I ran LINT version 9, configured to report the violations of the rules in the MISRA C++ 2008 coding standard, on a C++ source file. LINT is perhaps the most famous tool for statically checking C and C++ source code. MISRA stands for the Motor Industry Software Reliability Association, mandating adherence to its coding standards throughout the automotive industry.
The source file I tried has several KLOC worth of code, and the output of the preprocessor takes about 1M – pretty normal for C++ where a "Hello, world!" program generates 3/4M of preprocessed output. The output of LINT takes 38M. That's 38x more errors than code.
We're not finished parsing this output so I'm not sure which rules cause most violations and whether they can be clustered somehow to compress the 38M into something resembling comprehensible narrative in contents and size. The only thing basic attempts at parsing revealed at this point is that the distribution of the violations is roughly geometric, with the majority of the errors reporting violations of a minority of the rules.
Therefore, my only way of conveying some insight into the MISRA rules enforced by LINT is to look at a toy example. My example will be a Hello, world program – 2 LOC or 3/4M worth of code depending on your perspective. I'll assume LINT is told to ignore standard libraries, so it will actually be closer to 2 LOC.
#include <iostream>
int main() { std::cout << "Hello, world" << std::endl; }
From this program, LINT will produce 4 error messages when configured to enforce MISRA C++ 2008:
- The "int" in "int main" violates an advisory rule to avoid using built-in types and instead use typedefs indicating the size and signedness of the type, such as int32_t, INT or signed32T. Many an automotive project use a mixture of 2 or 3 of these conventions, which is compliant with the MISRA guidelines and presumably results from the history of merging or integrating code bases and/or teams. (I believe that in the particular case of main, the C and C++ standards both mandate the use of int; I didn't check if you can use a typedef to spell int but I'm certain that you can't have main() return an int32_t on a platform where int is 16b. Anyway, it appears that LINT doesn't bother to special-case main() – but you can do that yourself in its configuration file or right there in the source code, as you will have to do in many other cases.)
- The first left shift operator violates a MISRA rule disallowing the use of bitwise shift on signed types, or so it does according to LINT, which presumably checks whether the operands are of an unsigned integral type and reports an error if they are not (the other option is that it figures an output stream or a literal character array are "signed", but I can't see how they can be unless it's a signature we're talking about rather than signedness). The MISRA rule is based on the fact that the behavior of bitwise shift is implementation-defined and thus not portable. I do believe that there does not exist a 32b machine which does not use the 2's complement representation for integers and is a target of an automotive application. A notable share of automotive applications use signed integers to represent fixed point numbers, and I believe all of them rely on the 2's complement semantics of bitwise shifts to emulate multiplication and division.
- The second left shift operator is reported as violating the same rule.
- The two left shift operators as a whole are reported to violate the rule disallowing dependence on C operator precedence. That is, in order to correctly understand this program, a reader would have to know that (std::cout << "Hello, world!") would be evaluated first and then its output would be shifted to the left by std::endl. MISRA strives to prevent confusion, based on a well-founded assumption that few programmers know the rules of operator precedence and evaluation order, and LINT enforces the rules defined based on these premises.
I hope this gives some insight on the general code/errors ratio.
125 comments ↓
Those are not errors in code; those are design flaws in either the spec for the standard or LINT.
1. main(int,char**) returns an int. Not an int32_t or an int16_t depending on the platform, but an int, which happens to be an int16_t, an int32_t or an int64_t depending on the platform. This is Unix semantics. The resulting value is an error code, not an integer meant to be calculated upon and subject to overflow. At worst it's a small binary set, again not subject overflow. It has been so since C and Unix exist. Ignoring it is just strange.
2. Next, ostream & operator<< (const char *) is not the bit shift operator. It is an operator alright. It does not, however, perform a bit shift. Therefore, it is not the bit shift operator. The bit shift operator is (for example) int operator<<(int).
