A GCC-based Compliance Checker for Single-translation-unit,

Identifier-related MISRA-C Rules

Guan-Ren Wang Peng-Sheng Chen∗
guanjen375@yahoo.com.tw pschen@cs.ccu.edu.tw
Department of Computer Science and Information Department of Computer Science and Information
Engineering Engineering and
National Chung Cheng University Advanced Institute of Manufacturing for High-tech
ChiaYi, Taiwan, R.O.C. Innovations
National Chung Cheng University
ChiaYi, Taiwan, R.O.C.
ABSTRACT MISRA-C [7, 12] is a well-defined software specification for the C
MISRA-C is a well-defined software specification for the C pro- programming language. Following its set of guidelines is expected
gramming language that gives programmers criteria to develop to reduce the frequency of program mistakes. MISRA-C was initially
reliable programs. This paper implements a MISRA-C compliance developed for automotive software, but has since become widely
checker based on the GCC compiler infrastructure. It focuses on used in software systems requiring high reliability. The third edition
identifier-related rules that are single-translation-unit-labeled. We of the specification, MISRA-C:2012, was developed based on ISO
describe and develop strategies for implementing the checking C99 [2] while retaining compatibility with C90 [1]. The guidelines
codes. We also discuss the rules that can be detected by existing GCC in MISRA-C:2012 are classified as being either rules or directives. To
options. For the tested benchmark programs, the modified GCC check compliance with a directive requires additional information
compiler can correctly assess compliance with the target MISRA- (e.g., design documents or specifications), while compliance with
C rules. rules can be assessed by analyzing solely the source code. Consider
the scope of analysis. If rule violations can be detected in a single
CCS CONCEPTS translation unit, the rules are labeled as “single translation unit”.
Otherwise, the rules are labeled as “system”, for which the whole
• Software and its engineering → Compilers.
program needs to be analyzed to detect violations. MISRA-C:2012
contains 143 rules: 40 system rules and 103 single translation unit
KEYWORDS rules. Each rule is further classified as being mandatory, required,
reliability, compiler, GCC, MISRA-C or advisory. MISRA-C tells programmers what aspects of the source
ACM Reference Format: code are harmful to the program’s stability and require revising.
Guan-Ren Wang and Peng-Sheng Chen. 2020. A GCC-based Compliance GCC (GNU Compiler Collection) [5, 10] is an open source (under
Checker for Single-translation-unit, Identifier-related MISRA-C Rules. In the GPL; General Public License) and popular compiler. It generates
49th International Conference on Parallel Processing - ICPP : Workshops (ICPP stable and high-quality code, and is almost a de-facto standard com-
Workshops ’20), August 17–20, 2020, Edmonton, AB, Canada. ACM, New York, piler for Linux and open source communities. If GCC has the capa-
NY, USA, 4 pages. https://doi.org/10.1145/3409390.3409396 bility of detecting compliance with MISRA-C rules, users can easily
avoid writing vulnerable programs. This paper mainly considers
1 INTRODUCTION single-translation-unit-labeled, identifier-related rules, and designs
The recent rapid development of computer hardware and software a checking algorithm for these rules. The algorithm is implemented
brings ever-more computing systems (e.g., smart phones and smart and integrated with the GCC compiler infrastructure. For the tested
home devices) into our daily life. Some of them (e.g., self-driving benchmark programs, experiments show that the modified GCC
vehicles and robots) require high reliability to maintain their normal compiler can successfully detect non-compliant cases.
operation, and failure can lead to serious problems or even endanger
lives [3]. In a computer system, software controls the behavior of
hardware in most situations. Therefore, enhancing the reliability 1.1 Contributions
of software systems is a safety-critical issue.
This paper makes the following contributions:
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation • A static checker for MISRA-C’s variable declaration
on the first page. Copyrights for components of this work owned by others than ACM rules. It adds functions to GCC to allow checking of MISRA-
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a C’s rules related to identifier declaration.
fee. Request permissions from permissions@acm.org. • GCC implementation and experience. It discloses how
ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada to trace GCC frontend and find the program points requir-
© 2020 Association for Computing Machinery.
ACM ISBN 978-1-4503-8868-9/20/08. . . $15.00 ing modification. It also describes the implementation and
https://doi.org/10.1145/3409390.3409396 experience in detail.
ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada Guan-Ren Wang and Peng-Sheng Chen
ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada Guan-Ren Wang and Peng-Sheng Chen

• Experiment. The modified compiler is evaluated in bench- Table 1: GCC (7.3.0) options for checking MISRA-C rules.
ICPP • Experiment.
Workshops ’20, August The2020,
17–20, modified compiler
Edmonton, AB, is evaluated in bench- Table 1: GCC (7.3.0)Guan-Ren options for checking MISRA-C rules.
ICPPmark tests.’20,
Workshops The results
August show
17–20, 2020,that AB, Canada
the modified
Edmonton, GCC can cor-
Canada Guan-Ren Wang
Wang and
and Peng-Sheng
Peng-Sheng Chen
Chen
mark tests. The results show that the modified GCC can cor-
rectly detect compliance with MISRA-C’s identifier-related,
rectly detect compliance with MISRA-C’s identifier-related, Table 1: Rule Rule GCC
GCCoption
option
•• Experiment. The
The modified
single-translation-unit-labeled
Experiment. modified compiler rules.is
compiler evaluated
evaluated in
isrules. in bench-
bench- Table 1: GCC GCC (7.3.0)
(7.3.0) options
options for for checking
checking MISRA-C
MISRA-C rules. rules.
mark
single-translation-unit-labeled
tests. The results show that the modified GCC can cor- 2.6 2.6 -Wunused-label
-Wunused-label
mark
The remainder tests. The results
of this paper show that
is organized the modified
as follows. GCC can cor-
Section Section
2 de- 2
rectly The remainder
rectly detect
detect compliance
of this
compliance with
paper is organized
with MISRA-C’s
MISRA-C’s identifier-related,
as follows.
identifier-related, Rule 2.72.7 GCC -Wunused-parameter
GCC option
-Wunused-parameter
scribes thesingle-translation-unit-labeled
MISRA-Cthe
describes rules that arerules
MISRA-C therules.
subject
that are the of this
subjectstudy. study.3 Sec- Rule 3.13.1
Section
of this option
-Wcomment,
-Wcomment, -Wcomments
-Wcomments
single-translation-unit-labeled rules. 2.6 -Wunused-label
describes
The in
tiondetail the
3 describes implementation
in detail the implementation of the GCC ofmodification
the GCC modifi- 2.6
4.2 4.2 -Wunused-label
-Wtrigraphs
-Wtrigraphs
The remainder
remainder of this
this paper
andofevaluation
is
is organized
paperresults. organized as follows.
follows. Section
asconcluding Section 22 are pre- 2.7 2.7 -Wunused-parameter
-Wunused-parameter
anddescribes
evaluationcationresults. Finally, concludingFinally,remarks areremarks
presented 5.3
3.1 5.38.1
the -Wshadow
describessented the MISRA-C
MISRA-C
in Section
rules
rules
4.
that
that are
are the
the subject
subject of of this
this study.
study. Sec-Sec- 3.1 -Wshadow
-Wcomment,
-Wcomment, -Wcomments
-Wcomments
in Section
tion 4.
tion 33 describes
describes in
in detail
detail thethe implementation
implementation of of the
the GCCGCC modifi-
modifi- 4.2 8.1 -Wimplicit
-Wimplicit
-Wtrigraphs
4.2 8.4 -Wtrigraphs-Wmissing-declarations
cation
cation and 2 evaluation
and evaluation
MISRA-C results.
results.RULES Finally,
Finally, concluding
concluding remarks remarks are are pre-
pre- 5.3 8.416.4
5.3 -Wshadow
-Wshadow -Wmissing-declarations
2 sented
MISRA-C in SectionRULES
in Section 4. -Wswitch-default
This section describes the MISRA-C rules relevant to this paper. 8.1 16.4
sented 4. 8.1 -Wimplicit
-Wswitch-default
-Wimplicit
This section Thedescribes the MISRA-C
identifier-related, rules relevant to thisrules
single-translation-unit-labeled paper.are the 8.4 8.4 -Wmissing-declarations
-Wmissing-declarations
2 MISRA-C RULES
The2identifier-related,
MISRA-C RULES
rule 5.2, 5.3, 5.4, single-translation-unit-labeled
and 5.5. Rule 5.2 says “ identifiers rules are thein the 16.4
declared 16.4be in prototype-Wswitch-default
form with named parameters”. The function func
-Wswitch-default
ruleThis
5.2,section
This 5.3,
section
same 5.4,describes
and 5.5.
describes
scope
the MISRA-C
andtheRule
name 5.2
MISRA-Cspace
rules
saysshall relevant to
“ identifiers
rules berelevant
distinct”.
this
this paper.
declared
to The in standard
paper.
