All programming languages contain aspects that are incompletely specified, poorly defined, or defined in ways that permit different compiler implementations to behave differently for the same language construct. Each such issue, referred to here as an insecurity, may lead to unpredictable program behavior.
C++ is no exception and, because of its current popularity, it is increasingly used in safety-related and safety-critical systems. However, the insecurities within the C++ language require an in-depth verification process to ensure that they do not adversely affect program integrity. Such processes have traditionally been developed on an ad-hoc, project-by-project basis, which is both time-consuming and costly.
This article will demonstrate how the MISRA C++ language subset mitigates the insecurities within the C++ language in an efficient, cost-effective manner. The advantages and disadvantages of subsets will be discussed and guidance given to show how some basic up-front work ensures its successful deployment within a project.
An example using the LDRA tool suite will be presented to show how it can be used to demonstrate compliance with the MISRA C++ subset.
Language Subsets
A language subset aims to improve one or more of the portability, safety and security aspects of a program. The MISRA C++ subset was specifically designed to improve program safety, but it also indirectly addresses some portability and security issues.
As MISRA C++ targets the safety aspects of a program, its prime objective is to mitigate those insecurities within the C++ language that are likely to affect program safety.
To that end, the subset was designed to exclude the insecurities present in the full language. An insecurity is eliminated either by excluding the language construct(s) with which it is associated or by restricting how they may be used.
It is worth noting that a language subset is simply a restricted version of the full language: every program written in the subset is also a valid program in the full language, so it compiles with any conforming implementation. Where the subset also excludes constructs whose behavior is undefined, unspecified or implementation-defined, such a program has the same semantics under every conforming implementation.
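The following is an added example, not code from the article or from the MISRA documents, showing two C++ insecurities of the kind the subset excludes or restricts, each beside the form the subset requires. The function names are hypothetical; the rule references are to MISRA C++:2008 (Rule 5-0-1 on order of evaluation, advisory Rule 5-0-2 on reliance on operator precedence).

```cpp
#include <utility>

// Added example, not from the article. Function names are hypothetical.

// A function with a side effect on shared state.
static int next_value(int& counter) {
    return ++counter;
}

static std::pair<int, int> consume(int first, int second) {
    return std::pair<int, int>(first, second);
}

// Insecurity 1: the order in which function arguments are evaluated is
// unspecified in C++, so this may yield (1, 2) on one compiler and (2, 1) on
// another. MISRA C++:2008 Rule 5-0-1 requires the value of an expression to
// be the same under any order of evaluation the standard permits.
std::pair<int, int> unsequenced_form() {
    int counter = 0;
    return consume(next_value(counter), next_value(counter));
}

// Restricted form: each side effect is its own full-expression, so the order
// is fixed by the source text and is the same on every conforming compiler.
std::pair<int, int> sequenced_form() {
    int counter = 0;
    const int first = next_value(counter);
    const int second = next_value(counter);
    return consume(first, second);
}

// Insecurity 2: reliance on operator precedence. == binds tighter than &, so
// this parses as flags & (mask == mask), i.e. flags & 1, which is not a mask
// test at all. Compilers typically only warn about it.
bool mask_test_as_written(unsigned flags, unsigned mask) {
    return flags & mask == mask;
}

// Restricted form: the extra parentheses the subset asks for (Rule 5-0-2)
// state the intent and produce the comparison the author meant.
bool mask_test_parenthesized(unsigned flags, unsigned mask) {
    return (flags & mask) == mask;
}

int main() {
    // With flags 0x6 and mask 0x2 the as-written test reports "not set"
    // although bit 0x2 is set; the parenthesized form reports "set".
    const bool ok = (mask_test_as_written(0x6u, 0x2u) == false) &&
                    (mask_test_parenthesized(0x6u, 0x2u) == true) &&
                    (sequenced_form().first == 1) &&
                    (sequenced_form().second == 2);
    return ok ? 0 : 1;
}
```

Compiling `unsequenced_form` with more than one compiler, or with different optimisation levels, is the quickest way to see why the construct is excluded rather than merely discouraged: the program is well-formed and warning-free, yet its result is not determined by the source.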
Adopting a widely-used subset like MISRA C++ to mitigate language insecurities has many advantages:
1. The subset is still part of a standard language, meaning standard off-the-shelf tool chains can be used.
2. The necessary skills are widely available and reusable; where they are not available in-house, training is worthwhile because it carries over to other projects.
3. Off-the-shelf tools that enforce the standard are available.
4. Customer confidence and buy-in increases with familiarity.
However, subsets also have disadvantages, including:
1. Prohibited or restricted features may increase code complexity (e.g. banning dynamic memory allocation means some other memory management strategy has to be implemented).
2. Some safe constructs may have been excluded or restricted as a consequence of eliminating a specific insecurity.
3. Restrictions may require a more verbose statement of what would otherwise have been a terse construct (e.g. extra parentheses to make operator precedence explicit).
4. Program efficiency may be reduced, especially because compiler-specific language extensions (e.g. control over object memory placement) are prohibited.