Furthermore, the meaning of said operator is clearly defined for signed integers. Why not disallow substraction on unsigned types, while they're at it? That should prevent underflow!
4. This is simply crazy. This kind of blanket rules are completely, utterly idiotic. '<<' here is much more readable without parenthesis, esp. considering that there is no other operator that could preempt it.
And anyone who's graduated grad school, even last of his class, knows that 1+2*3 == 1+(2*3) != (1+2)*3. And anyone who's graduated from junior high knows that 1/2/3 is fishy. And what about expressions with just one commutative operator? Are we to add parenthesis to 1+2+3?
I don't know who's to blame here, if the LINT tool is really that clueless or if the MISRA standard mandates this behaviour, but I can't begin to understand how you can ignore long standing (25+ years!) C and C++ idioms. If they don't like operator overloading, why don't they remove them altogether and call it Java?
Is it really fair to test a standard designed without STL streams in mind against code exclusively made up of STL stream usage? Although the in thing is pretty stupid.
> Is it really fair to test a standard designed without STL streams in mind against code exclusively made up of STL stream usage?
Writing C++ without the STL (or a substitute) is quite silly. I have to deal with such code, and there is only one reason for it: the devs are morons and insist on reinventing the wheel … a square, broken wheel. The number of bugs is staggering.
@niczar in #3:
Yeah, but writing C++ with the *iostreams part of the STL* is just stupid. std::vector is great, but std::ostream (std::ofstream, std::iob, std::hex, std::dec, et cetera et cetera) is just a dangerous and bloated wrapper on top of C's FILE pointers. Stick to FILE pointers for I/O and you'll be much happier.
As for MISRA, yes, many of its rules are stupid. For example, it completely disallows the use of , which means I'm surprised your program compiled at all (since presumably #includes ). As for lint: warnings 2 or 3 are false positives, because the operator is overloaded. Warning 4 is also a false positive, because MISRA C++ Rule 5-0-2 specifically states that an unparenthesized expression is okay if all the operators in it are the same.
I'm astonished that of your four comments so far, the first one restates what you said in your text and the others all refer to nonexistent "STL streams".
Very amusing.
The idea of MISRA is very much to define a safer subset of C (and apparently C++). It wouldn't surprise me at all if it outlawed operator overloading, for example.
It would be interesting to see what a new "safe" programming language designed without the compromises inherent in C compatibility would look like.
> others all refer to nonexistent “STL streams”.
What's your point, that iostream is part of the standard C++ lib and not the STL stricto sensu?
> It wouldn’t surprise me at all if it outlawed operator overloading, for example.
Even in standard libraries?
> What’s your point, that iostream is part of the standard C++ lib and not the STL stricto sensu?
Yeah. It pretty much has nothing in common with the STL. Its interface is full of inheritance, which the STL shuns. It needs funky adaptors to give it an interface the STL can cope with. It was around for at least ten years before the STL was written. Ten years! That's probably longer than your entire programming career.
the standard C++ lib is a significantly different beast from the STL in my experience.
I don't agree that it is a useless bloated wrapper around FILE* operations (or other C operations for that matter). The streams are extremely useful and important because they provide compile-time type-safety for conversions! Woot!
The use of the ',' operator should be banned. It's got its uses but they are far and few between, and lead to unmaintainable code. Similarly, operator overloading has its uses, but also is quickly abused and leads to implementations which are difficult to maintain.
Lint is a big hassle to use, I will agree with that. You have to weigh the benefits–namely, it does help you detect errors–versus the problems. It depends a lot on context. If you're writing code for the airline industry, please use lint! If you're writing an app for a mobile phone, it's really not such a big deal.
> It would be interesting to see what a new “safe” programming language designed without the compromises inherent in C compatibility would look like.
It's called Ada.
@#5:
> The idea of MISRA is very much to define a safer subset of C (and apparently C++). It wouldn’t surprise me at all if it outlawed operator overloading, for example.
