| 1.1 | All code shall conform to ISO/IEC 9899:1990 C programming language, ISO 9899, amended and corrected by ISO/IEC 9899/COR1:1995, ISO/IEC 9899/AMD1:1995, and ISO/IEC 9899/COR2:1996 | Required | No | |
| 1.2 | No reliance shall be placed on undefined or unspecified behaviour. | Required | No | |
| 1.3 | Multiple compilers and/or languages shall only be used if there is a common defined interface standard for object code to which the languages/compilers/assemblers conform. | Required | No | |
| 1.4 | The compiler/linker shall be checked to ensure that 31 character significance and case sensitivity are supported for external identifiers. | Required | No | |
| 1.5 | Floating-point implementations should comply with a defined floating-point standard. | Advisory | No | |
| 2.1 | Assembly language shall be encapsulated and isolated. | Required | Yes | MISRA.ASM.ENCAPS |
| 2.2 | Source code shall only use C-style comments. | Required | Yes | MISRA.TOKEN.CPCOM |
| 2.3 | The character sequence /* shall not be used within a comment. | Required | Yes | MISRA.TOKEN.BADCOM |
| 2.4 | Sections of code should not be 'commented out'. | Advisory | Yes | MISRA.TOKEN.COMMENTED.CODE |
| 3.1 | All usage of implementation-defined behaviour shall be documented. | Required | No | |
| 3.2 | The character set and the corresponding encoding shall be documented. | Required | No | |
| 3.3 | The implementation of integer division in the chosen compiler should be determined, documented and taken into account. | Advisory | No | |
| 3.4 | All uses of the #pragma directive shall be documented and explained. | Required | Yes | MISRA.PRAGMA |
| 3.5 | If it is being relied upon, the implementation-defined behaviour and packing of bitfields shall be documented. | Required | No | |
| 3.6 | All libraries used in production code shall be written to comply with the provisions of this document, and shall have been subject to appropriate validation. | Required | No | |
| 4.1 | Only those escape sequences that are defined in the ISO C standard shall be used. | Required | Yes | MISRA.TOKEN.WRONGESC.C.2004 |
| 4.2 | Trigraphs shall not be used. | Required | Yes | MISRA.CHAR.TRIGRAPH |
| 5.1 | Identifiers (internal and external) shall not rely on the significance of more than 31 characters. | Required | Yes | MISRA.DEFINE.LONGNAME, MISRA.IDENT.LONG |
| 5.2 | Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that identifier. | Required | Yes | MISRA.VAR.HIDDEN |
| 5.3 | A typedef name shall be a unique identifier. | Required | Yes | MISRA.TYPEDEF.NOT_UNIQUE |
| 5.4 | A tag name shall be a unique identifier. | Required | Yes | MISRA.CT.UNIQUE.ID |
| 5.5 | No object or function identifier with static storage duration should be reused. | Advisory | Yes | MISRA.VAR.UNIQUE.STATIC |
| 5.6 | No identifier in one name space should have the same spelling as an identifier in another name space, with the exception of structure member and union member names. | Advisory | Yes | MISRA.TYPE.NAMECLASH.C.2004 |
| 5.7 | No identifier name should be reused. | Advisory | Yes | MISRA.VAR.UNIQUE |
| 6.1 | The plain char type shall be used only for the storage and use of character values. | Required | Yes | MISRA.CHAR.NOT_CHARACTER |
| 6.2 | Signed and unsigned char type shall be used only for the storage and use of numeric values. | Required | Yes | MISRA.SIGNED_CHAR.NOT_NUMERIC |
| 6.3 | Typedefs that indicate size and signedness should be used in place of the basic numerical types. | Advisory | Yes | MISRA.BUILTIN_NUMERIC |
| 6.4 | Bit fields shall only be defined to be of type unsigned int or signed int. | Required | Yes | MISRA.BITFIELD.TYPE |
| 6.5 | Bit fields of signed type shall be at least 2 bits long. | Required | Yes | MISRA.BITFIELD.SIGNED, MISRA.BITFIELD.SIGNED.UNNAMED |
| 7.1 | Octal constants (other than zero) and octal escape sequences shall not be used. | Required | Yes | MISRA.TOKEN.OCTAL.ESCAPE, MISRA.TOKEN.OCTAL.INT |
| 8.1 | Functions shall have prototype declarations and the prototype shall be visible at both the function definition and call. | Required | Yes | MISRA.FUNC.NOPROT.CALL, MISRA.FUNC.NOPROT.DEF |
| 8.2 | Whenever an object or function is declared or defined, its type shall be explicitly stated. | Required | Yes | MISRA.DECL.NO_TYPE |
