MISRA Discussion Forums

Welcome, Guest

You have to register before you can post on our site.

MISRA C++ 2008 Rule 6-1-1 Clarification

Posted by: mshawa - 27-05-2025, 08:10 PM - Forum: 6.6 Statements (C++) - No Replies

Given the headline text of MISRA C++ 2008 Rule 6-1-1, MISRA C++ 2023 Rule 9.6.2 seems to be the equivalent rule in this case. MISRA C++ 2023 Rule 9.6.2 includes the following non-compliant example:

Code:
switch(i)

{

    case 0:

      if(x < y)

        goto L3;            // Non-compliant

      break;

    case 1:

    L3:

      break;

}

This example seems to echo an amplification made in the MISRA C 2012 Rule 15.3 (that has the same headline text as MISRA C++ 2008 Rule 6-1-1), which states:

Quote:For the purposes of this rule, a switch-clause that does not consist of a compound statement is treated as if it were a block.

It would be greatly appreciated if you could clarify whether the above example was also intended to violate MISRA C++ Rule 6-1-1.

11.9 and function calls and returned pointers

Posted by: danielmarjamaki2 - 26-05-2025, 07:22 AM - Forum: 8.11 Pointer type conversions - No Replies

Could you please clarify to me if this violates 11.9:

Code:
int* f1(void) {

    return 0;  // 11.9 ?

}

And does this violate 11.9:

Code:
void f2(int* ptr);

void f3(void) {

    f2(0);

}

Do you consider returns and function calls to be "assignments" otherwise it seems to me that the Amplification says these are compliant?

The last example in the PDF does suggest that function calls should be considered to be "assignments" however there is no non-compliant example code that I can rely on.

Thank you

9.4.2 - Requirement about the default clause

Posted by: cgpzs - 20-05-2025, 10:03 AM - Forum: 4.9 Statements - No Replies

Hi,

Rule 9.4.2 requires every switch statement to have a default clause, to match handling of if/else. However, unlike an if/else statement, this has a very serious implication: it prevents the compiler from warning about explicitly unhandled enumerators:

Code:
enum class Enum

{

  A,

  B,

  C  // newly added

};

// some client code, far away from the Enum declaration

int process(Enum e)

{

  switch(e)

  {

    case Enum::A: { return 123; }

    case Enum::B: { return 321; }

    // Oops, client code does not realize they should handle Enum::C, compiler didn't warn!

    default: { return 0; }

  }

}

One could put a runtime assertion in the `default` clause, but it only shifts the problem to the right. A problem that would have been caught at compile time can now only be caught at runtime. We should catch as many defects as possible at compile time.

One can also enable -Wswitch-enum, but this is not always desirable. Sometimes one explicitly wants the switch to be non-exhaustive, and can express that via the "default" clause. With the warning, one needs to introduce non-compliant inline suppressions with compiler-specific pragmas. Or one must explicitly list all the unwanted labels and fall-through the default case, polluting the code with non-interesting code paths.

Here we are balancing two risks:

1. The risk of not handling a valid enumerator (as above).
2. The risk of not handling an non-enumerator int casted into an Enum (as per the Rationale), in the spirit of defensive programming.

Questions: has Risk 1 been considered by MISRA? Is there evidence suggesting that Risk 2 is more likely to happen than Risk 1, and we should therefore prioritize it instead?

Thanks!

21.2.2 Why shall std::strerror not be used?

Posted by: cgpzs - 13-05-2025, 06:26 PM - Forum: 4.21 Language support library - Replies (2)

The rationale of the rule says:

> Also, some string handling functions only report errors through the use of errno

But that't not the case for std:: strerror, it does not report any errors through errno, nor is it possible for it to "read beyond the bounds of an object passed as a parameter", so it's perfectly safe to use it.

An alternative is to use std::make_error_condition(static_cast<std::errc>(errno)).message(), but it seems like overkill just to achieve the same thing, making the code far less readable.

It's also worth noting that MISRA does not ban the usage of errno (besides the restriction from 22.4.1), which is required for using POSIX functions that don't have any equivalent in the Standard Library.

Would you agree?