C90 the no parameter,
in Figure 3 does void should
not have abe used. The
complete function
prototype form. in Figure
If there
func1 is no 3
The identifier-related, single-translation-unit-labeled rules are the
sameThescope and name
identifier-related,
considers space
significant shall
the firstbe31distinct”.
charactersThe
single-translation-unit-labeled of an C90
rules standard
are
identifer; thestandard
be in has a missing
parameter,
prototype form parameter
void
with
should name.
named
be used.Providing
The function
parameters”. The thefunc1
parameter
function func name
in Figure 3 in
rule 5.2, 5.3,
rule 5.2,significant 5.4,
5.3, extends and
5.4, and 5.5.
5.5. Rule 5.2 says “ identifiers declared in the be in prototype form with named parameters”. The the
function funcname in
considers C99 the
this toRule
first 31
63. 5.2
Rule says
5.4“isidentifiers
characters of
similaran todeclared
identifer; inbut
rule 5.2,standardtheit applies
the has a missing
declaration parameter
can improve name. Providing
the readability andparameter
aid further analysis.
same
same scope and
and name
name spacespaceAshallshall be distinct”. The C90 standard in
in Figure
Figurethe 33 does
does not
not have
have a complete prototype form. If there is
is no
C99considers
extends
scope
to this
macro to identifiers.
63. the
Rule 5.431islong
be
similar
distinct”.
toofrule
identifier mightThebe C90
5.2, but
standard
itstandard
harmful applies to parameter,
to readabil- declaration cana improve
completethe prototype form.
readability andIfaid
there
furthernoanalysis.
considers significant
significant the first
first 31 characters
characters of an
an identifer;
identifer; standard Mismatches
parameter, void
void between
should
should be
be aused.
declaration
used. The
The and the
function
function func1
func1corresponding
in
in Figure
Figure 33 definition
ity and maintainability. Rulemight5.5 states “identifiers shall be distinct Mismatches between a declaration and the corresponding definition
macro
C99identifiers.
C99 extends
extends this
this Ato
to long
63.
63. identifier
Rule
Rule 5.4
5.4 is
is similar
similar berule
to
to harmful
rule 5.2,
5.2, toititreadability
but
but applies
applies has
has aaindicate
missing
missing possible
parameter
parameter programmer
name.
name. errors.
Providing
Providing the
the parameter
parameter name
name in
in
from macro names”. Figure 1 shows an example in which the decla- indicate possible programmer errors.
andto
tomaintainability.
macro
macroration identifiers.
identifiers. Rule
A 5.5 states
A long
long identifier
identifier “identifiers
might
might be shall beto
beasharmful
harmful distinct
to readabil-
readabil- from the the declaration
declaration can can improve
improve the the readability
readability and
and aid
aid further
further analysis.
analysis.
of a variable mean is the same the macro name mean, in
macro
ity names”.
ity and
and Figure
maintainability.
maintainability. 1 shows
Rule
Rule an
5.5
5.5 example
states
states in
“identifiers
“identifiers which
violation of rule 5.5. Rule 5.3 is “An identifier declared in an inner
the
shall
shall be
be declaration
distinct
distinct Mismatches
Mismatches between
between aa declaration
declaration and
and the
the corresponding
corresponding definition
definition
of afrom
variable
from macro
macro
scopemean is the
names”.
names”.
shall same
Figure
Figure
not
1 as
hide1an
shows
showsthe an macro
an
identifier
example
example name
declared
in
in which
mean,
which in violation
the
the
in an outer
decla-
decla-
scope”. The
indicate
indicate possible
possibleint programmer
func();
programmer
char func1(int);
errors.
errors. /* Non-compliant */
/* Non-compliant */
ration
of rule
ration5.5.of aa variable
Rule
ofexample 5.3 in
variable ismean
“An
mean is
is the
identifier
the same
same as
declared
as the
the macro
in
macro an name
inner
name scope
mean,
mean, in
shall
in void func2(int a, int b); /* Compliant */
Figure 2 has the declarations of variables a and b in
violation of rule 5.5. Rule 5.3 is “An identifier declared in an inner
notviolation
hide an theofidentifier
rule 5.5.
inner scope declared
Rule 5.3 isthe
hiding in
“An anidentifier
outerdeclared
variables scope”.
declared inThe
in example
theanouter,
innerbreaking int func();
int func();char func1(int c) /* Non-compliant */
/* Non-compliant */
scope
scope shall not hide an identifier declared in an
anaouter scope”. The
in Figure 2this
has the declarations of variables and bscope”.in theThe inner
shall not hide an 5.3
identifier declared inpotentially
outer char
char func1(int); /*
/* Non-compliant
Non-compliant */
rule. Rules and 5.5 describe confusing cases, so void
{
func1(int);
func2(int a, int b); /* Compliant */
*/
example
example in
in Figure
Figure 2
2 has
has the
the declarations
declarations of
of variables
variables a
a and
and b
b in
in void func2(int... a, int b); /* Compliant */
scope
the hidingscope the variables
following them can declared in
improve a the outer,
program’s breaking
readability this rule.
and reduce the }
the inner
innerrisk scope hiding
hiding the
the variables
variables declared
declared in in the
the outer,
outer, breaking
breaking char
char func1(int
func1(int c)
Rules
this5.3 and
rule. 5.5
Rules
of adescribe
5.3 and 5.5potentially
misunderstanding.
describe confusing
potentially cases, socases,
confusing following
so {
c)
this rule. Rules 5.3 and 5.5 describe potentially confusing cases, so {
them can improve
following
following them
them can a program’s
can improve
improve aa program’sreadability
program’s and reduce
readability
readability and the risk
and reduce
reduce theof a
the
...
...
}
} Figure3:3:Example
Figure Example of ofrule
rule8.2.
8.2.
misunderstanding.
risk of a misunderstanding.
#define mean(a,b) ((a+b)/2) /* compliant */
risk of a misunderstanding.
int result; /* compliant */

int main(void) Figure 3: Example of rule 8.2.

Figure 3:support
Examplein
of GCC
rule 8.2.
#define
#define {mean(a,b)
mean(a,b) ((a+b)/2)
((a+b)/2) /*
/* compliant
compliant */
*/ 2.1 Existing
int
int result;
result;int mean; /*
/* compliant
compliant */
/* Non-compliant
*/ */ 2.1HereExisting support in GCC
we describe the MISRA-C rules thtat can be detected by GCC
int
int main(void)
2.1 Here weexisting
with describe the MISRA-C
options. rules
In addition thtat can
to target codebe detected GCC
generation, by GCC
2.1 Existing support
support in in GCC
result = mean(1,2);
main(void) /* compliant */
{ Existing GCC
{
int
return 0;
mean; /*
/* Non-compliant */
Non-compliant with existing options. In addition to target code generation, GCC
supports the analysis of programs, and issues warning or error mes-
}
int mean; */ Here we
Heresupportsdescribe
wesages
describe the MISRA-C rules thtat can be
be detected by GCC
result with existing thetheanalysis
regarding
options.
MISRA-C
In ofrules
vulnerable
addition
code
to
thtatfragments.
programs,
target
canand
code
detected
Some by
issues
generation,
GCC or
warning
MISRA-C
GCC error
rules
result = = mean(1,2);
mean(1,2); /*
/* compliant
compliant */ */ with existing options. In addition to target code generation, GCC
return
return 0;0; messages
supports
are
the regarding
already
analysis
checked
of vulnerable
by
programs,
existing
and codewarning
GCC
issues fragments.
options.
or
For
error Some
example,
mes- MISRA-C
rule
} Figure 1: Example of rule 5.5. supports2.6, the which
analysis of programs,
states “A function and issuesnot warning orunused
error mes-
}
sagesrules
sages are already
regarding
regarding vulnerable checked
code byshould
code fragments.existing Some
contain
GCC options.
MISRA-C
label decla-
For example,
rules
rations”,vulnerable
can be detected fragments.
by the GCC Someoption MISRA-C rules
-Wunused-label.
are rule 2.6,checked
are already
already which by states “A function
existing GCC should
options. Fornot
For containrule
example, unused label
Figure Tablechecked
?? listsby theexisting
currently GCC options.
checkable rules example,
and rule
the corresponding
Figure1:1:
Figure Example
Example of
1:Example ofrule
of rule5.5.
rule 5.5.
5.5. 2.6, declarations”,
2.6, which
which states
states “A
“A can be
function
function detected
should
should by
not
not the
contain
contain GCC option
unused
unused label
label decla-
-Wunused-label.
decla-
GCC options.
Tablecan 1 lists the currently checkable rules and the corresponding
int a; rations”, be
float b;
"float b" is hidden by "char* b". rations”, can be detected
detected by
by the
the GCC
GCC option
option -Wunused-label.
-Wunused-label.
