Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
MISRA-C++:2008 Standards Model Summary for C++
The LDRA tool suite® is developed and certified to BS EN ISO 9001:2015, TÜV SÜD and SGS-TÜV Saar.
This information is applicable to version 10.0.3 of the LDRA tool suite®.
It is correct as of 26th April 2022.
© Copyright 2022 LDRA Ltd. All rights reserved.
Compliance is measured against
"MISRA C++:2008 Guidelines for the use of the C++ language in critical systems"
June 2008
Copyright © MISRA
Further information is available at http://www.misra.org.uk
Classification
Required
Advisory
Document
Total
Enhanced
Enforcement
11
2
0
13
Fully
Implemented
170
14
2
186
Partially
Implemented
12
1
2
15
Not yet
Implemented
4
1
0
5
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Not statically
Checkable
1
0
8
9
Total
198
18
12
228
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
MISRA-C++:2008 Standards Model Compliance for C++
Rule
Classification
Rule Description
0-1-1
Required
A project shall not contain unreachable code.
0-1-2
Required
A project shall not contain infeasible paths.
0-1-3
Required
A project shall not contain unused variables.
0-1-4
Required
0-1-5
Required
0-1-6
Required
0-1-7
Required
0-1-8
Required
A project shall not contain non-volatile POD
variables having only one use.
A project shall not contain unused type
declarations.
A project shall not contain instances of nonvolatile variables being given values that are
never subsequently used.
The value returned by a function having a nonvoid return type that is not an overloaded operator
shall always be used.
All functions with void return type shall have
external side effect(s).
0-1-9
Required
There shall be no dead code.
0-1-10
Required
Every defined function shall be called at least
once.
0-1-11
Required
0-1-12
Required
0-2-1
Required
There shall be no unused parameters (named or
unnamed) in non-virtual functions.
There shall be no unused parameters (named or
unnamed) in the set of parameters for a virtual
An object shall not be assigned to an overlapping
object.
LDRA
LDRA Standard Description
Standard
28 D Potentially infinite loop found.
Procedure is not called or referenced in code
76 D
analysed.
1 J Unreachable Code found.
3 J All internal linkage calls unreachable.
Static procedure is not explicitly called in code
35 S
analysed.
631 S Declaration not reachable.
139 S Construct leads to infeasible code.
140 S Infeasible loop condition found.
94 D Named variable declared but not used in code.
70 D DU anomaly, variable value is not used.
DU anomaly dead code, var value is unused on
105 D
all paths.
3 X Variable has only one use.
User type declared but not used in code
analysed.
70 D DU anomaly, variable value is not used.
DU anomaly dead code, var value is unused on
105 D
all paths.
560 S Scope of variable could be reduced.
413 S
382 S (void) missing for discarded return value.
65 D Void function has no side effects.
70 D DU anomaly, variable value is not used.
DU anomaly dead code, var value is unused on
105 D
all paths.
57 S Statement with no side effect.
Procedure is not called or referenced in code
76 D
analysed.
2 U Procedure not called anywhere in system.
1 D Unused procedure parameter.
15 D Unused procedural parameter.
1 D Unused procedure parameter.
15 D Unused procedural parameter.
480 S String function params access same variable.
545 S Assignment of overlapping storage.
647 S Overlapping data items in memcpy.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
43 D
45 D
48 D
49 D
51 D
82 D
83 D
84 D
87 D
89 D
98 D
113 D
123 D
Divide by zero found.
Pointer not checked for null before use.
Attempt to write to unopened file.
File pointer not closed on exit.
Attempt to read from freed memory.
fsetpos values not generated by fgetpos.
Potentially repeated call to ungetc.
No fseek or flush before I/O.
Illegal shared object in signal handler.
Illegal use of raise in signal handler.
Attempt to write to file opened read only.
File closed more than once.
File pointer not checked for null before use.
Var set by std lib func return not checked before
124 D
use.
125 D free called on variable with no allocated space.
Local or member denominator not checked
127 D
before use.
128 D Global pointer not checked within this procedure.
129 D
130 D
131 D
135 D
136 D
0-3-1
Document
Minimization of run-time failures shall be ensured
by the use of at least one of: (a) static analysis
tools/techniques; (b) dynamic analysis
tools/techniques; (c) explicit coding of checks to
handle run-time faults.
137 D
64 S
65 S
113 S
157 S
248 S
407 S
412 S
465 S
482 S
483 S
484 S
486 S
487 S
489 S
573 S
576 S
587 S
589 S
590 S
591 S
608 S
Global file pointer not checked within this
procedure.
Global set by std lib func return not checked
before use.
Global denominator not checked within this
procedure.
Pointer assigned to NULL may be dereferenced.
Global pointer assigned to NULL may be
dereferenced.
Parameter used as denominator not checked
before use.
Void procedure used in expression.
Void variable passed as parameter.
Non standard character in source.
Modification of string literal.
Divide by zero in preprocessor directive.
free used on string.
Undefined behaviour, \ before E-O-F.
Struct/union not completely specified.
Incomplete structure referenced.
Freed parameter is not heap item.
Attempt to use already freed object.
Incorrect number of formats in output function.
Insufficient space allocated.
Insufficient space for operation.
Macro concatenation of uni char names.
Function pointer is of wrong type.
Const local variable not immediately initialised.
Format is not appropriate type.
Mode fault in fopen.
