CERT C Compliance Summary Tables

MathWorks^® evaluates C code generated by Embedded Coder^® from Simulink^® models and Stateflow^® charts against the CERT^® C coding standards¹ . The evaluation results are available in these summary tables.

The tables show the compliance status of generated code with CERT C rules:

Compliant: The generated code is fully compliant with the CERT C coding standards if you follow the modeling recommendations associated with the rule.
Noncompliant: The generated code fails to satisfy the CERT C coding standards.

Note

For rules marked as Noncompliant*, you can generate CERT C compliant code in some modeling instances by following the modeling guidelines shown in the table, where applicable.

The table also provides guidance on achieving compliance, where applicable:

Model Advisor checks, which facilitates the model assessment process to achieve code compliance.
Modeling recommendations, which describe model settings, blocks usage, and block parameter settings that improve code compliance.
Explanatory notes describe violations that are not within the scope of Embedded Coder, and other limitations.

When preparing the CERT C compliance statement for your project, you can use the tables in the CERT C Code Compliance Evaluation Summary. The tables align with the published CERT C Rules and Recommendations (Polyspace Bug Finder). The tables are based only on Rules as described in Section 1.7 of the SEI CERT C Coding Standards, 2016 edition. Recommendations are not considered.

Note

To detect issues in a model that might produce CERT C coding standard violations, use the Model Advisor to run the Model Advisor Checks for CERT C, SWE, and ISO/IEC TS 17961 Coding Standards (Simulink Check).

CERT C Code Compliance Evaluation Summary

Rule 01. Preprocessor (PRE)

Rule	Description^a	Compliance
PRE30-C	Do not create a universal character name through concatenation.	Compliant Model recommendations hisl_0062
PRE31-C	Avoid side effects in arguments to unsafe macros.	Compliant
PRE32-C	Do not use preprocessor directives in invocations of function-like macros.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 02. Declarations and Initialization (DCL)

Rule	Description^a	Compliance
DCL30-C	Declare objects with appropriate storage durations.	Compliant
DCL31-C	Declare identifiers before using them.	Compliant Explanatory Note Usage of Model Configuration Parameter 'Leverage target hardware instruction set extensions' Usage of Hardware board configuration
DCL36-C	Do not declare an identifier with conflicting linkage classifications.	Compliant
DCL37-C	Do not declare or define a reserved identifier.	Noncompliant* Model recommendations hisl_0032 Explanatory Note Usage of Model Configuration Parameter 'Leverage target hardware instruction set extensions' Identifier specification
DCL38-C	Use the correct syntax when declaring a flexible array member.	Compliant Model recommendations hisl_0060 Explanatory Note Flexible array violation
DCL39-C	Avoid information leakage when passing a structure across a trust boundary.	Noncompliant
DCL40-C	Do not create incompatible declarations of the same function or object.	Compliant
DCL41-C	Do not declare variables inside a switch statement before the first case label.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 03. Expressions (EXP)

Rule	Description^a	Compliance
EXP30-C	Do not depend on the order of evaluation for side effects.	Compliant Model recommendations hisl_0062 Explanatory Note Usage of const or volatile qualifiers Blocks usage Usage of Hardware board configuration
EXP32-C	Do not access a volatile object through a nonvolatile reference.	Compliant Model recommendations hisl_0020 Explanatory Note Usage of const or volatile qualifiers Usage of Hardware board configuration
EXP33-C	Do not read uninitialized memory.	Compliant Model recommendations hisl_0010 hisl_0015 hisl_0029 Explanatory Note Configuration of Variant choices
EXP34-C	Do not dereference null pointers.	Compliant Explanatory Note Run-time error analysis Usage of Model Configuration Parameter 'Classic call interface'
EXP35-C	Do not modify objects with temporary lifetime.	Compliant
EXP36-C	Do not cast pointers into more strictly aligned pointer types.	Noncompliant* Model recommendations hisl_0020
EXP37-C	Call functions with the correct number and type of arguments.	Compliant Model recommendations hisl_0020 Explanatory Note Usage of User-Written code
EXP39-C	Do not access a variable through a pointer of an incompatible type.	Noncompliant* Model recommendations hisl_0020
EXP40-C	Do not modify constant objects.	Compliant
EXP42-C	Do not compare padding data.	Compliant
EXP43-C	Avoid undefined behavior when using restrict-qualified pointers.	Noncompliant* Model recommendations hisl_0029
EXP44-C	Do not rely on side effects in operands to sizeof, _Alignof, or _Generic.	Compliant
EXP45-C	Do not perform assignments in selection statements.	Compliant Explanatory Note Usage of Hardware board configuration
EXP46-C	Do not use a bitwise operator with a Boolean-like operand.	Noncompliant
EXP47-C	Do not call va_arg with an argument of the incorrect type.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 04. Integers (INT)

