- Important information
- New features
- Known problems
- Program corrections
- User guide corrections
- Miscellaneous
- Release history
Important information
- None
New features
MISRA C:2012 Amendment 1
- The Static analysis tool C-STAT has extended its coverage of the MISRA C:2012 Coding Standard and now fully supports MISRA C:2012 Amendment 1. This Amendment adds 14 additional rules to MISRA C:2012 with a focus on security concerns highlighted by the ISO C Secure Guidelines. Several of these address specific issues pertaining to the use of untrustworthy data, a well-known security vulnerability.
Known problems
- None
Program corrections
- [CSTAT-552] The checks MEM-stack-param, MISRAC2012-Rule-1.3_s, MISRAC2012-Rule-18.6_d, and CERT-DCL30-C_e erroneously consider the address of a pointer parameter that is accessed with the subscript operator to be a stack address.
- [CSTAT-551] Initializing an aggregate or union with a struct or union field can incorrectly generate a MISRAC2012-Rule-9.2 message, even if the initializer is properly enclosed in braces.
- [CSTAT-549] The check MISRAC++2008-6-4-3 incorrectly requires switch statements to have a default clause.
- [CSTAT-545] The check MISRAC++2008-6-5-4 incorrectly requires that the loop counter is incremented or decremented by a constant value, rather than by a value that is constant for the duration of the loop.
- [CSTAT-544] MISRAC++2008-6-5-5 considers only variables assigned in the init statement of a for loop to be loop counters. It should also include any variable assigned prior to the loop.
- [CSTAT-543] Using the offsetof macro generates a message for MISRAC2012-Rule-7.2.
- [CSTAT-541] This code generates a message for MISRAC2012-Rule-18.8 regarding the usage of variable length arrays:
    extern struct { int m; } a[];
- [CSTAT-539] Taking the address of a variable declared as a reference does not count as a potential modification of that variable. This can lead to false positives for the check MISRAC++2008-7-1-1, stating that the variable should be declared as const.
- [CSTAT-538] In cases like the following example, C-STAT can calculate the size of the underlying array in the *p statement incorrectly:
    int (*p)[3];
    *p;
- [CSTAT-537] The checks MEM-stack-global, MISRAC++2008-7-5-2_a, MISRAC2004-17.6_b, MISRAC2012-Rule-18.6_b, and CERT-DCL30-C_c treat saving the address of a static variable as if the address of a non-static local variable were saved.
- [CSTAT-534] When running C-STAT from within the Embedded Workbench IDE, or by using the commands command from the command line, the first object file sent to the link analysis is not included in the analysis.
- [CSTAT-533] The MISRAC2012-Rule-21.16 check can cause C-STAT to terminate with an internal error when the memcmp function is called with arguments of type const void *.
- [CSTAT-532] Using the C-STAT comment directive //cstat +<tag> re-enables all currently disabled checks instead of only the check matching the tag.
- [CSTAT-531] The check CERT-EXP40-C_a erroneously reports modifications of non-const structure fields as const modifications.
- [CSTAT-530] Calling standard library functions that take a pointer and a size argument (for example memset and strncat), when the size argument is a number larger than 31 bits, can cause C-STAT to terminate with an internal error.
- [CSTAT-525] If a source file generated 0 messages, it is listed twice in the Messages table of the C-STAT analysis report.
- [CSTAT-516] C-STAT exits with an ambiguous error if the compiler command line for a source file is longer than 32,768 characters.
- [CSTAT-515] The check MISRAC2012-Rule-14.4_c does not consider array members of a struct to be able to have essentially Boolean type.
- [CSTAT-514] The checks MISRAC2004-15.0, MISRAC2012-Rule-16.1, and MISRAC++2008-6-4-3 consider switch statements that have default as the first case label to be ill-formed switches.
- [CSTAT-512] The check MISRAC2012-Rule-9.2 generates a message when an aggregate initialization has a designated initializer of type struct or union, and the initializer expression has a compatible type.
- [CSTAT-511] Using the !tag comment directive does not suppress messages if there are multiline comments following the directive. For example:
    /*cstat !MISRAC2012-Dir-4.6_a */
    /* This is
     * a multiline comment */
    int a; /* Suppression not enabled */
- [CSTAT-510] The argument given to the --exclude option is treated as if the wildcard character (*) were appended to it, which can make it match more source files than intended.
- [CSTAT-509] The checks MISRAC2004-15.0, MISRAC2012-Rule-16.1, and MISRAC++2008-6-4-3 consider switch statements with nested blocks inside a case clause to be ill-formed switches.
- [CSTAT-507] If a file has generated messages from one analysis pass and is analyzed again (without clearing the analysis results first), the --exclude option has no effect.
- [CSTAT-503] The checks ARR-inv-index-ptr-pos, MISRAC++2008-5-0-16_f, MISRAC2012-Rule-18.1_d, and CERT-ARR30-C_d: dereferencing the address of a field access of a struct pointer can lead to an internal error if the field access is considered to be out of bounds. An example:
    typedef struct { int arr[2]; } S;
    S *s;
    *(&s->arr[3]) = 10;
- [CSTAT-502] The check MISRAC2012-Rule-16.3 issues a message when the default label is not the last case label and is declared as a fall-through.
- [CSTAT-501] The check MISRAC2012-Dir-4.6_a can report false positives when there are implicit or explicit casts on basic types in array definitions. For example:
    #include <stdint.h>
    uint8_t arr[ (uint8_t) 8u ];
- [CSTAT-500] In the C-STAT Static Analysis Guide, some checks that are identical do not have the same set of matching coding standards listed.
- [CSTAT-499] The checks LIB-sprintf-overrun and SEC-BUFFER-sprintf-overrun use the length of the unformatted second argument to the function sprintf for comparison with the first argument, instead of using the length after it has been formatted.
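As an added illustration of the CSTAT-499 point (not code from these release notes or from C-STAT): an overrun check has to compare the destination size with the length of the output after formatting, not with the length of the format string, since conversions expand. The helpers below compute both lengths, and safe_format shows a bounded replacement for sprintf; all names and the sample values are hypothetical.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The estimate the release note describes as the bug: the length of the
   unformatted format string, which ignores what the conversions expand to. */
size_t unformatted_len(const char *fmt)
{
    return strlen(fmt);
}

/* Length the formatted output will actually have, computed without writing
   anything: vsnprintf with a NULL buffer and size 0 only counts characters. */
size_t formatted_len(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for sprintf(dst, fmt, ...): never writes more than
   dst_size bytes. Returns 0 on success and -1 if the formatted text plus its
   terminating NUL would not fit (dst is then left as an empty string). */
int safe_format(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[8]; /* constructed sample: room for 7 characters plus the NUL */
    const char *fmt = "id=%d";
    printf("unformatted length: %zu\n", unformatted_len(fmt));          /* 5: looks safe */
    printf("formatted length:   %zu\n", formatted_len(fmt, 1234567));   /* 10: would overrun buf */
    printf("safe_format: %d\n", safe_format(buf, sizeof buf, fmt, 1234567)); /* -1: refused */
    return 0;
}
```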
- [CSTAT-496] Analyzing a module with several thousand globally defined variables can cause C-STAT to run out of memory.
- [CSTAT-489] The check CERT-ARR38-C_d looks for C library functions that manipulate arrays or objects. These functions take the number of elements to manipulate as one of their arguments. If C-STAT cannot determine this value, it can cause an internal error.
- [CSTAT-488] The checks MEM-stack-param, MISRAC++2008-7-5-2_c, MISRAC2004-17.6_d, MISRAC2012-Rule-1.3_s, MISRAC2012-Rule-18.6_d, and CERT-DCL30-C_e identify stack addresses assigned to pointer parameters. In some cases where the local variable is declared as static, this is wrongly considered a violation. Moreover, the checks incorrectly do not consider taking the address of a non-static local array to be a violation.
- [CSTAT-483] The check MISRAC++2008-5-0-8 incorrectly interprets explicit casts of a single variable in a return expression as a cvalue, for example, return static_cast<type>(var);
- [CSTAT-482] The check MISRAC2012-Rule-1.3_u calculates the size of the underlying type of an array of pointers incorrectly.
- [CSTAT-465] The check MISRAC++2008-2-10-6 incorrectly reports conflicting names for the same template if it is instantiated more than once.
- [CSTAT-454] The checks MISRAC++2008-0-2-1, MISRAC2004-18.2, MISRAC2012-Rule-19.1, and UNION-overlap-assign can produce a false positive regarding overlapping assignments if a union access is inside a subscript operator. For example:
    void fn()
    {
        union { int a; int b; } U;
        int arr[5];
        arr[U.a] = U.b; /* False positive here */
    }
- [CSTAT-453] The check MISRAC++2008-0-1-7 incorrectly gives a warning when the return value of an overloaded operator is discarded.
- [CSTAT-451] The check SEC-BUFFER-tainted-index can fail to identify a possible violation when a tainted value is passed as a function parameter and the function uses the tainted value as an array index.
- [CSTAT-450] The checks MISRAC++2008-5-0-15_a and MISRAC2004-17.4_a incorrectly allow pointer arithmetic to be used on structure members declared as pointers.
- [CSTAT-449] For the checks MISRAC++2008-5-0-13_c, MISRAC2004-13.2_c, and MISRAC2012-Rule-14.4_c, using a function pointer as a controlling expression generates a message even if the return type of the function is essentially Boolean.
- [CSTAT-440] Re-analyzing an unchanged source file in C-STAT can result in a lower number of messages reported compared to the previous analysis.
- [CSTAT-439] The checks CONST-member-ret and MISRAC++2008-9-3-1 generate a message when a const member function returns a pointer-to-const to class data, even if the member variable is declared as a pointer-to-const.
- [CSTAT-434] C-STAT can calculate the size of function parameters of type void * incorrectly, which leads to misleading analysis results.
- [CSTAT-433] The check MISRAC2012-Dir-4.6_a triggers erroneously if expr in int8_t arr[expr]; is a composite expression that contains implicit or explicit casts.
- [CSTAT-432] The check MISRAC2012-Rule-18.8 erroneously reports a problem with the declaration of a variable length array if expr in int arr[expr] is something other than a constant integer.
- [CSTAT-430] In the report of the analysis results, the table "Project wide enabled checks" incorrectly lists the enabled checks and all of their identical equivalents from other packages. Only the enabled checks should be listed.
- [CSTAT-427] Performing a re-analysis on a project that has messages in a header file, which in turn is included by more than one source file, can cause C-STAT to crash.
- [CSTAT-426] The check PTR-null-cmp-bef gives only one warning, regardless of how many violations of the rule it finds.
- [CSTAT-425] If C-STAT analyzes the same code a second time, and the only change in the code is an added comment directive, the directive does not have any effect.
- [CSTAT-424] C-STAT estimates the size of an array of pointers incorrectly.
- [CSTAT-421] The check for MISRAC++2008-6-5-4 incorrectly produces a message if the loop counter in a function is an iterator.
- [CSTAT-420] The checks for the rules MISRAC++2008-6-2-1 and MISRAC2012-Rule-13.4_b incorrectly generate a message for compiler-generated code with assignments in sub-expressions. (Such code patterns can be introduced by, for instance, range-based for loops.)
- [CSTAT-419] The comment directive for disabling a check for the immediately following function (//cstat #tag) can sometimes fail to disable the specified check.
- [CSTAT-418] The --exclude option does not work when the path is absolute.
- [CSTAT-417] In some cases, C-STAT interprets the result of the addition operators + or += as being of unsigned type, even if none of the operands are of unsigned type.
- [CSTAT-415] The check MISRAC2012-Dir-4.8 incorrectly warns when there is no pointer to a visible struct or union that can be dereferenced.
- [CSTAT-413] MISRAC2012-Rule-1.3_t: The message incorrectly says "copying x bytes to..." instead of "copying x bytes to/from...", even though the sizes of both the source and the destination of the memcpy function call are checked.
- [CSTAT-412] Using the wildcard character (*) in C-STAT comment directives has no effect.
- [CSTAT-411] When using comment characters and operators to disable or enable C-STAT messages for specific checks, /*cstat op [op op...]*/, the last op and */ must be separated by whitespace.
- [CSTAT-409] C-STAT can in some cases report an incorrect size for objects that are accessed via either the . (dot) or -> (arrow) operator.
- [CSTAT-408] For MISRAC2012-Rule-8.7, a function definition is incorrectly not considered a reference to a function.
- [CSTAT-407] MISRAC2012-Rule-14.1_a and MISRAC++2008-6-5-1_a incorrectly warn when any object in the controlling expression is of type float. These checks should only warn if the loop counter is of type float.
- [CSTAT-406] C-STAT can generate messages that incorrectly refer to line '0' (MISRAC2004-1.1 is an exception to this).
- [CSTAT-404] A typedef in a header file can incorrectly be seen as non-unique when the header file is included from multiple source files. This can make MISRAC2012-Rule-5.6 report a false positive.
- [CSTAT-403] Declarations in a header file can incorrectly be seen as multiple declarations when the header file is included from multiple source files, and make MISRAC2012-Rule-8.5_b generate a false positive.
- [CSTAT-402] Certain declarations, and break and continue statements inside if, for, and while statements, can make the check CERT-EXP19-C produce false positives.
- [CSTAT-401] MISRAC2012-Rule-13.1 yields a false positive because taking the address of a volatile object is considered an operation with a side effect.
- [CSTAT-400] Using NULL in assert macros triggers false positives for MISRAC2012-Rule-11.9.
- [CSTAT-399] C-STAT considers accessing a volatile object through the -> (arrow) or . (dot) operator as a volatile write operation.
- [CSTAT-398] It is not possible to suppress link analysis messages in C-STAT.
- [CSTAT-396] Using a section operator, for example __segment_begin, as a function parameter causes an internal error in C-STAT.
- [CSTAT-393] Running an analysis on an unchanged file with the check MISRAC2012-Dir-4.6_a enabled can in rare cases cause C-STAT to report an internal error.
- [CSTAT-392] The check MISRAC2012-Rule-13.1 reports a false positive when the right-hand side of an assignment is cast from a non-volatile value to a pointer-to-volatile value.
- [CSTAT-391] In some rare cases, C-STAT can misidentify how function parameters are used.
- [CSTAT-389] Arrays with more than 100 elements can cause C-STAT to crash if the check MISRAC2012-Rule-10.3 is enabled.
- [CSTAT-387] C-STAT incorrectly does not consider returning a struct from a function to be a use of the struct.
- [CSTAT-386] Source files larger than 16 MBytes can cause C-STAT to crash.
- [CSTAT-382] Specifying the C-STAT option --exclude with the parameter dir only works when all letters in dir are lower case.
- [CSTAT-377] Saving a function address is considered a function call. This can lead to false positives for checks that look for recursion, such as MISRAC2012-Rule-17.2_b.
- [CSTAT-375] If the analysis of a source file produces only suppressed messages, IAR Embedded Workbench does not output "Analyzing xxxx" in the Build window.
- [CSTAT-372] Array indices are calculated incorrectly when the array is a field (but not the first field) of a struct.
- [CSTAT-364] The severity level for the checks MISRAC2012-Rule-8.9_a and MISRAC2012-Rule-8.9_b is incorrect. It should be Low, not Medium.
User guide corrections
- None
Miscellaneous
- None
Release history
- None