Checking Programs for Compliance with MISRA C Standard Using the Clang Framework
https://doi.org/10.15514/ISPRAS-2022-35(5)-12
Abstract
MISRA C is a collection of rules and recommendations for the C programming language that is the de facto standard in industries where security plays a key role. The standard was developed by the MISRA (Motor Industry Software Reliability Association) consortium and includes a set of recommendations that allow the C language to be used to develop safe, reliable and portable software. MISRA is widely used in many industries with high reliability requirements, including aerospace, defense, automotive and medical.
We have developed static checkers to check code for compliance with the MISRA C 2012 secure coding standard. The developed checkers are based on the LLVM/clang compiler infrastructure. This paper describes the strategies underlying the design and implementation of the checkers. Using the MISRA C 2012 example suite, the proposed checkers determine compliance with, or violation of, the recommendations with high accuracy. The checkers also show greater coverage and better performance than Cppcheck, a popular open-source static analyzer.
About the Authors
Ruben Arturovich BUCHATSKIY
Russian Federation
Cand. Sci. (Tech.), researcher in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Yan Andreevich CHURKIN
Russian Federation
Researcher in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Kirill Alekseevich CHIBISOV
Russian Federation
Engineer in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Mikhail Vyacheslavovich PANTILIMONOV
Russian Federation
Researcher in Compiler Technology department. Research interests: static analysis, compiler technologies, DBMS.
Egor Viktorovich DOLGODVOROV
Russian Federation
Student at MIPT, laboratory assistant in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Andrey Viktorovich VYAZOVTSEV
Russian Federation
Student at MIPT, laboratory assistant in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Aleksey Georgievich VOLOKHOV
Russian Federation
Leading engineer in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Vladimir Vladimirovich TRUNOV
Russian Federation
Student at MIPT, laboratory assistant in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Gayane Hovhannes MIRAKYAN
Armenia
Student at Russian-Armenian University. Research interests: static analysis, compiler technologies, optimizations.
Konstantin Nikolaevich KITAEV
Russian Federation
Student at MIPT, laboratory assistant in Compiler Technology department at ISP RAS. Research interests: static analysis, compiler technologies, optimizations.
Andrey Andreevich BELEVANTSEV
Russian Federation
Dr. Sci. (Phys.-Math.), Prof., leading researcher at ISP RAS, Professor at MSU. Research interests: static analysis, program optimization, parallel programming.
For citations:
BUCHATSKIY R.A., CHURKIN Ya.A., CHIBISOV K.A., PANTILIMONOV M.V., DOLGODVOROV E.V., VYAZOVTSEV A.V., VOLOKHOV A.G., TRUNOV V.V., MIRAKYAN G.H., KITAEV K.N., BELEVANTSEV A.A. Checking Programs for Compliance with MISRA C Standard Using the Clang Framework. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2023;35(5):169-192. (In Russ.) https://doi.org/10.15514/ISPRAS-2022-35(5)-12