
Does MISRA check if array index out of bounds?

In the MISRA-C standard 2012 I could not find an explicit rule that says that the implementer needs to check that the array is not accessed with an index out of bounds.

So an array out of index / boundaries could be there.

Maybe this is nothing MISRA-C cares about or maybe I missed something?

In MISRA-C:2012 there is the advisory rule 17.5 which requires that array parameters to functions should have bounds specified, to enable out-of-bounds checking of the array inside that function.

There was a rule in earlier MISRA-C that favoured the use of array syntax notation (int []) over pointer notation (int*) for function parameters, but it was a bit misguided since all array parameters get adjusted ("decay") into pointers to the first element anyhow, so the array syntax in itself doesn't add anything unless the bounds are specified. That rule was rewritten into what's currently advisory rule 17.5.

Rule 18.1 (required) says that any pointer arithmetic should result in a pointer that points at the same array as the original operand. This should (arguably) be used to cover the out of bounds case too, since arr[i] is equivalent to *(arr+i) and you can't actually access an array with the array subscripting [] operator, only a pointer (see Do pointers support "array style indexing"?).

There's also the general rule 1.3 stating that the program should not contain any form of undefined behavior, which is meant to cover all cases of UB that aren't handled by other more specific rules.

But in the end, this will be a quality of implementation matter for the static analyser. When they are able to, most such tools perform out-of-bounds checks anyway, regardless of MISRA-C.


Unfortunately, MISRA-C is suffering from the same misguided ideas as the C11 committee when it comes to VLA - C11 made VLA optional and MISRA-C bans them completely. Both committees failed to take modern C programming into account, where you can use a pointer to VLA to increase type safety and static analysis possibilities, namely:

void func (size_t n, int arr[n])

This tells a static analyser that it can check that access of arr inside func does not exceed n. Whereas (size_t n, int* arr) doesn't tell the static analyser jack.

This defensive programming method that creates better static analysis and safer programs is banned by MISRA-C:2012 and made optional by C11/C17. While allocated VLA objects are mildly useful, pointers to VLA are very useful in modern C programming.
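As an added example that is not part of the original question or answer (all function and variable names are mine), the following C code uses the VLA-typed parameter style from the answer and pairs it with explicit range checks, so that every subscript and every pointer-arithmetic result stays inside the array, or at most one past its end, as rule 18.1 requires:

```c
#include <stdbool.h>
#include <stddef.h>

/* Sums arr[from] .. arr[to-1] into *out and returns true.
 * Returns false when the half-open range is not inside the n-element array.
 * The parameter `const int arr[n]` carries the bound for a static analyser;
 * the if-check enforces it at run time. */
bool sum_range(size_t n, const int arr[n], size_t from, size_t to, long *out)
{
    /* `to == n` (one past the end) is allowed, `to > n` and from > to are not. */
    if (to > n || from > to) {
        return false;
    }
    long sum = 0;
    /* p only ever takes values in [arr, arr + n], so the pointer arithmetic
     * stays within the same array, as rule 18.1 requires. */
    for (const int *p = arr + from; p != arr + to; ++p) {
        sum += *p;
    }
    *out = sum;
    return true;
}

/* Single-element read with the same guard: rejects arr[n] and beyond. */
bool get_at(size_t n, const int arr[n], size_t i, int *out)
{
    if (i >= n) {
        return false;
    }
    *out = arr[i]; /* same as *(arr + i); the index is now known to be in bounds */
    return true;
}

/* Sample data, constructed for this example. */
static const int sample[5] = {1, 2, 3, 4, 5};

/* Wrappers that return a value directly: the sum (or `fallback` when the
 * range is rejected) and the element (or `fallback` when the index is rejected). */
long sample_sum_or(size_t from, size_t to, long fallback)
{
    long s;
    return sum_range(5, sample, from, to, &s) ? s : fallback;
}

int sample_at_or(size_t i, int fallback)
{
    int v;
    return get_at(5, sample, i, &v) ? v : fallback;
}
```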