TableGCC
Table ?? options.
??3lists
lists the
the currently
currently
IMPLEMENTATION checkable
checkable rules
rulesAND and
and the the corresponding
corresponding
EVALUATION
int a;
void func(char* b) GCC
GCC options.
options.
int
float
a;{ "float b" is hidden by "char*
"float b" is hidden by "char* b". b". Our work is based on GCC 7.3.0. The principle of the implementa-
float b;b; short a;
"int a" is hidden by "short a".
3 3IMPLEMENTATION
IMPLEMENTATION
tion is not to interfere with AND ANDGCC
the original
EVALUATION EVALUATION
compilation process.
void
void func(char*
... b)
3 IMPLEMENTATION AND EVALUATION
func(char* b)
Our Our Ourwork is based
modification on GCC
is designed 7.3.0. The
to identify principle of thenot
code locations implementa-
follow-
Our work is based on GCC 7.3.0. The principle of
of the
the implementa-
{
{ } working isthe
based
rules onand
GCC 7.3.0.the
to give Therulesprinciple
being violated. implementa-
If the source process.
code
short
short a;a; "int a" is hidden by "short a". tion tion
is not
tion is not
istonot to
interfere interfere
with thewith the
original original
GCC GCC
compilation compilation
process.
"int a" is hidden by "short a".
cantobeinterfere
compiled with the originalbyGCC
successfully the compilation
original GCC process.
compiler, the
...
... Figure 2: Example of rule 5.3. Our Our
Our modification
modification
modification is
modified compiler
is designed
is designed
designed to identify
cantoalso
to identify
identify
compile
code
code code locations
locations
it, locations
even if thenot
not follow-
codefollow- not follow-
breaks some
ingrules
the rules
and toand giveto thegive
rulesthe rules being violated. If the
codesource code
}
} ing
ing the
the rules being violated. If the source
rules.and to give the rules being violated. If the source code
can
can becan be compiled
be compiled
compiled successfully
successfully
successfully by
by the by the original
the original
original GCC
GCC compiler, GCC compiler,
compiler, the
the the
Rules 8.1 and 8.2Example
Figure are related torule declarations and definitions. Rule
Figure2:2:
Figure Example of
2:Example of
of rule
rule
5.3.
5.3.
5.3. modified
modified
modified compiler
compiler
3.1 compiler
GCC can
can also can
also also
compile
compile compile
it,
it, even
even if ifit,the
theevencodeif breaks
code the
breaks code
some
some breaks some
8.1 says “Types shall be explicitly specified”. In some circumstances, rules.
C language allows implicit specification of type information, but ex- rules.
rules.
The basic structure of GCC consists of three parts: front-end, middle-
Rules 8.1 and 8.2 are related to declarations and definitions. Rule
Rules 8.1
Rules and
8.1 and
plicitly 8.2 are
8.2 arerelated
specifying typetoinformation
related to declarations
declarations can and
and definitions.
definitions.
avoid RuleRule
mistakes rising from
3.1 end, and back-end, as shown in Figure 4. The middle-end contains
GCC
8.1
8.1 says
says “Types shall
a“Types shallbebe explicitly
beexplicitly
explicitly specified”.
specified”. In
In some circumstances, 3.1 GCCmajor intermediate forms: GIMPLE [6] and RTL [4]. Here
types shall 3.1two GCC
8.1 C
says “Types
language shall
misunderstanding.
allows implicit
Rulespecified”.
specification of typeInsome
8.2 is as follows: somecircumstances,
circumstances,
“Function
information, but ex- The
C language allows implicit specification of type information, but ex- The basic structure
basic structure of of GCC
GCC consists
consists ofof three
three parts:
parts: front-end,
front-end, middle-
middle-
C language
plicitly allows implicit
specifying type specification
information can of type
avoid information,
mistakes rising from but end, The basic structure of GCC consists of three parts: front-end, middle-
plicitly specifying type information can avoid mistakes rising from end, and back-end, as shown in Figure 4. The middle-end contains
and back-end, as shown in Figure 4. The middle-end contains
explicitly specifying type
aa misunderstanding.
misunderstanding. Rule information
Rule 8.2
8.2 is
is as
as follows:
follows:can “Function
avoid mistakes
“Function types rising two
types shall
shall two end,
majorand
major back-end,forms:
intermediate
intermediate as shown
forms: GIMPLE
GIMPLEin Figure [6]
[6] and 4. The
and RTLmiddle-end
RTL [4]. Here contains
[4]. Here
from a misunderstanding. Rule 8.2 is as follows: “Function types two major intermediate forms: GIMPLE [6] and RTL [4]. Here we
shall be in prototype form with named parameters”. The function focus on the GCC C compiler. A C source code first enters the front-
func in Figure 3 does not have a complete prototype form. If there is end of the C language parser and is converted into an intermediate
 A GCC-based Compliance Checker for Single-translation-unit, Identifier-related MISRA-C Rules ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada
A GCC-based Compliance Checker for Single-translation-unit, Identifier-related MISRA-C Rules ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada
A GCC-based Compliance
we focus Checker
on the GCCforCSingle-translation-unit,
compiler. A C source Identifier-related enters Rules3.2
code first MISRA-C Strategy’20, August 17–20, 2020, Edmonton, AB, Canada
ICPP Workshops
A GCC-based Compliance Checker for Single-translation-unit, Identifier-related MISRA-C Rules ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada
A GCC-basedwe
the focus onChecker
front-end
Compliance the GCC
of the for C compiler.
C language parserA and
C source
Single-translation-unit, is code first
converted enters
intoMISRA-C
Identifier-related 3.2 are
an in- RulesThere Strategy
fewICPP Workshops
documents [9,’20,
14]August 17–20, GCC’s
describing 2020, Edmonton,
internal AB, Canada
design,
theonfront-end
we focustermediate the GCC of Cthecompiler.
representation, C language A Cparser
GENERIC. source andcode
Next isentering
converted
first enters theinto an in-
gimplify 3.2 Strategy
There
especially are few the documents
front-end part [9, 14]
[8, describing
11]. To identify GCC’s the internal
properdesign,
pro-
we
the focus
front-end on the
termediate
stage. ofIntheGCC
this C compiler.
representation,
Cstage,
language the GENERIC
parser A and
GENERIC. C sourceform Next
be
is converted code first
into enters
entering
simplified an the
toin- gimplify
GIMPLE 3.2 Strategy
especially
gram point thein GCCfront-endto part [8,
check the 11].
rules, Towe identify
create the proper
adesign,
test programpro-
representation,
the front-end GENERIC.
ofInthe Cstage, Next
language the entering
parser and the gimplify
isentering
converted stage. Inin-this Theretested
There are fewprogram
documents needs [9, notdescribing
14] only to trigger
describing GCC’s warning/error
internal messages,
termediate stage.
form. Afterthisseveral
representation, GENERIC. GENERIC
target-independent Nextform theinto
be simplified
analyses and anto GIMPLE
optimizations,
gimplify arethat
especially few
gram the documents
point
makesfront-endin GCC
GCC [9, 14]
issue
part to[8,
thecheck
11]. the
diagnostic
To GCC’s
rules, internal
wethe
messages
identify create
of design,
a test
interest
proper pro- program
here. The
stage, theInthe
termediate GENERIC
form. representation,
After the
GIMPLE form
several
form be
GENERIC.simplified
is lowered formNext
target-independent to
tobeRTL. GIMPLE
entering
analyses
Finally, the
toandform.
thegimplify After
optimizations,
target code is buttested
especially alsomakes
thatthe
to have needs
front-end characteristics
part [8, following the rulespro- we want to
stage. this stage, GENERIC simplified GIMPLE gram point GCCGCC
in program issue
to check the 11].
the
not onlyTo
diagnostic
rules, toweidentify
messages
trigger the proper
of
createwarning/error
a test interest
program here. The
messages,
several
form.target-independent
stage. Ingenerated
thisGIMPLE
the
After stage,from
several theformGENERIC
RTL. analyses
is In
target-independent lowered form
GCC’s andtobe
analysesoptimizations,
simplified
RTL.
front-end, Finally, to the
GIMPLE
anda optimizations,
tree the
target
structure GIM-code
is used is
gram check.
point
tested
but Then
in
also GCC
program
to we
haveto trace
check
needs thethe
not
characteristicssource
rules,
only tocode
we tothe
create
trigger
following understand
a test program
warning/error
rules we wantthe execution
messages,
to check.
that makes GCC issue the diagnostic messages of interest here. The
PLEform.
form
the GIMPLEis
After
to lowered
several
generated
store form to
is RTL.
