Open
Description
As mentioned in #2215 I'm compiling a list of lints based on MISRA rules. For the C language MISRA 2004 defines C90 should be used so there are numerous rules forbidding certain C99 features, C++ features. And there are also rules written for machines which provide FPUs that don't use IEEE754 for floats. So I'm going to attempt to remove all the irrelevant rules and keep it to rules which are relevant to rust 😄
So here it goes. All the relevant rules, a lot of these are probably already covered. And a number are actually already caught by the rust compiler!
- No reliance on undefined or unspecified behaviour
- Only interface with code from another language if the object code follow the same standard (so no rust-java interfaces)
- Assembly language should be isolated from main code
- No commented out sections of code
- Manually specified struct packing should be documented
- All third party libraries should conform to MISRA as well
- Identifiers in different namespaces should not share the same name (with exception of struct elements)
- Identifier names should not be reused
- Only use char for characters, use u8 or i8 for numeric values
- static variables should only be referenced in the file they are defined in
- array size must be defined at compile time
- (required) if first enum element is not 0, all elements must be explicitly assigned a value
- a value of a "complex" expression of integer type may only be cast to a narrower type if it is the same signedness
- a value of a "complex" expression of float type may only be cast to a smaller float type
- result of shift operators must be explicitly cast to type of result before the shift i.e.
let x:u8 = (8 as u8) >> 2; - No casting pointers to void* or pointer to other object type
- casts should not remove volatile or constness from what a pointer points to
- No dependency on operator precedence rules. Use brackets etc.
- a value of an expression shall be the same under any order of evaluation the standard allows
- right hand operator of
&&and||may not contain side effects -
&&and||can only be primary expressionsa && b && cis good,a && (b && c)is bad - do not mix logical and non-logical operators
- bitwise operators can only be applied to unsigned values
- right hand side of shift must be between 0 and "element width" - 1
- floating point values cannot be loop counters in loops
- invariant boolean operations are not permitted (i.e.
true == false) - no unreachable code
- no use of
gotoorcontinue - a loop may not have more than one
breakstatement - a function shall have a single point of exit at the end of the function
- no recursion (directly or indirectly)
- all results must be tested
- only use pointer arithmetic on arrays
- only use two levels of indirection maximum
- imports should only be preceded by other imports
- do not redefine things defined in the standard library
- dynamic memory allocation must not be used
- errno, stdio, unix signals and functions that interact with the environment (getenv, system etc) must not be used (MISRA assumes embedded applications only).
- all if statements must have an else
else_if_without_else
Already solved by clippy
- do not test floating point values for equality or inequality
- Identifiers in an inner scope must not share a name with identifiers in a higher scope (no masking)
- all statements must have at least one side-effect or cause control flow to change. No null statements
- no_effect
Already solved by the language
- pointers may only be cast to integral types
- conditions should be explicitly checked against true and false
- sizeof operator should not be used on expressions with side effects
- No bitwise operations on floating point values
- unsigned must only be used for numeric types
- functions must have a fixed number of arguments