Inappropriate use of file pointer.
Use of explicitly undefined language feature.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
0-3-2
Required
0-4-1
Document
0-4-2
Document
0-4-3
Document
1-0-1
Required
1-0-2
Document
1-0-3
Document
2-2-1
Document
2-3-1
2-5-1
Required
Advisory
2-7-1
Required
2-7-2
Required
2-7-3
Advisory
2-10-1
Required
If a function generates error information, then that
error information shall be tested.
629 S Divide by zero found.
642 S Function return type with array field.
realloc ptr does not originate from allocation
644 S
function.
645 S realloc ptr type does not match target type.
Object created by malloc used before
652 S
initialisation.
66 X Insufficient array space at call.
70 X Array has insufficient space.
71 X Insufficient space for copy.
79 X Size mismatch in memcpy/memset.
80 X Divide by zero found.
91 D Function return value potentially unused.
DU anomaly dead code, var value is unused on
105 D
all paths.
Var set by std lib func return not checked before
124 D
use.
Global set by std lib func return not checked
130 D
before use.
Use of scaled-integer or fixed-point arithmetic
shall be documented.
Use of floating-point arithmetic shall be
documented.
Floating-point implementations shall comply with
a defined floating-point standard.
All code shall conform to ISO/IEC 14882:2003
"The C++ Standard Incorporating Technical
Corrigendum 1".
Multiple compilers shall only be used if they have
a common, defined interface.
The implementation of integer division in the
chosen compiler shall be determined and
documented.
The character set and the corresponding
encoding shall be documented.
Trigraphs shall not be used.
Digraphs should not be used.
The character sequence /* shall not be used
within a C-style comment.
Sections of code shall not be "commented out"
using C-style comments.
Sections of code should not be "commented out"
using C++ comments.
Different identifiers shall be typographically
unambiguous.
145 S
293 S
324 S
387 S
404 S
481 S
580 S
582 S
615 S
646 S
#if has invalid expression.
Non ANSI/ISO construct used.
Macro call has wrong number of parameters.
Enum init not integer-constant-expression.
Array initialisation has too many items.
Array with no bounds in struct.
Macro redefinition without using #undef.
const object reassigned.
Conditional operator has incompatible types.
Struct initialisation has too many items.
81 S Use of trigraph.
295 S Use of digraph.
119 S Nested comment found.
302 S Comment possibly contains code.
302 S Comment possibly contains code.
217 S Names only differ by case.
67 X Identifier is typographically ambiguous.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
2-10-2
Required
Identifiers declared in an inner scope shall not
hide an identifier declared in an outer scope.
2-10-3
Required
A typedef name (including qualification, if any)
shall be a unique identifier.
17 D
128 S
131 S
61 X
112 S
16 X
17 X
18 X
Identifier not unique within *** characters.
Parameter has same name as global variable.
Name reused in inner scope.
Identifier match in *** chars.
Typedef name redeclared.
Identifier reuse: typedef vs variable.
Identifier reuse: typedef vs label (MR).
Identifier reuse: typedef vs typedef.
19 X Identifier reuse: typedef vs procedure parameter.
20 X
21 X
22 X
23 X
24 X
Identifier reuse: persistent var vs typedef.
Identifier reuse: typedef vs macro.
Identifier reuse: typedef vs component.
Identifier reuse: typedef vs enum constant.
Identifier reuse: typedef vs procedure.
552 S Class, enum, struct or union name reused (MR).
2-10-4
Required
A class, union or enum name (including
qualification, if any) shall be a unique identifier.
2-10-5
Advisory
The identifier name of a non-member object or
function with static storage duration should not be
reused.
4X
5X
6X
7X
8X
9X
10 X
11 X
12 X
13 X
14 X
15 X
7X
15 X
20 X
24 X
25 X
26 X
27 X
28 X
29 X
30 X
32 X
33 X
34 X
35 X
36 X
37 X
38 X
Identifier reuse: struct/union tag repeated.
Identifier reuse: struct vs union.
Identifier reuse: struct/union tag vs enum tag.
Identifier reuse: tag vs procedure.
Identifier reuse: tag vs procedure parameter.
Identifier reuse: tag vs variable.
Identifier reuse: tag vs label (MR).
Identifier reuse: tag vs typedef.
Identifier reuse: tag vs macro.
Identifier reuse: tag vs component.
Identifier reuse: tag vs enum constant.
Identifier reuse: persistent var vs tag.
Identifier reuse: tag vs procedure.
Identifier reuse: persistent var vs tag.
Identifier reuse: persistent var vs typedef.
Identifier reuse: typedef vs procedure.
Identifier reuse: procedure vs procedure param.
Identifier reuse: persistent var vs label (MR).
Identifier reuse: persist var vs persist var.
Identifier reuse: persistent var vs var.
Identifier reuse: persistent var vs procedure.
Identifier reuse: persistent var vs proc param.
Identifier reuse: procedure vs var.
Identifier reuse: procedure vs label (MR).
Identifier reuse: proc vs macro.
Identifier reuse: proc vs component.
Identifier reuse: proc vs enum constant.
Identifier reuse: persistent var vs macro.
Identifier reuse: persistent var vs component.
39 X Identifier reuse: persistent var vs enum constant.
2-10-6
Required
If an identifier refers to a type, it shall not also
refer to an object or a function in the same scope.