Rule	Description^a	Compliance
INT30-C	Ensure that unsigned integer operations do not wrap.	Noncompliant* Model Advisor Checks Detect Integer Overflow (Simulink Check)
INT31-C	Ensure that integer conversions do not result in lost or misinterpreted data.	Noncompliant* Model recommendations hisl_0001 hisl_0054 Model Advisor Checks Detect Division by Zero (Simulink Check) Detect Integer Overflow (Simulink Check) Explanatory Note Run-time error analysis
INT32-C	Ensure that operations on signed integers do not result in overflow.	Compliant Model recommendations hisl_0001 hisl_0006 Explanatory Note Run-time error analysis
INT33-C	Ensure that division and remainder operations do not result in divide-by-zero errors.	Compliant Model recommendations hisl_0002 hisl_0004 hisl_0028 hisl_0067 Explanatory Note Run-time error analysis
INT34-C	Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.	Compliant Model recommendations hisl_0020 hisl_0073
INT35-C	Use correct integer precisions.	Compliant
INT36-C	Converting a pointer to integer or integer to pointer.	Noncompliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 05. Floating Point (FLP)

Rule	Description^a	Compliance
FLP30-C	Do not use floating-point variables as loop counters.	Noncompliant* Model recommendations hisl_0022 hisl_0102
FLP32-C	Prevent or detect domain and range errors in math functions.	Compliant Model recommendations hisl_0003 hisl_0004
FLP34-C	Ensure that floating-point conversions are within range of the new type.	Compliant Explanatory Note Blocks usage
FLP36-C	Preserve precision when converting integral values to floating-point type.	Compliant
FLP37-C	Do not use object representations to compare floating-point values.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 06. Arrays (ARR)

Rule	Description^a	Compliance
ARR30-C	Do not form or use out-of-bounds pointers or array subscripts.	Noncompliant* Model recommendations hisl_0020 Model Advisor Checks Detect Out Of Bound Array Access (Simulink Check)
ARR32-C	Ensure size arguments for variable length arrays are in a valid range.	Compliant
ARR36-C	Do not subtract or compare two pointers that do not refer to the same array.	Compliant
ARR37-C	Do not add or subtract an integer to a pointer to a nonarray object.	Compliant
ARR38-C	Guarantee that library functions do not form invalid pointers.	Compliant
ARR39-C	Do not add or subtract a scaled integer to a pointer.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 07. Characters and Strings (STR)

Rule	Description^a	Compliance
STR30-C	Do not attempt to modify string literals.	Compliant
STR31-C	Guarantee that storage for strings has sufficient space for character data and the null terminator.	Compliant Explanatory Note Run-time error analysis
STR32-C	Do not pass a non-null-terminated character sequence to a library function that expects a string.	Compliant
STR34-C	Cast characters to unsigned char before converting to larger integer sizes.	Noncompliant* Model recommendations hisl_0022
STR37-C	Arguments to character-handling functions must be representable as an unsigned char.	Compliant
STR38-C	Do not confuse narrow and wide character strings and functions.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 08. Memory Management (MEM)

Rule	Description^a	Compliance
MEM30-C	Do not access freed memory.	Compliant Model recommendations hisl_0060
MEM31-C	Free dynamically allocated memory when no longer needed.	Compliant
MEM33-C	Allocate and copy structures containing a flexible array member dynamically.	Compliant
MEM34-C	Only free memory allocated dynamically.	Compliant
MEM35-C	Allocate sufficient memory for an object.	Compliant Model recommendations hisl_0060 Explanatory Note Run-time error analysis
MEM36-C	Do not modify the alignment of objects by calling realloc().	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 09. Input Output (FIO)

Rule	Description^a	Compliance
FIO30-C	Exclude user input from format strings.	Compliant
FIO32-C	Do not perform operations on devices that are only appropriate for files.	Noncompliant* Model recommendations hisl_0020
FIO34-C	Distinguish between characters read from a file and EOF or WEOF.	Compliant
FIO37-C	Do not assume that fgets() or fgetws() returns a nonempty string when successful.	Compliant
FIO38-C	Do not copy a FILE object.	Compliant
FIO39-C	Do not alternately input and output from a stream without an intervening flush or positioning call.	Compliant
FIO40-C	Reset strings on fgets() or fgetws() failure.	Compliant Explanatory Note Usage of Hardware board configuration
FIO41-C	Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects.	Compliant
FIO42-C	Close files when they are no longer needed.	Compliant Model recommendations hisl_0020
FIO44-C	Only use values for fsetpos() that are returned from fgetpos().	Compliant
FIO45-C	Avoid TOCTOU race conditions while accessing files.	Compliant
FIO46-C	Do not access a closed file.	Compliant
FIO47-C	Use valid format strings.	Compliant Model recommendations hisl_0020
^a Copyright © 2016 Carnegie Mellon University.

