3.

Revised Edition

Embedded System development

Coding Reference guide
[C Language Edition]

Written and edited by

Software Reliability Enhancement Center,
Technology Headquarters,
Information-technology Promotion Agency, Japan

i
 This document is the English edition of ESCR (Embedded System development Coding
Reference) [C language edition] Version 3.0 published by IPA/SEC* in Japan. It is the revised
English edition of ESCR [C language edition] Version 2.0 made available in July 2014 in
pdf format. Aimed at improving the quality of the source code written in C language, ESCR
collects the important points to be noted as part of the know-how for coding and organizes
them as practices and rules.
The purpose of this document is to be used as a reference guide for establishing coding
conventions in organizations and groups developing embedded software using C language,
and for promoting the standardization of coding styles and uniformity of source code quality.

March 2018
Software Reliability Enhancement Center, Technology Headquarters,
Information-technology Promotion Agency, Japan

C opyrigh t © 20 1 8 , I P A / S E C
P erm ission to copy an d distrib ute th is docum en t is h ereb y gran ted prov ided th at th is n otice is retain ed on all copies, th at
copies are n ot altered, an d th at I P A / S E C is credited wh en th e m aterial is used to f orm oth er copyrigh t policies.

* S of tware R eliab ility E n h an cem en t C en ter, T ech n ology Headquarters, I n f orm ation - tech n ology P rom otion A gen cy, J apan

ii
P reface
O n p ublication of E SCR [ C lang uag e edition] V er. 3 . 0

This document is the English edition of ESCR (Embedded System development Coding Reference) [C
language edition] Version 3.0, with the aim to improve the quality of the source code written in C language
by collecting the important points to be noted as a part of the know-how for coding and organizing them as
practices and rules.
ESCR was first released in June 2006. Exactly a year later (in June 2007), Version 1.1 was released with
minor changes to reflect the feedback from various users and reviewers who pointed out some areas that
lacked in accuracy or clarity. Then in March 2014, Version 2.0 was released mainly to comply with C99, the
most widely used C language standard at the time, as well as to align with the extensively revised version of
MISRA C (MISRA C:2012) issued in March 2013.
ESCR Version 3.0 is the immediate successor of Version 2.0. Along with supplementary explanatory texts,
additional compliant and non-compliant coding examples, and warnings specifically focused on reminding
the coders about the growing importance of taking security into consideration more carefully when they
write the code, Version 3.0 contains new rules and descriptions that mainly consist of the following:
・R ules on C E R T C C odin g S tan dard th at h av e b een dev eloped b y th e S of tware E n gin eerin g I n stitute in
C arn egie M ellon U n iv ersity ( C M U / S E I )
・R ules proposed b y I P A I T S ecurity C en ter as im portan t poin ts to k eep in m in d to elim in ate v uln erab ilities
durin g dev elopm en t

Furthermore, the rules and descriptions revised in ESCR C++ Version 2.0 (the latest ESCR edition for
C++ language) that also apply to C language have been updated in this document.
To maintain the continuity from the previous release, ESCR Version 3.0 follows the same 3-part structure
as Version 2.0, including the same numbering system applied to practices and rules carried over from the
previous version.
The primary purpose of this document remains consistent from the initial release in 2006. It is intended
to be used as a reference guide for establishing coding conventions in organizations and groups developing
embedded software using C language, and for promoting the standardization of coding styles and uniformity
of source code quality. In addition to that, Version 3.0 has introduced a set of new rules and descriptions
that mainly address the growing need for more security-conscious implementation in embedded products
and solutions that could effectively help eliminate vulnerabilities in software at the coding level for safer
deployment and adoption of IoT that is becoming increasingly widespread.
We sincerely hope that the effective use of ESCR Version 3.0 will lead to the improvement of embedded
software productivity and contribute to the attainment of high-quality software development.

Spring of 2018
Yukihiro Mihara, Keisuke Toyama
Software Reliability Enhancement Center, Technology Headquarters
Information-technology Promotion Agency, Japan
Fusako Mitsuhashi
Coding Practice Guide Revision Working Group

Preface iii
 Table of Contents

P ref ace .................................................................................................................. iii

Part
1 How to Read the Coding Practices Guide 1
1 O ve rvi ew. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 W h at are C odin g P ractices? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 P urpose an d P osition of C odin g P ractices an d th e T arget U sers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 C h aracteristics of th e C odin g P ractices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.4 N otes on U sin g th is G uide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 U n derstan din g S ource C ode Q uality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.1 Q uality C h aracteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2 Q uality C h aracteristics, C odin g P ractices an d R ules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 6

3 How to U se th is G uide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 8
3.1 S cen arios f or U sin g th is G uide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 8

3.2 C reatin g a N ew C odin g C on ve n tion ............................................................................. 1 9

3.3 E n h an cin g E xi stin g C odin g C on ve n tion s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.4 S ervi n g as a L earn in g M aterial f or P rogram m ers' T rain in g an d S elf - S tudy . . . . . . . . . . . . . . . . . . . 22

Part
2 Coding Practices for Embedded Software: Practices Chart 23
How to R ead th e P ractices C h art .............................................................. 24
T erm in ology U sed in th e P ractices C h art ................................................... 28
C odin g P ractices f or E m b edded S of tware .................................................. 29
● R eliab ility .................................................................................................................. 3 1

● M ain tain ab ility ........................................................................................................... 7 1

● P ortab ility ................................................................................................................ 1 3 1

● E f f icien cy ................................................................................................................ 1 4 7

iv T ab le of C on ten ts
Part
3 Typical Coding Errors in Embedded Software 1 5 1
T ypical C odin g E rrors in E m b edded S of tware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 2
1 M ean in gless exp ression s an d statem en ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 2

2 W ron g exp ression s an d statem en ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 4

3 W ron g m em ory usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 6

4 E rrors due to m isun derstan din gs in logical operation s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 8

5 M istake s due to typos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 9

6 W ron g description s th at do n ot cause errors in som e com pilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 9

Appendices 1 6 1
A ppen dix A L ist of practices an d rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 6 2
A ppen dix B R ule classif ication b ased on C lan guage gram m ar . . . . . . . . . . . . . . . . . . . 1 7 6
A ppen dix C R egardin g th e im plem en tation - def in ed b eh avi ors . . . . . . . . . . . . . . . . . . . . . 1 8 9

C itation s an d R ef eren ces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 9 6

T ab le of C on ten ts v
 Part 1
How to Read the
Coding Practices Guide

1 O v erv iew
1 .1 W hat are Coding Practices?
1 .2 Purpose and Position of Coding Practices and the Target U sers
1 .3 Characteristics of the Coding Practices
1 .4 N otes on U sing this Guide

2 U nderstanding Source Code Q uality

2. 1 Q uality Characteristics
2. 2 Q uality Characteristics, Coding Practices and Rules

3 How to U se this Guide

3 . 1 Scenarios for U sing this Guide
3 . 2 Creating a N ew Coding Conv ention
3 . 3 Enhancing Ex isting Coding Conv entions
3 . 4 Serv ing as a L earning M aterial for Programmers’
Training and Self- Study
 1O v erv iew

1.1 W
1.1 hat
W h aare
t aCoding
r e c o d iPractices?
n g p r a c t i c e s?

Creating source code (code implementation) is an inevitable task for developing embedded soft-
ware. Success or failure of this task greatly affects the quality of the resulting software. C language,
the most commonly used programming language for embedded software development, is said to
give the programmers a relatively extensive writing flexibility. The uality of programs written in
C thus tends to reflect uite clearly the difference in coding skill level between seasoned and less-
ex perienced programmers. It is undesirable to have source code varying largely in quality, depending
on the programmers individual coding skills and experience. To prevent this risk from leading into
serious quality issues, forward-thinking companies are working proactively toward standardization
of their source codes by establishing coding standards or conventions to be followed organization-
wide or group-wide.

I ssues Regarding Coding Conv entions

Coding convention is generally regarded as the organized set of “ styles of (or rules in) writing
code that need to be followed to maintain quality.” However, it is becoming a common understand-
ing that various issues ex ist in the current usage of coding conventions, including those mentioned
below.

1 ) T h e n ecessity of rules is n ot un derstood. T h e appropriate m eth ods to deal with rule v iolation s are
also n ot widely sh ared.
2) T h ere are too m an y rules to learn . Y et, th e ex istin g rules are n ot com pr eh en siv e en ough to cov er
th e en tire scope of codin g.
3 ) S in ce h igh ly reliab le tools th at can th orough ly an d accurately ch eck wh eth er th e written code is
com plyin g with th e relev an t rules or n ot are un av ailab le, th e en gin eers h av e to rev iew th e code
m an ually th rough v isual ch eck , wh ich is a h eav y b urden f or th em .

D ue to such circumstances, there are, in fact, some coding conventions established at the organi-
ation or department level that have lost their significance and are no longer strictly observed.
N evertheless, organizations that have coding conventions, no matter what kind of format they

2 P art1 How to R ead th e C odin g P ractices G uide

prepare them in, are at least better than those without any. There are still uite a few that cannot
reach a consensus of the coding convention to be followed internally, and are relying largely on the
programmers’ individual j udgments to decide how the source code should be written.

W hat are Coding Practices?

This guide aims at solving on-site issues related to coding conventions, by providing a collection
of practical coding techniques considered important from the standpoint of software quality that
conform to the basic way of thinking (concept) to be followed in various coding situations. They are
referred to as “ coding practices” in this guide, and are presented with detailed description and spe-
cific examples of related coding conventions (or rules) for reference.
This guide is intended to enable the users to solve the above-mentioned issues in coding conven-
tions by “ establishing a concrete and effective coding convention for their own organization” , using
the set of relevant information provided herein as their reference.

1.2 Purpose and Position of Coding Practices and

Target U sers

Purpose and Position of Coding Practices

ESCR Ver. 3.0 is a guide on coding practices intended to help enable those who create and/or
operate the coding conventions to establish them in their companies or pro ects. This document is
characteristic for regarding coding conventions as “ ways of writing code that should be followed by
all the programmers in a given proj ect to maintain quality” and organizing the basic rule concepts
as practices. These practices are broken down into outline and details, based on the uality concept
that complies with “ ISO /IEC 25 010:2011 Systems and software engineering -- Systems and software
uality Re uirements and Evaluation (S uaRE) -- System and software uality models . They are
respectively ex plained with corresponding C programming rules and the rationale for using them.
Through these practices and rules, ESCR Ver. 2.0 aims at enabling the users to easily establish their
own “ coding convention” that meets their practical needs and also clearly ex plain why the included
practices and rules are significant and necessary.

1 ●O ve rvi ew 3
 Target U sers
This guide has been written on the assumption that it will be read by the following types of users

Creators of the Coding Conv entions

This document can be used as a reference guide to create a new coding convention or to review
and reorganize ex isting coding conventions.

Programmers and Program Rev iewers

Highly reliable and maintainable code can be produced with reasonable effort by learning and un-
derstanding the practices and rules provided in this guide.

B enefits Gained
The benefits that the users can expect to gain directly from using this guide are as mentioned
above. oreover, as a result of these benefits, the users may also be able to expect the following
positive effects:
- Can remove the bottleneck in maintaining software quality caused by inconsistent performance of
implementation engineers;
- Can eliminate obvious errors in the source code at an early stage, such as, during the coding phase
or in subsequent reviews.

1.3 Characteristics
1.3 Ch a r a c t e r i s tof
i cthe
s o Coding
f t h e C Practices
o d i n g Pr a c t i c e

The coding practices in this guide have the following characteristics.

Systematically O rganize d Practices and Rules

This guide considers that code uality can also be classified like software uality, according to
quality characteristics, such as, “ reliability” , “ maintainability” and “ portability” , and organizes the
coding practices and rules systematically based on “ ISO /IEC 25 010:2011 Systems and software en-
gineering -- Systems and software Q uality Requirements and Evaluation (SQ uaRE) -- System and

4 P art1 How to R ead th e C odin g P ractices G uide

software uality models . The coding practices described in this guide are customs and ideas on
implementation that have been developed to maintain source code uality, and they reflect the basic
concepts of individual coding rules. The coding rules included in this guide have been selected based
on the needs of the current conditions (actual situation with the language specifications and process-
ing systems) after closely ex amining the various coding conventions ex isting in the world, and are
presented in the form of established information that supports the corresponding practices. Classi-
fication of practices and rules according to uality characteristics makes it easy for the users of this
guide to understand their respective purpose of use in terms of which aspect of quality each of them
is primarily focused on maintaining.
The coding conventions referenced in this guide range from local conventions used in companies
to which the writers and reviewers of this guide belong, to sets of coding rules established and used
widely in different industries, including “ MISRA C” and “ Indian Hill C Style and Coding Stan-
dards” . For details, refer to “ Citations and References” at the end of this document.

Ready- to- use Reference Rules

This guide presents specific rules for C language as reference information for creating coding
conventions. These rules can be used directly as coding conventions. y referring to 3. ow to se
this Guide” , the users of this guide can easily create their own coding conventions for C language by
choosing the rules that meet their respective needs and adding any other rules that they feel are also
necessary to cover the areas that are not sufficiently addressed.

Presenting the N ecessity of Each Rule

The coding rules covered in this guide are respectively described with explanation of correspond-
ing practices and ex amples of how the code should be written (to be compliant with the given rule)
or should not be written (because that would be non-compliant), to enable the users of this guide
to understand clearly why each of them is necessary. Rules considered to be already well-known
among ex perienced programmers are so indicated in the “ Preference guide” to help the users of this
guide determine whether they need to include these rules in their conventions or not.

Correspondence with O ther Coding Conv entions

Where applicable, this guide indicates the relationship of each coding rule provided herein with
corresponding coding conventions used widely in the world to make it easy for the users of this
guide to check the inclusive relations, among others. Corresponding coding conventions referenced
in this guide include “ MISRA C” and “ Indian Hill C Style and Coding Standards” .

1 ●O ve rvi ew 5
 1.4 N
1.4 otes onon
N otes U sing
usingthis
thisGuide
guide

Keep the following points in mind when using this guide.

Scope of the Rules

In this guide, the rules related to any of the following are considered out of scope of C language
reference rules:

- L ib rary f un ction s
- M etrics ( n um b ers of lin es in f un ction s/ com plex ity of f un ction s, etc. )

Although Errors in writing possibly classified as coding errors have been excluded from the ref-
erence rules, some frequently observed coding errors collected while preparing this guide are ex em-
plified in art 3 Typical Coding Errors in Embedded Software. This section ( art 3) is especially
recommended to those who are still new to C language and prone to many of these errors. Moreover,
it should also be a useful reference to pro ect teams that find it meaningful to establish rules to pre-
vent coding errors from being caused by such common pitfalls in programming.

Cited or Referenced Standards in this Guide

In this guide, the following standards have been cited or referenced.

C9 0
This is the C language standard defined in IS IEC 1 0 rogramming anguage C . It is
often called C 0, where 0 stands for the year IS IEC 1 0 was published. The C language
standard has been revised and is now C , making C 0 an older version.

6 P art1 How to R ead th e C odin g P ractices G uide

C9 9
This is the C language standard defined in IS IEC 1 rogramming anguage C . It is
the current standard widely used. Since IS IEC 1 was published in 1 , it is often called
C .

C11
This is the most recent C language standard defined in IS IEC 2011 rogramming an-
guage C and thereby is the current C language standard. Since IS IEC 2011 was published
in 2011, it is often called “ C11” .

C+ +
This is the C language standard defined in IS IEC 1 2 2003 rogramming language C .

M I SRA C
It refers collectively to the coding guidelines for C language defined by The otor Industry Soft-
ware Reliability Association ( ISRA) in , which include ISRA C 1 , ISRA C 200 and
MISRA C:2012.

M I SRA C:19 9 8
The convention in Citations and References .

M I SRA C:20 0 4
The convention in Citations and References 6 . This is the revised version of ISRA C 1 .

M I SRA C:20 12
The convention in Citations and References 7 . This is the revised version of ISRA C 200 .

N aming Conv entions for V ariables and F unctions

For the names of variables and functions used in code ex amples, this guide uses notations that are
as simple as possible to prevent the users from becoming confused or misunderstanding the rules un-
necessarily.

1 ●O ve rvi ew 7
 U sing static code analysis tools

The method of using static code analysis tools designed to detect bugs through the static analysis
of the source code is not included in the scope of this guide. ut this is an effective means to ensure
that coding rules are fully met while coding, and is therefore highly recommended as a reliable tool
to prevent coding errors. In ISRA C and CERT C, which are both referenced in this guide, there
are descriptions indicating the rules where the static code analysis tools can report the violations.
A compiler can be considered as the simplest form of static code analysis tool available. Many
compilers can detect problems in the source code if the warning levels are appropriately set. y uti-
lizing the warnings generated from the compiler, the programmers can often eliminate problems in
the source code at an early stage.

D ifference from V er. 2.0

This document (Ver. 3.0) has been updated from the previous version (Ver. 2.0) primarily by add-
ing rules on secure coding. Along with supplementary ex planatory tex ts, additional compliant and
non-compliant coding examples, and warnings specifically focused on reminding the programmers
about the growing importance of taking security into consideration more carefully when they write
the code, Version 3.0 contains new rules and descriptions that mainly address the growing need for
more security-conscious implementation in embedded products and solutions that could effectively
help eliminate vulnerabilities in software at the coding level. Furthermore, the revisions made in
ESCR C Version 2.0 (the latest ESCR edition for C language) that are common to both C and
C are also updated in this document. There are also descriptions that deal with the same matters
ex plained in Ver. 2.0 but have been rewritten in this document with more clarity or in a way that
would be easier to understand.
The rules carried over from Ver. 2.0 without any changes in the description are numbered the
same in this document so that the ESCR users who are already familiar with the structure of the pre-
vious version can find this updated version easy to use.

The practices and rules that have been newly added to this document are R3.1. , R3.11, R3.11.1,
R3.11.2 and P1.5 .2.

8 P art1 How to R ead th e C odin g P ractices G uide

 2 U nderstanding Source Code Q uality

2.1 Q
2.1 uality Characteristics
Q uality Characteristics

or many, speaking of software uality would remind them of bugs. owever, in the field of
software engineering, the uality of software as a product is grasped in a broader perspective. This
concept of software product quality is defined in detail and organized systematically in ISO /IEC
2 010 2011 1 .

I SO / I EC 250 10 and Source Code Q uality

IS IEC 2 010 2011 defines the uality of software product by breaking it down into eight char-
acteristics ( uality characteristics) reliability , maintainability , portability , efficiency , secu-
rity” , “ functionality” , “ usability” and “ compatibility”
Among them, “ functionality” , “ usability” and “ compatibility” are considered to be the three qual-
ity characteristics that should be addressed at an early stage, preferably before moving on to the
design phases in the upstream process. Whereas, “ reliability” , “ maintainability” , “ portability” , and
efficiency are considered to be the uality characteristics that have close relevance with the devel-
opment of high-quality source code and should therefore be ex amined in depth during the coding
phase. Security , which has been defined as the uality subcharacteristic of functionality in the
previous standard, IS IEC 126-1, is considered basically as a uality characteristic that is relevant
in the design phase, but coding such as for avoiding stack overflow can also affect security. or more
information on coding practices related to security, please refer to the outline of the column below
and CERT C Coding Standard 1 .
ased on the above broad categori ation, this guide has adopted the latter four uality charac-
teristics - “ reliability” , “ maintainability” , “ portability” , and “ efficiency” - as the main focus, and
gathered the coding practices that are primarily concerned with any of these four. Table 1 shows the
relationship between the uality characteristics defined in IS IEC 2 010 and the code uality
proposed in this guide, along with the “ quality subcharacteristics” .

2●How to grasp source codes quality 9

 Column: Points to k eep in mind in coding when
tak ing security into consideration
Software vulnerabilities, often associated with security concerns, may be generated by program-
ming flaws, including buffer overflow, insufficient input validation and race condition. Careful valida-
tion is necessary when writing code for handling data that may not be trusted, such as, some R or
sensitive information like the password.
In this column, the points to keep in mind in secure coding are ex plained in the contex t of when the
programmers (1) use the string libraries, (2) handle sensitive information and (3) handle data that may
not be trusted.
In the following explanations, some paragraphs end with a number like (STR07-C) . They are rule
numbers that correspond with CERT C.

● Using string libraries

A program that allows some kind of input to be entered may receive an inappropriate data that
ex ceeds the region in the physical memory storage known as buffer and overwrites the data in other
region. This state is called the buffer overflow. If a region next to the buffer that stores the address of
an ex ecution code, such as, the return address of a function is overwritten with a start address of a dif-
ferent function due to buffer overflow, it may lead to the execution of an illegal code.
The input may often be a string. uffer overflow may occur when a string handling function is writ-
ten in a program, since string length check mechanism is not incorporated in many of these functions
used to handle the strings in conventional libraries. For ex ample, strcpy function writes the string of
the copy source as it is. There is a risk of buffer overflow being caused by this string when it is longer
than the size of the destination of strcpy. The programmers should avoid the use of standard string
handling functions in C language standards that are older than C11 and use bounds-checking interface
for string manipulation. (STR07-C)
C11 defines alternative functions that are designed to be safer to use than these old standard string
handling functions. For ex ample, strcpy_s() is introduced in C11 as a replacement for strcpy().
In CERT C, the use of anaged String ibrary is recommended as a library of strings that are safer to
use, as they are more likely to prevent buffer overflow from occurring. (STR0 -C)

● Handling sensitive information

Sensitive information must be handled carefully to prevent it from leaking or being falsified. A rep-
resentative example of sensitive information handled by program code is password. ut depending on
what the program is intended to process, sensitive information can range widely, including confiden-
tial data of an organization and personal data of an individual.
It is important to keep the following points in mind when writing code to manipulate sensitive in-
formation.
・D o not store sensitive information in plain tex t. (If you need to store sensitive information, en-
crypt it first. ( E 06-C)
・Ensure that sensitive information that the program has finished using is not written out to disk.
( E 06-C)

10 P art1 How to R ead th e C odin g P ractices G uide

 ・Clear sensitive information stored in reusable resources (e.g. dynamic memory). (MEM03-C,
SC06-C)
Moreover, if a function to clear sensitive information is going to be prepared, it should be de-
clared as volatile, since there is a risk of its call being optimized out. (Refer to M1.11.2)

●Handling data that may not be trusted

When you need to receive and process input from an information source that is not under your man-
agement and therefore cannot be trusted, there is a risk of buffer overflow being caused, for example,
by an incoming value that ex ceeds the upper bound of an array index . When you acquire an integer
value from an ex ternal input source that cannot be trusted, you would need to take precautionary mea-
sures, such as, to determine the range if the incoming value is an integer or normalize the pathname if
the incoming value is a pathname. Keep the following points in mind when the input is:
・I nteger v alue: All integer values originating from tainted sources should be evaluated to deter-
mine if they have identifiable upper and lower bounds. (I T0 -C)
・F ormat string: When an ex ternally controllable format string is called as an argument like
printf function, it may be a cause of buffer overflow. or example, %n specifies the conversion
of a value for defining the number of bytes of the data to be written through output formatting
into an integer variable. This can be used to specify the address of a malicious code to a variable
that has the address of an exception handler. e careful not to process the input as it is and output
it as a format string. (FIO 30-C)
e sure also to check that all the format string functions are static strings that cannot be con-
trolled by the user, and that an argument of an appropriate value is always passed to these func-
tions. ( I 7-C)
If possible, use a function that does not support %n in format strings. In C11, %n format has been
abolished.
・F ilename or pathname: Specifying by relative path or access through a symbolic link may
lead to the access to an unintended file. To prevent it, there is a need to normali e the ac uired
pathname and use this pathname after verifying its validity. (FIO 12-C)
・F ile identity There is no guarantee that a file opened as a read-only file is always the same as
the file opened as a file for writing. The sameness of the file can be determined with more cer-
tainty by saving the file attributes gained when the file is opened and comparing them with the
attributes of the file when it is opened again. ( I 0 -C)

It is important not to mis udge whether the data is under your control or not. The cookies of a da-
tabase ( ) or website that can be manipulated by other systems as well or data that has once being
placed outside your control may be overlooked by misunderstanding it to be still under your control.

2●How to grasp source codes quality 11

 Table 1 Quality Characteristics of Software and Code Quality

Q uality Characteristics Q uality Subcharacteristics Code Q uality

( I SO / I EC 250 10 ) ( I SO / I EC 250 10 )
D egree to which a Maturity D egree to which a system meets needs for reli- ow oc-
Reliability

system, product or ability under normal operation currence of

component performs bugs through
specified functions continued use
under specified condi-
tions for a specified Availability D egree to which a system, product or component
period of time
is operational and accessible when required for
use

ault Toler- D egree to which a system, product or component Tolerance for

ance operates as intended despite the presence of hard- bugs and inter-
ware or software faults face violations,
etc

Recoverability D egree to which, in the event of an interruption

or a failure, a product or system can recover the
data directly affected and re-establish the desired
state of the system

12 P art1 How to R ead th e C odin g P ractices G uide

 Q uality Characteristics Q uality Subcharacteristics Code Q uality
( I SO / I EC 250 10 ) ( I SO / I EC 250 10 )
D egree of effective- Modularity D egree to which a system or computer program D egree to
M aintainability

ness and efficiency is composed of discrete components such that a which the
with which a prod- change to one component has minimal impact on components
uct or system can other components are composed
be modified by the such that a
intended maintainers change to one
component of
the code has
minimal im-
pact on other
components.

Reusability D egree to which an asset can be used in more D egree to

than one system, or in building other assets which a code
can be used in
other pro-
grams

Analysability egree of effectiveness and efficiency with Easiness of

which it is possible to assess the impact on a understanding
product or system of an intended change to one the code
or more of its parts, or to diagnose a product for
deficiencies or causes of failures, or to identify
parts to be modified

odifiability D egree to which a product or system can be Easiness of

effectively and efficiently modified without modifying
introducing defects or degrading ex isting product the code, and
quality lowness of
impact from
modifications

Testability egree of effectiveness and efficiency with Easiness of

which test criteria can be established for a testing and
system, product or component and tests can be debugging the
performed to determine whether those criteria modified code
have been met

2●How to grasp source codes quality 13

 Q uality Characteristics Q uality Subcharacteristics Code Q uality
( I SO / I EC 250 10 ) ( I SO / I EC 250 10 )
D egree of Adaptability D egree to which a product or system can effec- Easiness of
Portability

effectiveness and tively and efficiently be adapted for different or adapting to

efficiency with which evolving hardware, software or other operational different
a system, product or or usage environments environments
component can be *Including
transferred from one conformance
hardware, software or to standards
other operational or
usage environment to
another Installability egree of effectiveness and efficiency with
which a product or system can be successfully
installed and or uninstalled in a specified envi-
ronment

Replaceability D egree to which a product can be replaced by

another specified software product for the same
purpose in the same environment

Performance relative Time ehav- D egree to which the response and process- Efficiency
Performance Efficiency

to the amount of iour ing times and throughput rates of a product or with regard
resources used under system, when performing its functions, meet to processing
stated conditions requirements time

Resource tili- D egree to which the amounts and types of Efficiency

zation resources used by a product or system when with regard to
performing its functions meet requirements resources

Capacity D egree to which the max imum limits of a prod-

uct or system parameter meet requirements

14 P art1 How to R ead th e C odin g P ractices G uide

 Q uality Characteristics Q uality Subcharacteristics Code Q uality
( I SO / I EC 250 10 ) ( I SO / I EC 250 10 )
D egree to which a Confidentiality D egree to which a product or system ensures that D egree of cer-
Security

product or system data are accessible only to those authorized to tainty that data
protects information have access are accessible
and data so that persons only to those
authorized to
or other products or
have access
systems have the
degree of data access
Integrity D egree to which a system, product or component D egree of
appropriate to their
prevents unauthori ed access to, or modification prevention of
types and levels of
of, computer programs or data unauthorized
authorization access to, or
modification
of, computer
programs or
data

N on- D egree to which actions or events can be proven

repudiation to have taken place, so that the events or actions
cannot be repudiated later

Accountability D egree to which the actions of an entity can be

traced uniquely to the entity

Authenticity D egree to which the identity of a subj ect or

resource can be proved to be the one claimed

2●How to grasp source codes quality 15

 2.2 Q
2.2 uality
H o w t o t h Characteristics,
i n k q u a l i t y c h a r a c t e r i s t i c s , aCoding
n d c o d e p r a cPractices
t i c e s a n d r u l e s and

Rules

O v erall Structure

In this guide, the basic matters to be followed when creating source code are organized as “ prac-
tices . or each practice , this guide introduces rules that are more specific reference information
to keep in mind at the time of coding.
These practices and rules provided in this guide are classified and arranged in order, accord-
ing to their association to any of the four uality characteristics described earlier in 2.1. The follow-
ing section defines what practice and rule actually mean in this guide (see also igure 1)

Practice
A “ practice” is a custom or a set of ideas on implementation to maintain source code quality. Each
practice reflects the basic concept of individual coding rule. These practices are broken down into
outline and details.

Rule
A rule is a specific agreement that must be followed and constitutes a part of coding convention.
This guide presents these rules as reference information. In this guide, a rule is also sometimes
used as a collective term that represents a group of relevant rules.

Correspondence of Practices and Rules

Most practices and rules are related to multiple quality characteristics, but in this guide, they are
respectively discussed in the section of the characteristic to which they are most strongly related.
Associating each practice with a particular quality characteristic makes it possible and easy for the
users of this guide to understand how each practice strongly affects which aspect of quality.

16 P art1 How to R ead th e C odin g P ractices G uide

 Quality Concepts Reliability Maintainability Portability Efficiency

(with the exception of some partially dependent)

Language independent
Practices Overview
Practices: Initialize areas and use them Write in a style that is not Write in a style that takes
Specific way of by taking their sizes into dependent on the compiler. account of resource and time
consideration. efficiencies.
thinking
constantly
applied in Write in a style that can Write in a unified style.
implementation to prevent modification errors. ・
・・
improve quality.
in details
Practices

Clarify the grouping of Localize access ranges and

structured data and blocks. related data. ・
・・

Language dependent
Rules:
The body of if, else if, else, Variables used only in one
Reference while, do, for, and switch function shall be declared within
information of statements shall be enclosed into the function.
blocks.
specific coding
rules that take
language Functions that are called only by
dependency into ・
・・ functions defined in the same file ・
・・
shall be static.
consideration.

Use the rules as reference to establish...

A coding convention for each project

Variables used only in one

function shall be declared
within the function.

Functions called only from

the functions defined in the
identical file shall be static

The number of lines per file Added as

shall be within 1000 lines.
project-specific rule

F igure1. Relationship B etween Q uality Concepts, Practices, and Rules

2●How to grasp source codes quality 17

 3 How to U se this Guide

3.1 Scenarios for U sing this Guide

U sage Scenarios

This guide intends to support the creation of coding conventions, and assumes that it will be used
in the following three scenarios:

1 ) C reatin g a n ew codin g con v en tion ;

2) E n h an cin g ex istin g codin g con v en tion s;
3 ) S erv in g as a learn in g m aterial f or program m ers’ train in g an d self - study.

Creating a N ew Coding Conv ention

O rganizations or departments that have not been able to organize any coding conventions
to be followed internally can use this guide for reference to establish their own coding con-
vention that suits their respective needs.

Enhancing Ex isting Coding Conv entions

Even in organizations and departments that have already established their coding conventions,
it is effective to maintain them regularly. sing this guide as a reference will help them review the
contents of their existing coding conventions more efficiently.

Serv ing as a L earning M aterial for Programmers’ Training and Self- Study
There are many books published on C language. nlike those existing ones, this guide focuses on
implementation quality, and provides an organized set of information on how to create source code
that can maintain and improve its quality. In this sense, this guide can also be an ex cellent material
for the users to learn about source code quality from a more practical point of view.

18 P art1 How to R ead th e C odin g P ractices G uide

 3.2 Creating a N ew Coding Conv ention
This section presents the procedure for creating a new coding convention by using this guide. It is
intended for proj ects that do not have any coding conventions of their own.

