Misra fix or suppress remaining violations #529
Conversation
alfred2g
force-pushed
the
misra_remaining
branch
2 times, most recently
from
8d2dcf3 to
2b59b8a
Compare
alfred2g
changed the title
| #define ipconfigNETWORK_MTU 1500 | ||
| #else | ||
| /* A sanity check to avoid a possible overflow of size_t. */ | ||
| #if ipconfigNETWORK_MTU > ( SIZE_MAX >> 1 ) |
There was a problem hiding this comment.
This should just trigger a #error.
alfred2g
force-pushed
the
misra_remaining
branch
from
4debf6f to
e3156cc
Compare
Co-authored-by: Aniruddha Kanhere <[email protected]>
| #### Rule 8.13 | ||
| _Ref 8.13.1_ | ||
|
|
||
| - MISRA C-2012 Rule 8.13 Parameter passed is never used, should be declared as |
There was a problem hiding this comment.
This should be re-worded to be more generic. Something like:
MISRA C-2012 Rule 8.13 encourages the use of const-qualified types whenever possible. However, the FreeRTOS API requires that all task entry functions conform to the same function signature (TaskFunction_t) which includes a single void * pointer argument. Due to this restriction, it is not possible to use a const qualifier for the entry point function to any FreeRTOS task.
There was a problem hiding this comment.
IMO: It's too specific to the particular instance. We're likely to run into this exact violation quite frequently.
There was a problem hiding this comment.
it is ok to be specific might be even desirable, we do support multiple References for specific cases
Co-authored-by: Aniruddha Kanhere <[email protected]>
Co-authored-by: Aniruddha Kanhere <[email protected]>
Co-authored-by: Aniruddha Kanhere <[email protected]>
Co-authored-by: Aniruddha Kanhere <[email protected]>
| #### Rule 21.6 | ||
| _Ref 21.6.1_ | ||
|
|
||
| - MISRA C-2012 Rule 21.6 warns about the use of standard library input/output |
There was a problem hiding this comment.
This justification should mention how we prevent misuse of printf-style functions. Mentioning "-Wformat-security" and/or specific Wformat options that are used when building unit tests would be helpful here.
|
|
||
| #### Rule 11.3 | ||
| _Ref 11.3.1_ | ||
|
|
There was a problem hiding this comment.
What about for 64-bit targets that do not allow 32-bit aligned access?
There was a problem hiding this comment.
We currently do not support any hardware with that feature/drawback the only 64 bit we currently support is RiscV and they do support unaligned access (if i am not mistaken)
when we support more 64bit hardware we will have to add code to cover that case.
There was a problem hiding this comment.
@paulbartell wrote:
What about for 64-bit targets that do not allow 32-bit aligned access?
A 64-bit target that do not allow 32-bit aligned access? I am not sure what you mean here.
@Alfred2 wrote:
We currently do not support any hardware with that feature/drawback the only 64 bit we currently support is RiscV
As for FreeRTOS+TCP, we also support the 64-bit UltraScale platform with a Cortex-A53.
I have never seen alignment problems with the casting of types.
There was a problem hiding this comment.
The Cortex-A53 is only strict about alignment when configured such in the SCTLR. It's pretty common to configure it to allow unaligned access.
In contrast, a Cortex-M0 (ARMv6-M) will always fail unaligned accesses.. but is 4-byte aligned.
SPARC and MIPS are both example of a 64bit architectures that do not support unaligned access... So de-referencing a 32-bit aligned pointer as a 64bit type could cause a fault at runtime.
In the case of FR+TCP, we're unlikely to run into this problem in particular.
alfred2g
force-pushed
the
misra_remaining
branch
from
0fc6dc7 to
464ff7b
Compare
|
|
||
| #### Rule 11.3 | ||
| _Ref 11.3.1_ | ||
|
|
There was a problem hiding this comment.
@paulbartell wrote:
What about for 64-bit targets that do not allow 32-bit aligned access?
A 64-bit target that do not allow 32-bit aligned access? I am not sure what you mean here.
@Alfred2 wrote:
We currently do not support any hardware with that feature/drawback the only 64 bit we currently support is RiscV
As for FreeRTOS+TCP, we also support the 64-bit UltraScale platform with a Cortex-A53.
I have never seen alignment problems with the casting of types.
| /* MISRA Ref 11.3.1 [Misaligned access] */ | ||
| /* More details at: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/main/MISRA.md#rule-113 */ | ||
| /* coverity[misra_c_2012_rule_11_3_violation] */ | ||
| *( ( NetworkBufferDescriptor_t ** ) ( pxReturn->pucEthernetBuffer ) ) = pxReturn; |
There was a problem hiding this comment.
*( ( NetworkBufferDescriptor_t ** ) ( pxReturn->pucEthernetBuffer ) ) = pxReturn;
In other places in the library, I have put asserts before assuming that a pointer can be written at a byte address. In this case, the character pointer was returned by pvPortMalloc(), and it is assumed that it is 4-byte aligned.
On my Xilinx UltraScale, the size of a pointer is 8 and pvPortMalloc() will make sure that only 64-bit aligned pointers are returned, see the portBYTE_ALIGNMENT macros for ARM_CA53_64_BIT:
#define portBYTE_ALIGNMENT 16
#define portBYTE_ALIGNMENT_MASK 0x000f
In case of a 64-bit platform, the macro ipconfigBUFFER_PADDING will be checked with asserts: it must be at least 14, and it must be a multiple of 4 plus 2 bytes:
/* This is a 64-bit platform, make sure there is enough space in
* pucEthernetBuffer to store a pointer. */
configASSERT( ( sizeof( uintptr_t ) != 8U ) || ( ipconfigBUFFER_PADDING >= 14 ) );
/* But it must have this strange alignment: */
configASSERT( ( sizeof( uintptr_t ) != 8U ) || ( ( ( ( ipconfigBUFFER_PADDING ) + 2 ) % 4 ) == 0 ) );
When ipconfigBUFFER_PADDING is defined, it will be assigned to ipBUFFER_PADDING.
5 participants
Fix Remaining Misra violations
Description
Fix Remaining and new misra violations
Test Steps
Misra checker + unit tests
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.