9 X Identifier reuse: tag vs variable.
11 X Identifier reuse: tag vs typedef.
24 X Identifier reuse: typedef vs procedure.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
2-13-1
Required
2-13-2
Required
2-13-3
Required
2-13-4
Required
2-13-5
Required
3-1-1
Required
3-1-2
Required
3-1-3
Required
Only those escape sequences that are defined in
ISO/IEC14882:2003 shall be used.
Octal constants (other than zero) and octal
escape sequences (other than "\0") shall not be
A "U" suffix shall be applied to all octal or
hexadecimal integer literals of unsigned type.
Literal suffixes shall be upper case.
Narrow and wide string literals shall not be
concatenated.
It shall be possible to include any header file in
multiple translation units without violating the One
Functions shall not be declared at block scope.
When an array is declared, its size shall either be
stated explicitly or defined implicitly by
initialization.
176 S Non standard escape sequence in source.
83 S Octal number found.
376 S Use of octal escape sequence.
550 S Unsuffixed hex or octal is unsigned, add U.
252 S Lower case suffix to literal number.
450 S Wide string and string concatenated.
286 S Functions defined in header file.
287 S Variable definition in header file.
296 S Function declared at block scope.
127 S Array has no bounds specified.
36 D Prototype and definition name mismatch.
102 S Function and prototype return inconsistent (MR).
3-2-1
Required
All declarations of an object or function shall have
compatible types.
1 X Declaration types do not match across a system.
62 X
63 X
3-2-2
Required
The One Definition Rule shall not be violated.
3-2-3
Required
A type, object or function that is used in multiple
translation units shall be declared in one and only
one file.
3-2-4
Required
An identifier with external linkage shall have
exactly one definition.
3-3-1
Required
3-3-2
Required
3-4-1
Required
Objects or functions with external linkage shall be
declared in a header file.
If a function has internal linkage then all redeclarations shall include the static storage class
specifier.
An identifier declared to be an object or type shall
be defined in a block that minimizes its visibility.
26 D
34 D
4X
18 X
60 D
110 D
172 S
354 S
26 D
33 D
Function prototype/defn return type mismatch
(MR).
Function prototype/defn param type mismatch
(MR).
Variable should be defined once in only one file.
Procedure name re-used in different files.
Identifier reuse: struct/union tag repeated.
Identifier reuse: typedef vs typedef.
External object should be declared only once.
More than one prototype for same function.
Variable declared multiply.
Extern declaration is not in header file.
Variable should be defined once in only one file.
No real declaration for external variable.
63 D No definition in system for prototyped procedure.
27 D
61 D
354 S
461 S
553 S
575 S
25 D
560 S
Variable should be declared static.
Procedure should be declared static.
Extern declaration is not in header file.
Identifier with ambiguous linkage.
Function and proto should both be static.
Linkage differs from previous declaration.
Scope of variable could be reduced.
Scope of variable could be reduced.
102 S Function and prototype return inconsistent (MR).
3-9-1
Required
The types used for an object, a function return
type, or a function parameter shall be token-fortoken identical in all declarations and redeclarations.
3-9-2
Advisory
typedefs that indicate size and signedness should
be used in place of the basic numerical types.
2 X Ambiguous declaration of variable.
Function prototype/defn return type mismatch
62 X
(MR).
Function prototype/defn param type mismatch
63 X
(MR).
90 S Basic type declaration used.
495 S Typedef name has no size indication.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
3-9-3
Required
4-5-1
Required
4-5-2
Required
4-5-3
Required
4-10-1
Required
4-10-2
Required
5-0-1
5-0-2
5-0-3
5-0-4
Required
The underlying bit representations of floatingpoint values shall not be used.
Expressions with type bool shall not be used as
operands to built-in operators other than the
assignment operator =, the logical operators &&,
||, !, the equality operators == and !=, the unary &
operator, and the conditional operator.
Expressions with type enum shall not be used as
operands to built-in operators other than the
subscript operator [ ], the assignment operator =,
the equality operators == and !=, the unary &
operator, and the relational operators <, <=, >,
>=.
Expressions with type (plain) char and wchar_t
shall not be used as operands to built-in
operators other than the assignment operator =,
the equality operators == and !=, and the unary &
operator.
NULL shall not be used as an integer value.
Literal zero (0) shall not be used as the nullpointer-constant.
The value of an expression shall be the same
under any order of evaluation that the standard
permits.
Advisory
Limited dependence should be placed on C++
operator precedence rules in expressions.
Required
A cvalue expression shall not be implicitly
converted to a different underlying type.
Required
An implicit integral conversion shall not change
the signedness of the underlying type.
345 S
554 S
114 S
136 S
249 S
389 S
506 S
Bit operator with floating point operand.
Cast to an unrelated type.
Expression is not Boolean.
Bit operator with boolean operand.
Shift operator with boolean operand.
Bool value incremented/decremented.
Use of boolean with relational operator.
123 S Use of underlying enum representation value.
329 S Operation not appropriate to plain char.
530 S NULL used in integer context.
531 S Literal zero used in pointer context.
22 D Function has global variable side effects.
35 D Expression has side effects.
72 D Potential side effect problem in expression.
1 Q Call has execution order dependant side effects.
9S
30 S
134 S
49 S
361 S
451 S
452 S
434 S
101 S
104 S
107 S
109 S
331 S
Assignment operation in expression.