W hen to Create
Create the coding convention before proceeding to the program design stage. While a coding
convention is a group of rules that are referred to during coding, some rules, such as, the naming
convention applied to function names are associated with program design, and therefore need to be
decided before starting the program design.

How to Create
Proj ects creating a new coding convention of their own are recommended to follow the procedure
described below, step by step:

S tep- 1 D ecide on th e policy f or creatin g a codin g con v en tion .

S tep- 2 C h oose th e rules b ased on th e creation policy th at h as b een decided.
S tep- 3
S tep- 4 D eterm in e th e procedure f or settin g ex ception s to th e rules if n ecessary.

After following these steps in order, add any other rules as needed.

Step- 1 D ecide on the policy for creating a coding conv ention

In creating a coding convention, the first thing to do is to decide on its policy. A creation policy
defines how the code should be written for the pro ect, based on, such as, the characteristics of the
software developed in the proj ect and the members of the proj ect. For ex ample, should the prior-
ity be placed on safety and write code that avoids using features that are not safe, even if they are
convenient to use? O r, should the code be written in a way that makes careful use of such unsafe but
convenient features These are some of the uestions that need to be addressed in the creation poli-
cy. When deciding on the creation policy, each proj ect should consider which quality characteristics
are particularly important for its software development, and ex amine what kind of coding practices
it should adopt from the following perspectives:
- C odin g th at tak es accoun t of f ail- saf e;
- C odin g th at im prov es th e program readab ility;
- C odin g th at m ak es deb uggin g easy, etc.

3 ●How to use th is guide 19

 Also consider using the static code analysis tool for preventing rule violations. Static code analy-
sis tools are effective means to ensure that the code is written according to coding rules. It would
be beneficial to think at this point about which static code analysis tool would be most effective and
helpful to prevent writing any code against the set rules.

Step- 2 Choose the rules based on the creation policy that has been decided
The next step is to choose the suitable rules from the ractices Chart in art 2, based on the cre-
ation policy decided in Step-1. If the proj ect decides on the policy that prioritizes on portability, for
ex ample, efforts should be made to include many rules that address the portability issues in its cod-
ing convention.
In “ Part 2 - Coding Practices for Embedded Software” of this guide, some rules are marked with
either or as a guide to facilitate the selection process. A rule marked with indicates that
it is regarded so important for the particular quality characteristic it addresses, that if this rule is not
adopted as a part of the coding convention, that quality aspect may be seriously impaired. Whereas,
indicates that it is a rule that is already so well-known among those who are very knowledgeable
about C language specifications that it may not necessarily be included in the coding convention.
The simplest way of creating a coding convention would therefore be to choose only the rules indi-
cated with , which would result in a set of widely applied rules.

Step-3 Define the project-dependent parts of the rules

In this guide, the rules are treated as one of the following three types:

1 ) R ules th at can b e used as a part of th e codin g con v en tion with out m ak in g an y ch an ges ( I n th e

The rules treated either as type 2) or type 3) cannot be included in the coding convention as they
are. For rules treated as type 2) to be adopted as a part of the newly created coding convention, they
must be first chosen from the multiple alternatives presented in this guide. To adopt the rules treated
as type 3) as a part of the coding convention, they must be more fine-tuned so that they can address
the specific needs of each pro ect. In doing so, the supplementary explanation provided to each prac-
tice described in this guide should serve as a useful reference on rule definition.

20 P art1 How to R ead th e C odin g P ractices G uide

Step- 4 D etermine the procedure for setting ex ceptions to the rules
The uality characteristics that should be focused at the time of coding may differ, depending on
the feature the proj ect is intending to realize through implementation. (For ex ample, “ In this proj ect,
efficiency should be prioriti ed over maintainability... ). There may be cases when writing code that
is fully compliant with a certain rule included in the coding convention causes difficulty in achieving
the pro ect-specific ob ective. To deal with such cases, it is necessary to have a procedure to allow
partial ex ceptions to this rule
The important points to be covered in this procedure are as follows

- D escrib e wh at prob lem s m ay occur b y writin g code th at is com plian t with th e rule;
- Hav e ex perts rev iew th e prob lem s an d possib le solution s;
- R ecord th e rev iew result.

e sure not to allow exceptions too easily. The substance of the rule will be lost when there
are too many ex ceptions.
The following is an example of the procedure for allowing exceptions.

[ Ex ample procedure]
( 1 ) P repare a f orm describ in g th e reason f or th e ex ception .
( T h is f orm sh ould, f or ex am ple, con tain th e f ollowin g item s. ) - R ule n um b er;

- P rob lem ( s) caused b y com plyin g with th e rule;

- I m pact of dev iation f rom th e rule.

f orm .

3.3 Enhancing
3.3 E n h a n c iEx
n gisting
ex i s tCoding
i n g c oConv
d i n g entions
c o nv e n t i o n s

For proj ects where coding conventions already ex ist, this guide can be a useful reference to re-
view and enhance the contents of their coding conventions.

Prev enting O v ersights and O missions

y sorting the rules in existing coding conventions based on the concept of practices described in

3 ●How to use th is guide 21

 this guide, the proj ect members will be able to identify and supplement the elements that have been
overlooked or omitted, and see in a fresh light which tasks they have been placing importance on in
their proj ect.

Clarifying the N ecessity for Rules

For those who have been feeling compelled to follow some rules without knowing why, this guide
will serve as a useful tool to understand clearly why they are necessary by referring to the practices
and compliant ex amples showing how they should be used.

3.4 ServL earning

3.4 ing as material
a L earning M aterial
for trand for
for self-
mers’ Training and Self- Study
Program-
s tudy

This guide is a good learning material for programmers who have studied C language but are still
not used to or have little ex perience in practical coding.

Target U sers

This guide is targeted at the following group of programmers

- P rogram m ers wh o h av e studied an d acquired th e b asic sk ills in C lan guage

- P rogram m ers wh o h av e ex perien ce in oth er program m in g lan guages b ut are b egin n ers in C
lan guage

W hat The U sers Can L earn

y reading this guide, which is organi ed from the standpoint of uality characteristics like reli-
ability, maintainability and portability, the users can learn:

- How to write code th at can im prov e reliab ility;

- How to write code th at can prev en t b ugs f rom b ein g produced;
- How to write code th at can f acilitate deb uggin g an d testin g;
- How to write code th at is easy to read, an d th e reason s wh y good readab ility is n ecessary.

22 P art1 How to R ead th e C odin g P ractices G uide

 Part 2
Coding Practices
for Embedded Software:
Practices Chart

- How to Read the Practices Chart

- Terminology Used in the Practices Chart

- Coding Practices for Embedded Software

● Reliability
● Maintainability
● Portability

● Efficiency
 H owtotRead
How o Rethe
a dPractices
t h e PrChart
a c t i c e s Ch a r t
O rganiz ational Structure of the Practices
Coding practices shown in art 2 are classified according to four software uality characteristics
(reliability, maintainability, portability, efficiency).

Practices in O utline
ractices closely related to each characteristic are largely divided into practices in outline .
or example, the practices closely related to maintainability are largely divided into five practices
in outline from aintainability 1 eep in mind that others will read the program to
aintainability rite in a style that makes testing easy .

Practices in D etail
Each practice in outline is broken down into more specific subsets called practices in detail . or
example, the practice in outline aintainability 3 rite programs simply has four practices in
detail, which are

M aintainability 3.1 D o structured programming.

M aintainability 3.2 L imit the number of side effects per statement to one.
M aintainability 3.3 W rite ex pressions that differ in purpose separately.
M aintainability 3.4 D o not use complicated pointer operation.

L ayout of the Practices Chart

or each practice, reference information on rules to be noted during actual coding is provided in
a chart form. The following diagram shows the layout of a sample chart, which is followed by the
description of each field composing the chart

24 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 ① Q uality concept ② Practice in detail
② Practice in outline ③ Rule number ④ Rule

⑤ Preference guide
Reliability Reliability
I nitializ e areasI nitializande use
areas them
and byuse them by U se areasR afterU initializ
se areas ingafter
them.initializ ing them.
1 1
ReliabilityReliability

ReliabilityReliability
R 1 .1 1 .1

ReliabilityReliability

ReliabilityReliability
Reliability
tak Reliability
ing their siztak es
inginto
their
consideration.
siz es into consideration.
I nitializ e areasI nitializ
ande use
areas and by
them use them by R1.1.1 U se
R1.1.1
areasR after U initializ
se areas ingafter
them. initializ ing them.

1 1
R 1 .1 Automatic 1 v . ariables
1 Automatic
shall be initializ
v ariables
ed atshall
the be
time P ref eren
initializ edceat the● time P ref eren ce
●
guide guide
tak ing their siz tak es
inginto
their siz es into consideration.
consideration. of declaration, or theofinitial declaration,
v alues shall or thebeinitial
assigned
v alues shall R ule
be assigned R ule
j ust before using them. j ust before using them.
Various variables are Various
used in programs
variables are
written
usedininCprograms
language.written
Without in considering
C language.the Without considering the R1.1.1 R1.1.1
Automatic v ariablesAutomatic v ariables
shall be initializ ed atshall
the betime initializ edceat the● time
P ref eren
guide
P ref eren ce
guide
●
1

1
areas to be reserved inareas
the computer
to be reserved
and ensuring
in the computer
that theseand
areas
ensuring
are already
that these
initialized
areas are
by already initialized by
⑥ ule specification
of declaration, or theofinitial declaration,
v alues shallor thebeinitial
assignedv alues shall be assigned
R ule R ule
the time these variablesthe aretime
used,
these
unexvariables
pected malfunctions
are used, unexmaypected
occur.
malfunctions may occur. Compliant ex j ust beforeCompliant
ample using them. j ust before using
ex ample them.ex ample
N on- compliant N on- compliant ex ample
Various variables are Various variables are
used in programs usedininCprograms
written language.written
Without in considering
C language.the Without considering the void func() { void func() {
Moreover, the pointersMoreover,
in C language
the pointers
need to inbeCused
language
carefully
needbytobeing
be used
conscious
carefully
of by
thebeing conscious of the void func() { void func() {
1

1
1

1
intthe var1; int var1;
areas to be reserved inareas to be reserved
the computer in the computer
and ensuring that theseand ensuring
areas that these
are already areas are
initialized by already initialized by int var1 = 0; // Initializeint at var1
the time
= 0; //
of Initialize at time of
areas they point to. Sinceareasthethey
misuse
pointofto.pointers
Since the
may misuse
causeofserious
pointers
problems
may cause
to the
serious
entireproblems to the entire // declaration // declaration var1++; var1++;
the time these variablesthe aretime these
used, unexvariables are used, unexmay
pected malfunctions pected malfunctions may occur.
occur. Compliant Compliant
int i; ex at
int i; ex ample// Do not initialize ample
the N on-… compliant
// Do not initialize ex ample
at the N on-… compliant ex ample
system, particular cautionsystem,
is necessary
particular
when
caution
usingis them.
necessary when using them. // time of declaration }
// time of declaration
void func() {
}
void func() {
Moreover, the pointersMoreover, the pointers
in C language need to inbeCused
language needbytobeing
carefully be used carefully
conscious of by
thebeing conscious of the void func() {
...
void func() {
...
“ Reliability 1” consists“ of
Reliability
the following
1” consists
three practices.
of the following three practices. int var1 = 0; // Initializeint
var1++;
at var1
var1++;
= 0; //
the time of Initialize atintthe var1;
time of int var1;
areas they point to. Sinceareasthethey pointofto.pointers
misuse Since the
may misuse
causeofserious
pointers may cause
problems serious
to the entireproblems to the entire // declaration
// Assign the initial value // just
Assign
before
// declaration var1++;
the initial value just
… before
var1++;
…
int i; int i;
// Do not initialize at the// Do not initialize at the
system, particular cautionsystem, particular
is necessary caution
when usingis them.
necessary when using them. // using it // using it
// time of declaration
for (i = 0; i < 10; i++) {for (i = 0; i < 10; i++) {
}
// time of declaration }

⑦ Compliant ex ample
... ...
“ Reliability 1” consists“ of
Reliability 1” consists
the following of the following three practices.
three practices. …
var1++;
…
var1++;
} }
Reliability 1.1 U se areas after
Reliability 1.1 initializ
U se ingareasthem.
after initializ ing them. }
// Assign the initial value
// using it
}
// just
Assign
// using it
the initial value just before
before

for (i = 0; i < 10; i++) {for (i = 0; i < 10; i++) {

… …
Reliability 1.2
Reliability 1.1
Describe initiali
Reliability
U se
1.2 ations
areas after
Reliability
Describe
U se ing
1.1 initializ
ithout
areas
initiali
e cess
ations
or deficiency
ithout e cess or deficiency
after initializ ing them.
them.
If} automatic variables are If}notautomatic
initiali ed,
} differ depending
} differ depending on the environment.
variables
their values
are not
The initialization
become
initialiundefined
on the environment.
must be The
ed, their values
either
and thebecome
initialization
operation
at the time must
undefined
results may
of declaration
be either or
and the operation results may
at the
j usttime of declaration or j ust ⑧ N on- compliant
1.3
Reliability 1.2
Pay attention to thePay
Describe initiali
Reliability
a pointer.
1.2
range
attention
Describe
1.3 ations
of the to
a pointer.
area
initiali
ithout
thepointed
range of
ations
e cess
bythe area pointed by
ithout e cess or deficiency
or deficiency
before using the variable. before using the variable.
If automatic variables are Ifnotautomatic variables
initiali ed, are not
their values initialiundefined
become ed, their values
and thebecome undefined
operation and the operation results may
results may ex ample
differ depending
differ depending on the environment. on the environment.
The initialization must be The initialization
either at the time must be either or
of declaration at the
j usttime of declaration or j ust

⑨ Remark s
Pay attention to thePay attention
range of the to thepointed
area range of
bythe area pointed by before using the variable. before using the variable.
Reliability 1.3 Reliability 1.3
a pointer. a pointer. R1.1.2 R1.1.2
const v ariables shall be initializ
const v ariables
ed at
shall
the be
time
initializ
of ed guide
●
at the time of
P ref eren ce P ref eren ce
guide
●

declaration. declaration. R ule R ule

R1.1.2 R1.1.2 const

const v ariables shall v ariables
be initializ shall
ed at the be initializ
time of ed guide
●
at the time of
P ref eren ce P ref eren ce
guide
●

declaration. declaration. R ule R ule

Compliant ex ample Compliant ex ample N on- compliant ex ample N on- compliant ex ample
const int N = 10; const int N = 10; const int N; const int N;

const variables
Compliant ex ample must be initialized
const variables
Compliant ex at the time
ample mustofbedeclaration
initialized as
at values
theex time
N on- compliant cannot
ampleof declaration
beN on-
assigned
as values
toexthem
compliant cannot
sub-
ample be assigned to them sub-
se uently.
const int N If not
= 10; initiali ed,
se0 uently.
const will
int be
N If
=assigned
not initiali
10; for external
ed,const
0 will variables
be N;
int assigned
and the
for values
externalare
const variables
undefined
int N; andfor theau-
values are undefined for au-
tomatic variables, which may tomatic
cause
variables,
unex pected
whichbehavior.
may cause
N oteunexthatpected
missingbehavior.
initialization
N ote atthatdeclaration
missing initialization at declaration
does notvariables
const does notvariables
must be error.
cause a compile initialized
const mustofbedeclaration
at theatime
cause compile initialized as
error. at values
the time of declaration
cannot be assigned as values
to themcannot
sub- be assigned to them sub-
se uently. If not initiali se0 uently.
ed, will be If not initiali
assigned for ed, 0 will
external be assigned
variables and for values
the externalare variables
undefinedandfor
theau-
values are undefined for au-
Note With C++, uninitialized Note With
const is aC++,
compile
uninitialized
error. const is a compile error.
tomatic variables, which may tomatic variables,
cause which
unex pected may cause
behavior. N oteunex
thatpected
missingbehavior. N ote at
initialization thatdeclaration
missing initialization at declaration
does not cause a compile error.
does not cause a compile error.
［Related rules］ M1.11.1，［Related rules］ M1.11.1， M1.11.3
M1.11.3
Note
Note With C++, uninitialized With
const is aC++, uninitialized
compile error. const is a compile error.

［Related rules］ M1.11.1，

［Related rules］ M1.11.1， M1.11.3
M1.11.3

32 P art2 C odin g P ractices f or E m b edded 32

P art2
S of tware:
C odin P gractices
P ractices
C h f or
artE m b edded S of tware: P ractices C h art R eliab ility1 ● R 1 n itializ e areas an dR use
eliabth ility1
em in ●conR 1 sid
n itializ
eratione areas
of th eir
an dsiz use
es. th em 33
in con sid eration of th eir siz es. 33

32 P art2 C odin g P ractices f or E m b edded 32

P art2 C odin P gractices
S of tware: P ractices
C h f or
artE m b edded S of tware: P ractices C h art R eliab ility1 ● R 1 n itializ e areas an dR use
eliabth ility1
em in ●conR 1 sid
n itializ
eratione areas an d
of th eir siz use
es. th em 33
in con sid eration of th eir siz es. 33

① Q uality concept
uality concepts are related to the main uality characteristics of IS IEC 2 010 . This guide
uses the following four uality concepts

Reliability M aintainability Portability Efficiency

② Practice
escribes the practice to be followed by programmers during coding
- I n outline

- I n detail

③ Rule number
Identification number of each rule

25
 ④ Rules
Specific reference rule or rules for C language corresponding to the practice that must be
followed. The rules cited from ISRA C are written in the following format.
[ M I SRA C:20 0 4 1.3] , [ M I SRA C:20 12 R8 .14]

⑤ Preference guide

rovides supportive information (marks) to indicate whether the corresponding rule described
under eachpractice should be chosen as a part of the newly created coding convention or not.

N o mark :
●

⑥ ule specification
rovides supportive information (verbal indicators) to indicate which rule need to be defined
more specifically in detail or not, depending on the pro ect policy, or should be prescribed in
a document, such as, when it is recommended to record the behavior and usage of compiler-
dependent language specification as a document (the latter is referred to as the documentation
rule which can be used as it is, but is strongly recommended to be documented in more detail for
various reasons).

N o mark

Choose

Define
《》

D ocument
《》

26 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

⑦ Compliant ex ample
Example of source code written in compliance with the rule.

⑧ N on- compliant ex ample

Example of source code violating the rule.

⑨ Remark s
rovides notes pertaining to C language specification, and explanation on why the particular rule
is necessary and what kind of problem(s) may be caused by violation of that rule, among others.

27
 Terminology U sed in the Practices Chart

The meaning of the terms used in the chart is as respectively explained in the table below

Term M eaning
Access

ype specifier
char int

ype ualifier const restric

volatile
Storage class specifier auto
register static extern.

B oundary alignment
int

Trigraph seq uence ??= ??/ ??(

??= ??/ ??( # \ [

L ifetime

M ultibyte character

N ull pointer

N ull character \0

Scope

Side effect

B lock { }

Enumeration type

Enumerator enum

28 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Coding Practices for Embedded Software

This part presents coding practices for embedded software. As explained carlier, The coding
practices are categori ed according to the perspective of four characteristics ( uality concepts)
reliability , maintainability , portability and efficiency , which have been adopted from
the software uality characteristics defined in IS IEC 2 010. lease note, however, that these
practices have been categori ed in this way basically for the sake of convenience of the users of this
guide, and that there are actually some useful practices and corresponding rules that can be applied
to improve more than one characteristic (e.g. both reliability and maintainability).
oreover, the coding practices respectively related to these uality characteristics and the
reference rules that support the correct ways of executing these practices are also described in this
part of the guide.

Reliability R

M aintainability M

Portability P

Efficiency E

29
 Reliability
A large number of embedded software is incorporated into prod-
ucts and used to support our daily liv es in v arious situations. Con-
seq uently, the lev el of reliability demanded to q uite a number of
embedded software is ex tremely high. Software reliability req uires
the software to be capable of not behav ing wrongly ( not causing
failure) , not affecting the functionality of the entire software and
system in case of malfunction, and promptly restoring its normal
behav ior after a malfunction occurs.
At the source code lev el, the point to be noted in regard to soft-
ware reliability is the need of contriv ing methods to av oid coding
that may cause such malfunctions as much as possible.

● Reliability 1: I nitializ e areas and use them by tak ing

their siz es into consideration.

●Reliability 2: U se data by tak ing their ranges, siz es

and internal representations into
consideration.

● Reliability 3: W rite in a way that ensures intended be-

hav ior.
 Reliability
I nitializ e areas and use them by
1
Reliability

tak ing their siz es into consideration.

Various variables are used in programs written in C language. ithout considering the
1

areas to be reserved in the computer and ensuring that these areas are already initiali ed by
the time these variables are used, unexpected malfunctions may occur.
oreover, the pointers in C language need to be used carefully by being conscious of the
areas they point to. Since the misuse of pointers may cause serious problems to the entire
system, particular caution is necessary when using them.
Reliability 1 consists of the following three practices.

Reliability 1.1 U se areas after initializi ng them.

Reliability 1.2 Describe initiali ations ithout e cess or deficiency

Pay attention to the range of the area pointed by

Reliability 1.3
a pointer.

32 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 U se areas after initializ ing them.

Reliability
R1.1.1 Automatic v ariables shall be initializ ed at the time
of declaration, or the initial v alues shall be assigned
●

j ust before using them.

1
Compliant ex ample N on- compliant ex ample

void func() { void func() {

int var1 = 0; // Initialize at the time of int var1;
// declaration var1++;
int i; // Do not initialize at the …
// time of declaration }
...
var1++;
// Assign the initial value just before
// using it
for (i = 0; i < 10; i++) {
…
}
}

If automatic variables are not initiali ed, their values become undefined and the operation results may
differ depending on the environment. The initiali ation must be either at the time of declaration or ust
before using the variable.

R1.1.2 const v ariables shall be initializ ed at the time of ●

declaration.

Compliant ex ample N on- compliant ex ample

const int N = 10; const int N;

const variables must be initiali ed at the time of declaration as values cannot be assigned to them sub-
se uently. If not initiali ed, 0 will be assigned for external variables and the values are undefined for au-
tomatic variables, which may cause unexpected behavior. ote that missing initiali ation at declaration
does not cause a compile error.
Note ith C , uninitiali ed const is a compile error.

［Related rules］ M1.11.1， M1.11.3

R eliab ility1 ● R 1 n itialize areas an d use th em in con sid eration of th eir size s. 33
 Describe initializations
D escribe initializ expressed
ations without without
ex cess or ex
deficiency.
Reliability

R1.2.1 rrays ith specified number of elements shall be

initializ ed with v alues that match the number of the
●

elements.

Compliant ex ample N on- compliant ex ample

1

char var[] = "abc"; char var[3] = "abc";

- or -
char var[4] = "abc";

Initiali ing an array with a string will not cause an error at declaration even if a space for a null charac-
ter is not ensured in the array si e. This is not a problem if described intentionally. owever, when the
array is used as an argument for a string handling function etc., the absence of a null character indicating
the end of the string is more likely to cause unexpected behavior. hen initiali ing a string, it is neces-
sary to ensure a space for the null character at the end. It would be also helpful to refer to STR31-C in
CERT C regarding the points to keep in mind when using the null character.

［Related rule］ M2.1.1

R1.2.2 I nitializ ation of enumeration type ( enum type) mem-

bers shall be by either: not specifying any con-
stants; specifying all the constants; or specifying
only the first member

Compliant ex ample N on- compliant ex ample

// A different value is assigned respectively // Both E3 and E4 become 11 unintentionally

// from E1 to E4 enum etag { E1, E2=10, E3, E4=11 };
enum etag { E1=9, E2, E3, E4 }; enum etag var1;
enum etag var1; var1 = E3;
var1 = E3; // It will be true despite the intention
// E3 and E4 in var1 will never be equal // because E3 and E4 are equal
if (var1 == E4) if (var1 == E4)

If an initial value is not specified to a member of an enumeration type, the value of the immediately
preceding member plus 1 (the value of the first member is 0) will be specified to this member. If some
initial values are specified while others are not, the same value may unintentionally be assigned to dif-
ferent members and may become the cause of unexpected behavior. To prevent the same value from
being assigned to different members, initiali ation of the members must be by either not specifying any
constants, specifying all the constants, or specifying only the first member, depending on the usage.

34 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

信頼性

1.3 ポインタの指す範囲に気を付ける。
Pay attention to the range of the area pointed by a pointer.

Reliability
R1.3.1 ( 1) I nteger addition to or subtraction from ( includ-
ing ++ and --) pointers shall not be made; Array
●

oo e
format with [] shall be used for references and
assignments to the allocated area.
( 2) I nteger addition to or subtraction from ( including ++ and --) point-

1
ers shall be made only when the pointer points to the array and the
result must be pointing within the range of the array.

Compliant ex ample N on- compliant ex ample

#define N 10 #define N 10
char buf[N]; char buf[N];
char *p = buf; char *p = buf;
int i = 1;
Non-compliant example of (1)
Compliant example of (1) and (2) *(p + 1) = 'a'; // Non-compliant
buf[i] = 'a'; // Compliant p += 2; // Non-compliant
buf[i+3] = 'c'; // Compliant
Non-compliant example of (2)
Compliant example of (2), non-compliant to (1) *(p + 20) = 'z'; // Non-compliant
for (; p < buf+N && *p != '\0'; p++) {
*p = 'z'; // Compliant
...
}

erforming operations on pointers can blur the destinations pointed by the pointers. It raises the pos-
sibility of implanting bugs that is likely to refer or write to unsecured areas. Rather, using an array name
that points to the beginning of the area and to access elements of the array with indices will make the
program safer. A dynamic memory area obtained by malloc should be treated as an array, and a pointer
to the starting address of the area should be handled as the array name.
or multi-dimensional array, this rule applies to each partial array.
Regarding rule (2), it is permissible to point to the area directly after the last element of the array as long
as the array element is not accessed. In other words, in the case where int data[N] and p=data, p+N
complies with the rule as long as it is not used for accessing the array elements, whereas, using, such as,
*(p+N) that accesses an array element is non-compliant.

R eliab ility1 ● R 1 n itialize areas an d use th em in con sid eration of th eir size s. 35
 R1.3.2 Subtraction between pointers shall only be applied
Reliability

●
to pointers that address elements of the same array.
【M I SRA C:20 12 R18 .2】

Compliant ex ample N on- compliant ex ample

#define N 10 #define N 10
ptrdiff_t off; // ptrdiff_t is a type of result of ptrdiff_t off; // ptrdiff_t is a type of result of
1

// subtraction between pointers // subtraction between pointers

// defined in <stddef.h> // defined in <stddef.h>
int var1[N]; int var1[N];
int *p1 = &var1[0]; int var2[N];
int *p2 = &var1[N-1]; int *p1 = &var1[0];
int *p2 = &var2[N-1];
// Process that includes the change in where p1, p2
// point at (within the range of var1[N]) // Process that includes the change in where p1, p2
... // point at (within the range of var1[N], var2[N]
off = p2 - p1; // respectively)
...
off = p2 - p1;

In C language, subtraction between pointers expresses how many elements exist between the two ele-
ments pointed by each pointer. In this case, if each pointer points to a different array, the way the vari-
ables are laid out between them is implementation-dependent and the execution result is not guaranteed.
This implies that subtraction between pointers is meaningful only when both pointers are pointing to
elements in the same array. Therefore, before subtracting one pointer from another pointer, the program-
mer must ensure that both pointers are addressing elements of the same array.

［Related rule］ 1.3.3

36 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

R1.3.3 Comparison between pointers shall be used only

Reliability
●
when the two pointers are both pointing at either the
elements in the same array or the members of the
same structure.

Compliant ex ample N on- compliant ex ample

#define N 10 #define N 10

1
char var1[N]; char var1[N];
char* p = var1; char var2[N];
char* p = var1;
... // Operations performed on p
... // Operations performed on p
if (p < var1+N) { ... } // Compliant
if (p < var2+N) { ... } // Non-compliant

Comparing addresses of different variables does not cause a compile error, but is meaningless because
the address of the variable is implementation-dependent. In addition, the behavior of such a comparison
is not defined (undefined behavior).

［Related rules］ 1.3. ， . .3

R1.3.4 The restrict type ualifier shall not be used

【M I SRA C:20 12 R8 .14】

Compliant ex ample N on- compliant ex ample

void f(int n, int * restrict p,
int * restrict q) {
while (n-- > 0) {
*p++ = *q++;
}
}

void g(void) {
extern int d[100];

f(50, d+1, d); // Undefined behavior

y using restrict type ualifier, efficient code can be generated by a compiler and the accuracy of
static analysis by using such as the code checker will improve. owever, the use of restrict type
ualifier will re uire the programmer to guarantee that the targeted areas will not overlap, and there is a
risk involved because the compiler will not output an error.

R eliab ility1 ● R 1 n itialize areas an d use th em in con sid eration of th eir size s. 37
 Reliability
U se data by tak ing their ranges, siz es
2 a n d in t e r n a l r e p r e s e n t a t i o n s in t o
Reliability

consideration.

The data used in programs vary in how they are represented internally and in the range they
can be operated, depending on their types. hen using these different types of data for opera-
tion, they must be written carefully by paying attention to various aspects, including precision
1

and si e. therwise, unexpected malfunctions may occur when they are processed in, such
as, arithmetic operations. Therefore, there is a need to handle data with care, by taking their
ranges, si es and internal representations, among others, into consideration.

Reliability 2.1
M ak e comparisons that do not depend on internal
representations.

hen values such as logical values are defined as a

range do not ma e a judgment by finding hether or not
Reliability 2.2 a v alue is eq uiv alent to any v alue ( representativ e v alue
that is implemented) within this range

Reliability 2.3 U se the same data type to perform operations or

comparisons.

Reliability 2.4
D escribe code by tak ing operation precision into
consideration.

Reliability 2.5
D o not use operations that hav e the risk of information
loss.

Reliability 2.6 U se types that can represent the target data.

Reliability 2.7 Pay attention to pointer types.

W rite in a way that will enable the compiler to check

Reliability 2.8 that there are no con icting declarations usages and
definitions

38 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

信頼性 M ak e comparisons that do not depend on internal

Reliability
Make comparisons that do not depend on internal representations.

eliability
2.1 representations.

R2.1.1 F loating- point ex pressions shall not be used to per-

●

form eq uality or ineq uality comparisons.

1
Compliant ex ample N on- compliant ex ample
#define LIMIT 1.0e-4 void func(double d1, double d2) {
void func(double d1, double d2) { if (d1 == d2) {
double diff = d1 - d2; …
if (-LIMIT <= diff && diff <= LIMIT) {
…

In case of a floating-point type, values written in the source code do not exactly match with those actu-
ally implemented. Therefore, the comparison results must be udged by taking account of tolerance.

Reference materials for those wanting to know more in detail about this rule
・ CERT C 00-C

［Related rule］ R2.1.2

R2.1.2 F loating- point v ariable shall not be used as a loop

●

counter.

Compliant ex ample N on- compliant ex ample

void func() { void func() {
int i; double d;
for (i = 0; i < 10; i++) { for (d = 0.0; d < 1.0; d += 0.1) {
… …

If operations are repeatedly performed to a floating-point variable used as a loop counter, the
intended result may not be achieved due to accumulated calculation errors. Therefore, inte-
ger type (int type) should be used for loop counters.

Reference materials for those wanting to know more in detail about this rule
・ CERT C 00-C

［Related rule］ R2.1.1

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 39
 R2.1.3
Reliability

●
memcmp shall not be used to compare structures
and unions.

Compliant ex ample N on- compliant ex ample

struct TAG { struct TAG {

char c; char c;
long w; long w;
1

}; };
struct TAG var1, var2; struct TAG var1, var2;
void func() { void func() {
if (var1.c == var2.c && var1.w == var2.w) { if (memcmp(&var1, &var2, sizeof(var1)) == 0) {
… …

emories for structures and unions may contain unused areas. Since the values in the areas are un-
known, memcmp should not be used. hen making comparisons of structures or unions, they should be
made between the corresponding members.

