<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<title>CMSIS-RTOS2: MISRA C:2012 Compliance</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<link href="cmsis.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<script type="text/javascript" src="printComponentTabs.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
$(document).ready(initResizable);
$(window).load(resizeHeight);
</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/search.js"></script>
<script type="text/javascript">
$(document).ready(function() { searchBox.OnSelectItem(0); });
</script>
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 46px;">
<td id="projectlogo"><img alt="Logo" src="CMSIS_Logo_Final.png"/></td>
<td style="padding-left: 0.5em;">
<div id="projectname">CMSIS-RTOS2
&#160;<span id="projectnumber">Version 2.1.3</span>
</div>
<div id="projectbrief">Real-Time Operating System: API and RTX Reference Implementation</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<div id="CMSISnav" class="tabs1">
<ul class="tablist">
<script type="text/javascript">
<!--
writeComponentTabs.call(this);
//-->
</script>
</ul>
</div>
<!-- Generated by Doxygen 1.8.6 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<div id="navrow1" class="tabs">
<ul class="tablist">
<li><a href="index.html"><span>Main&#160;Page</span></a></li>
<li class="current"><a href="pages.html"><span>Usage&#160;and&#160;Description</span></a></li>
<li><a href="modules.html"><span>Reference</span></a></li>
<li>
<div id="MSearchBox" class="MSearchBoxInactive">
<span class="left">
<img id="MSearchSelect" src="search/mag_sel.png"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
alt=""/>
<input type="text" id="MSearchField" value="Search" accesskey="S"
onfocus="searchBox.OnSearchFieldFocus(true)"
onblur="searchBox.OnSearchFieldFocus(false)"
onkeyup="searchBox.OnSearchFieldChange(event)"/>
</span><span class="right">
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
</span>
</div>
</li>
</ul>
</div>
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
<div id="nav-tree">
<div id="nav-tree-contents">
<div id="nav-sync" class="sync"></div>
</div>
</div>
<div id="splitbar" style="-moz-user-select:none;"
class="ui-resizable-handle">
</div>
</div>
<script type="text/javascript">
$(document).ready(function(){initNavTree('misraCompliance5.html','');});
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&#160;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&#160;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&#160;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&#160;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&#160;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&#160;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&#160;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&#160;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&#160;</span>Macros</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(9)"><span class="SelectionMark">&#160;</span>Groups</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(10)"><span class="SelectionMark">&#160;</span>Pages</a></div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div class="header">
<div class="headertitle">
<div class="title">MISRA C:2012 Compliance </div> </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p>The RTX5 C source files use <b><a href="http://www.misra.org.uk/" class="el" target="_blank">MISRA C:2012</a></b> guidelines as the underlying coding standard.</p>
<p>For MISRA validation, <b><a href="http://www.gimpel.com/" class="el" target="_blank">PC-lint</a></b> V9.00L is used with a configuration for Arm Compiler V6.9. The PC-Lint validation setup is part of the project file <b>.\CMSIS\RTOS2\RTX\Library\ARM\MDK\RTX_CM.uvprojx</b> as shown below. Refer to <b><a href="http://www.keil.com/support/man/docs/uv4/uv4_ut_pclint_validation.htm" class="el" target="_blank">Setup for PC-Lint</a></b> for more information.</p>
<div class="image">
<img src="PC-Lint.png" alt="PC-Lint.png"/>
<div class="caption">
Running PC-Lint within MDK - uVision</div></div>
<p> The PC-Lint configuration uses the following Options under <b>Tools - PC-Lint Setup...</b>:</p>
<ul>
<li>Config File: co-ARMCC-6.lnt (20-Mar-2017) with additional options: <div class="fragment"><div class="line">+rw(__restrict)</div>
<div class="line">-esym(526,__builtin_*) -esym(628,__builtin_*)</div>
<div class="line">-sem(__builtin_clz, pure)</div>
<div class="line">+doffsetof(t,m)=((size_t)&amp;((t*)0)-&gt;m) -emacro((413,923,9078),offsetof)</div>
<div class="line">-ecall(534,__disable_irq)</div>
</div><!-- fragment --></li>
<li>Included Project Information:<ul>
<li>Enable: Add 'Include' paths</li>
<li>Enable: Add 'Software Packs' paths</li>
<li>Enable: Verify 'Software Packs' includes</li>
<li>Enable: Add 'Preprocessor' symbols</li>
<li>Enable: Add 'Define' symbols</li>
</ul>
</li>
<li>MISRA Rules Setup and Configuration:<ul>
<li>MISRQ_C_2012_Config.lnt; all rules enabled</li>
<li>includes definition file: au-misra3.lnt (12-Jun-2014)</li>
</ul>
</li>
<li>Additional Lint Commands (for both single and multiple files): <div class="fragment"><div class="line">-emacro(835,<a class="code" href="rtx__os_8h.html#a0eb4da5bed45820d732e23483b870152">osRtxConfigPrivilegedMode</a>)</div>
</div><!-- fragment --></li>
</ul>
<p>The C source code is annotated with PC-Lint control comments to allow MISRA deviations. These deviations and the underlying design decisions are described below.</p>
<h2>Deviations </h2>
<p>The RTX source code has the following deviations from MISRA:</p>
<ul>
<li><a class="el" href="misraCompliance5.html#MISRA_1">[MISRA Note 1]: Return statements for parameter checking</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_2">[MISRA Note 2]: Object identifiers are void pointers</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_3">[MISRA Note 3]: Conversion to unified object control blocks</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_4">[MISRA Note 4]: Conversion from unified object control blocks</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_5">[MISRA Note 5]: Conversion to object types</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_6">[MISRA Note 6]: Conversion from user provided storage</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_7">[MISRA Note 7]: Check for proper pointer alignment</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_8">[MISRA Note 8]: Memory allocation management</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_9">[MISRA Note 9]: Pointer conversions for register access</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_10">[MISRA Note 10]: SVC calls use function-like macros</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_11">[MISRA Note 11]: SVC calls use assembly code</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_12">[MISRA Note 12]: Usage of exclusive access instructions</a></li>
<li><a class="el" href="misraCompliance5.html#MISRA_13">[MISRA Note 13]: Usage of Event Recorder</a></li>
</ul>
<p>All source code deviations are clearly marked and in summary these deviations affect the following MISRA rules:</p>
<ul>
<li>[MISRA 2012 Directive 4.9, advisory]: A function should be used in preference to a function-like macro where they are interchangeable</li>
<li>[MISRA 2012 Rule 1.3, required]: There shall be no occurrence of undefined or critical unspecified behavior</li>
<li>[MISRA 2012 Rule 10.3, required]: Expression assigned to a narrower or different essential type</li>
<li>[MISRA 2012 Rule 10.5, advisory]: Impermissible cast; cannot cast from 'essentially unsigned' to 'essentially enum&lt;i&gt;'</li>
<li>[MISRA 2012 Rule 11.1, required]: Conversions shall not be performed between a pointer to a function and any other type</li>
<li>[MISRA 2012 Rule 11.3, required]: A cast shall not be performed between a pointer to object type and a pointer to a different object type</li>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.5, advisory]: A conversion should not be performed from pointer to void into pointer to object</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
<li>[MISRA 2012 Rule 15.5, advisory]: A function should have a single point of exit at the end</li>
<li>[MISRA 2012 Rule 20.10, advisory]: The # and ## preprocessor operators should not be used</li>
</ul>
<p>In the following all deviations are described in detail.</p>
<h1><a class="anchor" id="MISRA_1"></a>
[MISRA Note 1]: Return statements for parameter checking</h1>
<p>Return statements are used at the beginning of several functions to validate parameter values and object states. The function returns immediately without any side-effects and typically an error status is set. This structure keeps the source code better structured and easier to understand.</p>
<p>This design decision implies the following MISRA deviation:</p>
<ul>
<li>[MISRA 2012 Rule 15.5, advisory]: A function should have a single point of exit at the end</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{904} &quot;Return statement before end of function&quot; [MISRA Note 1]</span></div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_2"></a>
[MISRA Note 2]: Object identifiers are void pointers</h1>
<p>CMSIS-RTOS is independent of an underlying RTOS implementation. The object identifiers are therefore defined as void pointers to:</p>
<ul>
<li>allow application programs that are agnostic of the underlying RTOS implementation.</li>
<li>avoid accidental access to an RTOS control block from an application program.</li>
</ul>
<p>These design decisions imply the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.3, required]: A cast shall not be performed between a pointer to object type and a pointer to a different object type</li>
<li>[MISRA 2012 Rule 11.5, advisory]: A conversion should not be performed from pointer to void into pointer to object</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{9079} -e{9087} &quot;cast from pointer to void to pointer to object type&quot; [MISRA Note 2]</span></div>
</div><!-- fragment --><p>In the RTX5 implementation the required pointer conversions are implemented in the header file rtx_lib.h with the following inline functions:</p>
<div class="fragment"><div class="line"><a class="code" href="rtx__os_8h.html#structosRtxThread__t">osRtxThread_t</a> *osRtxThreadId (osThread_t thread_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxTimer__t">osRtxTimer_t</a> *osRtxTimerId (osTimer_t timer_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxEventFlags__t">osRtxEventFlags_t</a> *osRtxEventFlagsId (osEventFlags_t ef_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMutex__t">osRtxMutex_t</a> *osRtxMutexId (osMutex_t mutex_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxSemaphore__t">osRtxSemaphore_t</a> *osRtxSemaphoreId (osSemaphore_t semaphore_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMemoryPool__t">osRtxMemoryPool_t</a> *osRtxMemoryPoolId (<a class="code" href="group__CMSIS__RTOS__PoolMgmt.html#ga2e44473caf338266f56800960294f960">osMemoryPoolId_t</a> mp_id);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMessageQueue__t">osRtxMessageQueue_t</a> *osRtxMessageQueueId(<a class="code" href="cmsis__os2_8h.html#a206dbc05367e03c39fc6d4d1ebcff317">osMessageQueueId_t</a> mq_id);</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_3"></a>
[MISRA Note 3]: Conversion to unified object control blocks</h1>
<p>RTX uses a unified object control block structure that contains common object members. The unified control blocks use a fixed layout at the beginning of the structure and always start with an object identifier. This allows common object functions that receive a pointer to a unified object control block and reference only the pointer or the members in the fixed layout. Using common object functions and data (for example the ISR queue) reduces code complexity and keeps the source code better structured. Refer also to <a class="el" href="misraCompliance5.html#MISRA_4">[MISRA Note 4]: Conversion from unified object control blocks</a>.</p>
<p>These design decisions imply the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.3, required]: A cast shall not be performed between a pointer to object type and a pointer to a different object type</li>
<li>[MISRA 2012 Rule 11.5, advisory]: A conversion should not be performed from pointer to void into pointer to object</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{9079} -e{9087} &quot;cast from pointer to void to pointer to object type&quot; [MISRA Note 3]</span></div>
</div><!-- fragment --><p>In the RTX5 implementation the required pointer conversions are implemented in the header file <em>rtx_lib.h</em> with the following inline function:</p>
<div class="fragment"><div class="line"><a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *osRtxObject (<span class="keywordtype">void</span> *<span class="keywordtype">object</span>);</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_4"></a>
[MISRA Note 4]: Conversion from unified object control blocks</h1>
<p>RTX uses a unified object control block structure that contains common object members. Refer to <a class="el" href="misraCompliance5.html#MISRA_3">[MISRA Note 3]: Conversion to unified object control blocks</a> for more information. To process specific control block data, pointer conversions are required.</p>
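<p>The conversions described in MISRA Notes 2 to 4, as an added example that is not part of the RTX5 source: an opaque <code>void *</code> handle is converted to a shared object header and from there to a specific control block. All <code>demo_*</code> and <code>DEMO_*</code> names and identifier values are hypothetical; embedding the header as the first member and checking the identifier before the downcast are this example's own choices.</p>

```c
/* Added example: hypothetical names, not RTX5 source code. */
#include <stddef.h>
#include <stdint.h>

/* Object identifiers (values constructed for this example). */
#define DEMO_ID_INVALID 0x00U
#define DEMO_ID_THREAD  0xF1U
#define DEMO_ID_TIMER   0xF2U

/* Fixed layout shared by every control block; the identifier comes first. */
typedef struct {
  uint8_t id;
  uint8_t state;
  uint8_t flags;
  uint8_t reserved;
} demo_object_t;

/* Specific control blocks: the shared header must stay the first member,
   so a pointer to the block is also a valid pointer to the header. */
typedef struct {
  demo_object_t obj;
  uint32_t      priority;
} demo_thread_t;

typedef struct {
  demo_object_t obj;
  uint32_t      period;
} demo_timer_t;

/* Handles as an application sees them: no control block type is visible. */
typedef void *demo_thread_id_t;
typedef void *demo_timer_id_t;

/* Note 3 direction: any control block (or handle) to the unified header.
   This is the single place where the void* conversion happens. */
static demo_object_t *demo_object(void *object) {
  return (demo_object_t *)object;
}

/* Common object function: touches only members of the fixed layout. */
uint8_t demo_object_id(void *object) {
  return (object != NULL) ? demo_object(object)->id : DEMO_ID_INVALID;
}

/* Note 4 direction: unified header to a specific control block.
   The downcast is only performed when the identifier matches. */
demo_thread_t *demo_thread_object(demo_object_t *object) {
  if ((object == NULL) || (object->id != DEMO_ID_THREAD)) {
    return NULL;
  }
  return (demo_thread_t *)object;
}

demo_timer_t *demo_timer_object(demo_object_t *object) {
  if ((object == NULL) || (object->id != DEMO_ID_TIMER)) {
    return NULL;
  }
  return (demo_timer_t *)object;
}

/* API-level function: a handle of the wrong kind, a NULL handle or a
   handle whose identifier was cleared is rejected and nothing is written. */
int demo_thread_set_priority(demo_thread_id_t thread_id, uint32_t priority) {
  demo_thread_t *thread = demo_thread_object(demo_object(thread_id));
  if (thread == NULL) {
    return -1;
  }
  thread->priority = priority;
  return 0;
}

int main(void) {
  /* Constructed sample objects. */
  demo_thread_t th = { { DEMO_ID_THREAD, 0U, 0U, 0U }, 1U };
  demo_timer_t  tm = { { DEMO_ID_TIMER,  0U, 0U, 0U }, 100U };

  int ok = (demo_thread_set_priority(&th, 5U) == 0)
        && (demo_thread_set_priority(&tm, 5U) == -1)   /* wrong object kind */
        && (tm.period == 100U);                        /* timer untouched   */
  return ok ? 0 : 1;
}
```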
<p>These design decisions imply the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 1.3, required]: There shall be no occurrence of undefined or critical unspecified behavior</li>
<li>[MISRA 2012 Rule 11.3, required]: A cast shall not be performed between a pointer to object type and a pointer to a different object type</li>
</ul>
<p>In addition PC-Lint issues:</p>
<ul>
<li>Info 826: Suspicious pointer-to-pointer conversion (area too small)</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{740} -e{826} -e{9087} &quot;cast from pointer to generic object to specific object&quot; [MISRA Note 4]</span></div>
</div><!-- fragment --><p>In the RTX5 source code the required pointer conversions are implemented in the header file <em>rtx_lib.h</em> with the following inline functions:</p>
<div class="fragment"><div class="line"><a class="code" href="rtx__os_8h.html#structosRtxThread__t">osRtxThread_t</a> *osRtxThreadObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxTimer__t">osRtxTimer_t</a> *osRtxTimerObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxEventFlags__t">osRtxEventFlags_t</a> *osRtxEventFlagsObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMutex__t">osRtxMutex_t</a> *osRtxMutexObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxSemaphore__t">osRtxSemaphore_t</a> *osRtxSemaphoreObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMemoryPool__t">osRtxMemoryPool_t</a> *osRtxMemoryPoolObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMessageQueue__t">osRtxMessageQueue_t</a> *osRtxMessageQueueObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
<div class="line"><a class="code" href="rtx__os_8h.html#structosRtxMessage__t">osRtxMessage_t</a> *osRtxMessageObject (<a class="code" href="rtx__os_8h.html#structosRtxObject__t">osRtxObject_t</a> *<span class="keywordtype">object</span>);</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_5"></a>
[MISRA Note 5]: Conversion to object types</h1>
<p>The RTX5 kernel has common memory management functions that use void pointers. These memory allocation functions return a void pointer which is correctly aligned for object types.</p>
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.5, advisory]: A conversion should not be performed from pointer to void into pointer to object</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{9079} &quot;conversion from pointer to void to pointer to other type&quot; [MISRA Note 5]</span></div>
</div><!-- fragment --><p>Code example:</p>
<div class="fragment"><div class="line">os_thread_t *thread;</div>
<div class="line"> :</div>
<div class="line"><span class="comment">//lint -e{9079} &quot;conversion from pointer to void to pointer to other type&quot; [MISRA Note 5]</span></div>
<div class="line">thread = osRtxMemoryPoolAlloc(<a class="code" href="rtx__os_8h.html#ad2270125c4e4991c3231d752b6ee5f3f">osRtxInfo</a>.<a class="code" href="rtx__os_8h.html#a13aeb46a18b12ae911abead8e497ffd3">mpi</a>.<a class="code" href="rtx__os_8h.html#a540b2b79850c654b3f5756c488314b8d">thread</a>);</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_6"></a>
[MISRA Note 6]: Conversion from user provided storage</h1>
<p>CMSIS-RTOS2 and RTX5 support user provided storage for object control blocks, stack, and data storage. The API uses void pointers to define the location of this user provided storage. It is therefore required to cast the void pointer to underlying storage types. Alignment restrictions of user provided storage are checked before accessing memory. Refer also to <a class="el" href="misraCompliance5.html#MISRA_7">[MISRA Note 7]: Check for proper pointer alignment</a>.</p>
<p>These design decisions imply the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.3, required]: A cast shall not be performed between a pointer to object type and a pointer to a different object type</li>
<li>[MISRA 2012 Rule 11.5, advisory]: A conversion should not be performed from pointer to void into pointer to object</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e{9079} &quot;conversion from pointer to void to pointer to other type&quot; [MISRA Note 6]</span></div>
</div><!-- fragment --><p>Code example: </p>
<div class="fragment"><div class="line"><span class="keyword">static</span> <a class="code" href="group__CMSIS__RTOS__TimerMgmt.html#gaad5409379689ee27bb0a0b56ea4a4b34">osTimerId_t</a> svcRtxTimerNew (<a class="code" href="group__CMSIS__RTOS__TimerMgmt.html#gaacf768c1ec64b020598afb985d7b30be">osTimerFunc_t</a> func, <a class="code" href="group__CMSIS__RTOS__TimerMgmt.html#ga7dc24a4c2b90334427081c3da7a71915">osTimerType_t</a> type, <span class="keywordtype">void</span> *argument, <span class="keyword">const</span> <a class="code" href="group__CMSIS__RTOS__TimerMgmt.html#structosTimerAttr__t">osTimerAttr_t</a> *attr) {</div>
<div class="line"> os_timer_t *timer;</div>
<div class="line"> :</div>
<div class="line"> <span class="keywordflow">if</span> (attr != NULL) {</div>
<div class="line"> :</div>
<div class="line"> <span class="comment">//lint -e{9079} &quot;conversion from pointer to void to pointer to other type&quot; [MISRA Note 6]</span></div>
<div class="line"> timer = attr-&gt;<a class="code" href="group__CMSIS__RTOS__TimerMgmt.html#a1e100dc33d403841ed3c344e3397868e">cb_mem</a>;</div>
<div class="line"> :</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_7"></a>
[MISRA Note 7]: Check for proper pointer alignment</h1>
<p>RTX5 verifies the alignment of user provided storage for object control blocks, stack, and data storage. Refer also to <a class="el" href="misraCompliance5.html#MISRA_6">[MISRA Note 6]: Conversion from user provided storage</a> for more information.</p>
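<p>The checks described in MISRA Notes 6 and 7, as an added example that is not part of the RTX5 source: caller-supplied storage is validated before the <code>void *</code> pointer is converted to an object pointer. All <code>demo_*</code> names and the status codes are hypothetical, and <code>uintptr_t</code> is used for the pointer-to-integer conversion so that the example also runs on a 64-bit host.</p>

```c
/* Added example: hypothetical names, not RTX5 source code. */
#include <stddef.h>
#include <stdint.h>

typedef enum {
  DEMO_OK = 0,
  DEMO_ERR_NULL,
  DEMO_ERR_ALIGN,
  DEMO_ERR_SIZE
} demo_status_t;

/* Hypothetical control block standing in for an RTOS object type. */
typedef struct {
  uint8_t  id;
  uint8_t  state;
  uint16_t flags;
  uint32_t tick;
} demo_timer_t;

/* The pointer-to-integer conversion that Rules 11.4 and 11.6 flag.
   Keeping it in one helper leaves a single place to review and annotate.
   align must be a power of two. */
static int demo_is_aligned(const void *p, uintptr_t align) {
  return (((uintptr_t)p) & (align - 1U)) == 0U;
}

/* Validate caller-supplied control block storage, then convert it.
   *out is only set to a usable pointer when every check has passed. */
demo_status_t demo_timer_from_storage(void *cb_mem, uint32_t cb_size,
                                      demo_timer_t **out) {
  *out = NULL;
  if (cb_mem == NULL) {
    return DEMO_ERR_NULL;
  }
  if (!demo_is_aligned(cb_mem, _Alignof(demo_timer_t))) {
    return DEMO_ERR_ALIGN;    /* a misaligned block is never dereferenced */
  }
  if (cb_size < sizeof(demo_timer_t)) {
    return DEMO_ERR_SIZE;     /* a too-small block is never written */
  }
  *out = (demo_timer_t *)cb_mem;  /* void* to object pointer (Rule 11.5) */
  return DEMO_OK;
}

/* Stack storage check using the 8-byte mask and the zero-size test from
   the page's svcRtxThreadNew fragment, reported as separate errors. */
demo_status_t demo_check_stack(const void *stack_mem, uint32_t stack_size) {
  if (stack_mem == NULL) {
    return DEMO_ERR_NULL;
  }
  if ((((uintptr_t)stack_mem) & 7U) != 0U) {
    return DEMO_ERR_ALIGN;
  }
  if (stack_size == 0U) {
    return DEMO_ERR_SIZE;
  }
  return DEMO_OK;
}

/* Constructed sample storage; uint64_t elements give 8-byte alignment. */
static uint64_t demo_storage[8];

int main(void) {
  demo_timer_t *timer;
  uint8_t *bytes = (uint8_t *)demo_storage;

  int ok = (demo_timer_from_storage(bytes, (uint32_t)sizeof demo_storage, &timer) == DEMO_OK)
        && (demo_timer_from_storage(bytes + 1, 32U, &timer) == DEMO_ERR_ALIGN)
        && (demo_check_stack(bytes + 4, 64U) == DEMO_ERR_ALIGN);
  return ok ? 0 : 1;
}
```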
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e(923) -e(9078) &quot;cast from pointer to unsigned int&quot; [MISRA Note 7]</span></div>
</div><!-- fragment --><p>Code example: </p>
<div class="fragment"><div class="line"><span class="keyword">static</span> <a class="code" href="group__CMSIS__RTOS__ThreadMgmt.html#gaa6c32fe2a3e0a2e01f212d55b02e51c7">osThreadId_t</a> svcRtxThreadNew (<a class="code" href="group__CMSIS__RTOS__ThreadMgmt.html#gadd51f99a6eb50b94eee75f27cae815eb">osThreadFunc_t</a> func, <span class="keywordtype">void</span> *argument, <span class="keyword">const</span> <a class="code" href="group__CMSIS__RTOS__ThreadMgmt.html#structosThreadAttr__t">osThreadAttr_t</a> *attr) {</div>
<div class="line"> :</div>
<div class="line"> <span class="keywordtype">void</span> *stack_mem;</div>
<div class="line"> :</div>
<div class="line"> <span class="keywordflow">if</span> (stack_mem != NULL) {</div>
<div class="line"> <span class="comment">//lint -e(923) -e(9078) &quot;cast from pointer to unsigned int&quot; [MISRA Note 7]</span></div>
<div class="line"> <span class="keywordflow">if</span> ((((uint32_t)stack_mem &amp; 7U) != 0U) || (stack_size == 0U)) {</div>
<div class="line"> :</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_8"></a>
[MISRA Note 8]: Memory allocation management</h1>
<p>RTX5 implements memory allocation functions which require pointer arithmetic to manage memory. The structure with the type <em>mem_block_t</em> that is used to manage memory allocation blocks is defined in <em>rtx_memory.c</em>.</p>
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e(923) -e(9078) &quot;cast from pointer to unsigned int&quot; [MISRA Note 8]</span></div>
</div><!-- fragment --><p>The required pointer arithmetic is implemented in <em>rtx_memory.c</em> with the following function: </p>
<div class="fragment"><div class="line">__STATIC_INLINE mem_block_t *MemBlockPtr (<span class="keywordtype">void</span> *mem, uint32_t offset) {</div>
<div class="line"> uint32_t addr;</div>
<div class="line"> mem_block_t *ptr;</div>
<div class="line"></div>
<div class="line"> <span class="comment">//lint --e{923} --e{9078} &quot;cast between pointer and unsigned int&quot; [MISRA Note 8]</span></div>
<div class="line"> addr = (uint32_t)mem + offset;</div>
<div class="line"> ptr = (mem_block_t *)addr;</div>
<div class="line"></div>
<div class="line"> <span class="keywordflow">return</span> ptr;</div>
<div class="line">}</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_9"></a>
[MISRA Note 9]: Pointer conversions for register access</h1>
<p>The CMSIS-Core peripheral register blocks are accessed using a structure. The memory address of this structure is specified as an unsigned integer number. Pointer conversions are required to access the specific registers.</p>
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
</ul>
<p>All locations in the source code are marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -emacro((923,9078),SCB) &quot;cast from unsigned long to pointer&quot; [MISRA Note 9]</span></div>
</div><!-- fragment --><p>Code example: </p>
<div class="fragment"><div class="line"><span class="preprocessor">#define SCS_BASE (0xE000E000UL)</span></div>
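<div class="line"><span class="preprocessor"></span><span class="preprocessor">#define SCB_BASE (SCS_BASE + 0x0D00UL)</span></div>
<div class="line"><span class="preprocessor"></span><span class="preprocessor">#define SCB ((SCB_Type *)SCB_BASE)</span></div>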
<div class="line"><span class="preprocessor"></span><span class="keyword">typedef</span> <span class="keyword">struct </span>{...} SCB_Type;</div>
<div class="line"></div>
<div class="line">SCB-&gt;... = ...;</div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_10"></a>
[MISRA Note 10]: SVC calls use function-like macros</h1>
<p>RTX5 uses SVC (Service Calls) to switch between thread mode (for user code execution) and handler mode (for RTOS kernel execution). The SVC function call mechanism is implemented with assembly instructions to construct the code for SVC. The source code uses C function-like macros to generate the parameter passing for variables depending on macro parameters. Alternative replacement code would be complex. The C macros use multiple '##' operators; however, it has been verified that the order of evaluation is irrelevant and the result of macro expansion is always predictable.</p>
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Directive 4.9, advisory]: A function should be used in preference to a function-like macro where they are interchangeable</li>
<li>[MISRA 2012 Rule 1.3, required]: There shall be no occurrence of undefined or critical unspecified behavior</li>
<li>[MISRA 2012 Rule 20.10, advisory]: The # and ## preprocessor operators should not be used</li>
</ul>
<p>The relevant source code is in the file <em>rtx_core_cm.h</em> and is marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -save -e9023 -e9024 -e9026 &quot;Function-like macros using &#39;#/##&#39;&quot; [MISRA Note 10]</span></div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_11"></a>
[MISRA Note 11]: SVC calls use assembly code</h1>
<p>The SVC (Service Call) functions are constructed as a mix of C and inline assembly because access to CPU registers is required for parameter passing. The function parameters are mapped to the CPU registers R0..R3 and the SVC function number to CPU register R12 (or R7). For assembly inter-working the function parameters are cast to unsigned int values.</p>
<p>The function return value after the SVC call is mapped to the CPU register R0. The return value is cast from unsigned int to the target value.</p>
<p>It has been verified that this method has no side-effects and is well defined.</p>
<p>This design decision implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 10.3, required]: Expression assigned to a narrower or different essential type</li>
<li>[MISRA 2012 Rule 10.5, advisory]: Impermissible cast; cannot cast from 'essentially unsigned' to 'essentially enum&lt;i&gt;'</li>
<li>[MISRA 2012 Rule 11.1, required]: Conversions shall not be performed between a pointer to a function and any other type</li>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
</ul>
<p>SVC functions are marked as library modules and not processed by PC-lint. The relevant source code is marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint ++flb &quot;Library Begin&quot; [MISRA Note 11]</span></div>
<div class="line"> :</div>
<div class="line"><span class="comment">//lint --flb &quot;Library End&quot;</span></div>
</div><!-- fragment --><p>Code example: </p>
<div class="fragment"><div class="line"><span class="comment">// Service Calls definitions</span></div>
<div class="line"><span class="comment">//lint ++flb &quot;Library Begin&quot; [MISRA Note 11]</span></div>
<div class="line">SVC0_1(Delay, <a class="code" href="group__CMSIS__RTOS__Definitions.html#ga6c0dbe6069e4e7f47bb4cd32ae2b813e">osStatus_t</a>, uint32_t)</div>
<div class="line">SVC0_1(DelayUntil, <a class="code" href="group__CMSIS__RTOS__Definitions.html#ga6c0dbe6069e4e7f47bb4cd32ae2b813e">osStatus_t</a>, uint32_t)</div>
<div class="line"><span class="comment">//lint --flb &quot;Library End&quot;</span></div>
</div><!-- fragment --><p>PC-lint does not process ASM input/output operand lists and therefore falsely identifies issues:</p>
<ul>
<li>Last value assigned to variable not used</li>
<li>Symbol not subsequently referenced </li>
</ul>
<h1><a class="anchor" id="MISRA_12"></a>
[MISRA Note 12]: Usage of exclusive access instructions</h1>
<p>The RTX5 implementation uses the CPU instructions LDREX and STREX (when supported by the processor) to implement atomic operations.</p>
<p>These atomic operations eliminate the requirement for interrupt lock-outs. The atomic operations are implemented using inline assembly.</p>
<p>PC-lint cannot process assembler instructions including the input/output operand lists and therefore falsely identifies issues:</p>
<ul>
<li>Symbol not initialized</li>
<li>Symbol not subsequently referenced</li>
<li>Symbol not referenced</li>
<li>Pointer parameter could be declared as pointing to const</li>
</ul>
<p>It has been verified that atomic operations have no side-effects and are well defined.</p>
<p>The functions that implement atomic instructions are marked as library modules and not processed by PC-lint. The relevant source code is marked with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint ++flb &quot;Library Begin&quot; [MISRA Note 12]</span></div>
<div class="line"> :</div>
<div class="line"><span class="comment">//lint --flb &quot;Library End&quot;</span></div>
</div><!-- fragment --><h1><a class="anchor" id="MISRA_13"></a>
[MISRA Note 13]: Usage of Event Recorder</h1>
<p>The Event Recorder is a generic event logger and the related functions are called to record an event. The function parameters are a 32-bit id, 32-bit values, and a pointer to void (data), and are recorded as 32-bit numbers. The parameters for the Event Recorder may require cast operations to unsigned int, which however have no side-effects and are well defined.</p>
<p>The return value indicates success or failure. There is no need to check the return value since no action is taken when an Event Recorder function fails. The EventID macro (part of the external Event Recorder) constructs the ID based on input parameters which are shifted, masked with '&amp;' and combined with '|'. Zero-valued input parameters are valid and cause a zero operand to be used with '&amp;' and '|'.</p>
<p>The usage of the Event Recorder implies the following MISRA deviations:</p>
<ul>
<li>[MISRA 2012 Rule 11.1, required]: Conversions shall not be performed between a pointer to a function and any other type</li>
<li>[MISRA 2012 Rule 11.4, advisory]: A conversion should not be performed between a pointer to object and an integer type</li>
<li>[MISRA 2012 Rule 11.6, required]: A cast shall not be performed between pointer to void and an arithmetic type</li>
</ul>
<p>In addition PC-Lint issues:</p>
<ul>
<li>Info 835: A zero has been given as left argument to operator '&amp;'</li>
<li>Info 845: The right argument to operator '|' is certain to be 0</li>
</ul>
<p>The functions that call the Event Recorder are in the module <em>rtx_evr.c</em> and the related PC-Lint messages are disabled with: </p>
<div class="fragment"><div class="line"><span class="comment">//lint -e923 -e9074 -e9078 -emacro((835,845),EventID) [MISRA Note 13]</span></div>
</div><!-- fragment --> </div></div><!-- contents -->
</div><!-- doc-content -->
<!-- start footer part -->
<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
<ul>
<li class="navelem"><a class="el" href="index.html">index</a></li><li class="navelem"><a class="el" href="rtx5_impl.html">RTX v5 Implementation</a></li>
<li class="footer">Generated on Wed Jul 10 2019 15:21:04 for CMSIS-RTOS2 Version 2.1.3 by Arm Ltd. All rights reserved.
<!--
<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.8.6
-->
</li>
</ul>
</div>
</body>
</html>