MISRA C makes SW "robust" against compiler failures

Posts: 11
Joined: Tue Apr 23, 2013 9:59 am
Company: INTECS

Post by andream » Wed Dec 05, 2018 5:04 pm

As is known, the EN 50128:2011 standard asks for evidence that a tool failure might not impact the software safety. In particular, emphasis is placed upon tools that might generate outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system. Therefore compilers are the first to be assessed in this respect. In the case of the C language, regardless of whether certain evidence is available of a compiler's full conformance with the ISO/IEC 9899:1999 (C99) standard, I was wondering if, at least based on gathered experience, full compliance of the source code with MISRA C:2012 makes the source code itself more "robust" against possible residual failures of the compiler. In other words, whether it can be said that upon fully complying with MISRA C:2012, the largest part of current compilers does not exhibit failures.

Posts: 109
Joined: Wed Apr 27, 2016 2:33 pm
Company: Elektrobit Automotive GmbH

Re: MISRA C makes SW "robust" against compiler failures

Post by dg1980 » Wed Dec 05, 2018 6:52 pm

This could get interesting - I assume that is the same as tool qualification in ISO 26262 (e.g. https://www.jnovel.co.jp/en/service/com ... 26262.html)?

Anyways, I personally divide MISRA rules into three big categories:
  • Purely about code style (e.g. writing 1U instead of 1u, using unique identifiers, etc.)
  • Purely about avoiding implementation-defined behavior (e.g. size of an integer)
  • Purely about avoiding undefined behavior (e.g. casting away const)
While the last two items greatly increase portability and safety of the code, they do not protect you in any way from a buggy optimizer in your compiler which in turn messes up your binary (after all, a compiler is just another piece of software and software has bugs).
So, based on my experience I would answer your question about robustness against compiler failures with no, but I am very much interested in other people's opinions on this subject.

Posts: 9
Joined: Thu Jul 13, 2017 2:22 pm

Re: MISRA C makes SW "robust" against compiler failures

Post by Francois » Thu Dec 06, 2018 8:12 am

Hi all.
In a previous ASIL D experiment, we reinforced the MISRA rules to make explicit all that can be generated implicitly.
In other words: Don't let the compiler behave alone.

A simple example: A computation inside a test:

```c
if (((Var >> 3) & 1) == 0)
```
Generated code can/will use a temporary RAM register to store the computation result and use it in the test.
Instead of letting the compiler behave like this, we had to create a local variable to perform the computations.
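The refactoring Francois describes, written out as an added example (not code from the post or from any MISRA publication): the bit test kept inside the condition next to the same test with every intermediate value in a named local, plus an assumed helper that checks the two forms agree over a set of constructed inputs. The use of uint32_t and the U literal suffixes is a style choice made here, not something the post prescribes.

```c
#include <stdint.h>
#include <stdbool.h>

/* Original form from the post: the shift and mask are computed inside
 * the condition, so any temporary the compiler allocates for them is
 * invisible in the source and cannot be inspected or range-checked. */
bool bit3_is_clear_implicit(uint32_t var)
{
    bool clear = false;
    if (((var >> 3U) & 1U) == 0U) {
        clear = true;
    }
    return clear;
}

/* Explicit form: each intermediate result lives in a named local, so
 * the value fed to the comparison exists in the source, can be watched
 * in a debugger and can be checked against its expected range. */
bool bit3_is_clear_explicit(uint32_t var)
{
    const uint32_t shifted = var >> 3U;     /* step 1, now visible */
    const uint32_t bit3    = shifted & 1U;  /* step 2, now visible */
    bool clear = false;
    if (bit3 == 0U) {
        clear = true;
    }
    return clear;
}

/* Assumed helper (not from the post): back-to-back comparison of the
 * two forms over the supplied inputs. Returns the number of inputs on
 * which they disagree; 0 means the rewrite preserved behaviour. */
uint32_t count_mismatches(const uint32_t *inputs, uint32_t n)
{
    uint32_t mismatches = 0U;
    for (uint32_t i = 0U; i < n; i++) {
        const bool a = bit3_is_clear_implicit(inputs[i]);
        const bool b = bit3_is_clear_explicit(inputs[i]);
        if (a != b) {
            mismatches++;
        }
    }
    return mismatches;
}
```

Running the comparison in a unit test gives a regression check that the explicit version still answers exactly like the original condition.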

Posts: 572
Joined: Thu Jan 05, 2006 1:11 pm

Re: MISRA C makes SW "robust" against compiler failures

Post by misra-c » Wed Jun 12, 2019 8:23 am

MISRA C:2012 contains a disclaimer "Adherence to the requirements of this document does not in itself ensure error-free robust software or guarantee portability or reuse".

The guidelines of MISRA C are intended to define a subset of the C language in which the opportunity to make mistakes is either removed or reduced.

However, even fully compliant MISRA C code cannot protect you against compiler failures.
Posted by and on behalf of
the MISRA C Working Group
