如何创建在MISRAC模块:2012跟随风向4.12和4.8? [英] How do I create a module in MISRAC:2012 that follows Dir 4.12 and 4.8?
问题描述
这个问题涉及到编码ISO C99的MISRAC如下:2012指南
This question relates to coding in ISO C99 following the MISRAC:2012 guidelines.
我要寻找指导目录4.8结合迪尔4.12如果一个指向结构或联合从来都不是一个翻译单元内的间接引用,那么对象的实现应该被隐藏,动态内存分配不得拿来主义。
I am looking for guidance on Dir 4.8 "If a pointer to a structure or union is never dereferenced within a translation unit, then the implementation of the object should be hidden" in conjunction with Dir 4.12 "Dynamic memory allocation shall not be used".
当用C实现一个抽象数据类型,通常使用的句柄是指向一个结构描述ADT的内部状态来指ADT。这可以用一个不透明的指针按目录4.8与内部细节保持对用户隐藏的利益来完成。
When implementing an Abstract Data Type in C it is common to refer to the ADT using a handle that is a pointer to a structure describing the internal state of the ADT. This can be done using an opaque pointer as per Dir 4.8 with the benefit that the internal details remain hidden from the user.
一般来说,这些的ADT的多于一个可能存在所以必须有以创建多张手柄的方法。这可以通过分配用于通过在初始化函数手柄引用的内部细节存储器来解决,然而,这不是风向4.12下允许
Generally more than one of these ADTs could exist so there must be a way to create mulitple handles. This can be solved by allocating memory for the internal details referenced by the handle in an initialisation function, however, this is not allowed under Dir 4.12.
另一种选择是,该初始化例程接收指向由用户提供一个静态分配处理,但是,这不能用不透明的指针来实现的。
Another option is that the initialisation routine receives a pointer to a statically allocated handle provided by the user, however, this cannot be accomplished using opaque pointers.
我说明下面的问题。
Module.h
struct module;
typedef struct module module_t; /* Module handle is only available to the world as an incomplete type. This allows us to satisfy MISRAC 2012 Dir 4.8.*/
Module.c
#include "module.h"
struct module
{
uint8_t value;
};
module_t* module_get_a_handle(void)
{
return (module_t*)malloc(sizeof(struct module)); /* MISRAC 2012 Dir 4.12 disallows dynamic memory allocation.*/
}
User.c
#include "module.h"
module_t* module_handle;
module_handle = module_get_a_handle();
这个问题也是在这个问题上所描述
The issue is also described in this question Static allocation of opaque data types , however it is not discussed with respect to the MISRAC:2012 guidelines.
描述的一个解决方案是使用被提供给客户端code句柄的静态分配池。该解决方案似乎是符合技术要求;然而,似乎动态内存分配的概念仍然在这里存在。我认为,虽然手柄静态分配,它不能由编译器编译时判断是否存在将提供足够的手柄的软件才能正常工作。
One solution described is to use a statically allocated pool of handles that are made available to client code. This solution seems to be technically compliant; however, it seems that the concept of dynamic memory allocation still exists here. I would argue that although the handles are statically allocated, it cannot be determined by the compiler during compilation whether there will be enough handles available for the software to function correctly.
我对这个问题的解决办法是写周围迪尔4.8的偏差,并使用非不透明的指针和强大的命名约定,使得它清楚用户的ADT的内部细节一定不能改变。
My solution to this problem would be to write a deviation around Dir 4.8 and use non-opaque pointers and a strong naming convention that makes it clear to users that the internal details of the ADT must not be changed.
我很好奇是否有解决这个问题,满足迪尔4.8和4.12迪尔良好接受的方法,并且不破坏任何其他MISRAC:2012规则。任何评论都将大大AP preciated。
I am curious whether there is a well accepted method to solve this issue that satisfies Dir 4.8, and Dir 4.12, and does not break any other MISRAC:2012 rules. Any comments would be greatly appreciated.
推荐答案
看来你已经明白这两个问题和解决方案:使用静态内存池从每个ADT在
It seems you have understood both the problem and the solution: use a static memory pool from inside each ADT.
这池需要,虽然受到限制,在一定上限,这应该是硬codeD。从本质上讲,你将实现池作为静态缓冲在文件范围,并跟踪了分配的大小与一个计数器变量。对于添加的每个项目,您核对最大极限的计数器。
This pool needs to be restricted though, to a certain maximum limit, which should be hard-coded. Essentially you will implement the pool as a static buffer at file scope and keep track of the "allocated" size with a counter variable. For each item you add, you check the counter against the max limit.
在情况下,你会跑出来的空间,你的程序将知道它,将能够处理错误以安全的方式。应该永远是你为什么运行的空间,虽然有原因的。这将意味着你有一个设计错误。你应该几乎肯定能保证你不会在编译时运行的空间。如果还是不行,在期间code覆盖测试最起码的。
In case you would run out of space, your program will know it and will be able to handle that error in a safe manner. There should never be a reason why you run out of space though. That would mean that you have a design bug. You should almost certainly be able to ensure that you won't run out of space at compile-time. Or if not, at the very least during code coverage tests.
4.12指令关心在堆上动态内存分配与的malloc /免费。使用这些函数和堆,是一届动态内存分配的C-事实上的标准定义。这并不意味着任何东西。
Directive 4.12 is concerned about dynamic memory allocation on the heap with malloc/free. Using those functions and the heap, is the C de facto standard definition of the term dynamic memory allocation. It does not mean anything else.
有与动态分配多个问题:非确定性的分配时间,分割,内存泄漏等等。
There are multiple issues with dynamic allocation: non-deterministic allocation time, segmentation, memory leaks etc etc.
在动态性本身不是一个问题,只要程序的行为仍然确定性。安全标准总是关注在堆上动态内存分配,因为这意味着非deterministc的行为,这在安全关键软件设计一个大忌。
The "dynamicness" in itself is not a concern, as long the program behaviour remains deterministic. Safety standards are always concerned about dynamic memory allocation on the heap, because it implies non-deterministc behavior, which is a cardinal sin in safety-critical software design.
对于很多常见的嵌入式系统,如裸机/ RTOS微控制器应用,<一个href=\"http://electronics.stackexchange.com/questions/171257/realloc-wasting-lots-of-space-in-my-mcu/171581#171581\">dynamic配置根本就不在所有任何意义。
For many common embedded systems such as bare metal/RTOS microcontroller applications, dynamic allocation simply doesn't make any sense at all.
因此,静态内存池是不是动态内存分配。否则,使用栈也将被视为动态内存,它不可能在所有写任何有用的软件。
So the static memory pool is not "dynamic memory allocation". Otherwise the use of the stack would too count as "dynamic memory" and it would not be possible to write any useful software at all.
这篇关于如何创建在MISRAC模块:2012跟随风向4.12和4.8?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
