Goanna 3.1.

0 Standards Data Sheet for MISRA C:2004

misrac2004-datasheet.pdf

Motor Industry Software Reliability Association (MISRA) C:2004 Standard Mapping of MISRA C:2004 items to Goanna checks
The following table lists all the MISRA C:2004 items that are identied by Goanna. MISRAC C:2004 ID 1.1 MISRAC C:2004 Description (Required) All code shall conform to ISO 9899 standard, with no extensions permitted. Goanna Checks Not implemented Goanna Check Description This rule requires manual checking.

Partly implemented ATH-div-0-assign ATH-div-0-cmp-aft (Required) No reliance shall be placed on undened or unspecied behavior. ATH-div-0-cmp-bef ATH-div-0-interval ATH-div-0-pos ATH-div-0-unchk-global ATH-div-0-unchk-local ATH-div-0 EXP-main-ret-int SPC-uninit-arr-all SPC-uninit-struct 1.3 (Required) Multiple compilers and/or languages shall only be used if there is a common dened interface standard for object code to which the language/compilers/assemblers conform. (Required) The compiler/linker shall be checked to ensure that 31 character signicance and case sensitivity are supported for external identiers. (Required) Floating-point implementations should comply with a dened oating-point standard. (Required) Assembler language shall be encapsulated and isolated. (Required) Source code shall only use /* ... */ style comments. (Required) The character sequence /* shall not be used within a comment. (Advisory) Sections of code should not be commented out. Document

1.2

Some cases require manual checking. A variable is assigned the value 0, then used as a divisor. After a successful comparison with 0, a variable is used as a divisor. A variable used as a divisor is subsequently compared with 0. Interval analysis determines a value is 0, then it is used as a divisor. An expression that may be 0 is used as a divisor. A global variable is not checked against 0 before it is used as a divisor. A local variable is not checked against 0 before it is used as a divisor. An expression resulting in 0 is used as a divisor. The return type of main() should always be int. Checks reads from local buffers are preceded by writes. In all executions, a struct has one or more elds read before they are initialized. This rule requires manual documentation.

1.4

Document

This rule requires manual documentation.

1.5

Document

This rule requires manual documentation.

2.1 2.2 2.3 2.4

ASM-mixed COMMENT-cpp-style COMMENT-nested COMMENT-code

Inline asm statements that are not encapsulated in functions Uses of // comments Appearances of /* inside comments To allow comments to contain pseudocode or code samples, only comments that end in ;, , or characters are considered to be commented-out code.

3.1

(Advisory) All usage of implementation-dened behavior shall be documented. (Advisory) The character set and the corresponding encoding shall be documented. (Advisory) The implementation of integer division in the chosen compiler should be determined, documented, and taken into account. (Required) All uses of the #pragma directive shall be documented and explained. (Required) If it is being relied upon, the implementation-dened behavior and packing of bitelds shall be documented. (Required) All libraries used in production code shall be written to comply with the provisions of this document, and shall have been subject to appropriate validation. (Required) Only those escape sequences that are dened in the ISO C standard shall be used. (Required) Tri-graphs shall not be used (Required) Identiers (internal and external) shall not rely on the signicance of more than 31 characters. (Required) Identiers in an inner scope shall not use the same name as an identier in an outer scope, and therefore hide that identier.

Document

This rule requires manual documentation.

3.2

Document

This rule requires manual documentation.

3.3

Document

This rule requires manual documentation.

3.4

Document

This rule requires manual documentation.

3.5

Document

This rule requires manual documentation.

3.6

Document

This rule requires manual documentation.

4.1

Not implemented

This rule requires manual checking.

4.2 5.1

STR-trigraph Not implemented

Uses of trigraphs (in string literals only) This rule requires manual checking.

RED-local-hides-global RED-local-hides-local RED-local-hides-param

5.2

5.3 5.4

(Required) A typedef name shall be a unique identier. (Required) A tag name shall be a unique identier. (Advisory) No object or function identier with static storage duration should be reused. (Advisory) No identier in one namespace should have the same spelling as an identier in another namespace, with the exception of structure member and union member names. (Advisory) No identier name should be reused. (Required) The plain char type shall be used only for the storage and use of character values. (Required) signed and unsigned char type shall be used only for the storage and use of numeric values. (Advisory) typedefs that indicate size and signedness should be used in place of the basic types.