| 8.3 | For each function parameter the type given in the declaration and definition shall be identical, and the return types shall also be identical. | Required | Yes | MISRA.OBJ.TYPE.IDENT |
| 8.4 | If objects or functions are declared more than once their types shall be compatible. | Required | Yes | MISRA.OBJ.TYPE.COMPAT |
| 8.5 | There shall be no definitions of objects or functions in a header file. | Required | Yes | MISRA.ONEDEFRULE.FUNC, MISRA.ONEDEFRULE.VAR |
| 8.6 | Functions shall be declared at file scope. | Required | Yes | MISRA.DECL.FUNC_LOCAL |
| 8.7 | Objects shall be defined at block scope if they are only accessed from within a single function | Required | Yes | MISRA.VAR.MIN.VIS |
| 8.8 | An external object or function shall be declared in one and only one file. | Required | Yes | MISRA.DECL.EXTERNAL.MULTIPLE |
| 8.9 | An identifier with external linkage shall have exactly one external definition. | Required | Yes | MISRA.DEFINE.EXTERNAL.MULTIPLE |
| 8.10 | All declarations and definitions of objects or functions at file scope shall have internal linkage unless external linkage is required. | Required | No | |
| 8.11 | The static storage class specifier shall be used in definitions and declarations of objects and functions that have internal linkage. | Required | Yes | MISRA.FUNC.STATIC.REDECL |
| 8.12 | When an array is declared with external linkage, its size shall be stated explicitly or defined implicitly by initialisation. | Required | Yes | MISRA.DECL.ARRAY_SIZE |
| 9.1 | All automatic variables shall have been assigned a value before being used. | Required | Yes | UNINIT.STACK.ARRAY.MIGHT, UNINIT.STACK.ARRAY.MUST, UNINIT.STACK.ARRAY.PARTIAL.MUST, UNINIT.STACK.MIGHT, UNINIT.STACK.MUST |
| 9.2 | Braces shall be used to indicate and match the structure in the non-zero initialisation of arrays and structures. | Required | Yes | MISRA.INIT.BRACES |
| 9.3 | In an enumerator list, the '=' construct shall not be used to explicitly initialise members other than the first, unless all items are explicitly initialised. | Required | Yes | MISRA.ENUM.INIT |
| 10.1 | The value of an expression of integer type shall not be implicitly converted to a different underlying type if: a) it is not a conversion to a wider integer type of the same signedness, or b) expression is complex, or c) the expression is not constant and is a function argument, or d) the expression is not constant and is a return expression | Required | Yes | MISRA.CVALUE.IMPL.CAST |
| 10.2 | The value of an expression of floating type shall not be implicitly converted to a different type if: a) it is not a conversion to a wider floating type, or b) the expression is complex, or c) the expression is a function argument, or d) the expression is a return expression | Required | Yes | MISRA.CVALUE.IMPL.CAST |
| 10.3 | The value of a complex expression of integer type shall only be cast to a type of the same signedness that is no wider than the underlying type of the expression. | Required | Yes | MISRA.CAST.INT |
| 10.4 | The value of a complex expression of floating type shall only be cast to a floating type that is narrower or of the same size. | Required | Yes | MISRA.CAST.FLOAT |
| 10.5 | If the bitwise operators ~ and << are applied to an operand of underlying type unsigned char or unsigned short, the result shall be immediately cast to the underlying type of the operand. | Required | Yes | MISRA.CAST.UNSIGNED_BITS |
| 10.6 | A "U" suffix shall be applied to all constants of unsigned type. | Required | Yes | MISRA.LITERAL.UNSIGNED.SUFFIX |
| 11.1 | Conversions shall not be performed between a pointer to a function and any type other than an integral type. | Required | Yes | MISRA.CAST.FUNC_PTR |
| 11.2 | Conversions shall not be performed between a pointer to object and any type other than an integral type, another pointer to object type or a pointer to void. | Required | Yes | MISRA.CAST.PTR.UNRELATED |
| 11.3 | A cast should not be performed between a pointer type and an integral type. | Advisory | Yes | MISRA.CAST.PTR_TO_INT |
| 11.4 | A cast should not be performed between a pointer to object type and a different pointer to object type. | Advisory | Yes | MISRA.CAST.PTR |
