MISRA Discussion Forums

Welcome, Guest

You have to register before you can post on our site.

Rule 10.5

Posted by: Lundin - 15-02-2008, 09:14 AM - Forum: 6.10 Arithmetic Type Conversions - Replies (4)

First of all, in the explaining text to Chapter 6.10 you can read the following below \"Balancing conversions\":

\"Notice that the operands of the bitwise shift operators (>) are not balanced. The type of the result is the promoted type of the first operand.\"

The balancing refers to the \"usual arithmetic conversions\" and I believe that the text is correct.

Then in the example for rule 10.5 the following code is posted:

Code:
uint8_t port = 0x5aU;

uint8_t result_8;

uint16_t result_16;

result_8 = (~port) >> 4;  /* not compliant */

...

result_8 = ((uint8_t)(~port)) >> 4; /* compliant */

result_16 = ((uint16_t)(~(uint16_t)port)) >> 4; /* compliant */

The last line with result_16 is incorrect and not compliant to rule 10.5 nor rule 10.3. The result of that line will be 0x0FFA and not 0x000A.

The rule 10.5 states that the result of an expression shall be immediately cast to the underlying type. Underlying type is defined as the type an expression would have if not for the integer promotions. If not for the integer promotions, the type of the expression (~port) would be uint8_t and the type of the expression (~port) >> 4 would be also be uint8_t, since the usual arithmetic conversions aren't used, see the text on top of this post.

First error in that line:

~(uint16_t)port

The operand is casted instead of the result.

Second error on that line:
The result is not casted to the underlying type which is uint8_t.

Third error on that line:
result_16 = (uint16_t) ...

The result is not casted to the underlying type of the expression
\"uint8_t result\" >> 4
which is uint8, since the usual arithmetic conversions aren't used on shift operators.

So not only does the line break rule 10.5, it also breaks rule 10.3 in MISRA C:2004 TC1: \"The value of a complex expression of integer type shall only be cast to a type of the same signedness that is no wider than the underlying type of the expression\".

I believe that the correct line will look like this:

Code:
result_16 = (uint8_t) ( ((uint8_t)~port) >> 4U ); /* compliant */

However, that line looks quite horrible. I suggest that the following code is used instead:

Code:
result_8  = (uint8_t) ~port;

result_16 = (uint8_t) (result_8 >> 4U);

Rule 16.4

Posted by: Lundin - 04-02-2008, 02:22 PM - Forum: 6.16 Functions - Replies (3)

I wonder if rule 16.4 fills a purpose, as it seems to be well-covered by several other MISRA rules.

\"16.4 The identifiers used in the declaration and definition of a function shall be identical.\"

\"8.3 For each function parameter the type given in the declaration and definition shall be identical, and the return types shall also be identical.\"

8.3 has both the parameters and the return type covered, all is fine there. Therefore I assume that rule 16.4 only applies to the function name itself. Ie it would be interpreted as \"the function identifier used in declaration and definition shall be identical\".

So as far as I understand it, rule 16.4 would only apply when the names in the function definition and the declaration are different, ie the scenario where the function definition is \"apples\" but the function declaration is \"bananas\" (although their parameters and return types are identical, as covered by rule 8.3):

Code:
static void apples  (uint8_t n);

static void bananas (uint8_t n)

{

}

int main()

{

  apples(x);  /* A linker error will occur, apples() isn't found and the program won't be executed. */

  bananas(x); /* This will work fine but the prototype \"apples\" is redundant. */

}

The above behavior is the same if the function definition is placed in a h-file and the function is called from another file.

The \"bananas\" case will never result in faulty program behavior, assuming rule 8.3 is fulfilled. Also, this case would violate rule 8.1 \"Functions shall have a prototype...\". And if the bananas function had been placed below main() instead of above, the code wouldn't even compile.

So I fail to see the point of rule 16.4, it seems redundant to me.

Incorrect example for rule 6.3?