RTL.Finally,
target-independent
thefromprogram
lowered RTL.the
IntoGCC’s
information. analysestarget
Figureand
front-end,
Finally, the5code treeisstructure
target generated
optimizations,
ashows acode is used
treeisrepresen- that
tested
flow
makes butwhen
Then
programGCC
also issuing
issue
to
weneeds havethe
trace the
not
the messages.
diagnostic
characteristics
source
only messages
code
to trigger
Finally,
following ofthe we
interest
towarning/error
understand rulesdesign
here. thetochecking
The
weexecution
the want
messages, check.
flow
fromthe GIMPLE
RTL. tation
generated Infrom
to GCC’s
store formthe
ofRTL. is lowered
thefront-end,
In GCC’saint
program
expression to RTL.
tree structure
information.
front-end, Finally,
A[100]. Figure the
a treeVAR_DECL 5 target
isstructure
used toisstore
shows code
a tree is
usedthe that
indicatesrepresen- testedalgorithm
program
Then we and
needs
traceimplement
notthe only
sourcetoit. For
trigger
code example,
towarning/error
understand if we want
messages,
the to
executionunderstand
flow
but also when
to have issuing the
characteristics messages.
following Finally,
the we
rules design
we want the
to checking
check. algo-
generated thefrom ofRTL. InnodeGCC’s front-end, 5ashowstreeVAR_DECL
structure is indicates
used
program
to storeinformation.
tation
the type
program thetree
of Figure
expression
information. 5is shows
variable
int Figure a declaration.
tree
A[100]. representationThe represen-
a tree tree of the
node that
furtherbut
Then where
alsowe to
when
rithm GCC
have
trace and checks
characteristics
issuing
the redefined
the messages.
implement
source codefollowing
it. toFor macros,
the rules
Finally,
example,
understand wethe
thewetested
ifdesign
we want
want
executionprogram
to
the check.
checking
toflow may
algo-con-
understand
to storeoflinks
the
the
thetypeprogram of tree
toA[100].
other information.
tree nodenodes isA[100].FigureVAR_DECL
variable
recording 5the shows
declaration. a tree
information The represen-
tree
suchnode astreefurther
variable
expression
tation int expression int
VAR_DECL indicates that the type
indicates of
that whentain
Then we tracethe
rithm
where
#define
issuing and
GCC a 3 and
themessages.
source
implement
checks code it.toFor
redefined
#define
Finally, understand
weexample,
macros, a 6;the
design GCC
the
if tested
the we issues
execution
want the
flow
toalgo-
program
checking diagnostic
understand
may con-
tation ofname,
thetree
links expression
totype,
other tree
array int nodes
minimal A[100].index,VAR_DECL
recording and thearray
information indicates
maximum such that
index. as variable
GCC’s when issuing the messages. Finally, we design the checking algo-
nodethe
theis variable
type
type
of
of tree declaration.
node
node
is variable
is (e.g.,
variable The tree
declaration.
declaration. node further
The
Theand
tree
tree links
node
node to
further
further other rithm message
where shown
GCC
tainimplement
and #define in
checks
it. Figure
a For3redefined
and 6. We
#define
example, macros,
if can
we use
athe the
6;tested
want GCC to utility
program
issues
understand the may
grep and
con-the
diagnos-
links to name,
built-in
other type,
treemacros array
nodes minimal
recording index,
TREE_OPERAND
the and array
information maximum
TREE_TYPE)
such as index. can
variable GCC’stra-
rithm andtain
tic implement
message
#define shownit.a For
in
3 example,
and
Figure 6.
#define if
We we
cana want
use6; GCC
the to understand
issues
utility the diagnos-
and thehow
treelinks
nodesotherrecording the information such as variable name, type, where functions
GCC checks macros, the testedand
redefineddebug_tree(),
fprintf(), program
inform() grep
may con-to clarify
name,totype,
built-in
verse tree
array nodes
themacros
tree
minimal recording
(e.g.,
nodes and
index, andthearray
extract
TREE_OPERAND information
themaximum andsuch
information. asIn
TREE_TYPE)
index. variable
additioncan
GCC’s tra-
to the
where GCC checks
tic message
functions redefined
shown
fprintf(), macros,
in Figure 6.the
We
debug_tree(), tested
can use program
the may
andutility con- and
grep
inform() the
to clar-
array minimal
name, index, treeand array maximum index. GCC’s built-in tain GCC handles
#define a the
3 and macro
#define re-declaration.
a 6; GCC Figure
issues 7 shows
the diagnos- the program
built-intype,
treearray
verse
macros minimal
the(e.g.,
structure, nodes index,
location_t
TREE_OPERAND and and extract array the
isand maximum
information.
another
TREE_TYPE) index.
internal GCC’s
Indataaddition
can type
tra- thatto the
is
tain
tic #define
messagefunctions
ify how
shown a
GCC 3 and
fprintf(),
in Figure#define
handles 6.the
We a use
macro 6;
debug_tree(),
can GCC issues
re-declaration.
the utility and the diagnos-
Figure
inform()
and 7the
showsto clar-
the
macros (e.g.,
built-in
verse themacros
tree TREE_OPERAND
commonly (e.g.,
treestructure,
nodes usedTREE_OPERAND
and in andimplementation.
the
location_t
extract
TREE_TYPE) isand
the information.
can
TREE_TYPE)
another ItIn traverse
internal
represents
addition can
data the
which
to tra-
typetree
the partthat of
is
tic andprogram
message itshowoutput
shown
ifyfprintf(), GCC
andinmessage
Figure
handles
its output
for
6.the
We ruleuse
can
macro
message
8.2.the utility
grep
8.2. grep
re-declaration.
for rule and
Figure 7the
shows the
functions debug_tree(), and inform() to clar-
nodes and
verse theextract
thetree
commonlyuser the
nodes information.
and
used
program extract
in the
GCC the In addition
information.
implementation.
is processing.
tree structure, location_t is another internal data type that is to
TheItIn the tree
addition
represents
location structure,
to
whichthe
information part of
is
functions fprintf(),
program and its debug_tree(),
output message for and
ruleinform()
8.2. 7 shows to clar-
ify how GCC handles the macro re-declaration. Figure the
tree
location_t
commonly theisused
structure,
useful another
user location_t
whenprogram
in the internal
outputting
implementation. data
GCCiswarning
isanother type
processing. thatThe
internal
Itmessages
representsis commonly
data
about type
location
which that
codepart used is in not
information
locations
of is
ify how GCC handles
test.c:2:0: the macro
warning: "a"re-declaration.
redefined Figure 7 shows the
commonly used in the implementation. It represents which part of program and#define
its outputa 6 message for rule 8.2.
the the
implementation.
useful
following
user program GCC when theIt represents
outputting
rules.
is processing. which
warning Thepart
messages
location of theabout user program
code
information locations
is not
program andtest.c:2:0:
its outputwarning: message"a"forredefined
rule 8.2.
#define a 6note: this is the location of the previous definition
the
GCC isuser program
processing.
following GCC
Therules.
the is processing.
location Theabout
information location
is information
useful when is
out-
test.c:1:0:
useful when outputting warning messages code locations not test.c:2:0: warning:
#define a 3 "a" redefined
useful when outputting warning messages about code locations not #define test.c:1:0:
a 6warning: "a" note: this is the location of the previous definition
putting warning messages about code locations not following the
test.c:2:0: redefined
following the rules. #define a #define
6 a 3
following theC rules. Target-independent analyses Target-dependent optimizations /
rules. Parser and optimizations code generation test.c:1:0: note: this is the location of the previous definition
C Target-independent analyses Target-dependent optimizations / #define a 3note: this is the location of the previous definition
test.c:1:0:
Figure
Parser
Parser
and optimizations code generationtarget #define a Figure
3 6: 6: Messageregarding
Message regarding redefinedredefined macro.
macro.
C C++ GENERICTarget-independent GIMPLE
analyses RTL
Target-dependent optimizations / Figure 6: Message regarding redefined macro.
C Parser Parser and optimizations code generation target
code
C++ Parser GENERIC GIMPLE
Target-independent analyses
RTL
Target-dependent optimizations /

target code
Parser and optimizations code generation
Figure 6: Message regarding redefined macro.
C++ Parser JavaGENERIC
Parser Front-end GIMPLE Middle-end
Parser RTL Back-end
target Figure Tested program regarding redefined
6: Message Output message
macro.
C++ JavaGENERIC Front-endGIMPLE Middle-end RTL code
Back-end Tested program 10.c: In function Output message
‘test’:
Parser code 10.c:1:1: error: parameter name omitted
void test(int) { } 10.c: In function
Java Parser Front-endFigure 4: GCC compiler infrastructure.