| 11.5 | A cast shall not be performed that removes any const or volatile qualification from the type addressed by a pointer. | Required | Yes | MISRA.CAST.CONST |
| 12.1 | Limited dependence should be placed on C's operator precedence rules in expressions. | Advisory | Yes | MISRA.EXPR.PARENS.INSUFFICIENT, MISRA.EXPR.PARENS.REDUNDANT |
| 12.2 | The value of an expression shall be the same under any order of evaluation that the standard permits. | Required | Yes | PORTING.VAR.EFFECTS |
| 12.3 | The sizeof operator shall not be used on expressions that contain side effects. | Required | Yes | MISRA.SIZEOF.SIDE_EFFECT |
| 12.4 | The right hand operand of a logical && or \|\| operator shall not contain side effects. | Required | Yes | MISRA.LOGIC.SIDEEFF, MISRA.LOGIC.SIDEEFF.COND |
| 12.5 | The operands of a logical && or \|\| shall be primary-expressions. | Required | Yes | MISRA.LOGIC.PRIMARY |
| 12.6 | The operands of logical operators (&&, \|\| and !) should be effectively Boolean. Expressions that are effectively Boolean should not be used as operands to operators other than (&&, \|\|, !, =, ==, != and ?:). | Advisory | Yes | MISRA.LOGIC.OPERAND.NOT_BOOL, MISRA.LOGIC.OPERATOR.NOT_BOOL |
| 12.7 | Bitwise operators shall not be applied to operands whose underlying type is signed. | Required | Yes | MISRA.BITS.NOT_UNSIGNED, MISRA.BITS.NOT_UNSIGNED.PREP |
| 12.8 | The right hand operand of a shift operator shall lie between zero and one less than the width in bits of the underlying type of the left hand operand. | Required | Yes | MISRA.SHIFT.RANGE |
| 12.9 | The unary minus operator shall not be applied to an expression whose underlying type is unsigned. | Required | Yes | MISRA.UMINUS.UNSIGNED |
| 12.10 | The comma operator shall not be used. | Required | Yes | MISRA.COMMA |
| 12.11 | Evaluation of constant unsigned integer expressions should not lead to wrap-around. | Advisory | Yes | MISRA.COMP.WRAPAROUND, MISRA.ELIF.WRAPAROUND, MISRA.IF.WRAPAROUND, NUM.OVERFLOW.DF |
| 12.12 | The underlying bit representations of floating-point values shall not be used. | Required | Yes | MISRA.FLOAT.BIT.REPR |
| 12.13 | The increment (++) and decrement (--) operators should not be mixed with other operators in an expression | Advisory | Yes | MISRA.INCR_DECR.OTHER |
| 13.1 | Assignment operators shall not be used in expressions that yield a Boolean value. | Required | Yes | MISRA.ASSIGN.COND |
| 13.2 | Tests of a value against zero should be made explicit, unless the operand is effectively Boolean | Advisory | Yes | MISRA.ZERO_EQ.IMPLICIT |
| 13.3 | Floating-point expressions shall not be tested for equality or inequality. | Required | Yes | MISRA.FLOAT_EQUAL |
| 13.4 | The controlling expression of a for statement shall not contain any objects of floating type. | Required | Yes | MISRA.FOR.COND.FLT |
| 13.5 | The three expressions of a for statement shall be concerned only with loop control. | Required | Yes | MISRA.FOR.COND, MISRA.FOR.INCR.CHANGE |
| 13.6 | Numeric variables being used within a for loop for iteration counting shall not be modified in the body of the loop. | Required | Yes | MISRA.FOR.STMT.CHANGE |
| 13.7 | Boolean operations whose results are invariant shall not be permitted. | Required | Yes | INVARIANT_CONDITION.GEN, INVARIANT_CONDITION.UNREACH |
| 14.1 | There shall be no unreachable code. | Advisory | Yes | UNREACH.ENUM, UNREACH.GEN, UNREACH.RETURN |
| 14.2 | All non-null statements shall either (i) have at least one side effect however executed, or (ii) cause control flow to change. | Required | Yes | MISRA.STMT.NO_EFFECT |
| 14.3 | Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that the first character following the null statement is a white-space character. | Required | Yes | MISRA.NULL.STMT |
| 14.4 | The goto statement shall not be used. | Required | Yes | MISRA.GOTO |
| 14.5 | The continue statement shall not be used. | Required | Yes | MISRA.CONTINUE |
| 14.6 | For any iteration statement there shall be at most one break statement used for loop termination. | Required | Yes | MISRA.ITER.ONETERM |
| 14.7 | A function shall have a single point of exit at the end of the function. | Required | Yes | MISRA.RETURN.NOT_LAST |