［Related rule］ M1.6.2

W hen v alues such as logical v alues are defined as a

range, do not mak e a j udgment by finding whether or
Donot
notaexamine
v alue is eq uiv aalent
whether value to any particular
is equivalent v alue ( rep-
to true value
resentativ e v alue) within this range

R2.2.1 Comparison with a v alue defined as true shall not

be made in ex pressions that ex amine true or false.

Compliant ex ample N on- compliant ex ample

#define FALSE 0 #define TRUE 1
// func1 may return a value other than 0 and 1 // func1 may return a value other than 0 and 1
void func2() { void func2() {
if (func1() != FALSE) { if (func1() == TRUE) {
- or -
if (func1()) {

In C language, true is represented by any non- ero value, not necessarily 1.

［Related rule］ M1.5.2

40 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

信頼性 U se the same data type to perform operations or

Reliability
eliability
2.3 comparisons.
Use the same data type to carry out operations or make

R2.3.1 Unsigned integer constant ex pressions shall be

described within the range that can be represented
with the result type.

1
Compliant ex ample N on- compliant ex ample

#define MAX 0xffffUL // Specify long type #define MAX 0xffffU

unsigned int i = MAX; unsigned int i = MAX;
if (i < MAX + 1) if (i < MAX + 1)
// If long is 32 bits, there is no problem even // The result varies depending on whether the int is
// when the number of bits of int is not 32. // 16bits or 32bits. If int is 16bits, the operation
// result will wrap around and the comparison result
// will be false. If int is 32bits, the operation
// result will be within the range of int and the
// comparison result will be true

nsigned integer operations in C language wrap around without overflow (the result will be the re-
mainder of the maximum representable value). ecause the overflow is not flagged, there is a risk of
not noticing when the operation result differs from the intended result. or example, when there are two
environments that differ in the number of bits of int, the same constant expression produces different
operation results, depending on whether they exceed the representable value range or not.

R2.3.2 W hen using conditional operator ( ?: operator) , the

logical ex pression shall be enclosed in parentheses
( ) and both return v alues shall be the same type.

Compliant ex ample N on- compliant ex ample

void func(int i1, int i2, long w1) { void func(int i1, int i2, long w1) {
i1 = (i1 > 10) ? i2 : (int)w1; i1 = (i1 > 10) ? i2 : w1;

hen writing code using different types, perform a cast to specify which type is expected as
the result.

［Related rule］ M1.4.1

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 41
 R2.3.3
Reliability

●
L oop counters and v ariables used for comparison
of loop iteration conditions shall be the same type.

Compliant ex ample N on- compliant ex ample

void func(int arg) { void func(int arg) {

int i; unsigned char i;
1

for (i = 0; i < arg; i++) { for (i = 0; i < arg; i++) {

sing comparison between variables with different ranges of representable values as a loop iteration
condition may produce unintended results and end up in an infinite loop.

信頼性 D escribe code by tak ing operation precision into con-

2.4 Describe
sideration.code in consideration of operation

R2.4.1 W hen the type of an operation and the type of the

destination to which the operation result is assigned
●

( assignment destination) are different, the operation

shall be performed after casting them to the type of
ex pected operation precision.

Compliant ex ample N on- compliant ex ample

int i1, i2; int i1, i2;
long w; long w;
double d; double d;
void func() { void func() {
d = (double)i1 / (double)i2; // floating-point d = i1 / i2; // integer division
// division w = i1 << i2; // Shift using int
w = ((long)i1) << i2; // Shift using long

The type used in operation is determined by the type of the expression (operand) used for the operation,
and the type of the assignment destination is not taken into consideration at compile time. Therefore, do
not expect the operation to output its result in the type of the assignment destination if the operating type
differs from the destination type. hen there is a need to execute an operation in the type that differs
from the operand type, perform a cast to convert the type of operand to the intended type before opera-
tion.

［Related rule］ R2.5.1

42 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

R2.4.2 W hen performing arithmetic operations or com-

Reliability
eliability
parisons of ex pressions mix ed with signed and
unsigned, an ex plicit cast to the ex pected type shall
be performed.

Compliant ex ample N on- compliant ex ample

int i; int i;

1
unsigned int ui; unsigned int ui;
void func( ) { void func( ) {
i = i / (int) ui; i = i / ui;
if (i < (int) ui) { if (i < ui) {
... ...

Some operations, such as, si e comparison, multiplication and division output different results, depend-
ing on whether they are performed with signed or unsigned. If an operation is written for a mixture
of signedness, unsigned operation is not always executed because it is the compiler that determines
which type to execute the operation in (whether with signed or unsigned) by taking account of the
respective data si es. Therefore, when performing an arithmetic operation of mixed signedness, there is
a need to check whether the intended operation is with signed or unsigned, and perform an explicit
cast to change the operating type to the desired type before operation so that the intended operation re-
sult can be expected.

N ote: If there are data types that may have to be changed for use in intended operation, it is often
better to change them rather than performing a cast mechanically. Therefore, in such a situation,
first consider changing the data type.

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 43
 信頼性
D o not use operations that hav e the risk of informa-
Reliability

Do not use operations that have a risk of information loss.

2.5 tion loss.

R2.5.1 W hen performing assignments ( =operation, actual

arguments passing of function calls, function re-
turn) or operations to data types that may cause
information loss they shall be first confirmed that
1

there are no problems, and a cast shall be described to ex plicitly

state that they are problem- free.

Compliant ex ample N on- compliant ex ample

// Assignment examples // Assignment examples

short s; // 16 bits short s; // 16 bits
long w; // 32 bits long w; // 32 bits
void func() { void func() {
s = (short)l; s = w;
s = (short)(s + 1); s = s + 1;
} }
// Operation examples // Operation examples
unsigned int var1, var2; // int size is 16 unsigned int var1, var2; // int size is 16
// bits // bits
var1 = 0x8000; var1 = 0x8000;
var2 = 0x8000; var2 = 0x8000;
if ((long)var1 + var2 > 0xffff) { // The result if (var1 + var2 > 0xffff) { // The result is
// is true // false

hen a value is assigned to a variable that differs in type, the value may change (i.e. information may
be lost). The assignment destination, therefore, should be the same type whenever possible. hen a
value is assigned to a different type intentionally in cases, such as, where there is no risk of information
loss or no impact even if information is lost, perform a cast to explicitly state the intention.
hen performing an operation that outputs a result that exceeds the representable value range of the
type used, the result may become an unintended value. Therefore, for safety, carry out the operation
after verifying that the operation result is within the representable value range of the type used, or after
converting it to the type that could ade uately accommodate larger values.

N ote: In many cases, it is better to change data types used rather than casting mechanically.
Changing data types should be considered first.

［Related rule］ R2.4.1

44 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

R2.5.2

Reliability
●
U nary operator ' -' shall not be used in unsigned

eliability
ex pressions.

Compliant ex ample N on- compliant ex ample

int i; unsigned int ui;
void func() { void func() {

1
i = -i; ui = -ui;

If a unary operator - is used in unsigned expression and the operation result falls out of represent-
able value range of the original unsigned type, unintended behavior may occur.
or example, writing if ( - ui < 0 ) in the non-compliant example will not make this if
true.

R2.5.3 W hen one’ s complement ( ~) or left shift ( <<) is ap-

plied to unsigned char or unsigned short type
data, an ex plicit cast to the type of the operation
result shall be performed.

Compliant ex ample N on- compliant ex ample

uc = 0x0f; uc = 0x0f;
if((unsigned char)(~uc) >= 0x0f) if((~uc) >= 0x0f) // It is not true

The result of operation using unsigned char or unsigned short type will be signed int type.
hen the sign bit turns on due to operation, the intended result may not be achieved. This is why cast-
ing to the type of the intended operation is necessary. The above non-compliant example shows that ~uc
always becomes false as it produces a negative value.

［Related rule］ R2.5.4

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 45
 R2.5.4 The right- hand side of a shift operator shall be z ero
Reliability

●
or more, and less than the bit width of the left- hand
side.

Compliant ex ample N on- compliant ex ample

unsigned char a; // 8 bits unsigned char a; // 8 bits

unsigned short b; // 16 bits unsigned short b; // 16 bits
1

b = (unsigned short)a << 12; // Clearly b = a << 12; // There may be an error in the
// indicated that the operation is 16 bits // shift count

The behavior of a shift operator whose right-hand side (shift count) specifies a negative value or a value
e ual to or larger than the bit width at the left-hand side (value to be shifted) is not defined in C lan-
guage standard and will vary depending on the compiler used. ( This bit width will be that of int type
if the si e is smaller than int .)
The intention of specifying a value up to the bit width of int type as the shift count will be unclear if
the left-hand side (value to be shifted) is of a type that is smaller in si e, even though its behavior is de-
fined in the language standard.

［Related rule］ . .3

Use types
U se with
types which
that canthe target data
represent thecan be reprenseted.
target data.

R2.6.1 he types used for bit field shall only be signed

int or unsigned int f a bit field of bit idth is
req uired, unsigned int type shall be used, and
not the unsigned int type.

he types used for bit field shall be signed int, unsigned int or
_Bool f a bit field of bit idth is re uired unsigned int type or
_Bool type shall be used.
3 he types used for bit field shall be signed int, unsigned int, _
Bool, or those allowed by the compiler that are either enum or the
type that specifies signed or unsigned f a bit field of bit idth
is re uired the type that specifies unsigned or _Bool type shall
be used.

46 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Reliability
eliability
Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1)

struct S { struct S {
signed int m1:2; int m1:2; // Non-compliant: (1)(2)(3)
unsigned int m2:1; // Without sign specification
unsigned int m3:4; signed int m2:1; // Non-compliant: (1)(2)(3)
};
// Use of signed int type of
Compliant example of (2) // 1-bit width
struct S { unsigned char m3:4; // Non-compliant:(1)(2)

1
_Bool m1:1; // Use of char type.
}; // Compliant in (3) if char type
// is allowed by the compiler
Compliant example of (3) enum E m4:2; // Non-compliant:(1)(2)
struct S { // Use of enum type.
unsigned char m1:2; // If char is defined by the
// Compliant in (3) if enum type
// compiler as allowable:
// conpliant // is allowed by the compiler
enum E m2:2; // If enum is defined by the _Bool m5:1; // Non-compliant: Use of _Bool
// compiler as allowable: // type. Compliant in (2),(3)
// conpliant };

}; Non-compliant example of (2)

struct S {
int m1:2; // Non-compliant: (1)(2)(3)
// Without sign specification
signed int m2:1; // Non-compliant: (1)(2)(3)
// Use of signed int type of
// 1-bit width
unsigned char m3:4; // Non-compliant:(1)(2)
// Use of char type.
// Compliant in (3) if char type
// is allowed by the compiler
enum E m4:2; // Non-compliant:(1)(2)
// Use of enum type.
// Compliant in (3) if enum type
// is allowed by the compiler
};

Non-compliant example of (3)

struct S {
int m1:2; // Non-compliant: (1)(2)(3)
// Without sign specification
signed int m2:1; // Non-compliant: (1)(2)(3)
// Use of signed int type of
// 1-bit width
};

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 47
 (1) To be compatible with C 0, use only the int type defined in C 0, which is the int type that has
specified the signedness to either signed or unsigned . o not use the signedness-unspecified int
Reliability

type that may become signed or unsigned, depending on the compiler used.

(2) se only the int type that specifies the signedness as signed or unsigned defined in C , or the
_Bool type, and do not use the int type that does not specify the signedness because the interpreta-
tion of signedness or unsignedness may vary depending on the compiler used.

(3) In addition to the types defined in C language specification, the types defined in processing systems
1

can also be used. owever, do not the integer type that does not specify the signedness, because the
interpretation of signedness and unsignedness may vary depending on the compiler. oreover, for
the bitfield of 1-bit integer type, specify unsigned because the values that can be expressed by 1-bit
signed integer type are only -1 and 0.

［Related rules］ 3.11. 1.3.3

R2.6.2 D ata used as bit seq uences shall be defined with

unsigned type, and not with the signed type.

Compliant ex ample N on- compliant ex ample

unsigned int flags; signed int flags;
void set_x_on() { void set_x_on() {
flags |= 0x01; flags |= 0x01;

The result of bitwise operation ( ~, << , >> , & , ^ , | to signed type may vary, depending on the compiler used.

48 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Pay attention to pointer types.

Reliability
eliability
R2.7.1 ( 1) Pointer type shall not be conv erted to other
pointer type or integer type, and v ice v ersa, with
the ex ception of mutual conv ersion between
“ pointer to data” type and “ pointer to void* ”

1
type.

( 2) Pointer type shall not be conv erted to other pointer type or integer
type with less data width than that of the pointer type, with the ex -
ception of mutual conv ersion between “ pointer to data” type and
“ pointer to void* ” type.

( 3) Pointer type shall not be conv erted to other pointer type or integer
type with less data width than that of the pointer type, with the ex -
ception of mutual conv ersion between “ pointer to data” type and
“ pointer to other data” type, and between “ pointer to data” type
and “ pointer to void* ” type.

Compliant ex ample N on- compliant ex ample

int *ip; int *ip;
int (*fp)(void) ; int (*fp)(void) ;
char *cp; char c;
int i; char *cp;
void *vp;
Non-compliant example of (1)
Compliant example of (1) ip = (int*)cp;
ip = (int*)vp;
Non-compliant example of (2)
Compliant example of (2) c =(char) ip;
i = (int)ip;
Non-compliant example of (2)
Compliant example of (3) ip =(int*) fp;
i = (int)fp;
cp = (char*)ip;

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 49
 If a pointer type variable is casted or assigned to another pointer type, it is difficult to identify what
Reliability

kind of data is contained in the area the pointer points to. ith some s, runtime errors occur if the
destination of a pointer that is not at word boundaries is accessed as int type thus changing pointer
types may cause a risk of unexpected bugs. It is safer not to cast or assign pointer type variables to
other pointer types. Converting pointer types to integral types is also risky, involving the same problem
stated above. Such conversions, therefore, should be reviewed with experts, whenever deemed neces-
sary. oreover, attention must also be given to the value ranges of int type and pointer type. e sure
to check the specifications of the compiler beforehand, because there may be cases where the si e of the
1

pointer type is 6 bits even though the si e of int type is 32 bits.

<stdint.h> defines intptr_t and uintptr_t, which respectively represents signed and unsigned
integral types with data width capable of holding a value converted from a pointer type and be converted
back to that type with a value that e uals to the original pointer. These types should be used when con-
verting between pointer type and integrer type.

Pointer conv ersion rules

As explained in the rule under R.2.7.1, it is a risk to convert (assign) pointer type variable to other pointer
type more than is necessary, because the intended result may not gained. The rules on pointer conversion
have been organi ed in the form of a table, as shown below.

In the following table, the origin to convert from are listed in the rows, and the destination to convert to
are listed in the columns. indicates that the conversion can be made, and indicates that the conversion
should not be performed.

50 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

etails (1)

Reliability
eliability
Conerted to
Pointer to Pointer to P oin t e r t o
Other type
data type function type void type
Pointer to data type × × ○ ×
C o n ­
Pointer to function type × × × ×
verted
Pointer to void type ○ × － ×
from

1
Other type × × ×

etails (2)
Conerted to
Integrer type
Pointer to P o i n t e r
Pointer to With less data With more data
function t o v oid
data type width than that of width that than of
type type
the pointer type the pointer type
Pointer to data type × × ○ × ○
Pointer to function type × × × × ○
Pointer to void type ○ × － × ○
Con­ With less data
verted width than that of × × ×
from Integrer the pointer type
type With more data
width that than of ○ ○ ○
the pointer type
etails (3)
Converted to
Pointer to Pointer to P o i n t e r With less data With more data
data type f u n c t i o n t o v o i d width than that of width that than of
type type the pointer type the pointer type
Pointer to data type ○ × ○ × ○
Pointer to function type × × × × ○
Pointer to void type ○ × － × ○
Con­ With less data
verted width than that of × × ×
from Integrer the pointer type
type With more data
width that than of ○ ○ ○
the pointer type

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 51
 R2.7.2 A cast shall not be performed that remov es any
Reliability

const or volatile q ualification from the type ad-

dressed by a pointer.【M I SRA C:20 12 R11.8 】

Compliant ex ample N on- compliant ex ample

void func(const char *); void func(char *);
1

const char *str; const char *str;

void x() { void x() {
func(str); func((char*)str);
… …
} }

e careful when accessing the areas ualified by const or volatile, because they are only for refer-
ence and must not be optimi ed. If a cast that removes any const or volatile ualification from the
type addressed by a pointer is performed, the compiler will not be able to check and detect error descrip-
tions in the program even if there are any, or may perform an unintended optimi ation.

R2.7.3 Comparison of whether a pointer is larger or small-

●

er than 0 shall not be performed.

Compliant ex ample N on- compliant ex ample

— int * func1() {
…
return -1;
}
int func2() {
…
if (func1() < 0) { // Comparison intended to
// check whether negative or
// not
…
}
return 0;
}

It is meaningless to compare whether a pointer is larger or smaller than 0.

hen the sub ect of comparison is a pointer, the compiler will convert 0 into a null pointer. Therefore,
even when the comparison of pointer against 0 is intended, the comparison will actually be between two
pointers, and the intended behavior may not be achieved.
As shown in the non-compliant example, error check should not be performed by comparing whether
the pointer is negative or not when a function that returns a pointer returns a negative value other than a
null pointer as an error.

［Related rule］ 1.3.3

52 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 W rite in a way that will enable the compiler to check that

Reliability
eliability
there are no conflicting declarations, usages and defini-
tions.

R2.8.1 F unctions with no parameters shall be declared

with a void type parameter.

1
Compliant ex ample N on- compliant ex ample

int func(void) ; int func();

The declaration int func() does not mean that a function has no parameters. It is an old-styled ( R
style) declaration that means that a function has unknown number and types of parameter. Therefore,
when declaring functions with no parameters, write void explicitly.

［Related rule］ . .3

R2.8.2 ( 1) F unctions shall not be defined with a v ariable

number of arguments.【M I SRA C:20 0 4 16.1】
( 2) W hen using functions with a v ariable number of
arguments, 《they shall be used after document-
ing the intended behav iors based on the com-
piler used.》

Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1)
int func(int a, char b); int func(int a, char b, ... );

ithout understanding the behavior of functions with a variable number of arguments in the processing
system, their use may cause stack overflow or other unexpected results.
In addition, when the number of arguments is variable, the number and the types of the arguments are
not explicitly specified, and it will lower readability of the code.
ISRA C 2012 prohibits the use of functions defined in <stdarg.h>.
hen defining a variadic function that uses va_list type variable to reference an argument, there is a
need to be careful not to make the va_list type variable an indeterminate value. If you want to learn
more about this warning, SC3 -C in CERT C should serve as a good source of reference.

［Related rule］ . .3

Reliability2 ● R 2 U se data in con sideration of ran ges, size s an d in tern al represen tation s. 53
 R2.8.3
Reliability

O ne prototype declaration shall be made at one

place from where it can be referenced by both the
function calls and function definition

Compliant ex ample N on- compliant ex ample

-- file1.h -- -- file1.c --
1

void f(int i); void f(int i); // Declared in each file

void f(int i) { … }
-- file1.c --
#include "file1.h" -- file2.c --
void f(int i) { … } void f(int i); // Declared in each file
void g(void) { f(10); }
-- file2.c --
#include "file1.h"
void g(void) { f(10); }

This rule is for preventing the prototype declaration and function definition from becoming inconsistent.

［Related rules］ . .1， . .

54 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Reliability
W rite in a way that ensures intended
3

Reliability
behav ior.

It is essential to be consistent with the description on how to handle all the potential errors,
by also taking account of unexpected events that may occur in cases that are even conceived

1
as highly unlikely from the standpoint of program specifications. oreover, writing code in
ways that do not rely on language specifications, such as, explicit indication of operator prece-
dence can also improve safety. To achieve high reliability, it is desirable to make every effort
to avoid coding that leads to malfunction and write in a way that ensures intended behavior
and safety as much as possible.

Reliability 3.1 W rite in a way that is conscious of area size .

Prev ent operations that may cause runtime error

Reliability 3.2
from falling into error cases.

Check the interface restrictions when a function is

Reliability 3.3
called.

Reliability 3.4 D o not perform recursiv e calls.

Pay attention to branch conditions and describe

Reliability 3.5 ho to handle cases that do not follo the predefined
conditions when they occur.

Reliability 3.6 Pay attention to the order of ev aluation.

B e careful with how to access the shared data in

Reliability 3.11
programs that use threads or signals.

R3.7 R3.10 described in ESCR C edition are deleted from C language edition as they are not applicable as C language rules.

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 55

 信頼性
W rite in a way that is conscious of area siz e.
Reliability

3.1 Write code in consideration of sizes of areas

R3.1.1 ( 1) I n an ex tern declaration of an array, the number
of elements shall al ays be specified
( 2) I n an ex tern declaration of an array, the number
of elements shall al ays be specified e cept for
1

ex tern declarations of arrays that correspond to

the array definition that includes initiali ation and has omitted the
number of elements.

Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1)
extern char *mes[3]; extern char *mes[];
… …
char *mes[] = {"abc", "def", NULL}; char *mes[] = {"abc", "def", NULL};

Compliant example of (2) Non-compliant example of (1) and (2)

extern char *mes[]; extern int var1[];
… …
char *mes[] = {"abc", "def", NULL}; int var1[MAX];

Compliant example of (1) and (2)

extern int var1[MAX];
…
int var1[MAX];

aking an extern declaration without specifying the si e of an array will not cause an error. owever, if
the si e is not specified, it may cause problems in checking outside the array range. Therefore, it is bet-
ter to explicitly specify the array si e in its declaration. owever, there are cases where it is better not to
specify the array si e in the declaration, such as, when the si e of the array is determined by the number
of initial values and is not fixed in the declaration.

［Related rule］ 3.1.

56 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

R3.1.2 I teration conditions for a loop to seq uentially ac-

Reliability
cess array elements shall include the decision to
whether the access is within the range of the array
or not.

Compliant ex ample N on- compliant ex ample

char var1[MAX]; char var1[MAX];

1
for (i = 0; i < MAX && var1[i] != 0; i++) { for (i = 0; var1[i] != 0; i++) {
// Even if 0s are not set in the var1 array, // If 0s are not set
// there is no risk of accessing outside the // in the var1 array, there is a risk
// array range // of accessing outside the array range
… …

This rule is to prevent accessing outside the range.

［Related rule］ 3.1.1

R3.1.3 The siz e of the array initializ ed with a designated

initializ er shall be clearly indicated.

Compliant ex ample N on- compliant ex ample

int a[ 5 ] = { [ 0 ] = 1 }; int b[ ] = { [ 0 ] = 1 };

nless the si e of the array is clearly indicated when defining the array, the largest index among the ele-
ments that will be initiali ed will be determined as the si e. hen a designated initiali er is used, there
are times when it is not clear which index is the largest and should be initiali ed.

［Related rule］ 3.1.1

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 57

 R3.1.4
Reliability

V ariable length array type shall not be used.

【M I SRA C:20 12 R18 .8 】

Compliant ex ample N on- compliant ex ample

#define MAX 1024 void func(int n) {
void func(void) { int a[n]; // Non-compliant Variable
1

int a[MAX]; // Compliant Secured an array of // length array

// largest length

The use of variable length array type has the following problems
・Risk of stack overflow
Variable length array can be assigned to a stack area. Therefore, if the variable length array si e is big,
there is a risk of stack overflow.
・ ehavior that is not defined in C language standard
The behavior when the variable length array si e is not a positive value is not defined in C language
standard.
・ isconceived array si e
int y = 10;
typedef int INTARRAY[y];
y = 20;
INTARRAY z; // Array size of z is 10, and not 20.

CERT C also provides a warning regarding the need to be careful when using the variable length array
type. If you find it inevitable to use the variable length array type, the warning described in ARR32-C
shou

R3.1.5 ( 1) sizeof operator shall not be applied to pointer-

type v ariable.
●

( 2) sizeof operator shall not be applied to array- type oo e

argument.

Compliant ex ample N on- compliant ex ample

Compliant examples of (1) and (2) Non-compliant example of (1)
void func1(char *cp) { void func1(char *cp) {
size_t x; size_t x;
x = sizeof(*cp); // Compliant: *cp is not x = sizeof(cp); // Non-compliant: cp is
// pointer-type variable // pointer-type variable
size_t y; // (argument)
y = sizeof(int *); // Compliant: int* is not
// pointer-type variable Non-compliant examples of (1) and (2)
void func2(int arg[MAX], size_t n) {
void func2(int arg[MAX], size_t n) { size_t argsize;
size_t argsize; argsize = sizeof(arg); // Non-compliant:
argsize = sizeof(arg[0]) * n; // Compliant: // arg is array-type argument
// arg[0] is not array-type argument

58 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 The first rule (1) is for preventing the misconception that sizeof(pointer-type variable) yields the si e

Reliability
of the space the pointer points to.
Since sizeof(array-type variable) yields the si e of the array, it is sometimes misconceived as
sizeof(pointer-type variable) also yields the si e of the space the pointer points to. ut actually, it
yields the si e of a pointer. The use of this rule will also be helpful, for example, to prevent the program-
mers from writing sizeof(p) by mistake, by misconceiving p in p[0] = 0 to be a type of array
without checking the variable declaration.
The second rule (2) is for preventing the misconception that sizeof(array-type argument) yields the

1
si e of an array.
Since the array-type argument is treated as pointer type, sizeof(array-type argument) yields the si e
of a pointer.

Reference materials for those wanting to know more in detail about this rule
・CERT ARR01-C
・C E- 67
・ ISRA C 2012 Amendment 12.

［Related rules］ 3. .3 1. .

Prev ent operations that may cause runtime error

from falling into error cases.

R3.2.1 perations shall be performed after confirming that

the right- hand side ex pression of div ision or remain-
der operation is not 0 .

Compliant ex ample N on- compliant ex ample

if (y != 0) { ans = x/y;
ans = x/y;
}

Apart from when the value is obviously not 0, the operations should be performed after checking that
the right-hand side expression of division or remainder is not 0. therwise, division by ero error may
occur at runtime.

［Related rules］ 3. . ， 3.3.1

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 59

 R3.2.2
Reliability

M emory pointed by a pointer shall be referenced to

after check ing that the pointer is not the null pointer.

Compliant ex ample N on- compliant ex ample

if (p != NULL) { *p = 1;
*p = 1;
1

ardware trap or memory corruption will occur when the memory is accessed via a null pointer or a
pointer that points to an invalid memory. They can be prevented, such as, by
(1) Assigning a null pointer to a pointer that has already been used. y making it a rule to find out
where the pointer will point to before it is referenced, you can prevent the memory from being used
after it is freed or from being double freed.
(2) In recent years, some embedded operating systems, such as, A T SAR S, provide a system ser-
vice that checks whether the value of the pointer is valid or not. If such type of S is used, be sure
to always use this system service. y confirming that the value of the pointer is valid before the
memory is accessed through the pointer, you can prevent the memory from being accessed un ustly.
［Related rules］ 3. .1 3.3.1

Check the interface restrictions when a function is

called.

R3.3.1 I f a function returns error information, then that er-

ror information shall be tested.【M I SRA C:20 12 D 4.7 】

Compliant ex ample N on- compliant ex ample

p = malloc(BUFFERSIZE); p = malloc(BUFFERSIZE);
if (p == NULL) { *p = '\0';
// Error handling
}
else {
*p = '\0';
}

hen a function returns a value, the code that does not use that return value may cause an error. If it is
not necessary to reference the return value, consider setting a pro ect-specific rule to clearly indicate the
unnecessity of referencing, such as, by casting to void.
Regarding the rules on standard library errors, CERT C ERR30-C and ERR32-C explain about how to
use errno and ERR33-C provides a list of return values in the library and explains how to handle them
properly. These rules should serve as a good source of reference.
［Related rules］ 3. .1 3. . 3. .1 3. .
60 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art
R3.3.2

Reliability
The function shall check if there are constraints
on parameters before starting to process.

Compliant ex ample N on- compliant ex ample

int func(int para) { int func(int para) {
if (!((MIN <= para) && (para <= MAX))) // Normal processing

1
return range_error; ...
// Normal processing }
...
}

hether the constraints on parameters are checked by the function that calls or the function that is called
depends on how the interface is designed. owever, in order to prevent checking from being over-
looked, the same check should be performed in one place. Therefore, the check should be performed by
the function that is called. As another guideline, CERT C also recommends checking at the side that is
called. (See CERT C A I00-C.)
In case the function that is called cannot be changed, such as, when it is in a library, create a wrapper
function.

int func_with_check(int arg) {

// If arg is violating the parameter constraints, return range_error
// If not, call func and return the result
}
// Use a wrapper function to make the function call
if (func_with_check(para) == range_error) {
// Error processing
}

C allows the specification of the lower limit of array si e by using a static ualifier in an array decla-
ration of a formal parameter. or example, in the following function declaration, the lower limit of ele-
ments of an argument of array a is specified as 3.

void func(int a[static 3]);

y specifying such constraints on parameters, tools like the compiler would uite likely check the re-
strictions applied to arguments.

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 61

 D o not perform recursiv e calls.
Reliability

R3.4.1 F unctions shall not call themselv es, either directly

or indirectly.【M I SRA C:20 12 R17 .2】
1

Compliant ex ample N on- compliant ex ample

— unsigned int calc(unsigned int n)
{
if (n <= 1) {
return 1;
}
return n * calc(n-1);
}

Since the stack si e used at runtime for recursive calls cannot be predicted, there is a risk of stack over-
flow.

62 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Pay attention to branch conditions and describe how

Reliability
to handle cases that do not follow the predefined
conditions when they occur.

R3.5.1 The else clause shall be written at the end of an

if-else if statement. I f it is k nown that the else
condition does not normally occur, the description

1
of the else caluse shall be either one of the follow-
ing:
《 ( i) An ex ception handling process shall be written in the else clause.
ii comment specified by the project shall be ritten in the else
clause.》

Compliant ex ample N on- compliant ex ample

// else clause of an if-else if statement where // if-else if statement without the else clause
// the else condition does not normally occur if (var1 == 0) {
if (var1 == 0) { …
… } else if (0 < var1) {
} else if (0 < var1) { …
… }
} else {
// Write an exception handling process
…
}
…
if (var1 == 0) {
…
} else if (0 < var1) {
…
} else {
// NOT REACHED
}

If there is no else clause in an if-else if statement, it is not clear whether the programmer has for-
gotten to write the else clause or deliberately left out the else clause be cause the else condition dose
not occur. Even if it is known that the else condition does not normally occur, the behavior of the pro-
gram when an unexpected condition occurs can be specified by writing the else clause as follows
(i) rite the behavior under unexpected conditions in the else condition ( ow program behaves
in case of occurrence of the else condition should be determined.)
r, the program is much easier to understand by ust writing a comment that the else condition does
not occur.
(ii) rite a comment specified by the pro ect such as // NOT REACHED clearly indicating that the
else condition does not occur to express that the else clause has not been forgotten.

［Related rules］ 3.3.1， 3. .