Middle-end Back-end Tested program void Output message
test(int) { ‘test’:
}
10.c:1:1:
^~~~ Outputerror: parameter name omitted
Java Front-end Middle-end Back-end Tested program
void test(int) { } message
Figure 4: GCC compiler infrastructure. void test(int)
10.c: In function ‘test’:{ }
10.c:1:1:
10.c: ^~~~
error: parameter
In function ‘test’: name omitted
void test(int) { }
Figure 4: GCC compiler infrastructure. void test(int) {
}
void test(int)
10.c:1:1: error: {parameter
} name omitted
Figure
Figure 4:4:GCC
GCCcompiler
compiler infrastructure.
infrastructure. Figure 7: Tested program and output
^~~~ test(int)
void { } message for breaking rule
^~~~
Figure
8.2.
Figure 7: 7: Testedprogram
Tested program and andoutput message
output for breaking
message rule
for breaking
CODE=VAR_DECL
Figure 8.2.
rule
7: 8.2.
Tested program and output message for breaking rule
CODE=VAR_DECL
Decl.minimal.name Figure
8.2. 7: Tested program and output message for breaking rule
Decl.minimal.name
Common.type 8.2.
CODE=VAR_DECL
CODE=VAR_DECL
3.3 Implementation
Common.type
Decl.minimal.name
Decl.minimal.name ...
...
3.3 Implementation
Consider rules 5.2, 5.3, 5.4, and 5.5. First, for rules 5.2 and 5.4,
CODE=IDENTIFIER_NODECommon.type
Common.type
CODE=INTERGER_TYPE 3.3 3.3GCC Implementation
Implementation
Consider
can rules 5.2, detect
not only 5.3, 5.4, and 5.5.
whether First, foridentify
a duplicate rules 5.2 and 5.4,
declaration
CODE=IDENTIFIER_NODE
Identifier.str ... CODE=INTERGER_TYPE
Type.name
3.3 Consider
Implementation
GCC can
exists, rules
but not5.2,
also 5.3,
only 5.4,re-declaration.
detect
a macro and 5.5. aFirst,
whether for rules
duplicate
However, 5.2 declaration
identify and 5.4,
compliance GCC
with
... Consider rules 5.2, 5.3, 5.4, and 5.5. First, for rules 5.2 and 5.4,
CODE=IDENTIFIER_NODEIdentifier.str CODE=INTERGER_TYPEType.name
Type.value Consider
GCCcan can therules
not
exists,
ISO
not only5.2,
but
only 5.3,a5.4,
detect
also
C standard
detect macro andre-declaration.
whether 5.5.
specification
whether First,
a aduplicate
duplicate foridentify
is also rules
identify
However,
required. 5.2 and 5.4,standard
declaration
compliance
The C90
declaration exists,
with
A
CODE=IDENTIFIER_NODE CODE=INTERGER_TYPE GCC can not only detect whether a duplicate identify declaration
Identifier.str A Type.name
CODE=IDENTIFIER_NODE
Type.value
exists,
CODE=INTERGER_TYPE but also a macro re-declaration. However, compliance with the ISO
the
states
but ISO
also aC
that standard
the
macro first specification
31 characters
re-declaration. is also
of
However, an required.
identifier
compliance The
name C90
with standard
are signif-
Identifier.str Type.name exists, but alsothat
states
icant; a macro
this the
is re-declaration.
first
extended 31 characters
tois
is63 However, compliance
of an identifier
characters in the C99name with are signif-
standard. The
A
Type.value
CODE=IDENTIFIER_NODE
Identifier.str
the ISO
CODE=INTERGER_TYPE
Type.minval C standard
C standard specification
specification also
also required.
required. TheThe C90 C90 standard
standard states
Type.value the ISOthat C standard
icant;
GCC this specification
is
preprocessor extended and to Cisof
also
63 required.
characters
compiler have inThe
no theC90
limitC99standard
standard.
the lengthThe
onsignif- of
A
Identifier.str states
Type.minval
Type.maxval
states that
that the
the
the first
first 31
31
firstnames. characters
characters
31 characters ofan an identifier
identifier name nameare are significant;
CODE=IDENTIFIER_NODE
int
CODE=INTERGER_TYPE
icant;this GCC
identifier
this is preprocessor
extended to and
Even
63 C of
using
characters an
theidentifier
compiler haveC99
options
in the name
no
-std= limitareonsignif-
or
standard. the
-ansi,
The lengthGCC of
CODE=IDENTIFIER_NODE CODE=INTERGER_TYPE
Type.maxval
icant; this isisextended
extended toEven
to 63 characters in re-declaration
the C99 standard. The GCC
C 63 characters theinoptions
nothe C99 onstandard. The
Identifier.str Type.minval
int 0 99 identifier
still
GCC preprocessor cannot names.
detect
and whether
compilerusingidentifier
have limit -std= or complies
the length -ansi, of GCC with
Identifier.str Type.minval
Type.maxval
0 GCC preprocessor
99preprocessor
still
the cannot
length and
and
detect
limit C
Cof compiler
compiler
whether
the ISO haveno
have
identifier
standard. nolimit
limit onthe
on thelength
re-declaration length
complies of identifier
of with
int identifier names. Even using the options -std= or -ansi, GCC
still names. Even using of the options oror-ansi, GCC withstill withcannot
Type.maxval
Figure int 5: Exampe GCC tree structure.
0 99
identifier
cannot names.
the length
For Even
rule
detect limit
5.5,
whetherusing
GCC the the
ISO
cannot options
identifier standard.
check-std=
-std=
variable
re-declaration -ansi,
names
complies GCC
conflicting
Figure 5: Exampe 0GCC tree structure. 99still detect
cannotmacro whether
detect
For rule
names. 5.5,
the length limit of the ISO standard.identifier
whether GCC
Figure cannot
8 re-declaration
identifier
shows re-declaration
check
the variable
calling complies
complies
names
sequence with
with
conflicting
of checking the length
with
rede-
Figure
Figure 5: Exampe
5:5:Exampe GCC
GCC tree structure.
treestructure.
structure.
theFor limit
lengthrule of
limit
macro
fined the of
macros
5.5, GCCISO
thein
names. standard.
ISO
Figure
GCC.
cannot standard.
8 shows
The
check the
function
variable calling sequence
_cpp_create_definition()
names conflicting of checking
with rede-
There
Figureare two important
Exampe GCCbuilt-in
tree functions that are commonly For rule in5.5, GCC cannot check variable names
macro names.For
fined
is rule
macros
charge 5.5,ofin
Figure 8GCC GCC.
parsing
shows cannot
The
macros.
the check
function
calling Checkingvariable ofconflicting
re-definition
_cpp_create_definition()
sequence checking with
names conflicting
is handled by
rede- with
usedThere
duringaretracing
two important
and verifying built-in GCC functions
front-end. that are commonly macro names. Figure 8The
shows the calling sequencere-definition
of checking rede-
used during tracing and verifying GCC front-end. fined macro is innames.
the
macros charge
function
in GCC. Figure
of parsing 8 shows
macros.
warn_of_redefinition().
function the calling
Checking sequence
_cpp_create_definition() Figureof is9checking
handled
shows the byrede-
There areare
There two
•two important
important built-in
debug_tree() built-inMuchfunctions
functions
information thatare
that is are commonly
commonly
obtainable from tree fined macros
is in fined calling
charge ofinparsing
themacros GCC.
function
sequence The function
for checking
inwarn_of_redefinition().
GCC.
macros. The
_cpp_create_definition()
re-declared
function
Checking re-definition isFigure
identifiers
handled
_cpp_create_definition()in9 byshowsThe
GCC. the
There aretracing
two important built-in functions that are commonly
used during
used duringtracing and
and verifying
• structures.
debug_tree() verifying
However, GCC
GCC
used during tracing and verifying GCC front-end. front-end.
it is front-end.
Much information
not is obtainable
easy to fully understand from is
the tree
theinfunction
charge ofwarn_of_redefinition().
calling
function
is in charge
parsing
sequence macros. Checkingre-declared
for checking
duplicate_decls()
of parsing macros. Checking
re-definition
called is9handled
byidentifiers
pushdecl()
re-definition
Figure shows intheby
GCC. The
handles
is handled by
structures.
structure. However,
This functionit iscan
notdump
easy totree
fully understand
information. the
the tree function
function
the warn_of_redefinition().
issue of identifier re-declared called
checkingre-declaration.
duplicate_decls() Figure
During in9 GCC.
shows The
by pushdecl()
compilation, theGCChandles
first
• debug_tree()
• debug_tree()
• debug_tree()
Much Much
Much
information
information
information
is
is obtainable
is
obtainable
obtainable
from
from
from
treetree
tree
calling
callingthe sequence
function
sequence
for
warn_of_redefinition().
for checking re-declared
identifiers
identifiersFigurein 9
GCC.shows The the first
calling
• inform()
structure. This
This function
functioncan dump
can tree
output information.
the program location the
checksissue of identifier re-declaration.
macro re-definition called and then During
checks compilation,
identifierhandles GCC
re-declaration.
structures.
structures.
structures. However,
However,
However,
ititis
itThisisnot
iscan
not not
easy
easy easyto to
fully fully understand
understand the tree the function duplicate_decls()
sequence for checking re-declared
by pushdecl()
identifiers in GCC. The func-
• and
structure. a suitable
inform()
This function message. dump It to
function fully
can
needs
tree twounderstand
output parameters:
information. the location_t,
the programtree locationfunction duplicate_decls()
the issuechecks macro
ofInidentifier
order not to interferecalled
re-definition
re-declaration. andwith
During bycompilation
then pushdecl()
checks identifier
compilation, runGCChandles
byre-declaration.
the original
first
tree structure.
structure.andThis
a This
the function
function
suitable
required can
message.
messagecan
dump It dump
tree
needs
to be twotree
output. information.
information.
parameters:
This function outputs
location_t, the tion
issue duplicate_decls()
of
GCC, identifier
In order
we use re-declaration.
not
an to interfere
additional called
During
with
data by pushdecl()
compilation,
compilation
structure, a hash GCC
run handles
by
table, first
the
to the
original
record issue
in-
• inform() This function can output the program location checks macro re-definition and then checks identifier re-declaration.
