Welcome to the MISRA discussion forum

Hi there. We are working on the automotive framework for programming of autonomous cars. Our framework has features that are very similar to those in Adaptive Autosar: https://www.autosar.org/standards/adaptive-platform/. We plan to certify this framework as a Safety Element Out of Context according to ISO 26262.

The framework is written in C++ and makes rather heavy use of constructs implemented in Standard Library (see below for the full list). Many C++ keywords like throw or lambdas use the C++ standard library. So removing the C++ standard library would lead to a dysfunctional compiler.

We are aware of 3 Standard Library implementations:
1. LLVM libc++: https://libcxx.llvm.org/docs/
2. GCC libstdc++: https://gcc.gnu.org/
3. Dinkumware: https://www.dinkumware.com/

Now the problem is that none of the above libraries are certified according to ISO 26262.

Questions:
1. **Are you aware of any ISO 26262 certified Standard Library? Or anybody that is working on it?**
2. **Would any of the above implementations qualify for a “proven in use” argument?**


Constructs in our framework used from the Standard Library:
```cpp
std::string
std::vector
std::map
std::unordered_map
std::allocator
std::allocator_traits

std::shared_ptr
std::make_shared
std::unique_ptr
std::make_unique
std::weak_ptr

std::enable_shared_from_this

std::move

std::ostream
std::ostringstream

std::lock_guard
std::mutex
std::shared_future
std::thread::hardware_concurrency
std::this_thread::yield()

std::enable_if
std::false_type
std::is_same
std::declval

std::function
std::bind

std::chrono*

std::numeric_limits

std::shared_future

std::runtime_error
std::invalid_argument

std::int32_t
std::type_index
std::snprintf
```

Hello,
I have the following piece of code for which I get a MISRA Rule 2.1 error. I am considering a deviation for this - All possible error status from a function call can be checked even if the function does not return all possible error statuses. Can you please provide feedback on if this is a reasonable deviation?

(Btw, this is my first post - please feel free to let me know if this is outside the scope here)

Example:

Hi,

MISRA C-2012 Rule 5.3 (which is of the same title as 2-10-2) has this additional amplification about an identifier declared in an inner scope shall be distinct from *any* id declared in an outer scope.

So the following code shall be a violation for 5.3 although the inner "i" is not hiding the outer "i" (still confusing though).

I have the folowing code :

Good day. To analyze a finding supported by this rule in a project I'd like to understand the intention of the rule. Specifically, in the context of C99 I fail to find an appropriate rationale to disallow converting between intptr_t/uintptr_t and void *:

1. Quote:Conversion of an integer into a pointer to void may result in a pointer that is not correctly aligned, resulting in undefined behaviour.

   Would you, please, explain how this rationale is compatible with the following statement in the C90/C99 standards:
   

   C99. 6.2.5 Types. §27 Wrote:A pointer to void shall have the same representation and alignment requirements as a pointer to a character type.

   As character pointers contain addresses of individual bytes, they cannot be unaligned. Hence pointers to void cannot be unaligned too, right?
   Moreover, for the cases, in which the alignment problem indeed may occur, the restriction you define (rule 11.4) is, in contrast to 11.6, only advisory.
   

2. Quote:Conversion of a pointer to void into an integer may produce a value that cannot be represented in the chosen integer type resulting in undefined behaviour.

   This rationale does not apply to intptr_t/uintptr_t.
   

3. Quote:Conversion between any non-integer arithmetic type and pointer to void is undefined.

   This rationale looks like it would deserve a separate rule, as the limitations of these conversions for integers and non-integer arithmetic types are very different.

Hi there,
I humbly ask for help with compliance to Dir 4.8.
(Borrowing from cxlin, thx)

Hi,

I am facing the MISRA.VAR.HIDDEN error.

When i defined the function prototype with parameters and using the same parameters name while calling the function.

Can any one give me suggestion how can it will be modified to avoid the error.

Thanks in advance.

Hi,

as far as i know, there is no explicit rule to deal with that.
12-8-1 comes close but is for copy constructors only.

An implementation is permitted to perform the initialization of an object of namespace scope with static
storage duration as a static initialization even if such initialization is not required to be done statically, provided
that
— the dynamic version of the initialization does not change the value of any other object of namespace
scope with static storage duration prior to its initialization, and
— the static version of the initialization produces the same value in the initialized object as would be produced
by the dynamic initialization if all objects not required to be initialized statically were initialized
dynamically.
[Note: as a consequence, if the initialization of an object obj1 refers to an object obj2 of namespace
scope with static storage duration potentially requiring dynamic initialization and defined later in the same
translation unit, it is unspecified whether the value of obj2 used will be the value of the fully initialized
obj2 (because obj2 was statically initialized) or will be the value of obj2 merely zero-initialized. For
example,
44
ï›™ ISO/IEC ISO/IEC 14882:2003(E)
3 Basic concepts 3.6.2 Initialization of non-local objects
inline double fd() { return 1.0; }
extern double d1;
double d2 = d1; // unspecified:
// may be statically initialized to 0.0 or
// dynamically initialized to 1.0
double d1 = fd(); // may be initialized statically to 1.0
—end note]
3 It is implementation-defined whether or not the dynamic initialization (8.5, 9.4, 12.1, 12.6.1) of an object of
namespace scope is done before the first statement of main. If the initialization is deferred to some point
in time after the first statement of main, it shall occur before the first use of any function or object defined
in the same translation unit as the object to be initialized.31) [Example:
// – File 1 –
#include "a.h"
#include "b.h"
B b;
A::A(){
b.Use();
}
// – File 2 –
#include "a.h"
A a;
// – File 3 –
#include "a.h"
#include "b.h"
extern A a;
extern B b;
int main() {
a.Use();
b.Use();
}
It is implementation-defined whether either a or b is initialized before main is entered or whether the
initializations are delayed until a is first used in main. In particular, if a is initialized before main is
entered, it is not guaranteed that b will be initialized before it is used by the initialization of a, that is,
before A::A is called. If, however, a is initialized at some point after the first statement of main, b will
be initialized prior to its use in A::A. ]

13.1 indicates that an initializer list shall not contain persistent side effects, and gives an example of initializing with a volatile variable access. I believe there would be general agreement that

what is the method of defining infinite loop according to MISRA C-2012 compalince ?


Thank you.