Top10Bug KillingCodingStandardRulesCLanguge

Top 10 Bug Killing Coding Standard Rules
Copyright Barr Group, LLC. Page 1

June 2014
Top 10 8ugKIllIng
CodIng Standard Fules
|Ichael 8arr E 0an SmIth

WebInar: June J, 2014
#8ugKIllers

CopyrIght 2014 8arr Croup. All rIghts reserved.

2
#8ugKIllers
|CHAEL 8AFF, CTD
ElectrIcal EngIneer (8SEE/|SEE)

ExperIenced Embedded Software 0eveloper

Consultant E TraIner (1999present)
Embedded software process and archItecture Improvement
7arIous IndustrIes (e.g., medIcal devIces, IndustrIal controls)

Former !"#$%&' )*+,-..+*
UnIversIty of |aryland 2000200J (0esIgn and Use of DperatIng Systems)
Johns HopkIns UnIversIty 2012 (Embedded Software ArchItecture)

Served as /"0'+*10%1230-,, 2+4$5%0.'6 2+%,-*-%&- 2370*

Expert wItness (e.g., In re: Toyota unIntended acceleratIon)

Author of J books and over 70 artIcles/papers

June 2014


3
#8ugKIllers
8DDK: /89/::/: 2 2;:<=> ?@!=:!A:
8ugs are expensIve to fInd/kIll
Its cheaper/easier to keep a bug out
8Ias toward checkable bugkIllers
Coals: Safety, securIty, and relIabIlIty

These 10 bugkIllIng rules + more
Complementary to |SFAC guIdelInes
ncludIng our Internal stylIstIc rules

http://barrgroup.com/codIngstandard


4
#8ugKIllers
8AFF CFDUP
The Embedded Systems Experts

8arr Croup helps companIes make theIr
embedded systems safer and more secure.

BARRGROUP.COM
June 2014


5
#8ugKIllers
UPCD|NC PU8LC TFANNCS
/5B-""-" ?;C@D!A/ 9++' 275E
F
Dctober 2024 In 0etroIt, |IchIgan

Embedded ANDROID Boot Camp
Dctober 27J1 In Costa |esa, CalIfornIa

Embedded SECURITY Boot Camp
November J7 In Cermantown, |aryland

http://barrgroup.com/traInIngcalendar


6
#8ugKIllers
OVERVIEW OF TODAYS WEBINAR
Coal
EstablIsh that sImple codIng rules can reduce bugs

Key Takeaways
10 easytofollow bugkIllIng rules for codIng standards

PrerequIsItes
FamIlIarIty wIth embedded programmIng In C or C++

June 2014


7
#8ugKIllers
0AN S|TH, PFNCPAL ENCNEEF
8SEE (comp.eng), PrInceton

ExperIenced fIrmware developer
20+ years of embedded systems desIgn
Control systems, telecom/datacom,
medIcal devIces, defense, transportatIon
Numerous FTDSes, processors, platforms
EngIneer, Instructor, speaker, consultant

Focus on secure, safe, faulttolerant systems

webInars@barrgroup.com


8
#8ugKIllers
WHY A0DPT A CD0NC STAN0AF0:
Several good reasons engineers talk about
FeadabIlIty, when all of the code looks a certaIn way
@30. *-.$4'. G3-% '3-*- 0. 7 ,+&$. +% .'H40.'0& *$4-.
Portability, when Cs inconsistencies are managed

An even better reason is not talked about enough
CertaIn codIng standard rules can keep bugs out!
FIndIng bugs Is hard and tImeconsumIng
June 2014


9
#8ugKIllers
WHEFE 8UCS CD|E FFD|
The orIgInal programmer(s)
Programming is the step of bugging the code
|aIntenance programmer(s)
8y breakIng assumptIons of the orIgInal programmer
By misunderstanding the original programmers intent

Both types of bugs can be reduced
by following a set of bugreducIng codIng rules!


