MISRA.FUNC.VARARG

Function with variable number of arguments.

MISRA 2012 Rule 17.1: The features of <stdarg.h> shall not be used

C90 [Undefined 45, 70–76], C99 [Undefined 81, 128–135]

Category: Required
Analysis: Decidable, Single Translation Unit
Applies to: C90, C99

Amplification

None of va_list, va_arg, va_start, va_end and, for C99, va_copy shall be used.

Rationale

The Standard lists many instances of undefined behaviour associated with the features of <stdarg.h>, including:

Example

    #include <stdarg.h>
    #include <stdint.h>

    void h ( va_list ap )            /* Non-compliant */
    {
      double y;
      y = va_arg ( ap, double );     /* Non-compliant */
    }

    void f ( uint16_t n, ... )
    {
      uint32_t x;
      va_list ap;                    /* Non-compliant */
      va_start ( ap, n );            /* Non-compliant */
      x = va_arg ( ap, uint32_t );   /* Non-compliant */
      h ( ap );
      /* undefined - ap is indeterminate because va_arg used in h ( ) */
      x = va_arg ( ap, uint32_t );   /* Non-compliant */
      /* undefined - returns without using va_end ( ) */
    }

    void g ( void )
    {
      /* undefined - uint32_t:double type mismatch when f uses va_arg ( ) */
      f ( 1, 2.0, 3.0 );
    }

MISRA-C 2004 Rule 16.1 (required): Functions shall not be defined with a variable number of arguments.

Function with variable number of arguments.

[Unspecified 15; Undefined 25, 45, 61, 70–76]

There are a lot of potential problems with this feature. Users shall not write additional functions that use a variable number of arguments. This precludes the use of stdarg.h, va_arg, va_start and va_end.

MISRA-C++ 2008 Rule 8-4-1 (required): Functions shall not be defined using the ellipsis notation.

[Undefined 5.2.2(7), 18.7(3)]

Rationale

Passing arguments via an ellipsis bypasses the type checking performed by the compiler. Additionally, passing an argument with non-POD class type leads to undefined behaviour. Note that the rule specifies "defined" (and not "declared") so as to permit the use of existing library functions.

Example

    void MyPrintf ( char_t * pFormat, ... ); // Non-compliant
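
A fixed-signature alternative to the variadic f() in the MISRA C 2012 example above, as an added example that is not taken from MISRA or from the checker's documentation. It assumes f() was meant to sum its uint32_t arguments; the caller passes a tagged array, so the uint32_t/double mismatch made by g() is returned as an error rather than being undefined behaviour. All type and function names are hypothetical, and the code is not claimed to satisfy every other MISRA rule.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration; all names are hypothetical, not from MISRA. */
typedef enum { ARG_U32, ARG_F64 } arg_kind_t;
typedef struct { arg_kind_t kind; uint32_t u32; double f64; } arg_t; /* kind says which field is valid */
typedef enum { SUM_OK = 0, SUM_BAD_ARGS = -1, SUM_TYPE_MISMATCH = -2, SUM_OVERFLOW = -3 } sum_status_t;

/* The element count is bound to a real array, and each element's type tag
 * is checked before its value is read, so no <stdarg.h> feature is needed. */
sum_status_t sum_u32(const arg_t *args, size_t n, uint32_t *out)
{
    sum_status_t status = SUM_OK;
    uint32_t total = 0u;
    if ((out == NULL) || ((args == NULL) && (n != 0u))) {
        status = SUM_BAD_ARGS;
    }
    for (size_t i = 0u; (status == SUM_OK) && (i < n); i++) {
        if (args[i].kind != ARG_U32) {
            status = SUM_TYPE_MISMATCH;   /* the g() case: double passed, uint32_t expected */
        } else if (args[i].u32 > (UINT32_MAX - total)) {
            status = SUM_OVERFLOW;        /* refuse to wrap silently */
        } else {
            total += args[i].u32;
        }
    }
    if (status == SUM_OK) {
        *out = total;                     /* written only on success */
    }
    return status;
}

/* Constructed sample call: two uint32_t values, as f() expected to receive. */
uint32_t demo_sum_ok(void)
{
    const arg_t args[] = { { .kind = ARG_U32, .u32 = 2u }, { .kind = ARG_U32, .u32 = 3u } };
    uint32_t r = 0u;
    return (sum_u32(args, 2u, &r) == SUM_OK) ? r : UINT32_MAX;
}

/* Constructed sample call mirroring g(): doubles where uint32_t is expected. */
sum_status_t demo_mismatch(void)
{
    const arg_t args[] = { { .kind = ARG_F64, .f64 = 2.0 }, { .kind = ARG_F64, .f64 = 3.0 } };
    uint32_t r = 0u;
    return sum_u32(args, 2u, &r);
}
```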