Welcome to the MISRA discussion forum

We are using an ARM development suite where standard libraries are provided with the tool suite. Looking at the MISRA rules, I found quite a few which prohibit using such and such function (atoi, etc...). Which means that implicitly, the other functions can be used.
However, rule 3.6 requires that all libraries (including the ones provided with the compiler) be "subjected to appropriate validation".
Could you expand on what this means in regards to standard libraries? Do we need to require the vendor to certify he is MISRA compliant? If not possible, does this means we have to write our own version, so that we are sure it is compliant?
Thanks
Michel Campmas
Cypress Semiconductor

//Example 1:

struct xyz {
unsigned char bit:1;
}abc={0} ; // Is this assignment to bit-field is compliant to MISRA rule10.1 and Why?

TC1 introduced the concept of rule 15.0.
However it does not explicitly state if this rule is "Required" or "Advisory"
Is rule 15.0 "required" or "advisory"?

The code in the normative text of rule 16.9 is:

In rule 14.10 (all if..... else if constructs shall be terminated with an else clause":

is the /* no else needed */ comment on the single if block with no else a suggestion for use in code, where seems useful?

I am aware that Simulink already has Model Advisor rules for checking against the MAAB guidelines ... as well as MISRA-C, IEC 61508 and DO-178B.

Does anyone know if The Mathworks plan to introduce similar rule checking for this guideline document? (or others)
... and if so, would they be linked to any particular tool license?

Would there be any plan for MISRA to be involved in their formulation? ... or any kind of formal or informal 'approval' process of them?

This rule seems to be commonly deviated from by most people I have spoken to. I have given it thought, but I still cannot understand how it would lead to more secure programs.

The only argument provided by MISRA for this rule is that “the type of an integer constant is a potential source of confusion”. Yes it is confusing, but only from a theoretical point-of-view, namely when you are determining what implicit type conversions that are done on the integer constant. That is, during a "scratch your head while learning C" session. During actual programming, you don't need to think about this.

I can't come up with one single scenario where leaving out the “U” suffix will lead to bugs or unintended behavior. Can anyone make such an example? If one integer in the operation is signed and the other is unsigned, and they are both of the same size, the "usual arithmetic conversions" will make sure both are unsigned. Consider the following example:

result = -1 - 10;

In this example, the type of -1 is "signed int" and the type of 10 is "int". If "int" is treated as signed by the compiler, there will not be any problems as both operands are then signed.
If "int" is treated as unsigned, then the operand -1 will be converted to unsigned, that is, to the value 65535 (assuming 16-bit system). The result of the expression will then be 655535 - 10 = 65525, which may not be the result the programmer expected. However, this will not lead to a bug! Because we aren't done with that line.

If "result" is of signed type, then the result 65525 will be converted to signed during the assignment, making it -11, which is the expected result.
If "result" is of unsigned type, the code does not make sense. If you try to stuff signed constants into a unsigned variable, no U suffix will save you.

MISRA fails to name a case where the lack of a “U” suffix would cause bugs. Integer constants are by their nature constant, and therefore deterministic. ISO C ensures that they are of the right size and signedness. It all boils down to what type the result is stored inside. If the type of the expression happens to be of different type than the variable, an implicit typecast will be done upon assignment to correct this.

Rule 10.6 also states that the implemented sizes of integer types is a reason why the U suffix should be used. I fail to see how this is relevant to the use of the U suffix. The example says that 40000 will be int or long depending on system... this has nothing to do with signedness at all. The example says that 0x8000 is possible signed in a 32-bit environment... so what? It is still a positive number in 32 bit. And you won't notice the signedness of a hex number until you represent it in a decimal format, and then it is up to you whether you want to display it as signed or unsigned.

Also, integer constants are never subject to the integer promotions, as they are always "int" or "long", so no need to worry about that either.

Further, writing “U” all over the source code is not common practice among programmers. It causes much more confusion than the hidden signedness of integer constants and worst of all, it makes the code harder to read. In addition, the MISRA-C document in itself is filled with examples where MISRA themselves do not even follow this rule. I can easily come up with countless examples, just open a random page and you will likely find it. The rule is simply too rigid and not practical to use in reality.

Though perhaps there exists a case when the lack of this suffix will lead to bugs? If not, I don't see any reasons keeping this rule.

I ran into an issue with a static analysis tool the other day.

In my example:
pool_ptr->list = *((UCHAR **) work_ptr); /*violates MISRA 11.4 */
Both pointers are UCHAR *. The first location in the buffer is being used to hold another pointer.

Adding an intermediate cast to void * clears the warning.
pool_ptr -> tx_list = *((UCHAR **) (void *)work_ptr);

Regardless that this clears the message, I believe it is still a violation of the intent of MISRA 11.4. Do you agree?
-----------------------------------------------------------------------
Scott Nowell
Validated Software Corporation

I would be interested in comments on the following simplified fragment.

switch (err) {
case 0:
...
break;

case 1:
case 2:
case 3:
default:
...
break;
}

I am seeing code examples like this where multiple cases are being combined with default. Most compiler will simply optimize this out to a simple test for case 0. The programmers are using this as a way to identify the results they might expect. I think having the other cases in a comment would serve this as well. MISRA C does not seem to mention this.
From a test perspective I feel it is necessary to test all declared cases.
Can anyone offer a comment on this?

Scott
Validated Software

According to the rationale of required rule 3-1-1 a header file should not contain or produce definitions of objects or functions.

Does this mean that the following definition of the null-pointer-constant NULL is non-compliant?