avoid.
MISRA C:2012 Offers A Reasoned Approach
Let us look at some specific examples of programming approaches that are now addressed with the more reasoned approach of MISRA C:2012.
Freeing Memory: AKA, Being Too Clever For Your Own Good
In some instances, developers have freed memory that is automatically allocated to variables for use elsewhere. This is legitimate C syntax, but is dangerous and unnecessary. The new MISRA rule is designed to prevent developers from being too clever for their own good. In this case, the rule states that a block of memory shall only be freed if it was allocated by means of a standard library function.
```c
#include <stdint.h>   /* int32_t */
#include <stdlib.h>   /* free */

void fn ( void )
{
    int32_t a;
    free ( &a );   /* Non-compliant - a does not point to allocated storage */
}
```
MISRA C:2012 defines rules as “Required,” “Advisory” or as a new “Mandatory” category, which includes rules such as the above that must never be broken (Fig. 2). The first two categories can be broken with varying degrees of justification required, so that an “Advisory” rule might be at a programmer’s discretion, while “Required” might require the approval of a manager.
The Rationale Behind The Rules
The previous versions of MISRA may have seemed dictatorial in approach due to a lack of complete rationale. The new version enhances the concept of “rationale”—descriptions that explain why each rule is a good idea.
For instance, it is now a requirement that typedefs indicating size and signedness be used in place of the basic numerical types. For example, on a 32-bit C90 implementation the following definitions might be suitable:
```c
typedef signed char  int8_t;
typedef signed short int16_t;
typedef signed int   int32_t;
typedef signed long  int64_t;
```
From the perspective of portability, the rationale debunks the possible false perception that adherence to this guideline guarantees portability: the size of the int type may still determine whether or not an expression is subject to integral promotion. For example, an expression with type int16_t will not be promoted if int is implemented using 16 bits, but will be promoted if int is implemented using 32 bits. In other words, the rationale helps guide the developer around a common pitfall.
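The promotion pitfall described above, as an added example (not code from the article or from MISRA): the same arithmetic on uint16_t operands gives different results depending on the width of int, and only the form that casts the result back to the intended width behaves the same everywhere. The function names and the choice of uint16_t rather than int16_t are the example's own (unsigned operands avoid the signed-overflow undefined behaviour a 16-bit int would otherwise introduce).

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Added example, not from the article: a fixed-width typedef does not by
 * itself make arithmetic portable. Whether a uint16_t operand is promoted
 * to int (and so widens) or to unsigned int (and so wraps at 16 bits)
 * depends on the implementation's int width, as the rationale explains. */

/* 1 if uint16_t values are promoted to a wider int on this implementation */
int u16_is_promoted_to_wider_int(void)
{
    return INT_MAX > UINT16_MAX;
}

/* a + b with the operands left to the default promotions. For 0xFFFF + 1
 * this yields 65536 where int is 32 bits, but where int is 16 bits the
 * operands become unsigned int and the sum wraps to 0. */
unsigned long u16_sum_promoted(uint16_t a, uint16_t b)
{
    return (unsigned long)(a + b);
}

/* ~a with the operand left to the default promotions. Where int is 32 bits
 * ~0xFFFF is the int value 0xFFFF0000, i.e. -65536; where int is 16 bits
 * it is the unsigned int value 0. */
long u16_complement_promoted(uint16_t a)
{
    return (long)(~a);
}

/* The portable form: state the intended width explicitly by converting the
 * result back to the operand type, so every implementation gives 16-bit
 * wraparound regardless of the width of int. */
uint16_t u16_sum_portable(uint16_t a, uint16_t b)
{
    return (uint16_t)(a + b);
}

uint16_t u16_complement_portable(uint16_t a)
{
    return (uint16_t)(~a);
}

int main(void)
{
    printf("int wider than uint16_t: %d\n", u16_is_promoted_to_wider_int());
    printf("0xFFFF + 1, promoted:  %lu\n", u16_sum_promoted(0xFFFFu, 1u));
    printf("~0xFFFF,    promoted:  %ld\n", u16_complement_promoted(0xFFFFu));
    printf("0xFFFF + 1, portable:  %u\n", (unsigned)u16_sum_portable(0xFFFFu, 1u));
    printf("~0xFFFF,    portable:  %u\n", (unsigned)u16_complement_portable(0xFFFFu));
    return 0;
}
```

Run it on a 16-bit and on a 32-bit target and only the two "portable" lines agree; the explicit conversion is what the essential-type guidance is steering you towards.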
Not All Goto Statements Patch Up Wooly Thinking!
Often, goto statements are used to patch up woolly thinking or ill-defined algorithms. But there are cases in which the use of a goto statement is justified. For example, if an emergency condition arises in a process-control application, is setting a flag and checking it throughout the algorithm really better than taking the direct route via a goto? The “goto statements should not be used” rule is now advisory rather than required, and two further rules narrow the acceptable cases:
- The goto statement shall jump to a label declared later in the same function.
- Any label referenced by a goto statement shall be declared in the same block, or in any block enclosing the goto statement.
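An added example of the kind of goto that stays within the two rules above (this is illustrative code, not from the article or from MISRA): a multi-step initialisation where an error at any step takes the direct route to a single cleanup label declared later in the same function, in the outermost block that encloses every goto. The cleanup path also follows the freeing rule from the earlier section, since only storage obtained from malloc is ever passed to free. The acquire step, the step numbering and the failure-injection parameter are the example's own constructions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not from the article. Every goto below jumps forward to a
 * label declared later in the same function, and that label sits in the
 * function's outermost block, which encloses each goto. */

/* Hypothetical resource acquisition for step 1..3. fail_at names the step
 * that should fail (0 for none). Returns a malloc'd buffer or NULL. */
static int32_t *acquire(int step, int fail_at)
{
    if (step == fail_at) {
        return NULL;
    }
    return (int32_t *)malloc(16u * sizeof(int32_t));
}

/* Returns 0 on success, or -step for the first step that failed. On every
 * path, each buffer acquired so far is released exactly once; *released
 * (if non-NULL) receives the number of buffers freed, for verification. */
int32_t initialise(int fail_at, int *released)
{
    int32_t *res1 = NULL;
    int32_t *res2 = NULL;
    int32_t *res3 = NULL;
    int32_t status = 0;
    int freed = 0;

    res1 = acquire(1, fail_at);
    if (res1 == NULL) {
        status = -1;
        goto cleanup;   /* forward jump; label is in the enclosing block */
    }
    res2 = acquire(2, fail_at);
    if (res2 == NULL) {
        status = -2;
        goto cleanup;
    }
    res3 = acquire(3, fail_at);
    if (res3 == NULL) {
        status = -3;
        goto cleanup;
    }

    /* normal work with res1..res3 would go here */

cleanup:
    /* Each pointer is either NULL or the result of malloc, so free is only
     * ever applied to storage allocated by a standard library function. */
    if (res3 != NULL) { free(res3); freed++; }
    if (res2 != NULL) { free(res2); freed++; }
    if (res1 != NULL) { free(res1); freed++; }
    if (released != NULL) {
        *released = freed;
    }
    return status;
}

/* Convenience wrapper: how many buffers the cleanup path freed. */
int buffers_freed_when_failing_at(int fail_at)
{
    int n = 0;
    (void)initialise(fail_at, &n);
    return n;
}

int main(void)
{
    int n = 0;
    int32_t s = initialise(0, &n);
    printf("success path:      status %d, %d buffers freed\n", (int)s, n);
    s = initialise(2, &n);
    printf("failure at step 2: status %d, %d buffers freed\n", (int)s, n);
    return 0;
}
```

The alternative the text mentions, a flag tested after every step, would need the same three releases scattered across three branches; the single forward jump keeps the release logic in one place, which is exactly the case the advisory rule now leaves open.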
System-wide Analysis Sees The Big Picture
The new MISRA standard classifies rules as applying to a “system-wide” or a “single translation unit” analysis. A good example is the rule that prevents the same file from being opened for read and write access at the same time on different streams. It is unlikely that anyone would do this deliberately, but a raised violation will help prevent mistakes. A tool can only confirm or deny such a violation if it can reference all source code in the system through system-wide analysis.
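To show why that rule needs system-wide rather than per-translation-unit analysis, here is an added toy checker (not the article's code and not any real tool's): it runs over a constructed table of fopen calls, each tagged with the translation unit it appears in, and looks for two streams that open the same path with read access on one and write access on the other. The table, the mode classification and the simplifying assumption that every listed stream is live at the same time are the example's own.

```c
#include <string.h>
#include <stdio.h>

/* Added example, not from the article. A deliberately simplified model of
 * the rule "the same file shall not be open for read and write access at
 * the same time on different streams": each record is one fopen call. */

struct open_call {
    const char *tu;    /* translation unit containing the call */
    const char *path;  /* file name passed to fopen */
    const char *mode;  /* mode string passed to fopen */
};

/* Constructed sample: main.c reads config.dat, logger.c writes it. Looked
 * at one translation unit at a time nothing is wrong; looked at together
 * the two streams conflict. */
static const struct open_call calls[] = {
    { "main.c",   "config.dat", "r"  },
    { "main.c",   "input.bin",  "rb" },
    { "logger.c", "config.dat", "w"  },
    { "logger.c", "trace.log",  "a"  },
};
#define CALL_COUNT (sizeof calls / sizeof calls[0])

/* Mode classification: "r..." reads, "w..."/"a..." write, "+" adds the other. */
static int grants_read(const char *mode)
{
    return mode[0] == 'r' || strchr(mode, '+') != NULL;
}

static int grants_write(const char *mode)
{
    return mode[0] == 'w' || mode[0] == 'a' || strchr(mode, '+') != NULL;
}

/* Count pairs of distinct streams that open the same path with one granting
 * read and the other write access. With tu non-NULL only calls in that
 * translation unit are examined (single-TU analysis); with tu NULL every
 * call in the program is examined (system-wide analysis). */
int count_violations(const char *tu)
{
    int violations = 0;
    size_t i;
    size_t j;
    for (i = 0; i < CALL_COUNT; i++) {
        if (tu != NULL && strcmp(calls[i].tu, tu) != 0) {
            continue;
        }
        for (j = i + 1; j < CALL_COUNT; j++) {
            if (tu != NULL && strcmp(calls[j].tu, tu) != 0) {
                continue;
            }
            if (strcmp(calls[i].path, calls[j].path) != 0) {
                continue;
            }
            if ((grants_read(calls[i].mode) && grants_write(calls[j].mode)) ||
                (grants_write(calls[i].mode) && grants_read(calls[j].mode))) {
                printf("violation: %s opened for read and write (%s \"%s\", %s \"%s\")\n",
                       calls[i].path, calls[i].tu, calls[i].mode,
                       calls[j].tu, calls[j].mode);
                violations++;
            }
        }
    }
    return violations;
}

int main(void)
{
    printf("main.c only:   %d violation(s)\n", count_violations("main.c"));
    printf("logger.c only: %d violation(s)\n", count_violations("logger.c"));
    printf("system-wide:   %d violation(s)\n", count_violations(NULL));
    return 0;
}
```

A real tool would additionally have to reason about which streams are open at the same time, which is part of what makes the rule undecidable in general; the toy treats every call as live, which is why it over-approximates.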
MISRA Helps Meet Coding Best Practices
MISRA, in all its flavours, was developed to help software development teams create software applications of the highest quality, meaning fewer defects and code that is more maintainable, readable, consistent and verifiable. In essence, MISRA is the application of best practices to coding. Understanding and meeting the requirements of MISRA C:2012 can help you satisfy assurance requirements for high software quality, while allowing you to make better decisions about programming-language features, optimize compiler usage and make better use of the hardware. A test tool that supports MISRA compliance should let you choose easily between versions of the standard and appropriate subsets (for both legacy and new projects), and should allow you to select either full compliance or a user-defined subset of rules that conforms to an in-house template or requirements.