Partly implemented IDENT-clash-typedef Not implemented Partly implemented IDENT-clash-static Not implemented

The denition of a local variable hides a global denition. The denition of a local variable hides a previous local denition. A variable declaration hides a parameter of the function Some cases require manual checking. Typedef with this name already declared in this scope. This rule requires manual checking. Some cases require manual checking. A identier is used that can clash with another static identier. This rule requires manual checking.

5.5 5.6

5.7 6.1

Not implemented CHAR-arith

This rule requires manual checking. Arithmetic on objects of type plain char, without an explicit signed or unsigned qualier This rule requires manual checking.

6.2

Not implemented

6.3

TYPE-basic

Uses of basic types char, int, short, long, double, and oat without typedef

6.4

(Required) Bitelds shall only be dened to be of type unsigned int or signed int. (Required) Bitelds of signed type shall be at least 2 bits long. (Required) Octal constants shall not be used. Zero is okay (Required) Functions shall have prototype declarations and the prototype shall be visible at both the function denition and call. (Required) Whenever an object or function is declared or dened, its type shall be explicitly stated. (Required) For each function parameter, the type given in the declaration and denition shall be identical and the return types shall also be identical. (Required) If objects or functions are declared more than once, their types shall be compatible. (Required) There shall be no denitions of objects or functions in a header le. (Required) Functions shall be declared at le scope. (Required) Objects shall be dened at block scope if they are only accessed from within a single function. (Required) An external object or function shall be declared in one and only one le. (Required) An identier with external linkage shall have exactly one external denition. (Required) All declarations and denitions of objects or functions at le scope shall have internal linkage unless external linkage is required. (Required) The static storage class specier shall be used in denitions and declarations of objects and functions that have internal linkage. (Required) When an array is declared with external linkage, its size shall be stated explicitly or dened implicitly by initialization. (Required) All automatic variables shall have been assigned a value before being used.

STRUCT-int-biteld

Bitelds with plain int type

6.5

STRUCT-signed-bit Partly implemented INT-octal Partly implemented FUNC-no-prototype

Signed single-bit elds (excluding anonymous elds) Some cases require manual checking. Uses of octal integer constants Some cases require manual checking. Functions used without prototyping, or declared with an empty () parameter list that does not form a valid prototype Whenever an object or function is declared or dened, its type shall be explicitly stated. This rule requires manual checking.

7.1 8.1

8.2

DECL-implicit-int

8.3

Not implemented

8.4

PARSE

Parse errors are generated for this rule

8.5 8.6 8.7

Partly implemented FUNC-in-header-le Not implemented Not implemented

Some cases require manual checking. Non-inline functions dened in header les This rule requires manual checking. This rule requires manual checking.

8.8

Not implemented

This rule requires manual checking.

8.9

Not implemented

This rule requires manual checking.

8.10

Not implemented

This rule requires manual checking.

8.11

Not implemented

This rule requires manual checking.

8.12

ARR-incomplete

External arrays declared without size stated explicitly or dened implicitly by initialization. Dereference of an uninitialized or NULL pointer. In all executions, a variable is read before it is assigned a value. In some execution, a variable is read before it is assigned a value. This rule requires manual checking.

PTR-uninit SPC-uninit-var-all SPC-uninit-var-some

9.1

9.2

(Required) Braces shall be used to indicate and match the structure in the non-zero initialization of arrays and structures. (Required) In an enumerator list, the "=" construct shall not be used to explicitly initialize members other than the rst, unless all items are explicitly initialized.

Not implemented

9.3

Not implemented

This rule requires manual checking.