10
#8ugKIllers
|SFAC CU0ELNES
Guidelines for use of the C language
in critical systems
A carefullyratIonalIzed subset of C
We hIghly recommend followIng It
8ut |SFAC Is a set of guIdelInes
NDT a codIng standard
?'H4- 0. %+' 7""*-..-" 7' 744

Barr Groups standard is compatible with MISRAC
June 2014


11
#8ugKIllers
CD0NC STAN0AF0 ENFDFCE|ENT
To be effectIve, codIng standards must be both:
ENFDFCEA8LE
C7I+* +B#-&'0I-6 -%,+*&-7B4- *$4-. +I-* $%-%,+*&-7B4- +%-.
/%,+*&- 7$'+57'0&744H G0'3 '++4. G3-%-I-* E+..0B4-
And ENFDFCE0
9H '3- -%'0*- '-756 7%" 0'. .'7%"7*" E*+&-..-.
C-G6 0, 7%H6 -J&-E'0+%. 744+G-" K7%" "+&$5-%'-"L


12
#8ugKIllers
Fule #1 always use braces
Fule: 8races ({ }) shall always surround the blocks
of code (also known as compound statements)
followIng if, else, switch, while, do, and for
keywords.
SIngle statements and empty statements followIng
these keywords shall also always be surrounded by
braces.
June 2014


13
#8ugKIllers
ALWAYS8FACES EXA|PLE CD0E
DONT
!" $% && "''(
)*+$(, "" #$%&$'($) $*' +,--(.(&$'/ ,+& 012.&+ 23+*4
*-.*/01+23$(,

!" $% && "''(
)*+$(,
*-.*/01+23$(, "" 5(33 0& &6&.,'&% *$37 89&$ -** :: ; <<

!" $% && "''(
)*+$(,
"+45$(, "" 5(33 23827+ 0& &6&.,'&%
*-.*/01+23$(,


14
#8ugKIllers
ALWAYS8FACES EXA|PLE CD0E
0D
!" $% && "''(
6
"" =33 .*%& ($+(%& '9& 012.&+ .*$%('(*$2337 &6&.,'&%4
)*+$(,
7
*-.*/01+23$(,
0D
.8!-4 $9:!;4+<)15'34(
!
"" >?&$ 2$ &@A'7 +'2'&@&$' +9*,3% 92?& 012.&+4
"
June 2014


15
#8ugKIllers
Fule #2 whenever possible const
Fule: The const keyword shall be used whenever
possIble, IncludIng:
To declare varIables that should not be changed after
InItIalIzatIon
To defIne callbyreference functIon parameters that
should not be modIfIed
To defIne fIelds In structs and unIons that cannot be
modIfIed (e.g., In a struct overlay for memorymapped
/D regIster)
As a strongly typed alternatIve to #define for numerIcal
constants


16
#8ugKIllers
|AX|ZECDNST EXA|PLE CD0E
0D
// Variables that wont be changed & can be stored in ROM.
=8*+ $%&'( > ?@1;'54-13*;4 = Acme 9000;
!3: $%&'( ?1)2!-5132;)4+ & ABCCDEF1GBHIJ1EBKGDC$(,

"" B,$.'(*$ A212@&'&1+ '92' @,+' $*' 0& @*%(-(&%4
=8*+ >
0:+3=@/$=8*+ > @1540:L =8*+ $%&'( > @10+=L 0!M41: ='23:(
{ }

NN O:+'3?-/P:/@45 *-:4+3*:!Q4 :' R54"!34<
0!M41: $%&'( SDTU1OHVD & WXYZ,

June 2014


17
#8ugKIllers
Fule #J whenever possible static
Fule: The static keyword shall be used to declare all
functIons and varIables that do not need to be
vIsIble outsIde of the module In whIch they are
declared.

ncreases encapsulatIon and data protectIon
Protects longlIved data from crossmodule access
Feduces couplIng, Improves maIntaInabIlIty


18
#8ugKIllers
|AX|ZESTATC EXA|PLE CD0E
0D
(tImer.c)

R!3=-254 :!;4+<8

"" C21(203& 8('9 ?(+(0(3('7 *$37 8('9($ '9(+ -(3&4
'()(*$ 2!3:[Z1: ?134\:1:!;4'2: & ],

"" D&3A&1 -,$.'(*$ $*' .233203& -1*@ *,'+(%& '9(+ -(3&4
'()(*$ 2!3:[Z1: *551:!;4+1:'1*=:!Q41-!0:()
6
^^?134\:1:!;4'2: = ;

7
June 2014


19
#8ugKIllers
Fule #4 whenever necessary volatile
Fule: The volatile keyword shall be used whenever
approprIate, IncludIng:
To declare a global varIable accessIble (by current use
or scope) by any Interrupt servIce routIne
To declare a global varIable accessIble (by current use
or scope) by two or more tasks
To declare a poInter to a memorymapped /D
perIpheral regIster set
ElImInates a whole class of dIffIcult bugs!


