How can you avoid the C/C++ traps and pitfalls
In our previous blog, we looked at the complexities of MISRA C compliance and the necessity of robust verification tools. However, simply installing a tool is not sufficient. The MISRA compliance documents specifically state that, in order to describe a project as "MISRA Compliant", staff must be competent and fully understand the issues underlined by each guideline. This is especially important for personnel involved in the approval of deviations from the guidelines.
Ensuring your developers and quality assessors are effectively trained is also crucial to the smooth and effective adoption of the tool. Developers can make mistakes (and lose significant time) when they don’t fully understand the rationale behind each of the MISRA guidelines. This blog looks at some of those potential misunderstandings.
A worthwhile investment
Over 50% of the developers who come on our courses are unaware of many of the traps and pitfalls of C/C++. Even though they are highly qualified and experienced, this is not something they have studied in-depth, either at university or in their industry training. This is a global issue; it’s not specific to any one country or industry.
That is why we spend the first half-day of our two-day course really drilling down into the traps and pitfalls. We'll give them real-world examples of seemingly reasonable and innocuous pieces of code and show how they can go horribly wrong. Here are just two of the simplest examples that many programmers are surprised to see:
- The following code violates the MISRA C rule that you must not mix signed and unsigned expressions (this prescription is formulated using the often-misunderstood concept of "essential type"):

  ```c
  #include <stdint.h>

  uint32_t MAX_TEMP = 90;
  _Bool is_overheated(int32_t temp) { return temp > MAX_TEMP; }
  ```

  The problem here is that the call `is_overheated(-1)` returns true, even though the temperature is negative: the signed argument is converted to `uint32_t` before the comparison.
- This snippet violates a MISRA C rule that forbids line splicing in `//` comments:

  ```c
  ...
  // see critical.* in c:\project\src\
  critical_function();
  ...
  ```

  In this example, the developer did something seemingly innocuous. But the trailing backslash splices the next line into the comment, so `critical_function();` becomes part of the comment and is never executed. This is potentially very dangerous.
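The two traps above, each placed beside its corrected form, as an added example (not code from the original post or from BUGSENG). The `critical_calls` counter and `run_critical` are constructed here purely so that the call can be observed to happen; the `(c:\project\src)` path is reused from the post only to show a comment that no longer ends in a backslash.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Trap from the post: MAX_TEMP_UNSIGNED is unsigned, so the signed argument
   is converted to uint32_t before the comparison. -1 becomes 4294967295U,
   which is greater than 90U, so a freezing sensor reads as "overheated". */
static const uint32_t MAX_TEMP_UNSIGNED = 90U;
bool is_overheated_trap(int32_t temp)
{
    return temp > MAX_TEMP_UNSIGNED;   /* mixed essential types */
}

/* Fix: give the threshold the same essential type as the operand. No
   implicit conversion happens and negative temperatures compare correctly. */
static const int32_t MAX_TEMP = 90;
bool is_overheated(int32_t temp)
{
    return temp > MAX_TEMP;
}

/* Line-splice trap: a backslash at the very end of a '//' comment joins the
   next source line into the comment. The fix is simply never to end a
   comment with a backslash, which is what the comment below does. */
static int critical_calls = 0;                  /* constructed for the demo */
static void critical_function(void) { critical_calls++; }

int run_critical(void)
{
    critical_calls = 0;
    // see critical.* in the project source directory (c:\project\src)
    critical_function();
    return critical_calls;                      /* 1: the call was compiled in */
}

int main(void)
{
    printf("is_overheated_trap(-1) = %d\n", is_overheated_trap(-1)); /* 1 */
    printf("is_overheated(-1)      = %d\n", is_overheated(-1));      /* 0 */
    printf("run_critical()         = %d\n", run_critical());         /* 1 */
    return 0;
}
```

A MISRA-aware static analyser such as the one the post discusses reports the first function at the comparison and the original comment at the trailing backslash; the corrected forms produce no such diagnostics.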
Once developers see these examples, they quickly appreciate the importance of each MISRA rule in preventing potential disasters. They will also see the value of effectively using a tool that reliably flags the MISRA C/C++ violations. Taking time to gain a solid grounding in MISRA C is a worthwhile investment because developers should not rely completely on the output of verification tools.
For example, verification tools may produce false positives and flag violations that don’t exist. Developers need the expertise to judge such situations. Otherwise, they will probably feel compelled to change the code in order to silence the tool. This, more often than not, creates significantly poorer code. Or, they may erroneously think that a tool message is a false positive, when in fact it is a true positive, and change the tool configuration not to show that message anymore (a case of ‘shooting the messenger because you don’t like the message’).
Good quality training is a logical step
Understanding why the MISRA rules are there and the importance of using a verification tool to detect code violations is a good start. But, of course, developers also need to know how to correct any problems the tool flags. Without effective training, they will probably use a trial and error approach – wasting time and reducing code quality.
Effective MISRA C training will show them how they can configure ECLAIR and give them time for hands-on practice. Sometimes it is even possible to use your own code from real live projects (subject to confidentiality). This is the best way to show your developers how to solve any violations.
Ensuring smooth and effective implementation
EGICON is an award-winning developer of mission-critical embedded and Automated Testing Solutions (ATS) across the automotive, industrial, medical, aerospace and defence sectors. When they bought a site license for our ECLAIR/MISRA tool, they also asked us to train a team of 12 developers and quality assessors.
“We are committed to excellence in all our products and processes,” says Paolo Monari, CTO at EGICON. “We know we need to be proactive in ensuring our people continue to develop their skills. After all, it is their expertise that drives our innovation.
“Working with BUGSENG was a logical step for us. With their highly-qualified instructors and formal training, tailored specifically to our needs, we have implemented MISRA C into our software production and verification process smoothly and successfully. We’ve also significantly strengthened the skills and competences of our development and verification teams.”
For more details of BUGSENG’s MISRA C training please see https://www.bugseng.com/services/education
Roberto Bagnara, Ph.D is CTO of BUGSENG, a leading provider of solutions and services for static code analysis. He is also a member of the ISO/IEC JTC1/SC22/WG14 - C Standardization Working Group and the MISRA C Working Group.
Meet us at the Embedded World Conference in Nuremberg, 26-28 February 2019
The BUGSENG team will be exhibiting at the Embedded World Conference in Nuremberg. We’d love to meet you and answer any questions you may have about our verification services, education and training. You’ll find us on stand 4-545.
Our CTO, Roberto Bagnara, will also be speaking at the conference. His presentation: "The MISRA C Coding Standard: A Key Enabler for the Development of Safety and Security Critical Embedded Software" is at 10:30AM on Tuesday 26 February 2019.
For more details visit https://www.embedded-world.eu/home.html