Question

Passing a function argument of the wrong type is allowed by MISRA?

I'm working on bare-metal software on STM32H7 which is controlled by a coding rules analyser (HELIX QAC) following the MISRA-C 2012 standard.

The use case is the following:

    void function1(unsigned int i)
    {
        /* ... */
    }

    void function2(void)
    {
        /* ... */
        function1(1);
    }

The call to function1 is done with a signed integer but apparently there is no MISRA rule to forbid that. I know conversion from signed to unsigned is perfectly defined in C but it's still surprising because usually MISRA is very strict regarding implicit conversion (even if well defined in the C standard).

For example the following (not really a conversion by the way) returns an error:

    unsigned long l = 0xFFFFFFFF;

because there is no U prefix (or explicit cast).

Is there a reason for that / a specificity in the C standard regarding function parameter implicit conversion?

 3  46  3
1 Jan 1970

Solution

 0

This implicit conversion has to do with MISRA 10.1 which has changed over different versions of MISRA standards. In MISRA C 2004, rule 10.1 prohibited a larger subset of implicit casts, including this one. MISRA C 2012 relaxed this rule to allow implicit casts in more situations.

Is there a reason for that / a specificity in the C standard regarding function parameter implicit conversion?

To preface, I only have access to MISRA C 2023 now and I couldn't find official justification for the change. IMO, I suspect the rule was changed with the 2012 standard because the 2004 version of rule 10.1 resulted in a lot of explicit casts that may have made the code more difficult to read and only marginally safer. I'm basing that opinion on a few forum posts with confusion about 10.1 violations.

2024-07-24
Gandhi
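The following C program is an added example, not code from the question or the answer, and it is not part of any MISRA document. It makes the two points above concrete: what actually happens to the signed argument at the call to `function1`, and what type the unsuffixed literal `0xFFFFFFFF` has on a target with a 32-bit `int`. `function1` is taken from the question; `call_with_signed`, `call_with_unsigned_literal`, `call_with_cast` and `hex_literal_is_unsigned_int` are helper names chosen here for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Callee with an unsigned parameter, mirroring function1 in the question.
 * It returns its argument so the converted value can be inspected. */
unsigned int function1(unsigned int i)
{
    return i;
}

/* Call with a signed int argument, as function2 does with the literal 1.
 * The argument is converted to the parameter type as if by assignment
 * (C11 6.5.2.2p7). Signed-to-unsigned conversion is well defined: the
 * value is reduced modulo UINT_MAX + 1 (C11 6.3.1.3p2), so -1 becomes
 * UINT_MAX rather than producing undefined behaviour. */
unsigned int call_with_signed(int value)
{
    return function1(value);
}

/* The same call with an unsigned literal (U suffix): the argument already
 * has the parameter's type, so no implicit conversion takes place. */
unsigned int call_with_unsigned_literal(void)
{
    return function1(1U);
}

/* Explicit cast: identical machine result, but the conversion is visible
 * at the call site. This is the shape a reader (or an analyser) can check
 * for negative or variable arguments without knowing the callee's type. */
unsigned int call_with_cast(int value)
{
    return function1((unsigned int)value);
}

/* Type of the hex literal from the question. An unsuffixed hexadecimal
 * constant takes the first type in the list int, unsigned int, long,
 * unsigned long, ... that can hold its value (C11 6.4.4.1p5). On a target
 * with 32-bit int (STM32H7, and also typical hosted x86-64 compilers)
 * 0xFFFFFFFF does not fit in int and so becomes unsigned int; the
 * assignment to unsigned long then widens it. Returns 1 if the literal's
 * type is unsigned int on this build, 0 otherwise. Requires C11 _Generic. */
int hex_literal_is_unsigned_int(void)
{
    return _Generic(0xFFFFFFFF, unsigned int: 1, default: 0);
}

int main(void)
{
    printf("function1(1)            -> %u\n", call_with_signed(1));
    printf("function1(-1)           -> %u (UINT_MAX = %u)\n",
           call_with_signed(-1), UINT_MAX);
    printf("function1(1U)           -> %u\n", call_with_unsigned_literal());
    printf("function1((unsigned)-1) -> %u\n", call_with_cast(-1));
    printf("0xFFFFFFFF is unsigned int on this build: %s\n",
           hex_literal_is_unsigned_int() ? "yes" : "no");
    return 0;
}
```

Build with any C11 compiler (for example `cc -std=c11 -Wall -Wextra -Wsign-conversion example.c`); the `-Wsign-conversion` warning on `call_with_signed` is the compiler's view of the same implicit conversion the question asks about, while the `1U` and cast variants compile cleanly. The `-1` case is the reason explicit casts or correctly typed literals are worth having even though the conversion is defined: the value silently becomes `UINT_MAX`, which is rarely what the caller meant.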