Rule 10. Environment (ENV)

Rule	Description^a	Compliance
ENV30-C	Do not modify the object referenced by the return value of certain functions.	Compliant
ENV31-C	Do not rely on an environment pointer following an operation that may invalidate it.	Compliant
ENV32-C	All exit handlers must return normally.	Compliant
ENV33-C	Do not call system().	Compliant Explanatory Note Usage of Hardware board configuration
ENV34-C	Do not store pointers returned by certain functions.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 11. Signals (SIG)

Rule	Description^a	Compliance
SIG30-C	Call only asynchronous-safe functions within signal handlers.	Compliant
SIG31-C	Do not access shared objects in signal handlers.	Compliant
SIG34-C	Do not call signal() from within interruptible signal handlers.	Compliant
SIG35-C	Do not return from a computational exception signal handler.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 12. Error Handling (ERR)

Rule	Description^a	Compliance
ERR30-C	Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure.	Compliant
ERR32-C	Do not rely on indeterminate values of errno.	Compliant
ERR33-C	Detect and handle standard library errors.	Compliant Explanatory Note Usage of Hardware board configuration
ERR34-C	Detect errors when converting a string to a number.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 14. Concurrency (CON)

Rule	Description^a	Compliance
CON30-C	Clean up thread-specific storage.	Compliant
CON31-C	Do not destroy a mutex while it is locked.	Compliant
CON32-C	Prevent data races when accessing bit-fields from multiple threads.	Compliant Explanatory Note Usage of Hardware board configuration
CON33-C	Avoid race conditions when using library functions.	Compliant
CON34-C	Declare objects shared between threads with appropriate storage durations.	Compliant
CON35-C	Avoid deadlock by locking in a predefined order.	Compliant
CON36-C	Wrap functions that can spuriously wake up in a loop.	Compliant
CON37-C	Do not call signal() in a multithreaded program.	Compliant Explanatory Note Usage of Hardware board configuration
CON38-C	Preserve thread safety and liveness when using condition variables.	Compliant
CON39-C	Do not join or detach a thread that was previously joined or detached.	Compliant
CON40-C	Do not refer to an atomic variable twice in an expression.	Compliant
CON41-C	Wrap functions that can fail spuriously in a loop.	Compliant
CON43-C	Do not allow data races in multithreaded code.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 48. Miscellaneous (MSC)

Rule	Description^a	Compliance
MSC30-C	Do not use the rand() function for generating pseudorandom numbers.	Noncompliant
MSC32-C	Properly seed pseudorandom number generators.	Noncompliant
MSC33-C	Do not pass invalid data to the asctime() function.	Compliant
MSC37-C	Ensure that control never reaches the end of a non-void function.	Compliant Explanatory Note Usage of Hardware board configuration
MSC38-C	Do not treat a predefined identifier as an object if it might only be implemented as a macro.	Compliant
MSC39-C	Do not call va_arg() on a va_list that has an indeterminate value.	Compliant
MSC40-C	Do not violate constraints.	Compliant
MSC41-C	Never hard code sensitive information.	Compliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 50. POSIX (POS)

Rule	Description^a	Compliance
POS30-C	Use the readlink() function properly.	Compliant Explanatory Note Usage of Hardware board configuration
POS34-C	Do not call putenv() with a pointer to an automatic variable as the argument.	Compliant
POS35-C	Avoid race conditions while checking for the existence of a symbolic link.	Compliant
POS36-C	Observe correct revocation order while relinquishing privileges.	Compliant
POS37-C	Ensure that privilege relinquishment is successful.	Compliant
POS38-C	Beware of race conditions when using fork and file descriptors.	Compliant
POS39-C	Use the correct byte ordering when transferring data between systems.	Compliant
POS44-C	Do not use signals to terminate threads.	Compliant
POS47-C	Do not use threads that can be canceled asynchronously.	Noncompliant
POS48-C	Do not unlock or destroy another POSIX thread's mutex.	Compliant
POS49-C	When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed.	Compliant
POS50-C	Declare objects shared between POSIX threads with appropriate storage durations.	Compliant
POS51-C	Avoid deadlock with POSIX threads by locking in predefined order.	Compliant
POS52-C	Do not perform operations that can block while holding a POSIX lock.	Compliant
POS53-C	Do not use more than one mutex for concurrent waiting operations on a condition variable.	Compliant
POS54-C	Detect and handle POSIX library errors.	Noncompliant
^a Copyright © 2016 Carnegie Mellon University.