• inform() Thisthefunction canwith
output the program location
locationand
• inform() and
warning
and a suitable This function
required
messages
message. can
Itmessage
needs output
location
two bethe
toparameters: program
output. This
information. function
location_t, outputs Inoforder
checks identifier
macro
GCC,
formation
not re-declaration.
re-definition
wetouse
for an and
theadditional
interfere macros
withthenand During
checks
data compilation,
identifier
structure,
identifiers.
compilation Aahash
run hash
by GCC
re-declaration.
table,
table
the has first
to an
original record checks
almostin-
a suitable
and a message.
suitable
warning message.It
messagesneeds
It needstwo
with two parameters:
parameters:
location
and the required message to be output. This function outputs location_t,
location_t,
information. macro re-definition
formation to interfere
for the andwith
macros then
GCC, we use an additional data structure, a hash table, the
In order not checks
compilation
and identifiers. identifier
run
A by
hash re-declaration.
original
totable
recordhasin- an almost
andand
thethe
warningrequired
required
messages message
message to
with location be output.
to be output.
information.Thisfunction
This function outputs GCC,
outputs formationwe Inuseorder
for an
theadditional
not to and
macros data
interfere structure,
withAacompilation
identifiers. hashtable
hash table,has torun
record
an byin-
almost the original
warning
warningmessages
messages with locationinformation.
with location information. formation for the macros and identifiers. A hash table has an almost
GCC, we use an additional data structure, a hash table, to record in-
formation for the macros and identifiers. A hash table has an almost
3.2 Strategy constant lookup time, which makes checking duplication efficient.
There are few documents [9, 14] describing GCC’s internal design, Following ISO C, only the significant characters are recorded. For
especially the front-end part [8, 11]. To identify the proper program example, using C90, the first 31 characters of an identifier name
point in GCC to check the rules, we create a test program that are used as a lookup key, and only these characters are stored. We
makes GCC issue the diagnostic messages of interest here. The also record a variable’s scope information for checking rule 5.3,
ICPPICPP
Workshops ’20, August
Workshops 17–20,
’20, August 2020,2020,
17–20, Edmonton, AB, Canada
Edmonton, AB, Canada Guan-Ren
Guan-Ren Wang Wang and Chen
and Peng-Sheng Peng-Sheng Chen
ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada Guan-Ren Wang and Peng-Sheng Chen
ICPP Workshops ’20, August 17–20, 2020, Edmonton, AB, Canada Guan-Ren Wang and Peng-Sheng Chen

_cpp_create_definition warn_of_redefinition and 4 CONCLUSION

and codes
codes from [13]
from [13] are
are selected
selected asas the
the tested
tested benchmark
benchmark programs.
programs.
and codes
The from [13]
evaluation areshow
results selected
thatasthe
themodified
the tested benchmark programs.
GCC compiler
compiler can
Computer systems affect our daily lives and ensuring their stability
_cpp_create_definition warn_of_redefinition
_cpp_create_definition warn_of_redefinition The evaluation results show that modified GCC can
The evaluation
successfully results
check rulesshow
5.2, that 5.4,
5.3, the modified
5.5, and GCC compiler can
8.2.
cpp_pedwarning_with_line is important.
successfully The
check rules MISRA-C
5.2, 5.3, 5.4,specification
5.5, and 8.2. provides rules for pro-
successfully check rules 5.2, 5.3, 5.4, 5.5, and 8.2.
4 grammers that reduce the likelihood of codes being incorrectly
cpp_pedwarning_with_line
cpp_pedwarning_with_line
CONCLUSION
cpplib/macro.c
cpplib/macro.c Warning: macro re-definition
Warning: macro re-definition
44Computer
CONCLUSION
written or
CONCLUSION behaving in daily
systems affect our unintended
lives andways. This
ensuring paper
their implements
stabil-
cpplib/macro.c Computer systemscompliance
affect our daily lives and ensuring their stabil-
isaimportant.
MISRA-C checker based on the GCC compiler in-
Warning: macro re-definition
Computer
ity is systems
important. Theaffect
MISRA-C our daily lives and
specification ensuring
provides their
rules stabil-
for pro-
Figure 8: Calling
Calling sequencefor
for checking
checking redefined
redefined macros in in ity The MISRA-C specification provides rules for pro-
Figure 8: Calling
Figure 8: sequence
sequence for checking redefined macros
macros in ity isfrastructure.
grammersimportant.
that TheWe
reduce thefocus
MISRA-C onspecification
likelihood single-translation-unit-labeled,
of codes provides
being rules forwrit-
incorrectly pro- identify-
Figure
GCC. 8: Calling sequence for checking redefined macros in grammers that reduce the likelihood of codes being incorrectly writ-
GCC.
GCC. ten orrelated
grammers
or behavingrules.
that Forthe
reduce thelikelihood
in unintended
unintended tested
ways.benchmark
of codes
This paper programs,
being incorrectly
implements the modified GCC
writ-
GCC. ten behaving in ways. This paper implements aa MISRA-
MISRA-
orcompiler
behavingcan correctly
based assess
on the compliance with the target MISRA-C
ten
C compliance in unintended
checker based ways.
on This
the GCC paper implements
compiler a MISRA-
infrastructure.
C compliance checker GCC compiler infrastructure.
C compliance
We rules.on
focus checker based on the GCC compiler
on single-translation-unit-labeled,
single-translation-unit-labeled, infrastructure.
identify-related rules.
We focus identify-related rules.
pushdecl duplicate_decls diagnose_mismatched_decls
We focus on single-translation-unit-labeled, identify-related rules.
For theFuture
For the tested work will continue
benchmark programs,totheenhance
programs, the modifiedGCC
modified GCCfor
GCC supporting more
compiler
pushdecl duplicate_decls diagnose_mismatched_decls
pushdecl duplicate_decls diagnose_mismatched_decls tested benchmark compiler
For the testedassess
can correctly
correctly benchmark
complianceprograms,
with thethetarget
the modified
MISRA-CGCC compiler
rules.
gcc/c/c-decl.c
gcc/c/c-decl.c Warning: identifier re-declaration
can
can
MISRA-C
correctly
rules.
assess
assess
GCC is widely
compliance
compliance
with
with the
used
targetbyMISRA-C
target
individuals
MISRA-C
rules.
rules.
and industries
Future work will continue to enhance GCC for supporting more
gcc/c/c-decl.c Warning: identifier re-declaration
Warning: identifier re-declaration during
Future
Future
work
worksoftware
will
will development.
continue
continue
to
to
enhance
enhance Although
GCC
GCC
for
for the main
supporting
supporting goal
more
more of its orig-
MISRA-C rules. rules. GCC
GCC is is widely
widely used
used byby individuals
individuals and and industries
industries
Figure
Figure 9:
9: Calling sequence
Calling sequence for for checking
checking redeclared
redeclared identifiers
identifiers
inal
MISRA-C
MISRA-C design
during software was not
rules. development.
software for
GCC is widelyAlthough static
used by the checking,
individuals
main goal
goalif GCC perform
andofindustries
its origi-
origi- static
Figure
Figure
in 9: 9:
GCC. Calling
Callingsequence
sequence for forchecking
checking redeclared
redeclared identi- during
identifiers duringchecking
software
development.
(e.g., checking
development.
Although
MISRA-C
Although
the rules),
the
main
main it
goal
of its
would
of its help
origi- program-
in GCC. nal design
nal design was
was not
not for
for static
static checking,
checking, if if GCC
GCC perform
perform staticstatic check-
check-
fiers
in in GCC.