Posted by: pkruk - 28-01-2008, 03:39 PM - Forum: MISRA-C:2004 Exemplar Suite - Replies (1)

Hello,

TC1 has following sentence:

Quote:This rule is inappropriate (plain) char

But the mc2_0603.c has following example:

Quote:char character63; /* Not Compliant */

In my opinion this code is compliant with TC1?

Where to get ISO C90 9899:1990

Posted by: MMouse - 28-01-2008, 01:29 PM - Forum: General Questions - Replies (1)

Re 9899:1990
I asked ISO and their reply is below. (In theory you can get it from BSI inthe UK but there is more chance of hell freezing over due the the way they work)

See http://www.open-std.org/JTC1/SC22/WG14/
for the TC's

Please note that the withdrawn standard [9899:19900 is available for sale and costs CHF 64.00 (Swiss Franc) + shipping costs. If you wish to receive a proforma invoice, please let us know your full name, address, phone and fax numbers and we will send it to you.

Best regards,
ISO Central Secretariat
Marketing & Communication
Case Postale 56
1, ch. de la Voie-Creuse
CH-1211 Geneva 20

[email protected]

Tel: +41 22 749 03 37
Fax: +41 22 749 09 47

http://www.iso.org/ISOstore

Rule 3.5: bitfields and basic types

Posted by: Reggi - 25-01-2008, 10:00 AM - Forum: 6.3 Documentation - Replies (4)

Hi,

i have a question about the type in bitfields.

In the example in rule 3.5 there is the note \"Note: use of basic types is required\"

In rule 6.3 it says: \"typedefs are not considered necessary in the specification of bit-field types.\"

So typedefs are not forbidden for bitfields.

I don't anderstand the stÃ¤tement in the example of rule 3.5.

Why are basic types required here?

Do you have an explanation, why i should write

unsigned int x_set:1

and not

uint32_t ? x_set:1?

Thanks,
Regine

MISRA-C:2004 references to ISO/IEC 9899

Posted by: cschol - 12-01-2008, 12:07 AM - Forum: General Questions - Replies (1)

Hello,

I just received the MISRA-C:2004 edition and I have a question regarding the references to the C-Standard documentation. The MISRA-C:2004 references explicitely to the ISO/IEC 1990 version and specifically to Annex G. I have a copy of the IEC/ISO 1999 version and Annex G deals with complex numbers, not undefined behavior (which is Annex J). Did the ISO/IEC standard change that much between the 1990 version and the 1999 version that I really need to hunt down a 1990 copy?

Thanks,
Chris

Rule 6.5 and unnamed 0-length bit field

Posted by: pkruk - 08-01-2008, 02:44 PM - Forum: 6.6 Types - Replies (4)

What about following case:

Code:
struct s {

    signed int : 0;        /* Is Rule 6.5 violated? */

  };

Rule 6.5 explicitly says that \"Bit fields of type signed int shall be at least 2 bits long.\" (or \"Bit fields of signed type shall be at least 2 bits long.\" in TC1).

This bit field is clearly smaller than 2 bits, but it serves other purpose than \"normal\" positive-size bit fields.

Should the code be changed to use \"unsigned int\" type (the rule would not apply), or is the 0-size bit field an exception to this rule?

Rule 11.2 and example from Exemplar Suite

Posted by: pkruk - 08-01-2008, 12:35 PM - Forum: 6.11 Pointer Type Conversions - Replies (1)

In the mc2_1102.c file there is a following example:

Code:
float32_t float32_1102;

   void *void_ptr = ( void * ) get_int32_ptr ( );

   float32_1102 = ( float32_t ) void_ptr;           /* Not Compliant */

Is the conversion between void pointer and a float type object disallowed by the 11.2 rule?

According to my understanding the rule 11.2 disallows conversions only if we are converting to or from a pointer to object.
float type is clearly not a pointer to object type.
Pointer to void is not a pointer to object type, because void is not an object (it's an incomplete type).

Please correct me if my understanding is not correct.

