汽车专用软件的C语言编程指南-his_图文

HIS AK SoftwaretestGemeinsames Subset der MISRA C GuidelinesStand:Version:Autor:Verteiler:20.04.20041.0.3Stefan Anderlik, VWAudiBMWDaimlerChryslerPorscheVolkswagenErwin HaunschildDr. Bernhard KaluscheHelmar KuderDr. Rüdiger Dorn, Jesper HanssonStefan AnderlikHIS_SubSet_MISRA_C_© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.S. 1 / 7

Gemeinsames Subset der MISRA C GuidelinesHIS .31.2Abkü32ÜBERSICHT ÜBER DAS VERBINDLICHE REGELSUBSET GEMÄ4HIS_SubSet_MISRA_C_fan Anderlik, VW

Version: 1.0.3S. 2 / 720.04.2004© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.

Gemeinsames Subset der MISRA C GuidelinesHIS AK Softwaretest1Einleitung1.1AllgemeinIm Folgenden werden alle Regeln der

MISRA „Guidelines For The Use Of The C Language In Vehicle Based Software“aufgelistet, die im HIS Arbeitskreis Softwaretest abgestimmt, bei der Neuentwicklung vonSteuergerätesoftware für Kraftfahrzeuge berücksichtigt werden mü gilt, alle Regeln sind grundsätzlich einzuhalten. Abweichungen davon sind nur in äußerstenAusnahmefällen zulässig. Diese sind einzeln und schriftlich zu begründen.1.2HISAbkürzungenHerstellerinitiative Software – ein Gremium bestehend aus folgenden Firmen:

Audi AG,

BMW AG,

DaimlerChrysler AG,

Porsche AG,

Volkswagen AGMISRAMotor Industry Software Reliability Association(„MISRA“ ist ein eingetragenes Wahrenzeichen der MISRA Ltd., gehalten im Namen desMISRA Konsortiums.)1.3QuellenMISRA „Guidelines For The Use Of The C Language In Vehicle Based Software“MISRA Konsortium, April 1998, ISBN 0 9524156 9 01.4HistoryVersionAutor1.0Stefan Anderlik, VW1.0.1Stefan Anderlik, VWÄnderung1. Version des DokumentesUnter dieser Versionsnummer nichtveröffentlichte Version. Es handelt sich um dieV1.0a, die nun in die Versionisierung richtigaufgenommen wurde.

Einzige Änderung in der V1.0a: Es wurde eineCopyright-Info der HIS hinzugefübfehler in der Regel 102. („not“ zuviel!)Anpassung des 09.04.200322.03.200422.03.200420.04.20041.0.21.0.3Stefan Anderlik, VWStefan Anderlik, VWHIS_SubSet_MISRA_C_fan Anderlik, VW

Version: 1.0.3S. 3 / 720.04.2004© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.

Gemeinsames Subset der MISRA C GuidelinesHIS AK Softwaretest2Übersicht über das verbindliche Regelsubset gemäß HISRegel1257891011ErläuterungAll code shall conform to ISO 9899 standard C, with no extensions permittedCode written in languages other then C should only be used if there is a defined interfacestandard for object code to which the compilers/assemblers for both languages conformOnly those characters and escape sequences which are defined in the ISO C standardshall be usedTrigraphs shall not be usedMultibyte characters and wide string literals shall not be usedComments shall not be nestedSections of code should not be commented outIdentifiers (internal and external) shall not rely on significance of more then 31characters. Furthermore the compiler/linker shall be checked to ensure that 31 charactersignificance and case sensitivity are supported for external identifiersThe basic type of char, int, short, long, float and double should not be used, but specific-length equivalents should be typedef'd for the specific compiler, and these type namesused in the codeThe type char shall always be declared as unsigned char or signed charThe underlaying bit representations of floating point numbers shall not be used in anyway by the programmertypdef names shall not be reusedNumeric constants should be suffixed to indicate type, where an appropriate suffix isavailableOctal constants (other thatn zero) shall not be usedAll object and function identifiers shall be declared before useIdentifiers in an inner scope shall not use the same name as an identifier in an outerscope and therefore hide that identifierDeclarations of objects should be at function scope unless a wider scope is necessaryAll declarations at file scope should be static where possibleIdentifiers shall not simultaneously have both internal and external linkage in the sametranslation unitAn identifier with external linkage shall have exactly one external definitionIf objects or functions are declared more then once they shall have compatibledeclarationsExternal objects should not be declared in more then one fileThe use of a tag shall agree with ist declarationAll automatic variables shall have been assigned a value before being usedBraces shall be used to indicate and match the structure in the non-zero initialisation ofarrays and structuresIn an enumerator list, the "=" construct shall not be used to explicitly initialise membersother than the first, unless all items are explicitly initiatsedThe right hand operand of a && or || operator shall not contain side effectsThe operands of a logical && or || shall be primary expressionsAssignment operators shall not be used in expressions which return Boolean valuesLogical operators should not be confused with bitwise operatorsBitwise operations shall not be performed on signed integer typesVersion: 1.0.3S. 4 / 720.04.287HIS_SubSet_MISRA_C_fan Anderlik, VW

© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.

