[C-safe-secure-studygroup] On MISRA C:2012 Rule 10.7

Roberto Bagnara bagnara at cs.unipr.it
Wed Sep 6 06:17:55 UTC 2017


MISRA C:2012 Rule 10.7:
If a composite expression is used as one operand of an operator in
which the usual arithmetic conversions are performed then the other
operand shall not have wider essential type.

I assume familiarity with the MISRA C notion of "essential type"
(see Section 8.10 and Appendix D of MISRA-C:2012).
I also assume familiarity with the notion of "usual arithmetic
conversion" (see section 6.3.1.8 of C11).

A "composite operator" is any one of the following:
binary *, /, %, binary +, binary -, &, |, ^, <<, >>;
in addition, a conditional operator (?:) is composite if either the second
or third operand is a composite expression,
and a compound assignment is, for the purpose of this rule,
equivalent to an assignment of the result of its corresponding composite
operator.
A "composite expression" is any non-constant expression that is
the direct result of a composite operator, possibly parenthesized.

The rationale of the rule is that C programmers make frequent mistakes
due to misunderstanding of the language semantics, in which implicit
conversions play a crucial role.  This specific rule is devised to
mitigate very common misconceptions regarding the type in which
arithmetic and bitwise operations are performed.  This is done by
restricting implicit conversions on composite expressions, thereby
imposing that sequences of arithmetic/bitwise operations within an
expression are conducted in exactly the same essential type.

I routinely see programmers (even seasoned programmers) making
dangerous mistakes that can be prevented by imposing this rule (and
other related rules).  I thus recommend its inclusion tout court (*).
Kind regards,

   Roberto

(*) Going through my gigantic email backlog, I got the impression
    that the distinction between the safety and security profiles
    (something I was never convinced about) is going away.
    If this impression is wrong, please replace "tout court"
    with "for both profiles" above.

P.S./O.T. On September 6th, at the time of the meeting, I will
          be seeing a doctor.  I apologize for my absence.

-- 
     Prof. Roberto Bagnara

Applied Formal Methods Laboratory - University of Parma, Italy
mailto:bagnara at cs.unipr.it
                              BUGSENG srl - http://bugseng.com
                              mailto:roberto.bagnara at bugseng.com
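The following is an added illustration of the mistake Rule 10.7 targets; it is not code from the post above or from MISRA, and it assumes an ordinary platform on which int is 32 bits wide and uint64_t is wider than unsigned int (the product of two uint32_t values is then evaluated in 32-bit unsigned arithmetic). Function names and the input values are constructed for the example. The non-compliant forms compute a byte offset from an index and a stride, a pattern that underlies many undersized-allocation and out-of-bounds bugs when the product silently wraps.

```c
#include <stdint.h>
#include <stdio.h>

/* Non-compliant with MISRA C:2012 Rule 10.7: "index * stride" is a composite
 * expression of essential type uint32_t, and it is an operand of "+" whose
 * other operand (base) has the wider essential type uint64_t.  On a platform
 * with a 32-bit int the multiplication is performed in 32-bit unsigned
 * arithmetic and wraps modulo 2^32 *before* the result is widened for the
 * addition, so the offset is silently too small. */
uint64_t byte_offset_noncompliant(uint64_t base, uint32_t index, uint32_t stride)
{
    return base + index * stride;
}

/* Compliant: widening one factor first makes the whole product a uint64_t
 * composite expression, so both operands of "+" share the same essential
 * type and the product can no longer wrap. */
uint64_t byte_offset_compliant(uint64_t base, uint32_t index, uint32_t stride)
{
    return base + (uint64_t)index * stride;
}

/* The compound-assignment form is treated the same way by the rule:
 * "total += count * size" is, for Rule 10.7, equivalent to
 * "total = total + (count * size)", so the 32-bit product is again an
 * operand of a wider 64-bit addition and wraps the same way. */
uint64_t accumulate_noncompliant(uint64_t total, uint32_t count, uint32_t size)
{
    total += count * size;
    return total;
}

uint64_t accumulate_compliant(uint64_t total, uint32_t count, uint32_t size)
{
    total += (uint64_t)count * size;
    return total;
}

int main(void)
{
    /* Constructed inputs: 0x10000 * 0x10000 == 2^32, the smallest product
     * that does not fit in 32 bits.  The non-compliant offset comes out as
     * base + 0 instead of base + 2^32. */
    const uint64_t base = 0x100000000ULL;
    const uint32_t index = 0x10000u;
    const uint32_t stride = 0x10000u;

    printf("non-compliant offset: 0x%llx\n",
           (unsigned long long)byte_offset_noncompliant(base, index, stride));
    printf("compliant offset:     0x%llx\n",
           (unsigned long long)byte_offset_compliant(base, index, stride));
    return 0;
}
```

A Rule 10.7 checker flags `base + index * stride` statically, without knowing the platform's int width; the program above only shows why the diagnostic matters at run time. The same reasoning applies to the bitwise operators listed in the rule: a 32-bit shift or mask that is later combined with a 64-bit value has already discarded its high bits.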




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2093 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.trustable.io/pipermail/c-safe-secure-studygroup/attachments/20170906/fb00339f/attachment.bin>