Deprecated usage of ++ or -- operators found.
Volatile variable in complex expression.
Logical conjunctions need brackets.
Expression needs brackets.
No cast for widening complex float expression
(MR).
No cast for widening complex int expression
(MR).
Signed/unsigned conversion without cast.
Function return type inconsistent.
Struct field initialisation incorrect.
Type mismatch in ternary expression.
Array subscript is not integral.
Literal value requires a U suffix.
458 S Implicit conversion: actual to formal param (MR).
5-0-5
Required
There shall be no implicit floating-integral
conversions.
101 S
104 S
107 S
109 S
435 S
Function return type inconsistent.
Struct field initialisation incorrect.
Type mismatch in ternary expression.
Array subscript is not integral.
Float/integer conversion without cast.
458 S Implicit conversion: actual to formal param (MR).
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
5-0-6
Required
5-0-7
Required
5-0-8
Required
5-0-9
Required
An implicit integral or floating-point conversion
shall not reduce the size of the underlying type.
There shall be no explicit floating-integral
conversions of a cvalue expression.
An explicit integral or floating-point conversion
shall not increase the size of the underlying type
An explicit integral conversion shall not change
the signedness of the underlying type of a cvalue
101 S Function return type inconsistent.
445 S Narrower float conversion without cast.
446 S Narrower int conversion without cast.
458 S Implicit conversion: actual to formal param (MR).
488 S
441 S
444 S
332 S
333 S
442 S
443 S
Value outside range of underlying type.
Float cast to non-float.
Integral type cast to non-integral.
Widening cast on complex integer expression.
Widening cast on complex float expression.
Signed integral type cast to unsigned.
Unsigned integral type cast to signed.
334 S
No cast when ~ or << applied to small types
(MR).
5-0-10
Required
If the bitwise operators ~ and << are applied to an
operand with an underlying type of unsigned char
or unsigned short, the result shall be immediately
cast to the underlying type of the operand.
5-0-11
Required
The plain char type shall only be used for the
storage and use of character values.
329 S Operation not appropriate to plain char.
433 S Type conversion without cast.
5-0-12
Required
signed char and unsigned char type shall only be
used for the storage and use of numeric values.
433 S Type conversion without cast.
5-0-13
Required
The condition of an if-statement and the condition
of an iteration-statement shall have type bool.
114 S Expression is not Boolean.
5-0-14
Required
5-0-15
Required
5-0-16
Required
5-0-17
Required
5-0-18
Required
5-0-19
Required
5-0-20
Required
5-0-21
Required
The first operand of a conditional-operator shall
have type bool.
Array indexing shall be the only form of pointer
arithmetic.
A pointer operand and any pointer resulting from
pointer arithmetic using that operand shall both
address elements of the same array.
Subtraction between pointers shall only be
applied to pointers that address elements of the
same array.
>, >=, <, <= shall not be applied to objects of
pointer type, except where they point to the same
array.
The declaration of objects shall contain no more
than two levels of pointer indirection.
Non-constant operands to a binary bitwise
operator shall have the same underlying type.
Bitwise operators shall only be applied to
operands of unsigned underlying type.
114 S Expression is not Boolean.
436 S
567 S
47 S
436 S
692 S
64 X
68 X
69 X
72 X
Declaration does not specify an array.
Pointer arithmetic is not on array.
Array bound exceeded.
Declaration does not specify an array.
Array index is negative.
Array bound exceeded at call.
Parameter indexing array too big at call.
Global array bound exceeded at use.
Parameter indexing array too small at call.
438 S Pointer subtraction not addressing one array.
437 S < > <= >= used on different object pointers.
80 S Pointer indirection exceeds 2 levels.
535 S Binary bitwise op with different types.
50 S Use of shift operator on signed type.
120 S Use of bit operator on signed type.
345 S Bit operator with floating point operand.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
5-2-1
Required
5-2-2
Required
5-2-3
Advisory
5-2-4
Required
5-2-5
Required
5-2-6
Required
5-2-7
Required
5-2-8
Required
5-2-9
Advisory
5-2-10
Advisory
5-2-11
Required
5-2-12
Required
5-3-1
Required
5-3-2
Required
5-3-3
Required
5-3-4
Required
5-8-1
Required
5-14-1
Required
5-17-1
Required
5-18-1
Required
5-19-1
Advisory
6-2-1
Required
6-2-2
Required
Each operand of a logical && or || shall be a
postfix-expression.
A pointer to a virtual base class shall only be cast
to a pointer to a derived class by means of
dynamic_cast.
Casts from a base class to a derived class should
not be performed on polymorphic types.
C-style casts (other than void casts) and
functional notation casts (other than explicit
constructor calls) shall not be used.
A cast shall not remove any const or volatile
qualification from the type of a pointer or
reference.
A cast shall not convert a pointer to a function to
any other pointer type, including a pointer to
An object with pointer type shall not be converted
to an unrelated pointer type, either directly or
indirectly.
An object with integer type or pointer to void type
shall not be converted to an object with pointer
A cast should not convert a pointer type to an
integral type.
The increment (++) and decrement (--) operators
should not be mixed with other operators in an
expression.
The comma operator, && operator and the ||
operator shall not be overloaded.
An identifier with array type passed as a function
argument shall not decay to a pointer.
Each operand of the ! operator, the logical && or
the logical || operators shall have type bool.