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 63

 R3.5.2
Reliability

《The default clause shall be written at the end of

a switch statement. I f it is k nown that the default
condition does not normally occur, the description
of the default clause shall be either one of the following:
《( i) An ex ception handling process shall be written in the default
clause.
ii comment specified by the project shall be ritten in the default
1

clause. 》

Compliant ex ample N on- compliant ex ample

// Default clause in a switch statement where // Switch statement without the default clause
// the default condition does not normally occur switch(var1) {
switch(var1) { case 0:
case 0: …
… break;
break; case 1:
case 1: …
… break;
break; }
default:
/* Write an exception handling process */
…
break;
}
…
switch(var1) {
case 0:
…
break;
case 1:
…
break;
default:
// NOT REACHED
break;
}

64 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 If there is no default clause in a switch statement, it is not clear whether the programmer has for-

Reliability
gotten to write the default clause or deliberately left out the default clause because the default
condition does not occur. Even if it is known that the default condition does not normally occur, the
behavior of the program when an unexpected condition occurs can be specified by writing the default
clause as follows
(i) rite the behavior under unexpected conditions in the default condition ( redefine the behavior of
theprogram if by any chance the default condition occurs).
r, the program is much easier to understand by ust writing a comment that the default condition

1
does not occur.
(ii) rite a comment like // NOT REACHED that clearly indicates that the default condition does not
occur to express that the default clause was not written because it was forgotten. Such comment
will improve the readability of the program.

［Related rules］ 3.3.1， 3. .1， M3.1.

R3.5.3 Eq uality operators ( ==, ! =) shall not be used for

comparisons of loop counters.

Compliant ex ample N on- compliant ex ample

void func() { void func() {
int i; int i;
for (i = 0; i < 9; i += 2) { for (i = 0; i != 9; i += 2) {
… …

If the amount of change for the loop counter is not 1, an infinite loop may occur. Therefore, for compari-
son to determine the number of loop iterations, do not use the e uality operators (==, !=). (Instead use
<=, >=, < , > .)

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 65

 Pay attention to the order of ev aluation
Reliability

R3.6.1 V ariables whose v alues are changed in an ex pres-

sion shall not be referred to or modified in the
●

same ex pression.
1

Compliant ex ample N on- compliant ex ample

f (x, x); f (x, x++);
x++;
- or -
f (x + 1, x);
x++;

Compilers do not guarantee the execution (evaluation) order of each actual argument in functions with
multiple parameters. The arguments may be executed from the right or from the left. In addition, com-
pilers do not guarantee the execution order of the left-hand and the right-hand side of binary operations
such as operation. Therefore, if the same ob ect is updated and referenced in a se uence of arguments
or binary operation expressions, the execution result is not guaranteed. Such a problem, where the ex-
ecution result is not guaranteed, is called a side effect problem. o not write code that causes such side
effect problems.
This rule, however, does not prohibit descriptions, such as, those shown below which do not cause the
side effect problem.
x = x + 1;
x = f(x);

［Related rules］ 3. . ， M1. .1

66 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

R3.6.2 F unction calls with side effects and volatile v ari-

Reliability
ables shall not be described more than once in a
seq uence of actual arguments or binary operation
ex pressions.

Compliant ex ample N on- compliant ex ample

1. 1.

1
extern int G_a; extern int G_a;
x = func1(); x = func1() + func2(); // With side effect
x += func2(); // problem
… …
int func1(void) { int func1(void) {
G_a += 10; G_a += 10;
… …
} }
int func2(void) { int func2(void) {
G_a -= 10; G_a -= 10;
… …
} }

2. 2.
volatile int v; volatile int v;
y = v; f(v, v);
f(y, v);

Compilers do not guarantee the execution (evaluation) order of each actual argument for functions with
multiple parameters. The arguments may be executed from the right or flom the left. In addition, com-
pilers do not guarantee the execution order of the left-hand and the right-hand side of binary operations
such as operation. Therefore, the execution results of two or more function calls with side effects and
volatile variables in a se uence of arguments or binary operation expressions may not be guaranteed.
Such unsafe descriptions must be avoided.

［Related rules］ 3. .1， M1. .1

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 67

 R3.6.3
Reliability

●
sizeof operator shall not be used in ex pressions
that hav e side effect.

Compliant ex ample N on- compliant ex ample

x = sizeof(i); x = sizeof(i++);
1

i++; y = sizeof(int[i++]);
y = sizeof(int[i]);
i++;

ntil C 0, the expression in parenthesis of sizeof operator was used only for finding the si e of the
expression type, and was not executed.
Therefore, even when ++ operator like sizeof(i++) was described, i was not incremented. owever,
in C , if the type is a variable length array, there are cases when the expression is evaluated. In those
cases, i in sizeof(int[i++ ) will be incremented by ++ operator. Such description should not be used
because it can easily be misunderstood.

［Related rules］ 3.1. 1. .

B e careful with how to access the shared data in

programs that use threads or signals.

R3.11.1 F or concurrent processing, volatile shall not be

used as synchroniz ation primitiv e.

Compliant ex ample N on- compliant ex ample

In case of C11 volatile int v = 0; // Non-compliant

#include <threads.h> ...
v++; // Not processed indivisibly.
int v = 0; ...
mtx_t flag; // mutex is used for exclusive
// control
...
mtx_lock(&flag);
v++; // In the critical section.
// Processed indivisibly
mtx_unlock(&flag);
...

68 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 or concurrent processing or asynchronous signal processing, there is a need to properly reflect the result
of updated data to other threads. sing volatile to guarantee the indivisibility and visibility of data

Reliability
refreshed by other threads is a mistake. volatile is used for preventing the compiler from optimi ing
the data and does not guarantee indivisibility, etc., in concurrent processing. To guarantee the indivisibil-
ity of a single data, use mutex, etc., as the synchroni ation primitive.
It is preferable to ac uire and release synchroni ation primitives at the same level of abstraction in the
same translation unit.

1
R3.11.2 The bit fields that may be allocated in the same
memory space shall not be accessed by multiple
threads or shall be ex clusiv ely controlled properly.

Compliant ex ample N on- compliant ex ample

In case of C11 struct {

#include <threads.h> unsigned int flag1 : 1;
unsigned int flag2 : 1;
struct { } s;
unsigned int flag1 : 1;
unsigned int flag2 : 1; // Non-compliant: Not exclusively controlled
} s; // properly
void func1() {
mtx_t lock; // mutex is used for exclusive s.flag1 = 1;
control }

void func1() { void func2() {

mtx_lock(&lock); // Compliant: Exclusively s.flag2 = 1;
// controlled properly }
s.flag1 = 1;
mtx_unlock(&lock); // func1 and func2 are executed by different
} // threads

void func2() {
mtx_lock(&lock); // Compliant: Exclusively
// controlled properly
s.flag2 = 1;
mtx_unlock(&lock);
}

// func1 and func2 are executed by different

// threads

If multiple threads access bit fields allocated in the same memory space, the result of data referenced or
refreshed in the ad acent bit fields may become incorrect. To avoid this problem, allocate the data sepa-
rately in different memory spaces or perform the exclusive control or mutual exclusion properly.

Reference materials for those wanting to know more in detail about this rule
・ CERT C C 32-C

［Related rules］ . .1 1.3.3

R eliab ility3 ● R 3 W rite in a way to en sure b eh av ior. 69

 Maintainability
Many embedded software developments require mainte-
nance tasks, including the modification of the software that
has already been developed.
There are various reasons for maintenance. For example,
maintenance becomes necessary:
・When a bug is found in one part of the released software
and must be modified;
・When a new function is added to existing software in re-
When any kind of additional work is carried out on the
already developed software as in the above examples, it
is important to perform such work as accurately and effi-
ciently as possible to maintain the quality of the software.
This is called “maintainability” in the field of system devel-
opment.
This section clarifies the practices to keep and improve the
maintainability of embedded software source code.

● Maintainability 1: Keep in mind that others will read the

program.
● Maintainability 2: Write in a style that can prevent
modification errors.
● Maintainability 3: Write programs simply.
● Maintainability 4: Write in a unified style.
● Maintainability 5: Write in a style that makes testing
easy.
 M aintainability
K eep in mind that others will read
1 the program.

It is easily conceivable that source code is reused and maintained by engineers who are not
the original creators. Therefore, it is necessary to write source code that is easy to understand
by taking account of others who will read it later.

M aintaiability 1.1 D o not leav e unused descriptions.

M aintainability

M aintaiability 1.2 D o not writing confusingly.

M aintaiability 1.3 D o not write in an unconv entional style.

M aintaiability 1.4 rite in a style that clearly specifies the operator pre-
cedence.
1

M aintaiability 1.5 Ex plicitly describe the operations that are lik ely to
cause misunderstanding when they are omitted.

M aintaiability 1.6 U se one area for one purpose.

M aintaiability 1.7 D o not reuse names.

M aintaiability 1.8 Do not use language specifications that are li ely to

cause misunderstanding.

M aintaiability 1.9 W hen writing in an unconv entional style, ex plicitly

state its intention.

M aintaiability 1.10 D o not embed magic numbers.

M aintaiability 1.11 Ex plicitly state the area attributes.

Correctly describe the statements ev en if they are not

M aintaiability 1.12
compiled.

72 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M 1 .1 D o not leav e unused descriptions.

M1.1.1 U nused functions, v ariables, parameters, typedefs,

tags, labels or macros shall not be declared ( de-
P ref eren ce
guide
R ule
fined

Compliant ex ample N on- compliant ex ample

void func(void) { void func(int arg) {
... // arg is unused
} ...

M aintainability
When necessary in case of callback function }
int cbfunc2(int arg1, int);
// In case the callback function types are fixed
// to be int(*)(int,int), the second argument
// is necessary even when it is not used

eclarations (definitions) of unused functions, variables, parameters labels, etc. impairs maintainability
because it makes it difficult to determine whether the programmer has forgotten to delete them or has
made a description error.

1
owever, when writing a call back function, make it explicit that parameter is not used, by not describ-
ing the name of the parameter to keep the function types consistent.
［Related rules］ M1. .1， M . .

M1.1.2 Sections of code should not be “ commented

out” .【M I SRA C:20 12 D 4.4】
P ref eren ce
guide

or commenting out sections of code 《the coding R ule

rule shall be specified

Compliant ex ample N on- compliant ex ample

Compliant example of (2)（ Non-compliant example of ( )
n ）
... ...
// i = i * i; // i = i * i;
j = j * ; j = j * ;
... ...

ormally, invalidated sections of the code should not be left in the code as it may impair the code read-
ability.
However, if there is a need to invalidate certain sections of the code by commenting them out, set a rule,
for example, to use only comment for commenting out. Any section of the code can also be invali-
dated without using comment out by specifying that section in between #if 0 and endif#.
［Related rules］ M1.1 .1， M . .

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 73

 M 1 . 2 紛らわしい書き方をしない。
1.2 D o not writing confusingly.

M1.2.1 1 O nly one v ariable shall be declared in one

declaration statement ( av oid multiple declara-
P ref eren ce
guide

tions R ule

2 Automatic v ariables of the same type used for

the similar purposes may be declared in one declaration
statement, but v ariables with initializ ation and v ariables
without initializ ation shall not be mix ed.
M aintainability

Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1)
int i; int i, j;
int j;
Non-compliant example of (2)
Compliant example of (2) int i, j, k = 0;
int i, j; // Non-compliant: A variable with initialization
int k = 0; // and variables without initialization are mixed

int *p; int *p, i;

1

int i; // Non-compliant: Variables of different types

// are mixed

If the declaration is int *p;, the type of p is int*. However, if the declaration is int *p, q;, the type
of q becomes int instead of int*.

［Related rule］ M1.6.1

74 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.2.2 Suffixes shall be added to constant descriptions that
can use them to indicate appropriate types. Only an
Preference
guide
Rule
uppercase letter “L” shall be used for a suffix indi- specification
cating a long type integer constant.

Compliant example Non-compliant example

void func(long int); void func(long int);
… …
float f; float f;
long int w; long int w;
unsigned int ui; unsigned int ui;

f = f + 1.0F; // Explicitly state that it is a f = f + 1.0;

Maintainability
// float operation func(1l); // 1l (numeral 1 and letter l) can get
func(1L); // Description of L should be an // confused with 11 (number 11)
// uppercase letter if ( ui < 0x8000) {
if (ui < 0x8000U) { // Explicitly state that it …
// is an unsigned comparison
…

Basically, when there is no suffix, an integer constant will be an int type and a floating constant will be

1
a double type. However, when an integer constant value that cannot be expressed with an int type is
described, its type will be the one that can express that value. Therefore, 0x8000 will be unsigned int
if int is 16 bits, and signed int if int is 32 bits. If you would like to use it as unsigned, it is neces-
sary to explicitly describe “U” as the suffix. In addition, in case of a target system where the operation
speed differs between floating point number of float type and that of double type, when performing
operations between a float type variable and a floating constant without a suffix “F,” constant, it should
be noted that the operation will be a double type.
For floating constants, writing at least one digit on both sides of the decimal point will make them easily
recognizable as floating constants.

［Related rule］ M1.8.5

M1.2.3 When expressing a long string literal, successive

string literals shall be concatenated without using
Preference
guide
Rule
newlines within the string literal. specification

Compliant example Non-compliant example

char abc[] = "aaaaaaaa¥n" char abc[] = "aaaaaaaa¥n¥

"bbbbbbbb¥n" bbbbbbbb¥n¥
"ccccccc¥n"; ccccccc¥n";

Long strings that extend to multiple lines will become easier to read by describing them as concatena-
tion of multiple string literals.

Ma int a ina b ilit y1 ● M1 C o nsi der t h a t o t h ers w ill rea d t h e p ro gra m . 75

 性
M 1 .3
1.3 特殊な書き方はしない。
D o not write in an unconv entional style.

M1.3.1 Ex pressions ev aluating to true or false shall not be

described in switch (ex pression ).
P ref eren ce
guide
R ule
●

Compliant ex ample N on- compliant ex ample

switch (i_var1 == 0) {
case 0:
i_var2 = 1;
break;
default:
M aintainability

i_var2 = 0;
break;
}

hen an expression evaluating to true or false is used in a switch statement, the number of branch
directions will be two, and the necessity of using the switch statement as a multiway branch command
becomes low. Compared to if statements, switch statements have a higher possibility of errors, such as,
writing the default clause wrongly or missing break statements. Therefore, it is recommended to use
if statements unless the number of branch directions is three or more. When there will be two branch
directions like in case of the non-compliant example, write the if statement in the way shown below.
1

if (i_var1 == 0) {
i_var2 = 0;
} else {
i_var2 = 1;
}

[Related rule］ 1.1.

M1.3.2 The case labels and default label in a switch state-

ment shall be described only in the compound state-
P ref eren ce
guide
ment e cluding nested compound statements ith- R ule
in the body of the switch statement.

Compliant ex ample N on- compliant ex ample

switch (x) { switch (x) { // Compound statement of the
case 1: // switch statement body
{ case 1:
… { // Nested compound statement
} case 2: // Do not describe case label in
… // nested compound statement
break; …
case 2: }
… …
break; break;
default: default:
… …
break; break;
} }

【Reference materials for those wanting to know more in detail about this rule】
・ ISRA C 2012 R16.2
・CERT C SC20-C

76 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.3.3 he types shall be e plicitly described for definitions
P ref eren ce
guide

and declarations of functions and v ariables. R ule

Compliant ex ample N on- compliant ex ample

extern int global; extern global;

int func(void) { func(void) {

… …
} }

If data types are not described in definitions and declarations of functions or variables, they are inter-

M aintainability
preted as int type. Explicitly specifying data types improves readability. In C language standard,
these descriptions that do not explicitly specify the data types are prohibited and will be detected as error
by the compiler.

[Related rule］ M . .1

M 1 . 4 演算の優先順位がわかりやすいように記述する。
W rite in a style that clearly specifies the operator

1
1.4 precedence.

M1.4.1 Ex pressions described at the right hand and left

hand of && and || operations shall be either simple
P ref eren ce
guide
R ule
v ariables or ex pressions enclosed with ( ). How-
ev er, if only && operations or only || operations are
successiv ely combined, it is not necessary to en-
close each && and || ex pression with ( ).

Compliant ex ample N on- compliant ex ample

if ((x > 0) && (x < 10)) if (x > 0 && x < 10)
if ((x != 1) && (x != 4) && (x != 10)) if (x != 1 && x != 4 && x != 10)
if (flag_tb[i] && status)
if (!x || y)

The ob ective of this rule is to write an expression that prevents confusion in understanding the order of
precedence of each operand in && or ||. Its aim is to highlight the operation of each operand in && or ||
to improve the readability by enclosing the expression that contains an operator other than unary, postfix
and cast operators with ( ) . Another rule that may be considered is to enclose ! operation with ( ) be-
cause the order of precedence may be confusing to beginners.

[Related rules］ .3. M1. .

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 77

 M1.4.2 《U sage of parentheses to ex plicitly indicate operator
P ref eren ce
guide
R ule
precedence shall be defined

Compliant ex ample N on- compliant ex ample

a = (b << 1) + c; a = b << 1 + c; // There is a possibility that
- or - // the operator precedence is
a = b << (1 + c); // misunderstood

perator precedence in C language is difficult to capture. Therefore, set a rule as exemplified below to
improve its readability. If an expression contains multiple binary operators that differs in the order of
operation priority, parentheses () shall be used to explicitly indicate the operator precedence, provided
M aintainability

that the parentheses () may be omitted in four arithmetic operations.

To learn more about the operator precedence and its interpretation, refer to ISRA C 2012 Rule 12.1
(p.103).
[Related rule］ M1.5.1

M 1 . 5 関数のアドレス取得の演算や比較演算を省略しない。
Ex plicitly describe operations that may lead to mis-
1.5
1

understanding when omitted.

M1.5.1 function identifier function name shall only be

used with either a preceding “ &” , or with a parenthe-
P ref eren ce
guide

siz ed parameter list, which may be empty. R ule

【M I SRA C:20 0 4 16.9 】

Compliant ex ample N on- compliant ex ample

void func(void); void func(void);
void (*fp)(void) = &func; void (*fp)(void) = func; // Non-compliant:
// There is no &
if (func()) { if (func) { // Non-compliant: Address is
// obtained rather than calling the
// function. It might be mistakenly
// written as afunction call without
// arguments.

In C language, if a function name is written alone, it means obtaining the function address, and not call-
ing the function. This means that, for obtaining the function address, there is no need of placing & in
front of the function name. owever, the function name without a preceding &, in some cases, may be
misunderstood that it is for a function call (for example, when using languages like Ada and Ruby that
write only the name to call a subprogram without arguments). y following the rule to add & when ob-
taining the function address, it will become easier to detect mistakes in function names written as they
are without & and subsequent () .
[Related rule］ M1. .

78 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.5.2 omparisons ith ero shall be e plicitly ritten
P ref eren ce
guide
R ule
in conditional ex pressions.

Compliant ex ample N on- compliant ex ample

int x = 5; int x = 5;

if (x != 0) { if (x) {
… …
} }

M aintainability
In conditional expressions, when the result of the expression is ero (0), it is treated as false, and non-
zero is treated as true. Therefore, comparative operations may be omitted in conditional expressions.
owever, such description may cause unintended behavior. or this reason, the comparisons should not
be omitted to make the intention of the program explicit. oreover,since bool, true and false are
defined as macros in <stdbool.h>, any of them should be used to describe a type that represents true
or false, or a constant that represents a true or false value.

1
[Related rules］ . .1 M1. .1

性
M 1 .6
1.6 領域は 1 つの利用目的に使用する。
U se one area for one purpose.

M1.6.1 V ariables shall be prepared for each purpose.

P ref eren ce
guide
R ule

Compliant ex ample N on- compliant ex ample

// Counter variable and work variable for // Counter variable and work variable for
// replacement are different // replacement are the same
for (i = 0; i < MAX; i++) { for (i = 0; i < MAX; i++) {
data[i] = i; data[i] = i;
} }
if ( > x) { if ( > x) {
wk = ; i = x;
x = ; x = ;
= wk; = i;
} }

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 79

 Reusing variables should be avoided as it impairs readability and increases the risk of causing errors
during modification.

[Related rule］ M1. .1

M1.6.2 Unions shall not be used【M I SRA C:20 0 4 18 .4】

f unions are used the same members that are
P ref eren ce
guide
R ule
assigned v alues shall be referenced.
M aintainability

Compliant ex ample N on- compliant ex ample

compliant example of (2) Non-compliant example of (2)
// When the typ is INT, i_var is valid // When the typ is INT, i_var is valid
// When the type is CHAR, c_var[4] is valid // When the type is CHAR, c_var[4] is valid
struct stag { struct stag {
int type; int type;
union utag { union utag {
char c_var[4]; char c_var[4];
int i_var; int i_var;
} u_var; } u_var;
1

} s_var; } s_var;
… …
int i; int i;
… …
if (s_var.type == INT) { if (s_var.type == INT) {
s_var.u_var.i_var = 1; s_var.u_var.c_var[0] = 0;
} s_var.u_var.c_var[1] = 0;
… s_var.u_var.c_var[2] = 0;
i = s_var.u_var.i_var; s_var.u_var.c_var[3] = 1;
}
…
i = s_var.u_var.i_var;

nion allows the same memory space to be declared with areas of different si es. owever, since the
way bits of data overlap among members is implementation-dependent, unexpected behavior may occur.
Therefore, if union is going to be used, follow rule (2) as a precautionary measure.

[Related rule］ .1.3

80 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性

1.7 名前を再使用しない。
D o not reuse names.
M 1 .7

M1.7.1 The rules below shall be followed for name uniq ue-
P ref eren ce
guide
R ule
ness.

1. n identifier declared in an inner scope shall not hide an identifier

declared in an outer scope.【M I SRA C:20 12 R5.3】
typedef name shall be a uni ue identifier 【M I SRA C:20 13 R5.6】
3 tag name shall be a uni ue identifier 【M I SRA C:20 12 R5.7 】

M aintainability
4. I dentifiers that define obj ects or functions with ex ternal link age
shall be uniq ue.【M I SRA C:20 12 R5.8 】
5. I dentifiers that define obj ects or functions with internal link age
should be uniq ue.【M I SRA C:20 12 R5.9 】
o identifier in one name space should have the same spelling as
an identifier in another name space ith the e ception of structure
member and union member names.【M I SRA C:20 0 4 5.6】

1
Compliant ex ample N on- compliant ex ample

int var1; int var1;

void func(int arg1) { void func(int arg1) {
int var2; int var1; // The same name of a variable
var2 = arg1; // outside the function is used
{ var1 = arg1;
int var3; {
var3 = var2; int var1; // The same name of a variable
… // in the outer scope is used
} …
} var1 = 0; // Intention of which var1 is
// assigned is unclear
…
}
}

The program will become easier to read by using uni ue names within the program, except for cases like
automatic variables where the scope is limited.
In C language, in addition to the scope defined by file and block, names have the following four name
spaces that vary according to the category they belong to
1. L abel 2.Tag 3. Member of structure or union . ther identifiers
* acro has no name space.
The language specification allows using the same name to different identifiers if their name spaces dif-
fer, but this rule restricts such usage for the purpose of improving the readability of the program.

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 81

 As the exception of rule 2., the typedef name may be the same as the name of the structure member,
union member or tag related to that typedef. As the exception of rule 3., the tag name may be the same
as the name of the typedef related to that tag.

[Related rule］ M .3.1

M1.7.2 N ames for functions, v ariables and macros in the

P ref eren ce
guide
standard library shall not be redefined or reused n R ule
M aintainability

addition those macro names shall not be undefined

Compliant ex ample N on- compliant ex ample

#include <string.h> #undef NULL
void *my_memcpy(void *arg1, const void *arg2, #define NULL ((void *)0)
size_t size) {
… #include <string.h>
1

} void *memcpy(void *arg1, const void *arg2, size_

t size) {
…
}

Redefining names for functions, variables and macros defined in the standard library degrades the read-
ability of the program.

[Related rule］ M1. .

82 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.7.3 ames variables that start ith an underscore shall
P ref eren ce
guide
not be defined R ule

Compliant ex ample N on- compliant ex ample

— int _Max1; // Reserved

int __max2; // Reserved
int _max3; // Reserved

struct S {
int _mem1; // Not reserved, but shall not be
// used

M aintainability
};

C language standard defines the following names as reserved.

1 ame that starts with an underscore and is followed by either an uppercase letter or another
underscore;
Examples _Abc, __abc
2 N ames that start with an underscore

1
These names are reserved for variables or functions with file scope and for tag names.
hen the reserved names are redefined, the behavior of the compiler will not be guaranteed.
N ames that start with an underscore and are followed by a lowercase letter are not reserved for use
outside the file scope. ut to make it easy to remember, this rule restricts the use of all names
starting with an underscore.

[Related rule］ M1. .

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 83

 性 D o not use language specifications that are lik ely
1.8 勘違いしやすい言語仕様を使用しない。
M 1 .8
to cause misunderstanding.

M1.8.1 The right- hand operand of a logical && or || operator

P ref eren ce
guide
shall not contain side effects.【M I SRA C:20 12 R13.5】 R ule

Compliant ex ample N on- compliant ex ample

volatile int *io_port = ...; // Address for volatile int *io_port = ...; // Address for
// memory mapped I/O // memory mapped I/O
int io_result = *io_port; // Whether I/O is processed or not varies,
M aintainability

// I/O is processed, regardless of the // depending on the conditions of the if

// conditions of the if statement // statement
if ((x != 0) && (io_result > 0)) { if ((x != 0) && (*io_port > 0)) {
… …
} }

The right-hand side of && or || operators may not be executed, depending on the result of the condi-
tion of their left-hand side. Take, for example, an expression with a side effect of incrementing. It this
expression is written on the right-hand side, whether the increment is executed or not will be difficult to
understand, because it depends on the condition of the left-hand side. Therefore, expressions with side
1

effects shall not be described on the right-hand side of && or || operators.

[Related rules］ 3. .1 3. .

M1.8.2 C macros shall only ex pand to a braced initializ er, a

constant, a parenthesised ex pression, a type q uali-
P ref eren ce
guide

fier a storage class specifier or a do- hile- ero con- R ule

struct.【M I SRA C:20 0 4 19 .4】

Compliant ex ample N on- compliant ex ample

#define START 0x0410 #define BIGIN {
#define STO 0x0401 #define END }
#define LOO _STAT for(;;) {
#define LOO _END }

acro definitions can be leveraged to make the code look like it is written in a language other than C, or
greatly reduce the amount of code. owever, using macros for these purposes will degrade readability.
It is important to use macros only where coding and modification errors can be avoided. or do-while-
ero, see ISRA C 200 .
urthermore, in CERT C, there is a rule that says, o not conclude macro definitions with a semicolon
( RE11-C). The programmers should also keep this recommendation in mind when defining the macros
since inserting a semicolon at the end of a macro definition may unexpectedly change the control flow of
the program.

[Related rule］ M1. .

84 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.8.3 #line shall not be used, unless it is automatically
P ref eren ce
guide
R ule
generated by a tool.

#line serves as the means to intentionally modify file names or line numbers of warning or error mes-
sages output from the compiler. It is provided under the assumption that code is generated by tools, and
is not intended to be used directly by the programmers.

M1.8.4 P ref eren ce

M aintainability
guide
Seq uences of three or more characters starting with
R ule
?? and alternativ e tok ens shall not be used.

Compliant ex ample N on- compliant ex ample

s = "abc?(x)"; s = "abc??(x)"; // Compilers that can process

// trigraph sequences interpret

1
Compliant ex ample N on- compliant ex ample
// this as abc[x)

C language standard defines trigraph se uences and alternative tokens, assuming that there may be cases
where some characters cannot be used for coding, depending on the environment used for development.
The following nine three-character patterns, known as trigraph se uences
??= ??( ??/ ??) ?? ??< ??! ??> ??-
can be replaced respectively at the beginning of preprocessing with the following corresponding single-
character counterparts
# [ ] { | } ~
The following two-character patterns, known as digraph se uences
< > <: :> : : :
are handled respectively as e uivalent to
{ } [ ] # ##
in the lex ical analysis.
C defines the following macros in the header iso6 6.h
and and_eq bitand bitor compl
not not_e or or_e xor xor_e
as alternative spellings that correspond respectively to the following tokens.
&& &= & | ~ ! != || |= =
Since trigraph se uences and alternative tokens are not fre uently used, many compilers support them as
an optional feature.

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 85

 M1.8.5 se uence starting ith ero that is t o or
P ref eren ce
guide
R ule
more digits long shall not be used as a constant.

Compliant ex ample N on- compliant ex ample

// Digits are not aligned for better appearance // Examples of aligning the digits for better
a = 0; // appearance
b = ; a = 000; // Interpreted as zero (0) in octal
c = 100; // notation
b = 010; // Interpreted as eight ( ) and not as
// ten (10) in decimal notation
c = 100; // Interpreted as hundred (100) in
// decimal notation
M aintainability

Constants starting with ero (0) are interpreted as octal. o ero (0) can be added in front of decimal
numbers to align their digits for the purpose of appearance (i.e. ero padding is not allowed).

[Related rule］ M1. .

1

性
M 1 . 9 特殊な書き方は意図を明示する。
W hen writing in an unconv entional style, ex plicitly
1.9 state its intention.

M1.9.1 I f statements that do nothing need to be intentionally

described, comments or empty macros shall be used
P ref eren ce
guide
R ule
to mak e them noticeable.

Compliant ex ample N on- compliant ex ample

for (;;) { for (;;) {
// Waiting for interruption }
}
i = COUNT;
#define NO_STATEMENT while ((--i) > 0);
i = COUNT;
while ((--i) > 0) {
NO_STATEMENT;
}

[Related rule］ M1.1.1

86 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.9.2 《The unified style of writing infinite loops shall be
P ref eren ce
guide

defined R ule

efine the unified style of writing infinite loops, for example, by selecting from one of the following
・ rite the infinite loops uniformly as for(;;); .
・ rite the infinite loops uniformly as while(1); .
・ se the macro defined for the infinite loop.

M aintainability
性
D o not embed magic numbers.
1.10 マジックナンバーを埋め込まない。
M 1 .1 0

M1.10.1 meaningful constant shall be used after defining it

P ref eren ce
guide
as a macro.

1
R ule

Compliant ex ample N on- compliant ex ample

#define MAXCNT if (cnt == ) {

if (cnt == MAXCNT) { …
…

y defining a constant as a macro, its meaning can be stated explicitly. hen modifying a program
where the same constant is used in multiple places, modification errors can be prevented much more
easily if this same constant is defined as a macro, because then, there will only be a need to modify one
macro.
For data size, however, use sizeof instead of using a macro.

[Related rule］ M . .

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 87

 性

1.11 領域の属性は明示する。
Ex plicitly state the area attributes.
M 1 .1 1

M1.11.1 Read- only areas shall be declared as const type.

P ref eren ce
guide
R ule

Compliant ex ample N on- compliant ex ample

const volatile int read_only_mem; int read_only_mem; // Read-only memory

// Read-only memory int constant_data = 10;
M aintainability

const int constant_data = 10; // Read-only data that does not

// Read-only data that does not // require memory allocation
// require memory allocation // Only reads the contents pointed by arg
// Only reads the contents pointed by arg
void func(const char *arg, int n) { void func(char *arg, int n) {
int i; int i;
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
put(*arg++); put(*arg++);
} }
} }
1

hen a variable is only referenced and not modified, declaring it as const- ualified variable makes
it clear that it is not modified.That is why read-only variables should be const- ualified. oreover, a
memory that is only referenced by the program but modified by other execution units should be declared
with const volatile ualification so that the compiler can check and prevent the program from re-
newing it by mistake. Furthermore, function interfaces can be clearly stated by adding consts to param-
eters when the memory spaces indicated by the parameters are only referenced in function processing.

[Related rule］ 1.1.

88 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M1.11.2 Areas that may be updated by other ex ecution units
P ref eren ce
guide

shall be declared as volatile. R ule

Compliant ex ample N on- compliant ex ample

volatile int x = 1; int x = 1;

while (x == 1) { while (x == 1) {
// x is not modified within the loop and is // x is not modified within the loop and is
// modified by other execution units // modified by other execution units
} }

M aintainability
Areas ualified as volatile prohibit the compiler from optimi ing them. rohibition of optimi ation
means that executable ob ect is generated strictly to every description, including even those considered
logically as unnecessary of processing. Suppose there is a description x;” that has no meaning logically
except for only referencing variable x. If it is not ualified as volatile , the compiler will normally ig-
nore such statement and will not generate an executable ob ect. hereas, if it is ualified as volatile
, the compiler will generate an executable ob ect that only references variable x (loads it to the register).
This description can be assumed to have meaning in indicating the interface to I registers (mapped to

1
the memory) that are reset when the memory is read. Embedded software has I registers for controlling
hardware that should be ualified as volatile when considered appropriate, based on their characteristics.