FWIW, MISRA C++ 2008 does not outlaw operator overloading in general. It does specifically outlaw overloading of the unary & operator (5-3-3) and the binary && || and comma operators (5-2-11); it also puts [Halting-Problem-level unenforceable] constraints on the semantics of overloaded assignment operators (5-17-1). Please, never start your point by assuming that MISRA isn't written by a bunch of stupidheads, because if you assume that, you're building your entire argument on sand.
@#8: printf() itself is type-safe if your compiler type-checks the format string. This is done by default in GNU GCC and in any commercial compiler based on the EDG front-end. So type-safety is a boogeyman here. My biggest complaint is that C++ streams are stateful; the behavior of e.g. (std::cout << x) depends not just on the static type of x; not just on the *dynamic* type of x at runtime [due to inheritance]; but on the things which have been output to that iostream in the past [e.g., std::hex]. I could also bitch about trying to mix wide character output with "narrow" character output, but C streams have about as many problems with wchars as C++ iostreams, so that part wouldn't be fair.
@#8: You'll be glad to know that MISRA C++ does ban the comma operator outright (5-18-1). This is *in addition* to forbidding operator overloading on it.
Darren: Ada is not "safe" in the same way as MISRA C. SPARK may be what you're thinking of; it's a set of constraints on Ada analogous to the constraints MISRA puts on C. Ada is what caused the Ariane 5 catastrophe.
Anonymoose: Thank you for the additional information about operator overloading. I did not make any claim about the stupidheadness of the authors of the spec, either positive or negative.
Sitaker: IMO Ada is evidently much safer than C in a lot of ways. As a consequence SPARK and MISRA are two really different beasts.
SPARK provides, among other things, a sublanguage to implement and verify design-by-contract, MISRA-C, IIRC, doesn't.
In the MISRA-C specs the authors themselves advise the use of better-suited languages in place of C/C++, I strongly believe they were considering (SPARK)Ada.
Finally, the Ariane 5 disaster. It's not clear to me how it can be relevant to the discussion, anyway, as far as I know, it was caused by an engineering error. Programmers plugged a 16bit version of a module, used for Ariane 4, within the 32bit shuttle system and disabled the appropriate run-time check. Hence the "boom".
Andy: Yes, Ada omits many of C's pitfalls, but it has some of its own. Thank you for the information about SPARK. I did not know that.
I'm not sure what you're talking about with regard to "a 16-bit version of a module…within the 32bit shuttle system". The proximate cause of the disaster was an uncaught integer overflow exception, thrown by code that didn't need to be running in the first place because nothing was using its output at that point in the flight, and furthermore was using integer variables whose ranges were more appropriate to the lower G-forces in the Ariane 4.
I claim that the failure was caused by Ada in the sense that I know of no implementation of any other language that might be considered in this context (C, C++, assembly, VHDL, Pascal, etc.) that has an integer overflow exception. Instead, in all of these languages, integer overflow silently gives a mathematically absurd result, which would have been a dramatic improvement. Java's checked-exception mechanism (a failed experiment) appears to me to have been a response to Ariane 5.
(The only other language I know of that has an integer overflow exception is old versions of Python, which presumably means that ABC did the same thing.)
niczar: while you are correct on much of what you say, the way you say it leaves much to be desired.
MISRA bans bitwise ops on signed integers because bitwise ops on signed integers are implementation dependent in C/C++. The notable case is what happens when you >> a negative number. Popular implementation choices are logical shift (zero-fill) and arithmetic shift (value divides by a power of 2). Later languages added the >>> operator to make the choice programmer explicit.
You mention "Are we to add parenthesis to 1+2+3?". Floating point math is not associative. Any "idiot" who has taken a scientific computing class, undergrad or grad, knows that (A+B)+C is not the same as A+(B+C).
Having been an advocate of Embedded C++ at several previous positions, I was hoping for a lot more than what MISRA C++ 2008 delivered. It was too thin, and the recommendations missed way too much.
