MISRA C

MISRA Cis a set of software development guidelines for theCprogramming languagedeveloped byThe MISRA Consortium.Its aims are to facilitate codesafety,security,portabilityand reliability in the context ofembedded systems,specifically those systems programmed inISO C/ C90 /C99.^[1]

There is also a set of guidelines for MISRA C++ not covered by this article.

• Draft: 1997^[2]
• First edition: 1998 (rules, required/advisory)
• Second edition: 2004 (rules, required/advisory)
• Third edition: 2012 (directives; rules, Decidable/Undecidable)
• MISRA compliance: 2016, updated 2020
• MISRA C:2023 (MISRA C Third edition, Second revision)

For the first two editions of MISRA-C (1998 and 2004) all Guidelines were considered as Rules. With the publication of MISRA C:2012 a new category of Guideline was introduced - theDirectivewhose compliance is more open to interpretation, or relates to process or procedural matters.

Although originally specifically targeted at the automotive industry, MISRA C has evolved as a widely accepted model for best practices by leading developers in sectors including automotive, aerospace, telecom, medical devices, defense, railway, and others. For example:

• TheJoint Strike Fighterproject C++ Coding Standards^[3]are based on MISRA-C:1998.
• TheNASAJet Propulsion LaboratoryC Coding Standards^[4]are based on MISRA-C:2004.
• IEC 81001-5-1:2021Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product lifecyclecites MISRA C as an example of secure coding best practices.
• ISO 26262Functional Safety - Road Vehiclescites MISRA C as being an appropriate sub-set of the C language:
  • ISO 26262-6:2011Part 6: Product development at the software level^[5]cites MISRA-C:2004 and MISRA AC AGC.
  • ISO 26262-6:2018Part 6: Product development at the software level^[6]cites MISRA C:2012.
• TheAUTOSARGeneral Software Specification (SRS_BSW_00007) likewise cites MISRA C:
  • The AUTOSAR 4.2 General Software Specification^[7]requires thatIf the BSW Module implementation is written in C language, then it shall conform to the MISRA C:2004 Standard.
  • The AUTOSAR 4.3 General Software Specification^[8]requires thatIf the BSW Module implementation is written in C language, then it shall conform to the MISRA C:2012 Standard.

When a new software project is started, the latest MISRA standard should be used. Previous standards are still available for use with legacy software projects that need to refer to it.^[9]

Each Guideline is classified^[10]asMandatory(new for MISRA C:2012),RequiredorAdvisory.Furthermore, the MISRA Compliance document permitsAdvisoryguidelines to beDisapplied.

• Mandatoryguidelines shall always be complied with
• Requiredguidelines shall be complied with, unless subject to aDeviation
• Advisoryguidelines are considered good practice, but compliance is less formal.

The rules can be divided logically into a number of categories:

• Avoiding possible compiler differences, for example, the size of C'sinttype may vary butint16_t(standardized in C99) is always 16 bits.
• Avoiding using functions and constructs that are prone to failure, for example,mallocmay fail.
• Produce maintainable and debuggable code, for example, naming conventions and commenting.
• Best practice rules.
• Complexity limits.

MISRA C:2012 separately classifies each guideline as eitherSingleTranslation UnitorSystem.^[10]

MISRA C:2012 classifies therules(but not thedirectives) asDecidableorUndecidable.

MISRA published documents to provide additional guidance to understand and achieve MISRA compliance.

• MISRA Compliance:2016,was released by MISRA in April 2016.^[11]
• MISRA Compliance:2020,revised edition, was released in February 2020.^[12]

In order for a piece of software to claim to be compliant to the MISRA C Guidelines, allmandatoryrules shall be met and allrequiredrules and directives shall either be met or subject to a formal deviation.Advisoryrules may be disapplied without a formal deviation, but this should still be recorded in the project documentation.

Note: For compliance purposes, there is no distinction betweenrulesanddirectives.

Many MISRA Crulescan be characterized asguidelinesbecause under certain condition software engineers may deviate from rules and still be considered compliant with the standard. Deviations must be documented either in the code or in a file. In addition; proof must be provided that the software engineer has considered the safety of the system and that deviating from the rule will not have a negative impact, requirements for deviations also include:

• The rule deviated from.
• Rationale for deviation.^[13]

The first edition of MISRA C, "Guidelines for the use of the C language in vehicle based software", which was published in 1998 and is officially known asMISRA-C:1998.^[14]

MISRA-C:1998 has 127 rules, of which 93 are required and 34 are advisory; the rules are numbered in sequence from 1 to 127.

In 2004, a second edition "Guidelines for the use of the C language incritical systems",orMISRA-C:2004was produced, with many substantial changes to the guidelines, including a complete renumbering of the rules.

MISRA-C:2004 contains 142 rules, of which 122 are "required" and 20 are "advisory"; they are divided into 21 topical categories, from "Environment" to "Run-time failures".

In 2013, the third edition, MISRA C:2012, was published. MISRA C:2012 extends support to theC99version of the C language (while maintaining guidelines for C90), in addition to including a number of improvements that can reduce the cost and complexity of compliance, whilst aiding consistent, safe use of C in critical systems.^[15]

MISRA-C:2012 contains 143 rules and 16 "directives" (that is, rules whose compliance is more open to interpretation, or relates to process or procedural matters); each of which is classified asmandatory,required,oradvisory.They are separately classified as eitherSingle Translation UnitorSystem.Additionally, the rules are classified asDecidableorUndecidable.

