misra-cpp-2023
October 10, 2023

What You Need to Know About the Next MISRA® Standard: Introduction to MISRA C++:2023®

Coding Standards

MISRA C++:2023® is the widely anticipated next version of the MISRA C++ standard. The new version integrates the AUTOSAR C++ 14 guidelines and support more recent versions of C++.

The MISRA® set of C and C++ coding guidelines are some of the best standards not just for the Automotive industry, but any industry that uses embedded systems. 

To help you prepare for the recent release, we’re kicking off a blog series with an overview of MISRA C++:2023 by our MISRA expert, Dr. Frank van den Beuken, who contributed to the public review.

Read along or jump ahead to the section that interests you most:

Back to top

MISRA C++® Background

The last version of MISRA C++ was first published in 2008. It provides expert guidance for the development of safety-related software written in ISO C++ 2003. This set of guidelines has been widely adopted and compliance has become mandatory in many safety-critical projects. However, since then, the C++ language has changed considerably, with new versions introducing new language features and changing existing ones.

Projects using more recent C++ language versions may not comply with all MISRA C++:2008 rules, and new features may not be covered by them. To provide guidelines for these later versions, AUTOSAR developed new guidance for C++14, based on MISRA C++:2008 but enhanced with rules from other standards. The MISRA C++ Working Group is currently working on an update to MISRA C++ applicable to C++17 based on the AUTOSAR guidelines but encompassing MISRA’s established best practices for safety-related C++ development. 

There is much interest in the new MISRA C++ guidelines. However, as MISRA C++:2008 has been adopted by many projects, there are some concerns regarding the effects of switching to the new guidelines.

Back to top

MISRA C++:2023® Blog Series Preview

In this blog series we will discuss a number of aspects of the new standard.

History of C++ and MISRA C++

We will start with an overview of the history of the C++ programming language from its conception by Bjarne Stroustrup at Bell Labs in 1979, through the start of its standardization in 1991, and to the current version C++20.

It is interesting to see that some major features added in C++20 were already being discussed much earlier. This is the case with modules and concepts, which are novel features, to provide library implementations and coroutines for a standardized feature for concurrent programming. Only now concurrency support is part of the standard, even though together with program organization these were the Simula programming language features to be combined with the efficiency of C.

It must be noted, however, that it appears that MISRA C++ will be based on C++17. A possible reason for this is that it takes time for compiler implementers to provide support for all language features, and then such implementations also need to be certified for use in safety-critical projects.

Over time, many different C++ coding standards have been written. We already mentioned the AUTOSAR guidelines, but there are also many other popular coding standards in use. This year's State of Automotive Software Development Report presents the responses of 400 automotive development professionals to questions regarding current practices and emerging trends within the automotive software industry. With the continued growth in the development of electric and semi-autonomous vehicles, as well as the subsequent increase in software components, the findings continue to show that security is as important as safety as a major concern. This is reflected in the increasing requirements to comply with security standards.   

The report also shows that MISRA still is the most popular coding standard in the automotive industry, with 42% of the respondents using MISRA coding standards. Given the long history of MISRA and its automotive roots, this is not surprising. AUTOSAR came third with 36%. The C++ Core Guidelines standard is the surprise coming in second with 39%, even though this standard has no apparent relation with the automotive industry. Its popularity probably is explained by the fact that it covers the latest C++ language features which developers want to use.  

 

Graph showing responses to the question, "Which coding standards do you currently use?"

Which Coding Standards Do You Currently Use? Responses from the 2023 State of Automotive Software Development Report

Aspects of C++ Coding Standards

The C++ Core Guidelines, launched by Bjarne Stroustrup and Herb Sutter, is a living document under continuous improvement. The standard was also used as an input to AUTOSAR because of its coverage of the latest C++ language features. AUTOSAR includes a comparison between the two standards that shows that 30% of the C++ Core Guidelines conflict with AUTOSAR rules. MISRA C++:2023 covers most of the issues from AUTOSAR, and the C++ Core Guidelines were not used directly in the new guidelines. 

 

📕 Related Resource: Brush Up on AUTOSAR Basics: Introduction to AUTOSAR Coding Guidelines

 

We will devote a blog to compare various aspects of these C++ coding standards including philosophy, guidelines, enforcement and claiming compliance. As it appears unlikely that MISRA C++:2023 will integrate all AUTOSAR rules, we will evaluate the proportion of the new MISRA C++:2023 rules that conflict with C++ Core Guidelines and compare this with AUTOSAR. 

Novel Guidelines for MISRA C++:2023

Finally, we will devote some blogs to a number of novel guidelines.

 MISRA C++:2023 will provide rules with guidance for defining the interface of class types. It promotes the "Rule of Zero," meaning that it prefers not to specify special member functions for which the language standard already guarantees that the compiler already provides the intended implementation.

This contradicts other guidance like the “Rule of Five” (or "Six" if you also count the default constructor separately), which states that you need to always explicitly specify all special member functions. We will discuss how the new rule addresses the vulnerabilities covered by existing guidance. 

However, there is also a risk to that, as can be seen with the compliant example that is provided for AUTOSAR Rule A12-0-1:

class A // Compliant - the class A follow the "Rule of six" rule 
    { 
    public: 
      A(); // Non-default constructor 
      ~A() = default; 
      A(A const&) = default; 
      A& operator=(A const&) = default; 
      A(A&&) = delete; 
      A& operator=(A&&) = delete; 
    }; 

We can see that only the move functions are deleted, and the copy functions and destructor are defaulted. Code like this may be the result of a developer extending code that followed the “Rule of Three” to “Rule of Five”, but attempting to preserve old behavior by deleting the new move functions. This combination of special member functions will not be allowed by MISRA C++; if a class provides copy functions, it must also provide move functions. The problem with the class is that it cannot be used with containers, e.g., when attempting to declare a vector of the type, a compilation error will occur because of the missing move functions. Note that this example was corrected in the 18-03 release of the AUTOSAR standard, and the wording of the rule was also changed but does not explicitly require move functions to be provided when copy functions are available. 

MISRA C++:2023 will have guidelines that restrict the use of standard conversions. Developers who are familiar with MISRA C:2012 may expect to have similar type conversion rules as defined with MISRA C essential types—but that is not the case. 

MISRA C++:2023 is much stricter, and for a reason: As opposed to C, C++ provides function overloading, which depends on the exact type of expression and the auto placeholder type specifier, where the type is derived from an expression. When the rules are not obeyed, it may be that including a header file contributes a function overload that matches better than the function matched before, which is probably unexpected. There is a safe way to avoid implicit conversion by using a type-safe enumeration type with an integral underlying type. Values of such strong types are not subject to an implicit conversion.

Back to top

Ensure MISRA Compliance with Helix QAC

Perforce’s Helix QAC is a static analysis tool at the forefront of delivering MISRA C and MISRA C++ compliance checking as well as a host of other valuable analysis capabilities.  

Helix QAC provides Compliance Modules for the enforcement of all editions and revisions of MISRA C and MISRA C++, including MISRA C:2023. Perforce plans to have the full MISRA C++:2023 Compliance Module available on the release of the standard. 

See why Helix QAC is the best static code analyzer for MISRA C and MISRA C++.

➡️ Sign Up for a Free 7-Day Trial

Back to top