The AWS IoT Over-the-air Update library files conform to the MISRA C:2012 guidelines, with some noted exceptions. Compliance is checked with Coverity static analysis. Deviations from the MISRA standard are listed below:
To find where a deviation is referenced in the source files, grep the source tree for the reference string. For example, for a rule 21.3 violation with the justification in point 2 (Ref 21.3.2):
grep 'MISRA Ref 21.3.2' . -rI
Ref 8.6.1
- MISRA C-2012 Rule 8.6 requires an identifier with external linkage to have exactly one external definition. However, this variable is defined in the OTA platform abstraction layer implementation, which is not in this repository but in the C-SDK and amazon-freertos repositories, so this is a false positive.
Ref 8.13.1
- MISRA C-2012 Rule 8.13: there are multiple functions that all share the same signature so that they can be assigned to function pointers interchangeably. A few of them modify the OtaAgentContext_t that is passed in, so their parameter cannot be const-qualified, and because every handler must have the same type, the read-only handlers cannot take a const pointer either. To keep the assignment of these function pointers uniform, we suppress this rule on the functions that cannot have const added.
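The situation behind this deviation, as an added example that is not the library's code: a table of event handlers that must all have one pointer type. The DemoAgentContext_t, DemoErr_t and handler names below are hypothetical stand-ins for the OTA agent's types, chosen only to illustrate the point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the OTA agent context (not the library's type). */
typedef struct
{
    uint32_t blocksReceived;
    bool     imageAccepted;
} DemoAgentContext_t;

typedef enum { DEMO_OK = 0, DEMO_ERR_NOT_READY = 1 } DemoErr_t;

/* Every handler shares this exact signature so it fits in one table. */
typedef DemoErr_t ( * DemoEventHandler_t )( DemoAgentContext_t * pCtx );

/* Modifies the context: a const parameter is impossible here. */
static DemoErr_t demoOnBlockReceived( DemoAgentContext_t * pCtx )
{
    pCtx->blocksReceived++;
    return DEMO_OK;
}

/* Only reads the context. MISRA 8.13 asks for 'const DemoAgentContext_t *',
 * but that changes the function type and it could no longer be stored in a
 * DemoEventHandler_t slot, so the rule is deviated for handlers like this. */
static DemoErr_t demoOnCheckComplete( DemoAgentContext_t * pCtx )
{
    return ( pCtx->blocksReceived > 0U ) ? DEMO_OK : DEMO_ERR_NOT_READY;
}

static DemoErr_t demoOnActivate( DemoAgentContext_t * pCtx )
{
    pCtx->imageAccepted = true;
    return DEMO_OK;
}

typedef enum { DEMO_EV_BLOCK = 0, DEMO_EV_CHECK, DEMO_EV_ACTIVATE, DEMO_EV_COUNT } DemoEvent_t;

/* Uniform table: read-only and mutating handlers side by side. */
static const DemoEventHandler_t demoHandlers[ DEMO_EV_COUNT ] =
{
    demoOnBlockReceived,
    demoOnCheckComplete,
    demoOnActivate
};

/* Dispatch through the table, rejecting a NULL context or unknown event. */
DemoErr_t demoDispatch( DemoAgentContext_t * pCtx, DemoEvent_t ev )
{
    if( ( pCtx == NULL ) || ( ( int ) ev < 0 ) || ( ( int ) ev >= ( int ) DEMO_EV_COUNT ) )
    {
        return DEMO_ERR_NOT_READY;
    }
    return demoHandlers[ ev ]( pCtx );
}

/* Worked sequence: returns true only if each step behaves as expected. */
bool demoHandlerScenario( void )
{
    DemoAgentContext_t ctx = { 0U, false };

    if( demoDispatch( &ctx, DEMO_EV_CHECK ) != DEMO_ERR_NOT_READY ) return false; /* nothing received yet */
    if( demoDispatch( &ctx, DEMO_EV_BLOCK ) != DEMO_OK ) return false;
    if( ctx.blocksReceived != 1U ) return false;
    if( demoDispatch( &ctx, DEMO_EV_CHECK ) != DEMO_OK ) return false;
    if( demoDispatch( &ctx, DEMO_EV_ACTIVATE ) != DEMO_OK ) return false;
    return ctx.imageAccepted;
}
```

Adding const to demoOnCheckComplete's parameter would make its address incompatible with DemoEventHandler_t, so the choice is between one uniform table with a suppressed rule, or a per-handler type with a cast at every assignment.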
Ref 10.1.1
- MISRA C-2012 Rule 10.1 requires the operands of a bitwise operator to be of unsigned type. However, the O_CREAT and O_RDWR flags come from the standard Linux header and combining them with a bitwise OR is the normal way of using them, so we silence the warning here.
Ref 10.8.1
- MISRA C-2012 Rule 10.8 does not allow casting a value from an unsigned to a signed type. Since OTA_PAL_SUB_ERR() ANDs its input with 0xffffffuL, the most significant byte of the 32-bit value is always cleared, so the result is at most 0x00FFFFFF and the cast to a signed type cannot overflow.
Ref 11.8.1
- MISRA C-2012 Rule 11.8 raises an error if certain variables are not marked as const, even when those variables are modified in the function. There are two occurrences where, to get around that error, we suppress the rule.
Ref 19.2.1
- MISRA C-2012 Rule 19.2: unions are used to reduce the memory footprint and to represent packet formats in the FreeRTOS network stack.
Ref 21.5.1
- MISRA C-2012 Rule 21.5 prohibits the use of signal.h because of undefined behavior. However, this implementation is on POSIX, which has well-defined behavior, and we use the POSIX timer functionality, so we deviate from this rule.
Ref 21.10.1
- MISRA C-2012 Rule 21.10 prohibits the use of time.h because its behavior is implementation-dependent or unspecified. However, this implementation is on POSIX, which has well-defined behavior.
Ref 21.3.1
- MISRA C-2012 Rule 21.3 prohibits the use of malloc and free from stdlib.h because of undefined behavior. The library has checks in place to make sure that the memory is allocated before accessing it. Additionally, the library makes sure that the memory is written to before it is read from, thereby not returning garbage data. Furthermore, the library is tested with AddressSanitizer to verify that memory being freed has been dynamically allocated and that there is no memory leak. After freeing the memory pointed to by a pointer, the pointer is set to NULL to prevent use-after-free bugs.
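The discipline described above (check the allocation before use, write before read, NULL the pointer after free), as an added example that is not the library's code. DemoBlock_t and the demoBlock* helpers are hypothetical names, and the payload bytes are constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a dynamically sized data block (not the library's type). */
typedef struct
{
    uint8_t * pData;   /* NULL whenever no buffer is owned. */
    size_t    length;
} DemoBlock_t;

/* Allocate and fully initialise the buffer before anything can read it.
 * Returns false and leaves the block empty if allocation fails. */
bool demoBlockAlloc( DemoBlock_t * pBlock, size_t length )
{
    if( ( pBlock == NULL ) || ( length == 0U ) ) return false;
    pBlock->pData = NULL;
    pBlock->length = 0U;

    uint8_t * p = ( uint8_t * ) malloc( length );
    if( p == NULL ) return false;   /* allocation checked before any access */
    memset( p, 0, length );         /* written before it can be read */
    pBlock->pData = p;
    pBlock->length = length;
    return true;
}

/* Copy payload into the block, bounds-checked against the allocated length. */
bool demoBlockWrite( DemoBlock_t * pBlock, const uint8_t * pSrc, size_t n )
{
    if( ( pBlock == NULL ) || ( pBlock->pData == NULL ) || ( pSrc == NULL ) ) return false;
    if( n > pBlock->length ) return false;
    memcpy( pBlock->pData, pSrc, n );
    return true;
}

/* Release the buffer and NULL the pointer so a later use fails the NULL
 * check instead of becoming a use-after-free. Safe to call twice. */
void demoBlockFree( DemoBlock_t * pBlock )
{
    if( pBlock == NULL ) return;
    free( pBlock->pData );   /* free(NULL) is a no-op */
    pBlock->pData = NULL;
    pBlock->length = 0U;
}

/* Worked sequence: returns the sum of the bytes read back while the block
 * is live, or -1 if a step that must fail did not. */
int demoBlockScenario( void )
{
    static const uint8_t payload[ 4 ] = { 1U, 2U, 3U, 4U };   /* constructed sample input */
    DemoBlock_t blk = { NULL, 0U };
    int sum = 0;

    if( !demoBlockAlloc( &blk, 8U ) ) return -1;
    if( demoBlockWrite( &blk, payload, 9U ) ) return -1;                /* oversized write rejected */
    if( !demoBlockWrite( &blk, payload, sizeof( payload ) ) ) return -1;
    for( size_t i = 0U; i < blk.length; i++ ) sum += blk.pData[ i ];    /* zeroed tail reads as 0 */

    demoBlockFree( &blk );
    if( demoBlockWrite( &blk, payload, 1U ) ) return -1;                /* use after free caught by NULL check */
    demoBlockFree( &blk );                                              /* double free is harmless */
    return sum;
}
```

Running this under AddressSanitizer (-fsanitize=address) is the check the text refers to: it reports any free of a pointer that did not come from malloc and any buffer still allocated at exit.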
Ref 21.3.2
- MISRA C-2012 Rule 21.3 prohibits the use of malloc and free from stdlib.h, however, we're only defining the interface here. On FreeRTOS this is implemented with pvPortMalloc and vPortFree, and on Linux it's implemented with standard C malloc and free. This is a false positive.
Ref 21.8.1
- MISRA C-2012 Rule 21.8 does not allow the use of some of the functions in stdlib.h. One of the OTA platform abstraction layer interfaces, abort, is flagged for this violation. This is implemented by a platform abstraction layer and always called through the OTA PAL interface.