For example, the ban on C++ exceptions without further guidance (like how to do a two-phase init correctly) left much to be desired. Not giving guidance on OO anti-patterns was another. I seem to recall it missing the rule-of-thumb to "make non-leaf classes abstract", which is precisely the thing a high-safety/high-security standard should be mentioning.
At a minimum, MISRA C++ should have been a super-set of Scott Meyer's 3 books. It should have had additional gems from Sutter and Stroustrup. It sadly, did not.
What almost everyone misses when talking about MISRA is that it is a coding standards PROCESS, not (just) a collection of style rules. Dev teams are free to pick and choose and modify which style rules they follow. They just have to follow the process defined by MISRA to justify/document their deviations from the standard ones.
The MISRA standard document is mostly a collection of style rules, with a small preamble telling how you could deviate from rules (presumably since otherwise its acceptance would be largely impossible) and strongly advising you not to.
Have you advocated for Embedded C++ as a part of a committee working on its definition, or as a developer or manager inside an organization which you wanted to adopt that standard?
Please let me know if you're looking for a author for your blog.
You have some really good posts and I believe
I would be a good asset. If you ever want to take some of
the load off, I'd really like to write some material for your
blog in exchange for a link back to mine. Please shoot me an e-mail if interested.
Kudos!
Quality articles is the important to interest the people to visit the site, that's what this site is providing.
Thanks for sharing your thoughts. I truly appreciate
your efforts and I am waiting for your further post thank you once again.
Hello there! Do you know if they make any plugins to safeguard against hackers?
I'm kinda paranoid about losing everything
I've worked hard on. Any tips?
Hi there very cool website!! Guy .. Beautiful .. Superb ..
I'll bookmark your site and take the feeds additionally?
I'm glad to seek out numerous helpful info here in the post,
we need work out more strategies in this regard, thank you for sharing.
. . . . .
I am not rattling great with English but I get hold this really easygoing to read .
5/15/2019 @ 9:34:36 PM In my estimation, yosefk.com does a good job of dealing with subjects of this sort. While frequently intentionally contentious, the information is generally well-written and stimulating.
Respect to website author , some wonderful entropy.
I’m impressed, I have to admit. Genuinely rarely should i encounter a weblog that’s both educative and entertaining, and let me tell you, you may have hit the nail about the head. Your idea is outstanding; the problem is an element that insufficient persons are speaking intelligently about. I am delighted we came across this during my look for something with this.
I work for the The Harvardwriters.com and I don’t agree with Barb Nefer who says “A writer isn’t going to get very far if she’s
crushed by rejection slips or intimidated by everyone else out there who might be a better writer.”
Intresting, will come back here once in a while.
I love reading through and I believe this website got some genuinely utilitarian stuff on it! .
I am not rattling great with English but I get hold this really easygoing to read .
I must say got into this web. I found it to be interesting and loaded with unique points of view.
Very interesting points you have remarked, appreciate it for putting up.
This is cool!
Excellent read, Positive site, where did u come up with the information on this posting.really awesome guys.
Visit me here just click it.
I conceive this web site holds some real superb information for everyone : D.
Cheers, great stuff, I like.
Hey would you mind stating which blog platform you're using?
I'm looking to start my own blog soon but I'm having a tough time
making a decision between BlogEngine/Wordpress/B2evolution and
Drupal. The reason I ask is because your layout seems different then most blogs
and I'm looking for something unique. P.S Sorry for being off-topic but I had to ask!
I like this site because so much useful stuff on here : D.
I must say, as a lot as I enjoyed reading what you had to say, I couldnt help but lose interest after a while.
Yeah bookmaking this wasn’t a risky decision outstanding post! .
This is awesome!
I’m impressed, I have to admit. Genuinely rarely should i encounter a weblog that’s both educative and entertaining, and let me tell you, you may have hit the nail about the head. Your idea is outstanding; the problem is an element that insufficient persons are speaking intelligently about. I am delighted we came across this during my look for something with this.
Respect to website author , some wonderful entropy.