GCC. nal mers checking
develop software that is less error-prone or makecheck-it easier to
ing design
ing (e.g.,
(e.g.,
was not for static checking,
MISRA-C
checking MISRA-C rules),
rules),
ifit GCC
would
it would
perform static
help programmers
help programmers
struct c_declarator {
struct c_declarator {
ing track
(e.g.,
develop
develop
errors that
checking
software
software
and
that isthereby
MISRA-C
is
aid the
rules),
less error-prone
less error-prone development
it would
or make
or make help
it easier
it easierof to
programmersreliable
to track software
track
... c_declarator
struct
...
struct
...
struct
{
c_declarator *declarator;
c_declarator *declarator;
errorssystems.
develop software
and thereby that
aid is less
the error-prone
development of or makesoftware
reliable
errors and thereby aid the development of reliable software systems.
it easier systems.
to track
...
struct
... c_declarator *declarator; errors and thereby aid the development of reliable software systems.
.../* For functions. */
/*
/*
For functions.
struct */
c_arg_info *arg_info;
For functions.
struct */
c_arg_info *arg_info;
ACKNOWLEDGMENTS
ACKNOWLEDGMENTS
ACKNOWLEDGMENTS
...
struct c_arg_info *arg_info;
...
};...
ACKNOWLEDGMENTS
This work was supported by the Taiwan Ministry of Science and
}; ThisThis
workwork was supported
was supported by the Taiwan
by the Taiwan Ministry Ministry
of Scienceofand
Science and
}; This work was
Technology supported
under by the
grant MOST
MOST Taiwan Ministry of Science
105-2221-E-194-056-MY3. Theand
au-
/* Information about the parameters in a function declarator. */
/* Information about
{ the parameters in
in a function declarator. */ Technology
Technology
Technology
under
under under
grant
grant grant105-2221-E-194-056-MY3.
MOST MOST 105-2221-E-194-056-MY3.
105-2221-E-194-056-MY3. The
The
au-
au- The au-
struct
/* c_arg_info
Information about
{ the parameters a function declarator. */ thors are
are grateful
grateful to
to the
the National
National Center
Center for
for High-Performance
High-Performance Com-
Com-
struct
struct
/*
tree
c_arg_info
/* A c_arg_info
list of parameter
A list
parms;
{
of parameter
decls. */
decls. */ thors
thors
thors
putingare
for are grateful
grateful to the
computer time to
andthe
National National
Center
facilities. Center for High-Performance
for High-Performance Com-
/*
treeA list
parms;of parameter decls. */ puting for computer
Computing time
fortime and facilities.
computer time and facilities.
... parms;
tree puting for computer and facilities.
};...
};...
}; REFERENCES
REFERENCES
REFERENCES
[1] REFERENCES
1991. Programming languages - C. Standards Australia.
[1] 1991. Programming languages - C. Standards Australia.
Figure 10:
Figure 10: Structures
Structures c_declarator and c_arg_info.
c_declarator and c_arg_info. [2]
[1]
[2]
2007. WG14/N1256
1991. Programming
[1] 1991.
2007. WG14/N1256ProgrammingCommittee
languages
Committee
Draft
-Draft — Septermber
C. Standards
languages 7, 2007 ISO/IEC 9899:TC3
Australia.
C. Standards
—-Septermber Australia.
7, 2007 ISO/IEC 9899:TC3
Figure 10:
Figure 10: Structures
Structures c_declaratorand
c_declarator andc_arg_info.
c_arg_info. [2] Contents.
2007.
[2]
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf.
WG14/N1256
2007.
Contents. WG14/N1256 Committee Draft — Septermber 7, 2007 ISO/IEC 9899:TC3
Committee Draft — Septermber
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf.
Ac-
7, 2007 ISO/IEC
Ac- 9899:TC3
cessed: 2019-06-30.
Contents. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf. Ac-
cessed:Contents.
2019-06-30. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf. Ac-
[3] R. C. Baumann.
cessed: 2019-06-30. 2005. Radiation-induced soft errors in advanced semiconductor
constant lookup
lookup time, time, which
which makesmakes checking
checking duplication
duplication efficient.
efficient. [3]
[3] cessed:IEEE
R. C. Baumann.
technologies.
R. C. Baumann. 2019-06-30.
2005. Radiation-induced soft errors in advanced semiconductor
2005.Transactions on Devicesoft
Radiation-induced anderrors
Materials Reliability
in advanced 5, 3 (2005),
semiconductor
constant technologies. IEEE Transactions on Device and Materials Reliability 5, 3 (2005),
event though
constant
Following it
lookup
ISO canC, be
time,
only detected
which
the by
makes the
significant option
checking
charactersduplication
are
-Wshadow. This infor-
efficient.
recorded. For [3] R. C. Baumann.
305–316.
technologies. 2005. Radiation-induced
IEEE Transactions on Device and Materialssoft errors in advanced
Reliability 5, 3 (2005),semiconductor
Following ISO C, only the significant characters are recorded. For 305–316.
Following ISO C, only [4] Sameeratechnologies.
305–316. Deshpande and IEEEUday
Transactions
P. Khekdker. on 2007.
Device Incremental
and Materials Machine De- 5, 3 (2005),
Reliability
mation is obtained
example, using C90,from thethefirstsignificant
the field
31 characterscharacters
characters of an
current_scope are inrecorded.
an identifier
identifierthe
name For
structure
are [4] Sameera Deshpande and Uday P. Khekdker. 2007. Incremental Machine De-
example, using C90, the first 31 of name are [4] Sameera305–316.
scriptions for GCC. GREPS:
Deshpande International
and UdayInternational Workshop
P. Khekdker.Workshop on GCC for ResearchDe-
2007. Incremental
on GCC forMachine
in
example, using C90, the first 31these
characters of an are
identifier name are scriptions for GCC. GREPS: Research in
used aswhich
used
c_scope, as a lookup
a lookup records
key,
key, andand depth
only information.
only these charactersThe
characters depth We
stored.
are stored. value
We alsoof a
also [4] Sameera
Embedded
scriptions
Embedded Deshpande
and Parallel
for
andGCC.
Parallel and
Systems
GREPS:
Systems Uday P. Khekdker.
(2007).
International
(2007). Workshop 2007.
on GCC Incremental
for Research Machine
in Descrip-
used
record asaa variable’s
lookup key, and information
scope only these characters
for checkingare stored.
checking rule Weevent
5.3, also [5] Brian J.
Brian tions
Embedded Gough and
forParallel
and GCC. Richard M.
Systems Stallman.
(2007). 2004. An Introduction to GCC. Net-
global
recordvariable
a variable’sis 1, and
scope the depth
information value
for of a local variable
rule 5.3, starts [5]
event [5] J. Gough
work Theory
Brian J. Gough Ltd.
and
and
GREPS:
Richard
Richard
M.International
M.
Stallman. 2004.
Stallman.
Workshop
2004.
on GCCtoforGCC.
An Introduction
An Introduction to
Research
GCC.
Net- in Embedded
Net-
record
though aitvariable’s
can be scope by
detected information
the option for checking rule
-Wshadow. This5.3, event
informa- work Theory Ltd. Systems (2007).
and Parallel
at 2though
and increases
though it can be according
it can be from
detected byto
detected theits scope.
the option We implement
-Wshadow. and insert [6]
This informa- [6] JasonTheory
work Merrill.Ltd.
[5] Brian
Jason Merrill.
2003. GENERIC and GIMPLE: A new tree representation for
J. Gough and Richard
2003. GENERIC andM.GIMPLE:
Stallman. A 2004. An171–180.
new tree Introduction
representationtofor GCC. Network
tion isis obtained
obtained the by field option -Wshadow.
current_scope inThis informa-
the structure
structure [6] entire functions.
Jason Merrill. In in Proceedings
2003. GENERIC and GCC Developers
GIMPLE: Summit.
A new tree 171–180.
representation for
the tion
proposed
tion
is obtained
c_scope, codes
which
from
fromfor checking
the field
the field
records rules 5.2,
current_scope
depthcurrent_scope 5.3,
information. The 5.4,inand
the 5.5
in thevalue
The depth
depth into
structure
of aathe [7]
entire Theory
MISRA.
entire
functions.Ltd.
2013. MISRA
functions.
In in Proceedings
In in
GCC
C:2012 Guidelines
Proceedings GCC
Developers Summit.
for the use Summit.
Developers of the C language
171–180. in critical
which records depth information. value of [7] [6] Jason
MISRA. 2013.Merrill.
MISRA2003.
MISRA C:2012 GENERIC
Guidelines andforGIMPLE: A new
for the use of the tree representation
C language in critical for entire
functions
c_scope,
c_scope,
global _cpp_create_definition()
variablewhich is records
1, and depth
the depth value and
information.
of a pushdecl().
The
localdepth valuestarts
variable of a [7]
[8]
systems.
MISRA.
systems.
Joachim
MISRA.
2013.
MISRA.
functions.
Nadler and In in
C:2012
Tim
Guidelines
Proceedings
the use of the
GCC Developers
Josling. [n.d.].