M1.11.3 《Rules for v ariable declaration and definition for P ref eren ce
guide

i ation shall be defined R ule

Compliant ex ample N on- compliant ex ample

const int x = 100; // Allocate to ROM int x = 100;

Variables ualified as const can be allocated to R i ation target areas. or example, when developing
a program where R i ation is applied, ualify the read-only variables as const , and specify the name
of the section to which these variables are allocated by, such as, #pragma.

[Related rule］ 1.1.

M ain tain ab ility1 ● M 1 C on sider th at oth ers will read th e program . 89

 性

M 1 . 1 2 コンパイルされない文でも正しい記述を行う。
1.12 Correctly describe the statements ev en if they are
not compiled.

M1.12.1 Correct code shall be described ev en if it is going to

P ref eren ce
guide
be deleted by the preprocessor. R ule

Compliant ex ample N on- compliant ex ample

#if 0 #if 0
/* */ /*
#endif #endif
M aintainability

#if 0 #if 0
… …
#else #else1
int var; int var;
#endif #endif

#if 0 #if 0
/* I don't know */ I don't know
#endif #endif
1

[Related rule］ M1.1.

90 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 W rite in a style that can prev ent
M aintainability

2 modification errors

ne of the patterns that allows bugs to slip into a program easily is when other bugs are
created by mistake while fixing detected bugs. Especially if it has been a while since the
source code was written or if an engineer other than the creator modifies the source code,
unexpected misunderstanding may occur.
Efforts to reduce such modification errors as much as possible are strongly desired.

M aintainability
M aintaiability 2.1 Clarify the grouping of structured data and block s.

M aintainability 2.2 L ocalize access ranges and related data.

M ain tain ab ility2 ● 91

 性
M 2. 1 Clarify the grouping of structured data and block s.
構造化されたデータやブロックは、まとまりを明確化する。

2.1
M2.1.1 I f arrays and structures are initializ ed with v alues
P ref eren ce
guide
other than 0 , their structural form shall be indicated R ule
by using braces ‘ { }’ . D ata shall be described without
any omission, ex cept when all v alues are 0 .
M aintainability

Compliant ex ample N on- compliant ex ample

int arr1[2][3] = {{0, 1, 2}, {3, 4, 5}}; int arr1[2][3] = {0, 1, 2, 3, 4, 5};
int arr2[3] = {1, 1, 0}; int arr2[3] = {1, 1};

In initiali ation of arrays and structures, at least a pair of braces { }’ is required, but in this case, it is
difficult to see how the data for initiali ation are assigned. It is safer to create blocks according to the
structure, and fully describe the data for initialization without omitting any.
1

[Related rules］ 1. .1 M . .3

M2.1.2 The body of if, else if, else, while, do, for, and
P ref eren ce
guide

switch statements shall be enclosed into block s. R ule

Compliant ex ample N on- compliant ex ample

if (x == 1) { if (x == 1)
func(); func();
}

If there is only one statement that is controlled by, such as, an if statement, there is no need to enclose
this statement into a block. owever, when the program is modified and this single statement is changed
into multiple statements, there is a possibility of forgetting to enclose these multiple statements into a
block. To prevent such modification errors, enclose the body of each controlled statement into a block
In CERT C, there is a rule that says, o not place a semicolon on the same line as an if, for, or while
statement (E 1 -C). y following this recommendation, unexpected insertion of a semicolon, such
as, the following
if (x==b); {
...
}
can be prevented. This kind of code can be detected by using a code checker..

92 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
M 2. 2 アクセス範囲や関連するデータは局所化する。
2.2 L ocaliz e access ranges and related data.

M2.2.1 V ariables used only in one function shall be declared

P ref eren ce
guide
●

within the function. R ule

Compliant ex ample N on- compliant ex ample

void func1(void) int x = 0; // x is accessed only from func1
{ int y = 0; // y is accessed only from func2
static int x = 0; void func1(void) {

M aintainability
if (x != 0) { // Refer to the value in the if ( x != 0 ) { // Refer to the value in the
// immediately preceding call // immediately preceding call
x++; x++;
} }
… …
} }
void func2(void) void func2(void) {
{ y = 0; // Initialize each time
int y = 0; // Initialize each time …
… }
}

1
To declare variables in functions, it is sometimes effective to declare them with static storage class
specifiers. The following positive effects can be expected if static is specified

・Static memory space is reserved and the space is valid until the end of the program ( ithout static,
generally, stack memory is used and is valid until the end of the function.)
・Initiali ation occurs only once after the program is started and if a function is called more than once,
the value assigned in the previous call is retained.

Therefore, among the variables accessed only within a function, the variables with values that are re-
tained even after the function terminates should be declared with static storage class specifiers.
In addition, declaring a large memory space for an automatic variable may cause stack overflow. hen
there is such risk, one preventive measure is to use static to reserve static memory space even if the
values do not need to be retained after the function terminates. However, when using static for such
purpose, its intention should be explicitly stated by, such as, comments (to prevent potential misunder-
standing that static has been used by mistake).

[Related rule］ M . .

M ain tain ab ility2 ● 93

 M2.2.2 V ariables accessed by sev eral functions defined in
the same file shall be declared ith static in the file
P ref eren ce
guide
R ule
scope.

Compliant ex ample N on- compliant ex ample

// x is not accessed by other files // x is not accessed by other files
static int x; int x;
void func1(void) { void func1(void) {
… …
x = 0; x = 0;
… …
} }
void func2(void) { void func2(void) {
M aintainability

… …
if (x == 0) { if (x==0) {
x++; x++;
} }
… …
} }

The fewer the global variables, the higher the readability of the entire program becomes. To prevent the
1

number of global variables from increasing, static storage class specifiers should be used as much as
possible.

[Related rules］ M . .1， M . .3

M2.2.3 unctions that are called only by functions defined in

P ref eren ce
guide

the same file shall be static. R ule

Compliant ex ample N on- compliant ex ample

// func1 is not called from functions in other // func1 is not called from functions in other
// files // files
static void func1(void) { void func1(void) {
… …
} }
void func2(void) { void func2(void) {
… …
func1(); func1();
… …
} }

94 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 The fewer the global functions, the higher the readability of the entire program becomes. To prevent the
number of global functions from increasing, static storage class specifiers should be used as much as
possible.

[Related rule］ M . .

M2.2.4 enum shall be used rather than #define hen defining

P ref eren ce
guide

related constants. R ule

M aintainability
Compliant ex ample N on- compliant ex ample
enum ecountry { #define ENGLAND 0
ENGLAND, FRANCE, #define FRANCE 1
} country; #define SUNDAY 0
enum eweek { #define MONDAY 1
SUNDAY, MONDAY, int country, day;
} day; …

1
… if ( country == ENGLAND ) {
if ( country == ENGLAND ) { if ( day == MONDAY ) {
if ( day == MONDAY ) { if ( country == SUNDAY ) { // It is impossible
if ( country == SUNDAY ) { // It is possible // to check by tools
// to check by tools

To define the constants that are related like a set, use the enumeration type. y defining related constants
as enum type, and using this type, mistakes caused by the use of incorrect values can be prevented.
hile macro names defined by #define are expanded at the preprocessing stage and the compiler does
not process those names, enum constants defined by enum declaration will be the names processed by
the compiler. The names processed by the compiler are easier to debug, becouse they can be referenced
during symbolic debugging.

[Related rules］ M1.1 .1 1.3.

M ain tain ab ility2 ● 95

 M aintainability

3 W rite programs simply.

rom the standpoint of software maintainability, there is no better software than those
created from simply written programs.
C language enables the structuring of software by, such as, dividing the program into
separate source files and functions. Structured programming that represents program
M aintainability

structure through three forms se uence, selection and repetition, is also one of the applicable
techni ues to write simple software programs. riting simple software descriptions through
effective use of software structuring is strongly desired. oreover, particular attention should
also be given to writing styles applied to describe, such as, iteration processing, assignment
and operations, as some may make the program difficult to maintain.
1

M aintaiability 3.1 D o structured programming.

M aintaiability 3.2 L imit the number of side effects per statement to

one.

M aintaiability 3.3 W rite ex pressions that differ in purpose separately.

M aintaiability 3.4 D o not use complicated pointer operations.

96 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
M 3 .1
3.1 構造化プログラミングを行う。
D o structured programming.

M3.1.1 There should be no more than one break or goto

statement used to terminate any iteration statement.
P ref eren ce
guide
R ule
【M I SRA C:20 12 R15.4】

Compliant ex ample N on- compliant ex ample

end = 0; for (i=0; loop iteration condition; i++) {
for (i=0; loop iteration condition && !end; i++) Iterated processing 1;

M aintainability
{ if (termination condition1) {
Iterated processing 1; break;
if (termination condition1 || termination }
condition2) { if (termination condition1) {
end = 1; break;
} else { }
Iterated processing 2; Iterated processing 2;
} }
}
-or-
for (i=0; loop iteration condition; i++) {
Iterated processing 1;

1
if (termination condition1 || termination
condition2) {
break;
}
Iterated processing 2;
}

This rule is to prevent the program logic from becoming complex. If a flag has to be prepared only for
eliminating the break statement, sometimes it is better not to prepare the flag and to use a break state-
ment. ( e careful, however, when using an end flag like in the case shown above as compliant example,
because it may complicate the program.)

M ain tain ab ility3 ● M 3 W rite program s in a sim ple way. 97

 M3.1.2 1 The goto statement shall not be used.
P ref eren ce
guide
2 W hen using a goto statement, the destination to R ule
j ump to shall be the label declared after the goto
statement that is within the block enclosing the
goto statement.

Compliant ex ample N on- compliant ex ample

Compliant example of (1) and (2) Non-compliant example of (1) and (2)
for (i = 0; loop iteration condition; i++) { i = 0;
Iterated processing; // goto is not LOO :
M aintainability

// included Iterated processing;

} i++;
if (loop iteration condition) {
Compliant example of (2) goto LOO ;
{ }
if (err != 0) {
goto ERR_RET;
}
…
ERR_RET:
end_proc();
1

return err;
}

These rules are to prevent the program logic from becoming complex. The purpose is not to eliminate
all the goto statements. The important point is to eliminate unnecessary goto statements to prevent the
program from becoming complicated (i.e., not being able to read it straightforwardly from top to bot-
tom). In some cases, the readability can actually be improved by writing goto statements. Therefore,
when programming, keep in mind how simply the logic can be expressed.
or example, goto statement can be useful to make the program simple, such as, when it is used to
ump to error processing or exit from multiple loops. or more information, CERT C E 12-C should
also serve as a good source of reference.

98 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M3.1.4 1 Each case clause and default clause in a switch
statement shall always end with a break state-
P ref eren ce
guide
R ule
ment.
2 I f the case clause or default clause in a switch
statement is not going to be ended with a break statement,
《a project-specific comment shall be defined》and that comment
shall instead be inserted.

Compliant ex ample N on- compliant ex ample

M aintainability
Compliant example of (1) and (2) Non-compliant example of (1) and (2)
switch (week) { // No matter what the value of week is, the
case A: // code will be ELSE ==> bug
code = MON; switch (week) {
break; case A:
case B: code = MON;
code = TUE; case B:
break; code = TUE;
case C: case C:
code = WED; code = WED;
break; default:

1
default: code = ELSE;
code = ELSE; }
break;
} // This This is a case where processing of case
// B is continued after dd++, but it is non-
Compliant example of (2) // compliant not only to (1) but also to (2)
dd = 0; // because there is no comment
switch (status) { dd = 0;
case A: switch (status) {
dd++; case A:
// FALL THROUGH dd++;
case B: case B:

ne of the typical examples of coding error is caused by forgetting to write the break statement in a
switch statement in C language. To prevent it, avoid writing a case statement without the break state-
ment unnecessarily. If the code is intended to continue processing to the next case without the break
statement, always insert a comment to explicitly indicate that the absence of the break statement is not
a problem. efine what kind of comment to insert in such case in the coding convention. As one ex-
ample, // FALL THROUGH is a comment that is frequently used.

[Related rule］ 3. .

M ain tain ab ility3 ● M 3 W rite program s in a sim ple way. 99

 M3.1.5 1 A function shall end with one return statement.
2 A return statement to return in the middle of
P ref eren ce
guide
R ule
processing shall be written only in case of recov -
ery from abnormality.

This rule is to prevent the program logic from becoming complex. hen a program has many entry or
exit points, they will not only complicate the program but will also make it difficult to set break points
during debugging. In C language, there is only one entry point for a function but the exit points are
where the return statements are written.
M aintainability

L imit the number of side effects per statement to

M 3 性. 2
3.2 One
one.statement should have one side effect.

M3.2.1 1）Comma ex pressions shall not be used.

2）Comma ex pressions shall not be used, other
P ref eren ce
guide
1

R ule
than in ex pressions for initializ ing or updating in
for statements.

Compliant ex ample N on- compliant ex ample

Compliant example of (1) and (2) Non-compliant example of (1) and (2)
a = 1; a = 1, b = 1;
b = 1;
Non-compliant example of (1)
j = 10; for (i = 0, j = 10; i < 10; i++, j--) {
for (i = 0; i < 10; i++) { …
… }
j--;
}

Compliant example of (2)

for (i = 0, j = 10; i < 10; i++, j--) {
…
}

In general, the use of comma expressions make the program complicated. owever, the progam may
sometimes become easier to understand in expressions for initiali ing and updating in for statements by
using comma expressions to collectively describe all the pre-loop operations as one set and all the loop-
end operations as another set.

[Related rule］ M3.3.1

100 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M3.2.2 M ultiple assignments shall not be written in one
statement, ex cept when the same v alue is assigned
P ref eren ce
guide
R ule
to multiple v ariables.

Compliant ex ample N on- compliant ex ample

x = y = 0; y = (x += 1) + 2;
y = (a++) + (b++);

Assignments include the compound assignments (+= -=, etc) beside the simple assignment (=). ultiple
assignments may be written in one statement, but since they impair readability, one statement should

M aintainability
contain only one assignment.
owever, commonly used conventional descriptions shown below do not impair readability in many
cases. They may be treated as exceptions of this rule.
c = *p++;
*p++ = *q++;

1
性

3.3 目的の違う式は、分離して記述する。
W rite ex pressions that differ in purpose separately.
M 3 .3

M3.3.1 The three ex pressions of a for statement shall be

concerned only with loop control.
P ref eren ce
guide
R ule
【M I SRA C:20 0 4 13.5】

Compliant ex ample N on- compliant ex ample

for (i = 0; i < MAX; i++) { for (i = 0; i < MAX; i++, j++) {
… …
j++; }
}

In ISRA C 2012, rules 13. and 13.6 in ISRA C 200 have been consolidated into R1 .2, which
states that a for loop shall be well-formed . According to this rule, the first clause of a for statement,
for example, shall either be empty, assign a value in the loop counter or define and initiali e the loop
counter (C ).

[Related rules］ M3. .1， M3.3.

M ain tain ab ility3 ● M 3 W rite program s in a sim ple way. 101

 M3.3.2 N umeric v ariables being used within a for loop for
iteration counting shall not be modified in the body of
P ref eren ce
guide
R ule
the loop.【M I SRA C:20 0 4 13.6】

Compliant ex ample N on- compliant ex ample

for (i = 0; i < MAX; i++) { for (i = 0; i < MAX; ) {
… …
} i++;
}

See M3.3.1.
M aintainability

[Related rule］ M3.3.1

M3.3.3 1 Assignment operators shall not be used in P ref eren ce

1

guide
ex pressions to ex amine true or false.
R ule
2 Assignment operators shall not be used in
ex pressions to ex amine true or false, ex cept for
conv entionally used notations.

Compliant ex ample N on- compliant ex ample

Compliant example of (1) and (2) Non-compliant example of (1) and (2)
p = top_p; if (p = top_p) {
if (p != NULL) { …
… }
}
Non-compliant example of (1)
Compliant example of (1) while (c = *p++) {
c = *p++; …
while (c != 0 ) { }
… // Since this is an expression used
c = *p++; // conventionally, it is compliant to (2).
} // (However, be careful of its usage, because its
// readability depends on the programmer’s coding
// skills.)

The following are the expressions to examine true or false

if (expression ), for ( ; expression ; ), while ( expression ), ( expression )?:,
expression && expression , expression || expression

102 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性

3.4 複雑なポインタ演算は使用しない。
D o not use complicated pointer operations.
M 3 .4

M3.4.1 Three or more pointer indirections shall not be used.

P ref eren ce
guide
R ule

Compliant ex ample N on- compliant ex ample

int **p; int ***p;
typedef char **strptr_t; typedef char **strptr_t;

M aintainability
strptr_t q; strptr_t *q;

Since it is difficult to understand the changes in the pointer values in three or more levels, multiple
pointer indirections impair maintainability.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 103

 M aintainability

4 rite in a unified style

Recently, developing programs under the shared efforts of multiple programmers has become a
widely accepted approach in software pro ects. If these programmers apply different coding styles
to write their assigned portion of the source code, the reviewers or other programmers may later
face difficulty checking what each programmer has written. oreover, if the naming of variables,
M aintainability

information to be described in a file, and the order to describe the information, among others, are
not uniform, unexpected misunderstanding or errors may arise from such inconsistencies. This is
why writing the source code as much as possible according to a unified coding style in a single
pro ect or within the organi ation is often said to be desirable.
1

M aintaiability 4.1 U nify the coding styles.

M aintaiability 4.2 U nify the style of writing comments.

M aintaiability 4.3 U nify the naming conv entions.

M aintaiability 4.4
Unify the contents to be described in a file and the
order of describing them.

M aintaiability 4.5 U nify the style of writing declarations.

M aintaiability 4.6 U nify the style of writing null pointers.

M aintaiability 4.7 U nify the style of writing preprocessor directiv es.

104 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
M 4 .1
4.1 コーディングスタイルを統一する。
U nify the coding styles.

M4.1.1 《Conv entions regarding the style of using, such as,

the braces‘ { }’ , indentation and space shall be de-
P ref eren ce
guide
R ule
fined

To make the code easier to read, it is important to unify the coding style applied in the pro ect.
hen defining a new style convention to be followed in the pro ect, the recommended approach would
be to select from already existing coding styles. Existing coding styles have been developed from vari-
ous schools, and many programmers create their programs based on any one or more of these pre-

M aintainability
established styles. ne of the benefits of selecting from these existing coding styles is that the format
can be easily specified by the format commands available in editors and other tools. If no coding style is
clearly specified in the existing pro ect, the recommendation would be to define a coding convention that
matches most closely with the current source code.
hat is most important in deciding on the style convention is not in deciding what kind of style to de-
fine, but is in defining a unified style to be followed .
Explained below are the set of style-related items to be defined

1
1 Position of braces ‘ { }’
nify the position to place the braces { }’ so that the beginning and end of a block will become easier
to read (see Representative styles).

2 I ndentation
Indentation makes a group of declarations and operations easier to read. or unified use of indentation,
define the following

hether to use spaces or tabs for indentation

If spaces are used, how many space characters are set for one indent If tabs are used, how many
characters are set for each tab

3 How to use spacing

Spacing makes the code easier to read. or example, define the following rules

Add a space before and after binary and ternary operators, except for the following operators.
[ ], ->, . (period), , (comma operator)
o not add a space between unary operator and its operand.

y applying these rules, coding errors that are attributable to compound assignment operators will be-
come easier to detect.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 105

 [ Ex amples]
x=-1; /* Intended to write x-=1, but made a mistake => difficult to distinguish */
x =- 1; /* Intended to write x-=1, but made a mistake => easy to distinguish */
esides those stated above, the following rules are also defined in some cases

Add a space after a comma (except for commas for parameters in macro definitions)
Add a space before the left parenthesis enclosing control statements such as, if and for. D o not
add a space before the left parenthesis of a function call. This rule makes it easier to identify
function calls. This rule makes it easier to identify function calls.

4 Position to place a new line character for line continuation

hen an expression becomes lengthy and extends beyond the length of an easily readable line, a new
M aintainability

line character shall be placed at an appropriate position. In placing a new line character, the recom-
mended approach is to apply either one of the following two methods. hat is important is to write the
continuation line after indenting.

[ M ethod 1]

x = var1 + var2 + var3 + var4 +

1

var5 + var + var + var + var ;

if (var1 == var2 &&
var3 == var4)

[ M ethod 2]

x = var1 + var2 + var3 + var4

+ var5 + var + var + var + var ;
if (var1 == var2
&& var3 == var4)

● Representativ e styles
1 K & R style
This is a coding style used in The C rogramming anguage (widely known as R). R used as
the acronym of this book derives from the initials of the two authors. In the R style, the braces { }’
and indentation are placed in the positions described below

Position of braces: lace the braces { } for function definition on the new line at the column
aligned with the beginning of the previous line. lace the braces { }’ for oth-
ers (including structures and control statements, such as, if, for and while) on
the same line without continuing to a new line (see Example of R style).
I ndentation: 1 tab. In the first edition of The C rogramming anguage , the width
of a tab was set to spaces, but in the second edition (A SI compliant),
the number of spaces is set to .

106 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 2 B SD style
This is a description style adopted by Eric Allman who wrote many S utilities. It is also called the
Allman style. In the S style, the braces { } and indentation are placed in the positions described
below

Position of braces: Start all the function definitions, if , for and while , etc, from a new line
and place the braces { }’ at the column aligned with the beginning of the
previous line (see Example of S style).
I ndentation: enerally defined as spaces, but is also common.

3 GN U style

M aintainability
This is a coding style for writing packages. It is defined in Coding Standards written by
Richard Stallman and volunteers in the pro ect. In the style, the braces { }’ and indentation
are placed in the positions described below

Position of braces: Start all the function definitions, if , for and while , etc, from a new
line. Place the braces { } for function definitions at column 0, and braces
{ } for others after indenting 2 spaces (see Example of style).
I ndentation: 2 spaces. Indent 2 spaces for both the braces { }’ and their body.

1
1 Example of &R style 2 Example of BSD style
void func(int arg1) void
{ // Write the { of a function on a func(int arg1)
// new line { // Write the { of a function on a
// Indent is 1 tab // newline
if (arg1) { if (arg1)
… {
} …
… }
} …
}

3 Example of GNU style

void
func(int arg1)
{ // Write the { of a function on a
// new line at column 0
if (arg1)
{
…
}
…
}

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 107

 M 4 .2 コメン
U nifyトの書き方を統一する。
the style of writing comments.

M4.2.1 《 onvention regarding the style of riting file header

comments, function header comments, end of line
P ref eren ce
guide
R ule
comments, block comments and copyright shall be
defined

riting good comments makes the program easier to read. To improve the readability further, a unified
style of writing is necessary.
There are document generation tools that create documents for maintenance and ex amination from
M aintainability

the source code. When utilizing such tools, they can be most effectively used by writing in a style that
conforms to their specifications. In general, when the explanation of the variables and functions are
described according to certain comment conventions, the document generation tools enable these de-
scriptions to be extracted from the source code and reflected in the generated documents. Therefore, it is
important to examine the specifications of these tools and define the comment conventions accordingly.
Presented below are some established styles of writing comments that have been ex tracted from ex isting
coding conventions and related literature.
1

● Representativ e styles of writing comments

1 I ndian Hill coding conv entions
The following comment rules are described in Indian ill C Style and Coding Standards

B lock comments
Comments that describe data structures, algorithms, etc., should be in block comment form with the
opening / in column 1, a * in column 2 before each line of comment tex t, and the closing */ in col-
umns 2-3. (N ote that grep ’^.\* ’ will catch all block comments in the file.)

/* Write a comment.
* Write a comment.
*/

Position of comments
B lock comments inside a function
Should be tabbed over to the same tab setting as the code that they describe.
- End-of-line comments
Start them apart from the statement by using the tab. If there are more than one of such
comments, align them all to the same tab setting.

2 GN U coding standards
The following comment rules are described in the Coding Standards
L anguage English.

108 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Position and contents
-
rite a comment that briefly explains what the program does at the beginning of every
program.
-
rite comments that provide the following information for each function.
hat the function does, explanation of parameters (values, meaning, usage), return value
- #endif
Except for short conditions that are not nested, add comments to explicitly state the conditions
at the end of line of every #endif.
-
lace two spaces at the end of each comment sentence.

M aintainability
3 “ The Practices of Programming”
The following comment rules are described in The ractices of rogramming.
Position D escribe comments for functions and global data.
O ther practices
- D on’ t belabor the obvious.
- D on’ t contradict the code.

1
- Clarify, don t confuse
4 O thers
efine the policy on when to use /* */ comment and // comment.
Example 1 se // for the comment at the end of statement, and /* */ for block comment.
Example 2 se only //, because there is a risk of forgetting to close /* */.
Example 3 o not use /* or // within a comment, provided that // may be used within a //
comment.
escribe the copyright notice in the comment.
efine the comment for the switch statements without break.
Example
switch (status) {
case CASE1:
rocessing;
// FALL THROUGH
case CASE2:
・・・
efine the comment for no processing.
Example
if (Condition 1) {
rocessing;
} else if (Condition 2) {
rocessing;
} else {
// NOT REACHED
}

ine-splicing shall not be used in // comments. ( ISRA C 2012 R3.2)

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 109

 性

4.3 名前の付け方を統一する。
U nify the naming conv entions.
M 4 .3

M4.3.1 《Conv ention for naming ex ternal v ariables and inter-

P ref eren ce
guide

nal variables shall be defined R ule

See ☆ Rules on naming conv entions below.

[Related rules］ M1. .1 M1. . M1. .3 M .3. 1.1. 1. .1

M aintainability

M4.3.2 《 onvention for naming files shall be defined

P ref eren ce
guide
R ule

See ☆ Rules on naming conv entions below.

1

[Related rules］ M .3.1 1.1. 1. .1

☆ Rules on naming conv entions

Readability of programs is greatly affected by naming. There are various methods for naming but im-
portant points are to be consistent and to make the names easy to understand.
or naming, the following items shall be defined
Guidelines for names in general
ow to name files (including folders and directories)
How to name globally and locally
How to name macros, etc.
Presented in the following are some naming guidelines and rules introduced in ex isting coding conven-
tions and related literature. They are useful as reference when creating a pro ect-specific naming con-
vention newly. If no naming convention is explicitly defined in the existing pro ect, the recommendation
would be to create a naming convention that is closest to the current source code.

● Typical naming conv entions

1 I ndian Hill coding conv entions
ames with leading and trailing underscores are reserved for system purposes and should not be
used.
#define constants should be in all CA S.
enum constants should either have the initial character or all the characters capitali ed.
It is best to avoid names that differ only in case, like foo and Foo.

110 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 lobal names should have a common prefix identifying the module that they belong with.
A file name should be eight characters or less (excluding the extension), starting with an alphabetic
character and followed by alphanumeric characters.
ile names that are the same as library header filenames should be avoided.

O v erall

foo Foo
V ariable and Global
function L ocal
names

M aintainability
O ther
#define MACRO
enum

2 GN U coding standards
D on’ t choose terse names instead, look for names that give useful information about the meaning

1
of the variable or function. ames should be English.
se underscores to separate words in a name.
Stick to lower case reserve upper case for macros and enum constants, and for name-prefixes that
follow a uniform convention.

O v erall
get_name
enum

V ariable and Global

function
names
L ocal
O ther
#define MACRO
enum

3 “ The Practice of Programming”

se descriptive names for globals, short names for locals.
ive related things and related names that show their relationship and highlight their difference.
unction names should be based on active verbs, perhaps followed by nouns.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 111

 O v erall
V ariable and Global
function L ocal
names
O ther

4 O thers
hen naming files, variables and other ob ects, use only the following
- etters in the English alphabet (A through and a through )
- igits (0 through )
- Space
M aintainability

- , - .
(See CERT C SC0 -C for related information.)

Identifiers will not differ by

- The presence absence of the underscore character
- The interchange of the letter , or with the digit 0
- The interchange of the letter I , with the letter l (lower case of ) or the digit 1
1

- The interchange of the letter S with the digit

- The interchange of the letter with the digit 2
- The interchange of the letter n with the letter h .
- The interchange of the letter with the digit
- The interchange of the letter m with the string rn .

How to separate a name: A name that consists of multiple words should be either separated with
underscore or delimited using an uppercase letter for the first letters of the
words. etermine which style to adopt.
Hungarian notation: There is a notation called ungarian notation that explicitly indicates the
type of variable.
Ho to name files ive a name with a prefix, for example, that expresses the subsystem.

The validity of file names is also dependent on the environment, such as, the file system. Some file sys-
tems do not allow the use of characters like comma (,) and colon ( ) for file names, while some others
have a special meaning defined for space ( ) and underscore ( ). The programmers need to watch out for
these local restrictions and definitions applied to specific characters to prevent what they write as the file
name using any of these characters from behaving unexpectedly.

[Related rules］ 1.1. 1. .1

112 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 U nify the contents to be described in a file and the
M 4性
.4
4.4 ファイル内の記述内容と記述順序を統一する。
order of describing them.

M4.4.1 《The descriptiv e contents of header files ( declara-

tions definitions etc and the order they are de-
P ref eren ce
guide
R ule
scribed in shall be defined

Items commonly used in a program shall be described in header files to prevent the risk of modification
errors when they are scattered in different places. eader files should contain macro definitions, tag dec-

M aintainability
larations for structures, unions and enumeration types, typedef declarations, external variable declara-
tions and function prototype declarations that are commonly used in multiple source files.
or example, they should be described in the following order

1 File header comment

2 Inclusion of system headers
3 Inclusion of user defined headers

1
4 #define macros
#define function macros
6 typedef definitions (type definitions for basic types such as int or char)
7 enum tag definitions (together with typedef )
struct/union tag definitions (together with typedef)
extern variable declarations
10 unction prototype declarations
11 Inline function

B y using typedef or macro, the readability of the program at first sight can be improved and coding
changes can be locali ed. They should, however, be used according to a specific rule or rules that define
their usage. r else, they may lead to an adverse result, such as, when a different definition is established
for the macro with the same description (making the program more difficult to read or easier to overlook
the coding changes). Therefore, the specific usage of typedef and macros in a pro ect should be de-
fined before starting the pro ect, and such pro ect-specific rule or rules should be consistently followed
throughout the pro ect to mitigate the aforesaid risk of adverse effects.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 113

 M4.4.2 《The descriptiv e contents of source files ( declara-
tions definitions etc and the order they are de-
P ref eren ce
guide
R ule
scribed in shall be defined

In a source file, definitions of variables and functions, definitions or declarations of macros, tags, and
types (typedef types) used only in the individual source file should be described.
or example, they should be described in the following order

1 File header comment

2 Inclusion of system headers
M aintainability

3 Inclusion of user-defined headers

4 #define macros used only in this file
#define function macros used only in this file
6 typedef definitions used only in this file
7 enum tag definitions used only in this file
struct/union tag definitions used only in this file
static variable declarations shared in this file
1

10 static function declarations

11 Variable definitions
12 unction definitions

Regarding (2) and (3), be careful not to include unnecessary items.

Avoid describing ( ) through ( ) as much as possible.

114 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M4.4.3 o use or define e ternal variables or functions e -
cept for functions used only in the file the header
P ref eren ce
guide
R ule
file describing their declarations shall be included

Compliant ex ample N on- compliant ex ample

--- my_inc.h --- // Declaration of variable x and function func
extern int x; // are missing
int func(int); int x;
int func(int in)
-------------- {
#include "my_inc.h" ...
int x; // Declaration of variable x and function func

M aintainability
int func(int in) // are written in the same file and not included
{ // from the header file
… extern int x;
int func (int);
...
int x;
int func (int in) {
...

In C language, variables must either be declared or defined before being used. n the other hand, func-

1
tions can be used without declarations or definitions. owever, to ensure that declarations and defini-
tions are consistent, the declarations should be described in the header file, and that header file should be
included.

