[Cryptography] cryptography Digest, Vol 47, Issue 1

Nemo nemo at self-evident.org
Wed Mar 1 12:55:31 EST 2017


On Tue, 28 Feb 2017 10:57:31 -0700 John Denker <jsd at av8n.com> wrote:

> On the other edge of the same sword, one could argue that those
> standards are not nearly restrictive enough.  They allow and
> even require the use of local automatic variables (Rule 13),
> but nowadays you can run out of room on the stack 1000 times
> more easily than you can run out of room in the heap.

No, you cannot, because of Rule 4:

    Rule 4 (recursion) 

    There shall be no direct or indirect use of recursive function
    calls. [MISRA-C:2004 Rule 16.2; Power of Ten Rule 1]

    The presence of statically verifiable loop bounds and the absence of
    recursion prevent runaway code, and help to secure predictable
    performance for all tasks.  The absence of recursion also
    simplifies the task of deriving reliable bounds on stack use. The
    two rules combined secure a strictly acyclic function call graph and
    control-flow structure, which in turn enhances the capabilities for
    static checking tools to catch a broad range of coding defects.

In the absence of recursion, any decent static checker will compute a
bound on the stack use. I know Coverity does.

Well, technically you do also need to avoid alloca() and variable-length
arrays (VLAs).

alloca() is non-standard and is anyway called out as verboten in Rule 5.

VLAs are part of the C99 standard, which Rule 1 identifies as the source
language. It would be consistent with this spec to forbid them, but at
first glance I do not see it. This might be an oversight.

Anyway, I would say the authors of these rules have thought things
through pretty carefully. I would not want to code under these
restrictions, but then my code does not need to run a billion miles out
of my reach for several years.

 - Nemo
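A worked example, added here and not part of Nemo's post or of the coding standard he quotes: a small checker that derives the stack bound the Rule 4 rationale refers to from an acyclic call graph, and reports when recursion or a dynamically sized frame (what alloca() or a VLA looks like to such a checker) leaves no static bound. The frame sizes and call graph are constructed sample data, not measurements of any real program.

```python
# Added example (not from the mailing-list post): bound stack use from an
# acyclic call graph, as the Rule 4 rationale describes, and show why
# recursion or an alloca()/VLA-sized frame makes that bound unavailable.
# All frame sizes and call edges below are constructed sample data.

# Constructed sample: bytes of stack each function's frame occupies, and
# the callees of each function, as a checker would extract from the build.
FRAME_BYTES = {"main": 64, "parse": 128, "check": 32, "emit": 256, "log": 48}
CALLS = {
    "main": ["parse", "emit"],
    "parse": ["check", "log"],
    "check": ["log"],
    "emit": ["log"],
    "log": [],
}


def stack_bound(entry, frames, calls):
    """Worst-case stack bytes reachable from `entry`.

    Returns (bound, chain), where chain is the call path attaining it, or
    (None, reason) when no static bound exists: a cycle in the call graph
    (direct or indirect recursion) or a frame whose size is unknown
    (recorded as None, the way alloca() and VLAs show up to the checker).
    """
    memo = {}
    on_path = []  # current DFS chain, used to detect recursion

    def visit(fn):
        if fn in memo:
            return memo[fn]
        if fn in on_path:
            raise ValueError("recursion: " + " -> ".join(on_path + [fn]))
        if frames.get(fn) is None:
            raise ValueError("dynamic frame size in " + fn)
        on_path.append(fn)
        best, best_chain = 0, []
        for callee in calls.get(fn, []):
            sub, sub_chain = visit(callee)
            if sub > best:
                best, best_chain = sub, sub_chain
        on_path.pop()
        memo[fn] = (frames[fn] + best, [fn] + best_chain)  # acyclic: max over callees
        return memo[fn]

    try:
        return visit(entry)
    except ValueError as why:
        return None, str(why)


if __name__ == "__main__":
    print(stack_bound("main", FRAME_BYTES, CALLS))               # finite bound
    print(stack_bound("main", FRAME_BYTES, dict(CALLS, check=["log", "parse"])))
    print(stack_bound("main", dict(FRAME_BYTES, emit=None), CALLS))  # VLA in emit()
```

On the sample data the bound is 368 bytes along main -> emit -> log; adding a check -> parse edge (indirect recursion) or marking emit's frame as dynamic makes the checker refuse to give one.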
