vol 8, issue 2

Analysis: safe-code revision grapples with automated checking

28 February 2013
By Chris Edwards
Stock view of a Rover electric vehicle driving a muddy track.

Engineers from Rover developed the MISRA guidelines that have now been adopted across the automotive industry.

The Motor Industry Software Reliability Association (MISRA), a group that developed one of the most widely-used coding standards for safe, reliable software, launched at the Embedded World show in Nuremberg this week the first major update to the standard for almost a decade.

The process has, however, raised questions about the nature of coding standards and the ability to verify that code follows them. The MISRA-C standard provides programmers with a set of coding rules that prevent the use of constructs that are more likely to lead to errors. Chris Hills, MISRA-C team member and CTO of tools vendor Phaedrus Systems, said the shortcomings of C were realised early on, with one of its creators, Dennis Ritchie, calling a number of its constructs “legal but dubious”.

To try to make C safer for use in their systems, engineers from car manufacturers Ford and Rover developed the initial MISRA guidelines that have now not just been adopted across the automotive industry but sectors that include military, aerospace, and the nuclear industry.

The first revision of the standard took place in the early 2000s, resulting in MISRA-C:2004. The forthcoming update follows a complete overhaul of the standard by a close-knit team of around ten UK-based engineers, initially to add rules that covered the most recent version of the C language.

“The driving force was the C99 standard,” said Mark Pitchford, field applications engineer at code-analysis tool vendor LDRA, “but the process used the feedback from MISRA C:2004 to address people’s concerns and dislikes.”

Paul Burden, technical consultant at Programming Research, another supplier of static code analysis software, agreed: “We could see there were improvements to be made.”

For the new version of the standard, the committee has implemented the concept of 'decidability' to determine which rules can be checked automatically by a static-analysis tool versus those that identify good practice but which do not have clear-cut distinctions and are difficult or impossible to verify without human involvement.

“One of the troubles for the big motor manufacturers is that they have suppliers shipping in software that are supposed to be MISRA C-compliant – but how do they verify it?” said Programming Research’s Paul Burden. “If rules are not well-defined, it makes life very difficult. How do you audit compliance?”

Pitchford added: “With decidable rules, if the rule says it’s wrong then it’s wrong”.

Undecidable rules, on the other hand, rely on interpretation. For example, one rule demands that no code be put into comments – largely to prevent developers from commenting out segments of code to disable it. However, it is very difficult for a tool to determine whether a comment contains potentially executable code.
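To show why the "no code in comments" rule is undecidable, here is an added example (not from the article or from MISRA): a small C scanner that applies a constructed heuristic, flagging any comment whose text ends in `;`, `{` or `}`. The constructed sample source demonstrates both a false positive (prose ending in a semicolon) and a false negative (commented-out code with no semicolon); character literals such as `'"'` are not handled.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Heuristic (this example's assumption, not MISRA's wording): a comment
 * "looks like code" if its text, ignoring trailing whitespace, ends in
 * ';', '{' or '}'. */
static bool looks_like_code(const char *s, size_t n)
{
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    return n > 0 && strchr(";{}", s[n - 1]) != NULL;
}

/* Count the comments in a C source buffer that the heuristic flags.
 * String literals are skipped so delimiters inside them are ignored. */
int count_suspicious_comments(const char *src)
{
    int flagged = 0;
    for (const char *p = src; *p != '\0';) {
        if (*p == '"') {                                /* string literal */
            for (p++; *p != '\0' && *p != '"'; p++)
                if (*p == '\\' && p[1] != '\0') p++;
            if (*p != '\0') p++;
            continue;
        }
        if (p[0] != '/' || (p[1] != '*' && p[1] != '/')) { p++; continue; }
        const char *start = p + 2;                      /* comment text */
        const char *end = (p[1] == '*') ? strstr(start, "*/")
                                        : strchr(start, '\n');
        if (end == NULL) end = start + strlen(start);   /* unterminated */
        flagged += looks_like_code(start, (size_t)(end - start));
        p = (*end == '*') ? end + 2 : end;              /* step past the closing delimiter */
    }
    return flagged;
}

/* Constructed sample: one comment holds real code, one prose comment is a
 * false positive, one code comment lacks ';' and is missed, string skipped. */
const char SAMPLE_SRC[] =
    "int f(int x) {\n"
    "    /* old path: x = x * 2; */\n"                /* flagged: real code */
    "    // see errata; timing is tight\n"            /* prose, not flagged */
    "    const char *s = \"/* not a comment; */\";\n" /* string literal, skipped */
    "    /* TODO: measure, then decide; */\n"         /* prose, false positive */
    "    // return x * 3\n"                            /* code, false negative */
    "    return x; }\n";
```

Run over `SAMPLE_SRC` the scanner reports two suspicious comments: the correct hit and the prose false positive, while the real commented-out `return` is missed, which is exactly the kind of judgement the article says still needs a human.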

“This work has exposed the limitations of coding rules, which are often swept under the carpet when devising coding standards,” Paul Burden believes. “So the whole concept of compliance has been exposed as a debatable area. If you are claiming compliance the best you can do is say: ‘I am testing compliance with these tools’. It’s not black and white. It’s a best-effort process.”

Despite the problem of verifiability, much of the effort in developing MISRA C:2012 was aimed at reducing the level of doubt in static code analysis. “The other key coding standard is Cert C, which is more oriented towards the security industry rather than the safety-critical market,” said Burden. “One of the key contrasts between the two, apart from Cert C being three times the size, is that its ratio of decidability is far, far lower than MISRA C. Although it contains very good advice, it’s very difficult to enforce… One of the reasons why MISRA C is being used is because it fits in very closely with the use of tool-based enforcement.”

An analysis from 2011 by market watcher VDC Research found that, after in-house coding standards, MISRA C was the one most commonly in use. Burden said: “What I would say is that if you look at most in-house coding standards, generally speaking, they tend to pick up MISRA C and modify it. I would say that MISRA C today is largely dominant even though it isn’t the biggest bar on the VDC graph.”

Pitchford argued that rewriting the rules to be more descriptive is likely to propel MISRA C further into mainstream programming: “This narrowing and focusing of the standard has also seen changes in terms of the English so that’s much more descriptive. It has become an educational document and not just ‘do as you’re told’. Although MISRA C has been used widely across the safety-critical sectors, it did tend to be something that people had to use because they were being certified to it – but the change in emphasis towards ‘use this rule because it’s a good idea’ opens it out to people who just want software to work.”

A number of changes reflect the growing diversity of systems being built in the embedded space. Some of the rules are considered mandatory by the new standard for the first time. “There are a few rules that we consider to be so common-sense and uncontroversial that there can be no sensible reason to deviate from them,” argues Paul Burden at Programming Research.

Other situations are more complex. “When you can implement critical systems on anything from an 8-bit [Microchip Technology] PIC to a 64-bit processor, it’s hard to find a rule that’s universal,” said Phaedrus Systems’ Chris Hills. “You can’t have 100 per cent MISRA-C compliance without deviation. It’s highly impractical for embedded systems because of the different architectures of the processors.”

Some industries cannot apply some of the rules because of the way their systems operate. “Originally we banned C unions. The trouble is that if you are doing communications systems, you normally need to use unions to get things in and out of the packet stream. For the most part, you should not use unions but if you deviate from that rule in one or two functions, that’s fine,” Hills concludes.
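As an added example (not from the article or from MISRA), the two ways of pulling a field out of a packet stream that the union deviation is about, using a constructed 8-byte packet format: a 16-bit type, a 16-bit id and a 32-bit payload, all little-endian. The union form is the one the original ban targets, and its result depends on the host's byte order; the explicit byte-assembly form needs no deviation and gives the same answer on any host.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 8-byte packet: type=0x0001, id=0x1234, payload=0x12345678,
 * each field little-endian, as a communications stack might receive it. */
const uint8_t PACKET[8] = { 0x01, 0x00, 0x34, 0x12, 0x78, 0x56, 0x34, 0x12 };

/* Union-based decode: the construct the original union ban targets. Whether
 * it yields the sender's value depends on the host's byte order, padding
 * and alignment, so a project has to deviate from the rule to use it. */
typedef union {
    uint8_t raw[8];
    struct { uint16_t type; uint16_t id; uint32_t payload; } fields;
} packet_view_t;

uint32_t payload_via_union(const uint8_t *bytes)
{
    packet_view_t v;
    memcpy(v.raw, bytes, sizeof v.raw);
    return v.fields.payload;          /* reinterpreted in host byte order */
}

/* Explicit decode: assembles the field byte by byte in the protocol's
 * declared order, so it needs no union and behaves the same on any host. */
uint32_t payload_explicit(const uint8_t *bytes)
{
    return (uint32_t)bytes[4]
         | ((uint32_t)bytes[5] << 8)
         | ((uint32_t)bytes[6] << 16)
         | ((uint32_t)bytes[7] << 24);
}

/* Reports the host's byte order, which decides what the union form returns. */
int host_is_little_endian(void)
{
    const uint16_t probe = 1u;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1u;
}
```

On a little-endian host both decoders return 0x12345678; on a big-endian host the union form returns 0x78563412 while the explicit form is unchanged.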

More information:
http://www.misra.org.uk/

http://www.phaedsys.com/

http://www.ldra.com/

http://www.programmingresearch.com/
