24-03-2011, 05:15 PM
I have recently come across code similar to the following:
Code:
#include <stddef.h>   /* size_t */
#include <stdint.h>   /* assumed: uint8 / int16 are project typedefs of the fixed-width types */
typedef uint8_t uint8;
typedef int16_t int16;

void serialize(const uint8 data[], size_t length);
int16 myData;
...
serialize((const uint8*)&myData, sizeof(myData)); /* violates MISRA 11.4 */
serialize((const void*)&myData, sizeof(myData)); /* obscures what is going on, but allowed by MISRA */
It seems to me perverse that the first call violates a MISRA rule (even though casting any pointer to a char* does not give rise to alignment issues, see 6.3.4 in the standard), whereas the second contains a potentially dangerous implicit type conversion from void* to another pointer type (imagine that the parameter to serialize had been declared as "const uint32[]" instead).
One possibility is to declare the parameter to serialize as having type const void* instead, but I'm not sure I like this, and it would be necessary to convert it to uint8* anyway inside serialize.
I would prefer to see MISRA C3 amend the rules along the following lines:
1. Explicit casts from an object pointer type to signed or unsigned char* are permitted;
2. Implicit casts from void* to any other type are not permitted. [I don't understand why the MISRA standard ever allowed them.]
3. Maybe a rule along the lines of "A pointer of type void* may only be converted to the same pointer type that it was originally derived from" (with the usual permission to add cv-qualifiers). Perhaps also permitting void* to be converted to signed/unsigned char*.
Any comments?
David Crocker
Escher Technologies Ltd.
http://www.eschertech.com
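The following is an added, self-contained example illustrating the post's point; it is not code from David Crocker's post or from MISRA. It assumes the uint8/int16/uint32 names are typedefs of the C99 fixed-width types, gives both serializers an output buffer so the result can be checked, invents a hypothetical serialize_words() with the "const uint32[]" parameter the post imagines, and picks big-endian wire order for it. The int16 object cast to (const uint8*) serializes correctly, because C permits reading any object through an unsigned char pointer. The same object cast to (const void*) is accepted by the compiler for the uint32 variant as well, with no diagnostic; only a runtime check on the length, added here as a defence, stops it from reading past the two-byte object.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed typedefs: the post uses uint8/int16/uint32 without defining them. */
typedef uint8_t  uint8;
typedef int16_t  int16;
typedef uint32_t uint32;

/* Byte-wise serializer in the shape of the post's, given an output buffer so
 * the result can be inspected. Reading any object through an unsigned char
 * pointer is permitted by C, so the explicit (const uint8*) cast at the call
 * site is the honest, alignment-safe form. Returns bytes written, 0 on error. */
size_t serialize(const uint8 data[], size_t length, uint8 *out, size_t out_cap)
{
    size_t i;
    if (data == NULL || out == NULL || length > out_cap) {
        return 0;
    }
    for (i = 0U; i < length; ++i) {
        out[i] = data[i];
    }
    return length;
}

/* Hypothetical word-oriented variant ("imagine that the parameter had been
 * declared const uint32[]"). A (const void*) argument converts to it
 * implicitly, so an int16 object is accepted here without any diagnostic.
 * The type system no longer helps, so the function must defend itself: it
 * refuses any length that is not a whole number of uint32 words, which
 * catches the sizeof(int16) == 2 mistake before any out-of-bounds read. */
size_t serialize_words(const uint32 data[], size_t length, uint8 *out, size_t out_cap)
{
    size_t i;
    if (data == NULL || out == NULL || length > out_cap ||
        (length % sizeof(uint32)) != 0U) {
        return 0;
    }
    for (i = 0U; i < length / sizeof(uint32); ++i) {
        /* Big-endian wire order, chosen for this example. */
        out[4U * i + 0U] = (uint8)(data[i] >> 24);
        out[4U * i + 1U] = (uint8)(data[i] >> 16);
        out[4U * i + 2U] = (uint8)(data[i] >> 8);
        out[4U * i + 3U] = (uint8)(data[i]);
    }
    return length;
}

/* Explicit cast to uint8*: allowed by the language, flagged by MISRA 11.4.
 * Returns 1 if the serialized bytes equal the object representation. */
int bytewise_roundtrip_ok(void)
{
    int16 myData = (int16)-12345;
    uint8 out[sizeof(myData)];
    uint8 expected[sizeof(myData)];
    size_t n = serialize((const uint8 *)&myData, sizeof(myData), out, sizeof(out));
    memcpy(expected, &myData, sizeof(myData));   /* portable way to read the bytes */
    return (n == sizeof(myData)) && (memcmp(out, expected, sizeof(out)) == 0);
}

/* Cast to void*: allowed by MISRA, but it also compiles against the uint32
 * variant. Only the runtime length check stops it; the byte count written
 * is 0 for the mismatched int16 argument. */
size_t void_cast_against_word_variant(void)
{
    int16 myData = (int16)-12345;
    uint8 out[8];
    return serialize_words((const void *)&myData, sizeof(myData), out, sizeof(out));
}

/* The same void* idiom with a genuine uint32 array passes the check. */
size_t void_cast_with_matching_type(void)
{
    uint32 words[2] = { 0x01020304U, 0xAABBCCDDU };
    uint8 out[8];
    return serialize_words((const void *)words, sizeof(words), out, sizeof(out));
}

int main(void)
{
    printf("bytewise cast ok: %d\n", bytewise_roundtrip_ok());
    printf("void* int16 object against uint32[] parameter: %zu bytes written\n",
           void_cast_against_word_variant());
    printf("void* with a real uint32[]: %zu bytes written\n",
           void_cast_with_matching_type());
    return 0;
}
```

Compile with any C99 compiler and warnings enabled: neither call to serialize_words() produces a diagnostic, which is exactly the silent conversion the post objects to. Without the length check, the int16 call would read two bytes beyond myData.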