M4.4.4 E ternal variables shall not be defined in multiple lo-

P ref eren ce
guide
●

cations. R ule

Compliant ex ample N on- compliant ex ample

int x; // Definition of one external variable int x;
// shall be only once int x; // Definition of an external variable
// in multiple locations does not cause
// a compile error

efinitions without initiali ation for external variables can be described more than once. owever, the
behavior is not guaranteed when an external variable is initiali ed in multiple files.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 115

 M4.4.5 V ariable definitions or function definitions shall not
P ref eren ce
guide
be described in a header file R ule

Compliant ex ample N on- compliant ex ample

--- file1.h --- --- file1.h ---

extern int x; // ariable declaration int x; // External variable definition
int func(void); // Function declaration static int func(void) // Function definition
{
--- file1.c --- …
#include "file1.h" }
int x; // ariable definition
int func(void) // Function definition
{
M aintainability

…
}

eader files might be included into several source files. Therfore, describing variable definitions and
function definitions in a header file may unnecessarily enlarge ob ect code si e generated after compila-
tion. asically, only declarations or type definitions should be described in a header file.
1

M4.4.6 Header files shall be descriptiv ely capable of han-

dling redundant inclusions.《The descriptiv e method
P ref eren ce
guide
R ule
to achieve this capability shall be defined

Compliant ex ample N on- compliant ex ample

--- myheader.h --- --- myheader.h ---
#ifndef MYHEADER_H void func(void);
#define MYHEADER_H // end of file
Contents of the header file
#endif // MYHEADER_H

The descriptive contents of header files should be organi ed to avoid redundant inclusions. owever,
there are cases when redundant inclusions become unavoidable. To prepare for such cases, header files
should be written in such a way that will make them possible of handling multiple inclusions.
As an example, the following may be defined as the rule for writing header files that are capable of han-
dling redundant inclusions
Ex ample of the rule:
#ifndef macro that j udges whether the header has already been included or not shall be written at the
beginning of the header file, so that the descriptions that follow will not be compiled in subse uent in-
clusions. In this case, the macro name should be the same as the header file name but replacing all the
lowercase letters to uppercase letters, and the period . to underscore _ ’ .

116 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
M 4 .5
4.5 宣言の書き方を統一する。
U nify the style of writing declarations.

M4.5.1 1 I n a function prototype declaration, all the pa-

rameters shall not be named types only
P ref eren ce
guide
R ule
2 I n a function prototype declaration, all the pa-
rameters shall be named. I n addition, the types of the parameters,
their names and the type of the return v alue shall be literally the
same as those of the function definition

M aintainability
Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1) and (2)

int func1(int, int); int func1(int x, int y);
int func2(float x, int y);
int func1(int x, int y)
{ int func1(int y, int x) // The parameter
// rocess the function // name differs from
} // the name in the
// prototype

1
Compliant example of (2) // declaration
int func1(int x, int y); {
int func2(float x, int y); // rocess the function
}
int func1(int x, int y)
{ typedef int INT;
// rocess the function int func2(float x, INT y) // The type of y is
} // not literally the
// same as in the
int func2(float x, int y) // prototype
{ // declaration
// rocess the function {
} // rocess the function
}

In a function prototype declaration, parameter names can be omitted, but describing appropriate param-
eter names is useful as function interface information. hen describing parameter names, use the same
name as in the definition to avoid unnecessary confusion. As for the parameter type name, making it
literally the same as the function definition is also recommended to make the code easier to read.
oreover, if the parameter is an array of specific si e, it is desirable to specify the number of its ele-
ments.
Ex ample: void func(int a[4]) { ... }
void func2(size_t n, int arr[n]) { ... } // In case of variable length array

See also CERT C A I0 -C for related information.

[Related rule］ M1. .1

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 117

 M4.5.2 Structure tags and v ariables shall be declared sepa-
P ref eren ce
guide

rately. R ule

Compliant ex ample N on- compliant ex ample

struct TAG { struct TAG {
int mem1; int mem1;
int mem2; int mem2;
}; } x;
struct TAG x;

M4.5.3
M aintainability

1 “ ,” shall not be placed before the last “ }” in the P ref eren ce

guide
list of initial v alue ex pressions for structures, R ule
unions and arrays, nor in the list of enumerators.

2 “ ,” shall not be placed before the last “ }” in the list of initial v alue
ex pressions for structures, unions and arrays, nor in the list of
enumerators. Howev er, placing “ ,” before the last “ }” in the list of
1

initial v alues for array initializ ation is allowed.

Compliant ex ample N on- compliant ex ample

Compliant example of (1) Non-compliant example of (1) and (2)
struct tag data[] = { struct tag x = { 1, 2, };
{ 1, 2, 3 }, // Not clear whether there are only two members
{ 4, 5, }, // or there are three or more
{ , , } // There is no comma after the
// last element
};
Compliant example of (2)
struct tag data[] = {
{ 1, 2, 3 },
{ 4, 5, },
{ , , }, // There is a comma after the
// last element
};

The usage of comma in descriptions for initiali ing multiple data is generally divided into two schools of
coding rules. ne school follows the tradition of not placing a comma after the last initial value in order
to indicate the end of initiali ation explicitly. Another school follows the tradition of placing a comma at
the end by considering the easiness of adding or deleting initial values. D ecide on which rule to follow
by weighing the importance of the usage of comma for such descriptions in your specific cases.
In C 0 standard, it was not acceptable to have , ust before }” that indicates the end of an enumera-
tor list, but this became acceptable in C standard.

[Related rule］ M .1.1

118 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
M 4 .6
4.6 ナルポインタの書き方を統一する。
U nify the style of writing null pointers.

M4.6.1 1 0 shall be used for the null pointer. NULL shall not
be used in any case.
P ref eren ce
guide
R ule
2 NULL shall be used for the null pointer. NULL shall
not be used for anything other than the null point-
er.

Compliant ex ample N on- compliant ex ample

M aintainability
Compliant example of (1) Non-compliant example of (1)
char *p; char *p;
int dat[10]; int dat[10];

p = 0; p = NULL;
dat[0] = 0; dat[0] = NULL;

Compliant example of (2) Non-compliant example of (2)

char *p; char *p;
int dat[10]; int dat[10];

1
p = NULL; p = 0;
dat[0] = 0; dat[0] = NULL;

NULL has been conventionally used to express the null pointer, but the expression of the null pointer var-
ies, depending on the execution environment. or this reason, some people think that it is safer to use 0.

M ain tain ab ility4 ● M 4 W rite in a con sisten t way. 119

 性
M 4 . 7 前処理指令の書き方を統一する。
4.7 U nify the style of writing preprocessor directiv es.

M4.7.1 The body and parameters of a macro that includes

P ref eren ce
guide
operators shall be enclosed with parentheses ( ). R ule

Compliant ex ample N on- compliant ex ample

#define M_SAM LE(a, b) ((a)+(b)) #define M_SAM LE(a, b) a+b

M aintainability

If the body and parameters of a macro are not enclosed with parentheses ( ) , there is a risk of bug be-
ing produced when the operations are not performed in the expected order, since the operation order
depends on the order of precedence of operators that come next to the macro after expanding the macro
and the operators in the macro.
1

M4.7.2 #else, #elif or #endif that correspond to #ifdef,

#ifndef or #if shall be described in the same file,
P ref eren ce
guide
R ule
and《their correspondence relationship shall be
clearly stated with a comment defined in the proj -
ect .

Compliant ex ample N on- compliant ex ample

#ifdef AAA #ifdef AAA

// rocess when AAA is defined // rocess when AAA is defined
… …
#else // not AAA #else
// rocess when AAA is not defined // rocess when AAA is not defined
… …
#endif // end AAA #endif

If #else or #endif is described in a distant location or nested in a partitioned process by macros, such
as, #ifdef , their correspondence becomes difficult to understand. Therefore, add a pro ect-defined
comment to #else or #endif that corresponds with, such as, #ifdef to make their correspondence
easier to understand.

[Related rules］ M1.1.1， M1.1.

120 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M4.7.3 defined(macro_ name ) or defined macro_ name shall
be used to check whether the macro name has al-
P ref eren ce
guide
●

R ule
ready been defined by #if or #elif.

Compliant ex ample N on- compliant ex ample

#if defined(AAA) #if AAA
… …
#endif #endif
- or - - or -
#if defined AAA #defined DD(x) defined(x)
… #if DD(AAA)
#endif …

M aintainability
#endif

#if macro name does not determine whether a macro is defined or not. or example, when #if AAA
is written, it will be evaluated as false not only when macro AAA is not defined, but also when the
value of macro AAA is 0. The C language standard does not define how to process defined operator.
Therefore, to check whether a macro is defined or not, defined operator should be used.
defined operator should not be described other than by defined(macro name ) or defined macro
name , because they are the only two ways of describing defined that are supported in C language

1
standard, and any other descriptions of defined may cause an error or may be interpreted differently,
depending on the compiler used.

[Related rule］ M . .

M4.7.5 M acros shall not be #define’ d or #undef’ d within a

P ref eren ce
guide

block 【M
. I SRA C:20 0 4 19 .5】 R ule

Compliant ex ample N on- compliant ex ample

#define AAA 0 // Members with restriction on the assignable

#define BBB 1 // values exist
#define CCC 2 struct stag {
struct stag { int mem1; // The following values are
int mem1; // assignable:
char *mem2; #define AAA 0
}; #define BBB 1
#define CCC 2
char *mem2;
};

M ain tain ab ility5 ● M 5 W rite in a way easy to test. 121

 In general, macro definitions (#define) are all described together at the beginning of the file. If they are
scattered in various parts of the file, for example, by describing them in blocks, they will become dif-
ficult to read. oreover, cancellation of definitions (#undef ) within a block will also degrade the read-
ability. Also note that, unlike the scope of variables, macro definitions are valid only up to the end of the
file. The description below shows how the program in the above non-compliant example can be rewrit-
ten to make it compliant

enum etag { AAA, BBB, CCC };

struct stag {
enum etag mem1;
char *mem2;
};

[Related rule］ M . .
M aintainability

M4.7.6 #undef shall not be used.【M I SRA C:20 12 R19 .6】

P ref eren ce
guide
R ule
1

#undef can change the state of #define d macro name to undefined. ut the use of #undef involves
the risk of degrading the readability, because the interpretation of #undef may differ, depending on
where the macro name is referred to.

[Related rule］ M . .

122 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

M4.7.7 Controlling ex pression of #if or #elif preprocess-
P ref eren ce
guide
ing directiv e shall be ev aluated as 0 or 1. R ule
【M I SRA C:20 12 R20 .8 】

Compliant ex ample N on- compliant ex ample

#define TRUE 1 #define ABC 2
#define FALSE 0 #if ABC
#if TRUE …
…
#if defined(AAA)
…

M aintainability
#if VERSION == 2
…
#if 0 // Invalidated due to ∼
…

In case of #if or #elif controlling expression, true or false is evaluated by the controlling expres-
sion. Therefore, the controlling expression should be described in a way that would make it easy to
evaluate true or false, thus making the program easy to read.

1
[Related rule］ M . .3

M ain tain ab ility5 ● M 5 W rite in a way easy to test. 123

 W rite in a style that mak es testing
M aintainability

5 easy.

ne of the essential tasks in embedded software development is to check the behaviors

(through testing). owever, with recent complex embedded software, it is becoming
increasingly challenging to fulfill this task when faced with difficulties caused by, such as,
bugs and malfunctions detected during tests that cannot be reproduced. Therefore, when
M aintainability

writing the source code, it is desirable to be more conscious of writing in a style that will
make the root cause analysis easy to perform when problem arises. oreover, particular
attention must also be given to descriptions that involve, such as, the use of dynamic
memory, by keeping in mind the risk of memory leak, among other points of concern.
1

M aintaiability 5.1
W rite in a style that mak es it easy to inv estigate the
causes of problems when they occur.

M aintaiability 5.2 B e careful when using dynamic memory allocations.

124 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性 W rite in a style that mak es it easy to inv estigate the
5.1 問題発生時の原因を調査しやすい書き方にする。
M 5 .1
causes of problems when they occur.

M5.1.1 《The rules for writing the code for setting debug op-
tions and for recording logs in release modules shall
P ref eren ce
guide
R ule
be defined

esides implementing the specified functionalities correctly, a good program re uires coding that also
takes account of the easiness to debug and investigate into the causes of problems when they occur. e-
scriptions that make investigation of problems easy to conduct can be achieved by writing descriptions

M aintainability
for debugging that are not reflected in the release modules and descriptions for outputting logs after re-
lease that are reflected in the release modules. Explained below are the points to take into consideration
when determining the rules to be followed in writing each of these descriptions.

D escriptions for debugging

escriptions for debugging, including print statements used during program development, need to be

1
written as isolated descriptions that are not reflected in the release module. Explained below are two
ways of writing the descriptions for debugging (a) by isolating the debug descriptions using macro defi-
nitions and (b) by using assert macros for debugging purpose.

a Using macro definitions to isolate debug descriptions

se the macro definitions to identify the code parts to be compiled so that the debug descriptions are not
reflected in the provided release module. Strings, such as, DEBUG and MODULEA DEBUG” that contain
DEBUG as part of the name are commonly used as those macro names.

#ifdef DEBUG shall be used to isolate the debug code. (DEBUG macro shall be specified at compile
time.)

[Code example]
#ifdef DEBUG
fprintf(stderr, "var1 = %d/n", var1);
#endif

The following macro definitions can also be used.

#ifdef DEBUG shall be used to isolate the debug code. (DEBUG macro shall be specified at compile
time). In addition, the following macro shall be used to output debug information.

DEBUG_ RINT(str); // Output str to standard output

M ain tain ab ility5 ● M 5 W rite in a way easy to test. 125

 Since this macro is defined in the common header of the pro ect, debug_macros.h , this header shall
be
included when using this macro.

-- debug_macros.h --
#ifdef DEBUG
#define DEBUG_ RINT(str) fputs(str, stderr)
#else
#define DEBUG_ RINT(str) ((void) 0) // no action
#endif // DEBUG

[Code example]
void func(void) {
DEBUG_ RINT(">> func n");
M aintainability

DEBUG_ RINT("<< func n");

}
b Using the assert macro
In C language standard, assert macro is provided as a macro for program diagnosis. It is useful for
making coding errors easier to detect during debugging. To facilitate debugging, define where to use the
assert macro and follow this defined usage throughout the pro ect. y doing so, it will be possible to
collect consistent debug information during, such as, the integration test, and such information, as a re-
sult, will help make debugging easier.
1

The following is a brief explanation on how to use the assert macro, using a coding example that
shows how this macro is used in a function definition written under the precondition that the null pointer
is never passed as the argument.

void func(int *p) {

assert(p != NULL);
*p = INIT_DATA;

If the NDEBUG macro is defined at compile time, the assert macro does nothing. O n the other hand, if
the NDEBUG macro is not defined and the expression passed to the assert macro is false, the program
abends after outputting the file name and the line number of the source to the standard error. ote that
the macro name is NDEBUG, not DEBUG.
assert macro is a macro provided by the compiler in <assert.h>. y using the following example as
a reference, examine how to abort the program and determine whether to use the macro provided by the
compiler or to provide your own assert function.

#ifdef NDEBUG
#define assert(exp) ((void) 0)
#else
#define assert(exp) (void) ((exp)) || (_assert(#exp, __FILE__, __LINE__)))
#endif
void _assert(char *mes, char *fname, unsigned int lno) {
fprintf(stderr, "Assert:%s:%s(%d)¥n", mes, fname, lno);
fflush(stderr);
abort();
}

126 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 C11 allows embedding static assert that can be evaluated by the compiler in the source code, confirming
the offset of a structure member and the length of a string constant, and detecting, such as, the type si es
and internal representations that differ depending of the compiler used, at the time the code is compiled.

_Static_assert( sizeof(t) <= 4, "The size of t is exceeding 4 bytes.");

O utputting logs after release

It is also useful to include descriptions for problem investigation in the release module that dose not
contain descriptions for debug. ne common method is to record the result of the investigation as log
information. og information is helpful for validation testing of the release module as well as for inves-
tigation of problems that occurred in the system provided to the customer.
In case of recording the log information, the following items should be determined in advance and de-

M aintainability
fined as the coding convention.

W hen to output logs

ogs should be output not only when an abnormal condition is detected, but also at the timing of,
such as, data communication with an external system. The point is to output logs at appropriate
timing (such as, when key events occur) that will make it easier to trace the history and faster to
identify the root cause of the detected abnormality.

1
W hat to output in logs
Information on the process executed immediately before the occurrence of the abnormal condition,
the data values processed at that time, and information for tracing memory usage are some of the
log information that should be recorded to enhance the traceability of the history and facilitate the
investigation of the cause of the abnormality.
M acro or function for outputting log information
ocali e the log information output as a macro or a function. It is often preferable to make the
log output destination changeable.

M5.1.2 he # and ## preprocessor operators should not

be used.【M I SRA C:20 12 R20 .10 】
P ref eren ce
guide

macro parameter immediately follo ing a # op- R ule

erator shall not immediately be followed by a ##

operator.【M I SRA C:20 12 R20 .11】

Compliant ex ample N on- compliant ex ample

Compliant example of (2) Non-compliant example of (1) and (2)
#define AAA(a, b) a#b #define XXX(a, b, c) a#b##c
#define BBB(x, y) x##y

The evaluation order of # operator and ## operator is not defined. Therefore, # and ## operators should
not be mix ed, nor used twice or more.

M ain tain ab ility5 ● M 5 W rite in a way easy to test. 127

 M5.1.3 F unction shall be used rather than using function-
P ref eren ce
guide

lik e macro. R ule

Compliant ex ample N on- compliant ex ample

int func(int arg1, int arg2) #define func(arg1, arg2) (arg1 + arg2)
{
return arg1 + arg2;
}

sing functions rather than function-like macros facilitates tracking processes by stopping at the begin-
M aintainability

ning of a function during debugging etc.

In addition, the compiler performs type checking with the functions and helps to detect coding mistakes.
The functions can be inline functions. or more information about the performance of inline functions
and ob ect code si e, see E1.1.1.

[Related rules］ 1.1.1 .1.1

1

5.2 動的なメモリ割り当ての使用に気を付ける。
B e careful when using dynamic memory allocations.
M 5 .2

M5.2.1 Dynamic memory shall not be used

f dynamic memory is used 《the means to allo-
P ref eren ce
guide
R ule
cate and free the memory, the max imum
amount of memory that can be used, process to
be tak en when running out of memory, and
debugging procedure shall be defined

sing dynamic memory involves the risk of memory corruption caused by invalid memory access as
well as the risk of memory leak that leads to depletion of system resources, which may be caused by
forgetting to return the obtained memory space to the system. The use of dynamic memory should be
avoided, but there are unavoidable cases, such as, when middleware is used, and these cases are, in fact,
not that rare. In case the use of dynamic memory is unavoidable, specific rule or rules, including those
exemplified below, should be established to prevent the aforesaid risks from arising and facilitate the
debugging process

Example 1 rite the code for allocating the memory and freeing the allocated memory symmetrically
in the same translation unit.
Example 2 Assign a new value to the pointer that points to the freed memory.

128 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

Example 3 efine in advance the maximum si e of the dynamic memory to be used.
Example efine the process to be taken when running out of memory.
Example To allocate or free dynamic memories, do not use standard functions, such as, malloc or
free. Instead, prepare for the pro ect one or more functions that facilitates the debugging
process, as shown in the example below.

Since some compilers already provide functions for debug, consider using them as well. pen source
software also has pieces of source code for debug and should serve as useful references when creating
your own.

-- X_MALLOC.h --

M aintainability
#ifdef DEBUG
void *log_malloc(size_t size, char*, char*);
void log_free(void*);
#define X_MALLOC(size) log_malloc(size, __FILE__, __LINE__)
#define X_FREE(p) do {log_free(p, __FILE__, __LINE__); p=NULL;} while(0)
#else
#include <stdlib.h>
#define X_MALLOC(size) malloc(size)
#define X_FREE(p) do {free(p); p=NULL;} while(0)
#endif
[Use of those functions]

1
#include X_MALLOC.h
...
p = X_MALLOC(sizeof(*p) * NUM);
if (p == NULL) {
return (MEM_NOTHING);
}
...
X_FREE(p);
return (O );

[Related rule］ 3. .

● eference Problems hen using dynamic memory

escribed below are problems that you should watch out when using dynamic memory.
uffer over o
This occurs as a result of referencing or updating areas beyond the range of obtained memory. In
particular, when an area outside the range is accidentally updated, this failure does not occur at the
time of update but will occur when the memory destroyed by the update is referenced.
F orgetting to initializ e
emories obtained by typical dynamic memory functions are not initiali ed (there are some dy-
namic memory obtaining functions perform initiali ation). ike automatic variables, the memories
should be initiali ed in the program before using them.
unctions for initiali ing the obtained memory space, such as, calloc, can be used.
M emory leak
There is a risk of this problem being caused by forgetting to free the obtained memory space. This

M ain tain ab ility5 ● M 5 W rite in a way easy to test. 129

 problem does not occur with programs that terminate each time after running once. owever, with
programs that keep running, memory leak can occur and become the cause of memory depletion
and system malfunction.
U sing freed memory
There are cases when the freed memory is used. hen the obtained memory space is freed with
functions, such as, free or realloc, the freed memory space may be reused later, such as, when
malloc function is called. In case a pointer that points to the freed memory (also known as dan-
gling pointer) is used to update the memory, the memory space will be destroyed if it is already be-
ing reused for other purpose.
D ouble free
This term refers to freeing the allocated memory more than once with functions, such as, free or
M aintainability

realloc. Since the behavior after double free is undefined, the behavior of the program that uses
double freed memory is not guaranteed. ne of the methods to prevent this problem from occurring
is to assign a null pointer as the pointer that points to this memory, immediately after freeing this
memory.
The behavior of the program that specifies a null pointer as the argument of free or realloc
function is guaranteed. ouble free can therefore be prevented by making it a rule to assign a null
pointer as the pointer that points to the freed memory,
1

The code that leads to these problems does not cause a compile error. In addition, problems do not occur
at the location where the bugs were implanted, making them undetectable in tests that are ust for check-
ing the normal specifications. They cannot be discovered unless the code is carefully reviewed or tests
are performed after inserting a test code specifically written to detect such problems or after adding a
special library to the program for similar purpose.

130 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Portability
One of the distinctive aspects of embedded software is that
there are diverse options in the platform used for software op-
eration. This also means that there are many possible combina-
tions of MPU options and OS options to select the hardware and
software platforms from. As the number of functionalities real-
ized by the embedded software increases, opportunities to port
the existing software to other platforms by modifying or remod-
eling it to make it compatible with multiple platforms are also on
the rise.
Due to this trend, software portability is becoming an extremely
important element also at the source code level. In particular,
writing in a style that is implementation-dependent is one of the
most common mistakes made on a regular basis.

● Portability 1: Write in a style that is not dependent on

the compiler.

● Portability 2: Localize the code that has a problem with

portability.
 W rite in a style that is not
Portability

1 dependent on the compiler.

U se of compilers is unavoidable when programming in C++ language. Various compilers

are available in the world and each has its own features. If the source code is written poorly,
the code may become dependent on the features of the compiler used, and may cause
unex pected results when a different compiler is used.
For this reason, programming must be performed carefully with an awareness that the code
must be written in a style that is not implementation-dependent.

D o not use functionalities that are adv anced features or

Portability 1.1
implementation-defined

Use only the characters and escape se uences defined in

Portability 1.2
the language standard.
Portability

onfirm and document data type representations behav-

Portability 1.3 ioral specifications of advanced functionalities and imple-
mentation- dependent parts.

or source file inclusion confirm the implementation-

dependent parts and write in a style that is not implementa-
1

Portability 1.4
tion- dependent.

Portability 1.5
W rite in a style that does not depend on the env ironment
used for compiling.

132 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性
P 1 . 1 拡張機能や処理系定義の機能は使用しない。
D o not use functionalities that are adv anced fea-
1.1 tures or implementation- defined.

P1.1.1 unctionalities not specified in the language

standard shall not be used.
P ref eren ce
guide
R ule
f functionalities not specified in the language
standard are used, 《the functionalities used and
their usage shall be documented.

At present, while C99 is the widely used C language standard, the latest version is C11. In addition, there
are still many compilers that also support the older version, C90.
ne way of thinking would be to choose rule (2) and allow the use of functionalities defined in the latest
language standard, C11, that are specifically supported by the compiler used.
Regarding the acceptable ways of using the functionalities that are not specified in the language stan-
dard, the details are provided in the following related rules.

［Related rules］ 1.1.3， 1. .1， 1. . ， 1.3. ， .1.1， .1.

Portability
P1.1.2 《 ll usage of implementation-defined behavior shall
P ref eren ce
guide

be documented. 【M I SRA C:20 0 4 3.1】 R ule

In the language standard, there are implementation-defined items whose behavior varies depending on
the compiler used. or example, the following are implementation-defined and should be documented if

1
they are used.
ow to represent floating-point numbers
For C90, how to handle signs of remainders for integer division
The search order of files for the #include directive
#pragma

P ortab ility1 ● P 1 W rite in a com piler in depen den t way. 133

 P1.1.3 To use a program written in another language, 《its
interface shall be documented and its usage shall
P ref eren ce
guide
R ule
be defined

The C language standard does not define the interface for making programs written in other languages
available from a C language program. In other words, using a program written in another language re-
quires the use of an advanced functionality, which means that portability will be impaired. Therefore,
when using such a program, document the specifications of the compiler used and define its usage, re-
gardless of the possibility of porting.

［Related rules］ 1.1.1， .1.1

性
U se only the characters and escape seq uences de-
P 1 . 2 言語規格で定義されている文字や拡張表記のみを使用する。
1.2 fined in the language standard.

P1.2.1 o use characters other than those defined in the

language standard for writing a program, the com-
P ref eren ce
guide
R ule
Portability

piler specifications shall be confirmed and《their

usage shall be defined

Compliant ex ample N on- compliant ex ample

const char * table[MAX]; // table of names const char * table[MAX];// 名前表
// Compliant // Non-compliant: In Shift_JIS, the second byte of
// a double-byte character“ 表 ”is '\' in ASCII,
1

// and may be misinterpreted as

// comment line-splicing

The basic character set defined in the language standard as usable for source code are upper and lower
case letters of the L atin alphabet, decimal digits, graphic characters ( ! “ # % & ‘ ( ) * + , -
. / : ; < = > ? [ \ ] ^ _ { | } ~ ), space character, and control characters that represent the
horizontal tab, vertical tab and form feed. However, a part of these graphic characters varies in countries
and are therefore implementation-dependent. As a result, they may not be correctly processed.
International characters and multibyte characters (like Japanese) can be used as identifiers and charac-
ters, but they may not be supported by some compilers. Therefore, if these characters are going to be
used, check beforehand that they can be used in the following locations and define their usage.

134 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 - Processing when \ ex ists in the character codes of the string (whether special care is required or
whether options are required at the time the code is compiled, etc.)
- The necessity to write using wide string literals (with the prefix L such as L“string”.)
- The necessity to write using char16 t string literals (with the prefix u such as u“string”.) (in case
of C11)
- The necessity to write using char32 t string literals (with the prefix U such as U“string”.) (in case
of C11)

- The bit length of the character constant

- Process when \ ex ists in the character code of character constants (whether special consideration is
necessary or whether option is specified at the time the code is compiled, etc.)
- The necessity to write using wide character constants (with the prefix L such as L‘ ’)
- The necessity to write using char16 t character constants (with the prefix u such as u‘ ’) (in case
of C11)
- The necessity to write using char32 t character constants (with the prefix U such as U‘ ’) (in case
of C11)
#include

or example, define the following rules.

Portability
As the identifier, only the alphanumeric characters and underscore should be used.
Comments can be written in Japanese. The character code used should be U TF-8. Halfwidth Katakana
shall not be used.
Japanese shall not be used in strings, string constants and file names of #include.

Many compilers these days support U nicode to process multibyte character set that includes Japanese. In
Japan, Shift_ JIS has long and often been used as the character code for processing Japanese characters.

1
B ut recently, there are increasing number of development proj ects using open source that are adopting
U TP-8 as the character code.

［Related Rules］ M .3.1 M .3. 1.1.1

P ortab ility1 ● P 1 W rite in a com piler in depen den t way. 135

 P1.2.2 nly escape se uences defined in the language
P ref eren ce
guide
standard shall be used R ule

Compliant ex ample N on- compliant ex ample

char c = '\t'; // compliant char c = '\e'; // Non-compliant: The escape sequence
// is not defined in the
// language standard
// It is not portable

The language standard defines the following seven nongraphic characters as escape se uences

\a (alert) \b (backspace) \f (form feed) \n (new line)

\r (carriage return) \t (horizontal tab) \v (vertical tab)

［Related rule］ P1.1.1

Portability

Confirm and document data type representations, behav ioral

P 1 .3 specifications of adv anced functionalities and implementa-
tion- dependent parts.

P1.3.1 Simple char type ( that does not specify the signed- P ref eren ce
1

guide
ness) shall be used only for storing character v al-
R ule
ues. I f a process that depends on signedness ( im-
plementation-defined is re uired unsigned char or
signed char that specifies its signedness shall be used

Compliant ex ample N on- compliant ex ample

char c = 'a'; // Used to store characters char c = -1;
int8_t i8 = -1; // To use it as 8-bit data, if (c > 0) { … }
// use a type defined, for // Non-compliant: char can be signed or unsigned
// example, with typedef // depending on the compiler, and this difference
// affects the result of the comparison

136 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 U nlike other integer types like int , char that does not specify its signedness will be either signed or
unsigned depending on the compiler (int type is the same as signed int type.) Therefore, using char
that depends on the signedness is not portable. This is because char that does not specify its signed-
ness is an independent type provided for storing characters (comprised of three types char , unsigned
char and signed char ) and the language standard assumes such usage. For using char as a small
integer type, such as, when a process that depends on signedness is required, use either unsigned char
or signed char that specifies its signedness. In this case, it is desirable to use typedef as the type to lo-
cali e the range of modification during porting.
A problem similar to this rule ex ists with the returned type of the standard function getc that is int and
must not be received by char . However, this is rather a problem pertaining to function interface (as-
signment that may cause information loss).

Reference materials for those wanting to know more in detail about this rule
・ ISRA C 2012 Rule 10.1

［Related rule］ .1.3

P1.3.2 The members of an enumeration type ( enum) shall

be defined ith values that can be represented as
P ref eren ce
guide
R ule
int type.

Portability
Compliant ex ample N on- compliant ex ample

// If int is 16bits and long is 32bits // If int is 16bits and long is 32bits
enum largenum { enum largenum {
LARGE = INT_MAX LARGE = INT_MAX+1
}; };

1
In the C language standard, the members of an enumeration type must have values that can be repre-
sented as int type. However, some compilers that support this functionality ex tendedly may not cause
an error even if the value ex ceeds the range of int type for the members of an enumeration type.
Reference C++ allows values in the range of long type for the members of an enumeration type.

［Related rule］ P1.1.1

P ortab ility1 ● P 1 W rite in a com piler in depen den t way. 137

 P1.3.3 1
2
it fields shall not be used
it fields shall not be used for data hose bit
P ref eren ce
guide
R ule
positions are meaningful.
( 3) 《I f it is being relied upon, the implementation-
defined behavior and pac ing of bit fields shall be documented
【M I SRA C:20 0 4 3.5】

Compliant ex ample N on- compliant ex ample

Compliant example of (2) Non-compliant example of (2)
struct S { struct S {
unsigned int bit1:1; unsigned int bit1:1;
unsigned int bit2:1; unsigned int bit2:1;
}; };
extern struct S * p; // Compliant if p points extern struct S * p;
// to a date that is, for // If the bit positions are meaningful, for
// example, just a set of // example, when p points at IO ports; in
// flags and bit1 can be // other words, if there is a meaning for bit1
// any bit in that data // to point at either the lowest bit or the
// highest bit of the data, the program is non-
p->bit1 = 1; // portable

p->bit1 = 1; // As to which bit of the data,

// p will point at, is
// implementation-dependent
Portability

The following behaviors of bit field vary depending on the compiler used

(1) hether the bit field of an int type that does not specify its signedness will be handled as signed ;
(2) Assignment order of the bit fields within a unit
(3) oundary of a bit field in a storage unit
1

If bit fields are used to access data whose bit positions are meaningful, such as, the I ports, portability
problem arises due to rules (2) and (3). Therefore, in such cases, do not use bit fields, but instead, use
bitwise operations, such as, & and | .