20
#8ugKIllers
DPT|ZATDN: FE0UN0ANT FEA0S
What your code says
(*+,-.$%/&( 0 12
(*+,-.$%&(-%3 0 1451112
67*3, 8(*+,-.$%/&( 9 :11; ! << =% '(/>> "
<< =% +%-, '(/>>
What the optImIzer does
(*+,-.$%/&( 0 12
(*+,-.$%&(-%3 0 1451112
67*3, 8:; ! << =% '(/>> "
[saves time and code space]
June 2014


21
#8ugKIllers
DPT|ZATDN: UNNECESSAFY WFTES
What your code says
3,=?-,@ 0 14A52 << B5C1D E)(*,&( =F*&@
<< $%=, (7)( &,G,- -,)=' 3,=?-,@
3,=?-,@ 0 14AA2 << B5C1D E)(*,&( '()H3,

What the optImIzer does
I')G,' (*+, )&= $%=, 'E)$,J
<< $%=, (7)( &,G,- -,)=' 3,=?-,@
3,=?-,@ 0 14AA2 << B5C1D E)(*,&( '()H3,


22
#8ugKIllers
|DFE DN 7DLATLE
If working code fails first at optimizer enable
missing volatile keywords are the likely culprits
SolutIon: revIew all declaratIons for mIssIng volatile
volatile rarely used outsIde embedded software
Creat questIon to ask prospectIve fIrmware hIres!

Dther uses of volatile
0ata that must be wIped (e.g., plaIntext, keys, etc.)
Sequencing of operations
June 2014


23
#8ugKIllers
7DLATLE USACE EXA|PLE CD0E
0D
// Every shared global object is volatile
2!3:X_1: G%3)(*3, ?10:*:4 & O`OFDK1OFTCFBU,

// as is every hardware register.
:/@454" 0:+2=:
6

7 ;/1"@?*1:,
;/1"@?*1: G%3)(*3, > ='30: @1:!;4+ = ;

"" >?&$ +*@& '7A&+ *- $*$Eshared data should be
2!3:W1: G%3)(*3, @-*!3:4\:aKTb1UITHEFDbFc,


24
#8ugKIllers
Fule #5 dont disable code with comments
Fule: Comments shall not be used to dIsable
a block of code, even temporarIly.
Use the preprocessors conditional compilation feature.
Nested comments not part of C standard
Supported on some compIlers, not on others
Use versIon control for experImental code changes
Dont leave commented out code for next developer
June 2014


25
#8ugKIllers
CD||ENTE0DUT CD0E EXA|PLE
DONT
"# $%&'( )$**'+&
* & * ^ X,
"F $&+'&% .*@@&$' F"
) & ) ^ X,

#"
0D
K*> 1
* & * ^ X,
"F $&+'&% .*@@&$' F"
) & ) ^ X,

K,&=*>


26
#8ugKIllers
Fule #6 FIxedwIdth data types
Fule #6: Whenever the wIdth, In bIts or bytes, of
an Integer value matters In the program, a fIxed
wIdth data type shall be used In place of char,
short, int, long, or long long.
Use C99s signed and unsigned fixedwIdth data types.

CorollarIes
Keywords short and long shall never be used.
Keyword char shall only be used for strings.
June 2014


27
#8ugKIllers
FECD||EN0E0 FXE0W0TH TYPE NA|ES
0efIned In C99 Include fIle d0:5!3:<8e

Adopt these names even If not a C99 compIler!
Integer Width Signed Type Unsigned Type
8 bits / 1 byte *&(L?( /*&(L?(
16 bits / 2 bytes *&(:M?( /*&(:M?(
32 bits / 4 bytes *&(NO?( /*&(NO?(
64 bits / 8 bytes *&(MP?( /*&(MP?(


28
#8ugKIllers
Fule #7 bItwIse operators
Fule: None of the bItwIse operators (&, |, ~, <<,
and >>) shall be used to manIpulate sIgned types.
Doesnt even really make sense
mplementatIon defIned UndefIned behavIor

The C standard does not specIfy the underlyIng
format of signed data (e.g., 2s complement).
8ItwIse operatIons rely on assumptIons!
June 2014


29
#8ugKIllers
ND 8TWSE SCNE0 EXA|PLE CD0E
DONT
"" G(?(+(*$ ?(2 0('Eshift doesnt work when negative.
!3:W1: 0!?34515*:* & Pf,
0!?34515*:* QQ& X, "" $*' $&.&++21(37 EH

