Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
MISRA C makes SW "robust" against compiler failures
#1
As known, EN 50128:2011 standard asks for evidence that a tool failure might not impact the software safety. In particular, emphasis is placed upon tools that might generate outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system. Therefore compilers are the first to be assessed in this respect. In case of C language, regardless if certain evidence is available of a compiler full conformance with ISO/IEC 9899:1999 (C99) standard, I was wondering if, at least based on gathered experience, the source code full compliance with MISRA C:2012 makes the source code itself more "robust" against possible residual failures of the compiler. In other words, if it can be said that upon fully complying with MISRA C:2012, the largest part of current compilers does not exhibit failures.
<t></t>
Reply
#2
This could get interesting - i assume that is the same like tool qualification in ISO 26262 (e.g. https://www.jnovel.co.jp/en/service/comp...26262.html)?

Anyways, i personally divide MISRA rules in three big categories:
  • Purely about code style (e.g. writing 1U instead 1u, using unique identifiers, etc.)
  • Purely about avoiding implementation defined behavior (e.g. size of an integer)
  • Purely about avoiding undefined behavior (e.g. casting away const)
While the last two items greatly increase portability and safety of the code they do not protect you in any way from a buggy optimizer in your compiler which in turn messes up your binary (after all, a compiler is just another piece of software and software has bugs).
So, based on my experience i would answer your question about robustness against compiler failures with no, but i am very much interested in other people's opinions on this subject.
<t></t>
Reply
#3
Hi all.
In a previous ASIL D experiment, we reinforced the MISRA rules to make explicit all that can be generated implicitly.
In another word: Don't let compiler behave alone.

A simple exemple: A computation inside a test:
Code:
if (((Var >> 3) & 1) == 0)]
Generated code can/will use a temporary ram register to store computation result and use it in the test.
Instead of letting the compiler behave like this, we had to create a local variable to perform computations.
<t></t>
Reply
#4
MISRA C:2012 contains a disclaimer "Adherence to the requirements of this document does not in itself ensure error-free robust software or guarantee portability or reuse".

The guidelines of MISRA C are intended to define a subset of the C language in which the opportunity to make mistakes is either removed or reduced.

However, even fully compliant MISRA C code can not protect you against compiler failures.
Posted by and on behalf of the MISRA C Working Group
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)