The unary minus operator shall not be applied to
an expression whose underlying type is unsigned.
The unary & operator shall not be overloaded.
Evaluation of the operand to the sizeof operator
shall not contain side effects.
The right hand operand of a shift operator shall lie
between zero and one less than the width in bits
The right hand operand of a logical && or ||
operator shall not contain side effects.
The semantic equivalence between a binary
operator and its assignment operator form shall
be preserved.
The comma operator shall not be used.
Evaluation of constant unsigned integer
expressions should not lead to wrap-around.
Assignment operators shall not be used in subexpressions.
Floating-point expressions shall not be directly or
indirectly tested for equality or inequality.
49 S Logical conjunctions need brackets.
448 S Base class pointer cast to derived class.
551 S Cast from base to derived for polymorphic type.
306 S Use of C type cast.
203 S
242 S
344 S
576 S
606 S
Cast on a constant value.
Use of const_cast.
Cast on volatile value.
Function pointer is of wrong type.
Cast involving function pointer.
554 S Cast to an unrelated type.
440 S Cast from integral type to pointer.
540 S Cast from pointer to void to pointer.
439 S Cast from pointer to integral type.
30 S Deprecated usage of ++ or -- operators found.
211 S Overloaded &&, || or comma.
459 S Array passed as actual parameter.
534 S Array has decayed to pointer.
114 S Expression is not Boolean.
52 S Unsigned expression negated.
508 S Operator & overloaded.
54 S Sizeof operator with side effects.
51 S Shifting value too far.
403 S Negative (or potentially negative) shift.
35 D Expression has side effects.
1 Q Call has execution order dependant side effects.
406 S Use of ++ or -- on RHS of && or || operator.
408 S Volatile variable accessed on RHS of && or ||.
53 S Use of comma operator.
493 S Numeric overflow.
9 S Assignment operation in expression.
132 S Assignment operator in boolean expression.
56 S Equality comparison of floating point.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
6-2-3
Required
6-3-1
Required
6-4-1
Required
6-4-2
Required
6-4-3
Required
6-4-4
Required
6-4-5
Required
6-4-6
Required
6-4-7
Required
6-4-8
Required
6-5-1
Required
6-5-2
Required
6-5-3
Required
6-5-4
Required
6-5-5
Required
6-5-6
Required
6-6-1
Required
6-6-2
Required
6-6-3
Required
6-6-4
Required
6-6-5
Required
Before preprocessing, a null statement shall only
occur on a line by itself; it may be followed by a
comment, provided that the first character
following the null statement is a white-space
character.
The statement forming the body of a switch,
while, do...while or for statement shall be a
An if ( condition ) construct shall be followed by a
compound statement. The else keyword shall be
followed by either a compound statement, or
another if statement.
All if ... else if constructs shall be terminated with
an else clause.
A switch statement shall be a well-formed switch
statement.
A switch-label shall only be used when the most
closely-enclosing compound statement is the
body of a switch statement.
An unconditional throw or break statement shall
terminate every non-empty switch-clause.
The final clause of a switch statement shall be the
default-clause.
The condition of a switch statement shall not have
bool type.
Every switch statement shall have at least one
case-clause.
A for loop shall contain a single loop-counter
which shall not have floating type.
If loop-counter is not modified by -- or ++, then,
within condition, the loop-counter shall only be
used as an operand to <=, <, > or >=.
The loop-counter shall not be modified within
condition or statement.
The loop-counter shall be modified by one of: --,
++, -=n, or +=n; where n remains constant for the
duration of the loop.
A loop-control-variable other than the loopcounter shall not be modified within condition or
expression.
A loop-control-variable other than the loopcounter which is modified in statement shall have
Any label referenced by a goto statement shall be
declared in the same block, or in a block
The goto statement shall jump to a label declared
later in the same function body.
The continue statement shall only be used within
a well-formed for loop.
For any iteration statement there shall be no more
than one break or goto statement used for loop
termination.
A function shall have a single point of exit at the
end of the function.
58 S Null statement found.
11 S No brackets to loop body (added by Testbed).
428 S No {} for switch (added by Testbed).
12 S No brackets to then/else (added by Testbed).
59 S
477 S
323 S
385 S
Else alternative missing in if.
Empty else clause following else if.
Switch has more than one default case.
MISRA switch statement syntax violation.
245 S Case statement in nested block.
62 S Switch case not terminated with break.
48 S No default case in switch statement.
322 S Default is not last case of switch.
410 S Switch empty default has no comment (MR).
121 S Use of boolean expression in switch.
60 S
61 S
39 S
542 S
Empty switch statement.
Switch contains default only.
Unsuitable type for loop variable.
Extra loop control variable is not bool.
510 S Loop counter increment and operator defect.
55 D Modification of loop counter in loop body.
73 D Predicate variable modified in condition.
271 S For loop incrementation is not simple.
537 S Extra loop control variable changed.
66 D
542 S
1J
511 S
Non boolean control variable modified in loop.
Extra loop control variable is not bool.
Unreachable Code found.
Jump into nested block.