"" I&-'E+9(-'+ *- +()$&% %2'2 21& ,$%&-($&% J($ #KL MN4
!3:[Z1: 0!?34515*:* & PX]],
0!?34515*:* 99& X,

"" O9& @&2$($) *- 0(' -3(A+ 23+* ?21(&+ -*1 +()$&% %2'24
2!3:W1: ;*\1230!?345 & R], "" H;; J@26 ,$+()$&%N
!3:W1: ;*\10!?345 & R], "" EP J$*' @26 +()$&%N


30
#8ugKIllers
Fule #8 dont mix signed & unsigned
Fule: SIgned Integers shall not be combIned wIth
unsIgned Integers In comparIsons or expressIons.
0ecImal constants meant to be unsIgned should be
declared with a u at the end.
Several detaIls of manIpulatIon of bInary data In
sIgned Integer contaIners are ImplementatIon
defIned aspects of the SD C language standard.
Fesults of mIxIng sIgned and unsIgned data can lead to
datadependent bugs.
Dften encountered durIng IntegratIon
June 2014


31
#8ugKIllers
ND |XSCNE0 EXA|PLE CD0E
DONT
!3: 0 & PY,
230!?345 !3: 2 & _,

"" 5=QR#RS< G2$)&1*,+ @(6 *- +()$&% 2$% ,$+()$&%4
!" $0 ^ 2 d f(
6
"" O9(+ .*11&.' A2'9 +9*,3% 0& &6&.,'&%
"" (- JET U VN (+ EW X YZ 2+ 9,@2$+ &6A&.'4
7
4-04
6
"" O9(+ ($.*11&.' A2'9 (+ 2.',2337 &6&.,'&%
7


32
#8ugKIllers
Fule #9 favor InlIne over macros
Fule: ParameterIzed macros shall not be used If an
inline functIon can be wrItten to accomplIsh the
same task.

C++ compIlerhInt keyword inline was added to C as
part of C99.
June 2014


33
#8ugKIllers
NLNE 7S. |ACFDS EXA|PLE CD0E
DONT
"" R* '7A& .9&.[($)/ A*++(03& ,$($'&$%&% +(%& &--&.'+4
R54"!34 OgBTCD$T( $$T(>$T((

0D
"" #$3($& -,$.'(*$+ 21& +2-&1Z 8('9 $* 1,$E'(@& .*+'4
!3-!34 2!3:[Z1: 0h2*+4$2!3:X_1: *(
6
+4:2+3 $* > *(,
7


34
#8ugKIllers
Fule #10 one varIable declaratIon per lIne
Fule: 0eclare each varIable on Its own lIne
The comma separator shall not be used wIthIn varIable
declaratIons.
Cenerated code Is IdentIcal
Compilation isnt any slower either
8Iggest benefIt:
mproved readabIlIty
DONT
=8*+ > \L /, "" 52+ 7 +,AA*+&% '* 0& 2 A*($'&1 '**\
June 2014


35
#8ugKIllers
KEY TAKEAWAYS
0Ifferent sources of fIrmware bugs
The orIgInal programmer creates some
|aIntenance programmers create others
The orIgInal programmer has Influence over both!
Keep bugs out by adoptIng codIng standard rules
FIrst, by enforcIng buglImItIng rules
Enforced automatIcally, whenever possIble
mproved portabIlIty, readabIlIty and maIntaInabIlIty


36
#8ugKIllers
QUESTDN E ANSWEF
June 2014


37
#8ugKIllers
A00TDNAL FESDUFCES
Paper: @+E MN 9$O1P0440%O 2+"0%O ?'7%"7*" A$4-.
barrgroup.com/EmbeddedSystems/HowTo/8ugKIllIngStandardsforEmbeddedC

8ook: /5B-""-" 2 2+"0%O ?'7%"7*"
barrgroup.com/codIngstandard

KIt: /5B-""-" ?+,'G7*- @*70%0%O 0% 7 9+J
barrgroup.com/bootcampbox

Training: Barr Groups Upcoming Public Courses
barrgroup.com/traInIngcalendar

Top10Bug KillingCodingStandardRulesCLanguge

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Top10Bug KillingCodingStandardRulesCLanguge

Uploaded by

Copyright:

Available Formats

Top 10 Bug Killing Coding Standard Rules

Copyright Barr Group, LLC. Page 1

You might also like