10.1

(Required) The value of an expression of integer type shall not be implicitly converted to a different underlying type if: a. it is not a conversion to a wider integer type of the same signedness, or b. the expression is complex, or c. the expression is not constant and is a function argument, or d. the expression is not constant and is a return expression. (Required) The value of an expression of oating type shall not be implicitly converted to a different underlying type if: a. it is not a conversion to a wider oating type, or b. the expression is complex, or c. the expression is a function argument, or d. the expression is a return expression. (Required) The value of a complex expression of integer type shall only be cast to a type that is not wider and of the same signedness as the underlying type of the expression. (Required) The value of a complex expression of oating type shall only be cast to a oating type which is narrower or of the same size. (Required) If the bitwise operators ~ and are applied to an operand of underlying type unsigned char or unsigned short, the result shall be immediately cast to the underlying type of the operand. (Required) A U sufx shall be applied to all constants of unsigned type. (Required) Conversions shall not be performed between a pointer to a function and any type other than an integral type. (Required) Conversions shall not be performed between a pointer to object and any type other than an integral type, another pointer to object type, or a pointer to void. (Advisory) A cast should not be performed between a pointer type and an integral type. (Advisory) A cast should not be performed between a pointer to object type and a different pointer to object type. (Required) A cast shall not be performed that removes any const or volatile qualication from the type addressed by a pointer. (Advisory) Limited dependence should be placed on the C operator precedence rules in expressions. (Required) The value of an expression shall be the same under any order of evaluation that the standard permits. (Required) The sizeof operator shall not be used on expressions that contain side effects.

Not implemented

This rule requires manual checking.

10.2

FLOAT-implicit-conv

An expression of oating point type is implicitly converted where the result may be confusing.

10.3

CAST-widening-int-expr

Integral expressions should only be cast to narrower or equal sized integral types, preserving signed-ness.

10.4

CAST-widening-oat-expr

Floating point expressions should only be cast to narrower or equal sized oating point types. Bitwise operation on unsigned char or unsigned short, that are not immediately cast to this type to ensure consistent truncation

10.5

INT-bitwise-short

10.6 11.1

INT-missing-u CAST-func-ptr

A U sufx shall be applied to all constants of unsigned type. Conversions shall not be performed between a pointer to a function and any type other than an integral type. Parse errors are generated for this rule

11.2

PARSE

11.3

CAST-ptr-to-int

A cast should not be performed between a pointer type and an integral type. A pointer to object type is cast to a pointer to different object type

11.4

CAST-ptr-to-ptr

11.5

CAST-away-const

Casts that remove any const or volatile qualication.

12.1

Not implemented

This rule requires manual checking.

12.2

SPC-order

Expressions which depend on order of evaluation Sizeof expressions containing side effects

12.3

SIZEOF-side-effect

12.4

(Required) The right-hand operand of a logical && or || operator shall not contain side effects. (Required) The operands of a logical && or || shall be primary expressions. (Advisory) The operands of logical operators (&&, ||, and !) should be effectively boolean. Expressions that are effectively boolean should not be used as operands to operators other (Required) operators than (&&, ||, Bitwise !, =, ==, !=, and ?:). shall not be applied to operands whose underlying type is signed. (Required) The right-hand operand of a shift operator shall lie between zero and one less than the width in bits of the underlying type of the left-hand operand. (Required) The unary minus operator shall not be applied to an expression whose underlying type is unsigned. (Required) The comma operator shall not be used. (Advisory) Evaluation of constant unsigned integer expressions should not lead to wrap-around. (Required) The underlying bit representations of oating-point values shall not be used.

LOGIC-side-effect

Right hand operands of && or || that contain side effects This rule requires manual checking. Uses of arithmetic operators on boolean operands. Operands of logical operators (&&, ||, and !) that are not effectively Boolean. This rule requires manual checking.