509 S goto label is backwards.
32 S Use of continue statement.
65 X continue in ill-formed loop (MR).
409 S More than one break or goto statement in loop.
7 C Procedure has more than one exit point.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
7-1-1
Required
7-1-2
Required
7-2-1
Required
7-3-1
Required
7-3-2
Required
7-3-3
Required
7-3-4
Required
7-3-5
Required
7-3-6
Required
7-4-1
Document
7-4-2
Required
7-4-3
Required
7-5-1
Required
7-5-2
Required
7-5-3
Required
7-5-4
Advisory
8-0-1
Required
8-3-1
Required
8-4-1
Required
8-4-2
Required
A variable which is not modified shall be const
qualified.
A pointer or reference parameter in a function
shall be declared as pointer to const or reference
to const if the corresponding object is not
modified.
An expression with enum underlying type shall
only have values corresponding to the
enumerators of the enumeration.
The global namespace shall only contain main,
namespace declarations and extern "C"
declarations.
The identifier main shall not be used for a
function other than the global function main.
There shall be no unnamed namespaces in
header files.
using-directives shall not be used.
Multiple declarations for an identifier in the same
namespace shall not straddle a using-declaration
for that identifier.
using-directives and using-declarations
(excluding class scope or function scope usingdeclarations) shall not be used in header files.
All usage of assembler shall be documented.
Assembler instructions shall only be introduced
using the asm declaration.
Assembly language shall be encapsulated and
isolated.
A function shall not return a reference or a pointer
to an automatic variable (including parameters),
The address of an object with automatic storage
shall not be assigned to another object that may
persist after the first object has ceased to exist.
A function shall not return a reference or a pointer
to a parameter that is passed by reference or
const reference.
Functions should not call themselves, either
directly or indirectly.
An init-declarator-list or a member-declarator-list
shall consist of a single init-declarator or memberdeclarator respectively.
Parameters in an overriding virtual function shall
either use the same default arguments as the
function they override, or else shall not specify
any default arguments.
Functions shall not be defined using the ellipsis
notation.
The identifiers used for the parameters in a redeclaration of a function shall be identical to
those in the declaration.
59 D
78 D
93 D
119 D
603 S
Parameter should be declared const.
Global variable should be declared const.
Local variable should be declared const.
Pointer param should be declared const pointer.
Parameter should be declared * const.
120 D
Pointer param should be declared pointer to
const.
411 S Inappropriate value assigned to enum.
517 S At least one declaration in global namespace.
362 S main program in a namespace.
512 S Use of unnamed namespace.
513 S Use of using directive.
518 S Using declaration is straddled by declarations.
514 S Using directive or declaration in header.
17 S Code insert found.
516 S Assembler does not use asm declaration.
88 S Procedure is not pure assembler.
42 D
564 S
77 D
71 S
565 S
Local pointer returned in function result.
Reference assignment to wider scope.
Local structure returned in function result.
Pointer assignment to wider scope.
Assignment to wider scope.
519 S Return of reference parameter.
6 D Recursion in procedure calls found.
1 U Inter-file recursion found.
515 S More than one variable in declaration (MR).
364 S Inherited default parameter redefined.
41 S Ellipsis used in procedure parameter list.
36 D Prototype and definition name mismatch.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
All exit paths from a function with non-void return
type shall have an explicit return statement with
an expression.
A function identifier shall either be used to call the
function or it shall be preceded by & .
2 D Function does not return a value on all paths.
36 S Function has no return statement.
66 S Function with empty return expression.
8-4-3
Required
8-4-4
Required
8-5-1
Required
All variables shall have a defined value before
they are used.
8-5-2
Required
Braces shall be used to indicate and match the
structure in the non-zero initialization of arrays
8-5-3
Required
In an enumerator list, the = construct shall not be
used to explicitly initialize members other than the
first, unless all items are explicitly initialized.
9-3-1
Required
9-3-2
Required
9-3-3
Required
9-5-1
Required
9-6-1
Document
9-6-2
Required
9-6-3
Required
Bit-fields shall not have enum type.
9-6-4
Required
Named bit-fields with signed integer type shall
have a length of more than one bit.
10-1-1
Advisory
Classes should not be derived from virtual bases.
10-1-2
Required
10-1-3
Required
10-2-1
Advisory
10-3-1
Required
10-3-2
Required
10-3-3
Required
11-0-1
Required
12-1-1
Required
An object's dynamic type shall not be used from
the body of its constructor or destructor.
92 D C'tor/d'tor calls virtual function.
467 S Virtual member called in ctor/dtor.
561 S Use of dynamic type in c'tor/d'tor.
12-1-2
Advisory
All constructors of a class should explicitly call a
constructor for all of its immediate base classes
and all virtual base classes.
528 S
const member functions shall not return nonconst pointers or references to class-data.
Member functions shall not return non-const
handles to class-data.
If a member function can be made static then it
shall be made static, otherwise if it can be made
Unions shall not be used.
When the absolute positioning of bits
representing a bit-field is required, then the
Bit-fields shall be either bool type or an explicitly
unsigned or signed integral type.
A base class shall only be declared virtual if it is
used in a diamond hierarchy.
An accessible base class shall not be both virtual
and non-virtual in the same hierarchy.
All accessible entity names within a multiple
inheritance hierarchy should be unique.
There shall be no more than one definition of
each virtual function on each path through the
inheritance hierarchy.
Each overriding virtual function shall be declared
with the virtual keyword.
A virtual function shall only be overridden by a
pure virtual function if it is itself declared as pure
virtual.
Member data in non-POD class types shall be
private.
99 S Function use is not a call.
53 D
69 D
631 S
105 S
397 S
Attempt to use uninitialised pointer.
