[C-safe-secure-studygroup] Rule 11.5 review
msebor at gmail.com
Wed Oct 4 14:36:09 UTC 2017
Rule 11.5 - A conversion should not be performed from pointer
to void into pointer to object
This advisory rule prohibits both implicit and explicit conversions
from void pointers to pointers to object types. The rule allows for
an unspecified set of exceptions. The set is meant to include memory
allocation functions (presumably the C standard allocation functions
are meant here but it's not clear).
The motivation for the rule is preventing casts between pointers
to objects with different alignment requirements.
I have no experience with safety-critical software but I have a hard
time envisioning any system software written in either C or C++ that
doesn't cast between void* and other pointers.
Since the rule allows for an unspecified and thus unbounded set of
exceptions it's also not enforceable. Does a user-defined wrapper
function around malloc qualify as a memory allocation function?
Does a similar function that allocates memory from a statically
allocated pool qualify?
In addition, since other MISRA rules rely on whole program analysis,
I find the rule unnecessary. A static analyzer that has visibility
into the entire system can track most object alignments across
translation unit boundaries and discover assignments that increase
With that, I recommend against adopting the rule. Instead, if one
doesn't already exist, I suggest creating a rule with a whole
program scope (i.e., System in MISRA classification) against
converting a pointer to more strictly-aligned object type to one
to a less strictly-aligned type. This rule would be Undecidable
(again, according to MISRA).
I also propose considering doing the same for the other rules in
subsection 8.11 that prohibit conversions between incompatible
pointers or between object pointers and integers.
More information about the C-safe-secure-studygroup