12.5

Not implemented BOOL-arith LOGIC-non-bool Not implemented

12.6

12.7

12.8

ATH-shift-bounds

Out of range shifts

12.9

INT-neg-unsigned

Uses of unary - on unsigned expressions

12.10 12.11

COMMA-use EXPR-const-overow

Uses of the comma operator A constant unsigned integer expression overows An expression provides access to the bitrepresentation of a oating point variable. Reading from a eld of a union following a write to a different eld, effectively reinterpreting the bit pattern with a different type. Uses of increment (++) and decrement () operators mixed with other operators in an expression. Assignment operators shall not be used in expressions that yield a boolean value. Non-boolean operands to the conditional ( ? : ) operator Non-boolean termination conditions in do ... while statements. Non-boolean termination conditions in for loops. Non-boolean conditions in if statements. Non-boolean termination conditions in while statements. Floating point comparisons using == or !=

12.12

CAST-oat-ptr UNION-type-punning

12.13

(Advisory) The increment (++) and decrement () operators should not be mixed with other operators in an expression. (Required) Assignment operators shall not be used in expressions that yield a boolean value. (Advisory) Tests of a value against zero should be made explicit, unless the operand is effectively boolean.

EXPR-mixed-incr

13.1

BOOL-assign

COND-non-bool 13.2 DO-non-bool FOR-non-bool IF-non-bool WHILE-non-bool 13.3 (Required) Floating-point expressions shall not be tested for equality or inequality. (Required) The controlling expression of a for statement shall not contain any objects of oating type. (Required) The three expressions of a for statement shall be concerned only with loop control. (Required) Numeric variables being used within a for loop for iteration counting shall not be modied in the body of the loop. (Required) Boolean operations whose results are invariant shall not be permitted. ATH-cmp-oat

13.4

FOR-oat

Floating-point values in the controlling expression of a for statement. Some cases require manual checking. A for loop counter variable is not initialized in the for loop. A for loop counter variable is modied in the body of the loop.

13.5 13.6

Partly implemented EXP-loop-var-uninit EXP-loop-var-mod

RED-cmp-always 13.7 RED-cmp-never

A comparison using ==, <, <=, >, or >= is always true. A comparison using ==, <, <=, >, or >= is always false.

RED-cond-const-assign RED-cond-const-expr RED-cond-const 14.1 14.2 (Required) There shall be no unreachable code. (Required) All non-null statements shall either have at least one side effect however executed, or cause control ow to change. (Required) Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided that the rst character following the null statement is a whitespace character. (Required) The goto statement shall not be used. (Required) The continue statement shall not be used. (Required) For any iteration statement, there shall be at most one break statement used for loop termination. (Required) A function shall have a single point of exit at the end of the function. (Required) The statement forming the body of a switch, while, do ... while, or for statement shall be a compound statement. (Required) An if expression construct shall be followed by a compound statement. The else keyword shall be followed by either a compound statement or another if statement. (Required) All if ... else if constructs shall be terminated with an else clause. (Required) The MISRA C switch syntax shall be used. (Required) A switch label shall only be used when the most closely-enclosing compound statement is the body of a switch statement. (Required) An unconditional break statement shall terminate every nonempty switch clause. (Required) The nal clause of a switch statement shall be the default clause. (Required) A switch expression shall not represent a value that is effectively boolean. (Required) Every switch statement shall have at least one case clause. (Required) Functions shall not be dened with a variable number of arguments. (Required) Functions shall not call themselves, either directly or indirectly. RED-dead RED-no-effect

A constant assignment in a conditional expression A conditional expression with a constant value A constant value is used as the condition for a loop or if statement. In all executions, a part of the program is not executed. A statement that potentially contains no side effects.

14.3

EXP-stray-semicolon

Stray semicolons on the same line as other code

14.4 14.5 14.6

GOTO-use CONTINUE-use BREAK-multiple

Uses of goto. Uses of continue. Multiple break points from loop.

14.7

RETURN-multiple

A function shall have a single point of exit at the end of the function. Missing braces in do ... while statements Missing braces in for statements Missing braces in switch statements Missing braces in while statements Missing braces in if, else, and else if statements

14.8

14.9

DO-missing-braces FOR-missing-braces SWITCH-missing-braces WHILE-missing-braces IF-missing-braces

14.10

IF-no-nal-else

If ... else if constructs that are not terminated with an else clause. Switch statements that do not conform to the MISRA C switch syntax. Switch labels in nested blocks.

