3

Professional compilers such as IAR Embedded Workbench offer MISRA C checkers only in their premium versions. Isn't a MISRA C checker a style checker on elements like indentation and variable names? Why does it seem to be so highly sought after?

Kar
    Presumably because MISRA C is a paid-for standard, so the people who integrate this checking will probably have to pay a license fee. – Tom Carpenter Oct 04 '15 at 00:02
  • If you work on automotive software, MISRA compliance is a must – phuclv Oct 04 '15 at 09:38
  • @TomCarpenter There's no such fee. Unfortunately, any hobo can make their own MISRA-C checker. I wish there was such a thing as a tool certification, because 95% of all MISRA checkers on the market are incredibly buggy. – Lundin Oct 08 '15 at 11:12

3 Answers

12

A MISRA-C checker is much more than just a style checker; it enforces a set of software development guidelines for the C programming language developed by MISRA (Motor Industry Software Reliability Association in the UK).

These guidelines are intended to facilitate code safety, portability and reliability regarding the use of ISO C in embedded systems.

There have been three versions: MISRA-C 1998, 2004, and 2012. The latter supports C99 and contains 143 rules and 16 directives, each of which is classified as mandatory, required, or advisory. In order for a piece of firmware to claim to be MISRA-C compliant, all mandatory rules must be met and all required rules and directives must either be met or documented as a formal deviation.

The rules are things like:

  • Avoid possible compiler or host differences, for example, the size of a C integer may vary but an INT16 is always 16 bits.
  • Avoid using functions and constructs that are prone to failure, for example, malloc may fail.
  • Limit potentially dangerous practices such as non-constant pointers to functions.
  • Produce maintainable code, by for example, using naming conventions and commenting. (This would be part of the style checking the OP is referring to.)

In some ways, MISRA-C can be thought of as a safe subset of C. MISRA-C guidelines are not only applicable to vehicular firmware, but also to firmware in other mission-critical areas such as aerospace, nuclear, and medical.

MISRA-C compliance checking is performed by a number of stand-alone third party tools (such as PC-Lint among many others), and compilers (like Green Hills Software and IAR). To perform MISRA-C compliance checking, both static and dynamic code analysis must be performed. The latter in particular is fairly complex, and is probably why programs with MISRA-C compliance checking go for a premium price. It also appeals to a fairly limited market, which also drives up the price.

There is also a set of MISRA rules for C++.

tcrosley
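An added illustration of the point this answer makes (example code, not the answer's own and not a real MISRA tool): three of the guideline categories listed above, approximated as textual checks over a constructed C fragment and its reworked form. The rule labels, both fragments and the `default_handler` name are assumptions made for the example.

```python
"""Toy MISRA-style checker: it looks at what the code does, not at indentation.
The rule labels below are invented for this example, not MISRA rule numbers."""
import re

# Each rule approximates one guideline category named in the answer above.
RULES = {
    "basic-type": (
        re.compile(r"\b(?:unsigned\s+|signed\s+)?(?:int|short|long)\b"),
        "basic integer type whose width varies by compiler/target; use <stdint.h> types",
    ),
    "heap-alloc": (
        re.compile(r"\b(?:malloc|calloc|realloc|free)\s*\("),
        "dynamic allocation can fail at run time",
    ),
    "fn-pointer": (
        re.compile(r"\(\s*\*\s*(?!const\b)\w+\s*\)\s*\("),
        "pointer to function is not const-qualified",
    ),
}

def strip_comments_and_strings(src):
    """Blank comments and string literals (keeping newlines) so words inside them do not trigger rules."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)   # block comments
    src = re.sub(r"//[^\n]*", blank, src)                # line comments
    return re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)      # string literals

def check(source):
    """Return one (line_number, rule_label, explanation) tuple per hit, in source order."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(source).splitlines(), 1):
        for label, (pattern, why) in RULES.items():
            if pattern.search(line):
                findings.append((lineno, label, why))
    return findings

# Constructed C fragments: the first breaks all three rules, the second breaks none.
BEFORE = """\
/* int is 16 bits on some targets and 32 on others */
int sum(int *buf, int n);
void (*on_error)(int);             /* may be overwritten at run time */
int *buf = malloc(64);             /* "malloc" may fail */
"""
AFTER = """\
#include <stdint.h>
int32_t sum(const int16_t *buf, uint16_t n);
void (* const on_error)(int16_t) = default_handler;  /* assumed handler name */
static int16_t buf[32];            /* statically allocated instead */
"""
```

Running `check(BEFORE)` reports five hits on lines 2 to 4, while `check(AFTER)` reports none; the comment mentioning `malloc` is ignored because comments are blanked before matching.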
3

To answer the question more directly, MISRA compliance is often required if you're writing software for safety-critical applications like Automotive. If you're writing safety-critical software, it implies that you're a relatively high-end user who can afford to pay more for development tools. This is standard market segmentation, just like pin count limits on different versions of the same schematic capture software.

Adam Haun
0

The purpose of the original question is unclear: does knowing the reasoning behind charging money for MISRA-C checkers help the questioner? Or is the intent really to ask: is there any lower cost alternative? This answer addresses the latter. If the questioner clarifies the former, I'll delete this answer.

If you're interested in high integrity software but you're not forced to use C, there are alternatives.

SPARK is more rigorous than MISRA-C.

The fact that it's based on Ada helps achieve software reliability because the base language allows fewer grey areas, undefined or ambiguous behaviour. The strong type system helps a lot in ways that may be difficult to appreciate at first. For example, the famous buffer overflow problem becomes a simple type error which can always be caught before it happens, and in many cases, eliminated by the compiler.

SPARK builds on the basic Ada language by proving the buffer overflow will not happen, even before compilation.

It's not magic; like MISRA-C it does involve restrictions on programming style, and more work up front, but there is some evidence that the upfront cost saves more expense later in the development process.

If you can live with a GPL licence, there is a GPL edition available.

Much more information from one satisfied user