Gemeinsames Subset der MISRA C GuidelinesRegel38394748565758596667686970717273HIS AK SoftwaretestErläuterungThe right hand operand of a shift operator shall lie between zero and one less than thewidth in bits of the lefthand operand (inclusive)The unary minus operator shall not be applied to an unsigned expressionThe sizeof operator should not be used on expressions that contain side effectsThe implementation of integer division in the chosen compiler should be determined,documented and taken into accountThe comma operator shall not be used, except in the control expression of a for loopImplicit conversions which may result in a loss of information shall not be usedType casting from any type to or from pointers shall not be usedThe value of an expression shall be the same under any order of evaluation that thestandard permitsNo dependence should be placed on C's operator procedence rules in expressionsMixed precision arithmetic should use explicit casting to generate the desired resultFloating point variables shall not be tested for exact equality or inequalityEvaluation of constant unsigned integer expressions should not lead to wrap-aroundThere shall be no unreachable codeAll non-null statements shall have a side-effectA null statement shall only occur on a line by itself, and shall not have any other text onthe same lineLabels should not be used, except in switch statementsThe goto statement shall not be usedThe continue statement shall not be usedThe break statement shall not be used (except to terminate the case of a switchstatement)The statements forming the body of an if, else if, else, while, do... while or for statementshall always be enclosed in bracesAll if, else if constructs should contain a final else clauseEvery non-empty case clause in a switch statement shall be terminated with a breakstatementAll switch statements should contain a final default clauseA switch expression should not represent a Boolean valueEvery switch statement shall have at least one caseFloating point variables shall not be used as loop countersOnly expressions concerned with loop control should appear within a for statementNumeric variables being used within a for loop for iteration counting should not bemodified in the body of the loopFunctions shall always be declared at file scopeFunctions with variable numbers of arguments shall not be usedFunctions shall not call themselves, either directly or indirectlyFunctions shall always have prototype declarations and the prototype shall be visible atboth the function definition and callFor each function parameter the type given in the declaration and definition shall beidentical, and the return types shall also be identicalIdentifiers shall either be given for all of the parameters in a function prototypedeclaration, or for noneVersion: 1.0.3S. 5 / 720.04.2004HIS_SubSet_MISRA_C_fan Anderlik, VW

© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.

Gemeinsames Subset der MISRA C GuidelinesRegel747576777879808183HIS AK SoftwaretestErläuterungIf identifiers are given for any of the parameters, then the identifiers used in thedeclaration and definition shall be identicalEvery function shall have an explicit return typeFunctions with no parameters shall be declared with parameter type voidThe unqualified type of parameters passed to a function shall be compatible with theunqualified expected types defined in the funcion prototypeThe number of parameters passed to a function shall match the function prototypeThe values returned by void functions shall not be usedVoid expressions shall not be passed as function parametersconst qualification should be used on function parameters which are passed by reference,where it is intended that the function will not modify the parameterFor functions with non-void return typei, there shall be one return statement for every exit branch (including the end ofprogram)ii, each return shall have an expressioniii, the return expression shall match the declared return typeFor functions with void return type, return statements shall not have an expressionFunctions called with no parameters should have empty parenthesesIf a function returns error information, then that error information should be tested#include statements in a file shall only be preceded by other preprocessor directives orcommentsNon-standard characters shall not occur in header file names in #include directivesThe #include directive shall be followed by either a or "filename" sequence84858687888990C macros shall only be used for symbolic constants, function-like macros, typ qualifiersand storage class specifiers91Macros shall not be #define'd and #undef'd within a block93A function should be used in preference to a function-like macro94A function-like macro shall not be 'called' without all of its arguments95Arguments to a function-like macro shall not contain tokens that look like pre-processingdirectives96In the definition of a function-like macro the whole definition, and each instance of aparameter, shall be enclosed in parantheses97Identifiers in pre-processor directives should be defined before use98There shall be at most one occurance of the # or ## pre-processor operators in a singlemacro definition99All uses of the #pragma directive shall be documented and explained100The defined pre-processor operator shall only be used in one of the two standard forms101Pointer arithmetic should not be used102No more than 2 levels of pointer indirection should be used103Relational operators shall not be applied to pointer types except where both operands areof the same type and point to the same array, structure or union104Non-constant pointers to functions shall not be used105All the functions pointed to by a single pointer to function shall be identical in the numberand type of parameters and the return typeHIS_SubSet_MISRA_C_fan Anderlik, VW

Version: 1.0.3S. 6 / 720.04.2004© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.

Gemeinsames Subset der MISRA C GuidelinesHIS AK SoftwaretestRegelErläuterung106The address of an object with automatic storage shall not be assigned to and objectwhich may persist after the object has ceased to exist107The null pointer shall not be de-referenced108In the specification of a structure or union type, all members of the structure or unionshall be fully specified109Overlapping variable storage shall not be used112Bit fileds of type signed int shall be at least 2 bits long113All the members of a structure (or union) shall be named and shall only be accessed viatheir name114Reserved words and standard libary function names shall not be redefined or undefined115Standard libary function names shall not be reused116All libraries used in production code shall be written to comply with the provisions of thisdocument, and shall have been subject to appropriate validation4125The validity of values passed to library functions shall be checkedDynamic heap memory allocation shall not be usedThe error indicator errno shall not be usedThe macro offsetof, in library shall not be used and the setlocale function shall not be usedThe setjmp macro and the longjmp function shall not be usedThe signal handling facilities of shall not be usedThe inpul/output library shall not be used in production codeThe library functions atof, atoi and atol from library shall not be used126The library functions abort, exit, getenv and system from library shall not beused127The time handling functions of library shall not be usedHIS_SubSet_MISRA_C_fan Anderlik, VW

Version: 1.0.3S. 7 / 720.04.2004© 2004 Volkswagen AGDistribution allowed for all HIS members. Copyright protection enforced.