UR anomaly, variable used before assignment.
Declaration not reachable.
Initialisation brace { } fault.
Array initialisation has insufficient items.
85 S Incomplete initialisation of enumerator.
392 S Class data accessible thru non const member.
671 S Class data accessible thru non const handle.
46 D
79 D
74 S
42 S
328 S
Member function may be declared const.
Member function may be declared static.
Union declared.
Use of bit field in structure declaration.
Non bit field member in bitfield struct.
520 S Bit field is not bool or explicit integral.
520 S Bit field is not bool or explicit integral.
536 S Enum type in bit field.
72 S Signed bit field less than 2 bits wide.
521 S Class derived from virtual base class.
543 S Virtual base not in diamond hierarchy.
357 S Base class is mixed virtual and non virtual.
555 S Base class member name not unique.
559 S Virtual member defined more than once.
214 S Member not declared virtual.
544 S Member re-declared pure.
202 S Class data is not explicitly private.
Base class constructor omitted (added by
Testbed).
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
12-1-3
Required
12-8-1
Required
12-8-2
Required
All constructors that are callable with a single
argument of fundamental type shall be declared
explicit.
A copy constructor shall only initialize its base
classes and the non-static members of the class
of which it is a member.
The copy assignment operator shall be declared
protected or private in an abstract class.
393 S Single parameter constructor not 'explicit'.
529 S Static member initialised/assigned in constructor.
522 S Public assign operator in abstract class.
14-7-2
Required
14-7-3
Required
14-8-1
Required
14-8-2
Advisory
15-0-1
Document
A non-member generic function shall only be
declared in a namespace that is not an
associated namespace.
A copy constructor shall be declared when there
is a template constructor with a single parameter
that is a generic parameter.
A copy assignment operator shall be declared
when there is a template assignment operator
with a parameter that is a generic parameter.
In a class template with a dependent base, any
name that may be found in that dependent base
shall be referred to using a qualified-id or this->
The function chosen by overload resolution shall
resolve to a function declared previously in the
translation unit.
All class templates, function templates, class
template member functions and class template
static members shall be instantiated at least
once.
For any given template specialization, an explicit
instantiation of the template with the templatearguments used in the specialization shall not
render the program ill-formed.
All partial and explicit specializations for a
template shall be declared in the same file as the
declaration of their primary template.
Overloaded function templates shall not be
explicitly specialized.
The viable function set for a function call should
either contain no function specializations, or only
contain function specializations.
Exceptions shall only be used for error handling.
15-0-2
Advisory
An exception object should not have pointer type.
523 S Exception type is pointer.
15-0-3
Required
Control shall not be transferred into a try or catch
block using a goto or a switch statement.
524 S Jump into try or catch statement.
15-1-1
Required
The assignment-expression of a throw statement
shall not itself cause an exception to be thrown.
557 S Function call can generate throw exception.
15-1-2
Required
15-1-3
Required
15-3-1
Required
14-5-1
Required
14-5-2
Required
14-5-3
Required
14-6-1
Required
14-6-2
Required
14-7-1
Required
NULL shall not be thrown explicitly.
An empty throw (throw;) shall only be used in the
compound-statement of a catch handler.
Exceptions shall be raised only after start-up and
before termination of the program.
532 S No copy ctor for templated copy ctor.
533 S No assgnmt optor for templated assgmnt op.
547 S Base member not qualified.
546 S Overload resolution could be forward.
76 D
Procedure is not called or referenced in code
analysed.
538 S Template class/function/member not instantiated.
558 S Template may lead to ill-formed program.
539 S Specialised overloaded templated function.
525 S throw with explicit NULL.
526 S Empty throw is not in catch statement.
557 S Function call can generate throw exception.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
15-3-2
Advisory
15-3-3
Required
15-3-4
Required
15-3-5
Required
15-3-6
Required
15-3-7
Required
15-4-1
Required
15-5-1
Required
There should be at least one exception handler to
catch all otherwise unhandled exceptions
Handlers of a function-try-block implementation of
a class constructor or destructor shall not
reference non-static members from this class or
its bases.
Each exception explicitly thrown in the code shall
have a handler of a compatible type in all call
A class type exception shall always be caught by
reference.
Where multiple handlers are provided in a single
try-catch statement or function-try-block for a
derived class and some or all of its bases, the
handlers shall be ordered most-derived to base
class.
Where multiple handlers are provided in a single
try-catch statement or function-try-block, any
ellipsis (catch-all) handler shall occur last.
If a function is declared with an exceptionspecification, then all declarations of the same
function (in other translation units) shall be
declared with the same set of type-ids.
A class destructor shall not exit with an exception.
Where a function's declaration includes an
exception-specification, the function shall only be
capable of throwing exceptions of the indicated
type(s).
The terminate() function shall not be called
implicitly.
#include directives in a file shall only be preceded
by other preprocessor directives or comments.
Macros shall only be #define'd or #undef'd in the
global namespace.
15-5-2
Required
15-5-3
Required
16-0-1
Required
16-0-2
Required
16-0-3
Required
#undef shall not be used.
16-0-4
Required
16-0-5
Required
16-0-6
Required
16-0-7
Required
16-0-8
Required
Function-like macros shall not be defined.
Arguments to a function-like macro shall not
contain tokens that look like preprocessing
directives.
