MISRA C rules for Xen
Note
IMPORTANT All MISRA C rules, text, and examples are copyrighted by the MISRA Consortium Limited and used with permission.
Please refer to https://www.misra.org.uk/ to obtain a copy of MISRA C, or for licensing options for other use of the rules.
The following is the list of MISRA C rules that apply to the Xen hypervisor.
It is possible that in specific circumstances it is best not to follow a rule because it is not possible or because the alternative leads to better code quality. Those cases are called “deviations”. They are permissible as long as they are documented as an in-code comment using the following format:
/*
 * MISRA_DEV: Rule ID
 * Justification text.
 */
Other documentation mechanisms are work-in-progress.
The existing codebase is not 100% compliant with the rules. Some of the violations are meant to be documented as deviations, while some others should be fixed. Both compliance and documenting deviations on the existing codebase are work-in-progress.
| Dir number | Severity | Summary | Notes |
|---|---|---|---|
| | Required | All source files shall compile without any compilation errors | |
| | Required | If a function returns error information then that error information shall be tested | |
| | Required | Precautions shall be taken in order to prevent the contents of a header file being included more than once | |
| | Required | The validity of values received from external sources shall be checked | |

| Rule number | Severity | Summary | Notes |
|---|---|---|---|
| | Required | There shall be no occurrence of undefined or critical unspecified behaviour | |
| | Required | Line-splicing shall not be used in // comments | |
| | Required | External identifiers shall be distinct | The Xen character limit for identifiers is 40. Public headers (xen/include/public/) are allowed to retain longer identifiers for backward compatibility. |
| | Required | Identifiers declared in the same scope and name space shall be distinct | The Xen character limit for identifiers is 40. Public headers (xen/include/public/) are allowed to retain longer identifiers for backward compatibility. |
| | Required | An identifier declared in an inner scope shall not hide an identifier declared in an outer scope | Using macros as macro parameters at invocation time is allowed even if both macros use identically named local variables, e.g. max(var0, min(var1, var2)) |
| | Required | Macro identifiers shall be distinct | The Xen character limit for macro identifiers is 40. Public headers (xen/include/public/) are allowed to retain longer identifiers for backward compatibility. |
| | Required | Single-bit named bit fields shall not be of a signed type | |
| | Required | Types shall be explicitly specified | |
| | Required | A compatible declaration shall be visible when an object or function with external linkage is defined | |
| | Required | An external object or function shall be declared once in one and only one file | |
| | Required | An identifier with external linkage shall have exactly one external definition | Declarations without definitions are allowed (specifically when the definition is compiled-out or optimized-out by the compiler) |
| | Required | The static storage class specifier shall be used in all declarations of objects and functions that have internal linkage | |
| | Required | An inline function shall be declared with the static storage class | gnu_inline (without static) is allowed. |
| | Required | Within an enumerator list the value of an implicitly-specified enumeration constant shall be unique | |
| | Mandatory | The value of an object with automatic storage duration shall not be read before it has been set | Rule clarification: do not use variables before they are initialized. An explicit initializer is not necessarily required. Try reducing the scope of the variable. If an explicit initializer is added, consider initializing the variable to a poison value. |
| | Required | The initializer for an aggregate or union shall be enclosed in braces | |
| | Mandatory | The operand of the sizeof operator shall not contain any expression which has potential side effects | |
| | Required | A loop counter shall not have essentially floating type | |
| | Required | A switch-expression shall not have essentially Boolean type | |
| | Mandatory | A function shall not be declared implicitly | |
| | Mandatory | All exit paths from a function with non-void return type shall have an explicit return statement with an expression | |
| | Required | Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses | |
| | Required | A line whose first token is # shall be a valid preprocessing directive | |
| | Required | All #else #elif and #endif preprocessor directives shall reside in the same file as the #if #ifdef or #ifndef directive to which they are related | |
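
The following C sketch is an added example, not taken from the Xen code base or from the MISRA C document. It shows four of the rules listed above working together: checking values received from external sources, testing returned error information, parenthesizing expanded macro parameters, and using a poison initializer. All names in it (`slots`, `slot_write`, `slot_read`, `store_scaled`, `SCALE`, `SLOT_POISON`) and the sample values are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#define NR_SLOTS    8U          /* hypothetical table size */
#define SLOT_POISON 0xDEADBEEFU /* constructed poison value */
#define SCALE_UNSAFE(x, k) (x * k)     /* violation: a + b becomes a + b * k */
#define SCALE(x, k)        ((x) * (k)) /* compliant: parameters parenthesized */

static uint32_t slots[NR_SLOTS];

/* A value received from an external source is range-checked before use. */
static int slot_write(uint32_t idx, uint32_t val)
{
    if ( idx >= NR_SLOTS )
        return -EINVAL;
    slots[idx] = val;
    return 0;
}

static int slot_read(uint32_t idx, uint32_t *out)
{
    if ( !out || idx >= NR_SLOTS )
        return -EINVAL;
    *out = slots[idx];
    return 0;
}

/* Stores (base + extra) * 2 and reads it back; each error return is tested. */
static int store_scaled(uint32_t idx, uint32_t base, uint32_t extra,
                        uint32_t *result)
{
    uint32_t readback = SLOT_POISON; /* stays poisoned if never set */
    int rc = slot_write(idx, SCALE(base + extra, 2U));

    if ( rc == 0 )
        rc = slot_read(idx, &readback);
    *result = readback;
    return rc;
}

static uint32_t scale_unsafe_demo(uint32_t base, uint32_t extra)
{
    return SCALE_UNSAFE(base + extra, 2U);
}

int main(void)
{
    uint32_t r = 0U;
    int ok = (store_scaled(1U, 3U, 4U, &r) == 0) && (r == 14U);
    return (ok && scale_unsafe_demo(3U, 4U) == 11U) ? 0 : 1;
}
```

With an out-of-range index the write is rejected, the error is propagated to the caller, and the result holds the poison value instead of stale or indeterminate data.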