［Related rules］ . .1， 3.11.

138 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 F or source file inclusion, confirm the implementation-
P 1 .4 dependent parts and write in a style that is not implemen-
tation- dependent.

P1.4.1 The #include directiv e shall be followed by either a

<filename> or “filename” seq uence.
P ref eren ce
guide
●

R ule
【M I SRA C:20 12 R20 .3】

Compliant ex ample N on- compliant ex ample

#include <stdio.h> #include stdio.h
#include "myheader.h" // Neither <> nor “ ” is placed
#if VERSION == 1 #include "myheader.h" 1
#define INCFILE "vers1.h" // 1 is specified at the end
#elif VERSION == 2
#define INCFILE "vers2.h"
#endif
#include INCFILE

In C language standard, the behavior is not defined for cases where the format of the header name does
not match with neither of the two styles (< > or “ ”) after macro-ex pansion of the # include directive.
Most compilers will output an error if it cannot match the format with neither of the two styles, while

Portability
some others may not handle it as an error. Therefore, write the header name format in either of the two
styles to ensure safety.

P1.4.2 《The usage of <> format and “” format for #include

P ref eren ce
guide

1
file specification shall be defined R ule

Compliant ex ample N on- compliant ex ample

#include <stdio.h> #include "stdio.h"
#include "myheader.h" #include <myheader.h>

There are two ways of writing include . To unify the writing style, define rules, for example, that in-
clude the following
Specify the header provided by the compiler by enclosing it with < > ;
Specify the header created in the proj ect by enclosing it with “ ” ;
Specify the header provided by the purchased software by enclosing it with “ ” .

P ortab ility1 ● P 1 W rite in a com piler in depen den t way. 139

 P1.4.3 Characters ‘, \, “, /*, // and : shall not be used
P ref eren ce
guide

for file specification in #include. R ule

Compliant ex ample N on- compliant ex ample

#include "inc/my_header.h" // Compliant #include "inc\my_header.h" // Non-compliant

The language standard does not define the behavior when the characters mentioned above are used (more
specifically, in the following cases) that is to say, the operation result is not certain when these charac-
ters are used in the following cases, which conse uently make the code non-portable .
When characters ’\” or /* appear in the string enclosed with < > ;
When characters ’\” or /* appear in the string enclosed with “ ” .
Also, the behavior of the character : (colon) differs depending on the compiler, and makes the code
nonportable.

W rite in a style that does not depend on the env i-

P 1 .5
ronment used for compiling.
Portability

P1.5.1 The absolute path shall not be written for #include

P ref eren ce
guide

file specification R ule

Compliant ex ample N on- compliant ex ample

1

#include "h1.h" #include "/project1/module1/h1.h"

If an absolute path is written in the code, there will be a need to modify the path when the program is
compiled after changing the directories.

140 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

P1.5.2 sizeof shall be used to determine the siz e of a type
PP ref
ref eren
eren ce
guide
guide
ce

or v ariable. RR ule
ule

Compliant
Compliant ex
ex ample
ample NN on-
on- compliant
compliant ex
ex ample
ample
#define LEN 10 #define LEN 10
... #define INT_SIZE 4
int *p = (int *)malloc(sizeof(int)*LEN); ...
int *p = (int *)malloc(INT_SIZE*LEN);

Since the size of a type or variable varies depending on the complier used, use the sizeof operator to
find out the si e of a type or variable that are implementation-defined.

［Related rules］ 3.1. 3. .3

Portability
1

P ortab ility1 ● P 1 W rite in a com piler in depen den t way. 141

 L ocaliz e the code that has a
Portability

2 problem with portability.

The principle is not to write implementation-dependent source code as much as possible.

B ut in some cases, this may be unavoidable. A typical ex ample is when an assembly
language program is called from C language. In such case, it is recommended to localize the
implementation-dependent parts of the code as much as possible.

Portability 2.1 L ocaliz e the code that has a problem with portability.
Portability
1

142 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 L ocaliz e the code that has a problem with portabil-
P 2. 1
ity.

P2.1.1 W hen assembly language programs are called guide

P ref eren ce

from C language, 《how to localiz e such parts shall R ule

be defined , such as, by ex pressing them as func-
tions of C language that contain only inline assembly language
code or describing them using macros.

Compliant ex ample N on- compliant ex ample

#define SET_ ORT1 asm(" st.b 1, port1") void f() {
void f() { …
… asm(" st.b 1,port1");
SET_ ORT1; …
… }
} // asm and other processes are mixed

In C99, inline-specified functions can be written. Many compilers provide ex tended support
to (string ) format as a method to include the assembly language code. However, there
are some compilers that do not provide such support. Moreover, the same format may lead to

Portability
different behavior depending on the compiler used, thus making it non-portable.

［Related rules］ M .1.3， 1.1.1， 1.1.3， 1.1.1

P2.1.2 K eywords ex tended by the compiler shall be used

P ref eren ce
guide

1
by localiz ing them after《defining the macros R ule

Compliant ex ample N on- compliant ex ample

// interrupt is defined as a keyword extended by // interrupt is defined as a keyword extended
// a specific compiler // by a specific compiler. It is used without
#define INTERRU T interrupt // being defined by a macro
INTERRU T void int_handler (void) { interrupt void int_handler(void) {
… …
} }

P ortab ility2 ● P 2 L ocaliz e code with portab ility issues. 143

 Some compilers provide ex tended keywords instead of using the #pragma directive, B ut the code will
become non-portable when these keywords are used. Therefore, when using them, localize them, such
as, by defining them as macros. or the macro name, use the keyword written in uppercase letters, as
shown above in the compliant ex ample.

［Related rule］ P1.1.1

P2.1.3 ( 1) The basic types ( char, int, long, long long,

float, double and long double) shall not be
P ref eren ce
guide

used. I nstead, the types defined by typedef R ule

shall be used.《 he types defined by typedef

that are used in the project shall be defined
( 2) W hen using any of the basic types ( char, int, long, long long,
, double and long double) in a form that is dependent on
its si e the type defined by typedef for each of these basic
types shall be used.《 he types defined by typedef that are
used in the project shall be defined
Portability

Compliant ex ample N on- compliant ex ample

Compliant example of (1) and (2) Non-compliant example of (1) and (2)
uint32_t flag32; // Use unit32_t if 32bits is unsigned int flag32; // used by assuming int as
// assumed // 32bits

Compliant example for (2)

int i;
for (i = 0; i < 10; i++) { … }
// i is used as an index. It can be 8bits,
// 16bits or 32bits and a basic type in the
// language specification can be used for i
1

The si e and internal representation of integer types and floating point types vary depending on the com-
piler. C specifies the following typedefs to be provided as the language standard. Therefore, these
type definitions should be used. hen using C 0, it is advisable to refer to them as the typedef names
for these basic types.

Si e-specific types int8_t, int16_t, int32_t, int 4_t, uint8_t, uint16_t, uint32_t, uint 4_t
east-width integer types int_least8_t, uint_least8_t, … , int_least 4_t, uint_least 4_t
astest least-width integer types int_fast8_t, uint_fast8_t, … , int_fast 4_t, uint_fast 4_t
aximum-width integer types intmax_t, uintmax_t

Moreover, use size_t for size or length resulting from, such as, the use of sizeof, ptrdiff_t for the
result from pointer subtraction, and wchar_t for wide character.

144 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 In case of C11, rsize_t should be used rather than size_t. Runtime error occurs if rsize_t type
variable exceeds the maximum si e defined by RSIZE_MAX.

【Reference materials for those wanting to know more in detail about this rule】
・CERT IN T01-C

［Related rule］ P1.3.1

Portability
1

P ortab ility2 ● P 2 L ocaliz e code with portab ility issues. 145

 Efficiency
Embedded software is characteristic for being embedded
in a product and operating together with hardware to serve
its purposes in the real world. The increasing demand for
further product cost reduction has imposed various restric-
tions, not only on, such as, MPU or memory, but also on
software.
In addition, requirements, such as, on real-time property
have placed stricter time constraints that need to be met.
Embedded software must therefore be coded with particular
attention on resource efficiency like efficient use of memory
and time efficiency that takes account of time performance.

● Efficiency1: Write in a style that takes account of re-

source and time efficiencies.
 Efficiency
rite in a style that ta es account
1 of resource and time efficiencies

D epending on how the source code is written, the obj ect size may increase and the
ex ecution speed may slow down. If there are restrictions on memory size and processing
time, the code must be written thoughtfully with additional considerations given to these
restrictions.

Efficiency
rite in a style that ta es account of resource and
time efficiencies.
Efficiency
1

148 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 性 rite in a style that ta es account of resource and
E 1 .1 資源や時間の効率を考慮した書き方にする。
1.1 time efficiencies.

E1.1.1 M acro functions shall be used only in parts related

P ref eren ce
guide
●

to speed performance. R ule

Compliant ex ample N on- compliant ex ample

extern void func1(int,int); // func1: called #define func1(arg1, arg2) // func1: called only
// only once // once
#define func2(arg1, arg2) // func2: called extern void func2(int, int); // func2: called
// many times // many times

func1(arg1, arg2); func1(arg1, arg2);

for (i = 0; i < 10000; i++) { for (i = 0; i < 10000; i++) {
func2(arg1, arg2); // Speed performance is func2(arg1, arg2); // Speed performance is
// critical for this // critical for this
// process // process
} }

Function is safer than macro function. So, use function as much as possible (see M5 .1.3).
However, processing of function calls and returns may slow down the speed performance.
The use of inline function can be one way of preventing the processsing speed from slowing
down. B ut since inlining is implementation-dependent, inline function may not be ex panded
as intended, depending on the complier used. Therefore, if speed performance is an issue that
has to be improved, use macro function instead.
Yet, the frequent use of macro function may increase the obj ect size because the code will be
spread to wherever the macro function is used.

［Related rule］ M5.1.3

E1.1.2 P ref eren ce

Efficiency
●
O perations that remain unchanged shall not be per- guide

formed within an iterated process. R ule

Compliant ex ample N on- compliant ex ample

var1 = func(); // Function func returns the same result

for (i = 0; (i + var1) < MAX; i++) { for (i = 0; (i + func()) < MAX; i++) {
1

… …
} }

● 149
 Repeating the same process that returns the same result is inefficient. Although optimi ation of the com-
piler is often reliable for preventing such inefficiency, attention is still necessary in some cases, like in
the non-compliant ex ample shown above, where the compiler used cannot determine the invariance..

E1.1.3 I nstead of structures, pointers to structures shall be

P ref eren ce
guide

used as function parameters. R ule

Compliant ex ample N on- compliant ex ample

typedef struct stag { typedef struct stag {
int mem1; int mem1;
int mem2; int mem2;
… …
} STAG; } STAG;
int func (const STAG *p) { int func (STAG x) {
return p->mem1 + p->mem2; return x.mem1 + x.mem2;
} }

If a structure is passed as a function argument, all the structure data are copied into the area for storing
arguments when the function is called. If the size of the structure is large, it will become the cause of
speed performance degradation.
If a structure passed is read-only, not only pass it as a pointer to the structure, but also qualify it with
const.

E1.1.4 《The policy of selecting either switch or if state-

ment shall be determined and defined by ta ing
P ref eren ce
guide
R ule
readability and efficiency into consideration

switch statements often provide higher readability than if statements. In addition, recent compilers
tend to output optimized code using, such as, table j ump or binary search when they process switch
statements. Take these matters into consideration when defining this rule.
Efficiency

switch statement shall be used instead of if statement when:

- a process branches according to the value of the ex pression (integer value), and
- the number of branches is three or more.
However, this rule shall not apply if:
- using the switch statement causes an efficiency issue that impedes the improvement of program per-
formance.
1

［Related rule］ M1.3.1

150 P art2 C odin g P ractices f or E m b edded S of tware: P ractices C h art

 Part 3
Typical Coding Errors
in Embedded Software

1 Meaningless expressions and statements

2 Wrong expressions and statements

3 Wrong memory usage

4 Errors due to misunderstanding in logical expressions

5 Mistakes due to typos

6 Wrong descriptions that do not cause errors in some compilers

 Typical Coding Errors in Embedded Software
This section focuses on showing some typical ex amples of coding errors that are easily made,
not only by C language beginners, but even by skilled programmers as well. Some recent compil-
ers provide enhanced warning functions as options, and some of the ex amples taken up here can be
captured by means of compiler warnings or static analysis tools. In particular, compiler warnings are
easy for anyone to use. B y using the compiler warnings and being careful not to make such coding
errors during the coding stage, the amount of corrective work in later processes can be reduced.
Some ex isting coding conventions provide rules for preventing such coding errors. The members
of software development proj ects or organizations are recommended to ex amine whether to include
such rules into their coding conventions or not, by taking account of the skill levels of those in-
volved in the development of software programs.
In this section, the following six error-prone points are highlighted and ex plained with ex amples.

M ean in gless ex pression s an d statem en ts

W ron g ex pression s an d statem en ts
W ron g m em ory usage
E rrors due to m isun derstan din g in logical operation s
M istak es due to typos
W ron g description s th at do n ot cause errors in som e com pilers

1M eaningless ex pressions and statements

L eaving statements or ex pressions that are not ex ecuted in the source code is likely to create mis-
understanding that often leads to problems as a result. It is said that confusion tends to be caused es-
pecially when the source code is modified by engineers who are not the originator of that particular
code.

Ex ample 1: W riting statements that are not ex ecuted

return ret;
ret = ERROR;

This problem is caused either by putting a statement to branch the program control flow (return,
continue, break, goto statement) into the wrong place, or forgetting to delete unnecessary state-
ments when putting such a branch statement.

152 P art3 T ypical C odin g E rrors in E m b edded S of tware

Ex ample 2: W riting statements whose ex ecution result is not used
void func( ) {
int cnt;

cnt = 0;
return;

Automatic variables and formal parameters cannot be referenced after the function return. There-
fore, if the updated variables are not referenced between the update and the return statement, the
update becomes an unnecessary expression (statement). There is a possibility that some operations
have been missed or unnecessary statements may have been left undeleted due to slippage during
program modification.

Ex ample 3: W riting ex pressions whose ex ecution result is not used

int func( ) {
int cnt;

return cnt++;

The postfix ++ operation updates the value of the variable after it is referenced, so increments as
shown in the above ex ample are meaningless. If there is a need to return the incremented value to
the caller, the prefix increment must be used.

Ex ample 4: V alues passed as arguments are not used

int func(int in) {
in = 0; // Overwriting the parameter

O verwriting a parameter without referencing its value, as shown in the above ex ample, means that
the value of the argument set by the caller is ignored. This may be a coding error.

T ypical C odin g E rrors in E m b edded S of tware 153

 2W rong ex pressions and statements
To write proper source code, it must be written according to the grammar of the programming
language being used. B ut even programmers who are familiar with the programming language be-
ing used can make careless mistakes. Presented below are some ex amples of wrong ex pressions and
statements that are often seen.

E ample ncorrect range specification

if (0 < x < 10)

if (x == y == z)

The program shown in the above example appears to be a correct description at first sight. ut in
C language, such description is not interpreted mathematically and is treated as a conditional ex pres-
sion that always becomes true.

Ex ample 2: Comparing outside the range

unsigned char uc;
unsigned int ui;

if (uc == 256)

switch (uc) {
case 256:

}
if (ui < 0)

The variable is compared with a value beyond the range it can ex press. uc can only ex press values
between 0 and 25 5 . ui can never be negative.

Ex ample 3: String comparisons cannot be performed with == operation

if (str == "abc")

The condition shown in the above ex ample compares addresses, and is not a condition for evaluat-
ing whether the string “ abc” is equal to the string pointed by str or not.

154 P art3 T ypical C odin g E rrors in E m b edded S of tware

Ex ample 4: I nconsistency between a function type and return statement of
the function
int func1(int in) {
if (in < 0) return; // Non-compliant
return in ;
}

int func2(int in) {

if (in < 0) return 0;
} // Non-compliant

int func3(void) {// Non-compliant

return;
}

In the definition of a function that returns a value, all the return statements must describe the value
to be returned in return expression (function func1). The function that returns a value must not
end the ex ecution with anything other than the return statement (function func2). If a value is not
returned with return, the return value of the function is undefined. In addition, the type of function
with one or more return statements that respectively do not return a value should be void (function
func3). In C99, the inconsistency between such type of function and return statement is detected
as an error by the compiler.

Ex ample 5: Pointer addition or subtraction error

#define N 10

int data[N];
int *p;

p = data;
p += sizeof(data); // p points to 160 bytes ahead and not 40 bytes ahead.

A value for addition or subtraction of integer to or from a pointer variable is automatically scaled
to the size of the type of the obj ect pointed-to. The sizeof operator returns the number of the data
in bytes. Therefore, if the result of sizeof is used as the value for pointer addition or subtraction,
the pointer after the arithmetic may point to an unintended destination.
If the number of data bytes of int type in the above ex ample is 4, sizeof(data) will be 40
( 10). If the result of this sizeof is added to p, which is a pointer that points to int type, the
pointer will point to 160 bytes ( 0 ) ahead, scaling the result of 0 by a factor of prior to the ad-
dition. Pointer p, as a result, will point at an unintended destination.

T ypical C odin g E rrors in E m b edded S of tware 155

 3W rong memory usage
O ne of the characteristics of C language is that memory can be handled directly. While this is a
very useful feature when creating embedded software, it also often causes incorrect operations and
must therefore be used carefully.

Ex ample 1: Reference and update outside the array bounds

char var1[N];

for (i = 1; i <= N; i++) {/* Accessing outside the array bounds (error) */
var1[i] = i;
}
var1[-1] = 0; // error
var1[N] = 0; // error

The array index in C language starts with 0 and its maximum value is 1 less than the element
count.

Ex ample 2: Passing the address of an automatic v ariable to the caller mistak enly
int *func(tag *p) {
int x;
p->mem = &x; // The automatic variable memory area is referenced after the
// function return (risky)
return &x; // The automatic variable memory area is referenced after the
// function return (risky)
}

tag y;
int *p;
p = func(&y);
*p = 10; // Destroying invalid memory area
*y.mem = 20; // Destroying invalid memory area

Areas for automatic variables or parameters are freed to the system when the function ends, and
may be reused for other purposes. If the address of an automatic variable is specified as a function
return value or set in an area that can be referenced by the caller, as shown in the above ex ample,
unex pected faults may occur when the area that has been returned to the system is referenced or up-
dated.
The area for compound literal introduced in C99 is freed and may be reused for other purposes

156 P art3 T ypical C odin g E rrors in E m b edded S of tware

when the ex ecution proceeds outside the enclosing block of the compound literal.

void f ()
｛
…
int *p;
｛
p = (int []) {2, 4};
…
｝
x = p[0]; // The memory area may be referenced after it is freed (risky)
…
｝

Ex ample 3: Referencing memory after being freed as dynamic memory

struct stag { // A list structure
struct stag *next;
...
};
struct stag *wkp; // Pointer to the list structure
struct stag *top; // Start pointer to the list structure
...
// Process to free the list structure by its elements one after another
// No good: It will access to an already freed area at the third control
// expression in the for statement
for (wkp = top; wkp != NULL; wkp = wkp-> next) {
free(wkp);
}

Memories obtained with, such as, malloc function need to be freed to the system by using free
function. The areas that have been freed by free function must not be referenced because they may
be reused by the system.

Ex ample 4: W riting into string literals mistak enly

char *s;
s = "abc"; // The string literal may be in ROM area
s[0] = 'A'; // Cannot be written

D epending on the compiler, string literals may be allocated in the const area. Programmers must
therefore be careful not to overwrite string literals.

T ypical C odin g E rrors in E m b edded S of tware 157

 Ex ample 5: Specifying copy size s mistak enly
#define A 10
#define B 20
char a[A];
char b[B];

memcpy(a, b, sizeof(b));

When one array is copied to another, it will corrupt the memory area if the copy is made in the
size of the source that is larger than the size of the destination. The best way to copy from one array
to another is to use arrays of the same size. O r specifying the size of the destination as the copy size
will at least prevent the memory from corrupting.

4 Errors due to misunderstanding in logical ex pressions

The use of logical operators is relatively error-prone. In situations where they are used, close at-
tention must be given especially to the operation results, since in many cases, they lead to different
subsequent processes.

Ex ample 1: U sing a logical product mistak enly instead of a logical sum

if (x < 0 && x > 10)

The above ex ample shows a logical product written mistakenly instead of a logical sum. In C lan-
guage, conditions must be written carefully because they will not be processed as compile error even
if it is not possible to fulfill them.

Ex ample 2: U sing a logical sum mistak enly instead of a logical product

int i, data[10], end = 0;
for (i = 0; i < 10 || !end; i++) {
data[i] = Value_assigned ; // risk of corrupting outside the area
if (termination_condition ) {
end = 1;
}
}

When a different condition is added as a condition for an iteration statement that sequentially ref-
erences or updates the array elements to a condition for ensuring that array bounds are not ex ceeded,

158 P art3 T ypical C odin g E rrors in E m b edded S of tware

these conditions must be specified with a logical product. The logical sum, as shown in the above
ex ample, may cause the system to access outside the array bounds.

Ex ample 3: U sing a bitwise operation mistak enly instead of a logical operation

if (len1 & len2)

This is an example showing that bitwise A operator (&) has been written mistakenly instead
of a logical product operator (&&). The bitwise AN D operator does not mean that the conditions
are processed to gain a logical product. Make sure that the intention of the program is correctly de-
scribed.

5M istak es due to typos

Some operators in C language like = and == have completely different meaning even though they
do not differ that much. hen writing these operators, sufficient attention must be given to prevent
careless mistakes or typos.

Ex ample 1: W riting = operator instead of == operator

if (x = 0)

To check whether two values are equal or not, == must be written as the operator instead of =.
Rules to prevent such errors caused by typos include “ Assignment operators shall not be used in ex -
pressions to ex amine true or false.”
There are also reverse cases like a==b; where == operator is written mistakenly instead of = op-
erator. Easy mistake like this must also be carefully avoided.

6W rong descriptions that do not cause errors in some compilers

Each compiler has various characteristics of its own. N ote that some compilers do not cause com-
pile errors during compilation even if the program contains inappropriate descriptions.

E ample acro ith the same name that has multiple definitions
// Depending on where AAA is referenced, what is expanded varies

T ypical C odin g E rrors in E m b edded S of tware 159

 #define AAA 100
a = AAA; // 100 is assigned
#define AAA 10
b = AAA; // 10 is assigned

acro name defined by define will not become a compile error in some compilers even when it
is redefined without applying undef beforehand. acro name that may be processed differently de-
pending on where it is used should be avoided since it has the risk of impairing the readability of the
program.

Ex ample 2: W riting into the const area mistak enly

void func(const int *p) {
*p = 0; // Writing into the const area (error)

Some compilers do not cause a compile error even if the const area is rewritten. Programmers
should be careful not to rewrite the const area.

160 P art3 T ypical C odin g E rrors in E m b edded S of tware

 Appendices

Appendix A List of practices and rules

Appendix B Rule classification based on C language grammar

Appendix C Regarding the implementation-defined behaviors

 Appendix
Appendix A A
L istL of
istpractices
of practices and rules
and rules

[ eliability ] nitiali e areas and use them by ta ing their si es into consideration
P ractice in detail R ule P age

R 1 .1 U se areas af ter in itializ in g th em . R 1 .1 .1 A utom atic v ariab les sh all b e in itializ ed at th e tim e of 3 3
declaration , or th e in itial v alues sh all b e assign ed j ust
b ef ore usin g th em .

R 1 .1 .2 con st v ariab les sh all b e in itializ ed at th e tim e of decla- 3 3

ration .

R 1 .2 D escrib e in itializ ation s with out R 1 . 2. 1 3 4

in itializ ed with v alues th at m atch th e n um b er of th e ele-
m en ts.

R 1 . 2. 2 - 3 4

m em b er.

R 1 .3 R 1 .3 .1 3 5

sh all b e used f or ref eren ces an d assign m en ts to th e

allocated area.

R 1 .3 .2 3 6

R 1 .3 .3 3 7
-

structure.

R 1 .3 .4 3 7
【 】

162 A ppen dices

[ eliability ] Use data by ta ing their ranges si es and internal representations into consideration
P ractice in detail R ule P age
R 2. 1 - R 2. 1 . 1 3 9

R 2. 1 . 2 3 9
coun ter.

R 2. 1 . 3
un ion s.

R 2. 2 W h en v alues such as logical R 2. 2. 1

ran ge.

R 2. 3 - R 2. 3 . 1 - 4 1

R 2. 3 . 2 - 4 1

R 2. 3 . 3 4 2

R 2. 4 R 2. 4 . 1 4 2

R 2. 4 . 2 4 3

R 2. 5 R 2. 5 . 1 4 4
th e risk of in f orm ation loss.
-

A ppen dix A L ist of practices an d rules 163

 [ eliability ] Use data by ta ing their ranges si es and internal representations into consideration
P ractice in detail R ule P age
R 2. 5 R 2. 5 . 2 - 4 5
th e risk of in f orm ation loss. sion s.

R 2. 5 . 3 - 4 5

R 2. 5 . 4 4 6
m ore, an d less th an th e b it width of th e lef t- h an d side.

R 2. 6 R 2. 6 . 1 4 6
target data.
-

used.

R 2. 6 . 2

R 2. 7 R 2. 7 . 1 4 9
-

164 A ppen dices

[ eliability ] Use data by ta ing their ranges si es and internal representations into consideration
P ractice in detail R ule P age
R 2. 7 R 2. 7 . 2 5 2

【 】

R 2. 7 . 3 5 2

5 3

5 3
of argum en ts.【 】
-
gum en ts,《
》

5 4

[ eliability 3] 3 rite in a ay that ensures intended behavior

P ractice in detail R ule P age
R 3 .1 R 3 .1 .1 5 6
area siz e.

th e n um b er of elem en ts.

R 3 .1 .2 - 5 7

R 3 .1 .3 - 5 7

R 3 .1 .4
【 】

R 3 .1 .5
v ariab le.

argum en t.

A ppen dix A L ist of practices an d rules 165

 [ eliability 3] 3 rite in a ay that ensures intended behavior
P ractice in detail R ule P age
R 3 .2 R 3 . 2. 1 5 9
cause run tim e error f rom f allin g
in to error cases.

R 3 . 2. 2

R 3 .3 C h eck th e in terf ace restriction s R 3 .3 .1 I f a f un ction return s error in f orm ation , th en th at error
wh en a f un ction is called. in f orm ation sh all b e tested. 【 】

R 3 .3 .2 T h e f un ction sh all ch eck if th ere are con strain ts on 6 1

R 3 .4 R 3 .4 .1 6 2
【 】

R 3 .5 R 3 .5 .1 T h e else clause sh all b e written at th e en d of an if - else 6 3

an d describ e h ow to h an dle cases if statem en t. I f it is k n own th at th e else con dition does

sh all b e eith er on e of th e f ollowin g

《
th e else clause.

in th e else clause. 》

R 3 .5 .2 《T h e def ault clause sh all b e written at th e en d of 6 4

a switch statem en t. I f it is k n own th at th e def ault

th e def ault clause sh all b e eith er on e of th e f ollowin gs.

《
th e def ault clause.

in th e def ault clause. 》

R 3 .5 .3 6 5

R 3 .6 R 3 .6 .1 6 6
ev aluation . -
sion .

R 3 .6 .2 F un ction calls with side ef f ects an d v olatile v ariab les 6 7

166 A ppen dices

[ eliability 3] 3 rite in a ay that ensures intended behavior
P ractice in detail R ule P age
R 3 .6 R 3 .6 .3
ev aluation . h av e side ef f ect.

R 3 .1 1 B e caref ul with h ow to access th e R 3 . 1 1 . 1

th reads or sign als.

R 3 .1 1 .2 - 6 9

[ aintainability ] eep in mind that others ill read the program

P ractice in detail R ule P age
M 1 .1 M 1 .1 .1 7 3

M 1 .1 .2 7 3
【 】
《th e codin g
》

M 1 .2 M 1 . 2. 1 - 7 4

-
tion statem en t, b ut v ariab les with in itializ ation an d
v ariab les with out in itializ ation sh all n ot b e m ix ed.

M 1 . 2. 2 7 5

M 1 . 2. 3 7 5
literals sh all b e con caten ated with out usin g n ewlin es
with in th e strin g literal.

M 1 .3 D o n ot write in an un con v en tion al M 1 .3 .1 7 6

M 1 .3 .2 T h e case lab els an d def ault lab el in a switch statem en t 7 6

-

of th e switch statem en t.

A ppen dix A L ist of practices an d rules 167

 [ aintainability ] eep in mind that others ill read the program
P ractice in detail R ule P age
M 1 .3 D o n ot write in an un con v en tion al M 1 .3 .3 7 7
an d declaration s of f un ction s an d v ariab les.

M 1 .4 - M 1 .4 .1 7 7

M 1 .4 .2 《
》

M 1 .5 M 1 .5 .1
-
【
1 6 .9 】

M 1 .5 .2 7 9

M 1 .6 M 1 .6 .1 7 9

M 1 .6 .2

assign ed v alues sh all b e ref eren ced.

M 1 .7 D o n ot reuse n am es. M 1 .7 .1 -
n ess.

【 】

【 】

【 】
-
【 】
-
【 】

un ion m em b er n am es. 【 】

168 A ppen dices

[ aintainability ] eep in mind that others ill read the program
P ractice in detail R ule P age
M 1 .7 D o n ot reuse n am es. M 1 .7 .2 N am es f or f un ction s, v ariab les an d m acros in th e

M 1 .7 .3

-
sh all n ot con tain side ef f ects. 【 】
m isun derstan din g.

【 】

an d altern ativ e tok en s sh all n ot b e used.

digits lon g sh all n ot b e used as a con stan t.

M 1 .9 W h en writin g in an un con v en tion al M 1 . 9 . 1

to m ak e th em n oticeab le.

M 1 .9 .2 《 -

D o n ot em b ed m agic n um b ers.
a m acro.

M 1 .1 1 M 1 .1 1 .1

M 1 .1 1 .2
sh all b e declared as v olatile.

M 1 .1 1 .3 《

M 1 .1 2 M 1 . 1 2. 1 C orrect code sh all b e describ ed ev en if it is goin g to b e

A ppen dix A L ist of practices an d rules 169

 [ aintainability ] rite in a style that can prevent modification errors
P ractice in detail R ule P age
M 2. 1 M 2. 1 . 1 9 2
data an d b lock s.
-

M 2. 1 . 2 9 2
statem en ts sh all b e en closed in to b lock s.

M 2. 2 L ocaliz e access ran ges an d M 2. 2. 1 9 3

related data. with in th e f un ction .

M 2. 2. 2 9 4
..

M 2. 2. 3 9 4

M 2. 2. 4 9 5
related con stan ts.

[ aintainability3] 3 rite programs simply

P ractice in detail R ule P age
M 3 .1 M 3 .1 .1 9 7
【M I S R A
】

M 3 .1 .2

statem en t th at is in th e sam e b lock or with in th e

b lock en closin g th e goto statem en t.

M 3 .1 .4 9 9

I f th e case clause or def ault clause in a switch

statem en t is n ot goin g to b e en ded with a b reak
statem en t, 《 -
》an d th at com m en t sh all in stead b e in serted.