In the definition of a function-like macro, each
instance of a parameter shall be enclosed in
parentheses, unless it is used as the operand of #
or ##.
Undefined macro identifiers shall not be used in
#if or #elif preprocessor directives, except as
operands to the defined operator.
If the # token appears as the first token on a line,
then it shall be immediately followed by a
preprocessing token.
The defined preprocessor operator shall only be
used in one of the two standard forms.
All #else, #elif and #endif preprocessor directives
shall reside in the same file as the #if or #ifdef
16-1-1
Required
16-1-2
Required
527 S No master exception handler.
549 S Catch in c'tor/d'tor references nonstatic member.
56 D Throw found with no catch in scope.
71 D No matching catch for throw in called function.
455 S Catch is not by reference.
556 S Wrong order of catches for derived class.
541 S Catch-all is not last catch.
453 S Throw found in destructor.
75 S
338 S
67 S
426 S
68 S
426 S
340 S
Executable code before an included file.
#include preceded by non preproc directives.
#define used in a block.
#undef used in a block.
#undef used.
#undef used in a block.
Use of function like macro.
341 S Preprocessor construct as macro parameter.
78 S Macro parameter not in brackets.
337 S Undefined macro variable in #if.
147 S Spurious characters after preprocessor directive.
342 S
335 S
336 S
126 S
343 S
Extra chars after preprocessor directive.
Operator defined contains illegal items.
#if expansion contains define operator.
A #if has no #endif in the same file.
#else has no #if, etc in the same file.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
16-2-1
Required
16-2-2
Required
16-2-3
Required
16-2-4
Required
16-2-5
Advisory
16-2-6
Required
16-3-1
Required
16-3-2
Advisory
16-6-1
Document
17-0-1
Required
17-0-2
Required
17-0-3
Required
17-0-4
Document
17-0-5
Required
18-0-1
Required
18-0-2
Required
18-0-3
Required
18-0-4
Required
18-0-5
Required
18-2-1
Required
18-4-1
Required
18-7-1
Required
19-3-1
Required
27-0-1
Required
The pre-processor shall only be used for file
inclusion and include guards.
C++ macros shall only be used for include
guards, type qualifiers, or storage class
specifiers.
Include guards shall be provided.
The ', ", /* or // characters shall not occur in a
header file name.
The \ character should not occur in a header file
name.
The #include directive shall be followed by either
a <filename> or "filename" sequence.
255 S
272 S
273 S
307 S
340 S
Found #if, #ifdef, #else, #elif .
Found #ifndef (ref. removed).
Found #define.
Use of #line, #error preprocessor directives.
Use of function like macro.
79 S Macro contains unacceptable items.
243 S Included file not protected with #define.
100 S #include filename is non conformant.
100 S
339 S
292 S
339 S
427 S
#include filename is non conformant.
#include directive with illegal items.
No space between #include and filename.
#include directive with illegal items.
Filename in #include not in < > or " ".
There shall be at most one occurrence of the # or
## operators in a single macro definition.
The # and ## operators should not be used.
All uses of the #pragma directive shall be
documented.
125 S Use of ## or # in a macro.
Reserved identifiers, macros and functions in the
standard library shall not be defined, redefined or
undefined.
44 S
68 S
86 S
156 S
219 S
The names of standard library macros and
objects shall not be reused.
The names of standard library functions shall not
be overridden.
All library code shall conform to MISRA C++.
The setjmp macro and the longjmp function shall
not be used.
The C library shall not be used.
The library functions atof, atoi and atol from
library <cstdlib> shall not be used.
The library functions abort, exit, getenv and
system from library <cstdlib> shall not be used.
The time handling functions of library <ctime>
shall not be used.
The unbounded functions of library <cstring>
shall not be used.
The macro offsetof shall not be used.
Dynamic heap memory allocation shall not be
used.
The signal handling facilities of <csignal> shall
not be used.
The error indicator errno shall not be used.
The stream input/output library <cstdio> shall not
be used.
76 S More than one of # or ## in a macro.
69 S #pragma used.
Use of banned function, type or variable.
#undef used.
Attempt to define reserved word.
Use of 'defined' keyword in macro body.
User name starts with underscore.
218 S Name is used in standard libraries.
218 S Name is used in standard libraries.
43 S Use of setjmp/longjmp.
130 S Included file is not permitted.
44 S Use of banned function, type or variable.
122 S Use of abort, exit, etc.
130 S Included file is not permitted.
130 S Included file is not permitted.
44 S Use of banned function, type or variable.
44 S Use of banned function, type or variable.
130 S Included file is not permitted.
44 S Use of banned function, type or variable.
130 S Included file is not permitted.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.
Version 10.0.3 Copyright © 2022 LDRA Ltd.
Copies of this document are not to be made or distributed.
General Compliance Notes
Enhanced Enforcement: LDRA checks additional cases to those specified by the mapped rule for enhanced safety and security.
Fully Implemented: LDRA checks all statically checkable aspects of the mapped rule.
Partially Implemented: LDRA checks certain aspects of the rule.
The assessment of whether a rule is fully or partially implemented is based on whether the mapped LDRA standards cover all statically checkable aspects of the rule with a high level of
coverage or only cover certain statically checkable aspects of the rule. If a rule is undecidable then this assessment is based on what it is deemed reasonable for a static analysis tool to
check.
LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice.
The document was deemed correct at time of distribution.