| 14.8 | The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement | Required | Yes | MISRA.STMT.NO_COMPOUND |
| 14.9 | An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a compound statement, or another if statement | Required | Yes | MISRA.IF.NO_COMPOUND |
| 14.10 | All if ... else if constructs shall be terminated with an else clause. | Required | Yes | MISRA.IF.NO_ELSE |
| 15 | The MISRA C switch syntax shall be used. | Required | No | |
| 15.1 | A switch label shall only be used when the most closely-enclosing compound statement is the body of a switch statement. | Required | Yes | MISRA.SWITCH.LABEL |
| 15.2 | An unconditional break statement shall terminate every non-empty switch clause. | Required | Yes | MISRA.SWITCH.NO_BREAK |
| 15.3 | The final clause of a switch statement shall be the default clause. | Required | Yes | MISRA.SWITCH.NODEFAULT |
| 15.4 | A switch expression shall not represent a value that is effectively Boolean. | Required | Yes | MISRA.SWITCH.BOOL |
| 15.5 | Every switch statement shall have at least one case clause. | Required | Yes | MISRA.SWITCH.NO_CASE |
| 16.1 | Functions shall not be defined with a variable number of arguments. | Required | Yes | MISRA.FUNC.VARARG |
| 16.2 | Functions shall not call themselves, either directly or indirectly. | Required | Yes | MISRA.FUNC.RECUR |
| 16.3 | Identifiers shall be given for all of the parameters in a function prototype declaration. | Required | Yes | MISRA.FUNC.UNNAMED.PARAMS |
| 16.4 | The identifiers used in the declaration and definition of a function shall be identical. | Required | Yes | MISRA.FUNC.PARAMS.IDENT |
| 16.5 | Functions with no parameters shall be declared and defined with the parameter list void. | Required | Yes | MISRA.FUNC.NO_PARAMS |
| 16.6 | The number of arguments passed to a function shall match the number of parameters. | Required | Yes | MISRA.FUNC.UNMATCHED.PARAMS |
| 16.7 | A pointer parameter in a function prototype should be declared as pointer to const if the pointer is not used to modify the addressed object. | Advisory | Yes | MISRA.PPARAM.NEEDS.CONST |
| 16.8 | All exit paths from a function with non-void return type shall have an explicit return statement with an expression | Required | Yes | FUNCRET.GEN, FUNCRET.IMPLICIT |
| 16.9 | A function identifier shall only be used with either a preceding &, or with a parenthesised parameter list, which may be empty | Required | Yes | MISRA.FUNC.ADDR |
| 16.10 | If a function returns error information, then that error information shall be tested | Required | Yes | SV.RVT.RETVAL_NOTTESTED |
| 17.1 | Pointer arithmetic shall only be applied to pointers that address an array or array element | Required | Yes | MISRA.PTR.ARITH |
| 17.2 | Pointer subtraction shall only be applied to pointers that address elements of the same array. | Required | Yes | MISRA.PTR.SUB, MISRA.PTR.SUB.OBJECT |
| 17.3 | >, >=, <, <= shall not be applied to pointer types except where they point to the same array. | Required | Yes | MISRA.PTR.CMP.2008, MISRA.PTR.CMP.OBJECT.2008 |
| 17.4 | Array indexing shall be the only allowed form of pointer arithmetic. | Required | Yes | MISRA.PTR.ARITH |
| 17.5 | The declaration of objects should contain no more than 2 levels of pointer indirection. | Advisory | Yes | MISRA.PTR.TO_PTR_TO_PTR |
| 17.6 | The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist. | Required | Yes | LOCRET.ARG, LOCRET.GLOB, LOCRET.RET |
| 18.1 | All structure and union types shall be complete at the end of a translation unit. | Required | Yes | MISRA.INCOMPLETE.STRUCT, MISRA.INCOMPLETE.STRUCT.UNNAMED, MISRA.INCOMPLETE.UNION, MISRA.INCOMPLETE.UNION.UNNAMED |
| 18.2 | An object shall not be assigned to an overlapping object. | Required | Yes | MISRA.ASSIGN.OVERLAP |
| 18.3 | An area of memory shall not be reused for unrelated purposes. | Required | No | |
| 18.4 | Unions shall not be used. | Required | Yes | MISRA.UNION |
| 19.1 | #include statements in a file should only be preceded by other preprocessor directives or comments. | Advisory | Yes | MISRA.INCL.INSIDE |
| 19.2 | Non-standard characters should not occur in header file names in #include directives. | Advisory | Yes | MISRA.INCL.SYMS |