Rule 51. Microsoft Windows (WIN)

Rule	Description^a	Compliance
WIN30-C	Properly pair allocation and deallocation functions.	Compliant Model recommendations hisl_0060
^a Copyright © 2016 Carnegie Mellon University.

Rule

Description^a

Compliance

WIN30-C

Properly pair allocation and deallocation functions.

Compliant

Model recommendations
- hisl_0060

Explanatory Notes

Usage of const or volatile qualifiers

The code generator produces noncompliant code for Simulink data objects with its storage class configured with const or volatile qualifiers.

Usage of Hardware board configuration

Simulink models configured for support packages like Simulink Support Package for Raspberry Pi^® Hardware, C2000™ Microcontroller Blockset, or such configurations may generate noncompliant code.

Note

Third-party files such as drivers used with code that is generated using Embedded Coder are not considered in the evaluation.

Blocks usage

Rate Transition block and Matrix Interpolation block generate noncompliant code.

Flexible array violation

Polyspace^® may report violations if the generated code has a structure with one-dimensional array. For example, this code uses a structure DW_mg_foreach_T and a member array CoreSubsys.

typedef struct {
  real_T Delay_DSTATE[2];              /* '<Root>/Delay' */
  ...
  DW_CoreSubsys_mg_foreach_T CoreSubsys[1];/* '<Root>/S1' */
} DW_mg_foreach_T;

DW_mg_foreach_T mg_foreach_DW;
mg_foreach_DW.CoreSubsys[0].Delay_DSTATE[0] = 0.0;

CoreSubsys is a fixed size array and not a flexible array. In this case, the flexible array violation coming from the Polyspace is not an issue.

Configuration of Variant choices

Variant Source block not configured with the default variant choice generates an empty else statement. To avoid this, specify a default variant control variable for the variant blocks. For more information, see Types of Variant Controls in expression Mode.

Usage of Model Configuration Parameter 'Classic call interface'

When the model configuration parameter Classic call interface is enabled, Polyspace may report a null pointer dereferencing violation in the generated code. For example, this code uses a static variable exmpModelK_m and is dereferenced by a variable mdlTsMap.

static RT_MODEL__EXAMPMODEL exmpModelK_m;
RT_MODEL__EXMPMODEL *const exmpModelK_m = &exmpModelK_m_;

.....

  /* Initialize timing info */
  {
    int_T *mdlTsMap = exmpModelK_m->Timing.sampleTimeTaskIDArray;
    mdlTsMap[0] = 0;

    exmpModelK_m->Timing.sampleTimeTaskIDPtr = (&mdlTsMap[0]); 

... 

}

In this case of violation, it is the static memory which is dereferenced. Static memory address is of non-NULL in nature and the violation coming from the Polyspace is not an issue.

The Classic call interface parameter will be removed in a future release. To use the call interface that is common to GRT- and ERT-based system target files, clear this parameter, which is the default setting. (since R2012a) For information on updating a model configuration or migrating a custom GRT-based system target file to use the unified call interface, see Version History on the Classic call interface reference page.

Usage of Model Configuration Parameter 'Leverage target hardware instruction set extensions'

When the model configuration parameter Leverage target hardware instruction set extensions is set to anything other than None, the generated SIMD instruction starts with the identifier _mm. Generation of these intrinsic functions is not supported by Embedded Coder. For more information, see Generate SIMD Code from Simulink Blocks for Intel Platforms.

Identifier specification

You can configure Embedded Coder to limit the number of characters imposed by the implementation. For more information, see Maximum identifier length.

To ensure unique names for different types of variables (such as local variables, global variables, and macros), implement a naming convention. For more information, see Model Configuration Parameters: Code Generation Symbols.

In case of long identifiers, use shared utilities. For more information, see Generate Shared Utility Code.

If you specify identifier naming rules, you are responsible for ensuring compliance.

Run-time error analysis

Use Simulink Design Verifier™ to detect design errors at the model level. For more information, see Analyze Models for Design Errors (Simulink Design Verifier).

To handle overflow violations, see Handle Overflows in Simulink Models (Fixed-Point Designer).

Use Polyspace Bug Finder™ to identify run-time errors and Polyspace Code Prover™ to prove the absence of run-time errors. For more information, see Run Polyspace Analysis on Code Generated with Embedded Coder (Polyspace Code Prover):

Configure and Run Analysis (Polyspace Code Prover)
Configure and Run Analysis (Polyspace Bug Finder)

Usage of User-Written code

User-written C code and third-party libraries that are used with code generated by Embedded Coder are not considered in the evaluation.