2

In the MISRA-C standard 2012 I could not find an explicit rule that says that the implementer needs to check that the array is not accessed with an index out of bounds.

So an array out of index / boundaries could be there.

Maybe this is nothing MISRA-C cares about or maybe I missed something?

Lundin
  • 195,001
  • 40
  • 254
  • 396
Peter
  • 1,629
  • 2
  • 25
  • 45
  • 1
    Does MISRA say you should avoid doing anything that causes undefined behavior? Access outside array bounds is UB. – Barmar Nov 12 '20 at 09:11

1 Answers1

3

In MISRA-C:2012 there is the advisory rule 17.5 which requires that array parameters to functions should have bounds specified, to enable out-of-bounds checking of the array inside that function.

There was a rule in earlier MISRA-C that favoured the use of array syntax notation (int []) over pointer notation (int*) for function parameters, but it was a bit misguided since all array parameters get adjusted ("decay") into pointers to the first element anyhow, so the array syntax in itself doesn't add anything unless the bounds are specified. That rule was rewritten into what's currently advisory rule 17.5.

Rule 18.1 (required) says that any pointer arithmetic should result in a pointer that points at the same array as the original operand. This should (arguably) be used to cover the out of bounds case too, since arr[i] is equivalent to *(arr+i) and you can't actually access an array with the array subscripting [] operator, only a pointer (see Do pointers support "array style indexing"?).

There's also the general rule 1.3 stating that the program should not contain any form of undefined behavior, which is meant to cover all cases of UB that aren't handled by other more specific rules.

But in the end, this will be a quality of implementation matter for the static analyser. When they are able to, most such tools perform out-of-bounds checks anyway, regardless of MISRA-C.

Unfortunately, MISRA-C is suffering from the same misguided ideas as the C11 committee when it comes to VLA - C11 made VLA optional and MISRA-C bans them completely. Both committees failed to take modern C programming in account, where you can use a pointer to VLA to increase type safety and static analysis possibilities, namely:

void func (size_t n, int arr[n])

This tells a static analyser that it can check that access of arr inside func does not exceed n. Wheras (size_t n, int* arr) doesn't tell the stack analyser jack.

This defensive programming method that creates better static analysis and safer programs is banned by MISRA-C:2012 and made optional by C11/C17. While allocated VLA objects are mildly useful, pointers to VLA are very useful in modern C programming.

Lundin
  • 195,001
  • 40
  • 254
  • 396
  • +1... But in defence of MISRA (see profile) VLAs are poorly defined, poorly implemented, and even more poorly understood... I suspect that future versions of MISRA may provide more targetted guidance ;-) – Andrew Nov 14 '20 at 11:55
  • @Andrew The guidelines could have a rule against creating an instance of a VLA, while allowing pointers to them. As for poorly implemented, every compiler I've ever seen implements them pretty much in the same manner. You need a better rationale than various loose opinions before you ban a certain language feature. The whole of C11 was treated pretty much the same, no rationale over why something is so "poor" and "dangerous". What exactly is so poor about these features? – Lundin Nov 16 '20 at 07:22
  • AMD2 added C11/C18 to scope of MISRA, but restricts the newer features... this is only while we complete guidance for it. Further enhancements will reduce the scope of the new R.1.4 as guidance to those features are added. Eventually, R1.4 will be removed (or extended for C23 ;-) ) – Andrew Nov 25 '20 at 18:11