Yeah bookmaking this wasn’t a risky decision outstanding post! .
very Great post, i actually like this web site, carry on it
I have interest in this, thanks.
Yeah bookmaking this wasn’t a risky decision outstanding post! .
Great, google took me stright here. thanks btw for post. Cheers!
Hey, yahoo lead me here, keep up great work.
Yes! Finally something about gamefly free trial.
I like this page, useful stuff on here : D.
Your site has proven useful to me.
Yeah bookmaking this wasn’t a risky decision outstanding post! .
Hi there, I discovered your site by means of Google even as searching for a comparable topic, your website got here up, it seems
to be good. I have bookmarked it in my google bookmarks.
Hi there, just became aware of your blog through Google, and found that it is really informative.
I am gonna watch out for brussels. I will appreciate in the event you continue this in future.
Numerous folks might be benefited from your writing.
Cheers!
I dugg some of you post as I thought they were very beneficial invaluable
Your site has proven useful to me.
very Great post, i actually like this web site, carry on it
I am glad to be one of the visitors on this great website (:, appreciate it for posting .
Do you have any video of that? I'd love to find out some
additional information.
Appreciate it for this howling post, I am glad I observed this internet site on yahoo.
I visited multiple websites however the audio feature for audio songs existing at this website is really marvelous.
I am not rattling great with English but I get hold this really easygoing to read .
I consider something really special in this site.
Have you ever considered about including a little bit more than just your articles?
I mean, what you say is important and all. However think of if you added some great pictures or videos to give
your posts more, "pop"! Your content is excellent but with pics and
videos, this blog could definitely be one of the very best in its niche.
Excellent blog!
Enjoyed reading through this, very good stuff, thankyou .
Good Day, happy that i found on this in google. Thanks!
Great, yahoo took me stright here. thanks btw for this. Cheers!
Wow, superb blog layout! How long have you been blogging for?
you made blogging look easy. The overall look of your site is magnificent, as
well as the content!
I wanted to thank you for this very good read!!
I certainly enjoyed every little bit of it. I've got you saved as
a favorite to look at new stuff you post…
This is a topic that is close to my heart…
Many thanks! Where are your contact details though?
You made some good points there. I checked on the web for more information about the issue and found
most individuals will go along with your views on this web
site.
It's actually a great and useful piece of info. I am glad that you just shared this useful information with us.
Please stay us informed like this. Thank you
for sharing.
Wow, this piece of writing is fastidious, my sister is analyzing such
things, thus I am going to let know her.
I am actually thankful to the holder of this web site who has shared this fantastic post at here.
It is the best time to make some plans for the future and it is time to be happy.
I've read this post and if I could I desire
to suggest you few interesting things or advice. Perhaps you
can write next articles referring to this article. I wish
to read even more things about it!
This is my first time go to see at here and i am really happy
to read all at alone place.
I believe everything posted made a bunch of sense. However,
consider this, what if you composed a catchier post title?
I ain't saying your content is not solid, but what if you added
a title that makes people desire more? I mean Coding standards: having more errors in code
than code is a little plain. You might glance at Yahoo's front
page and see how they create news titles to get viewers
to click. You might add a related video or a related pic or two to get readers excited about what
you've written. In my opinion, it might make your website a little bit more interesting.
You got yourself a new rader.
google bring me here. Cheers!
Deference to op , some superb selective information .
I like this site because so much useful stuff on here : D.
Excellent blog here! Also your website loads up fast!
What host are you using? Can I get your affiliate link to your host?
I wish my web site loaded up as fast as yours lol
I am not rattling great with English but I get hold this really easygoing to read .
I like this site because so much useful stuff on here : D.
very nice post, i actually like this web site, carry on it
Thanks again for the blog post.Thanks Again. Cool.
Me like, will read more. Cheers!
I was looking at some of your articles on this site and I believe this internet site is really instructive! Keep on posting .