| 19.3 | The #include directive shall be followed by either a <filename> or "filename" sequence. | Required | Yes | MISRA.INCL.BAD |
| 19.4 | C macros shall only expand to a braced initialiser, a constant, a string literal, a parenthesised expression, a type qualifier, a storage class specifier, or a do-while-zero construct. | Required | Yes | MISRA.DEFINE.BADEXP |
| 19.5 | Macros shall not be #define'd or #undef'd within a block. | Required | Yes | MISRA.DEFINE.NOTGLOBAL, MISRA.UNDEF.NOTGLOBAL |
| 19.6 | #undef shall not be used. | Required | Yes | MISRA.UNDEF |
| 19.7 | A function should be used in preference to a function-like macro. | Advisory | Yes | MISRA.DEFINE.FUNC |
| 19.8 | A function-like macro shall not be invoked without all of its arguments. | Required | Yes | MISRA.EXPANSION.NARGS |
| 19.9 | Arguments to a function-like macro shall not contain tokens that look like preprocessing directives. | Required | Yes | MISRA.EXPANSION.DIRECTIVE |
| 19.10 | In the definition of a function-like macro each instance of a parameter shall be enclosed in parentheses unless it is used as the operand of # or ##. | Required | Yes | MISRA.DEFINE.NOPARS |
| 19.11 | All macro identifiers in preprocessor directives shall be defined before use, except in #ifdef and #ifndef preprocessor directives and the defined() operator. | Required | Yes | MISRA.ELIF.UNDEF, MISRA.IF.UNDEF |
| 19.12 | There shall be at most one occurrence of the # or ## preprocessor operators in a single macro definition. | Required | Yes | MISRA.DEFINE.SHARP.MANY |
| 19.13 | The # and ## preprocessor operators should not be used. | Advisory | Yes | MISRA.DEFINE.SHARP |
| 19.14 | The defined preprocessor operator shall only be used in one of the two standard forms. | Required | Yes | MISRA.ELIF.DEFINED, MISRA.IF.DEFINED |
| 19.15 | Precautions shall be taken in order to prevent the contents of a header file being included twice | Required | Yes | MISRA.INCGUARD |
| 19.16 | Preprocessing directives shall be syntactically meaningful even when excluded by the preprocessor. | Required | No | |
| 19.17 | All #else, #elif and #endif preprocessor directives shall reside in the same file as the #if or #ifdef directive to which they are related. | Required | Yes | MISRA.ELIF.OTHERFILE, MISRA.ELSE.OTHERFILE, MISRA.ENDIF.OTHERFILE |
| 20.1 | Reserved identifiers, macros and functions in the standard library, shall not be defined, redefined or undefined. | Required | Yes | MISRA.DEFINE.WRONGNAME, MISRA.DEFINE.WRONGNAME.UNDERSCORE, MISRA.EXPANSION.UNSAFE, MISRA.INCL.UNSAFE |
| 20.2 | The names of standard library macros, objects and functions shall not be reused. | Required | Yes | MISRA.STDLIB.WRONGNAME, MISRA.STDLIB.WRONGNAME.UNDERSCORE, MISRA.UNDEF.WRONGNAME, MISRA.UNDEF.WRONGNAME.UNDERSCORE |
| 20.3 | The validity of values passed to library functions shall be checked. | Required | No | |
| 20.4 | Dynamic heap memory allocation shall not be used. | Required | Yes | MISRA.STDLIB.MEMORY |
| 20.5 | The error indicator errno shall not be used. | Required | Yes | MISRA.EXPANSION.UNSAFE, MISRA.STDLIB.ERRNO |
| 20.6 | The macro offsetof, in library <stddef.h>, shall not be used. | Required | Yes | MISRA.EXPANSION.UNSAFE |
| 20.7 | The setjmp macro and the longjmp function shall not be used. | Required | Yes | MISRA.EXPANSION.UNSAFE, MISRA.STDLIB.LONGJMP |
| 20.8 | The signal handling facilities of <signal.h> shall not be used. | Required | Yes | MISRA.EXPANSION.UNSAFE, MISRA.INCL.UNSAFE, MISRA.STDLIB.SIGNAL |
| 20.9 | The input/output library <stdio.h> shall not be used in production code. | Required | Yes | MISRA.INCL.UNSAFE, MISRA.STDLIB.STDIO |
| 20.10 | The library functions atof, atoi and atol from library <stdlib.h> shall not be used. | Required | Yes | MISRA.STDLIB.ATOI |
| 20.11 | The library functions abort, exit, getenv and system from library <stdlib.h> shall not be used. | Required | Yes | MISRA.STDLIB.ABORT |
| 20.12 | The time handling functions of library <time.h> shall not be used. | Required | Yes | MISRA.INCL.UNSAFE, MISRA.STDLIB.TIME |
| 21.1 | Minimisation of run-time failures shall be ensured by the use of at least one of (a) static analysis tools/techniques; (b) dynamic analysis tools/techniques; (c) explicit coding of checks to handle run-time faults | Required | No | |