Rule 7.0.5, example non-compliant with 7.0.6?

Posted by: cgpzs - 17-04-2025, 12:10 PM - Forum: 4.7 Standard conversions - Replies (2)

Rule 7.0.5 presents this example:

Code:
u8a += static_cast< uint32_t >( u8b ) // Compliant - u8a -> unsigned int

Yes, compliant with 7.0.5. But this code then violates 7.0.6, since there is an implicit narrowing conversion from uint32_t to uint8_t in the assignment, right?

Code:
u8a = (uint32_t)(u8a) + (uint32_t)(u8b);

So, how are we supposed to write this type of code? Like this?

Code:
u8a = static_cast<std::uint8_t>(static_cast<std::uint32_t>(u8a) + static_cast<std::uint32_t>(u8b));

Does that really make the code safer?

Rule 9.3.1 - iteration statement followed by 'try'

Posted by: mstaron - 28-03-2025, 06:19 AM - Forum: 4.9 Statements - Replies (1)

It is possible to add the 'try' statement directly after 'while', for example:

class Exception{};
void f(int i)
{
while(i) try { // Non-compliant
//...
} catch(Exception e){
}
}

I think this is non-compliant with the Rule 9.3.1, because 'try' is not a compound statement. However, accordingly to the standard 'try' should be always followed by a compound statement if it is inside a function. This code seems to be clear, so maybe this case could be added as an exception in the future versions of MISRA C++ standard.

16.6.1 clarification

Posted by: cgpzs - 26-03-2025, 02:36 PM - Forum: 4.16 Overloading - Replies (2)

Hi,

Rule 16.6.1 marks this example as non-compliant:

Code:
C operator+( int32_t rhs ) const;  // Non-compliant

However it does not provide a compliant alternative. It's unclear if rule 16.6.1 wants us to:

a) Duplicate the function and create 2 versions for each order of the parameters, in order to guarantee symmetry (even if it may not be useful for the user, potentially being dead code):

Code:
C operator+(C       lhs, int32_t rhs );

C operator+(int32_t lhs, C       rhs );

b) Implement only 1 overload, but as a non-member function. This still does not solve the problem of "operator+ must be symmetrical", i.e that "1 + c" and "c + 1" must be supported.

Code:
friend C operator+(C lhs, int32_t rhs );

Could you clarify?

Thanks!

Rule 8.2.8 - why aren't aliases allowed?

Posted by: cgpzs - 18-03-2025, 01:19 PM - Forum: 4.8 Expressions - Replies (1)

The rule provides this example as Non-Compliant:

Code:
    using hashPtr_t = std::uintptr_t;

    auto p2 = reinterpret_cast< hashPtr_t >( s );  // Non-compliant

However, there's nowhere in the Rule Text, Rationale or Amplification that explains why aliases are not allowed. Can you clarify?

Aliases are good for removing code duplication and ensuring the correct type is used in all contexts where it's needed; having to remove the alias and spell std::uintptr_t everywhere hurts code readability and maintainability, without any clear benefit.

Static analyzers can easily detect the usage of std::uintptr_t even if it's behind an alias.

Typo in Appendix C of MISRA C:2023

Posted by: Yordan Naydenov - 17-03-2025, 02:58 PM - Forum: 8.10 The essential type model - Replies (1)

Appendix C (C.1.1, p. 270 (hard copy) / p. 271 (pdf)*) of MISRA C:2023 (3rd Edn, 2nd Rev., April 2023) reads:
"... as the examples below show (si and ui are 32-bit signed and unsigned integers and u8 is an 8-bit unsigned char):"

However, there is a lack of correspondence between the above-introduced unsigned char object identifier of u8 and the naming of an operand of unsigned char type in the table that follows immediately (viz. uc, columns Expression and Notes). On page 273(274) (C.2.4, a distinct sub-section of the Appendix) such an unsigned char object of similar name is indeed used (u8a), in line with the exemplary non-specific object names used in code fragments throughout the Guidelines' body of text (the naming convention introduced on p. 14).

For the sake of ease of visually perceiving the types involved in the expressions and following through the implicit conversions they undergo, it is a good decision that concise, plain names such as si, ui, and uc are used, instead of operand identifiers cluttered with numeric characters (as would be in s32(i32), u32 and u8).