Good Morning, bing lead me here, keep up great work.
very Great post, i actually like this web site, carry on it
Yeah bookmaking this wasn’t a risky decision outstanding post! .
I am glad to be one of the visitors on this great website (:, appreciate it for posting .
Thank You for this.
Some truly great stuff on this web site , appreciate it for contribution.
Thank You for this.
I consider something really special in this site.
Great article to check out, glad that bing led me here, Keep Up great job
Parasite backlink SEO works well :)
This is cool!
Good Day, glad that i found on this in yahoo. Thanks!
Respect to website author , some wonderful entropy.
Me enjoying, will read more. Thanks!
Very interesting points you have remarked, appreciate it for putting up.
I love reading through and I believe this website got some genuinely utilitarian stuff on it! .
Enjoyed examining this, very good stuff, thanks .
Hey I am so grateful I found your blog, I really found you by mistake, while
I was looking on Bing for something else, Nonetheless I am here now and
would just like to say kudos for a remarkable post and a all round interesting blog (I also love the
theme/design), I don't have time to read it all at the minute but I
have bookmarked it and also included your RSS feeds, so when I
have time I will be back to read much more, Please do
keep up the fantastic work.
very interesting post, i actually like this web site, carry on it
What i do not realize is if truth be told how you're
not actually much more neatly-liked than you might be now. You are so intelligent.
You understand therefore significantly with
regards to this subject, produced me in my view
believe it from so many various angles. Its like women and men don't seem to be interested
unless it's one thing to do with Girl gaga! Your own stuffs great.
Always take care of it up!
great advice you give
You really make it appear really easy with your presentation but I find this matter to be really something that I think I
would never understand. It sort of feels too complex and extremely wide for me.
I am having a look forward on your next put up, I'll attempt to get the cling of it!
May I simply just say what a comfort to discover someone who really
understands what they're discussing on the internet.
You actually realize how to bring a problem to light and make
it important. A lot more people have to read this and
understand this side of the story. I was
surprised you're not more popular because you surely possess the
gift.
Hello there! Quick question that's completely off topic.
Do you know how to make your site mobile friendly? My web site looks
weird when browsing from my iphone. I'm trying to find a theme or plugin that might be able to resolve this problem.
If you have any recommendations, please share. Thank you!
Hi there! I just wanted to ask if you ever have any problems
with hackers? My last blog (wordpress) was hacked and I
ended up losing months of hard work due to no back up.
Do you have any methods to prevent hackers?
Aw, this was a really nice post. Finding the time
and actual effort to make a very good article… but what can I say… I hesitate a lot and
don't seem to get anything done.
Enjoyed examining this, very good stuff, thanks .
It's remarkable to go to see this web site and reading the views of all mates about this article, while
I am also keen of getting experience. pof natalielise
I do not even know the way I ended up here, however I assumed this publish used to be
great. I don't recognize who you're but certainly you are going to a well-known blogger in the event you are not already.
Cheers!
This does interest me
Hi there Dear, are you actually visiting this web site regularly, if so then you will without doubt get good experience.
I conceive this web site holds some real superb information for everyone : D.
Spot on with this write-up, I actually believe this site
needs a lot more attention. I'll probably be returning to see more, thanks for the advice!
stays on topic and states valid points. Thank you.
Hello! I know this is somewhat off topic but I was wondering which blog platform are you using
for this site? I'm getting sick and tired of WordPress because I've had
issues with hackers and I'm looking at alternatives for another platform.
I would be awesome if you could point me in the direction of a good platform.
Hello excellent website! Does running a blog such as this take a massive amount work?
I've very little expertise in computer programming however I had been hoping
to start my own blog in the near future. Anyhow, if you have
any recommendations or techniques for new blog owners please
share. I know this is off subject nevertheless I just needed to
ask. Many thanks! natalielise plenty of fish
Intresting, will come back here more often.
Awesome issues here. I am very happy to look your article. Thank
you so much and I’m having a look forward to touch you.
Will you kindly drop me a mail?