15.0 15.1

SWITCH-misra SWITCH-labels-in-block

15.2

SWITCH-fall-throughmisra SWITCH-no-nal-default

Non-empty switch cases not terminated by break Switch statements with no default clause, or a default clause that is not the nal clause. A switch expression shall not represent a value that is effectively boolean. Switch statements with no cases. Functions dened using ellipsis (...) notation Some cases require manual checking. Functions that call themselves directly.

15.3

15.4

SWITCH-bool

15.5 16.1

SWITCH-no-cases FUNC-varargs

16.2

Partly implemented FUNC-direct-recursion

16.3

(Required) Identiers shall be given for all of the parameters in a function prototype declaration. (Required) The identiers used in the declaration and denition of a function shall be identical. (Required) Functions with no parameters shall be declared and dened with the parameter list void. (Required) The number of arguments passed to a function shall match the number of parameters. (Required) A pointer parameter in a function prototype should be declared as pointer to const if the pointer is not used to modify the addressed object. (Required) All exit paths from a function with non-void return type shall have an explicit return statement with an expression. (Required) A function identier shall only be used with either a preceding &, or with a parenthesized parameter list, which may be empty. (Required) If a function returns error information, then that error information shall be tested. (Required) Pointer arithmetic shall only be applied to pointers that address an array or array element.

FUNC-unnamed-param

Function prototypes must name all parameters This rule requires manual checking.

16.4

Not implemented

16.5

FUNC-no-prototype

Functions used without prototyping, or declared with an empty () parameter list that does not form a valid prototype Parse errors are generated for this rule

16.6

PARSE

16.7

Not implemented

This rule requires manual checking.

16.8

SPC-return

For some execution, no return statement is executed in a function with a

16.9

FUNC-implicit-addr

Function addresses taken without explicit &

16.10

LIB-return-error

The return value for a library function that may return an error value is not used. Some cases require manual checking. Direct access to a eld of a struct using an offset from the address of the struct. Invalid pointer arithmetic with an automatic variable that is neither an array nor a pointer. This rule requires manual checking.

17.1

Partly implemented PTR-arith-eld PTR-arith-var

17.2

(Required) Pointer subtraction shall only be applied to pointers that address elements of the same array. (Required) >, >=, <, <= shall not be applied to pointer types except where they point to the same array. (Required) Array indexing shall be the only allowed form of pointer arithmetic. (Required) The declaration of objects should contain no more than two levels of pointer indirection. (Required) The address of an object with automatic storage shall not be assigned to another object that may persist after the rst object has ceased to exist.

Not implemented

17.3

Not implemented

This rule requires manual checking.

17.4

PTR-arithmetic PTR-array-indexing PTR-triple

17.5

Array indexing shall be the only allowed form of pointer arithmetic. Array indexing shall only be applied to objects dened as an array type. The declaration of objects should contain no more than two levels of pointer indirection. Store a stack address in the eld of a global struct. Store a stack address in a global pointer. Store stack address via reference parameter. Store stack address outside function via parameter. May return address on the stack. Structs and unions that are used without being dened. Assignments from one eld of a union to another. Some cases require manual checking. Reading from a eld of a union following a write to a different eld, effectively reinterpreting the bit pattern with a different type.

MEM-stack-global-eld MEM-stack-global MEM-stack-param-ref MEM-stack-param MEM-stack STRUCT-incomplete

17.6

18.1

(Required) All structure and union types shall be complete at the end of the translation unit. (Required) An object shall not be assigned to an overlapping object. (Required) An area of memory shall not be used for unrelated purposes.

