MISRA C++ 2008 Checklist

MISRA, the Motor Industry Software Reliability Association, provides world-leading best practice guidelines for the safe application of both embedded control systems and standalone software. The association is a collaboration between manufacturers, component suppliers and engineering consultancies which seeks to promote best practices in developing safety-related embedded electronic systems and other software-intensive applications.

The Imagix MISRA C++ 2008 checklist provides a guided checklist review of the rules in the current version of the standard, MISRA C++:2008. The review covers all rules except the template rules of chapter 14 (Rules 14-5-1 through 14-8-2), and is fully automated with the following exceptions. The ⚯ symbol marks rules that have no automated steps and instead ask the user to attach documentation. Compliance with rules marked ☑ is not fully decidable by static analysis, so the corresponding checks include a user review step to eliminate potential false positives.

Software being reviewed with this checklist should be loaded into Imagix 4D with the -nosys option disabled and the -nosysbodies option enabled.

"MISRA", "MISRA C" and the triangle logo are registered trademarks owned by HORIBA MIRA Ltd, held on behalf of the MISRA Consortium.

MISRA C++ Rules

Rule 0-1-1: A project shall not contain unreachable code.
Rule 0-1-2: A project shall not contain infeasible paths.
Rule 0-1-3: A project shall not contain unused variables.
Rule 0-1-4: A project shall not contain non-volatile POD variables having only one use.
Rule 0-1-5: A project shall not contain unused type declarations.
Rule 0-1-6: A project shall not contain instances of non-volatile variables being given values that are never subsequently used.
Rule 0-1-7: The value returned by a function having a non-void return type that is not an overloaded operator shall always be used.
Rule 0-1-8: All functions with void return type shall have external side effect(s).
Rule 0-1-9: There shall be no dead code.
Rule 0-1-10: Every defined function shall be called at least once.
Rule 0-1-11: There shall be no unused parameters (named or unnamed) in non-virtual functions.
Rule 0-1-12: There shall be no unused parameters (named or unnamed) in the set of parameters for a virtual function and all the functions that override it.
Rule 0-2-1: An object shall not be assigned to an overlapping object.
Rule 0-3-1: Minimization of run-time failures shall be ensured.
Rule 0-3-2: If a function generates error information, then that error information shall be tested.
Rule 0-4-1: Use of scaled-integer or fixed-point arithmetic shall be documented.
Rule 0-4-2: Use of floating-point shall be documented.
Rule 0-4-3: Floating-point implementations shall comply with a defined floating-point standard.
Rule 1-0-1: All code shall conform to ISO/IEC 14882:2003 "The C++ Standard Incorporating Technical Corrigendum 1".
Rule 1-0-2: Multiple compilers shall only be used if they have a common, defined interface.
Rule 1-0-3: The implementation of integer division in the chosen compiler shall be determined and documented.
Rule 2-2-1: The character set and the corresponding encoding shall be documented.
Rule 2-3-1: Trigraphs shall not be used.
Rule 2-5-1: Digraphs should not be used.
Rule 2-7-1: The character sequence /* shall not be used within a C-style comment.
Rule 2-7-2: Sections of code shall not be "commented out" using C-style comments.
Rule 2-7-3: Sections of code should not be "commented out" using C++ comments.
Rule 2-10-1: Different identifiers shall be typographically unambiguous.
Rule 2-10-2: Identifiers declared in an inner scope shall not hide an identifier declared in an outer scope.
Rule 2-10-3: A typedef name (including qualifications, if any) shall be a unique identifier.
Rule 2-10-4: A class, union or enum name (including qualifications, if any) shall be a unique identifier.
Rule 2-10-5: The identifier name of a non-member object or function with static storage duration should not be reused.
Rule 2-10-6: If an identifier refers to a type, it shall not also refer to an object or a function in the same scope.
Rule 2-13-1: Only those escape sequences that are defined in ISO/IEC 14882:2003 shall be used.
Rule 2-13-2: Octal constants (other than zero) and octal escape sequences (other than "\0") shall not be used.
Rule 2-13-3: A "U" suffix shall be applied to all octal or hexadecimal integer literals of unsigned type.
Rule 2-13-4: Literal suffixes shall be upper case.
Rule 2-13-5: Narrow and wide string literals shall not be concatenated.
Rule 3-1-1: It shall be possible to include any header file in multiple translation units without violating the One Definition Rule.
Rule 3-1-2: Functions shall not be declared at block scope.
Rule 3-1-3: When an array is declared, its size shall either be stated explicitly or defined implicitly by initialization.
Rule 3-2-1: All declarations of an object or function shall have compatible types.
Rule 3-2-2: The One Definition Rule shall not be violated.
Rule 3-2-3: A type, object or function that is used in multiple translation units shall be declared in one and only one file.
Rule 3-2-4: An identifier with external linkage shall have exactly one definition.
Rule 3-3-1: Objects or functions with external linkage shall be declared in a header file.
Rule 3-3-2: If a function has internal linkage then all re-declarations shall include the static storage class specifier.
Rule 3-4-1: An identifier declared to be an object or type shall be defined in a block that minimizes its visibility.
Rule 3-9-1: The types used for an object, a function return type, or a function parameter shall be token-for-token identical in all declarations and re-declarations.
Rule 3-9-2: typedefs that indicate size and signedness should be used in place of the basic numerical types.
Rule 3-9-3: The underlying bit representations of floating-point values shall not be used.
Rule 4-5-1: Expressions with type bool shall not be used as operands to built-in operators other than the assignment operator =, the logical operators &&, ||, !, the equality operators == and !=, the unary & operator, and the conditional operator.
Rule 4-5-2: Expressions with type enum shall not be used as operands to built-in operators other than the subscript operator [ ], the assignment operator =, the equality operators == and !=, the unary & operator, and the relational operators <, <=, >, >=.
Rule 4-5-3: Expressions with type (plain) char and wchar_t shall not be used as operands to built-in operators other than the assignment operator =, the equality operators == and !=, and the unary & operator.
Rule 4-10-1: NULL shall not be used as an integer value.
Rule 4-10-2: Literal zero (0) shall not be used as the null-pointer-constant.
Rule 5-0-1: The value of an expression shall be the same under any order of evaluation that the standard permits.
Rule 5-0-2: Limited dependence should be placed on C++ operator precedence rules in expressions.
Rule 5-0-3: A cvalue expression shall not be implicitly converted to a different underlying type.
Rule 5-0-4: An implicit integral conversion shall not change the signedness of the underlying type.
Rule 5-0-5: There shall be no implicit floating-integral conversions.
Rule 5-0-6: An implicit integral or floating-point conversion shall not reduce the size of the underlying type.
Rule 5-0-7: There shall be no explicit floating-integral conversions of a cvalue expression.
Rule 5-0-8: An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression.
Rule 5-0-9: An explicit integral conversion shall not change the signedness of the underlying type of a cvalue expression.
Rule 5-0-10: If the bitwise operators ~ and << are applied to an operand with an underlying type of unsigned char or unsigned short, the result shall be immediately cast to the underlying type of the operand.
Rule 5-0-11: The plain char type shall only be used for the storage and use of character values.
Rule 5-0-12: signed char and unsigned char type shall only be used for the storage and use of numeric values.
Rule 5-0-13: The condition of an if-statement and the condition of an iteration-statement shall have type bool.
Rule 5-0-14: The first operand of a conditional-operator shall have type bool.
Rule 5-0-15: Array indexing shall be the only form of pointer arithmetic.
Rule 5-0-16: A pointer operand and any pointer resulting from pointer arithmetic using that operand shall both address elements of the same array.
Rule 5-0-17: Subtraction between pointers shall only be applied to pointers that address elements of the same array.
Rule 5-0-18: >, >=, <, <= shall not be applied to objects of pointer type, except where they point to the same array.
Rule 5-0-19: The declaration of objects shall contain no more than two levels of pointer indirection.
Rule 5-0-20: Non-constant operands to a binary bitwise operator shall have the same underlying type.
Rule 5-0-21: Bitwise operators shall only be applied to operands of unsigned underlying type.
Rule 5-2-1: Each operand of a logical && or || shall be a postfix-expression.
Rule 5-2-2: A pointer to a virtual base class shall only be cast to a pointer to a derived class by means of dynamic_cast.
Rule 5-2-3: Casts from a base class to a derived class should not be performed on polymorphic types.
Rule 5-2-4: C-style casts (other than void casts) and functional notation casts (other than explicit constructor calls) shall not be used.
Rule 5-2-5: A cast shall not remove any const or volatile type of a pointer or reference.
Rule 5-2-6: A cast shall not convert a pointer to a function to any other pointer type, including a pointer to function type.
Rule 5-2-7: An object with pointer type shall not be converted to an unrelated pointer type, either directly or indirectly.
Rule 5-2-8: An object with integer type or pointer to void type shall not be converted to an object with pointer type.
Rule 5-2-9: A cast should not convert a pointer type to an integral type.
Rule 5-2-10: The increment (++) and decrement (--) operators should not be mixed with other operators in an expression.
Rule 5-2-11: The comma operator, && operator and the || operator shall not be overloaded.
Rule 5-2-12: An identifier with array type passed as a function argument shall not decay to a pointer.
Rule 5-3-1: Each operand of the ! operator, the logical && or the logical || operators shall have type bool.
Rule 5-3-2: The unary minus operator shall not be applied to an expression whose underlying type is unsigned.
Rule 5-3-3: The unary & operator shall not be overloaded.
Rule 5-3-4: Evaluation of the operand to the sizeof operator shall not contain side effects.
Rule 5-8-1: The right hand operand of a shift operator shall lie between zero and one less than the width in bits of the underlying type of the left hand operand.
Rule 5-14-1: The right hand operand of a logical && or || operator shall not contain side effects.
Rule 5-17-1: The semantic equivalence between a binary operator and its assignment operator form shall be preserved.
Rule 5-18-1: The comma operator shall not be used.
Rule 5-19-1: Evaluation of constant unsigned integer expressions should not lead to wrap-around.
Rule 6-2-1: Assignment operators shall not be used in sub-expressions.
Rule 6-2-2: Floating-point expressions shall not be directly or indirectly tested for equality or inequality.
Rule 6-2-3: Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided that the first character following the null statement is a white-space character.
Rule 6-3-1: The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement.
Rule 6-4-1: An if ( condition ) construct shall be followed by a compound statement. The else keyword shall be followed by either a compound statement, or another if statement.
Rule 6-4-2: All if ... else if constructs shall be terminated with an else clause.
Rule 6-4-3: A switch statement shall be a well-formed switch statement.
Rule 6-4-4: A switch-label shall only be used when the most closely-enclosing compound statement is the body of a switch statement.
Rule 6-4-5: An unconditional throw or break statement shall terminate every non-empty switch-clause.
Rule 6-4-6: The final clause of a switch statement shall be the default-clause.
Rule 6-4-7: The condition of a switch statement shall not have bool type.
Rule 6-4-8: Every switch statement shall have at least one case-clause.
Rule 6-5-1: A for loop shall contain a single loop-counter which shall not have floating type.
Rule 6-5-2: If loop-counter is not modified by -- or ++, then, within condition, the loop-counter shall only be used as an operand to <=, <, > or >=.
Rule 6-5-3: The loop-counter shall not be modified within condition or statement.
Rule 6-5-4: The loop-counter shall be modified by one of --, ++, -=n, or +=n; where n remains constant for the duration of the loop.
Rule 6-5-5: A loop-control-variable other than the loop-counter shall not be modified within condition or expression.
Rule 6-5-6: A loop-control-variable other than the loop-counter which is modified in statement shall have type bool.
Rule 6-6-1: Any label referenced by a goto statement shall be declared in the same block, or in a block enclosing the goto statement.
Rule 6-6-2: The goto statement shall jump to a label declared later in the same function body.
Rule 6-6-3: The continue statement shall only be used within a well-formed for loop.
Rule 6-6-4: For any iteration statement there shall be no more than one break or goto statement used for loop termination.
Rule 6-6-5: A function shall have a single point of exit at the end of the function.
Rule 7-1-1: A variable which is not modified shall be const qualified.
Rule 7-1-2: A pointer or reference parameter in a function shall be declared as pointer to const or reference to const if the corresponding object is not modified.
Rule 7-2-1: An expression with enum underlying type shall only have values corresponding to the enumerators of the enumeration.
Rule 7-3-1: The global namespace shall only contain main, namespace declarations and extern "C" declarations.
Rule 7-3-2: The identifier main shall not be used for a function other than the global function main.
Rule 7-3-3: There shall be no unnamed namespaces in header files.
Rule 7-3-4: using-directives shall not be used.
Rule 7-3-5: Multiple declarations for an identifier in the same namespace shall not straddle a using-declaration for that identifier.
Rule 7-3-6: using-directives and using-declarations (excluding class scope or function scope using-declarations) shall not be used in header files.
Rule 7-4-1: All usage of assembler shall be documented.
Rule 7-4-2: Assembler instructions shall only be introduced using the asm declaration.
Rule 7-4-3: Assembly language shall be encapsulated and isolated.
Rule 7-5-1: A function shall not return a reference or a pointer to an automatic variable (including parameters), defined within the function.
Rule 7-5-2: The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist.
Rule 7-5-3: A function shall not return a reference or a pointer to a parameter that is passed by reference or const reference.
Rule 7-5-4: Functions should not call themselves, either directly or indirectly.
Rule 8-0-1: An init-declarator-list or a member-declarator-list shall consist of a single init-declarator or member-declarator respectively.
Rule 8-3-1: Parameters in an overriding virtual function shall either use the same default arguments as the function they override, or else shall not specify any default arguments.
Rule 8-4-1: Functions shall not be defined using the ellipsis notation.
Rule 8-4-2: The identifiers used for the parameters in a re-declaration of a function shall be identical to those in the declaration.
Rule 8-4-3: All exit paths from a function with non-void return type shall have an explicit return statement with an expression.
Rule 8-4-4: A function identifier shall either be used to call the function or it shall be preceded by a &.
Rule 8-5-1: All variables shall have a defined value before they are used.
Rule 8-5-2: Braces shall be used to indicate and match the structure in the non-zero initialization of arrays and structures.
Rule 8-5-3: In an enumerator list, the = construct shall not be used to explicitly initialize members other than the first, unless all items are explicitly initialized.
Rule 9-3-1: const member functions shall not return non-const pointers or references to class-data.
Rule 9-3-2: Member functions shall not return non-const handles to class-data.
Rule 9-3-3: If a member function can be made static then it shall be made static, otherwise if it can be made const then it shall be made const.
Rule 9-5-1: Unions shall not be used.
Rule 9-6-1: When the absolute positioning of bits representing a bit-field is required, then the behaviour and packing of bit-fields shall be documented.
Rule 9-6-2: Bit-fields shall be either bool type or an explicitly unsigned or signed integral type.
Rule 9-6-3: Bit-fields shall not have enum type.
Rule 9-6-4: Named bit-fields with signed integer type shall have a length of more than one bit.
Rule 10-1-1: Classes should not be derived from virtual bases.
Rule 10-1-2: A base class shall only be declared virtual if it is used in a diamond hierarchy.
Rule 10-1-3: An accessible base class shall not be both virtual and non-virtual in the same hierarchy.
Rule 10-2-1: All accessible entity names within a multiple inheritance hierarchy should be unique.
Rule 10-3-1: There shall be no more than one definition of each virtual function on each path through the inheritance hierarchy.
Rule 10-3-2: Each overriding virtual function shall be declared with the virtual keyword.
Rule 10-3-3: A virtual function shall only be overridden by a pure virtual function if it is itself declared as pure virtual.
Rule 11-0-1: Member data in non-POD class types shall be private.
Rule 12-1-1: An object's dynamic type shall not be used from the body of its constructor or destructor.
Rule 12-1-2: All constructors of a class should explicitly call a constructor for all of its immediate base classes and all virtual base classes.
Rule 12-1-3: All constructors that are callable with a single argument of fundamental type shall be declared explicit.
Rule 12-8-1: A copy constructor shall only initialize its base classes and the non-static members of the class of which it is a member.
Rule 12-8-2: The copy assignment operator shall be declared protected or private in an abstract class.
Rule 15-0-1: Exceptions shall only be used for error handling.
Rule 15-0-2: An exception object should not have pointer type.
Rule 15-0-3: Control shall not be transferred into a try or catch block using a goto or a switch statement.
Rule 15-1-1: The assignment-expression of a throw statement shall not itself cause an exception to be thrown.
Rule 15-1-2: NULL shall not be thrown explicitly.
Rule 15-1-3: An empty throw (throw;) shall only be used in the compound-statement of a catch handler.
Rule 15-3-1: Exceptions shall be raised only after start-up and before termination of the program.
Rule 15-3-2: There should be at least one exception handler to catch all otherwise unhandled exceptions.
Rule 15-3-3: Handlers of a function-try-block implementation of a class constructor or destructor shall not reference non-static members from this class or its bases.
Rule 15-3-4: Each exception explicitly thrown in the code shall have a handler of a compatible type in all call paths that could lead to that point.
Rule 15-3-5: A class type exception shall always be caught by reference.
Rule 15-3-6: Where multiple handlers are provided in a single try-catch statement or function-try-block for a derived class and some or all of its bases, the handlers shall be ordered most-derived to base class.
Rule 15-3-7: Where multiple handlers are provided in a single try-catch statement or function-try-block, any ellipsis (catch-all) handler shall occur last.
Rule 15-4-1: If a function is declared with an exception-specification, then all declarations of the same function (in other translation units) shall be declared with the same set of type-ids.
Rule 15-5-1: A class destructor shall not exit with an exception.
Rule 15-5-2: Where a function's declaration includes an exception-specification, the function shall only be capable of throwing exceptions of the indicated type(s).
Rule 15-5-3: The terminate() function shall not be called implicitly.
Rule 16-0-1: #include directives in a file shall only be preceded by other preprocessor directives or comments.
Rule 16-0-2: Macros shall only be #define'd or #undef'd in the global namespace.
Rule 16-0-3: #undef shall not be used.
Rule 16-0-4: Function-like macros shall not be defined.
Rule 16-0-5: Arguments to a function-like macro shall not contain tokens that look like preprocessing directives.
Rule 16-0-6: In the definition of a function-like macro, each instance of a parameter shall be enclosed in parentheses, unless it is used as the operand of # or ##.
Rule 16-0-7: Undefined macro identifiers shall not be used in #if or #elif preprocessor directives, except as operands to the defined operator.
Rule 16-0-8: If the # token appears as the first token on a line, then it shall be immediately followed by a preprocessing token.
Rule 16-1-1: The defined preprocessor operator shall only be used in one of the two standard forms.
Rule 16-1-2: All #else, #elif and #endif preprocessor directives shall reside in the same file as the #if or #ifdef directive to which they are related.
Rule 16-2-1: The pre-processor shall only be used for file inclusion and include guards.
Rule 16-2-2: C++ macros shall only be used for: include guards, type qualifiers, or storage class specifiers.
Rule 16-2-3: Include guards shall be provided.
Rule 16-2-4: The ', ", /* or // characters shall not occur in a header file name.
Rule 16-2-5: The \ character should not occur in a header file name.
Rule 16-2-6: The #include directive shall be followed by either a <filename> or "filename" sequence.
Rule 16-3-1: There shall be at most one occurrence of the # or ## operators in a single macro definition.
Rule 16-3-2: The # and ## operators should not be used.
Rule 16-6-1: All uses of the #pragma directive shall be documented.
Rule 17-0-1: Reserved identifiers, macros and functions in the standard library shall not be defined, redefined or undefined.
Rule 17-0-2: The names of standard library macros and objects shall not be reused.
Rule 17-0-3: The names of standard library functions shall not be overridden.
Rule 17-0-4: All library code shall conform to MISRA C++.
Rule 17-0-5: The setjmp macro and the longjmp function shall not be used.
Rule 18-0-1: The C library shall not be used.
Rule 18-0-2: The library functions atof, atoi and atol from library <cstdlib> shall not be used.
Rule 18-0-3: The library functions abort, exit, getenv and system from library <cstdlib> shall not be used.
Rule 18-0-4: The time handling functions of library <ctime> shall not be used.
Rule 18-0-5: The unbounded functions of library <cstring> shall not be used.
Rule 18-2-1: The macro offsetof shall not be used.
Rule 18-4-1: Dynamic heap memory allocation shall not be used.
Rule 18-7-1: The signal handling facilities of <csignal> shall not be used.
Rule 19-3-1: The error indicator errno shall not be used.
Rule 27-0-1: The stream input/output library <cstdio> shall not be used.
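As an added illustration, and not code from the Imagix checklist or the MISRA text, the following C++03 module is written to satisfy several of the rules listed above that matter most for memory safety and integer handling (5-0-4, 5-0-6, 5-8-1, 6-2-2, 18-0-5, 0-3-2, 7-3-1 and a few others). Each comment cites the rule it satisfies and describes the non-compliant form the function replaces. The namespace name misra_demo and the function names are assumptions chosen for this example.

```cpp
// Added example, not Imagix's or MISRA's code: a small C++03 module written
// against several rules from the checklist above. Each comment names the rule
// it satisfies and the non-compliant form it replaces. The names misra_demo,
// toUint8, shiftLeft, nearlyEqual and copyBounded are assumptions for this example.
#include <stdint.h>   // Rule 3-9-2: size/signedness typedefs instead of plain int/long
#include <cstddef>    // NULL and size_t
#include <cmath>      // std::fabs
#include <iostream>   // Rule 27-0-1: <cstdio> is banned, so streams are used for output

namespace misra_demo   // Rule 7-3-1: only main, namespaces and extern "C" at global scope
{

// Rules 5-0-4 and 5-0-6: an implicit conversion must not change signedness or
// narrow the type. The non-compliant form "return static_cast<uint8_t>(value);"
// silently wraps -1 to 255 and 256 to 0. Here the range is checked and a
// success flag is returned, which the caller must test (Rule 0-3-2).
bool toUint8(int32_t value, uint8_t &out)
{
    bool ok = false;   // Rule 6-6-5: single point of exit at the end
    if ((value >= 0) && (value <= 255))
    {
        out = static_cast<uint8_t>(value);   // Rule 5-2-4: no C-style casts
        ok = true;
    }
    return ok;
}

// Rule 5-8-1: the shift count must lie in 0..(width - 1). "x << n" with n >= 32
// is undefined behaviour on a 32-bit operand; the compliant form validates n.
bool shiftLeft(uint32_t x, uint32_t n, uint32_t &out)
{
    bool ok = false;
    if (n < 32U)   // Rules 2-13-3 and 5-0-21: unsigned literal, unsigned operands
    {
        out = (x << n);
        ok = true;
    }
    return ok;
}

// Rule 6-2-2: floating-point values shall not be compared for equality.
// Non-compliant: "return (a == b);". Compliant: compare within a tolerance.
bool nearlyEqual(double a, double b, double tolerance)
{
    return (std::fabs(a - b) <= tolerance);
}

// Rule 18-0-5: the unbounded <cstring> functions (strcpy, strcat, strlen, ...)
// shall not be used. This bounded copy never reads past srcSize or writes past
// dstSize, always NUL-terminates, and reports truncation instead of hiding it.
// Rule 5-0-15: array indexing is the only pointer arithmetic used.
bool copyBounded(char *dst, size_t dstSize, const char *src, size_t srcSize)
{
    bool ok = false;
    if ((dst != NULL) && (src != NULL) && (dstSize > 0U))   // Rule 4-10-2: NULL, not 0
    {
        size_t i = 0U;
        while ((i < srcSize) && (i < (dstSize - 1U)) && (src[i] != '\0'))
        {
            dst[i] = src[i];
            ++i;   // Rule 5-2-10: ++ is not mixed with other operators
        }
        dst[i] = '\0';
        // Truncated only if the loop stopped because dst was full while source
        // characters remained; reaching srcSize or the source terminator is complete.
        bool truncated = false;
        if (i < srcSize)
        {
            truncated = (src[i] != '\0');
        }
        ok = !truncated;
    }
    return ok;
}

}  // namespace misra_demo

int main(void)
{
    // Rules 0-3-2 and 0-1-7: every error flag and return value is tested.
    uint8_t narrow = 0U;
    uint32_t shifted = 0U;
    char buf[4];
    const bool okNarrow = misra_demo::toUint8(-1, narrow);                          // false: would wrap
    const bool okShift = misra_demo::shiftLeft(1U, 32U, shifted);                  // false: count too large
    const bool okCopy = misra_demo::copyBounded(&buf[0], sizeof(buf), "abcdef", 6U); // false: truncated to "abc"
    std::cout << okNarrow << ' ' << okShift << ' ' << okCopy << ' ' << &buf[0] << std::endl;
    return (okNarrow || okShift || okCopy) ? 1 : 0;   // Rule 5-0-14: bool first operand
}
```

Each function returns a flag rather than a value that may have silently wrapped, been shifted by an undefined amount, or been truncated, which is what turns these rules from style points into defences: the caller cannot consume a bad result without first ignoring an error, and Rule 0-1-7 flags that. `&buf[0]` rather than `buf` is passed so that no array identifier decays to a pointer at the call site (Rule 5-2-12).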