C language
Summit.and
Using, Maintaining
in critical
171–180.
Enhancing
global variable is 1, and the depth value of a local variable starts systems.
Joachim MISRA.
Regarding
global andvariable
at 22 and ruleis8.2,
increases 1, GCC
and the
according options
depth
to -Wmissing-parameter-
value
its scope.
scope. of aimplement
We local variable starts
and insert
insert
[8]
type, [8] [7] MISRA.
COBOL
Joachim
COBOL
Nadler and Tim Josling. [n.d.]. Using, Maintaining and Enhancing
for the 2013.
Nadler
for
GNU
the GNUand TimMISRA
Compiler C:2012 Guidelines
Collection
Josling.
Compiler [n.d.].
Collection
(GCC). for theavailable
Online
Using, Maintaining
(GCC).
use of
Online available andthe
at C language in critical
atEnhancing
at increases according to its We implement and MISRA.
at
the2proposed
and increases
-Wmissing-prototypes,
proposed codesaccording and -Wstrict-prototypes
for checking
checking to itsrules
scope.
5.2,We and can
5.3,implement
5.4, and detect
andinto
5.5 the some [9]
insert http://cobolforgcc.sourceforge.net/cobol_toc.html.
COBOL systems.
for the GNU Compiler Collection (GCC). Online available at
http://cobolforgcc.sourceforge.net/cobol_toc.html.
the codes for rules 5.2, 5.3, 5.4, 5.5 into the [8] Joachim
Richard Nadler
M. Stallman
andand
and theTim
the GCCJosling.
GCC Developer
http://cobolforgcc.sourceforge.net/cobol_toc.html. [n.d.].
Community. [n.d.]. GNU Compiler
Using, Maintaining
[n.d.]. GNU and Enhancing COBOL
cases
the of non-compliant
proposed
functions codes forcode, checking
_cpp_create_definition() but
functions _cpp_create_definition() and pushdecl(). cannot
rules 5.2,handle 5.4,missing
5.3, and and 5.5 parameter
pushdecl().into the [9]
[9]
Richard
Collection
Richard
M. Stallman
forM.the
Collection
Internals.
Stallman GNU
and
GNU Compiler
Internals. GNU
Press.
thePress.
GCC
Developer Community.
Online available
Developer
Collection at
Online
Community.
(GCC).
Online available at available
[n.d.]. GNU at
Compiler
Compiler
functions
names.Regarding
Regarding _cpp_create_definition()
The structure rule 8.2,
8.2, optionscontains
GCC options
c_arg_info and pushdecl().
a field parms that has [10]
-Wmissing-parameter- http://gcc.gnu.org/onlinedocs.
Collection Internals. GNU
http://gcc.gnu.org/onlinedocs. Press. Online available
http://cobolforgcc.sourceforge.net/cobol_toc.html. at
rule GCC -Wmissing-parameter- Richard M. Stallman and the GCC Developer Community. [n.d.]. Using the GNU
http://gcc.gnu.org/onlinedocs.
Regarding rule 8.2, GCC options -Wmissing-parameter- [9] Richard M. Stallman and the GCC Developer
Community.Community. [n.d.].
information
type,
type, for function parameters,and
-Wmissing-prototypes,
-Wmissing-prototypes, andas-Wstrict-prototypes
shown in Figure 10. We [10]
-Wstrict-prototypes [10] Richard
Compiler
Richard
Compiler
M. Stallman
Collection.
M.Collection.
Stallman and
Collection
and the GCC
GNU
GNU
Press.
thePress.
Internals.
Developer
Online
GCC Developer
GNU Online
available
Press. available
Online
at
Community.
Online available
available at
[n.d.]. Using the
[n.d.]. Using the GNU
at
GNUGNU Compiler
type,
can -Wmissing-prototypes,
detect some cases of non-compliant and -Wstrict-prototypes
code, but cannot handle
use can
the detect
can macrosome
detect DECL_NAME()
some to check whether
cases of non-compliant code, abutparameter name is [11]
cannot handle
http://gcc.gnu.org/onlinedocs.
Compiler Collection. GNU Press.
http://gcc.gnu.org/onlinedocs.
http://gcc.gnu.org/onlinedocs. at
missing parametercases names. of non-compliant
The structure code, but cannot
structure c_arg_info
c_arg_info handlea
contains Website. [n.d.]. GCC tiny. https://thinkingeek.com/gcc-tiny/. Accessed: 2019-
http://gcc.gnu.org/onlinedocs.
missing.
missing
missing Inparameter
addition,names.
parameter the macro
names. The
The DECL_CHAIN()
structure c_arg_info is usedcontains
to traverse
contains a
a
[11]
[11]
Website.
[10]
Website.
[n.d.]. GCC tiny. https://thinkingeek.com/gcc-tiny/. Accessed: 2019-
06-30.Richard M. Stallman and the GCC Developer Community. [n.d.]. Using the GNU
06-30. [n.d.]. GCC tiny. https://thinkingeek.com/gcc-tiny/. Accessed: 2019-
field parms that has information for function parameters, as shown [12] Compiler
Website. GNU Press. Online available
Collection.https://www.misra.org.uk/.
[n.d.]. MISRA-C. Accessed:at 2019-06-30.
the field
listFigure
field
in of parameter
parms
parms
that hasdeclarations.
10. that
We useuse
information for function parameters, as shown
has the
information for function parameters,
macro DECL_NAME()
DECL_NAME() to check as showna
check whether
whether
[12]
[13]
[12]
06-30.
Website. [n.d.]. MISRA-C. https://www.misra.org.uk/. Accessed: 2019-06-30.
http://gcc.gnu.org/onlinedocs.
Website. [n.d.].
[n.d.]. MISRA-C. MISRA-C:
https://www.misra.org.uk/. Example-Suite.
Accessed:Example-Suite.
2019-06-30.
in Figure 10. We the macro to a [13] Website. [n.d.]. MISRA-C:
in Figure 10.
parameter nameWeisuse the macro
missing. DECL_NAME()
In addition,
addition, macrotoDECL_CHAIN()
the macro check whether a
DECL_CHAIN() [13] [11] Website. [n.d.].
Website. [n.d.]. GCC tiny. https://thinkingeek.com/gcc-tiny/.
https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite.
MISRA-C:
https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite. Accessed:
Example-Suite. Ac-
Ac- 2019-06-
parameter
3.4parameter
Experiment name is missing. In the cessed:30.2019-06-30.
https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/Example-Suite. Ac-
is used
used name is missing.
to traverse
traverse the list ofInparameter
list of addition, the
parameter macro DECL_CHAIN()
declarations. [14]
cessed: 2019-06-30.
Website.2019-06-30.
cessed: 2012. GCC C Compiler Internals.
is to the declarations. [14] [12] Website.2012.
Website. [n.d.]. MISRA-C. https://www.misra.org.uk/.
GCC C Compiler Accessed: Internals.2019-06-30.
is used to traverse the list of parameter
The modified GCC compiler is evaluated on a platform with an [14]declarations. https://en.wikibooks.org/wiki/GNU_C_Compiler_Internals.
Website.
[13] 2012. GCC C Accessed: 2019-06-
Compiler
Accessed: Internals.
30. Website. [n.d.]. MISRA-C: Example-Suite. https://gitlab.com/MISRA/MISRA-
https://en.wikibooks.org/wiki/GNU_C_Compiler_Internals. 2019-06-
https://en.wikibooks.org/wiki/GNU_C_Compiler_Internals. Accessed: 2019-06-
3.4
Intel
3.44 GHzExperiment
Corei7 6770 processor and 8GB RAM running 64-bit
Experiment 30. C/MISRA-C-2012/Example-Suite. Accessed: 2019-06-30.
30.
3.4 Experiment [14] Website. 2012. GCC C Compiler Internals. https://en.wikibooks.org/wiki/GNU_
Ubuntu
The modified16.04.
The Linux
modified GCCExamples
GCC compiler isfrom
compiler is the MISRA-C
evaluated
evaluated specification
on aa platform
on platform with an
with In-and
an In- C_Compiler_Internals. Accessed: 2019-06-30.
The 4modified GCC6770
compiler is evaluated on aRAM
platform with 64-bit
an In-
codes
tel 4from
tel GHz[13]
GHz are 6770
Corei7
Corei7 selected as theand
processor
processor andtested
8GB
8GB benchmark
running
RAM running programs.
64-bit
tel 4 GHz
Ubuntu Corei7
Linux 6770
16.04. processorfrom
Examples andthe
8GB RAM running
MISRA-C 64-bit
specification
TheUbuntu
evaluation
Linuxresults
16.04. show thatfrom
Examples the modified
the MISRA-C GCCspecification
compiler can
Ubuntu Linux 16.04. Examples from the MISRA-C specification
successfully check rules 5.2, 5.3, 5.4, 5.5, and 8.2.