Apparently, this lack of correspondence between the operand names in the table and their prior introduction in the text is inherited from the previous versions of the Guidelines (MISRA C:2012 – 3rd Edn, March 2013; 3rd Edn, 1st Rev., February 2019). Never corrected by subsequent Technical Corrigenda or Amendments to those. It is now present in MISRA C:2025 as well.

Please, consider appending the erratum, reported in this separate forum thread†, to the dedicated MISRA C Errata list maintained on the MISRA website, to keep it up-to-date and indeed a readily available single source of reference for all misprints found in MISRA C:2023, 3rd Edn, 2nd Rev.

_____

(*) Note that the text starts to disagree with the page numbering of the two documents (the electronic one and the hard copy) beginning from p. 229 onwards! This does not make favour to coherently referencing parts of the Guidelines and may lead to confusion and misunderstanding.

(†) This thread is considered the most relevant one as Appendix C is referenced mostly in there, and as there are no dedicated threads specifically aimed at the appendices, or some other general means for reporting typographical and other errors.

A3-3-2 Contradictory examples?

Posted by: cgpzs - 17-03-2025, 09:58 AM - Forum: AUTOSAR C++:2014 rules - Replies (2)

In Rule A3-3-2, there's an example with "class A" which has a non-constexpr, user-defined constructor.

On line 31, we have a compliant example:

Code:
A instance{}; // Compliant - constant (value) initialization

However, on line 37 it's no longer compliant:

Code:
static A a{}; // Non-compliant - A’s default c’tor is not constexpr

There seems to be a contradiction here. Either the code is doing value initialization, or it's calling a constructor, but not both. Which one is it?

In other words, it seems like both examples are doing the same thing, so both should either be compliant or non-compliant. Would you agree?

Pages (102): 1 2 3 4 5 … 102 Next »

Search Forums

(Advanced Search)

Forum Statistics

» Members: 6,218
» Latest member: usorbo
» Forum threads: 1,021
» Forum posts: 2,809

Full Statistics

Online Users

There are currently 183 online users.
» 0 Member(s) | 180 Guest(s)
Bing, Google, UptimeRobot

Latest Threads

MISRA C++ 2008 Rule 6-1-1...
Forum: 6.6 Statements (C++)
Last Post: mshawa
27-05-2025, 08:10 PM
» Replies: 0
» Views: 107

11.9 and function calls a...
Forum: 8.11 Pointer type conversions
Last Post: danielmarjamaki2
26-05-2025, 07:22 AM
» Replies: 0
» Views: 125

9.4.2 - Requirement about...
Forum: 4.9 Statements
Last Post: cgpzs
20-05-2025, 10:03 AM
» Replies: 0
» Views: 131

21.2.2 Why shall std::str...
Forum: 4.21 Language support library
Last Post: cgpzs
20-05-2025, 09:45 AM
» Replies: 2
» Views: 322

Rule 7.0.5, example non-c...
Forum: 4.7 Standard conversions
Last Post: cgpzs
20-05-2025, 09:30 AM
» Replies: 2
» Views: 443

About MISRA-C 2023 Permit
Forum: General Questions
Last Post: cgpzs
19-05-2025, 01:06 PM
» Replies: 2
» Views: 1,068

MISRA 2023 Test Suite
Forum: General Questions
Last Post: misra-c
08-05-2025, 08:35 AM
» Replies: 1
» Views: 970

Roadmap to c23 support
Forum: General Questions
Last Post: misra-c
08-05-2025, 08:34 AM
» Replies: 1
» Views: 412

Typo in Appendix C of MIS...
Forum: 8.10 The essential type model
Last Post: misra-c
08-05-2025, 08:21 AM
» Replies: 1
» Views: 351

A3-3-2 Contradictory exam...
Forum: AUTOSAR C++:2014 rules
Last Post: cgpzs
31-03-2025, 09:30 AM
» Replies: 2
» Views: 532

Login
Username:
Password:
	Remember me Lost Password?

Welcome to the MISRA discussion forum