MISRA C makes SW "robust" against compiler failures


andream
Posts: 10
Joined: Tue Apr 23, 2013 9:59 am
Company: INTECS

MISRA C makes SW "robust" against compiler failures

Postby andream » Wed Dec 05, 2018 5:04 pm

As known, EN 50128:2011 standard asks for evidence that a tool failure might not impact the software safety. In particular, emphasis is placed upon tools that might generate outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system. Therefore compilers are the first to be assessed in this respect. In case of C language, regardless if certain evidence is available of a compiler full conformance with ISO/IEC 9899:1999 (C99) standard, I was wondering if, at least based on gathered experience, the source code full compliance with MISRA C:2012 makes the source code itself more "robust" against possible residual failures of the compiler. In other words, if it can be said that upon fully complying with MISRA C:2012, the largest part of current compilers does not exhibit failures.

dg1980
Posts: 107
Joined: Wed Apr 27, 2016 2:33 pm
Company: Elektrobit Automotive GmbH

Re: MISRA C makes SW "robust" against compiler failures

Postby dg1980 » Wed Dec 05, 2018 6:52 pm

This could get interesting - I assume that is the same as tool qualification in ISO 26262 (e.g. https://www.jnovel.co.jp/en/service/compiler/iso26262.html)?

Anyway, I personally divide MISRA rules into three big categories:
  • Purely about code style (e.g. writing 1U instead of 1u, using unique identifiers, etc.)
  • Purely about avoiding implementation-defined behavior (e.g. size of an integer)
  • Purely about avoiding undefined behavior (e.g. casting away const)
While the last two items greatly increase portability and safety of the code, they do not protect you in any way from a buggy optimizer in your compiler which in turn messes up your binary (after all, a compiler is just another piece of software and software has bugs).
So, based on my experience I would answer your question about robustness against compiler failures with no, but I am very much interested in other people's opinions on this subject.

Francois
Posts: 9
Joined: Thu Jul 13, 2017 2:22 pm
Company: TE CONNECTIVITY

Re: MISRA C makes SW "robust" against compiler failures

Postby Francois » Thu Dec 06, 2018 8:12 am

Hi all.
In a previous ASIL D experiment, we reinforced the MISRA rules to make explicit all that can be generated implicitly.
In other words: Don't let the compiler behave alone.

A simple example: a computation inside a test:

Code:

 if (((Var >> 3) & 1) == 0)

Generated code can/will use a temporary RAM register to store the computation result and use it in the test.
Instead of letting the compiler behave like this, we had to create a local variable to perform the computations.
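The rewrite described in the post above, as an added illustration that is not Francois's code: the one-line test is shown beside a form where every intermediate step is a named local, and a constructed check confirms the two agree. `Var` is assumed to be a `uint32_t`; the helper names are made up for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Form as posted in the thread: the compound expression is evaluated
 * inside the condition, so the intermediate result exists only in
 * whatever temporary the compiler chooses to use. */
static bool bit3_clear_implicit(uint32_t var)
{
    return (((var >> 3) & 1) == 0);
}

/* Form described in the post: each step is stored in a named local
 * (with unsigned literals, as MISRA C:2012's essential-type rules expect),
 * so every intermediate value is explicit in the source and observable
 * in a debugger, a unit test or a review of the generated code. */
static bool bit3_clear_explicit(uint32_t var)
{
    uint32_t shifted = var >> 3U;     /* step 1: move bit 3 down to bit 0 */
    uint32_t bit3    = shifted & 1U;  /* step 2: mask off all other bits  */
    bool     clear   = (bit3 == 0U);  /* step 3: the actual test          */
    return clear;
}

/* Constructed check (sample values invented for this example): both forms
 * must agree on bit 3 regardless of the other bits. Returns the number of
 * inputs on which they disagree, which should be 0. */
static unsigned int count_mismatches(void)
{
    static const uint32_t samples[] = {
        0x0U, 0x8U, 0x7U, 0xFU, 0xFFFFFFF7U, 0xFFFFFFFFU
    };
    unsigned int mismatches = 0U;
    for (size_t i = 0U; i < (sizeof samples / sizeof samples[0]); i++) {
        if (bit3_clear_implicit(samples[i]) != bit3_clear_explicit(samples[i])) {
            mismatches++;
        }
    }
    return mismatches;
}
```

The explicit form does not change what the compiler is allowed to do with the temporary, but it gives the reviewer a named value to compare against the generated code.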