18.2

UNION-overlap-assign Partly implemented UNION-type-punning

18.3

18.4 19.1

(Required) Unions shall not be used. (Advisory) #include statements in a le should only be preceded by other preprocessor directives or comments. (Advisory) Non-standard characters should not occur in header le names in #include directives. (Required) The #include directive shall be followed by either a <lename> or "lename" sequence. (Required) C macros shall only expand to a braced initializer, a constant, a string literal, a parenthesized expression, a type qualier, a storage class specier, or a do-while-zero construct. (Required) Macros shall not be #dened or #undefd within a block. (Required) #undef shall not be used. (Advisory) A function should be used in preference to a function-like macro. (Required) A function-like macro shall not be invoked without all of its arguments. (Required) Arguments to a functionlike macro shall not contain tokens that look like preprocessing directives. (Required) In the denition of a function-like macro, each instance of a parameter shall be enclosed in parentheses unless it is used as the operand of # or ##. (Required) All macro identiers in preprocessor directives shall be dened before use, except in #ifdef and #ifndef preprocessor directives and the dened() operator. (Required) There shall be at most one occurrence of the # or ## preprocessor operators in a single macro denition. (Advisory) The # and ## preprocessor operators should not be used. (Required) The dened preprocessor operator shall only be used in one of the two standard forms. (Required) Precautions shall be taken in order to prevent the contents of a header le being included twice. (Required) Preprocessing directives shall be syntactically meaningful even when excluded by the preprocessor. (Required) All #else, #elif, and #endif preprocessor directives shall reside in the same le as the #if or #ifdef directive to which they are related. (Required) Reserved identiers, macros, and functions in the standard library shall not be dened, redened, or undened.

UNION-use Not implemented

All unions This rule requires manual checking.

19.2

INCLUDE-bad-char

Illegal characters in header le names

19.3

PARSE

Parse errors are generated for this rule

19.4

Not implemented

This rule requires manual checking.

19.5 19.6 19.7 19.8

Not implemented UNDEF-use DEFINE-function-like PARSE

This rule requires manual checking. All #undefs Function-like macros Parse errors are generated for this rule

19.9

Not implemented

This rule requires manual checking.

19.10

Not implemented

This rule requires manual checking.

19.11

Not implemented

This rule requires manual checking.

19.12

DEFINE-hash-multiple

Multiple # or ## operators in a macro denition

19.13 19.14

DEFINE-hash-use Not implemented

# or ## operator used in a macro denition This rule requires manual checking.

19.15

INCLUDE-unguarded

Header les without #include guards

19.16

Not implemented

This rule requires manual checking.

19.17

Not implemented

This rule requires manual checking.

20.1

DEFINE-reserved

#dene or #undef of a reserved identier in the standard library

20.2

(Required) The names of Standard Library macros, objects, and functions shall not be reused. (Required) The validity of values passed to library functions shall be checked. (Required) Dynamic heap memory allocation shall not be used. (Required) The error indicator errno shall not be used. (Required) The macro offsetof in the stddef.h library shall not be used. (Required) The setjmp macro and the longjmp function shall not be used. (Required) The signal handling facilities of signal.h shall not be used. (Required) The input/output library stdio.h shall not be used in production code. (Required) The functions atof, atoi, and atol from the library stdlib.h shall not be used. (Required) The functions abort, exit, getenv, and system from the library stdlib.h shall not be used. (Required) The time handling functions of time.h shall not be used. (Required) Minimization of runtime failures shall be ensured by the use of at least one of: a. static analysis tools/techniques b. dynamic analysis tools/techniques c. explicit coding of checks to handle runtime faults.

Not implemented

This rule requires manual checking.

20.3

Not implemented

This rule requires manual checking.

20.4 20.5 20.6 20.7 20.8 20.9

LIB-malloc LIB-errno LIB-offsetof LIB-setjmp LIB-signal LIB-stdio

All uses of malloc, calloc, realloc, and free All uses of errno All uses of the offsetof built-in function All uses of <setjmp.h> All uses of <signal.h> All uses of <stdio.h>

20.10

LIB-atoi

All uses of atof, atoi, and atol

20.11

LIB-system

All uses of abort, exit, getenv, and system

20.12

LIB-time

21.1

Static analysis

All uses of <time.h> functions: asctime, clock, ctime, difftime, gmtime, localtime, mktime, strftime, and time Correct use of Goanna static analysis assists in compliance with this rule

For more information:

http://redlizards.com mailto:info@redlizards.com
c 20082013 Red Lizard Software Pty Ltd.