External linkage of objects

Posted by: Lundin - 07-01-2008, 02:40 PM - Forum: 6.8 Declarations and Definitions - Replies (3)

I'm sitting here and writing a code standard for our company which includes MISRA-C. Among the first things I did was to ban external linkage of objects (ie variables) entirely, as it is one of the most common causes of \"spaghetti-code\". After doing this, I found myself having an easy time to make my rules conform to the whole chapter \"Declarations and Definitions\". Plenty of the issues addressed won't be any issues at all, if external linkage of objects is forbidden. (External linkage of functions will naturally be allowed, since the prototypes should be in the h-file and the definitions in the c-file.)

If external linkage of objects was forbidden, it would smoothen plenty of the rules, as they would then only apply to functions and not objects. 8.4 and 8.12 could probably be removed entirely.

So I am curious why MISRA didn't forbid it?

No matter how hard I try, I can't come up with a situation where external linkage of objects is motivated. Since the proper way to pass variables between files in C is like this:

Code:
/* module.h */

extern uint8 get_x (void);

extern void set_x (uint8 x_val);

Code:
/* module.c */

#include \"module.h\"

static uint8 x;

uint8 get_x (void)

{

  return x;

}

void set_x (uint8 x_val)

{

  x = x_val;

}

Code:
/* main.c */

#include \"module.h\"

uint8 something = get_x();

set_x (something_else);

This enables the only part of object orientation that ISO C supports, namely private variable encapsulation.

The only argument I can think of against the above method is efficiency. But that is not a good argument, as most compilers support inlining of functions, which will make the above code as efficient as it gets, with direct memory access to the variable. And since that can be done, even hardware registers can be declared this way.

Perhaps there is some case I didn't think of? I would be most curious to know whether MISRA has had this in mind, or perhaps if external linkage was allowed \"to avoid programmer shrieks\", as it is a commonly used syntax?

Deviation from rule 1.1 in mc2_types.h?

Posted by: mhabermann - 31-12-2007, 04:44 AM - Forum: MISRA-C:2004 Exemplar Suite - Replies (1)

	mc2_types.h states: typedef signed long int64_t; /* ... / typedef unsigned long uint64_t; / ... */ typedef long double float128_t; Violate these three types Rule 1.1 (C90 - compliance)?

Pages (100): « Previous 1 … 83 84 85 86 87 … 100 Next »

Search Forums

(Advanced Search)

Forum Statistics

» Members: 6,171
» Latest member: stephanmuench
» Forum threads: 998
» Forum posts: 2,752

Full Statistics

Online Users

There are currently 232 online users.
» 0 Member(s) | 230 Guest(s)
Bing, Google

Latest Threads

Rule 6.2.1: non-inline co...
Forum: 4.6 Basic concepts
Last Post: cgpzs
22-11-2024, 10:11 AM
» Replies: 0
» Views: 37

Rule 0.1.2
Forum: 4.0 Language independent issues
Last Post: stephanmuench
21-11-2024, 01:12 PM
» Replies: 0
» Views: 46

A18-9-4
Forum: AUTOSAR C++:2014 rules
Last Post: cgpzs
23-10-2024, 12:04 PM
» Replies: 2
» Views: 399

A8-4-5: are partial moves...
Forum: AUTOSAR C++:2014 rules
Last Post: misra cpp
22-10-2024, 02:03 PM
» Replies: 1
» Views: 339

model information blocks ...
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
22-10-2024, 01:27 PM
» Replies: 1
» Views: 4,459

MISRA AL SLSF - Rule 043I
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
22-10-2024, 01:11 PM
» Replies: 1
» Views: 8,876

MISRA AC EC guidelines
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 08:21 AM
» Replies: 4
» Views: 15,525

News on future releases
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 08:05 AM
» Replies: 1
» Views: 5,707

Signal naming convention ...
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 07:57 AM
» Replies: 1
» Views: 7,258

Rule 7.0.2: operator cons...
Forum: 4.7 Standard conversions
Last Post: karos
14-10-2024, 08:52 PM
» Replies: 2
» Views: 449

Login
Username:
Password:
	Remember me Lost Password?

Welcome to the MISRA discussion forum