M 3 .1 .5
-

170 A ppen dices

[ aintainability3] 3 rite programs simply
P ractice in detail R ule P age
M 3 .2 O n e statem en t sh ould h av e on e M 3 . 2. 1
side ef f ect.
-
m en ts.

M 3 . 2. 2 -

M 3 .3 M 3 .3 .1 -
【 】

M 3 .3 .2 -

.【 】

M 3 .3 .3

-
-

M 3 .4 M 3 .4 .1

[ aintainability ] rite in a unified style

P ractice in detail R ule P age
M 4 .1 M 4 .1 .1 《

M 4 .2 - M 4 . 2. 1 《
m en ts. com m en ts, f un ction h eader com m en ts, en d of lin e

M 4 .3 M 4 .3 .1 《C on v en tion f or n am in g ex tern al v ariab les an d in tern al

M 4 .3 .2 《

M 4 .4 M 4 .4 .1 《 1 1 3
-
in g th em .

A ppen dix A L ist of practices an d rules 171

 [ aintainability ] rite in a unified style
P ractice in detail R ule P age
M 4 .4 M 4 .4 .2 《 1 1 4
-
in g th em .

M 4 .4 .3 1 1 5
-
scrib in g th eir declaration s sh all b e in cluded.

M 4 .4 .4 - 1 1 5
tion s.

M 4 .4 .5 1 1 6

M 4 .4 .6 1 1 6
redun dan t in clusion s. 《

M 4 .5 - M 4 .5 .1 - 1 1 7
tion s.
-

M 4 .5 .2 -

M 4 .5 .3

M 4 .6 - M 4 .6 .1 1 1 9
ers.

M 4 .7 - M 4 .7 .1
cessor directiv es.

172 A ppen dices

[ aintainability ] rite in a unified style
P ractice in detail R ule P age
M 4 .7 - M 4 .7 .2
cessor directiv es. 《th eir

M 4 .7 .3 1 21

M 4 .7 .5 1 21
b lock .【 】

M 4 .7 .6 # un def sh all n ot b e used. 【 】 1 22

M 4 .7 .7 1 23
【
】

[ aintainability ] rite in a style that ma es testing easy

P ractice in detail R ule P age
M 5 .1 M 5 .1 .1 《 - 1 25
to in v estigate th e - tion s an d f or recordin g logs in release m odules sh all b e

M 5 .1 .2 1 27
b e used. 【 】

【 】

M 5 .1 .3 F un ction sh all b e used rath er th an usin g f un ction - lik e

m acro.

M 5 .2 M 5 . 2. 1
《T h e m ax im um

[ Portability ] P rite in a style that is not dependent on the compiler

P ractice in detail R ule P age
P 1 .1 D o n ot use f un ction alities th at are P 1 .1 .1 - 1 3 3
- dard sh all n ot b e used.
-
dard are used,《th e f un ction alities used an d th eir
usage sh all b e docum en ted.

A ppen dix A L ist of practices an d rules 173

 [ Portability ] P rite in a style that is not dependent on the compiler
P ractice in detail R ule P age
P 1 .1 D o n ot use f un ction alities th at are P 1 .1 .2 《 1 3 3
- docum en ted. 【 】

P 1 .1 .3 《its 1 3 4
in terf ace sh all b e docum en ted an d its usage sh all b e
》

P 1 .2 P 1 . 2. 1 1 3 4

lan guage stan dard. 《th eir usage

》

P 1 . 2. 2 - 1 3 6
dard sh all b e used.

P 1 .3 P 1 .3 .1 - 1 3 6

- -

P 1 .3 .2 1 3 7

P 1 .3 .3

docum en ted. 【 】

P 1 .4 P 1 .4 .1 - 1 3 9

【 】

P 1 .4 .2 《 1 3 9

P 1 .4 .3

P 1 .5 P 1 .5 .1

174 A ppen dices

[ Portability ] P rite in a style that is not dependent on the compiler
P ractice in detail R ule P age
P 1 .5 P 1 .5 .2 1 4 1
v ariab le.

[ Portability ] P ocali e the code that has a problem ith portability

P ractice in detail R ule P age
P 2. 1 - P 2. 1 . 1 1 4 3
lan guage,《 》

P 2. 1 . 2 1 4 3
localiz in g th em af ter《 》.

P 2. 1 . 3 - 1 4 4

[ Efficiency ] E rite in a style that ta es account of resource and time efficiencies

P ractice in detail R ule P age
E 1 .1 E 1 .1 .1 1 4 9

E 1 .1 .2 - 1 4 9

E 1 .1 .3

E 1 .1 .4 《

A ppen dix A L ist of practices an d rules 175

 ppendi ule classification based on the language grammar

The rules are classified according to the C language grammar shown below.

N o. R ule
on th e gram m ar

1 .1 M 4 .1 .1 《

1 .2 C om m en ts M 4 . 2. 1 《

1 .3 N am in g M 1 .7 .1

【 】
【 】
【 】

un ion m em b er n am es.

M 1 .7 .2 N am es f or f un ction s, v ariab les an d m acros in th e

M 1 .7 .3

M 4 .3 .1 《C on v en tion f or n am in g ex tern al v ariab les an d in tern al v ariab les sh all b e

M 4 .3 .2 《

1 .4 M 4 .4 .1 《

M 4 .4 .2 《

M 4 .4 .3

M 4 .4 .5

176 A ppen dices

 N o. R ule
on th e gram m ar

1 .4 M 4 .4 .6
《

1 .5 C on stan ts M 1 . 2. 2
-

M 1 . 2. 3 -
en ated with out usin g n ewlin es with in th e strin g literal.

used as a con stan t.

1 .6 M 1 .1 .2

sh all n ot b e used.

M 1 .9 .1

M 5 .1 .3 F un ction sh all b e used rath er th an usin g f un ction - lik e m acro.

2. 1 R 2. 6 . 2

P 1 .3 .1
-

sign edn ess sh all b e used.

P 2. 1 . 3
《T h e

A ppen dix B 177

 N o. R ule
on th e gram m ar

2. 2 R 2. 1 . 3

M 1 .6 .2

ref eren ced.

M 1 .7 .2

M 4 .5 .2

2. 3 R 2. 6 . 1

used.

R 3 .1 1 .2

P 1 .3 .3

2. 4 R 1 . 2. 2

M 2. 2. 4

P 1 .3 .2

3 .1 I n itializ ation R 1 .1 .1 A utom atic v ariab les sh all b e in itializ ed at th e tim e of declaration , or th e in itial
v alues sh all b e assign ed j ust b ef ore usin g th em .

R 1 .1 .2 con st v ariab les sh all b e in itializ ed at th e tim e of declaration .

178 A ppen dices

 N o. R ule
on th e gram m ar

3 .1 I n itializ ation R 1 . 2. 1
m atch th e n um b er of th e elem en ts.

R 3 .1 .3
in dicated.

M 2. 1 . 1

M 4 .5 .3 -

in itializ ation is allowed.

3 .2 R 3 .1 1 .1 -
tiv e.

M 1 . 2. 1

2
b e declared in on e declaration statem en t, b ut v ariab les with in itializ ation
an d v ariab les with out in itializ ation sh all n ot b e m ix ed.

M 1 .6 .1

M 1 .1 1 .1

M 1 .1 1 .2 -
tile.

M 1 .1 1 .3 《

M 2. 2. 1

M 2. 2. 2 -

M 4 .4 .4

A ppen dix B 179

 N o. R ule
on th e gram m ar

3 .3

M 2. 2. 3
static.

M 4 .5 .1

3 .4 R 3 .1 .1

-
m en ts.

R 3 .1 .4 【 】

3 .5 M 1 .1 .1

M 1 .3 .3 -
tion s an d v ariab les.

4 .1 F un ction call R 3 .3 .1 I f a f un ction return s error in f orm ation , th en th at error in f orm ation sh all b e
tested 】

R 3 .3 .2

R 3 .4 .1

180 A ppen dices

 N o. R ule
on th e gram m ar

4 .2 P oin ter R 1 .3 .1

to th e allocated area.

R 1 .3 .2

R 1 .3 .3

sam e structure.

R 2. 7 . 1

R 2. 7 . 3 -
f orm ed.

R 3 . 2. 2

M 3 .4 .1

M 4 .6 .1

4 .3 C ast R 2. 4 . 2
-
f orm ed.

R 2. 7 . 2

A ppen dix B 181

 N o. R ule
on th e gram m ar

4 .4 R 2. 5 . 2

R 3 .1 .5

R 3 .6 .3 th at h av e side ef f ect.

M 1 .5 .1

4 .5 T h e f our arith m etic R 3 . 2. 1 -

4 .6 S h if t R 2. 5 . 4
b it width of th e lef t- h an d side.

4 .7 R 2. 1 . 1

R 2. 2. 1
ex am in e true or f alse.

M 1 .5 .2

R 2. 5 . 3

4 .9 M 1 .4 .1

-
f ects.

R 2. 3 . 2

4 .1 1 A ssign m en t R 2. 4 . 1
-

182 A ppen dices

 N o. R ule
on th e gram m ar

4 .1 1 A ssign m en t R 2. 5 . 1 -
-

M 3 .3 .3 
f alse.
《
》

4 . 1 2 C om m a M 3 . 2. 1
-

4 .1 3 R 3 .6 .1
ef f ect

R 3 .6 .2 F un ction calls with side ef f ects an d v olatile v ariab les sh all n ot b e describ ed
-
sion s.

M 1 .4 .2 《

4 .1 4 R 2. 3 . 1

5 . S tatem en t
5 .1 if statem en t R 3 .5 .1 T h e else clause sh all b e written at th e en d of an if - else if statem en t. I f it is

else caluse sh all b e eith er on e of th e f ollowin g

《
》

5 .2 switch statem en t R 3 .5 .2 《T h e def ault clause sh all b e written at th e en d of a switch statem en t. I f it is

def ault clause sh all b e eith er on e of th e f ollowin g.

《

M 1 .3 .1 -

A ppen dix B 183

 N o. R ule
on th e gram m ar
5 . S tatem en t
5 .2 switch statem en t M 1 .3 .2

M 3 .1 .4
en d with a b reak statem en t.

b e en ded with a b reak statem en t,

an d th at com m en t sh all in stead b e in serted

5 .3 R 2. 1 . 2

R 2. 3 . 3

R 3 .1 .2

n ot.

R 3 .5 .3 -

M 1 .9 .2 《

M 3 .1 .1

M 3 .3 .1
con trol.

M 3 .3 .2
.

5 .4 M 2. 1 . 2 -
closed in to b lock s.

M 3 .1 .2

declared af ter th e goto statem en t th at is in th e sam e b lock or with in th e

b lock en closin g th e goto statem en t.

M 3 .1 .5 A f un ction sh all en d with on e return statem en t.

184 A ppen dices

 N o. R ule
on th e gram m ar
5 . S tatem en t
5 .4 M 3 . 2. 2

6
6 .1 # if related M 4 .7 .2

M 4 .7 .3

M 4 .7 .7
【 】.

6 .2 # in clude P 1 .4 .1

P 1 .4 .2 《
》

P 1 .4 .3

P 1 .5 .1

6 .3 M acro
-
struct.

M 4 .7 .1 -

M 4 .7 .5
1 9 .5

M 4 .7 .6 # un def sh all n ot b e used.

6 .4

M 1 . 1 2. 1 -
cessor.

A ppen dix B 185

 N o. R ule
on th e gram m ar

6 .4 M 5 .1 .2

7 .1 P 1 .1 .1
th e
f un ction alities used an d th eir usage sh all b e docum en ted.

P 1 .1 .2 《
【 】

P 1 .1 .3 its in terf ace sh all b e docu-

P 1 . 2. 1
th eir

P 1 . 2. 2

P 1 .5 .2            

P 2. 1 . 1 h ow to lo-

code or describ in g th em usin g m acros.

P 2. 1 . 2
n in g th e m acros.

7 .2 P erf orm an ce R 1 .3 .4 【 】.

E 1 .1 .1

E 1 .1 .2

E 1 .1 .3 -
eters.

E 1 .1 .4 《

186 A ppen dices

 N o. R ule
on th e gram m ar

7 .3 - M 5 .1 .1 《
b ug

7 .4 O th er M 5 . 2. 1

A ppen dix B 187

 ppendi egarding the implementation-defined behaviors

C language standard has behaviors that are unspecified or undefined in its language specifications.
(Refer to Column nspecified ehavior and ndefined ehavior below.) Some of the
unspecified behaviors are defined by the compiler, and they are referred to as implementation-defined
behaviors . Every implementation-defined behavior is compiler-specific. In other words, it always
behaves the same way when it is processed by the same type of compiler.
hat this also means is that the behavior may not always be the same when it is processed by a
different type of compiler, even if the code written in the source program is the same. Therefore,
attention is necessary when the program is ported or when the compiler is changed. oreover, if the
programmers are used to working in an environment that only uses a specific type of compiler, they
may incorrectly assume that implementation-defined parts of the code used in their development
pro ect tare all specified in the C language standard and do not consider the possibility of changes
in their implementation-defined behaviors when a different type of compiler is used to process the
program that they write. To prevent them from causing any unexpected errors, it is desirable to check
and keep in mind which behaviors are implementation-defined before starting the programming
process.
Implementation-defined behaviors are normally listed in the manual of each compiler. Some of
the widely-known implementation-defined behaviors are outlined below.

epresentative implementation-defined behavior E ecution environment

A term that often appears in descriptions about implementation-defined behavior is freestanding

environment . Simply put, freestanding environment is an environment that does not have an
operating system. In such environment, the name and type of the function called at program startup
are implementation-defined. ormally, main function is called, but which function (invisible to
programmers) is called before the main function is called after program startup depends on the
compiler that is used.
oreover, when the main function is terminated or when the program is suspended because the
exit function is called, the subse uent behavior is implementation-defined. Although writing a
program that does not behave differently depending on the compiler used comes first and foremost,
it is also necessary for programmers to understand the different kinds of behaviors that can be
expected when they are implementation-defined and how they may affect the program execution.

epresentative implementation-defined behavior haracter code

Character codes are a set of values assigned respectively to the characters, symbols, etc. processed
in a computer. Each character coding system has one or more charts that show which character
corresponds to which character code in tabular form. In Table 1, the hori ontal axis of the chart
shows the upper 3-bit and the vertical axis shows the lower -bit. As to which character code system
will be used is implementation-defined. In case of alphabetic character A , for example, upper 3-bit

A ppen dix C 189

 is and lower -bit is 1 , which mean that the corresponding code is 0x 1 .
The explanation of the above example is based on ASCII (American Standard Code for
Information Interchange) 7-bit coding system. ut in case of E C IC (Extended inary Coded
ecimal Interchange Code), which is an -bit coding system as shown below in Table 2, the
corresponding code for alphabetic character A would be 0xC1 , and not 0x 1 as in ASCII.
High order bits High order bits
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 NUL DLE SP 0 @ P ` p 0 NUL DLE DS SP ＆ － ｛ ｝ ＼ 0
Lower order bits

Lower order bits

1 SOH DC1 ! 1 A Q a q 1 SOH DC1 SOS ／ ａ ｊ ～ Ａ Ｊ 1
2 STX DC2 " 2 B R b r 2 STX DC2 FS SYN ｂ ｋ ｓ Ｂ Ｋ Ｓ 2
3 ETX DC3 ♯ 3 C S c s 3 ETX TM ｃ ｌ ｔ Ｃ Ｌ Ｔ 3
4 EOT DC4 $ 4 D T d t 4 PF RES BYP PN ｄ ｍ ｕ Ｄ Ｍ Ｕ 4
5 ENQ NAK ％ 5 E U e u 5 HT NL LF RS ｅ ｎ ｖ Ｅ Ｎ Ｖ 5
6 ACK SYN ＆ 6 F V f v 6 LC BS ETB UC ｆ ｏ ｗ Ｆ Ｏ Ｗ 6
7 BEL ETB ´ 7 G W g w 7 DEL IL ESC EOT ｇ ｐ ｘ Ｇ Ｐ Ｘ 7
8 BS CAN ( 8 H X h x 8 CAN ｈ ｑ ｙ Ｈ Ｑ Ｙ 8
9 HT EM ) 9 I Y i y 9 EM ` ｉ ｒ ｚ Ｉ Ｒ Ｚ 9
A LF SUB * : J Z j z A SMM CC SM ￠ ！ ｜ ：
B VT ESC + ; K [ k { B VT CU1 CU2 CU3 ・ ＄ ， ＃
C FF FS , < L ＼ l | C FF IFS DC4 ＜ ＊ ％ ＠
D CR GS - = M ] m } D CR IGS ENQ NAK （ ） ＿ ’
E SO RS . > N ^ n ~ E SO IRS ACK ＋ ； ＞ ＝
F SI US / ? O ＿ o DEL F SI IUS BEL SUB │ ┐ ？ ”
Table 1 ASCII code chart Table 2 EBCDIC code chart

As you can see, the code used for representing each character varies with each character coding
system. Therefore, close attention is re uired on how the compiler processes the characters when
the character coding system used in the translation environment (environment where the source
program is processed) differs from the character coding system used in the execution environment
(environment where the execution files are processed for operation).
In case of Japanese characters (hiragana, kan i, etc.), a character code composed of 2 bytes or
more is assigned to each character. There are multiple character coding systems that handle Japanese
characters. At present, many personal computers in Japan use the character coding system called
Shift JIS that expresses each Japanese character as a double-byte character. Since the value assigned
to each Japanese character varies with each character coding system, close attention is necessary on
how the compiler handles the Japanese characters.
Another character coding system that began to be widely used in recent years is nicode, which
has been developed to handle the characters of different languages in the world including Japanese
in a unified manner. In nicode, one character may be expressed with 1 byte or multiple bytes (up
to 6 bytes). There are mainly three coding systems in nicode that define the method of expressing
each character (encoding method), which are as follows

1. T - All the characters covered in ASCII are expressed with 1 byte. The rest are expressed in
variable length (from 2 bytes to 6 bytes).
2. T -16 ses 16-bit as a unit to express each character. All the characters are expressed either in
one unit (16-bit) or two units (32-bit).
3. T -32 All the characters are expressed in a fixed length of 32-bit only.

190 A ppen dices

 C language has been extending its features by using wide character , which has been introduced
to handle the characters expressed in multiple bytes in specific character coding systems respectively
with an integer of a fixed bit length. or example, in C , wchar t has been introduced as a type for
wide character, and libraries that supports wide characters have been added.
Example of a library that supports wide characters

int vwprintf (const wchar_t * restrict format, va_list arg);

// A version of printf that supports wide character

In C11, char16_t (2-byte length) and char32_t ( -byte length) have been added as types that
support wide characters.
The si e of wchar t and the character codes that correspond respectively to wide character types
are implementation-defined. In C11, however, two macros, __STDC_UTF_16__ and __STDC_
UTF_32__ have been introduced, and when these macros are defined, char16_t and char32_t are
encoded respectively according to T -16 and T -32.

eside the behavioral differences expected with the character coding system used, attention is also
necessary, for example, when kan i characters are expressed in Shift JIS. In Shift JIS, each Japanese
character is encoded in two bytes. ut there are some Japanese characters whose second byte is the
same as (back slash or ¥ ) in ASCII. or example, the character code that corresponds to the
kan i character 表 is 0x c in Shift JIS. The second byte 0x c in Shift JIS corresponds to
in ASCII. (See Table 1).
If the compiler used does not support Shift JIS, double-byte characters will be recogni ed as
single-byte characters. In case of double-byte kan i character 表 , it will be processed as escape
se uence since the compiler will recogni e this character as . As a result, the character may be
displayed differently from the intended representation (making it garbled, etc.)

Example
Source code printf(" 表 \n"); // Byte sequence: 0x95 0x5c 0x5c 0x6e
// → 0x5c 0x5c(\\) becomes 0x5c(\).
utput 表n // Byte sequence: 0x95 0x5c 0x6e
// Actually intended to begin a new line after " 表 "

epresentative implementation-defined behavior 3 Pointer and address

Address with an absolute value is often written in the program for embedded software. A pointer
is used to access a specific address. In the following case, for example, the calculation re uires an
integer to be assigned to a pointer (or vice versa).

unsigned char *addrp = (unsigned char *)0xffff0123L;

The execution code actually used for such conversion between an integer and pointer is
implementation-defined. oreover, the si e of the address value is also implementation-defined.
These behaviors not only depend on the compiler used, but are also largely dependent on the actual
architecture of the processor used for program execution.

A ppen dix C 191

 epresentative implementation-defined behavior rray

The si e resulting after subtraction of two pointers to the element in the same array is not
necessarily guaranteed as the si e (bit length) applied to the address. It is implementation-defined.
C language standard IS IEC 1 defines ptrdiff_t in <stddef.h> as the type of the
result of subtracting two pointers.

epresentative implementation-defined behavior nteger

hether the signed integer type will be expressed as sign and magnitude representation, ones
complement representation or two s complement representation is implementation-defined.
Therefore, in the following example,
if (( int al & 0x 0000000 ) == 0x 0000000 ) { // if the most significant bit is 1

expected behavior will occur only if the compiler processes the most significant bit of the signed
integer type as representation of the sign bit ( 1 if the value is negative).
oreover, whether the extraordinary value is a trap representation or an ordinary value is also
implementation-defined. Extraordinary value refers to the calculation result that is a value that
does not fit in the si e of the variable. If the variable is unsigned, and the calculation result exceeds
the variable representation range, the actual result in that variable will be the remainder of the
calculation result divided by the maximum representable value of that variable 1. Take an unsigned
-bit variable for example. If the calculated value is 2 7, the remainder of the value 2 7 divided by
2 6 (the maximum representable value of -bit variable 1) that is 1 will be the calculation result.
This behavior is called wrap around .
n the other hand, if the variable is signed, and the calculation result exceeds the variable
representation range, an overflow will occur. In this case, the compiler may either represent the
calculation result in the same way as the case with unsigned variable (as the value left in the
variable) or process it as trap representation, which is a bit pattern specially defined in the system for
internal processing. If the system is using two s complement, the most significant bit of the pattern
defined as trap representation will be 1 and the rest will all be 0.

epresentative implementation-defined behavior it field

The so-called embedded C compiler can use the bit field of a si e of unsigned -bit. It is fre uently
used to access the processor registers where bits are assigned to microcontroller functions.
owever, how the bit field is used is implementation-defined. There is no guarantee that a
behavior that was normal with a specific compiler will be the same when a different compiler is
used. oreover, whether the bit se uence will be in the ascending order from 0 set as the most
significant bit or as the least significant bit is also implementation-defined.
urthermore, even when the bit field is used, whether the actual execution code will command bit
access to, such as, internal registers or not is also implementation-defined. The execution code may
command a read-modify-write operation that accesses the byte that includes that bit, and cause an
unexpected failure.

192 A ppen dices

 epresentative implementation-defined behavior ccess to volatile ualified type object

volatile ualifier is used to suppress the optimi ation of the compiler. or example, to wait for
interrupt, there is a code somewhere in the interrupt handler that sets InterruptFlag to 1, as shown
below in the while loop, which does the polling.

while ( InterruptFlag == 0 ) { ; }

In this case, the process to make the variable, InterruptFlag, a value of 1 is not in this loop.
The compiler may optimi e and transform the loop into a simple infinite loop. volatile ualifier
can prevent the compiler from optimi ing in this way.
volatile ualified ob ect implicitly indicates that it may be processed without being recogni ed
by the compiler. ow the execution code configures the access to volatile ualified ob ect is
implementation-defined.

epresentative implementation-defined behavior Preprocessing directives

There are various preprocessing directives that are implementation-defined, as outlined below.
• ethod of corresponding each of the header names specified in series by or to either
the header or the name of the external source file
• hether the value of the character constant of the constant e uation that controls the
conditional include matches with the value of the same character constant in the execution
character set
• hether the character constant of a single character of the constant e uation controls the
conditional include takes a negative value or not
• ethod of forming the header name from the preprocessing token in the include directive
(which may also be generated from macro expansion)
• esting limitation when processing #include
• hether is inserted in front of that is the first character of a universal character name
or not when operator is in the character constant or string constant
• ehavior of non-ST C #pragma
rom C (IS IEC 1 ), a specific #pragma directive was defined additionally as a
standard directive in C language. This is called ST C (standard C) #pragma directive .
Any #pragma that is not ST C is implementation-defined.
• ow the __DATE__ and __TIME__ are processed when the translated date and time are not
known.

A ppen dix C 193

 epresentative implementation-defined behavior thers

Even when inline instruction or register ualifier is specified, whether it will be forced or not is
implementation-defined.
To learn about other implementation-defined behaviors that have not been mentioned above, refer
to the manual of the compiler (of the precise version) used in the development.

194 A ppen dices

 olumn Unspecified behavior and undefined behavior

In C language, there are four kinds of behavior that re uire particular attention.
Unspecified behavior
Undefined behavior
3 mplementation-defined behavior
ocale-specific behavior
( or details, refer to C language standard IS IEC 1 rogramming anguage
C Annex J.)

nspecified behavior and undefined behavior are alike, but do not mean the same, as
explained below.

Unspecified behavior
There are some behaviors that are grammatically correct (and therefore will not be
processed as error) but have alternative execution results depending on which alternative
the compiler chooses to process. These behaviors are collectively referred to as unspecified
behavior . or example, the order of evaluating the actual argument to a function may differ
depending on the choice made by the compiler.

printf("%d %d ¥n", i, i++);

In case of the above code, the result displayed will differ depending on whether i or i++ is
evaluated first. To gain an overall knowledge about what kind of behavior is unspecified, refer
to the list under J.1 in IS IEC 1 . escriptions that will cause unspecified behavior
should be avoided as much as possible.

Undefined behavior
ndefined behavior refers to a set of behaviors that are not defined in C language standard.
or example, the behavior of division by ero is undefined. To gain an overall knowledge
about what kind of behavior is unspecified, refer to the list under J.2 in IS IEC 1 .
Any descriptions that cause undefined behavior must be avoided by all means, since the
behavior resulting from any of such descriptions is not defined in the language standard.
There is a need to know beforehand which undefined behavior can be detected or not by the
static analysis tool that is going to be used for the development.

195
 Ci t a t i o n s a n d Re f e r e n c e s

[1] ISO /IEC 25 010:2011, Systems and software enginieering -- Systems and software Q uality Requirements and
Evaluation (SQ uaRE) -- System and software quality models.
[2] ISO /IEC 9899:1990, Programming languages – C, ISO /IEC 9899:1990/Cor 1:1994, ISO /IEC 9899:1990/Cor 2:1996 ,
ISO /IEC 9899:1990/Amd 1:1995 , C Integrity
[3] ISO /IEC 9899:1999, Programming languages – C, ISO /IEC 9899/Cor1:2001
[4] ISO /IEC 14882:2003, Programming languages – C++
[5 ] “ MISRA Guidelines for the U se of the C L anguage in Vehicle B ased Software” , The Motor Industry Software
Reliability Association, ISB N 0-95 2415 6 -9-0, Apr. 1998, https://www.misra.org.uk
[6 ] “ MISRA-C:2004 Guidelines for the U se of the C L anguage in Critical Systems” , The Motor Industry Software
Reliability Association, ISB N 0-95 2415 6 -2-3, O ct. 2004, https://www.misra.org.uk
[7 ] “ MISRA C:2012 Guidelines for the U se of the C L anguage in Critical Systems” ,March. 2013, ISB N 97 8-1-906 400-
10-1 / Amendment 1, April 2016 / Addendum 2, April 2016 / Technical Corrigendum 1, June 2017 , https://www.
misra.org.uk
[8] “ Indian Hill Style and Coding Standards” , ftp://ftp.cs.utoronto.ca/doc/programming/ihstyle.ps
[9] “ comp.lang.c Frequently Asked Q uestions” , http://www.eskimo.com/~ scs/C-faq/top.html
[10] “ GN U coding standards” , Free Software Foundation, http://www.gnu.org/prep/standards/
[11] “ The C Programming L anguage, Second Edition” , B rian W. Kernighan and D ennis M. Ritchie, ISB N 0-13-11036 2-
8, Prentice Hall PTR, Mar. 1988
[12] “ Writing Solid Code: Microsoft' s Techniques for D eveloping B ug-Free C Programs” , Steve Maguire, ISB N
1-5 5 6 15 -5 5 1-4, Microsoft Press, May. 1993
[13] “ The Practice of Programming” , B rian W. Kernighan and Rob Pike, ISB N 0-201-6 15 86 -X , Addison-Wesley
Professional, Feb. 1999
[14] “ L inux kernel coding style” , http://www.kernel.org/doc/D ocumentation/CodingStyle
[15 ] “ C Style Standards and uidelines efining rogramming Standards for rofessional C rogrammers” , D avid
Straker, ISB N 0-1311-6 898-3, Prentice Hall, Jan. 1992
[16 ] “ C Programming FAQ s:Frequently Asked Q uestions” , Addison-Wesley Professional, N ov. 1995 . ISB N
97 80201845 198, Steve Summit
[17 ] “ C STYL E GU ID E (SO FTWARE EN GIN EERIN G L AB O RATO RY SERIES SEL -94-003)” , N ASA, Aug. 1994,
http://sel.gsfc. nasa.gov/website/documents/online-doc/94-003.pdf
[18] “ The CERT® C Secure Coding Standard” , Robert C. Seacord, ISB N 97 8-03215 6 3217 , Addison-Wesley Professional,
O ct. 2008 (SEI CERT C Coding Standard, 2016 Edition)

196
V er. 1. 0 & V er. 1. 1 A uthors and editors ( in alp habetical order)
AO KI N ao IPA/SEC
EN D O Arisa IPA/SEC
EN D O U Ryuj i Mitsubishi Space Software Co., L td.
FU RU YAMA Hisaki Matsushita Electric Industrial Co., L td.
FU TAGAMI Takao TO YO Corporation
HACHIYA Shouichi GAIA System Solutions Inc.
HAYASHID A Seij i TO SHIB A CO RPO RATIO N
HIRAYAMA Masayuki IPA/SEC
MITSU HASHI Fusako N EC Electronics Corporation
MU RO Shuj i IPA/SEC
N AMIKI Rieko O GIS-RI Co., L td.
O HN O Katsumi IPA/SEC
O HSHIMA Kenj i Ricoh Company, L td.
SHISHID O Fumio eSO L Co., L td.
U ED A N aoko Fuj itsu L imited
U N O Musubi Matsushita Electric Industrial Co., L td.

V er. 2 . 0 & V er. 3 . 0 A uthors and editors ( in alp habetical order)

FU TAGAMI Takao TO YO Corporation
ITO H Masako Fuj itsu L imited
MIHARA Yukihiro IPA/SEC
MITSU HASHI Fusako N EC Corporation
N ISHIYAMA Hiroyasu Hitachi, L td.
SHU KU GU CHI Masahiro eSO L Co., L td. / eSO L TRIN ITY Co., L td.
TACHI N obuyuki N agoya U niversity
TO YAMA Keisuke IPA/SEC
( rgani ational affiliations are as of the publication of Japanese edition.)

Contributors to E ng lish translation v ersion

SHIMIZ U Tatsuo Shimizu International
TO YAMA Keisuke IPA/SEC

Written and edited by Software Reliability Enhancement Center,

Technology Headquarters, Information-technology Promotion Agency, Japan

R ef eren ces 197

ESCR
【Rev ised edition】
Embedded System dev elopment Coding Reference guide [ C language edition]
V er. 3.0

M arch 28 , 20 1 8

W ritten an d edited b y S of tware R eliab ility E n h an cem en t C en ter,

T ech n ology Headquarters, I n f orm ation - tech n ology P rom otion A gen cy, J apan

B un k yo G reen C ourt C en ter O f f ice

2- 28 - 8 Hon k om agom e, B un k yo- k u, T ok yo, 1 1 3 - 6 5 9 1 J apan
h ttps: / / www. ipa. go. j p/ en glish / sec/

© 20 1 8 , I P A / S E C