In April 2016, MISRA published (as a free download)MISRA C:2012 - Amendment 1: Additional Security Guidelines^[16]which added fourteen newsecurityguidelines.

In February 2020, MISRA published (as a free download)MISRA C:2012 - Amendment 2: Updates for ISO/IEC 9899:2011/18 Core functionality^[17]which adds mapping for the undefined, unspecified and implementation defined behaviours within C11/C18.

MISRA have published the following addenda to support MISRA C:2012:

• MISRA C:2012 - Addendum 1: Rule Mappings,^[18]which contains bi-directional rule mappings between MISRA C:2004 and the new version. It is intended to assist users in migration.
• MISRA C:2012 - Addendum 2: Coverage of MISRA C:2012 against ISO/IEC TS 17961:2013 "C Secure"^[19]
• MISRA C:2012 - Addendum 3: Coverage of MISRA C:2012 against CERT C^[20]

In May 2023 MISRA published MISRA C:2023 (MISRA C Third edition, Second revision) which incorporates Amendments 2 – 4 (AMD2, AMD3, AMD4) and Technical Corrigendum 2 (TC2) and incorporates support forC11andC17language features.^[21]

An exemplar suite (for MISRA-C:2004 and MISRA C:2012) is available from the MISRAGitLab^[22]repository (login required). This allows tool-users to evaluate and compare the checking support provided by the various MISRA tools; additionally, it gives tool-implementers some guidance as to the intent of the MISRA Guidelines.

While there exist many software tools that claim to check code for "MISRA conformance", there is no MISRA certification process.^[23]

Most of the guidelines can be checked using tools that performstatic code analysis.The remaining guidelines require the use ofdynamic code analysis.

Tools that check code for MISRA conformance include:

• AstréebyAbsInt
• Axivion Bauhaus Suiteby Axivion GmbH.MISRA C:2004, C:2012, C:2012 Amendment 1, C++:2008, Compliance:2016.
• CodeSonarbyGrammaTech
• CoveritybySynopsys- Static Analysis
• Cppcheck- Open source Static Analysis tool for C/C++
• ECLAIRby BUGSENG srl.MISRA C:2004, C:2012, C:2012 Amendment 1, C++:2008.
• Helix QACbyPerforce Software.MISRA C:1998, C:2004, C:2012, C++:2008.^[24]
• KlocworkbyRogue Wave Software(now owned by Perforce Software^[25]).MISRA C:2012, C:2012 Amendment 1, C++:2008.^[26]
• LDRA TestbedbyLiverpool Data Research Associates
• Parasoft C/C++testby Parasoft.MISRA C 1998, MISRA C 2004, MISRA C 2012 AMD1, AMD2 and AMD3, MISRA C++ 2008, Draft version of MISRA C++ 202x.^[27]
• PC-Lintby Gimpel Software (now owned by Vector Informatik GmbH).MISRA C:1998, C:2004, C:2012, C++:2008.^[28]
• PolyspacebyMathWorks
• PVS-Studioby Program Verification Systems
• SonarQubebySonarSource(open sourcewith some commercial plug-in components)
• SQuOREby Squoring Technologies
• Understandby SciTools

C/C++ compilers that support MISRA conformance include:

• Green Hills Software
• IAR Systems-MISRA C:1998, C:2004, C:2012, C++:2008.^[29]
• TASKING-MISRA C:1998, C:2004, C:2012.

Some research results question the effectiveness of MISRA C 2004.

In a paper that compares earlier work on MISRA C:1998 with MISRA C:2004,Les Hattoncomes to the conclusion that:^[30]

In view of the apparent widening influence of the MISRA C standard, this paper attempts to assess whether important deficiencies in the original standard have been addressed satisfactorily. Unfortunately, they have not and the important real to false positive ratio is not much better in MISRA C 2004 than it was in MISRA C 1998 and it is unacceptably low in both.

He goes on to state:^[30]

In its present form, the only people to benefit from the MISRA C 2004 update would appear to be tool vendors and it is to be hoped that steps will be taken both to simplify the wording and to reduce the false positive ratio in future revisions by taking a little more notice of published experimental data and being less tempted to invent rules on the basis that they seem a good idea.

A study at theTU Delft,by Cathal Boogerd and Leon Moonen, empirically assesses the value of MISRA C:2004. It comes to similar results:^[31]

From the data obtained, we can make the following key observations. First, there are 9 out of 72 rules for which violations were observed that perform significantly better (α = 0.05) than a random predictor at locating fault-related lines. The true positive rates for these rules range from 24-100%. Second, we observed a negative correlation between MISRA rule violations and observed faults. In addition, 29 out of 72 rules had a zero true positive rate. Taken together with Adams' observation that all modifications have a non-zero probability of introducing a fault, this makes it possible that adherence to the MISRA standard as a whole would have made the software less reliable.

• Programming style

• Official website
• "Introduction to MISRA C".embedded. July 2002.^{[dead link]}
• "MISRA C: Safer Is Better".Electronic Design magazine. 3 February 2003.
• "Commentary on the first edition of the MISRA C guidelines".knosof.co.uk.
• "New Version of MISRA C: Why Should You Care?".Electronic Design magazine. 25 February 2013.
• "MISRA C:2012: Plenty Of Good Reasons To Change".Electronic Design magazine. 25 February 2013.
• "MISRA C:2012 fact sheet"(PDF).programmingresearch.
• "MISRA C:2012 ensures automotive software safety".EE Times magazine.
• "Compliance to MISRA C: Code Generation".Mathworks.